Wikileaks: CIA Wrote Code Impersonating Kaspersky Labs Casting Further Doubt on DNC ‘Hack’ Claims

In September, the U.S. Senate voted to ban the use of computer anti-virus software by the federal government from the Russian cybersecurity firm Kaspersky Lab over national security concerns.

The vote, which was included as an amendment to an annual defense policy spending bill, was made following the apparent discovery that the software provided foreign agents with a backdoor into computers with the software installed. It was approved on the same day by the Senate and prohibited the use of Kaspersky Lab software in government civilian and military agencies.

However, a new release by WikiLeaks on Thursday shows that the “national security risk” from Kaspersky could have been the product of CIA subterfuge. In documents published by WikiLeaks, the agency reportedly developed hacking software, code-named “Hive,” which has the capability to impersonate software produced by the Russian company.

The new revelations could prove a major blow to the Democratic National Committee’s claims that they were hacked by Russian agents. 

Citing WikiLeaks, ZeroHedge reports that, accordingly, “if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”

WikiLeaks has a summary of the documents:

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

The cover domain delivers ‘innocent’ content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users – an HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate – it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic goes to a cover server that delivers the unsuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.
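For defenders, the summary above comes down to two points: the subject and issuer strings in a certificate are chosen by whoever creates it, and an internal host presenting a client certificate to an outside website is unusual. The following added example (not from WikiLeaks or from this article) triages constructed TLS session records on those two points; the record format, field names, CA names and host names are hypothetical.

```python
import json

# Constructed sample: one JSON record per outbound TLS session, in a
# hypothetical sensor format (field names are assumptions, not a real schema).
# "chain_ok" means the sensor validated the client chain to a trusted root.
SAMPLE_LOG = """\
{"src":"10.0.4.17","sni":"news.example.net","client_cert":false}
{"src":"10.0.4.22","sni":"api.partner.example","client_cert":true,"client_subject":"CN=billing-svc,O=Example Corp","client_issuer":"CN=Example Corp Internal CA","chain_ok":true}
{"src":"10.0.9.3","sni":"blog.example.org","client_cert":true,"client_subject":"CN=updates,O=Well Known AV Vendor","client_issuer":"CN=Well Known Public CA","chain_ok":false}
"""

# Issuer names the organisation recognises (placeholders).
KNOWN_CA_NAMES = {"CN=Well Known Public CA", "CN=Example Corp Internal CA"}
# External hosts where mutual TLS is an approved, documented integration.
EXPECTED_MTLS_HOSTS = {"api.partner.example"}


def triage(record):
    """Return the list of findings for one session record."""
    findings = []
    if not record.get("client_cert"):
        return findings  # ordinary browsing: no client authentication
    if record["sni"] not in EXPECTED_MTLS_HOSTS:
        # Client certificates sent to a site that also serves anonymous
        # visitors is the "optional client authentication" pattern.
        findings.append("client-cert-to-unexpected-host")
    if not record.get("chain_ok", False):
        if record.get("client_issuer") in KNOWN_CA_NAMES:
            # The name matches a CA, but the signature chain does not:
            # the names must not be used for attribution.
            findings.append("issuer-name-matches-known-ca-but-chain-invalid")
        else:
            findings.append("client-cert-chain-invalid")
    return findings


def scan(log_text):
    """Map (source host, server name) to findings for every flagged session."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        findings = triage(record)
        if findings:
            flagged[(record["src"], record["sni"])] = findings
    return flagged


if __name__ == "__main__":
    for key, findings in scan(SAMPLE_LOG).items():
        print(key, findings)
```
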

Kaspersky Lab denies that they have been involved in state-sanctioned espionage, maintaining in an October press release that the company has been “caught in the middle of a geopolitical fight,” and that it is being used as a scapegoat “even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.”

24 Comments


  1. DaisyToo

    November 13, 2017 at 9:52 am

    RIP, Seth Rich.

  2. Steve O

    November 13, 2017 at 11:30 am

    Hang on a second. The US federal government installed “anti-virus” software from a RUSSIAN company??? Maxwell Smart would have seen through that! I don’t think Frank Drebin would be that dumb.

    • gscott

      November 13, 2017 at 12:55 pm

      Uh. Go back and read this story again. With comprehension this time.

      • Steve O

        November 13, 2017 at 2:00 pm

        “In September, the U.S. Senate voted to ban the use of computer anti-virus software by the federal government from the Russian cybersecurity firm Kaspersky Lab over national security concerns.”

        • M Wilkens

          November 13, 2017 at 9:49 pm

          … are you even reading the same story as we are? Google ‘false flag’.

  3. contrariant

    November 13, 2017 at 1:45 pm

    Kaspersky is always highly rated. They detected the malware used to destroy Iranian centrifuges. Very smart guys.

  4. Divegoddess

    November 13, 2017 at 5:56 pm

    My oh my! The democrats lying again. Who would have thought? Lol

  5. Dante Alighieri 📌

    November 14, 2017 at 7:37 am

    one word — stuxnet

  6. webkilla

    November 14, 2017 at 8:51 am

    So… the CIA impersonated Russians for hacking purposes. Whelp

  7. ranterator

    November 14, 2017 at 8:26 pm

    The CIA has been a “national security risk” since the day it was created…
