Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
10/27/2017
11:00 AM
Simon Marshall
Simon Marshall
Simon Marshall

Kaspersky's US Gov Woes Continue

Kaspersky has admitted that its software grabbed a classified file from a private computer. Does it prove the US government's claims - or prove that Kaspersky is a good global citizen?

Kaspersky: in receipt of stolen goods?

On a late summer day in 2014, anti-virus software on an NSA contractor's computer initiated a scan for malware. It quickly discovered catastrophic issues. The malware it found was American. The AV software was Russian. Today, the implications are deeply worrying.

Kaspersky Lab is once again defending itself. The security giant announced earlier this week it would open up its source code for inspection, under pressure to distance itself from accusations of ties to the Russian government. This latest compromise of a security asset, reported by Kaspersky itself as part of an ongoing internal investigation, ratchets that pressure up and presents an extraordinary set of circumstances.

In summary, Kaspersky claims that activity on that late summer day precipitated a set of events that culminated in the CEO, Eugene Kaspersky, ordering the deletion of an archive file acquired from the NSA computer. That 7zip archive file contained source code for malware thought to be developed by the Equation Group, an advanced persistent threat (APT), with ties to the NSA. The infamous Stuxnet worm -- discovered by Kaspersky in 2010 and responsible for cyber damage to Iran's nuclear program -- is said to be part of the Equation Group's arsenal. The group also uses a loader called GrayFish.

According to Kaspersky, the GrayFish trojan was detected as part of a sample automatically uploaded to its cloud-based Kaspersky Security Network (KSN). The Network is used by Kaspersky to analyze new threats, devise fixes, and then update users' security databases -- if it is switched on by the user.

Soon after that, the computer downloaded a pirate Microsoft Office activation key generator which opened up a backdoor using Backdoor.Win32.Mokes.hvl. Crucially, the firm claims that the user disabled their Kaspersky software in order to download the key. When the software was re-enabled, Backdoor.Win32.Mokes.hvl was detected and disarmed. But by then, the backdoor had been utilized, and new and unknown variants of Equation APT malware were present -- and the 7zip file in question was also detected and uploaded automatically to KSN as suspected malware.

In other words, according to Kaspersky, the user themselves exposed the 7zip file to hackers. Observers insinuate that Kaspersky stole the file. The firm has been accused of facilitating Russian hackers to steal NSA secrets, and the fact it acquired a file from an NSA computer can be seen as complicit behavior.

"We believe the Kaspersky Lab products and the analysts behaved in a correct and ethical way and according to existing procedures at that time," a Kaspersky spokesperson told SecurityNow. Destroying files considered to contain classified information is now standard practice among Kaspersky analysts. The rule does not help Kaspersky defend itself, particularly when the cards are already stacked against them.

"I think what really makes Kaspersky a target is the Equation Group report it put out a few years back, and its Russian origins," said Michela Menting, digital security research director at ABI Research. Kaspersky has published multiple reports on the Equation Group, unveiling them in early 2015.

"Kaspersky has tried hard to distance itself from the Russian government -- not always an easy task, especially as the Russian government is very tight with organized cybercrime groups -- and there is little doubt it gets called upon to provide intelligence," she added.

Menting speculates that Kaspersky may have cooperated with the Russian government in the past, but growing reluctance to do that may mean that they have been infiltrated by their own government, and may therefore be unknowingly aiding them.

"Kaspersky is being disparaged because of its Russian origins" she continued. "The involvement of US senators at this time simply reveals that there are non-security professionals determining the fate of a company without any actual evidence -- all we have at the moment is speculation and general statements by security agencies that are hostile to the Russian government."

Hostilities aside, Kaspersky’s business stands to be deeply impacted by the US government’s ban on its products. That ban has cascaded outwards from the public sector into the consumer market, with the high-tech consumer chain, Best Buy, pulling Kaspersky products from the shelves. Enterprises are expected to follow suit.

"Kaspersky Lab has its corporate HQ at 39A/3 Leningradskoe Shosse, Moscow, 125212, Russian Federation. Given the cyber political climate between the US and Moscow, US-based organizations are going to be understandably cautious about using products from Kaspersky," Steve Morgan, founder and CEO at Cybersecurity Ventures, a market intelligence firm, said. "It's a lot easier to switch off from an anti-malware provider compared to a CRM or ERP system."

Meanwhile, Kaspersky may see increased hacker activity directed towards its own operations, as belligerent actors take up cyber arms. The firm was attacked by the Duqu 2.0 triple-zero-day malware platform in 2015, but insists it has not been attacked by anything since -- a statement that suggests it is keen to rule out speculation that bad actors hopped onto its consumer security platform and acted as illicit cyber eyes and ears.

"We are living in a world now where it's code-to-code combat between hackers and their enemies. Just the implication of any wrongdoing by Kaspersky against the US is enough to motivate hackers to aim at them," said Morgan.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35942
PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
CVE-2022-35949
PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js con...
CVE-2022-35953
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...