NSA, British Intelligence Poke Holes in Virus-Protection Software

According to newly released Snowden docs, the spy agencies use security vulnerabilities to hack and track users.


NSA hacked anti-virus software to track users
LuChOeDu / Flickr

When the "Heartbleed" bug was made public last year, Bloomberg reported that the National Security Agency had known about the vulnerability for two years, integrating it as "a basic part of the agency's toolkit for stealing account passwords and other common tasks."

In response to the report, the Office of the Director of National Intelligence (ODNI) pulled a Sergeant Shultz: It knew nothing!

But the agency does actively search for exploits, "responsibly" disclosing them "unless there is a clear national security or law enforcement" reason not to, according to Shawn Turner, director of public affairs for the ODNI.

One method the NSA allegedly employs to find vulnerabilities and track users: hacking anti-virus software.

According to a new set of documents leaked by former NSA contractor Edward Snowden, released by The Intercept on Monday, the NSA, along with Britain's Government Communications Headquarters (GCHQ), reverse-engineered widely used anti-virus and security software and analyzing "leaky data," including web traffic and email, looking for security holes.

Kaspersky Lab, a Russian security software firm, was the most frequently cited mark in the documents. Per The Intercept, both the NSA and its British counterpart targeted Kaspersky:

The [GCHQ] viewed Kaspersky software as an obstruction to its hacking operations and needed to reverse engineer it to find ways to neutralize the problem. Doing so required obtaining a warrant.

"Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ's CNE [Computer Network Exploitation] capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities," the warrant renewal request said.


The NSA, like GCHQ, has studied Kaspersky Lab's software for weaknesses. In 2008, an NSA research team discovered that Kaspersky software was transmitting sensitive user information back to the company's servers, which could easily be intercepted and employed to track users, according to a draft of a top-secret report.

The documents also indicate that the NSA monitors the email traffic of foreign anti-virus firms "for reports of new vulnerabilities and malware" in order to take advantage of such holes before they're patched. After vulnerabilities are reported to companies like Kaspersky, it can sometimes take weeks or even months before the software is updated. During that time, intelligence organizations like the NSA are able to use the exploits to snoop on users.

Kaspersky has a knack for frustrating the intelligence community's attempts to use malware to its advantage, though:

In the past few years, the company has proven to be a prolific hunter of state-sponsored malware, playing a role in the discovery and/or analysis of various pieces of malware reportedly linked to government hackers, including the superviruses Flame, which Kaspersky flagged in 2012; Gauss, also detected in 2012; Stuxnet, discovered by another company in 2010; and Regin, revealed by Symantec. In February, the Russian firm announced its biggest find yet: the "Equation Group," an organization that has deployed espionage tools widely believed to have been created by the NSA and hidden on hard drives from leading brands, according to Kaspersky. In a report, the company called it "the most advanced threat actor we have seen" and "probably one of the most sophisticated cyber attack groups in the world."

NEXT: EPA Says Global Greenhouse Gas Cuts Would Save U.S. Economy $1.5 Trillion in 2100

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. So should I switch to Kaspersky, or stay away from them?

    I would really like honest opinions on this.

    1. Well, clearly you want a non-US product.

      1. Right now I use Bitdefender, which I see is out of Romania.

    2. Don’t use Microsoft.

      1. That scans with “What’s New, Pussycat?”

        1. Tom Jones? Why?

          1. I have no idea. Ask Bill Gates.

            1. I’d rather ask Tom.

                1. …to have fun with anyone…

                  1. Why? Why? Why?

  2. That’s interesting. Shouldn’t the NSA be concerned about the security of the private sector as well as the public? We’re far, far more likely to suffer real consequences if our economic system was threatened due to compromised security, after all. That vulnerability should have been quietly shared with the companies producing the applications when discovered.

    Granted, they say they do that (unless “national security” says no, reply is hazy, ask again later), but I’m not sure I believe them.

    1. You misunderstand — See the security that they’re interested in is that of the system. Just as the IRS is used to mold the [official/recognized] organizations in the US based on personal politics, the NSA is about gathering data to preserve the current power structures. — If the next Patrick Henry comes along, they’ll be able to dig up anything and everything to ensure that he’ll never have a political leg to stand on: they’ll release his FaceBook chats from when he was a horny teenager, or maybe they’ll simply say that it’s his naughty, steamy chat… and that is how the NSA it going to do it.

  3. I’m surprised that Kaspersky isn’t dead yet. He has discovered a lot of stuff.

  4. self-edited

  5. The fact that they have been demanding back doors to all security software tells us they don’t give a shit about ‘the security of the private sector’, and the damage they have caused to US-based companies is enormous, but that’s not their problem. As Schneier and others have pointed out, if there are back doors they will be exploited by everyone who can get hold of them, and that list will not be limited to court-authorized snoops.

    All our national security apparatus cares about is being able to read (somebody’s) web presence, whether email or otherwise. What they break in the process are the eggs that Stalin is reputed to have invoked in discussing the making of omelets.

    1. Yeah, that’s a very damning point. Way back in the 90s, the government was pushing very hard for back doors that would be known to the world. Not at all a security concern.

  6. Can we get these guys to start wearing white or black hats? It’s getting pretty hard to figure out who’s a good guy and who’s just another thug.

    1. I think the simplest metric is if they’re concerned with Justice, real justice, which you cannot advance by perpetrating injustices on others (that would include violating the 4th because of “exigent circumstances” — such is a case of the agents valuing “enforcement” [of the law] at the expense of the law) — or if they’re merely interested in power.

Please to post comments

Comments are closed.