How Russian Firm Might Have Siphoned Tools From the NSA

Russian hackers got top-secret material via Moscow-based Kaspersky Lab. Intelligence sources and documents explain how it may have happened — without Kaspersky's knowledge.

Photo: Kirill Kudryavtsev/AFP/Getty Images

Kaspersky Lab has come under intense scrutiny after its antivirus software was linked to the breach of an NSA employee’s home computer in 2015 by Russian government hackers; U.S. government sources, quoted in news reports, suggested the Moscow-based company colluded with the hackers to steal classified documents or tools from the worker’s machine, or at least turned a blind eye to this activity. The Department of Homeland Security banned Kaspersky products from civilian government systems, and Best Buy has removed the software from computers it sells based on concerns that the software can be used to spy on customers.

But a closer look at the allegations and technical details of how Kaspersky’s products operate raises questions about the accuracy of the narrative being woven in news reports and suggests that U.S. officials could be technically correct in their statements about what occurred, while also being incorrect about collusion on the part of Kaspersky.

Initial reports suggested the Russian hackers siphoned the files by hijacking Kaspersky software installed on the NSA employee’s machine — without the antivirus firm’s knowledge. But subsequent stories in the New York Times and Wall Street Journal include assertions or suggestions that the company was complicit.

“There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this,” an anonymous former U.S. official told the Journal. The software “would have had to be programmed to look for specific keywords, and Kaspersky’s employees likely would have known that was happening,” the source said, calling the company a “witting partner.”

Kaspersky denied any collusion and said last week it “was not involved in and does not possess any knowledge of the situation in question.”

Multiple stories about the incident have been contradictory and confusing.

The NSA reportedly learned what the Russian hackers were doing after Israel hacked Kaspersky’s network in 2014 and obtained screenshots and keystroke logs showing the Russian hackers using Kaspersky’s software to search “computers around the world.” The searches reportedly used “terms as broad as ‘top secret'” and also included classified code names for U.S. government programs — presumably code names the NSA assigned to hacking tools or hacking operations that were not publicly known.

The stories don’t say how the Israelis knew the searches were conducted by Russian government hackers and not Kaspersky employees. Some have speculated that the Russians provided the search terms to Kaspersky or to a mole or liaison inside the company who initiated the searches for Russia’s Federal Security Service, or FSB, or that Russian hackers hijacked the software to search customer computers on their own. The NSA and Britain’s GCHQ spy agency have themselves studied Kaspersky software extensively since at least 2008 with an eye toward subverting it for their own ends to track users and infiltrate networks.

But there is another possible explanation that would make both U.S. officials and Kaspersky accurate in their claims and potentially absolve Kaspersky of collusion. It involves a technique commonly used by the antivirus community called “silent signatures.”

In this scenario, it’s possible Kaspersky learned the NSA code names on its own and created silent signatures — essentially search terms — to find files or documents on customer computers that it believed contained malicious code. This could happen if Kaspersky’s software detected what it thought was known NSA malware on a customer’s computer, but that turned out to be a document or file containing something different and new, yet still related to previously uncovered malware. Perhaps the file contained snippets of code from known malware, and this is what triggered the software to find a match. If these files also contained previously unknown NSA code names, the company, believing the documents were part of a new malicious attack, would then have written signatures to search for other samples of the files on customer machines and upload them to Kaspersky servers for analysis. Once Kaspersky collected the files, it’s possible Russian intelligence hackers then intercepted them without Kaspersky’s knowledge, using a common nation-state hacking method called “fourth-party collection.”

This scenario could explain why Israel saw someone using the software to search computers and also explain how Russian hackers got hold of files the software collected from machines. And it would explain the odd wording of a directive issued last month by Homeland Security banning Kaspersky software from being used on civilian government computers on grounds that “the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”


Home screen of Kaspersky Internet Security.

Screenshot: Ffgamera

How Silent Signatures Work

Signatures are essentially search terms that antivirus companies program into their scanners to search for known or suspected malicious files on customer machines. There are two types of signatures: overt and silent. An overt signature can be the name of a malicious file or its associated hash — a sort of mathematically-derived representation of the contents of a file — or it can be keywords and snippets of code found in the malware. When antivirus software like Kaspersky’s finds a file that matches a signature or search parameters, it quarantines or deletes the file and alerts the customer, or at least records the finding in a log the customer can view.

Silent signatures serve the same function but without an alert to customers. And instead of simply zapping or quarantining the file, they send the file back to the antivirus company for analysis. Companies like Kaspersky use silent signatures to collect files when they want to see if their overt signatures are producing false positives, when they want to collect additional samples of known malware to see if attackers have altered their techniques in new versions of their code, or when they’ve found a component of what appears to be a new attack or suite of attack tools and want to find other malicious files that are related to it.

“Silent detection is a widely-adopted cybersecurity industry practice used to verify malware detections and minimize false positives,” Kaspersky noted in a statement it released last week. “It enables cybersecurity vendors to offer the most up-to-date protection without bothering users with constant on-screen alerts.”

Customers agree to this sort of collection in the terms of service attached to antivirus software. Kaspersky isn’t alone in using silent signatures; publicly traded American software company Symantec uses them, as do a few others.

“Kaspersky is just the most aggressive,” a former intelligence analyst told The Intercept, asking to remain anonymous to preserve a security clearance essential to his livelihood.

Although silent signatures give antivirus companies the ability to collect any file from a computer, customers expect they will only collect suspicious files, not rifle through the content of all their files searching for anything of interest. The recent stories about Kaspersky suggest the company or Russian government hackers used the Kaspersky software to search broadly not only on the NSA worker’s computer, but also the computers of other customers, using words like “top secret” or NSA code names.

Kaspersky software began using silent signatures in this way in 2008 when the company launched the Kaspersky Security Network with its Kaspersky Endpoint Security 8 virus detection product. KSN, which is essentially a cloud platform works like this: The company’s “overt” signatures analyze the behavior of all executable code on a customer machine, and if they find a file containing executable code that meets a certain threshold of suspicious criteria, the scanner will send information about the file back to Kaspersky cloud servers — including its hash, name, and a list of the activity the executable is trying to perform on a customer’s machine. If the company’s analysts decide they need to examine the file, they will create a silent signature to collect it.

The silent signature is almost identical to the overt signature but for one change. An overt signature for the malicious file, known as “Duqu” — the malware that was reportedly used by Israel to hack Kaspersky — might be “trojan.duqu.file” while a silent signature for the same file would be “trojan.duqu.file.silent.”

Silent signatures can lead to the discovery of new attack operations and have been used by Kaspersky to great success to hunt state-sponsored threats, sometimes referred to as advanced persistent threats, or APTs. If a Kaspersky analyst suspects a file is just one component in a suite of attack tools created by a hacking group, they will create silent signatures to see if they can find other components related to it. It’s believed to be the method Kaspersky used to discover the Equation Group — a complex and sophisticated NSA spy kit that Kaspersky first discovered on a machine in the Middle East in 2014.

Kaspersky has become a hot target of various spy agencies due to its success in discovering and exposing sophisticated attack tools belonging to the NSA, the Israeli signals intelligence agency Unit 8200 (Israel’s counterpart to the NSA), and Britain’s GCHQ. In addition to the Equation Group, the threats Kaspersky has uncovered also include: Flame, which is believed to be a product of the NSA and Israel; Gauss, another tool created by either the U.S. or Israel; Duqu, believed to be a product of Israel; and Regin, attributed to GCHQ. Interest in Kaspersky’s work to uncover APTs is so high that in 2014, Israel hacked the company in large part to uncover intelligence about its investigations into state-sponsored threats and identify the threats Kaspersky might expose next.

“This is how [Kaspersky] picks apart APTs. They were collecting on Equation as silent signatures for like a year before they made the signatures overt,” said the former intelligence analyst. “This same silent signature functionality is almost certainly how they were collecting the NSA tools that the press is talking about right now.”

According to the Washington Post, the NSA worker whose files were stolen was helping to develop new hacking tools for the NSA to replace others that had been compromised after agency contractor Edward Snowden leaked NSA documents to journalists. Many in the information security community believe that the NSA worker, who was targeted in 2015, may have been developing new tools to replace the Equation Group tools, which were partially exposed in 2013 in an NSA hacking catalogue published by Der Spiegel. The NSA would have known it was only a matter of time before the tools were discovered in the wild — and indeed Kaspersky discovered the first component in 2014 and spent a year amassing a large collection of Equation Group tools before going public with the information in 2015, effectively burning the expensive and sophisticated NSA toolset.

The NSA has long been aware of the potential risk Kaspersky’s cloud capability and silent signatures pose to its own operations. The former intelligence analyst tells The Intercept that during his time in the intelligence community, whenever an NSA hacker encountered a target machine that had Kaspersky software with cloud-reporting capability installed on it, they had to get special permission from a mission director to proceed with the intrusion. If a director deemed the risk of being discovered by Kaspersky worth it, then the hackers could proceed. (Asked about this and other elements of this story, the NSA declined to comment.)

NSA documents provided by Snowden seem to support this. One, dated February 2012, instructs NSA hackers that “no new implants [should be installed] on Kaspersky 2010+ [machines]. This is because Kaspersky 2010+ products have been updated to include the cloud functionality.” Another 2012 document notes that after NSA hackers determined that Kaspersky software was installed on one particularly important target computer in the Middle East, “[CounterTerrorism] MAC analysts gained Mission Director approval to install TAO’s second stage implant – UNITEDRAKE.” UNITEDRAKE is an NSA software implant and collection tool that can be adapted to different attack methods using plugins. The same capability that has helped Kaspersky uncover covert NSA hacking operations can conceivably be used to spy on customer machines.

“The reason the government doesn’t want Kaspersky on [U.S.] government machines is because they can and will suck up files they find interesting. They will say it’s to protect people and only will analyze threats, but that’s a moral limitation, not a technical one,” said the former intelligence analyst, indicating the only thing preventing Kaspersky — or any other antivirus firm — from collecting other files is professional ethics.

The fact that the NSA knew this and was cautious about hacking any machine that used Kaspersky software makes it all the more remarkable that the NSA employee whose documents were stolen by Russian intelligence had the Kaspersky software installed on his personal computer.

An employee of Kaspersky Lab works on computers at the company's headquarters in Moscow, Russia, Saturday, July 1, 2017. The chief executive of Russia's Kaspersky Lab, Eugene Kaspersky, says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin. (AP Photo/Pavel Golovkin)

An employee of Kaspersky Lab works on computers at the company’s headquarters in Moscow, Saturday, July 1, 2017.

Photo: Pavel Golovkin/AP

Source of Code Names

The question now is whether Russian intelligence hijacked the Kaspersky software to send silent signatures to the NSA worker’s computer or supplied the code names and instructed Kaspersky to write the silent signatures, or whether Kaspersky discovered the code names on its own in the course of its normal activity. How would the latter be possible?

If the NSA worker was creating new tools to replace the Equation Group toolkit, he may have had Equation Group files on his home computer or snippets of code from these tools that caused Kaspersky’s overt or silent signatures to detect them. The new tool the worker was developing, or a file containing it, might have shared some properties or code with the Equation Group tools and therefore triggered the silent signature, which caused the file to be uploaded to Kaspersky’s cloud servers. Kaspersky might have pulled something from that file that turned out to be an NSA code name and created silent signatures to look for other files that contained the same term, something that’s in the normal realm of its operations.

“If you’re Kaspersky, that’s what your job is — to find APTs,” said Matt Tait, a former information security specialist for GCHQ. “And in the event that you’re Kaspersky and you’re looking for malware, you’re looking for Russian-state malware and Iranian-state malware and U.S.-state malware, too. And in the event that you discover a whole bunch of nation-state malware on a computer, then obviously that’s of interest.”

But if the company collected documents with words like “top secret” instead of collecting executable files, that’s where it becomes murky.

“They shouldn’t be collecting files that aren’t being executed,” said the former U.S. intelligence analyst. “I don’t see any good reason to be sucking up files off of a customer’s machine just because they wanted to go fishing.”

Tait disagrees. He says there are good reasons to collect documents that match a silent signature.

“[D]ocuments can contain malware — when you have things like macros and zero-days inside documents, that is relevant to a cybersecurity firm,” said Tait, who is currently a cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. “What’s not clear from these stories is what precisely it was that they were looking for. Are they looking for a thing that is tied to NSA malware, or something that clearly has no security relevance, but intelligence relevance?”

If Kaspersky was searching for “top secret” documents that contained no malicious code, then Tait said the company’s actions become indefensible.

“In the event they’re looking for names of individuals or classification markings, that’s not them hunting malware but conducting foreign intelligence. In the event that the U.S. intelligence community has reason to believe that is going on, then they should … make a statement to that effect,” he said, not leak anonymously to reporters information that is confusing to readers.

Kaspersky said in a statement to The Intercept that it “has never created any detection in its products based on keywords like ‘top secret’, or ‘classified.'”

The company also wrote that “it is quite normal that malware samples contain codenames and unusual keywords, which have been added there by accident or by their authors as a means to identify it. … It is a normal practice for antivirus researchers to create detection records based on unique keywords.”

Malware like Stuxnet, the famous attack code created by the U.S. and Israel to target Iran’s nuclear program, contained a data string that appeared to identify a name the attackers had given one of the attack’s components — “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb.” And Equation Group files also contained many words, such as DesertWinter STRAITSHOOTER30, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, and others that were NSA code names for the tools. Such code names are frequently fed into Yara, an open-source tool widely used by malware researchers to uncover malicious code, the company noted.

“Creating signatures which include such codenames is a perfectly acceptable practice as shown by multiple Yara rules written by many antivirus researchers, independently,” the company said. “The goal of these detection rules is not to hunt for documents containing classified keywords, but rather to detect malware samples based on such unique keywords that do not appear in clean programs. … An antivirus product can scan for keywords in executable files, documents, and other potentially malicious file formats.”

Kaspersky’s detractors reject this explanation.

“I think the idea that Kaspersky randomly found some malware and found code names is ridiculous,” said Dave Aitel, a former NSA analyst and founder of security firm Immunity, who thinks that someone working inside Kaspersky — an FSB agent or a Kaspersky employee — was specifically tasked with doing searches on code names and was caught red-handed by the Israelis grabbing the files. “I think the FSB knew exactly what it was looking for and decided to get copies of the actual files,” he said.

Aitel points to a recent story describing how members of Kaspersky’s sales team in the U.S. reportedly boasted to U.S. government officials in 2015 that the company could leverage its software to help capture targets tied to terrorism in the Middle East. If Kaspersky was offering to use its software to help the U.S. government spy on customers, there’s no reason to believe it didn’t make the same offer to the Russian government, Aitel notes.

Kaspersky has denied the reported claim saying the company “has never helped, nor will help, any government in the world with its cyberespionage efforts.”

Tait said it doesn’t make sense as a business model for Kaspersky to send out silent signatures that are clearly aimed at espionage instead of malware detection, because other antivirus firms regularly reverse-engineer the signatures of competitors to see if their rivals are detecting something they’re not detecting.

“[T]hat seems to me to be a really risky move for Kaspersky, because … someone is going to say, ‘Hey, you’re looking at all of these documents for specific search terms, and they look like terms [being used] on behalf of the Russian government, so you’re the Russian government. From a specifically business perspective, it would be crazy for Kaspersky to go down that path, which is one of the reasons why [this is] such an odd story.”

Aitel thinks Kaspersky could bypass this scrutiny by only sending espionage-related signatures to a narrow set of customers, reducing the possibility that anyone else would see and reverse-engineer them.

If Kaspersky’s own scans did collect the sensitive files from the NSA worker’s home computers in the course of the company’s normal hunting for malware, the question remains: How did Russian intelligence get them? Kaspersky has denied providing anything to the Russian government, so if this is true, it leaves two possibilities, none of which alleviates the broader concern that files the company collected fell into the hands of Russian intelligence.

The first possibility is that a Russian intelligence mole works inside Kaspersky and provided the files to Russian intel. Barring this, Russian intelligence could have stolen the documents from Kaspersky using fourth-party collection.

Screenshot from ”I drink your milkshake” document. Document: NSA/Der Spiegel

Fourth-Party Collection

Fourth-party collection is a spy term that describes when one intelligence agency steals data from another intelligence agency or hacking group that has already stolen it from a victim, allowing them to benefit from the other party’s efforts. The practice is described in an NSA document leaked by Snowden, titled “I Drink Your Milkshake.”

There are two types of fourth-party collection: active and passive. Passive collection involves stealing stolen data after it leaves the victim’s computer and as it traverses undersea cables and routers on its way to the hackers’ infrastructure. This kind of interception requires access to internet infrastructure and also requires the ability to decrypt the stolen traffic if the thieves have encrypted it.

Active collection, by contrast, involves hacking the infrastructure — command-and-control servers or staging servers and collection nodes — of the other hackers, where data they have stolen from victims may be stored unencrypted or with the decryption keys.

News stories have postulated that Russian intelligence hackers intercepted the files taken from the NSA worker’s machine as they traversed Russian telecom networks on their way to the Kaspersky cloud servers. But files that Kaspersky software collects from customer machines is encrypted in transit using SSL with RSA 2048 and AES 256 encryption. Though it’s possible that under Russian law, the government could compel Kaspersky to hand over its decryption keys, the company has insisted it has never aided any government in spying on customers.

But it’s also possible that passive collection may have been the means — that the Russian hackers compromised Kaspersky cloud servers and grabbed the files there. A Washington Post story said the Israeli spies who hacked Kaspersky found the NSA hacking tools “on” Kaspersky’s network, which suggests they may have been collected while at rest, not in transit. If Israel found them on Kaspersky’s network, Russian spies could have found them as well.

And there’s the crux. Regardless of whether Russian intelligence obtained the tools via active or passive collection or some other means, if Russian intelligence was able to obtain them, this raises concerns that anything the company collects from customer computers could fall into the hands of the Russian government. But the same holds true for every antivirus company collecting files from customer computers.

In the end, it’s hard to determine from the conflicting and confusing news reports what exactly occurred, which is why Tait said the public would be better served if the U.S. government stopped the anonymous leaks and insinuations, and stated clearly what the intelligence community does and does not know about the incident.

“The real difficulty with all of this is that we’ve got a bunch of different stories … and all of them are talking about the same set of events, but it’s not really quite clear what precisely has taken place,” he said. “If Kaspersky is genuinely acting on behalf of the Russian government, that is a really important topic for U.S national security, [and the intelligence community needs] to put an official stamp on it and say the U.S. intelligence position is that Kaspersky is an arm of the Russian government. … The national security cost of keeping it secret is higher than the national security benefit of making that fact publicly known.”

The headquarters of Kaspersky Lab in Moscow, Russia, on Monday, Jan. 30, 2017. Moscow has been awash with rumours of a hacking-linked espionage plot at the highest level since cyber-security firm Kaspersky said one of its executives with ties to the Russian intelligence services had been arrested on treason charges. (AP Photo/Pavel Golovkin)

The headquarters of Kaspersky Lab in Moscow on Monday, Jan. 30, 2017.

Photo: Pavel Golovkin/AP


December 30, 2013: Equation Group Tools Exposed

Seven months after journalists began publishing documents leaked by NSA whistleblower Edward Snowden, the German newsweekly Der Spiegel publishes the so-called ANT catalogue — a massive and rich compendium of NSA spy tools apparently compiled by the spy agency in 2008. Der Spiegel does not attribute the leak to Snowden, suggesting the possibility that the catalogue was obtained by other means. The catalogue describes each tool and its capabilities in abundant detail, along with their NSA code names, information that can help security companies devise methods for detecting the tools on machines of customers. Among the tools are a few that will later be identified as belonging to the Equation Group family of malware.

March 2014: Kaspersky Discovers First Equation Group Component in the Wild

Purportedly while investigating “Regin” attack code linked to British spy agency GCHQ, Kaspersky happens upon a malicious file, a driver, that appears to belong to an attack group Kaspersky has never seen before. The driver is found on a system belonging to a research institute in the Middle East that is apparently a high-value target for many state hacker groups. Kaspersky dubs the system the “Magnet of Threats” because it turns out to be cluttered with multiple infections; in addition to Regin and this new mystery threat, Kaspersky finds several other families of malware by other nation-state groups, including Flame, reportedly a product of Israel and the U.S.; Animal Farm, believed to belong to French intelligence; Careto (or Mask), believed to be a Spanish-speaking nation-state group; and Turla, a Russian-speaking group.

The mysterious driver uses advanced techniques to avoid detection but also uses a known method to hijack Windows and thus, triggers an alert in Kaspersky software. After Kaspersky upgrades its products to detect the driver, the driver shows up on the machines of other customers along with other related software components. The discovery of each new component leads to the discovery of more related components, until Kaspersky amasses an expansive and sophisticated toolkit that it dubs the Equation Group, which Kaspersky believes has been used since at least 2001, possibly even 1996. It will be almost a year before Kaspersky will publicly disclose the discovery of the Equation Group, but the authors of the toolkit — believed to be the NSA — are likely aware their toolkit has been discovered before the public disclosure.

A photo taken on September 16, 2013 shows the headquarters of Belgium telephone operator Belgacom in Brussels. Belgacom announced on September 16 that its computer systems were hacked and that it had filed on July 19 a complaint with police about the hacking. According to reports in the Belgian newspaper De Standaard reports, Belgacom was allegedly hacked by the American security service NSA, intercepting conversations in Africa and the Middle East.                                               AFP PHOTO / BELGA /  BRUNO FAHY                  - BELGIUM OUT -        (Photo credit should read BRUNO FAHY/AFP/Getty Images)

A photo taken on Sept. 16, 2013, shows the headquarters of Belgium telephone operator Belgacom in Brussels.

Photo: Bruno Fahy/AFP/Getty Images

November 2014: Kaspersky Goes Public With Discovery of Regin

Kaspersky discloses its discovery of Regin, the surveillance toolkit believed to originate with Britain’s GCHQ. Regin was used to hack the European Commission, Belgium telecommunications company Belgacom, and telecoms in multiple other countries.

February 2015: Kaspersky Goes Public With Discovery of Equation Group

After more than a year spent collecting various components belonging to the Equation Group platform, Kaspersky finally goes public with news of its discovery. If, as the Kaspersky spokesperson reports, Kaspersky didn’t discover it had been hacked until early spring, the company is still ignorant that intruders are in its network when it goes public with the Equation Group news.

Spring 2015: Kaspersky Discovers It Has Been Hacked

Kaspersky discovers that it has been hacked, and all signs point to Israel as the perpetrator. Kaspersky dubs the hackers’ malware “Duqu 2.0,” naming it after “Duqu,” a previous toolkit also believed to originate from Israel. The hackers infected the first Kaspersky system with Duqu 2.0 sometime before November 18, 2014, when Microsoft released a patch for a zero-day vulnerability used by the attackers.

The hackers sought intelligence about Kaspersky’s investigations into the Equation Group and Regin campaigns, which the company had not yet revealed publicly at the time the hack occurred. And according to recent news reports, the hackers also apparently discover at this time evidence that Kaspersky, or Russian government hackers using the Kaspersky software, are collecting a new set of NSA tools that are still in development — possibly tools being built to replace the Equation Group tools that got exposed, or “burned,” via Der Spiegel in 2013. Israel collects screenshots and keystroke logs that show Russian government hackers leveraging the Kaspersky software to spy on the machine of an NSA hacker, who is helping to create the new replacement tools, according to the New York Times and Washington Post.

There are signs the Israeli hackers already know that Kaspersky has caught them in its network, because they erase data from infected Kaspersky machines while Kaspersky is chasing their footprints through the company’s network.

2015: NSA Discovers Theft of Tools From Worker’s Home Computer

Sharing what their hackers have learned, the Israelis at some point in late 2014 or early 2015 notify the NSA that some of its classified tools have fallen into the hands of Russian hackers via Kaspersky software. The NSA traces the leak to the home computer of an NSA worker, a member of its elite hacking division, Tailored Access Operations, who was reportedly developing a new set of NSA hacking tools meant to replace the set exposed starting with the Der Spiegel article in 2013.

The exact dates of everything are unclear: Kaspersky discovered the Israeli intruders in its network in “early spring 2015,” according to a company spokesperson. So the screenshots and computer logs the Israelis collected that show someone using the Kaspersky software to search for NSA code names on customer machines presumably were captured by the Israelis sometime between late 2014 to early 2015. The Washington Post said the theft from the NSA worker’s computer occurred in 2015, and the worker was fired in November 2016; the Wall Street Journal also reports that the theft occurred in 2015, but the NSA didn’t connect it to the NSA worker’s machine until the spring of 2016; the New York Times says the theft was discovered in 2015, but the role Kaspersky’s software played in the theft wasn’t discovered until “recently.”

June 2015: Kaspersky Reveals It Was Hacked

Kaspersky announces that it was hacked beginning in late 2014, and all signs point to Israel. The company says it withheld this information until Microsoft could release a patch for a vulnerability the hackers used to breach the Kaspersky network. Kaspersky also discloses that the same attackers who hit it, also struck several hotels and conference venues where members of the U.N. Security Council had met in 2014 to negotiate a deal with Iran over its nuclear program.

February 2017: U.S. Government Begins Campaign to Ban Kaspersky Software

The Department of Homeland Security sends secret report on the national security risks of Kaspersky software to other government agencies. News leaks to the media that the FBI is also investigating the nature of the company’s relationship with the Russian government. The investigation reportedly stems from some incidents in early 2015 when someone on Kaspersky’s sales team in the U.S. allegedly made aggressive sales pitches to U.S. intelligence and law enforcement agencies about Kaspersky’s ability to use its software to spy on customers and help catch suspected terrorists. It appears that the FBI was both intrigued by the prospect of using Kaspersky software for spying, but also concerned that the tool could be used against U.S. customers, in particular government customers. After the Kremlin reportedly expressed displeasure at the FBI’s investigation of Kaspersky, the FBI began a campaign to get Kaspersky software off of government systems.

Sen. Marco Rubio, R-Fla., listens to testimony during a Senate Intelligence Committee hearing on Capitol Hill in Washington, Thursday, March 30, 2017, on Russian intelligence activities. (AP Photo/Susan Walsh)

Sen. Marco Rubio, R-Fla., listens to testimony during a Senate Intelligence Committee hearing on Capitol Hill in Washington, Thursday, March 30, 2017, on Russian intelligence activities.

Photo: Susan Walsh/AP

March 30, 2017: Lawmakers Ask Witnesses About Kaspersky

During a Senate Intelligence Committee hearing, Sen. Marco Rubio, R-Fla., asks a panel of experts if they would ever install Kaspersky software on any of their computers or devices after citing news stories saying the company has connections to Russian intelligence. Kevin Mandia, CEO of U.S. security firm FireEye, replies: “My answer indirectly would be, there would be better software probably available to you than Kaspersky.”

Gen. Keith Alexander, former director of the National Security Agency who now runs a cybersecurity firm, replies more directly: “No, I wouldn’t. And I wouldn’t recommend that you do it either.” He then mentions that there are other U.S. firms, including FireEye, that would be better.

The only panelist to answer in the affirmative that he would use Kaspersky software is Thomas Rid, then a professor from King’s College in London, who also says he would use other competing products simultaneously. He then adds: “It’s important to say that Kaspersky is not an arm of the Russian government.”

WASHINGTON, DC - AUGUST 04:  (L-R) U.S. Director of National Intelligence Dan Coats, Attorney General Jeff Sessions, and Deputy Attorney General Rod Rosenstein attend an event at the Justice Department August 4, 2017 in Washington, DC. Sessions held the event to discuss "leaks of classified material threatening national security."  (Photo by Alex Wong/Getty Images)

U.S. Director of National Intelligence Dan Coats, left, Attorney General Jeff Sessions, and Deputy Attorney General Rod Rosenstein attend an event at the Justice Department on Aug. 4, 2017, in Washington, D.C.

Photo: Alex Wong/Getty Images

April 2017: Lawmakers Raise Red Flags About Kaspersky

In a secret memo sent to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, the Senate Intelligence Committee reportedly raises red flags about Kaspersky and urges the intelligence community to address potential risks posed by its software.

September 2017: DHS Issues Ban on Kaspersky Software on Government Computers

The Department of Homeland Security issues a directive banning Kaspersky software from being used on civilian government computers on grounds that “the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” Not long after this, a series of stories are published that indicate the reason for this ban may be because Kaspersky software was used to steal NSA tools from a worker’s machine in 2015.

Top photo: A picture taken on Oct. 17, 2016, shows an employee walking behind a glass wall with machine coding symbols at the headquarters of internet security giant Kaspersky in Moscow.

Join The Conversation