The Phnom Penh Post

Israelis caught Russian hackers

- Nicole Perlroth and Scott Shane

IT WAS a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of US intelligence programmes.

What gave the Russian hacking, detected over two years ago, such global reach was its improvised search tool – anti-virus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen US government agencies.

The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional US secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.

Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses. Its popular anti-virus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest.

The NSA and the White House declined to comment for this article. The Israeli Embassy declined to comment, and the Russian Embassy did not respond to requests for comment.

The Wall Street Journal reported last week that Russian hackers had stolen classified NSA materials from a contractor using the Kaspersky software on his home computer. But the role of Israeli intelligence in uncovering that breach and the Russian hackers’ use of Kaspersky software in the broader search for US secrets have not previously been disclosed.

Kaspersky Lab denied any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement on Tuesday. Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity”.

The Kaspersky-related breach is only the latest bad news for the security of American intelligence secrets. It does not appear to be related to a devastating leak of NSA hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online. Nor is it evidently connected to a parallel leak of hacking data from the CIA to WikiLeaks, which has posted classified CIA documents regularly under the name Vault7.

For years, there has been speculation that Kaspersky’s anti-virus software might provide a backdoor for Russian intelligence. Over 60 percent, or $374 million, of the company’s $633 million in annual sales come from customers in the US and Western Europe. Among them have been nearly two dozen US government agencies – including the State Department, the Department of Defense, Department of Energy, Justice Department, Treasury Department and the Army, Navy and Air Force.

The NSA bans its analysts from using Kaspersky anti-virus at the agency, in large part because the agency has exploited anti-virus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

“Anti-virus is the ultimate backdoor,” Blake Darché, a former NSA operator and co-founder of Area 1 Security, said. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

Kaspersky Lab did not discover the Israeli intrusion into its systems until mid-2015, when a Kaspersky engineer testing a new detection tool noticed unusual activity in the company’s network. The company investigated and detailed its findings in June 2015 in a public report.

The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu”, which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint US-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010.

Kaspersky reported that its attackers had used the same algorithm and some of the same code as Duqu, but noted that in many ways it was even more sophisticated. So the company researchers named the new attack Duqu 2.0, noting that other victims of the attack were prime Israeli targets.

Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the UN Security Council to negotiate the terms of the Iran nuclear deal – negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint US-Israeli operation like Stuxnet.

Kaspersky’s researchers noted that attackers had managed to burrow deep into the company’s computers and evade detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky’s systems, employing sophisticated tools to steal passwords, take screenshots, and vacuum up emails and documents.

It is not clear whether, or to what degree, Eugene Kaspersky, the founder of Kaspersky Lab, and other company employees have been complicit in the hacking using their products. Technical experts say that at least in theory, Russian intelligence hackers could have exploited Kaspersky’s worldwide deployment of software and sensors without the company’s cooperation or knowledge. Another possibility is that Russian intelligence officers might have infiltrated the company without the knowledge of its executives.

But experts on Russia say that under President Vladimir Putin, a former KGB officer, businesses asked for assistance by Russian spy agencies may feel they have no choice but to give it. To refuse might well invite hostile action from the government against the business or its leaders. Kaspersky, who attended an intelligence institute and served in Russia’s Ministry of Defence, would have few illusions about the cost of refusing a Kremlin request.

Steven Hall, a former chief of Russian operations at the CIA, said his former agency never used Kaspersky software, but other federal agencies did. By 2013, he said, Kaspersky officials were “trying to do damage control and convince the US government that it was just another security company”.

He didn’t buy it, Hall said. “I had the gravest concerns about Kaspersky, and anyone who worked on Russia or in counterintelligence shared those concerns,” he said.

Photo caption (KIRILL KUDRYAVTSEV/AFP): An employee typing on a computer keyboard at the headquarters of internet security giant Kaspersky in Moscow on October 17, 2016.
