Dark Reading is part of the Informa Tech Division of Informa PLC

Operational Security

10/27/2017
11:00 AM
Simon Marshall

Kaspersky's US Gov Woes Continue

Kaspersky has admitted that its software grabbed a classified file from a private computer. Does it prove the US government's claims -- or prove that Kaspersky is a good global citizen?

Kaspersky: in receipt of stolen goods?

On a late summer day in 2014, anti-virus software on an NSA contractor's home computer ran a scan for malware. It quickly found something it should not have. The malware it found was American. The AV software was Russian. Today, the implications are deeply worrying.

Kaspersky Lab is once again defending itself. The security giant announced earlier this week it would open up its source code for inspection, under pressure to distance itself from accusations of ties to the Russian government. This latest compromise of a security asset, reported by Kaspersky itself as part of an ongoing internal investigation, ratchets that pressure up and presents an extraordinary set of circumstances.

In summary, Kaspersky says that activity on that late summer day precipitated a set of events that culminated in CEO Eugene Kaspersky ordering the deletion of an archive file acquired from the contractor's computer. That 7zip archive contained source code for malware attributed to the Equation Group, an advanced persistent threat (APT) with ties to the NSA. The infamous Stuxnet worm -- first identified in 2010 and responsible for physical damage to Iran's uranium-enrichment centrifuges -- is said to share exploit code with the Equation Group's arsenal, according to Kaspersky's own research. The group also uses an implant platform called GrayFish.

According to Kaspersky, the GrayFish implant was detected as part of a sample automatically uploaded to its cloud-based Kaspersky Security Network (KSN). Kaspersky uses the network to analyze new threats, devise detections and then push updated signatures to users' products -- but suspicious files are only uploaded from machines where the user has opted in to KSN.

Soon afterward, the user downloaded a pirated Microsoft Office activation key generator that was itself infected with Backdoor.Win32.Mokes.hvl. Crucially, the firm says the user disabled the Kaspersky product in order to install and run the key generator. When the software was re-enabled, Mokes was detected and blocked. But by then the backdoor had already been running on an unprotected machine, and the product went on to find new and unknown variants of Equation APT malware -- among them the 7zip archive, which was detected and automatically uploaded to KSN as suspected malware.
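The episode turns on a single design decision: a cloud-backed AV client that uploads whole files for analysis will, sooner or later, upload something that should never leave the host. The following is an added example, not Kaspersky's code or KSN's logic, of a submission gate a practitioner might put in front of such uploads on sensitive endpoints. It sends a hash-only report for opaque archives and oversized files, and holds anything carrying a classification marker locally. The size cap, the marker list and the file samples are all constructed for the example.

```python
"""Sample-submission gate for a cloud-backed AV client (illustrative, not vendor code)."""
import hashlib
import io
import re
import zipfile

# Hypothetical policy values; a real deployment would take these from the
# AV management console, not from constants in a script.
MAX_FULL_SAMPLE_BYTES = 1_000_000
# Constructed marker list for the example; not any vendor's or agency's list.
CLASSIFICATION_MARKERS = re.compile(rb"\b(TOP SECRET|SECRET|CONFIDENTIAL|NOFORN)\b")

# Leading magic bytes of archive formats the gate treats as opaque containers.
ARCHIVE_MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}

SUBMIT_SAMPLE = "submit_sample"  # the full file may go to the vendor cloud
SUBMIT_HASH = "submit_hash"      # only SHA-256 and the detection name leave the host
HOLD_LOCAL = "hold_local"        # nothing leaves the host; quarantine for local review


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_kind(data: bytes):
    """Return '7z', 'zip', 'rar' or None based on the file's magic bytes."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def has_classification_marker(data: bytes) -> bool:
    """True if the raw bytes, or any member of a zip, carry a marker string.

    Only zip members are inspected (the stdlib has no 7z/rar reader); 7z and
    rar files fall through to the opaque-container rule instead."""
    if CLASSIFICATION_MARKERS.search(data):
        return True
    if archive_kind(data) == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(CLASSIFICATION_MARKERS.search(zf.read(n)) for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def submission_decision(data: bytes) -> dict:
    """Decide what a detection on this file may send upstream.

    The marker check runs first because sensitive content must stay on the
    host no matter how suspicious the detection looks."""
    digest = sha256_hex(data)
    if has_classification_marker(data):
        return {"action": HOLD_LOCAL, "sha256": digest, "reason": "classification marker present"}
    kind = archive_kind(data)
    if kind is not None:
        return {"action": SUBMIT_HASH, "sha256": digest,
                "reason": f"opaque {kind} archive; analyst must request the full sample"}
    if len(data) > MAX_FULL_SAMPLE_BYTES:
        return {"action": SUBMIT_HASH, "sha256": digest, "reason": "exceeds full-sample size cap"}
    return {"action": SUBMIT_SAMPLE, "sha256": digest, "reason": "default policy"}


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def constructed_samples() -> dict:
    """Constructed inputs for the example: not real malware, not real documents."""
    return {
        "keygen.exe": b"MZ" + b"\x90" * 200,                # small PE-looking binary
        "tools.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 64,   # 7z header, contents opaque
        "notes.zip": build_zip({"readme.txt": b"TOP SECRET//NOFORN - handling rules"}),
        "dump.bin": b"\x00" * (MAX_FULL_SAMPLE_BYTES + 1),   # over the size cap
    }


def run_gate() -> dict:
    """Map each constructed sample name to the action the gate chose for it."""
    return {name: submission_decision(data)["action"]
            for name, data in constructed_samples().items()}


if __name__ == "__main__":
    for name, action in run_gate().items():
        print(f"{name:12s} -> {action}")
```

The archive rule is the one that matters for the case above: an unexpected 7zip file that trips a generic detection yields a hash and a detection name, and an analyst has to ask for the contents rather than receive them by default. A marker-string check is a weak control on its own (markers can be absent, misspelled or inside formats the gate cannot open), which is why the size cap and the archive rule sit underneath it.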

In other words, according to Kaspersky, the user exposed the machine -- and the 7zip archive on it -- to whoever controlled the Mokes backdoor. Observers insinuate that Kaspersky stole the file. The firm has been accused of helping Russian hackers steal NSA secrets, and its possession of a file from an NSA contractor's computer is read by critics as complicity.

"We believe the Kaspersky Lab products and the analysts behaved in a correct and ethical way and according to existing procedures at that time," a Kaspersky spokesperson told SecurityNow. Destroying files considered to contain classified information is now standard practice among Kaspersky analysts. That rule does little to help Kaspersky defend itself, particularly when the cards are already stacked against it.

"I think what really makes Kaspersky a target is the Equation Group report it put out a few years back, and its Russian origins," said Michela Menting, digital security research director at ABI Research. Kaspersky has published multiple reports on the Equation Group, the first of them in February 2015.

"Kaspersky has tried hard to distance itself from the Russian government -- not always an easy task, especially as the Russian government is very tight with organized cybercrime groups -- and there is little doubt it gets called upon to provide intelligence," she added.

Menting speculates that Kaspersky may have cooperated with the Russian government in the past, but that growing reluctance to do so may mean it has been infiltrated by its own government and is therefore unknowingly aiding it.

"Kaspersky is being disparaged because of its Russian origins" she continued. "The involvement of US senators at this time simply reveals that there are non-security professionals determining the fate of a company without any actual evidence -- all we have at the moment is speculation and general statements by security agencies that are hostile to the Russian government."

Hostilities aside, Kaspersky's business stands to be deeply affected by the US government's ban on its products in federal systems. That ban has cascaded outwards from the public sector into the consumer market, with the consumer electronics retailer Best Buy pulling Kaspersky products from its shelves. Enterprises are expected to follow suit.

"Kaspersky Lab has its corporate HQ at 39A/3 Leningradskoe Shosse, Moscow, 125212, Russian Federation. Given the cyber political climate between the US and Moscow, US-based organizations are going to be understandably cautious about using products from Kaspersky," Steve Morgan, founder and CEO at Cybersecurity Ventures, a market intelligence firm, said. "It's a lot easier to switch off from an anti-malware provider compared to a CRM or ERP system."

Meanwhile, Kaspersky may see increased hacker activity directed at its own operations, as belligerent actors take up cyber arms. The firm was compromised by the Duqu 2.0 malware platform, which used three zero-day exploits, in 2015, but insists it has found no intrusion since -- a statement that suggests it is keen to rule out speculation that bad actors hopped onto its consumer security platform and used it as illicit eyes and ears.

"We are living in a world now where it's code-to-code combat between hackers and their enemies. Just the implication of any wrongdoing by Kaspersky against the US is enough to motivate hackers to aim at them," said Morgan.

— Simon Marshall, Technology Journalist, special to Security Now
