
WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data


The CIA wrote code to impersonate Kaspersky Lab in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by Wikileaks on Thursday.

Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA. Wikileaks said:

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Eugene Kaspersky, chief exec of Kaspersky Lab, sought to reassure customers. "We've investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected," he said.

Hackers are increasingly abusing digital certs to smuggle malware past security scanners. Malware-slinging miscreants may not even need to control a code-signing certificate. Security researchers from the University of Maryland found that simply copying an Authenticode signature from a legitimate file onto a known malware sample – which produces a signature that does not verify – can still cause some antivirus products to miss it, apparently because they check for the presence of a signature rather than its validity.


Independent experts reckon the CIA used Kaspersky because it's a widely known vendor.

Martijn Grooten, security researcher and editor of industry journal Virus Bulletin, said: "The CIA needed a client certificate to authenticate its C&C comms, couldn't link it to CIA and used 'Kaspersky', probably just because they needed a widely used name. No CA hacking or crypto breaking involved. Clever stuff, but not shocking. Not targeted against Kaspersky."
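The trick both the Wikileaks text and Grooten describe is cheap precisely because nothing cryptographic is broken: the forged certificate merely carries Thawte's name in its issuer field, while the signature on it comes from a key the forger generated. The following script is an added illustration, not code from the leaked Hive source or from The Register. It builds a local stand-in for the genuine Thawte root (the real one's private key never leaves Thawte), an impostor CA with an identical subject name, and a "Kaspersky Laboratory" client certificate issued by the impostor; the distinguished names and the Kaspersky CN are assumptions chosen to mirror the leak's description. A name-only check is fooled; `openssl verify` against the real anchor is not.

```shell
#!/bin/sh
# Added example (not from the Hive leak or The Register): a forged issuer
# name fools a name check but not signature verification, because the
# impostor never held the genuine CA's private key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Assumed DNs, modelled on the leak's description; the Kaspersky CN is hypothetical.
THAWTE_DN="/C=ZA/L=Cape Town/O=Thawte Consulting cc/CN=Thawte Premium Server CA"
LEAF_DN="/C=RU/L=Moscow/O=Kaspersky Laboratory/CN=update.kaspersky-laboratory.example"

# Stand-in for the genuine Thawte root. In reality its key stays with Thawte.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "$THAWTE_DN" -keyout real_ca.key -out real_ca.crt 2>/dev/null

# Impostor CA: the same subject DN, but a key the forger generated locally.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "$THAWTE_DN" -keyout fake_ca.key -out fake_ca.crt 2>/dev/null

# Forged client certificate "for" Kaspersky, signed by the impostor CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$LEAF_DN" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA fake_ca.crt -CAkey fake_ca.key \
    -CAcreateserial -days 1 -sha256 -out leaf.crt 2>/dev/null

# What a passive network observer, or a name-only check, sees: Thawte's name.
forged_issuer() {
    openssl x509 -in "$WORK/leaf.crt" -noout -issuer
}

# Does the forged certificate actually chain to the given trust anchor?
chains_to() {
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Returns 0 only if the forged cert verifies against the impostor's own CA
# and is rejected by the stand-in for the genuine CA of the same name.
name_is_not_trust() {
    chains_to fake_ca.crt || return 1
    if chains_to real_ca.crt; then return 1; fi
    return 0
}

forged_issuer
if name_is_not_trust; then
    echo "issuer name says Thawte, but the chain only verifies against the forger's key"
fi
```

The defender's lesson is the mirror image of the attacker's: attribution from a certificate's subject or issuer strings is worthless on its own. Before blaming (or whitelisting) the named vendor, verify the chain against a trust store you control, and compare the leaf and issuer fingerprints with the vendor's published ones.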

Revelations about the abuse of digital certificates by the US spy agency came as Wikileaks released CIA source code and logs for a malware control system called Hive, as previously reported.

Security expert Professor Alan Woodward criticised the release with a reference to the Equation Group (NSA hacking unit)/Shadow Brokers leak. "Wikileaks is now releasing source for exploits in Vault 7. Do they remember what happened last time such exploit code was leaked? Standby for another WannaCry." ®
