Newly published documents from the National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ), leaked by former NSA contractor Edward Snowden, reveal that the agencies targeted antivirus software developers in an attempt to evade their detection algorithms, so that the agencies could exploit their targets without being detected. Top targets included Russia-based antivirus firm Kaspersky Labs.
Kaspersky Labs, which just came under attack from an updated version of the Duqu malware (possibly originating from Israel), is now learning that its networks were targeted by both the NSA and GCHQ, which sought to reverse-engineer its antivirus software and steal information found throughout its networks for intelligence purposes.
Kaspersky Labs was not the only target of the two agencies, but it was among the companies mentioned most prominently, as reported by Firstlook’s The Intercept. Documents obtained by Snowden show GCHQ officials naming Kaspersky directly in a warrant extension request, made in June 2008, “in respect of activities which involve the modification of commercial software”. The request asked for authorization to reverse engineer Kaspersky’s and other companies’ software products and exploit them for intelligence benefits. The agencies have had this warrant in place since January of 2008.
“Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [computer network exploitation] capability and SRE [software reverse engineering] is essential in order to be able to exploit such software and to prevent detection of our activities,” a GCHQ official wrote in the warrant application. “Examination of Kaspersky and other such products continues.”
The officials’ request mentioned Kaspersky by name, as well as total network access over Pakistan’s Internet infrastructure.
In an NSA presentation slide from a 2012 operation dubbed “Project Camberdada”, found among the obtained documents, an NSA analyst outlined how the agency had intercepted e-mails from Kaspersky Lab containing malware samples. Analysts used the intercepted samples both to configure proper defenses against the malware and to build on the samples for espionage.
Project Camberdada detailed how the NSA tapped into the flow of malware samples to Kaspersky through “signals intelligence collection” in 2009, likely via XKeyscore, another NSA program aimed at collecting worldwide Internet traffic, which allowed the NSA to collect about 10 “potentially malicious files” per day. By the time the NSA delivered the presentation, the system had already caught 500 potentially malicious files, and 50 new malware signatures had been added to the Department of Defense’s intrusion detection system.
The presentation also detailed how a stolen malware sample had been successfully repurposed by the Tailored Access Office at the NSA to attack targeted systems. Intelligence agencies could then “check Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product” and “monitor the folks who provide the malware to see if they’re into more nefarious activity.” Both agencies targeted a variety of non-US-based antivirus companies, including Checkpoint, F-prot, F-secure and Bit Defender. However, the scope of targets could be far larger, as the list contained only a limited number of names.
“As noted during the recent Duqu 2.0 nation-state sponsored attack, we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries and are actively working to subvert security software that is designed to keep us all safe,” a Kaspersky spokesperson told Ars. “We are closely reviewing and investigating the information disclosed today in order to assess the potential level of risk it may pose to our infrastructure and how to effectively mitigate it. Once again, we would like to stress the need for security companies to work together as a community and fight for user privacy, the right to privacy on the Internet, thwart mass surveillance and make the world a safer place.”