Internal Kaspersky Investigation Says NSA Worker’s Computer Was Infested with Malware

The personal computer of an NSA worker who took government hacking tools and classified documents home with him was infected with a backdoor trojan, unrelated to these tools, that could have been used by criminal hackers to steal the US government files, according to a new report being released Thursday by Kaspersky Lab in response to recent allegations against the company.

The Moscow-based antivirus firm, which has been accused of using its security software to improperly grab NSA hacking tools and classified documents from the NSA worker's home computer and provide them to the Russian government, says the worker had at least 120 other malicious files on his home computer in addition to the backdoor, and that the latter, which had purportedly been created by a Russian criminal hacker and sold in an underground forum, was trying to actively communicate with a malicious command-and-control server during the time Kaspersky is accused of siphoning the US government files from the worker's computer.

Costin Raiu, director of the company's Global Research and Analysis Team, told Motherboard that his company's software detected and prevented that communication but there was a period of time when the worker had disabled his Kaspersky software and left his computer unprotected. Raiu says they found evidence that the NSA worker may have been infected with a second backdoor as well, though they saw no sign of it trying to communicate with an external server so they don't know if it was active on his computer.

"Given that system owner’s potential clearance level, the user could have been a prime target of nation states," Kaspersky notes in its new report.

Kaspersky has come under scrutiny after anonymous US government sources told several newspapers last month that some time in 2015 the company colluded with Russian government hackers to steal the cache of classified documents and tools that the NSA employee—working for the spy agency's Tailored Access Operations hacking team—had improperly taken from an NSA computer and placed on his home system. Israeli intelligence sources reportedly told the US that Kaspersky employees or Russian government hackers used the Kaspersky software to search the NSA worker’s machine—as well as the machines of other customers—using keywords such as "top secret" to specifically uncover classified documents that contained this marking.

Believing that Kaspersky either then passed files from the NSA worker’s machine to the Russian government or helped government hackers obtain them, the Department of Homeland Security has issued a ban on Kaspersky products from civilian government systems, while the FBI and lawmakers have launched a public campaign that has darkened Kaspersky's reputation and so far resulted in Best Buy canceling a lucrative contract to install the company's software on machines sold in its stores.

Kaspersky has acknowledged that its software detected and collected the NSA hacking tools from the worker’s computer as part of its normal functionality in identifying malicious files on customer machines, but insists that the company deleted the classified documents once an analyst realized that the software had collected more than malicious tools. The company also insists that it never passed those tools or classified documents to the Russian government or to anyone else. But revelations that the worker's computer was infected with a known backdoor and other malware raises the possibility that if the Russian government did obtain the NSA tools that were on the worker's computer, it might have done so through means that didn’t involve Kaspersky.

"It looks like a huge disaster the way it happened with running all this malware on his machine. It's almost unbelievable," says Raiu.

The NSA declined to comment for this story.

In an attempt to get to the bottom of the allegations against it, Kaspersky says it conducted a thorough internal investigation involving workers both in the US and elsewhere that included speaking with the analyst who discovered the NSA tools and reviewing company logs that contained every signature the company has ever sent to customer machines to search for malware.

The logs show that in September 2014, Kaspersky sent out a series of so-called "silent signatures" while investigating a new malicious toolset it was calling "Equestre" at the time. In March 2014, Kaspersky had discovered a malicious and sophisticated component on a machine in the Middle East that it suspected was part of a large nation-state toolset it had never seen before.

Over many months, Kaspersky wrote and distributed dozens of signatures to customer machines, refining the search terms over time, to uncover more components in the toolset. One signature in particular (HEUR:Trojan.Win32.Equestre.m) tagged more than 4,000 suspicious files on customer machines around the world, but one of the most intriguing was a zip archive that it tagged on a machine in Maryland on September 11, 2014. That archive turned out to contain 37 hacking tools belonging to the Equestre toolset, or what later came to be known as the NSA's Equation Group spy kit. But when the Kaspersky software collected the archive to examine it, a Kaspersky analyst discovered that it contained more than malicious Equation Group tools—a legitimate target of the Kaspersky antivirus software; it also had files containing source code and four Word documents that bore classified markings on them.

The file names of the Word documents included words like "test plan" and "revision history," indicating they were documentation for some of the Equation Group tools contained in the archive.

"If you're a software developer, these are the kinds of normal documents that you write, together with your product," Raiu says. "They were related to the software development of this malware."

Raiu says the analyst doesn't recall, three years after the incident, what the exact classification markings on the Word documents were, but says they were similar to markings that had been found on documents leaked in 2013 by Edward Snowden such as "top secret/noforn." After the Kaspersky analyst brought the source code files and Word documents to the company's CEO, Eugene Kaspersky, he was instructed to delete them immediately.

"The reason we deleted those files and will delete similar ones in the future is two-fold; We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials," said the company in a statement. The company says after the incident occurred, it established a policy requiring all malware analysts going forward to "delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party."

The company didn't respond to questions about when precisely it instituted this policy, nor did it provide a written copy of the distributed policy before publication of this article.

The company asserts that it never shared the archive with any third parties and that it never found any evidence that a third party breached its network to intercept the archive after Kaspersky collected it. The company also heavily encrypts traffic from customer machines to its network, and asserts that this would make it infeasible for anyone attempting to intercept the traffic enroute and read it.

Notably, Raiu says the Kaspersky software actually detected malicious files in more than one zip archive on the worker's computer, but it collected only the one archive for analysis. Metadata from the deleted archive and the other archives the Kaspersky software tagged on the worker’s machine indicate that the archives were not actually on the worker’s hard drive but were stored on removable media—such as USB drive or some other removable media the worker had plugged into his machine—when the Kaspersky software detected malware them.

In sifting through the log of signatures sent to customers over the years, Raiu says the company never found any signatures that used keywords such as "top secret" or "classified" to conduct improper searches of customer machines, and he says no one at the company can send a signature to customer machines without it being approved by a senior signature developer.

But the company did find one circumstance in 2015 where an analyst used “*secret*.*” in a signature designed to search for a malware family known as TeamSpy. The attackers behind TeamSpy searched victim computers using a string of hardcoded wildcard search terms, that included the words "secret" and "saidumlo," which means secret in Georgian. For this reason, a Kaspersky analyst created a silent signature in 2015 that would search for these wildcard terms and others to uncover TeamSpy infections. Kaspersky believes the sources of recent media stories saying they searched for customer computers using “secret” as a search term may be confusing this incident with the incident that occurred earlier in 2014 when the company collected the Equation Group tools from the NSA worker's machine.

In the course of its investigation, Kaspersky examined every incident in which its software triggered an alert on the machine purportedly belonging to the NSA worker. This is how it discovered that not only did its software find the NSA's Equation Group hacking tools on the computer, it also uncovered dozens of other malicious files during the same time period, including a backdoor that infected the machine around 11:30 PM on October 4. The worker's home machine got infected with the backdoor after he tried to install a pirated version of Microsoft Office.

Not only is pirated software notorious for containing malware, but the worker apparently intentionally disabled his Kaspersky detection software to install the pirated software. The worker disabled it in order to run a tool known as a keygen that would generate a software key that would allow him to run the pirated Microsoft Office software on his machine. But that key-generation software turned out to contain a backdoor known as “Smoke Bot," “Smoke Loader,” and "Mokes" that was purportedly created by a Russian hacker in 2012 and sold on a Russian underground forum. That backdoor was already being detected by Kaspersky and other antivirus scanners in November 2013, so it was no surprise that the software discovered it on the worker’s machine in 2014.

Raiu describes it as a very small backdoor that has the ability to download and run additional plugins from an attackers' command servers; it runs them in an infected machine's memory instead of storing them on the hard disk, making it more stealth than some other malware that installs files directly on the hard drive.

"It's high-end stuff," he says.

It was after the NSA worker installed the pirated Office software and re-enabled the Kaspersky scanner that Kaspersky detected the backdoor on his computer—along with other malicious files including Java exploit code, various viruses, adware, and run-of-the-mill hacking tools, such as a password dumping tool, the company says. The Kaspersky software detected that the backdoor was trying to communicate with a URL—http://xvidmovies[.]in/dir/ind… to be a malicious command-and-control server.

The domain had been registered in April 2012 by someone who appeared to be of Indian nationality, but that registration expired in May 2014, and got picked up two months later by someone purportedly in China by the name “Zhou Lou," and using the email address “zhoulu823@gmail.com.” The domain was still registered to this person—which could be a fake identity—in 2014 when the NSA worker's computer was trying to communicate with it. That registration expired in July 2015 and Raiu says no one has re-registered it after that. Kaspersky recently sinkholed the command servers and have found at least 1,000 other victim machines infected with the backdoor trying to communicate with the malicious domain.

Asked about Kaspersky’s discovery of multiple malware samples on the NSA worker’s home computer, Rob Joyce, the Trump administration’s top cybersecurity adviser who was head of the NSA’s elite hacking division when the TAO worker took the NSA files home and put them on his work computer, declined to respond to Kaspersky’s findings but reiterated the government’s contention that Kaspersky software should be banned from government computers.

“Kaspersky as an entity is a rootkit you run on a computer,” he told Motherboard, using the technical term for stealth and persistent malware that has privileged access to all files on a machine.

He acknowledged that software made by other antivirus companies has the same potential for misuse Kaspersky has but said, Kaspersky is “a Russian company subjected to FSB control and law, and the US government is not comfortable accepting that risk on our networks.”