Kaspersky Lab said an individual, believed to be one identified as a National Security Agency worker in news accounts, triggered the company’s antivirus software and paved the way for it to upload classified NSA files from his computer when he tried to pirate Microsoft Office and ended up infecting himself with malicious software.
The piracy claim is included in a set of preliminary findings released by the Moscow-based company from an internal investigation into a byzantine spying scandal that didn’t seem like it could get any more bizarre. A series of news reports this month, citing U.S. intelligence sources, asserted that the files on the worker’s computer, which included source code for sensitive hacking tools he was developing for the spy agency, were uploaded by Kaspersky security software and then collected by Russian government hackers, possibly with the company’s knowledge or help. Kaspersky has denied that it colluded with Russian authorities or knew about the worker incident as it was described in the press.
Details from the investigation, including the assertion that Kaspersky’s CEO ordered the files deleted after they were recognized as potential classified NSA material, could help absolve the antivirus firm of allegations that it intentionally searched the worker’s computer for classified files that did not contain malware. But they also raise new questions about the company’s actions, the NSA worker, and the spying narrative that anonymous government sources have been leaking to news media over the last two weeks.
After facing increasingly serious allegations of spying, Kaspersky provided The Intercept with a summary of preliminary findings of an internal investigation the company said it conducted in the wake of the news reports.
In its statement of findings, the company acknowledged that it detected and uploaded a compressed file container, specifically a 7zip archive, that had been flagged by Kaspersky’s software as suspicious and turned out to contain malware samples and source code for what appeared to be components related to the NSA’s so-called Equation Group spy kit. But the company said it collected the files in the normal course of its operations, and that once an analyst realized what they were, he deleted them upon the orders of CEO Eugene Kaspersky. The company also insists it never provided the files to anyone else.
Kaspersky doesn’t say the computer belonged to the NSA worker in question and says the incident it recounts in the report occurred in 2014, not 2015 as news reports state. But the details of the incident appear to match what recent news reports say occurred on the worker’s computer.
The NSA could not be reached for comment.
According to Kaspersky, the incident began when the company was in the midst of an initial investigation into the so-called Equation Group set of tools. In March 2014, Kaspersky discovered a suspicious driver file on a machine in the Middle East that didn’t appear to belong to any attack group Kaspersky had seen before. After adding search terms known as “signatures” to its scanner to detect the driver, the company found numerous samples of it, as well as other related components, on machines of customers in more than 40 countries, including the U.S. Kaspersky spent about a year collecting samples until it had amassed an expansive and sophisticated toolkit, which it dubbed the Equation Group, and that had been used by the NSA since 2001, possibly even 1996.
In the case of one infected computer in the U.S., the company said it discovered what appeared to be new and unknown “debug” variants of Equation Group malware on the machine. “Debug” generally refers to code or a program that is still under development and not yet complete, which fits with news accounts of the tools that were taken from the NSA worker’s computer. In one recent Washington Post story, the NSA worker was reportedly a member of the Tailored Access Operations, the NSA’s elite hacking team, who was helping to develop new tools that were likely slated to replace the Equation Group tools.
The computer on which the Kaspersky software detected the debug variants had the Kaspersky Security Network enabled. KSN is a cloud platform that allows Kaspersky to automatically collect samples of new and unknown malware from machines where a customer has enabled this feature (other antivirus products, including those made by U.S.-based Symantec, offer similar cloud collection).
Kaspersky said that after it detected these debug variants, the customer apparently disabled the antivirus scanner in order to run software that would generate software keys and allow him to run pirated Microsoft Office software on his machine. The key-generation software turned out to be infected with known backdoor Trojan malware called Mokes that had been created in 2008 and was already being detected by antivirus scanners in November 2013.
Kaspersky doesn’t know when the customer disabled their scanner, but at some point they re-enabled it, upon which it detected the Mokes backdoor on his computer. Kaspersky didn’t respond to questions asking when the file infected his computer or when its scanner detected the file, but notes in its statement that the malware was already on his system when the scanner was re-enabled. The company knows this because the malware would not have been able to install itself when the antivirus scanner was running.
Kaspersky describes the Mokes malware as a “full-blown backdoor which may have allowed third parties access to the user’s machine” — further underscoring the worker’s recklessness in installing the pirated software, if in fact he did so.
“There’s a whole litany of problems with this,” said Jake Williams, founder of Rendition Infosec and a former NSA employee. “If this guy is a TAO developer — these guys don’t grow on trees, they’re fairly skilled — he has to know the dangers of downloading pirated software. Taking the [classified] tools out of the [NSA] building in the first place [and putting them on his home computer] is a tremendous operational security lapse in judgement. But combining that with pirated software is mind-blowing.”
“From an NSA standpoint, I don’t see how this can get much worse,” Williams added.
When the customer re-enabled the Kaspersky software, he “scanned the computer multiple times,” as Kaspersky writes in its statement, and the scanner detected not only the Mokes backdoor but also what appeared to be new and unknown variants of the Equation Group tools Kaspersky was already investigating. One of the files it flagged and uploaded to the Kaspersky network was the 7zip archive containing multiple malware samples and what appeared to be source code related to the NSA’s Equation Group malware.
“After discovering the suspected Equation malware source code, the analyst reported the incident to [CEO Eugene Kaspersky],” the company said in its summary of findings. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
The company said it detected no other malicious files on the customer’s machine after this. But it noted that after the company went public in February 2015 with its initial Equation Group findings — findings that did not encompass the 7zip archive — it detected several other computers that appeared to be in the same IP range as the customer. These computers also had KSN enabled and had Equation-related files on them. Kaspersky said the computers appeared to be “honeypots” — decoy systems set up to trick hackers into believing they’re legitimate systems. This would seem to corroborate a recent Wall Street Journal story, which said that after the NSA discovered that classified tools had been taken by Kaspersky from a worker’s computer, the agency set up a test to see if Kaspersky would do the same to other computers.
Williams said it’s perfectly logical that if Kaspersky found debug files during its initial scan for Equation Group files, it would have created signatures, or search parameters, that ultimately led it to detect the 7zip archive when the customer turned the scanner back on. “The idea that they would pull the source code with it is completely viable,” he said, even if this was not yet executable malware.
He also doesn’t find anything suspicious about the company saying it then deleted those files upon the CEO’s orders if the files contained classification markings that identified them as belonging to the U.S.
“[I]f there were actually classification markings in that zip file, at that point that’s so toxic, there’s not a question as to whether or not [you delete it]. Because if you knowingly hold that classified data and you have employees in the U.S. [and are trying to sell your product to the U.S. government] …
“If somebody sent that to me … and if it’s [source code] for a country that I’m doing business in, I’m immediately deleting that off of my machine and, honestly, I would contact legal counsel … because I don’t want to get arrested the next time I land someplace.”
But Williams said that’s the case only if the files contained classification markings that identified them as belonging to the U.S. “If there’s no classification marking then I don’t know why they would get rid of it,” he said, and the explanation becomes more doubtful.
Rob Graham, founder of Errata Security, agreed with Williams about Kaspersky deleting “toxic” files that bear classification markings.
“Even contacting the U.S. government and telling them what they accidentally found, while in theory a sound idea, is fraught with peril,” he said. “I’ve been there — it rarely turns out well.”
All of this, however, raises questions about the stories that have been leaked to various news outlets in recent weeks, suggesting Kaspersky colluded with the Russian government to get the files. The New York Times reported that Israeli hackers who breached Kaspersky’s network in 2014 found evidence that Russian government hackers had somehow used Kaspersky’s software to obtain classified tools from the NSA worker’s computer, and the Wall Street Journal reported that Kaspersky had to know what the hackers were doing when they took the files.
The Intercept already called into question the narrative of those stories in a piece published last week showing how it would have been possible for Kaspersky to obtain the classified files in an innocent manner. If Kaspersky’s version of events in the preliminary findings are true, then the only question remaining is if, and how, those files then got into the hands of the Russian government.
Williams said Kaspersky should release logs showing the precise dates when it uploaded the zip file and deleted it.
“I would say that if all that checks out, that this absolves Kaspersky of wrongdoing,” with regard to taking the files, Williams said.
But then he said the ball is in the U.S. government’s court to prove that Kaspersky colluded with the government.
“This assertion that the code made it into the hands of the Russian government … I don’t know that that’s been substantiated, and it’s on [the U.S.] now to come back and say something about that,” Williams said.
The so-called honeypot computers Kaspersky said were set up after the incident with the NSA worker, presumably by the NSA, were in a position to collect evidence that Kaspersky was intentionally hunting down top-secret documents using its software, instead of malware, if that’s what occurred. The Journal wrote that it was through these “controlled experiments … on a computer being monitored by U.S. spies” — a seeming allusion to honeypots — that the NSA became convinced Kaspersky software had been used for a spy operation and not for hunting malware.
Graham said that if the signatures that found the NSA worker’s files were designed to forage for intelligence secrets rather than malware, that should be easy to prove, “either by putting documents on the system that only have classified top-secret markings on them and see if those files get copied by Kaspersky, or by reverse-engineering the signatures to see what they were looking for.”
Kaspersky said in its findings statement that its scanner didn’t retrieve anything from the honeypot computers that wasn’t a suspicious executable file, meaning it did not collect documents that would have had only an intelligence value.
Graham said it’s now up to the anonymous sources who have been feeding the media allegations about Kaspersky to provide “actual confirmation that a data file rather than an executable was retrieved from [the honeypots]. … Either proof of the signatures themselves or proof of the documents leaving the machines [is what they need to produce].”
Kaspersky said its investigation is still ongoing and that it will provide additional technical information as it becomes available. The company also said in a statement that it plans to share all of its findings, including technical details, with a trusted third party as part of a new transparency initiative it announced this week.