Kaspersky says NSA hacking tools obtained after malware was found

Share this…

Apparently, a pirate download of Microsoft Office could be the root of all the trouble. Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional.

In October, a report from The Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency’s hacking tools and software.

The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky’s antivirus software. Once these secretive files were identified — through an avenue carved by the antivirus — the Russian government was then able to obtain this information.

Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks.

There was a number of theories relating to what actually took place — was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky’s antivirus, or were the files detected and pulled by accident?

According to Kaspersky, the latter is true.

On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place.

It was actually a year earlier than the Journal believed, in 2014, that code belonging to the NSA’s Equation Group was taken.

Kaspersky says the company was in the middle of an Advanced Persistent Threat (APT) investigation, and when on the trail of the Equation Group, detection subsystems “caught what appeared to be Equation malware source code files.”

There were over 40 active infections worldwide at the time, but one of the “infections” in the US “consisted in what appeared to be new, unknown and debug variants of malware used by the Equation group.”

Kaspersky’s antivirus detected the sample on a home computer which had Kaspersky’s Security Network (KSN) enabled, a system which automatically collects threat data and sends it to the cloud.

The company claims that the user in question had installed pirate software on their machine as illegal Microsoft Office keygens were present.

What appears to have happened is that the antivirus was turned off while the keygen was in use — a common practice for those using the illegal software to ‘validate’ pirate copies — but the keygen was infected with malware known as Backdoor.Win32.Mokes.hvl.

(The malware was a Trojan with full backdoor capabilities, and there may also be the suggestion that this backdoor could have been used by others to target the employee.)

Later, although the exact timeframe has not been specified, the antivirus was enabled and the malware was blocked. The user then ran a number of scans to remove the Trojan, which also caught the Equation group hacking tools in the mix.

“One of the files detected by the product as new variants of Equation APT malware was a 7zip archive,” Kaspersky says. “The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts.”

“Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware,” the company added.

The analyst in question which obtained the files then reported the findings to Kaspersky CEO Eugene Kaspersky, who requested for the archive to be deleted from the company’s systems.

Kaspersky says that the samples were not shared with third parties, although a New York Times report claims that Israeli intelligence officers hacked into the firm’s network in 2014 and discovered Russian hackers were exploiting Kaspersky software to “turn [it] into a sort of Google search for sensitive information.”

The company says that this is the only incident of its kind to take place, and although “honeypot” PCs have been detected since with Equation-related samples, detections have “not been processed in any special way.”

Kaspersky hopes that the public disclosure of the incident — at least, some of the details — may further the company’s goal of regaining consumer, business, and government trust.

The security firm says that the investigation “confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like “top secret” and “classified.”

It’s interesting, though, that according to a telephone interview between ABC News and Kaspersky, that the files were deleted as the analysts knew the information was classified.

Kaspersky said that company policy now dictates that confidential information slurped up by scanners and antivirus will not be stored.

“If we see confidential or classified information, it will be immediately deleted and that was exactly (what happened in) this case,” the CEO told the publication.

In addition, the Kaspersky executive would not reveal whether or not the NSA had been informed of the findings at the time.

“We believe the above is an accurate analysis of this incident from 2014,” the company says. “The investigation is still ongoing, and the company will provide additional technical information as it becomes available. We are planning to share full information about this incident, including all technical details with a trusted third party.”