
GCHQ and NSA try to crack Kaspersky software and others

Snowden files reveal reverse-engineering attempts on popular consumer anti-virus firms, as well as web forum surveillance

GCHQ and the NSA stand accused of reverse-engineering consumer anti-virus software in order to hide their operations, it has been revealed.

Hacking efforts by UK spy body GCHQ have been stymied in the past by security vendors such as Kaspersky Labs, according to a warrant renewal request published by The Intercept.

The warrant states that the Russian AV company in particular continues to "pose a challenge" to GCHQ, and that the agency's goal is to be able to "exploit such software and to prevent detection of [their] activities".

In order to circumvent this type of security, the agency examined various elements of the software for vulnerabilities, using a technique known as Software Reverse Engineering (SRE).

As part of the "computer network exploitation" tactics covered by the warrant, GCHQ likewise examined popular forum software vBulletin, which the document claims is "widely used to run terrorist web forums".

It is also, however, used to run and maintain a huge majority of legitimate forums, such as NEOGAF and SomethingAwful, and SRE methods have previously yielded an unspecified number of user credentials.

As these SRE techniques could potentially constitute "an infringement of copyright", GCHQ requires a warrant from the government to protect it legally, and that warrant must be renewed every six months.

It was one such renewal request, dated 2008, that was published today as part of the Snowden files. It is unclear whether this practice of reverse-engineering security software is still common, or what GCHQ hoped to achieve in the process.

The warrant also notes that the agency's success with reverse-engineering strategies has led to the development of capabilities against Cisco routers. This allows UK spies entry into the Pakistan Internet Exchange, where they have "access to almost any user of the internet inside Pakistan".

The NSA has also been undertaking similar projects. In a briefing from 2010, also part of the Snowden files, the US spy agency's "Project CAMBERDADA" was revealed to be intercepting malware-flagging email traffic between end-users and anti-virus vendors.

This information is used to compile a list of malware that vendors like Kaspersky have not yet adapted to combat. The agency's Tailored Access Operations unit then seeks to "repurpose the malware", allowing it to piggyback on the malware for access to machines and networks.

Kaspersky has been a notable opponent of state-sponsored intrusion. The Russian company had a hand in detecting and flagging multiple examples of suspected government malware such as the Gauss, Flame and Stuxnet viruses.

Earlier this month, the company discovered that it had itself been hit by the Duqu 2.0 worm, which founder Eugene Kaspersky believes to be a "nation-state sponsored campaign".

The company said in a statement that "we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries."

It decried the fact that government divisions are "actively working to subvert security software that is designed to keep us all safe."

Along with Kaspersky Labs, a total of 23 vendors were listed in the presentation on a slide jauntily titled "more targets!" These included Bitdefender, Avast, Avira and Check Point, with examples from multiple US-allied countries, although none from within the US itself or the UK.

However, while this may come as a shock to some, others in the infosec community are less than astonished. Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, points out that "AV tools can be bought and pulled apart by anyone".

He notes the logic of GCHQ's operations, asking: "is it really a surprise that intelligence agencies try to circumvent technologies that might prevent them from collecting information? Or test these technologies for weaknesses?"

He likens this probing of vendor proficiency to real-world combat tactics: "In the hacker world as well as the military world before conducting any operation it is vital to test offensive tools against defensive capabilities".
