It sounded like a spy novel plot twist, not a major news headline: Israeli intelligence officers hacked a Russian spy operation that used internationally renowned antivirus software to surveil American companies and the U.S. government. But that’s just what The New York Times reported Tuesday. And it raises disturbing questions: How can off-the-shelf computer security software be used for spying? Why are we learning about this just now?
The Tuesday news follows a September report that the U.S. government ordered any of its agencies that used Kaspersky Lab software—about two dozen at the time—to uninstall it.
The notion that the Russian government used Kaspersky software to spy on other countries and companies is not surprising, says Kenneth Geers, who, as a senior fellow at the Brent Scowcroft Center on International Security at the Atlantic Council, focuses on Eastern Europe.
“I feel bad for Kaspersky because they’re probably good guys who are trying to do the right thing, but the forces above them are much more powerful. There’s so much more going on,” he says. “Their software can see nation-state operations because they have deep visibility into enterprise and government networks.”
In statements provided to The Parallax, Kaspersky representatives said the company’s software protects about 400 million users. They also denied that the company was involved in the alleged spying detailed in the Times report this week and in a Wall Street Journal report last week. The Journal report, citing unnamed sources, said hackers used Kaspersky software to steal documents detailing how the U.S. government conducts offensive and defensive cyberoperations.
“As there has not been any evidence presented, Kaspersky Lab cannot investigate these unsubstantiated claims, and if there is any indication that the company’s systems may have been exploited, we respectfully request relevant parties responsibly provide the company with verifiable information,” company representatives wrote in a statement. “It’s disappointing that these unverified claims continue to perpetuate the narrative of a company which, in its 20-year history, has never helped any government in the world with its cyberespionage efforts.”
Antivirus software programs are supposed to protect computers from online threats, which often are complex software programs like viruses designed to avoid detection, extract data, and self-propagate onto other computers and networks. To detect threats, they generally scan nearly every file on their host system for unique malware “signatures.”
Experts say it’s not hard to see why (or how) nation-states might want to use security software to conduct espionage against foreign adversaries. Government agencies—and the individuals who work for them—often trust its deep-scanning skills to keep their computer files safe.
Most traditional security software, including Kaspersky (and Avast, which sponsors this site), has “millions of lines of code,” some of which is “decades-old,” says Brian Robison, the senior director of security technology at Cylance, a California-based antivirus and security software company. Avast did not respond to a request for comment.
“There’s just no way that a human could do a [quality assurance] check on all that code,” he says. A spy would “only have to hide one or two lines [of an exploit] in there.” Trying to find a vulnerability inserted into large, old software is “probably going to be worse than finding a needle in a haystack.”
Hiding a vulnerability in Kaspersky’s code is one way state actors could have used the software for espionage. Getting the company to cooperate with spying efforts—a concept Kaspersky denied happened—would be another.
Robert Graham, an independent security researcher, says the deep hooks of antivirus software could enable “evil” controllers to search files on a targeted computer for text such as “NSA Confidential” or “top secret,” and upload those files to its servers along with legitimately suspicious files.
“Once [the software] tells the antivirus company about the machine, like a few of the suspicious files it found, it could then potentially give full control to the antivirus company, run arbitrary code and scripts, and grab any file a human operator wants from the machine,” he says.
Robert G. Ferrell, a former special agent at the Department of Defense who specialized in auditing government contractors’ computer systems for threats, says the complexity of security software code and the daily signature files antivirus software uses to identify threats add another opportunity for the software to be used in geopolitical espionage.
“Agencies mitigate this risk by downloading the signature files on an unclassified computer and delivering them by sneakernet to servers and workstations, but I’ve actually seen them use the same antivirus program to scan the incoming files as the one for which they are intended,” Ferrell says. “Not exactly a robust security protocol.”
As to why the world is only now learning of the potential for security software to be used for espionage, Geers credits Russia’s more noticeable behavior on the global political stage, including but not limited to international sanctions against the country and its interference in the U.S. election last year.
“It’s important to marry events on the network with events in the political space,” he says. “The fact is that the human rights situation there is not getting any better. That has to be taken into account when we’re thinking about the list of priorities for the Kremlin today. All of this is important, but ultimately, it’s about a lot of money and a lot of power.”