Vault 7's DriftingShadows: The CIA's cyberwar against Kaspersky and anti-virus software by rebelskum

![Kaspersky](https://www.grahamcluley.com/wp-content/uploads/2015/06/kaspersky-wide.jpeg)

"Your mission, should you choose to accept it, is to Trojan everything with anything on all OSes and evade detection by all PSPs all the time."

[CIA Operational Support Branch User #71473](https://wikileaks.org/ciav7p1/cms/page_2621683.html)

Vault 7 reveals that the CIA had keen interest in bypassing alarms in personal security products (PSPs) like AVG and Kaspersky. Not only do numerous documents prove the CIA's interest in bypassing anti-virus systems, but several CIA developers, for example [User #1179925](https://wikileaks.org/ciav7p1/cms/space_1736706.html), were specifically assigned to projects targeting just about every anti-virus system including:

* Kaspersky
* AVG
* Symantec
* Trend Micro
* Malwarebytes
* Norton
* McAfee
* ClamAV
* Panda Security
* Rising
* Zone Alarm
* EMET (Enhanced Mitigation Experience Toolkit)
* Microsoft Security Essentials
* GDATA
* ESET
* Bitdefender
* Avira

This article will discuss security flaws in the commonly used anti-virus program, Kaspersky, which has been targeted and exploited by the CIA, rendering their attacks virtually undetectable to its millions of users. In addition, we uncover strong evidence by admission that the CIA was actually the anti-Kaspersky cyberweapons group known as "The Equation Group".

Kaspersky is a popular personal security product (PSP) developer based in Moscow, Russia. The CIA showed particular interest in bypassing Kaspersky anti-virus programs and their attempts to do so can be found in several different documents.[(1)](https://wikileaks.org/ciav7p1/cms/page_13763143.html) Some have suggested this may be because Kaspersky has close ties with the Russian intelligence organization, FSB.[(2)](https://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies)

Regardless, this should be cause for alarm, as Kaspersky isn't just used in Russia. In fact, Kaspersky is used by over 200 million people worldwide, including in the United States.[(3)](http://ask.brothersoft.com/how-many-people-use-this-antivirus-how-would-you-rate-it-10365.html)

Just how compromised is Kaspersky? Well...

One particular document available on Vault 7 provides a script for testing whether or not a certain program will trigger Kaspersky's anti-virus alert.[(4)](https://wikileaks.org/ciav7p1/cms/page_13763143.html) It is interesting to note that in the first lines of this script the library "tybase.palantir.client" is imported, meaning that it is either dependent on or directly interfaced with components of Palantir.

**DriftingShadows** can create DLL files that check for the presence of Kaspersky on the target system, check for the existence of a stop file, and carry a list of whitelisted IP addresses to target. It can then begin covertly running an exploit payload known as **GRAVITYTURN**.[(5)](https://wikileaks.org/ciav7p1/cms/page_14588388.html) Apparently DriftingShadows was also tested successfully against AVG anti-virus, but a Secret/Noforn document available in Vault 7 shows that certain instances of DriftingShadows could be caught by AVG.[(6)](https://wikileaks.org/ciav7p1/cms/page_14588112.html)

Kaspersky analysts believe that several hacking tools were developed by a collective they labelled "Equation". Sometime in 2015, the CIA discussed Equation itself and how to avoid the operational mistakes that led to its detection by Kaspersky.[(7)](https://wikileaks.org/ciav7p1/cms/page_14588809.html) The previously mentioned User #1179925 corrected the claim that Equation was a rogue cyberweapons group by admitting:

>The Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools (mostly TAO (Tailored Access Operation) some IOC (CIA Information Operations Center)). 

Documents also show that another tool, **Grasshopper**, was able to successfully bypass Kaspersky as well as Symantec and Windows Security Essentials.[(8)](https://wikileaks.org/ciav7p1/cms/page_14587218.html) This tool seems to have primarily targeted Windows systems up to Windows 8, but Grasshopper releases in Vault 7 show it was updated until at least December 2015[(9)](https://wikileaks.org/ciav7p1/cms/page_12353659.html) and likely supported more recent versions.

This leaves me with some intriguing conclusions. Not only does the CIA actively (and successfully) bypass all commonly used anti-virus programs, but they seem to be involved with other infamous surveillance groups such as Palantir and more.

In addition, it's entirely possible the CIA and their allies may have used these cyberweapons to commit serious cybercrimes. The source of the Duqu and Duqu 2.0 attacks on Kaspersky, for instance, is still unknown, but the malware contained several false flag indicators intended to make the attacker appear Chinese or Romanian in origin,[(10)](https://wikileaks.org/ciav7p1/cms/files/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) which is eerily reminiscent of the CIA's UMBRAGE group.

Now that we know they are actually the CIA, I will look more into The Equation Group and their malware programs in an upcoming article. For now, however, it should be assumed that **anti-virus programs are not an effective countermeasure** to CIA hacks present in Vault 7.
@inity ·
Thanks for the updates, keep em coming!
@shawnwaldow ·
Excellent work sir.