Analysis: No Conspiracy Theories Necessary to Explain Epic NSA Pwnage
Modern-day spy story: A member of the National Security Agency’s offensive hacking team takes top-secret work home, copies it onto a home PC in violation of agency rules, and his Kaspersky Lab consumer anti-virus product flags the code as malware, sending a copy back to the vendor’s security researchers for analysis. At some point, one or more intelligence agencies apparently also see a copy of the malware and potentially trace it back to the PC in question, which they hack into directly, stealing everything it contains.
So goes one bare-bones theory explaining how the NSA allegedly had some of its biggest secrets stolen in 2015 by Russian intelligence agents. Two media reports published Thursday about the breach, which was allegedly discovered this past spring, appear to flesh out the U.S. government’s concerns about how Kaspersky Lab products running on U.S. government systems could pose a threat to national interests (see Russian Theft of NSA Secrets: Many Questions, Few Answers).
Here are 10 reactions to this unfolding story:
1. NSA: Recurring Insider Problems
Blaming Kaspersky Lab may be politically expedient for U.S. intelligence agencies. But for an analyst to take top-secret NSA malware home and install it on his PC represents a massive operational security error, as highlighted by the satirical @SwiftOnSecurity Twitter account.
I installed Kaspersky on my computer and it detected the malware I was writing for the US government! pic.twitter.com/Ye4dAa16rH
— SwiftOnSecurity (@SwiftOnSecurity) October 6, 2017
The NSA employee who took work documents and data home and installed it on an unclassified system does not appear to have been charged, the New York Times reports.
The incident is only the latest in a string of embarrassing insider episodes, including the case of ex-contractor Edward Snowden, who began leaking documents in 2013.
For example, in August 2016, former U.S. Navy officer and long-time government contractor Harold T. Martin III was accused of amassing an enormous stash of classified information over a 20-year period.
In June, Reality Leigh Winner, a contractor with Pluribus International, was arrested on charges that she leaked a top-secret document to the media that describes how Russia attempted to compromise the 2016 U.S. presidential election.
2. All AV Firms Analyze Suspicious Files
The newly revealed breach that resulted from the NSA analyst allegedly taking malware home might have been prevented if he had adjusted his anti-virus settings.
As British information security researcher Kevin Beaumont notes, anti-virus applications generally give users the option to share suspicious files with the vendor for further analysis, and that option can be turned off. In enterprises, administrators can typically also disable it centrally via Windows Group Policy settings, so that individual users cannot opt back in.
Worth noting that Windows 10 Defender, which is baked into the OS, does automatic submission of suspect files to MS – like Kaspersky. pic.twitter.com/4vCnTEvcHJ
— Kevin Beaumont (@GossiTheDog) October 6, 2017
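The same opt-out exists for the Windows 10 Defender submission that Beaumont mentions. The following PowerShell, added here as an illustration rather than anything from the article or from Microsoft’s or Kaspersky Lab’s documentation, audits a single Windows 10 host’s Defender cloud and sample-submission settings, switches them to “never send,” and then shows where the Group Policy values that override per-host settings live. It assumes an elevated PowerShell session on Windows 10 with the built-in Defender module; the numeric value meanings are Microsoft’s documented enumerations for Set-MpPreference.

```powershell
# Added example (not from the article): audit and harden Microsoft Defender's
# cloud sample-submission settings on one Windows 10 host, the Defender
# counterpart of the Kaspersky KSN opt-out the article describes.
# Assumes: Windows 10, built-in Defender module, elevated session.

$submitMeaning = @{
    0 = 'Always prompt'
    1 = 'Send safe samples automatically'
    2 = 'Never send'
    3 = 'Send all samples automatically'
}
$mapsMeaning = @{
    0 = 'Disabled'
    1 = 'Basic membership'
    2 = 'Advanced membership'
}

# Return the two settings that govern whether files leave the box.
function Get-SampleSubmissionState {
    $p = Get-MpPreference
    [pscustomobject]@{
        SubmitSamplesConsent = "$($p.SubmitSamplesConsent) ($($submitMeaning[[int]$p.SubmitSamplesConsent]))"
        MAPSReporting        = "$($p.MAPSReporting) ($($mapsMeaning[[int]$p.MAPSReporting]))"
    }
}

Write-Host 'Before:'
Get-SampleSubmissionState | Format-List

# Weak posture (what an out-of-the-box consumer install typically looks like):
# cloud membership on and suspicious samples shipped to the vendor automatically.
#   Set-MpPreference -MAPSReporting 2 -SubmitSamplesConsent 1

# Hardened posture for a host that handles sensitive or in-house code:
# keep local signature and heuristic scanning, but never send files off the box.
Set-MpPreference -SubmitSamplesConsent 2   # 2 = Never send
Set-MpPreference -MAPSReporting 0          # 0 = no cloud-protection reporting

Write-Host 'After:'
Get-SampleSubmissionState | Format-List

# Enterprise equivalent: the Group Policy "MAPS" settings the article refers to
# land in this registry key and take precedence over Set-MpPreference values,
# which is how an admin prevents users from opting back in.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
if (Test-Path $policyKey) {
    Write-Host 'Policy-managed values (these win over local preferences):'
    Get-ItemProperty -Path $policyKey |
        Select-Object SpynetReporting, SubmitSamplesConsent, LocalSettingOverrideSpynetReporting
} else {
    Write-Host 'No Defender MAPS policy key present; local preferences apply.'
}
```

The trade-off is the one the article itself describes: turning off cloud reporting and sample submission keeps unknown files on the machine, but it also removes the cloud-delivered detections that catch new threats faster than signature updates. On a policy-managed domain host the Set-MpPreference calls succeed but are overridden by the policy values shown in the last step, so always check the registry key as well.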
3. Sharing Is the Norm
Sharing samples has long been the information security community norm. “In fact this is an industry standard. However, with KAV people can completely turn off the telemetry or install private KSN,” says Kaspersky Lab CEO Eugene Kaspersky via Twitter, referring to the Kaspersky Security Network.
The company says KSN “allows Kaspersky Lab quick collecting of data concerning new threats and developing methods to protect computers from new threats” and notes that “the more users participate in KSN, the more your computer is protected.”
The end user license agreement for Kaspersky Anti-Virus 2018 likewise states: “If you do not wish to provide information to the Kaspersky Security Network service, you should not activate the Kaspersky Security Network service.”
It adds: “Kaspersky Lab does not collect, process and store any personal user information.”
4. Virus Telemetry Data Matters
Security experts say such telemetry data, collected by all anti-virus software, is crucial for helping security firms to spot emerging threats and block them.
Anti-virus telemetry refers to the records the software generates when it detects known malware for which a signature has already been deployed, plus, where the user has opted in, samples of unknown or suspicious files. Firms regularly analyze massive quantities of such files to see if they’re variants of previously seen malware or entirely new attack code.
Signal-to-noise can be a problem, especially with advanced attack code developed by nation-states, which may only ever get deployed against a handful of targets. Working together, however, security firms have continued to unearth some of these attack tools, such as Flame, Regin and Duqu, some of which have been tied to the Equation Group, which many security experts believe is the NSA (see AV Firms Defend Regin Alert Timing).
On a related note, Kaspersky Lab in June 2015 said that it had been infected by a Stuxnet cousin called Duqu 2.0, which many security researchers suspect was built and used exclusively by the NSA.
That may very well tie in to the recent revelations and could explain how Kaspersky Lab came to possess so many Equation Group files, notes American independent journalist Marcy Wheeler on her “emptywheel” website. “If some NSA contractor delivered all that up to Kaspersky [Lab], it would explain the breadth of Kaspersky’s knowledge,” she writes. “It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.”
5. Sharing With VirusTotal Common
Malware samples not only get shared among security firms, but also with malware-analysis services such as VirusTotal. “Many U.S. security companies do automated submission to VirusTotal, which has Russian (etc.) researchers. That is fine and helps everybody,” Beaumont notes.
Others also use VirusTotal for research purposes. For example, last year, about a week after the secret arrest of Martin, the FBI uploaded numerous files from Martin’s PC to VirusTotal to see if they were malware, security researchers found. Beaumont says he tested the files and found that they were all encrypted with PGP, meaning no one without the corresponding private key would have been able to open them. None of the files, he added, matched known malware samples.
6. Lawmakers Make Hay
Some U.S. lawmakers are already making political hay out of the Thursday reports that the NSA got pwned because an analyst took work home and it got flagged by his Kaspersky Lab anti-virus software.
The breach “serves as a stark warning – not just to the federal government, but to states, local governments and the American public – of the serious dangers of using Kaspersky software,” claims Sen. Jeanne Shaheen, D-N.H., the Washington Post reports.
Shaheen has led the push in Congress to ban Kaspersky Lab software from government networks and beyond. “Trump admin should declassify info on Kaspersky Labs to raise awareness,” Shaheen says via Twitter.
Her comment underscores the fact that the U.S. government has released no evidence that might support its assertions that Kaspersky Lab products are dangerous for not just government users, but also businesses and consumers (see Kaspersky Lab Debate: Put Up or Shut Up).
7. Remember PRISM?
Shaheen’s assertion also reveals a stark U.S. bias. What’s to say that domestic anti-virus vendors are not working with the U.S. government, either voluntarily or after being compelled to do so in secret? In addition, what if their telemetry pipelines are being monitored by intelligence agencies, both foreign and domestic?
Snowden’s leaks revealed that under the PRISM program the NSA was collecting user data from such technology and cloud service giants as Apple, AOL, Dropbox, Facebook, Google, Microsoft and Yahoo, and that a separate program, code-named MUSCULAR, had tapped the unencrypted links between Google’s and Yahoo’s data centers. In response, many of those firms began encrypting all data center communications and rolling out end-to-end encrypted messaging products.
In an ironic twist, the Washington Post reports that the NSA employee who took his malware work home in 2015 was helping develop new attack tools because the old ones had been considered to have been burned after Snowden’s leaks.
8. How Was Analyst Tracked?
What remains unclear is how the NSA employee’s home PC may have come to the attention of Russian intelligence.
Anonymously sourced U.S. news reports have noted that it isn’t clear if Kaspersky Lab may have helped the Russian government directly or if its software was an unwitting pawn. On the latter front, intelligence agencies might have been listening in on the Kaspersky Lab telemetry-reporting pipeline. Or they might have identified the employee as a person of interest and simply hacked into his PC by exploiting a flaw in the Kaspersky Lab software or in any other software on the machine.
How exactly do anti-virus firms anonymize the origin of malware samples that get shared from a user’s installation with security researchers? Information Security Media Group on Friday put this question to Avast, Avira, Bitdefender, Bullguard, Emsisoft, ESET, F-Secure, Kaspersky Lab, McAfee, Microsoft, Panda, Symantec, Trend Micro, VIPRE and Webroot and will provide updates with their answers.
9. Kaspersky: Potential Political Pawn
Eugene Kaspersky and his firm have continued to deny any improper behavior, saying it would never help “any government in the world with its cyber espionage efforts.” He’s further defended his company’s reputation, in part, by noting all of the state-sponsored malware from various countries that his firm has helped unmask.
“We make no apologies for being aggressive in the battle against cyber threats,” Kaspersky says via Twitter.
Kaspersky has long offered to testify before U.S. lawmakers and had been scheduled to do so on Sept. 27 before a House subcommittee on technology. But lawmakers subsequently postponed the hearing, apparently indefinitely.
On Thursday, Kaspersky threw a dig at “politicians” – pointedly not qualifying it by saying if he was referring to the U.S. or Russian government – for besmirching his firm’s reputation.
Ok, politicians destroyed trust in #cybersecurity. What’s next? Will customers move from multi-layered to multi-vendor protection?
— Eugene Kaspersky (@e_kaspersky) October 5, 2017
Kaspersky Lab told ISMG in a statement Friday that it “has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company.”
Cryptographer Matthew Green, an assistant professor of computer science at Johns Hopkins University, says it’s unlikely any such evidence would ever be produced for public consumption.
That’s the thing about geopolitical infowars. They are not conducted in such a way that random people like us get evidence briefings.
— Matthew Green (@matthew_d_green) October 6, 2017
10. Likelihood: No Conspiracy
Numerous security researchers, speaking with ISMG, doubt that there’s any conspiracy involving Kaspersky Lab and the Russian government. In fact, the same charges being leveled against the Moscow-based firm by anonymous U.S. officials speaking on background could potentially be leveled at any other security firm (see Anti-Virus Conspiracy Theories Cut Both Ways).
Any security firm found to be aiding its government’s cyber espionage efforts would risk reputational damage and bankruptcy.
Suggesting that such help is needed also overlooks the fact that governments don’t need security firms’ cooperation to hack a PC. All software has bugs, and that includes security software. Intelligence agencies regularly search for or purchase details of these vulnerabilities to aid in their targeted attacks (see Yes Virginia, Even Security Software Has Flaws).
When governments develop their own attack code, don’t expect Kaspersky Lab anti-virus or any similar products to spot or block it. “Consumer-grade anti-virus products can’t protect well against targeted malware created by well-resourced nation-states with bulging budgets,” says Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure.