Kaspersky’s Carrot-and-Stick TAO Compromise Incident Report

Last week, Kaspersky released its investigation into the reported collection of NSA hacking tools off an employee’s computer. Kim Zetter did an excellent story on it, so read that for analysis of what the report said.

The short version, though, is that Kaspersky identified a computer in the Baltimore, MD area that was sending a whole slew of alerts in response to a silent signature for Equation Group software from September to November 2014 — a year earlier than the leaked reports about the incident claimed the compromise had happened. Kaspersky pulled in an archive including those signatures as well as some associated files in the normal course of collecting analysis (and, according to Zetter, did not pull other archives of malware also associated with the machine). Kaspersky IDed it as irregular, and — so they’re claiming — the analyst who found it told Eugene Kaspersky (referred to throughout in the third person “CEO” here), who told told the analyst to destroy the source code and related documents immediately. The report claims Kaspersky subsequently instituted a policy mandating such destruction going forward.

As Zetter notes, the timing of events gets awfully murky about when the file got destroyed and the new destruction policy was instituted.

The company didn’t respond to questions about when precisely it instituted this policy, nor did it provide a written copy of the distributed policy before publication of this article.

Meanwhile, during the same period this machine was sending out all the Equation Group alerts, someone hacked it.

It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time,

The report explains this compromise at length, providing (in addition to the precise time), the C&C server URL, a list of 121 other virus signatures found on the machine during the period the Equation Group signatures were alerting. It also links to Kaspersky’s analysis of the backdoor in question, which was developed by Russian criminal hackers.

“It looks like a huge disaster the way it happened with running all this malware on his machine. It’s almost unbelievable,” [Zetter quotes Kaspersky’s director of the company’s Global Research and Analysis Team Costin Raiu].

Thus far, consider what this report does: it makes it clear that Kaspersky has far more detail about the compromise than the anonymous sources leaking to the press are willing to share (all the time with Eugene Kaspersky inviting them to provide more details). It elaborates on the story it had already shared about who the likely culprit was to have stolen and used the files. And it suggests (though I’m not sure I believe it), that it’s entirely the fault of the hacker who turned off Kaspersky’s AV in order to run a pirated copy of Windows Office.

That’s the carrot. Here, Kaspersky is saying, we’ve figured out who stole those files your idiot developer loaded onto his malware-riddled computer. Go get them. Free incident response, three years after the fact!

But it’s the stick I’m just as interested in.

First, as part of its explanation of the process Kaspersky used to hone in on the incident, the report includes a list of hits and false positives on NSA signatures just from September 2014 — effectively providing a list of (dated) malware signatures. While the report notes many of these alerts are false positives, Kaspersky is nevertheless saying, here’s a list of all the victims of your spying we identified for just one month out of the 40 months we just analyzed. Presumably, the hits after September 2014 would have come to include far more true victims.

Then, the report provides a list of all the Equation Group signatures found on the TAO engineers’ computer, providing a snapshot of what one person might work on, a snapshot that would provide useful for those trying to understand NSA’s work patterns.

Even while it provides lists of signatures that will provide others some insight into NSA activity, the report makes a grand show of concern for privacy, redacting the name of the archive as [undisclosed] and including a discussion about how it could have — but chose not to — include the complete file paths of the archive.

Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.

Mind you, FSB is the “higher legal authority” in Russia for such things.

Then, in the guise of claiming how little information Kaspersky has on the individual behind all this, the report makes it clear it retains his IP, from which they could reconstitute his identity.

Q3 – Who was this person?

A3 – Because our software anonymizes certain aspects of users’ information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.

In short, along with providing a detailed description of what likely happened — the hacker got pwned by someone else — Kaspersky lays out all the information on NSA’s hacking activities that it could, if it so chose, make public: who NSA hacked when, who the developer in question is, and more details on how the NSA develops its tools.

But (in the interest of privacy, you understand?) Kaspersky’s not going to do that unless some higher authority forces it to.

Of course, Kaspersky’s collection of all that data on NSA’s hacking is undoubtedly one of the reasons the NSA would prefer it not exist.

A carrot, and a stick.

At the end of her piece, Zetter quotes Rob Joyce laying out the more modest attack on Kaspersky (this stuff shouldn’t be run on sensitive government computers, which it shouldn’t), even while admitting that other AV products have the same privileged access to collect such information on users.

Asked about Kaspersky’s discovery of multiple malware samples on the NSA worker’s home computer, Rob Joyce, the Trump administration’s top cybersecurity adviser who was head of the NSA’s elite hacking division when the TAO worker took the NSA files home and put them on his work computer, declined to respond to Kaspersky’s findings but reiterated the government’s contention that Kaspersky software should be banned from government computers.

“Kaspersky as an entity is a rootkit you run on a computer,” he told Motherboard, using the technical term for stealth and persistent malware that has privileged access to all files on a machine.

He acknowledged that software made by other antivirus companies has the same potential for misuse Kaspersky has but said, Kaspersky is “a Russian company subjected to FSB control and law, and the US government is not comfortable accepting that risk on our networks.”

We shall see if this report serves to halt all the (inaccurate at least with respect to timing, if this report is to be believed) leaks to the press or even the other attacks on Kaspersky.

All that said, there are two parts of this story that still don’t make sense.

First, I share Zetter’s apparent skepticism about the timing of the decision to destroy the source code, which the report describes this way:

Upon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named “[undisclosed].7z” was removed from storage. Based on description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold; We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [note this typo] consumed even to produce detection signatures based on descriptions.

This concern was later translated into a policy for all malware analysts which are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage.

The key sentence — “it was later discovered … the archive file … was removed” — is a master use of the passive voice. And unlike all the other things for which the report offers affirmative data, the data offered here is the absence of data. “It appears” that the archive is no longer in storage, without any details about when it got removed. The report is also silent about whether any of these events — the removal and claimed destruction and the institution of a new policy to destroy such things going forward — were a response to the Duqu 2 hack discovering such files, as well as the one silent signature integrating the word “secret” described elsewhere in the report, on Kaspersky’s servers.

Then there’s the implausibility of an NSA developer 1) running Kaspersky then 2) turning it off 3) to load a bunch of malware onto his computer in the guise of loading a pirated copy of Office 4) only to have a bunch of other malware infect the computer in the same window of time, finally 5) turning the Kaspersky back on to discover what happened after the fact.

Really? I mean, maybe this guy is that dumb, or maybe there’s another explanation for these forensic details.

In any case, the entire report is a cheeky chess move. I eagerly wait to see if the US’ anonymous leakers respond.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

32 replies
  1. orionATL says:

    “… The short version, though, is that Kaspersky identified a computer in the Baltimore, MD area that was sending a whole slew of alerts in response to a silent signature for Equation Group software…”

    as i recall, “equation group” is a nickname shadowbrokers gave nsa’s tao operation due to its encrytion techniques. so the usage in this post is contemporary; it would not have been used back in 2014, right?

    what is a “silent” signature in contrast to a “normal” malware signature? aren’t all malware signatures generally similar?

    • orionATL says:

      based on this media report from early 2015, it seems it was kaspersky that applied the term “equation group” to the developers of very sophisticated malware. equation group was suspected of being from the u. s. nsa.

      http://observer.com/2015/02/equation-group/

      i infer from the date that kaspersky has had this data for nearly three years. only now, after being blackballed by the u. s. gov, did kaspersky issue the investigation report of this prior discovery.

      this means nsa may have known – may we not say surely knew – about this problem for about 3 yrs.

      snowden took nsa data with him when he flew the coop in may, 2013.

      i wonder what matters were going on in sept. – nov. 2014 (other than an american election) that so interested the nsa researcher (or his bosses) that he would need or want to be working from his home?

      finally, it seems entirely unlikely fsb doesn’t have its hands on the nsa programing jewels.

      • SpaceLufeForm says:

        The alleged dumb NSA analyst (that took stuff home), was likely an attack that caused KL to be infected (as they disclose in 2015, but believe hapened in 2014).

        The spycorps/IC do not like Kaspersky Antivir, because it actually works very well.

        GCHQ and NSA have not liked Kaspersky Antivir since at least 2008. They have been trying to defeat it for years. They may have gotten successful in 2014.

        http://www.zdnet.com/google-amp/article/kaspersky-software-reverse-engineered-by-nsa-gchq-report/

        The NSA and GCHQ have been reportedly reverse engineering Kaspersky Lab and other anti-virus security companies since 2008.

        ..

        The Intercept posted an NSA document titled “Project Camberdada” that lists at least 23 antivirus and security firms that were in that spy agency’s sights…

        • bmaz says:

          Hi there Mr. Digibyte.

          I see you are now posting under the handle of “SpaceLufeForm” instead of “SpaceLifeForm”. If you pay any attention to things other than your own yakking in the mirror here, you know that is not acceptable. You have a handle here. Use it. If you sock puppet, I will bounce you. Same as I have advised others for years before you brought your “Life Form” to grace our presence.

          How do you want to play this Digibyte, you want to be a member of this community, or just an itinerant jerk off? The choice is yours. Personally, I think if you get your head out of your hacker ass, you could be valuable. If not, then not so much.

          [Editor note: Nobody ever messed with this person’s original handle, he is pulling this cheap shit just to poke a thumb in the eye of attempts to get him/her to actually participate meaningfully here as commenters have always done. For nearly a decade before this self professed genius decided to not just join, but personally occupy our comments section. That is not right.]

          • orionATL says:

            come on bmaz, your need to be sure that your moderating doesn’t move from helpful to oppressive and also get in the way of discussion.

            you set a standard of writing for spacelifeform to met in terms of intelligibility to others. he has met it here.

            a good teacher gives change a chance.

          • rg says:

            Please note that the letters  “i” and “u” are next to each other on the keyboard. Hurried writers can often type without  looking at their product, and then not checking their spelling .  This seems to happen often, and by EW herslf.

        • orionATL says:

          this brings a new perspective to the destruction of the nsa’s burgler’s kit of malware.

          let’s say that nsa knows with fair certainty that kasperski can be forced to help the russian state (fsb) in the same manner that apple can be (and soon will be by congressional fiat) forced to hp the ametican state (fbi).

          nsa organizes to damage the effectiveness of kaspersky because it fears what kaspersky can do for the russian state. but two can play that game. the russians organize (let’s say) to damage the effectiveness of the nsa. kasperski and nsa are not equivalent organizations in rank, but nonetheless…

          as it happens, nsa, not the russians, suffers the grievous wound, perhaps at the hand of kasperski. nsa loses control of a large collection of older malware programs the were used to spy on individuals and organizations. now more damage to nsa is being threatened by shadowbrokers and wikileaks who are both threatening to sell or expose the actual working programs (the code). as if that weren’t enough, comes kasperski making a veiled threat to reveal who was being targeted by nsa – unwanted political exposure of the sort snowden provided.

          in terms of international politics, i think we are inching closer to treaty-making time where rules of cyberwarfare, like the laws of war, will be worked out for all to follow – sort of.

          back to kasperski’s 2014 discovery of nsa malware. how come it is only now, 3 yrs later, that we are suddenly reading in the nytimes how upset and demoralized nsa employees are?

  2. lb says:

    Hi Marcy et al,

    I’ve read your writing for a long time and seldom do I have something useful to add. Maybe today I can help :)

    I’m not going to make any particular argument in support of or against Kaspersky, but I figured it might good to dissect the appearance that something is no longer on storage. I’m a systems guy who does not work in storage, but I believe I understand enough here to say something useful.

    Absolute assurance that there is no trace of content on a modern storage system is actually difficult to achieve. If you want to be sure something is irrecoverable, it’s important to actually physically destroy the entire unit of storage medium in question, for any which ever contained the content. Let’s break this down into a non-exhaustive explanation of the ways that deletion can be imperfect (leave traces behind), on both spinning disks and solid state disks.

    Files are broken down into sub-parts by a storage stack, so I’m going to focus on those sub-parts.

    Storage devices break their available space down into blocks (call them physical blocks) and make these blocks available to software (call these logical blocks). There is a mapping performed by the disk itself to abstract the notion of these logical blocks from physical blocks. It is extremely likely that there are more physical blocks than logical blocks. Extra physical blocks allow for physical failure of some blocks to be handled: a failed block can be marked as bad and the logical block pointing to it remapped to an extra physical block. If failure is caught early enough, the contents of the old physical block can be copied to the extra physical block before the remapping occurs, such that there is no loss of data. The net effect is that software doesn’t notice the disk has lower capacity. This is, to my understanding, how spinning disks have worked for quite some time.

    Solid state disks have some other interesting properties with regard to blocks. The physical properties of solid state media are such that particular blocks can be come “worn out” by significant use. Imagine the most popular block being written over and over and over, and then dying. There needs to be a remapping mechanism, as with spinning disks, sure. But there also needs to be some pre-emption of this wearing-out. SSDs thus perform “wear-leveling”. I believe this is a pre-emptive remapping at the time of write, such that for a logical block (say it’s LB 4), the SSD will remap which physical block over time at each write (PB 1000 -> PB 2000 -> PB 9999, who knows?).

    Also, remapping is transparent — software can’t ask for access to specific physical blocks, nor can it generally ask about the mapping between logical and physical. The disk is a black box and the logical block interface is all software gets.

    So what happens to a physical block to which no logical block points (one that was already remapped-from)? It still has the possibility of containing its old content from before remapping — the magnetic encoding of the ones and zeroes persists at a truly physical level. There are companies which will crack a disk open and attempt to extract information at various levels to recover disks. These companies do so for people who have had a catastrophic crash and want to recover their own important data. These companies do the same for law enforcement and other governmental circumstances.

    This is the physical disk layer that’s harder to track. It’s also possible that software could have done its own remaps, replication and so forth. Traces of files can hide in all sorts of places, though you’d hope that the people purging sensitive data know as much. There’s a notion of “secure deletion” which attempts to overwrite files with zeroes, patterns and so on (there’s a whole DOD specification for this sort of deletion), to guarantee that a physical deletion has occurred. Of course, if each of those writes may be remapped, well… things are murky.

    So it’s possible that the statement on the appearance that a file is gone is an engineer’s technical hedge against making absolute statements you can’t provably make. I have no idea whether that’s the appropriate reading or intent here, though.

    • emptywheel says:

      Definitely possible. I just find several parts of the statement worth notice, not least the lack of record-keeping (or the reluctance to share such record-keeping) given all the other extreme transparency.

      • Clive says:

        Marcy,

        It’s not just the “hard drives” but back up tapes and any copies pulled automatically or by other analysts. Just telling some one to delete he files is realy insufficient.

        Which raises the “Oh S41t” aspect of it. If you were the boss you’ld want to keep things well under wraps even from your own employees, especially as many had come through the same “education” system. That is he might trust them to be diligent workers but would he trust them not to say things that would get back to the likes of the FSB etc… probably not. Which means he is not going to trigger the sort of indepth search for other copies etc as it would cause raised eyebrows to say the least. He would wait untill things quietened down for a while before doing anything else. Like as not he would wait for some other event to act as an excuse to change policy, and then appear to chuck the rules on “secret” stuff in as an after thought. Such an event might be the redeployment of the analyst concerned or their leaving etc.

        What ever the reasons are Kaspersky are in an awkward position at the best of times and this whole thing stinks of a US Political smoke screen for other things.

        Thus I’m quite unsuprised that he is playing it like a high stakes game of poker where he has to bluf not just the USG but the Rusian Gov but a whole load of others including most of Europe.

        Me I’m going to get another bowl of popcorn and enjoy the show, looking for the slight of hand movments that will give an indication or clue as to what exactly the USG is upto…

        As some have pointed out there are seniors at the NSA that should have been drop kicked out the door. But for some reason they are still there… Maybe somebody has called in a marker…

  3. Twinkle says:

    “Kaspersky lays out all the information on NSA’s hacking activities that it could, if it so chose, make public: who NSA hacked when, who the developer in question is, and more details on how the NSA develops its tools.”

    This doesn’t strike me as fully accurate. Kaspersky has the IP address of the machine associated with the leak. Yet that may tell us little to nothing about the identity of the developer in question. The IP is likely linked by Verizon to an account and the account has a street address but who lives there? One person? Many people? Is it a business or home address? As I see it you are making a flawed assumption in assuming there is a direct link between an IP address and a specific developer. That could be the case. Could not. No way to know in advance.

    So it is a stretch to state that Kaspersky can tell us the id of the developer if it chose to. Maybe. Maybe not.

    • SpaceLifeForm says:

      They can ID the machine via MAC.
      The resaon they redacted the full path names of files is because it likely contained enough of a clue to tie to persons name.
      The IP address is not definitive. Maybe static, maybe dynamic. Probably basically static.
      But the MAC is a solid start to identifying location and more via legal request to ISP.

      • bmaz says:

        Hey jackass, if you think I am kidding, you are barking up the wrong tree. Life, Lufe, loofah like Bill O’Reilly. Whatever. You mess with the rules here, continue to be a self inflating jerk talking to yourself instead of genuinely explaining and participating here, you are going to be done.

          • bmaz says:

            Seriously?? Which part do YOU object to High Holy Orion? The part where the commenter has to actually talk to  the community in terms they can understand?

            Or the part where evolving sock puppetry is not acceptable out of commenters?

            Thanks for all your help.

              • orionATL says:

                cassiopeia is the “w” shaped constellation.

                polaris is at the end of the tail of ursa minor, aka the little dipper.

                • bmaz says:

                  Are you serious? This is where you want to go? Remember when you couldn’t even get on this blog when we moved, and I nursed you though it? Leave editorial decisions to others that actually have them.

                  • orionATL says:

                    this is the emptywheel weblog, bmaz.

                    being fair is important, ESPECIALLY for moderators.

                    status differences here based on knowledge are inevitable.

                    pulling rank – or trying to – is not, and is inappropriate.

                    • bmaz says:

                      Thank you for letting your true freak flag fly. By the way, nobody here has EVER “pulled rank” on you. In fact, because of your status of having been around for over a decade you have been coddled and protected.

                      Again, thank you for affirmatively admitting and proving how much times have changed. It is all good to know, and all up to you now.

        • greengiant says:

          SLF,  what were those cryptograms about Georgia?   22,  46 or whatever, went right past me.

          ID  identify

          MAC  I would have gone with  Machine address, but https://en.wikipedia.org/wiki/MAC_address it is media access control [ address ]  unique machine identifier.   Some news on the web and at schneier.com about malware capturing MACs.

          IP address,  Internet protocol address

          static IP,  a fixed IP address which in the US can be provided by the ISP internet service provider and is static or constant for days

          dynamic IP,  A changing IP address,  if using TOR, VPN,  or the equivalent, i.e. renting a cloud virtual computer(s),  or if holding or capturing a block of IP addresses,  rolling your own changing IP address.

          All of these are of big interest to not only NSA and such actors but big data,  adware,  Cambridge Analytics,  anyone trying to track users across platforms to make more money off of their data and usage.  Imagine for some malware it is cheaper to buy this information from big data, or use precisely targeted adware to generate same,  than to suck it up into the NSA bit farm and retrieve it.  The reported problem with using cloud computers to do secure work is that nothing in the cloud is secure and may be captured and even encrypted communications and data are vulnerable.

          • orionATL says:

            tx. this offers me a wider view:

            “… All of these are of big interest to not only NSA and such actors but big data,  adware,  Cambridge Analytics,  anyone trying to track users across platforms to make more money off of their data and usage.  Imagine for some malware it is cheaper to buy this information from big data, or use precisely targeted adware to generate same,  than to suck it up into the NSA bit farm and retrieve it.  The reported problem with using cloud computers to do secure work is that nothing in the cloud is secure and may be captured and even encrypted communications and data are vulnerable.”…

            i’ve refused to use the cloud for anything. but if my spouse or family do, then some of my personal “data” are available on the cloud to exploit.

            • greengiant says:

              Not an expert in anyway.  Every time you visit a web site your Internet Protocol address,  the operating system and version, web browser, and for all I know the name you call your machine and MAC are read and usually stored by that site,  as well as stored any other web site that has the right cookies on your machine.  By recent law your Internet Service Provider will do the same and sell it.  There was great angst when Facebook was storing mouse movements.

              You have no control over which big data firms or credit reporting agencies or whomever store information about you, nor the manner in which they do it.   So kudos for keeping documents and pictures off the cloud.   There is quite another game afoot.   Just combine the OMB data hack with users computer usage history and what kind of blackmail material do you think can be found and used.

              • SpaceLifeForm says:

                Your MAC address is not normally visible.

                The MAC is tied to the NIC (Network Interface Card), and most users computers only have one NIC, so the MAC basically ties the user to a computer. The IP Address (whether static or dynamic) is tied to the MAC.

                Antivir programs run with high privilege, they can see both the MAC and the IP address.

                Kaspersky knows more than you would guess.

                • bmaz says:

                  Oh, thank you Digibyte for gracing us with your knowledge. How did we ever get along without you over more than a decade? Can you tell us more about a MAC you jack?

          • lefty665 says:

            Minor note on static and dynamic IP addresses. Static addresses are just that, static, they do not change. Providers charge for making IPs static, usually as a monthly add on fee for each one you want. Dynamic addresses may change at anytime. In watching my IP addresses over several years after dropping static IPs I found they tended to stay the same for varying periods from a couple of months to a half year or more. No guarantee, they changed at the convenience (whim) of the provider and changes were transparent to the end user in most instances.

            Jeez GG, you spilled the beans, orion thought his browsing wasn’t part of cloud data collection.

            • orionATL says:

              typically for your personality, lefty, you are twisting the use of words to inject a sarcastic remark into the conversation.

              when i say i don’t use the cloud i mean i do not concsiously store data of any kind on the cloud; i refuse all proferred cloud services like bookmarking or photo storage. i do not mean that my internet data never flows to/thru the many computer-storage-farms-for-lease, metaphorically referred to as “the cloud”, which various internet services and service providers use. neither i nor anyone else using the internet has total control over that aspect of internet use, even if they are their own isp.

              • lefty665 says:

                “i’ve refused to use the cloud for anything.” S’ok orion, we get it that you really have no clue that you “concsiously (sic) store data of any kind on the cloud” every time you fire up your browser or post here. Your response just dug the hole deeper. I’m inclined to drop it, hope you are too.

                • orionATL says:

                  you’re playing with malintent with the casual use of words, lefty.

                  the issue of importance to me is controlling what i can control.

                  • lefty665 says:

                    A happy Thanksgiving to you, your spouse and your family. May all be healthy, happy and thriving. Gobble, gobble.

                    • orionATL says:

                      disguising a mean-spirited joke in a well-loved holiday greeting is but one more indication, if any other were needed, of your vindictive personality, lefty.

Comments are closed.