FacebookTwitterLinkedIn

Kaspersky Labs Linked to NSA Data Breach

Karolis Liucveikis Written by on

Earlier this President Donald Trump’s government moved to ban all Kaspersky Lab products from US Government institutions and agencies. Law enforcement and information agencies also recommended to the private sector that they should desist for purchasing products and services from the Russian based company. Very little evidence was provided to the public as to the decision made by President Trump, however, the reason for the decision rests in Kaspersky Lab’s alleged inappropriate links to the Russian Government.

This matter resurfaced recently on October 6 with articles published in both the Wall Street Journal and the Washington Post that a breach which may have occurred in 2015 was made possible in part by Kaspersky’s Antivirus Software. US officials seem to believe that a scan performed by Kaspersky Lab’s security software on the contractor's computer helped Russian hackers in identifying the files containing sensitive information. Evidence in both articles for the claims rests on anonymous sources who allege one of two situations may have occurred which enabled Russian hackers to gain access to classified documents.

The first being that the antivirus’ practice of uploading suspicious files (malware executables) to the company's server, located in Russia, may have granted the Russian government access to the data. This is deemed possible by US agencies as Russian law requires telecommunications companies in the country to provide access to their networks. The second way classified files might have been gained is by Russian hackers stealing the confidential data by exploiting vulnerabilities in Kaspersky Lab software installed on the targeted system.

Known details of the breach

NSA officials apparently only became aware of the breach in 2016. The employee involved was a US citizen born in Vietnam who worked for the Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence. The person, who has not yet been named as the investigation is ongoing, was an employee of the NSA rather than a hired contractor. In past data breaches, it has been contractors who released classified information, often to the public. The employee was removed from his job in 2015 but it is believed he took home classified information. At the time of his dismissal, it was believed that the materials were not taken for any malicious purpose or handed over to foreign spies.

kaspersky lab linked to nsa data breach

Investigators believe that the employee had Kaspersky’s antivirus software installed on the computer used to remove the classified documents and these were stolen by one of the two methods listed above. The Washington Post reported that this incident, “is the latest in a series of damaging breaches of the NSA in recent years and is among the first concrete indications of why the U.S. intelligence community believes that Kaspersky Lab software operates as a tool for Russian espionage.”

The material stolen includes hacking tools he was helping to develop to replace others that were considered compromised following the breach of NSA material by former contractor Edward Snowden, said one individual familiar with the matter. This breach predates last year’s arrest of former NSA contractor Harold T. Martin III which is believed to be the largest theft of classified information in U.S. history. Martin pleaded not guilty this year to violating the Espionage Act and is awaiting trial. This is yet another embarrassing episode in the NSA's fast becoming less than illustrious history.

Kaspersky Lab’s response

In a press statement released shortly after the articles appeared in both the Wall Street Journal and the Washington Post Kaspersky strongly denies the allegations put forward. In the statement, Kaspersky goes on record to state that they have received no evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017. In the Washington Post’s article the alleged dangers of antivirus software been leveraged for cyber espionage. In support of the articles claim much was made of Eugene Kaspersky’s past that he graduated from a KGB-supported cryptography school and had worked in Russian military intelligence before starting Kaspersky Labs. The article also questions the trustworthiness of the company’s practices. To which Kaspersky responded:

However, as the trustworthiness and integrity of our products are fundamental to our business, we are seriously concerned about the article’s implications that attackers may have exploited our software. We reiterate our willingness to work alongside U.S. authorities to address any concerns they may have about our products and respectfully request any relevant information that would enable the company to begin an investigation at the earliest opportunity

And

We make no apologies for being aggressive in the battle against malware and cybercriminals. The company actively detects and mitigates malware infections, regardless of the source, and we have been proudly doing so for 20 years, which has led to continuous top ratings in independent malware detection tests. It’s also important to note that Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the U.S. and around the world

Eugene Kaspersky, via his blog, has also weighed in on the issue as he actively has done so in the past. In his blog post, he goes on to question that if the report was indeed true that Russian hackers had exploited a weakness found on a user’s computer why was it not reported to them. He goes on to state that the company patches all major bugs within hours so the US Government had an ethical duty to disclose the vulnerability in order to make the world a little safer from cyber threats. Both in the blog and press statement, Kaspersky believes it to be part of a geopolitical fight rather what is alleged in the articles.

With so little to go on in terms of evidence, it is difficult to make assumptions as to Kaspersky’s involvement in this issue and the issue of what the nature of their relationship with the Russian government may be. Cybersecurity firms often assist government globally to catch cybercriminals, assuming a relationship may be abuse the trust and rights of users based on anonymous sources particularly in light of the ongoing hostile relationship between the White House and the Kremlin may be unwise.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog