Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak
27.9.2018 securityaffairs
BigBrothers

A former NSA TAO hacker was sentenced to 66 months in prison over the leak of top-secret documents linked to the US government ban on Kaspersky.
A former member of the NSA’s Tailored Access Operations hacking team was sentenced to 66 months in prison over the leak of top-secret documents linked to the US government ban on Kaspersky software.

The former NSA hacker is Nghia Hoang Pho (68), who served US intelligence for 10 years as a member of the NSA’s elite Tailored Access Operations hacking unit.

The man pleaded guilty in December 2017 to one count of willful retention of classified national defense information.

The Vietnam-born American citizen, who was living in Ellicott City, Maryland, was charged with illegally removing top-secret materials.

The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.

The tools were detected by the Kaspersky Lab software installed on the NSA hacker’s personal computer and were sent back to Kaspersky’s server for further analysis.

Kaspersky Lab published a detailed report on how cyber spies could easily have stolen the software exploits from the NSA employee’s Windows PC.

According to the prosecutors, between 2010 and 2015, the former NSA hacker had taken home with him TAO materials, including exploits and hacking tools.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware bundled with a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the former NSA TAO member’s PC. Some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky published a second report that sheds light on the firm’s investigation into the NSA-linked Equation Group APT.

Kaspersky searched its databases going back to June 2014, six months before the period of the alleged hack involving its antivirus, for all alerts whose detection name matched wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a large number of false positives.

The analysis revealed one specific signature, “HEUR:Trojan.Win32.Equestre.m”, that fired a large number of times in a short time span on just one system, together with a 7zip archive (referred to below as “[undisclosed].7z”). This was the beginning of the analysis of that system, which was found to contain not only this archive but many files, both common and unknown, indicating that the user was probably a person related to the malware development.
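As an added illustration of the kind of telemetry search described above (example code written for this page, not Kaspersky’s own tooling), the following Python separates a detection name that fires in a burst on a single host from a noisy test signature spread across many hosts; the alert records, host names and the “Equestre.a” name are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed telemetry records (timestamp, host, detection name); not real Kaspersky data.
# "Equestre.a" plays a noisy test signature (one hit on several hosts); "Equestre.m" fires
# repeatedly within minutes on a single host, the profile the article describes.
ALERTS = [
    ("2014-09-11T10:00:00", "host-01", "HEUR:Trojan.Win32.Equestre.a"),
    ("2014-09-11T10:05:00", "host-02", "HEUR:Trojan.Win32.Equestre.a"),
    ("2014-09-11T10:07:00", "host-03", "HEUR:Trojan.Win32.Equestre.a"),
    ("2014-09-11T11:00:00", "host-07", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T11:01:00", "host-07", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T11:02:00", "host-07", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T11:03:00", "host-07", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T11:04:00", "host-07", "HEUR:Trojan.Win32.Equestre.m"),
    ("2014-09-11T12:00:00", "host-07", "HEUR:Trojan.Win32.Mokes.gen"),  # outside the wildcard
]

def matching_alerts(alerts, pattern):
    """Alerts whose detection name matches a wildcard such as 'HEUR:Trojan.Win32.Equestre.*'."""
    return [a for a in alerts if fnmatch(a[2], pattern)]

def max_hits_in_window(times, window):
    """Largest number of alerts that fall inside any span of length `window` (sliding window)."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def single_host_bursts(alerts, pattern, min_hits, window_minutes):
    """Split wildcard-matching signatures into two groups:
    bursts: signatures seen on exactly one host that fired >= min_hits inside window_minutes,
            returned as (signature, host, hits);
    noisy:  signatures seen on more than one host, the profile of a broad test rule."""
    by_sig = defaultdict(lambda: defaultdict(list))
    for ts, host, sig in matching_alerts(alerts, pattern):
        by_sig[sig][host].append(datetime.fromisoformat(ts))
    bursts, noisy = [], []
    for sig, hosts in by_sig.items():
        if len(hosts) > 1:
            noisy.append(sig)
            continue
        (host, times), = hosts.items()
        hits = max_hits_in_window(times, timedelta(minutes=window_minutes))
        if hits >= min_hits:
            bursts.append((sig, host, hits))
    return bursts, noisy
```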

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com”.

The security firm explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

According to the Wall Street Journal, the intrusion of Pho’s computer led to the Russians obtaining information on how the NSA TAO unit hacks into foreign computer networks.

“As a result of his actions, Pho compromised some of our country’s most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost,” declared US Attorney Robert Hur.

The US Government banned the use of Kaspersky anti-virus software on government networks and accused the company of working for Russian intelligence.

Kaspersky has repeatedly denied any ties to Russian intelligence and announced the launch of a transparency initiative that involves giving partners access to the source code of its solutions.