
Operational Security

10/27/2017 11:00 AM
Simon Marshall

Kaspersky's US Gov Woes Continue

Kaspersky has admitted that its software grabbed a classified file from a private computer. Does it prove the US government's claims - or prove that Kaspersky is a good global citizen?

Kaspersky: in receipt of stolen goods?

On a late summer day in 2014, anti-virus software on an NSA contractor's computer initiated a scan for malware. It quickly discovered catastrophic issues. The malware it found was American. The AV software was Russian. Today, the implications are deeply worrying.

Kaspersky Lab is once again defending itself. The security giant announced earlier this week it would open up its source code for inspection, under pressure to distance itself from accusations of ties to the Russian government. This latest compromise of a security asset, reported by Kaspersky itself as part of an ongoing internal investigation, ratchets that pressure up and presents an extraordinary set of circumstances.

In summary, Kaspersky claims that activity on that late summer day precipitated a set of events that culminated in the CEO, Eugene Kaspersky, ordering the deletion of an archive file acquired from the NSA computer. That 7zip archive file contained source code for malware thought to be developed by the Equation Group, an advanced persistent threat (APT), with ties to the NSA. The infamous Stuxnet worm -- discovered by Kaspersky in 2010 and responsible for cyber damage to Iran's nuclear program -- is said to be part of the Equation Group's arsenal. The group also uses a loader called GrayFish.

According to Kaspersky, the GrayFish trojan was detected as part of a sample automatically uploaded to its cloud-based Kaspersky Security Network (KSN). The Network is used by Kaspersky to analyze new threats, devise fixes, and then update users' security databases -- if it is switched on by the user.

Soon after that, the computer downloaded a pirated Microsoft Office activation key generator, which opened up a backdoor using Backdoor.Win32.Mokes.hvl. Crucially, the firm claims that the user disabled their Kaspersky software in order to download the key generator. When the software was re-enabled, Backdoor.Win32.Mokes.hvl was detected and disarmed. But by then, the backdoor had already been used, and new and unknown variants of Equation APT malware were present -- and the 7zip file in question was also detected and uploaded automatically to KSN as suspected malware.

In other words, according to Kaspersky, the user themselves exposed the 7zip file to hackers. Observers insinuate that Kaspersky stole the file. The firm has been accused of facilitating the theft of NSA secrets by Russian hackers, and the fact that it acquired a file from an NSA computer can be read as complicit behavior.

"We believe the Kaspersky Lab products and the analysts behaved in a correct and ethical way and according to existing procedures at that time," a Kaspersky spokesperson told SecurityNow. Destroying files considered to contain classified information is now standard practice among Kaspersky analysts. The rule does not help Kaspersky defend itself, particularly when the cards are already stacked against them.

"I think what really makes Kaspersky a target is the Equation Group report it put out a few years back, and its Russian origins," said Michela Menting, digital security research director at ABI Research. Kaspersky has published multiple reports on the Equation Group, unveiling them in early 2015.

"Kaspersky has tried hard to distance itself from the Russian government -- not always an easy task, especially as the Russian government is very tight with organized cybercrime groups -- and there is little doubt it gets called upon to provide intelligence," she added.

Menting speculates that Kaspersky may have cooperated with the Russian government in the past, but growing reluctance to do that may mean that they have been infiltrated by their own government, and may therefore be unknowingly aiding them.

"Kaspersky is being disparaged because of its Russian origins," she continued. "The involvement of US senators at this time simply reveals that there are non-security professionals determining the fate of a company without any actual evidence -- all we have at the moment is speculation and general statements by security agencies that are hostile to the Russian government."

Hostilities aside, Kaspersky's business stands to be deeply impacted by the US government's ban on its products. That ban has cascaded outwards from the public sector into the consumer market, with the high-tech consumer chain Best Buy pulling Kaspersky products from its shelves. Enterprises are expected to follow suit.

"Kaspersky Lab has its corporate HQ at 39A/3 Leningradskoe Shosse, Moscow, 125212, Russian Federation. Given the cyber political climate between the US and Moscow, US-based organizations are going to be understandably cautious about using products from Kaspersky," Steve Morgan, founder and CEO at Cybersecurity Ventures, a market intelligence firm, said. "It's a lot easier to switch off from an anti-malware provider compared to a CRM or ERP system."

Meanwhile, Kaspersky may see increased hacker activity directed towards its own operations, as belligerent actors take up cyber arms. The firm was attacked by the Duqu 2.0 triple-zero-day malware platform in 2015, but insists it has not been attacked by anything since -- a statement that suggests it is keen to rule out speculation that bad actors hopped onto its consumer security platform and acted as illicit cyber eyes and ears.

"We are living in a world now where it's code-to-code combat between hackers and their enemies. Just the implication of any wrongdoing by Kaspersky against the US is enough to motivate hackers to aim at them," said Morgan.

— Simon Marshall, Technology Journalist, special to Security Now
