Russian cybersecurity firm Kaspersky Lab pointed to new analysis this week regarding recent news reports suggesting its collusion with the Russian government. Allegations in The Wall Street Journal and The Washington Post pointed to the Russian government stealing classified files from the home computer of an NSA employee in 2015 via Kaspersky’s antivirus software, which was installed on the NSA employee’s home system. The case is not yet public and is under investigation by federal prosecutors.
Kaspersky Lab released a statement this week in which it fought back to win trust in its cybersecurity products, including detailing an internal investigation it is running into the computer in question. Its internal logs show that in September 2014 that computer had 121 pieces of malware on it, including exploits, backdoors and Trojans.
In doing so, it found multiple security alerts for malicious files on the NSA employee’s computer, which may have emanated from pirated software, including the file Backdoor.Win32.Mokes.hvl. “Mokes” is a Trojan which was allegedly created by a Russian hacker in 2011 and sold on underground forums in Russia. On October 4, 2014, “Mokes” infected the NSA employee’s computer. According to Kaspersky Lab, at the time of infection the Mokes malware was communicating with a command-and-control server from a “Chinese entity” going by Zhou Lou, using the email address [email protected]
The security firm claims that the computer became infected as a result of the NSA employee disabling antivirus software to install a pirated version of Microsoft Office, in which a piece of malware was hidden. Kaspersky Lab said “executing the malware would not have been possible with the antivirus enabled”. Kaspersky added, “The malware consisted of a full-blown backdoor which could have allowed other third parties to access the user’s machine… Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”
However, Kaspersky Lab admitted last month that it had inadvertently downloaded classified files from the NSA employee’s computer. The company’s antivirus tools discovered hacking tools on the contractor’s machine and identified them as malware (as the software should). In doing so, according to The Wall Street Journal, this “alerted Russian hackers to the presence” of the NSA tools. Kaspersky Lab said that it had not done so deliberately, and that as soon as it realized the error it deleted the files from its own database.
The cybersecurity firm said its software was no different to rival antivirus products that also scan system files for possible malware and therefore need access to everything stored on a computer in order to scour it for viruses and other cyber threats. Trust is therefore imperative for the company.
The damaging allegations against Kaspersky Lab have led to various US retailers, including Best Buy, removing its antivirus software from shelves, and the US Department of Homeland Security ordering federal agencies to remove Kaspersky Lab software from their systems over fears of collusion with Russian spy agencies. Kaspersky has been adamant throughout that the company does not cooperate with Russian security services.
In the statement on their website, the company says, “To further support the objectivity of the internal investigation we ran our investigation using multiple analysts of non-Russian origin and working outside of Russia to avoid even potential accusations of influence.” They have also launched “a global transparency initiative” which includes the creation of new data protection controls for its handling of secure data, which will be independently overseen along with an independent overview of its security practices and source code.
In a further ironic twist, as reported recently by The New York Times, it was Israeli intelligence officers who discovered that Russian hackers were breaking into NSA intelligence programs via the Kaspersky software. The Russian hackers turned the Kaspersky software into a kind of Google search for sensitive information.
In the words of New York Times reporters, Nicole Perlroth and Scott Shane, “it was a case of spies watching spies watching spies”.
According to The New York Times, there has been speculation for years that Kaspersky’s antivirus program might provide back door access for Russian intelligence. Over 60% of its sales come from the US and Western Europe, and until recently nearly two dozen US government agencies had Kaspersky’s antivirus software running on their systems. It is unclear how complicit Kaspersky Lab and its employees have been in the hacking using their products. Technical experts say that Russian intelligence could have hacked into Kaspersky’s global software deployment without the company’s knowledge or cooperation.
“Antivirus is the ultimate back door,” Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security told The Times. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”