The Russian Bull’s-Eye on NSA

Last week the Wall Street Journal broke a story about yet another, as yet unidentified, National Security Agency (NSA) contractor who has been taken into custody for improper handling of classified materials. This individual loaded ultra-sensitive NSA documents on to his devices, which apparently used Kaspersky security software. Allegedly, the software was used to siphon the contractor’s data, which was then provided to Russian intelligence entities.

Russia-based Kaspersky Lab is accused of acting as an agent of the Russian Federation. In May, Sen. Marco Rubio (R-FL) let the cat out of the bag when he pointedly asked the leadership of the U.S. intelligence community, “Would any one of you be comfortable with Kaspersky Lab’s software on your computers?” They universally responded in the negative.

This contractor, is believed to have been under investigation since 2015.

What else was happening that involves Kaspersky and/or Russia?

Shadow Brokers and Harold Martin, August 2016

In mid-August 2016, Shadow Brokers offered for sale the entire toy box of cybertools allegedly purloined from the NSA’s Tailored Access Operations (TAO) group. Interestingly Kaspersky, in a company blog, opined the goods came from the Equation Group, a contracting firm of the NSA.

Simultaneous to the Shadow Broker release, we saw the arrest of NSA contractor Harold Martin. Martin hoarded his mega-stash of classified materials from 1996 to 2016. In subsequent court documents, it was noted that Martin had been exfiltrating NSA secret and top secret documents and squirreling them away at his residence for more than 20 years. Just how large was the Martin compromise? Conservatively 50TB of data, six banker boxes full of documents, accompanying handwritten notes and dozens of computers and digital storage devices—or, put differently, the offensive capabilities of the NSA.

Who is This Mystery Contractor?

Is Harold Martin the mystery contractor? This does not appear to be the case.

When arrested, he was employed by Booz Hamilton. Martin’s paranoia and belief he was superior to his colleagues in the world of OPSEC and overall security would make his use of Kaspersky products somewhat improbable.

The Chicago Tribune characterized the newly identified contractor as being a Vietnamese national. Harold Martin is not of Vietnamese ancestry. Additionally, the media outlet noted that the contractor was working within the NSA’s Tailored Access Operations (TAO) group.

DOT No. 1 – Shadow Broker revelation occurs simultaneously with the arrest of Harold Martin coincidence? Not to those who look at everything from the world of no coincidences. Perhaps the timing of the Shadow Broker release was designed to redirect counterintelligence investigations from the Kaspersky technical operation siphoning off the information purloined by a separate contractor whose machine was pawned by Kaspersky?

DOT No. 2 – Shadow Broker releases were very specific—so specific that an opportunity to do a damage assessment and deduce who had access to some data may have provided the investigators with sufficient information to pinpoint this second contractor.

Kaspersky and Russian Intelligence Connections, October 2016

October 2016 through January 2017 saw Kaspersky and one of the company’s most talented managers fall into the crosshairs of the Russian FSB (Federal Security Service of the Russian Federation) for sharing information with U.S. security services. This individual, Ruslan Stoyanov (Руслан Стоянов) and others within the FSB’s own cyber-intelligence group were arrested and charged with violating Article 275 of the Russian criminal code – Treason/Espionage.

According to Russian language media outlet, Kommersant, Stoyanov and others within the FSB Information Security Center (CDC) including Sergey Yuryevich Mikhailov (Сергей Юрьевич Михайлов), deputy head of the FSB CDC, were arrested. Mikahilov’s position was sufficiently senior that he would be aware of any unilateral cyberoperations. How annoyed was the FSB with Mikahilov? The manner in which Mikahilov was arrested hearkens back to the era of the KGB: He was bagged and dragged—during a staff meeting they came up behind him, put a bag over his head and dragged him out of the FSB meeting.

Shortly afterward, in late-January, Russia media outlet RBK noted additional arrests had been made including Dmitry Dokuchaev (дмитрий докучаев), who coincidentally also had been indicted and was wanted by the FBI for his role in a separate cybercrime, the Yahoo compromise of 3 billion accounts. Dokuchaev was Mikhailov’s deputy at the FSB CDC, and they worked together with Stoyanov of Kaspersky.

DOT No. 3 – Stoyanov was a senior manager within Kaspersky and in close and continuing contact with the FSB CDC. The NSA contractor whose device is believed to have been harvested by Kaspersky goes silent. Those whose rice bowl is now broken begin their damage assessment: Why did this source go dry? Did the FSB arrest Stoyanov because he tipped off the NSA to the Kaspersky-evolved data stream?

Trustworthy Kaspersky?

Let us assume Kaspersky is telling the truth and its software is pristine and pure. Is it possible Eugene Kaspersky keeps an arm’s-length relationship with the Russian intelligence and security services? Absolutely. They may be his best customers, but being in bed with the Russian intelligence services would limit his product’s viability to only Russia. It is in both Kaspersky’s and Russian government interest to maintain this status quo.

Russia-Tailored Access?

On the other hand, let there be no doubt: In Putin’s Russia—as in the former Soviet Union—when a citizen of the Russian Federation is called upon to do their patriotic duty, their options are limited. Often, they sign right up to do their part.

Is it possible Kaspersky could be telling the truth and its products are pristine? Yes.

The Russia equivalent of the NSA’s Tailored Access Group may have taken the targeting information obtained elsewhere (say, for example, the 2015 breach of the Office of Personnel Management, which compromised all of the background investigatory information and self-declared peccadilloes of 26 million cleared individuals within the U.S. government) and located a target of interest.

Upon identification, the target group does its technical surveillance and notes that the target of interest is using Kaspersky. The group pulls off the shelf its “doctored” product and pushes an update to the unsuspecting user. The install is slightly different from any other but of ultimate utility to the Russian intelligence folks.

Why do this? Plausible deniability for all sides. Kaspersky does not have a direct hand in the pie and only a handful of Kaspersky employees, if any, know of the existence of the collection capability.

DOT No. 4 – The OPM data breach of 26 million U.S. citizens with government security clearances is a targeting officer’s dream.

What Next?

Once we learn who the unidentified NSA contractor is, we’ll be able to connect these or other dots and get a better picture.

For now, it appears that an NSA contractor purloined NSA documents, took them home and put them on his own device. This device was running Kaspersky antivirus software. The allegation is that his instance of Kaspersky captured, stored and then forwarded the sensitive and classified information the contractor had taken. When and how the investigators discovered the Kaspersky angle is unknown.

One could speculate that a senior manager within Kaspersky with liaison duties with the FSB would know of a one-off capability development. But maybe not; perhaps just a customer list was provided. Nevertheless, this capability can be used in a tailored manner against any target using Kaspersky products without the consent or knowledge of Kaspersky the company. Think of it as man-in-the-middle functionality.

The one constant: The Russian intelligence services are going to continue to target the NSA, and the information taken from the OPM breach of the background information can and will be used to target U.S. individuals in position of knowledge and power.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 12 posts and counting.See all posts by burgesschristopher