The NSA Leak Report


Three months ago, we began seeing reports about an NSA Leak involving a careless NSA employee and Russian Cyber Security giant, Kaspersky.  We’ll briefly recap the details for you.  This former NSA employee – Nghia Hoang Pho – took top-secret documents belonging to the NSA, copying the files to his personal Windows Computer, which was running Kaspersky’s endpoint protection software.

The reports stated that the NSA believes Kaspersky’s antivirus software was used to steal the classified documents from Pho’s PC, sometime in 2015.  Kaspersky was quick to defend itself, issuing a report that its antivirus detected the files as malware due to a searching algorithm looking for files with matching signatures to the hacking malware purportedly used by the Equation Group.  Those files were uploaded to the Kaspersky cloud for further analysis.  According to Kaspersky, once the company realized what files had been collected, they deleted their copy of the classified documents and reprogrammed their software to never download them again.

They added that Pho’s PC was riddled with malware, including a pirated Microsoft Office version containing the Mokes backdoor.  Apparently, a window of opportunity was presented to hackers when Pho turned off the antivirus, so he could install this pirated Office version and activate it with a keygen.  Kaspersky suspects this was when the files were stolen by someone else.  When the antivirus was activated again, it duly removed the trojan keygen from the NSA staff’s PC.

That’s the official story, from Kaspersky Labs’ perspective.  While we may or may not get to read an NSA report on the incident (they are an intelligence agency after all), there are key lessons to be learned from this incident, for every organization.  We’ll be analyzing these lessons based on what we know for sure, and what is purely speculation or theory, at the moment.

Data Protection is Critical to Organizational Security

We know Pho took the files

This has been confirmed by both the NSA and Kaspersky and it brings our first lesson to the forefront.  Data Protection is critical in all forms – Data Loss Prevention, Data Leak Prevention, Encryption, Secure Storage etc. This is an important security control measure for organizations.  Alarmingly, it is one control measure most organizations in Nigeria do not have in place or haven’t fully set up.  The consequences of having sensitive data fall into the wrong hands, can be as far reaching as business ending, so it is important for organizations to re-evaluate their security posture with respect to how data flows within and out of their business (both digitally and physically), how and where that data resides (storage) and just how much control they have over that data.  When analyzing data control measures, organizations should ask themselves the following questions:

  • Do we properly classify and re-classify our data into standard classification levels over time?
  • Do we accurately define data access permissions for our employees based on conditions such as job function, employee organizational level, temporal need (project-based) and the like?
  • How often do we review, revoke or modify these data access permissions?
  • How do we enforce and control data access across the entire organization? What, if any, physical and cyber access controls/solutions are in place to ensure data is accessed by only those who should have access to it (Confidentiality)?
  • Since the perimeter of the network is still the biggest data convergence point, can our perimeter security appliance properly enforce data access control based on organizational identity? How granular is the enforcement afforded to us and is it enough?
  • Is our data encrypted at rest or in motion? Are the encryption algorithms strong enough yet light enough so they aren’t network and compute resource intensive?
  • Can we control who can remove data from our network? Can we maintain control of that data after it leaves our network?
  • Can we gain visibility into all our data in terms of the following log/report parameters?
    • Who is accessing our data?
    • When did they access the data?
    • From where did they access the data?
    • At what time did they access the data?
    • How many times did they attempt to access the data?
    • Were their access attempts successful or unsuccessful?

These questions are not exhaustive, but they do provide a sound ‘stress test’ for any organization’s data protection model and the answers to the questions will clearly tell an organization whether that model does need serious attention or not.  In addition to the questions listed above, organizations must also think about how they enforce these data control policies and how they implement checks and balances over the designated enforcers.  Whether an employee-centric enforcement model (the employee applies the data protection to files generated) or a centralized enforcement model (the IT Security department is solely responsible for data protection enforcement) is chosen, organizations must realize that these employees are human beings.  This leads us directly to our next lesson.

The Human Element is still the Weakest Element in Security

We know the files weren’t leaked until Pho copied them

Training, awareness campaigns and sensitization sessions will always be relevant for one simple reason: the human element.  For all the risk management and mitigation solutions, an organization invests in, its most valuable investment is most likely going to be in training and sensitizing its employees with regards to cybersecurity.  One careless or malicious employee can undermine millions of dollars invested in security solutions and processes intended to safeguard the business.  These slip-ups will be exploited.  Malicious users are also opportunists, waiting for the smallest crack in the armor, to slip in unnoticed and wreak havoc on a business IT environment.

Businesses should constantly train their technical staff and sensitize their non-technical staff so cybersecurity becomes a business process and responsibility, not a department within the organization.  When considering what sort of training a business needs, the following questions should be considered.

  • What new technologies has the business adopted and what are the risks involved with embracing them e.g. cloud computing or collaboration tools.
  • Is the business a mobility friendly environment? Can employees work remotely?  Can they bring in their personal devices and connect to the corporate network?  Can they take corporate-issued devices home?
  • Are there security solutions deployed within the business and how much internal capacity is there for management and configuration of those security solutions?
  • Is the business heavily reliant on external support for the cybersecurity solutions in place? If support is unavailable, can incidents and issues be resolved internally?
  • Are technically sound staff properly sensitized on the risks of bypassing/evading existing cybersecurity controls and solutions?
  • Are employees properly trained on social media security, phishing, pharming and other social engineering based attacks that malicious attackers use?

In addition to these questions, organizations should also make sure employee devices used for work-related functions (personal or company issued) have an endpoint protection solution that can protect against today’s attacks – both known and unknown (zero-day) – installed on them.  The question of which endpoint protection solution vendor to go with brings us to our next lesson.

Security Applications could be used to Exfiltrate Data

We think Kaspersky’s antivirus was used to slurp up the NSA files

Kaspersky had to defend itself against the NSA’s claims.  Those claims were brand damaging, to say the least.  If the NSA’s claims were true, then Kaspersky had aided in compromising the very security it was supposed to protect.  While their analysis is plausible, we have no proof that this was exactly what happened.  If the NSA debunks claims that a bootleg version of Office was installed and that the antivirus was never deactivated, Kaspersky’s claims fall like a pack of cards.  What businesses should be focused on, however, is this: Kaspersky Labs did manage to retrieve copies of the files and upload it to their cloud.  The subsequent deletion story is entirely their own.  They have proven that they can retrieve files from an endpoint, without the knowledge of the endpoint user.  Is it far-fetched to imagine that a Russian Cyber Security company would have its allegiance to the Russian government?

In the wake of India’s recently released list of Chinese apps that double as spyware – True Caller was among the applications listed – it has become very important to vet and properly evaluate any software or solution being introduced into the business environment, even if that solution/software is designed to offer some form of security.  It is important for Nigerian organizations to invest in software analyzers that evaluate in-house developed applications as well as external applications for vulnerabilities, backdoors, and functionalities that hint at some form of data exfiltration ability.  A few questions for businesses to ask include:

  • Have we built in defense in depth into our security posture?
  • Is there security for our in-house applications and the external applications our employees or customers use?
  • Does our perimeter defense solution have extensive application layer control?
  • Can we create policies that permit certain application functionalities while blocking others?
  • Can our perimeter defense solution detect application state changes and track application related data in real time via logs?
  • Can we have a geographical view of where our application data goes and who accesses our applications from the internet (untrust)? Note: It is bad practice to have any sort of application access from ‘untrust’ allowed.
  • Do we have a solution that evaluates applications we build or purchase, at the source code level for vulnerabilities, backdoors or trojans?


Based on the evidence we’ve got so far, three major security gaps combined to make the NSA Leaks possible:

  1. Inability to control the exfiltration of data from the NSA network by an employee and an inability to detect that exfiltration in time.
  2. A careless employee who compromised the security of his PC and the security of the organization he worked for.
  3. A possible though as yet unproven exfiltration of data from the compromised PC by an otherwise reputable Cyber Security Organization.

The threat landscape keeps increasing and evolving.  As such, it is key for organizations to ditch the stop-gap measures and explore lasting cyber security solutions to the security gaps they operate with before a perfect storm leads to a disastrous leak as it did with the NSA.  Consulting with a trusted Cyber Security Service provider is always a good start.

Who We Are

At 3G Quantum Secure, we provide Cyber Security consultancy and managed services to organizations in need of expert advice on the ever-changing persistent threat landscape, as well as top class managed security services aimed at maximizing the utilization of existing security infrastructure, and strategically improving that infrastructure over a period of time.

While our core operations revolve around cybersecurity services, we strategically partner with some of the best in class security OEMs to provide and manage solutions needed to ensure business continuity and mitigate the risks and threats against it.

We also believe in empowering our customers as they seek to take more ownership of their cybersecurity posture.  We do this by designing targeted cybersecurity awareness or technical training sessions that directly address our customers’ unique needs and fits in with a well-developed cybersecurity vision.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s