Kaspersky provided further details on NSA Incident. Other APTs targeted the same PC

Pierluigi Paganini November 17, 2017

Kaspersky Lab publishes a full technical report related to hack of its antivirus software to steal NSA hacking code.

In October, anonymous source claimed that in 2015 the Russian intelligence stole NSA cyber weapons from the PC of one of its employees that was running the Kaspersky antivirus.

Kaspersky denies any direct involvement and provided further details about the hack, but it wasn’t a good period for the firm.

In September, the US Government banned the Russian security firm from all federal government systems.

The PC was hacked after the NSA employee installed a backdoored key generator for a pirated copy of Microsoft Office.

Kaspersky Lab, published in October a detailed report on the case that explains how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.

In October many media accused Kaspersky of helping the Russian intelligence for the detection of the US cyber-weapons on the PC via its security solutions, but according to the security firm the situation is quite different.

According to the telemetry logs collected by the Russian firm, the staffer temporary switched off the antivirus protection on the PC, and infected his personal computer with a spyware from a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC, some time later the employee disabled the Kaspersky software to execute the activation-key generator

Then the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky offered to hand over the source code of its solution to the US experts, to prove it wasn’t up involved in any cyber espionage operation.

Back to the present, Kaspersky published a new report that sheds the light on the investigation conducted by the firm on the NSA-linked Equation Group APT.

Kaspersky began running searches in its databases since June 2014, 6 months prior to the year the alleged hack of its antivirus, for all alerts triggered containing wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a LARGE amount of false positives.

The analysis revealed the presence of a specific signature that fired a large number of times in a short time span on just one system, specifically the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred below as “[undisclosed].7z”). This is the beginning of the analysis on the system that was found containing not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development.

“In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy.” states the new report published by Kaspersky.

“This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.”

kaspersky

The analysis of the computer there the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of the Microsoft Office 2013, but the .ISO was containing the Mokes backdoor.

“What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.” continues Kaspersky.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two month its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “[email protected].”

Kaspersky explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

“Given that system owner’s potential clearance level, the user could have been a prime target of nation states,” Kaspersky said. “Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”

Further details are included in the technical report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – Kaspersky Lab, Cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment