Snowden: NSA spies on foreign antivirus companies

    The Intercept has published another batch of material from the secret documents of fugitive NSA employee Edward Snowden. The project for spying on various antivirus companies was called "CAMBERDADA" and was used to track their activities. The list of vendors is shown below in the screenshot (from the NSA presentation). Note that the list does not include the American vendors Symantec and McAfee, or the British vendor Sophos.



    One of the documents indicated that US and British intelligence agencies collected emails that users sent to antivirus companies to warn them of new malware. It also indicates that an NSA unit called Tailored Access Operations (TAO), which is known as an "offensive security unit", could "repurpose" malware to perform other functions, for example, to bypass antivirus security functions.


    Fig. Various methods of collecting information on the activities of AV companies (slides).


    Fig. One of the intercepted email messages that was addressed to the AV company.

    The CAMBERDADA program is not new. We wrote earlier about a malware campaign that used the state-sponsored Duqu2 malware. Duqu2 was aimed at compromising a well-known antivirus company, and a zero-day exploit was used to distribute it; in addition, the malware's drivers were signed with a digital certificate stolen from Foxconn.
