Following a ban on Kaspersky Lab’s anti-virus software for use by the US federal government, the Wall Street Journal reported that officials believe hackers used the software to steal sensitive NSA documents. On Wednesday, the story deepened with reports that the US government was tipped off by Israeli intelligence after its spies observed Russian agents using the software as a personal back door.
The New York Times was the first to break the story that Israeli agents were able to hack into the Kaspersky Lab network in 2014, and observe in real time what the Israeli agents claimed were hackers working for the Russian government searching through the computers of Kaspersky’s 400 million users.
Citing “multiple people who have been briefed on the matter,” the Times claims that the hackers were looking for code names used by American intelligence programs. Officials from Israel then notified the US government of what its agents had seen, and this information allegedly prompted the decision to remove Kaspersky’s software from almost two dozen agencies’ computers. Though the NSA wasn’t one of those agencies—it has breached anti-virus software before, so it knows better—the list of departments that were using it included the State Department, Department of Defense, Department of Energy and the Army, Navy and Air Force. In the case of the NSA breach, it’s believed that an employee took the classified information home to complete some after-hours work, and hackers were able to access his personal computer through Kaspersky.
The Israeli breach was confirmed by Kaspersky publicly in a 2015 report. From the Times:
The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu,” which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint American-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010....
Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the United Nations Security Council to negotiate the terms of the Iran nuclear deal — negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint American-Israeli operation like Stuxnet.
It’s Kaspersky Lab’s job to hunt for and catalog malware, whether the malware is created by an individual, organized crime, or a nation-state. So, when the NSA uses malware tools for its own hacking purposes, Kaspersky will catalog what it knows. If a rival nation were to gain access to Kaspersky, it could use known code names and malware designs to search through Kaspersky’s system to locate US government computers and possibly go further. According to the Washington Post, which confirmed the Israeli report through its own sources:
Over the past several years, the firm has, on occasion, used a standard industry technique that detects computer viruses but can also be employed to identify information and other data not related to malware, according to two industry officials, who spoke on the condition of anonymity to discuss sensitive information.
The tool is called “silent signatures”—strings of digital code that operate in stealth to find malware but which could also be written to search computers for potential classified documents, using keywords or acronyms.
No reports thus far have offered any detailed evidence that Kaspersky Lab’s software has been compromised and no public reports have shown analysis to back up these intelligence claims. Kaspersky has vehemently denied any willing cooperation in Russian spying operations and in a press release stated:
As the integrity of our products is fundamental to our business, Kaspersky Lab patches any vulnerabilities it identifies or that are reported to the company. Kaspersky Lab reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems, and respectfully requests any relevant, verifiable information that would help the company in its own investigation to certifiably refute the false accusations....
Kaspersky Lab has never helped, nor will help, for any government in the world with its cyberespionage efforts, and contrary to erroneous reports, Kaspersky Lab software does not contain any undeclared capabilities such as backdoors as that would be illegal and unethical.
Unfortunately for the company’s founder, Eugene Kaspersky, he has a background that raises suspicion based on his attendance of a Russian intelligence institute and his time working for the Ministry of Defence. He’s a respected figure in the security company, as is his software, but his company is also the only major anti-virus provider that has to route its data through Russian ISPs which are monitored by the Russian government. Kaspersky argues that the data is encrypted but not everyone is convinced that encryption is enough. Andrei Soldatov, a Russian surveillance expert and author of “The Red Web,” tells the Washington Post, that Kaspersky has to obtain a license from the FSB and that “means your company is completely transparent.”
Whether Kaspersky software is vulnerable or not, anti-virus protection is largely about trust. Anti-virus software itself is a big ol’ back door that relies on public trust and the security community’s mutual respect. These reports put the company in a bind because Kaspersky offered to go over the US and Israeli evidence to either further secure its product or defend itself against accusations. Those governments are likely unwilling to cooperate out of fear of revealing sources and methods. Likewise, whatever officials are leaking that this info came from Israel probably aren’t making that country’s intelligence arm very happy. For the average consumer, you’ll have to ask who you trust.