UK and US spy agencies targeted Russian and Chinese anti-virus firms: Snowden leaks

PUBLISHED : Tuesday, 23 June, 2015, 1:05pm
UPDATED : Tuesday, 23 June, 2015, 5:18pm

American and British spy agencies tried to break into popular anti-virus and computer security software to infiltrate networks and track users, according to documents leaked by former US intelligence analyst Edward Snowden.

New documents released by The Intercept illustrate how the National Security Agency and its British counterpart, Government Communications Headquarters (GCHQ), spied on the makers of the software and sought to reverse engineer and bypass their products.

The Intercept is a media platform co-founded by journalist Glenn Greenwald to report on the documents leaked by Snowden. Greenwald had been one of the journalists who first revealed Snowden’s material.

According to The Intercept, firms targeted included Russia’s Kaspersky Lab, Czech makers Avast and AVG and Chinese firm Antiy. Between them, the companies have almost a billion users.

Founded in Harbin in 2000, Antiy is a relatively small firm which focuses on mobile security, with around 10 million users worldwide. The revelations that Chinese firms were targeted by US spies will come as an embarrassment ahead of President Barack Obama's summit with Chinese leader Xi Jinping in the US in September.

Neither leading American anti-virus makers McAfee and Symantec nor UK firm Sophos were targeted, according to the documents.

Anti-virus firms are no strangers to being targeted by hackers.

This month, Kaspersky revealed that its corporate network had been compromised by a state-sponsored group linked to the Duqu malware, which is believed to have been used as a precursor to the 2010 Stuxnet attacks on Iranian nuclear facilities.

"As noted during the recent Duqu 2.0 nation-state sponsored attack, we find it extremely worrying that government organisations are targeting security companies instead of focusing their resources against legitimate adversaries, and are actively working to subvert security software that is designed to keep us all safe," Kaspersky said in a statement.

AVG and Antiy did not immediately reply to requests for comment by the South China Morning Post. Avast said that its targeting by the spy agencies "proves that we don't work with the NSA and GCHQ ... our commitment to our customers is to provide protection from all forms of spying".

READ MORE: Britain pulls out spies as Russia, China 'crack Snowden files': reports

A top-secret report outlining "Project Camberdara", as the NSA-led initiative was called, explained how spies targeted Kaspersky, studying the company's software for weaknesses and monitoring its communications.

Customer emails to the company flagging new malware were also intercepted and monitored by the agencies.

In a slide titled "What else can we do?", spies suggested repurposing malware and monitoring Kaspersky "to see if they continue to let any of these virus files through their anti-virus product", according to the report.

The documents also recommended monitoring customers who reported malware "to see if they're into more nefarious activity".

"By monitoring the threats/malware/vulnerabilities reported by customers, the agencies can have understanding of the limitations of the customers anti-virus software, and can create tools that can by-pass the anti-virus software installed in the customers' machines," said KP Chow, associate director of Hong Kong University's Centre for Information and Security and Cryptography.  

By examining malware reports to anti-virus companies, the spy agencies could potentially use the exploits before they were patched.

Google security engineer Tavis Ormandy estimated in 2012 that it took anti-virus firms up to 60 days to introduce fixes for reported vulnerabilities.

"Personal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ's [computer network exploitation] capability,” the UK spy agency said when requesting authorisation from the British government for its activities.

Software reverse engineering “is essential in order to be able to exploit such software and to prevent such detection of our activities," the agency added.

It was referring to the process of taking a computer programme apart and analysing how it operates. This allows for the detection of vulnerabilities and the removal of anti-piracy protections.

Many companies prohibit the practice in licensing agreements, and some have issued lawsuits in the past to protect their software from reverse engineering.

Inside knowledge of how commercial anti-virus software operates "could allow the NSA to ensure its spyware goes undetected on target computer systems", said Michael Gazeley, managing director of Hong Kong-based security firm Network Box.