NSA contractors back in spotlight after reported Russian theft

The Kremlin's spies reportedly uncovered the secret cyber weapons on a personal laptop running software made by Kaspersky Lab.

(AP Photo)

The National Security Agency is once again facing questions over its ability to safeguard the country's most powerful surveillance tools after The Wall Street Journal reported Thursday that Russian government hackers had pilfered classified NSA hacking code from a contractor.

The theft was made even worse by the fact that the Kremlin's spies reportedly uncovered the secret cyber weapons on a personal laptop running software made by Moscow-based cybersecurity firm Kaspersky Lab, which has been accused of having ties to the Russian government.
It's just the latest black eye for the agency in recent months, as two other contractors have also been arrested for leaking classified materials from the supposedly fortress-like spy agency. Additionally, leaked NSA hacking tools — possibly stolen from contractors — have been repurposed this year to launch two unprecedented cyberattacks that raced around the globe, seizing tens of thousands of computer networks.

“The NSA needs to get its head out of the sand and solve its contractor problem,” said Sen. Ben Sasse (R-Neb.). “Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.”

The incident is also bound to increase government scrutiny of Kaspersky, which has been fighting off allegations of links to Moscow for months.

“This development should serve as a stark warning, not just to the federal government, but to states, local governments and the American public, of the serious dangers of using Kaspersky software,” said Sen. Jeanne Shaheen (D-N.H.), who has been pushing Congress to permanently ban the government from Kaspersky software, following a directive from the Department of Homeland Security to eradicate Kaspersky from federal networks.

The digital theft revealed on Thursday took place in 2015, when an NSA contractor took home files detailing America’s digital intrusion and defense tactics and placed them on his home computer, which ran Kaspersky’s antivirus software, according to the Journal. The software somehow flagged the files, and Kremlin spies subsequently stole them.

Sources told the Journal that the stolen documents described “how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S.”


The incident “prompted an official letter of reprimand” to NSA Director Adm. Mike Rogers, according to the publication’s sources.

It is unknown how Russia obtained the files from the contractor’s computer. But antivirus programs regularly scan for evidence that a computer has been hacked. If the contractor’s files contained code that matched known NSA malware, Kaspersky’s software could have detected it and flagged it as an infection for Kaspersky researchers.

“Someone in Kaspersky headquarters would have begun reviewing that system in more depth,” Blake Darché, a former hacker for the NSA, told POLITICO. While inspecting the contractor’s computer, “they may have found a folder containing” the NSA files, “and then that folder may have been sucked up for collection as well.”

“Kaspersky is known to use their technology in this way,” said Darché, who is now the chief security officer at cyber defense firm Area 1 Security.

Kaspersky’s chief executive officer hinted that this was how the incident may have begun. “We make no apologies for being aggressive in the battle against cyber threats,” Eugene Kaspersky tweeted.

If the Kremlin had access to Kaspersky’s data, it would have seen this happen and could have tasked its spies with retrieving the files. But there is no indication that Kaspersky knowingly alerted the Russian government to the files or helped it acquire them.

Kaspersky told POLITICO in a statement that it “has not been provided any evidence substantiating the company’s involvement in the alleged incident.”

“The only conclusion,” the company said, “seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”

Regardless, Thursday’s report will train a harsh spotlight back on the NSA’s ongoing failure to stop insider leaks.

Starting with Edward Snowden in 2013, the NSA has seen its fearsome reputation tarnished by a string of high-profile contractor breaches.

Most recently, Harold Martin and Reality Winner were arrested for physically removing classified information from NSA facilities. While Winner has been accused of sneaking out only one document related to the alleged Russian hacking campaign targeting last year’s presidential election, Martin had been smuggling out reams of files — both physical and digital — for years, according to prosecutors.

Contractors present a unique personnel challenge because they fit in a gray area between private sector and government workers.

“We need to change the method for conducting [contractor] oversight,” Michael Daniel, former President Barack Obama’s cybersecurity coordinator, told POLITICO.

“The federal government supervisor sitting in the same space as a given contractor can't really do personnel oversight, because they are a contractor,” Daniel said. “On the other hand, the contractor's home company never sees them, because they are always off on contract sites.”

Neither Martin nor Winner was believed to have been working on behalf of a foreign government. But their leaks have led to concerns that they exposed valuable data to foreign hackers merely by taking it out of the building — as apparently happened in the incident reported Thursday.

“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them,” Sasse said.

Collectively, the breaches have also called into question the NSA’s ability to safeguard the extraordinarily powerful digital tools it wields, especially in the wake of two global ransomware outbreaks powered by code from leaked NSA tools.

Those digital assaults, which occurred in May and June, locked up tens of thousands of computers at international firms, universities and government agencies around the world. The malware — which was derived from stolen NSA code — even forced some hospitals to stop admitting new patients with serious medical conditions.

If Russia has indeed made off with more top-secret NSA hacking tools, it can now similarly use those weapons against others. Given the recent series of leaks, digital rights groups have been calling on the NSA not to hoard the software flaws that its cyber weapons are exploiting.

“The government should be doing everything it can to disclose previously unknown security vulnerabilities as soon as possible,” said Robyn Greene, policy counsel at New America’s Open Technology Institute, a digital rights advocacy group. “Otherwise, we'll all just be waiting for the other shoe to drop — for when we find out that our software can be or has been hacked by foreign actors or criminals.”

Thursday's report has already ratcheted up lawmakers' anger over Kaspersky, a globally popular cybersecurity firm that was once approved for government use but has fallen out of favor in recent months over allegations that it maintains close links to the Kremlin. DHS recently banned all federal agencies from using the firm's software, and lawmakers are considering legislation that would codify the ban.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” DHS said in a statement at the time.

On Thursday, Kaspersky again denied any “inappropriate ties to any government, including Russia.”

Still, lawmakers like Shaheen used the opportunity to call on the Trump administration to declassify any details it has about Kaspersky’s ties to the Kremlin.

“It’s a disservice to the public and our national security to continue withholding this information,” she said.

Virginia Sen. Mark Warner, the Intelligence Committee’s top Democrat, told POLITICO on Thursday, “I think there has been widespread concern about Kaspersky.”

Martin Matishak contributed to this report.