This story is complex. That’s why, in this post, I will attempt to make it as simple as possible, but it will still be complex. The goal here is not to delineate the technical details of the specific malware involved. Instead, this will be the story behind the malware and its use. The aim will be to determine the extent, if any, of Kaspersky’s implication in hacking the NSA. I will stay as close to the facts as possible and let them speak for themselves.
This story, as is true of so many cybersecurity stories involving nation-states, begins with the development of the Stuxnet malware. This malware set new standards by, among other things, attacking physical machinery that was not connected to the internet. It specifically changed the operating parameters on Iran’s nuclear centrifuges, making them spin out of control until they destroyed themselves.
The important point of this story is that this malware was jointly developed by the U.S. and Israel. This meant that both countries had control over this malware if they needed to modify it for future uses. Unfortunately, those attacked by malware often end up with an understanding of the code behind it. Stuxnet was no exception. As the documentary about Stuxnet, Zero Days, claims, “ironically, the secret formula for writing the code for the virus software fell into the hands of Russia and Iran – the country against which it was developed.” Thus, by at least 2013, four countries controlled the code for this powerful malware.
In 2014, Israel used a Stuxnet variant, named Duqu 2.0, to spy on the ongoing nuclear talks between the P5+1 nations (the U.S., U.K., France, China, Russia, and Germany) and Iran. Oddly, Israel was not invited to participate even though it had the most to lose. After all, Iran had previously vowed to wipe Israel off the face of the earth. The Duqu 2.0 spyware was used to infiltrate three luxury hotels that were sponsoring the talks. Once installed, the malware took control of the hotels’ networks and was able to obtain information on any device connected to them. The attackers could also listen in on conversations and on the actual negotiations themselves. The malware was so good at hiding that it was only discovered by Kaspersky in mid-2015 or, coincidentally (?), at approximately the same time that the nuclear deal was reached with Iran.
In fact, Kaspersky wouldn’t have known about the P5+1 attacks at all had it not been attacked by the Duqu 2.0 malware itself. Costin Raiu, director of the global research and analysis team at Kaspersky, said the attackers first targeted a Kaspersky employee in an office in the Asia-Pacific region, likely through an email that contained an attachment in which the virus was hidden. By opening the attachment, the employee inadvertently allowed the virus to infect his computer and, subsequently, the entire Kaspersky network.
But why would Israel make such an effort to target an antivirus firm like Kaspersky? Apparently, Israel wanted information on what Kaspersky had named the Equation Group. Kaspersky had been tracking the actions of this hacking group for some time and, although Kaspersky did not state it directly, it became common knowledge in the cyber espionage community that the Equation Group was, in fact, the U.S. National Security Agency (NSA).
The Equation Group had been targeting Iran and other Middle East countries. The information from such attacks would be of particular interest to Israel. Learning how these attacks took place and getting access to these NSA tools could be very useful. At the time, US-Israeli relations were at an all-time low, and the Israeli government couldn’t depend on getting updated information on Iran from U.S. intelligence. Such information was crucial to Israel because the U.S. and the other P5+1 partners were on the verge of signing a nuclear agreement with Iran. So, why not hack into a firm that probably had this information and possibly some NSA hacking tools as well: Kaspersky.
The U.S., however, was spying on Israel and learned that, somehow, Israel had managed to get key documents concerning the upcoming Iran agreement. Alarmed by this finding, they warned Benjamin Netanyahu not to give details of the Iran agreement when he spoke to Congress in March of 2015. Netanyahu only partially complied. He did not give details but said, “This is a bad deal — a very bad deal. We’re better off without it.”
Meanwhile, Kaspersky was beginning to learn that someone, probably Israel, had hacked into its network. Interestingly, Israel’s Duqu 2.0 malware targeted Kaspersky’s antivirus programs and used them to infiltrate any network running them. In other words, the notion of using antivirus software as an information-gathering agent was first used in 2014. This is the same vector that Kaspersky is accused of using against one of the employees of the NSA in 2015. (This particular attack, according to the Wall Street Journal story, was only identified in the spring of 2016.)
Probably realizing that they would be discovered by Kaspersky (or having already gotten everything they needed), Israel contacted the U.S. and informed them that, while they were inside the Kaspersky network, they had found evidence of Russian operatives lurking there. They claimed that the Russian government was using Kaspersky software, such as its antivirus software, to gather information on U.S. intelligence. Was this a ruse? Was Israel the actual agent behind these attacks, trying to shift the focus to Kaspersky and Russia? This is still an open question. In any event, when the U.S. intelligence community learned about this, it set up honeypots to lure in any attacks that used Kaspersky software. These were probably set up before Kaspersky realized it had been attacked by Israel’s Duqu 2.0.
In its most recent defense of itself, Kaspersky claims, in a re-analysis of events at the time of the purported attack, that the last Kaspersky antivirus scan that found NSA-related malware/software on the NSA employee’s computer occurred in November 2014. Kaspersky claims that it deleted the file when it realized it was part of the NSA’s software collection, and that no other files from the NSA have been collected since, inadvertently or not. It does claim, however, that it began discovering those aforementioned honeypots after February 2015. Did Kaspersky suspect that these honeypots were set up to catch it? It claims these honeypots were “loaded with various Equation-related samples” that it did not take.
That last claim seems unlikely considering the interest that Kaspersky had always had in the Equation Group. This is exemplified by the publication of Kaspersky’s report on the Equation Group in February 2015. Knowing the group’s products as well as it did, it is possible that Kaspersky recognized the honeypot files as fakes and ignored them. More likely, though, considering subsequent events, is that the NSA found that Kaspersky was, indeed, interested in these files and actually took some of them. Otherwise, why would the NSA begin spreading the word that Kaspersky was not to be trusted? The subsequent discovery of the victimized NSA employee one year later, and the connection of the theft of NSA files from his computer to Kaspersky software, simply sealed the deal in the minds of those in the NSA.
Throughout 2016, the U.S. intelligence community stepped up its focus on Russian meddling in the U.S. election. It is quite possible that Kaspersky, a Russian-based company, got caught up in this fervor and attracted more suspicion than it normally would have. In any event, by February of this year (2017), Kaspersky had become a real suspect. The U.S. intelligence community began publicly expressing serious doubts about Kaspersky software, according to secret documents prepared by the Department of Homeland Security (DHS). The release of information about this document began an avalanche of bad news that eventually buried Kaspersky.
In early May, the U.S. intelligence community told a Congressional committee that it was considering banning all Kaspersky software in use on government networks. Company founder Eugene Kaspersky countered with an offer to appear in person before the committee to answer any questions. His argument at the time was, “I’m very sorry these gentlemen can’t use the best software on the market because of political reasons.” In other words, he blamed the current anti-Russian sentiment for his company’s demise.
In June, the FBI interviewed a dozen Kaspersky employees in the U.S. In July, Bloomberg reported it had obtained emails proving that Kaspersky was working more closely with the Russian government than it had let on. So, with the walls closing in, Eugene Kaspersky made a surprising offer. He would share the company’s source code with U.S. intelligence agencies. “Anything I can do to prove that we don’t behave maliciously I will do it,” he said. In addition, in late July, Kaspersky began giving away free versions of its antivirus software.
But it was too little, too late and, on September 13, the ax fell. The Department of Homeland Security ordered all federal executive branch agencies using Kaspersky software (approximately 22) to stop using Kaspersky products. They gave these agencies 90 days to remove the software. Although Kaspersky tried to downplay the importance of this decision, it was, in fact, a serious, perhaps even mortal, blow.
Kaspersky’s Defense Scenarios
“Ask yourself one thing: If these recent allegations are true, where’s the evidence? If there was any evidence that we’ve been knowingly involved in cyber-espionage, we’d be toast! No ifs or buts – it’d be game over.” – Eugene Kaspersky
As I see it, there are three main scenarios that can explain the Kaspersky demise.
Scenario 1: Israel never found Russian operatives in the Kaspersky network. It used this claim as a cover while using Kaspersky’s antivirus software to gather information on the NSA itself. After all, according to the Kaspersky report on Duqu 2.0, the malware specifically sought out Kaspersky’s antivirus in order to exploit it. Israel told the NSA that Russia was in the Kaspersky network to take the spotlight off itself. Since the U.S. intelligence agencies were already looking for Russian meddling, they readily accepted Israel’s information. Kaspersky was collateral damage.
For Kaspersky, the bad part of this scenario is that it failed to discover what Israel was up to for over a year. This does not help its reputation as a cybersecurity firm.
Scenario 2: The Russian government infiltrated Kaspersky’s network and gained access to any Equation Group files it had stored. It also made use of Kaspersky’s products to steal information from U.S. intelligence agencies. Kaspersky had no knowledge of this.
Again, this does not make Kaspersky look good. It would mean that two attackers had gained access to its network without its knowledge. In its most recent defense, Kaspersky said it found no other network intrusions after it found Duqu 2.0. However, this could mean that the Russian government, possibly realizing it had been discovered by Israel, activated a kill switch that removed every trace of its attack from Kaspersky’s network.
Scenario 3: Kaspersky worked with the Russian government to infiltrate the NSA network and steal files and programs. A case could be made that the Russian government could threaten to close down Kaspersky if it didn’t comply with its demands.
Clearly, this would be the worst-case scenario for Kaspersky. However, it wouldn’t make sense for the Russian government to continue stealing files from honeypots even after Kaspersky had discovered that the files in these honeypots were fake. If they were working together, Kaspersky would have warned the Russian government to avoid touching these fake files. Yet, as I mentioned above, it seems the honeypots identified Kaspersky as a threat.
It may be too late for Kaspersky to salvage anything from this situation even if it is not complicit. Sure, many people will take advantage of its free antivirus, and some loyal customers will stick with it. But 60% of the company’s sales come from the U.S. and Western Europe, and these are certain to fall. Rebranding is not, and should not be, an option, as the company has made numerous contributions to the cybersecurity community that should not be forgotten. However, something drastic needs to be done if Kaspersky is to repair its reputation. It may even mean having to relocate its headquarters outside of Russia.
Giving up the source code to its products to prove that there are no hidden backdoors will not convince anyone who doesn’t already trust Kaspersky. After all, Kaspersky could have removed the backdoors before releasing the code. The cold truth, whether it is fair or not, is that Kaspersky will have to give up the idea of getting back onto U.S. government networks at any time in the near future. The negative atmosphere surrounding Kaspersky will make individual users balk at installing its products even if they are not a political target. So, can you trust Kaspersky? That’s something each person, each company, and each government will have to decide for themselves.