
[UPDATE] How Kaspersky AV was allegedly caught helping Russian hackers steal NSA secrets according to Israeli Hackers. Germany's BSI responds.

Sources: Ars Technica, Reuters, BSI (Germany)

 

Quote


Moscow-based Kaspersky Lab disclosed the intrusion into its network in mid-2015. Kaspersky released a detailed report that said some of the attack code shared digital fingerprints first found in the Stuxnet worm that sabotaged Iran's nuclear program. When combined with other clues—including the attackers' targeting of entities located in the US, which is off limits to the NSA—most analysts concluded that the 2014 hack was carried out by Israel. At the time, Kaspersky Lab researchers said that the hackers appeared most interested in data the company had amassed on nation-sponsored hackers.

 

The NYT, citing unnamed people, said on Tuesday that Israeli spies indeed carried out the attack. More revealing still, the report said that during the course of the hack, the spies watched in real time as Russian government hackers turned Kaspersky antivirus software used by 400 million people worldwide into an improvised search tool that scoured computers for code names of US intelligence programs. The NYT likened it to a "sort of Google search for sensitive information." The Israeli spies, in turn, reported their findings to their counterparts in the US.

 

As reporters Nicole Perlroth and Scott Shane reported:

Quote

Kaspersky's researchers noted that attackers had managed to burrow deep into the company's computers and evade detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky's systems, employing sophisticated tools to steal passwords, take screenshots, and vacuum up emails and documents.

 

In its June 2015 report, Kaspersky noted that its attackers seemed primarily interested in the company's work on nation-state attacks, particularly Kaspersky’s work on the "Equation Group"—its private industry term for the NSA—and the "Regin" campaign, another industry term for a hacking unit inside the United Kingdom’s intelligence agency, the Government Communications Headquarters, or GCHQ.

 

Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky's access to aggressively scan for American government classified programs and pulling any findings back to Russian intelligence systems. [Israeli intelligence] provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

The WaPo article reporting the same events is here. It adds additional details about the role Kaspersky AV reportedly played in identifying the NSA material the employee stored on his home computer.

Quote

Over the past several years, the firm has, on occasion, used a standard industry technique that detects computer viruses but can also be employed to identify information and other data not related to malware, according to two industry officials, who spoke on the condition of anonymity to discuss sensitive information.

 

The tool is called "silent signatures"—strings of digital code that operate in stealth to find malware but which could also be written to search computers for potential classified documents, using keywords or acronyms.

In a statement, Kaspersky Lab officials wrote:

 

[image: screenshot of the Kaspersky Lab statement]

This is a bit concerning. I've used Kaspersky AVs since college, when my PC got infected by a nasty worm that hid all my essential files and replaced them with shortcuts. Stupid Microsoft Security Essentials wasn't able to detect and remove it, so I downloaded a 30-day trial of Kaspersky Internet Security, and it detected the nasty worm and I was able to recover my files. From that day on, I've been a customer, and I even installed it on my parents' PC at home. While I think home users have little to worry about, it is the alleged spying that does concern me.

 

Until the US Senate hearing takes place, I'd still give them the benefit of the doubt unless the code inspection by US CERT and NIST found something deplorable. Founder and CEO Eugene Kaspersky responded to the allegations on his personal blog, saying:

Quote

However, if you strip the article of the content regarding alleged Kremlin-backed hackers, there emerges an outline to a very different – believable – possible scenario, one in which, as the article itself points out, we are ‘aggressive in [our] methods of fighting malware’.

 

Ok, let’s go over the article again…

 

In 2015 a certain NSA employee – a developer working on the U.S. cyber-espionage program – decided to work from home for a bit and so copied some secret documentation onto his (her?) home computer, probably via a USB stick. Now, on that home computer he’d – quite rightly and understandably – installed the best antivirus in the world, and – also quite rightly – had our cloud-based KSN activated. Thus the scene was set, and he continued his daily travails on state-backed malware in the comfort of his own home.

 

Let’s go over that just once more…

 

So, a spy-software developer was working at home on some spy-software, having all the instrumentation and documentation he needed for such a task, and protecting himself from the world’s computer maliciousness with our cloud-connected product.

Now, what could have happened next? This is what:

 

Malware could have been detected as suspicious by the AV and sent to the cloud for analysis. For this is the standard process for processing any newly-found malware – and by ‘standard’ I mean standard across the industry; all our competitors use a similar logic in this or that form. And experience shows it’s a very effective method for fighting cyberthreats (that’s why everyone uses it).

 

So what happens with the data that gets sent to the cloud? In ~99.99% of cases, analysis of the suspicious objects is done by our machine learning technologies, and if they’re malware, they’re added to our malware detection database (and also to our archive), and the rest goes in the bin. The other ~0.1% of data is sent for manual processing by our virus analysts, who analyze it and make their verdicts as to whether it’s malware or not.

 

Next: What about the possibility of a hack into our products by Russian-government-backed hackers?

 

Theoretically such a hack is possible (program code is written by humans, and humans will make mistakes), but I put the probability of an actual hack at zero. Here’s one example as to why:

 

In the same year as what the WSJ describes occurred, we discovered on our own network an attack by an unknown seemingly state-sponsored actor – Duqu2. Consequently we conducted a painstakingly detailed audit of our source code, updates and other technologies, and found… – no signs whatsoever of any third-party breach of any of it. So as you can see, we take any reports about possible vulnerabilities in our products very seriously. And this new report about possible vulnerabilities is no exception, which is why we’ll be conducting another deep audit very soon.

I don't know if I'm buying Kaspersky's response there. But the crazy thing is that Israeli hackers penetrated Kaspersky Lab's own network and remained undetected for months just to learn about the NSA's shenanigans, only to see that, allegedly, Kaspersky is working hand in hand with Russian intelligence. It does raise a lot of concerns, but the caveat is that a lot of the evidence proffered against Kaspersky comes from unknown sources. I think Kaspersky is caught in the middle of a modern-day cold war, but doubts about cyber espionage cannot be ruled out until the 25th of October, when Eugene Kaspersky himself will testify before the US Senate. On their company website, they explained how they work and how their cloud services protect user privacy, which you can read here and here. You be the judge. I'll just wait here as the story unfolds.

Quote

Has Eugene Kaspersky ever worked for the KGB – for example during his time at a KGB-sponsored education facility?

No. Eugene Kaspersky grew up in the Soviet era, when almost every educational opportunity was sponsored by the government in some way. After graduating from a prestigious Soviet high school with a focus on mathematics, he then studied cryptography at a university that was sponsored by four state institutions, one of which was the KGB. Upon graduating in 1987, he was placed at a Ministry of Defense (MoD) scientific institute, where he served as a software engineer. Contrary to misinformed sources, serving as a software engineer was the extent of his military experience, and he never worked for the KGB.

Is Kaspersky Lab subject to Russian surveillance laws (such as SORM)?

Russia and other countries have implemented surveillance legislation aimed at stopping terrorist activities. However, those laws and tools are applicable to telecom companies and Internet Service Providers (ISPs). Kaspersky Lab does not provide communication services, thus the company is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM). Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates, firewalls and more.

Why should I trust a Russian solution when there are comparable products developed in the U.S. (Japan, etc.)?

We live in an age of globalization. Kaspersky Lab was founded in Russia, and then became part of a holding company registered in the UK, and has R&D centers as well as security experts around the world - including in Russia, Europe, Japan, Israel, Australia, South Korea, the Middle East, the United States and Latin America. Product and service quality are the only things that matter. We use an approach similar to that of most Fortune 500 companies today and believe there is a strong link between industry best practice and the use of insight and expertise from a multitude of nationalities. For us, that means cherry picking the best talent from a global pool, without exclusions. In addition, Kaspersky Lab products constantly demonstrate the highest quality protection and usability results in independent tests conducted by respected testing organizations.

Can the data transfer be restricted?

Yes, users have control over the amount of data being shared, because participation in Kaspersky Security Network is voluntary and can be disabled at any time. If users disable KSN, a small amount of data will be shared that is essential for the product to function properly.

Do you process personal data?

Different laws define personal data differently. For example, GDPR says that ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). In its turn, international standard ISO/IEC 29100:2011(E) says that personally identifiable information (PII) is any information that can be used to identify the PII principal to whom such information relates, or might be directly or indirectly linked to a PII principal.

In accordance with the new legal frameworks being introduced in some countries, information processed in Kaspersky Lab’s cloud may contain data that might be considered as personal or personally identifiable. This could be email addresses used to access the My Kaspersky portal, information used to differentiate users’ licenses and devices in order to let them work properly, etc. However, we do not attribute this data to a specific person. Further, data is reliably protected with encryption and other security measures, including anonymization methods, and is used only to enable our products and services to work better and to provide users with the highest level of protection.

How do you anonymize the data you process?

Kaspersky Lab takes user privacy extremely seriously. The company implements the following measures to anonymize obtained data:

  • The information is used in the form of aggregated statistics;
  • Logins and passwords are filtered out from transmitted URLs, even if they are stored in the initial browser request from the user;
  • When we process possible threat data, by default we do not use the suspicious file. Instead we use hash-sum, which is a one-way math function that provides a unique file identifier;
  • Where possible, we obscure IP addresses and device information from the data received;
  • The data is stored on separated servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted.

Where is this data stored?

Kaspersky Security Network's front-end servers are located in different countries around the world (Germany, Canada, China, Russia, etc.), while the back-end servers are located in Russia, where the largest part of Kaspersky Lab’s anti-malware research team works. Different types of aggregated stats are stored on different servers with strictly regulated access rights, or in the Microsoft Azure cloud.

Do you share personal data, processed by Kaspersky Lab solutions, with third parties?

We do not share the information with any third parties.

Although, reading their privacy statement on their cloud protection service, I kinda wish Microsoft would finally allow full disabling of telemetry in Windows 10. Maybe they'll finally add it in their Spring Creators Update?

 

UPDATE:

There was an Ars Technica article at the moment about how Kaspersky allegedly modified their AV to be used by Russian intelligence to steal NSA secrets. In the latest Reuters article, Germany's BSI federal cyber agency said that the malicious accusations against Kaspersky Lab lack evidence that the Russian government used Kaspersky Lab AV to spy on US authorities.

Quote

“There are no plans to warn against the use of Kaspersky products since the BSI has no evidence for misconduct by the company or weaknesses in its software,” BSI said in an emailed response to questions about the latest media reports.

Here's the original press release from Germany's BSI in the original German language. Any German member on LTT can translate it correctly:

Quote

Media are currently reporting on possible activities by Russian hackers who are said to have spied on US government agencies using Kaspersky software.

The Federal Office for Information Security (BSI) currently has no findings indicating that the incident took place as described in the media report. The BSI is in contact with its American partner agencies.

The BSI does not currently intend to issue a warning against the use of Kaspersky products, as it has no evidence of misconduct by the company or of vulnerabilities in the software.

Antivirus programs continue to play an important role in securing IT systems. To provide this protection, AV programs generally have full access to all data stored on the computer.

These far-reaching access capabilities are necessary in order to detect even well-hidden malware. However, this also requires that the AV software itself be free of errors and contain no vulnerabilities that would allow an attacker to break into other people's computers via the AV software.

Federal government agencies can draw on a framework agreement, put out to tender by the Procurement Office of the Federal Ministry of the Interior (BMI), to equip clients and servers with protection software. The contract was awarded on 1 August 2016 to CANCOM online GmbH, which works with the manufacturer Trend Micro. The BSI also uses Kaspersky products in the area of technical analysis.

 

Google Translate:

Media are currently reporting on possible activities of Russian hackers who have been spying on US authorities using Kaspersky® software.

 

The Federal Office for Security in Information Technology (BSI) does not currently have any knowledge that the process took place as described in the media report. The BSI is in contact with the American partner authorities.

 

A warning from the BSI before the use of Kaspersky products is currently not provided, since the BSI has no evidence of a malfunction of the company or weak points in the software.

Antivirus programs continues to play a significant role in the protection of IT systems. In order to implement this protection, AV programs usually have full access to all data stored on the computer.

 

These extensive access options are necessary to discover well-hidden malicious software. However, this also requires that the AV software itself must be error-free and not contain any weak points, which allow an attacker to penetrate the computer via the AV software.

 

Authorities from the Federal Administration can use a protection contract for clients and servers to access a framework contract, which was issued by the procurement office of the Federal Ministry of the Interior (BMI). The contract was awarded on 1 August 2016 to CANCOM online GmbH, which cooperates with the manufacturer Trend Micro. The BSI also uses Kaspersky products in the field of technical analysis.

Is Google Translate correct in translating? I hope so. But I want to know on what grounds, or how, the German BSI investigated and found nothing. If Germany is correct, then all of the allegations against Kaspersky Lab and Eugene Kaspersky are basically oral defamation due to geopolitical conflicts. I wish intelligence agencies from other countries would come forward to prove or disprove the allegations.

 

Edited by hey_yo_
edited the title, added some stuff from Reuters

There is more that meets the eye
I see the soul that is inside

 

 


MS will never change their telemetry stance, the CIA won't let them.....nice read.....I think it's all wind coz they are all doing it...


I haven't needed antivirus protection in ages, but I genuinely trust Kaspersky. I think this whole thing is US-Israeli attacking anything Russia just because it's Russia. It just feels like War is business and unless our species evolves or eradicates itself nothing's going to change that.


1 minute ago, jools said:

MS will never change their telemetry stance, the CIA won't let them.....nice read.....I think it's all wind coz they are all doing it...

I'm hopeful that they'll add full disabling of telemetry until someone hacks inside Microsoft with a sophisticated exploit and exposes where they share their personally identifiable telemetry data.

2 minutes ago, Okjoek said:

I think this whole thing is US-Israeli attacking anything Russia just because it's Russia

So I guess it's a modern day cold war indeed. 


 

 


Everyone in Russia is trained to be an Elite Hacker from birth and everyday they hack everything they can from American intelligence in a quest for world dominance.

 

I mean how can you try to discredit those who did the impossible and literally hacked the entire US election?


2 minutes ago, imreloadin said:

In b4 everyone talks about how they haven't used antivirus/antimalware software in X amount of time...

I’m pretty sure not running an AV in an SME or a large corporation is quite irresponsible. Also, AVs have gotten better and some don’t have significant performance penalties, unlike AVs 10 years ago.


 

 


1 minute ago, hey_yo_ said:

I’m pretty sure not running an AV in an SME or a large corporation is quite irresponsible. Also, AVs have gotten better and some don’t have significant performance penalties, unlike AVs 10 years ago.

Trust me I'm well aware of that lol. The most common reason I always see people give is "I just use common sense" or other kinds of "I'm smarter than the normies" statements.


14 minutes ago, imreloadin said:

Trust me I'm well aware of that lol. The most common reason I always see people give is "I just use common sense" or other kinds of "I'm smarter than the normies" statements.

I wonder if those people know how APTs work and how malware authors can conceal malware inside something as innocuous as a .jpg or a .pdf file that has ransomware or a keylogger inside. And that could be propagated inside a company’s network and infect workstations and servers just by sending a phishing email pretending to be a job application with those PDF files crafted with malware inside.

Edited by hey_yo_


 

 


I'm confused. Isn't the big issue not that Kaspersky is compromised, which it most likely is not, but the way they handle their virus definitions, and who submits samples for inclusion in its database? I mean, the virus definition files are essentially the "search terms" that the search engine (Kaspersky and others) uses to identify the malware out there, and they update all the time. How hard would it be to slip in a definition that looks for key words or word arrangements in the files being scanned, and mark those files for submission with manual review? Once the files are submitted, and you have the data you are after, mark the file as clean and scrub the offending "virus def" out of the definition set. Heck, you could do this with any AV platform; Kaspersky is just a currently topical scapegoat.

 

How do all these vendors currently vet their definition sources? Isn't that the larger issue?


3 hours ago, hey_yo_ said:

I'm hopeful that they'll add full disabling of telemetry until someone hacks inside Microsoft with a sophisticated exploit and exposes where they share their personally identifiable telemetry data.

So I guess it's a modern day cold war indeed. 

Not necessarily. The cold war the way I see it was a war of ideology, Capitalism vs socialism, Collectivism vs individualism as well as a cultural difference. Nowadays I see it's been replaced with pure nationalism, militarism, imperialism, exceptionalism whatever you want to call it. It's pure cancer IMO and possibly the artificial means of the destruction of our species by ourselves.


So it got caught doing what it does? Scan files, and with proper authentication from the user, have access to the file for later analysis.


Hanlon's razor...

 

If Israelis can sit in wait for months undetected, I'm sure Russian sources would find it just as easy, if not easier, to do so.

 

These allegations are not implying intent, merely negligence. Which is quite believable given one positive proof of possibility (the attacking hack itself).


If Kaspersky was indeed hacked, that would make this whole thing just another case of a flaw in an antivirus being used as an attack vector, something that really isn't that new.  Most AV makers had to deal with that in the past 3-4 years. 

 

I find that much more plausible than the twist the Israelis are giving this whole story.


19 minutes ago, Amber_Nova said:

Ars has had an anti-Russia hard-on since before the 2016 US election. They're about at the level of NYT on the Russophobic scale.


Just now, hey_yo_ said:

I just updated the OP

Actual original article is WSJ but that is a paywall..


Just now, DeadEyePsycho said:

Actual original article is WSJ but that is a paywall..

I ain't paying them bruh :P

