Kaspersky claims pirated Office software was behind NSA exploit leak

The company has released the early results of its investigation into the 2014 incident

NSA data

Kaspersky has refuted claims its software could be used by the Russian government to spy on US intelligence operatives, indicating that pirated Microsoft Office software is to blame instead.

Following allegations that Russia's FSB intelligence agency used its antivirus software to infiltrate the PC of an NSA contractor and steal top-secret exploit code, the Russian security firm released the preliminary results of its own investigation into the incident.

According to the company's detailed timeline, Kaspersky's antivirus software detected samples of malware created by the Equation group - a highly-sophisticated hacking group widely suspected of ties to the NSA - on the PC of a US user in September 2014.

"Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator," the company explained. "To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine ... Executing the keygen would not have been possible with the antivirus enabled."

Advertisement
Advertisement - Article continues below

This keygen, the company claimed, was in fact a Trojan, which dropped a "full blown backdoor" onto the subject's PC, which "may have allowed third parties access to the user's machine".

After the user re-enabled their anti-virus installation, the software blocked the backdoor. It also began detecting previously unknown variants of the Equation malware, including a 7zip archive. This archive was promptly sent back to Kaspersky Lab HQ for analysis, at which point it was found to contain "multiple malware samples and source code for what appeared to be Equation malware".

Upon discovery, this was reported to CEO Eugene Kaspersky. The company said that the archive and its contents were deleted from all of Kaspersky's systems and was not shared with anyone else. It also stated that "Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like 'top secret' and 'classified'."

In short, the company appears to be implying that its software was turned off by an NSA contractor in order to install a pirated version of Office 2013, which contained a backdoor. This backdoor could then have been used by the FSB to gain access to the NSA's Equation exploits, as opposed to the exploits being turned over by Kaspersky Lab itself exploits which were promptly deleted from its files, the company said, when it discovered what they were.

This story has drawn a mixed response from the cybersecurity community; F-Secure chief research officer Mikko Hypponen has subtly hinted that the lure of keeping hold of sophisticated nation-state malware may have been too much for Kaspersky to resist.

Ex-black hat-turned-pen-tester Kevin Mitnick, however, said that the company's account more plausible than alternative explanations.

"The investigation is still ongoing," Kaspersky stated, "and the company will provide additional technical information as it becomes available. We are planning to share full information about this incident, including all technical details with a trusted third party as part of our Global Transparency Initiative for cross-verification."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019