Anti-Malware , Cybersecurity , Data Loss

Spy Whose Files Were Plucked by Kaspersky Pleads Guilty

Nghia Hoang Pho, 67, Reportedly Took Files Home to Work on His Resume
Spy Whose Files Were Plucked by Kaspersky Pleads Guilty
National Security Agency headquarters

One of the biggest computer security conflicts of the year was Kaspersky's row with the U.S. government. Officials contended the anti-virus vendor's software was co-opted by Russia, which used it to hunt for top-secret files, which Kaspersky denies.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The conflict was rooted in a cache of top-secret National Security Agency information that ended up in Russian hands. But the files leaked in the first place due to a dumbfounding mistake: an NSA analyst took the material home and copied it to his home computer, where Kaspersky collected and analyzed spy agency malware.

The identity of the agent was unknown until Friday. The Justice Department announced that Nghia Hoang Pho, 67, of Ellicot City, Maryland, pleaded guilty to one count of wilfull retention of national security data. Born in Vietnam, Pho is a naturalized U.S. citizen. He is not accused of taking the material for espionage purposes.

Pho was a developer within the NSA's Tailored Access Operations group, which is now called Computer Network Operations. The group specializes in penetrating into foreign computer networks for cyber espionage operations.

Pho could face up to 10 years in prison, but as part of his plea deal, he will receive no longer than eight years and possibly less. He is scheduled for sentencing April 6 in federal court in Maryland.

Working on a Resume?

On Friday, the Justice Department released the plea agreement and criminal information. Neither document contains detail as to why Pho, who worked for the TAO between 2006 and last year, mishandled classified material.

But citing unnamed government officials, The New York Times reported that Pho took the material home to purportedly work on his resume.

Pho began removing classified material both in paper and digital formats between 2010 and March 2015, according to the criminal information document. He kept the material "in a number of locations" in his Maryland home. He held security clearances for top secret data and SCI, short for sensitive compartmented information.

"Pho worked on highly classified, specialized projects and had access to government computer systems, programs, and information, including classified information," it reads.

The document suggests that Pho was called out around March 9, 2015, when he "failed to deliver" documents to someone with authorization to receive the material.

Plucked by Kaspersky

Pho ran Kaspersky Lab's anti-virus software on his home computer. Last month, Kaspersky said that between September and November 2014, its software collected a 7zip archive that contained suspected malware.

The company had been investigating malware related to the Equation Group, a sophisticated actor that is widely believed to be the NSA. Kaspersky says its software, like that of other anti-virus vendors, collects files that may be malicious as part of its proactive defenses.

In addition to Equation Group code, the archive also contained four classified Microsoft Word documents, which were brought to the attention of Eugene Kaspersky, the company's co-founder. He ordered that those files be deleted (see Kaspersky Blames NSA Analyst For US Intel Leak).

Kaspersky placed the blame for the situation at the hands of the NSA analyst. The company alleged that he practiced poor security and further that his computer was riddled with other malware.

Anonymous U.S. officials, however, have alleged that tests showed Kaspersky's software was tuned to trigger on keywords found in certain files. Kaspersky has vehemently denied the accusation and the correlation that it possibly collaborated with Russian intelligence agencies.

U.S. officials were tipped off by Israeli intelligence, which had infiltrated Kaspersky's systems only to find that Russia was also inside the company's networks. So far, no evidence has been made public that would indicate Kaspersky willingly worked with Russia. Nonetheless, the U.S. government banned the use of the company's software in September (see Kaspersky Software Ordered Removed From US Gov't Computers).

Maddening Leaks

Beginning with former NSA contractor Edward Snowden's disclosures in 2013, the U.S intelligence community has been rocked by a devastating series of leaks and breaches. After Snowden, the U.S. attempted to shore up its defenses of classified material, but jaw-dropping incidents have continued.

Harold T. Martin III, a long-time government contractor, was accused in August 2016 of taken reams of classified material belonging to several U.S. intelligence agencies that was found in his car and residence. But like Pho, he is not suspected of taking the material with the intent of passing it onto others (see Former US Contractor Indicted in Theft of Classified Material).

Then in June, an employee of defense contractor Pluribus International Corp. was arrested. Reality Leigh Winner was accused of removing a top-secret NSA document that described Russian efforts to compromise the U.S. election and passing it to the media. The document turned up in a story by The Intercept (see Inside Job: NSA Fails to Stop Another Leaker).

None of the leaks have bee definitely linked with The Shadow Brokers, the group that began leaking NSA files and tools in August 2016 (see Ethical Debate: OK to Pay Shadow Brokers for Exploit Dumps?).

The CIA has also seen its own trouble. Wikileaks began releasing in March what it calls Vault7, which comprises 8,761 files describing the agency's exploitation tools and techniques (see 7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks).


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.