Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

11:00 AM
Simon Marshall
Simon Marshall
Simon Marshall

Kaspersky's US Gov Woes Continue

Kaspersky has admitted that its software grabbed a classified file from a private computer. Does it prove the US government's claims - or prove that Kaspersky is a good global citizen?

Kaspersky: in receipt of stolen goods?

On a late summer day in 2014, anti-virus software on an NSA contractor's computer initiated a scan for malware. It quickly discovered catastrophic issues. The malware it found was American. The AV software was Russian. Today, the implications are deeply worrying.

Kaspersky Lab is once again defending itself. The security giant announced earlier this week it would open up its source code for inspection, under pressure to distance itself from accusations of ties to the Russian government. This latest compromise of a security asset, reported by Kaspersky itself as part of an ongoing internal investigation, ratchets that pressure up and presents an extraordinary set of circumstances.

In summary, Kaspersky claims that activity on that late summer day precipitated a set of events that culminated in the CEO, Eugene Kaspersky, ordering the deletion of an archive file acquired from the NSA computer. That 7zip archive file contained source code for malware thought to be developed by the Equation Group, an advanced persistent threat (APT), with ties to the NSA. The infamous Stuxnet worm -- discovered by Kaspersky in 2010 and responsible for cyber damage to Iran's nuclear program -- is said to be part of the Equation Group's arsenal. The group also uses a loader called GrayFish.

According to Kaspersky, the GrayFish trojan was detected as part of a sample automatically uploaded to its cloud-based Kaspersky Security Network (KSN). The Network is used by Kaspersky to analyze new threats, devise fixes, and then update users' security databases -- if it is switched on by the user.

Soon after that, the computer downloaded a pirate Microsoft Office activation key generator which opened up a backdoor using Backdoor.Win32.Mokes.hvl. Crucially, the firm claims that the user disabled their Kaspersky software in order to download the key. When the software was re-enabled, Backdoor.Win32.Mokes.hvl was detected and disarmed. But by then, the backdoor had been utilized, and new and unknown variants of Equation APT malware were present -- and the 7zip file in question was also detected and uploaded automatically to KSN as suspected malware.

In other words, according to Kaspersky, the user themselves exposed the 7zip file to hackers. Observers insinuate that Kaspersky stole the file. The firm has been accused of facilitating Russian hackers to steal NSA secrets, and the fact it acquired a file from an NSA computer can be seen as complicit behavior.

"We believe the Kaspersky Lab products and the analysts behaved in a correct and ethical way and according to existing procedures at that time," a Kaspersky spokesperson told SecurityNow. Destroying files considered to contain classified information is now standard practice among Kaspersky analysts. The rule does not help Kaspersky defend itself, particularly when the cards are already stacked against them.

"I think what really makes Kaspersky a target is the Equation Group report it put out a few years back, and its Russian origins," said Michela Menting, digital security research director at ABI Research. Kaspersky has published multiple reports on the Equation Group, unveiling them in early 2015.

"Kaspersky has tried hard to distance itself from the Russian government -- not always an easy task, especially as the Russian government is very tight with organized cybercrime groups -- and there is little doubt it gets called upon to provide intelligence," she added.

Menting speculates that Kaspersky may have cooperated with the Russian government in the past, but growing reluctance to do that may mean that they have been infiltrated by their own government, and may therefore be unknowingly aiding them.

"Kaspersky is being disparaged because of its Russian origins" she continued. "The involvement of US senators at this time simply reveals that there are non-security professionals determining the fate of a company without any actual evidence -- all we have at the moment is speculation and general statements by security agencies that are hostile to the Russian government."

Hostilities aside, Kaspersky’s business stands to be deeply impacted by the US government’s ban on its products. That ban has cascaded outwards from the public sector into the consumer market, with the high-tech consumer chain, Best Buy, pulling Kaspersky products from the shelves. Enterprises are expected to follow suit.

"Kaspersky Lab has its corporate HQ at 39A/3 Leningradskoe Shosse, Moscow, 125212, Russian Federation. Given the cyber political climate between the US and Moscow, US-based organizations are going to be understandably cautious about using products from Kaspersky," Steve Morgan, founder and CEO at Cybersecurity Ventures, a market intelligence firm, said. "It's a lot easier to switch off from an anti-malware provider compared to a CRM or ERP system."

Meanwhile, Kaspersky may see increased hacker activity directed towards its own operations, as belligerent actors take up cyber arms. The firm was attacked by the Duqu 2.0 triple-zero-day malware platform in 2015, but insists it has not been attacked by anything since -- a statement that suggests it is keen to rule out speculation that bad actors hopped onto its consumer security platform and acted as illicit cyber eyes and ears.

"We are living in a world now where it's code-to-code combat between hackers and their enemies. Just the implication of any wrongdoing by Kaspersky against the US is enough to motivate hackers to aim at them," said Morgan.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.