WASHINGTON — Back in 2015, Israel’s intelligence agencies were caught on the defensive when a Russian-based cybersecurity firm released an explosive report strongly implicating them in spying on the United States at the host sites of the Iran nuclear talks.
The firm, Kaspersky Labs, declined to name Israel as directly responsible for the hack. But it pointed to the use of sophisticated malware, codenamed Duqu 2.0, that had originally been developed jointly by Israelis and Americans and had since been adapted to target US interests.
Or so the story went in 2015.
Now Kaspersky Labs is the party on the defensive, after The New York Times revealed this week that, in its 2015 hack of Kaspersky systems, Israel uncovered a Russian government effort to use the private firm as a powerful search engine on computers worldwide.
After Israel reportedly uncovered the Russian operation, it promptly alerted the US to its findings. The report calls into question the dominant 2015 narrative that Jerusalem and Washington were working against one another, and not together, on intelligence collection.
At that time, the Obama administration fielded questions from reporters focused primarily on the question of whether Israel was targeting the US through espionage, due to disagreements over the Iran talks.
“I can say that we take steps, certainly, to ensure that confidential, that classified negotiating details stay behind closed doors in these negotiations,” said Jeff Rathke, then a State Department spokesman.
He declined to elaborate. But US officials in private repeatedly accused Israel of spying on their efforts, and in the closing months of the talks dramatically curtailed their briefings to Israeli officials on their diplomatic progress.
Spying was surely going both ways, and it remains unclear whether Israel’s goal in the Kaspersky hack was to understand Kaspersky’s systems, to collect intelligence on the nuclear talks, or to serve some other, unknown purpose.
In December of that year, the Wall Street Journal revealed that a wide US surveillance net of Israeli leaders had incidentally collected the communications of several members of Congress. Other reports from that year seem to confirm Israeli and US efforts to spy on one another.
And Israel’s willingness to come forward with its discovery of Russia’s effort does not necessarily mean it revealed to the Americans the sources and methods behind the information it shared.
In a statement to The Jerusalem Post on Thursday, Kaspersky Labs could not confirm that Israel’s findings on the use of Kaspersky systems occurred during its alleged infiltration of the Iran talks. The firm further denied any connection to the Russian government.
“With regards to unverified assertions that this situation relates to Duqu2, a sophisticated cyber attack of which Kaspersky Lab was not the only target, we are confident that we have identified and removed all of the infections that happened during that incident,” the firm said. “Kaspersky Lab does not definitively attribute attacks to specific entities or nation-states because the company’s policy is to focus on the technical analysis of cyber threats.”
The organization said that no evidence had been presented to substantiate the Times report, and called on “relevant parties to responsibly provide the company with verifiable information.”
“Contrary to erroneous reports, Kaspersky Lab technologies are designed and used for the sole purpose of detecting all kinds of threats, including nation-state sponsored malware, regardless of the origin or purpose,” the firm added.
In an interview in 2015 with the Post, Kaspersky Lab’s principal security researcher, Kurt Baumgartner, offered more specificity.
“Attribution of cyber attacks over the Internet is a difficult thing,” Baumgartner said. “However, it’s important to stress that we are absolutely sure that Duqu 2.0 is an updated version of the infamous 2011 Duqu malware.” Duqu was originally discovered in 2011 as software strikingly similar to Stuxnet, the virus of US-Israeli origin that was used to infiltrate Iran’s nuclear infrastructure and destroy it from within.
“In addition to several unknown victims, we are quite sure that at least three of the venues where P5+1 talks about a nuclear deal with Iran were held have been attacked,” Baumgartner said, adding: “The Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.”