The Wall Street Journal is reporting that Russian hackers used Russian-made Kaspersky anti-virus software as a gateway to invade the National Security Agency and collect information on America’s cyber-defense.
Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.
The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.
Kaspersky anti-virus software remains extremely popular, with more than $700 million in revenue in 2014 and millions of copies sold. Best Buy, which had formerly pushed the software through its “Geek Squad,” stopped selling Kaspersky AV last month, after federal agencies banned internal use. At present it is still found on millions of personal, business, and government computers in the United States and elsewhere, which makes this attack extremely worrisome.
The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S. …
The breach is the first known incident in which Kaspersky software is believed to have been exploited by Russian hackers to conduct espionage against the U.S. government.
Concerns about Kaspersky increased after a changeover in personnel and the leaking of memos that brought to light close ties between the company and Russian intelligence.
Those associations existed from the beginning.
Founder and Chief Executive Officer Eugene Kaspersky was educated at a KGB-sponsored cryptography institute, then worked for Russian military intelligence, and in 2007, one of the company’s Japanese ad campaigns used the slogan “A Specialist in Cryptography from KGB.” …
And a memo from 2009 seems to indicate the connection never went away.
The previously unreported emails, from October 2009, are from a thread between Eugene Kaspersky and senior staff. In Russian, Kaspersky outlines a project undertaken in secret a year earlier “per a big request on the Lubyanka side,” a reference to the FSB offices. Kaspersky Lab confirmed the emails are authentic.
In 2012, a shuffle in the company replaced academically trained encryption experts with hackers who had known ties to Russian agencies.
Unlike most kinds of software that run on PCs, antivirus programs aren’t “sandboxed” in a way that keeps them looking at only their own data. The nature of the product means that it’s able to peek into files, query the contents of memory, even alter code that’s part of the computer’s operating system.
Though many details have not been released, that kind of access may have been used in the multi-state attack on voting systems.
Intelligence officials have concluded that a campaign authorized by the highest levels of the Russian government hacked into state election-board systems and the email networks of political organizations to damage the candidacy of Democratic presidential nominee Hillary Clinton.
The federal government ban on using Kaspersky was only this May, and then only at certain agencies. It is still far from complete.
In June, FBI agents visited a number of the company’s U.S. employees at their homes, asking to whom they reported and how much guidance they received from Kaspersky’s Moscow headquarters. And a bill was introduced in Congress that would ban the U.S. military from using any Kaspersky products, with one senator calling ties between the company and the Kremlin “very alarming.” Russia’s communications minister promptly threatened sanctions if the measure passed.
The breach in which the cyber-defense material was collected appears to have happened in 2015, before the events around the election and before some of this information about Kaspersky came to light.
But the US is in a position where some of the software that is supposed to protect systems from intrusion is actually a gateway into those systems for Russian hackers.