Israeli hackers uncover Russian hackers using cybersecurity software to hack the U.S. government’s hackers. Do you have the same software installed on your computer?
Kaspersky Lab, the popular Russian cybersecurity and anti-virus company, has been implicated in the theft of classified information from the United States National Security Agency. The stolen information was taken from an NSA contractor’s home computer by Russian state-sponsored hackers, apparently after Kaspersky antivirus software enabled them to identify and target the classified files.
For their part, Kaspersky Lab has denied any involvement in, or responsibility for, the hackers gaining access to the compromised computer. In a statement posted on its website, the company said it had “not been provided any evidence substantiating” its involvement and called the allegations “unproven claims.”
The news about the alleged involvement of Kaspersky Lab antivirus products follows last month’s directive from the Department of Homeland Security (DHS), Binding Operational Directive 17-01, which ordered all federal departments and agencies to identify any Kaspersky products on their information systems and to develop detailed plans to remove them. In a statement released on the 13th of September, DHS said that “The Department is concerned about the ties between Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
According to DHS, “the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
What we do know about the breach is that it occurred back in 2015, when the NSA contractor took classified NSA malware files, tools designed for spying on NSA targets, home and loaded them onto a personal computer. The Kaspersky antivirus program installed on that computer flagged the classified tools as suspicious and uploaded them to Kaspersky’s servers for analysis. That behaviour is not unique to Kaspersky: most modern antivirus products submit unrecognized suspicious files to the vendor’s cloud, which is why classified or sensitive material should never be placed on a machine running consumer security software, whatever the vendor. At this point, it is unclear whether Kaspersky Lab recognized the opportunity and passed the files to Russian intelligence, or whether Russian intelligence spotted the opportunity without Kaspersky’s knowledge.
On Twitter, cybersecurity expert Matt Tait offered two possible theories on how Kaspersky could have been involved. Both revolve around Kaspersky conducting an Advanced Persistent Threat (APT) investigation. The question of malicious intent hinges on whether Kaspersky launched the scan because the user had been identified as working for the NSA, or whether its antivirus program simply matched signatures for known NSA implants and exploits. In the latter case, the Kaspersky product was doing exactly what it was designed to do, and the FSB could have obtained the files by breaching Kaspersky’s antivirus telemetry without Kaspersky knowing.
At this point, it is all speculation whether Kaspersky was acting nefariously or was an unwitting pawn in the hack. There are two major takeaways from the story. First, the two-year-old breach was uncovered by Israeli intelligence, which noticed the NSA tools while it was itself inside Kaspersky Lab’s network. The timing of the breach could also indicate that the leaks published by the Shadow Brokers originated with this theft. Second, it shows how slow the United States government was in taking a closer look at Russian involvement in Kaspersky Lab and the risk that its software could pose to U.S. government systems.