The Wall Street Journal has reported that Russian hackers were able to steal highly classified secrets disclosing how the U.S. government hacks into foreign networks, how it protects itself against cyber-attacks and what hacking tools it uses.
The information reportedly came from a National Security Agency contractor who had taken the material home. The existence of the information may have been revealed through the contractor’s use of Kaspersky Lab security software.
According to the report the theft happened in 2015, shortly before the hacking group Shadow Brokers began leaking similar information on the internet and before an NSA contractor, Harold Martin, was arrested for taking a massive supply of classified NSA documents home so he could work on them. At this point, there’s no clear link between any of these incidents beyond their timing and the nature of the information that was leaked.
The apparent use of Kaspersky antivirus software may be significant, although it’s not clear what its role was in the data theft. The company has said that it has not, and would never, help any government, including the Russian government, hack into its customers computers.
However, it’s possible that Kaspersky itself was compromised. In addition, when Kaspersky software runs an antivirus check, its aggressive approach to fighting malware includes copying files or portions of files and sending them back to company servers for further analysis.
This copying process may have been exploited by Russian hackers or it may have been security analysts at Kaspersky who alerted Russian security researchers about the existence of the NSA data. This practice and suspected deeper connections to Russian intelligence services were the reason for the Department of Homeland Security banning the use of Kaspersky software throughout the government.
However, DHS has not banned government employees or their families from using Kaspersky products at home and in this case the leak came from a home computer that the NSA files had been stored on and that also contained the Kaspersky software.
There are several important things to know about this incident, assuming it happened as the Wall Street Journal said it did. First, the Kaspersky AV software does not appear to have played a role in the actual exfiltration of the classified data.
Instead what appears to have happened is that the AV software indicated the existence of the NSA secret data, which told the Russian hackers what computer to penetrate and where to look. But the Russian hackers still had to break in to the computer and steal the data.