Russian hackers managed to steal sensitive files from the home computer of an NSA contractor who used Kaspersky Lab's antivirus, according to the The Wall Street Journal. The revelation sheds light on the secretive reasons behind the US government ban of Kaspersky Lab products, and former NSA hackers I spoke to said they weren't surprised by the story, saying that it could explain rumors of a leaker at the NSA that have swirled for a year.
On Thursday, the Journal reported that in 2015 Russian hackers identified sensitive NSA files on the home computer of an NSA contractor thanks to their use of Kaspersky Lab antivirus, which apparently detected samples of NSA files on the contractor's computer. According to the report, the hackers detected that the contractor had files it deemed valuable because the contractor used the Kaspersky antivirus software on their computer. The Journal didn't provide details on exactly how the hackers retrieved those files, whether Kaspersky was aware its software was being used this way, or if it alerted the Russian government to these findings.
The breach wasn't identified until 2016, according to the report. If true, this is the third major breach of sensitive information from the NSA after contractors Edward Snowden and Harold Martin took files outside of the spy agency's buildings.
Eugene Kaspersky, the founder of the eponymous company, dismissed the new report.
"We have not been provided any evidence substantiating the company's involvement in the alleged incident," Kaspersky told me in a Twitter direct message, which preceded a longer statement. "And it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company."
"There's a lot of concern over more leaks, and not knowing where they're coming from and not being able to control them."
But the idea of a third leaker, or at the very least, a third breach at the NSA has been circulating for at least a year: Last year, The Washington Post reported the existence of a third, unknown leaker from the NSA. On Thursday, the newspaper confirmed that person is the same one mentioned in the WSJ story.
Besides that, I spoke to four different former NSA employees in an attempt to put the Wall Street Journal article in context. Each of them said the report aligns closely with rumors that have been circulating in government infosec circles.
A former NSA hacker, who asked to remain anonymous to talk about sensitive matters, told me that the WSJ report did not surprise them. Rumors of a third data breach or leaker had been swirling among former NSA employees for around a year. Two other former NSA employees, who also requested anonymity, confirmed there was a rumor of a third leaker.
"There's a lot of concern over more leaks, and not knowing where they're coming from and not being able to control them," a fourth former NSA employee, who also asked not to be named, told me in a phone call.
Read more: Your Government Hacking Tools Are Not Safe
In any case, according to my sources, it makes sense that antivirus companies would be targeted or used as leverage to hack other targets by government spies and hackers.
"Antivirus companies are gold mines for espionage groups, whether it's permitted or unwitting access," the first ex-NSA hacker told me. In this case, he said, either Kaspersky Lab helped the Russian hackers directly, or the hackers exploited Kaspersky software without the company's knowledge.
A former member of the US intelligence community told me that The Wall Street Journal story fits with what he knows firsthand about how Kaspersky's antivirus software works.
"The software, by design, is able to suck up any file Kaspersky tasks it to," the source, who asked to remain anonymous, told me. "They can make it grab any file that meets a signature globally or target it down to a specific machine."
This might just be how the company hunts for malware, much like other antivirus companies. In any case, Kaspersky denied this accusation as well.
"This is nonsense and misinterpretation of a common approach in the cybersecurity industry," Kaspersky told me.
Kaspersky Lab itself has been the victim of government hackers. In 2015, the company revealed that government spies, likely from Israel, had breached its internal systems—using a new version of a malware previously discovered by Kaspersky itself.
The Wall Street Journal story doesn't mention that this incident with the unnamed contractor is how the mysterious hacking group The Shadow Brokers obtained the top secret documents and hacking tools that they've been leaking for more than year now. But some experts are already timidly connecting the dots.
"Very cautious working assumption: yes," tweeted Thomas Rid, a professor at Johns Hopkins who has been studying Russian government hacking operations for years.
"The software, by design, is able to suck up any file Kaspersky tasks it to."
Motherboard can't confirm that Kaspersky software was used to detect NSA files on a contractor's computer as the The Journal reported, but the Russian antivirus company has been able to detect NSA software in the past. Kaspersky published two major reports on alleged GCHQ and NSA hacking operations late 2014 and early 2015, codenamed Regin and Equation Group. Regin was a sophisticated malware used to hack a Belgian telecom provider, and the company also published a lengthy report on several types malware attributed to the group codenamed Equation Group, which is largely believed to be the NSA.
Since Kaspersky was able to detect NSA malware, one possible explanation is that the Kaspersky Lab antivirus installed on the NSA contractor computer detected the sensitive files because they contained digital signatures related to the known Equation Group malware, as security and intelligence expert (and occasional Motherboard contributor) Marcy Wheeler wrote in a blog post.
As Rid tweeted, the new WSJ report answers a few questions, but raises many more. There is reason, now, to believe we might soon be able to start connecting the dots between this third major breach within the NSA, and the shadowy group that's been leaking the spy agency's hacking tools for months.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Get six of our favorite Motherboard stories every day by signing up for our newsletter.