Kaspersky Lab explains how NSA data was uploaded

Days after launching a global transparency initiative, Russian security firm Kaspersky Lab has released details of an internal investigation into claims that its antivirus software was used to spy on the US.

The moves come in the wake of a ban on the use of Kaspersky Lab’s software in US government systems in response to media reports alleging that Russian hackers used the company’s antivirus software to search for classified US government documents.

US media reports claimed that Kaspersky software had identified classified data brought home by a National Security Agency (NSA) contractor and sent it to Kaspersky’s headquarters in Moscow.

When Israeli agents broke into Kaspersky’s network for a separate operation in 2015, they found some source code for NSA hacking tools and alerted the US government.

But Kaspersky Lab says an internal investigation in October 2017 revealed that the NSA contractor’s home computer was infected with malware contained in a key generator downloaded with pirated Microsoft software.

“The malware dropped from the trojanised keygen was a full-blown backdoor which may have allowed third parties access to the user’s machine,” said the Kaspersky Lab investigation report, which means that classified content on the NSA contractor’s computer could have been accessed by anyone.

This is the security firm’s most direct rebuttal to date of the allegations that it was complicit in the identification and theft of classified data from the NSA contractor’s computer.

Kaspersky Lab said the NSA contractor had disabled its software for an unknown period, preventing it from blocking the malware, but when it was reinstated, it identified the Win32.Mokes.hvl malware contained in the key generator as well as NSA hacking tools, which the report refers to as “new and unknown variants of Equation [group] APT malware”, which has been linked to the NSA.

One of the files detected by the product as new variants of Equation APT malware was a 7zip archive, which was submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts.

“Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware,” the report said.

After discovering the suspected Equation malware source code, the analyst reported the incident to Eugene Kaspersky, chief executive of Kaspersky Lab, the report said.

“Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties,” the company chief said in tweet.

“US law tolerates inadvertent acquisition of classified data but doesn’t allow distribution of it. We deleted it to follow the law.”

Kaspersky Lab said the investigation confirmed that the company had never created any detection of non-malicious documents in its products based on keywords such as “top secret” and “classified”.

“We believe the above is an accurate analysis of this incident from 2014. The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” Kaspersky Lab said.

The company also said it plans to share full information about this incident, including all technical details, with a trusted third party as part of its Global Transparency Initiative for cross-verification.

As part of the initiative, announced on 23 October 2017 in an effort to restore its reputation, Kaspersky Lab has committed to submitting its source code for third-party review and an independent assessment of the company’s secure development lifecycle processes, and its software and supply chain risk mitigation strategies.

Kaspersky Lab said it will also introduce additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly, and will establish three transparency centres in Europe, Asia and the US by 2020.