Documents from the National Security Agency and the United Kingdom's Government Communications Headquarters (GCHQ) obtained by former NSA contractor Edward Snowden reveal that the two agencies—and GCHQ in particular—targeted antivirus software developers in an attempt to subvert their tools to assure success in computer network exploitation attacks on intelligence targets. Chief among their targets was Kaspersky Labs, the Russian antivirus software company, according to a report by The Intercept's Andrew Fishman and First Look Media Director of Security Morgan Marquis-Boire.

Kaspersky has had a high profile in combatting state-sponsored malware and was central in the exposure of a secret NSA-backed hacking group that had been in operation for 14 years. More recently, it was revealed that Kaspersky had come under direct attack from an updated version of the Duqu malware—possibly launched by an Israeli-sponsored hacking group. The same malware was found on the networks of locations hosting negotiations over Iran's nuclear program. But the latest Snowden documents show that both the NSA and GCHQ waged a somewhat more subversive battle against Kaspersky—both by attempting to reverse-engineer the company's antivirus software and by leveraging its intelligence-collection operations for their own benefit.

Kaspersky was not the only target, but the company was the one most prominently mentioned in the Snowden documents released today by The Intercept. GCHQ officials mentioned Kaspersky by name in a warrant extension request "in respect of activities which involve the modification of commercial software" in June 2008, requesting authorization to reverse engineer Kaspersky's and other companies' software products to exploit them for intelligence purposes. (The original warrant had been in place since at least January of 2008.)

In the text of the warrant application, GCHQ officials wrote, "Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ’s [computer network exploitation] capability and [software reverse engineering] is essential in order to be able to exploit such software and to prevent detection of our activities. Examination of Kaspersky and other such products continues."

In a classified NSA slide presentation from 2010 on "Project Camberdada," NSA analysts discussed how the agency intercepted e-mails to Kaspersky containing malware samples. NSA analysts used the malware samples not only to configure NSA and other government malware defenses but also to look at ways to repurpose the malware for espionage purposes.

Camberdada began tapping into the flow of malware samples to Kaspersky through "signals intelligence collection" in 2009—most likely via XKeyscore, the worldwide Internet traffic processing system constructed by the NSA and other members of the "Five Eyes" intelligence community. Through that collection, the NSA was able to gather about 10 "potentially malicious files" per day. By the time of the presentation in 2010, over 500 such files had been collected. Over that period, 50 new malware signatures had been added to the intrusion-detection and -prevention systems of the Department of Defense's NIPRnet sensitive-but-unclassified internal network, and nine domain names associated with the malware had been added to NIPRnet's "Cloudshield" DNS blocking system.

In the 2010 NSA presentation, NSA analysts noted that the malware collected from Camberdada monitoring of Kaspersky could also potentially be repurposed by the Tailored Access Office at the NSA to attack intelligence targets' systems. The NSA could also "check Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product," the analysts suggested, and "monitor the folks who provide the malware to see if they're into more nefarious activity." The analysts also listed other non-US antivirus companies that could potentially be targeted, including Checkpoint, F-prot, F-secure, and Bit Defender—though the documents do not make clear whether any of these products were ever actually targeted.

Update: A spokesperson from Kaspersky provided the following statement on the report: "As noted during the recent Duqu 2.0 nation-state sponsored attack, we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries and are actively working to subvert security software that is designed to keep us all safe. We are closely reviewing and investigating the information disclosed today in order to assess the potential level of risk it may pose to our infrastructure and how to effectively mitigate it. Once again, we would like to stress the need for security companies to work together as a community and fight for user privacy, the right to privacy on the Internet, thwart mass surveillance and make the world a safer place."