Documents
Kaspersky Lab: Preliminary results of the internal investigation into alleged incident reported by U.S. media ?
Oct. 25 2017 — 4:05 a.m.

Embargoed Kaspersky Lab statement
EMBARGOED UNTIL WEDNESDAY, OCTOBER 25, 2017 AT 4:00 AM ET
Preliminary results of the internal investigation
into alleged incident reported by U.S. media
In October 2017, Kaspersky Lab initiated a thorough review of our telemetry logs in relation to
alleged 2015 incidents described in the media. We were aware only of one single incident that
happened in 2014 during an APT investigation when our detection subsystems caught what
appeared to be Equation malware source code files and decided to check if there were any similar
incidents. Additionally, we decided to investigate if there were any third party intrusions in our
systems besides Duqu 2.0 at the time of this alleged 2015 incident.
We have performed a deep investigation associated with the case from 2014 and preliminary
results of this investigation revealed the following:
●
●
●
●
●
●
●
●
●
●
During the investigation of the Equation APT (Advanced Persistent Threat), we have
observed infections from all around the world, in more than 40 countries.
Some of these infections have been observed in the USA.
As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government
institutions about active APT infections in the USA.
One of the infections in the USA consisted in what appeared to be new, unknown and
debug variants of malware used by the Equation group.
The incident where the new Equation samples were detected used our line of products for
home users, with KSN enabled and automatic sample submission of new and unknown
malware turned on.
Following these detections, the user appears to have downloaded and installed pirated
software on his machines, as indicated by an illegal Microsoft Office activation key
generator (aka “keygen”) (md5: a82c0575f214bdc7c8ef5a06116cd2a4 - for detection
coverage, see this VirusTotal link) which turned out to be infected with malware. Kaspersky
Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.
To install and run this keygen, the user appears to have disabled the Kaspersky products
on his machine. Our telemetry does not allow us to say when the antivirus was disabled,
however, the fact that the keygen malware was later detected as running in the system
suggests the antivirus had been disabled or was not running when the keygen was run.
Executing the keygen would not have been possible with the antivirus enabled.
The user was infected with this malware for an unspecified period, while the product was
inactive. The malware dropped from the trojanized keygen was a full blown backdoor which
may have allowed third parties access to the user’s machine.
At a later time, the user re-enabled the antivirus and the product properly detected (verdict:
“Backdoor.Win32.Mokes.hvl”) and blocked this malware from running further.
After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the
computer multiple times, which resulted in detections of new and unknown variants of
Equation APT malware.

Embargoed Kaspersky Lab statement
●
●
●
●
●
●
●
●
One of the files detected by the product as new variants of
Equation APT malware was a 7zip archive.
The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis,
where it was processed by one of the analysts. Upon processing, the archive was found to
contain multiple malware samples and source code for what appeared to be Equation
malware.
After discovering the suspected Equation malware source code, the analyst reported the
incident to the CEO. Following a request from the CEO, the archive was deleted from all
our systems. The archive was not shared with any third parties.
No further detections have been received from this user in 2015.
Following our Equation announcement from Feb 2015, several other users with KSN
enabled have appeared in the same IP range as the original detection. These seem to have
been configured as “honeypots”, each computer being loaded with various Equation-related
samples. No unusual (non-executable) samples have been detected and submitted from
these “honeypots” and detections have not been processed in any special way.
The investigation has not revealed any other related incidents in 2015, 2016 or 2017.
No other third party intrusion, besides Duqu 2.0, were detected in Kaspersky Lab’s
networks.
The investigation confirmed that Kaspersky Lab has never created any detection in its
products based on keywords like “top secret” and “classified”.
We believe the above is an accurate analysis of this incident from 2014. The investigation is still
ongoing, and the company will provide additional technical information as it becomes available. We
are planning to share full information about this incident, including all technical details with a
trusted third party as part of our Global Transparency Initiative for cross-verification.