The Wall Street Journal has reported that Russian hackers were able to steal highly classified secrets disclosing how the U.S. government hacks into foreign networks, how it protects itself against cyber-attacks and what hacking tools it uses.
The information reportedly came from a National Security Agency contractor who had taken the material home. The existence of the information may have been revealed through the contractor’s use of Kaspersky Lab security software.
According to the report the theft happened in 2015, shortly before the hacking group Shadow Brokers began leaking similar information on the internet and before an NSA contractor, Harold Martin, was arrested for taking a massive supply of classified NSA documents home so he could work on them. At this point, there’s no clear link between any of these incidents beyond their timing and the nature of the information that was leaked.
The apparent use of Kaspersky antivirus software may be significant, although it’s not clear what its role was in the data theft. The company has said that it has not, and would never, help any government, including the Russian government, hack into its customers computers.
However, it’s possible that Kaspersky itself was compromised. In addition, when Kaspersky software runs an antivirus check, its aggressive approach to fighting malware includes copying files or portions of files and sending them back to company servers for further analysis.
This copying process may have been exploited by Russian hackers or it may have been security analysts at Kaspersky who alerted Russian security researchers about the existence of the NSA data. This practice and suspected deeper connections to Russian intelligence services were the reason for the Department of Homeland Security banning the use of Kaspersky software throughout the government.
However, DHS has not banned government employees or their families from using Kaspersky products at home and in this case the leak came from a home computer that the NSA files had been stored on and that also contained the Kaspersky software.
There are several important things to know about this incident, assuming it happened as the Wall Street Journal said it did. First, the Kaspersky AV software does not appear to have played a role in the actual exfiltration of the classified data.
Instead what appears to have happened is that the AV software indicated the existence of the NSA secret data, which told the Russian hackers what computer to penetrate and where to look. But the Russian hackers still had to break in to the computer and steal the data.
There’s no reason to believe that Kaspersky was the only security software being compromised by Russian or other nation-state sponsored hackers. Because of the depths to which security software may go to search for malware, it’s entirely possible that similar software from other companies has also been compromised.
But as worrying as these revelations are, the next question is whether they really affect you. The disturbing answer is that they likely do. Even if you’re not a government agency or even a contractor for one, it’s important to know that state-sponsored hackers will go to astonishing lengths to steal your data they’re very patient. In addition, they can find patterns in seemingly irrelevant data that can help them reach their goal.
That means that if you run a small business, perhaps a dry cleaners or a hardware store, you can also be part of a state-sponsored hacker’s route for attacking its ultimate target. Just because you don’t do business with a government agency doesn’t protect you.
You might handle the dry cleaning and laundry for the spouse of a government employee and a hack of your records can yield financial information such as credit card numbers. It can also provide information on the activities of that spouse that can yield intelligence benefits when combined with other information from elsewhere.
If you do business with the government, then you’re a potential pathway for hacking into that agency and a possible route for exfiltration. Unless your connection to your government customer is secure enough, you could be the weak link that lets the bad guys in.
As you might expect, it can get worse. A breach of your own customer records is a problem that concerns you directly. Whether it’s a breach of convenience while the hackers are going after the next step up the line, your customer records, credit card numbers and have still been compromised. Or it may be that the breach is being used to cover up the larger breach of your government customer.
There are things you can do. One is to keep your customer data divided into different databases, so that no single breach will yield everything. Another is to require higher level of permissions to access certain types of data, such as credit card numbers.
You can also encrypt as much of the data as possible. At the very least, the wide use of properly configured encryption will slow the hackers down enough that they’ll be encouraged to go elsewhere.
And going elsewhere may be the best you can hope for. It’s unlikely that a commercial enterprise can stand forever against the concerted attacks by a state sponsored hacker, but at least you can send them to some other company. That might give you time to get out an alert, and to further lock down your files—and that’s far better than nothing.