[Edit] Kaspersky's own internal audit shows that NSA employees were using pirated, cracked versions of Microsoft Office

[captain_to_fire]

Sources: Mashable, Kaspersky [here and here]

 

Quote

Kaspersky Lab's relationship with the United States is rife with suspicion. The Department of Homeland Security ordered federal agencies to remove the lab's widely used antivirus software in September, writing in a statement that DHS was "concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."

But, as Wired wrote on Wednesday, the U.S. hasn't provided evidence to back up its claims, leaving observers to hash out what to believe, and forcing Kaspersky customers to decide whether to ditch the software due to suspicion alone. 

All this brings us back to why it's important to figure out Kaspersky's relationship to the stolen NSA tools, which, according to The Wall Street Journal, contained information about tactics the NSA uses to break into computer networks in other nations.

Kaspersky's version of events begins on Sept. 11, 2014, when, as explained in a blog post from the company on Wednesday, their antivirus software discovered "Equation malware" on a user's computer. "Equation malware" is thought to be associated with the NSA. 

This is why it's hard to judge whether which side is telling the truth. All the US media says is that anonymous individuals especially unnamed Israeli hackers have witnessed Russian hackers using Kaspersky AV to data mine the US government. At the same time, Kaspersky only did an internal audit of their databases although they promised next year they will become more transparent and even have their source code inspected.

Quote

Full results

In October 2017, Kaspersky Lab initiated a thorough review of our telemetry logs in relation to alleged 2015 incidents described in the media. We were aware only of one single incident that happened in 2014 during an APT investigation when our detection subsystems caught what appeared to be Equation malware source code files and decided to check if there were any similar incidents. Additionally, we decided to investigate if there were any third party intrusions in our systems besides Duqu 2.0 at the time of this alleged 2015 incident.

We have performed a deep investigation associated with the case from 2014 and preliminary results of this investigation revealed the following:

Verdict: HEUR:Trojan.Win32.GrayFish.gen

• During the investigation of the Equation APT (Advanced Persistent Threat), we have observed infections from all around the world, in more than 40 countries.
• Some of these infections have been observed in the USA.
• As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA.
• One of the infections in the USA consisted in what appeared to be new, unknown and debug variants of malware used by the Equation group.
• The incident where the new Equation samples were detected used our line of products for home users, with KSN enabled and automatic sample submission of new and unknown malware turned on.
• The first detection of Equation malware in this incident was on September 11 2014. The following sample was detected:
  • 44006165AABF2C39063A419BC73D790D
  • mpdkg32.dll
• Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator (aka “keygen”) (md5: a82c0575f214bdc7c8ef5a06116cd2a4 — for detection coverage, see this VirusTotal link) which turned out to be infected with malware. Kaspersky Lab products detected the malware with the verdict Win32.Mokes.hvl.
• The malware was detected inside a folder named “Office-2013-PPVL-x64-en-US-Oct2013.iso”. This suggests an ISO image mounted in the system as a virtual drive/folder.
• Detection for the Backdoor.Win32.Mokes.hvl (the fake keygen) has been available in Kaspersky Lab products since 2013.
• The first detection of the malicious (fake) keygen on this machine was on October 4 2014.
• To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the antivirus enabled.
• The user was infected with this malware for an unspecified period, while the product was inactive. The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine.
• At a later time, the user re-enabled the antivirus and the product properly detected (verdict: “Win32.Mokes.hvl“) and blocked this malware from running further.
• After being infected with the Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware.
• The last detection from this machine was on November 17 2014.
• One of the files detected by the product as new variants of Equation APT malware was a 7zip archive.
• The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.
• After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.
• No further detections have been received from this user in 2015.
• Following our Equation announcement from Feb 2015, several other users with KSN enabled have appeared in the same IP range as the original detection. These seem to have been configured as “honeypots”, each computer being loaded with various Equation-related samples. No unusual (non-executable) samples have been detected and submitted from these “honeypots” and detections have not been processed in any special way.
• The investigation has not revealed any other related incidents in 2015, 2016 or 2017.
• No other third party intrusion, besides Duqu 2.0, were detected in Kaspersky Lab’s networks.
• The investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like “top secret” and “classified”.

Now, I'm reserving judgement until third parties are able to inspect both the source code and their databases but if what Kaspersky lab is saying is true, it's embarrassing for the NSA. First of all, how stupid would it be for an employee to take home classified files for cyberespionage and later run a pirated Microsoft Office? It makes me wonder how much NSA is paying its employees that they'll cheap out and resort to software piracy which they know is illegal and dangerous. How stupid for the NSA employee to use a pirated software to begin with? 

 

If proven true by third parties, it only shows that using counterfeit/pirated software is dangerous even if you have nothing to hide on your computer since it can be used as a remote malware factory and distribution and even in this forum, so many new members are asking questions like "How to get Office for free?" or "How to get a Windows 10 license for free?" I think at the moment there has been a hearing about Kaspersky but no details have been release publicly at the moment. Speaking of transparency, they promised next year that they'll have more third parties inspect their source code and databases and increase their bug bounty rewards up to $100,000 per vulnerability. https://www.kaspersky.com/blog/transparency-initiative/19870/

 

It makes me question my career choice as being an ethical, white hat hacker seems to be very lucrative.

 

Edit: Here's the full video of the hearing assessing Kaspersky Lab. I haven't watched the video myself at the time I added the video.

Here's an interesting debate from Fortune:

 

Edited October 28, 2017 by hey_yo_
added the video from the hearing

[MegaDave91]

Ayyyy?

[flibberdipper]

[PlayStation 2]

ARR I BE JUST A PAINTING

[Guest]

I wonder how wide spread this was. If anything, I would have imagined that they had a keygen developed and distributed internally (Unless this was the one ?)

[ARikozuM]

Isn't this a Mitchell & Webb skit? 

[captain_to_fire]

5 minutes ago, ARikozuM said:

Isn't this a Mitchell & Webb skit? 

How? Also I don't know who those people are. 

15 minutes ago, tjcater said:

I wonder how wide spread this was. If anything, I would have imagined that they had a keygen developed and distributed internally (Unless this was the one ?)

Probably they made it themselves or they have used a keygen publicly distributed in P2P/torrenting websites. But it would be an embarrassment that they have to cheap out and resort to piracy just to have Microsoft Office which makes me wonder how much salary does the NSA pay?

[NumLock21]

I wonder how is Microsoft going to fine the NSA for using pirated Office?

 

MS: Hey, you no pay for office!

NSA: wat?

[captain_to_fire]

3 minutes ago, NumLock21 said:

I wonder how is Microsoft going to fine the NSA for using pirated Office?

 

MS: Hey, you no pay for office!

NSA: wat?

Would Microsoft file a DMCA complaint against the NSA? That would be interesting if they did. 

[NumLock21]

6 minutes ago, hey_yo_ said:

Would Microsoft file a DMCA complaint against the NSA? That would be interesting if they did. 

Cheapest Office cost $149 for the Home and Student, but it's not allowed for commercial use. The older version allows for up to 3 PCs, now it's just 1 PC. Back then there was even a retail version of Vista or Win7, that's also lets you use up to 3 PCs. Then MS killed it.

[captain_to_fire]

3 minutes ago, NumLock21 said:

Cheapest Office cost $149 for the Home and Student, but it's not allowed for commercial use. The older version allows for up to 3 PCs, now it's just 1 PC. Back then there was even a retail version of Vista or Win7, that's also lets you use up to 3 PCs. Then MS killed it.

Oh yeah back when it was just Office 2010/Office for Mac 2011. I used to have that. 

[captain_to_fire]

I think at the moment it’s much harder to pirate Microsoft Office thanks to Office 365 requiring monthly or annual subscriptions.  I hope the NSA pays their employees’ subscriptions which it seems that most universities and colleges are doing better. 

[Master Disaster]

37 minutes ago, hey_yo_ said:

I think at the moment it’s much harder to pirate Microsoft Office thanks to Office 365 requiring monthly or annual subscriptions.  I hope the NSA pays their employees’ subscriptions which it seems that most universities and colleges are doing better. 

Actually it's much easier now than it was due to KMS.

[captain_to_fire]

23 minutes ago, Master Disaster said:

Actually it's much easier now than it was due to KMS.

How? Maybe I should ask @Windspeed36 if it's true because I never pirated Office 365.

[Master Disaster]

25 minutes ago, hey_yo_ said:

How? Maybe I should ask @Windspeed36 if it's true because I never pirated Office 365.

Microsoft added the ability for Corporate partners to handle their own internal key management. Instead of simply issuing VLKs to corporate partners instead corporate partners can now create their own Key Management Servers (KMS). Employees are issued KMS keys that are activated at the place of work using the internal KMS and employees are required to reactivate the key every 30 days by physically connecting their machines to the corporate network (it has to be physical, no VPN or tunnelling). The stupidest thing about it is even if an employee doesn't reactivate after 30 days the software continues to fully operate forever, it just nags at boot to be reactivated by a KMS.

 

It didn't take the pirates long to figure out any retail software can easily be converted to a KMS version by swapping a few DLLs. They then created KMS emulators and by now you can see where this is going. A KMS key installed into converted retail Office/Windows with a KMS emulator and a Windows task scheduler task that runs the KMS emulator every 29 days and you've got a fully activated version that will never expire and MS cannot even blacklist the key as key blacklisting is also handled by the internal KMS.

 

KMS works with Windows 8, 8.1, 10, Server 2016, Office 2013 & Office 2016.

 

Without going into details cracking Windows and Office is now as simple as downloading the auto KMS tools, running them and pressing Activate Office, Activate Windows or Activate Both then pressing OK a few times and waiting. It even auto detects which versions you have, can handle multiple versions simultaneously and will crack them all individually.

[Deletist_Jerk]

This person who pirated MS Office must be a real dumbass. Government employees can get MS Office for $10. 

 

Must be a real cheap dude or lady. 

[captain_to_fire]

23 minutes ago, Master Disaster said:

-snip-

If that’s the case, then why would the NSA employee be stupid to resort to using a keygen cracker? 

25 minutes ago, Deletist_Jerk said:

This person who pirated MS Office must be a real dumbass. Government employees can get MS Office for $10. 

 

Must be a real cheap dude or lady. 

What’s more stupid is that the NSA employee took home the NSA spying malware and ran it on his PC with the AV’s real time and cloud protection turned on. 

[NumLock21]

9 hours ago, hey_yo_ said:

Oh yeah back when it was just Office 2010/Office for Mac 2011. I used to have that. 

My office 2007 has it too for 3 pcs. Don't remember the one before, Office XP, if it had or not, and when was the last ms office, to offer a license for 3 pcs. 

The good part is, they are retail, that means you can transfer the license to a new PC.

 

And a lot of software these days are subscription based not just office. adobe and autodesk are also subscription based.

[ashypanda]

it could be someone's personal computer on the NSA's network or for what ever reason they could have been trying to exploit KMS tools for a way to gain access to computers as they'd know that an awful lot of people activate windows and office with a KMS tool, 

 

10 hours ago, hey_yo_ said:

Would Microsoft file a DMCA complaint against the NSA? That would be interesting if they did. 

they'd file a formal cease and desist notice, but wouldn't pursue it any further, due to losing out on on the gov contracts, even though they gov has no other options but windows and office.

[Misanthrope]

Yep. Doesn't surprises me at all.

 

So let's not beat around the bush here: This is kind of why the office suit it's still fairly dominant for most office work. It's why Microsoft offers large corporations fairly sweet licensing deals and even directly caters to pirates offering discounts of up to 80 or 90% on already more accessible licensing prices for people to "go legal" they know most small and medium sized organizations just crack it for the most part. OS is not as widespread since for smaller businesses they build in the price in the price of the hardware itself to begin with but still, quite prevalent.

[captain_to_fire]

12 minutes ago, ashypanda said:

it could be someone's personal computer on the NSA's network or for what ever reason they could have been trying to exploit KMS tools for a way to gain access to computers as they'd know that an awful lot of people activate windows and office with a KMS tool, 

It was a personal computer of an NSA employee as it turns out. Allegedly, the NSA were in the process of developing spying malware but the NSA employee took home the piece of malware and decided to play with it on his home PC with Kaspersky AV installed. The spying malware was picked up by the AV and was sent to Kaspersky's servers for analysis and was found to be malicious [here: https://www.kaspersky.com/blog/kaspersky-in-the-shitstorm/19794/]. I think at the moment there's a hearing but details are not yet released.

I can't find a valid reason why would an employee of the NSA would cheap out despite knowing the risk of running counterfeit software and I'm pretty sure they knew the risks before anyone else since they're the intelligence agency of the US Department of Defense.

1 minute ago, Misanthrope said:

Yep. Doesn't surprises me at all

But it's still embarrassing that an NSA employee (or instructed by NSA?) to use a pirated MS Office which makes me wonder how much does the NSA pay their employees.

[Misanthrope]

17 minutes ago, hey_yo_ said:

But it's still embarrassing that an NSA employee (or instructed by NSA?) to use a pirated MS Office which makes me wonder how much does the NSA pay their employees.

Actually I'm not sure money is the issue: you are basically asking people to do a very unscrupulous job. Now I know some people might have little problem justifying it as "for the greater good" within their moral compass but either you get those fully committed people with high conviction...or you get unscrupulous types to do unscrupulous jobs and they don't really care they're supposed to represent the government.

[dalekphalm]

16 hours ago, NumLock21 said:

Cheapest Office cost $149 for the Home and Student, but it's not allowed for commercial use. The older version allows for up to 3 PCs, now it's just 1 PC. Back then there was even a retail version of Vista or Win7, that's also lets you use up to 3 PCs. Then MS killed it.

Government organizations get massive volume discounts on Office. 

 

I work for a public library which is only quasi government and we pay something like $10-$20 per license for the “Professional Plus” edition. 

[AresKrieger]

I really hope this is true as why should we follow copyright if the government who controls these retarded laws doesn't even do so becomes a valid counter point as a result.

[NumLock21]

1 hour ago, valdyrgramr said:

 

What's funny is that the Government and Schools get discounts on MS products through what use to be dreamspark and other MS programs.  But, ya...I guess the Government is too busy stealing instead of doing their own research.   

I know the govt gets huge discounts. Now if your a college student, you can get huge discounts too.