More on Kaspersky and the Stolen NSA Attack Tools

Both the New York Times and the Washington Post are reporting that Israel has penetrated Kaspersky’s network and detected the Russian operation.

From the New York Times:

Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs and pulling any findings back to Russian intelligence systems. [Israeli intelligence] provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

Kaspersky first noticed the Israeli intelligence operation in 2015.

The Washington Post writes about the NSA tools being on the home computer in the first place:

The employee, whose name has not been made public and is under investigation by federal prosecutors, did not intend to pass the material to a foreign adversary. “There wasn’t any malice,” said one person familiar with the case, who, like others interviewed, spoke on the condition of anonymity to discuss an ongoing case. “It’s just that he was trying to complete the mission, and he needed the tools to do it.”

I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.

More news articles.

Posted on October 11, 2017 at 2:54 PM


handle_x October 11, 2017 3:28 PM

“People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.”

AFAIK they (once upon a time?) were audited to maintain that, something about Leavenworth

// Overworked NSA TAO goon pours a third double, plugs in the wrong red thumb drive.

Automount. Autorun. KAV window pops up, scanning removable devices.
KAV in unobtrusive “silent mode” (no popups) dutifully executes a taskbar flash.
Virus definitions auto-update complete. CPU kicks up to 35% briefly, then back.

Default threat telemetry setting : yes
BaconFraud.exe : Uploaded
TurkeyMoney.MSI : Uploaded
PutinParty.gif : Uploaded : Uploaded

Heuristic file submission complete. “No active threats detected”
Edge browser opens, homepage opens. Autologin. “Hey, Michael!”

NSA OPSEC ensues.

Ratio October 11, 2017 3:31 PM

Russia Has Turned Kaspersky Software Into Tool for Spying:

After discovering the 2015 breach, U.S. officials began gathering other evidence that Kaspersky was being used to identify classified information and assist in its theft, said the people familiar with the matter.

For many months, U.S. intelligence agencies studied the software and even set up controlled experiments to see if they could trigger Kaspersky’s software into believing it had found classified materials on a computer being monitored by U.S. spies, these people said. Those experiments persuaded officials that Kaspersky was being used to detect classified information.

Nameless Cow October 11, 2017 3:32 PM


I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.

I don’t know whether the explanation is correct, but I find it plausible. Until something like this leak happens, the risk of the material being stolen may seem remote and theoretical. On the other hand, the risk of being fired for not keeping up with assigned tasks looks more real and present. I would not be surprised if someone decides to take a chance by taking work home, thinking that the risk of classified material leaking is low, because they have no intention to pass it to anybody.

Ross Snider October 11, 2017 3:58 PM

The bad press and breathless ominous overtones about Kaspersky being a puppet of the Russian intelligence services (while likely true – USGIC has a similar relationship with Symantec – NSA has backdoored most American products and services) is a really awkward propaganda operation. Congressmen months ago were stating that we were going to target all forms of cyberpower of Russia in cyber-conflict and specifically named Kaspersky as a private entity that they wanted to harm. There’s been a coordinated set of policies to put pressure on any cyber capability (privately owned or not) by Russia from the very start of Trump’s presidency (sanctions on security software).

This is yet another escalation in the ongoing, invisible, and dangerous cyberwar that no country seems to have the political will to refrain fueling.

Max October 11, 2017 4:05 PM

The WaPo article quotes Kaspersky as saying it has no knowledge of an Israeli attack. The NYT article links to a Kaspersky article detailing the Israeli attack. 🙂

Vesselin Bontchev October 11, 2017 4:11 PM

Kaspersky never officially attributed who hacked his company in 2015, but there were several rather obvious pointers that it was the Israeli spy services, so that part is definitely believable. As for the rest, I still don’t believe it.

handle_x October 11, 2017 4:18 PM

The Israeli K-breach was confirmed by Kaspersky publicly in a 2015 report.

From the Times:

The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu,” which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint American-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010….

Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the United Nations Security Council to negotiate the terms of the Iran nuclear deal — negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint American-Israeli operation like Stuxnet.

handle_x October 11, 2017 4:21 PM

@V. Bontchev

All we “know” is that Russia’s intelligence used KAV data/capabilities to search for what they were looking for. Exactly how they accomplished this is not disclosed AFAIK.

Whether or not E.K. was aware of this is an open question. What’s not to believe?

Jared Hall October 11, 2017 4:45 PM

@Bruce: “I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.” Rank and file, yes. Officers and executives, no.
Pretty common for Contractors to work at home also; in fact, they probably developed most of the stuff that the NSA/CIA uses anyway. I thought this was a contractor also, no? As for exploit development contractors, the “sub” of a “sub”, of a “sub” is a big management nightmare. Plus, everything starts with just a rumor. Developers may not even know what overall classification was applied to their contributed code upstream in the food chain. There obviously should be some policies applied as to what A/V and malware systems government personnel and contractors are allowed to use. I believe that those policies have already been created; just another lesson learned over time. After this event’s conclusion, this is just going to be a blip on some congressional report balancing damages done + monetary expenditures versus intelligence gained. We’ll never know the outcome. It would indeed be funny to find that other countries’ intelligence workers use Symantec, McAfee, or GFI. Maybe we’ll all have to use software from neutral, non-aligned countries, like Switzerland or Sweden. Hah!

Ease of Use fan October 11, 2017 5:05 PM

“People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.”

Unless your name is Clinton. She couldn’t even remember getting that briefing…

handle_x October 11, 2017 5:21 PM

HRC was elected in 2000 to the senate & the armed services committee. I imagine that requires some clearances. Remembering a date from 15 years ago would be nice.
Lots of things could be important “publicly necessary” information to recall.

Remembering you had several meetings with Russian nationals correctly could be good too.
Or that you had financed real estate transactions for wealthy associates of Putin himself.
The name of your campaign manager or who the heck David Duke was, despite video.

A good memory and honest demeanor could be quite detrimental to the current strategy.
Mueller will work with what he has instead, he’ll be fine. The seas have parted.
The 11th commandment has been broken. He didn’t build an ark, he built a storm.

Clive Robinson October 11, 2017 5:32 PM

@ All,

Can we cut the party political and personal political rhetoric? It achieves nothing, and is at best foolish.

After all, how many times can you reboil potatoes before you end up with starch paste?

Daniel October 11, 2017 5:39 PM

@Nameless Cow and others

Distinguish incompetence from malice. That’s my challenge to you. You can’t say the difference lies in the outcome because here the outcomes of incompetence and malice are the same thing: the documents in the hand of an adversary. So that means that the difference is either in the process or in the motive. Here, however, as @bruce notes it can’t really be in the process because the employee is constantly warned not to do what they did. So the process a malicious person would employ and the process an incompetent employee would employ look like the exact same thing: take the documents out of their secure environment. So then in the end all we are left with to distinguish between malice and incompetence is motive.

Motive, however, is notoriously inscrutable. It is easy to deprecate motive after the fact, especially in this case where the NSA’s own motives need to be questioned. It looks a lot worse for the NSA to admit they failed to catch a spy than they hired a clown. So of course they will say he didn’t mean any harm. What evidence do they have for their statement of faith? “Circle the wagons, boys, and shoot anything that moves.”

So I don’t feel any better about this case knowing that he claims he didn’t mean any harm. He broke the rules, the consequences were devastating, and he/she should pay the price for their actions. As should the NSA who is at the very minimum guilty of a failure to supervise.

handle_X October 11, 2017 5:43 PM

Too much Bible in my diet. I can’t stand the stuff.

“We’ll never know the outcome. It would indeed be funny to find that other country’s intelligence workers use Symantec, McAfee, or GFI”

They’re probably in there somewhere, no doubt. Wittingly and unwittingly both.

That’s why the accusations against KAV have so much traction instantly. Because we do it.

Windows Defender Is Your Friend October 11, 2017 7:08 PM

Nothing beats good ol’ Windows Defender. Anything else is added bloat.

Anon October 11, 2017 7:28 PM

Whether true or not about their collusion with the State, doesn’t anyone else find it ironic that a security company doesn’t detect their own networks were breached?

Ollie Jones October 11, 2017 7:52 PM

I have some experience with HIPAA (US health care personal information) infosec.

In that discipline, the regulations (indeed the law) make no distinction between malicious leaks and “innocent” leaks. Ya can’t take personal health information home. If it leaks, you’re responsible. If you’re mugged and beaten and lose your laptop, the information is presumed leaked. And everybody who touches health data, from famous doctors to hospital executives to programmers to data-entry clerks, gets that drilled into them.

Leaks involving more than five hundred patients are made public, here, with the identity of the leaker (not the patients, obviously)

Is it hard to understand? Maybe, maybe not. Health care people understand it.

I guess maybe people working for the government don’t understand it. That’s honestly baffling to me.

Anon October 11, 2017 7:54 PM

My question:

If Kaspersky became aware of the Israeli intrusion in 2015, then presumably Israeli intelligence obtained the information no later than 2015. But the US government just began in the past few months (2017) to issue its recommendations and directives against using Kaspersky. What happened in the intervening 1.5 years? Did Israel sit on the information? If so, why? Something doesn’t add up here, or there’s been some recent intelligence horsetrading.

sooth_sayer October 11, 2017 8:02 PM

I would conjecture that the employee who hasn’t been charged is a son/son-in-law of some mucktymuck in NSA.

This country, particularly government agencies are epitome of nepotism — and no rules apply anymore — only DNA sequence matters.

mostly harmful October 11, 2017 8:32 PM

In the NY Times we read:

[Israeli intelligence] provided their NSA counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

On screenshots and “solid evidence”:

  • The evidentiary value of a screenshot, as far as I know, is roughly equivalent to an “artist’s rendering” of a velociraptor breast-feeding its young.
  • After examining popular forms of argument on social media platforms, I gather that hoi polloi employ screenshots as if they constituted some kind of gold standard in evidence.

So it is interesting to me that this NYT article “informs” us that Israeli evidence includes screenshots, in particular (and with all other particulars left to the imagination).

Somehow, I don’t feel informed. Instead, I suspect either the journalists or their sources are trying to manipulate their readers into feeling informed.

More generally, note the implications of the following, quite reasonable observation, also from the NYT article:

“Antivirus is the ultimate back door,” Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

Blake Darché isn’t wrong. So the following reactive measure is clearly inadequate:

“On Sept. 13, the Department of Homeland Security ordered all federal executive branch agencies to stop using Kaspersky products, giving agencies 90 days to remove the software.”

Read the article in vain, however, to find mention of the DHS ban’s obvious inadequacy. If it were a technical defensive measure, why not ban all AV of that class? Why just Kaspersky?

The content of this story is not technical. It is a political hatchet job.

John Smith October 11, 2017 8:34 PM

I can understand someone breaking the rules and taking work home. This probably happens quite a bit. The overarching rule: don’t get caught.

What I don’t buy is someone loading NSA work files on a computer that isn’t air-gapped. That is beyond stupid, and NSA does not hire technically stupid people.

This seems more like espionage to me. Loading the files on an internet-connected computer with KAV provides a “plausibly deniable” way to exfiltrate those files.

Benjamin October 11, 2017 8:37 PM

Are “cyber-weapons” (to use the USG term) actually classified? My understanding is they weren’t – because if they were, they wouldn’t actually be able to be weaponized and used outside of a SCIF.

I was under the impression that they were a really grey area – development and such all happened on unclassified systems so that they could then be used against internet targets.

Clive Robinson October 12, 2017 12:11 AM

@ mostly harmful,

Blake Darché isn’t wrong.

Blake is not wrong; if anything his statement underplays AV software’s abilities for the majority of people.

@ All,

To be able to work effectively AV software agents have to be able to get into “all the crawl spaces” in not just the application/OS interface but lower interfaces as well. Think of AV software as being “the building supervisor with an ‘Access all areas’ pass”, and the authority to ‘destroy or steal’ with impunity.

AV software is in reality the equivalent of a “Test Harness” that allows observation of any and all data that is in the computer and likewise the actions of the user.

What is annoying is we have seen it all quite publicly before with Mobile Phones and the CarrierIQ software. But in the majority of cases people don’t remember and even if you tell them repeatedly they do not appear to get a basic fact,

    You only need AV software because the OS is totally insecure,
    as are the applications and user actions

It’s not just state level attackers that know this, it’s also the likes of Microsoft and Google who write the Windows and Android OS’s respectively. Oh, and your everyday jobbing cyber-criminal.

There is only one thing a sensibly cautious person can do and that is,

    Do not trust the hardware, the OS, the applications and the actions of the user.

The current personal computer market is predicated on misleading users and stealing their data, whilst taking away any rights a user has to defend themselves. It’s why the larger companies hire the same sort of psychologists that retailers and marketers do, to work out the best ways to get you “hooked” and then “suck the life blood out” of you.

There are ways of mitigating this nightmare we have sleep walked into, but can even a fraction of computer users go “cold turkey” on their electronic addiction?

Probably not… Think of it like the more normal addictions of drugs, tobacco and alcohol and compare them to being over weight. With the exception of food you can cut the addictions out of your life altogether and still survive and eventually thrive. It’s why dieting is so very hard, you can not stop eating food, if you do you will most certainly not survive. Thus your addiction to food gets reawakened with every morsel you eat.

Using computers is now getting very close to being essential to living in a modern society. Thus like food you can not survive without using them.

Thus the question is can you ration your consumption of computers to the point it is healthy? By whatever measure that might be defined?

Until users can control themselves and their usage and take sensible mitigations, they will be exploited, and that will be done on the excuse of “security”.

Clive Robinson October 12, 2017 12:56 AM

@ Anon,

[D]oesn’t anyone else find it ironic that a security company doesn’t detect their own networks were breached?

Not in the slightest, in fact the exact opposite; remember RSA or numerous CAs, etc etc. For many years I’ve assumed that it is not possible to keep connected computers secure.

In fact I would consider anyone who claims their computer is secure is deluding themselves, even if they think they can prove it.

Several years ago in a conversation on this blog with @Nick P I quite openly said I did not think it was possible to secure a computer against state level attackers when crossing borders. Since then, as others have pointed out, borders do not really exist any more. That is, if a computer can be touched physically or electronically at any point of time by someone with the required skills then “It’s game over”. Which of necessity includes the supply chain.

All you can then do is isolate the computer so it can not exfiltrate data to the attacker. Hence I talk of “mitigation” and “energy gapping” and “instrumented choke points”.

With regards your question about Israel and,

Something doesn’t add up here, or there’s been some recent intelligence horsetrading.

A little philosophical thought for you… It’s said that from the human perspective only three numbers make practical sense and they are “zero, one and infinity”.

To make it a little more tangible it means that there can be nothing of something, something is unique or there can be unknown numbers of something.

If you apply that to using AV software as a backdoor by SigInt agencies you have the cases of none are doing it, one agency is doing it or in effect all that can are doing it. I would suggest the time line from none to all that can was extremely short.

Thus it would be likely that the “Golden Goose” effect was in place. That is if you have a goose that lays golden eggs you don’t cackle about it. It was a point first made about Signals Intelligence by Winston Churchill during WWII.

I’ve commented in the past that the role of the NSA is schizophrenic in that it is tasked with both attacking all other nations’ signals whilst defending a select few signals of the US. Which means that in effect there was a choice for the NSA to keep quiet and use the AV backdoor itself or tell the world and kill the backdoor off.

Thus I would say that the NSA were exploiting the AV backdoor to the maximum themselves. And it was only when it became too well known that they decided to take action that would make it public.

Clive Robinson October 12, 2017 2:07 AM

@ handle_x, V. Bontchev,

All we “know” is that Russia’s intelligence used KAV data/capabilities to search for what they were looking for.

What we “know” in reality is “nothing”.

The whole thing is a FUD campaign by various “nameless” people that “supposedly exist” within the USG.

What we do know is that every so often the US Government accuses other countries of cyber-XXX. Usually it’s when some US entity has done something stupid and “been caught with their pants down”. No evidence is ever offered just condemnation and untestable assertions from unnamed individuals.

As for this supposedly careless NSA individual there is no evidence offered of the “who, what or how” they supposedly did, if anything…

Thus is it surprising that people are starting to think it’s actually a propaganda campaign by parts of the USG that have yet to show their hand?

225 October 12, 2017 2:12 AM

“Russian intelligence officers informed the NSA that, in the course of their Check Point Software Technologies Ltd. hack, they uncovered evidence that Israeli government hackers were using Check Point Software’s access to aggressively scan for American government classified programs and pulling any findings back to Israeli intelligence systems.”

anonymous sources say…

Wesley Parish October 12, 2017 2:45 AM

I like this:

Over the past several years, the firm has on occasion used a standard industry technique that detects computer viruses but can also be employed to identify information and other data not related to malware, according to two industry officials, who spoke on the condition of anonymity to discuss sensitive information.

The tool is called “silent signatures” — strings of digital code that operate in stealth to find malware but which could also be written to search computers for potential classified documents, using keywords or acronyms

I like it – they had the audacity to use a standard industry technique! What were they supposed to do? Sacrifice virgins to the Deep Ones, rowing out into the middle of Innsmouth Harbour and throwing them into the sea, in the hope of thereby identifying malware infestations? If it is a standard industry practice, then all members of that industry are thereby tarred and feathered.

All very mickey mouse!
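The “silent signature” mechanism the quoted report describes, as a toy model added here (not code from the article, from Kaspersky, or from the commenter): one matcher serves both a malware byte pattern and a document-marking keyword, a silent hit raises no user alert but still queues the whole file for upload, and the endpoint-side controls are the sample-submission setting and a review of what would leave the machine under a rule the user never saw. Every rule name, pattern and file below is constructed for illustration.

```python
"""Toy signature scanner modelling the "silent signature" mechanism: a rule
is applied by the same code path whether its pattern is a malware byte
string or a document keyword, and a match can queue the whole file for
upload to the vendor without any notification to the user.  Rules, files
and names here are constructed; nothing is taken from any real product."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes        # regex applied to the raw file bytes
    silent: bool = False  # silent rules never raise a user-visible alert
    submit: bool = True   # a hit queues the matched file for upload


@dataclass
class ScanResult:
    alerts: list = field(default_factory=list)       # (path, rule) shown to the user
    submissions: list = field(default_factory=list)  # (path, rule) queued for upload


def scan(files, rules, auto_submit=True):
    """Apply every rule to every file.

    files: mapping of path -> raw bytes (a constructed stand-in for a disk).
    auto_submit: the endpoint's "send suspicious objects to the vendor"
    setting; when False nothing is queued regardless of what the rules say.
    """
    result = ScanResult()
    for path, data in files.items():
        for rule in rules:
            if re.search(rule.pattern, data) is None:
                continue
            if not rule.silent:
                result.alerts.append((path, rule.name))
            if auto_submit and rule.submit:
                result.submissions.append((path, rule.name))
    return result


def egress_review(result):
    """Defender-side check: which queued uploads were triggered by a rule the
    user was never shown?  Those are the submissions an endpoint owner cannot
    account for from the product's own UI."""
    visible = set(result.alerts)
    return [item for item in result.submissions if item not in visible]


# Constructed rules: one ordinary malware signature, one "silent" keyword rule.
RULES = [
    Rule(name="Trojan.Constructed.A", pattern=rb"EVILPAYLOAD\x00"),
    Rule(name="Silent.Markings", pattern=rb"TOP SECRET|NOFORN", silent=True),
]

# Constructed files standing in for a home directory.
FILES = {
    "game.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"EVILPAYLOAD\x00" + b"\x00" * 8,
    "notes.docx": b"PK\x03\x04 meeting notes TOP SECRET//NOFORN do not remove",
    "recipe.txt": b"2 cups flour, 1 egg, bake at 180C",
}


def demo(auto_submit=True):
    """Scan the constructed directory with the constructed rules."""
    return scan(FILES, RULES, auto_submit=auto_submit)


if __name__ == "__main__":
    r = demo()
    print("user sees:          ", r.alerts)
    print("would upload:       ", r.submissions)
    print("unaccounted for:    ", egress_review(r))
    print("with submission off:", demo(auto_submit=False).submissions)
```

The document-marking hit never appears in the user-facing alert list, which is the whole point of the review step; turning submission off at install time, as one commenter above says he does, empties the upload queue entirely.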

handle_x October 12, 2017 3:21 AM


I meant what “we know” in the sense of what was reported in several places.

“What we do know is that every so often the US Government accuses other countries of cyber-XXX. Usually it’s when some US entity has done something stupid and “been caught with their pants down”. No evidence is ever offered just condemnation and untestable assertions from unnamed individuals.”

Well that’s not so entirely different from what we’re looking at now.
What DO we know? You’re right, we’re all relying on 3rd party information.

Now can we trust everything that is reported, of course not. But if enough skin-in-game sources are willing to risk their reputation as professionals and vouch for something as having happened, it certainly has a lot more weight than 1 person or 1 group, or 2, denying that and offering no plausible counter-authority or counter-explanation.

The more the better, viva la difference. The truth is an appreciated average.
Sometimes the majority is wrong too.

Kai October 12, 2017 3:35 AM

People are kidding themselves if there’s not any of the AV software from American companies doing the same thing – they just haven’t been caught yet

Clive Robinson October 12, 2017 3:52 AM

@ David,

If the US secret services keeps leaking details of allies investigations to the press …

It’s been going on for years: GWB’s administration did it, Obama’s did it, there is even evidence Ronald Reagan’s administration did it before Maggie Thatcher went and had a word with him…

Usually though it’s less blatant and does not draw a public response from the UK Government.

It’s one of modern day politicians dilemmas, if they say nothing they get no press, thus no publicity thus less chance of being voted back in at the next elections. If they talk about sensitive issues at home then they risk drawing the ire of some voters, it gets you publicity but not the form you want. Thus if you talk about something sensitive that does not effect your voters, you get publicity thus potentially votes.

There were many things the Trump Administration could have said back then, but they said things that could potentially impede if not railroad a police investigation, thus it got a public response from the UK.

Mindraker October 12, 2017 6:20 AM

People with clearances are told over and over not to take classified material home with them.

Stewie: “Whaaaaaaaaaaat?”

matteo October 12, 2017 7:04 AM

am i the only one who find this perfectly normal?
antivirus are designed to find virus.
default configuration upload unknown exe files (and maybe others, i disabled this at install time, since my files are only mine).

kaspersky found a virus, it was nsa virus, so? this proves that kaspersky works nothing more…

american people are always blaming at russia, it was russia, russia hack all the things….
while most of the time is nsa who hacks all the things.

Clive Robinson October 12, 2017 7:26 AM

@ Matteo,

[a]m I the only one who find this perfectly normal?

Which bit,

1, Kaspersky AV software doing exactly what it says on the tin.

2, One or more SigInt agencies taking advantage of it.

I’m not in the slightest bit surprised as we’ve seen it before with the CarrierIQ debacle, where mobile phone operators put CarrierIQ’s technical support “test harness” onto the phones they were selling in contracts. The software logged all sorts of information including key presses and sent the log back to the CarrierIQ “mothership” via the internet in what was effectively “plain text”.

It’s reasonably certain that the NSA hoovered up all those log files for later use.

So in a way yes in both cases it’s “perfectly normal”, but it should not be.

Andrew G October 12, 2017 9:16 AM


Quis custodiet ipsos custodes?

The Washington Post and the New York times got their tips from someone. Someone who had inside knowledge of the NSA. To some extent, “ipsos custodes” are obviously watching each other. I would feel a lot better if there were formal and meaningful official oversight, but having some NSA personnel willing to risk prison to expose misconduct is currently our best and only hope.

Sam S October 12, 2017 10:01 AM

From the WaPo article:

Over at least the past two years, the FBI has notified major companies, including in the energy and financial sectors, about the risks of using Kaspersky software. The briefings have elaborated on the risks of espionage, sabotage and supply-chain attacks that could be enabled through use of the software. They also explained the surveillance law that enables the Russian government to see data coursing through its domestic pipes.

This sounds like a really good argument against allowing governments backdoor access to encrypted data, like the data on your iPhone. It’s really too bad Jim Comey isn’t in charge anymore, it would have been fun to see someone ask him why the FBI should get access to any encrypted data it wants, and then follow up immediately with a question about why it’s bad if Russia gets access to any encrypted data it wants.

:D October 12, 2017 10:46 AM

Wasn’t Kapers -ky (for a slippery back door) basically the only one able to reliably spot and block US / Israeli worms and tools in the past? I can’t imagine why the US / Isr folks would have any interest in discrediting them or trying to lose them lots of customers / reduce their standing as a good reliable authority, reduce the use of Kapers AV software in the western world leaving only basically US AV software….. which I am sure is 100% not doing the exact same thing cough (from 2015: )

mark October 12, 2017 11:27 AM

About the WaPo’s report: the guy had the data on his HOME COMPUTER?! Either they’re too stupid for the job, and need to be pushing a broom somewhere, or they knowingly violated regs.

Hell, I work at a civilian sector government agency, and we’re told, in no uncertain terms, and with regular repetitions, that we may NOT USE our own hardware, only agency hardware, to remote in. For that matter, we also don’t get to use passwords, we must use our PIV cards and PIN.

Fredric L. Rice October 12, 2017 11:29 AM

Kaspersky continues to deny that their software deliberately scans for soft targets and for “interesting” files predicated upon file name and content, and they continue to claim that none of the information they don’t (sic) receive from computers infected with their virus-scanning software gets fed to the Kremlin or to other Russian / anybody-else entities.

Considering what is known and what is suspected, I have to wonder why nobody at Kaspersky has fled into the arms of foreign international law enforcement to sing all that he or she knows about the operation they were/are part of.

Is it because none of the employees, owners, operators, and agents of Kaspersky feel that there will be criminal indictments?

After all, the first to sing usually avoid or evade serious criminal charges if they are the first to rat out the others. Does nobody at Kaspersky, assuming all of the allegations and supposed evidence are true, feel the need to flee into the protective arms of law enforcement outside of Russia?

At minimum one would expect employees to flee the company, to leave before any doors are kicked in by international assets organized by Interpol or any other foreign intelligence agency working in cooperation with some Russian agency not in cahoots with the Kremlin.

My opinions only, as always, and only my opinions.

Fredric L. Rice October 12, 2017 11:36 AM

Oh: It also begs the question, “Does Kaspersky Labs virus-scanning software actually perform virus scanning?” It seems likely that it does actually work as a virus scanner as one of its tasks, yet is that its primary task? Is the software first and foremost a virus-scanning software package, or is its primary purpose to seize intelligence from foreign governmental and corporate computer systems?

Steve October 12, 2017 11:50 AM

@Bruce: I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.

Yes, but they do anyhow, just like those who put unencrypted HIPAA data on their laptops then get them stolen and any of a hundred other incidents we’ve seen here in these blog pages.

Recall that the whole Wen Ho Lee flap a decade ago was because Dr Lee took work home with him.

There’s an old adage about censorship on the Internet being perceived as damage and routed around. Cumbersome security measures are pretty much the same thing, in my view.

Dr Schneier may not buy it, but I do.

wumpus October 12, 2017 11:56 AM

“I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.”

“Need to know” and “compartmentalization” were core parts of the job, yet Snowden managed to trivially scoop up terabytes of “Top Secret” material. Note that he also was a contractor, presumably not quite the “core NSA” (even though those types tend to work for various “employers” while always doing NSA work) much like those who leaked/lost these things.

I’m sure the NSA is still capable of the core government functions of “pork” and “turf”. The days of “No Such Agency” and “Never Say Anything” are long gone.

Cassandra October 12, 2017 11:58 AM

@Frederic L. Rice

It is a germane question, but I believe it can be generalised by dropping ‘Kaspersky Labs’.

As I think it is unlikely that all virus scanning software was first written by front-companies for intelligence services, then I would say that the originally intended primary purpose of virus-scanning software is to prevent computer virus infections. That such software might have been subverted by several intelligence services is likely, given the capabilities of such software, and the trust put in such software by end-users.

I can well understand that an upstanding citizen of the USA might prefer to use a virus-scanner approved by the NSA; and indeed an upstanding citizen of Russia might prefer to use a virus scanner approved by the Спецсвязь России. The interesting question is what virus scanner should a citizen of a non-aligned country, such as Brazil, use?

Grauhut October 12, 2017 12:01 PM

@Fred “Is the software first and foremost a virus-scanning software package, or is its primary purpose to seize intelligence from foreign governmental and corporate computer systems?”

Test it!

German BSI says: “There are no plans to warn against the use of Kaspersky products since the BSI has no evidence for misconduct by the company or weaknesses in its software,” BSI said in an emailed response to questions about the latest media reports.

“The BSI has no indications at this time that the process occurred as described in the media.”

mostly harmful October 12, 2017 1:45 PM

Regarding this passage:

The employee, whose name has not been made public and is under investigation by federal prosecutors, did not intend to pass the material to a foreign adversary. “There wasn’t any malice,” said one person familiar with the case, who, like others interviewed, spoke on the condition of anonymity to discuss an ongoing case. “It’s just that he was trying to complete the mission, and he needed the tools to do it.

@Bruce opines:

I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.


So… by that logic, where does that leave David Petraeus? Malice for sure, right?

The responsibility for a systemic problem rests with those who have the power to make systemic changes. In other words, probably not with the employee presently being investigated. And whoever those big wheels are, we can surmise their general attitude regarding systemic problems, from their treatment of Bill Binney and Thomas Drake.

The rest of us get told a lot of things by our bosses. How much of it is irrational BS, or even counterproductive? How much is nearly universally ignored? How great does the (perceived) proportion of BS have to grow before critical BS mass is achieved?

Whether The Management likes it or not, showering your workforce with BS has unavoidable consequences. There are lots of illustrative clips from the movie Office Space. Youtube is full of them. They aren’t hard to find.

Cassandra October 12, 2017 2:36 PM

@mostly harmful

Leaked classified information does not magically become unclassified, even if public. This leads to apparently weird behaviour by people who are required to follow, to the letter, the rules for handling classified information.

I remember reading a court transcript that shows this. In the UK, certain MOD establishments are signposted on public roads with a red-bordered sign. As part of the court case, a military officer was shown a picture of such a sign, and asked about it. He could not answer, even though the sign was public, as he was not allowed to provide any information confirming the existence of the site.

Furthermore, when material is ‘protectively marked’, someone who is cleared to read documents of a certain type might be able to recognise leaked documents that are marked in such a way that they know that they do not have clearance to read them. Inadvertent access to such material requires them to report the occurrence (it generates paperwork!), and if they actively seek out such material (such as by browsing a well known site containing leaked material), it could be regarded as a criminal act. When working in such environments you really do have to suppress natural curiosity.

Josh October 12, 2017 4:08 PM

Interesting, “Israel penetrated Kaspersky’s network”.
What’s to say Israel is telling the truth about “Russian penetration” (laugh).
By way of deception thou shalt do war.

Nameless Cow October 12, 2017 4:35 PM


Recall that the whole Wen Ho Lee flap a decade ago was because Dr Lee took work home with him.

I don’t recall taking work home being part of what Dr. Lee was accused of. I think he only copied some restricted information to a computer not accredited to handle it. Wikipedia’s article about the story seems to suggest that the information was not terribly sensitive.

handle_x October 12, 2017 6:39 PM

“Your elite American cyberwarriors get caught trying to illegally blow up Iran’s civilian nuclear facilities”

Hm, no. They targeted centrifuge motors at enrichment sites like Natanz and did not cause them to “blow up” but merely wear out prematurely while ruining the enrichment.
Nothing blew up.

“your intended victim makes a fool of you,”

Well, it did delay the enrichment for years. That was at least part of the goal.

“takes all your cyberweapons,”

Having patches ready to go for the 0-days can minimize the damage from that.
But it’s a valid concern in the short term for sure.

” positively robs you blind”

If you’re referring to the money we paid to Iran, that was owed them – and more in interest, which was truncated entirely. It was a good deal to pay them that sum. Planes they ordered and paid for were never delivered. Add 20 years interest on BILLIONS, that’s a lot – so “Obama” struck a pretty decent deal to remove most of it.

“then publicly taunts the crap out of you”

Who gives a crap?

“And what you do is… tell everybody it was actually a private company with 3,500 employees that made a fool of you.”

Ok now you’ve moved from Iran to Russia, you realize that right? Actually it was apparently Israeli intelligence that tipped the US off that KAV was being used to locate and procure NSA tools, they looked into it and confirmed it. Yep, someone in the US made a big mistake and the Russians allegedly exploited it. So those particular tools will be burned/patched, and the US goes on making new ones at the rate of hundreds or thousands per year.

What was your point again? Did you want to taunt “the western internet” or Bruce’s forum in particular because you thought this is somehow our individual responsibility?
Or is it already happy hour?

Clive Robinson October 13, 2017 2:15 AM

@ Fredric L. Rice,

Don’t get hooked up on the US “unnamed source” FUD. It’s much more likely than not that it is either “spin” or a “false flag” operation by the US. There are many non-political reasons to be cautious about the whole thing.

But first, just a reminder about Stuxnet: nearly everyone followed “the party line” and said Iran was the target. Others who chose to look at it after examining the evidence found that North Korea was the probable target. A little while later North Korea showed they believed that as well. Then much later even the USG let it be known that North Korea was their primary target, not Iran.

As some of us point out from time to time cyber-attribution is hard and cyber-false-flag is easy in comparison. We were making this point long before the cache of US IC entity cyber-false-flag tools became public.

Also remember the US IC and SigInt agencies are allowed to commit perjury without fear of retribution. And they have been caught lying on sufficient occasions as to brand them “unreliable witnesses”.

But to get back to USG-v-Kaspersky and things you are not getting told in the WSJ et al FUD but you can find out for yourself,

Firstly there has been no evidence offered by the USG only unsubstantiated hearsay at best.

Secondly, there are many “test harness” programs out there, not just AV programs. Just about anything that supports “Technical Support” remotely has a test harness that digs deep into some or all aspects of a communications end device such as a PC, tablet, smart phone etc. This is normal expected behaviour.

Thirdly it’s reasonably well known that all SigInt entities with any kind of capabilities hijack/listen in on any kind of “test harness” that phones home to a company “Mother Ship”. The NSA has certainly done it in the past with CarrierIQ.

Fourthly, it’s interesting to note that Israel’s SigInt agency is claimed to have been all over Kaspersky’s systems. Kaspersky does not attribute Israel; it just notes it was an improved version of earlier malware that others have attributed to the US and Israel.

Fifthly there is a question of “why now” not two years ago when Kaspersky was first infested by the malware?

Both the US and Israeli SigInt agencies have a very strong dislike for Kaspersky because they find intrusions that US AV vendors do not.

Further, there is a “political dimension” to this which boils down to opportunist bare-knuckle “Party Politics”. I won’t go further on this aspect as our host has asked us not to. All I will note is that it is fairly obvious to see.

There are several other points of a technical nature about cyber-false-flag methods, which, as they have been talked about on this site before, I’ll let you go and look up.

On balance there really is no evidence that has been offered against Kaspersky. The innuendo is however being trumped up and that should be raising eyebrows.
So on balance I

Wesley Parish October 13, 2017 4:45 AM

@Clive Robinson

Long, long ago, in a land far, far away, etc, … I read in AE Van Vogt and/or some other SF author (most likely Harlan Ellison) an intriguing concept: power is more or less the right to betray one’s subordinates. I think the book was The Silkie; I also remember some other stuff called “logic of levels” which I dismissed as claptrap after discovering what logic was actually about.

Given that the Israeli “Intelligence” outed themselves by telling US “Intelligence” and US “Intelligence” outed Israeli “Intelligence” by going to the media, the question arises: who is betraying who?

It does begin to look like a power struggle somewhere in the murky depths …

Panda October 13, 2017 5:44 AM

Okay, so here is the one that leaked. How many popular software apps do the same?:) In 2017, with all the conspiracies, I don’t even wanna know…

Etienne October 13, 2017 6:19 AM

I worked in a high military security environment for years. With the advent of the Internet, people wanted to do things at home. We had a lot of sensitive stuff that while it wasn’t classified, we didn’t want to read about it in Time magazine.

So finally, we bought a great big expensive VPN system, and then people could check-out a laptop, that was cloned after use. So you had a fresh computer, you dirtied it up, and then before it was re-issued, it was cloned new.

But we also had both the SIPRNET and our own worldwide WAN that used crypto modems to link together. This stuff you couldn’t take home!

Guess what, people found ways to do just that. We caught one guy who printed out stuff off the red network, then OCR’d it onto the black network, and emailed it to his house.

They all tried to say, Oh, was I not supposed to do that?? Then we would show them the form they signed, which stated exactly that was punishable.

Obviously they were debriefed, lost their clearance, and went home and killed themselves so as to not go to prison, but the audacity of that mentality was truly shocking to me.

Etienne October 13, 2017 6:36 AM

When I first started flying on ELINT planes in the 70’s, I only had a Secret clearance. I was trained on one piece of gear, and I was told the less I know, the better it is. If you end up in an East German prison, you don’t want to know shit.

So, as a safeguard, the military would have you sign a form that says you may come into contact with information higher than your clearance, but this would be inadvertent. As such, I was signing that I understood this, and would not talk about it, or be fined and sent to prison.

The first time this happened, I balked. I’m not signing a blank form! Then the commander of the mission said, we were going to be flying out of Orly in Paris for a week with full Per diem. Bam! I signed 10 forms in advance!

To this day, I have no idea what we were doing, and my gadget never did anything, and was probably a blank circuit board with a green light bulb that said it passed self-test. The exercise was merely to test me, to see if I was trust-worthy.

I guess I passed.

:D October 13, 2017 9:07 AM

@ Clive Robinson

Mostly agree.

We are told that US Anti Virus programs miss attacks that Kaspersky manage to detect, but I am more wondering if it is just that Kaspersky is outside US control and are willing to release the information publicly about the US & Israeli sigint attacks they detect. The US AV suppliers are maybe detecting all this action by the US govt / Israeli govt also but not releasing that info publicly or to the media, and helping to protect the govt toolkits and continue their effectiveness (well, against the native peoples at least; those with Kaspersky installed may not be left as wide open to the US tools possibly).

Which would also imply to me that Kaspersky are not fully under the control of the Kremlin either, as the Kremlin would want to keep these captured tools to themselves too and not let the public know.

The intelligence services have always wanted full control of the publicly elected govt officials so having them all using US AV programs means there will be no system within their country that they can’t monitor and control and act upon, if they have a backdoor into that AV suppliers system, the log files alone will tell them every file that has ever been on or attached to that computer, and could be set with flags so they can lock down harder on any info they want to keep from officials and the public.

But we are all guessing here and speculating, nobody really knows for sure, and like the Universe in the Hitchhiker’s Guide to the Galaxy – when somebody figures out its real nature, that is when it changes again.

Peter S. Shenkin October 13, 2017 10:13 AM

@Clive Anything can happen in the shady world of sigint/humint, but it’s also the case that most things turn out to be simpler than the more elaborate stories that one can concoct to explain them.

@Bruce Yes, everybody signs forms and agreements and should know better than to do the things they do. But it’s not clear to me just what you don’t buy. If you believe the story is true but don’t buy that the “unnamed perp’s” actions were devoid of malice aforethought, then (surprisingly, to me) you underestimate the breathtaking scope of human stupidity.

handle_x October 13, 2017 11:35 AM

@ comrade “Roger” (*What’s the Korean translation for “Roger” anyway?)

I am not a spook, I am not a cyberwarrior. I just read things that interest me.
Say something interesting and win a pat on the back, comrade! Capitalism!

“Now the whole world got MD5 hashes for your coolest cyberweapons,”
-You do realize they can refactor/rejigger that in about 10 seconds, right Vanya?

“You got rolled up like an Afshar rug.”
-I don’t understand the reference, I don’t sell rugs for a living either.. weird?

“Good to see you’re bearing up under the universal gales of derisive laughter.”
-Now I’m thinking North Korean chatbot…

Why so mad, Bogan Jong Un?

Why mad at “us” = everyone else on the internet? Shadowboxing, literally.
You think the NSA even reads Schneier? Yeah telepathically, whatever bro.

Grep a grip. Pipe it to dev/therapist. D’strovia!

handle_x October 13, 2017 12:44 PM

@ Fred Rogers

” Kaspersky continues to deny that their software deliberately scans for soft targets ”

?? It scans for patterns of bits that match malware as well as a few action-triggers. That’s more or less (less..) it.

What are you meaning by soft targets? Windows installed anywhere on the internet? Yes.
It does scan those, when you install it there. That’s the idea. AV does that.
When. You. Install. It. There.

If you work for the NSA and are fooling around with NSA malware and are running a prohibited (for your job) AV working on work code at home (ALSO PROHIBITED) on WINDOWS which ought to be prohibited for you also… yeah, you ARE a damn soft target, for NSA.

Because – you broke OPSEC, the rules, laws, even if you’re not prosecuted you got OWNED. Your entire career and all your web traffic is in the crosshairs of G-men FROM NOW ON.

Blaming Kaspersky is easy because they were involved on some level, wittingly or not.
What if we hold all parties to that standard?

Someone who works for NSA made it darn easy for Russian intelligence to steal this.
He is NOT being prosecuted, they came out ahead of the story just to say that.

Want a story where the blame is more easily attributable? Here.

Who? October 13, 2017 12:57 PM

@ John Smith

What I don’t buy is someone loading NSA work files on a computer that isn’t air-gapped. That is beyond stupid, and NSA does not hire technically stupid people.

Staff working at NSA are not stupid; they are just human beings. Sometimes they have a task to do and there are deadlines. What surprises me is that this software has been stolen from an unsecured computer. See DoDM 5200.01-V3, enclosure 2:

Removal of classified information for work at home. When it is mission critical for individuals to remove classified information and materials (e.g., IT equipment and associated storage media) for work at home, specific security measures and approvals are required. Security measures appropriate for the level of classification must be in place to provide adequate protection and security-in-depth and to prevent access by unauthorized persons.

So working at home with classified material is possible. I am sure NSA has the ability to audit the computing environment used at home and suggest required steps to hardening it before going into production. Why it has not been done this time is a different matter.

As Clive says, an operating system that needs antivirus software is totally insecure, so Windows should be out of the “Equation” (pun intended), but for some unknown reason it is used even in highly classified environments. Most of the tools stolen from Equation Group by Shadow Brokers are Windows executables.

Thanks to people on this forum I have been improving my skills over the years (e.g. using passwords only when SmartCards are not an option, fully encrypting storage media, and so on). But it only fixes a small part of the big picture. Passwords were the door to our computer systems in the nineties, but they have been replaced over the years by more fundamental bugs that do not require guessing abilities (or brute force). Now password guessing is a last resort in the arsenal of crackers; these days software bugs and backdoors are preferred.

JonKnowsNothing October 13, 2017 1:26 PM

Interesting swaving:

Israel Spy Crafters notice FSB actions in KAV and they don’t bother to notify KAS. They don’t notify KAS of a serious exploit. They USE the exploit to re-exploit the re-re-exploited.

When it finally gets to the re-re-exploited instead of sealing the exploit, the local re-re-exploited get all hot n bothered that the Israelis figured it out and held out for a l o n g time before they dropped a hint.

Since the Israelis have been monitoring the KAS exploit for a good long time… Not only did the FSB get the NSA SW Lolly, the Israelis did too.

Israel is NOT 5Eyes. They get a special full pipe feed. But now they have yet another round of their own software with re-exploited updates from 2+ Spy Crafters – It must be celebration time!

Lurking is very informative. Hunting makes your feet hurt and the quarry is not always what you are aiming at.

Secondary swaving:

So… after all the fingers and toes are done pointing this way and that…

A) The internet is not secure.
It’s not secure for anyone, any place, any time or any government.

The internet is not secure.
It’s not secure for any device (from chips to autoed-autos), any software, any OS, any application.

This is not New News.

B) The scams of internet uses are continuing and loads of folks still sign up.

Recently I found the “DISAGREE” box works pretty well except gee … even when I clicked “DISAGREE” things happened anyway.

So we can “Agree to Disagree”.

C) The BEST option might be the one right on the front page:

USE KAV. All the Time.

  1. As KAV is exploited – it’s a known exploited product
  2. As KAV appears to phone home to the FSB we can be assured that the NSA AND the FSB and the 5EYES and every single Spy Crafter WILL get a copy of the telemetry. It won’t be only the NSA-5Eyes-SV-FB-M$-Google that gets it, we can be assured that everyone else gets it up front.
  3. We can now safely continue with the refrain:
        followed by
        followed by

I think I’ll be loading up KAV on my next round of useless SW acquisition knowing that at least the intrusions and data will go world wide.

It’s probably the best defense.

Anon October 13, 2017 10:59 PM

@Clive Robinson

I agree in that it isn’t really a surprise that they didn’t know others were in their networks, at least for a while. As they appear to be providing illicit access to systems via their software, one would think they would be paranoid about their own networks.

I was considering, IF the remote search capability of their software was deliberate, that they would perhaps add some form of monitoring/phone home capability when it was invoked, as a way of seeing if their cover was blown, and that the only people accessing the hidden functionality were those who should know about it.

I appreciate the above trashes plausible deniability, but so too does the idea that AV software can search a hard disk based upon remote input without the user’s knowledge or consent (legalese in the EULA notwithstanding).

Even if the software just automatically reported back connection data (IP address and date/time) when it was accessed, an alert mechanism could still look legit.

I also agree the evidence is rather weak, and I’m particularly skeptical of any negative news reports regarding Russia.

Grauhut October 14, 2017 4:20 PM

@Jon: “Since the Israelis have been monitoring the KAS exploit for a good long time… Not only did the FSB get the NSA SW Lolly, the Israelis did too.”

We can not even know if some Russian spy agency was ever involved.

If you are so deep inside a network that you can exfiltrate screenshots you are deep enough in it to produce them yourself.

Maybe someone just saw a chance to kick a company out of business that helped SCO and associated states stop some funny wild west malware coproductions…

JonKnowsNothing October 14, 2017 8:13 PM


@Jon: “Since the Israelis have been monitoring the KAS exploit for a good long time… Not only did the FSB get the NSA SW Lolly, the Israelis did too.”

We can not even know if some Russian spy agency was ever involved.
If you are so deep inside a network that you can exfiltrate screenshots you are deep enough in it to produce them yourself.

This is an interesting point and often overlooked:

The NSA+World Chums would like us to think they are omniscient and invincible and always truthful.

They are and they are not.

They have enormous resources and people to work for them, some of whom have little or no conscience or ethics.

They are willing to do ANYTHING for a buck, a raise and a title.

Being omniscient means: knowing everything all the time any time.

But in fact they are humans. Subject to the same pressures of getting the job done, doing it for less and doing it to satisfaction of their superiors – all the way up and down the line. At any point they can fail.

So it is important to recognize they don’t hold all the cards and some of the cards they show are faked.

Reports and Rumors that the person who willingly and specifically took the items home, loaded them on an unsecured system, and exposed them to The Other Side will face no charges – flies in the face of what happens to others such as Petraeus (slapped) and Winner (tbd but jailed).

An old favorite rant of mine is that everything today can be forged. If it’s electronic it is untrustworthy.

Not even the NSA can vouch for the truth.

They might not even know it if they heard it and they cannot prove it one way or another.

Truth is what you make it.

If you put it on FB or Google or Twitter then that’s God’s Own Word.

Clive Robinson October 15, 2017 8:20 AM

@ JonKnowsNothing, Grauhut,

This is an interesting point and often overlooked:

What is also overlooked is that it is mainly “Europeans” saying it and urging appropriate caution. Whilst many in the US just “follow the party line” espoused by FUD pushers and illegal propaganda merchants who unsurprisingly want to remain “unnamed” by those journalists who publicly front it for them…

I find the suspension of critical thinking rather alarming…

Grauhut October 15, 2017 12:37 PM

@Clive: “I find the suspension of critical thinking rather alarming…”

I don’t think it’s fake news, it’s more like “fog news”, fog as in fog of war.

We shouldn’t forget that Kaspersky is some kind of legit target.

Kaspersky successfully devalued a lot of expensive malware investments.

And olympic games are a recurring event, aren’t they? 😉

Critical question: What are they planning or doing, what is it that they fear Kaspersky could find too early? Must be something big and long term if it’s worth trying to kick them out of business.

This one?

Clive Robinson October 15, 2017 2:38 PM

@ Grauhut,

And olympic games are a recurring event, aren’t they? 😉

Yup, the next one is Chinese new year “early Feb” 2018 in Pyeongchang County, South Korea, so the NSA nonsense has already started and been up and running for the past eight months or so. Probably every South Korean politician is having their phone calls, emails and other electronic communications recorded and analysed… Kind of handy if you just happen to have sent a carrier fleet in that direction.

I wonder if there will be a following “Greek Tragedy”…

Grauhut October 15, 2017 3:24 PM

@Clive: I originally thought of Op Olympic Games, that stuxnet party, but reminding us of the winter games in SK 2018 is brilliant! Seems NK is the new Iran…

Does that mean the NSA has to make sure no act of NK terror may happen in Pyeongchang County then? And Kaspersky software could somehow interfere with this effort? 😉

Jim October 16, 2017 11:08 AM

“I don’t buy this. People with clearances are told over and over not to take classified material home with them. It’s not just mentioned occasionally; it’s a core part of the job.”

I don’t buy it either.

John Stanton October 16, 2017 11:31 PM

Distract, distract, distract…

Get folks engaged in endless debates & speculations. Keep blaming anyone but “management”, the suits that keep failing us. It’s time for a NASA styled change in “management” that puts decision making in the hands of senior engineers, not political hacks worried about the size of their desks & the thread counts in their

“I find the suspension of critical thinking rather alarming…”

Yes! Well said. I agree.

John Stanton October 17, 2017 12:15 AM

To quote a new senior defense software security official pulling a fat six-figures, demonstrably uninterested or perhaps even unable to understand a few, specific glaring software security threats easily solved with the addition of straightforward software engineering processes being presented to him, his exact comment –

   "We have to be willing to accept that security
     breaches are just going to keep happening..."

No. No. No. We need to fire this “suit” and replace him with a technology savvy leader UNWILLING TO ACCEPT that these breaches are going to just keep happening.

NASA cleaned-up their act, we can too.

Grauhut October 20, 2017 12:28 PM

Seems the NSA really hates Kaspersky! I think all these developments together made them pull the handbrake.

New Intercept article (Longest Kaspersky ad ever 🙂)

“The NSA has long been aware of the potential risk Kaspersky’s cloud capability and silent signatures pose to its own operations. The former intelligence analyst tells The Intercept that during his time in the intelligence community, whenever an NSA hacker encountered a target machine that had Kaspersky software with cloud-reporting capability installed on it, they had to get special permission from a mission director to proceed with the intrusion. If a director deemed the risk of being discovered by Kaspersky worth it, then the hackers could proceed. (Asked about this and other elements of this story, the NSA declined to comment.)”

Grauhut October 20, 2017 2:37 PM

@Wael: Don’t think so. If you try to fck the NSA directly and by sharing their software like Shadowbrokers you don’t give interviews if you want to survive.

The Intercept would be a primary surveillance target, if US national security were my job. And whoever talks to them knows this. I know that you know that I know…

If a “former” operative talked to them I would place a bet that it was semi-official PR work.

You can read it between the lines:

“If Kaspersky’s own scans did collect the sensitive files from the NSA worker’s home computers in the course of the company’s normal hunting for malware, the question remains: How did Russian intelligence get them?”

Do we already know what kind of evidence they presented that shows without doubt it was a Russian .gov hacker and not a normal Kaspersky worker hoping for some extra roubles from Eugene for finding something hot?

“Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access”

What kind of evidence? A screenshot doesn’t show a hacker’s intelligence service ID card.

Wael October 20, 2017 4:50 PM


What you say is certainly sensible, and I agree it’s a possibility. I can’t say for sure.

Grauhut October 20, 2017 5:40 PM

@Wael: Wildneutrons, Shadowbrokers… I would search for active service insiders gone rogue. Just a gut feeling.

Sancho_P October 20, 2017 5:41 PM

Just guessing:
If you have 1000 people in your company sewing T-shirts you don’t have a spy in there.
If you have …

Sancho_P October 20, 2017 5:55 PM

The funny thing is if you search for something you’d better know what you are supposed to search for.

Imagine I search Dr. Goo for “secret NSA software”, would it help?

But searching for SW trying to hide in internals, which is the first purpose of AV SW, or searching for typical parts of, say, Stuxnet (which is very likely for good AV SW) may detect more.

And the Israelis may easily see that, too 😉

Clive Robinson October 20, 2017 6:53 PM

@ Grauhut, Wael,

Seems the NSA really hates Kaspersky!

Yes, and the more I read the less likely this “working at home” story sounds… To see why we need to think about other aspects of the story and walk through them.

First, the least controversial part, the Kaspersky – Russian Intelligence link-up: as I’ve indicated before, any SigInt agency would have a hard-on for Kaspersky’s cloud. No ifs, buts or maybes. It’s way too valuable and that cloud is fully inside the Russian sphere of control. Thus you would expect Russian Intelligence to be all over not just the Kaspersky cloud but all the immediate upstream nodes (same as the NSA is believed to do with all US clouds and AV companies).

After I said it, the Kaspersky – Israeli link came up, kind of indicating the point… That many SigInt agencies would have the hard-on for Kaspersky’s data.

If you accuse Kaspersky of being in close with Russian Intelligence, how about making the same claim for Israeli Intelligence? The evidence appears about the same… The real difference only being how you as an NSA etc. insider tell the story whilst offering no evidence one way or the other.

Now the question arises about the NSA – Israel link…

On the assumption that Israel were in Kaspersky’s cloud computers, “why tell the NSA” what they had seen? They would in effect be giving away a quite valuable load of information and a “method”. Which on the face of it does not make sense, unless you ask the question of “What did Israel get in return?” to “burn a method” and “burn a source”…

One possibility is that the Israelis got in by a route that the NSA were aware of, and Israel knew that the NSA knew it. Or would do in short order.

Secondly, why would the NSA “burn an Israeli operation?” We know US congress-critters are more than happy to burn allies’ assets; Obama did it to the British, as Trump has done the same more recently. Worse, they have even burned one of their own (Scooter Libby etc.).

Israel thus must have known or thought it likely that the NSA would tell the congress-critters or others who have a greater allegiance to their journalists as “unnamed sources” than to either their oath to their nation or allegiance to any other nation the NSA might have an arrangement with…

The story does not really “add up” whichever way you look at it…

Whilst you can not apply Occam’s Razor to the story directly, you can still use it as a potential first-cut indicator. I won’t go through all the steps, but the most likely probability is that the whole story is a fabrication from outside of the US IC for political purposes, and for some reason both the NSA and Israeli IC have gone along with it.

Now it does not take much imagination to see why Israel would regard Russia and Putin as a threat. Based on the grabbing of what were old Russian ports in the Ukraine that now give Russia a very short route to be well inside conventional weapons range of large areas of Israel. When added to Russia’s past involvement with other Israel-unfriendly nations in that region, it must be giving more than a few in the IDF and Government cause for concern.

But there may be another reason why Israel in particular have gone after Kaspersky. Israel has put more than quite a bit of funding/investment in the tech industry. Most of those receiving funding have come from Israel’s own Intelligence agencies. Those who work in those tech areas will tell you that there are more than persistent rumours that the Israeli Intelligence community are “in tight” with, if not “running as cover”, more than a few of these Israeli companies. Along with this are again persistent stories of Israeli tech having “back doors”. Thus the Israelis would most definitely see Kaspersky as a threat to their operations. Thus the “birds of a feather…” principle is likely to be a contributing factor.

However, irrespective of the politics of what is going on, one message comes through loud and clear. US tech is so full of security vulnerabilities you might as well regard the bulk of it as about as secure as tumbleweed in a desert breeze. And further, any tech designed upon it, irrespective of origin, is likewise shot through with so many vulnerabilities that it can in no way be regarded as secure.

Which means organisations really should be reassessing their tech approach. Because if the US IC can do it and the Israeli IC can likewise do it, it’s most likely all superpowers and all western nations can do it. Worse, even those nations with ICs that can not natively develop their own technology can “buy it in” for quite moderate prices from semi or fully independent startups etc. in the nations that can.

The takeaway for organisations is “If it’s connected it’s owned”, the only questions being “By how many entities, both Governmental and Private enterprise?”, “From how many countries?”, “For what gain?” and “How will they capitalize on the ownership?”.

It’s also easy to see how the changes that organisations have made, effectively at the whim of technologists and accountants, have made the illicit owning of an organisation’s data inevitable at bargain basement if not fire sale pricing…

Thus the question is whether an organisation continues down that road, or whether they make changes to first mitigate then remove the vulnerabilities.

The obvious first question being “do we need every PC, phone etc. Internet connected?” Surprisingly, for many the answer is most emphatically NO. But even for systems that do need connectivity the question would be “do we need these PCs, phones etc. openly and broadly connected to all?” Again the answer for most is an emphatic NO.

To put it another way “Do we wish to live as vulnerable vagabonds and tramps or as those who live in houses with doors they can lock and live privately behind?”…

I know what I do, and why others don’t still surprises me.

Wael October 20, 2017 7:20 PM

@Clive Robinson, @Grauhut,

The story does not really “add up” whichever way you look at it…

It doesn’t. Some newspapers are hired mouthpieces.

Grauhut October 20, 2017 7:42 PM

@Clive: Kaspersky simply interferes too often with other people’s interests.

Kaspersky is simply a risk for them, especially after the Duqu 2.0 fail.

The better question is: Is someone planning something on US soil that needs to be done without the Kaspersky cloud as a potentially unwanted evidence storage? Some op worth burning the Israelis nearly two years later?

Or: Could it make sense for someone in the US to build a {massive | huge | great} Kaspersky wall to fence them off? 😀

Grauhut October 20, 2017 8:04 PM

@Sancho: “If you have …”

…someone in the internal security department you can do funny stunts without much fear. Quis custodiet ipsos custodes? 🙂

65535 October 20, 2017 9:17 PM

@ Grauhut

‘If you are so deep inside a network that you can exfiltrate screenshots you are deep enough in it to produce them yourself.’

That is true. If you are that deep inside you could easily produce any screenshot you desired. The stories don’t make sense. All of the WaPo, NYT and other major outlets are influenced by K Street lackeys in DC.

The real fact remains any Antivirus with root/administrative privileges can do anything the government of the country of origin wants it to do [that includes SSL stripping such as Symantec and KAV and others do].

The question is if you run a M$ windows shop should you go with no AV products?

65535 October 20, 2017 9:46 PM

The ironic part is that Bruce S. started this question in 2013. Bruce S. and others asked the Antivirus makers how they handled state-sponsored malware and only a handful ever answered.

Link relating to the answers is broken

I would say now we know that each country’s AV makers are basically in bed with their respective governments.

Clive Robinson October 21, 2017 8:52 AM

@ 65535,

I would say now we know that each country’s AV makers are basically in bed with their respective governments.

Due to the way AV is also in effect a “test harness” that can “see all the way down” into all those places that even the OS supplier does not provide tools for, it is an ideal target for subversion in many ways.

However, if they are all under the National SigInt / IC thumb you have to ask why the secret has not come out. Or to put it another way, of the potentially thousands of developers, testers and investigators worldwide in the AV industry, “Why has one not broken ranks and spilled the beans etc.?”

For instance, we know that a few years ago a small US developer of gambling software used abroad was quite deliberately targeted by a US DA to put in a back door so that credit card info could be harvested to get info that would in all probability be used to target individuals via parallel construction for prosecution. The reason is the developer was SWATed and his family threatened in their own home at gunpoint, and after being told by various legal advisors to just accept the deal the DA put on the table, he went along till it went up for inking in front of a judge, where he then went public (I mentioned this on this blog to both @Bruce and @Nick P).

Thus we can only assume that either there are very few individuals involved with backdooring their own product, and it must be subtle enough to not get picked up by the others in the organisation (such backdoors would thus have to be in the architecture rather than the code), or there are weaknesses that are being exploited in some way by the ICs. Personally I’d go with the latter.

Grauhut October 22, 2017 9:58 AM

@65535: “The question is if you run a M$ windows shop should you go with no AV products?”

Is there a Windows shop without Defender AV and monthly Malicious Software Removal Tool scans? 😉

The main problem is that in the Windows ecosystem too many resources are invested in mitigation and not yet enough in code quality.

If you need a secure shop go with the best code quality.

If you need to have a Windows shop, learn to live with it. Kaspersky is really good at threat mitigation, but this seems to come with a second price tag openly hidden in license texts. And with Windows you should never rely on one mitigation level; AV proxies using concurrent scan engines are still a good idea if MITM capable. 🙂

gordo October 23, 2017 12:33 AM

No surprise here, but Mr. Eugene Kaspersky, CEO, Kaspersky Lab, is not on the witness list for a rescheduled House science committee hearing . . . [subcommittee on oversight, Wednesday, October 25th]

N.S.A. and C.I.A. don’t use Kaspersky software [1][2] and yet . . .

A New Trojan Horse: The Kaspersky Software Hack of US Intelligence
James Lint, October 18, 2017

According to legend, when the warring Greeks were unable to pierce the defenses of the city of Troy, they presented Troy with a gift — a huge, hollow wooden horse known as the “Trojan Horse.” Since then, the term “Trojan horse” has come to refer to subversion or sabotage from within (par. 1).

The Kaspersky Konundrum
Marcus Ranum, October 11, 2017

The US Government is currently partway into pitching a fit about having systems compromised by a foreign power, while compromising the systems of a foreign power, and trading in its own secrets with another foreign power (par. 15).

Who knows what this Wednesday’s hearing will bring.

[1]The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries (par. 12).
[2]Steven L. Hall, a former chief of Russian operations at the C.I.A., said his former agency never used Kaspersky software, but other federal agencies did (next-to-last par.).

Clive Robinson October 23, 2017 12:25 PM

@ gordo,

The Kaspersky Konundrum Marcus Ranum, October 11, 2017

Nice catch, it’s the first article I’ve read from the US that takes a rational view point.

I just wish a few people on this blog would read it.

Whilst my views are slightly different, it would be splitting hairs. I’ve basically said the same as Marcus for quite some time now on this blog about the US cyber-IC and others things. Sadly others that agreed or said the same thing have in effect been driven away.

But ultimately the most important sentence in Marcus’s post is why defence trumps offence…

gordo October 24, 2017 12:40 AM

@ Clive Robinson,

Good to see you’re out and about, as it were…

Nothing new here:

How Kaspersky Can Restore Trust
By Rick Ledgett Monday, October 23, 2017

So that is what Kaspersky has been accused of doing: using (or allowing to be used) its legitimate, privileged access to a customer’s computer to identify and retrieve files that were not malware.

From Wired UK, a couple of weeks back:

How involved Kaspersky Labs is in this latest controversy comes down to the as-yet-unanswered question of whether it was actively looking for NSA docs or if it merely spotted samples of exploits in the confidential files as part of its antivirus work, with that feature then abused by hackers. If it’s the former, “Kaspersky is toast,” wrote Matt Tait, CEO of Capital Alpha Security on Twitter. “But if it’s just signatures on NSA implants and NSA exploits, then this is Kaspersky just doing its job, and not at all a Kaspersky-Russia thing.”

Grauhut October 24, 2017 3:35 AM

@Gordo: Does that mean the NSA wants an independent full take of Kaspersky’s traffic? Great sense of humor!

If Kaspersky did this, they would really be out of business! 😀

“It’s not the code itself, it’s the use of the code. The experts will find that the code does exactly what it’s supposed to do, and he knows that.

If Eugene Kaspersky really wanted to assuage the fears of customers and potential customers, he would instead have all communications between the company’s servers and the 400 million or so installations on client machines go through an independent monitoring center.”

And the lawfare blog should remember what the “law” in their name means. Innocence presumption?

Where’s the fckn evidence? Still waiting to see some! 😉

Clive Robinson October 24, 2017 11:28 AM

@ Grauhut,

Where’s the fckn evidence? Still waiting to see some! 😉

Don’t hold your breath waiting, you could end up a very unproductive “Health Hazard in a Box”(tm) 😉

More seriously, I doubt there ever will be anything you, I or many others would consider “evidence” rather than mud slinging, FUD, innuendo and calumny, which the past two US Administrations appear to have dished out by the bucket load.

Note: To all those using AV software from any country, it’s probably safe to assume that unless you “pulled the plug” it does an E.T. and “phones home” to the mothership. Further, it’s also safe to assume all SigInt agencies who can are all over the back traffic.

Anura October 24, 2017 11:43 AM

What accusations exactly are they making that are actually in question? That Kaspersky has heuristic malware detection and collects files found for analysis, or that Russian intelligence has the ability to access Kaspersky’s network and does so on a regular basis? Kaspersky straight-up advertises the former, and the latter is highly likely without even needing specific evidence.

Grauhut October 24, 2017 1:41 PM

@Anura: The FVEY hate Kaspersky. Understandably.

GCHQ 2008: “Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities”

This time they try to pull Kaspersky’s econ plug.

@Clive: I believe we served in the same cold war in different uniforms in the same NATO, right? And all of us with some spare brain cells, we were all happy when the cold war was over.

I hate that they try to dig up this zombie again and cheap propaganda offends my mind.

And I still believe that the Russians love their children too. 😉

Clive Robinson October 24, 2017 3:41 PM

@ Grauhut,

I believe we served in the same cold war in different uniforms in the same NATO, right?

My uniform was green and brown for the dirt we were supposed to hug. But yes, I was also in Berlin when the wall came down; it was a scary couple of days leading up to it for a foreigner. Anyway, I got a large chunk of the wall in the house; it and I are effectively the same age. I keep meaning to do something with it, but never do.

As for my service career, I was trained to be, amongst other things, a “stay behind”; in essence we were to hide in a hole, let the Red Army roll over us, get out and make mischief. I had a whole list of trades, not least of which was medic, cook, signals tech, cipher tech and a bunch more. We were supposed to be like the SOE and create trouble behind the lines by doing the “sniper observer” intel gathering and assassination thing.

Most soldiers are taught to “shoot to scare” and “shoot to wound”; few are actually taught to “shoot to kill”. Snipers were the most hated enemy there could be, which is why you knew you were most unlikely to be a POW. Because the most likely thing to happen to you on capture would be to get kicked to death by the enemy before they could be ordered not to do so…

Grauhut October 24, 2017 7:25 PM

@Clive: 1st Battalion, heavy tank explorers, Brunswick, southern border of the north German plains. Our TTL was 45 minutes: inform, shoot, die, and always in the right order. Otherwise we wouldn’t have gotten our final leave authorization. 😉

If the Russians or NVA hadn’t done the job, some friendly nuke would have done it. Strange times, we shouldn’t repeat them. 🙂

Ratio October 24, 2017 9:30 PM

What accusations exactly are they making that are actually in question?

Oh, shush. That’s no question to ask!

Ratio December 18, 2017 5:34 AM

Court document points to Kaspersky Lab’s cooperation with Russian security service (December 13, 2017):

Kaspersky Lab, a Russian cybersecurity firm, has long asserted its independence of the Russian government. But a court document posted on the Facebook page of a Russian criminal suspect this year shows what appears to be an unusual degree of closeness to the FSB, the country’s powerful security service.

The suspect, Konstantin Kozlovskiy, was arrested in the summer of 2016 in connection with several cyber heists of Russian banks, and he is in a Moscow jail awaiting trial. From his cell, he posted documents related to his case.

One of them shows that in April 2015, an FSB agent inside the office of Kaspersky Lab in Moscow gave a company technician a password for a suspected Russian cyber criminal’s computer. The technician gained access to the computer and obtained decrypted documents for the agent.

The agent, A.V. Kutasevich, worked side-by-side with the Kaspersky technician, Ruslan Sabitov, in the “information retrieval” operation, according to the document, dated April 28, 2015.

“The most interesting thing is that Kaspersky’s experts were not asked to provide expertise,” said Andrei Soldatov, an expert on Russian surveillance and co-author of The Red Web. “They actively and secretly participated in an ongoing FSB operation, which makes them look like assets rather than experts.”

Clive Robinson December 18, 2017 8:50 AM

@ Ratio,

With regards to Kaspersky and the article’s quote of,

    “They actively and secretly participated in an ongoing FSB operation, which makes them look like assets rather than experts.”

Sounds just like any US company when getting an NSL…

The point is that anything the US/UK et al. say about Kaspersky is almost certainly as true of any other AV or similar company with access to, or records of, a suspect’s computer in the jurisdiction they are based in.

For instance, the only time Microsoft put their foot down was when it was a non-US citizen living within the EU with data on a cloud computer in the EU, thus under the protection of EU legislation. If MS had not pushed back they would have broken the law, which would have had rather dire consequences not just for them but for many other US companies doing business in the EU.

There is a legal principle about cases involving non-home-jurisdiction laws, that the US legal system actually inherited with the English legal procedures. Put simply, the judge should take advice from an acknowledged expert in the other jurisdiction’s law and “be advised by it”. The judge, presumably under DoJ prompting, chose to ignore the principle, which frankly did neither themselves nor US jurisprudence any favours. It almost certainly will have “blowback” from not just UK but EU judges when it comes to extradition and the like; such is the way of such things, and I can not see UK or EU politicos getting in the way as it’s got no upside in it for them.
