
Kaspersky sheds more light on Equation Group malware detection

A lengthy Kaspersky report offers more insight into how the antivirus company discovered Equation Group malware and came to possess classified U.S. government data.

Kaspersky Lab published a lengthy report that shed further light on its discovery of Equation Group malware and its possession of classified U.S. government materials.

The antivirus company, which has been under intense scrutiny by government officials and lawmakers this year, disclosed that classified materials were transmitted to Kaspersky's network between Sept. 11, 2014, and Nov. 17, 2014. In a previous explanation, the company said Kaspersky antivirus software detected malware on a computer located in the greater Baltimore area. Kaspersky later discovered a 7-Zip archive on the computer that had Equation Group malware and other materials with U.S. government classified markings.

Kaspersky's new investigation details were issued in response to several media reports that claimed Russian state-sponsored hackers used Kaspersky's antivirus software to identify and locate U.S. government data. The reports claimed that, in 2015, a National Security Agency contractor's system was compromised by Russian hackers using Kaspersky antivirus scans, which led to a massive leak of confidential NSA files and Equation Group malware. The news reports also claimed Israeli intelligence penetrated Kaspersky's network in 2014 and found classified NSA materials on its network.

The Equation Group was an advanced persistent threat (APT) group that was first identified by Kaspersky researchers in 2015 and later linked to the NSA in 2016 following disclosures by the hacking group known as the Shadow Brokers.

New details in Kaspersky's investigation

Thursday's report provided new details about the computer with Equation Group malware, which was believed to be the NSA contractor's system. Kaspersky did not confirm or deny these reports, saying its software anonymizes users' information and divulging details about the specific user in this case would violate its ethical and privacy standards.

The Kaspersky investigation revealed the suspected NSA contractor's computer was "compromised by a malicious actor on October 4, 2014" as a result of a backdoor Trojan known as Smoke Loader or Smoke Bot. The compromise occurred during the nearly two-month span Kaspersky identified and scanned the computer from Sept. 11 to Nov. 17, 2014.

Kaspersky said it believes the user turned Kaspersky's antivirus software off at some point during that time frame in order to install a pirated version of Microsoft Office, which allowed Smoke Loader to activate. The report also noted Smoke Loader was attributed to a Russian hacker in 2011 and was known to be distributed on Russian hacker forums.

Kaspersky said once the classified markings were discovered in the 7-Zip archive materials, all data except the malware binaries was deleted under order of CEO Eugene Kaspersky. The company also said it "found no indication the information ever left our corporate networks."

Kaspersky's report appeared to suggest the threat actors who reportedly found the classified NSA data and Equation Group malware likely did so by hacking the computer directly with Smoke Loader and not, as media reports claimed, by hacking into Kaspersky's network and abusing the company's antivirus technology.

The company also said it's possible the computer had other malware on it that Kaspersky didn't detect.

"Given that system owner's potential clearance level, the user could have been a prime target of nation states," the report stated. "Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage."

Thursday's report followed comments from Jeanette Manfra, assistant secretary for cybersecurity and communications at the U.S. Department of Homeland Security, who told the House Science, Space and Technology Oversight Subcommittee earlier this week that there was no conclusive evidence that Kaspersky software had been exploited to breach government systems.

Policy changes

The report also contained new information about how Kaspersky responded to the 2014 Equation Group malware discovery and the company policy changes that followed.

"The reason we deleted those files and will delete similar ones in the future is two-fold. We don't need anything other than malware binaries to improve protection of our customers and, secondly, because of concerns regarding the handling of potential classified materials," the report states. "Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions."

Kaspersky said that those concerns led to the adoption of a new policy for the company that requires all analysts to "delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party."

The report didn't say whether Kaspersky ever notified the NSA or other government agencies about the Equation Group malware it discovered or the classified data contained in the 7-Zip archive. In a previous statement on the situation, the company stated, "As a routine procedure, Kaspersky Lab has been informing the relevant U.S. government institutions about active APT infections in the USA." It's also unclear why, after finding the classified U.S. government files, the company never disclosed Equation Group was connected to the NSA.

Kaspersky has not responded to requests for comment on these questions.

The company responded to media reports that claimed threat actors used Kaspersky antivirus scans to hunt for classified markings.

"We have done a thorough search for keywords and classification markings in our signature databases," Kaspersky said. "The result was negative: We never created any signatures on known classification markings."

Kaspersky did, however, acknowledge that a malware analyst created a signature for the word "secret" based on the discovery of the TeamSpy malware in 2013, which used a wildcard string pattern based on several keywords, including "secret." The company hypothesized that a third party may have either misinterpreted the malware signature or maliciously used it against Kaspersky to spread false allegations.
