
NSA worker infected computer provided access to Equation Group surveillance code, Kaspersky says

According to Kaspersky Lab, a 2014 analysis of a malicious archive found on a computer in the U.S. showed that the consumer version of the company's antivirus software had picked up source code for surveillance tools used by the Equation Group, the National Security Agency's elite hacking arm. The company says the file was deleted immediately once its contents were recognized.

The company, whose software was banned from federal systems after the U.S. government raised concerns that Kaspersky had connections to cyberespionage activities, published the results of an internal review. According to that review, Kaspersky's software detected Backdoor.Win32.Mokes.hvl malware on a computer used by an NSA worker who had downloaded and installed a pirated copy of Microsoft Office at home, “as indicated by an illegal Microsoft Office activation key generator,” or keygen.

“Backdoor.Win32.Mokes.hvl (the fake keygen) has been available in Kaspersky Lab products since 2013,” the company said, noting that the user apparently disabled the Kaspersky software in order to run the keygen, though the company cannot determine exactly when the software was disabled.

“However, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run” since “executing the keygen would not have been possible with the antivirus enabled,” the company said.

Once the software was re-engaged, after an indeterminate period, it detected and blocked the malware. Further scans by the user uncovered “detections of new and unknown variants of Equation APT malware,” according to the report's findings.

Kaspersky is scrambling to regain trust after Israeli intelligence discovered that Russian hackers had used Kaspersky Lab's antivirus software to search computers worldwide for information on U.S. intelligence programs, a finding that prompted the U.S. government ban.

Russia's efforts were uncovered by Israeli intelligence officers, who had hacked into Kaspersky's networks and watched the Russian spies at work in real time.

“From Kaspersky's report, it sounds as though an NSA employee or contractor had debug versions of new malware. These were running on a machine with a virus created by a key generator (or keygen) that Kaspersky had a signature for, as did VirusTotal,” said Simon Gibson, Fellow Security Architect, Gigamon.

“All of that sounds plausible, though I'd be surprised if the developer needed a keygen to run Windows. I would expect them to be able to get a license key, although it is possible,” said Gibson, who noted that employees typically use keygens when organizational processes and policies prevent them from accessing legitimate software needed for their work. “And it's plausible that Kaspersky found malware under development on a contractor's machine because of a key generator with a virus.

“But, boy, it's a stretch. It's sloppy on the contractor's part, but that's part of all of this,” he said. “People are lazy and make mistakes like downloading a Windows keygen rather than submitting the paperwork to get a paid-for license from their employer.”

To prove that its products and services are trustworthy, and to counter implications to the contrary following the U.S. government ban, Kaspersky Lab has launched a Global Transparency Initiative, offering its source code for third-party review and opening three transparency centers around the globe.
