Kaspersky Says Its Hand Was in the Cookie Jar, But …

Kaspersky Lab has been bombarded with an unending stream of claims that its Russian roots equate to being part of the Russian national team when it comes to national security interests. We previously discussed the rationale behind the ban of Kaspersky Lab security products in any U.S. government device, and how the company is believed to be a part of the Russian effort to put a bullseye on the National Security Agency (NSA). The publicly available information asks us to trust the U.S. government’s claim that under all that smoke about Kaspersky, there is actually a fire. It turns out that it’s true—well, at least partially true.

While we would have preferred the U.S. government to share the specifics of the purloining of NSA secrets from a contractor’s laptop (two crimes possibly committed there: one unauthorized removal of classified materials by the contractor from the NSA and the second the theft of those secrets from the contractor’s computer by Kaspersky), that didn’t happen.

Reactive Kaspersky

Kaspersky, no doubt watching its U.S. market share evaporate, took a reactive step. The company conducted an internal review. Kaspersky describes its effort as “preliminary results of internal investigation into alleged incident reported by U.S. media.” That’s a mouthful of qualifying words; some might go so far as to call them mealy mouthed words.

Bottom line, its investigation did confirm the claim that Kaspersky pulled a .zip file from a user who was using Kaspersky’s antivirus software. Upon inspection of the file, the company discovered that the .zip file contained what “appeared to be Equation malware source code files.”

Those who have been following the Shadow Brokers saga (234 megabytes of data stolen), will recognize the Equation Group as the entity whose offensive cybertools were offered for sale in mid-August 2016. Ironically, it was Kaspersky that crafted a rather comprehensive explainer on the Equation Group, which was described as “a highly sophisticated threat actor that has been engaged in multiple computer network exploitation operations dating back to 2001, perhaps as early as 1996.” Kaspersky left it to others to connect the dots between the Equation Group and its tools and those of the NSA’s Tailored Access Operations (TAO) group.

Now we have Kaspersky with a .zip file containing tools which the company believes have their providence within the Equation Group and they have to decide what to do next. Its relationship with the individual from whom it lifted the .zip file was one of vendor-consumer. Yet, the various files found sure made the individual consumer look suspect and his device of interest. Kaspersky’s analyst escalates the situation, which eventually finds its way to CEO Eugene Kaspersky’s desk. He decides to destroy the file. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”

Kaspersky continues, “The investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like “top secret” and “classified”.” In other words, Kaspersky isn’t using its antivirus scan of files on a protected system as a means to conduct a scan for documents which may contained identifiers indicating the presence of a government classification.

Hmmm.

What Next with Kaspersky?

There’s a couple of teaching points that fall onto the table.

What we lack in Kaspersky’s preliminary results of investigation is any indication that the escalation of this discovery included contacting the U.S. government. Early on in its piece Kaspersky makes it clear that the company liaisons with the U.S. government on Advance Persistent Threat issues, so the plumbing was in place to have the discussion. One would have thought once the files were recognized as being Equation Group malware source code, outreach to the U.S. government would have been a logical next step, given the device was in the United States. The CEO’s direction to destroy the files makes one accept Kaspsersky’s conclusion: Kaspersky knew what it had, it didn’t want to have it.

Antivirus software (regardless of flavor—Kaspersky, McAfee, Norton, Sophos, AVG) scans your files for the presence of malware. Think about that. Kaspersky noted in its piece it has verified that its stock version of its antivirus was not scanning for keywords in a search for classified materials. Capture the essence of this statement. Not scanning for keywords is not synonymous with being unable scan for keywords. One should conclude that Kaspersky—or any other security program that scans your files—may search for the presence of specific content.

Then for the truly paranoid among us, let’s look at the art of the possible when thinking along the lines of nation-state capabilities. As we opined in our piece on Russian targeting NSA, the Russian security services could push “amended” product updates that do have the ability to scan for specific keywords or files in a given user’s system. Kaspersky has confirmed it has the ability to pull files from a user’s device (one may assume other providers can as well). No doubt Kaspersky’s source code has been reviewed by Russia (the company just offered the same review to the United States). Such reviews permit the entity doing the review to search for backdoors and specific manelvolant behavior. It is also believed to give the reviewer a more comprehensive understanding of the product, which may facilitate the compromise of the integrity of the product. It is precisely this reason we now see McAfee joining Symantec in not permitting its source code to be reviewed by government entities. It is clear both understand the art of the possible from a product manipulation perspective and won’t hand over their code to give a potential entity a running start. It is, therefore, not hard to conclude: Plausible deniability may have been the reason for Kaspersky’s carefully worded title for its preliminary investigative report.

What we Want to Know

Kaspersky has destroyed the Equation Group files it uploaded. Its destruction of the files effectively puts the onus on the U.S. government to step forward and show how the Kaspersky antivirus application that was on the NSA contractor’s device did what Kaspersky claims (operating properly) or had been enhanced (scenario three above). We need to be able to determine if Kaspersky is unwitting or complicit.

Featured eBook
The Main Application Security Technologies to Adopt by 2018

The Main Application Security Technologies to Adopt by 2018

As hacker attacks on the application layer evolve, the need for application security that provides continuous coverage and real-time protection and remediation becomes a top priority. The tools and practices that used to provide security to organizations no longer provide a complete solution in today’s developer ecosystem. Security practices need to change, being implemented and ... Read More
WhiteSource

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 56 posts and counting.See all posts by burgesschristopher

One thought on “Kaspersky Says Its Hand Was in the Cookie Jar, But …

Comments are closed.