
CIA Hacking Tool Designed To "Impersonate" Russia's Kaspersky Lab


On September 18th, the US Senate voted to ban the use of products from the Moscow-based cyber security firm Kaspersky Lab by the federal government, citing national security risk. The vote was included as an amendment to an annual defense policy spending bill approved by the Senate on the same day and was written to bar the use of Kaspersky Lab software in government civilian and military agencies, reported Zero Hedge (US).

Alas, according to a new revelation from WikiLeaks this morning, any perceived "national security risk" from Kaspersky could have resulted from the fact that the CIA specifically designed hacking software, code-named 'Hive', which intentionally "impersonated" the Russian cyber security firm so that "if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated."

Here's a summary of the hacking tool posted by WikiLeaks:
“Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

The cover domain delivers 'innocent' content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users - an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate - it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”
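The summary above turns on a certificate whose Issuer field names a well-known CA that never actually signed it. The point for a defender is that the issuer name on a certificate is just a copy of whatever subject name the signing certificate carried, so anyone can put a trusted CA's name there; the signature cannot be copied, and chain validation against the roots you actually trust is what exposes the forgery. The following is an added example, not code from the Hive source or from the WikiLeaks release. It builds the whole scenario in memory with Go's standard crypto/x509 package: a "genuine" CA, an impostor CA with the identical distinguished name but its own key, one client certificate issued by each, and the check an analyst would apply to a client certificate pulled out of captured traffic. The CA name "Example Premium Server CA" and the organization "Example AV Ltd" are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate whose subject is the given common
// name. The genuine CA and the impostor CA both come from this helper; the
// only difference between them is the private key.
func newCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueClientCert signs a TLS client certificate with the issuer's key. The
// Issuer field of the result is copied from the issuer's Subject, which is
// exactly why comparing names proves nothing on its own.
func issueClientCert(org string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether leaf cryptographically chains to trustedRoot, i.e.
// the check that catches a certificate "pretending to be signed by" that root.
func chainsTo(leaf, trustedRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// SpoofCheck records what an analyst sees for the two client certificates.
type SpoofCheck struct {
	ForgedIssuerNameMatches bool // impostor leaf names the genuine CA as its issuer
	ForgedChainValid        bool // does the impostor leaf verify against the genuine CA?
	GenuineChainValid       bool // control: a leaf the genuine CA really issued
}

// RunSpoofCheck constructs the scenario in memory and evaluates both leaves.
func RunSpoofCheck() (SpoofCheck, error) {
	const caName = "Example Premium Server CA" // constructed stand-in for a real CA name
	genuineCA, genuineKey, err := newCA(caName)
	if err != nil {
		return SpoofCheck{}, err
	}
	// Impostor CA: same distinguished name, a key the genuine CA never saw.
	forgedCA, forgedKey, err := newCA(caName)
	if err != nil {
		return SpoofCheck{}, err
	}
	forgedLeaf, err := issueClientCert("Example AV Ltd", forgedCA, forgedKey)
	if err != nil {
		return SpoofCheck{}, err
	}
	genuineLeaf, err := issueClientCert("Example AV Ltd", genuineCA, genuineKey)
	if err != nil {
		return SpoofCheck{}, err
	}
	return SpoofCheck{
		ForgedIssuerNameMatches: bytes.Equal(forgedLeaf.RawIssuer, genuineCA.RawSubject),
		ForgedChainValid:        chainsTo(forgedLeaf, genuineCA),
		GenuineChainValid:       chainsTo(genuineLeaf, genuineCA),
	}, nil
}

func main() {
	res, err := RunSpoofCheck()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The same `chainsTo` check applies to a real client certificate extracted from a TLS handshake in a packet capture: parse it with `x509.ParseCertificate` and verify it against the root store you actually trust, rather than reading the issuer string and assuming the named CA stands behind it.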

***

The campaign to discredit Kaspersky Lab dates back to 2010, when the Russian-based cybersecurity firm uncovered the origin of the Stuxnet malicious computer worm which ruined Iran's nuclear centrifuges, experts in the field told Russia Today.

Kaspersky Lab, founded in Moscow in 1997, has been a world leader in cybersecurity for decades, taking pride in working outside of any government’s sphere of influence. US intelligence agencies, however, seem to consider the Russian firm a competitive challenge, the cybersecurity experts said.

“Kaspersky is highly reputable. It has been operating for a couple of decades. It has 400 million users around the world, including until very recently the American government,” former MI5 analyst Annie Machon said. “So of course if they are doing it, other countries are going to do it to a competitor corporation around the world too. Obviously, the CIA would be interested in a very successful Russian based company that offers protection on the internet.”

“Kaspersky [has] one of the most successful security teams worldwide. Don’t forget that Kaspersky was the security firm that first of all discovered the NSA linked group of activities involved in cyber espionage activities worldwide,” Pierluigi Paganini, the head of cybersecurity at Grant Thornton Consultants, told RT.

“Kaspersky has been a very reputable company. And so what this is, quite frankly, an old Russian term 'kompromat' [compromising material], where you impersonate, as they see it, the enemy... Using [a] particular Hive program,” London-based intelligence analyst Glenmore Trenear-Harvey said.

The Russian company became one of the targets amidst the ongoing anti-Russian hysteria in the US, which centers around the unproven allegations of Russian meddling in the 2016 US presidential elections. In September, the US Department of Homeland Security (DHS) ordered all government agencies to stop using Kaspersky products and to remove them from computers, citing “security risks.”

WikiLeaks' latest disclosure features real documents, former CIA analyst Ray McGovern told RT, describing it as “original, pristine and pure documents.” The CIA hacking tool Hive, first exposed by WikiLeaks in March, “enables the CIA to hack into computer, or network and ‘obfuscate’ is the word in CIA document… To conceal who hacked in and then leave traces like in Cyrillic, or the name of the first head of the Soviet secret police... Just to show that it might be the Russians,” McGovern, who has decades of experience in the CIA, said.

“What is important in this specific story is the complexity, the effort spent by the US intelligence to make hard the attribution. Kaspersky is the actual victim of these activities. There is a government agency, the CIA that conducted cyber espionage activities to also use false flag in its operation in order to make harder the attribution,” Paganini explained.

“The evidence such as it is, suggests to me, an intelligence analyst connecting dots, that Kaspersky might not even know that it was the CIA that has put in the damaging information which indicated that supposedly, Kaspersky was doing something untoward,” McGovern told RT.

Kaspersky Lab remains one of the few companies in the world that can expose the CIA’s scheming, and that is why the Russian company is facing so much backlash, Machon believes.

“We have Kaspersky saying 'We can do this-we can prove some of these hacks are not Russian, they are American’ when it comes to the presidential elections. And so they needed to discredit them, and I think that this new application of a virus at state level, a very aggressive virus that would discredit a very proven brand around the world it’s exactly what the Americans would want and the Israelis also would want,” the former MI5 operative pointed out.

The campaign against the Russian cybersecurity firm goes back to 2010, when Kaspersky Lab revealed the origin of the Stuxnet virus, Machon told RT. Back then, Kaspersky Lab stated that “this type of attack could only be conducted with nation-state support and backing.” Nobody officially claimed responsibility for the creation of the complex cyber weapon that targeted industrial control systems, used in infrastructure facilities, to affect their automated processes. However, it is widely believed that US and Israeli intelligence agencies were behind Stuxnet, which reportedly ruined almost one-fifth of Iran’s nuclear centrifuges used to develop civilian atomic power.

“Stuxnet was deployed against the centrifuges that enriched the uranium and nobody knew where it came from. It seemed to be very weaponized at the state level. And it was actually Kaspersky that unveiled who had developed it. And it was American and the Israeli intelligence agencies,” Machon told RT. “So ever since then, it has sort of been daggers drawn between these two competing sides [Kaspersky vs CIA]. Kaspersky has been very much in the crosshairs of both American and Israeli intelligence agencies.”
