
'Very High Level of Confidence' Russia Used Kaspersky Software For Devastating NSA Leaks

bricko shares a report from Yahoo Finance: Three months after U.S. officials asserted that Russian intelligence used popular antivirus company Kaspersky to steal U.S. classified information, there are indications that the alleged espionage is related to a public campaign of highly damaging NSA leaks by a mysterious group called the Shadow Brokers. In August 2016, the Shadow Brokers began leaking classified NSA exploit code that amounted to hacking manuals. In October 2017, U.S. officials told major U.S. newspapers that Russian intelligence leveraged software sold by Kaspersky to exfiltrate classified documents from certain computers. (Kaspersky software, like all antivirus software, requires access to everything stored on a computer so that it can scan for malicious software.) And last week the Wall Street Journal reported that U.S. investigators "now believe that those manuals [leaked by Shadow Brokers] may have been obtained using Kaspersky to scan computers on which they were stored." Members of the computer security industry agree with that suspicion. "I think there's a very high level of confidence that the Shadow Brokers dump was directly related to Kaspersky ... and it's very much attributable," David Kennedy, CEO of TrustedSec, told Yahoo Finance. "Unfortunately, we can only hear that from the intelligence side about how they got that information to see if it's legitimate."
  • by KiloByte ( 825081 ) on Monday January 15, 2018 @08:05PM (#55935011)

    If Kaspersky are indeed behind this, they are doing what their company is supposed to do: find malware and make it public. Without their help, NSA's malware would still be in the wild.

    • by Mike Van Pelt ( 32582 ) on Monday January 15, 2018 @08:18PM (#55935065)

      There's a difference between detecting malware running on the PCs that Kaspersky is protecting, and leveraging its presence on a PC in an intelligence agency's network to exfiltrate their little logic bombs. The first is entirely legitimate. The second... is espionage. I think it was Heinlein that said "Espionage is not immoral; everyone does it. But the cost for getting caught at it is very high." The cost to Kaspersky is likely to be very high indeed, whether someone at the company did it, or some Russian TLA inserted the code without their knowledge.

      Kaspersky should have stuck to the first. Still, I wish they had let Stuxnet have its way with Iran's centrifuges for a few more years.

      • by Anonymous Coward on Monday January 15, 2018 @09:14PM (#55935337)

        Except modern antivirus products use various algorithms to spot novel malware programs that they don't know yet as well as ones they have published signatures for. A program is a program. The antivirus software has no way to know the difference between a malware that has infected a computer and a malware that has been compiled by that computer's user. They were indeed doing their job. The fault lies with the NSA having antivirus software installed on a computer where they were developing viruses.

        • by bsDaemon ( 87307 ) on Monday January 15, 2018 @09:31PM (#55935431)

          The fault lies with the contractor who stole classified information, took it home, and put it on a personal computer where he had Kaspersky installed. I have a very hard time believing such actions to NOT be deliberate with the intention that the programs be scanned by Kaspersky, and possibly specifically by Kaspersky. I'm not saying Nghia Hoang Pho, 67, was flipped in his Soviet client state homeland and sent to the US with specific pro-Russian instructions, but I mean, come on....

      • by AHuxley ( 892839 ) on Monday January 15, 2018 @10:53PM (#55935863) Journal
        The OS had changes made by the NSA malware. Every new AV product made with some level of skill should have detected the new, novel and unexpected changes to the OS.
        Got a sample and reported back to their brand for that brand's experts to look over and warn the world about.
        That's why every good AV brand builds behavioral analysis into its AV products.
        Behavioral analysis is what finds the new problems in the wild and protects the global community from new issues deep in an OS or network.
        Detecting new malware and protecting the world from new malware is not "espionage" ....
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Russia has also been known to spread FUD over the internet via forums and posts. I think this is one of them. At this point, Kaspersky has been shown to be malicious and should be dropped from use with haste by everyone.

      • by poity ( 465672 ) on Monday January 15, 2018 @09:08PM (#55935297)
        Absolutely correct. The PDF where intelligence community officials say they have a high degree of confidence and backed it up with diagrams of computer networks, we all knew the case was bulletproof. And when IT pros read that document and saw those diagrams they literally said "it's Russia via Kaspersky 100%, also Tuck Frumpf".
    • by ngc5194 ( 847747 )

      Fine. I still don't want the FSB having access to my computer.

    • Not flamebait unless truth is flammable.
  • by Anonymous Coward on Monday January 15, 2018 @08:08PM (#55935019)

    Donald Trump is still shielding Russia from accountability for its multiple attacks on our country.

    He won't even admit that Russia hacked into our election equipment!

  • by BrookHarty ( 9119 ) on Monday January 15, 2018 @08:25PM (#55935099) Homepage Journal

    Had my new Win10 machine, decided to put the latest version on. Kas put a man-in-the-middle SSL scanner so it could scan SSL streams. After I told it not to and even disabled it, it still tried to scan all my SSL traffic and would block my browser. It just would not leave my SSL traffic alone even after specifically disabling web protection. This was the scanner only, I did not install the full protection suite.

    So I uninstalled it. Rebooted, and it still left the SSL middleware installed. WTF is this amateur behavior at Kaspersky.

    No idea wtf is going on over there at Kaspersky, but it's gone to hell. I don't care if it's one of the fastest, very low CPU usage, and great anti-virus detection. These stupid games like MITM SSL without my permission are downright unforgivable.

    • Not to defend Kaspersky, but this seems to be the trend with most security (or perhaps it's even more general than that) software. A new product comes out that's free of cruft, relatively easy to use, and works effectively. Eventually it turns to shit and it becomes as bloated and craptastic as the other software that it replaced some years ago. Fortunately, there's a new product that has just come out . . .
    • Oh fuck off (Score:2, Insightful)

      by Anonymous Coward

      Stop smearing Kaspersky, it's the only company not in bed with the NSA.

      Shit probably got stolen by one of the 50 Intel backdoors anyway.

      "High level of confidence" means "We got nothing but we'll smear someone anyway"

  • There is no reason to doubt our esteemed intelligence community. When they implore us to trust them because the evidence is too dangerous to show to the public, it is every patriotic citizen's duty to trust them. Spies are lurking in every corner, even on our beloved Slashdot, so we must remain vigilant against efforts to undermine faith in government. Faith keeps us strong, strength crushes enemies. Have faith.
    • by Anonymous Coward

      Trust is earned, not owed.

    • There is no reason to doubt our esteemed intelligence community. When they implore us to trust them because the evidence is too dangerous to show to the public, it is every patriotic citizen's duty to trust them. Spies are lurking in every corner, even on our beloved Slashdot, so we must remain vigilant against efforts to undermine faith in government. Faith keeps us strong, strength crushes enemies. Have faith.

      That's a very valid concern.

      But also consider the other side. A few months ago Trump bragged to the Russian Ambassador about getting intelligence about a laptop bombing plot out of a specific city in Syria. That initial leak basically led to the entire operation being exposed (and the Israeli bug being useless).

      Now consider the NSA. How do they know about the Russian's using Kaspersky? Is it a mole in Kaspersky? A mole in Russian intelligence? A backdoor into Kaspersky or Russian intelligence? They hacked s

      • In computer security any lack of "intelligence" makes the issue at hand usable by anyone from a 10 year old in their moms basement to any government, friendly or not and it also affects everyone.

        Hence why we WANT the FBI/NSA to publish these issues, because today it's some low-level NSA rent-a-coder being hacked, tomorrow it's the nuclear arsenal or the economy or some other government agency, because even other parts of the government don't get to know these details; there is no "secret patch list".

      • Literally a danger to the world SMH. Also FTA:

        "Israel was later named as the source of the intelligence in US media reports."

        I bet it was Fox News because they love Russia. Your article also presents evidence that H.R. McMaster is one of those Russian moles you mentioned:

        At the time, US National Security Adviser H R McMaster said the President “wasn’t even aware where this information came from” and “wasn’t briefed on the sources and methods”. “At no time were intelligence sources or methods discussed,” he said. “The President did not disclose any military operations that were not already publicly known... I was in the room. It didn’t happen.”

        There are some guys in the intelligence community we absolutely must trust, but this guy isn't one of them.

  • Mic drop.

    • Dude they released a PDF with drawings of computer networks in it. What more evidence do you need.
      • AV/Security companies are really good at deconstructing malware in their blog posts so where's the equivalent showing how Kaspersky AV did it? It's more likely the files in question were exfiltrated through unsecured S3 buckets and insecure SMTP mail servers since by default most mail clients don't complain when STARTTLS fails.
      • lolz... exactly. :)

    • Because intelligence agencies are famous for publishing their sources and methods.

      • So, you then believe anything else unconfirmed sources in the CIA have said.

        What is more, the evidence for this should be in the AV. There should be private IT establishments that should know as well.

        What you're asking is for people to listen and believe despite there being no evidence of anything. At the very least you should concede that you don't have anything anyone can really rely on and that you have to have empathy for people that don't find it credible.

        To say I must believe this despite really no ev
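The STARTTLS remark a few comments up (that most mail clients continue in plaintext when STARTTLS is missing or refused) is the kind of thing best seen in code. The following is an added example, not code from this thread or from any mail product: a scripted SMTP server, constructed here, and a client run in fail-closed and opportunistic modes. The server name, reply strings and the FakeSmtpServer/negotiate helpers are assumptions.

```python
"""Fail-closed vs. opportunistic STARTTLS negotiation, simulated offline."""


class StarttlsError(Exception):
    """Raised when TLS is required but cannot be negotiated."""


class FakeSmtpServer:
    """Constructed, scripted SMTP server that maps client verbs to replies.

    `advertise` controls whether STARTTLS appears in the EHLO reply (a
    stripped capability is what a downgrade looks like on the wire);
    `starttls_reply` is the reply to the STARTTLS command itself.
    """

    def __init__(self, advertise=True, starttls_reply="220 Ready to start TLS"):
        caps = ["250-mail.example.test Hello", "250-SIZE 10240000"]
        if advertise:
            caps.append("250-STARTTLS")
        caps.append("250 8BITMIME")  # last line uses "250 " (space), per RFC 5321
        self.responses = {"EHLO": caps, "STARTTLS": [starttls_reply]}

    def send(self, command):
        verb = command.split()[0].upper()
        return self.responses.get(verb, ["502 Command not implemented"])


def parse_ehlo(reply_lines):
    """Return the set of extension keywords from a multi-line 250 EHLO reply.

    The first 250 line carries the server hostname, not an extension, so it
    is skipped; every later line is "250-KEYWORD [params]" or "250 KEYWORD".
    """
    caps = set()
    for line in reply_lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop "250-" or "250 "
        if body:
            caps.add(body.split()[0].upper())
    return caps


def negotiate(server, require_tls):
    """Run EHLO then STARTTLS against `server`.

    Returns "tls" when STARTTLS got a 220 reply, "plaintext" when an
    opportunistic client fell back, and raises StarttlsError when
    require_tls is set and TLS could not be negotiated.
    """
    caps = parse_ehlo(server.send("EHLO client.example.test"))
    if "STARTTLS" not in caps:
        if require_tls:
            raise StarttlsError("STARTTLS not advertised (possible downgrade)")
        return "plaintext"
    reply = server.send("STARTTLS")[0]
    if not reply.startswith("220"):
        if require_tls:
            raise StarttlsError(f"STARTTLS refused: {reply}")
        return "plaintext"
    # A real client would now wrap the socket in TLS and re-issue EHLO.
    return "tls"


def outcome(server, require_tls):
    """Convenience wrapper: "tls", "plaintext", or "refused" (fail-closed)."""
    try:
        return negotiate(server, require_tls)
    except StarttlsError:
        return "refused"
```

The opportunistic client (require_tls=False) is the behaviour the comment criticises: with the capability stripped or the command answered with a 4xx it simply sends in the clear, while the fail-closed client refuses to send at all.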

  • Amazing (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Monday January 15, 2018 @08:32PM (#55935139) Homepage Journal
    The amazing part is that someone actually runs a closed source virus suite from a Russian vendor. Insane.
    • The amazing part is that someone actually runs a closed source virus suite....

      You could have stopped right there, and we would have been in complete agreement.

      • You are right. Running closed source in general is pretty insane. It could be doing anything and you would have no clue.
    • Re:Amazing (Score:5, Insightful)

      by DNS-and-BIND ( 461968 ) on Monday January 15, 2018 @09:04PM (#55935273) Homepage
      Why not? What have we got to fear? The NSA has a much larger chance of harming me than some distant foreign government. In fact I'd say the dirty foreigners' interest in me is about zero, while the NSA has a constant canker of anxiety about us American citizens, otherwise it wouldn't be spying on us illegally. I simply have less to fear from the foreigners and much to fear from the lawless NSA.
      • by ngc5194 ( 847747 )

        ... and if I knew that the NSA was using some spyware brand to spy on me I wouldn't buy that either. I don't understand the point of your post. Even if you think the NSA is more likely to be damaging to you than the FSB, that doesn't mean I want the FSB to have access to my computer. One criminal organization may be more likely to cause me damage than another, but that doesn't mean I want the second one in my house.

        • by sjames ( 1099 )

          Except the Russian AV software doesn't mind catching NSA spyware. The American AV doesn't mind catching FSB spyware. People who live within the FSB's jurisdiction should use American AV software.

          If you have to give one of them six lines written by you, give them to the one that doesn't have jurisdiction over you.

    • by Anonymous Coward

      I have no doubt that US AV software does the same thing, I know that the NSA is spying on me, being in one of the 5 eyes countries I assume all my data is being shared with my government. I'd rather have Russia spying on my personal info at home rather than my own government. My own government can use it against me - the Russians not so much.

    • by AHuxley ( 892839 )
      Any good quality AV suite would have seen the new NSA work infecting the computer in real time.
      A good AV product would have then uploaded it to its brand. The company of global experts in a nation like the USA, Japan, Czech Republic, Germany, Romania, Slovakia, Spain would have seen the new code too?
      What happened to all the code detected by other really new, advanced and quality AV brands?
      They do well in behavioral analysis review and tests over the years too... ?
      Did they not have the OS skill needed t
    • Not sure if that is better than a closed source American one.

    • Who should I be more afraid of, a foreign government, or the one that could kick in my door?

  • by BlueStrat ( 756137 ) on Monday January 15, 2018 @08:33PM (#55935143)

    ...What I want to know are the names of the people responsible for running a foreign COTS A/V on 'net-connected PCs and placing Classified/Top Secret data on those computers and what legal actions/charges are pending against them, and if no legal actions/charges are pending and/or they refuse to identify who they are, why not.

    *THOSE* are the questions we should be asking very, very loudly and demanding and the people who should be spending time at Club Fed. Given that level of cavalier handling of such highly-classified and top-secret data, Kaspersky/Putin/FSB et al were likely the very LAST bad-actors to get the data.

    How about we figure out how to plug the hole in the lifeboat first before we start holding hearings on where to place the blame?


    • It was an NSA guy who illegally took stuff home. Since "no intent" is currently a defense in the just-us system, no one wants to talk about it or prosecute the guy. Kaspersky picked up on his illegal stuff because his home computer was full of other illegal stuff (stolen MS software - not that I'd care about that - with the usual added malware by the 'wares guys).
      • It was an NSA guy who illegally took stuff home. Since "no intent" is currently a defense in the just-us system, no one wants to talk about it or prosecute the guy.

        I believe they won't prosecute this guy because it will bring to light the fact that the leaks didn't occur through him and that this is another REEEE!!! Russia!!! REEEE!!! propaganda story.


      • Since "no intent" is currently a defense in the just-us system, no one wants to talk about it or prosecute the guy.

        Are you saying that the classified material wound up on his computer by accident? He had intent to put the classified stuff on an unsecured system, and therefore will be prosecuted if he doesn't plead guilty first.

        • No, of course not. It got there on purpose and in serious violation of the rules, we know that, NSA themselves say so. They also say they talked to the guy, and well... The justice I would have gotten when I had a serious clearance (above TS) for doing far less ain't gonna happen to this guy. Seems it's more important to use any event to push some agenda we had already (they hate Kaspersky because it detects their stuff and warns the targets) as in "never let a crisis go to waste". Fake news isn't a new t
  • motivation ? (Score:2, Offtopic)

    by swell ( 195815 )

    Looking only at motivation, one must note that Kaspersky was a financially successful company with a bright future in an increasingly critical industry. They owed that to a growing reputation (and a lowered reputation for some competitors). What incentive would motivate them to sell out to any government? The only thing I can think of is (1) A death threat, or (2) a greater amount of money than their expected future profits. I doubt either 1 or 2 and I think it illogical for Kaspersky to break trust that wa

    • You think that (1) or (2) is unlikely? Both seem highly plausible. I mean, Putin kills people in Britain and elsewhere. I think he can make a Russian programmer one building over disappear. And Russia has a fuckton of money. More than enough to have a programmer or two retire early and it to be a rounding error's rounding error.

  • So, what steps? (Score:5, Insightful)

    by DCFusor ( 1763438 ) on Monday January 15, 2018 @08:38PM (#55935163) Homepage
    Israel claims to have hacked Kaspersky and seen the Russians in there too - they told us and that's how we originally claimed we knew Kaspersky was involved at all. If you trace back this convoluted story, that's the closest thing you can find to something that's almost believable. OK, so some _NSA_ _dude_ breaks all the rules and takes the nasties home - accidental treason if you will - and happens to have a machine full of stolen Microsoft code that came with viruses, and Kaspersky AV too. It sees this, and some other nasty looking things, and brings them back to the mother ship to see what's up - all as designed and as in the EULA and so on. All this was told to us by "reputable sources" naming "reputable sources" in the IC and promoted by the MSM. Now their story changes...they seem to be depending on people having a real short attention span.

    Not only were there the usual viruses associated with stolen code from MS, but also this stuff from NSA which was picked up as it had the signature of a nasty - because it IS. If the Russians got ahold of it because they had already penetrated Kaspersky...then Kaspersky didn't actually do this - they were an unwitting "useful idiot" at most.
    But we have to hate them? Want to bet that's because they refused to back down about putting bugs into their code to "not notice" TLA code, when all other AV's agreed to do that?

    OK Occam's razor - find another reason that makes sense all around. GoodLuckWithThat. I've yet to see reasonable evidence that the shadow brokers are even russian - they might be, but who knows? Attribution is hard. CIA's leaked tools show their tricks for leaving a false trail, for example (and this is yet another reason not to give any of these guys an encryption backdoor they promise to keep safe - they can't even keep their own stuff safe).

  • I refuse to install more proprietary crapware on my computers. I've got enough of it as it is at low levels. We need to cut the crap out and move away from Intel/AMD and other chipsets from companies that won't provide a *complete* set of source code. None of this "open source" nonsense where you only provide half the code or some code wrapped around a proprietary blob. No. I want a *COMPLETE* set of source code that is needed to operate the device. It blows my mind countries don't mandate in law that a

  • by ElizabethGreene ( 1185405 ) on Monday January 15, 2018 @09:43PM (#55935501)

    Are these the same sources that attributed the Mirai botnet to Russia-sponsored actors?

    We don't have a good track record of attributing these actions of late.

  • We know from the Snowden leaks that the NSA bragged about being able to piggyback on others exploits and 3rd party security software, so of course the Russians would do the same. You have to bear in mind that any kind of approach they are using must be tested for being undetectable by all known antivirus programs anyway, so hijacking these programs in the first place is a reasonable approach. Whether Kaspersky colluded with Russian intelligence to facilitate that is unknown, but it seems reasonable to assum
  • I remember a militaristic superpower lying to its own citizens about hidden weapons, metal tubes, babies being pulled from incubators, etc all to start a $1T+ war. Same guys.

    Show me proof or fuck off.

  • by OmniGeek ( 72743 ) on Tuesday January 16, 2018 @09:41AM (#55937897)

    In a properly run secure computing facility, classified materials are NEVER, EVER allowed to exist on computers connected to insecure networks. That's not a suggestion, that's a formal requirement, at least for the programs I used to work on. OS updates, antivirus software, everything was air-gapped from the Internet. No exceptions. For the exfiltration to happen as described, the NSA must be routinely violating basic infosec procedures in ways that would get any contractor fired, fined, and possibly imprisoned.

  • 'Very High Level of Confidence' Russia Used Kaspersky Software.
    So what does that mean? Is "We heard it from two people" very high? For all I know the "Very high" still means that they THINK it is the case, but are not sure. The same amount of "Very High Level of Confidence" as finding WMDs in Iraq? Because we know what that ended up being.

    What I see is that the NSA does not want us to use it. So what does that mean in the best case scenario? Only the Russians have access to data IF you use Kaspersky.
    What does
