Spy Whose Files Were Plucked by Kaspersky Pleads Guilty

In2an3_PpG

Nghia Hoang Pho, 67, Took Files Home to Work On His Resume

One of the biggest computer security conflicts of the year was Kaspersky's row with the U.S. government. Officials contended the anti-virus vendor's software was co-opted by Russia, which used it to hunt for top-secret files, which Kaspersky denies.

The conflict was rooted in a cache of top-secret National Security Agency information that ended up in Russian hands. But the files leaked in the first place due to a dumbfounding mistake: an NSA analyst took the material home and copied it to his home computer, where Kaspersky collected and analyzed spy agency malware.

The identity of the agent was unknown until Friday. The Justice Department announced that Nghia Hoang Pho, 67, of Ellicott City, Maryland, pleaded guilty to one count of willful retention of national security data. Born in Vietnam, Pho is a naturalized U.S. citizen. He is not accused of taking the material for espionage purposes.

Pho was a developer within the NSA's Tailored Access Operations group, which is now called Computer Network Operations. The group specializes in penetrating foreign computer networks for cyber espionage operations.

Pho could face up to 10 years in prison, but as part of his plea deal, he will receive no longer than eight years and possibly less. He is scheduled for sentencing April 6 in federal court in Maryland.

Working on a Resume?
On Friday, the Justice Department released the plea agreement and criminal information. Neither document contains detail as to why Pho, who worked for the TAO between 2006 and last year, mishandled classified material.

But citing unnamed government officials, The New York Times reported that Pho took the material home to purportedly work on his resume.

Pho began removing classified material both in paper and digital formats between 2010 and March 2015, according to the criminal information document. He kept the material "in a number of locations" in his Maryland home. He held security clearances for top secret data and SCI, short for sensitive compartmented information.

"Pho worked on highly classified, specialized projects and had access to government computer systems, programs, and information, including classified information," it reads.

The document suggests that Pho was called out around March 9, 2015, when he "failed to deliver" documents to someone with authorization to receive the material.

Plucked by Kaspersky
Pho ran Kaspersky Lab's anti-virus software on his home computer. Last month, Kaspersky said that between September and November 2014, its software collected a 7zip archive that contained suspected malware.

The company had been investigating malware related to the Equation Group, a sophisticated actor that is widely believed to be the NSA. Kaspersky says its software, like that of other anti-virus vendors, collects files that may be malicious as part of its proactive defenses.

In addition to Equation Group code, the archive also contained four classified Microsoft Word documents, which were brought to the attention of Eugene Kaspersky, the company's co-founder. He ordered that those files be deleted (see Kaspersky Blames NSA Analyst For US Intel Leak).

Kaspersky placed the blame for the situation on the NSA analyst. The company alleged that he practiced poor security and, further, that his computer was riddled with other malware.

Anonymous U.S. officials, however, have alleged that tests showed Kaspersky's software was tuned to trigger on keywords found in certain files. Kaspersky has vehemently denied the accusation and the implication that it collaborated with Russian intelligence agencies.

U.S. officials were tipped off by Israeli intelligence, which had infiltrated Kaspersky's systems only to find that Russia was also inside the company's networks. So far, no evidence has been made public that would indicate Kaspersky willingly worked with Russia. Nonetheless, the U.S. government banned the use of the company's software in September (see Kaspersky Software Ordered Removed From US Gov't Computers).

Maddening Leaks
Beginning with former NSA contractor Edward Snowden's disclosures in 2013, the U.S. intelligence community has been rocked by a devastating series of leaks and breaches. After Snowden, the U.S. attempted to shore up its defenses of classified material, but jaw-dropping incidents have continued.

Harold T. Martin III, a long-time government contractor, was accused in August 2016 of taking reams of classified material belonging to several U.S. intelligence agencies that were found in his car and residence. But like Pho, he is not suspected of taking the material with the intent of passing it on to others (see Former US Contractor Indicted in Theft of Classified Material).

Then in June, an employee of defense contractor Pluribus International Corp. was arrested. Reality Leigh Winner was accused of removing a top-secret NSA document that described Russian efforts to compromise the U.S. election and passing it to the media. The document turned up in a story by The Intercept (see Inside Job: NSA Fails to Stop Another Leaker).

None of the leaks have been definitively linked with The Shadow Brokers, the group that began leaking NSA files and tools in August 2016 (see Ethical Debate: OK to Pay Shadow Brokers for Exploit Dumps?).

The CIA has also seen its own trouble. Wikileaks began releasing in March what it calls Vault7, which comprises 8,761 files describing the agency's exploitation tools and techniques (see 7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks).
 

In2an3_PpG

Meaning Kaspersky in cahoots with the Russian government.
I doubt it though, as why would they ruin their reputation.

Yeah, but I saw this article as a hit to the US Government and a huge hit to the NSA again. Due to another employee that the NSA can't seem to control. Letting them pretty much walk out with classified material, again. I do not see Kaspersky being at fault for getting their hands dirty in this one. The majority of AVs, as you know, all upload suspicious unknown files for examination. They had no clue it was going to be from the NSA. My opinion. The guy was using a non-genuine version of Windows and, as per Kaspersky, the PC was riddled with malware. He kept turning Kaspersky's protection off to move the files. I am from the US and I'm on Kaspersky's side. Still no evidence about election meddling either.
 

Andytay70

Yeah, but I saw this article as a hit to the US Government and a huge hit to the NSA again. Due to another employee that the NSA can't seem to control. Letting them pretty much walk out with classified material, again. I do not see Kaspersky being at fault for getting their hands dirty in this one. The majority of AVs, as you know, all upload suspicious unknown files for examination. They had no clue it was going to be from the NSA. My opinion. The guy was using a non-genuine version of Windows and, as per Kaspersky, the PC was riddled with malware. He kept turning Kaspersky's protection off to move the files. I am from the US and I'm on Kaspersky's side. Still no evidence about election meddling either.

Sorry for going off topic, but why aren't they on about Qihoo? After all, China isn't so squeaky clean!
 

In2an3_PpG

Sorry for going off topic, but why aren't they on about Qihoo? After all, China isn't so squeaky clean!

Sorry for the late reply, just got off break. Qihoo, that's a whole other ball game. :LOL: But yes, let's not discuss this because it could possibly anger others here.
 

Entreri

This story is very fishy.

So you have an NSA analyst, 67 years old, looking for employment... He had to have extensive computer knowledge and know-how, but what does he do? Not just copy and/or run NSA tools, but also pirated software with a lot of other malware.

Kaspersky has no doubt been on the NSA et al radar given how many state sponsored tools they have discovered, and they saw a perfect opportunity to discredit them.

It's like all things Russian, bad, bad, ban, ban...Btw, the Russian Olympic team was just banned as well.

Yes, as one person mentioned, how about the Chinese AV companies? The US government seems to be interestingly silent.
I would never use any Chinese software/hardware if I had any choice, likely backdoored, the info going to the Chinese Communist government is likely.
 