Kaspersky’s Antivirus Products the NSA and U.S National Security — An Analysis

Dancho Danchev
Oct 22 · 7 min read
Sample Presentation Slide from a Top Secret GCHQ Program Targeting Kaspersky Software

The U.S. is strengthening its position on the cyber-warfare front by restricting the use of foreign products on its networks, most visibly by banning Kaspersky Antivirus, one of the world’s most popular antivirus solutions, from government systems. The aim is to keep proprietary and classified information properly protected and out of the wrong hands: a foreign antivirus product running on a proprietary or classified network routinely “phones back” to its vendor, and that channel can compromise both the network and the data on it.

Kaspersky’s cloud-based sandboxing and data-aggregation platform makes it increasingly easy for proprietary and classified data to end up in the wrong hands, compromising OPSEC (operational security) and potentially leaking intellectual property and classified information. Users are given the option to opt out, but the broader point should be clear: modern antivirus software is no substitute for a network-based IDS (intrusion detection system) combined with a properly secured and hardened endpoint, in particular a locked-down web browser, when the goal is to prevent data, information and identity leaks and to stop malicious code from being executed and exploited on the targeted host.

Sample list of public Kaspersky Lab hostnames (update, download and certificate-status servers; URLs shown defanged with hxxp):

hxxp://dnl-01.geo.kaspersky.com
hxxp://dnl-02.geo.kaspersky.com
hxxp://dnl-03.geo.kaspersky.com
hxxp://dnl-04.geo.kaspersky.com
hxxp://dnl-05.geo.kaspersky.com
hxxp://dnl-06.geo.kaspersky.com
hxxp://dnl-07.geo.kaspersky.com
hxxp://dnl-08.geo.kaspersky.com
hxxp://dnl-09.geo.kaspersky.com
hxxp://dnl-10.geo.kaspersky.com
hxxp://dnl-11.geo.kaspersky.com
hxxp://dnl-12.geo.kaspersky.com
hxxp://dnl-13.geo.kaspersky.com
hxxp://dnl-14.geo.kaspersky.com
hxxp://dnl-15.geo.kaspersky.com
hxxp://dnl-16.geo.kaspersky.com
hxxp://dnl-17.geo.kaspersky.com
hxxp://dnl-18.geo.kaspersky.com
hxxp://dnl-19.geo.kaspersky.com
hxxp://dnl-00.geo.kaspersky.com
hxxp://downloads0.kaspersky-labs.com
hxxp://downloads1.kaspersky-labs.com
hxxp://downloads2.kaspersky-labs.com
hxxp://downloads3.kaspersky-labs.com
hxxp://downloads4.kaspersky-labs.com
hxxp://downloads5.kaspersky-labs.com
hxxp://downloads6.kaspersky-labs.com
hxxp://downloads7.kaspersky-labs.com
hxxp://downloads8.kaspersky-labs.com
hxxp://downloads9.kaspersky-labs.com
hxxps://s00.upd.kaspersky.com
hxxps://s01.upd.kaspersky.com
hxxps://s02.upd.kaspersky.com
hxxps://s03.upd.kaspersky.com
hxxps://s04.upd.kaspersky.com
hxxps://s05.upd.kaspersky.com
hxxps://s06.upd.kaspersky.com
hxxps://s07.upd.kaspersky.com
hxxps://s08.upd.kaspersky.com
hxxps://s09.upd.kaspersky.com
hxxps://s10.upd.kaspersky.com
hxxps://s11.upd.kaspersky.com
hxxps://s12.upd.kaspersky.com
hxxps://s13.upd.kaspersky.com
hxxps://s14.upd.kaspersky.com
hxxps://s15.upd.kaspersky.com
hxxps://s16.upd.kaspersky.com
hxxps://s17.upd.kaspersky.com
hxxps://s18.upd.kaspersky.com
hxxps://s19.upd.kaspersky.com
hxxp://p00.upd.kaspersky.com
hxxp://p01.upd.kaspersky.com
hxxp://p02.upd.kaspersky.com
hxxp://p03.upd.kaspersky.com
hxxp://p04.upd.kaspersky.com
hxxp://p05.upd.kaspersky.com
hxxp://p06.upd.kaspersky.com
hxxp://p07.upd.kaspersky.com
hxxp://p08.upd.kaspersky.com
hxxp://p09.upd.kaspersky.com
hxxp://p10.upd.kaspersky.com
hxxp://p11.upd.kaspersky.com
hxxp://p12.upd.kaspersky.com
hxxp://p13.upd.kaspersky.com
hxxp://p14.upd.kaspersky.com
hxxp://p15.upd.kaspersky.com
hxxp://p16.upd.kaspersky.com
hxxp://p17.upd.kaspersky.com
hxxp://p18.upd.kaspersky.com
hxxp://p19.upd.kaspersky.com
hxxp://downloads.kaspersky-labs.com
hxxps://downloads.upd.kaspersky.com
hxxp://crl.kaspersky.com
hxxp://ocsp.kaspersky.com

The U.S. government has for some time expressed a very specific interest in Kaspersky software, in particular its presence on U.S. government endpoints, citing the risk of cyber espionage and data leaks. The ultimate question: does the U.S. government really need a Russian-based (or, for that matter, any foreign) major antivirus vendor’s solution residing on its endpoints? The answer largely depends on whether the person or organization responsible for evaluating and deploying such a solution falls into the trap of “security through obscurity”.

Sample Screenshot of SNORT IDS in action for Network-Based Intrusion Detection

How can this be achieved? Several approaches to properly securing an endpoint are worth pointing out, in particular anti-fingerprinting measures and an off-the-shelf “stripped” browser whose primary purpose is to prevent data, information and identity leaks caused by active and passive browser and online-identity fingerprinting campaigns. Such fingerprinting not only compromises a host’s OPSEC (operational security) but can also expose the host to client-side code-execution flaws in a popular, publicly available web browser release.

It should be noted that the U.S. intelligence community is known to have targeted Kaspersky and other anti-malware vendors through an active SIGINT campaign intended to “steal” and “bring back” a sizeable share of new malware variants. The program, known as CAMBERDADA and disclosed in the Snowden documents, eavesdropped on traffic to Kaspersky’s infrastructure in order to supply the U.S. intelligence community with malware samples straight from the source, in this case Kaspersky Lab, in effect an “acquisition” of malicious software without the vendor’s involvement.

What can Kaspersky and other antivirus vendors do in this situation? Basic network-level measures such as perimeter defense at the infrastructure level should certainly be taken into consideration, together with encrypted communication between an organization’s members and data-center encryption such as link-layer (Ethernet) encryption, which ensures that data in transit cannot be read and attributed to a particular event or major intelligence program by the U.S. intelligence community.

Sample Ethernet Data Center Site-to-Site Hardware Appliance

More information on data-center and site-to-site traffic encryption is available here: https://www.engageinc.com/Products2/BlackDoor.htm

Another approach any organization can implement to keep both external and internal communication channels protected from surveillance and eavesdropping is to obfuscate the traffic and the content itself: “whole message encryption”, or a basic PGP-based encryption policy for internal and external email, so that the organization’s email workflow remains protected from interception.

Reliance on foreign and custom-made security solutions can add to a growing set of cyber-espionage concerns, in particular the leaking of classified and sensitive information to foreign entities without the user’s knowledge.

In a world dominated by a popular “security through obscurity” methodology, where the Chinese and the Russians actively attempt to compromise international organizations in order to steal sensitive and classified “know-how”, one important trend deserves attention: for over a decade now, in particular in a post-9/11 world, adversaries have been data-mining public U.S. government resources through automated OSINT collection in order to piggyback on that know-how. What exactly do I have in mind?

Research documents on offensive and defensive cyber warfare that were once classified and sensitive, produced by the U.S. government and the U.S. intelligence community, now form the basis of modern Chinese and Russian cyber-warfare doctrine, with both countries, and Iran as well, directly piggybacking on popular U.S.-based research in offensive and defensive cyber-warfare operations.

It should also be noted that a large share of today’s advanced persistent threats, in particular the use of Remote Access Tools (RATs), also known as DIY (do-it-yourself) Trojan horses, for active cyber-espionage campaigns, is best described as a resurrection of a popular 1990s trend: the “lawful surveillance” and “lawful interception” of network-connected hosts through publicly obtainable, easy-to-use Trojan horse generators. Throughout the 1990s that practice was used by law enforcement as well as by hacker enthusiasts, whether to steal confidential data or to run surveillance and eavesdropping campaigns against an unknown set of individuals for purely educational and research purposes.

Sample Screenshot of Spybot anti-telemetry Windows-based Solution in action

From the perspective of an intelligence analyst, every competent analyst should consider using “stripped”, hardened and secured devices and workstations for research in an OPSEC (operational security) conscious environment. In practice that means a stripped-down OS (operating system) behind a basic network-based perimeter defense such as Snort running on the extremely popular pfSense firewall. A case in point is the recently released Emerging Threats Pro telemetry ruleset, which stops a host from “phoning back” to a predefined set of application contact points (in effect application-level C&C), making it considerably harder for an intelligence agency, a competitor, or a rogue or nation-state actor to run passive or active network- or host-based fingerprinting against the infrastructure.
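The following Python script is an added example, not code from the original article or from Kaspersky, and it ties the hostname list above to the Snort-on-pfSense setup just described. It refangs the hxxp list, runs a matcher over DNS query logs to show which internal clients are resolving Kaspersky update and telemetry hosts, and emits Snort 2.x rules that alert on those DNS lookups by matching the query name in DNS wire format, which is what a per-vendor telemetry ruleset boils down to. The log lines, the dnsmasq-style log layout, the client addresses and the name ksn-verdict.kaspersky-labs.com are all constructed for the demo; only the hostnames in DEFANGED_LIST come from the article.

```python
"""Added example (not code from the original article or from Kaspersky):
turn the defanged hostname list into (a) a matcher for DNS query logs and
(b) Snort rules that alert on the DNS lookups an endpoint makes before it
"phones home". Log lines and client addresses below are constructed."""
from __future__ import annotations

import re

# A subset of the hostnames listed in the article, defanged with "hxxp"
# exactly as the article prints them.
DEFANGED_LIST = """
hxxp://dnl-01.geo.kaspersky.com
hxxps://s00.upd.kaspersky.com
hxxp://p19.upd.kaspersky.com
hxxp://downloads3.kaspersky-labs.com
hxxp://ocsp.kaspersky.com
"""

# Constructed DNS query log in a dnsmasq-style "query[TYPE] name from client"
# layout (an assumption; adjust LOG_RE for your resolver's log format).
# ksn-verdict.kaspersky-labs.com is an invented name to exercise suffix matching.
SAMPLE_DNS_LOG = """
Oct 22 10:01:02 gw dnsmasq[812]: query[A] s00.upd.kaspersky.com from 10.0.0.17
Oct 22 10:01:03 gw dnsmasq[812]: query[A] www.example.org from 10.0.0.17
Oct 22 10:01:09 gw dnsmasq[812]: query[AAAA] dnl-07.geo.kaspersky.com from 10.0.0.23
Oct 22 10:01:11 gw dnsmasq[812]: query[A] ksn-verdict.kaspersky-labs.com from 10.0.0.23
Oct 22 10:01:15 gw dnsmasq[812]: query[A] kaspersky.com.evil.test from 10.0.0.9
"""

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_defanged_hosts(text: str) -> list[str]:
    """Refang hxxp(s):// lines and return bare, lower-cased hostnames in order."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        line = re.sub(r"^hxxp(s?)://", r"http\1://", line, flags=re.I)
        hosts.append(re.sub(r"^https?://", "", line).split("/")[0].lower())
    return hosts


def apex_domains(hosts: list[str]) -> set[str]:
    """Registered domains (last two labels) used for suffix matching."""
    return {".".join(h.split(".")[-2:]) for h in hosts}


def match_dns_log(log: str, hosts: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, name, reason) for each query that hits the list.

    Exact hostnames are reported as "exact"; any other name under a listed
    apex domain is reported as "suffix", which catches update/telemetry hosts
    the list does not enumerate. Look-alikes such as kaspersky.com.evil.test
    do not match because the comparison is anchored at the end of the name.
    """
    exact = set(hosts)
    apex = apex_domains(hosts)
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        if name in exact:
            hits.append((m["client"], name, "exact"))
        elif any(name == a or name.endswith("." + a) for a in apex):
            hits.append((m["client"], name, "suffix"))
    return hits


def dns_wire_name(host: str) -> str:
    """Encode a hostname as Snort content bytes in DNS wire format:
    each label is preceded by its one-byte length and the name ends in 0x00."""
    return "".join(f"|{len(label):02x}|{label}" for label in host.split(".")) + "|00|"


def snort_rules(hosts: list[str], base_sid: int = 1000001) -> list[str]:
    """One Snort 2.x rule per hostname, matching the QNAME of an outbound DNS query."""
    return [
        "alert udp $HOME_NET any -> any 53 "
        f'(msg:"AV telemetry DNS lookup {host}"; '
        f'content:"{dns_wire_name(host)}"; nocase; '
        f"classtype:policy-violation; sid:{base_sid + i}; rev:1;)"
        for i, host in enumerate(hosts)
    ]


if __name__ == "__main__":
    hosts = parse_defanged_hosts(DEFANGED_LIST)
    for client, name, reason in match_dns_log(SAMPLE_DNS_LOG, hosts):
        print(f"{client} -> {name} ({reason})")
    print("\n".join(snort_rules(hosts)))
```

Two design points matter in practice. Matching on the apex domain rather than only on the enumerated hosts is what makes the matcher useful, since vendors rotate and add update mirrors faster than any static list is maintained, while anchoring the comparison at the end of the name keeps a look-alike such as kaspersky.com.evil.test from producing a false positive. Generating the Snort content in DNS wire format (length byte before each label, 0x00 terminator) is necessary because a plain text match on "kaspersky.com" would never see the dot that the wire encoding replaces with a length byte.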

What does this mean for Kaspersky and other security vendors looking for ways to protect their infrastructure from eavesdropping and surveillance? In a world dominated by an OS monoculture, it should not be surprising that vendors and security researchers often fall victim to basic OPSEC (operational security) mistakes, which can lead to the direct compromise of their research activities and to the theft and misuse of their intellectual property (IP) for fraudulent or malicious purposes.

Sample U.S Government Supply Chain Management and Infiltration Cyber Espionage Risk Matrix

What can the U.S. do better to tackle the growing use and abuse of its intellectual property on a global scale, through the systematic and persistent theft by rogue and nation-state actors looking to obtain sensitive and classified information for commercial purposes? Pretty simple: it could look to outsource some of its key national-security needs to the private sector in a public-private partnership. In terms of supply-chain management and infiltration, basic precautions while travelling, such as encryption of data at rest, together with basic OPSEC (operational security) principles while working and doing research, should certainly be taken into consideration in order to prevent the widespread theft of intellectual property, know-how and technical experience.

Image courtesy of — The U.S-China Economic and Security Review Commission - “Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology”.
