Kaspersky: pirated software led to NSA contractor breach

Russian cybersecurity vendor Kaspersky Lab released preliminary results from an internal investigation Oct. 25, claiming that a widely reported breach of a National Security Agency contractor's home computer took place after he or she disabled Kaspersky Lab antivirus software in order to download a pirated version of Microsoft Word that turned out to be infected with malware.

According to a release by Kaspersky Lab, the investigation was initiated “in relation to alleged 2015 incidents described in the media." While some details are inconsistent -- for example, the firm claims the incident took place in 2014 -- many of the details match up with an Oct. 5 story reported in the Wall Street Journal detailing how Russian hackers in 2015 stole classified NSA material from a contractor through Kaspersky Lab's antivirus software installed on the contractor's home computer.

However, Kaspersky Lab claims that its internal investigation reached a different conclusion: that the contractor in question only exposed his or her systems after turning off the firm's antivirus software in order to download a pirated version of Microsoft Word. That software was apparently infected with malware that created “a full-blown backdoor which may have allowed third parties access to the user's machine.”

According to the release, after the contractor turned the antivirus software on again and scanned the computer, the software detected "new and unknown variants of Equation [Advanced Persistent Threat] malware." The Equation Group is a hacking group widely suspected to operate under the aegis of the NSA. Because the contractor had Kaspersky's cloud-based security network enabled, those malware samples were uploaded and sent to the company's headquarters in Moscow for further analysis, something the company said is standard procedure any time its antivirus software flags a suspicious file.

Missing from the company's explanation is how those files eventually ended up in the hands of Russian intelligence. Eugene Kaspersky, the firm's founder, has repeatedly denied the company ever assisted the Russian government or other governments in conducting espionage. The release stated that news reports claiming its software was searching computers for terms like "top secret," something that would indicate an intentional effort to look for and collect classified information, were false.

At an Oct. 25 House Science, Space and Technology hearing on Kaspersky Lab, top-level officials from the General Services Administration indicated that Kaspersky Lab's presence on the GSA Schedule was the result of unsanctioned modifications made by three resellers to their product offerings. David Shive, CIO of the GSA, told the committee that GSA was aware of discussions within the government about the risks associated with Kaspersky Lab software in late 2016.

However, other than running a scan to ensure the software wasn't running on the agency's internal network, Shive said that GSA officials did not take any further action until July 2017.

"With respect to Kaspersky Lab products, they were available from three resale vendors on GSA's schedule contract. On July 11 of this year, GSA directed the three resellers to remove all Kaspersky Lab manufactured products from their catalogues within 30 days. All three resellers complied," Shive said.

However, text of Shive's official statement to the committee includes a passage stating that these resellers "did not gain approval to do so via the required contract modification process."

Rep. Ralph Norman (R-S.C.) asked Shive if the GSA evaluated whether to sanction the resale vendors for including Kaspersky Lab products on their offerings without gaining prior approval.

Shive said he wasn't familiar with the process by which vendors on the GSA schedule are sanctioned, eventually admitting, "I'm not saying that there were or were not consequences, I just don't know if there was" and promised to get back to the committee with more specifics.

In a statement, a GSA spokesperson explained that Kaspersky Lab products were "improperly added through the Schedule Input Program," GSA’s proprietary software that vendors use to upload their electronic catalog, and not through a contract modification request. The agency declined to reveal the identities of the three resellers but said a review had determined the issue did not warrant punishment.

"The three vendors that previously offered Kaspersky Lab products have been fully cooperative with GSA's directive to remove all Kaspersky Lab products from their offerings and GSA’s contracting officers determined that their mistake should not result in the cancellation of their contract in full," said the GSA spokesperson.

Sean Kanuck, director of future conflict and cybersecurity for the International Institute for Strategic Studies, told the committee that Kaspersky Lab's antivirus software, like other antivirus programs, are complete network monitoring solutions with remote administration capabilities and access to their client's networks. This, he argued, gives Kaspersky Lab the capability to act as "a private global cyber intelligence network."

Citing press reports detailing successful penetration of Kaspersky software by the Israeli and Russian governments, Kanuck said the debate about complicity on the part of the company is irrelevant at this point.

"If we believe the media reports … then at least two foreign government agencies have exploited Kaspersky's network, and in my mind that makes the question of 'is there a risk through Kaspersky products?' to become nearly [moot], because allegedly it has already happened twice,” Kanuck said. “Furthermore, I do not personally feel it is necessary to prove a willful complicity or collaboration by Kaspersky employees or the company with the Russian government or any other to show a potential risk.… The mere fact alone that foreign intelligence agencies have sought access through this implies there is a risk.”

One of the unanswered questions hanging over the hearing is when different civilian and military agencies became aware of a potential danger from using Kaspersky Lab products and how quickly they should have moved to mitigate the threat. Despite the NSA contractor hack which reportedly took place in 2014 or 2015, the federal government did not take any official action to purge the vendor from federal systems until the Department of Homeland Security issued a Binding Operational Directive banning Kaspersky Lab products in September 2017.

Shive told the committee that placement of a product on the GSA schedule only indicates that the product has been certified as meeting the necessary contract and legal requirements and "does not make any value or technical judgement about the nature of the product." Later, he told the committee that the responsibility for evaluating when to take action to remove Kaspersky Lab software ultimately falls to individual agency CIOs.

"What I can say is that every agency CIO has a responsibility and obligation to vet any software or technology or process that runs in their organization, and that if Kaspersky or any other similar tool was going to be entered into service in that agency, it would be put through a battery of tests to evaluate whether or not it was suitable for that environment," Shive said.

This article was updated on Oct. 26 to include comment from the General Services Administration.