New N.S.A. Breach Linked to Popular Russian Antivirus Software

By Scott Shane, David E. Sanger and Nicole Perlroth

WASHINGTON — In the latest case of an insider removing sensitive data from the nation’s largest intelligence agency, Russian hackers obtained classified documents that a National Security Agency employee had taken and stored on his home computer. Investigators believe the hackers may have penetrated the computer by exploiting Kaspersky Lab antivirus software, a Russian brand widely used around the world, that the employee was using, according to officials briefed on the matter.

The highly classified material involved the agency’s techniques for breaking into foreign computer networks to collect intelligence, the officials said. The case appears to be separate from a larger breach of security, by a group calling itself the Shadow Brokers, which has been publicly posting samples of the agency’s hacking tools periodically for more than a year. The case was first reported by The Wall Street Journal on Thursday.

Investigators say the employee does not appear to have intended to let the sensitive cybertools escape to the outside world. Officials believe he took the material home — an egregious violation of agency rules and the law — because he wanted to refer to it as he worked on his résumé. The maker of the antivirus software installed on his home computer, Kaspersky Lab, is a Russian company that American security officials have long feared may cooperate with, or be infiltrated by, the Russian government.

The officials did not make their concerns public, and the antivirus software remains popular. But last month the federal government ordered the Kaspersky software removed from all government computers. The F.B.I. has been investigating whether Kaspersky products, especially the well-reviewed antivirus programs, contain “back doors” that could allow Russian intelligence agencies into any computers or networks on which they are running. The company has always denied that it has any links to Russian intelligence.

It is unclear whether the National Security Agency breach played a major role in the government’s decision to ban Kaspersky products. While the Russian theft was first discovered two years ago, the Kaspersky link was understood only more recently.

The concerns about Kaspersky Lab date back many years, in part because its founder, Eugene Kaspersky, attended a K.G.B. technical college and served in military intelligence. Tim Evans, a former National Security Agency lawyer, said that in 2008 he was dispatched by the agency to the United States Patent Office to retrieve every patent application filed by Kaspersky so that the agency could study the names of its employees for known officers of the F.S.B., the K.G.B.’s successor.

“This is an old question for N.S.A.,” said Mr. Evans, now with Adlumin, a cybersecurity contractor.

While federal prosecutors in Maryland are handling the case, the agency employee who took the documents home does not appear to have been charged. In the past, taking classified information from agency premises and storing it on an insecure computer has been considered a prosecutable offense. John M. Deutch, who served as director of the C.I.A. in 1995 and 1996, was investigated after classified information was found on his unclassified laptops. He agreed to plead guilty to a misdemeanor but was pardoned by President Bill Clinton.

The breach is only the latest blow to the National Security Agency, which for decades has broken foreign codes and eavesdropped on telephone and other communications. Today it devotes a huge effort as well to penetrating computer networks overseas to gather information.

In 2013, Edward J. Snowden, an agency contractor in Hawaii, took hundreds of thousands of classified documents, flew to Hong Kong and turned the material over to journalists. Last year, another contractor, Harold T. Martin III, was discovered to have taken an even larger quantity of agency data to his Maryland home, where he stored it in his car and in a shed in his yard. About the same time Mr. Martin was arrested, the unidentified Shadow Brokers began to post some of the agency’s most guarded software tools on the web.

“They just keep getting hammered,” said Robert S. Johnston, the president of Adlumin and another former agency officer. “N.S.A. used to say they’d never had a spy. That’s totally changed since 2013.”

Several former agency officers said the breach might not necessarily require complicity on the part of Kaspersky Lab. Antivirus software routinely scans files to hunt for malware and even uploads files to the cloud for particular study. By redirecting data between the employee’s computer and Kaspersky back to their own servers, via a “man in the middle attack,” or hacking Kaspersky’s software and adding a back door, Russian operators could have potentially downloaded the employee’s files without Kaspersky’s knowledge.

“Antivirus software could totally be used for espionage,” said Jake Williams, a former officer at the agency and the founder of Rendition Infosec, a cybersecurity contractor. “It looks damning for Kaspersky, but we don’t yet know the whole story.”

Originally published in The New York Times / October 5, 2017

Adam Goldman contributed reporting from New York. A version of this article appears in print on , Section A, Page 22 of the New York edition with the headline: Security Agency Breach Is Linked to Popular Russian Antivirus Software.