Russian government hackers lifted details of U.S. cyber capabilities from a National Security Agency employee who was running Russian antivirus software on his computer, according to several individuals familiar with the matter.
The employee had taken classified material home to work on it on his computer, and his use of Kaspersky Lab antivirus software enabled Russian hackers to see his files, the individuals said. The case, which dates to 2015 and has not been made public, remains under investigation by federal prosecutors.
The NSA declined to comment on the breach, which was first reported by the Wall Street Journal.
The employee involved was a U.S. citizen born in Vietnam and had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on the condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.
The theft of the material enabled the Russian government to more easily detect and evade U.S. government cyberespionage operations, thwart defensive measures and track U.S. activities, the individuals said. It is the latest in a series of damaging breaches of the NSA in recent years and is among the first concrete indications of why the U.S. intelligence community believes that Kaspersky Lab software operates as a tool for Russian espionage.
The breach “serves as a stark warning — not just to the federal government, but to states, local governments and the American public — of the serious dangers of using Kaspersky software,” said Sen. Jeanne Shaheen (D-N.H.), a vocal critic of Kaspersky who has pushed for the software’s ban in federal networks.
The material the employee took included hacking tools he was helping to develop to replace others that were considered compromised following the breach of NSA material by former contractor Edward Snowden, said one individual familiar with the matter.
The Washington Post reported the 2015 removal of the employee last November.
The incident underscores the risks of using products as seemingly innocuous as antivirus software, which can be leveraged for national security purposes.
The breach predates last year’s arrest of former NSA contractor Harold T. Martin III, who was accused by officials of carrying out what is said to be the largest theft of classified information in U.S. history. Martin pleaded not guilty this year to violating the Espionage Act and is awaiting trial.
The intelligence community has long assessed that Kaspersky has ties to the Russian government. A Russian law requires telecommunications companies in the country to provide access to their networks. Kaspersky’s servers are located in Moscow, which means that customer data flowing through its servers passes through those same telecom providers’ networks, a person familiar with the matter told The Post.
Kaspersky Lab said in a statement that it “does not have inappropriate ties to the Russian government.”
“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident,” the company said, “and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company.”
Last month, the U.S. government moved to ban the use of Kaspersky security software by federal agencies over concerns it had ties to Kremlin cyberespionage activities. The Department of Homeland Security ordered civilian agencies to identify Kaspersky Lab software on their networks and remove it after 90 days unless otherwise directed.
The government said the move was made on the grounds that Kaspersky had connections to the Russian government and that its software posed a security risk. Months earlier, the General Services Administration had removed Kaspersky from its list of approved vendors, suggesting that the software contained a vulnerability that could give Moscow backdoor access to the very systems the company said it protects.
“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them,” said Sen. Ben Sasse (R-Neb.). “Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.”
All antivirus products, including Kaspersky’s, work in a similar fashion. The product is installed on a customer’s computer to detect malicious software. To keep its detection capability up to date, the software routinely connects to the antivirus company’s servers. That connection is a double-edged sword. It allows the software to be updated, but it also gives the company an opportunity to inspect files on the computer — and to remove them.
At a Senate Intelligence Committee hearing in May, the chiefs of six major U.S. spy agencies all said they would not use Kaspersky software on their computers.
The company’s founder, Eugene Kaspersky, graduated from a KGB-supported cryptography school and had worked in Russian military intelligence.
Shaheen has called for a hearing on the matter.
“The strong ties between Kaspersky Lab and the Kremlin are extremely alarming and have been well documented for some time,” Shaheen said. “It’s astounding and deeply disturbing that the Russian government continues to have this tool at their disposal to harm the United States.”
[This story has been updated to reflect the employee’s U.S. citizenship.]