Whether or not you believe Kaspersky was an active partner in the recent malicious hack of NSA documents, things aren’t looking good for the security giant.
Kaspersky is in the antivirus business, and business isn’t good these days. The Russian-owned organization is at the center of the massive conspiracy around data theft from the NSA, with multiple unverified reports stating that Kaspersky software is behind the hack that allowed an unspecified number of files to be stolen from a contractor’s PC in 2015. While the investigation is still ongoing, rumors continue to cycle about potential collusion with the Russian government to reveal U.S. secrets — even potentially providing data to foreign state actors attempting to target computers containing sensitive NSA files. While there is a great deal of secrecy and suspense around the topic of Russian hackers, there’s no denying that Kaspersky’s U.S. operations have been negatively impacted by the ongoing reports.
It’s an unfortunate fact that the current challenges that Kaspersky is dealing with all lead back to a single contractor who made a bad decision to take his laptop home — and the lax security procedures that allowed him to access secure files from a remote location. It’s ironic that a massive cybersecurity company with contracts with the government and other multi-national corporations was unable to control the most basic challenge for all organizations: controlling physical access to sensitive information. Companies of all sizes are challenged with finding the right balance between allowing necessary access to data without providing employees with a way to leverage that same information in a way that will be damaging to the organization. Turns out, Kaspersky fell victim to a rogue contractor who just happened to be a Vietnamese national.
Private Contractors: Sensitive Data
With thousands of contractors and private companies making up the backbone of the security infrastructure of the government, the question remains how to adequately contain these types of leaks in the future. Aside from the relative ease of a contractor walking out of a government building with a thumb drive full of sensitive information, the fact remains that there has been a spotlight pointed on contractors since Edward Snowden’s release of internal NSA documents in 2013 to journalists. The shocking exposé severely damaged the intelligence capabilities of the U.S. as well as ruining the trust of millions in the government’s ability to protect sensitive information.
Hacking the NSA
While cybercriminals may look for ways to breach traditional organizations for monetary gain, hacking the NSA often has a more dangerous slant. The NSA actively develops listening and hacking tools themselves, that allows them to perform remote espionage without detection. These tools are critical in the ongoing war on terrorism and they allow operators to pilfer information quietly as well as break down invisible doors. When these tools were released to the broader world, they lost their efficacy which resulted in what some retired NSA officials consider a “devastating” loss of the agency and their ability to monitor the financial infrastructure of terrorist organizations.
Kaspersky’s Role in the Breach
Technically, the antivirus giant’s role in the breach is a little tenuous and involves a fair bit of theory that has yet to be proven. It’s possible that the breach didn’t even occur when the contractor took home their laptop and accessed the files. One version of the story postulates that the hack occurred earlier the same year is what provided the access to the files on the contractor’s laptop. Still, others believe that the incidents are unrelated. The vulnerability in the system was found by leveraging the standard operating procedure of uploading snippets of viruses found on systems, which was then likely identified by Russian actors who followed the trail back to the NSA files. The major outstanding question is how data that was on Kaspersky servers made its way into Russian computer networks. There is still a significant conversation insecurity and government circles around whether any breach was malicious or could simply be attributed to technical carelessness.
Release of Information
While the Wall Street Journal hasn’t gone quite as far as stating that Kaspersky was solely responsible for the NSA leak, the type of information released is important to consider. According to multiple sources, the material included “details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US.” The information, obtained sometime in 2015, is said to have been stolen by hackers sponsored by Russia who targeted the contractor upon review of the contractor’s files. Unfortunately for Kaspersky, the Kaspersky AV software is thought to have been the mechanism by which the files were identified as belonging to an elite NSA group called TAO, or Tailored Access Operations group. The hacked details, along with the details in the recent Vault 7 WikiLeaks release, render many U.S. government hacking and anti-spyware tools useless or reduce their efficacy overall.
Russian Proxy or Innocent Victim?
The jury is still out on whether Kaspersky is a Russian proxy via the Wall Street Journal narrative, or simply an organization stung by weak security procedures in regards to contractors. The organization’s nationality as Russian and the recent furor around Russian interference in the election have made for great media coverage of a story that may have been buried in quieter times. It doesn’t help that Eugene Kaspersky, the fiery CEO of the organization, received training from the Russian government from an early age. As the U.S. government continues to draw back from utilizing Kaspersky tools, and corporate partners such as Best Buy and others retreat and remove products from sale, it may be that the answer doesn’t matter. The recent move by the Department of Homeland Security to direct all government organizations to stop using Kaspersky services and products doesn’t bode well for their future. However, there is still no hard evidence to be found and a lot of anonymous sources.
What has Kaspersky learned from this ordeal? Hopefully, the lesson includes the importance of maintaining the strict security of physical devices — especially when it comes to the laptops of their myriad contractors. Need help creating your own organization’s cybersecurity manual and putting processes in place to ensure enforcement?