In early October, a story was published in The Wall Street Journal alleging Kaspersky Lab software was used to download classified data from an NSA employee’s home computer. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercrime for over 20 years, these allegations were treated very seriously by the company. To gather facts and address any concerns, Kaspersky Lab conducted an internal investigation.
The preliminary results of the investigation were published on October 25. These outlined the general findings of the company’s search for evidence of the alleged event reported by the media. The new report published today confirms the initial findings and provides additional insight on the analysis of Kaspersky Lab products’ telemetry related to the incident. This telemetry describes suspicious activity registered on the computer in question during the timeframe of the incident, which took place in 2014.
To further support the objectivity of the internal investigation, we ran it using multiple analysts, including analysts of non-Russian origin working outside of Russia, to avoid even potential accusations of influence.
One of the major early discoveries of the investigation was that the PC in question was infected with the Mokes backdoor – malware that gives malicious users remote access to a computer. As part of the investigation, Kaspersky Lab researchers took a deeper look at this backdoor and at other telemetry sent from the computer relating to non-Equation threats.
It is publicly known that the Mokes backdoor (also known as “Smoke Bot” or “Smoke Loader”) appeared on Russian underground forums when it was made available for purchase in 2011. Kaspersky Lab research shows that, during the period of September to November 2014, the command and control servers of this malware were registered to what was presumably a Chinese entity going by the name “Zhou Lou”. Moreover, deeper analysis of Kaspersky Lab telemetry showed that the Mokes backdoor may not have been the only malware infecting the PC in question at the time of the incident, as other illegal activation tools and keygens were detected on the same machine.
Over a period of two months, the product reported alarms on 121 items of non-Equation malware: backdoors, exploits, Trojans and adware. All of these alerts, combined with the limited amount of available telemetry, mean that while we can confirm our product spotted the threats, it is impossible to determine whether they were executing during the period the product was disabled.
Kaspersky Lab continues to research the other malicious samples and further results will be published as soon as the analysis is finished.
The overall conclusions of the investigation are the following:
As a completely transparent company, Kaspersky Lab is ready to provide additional details of the investigation in a responsible manner to relevant parties from government organizations and clients concerned about recent media reports.