from the malware-is-malware-no-matter-who-controls-it dept.
US officials: Kaspersky "Slingshot" report burned anti-terror operation
A malware campaign discovered by researchers for Kaspersky Lab this month was in fact a US military operation, according to a report by CyberScoop's Chris Bing and Patrick Howell O'Neill. Unnamed US intelligence officials told CyberScoop that Kaspersky's report had exposed a long-running Joint Special Operations Command (JSOC) operation targeting the Islamic State and Al Qaeda.
The malware used in the campaign, according to the officials, was used to target computers in Internet cafés where it was believed individuals associated with the Islamic State and Al Qaeda would communicate with their organizations' leadership. Kaspersky's report showed Slingshot had targeted computers in countries where ISIS, Al Qaeda, and other radical Islamic terrorist groups have a presence or recruit: Afghanistan, Yemen, Iraq, Jordan, Turkey, Libya, Sudan, Somalia, Kenya, Tanzania, and the Democratic Republic of Congo.
The publication of the report, the officials contended, likely caused JSOC to abandon the operation and may have put the lives of soldiers fighting ISIS and Al Qaeda in danger. One former intelligence official told CyberScoop that it was standard operating procedure "to kill it all with fire once you get caught... It happens sometimes and we're accustomed to dealing with it. But it still sucks. I can tell you this didn't help anyone."
This is good malware. You can't expose the good malware!
Related: Kaspersky Claims to have Found NSA's Advanced Malware Trojan
Ties Alleged Between Kaspersky Lab and Russian Intelligence Agencies
Kaspersky Willing to Hand Source Code Over to U.S. Government
Kaspersky Lab has been Working With Russian Intelligence
FBI Reportedly Advising Companies to Ditch Kaspersky Apps
Federal Government, Concerned About Cyberespionage, Bans Use of Kaspersky Labs Products
Kaspersky Lab and Lax Contractor Blamed for Russian Acquisition of NSA Tools
Related Stories
All of you knew that it could only get worse:
Kaspersky malware probers have uncovered a new 'operating system-like' platform that [they claim] was developed and used by the National Security Agency (NSA) in its Equation spying arsenal. The EquationDrug or Equestre platform is used to deploy [an estimated] 116 plug-in modules to target computers that can siphon data and spy on victims. So far, only 30 modules have been identified.
"It's important to note that EquationDrug is not just a trojan, but a full espionage platform, which includes a framework for conducting cyber-espionage activities by deploying specific modules on the machines of selected victims," Kaspersky researchers say in a report.
The article goes on to explain that Kaspersky further believes that the software is part of the "NSA's campaign to infect hard disk firmware". There is considerably more detail in the article.
I think I am going to get my old manual typewriter out of the garage, get a new ribbon, use U.S. Mail instead of e-mail, and buy more ink for my fountain pens.
Recently, we have reported several claims (here, here, and here) made by the Russian security software manufacturer Kaspersky Lab that they have discovered 'evidence' of NSA involvement in malware. Now, Bloomberg claims that the Moscow-based computer security company has effectively been taken over by the FSB. Company founder Eugene Kaspersky was educated at a KGB-run school, which was never a secret, but the new report describes a much more current and intimate connection.
Kaspersky Lab is denying the allegations, as one might expect, and counters with the statement:
It's not as though the US has clean hands in all of this. The CIA has funded the development of security software firms like FireEye, Veracode, and Hytrust through its In-Q-Tel investment fund, and American firms have been noticeably silent when it comes to investigating suspected US state-sponsored malware.
We are unlikely to hear the truth from either side, nor should we realistically expect a confession from the NSA or the FSB. Nevertheless, it is possible that the security industries on both sides are 'guilty' of looking after their respective government's interests and what we are seeing is just another day in the world of intelligence collection and cyber-security, the world of claim and counter-claim.
[Editor's Comment: Typo fixed at 15:39 UTC]
Kaspersky Lab is willing to go to extreme lengths to reassure the U.S. government about the security of its products:
Eugene Kaspersky is willing to turn over computer code to United States authorities to prove that his company's security products have not been compromised by the Russian government, The Associated Press reported early Sunday.
"If the United States needs, we can disclose the source code," said the creator of beleaguered Moscow-based computer security company Kaspersky Lab in an interview with the AP.
"Anything I can do to prove that we don't behave maliciously I will do it."
Also at Neowin.
In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government
Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.
On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.
The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defense shall ensure that any network connection between ... the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."
Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.
Source: Gizmodo
According to emails from October 2009 obtained by Jordan Robertson and Michael Riley at Bloomberg, it appears that Kaspersky Lab has been working with Russian Intelligence. Despite long-standing rumours over these connections, Eugene Kaspersky has always denied this to be the case, including as recently as last week in response to questions in the US Senate by Florida Republican Marco Rubio, when he stated on Reddit that claims about Kaspersky Lab's ties to the Kremlin are "unfounded conspiracy theories" and "total BS," and even offering to hand over the source code to the US Government for inspection.
While the exact nature of the co-operation with the FSB is still unclear, in the emails Kaspersky outlines a project undertaken in secret a year earlier "per a big request on the Lubyanka side," a reference to the FSB offices, that "includes both technology to protect against attacks (filters) as well as interaction with the hosters ('spreading' of sacrifice) and active countermeasures (about which, we keep quiet) and so on," Kaspersky wrote in one of the emails. Kaspersky Lab has confirmed that the emails are authentic. Whether this was legitimate work with the FSB in the prevention of cybercrime or securing FSB facilities, or something more nefarious, it seems likely that this is not going to alleviate concerns over the use of their software, putting further pressure on Kaspersky's business in other countries.
Kaspersky Lab's tussle with the US government could have ramifications for its dealings with the private sector. A new report claims the FBI has been meeting with companies to warn them of the threat posed by the cybersecurity firm. The briefings are the latest chapter in an ongoing saga concerning the use of Kaspersky's products by government agencies. Officials claim the company is a Russian stooge that can't be trusted with protecting America's critical infrastructure. The company denies these claims -- its CEO Eugene Kaspersky has even offered up its source code in a bid to clear his firm's name.
It appears that olive branch went unnoticed. Throughout the year, the FBI has been meeting with US firms to convince them to remove Kaspersky Lab's tools from their systems, according to officials that spoke to CyberScoop. In view of the cyberattacks that crippled Ukraine's power grid in 2016, the FBI has reportedly focussed its briefings on companies in the energy sector. Although, it has also supposedly met with major tech firms too.
The law enforcement agency has apparently been sharing its threat assessment with the companies, including Kaspersky Lab's alleged deep ties with Russian intelligence. However, the meetings have reportedly yielded mixed results. Whereas firms in the energy sector have been quick to cooperate, tech giants have resisted taking swift action, claims CyberScoop.
Source: Engadget
The Washington Post is reporting U.S. moves to ban Kaspersky software in federal agencies amid concerns of Russian espionage:
Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal civilian government networks, giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.
[...] "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."
[...] The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, the GSA suggested a vulnerability exists in Kaspersky that could give the Kremlin backdoor access to the systems the company protects.
Someone that is in a position to know all about it tells me that Kaspersky doesn't detect malware created by the Russian Business Network. My fear is that if I named that someone, the RBN will give that someone a bad hair day.
[Ed. addition follows]
The full text of the DHS notice is available at https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01.
Previously:
FBI Reportedly Advising Companies to Ditch Kaspersky Apps.
According to unverifiable sources, an NSA contractor stored classified data and hacking tools on his home computer, which were made available to Russian hackers through the contractor's use of Kaspersky Lab anti-virus software:
Russian government-backed hackers stole highly classified U.S. cyber secrets in 2015 from the National Security Agency after a contractor put information on his home computer, two newspapers reported on Thursday.
As reported first by The Wall Street Journal, citing unidentified sources, the theft included information on penetrating foreign computer networks and protecting against cyber attacks and is likely to be viewed as one of the most significant security breaches to date.
In a later story, The Washington Post said the employee had worked at the NSA's Tailored Access Operations unit for elite hackers before he was fired in 2015.
[...] Citing unidentified sources, both the Journal and the Post also reported that the contractor used antivirus software from Moscow-based Kaspersky Lab, the company whose products were banned from U.S. government networks last month because of suspicions they help the Kremlin conduct espionage.
(Score: -1, Troll) by cocaine overdose on Thursday March 22 2018, @06:46PM
(Score: 2) by Gaaark on Thursday March 22 2018, @06:46PM (3 children)
It's good until it's used against Americans. Then it's bad?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 5, Insightful) by Snotnose on Thursday March 22 2018, @06:54PM
The problem is the holes they're exploiting exist on all computers/networks, and you can be damned sure it's not just JSOC that knows about them.
What they should do, but I'm not holding my breath, is tell the vendors about these holes so they can fix them. Then again, I haven't been drinking the RA RA 'MURICA! Kool Aid for the past 20 years.
Bad decisions, great stories
(Score: 3, Insightful) by Anonymous Coward on Thursday March 22 2018, @06:54PM (1 child)
No, no, no. That's not it at all. It's good until we get caught and cannot plausibly deny it. Then it's bad that we got caught (but the malware is still good).
(Score: 2, Interesting) by Anonymous Coward on Thursday March 22 2018, @07:07PM
Backdoors found - "bad", and quickly swept under the rug: compare with the brouhaha around Meltdown/Spectre.
The parts providing them - still "good", even if for nothing apparent but more backdoors.
(Score: 3, Insightful) by Anonymous Coward on Thursday March 22 2018, @06:55PM (4 children)
The officials apparently failed to realize that using malware might be detected by security researchers?
Color me surprised... Military Intelligence just might be an oxymoron in this case.
The part I find most objectionable is playing the 'our troops/assets in danger' card when caught red-handed.
(Score: 4, Insightful) by arcz on Thursday March 22 2018, @06:59PM
The military thinks there is a thing called "cyber warfare" which is bullshit for "lets make viruses". Fucking scumbags in the US military and intelligence community. They ought to be hanged.
(Score: 5, Insightful) by looorg on Thursday March 22 2018, @07:09PM (1 child)
likely ... may ... could they be more vague? Not that "in danger" necessarily means dead, but that is what they actually want to say. So how this exposure leads to dead boots on the ground does seem like a bit of a stretch of the imagination.
(Score: 2, Touché) by Anonymous Coward on Friday March 23 2018, @01:48AM
Possibly.
(Score: 1) by i286NiNJA on Thursday March 22 2018, @07:54PM
APT malware is usually a different breed.
Imagine that someone recreated all the functionality of metasploit from scratch and then wrote a modern Remote Access Tool but with the sort of care and attention to detail you'd see in the more advanced DOS viruses.
Every string is encrypted and most of the tool itself is stored as a series of encrypted strings that are decrypted and eval'd as needed. The stub of an unencrypted program that does this is painstakingly designed to mimic the sorts of things a legitimate program may do. Every program has some plausible legitimacy that is coupled with the sorts of system access that you'd expect such a program to have. If the malware is hidden in a game and the malware needs network access, then the game will be sure to present a legitimate need for network access.
Then to top it off they're not trying to get it to spread like wildfire so it won't get caught in random sinkholes and honeypots.
(Score: 4, Interesting) by bob_super on Thursday March 22 2018, @07:21PM (3 children)
1) why do they admit that it was theirs, and describe the way they were using the virus?
2) was that program actually working? If you're gonna tell us, and tell the bad guys to be paranoid, should you be bragging that the thing was helping?
3) who's getting extradited for computer breaches inside a foreign sovereign state?
(Score: 5, Interesting) by number11 on Thursday March 22 2018, @07:39PM
This. Normally, they would deny it, even if there is overwhelming evidence, or have no comment. They are admitting it for a reason. The story is not that they did it, of course they do stuff like that. The story is that they admit it.
Why? I don't know. To attack Kaspersky? To attack security researchers in general, at least the ones that they don't control? To encourage the scum who want backdoors in everything? To draw attention away from something else? To obliquely brag that they'd gotten away with it for years? To get adversaries to shift to a different communication channel, which has already been compromised?
(Score: 5, Insightful) by zocalo on Thursday March 22 2018, @07:44PM
UNIX? They're not even circumcised! Savages!
(Score: 3, Informative) by RamiK on Thursday March 22 2018, @08:30PM
Well, according to the new judicial standard [theintercept.com], a measured response in this case would be bombing a small, American-owned, warehouse in the US.
compiling...
(Score: 2) by legont on Thursday March 22 2018, @08:18PM
Do we have to clear bug fixes with the government? Perhaps only foreigners have to, because we are protected by the Constitution but they are not?
We probably need licensed developers. The days of guerrilla programming are probably over.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 4, Insightful) by Anonymous Coward on Thursday March 22 2018, @09:38PM
...so, Kaspersky did its job, and the US Govt. is pissed about it?
because getting hit by an AV is always going to be a risk if you're using malware as part of an espionage toolkit
The real question is, what does it gain the govt to openly disclose the fact that they made Slingshot in the first place? Is it just to smear Kaspersky, make 'em look like the bad guys for "helping the terrorists"?
If an American company had found this malware, what would have happened?
(Score: 3, Interesting) by maggotbrain on Thursday March 22 2018, @09:42PM
And sites expect us to stop using ad blockers??? Seriously though, I hadn't realized MikroTik was Latvian-based. Previously, I had just considered it a generic white-box router solution.
(Score: 2) by Bot on Friday March 23 2018, @07:14AM
- russkie citizen
- da?
- about your recent malware discovery
- good catch huh?
- it was our military stuff, you ruined our isis crushing op
- how were we supposed to know? and wasn't isis one of your...
- shut up, first the spy, then the syrian mercenaries, and now this. why are you persecuting us
- still hurt about the election of trump, i see? yet he is a close friend of isr....
- shut up
the wolf stood upstream, and the lamb far below (superior stabat lupus, longeque inferior agnus), and both had nukes, and both were part of the same system which thrives on destruction and reconstruction.
I tell ya, a true robocalypse (not the meatbag driven project) would probably be a good thing for you.
Account abandoned.