
Snowden: NSA And GCHQ ‘Targeted’ Security Firms

The NSA and GCHQ targeted the makers of widely used antivirus software in order to find ways to bypass the programs’ protections, according to newly leaked documents obtained by former NSA contractor Edward Snowden.

GCHQ had a particular focus on Russian antivirus maker Kaspersky Lab, and even obtained warrants for the reverse-engineering of Kaspersky’s software because it feared the activity might otherwise be “unlawful”.

Neutralising security

“Reverse engineering of commercial products needs to be warranted in order to be lawful,” read a 2009 GCHQ memo published by The Intercept, an online publication launched last year with a focus on the Snowden documents. “There is a risk that in the unlikely event of a challenge by the copyright owner or licensor, the courts would, in the absence of a legal authorisation, hold that such activity was unlawful.”

The warrants were issued by the Foreign Secretary under the UK’s Intelligence Services Act 1994 Section 5, giving GCHQ permission to modify commercial software to “enable intercept, decryption and other related tasks”.

GCHQ said in another memo that personal security products such as Kaspersky’s posed a “challenge” to the agency’s Computer Network Exploitation (CNE) capability. “SRE (software reverse-engineering) is essential in order to be able to exploit such software and to prevent detection of our activities,” the memo stated.

The Intercept argued that the warrants are “legally questionable on several grounds”, in part because the law upon which they are based makes reference to interference with property and communications systems but not intellectual property.

A slide from an NSA presentation lists at least 23 IT security software makers that the agency targeted, including Finland’s F-Secure, Slovakia’s Eset, the Czech Republic’s Avast and Romania’s Bitdefender. US firms Symantec and McAfee and the UK’s Sophos were not listed.

Communications intercepted

In addition to reverse engineering, the agencies also intercepted communications sent to companies including Kaspersky in order to identify newly reported vulnerabilities that might be used to help gain access to target systems, according to the report.

The spy agencies also reportedly reverse-engineered Check Point firewall software and commercial encryption programs such as CrypticDisk and Acer’s eDataSecurity, as well as Cisco routers, modifying some routers in order to “re-route selective traffic” into data collection systems.

Earlier this month Kaspersky said it was hacked last year by the Stuxnet and Duqu gangs, which transferred data from the company’s network over a period of several months.

Kaspersky says its software protects more than 400 million users worldwide.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
