Kaspersky Gives Its Side of the Story on How the NSA Lost Some Its Hacking Tools

CERT-LatestNews ThreatsActivists

Kaspersky logo

Russian cyber-security vendor Kaspersky Lab published today a report detailing its side of events on the whole Kaspersky-stole-US-government-files-for-Russia saga.

While US authorities had quietly investigated Kaspersky on suspected ties to the Russian government, nothing was known for the first few months of the year.

Only this fall, after reports from the Wall Street Journal and the New York Times, is when the public found out that the US government suspected that Russian FSB agents or other Kaspersky insiders had used the Kaspersky antivirus as an interactive search engine to scan computers all over the world.

The two media outlets alluded that this is how classified US government files taken home —without permission— by an NSA employee ended up in the hands of the Russian government in a data leak unknown until that point.

Kaspersky says data collection was automatic, as designed

Kaspersky denied any wrongdoing all summer and especially after the recent media coverage, promising to start an investigation into what happened.

The preliminary findings of that investigation were published today. In the report, Kaspersky admits that it did indeed collect secret NSA documents, but it was never intentional, as US media alluded.

The company said the collection process was automatic, as the documents were hacking tools detected under signatures tied to malware the company believed it belonged to a cyber-espionage group it was investigating at the time.

This incident took place in 2014 and Kaspersky published a report on this group in 2015. The group’s name and the report are now infamous — the Equation Group — and most security experts generally acknowledge that the group is NSA’s cyber-operations division.

CEO ordered the collected files to be destroyed

While Kaspersky does not go as far as to make assumptions as to whom the computer where the Equation Group malware detections came from, the company says that this user used its antivirus designed for home users and had enabled “automatic sample submission of new and unknown malware.”

Kaspersky says the files collected from that user “appeared to be new, unknown and debug variants of malware used by the Equation group.”

Because it was new malware, an analyst took a look at the collected data to verify and classify the new detection. The company says this employee reported the files to the company’s CEO, Eugene Kaspersky, after realizing that he might have discovered the source code of NSA tools.

In a surprising turn of events, Eugene Kaspersky ordered the files to be deleted. The company did not provide a reason why its CEO took this decision but specified it did not share the files with any third-party.

Alleged NSA leaker was also infected with another backdoor

The findings of this report come to confirm unofficial theories that circulated in the infosec community regarding what really happened.

Most experts suspected that the Kaspersky antivirus did nothing more than do its job after a careless NSA employee smuggled hacking tools out of NSA’s network and took them home, for unknown reasons.

Furthermore, Kaspersky complicated things today, even more, when they said they also took a look at telemetry data from the computer of the supposed NSA employee.

The Russian antivirus maker said the same user who apparently was harboring NSA hacking tools on his home PC was also infected with another malware shortly after.

Kaspersky claims the user downloaded a keygen in order to install a pirated version of Microsoft Office. As it’s usually the case with keygens for pirated software, this file was laced with malware, in this case, the Win32.Mokes.hvl backdoor trojan.

What Kaspersky is trying to say by mentioning this detail in its report is that some random cybercrook also had access to the same computer that hosted NSA hacking tools.

Kaspersky detected NSA honeypots, behaved normally

The Mokes infection didn’t get unnoticed, and after realizing something was wrong, the same user scanned his computer multiple times with the Kaspersky antivirus. The AV reported back to the user not only the Mokes infection but also detections for the Equation Group malware.

At one point or another, the NSA employee appears to have reported the incident to its supervisors, or the NSA realized it had another leak, because after Kaspersky published the Equation Group report in February 2015, the company detected computers configured as “honeypots,” harboring the same malware and in the same IP range as the initial detection.

This part of the report corroborates the WSJ report that said the US government had set up test computers in controlled experiments. Kaspersky said its product behaved as designed and only collected malicious executables, and not top secret or classified data as anonymous sources told the WSJ and NYT.

It’s now the US government’s turn to come clean

All in all, the Kaspersky report provides all the technical details that lacked in the original reporting, painting a more believable storyline for the events that led to US officials banning Kaspersky on US government computers.

What’s now left is for the US government to do the same and release a similar technical report. All the reporting we have on the Kaspersky allegations until now are only from anonymous sources going to US media, with no official announcement from US authorities.

Of course, Kaspersky is not necessarily innocent because it offered more details, as other details also need to be clarified, like a sales pitch it made to the US government in which it claimed it can use its AV product as a tool to help with the capture terrorist suspects.

Also this week, Kaspersky announced a new transparency initiative that would allow approved auditors to review its products’ source code for any hidden backdoors or suspicious behavior.