The Wall Street Journal just published an incendiary article that says hackers working for the Russian government stole confidential material from an NSA contractor’s home computer. The hackers did so, according to the WSJ, after identifying files though the contractor’s use of antivirus software from Moscow-based Kaspersky Lab.
The report may well be true, but, for now, there’s no way to independently confirm it. The report is based on unnamed people the publication says had knowledge of the matter, and it provides no evidence to support its claim. What’s more, the lack of detail leaves open the possibility that, even if Kaspersky’s AV did help Russia home in on the highly sensitive code and documents, the disclosure was the inadvertent result of a software bug and that no one from Kaspersky Lab cooperated with the attackers in any way. Also lost in the focus on Kaspersky Lab is the startling revelation that yet another NSA insider managed to sneak classified material outside of the NSA’s network and put it on an unsecured computer. More of this analysis will follow.
First, here’s a summary of what the WSJ reported.
The unnamed contractor removed the material from the NSA and stored it on a home computer that ran a version of Kaspersky AV. The material, according to the unnamed sources, included “details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US.” Sometime in 2015, the material was stolen by Russia-sponsored hackers who “appear to have targeted the contractor after identifying the files through the contractor’s use” of the Kaspersky AV. The breach was discovered in the first three months of 2016.
The post continued:
US investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.
But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.
Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.
The report comes as concerns mount inside the US about Russian hacking in general and more specifically about whether Kaspersky Lab has ever, or might in the future, play a role in supporting such hacks. Rumors have swirled for years that, because of Kaspersky Labs’ nationality and the early training founder Eugene Kaspersky received from the Russian government, the company was a Russian proxy that provided, or at least could provide when asked, that country’s government with assistance in breaking into the computers of Russian adversaries.
As early as August, according to Cyber Scoop, the FBI quietly briefed private-sector companies on the threat it believed Kaspersky products and services posed. In early September, electronics retailer Best Buy stopped selling Kaspersky software and offered free removals and credits toward competing packages. Last month, the suspicions reached a new high when the US Department of Homeland Security took the unprecedented step of directing all US agencies to stop using Kaspersky products and services.
The US government has never provided hard evidence for the private briefings or the DHS directive. Dave Aitel, a former NSA hacker who is now CEO of penetration-testing firm Immunity, said the allegations aired on Thursday’s WSJ post are a plausible explanation.
“That’s exactly the kind of behavior that would cause the US government to do what they’re doing,” he told Ars. “There’s only one really big thing, which is they think [Kaspersky] is operating as an agent for a foreign government, most likely wittingly.”
Not so fast
The counter argument to what Aitel and plenty of people in security and national security circles are saying is that the extraordinary allegations are based solely on anonymous sources and aren’t backed up with any hard evidence. What’s more, the anonymous sources never say that anyone from Kaspersky Lab aided or cooperated with the hackers. The latter point leaves open the possibility that the hole left open by Kaspersky AV was unintentional by its developers and was exploited by Russian hackers without any help from the company.
In September 2015, Google Project Zero researcher Tavis Ormandy said his cursory examination of Kaspersky AV exposed multiple vulnerabilities that made it possible for attackers to remotely execute malicious code on computers that ran the software. If the hackers had knowledge the NSA contractor was using the Kaspersky AV, it’s at least feasible they exploited those vulnerabilities or similar ones to identify the sensitive materials and possibly also steal them.
Kaspersky has since patched the vulnerabilities. Over the years, Ormandy has discovered equally severe code-execution vulnerabilities in AV software from a host of Kaspersky competitors.
The WSJ article tacitly suggests this alternate theory is not the case. It cites a former NSA hacker speculating that the names and fingerprints of the sensitive files were indexed in a scan performed by the Kaspersky software and then uploaded to the company’s cloud environment so they can be compared against a master list of known malware. “You’re basically surrendering your right to privacy by using Kaspersky software,” the former NSA employee, Blake Darché, told the publication.