At times, it does not pay to be the brightest kid on the block. But Kaspersky Lab might even have got away with this, had it not been for a catastrophic leak of Windows vulnerabilities crafted by the NSA via a group that has called itself the Shadow Brokers.
The Brokers, which is how I will refer to the group from now on, leaked a number of NSA Windows exploits on the Web in April 2016.
Even today, despite a long-running investigation by the NSA's counter-intelligence arm, the Q Group, and the FBI, there is no clue as to how these exploits, created by the NSA's elite Tailored Access Operations group, leaked to the outside world. They are all now publicly available on the Web and have been used to craft some of the more widely spread ransomware attacks like last year's WannaCry and NotPetya attacks.
For those who have taken the time and the trouble to read through the sometimes garbled posts put up by the Brokers, it should be clear that they have been written by someone, or some people, for whom English is a first language. This would not be immediately apparent to someone who has not moved around in countries where English is not the dominant language.
Another fact that is inescapable about the Brokers is that whoever is behind this group has intimate knowledge of the inner workings of the NSA. Otherwise, the group would have been unable to provide detailed information about former NSA hacker Jake Williams on its Twitter account.
The tweets, since deleted, provided such a level of detail about the activities of Williams, a former member of the TAO, that he was reluctant to travel to certain countries for a while, given that the tweets indicated that his NSA work may have been aimed against these countries.
Kaspersky Lab was tied to the Brokers through claims in the three main US mainstream newspapers – The New York Times, The Wall Street Journal and the Washington Post.
Permit me to digress a bit, gentle reader, while I explain what anti-virus software does. This genre of software operates like a rootkit; it has access to every file on a Windows system — desktop Linux users do not need any A-V software and Mac users can get away without using it as well — and all A-V software uploads suspicious files to a given location for later analysis.
At times, this is a virus database like the Google-owned VirusTotal, at others it is a database owned by the A-V company in question. In the case of Kaspersky, when a service called Kaspersky Security Network is switched on, suspicious files are uploaded to its servers in Moscow for analysis by its own staff.
With the home version of Kaspersky A-V, the user has to opt in to KSN; the corporate product will query the KSN (by sending an MD5 hash and the file size), but nothing is uploaded. There is no option for businesses to upload files.
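To make the distinction above concrete, here is an added illustration (constructed example code, not Kaspersky's KSN client or protocol) of the two telemetry modes: a hash-and-size reputation query, in which only a fingerprint leaves the host, versus a full sample upload, in which the vendor ends up holding the file itself. The reputation table and sample buffers are constructed for the example.

```python
"""Hash-and-size reputation lookup versus full sample upload.

Constructed example, not Kaspersky's KSN code. It shows what each mode
discloses to the vendor: a fingerprint, or the file contents themselves.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

Fingerprint = Tuple[str, int]  # (MD5 hex digest, size in bytes)

# Constructed reputation table; the vendor side of a hash query.
# Populated below from the constructed samples, so no hashes are invented.
REPUTATION: Dict[Fingerprint, str] = {}


def fingerprint(data: bytes) -> Fingerprint:
    """What a corporate-style query sends: digest and length, not content."""
    return hashlib.md5(data).hexdigest(), len(data)


def query_reputation(data: bytes) -> str:
    """Hash-only lookup. A never-seen file simply comes back 'unknown';
    the service learns nothing about its contents."""
    return REPUTATION.get(fingerprint(data), "unknown")


@dataclass
class UploadRecord:
    fingerprint: Fingerprint
    content: bytes  # the full sample is now in the vendor's hands


def upload_sample(data: bytes) -> UploadRecord:
    """Home/KSN-style submission: the whole file is sent for analysis."""
    return UploadRecord(fingerprint(data), data)


def content_bytes_disclosed(data: bytes, upload: bool) -> int:
    """How many bytes of file content leave the host in each mode."""
    return len(upload_sample(data).content) if upload else 0


# Constructed sample buffers standing in for a known and an unseen binary.
KNOWN_BAD = b"MZ\x90\x00constructed-known-malware-sample"
UNSEEN = b"MZ\x90\x00constructed-never-seen-binary"
REPUTATION[fingerprint(KNOWN_BAD)] = "malicious"

if __name__ == "__main__":
    print("known sample verdict:", query_reputation(KNOWN_BAD))
    print("unseen sample verdict:", query_reputation(UNSEEN))
    print("bytes disclosed by query:", content_bytes_disclosed(UNSEEN, False))
    print("bytes disclosed by upload:", content_bytes_disclosed(UNSEEN, True))
```

Note that MD5 is not collision-resistant, so a hash-only lookup is a reputation check rather than a proof of identity; the point here is only what data crosses the wire.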
The US media reports hinted that Kaspersky Lab had uploaded NSA files to its own servers after they had been detected as malware on an NSA employee's Windows computer. The inference is that they were then handed over to, or intercepted by, Russian Government hackers and then passed on to the Shadow Brokers.
If one were to believe this theory, then the Brokers are a Russian creation, or at least one which is in cahoots with Russia.
But the language used by the Brokers argues against this; only a native English speaker could craft language such as that used by them. And my judgement is made as someone who is a native English speaker, despite having been born in an environment that is far removed from any English-speaking country.
For its sins, Kaspersky Lab has been cut out of supplying security software to the US public service.
It is quite likely that Kaspersky Lab would have suffered this fate anyway, after it repeatedly exposed the antics of a number of nation states, beginning with the UK's GCHQ in 2014, which tried to hack a Belgian telecommunications provider.
In 2015, Kaspersky exposed a group it called the Equation Group, which has long been rumoured to be an internal NSA unit. The company also detailed how the Stuxnet operation was carried out to cripple Iran's nuclear reactors. Stuxnet was discovered by Sergey Ulasen in 2010; he joined Kaspersky Lab a year later. The virus was infiltrated into Iran's nuclear labs through a USB drive, as the lab was not connected to any external network.
Israeli Government hackers breached the Kaspersky network in 2014; after the company found out in 2015, it wrote a long, detailed analysis of the incident.
But the leaks by the Shadow Brokers were the straw that broke the camel's back. Even so, had the NSA been able to determine the identity of those behind the leaks early on in the piece, Kaspersky Lab may have escaped.
Given that the NSA, the best-resourced and most experienced digital spy outfit in the world, had been caught with its pants literally around its ankles, someone had to pay a price.
The convenient scapegoat was Kaspersky Lab. Convenient, because in the midst of the bloodletting over the Democrats' 2016 presidential loss, there was a need for a scapegoat and Russia fitted the bill, despite there being very scanty and incomplete evidence.
Kaspersky Lab is undoubtedly Russian. Its founder, Eugene Kaspersky, worked for Soviet military intelligence in the distant past. Whoa, the US has got its bête noire.