THE KASPERSKY FIASCO : THE WAY FORWARD

For quite some time now there have been reports of the US government banning the use of Kaspersky security products in US government offices. On 13 Sept 2017, the Department of Homeland Security issued instructions to all government offices to stop using Kaspersky products because of information security concerns. The advisory gave existing users a period of 90 days to remove existing installations. The list of US government departments using Kaspersky is impressive: the State Department, the Department of Defense, the Department of Energy, the Justice Department, the Treasury Department, and the Army, Navy and Air Force.

The issues surrounding Kaspersky products are longstanding. For many years now the F.B.I., along with other intelligence agencies, has been trying to confirm whether Kaspersky cooperates with Russian military and intelligence agencies in their snooping and hacking activities. The Americans have also been investigating whether Kaspersky products, including their famous AV programs, contain back doors that could be exploited by Russian intelligence agencies to scan the computers on which they are running. The company, as always, strongly denies the allegations.

It is believed that sometime in 2014 the Israeli intelligence agencies infiltrated the Kaspersky corporate network and were keeping a real-time tab on the activities of Kaspersky. Here the details become sketchy: the Israelis found details of Russian hackers who were searching computers around the world to find out about American intelligence programs. The Russian hackers were able to carry out their search operations efficiently because of their innovative search tool, Kaspersky Anti-Virus. The Kaspersky AV, used on more than 400 million PCs around the world, was being surreptitiously used by the hackers to peep into those PCs.

The Moscow-based Kaspersky Lab was not totally clueless about the Israeli intrusions into its networks. It first detected intrusions into its network in mid 2015. At that time the company went public, saying that its corporate networks had been infiltrated. Its analysis said that the digital footprints were similar to those of the owners of the Stuxnet virus, indirectly pointing a finger at Israel and the USA, who are widely believed to be responsible for Stuxnet. After this month's reports in American dailies, it is very clear that Israel was indeed behind the breaches of the Kaspersky Lab corporate network.

Background / Modus Operandi

As is now apparent, the Israelis were keeping a real-time tab on the activities of the Russian hackers. Israeli hackers had succeeded in installing a number of back doors on Kaspersky's systems; they were able to steal passwords, take screenshots, and pilfer the contents of emails and documents. The Russians appeared to have been using Kaspersky Anti-Virus (AV) products as a search tool for sensitive information on the PCs of people who had installed the product. It was the Israelis who alerted the Americans about the Russian operation. The Russians were using the Kaspersky AV product installed on the home PC of an NSA employee. Unfortunately the individual had stored NSA tools on his home PC. It is a basic default requirement for any security product installed on a PC to be able to scan the entire device, so that it can search for viruses and other kinds of malware. What an ingenious threat vector: compromise the application that has rights to scan all content on the device, and you virtually own all the content of the device. The punch line is that, as a bonus, it provides continuous, reliable and legal (unsuspected) remote access to the device of interest, because after removing a virus the AV software is supposed to send a report back to the Kaspersky servers. After analysing the reports sent back to the Kaspersky server, the hackers would decide which machines to target in particular. The tool specifically exploited is what is called "silent signatures": strings of code that operate in stealth mode on the PC to find malware, which can also be modified to search computers for documents of interest using keywords or acronyms.

As of now Kaspersky Lab is keeping a stiff upper lip and denying any knowledge of the Russian government hacking operation. The company was founded by Eugene V. Kaspersky, who attended a high school associated with the Russian intelligence agencies. He is also said to have later written software for the Soviet Army. He has publicly declared a number of times that neither he nor his company has any association with the Russian government or its intelligence agencies.

When one installs a Kaspersky AV product, there is a feature which asks you to join the Kaspersky Security Network (KSN) for better support. Once you accept this feature, Kaspersky gets the right to send malware samples and related data from your machine to its cloud. There is also a possibility that when Kaspersky was breached the first time, the hackers could have gained access to KSN. It is highly possible that the hackers were intercepting transmissions from the Kaspersky AV software to KSN. For a cyber security company it may be too damaging to accept that fact. Either way, there have been previous murmurs as well, in which people have speculated about backdoors in the Kaspersky AV products.

Way Forward

  • As a first step, whoever has Kaspersky installed on his or her machine needs to disable access to KSN, so that no content goes from the machine to the Kaspersky servers.
  • Private businesses in America have already picked up the cue: Best Buy, an electronics chain in the USA, has just announced that it is stopping the sale of Kaspersky Lab security products.
  • Until now, when the Americans were issuing instructions to government offices not to use Kaspersky products, no clear reasoning or logic was being given out. As a result, people the world over were looking at it with skepticism, even grading it as a tit-for-tat political battle between the superpowers. However, the present exposé has changed the situation dramatically.
  • The interesting part of this whole episode is the fact that the NSA bans the use of Kaspersky AV on its systems because the agency already exploits antivirus software for its own hacking operations and is confident that its adversaries must be using the same techniques. What is shocking is that if they were aware of this security loophole and its rampant exploitation, shouldn't they at least have advised the defense forces against the use of the same? A typical case of the right hand not knowing what the left hand is doing.
  • So finally what we have learned is that Kaspersky AV products have been used by Russian hackers affiliated with Russian intelligence agencies for the purpose of peeping into computers. The same modus operandi is also exploited by the NSA; in its case it will be America-based AV companies. The AV ecosystem is composed primarily of these two sets of companies. This leaves India in a very peculiar situation. Government offices generally pick AV products based on their international rankings by various agencies. Thus, we have a situation where government computers are protected by AV products which are Russian or American. In case the computers have important content, they are surely being snooped into by Russian or American agencies in the guise of monitoring or updating the AV modules on the PC. In such a situation there is a need for the National Cyber Security Coordination Centre to closely scrutinize available AV products and advise government departments accordingly on which to use. There may be a very strong case for India to ban all foreign AV products and use only Indian AV products, developed in India, with the servers residing in India.

It would be unfair to complete the article without giving the Kaspersky perspective. Eugene, in his blog post of 19 Oct 2017, brings out the point that if indeed this was true, and if the governments had clear evidence of the activities of Kaspersky Lab, then why don't they take punitive legal action against Kaspersky? Any comments?

Debashish Bose
Senior Fellow
