Shorter Kaspersky: Our Home AV Found NSA’s Lost Tools Six Months Before NSA Did

Kaspersky has released what it calls a preliminary investigation into the allegations that it obtained NSA tools by taking them from an NSA hacker who had loaded them onto his home computer. It follows by just a few days, and directly refutes, the silly accusations Rick Ledgett made the other day in Lawfare, most notably that Kaspersky found the tools by searching on “TS/SCI,” never mind the “proprietary” Ledgett claimed. I assume the word “preliminary” here means, “Okay, you’ve made your public accusation, now Imma badly discredit you, but I’m holding other details back for your next accusation.”

Instead of finding the hacking tools in early 2015, Kaspersky says it found the GrayFish tool back on September 11, 2014, probably six months before the date the anonymous government sources have been giving for the discovery.

And they found it with their home AV.

  • The incident where the new Equation samples were detected used our line of products for home users, with KSN enabled and automatic sample submission of new and unknown malware turned on.
  • The first detection of Equation malware in this incident was on September 11 2014. The following sample was detected:
    • 44006165AABF2C39063A419BC73D790D
    • mpdkg32.dll
    • Verdict: HEUR:Trojan.Win32.GrayFish.gen

After that, what Kaspersky describes as “the user” disabled the AV and installed a pirated copy of Microsoft Office on his computer, and with it the Mokes backdoor, which could have been used by anyone.

  • After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware.

Once that backdoor was on the machine, “the user” ran multiple scans, which turned up other Equation Group tools.

What Kaspersky is not saying is that this probably wasn’t the TAO hacker, but probably was someone pretending to be the user (perhaps using NSA’s own tools?!), who stole a slew of files then.

Two other points. Kaspersky claims to have called the cops, or more likely the FBI, which would have been the appropriate authority, and the company claims it calls the cops whenever it finds an active APT infection in the US.

  • Some of these infections have been observed in the USA.
  • As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA.

It’s possible that Kaspersky did inform the FBI, that FBI routinely gets such notice, and that FBI routinely ignores it because they don’t care if NSA is hacking people in the US. Given what we know, NSA does that at least sometimes, and during this period the targets would have included Americans approved for 705(b) surveillance that didn’t get turned off, as the law requires, when they returned to the US.

In other words, it’s possible that FBI learned about this but ignored it, because it ignores NSA’s illegal hacking in the US. Only this time it wasn’t NSA’s illegal hacking but NSA’s incompetence, which in turn led an NSA hacker to get hacked by … someone else.

Finally, there’s this bit, which is the least credible thing in this announcement: the Kaspersky statement says Eugene himself was informed of the discovery and ordered the tool destroyed (a kind of one-man Vulnerabilities Equities Process).

  • After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

I don’t so much doubt that Eugene ordered the malware to be destroyed. Once Kaspersky finished its analysis of the tool, the company would have no use for it, and holding onto it would only add to the risk for Kaspersky itself. I just find it remarkable that he would have made the personal decision to destroy this malware at some point after its discovery but not have raised it until now.

Unless, of course, he was just waiting for someone like Rick Ledgett to go on the record in that way.

Note, though, how conspicuously silent Kaspersky is about the timing of that part of the story.

One final point: this new timeline doesn’t explain how Israel (possibly with the involvement of the US) would have found this tool by hacking Kaspersky, unless the decision to destroy the tool came after Kaspersky discovered the hack. But it does suggest the Duqu chicken was chasing the TAO hacker egg, not vice versa as anonymous sources have been claiming.

That is, the scenario this timeline lays out (which, with the notable exceptions of the Duqu hack and the destruction date for GrayFish, comes with dates and file names, and so at least looks more credible than Rick Ledgett’s farcical “proprietary” claims) is this: Kaspersky found the file and reported it as an infection to the cops, who likely told NSA about it, which led to the attack on Kaspersky to retrieve the file or to discover how much else Kaspersky had obtained. Duqu didn’t hack Kaspersky and then find the file. Duqu hacked Kaspersky to find the file that some dopey TAO hacker had made available by running Kaspersky home AV on his computer.

Update: Changed “probable” involvement of US in Duqu hack to “possible.”

Update: Changed “stolen” in title to “lost.”

19 replies
  1. lefty665 says:

    So the crusade against Kaspersky seems more pocketbook retaliation for being good at what they do and part of the RUSSIA hysteria than real Kaspersky collusion with the Ruskies?


    • SpaceLifeForm says:

      It’s all pure BS. See the @josephfcox tweets on the hearing today. Clueless congresscritters. But they attack KL sans understanding.

  2. SpaceLifeForm says:

    OT? Maybe not a bit.

    The DUHK attack is a historical failure of the federal standardization process for cryptography. The general vulnerability has been known for at least two decades, yet none of the descriptions of the algorithm we could find mentioned that the seed key should be unpredictable to the attacker.

    This vulnerability should be viewed in the context of a multi-year line of research showing how subverted standards, parameter choices, subtle vulnerabilities, and implementation flaws might allow state-level actors to passively decrypt encrypted network traffic.
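
A worked illustration of the point quoted above, added here as an example and not code from the commenter or from the DUHK authors: the ANSI X9.31 generator with AES-128 as its block cipher, and an attacker who knows the hardcoded cipher key K, captures two consecutive output blocks, and brute-forces the low-entropy DT (date/time) input to recover the internal state V and predict the next block. The DT encoding (a big-endian counter in the first eight bytes) and the assumption that DT advances by one tick per call are simplifications for this demo, not the layout of any real product; the key, seed and timestamp are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

type Block [16]byte // one AES block

func xor(a, b Block) Block {
	var out Block
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func mustAES(key []byte) cipher.Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo keys are always 16 bytes
	}
	return c
}

func encrypt(c cipher.Block, in Block) Block {
	var out Block
	c.Encrypt(out[:], in[:])
	return out
}

// X931 is the ANSI X9.31 PRNG with AES-128: T = E_K(DT); R = E_K(T xor V);
// V' = E_K(T xor R). K is the cipher key, V the secret state, DT a clock value.
type X931 struct {
	c cipher.Block
	v Block
}

func NewX931(key []byte, seed Block) *X931 {
	return &X931{c: mustAES(key), v: seed}
}

// Next emits one output block for the date/time input dt and updates V.
func (g *X931) Next(dt Block) Block {
	t := encrypt(g.c, dt)
	r := encrypt(g.c, xor(t, g.v))
	g.v = encrypt(g.c, xor(t, r))
	return r
}

// dtBlock encodes a timestamp as DT (demo layout: big-endian counter, rest zero).
func dtBlock(ts uint64) Block {
	var dt Block
	binary.BigEndian.PutUint64(dt[:8], ts)
	return dt
}

// RecoverAndPredict plays the DUHK attacker: it knows the hardcoded key, has
// captured two consecutive outputs r0, r1, and tries every DT in [tsLo, tsHi].
// With DT guessed, V1 = E_K(T0 xor r0) follows from public values; the guess is
// checked against r1 and, on a match, the next output is predicted.
// Assumes DT advances by one tick per call (demo assumption).
func RecoverAndPredict(key []byte, r0, r1 Block, tsLo, tsHi uint64) (Block, uint64, bool) {
	c := mustAES(key)
	for cand := tsLo; cand <= tsHi; cand++ {
		t0 := encrypt(c, dtBlock(cand))
		v1 := encrypt(c, xor(t0, r0)) // state after r0 was emitted
		t1 := encrypt(c, dtBlock(cand+1))
		if encrypt(c, xor(t1, v1)) != r1 {
			continue // wrong DT guess
		}
		v2 := encrypt(c, xor(t1, r1))
		t2 := encrypt(c, dtBlock(cand+2))
		return encrypt(c, xor(t2, v2)), cand, true
	}
	return Block{}, 0, false
}

// Constructed demo values: a key baked into "firmware" (so the attacker has it)
// and a seed the attacker never sees.
var DemoKey = []byte("firmware-const-k") // 16 bytes, hardcoded
var DemoSeed = Block{0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
var DemoTS = uint64(1410393600) // arbitrary Unix time

// Demo runs the victim generator, then the attacker; it returns the predicted
// and the real third block, the recovered DT and whether the attack worked.
func Demo() (predicted, actual Block, ts uint64, ok bool) {
	g := NewX931(DemoKey, DemoSeed)
	r0 := g.Next(dtBlock(DemoTS))
	r1 := g.Next(dtBlock(DemoTS + 1))
	actual = g.Next(dtBlock(DemoTS + 2))
	predicted, ts, ok = RecoverAndPredict(DemoKey, r0, r1, DemoTS-3600, DemoTS+3600)
	return
}

func main() {
	p, a, ts, ok := Demo()
	fmt.Printf("recovered DT=%d ok=%v\npredicted=%x\nactual   =%x\n", ts, ok, p, a)
}
```

Run it with `go run`. The attacker's loop costs four AES operations per candidate timestamp, so a clock-derived DT adds no protection once K is known; without K the attacker cannot form T = E_K(DT) and no candidate ever matches, which is exactly why the seed key has to be unpredictable.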

  3. SpaceLifeForm says:

    Bunch of dots.

    Alfa Bank. Viet Dinh. Kirkland & Ellis.
    (and others)

    Sam Biddle
    October 26 2017, 7:42 p.m.

    IN NOVEMBER 2016, just days before Donald Trump won the presidential election, Slate published what appeared to be an explosive story connecting his business empire to a prominent, Kremlin-linked bank in Moscow. The story, using breadcrumbs left across DNS, the esoteric global computer system that undergirds the internet, alleged a pattern of covert communications between a Trump Organization email server and Alfa Bank. The story had some serious technical problems, but the underlying strangeness of what seemed to be going on was certainly worth checking out.

    Today, the bank at the heart of the controversy is waging an intimidating legal campaign against an American professor who helped connect the odd dots — academic and intellectual freedom are being challenged by the interests of private capital. The Slate story itself was based in part on (highly educated) speculation by a small group of computer scientists about whether a list of internet pings between servers in the U.S. and Russia might have signified the existence of a backchannel between the Trump Organization and the Russian finance sector. Some of this internet traffic data was readily and publicly available, while some appeared to represent a rare and powerful (though not impossible or unheard of) ability to monitor the functioning of the internet. But all of the work done by these researchers, apparently led by a pseudonymous luminary in the internet infrastructure world named “Tea Leaves,” appeared carefully compiled and dispassionately argued.

    • orionATL says:

      so what does ew call this – russian “lawfare” ?

      the russian government seems to be trying to cover its tracks involving the 2016 presidential intrusion. where there’s legal smoke there must be illegal political sabotage fire, right?

  4. orionATL says:

    does this mean what i think it means:

    “…  with KSN enabled and automatic sample submission of new and unknown malware turned on…”

    or not?

    does it mean that a nsa employee was working at home with his trusted av, kaspersky, turned on, and with that av’s automatic (unless disabled on purpose) report-back function turned on, thereby allowing the av to suss out a nsa exploit on worker’s computer and then automatically report it back to the kaspersky av analysis lab, as so many av programs do?

    no nsa analyst could be that incompetent could they?

    • SpaceLifeForm says:

      “no nsa analyst could be that incompetent could they?”

      One would think not.

      Which is why I wondered about the Office License key.

      To me, this seems like a backwards attack on KL. A honeypot set up so that KL *would* discover the tools.

      One, KL already has said there are different ‘sigs’ from what SB dumped, as in, there is not a match.

      Two, the 6 month difference. Possibly there were two separate events, and KL did not see the second one (the one WSJ reported), and that some other group was associated with the second event.

  5. Evangelista says:

    To upload malware to an average unsuspecting internet using “fish” one baits a phishing “hook” and dangles it in email, or disguises it in a ‘life-like’ site-lure.  When the target takes the bait one is in and may launch his digital parasite to load into the ‘host’.  Then the loader/launcher may self-destruct, to not leave a trackable trail…

    To upload malware to a site maintained by technically proficient monitors, as, for example, the Linux Kernel site, one plants parasites in code-contributors’ computers and then attempts to implant bits of mal-code in their code-capsules, hoping they will slide in with the capsules when contributed, and, being bits and scraps, slip ‘under radar’ past cross-checkings to connect with previous insertions and bit-contributions sent along via other contributors’ provisions, ultimately escaping detection through final checking to provide a usable parasitic implant…

    To upload malware to install in [hack] an Anti-Virus Provider’s AV, to be carried along with the AV’s installations, to implant spy-ware to provide ‘back-dooring’ or other access, what would one do?

    Perhaps attach initial parts to a variant form of a known virus?  So the AV software will upload to home?  Doing this from “home”, of course, to appear an innocent, and, of course, have the lowest level AV version, for least sophistication, and most likely minimal monitoring at Headquarters…  Then, if that succeeds, or is anticipated to have, one could add some ‘pirate’ [mal-modified] software, load it with additional bits to attach to the ‘hooks’ previously ‘automatically uploaded’ and try to have the parts connect together, to complete the installation of the malware and open the ‘backdoor’ into and through the AV when the AV was re-installed…  One would multiply re-install the AV, trying to make the hook-up…

    If one is a state-actor, in the “Middle-East”, or anywhere else, with sophisticated tools maybe borrowed, or “borrowed” from the US NSA one would naturally use those to effect a sophisticated intrusion, and, with a failure of any key point, leave those hanging in the target software, as artifacts of the intrusion attempt…

    It could also happen that one might effect a hack, but suffer a failure of tool-deletion, leaving artifacts…  The leavings would have to be explained, and an “explanation” that the ‘lost’ tools were not lost, but “stolen” by the victim, or intended victim, would be a natural one.

    Especially if the spyware installation attempt was unsuccessful it would be convenient to “explain” that the intended victim was the villain, and, especially if one had a captive congressional system, full of bozos ready to blather party-line, to accompany, if not add power to, the accusation by raising a hue and cry against the intended victim, for being a “spy”, rather than a victim of an intrusion-failure…  Especially if your failure would mean that you could not have a worm in the victim’s AV to provide you a hose into the victim’s AV users’ data you might be tempted to use all your resources to deprecate the victim, to steer AV users away from its product, maybe to more easily, or already, intruded AV software…

  6. SpaceLifeForm says:

    Retrocover. Hacking back.
    Active Cyber Defense Certainty Act (ACDC)

    If A hacks B and then B hacks A back, then, according to the language of the ACDC Act, B is the victim and A is the attacker. But once the hacking back—I mean, the active defense—starts, then the reverse is also, of course, true.

    Want to go after a competitor? Stage an attack directed at yourself coming from their servers, and then hack back!

    • SpaceLifeForm says:

      Linked from above link, article 10 months old but very important to understand:

      Attribution is really, really hard.

      AFTER MONTHS OF news about Russian meddling in this year’s US presidential election you’re probably sick of speculation and ready for answers: What exactly did Russia do and why? It sounds simple enough, but a fundamental concept in cybersecurity and digital forensics is the fact that it is sometimes extremely difficult after a cyberattack to definitively name a perpetrator. Hackers have a lot of technical tools at their disposal to cover their tracks. And even when analysts figure out which computer a hacker used, going from there to who used it is very difficult. This is known as the attribution problem.

      [Especially hard if a TLA is involved and has access to a lot of backbone routers]

      • orionATL says:

        ah. now i understand a little better.

        further, truly, lay people like myself don’t have a chinaman’s chance of protecting themselves or their organizations. what a world we have created since +- 1980!

        • Evangelista says:

          Make that “…have created in the 21st century, since about 2000”

          2000 was when the internet went seriously commercial, simple-minded and then malicious.

          From 1970 to 1980 the “internet” was more toy than tool, though an educational tool.  Communications then were on the order of texting ten years ago.

          From 1980 to 1990 the internet was primarily academic, especially computer-lit-and-com info-trading, but with other academic realms jumping in to take advantage of digital data exchange.

          1990 to 2000 was the golden-age, when the internet was a nerd-net, when vast amounts of useful and usable information was available through searchable data-bases.

          When the net went popular, about 2000, it went dumb and dumber, to accommodate the hoi polloi.  Academic information began to be hack-attacked by contrarians, who chose destroying as an easier option than communicating contradiction.  Serious information began to disappear, pulled behind firewalls for protection, or removed from general distribution, to preserve integrity, and prevent thefts.

          And then came commerce, with focus to selling.  Everything dumbed down more, advertising content exploded and displaced just about everything else.  Serious information became more trouble than worth to ferret out.

          And then came the “joy” of getting into everyone else’s.  Everyone else’s whatever, computers, content, cameras, on and on.  Botting and spamming became endemic, until today insecurity and intrusion are epidemic, with “law enforcement” among the most malicious of the malicious, digging for dirt, planting dirt, spying, invading, doing everything criminal that criminals do, but on grand and national actor scales, having ‘unlimited’ resources and no ethical or other restraints, no policing of the police.  Spies everywhere and security impossible, the internet has become dangerous, as well as useless…

Comments are closed.