
Kaspersky Blames NSA Analyst For US Intel Leak

Anti-virus Vendor Says It Collected, Then Deleted Four Classified Documents
Kaspersky Lab's Moscow headquarters. (Photo: Mikhail Deynekin via Creative Commons)

Kaspersky Lab says it "inadvertently" scooped up classified U.S. documents and code from a U.S. National Security Agency analyst's home computer, but suggested it wasn't the conduit by which the material ended up in Russian hands.


The anti-virus company has been under intense pressure after reports in early October that its systems may have been co-opted by Russian intelligence agencies and used to hunt for secret U.S. cyber espionage projects (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software).

The controversy centers on the computer of an NSA analyst who violated procedures for handling classified information, taking it home and copying it to his computer, which had Kaspersky's software installed.

In a Thursday blog, the company deflected the blame to the NSA analyst, who also erred by installing a pirated copy of Microsoft Office that contained malware.

"Adding the user's apparent need for cracked versions of Windows and Office, poor security practices and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands," Kaspersky Lab says in a blog post.

Officials in Israel, which had compromised Kaspersky's systems, allegedly told the U.S. that Russia had also compromised the anti-virus vendor. While the software could have been tweaked to sniff out files using keywords, co-founder and CEO Eugene Kaspersky has steadfastly denied working with the Russian government for such purposes.

Nonetheless, the allegations have been damaging. In September, the U.S. banned Kaspersky's software from being used on government systems (see Kaspersky Software Ordered Removed From US Gov't Computers). But this week, a Department of Homeland Security official testified at a Congressional hearing that she has seen no decisive proof that Kaspersky Lab's security software had been exploited to breach federal government information systems.

Arm of Russia?

The U.S. believes Russian intelligence agencies found out about the classified material via Kaspersky and targeted the analyst's computer for further exfiltration. Officials maintain that tests of the anti-virus software showed it searched not just for malware, but also for sensitive keywords in documents.

Kaspersky again called the allegations "appalling" and said they "appear without any proof or factual information."

In its blog, the company strove to clarify how it came in possession of classified material. Kaspersky says it was in the midst of an investigation into the Equation Group when the analyst's computer started triggering alerts. The Equation Group is suspected to be the NSA.

Kaspersky looked back through its logs to see what it recorded between September and November 2014. Its anti-virus software collected a compressed 7zip archive file that contained four classified Microsoft Word documents and exploit code that matched the profile of the Equation Group.

The archive was collected as part of a routine process that Kaspersky describes as a "security software industry standard," one that other companies also use to investigate possible malware. When an analyst realized what the software had collected, CEO Eugene Kaspersky was notified.

"Following a request from the CEO, the archive was deleted from all of our systems," according to the company's blog post.

Equation Group Heat

Kaspersky Lab was the first company to publish a report on the Equation Group in February 2015. It was a bold report to come from a Russian company because many experts say the group's sophisticated capabilities could have only come from a handful of nation-states.

In the second half of 2014, Kaspersky had been hunting Equation Group malware and tweaking "silent" signatures to try to find samples. Silent signatures are descriptions of suspicious files that an anti-virus company would like to look at further, but don't trigger an immediate quarantine or a user alert.

In September 2014, one system "fired a large number of times in a short time span" on an Equation Group signature, including a compressed archive file.

"After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development," Kaspersky says.

Other technical information, the company says, suggests that the NSA analyst copied the code to his home computer from a thumb drive, because Kaspersky's software then began sending alerts back to the company. The classified documents in the archive were "inadvertently" sent back to Kaspersky along with suspected malware for analysis, according to the blog.

Malware Infections

The NSA analyst's computer, which had an IP address that traces to the Baltimore area, was also riddled with malware, Kaspersky claims.

Kaspersky says it detected a backdoor, known as Smoke Bot or Smoke Loader, on the computer. A Russian hacker is believed to have created the backdoor around 2011.

The malware appears to have been installed on the computer when the analyst installed a pirated copy of Microsoft Office 2013. Kaspersky's anti-virus would have detected the backdoor, but it appears the analyst had temporarily turned it off.

The company also took a close look at 121 other alerts that came from the analyst's computer but were unrelated to Equation Group malware, Kaspersky says. It published a list of the suspicious files detected, which are variously flagged as backdoors, exploits, adware and exfiltration tools.

"Of course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research," Kaspersky writes. "Given that system owner's potential clearance level, the user could have been a prime target of nation-states."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
