Kaspersky Lab Says It Spotted APT Code, Quickly Deleted It
Firm Confirms Its AV Software Detected Equation Group Source Code on Home PC
Security vendor Kaspersky Lab says that an internal probe has found that a consumer version of its software running on a U.S.-based PC spotted variants of Equation Group advanced persistent threat malware source code.
But after its anti-virus software sent a copy of the malware to Kaspersky Lab's Moscow-based security researchers for analysis and an analyst realized what it was and reported it to CEO Eugene Kaspersky, he ordered that all copies of the source code be immediately deleted, the company says.
Kaspersky Lab's internal probe was sparked by reports in U.S. media outlets this month that cited unnamed U.S. government sources claiming that Kaspersky Lab's network had been infiltrated by Russian intelligence agencies. Such revelations were reportedly communicated to U.S. officials by Israeli intelligence agents who had hacked into Kaspersky Lab's network and found signs of Russian intelligence infiltration, including Kaspersky Lab's anti-virus software being used to run searches on endpoints for U.S. intelligence secrets.
Kaspersky Lab continues to deny that it's aided any government in any improper way, and it claims that it's a pawn in a geopolitical fight between the U.S. and Russian governments (see Will Kaspersky Lab Survive the Russia Hacking Scandal?).
In terms of the allegation that Israel may have hacked into the company's networks, Kaspersky Lab had already confirmed that its systems were infiltrated in 2015 by Duqu 2.0 malware, which has been tied to the Equation Group.
Preliminary Probe Findings
On Wednesday, the firm issued preliminary results of its investigation into the recent media reports, noting that a review of its telemetry logs confirmed that it had spotted infections involving Equation Group malware in more than 40 countries, including the United States. The firm says it has been informing "relevant U.S. government institutions" - implying the U.S. Computer Emergency Readiness Team - "about active APT infections in the USA."
Telemetry refers to anti-virus software sending hashes of known malware samples back to the vendor so it can geographically track outbreaks. Many anti-virus vendors also have the ability to obtain copies of suspicious files, or to have end users directly submit such files for further analysis. Many security experts say this remains an essential part of the anti-virus process, so that firms can spot and block emerging attacks as quickly as possible (see Surveying 17 Anti-Virus Firms on Their Security Practices).
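To make the distinction in that paragraph concrete, here is a small added simulation (not code from the article, nor from Kaspersky Lab or any other vendor) of how hash-only telemetry differs from full-file sample submission. The malware corpus, the heuristic marker bytes, the detection names and the endpoint policy flag are all constructed for the example: the vendor side only ever learns a hash, a detection name and a country code, while uploading the file itself is a separate step that needs both a vendor request and an explicit endpoint opt-in.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hash used for telemetry; the vendor sees this, not the file."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known malware" corpus. The vendor ships only hashes and names,
# so a client can match a file without the contents ever leaving the machine.
KNOWN_SAMPLES = {
    b"constructed-known-malware-A": "Trojan.Example.A",
    b"constructed-known-malware-B": "Trojan.Example.B",
}
KNOWN_HASHES = {sha256_hex(content): name for content, name in KNOWN_SAMPLES.items()}

# Constructed heuristic: a byte pattern standing in for a generic family
# signature that catches "new and unknown variants" whose hash is not yet known.
HEURISTIC_MARKER = b"CONSTRUCTED-FAMILY-MARKER"


@dataclass
class TelemetryEvent:
    sha256: str           # hash of the detected file, never the file itself
    detection_name: str
    country: str          # coarse location used to track outbreaks
    sample_wanted: bool   # True when the vendor has no copy of this variant


@dataclass
class Endpoint:
    country: str
    allow_sample_upload: bool = False   # explicit opt-in for full-file submission
    events: list = field(default_factory=list)
    uploads: list = field(default_factory=list)


def scan_file(endpoint: Endpoint, data: bytes) -> Optional[TelemetryEvent]:
    """Client-side scan: emits a hash-only telemetry event, or None if clean."""
    digest = sha256_hex(data)
    if digest in KNOWN_HASHES:
        event = TelemetryEvent(digest, KNOWN_HASHES[digest], endpoint.country, sample_wanted=False)
    elif HEURISTIC_MARKER in data:
        # Heuristic hit on an unseen file: flag it and note that the vendor
        # would want a copy for analysis.
        event = TelemetryEvent(digest, "HEUR:Unknown.Variant", endpoint.country, sample_wanted=True)
    else:
        return None
    endpoint.events.append(event)
    return event


def maybe_upload(endpoint: Endpoint, data: bytes, event: TelemetryEvent) -> bool:
    """Full-file submission happens only if the vendor wants the sample AND
    the endpoint has opted in; otherwise the contents stay on the machine."""
    if not (event.sample_wanted and endpoint.allow_sample_upload):
        return False
    endpoint.uploads.append((event.sha256, data))
    return True


def outbreak_counts(events) -> dict:
    """Vendor side: tally detections per country from hash-only events."""
    counts = {}
    for e in events:
        counts[e.country] = counts.get(e.country, 0) + 1
    return counts


if __name__ == "__main__":
    ep = Endpoint(country="US")
    suspicious = b"archive " + HEURISTIC_MARKER + b" payload"
    ev = scan_file(ep, suspicious)
    print(ev)                                   # hash-only event, sample_wanted=True
    print(maybe_upload(ep, suspicious, ev))     # False: no opt-in, file stays local
    print(outbreak_counts(ep.events))
```

The point the toy makes is that "telemetry" and "sample submission" are two different data flows with different privacy consequences; a vendor can track outbreaks from hashes alone, and whether a flagged file (an archive of source code, say) ever leaves the endpoint is a policy decision, not a side effect of detection.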
Kaspersky Lab says its latest probe has confirmed that "no other third-party [intrusions], besides Duqu 2.0, were detected in Kaspersky Lab's networks."
Equation Group Identity: Unconfirmed
Kaspersky Lab and many other security firms and researchers have not stated who they believe the Equation Group to be, other than noting that it appears to be well-resourced and also tied to a variety of other malware, including Stuxnet. But other observers have stated that they believe the Equation Group is associated with or is part of the U.S. National Security Agency's Tailored Access Operations offensive hacking group. Speaking on background, U.S. government officials have also said that Stuxnet was created by a U.S.-Israeli cyber weapons factory.
To date, however, there has been no public evidence that the Equation Group is the NSA; all such suggestions remain circumstantial.
Probe: Trojanized Keygen Infected Endpoint
This month, reports by the New York Times, Washington Post and the Wall Street Journal have suggested that an NSA analyst took home Equation Group software and installed it on his home PC, which was running Kaspersky anti-virus software. Security experts say this would have represented a massive operational security violation by any intelligence analyst (see 10 Reactions: Allegations Against Kaspersky Lab).
But in an even more embarrassing turn of events for the U.S. intelligence establishment, Kaspersky Lab says in its report that the home PC on which the Equation Group malware source code was spotted in 2014 was running a pirated version of Microsoft Office 2013 for which a working serial number had been generated using "an illegal Microsoft Office activation key generator (aka 'keygen')" that was also installed on the system.
Unfortunately for the user, the keygen appears to have been trojanized with backdoor malware that remained undetected for at least some time.
"To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine," the AV firm says. "Our telemetry does not allow us to say when the anti-virus was disabled. However, the fact that the keygen malware was later detected as running in the system suggests the anti-virus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the anti-virus enabled."
Kaspersky Lab says the keygen malware was running on the user's PC for an unknown period of time. "The malware dropped from the trojanized keygen was a full-blown backdoor which may have allowed third parties access to the user's machine," it says. At some later point, it says the user reactivated the anti-virus software, which detected the backdoor malware.
"After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times, which resulted in detections of new and unknown variants of Equation APT malware," Kaspersky Lab says. "One of the files detected by the product as new variants of Equation APT malware was a 7zip archive. The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware."
Business Response: Transparency
The results of Kaspersky Lab's probe continue to complicate an already complicated narrative, which so far has been largely built on unsourced allegations. Indeed, no evidence of any wrongdoing on the part of the security firm has been presented by U.S. authorities.
To combat the allegations being lobbed against it by unnamed U.S. government officials speaking to U.S. media outlets, Kaspersky Lab this week announced a Global Transparency Initiative. Starting early next year, the company promises that its software will undergo a full review, "undertaken with an internationally recognized authority," and that by 2020 it will have opened three "transparency centers" in Asia, Europe and the United States where "clients, government bodies and concerned organizations [can] review source code, update code and threat detection rules" (see Kaspersky Opens Up Code to Refute Spying Allegations).
Kaspersky Lab says its internal investigation is ongoing, and it has promised to share the full results of its probe, including technical details, "with a trusted third party as part of our Global Transparency Initiative for cross-verification."
Transparency Efforts Lauded
Security experts have lauded these moves, especially in the face of very serious allegations. "The trouble with all of these 'revelations' is that you have to be very careful to calibrate the source," Alan Woodward, a computer science professor at the University of Surrey, tells Information Security Media Group. "I think Kaspersky's approach with transparency is the best way to rebuild trust, along with independent audit. ... Even if Kaspersky is lying, they have shone a light on the rather cloak-and-dagger way that some of the stories are being released to the media. The only way that anyone can help such tittle-tattle is to present corroborated facts and ask the public to judge for themselves. And that's what Kaspersky is doing."
Kaspersky Lab's move echoes a similar effort undertaken by Chinese networking vendor Huawei after Australia and the United States accused it of having been co-opted by Chinese intelligence agencies.
The moves by the Russian and Chinese firms, however, reveal transparency efforts that surpass anything being offered by U.S. vendors, especially following former NSA contractor Edward Snowden's revelations. As one unnamed security researcher tells Britain's Sky News, unanswered questions remain about how a sophisticated backdoor was added to software used by California-based networking vendor Juniper Networks (see Juniper Backdoor: How Are Vendors Responding?).
Will security vendors in the United States and other countries pursue a similar course of transparency? "I'm just fascinated to see how others now respond, and if they do likewise," Woodward says. "Kaspersky is setting a new standard for transparency which I suspect others will have to follow suit if they are to maintain trust."
'PR Nightmare' for NSA
Some security experts have responded to Kaspersky's denials and recent report by arguing that if it was working with Russian intelligence, of course it would be saying these things.
Many security experts, however, have slammed such insinuations. "Adding xenophobia to the pot is aggravating an already difficult problem," says cybersecurity expert William Hugh Murray.
Some note that while unanswered questions remain, Kaspersky Lab's version of events sounds plausible, including the firm wanting to avoid being in possession of any potentially classified documents, especially as it was trying to make business inroads in the United States. "It makes sense that they pulled those up and looked at the classification marking and then deleted them," Jake Williams, a former NSA analyst and the founder of Augusta, Georgia-based Rendition InfoSec, tells the Associated Press. "I can see where it's so toxic you may not want it on your systems."
Williams also characterized the tale of an NSA analyst not only installing advanced attack code on his home PC but also using a pirated version of Office as being "absolutely wild," noting to AP that "it's hard to imagine a worse PR nightmare for the NSA."
"The only way this gets any more surreal is if we find out he was using pirated Visual Studio to build the NSA malware" https://t.co/4zvH2z4D8m
— Jake Williams (@MalwareJake), October 25, 2017