Kaspersky Lab, the US government's least favorite computer security outfit, has published its full technical report into claims Russian intelligence used its antivirus tools to steal NSA secrets.
Last month, anonymous sources alleged that in 2015, an NSA engineer took home a big bunch of the agency's cyber-weapons to work on them on his home Windows PC, which was running the Russian biz's antimalware software – kind of a compliment when you think about it. The classified exploit code and associated documents on the personal system were then slurped by Kremlin spies via his copy of Kaspersky antivirus, it was claimed.
Kaspersky denied any direct involvement. It was unfortunate timing considering US officials had banned the Russian software from all federal government systems the month before. The biz offered to hand over its source code to investigators, to prove it wasn't up to anything dodgy, and began a full internal inquiry.
The report, published on Thursday, said it has no record of the described snafu in 2015, but the case looked like a situation that kicked off the year before. A user with a Verizon FiOS IP address in the Baltimore area, near the NSA headquarters, fired up the Kaspersky software, and it found on the PC powerful cyber-attack code that appeared to be part of a collection codenamed the Equation Group files. We know that now these files belonged to the NSA, but at the time, Kaspersky was still figuring out where they came from.
Kaspersky had been researching the Equation Group's spyware tools for months after it encountered the data elsewhere. The files showed all the hallmarks of being a highly sophisticated state-sponsored creation – such as the NSA's handiwork. Assigning names like Equation, Grayfish, Fanny, DoubleFantasy and Equestre to the tools it found in the surveillance set, Kaspersky updated its antivirus signatures in June 2014 to look for instances on its customers' computers. That would mean people running Kaspersky's tools would be protected from the mysterious malware.
Signatures aren't an exact science, and these digital fingerprints for the Equation Group files triggered hundreds and thousands of detections, most of which turned out to be false positives. But towards the end of the year, the software appeared to hit pay dirt, Kaspersky said, and it found 17 instances of Equestre, two more for Greyfish and a 7zip archive that also appeared to be holding the spyware code – all on a single computer. The NSA engineer's home computer.
"An archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on," the report stated. "After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development."
Over a three month period, Kaspersky found 37 unique Equation Group files on the computer, with indications this machine belonged to a developer of the sophisticated malware. The security shop said it was withholding further details on this until it receives permission from the user to do so – so don't hold your breath.
Poor opsec and a third-act twist
It appeared that many of these files were contained on removable drives. Kaspersky said it assumes the mix up on dates came from a misinformed reporter.
The archive was sent back to Kaspersky's servers for further analysis by a lab staffer. It contained a collection of executable modules, four Word documents marked as classified, and other files related to the Equation Group project. It was shown to the CEO Eugene Kaspersky, who ordered it deleted immediately – a claim some in the infosec community are skeptical about.
An examination of the computer the files came from showed an interesting snippet – it was already infected with malware. In October of that year the user downloaded a pirated copy of the Microsoft Office 2013 .ISO containing the Mokes backdoor, and that the Office software had been activated using a pirated key generator.
Kaspersky's software blocks Mokes, and wouldn't have allowed the installation to proceed, so the biz theorized that its software was turned off so the individual could load up the dodgy copy. When the antivirus was fired up again, it detected the threat, but this wasn't too unusual – over a two month period Kaspersky's code found 128 separate malware samples on the machine that weren't related to the Equation Group.
In an interesting third-act twist, the Mokes software appears to have been run out of China. Kaspsersky found that the malware's command and control servers were apparently being masterminded by a one Zhou Lou, from Hunan, using the e-mail address "email@example.com."
"Given that system owner's potential clearance level, the user could have been a prime target of nation states," Kaspersky said. "Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands." ®