Intelligence

Russian spies pilfered data from NSA Contractor’s home PC running a Kaspersky AV

Russian hackers allegedly exploited Kaspersky AV to hack into an NSA contractor’s home PC and steal NSA exploit code. The allegation complicates Kaspersky’s position.

Anonymous sources have claimed Russian intelligence extracted NSA exploits from a US government contractor’s home PC using Kaspersky Lab software.

Sources told the Wall Street Journal that malicious code allowed cyber spies to exfiltrate classified code, documentation and other sensitive data. Kremlin hackers allegedly exploited the security package in some way to identify those sensitive files and exfiltrate them.

“Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter,” states the Wall Street Journal.

“The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.”

The security breach occurred in 2015 but was discovered only earlier this year. Experts speculate that the stolen NSA exploit code and classified documents could be compared with the code included in the Shadow Brokers dump, which dates back to 2013.

According to the sources, the Kaspersky antivirus detected the NSA exploit while scanning the machine. Once it had detected the malicious software, the antivirus sent it back to a cloud service for inspection; it is in this phase that Russian intelligence allegedly exploited the software to establish a backdoor to the PC.

The WSJ’s sources do not clarify the role of the Kaspersky firm in the theft: it is unclear whether the company helped the Russian spies or whether the hackers exploited flaws in Kaspersky software to exfiltrate the exposed documents.

Another possibility is that, under Russian law, the Russian government compelled Kaspersky personnel to hack into the computer containing the NSA code and exfiltrate it.

Kaspersky Lab was the first company to spot malware used by the NSA-linked Equation Group, and it is likely that Russian intelligence exploited this knowledge for espionage purposes.

Kaspersky Lab promptly denied any involvement; below is the official statement published by the company.

“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company.

“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

“We make no apologies for being aggressive in the battle against malware and cybercriminals. The company actively detects and mitigates malware infections, regardless of the source, and we have been proudly doing so for 20 years, which has led to continuous top ratings in independent malware detection tests. It’s also important to note that Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the U.S. and around the world.” – Attributable to Kaspersky Lab.

Since the US government began banning Kaspersky products from federal computers in September, Kaspersky has repeatedly offered up the source code of its products for officials to review.

“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them. If these reports are true, Russia has pulled that off,” said U.S. Senator Ben Sasse, a member of the Senate Armed Services Committee.

“The men and women of the US Intelligence Community are patriots; but, the NSA needs to get its head out of the sand and solve its contractor problem. Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.”

The Kaspersky antivirus may have detected NSA malware being used in the wild and, intentionally or not, provided the Russian cyberspies with the backdoor used to steal the precious code.

Sincerely, I’m disconcerted about the way this kind of code is managed by US intelligence: the code was stolen from a personal PC running Kaspersky antivirus. Is this the best way to keep a hacking tool?

Senator Jeanne Shaheen (D-NH) also condemned the company and urged strong action against it.

“The strong ties between Kaspersky and the Kremlin are extremely alarming and have been well documented for some time,” she said today. “It’s astounding and deeply concerning that the Russian government continues to have this tool at their disposal to harm the United States,” reads Shaheen’s statement.


Pierluigi Paganini

(Security Affairs – Kaspersky, NSA)
