According to a report from the Wall Street Journal, highly classified material from the NSA was stolen by hackers working for the Russian government in 2015. It’s being called “one of the most significant security breaches in recent years,” and multiple sources reportedly said that it was made possible because Kaspersky Lab’s anti-virus software identified the files.
The Journal’s sources said an NSA contractor took the files home without authorization and they were accessed by attackers on that person’s home computer, which was running Kaspersky Lab’s software. The contractor isn’t believed to have had malicious intent, and was apparently trying to get off-hours work done. Without explaining how this situation might have played out, or providing evidence publicly, the sources said Kaspersky’s software identified the files on the contractor’s computer, and Russian agents cyber-swooped in to grab them.
According to the report:
The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.
The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.
Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.
The NSA declined to comment on the story, but the Russia-based Kaspersky Lab is vigorously denying that it was involved in any nefarious activity or coordination with the Russian government. Before the Journal’s story dropped on Thursday afternoon, the company’s founder Eugene Kaspersky was already defending himself, tweeting, “New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats.” Kaspersky Lab has also released a full denial to the press that reads in part:
Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company.
As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.
Kaspersky appears to be saying that its software detected the NSA’s malware tools, which is exactly what anti-virus software is supposed to do. Security researchers have been speculating on Twitter about what it could mean when the Journal’s sources say that Kaspersky’s software aided the hackers, but it’s hard to nail down which theories hold up best given the limited information in the report.
Kaspersky is certainly correct that no evidence is being offered that implicates him in any wrongdoing. He’s a well-respected figure in the infosec community and the US government’s decision to ban his company’s products from federal use last month was also accompanied by few details about the government’s reasoning.
What the story does make clear is that NSA cyber defense materials have reportedly been leaked to an adversary, and the NSA’s director, Mike Rogers, has apparently been reprimanded for allowing breaches to occur in the past. According to a report from the Washington Post in November, Rogers was on thin ice at the end of the Obama administration and was likely on his way out before he traveled to New Jersey to meet with President-elect Trump, who decided to keep him on. Kaspersky Lab may or may not have been involved in this breach, but it’s absolutely clear that the NSA needs to get its shit together.