Documents show NSA, GCHQ launched attacks against anti-virus software makers
The U.S. National Security Agency and its British equivalent, the Government Communications Headquarters, have both been launching attacks against security software in order to track individuals and break into networks, a report said on Monday.
One of the primary targets has been Russia's Kaspersky Lab, according to documents leaked by ex-NSA contractor Edward Snowden, obtained by The Intercept. The agencies have been reverse-engineering Kaspersky software to discover potential exploits, the documents show, and the NSA in particular has allegedly taken things a step further by intercepting data sent from Kaspersky apps to the company's servers. Much of that app data is reportedly unencrypted, although Kaspersky told The Intercept that it was unable to reproduce similar findings in testing.
One specific piece of evidence for reverse engineering is a GCHQ warrant renewal request from 2008, asking for the legal sanction to deconstruct apps from Kasperksy and others because they "pose a challenge to GCHQ's CNE [Computer Network Exploitation] capability and SRE [Software Reverse Engineering] is essential in order to be able to exploit such software and to prevent detection of our activities." The agency also indicated that SRE was being used to judge the suitability of anti-virus programs for use by separate government organizations.
The NSA tracking program reportedly involves monitoring HTTP requests, which contain unique identifiers showing that a customer has Kaspersky software. This in turn allows the NSA to track someone and judge whether their computer is vulnerable to an attack. In a statement to The Intercept however, Kaspersky insisted transmitted data is depersonalized and that it uses encryption.
Another NSA method involves scanning the email traffic of foreign anti-virus companies in order to pick up hints of new exploits and malware. In the case of malware, the agency has a group that can repurpose it to launch an attack against a desired target.
An internal 2010 presentation on the monitoring program, known as "Project CAMBERDADA," mentions 23 foreign anti-virus firms apart from Kaspersky such as Avast, F-secure, and Check Point. Major American and British companies are excluded, such as McAfee, Symantec and Sophos.
Earlier this year Kaspersky was hit with a major intrusion. The company indicated that the group behind the attack may be connected to other incidents involving negotiations involving Iran's nuclear program, as well as the 70th anniversary of the liberation of the Auschwitz-Birkenau concentration camp during World War II.