'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'

Explosive new claims also put a bomb under US-Israeli cooperation

Updated The brouhaha over Russian spies using Kaspersky antivirus to steal NSA exploits from a staffer's home PC took an explosive turn on Tuesday.

Essentially, it is now claimed Israeli spies hacked into Kaspersky's backend systems only to find Russian snoops secretly and silently using the software as a global search engine. Kremlin agents were observed in real-time sweeping computers worldwide for American cyber-weapons, and then extracting any matching files. The Russians, it is claimed, hacked Kaspersky's servers to harvest any suspicious data flagged up by the antivirus that matched known codenames for American software exploits.

In short, Kaspersky's code, installed on millions of computers around the planet, was being used as a global searchable spying tool by the Russian government, it is alleged. It also means US intelligence insiders, by revealing all of this to the New York Times this week, have blown the lid on details of a highly sensitive Israeli operation.

“The role of Israeli intelligence in uncovering [the Kaspersky] breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed,” the NYT reported. For good reason: the disclosure means someone in the US intelligence community is prepared to leak against – and put an abrupt end to – an Israeli operation known to America because Israel trusted its intelligence pals.

As cyber-security expert Matt "Pwn All The Things" Tait put it:

As we noted last week, antivirus packages can pose a huge risk to organizations, not least the NSA, because if a scan of someone's computer yields something that looks like a threat, such as a freshly developed exploit or piece of spyware, it's uploaded to the AV vendor's cloud for analysis.

If an attacker were able to infiltrate those backend systems, with or without cooperation, they would be able to rifle through collected sensitive documents and snatch copies of any samples. In this case, the Russians were apparently hunting for America's exploits to, presumably, wield them against corporations and government agencies in the West and beyond, and shore up their IT defenses to thwart the cyber-weapons.

That remains speculative, of course. Tait again:

The New York Times didn't identify exactly what information was exfiltrated by the Russians, but it claims the Kremlin's access into Kaspersky was maintained for two years. Indeed, in 2015, Kaspersky said it detected sophisticated cyber-espionage code within its corporate network, and publicly wrote about it although did not name Israel as the culprit. Back then, Kaspersky was infected by the Duqu 2.0 spyware, which was related to the American-Israeli-developed Stuxnet malware that got into the Iranian government's nuclear weapons labs in 2010 and knackered its uranium centrifuges.

While digging around inside Kaspersky's systems, the Israeli were looking for the Moscow-based business's research into the NSA and the UK's counterparts, GCHQ. After spotting Kremlin agents, the Israelis tipped off the NSA. And now that's all over the news.

Unsurprisingly, Kaspersky Labs founder Eugene Kaspersky denies the substance of the NYT article:

In the light of the ongoing scandal, it's hardly surprising that security vendors are taking a long, hard look at their code review policies – particularly any code that government agents can examine for exploitable bugs to use remotely against customers.

Symantec was the first to jump, with its CEO Greg Clark telling Reuters this week it will no longer let governments inspect its source code. Clark said: “Saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works’” poses an unacceptable risk to customers. ®

Updated to add

It's now claimed Kaspersky deliberately engineered its software to allow Russian snoops at the FSB to use it as a global search engine.

PS: Kaspersky just opened a research lab in Israel. Awkward!

Narrower topics

Other stories you might like

  • Nothing says 2022 quite like this remote-controlled machine gun drone
    GNOM is small, but packs a mighty 7.62mm punch

    The latest drone headed to Ukraine's front lines isn't getting there by air. This one powers over rough terrain, armed with a 7.62mm tank machine gun.

    The GNOM (pronounced gnome), designed and built by a company called Temerland, based in Zaporizhzhia, won't be going far either. Next week it's scheduled to begin combat trials in its home city, which sits in southeastern Ukraine and has faced periods of rocket attacks and more since the beginning of the war.

    Measuring just under two feet in length, a couple inches less in width (57cm L х 60cm W x 38cm H), and weighing around 110lbs (50kg), GNOM is small like its namesake. It's also designed to operate quietly, with an all-electric motor that drives its 4x4 wheels. This particular model forgoes stealth in favor of a machine gun, but Temerland said it's quiet enough to "conduct covert surveillance using a circular survey camera on a telescopic mast."

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Russia, China warn US its cyber support of Ukraine has consequences
    Countries that accept US infosec help told they could pay a price too

    Russia and China have each warned the United States that the offensive cyber-ops it ran to support Ukraine were acts of aggression that invite reprisal.

    The US has acknowledged it assisted Ukraine to shore up its cyber defences, conducted information operations, and took offensive actions during Russia's illegal invasion.

    While many nations occasionally mention they possess offensive cyber-weapons and won't be afraid to use them, admissions they've been used are rare. US Cyber Command chief General Paul Nakasone's public remarks to that effect were therefore unusual.

    Continue reading
  • IBM finally shutters Russian operations, lays off staff
    Axing workers under 40 must feel like a novel concept for Big Blue

    After freezing operations in Russia earlier this year, IBM has told employees it is ending all work in the country and has begun laying off staff. 

    A letter obtained by Reuters sent by IBM CEO Arvind Krishna to staff cites sanctions as one of the prime reasons for the decision to exit Russia. 

    "As the consequences of the war continue to mount and uncertainty about its long-term ramifications grows, we have now made the decision to carry out an orderly wind-down of IBM's business in Russia," Krishna said. 

    Continue reading

Biting the hand that feeds IT © 1998–2022