Kaspersky: Others May Have Accessed NSA Subcontractor’s PC
Kaspersky has concluded its internal investigation, launched after media reports that an NSA employee had been hacked through its software. In it, the company stresses the possibility that the employee had been hacked by another party via a backdoor.
The backdoor in the cracked Office 2013 software already appeared in the preliminary results of Kaspersky's internal investigation, but the company now adds further details in the results of the closed investigation. The Trojan in question is called Smoke Bot or Smoke Loader. A Russian developer wrote the trojan in 2011, after which the tool was offered for sale on various forums. Between September and November 2014, the period in which Kaspersky discovered the NSA tools on a system running its software, the C2 domain was registered by an apparently Chinese party, Kaspersky concludes on the basis of registration data.
According to Kaspersky, this indicates that the owner of the system was not sufficiently careful and that other parties may well have had access to it. The security company writes that large amounts of other malware were found on the system over the course of those two months. Kaspersky has described its analysis of the backdoor in the cracked software in a separate document.
In its current publication, Kaspersky also addresses a New York Times article that suggested that Israel gained access to the Kaspersky network and learned that Russia was spying through the company. It has not been able to find any evidence of this, the company claims. If that had been the case, the Russian service would have had to create so-called signatures, rules that allow the software to detect potentially malicious files. If an external party had created such signatures, it would have been noticed. Competitors and researchers also look at such signatures.
Kaspersky then discusses the hypothetical situation in which an intelligence service could watch the screens of its analysts. It also reports that, in the context of a certain investigation, it had created signatures that searched for, among other things, pdf, xls, and pgp files, and for files containing the word ‘secret’. This was done to detect a particular piece of malware that was hunting for these files. An outside party could interpret this as attempted espionage, according to Kaspersky’s argument.
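As an added example that is not part of the article or of Kaspersky's own code, the Python sketch below shows what a content-based detection signature of the kind described above looks like in practice. It assumes a simple rule model (file extension plus keyword match, with an optional magic-bytes check) and runs it over constructed in-memory samples. The point it illustrates is the one Kaspersky argues: the rule is ordinary detection logic aimed at malware that hunts for such files, yet read in isolation it looks like a collector of classified documents, which is why third parties reviewing published signatures can misread their intent.

```python
"""Minimal content-based signature matcher (constructed example, not
Kaspersky code). A Signature names the file extensions it applies to,
optional leading magic bytes, and keywords that must appear in the body."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
import re


@dataclass(frozen=True)
class Signature:
    name: str
    extensions: FrozenSet[str]      # lower-case extensions the rule covers
    keywords: Tuple[str, ...]       # case-insensitive whole words, all required
    magic: Optional[bytes] = None   # optional leading bytes, e.g. b"%PDF"

    def matches(self, filename: str, data: bytes) -> bool:
        # Extension gate: the rule only looks at document-like files.
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext not in self.extensions:
            return False
        # Optional format check on the first bytes of the file.
        if self.magic is not None and not data.startswith(self.magic):
            return False
        # Decode leniently so binary content never raises; match whole words.
        text = data.decode("latin-1")
        return all(
            re.search(r"\b%s\b" % re.escape(word), text, re.IGNORECASE)
            for word in self.keywords
        )


# Hypothetical rule modelled on the article: pdf/xls/pgp files containing
# the word "secret". Rule name is a constructed placeholder.
DOC_SECRET_RULE = Signature(
    name="doc_contains_secret",
    extensions=frozenset({"pdf", "xls", "pgp"}),
    keywords=("secret",),
)

# Constructed samples standing in for files on a scanned host.
SAMPLES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4 ... classification: SECRET ... %%EOF",
    "budget.xls": b"\xd0\xcf\x11\xe0 quarterly budget, nothing sensitive",
    "notes.txt":  b"this is a secret note, but not a covered file type",
    "key.pgp":    b"-----BEGIN PGP MESSAGE----- top secret payload",
}


def scan(samples: Dict[str, bytes],
         signatures: List[Signature]) -> List[Tuple[str, str]]:
    """Return (filename, rule name) for every sample a signature matches."""
    hits = []
    for filename, data in samples.items():
        for sig in signatures:
            if sig.matches(filename, data):
                hits.append((filename, sig.name))
    return hits


def describe(sig: Signature) -> str:
    """Render the rule as the plain text a reviewer would see in a
    signature feed; this is what makes intent easy to misread."""
    exts = ", ".join(sorted(sig.extensions))
    words = ", ".join(repr(w) for w in sig.keywords)
    return f"{sig.name}: files [{exts}] containing {words}"


if __name__ == "__main__":
    print(describe(DOC_SECRET_RULE))
    for hit in scan(SAMPLES, [DOC_SECRET_RULE]):
        print("hit:", hit)
```

Run as a script it prints the rule's description followed by the two matching samples (the PDF and the PGP message); the `.txt` file is skipped despite containing the keyword because the rule's extension gate excludes it. `describe()` is the part worth noticing: a signature is distributed as readable rule text, so anyone consuming the feed can see exactly what it hunts for, which cuts both ways for the company's argument.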
The Wall Street Journal reported in October that NSA tools had been stolen from a subcontractor’s private PC via Kaspersky software. Kaspersky then conducted an investigation, the preliminary results of which it had shared earlier. It turned out that in 2014 the company had indeed found an archive of NSA tools after a scan. When it became clear that this was classified government data, the director of the security company is said to have ordered the archive in question to be deleted.