Special Feature
Part of a ZDNet Special Feature: Cyberwar and the Future of Cybersecurity

What is Kaspersky's role in NSA data theft? Here are three likely outcomes

A bombshell news report on Kaspersky's alleged involvement in the theft of NSA data leaves one crucial question unanswered.


Kaspersky is fighting for its survival after a bombshell story in The Wall Street Journal revealed hackers working for the Russian government had obtained classified NSA data.

At the heart of the story is a claim that in 2015 hackers targeted an NSA employee who worked in the agency's elite hacking-tools development unit (confirmed by additional reporting from The Washington Post), and who had taken classified materials home and opened them on a home computer running Kaspersky antivirus. The report said the Russian hackers targeted the employee after identifying the NSA files through the antivirus software.


The hack included data on how the US "penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US." That stolen data could not only help the Russians defend against US hacks, but it could theoretically also be used against US-based systems.

The hack has been described as "one of the most significant security breaches" in recent years -- all of which probably could've been avoided had the NSA employee not taken his work home.

It's a complicated story, one that did not address a key question: What role did Kaspersky play in the hack -- if any?

As much as the US government wants you to believe that Kaspersky is a de facto arm of the Kremlin, neither the story nor the government has offered any concrete evidence. That said, the allegation alone could be the reason the government pulled the plug in recent weeks on all federal agencies using the antivirus maker's software. On the other hand, you have Kaspersky rebuffing claims that it's inappropriately close to any government, including the Kremlin, but -- devil's advocate -- there's no way to know whether the antivirus maker is telling the truth. Eugene Kaspersky, chief executive of the eponymous company, also criticized the story for its anonymous sourcing. (It's often necessary to protect sources who discuss national security.)

There are three working theories, based on what several security researchers and experts are saying. Here's a look at the possible outcomes.

THEORY 1: HACKERS EXPLOITED FLAW IN KASPERSKY TO STEAL DATA

The Journal doesn't explicitly say that Kaspersky, as a company, helped in the data theft, but it implies that the Kaspersky product may have been exploited to hack the computer it was running on.

It's something that Eugene Kaspersky said in a tweet that he was "very concerned" about.

Antivirus and security products -- ironically -- are notoriously buggy, because they are complicated pieces of software that run with high privileges and parse untrusted input, which expands the attack surface of the machine they are meant to protect. Kaspersky in the last two years has patched several bugs that could have allowed attackers to crash the software or compromise the local system. Other products are just as vulnerable: Microsoft's anti-malware engine has been hit by several significant bugs, and in some cases anti-malware products have mistakenly attacked the systems they run on. In the same year as the NSA data theft, Google researcher Tavis Ormandy found a remotely exploitable bug in Kaspersky's software. It was patched within a day.

But the theory only works if the Russian hackers already knew who the target was, knew that the target was running a vulnerable version of Kaspersky's software, and knew how to exploit that vulnerability.

What's also possible is that a hack of Kaspersky's systems in the same year, which wasn't attributed to any group or nation state, resulted in access to the NSA employee's computer. "Top tech companies, especially security teams, continue to be juicy, often easy targets for old-school covert infiltration," said Thomas Rid, a professor at Johns Hopkins, in a tweet.

If the software was hacked or exploited, that may absolve Kaspersky of collusion, but the company would still have a lot to answer for.

In any case, the Journal casts doubt on the theory. According to the report, Kaspersky's software "alerted Russian hackers to the presence of files that may have been taken from the NSA."

THEORY 2: KASPERSKY DETECTED MALWARE, RUSSIAN SPIES INTERVENED

What's more likely is that the Kaspersky product detected one of the NSA's hacking tools once it was taken out of the safe confines of the agency's offices, and flagged it as malware.

"Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA," said the report.

It's not surprising that Kaspersky would recognize either known malware or hacking tools, or malware-like behavior. The company, like others, already has a wealth of antivirus signatures for leaked NSA hacking tools at its disposal, including infamous malware strains like Stuxnet, which researchers widely attribute to the US (working with Israel). Hacking tools used by the so-called Equation Group, thought to be a hacking unit within the NSA, were publicly exposed by a hacking group known as the Shadow Brokers, which initially put the classified tools up for auction. It was Kaspersky that first discovered the hacking unit.

Kaspersky products sift through files and upload samples that are flagged as dangerous to be analyzed in the cloud (in Kaspersky's case through its Kaspersky Security Network, which users can decline to participate in). Many antivirus makers do this -- including Windows Defender -- in part to save on local system resources, but also to give researchers samples of new malware.

In a tweet, former GCHQ staffer Matt Tait said: "If it's just signatures on NSA implants and NSA exploits, then this is Kaspersky just doing its job, and not at all a Kaspersky-Russia thing."

The question remains: How did hackers associated with the Russian government get access to that data?

In Kaspersky's case, uploaded data is likely sent to servers operated by Kaspersky in Russia. The Journal noted that the Russian company is subject to Russian law, which "can compel the company's assistance in intercepting communications as they move through Russian computer networks." Again, that is not too dissimilar from how US companies are subject to US law, including foreign intelligence gathering provisions that have also been used for domestic surveillance. It's possible that Russian authorities simply intercepted the data in transit, which would require either that the uploads were not properly encrypted or that the interception happened at Kaspersky's end after decryption. That could be Kaspersky deliberately complying with Russian law, or technical carelessness.

Some have argued that if it's carelessness, it would be "basically the same" as colluding.

"If you deliberately route insecure traffic through a hostile country that's intercepting it and using it to launch attacks, you own that," tweeted Matthew Green, a cryptographer and professor.

For its part, chief executive Eugene Kaspersky said in a statement that his company "is caught in the middle of a geopolitical fight" between Russia and the US.

THEORY 3: KASPERSKY DETECTED AND STOLE MALWARE FOR RUSSIA

The alternative theory is that Kaspersky's product found and uploaded the NSA hacking tools that were brought home -- and that's when the company dug around for more.

"Initial discovery of NSA tools led to further discovery using its [antivirus] tools to do precisely what they're supposed to," wrote Marcy Wheeler, a national security blogger. If the NSA employee "delivered all that up to Kaspersky, it would explain the breadth of Kaspersky's knowledge" of the NSA's hacking tools, she said.

But that doesn't answer how the Russians found out, said Wheeler.

If that's the case, the company is toast. For its part, Kaspersky has long denied a connection to any government.

In any scenario, it's hard to see how Kaspersky comes out of this unscathed. How much damage there will be isn't known.

Assuming the worst, not only would a proven accusation that Kaspersky works for the Russians be damning for the company, it would cast a spotlight on the wider industry.

Companies routinely and voluntarily work with their national cybersecurity bodies to fight cybercrime. But if governments encroach on that relationship, they could find themselves in a situation that forces companies to work for the intelligence agencies, not too dissimilar to how US firms were forced to turn over data under the PRISM surveillance program.

What's clear is the end result of this saga could sink Kaspersky. With such little evidence to support either side, it's worth keeping an open mind until more evidence comes to light.

And, if you know something, you can always reach out securely.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
