The NSA and its British counterpart, Government Communications Headquarters (GCHQ), tried to hack into Russian and Chinese companies that make anti-virus and other security software to track users and infiltrate networks, according to documents leaked by former U.S. intelligence contractor and NSA whistleblower Edward Snowden. Citing documents leaked more than two years ago, The Intercept reported Monday that the NSA and GCHQ teamed up to carry out the cyberattacks.
Both spy agencies tried to reverse-engineer and bypass the security software of 23 companies, including Russia’s Kaspersky Lab and DrWeb; the Czech Republic’s AVG and Avast; China’s Antiy; and Finland’s F-Secure, according to the report. The attacks were reportedly conducted as part of “Project CAMBERDADA,” an operation that did not target America’s McAfee and Symantec or the U.K.’s Sophos.
“It is extremely worrying that government organizations would be targeting us instead of focusing resources against legitimate adversaries, and working to subvert security software that is designed to keep us all safe,” Kaspersky said, in a statement to The Intercept.
The Russian anti-virus firm announced earlier this month that its corporate network had been targeted by a state-sponsored hacking group linked to the Duqu malware, which was used in the 2010 Stuxnet attacks on Iran’s nuclear facilities.
“In early spring 2015 Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems,” the company said, in a statement at the time. “The attack was carefully planned and carried out by the same group that was behind the infamous 2011 Duqu APT attack. Kaspersky Lab believes this is a nation-state sponsored campaign.”
According to the leaked documents, the NSA and GCHQ targeted Kaspersky by studying the company’s software and by intercepting and monitoring customer emails that flagged new vulnerabilities and malware. A 2010 NSA presentation on “Project CAMBERDADA” revealed that, after obtaining the companies’ communications, NSA analysts examined “Kaspersky AV [anti-virus] to see if they continue to let any of these virus files through their Anti-Virus product,” The Intercept reported.
GCHQ said in a warrant renewal request, written in 2008, that Kaspersky’s software was a crucial target because it was considered an obstruction to its hacking operations.
“Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s CNE [Computer Network Exploitation] capability,” the U.K. spy agency said in the request, adding that reverse engineering “is essential in order to be able to exploit such software and to prevent such detection of our activities.”
According to Joxean Koret, a researcher with Coseinc, a Singapore-based information security consultancy, anti-virus products are easy and ideal targets because an attacker can obtain a wide range of key information from a single successful compromise.
“If you write an exploit for an anti-virus product you’re likely going to get the highest privileges (root, system or even kernel) with just one shot,” Koret told The Intercept.