The loss of NSA software downloaded by a Moscow cybersecurity organization is a national-security disaster for the United States, and the response to the theft has been far from satisfactory. Here’s the background.

Kaspersky Lab is a security company that develops and sells anti-virus software. It is based in Moscow; it has offices in the United States and elsewhere. The US government was, until very recently, a big customer for Kaspersky software and installed it on computers even in such sensitive places as the Pentagon and Central Intelligence Agency.

While there were always security experts who thought such reliance on a Moscow-based security company was crazy, for a long time they had no concrete evidence that there was anything wrong with the products. Intelligence agencies discovered no backdoors or funny code lurking in the software. So not only did Kaspersky’s products survive that scrutiny, they got US government support and became very popular.

But now concrete and disturbing evidence has been uncovered by Israel’s famed Unit 8200 cyber-intelligence group. The Israelis got inside Kaspersky’s computers and found highly classified US documents, including source code for National Security Agency programs important to America’s national security and by extension to America’s friends abroad. Israel informed the United States of the security breach.

The most important software found on Kaspersky’s computers by Unit 8200 was code based on the Duqu virus, a “son of Stuxnet,” the malware that partially shut down Iran’s centrifuges and was allegedly developed in partnership between the NSA and Israel’s 8200 organization.

Duqu can carry out a number of tasks including attacking the operating systems of computers run by hostile forces. Kaspersky had been writing and commenting about Stuxnet and Duqu for some time, so it was a major intelligence coup that it had gotten its hands on the NSA version of Duqu’s attack system.

For example, it might mean that the NSA-Israeli product that could be used to shut down an enemy command and control or missile system could be blocked by the Russians. There is no doubt that the leak of this information constitutes a huge loss for the US government in combating the threats it faces today.

Even more interesting, the Israelis also found that the classified information came from a home computer belonging to an NSA employee. We don’t know how long this information remained in Kaspersky’s computers, and Kaspersky says it destroyed the information.

Here is Kaspersky’s explanation, reported by Wired magazine:

According to Kaspersky, the NSA staffer had in 2014 run a pirated version of Microsoft Word, along with a so-called “keygen” tool used to register it with a spoofed key, and which was infected with malware that included a “full-blown backdoor” capable of allowing the theft of the NSA tools by any third party that controlled the malware. While the NSA staffer had in fact installed Kaspersky’s antivirus software, he or she had it turned off at that time, Kaspersky says, and only turned it on again in November of 2014.

Kaspersky acknowledges that on another occasion, the Kaspersky software did detect and upload a trove of NSA hacking tools from the staffer’s computer, but asserts that Eugene Kaspersky himself ordered them deleted, without sharing them with any other organization.

It is logical that Kaspersky’s anti-virus software would have found the malware that allegedly came from an illegal copy of Microsoft Word. Any anti-virus program that detects a threat would attempt to clean it, usually by deleting the files associated with it. The user, of course, can decide not to allow the software to purge the threat. So in this case, either Kaspersky did not attempt to purge the alleged threat or the user refused to allow it to do so.

Neither presumption makes sense. Kaspersky acknowledges that the threat remained and that the company exploited it by downloading whatever was on the NSA employee’s computer, although Kaspersky claims to have destroyed the files. Are we to assume the employee had no idea? Are we to assume Kaspersky did not know whose computer it was targeting? Or should we assume that one of them, or both, knew perfectly well?

The NSA employee had taken home highly classified national-security information without authorization. Why? It makes no sense to think he was planning to work on sensitive NSA spyware while he sat on his sofa and watched TV. Was he preparing to sell the software to a third party?

We do know Kaspersky must have known this guy was an NSA employee, if only by what the firm found on his computer, which were highly classified NSA hacking tools and their source code.

Highly placed individuals working on sensitive US government projects are often targeted by foreign intelligence services. Operatives use a technique called “phishing” to induce a targeted individual to download malware or spy tools onto their computer. A typical gimmick is to send an e-mail or Word file with an invitation that, when opened, drops the malware onto the victim’s computer. Finding the individuals to target became much easier after the theft of millions of people’s security information files from the General Services Administration.

If this is how it was done in the case of the NSA employee, there are a few things to note. First is that the anti-virus tool need not have been the source of the malware, but some additional code – perhaps in the malware planted through a phishing operation – would make the anti-virus software capable of executing a file-download command, significantly enhancing the anti-virus software and creating a very effective backdoor. In this case, the anti-virus software would be the transmission vehicle and thus would not be suspect.

We don’t know that the NSA employee was compromised this way, but it is interesting that Kaspersky acknowledges that it did download NSA files on the employee’s computer some time after the software actually detected a virus/malware embedded in an illegal copy of Word. How else would it have done that?

The US government, through the Department of Homeland Security, has put out a binding directive telling government agencies to identify and then to remove Kaspersky software from their computers. The directive, however, does not include government contractors, and of course has nothing to say about civilian use in business or homes.
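The directive’s first step is to identify the software before removing it. As an added illustration (not part of the article and not an official DHS tool), the following read-only PowerShell inventory reports installed programs, services and running processes on a Windows host whose name or publisher matches a vendor string; the vendor string defaults to the one named in the article, and the script changes nothing on the machine:

```powershell
# Added example, not from the article: read-only inventory of software, services
# and processes matching a vendor string. The default vendor is the one the
# article names; the check itself is generic and makes no changes to the host.
param(
    [string]$Vendor = 'Kaspersky'
)

# The Uninstall hives are what "Programs and Features" reads, so this is the
# same view an administrator sees; 32-bit installs on 64-bit Windows live under
# WOW6432Node, and per-user installs live under HKCU.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Installed programs, matched on DisplayName or Publisher.
$programs = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Vendor -or $_.Publisher -match $Vendor } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString)

# 2. Services: security products register services that can survive a
#    half-finished uninstall, so check these separately from the program list.
$services = @(Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Vendor -or $_.Name -match $Vendor } |
    Select-Object Name, DisplayName, Status)

# 3. Running processes, matched on the executable's company name where the
#    version resource carries one, or on the process name otherwise.
$processes = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Company -match $Vendor -or $_.ProcessName -match $Vendor } |
    Select-Object ProcessName, Id, Path)

# One record per host; "Found" is the field a fleet-wide report should key on.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Vendor       = $Vendor
    Programs     = $programs
    Services     = $services
    Processes    = $processes
    Found        = ($programs.Count + $services.Count + $processes.Count) -gt 0
}
```

Run it from an elevated PowerShell session on each host (or through PowerShell remoting) and collect the output, for example piped through ConvertTo-Json, so that an agency or contractor can see which machines still carry the software before any removal begins; the same check run again after removal confirms that no service or process was left behind.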

In light of the latest evidence, attention should be given not only to removing software, but requiring the use of a reliable domestic anti-virus system to clean all government and contractor machines to rid them of any planted or suspected malware. The working assumption has to be that most or all of them are infected.

So far the US government has only taken baby steps to fix the problem, and the level of urgency is suspect. There needs to be an emergency program that is capable of assessing the losses so far suffered and fixing the threat to US security.