Cloud
10/5/2017
08:00 PM

Russian Hackers Pilfered Data from NSA Contractor's Home Computer: Report

Classified information and hacking tools from the US National Security Agency landed in the hands of Russian cyberspies, according to a Wall Street Journal report.

Turns out the National Security Agency (NSA) may have suffered yet another data breach: in 2015, Russian state hackers stole classified cyberattack and defense tools and information from the home computer of an NSA contractor, according to a Wall Street Journal report published today.

The hack reportedly occurred via Kaspersky Lab antivirus software on the contractor's home computer, where the AV flagged the NSA cyberspying tools and code. The breach wasn't detected until the spring of 2016, and wasn't known publicly until the WSJ report was published today.

Just how, or whether, the NSA contractor's Kaspersky Lab software was abused and exploited is under debate among experts. It could be a case of the application's detection of the tools on the contractor's system inadvertently landing in the wrong hands, they say; the software could have been hijacked by the attackers during a software update, for instance; or the scenario could be more nefarious.

The WSJ report meanwhile appears to shed light on what ultimately may have led to the US government's recent ban of the Russian security vendor's software. The Trump administration ordered all federal agencies to remove Kaspersky Lab's products and services from their systems, citing concerns of a link between the company and the Russian government, which is already under fire for its role in meddling with the 2016 US presidential election.

The unnamed NSA contractor reportedly moved the data to his home to work after-hours, even though he was aware that removing classified information without approval is against NSA policy and potentially a criminal offense, the report said. The case is under investigation by the federal government. NSA employees and contractors have always been prohibited from using Kaspersky Lab software at work, and the NSA prior to this incident had recommended they not use it at home, either, the report said.

This marks the third case of an NSA contractor exposing or leaking classified information: the first being, of course, Edward Snowden, whose infamous theft and leak to journalists of NSA files in 2013 served as a wakeup call for the insider threat; and the second, the recent arrest of contractor Harold Martin, who had hoarded more than 50 terabytes of NSA documents for 20 years in his home and the trunk of his car.

Whether this latest NSA contractor leak leads directly to the mysterious Shadow Brokers group that since 2016 has been leaking and later offering for sale online a trove of NSA hacking tools and exploits is unclear at this point, but some security experts say this could be the long-awaited link to Shadow Brokers. "It seems to point in that direction," John Bambenek, threat systems manager at Fidelis Cybersecurity, says of today's report.

Meanwhile, just how Kaspersky Lab's AV software fits into the case is unclear from the report. According to the WSJ, the software may have detected some of the NSA files as suspicious code, somehow cluing Russian hackers into the machine full of classified NSA information. The report adds: "But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programmed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding."

Antivirus and other security software routinely upload newly detected, suspicious-looking samples to their vendors' malware databases and other threat-intelligence resources for vetting, so the Russian threat actors may have either intercepted that traffic or spotted it in another intelligence-sharing forum, security experts told Dark Reading. "The reality is they [antivirus programs] all do that," Bambenek says.

He says he's even seen classified documents posted on VirusTotal, the online malware-checking service used by researchers and even victim organizations to crowdsource malware discoveries. Threat-intel sharing is also common practice among security researchers, he says.

"Malware systems that make use of the cloud often send your documents upstream for analysis," explains Gary McGraw, vice president of security technology at Synopsys.

Kaspersky Lab researchers have worked closely with Interpol on cybercrime investigations, and the firm has outed multiple Russian advanced persistent threat actors, or nation-state groups, which confounds security experts analyzing the feds' suspicions of Russian state involvement with Kaspersky Lab.

"I've worked with Kaspersky Lab for a long time, fighting antivirus back in the day, and they've always been stand-up guys who want to fight the good fight against malware actors," says Joe Stewart, formerly the director of malware research at Secureworks and now a security researcher with Cymmetria.

One possible explanation for the NSA contractor's machine compromise, Stewart notes, is a hack of the AV software. "Any time you've got a situation where software running on a machine has an update process, it can be compromised," Stewart says.

Several major AV products, including Kaspersky Lab's, have had security vulnerabilities disclosed by researchers over the past few years.

Fidelis' Bambenek says there's always a chance a mole resides in any security software firm or organization. "That's how espionage is done," he says. He says he has no firsthand knowledge of that being the case at Kaspersky Lab, and the argument of collusion between the firm and the Russian government so far remains "weak tea," he says.

Other security experts see subterfuge. Dan Guido, co-founder and CEO of red-team and security research firm Trail of Bits, said via Twitter: "There are only 2 good answers: Either the Russian gov rides on KAV infrastructure globally or Kaspersky helps them do it one at a time."

Kaspersky Lab denies any wrongdoing and shot down the WSJ report: "Kaspersky Lab has not been provided any evidence substantiating the company's involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company. As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight," the company said in a statement.

"The company actively detects and mitigates malware infections, regardless of the source," and "Kaspersky Lab products adhere to the cybersecurity industry's strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the U.S. and around the world," the company said.

Insider Problems
Bambenek says the NSA contractor moving classified agency data onto his home laptop or computer should never have happened in the first place. "The problem is the NSA is not following its own rules," he says. "Shouldn't there be technical controls controlling [and detecting] when top-secret stuff goes out of the NSA building? This just keeps happening there. I'm more concerned about a spy agency consistently having a problem keeping its secrets."

There's a fine line around what constitutes legitimate and acceptable cyber espionage. Nations spy on other nations: that's a given. And sometimes, security software firms find themselves inadvertently in the crosshairs, experts point out. It's also likely the NSA could be using antivirus software similarly to spy on other nations, they argue.

Even so, the US federal government's ban on Kaspersky Lab products comes amid a backdrop of renewed distrust in the Russian government in the wake of the intelligence community's findings of election-meddling, as well as investigations into possible collusion between the Trump campaign and Russian operatives.

Jim Christy, former director of futures exploration at the federal government's Defense Cyber Crime Center (DC3), notes that the feds are traditionally "risk-averse," so the ban of Kaspersky Lab software should come as no surprise.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jsmwaste
User Rank: Apprentice
10/11/2017 | 1:25:34 PM
Re: Whose fault?
Nice information. Thanks for sharing.
Joe Stanganelli
User Rank: Ninja
10/10/2017 | 4:48:33 PM
Re: Security Corrective Action
@REISEN: To clarify: I 100% agree about the severity of the situation, which absolutely must go into account -- as must the role of the particular employee (big difference, for instance, between, say, an IT worker and a public-relations admin).

At the same time, speaking generally and not necessarily on this particular incident, the severity of the situation has to be taken into account the other way too. Some situations do call for extreme measures, but if every reaction is one of draconian you-know-what-to-the-wall maximum punishment, then you greatly risk decreased self-reporting of highly serious situations involving highly sensitive data. Everything is a balancing act.

More on my take here, including insights from another federal agency that deals with highly sensitive data: enterprisenetworkingplanet.com/netsysm/minimize-shadow-it-damage-by-encouraging-self-reporting.html
LouiseMiller
User Rank: Apprentice
10/10/2017 | 9:11:04 AM
Re: Whose fault?
And they are always here - hackers
REISEN1955
User Rank: Ninja
10/10/2017 | 7:31:02 AM
Re: Security Corrective Action
If the data in question was merely QUARTERLY RESULTS for a public company, I would agree.  But this is NATIONAL SECURITY data!!!  We are on a different scale here.  This material HAS to be classified!!!!!  This is not a powerpoint presentation of the 2017 Kick off meeting at Atlanta.  And what about COMMON SENSE for a contract worker?  Or employee for that matter.  No, we are dealing with national secrets!!!  Different ball game.
Joe Stanganelli
User Rank: Ninja
10/9/2017 | 3:27:43 PM
Re: Security Corrective Action
> I think consequences such as termination, lawsuit, jail can be persuasive.

While I don't disagree with your overall reaction, there are certain problems with immediately going to extreme retributive measures when it comes to this stuff. At the end of the day, it's shadow IT -- and if you unrelentingly flog the peasants every time something like this comes to light, you're going to discourage self-reporting of security incidents for other employees who may be violating IT rules.

Perhaps the employee should be fired, but that shouldn't be the one-size-fits-all insta-solution for every IT violation. Otherwise, you risk not finding out about compromises until it's far too late because employees will fear for their jobs.
Joe Stanganelli
User Rank: Ninja
10/9/2017 | 3:22:22 PM
Re: Whose fault?
> actually an NSA employee, not a contractor.

That's kind of worse, no?

I certainly support work-from-home and telecommuting, but when you're talking about that kind of high-level government work, things need to be vetted for the home office.
REISEN1955
User Rank: Ninja
10/9/2017 | 2:43:27 PM
Re: Security Corrective Action
The virtue of simplicity.  How about NO GOVERNMENT-PRIVATE DATA EVER EVER EVER on a "home" system particularly if you are dealing with SECURITY CLEARANCE ISSUE!!!    I think consequences such as termination, lawsuit, jail can be persuasive.  A home computer IS NOT secure and most government systems sure are not either.  But to add pain to the pudding through a home system exposure is a violation of every sane security law in the book!!!!  RTFM as they used to say ages ago.
rdusek483
User Rank: Apprentice
10/7/2017 | 8:08:48 AM
Security Corrective Action
Internal-External Airgapping needed . . .
Kelly Jackson Higgins
User Rank: Strategist
10/6/2017 | 3:25:39 PM
Re: Whose fault?
Mainframes for the win!
REISEN1955
User Rank: Ninja
10/6/2017 | 3:21:52 PM
Re: Whose fault?
I suppose we may all be thankful that the USA Nuclear command and control seems to be hosted on 1970s vintage mainframe systems of which NOBODY remembers HOW to hack and invade?   Those old System/370 systems, S/34 - 36 and 38 go on forever.