Anti-virus software as a spy tool

In October 2017 the Wall Street Journal published an article accusing hackers working for the Russian government of exploiting Kaspersky Lab’s anti-virus software to break into an NSA contractor’s personal computer and steal files in 2015. The WSJ article references only anonymous sources.

Kaspersky vehemently deny any link with Russian intelligence. They have laid the blame on poor security at the NSA. Yes, they had NSA secrets but, no, they did not steal them. They say that they are an unwilling geopolitical football, caught in the spat between the USA and Russia. Unfortunately for Kaspersky, Russia has been caught flexing its cyber muscles to hack political parties, damage the democratic process and set the West up for a nightmare by probing critical infrastructure.

The WSJ said the 2015 event was one of the most significant security breaches at the agency. The files are alleged to have included the code used to build NSA tool kits, like the exploits later leaked by the Shadow Brokers and subsequently repurposed by criminals.

Why would an NSA contractor use Kaspersky AV software, when it is banned in the NSA? In mitigation, Kaspersky Lab enjoy a good reputation. Russian software engineers are some of the best in the world. However, any NSA contractor would know they are a target for nation state hackers, and Kaspersky Lab are a big, Russian-owned business which, like any such business, survives at the largesse of the Kremlin.

Conspiracy theorists doubt that an NSA contractor could be so stupid as to take home classified material (Harold Martin or Reality Winner, anyone?) or to use Russian anti-malware in the first instance, and argue that the article is part of a complex US-Israeli move to take out the only real opposition in the cyber warfare field. Kaspersky Lab’s actions are, at the bare minimum, an annoyance to state sponsored APTs and, because of their location, they are difficult to control. They are the only AV security company that proactively seeks out and neuters NSA spyware, as the AV industry starts to follow distinct geopolitical lines.

In 2010 Kaspersky Lab was among the researchers who analysed the “Stuxnet” worm, which caused substantial damage to Iran’s nuclear program and is widely attributed to US and Israeli intelligence. In 2015 Kaspersky Lab outed the NSA’s Equation Group, saying the group has been active since at least 2001 and that their research showed “the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together”. Conversely, Kaspersky Lab have not shown the same diligence or philanthropy regarding Fancy Bear or Cozy Bear, hacking groups attributed to Russia’s intelligence apparatus.

It is ironic that Kaspersky had been deployed by the US Government in some sensitive areas (including the Department of Defense) for years, and at the same time was busy chasing down NSA (part of the DoD) spyware tools and updating its anti-virus signatures so that Kaspersky’s clients would be protected from the NSA.

Prior to the USG deciding that allowing US Government agencies to buy Kaspersky products was not such a great idea, the Army, Navy and Air Force, and the departments of Defense, State, Homeland Security, Energy, Veterans Affairs, Justice and Treasury were all users. Kaspersky was a great salesman.

[Image: FSB Headquarters ‘Lubyanka’, Dzerzhinsky Square, Moscow]

Kaspersky will work with the local Russian security services in the same way as any other cyber security company works with its indigenous special services. Based on my experiences, the balance of probability is that Russian intelligence agencies do leverage Kaspersky. Bloomberg identified senior managers who accompanied Russia’s FSB on raids when tracking down the bad guys. However, if you scratch the surface at any cyber security company in the West, you will see many ex-intelligence or military people, so none of this should come as a shock.

While denying knowledge of the 2015 NSA data breach as reported by the Wall Street Journal, they did volunteer similarities with an incident in 2014. They also disclosed some extraordinary activities. At that time, Kaspersky’s anti-malware program was tailored to search for files with specific names and to exfiltrate those folders and files to Moscow. The files in this instance were found on a computer at a Verizon IP address, 20 miles from NSA headquarters.

Kaspersky Lab ‘subsequently’ concluded that the lifted files belonged to the Equation Group (widely linked to the Tailored Access Operations unit at the NSA) but, at the time, did not know. Kaspersky Lab spent three months delving into the NSA contractor’s computer, finding 37 unique NSA files including source code.

“An archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analysing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development.”

There are other twists in the tale, as Kaspersky claim that the NSA contractor used pirated Microsoft software and was already infected with Chinese spyware.

Whether this was an NSA sting to prove a link between Russian intelligence and Kaspersky, or Kaspersky is an innocent dupe, is academic.

Noteworthy is that Kaspersky Lab came clean on actively searching their clients’ computers for “interesting files” and sending them back to head office at Leningradskoe Shosse, Moscow for analysis. Why were Kaspersky uploading uninfected files and doing keyword searches? That is whole files, not hashes or checksums.

Think about that for a moment.

There is a deafening silence from other vendors. Who does the same?
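The distinction the article draws, between a signature that fires on a file name and then ships the hash versus one that ships the whole file, is easy to make concrete. The following is an added illustration written for this page, not Kaspersky’s code or anything from their products: the file names, bytes and keyword rules are constructed for the example, and the “consent” gate is a hypothetical control showing how a vendor could stop a name match alone from exfiltrating content.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample endpoint contents (invented names and bytes, not real files).
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Users/dev/Documents/notes.txt": b"meeting notes, nothing unusual",
    "C:/Users/dev/tools/eqn_grp_loader.7z": b"7z\xbc\xaf\x27\x1c constructed archive bytes",
    "C:/Users/dev/src/priv_esc_exploit.c": b"int main(void){ /* constructed */ return 0; }",
}

# Hypothetical "silent" signatures that key on file names and keywords, the kind of
# rule the article describes, rather than on a malicious byte pattern.
NAME_SIGNATURES = [
    re.compile(r"eqn_grp", re.IGNORECASE),
    re.compile(r"exploit", re.IGNORECASE),
]


@dataclass(frozen=True)
class Detection:
    path: str
    sha256: str
    size: int


def scan(files: Dict[str, bytes]) -> List[Detection]:
    """Return one Detection per file whose *name* matches a keyword signature.
    The content is hashed locally; nothing here inspects it for malice."""
    hits = []
    for path, data in files.items():
        if any(sig.search(path) for sig in NAME_SIGNATURES):
            hits.append(Detection(path, hashlib.sha256(data).hexdigest(), len(data)))
    return hits


def telemetry_hash_only(hits: List[Detection]) -> List[dict]:
    """Policy A: the vendor cloud receives a hash it can compare against
    known-bad lists, plus a size. The content never leaves the host."""
    return [{"sha256": h.sha256, "size": h.size} for h in hits]


def telemetry_full_upload(hits: List[Detection], files: Dict[str, bytes],
                          consent: bool) -> List[dict]:
    """Policy B: upload the whole file for analysis (what the article says happened).
    Gated on an explicit, hypothetical consent flag; without it we fall back to
    hash-only so that a name match by itself cannot exfiltrate content."""
    if not consent:
        return telemetry_hash_only(hits)
    return [{"path": h.path, "sha256": h.sha256, "content": files[h.path]}
            for h in hits]


def content_bytes_leaving_host(payloads: List[dict]) -> int:
    """Count how many bytes of actual file content a payload list would send."""
    return sum(len(p.get("content", b"")) for p in payloads)


if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for policy, payload in (
        ("hash-only", telemetry_hash_only(hits)),
        ("upload, no consent", telemetry_full_upload(hits, SAMPLE_FILES, consent=False)),
        ("upload, consent", telemetry_full_upload(hits, SAMPLE_FILES, consent=True)),
    ):
        print(f"{policy:20s} detections={len(payload)} "
              f"content bytes sent={content_bytes_leaving_host(payload)}")
```

Both policies fire on the same two files, because the rule keys on the name. The difference is what crosses the wire afterwards: under the hash-only policy the vendor learns that a file with a given hash exists, which is enough to match it against known malware; under full upload the vendor holds whatever the file contained, malicious or not. That is the gap the article is pointing at, and it is a telemetry policy decision, not a detection one.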


Alexander Rogan is CEO of Zero Day Plus, the licensed reseller of a new-to-market endpoint security technology that protects data locally and helps organisations comply with GDPR.

A proven (10 years in stealth use with the military, never breached) patented kernel-level filter driver that preserves the integrity of the endpoint (laptop, desktop, server, SCADA, industrial control systems) against persistent malware and fileless or in-memory attacks. It reports actionable intelligence in real time (i.e. no false positives). It does not require patching or updates. It enables life extension for legacy estates that are out of support or on extended support. It secures Windows versions from NT4 through to 2016. At under 100 KB it is suitable for the Internet of Things.