- InformNapalm.org (English) - https://informnapalm.org/en -

Kaspersky case and cyber espionage: how Russia opened the Pandora’s box

Sean Brian Townsend [1] is an independent researcher in the field of information and computer security, a member and the spokesman of the Ukrainian Cyber Alliance [2]. He explains how Kaspersky Lab and the FSB hacked and leaked the secret NSA tools under the guise of The Shadow Brokers hacker group. These leaks became the origin of WannaCry, NotPetya, and BadRabbit ransomware attacks.
The editors of InformNapalm may not share the opinions of the authors in the [opinion] [3] section, and does not alter the original style of the articles.

Antivirus software – myths and reality

The activities of antivirus (AV) companies are steeped in myth. Users tend to accuse them of two deadly sins: that they themselves develop viruses for their own enrichment, and that AV software can be used for surveillance. These myths are false but very tenacious, and AV developers have been struggling to dispel these conspiracy theories for decades. The origins of the suspicion lie in the fact that the users are forced to blindly trust AV software.

Kaspersky Lab has played fair for 25 years, but one day it did fall for a temptation. And now this AV vendor will not be remembered in the future as a defender. Its fame will be like that of the Irish builder in the “you fuck just one goat” joke.

Hacker myths

Myths about hackers are as rife. In mass culture, hacking is perceived as a “superpower”. As Arthur Clarke once put it, “Sufficiently advanced technology is indistinguishable from magic”. The character under the Guy Fawkes mask, with a few keyboard strokes, retrieves passwords “from under the asterisks”, transfers a million dollars, or redirects the traffic in a tunnel in the opposite direction, spreading panic and destruction. This never really happens. Or rather, it happens, but not exactly like that.

Most hackers specialize in one specific area and achieve their goals with the number, persistence, and simplicity of the technologies used, rather than with some esoteric computer voodoo. It is all based on simple economic and statistical rules, where it’s easier to make a dollar a thousand times than a thousand dollars once. And the cost of a targeted attack starts at several thousand dollars. The development of hacking tools takes time, which equals money, and it all can be spent on something more useful than trying to break through a wall with one’s head.

All this means that there are well-known behavior patterns that distinguish real hackers from those who are only pretending. And there is always the temptation to blame one’s own blunders on a hacker attack (“I was hacked”, “A virus corrupted that budget draft”, “The Shadow Brokers did it”). Few people understand how hackers operate, therefore such excuses sound quite plausible. The intelligence agencies, on the other hand, need very specific information, they are not constrained by time, money, or any ethical considerations. Their only concern is the national security of their countries.

The story with the National Security Agency (NSA) leak has been unfolding for years. In February 2015, Kaspersky Lab published a report on the Equation Group [4] (a codename coined by Kaspersky for the NSA unit allegedly conducting cyber intelligence). In March of that year, the NSA had just recovered after Snowden’s leak, so they sent a pretty clear warning to Russian spies to stay away. Bloomberg published an article The Company Securing Your Internet Has Close Ties to Russian Spies [5]. The company’s founder Eugene Kaspersky pretended not to get the hint [6].

The very fact of cooperation between Kaspersky and Russian intelligence agencies is no secret. Kaspersky’s business started with a blessing from his former teacher at the Higher School of KGB Reshetnikov. And the company’s employees not only do not hide their cooperation with the secret services, but are proud of it.


Why didn’t NSA take on Kaspersky sooner?

A reader might wonder, “Why did it take until 2017 for the NSA to ban Kaspersky’s software, if he’s a KGB spy?” The reason is, back then the whole story was about malware samples. A “sample” in the professional slang means a fragment of a larger software suite. That is the virus that antiviruses are supposed to catch. So many viruses appear in the world today that no person or company could analyze all of them. Most of the viruses are caught through automation, and AV software uses tens of thousands of fuzzy rules. When a file seems suspicious, the AV sends it to its company for analysis. This is how most antiviruses function.

Intelligence agencies of various countries have been repeatedly outed as malware creators, and their viruses are among the ones identified by AV software. Had this been limited only to samples, the US security agencies would have kept mum and would not have resorted to sending signals to Kaspersky through the press. But they already started to suspect that this time it was different. After the DNC was hacked in the summer of 2016, Russians were accused of the hacking. And then, in August, a previously unknown hacker group [7] appeared and claimed that they had hacked the Equation Group. And then they started publishing not just research or samples, but complete suites of hacker software along with the documentation. Money, as was later the case with NotPetya, was not the subject.

Hackers or intelligence services (non-comparative behavioral analysis)

It was a grave mistake. If they had been real hackers, they would have said they had hacked the NSA or the Tailored Access Operations Office (TAO), but they certainly would not have called the organization they targeted using the code name coined by Kaspersky. But more importantly, real hackers would not have made public the tools worth millions of dollars. And there is another thing that makes no sense – you hack a computer, yet fail to understand who it belongs to? The NSA can sometimes jokingly call itself “No Such Agency”, but certainly not the “Equation Group” nickname invented by some Russian.

Either the people behind The Shadow Brokers failed to appreciate the significance of the published tools, or, on the opposite, they were aware that the vulnerabilities such as Eternal Blue and Eternal Romance would be immediately used by black hat hackers. Or by those who would choose to pretend to be black hat hackers. And this would distract the public from the Trump scandals, Russian hackers, and spy ops. And that’s exactly what happened, with the WannaCry, NotPetya, and BadRabbit ransomware using the NSA tools leaked by The Shadow Brokers [8].

However, the “hacker scandal” would not go away. The Shadow Brokers continued to leak NSA tools. And the agency finally got fed up. In the spring of 2017, the ban on the use of Kaspersky AV by US federal agencies was first proposed, and, after it was declared, large American retailers also stopped the sales of the Russian AV software. Why so late? Russians and Americans are not the only participants in the cyberwar. Back in the same 2015, the Israeli intelligence agencies (codenamed Duqu) joined the fray.

The Israelis hacked Kaspersky Lab and several other major tech companies. The hack was detected in June 2015 (Kaspersky Lab investigates hacker attack on its own network [9]). And Israel had reasons to intervene. It was not the first time that Kaspersky threw a spanner in the works of its intelligence operations (Stuxnet). Thus he attracted the attention of the strongest players. The noose tightened hard.

What happened? My version

Apparently, the AV market became too small for Kaspersky. Adding one banking Trojan after the next to the database got too tedious. So Kaspersky Lab got into spy games. From the ANT NSA catalog (Snowden, December 2013 (!)) they learned the code names of secret NSA software, such as COTTONMOUTH. As a next step, you just search for this keyword among the accumulated suspicious files (Kaspersky has tens, if not hundreds of millions of those). Or you can add a special procedure to the AV database.

In addition to search templates, databases in modern AVs also contain code. And when Kaspersky suggests that Americans check the code of his AV for the presence of backdoors, he is just being sly. There are thousands of subroutines in the AV database, there is no way to check them all, and they can easily change with the next update. The code could also do something like this: any file containing a word of 11 letters that add up to 164 (A=1, B=2, …) should be sent to the “HQ” for additional analysis. Thus, any file containing the “COTTONMOUTH” string would be sent to KSN (Kaspersky Security Network – suspicious files storage). There could be a slightly more complex algorithm than simple addition, and no code analysis will find any evidence that Kaspersky was looking for a secret American hacking tool, and not some prehistoric MS-DOS virus.

When the Americans realized that Kaspersky was intentionally studying their viruses, they sent the warning through Bloomberg. No one would have bothered with a single random breach, to avoid further compromising the secrecy. But the Israelis who hacked the Lab apparently found documentation and pieces of auxiliary non-malicious code instead of just virus samples. It meant that Kaspersky had identified not only the viruses, but also the computers they were developed and tested on. Why and how Kaspersky Antivirus ended up on these computers is a separate conversation. Eugene Kaspersky could not resist the temptation and violated the first commandment of AV companies: not to use their own product for hacking. He vacuumed everything stored in those computers. And then he probably took to blackmail: “Either you stop blaming Russian hackers, or The Shadow Brokers will leak how you hack others”.

J’accuse! I am absolutely certain that Kaspersky Lab and The Shadow Brokers “hacker group” are one and the same. It does not matter now whether the FSB is behind Kaspersky’s activities, or he did everything himself. There is a side story here: CyberBerkut and the hacking of the Central Electoral Commission of Ukraine in May 2014. CyberBerkut is a low tech group, mostly used for leaks. But after the hacking they said they had used a Cisco zero-day exploit. They could have said anything, they could have remained silent, but they chose to write exactly that. No one believed them then. But NSA had zero-day exploits for Cisco, and they were published by The Shadow Brokers in the first Equation Group dump.

Some of the conclusions are speculative for now, but the big picture looks exactly as I expected [10]. Now we have all the parts of the puzzle: the Russian Presidential Administration, which sets the general political agenda, the various black hat hackers used on a case-by-case basis, who can be both real hackers and just a cover story, and the Russian Federal Security Service, which closely cooperates with software developers and with information security companies.

And here, a seemingly intelligent person made a practically fatal mistake. Eugene Kaspersky in an interview to the Associated Press confirmed [11] the fact that he had not only virus samples (he could have got them in the regular course of business), but also additional software and classified documents that could only be obtained through a hack. Kaspersky claimed that the files ended up in the hands of the company’s specialists during the collection of information about the Equation Group hackers, which were later exposed as an arm of the NSA. According to the businessman, after learning about the unexpected finding, he ordered to immediately delete this data.

It does not matter whether they were deleted it or not (they were not). What matters is that Kaspersky publicly admitted to something very little short of murder, specifically that he used the antivirus for hacking and espionage. And then provoked (if not organized) a virus attack. He opened the Pandora’s box, to find there is no hope hidden at the bottom.

Once an agreement is broken (just like with the Budapest Memorandum), the trust-based collective security system no longer works. What we are witnessing now is not a habitual spy duel, it is the world cyber war. As in the case of the Russian-Ukrainian war, the Russians did not even realize that they had crossed an invisible but very important line. And they can now act all surprised by the severity of the backlash, but it does not matter anymore because the whole world has changed irreversibly through their insane actions.

The editors of InformNapalm may not share the authors’ opinion in the [opinion] and [civil society] sections.

Translated by Artem Velichko, edited by Max Alginin