NSA cyberweapons report follows Kaspersky transparency plan
A Kaspersky transparency initiative and a full code review of its products are on the way, and a new Kaspersky statement explained how NSA cyberweapons were uploaded to its servers.
Kaspersky Lab launched a transparency initiative for its popular security products in order to ease fears of inappropriate ties to Russia and also released a statement explaining how the company came into possession of NSA cyberweapons.
A new statement from Kaspersky provided details on a recently uncovered incident in which an NSA contractor reportedly put agency cyberweapons on a personal computer, from which the NSA malware was transmitted to Kaspersky servers.
Though others have claimed Kaspersky products could be used for spying, Kaspersky Lab has continually asserted the incident occurred because NSA cyberweapons are malware and its products are designed to find and quarantine malware.
In the latest statement on the matter, Kaspersky explained that after a user's device was flagged for having the Equation Group malware on it, the device was also found to have pirated Microsoft Office software containing malware. At some point, the individual disabled the Kaspersky product in order to run a keygen for the pirated software and was infected with malware.
"Executing the keygen would not have been possible with the antivirus enabled," the team wrote in the Kaspersky report. "The user was infected with this malware for an unspecified period, while the product was inactive. The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user's machine."
The Kaspersky statement also noted that after an analyst processed the data gathered from the device and determined the samples to be Equation Group NSA cyberweapons, the incident was reported to Kaspersky CEO Eugene Kaspersky, who ordered all archives of the data deleted from the company's systems.
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said on Twitter he understood the rationale behind the decision to delete all traces of the NSA cyberweapons.
"Kaspersky's account of events is now at least plausible. Even the deletion. If that archive had classification markings, it's toxic. Dump it." Jake Williams (@MalwareJake), October 25, 2017
Kaspersky transparency plan
Prior to detailing the NSA cyberweapons incident, the company introduced a new Kaspersky transparency initiative with several components intended to restore trust in the company: three new transparency centers, located in the U.S., Asia and Europe and all open by 2020; increased bug bounty rewards; and independent reviews of product source code and internal processes.
The U.S. Department of Homeland Security recently banned Kaspersky products from use on government systems, and a number of stories based on unnamed sources claimed connections between Kaspersky and the Russian government, as well as Kaspersky products potentially searching out classified data on customer devices.
Eugene Kaspersky said in a public statement that the move was intended to prove the company has nothing to hide and "to overcome mistrust and support our commitment to protecting people in any country on our planet."
"Internet balkanization benefits no one except cybercriminals. Reduced cooperation among countries helps the bad guys in their operations, and public-private partnerships don't work like they should. The internet was created to unite people and share knowledge," Kaspersky said. "Cybersecurity has no borders, but attempts to introduce national boundaries in cyberspace [are] counterproductive and must be stopped. We need to reestablish trust in relationships between companies, governments and citizens."
However, early expert reaction to the announcement suggested the Kaspersky transparency plan may not go far enough. Security professionals noted that evidence of spying would not necessarily be visible in a review of Kaspersky product source code; it would also be necessary to review the server-side code or the rulesets that govern what data is pulled from client systems to the Kaspersky Security Network (KSN).
When asked about this issue, Kaspersky Lab told SearchSecurity the initial code review would focus on products with the "biggest user base -- like Kaspersky Internet Security and Kaspersky Endpoint Security for Business," but said the KSN might be included.
"Our proposal for source code and software updates analysis suggests the access to review how our products interact with Kaspersky Security Network," Kaspersky Lab said. "Kaspersky Lab wants to work with highly reputable and credible independent experts who have the expertise, capability and capacity to account for the company's extensive code base and technology infrastructure underpinning its products and solutions, as well as the diverse sets of controls and processes that govern the company's data processing practices."
Matt Suiche, founder of managed threat detection company Comae Technologies, told SearchSecurity that the Kaspersky transparency "initiative is good in general," but said it might not be enough to prove the company's innocence. "It's hard (or impossible) to come back from allegations from the U.S. government."