Refuting allegations that its anti-virus product helped Russian spies steal classified files from an NSA employee’s laptop, Kaspersky Lab has released more findings that suggest the computer in question may have been infected with malware.
Moscow-based cyber security firm Kaspersky Lab on Thursday published the results of its own internal investigation claiming the NSA worker who took classified documents home had a personal home computer overwhelmed with malware.
According to the latest Kaspersky report, the telemetry data its antivirus collected from the NSA staffer’s home computer contained large amounts of malware files which acted as a backdoor to the PC.
The report also provided more details about the malicious backdoor that infected the NSA worker’s computer when he installed a pirated Microsoft Office 2013 .ISO image that contained the Mokes backdoor, also known as Smoke Loader.
Backdoor On NSA Worker’s PC May Have Helped Other Hackers Steal Classified Documents
This backdoor could have allowed other hackers to steal classified documents and hacking tools belonging to the NSA from the machine of the employee, who worked for the Tailored Access Operations (TAO) group of hackers at the agency.
For those unaware, the United States has banned Kaspersky antivirus software from all of its government computers over suspicion of Kaspersky’s involvement with Russian intelligence agencies and fears of spying.
Though no substantial evidence has yet been made available, an article published last month by the US news outlet WSJ claimed that Kaspersky Antivirus helped Russian government hackers steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer’s home PC.
However, the article, which quoted multiple anonymous sources, failed to provide any solid evidence of whether Kaspersky was intentionally involved with the Russian spies or whether hackers simply exploited a zero-day bug in the antivirus product.
Kaspersky stands by its claim that its antivirus software detected and collected the NSA classified files as part of its normal functionality, and has rigorously denied allegations that it passed those documents on to the Russian government.
The recent report published by the anti-virus firm says that between September 11, 2014, and November 17, 2014, Kaspersky Lab servers received confidential NSA materials multiple times from a poorly secured computer located in the United States.
The company’s antivirus software, which was installed on the employee’s PC, discovered that the files contained malware used by the Equation Group, the NSA’s elite hacking group, active for some 14 years, which Kaspersky exposed in 2015.
Kaspersky Claims it Deleted All NSA Classified Files
Besides confidential material, the software also collected 121 separate malware samples (including a backdoor) which were not related to the Equation Group.
The report also insists that the company deleted all classified documents once one of its analysts realized that the antivirus had collected more than malicious binaries. Also, the company then created a special software tweak, preventing those files from being downloaded again.
“The reason we deleted those files and will delete similar ones in the future is two-fold; we do not need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials,” the Kaspersky Lab report reads.
“Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”
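The "software tweak" the report describes, which stops non-malware files carrying classification markings from being collected again, amounts to a gate in front of the telemetry uploader. The following is an added illustration of such a gate, not Kaspersky's code: it submits only executable binaries and refuses anything bearing a classification banner, even if it is a binary. The magic numbers are real file signatures; the banner list and the sample files are constructed for the example.

```python
"""Sample-submission gate for an antivirus telemetry client (added illustration)."""
import re

# Real executable magic numbers: Windows PE (MZ), ELF, Mach-O (both byte orders).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xcf\xfa\xed\xfe")

# Constructed banner list for the example; a deployment would tune this.
# Case-sensitive on purpose: lower-case "secret" is common in ordinary binaries.
CLASSIFICATION_RE = re.compile(rb"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b")


def is_executable(data: bytes) -> bool:
    """True when the file starts with a known executable magic number."""
    return data.startswith(EXECUTABLE_MAGIC)


def has_classification_marking(data: bytes) -> bool:
    """True when a classification banner appears in the first 64 KiB."""
    return CLASSIFICATION_RE.search(data[:65536]) is not None


def submission_decision(data: bytes) -> str:
    """Decide whether a detection-flagged file may be uploaded for analysis.

    Returns "submit", "skip-marked" or "skip-not-executable". The marking
    check runs first so that a marked binary is never uploaded either.
    """
    if has_classification_marking(data):
        return "skip-marked"
    if not is_executable(data):
        return "skip-not-executable"
    return "submit"


# Constructed sample files, not material from the incident.
SAMPLES = {
    "loader.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    "notes.docx": b"PK\x03\x04" + b"TOP SECRET//NOFORN" + b"\x00" * 16,
    "tool.exe": b"MZ\x90\x00" + b"SECRET//SI" + b"\x00" * 16,
    "readme.txt": b"hello world",
}


def decide_all(samples=SAMPLES) -> dict:
    """Apply the gate to every sample and return name -> decision."""
    return {name: submission_decision(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in decide_all().items():
        print(f"{name}: {verdict}")
```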
Trojan Discovered on NSA Worker’s Computer
The backdoor discovered on the NSA staffer’s PC was actually a Trojan, later identified as “Smoke Bot” or “Smoke Loader,” allegedly created by a Russian criminal hacker in 2011 and advertised on Russian underground forums.
Interestingly, this Trojan communicated with the command and control servers apparently set up by a Chinese individual going by the name “Zhou Lou,” using the e-mail address “firstname.lastname@example.org.”
Since executing the malware would not have been possible with the Kaspersky antivirus enabled, the staffer must have disabled the antivirus software to do so.
“Given that system owner’s potential clearance level, the user could have been a prime target of nation states,” the Kaspersky report reads.
“Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”
More details on the backdoor can be found here.
For now, the Kaspersky anti-virus software has been banned by the U.S. Department of Homeland Security (DHS) from all of its government computers.
In the wake of this incident, Kaspersky Lab has recently launched a new transparency initiative that involves giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.