New documents from the leaked Edward Snowden cache indicate that the security services of both the US and UK targeted anti-virus software to see how they might be able to crack or circumvent the security of a swathe of vendors.
Check Point Software, BitDefender, AVG, Avira, Avast and Eset were among the vendors targeted – but US- and UK-based companies, including Sophos, Intel-owned McAfee and Symantec, were notable by their omission, as was Japan’s Trend Micro.
The documents have raised questions over whether these vendors were left off the list for legal or other reasons – or whether they may have covertly complied with security services’ demands to whitelist malware used by the US National Security Agency (NSA) and GCHQ.
However, security specialist Graham Cluley, who spent more than a decade at Sophos, rejected claims that the company, one of Britain’s biggest software vendors, worked with GCHQ. “I’m not aware of any requirements made to Sophos by GCHQ during my time working there,” he wrote in response to a comment on his website.
The documents, revealed on The Intercept, the website founded by Glenn Greenwald, one of the journalists who handled the original Edward Snowden scoop for The Guardian, indicated that popular Russian security software vendor Kaspersky was a particular target of the security services.
“Personal security products, such as the Russian anti-virus software [vendor] Kaspersky, continue to pose a challenge to GCHQ’s CNE [computer network exploitation] capability, and SRE [software reverse-engineering] is essential in order to be able to exploit such software and to prevent detection of our activities. Examination of Kaspersky and other such products continues,” read the document.
“In a nutshell, the likes of GCHQ and the NSA want to write malware that will get past the defences of the anti-virus software. And ideally they would like the green light of legal immunity in order to proceed,” explained Cluley.
The Intercept suggested that cracking the security of Kaspersky might require some form of legal authority. “According to a top-secret GCHQ warrant renewal request written in 2008 and published today by The Intercept, the British spy agency viewed Kaspersky software as an obstruction to its hacking operations and needed to reverse engineer it to find ways to neutralize the problem. Doing so required obtaining a warrant.”
GCHQ requested a warrant to examine Kaspersky and other anti-virus software products under section five of the 1994 Intelligence Services Act – which requires ministerial authorisation every six months. In other words, GCHQ would have required high-level authorisation by a government minister in order to be able to conduct an examination of security software products.
It is unclear, however, whether that authorisation – which commenced in 2008 – has been renewed recently, or whether GCHQ was successful in cracking Kaspersky’s and other anti-virus software vendors’ products.