He said, she said —

Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them

Moscow-based AV provider challenges claims it helped Russian spies.

For almost two months in 2014, servers belonging to Moscow-based Kaspersky Lab received confidential National Security Agency materials from a poorly secured computer located in the United States that stored the files, most likely in violation of US laws, company officials said.

The classified source code, documents, and executable binaries were stored on a computer that used an IP address reserved for Verizon FIOS customers in Baltimore, about 20 miles from the NSA's Fort Meade, Maryland, headquarters, Kaspersky Lab said in an investigation report it published early Thursday morning. Starting on September 11, 2014 and running until November 9 of that year, Kaspersky Lab servers downloaded the confidential files multiple times after the company's antivirus software, which was installed on the machine, found they contained malicious code from Equation Group, an NSA-linked hacking group that operated for at least 14 years before Kaspersky exposed it in 2015.

The downloads—which, like other AV software, the Kaspersky program automatically initiated when it encountered suspicious software that warranted further inspection—included a 45MB 7-Zip archive that contained source code, malicious executables, and four documents bearing US government classification markings. A company analyst who manually reviewed the archive quickly determined it contained confidential material. Within a few days and at the direction of CEO and founder Eugene Kaspersky, the company deleted all materials except for the malicious binaries. The company then created a special software tweak to prevent the 7-Zip file from being downloaded again.

"The reason we deleted those files and will delete similar ones in the future is two-fold," Kaspersky Lab officials wrote in Thursday's report. "We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions."

Kaspersky Lab said it never provided the documents to anyone outside the company. A thorough investigation has also uncovered no indication any of the material was accessed by hackers during the brief time it was stored on the company's network. Kaspersky Lab employees, the report said, rely on robust encryption—specifically, "RSA+AES with an acceptable key length"—when transferring malware samples, a practice that makes it unlikely anyone who intercepted the traffic could read it.

Pushing back

The report is Kaspersky's latest attempt to refute anonymous allegations, reported last month by The Wall Street Journal, The New York Times, and The Washington Post, that hackers working for the Russian government used Kaspersky AV to locate or steal confidential NSA material stored on a worker's home computer. The initial WSJ report said the AV program somehow alerted the hackers to the presence of the improperly stored files, but the paper said it wasn't clear how the program detected the material or whether company employees alerted the Russian government of those files.

Five days later, the NYT and WaPo said the Russian hackers were caught in the act of abusing the Kaspersky AV by Israeli spies, who happened to be burrowed deep inside Kaspersky's network at the time the confidential NSA files were stolen (Kaspersky Lab disclosed the breach in 2015). A day later, the WSJ went on to report that the role AV played in the hack required changes to the way the program worked and that those modifications likely came with the knowledge of Kaspersky officials.

The allegations, all attributed to unnamed officials with no supporting documentation, helped explain why the US Department of Homeland Security in September took the unprecedented step of directing all US agencies to stop using Kaspersky products and services. A month earlier, according to Cyber Scoop, members of the FBI quietly briefed US companies in the private sector on the threat US officials believed Kaspersky posed to national security. Within weeks of the briefings, retailer Best Buy stopped selling Kaspersky software and offered free removals and credits toward competing packages.

Thursday's report is Kaspersky Lab's attempt to fight accusations that could significantly reduce the revenue it generates in the US and potentially US allies. The report expands on preliminary findings it published three weeks ago that challenge the NSA narrative that its highly privileged access to millions of PCs throughout the world helps the Russian government obtain confidential materials from its adversaries.

Smoke Loader backdoor

Thursday's 13-page report provided more details about a malicious backdoor that infected the Kaspersky customer's computer when it installed a pirated version of Microsoft Office. The report said that Kaspersky AV first detected the Trojan, known as Smoke Loader and Smoke Bot, on October 4 at 11:38pm EDT. That was 22 days after the AV program first detected the Equation Group files and 15 days after Kaspersky had downloaded the 7-Zip file. For the Trojan to have been installed, the user would have had to temporarily disable the AV program. Kaspersky Lab officials suspect the user turned off protection when it blocked attempts to install the pirated version of Office, then turned the AV back on once the installation was complete.

Smoke Loader came to the attention of security researchers in 2011, when a Russian hacker advertised the Trojan for sale in an underground forum. During the time it infected the computer storing the NSA material, it relied on a command and control domain that was registered to someone using the name Zhou Lou, an address in Hunan, China, and the e-mail address zhoulu823@gmail.com. This analysis, which was published three months before Kaspersky Lab says the Baltimore PC was infected, reports Smoke Loader contained a range of malicious capabilities, including the ability for attackers to remotely control it. There may have been more malware besides Smoke Loader installed on the computer. During the same two-month span, Kaspersky AV provided 121 alerts for non-NSA software.

"The hygiene of this user on the Internet was not very good," Brian Bartholomew, a US-based principal security researcher at Kaspersky Lab, told Ars. "All that leads to the possibility that there was potentially someone else on that system at the time" the NSA materials were reported stolen. "We see no indications of that, but there is that possibility."

Kaspersky Lab has additional information about the backdoor here.

One of the few new pieces of information in the report is the revelation of a detection rule Kaspersky Lab added to its AV in 2015. To better detect a surveillance operation known as TeamSpy, the AV program started scanning files that embedded the word "secret" inside their code. A malware analyst, the report said, added the rule because TeamSpy malware was designed to automatically collect certain files of interest to the attackers. Specifically, files of interest had both extensions such as .doc, .rtf, .xls, .mdb, and .pdf and names containing words including "pass," "secret," and "saidumlo" (the Georgian translation of secret). The 2015 detection rule searched files for strings including:

  • *saidumlo*
  • *secret*
  • *.xls
  • *.pdf
  • *.pgp
  • *pass*
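
The rule above is a string signature: it fires on any file whose contents contain one of the listed search masks. The following toy scanner, added here as an illustration and not Kaspersky's code or the actual rule logic, shows why such a signature is broad and how a detection engineer narrows it. It extracts printable strings from a file the way the `strings` utility does, matches them against the quoted masks, and then compares a "fire on any hit" verdict with one that requires several distinct masks plus an executable header, reflecting the report's description of TeamSpy collecting files matching both extensions and keywords. The four sample files are constructed for the example; none is real malware or a real document.

```python
"""Toy string-signature scanner built around the masks quoted in the report.

Added example, not Kaspersky Lab code. Sample file contents are constructed.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Masks listed in the 2015 detection rule as quoted in the report.
RULE_STRINGS: List[str] = ["*saidumlo*", "*secret*", "*.xls", "*.pdf", "*.pgp", "*pass*"]

# Constructed samples (hypothetical names and contents, for illustration only).
SAMPLES: Dict[str, bytes] = {
    # A collector-style program that embeds several search masks in its data section.
    "collector.exe": (
        b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
        b"search_mask=*secret*\x00*saidumlo*\x00*.pdf\x00*pass*\x00"
    ),
    # A benign program whose UI text merely contains the substring "pass".
    "pwmanager.exe": b"MZ\x90\x00\x03\x00\x00\x00Enter master pass to unlock\x00",
    # A plain-text note that happens to use the word "secret".
    "memo.txt": b"Project kickoff is a secret until Monday.",
    # A file containing none of the strings.
    "readme.txt": b"Nothing to see here.",
}

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return runs of at least four printable ASCII bytes, like `strings -n 4`."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(data)]


def match_rule(data: bytes, patterns: List[str] = RULE_STRINGS) -> Set[str]:
    """Return the masks that match at least one extracted string (case-insensitive)."""
    found = extract_strings(data)
    return {
        pat
        for pat in patterns
        if any(fnmatchcase(s.lower(), pat.lower()) for s in found)
    }


def broad_verdict(data: bytes) -> bool:
    """Fire on any single mask hit: the behaviour a bare string list produces."""
    return bool(match_rule(data))


def narrow_verdict(data: bytes, min_hits: int = 3) -> bool:
    """Fire only when several distinct masks co-occur in an executable image.

    Requiring multiple masks plus the PE/MZ header ties the signature to the
    collector behaviour described in the report rather than to one common word.
    """
    is_executable = data.startswith(b"MZ")
    return is_executable and len(match_rule(data)) >= min_hits


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (broad_verdict, narrow_verdict)."""
    return {name: (broad_verdict(d), narrow_verdict(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (broad, narrow) in scan().items():
        print(f"{name:15} any-hit={broad!s:5} combined={narrow!s:5} "
              f"masks={sorted(match_rule(SAMPLES[name]))}")
```

Run as a script, the output shows the two verdicts diverging on `pwmanager.exe` and `memo.txt`: the any-hit rule flags both because of a single common word, while the combined rule flags only the constructed collector. The same gap is why a detection built on generic strings tends to sweep up documents and benign programs that an analyst never intended to examine.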

The rule might explain reporting in the latter WSJ article that, citing unnamed officials, said Kaspersky AV "searched for terms as broad as 'top secret,' which may be written on classified government documents, as well as the classified code names of US government programs."

Plausible deniability

Like the preliminary findings Kaspersky published three weeks ago, Thursday's report isn't likely to change the minds of critics who say the company's ties to the Kremlin pose an unacceptable risk to US security.

"It's very, very believable," Dave Aitel, a former NSA analyst and long-time Kaspersky critic said of the information Kaspersky Lab has brought to light. "But my personal perspective is that it does not address whatever the [US government] has on Kaspersky."

Still, Kaspersky's version of events raises a variety of inconsistencies and questions in the narrative provided by the unnamed people cited in the October articles. For instance:

  • Is the computer Kaspersky described the same one that stored the NSA secrets that were stolen by Russian hackers? If it is, why did the news accounts say the data theft occurred in 2015?
  • If the PCs are the same, do US government investigators have any evidence it was infected by malware at the time it stored those materials? If yes, have investigators ruled out the possibility the infection played a role in the location or theft of the NSA materials?
  • How can US government investigators be sure Kaspersky AV was modified intentionally to help Russian spies locate the NSA material?

Representatives with the NSA declined to answer the questions and referred Ars to FBI officials. The FBI declined to comment as well.

In fairness to US officials, there are often valid national security reasons for not providing specific pieces of information when disclosing classified information to reporters. What's more, if Russian President Vladimir Putin were to order Kaspersky Lab to help steal NSA secrets, it's not at all clear the Moscow-based company would have a legal mechanism to challenge the demand. Such an order would almost certainly require absolute secrecy and the kinds of vigorous denials Kaspersky Lab is publishing now.

This leaves much of the security world in a geopolitical he-said/she-said duel that makes it hard to know which version of events to believe. This stalemate isn't likely to resolve itself until US officials provide more details.

"I think it's plausible that Kaspersky Lab has been used to obtain confidential material, but so far we've only seen accusations, largely from anonymous sources," Jake Williams, a malware expert at Rendition InfoSec who worked in the NSA's elite Tailored Access Operations hacking group until 2013, told Ars. "Credible evidence and/or on the record statements from the US government are needed before we attack a foreign company."
