A National Security Agency worker who reportedly sneaked classified materials out of the agency stored them on a home computer that was later infected by a malicious backdoor that allowed third parties to remotely access the machine, officials with Moscow-based antivirus provider Kaspersky Lab said.
The NSA worker—described in some published reports as a contractor and in others as an employee—installed the backdoor after Kaspersky AV had first detected never-before-seen NSA malware samples on his computer. The backdoor was part of a pirated software package that the worker downloaded and installed. To run the pirated software, he first had to disable the AV program on his computer. After being infected, the worker re-enabled the AV program and scanned his computer multiple times, resulting in Kaspersky developing detections for new and unknown variants of the NSA malware.
The NSA worker’s computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.
The details are contained in a two-page summary of investigation results that Kaspersky published early Wednesday morning. Kaspersky said only that the results relate to “alleged 2015 incidents described in the media.” The incidents are almost certainly the ones reported earlier this month by The Wall Street Journal, The New York Times, and The Washington Post. The papers said hackers working for the Russian government used Kaspersky AV to obtain classified NSA materials from a worker’s home computer.
Some of the coverage seemed to leave open the possibility that the help from Kaspersky may have been inadvertent. One way this could have been the case: the AV program already installed on the worker’s Internet-connected computer simply detected a new sample of malware belonging to an already-known hacking group. By 2015, Kaspersky researchers already had a detailed profile of Equation Group, the name they gave to an elite hacking outfit with ties to the NSA that had infected more than 500 computers in 42 countries and remained undetected for at least 14 years.
One story published in the WSJ, however, reported that the assistance came in the form of modifications to Kaspersky AV that could only have been made with the likely knowledge of at least one Kaspersky Lab official. Kaspersky Lab officials have vigorously denied knowingly providing any such help. Wednesday’s preliminary findings appear to be aimed at providing a factual basis for the denials.
Fighting for its survival
Wednesday’s report seems to provide at least two plausible scenarios that would largely absolve Kaspersky of knowingly helping Russian government hackers steal the classified NSA materials from the worker’s computer. The first involves the Russian hackers somehow using the backdoor installed on the worker’s computer to access materials improperly stored there. In the second scenario, the hackers somehow obtained the code in the normal course of it passing from the worker’s computer to Kaspersky servers.
Kaspersky said the previously unseen Equation Group malware was compressed into a 7zip archive. Kaspersky AV detected it as malicious and, consistent with the settings on the NSA worker’s computer, submitted it to Kaspersky Lab servers for further processing by a live person. The analysis found it contained multiple malware samples and source code for what appeared to be Equation Group malware.
“After discovering the suspected Equation [Group] malware source code, the analyst reported the incident to the CEO,” Wednesday’s preliminary results reported. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
After Kaspersky Lab published its report on Equation Group in February 2015, several other AV users with KSN enabled used IP addresses in the same range as the earlier detection. “These seem to have been configured as ‘honeypots,’ each computer being loaded with various Equation [Group]-related samples,” Wednesday’s results state. “No unusual (non-executable) samples have been detected and submitted from these ‘honeypots’ and detections have not been processed in any special way.”
The investigation has found no other related detections in 2015, 2016, and 2017. It also uncovered no other intrusions of Kaspersky Lab’s network other than the 2014 infection dubbed “Duqu 2.0” that Kaspersky revealed in 2015. Challenging a claim in one of this month’s WSJ reports, the investigation also found no evidence Kaspersky has ever created a detection in its products for keywords including “top secret” and “classified.” Kaspersky Lab officials have promised to turn over the evidence in its investigation for verification by a trusted third party.
Wednesday’s account underscores just how serious a predicament Kaspersky Lab finds itself in. The US Department of Homeland Security recently took the unprecedented step of banning all federal government agencies and departments from using any Kaspersky goods or services. The allegations that came to light earlier this month have the potential to cause most if not all US allies around the world to take similar actions. It’s not at all clear how convincing Wednesday’s results will be, but at this point, the AV provider has little to lose in pressing its case.