By AFP on January 11, 2019
The computer security firm Kaspersky Lab helped the US NSA spy agency uncover one of its worst-ever security breaches — one year before the US banned the company’s products for government use, US media has reported.
Politico and the Washington Post said the Moscow-based maker of anti-malware products told the National Security Agency that one of its contractors, Harold Martin, had contacted it via cryptic messages on Twitter.
The messages arrived at Kaspersky shortly before unknown hackers known as the “Shadow Brokers” made available on the internet an assembly of advanced hacking tools that the ultra-secret signals intelligence body used to spy on the communications and computers of foreign governments and officials.
After the Shadow Brokers release, Kaspersky researchers thought there was a connection with Martin’s messages and reached out with the information to the NSA.
Weeks later, in August 2016, federal agents arrested the contractor, Harold Martin, discovering that he had stockpiled in his home a massive amount of sensitive NSA data, computer code and programs — some 50 terabytes worth — over two decades.
It was considered the largest-ever breach of classified data in US history.
According to the reports, the Twitter messages were used to justify the warrant issued to investigators to search Martin’s home.
The Kaspersky assistance “indicates that the government’s own internal monitoring systems and investigators had little to do with catching Martin,” Politico wrote, citing two unnamed sources familiar with the Martin investigation.
But within months, the NSA decided that Kaspersky itself could have been instrumental in another leak of its hacking tools, and in September 2017 officially banned the use of Kaspersky software from computers involved in any government operations.
US intelligence officials — including then-NSA chief Michael Rogers — suggested Kaspersky had intimate ties to Russian intelligence.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security,” acting secretary of Homeland Security Elaine Duke said at the time.
Kaspersky strenuously denied the allegation. But it took a heavy toll on Kaspersky’s two-decade-old business that saw its anti-virus software installed on hundreds of millions of computers around the world.
Both the NSA and Kaspersky declined to comment, with the NSA citing the ongoing litigation regarding Martin.
Martin has been charged with theft of and illegal retention of classified data in his Maryland home.
But he has not been charged with leaking the materials to the Shadow Brokers or any others.
Kaspersky Shares More Details on NSA Incident
By Eduard Kovacs on November 16, 2017
Kaspersky Lab on Thursday shared more details from its investigation into reports claiming that Russian hackers stole data belonging to the U.S. National Security Agency (NSA) by exploiting the company’s software.
The Wall Street Journal reported last month that hackers working for the Russian government stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.
The WSJ article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm’s involvement.
In a preliminary report, Kaspersky said the incident referenced in the WSJ article likely took place in 2014, when the company was investigating malware used by the Equation Group, a threat actor later associated with the NSA.
In a more technical report published on Thursday, Kaspersky said the incident likely occurred between September 11, 2014 and November 17, 2014 – the security firm believes WSJ’s source may have mixed up the dates.
In September 2014, Kaspersky’s products detected malware associated with the Equation Group on a device with an IP address pointing to the Baltimore area in Maryland. It’s worth noting that the NSA headquarters are in Fort Meade, Maryland, less than 20 miles from the city of Baltimore.
The Kaspersky product present on the device automatically sent an archive containing the suspected malware files back to the company’s systems for further analysis. The said archive contained source code for Equation malware, along with four documents with classification markings (e.g. secret, confidential).
The Kaspersky analyst who found the archive informed the company’s CEO of its content and the decision was made to remove the files from its storage systems.
So is it possible that the classified files were somehow obtained by Russian actors from Kaspersky’s systems? The firm denies spying for the Russian government and claims the data was removed from its systems – only some statistics and metadata remain – but it cannot guarantee that its employees handled the data appropriately.
“We cannot assess whether the data was ‘handled appropriately’ (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so,” the company said.
While Kaspersky admitted that its systems were breached in 2015 by a threat group linked to Israeli intelligence, the company said it found no evidence that the NSA files left its systems.
As for the assumption that Kaspersky’s products may have been specifically configured to look for secret files on the systems they were installed on, the company said all the signatures for retrieving files from a user’s device are carefully handled and verified by an experienced developer, and there is no evidence that anyone created a signature for files marked “secret” during the Equation investigation.
The company determined that an analyst did create a signature for files with names that included the string “secret,” but it was for a piece of malware associated with the TeamSpy espionage campaign. The signature included a path specific for that malware to avoid false positives.
Another possible scenario is related to the fact that the device of the NSA contractor got infected with malware after the Kaspersky antivirus was disabled. The security product was temporarily disabled when the user attempted to install a pirated copy of Microsoft Office using a known activation tool.
After the antivirus was re-enabled, Kaspersky detected 121 threats on the system. The malware associated with the Office activation tool was Smoke Bot (aka Smoke Loader), which had been sold on Russian underground forums since 2011. At the time of the incident, the malware communicated with servers apparently set up by an individual located in China.
Kaspersky says it’s also possible that the contractor’s computer may have been infected with stealthy malware from a sophisticated threat actor that was not detected at the time.
Several recent media reports focused on Kaspersky’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of company’s products. As a result, the Department of Homeland Security (DHS) has ordered all government agencies to identify and remove the firm’s products, despite the apparent lack of evidence supporting the claims.
In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.
“Shadow Brokers” Wants 10,000 Bitcoins for NSA Exploits
By Eduard Kovacs on October 17, 2016
The group calling itself “The Shadow Brokers” has changed tactics and announced the launch of a crowdfunding campaign for the exploits allegedly stolen from the NSA-linked threat actor known as the Equation Group.
In mid-August, The Shadow Brokers leaked 300 Mb of firewall exploits, implants and tools, claiming that the files had been obtained from the Equation Group. The hackers launched an all-pay auction in hopes of making a serious profit for a second batch of files that allegedly includes exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools.
However, since the auction only raised less than two bitcoins, the group has decided to try a different approach: crowdfunding. They have insisted that their only goal is to get paid for the exploits.
“TheShadowBrokers is not being interested in fame. TheShadowBrokers is selling to be making money and you peoples is never hearing from TheShadowBrokers again!,” the group said. “TheShadowBrokers is being disappointed peoples no seeing novelty of auction solution. Auction is design for to make benefit TheShadowBrokers.”
The first statement published by the hackers led many to believe that they had been demanding one million bitcoins for the second batch of files, but the group later clarified that their demands were misunderstood.
They claimed the second batch was up for auction and that the one million bitcoins were actually related to a “consolation prize.” Since only the winner of the auction would get the files, the hackers were prepared to leak more information for free if they raised one million bitcoins.
“TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins),” the hackers said. “Sharing risk. Sharing reward. Everyone winning.”
Experts confirmed that the first files published by Shadow Brokers were genuine and Cisco even discovered zero-day exploits in the leak.
There are several theories on who is behind Shadow Brokers. Some believe it’s the work of the Russian government, while others suggested that it could be an NSA insider. Some speculated that the files might have been inadvertently exposed on a server, allowing anyone to grab them.
“Shadow Brokers” Claim Hack of NSA-Linked Equation Group
By Kevin Townsend on August 16, 2016
Has the Bear Raided the Eagle’s Nest?
News that a supposedly NSA-related hacking group known as The Equation Group had itself been hacked by a separate group known as The Shadow Brokers emerged Monday. A number of files and screenshots were leaked by the latter with the offer of making the supposedly more damning files available for a fee of 1 million bitcoins (currently in excess of $500 million).
The Equation Group has been linked to the NSA since a Kaspersky Lab report dated February 16, 2015. This report said the group has been active for almost two decades and that it is “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.” It does not specifically associate the group with the NSA, but suggests “the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators — generally from a position of superiority. The Equation Group had access to zero-days before they were used by Stuxnet and Flame.”
There is nothing currently known about the Shadow Brokers.
The files leaked so far appear to be genuine. How, where, when and from whom they were acquired remains unknown — and there is no guarantee that there really is anything else. The ransom fee of $0.5 billion takes this beyond a normal extortion exercise since there are few who could pay this. If the Equation Group really is the NSA, then it could be an attempt to get the US government to ‘buy back’ their cyber weapons — but that would be unlikely.
There have been suggestions that perhaps the NSA itself has been hacked. This is also unlikely. A security researcher known as the Grugq tweeted “This dump does not support the assertion that NSA was hacked. That sort of access is too valuable to waste for (almost) any reason.” He added, “I would guess: the dump is the take from a counter hack against a pivot/C2 that was mistakenly loaded with too much data. Shit happens.”
This view is shared by Sean Sullivan at F-Secure. “If the Shadow Brokers actually hacked something, it wasn’t ‘the NSA’. At least not in the sense that some group is now in the NSA’s many various networks reading through documents and e-mails and such.” Instead he also suggests that it could be an example of ‘hacking back’. Perhaps an organization hacked by the Equation Group forensically “discovered a resource to go after. This ‘auction’ seems an awful good way to publicly embarrass a political rival in a way that can’t be positively attributed.”
Embarrassment would appear to be a strong motive behind this incident. The news emerged at the beginning of the week, and Shadow Brokers had pre-registered Tumblr, Reddit, Twitter and Github accounts to get their message out with maximum impact.
One question remains. Who are Shadow Brokers? Many are suggesting it is a Russian state-actor, potentially the Russian equivalent of the Equation Group. This is possible. There is a low-level cyber war between the US and Russia. It is suggested that Russia was behind the DNC hack, and that Guccifer 2.0 is in fact ‘Russia’. For its part, the NSA will have been active against Russian targets; that’s its job.
It is therefore a reasonable conjecture that the Equation Group breached a Russian target and that a Russian forensics team traced the breach back to a server that contained Equation Group files. But was the NSA hacked? Almost certainly not. Do the Shadow Brokers have more files? Possible; but probably nothing like they intimate. Given the armory of Equation Group weapons described by Kaspersky, would any criminal gang or foreign state either admit they have them or sell them back? Using the weapons would earn even more than their asking price.
We will likely learn more over the coming months — but for the moment, we can only guess.