Slashdot Mirror


Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC (zdnet.com)

Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency's hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky's antivirus software. Once these secretive files were identified -- through an avenue carved by the antivirus -- the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There were a number of theories relating to what actually took place -- was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky's antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA's Equation Group was taken.

2 of 139 comments

  1. Re:Believable by Train0987 · Score: 3, Funny

    Doing that with Officially Classified materials has legal consequences.

    Unless you're Hillary Clinton, of course.

  2. Is it Executive IT Syndrome? by ErichTheRed · Score: 3, Funny

    Here's another thought about why it happened -- is it possible that NSA treats some of their more brilliant analysts the same way companies treat executives? Everywhere I've worked, security policies apply to absolutely everyone except the C-level and senior VP ranks. Execs just tell IT to plug whatever new shiny thing they got at a conference or Best Buy into the network, override password policy so they don't have to log in to their machines, and a whole bunch of other things that would get ordinary workers fired. Maybe if you're a super-brilliant borderline autistic cybersecurity genius, the NSA decides it's not worth it to try to enforce policy?

    I'm sure a lot of the safeguards around classified information are the equivalent of "security theatre" but I'm kind of surprised NSA would let their analysts casually walk out the door with unreleased exploit code and bring it home with them. People I know who work for defense contractors on much more mundane stuff can't even mount USB drives on their computers read-only, let alone copy files, but it seems like they just let things like this happen once you get a certain level of access beyond the perimeter. Some of the things I've heard described are totally security theatre, like covering whiteboards when the janitor comes through or insisting that every piece of garbage be burned _and_ shredded...but at least they have the common sense to prohibit employees from taking confidential data home and employees I've spoken with are well-trained to not talk about exactly what they're working on. I have a feeling we'd never know about this if it hadn't gotten to a machine without Internet access.

    Almost all companies work like this too -- once you're inside everything is trusted and can talk to everything else. That's absolutely the wrong thing to do, but rebuilding the network and walling things off to an "assumed-compromised" posture is super expensive and hard to implement. Lots of companies don't even have internal PKI right yet so port-level authentication on network gear isn't even possible. And the app landscape is so vast and much of it is so old that totally locking down some things would take tons of research and effort...all of which the company won't pay for. You would think NSA would be all over that though, given what they work on.