Former U.S. spies say anti-virus software makes for a perfect espionage platform

Popular anti-virus software companies are a prime target for intelligence agencies because they have direct, continuous access into their clients’ networks and collect large quantities of data about them, former U.S. intelligence officials and cybersecurity experts say.

Although the targeting of anti-virus (AV) companies by government-backed hackers only recently became well-known, experts say sophisticated intelligence agencies have long understood the inherent value of infiltrating these firms to gather information and in some cases, spread malware.

“As cybersecurity companies centralize information and maintain access to their customers, securing the cloud-based infrastructure of those cyber companies becomes paramount,” said Ben Johnson, a former NSA computer scientist. “These organizations have become prime targets for intelligence agencies, militaries, and sophisticated cyber organizations looking for ways into corporate and government institutions.”

Because most anti-virus vendors have designed their products to autonomously search for computer viruses on users’ systems by directly scanning files and then sending that data back to a server for analysis, the software is highly intrusive by nature. Some of these anti-virus makers include Symantec, McAfee and the Moscow-based Kaspersky Lab.

“Aside from the remote risks, antivirus can extend the attack surface of a host,” said Blake Darche, a former computer network exploitation analyst with the NSA. “If an attacker can gain access to the central antivirus server within an organizations network, that central server can be used for malware distribution.”

What makes the technology so efficient in identifying and neutralizing viruses is also what makes it so effective as a spy tool, experts explained. Conversely, that’s what makes it important to guard as well.

“All AV relies on signatures and some of them are broad. All AV also gets some measure of data back from customers to look for false positives, new and otherwise undetected stuff. Many will also send files up for sandboxing,” said John Bambenek, a threat intelligence specialist with Fidelis Cybersecurity and host of Cybersecurity Today Radio. “If instead of looking for maliciousness I just look for other indicators I have the raw tools to either send that stuff to me or to take telemetry that says X signature was detected at Y IP address and use that for targeting.”

In addition to compromising the architecture behind anti-virus software, elite hacking groups have been known to routinely probe industry leading products. Secret 2015 U.S. government documents published by WikiLeaks earlier this year showed the CIA regularly conducted tests against popular defensive cybersecurity products to find weakness in them that could help the agency evade detection during offensive operations.

“AV is a risk to offensive cyber-operations,” said Jason Kichen, a former intelligence officer who managed offensive cyber-operations for the U.S. government.

“Understanding, at a deep level, how a specific AV platform works and how it functions allows tools to be built and tactics to be deployed that avoid detection by these platforms,” Kichen said. “The difference between an AV platform and rootkit is intent, not function. I need to avoid detection, but if I can compromise the local AV platform and then use it to enable my access, move laterally, or exfiltrate data, I can better maintain my clandestinity.”

In June 2015, NSA documents shared by Edward Snowden were published by The Intercept showing the NSA and its British counterpart, GCHQ, had actively worked to “subvert anti-virus and other security software in order to track users and infiltrate networks.”

Anti-virus software is unique largely because of the access it offers, the fact that it is widely adopted by a variety of different targets, internationally, and due to the recurrence of updates. Software updates, which can help patch bugs or other issues in a product, adds another attack vector because it provides a trusted avenue for the remote introduction of code into computers around the world.

Hackers in recent months, for example, were able to infect the update mechanism behind a popular file cleaning tool named CCleaner to dispense custom backdoor implants into targeted technology firms. The attackers in this incident, according to some security researchers, may have come from Chinese hackers connected to Beijing. Analysts say the operation illustrated, yet again, the dynamic security challenges underpinning software supply chains.

Two significant incidents reported in the last week also shed light on why and how anti-virus companies can be exploited for espionage purposes.

The first — which was originally reported by a combination of journalists from The Wall Street Journal, Washington Post and New York Times — details an apparent Russian spy mission to collect classified U.S. government documents by leveraging Moscow-based cybersecurity firm Kaspersky Lab to find classified material that was stored on Kaspersky users’ systems. It’s unclear exactly how this reported espionage occurred, if the company was complicit in the effort, or how Russian intelligence ultimately tapped into and exfiltrated files remotely from each computer of interest.

Kaspersky has denied any wrongdoing and subsequently called into question the journalists’ sources, who had provided information relevant to the alleged activity. The journalists criticized by Kaspersky are among the best in the industry in terms of reporting on intelligence and national security matters.

“We’ve been aware of this sort of threat for some time,” said Bambenek. “Ironically Kaspersky just presented last week on fourth-party collection. But I think people just assume a security company does things secure and that is a bad assumption.”

The second was a Wall Street Journal article about North Korean hackers who broke into the network of a South Korean military base by, among other things, successfully breaching the facility’s anti-virus provider in order to access secret war plans. The hackers, which are reportedly associated with Pyongyang, were successful because of a blatant configuration issue — classified servers had been mistakenly connected to the public internet — which opened the door for a multi-stage intrusion that hijacked a South Korean anti-virus product to gain a foothold.