Business Standard

How antivirus software can be turned into a tool for spying

- NICOLE PERLROTH

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There's good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious. By downloading security software, consumers also run the risk that an untrustworthy antivirus maker - or a hacker or spy with a foothold in its systems - could abuse that deep access to track customers' every digital movement.

"In the battle against malicious code, antivirus products are a staple," said Patrick Wardle, chief research officer at Digita Security, a security company. "Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect."

Wardle would know. A former hacker at the National Security Agency, Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents. Wardle's curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an NSA developer, and that those products may have played a critical role in broader Russian intelligence gathering.

"I wanted to know if this was a feasible attack mechanism," Wardle said. "I didn't want to get into the complex accusations. But from a technical point of view, if an antivirus maker wanted to, was coerced to, or was hacked or somehow subverted, could it create a signature to flag classified documents?"

That question has taken on renewed importance over the last three months in the wake of United States officials' accusations that Kaspersky's antivirus software was used for Russian intelligence gathering, an accusation that Kaspersky has rigorously denied.

Last month, Kaspersky Lab sued the Trump administration after a Department of Homeland Security directive banning its software from federal computer networks. Kaspersky claimed in an open letter that "DHS has harmed Kaspersky Lab's reputation and its commercial operations without any evidence of wrongdoing by the company."

For years, intelligence agencies suspected that Kaspersky Lab's security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former National Security Agency contractor, described a top-secret NSA effort in 2008 that concluded that Kaspersky's software collected sensitive information off customers' machines.

The documents showed Kaspersky was not the NSA's only target. Future targets included nearly two dozen other foreign antivirus makers, including Check Point in Israel and Avast in the Czech Republic.

At the NSA, analysts were barred from using Kaspersky antivirus software because of the risk it would give the Kremlin broad access to their machines and data. But excluding NSA headquarters at Fort Meade, Kaspersky still managed to secure contracts with nearly two dozen American government agencies over the last few years.

Last September, the Department of Homeland Security ordered all federal agencies to cease using Kaspersky products because of the threat that Kaspersky's products could "provide access to files."

A month later, The New York Times reported that the Homeland Security directive was based, in large part, on intelligence shared by Israeli intelligence officials who successfully hacked Kaspersky Lab in 2014. They looked on for months as Russian government hackers scanned computers belonging to Kaspersky customers around the world for classified, top-secret American government programs.

In at least one case, United States officials claimed Russian intelligence officials were successful in using Kaspersky's software to pull classified documents off a home computer belonging to Nghia H. Pho, an NSA developer who had installed Kaspersky's antivirus software on his home computer. Pho pleaded guilty last year to bringing home classified documents and writings, and has said he brought the files home only in an attempt to expand his résumé.

Kaspersky Lab initially denied any knowledge of or involvement with the document theft. But the company has since acknowledged finding NSA hacking software on Mr. Pho's computer and removing it, though the company said it had immediately destroyed the documents once it realized they were classified.

The company also said in November that in the course of investigating a surveillance operation known as TeamSpy in 2015, it had tweaked its antivirus program to scan files containing the word "secret." The company said it had done this because the TeamSpy attackers were known to automatically scan for files that included the words "secret," "pass" and "saidumlo," the Georgian translation for the word secret.

PHOTO: REUTERS. Intelligence officials in the United States believe Kaspersky's antivirus software was turned into a tool for spying.
