Russian cyber firm blames NSA contractor for (accidentally) leaking U.S. hacking tools


A Moscow-based cybersecurity firm called Kaspersky Lab has admitted it got a hold of hacking tools linked to the NSA. But it insists the tools were obtained without malicious intent and not provided to the Russian government.

The Russian government did, however, wind up in possession of those tools, which include information about how the U.S. defends against cyberattacks, as well as how it penetrates foreign computer networks. Reportedly, this all came from a hapless NSA contractor. The question is whether Kaspersky was involved and, if so, to what extent — knowingly or unknowingly.

Kaspersky Lab’s relationship with the United States is rife with suspicion. The Department of Homeland Security ordered federal agencies to remove the lab’s widely used antivirus software in September, writing in a statement that DHS was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

But, as Wired wrote on Wednesday, the U.S. hasn’t provided evidence to back up its claims, leaving observers to hash out what to believe, and forcing Kaspersky customers to decide whether to ditch the software due to suspicion alone. 

All this brings us back to why it’s important to figure out Kaspersky’s relationship to the stolen NSA tools, which, according to The Wall Street Journal, contained information about tactics the NSA uses to break into computer networks in other nations.

Kaspersky’s version of events begins on Sept. 11, 2014, when, as explained in a blog post from the company on Wednesday, its antivirus software discovered “Equation malware” on a user’s computer. “Equation malware” is thought to be associated with the NSA.

That user — reportedly an NSA contractor who had information about the agency’s hacking tools on his personal computer — then deactivated the software for several weeks. During that time, the user evidently pirated a malware-ridden version of Microsoft Office. Upon reactivating the software, Kaspersky caught the obvious malware along with something it didn’t recognize, described in the blog post as malware of “new and unknown variants,” linked to that same supposed NSA malware. 

Acting according to its security settings, the software sent this new malware to Kaspersky Lab HQ for further processing. A Kaspersky analyst discovered the NSA malware and “reported the incident to the CEO,” Eugene Kaspersky, at which point “the archive was deleted from all our systems. The archive was not shared with any third parties.”

If this is true, then several things seem possible. 

The more generic malware contracted by the hapless NSA contractor when he pirated Microsoft Office reportedly contained a “backdoor” that could have allowed unknown actors to waltz into his computer and take what they wanted during the few weeks the contractor had switched off Kaspersky’s antivirus software. If this is the case, then Kaspersky might be free of blame. 

Of course, if Kaspersky’s software is (knowingly or unknowingly) compromised, then Russian hackers might have been notified about the NSA information as soon as the antivirus software picked up on those “new and unknown variants.” From there, hackers associated with the Russian government could have repeatedly targeted the NSA contractor to extract as much information as possible.

This wouldn’t necessarily mean Kaspersky Lab is an active partner of the Kremlin, but, as cryptography expert Matthew Green tweeted in early October, it wouldn’t be a good look for a cybersecurity firm. 

It’s also, of course, possible that Kaspersky isn’t telling the truth. 

Or, as Eugene Kaspersky implied was possible earlier this month (according to The Guardian), maybe Russian hackers hacked Kaspersky Lab.

As for the NSA contractor, the article from The Wall Street Journal that broke the story didn’t name him. He reportedly wasn’t trying to help the Russian government or any other foreign body, but might’ve brought his work home to get more done — even though he knew it’s possibly against the law to put NSA materials on a personal computer. 
