WHEN THE RUSSIAN security firm Kaspersky Lab disclosed recently that it had been hacked, it noted that the attackers, believed to be from Israel, had been in its network since sometime last year.
The company also said the attackers seemed intent on studying its antivirus software to find ways to subvert the software on customer machines and avoid detection.
Now newly published documents released by Edward Snowden show that the NSA and its British counterpart, GCHQ, were years ahead of Israel and had engaged in a systematic campaign to target not only Kaspersky software but the software of other antivirus and security firms as far back as 2008.
The documents, published today by The Intercept, don’t describe actual computer breaches against the security firms, but instead depict a systematic campaign to reverse-engineer their software in order to uncover vulnerabilities that could help the spy agencies subvert it. The British spy agency regarded the Kaspersky software in particular as a hindrance to its hacking operations and sought a way to neutralize it.
“Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [Computer Network Exploitation] capability,” reads one of the documents, “and SRE [software reverse-engineering] is essential in order to be able to exploit such software and to prevent detection of our activities.”
An NSA slide describing “Project CAMBERDADA” lists at least 23 antivirus and security firms that were in that spy agency’s sights. They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic, and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.
But antivirus wasn’t the only target of the two spy agencies. They also turned their reverse-engineering skills against CheckPoint, an Israeli maker of firewall software, as well as commercial encryption programs and software underpinning the online bulletin boards of numerous companies. GCHQ, for example, reverse-engineered both the CrypticDisk program made by Exlade and the eDataSecurity system from Acer. The spy agency also targeted web forum systems like vBulletin and Invision Power Board—used by Sony Pictures, Electronic Arts, NBC Universal and others—as well as CPanel, software used by GoDaddy for configuring its servers, and PostfixAdmin, for managing the Postfix email server software. But that’s not all. GCHQ reverse-engineered Cisco routers, too, which allowed the agency’s spies to access “almost any user of the internet” inside Pakistan and “to re-route selective traffic” straight into the mouth of GCHQ’s collection systems.
To obtain legal cover for all this activity, GCHQ sought and obtained warrants granting permission to reverse-engineer the software. The warrants, issued by the UK Foreign Secretary under Section 5 of the UK’s Intelligence Services Act 1994, gave the spy agency permission to modify commercially available software to “enable intercept, decryption and other related tasks.” One of the warrants, used to reverse-engineer Kaspersky software, was valid for six months from July 7, 2008 to January 7, 2009, after which the agency sought to renew it.
Without a warrant, the agency feared it would be in breach of Kaspersky’s customer licensing agreement or violate its copyright. Software makers often embed protection mechanisms in their programs to thwart reverse-engineering and copying of their programs and include language in their licensing agreements prohibiting such activity.
“Reverse engineering of commercial products needs to be warranted in order to be lawful,” one GCHQ agency memo noted. “There is a risk that in the unlikely event of a challenge by the copyright owner or licensor, the courts would, in the absence of a legal authorisation, hold that such activity was unlawful[…]”
But, according to The Intercept, the warrant itself was on shaky legal ground, since Section 5 of the Intelligence Services Act references interference with property and “wireless telegraphy” by intelligence agencies but does not mention intellectual property. Its use to authorize copyright infringement is novel, to say the least.
Earlier this month, Kaspersky disclosed that it had been hacked last year by members of the infamous Stuxnet and Duqu gangs. The intruders remained entrenched in the security firm’s networks for months siphoning intelligence about nation-state attacks the company is investigating and studying how Kaspersky’s detection software works so they could devise ways to subvert it on customer machines. Kaspersky claims to have more than 400 million users worldwide.
The attackers were also interested in the Kaspersky Security Network (KSN), an opt-in system that gathers data from customer machines about new threats infecting them. Any time Kaspersky’s antivirus and other security software detects a new infection on the machine of a customer who has opted in to the program, or encounters a suspicious file, data gets sent automatically to Kaspersky’s servers so the company’s algorithms and analysts can study and track emerging and existing threats. The company uses KSN to create maps outlining the geographical reach of various threats, and the network is an important tool for tracking nation-state attacks from agencies like the NSA and GCHQ.
The newly published NSA documents describe a different method for gaining intelligence about Kaspersky and its customers. The spy agencies apparently monitored email traffic coming to Kaspersky and other antivirus companies from their customers in order to uncover reports about new malware attacks. The spy agencies would then examine the malware sent by these customers and determine whether it was of use to them. A 2010 presentation indicates that the NSA’s signals intelligence would pick out for analysis about ten new “potentially malicious files per day” out of the hundreds of thousands that came into Kaspersky’s network each day. NSA analysts would then check the malicious files against Kaspersky’s antivirus software to make sure they weren’t being detected by the software yet; the NSA’s hackers would then “repurpose the malware” for their own use, checking periodically to determine when Kaspersky had added detection for the malware to its anti-virus software.