In 2015, Russian agents stole highly classified NSA materials from a contractor, according to a new report in The Wall Street Journal. It’s a major breach of internal security, made possible after the contractor transferred the materials to his home computer in violation of known security procedures.
Even more alarming is how the foreign agents became aware of that violation. According to the report, the hackers seem to have identified the files — which contained “details of how the U.S. penetrates foreign computer networks and defends against cyberattacks” — after an antivirus scan by Kaspersky antivirus software, which somehow alerted hackers to the sensitive files.
It’s an embarrassing breach for the NSA, which has struggled with contractor security since the Snowden leaks. NSA contractor Harold Martin was charged with taking home classified documents in 2016, although the Journal makes it clear that the Martin case is unrelated to the latest news. This summer, the Justice Department charged NSA contractor Reality Winner with leaking classified documents concerning Russian election interference.
It’s unclear whether this latest compromise is related to the Shadow Brokers campaign, an ongoing leak of NSA hacking tools that many have linked to the Russian government. The Shadow Brokers first appeared in August 2016; according to the Journal, the NSA only became aware of the compromise that spring.
While Kaspersky’s software was allegedly central to the breach, it’s unclear whether the company was aware of the attack. Antivirus programs routinely send back telematics data to central servers, which in Kaspersky’s case, may well have been located in Russia. Those transmissions are encrypted using SSL, but if Russian agents were able to break that encryption, they would have been able to detect the scan without alerting either Kaspersky or the contractor himself.
There’s reason to think a skilled hacker might be able to get around that encryption. As one person pointed out on Twitter, Google researchers discovered an SSL interception vulnerability in Kaspersky’s antivirus software in November 2016, a year after the events described by the Journal. Tavis Ormandy, the researcher who discovered the bug, was surprised the company hadn’t investigated the errors resulting from the bug, writing, “It seems incredible that Kaspersky haven’t noticed.”
The result is a major breach of trust for a company that has already been the subject of significant scrutiny. The company was barred from selling to the US government this summer, reportedly over concerns about Russian government influence. More recently, the FBI has urged private sector companies to discontinue use of Kaspersky products. Despite widespread pressure from the government, today’s Journal story is the first indication of the Russian government using Kaspersky to attack offshore targets.
In a tweet in advance of publication, Kaspersky dismissed the report as rumor. “New conspiracy theory,” the founder wrote, “note we make no apologies for being aggressive in the battle against cyberthreats.”