
Kaspersky May Have Found How Russian Hackers Stole NSA Data

Security firm Kaspersky Lab has shared preliminary results from its investigation following media reports that Russian hackers used its software to steal sensitive NSA data from a contractor’s computer back in 2015.

The Wall Street Journal reported earlier this month that a threat group working for the Russian government stole information on how the U.S. hacks foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.

The article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm knowing about the attack.

Kaspersky immediately launched an internal investigation into the matter and it has now shared preliminary results.

Kaspersky revealed in June 2015 that its own systems had been breached as part of an attack involving Duqu 2.0 malware, which has been linked to Israeli intelligence. The company’s latest investigation has found no evidence of additional intrusions.

As for the 2015 event reported by WSJ, the starting point of Kaspersky’s investigation is an APT-related incident that occurred in 2014. At the time, the company’s systems detected what appeared to be source code for malware used by the Equation Group, a threat actor believed to be associated with the NSA. At this point, the firm had not made its Equation Group research available to the public.

A Kaspersky home product had detected what appeared to be new Equation Group malware samples on a device in the United States. The antivirus had been configured to automatically send new malware samples back to the company for analysis.

The user in question later intentionally downloaded malware-laden pirated software, specifically a Microsoft Office key generator, and temporarily disabled the Kaspersky product on the machine because it would have blocked the installation of the tool. The malware, detected as Backdoor.Win32.Mokes.hvl, remained on the device for an unspecified period and opened a backdoor on the system, giving hackers easy access to the computer.

When the antivirus was re-enabled, it detected both Backdoor.Win32.Mokes.hvl and other pieces of malware linked to the Equation Group. One of the files, a 7zip archive, was automatically sent to Kaspersky Lab for analysis, but the company’s CEO, Eugene Kaspersky, ordered the removal of the files from all systems after determining that it was Equation malware source code. The files were not shared with third parties before being deleted, Kaspersky said.

According to the company, no other malware was detected by its products on that device in 2015. After the activities of the Equation Group were made public by the company in February 2015, Equation Group malware was detected on several other IPs in the same range as the initial infection, but the devices appeared to be configured as honeypots and Kaspersky said it did not process the detections in any special way.

The company said it has not detected any other related incident since. It also claimed that an analysis of its software confirmed that it had not created any detection rules for non-malicious documents containing keywords such as “classified” or “top secret” – this aims to reinforce its initial statement that it does not intentionally spy for the Russian government.

Kaspersky also pointed out that it routinely informs the U.S. government about active APT attacks detected in the country.

“We believe the above is an accurate analysis of this incident from 2014. The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” Kaspersky said.

Several recent media reports have focused on Kaspersky’s alleged connection to the Kremlin, which has led many U.S. officials to raise concerns regarding the use of the company’s products. Last month, the Department of Homeland Security (DHS) ordered all government agencies to identify and remove the firm’s security products.

In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

Related: Kaspersky in Focus as US-Russia Cyber-Tensions Rise

Related: Kaspersky Chief Agrees to Testify Before Congress

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.