
NSA breach leads to theft of government spy software

An NSA contractor who stored agency spying software on a personal device reportedly became the target of a cyberattack, and the breach has heightened fears about Russian government hacking.

A new report claims government spying software was stolen after a National Security Agency contractor stored confidential files on a personal device.

The NSA breach reportedly occurred in 2015, but it was not discovered until spring of 2016. According to the original report by the Wall Street Journal, the stolen data included code the NSA would use to infiltrate foreign computer networks and perform spying missions, as well as code used to defend U.S. networks.

The NSA breach reportedly occurred after a contractor removed highly classified materials from the agency network and stored them on a home computer. Unnamed sources claimed hackers working for the Russian government were behind the attack.

Although no evidence was offered to support the story, fears about Russia were stoked further by claims that the contractor was targeted because of his use of Kaspersky Lab software, implying that the attackers exploited the Kaspersky Lab software on the device to carry out the NSA breach.

The NSA did not respond to requests for comment, but Kaspersky Lab released a statement reiterating its past denials of involvement with the Russian government.

"Kaspersky Lab is a private company and has no political connections with any government in the world, including Russia," the company said. "The only conclusion the company can make in the current situation is that it has become a pawn in a geopolitical conflict."

What the NSA breach means

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said the transfer of classified files to a personal device was "a serious security issue whether Kaspersky was running on his machine or not."

"The Kaspersky connection is secondary. If, as reported, the individual was a [Tailored Access Operations] developer, he would likely have been targeted by Russian hackers without Kaspersky's help," Williams told SearchSecurity. "The security in most home networks is simply insufficient to protect classified data."

Williams added that there are many unanswered questions due to the lack of evidence presented in reports.

"If forensic investigators found evidence of Russian hackers on the contractor's machine, then I believe they could attribute that activity correctly. But the article doesn't really stipulate what happened," Williams said. "I would be extremely careful of confirmation bias in this case. I would be skeptical of any forensic analyst who says they can tie the theft of files on the machine to Kaspersky software. Now, if the intelligence community has additional information that proves those files were collected by Kaspersky, then that's something else entirely. As it stands, this sounds like it could be a case of confirmation bias."

Another NSA breach and more Russia fears

This NSA breach is another incident in a line of problems the government has had with contractors, going back to 2013 when NSA contractor Edward Snowden stole and subsequently leaked thousands of top-secret documents.

More recently, Harold Martin, another NSA contractor, was indicted for stealing classified material, including elite NSA cyberweapons, over the course of 20 years. Contractors have been implicated in other breaches, including the massive U.S. Office of Personnel Management breach disclosed in 2015, which was blamed on attackers stealing account credentials from a contractor.


Simon Gibson, fellow and security architect at Gigamon, based in Santa Clara, Calif., said insiders will always be an issue. He added that "preventative controls need improving, and the NSA needs to be able to see network traffic."

"The NSA needs to crack down on security measures -- both on the human and technology level. The contractor had these materials loaded onto his home system, and that simply should not be allowed to happen," Gibson told SearchSecurity. "Moving forward, the NSA needs to prioritize visibility into their network traffic and keep a close eye on who is using what. They need to log and track access and trust users, but also verify permissions."

The latest NSA breach is also another in a line of incidents blamed on Russian hackers, and the increased tensions have led U.S. lawmakers to voice suspicions that Kaspersky Lab has ties to the Russian government. In September, despite no evidence of such ties and Kaspersky's offer to let the U.S. government inspect its source code, the Department of Homeland Security issued a Binding Operational Directive banning Kaspersky software from use on federal government systems.

Gibson said Kaspersky Lab has "always been a friend to network defenders," but added that he understands the government needs to be careful with software that has system privileges, because "if it goes bad, it's game over."

"We simply can't risk having sensitive or classified information compromised, especially when the result could be online attacks on critical infrastructure," Gibson said. "In the case of Kaspersky, I feel as though we've lost an ally in the war of network defense. I could be wrong, but if this new Binding Operational Directive causes the company to lose business, chances are it will need to shrink its staff and be unable to provide as in-depth and valuable research as before."
