Since May 2017 certain U.S. circles openly campaign against security products provided by the Russian company Kaspersky Labs. Three recent stories claim involvement of the software in rather fantastic "Russian hackers" stories. It is renewed attack after a silent spy campaign in 2015 against Kaspersky had failed. The current stories seem inconsistent, lack logic and evidence.
If one believes all the now made claims then Israel hacked Kaspersky, which was hacking an NSA employee who had stolen NSA hacks, while being hacked by Russia which was hacked by the NSA, while the NSA was warned by Israel about Russian hacks. Makes sense?
The Russian company Kaspersky Lab makes and sells the probably best anti-virus protection software available. All anti-virus software packages need full access to the system they run on. It is the only way to assure that the packages themselves are not compromised by some super-virus. Anti-virus packages upload malware they find for further analysis. They also update themselves through a secure internet connection. This enables the product to detect new viruses soon after they have been discovered in the wild. Both of the characteristics, full system access and online-update, make these tools inherently dangerous. They can be abused either by their producer or by someone who infiltrates the producers systems.
Computer geeks call such products "snake-oil" as they promise a grade of security that can not be guaranteed, even while they themselves constitute a significant security risk. One either must trust such anti-virus packages or not use them at all.
Since May 2017 Congress made noise about banning Kaspersky products from the U.S. Defense Department and other government entities. In September the Department of Homeland Security order all federal agencies to remove Kaspersky software from their system. Kaspersky Lab makes some 60% of its total revenues in the United States. The DHS order and the resulting press reports will do very serious damage to its business. It will help to sell competing U.S. products.
Eugene Kaspersky, the owner of the company, has offered to provide the source code of the products for review by U.S. government specialists. He also offered to testify before Congress. Both to no avail.
There is fear mongering, without any evidence, that Kaspersky may cooperate with the Russian government. Similar accusations could be made about any anti-virus product. U.S. and British spies systematically target all anti-virus products and companies:
The British spy agency regarded the Kaspersky software in particular as a hindrance to its hacking operations and sought a way to neutralize it.
An NSA slide describing "Project CAMBERDADA" lists at least 23 antivirus and security firms that were in that spy agency's sights. They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic. and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.
That the NSA and the British GCHQ did not list U.S. and British made anti-virus products on their "to do" list lets one assume that these packages can already be controlled by them.
In February 2015 Kaspersky announced that it found U.S. and UK government spying and sabotage software infecting computers in some 42 countries. It released a detailed reportabout the "Equation group", its name for NSA and GCHQ spy tools. In June 2015 Kaspersky Lab detected a breach in its own systems by an Israeli government malware. It published an extensive autopsy of the breach and the malware programs used in it. Meanwhile the NSA attacked Kaspersky products and customers:
The NSA has also studied Kaspersky Lab's software for weaknesses, obtaining sensitive customer information by monitoring communications between the software and Kaspersky servers, according to a draft top-secret report. The U.S. spy agency also appears to have examined emails inbound to security software companies flagging new viruses and vulnerabilities.
Later that year the CIA and FBI even tried to recruit Kaspersky employees but were warned off.
That the U.S. government now attempts to damage Kaspersky is likely a sign that Kaspersky Lab and its products continue to be a hard-target which the NSA and GCHQ find difficult to breach.
To justify the public campaign against Kaspersky, which began in May, U.S. officials recently started to provide a series of cover stories. A diligent reading of these stories reveals inconsistencies and a lack of logic.
On October 5 the Wall Street Journal reported: Russian Hackers Stole NSA Data on U.S. Cyber Defense:
Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.
The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.
A NSA employee copied code of top-secret NSA spy tools and put it on his private computer. ("It's just that he was trying to complete the mission, and he needed the tools to do it." said 'one person familiar with the case' to WaPo.)
The Kaspersky anti-virus software, which the NSA employee had installed, identified parts of these tools as malware and uploaded them for analysis to the Kapersky's central detection database. The Kaspersky software behaved exactly as it should. Any other anti-virus software behaves similar if it detects a possibly new virus.
The "multiple people with knowledge of the matter" talking to the WSJ seem to allege that this was a "Russian hacker" breach of NSA code. But nothing was hacked. If the story is correct, the Kaspersky tool was legally installed and worked as it should. The only person in the tale who did something illegal was the NSA employee. His case demonstrates that the NSA continues to have a massive insider security problem. There is no hint in the story to any evidence for its core claim of "Russian hackers".
Eugene Kaspersky himself strongly denies any cooperation with Russian government entities as well as any involvement with any NSA employee leak. The German government found no evidence that Kaspersky is spying for Russia. Its federal data security office (BSI) trashes the U.S. reports:
"The BSI has no indications at this time that the process occurred as described in the media."
Further down the WSJ story says:
The incident occurred in 2015 but wasn't discovered until spring of last year, said the people familiar with the matter."
The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.
If the last sentence is true the employee must have had top access to multiple NSA programs.
A new story in the New York Times today builds on the WSJ tale above. It makes the claims therein even more suspicious. The headline - How Israel Caught Russian Hackers Scouring the World for U.S. Secrets:
It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.
What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool - antivirus software made by a Russian company, Kaspersky Lab, ...
The Israeli officials who had hacked into Kaspersky's own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.
The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer.
The Washington Post version of the story is remarkable different. Unlike the NYT it does not claim any Russian government involvement in Kaspersky systems:
In 2015, Israeli government hackers saw something suspicious in the computers of a Moscow-based cybersecurity firm: hacking tools that could only have come from the National Security Agency.
Israel notified the NSA, where alarmed officials immediately began a hunt for the breach, according to people familiar with the matter, who said an investigation by the agencyrevealed that the tools were in the possession of the Russian government.
Israeli spies had found the hacking material on the network of Kaspersky Lab ...
While the NYT asserts that the Russian government had access to the Kaspersky systems, the Washington Post does not assert that at all.
The NYT claims that the Israelis alerted the NSA of Russian government knowledge of its tools while WaPo says that it was the NSA itself that found this out. That Israel alerts the NSA when it has its hands on a valuable source that reveals NSA tools is not believable. There is no love lost between Israeli and U.S. spy agencies. They spy on each other whenever they can with even deadly consequences.
The NYT story is based on "current and former government officials", not on the usual "U.S.officials". It might well be that Israeli spies are spinning the NYT tale.
We already knew that the Israeli government had in 2015 breached some Kaspersky systems. Kaspersky Lab itself alarmed the public about it and provided an extensive forensic report.
There are several important questions that the above quote stories do not ask:
If the Israelis detected NSA malware in the hand of the Russian government "more than two years ago" (NYT) how come that the NSA hole was only found in 2016 (WSJ)? Did the Israelis use their claimed knowledge for a year without alarming their "allies" at the NSA? Why?
And why would the detection of alleged Russian government intrusion into Kaspersky products lead to a ban of these products only in fall 2017?
If the story were true the NSA should have reacted immediately. All Kaspersky products should have been banned from U.S. government systems as soon as the problem was known. The NSA allowed the Russian government, for more than a year, to sniff through all systems of the more than two dozen American government agencies (including the military) which use the Kaspersky products? That does not make sense.
These recently provided stories stink. There is no evidence provided for the assertions therein. They make the false claim that the NSA employees computer was "hacked". Their timelines make no sense. If not complete fantasies they are likely to be heavily spun to achieve a specific goal: to justify the banning of Kaspersky products from U.S. markets.
I regard these stories as part of "blame Russia" campaign which is used by the military-industrial complex to justify new defense spending. They may also be useful in removing a good security product, which the NSA failed to breach, from the "western" markets.
Posted by b on October 11, 2017