Israelis caught Russian hackers

The Phnom Penh Post - FRONT PAGE - Nicole Perlroth and Scott Shane

IT WAS a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of US intelligence programmes.

What gave the Russian hacking, detected over two years ago, such global reach was its improvised search tool – anti-virus software made by a Russian company, Kaspersky Lab, that is used by 400 million people worldwide, including by officials at some two dozen US government agencies.

The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional US secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.

Like most security software, Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses. Its popular anti-virus software scans for signatures of malicious software, or malware, then removes or neuters it before sending a report back to Kaspersky. That procedure, routine for such software, provided a perfect tool for Russian intelligence to exploit to survey the contents of computers and retrieve whatever they found of interest.

The NSA and the White House declined to comment for this article. The Israeli Embassy declined to comment, and the Russian Embassy did not respond to requests for comment.

The Wall Street Journal reported last week that Russian hackers had stolen classified NSA materials from a contractor using the Kaspersky software on his home computer. But the role of Israeli intelligence in uncovering that breach and the Russian hackers’ use of Kaspersky software in the broader search for US secrets have not previously been disclosed.

Kaspersky Lab denied any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement on Tuesday. Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity”.

The Kaspersky-related breach is only the latest bad news for the security of American intelligence secrets. It does not appear to be related to a devastating leak of NSA hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online. Nor is it evidently connected to a parallel leak of hacking data from the CIA to WikiLeaks, which has posted classified CIA documents regularly under the name Vault7.

For years, there has been speculation that Kaspersky’s anti-virus software might provide a backdoor for Russian intelligence. Over 60 percent, or $374 million, of the company’s $633 million in annual sales come from customers in the US and Western Europe. Among them have been nearly two dozen US government agencies – including the State Department, the Department of Defense, Department of Energy, Justice Department, Treasury Department and the Army, Navy and Air Force.

The NSA bans its analysts from using Kaspersky anti-virus at the agency, in large part because the agency has exploited anti-virus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

“Anti-virus is the ultimate backdoor,” Blake Darché, a former NSA operator and co-founder of Area 1 Security, said. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

Kaspersky Lab did not discover the Israeli intrusion into its systems until mid-2015, when a Kaspersky engineer testing a new detection tool noticed unusual activity in the company’s network. The company investigated and detailed its findings in June 2015 in a public report.

The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu”, which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint US-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010.

Kaspersky reported that its attackers had used the same algorithm and some of the same code as Duqu, but noted that in many ways it was even more sophisticated. So the company researchers named the new attack Duqu 2.0, noting that other victims of the attack were prime Israeli targets.

Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the UN Security Council to negotiate the terms of the Iran nuclear deal – negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint US-Israeli operation like Stuxnet.

Kaspersky’s researchers noted that attackers had managed to burrow deep into the company’s computers and evade detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky’s systems, employing sophisticated tools to steal passwords, take screenshots, and vacuum up emails and documents.

It is not clear whether, or to what degree, Eugene Kaspersky, the founder of Kaspersky Lab, and other company employees have been complicit in the hacking using their products. Technical experts say that at least in theory, Russian intelligence hackers could have exploited Kaspersky’s worldwide deployment of software and sensors without the company’s cooperation or knowledge. Another possibility is that Russian intelligence officers might have infiltrated the company without the knowledge of its executives.

But experts on Russia say that under President Vladimir Putin, a former KGB officer, businesses asked for assistance by Russian spy agencies may feel they have no choice but to give it. To refuse might well invite hostile action from the government against the business or its leaders. Kaspersky, who attended an intelligence institute and served in Russia’s Ministry of Defence, would have few illusions about the cost of refusing a Kremlin request.

Steven Hall, a former chief of Russian operations at the CIA, said his former agency never used Kaspersky software, but other federal agencies did. By 2013, he said, Kaspersky officials were “trying to do damage control and convince the US government that it was just another security company”.

He didn’t buy it, Hall said. “I had the gravest concerns about Kaspersky, and anyone who worked on Russia or in counterintelligence shared those concerns,” he said.


Photo caption: An employee typing on a computer keyboard at the headquarters of internet security giant Kaspersky in Moscow on October 17, 2016.
