Kaspersky and the Third Major Breach of NSA’s Hacking Tools

The WSJ has a huge scoop that many are taking to explain why the US has banned Kaspersky software.

Some NSA contractor took some files home in (the story says) 2015 and put them on his home computer, where he was running Kaspersky AV. That led Kaspersky to discover the files. That somehow (the story doesn’t say) led hackers working for the Russian state to identify and steal the documents.

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.

Way down in the story, however, is this disclosure: US investigators believe Kaspersky’s AV identified the files, but isn’t sure whether Kaspersky told the Russian government.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programmed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Given the timing, it’s worth considering several other details about the dispute between the US and Kaspersky. (This was all written for another post that I’ll return to.)

The roots of Kaspersky’s troubles in 2015

Amid the reporting on Eugene Kaspersky’s potential visit to testify to Congress, Reuters reported the visit would be Kaspersky’s first visit to the US since spring 2015.

Kaspersky told NBC News in July that he was not currently traveling to the United States because he was “worried about some unexpected problems” if he did, citing the “ruined relationship” between Moscow and Washington.

Kaspersky Lab did not immediately respond when asked when its chief executive was last in the United States. A source familiar with U.S. inquiries into the company said he had not been to the United States since spring of 2015.

A link in that Reuters piece suggests Kaspersky’s concern dates back to August 2015 Reuters reporting, based off leaked emails and interviews with former Kaspersky employees, that suggests the anti-virus firm used fake files to trick its competitors into blocking legitimate files, all in an effort to expose their theft of Kaspersky’s work. A more recent reporting strand, again based on leaked emails, dates to the same 2009 time period and accuses Kaspersky of working with FSB (which in Russia handles both spying and cybersecurity — though, ostensibly, that is also how the FBI works here).

But two events precede that reporting. In June 2015, Kaspersky revealed that it (and a bunch of locales where negotiations over the Iran deal took place) had been infected by Duqu 2.0, a threat related to StuxNet.

Kaspersky says the attackers became entrenched in its networks some time last year. For what purpose? To siphon intelligence about nation-state attacks the company is investigating—a case of the watchers watching the watchers who are watching them. They also wanted to learn how Kaspersky’s detection software works so they could devise ways to avoid getting caught. Too late, however: Kaspersky found them recently while testing a new product designed to uncover exactly the kind of attack the intruders had launched.


Kaspersky is still trying to determine how much data the attackers stole. The thieves, as with the previous Duqu 2011 attack, embedded the purloined data inside blank image files to slip it out, which Raiu says “makes it difficult to estimate the volume of information that was actually transferred.” But at least, he says, it doesn’t appear that the attackers were out to infect Kaspersky customers through its networks or products. Kaspersky claims to have more than 400 million users worldwide.

Which brings us to what the presumed NSA hackers were looking for:

The attackers were primarily interested in Kaspersky’s work on APT nation-state attacks–especially with the Equation Group and Regin campaigns. Regin was a sophisticated spy tool Kaspersky found in the wild last year that was used to hack the Belgian telecom Belgacom and the European Commission. It’s believed to have been developed by the UK’s intelligence agency GCHQ.

The Equation Group is the name Kaspersky gave an attack team behind a suite of different surveillance tools it exposed earlier this year. These tools are believed to be the same ones disclosed in the so-called NSA ANT catalogue published in 2013 by journalists in Germany. The interest in attacks attributed to the NSA and GCHQ is not surprising if indeed the nation behind Duqu 2.0 is Israel.

Kaspersky released its Equation Group whitepaper in February 2015. It released its Regin whitepaper in November 2014.

One thing that I found particularly interesting in the Equation Group whitepaper — in re-reading it after ShadowBrokers released a bunch of Equation Group tools — is that the report offers very little explanation of how Kaspersky was able to find so many samples of the NSA malware that the report makes clear is almost impossible to find. The only explanation is this CD attack.

One such incident involved targeting participants at a scientific conference in Houston. Upon returning home, some of the participants received by mail a copy of the conference proceedings, together with a slideshow including various conference materials. The compromised CD-ROM used “autorun.inf” to execute an installer that began by attempting to escalate privileges using two known EQUATION group exploits. Next, it attempted to run the group’s DOUBLEFANTASY implant and install it onto the victim’s machine. The exact method by which these CDs were interdicted is unknown. We do not believe the conference organizers did this on purpose. At the same time, the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, don’t end up on a CD by accident.

But none of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.

We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.

It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.

So to sum up, Eugene Kaspersky’s reluctance to visit the US dates back to a period when 1) Kaspersky’s researchers released detailed analysis of some of NSA and GCHQ’s key tools, which seems to have led to 2) an NSA hack of Kaspersky, which in turn shortly preceded 3) some reporting based off unexplained emails floating accusations of unfair competition dating back to 2009 and earlier.

We now know all that came after Kaspersky found at least some of these tools sitting on some NSA contractor’s home laptop.

This still doesn’t explain how Russian hackers figured out precisely where Kaspersky was getting this information from — which is a real question, but not one the WSJ piece answers.

But reading those reports again, especially the Equation Group one, should make it clear how the Russian government could have discovered that Kaspersky had discovered these tools.

19 replies
  1. bloopie2 says:

    Yikes. A contractor took files home for use on his home computer, more than a year after Snowden? And we’re supposed to trust these folks to look out for us?
    Although the US has now banned Kaspersky AV from US govt. computers, how do we know that no government machine was compromised? And how do we know that the next AV vendor (to be selected), isn’t just as leaky as Kaspersky?

    • SpaceLifeForm says:

      Point I missed while finding the link.

      “is that the report offers very little explanation of how Kaspersky was able to find so many samples of the NSA malware that the report makes clear is almost impossible to find. The only explanation is this CD attack.”

      No, that is not the only explanation. Tor honeypot makes more sense. Putting strong malware on CD makes no sense. It will be discovered and the attack will be reverse engineered from the CD itself.

      • JGarbo says:

        How does a CD self-install anything? Surely the user must give permission on a govt protected system. Or any system.

  2. SpaceLifeForm says:

    Timing dots: Harold Martin III.

    But that assumes facts not in evidence.

    And again, dealing with leaks.
    “multiple people familiar with the matter”

    Why WSJ? Why not NYT or WAPO?

  3. SpaceLifeForm says:


    Re: CCleaner supply chain attack

    Hope it is not Crowdstrike

    “Avast not able to determine how the attackers got into the build server to begin with. Working with 3rd party forensics firm.”

  4. orionATL says:

    damn! and i got kaspersky parked on my desktop as one of 4 av products and the only one that could take out a nasty trojan i got from a software vendor’s download file. i wonder now if the ruskys got my nsa zdexs too?

    maybe this explains why there has been no serious inconvenience (we know of) caused the russians by their 2016 election tricks.

    the image that comes to mind is of warring gangs killing each other off in one revenge shooting after another – the americans, the russians, the brits, the chinese, the n. koreans, who else.

    • SpaceLifeForm says:

      Don’t use AV on Windows. Use common sense. Do not open attachments like docs,
      spreadsheets, PDFs, Powerpoint, etc. Do not click on links in an email.

      Especially do not use multiple AV. You are just increasing the attack surface.

      Just do not use Windows. Period.
      Windows *IS* the attack surface on this planet.

      And if you think the original BG is still around…

      • Charles says:

        This is very, very difficult for the average user to do.

        * Something like 90% of users have Windows. So, sure, get a Mac or, if you have mad skilz, run Linux. But many people just can’t do that.

        * It’s not just attachments or links in e-mail that are potentially dangerous. Any link can be dangerous. Common sense helps, but all of us have, through inadvertence or brainsmog or crazy deadlines, clicked a dangerous link.

        * Direct malware infection is less important if one doesn’t do downloads. But indirect attacks, as through PUPs/adware, are ubiquitous. And those can result in accidentally downloading malware. At which point, having AV is actually a good thing.

        * A major problem is that no OS makes it easy to understand what is going on. If every user could easily determine what that sudden slowness is due to, or what is getting called when an unexpected popup appears, there would be a lot less hassle.

        * Microsoft should long ago have built in utilities like CCleaner to make it easy for users to maintain their computers without going to third parties. But this assumes they are minimally competent, which is clearly not so.

        I am not happy with AV either. But if one doesn’t have mad skilz, it seems to be required. Along with anti-PUP software.

        Which is the greater threat to the typical user? Russian government hacking, Chinese government hacking, American government hacking, or criminal hacking? My vote is with the latter. Though of course knowing the line between certain governments and organized crime is sometimes difficult.

  5. greengiant says:

    Seems like a lot of anti virus and software firms including Microsoft and google have the “phone home” default when something is detected.  Once there is a detection it should have been standard practice to hoover the “customers” computer to find known and unknown malware.  So once again bad malware can trigger an investigation that finds the better quality malware.

    • SpaceLifeForm says:

      The ‘phone home’ problem. This is likely, almost certain, why US gov does not want KAV to be used. MITM. Over Tor has to be suspect.

      Depending on the Spy vs Spy angle, of course.
      Who would you pick as the main MITM agent?
      Would that explain to you the bitching about KAV lately?


      In order to inspect encrypted data streams using SSL/TLS, Kaspersky installs a WFP driver to intercept all outgoing HTTPS connections. They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on-the-fly. This is why if you examine a certificate when using Kaspersky Antivirus, the issuer appears to be “Kaspersky Anti-Virus Personal Root”.

      Kaspersky’s certificate interception has previously resulted in serious vulnerabilities, but quick review finds many simple problems still exist. For example, the way leaf certificates are cached uses an extremely naive fingerprinting technique.

      Kaspersky caches recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection.

      The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent.

      You don’t have to be a cryptographer to understand a 32bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial.
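The 32-bit cache key described in the quoted bug report is easy to see failing in practice. The following is an added example, not Kaspersky’s code and not the quoted researcher’s: it models the described cache (first 32 bits of MD5(serialNumber||issuer) as the lookup key) next to a hardened cache keyed on the full (serial, issuer) identity, then uses a birthday search over constructed sequential serial numbers to show two different certificates landing on one cached entry. The issuer string, the serial numbers and the `make_leaf_entry` stand-in for a minted leaf certificate and private key are all constructed for the example.

```python
import hashlib

# Constructed sample issuer name; any fixed byte string works for the demonstration.
ISSUER = b"CN=Example Intermediate CA,O=Constructed Sample"


def truncated_key(serial: bytes, issuer: bytes) -> int:
    """The weak lookup key the comment describes: first 32 bits of MD5(serial || issuer)."""
    return int.from_bytes(hashlib.md5(serial + issuer).digest()[:4], "big")


def make_leaf_entry(serial: bytes, issuer: bytes) -> str:
    """Stand-in for the generated leaf certificate plus private key a TLS-inspecting
    proxy would store. A real proxy would mint a key pair here; a labelled string is
    enough to show which entry the cache hands back (constructed for the example)."""
    return f"leaf-cert-for-serial-{serial.hex()}"


class TruncatedKeyCache:
    """Cache keyed on the 32-bit truncated hash: two different certificates whose
    (serial, issuer) pairs hash to the same 32 bits share a single entry."""

    def __init__(self):
        self._entries = {}

    def lookup_or_create(self, serial: bytes, issuer: bytes) -> str:
        k = truncated_key(serial, issuer)
        if k not in self._entries:
            self._entries[k] = make_leaf_entry(serial, issuer)
        return self._entries[k]


class FullIdentityCache:
    """Hardened variant: the key is the complete (serial, issuer) identity, so a lookup
    can only return an entry generated for exactly that certificate."""

    def __init__(self):
        self._entries = {}

    def lookup_or_create(self, serial: bytes, issuer: bytes) -> str:
        k = (serial, issuer)
        if k not in self._entries:
            self._entries[k] = make_leaf_entry(serial, issuer)
        return self._entries[k]


def find_colliding_serials(issuer: bytes, limit: int = 1_000_000):
    """Birthday search: walk sequential 8-byte serial numbers until two map to the
    same 32-bit key. With a 32-bit key roughly 2**16 trials are expected, so this
    finishes in well under a second. Returns the colliding pair, or None if the
    limit is exhausted (astronomically unlikely at 1,000,000 trials)."""
    seen = {}
    for n in range(limit):
        serial = n.to_bytes(8, "big")
        k = truncated_key(serial, issuer)
        if k in seen:
            return seen[k], serial
        seen[k] = serial
    return None


def demonstrate() -> dict:
    """Run both caches on a colliding pair of serials and report what each returns."""
    pair = find_colliding_serials(ISSUER)
    assert pair is not None, "no collision within the search limit"
    serial_a, serial_b = pair

    weak = TruncatedKeyCache()
    strong = FullIdentityCache()
    weak_a = weak.lookup_or_create(serial_a, ISSUER)
    weak_b = weak.lookup_or_create(serial_b, ISSUER)    # hands back serial_a's entry
    strong_a = strong.lookup_or_create(serial_a, ISSUER)
    strong_b = strong.lookup_or_create(serial_b, ISSUER)  # a fresh entry of its own

    return {
        "serial_a": serial_a,
        "serial_b": serial_b,
        "same_truncated_key": truncated_key(serial_a, ISSUER) == truncated_key(serial_b, ISSUER),
        "weak_cache_confuses_certs": weak_a == weak_b,
        "hardened_cache_confuses_certs": strong_a == strong_b,
    }


if __name__ == "__main__":
    result = demonstrate()
    print(f"colliding serials: {result['serial_a'].hex()} and {result['serial_b'].hex()}")
    print(f"weak cache returns one entry for both:     {result['weak_cache_confuses_certs']}")
    print(f"hardened cache returns one entry for both: {result['hardened_cache_confuses_certs']}")
```

The point for a defender is the consequence of a shared entry: a proxy that looks up by a 32-bit fingerprint can present the leaf certificate and key it minted for one server to a client connecting to a different one, which is exactly the wrong-certificate behaviour a TLS-inspecting product must never exhibit. The hardened cache is keyed on the full identity, so the birthday bound (about 2**16 trials for a 32-bit key) stops mattering; a still stronger version would key on the entire certificate chain rather than any derived fingerprint.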

      • greengiant says:

        Hmm that’s why I never used Kaspersky?  So maybe all those voting machines pcm1A cards ( read old style USB stuxnet vectors ) with possible extra I/O capabilities that are sourced out of Eastern Europe had absolutely nothing to do with 2016 election results.

  6. SpaceLifeForm says:

    Older DOTs. May be worth another peek.


    Multiple specific targets were highlighted by the DOJ, including Russian journalists, Russian and U.S. government officials, employees of a major Russian cybersecurity company, a French transportation company, U.S. financial services and private equity firms, and an American airline.

    [one can figure out at least two]

    • orionATL says:

      if the russian gov was behind the yahoo personal data theft, could it have been behind other large-scale u. s. data thefts like equifax (twice) with the thought of building its own person-by-person u. s. adult population data base?

      normally one might guess criminals were behind personal data thefts like equifax, target, and home depot. but maybe not.

      there was also, apparently, one or more very large u. s. voter data bases sitting unsecured on the internet within the last year or so.

      wouldn’t it be something, assuming the computer power was available, to gain access (maybe by theft, maybe thru a broker) to several of these data bases and work to merge them. but to what purpose?

  7. Rufus says:

    It’s really not clear that Kaspersky software actually uploads what it finds and quarantines.  Review of their help files shows that users have to take action to upload the files.

    It is one thing for them to flag files based on signatures or other parameters, quite another to get the actual code off a specific machine sent back to them.

    As such, this story might as well say “NSA contractor sent files to Russians”.  Unless there is some trojaned version of the AV software in play, which is possible, but seems unlikely given that we have to assume some tech savvy of the contractor with access to these tools

  8. SunBadger says:

    I called and emailed the FBI 3 or 5 years ago that the Kasp software was problematic and that I had found it corrupting my system. Must be that I am too insignificant a computer geek. No response, rude. Now going to have to call back now and ask “How do you like them apples now?” LoL

  9. Richard Steven Hack says:

    I totally doubt most of this story. Simply because of the “Russia, Russia, Russia” hysteria – most of it based on zero evidence – which led the US government to start messing with Kaspersky.

    Now we have this “convenient” story – backdated two years for credibility apparently – that suggests – again without ANY evidence or even a DIRECT accusation – which would hold the WSJ out for a lawsuit if proven wrong – that Kaspersky was helping Russian intelligence.

    I call BS. I suspect that most of the infosec community does not believe Kaspersky is working with the Russian government to spy on its users or even some of its users. If it were true, it would likely have been detected years ago (and not just two years ago directly by the NSA.)

    The story also raises a lot of questions about NSA security policy. The NSA guy was supposedly using his home PC to develop new malware. So what? He puts this new malware on his own host machine which runs KAV and doesn’t use a VM for development? So KAV detects his new malware and immediately grabs it to send it up to Kaspersky who immediately recognizes it as NEW NSA malware and calls Russian intelligence?

    Is this NSA guy a moron to be developing classified software – malware at that – on a home PC which is connected to the Internet AND running “phone home” software on it? Is this how they train their people? Would Ed Snowden have done this? Or is the NSA willing to blow what little is left of their credibility just to mess with a Russian AV company?

    Or is it more likely that – like the NSA undoubtedly does in the US – Russian intelligence is hoovering up all Internet streams, especially including AV – and other “phone home” – software for intelligence? The problem of phone home software has been known for years. Presumably both the NSA and the Russian government – and probably many others – know and use that for intelligence collection. So do we assume Kaspersky is the culprit or the wholesale collection of the Internet by government?

    How do we know that Russian intelligence doesn’t know EXACTLY who this NSA employee or contractor is and has been hoovering up his Internet connection for years? Or that the NSA has been hoovering up his Internet stream and the Russians have tapped that?

    As usual with “Russia, Russia, Russia”, a lot of people are jumping to conclusions based on a vague and faulty mainstream media report.

    • bmaz says:

      Jesus. Really? You are saying this to Marcy, who has been far more dubious than most on all of this??

      What is your agenda?

