Threat Intelligence, Malware

New Kaspersky report offers alternate theory for how NSA hacking tools were stolen

Seeking to dispel allegations that its anti-virus software helped Russian cyber spies identify and steal U.S. hacking tools from an NSA contractor's laptop, Kaspersky Lab on Thursday released findings from its own internal probe, including apparent evidence that the laptop had been infected with malware.

Kaspersky believes it pinpointed the contractor's computer system in question, after its investigators linked said system to an unusually large volume of Equation Group malware signatures that were recorded by its anti-virus software and saved to the company's server. (The Equation Group APT has been widely linked to the NSA.)

If, indeed, this is the contractor's computer system, then the hacking incident appears to have taken place sometime between Sept. 11, 2014 and Nov. 17, 2014, Kaspersky explains in an online report. However, this assessment does not jibe with previous accounts that said the incident took place in 2015 -- an inconsistency that could theoretically weaken the Russia-based company's defense.

Kaspersky is also claiming that the contractor's computer system was compromised by an external malicious actor on Oct. 4, 2014 -- a date that lies within the window of time during which the company believes the hacking tools were stolen. Allegedly, the system was infected with a malicious downloader and backdoor program called Smoke Loader or Smoke Bot, which was delivered via a malicious Microsoft Office ISO file.

Kaspersky notes that the contractor had to have temporarily disabled his anti-virus program in order to run and install this malware program. Once re-enabled, the AV software successfully blocked Smoke Loader's attempts at accessing a known malicious domain. But even if Smoke Loader's damage was limited, Kaspersky asserts that the same system also downloaded other questionable software that triggered 121 non-Equation specific AV alerts between Sept. 11 and Nov. 17, 2017.

"The possibility exists that there may have been other malware on the system which our engines did not detect at the time of research," states the Kaspersky report. "Given that system owner's potential clearance level, the user could have been a prime target of nation states. Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands."

Kaspersky acknowledges that in September 2014, its AV software detected Equation Group malware in a 7zip archive stored on the computer system in question, and then subsequently downloaded this archive onto Kaspersky's servers, as it is programmed to do. However, the company is insisting that only the malware binaries were saved, while any remaining files that were incidentally collected -- including Equation Group source code and classified documents -- were promptly deleted.

"The reason we deleted those files and will delete similar ones in the future is two-fold; We don't need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials," the report states.

Also Kaspersky denied that its products can be secretly leveraged to exfiltrate data to Russian spies, noting that it relies on a secure signature system that external parties would not be able to forge without being detected by third-parties, or recorded in internal databases and historical records.

"In relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer," the report asserts.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.