GCHQ and NSA try to crack Kaspersky software and others

Kaspersky sign on a white post

GCHQ and the NSA stand accused of reverse-engineering consumer anti-virus software in order to hide their operations, it has been revealed.

Hacking efforts by UK spy body GCHQ have been stymied in the past by security vendors such as Kaspersky Labs, according to a warrant renewal request published by The Intercept.

The warrant states that the Russian AV company in particular continues to "pose a challenge" to GCHQ, and that the agency's goal is to be able to "exploit such software and to prevent detection of [their] activities".

In order to circumvent this type of security, the agency examined various elements of it for vulnerabilities, using a technique known as Software Reverse Engineering.

As part of the "computer network exploitation" tactics covered by the warrant, GCHQ likewise examined popular forum software vBulletin, which the document claims is "widely used to run terrorist web forums".

It is also, however, used to run and maintain a huge majority of legitimate forums such as NEOGAF and SomethingAwful, and SRE methods have previously yielded the recovery of an unspecified number of user credentials.

As these SRE techniques could potentially constitute "an infringement of copyright", GCHQ requires a legally-protecting warrant from the government that must be renewed every six months.

It was one such renewal request, dated from 2008, that was published today as part of the Snowden files. It is unclear whether this practise of reverse-engineering security software is still common, as well as what GCHQ hoped to achieve in the process.

The warrant also notes that the agency's success in reverse-engineering strategies have led to developing capabilities against Cisco routers. This allows UK spies entry into the Pakistan Internet Exchange, where they have "access to almost any user of the internet inside Pakistan".

The NSA has also been undertaking similar projects. In a briefing from 2010, also part of the Snowden files, the US spy agency's "Project CAMBERDADA" was revealed to be intercepting malware-flagging email traffic between end-users and anti-virus vendors.

This information is used to compile a list of malware that vendors like Kaspersky have not yet adapted to combat. The agency's Tailored Access Operation unit then "repurpose the malware", allowing them piggyback access to machines and networks.

Kaspersky has been a notable opponent of state-sponsored intrusion. The Russian company had a hand in detecting and flagging multiple examples of suspected government malware such as the Gauss, Flame and Stuxnet viruses.

Earlier this month, the company discovered that it had itself been hit by the Duqu 2.0 worm, which founder Eugene Kaspersky believes to be a "nation-state sponsored campaign".

The company said in a statement that "we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries."

It decried the fact that government divisions are "actively working to subvert security software that is designed to keep us all safe."

Along with Kaspersky Labs, a total of 23 vendors were listed in the presentation on a slide jauntily titled "more targets!" These included Bit-Defender, Avast, Avira and Checkpoint, with examples from multiple US-allied countries although none from within the US itself, or the UK.

However, while this may come as a shock to some, others in the infosec community are less than astonished. Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, points out that "AV tools can be bought and pulled apart by anyone".

He notes the logic of GCHQ's operations, asking "is it really a surprise that intelligence agencies try to circumvent technologies that might prevent them from collecting information? Or test these technologies for weaknesses?"

He likens this probing of vendor proficiency to real-world combat tactics; "In the hacker world as well as the military world before conducting any operation it is vital to test offensive tools against defensive capabilities".

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.