Kaspersky Investigators Reveal How NSA Hacking Tools Were Stolen

In its latest report, Kaspersky Lab revealed the findings of an internal investigation launched to dispel accusations that it has ties with Russian cyberspies and that it helped Russian spies hack into the laptop of a US National Security Agency (NSA) contractor on which Kaspersky’s antivirus was installed.

The company initiated a probe into the issue and found evidence that the contractor’s laptop was infected with malware. Kaspersky had been accused of helping Russian cyber intelligence steal information about the NSA’s hacking tools. The findings were released in a report published this Thursday.

The focus of Kaspersky’s investigation was the contractor’s computer system; investigators linked the computer with a large volume of Equation Group malware detections, which its antivirus software recorded and saved to its servers. It is worth noting that the Equation Group APT is also linked with the NSA. The in-depth probe revealed that the contractor’s laptop was infected on 4th October 2014 by an external, malicious actor. This is the same timeframe in which investigators believe the NSA’s hacking tools were stolen.

If this information is authentic, then the hacking incident probably happened between 11th September 2014 and 17th November 2014. However, the analysis does not fit with the previously acquired information that the hack occurred in 2015. It is also alleged that the computer system was already infected with a malicious downloader and the Smoke Bot (Smoke Loader) backdoor program. The backdoor was delivered to the system through a malicious MS Office ISO document. Because the contractor had temporarily disabled the antivirus program in order to install and run this malware, the hack took place easily.

Kaspersky admits collecting NSA files, claims they were later deleted from its systems

Kaspersky further noted in its report that, once re-enabled, the antivirus program successfully blocked the backdoor’s attempt to connect to a suspicious domain, but the system downloaded other questionable software that triggered 121 non-Equation-related AV alerts. The alerts were triggered between 11th Sep and 17th Nov 2017. This suggests that other malware may have been present on the computer which Kaspersky’s engines could not detect.

“Given that system owner’s potential clearance level, the user could have been a prime target of nation states. Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands,” revealed the report.

According to Kaspersky’s investigators, the Equation Group malware was detected by its antivirus program in September 2014 in a 7zip archive saved on the contractor’s computer system. This particular malware was programmed to download this archive onto Kaspersky’s servers, but according to Kaspersky’s analysis only the binaries were stored; the remaining files, including Equation Group source code and some confidential files, were collected and then deleted.

“The reason we deleted those files and will delete similar ones in the future is two-fold,” Kaspersky Lab researchers wrote in Thursday’s report. “We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”

The antivirus vendor denied that its software could be used to send data to Russian spies: because its products use a secure signature system, external parties cannot tamper with the system without being detected by third parties. The information is recorded in historical records and internal databases.

According to the investigation, between 2014 and 2016 the researchers working on Equation did not have the right to commit signatures directly without having them verified by an experienced signature developer. “If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer,” claimed Kaspersky in its report.

It is apparent that Kaspersky’s report is the company’s attempt to counter allegations that it helped Russian spies break into the contractor’s laptop. It is important for Kaspersky to provide valid arguments in its defense to safeguard its future in the US tech market.

Source: Kaspersky Labs

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is ‘Do my best, so that I can’t blame myself for anything.’