Media agencies are reporting that breaches of US systems carried out through Kaspersky Lab antivirus software, which is used by 400 million people globally including US government agencies, were discovered by Israeli intelligence officials.
According to the New York Times, which first reported the story, Israel had apparently breached the Kaspersky network two years earlier and warned US intelligence officials of the Russian intrusion. This revelation is what ultimately prompted the US government's embargo of Kaspersky software.
On 3 October the Washington Post reported that Israeli officials had found, in Kaspersky's arsenal, penetration tools that could only have originated from the National Security Agency (NSA). This eventually led to the revelation that the Russian government possessed these tools, and a classified report by the US National Intelligence Council, shared with NATO allies, concluded that the Russian government had “probable access” to Kaspersky Lab's customer databases, including access to its source code. Such wide access to Kaspersky's information, and especially to the source code itself, could enable powerful, robust and sophisticated attacks that go undetected on networks running Kaspersky software, whether in government, personal, industrial or commercial use.
The hilarious part about how all of this was discovered, according to the New York Times, is that the classified information known to have been stolen was sitting on an NSA employee's personal home computer, improperly stored on a machine running Kaspersky. So we now have to ask whether, and how, such an embarrassing handling of classified information will be punished; it also highlights the poor controls the NSA and other US intelligence agencies have over the storage, supervision and access of classified documents. The individuals who discussed the incident with the New York Times did so anonymously.
Kaspersky apparently obtained these documents via a feature of its software that sends potentially suspicious files back to the antivirus firm for further analysis. This is very much a legitimate function of antivirus and anti-malware products: most of them, whether Sophos, ESET, Malwarebytes, McAfee, Avast, Avira, AVG, Windows Defender or others, upload files they deem suspicious but cannot confirm as malicious to servers where analysts can then determine whether they are malicious or benign. Usually the antivirus prompts the user for permission to do this, but some do so automatically in accordance with the End User License Agreement, which users often agree to without reading.
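The automatic sample submission described above is a setting an administrator can inspect rather than something hidden in a EULA. The following PowerShell is an added example, not code from the article or from any vendor named in it: it audits Windows Defender's cloud sample-submission consent level and, assuming an elevated session on a Windows host with the Defender module (Get-MpPreference / Set-MpPreference), stops automatic uploads of file content on hosts configured to send everything.

```powershell
# Added example (not from the article): audit and tighten Windows Defender's
# cloud sample-submission settings, the mechanism the article describes.
# Assumes a Windows host with the Defender PowerShell module and an elevated
# session for the remediation step.

# Meaning of SubmitSamplesConsent values as documented for Set-MpPreference.
$ConsentMeaning = @{
    0 = 'Always prompt before sending'
    1 = 'Send safe samples automatically (no documents or user data)'
    2 = 'Never send'
    3 = 'Send all samples automatically, including documents'
}

function Get-SampleSubmissionFinding {
    # Returns an object describing how much the endpoint will upload on its own.
    param([Parameter(Mandatory)] $Preference)   # output of Get-MpPreference

    $consent = [int]$Preference.SubmitSamplesConsent
    $maps    = [int]$Preference.MAPSReporting    # 0 = off, 1 = basic, 2 = advanced

    # Documents can leave the machine without any prompt only when consent is 3
    # and cloud reporting (MAPS) is enabled; MAPS off or consent 2 means no upload.
    $risk = if ($maps -eq 0 -or $consent -eq 2) { 'Low' }
            elseif ($consent -eq 3)             { 'High' }
            else                                { 'Medium' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        MAPSReporting        = $maps
        SubmitSamplesConsent = $consent
        Meaning              = $ConsentMeaning[$consent]
        Risk                 = $risk
    }
}

function Set-SampleSubmissionNever {
    # Remediation for hosts holding sensitive documents: keep cloud lookups
    # (MAPS) for detection quality but stop automatic uploads of file content.
    Set-MpPreference -SubmitSamplesConsent 2
}

$finding = Get-SampleSubmissionFinding -Preference (Get-MpPreference)
$finding | Format-List
if ($finding.Risk -eq 'High') { Set-SampleSubmissionNever }
```

Other vendors expose the equivalent choice under different names (often "cloud protection" or "sample sharing"); the point is the same: decide the consent level centrally instead of leaving it to the installer default.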
What we don’t know is whether the secrets Kaspersky discovered were the result of intentional targeting. All we know so far is what information Kaspersky has obtained via multiple sources. Evidence suggests the Russian government could have used Kaspersky's customer databases, in much the same way the US government has used data from other private companies. Bryan Lunduke, an open source software advocate, journalist, openSUSE board member and, most recently, a new member of the World Wide Web Consortium (W3C, a standards body for how the internet operates), has a 50-minute lecture on YouTube about how Google and US intelligence agencies obtain their data and just how much data they hold, for those who want to understand how what the US is doing isn’t all that different from what Russia was doing.