Slashdot Mirror


Russian Hackers Exploited Kaspersky Antivirus To Steal NSA Data on US Cyber Defense: WSJ (wsj.com)

An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer, which hackers working for the Russian government exploited to steal the documents, the WSJ reported on Thursday (the link could be paywalled; alternative source), citing multiple people with knowledge of the matter. From the report: The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said. The theft, which hasn't been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S. The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter. Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said. Ahead of the publication of WSJ report, Kaspersky founder Eugene Kaspersky tweeted, "New conspiracy theory, anon sources media story coming. Note we make no apologies for being aggressive in the battle against cyberthreats."

18 of 223 comments

  1. LOL by Aighearach · · Score: 2, Insightful

    OK fanboys, I've got the popcorn out, what is your new excuse why they should still be trusted? The nonsense people said last week was so rich, I'm waiting for it to grow even more absurd today as the cognitive dissonance builds and blinds them to the quality of their arguments.

    1. Re:LOL by Tablizer · · Score: 2

      your new excuse [defense?]

      Simple, Ruskies probably did the same to the OTHER antivirus co's. We just haven't heard about it yet.

      Doesn't mean K is good, just that like the telecoms, their competition also sucks. In the land of D-minuses, D is king.

    2. Re:LOL by Anonymous Coward · · Score: 2, Insightful

      According to the summary, an anti-virus product helped to protect against cyberattacks. Meanwhile, certain foreign government-sponsored hackers are complaining that some of their victims may now be able to defend themselves against some of their cyberattacks. This poses no additional risk to citizens of the U.S. unless the NSA chooses to withhold information about the exploits that they had been using.

      Why who should be trusted, by the way? Were you addressing fanboys of the WSJ, the NSA, Kaspersky Lab, or those hackers who hacked the other hackers?

    3. Re:LOL by DivineKnight · · Score: 2

      Russian hackers / {crackers}? Your guess is as good as mine. Though they are pretty good at cracking DRM on video games, etc. I think I'm supposed to post something like: ----===Greetz Fr0m Raz0r 1911 to all the crews===----...

      Oh wait, you meant Kaspersky. Still looking for some evidence there...I mean, they are Russian (I think?), but that's purely beyond their control (they were born that way).

      Now, why the contractor was using last year's antiviral / anti-malware solution? Questions should be asked. I could double-check the leaked Panama Papers, but I thought BitDefender...and one other, someone remind me, was this year's hotness. Unless that's what the CIA / NSA wants us to think (puts on tin foil hat).


    4. Re:LOL by swb · · Score: 3, Insightful

      I'm willing to buy the argument that they were more easily exploitable because of their domestic Russian base -- that means vulnerable humans who can be turned through the usual apparatus of spycraft and domestic security services, as well as increased general vulnerability because of their geographic location.

      That being said, I think any software producer whose products are expected to run at "ring zero" of security should be thought of as vulnerable, regardless of where they are based. I'm sure the intelligence services and security services long ago made the conceptual leap that these were vulnerable targets that would give them direct entry into high value targets due to the nature of their functional security requirements.

      I think the chain of trust anymore is pretty much broken and it's not really very paranoid to consider anything secure.

    5. Re:LOL by Aighearach · · Score: 2

      Your response is literal FUD. You do understand that, right?

    6. Re:LOL by arth1 · · Score: 2

      As a former antivirus author, I suggest a third alternative:
      Don't trust your computer to any antivirus. You give these programs full access to your machine, and they become an attack vector as well as slowing down the machine.
      And it's not like they are going to stop zero day attacks anyhow, and that's the second biggest thing to worry about (after human gullibility).

    7. Re:LOL by david_thornley · · Score: 2

      Incidentally, you are being stupid by believing Kaspersky is any less trustworthy than their competitors.

      Do you mean trustworthy as a general attribute (probably more or less true, none of them picked up the Sony rootkit), or trustworthy to anyone in particular? I wouldn't trust Kaspersky for an installation with US government secrets, but I trust it as much as any other AV on my computer. If I'm to have spyware on my computer, I'd prefer Russian to US, since the Russians have a lot less potential interest in what I do, and have far less ability to hassle me than US authorities.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Idiot Contractor by DatbeDank · · Score: 4, Insightful

    The problem here isn't Kaspersky and Russian hackers, they're just being opportunistic.

    The REAL problem here is a dumb @$$ contractor who stole classified information and brought it home.

    Why isn't the contractor, both company and employee, being punished for breach of secure information? Any other countries' spooks would want this info, including our allies.

    Ahh that's right, let's just take this as an opportunity to bash Russia some more while our real enemy China is cleaning out both our industrial trade and military secrets! /sarcasm

    1. Re:Idiot Contractor by Anonymous Coward · · Score: 5, Informative

      Do you have a copy of the terms of the contract that dictates what the contractor is and is not allowed to do? Can you provide information on relevant law governing information access? Can you cite what level of clearances are involved?

      From TFA:

      "An NSA contractor brought home highly classified documents that detailed how the U.S. penetrates foreign computer networks and defends against cyberattacks. The contractor used Kaspersky antivirus on his home computer...

      As you can see in the above text, I've highlighted the areas that might help pull your head out of your ass.

      "Home" computers are not something that is authorized for storing or transmitting highly classified information. Not to mention "home" building codes lacking SCIF-level TEMPEST protections. Regardless of my lack of access to specific contractual details, I'd say there's about a 0.0000001% chance that this bullshit was authorized in any way.

    2. Re:Idiot Contractor by Anonymous Coward · · Score: 2, Insightful

      Sure, it's all spelled out in the NISPOM:
      https://en.wikipedia.org/wiki/...

      The most relevant section is Chapter 5:
      http://www.dss.mil/documents/o...

      Nobody can take classified material home, ever. Nobody can put classified material onto an unapproved computer, ever. These are not things that change from contract to contract.

    3. Re:Idiot Contractor by Anonymous Coward · · Score: 2, Interesting

      Not quite: If you are the recipient of classified information, marked or unmarked, emailed to you, you have a responsibility to report it. Not doing so is a violation - probably not a jailable violation, but your next security briefing would be uncomfortable to say the least, and you probably would be denied anything above flat SECRET clearance in the future. Back in my classified days, I once received (from a government lab employee) a series of SECRET, oh, let's call them numbers. The guy obviously didn't mark them as such, and he even split them between two emails because he knew that the two emails together contained classified information, but separately they were unclassified. Fun fact: splitting a classified item between two emails specifically to avoid classification procedures is a no-no. I reported the incident. He was fired. My computer was seized off my desk for sanitation, which took three days. The email server was scrubbed, but I reported it so quickly no backups were impacted, so that made scrubbing significantly easier.

      Your next question would likely be: how do you know it's classified if it isn't marked? Answer: you make it your job to know. You work in the field, and you come to know what smells like a classified fact or figure. There are also security classified guides to help if you're not sure. And I admit, sure, one email, a hazy classified thing that you read quickly and slips by absolutely possible. But 100 emails (your number, I thought it was a little larger), that's willful disregard and negligence. If I had done it, probably not jail, but certainly no more clearances in my future.

      I also seem to recall (too disinterested to look it up because this is all in the distant past), I believe what Comey said was not that what she did was not illegal, but that no one would prosecute her for it. Of course, not - she was Hillary Freaking Clinton, the likely next President of the US. That's like saying, hey, I'm pretty sure this is a loaded handgun I have here, but I can't seem to find anyone willing to put it against their temple and pull the trigger to test that theory.

    4. Re:Idiot Contractor by bobbied · · Score: 2

      Ah, but you forget that she sent/received content with portion marks. Public Sources do not generally portion mark their material. That stuff came from classified documents, was marked as classified, and should have been recognized by Hillary (and the rest of those reading the E-mails) as classified.

      You are stopping at story #3 out of #4...

      Story 1: I didn't use my private E-mail server for work E-mails, it was just wedding planning and Yoga schedules.

      Story 2: I used it for work, but only for non classified stuff and only because I didn't want to have multiple devices just to receive E-mail.

      Story 3: I used it for work, but didn't send anything that was marked as classified. It was all public information that was retroactively declared classified.

      Story 4: I did send and receive Classified, some of it was obviously portion marked, but I didn't see that at the time....

      Hillary has misstated the truth multiple times here and had to revise her story as more facts came to light.... Comey clearly said as much.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  3. Paranoids burying the lede by HBI · · Score: 5, Insightful

    The idiot Hal Smith, former NSA employee, apparently put stuff that shouldn't have been seen outside a SCIF on his home system. His content was exfiltrated, presumably by Russians. But now it's the vector of the exfiltration's fault that classified material was stolen.

    News flash: the system was broken the moment the stuff saw a computer outside of an airgapped network. For that matter, Mr. Smith put himself in criminal jeopardy at that moment.

    If the guy had been using Avast or Bitdefender, would that have made you feel better? Do you really think the Russians couldn't penetrate the firms providing those products? Think again.

    While we're at it, do you really think that the Russians are the only people soaking up data from the US like a sponge? Why so much focus on their activities? You'd think people had a political axe to grind, almost...

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  4. Is it so easy to bring home classified stuff? by Picodon · · Score: 2

    I’m a bit puzzled: aren’t highly confidential documents stored, viewed and edited only on secured computers? Is it really that easy for a contractor (or even an employee) to grab a copy and leave with it, entirely unnoticed?

    1. Re: Is it so easy to bring home classified stuff? by nehumanuscrede · · Score: 3, Interesting

      Sadly, yes it is.

      Many years ago when I was doing the Navy thing, I would find classified stuff just laying about, unsecured in staterooms.

      ( Security patrols in case you're wondering why I was even in Officer's Country )

      The vast majority of it was documentation of various things found on a ship that was tossed onto a table or rack ( bed ) in a stateroom. Easy to spot due to the color of the cover sheets. ( blue, red, orange, etc )

      Apparently the junior officers thought closing the door to their stateroom was enough to protect it. :|

      I thought about hiding it from them just to watch the panic set in when they realized a Secret book was now missing, but it would have ended their careers, so I usually just educated them on it.

      Stuff up to Secret levels only. Most TS+ and Crypto related stuff required 2-person control and they were much more protective of it.

  5. Re:Why was he allowed to take the docs home?! by gweihir · · Score: 4, Insightful

    Although doesn't this:

    Note we make no apologies for being aggressive in the battle against cyberthreats.

    Sound like a tacit admission?

    No, it does not. It merely says that if the Kaspersky scanner detected files it suspected of being malware but did not know yet (e.g. because the identification was via suspicious behavior pattern, not code signature), it phones home. That is standard behavior and no secret. In fact, you agree to that in the license and it can, I believe, be switched off.

    So what likely happened here is that the Kaspersky product was configured to send suspected, but yet unknown, malware files to Kaspersky and it did correctly identify some NSA malware as such and sent them to Kaspersky. I mean, seriously, this is what correctly working AV is supposed to do. This whole thing is much more likely about the NSA being butthurt that their criminal activity (criminal everywhere outside the US, that is) was discovered and that their respective malware is now detected by Kaspersky. Add to that a few creatively misleading statements to the WSJ reporters (who have zero understanding of what is going on and how the respective technology works) and you have what the WSJ is reporting now.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:Yeah. by superwiz · · Score: 2

    Putin was in politics long before he was President. He left the KGB with the title of Lieutenant Colonel -- hardly a high profile operative. He became a mid-level political operative after the collapse of the USSR. As for whether anything replaced the KGB, that's irrelevant. The Wehrmacht was replaced by the East German and West German militaries after WWII. That doesn't mean that one would expect a mid-level officer of the Wehrmacht to serve in either the West German or East German army. I would not expect most USSR operatives to retain any kind of power in post-USSR Russia. Yeltsin went so far as to ban and defund the former Communist party institutions after the collapse. He also had to disband the parliament and force a new election after pro-Communist parties got the majority and tried to muscle him from power. If anything, being anti-communist was the only way to rise to any kind of political power in post-USSR Russia. The modern Russian state is not pro-Soviet. It's national socialist. But it's difficult to imagine how anyone who remained committed to a pro-Soviet agenda could have remained anywhere even close to power.

    --
    Any guest worker system is indistinguishable from indentured servitude.