According to unverifiable sources, an NSA contractor stored classified data and hacking tools on his home computer, which were made available to Russian hackers through the contractor's use of Kaspersky Lab anti-virus software:
Russian government-backed hackers stole highly classified U.S. cyber secrets in 2015 from the National Security Agency after a contractor put information on his home computer, two newspapers reported on Thursday.
As reported first by The Wall Street Journal, citing unidentified sources, the theft included information on penetrating foreign computer networks and protecting against cyber attacks and is likely to be viewed as one of the most significant security breaches to date.
In a later story, The Washington Post said the employee had worked at the NSA's Tailored Access Operations unit for elite hackers before he was fired in 2015.
[...] Citing unidentified sources, both the Journal and the Post also reported that the contractor used antivirus software from Moscow-based Kaspersky Lab, the company whose products were banned from U.S. government networks last month because of suspicions they help the Kremlin conduct espionage.
Kaspersky Lab has strongly denied those allegations.
Russian government officials could have used flaws in Kaspersky software to hack into the machine in question, security experts told Reuters. They could also have intercepted traffic from the machine to Kaspersky computers.
Kaspersky said in a statement on Thursday that it found itself caught in the middle of a geopolitical fight.
"Kaspersky Lab has not been provided any evidence substantiating the company's involvement in the alleged incident reported by the Wall Street Journal," it said. "It is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company."
This may be the source of files released by The Shadow Brokers. According to yet another anonymous source, the lax contractor in question is not Harold Martin.
Also at WSJ, The Hill, and The Verge.
Previously: NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
"Shadow Brokers" Release the Rest of Their NSA Hacking Tools
Fearing Shadow Brokers Leak, NSA Reported Critical Flaw to Microsoft
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products
Related Stories
Excerpt:
"It's certainly possible that an NSA [National Security Agency] hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.
However, it's far more likely that this information was stolen by an insider. There's something fishy about the official story here. It's far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: "No one puts their exploits on a [command-and-control] server...That's not a thing." In other words, there was no "hack" here at all.
It's much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn't surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."
The Shadow Brokers are back, and they have a treat for you:
"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.
[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, AND STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
Days after the Washington Post reported on the hoarding of Tailored Access Operations tools by Harold T. Martin III, a federal grand jury has indicted the former NSA contractor:
A federal grand jury has indicted a former National Security Agency contractor on 20 counts of willful retention of national defense information.
According to prosecutors, Harold "Hal" Martin took a slew of highly classified documents out of secure facilities and kept them at his home and in his car. Earlier this week, the Washington Post reported that among those materials, Martin is alleged to have taken 75 percent of the hacking tools that were part of the Tailored Access Operations, an elite hacking unit within NSA.
The indictment outlines 20 specific documents that he is accused of having taken, including "a March 2014 NSA leadership briefing outlining the development and future plans for a specific NSA organization."
Previously: NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Last August, an unknown group called the Shadow Brokers released a bunch of NSA tools to the public. The common guesses were that the tools were discovered on an external staging server, and that the hack and release was the work of the Russians (back then, that wasn't controversial). This was me:
Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."
They published a second, encrypted, file. My speculation:
They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though.
I was wrong. On November 1, the Shadow Brokers released some more documents, and two days ago they released the key to that original encrypted archive:
EQGRP-Auction-Files is CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
-- submitted from IRC
After learning that one of its most prized hacking tools was stolen by a mysterious group calling itself the Shadow Brokers, National Security Agency officials warned Microsoft of the critical Windows vulnerability the tool exploited, according to a report published Tuesday by The Washington Post. The private disclosure led to a patch that was issued in March.
Those same NSA officials, according to Tuesday's report, failed to communicate the severity of the vulnerability to the outside world. A month after Microsoft released the patch, the Shadow Brokers published the attack code, code-named EternalBlue, that exploited the critical Windows vulnerability. A month after that, attackers used a modified version of EternalBlue to infect computers around the world with malware that blocked access to data. Within hours of the outbreak of the ransomware worm dubbed WCry, infected hospitals turned away patients; banks, telecommunications companies, and government agencies shut down computers.
"NSA identified a risk and communicated it to Microsoft, who put out an immediate patch," Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project, told The Washington Post. The problem, he said, is that no senior official took the step of shouting to the world: "This one is very serious, and we need to protect ourselves."
Source: ArsTechnica
According to emails from October 2009 obtained by Jordan Robertson and Michael Riley at Bloomberg it appears that Kaspersky Lab has been working with Russian Intelligence. Despite long standing rumours over these connections Eugene Kaspersky has always denied this to be the case, including as recently as last week in response to questions in the US Senate by Florida Republican Marco Rubio when he stated that "Claims about Kaspersky Lab's ties to the Kremlin are "unfounded conspiracy theories" and "total BS,"" on Reddit, and even offering to hand over the source code to the US Government for inspection.
While the exact nature of the co-operation with the FSB is still unclear, in the emails Kaspersky outlines a project undertaken in secret a year earlier "per a big request on the Lubyanka side," a reference to the FSB offices, that "includes both technology to protect against attacks (filters) as well as interaction with the hosters ('spreading' of sacrifice) and active countermeasures (about which, we keep quiet) and so on," Kaspersky wrote in one of the emails. Kaspersky Lab has confirmed that the emails are authentic. Whether this was legitimate work with the FSB in the prevention of cybercrime or securing FSB facilities or something more nefarious, it seems likely that this is not going to alleviate concerns over the use of their software putting further pressure on Kaspersky's business in other countries.
Kaspersky Lab's tussle with the US government could have ramifications for its dealings with the private sector. A new report claims the FBI has been meeting with companies to warn them of the threat posed by the cybersecurity firm. The briefings are the latest chapter in an ongoing saga concerning the use of Kaspersky's products by government agencies. Officials claim the company is a Russian stooge that can't be trusted with protecting America's critical infrastructure. The company denies these claims -- its CEO Eugene Kaspersky has even offered up its source code in a bid to clear his firm's name.
It appears that olive branch went unnoticed. Throughout the year, the FBI has been meeting with US firms to convince them to remove Kaspersky Lab's tools from their systems, according to officials that spoke to CyberScoop. In view of the cyberattacks that crippled Ukraine's power grid in 2016, the FBI has reportedly focussed its briefings on companies in the energy sector. Although, it has also supposedly met with major tech firms too.
The law enforcement agency has apparently been sharing its threat assessment with the companies, including Kaspersky Lab's alleged deep ties with Russian intelligence. However, the meetings have reportedly yielded mixed results. Whereas firms in the energy sector have been quick to cooperate, tech giants have resisted taking swift action, claims CyberScoop.
Source: EnGadget
The Washington Post is reporting U.S. moves to ban Kaspersky software in federal agencies amid concerns of Russian espionage:
Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal civilian government networks, giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.
[...] "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."
[...] The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, the GSA suggested a vulnerability exists in Kaspersky that could give the Kremlin backdoor access to the systems the company protects.
Someone that is in a position to know all about it tells me that Kaspersky doesn't detect malware created by the Russian Business Network. My fear is that if I named that someone, the RBN will give that someone a bad hair day.
[Ed. addition follows]
The full text of the DHS notice is available at https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01.
Previously:
FBI Reportedly Advising Companies to Ditch Kaspersky Apps.
US officials: Kaspersky "Slingshot" report burned anti-terror operation
A malware campaign discovered by researchers for Kaspersky Lab this month was in fact a US military operation, according to a report by CyberScoop's Chris Bing and Patrick Howell O'Neill. Unnamed US intelligence officials told CyberScoop that Kaspersky's report had exposed a long-running Joint Special Operations Command (JSOC) operation targeting the Islamic State and Al Qaeda.
The malware used in the campaign, according to the officials, was used to target computers in Internet cafés where it was believed individuals associated with the Islamic State and Al Qaeda would communicate with their organizations' leadership. Kaspersky's report showed Slingshot had targeted computers in countries where ISIS, Al Qaeda, and other radical Islamic terrorist groups have a presence or recruit: Afghanistan, Yemen, Iraq, Jordan, Turkey, Libya, Sudan, Somalia, Kenya, Tanzania, and the Democratic Republic of Congo.
The publication of the report, the officials contended, likely caused JSOC to abandon the operation and may have put the lives of soldiers fighting ISIS and Al Qaeda in danger. One former intelligence official told CyberScoop that it was standard operating procedure "to kill it all with fire once you get caught... It happens sometimes and we're accustomed to dealing with it. But it still sucks. I can tell you this didn't help anyone."
This is good malware. You can't expose the good malware!
Related: Kaspersky Claims to have Found NSA's Advanced Malware Trojan
Ties Alleged Between Kaspersky Lab and Russian Intelligence Agencies
Kaspersky Willing to Hand Source Code Over to U.S. Government
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products
Kaspersky Lab and Lax Contractor Blamed for Russian Acquisition of NSA Tools
Last week, The Wall Street Journal dropped a bombshell when it reported that Russian government hackers located confidential National Security Agency material improperly stored on an employee's home computer with help from Kaspersky antivirus, which happened to be installed. On Tuesday, The New York Times and The Washington Post provided another shocker: the Russian hackers were caught in the act by spies from Israel, who were burrowed deep inside Kaspersky's corporate network around the time of the theft.
Ars Technica: How Kaspersky AV reportedly was caught helping Russian hackers steal NSA secrets
The New York Times: How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
The Washington Post: Israel hacked Kaspersky, then tipped the NSA that its tools had been breached (archive)
Previously: Kaspersky Lab and Lax Contractor Blamed for Russian Acquisition of NSA Tools
(Score: 3, Insightful) by Anonymous Coward on Friday October 06 2017, @10:24AM (12 children)
The part about the NSA contractor's unauthorized (and patently stupid) actions is one thing. There are facts to be scrutinized here.
OTOH, blaming Kaspersky because, you know, Russians are Teh Evilz, is just pushing a worn-out narrative with no more evidence than back-fence gossip without proof.
TFA gets a 50% on the Fake News scoreboard.
Meanwhile, Kaspersky has offered to provide their source code to .gov for analysis.
Where's the analysis?
(Score: 1) by khallow on Friday October 06 2017, @10:46AM (4 children)
To be fair to the gubbies, that's completely irrelevant since it would be trivial to run something different on the contractor's machine.
(Score: 0) by Anonymous Coward on Friday October 06 2017, @10:58AM (3 children)
Um...there's this checksum thing ya know.
(Score: 1) by khallow on Friday October 06 2017, @11:42AM
(Score: 0, Disagree) by Anonymous Coward on Friday October 06 2017, @12:15PM (1 child)
Um...there's this collision thing ya know.
(Score: 3, Insightful) by HiThere on Friday October 06 2017, @05:26PM
Collisions with working code on both ends are quite difficult to manage without LOTS of blatant garbage included in the more recent version. So that argument essentially fails.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Gaaark on Friday October 06 2017, @11:16AM (6 children)
Yep. Next thing, they'll be saying don't use Kaspersky: use MS anti virus. And Windows. Always windows. Isn't that right, God....errrr, Mr Gates.
I. Don't. Trust. The. Governments. Anymore!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 4, Touché) by c0lo on Friday October 06 2017, @11:25AM (5 children)
Have you noticed any improvement in your life since you started to not trust the government?
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Insightful) by Anonymous Coward on Friday October 06 2017, @03:25PM (1 child)
Taking this comment seriously for a second... it dismisses the "herd immunity" of individual actions. For example, it is usually better (read: easier, cheaper, more rewards, less punishment) for any individual person to cooperate with authorities. However, if everybody does so, it results in an erosion of rights of individuals, such as courts recognizing the decreased expectations people have of privacy.
Even if somebody's individual life degrades, the overall life of everybody may improve fractionally for each small act of defiance against authoritarianism.
Just to Godwin it, everybody who stood quiet or even joined in Kristallnacht [wikipedia.org] or indeed the entire rise of Nazi-ism certainly had a much better life than the ones who defied it.
(Score: 2) by c0lo on Friday October 06 2017, @09:01PM
On the line of taking the comment seriously... it doesn't dismiss anything. Look, does the fact that the herd doesn't trust the government bring any improvement in the herd's life?
I mean: yes, the lack of trust in the government is necessary, but is it sufficient?
(if you just don't trust your government, congratulation... you learnt the freedom 101, here's your ribbon; mind with that pin, you clumsy. Now, go play with your prick in the sandbox, see if the government care about your trust)
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Gaaark on Saturday October 07 2017, @03:29AM (2 children)
Yes! The TPP was dropped because of activism among non-trusters (although, of course, vigilance is necessary). Stupidity like that would have made my life worse.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 2) by c0lo on Saturday October 07 2017, @10:51AM (1 child)
And me who thought TPP was dropped only because it has had Obama's blessing.
Maybe your (and others') life is not worse, but I don't see it any better.
(what orange "great builder"... what has he build so far in the places where he "demolished Obama's constructions", what exactly is his counter-proposal?)
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Gaaark on Saturday October 07 2017, @03:48PM
It's better because it's NOT worse!
:)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 4, Insightful) by tibman on Friday October 06 2017, @02:25PM (5 children)
Lax contractor? Lax?! He put classified "cyber weapons" on his personal internet connected (24/7) windows machine. That wasn't lax. That was criminal.
SN won't survive on lurkers alone. Write comments.
(Score: 4, Interesting) by urza9814 on Friday October 06 2017, @03:51PM (1 child)
My thoughts exactly.
They're sitting here trying to blame Kaspersky for the fact that one of their own damn contractors stole these documents. That laptop could have been stolen by a gang breaking into his car; it could have been leaked by any old malware; he could have emailed them to the press himself. Once you've got people putting classified information on their personal systems you've lost all control over it; THAT is the theft they ought to be concerned about.
And how is that even possible? I literally can't figure out any way to transfer files from my work PC to my home computer. Can't use a USB stick, because the work laptops aren't permitted to access USB memory. Can't burn a CD; we don't have CD burners. Can't email it due to file size limits and no access to personal email from work devices and vice-versa. Cloud storage sites are blocked on the internal network and the internal transfer tools are blocked from outside. Can't even pull the hard drive and copy the files from that because it's encrypted. How the hell does a fucking *drugstore* have better IT security than the NSA? Or, if the guy seriously managed to jump through that many hoops, he DAMN WELL knew he was doing something he shouldn't have, and it should be pretty damn easy to press charges.
(Score: 1, Interesting) by Anonymous Coward on Sunday October 08 2017, @11:31AM
Network transfer?
There's also audio if audio is allowed.
Last but not least - if you can read contents of the files you can take pictures of them.
(Score: 1, Interesting) by Anonymous Coward on Friday October 06 2017, @04:27PM (2 children)
yeah, just like the opm hack wasn't even a hack. it was our own government who outsourced the shit to the chinese then claimed "hack" when they copy pasted. the opm person who hired the chinese company probably did it on purpose.
now these disgustingly stupid (or treasonous) pieces of shit put sensitive info on their fucking windows machines(hang em high) and whinge when kaspersky rightfully classifies their fucking malware as malware and uploads it to their threat database(just one possible guess. i'm not going to rtfa!).
if they used malware then wtf did you expect you lazy fucking idiot?
(Score: 1) by i286NiNJA on Friday October 06 2017, @04:49PM (1 child)
I'm astonished that the most elite hackers at the NSA run windows on their home work machines.
(Score: 2) by bob_super on Monday October 09 2017, @05:17PM
Intel told you about the Megatasker, here is the NSA version: playing $AAA_title_of_the_month and livestreaming it, while hacking its servers to get extra frags/gold.
(Score: 3, Interesting) by bart on Friday October 06 2017, @03:31PM (2 children)
It's beyond doubt that the NSA, CIA and all the other 5 eyes crap spy on everyone's communication and data without any discretion or oversight whatsoever.
Even if Kaspersky software would upload to the Russian government, I don't see any reason not to use it to protect your computer from malware. Maybe it will even block some of the NSA back-doors that were installed in your friendly Windows, Mac or Redhat systemd O.S.
George Orwell got it right, only his date was a little off.
(Score: 2) by DeathMonkey on Friday October 06 2017, @05:39PM
Even if Kaspersky software would upload to the Russian government, I don't see any reason not to use it to protect your computer from malware
Well, I see 1 reason: it failed to protect this guy's data.
(Score: 3, Interesting) by PinkyGigglebrain on Friday October 06 2017, @07:04PM
I used to think that Huxley was closer to the current state of affairs, but when you really look at it all they were both right.
https://biblioklept.files.wordpress.com/2010/12/huxley-orwell-amusing-ourselves-to-death.jpg?w=739 [wordpress.com]
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 2) by linkdude64 on Saturday October 07 2017, @06:15PM
I couldn't write a script to list the contents of a directory, and yet I build my PCs, or, if they are purchased, remove all bloatware from them.
I am also aware of the massively insecure nature of antivirus programs, where complete and unfettered access to your machine is given without any oversight.
Yet I am to believe that this TAO operative is less competent and aware of these things than I am?