More on Kaspersky and the Stolen NSA Attack Tools

Both the New York Times and the Washington Post are reporting that Israel has penetrated Kaspersky's network and detected the Russian operation.

From the New York Times:

Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky's access to aggressively scan for American government classified programs and pulling any findings back to Russian intelligence systems. [Israeli intelligence] provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

Kaspersky first noticed the Israeli intelligence operation in 2015.

The Washington Post writes about the NSA tools being on the home computer in the first place:

The employee, whose name has not been made public and is under investigation by federal prosecutors, did not intend to pass the material to a foreign adversary. "There wasn't any malice," said one person familiar with the case, who, like others interviewed, spoke on the condition of anonymity to discuss an ongoing case. "It's just that he was trying to complete the mission, and he needed the tools to do it."

I don't buy this. People with clearances are told over and over not to take classified material home with them. It's not just mentioned occasionally; it's a core part of the job.

More news articles.

Posted on October 11, 2017 at 2:54 PM • 24 Comments

Comments

handle_x • October 11, 2017 3:28 PM

"People with clearances are told over and over not to take classified material home with them. It's not just mentioned occasionally; it's a core part of the job."

AFAIK they (once upon a time?) were audited to maintain that, something about Leavenworth

// Overworked NSA TAO goon pours a third double, plugs in the wrong red thumb drive.

Automount. Autorun. KAV window pops up, scanning removable devices.
KAV in unobtrusive "silent mode" (no popups) dutifully executes a taskbar flash.
Virus definitions auto-update complete. CPU kicks up to 35% briefly, then back.

Default threat telemetry setting : yes
BaconFraud.exe : Uploaded
TurkeyMoney.MSI : Uploaded
PutinParty.gif : Uploaded
EffingMoron.zip : Uploaded

Heuristic file submission complete. "No active threats detected"
--idle--
Edge browser opens, facebook.com homepage opens. Autologin. "Hey, Michael!"

NSA OPSEC ensues.

Ratio • October 11, 2017 3:31 PM

Russia Has Turned Kaspersky Software Into Tool for Spying:

After discovering the 2015 breach, U.S. officials began gathering other evidence that Kaspersky was being used to identify classified information and assist in its theft, said the people familiar with the matter.

For many months, U.S. intelligence agencies studied the software and even set up controlled experiments to see if they could trigger Kaspersky’s software into believing it had found classified materials on a computer being monitored by U.S. spies, these people said. Those experiments persuaded officials that Kaspersky was being used to detect classified information.

Nameless Cow • October 11, 2017 3:32 PM

@Bruce

> I don't buy this. People with clearances are told over and over not to take classified material home with them. It's not just mentioned occasionally; it's a core part of the job.

I don't know whether the explanation is correct, but I find it plausible. Until something like this leak happens, the risk of the material being stolen may seem remote and theoretical. On the other hand, the risk of being fired for not keeping up with assigned tasks looks more real and present. I would not be surprised if someone decides to take a chance by taking work home, thinking that the risk of classified material leaking is low, because they have no intention to pass it to anybody.

Ross Snider • October 11, 2017 3:58 PM

The bad press and breathless ominous overtones about Kaspersky being a puppet of the Russian intelligence services (while likely true - USGIC has a similar relationship with Symantec - NSA has backdoored most American products and services) is a really awkward propaganda operation. Congressmen months ago were stating that we were going to target all forms of cyberpower of Russia in cyber-conflict and specifically named Kaspersky as a private entity that they wanted to harm. There's been a coordinated set of policies to put pressure on any cyber capability (privately owned or not) by Russia from the very start of Trump's presidency (sanctions on security software).

This is yet another escalation in the ongoing, invisible, and dangerous cyberwar that no country seems to have the political will to refrain from fueling.

Max • October 11, 2017 4:05 PM

The WaPo article quotes Kaspersky as saying it has no knowledge of an Israeli attack. The NYT article links to a Kaspersky article detailing the Israeli attack. :-)

Vesselin Bontchev • October 11, 2017 4:11 PM

Kaspersky never officially attributed who hacked his company in 2015, but there were several rather obvious pointers that it was the Israeli spy services, so that part is definitely believable. As for the rest, I still don't believe it.

handle_x • October 11, 2017 4:18 PM

The Israeli K-breach was confirmed by Kaspersky publicly in a 2015 report.
= https://securelist.com/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/70504/

From the Times:

The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu,” which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint American-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010....

Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the United Nations Security Council to negotiate the terms of the Iran nuclear deal — negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint American-Israeli operation like Stuxnet.

handle_x • October 11, 2017 4:21 PM

@V. Bontchev

All we "know" is that Russia's intelligence used KAV data/capabilities to search for what they were looking for. Exactly how they accomplished this is not disclosed AFAIK.

Whether or not E.K. was aware of this is an open question. What's not to believe?

Jared Hall • October 11, 2017 4:45 PM

@Bruce: "I don't buy this. People with clearances are told over and over not to take classified material home with them. It's not just mentioned occasionally; it's a core part of the job." Rank and file, yes. Officers and executives, no.
Pretty common for Contractors to work at home also; in fact, they probably developed most of the stuff that the NSA/CIA uses anyway. I thought this was a contractor also, no? As for exploit development contractors, the "sub" of a "sub", of a "sub" is a big management nightmare. Plus, everything starts with just a rumor. Developers may not even know what overall classification was applied to their contributed code upstream in the food chain. There obviously should be some policies applied as to what A/V and malware systems government personnel and contractors are allowed to use. I believe that those policies have already been created; just another lesson learned over time. After this event's conclusion, this is just going to be a blip on some congressional report balancing damages done + monetary expenditures versus intelligence gained. We'll never know the outcome. It would indeed be funny to find that other countries' intelligence workers use Symantec, McAfee, or GFI. Maybe we'll all have to use software from neutral, non-aligned countries, like Switzerland or Sweden. Hah!

Ease of Use fan • October 11, 2017 5:05 PM

"People with clearances are told over and over not to take classified material home with them. It's not just mentioned occasionally; it's a core part of the job."

Unless your name is Clinton. She couldn't even remember getting that briefing...

handle_x • October 11, 2017 5:21 PM

HRC was elected in 2000 to the senate & the armed services committee. I imagine that requires some clearances. Remembering a date from 15 years ago would be nice.
Lots of things could be important "publicly necessary" information to recall.

Remembering you had several meetings with Russian nationals correctly could be good too.
Or that you had financed real estate transactions for wealthy associates of Putin himself.
The name of your campaign manager or who the heck David Duke was, despite video.

A good memory and honest demeanor could be quite detrimental to the current strategy.
Mueller will work with what he has instead, he'll be fine. The seas have parted.
The 11th commandment has been broken. He didn't build an ark, he built a storm.

Clive Robinson • October 11, 2017 5:32 PM

@ All,

Can we cut the party political and personal political rhetoric; it achieves nothing, and is at best foolish.

After all, how many times can you reboil potatoes before you end up with starch paste?

Daniel • October 11, 2017 5:39 PM

@Nameless Cow and others

Distinguish incompetence from malice. That's my challenge to you. You can't say the difference lies in the outcome because here the outcomes of incompetence and malice are the same thing: the documents in the hand of an adversary. So that means that the difference is either in the process or in the motive. Here, however, as @bruce notes, it can't really be in the process because the employee is constantly warned not to do what they did. So the processes a malicious person would employ and the process an incompetent employee would employ look like the exact same thing: take the documents out of their secure environment. So then in the end all we are left with to distinguish between malice and incompetence is motive.

Motive, however, is notoriously inscrutable. It is easy to deprecate motive after the fact, especially in this case where the NSA's own motives need to be questioned. It looks a lot worse for the NSA to admit they failed to catch a spy than they hired a clown. So of course they will say he didn't mean any harm. What evidence do they have for their statement of faith? "Circle the wagons, boys, and shoot anything that moves."

So I don't feel any better about this case knowing that he claims he didn't mean any harm. He broke the rules, the consequences were devastating, and he/she should pay the price for their actions. As should the NSA who is at the very minimum guilty of a failure to supervise.

handle_X • October 11, 2017 5:43 PM

Too much Bible in my diet. I can't stand the stuff.

"We'll never know the outcome. It would indeed be funny to find that other countries' intelligence workers use Symantec, McAfee, or GFI"

https://static1.businessinsider.com/image/51b228ebeab8ea6f2d000008-900-423/prism%20slide%20comparison.png

They're probably in there somewhere, no doubt. Wittingly and unwittingly both.

That's why the accusations against KAV have so much traction instantly. Because we do it.

Windows Defender Is Your Friend • October 11, 2017 7:08 PM

Nothing beats good ol' Windows Defender. Anything else is added bloat.

Anon • October 11, 2017 7:28 PM

Whether true or not about their collusion with the State, doesn't anyone else find it ironic that a security company doesn't detect their own networks were breached?

Ollie Jones • October 11, 2017 7:52 PM

I have some experience with HIPAA (US health care personal information) infosec.

In that discipline, the regulations (indeed the law) make no distinction between malicious leaks and "innocent" leaks. Ya can't take personal health information home. If it leaks, you're responsible. If you're mugged and beaten and lose your laptop, the information is presumed leaked. And everybody who touches health data, from famous doctors to hospital executives to programmers to data-entry clerks, gets that drilled into them.

Leaks involving more than five hundred patients are made public, here, with the identity of the leaker (not the patients, obviously): https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Is it hard to understand? Maybe, maybe not. Health care people understand it.

I guess maybe people working for the government don't understand it. That's honestly baffling to me.

Anon • October 11, 2017 7:54 PM

My question:

If Kaspersky became aware of the Israeli intrusion in 2015, then presumably Israeli intelligence obtained the information no later than 2015. But the US government just began in the past few months (2017) to issue its recommendations and directives against using Kaspersky. What happened in the intervening 1.5 years? Did Israel sit on the information? If so, why? Something doesn't add up here, or there's been some recent intelligence horsetrading.

sooth_sayer • October 11, 2017 8:02 PM

I would conjecture that the employee who hasn't been charged is a son/son-in-law of some mucktymuck in NSA.

This country, particularly government agencies, is the epitome of nepotism -- and no rules apply anymore -- only DNA sequence matters.

mostly harmful • October 11, 2017 8:32 PM

In the NY Times we read:

[Israeli intelligence] provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

On screenshots and "solid evidence":

  • The evidentiary value of a screenshot, as far as I know, is roughly equivalent to an "artist's rendering" of a velociraptor breast-feeding its young.
  • After examining popular forms of argument on social media platforms, I gather that hoi polloi employ screenshots as if they constituted some kind of gold standard in evidence.

So it is interesting to me that this NYT article "informs" us that Israeli evidence includes screenshots, in particular (and with all other particulars left to the imagination).

Somehow, I don't feel informed. Instead, I suspect either the journalists or their sources are trying to manipulate their readers into feeling informed.

More generally, note the implications of the following, quite reasonable observation, also from the NYT article:

“Antivirus is the ultimate back door,” said Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

Blake Darché isn't wrong. So the following reactive measure is clearly inadequate:

"On Sept. 13, the Department of Homeland Security ordered all federal executive branch agencies to stop using Kaspersky products, giving agencies 90 days to remove the software."

Read the article in vain, however, to find mention of the DHS ban's obvious inadequacy. If it were a technical defensive measure, why not ban all AV of that class? Why just Kaspersky?

The content of this story is not technical. It is a political hatchet job.

John Smith • October 11, 2017 8:34 PM

I can understand someone breaking the rules and taking work home. This probably happens quite a bit. The overarching rule: don't get caught.

What I don't buy is someone loading NSA work files on a computer that isn't air-gapped. That is beyond stupid, and NSA does not hire technically stupid people.

This seems more like espionage to me. Loading the files on an internet-connected computer with KAV provides a "plausibly deniable" way to exfiltrate those files.

Benjamin • October 11, 2017 8:37 PM

Are "cyber-weapons" (to use the USG term) actually classified? My understanding is they weren't - because if they were, they wouldn't actually be able to be weaponized and used outside of a SCIF.

I was under the impression that they were a really grey area - development and such all happened on unclassified systems so that they could then be used against internet targets.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.