Russian spies hacked a popular anti-virus program to steal U.S. secrets. Here’s how Israel caught them | Toronto Star

The NSA and the White House declined to comment for this article. The Israeli Embassy declined to comment, and the Russian Embassy did not respond to requests for comment.

The Wall Street Journal reported last week that Russian hackers had stolen classified NSA materials from a contractor using the Kaspersky software on his home computer. But the role of Israeli intelligence in uncovering that breach and the Russian hackers’ use of Kaspersky software in the broader search for U.S. secrets have not previously been disclosed.

Kaspersky Lab denied any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement Tuesday. Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.”

The Kaspersky-related breach is only the latest bad news for the security of American intelligence secrets. It does not appear to be related to a devastating leak of NSA hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online. Nor is it evidently connected to a parallel leak of hacking data from the CIA to WikiLeaks, which has posted classified CIA documents regularly under the name Vault7.

For years, there has been speculation that Kaspersky’s popular anti-virus software might provide a backdoor for Russian intelligence. More than 60 per cent, or $374 million, of the company’s $633 million in annual sales come from customers in the United States and Western Europe. Among them have been nearly two dozen U.S. government agencies – including the State Department, the Department of Defense, Department of Energy, Justice Department, Treasury Department and the Army, Navy and Air Force.

The NSA bans its analysts from using Kaspersky anti-virus at the agency, in large part because the agency has exploited anti-virus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

“Anti-virus is the ultimate backdoor,” said Blake Darché, a former NSA operator and co-founder of Area 1 Security. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

On Sept. 13, the Department of Homeland Security ordered all federal executive branch agencies to stop using Kaspersky products, giving agencies 90 days to remove the software. Acting Department of Homeland Security Secretary Elaine C. Duke cited the “information security risks” presented by Kaspersky and said the company’s anti-virus and other software “provide broad access to files” and “can be exploited by malicious cyber actors to compromise” federal computer systems.

That directive, which some officials thought was long overdue, was based, in large part, on intelligence gleaned from Israel’s 2014 intrusion into Kaspersky’s corporate systems. It followed months of discussions among intelligence officials, which included a study of how Kaspersky’s software works and the company’s suspected ties with the Kremlin.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky,” DHS said in its statement, “could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Kaspersky Lab did not discover the Israeli intrusion into its systems until mid-2015, when a Kaspersky engineer testing a new detection tool noticed unusual activity in the company’s network. The company investigated and detailed its findings in June 2015 in a public report.

The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu,” which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint U.S.-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010.

Kaspersky reported that its attackers had used the same algorithm and some of the same code as Duqu, but noted that in many ways it was even more sophisticated. So the company researchers named the new attack Duqu 2.0, noting that other victims of the attack were prime Israeli targets.

Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the U.N. Security Council to negotiate the terms of the Iran nuclear deal – negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint U.S.-Israeli operation like Stuxnet.

Kaspersky’s researchers noted that attackers had managed to burrow deep into the company’s computers and evade detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky’s systems, employing sophisticated tools to steal passwords, take screenshots, and vacuum up emails and documents.

In its June 2015 report, Kaspersky noted that its attackers seemed primarily interested in the company’s work on nation-state attacks, particularly Kaspersky’s work on the “Equation Group” – its private industry term for the NSA – and the “Regin” campaign, another industry term for a hacking unit inside the United Kingdom’s intelligence agency, the Government Communications Headquarters, or GCHQ.

Israeli intelligence officers informed the NSA that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for U.S. government classified programs, and pulling any findings back to Russian intelligence systems. They provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

It is not clear whether, or to what degree, Eugene V. Kaspersky, the founder of Kaspersky Lab, and other company employees have been complicit in the hacking using their products. Technical experts say that at least in theory, Russian intelligence hackers could have exploited Kaspersky’s worldwide deployment of software and sensors without the company’s co-operation or knowledge. Another possibility is that Russian intelligence officers might have infiltrated the company without the knowledge of its executives.

But experts on Russia say that under President Vladimir Putin, a former KGB officer, businesses asked for assistance by Russian spy agencies may feel they have no choice but to give it. To refuse might well invite hostile action from the government against the business or its leaders. Kaspersky, who attended an intelligence institute and served in Russia’s Ministry of Defense, would have few illusions about the cost of refusing a Kremlin request.

Steven L. Hall, a former chief of Russian operations at the CIA, said his former agency never used Kaspersky software, but other federal agencies did. By 2013, he said, Kaspersky officials were “trying to do damage control and convince the U.S. government that it was just another security company.”

He didn’t buy it, Hall said. “I had the gravest concerns about Kaspersky, and anyone who worked on Russia or in counter-intelligence shared those concerns,” he said.