Russian cyber-security vendor Kaspersky Lab published today a report detailing its side of events on the whole Kaspersky-stole-US-government-files-for-Russia saga.
While US authorities had quietly investigated Kaspersky on suspected ties to the Russian government, nothing was known for the first few months of the year.
Only this fall, after reports from the Wall Street Journal and the New York Times, did the public find out that the US government suspected that Russian FSB agents or other Kaspersky insiders had used the Kaspersky antivirus as an interactive search engine to scan computers all over the world.
The two media outlets implied that this is how classified US government files, taken home without permission by an NSA employee, ended up in the hands of the Russian government in a data leak unknown until that point.
Kaspersky says data collection was automatic, as designed
Kaspersky denied any wrongdoing all summer and especially after the recent media coverage, promising to start an investigation into what happened.
The preliminary findings of that investigation were published today. In the report, Kaspersky admits that it did indeed collect secret NSA documents, but says the collection was never intentional, as US media had implied.
The company said the collection process was automatic: the documents were hacking tools detected under signatures tied to malware that the company believed belonged to a cyber-espionage group it was investigating at the time.
This incident took place in 2014, and Kaspersky published a report on this group in 2015. The group's name and the report are now infamous (the Equation Group), and most security experts generally acknowledge that the group is the NSA's cyber-operations division.
CEO ordered the collected files to be destroyed
While Kaspersky does not go as far as to make assumptions about who owned the computer from which the Equation Group malware detections came, the company says that this user ran its antivirus designed for home users and had enabled "automatic sample submission of new and unknown malware."
Kaspersky says the files collected from that user "appeared to be new, unknown and debug variants of malware used by the Equation group."
Because it was new malware, an analyst took a look at the collected data to verify and classify the new detection. The company says this employee reported the files to the company's CEO, Eugene Kaspersky, after realizing that he might have discovered the source code of NSA tools.
In a surprising turn of events, Eugene Kaspersky ordered the files to be deleted. The company did not provide a reason why its CEO took this decision, but specified that it did not share the files with any third party.
Alleged NSA leaker was also infected with another backdoor
The findings of this report come to confirm unofficial theories that circulated in the infosec community regarding what really happened.
Most experts suspected that the Kaspersky antivirus did nothing more than do its job after a careless NSA employee smuggled hacking tools out of NSA's network and took them home, for unknown reasons.
Furthermore, Kaspersky complicated things even more today when it said it had also taken a look at telemetry data from the computer of the supposed NSA employee.
The Russian antivirus maker said the same user who was apparently harboring NSA hacking tools on his home PC was also infected with other malware shortly after.
Kaspersky claims the user downloaded a keygen in order to install a pirated version of Microsoft Office. As is usually the case with keygens for pirated software, this file was laced with malware, in this case the Win32.Mokes.hvl backdoor trojan.
What Kaspersky is trying to say by mentioning this detail in its report is that some random cybercrook also had access to the same computer that hosted NSA hacking tools.
Kaspersky detected NSA honeypots, behaved normally
The Mokes infection did not go unnoticed, and after realizing something was wrong, the same user scanned his computer multiple times with the Kaspersky antivirus. The AV reported back to the user not only the Mokes infection but also detections for the Equation Group malware.
At one point or another, the NSA employee appears to have reported the incident to his supervisors, or the NSA realized it had another leak, because after Kaspersky published the Equation Group report in February 2015, the company detected computers configured as "honeypots," harboring the same malware and in the same IP range as the initial detection.
This part of the report corroborates the WSJ report that said the US government had set up test computers in controlled experiments. Kaspersky said its product behaved as designed and only collected malicious executables, and not top secret or classified data as anonymous sources told the WSJ and NYT.
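As an added illustration (not code from Kaspersky's report or from this article), the following constructed model shows the kind of gate an "automatic sample submission" feature applies, as the story describes it: a file is uploaded only if the scanner flagged it, it is an executable rather than a document, and its hash is not already known to the vendor. All function names, detection names and sample files are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed policy for an endpoint's automatic sample submission feature.
# Upload a file to the vendor only when (1) the scanner flagged it, (2) it is an
# executable (PE header), (3) its hash is not already known, (4) it is not too large.
# Hypothetical names and thresholds; not any vendor's actual logic.
PE_MAGIC = b"MZ"
MAX_SAMPLE_BYTES = 10 * 1024 * 1024


@dataclass
class Detection:
    path: str
    verdict: str      # detection name from the scanner; "" means clean
    content: bytes


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def submission_decision(det, known_hashes):
    """Return (submit?, reason). Only flagged, unknown executables are eligible."""
    if not det.verdict:
        return False, "clean"
    if not det.content.startswith(PE_MAGIC):
        return False, "not-executable"   # documents, archives, text are never uploaded
    if len(det.content) > MAX_SAMPLE_BYTES:
        return False, "too-large"
    if sha256(det.content) in known_hashes:
        return False, "already-known"    # only new variants are worth an analyst's time
    return True, "new-unknown-executable"


def select_samples(detections, known_hashes):
    """Return the paths that would be uploaded, plus a per-file audit log."""
    audit = {d.path: submission_decision(d, known_hashes) for d in detections}
    return [p for p, (ok, _) in audit.items() if ok], audit


# Constructed sample telemetry for a demonstration run (not real files).
KNOWN_TOOL = b"MZ" + b"\x00" * 64 + b"known-variant"
NEW_TOOL = b"MZ" + b"\x00" * 64 + b"debug-build-variant"
SAMPLE_DETECTIONS = [
    Detection("C:/tools/a.exe", "constructed-detection-1", KNOWN_TOOL),
    Detection("C:/tools/b.exe", "constructed-detection-1", NEW_TOOL),
    Detection("C:/docs/notes.docx", "constructed-detection-1", b"PK\x03\x04 office doc"),
    Detection("C:/Windows/calc.exe", "", b"MZ clean"),
]
KNOWN_HASHES = {sha256(KNOWN_TOOL)}

if __name__ == "__main__":
    uploads, log = select_samples(SAMPLE_DETECTIONS, KNOWN_HASHES)
    print(uploads)  # ['C:/tools/b.exe']
```

Only the new, flagged executable is selected; the flagged document and the already-known variant are logged but never leave the machine.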
It's now the US government's turn to come clean
All in all, the Kaspersky report provides the technical details that were lacking in the original reporting, painting a more believable storyline for the events that led to US officials banning Kaspersky on US government computers.
What is now left is for the US government to do the same and release a similar technical report. All the reporting we have on the Kaspersky allegations until now comes only from anonymous sources talking to US media, with no official announcement from US authorities.
Of course, Kaspersky is not necessarily innocent just because it offered more details, as other details also need to be clarified, like a sales pitch it made to the US government in which it claimed it could use its AV product as a tool to help with the capture of terrorist suspects.
Also this week, Kaspersky announced a new transparency initiative that would allow approved auditors to review its products' source code for any hidden backdoors or suspicious behavior.
Comments
JohnC_21 - 6 years ago
In other words, Kaspersky did exactly what it was supposed to do.
Joe C - 6 years ago
This is a long read but informative;
https://freedomhouse.org/report/freedom-net/2016/russia
Basically I think it states it does not matter what Kaspersky does, the Russian govt has control over their network and can decrypt anything they want at any time. If Kaspersky "accidentally" got this data, the Russian govt also had a chance to look at it too. If Kaspersky wants trust, it'll have to move off of Russian soil to do so.
Placing the blame on someone else is a useless ploy to detract from the facts.
NickAu - 6 years ago
So, an NSA worker sneaks classified malware onto his home PC, scans it with a commercial antivirus while leaving the feature that uploads suspected malware to the antivirus company's servers enabled, and it's all Kaspersky's fault?
"If Kaspersky wants trust, it'll have to move off of Russian soil to do so."
Same can be said for US based software companies. If they want trust they have to move off US soil.
Sajo8 - 6 years ago
Lol, if that hacker can breach the NSA I think he'd be able to download a proper Office 16 loader.
Joe C - 6 years ago
@NickAu
Kaspersky isn't quite that guilty, but rather the Russian govt that has legal access to Kaspersky's servers. Nobody realized this until Kaspersky got hacked by some Israeli crackers. Did or was Kaspersky aware that the Russian govt had/has access to their servers? Cannot say.
And yes... I agree that the NSA isn't any better when it comes to privacy, but will the NSA arrest you, beat you up or make you disappear if you bad mouth the U.S. govt?
Steve Holle - 6 years ago
Typical deflection by NSA. The question isn't how or who got the information AFTER it walked out the door at NSA. Isn't their middle name supposed to be "Security?"
Occasional - 6 years ago
Agreed: It's a little like Marshal Whitehat leaving his six-shooter on the front porch of the jail. Whoever swipes it to murder someone is 100% guilty of the crime; but the Marshal has to be held to account, too.
As a guess, I'd say the sheer size of the agency, which is a consequence of the scale of, and the dynamic state of technologies to conceal messages in, worldwide communications, has pushed them to skimp on vetting (their own employees, and especially outside contractors).
It might have helped to put an air-gap between those (relatively few), that develop sophisticated penetration and exploitation tools, and those (the many), required to do most of the donkey-work. The few would be extremely well vetted; the rest of the individuals would each have access only to a small subset of sensitive material (putting a limit on damage from a leak).
NickAu - 6 years ago
@ Joe C
And the US Govt hasn't got the same access to Microsoft?
" but will the NSA arrest you, beat you up or make you disappear if you bad mouth the U.S. govt?"
With GroppenFuhrer Trump in the oval office anything is possible.
xrobwx - 6 years ago
With GroppenFuhrer Trump in the oval office anything is possible. Proof? Anything to back up this opinion? Anything that is credible?
herbman - 6 years ago
Of course he has no proof. Dems are the ones that should never be trusted; they are behind all the Russia nonsense, specifically Clinton, Podesta and Robbie Mook, who are the 3 responsible for pushing the Russia lie.
Occasional - 6 years ago
Happened across another article from the same time, on this topic:
https://www.darkreading.com/analytics/121-pieces-of-malware-flagged-on-nsa-employees-home-computer/d/d-id/1330450
It reiterates much of what CC wrote, with some more details.
Sometimes it seems a key factor gets overlooked, because it's so obvious: Internet/cloud/Software as a Service/telemetry, and that we are all breathing the same Internet air.
For all the advantages this new paradigm brings, also come intractable complications. When a person owned a PC, it sat in their house, and any software they loaded they had to physically bring into their house to do it. Once installed, if they wanted an update, they got another piece of media to bring into their house, and load on their PC.
Times have changed; yet our way of talking about the subject hasn't. We still talk about his or her computer (as if it were sovereign territory), loading a "piece" of software (as if it were a hermetically sealed black box object), "sending Jane or John Doe" an email or text (rather than your device tossing message packets into the Internet mix-master, trusting that it (rather than one of how many copies) will reach the person's device), trusting that the "From" name in an email/text is the person we associate with the name, "visiting a website" (as if we always knew where the WWW bus was taking us), and on and on.
Yes, even we visitors of Bleeping Computer still use these outdated expressions; and that's OK, as long as we keep in mind that they don't mean what they used to, and our assessments and arguments have to be based on the new realities. Maybe it's a pain to have to be so careful in choosing our words; but that's where we are.
campuscodi - 6 years ago
That article is based on a Kaspersky update released 3 months after my initial story. Didn't bring any new details to the original reporting except that it listed the actual malware the guy was infected with, all of which was mundane.