Kaspersky: in receipt of stolen goods?
On a late summer day in 2014, anti-virus software on an NSA contractor's computer initiated a scan for malware. It quickly discovered catastrophic issues. The malware it found was American. The AV software was Russian. Today, the implications are deeply worrying.
Kaspersky Lab is once again defending itself. The security giant announced earlier this week it would open up its source code for inspection, under pressure to distance itself from accusations of ties to the Russian government. This latest compromise of a security asset, reported by Kaspersky itself as part of an ongoing internal investigation, ratchets that pressure up and presents an extraordinary set of circumstances.
In summary, Kaspersky claims that activity on that late summer day precipitated a set of events that culminated in the CEO, Eugene Kaspersky, ordering the deletion of an archive file acquired from the NSA computer. That 7zip archive file contained source code for malware thought to be developed by the Equation Group, an advanced persistent threat (APT), with ties to the NSA. The infamous Stuxnet worm -- discovered by Kaspersky in 2010 and responsible for cyber damage to Iran's nuclear program -- is said to be part of the Equation Group's arsenal. The group also uses a loader called GrayFish.
According to Kaspersky, the GrayFish trojan was detected as part of a sample automatically uploaded to its cloud-based Kaspersky Security Network (KSN). The Network is used by Kaspersky to analyze new threats, devise fixes, and then update users' security databases -- if it is switched on by the user.
Soon after that, the computer downloaded a pirate Microsoft Office activation key generator which opened up a backdoor using Backdoor.Win32.Mokes.hvl. Crucially, the firm claims that the user disabled their Kaspersky software in order to download the key. When the software was re-enabled, Backdoor.Win32.Mokes.hvl was detected and disarmed. But by then, the backdoor had been utilized, and new and unknown variants of Equation APT malware were present -- and the 7zip file in question was also detected and uploaded automatically to KSN as suspected malware.
In other words, according to Kaspersky, the user themselves exposed the 7zip file to hackers. Observers insinuate that Kaspersky stole the file. The firm has been accused of facilitating Russian hackers to steal NSA secrets, and the fact it acquired a file from an NSA computer can be seen as complicit behavior.
"We believe the Kaspersky Lab products and the analysts behaved in a correct and ethical way and according to existing procedures at that time," a Kaspersky spokesperson told SecurityNow. Destroying files considered to contain classified information is now standard practice among Kaspersky analysts. The rule does not help Kaspersky defend itself, particularly when the cards are already stacked against them.
"I think what really makes Kaspersky a target is the Equation Group report it put out a few years back, and its Russian origins," said Michela Menting, digital security research director at ABI Research. Kaspersky has published multiple reports on the Equation Group, unveiling them in early 2015.
"Kaspersky has tried hard to distance itself from the Russian government -- not always an easy task, especially as the Russian government is very tight with organized cybercrime groups -- and there is little doubt it gets called upon to provide intelligence," she added.
Menting speculates that Kaspersky may have cooperated with the Russian government in the past, but growing reluctance to do that may mean that they have been infiltrated by their own government, and may therefore be unknowingly aiding them.
"Kaspersky is being disparaged because of its Russian origins" she continued. "The involvement of US senators at this time simply reveals that there are non-security professionals determining the fate of a company without any actual evidence -- all we have at the moment is speculation and general statements by security agencies that are hostile to the Russian government."
Hostilities aside, Kaspersky’s business stands to be deeply impacted by the US government’s ban on its products. That ban has cascaded outwards from the public sector into the consumer market, with the high-tech consumer chain, Best Buy, pulling Kaspersky products from the shelves. Enterprises are expected to follow suit.
"Kaspersky Lab has its corporate HQ at 39A/3 Leningradskoe Shosse, Moscow, 125212, Russian Federation. Given the cyber political climate between the US and Moscow, US-based organizations are going to be understandably cautious about using products from Kaspersky," Steve Morgan, founder and CEO at Cybersecurity Ventures, a market intelligence firm, said. "It's a lot easier to switch off from an anti-malware provider compared to a CRM or ERP system."
Meanwhile, Kaspersky may see increased hacker activity directed towards its own operations, as belligerent actors take up cyber arms. The firm was attacked by the Duqu 2.0 triple-zero-day malware platform in 2015, but insists it has not been attacked by anything since -- a statement that suggests it is keen to rule out speculation that bad actors hopped onto its consumer security platform and acted as illicit cyber eyes and ears.
"We are living in a world now where it's code-to-code combat between hackers and their enemies. Just the implication of any wrongdoing by Kaspersky against the US is enough to motivate hackers to aim at them," said Morgan.
- Will Transparency Save Kaspersky?
- Kaspersky & the FBI: Security Meets Politics
- Bad Rabbit Breeds Ransomware Fears
— Simon Marshall, Technology Journalist, special to Security Now