Last week, The Wall Street Journal dropped a bombshell when it reported that Russian government hackers located confidential National Security Agency material improperly stored on an employee’s home computer with help from Kaspersky antivirus, which happened to be installed. On Tuesday, The New York Times and The Washington Post provided another shocker: the Russian hackers were caught in the act by spies from Israel, who were burrowed deep inside Kaspersky’s corporate network around the time of the theft.
Moscow-based Kaspersky Lab disclosed the intrusion into its network in mid-2015. Kaspersky released a detailed report that said some of the attack code shared digital fingerprints first found in the Stuxnet worm that sabotaged Iran’s nuclear program. When combined with other clues—including the attackers’ targeting of entities located in the US, which is off limits to the NSA—most analysts concluded that the 2014 hack was carried out by Israel. At the time, Kaspersky Lab researchers said that the hackers appeared most interested in data the company had amassed on nation-sponsored hackers.
The NYT, citing unnamed people, said on Tuesday that Israeli spies indeed carried out the attack. More revealing still, the report said that during the course of the hack, the spies watched in real time as Russian government hackers turned Kaspersky antivirus software used by 400 million people worldwide into an improvised search tool that scoured computers for code names of US intelligence programs. The NYT likened it to a “sort of Google search for sensitive information.” The Israeli spies, in turn, reported their findings to their counterparts in the US.
As reporters Nicole Perlroth and Scott Shane reported:
Kaspersky’s researchers noted that attackers had managed to burrow deep into the company’s computers and evade detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky’s systems, employing sophisticated tools to steal passwords, take screenshots, and vacuum up emails and documents.
In its June 2015 report, Kaspersky noted that its attackers seemed primarily interested in the company’s work on nation-state attacks, particularly Kaspersky’s work on the “Equation Group”—its private industry term for the NSA—and the “Regin” campaign, another industry term for a hacking unit inside the United Kingdom’s intelligence agency, the Government Communications Headquarters, or GCHQ.
Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs and pulling any findings back to Russian intelligence systems. [Israeli intelligence] provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.
The WaPo article reporting the same events adds further details about the role Kaspersky AV reportedly played in identifying the NSA material the employee stored on his home computer.
Over the past several years, the firm has, on occasion, used a standard industry technique that detects computer viruses but can also be employed to identify information and other data not related to malware, according to two industry officials, who spoke on the condition of anonymity to discuss sensitive information.
The tool is called “silent signatures”—strings of digital code that operate in stealth to find malware but which could also be written to search computers for potential classified documents, using keywords or acronyms.
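The mechanism the WaPo describes is worth seeing concretely, because it is not exotic: an antivirus signature is a set of byte patterns the scanner looks for, and nothing in the engine cares whether those patterns are fragments of executable code or words from a document. The toy engine below is an added illustration, not code from the article, the NSA, or Kaspersky. It pairs a constructed malware-style rule with a constructed keyword rule (the code name and sample files are invented placeholders), runs both over a pseudo-executable and a pseudo-document, and adds the check a defender would want from a vendor or an internal reviewer: an audit that flags rules built only from prose-like keywords, which match documents rather than binaries and deserve scrutiny before they ship, especially as "silent" rules whose hits go upstream without alerting the user.

```python
# Added illustration (not code from the article, the NSA, or Kaspersky):
# a toy signature engine showing that a "silent signature" is the ordinary
# string matching used for malware detection, just pointed at document
# keywords, plus an audit helper that flags rules whose patterns read like
# prose keywords rather than code artifacts.
import re
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    patterns: list          # byte strings that must all appear in the scanned data
    silent: bool = False    # silent: hits are reported to the vendor, never shown to the user


def scan(data: bytes, sigs: list) -> list:
    """Return the names of all signatures whose patterns all occur in `data`."""
    return [s.name for s in sigs if all(p in data for p in s.patterns)]


# Heuristic: a pattern made only of uppercase letters, digits, spaces, underscores
# and dashes reads like an acronym or code name, not a byte sequence from a binary.
_KEYWORD_LIKE = re.compile(rb"^[A-Z][A-Z0-9 _-]{2,}$")


def audit(sigs: list) -> list:
    """Flag signatures built solely from keyword-like patterns.

    Such rules match prose in documents rather than code in executables, so a
    reviewer should confirm that each one corresponds to a real malware family
    before it ships, and should treat a silent rule of this shape as a red flag.
    """
    return [s.name for s in sigs
            if s.patterns and all(_KEYWORD_LIKE.match(p) for p in s.patterns)]


# Constructed sample rules. The code name in the keyword rule is an obvious placeholder.
RULES = [
    Signature("Toy.Dropper.A", [b"MZ", b"CreateRemoteThread", b"VirtualAllocEx"]),
    Signature("Keyword.Sweep.1", [b"EXAMPLE-CODENAME", b"TOP SECRET"], silent=True),
]

# Constructed sample inputs: a pseudo-executable and a pseudo-document.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 16 + b"CreateRemoteThread\x00VirtualAllocEx\x00"
SAMPLE_DOC = b"Briefing note (TOP SECRET) on EXAMPLE-CODENAME status, draft 3.\n"


def demo() -> dict:
    """Run both samples through the rule set and audit the rules themselves."""
    doc_hits = scan(SAMPLE_DOC, RULES)
    by_name = {s.name: s for s in RULES}
    return {
        "exe_hits": scan(SAMPLE_EXE, RULES),
        "doc_hits": doc_hits,
        "silent_doc_hits": [n for n in doc_hits if by_name[n].silent],
        "needs_review": audit(RULES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the audit function is the asymmetry it exposes: the executable trips only the code-pattern rule, the document trips only the keyword rule, and the engine reports both the same way. A keyword-only rule is not proof of misuse (some malware families do embed fixed uppercase markers), but it is the category a reviewer, an auditor, or an organisation deciding which AV to trust should be able to enumerate and question, which is exactly what a "silent" rule deployed without review prevents.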
In a statement, Kaspersky Lab officials wrote:
Kaspersky Lab was not involved in, and does not possess any knowledge of, the situation in question. As the integrity of our products is fundamental to our business, Kaspersky Lab patches any vulnerabilities it identifies or that are reported to the company. Kaspersky Lab reiterates its willingness to work alongside US authorities to address any concerns they may have about its products as well as its systems, and [Kaspersky] respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity. In addition, Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts.
As the WSJ reported last week, the NSA worker breached agency rules by bringing home code and other classified material and storing them on an Internet-connected computer that had Kaspersky software running on it. The Kaspersky software, in turn, allowed Russian hackers to home in on the files. The NYT said the tip-off from Israeli spies led to an unprecedented decision last month that all Kaspersky software be removed from US government computers.
The new details are likely to continue to put pressure on US and Western European companies—which account for about 60 percent of Kaspersky Lab’s sales—to further curtail business with the Russian antivirus provider. What remains unclear is whether AV packages from companies located in the US or other Western countries could be used in a similar way to spill secrets belonging to the US and its allies.