HPE let Russians look at Pentagon’s code
What could be wrong with that?
HPE could be in trouble after Hewlett Packard Enterprise allowed a Russian defence agency to review the inner workings of cyber defence software used by the Pentagon to guard its computer networks.
According to Reuters, details of the incident can be found in Russian regulatory records.
The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the US military and alerts analysts when it detects that computer systems may have come under attack.
But ArcSight is also widely used in the private sector, and the Russians wanted to look at the source code, apparently to see if it was being used to spy on Russian businesses.
HPE was so keen to flog the code to the Russians that it handed it over as part of the certification required to sell the product to Russia’s public sector.
Six former US intelligence officials, as well as former ArcSight employees and independent security experts, have told Reuters that the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the US military to a cyber-attack.
Greg Martin, a former security architect for ArcSight, said that it was a huge security vulnerability and had given inner access and potential exploits to an adversary.
The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber-attacks against American companies, US politicians and government agencies, including the Pentagon.
The review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defence agency tasked with countering cyber espionage.
Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.
But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability.
HPE said no “backdoor vulnerabilities” were discovered in the Russian review. It declined to provide further details.