GCHQ and the NSA stand accused of reverse-engineering consumer anti-virus software in order to hide their operations, it has been revealed.
Hacking efforts by UK spy body GCHQ have been stymied in the past by security vendors such as Kaspersky Labs, according to a warrant renewal request published by The Intercept.
The warrant states that the Russian AV company in particular continues to "pose a challenge" to GCHQ, and that the agency's goal is to be able to "exploit such software and to prevent detection of [their] activities".
In order to circumvent this type of security, the agency examined various elements of it for vulnerabilities, using a technique known as Software Reverse Engineering.
As part of the "computer network exploitation" tactics covered by the warrant, GCHQ likewise examined popular forum software vBulletin, which the document claims is "widely used to run terrorist web forums".
It is also, however, used to run and maintain a huge majority of legitimate forums such as NEOGAF and SomethingAwful, and SRE methods have previously yielded the recovery of an unspecified number of user credentials.
As these SRE techniques could potentially constitute "an infringement of copyright", GCHQ requires a legally-protecting warrant from the government that must be renewed every six months.
It was one such renewal request, dated from 2008, that was published today as part of the Snowden files. It is unclear whether this practise of reverse-engineering security software is still common, as well as what GCHQ hoped to achieve in the process.
The warrant also notes that the agency's success in reverse-engineering strategies have led to developing capabilities against Cisco routers. This allows UK spies entry into the Pakistan Internet Exchange, where they have "access to almost any user of the internet inside Pakistan".
The NSA has also been undertaking similar projects. In a briefing from 2010, also part of the Snowden files, the US spy agency's "Project CAMBERDADA" was revealed to be intercepting malware-flagging email traffic between end-users and anti-virus vendors.
This information is used to compile a list of malware that vendors like Kaspersky have not yet adapted to combat. The agency's Tailored Access Operation unit then "repurpose the malware", allowing them piggyback access to machines and networks.
Kaspersky has been a notable opponent of state-sponsored intrusion. The Russian company had a hand in detecting and flagging multiple examples of suspected government malware such as the Gauss, Flame and Stuxnet viruses.
Earlier this month, the company discovered that it had itself been hit by the Duqu 2.0 worm, which founder Eugene Kaspersky believes to be a "nation-state sponsored campaign".
The company said in a statement that "we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries."
It decried the fact that government divisions are "actively working to subvert security software that is designed to keep us all safe."
Along with Kaspersky Labs, a total of 23 vendors were listed in the presentation on a slide jauntily titled "more targets!" These included Bit-Defender, Avast, Avira and Checkpoint, with examples from multiple US-allied countries although none from within the US itself, or the UK.
However, while this may come as a shock to some, others in the infosec community are less than astonished. Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, points out that "AV tools can be bought and pulled apart by anyone".
He notes the logic of GCHQ's operations, asking "is it really a surprise that intelligence agencies try to circumvent technologies that might prevent them from collecting information? Or test these technologies for weaknesses?"
He likens this probing of vendor proficiency to real-world combat tactics; "In the hacker world as well as the military world before conducting any operation it is vital to test offensive tools against defensive capabilities".
-
What is polymorphic malware?Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the companyOpinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
Former GCHQ intern risked national security after taking home top secret dataNews A former GCHQ intern has pleaded guilty to transferring data from a top-secret computer onto his work phone.
-
Businesses must get better at sharing cyber information, urges former GCHQ chiefJeremy Fleming, the former head of GCHQ, has warned businesses face increasingly sophisticated cyber attacks on critical national infrastructure (CNI).
-
Hackers are lying low in networks to wage critical infrastructure attacks - here’s how they do itNews Hackers are researching key IT workers in their bid to gain access to vital systems
-
ASUS, Cisco, Netgear devices exploited in ongoing Chinese hacking campaignNews Critical national infrastructure is the target of sustained attempts from state-sponsored hackers, according to Five Eyes advisories
-
US reveals bespoke tool that took down Russian malware operationNews Snake had been used to steal NATO countries’ data for 20 years
-
Move away from memory-unsafe languages like C and C++, NSA urgesNews The US agency advises organisations to begin using languages like Rust, Java, and Swift
-
US gov issues fresh warning over Russian threat to critical infrastructureNews The FBI, NSA and CISA have urged network defenders to be on "heightened alert" for Russian cyber attacks
-
UK and US pledge to punish cyber criminals at annual meetingNews Intelligence and defence officials met at the annual forum to discuss approaches to cyber security for the years ahead
