GCHQ and NSA try to crack Kaspersky software and others
Snowden files reveal reverse-engineering attempts on popular consumer anti-virus firms, as well as web forum surveillance


GCHQ and the NSA stand accused of reverse-engineering consumer anti-virus software in order to hide their operations, it has been revealed.
Hacking efforts by UK spy body GCHQ have been stymied in the past by security vendors such as Kaspersky Labs, according to a warrant renewal request published by The Intercept.
The warrant states that the Russian AV company in particular continues to "pose a challenge" to GCHQ, and that the agency's goal is to be able to "exploit such software and to prevent detection of [their] activities".
In order to circumvent this type of security, the agency examined various elements of it for vulnerabilities, using a technique known as Software Reverse Engineering.
As part of the "computer network exploitation" tactics covered by the warrant, GCHQ likewise examined popular forum software vBulletin, which the document claims is "widely used to run terrorist web forums".
It is also, however, used to run and maintain a huge majority of legitimate forums such as NEOGAF and SomethingAwful, and SRE methods have previously yielded the recovery of an unspecified number of user credentials.
As these SRE techniques could potentially constitute "an infringement of copyright", GCHQ requires a legally-protecting warrant from the government that must be renewed every six months.
It was one such renewal request, dated from 2008, that was published today as part of the Snowden files. It is unclear whether this practice of reverse-engineering security software is still common, or what GCHQ hoped to achieve in the process.
The warrant also notes that the agency's success with reverse-engineering strategies has led to the development of capabilities against Cisco routers. This gives UK spies entry into the Pakistan Internet Exchange, where they have "access to almost any user of the internet inside Pakistan".
The NSA has also been undertaking similar projects. In a briefing from 2010, also part of the Snowden files, the US spy agency's "Project CAMBERDADA" was revealed to be intercepting malware-flagging email traffic between end-users and anti-virus vendors.
This information is used to compile a list of malware that vendors like Kaspersky have not yet adapted to combat. The agency's Tailored Access Operations unit then "repurpose[s] the malware", giving it piggyback access to machines and networks.
Kaspersky has been a notable opponent of state-sponsored intrusion. The Russian company had a hand in detecting and flagging multiple examples of suspected government malware such as the Gauss, Flame and Stuxnet viruses.
Earlier this month, the company discovered that it had itself been hit by the Duqu 2.0 worm, which founder Eugene Kaspersky believes to be a "nation-state sponsored campaign".
The company said in a statement that "we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries."
It decried the fact that government divisions are "actively working to subvert security software that is designed to keep us all safe."
Along with Kaspersky Labs, a total of 23 vendors were listed in the presentation on a slide jauntily titled "more targets!" These included Bit-Defender, Avast, Avira and Checkpoint, with examples from multiple US-allied countries although none from within the US itself, or the UK.
However, while this may come as a shock to some, others in the infosec community are less than astonished. Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, points out that "AV tools can be bought and pulled apart by anyone".
He notes the logic of GCHQ's operations, asking "is it really a surprise that intelligence agencies try to circumvent technologies that might prevent them from collecting information? Or test these technologies for weaknesses?"
He likens this probing of vendor proficiency to real-world combat tactics: "In the hacker world as well as the military world, before conducting any operation it is vital to test offensive tools against defensive capabilities".
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.