
WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data

By John Leyden


The CIA wrote code to impersonate Kaspersky Lab in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by WikiLeaks on Thursday.

Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA. WikiLeaks said:

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Eugene Kaspersky, chief exec of Kaspersky Lab, sought to reassure customers. "We've investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected," he said.

Hackers are increasingly abusing digital certs to smuggle malware past security scanners. Malware-slinging miscreants may not even need to control a code-signing certificate. Security researchers from the University of Maryland found that simply copying an Authenticode signature from a legitimate file to a known malware sample – which results in an invalid signature – can result in antivirus products failing to detect it.


Independent experts reckon the CIA used Kaspersky because it's a widely known vendor.

Martijn Grooten, security researcher and editor of industry journal Virus Bulletin, said: "The CIA needed a client certificate to authenticate its C&C comms, couldn't link it to CIA and used 'Kaspersky', probably just because they needed a widely used name. No CA hacking or crypto breaking involved. Clever stuff, but not shocking. Not targeted against Kaspersky."
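As an added example (not code from the leak, from The Register or from any of the people quoted), the Go program below reconstructs the situation WikiLeaks describes above and the point Grooten makes about an unverified client certificate: a CA, a certificate it really issued, and a forgery that merely copies the CA's name into its Issuer field. The CA name and the "Kaspersky Laboratory, Moscow" subject come from the quoted description; the keys, certificates and function names are constructed for this example. Attributing by issuer name accepts both certificates, while verifying the signature against the CA's real key rejects the forgery, which is the check a defender should apply before blaming the vendor named in the traffic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caName is the CA that the forged certificate claims as its issuer (constructed scenario).
const caName = "Thawte Premium Server CA"

// issue writes issuerName into the Issuer field verbatim and signs with signer; nothing binds that name to signer's key.
func issue(subject, issuerName string, isCA bool, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerName}} // only the name is copied
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// issuerClaims is the naive attribution: believe whatever the Issuer field says.
func issuerClaims(c *x509.Certificate, ca string) bool { return c.Issuer.CommonName == ca }

// chainsTo is the real check: the signature must verify under the genuine CA's key.
func chainsTo(c, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Scenario builds a constructed root CA, a client cert it really issued, and a forged one signed by an unrelated key.
func Scenario() (root, genuine, forged *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forgerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root = issue(caName, caName, true, rootKey, rootKey)
	genuine = issue("Kaspersky Laboratory, Moscow", caName, false, leafKey, rootKey)
	forged = issue("Kaspersky Laboratory, Moscow", caName, false, leafKey, forgerKey)
	return
}
```

Both certificates pass issuerClaims, but only the genuine one passes chainsTo; a monitoring tool that logs the issuer string without verifying the chain will misattribute the forged connection exactly as WikiLeaks describes.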

Revelations about the abuse of digital certificates by the US spy agency came as WikiLeaks released CIA source code and logs for a malware control system called Hive, as previously reported.

Security expert Professor Alan Woodward criticised the release, pointing to the Shadow Brokers' leak of Equation Group (NSA hacking unit) tools. "Wikileaks is now releasing source for exploits in Vault 7. Do they remember what happened last time such exploit code was leaked? Standby for another WannaCry." ®
