Suddenly the curious Kaspersky case looks a little clearer. Three months ago, news leaked of an FBI probe into the Russia-based anti-virus firm, and less than a month ago the US government ordered the Kaspersky software purged from all of its computers. Today the Wall Street Journal reports that the suspicions began last year, when the NSA discovered a data theft originating with an employee who had put it on his home computer:

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The Washington Post corroborated the WSJ story and provides a look at what the Russians got in their penetration:

The employee involved was a U.S. citizen born in Vietnam and had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on the condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.

The theft of the material enabled the Russian government to more easily detect and evade U.S. government cyberespionage operations, thwart defensive measures and track U.S. activities, the individuals said. It is the latest in a series of damaging breaches of the NSA in recent years and is among the first concrete indications of why the U.S. intelligence community believes that Kaspersky Lab software operates as a tool for Russian espionage.

It might also explain why the Russian government filed a complaint about the purging of Kaspersky Labs software from US government computers. That seemed odd at the time, considering that retail software isn’t exactly a part of diplomatic relations. The Putin government must have known the game was up at that point but wanted to see if they could push back hard enough to get the US to reconsider. All it did was raise even more suspicions, and should have had everyone checking to ensure that their computers didn’t have Kaspersky on them.

The timing of this seems pretty curious, too. The penetration took place in 2015, but the NSA apparently didn’t connect it to Kaspersky until sometime in 2016. Why didn’t the alarm get raised at that point? Did the NSA or the Department of Defense begin warning federal agencies to migrate to a different anti-virus platform at that time?

Part of that answer might be found in the details of the WSJ report. Kaspersky’s software works differently than most other anti-virus systems in that it copies data on the user’s hard drive and sends it back to their servers for further analysis. The suspicion is that Kaspersky may have some coordination with Russian intel to look for data that specifically references intelligence operations and then directs them to that user for further penetration. However, investigators still have not found that mechanism, nor a solid connection between Kaspersky and the FSB or GRU. They have enough, however, to warrant the purge.

Nor is this the only notable penetration revealed in the last day or so. Perhaps we should just start keeping track of who hasn’t been hacked. You know, there’s … uh … and, er … we’ll get back to you on that. The White House believes that the personal cellphone of chief of staff John Kelly was compromised as long ago as December, according to Politico. The penetration may not be as damaging as one could imagine, however:

White House officials believe that chief of staff John Kelly’s personal cellphone was compromised, potentially as long ago as December, according to three U.S. government officials.

The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing.

Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.

Kelly told the staffers the phone hadn’t been working properly for months, according to the officials.

The key here is that the suspected hack took place on Kelly’s personal cellphone. When Kelly took over as Secretary of Homeland Security, he mainly relied on his government-issued cellphone, as is protocol for government officials. Inside the White House, officials have lockers in which to leave personal devices, and Kelly would likely have followed that procedure more closely than most. Politico notes, though, that Kelly’s travel schedule before January is “under review,” presumably to assess potential damage as well as the source of the penetration.

As far as the former NSA employee, no one’s quite sure whether he’s been charged with a crime for taking his classified work home with him and putting it on his private computer system. Given that we almost elected someone who did the same thing, it might be tough to win a prosecution while she’s on book tour. Say, did Hillary Clinton’s home-brew server use Kaspersky for its anti-virus program?