Analysis The NSA staffer who took home top-secret US government spyware installed a backdoored key generator for a pirated copy of Microsoft Office on his PC – exposing the confidential cyber-weapons on the computer to hackers.
That's according to Kaspersky Lab, which today published a report detailing, in its view, how miscreants could have easily stolen powerful and highly confidential software exploits from the NSA employee's bedroom Windows PC.
Earlier this month, it was alleged Russian intelligence services were able to search computers running Moscow-based Kaspersky's antivirus tools, allowing the snoops to seek out foreign intelligence workers and steal secrets from their hard drives.
The NSA employee's home PC was one of those tens of millions of machines running Kaspersky antivirus. Kaspersky was, therefore, accused of detecting the American cyber-weapons on the PC via its tools, tipping off Kremlin spies, and effectively helping them hack the machine to siphon off the valuable vulnerability exploits.
Well, not quite, says Kaspersky.
According to the Russian security giant, the staffer temporary switched off the antivirus protection on the PC, and infected his personal computer with malware from a product key generator while trying to use a bootleg copy of Office.
Later, once reactivated, Kaspersky's software searched the machine as usual, removed the trojanized key-gen tool, found the secret NSA code during the scan, and uploaded it to Kaspersky's cloud for further study by staff. Kaspersky's technology is always on the lookout for the NSA's secretive surveillance tools in the wild – such as the hard drive firmware spyware it revealed in 2015 – so it's no surprise the archive of source code and other files was detected and copied for analysis.
Users can configure Kaspersky's software to not send suspicious samples back to Mother Russia for scrutiny, however, in this case, the NSA staffer didn't take that option, allowing the highly sensitive files to escape.
Once in the hands of a reverse-engineer, it became clear this was leaked NSA software. The CEO Eugene Kaspersky was alerted, copies of the data were deleted, and "the archive was not shared with any third parties," we're told.
Kaspersky's argument is that anyone could have abused the backdoored key generator to remotely log into the machine and steal the secrets the NSA employee foolishly took home, rather than state spies abusing its antivirus to snoop on people.
Kaspersky does share intelligence of upcoming cyber-security threats, such as new strains of spyware and other software nasties, with its big customers and governments. However, in this case, it is claimed, the American tools went no further, the argument being that if the Russians got hold of the leaked exploits, it wasn't via Kaspersky Lab.
That the biz deleted the archive almost immediately raised eyebrows in the infosec world.
I might dream about telling everyone that I deleted it.— Mikko Hypponen (@mikko) October 25, 2017
Here's a summary of what Kaspersky said happened:
On September 11, 2014, Kaspersky's software detected the Win32.GrayFish.gen trojan on the NSA staffer's PC. Some time after that, the employee disabled the antivirus to run an activation-key generator designed to unlock pirated copies of Microsoft Office 2013. The malicious executable was downloaded along with an ISO file of Office 2013.
As is so often the case with rogue key-gens, the software came with malware included, which was why the employee had to disable his AV. Fast forward to October 4, and Kaspersky's software was allowed to run again, and the fake key-gen tool's bundled malware, Win32.Mokes.hvl, which has been on the security shop's naughty list since 2013, was clocked by the defense software.
"To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine," Kaspersky Lab said in its report.
"Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the antivirus enabled."
The user was warned his computer was infected, so he told the toolkit to scan and remove all threats. The antivirus duly deleted the Mokes malware, but also found several new types of NSA code – which appeared to be similar to the agency's Equation Group weapons that Kaspersky was already familiar with – which were pinged back to Russian servers for analysis.
According to the security firm's account, one of its researchers recognized that they had received some highly advanced malware, and reported the discovery to Kaspersky's CEO Eugene:
One of the files detected by the product as new variants of Equation APT malware was a 7zip archive.
The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.
After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.
Kapsersky said it never received any more malware samples from that particularly user, and went public with its Equation Group findings in February 2015. It says that after that disclosure, it began to find more Equation Group malware samples in the same IP range as the original discovery – honeypots to snare whoever may have stolen copies of the cyber-weapons, presumably.
"These seem to have been configured as 'honeypots', each computer being loaded with various Equation-related samples," Kaspersky Lab said. "No unusual (non-executable) samples have been detected and submitted from these 'honeypots' and detections have not been processed in any special way."
As for claims Russian spy agency the FSB romped through Kaspersky's backend systems to infiltrate computers using the company's antivirus, not so, said the software maker. Its investigation found that, apart from a Duqu malware infection in spring 2015 that waylaid its servers, the firm has suffered no intrusions by third parties.
That seems surprising. Security vendors are at the top of hackers' list of targets to subvert, The Register was told by Michael Viscuso, CTO of security shop Carbon Black and a former member of the NSA's elite hacking crew, the Tailored Access Operations team. Compromising anti-malware tools gives tremendous low-level access to a target's computer, so you'd expect Kaspersky to come under repeated attack, some of them being successful. On the other hand, the lab may not know it was infiltrated.
US Congress to the rescue a la Keystone Kops
Kaspersky's report was published online shortly before the US House of Representatives Committee on Science, Space and Technology held hearings to assess the risks – if any – posed by Kaspersky software.
The hearings followed the US federal government banning Kaspersky software on its computers, a decision that led to Best Buy pulling the code from its shelves and offering customers free removal of the code. As you'd expect with Congress and technical stuff, the hearing didn't go well.
Oversight subcommittee chairman Darin LaHood (R-IL) set the tone by repeatedly referred to the firm as "Kapersky Lab," showing the in-depth knowledge and high-end security chops we've come to expect from our elected leaders.
One of the witnesses, Sean Kanuck, director of future conflict and cyber security at the International Institute for Strategic Studies, said that two foreign powers had penetrated Kaspersky servers. Presumably one was the Israelis, who reportedly hacked Kaspersky Lab and spotted Russian spies using its product as a global search engine of computers, but the other was unnamed – presumably either the FSB or possibly America's own NSA.
Asked if other security vendors were equally at risk from hacking, Kanuck declined to answer, saying that these hearings were about Kaspersky, not other vendors. Another fact – that yet another NSA staffer took top-secret work home and lost it, which is a criminal felony – was outside of the committee's remit, according to Representative Barry Loudermilk (R-GA).
Overall, the hearing was a bit of a dead loss. David Shive, CIO of the US General Services Administration, confirmed that Kaspersky software was off its PCs but also added that it hadn't seen any evidence of nefarious use, and was just acting on what Homeland Security had told him.
So there we have it: the he-said, she-said war of words goes on. Kaspersky has put its evidence on the table, and it's up to the US government to see if it'll do likewise to justify stripping the otherwise decent antivirus from its computer systems. ®