NSA Contractor Downloaded Backdoor to PC, Says Kaspersky Lab

Kaspersky Lab has released the results of an internal investigation into the suspected theft by Russian spies of NSA hacking tools from a contractor’s laptop, which seem to clear it of wrongdoing alleged in US media reports.

The Moscow-headquartered vendor has been under fire over the past few months after reports in various outlets, including the Washington Post and Wall Street Journal, indicated its products may have been used by Russian intelligence to harvest the data, potentially with the firm’s knowledge.

A New York Times story earlier this month then claimed that Israeli spies, who had also compromised Kaspersky Lab software, had spotted Kremlin hackers using its tools, evidence they passed on to Washington, which then banned federal use of all of the vendor’s products.

However, Kaspersky Lab now says it has reviewed telemetry logs in relation to “alleged 2015 incidents described in the media”.

Most notably, it claims the NSA worker in question, who took home the stolen classified materials, disabled the Kaspersky Lab software running on his PC after it detected new versions of Equation APT – malware linked to the US spy agency.

It continues:

“Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator (aka ‘keygen’) which turned out to be infected with malware. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.

To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine. Our telemetry does not allow us to say when the anti-virus was disabled; however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the anti-virus enabled.”

This “full blown backdoor” could have allowed third parties to access the user’s machine, Kaspersky Lab claimed.

An unspecified time later, the same user re-enabled the Kaspersky Lab software, and new malicious variants of Equation APT were sent back to the vendor’s servers for analysis.

“After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO,” it added. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”

Kaspersky Lab claimed no further detections were received from the user in 2015 and there have been no other incidents or third-party intrusions to date, except the “Duqu 2.0” intrusion thought to be the work of Israeli spies.

What’s more, Kaspersky Lab confirmed it has never created any detection of non-malicious documents in its products based on keywords like “top secret” and “classified”, as alleged in a WSJ story.

The only remaining question mark is the timing of the incident. Most reports put it in 2015, while Kaspersky Lab claimed it happened in 2014. The firm went public with its findings on the NSA’s Equation Group in February 2015.

As part of its efforts to prove its innocence, Kaspersky Lab this week launched a Global Transparency Initiative, under which it plans to offer its source code for independent third-party review.