
Kaspersky May Have Found How Russian Hackers Stole NSA Data

Security firm Kaspersky Lab has shared preliminary results from its investigation following media reports that Russian hackers used its software to steal sensitive NSA data from a contractor’s computer back in 2015.

The Wall Street Journal reported earlier this month that a threat group working for the Russian government stole information on how the U.S. hacks foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.

The article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm knowing about the attack.

Kaspersky immediately launched an internal investigation into the matter and it has now shared preliminary results.

Kaspersky revealed in June 2015 that its own systems had been breached as part of an attack involving Duqu 2.0 malware, which has been linked to Israeli intelligence. The company’s latest investigation has found no evidence of additional intrusions.

As for the 2015 event reported by WSJ, the starting point of Kaspersky’s investigation is an APT-related incident that occurred in 2014. At the time, the company’s systems detected what appeared to be source code for malware used by the Equation Group, a threat actor believed to be associated with the NSA. At this point, the firm had not made its Equation Group research available to the public.

A Kaspersky home product had detected what appeared to be new Equation Group malware samples on a device in the United States. The antivirus had been configured to automatically send new malware samples back to the company for analysis.

The user in question later intentionally downloaded malware-laden pirated software, specifically a Microsoft Office key generator, and temporarily disabled the Kaspersky product on the machine, as it would have prevented the installation of the tool. The malware, detected as Backdoor.Win32.Mokes.hvl, remained on the device for an unspecified period and opened a backdoor on the system, giving hackers easy access to the computer.

When the antivirus was re-enabled, it detected both Backdoor.Win32.Mokes.hvl and other pieces of malware linked to the Equation Group. One of the files, a 7zip archive, was automatically sent to Kaspersky Lab for analysis, but the company’s CEO, Eugene Kaspersky, ordered the removal of the files from all systems after determining that it was Equation malware source code. The files were not shared with third parties before being deleted, Kaspersky said.

According to the company, no other malware was detected by its products on that device in 2015. After the activities of the Equation Group were made public by the company in February 2015, Equation Group malware was detected on several other IPs in the same range as the initial infection, but the devices appeared to be configured as honeypots and Kaspersky said it did not process the detections in any special way.

The company said it has not detected any other related incident since. It also claimed that an analysis of its software confirmed that it had not created any detection rules for non-malicious documents containing keywords such as “classified” or “top secret”. This is meant to reinforce its initial statement that it does not intentionally spy for the Russian government.

Kaspersky also pointed out that it routinely informs the U.S. government about active APT attacks detected in the country.

“We believe the above is an accurate analysis of this incident from 2014. The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” Kaspersky said.

Several recent media reports focused on Kaspersky’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of the company’s products. Last month, the Department of Homeland Security (DHS) ordered all government agencies to identify and remove the firm’s security products.

In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.