More Than 120 Malware Detections Triggered on NSA Employee’s Computer

Kaspersky Lab has concluded an internal investigation into an incident that led to the company being accused of using its antivirus program to copy secret files from the personal computer of an NSA employee. The company believes it has identified the incident in its logs, but telemetry data revealed more than 120 malware detections on the computer, including one for a backdoor of Russian origin.

Last month, the Washington Post and the Wall Street Journal reported that in 2015 an NSA employee from the agency’s Tailored Access Operations division took home classified files, including source code for cyberattack tools that he was working on replacing for the agency due to the Snowden leaks.

Because the employee had Kaspersky Antivirus on his personal computer, the files were detected and copied and subsequently ended up in the hands of the Russian government, the newspapers reported, citing unnamed sources familiar with the matter.

Kaspersky repeatedly denied having any inappropriate ties to governments or intelligence agencies but launched an internal investigation to determine if the alleged incident happened and how. The results of that investigation were published Thursday.

The company has analyzed all instances in which its products detected malware associated with Equation, a cyberespionage group that’s widely believed to be the NSA’s Tailored Access Operations unit. In this case, an unusually large number of Equation-related detections were triggered over a short period of time in September 2014 on the same computer.

“The file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some executables as well as archives containing them, and any files detected (including archives they were contained within) were automatically pulled back,” the company said in its report. “At this point in time, we felt confident we had found the source of the story fed to Wall Street Journal and others.”

When investigating one of the archives that was sent back to the company’s servers by the antivirus program, a Kaspersky analyst determined that in addition to malicious binary files, it contained source code and four documents marked as secret.

“Upon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named ‘[undisclosed].7z’ was removed from storage,” the company said, adding that this was done because of concerns regarding the handling of potentially classified materials.

Kaspersky Lab’s data suggests that other hackers might have obtained access to the computer at around the same time that the Equation files were present on it. That’s because the antivirus triggered detections on the same machine for 121 non-Equation-related malware programs, including exploits for Java, Flash Player, Windows and other programs; password cracking and credential harvesting tools; Trojans; adware; backdoors and viruses.

Some of those detections were probably for tools the NSA employee was working with, but some clearly were not. In one case, the antivirus program detected a backdoor called Win32.Mokes.hvl embedded in an illegal activator for Microsoft Office. The backdoor was later detected again, this time running on the system, which suggests that the user disabled the antivirus to install the Office crack.

According to Kaspersky Lab, Mokes is a Trojan program created by a Russian hacker in 2011 and sold on underground forums as Smoke Bot or Smoke Loader.

“Of course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research,” the company said. “Given that system owner’s potential clearance level, the user could have been a prime target of nation states. Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”

Kaspersky’s report is not likely to change the opinion of people in the U.S. government and intelligence community who believe running Kaspersky Lab products on government computers represents a risk for national security. However, the incident shows that the NSA has trouble keeping its files secure.

This is the third case of an NSA employee taking home a large number of classified files without authorization, after Edward Snowden and Harold T. Martin III, who is currently awaiting trial for storing 50TB of data on his personal computer. And some people think there might be a fourth leak associated with the Shadow Brokers, a shadowy group that has been publishing and selling NSA exploits and tools for more than a year.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
