Kaspersky NSA hacking report suggests contractor's PC was riddled with malware

Kaspersky identified more than 120 different types of malware on NSA contractor's PC

Kaspersky Lab has released its report into allegations that its anti-virus software was used to hack a US National Security Agency (NSA) contractor's home PC and exfiltrate NSA documents and malware tools.

According to the report, Kaspersky's telemetry indicates that the NSA contractor not only ran pirated software, activated with a malware-ridden key generator that he could only install after turning his Kaspersky Anti-Virus off, but also had more than 120 other distinct forms of malware lurking on his home PC.

That malware included several different types of Trojans and rootkits, suggesting that the NSA contractor's PC had been thoroughly compromised.

The report comes after allegations were published in early October in the Wall Street Journal claiming that the Russian cybersecurity firm's software was used to download confidential data from an NSA contractor's home computer.

Reports later circulated accusing the company of deliberately taking files from the PC, using its anti-virus software to identify the PCs of people who may be of interest to Russian intelligence, and then using it to exfiltrate data and files.

Kaspersky, though, claimed that its software works like any other anti-virus product: it identifies potentially malicious files, and only sends back to the company those unidentified potential threats that have been flagged by the software's heuristic detection engines.

In the case of the NSA worker, the company claimed that the software's heuristics identified some NSA malware that he had taken home to work on as potentially malicious and its exfiltration was simply a part of its normal operation.

The company's researchers noted that the malware on the NSA contractor's computer gave third parties a route to access and steal sensitive data, but stopped short of confirming that anyone had actually done so. Given the volume of malware picked up on the machine, they concluded that the contractor's own behaviour was to blame for its state.

The Kaspersky Anti-Virus software identified a malware-laced Microsoft Office ISO file, as well as a Microsoft Office 2013 activation tool.

The user had been able to install the pirated copy of Office 2013 only after disabling the anti-virus software. Had the anti-virus been left running, it would have identified and blocked the malware-ridden pirated software.

The key generator, meanwhile, remained on the PC for the period during which the Kaspersky software was inactive, and the malware it carried meant that third parties could, in theory, have accessed the user's machine while the anti-virus was switched off.

However, when the company's anti-virus software was re-activated, it detected the malware and identified it as Backdoor.Win32.Mokes.hvl and blocked it from contacting its command-and-control site.

Kaspersky researchers said the anti-virus software also detected variants of the Equation APT malware on the machine.

Variants of that malware, including a 7zip compressed archive, were sent to the Kaspersky Virus Lab for analysis. Researchers found that the archive contained source code and classified documents, and the case was referred to the company's CEO, Eugene Kaspersky, who ordered the files to be removed from Kaspersky's servers.

"The reason Kaspersky Lab deleted those files and will delete similar ones in the future is two-fold: first, it needs only malware binaries to improve protection and, secondly, it has concerns regarding the handling of potentially classified material," the company wrote in its report.

It continued: "Because of this incident, a new policy was created for all malware analysts: they are now required to delete any potentially classified material that has been accidentally collected during anti-malware research.

"To further support the objectivity of the internal investigation we ran it using multiple analysts including those of non-Russian origin and working outside of Russia to avoid even potential accusations of influence."

Speaking about other findings, the firm said that one of the major early discoveries of the investigation was that the PC in question was infected with the Mokes backdoor malware, providing malicious users with remote access to the PC.

"As part of the investigation, Kaspersky Lab researchers took a deeper look at this backdoor and other non-Equation threat-related telemetry sent from the computer," claimed the report.