Kaspersky claims at least one other entity in NSA contractor’s computer

Kaspersky Lab says it has identified an unrelated hacking campaign it says struck the same computer the company is accused of aiding Russians with hacking.

The original allegations came from an Oct. 11 article in The Wall Street Journal that claimed Israeli intelligence caught Russian operatives using Kaspersky Antivirus’s file-scanning system to search for classified files and stealing classified National Security Agency (NSA) hacking tools from a contractor’s home computer in 2015.

The article appeared to provide some context for what had been until that point a largely unexplained Department of Homeland Security (DHS) ban on Kaspersky Lab products for federal systems levied one month earlier. 

{mosads}

“It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt,” Kaspersky Lab wrote in its investigation report, released Thursday.

The new Kaspersky report fills in some gaps from a prior Kaspersky report on the issue and claims to confirm its earlier analysis.

Kaspersky found the classified hacking tools largely because its antivirus software was trained to protect users from some of the malware found on the system. Other suspicious files were uploaded to the company for analysis and ultimately discarded when they were discovered to be classified American intelligence files. 

But the report provides some new details. The earlier Kaspersky report noted the NSA contractor accidentally infected his or her own system with separate malware at the time by trying to install a pirated version of Microsoft Word. The Kaspersky Antivirus would have flagged that other malware, meaning that the contractor would have had to have disabled the antivirus to install the pirated software. 

The new report explains that malware was the Smoke Bot backdoor, believed to have been created by a Russian criminal hacker and sold on online criminal markets since 2011. The infrastructure created to support the version of Smoke Loader in the pirated Microsoft Office files was registered to a “Zhou Lou” of the Hunan providence of China.

The report contains the alleged email address used to set up the internet accounts used in that infrastructure. 

Third party analysis of Smoke Bot claims that the malware would also have given attackers the ability to steal files. 

The report also claims the Kaspersky file scan that netted classified material took place in 2014 — not 2015, as The Wall Street Journal’s sources claimed.

According to the story, the NSA only discovered the alleged breach last year, and presumably, the error could have come from reconstructing events. 

The new Kaspersky report claims that the alleged Israeli report — that Russian operatives were searching for code words from U.S. classified hacking programs to find files to steal — may be incorrect but have some grounding in truth. 

Antivirus software uses a variety of techniques to identify known malware. According to the report, Kaspersky protected systems against certain NSA malware by searching for telltale words used in their files, including “Equestre,” “Equation,” “Grayfish,” “Fanny,” and “DoubleFantasy.”

That could conceivably have been mistaken for Russian spies searching for specific projects. 

However, in Tuesday testimony at a hearing on Capitol Hill, House Science, Space and Technology Committee Chairman Lamar Smith (R-Texas) implied that intelligence against Kaspersky dated back until at least 2012 and had been convincing enough for the Department of Defense to bar use of its software around that time.

While The Wall Street Journal’s story provided one possible instance of Russian intelligence coopting Kaspersky products, it did not claim it was the only intelligence or instance the DHS relied on for its decision.