How trustworthy are security products from Russia-based Kaspersky?
The question was raised last month in two stories from the Wall Street Journal quoting unnamed U.S. sources, who said hackers working for the Russian government got hold of details of how the U.S. penetrates foreign computer networks and defends against cyber attacks after breaking into the home computer of a contractor who worked for the U.S. National Security Agency (NSA) in 2015.
The first story (subscription required) alleged the damaging files had been identified by Kaspersky anti-virus software on the contractor’s computer, which led to Russian hackers grabbing files. The second story went further, alleging Russia has modified Kaspersky AV software so it can spy on any computer that uses the application. It has been noted by other news services that the stories cite anonymous U.S. sources.
Kaspersky has vigorously denied working with the Russian government on espionage. Last week the company released the result of an inside investigation that may or may not shed light on the claims.
After looking at telemetry sent from subscribers around the world as part of the application’s routine anonymous reporting, Kaspersky is pretty sure it identified the computer described by the Journal. It assumed the computer had files Kaspersky had previously identified as coming from “The Equation Group,” which allegedly has ties to the NSA. The Equation Group allegedly has a number of tools which can be used to hack into computers. That came to light in 2016 when someone calling themselves The Shadow Brokers alleged they had broken into the Equation Group, stolen malware code they found there and then released it. Some of that code was used in the WannaCry ransomware that spread earlier this year.
So Kaspersky researchers looked for machines in its telemetry that had detected a lot of Equation signatures, and found one in Baltimore, which isn’t that far from NSA headquarters.
One theory, not mentioned in the Kaspersky report, is that the contractor lawfully or unlawfully had NSA hacking tool code on their personal computer. Whatever the reason, had a Russian hacker broken into this computer and gone snooping around, Equation code that would have looked like malware to an AV application would have been found. Presumably, the attacker was curious, uploaded those files, and discovered some gems.
But there’s more. The Kaspersky report acknowledges that, as its product intends, malicious executables and their archives are pulled from infected machines and uploaded to the company. “On this particular machine the files uploaded included four documents bearing classification markings, and other files related to the same project.”
“The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures,” says the report. What happened to those classified files? On the orders of Kaspersky founder and CEO Eugene Kaspersky they were deleted from all company systems. Could a Russian agent friendly with Kaspersky staff have seen those files?
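One defensive control the incident suggests, as an added example that is neither from the article nor Kaspersky’s actual product logic: before an archive that alerted on signatures is submitted, split it into executable members and everything else, upload only the executables, and hold back any member carrying a classification marking for human review. The archive contents, file names and marking strings are constructed for the demonstration.

```python
import io
import zipfile

# Constructed sample: an archive that alerts on executables but also carries a
# document with a classification marking, as in the incident described above.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/implant.exe", b"MZ" + b"\x90" * 64)  # PE stub (constructed)
        zf.writestr("tools/loader.dll", b"MZ" + b"\x00" * 64)   # PE stub (constructed)
        zf.writestr("notes/project.docx", b"TOP SECRET//SI project notes (constructed)")
        zf.writestr("readme.txt", b"plain text, no marking")
    return buf.getvalue()

# Marking strings to scan for; a real deployment would maintain its own list.
MARKINGS = (b"TOP SECRET", b"SECRET//", b"CONFIDENTIAL", b"CLASSIFIED")

def is_executable(data: bytes) -> bool:
    """PE (MZ) or ELF magic at offset 0; documents and text fail this check."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"

def has_marking(data: bytes) -> bool:
    return any(m in data for m in MARKINGS)

def triage_archive(archive: bytes) -> dict:
    """Split an alerting archive into members that may be uploaded as samples
    (executables without markings) and members that must stay on the host.
    Returning the decision per member means the client never ships the whole zip."""
    submit, withhold, marked = [], [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if has_marking(data):
                marked.append(info.filename)    # needs human review, never auto-upload
                withhold.append(info.filename)
            elif is_executable(data):
                submit.append(info.filename)
            else:
                withhold.append(info.filename)  # documents, text, unknown formats
    return {"submit": submit, "withhold": withhold, "marked": marked}

if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```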
There’s more intrigue. The Kaspersky report says it found the suspect computer had been compromised in October 2014 by a malicious Microsoft Word file that included a backdoor. And the only way that could have happened, the Kaspersky report says, is if the Kaspersky product had been disabled, because it should have caught that malware.
Could that have been the way a Russian hacker got into the computer?
Exactly what happened may never be known. The Kaspersky report argues the contractor’s computer could have been the target of espionage regardless of which AV application was on it.
“It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required.”
Before the Wall Street Journal stories broke the U.S. Department of Homeland Security ordered all departments to remove Kaspersky software from their systems. “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” says the order. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
So far Canada’s Communications Security Establishment (CSE), which is responsible for securing federal government systems, hasn’t publicly issued a government ban on Kaspersky products.
UPDATE: In response to a question this morning a CSE spokesperson said in an email that the agency “does not provide recommendations for or against specific cyber security products, services, or vendors. CSE provides advice and guidance based on risk assessments.”
UPDATE: Shared Services Canada oversees many government networks. In a statement the agency said it currently uses a number of anti-virus products including those from major cyber security vendors in the industry. “For security reasons, Shared Services Canada will not disclose which specific anti-virus products are used. SSC does not have any Kaspersky software deployed on computers in its inventory.”