NSA Contractor Downloaded Backdoor to PC, Says Kaspersky Lab

Exterminator
Kaspersky Lab has released the results of an internal investigation into the suspected theft by Russian spies of NSA hacking tools from a contractor’s laptop, which seem to clear it of wrongdoing alleged in US media reports.

The Moscow-headquartered vendor has been under fire over the past few months after reports in various outlets, including the Washington Post and Wall Street Journal, indicated its products may have been used by Russian intelligence to harvest the data, potentially with the firm's knowledge.

A New York Times story earlier this month then claimed that Israeli spies, who had also compromised Kaspersky Lab software, had spotted Kremlin hackers using its tools, evidence it passed on to Washington, which then banned federal use of all the vendor's products.

However, Kaspersky Lab now says it has reviewed telemetry logs in relation to “alleged 2015 incidents described in the media”.

Most notably, it claims the NSA worker in question, who took home the stolen classified materials, disabled the Kaspersky Lab software running on his PC after it detected new versions of Equation APT – malware linked to the US spy agency.

It continues:

“Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator (aka ‘keygen’) which turned out to be infected with malware. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.

To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine. Our telemetry does not allow us to say when the anti-virus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the anti-virus enabled.”

This “full blown backdoor” could have allowed third parties to access the user’s machine, Kaspersky Lab claimed.

An unspecified time later, the same user re-enabled Kaspersky Lab and new malicious variants of Equation APT were sent back to the vendor’s servers for analysis.

“After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO,” it added. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”

Kaspersky Lab claimed no further detections were received from the user in 2015 and there have been no other incidents or third-party intrusions to date, except the “Duqu 2.0” intrusion thought to be the work of Israeli spies.

What’s more, Kaspersky Lab confirmed it has never created any detection of non-malicious documents in its products based on keywords like “top secret” and “classified”, as alleged in a WSJ story.

The only question mark remains around the timing of the incident. Most reports have it as 2015, while Kaspersky Lab claimed it happened in 2014. The firm went public with its findings on the NSA’s Equation Group in February 2015.

As part of its efforts to prove its innocence, Kaspersky Lab this week launched a Global Transparency Initiative under which it plans to offer its source code for independent third party review.
 

TairikuOkami
I guess times are hard, when the NSA can not even afford to buy Microsoft Office for its employees. :ROFLMAO:

“After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO,” it added. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”

They did not share it with 3rd parties, right. :unsure:

The first report on Equation was published by Kaspersky during their 2015 Security Analyst Summit.

Intelligence Report: Equation Group | Check Point Blog

Bottom line: Kaspersky's own report indeed says, that the AV had uploaded the source code. And people wonder, why I do not fancy cloud analysis (smartscreen, etc). :)
 

brambedkar59
So even NSA workers are like the average user.
Download a "totally clean" hacktool/keygen, AV says the file is malicious: don't run it, user runs it after disabling the "stupid" AV, then the user's PC is infected and in the end the AV sucks, or at least the user thinks so.
 

Weebarra
So even NSA workers are like the average user.
Download a "totally clean" hacktool/keygen, AV says the file is malicious: don't run it, user runs it after disabling the "stupid" AV, then the user's PC is infected and in the end the AV sucks, or at least the user thinks so.

Sounds like me (except the keygen part) stupid AV :ROFLMAO: only joking, not any more;)
 
Deleted member 65228

Bottom line: Kaspersky's own report indeed says, that the AV had uploaded the source code. And people wonder, why I do not fancy cloud analysis (smartscreen, etc). :)
The system was infected, the user had disabled the protection and then when the protection was re-enabled, other potentially dangerous content was found. Due to the protection being re-enabled and the suspicious items not having a clear verdict, the flagged items were uploaded to the cloud network. I can admit that I find it strange that Kaspersky would be uploading files with a format of *.asm, *.c, *.cpp, *.py or others related to source files (if they do not actually contain executable code -> the source code documents are not executable, only the compiled are executable however an attacker can always re-name extensions I guess); maybe the source code was in a non-password protected archive or similar instead of just within a normal folder containing no other executable files. In fact, maybe the compiled versions were present in the same folder (or was within a sub-folder) so Kaspersky just uploaded that whole portion (e.g. after flagging the compiled executables as suspicious)... Who knows. And who cares? The product was doing its job by trying to protect the user. They aren't going to just "know" the user worked for the NSA and had classified files which can be used to cause a lot of damage if gotten into the wrong hands. :unsure:

The moral of the story is not that "Kaspersky cannot be trusted" but that if you are working for the government, don't take classified private documents home to your personal computer and don't run pirated software - whether someone believes piracy is morally right or wrong (despite it being illegal), it comes with risks such as malicious software embedded within it. The agent who took the classified source code files back home to his system and was using the malicious keygen is nothing but silly... :rolleyes:

Kaspersky prevents several million (well, that is an under-statement) infections each year. They don't care about stealing source code from other people or being in the firing line from government agencies. The government (US) is mad because their technology was "stolen", but instead of trying to shift the blame, they should blame themselves for:
- Not training their employees properly in cyber-security.
- Allowing employees to be involved in sophisticated projects (such as the one related to this malware they were developing) when the employee cannot even differentiate between a good or bad practice (using key-gens and pirating software is a no-no when it comes to security).
- Not enforcing better access control to prevent employees from violating potential rules (e.g. copying data to a removable device so they can access it from home without the correct authorisation).

Kaspersky might be a very well-known and popular security vendor which has been around for as long as I can remember, but that does not mean that they are invincible. Every single internet-based company can be breached by attackers if they are determined enough and have the necessary skill-set; we of all people should understand that you can only try to prevent attacks from being successful but you may fail - typically using a layered protection approach.

I apologise if people disagree with my thoughts (and even though I quoted @TairikuOkami I am not having a go at him, I just quoted it as an entry point) but this is really ridiculous. The employee was trying to pirate software illegally using a malicious keygen, had classified documents present on his system when he enabled the protection for security software with cloud functionality (their privacy policy outlines everything they may do - including potentially uploading files) and there has been a huge mess regarding Kaspersky for months now. :oops:

If you are paranoid about privacy then pick a security product with a privacy policy you have a liking to, or just don't use a third-party product. Find another way to protect yourself whilst meeting your needs. There is no point having a grudge about vendors who provide software which meets your requirements and then just being depressed about not having 100% privacy (which will never exist when you are online).
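The post above speculates about what a cloud-assisted AV uploads once a file is flagged: whole archives, compiled binaries next to source files, and so on. Below is an added, constructed example (not Kaspersky's code, and not anything the thread's author posted) of a toy submission gate that shows the behaviour being speculated about: a plain source file is reported by hash only, a PE image is submitted in full, and an unencrypted archive is submitted whole as soon as one member looks executable, source files included. The file names, the magic-byte checks, the `Decision` class and the sample files are all assumptions made for the example; a real product's policy and privacy terms govern what actually leaves the machine.

```python
"""Toy cloud-submission gate for flagged files (constructed example)."""
import hashlib
import io
import zipfile
from dataclasses import dataclass

PE_MAGIC = b"MZ"           # DOS/PE header prefix
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header
SOURCE_EXTS = {".c", ".cpp", ".h", ".asm", ".py"}


@dataclass
class Decision:
    action: str   # "submit" (full bytes leave the machine) or "hash-only"
    sha256: str
    reason: str


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def is_executable(data: bytes) -> bool:
    """Cheap PE check: only the magic prefix, no header parsing."""
    return data[:2] == PE_MAGIC


def gate(name: str, data: bytes) -> Decision:
    """Decide what the cloud back end receives for one flagged file."""
    digest = _sha256(data)
    if is_executable(data):
        return Decision("submit", digest, "PE image: full sample needed")
    if data[:4] == ZIP_MAGIC:
        return _gate_archive(data, digest)
    if _ext(name) in SOURCE_EXTS:
        return Decision("hash-only", digest, "source text: metadata only")
    return Decision("hash-only", digest, "non-executable: metadata only")


def _gate_archive(data: bytes, digest: str) -> Decision:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Decision("hash-only", digest, "corrupt archive")
    members = zf.infolist()
    # bit 0 of the general-purpose flags marks an encrypted member; the
    # scanner cannot look inside, so it falls back to metadata
    if any(info.flag_bits & 0x1 for info in members):
        return Decision("hash-only", digest, "encrypted archive: not inspected")
    exe_members = [i.filename for i in members if is_executable(zf.read(i))]
    if exe_members:
        # the whole archive goes up, any source files in it included
        return Decision("submit", digest,
                        f"archive contains executables {exe_members}")
    return Decision("hash-only", digest, "archive holds no executables")


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Simulate an encrypted zip by setting the 'encrypted' flag bit in the
    central directory header (flags sit 8 bytes after the PK\\x01\\x02 tag)."""
    buf = bytearray(zip_bytes)
    idx = buf.find(b"PK\x01\x02")
    buf[idx + 8] |= 0x01
    return bytes(buf)


def build_samples() -> dict:
    """Constructed inputs: a source file, a fake PE, and three archives."""
    src = b"int main(void) { return 0; }\n"
    pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    mixed, src_only = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(mixed, "w") as zf:
        zf.writestr("tool/main.c", src)
        zf.writestr("tool/bin/tool.exe", pe)
    with zipfile.ZipFile(src_only, "w") as zf:
        zf.writestr("notes/main.c", src)
    return {
        "main.c": src,
        "keygen.exe": pe,
        "toolkit.zip": mixed.getvalue(),
        "notes.zip": src_only.getvalue(),
        "locked.zip": _mark_encrypted(mixed.getvalue()),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        d = gate(name, data)
        print(f"{name:12} {d.action:9} {d.reason}")
```

The `toolkit.zip` case is the one worth noticing: the policy never looked at `main.c` on its own, but because it sat in the same archive as a suspicious binary the source text is uploaded along with it, which is exactly the scenario the post guesses at. The `locked.zip` case shows the opposite failure mode: a password-protected archive hides its contents from the scanner, so nothing but a hash is reported.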
 
ForgottenSeer 58943

This is why I always say calling US Intelligence 'intelligence' is a misnomer..

The government (US) is mad because their technology was "stolen", but instead of them trying to shift the blame, they should blame themselves for:
- Not training their employees properly in cyber-security.
- Allowing employees to be involved in sophisticated projects (such as the one related to this malware they were developing) when the employee cannot even differentiate between a good or bad practice (using key-gens and pirating software is a no-no when it comes to security).
- Not enforcing better access control to prevent employees from violating potential rules (e.g. copying data to a removable device so they can access it from home without the correct authorisation).

I need some popcorn, this is getting awesome and the NSA is looking more stupid by the week.
 

boredog
"Russian spies of NSA hacking tools from a contractor’s laptop, which seem to clear it of wrongdoing alleged in US media reports."

The person that took the docs home wasn't a government employee but rather a contractor, if I read the article right. The government should have done a better background check and screening. And who are these Russian spies?
 
