Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Kaspersky Lab, the US government's least favorite computer security outfit, has published its full technical report into claims Russian intelligence used its antivirus tools to steal NSA secrets. Last month, anonymous sources alleged that in 2015, an NSA engineer took home a big bunch of the agency's cyber-weapons to work on …


  1. Anonymous Coward
    Devil

    China did it! Not us!

    So sez the ex-KGB/GRU dude. For variable definitions of ex.

    Bu-shi.

    1. Allan George Dyer
      Pirate

      Re: China did it! Not us!

      Nope. Malware developer[1] installs anti-malware software[2] on their computer. Said software detects multiple items of malware and reports them. Some are ones that the malware developer was creating/using, others were ones from a rival malware developer[3] that the first malware developer was unaware of.

      1 - NSA

      2 - Kaspersky

      3 - China

      Score so far: NSA -2, Kaspersky 2, China 0. (not counting the 'FSB hacked Kaspersky', 'Israel hacked FSB' stories that seem uncorroborated).

      1. Anonymous Coward
        Terminator

        Re: China did it! Not us!

        > Malware developer

        You don't know that.

        > installs anti-malware software on their computer. Said software detects multiple items of malware and reports them.

        For every complex problem there is an answer that is clear, simple, and wrong.

        Reality is usually more complicated than what the press and other interested parties would want us to believe.

        NSA analyst is tasked with determining whether or not Kaspersky AV is spyware for the Russian FSB. Obviously, for security reasons, this op cannot be undertaken from inside NSA.

        For this purpose, he installs Kaspersky AV on a laptop specifically designated for this purpose, along with an allegedly bootleg copy of Microsoft Office and some obsolete NSA penetration tools. The laptop being used as a probe is connected to the Internet.

        To provide plausible cover for this op, the press is alerted - helpful leak - about this NSA analyst's unlawful copy of highly classified, offensive cyber-weapons. That's a felony that carries many years in prison. Plus the bootleg copy of MS Office to boot.

        Interestingly enough, the NSA analyst isn't formally charged.

        You think US Intelligence agencies don't use the press for planting cover stories? Think again.

        As expected, the NSA tools show up at the Russian FSB. The only possible explanation for this transfer is that Kaspersky AV slurped them from the laptop, and sent them to the FSB.

        Now that NSA has confirmation of what it had suspected all along, another cover story is helpfully leaked to the press - about the Israelis finding the NSA tools and the FSB inside Kaspersky's network.

        Now Kaspersky has a problem: they don't really have a plausible and innocent explanation for how exactly the stuff from that analyst's laptop showed up at the FSB. So, they blame NSA, China, stupid analyst, etc, etc, etc. As time goes on, their story gets more and more complicated and implausible.

        Kaspersky is correct on one point, though: NSA was involved in this op from the very beginning. Just not in the way Kaspersky describes it.

        NSA - 1 Kaspersky - 0.

        1. Anonymous Coward
          Anonymous Coward

          Re: China did it! Not us!

          > NSA - 1 Kaspersky - 0.

          Possible. But not plausible.

          1. I suggest you read Cobweb. You are attributing too much brain activity to a USA agency. It is uncharacteristic.

          2. It is not plausible, because if it was a "screw Kaspersky" op it would have used only a small subset and/or out of date tools. It would have not used crown jewels in active use. The Equation group toolkit discovered at that time was STILL with crown jewel classification.

          3. The Chinese connection is not necessarily Chinese. Both criminal gangs and nation state actors actively use Chinese proxies (so much for the Great Firewall). So no guarantee there. We do know however that the whole Equation group toolkit got stolen at about the same time (and recently put on sale).

          So the actual score at the time looks more like:

          NSA:0 Eugene:1 (he got proper info for his signatures as a result) GRU:2 (They got the whole toolkit - did they get it from Eugene or bypassing him is irrelevant for score taking purposes).

        2. h4rm0ny

          Re: China did it! Not us! @ST

          So your theory is that the NSA put highly valuable software and its source code on a laptop to see if Kaspersky would upload the files rather than, say, opening up "Settings" and toggling the Participate in Kaspersky Security Network or whatever it's called on or off. Or guessing that Kaspersky, like all the other antivirus vendors might have such a feature as is standard practice today?

          >>"Interestingly enough, the NSA analyst isn't formally charged."

          Yeah, I'm not really expecting to see a public trial over the NSA's widespread and dubious legality attempts to hack the world's computers. The guy will be lucky if he isn't Seth Rich'd a few miles from his home (or David Kelly'd as we call it in the UK).

          >>"Now Kaspersky has a problem: they don't really have a plausible and innocent explanation for how exactly the stuff from that analyst's laptop showed up at the FSB"

          I think the story is more than plausible. Idiot takes work home with him, probably because some technical restriction on his work laptop or rules about where things can be stored got in his or her way. Dodging around "stupid" company policies is almost routine for many developers. I once replaced my work computer's entire OS with Ubuntu because I didn't want to use Windows Vista. Smart idiots are the most dangerous of all idiots.

          1. eionmac

            Re: China did it! Not us! @ST

            Quote "I once replaced my work computer's entire OS with Ubuntu because I didn't want to use Windows Vista" Unquote. That was wise.

            1. h4rm0ny

              Re: China did it! Not us! @ST

              It came with a "Designed for Windows Vista" sticker too.

              We put it on the bin in our office.

          2. Anonymous Coward
            Terminator

            Re: China did it! Not us! @ST

            > NSA put highly valuable software

            You assume it was highly valuable. There were media-planted stories that NSA spyware had been mistakenly forgotten on some servers, where it was discovered. Whether or not the story as presented was indeed true is a matter of debate.

            > Participate in Kaspersky Security Network

            Seriously? You really believe that Kaspersky AV's extracurricular activities have a disclosed on/off switch? And you really think that checking off the Participate In Kaspersky's Network button stops Kaspersky from vacuuming your laptop or computer? Seriously?

            > Idiot takes work home with him

            Yeah. I don't buy this one. That's what Kaspersky and the FSB want everyone to believe. It's good PR for them. It's also the only way their version of the story makes any sense at all. Remove the idiot assumption from their story and everything Kaspersky has been saying falls apart.

            The story about the bootleg copy of Microsoft Office doesn't make any sense either. For a government employee, installing bootleg copies of software is a very serious offense. Many large-scale employers - and NSA is one of them - offer free copies of MS Windows and MS Office to their employees, while they are employed. I had this offer at two different employers. It was of no use to me, as I don't use Windows. There was no need for this NSA guy to install a bootleg copy of MS Office when he could have gotten a free and legal one from work.

            > Yeah, I'm not really expecting to see a public trial over the NSA's widespread and dubious legality attempts to hack the world's computers.

            But that's not what the trial would be about. For one, the trial would be in the US, where NSA's activities are legal. Or, to be precise, are not deemed to be illegal, no matter what they might be. The trial would be about unauthorized removal of classified material from a government facility and/or espionage. NSA has pursued very public lawsuits for this type of offense in the recent past.

            1. Anonymous Coward
              Anonymous Coward

              Re: China did it! Not us! @ST

              "And you really think that checking off the Participate In Kaspersky's Network button stops Kaspersky from vacuuming your laptop or computer? Seriously?"

              -Yes, because in our company we disabled that, and monitor all outbound traffic.

              "Idiot takes work home with him Yeah. I don't buy this one."

              -There are at least 3 documented known cases of NSA staff taking data out illegally, and how many undocumented and uncaught (shadow brokers) - you're the idiot.

              "The story about the bootleg copy of Microsoft Office doesn't make any sense either."

              -Microsoft's Home Use Program ended before 2015. It was a great deal, but gone. How many PCs does a typical geek have? just one? I doubt it.

              "in the US, where NSA's activities are legal"

              - No, they break the law all the time, they have no special exception. They are a runaway department.

            2. John Brown (no body) Silver badge

              Re: China did it! Not us! @ST

              "Seriously? You really believe that Kaspersky AV's extracurricular activities have a disclosed on/off switch? And you really think that checking off the Participate In Kaspersky's Network button stops Kaspersky from vacuuming your laptop or computer? Seriously?"

              Those were my thoughts too. Just how much access does the mothership have when you run antimalware and leave the default "share what I find with our researchers" options? It seems that Kaspersky has quite a lot of access to your PC. And as you point out, what access does it retain even after you click the off button?

        3. Anonymous Coward
          Big Brother

          Re: China did it! Not us!

          @ST: “NSA analyst is tasked with determining whether or not Kaspersky AV is spyware for the Russian FSB” ..

          Nice piece of disinformation going on there if you don't mind me saying so. The software would have been tested on an isolated system in an NSA lab, specifically designed for such a purpose.

          Answer me this: if Kaspersky was working for the FSB then why would they publicize the details on the NSA contractor hack?

          1. Anonymous Coward
            WTF?

            Re: China did it! Not us!

            > The software would have been tested on an isolated system in an NSA lab, specifically designed for such a purpose.

            Man, it's scary how incompetent you are, while firmly believing that you actually know something. One goes together with the other though, so no surprise here.

            Really? You're going to deploy software suspected of being spyware tied to a foreign and hostile intelligence agency inside the secure network of another intelligence agency? And that's OK because you checked off all the checkbox buttons labeled "Slurp the hard drive"?

            Let me ask you something. Do you work for the Internet Research Agency? Or are you just a non-profit freelancer?

            > Answer me this: if Kaspersky was working for the FSB then why would they publicize the details on the NSA contractor hack?

            Because it creates a cover story for their extracurricular activities, and it gives them credibility to gullible morons such as yourself and the AC moron above you who can't even put together a coherent sentence. That's why.

            1. Anonymous Coward
              Big Brother

              Re: China did it! Not us!

              @ST: "Really? You're going to deploy software suspected of being spyware tied to a foreign and hostile intelligence agency inside the secure network of another intelligence agency?"

              What part of isolated in a lab don't you understand? Answer me this: why didn't the other AV tools such as Avast and AVG detect the NSA malware?

        4. Anonymous Coward
          Facepalm

          Re: China did it! Not us!

          @ST: “for security reasons, this op cannot be undertaken from inside NSA"

          Now who is the gullible moron?

        5. Allan George Dyer

          Re: China did it! Not us!

          As AC said, with more detail, "Possible. But not plausible."

          But I'd add, you said:

          "> Malware developer

          You don't know that."

          and later:

          "NSA penetration tools"

          So what is a penetration tool created with the intent of unauthorised access, if not malicious?

          1. Anonymous Coward
            Anonymous Coward

            Re: China did it! Not us!

            The analyst who had these NSA tools installed on his/her laptop isn't necessarily the same person who wrote them in the first place.

            He or she could just be an analyst tasked with a specific job. As for the penetration tools, these were likely written by a team of engineers, and not just one person.

            We do not know if the analyst in question participated in the development of these tools, or is just a user of these tools and had no involvement in their development.

  2. Ptol

    The problem is that whilst it is entirely possible this is the output of an honest and genuine post incident review, that shines light on both the sophistication of state operators in the internet espionage world, and also the complete naivety and carelessness of key individuals that should have known better.

    It could also be a great work of fiction.

    Guess we might know for sure in 50 years time.

    1. Voland's right hand Silver badge

      It also shines light on just how much an antivirus package would exfiltrate if it decides that something is potential malware.

      While the goal is "for the greater good", the functionality and capability does not go well with operating it on machines which contain classified data.

      This is applicable to ALL modern commercial antivirus packages and doubly so to the free ones (AV vendors use the free versions as an early warning/capture net).

      1. Destroy All Monsters Silver badge
        Big Brother

        Mocus! Found on the PC of Bickus Dickus!

        One wonders why the NSA is both incapable of delivering a 100% top notch open-source antivirus program to US folks and why they even consider Windows an acceptable endpoint system.

        Maybe a few billion that went to Middle Eastern wars could have been productively used 15 years ago. Project Flask / SELinux is not enough.

        1. h4rm0ny

          Re: Mocus! Found on the PC of Bickus Dickus!

          Why on Earth would the NSA of all people want to help create a more secure OS? That's like expecting bank robbers to want to help create a better safe.

          That's not what they do.

          1. Doctor Syntax Silver badge

            Re: Mocus! Found on the PC of Bickus Dickus!

            "Why on Earth would the NSA of all people want to help create a more secure OS?"

            To use themselves. Clearly they need it.

          2. Anonymous Coward
            FAIL

            Re: Mocus! Found on the PC of Bickus Dickus!

            > That's not what they do.

            Yeah. Check out SE Linux and its offshoot SE Android. Both were originally written by NSA.

        2. Tom Paine

          Re: Mocus! Found on the PC of Bickus Dickus!

          > One wonders why the NSA is both incapable of delivering a 100% top notch open-source antivirus program to US folks

          Because it's not something they're set up or resourced to do, and because it would be disrupting commerce with illegal government subsidies?

  3. Winkypop Silver badge

    Who to trust? NSA or Kaspersky?

    No brainer.

    Kaspersky.

    1. Tom 64
      Headmaster

      Re: Who to trust? NSA or Kaspersky?

      Neither.

      *doffs tinfoil hat

      1. h4rm0ny

        Re: Who to trust? NSA or Kaspersky?

        Well of course you should never trust anyone if you can help it. But logically I'd rather the Russians knew if I did something wrong than my own government. Russian police are unlikely to show up at my door because I committed a crime, joined a political group or said one of the ever-expanding list of things considered hate speech or harassment on Twitter. Putin doesn't get off his bear for less than an international incident!

        1. Doctor Syntax Silver badge

          Re: Who to trust? NSA or Kaspersky?

          "Putin doesn't get off his bear for less than an international incident!"

          You really deserve two upvotes. One for that & one for the rest of the post.

        2. Tom Paine
          Black Helicopters

          Re: Who to trust? NSA or Kaspersky?

          > Russian police are unlikely to show up at my door because I committed a crime

          But they'd be very happy to use that to recruit you into helping them out, if you were in a position with any influence, power, or access to interesting data.

          Thank goodness no-one in government today has any sort of record that might suggest they're susceptible to being, shall we say, influenced. And certainly not the Foreign Secretary, with his gleaming unblemished record and well-known propinquity for propriety at all times.

          https://www.newsmax.com/Newsmax/files/19/19f92cad-4e7b-4fb2-84d1-b61c3ff6c0b6.JPG

  4. frank ly

    Cheapskates?

    Why would someone working at this level of 'software nastiness' install cracked/pirated MS Office software on their computer?

    1. TimeMaster T

      Re: Cheapskates?

      Because they were cheap ass consultants who didn't want to spend the money on fully licensed MS software but were also too lazy to get Libre/Open Office.

      I've encountered that in many small businesses I've done IT work for over the years. One time there were 4 of 5 machines running hacked Solidworks CAD software and ALL the machines (23 total) were running hacked installs of MS Office 2003. I brought this to the owner's attention and he told me "I've already given MS enough money, they aren't getting any more from me" and my favorite line was "It's too expensive" when I brought up the Solidworks (each license was something like US$40K at the time). About a month later he had me spec out and purchase a new US$3500 desktop system, and he asked me if I could download a 64 bit version of Windows instead of paying for it. I was laid off fairly soon afterwards because "the network is running so well we don't think we need a full time IT guy anymore". I thought about tipping off the BSA but the boss wasn't worth it.

      The moral? Even when someone can afford it they will cheat because they want to save a buck or two and don't care how they do it.

    2. Voland's right hand Silver badge

      Re: Cheapskates?

      Paid by the hour contractor. That much is also known - the guy was not on permanent staff.

      1. Destroy All Monsters Silver badge

        Re: Cheapskates?

        Well, if the contract didn't say anything about OpSec requirements....

    3. allthecoolshortnamesweretaken

      Re: Cheapskates?

      Gilks sighed. ‘You’re a clever man, Cjelli, I grant you that,’ he said, ‘but you make the same mistake a lot of clever people do of thinking everyone else is stupid.

  5. TimeMaster T
    Black Helicopters

    Perfect timing ...

    "It was unfortunate timing"

    I wouldn't say that, it was perfectly timed to support the whole "Russians did it" narrative being pushed by the US Government.

    1. Tom Paine
      FAIL

      Re: Perfect timing ...

      > it was perfectly timed to support the whole "Russians did it" narrative being pushed by the US Government

      So, the more evidence of Russian AM around the election emerges, and the more solid and reliable it seems, the LESS it should be trusted. Gotcha.

      BTW, I think you'll find the US government has been fairly consistently rejecting the considered opinion of the entire US Intel Community. Last I heard, it was calling the former directors of the NSA and CIA "political hacks".

      (Unless by 'government' you meant that Sputnik / RT "deep state" meme, in which case: yeah, clever wording, cheers)

  6. Milton

    What's implausible ...

    Notwithstanding the irritating posts that appear to be firmly grinding axes one way or the other, the thing that most surprises me is that an NSA staffer would be working on *anything* at home—or indeed, anywhere that isn't at the office. I don't know NSA's policy specifically, but I can't be the only commentard with some trifling insight into how similar agencies work, and I would be astounded to hear that NSA allows folks to work from home—there should be nothing on an NSA employee's personal devices that even hints what she does for a living, much less scraps of code from her current project. There's a reason Ft Meade has a car park the size of Delaware. A vanishingly small number of senior employees will have dedicated connections and kit in their homes, which will be swept regularly and security audited to a fare-thee-well. A slightly larger number will have thoroughly encrypted mobile devices for field ops (and I'd expect those to be treated much the same way as guns in the Army: you don't take 'em off the premises without approval and they are signed back in while still warm). But that's pretty much it.

    For me, the "WFH" part of the Kaspersky story doesn't make sense. I'm not imputing any evil motives to them, but I don't need to: isn't it simply common sense these days, not to use Russian or Chinese stuff? For the person who asked "Who to trust? NSA or Kaspersky?", the answer IS easy: neither.

    And while I'm yammering, a final thought: again, I'll be astonished if NSA itself does not keep a minutely close eye on its employees' use of internet, their deployment of security products, even browsing habits. Surely using a pirated Windows would have earned the offending party an interview without coffee, at the least??

    1. Doctor Syntax Silver badge

      Re: What's implausible ...

      "the thing that most surprises me is that an NSA staffer would be working on"

      Cease being surprised. It's been stated often enough that it was a contractor.

      1. Voland's right hand Silver badge

        Re: What's implausible ...

        Cease being surprised.^2

        USA govt has gone a bit too far down the road of privatization. Have a look at all recent incidents and read them in detail from this perspective - starting from Snowden, going through this one and finishing with the Angst In Her Pants lady.

        ALL CONTRACTORS.

        More than half of the agencies' workload, especially in the infosec and development area, is subcontracted and at least some of them definitely cut corners to increase margins.

      2. Anonymous Coward
        Anonymous Coward

        Re: What's implausible ...

        "Cease being surprised. It's been stated often enough that it was a contractor."

        Why would the contractors be given more access and privileges than the regular personnel? Can they just download all the goodies into their infected laptop full of warez and carry it out of the place just like that?

        Snowden was a contractor. The docudrama carrying his name may or may not have been accurate in depicting his work conditions, but it certainly didn't seem easy to carry documents or *anything* out of the place. I'd hazard a guess that NSA has reviewed their security afterwards and are even more strict these days.

  7. Anonymous Coward
    Anonymous Coward

    is Zhou Lou related to Lin Chin?

    What a criminal mastermind, I mean if you're going to use a command and control server there is no better way to hide your tracks than putting your actual name in the email and run it from your own home.

    Also why is someone with access to NSA spy tools using a pirated copy of Office anyway?

    Who will Fingermouse blame next? I reckon Scampi, he's red so could be a Nork.

    Fingermouse, Fingermouse

    They never stop to think a mouse

    1. Anonymous Coward
      Anonymous Coward

      Zhou Lou = Zulu

      Look for someone with an obsession for old Michael Caine movies. That's who did it...

      1. WolfFan Silver badge

        > Zhou Lou = Zulu

        > Look for someone with an obsession for old Michael Caine movies. That's who did it...

        That's the very first Michael Caine movie. Well, the first where he got star billing, anyway.

    2. Alan Brown Silver badge

      "is Zhou Lou related to Lin Chin?"

      No, but he does take orders from Captain Kirk whilst he's on the helm

  8. Anonymous Coward
    Anonymous Coward

    So, after all, Kaspersky actively lifted files from a machine and transferred them to Russia...

    ... did it with the user consent, or not?

    AV became just another backdoor, it looks.

    Anyway NSA should really start to hire competent people, not clueless ones that want to play with secret malware at home on an internet connected machine full of pirated software and with an AV fully active...

    1. Tom Paine

      Re: So, after all, Kaspersky actively lifted files from a machine and transferred them to Russia...

      > Anyway NSA should really start to hire competent people, not clueless ones that want to play with secret malware at home on an internet connected machine full of pirated software and with an AV fully active...

      You've never tried recruiting for infosec roles, have you.

      (See this big flat patch at the top of my forehead?)

    2. Anonymous Coward
      Anonymous Coward

      Re: So, after all, Kaspersky actively lifted files from a machine and transferred them to Russia...

      "... did it with the user consent, or not?" - this is the USA, where pop-up legal dialogues are considered binding.

      When you install Kaspersky it has a tick box for this that you can choose to un-tick, it is quite clear that it will upload suspect files to them.

      One would imagine that anyone working in the US in cyber "intelligence" would more than know the implications of clickthrough.

      That the machine was riddled with malware shows either how diligent they weren't or that it was a honey pot. Either way Kaspersky wasn't doing anything underhand and to be quite frank I rather like the idea that they would take any opportunity to protect their customers even when it is against the US.

      Kaspersky was, from the reports, doing what they were supposed to do as an AV company, not so for the NSA agent.

  9. x 7

    But why wouldn't Kaspersky report to the Russian Authorities?

    Presumably if Symantec or McAfee turned up a cache of similar government-sponsored hacks they'd report them to the NSA as a matter of course, just as a UK company would report to GCHQ?

    There doesn't have to be any underhand behaviour here - surely reporting threats of this type to the security bods of your country is SOP?

    1. Doctor Syntax Silver badge

      @X7

      Thanks for the last paragraph - until then I thought your posting was ironical.

      Such companies are in the business of protecting their customers from threats. Knowledge of such threats is a company trade secret. No successful business is going to share its trade secrets with anybody, not if it wants to remain successful. And I doubt the local state security organisation would ever consider reciprocating.

    2. Tom Paine
      Thumb Up

      me too

      That's my guess about what happened. When the malware samples suddenly started turning up protectively marked classified information -- well, would YOU want to explain to Mr President why you destroyed top secret data relating to a reasonably hostile foreign state? Russian prisons have a reputation not dissimilar to that of the psycho-redneck racist sheriff or judge or whatever he was, whose prisons had a mysteriously very high mortality rate (spoiler alert: because sick people were left screaming in agony until they died, and because the guards were - are - very, VERY enthusiastic and keen.)

      Anyway so I don't think you can really condemn Kaspersky for doing that. That doesn't mean that, if you have confidential data or code that would be of interest to the RU gov, you should run their product.

      The idea that KAV could be in effect a RAT, allowing searches for and exfiltration of data for any other reason than 'it looks like malware and we want to analyse it' is for the birds; as soon as a single researcher got pcaps of it in action, the entire firm would be out of business.

  10. payne747

    TL;DR

    AV software automatically sent leaked NSA malware for analysis. Almost any modern AV would do this today - it just so happened this one was in Russia.

    Fault is entirely with the NSA for having the worst 'take your work home with you' policy ever known to mankind.
