'The nail in the coffin': Russia's top cyber-firm may have made a 'catastrophic' mistake

Thomson Reuters

An employee works near screens in the virus lab at the headquarters of Russian cyber security company Kaspersky Lab in Moscow

• Russian hackers reportedly stole top secret intelligence from the National Security Agency by exploiting Kaspersky antivirus software.
• Experts say that, depending on what was stolen from the contractor, the revelation could be "catastrophic" for Kaspersky Lab.
• The FBI has warned the private sector not to use Kaspersky software, and President Donald Trump banned all government agencies from using it in September.

Investigators believe that software from Russia's top cybersecurity firm, Kaspersky Lab, was involved in a theft of top secret National Security Agency intelligence outlining how the US hacks its adversaries, The Wall Street Journal reported Thursday.

And depending on what was stolen, the breach could spell catastrophe for the company.

According to the Journal, an NSA contractor stole and downloaded onto his personal computer highly classified details about how the US penetrates foreign computer networks and defends itself against cyberattacks. (The Washington Post reported the person was not a contractor, but an employee working for the NSA's elite hacking division known as Tailored Access Operations.)

Russian hackers then stole that intelligence by exploiting the Kaspersky antivirus software the contractor had been running on his computer.

The breach wasn't discovered until spring 2016, according to the Journal and The Washington Post - nearly one year after the hackers are believed to have gained access to the intelligence.

Kaspersky has denied any involvement in the theft, and it is unclear whether the hackers stole code or documents from the contractor. The latter would prove far more damning for Kaspersky, experts say, especially as it stands accused by the US government of being a tool of the Kremlin.

Yuri Kadobnov/Pool/Reuters

Russian President Vladimir Putin casts his ballot at a polling station during the municipal elections in Moscow, Russia, September 10, 2017.

"Ultimately, this will come down to what was stolen from the computer," said David Kennedy, a former NSA intelligence analyst who founded the cybersecurity firm TrustedSec.

"If the antivirus software was pulling back data with no code - for example, strategic documents containing classified information - that's the nail in the coffin," Kennedy said, adding it would be a "catastrophic" for the company. "That's an indication they're spying on individuals."

Jeff Bardin, the chief intelligence officer of cybersecurity firm Treadstone 71, echoed those sentiments.

"If documents were stolen, then that would make them an agent of the Russian government," he said.

Bardin said there is "a certain level of trust" when a customer downloads an antivirus software, because it involves giving the program "a significant amount of access" to a computer.

"They're scanning every file for malware, but at same time they could search for keywords relative to sensitive data," he said.

The FBI interviewed at least one-dozen Kaspersky employees in June, visiting them at their homes on both the US east and west coasts to gather facts about how the company works, NBC reported. Two months later, the bureau reportedly warned private sector companies against using Kaspersky software. Last month, President Donald Trump ordered US government agencies to purge Kaspersky products from their computers altogether.

Kennedy said it is unlikely that the government would have made those moves without "direct evidence" that Kaspersky is in some way connected to the Russian government.

Bardin agreed.

The FBI is "not going to let on and they'll be very generic in their comments to prevent Kaspersky from learning what they know," he said. "But there's definitely something there."

Kaspersky, for its part, said in a statement that it "does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."

"We make no apologies for being aggressive in the battle against malware and cybercriminals," the company said.

While the firm is often aggressive in its pursuit of foreign hackers, however, it doesn't pursue alleged Russian cyber operations "with the same vigor," according to a 2015 Bloomberg investigation.

One Kaspersky investigator stood out for his relentless pursuit of Russian cybercriminals: Ruslan Stoyanov, the head of Kaspersky's computer incidents investigations unit. But he was arrested in December on charges of treason.

Eugene Kaspersky, the firm's billionaire founder and CEO, was educated at a KGB-sponsored cryptography institute before working for Russian military intelligence. He reportedly maintains relationships with former and current Russian intelligence officials, but has pushed back against claims that his company works with the Kremlin.