When the "Heartbleed" bug was made public last year, Bloomberg reported that the National Security Agency had known about the vulnerability for two years, integrating it as "a basic part of the agency's toolkit for stealing account passwords and other common tasks."
In response to the report, the Office of the Director of National Intelligence (ODNI) pulled a Sergeant Shultz: It knew nothing!
But the agency does actively search for exploits, "responsibly" disclosing them "unless there is a clear national security or law enforcement" reason not to, according to Shawn Turner, director of public affairs for the ODNI.
One method the NSA allegedly employs to find vulnerabilities and track users: hacking anti-virus software.
According to a new set of documents leaked by former NSA contractor Edward Snowden, released by The Intercept on Monday, the NSA, along with Britain's Government Communications Headquarters (GCHQ), reverse-engineered widely used anti-virus and security software and analyzing "leaky data," including web traffic and email, looking for security holes.
Kaspersky Lab, a Russian security software firm, was the most frequently cited mark in the documents. Per The Intercept, both the NSA and its British counterpart targeted Kaspersky:
The [GCHQ] viewed Kaspersky software as an obstruction to its hacking operations and needed to reverse engineer it to find ways to neutralize the problem. Doing so required obtaining a warrant.
"Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ's CNE [Computer Network Exploitation] capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities," the warrant renewal request said.
The NSA, like GCHQ, has studied Kaspersky Lab's software for weaknesses. In 2008, an NSA research team discovered that Kaspersky software was transmitting sensitive user information back to the company's servers, which could easily be intercepted and employed to track users, according to a draft of a top-secret report.
The documents also indicate that the NSA monitors the email traffic of foreign anti-virus firms "for reports of new vulnerabilities and malware" in order to take advantage of such holes before they're patched. After vulnerabilities are reported to companies like Kaspersky, it can sometimes take weeks or even months before the software is updated. During that time, intelligence organizations like the NSA are able to use the exploits to snoop on users.
Kaspersky has a knack for frustrating the intelligence community's attempts to use malware to its advantage, though:
In the past few years, the company has proven to be a prolific hunter of state-sponsored malware, playing a role in the discovery and/or analysis of various pieces of malware reportedly linked to government hackers, including the superviruses Flame, which Kaspersky flagged in 2012; Gauss, also detected in 2012; Stuxnet, discovered by another company in 2010; and Regin, revealed by Symantec. In February, the Russian firm announced its biggest find yet: the "Equation Group," an organization that has deployed espionage tools widely believed to have been created by the NSA and hidden on hard drives from leading brands, according to Kaspersky. In a report, the company called it "the most advanced threat actor we have seen" and "probably one of the most sophisticated cyber attack groups in the world."