In September, the U.S. Senate voted to ban the use of computer anti-virus software by the federal government from the Russian cybersecurity firm Kaspersky Lab over national security concerns.

The vote, which was included as an amendment to an annual defense policy spending bill, was made following the apparent discovery that the software provided foreign agents with a backdoor into computers with the software installed. It was approved on the same day by the Senate and prohibited the use of Kaspersky Lab software in government civilian and military agencies.

However, a new release by WikiLeaks on Thursday shows that the “national security risk” from Kaspersky could have been the product of CIA subterfuge. In documents published by WikiLeaks, the agency reportedly developed hacking software, code-named “Hive,” which has the capability to impersonate software produced by the Russian company.

The new revelations could prove a major blow to the Democratic National Committee’s claims that they were hacked by Russian agents. 

Citing WikiLeaks, ZeroHedge reports that accordingly, “if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”

WikiLeaks has a summary of the documents:

Today, 9 November 2017, WikiLeaks publishes the source code and development logs to Hive, a major component of the CIA infrastructure to control its malware.

Hive solves a critical problem for the malware operators at the CIA. Even the most sophisticated malware implant on a target computer is useless if there is no way for it to communicate with its operators in a secure manner that does not draw attention. Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet. Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated information to CIA servers and to receive new instructions from operators at the CIA.

The cover domain delivers ‘innocent’ content if somebody browses it by chance. A visitor will not suspect that it is anything else but a normal website. The only peculiarity is not visible to non-technical users – a HTTPS server option that is not widely used: Optional Client Authentication. But Hive uses the uncommon Optional Client Authentication so that the user browsing the website is not required to authenticate – it is optional. But implants talking to Hive do authenticate themselves and can therefore be detected by the Blot server. Traffic from implants is sent to an implant operator management gateway called Honeycomb (see graphic above) while all other traffic go to a cover server that delivers the insuspicious content for all other users.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Kaspersky Lab denies that they have been involved in state-sanctioned espionage, maintaining in an October press release that the company has been “caught in the middle of a geopolitical fight,” and that it is being used as a scapegoat “even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.”