GCHQ has reverse engineered Kaspersky Lab software to find weaknesses which could be exploited to prevent detection of its own exploit activities, according to new Edward Snowden documents.
The news emerged from a government warrant renewal request from 2008 covering activities which “involve modifying commercially available software to enable interception, decryption and other related tasks, or ‘reverse engineering’ software,” according to The Intercept.
“Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [Computer Network Exploitation] capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities,” it apparently continued.
It’s unclear whether GCHQ was successful in this, although the NSA is also revealed to have been monitoring the Russian internet security player for similar reasons.
A top secret report from 2008 seems to show that agents found a way of pulling information from ‘user agent’ strings included in HTTP request headers to uniquely identify and possibly attack Kaspersky Lab customers.
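The report's point is that a verbose User-Agent header lets anyone on the network path identify which product, version and even which installation is talking. Defenders can check their own outbound traffic for the same exposure. The script below is an added illustration, not part of the original report or any vendor's code: it parses constructed web-server log lines (the product name "ExampleAV-Updater" and all tokens in them are made up) and flags User-Agent strings that disclose a non-browser product version or a per-install token such as a build or licence value.

```python
import re
from typing import Dict, List

# Constructed sample log lines in combined-log format with the User-Agent
# quoted last. None of these are real vendor strings; "ExampleAV-Updater"
# is a hypothetical product name used only for this illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2015:10:01:02 +0000] "GET /update HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/38.0"
10.0.0.7 - - [22/Jun/2015:10:01:09 +0000] "GET /bases HTTP/1.1" 200 8192 "-" "ExampleAV-Updater/9.0.12 (build 4491; licence ABC-123)"
10.0.0.9 - - [22/Jun/2015:10:02:14 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.43.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# "Name/1.2.3" product tokens; a dotted version is required so date-style
# tokens such as Gecko/20100101 are not treated as product versions.
PRODUCT_RE = re.compile(r'\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)')

# Tokens that tend to be unique per installation or per customer.
TOKEN_RE = re.compile(
    r'\b(build|licence|license|serial|id)\b\s*[:=]?\s*[A-Za-z0-9-]+', re.I
)

# Browser family tokens that almost every client sends; they identify a
# browser, not a security product, so they are not flagged on their own.
BROWSER_FAMILIES = {
    "mozilla", "gecko", "firefox", "chrome", "safari", "applewebkit",
    "edge", "opera", "version",
}


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one log line, or an empty dict if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def classify_user_agent(ua: str) -> List[str]:
    """Return the reasons a User-Agent string is considered identifying (empty if none)."""
    reasons: List[str] = []
    products = [
        (name, ver) for name, ver in PRODUCT_RE.findall(ua)
        if name.lower() not in BROWSER_FAMILIES
    ]
    if products:
        reasons.append("product_version:" + ",".join(f"{n}/{v}" for n, v in products))
    if TOKEN_RE.search(ua):
        reasons.append("unique_token")
    return reasons


def audit(log_text: str) -> List[Dict[str, object]]:
    """Flag every log line whose User-Agent discloses product or installation identity."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        reasons = classify_user_agent(fields["ua"])
        if reasons:
            findings.append({
                "ip": fields["ip"],
                "ua": fields["ua"],
                "reasons": reasons,
                # A per-install token is worse than a bare version: it singles out one client.
                "severity": "high" if "unique_token" in reasons else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['reasons']}  <- {f['ua']}")
```

Run against real access or proxy logs, the same check shows which of your own clients announce a product name, version or licence identifier in cleartext. The usual mitigation is a generic User-Agent for update and telemetry traffic, with any identifier the server genuinely needs carried inside the TLS-protected request body rather than in a header.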
The agency has also been monitoring the emails sent to and from employees of AV companies to spot mention of new vulnerabilities which they can then exploit, according to a document entitled Project CAMBERDADA.
Over 20 AV companies are apparently listed, including F-Secure, Check Point, Bit-Defender and Avast. Tellingly, American giants McAfee and Symantec, and British leader Sophos are omitted.
Earlier this month, Kaspersky Lab founder, Eugene Kaspersky, revealed that his firm had detected an advanced state-sponsored attack on its network designed to uncover information about key technologies.
“Governments attacking IT security companies is simply outrageous. We’re supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld,” he argued in a blog post.
“We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this ‘community’ paying no respect to laws, professional ethics or common sense.”
Ben Johnson, chief security strategist for Bit9 + Carbon Black, argued that it isn’t surprising the NSA and GCHQ test their offensive tools against the defensive capabilities of AV firms.
“AV tools can be bought and pulled apart by anyone – once a hacker has access to the blacklist, they have the key to avoiding any tripwires and tweak their code in order to evade detection,” he added.
“This is why we have seen such a rise in polymorphic malware, or ‘zero-day’ attacks – if an attack has never been seen, it is not a known threat, and so it cannot exist on an AV blacklist. This is why organizations need to move away from blacklisting and start whitelisting instead.”