Kaspersky Lab's investigation reveals that the 2014 NSA data leak resulted from the use of pirated software

If you’ve been following the Kaspersky-NSA story, you will be aware that the company is in big trouble with the US government over its alleged, willing or unwitting involvement in state-sponsored spying on behalf of the Russians.

A file photo of Kaspersky Lab CEO Eugene Kaspersky

To be clear, there’s no concrete evidence that Kaspersky was involved in such spying, nor is there any evidence that it wasn’t. The only facts, as far as we’re aware, are that Israel infiltrated and spied on Kaspersky Lab operations via an APT (advanced persistent threat) attack in 2014. Kaspersky discovered and reported the attack in 2015; the malware was labelled Duqu 2.0. In 2014, sensitive files belonging to the NSA were “stolen” from an NSA contractor’s home PC. These files were there illegally. The PC from which the data was stolen ran Kaspersky Lab software.

Later, The Washington Post and The New York Times reported that the Israeli government had found evidence of stolen NSA malware on Kaspersky Lab’s network. Apparently, the Russians were also in Kaspersky Lab’s network at the same time and had repurposed Kaspersky’s malware detection tools to hunt for sensitive files. Following these revelations, US media, including the WSJ and NYT, quoted anonymous sources as saying that Kaspersky Lab was aiding the Russian government in these spying activities.

As Wired notes in its own report on the matter, these sources have since “disclaimed all knowledge of classified matters”. The US government has also not presented any evidence to substantiate any of the claims. As the report further notes, the US government hasn’t even explained what Kaspersky has been accused of.

The real questions surrounding the Kaspersky-NSA story are as follows:

1. Did Kaspersky Lab help the Russians acquire NSA-built malware?

2. Did Kaspersky Lab deliberately or inadvertently acquire that malware?

3. Did Kaspersky Lab unwillingly or willingly collaborate with the Russians?

For its part, Kaspersky has been maintaining that it is innocent of all charges and that the company is not involved with the Russian government. To enable greater transparency in its operations, and to allay private sector and governmental fears of external influences on the company, Kaspersky Lab has announced the “comprehensive transparency initiative.” As per this initiative, Kaspersky will open its source code for review by an “internationally recognised authority”, conduct an independent review of its internal processes and open more transparency centres around the world. Bounty rewards for those finding bugs in Kaspersky Lab software have also been bumped up to $100,000.

Presenting further evidence of its innocence, Kaspersky Lab published the findings of a preliminary report into the hacking of an NSA contractor’s personal computer, which some see as the trigger to Kaspersky’s fallout with the government.

Representational image. Reuters

According to Kaspersky, the NSA contractor’s PC used Kaspersky antivirus for protection. A setting in this antivirus allows for the transmission of detected malware to Kaspersky Lab servers for analysis. The first instance of NSA-designed malware (Equation malware) was detected in September 2014.

To make matters worse, the user, who, bear in mind, is a contractor working for one of the world’s most sophisticated and secure spy agencies, downloaded and installed a pirated version of Microsoft Office 2013. With this download, the user also downloaded a “keygen” — a tool used for generating fake keys to activate an illegal copy of a given piece of software. That keygen was infected with malware, which went on to infect the user’s PC.

Kaspersky antivirus would have detected that malware and removed it, but the user apparently disabled his antivirus program to allow himself to run the keygen on his PC. The malware, given free rein by the user, went on to install backdoors onto the system.

When the user turned Kaspersky antivirus back on some time later, the program detected the malware and blocked it. The user then ran multiple scans on his system, and Kaspersky antivirus detected multiple instances of malware, including a zip file containing the source code of NSA/Equation Group-designed malware. Since the zip file was marked as malicious, as it rightly should have been, the file and its contents were uploaded to Kaspersky servers for analysis.

When it was discovered that the malware source code belonged to the NSA, the company CEO ordered that the archive and all files be deleted from Kaspersky Lab systems. Kaspersky maintains that it never gave the archive out to third parties.

Kaspersky Lab also maintains that “No other third-party intrusion, besides Duqu 2.0, were detected in Kaspersky Lab’s networks.”

If true, the NSA contractor displayed an astounding level of ignorance and carelessness for someone who deals with malware for a living, especially so for someone working with the NSA.

Kaspersky's preliminary report on the matter can be found here.

Regardless of whether Kaspersky Lab is in the right or the wrong, the damage has been done. Even if this is a witch hunt on the US govt.’s part, it is unlikely that any Russian-origin product will ever, officially, find its way into government operations.

Equally clear is the fact that the NSA, the organisation tasked with protecting the nation's security, has a serious security problem that is still not being addressed.


Published Date: Oct 26, 2017 01:59 pm | Updated Date: Oct 26, 2017 01:59 pm