Kaspersky case – Now we know who is the NSA hacker who kept Agency’s cyber weapons at home

A former NSA hacker pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian cyber spies.

A member of the US National Security Agency Tailored Access Operations hacking team, Nghia Hoang Pho (67) pleaded guilty in a US district court in Baltimore on Friday to one count of willful retention of national defense information.

The Vietnam-born American citizen, who lives in Ellicott City, Maryland, has been charged with illegally removing top secret materials.

The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.

The tools were detected by the Kaspersky Lab software installed on the NSA hacker’s personal computer and were sent back to Kaspersky’s server for further analysis.

Kaspersky Lab, published recently a detailed report on how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.

According to the telemetry logs collected by the Russian firm, the staffer temporary switched off the antivirus protection on the PC, and infected his personal computer with a spyware from a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC, sometime later the employee disabled the Kaspersky software to execute the activation-key generator.

Then the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky published a second report that sheds the light on the investigation conducted by the firm on the NSA-linked Equation Group APT.

Kaspersky has begun running searches in its databases since June 2014, 6 months prior to the year the alleged hack of its antivirus, for all alerts triggered containing wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a LARGE number of false positives.

The analysis revealed the presence of a specific signature that fired a large number of times in a short time span on just one system, specifically the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred below as “[undisclosed].7z”). This is the beginning of the analysis of the system that was found containing not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development.

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of the Microsoft Office 2013, but the .ISO was containing the Mokes backdoor.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two month its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

The security firm explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

The NSA hacker Pho now faces roughly six to eight years in prison, with sentencing set for April 2017.

According to the  plea deal, Pho broke federal law because he took the codes at home multiple times, he admitted that, over a five-year period starting in 2010, he copied the information from NSA machines and took it all home with him.

“Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. Governmentdocuments and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information,” the US Department of Justice said in disclosing the guilty plea.

“This material was in both hard-copy and digital form, and was retained in Pho’s residence in Maryland.”

The positive aspect of the story is that Pho did act with cyber espionage purposes, he wasn’t charged to sell or pass off any of the data.

The fact that Pho was the third NSA employee charged in the past two years for taking home top-secret information is embarrassing and highlights the risk of insiders.