Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense: WSJ (wsj.com)

An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer, which hackers working for the Russian government exploited to steal the documents, the WSJ reported on Thursday (the link may be paywalled; an alternative source is available), citing multiple people with knowledge of the matter. From the report: The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said. The theft, which hasn't been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter. Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said. Ahead of the publication of the WSJ report, Kaspersky founder Eugene Kaspersky tweeted, "New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats."
  • LOL (Score:2, Insightful)

    by Aighearach ( 97333 )

    OK fanboys, I've got the popcorn out, what is your new excuse why they should still be trusted? The nonsense people said last week was so rich, I'm waiting for it to grow even more absurd today as the cognitive dissonance builds and blinds them to the quality of their arguments.

    • by Tablizer ( 95088 )

      your new excuse [defense?]

      Simple, Ruskies probably did the same to the OTHER antivirus co's. We just haven't heard about it yet.

      Doesn't mean K is good, just that like the telecoms, their competition also sucks. In the land of D-minuses, D is king.

      • Your response is literal FUD. You do understand that, right?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      According to the summary, an anti-virus product helped to protect against cyberattacks. Meanwhile, certain foreign government-sponsored hackers are complaining that some of their victims may now be able to defend themselves against some of their cyberattacks. This poses no additional risk to citizens of the U.S. unless the NSA chooses to withhold information about the exploits that they had been using.

      Why who should be trusted, by the way? Were you addressing fanboys of the WSJ, the NSA, Kaspersky Lab, or t

    • Russian hackers / {crackers}? Your guess is as good as mine. Though they are pretty good at cracking DRM on video games, etc. I think I'm supposed to post something like: ----===Greetz Fr0m Raz0r 1911 to all the crews===----...

      Oh wait, you meant Kaspersky. Still looking for some evidence there...I mean, they are Russian (I think?), but that's purely beyond their control (they were born that way).

      Now, why was the contractor using last year's antiviral / anti-malware solution? Questions should be asked. I cou

    • by gweihir ( 88907 )

      Stupid is stupid and no way around that. But do enjoy your popcorn, that seems to be right down your alley, difficulty-wise. But I would advise you to stay away from anything mentally more tasking.

      Incidentally, you are being stupid by believing Kaspersky is any less trustworthy than their competitors.

      • Calling me names won't change the situation in any meaningful way.

      • Incidentally, you are being stupid by believing Kaspersky is any less trustworthy than their competitors.

        Do you mean trustworthy as a general attribute (probably more or less true, none of them picked up the Sony rootkit), or trustworthy to anyone in particular? I wouldn't trust Kaspersky for an installation with US government secrets, but I trust it as much as any other AV on my computer. If I'm to have spyware on my computer, I'd prefer Russian to US, since the Russians have a lot less potential inter

    • Re:LOL (Score:4, Insightful)

      by swb ( 14022 ) on Thursday October 05, 2017 @02:40PM (#55317173)

      I'm willing to buy the argument that they were more easily exploitable because of their domestic Russian base -- that means vulnerable humans who can be turned through the usual apparatus of spycraft and domestic security services, as well as increased general vulnerability because of their geographic location.

      That being said, I think any software producer whose products are expected to run at "ring zero" of security should be thought of as vulnerable, regardless of where they are based. I'm sure the intelligence services and security services long ago made the conceptual leap that these were vulnerable targets that would give them direct entry into high value targets due to the nature of their functional security requirements.

      I think the chain of trust anymore is pretty much broken and it's not really very paranoid to consider anything secure.

      • There's an old truism when it comes to security: the moment that you feel secure is the moment when you are the most vulnerable.

        No defense is impenetrable, and if you feel that yours are, it's very easy to overlook red flags that you've been penetrated.

        • Right, but that in no way implies that avoiding increased risks means you must be trusting something. You can be distrusting in general, and still be certain that some things can't be trusted.

          No defense is impenetrable. Yet use of purported defenses with conflicts of interest is itself a red flag.

      • Absolutely! Trust no one!

        On linux when we run virus scanners for whatever reason, we run them in userspace.

        That said, if you're on a system that needs active protection from virus scanners, then avoiding the vendors with an enhanced risk profile seems obvious. You have to trust somebody in that situation, but yeah, don't trust them very much; be ready to change later when somebody else appears to be the least risky, because it changes over time.

        And avoid vendors outside your own country or allied countries.

        • by arth1 ( 260657 )

          Absolutely! Trust no one!

          Including the guy who says "Trust no one!", and including yourself.

          Especially yourself. When it comes to security, the person in charge of a system or a network is its worst enemy.

          • I didn't say anything about trusting me, instead I expressed ideas that you can use or not. Making use of ideas requires first understanding them though.

            What sort of nonsense would you have to be doing where trust of self would even come up as a security issue? Are you writing your own login code or something? Don't trust yourself, instead learn best practices about which parts to use stable libraries for.

            • by arth1 ( 260657 )

              What sort of nonsense would you have to be doing where trust of self would even come up as a security issue?

              Anyone who writes code, or configures a computer, or adds firewall rules, or picks programs to install should question whether they trust themselves too much, and whether a second and third set of eyes would be useful.

              We are easily blind to the problems we ourselves introduce, and tend to trust our own judgement without questioning. And when the brown stuff hits the rotating thing, the natural reaction is to place blame elsewhere, and forget that we shouldn't have trusted our own judgement.

        • I don't get your reasoning.

          I do little to annoy Russia, other than posting opinions on sites they sometimes troll, and having a friend who's blocked from entering Russia. Russians really can't do all that much to me without considerable effort.

          However, I normally have opinions that conflict with those of assorted government officials in the US, which gives them more reason to hassle me than any Russian official has. Moreover, it's not that difficult for a police officer or IRS auditor or some other o

          • That's where you're wrong, they sell access to you to criminal gangs, who steal your money.

            Domestic criminals have a much harder time getting that data; it doesn't seem to be even on the market to buy access here. In Russia they openly sell access to p0wned systems from any country not a Russian ally; in the US there is no such mainstream market.

            Yeah, if you're a criminal and you're in the US, then in that case you'd have a higher threat profile from the US government; but the vast majority of people worrie

            • Are you saying that it's likely that Kaspersky would be coerced by the Russian government into giving out information that they then sell to criminal gangs? Do you have evidence? It sounds far-fetched to me. If I'm going to worry about that possible breach of security, I have to worry about US AV companies, since some of them can get pretty shady, and any market in AV-generated information isn't going to be accessible only from Russia.

    • by Bert64 ( 520050 )

      Russia has one antivirus vendor they can leverage...
      The NSA has several, as well as OS vendors and many other software vendors...

      I'm sure the Russians are making use of any situation which is to their advantage, but it's naive to think the NSA and other intelligence agencies aren't doing exactly the same.

      • Or as they say in my country, "SQUIRREL!"

        I'm not really that interested in network squirrels, or even urban squirrels.

    • No one is making the claim that you should blindly trust the tribe on the other side of the mountain, but that those who allege that the current chief is the product, or even a pawn, of that other tribe need to have more evidence besides pointing to some wooden signs along the river.

      • by dcw3 ( 649211 )

        When the other tribe has been your enemy for decades, you don't need more evidence to decide that it's more risky to buy products from them than your own tribe. It may or may not be fact based, but it's still prudent.

      • No one is making the claim that you should blindly trust the tribe on the other side of the mountain, but that those who allege that the current chief is the product, or even a pawn, of that other tribe need to have more evidence besides pointing to some wooden signs along the river.

        Um no. You don't trust everyone you pick up for sex, even though they may be as disease free as Jeebuz and pure as the driven snow.

        You wear that rubber because there are some folks out there who just might have an STD, and you don't say hey Russia hasn't been unequivocally proven beyond a shadow of a doubt in a court of law in every country before you decide that you might want to think about not using Kaspersky's AV software.

    • Kaspersky's proprietary anti-malware software was never trustworthy. Kaspersky's anti-malware didn't recently become untrustworthy, and the year-plus long Russophobia didn't change anything nor does that craze amongst the war profiteers inform the current situation.

      We judge software's trustworthiness by software freedom—the freedom to run, inspect, share, and modify published computer software. If a program is non-free (proprietary, user-subjugating) that program is untrustworthy regardless of what it

    • The NSA could trivially show proof of a backdoor or sidechannel in a two year old PUBLIC binary without exposing any secrets. If it was there they'd show it.

      Ipso facto, it's not there ... fake news.

      • by dcw3 ( 649211 )

        Nice hand waving. When has NSA ever publicly announced any of its findings? Get a clue.

  • Idiot Contractor (Score:5, Insightful)

    by DatbeDank ( 4580343 ) on Thursday October 05, 2017 @12:42PM (#55316301)

    The problem here isn't Kaspersky and Russian hackers, they're just being opportunistic.

    The REAL problem here is a dumb @$$ contractor who stole classified information and brought it home.

    Why isn't the contractor, both company and employee, being punished for breach of secure information? Any other countries' spooks would want this info, including our allies.

    Ahh that's right, let's just take this as an opportunity to bash Russia some more while our real enemy China is cleaning out both our industrial trade and military secrets! /sarcasm

    • The problem here isn't Kaspersky and Russian hackers, they're just being opportunistic.

      The REAL problem here is a dumb @$$ contractor who stole classified information and brought it home.

      Why isn't the contractor, both company and employee, being punished for breach of secure information? Any other countries' spooks would want this info, including our allies.

      Ahh that's right, let's just take this as an opportunity to bash Russia some more while our real enemy China is cleaning out both our industrial trade and military secrets! /sarcasm

      It is possible to have two problems at the same time. In fact, that's usually how disasters happen. The contractor needs denutted for what he did. But that doesn't mean that software designed to compromise a person's computer is supposed to be applauded as Hey, Everyone's doing it, so it's all good.

      That isn't how the game works regardless of what you think. Contractor? At best a dumbass, at worst a leaker or actual spy. Kaspersky? Well everyone doing it or not, they were caught. And "Everyone does it" isn't

  • It didn't even have to be Kaspersky - it could've been any malware on his PC that would've leaked the documents!

    Although doesn't this:

    Note we make no apologies for being aggressive in the battle against cyberthreats.

    Sound like a tacit admission?

    • by gweihir ( 88907 ) on Thursday October 05, 2017 @01:10PM (#55316549)

      Although doesn't this:

      Note we make no apologies for being aggressive in the battle against cyberthreats.

      Sound like a tacit admission?

      No, it does not. It merely says that if the Kaspersky scanner detected files it suspected of being malware but did not know yet (e.g. because the identification was via suspicious behavior pattern, not code signature), it phones home. That is standard behavior and no secret. In fact, you agree to that in the license and it can, I believe, be switched off.

      So what likely happened here is that the Kaspersky product was configured to send suspected, but yet unknown, malware files to Kaspersky and it did correctly identify some NSA malware as such and sent them to Kaspersky. I mean, seriously, this is what correctly working AV is supposed to do. This whole thing is much more likely about the NSA being butthurt that their criminal activity (criminal everywhere outside the US that is) was discovered and that their respective malware is now detected by Kaspersky. Add to that a few creatively misleading statements to the WSJ reporters (who have zero understanding of what is going on and how the respective technology works) and you have what the WSJ is reporting now.

      • That explains how the docs got to Kaspersky's labs and Russia.

        It does not explain how it got OUT of Kaspersky's labs and into the hands of Russian hackers.

        So essentially - any antivirus program will essentially spy on you and upload any personal documents it claims look "suspicious".
        It's like having the TSA installed on your computer.

        • by gweihir ( 88907 )

          It does not even explain that it got from Kaspersky to the Russian hackers. It may have taken another path. Or it may have been given to other parties (including other AV vendors and to government agencies) after analysis showed it was malware and not personal files. AV vendors do that all the time, and some organizations can pay for that data-stream as well.

          Yes, every AV spies on you if you allow it to. Configuring AV is one place where you should pay attention.

          And no, I am not particularly fond of Kaspers

  • by HBI ( 604924 ) on Thursday October 05, 2017 @12:51PM (#55316363) Journal

    The idiot Hal Smith, former NSA employee, apparently put stuff that shouldn't have been seen outside a SCIF on his home system. His content was exfiltrated, presumably by Russians. But now it's the vector of the exfiltration's fault that classified material was stolen.

    News flash: the system was broken the moment the stuff saw a computer outside of an airgapped network. For that matter, Mr. Smith put himself in criminal jeopardy at that moment.

    If the guy had been using Avast or Bitdefender, would that have made you feel better? Do you really think the Russians couldn't penetrate the firms providing those products? Think again.

    While we're at it, do you really think that the Russians are the only people soaking up data from the US like a sponge? Why so much focus on their activities? You'd think people had a political axe to grind, almost...

    • by houghi ( 78078 )

      The thing is that now the NSA can say that you should not use Kaspersky, but rather use one that THEY can use to access your information.

  • And very likely with pretty much the methods described, I think this cannot get much more hypocritical. And while we _know_ the NSA does this, we only have a scare-story that may turn out to be a complete fantasy on the Russians and Kaspersky.

  • by Picodon ( 4937267 ) on Thursday October 05, 2017 @01:01PM (#55316475)

    I’m a bit puzzled: aren’t highly confidential documents stored, viewed and edited only on secured computers? Is it really that easy for a contractor (or even an employee) to grab a copy and leave with it, entirely unnoticed?

    • Reality Winner did it by printing out a copy and securing it to her body via her pantyhose.

    • by nehumanuscrede ( 624750 ) on Thursday October 05, 2017 @01:16PM (#55316609)

      Sadly, yes it is.

      Many years ago when I was doing the Navy thing, I would find classified stuff just laying about, unsecured in staterooms.

      ( Security patrols in case you're wondering why I was even in Officer's Country )

      The vast majority of it was documentation of various things found on a ship that was tossed onto a table or rack ( bed ) in a stateroom. Easy to spot due to the color of the cover sheets. ( blue, red, orange, etc )

      Apparently the junior officers thought closing the door to their stateroom was enough to protect it. :|

      I thought about hiding it from them just to watch the panic set in when they realized a Secret book was now missing, but it would have ended their careers, so I usually just educated them on it.

      Stuff up to Secret levels only. Most TS+ and Crypto related stuff required 2-person control and they were much more protective of it.

      • I never did classified work, but when I worked at a defense contractor that did this in the 80s, they were highly paranoid. Even for non-classified work they did not let me take storage devices into or out of the company without authorization. Secure documents were only allowed in secure buildings, and I was not allowed into those buildings until they turned on the flashing lights to tell everyone to hide their papers and turn off their monitors. We had a tunnel to move documents between buildings so that

  • 1) Any intelligence agency that doesn't look for exploits in commonly used tools isn't doing their job.
    2) Kaspersky is a great target for exploit research no matter who you are.
    3) It's common practice to keep identified exploits secret for high value zero day attacks JUST like this.
    4) Also standard practice to request (or steal) source from domestic (or vulnerable) corps to make exploit location easier.

    Not to defend Kaspersky (cause who knows?) but this just sounds like a normal day at the office for this pr

  • is the fact the employee brought home classified documents which somehow found their way onto their home ( read that: Unlikely certified to handle classified information ) computer.

    Normally, I would consider this unlikely, but apparently keeping classified info on private systems / servers is all the rage these days :|

    • is the fact the employee brought home classified documents which somehow found their way onto their home ( read that: Unlikely certified to handle classified information ) computer.

      Normally, I would consider this unlikely, but apparently keeping classified info on private systems / servers is all the rage these days :|

      I understand the confusion.. Apparently if you don't "intend" to mishandle classified, you can do what you want, including sending it via E-mail to everybody and their brother in unencrypted form. Just be sure to "wipe" that server "with a cloth" should you get questioned on this...

      James Comey said so!

      • From a legal point of view, you're pretty much right. Unintentional mishandling is not prosecuted. I suspect it's a policy matter, so that people who have made a mistake won't be afraid of hard time should they report it or fail to cover it up.

        • Continued mishandling of classified, albeit unintentional or not, IS a disqualifier however. Seriously, if you make a mistake or two, I'm sure they will be reasonable, require some remedial training in the areas where you are making mistakes and keep an eye on you for awhile. If you keep messing up, they are going to eventually yank your access and kick you to the curb because you don't seem well suited for the work you are doing.

          However, intent is not necessary to break the law here. If you are careles

          • Continued misbehavior is when a person is warned about his or her behavior and persists in it anyway. It doesn't have anything to do with the length of time the person has been misbehaving. Misbehavior that doesn't occur after a warning isn't continued. If someone has made a mistake, and no attention is called to it, that person is likely to continue making that mistake. Only if the misbehavior continues after a warning is it a matter of conscious choice.

            The thing about criminal negligence is that it

  • "An NSA contractor brought home highly classified documents"

    ^^^ THIS

  • So any idea of the company he worked for?
    Booz Allen had been running up a nice streak but lost that with Reality Winner, so have that pushed forward and tried to start streak two?

  • Russians drank all my beer! Just the other day I bought a six-pack, and now it's gone. Goddammit I blame the Russians!

    • by Mal-2 ( 675116 )

      Next time try putting a mouse in the container and blame it on the brewery.

  • Am I understanding correctly? Of course I didn't read TFA, but from the summary I'm guessing that dude had Kaspersky antivirus, and when he loaded the files it sent them home for scanning, and since they're a Russian company the Russian government has access to the files. This doesn't really make sense to me. It would make sense that it could send the checksums back home to compare, except even that doesn't make a lot of sense, since the "virus database" (aka a list of checksums of flagged blocks) should be

    • by AHuxley ( 892839 )
      It's some US story about cyber.
      Documents get taken home from work and existed on some home network computer.
      Some outside network discovers the documents that have never been in the wild before. The bad people have all the "checksums" for random US gov documents and scan the world for them?
      Data gets sent back up the network nobody has noticed on any other version of the product range...
      Russia.
      More cyber fiction.
  • In my years working on "highly classified" things, we NEVER, EVER brought that stuff home, because we couldn't without breaking all kinds of rules and safeguards. It was a major operation just to get it transferred to another secure facility to work on it. But time after time now we get the story that this or that person had a laptop full of stuff in their car, their house, on the bus, etc. When did the rules change that you can just walk out with extremely sensitive data, or are these lunkheads simply vio

    • viperidaenz - said it perfectly in the post below.

      An NSA contractor stole highly classified documents, but before he could sell them, they got stolen. Because he had no other reason to take home classified documents.

      I've worked in banks, you cannot remove data from a PC without the drive being encrypted first. That drive can only be read by the bank's PCs, and there are layers of security etc around that as well. Who can actually take data, who can read that data, etc. etc.

      Most of the banks data is per

      • I was a contractor for a financial firm around 2006, and I had a work-issued laptop. It had full-disk encryption, integrated with the Windows logon. While putting Visual Studio on it, IT managed to hose it somehow so it could not get into Windows.

        This gave IT a real problem. The disk was encrypted, and the encryption could not be broken. IT was required to pull all information off disks before destroying or reformatting them, and the information was completely inaccessible. They kept that laptop for

  • An NSA contractor stole highly classified documents, but before he could sell them, they got stolen.

    Because he had no other reason to take home classified documents.

    • by dcw3 ( 649211 )

      Possibly, or he could have just been doing so out of laziness/convenience, a la Clinton.

  • Honest question for someone who dropped Windows decades ago. How do admins even take their security seriously when their tools have these issues? Something similar happened with, I believe it was, CCleaner a couple months ago. I mean what is the rationale behind infosec in Windows shops?