Channel: iTWire - Entertainment

Kaspersky affair: NSA secrets may have leaked via backdoor


Russian hackers who are alleged to have gained access to NSA secrets on the home computer of one of the agency's staff may have done so after the man's computer was infected by malware via a key generator used to produce pirated licence keys for Microsoft Office.

The malware in question was a backdoor that allowed third parties access to the user’s machine, according to an internal investigation by Kaspersky Lab published this evening.

Kaspersky undertook a review of a 2014 incident in which the company had detected advanced persistent threat malware that it traced to a group it calls the Equation Group, which is suspected to be an NSA front.

The review was undertaken following claims in mainstream US media earlier this month that Russian Government employees had used Kaspersky's anti-virus software to search for the code names of NSA exploits, while Israeli intelligence officials looked on.

Other reports had hinted that Kaspersky had made available the source code for its software to the Russian Government, and that Israeli Government security professionals had found NSA hacking tools in Kaspersky Lab's systems when they broke into the company's servers in 2014.

Today's Kaspersky Lab report said the NSA employee in question had Kaspersky anti-virus running on his PC but appeared to have turned it off in order to run the key generator, which otherwise would have been detected and stopped by the anti-virus software.

Later, when he turned the anti-virus back on, it ran a scan of his computer, and because Kaspersky Security Network (KSN), the product's cloud-based sample submission feature, was enabled, it submitted samples of suspected Equation Group malware found on the NSA employee's machine to the company's servers for analysis.

The submission took the form of a 7-Zip archive, which was later analysed by a Kaspersky analyst who found that it contained multiple samples and source code for what appeared to be Equation Group malware.

"After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties," the Kaspersky report said.

It added that apart from the intrusion into its systems by Israeli hackers — which the company detailed in 2015 — no other intrusion had taken place.

In 2014 and 2015, Kaspersky published two major reports on alleged GCHQ and NSA hacking operations which bore the code names Regin and the Equation Group. Regin was used to hack a Belgian telecommunications provider.

After the detailed report about several types of malware attributed to the Equation Group was published, several other users whose IP addresses fell in the same range as the NSA employee's appeared with KSN enabled, Wednesday's report said.

"The investigation has not revealed any other related incidents in 2015, 2016 or 2017. No other third party intrusion, besides Duqu 2.0 (the Israeli intrusion), were detected in Kaspersky Lab’s networks."

Contradicting claims by The Wall Street Journal, the Kaspersky report said it had "confirmed that Kaspersky Lab has never created any detection of non-weaponised (non-malicious) documents in its products based on keywords like 'top secret' and 'classified'."

At the time the WSJ made this claim, well-known British security researcher Kevin Beaumont expressed scepticism, saying, "There's so much b***shit in the briefings being given to press. AV uploading every document with term 'top secret' would fry networks."
