Update 10/23/2017:
Kaspersky Lab has announced a transparency initiative, opening their source code up to independent review. The announcement comes after reports form the Wall Street Journal and the New York Times, stating that Russian hackers used Kaspersky's product to steal sensitive materials from an NSA contractor's computer. Kaspersky denied any cooperation with the Russian government at the time those stories were printed, and continues to do so.
In a press release, Kaspersky says the transparency initiative will involve submitting the source code of its software – including updates and detection rules – for independent review. The aim is to give those with relevant interest a chance to validate and verify the code's trustworthiness, as well as the trustworthiness of the company's internal processes and business operations.
However, while the initiative is a solid starting point, it doesn't address the real concern, wrote Rick Ledgett, the former Deputy Director of the National Security Agency.
Anti-virus software is designed to have access to all the files on a customer's computer. In this case, the customer was an NSA contractor. By design, Kaspersky's software would have scanned those files, and if there was a signature match, it's possible they would have collected them for further analysis.
"So that is what Kaspersky has been accused of doing: using (or allowing to be used) its legitimate, privileged access to a customer's computer to identify and retrieve files that were not malware," Ledgett explained.
"Eugene Kaspersky's proposal to have experts analyze Kaspersky anti-virus code is irrelevant in this case, because the code is doing exactly what it has been designed to do, but in a way that is inconsistent with what customers expect and are paying for. It's not the code itself, it's the use of the code. The experts will find that the code does exactly what it's supposed to do, and he knows that."
This circles back to the original question. Did Kaspersky willingly share their trusted access, or were they victims too?
The original story, as well as all previous updates are below.
Update 10/10/2017:
On Tuesday, the New York Times published a story connecting Israeli spies to the 2015 data breach at Kaspersky. It was during the Israeli operation that they noticed the NSA tools on Kaspersky's network, and reported their discovery to the NSA. The NSA launched an immediate investigation, which is what eventually led to the black balling Kaspersky faces in the U.S. today.
The original NYT story is here.
In a statement, Kaspersky denies any involvement and says they have no knowledge of the intelligence operation described in the Times' article.
"Kaspersky Lab was not involved in, and does not possess any knowledge of, the situation in question. As the integrity of our products is fundamental to our business, Kaspersky Lab patches any vulnerabilities it identifies or that are reported to the company," the company said in a prepared statement.
"Kaspersky Lab reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems, and respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity. In addition, Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts."
Update:
After this story was published, Salted Hash was made aware of statements from Eugene Kaspersky on his blog.
"While protecting our customers, we do – as any other cybersecurity vendors – check the health of a computer. It works like an X-ray: the security solution can see almost everything in order to identify problems, but it cannot attribute what it sees to a particular user," Kaspersky said in his post addressing the WSJ report.
"In the wake of the last article I want to emphasize: if our technologies detect anything suspicious and this object is identified as malware, in a matter of minutes ALL our clients no matter who and where they are, will receive protection from this threat."
As for the notion that his company product was hacked:
"Now if we assume, that what is reported is true: that Russian hackers exploited a weakness in our products installed on a PC of one of our users, and respected government agencies concerned of national security knew about that, why didn’t they report it to us? We patch the most severe bugs in a matter of hours, so why not make the world a bit more secure by reporting the vulnerability to us? I can’t imagine an ethical justification for not doing so."
Original Story:
A report in The Wall Street Journal says that hackers working for the Russian government stole sensitive documents from a NSA contractor's home computer. The story goes on to say the contractor was targeted after the files were discovered by Kaspersky's Anti-Virus software, somewhat explaining the U.S. government's push to ban Kaspersky on its systems.
"The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter," the WSJ reported.
If the story proves to be true, the bigger picture is that the NSA suffered a third data breach of its hacking tools.
As to how Kaspersky ties into this data breach, the WSJ report says U.S. investigators believe the unnamed contractor's use of Kaspersky Anti-Virus (KAV) alerted the Russian hackers to the presence of the files.
"Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA. But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding," the WSJ reported.
One of the major unanswered questions in this story is what caused KAV to hit on these files?
If the files were related to Equation Group, then it should come as no surprise that Kaspersky's software scanned for known files and flagged them for further analysis. All anti-virus vendors do this, including those developed in the U.S.
In 2015, Kaspersky disclosed a nation-state level attack on their network (Duqu 2.0), and said the attackers were focused on their work related to APTs and nation-state attacks, including Equation Group and Regin. Considering the timeline, this suggests that Duqu 2.0 was some sort of retaliation for the compromise of the contractor's system – but that's just speculation.
The other big question: How did the Russian hackers get information from KAV?
Well, there are no solid answers to that million-dollar question.
The idea that Russian intelligence compromised Kaspersky's network in an effort to leverage their install-base isn't as far-fetched as it sounds. No one, not even Kaspersky, can thwart nation-state actors forever. Eventually, they will get what they're after. However, there isn't any proof such a scenario happened.
Did Kaspersky willingly hand over access to the Russian government? Again, while unlikely, there is no proof either way and Kaspersky denies any such cooperation with intelligence services.
In briefings with the private sector, urging them to dump Kaspersky products from their network, the FBI wouldn't get into much detail other than to essentially say, "Kaspersky, bad. Anything else, good." and leave it at that.
While it isn't clear what initially triggered the U.S. government's investigation into Kaspersky, Thursday's WSJ report certainly feels like a better explanation. They feel the software was used as a tool to compromise a NSA contractor.
Another interesting question stemming from the WSJ report centers on the hackers. What is the evidence that points to them working with or for the Russian government? If the usage of Kaspersky's software is the only link, that's a bit flimsy.
Kaspersky is a software company, they're not immune from exploitable flaws.
In 2015, Kaspersky worked with Tavis Ormandy to address a number of software flaws, "which could result in a complete compromise of any Kaspersky Antivirus user."
Is it possible one of those flaws, prior to being patched, led to outsiders compromising the software and the contractor's files? Maybe, but that would be speculation.
Again, the larger story is the third data breach of NSA hacking tools. This incident started with a contractor taking sensitive information home. Leaving Kaspersky completely out of the picture, this was never a good idea and placed that data at extreme risk.
Should enterprise managers consider today's story when selecting an anti-virus vendor? If Russia is part of your threat model, then perhaps Kaspersky isn't the best choice.
At the same time, there is a reason Kaspersky has a reputation before being aggressive and hard to avoid in the malware world. They're good at what they do.
However, risks should be weighed individually. What doesn't work for one organization might be fine for another.
In this reporter's opinion, it feels as if someone hacked Kaspersky's product and was able to access files that were being flagged for analysis. If this is the case, then the NSA's third data breach is the fault of an unknown contractor who took files home and a group of criminals who hacked a security vendor.
If Russian intelligence was responsible, then Kaspersky could be nothing more than a pawn in a political chess match. If anything, the WSJ shows just how hard it is for the NSA to control their tools and contractors.
The bad blood between Russia and the U.S. has placed Kaspersky in a crossfire, and today's story won't do them any favors.