RUSSIAN SECURITY OUTFIT Kaspersky has denied it played a role in hacking into the personal computer of a US National Security Agency (NSA) worker.
Kaspersky Lab has published a report detailing an internal investigation it launched examining allegations that its software was used to compromise an NSA employee’s home computer.
In early October, a report published in the Wall Street Journal claimed that the firm’s software was used to download confidential data from an American agent’s home computer.
However, later reports circulated accusing the firm of deliberately taking files from the PC. Following the incident, Kaspersky conducted a full internal investigation to gather additional evidence and establish how the compromise happened.
Researchers at the company confirmed that Russian cybercrooks installed software on an NSA contractor’s computer to access and steal sensitive data.
The user, according to the company, was able to download and install pirated software on the machine. The researchers identified a compromised Microsoft Office ISO file, as well as an illegal Microsoft Office 2013 activation tool.
The user was able to install the pirated copy of Office 2013 only after disabling the Kaspersky security product. Had the product been left running on the PC, it would have flagged the illegal activator tool.
This illegal tool was infected with malware, which remained on the PC while the Kaspersky software was inactive. The malware gave other third parties remote access to the user’s machine, raising major security concerns.
However, when the company’s antivirus software was re-enabled, it detected the software with the verdict Backdoor.Win32.Mokes.hvl and stopped it from contacting a dodgy command and control server.
This backdoor approach was first identified in October 2014, but it’s still being used by cybercriminals looking to steal important data. Kaspersky researchers said the antivirus software detected other variants of the Equation APT malware too.
Several variants of the malware, including a 7zip archive, were sent to the Kaspersky Virus Lab for analysis. Researchers found that the archive contained a number of source code files and classified documents.
At the request of the firm’s CEO, these files were removed from its servers.
“The reason Kaspersky Lab deleted those files and will delete similar ones in the future is two-fold: first, it needs only malware binaries to improve protection and, secondly, it has concerns regarding the handling of potentially classified material,” the firm wrote.
“Because of this incident, a new policy was created for all malware analysts: they are now required to delete any potentially classified material that has been accidentally collected during anti-malware research.”
“To further support the objectivity of the internal investigation we ran it using multiple analysts including those of non-Russian origin and working outside of Russia to avoid even potential accusations of influence.”
Speaking about other findings, the firm said: “One of the major early discoveries of the investigation was that the PC in question was infected with the Mokes backdoor – a malware allowing malicious users remote access to a computer.
“As part of the investigation, Kaspersky Lab researchers took a deeper look at this backdoor and other non-Equation threat-related telemetry sent from the computer.”
Source: Inquirer