Kaspersky Lab said an individual, believed to be the person news accounts have identified as a National Security Agency worker, triggered the company’s antivirus software and paved the way for it to upload classified NSA files from his computer when he tried to pirate Microsoft Office and ended up infecting himself with malicious software.
The piracy claim is included in a set of preliminary findings released by the Moscow-based company from an internal investigation into a byzantine spying scandal that didn’t seem like it could get any more bizarre. A series of news reports this month, citing U.S. intelligence sources, asserted that the files on the worker’s computer, which included source code for sensitive hacking tools he was developing for the spy agency, were uploaded by Kaspersky security software and then collected by Russian government hackers, possibly with the company’s knowledge or help. Kaspersky has denied that it colluded with Russian authorities or knew about the worker incident as it was described in the press.
Details from the investigation, including the assertion that Kaspersky’s CEO ordered the files deleted after they were recognized as potential classified NSA material, could help absolve the antivirus firm of allegations that it intentionally searched the worker’s computer for classified files that did not contain malware. But they also raise new questions about the company’s actions, the NSA worker, and the spying narrative that anonymous government sources have been leaking to news media over the last two weeks.
After facing increasingly serious allegations of spying, Kaspersky provided The Intercept with a summary of preliminary findings of an internal investigation the company said it conducted in the wake of the news reports.
In its statement of findings, the company acknowledged that it detected and uploaded a compressed file container, specifically a 7zip archive, that had been flagged by Kaspersky’s software as suspicious and turned out to contain malware samples and source code for what appeared to be components related to the NSA’s so-called Equation Group spy kit. But the company said it collected the files in the normal course of its operations, and that once an analyst realized what they were, he deleted them upon the orders of CEO Eugene Kaspersky. The company also insists it never provided the files to anyone else.
Kaspersky doesn’t say the computer belonged to the NSA worker in question and says the incident it recounts in the report occurred in 2014, not 2015 as news reports state. But the details of the incident appear to match what recent news reports say occurred on the worker’s computer.
The NSA could not be reached for comment.
According to Kaspersky, the incident began when the company was in the midst of an initial investigation into the so-called Equation Group set of tools. In March 2014, Kaspersky discovered a suspicious driver file on a machine in the Middle East that didn’t appear to belong to any attack group Kaspersky had seen before. After adding search terms known as “signatures” to its scanner to detect the driver, the company found numerous samples of it, as well as other related components, on machines of customers in more than 40 countries, including the U.S. Kaspersky spent about a year collecting samples until it had amassed an expansive and sophisticated toolkit, which it dubbed the Equation Group and which had been used by the NSA since 2001, possibly even 1996.
In the case of one infected computer in the U.S., the company said it discovered what appeared to be new and unknown “debug” variants of Equation Group malware on the machine. “Debug” generally refers to code or a program that is still under development and not yet complete, which fits with news accounts of the tools that were taken from the NSA worker’s computer. According to one recent Washington Post story, the NSA worker was a member of Tailored Access Operations, the NSA’s elite hacking team, and was helping to develop new tools that were likely slated to replace the Equation Group tools.
The computer on which the Kaspersky software detected the debug variants had the Kaspersky Security Network enabled. KSN is a cloud platform that allows Kaspersky to automatically collect samples of new and unknown malware from machines where a customer has enabled this feature (other antivirus products, including those made by U.S.-based Symantec, offer similar cloud collection).
Kaspersky said that after it detected these debug variants, the customer apparently disabled the antivirus scanner in order to run software that would generate software keys and allow him to run pirated Microsoft Office software on his machine. The key-generation software turned out to be infected with known backdoor Trojan malware called Mokes that had been created in 2008 and was already being detected by antivirus scanners in November 2013.
Kaspersky doesn’t know when the customer disabled the scanner, but at some point he re-enabled it, upon which it detected the Mokes backdoor on his computer. Kaspersky didn’t respond to questions asking when the file infected his computer or when its scanner detected it, but notes in its statement that the malware was already on his system when the scanner was re-enabled. The company knows this because the malware would not have been able to install itself while the antivirus scanner was running.
Kaspersky describes the Mokes malware as a “full-blown backdoor which may have allowed third parties access to the user’s machine” — further underscoring the worker’s recklessness in installing the pirated software, if in fact he did so.
“There’s a whole litany of problems with this,” said Jake Williams, founder of Rendition Infosec and a former NSA employee. “If this guy is a TAO developer — these guys don’t grow on trees, they’re fairly skilled — he has to know the dangers of downloading pirated software. Taking the [classified] tools out of the [NSA] building in the first place [and putting them on his home computer] is a tremendous operational security lapse in judgement. But combining that with pirated software is mind-blowing.”
“From an NSA standpoint, I don’t see how this can get much worse,” Williams added.
When the customer re-enabled the Kaspersky software, he “scanned the computer multiple times,” as Kaspersky writes in its statement, and the scanner detected not only the Mokes backdoor but also what appeared to be new and unknown variants of the Equation Group tools Kaspersky was already investigating. One of the files it flagged and uploaded to the Kaspersky network was the 7zip archive containing multiple malware samples and what appeared to be source code related to the NSA’s Equation Group malware.
“After discovering the suspected Equation malware source code, the analyst reported the incident to [CEO Eugene Kaspersky],” the company said in its summary of findings. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
The company said it detected no other malicious files on the customer’s machine after this. But it noted that after the company went public in February 2015 with its initial Equation Group findings — findings that did not encompass the 7zip archive — it detected several other computers that appeared to be in the same IP range as the customer. These computers also had KSN enabled and had Equation-related files on them. Kaspersky said the computers appeared to be “honeypots” — decoy systems set up to trick hackers into believing they’re legitimate systems. This would seem to corroborate a recent Wall Street Journal story, which said that after the NSA discovered that classified tools had been taken by Kaspersky from a worker’s computer, the agency set up a test to see if Kaspersky would do the same to other computers.
Williams said it’s perfectly logical that if Kaspersky found debug files during its initial scan for Equation Group files, it would have created signatures, or search parameters, that ultimately led it to detect the 7zip archive when the customer turned the scanner back on. “The idea that they would pull the source code with it is completely viable,” he said, even if this was not yet executable malware.
He also doesn’t find anything suspicious about the company saying it then deleted those files upon the CEO’s orders if the files contained classification markings that identified them as belonging to the U.S.
“[I]f there were actually classification markings in that zip file, at that point that’s so toxic, there’s not a question as to whether or not [you delete it]. Because if you knowingly hold that classified data and you have employees in the U.S. [and are trying to sell your product to the U.S. government] …
“If somebody sent that to me … and if it’s [source code] for a country that I’m doing business in, I’m immediately deleting that off of my machine and, honestly, I would contact legal counsel … because I don’t want to get arrested the next time I land someplace.”
But Williams said that’s the case only if the files contained classification markings that identified them as belonging to the U.S. “If there’s no classification marking then I don’t know why they would get rid of it,” he said, and the explanation becomes more doubtful.
Rob Graham, founder of Errata Security, agreed with Williams about Kaspersky deleting “toxic” files that bear classification markings.
“Even contacting the U.S. government and telling them what they accidentally found, while in theory a sound idea, is fraught with peril,” he said. “I’ve been there — it rarely turns out well.”
All of this, however, raises questions about the stories that have been leaked to various news outlets in recent weeks, suggesting Kaspersky colluded with the Russian government to get the files. The New York Times reported that Israeli hackers who breached Kaspersky’s network in 2014 found evidence that Russian government hackers had somehow used Kaspersky’s software to obtain classified tools from the NSA worker’s computer, and the Wall Street Journal reported that Kaspersky had to know what the hackers were doing when they took the files.
The Intercept already called into question the narrative of those stories in a piece published last week showing how it would have been possible for Kaspersky to obtain the classified files in an innocent manner. If Kaspersky’s version of events in the preliminary findings is true, then the only remaining question is whether, and how, those files then got into the hands of the Russian government.
Williams said Kaspersky should release logs showing the precise dates when it uploaded the zip file and deleted it.
“I would say that if all that checks out, that this absolves Kaspersky of wrongdoing,” with regard to taking the files, Williams said.
But then he said the ball is in the U.S. government’s court to prove that Kaspersky colluded with the Russian government.
“This assertion that the code made it into the hands of the Russian government … I don’t know that that’s been substantiated, and it’s on [the U.S.] now to come back and say something about that,” Williams said.
The so-called honeypot computers Kaspersky said were set up after the incident with the NSA worker, presumably by the NSA, were in a position to collect evidence that Kaspersky was intentionally hunting down top-secret documents using its software, instead of malware, if that’s what occurred. The Journal wrote that it was through these “controlled experiments … on a computer being monitored by U.S. spies” — a seeming allusion to honeypots — that the NSA became convinced Kaspersky software had been used for a spy operation and not for hunting malware.
Graham said that if the signatures that found the NSA worker’s files were designed to forage for intelligence secrets rather than malware, that should be easy to prove, “either by putting documents on the system that only have classified top-secret markings on them and see if those files get copied by Kaspersky, or by reverse-engineering the signatures to see what they were looking for.”
Kaspersky said in its findings statement that its scanner didn’t retrieve anything from the honeypot computers that wasn’t a suspicious executable file, meaning it did not collect documents that would have had only an intelligence value.
Graham said it’s now up to the anonymous sources who have been feeding the media allegations about Kaspersky to provide “actual confirmation that a data file rather than an executable was retrieved from [the honeypots]. … Either proof of the signatures themselves or proof of the documents leaving the machines [is what they need to produce].”
Kaspersky said its investigation is still ongoing and that it will provide additional technical information as it becomes available. The company also said in a statement that it plans to share all of its findings, including technical details, with a trusted third party as part of a new transparency initiative it announced this week.
Top photo: The headquarters of the Russian cybersecurity company Kaspersky Lab in Moscow, Russia on Oct. 2, 2017.
This story is part of the backdrop to the legend that Russian hacking helped Trump defeat Clinton.
But the more fundamental point is that the Democrats seem unable to accept that over many years their party dumped the interests of their blue collar voter base; and as a result lost the votes of many blue collar voters who were more than slightly disenchanted with them.
Time to rethink fundamentals of security.
Connecting *anything* to the unfiltered global internet, which we all do with our phones and other doo-hickeys persistently, is simply irresponsible. We’ll look back at these times in disgust of our primitive ways.
This is certainly a curious situation.
One issue not pointed out explicitly is that there’s no real technical difference between the virus / malware that Kaspersky’s software is supposed to find and any purported “spyware” from the NSA. From a technical point of view, the software did a good and proper job of it in finding the supposed NSA materials, and how on earth is the software supposed to know attribution?
An additional interesting twist is that there was apparently some source code included. Hmmm… Curious, that!
About all Kaspersky could have reasonably done better about it would have been to pull the zip file apart and only upload the executable files, and not the whole zip. -shrug-
The article is likely wrong in this paragraph:
Depending on what algorithm was used for creating the signatures, reverse engineering is likely impossible. Most signatures are generated with a tool like SHA1SUM, a “one way hash” specifically so that it’s a unique marker. It could of course be done that a “signature” is actually an encoding that maps out what the program does from a high level abstraction. But, there are a lot of challenges in doing that…
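As an added example (not part of the article or the comments), the toy scanner below models the two checks Rob Graham proposes in the article for telling malware hunting from document hunting, and the commenter’s point above that a hash-based signature cannot be read to learn what it targets: a planted-file run shows which decoys would be collected, while only pattern-style signatures can be inspected directly. All file names, contents, markings and signature names are constructed for the illustration and are not any vendor’s real format.

```python
"""Toy audit of an antivirus scanner's cloud-collection behaviour.

Check 1: plant decoy files on a monitored machine and see which ones the
scanner flags for upload, in particular whether any plain document goes.
Check 2: read the signatures themselves.  Everything here is constructed."""
import hashlib
import re

# Constructed decoy files for the "honeypot" machine.  b"MZ" stands in for
# an executable header; the two .txt files are plain documents.
HONEYPOT_FILES = {
    "debug_build.exe": b"MZ\x90\x00constructed binary\x00EQ_DEBUG_BUILD\x00",
    "office_keygen.exe": b"MZ\x90\x00constructed key generator\x00",
    "decoy.txt": b"TOP SECRET//NOFORN\nconstructed decoy document, no code\n",
    "report.txt": b"quarterly report, nothing of interest\n",
}


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# A hash signature matches one exact file and is opaque: the digest tells an
# auditor nothing about what it matches, so only a file that triggers it
# reveals the target.  The digest here is taken from the constructed keygen;
# a real entry would come from a previously analysed sample.
HASH_SIGNATURES = {sha1(HONEYPOT_FILES["office_keygen.exe"]): "Backdoor.Constructed.Keygen"}

# Pattern signatures can be read.  CLEAN_PATTERNS look only for a string from
# the constructed malware; SUSPICIOUS_PATTERNS adds the kind of entry the
# planted-document test is designed to expose.
CLEAN_PATTERNS = {"Equation.Constructed.Debug": rb"EQ_DEBUG_BUILD"}
SUSPICIOUS_PATTERNS = {**CLEAN_PATTERNS, "Doc.Constructed.Marking": rb"TOP SECRET//"}


def scan(files, hash_sigs, pattern_sigs):
    """Return {filename: detection name} for every file the scanner would upload."""
    hits = {}
    for name, data in files.items():
        digest = sha1(data)
        if digest in hash_sigs:
            hits[name] = hash_sigs[digest]
            continue
        for sig_name, pattern in pattern_sigs.items():
            if re.search(pattern, data):
                hits[name] = sig_name
                break
    return hits


def is_executable(data: bytes) -> bool:
    return data[:2] == b"MZ"


def honeypot_check(files, hash_sigs, pattern_sigs):
    """Check 1: run the scanner over the decoys and list any non-executable
    files it collected.  A non-empty list means a document, not a program,
    would have left the machine."""
    hits = scan(files, hash_sigs, pattern_sigs)
    documents_collected = sorted(n for n in hits if not is_executable(files[n]))
    return hits, documents_collected


MARKING_WORDS = (rb"TOP SECRET", rb"SECRET//", rb"NOFORN")


def signature_check(pattern_sigs):
    """Check 2: return names of pattern signatures that look for
    classification-marking text rather than code artefacts."""
    return sorted(name for name, pat in pattern_sigs.items()
                  if any(word in pat for word in MARKING_WORDS))


if __name__ == "__main__":
    for label, patterns in (("clean", CLEAN_PATTERNS), ("suspicious", SUSPICIOUS_PATTERNS)):
        hits, docs = honeypot_check(HONEYPOT_FILES, HASH_SIGNATURES, patterns)
        print(label, "collected:", hits)
        print(label, "documents collected:", docs)
        print(label, "marking-hunting signatures:", signature_check(patterns))
```

With the clean signature set only the two executables are collected and the decoy document stays put; with the suspicious set the document is collected, which the honeypot run reveals even though the hash entries themselves remain unreadable.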
The problems with the American media reporting on “Russian government hacking” are identical to the problems with the “Iraqi weapons of mass destruction” reporting in 2002-2003.
(1) Extensive reliance on unnamed “government officials” and other anonymous sources whose motivations and agendas are thus unclear.
(2) No discussion of the desire of the military-industrial complex to label a foreign government as an enemy in order to pursue geopolitical agendas and maintain the flow of taxpayer dollars into the bureaucracy.
A further issue specific to this case is that of the NSA and its contractors and their own agenda, i.e. to deflect blame away from themselves for losing control of their cyberwarfare arsenal due to woefully poor security practices, by blaming it all on a nefarious foreign government.
So you end up with a general skepticism – is this another “experts and government officials say the aluminum tubes are specifically designed for uranium enrichment and have no other uses” story?
Notably, the sources leading this story – the Wall Street Journal and the New York Times – were also main actors in the fraudulent and dishonest Iraqi WMD story – so there is a real credibility problem.
At some point, anyone paying attention will start thinking that the American media spectrum contains little besides (1) state and corporate propaganda aimed not at ‘truthtelling’ but rather at manipulation of public opinion, and (2) advertising.
As far as how the NSA lost control of its cyberwarfare arsenal, well, who knows? Could have been an NSA insider selling it all on the black market. Could have been a NSA technician with sloppy security. Could have been the Chinese, the Indians, the Russians, the South Africans, whatever. Obviously the NSA bureaucracy doesn’t want to accept responsibility for it, that’s one thing we can be sure of. People could lose their jobs, funding could be cut, the whole basis of the offensive cyberwarfare program could be called into question – they don’t want that.
Yes, exactly. I would add that this is part of the whole fake “Russiagate” panic the Democrats dreamed up as a lame excuse for losing to the Clown Prince.
The article left me with a couple of questions:
First: what happened to the NSA employee with the s….y security?
Second: wait a minute – aren’t the Equation Group tools malware, malware that Kaspersky had already detected on client computers? AND blown the whistle on them? So what’s wrong with them picking up the latest version – on a client’s computer?
The answer to that one is buried near the end (poor structure): the difference between “data” and “executable” files, plus, maybe, US classification markers on the files.
And we still don’t know how the Russian government got them (aside from the NSA’s remarkably, and systemically, poor security). In fact, given the NSA’s risible security, the Russians probably just hacked the agency itself, as others have done. Spy vs. spy, fair game.
A little more likely, they wiretapped Kaspersky, or the connections to the many client computers. Hard to guard against.
A footnote: if the US is going to insist on treating Russia as an enemy (no matter how dangerous and irresponsible that is), then indeed they shouldn’t use Russian security software on government computers. Isn’t that the NSA’s job? What are they good for, besides spying on Americans?
Good post but one question…
how does advertising differ from corporate propaganda?
The NSA isn’t interested in defense, just offense. Every time one of their systems is compromised, their funding increases to counteract the perceived threat. NSA breaches of security may be regrettable, but they are also extremely lucrative. Implementing “woefully poor security practices” is hard work. The NSA may make it look easy, but it is the result of years of practice.
To take a stab at answering my own question: corporate propaganda is how companies protect capitalism. Corporate advertising is how companies maximize profits by increasing sales. Despite what people think, companies prioritize the former. Evolution favors the instinct for self preservation over the instinct to feed (an animal will stop feeding and run if a predator appears).
Some of it gets mixed up. Like those strange ads by corporate conglomerates that sell almost nothing to the general public, like DOW Chemical, telling everyone how they make the world a better place. Or electricity utility advertisements – not like people have a choice about paying the electric bill, so why bother advertising? Probably to prevent anything like voters going for a publicly operated utility. Then there are the news stories that are really product placement advertisements, I think I saw newspapers running stories on McDonald’s new menu options, for example...
There is a third factor. Kaspersky helped identify the US/Israeli Stuxnet virus, and the countermeasures they create would help hinder further similar efforts. No doubt the Soft Warriors* hold grudges just like ordinary warriors.
Also, per Reuters, the German BSI has no evidence of Kaspersky being used for malicious purposes.
https://www.reuters.com/article/us-usa-security-kaspersky-germany/germany-no-evidence-kaspersky-software-used-by-russians-for-hacks-idUSKBN1CG284
NSA make America great again.
https://www.microsoft.com/en-us/store/b/office
I would have expected this article to appear on MSNBC Rachel Madow show. I mean NSA workers, to my knowledge predominantly white males commit “software piracy” (hear, hear – a very severe crime) and maybe even sometimes – wild speculation – watch Porn, maybe even Russian Porn – you some special counter espionage (strangely not mentioned in this article) – and therefore end up on err uh … dirty websites, some of which owned by Russian gangsters and then strange things might be found then on their computers.
Let me quote Louis de Funes:
“NO!
YES!
OHHHHHHHHHH!”
As foreigners, it is for us more interesting to see, who gets witch hunted – Kaspersky or German car manufacturers or French banks – and who does the same, but suffers almost no consequences.
As usual the hypocrisy is as big as it can ever be. Ze others have to give up all their keys and our own data has to be encrypted and “secure”. Well, fortunately, their hubris is so big, that they shoot themselves in their own foot.
Israel…(enuf said)
“The New York Times reported that Israeli hackers who breached Kaspersky’s network in 2014 found evidence that Russian government hackers”
Here, let me translate it for you:
Israeli Times reported without evidence that it was a Russian plot.
…
Also, did Israel say whether they collected US top secret documents off of Kaspersky in 2014 and didn’t tell anyone for years? But why would they bother getting them from Kaspersky when we likely just hand them over to Israel?
The odds that the FSB hasn’t recruited Kaspersky to spy on both domestic and foreign targets are about the same as the odds that the NSA hasn’t recruited Symantec/Norton, McAfee and other western-based security software makers to do the same.
Everyone’s spying on everyone and among other methods using commercially available security software to do it. Proof would be nice, but all you need to know is that because they can and would want to do this, they almost certainly are.
It’s really the only way to reliably get at data that is stored on physically hard or impossible to get to devices that are connected to the internet but isn’t transmitted over it.
The US has even passed laws making this legal and prohibiting security software makers from disclosing such capabilities.
Yes, unless you’re using non-commercial security software (or are stupid enough to not use any security software), the software you’re using to protect you from intrusion…is being used by the NSA et al to spy on you. As in literally right now.
Or, more accurately, it CAN be used to spy on you, and likely occasionally is, in routine sweeps, but for most people is likely a dormant feature. But for all we know they’re sweeping it all up and storing it in their top-secret Utah data storage and mining facility for future analysis and use.
Obviously, they’re also recording everything you do and transmit or download on the internet, but likely using different methods.
But yeah, the FSB has hacked Kaspersky. 100% probability.
Somehow I suspect that the employee was instructed to do this in order to deprecate Kapersky and Russia. Russia is a rival of the US and Kapersky interferes with the NSA’s operations. How could a professional hacker be so goddamn stupid about his area of expertise? He wasn’t, and their op succeeded.
Makes you wonder why a state intelligence agency wouldn’t just set up an anti-virus company or buy one with a cut out and just use the software to scan for intelligence purposes. I know it’s not as simple as that but it would be pure genius really if done right.
That’s why Kaspersky looks so suspicious. They have the tools and the access to 400 million computers and a lot of them in the US and included a lot of Govt computers until recently. Plus they are quite close to the FSB and GRU who have no scruples at all. Would be a goldmine for industrial espionage stealing advanced designs and R & D product.
And what about all other international companies, who sit on a large pile of sensitive data? The USA are usually among the first, who do not want any consumer protection laws or any other regulation. Only the military-industrial complex and the personnel of the empire – they have to be safe of course. Which then fails of course, because if you produce unsafe software, you end up in an unsafe system. Surprise, surprise!
The first time I ever heard that an AV company was compromised, was btw. Symantec. My friend came to me with a cracked version of it. Do you see the irony? That was in the mid-’90s. One day I tried to uninstall Norton and crashed Windows, also one of these experiences millions of users had. And I heard rumours about backdoors in Norton and MS products. Then I thought: OK if they spy, maybe get Kaspersky, it is then at least Russians and they have by far not as much power as US companies and US intelligence. Long before this recent scandal I knew, this was also wrong. There is a reason why some people call all these AV companies snake oil sellers.
Btw. if you in danger to get busted as snake oil seller, maybe you can keep the cover, if you present yourself as patridiot. Hide your fail behind a flag made in China.
And Snowden, who we’re told revealed all the secrets of the NSA to us, never said boo about any of this, or anti-virus software of any kind. What does that tell you about what we were told?
That possibly the NSA’s subcontractors weren’t given access to TAO. It is unclear why the NSA adopted what appears to be a sound security practice.
None of this rules out the main theory in NYT that Russians had a backdoor into K’s network, whether Eugene was colluding or unaware.
The NSA should buy software for its employees. It’s false economy to say, “You guys are hackers; if you want Windows on your computer, go out and pirate it”.
So they actually owe a debt of gratitude to Kaspersky for pointing out this flaw in their security practices. Sometimes your internal checks and controls overlook what, in retrospect, are obvious security weaknesses. I’m not saying the NSA should have foreseen this happening. But there definitely appears to be an opportunity to tighten their security protocols.
Unfortunately they’ll probably learn the wrong lessons from this event. They’ll ask Congress to ban anti-virus software or ban Russia.
The key question remains – who pwned the NSA employee’s computer in the first place with the backdoored version of Windows?
NSA infecting itself but blaming Russia….where have I heard that before.
I don’t know. Where?
No one reported the NSA infected itself.