Kaspersky: pirated software led to NSA contractor breach
Russian cybersecurity vendor Kaspersky Lab released preliminary results from an internal investigation Oct. 25, claiming that a widely reported breach of a National Security Agency contractor’s home computer took place after he or she disabled Kaspersky Lab antivirus software in order to download a pirated version of Microsoft Word that turned out to be infected with malware.
According to a release by Kaspersky Lab, the investigation was initiated “in relation to alleged 2015 incidents described in the media.” While some details are inconsistent — for example, the firm claims the incident took place in 2014 — many of the details match up with an Oct. 5 story reported in the Wall Street Journal detailing how Russian hackers in 2015 stole classified NSA material from a contractor through Kaspersky Lab’s antivirus software installed on the contractor’s home computer.
However, Kaspersky Lab claims that its internal investigation reached a different conclusion: that the contractor in question only exposed his or her systems after turning off the firm’s antivirus software in order to download a pirated version of Microsoft Word. That software was apparently infected with malware that created “a full-blown backdoor which may have allowed third parties access to the user’s machine.”
According to the release, after the contractor turned the antivirus software on again and scanned the computer, the software detected “new and unknown variants of Equation [Advanced Persistent Threat] malware.” The Equation Group is a hacking group widely suspected to operate under the aegis of the NSA. Because the contractor had Kaspersky’s cloud-based security network enabled, those malware samples were uploaded and sent to the company’s headquarters in Moscow for further analysis, something the company said is standard procedure any time its antivirus software flags a suspicious file.
Missing from the company’s explanation is how those files eventually ended up in the hands of Russian intelligence. Eugene Kaspersky, the firm’s founder, has repeatedly denied the company ever assisted the Russian government or other governments in conducting espionage. The release stated that news reports claiming its software was searching computers for terms like “top secret,” something that would indicate an intentional effort to look for and collect classified information, were false.
At an Oct. 25 House Science, Space and Technology hearing on Kaspersky Lab, top-level officials from the General Services Administration indicated that Kaspersky Lab’s presence on the GSA Schedule was the result of unsanctioned modifications made by three resellers to their product offerings. David Shive, CIO of the GSA, told the committee that GSA was aware of discussions within the government about the risks associated with Kaspersky Lab software in late 2016.
However, other than running a scan to ensure the software wasn’t running on the agency’s internal network, Shive said that GSA officials did not take any further action until July 2017.
“With respect to Kaspersky Lab products, they were available from three resale vendors on GSA’s schedule contract. On July 11 of this year, GSA directed the three resellers to remove all Kaspersky Lab manufactured products from their catalogues within 30 days. All three resellers complied,” Shive said.
However, the text of Shive’s official statement to the committee includes a passage stating that these resellers “did not gain approval to do so via the required contract modification process.”
Rep. Ralph Norman (R-S.C.) asked Shive if the GSA evaluated whether to sanction the resale vendors for including Kaspersky Lab products on their offerings without gaining prior approval.
Shive said he wasn’t familiar with the process by which vendors on the GSA schedule are sanctioned, eventually admitting, “I’m not saying that there were or were not consequences, I just don’t know if there was” and promised to get back to the committee with more specifics.
In a statement, a GSA spokesperson explained that Kaspersky Lab products were “improperly added through the Schedule Input Program,” GSA’s proprietary software that vendors use to upload their electronic catalog, and not through a contract modification request. The agency declined to reveal the identities of the three resellers but said a review had determined the issue did not warrant punishment.
“The three vendors that previously offered Kaspersky Lab products have been fully cooperative with GSA’s directive to remove all Kaspersky Lab products from their offerings and GSA’s contracting officers determined that their mistake should not result in the cancellation of their contract in full,” said the GSA spokesperson.
Sean Kanuck, director of future conflict and cybersecurity for the International Institute for Strategic Studies, told the committee that Kaspersky Lab’s antivirus software, like other antivirus programs, is a complete network monitoring solution with remote administration capabilities and access to its clients’ networks. This, he argued, gives Kaspersky Lab the capability to act as “a private global cyber intelligence network.”