CIA disguises its malware as Kaspersky software

10 November 2017, 16:41 | Technologies 
Photo: InternetUA

WikiLeaks has published the source code of a CIA hacking tool with which the agency disguised its data-stealing malware as products of real software vendors, including Kaspersky Lab.

WikiLeaks Publication.

The malware with which the US Central Intelligence Agency (CIA) extracted information from other people's computers was disguised as Kaspersky Lab products. The disguise was provided by a special tool called Hive, whose source code has just been released by WikiLeaks as part of its Vault 8 project.

Even if the owner of a targeted computer discovered that an implant (malware that extracts information) was running on the device, Hive ensured that the user could not connect its activity with the CIA in any way. When the owner checked which Internet servers the implant was sending information to, Hive concealed the software's connection to the agency's servers. In effect, the tool is a covert communications platform for the CIA's malware, through which it sends the data it has collected to its operators and receives new instructions, WikiLeaks writes.

At the same time, when the malware authenticates to the CIA server system, digital certificates are generated that mimic ownership of the software by real vendors. Three samples present in the source code published by WikiLeaks forge Kaspersky Lab certificates from Moscow, purportedly signed by a trusted Thawte Premium Server certificate from Cape Town. A user who finds an implant and tries to work out where the traffic on the network is going would suspect not the CIA but the named software vendor.

Kaspersky Lab reacted to the WikiLeaks publication with the following comment: "We examined the statements that were published on November 9 in the Vault 8 report, and we can confirm that the certificates that mimic ours are not real. The keys, services and clients of Kaspersky Lab are safe and have not been affected."

Server system.

Hive performs a number of operations using the implants running on the compromised computer, with each operation registered to an innocuous-looking cover domain. The server hosting the domain is rented from commercial hosting providers as a virtual private server (VPS), with its software customized to the CIA's specifications. These servers are the public facade of the CIA's server system; they forward HTTP(S) traffic through a virtual private network (VPN) to a hidden server called Blot.

Anyone who visits the cover domain is shown entirely innocuous content. The only telltale difference is an infrequently used HTTPS server option called Optional Client Authentication. Thanks to it, ordinary visitors browsing the domain are not required to authenticate, but an implant contacting the server always does, so that the Blot server can detect it.

Traffic from implants is sent to the implant operator's management gateway, called Honeycomb, while all other traffic goes to the cover server, which delivers harmless content available to all users. During implant authentication, a digital certificate is generated that simulates ownership of the software by real, existing vendors.
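The two passages above describe certificates whose subject and issuer strings imitate a real vendor and a real CA. The lesson for a defender inspecting suspicious traffic is that name fields prove nothing; only signature-chain validation against roots you actually trust does. The following Go program, added here as an illustration and not part of the article or of any published Hive code, builds a genuine root, a lookalike root that carries the same issuer name but an unrelated key, and a leaf certificate under each. The names are constructed to echo the article ("Thawte Premium Server CA", "Kaspersky Lab"); the keys are throwaway keys generated at runtime, and nothing here is a real certificate. A check that compares only name strings accepts both leaves, while standard chain validation with a pinned root rejects the lookalike-signed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; they echo the article but are not real certificates.
const (
	caName   = "Thawte Premium Server CA"
	leafName = "Kaspersky Lab"
)

// makeCA builds a self-signed CA with a fresh key. Called twice below, the two CAs share
// a subject name but hold unrelated keys, like a genuine root and a lookalike.
func makeCA(serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeLeaf issues a server certificate named leafName, signed by the given CA.
func makeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: leafName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameOnlyAccepts is the weak check: trust a certificate because its subject and
// issuer strings look right. A mimicking certificate is built to pass exactly this.
func NameOnlyAccepts(leaf *x509.Certificate) bool {
	return leaf.Subject.CommonName == leafName && leaf.Issuer.CommonName == caName
}

// ChainAccepts is the proper check: the signature chain must end at a root in the
// pinned trust pool, whatever the name fields claim.
func ChainAccepts(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Result records how each check treats the genuine and the lookalike-signed leaf.
type Result struct {
	NameOnlyGenuine, NameOnlyForged, ChainGenuine, ChainForged bool
}

// RunScenario pins only the genuine root, then runs both checks on both leaves.
func RunScenario() (Result, error) {
	var r Result
	genuineCA, genuineKey, err := makeCA(1)
	if err != nil {
		return r, err
	}
	lookalikeCA, lookalikeKey, err := makeCA(2)
	if err != nil {
		return r, err
	}
	genuineLeaf, err := makeLeaf(genuineCA, genuineKey, 10)
	if err != nil {
		return r, err
	}
	forgedLeaf, err := makeLeaf(lookalikeCA, lookalikeKey, 11)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(genuineCA) // the lookalike root is never added to the trust pool
	r.NameOnlyGenuine, r.NameOnlyForged = NameOnlyAccepts(genuineLeaf), NameOnlyAccepts(forgedLeaf)
	r.ChainGenuine, r.ChainForged = ChainAccepts(genuineLeaf, roots), ChainAccepts(forgedLeaf, roots)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("name-only check: genuine=%v forged=%v\n", r.NameOnlyGenuine, r.NameOnlyForged)
	fmt.Printf("chain check:     genuine=%v forged=%v\n", r.ChainGenuine, r.ChainForged)
}
```

Run with `go run`: the name-only check prints `true true`, the chain check prints `true false`. When triaging an unknown server on your network, the same principle applies with the system or pinned root store in place of the constructed pool: a certificate that merely names a well-known vendor and CA but fails chain validation is a stronger indicator than the names themselves.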

The Lab's problems in the US.

The WikiLeaks publication appeared against the background of the Lab's escalating conflict with the US government. The conflict began in 2016, when the Federal Bureau of Investigation (FBI) voiced a number of concerns about the company's products to industry representatives, including the Electricity Subsector Coordinating Council, an organization that brings together the heads of North American power companies. In response, in February 2017, the US Department of Homeland Security sent a secret report concerning the Lab to the US intelligence services.

In April 2017, concern about the possible threat posed by the Lab was expressed in a secret memorandum sent to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions. The document was prepared by the US Senate Intelligence Committee. The Committee strongly requested that measures be taken to address the potential risk posed by the wide spread of the Lab's products in the US market.

In this regard, Eugene Kaspersky expressed his willingness to address the US Senate and answer any of its questions. The Lab also announced that it was ready to disclose the source code of its software to the US authorities in order to dispel accusations of cyber espionage.

The FBI investigation and its consequences.

In June, it became known that the FBI had interviewed a number of employees of the Lab's US office. At least 12 people were interviewed in various locations. The FBI was interested in the details of Kaspersky Lab's work and the extent to which the company's US office reports to its head office in Moscow.

In July, the US presidential administration removed the Lab from two lists of suppliers of high-tech equipment for government needs. These are two lists kept by the US General Services Administration (GSA), which certifies suppliers and enters them in a database of companies: one for information technology services and one for the supply of photographic equipment. The lists were changed for reasons of "government and network security".

The aggravation of the conflict.

In September, it became known that the US authorities had ordered Kaspersky Lab's solutions removed from US government networks. Agencies were given 90 days. The order does not apply to the Pentagon, but it does not use the Russian company's products either.

In October, a number of major US media outlets reported that the Lab's products had been used to steal US national defense data from the National Security Agency (NSA). According to The Wall Street Journal, the data was on the home PC of an NSA contractor on which the Russian company's software was installed.

Shortly thereafter, The New York Times reported that the Americans had received the information about the NSA incident from the Israeli security services, which had been able to penetrate the Lab's network, presumably with the help of the Duqu 2.0 tool. In October, Eugene Kaspersky acknowledged that classified NSA information had been downloaded to his company's server. However, the download occurred accidentally, and the classified information was deleted immediately, he explained.

Source: InternetUA