Russian hackers exploited antivirus software
U.S. cyber capabilities stolen from NSA employee’s home computer
Russian government hackers lifted details of U.S. cyber capabilities from a National Security Agency employee who was running Russian antivirus software on his computer, according to several individuals familiar with the matter.
The employee had taken classified material home to work on his computer, and his use of Kaspersky Lab antivirus software enabled Russian hackers to see his files, the individuals said. The case, which dates to 2015 and has not been made public, remains under investigation by federal prosecutors.
The NSA declined to comment on the breach, which was first reported by the Wall Street Journal.
The employee involved was a Vietnamese national who had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.
The theft of the material enabled the Russian government to more easily detect and evade U.S. government cyberespionage operations, thwart defensive measures and track U.S. activities, the individuals said. It is the latest in a series of damaging breaches of the NSA in recent years and is among the first concrete indications of why the U.S. intelligence community believes that Kaspersky Lab software operates as a tool for Russian espionage.
The breach "serves as a stark warning - not just to the federal government, but to states, local governments and the American public - of the serious dangers of using Kaspersky software," said Sen. Jeanne Shaheen, D-N.H., a vocal critic of Kaspersky who has pushed for the software's ban in federal networks.
The material the employee took included hacking tools he was helping to develop to replace others that were considered compromised following the breach of NSA material by former contractor Edward Snowden, said one individual familiar with the matter.
The Washington Post reported in November that the employee was removed in 2015.
The incident underscores the risks of using products as seemingly innocuous as antivirus software, which can be exploited for national security purposes.
Notably, the breach did not involve former NSA contractor Harold Martin, who was arrested last year after carrying out what is said to be the largest theft of classified information in U.S. history, the individuals said. Martin pleaded not guilty this year to violating the Espionage Act and is awaiting trial.
The intelligence community has long assessed that Kaspersky has ties to the Russian government. A Russian law requires telecommunications companies in the country to provide access to their networks. Kaspersky servers are located in Moscow, which means that customer data flowing through their servers passes through those same telecom providers’ networks, a person familiar with the matter told The Post.
Kaspersky Lab said in a statement it “does not have inappropriate ties to the Russian government.”