Israel says Russians using Kaspersky window to steal US secrets

Russian hackers had stolen classified NSA materials from a contractor using the Kaspersky software on his home computer

Nicole Perlroth & Scott Shane | NYT
Last Updated : Oct 12 2017 | 2:50 AM IST
It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programmes.

What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool - antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen American government agencies.

The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.
 
Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers. Its popular antivirus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest.

The National Security Agency and the White House declined to comment for this article. The Israeli Embassy declined to comment, and the Russian Embassy did not respond to requests for comment.

The Wall Street Journal reported last week that Russian hackers had stolen classified NSA materials from a contractor using the Kaspersky software on his home computer. But the role of Israeli intelligence in uncovering that breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed.

Kaspersky Lab denied any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement Tuesday afternoon. Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.”

The Kaspersky-related breach is only the latest bad news for the security of American intelligence secrets. It does not appear to be related to a devastating leak of NSA hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online. Nor is it evidently connected to a parallel leak of hacking data from the CIA to WikiLeaks, which has posted classified CIA documents regularly under the name Vault7.

For years, there has been speculation that Kaspersky’s popular antivirus software might provide a back door for Russian intelligence. More than 60 per cent, or $374 million, of the company’s $633 million in annual sales come from customers in the United States and Western Europe. Among them have been nearly two dozen American government agencies - including the State Department, the Department of Defence, Department of Energy, Justice Department, Treasury Department and the Army, Navy and Air Force.

The NSA bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

“Antivirus is the ultimate back door,” said Blake Darché, a former NSA operator and co-founder of Area 1 Security. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

On September 13, the Department of Homeland Security ordered all federal executive branch agencies to stop using Kaspersky products, giving agencies 90 days to remove the software. Acting Department of Homeland Security Secretary Elaine C Duke cited the “information security risks” presented by Kaspersky and said the company’s antivirus and other software “provide broad access to files” and “can be exploited by malicious cyber actors to compromise” federal computer systems.

That directive, which some officials thought was long overdue, was based, in large part, on intelligence gleaned from Israel’s 2014 intrusion into Kaspersky’s corporate systems. It followed months of discussions among intelligence officials, which included a study of how Kaspersky’s software works and the company’s suspected ties with the Kremlin.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky,” DHS said in its statement, “could capitalise on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”
©2017 The New York Times News Service