Slashdot Mirror


'Very High Level of Confidence' Russia Used Kaspersky Software For Devastating NSA Leaks (yahoo.com)

bricko shares a report from Yahoo Finance: Three months after U.S. officials asserted that Russian intelligence used popular antivirus company Kaspersky to steal U.S. classified information, there are indications that the alleged espionage is related to a public campaign of highly damaging NSA leaks by a mysterious group called the Shadow Brokers. In August 2016, the Shadow Brokers began leaking classified NSA exploit code that amounted to hacking manuals. In October 2017, U.S. officials told major U.S. newspapers that Russian intelligence leveraged software sold by Kaspersky to exfiltrate classified documents from certain computers. (Kaspersky software, like all antivirus software, requires access to everything stored on a computer so that it can scan for malicious software.) And last week the Wall Street Journal reported that U.S. investigators "now believe that those manuals [leaked by Shadow Brokers] may have been obtained using Kaspersky to scan computers on which they were stored." Members of the computer security industry agree with that suspicion. "I think there's a very high level of confidence that the Shadow Brokers dump was directly related to Kaspersky ... and it's very much attributable," David Kennedy, CEO of TrustedSec, told Yahoo Finance. "Unfortunately, we can only hear that from the intelligence side about how they got that information to see if it's legitimate."

41 of 232 comments

  1. Kaspersky did their job by KiloByte · · Score: 5, Insightful

    If Kaspersky are indeed behind this, they are doing what their company is supposed to do: find malware and make it public. Without their help, NSA's malware would be still in the wild.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Kaspersky did their job by Mike+Van+Pelt · · Score: 4, Insightful

      There's a difference between detecting malware running on the PCs that Kaspersky is protecting, and leveraging its presence on a PC in an intelligence agency's network to exfiltrate their little logic bombs. The first is entirely legitimate. The second... is espionage. I think it was Heinlein that said "Espionage is not immoral; everyone does it. But the cost for getting caught at it is very high." The cost to Kaspersky is likely to be very high indeed, whether someone at the company did it, or some Russian TLA inserted the code without their knowledge.

      Kaspersky should have stuck to the first. Still, I wish they had let Stuxnet have its way with Iran's centrifuges for a few more years.

    2. Re:Kaspersky did their job by Anonymous Coward · · Score: 3, Insightful

      Yes, he ran against Hillary.

    3. Re: Kaspersky did their job by poity · · Score: 4, Funny

      Absolutely correct. The PDF where intelligence community officials say they have a high degree of confidence and backed it up with diagrams of computer networks, we all knew the case was bulletproof. And when IT pros read that document and saw those diagrams they literally said "it's Russia via Kaspersky 100%, also Tuck Frumpf".

      --
      your thin skin doesn't make me a troll
    4. Re:Kaspersky did their job by Anonymous Coward · · Score: 4, Insightful

      Except modern antivirus products use various algorithms to spot novel malware programs that they don't know yet, as well as ones they have published signatures for. A program is a program. The antivirus software has no way to know the difference between a malware that has infected a computer and a malware that has been compiled by that computer's user. They were indeed doing their job. The fault lies with the NSA having antivirus software installed on a computer where they were developing viruses.

    5. Re:Kaspersky did their job by johanw · · Score: 4, Insightful

      > And was publicly opposed by hundreds of prominent members of the GOP & the American Right, incl both Presidents Bush

      That is quite a recommendation. No wonder he won.

    6. Re:Kaspersky did their job by bsDaemon · · Score: 4, Informative

      The fault lies with the contractor who stole classified information, took it home, and put it on a personal computer where he had Kaspersky installed. I have a very hard time believing such actions to NOT be deliberate with the intention that the programs be scanned by Kaspersky, and possibly specifically by Kaspersky. I'm not saying Nghia Hoang Pho, 67, was flipped in his soviet client state homeland and sent to the US with specific pro-Russian instructions, but I mean, come on....

    7. Re:Kaspersky did their job by DCFusor · · Score: 4, Insightful

      I'd mod this up if I could. Damn partisans miss the point - they're all crooked as hell.

      --
      Why guess when you can know? Measure!
    8. Re:Kaspersky did their job by Anonymous Coward · · Score: 5, Interesting

      Yet, in spite of the GOP abandoning him, he won the election. I think this can only be explained by some combination of Clinton being so obnoxious a choice that people couldn't bring themselves to cast a ballot for her and Trump being quite crafty in his strategy.

      Remember, both candidates knew that the popular vote didn't matter and both campaigned to win the EC.

      For example, Trump didn't spend much time in California because there was no possibility he would win it and, if he did win it, it meant he didn't need it as the election would have been a landslide in his favor even without California's EC votes. Similarly, California voters who may have supported Trump had no reason to even bother to vote. In a liberal state like California, putting a Trump sticker on your car in an urban area was like putting a Goldwater sticker on your car in 1964 (I know, I lived there in Berkeley in 1964 and our family cars had Goldwater stickers on them -- those "tolerant liberals" were only tolerant of their own views - it really sucked being a small child and having your car windows spat on). Thus, most potential Trump voters in California didn't look around and see stickers and yard signs that would motivate them to vote.

      Clinton, on the other hand did spend a bit of time in California -- mostly to raise money -- and putting a Clinton yard sign up or a Clinton sticker on your car was perfectly acceptable and wouldn't get you abused, so supporters did so. This inevitably garnered more support as sheeple looked around and saw only Clinton campaign signs and stickers and, being herd animals and tribal in nature, jumped on the bandwagon.

      Do you want a President who ran their campaign so terribly that she paid for 3M votes that were obviously useless to her instead of buying a few hundred thousand which would have mattered? Her inability to administer her own campaign effectively and efficiently leaves little doubt that she would have been similarly incompetent as administrator of the country.

      On the other hand, Trump is a horrible joke -- but fortunately he's doing a good job at his second most important responsibility - appointing Federal Judges that respect the rule of law and think politicians should make policy, not judges. This judicial legacy will long outlast his term as Federal Judges serve for life. His first most important responsibility is defense -- it's not clear how he will do on that as he's not been tested yet and I hope he's not.

    9. Re:Kaspersky did their job by negRo_slim · · Score: 4, Insightful

      Can we get back on topic, I'm trying to find any of that stuff... uhhh shit what's it called, umm prof? pruf? Oh no PROOF that's right. Has any proof been offered up or are still just on red scare autopilot?

      --
      On the Oregon Coast born and raised, on the beach is where I spent most of my days
    10. Re:Kaspersky did their job by AHuxley · · Score: 3, Informative

      The OS had changes made by the NSA malware. Every new AV product made with some level of skill should have detected the new, novel and unexpected changes to the OS.
      Got a sample and reported back to their brand for that brand's experts to look over and warn the world about.
      That's what every good AV brand builds behavioral analysis into their AV products for.
      Behavioral analysis is what finds the new problems in the wild and protects the global community from new issues deep in an OS or network.
      Detecting new malware and protecting the world from new malware is not "espionage" ....

      --
      Domestic spying is now "Benign Information Gathering"
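AHuxley's reply above argues that an AV should notice "new, novel and unexpected changes to the OS". The simplest on-disk form of that is a file-integrity baseline: hash every system file once, keep the manifest off-host (ideally signed), and diff against it later. The following is an added example written for this mirror, not code from the original thread or from any AV vendor; the directory tree and the "implant" changes it makes are constructed for the demo. A real behavioral engine also watches runtime events (process injection, driver loads, registry writes), which this check does not cover.

```python
"""Baseline-and-diff file integrity check (added example, constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.
    In practice the result is signed and stored off-host so an intruder cannot
    edit the baseline along with the files it describes."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: a fake system tree, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "kernel.dll").write_bytes(b"legit kernel bytes")
        (root / "system32" / "drivers" / "disk.sys").write_bytes(b"legit driver")
        (root / "config.ini").write_text("setting=1\n")

        # The manifest you would store off-host; JSON round-trip mimics reloading it later.
        baseline_json = json.dumps(build_baseline(root))

        # Simulated implant: patches an existing driver, drops a new one, deletes a config.
        (root / "system32" / "drivers" / "disk.sys").write_bytes(b"legit driver" + b"\x90" * 16)
        (root / "system32" / "drivers" / "hidden.sys").write_bytes(b"new driver body")
        (root / "config.ini").unlink()

        return diff_baseline(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only has value if the baseline is taken from a known-good state and kept where the same intruder cannot rewrite it; a manifest sitting on the monitored disk is just another file to patch.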
    11. Re: Kaspersky did their job by Anonymous Coward · · Score: 4, Insightful

      Everything was apparently against Trump, yet he won. Just. The margin was so narrow that the Russian help from the stolen documents and massive social media trolling was vital in pushing him over the finish line first. Not that he colluded, no he would have been as oblivious to their help as he is to most things which don't have his name on.

      Unfortunately, the Russians are unable to help him now he's president, and try as they might, his supporters are unable to stop everyone seeing his chaotic ignorant incompetence. All of which is great for his opponents, of which there are more and more, appalled at what he's doing to the USA and its reputation. At this rate, the GOP will lose its majority in Congress in November, if Trump lasts that long.

      I hope his interview with Mueller is filmed. I want to see him squirm, as for possibly the first time in his life he is forced to tell the truth.

    12. Re:Kaspersky did their job by sound+vision · · Score: 2

      But are there easier ways that let you keep plausible deniability?

  2. Very high level of confidence in TREASON by Anonymous Coward · · Score: 3, Insightful

    Donald Trump is still shielding Russia from accountability for its multiple attacks on our country.

    He won't even admit that Russia hacked into our election equipment!

    1. Re:Very high level of confidence in TREASON by Anonymous Coward · · Score: 4, Informative

      Where is this evidence?

      The first attack, on Aug. 24, involved an attack on an American company "evidently to obtain information on elections-related software and hardware solutions."

      That attack was most likely successful. The report said the G.R.U. used data most likely obtained from it to conduct the second set of attacks, a "voter registration themed spear-phishing campaign targeting U.S. local government organizations."

      Specifically, it said, in late October or early November, the G.R.U. sent to 122 local elections officials emails designed to look as if they were from that company and containing attachments designed to look like an updated system manual and checklist. Opening the attachment would download malicious software from a remote server, the report said.

      The report masked the name of the software vendor, referring to it as "U.S. Company 1," in keeping with standard minimization rules for intelligence reports based on surveillance. However, the report contained references to an electronic voter identification system used by poll workers and sold by VR Systems, a Florida company.

      VR Systems' website said its products were used by jurisdictions in California, Florida, Illinois, Indiana, New York, North Carolina, Virginia and West Virginia. In a statement, VR acknowledged that there had been a problem, while stressing that none of its products dealt with vote marking or tabulation. ...

      Mr. Trump called for a crackdown in the context of leaks about what surveillance has shown about his own associates' contacts with Russian officials. The report Ms. Winner is accused of leaking, by contrast, focuses on pre-election hacking operations targeting voter registration databases and does not mention the Trump campaign.

    2. Re:Very high level of confidence in TREASON by DCFusor · · Score: 3, Interesting
      Funny anyone asking for real evidence gets modded troll immediately. TLA's are here and are "controlling the narrative" - but failing. We know there's no other reason to call a legit request for "how you know what you claim" as trolling. It's obvious, and I had to burn a mod point to make this point. This is important. You think the Russians are doing all the badware on earth? How about this situation?

      Peek-a-boo - I see you, paid "intelligence community trolls with mod points". A big FU to lying to keep your rice bowl full.

      --
      Why guess when you can know? Measure!
    3. Re:Very high level of confidence in TREASON by DRJlaw · · Score: 5, Funny

      Funny anyone asking for real evidence gets modded troll immediately. TLA's are here and are "controlling the narrative" - but failing.

      Where's the evidence of this?

    4. Re:Very high level of confidence in TREASON by Entrope · · Score: 4, Informative

      That is not evidence of Trump trying to shield Russia. That is evidence of Trump trying to enforce the nation's anti-espionage laws, although he still has a long way to go before he equals Obama's record for prosecuting alleged leakers.

      Do you have video of Trump talking to Russia's president or prime minister, saying something like "after my election, I have more flexibility", and asking that the message be carried to Vladimir Putin? Did Trump's DOJ hide an investigation into Russian bribes and similar corruption among uranium dealers until after Trump's State Department approved the sale of something like 20% of America's uranium reserves to a Russian company?

      If you substitute "Obama" for "Trump" in those questions, the answer to both is "yes".

      But that's a narrative that you won't hear from Los Tiempos de Nuevo York.

    5. Re:Very high level of confidence in TREASON by Highdude702 · · Score: 2

      It's not that it's hard, it is not allowed. The current situation in politics shows this clearly. If you think for yourself you are the enemy. And it seems so on both sides. One more than the other by quite a bit. Who needs evidence when you can FEEL it? Because feelings are so much better than thoughts.

    6. Re: Very high level of confidence in TREASON by guruevi · · Score: 2

      In computer security, if your security is weak enough it becomes a "public unsecured server". E.g. anything you find through Shodan is imho a "public unsecured server" because a search engine can find it.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  3. Been using Kaspersky for years, its gotten worse by BrookHarty · · Score: 4, Interesting

    Had my new Win10 machine, decided to put the latest version on. Kas put a man-in-the-middle SSL scanner so it could scan SSL streams. After I told it not to and even disabled it, it still tried to scan all my SSL traffic and would block my browser. It just would not leave my SSL traffic alone even after specifically disabling web protection. This was the scanner only, I did not install the full protection suite.

    So I uninstalled it. Rebooted, and it still left the SSL middleware installed. WTF is this amateur behavior at Kaspersky?

    No idea wtf is going on over there at Kaspersky, but it's gone to hell. I don't care if it's one of the fastest, with very low CPU usage and great anti-virus detection. These stupid games like MITM SSL without my permission are downright unforgivable.

  4. I believe it and so should you by poity · · Score: 2, Insightful

    There is no reason to doubt our esteemed intelligence community. When they implore us to trust them because the evidence is too dangerous to show to the public, it is every patriotic citizen's duty to trust them. Spies are lurking in every corner, even on our beloved Slashdot, so we must remain vigilant against efforts to undermine faith in government. Faith keeps us strong, strength crushes enemies. Have faith.

    --
    your thin skin doesn't make me a troll
    1. Re: I believe it and so should you by guruevi · · Score: 2

      In computer security any lack of "intelligence" makes the issue at hand usable by anyone from a 10 year old in their moms basement to any government, friendly or not and it also affects everyone.

      Hence why we WANT the FBI/NSA to publish these issues because today it's some low level NSA rent-a-coder being hacked, tomorrow it's the nuclear arsenal or the economy or some other government agency because even other parts of the government don't get to know these details, there is no "secret patch list".

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  5. Zero evidence = No case by Karmashock · · Score: 2, Insightful

    Mic drop.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:Zero evidence = No case by Karmashock · · Score: 2

      Cite it. If it is so obvious and so abundant... Cite it.

      If you had a case, they'd go to court with it. No one is taking them to court... because there is no evidence.

      Prove me wrong or you'll prove me right... right now.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:Zero evidence = No case by rl117 · · Score: 2

      There has been a lot of noise, and a lot of claims that evidence exists, but I've yet to see a single concrete bit of evidence. Can you point to some that's not anecdotal hearsay?

  6. Amazing by 110010001000 · · Score: 5, Insightful

    The amazing part is that someone actually runs a closed source virus suite from a Russian vendor. Insane.

    1. Re:Amazing by 110010001000 · · Score: 2

      You are right. Running closed source in general is pretty insane. It could be doing anything and you would have no clue.

    2. Re:Amazing by DNS-and-BIND · · Score: 5, Insightful

      Why not? What have we got to fear? The NSA has a much larger chance of harming me than some distant foreign government. In fact I'd say the dirty foreigners' interest in me is about zero, while the NSA has a constant canker of anxiety about us American citizens, otherwise it wouldn't be spying on us illegally. I simply have less to fear from the foreigners and much to fear from the lawless NSA.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Amazing by ngc5194 · · Score: 2

      ... and if I knew that the NSA was using some spyware brand to spy on me I wouldn't buy that either. I don't understand the point of your post. Even if you think the NSA is more likely to be damaging to you than the FSB, that doesn't mean I want the FSB to have access to my computer. One criminal organization may be more likely to cause me damage than another, but that doesn't mean I want the second one in my house.

    4. Re:Amazing by sjames · · Score: 2

      Except the Russian AV software doesn't mind catching NSA spyware. The American AV doesn't mind catching FSB spyware. People who live within the FSB's jurisdiction should use American AV software.

      If you have to give one of them six lines written by you, give them to the one that doesn't have jurisdiction over you.

    5. Re: Amazing by houghi · · Score: 2

      Not sure if that is better than a closed source American one.

      --
      Don't fight for your country, if your country does not fight for you.
  7. Never Mind All That... by BlueStrat · · Score: 2, Insightful

    ...What I want to know are the names of the people responsible for running a foreign COTS A/V on 'net-connected PCs and placing Classified/Top Secret data on those computers and what legal actions/charges are pending against them, and if no legal actions/charges are pending and/or they refuse to identify who they are, why not.

    *THOSE* are the questions we should be asking very, very loudly and demanding and the people who should be spending time at Club Fed. Given that level of cavalier handling of such highly-classified and top-secret data, Kaspersky/Putin/FSB et al were likely the very LAST bad-actors to get the data.

    How about we figure out how to plug the hole in the lifeboat first before we start holding hearings on where to place the blame?

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    1. Re:Never Mind All That... by DCFusor · · Score: 2

      It was an NSA guy who illegally took stuff home. Since "no intent" is currently a defense in the just-us system, no one wants to talk about it or prosecute the guy. Kaspersky picked up on his illegal stuff because his home computer was full of other illegal stuff (stolen MS software - not that I'd care about that - with the usual added malware by the warez guys).

      --
      Why guess when you can know? Measure!
  8. So, what steps? by DCFusor · · Score: 5, Insightful
    Israel claims to have hacked Kaspersky and seen the Russians in there too - they told us and that's how we originally claimed we knew Kaspersky was involved at all. If you trace back this convoluted story, that's the closest thing you can find to something that's almost believable. OK, so some _NSA_ _dude_ breaks all the rules and takes the nasties home - accidental treason if you will - and happens to have a machine full of stolen microsoft code that came with viruses, and Kaspersky AV too. It sees this, and some other nasty looking things, and brings them back to the mother ship to see what's up - all as designed and as in the EULA and so on. All this was told to us by "reputable sources" naming "reputable sources" in the IC and promoted by the MSM. Now their story changes...they seem to be depending on people having a real short attention span.

    Not only were there the usual viruses associated with stolen code from MS, but also this stuff from NSA which was picked up as it had the signature of a nasty - because it IS. If the Russians got ahold of it because they had already penetrated Kaspersky...then Kaspersky didn't actually do this - they were an unwitting "useful idiot" at most.
    But we have to hate them? Want to bet that's because they refused to back down about putting bugs into their code to "not notice" TLA code, when all other AV's agreed to do that?

    OK Occam's razor - find another reason that makes sense all around. GoodLuckWithThat. I've yet to see reasonable evidence that the shadow brokers are even russian - they might be, but who knows? Attribution is hard. CIA's leaked tools show their tricks for leaving a false trail, for example (and this is yet another reason not to give any of these guys an encryption backdoor they promise to keep safe - they can't even keep their own stuff safe).

    --
    Why guess when you can know? Measure!
    1. Re: So, what steps? by poity · · Score: 3, Funny

      We can only draw one conclusion: Kaspersky illegally ignored the "Top secret NSA virus do not upload for analysis" metatag embedded in those files.

      --
      your thin skin doesn't make me a troll
  9. Re:Kaspersky? by ChunderDownunder · · Score: 2

    The surprise is they're running Windows and not some hardened Linux or an OS written by Canadian hacker Theo de RaaBSD

  10. Oh fuck off by Anonymous Coward · · Score: 2, Insightful

    Stop smearing Kaspersky, it's the only company not in bed with the NSA.

    Shit probably got stolen by one of the 50 Intel backdoors anyway.

    "High level of confidence" means "We got nothing but we'll smear someone anyway"

  11. Are you sure? (y/N) by ElizabethGreene · · Score: 2

    Are these the same sources that attributed the Mirai botnet to Russia-sponsored actors?

    We don't have a good track record of attributing these actions of late.

  12. How Kaspersky accidentally hacked the NSA by raymorris · · Score: 2

    Bringing the thread back on topic, my experience at work shows how Kaspersky would have accidentally "hacked" this material.

    For my day job I write software tools which scan networks, checking to see if any computers on the customers' network are vulnerable to any known vulnerabilities. Occasionally the antivirus/anti-malware that is mandated by corporate flags our own tools as likely malware. That makes sense, because our code looks a lot like malware code - we seek out vulnerable hosts, checking each to see if it's actually vulnerable. After that, our system reports to the customer where their vulnerabilities are, but to anti-virus / anti-malware systems our code resembles a threat. Our code also closely resembles some of the NSA code, which was basically malware. Our company has to conform to certain security standards, and those standards require all desktops and laptops to have anti-virus / anti-malware, so we aren't supposed to just disable it, even though it's troublesome when it flags our own files. Right or wrong, bureaucracy requires that our systems have this protection.

    The anti-malware vendors program their software so that when it detects a new strain of likely malware, it sends a copy back to the vendor so they can learn about the new malware. That's typical so they can provide better service by continually adding new detection for new malware varieties.

    If, due to bureaucratic fiat or any other reason, anti-malware were installed on an NSA system which had a copy of the NSA kit, I'd expect the anti-malware would detect a few of those tools as being possible malware infecting the system. (It is basically malware, after all). Standard practice would be for the anti-malware system to send samples back to Kaspersky, so they can update and improve their detection. Some low-level analyst at Kaspersky would receive several new zero days all "infecting" one computer. Since there are several and they are new, they'd alert their boss and Kaspersky would/should take a look at this customer system that contains several new zero days. Maybe look at the folder the zero days were in to see if more new threats are there. In the same folder the zero days came from, they'd find the NSA manual on how to use them. Suddenly Kaspersky would have the NSA kit without ever doing anything more than doing their job as expected.

    The policy that would cause this to happen - without any malice by anyone, would be a rule that "all NSA desktops must have anti-malware installed", combined with choosing Kaspersky, a foreign company, as their vendor.
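raymorris's comment describes a plausible chain: heuristics flag a file, the client uploads a sample, and someone then "looks at the folder the zero days were in". The following toy model of that chain is an added example, not code from the original post or from Kaspersky. Its heuristics (Windows injection API names as strings, plus high byte entropy), the file names, the submission format and the "collect neighbouring files as context" behaviour are all assumptions chosen to illustrate his argument, not a description of any vendor's actual product. It also shows the two knobs that break the chain: not collecting context, and excluding the tools tree from scanning.

```python
"""Toy AV client: heuristic detection -> sample submission -> context collection.
Added example with constructed files; heuristics and upload format are invented."""
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Indicators chosen for the demo. Real engines use far richer signals (emulation,
# PE structure, runtime behaviour), but the shape of the decision is similar.
SUSPICIOUS_STRINGS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread", b"\\\\.\\pipe\\")
ENTROPY_THRESHOLD = 7.2  # bits per byte; packed or encrypted payloads approach 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_reasons(data: bytes) -> list:
    """Why a file looks like malware to the toy engine; an empty list means clean."""
    reasons = []
    hits = [s.decode("ascii", "replace") for s in SUSPICIOUS_STRINGS if s in data]
    if len(hits) >= 2:
        reasons.append("api-strings:" + ",".join(hits))
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def scan(root: Path, excluded_prefixes=()) -> list:
    """Return [(path, reasons)] for flagged files, honouring a list of root-relative
    path prefixes to skip (the knob an admin would use to keep a tools tree out)."""
    detections = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if not p.is_file() or any(rel.startswith(e) for e in excluded_prefixes):
            continue
        reasons = heuristic_reasons(p.read_bytes())
        if reasons:
            detections.append((p, reasons))
    return detections


def _entry(path: Path, reasons) -> dict:
    # Hash and size stand in for the file bytes a real upload would carry.
    data = path.read_bytes()
    return {"reasons": reasons, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


def build_submission(detections, collect_context: bool) -> dict:
    """Assemble what a cloud-telemetry upload would contain. With collect_context=True
    the other files in each detection's directory travel too: that is how a manual
    sitting beside an exploit leaves the machine although it looks benign on its own."""
    bundle = {}
    for path, reasons in detections:
        bundle[path.name] = _entry(path, reasons)
        if collect_context:
            for sib in sorted(path.parent.iterdir()):
                if sib.is_file() and sib.name not in bundle:
                    bundle[sib.name] = _entry(sib, ["context-of:" + path.name])
    return bundle


def demo(collect_context: bool, excluded_prefixes=()) -> dict:
    """Constructed tree: a high-entropy 'implant' containing injection API names,
    a plain-text manual next to it, and an unrelated document elsewhere."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "docs").mkdir()
        payload = random.Random(1).randbytes(4096) + b"VirtualAllocEx\0WriteProcessMemory\0"
        (root / "tools" / "implant.bin").write_bytes(payload)
        (root / "tools" / "operator_manual.txt").write_text("Step 1: run implant.bin against the target\n")
        (root / "docs" / "budget.txt").write_text("unrelated spreadsheet export\n")
        return build_submission(scan(root, excluded_prefixes), collect_context)


if __name__ == "__main__":
    for label, bundle in (("default", demo(True)), ("no context", demo(False)),
                          ("tools/ excluded", demo(True, ("tools/",)))):
        print(label, "->", sorted(bundle))
```

Run it directly to see the three bundles: with context collection on, operator_manual.txt leaves alongside implant.bin even though nothing in the manual itself trips a heuristic; with it off, only the flagged binary goes; with tools/ excluded, nothing goes. Whether a given product's cloud component actually gathers neighbouring files is something to verify in its telemetry documentation and settings rather than assume either way.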

  13. "exfiltrate classified documents?" by OmniGeek · · Score: 2

    In a properly run secure computing facility, classified materials are NEVER, EVER allowed to exist on computers connected to insecure networks. That's not a suggestion, that's a formal requirement, at least for the programs I used to work on. OS updates, antivirus software, everything was air-gapped from the Internet. No exceptions. For the exfiltration to happen as described, the NSA must be routinely violating basic infosec procedures in ways that would get any contractor fired, fined, and possibly imprisoned.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."