The Equation Group malware mystery: Kaspersky offers an explanation

Senior News Director

The ongoing drama between Kaspersky Lab and the U.S. government received some much-needed sunlight last week as the antivirus vendor finally uttered two very important words: Equation Group.

Kaspersky issued a statement describing how it came to possess Equation Group malware, which was a response to recent news reports claiming the vendor had National Security Agency (NSA) cyberweapons on its network in 2015. Both the government and the antivirus vendor have quietly tip-toed around Equation Group since the Kaspersky controversy began rolling earlier this year. And it’s easy to see why – the government doesn’t want to officially acknowledge that the NSA is in the business of creating and using malware, and Kaspersky likely didn’t want to highlight a sore spot for the U.S. government that could further inflame the situation (after all, Kaspersky was the first to blow the lid off Equation Group with its 2015 report).

But Kaspersky was backed into a corner with mounting political pressure and government-wide bans on its products. The company played one of its last remaining cards: it came clean and offered a somewhat plausible explanation why it had possession of Equation Group malware.

In short, Kaspersky’s statement claims that in 2014 its antivirus software scanned a system and detected a simple backdoor in a product-key generator for a pirated version of Microsoft Office (this system is presumed to belong to the NSA contractor/employee that reportedly took cyberweapons home and installed them on a personal computer). The antivirus program also detected a 7-Zip archive of “previously unknown” malware, which the antivirus program via Kaspersky Security Network (KSN) relayed to the company for further analysis.

The statement offers some answers to lingering questions on the matter, but it also produces new questions and concerns for Kaspersky and the U.S. government. Here are some important ones:

“As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA,” the statement reads. This assumes that after detecting and analyzing the 7-Zip archive of new Equation Group malware, the company alerted the U.S. government. But that statement is just left hanging there, and Kaspersky never explicitly states it contacted the relevant authorities about the malware. Did it? If Kaspersky did, then why not spell it out in no uncertain terms? If it didn’t, could that be a source of contention between the vendor and U.S. government?
After analyzing the Equation Group malware, Kaspersky researchers notified CEO Eugene Kaspersky. “Following a request from the CEO, the archive was deleted from all our systems,” the statement read. This suggests that Kaspersky did not, in fact, contact the U.S. government about its findings. So why did the company delete the files? It could be, as some have speculated, that the archive had files with classified markings on them. But Kaspersky throws cold water on the media reports of “NSA classified data” being on its servers and states no such incident took place. If it is true, then why did it take extensive analysis from Kaspersky researchers to find those markings?
Kaspersky said it detected other instances of the Equation Group malware on systems in the “same IP range” as the original system. These detections were made after Kaspersky published its Equation Group report in February of 2015; according to the statement, the company believes these systems, which had KSN enabled, were set up as honeypots. However, Kaspersky doesn’t explain why it believes they were honeypots, and why they were set up. But this point suggests the U.S. government, or at least individuals within the NSA, knew the Equation Group malware had been exposed and uploaded to Kaspersky. That would contradict earlier news reports claiming the U.S. didn’t know about exposure of NSA cyberweapons until 2016.
Kaspersky wrote “No other third-party intrusions, besides Duqu 2.0, were detected” on its networks. This is presumably a response to the aforementioned media reports, which claimed that Israeli intelligence officers (who reportedly hacked into Kaspersky’s network) observed Russian hackers on the company’s network abusing antivirus scans to search for U.S. government data. But it doesn’t confront the allegation in The Wall Street Journal report that Kaspersky willingly let state-sponsored threat actors into its environment and was actively working with Russian government. It also dances around the question of who was behind the Duqu 2.0 attack.

Kaspersky’s statement on the Equation Group malware is quite detailed, offering names for malicious code samples and files and specifics about the system on which the malware was first detected. But the statement also skips over important details and key questions in the ongoing Kaspersky controversy. If the company and the government continue to withhold vital information that could clear up this mess, both will look increasingly bad as this drags on.