Threat Intelligence

Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?

Pierluigi Paganini
October 9, 2017 by
Pierluigi Paganini

Documents leaked by the famous whistleblower Edward Snowden shed light about the surveillance machine used by the NSA to spy on allies and foreign government.

Many documents described the ability of the US cyberspies of compromising legitimate software and hardware with implants, in some cases with the help of hardware manufacturers and software vendors.

Recent events suggest that Russian intelligence is adopting a similar technique to compromise legitimate defense software to hack into the networks of its adversaries.

In a few days, we had two cases that made the headlines, two security firms Kaspersky Lab and HPE have allegedly supported the activities of Russian intelligence consciously.

Russian cyberspies pilfered data NSA exploit from NSA Contractor's home PC running a Kaspersky AV

Russian hackers allegedly exploited the Kaspersky antivirus software to hack into NSA contractor and steal the NSA exploit code.

The news complicates the position of the Russian firm Kaspersky that is currently facing the ban from US Government agencies.

Anonymous sources claimed Russian cyberspies had extracted NSA exploits from the personal computer of a US government contractor that was running the Kaspersky software.

Sources told the Wall Street Journal that a malicious code allowed Russian intelligence to steal classified code and other sensitive data from the targeted PC. Cyberspies exploited the Kaspersky antivirus software to detect the NSA hacking codes on the contractor's PC and exfiltrated them.

"Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter," states the Wall Street Journal.

"The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab," these people said.

The Wall Street Journal's sources confirmed the security breach occurred in 2015, but it was discovered only earlier this year.

The NSA hacking code stolen by the Russian hackers belong to the NSA arsenal, a collection of dangerous exploit codes and hacking tools that was made public following the Shadow Brokers data leak dated back to 2013.

According to the WSJ's sources, the Kaspersky antivirus discovered the NSA exploit while scanning the machines. Once detected the malicious software the antivirus sent it back to a cloud service to inspect it, then the Russian cyberspies allegedly exploited the Kaspersky antivirus to establish a backdoor to the PC.

The WSJ's did not provide further information about the role of the Kaspersky firm in the cyber theft, but there are two plausible scenarios.

  • Russian hackers have discovered security vulnerabilities in the Kaspersky Antivirus and have triggered them to establish a backdoor in the PC running the security application. It is not difficult for Russian Government experts to find a flaw in the Kaspersky software considering that the FSB might have imposed on the Russian firm a code review for their products.
  • Another possibility is that under the Russian law, the Russian Government forced the Kaspersky experts to hack into the computer containing the NSA code and exfiltrate it.

Why does Russian intelligence exploit Kaspersky software to target the NSA?

Kaspersky Lab was the company that first spotted malware used by the NSA-linked Equation Group; the security firm conducted an extensive analysis of Techniques, Tactics, and Procedures (TTPs) of the US nation-state group, it is likely that the Russian intelligence exploited this knowledge to arrange its counter-espionage activity.

The WSJ sources speculate the Kaspersky antivirus may have detected NSA malware being used in the wild, and intentionally or not have provided the Russian cyberspies the backdoor to steal the precious code.

Kaspersky Lab denied any involvement and published the following statement;

"Kaspersky Lab has not been provided any evidence substantiating the company's involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company.

"As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

"We make no apologies for being aggressive in the battle against malware and cybercriminals. The company actively detects and mitigates malware infections, regardless of the source, and we have been proudly doing so for 20 years, which has led to continuous top ratings in independent malware detection tests. It's also important to note that Kaspersky Lab products adhere to the cybersecurity industry's strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the U.S. and around the world." Attributable to Kaspersky Lab.

The founder Eugene Kaspersky believes that this last revelation made by anonymous sources are part of a broader project to discredit the security firm as retaliation against Russian Government.

Figure 1 - Eugene Kaspersky Tweet

Since the US government is banning Kaspersky products from Federal computers in September, Kaspersky repeatedly offered up the source code of its products for officials to review.

"It's a lot harder to beat your opponent when they're reading your playbook, and it's even worse when someone on your team gives it to them. If these reports are true, Russia has pulled that off," said U.S. Senator Ben Sasse, a member of the Senate Armed Services Committee.

"The men and women of the US Intelligence Community are patriots; but, the NSA needs to get its head out of the sand and solve its contractor problem. Russia is a clear adversary in cyberspace, and we can't afford these self-inflicted injuries."

Many US politicians expressed their concerns for the adoption of Kaspersky solutions and requested the US Government to assess the product used by the Government agencies carefully.

The Senator Jeanne Shaheen (D-NH) also condemned the company and urged a strong action against the company.

"The strong ties between Kaspersky and the Kremlin are extremely alarming and have been well documented for some time," she said today. "It's astounding and deeply concerning that the Russian government continues to have this tool at their disposal to harm the United States." reads the Shaheen's statement.

In September, the US Department of Homeland security banned government agencies for using software products developed by Kaspersky Labs. The ban was the response to the concerns about possible ties between the Russian security firm and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

In July, the US General Services Administration announced that the security firm Kaspersky Lab was deleted from lists of approved vendors.

The US government banned Kaspersky solutions amid concerns over Russian state-sponsored hacking.

The Homeland Security issued a Binding Operational Directive that orders agencies to remove products developed by Kaspersky Lab within 90 days.

IT managers have 30 days to assess their infrastructure to check for the presence of Kaspersky software and 60 days to develop a plan to remove it.

"The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks," the agency said in a statement.

"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."

HPE allowed Russians to review the code of ArcSight software also used by the Pentagon

Another tech giant has come under fire; reports claimed the company HPE gave Russian defense forces access to review software it sold to the Pentagon. The software is the same supposedly used by many US departments to protect their networks.

Once again, the Russian intelligence is suspected to be interested in exploiting defense software to targeted American firms and Government organizations.

According to administrative records seen by the Reuters agency, HPE allowed Russian defense agencies to access the source code of its ArcSight software to obtain the certification needed to sell its software to the Russian public sector.

The ArcSight solutions are widely adopted by both government and private industries for threat intelligence and defense purposes, the analysis of the code could help the Russian Government in detecting security vulnerabilities that could be exploited by state-sponsored hackers to target HPE customers, including the Pentagon.

The Russian experts reviewed the ArcSight software last year, while the US Government was accusing the Kremlin of numerous intrusion in its systems and several targeted attacks aimed to interfere with the 2016 Presidential elections.

"Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue." states a blog post published by the Reuters.

"The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector."

The Reuters quoted several former US military sources and former ArcSight employees, HPE told Reuters that no "backdoor vulnerabilities" were uncovered in the Russian review.

"Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack." continues the Reuters.

"It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."

HPE highlighted that the Russian experts had compromised neither ArcSight source code or any of its products.

The code review was conducted by the company Echelon which has close ties to the Russian military. The company operated on behalf of Russia's Federal Service for Technical and Export Control (FSTEC), the Russian agency tasked with countering cyber espionage.

"Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government." continues the Reuters.

"But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE's source code review, citing a non-disclosure agreement with the company."

Conclusion

The code review discussed in the HPE case can give precious information to the Russian intelligence about the capabilities of the defense software, but from the Russian point of view, it is essential to carefully inspect any software developed by foreign firms to prevent cyber espionage activities like the ones described by Edward Snowden.

Let me stress about the urgency to adopt a widely adopted framework for norms of states behavior that will condemn any attempt to use tainted software to hack into systems of a foreign state.

Code review could be conducted by a team of independent experts from all the states that work to discover the presence of malicious code and to report vendors the vulnerabilities discovered during the assessment.

References

http://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M

https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108

http://securityaffairs.co/wordpress/64004/intelligence/russians-arcsight-code-review.html

http://securityaffairs.co/wordpress/63883/intelligence/kaspersky-av-espionage.html

http://securityaffairs.co/wordpress/63013/intelligence/dhs-kaspersky-lab-ban.html

http://securityaffairs.co/wordpress/60957/cyber-warfare-2/us-bans-kaspersky-lab.html

http://securityaffairs.co/wordpress/33637/cyber-crime/the-equation-group-atp.html

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html?utm_term=.234882d60a55

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.