GCHQ and NSA try to crack Kaspersky software and others

Snowden files reveal reverse-engineering attempts on popular consumer anti-virus firms, as well as web forum surveillance

GCHQ and the NSA stand accused of reverse-engineering consumer anti-virus software in order to hide their operations, it has been revealed.

Hacking efforts by UK spy body GCHQ have been stymied in the past by security vendors such as Kaspersky Labs, according to a warrant renewal request published by The Intercept.

The warrant states that the Russian AV company in particular continues to "pose a challenge" to GCHQ, and that the agency's goal is to be able to "exploit such software and to prevent detection of [their] activities".

In order to circumvent this type of security, the agency examined various elements of it for vulnerabilities, using a technique known as Software Reverse Engineering (SRE).

As part of the "computer network exploitation" tactics covered by the warrant, GCHQ likewise examined popular forum software vBulletin, which the document claims is "widely used to run terrorist web forums".

It is also, however, used to run and maintain the large majority of legitimate forums, such as NeoGAF and SomethingAwful, and SRE methods have previously yielded the recovery of an unspecified number of user credentials.

As these SRE techniques could potentially constitute "an infringement of copyright", GCHQ requires a warrant from the government that provides legal cover and must be renewed every six months.

It was one such renewal request, dated from 2008, that was published today as part of the Snowden files. It is unclear whether this practice of reverse-engineering security software is still common, or what GCHQ hoped to achieve in the process.

The warrant also notes that the agency's success with reverse-engineering strategies has led to the development of capabilities against Cisco routers. This allows UK spies entry into the Pakistan Internet Exchange, where they have "access to almost any user of the internet inside Pakistan".

The NSA has also been undertaking similar projects. In a briefing from 2010, also part of the Snowden files, the US spy agency's "Project CAMBERDADA" was revealed to be intercepting the email traffic in which end-users report suspected malware to anti-virus vendors.

This information is used to compile a list of malware that vendors like Kaspersky have not yet adapted to combat. The agency's Tailored Access Operations unit then "repurpose[s] the malware", giving it piggyback access to machines and networks.

Kaspersky has been a notable opponent of state-sponsored intrusion. The Russian company had a hand in detecting and flagging multiple examples of suspected government malware such as the Gauss, Flame and Stuxnet viruses.

Earlier this month, the company discovered that it had itself been hit by the Duqu 2.0 worm, which founder Eugene Kaspersky believes to be a "nation-state sponsored campaign".

The company said in a statement that "we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries."

It decried the fact that government divisions are "actively working to subvert security software that is designed to keep us all safe."

Along with Kaspersky Labs, a total of 23 vendors were listed in the presentation on a slide jauntily titled "more targets!" These included Bit-Defender, Avast, Avira and Checkpoint, with examples from multiple US-allied countries although none from within the US itself, or the UK.

However, while this may come as a shock to some, others in the infosec community are less than astonished. Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, points out that "AV tools can be bought and pulled apart by anyone".

He notes the logic of GCHQ's operations, asking "is it really a surprise that intelligence agencies try to circumvent technologies that might prevent them from collecting information? Or test these technologies for weaknesses?"

He likens this probing of vendor proficiency to real-world combat tactics: "In the hacker world, as well as the military world, before conducting any operation it is vital to test offensive tools against defensive capabilities".
