Kaspersky Says Russia Didn’t Steal NSA Secrets; AV Firm Uploaded Code While Analyzing NSA Staffer’s PC for Malware

Rafia Shaikh
cloud act Russia kaspersky us israel

Following a story that involved spies from Russia, Israel and the United States, Kaspersky has now admitted its antivirus software lifted code belonging to the National Security Agency (NSA) for analysis. The company insists that the theft was not intentional and that the data was "immediately" deleted.

The incident has been recounted by none other than Kaspersky's founder, Eugene Kaspersky, and supported by the Moscow-based firm's preliminary report of its internal investigation into the "alleged incident".

Related StoryRafia Shaikh
Kaspersky Announces Stopping All Work with European Cybercrime Initiatives In Response to Potential EU Ban

This is the first public acknowledgement of the allegations coming from the AV firm that has largely denied any and all role in helping Russia use its products to steal US government's secrets. While Kaspersky suggests that the data was lifted as a routine analysis, the report isn't likely to help the company in the United States where the Trump administration has put an indefinite ban on its products use in government offices.

Kaspersky says Russia didn't need to steal data from NSA, staffer's computer was already infected

The Russian security firm says that the computer of the NSA staffer was already infected as pirated software was downloaded on his personal computer, including an illegal Microsoft Office activation key generator.

"The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user's machine," Kaspersky said in today's report. The company added that the staffer had disabled its AV program for the software to run, or it would have blocked it. After the program was turned on again, it spotted the malware and the NSA hacking tools.

To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the antivirus enabled.

"The archive [NSA data] itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts," the report published by Kaspersky says. "Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation* malware."

Taken (and deleted) by Kaspersky according to the AV firm itself

While the original report published by The Wall Street Journal had suggested that the incident occurred in 2015, the AV firm says it was actually a year earlier when the code belonging to the NSA's Equation Group was taken by Kaspersky, not by Russian spies as Israeli intelligence agencies had reportedly told their US counterparts.

It is possible that the Israeli intelligence agency - that had itself infected Kaspersky and was later booted out by Kaspersky - had discovered this data and assumed it was proactively stolen by Kaspersky for Russia, and not "lifted for routine analysis".

"One of the files detected by the product as new variants of Equation APT malware was a 7zip archive."

Kaspersky, however, in its report says that after discovering the Equation malware source code, the analyst reported the incident to the CEO himself and "the archive was deleted from all our systems" and wasn't shared with any third parties.

It is unclear if the programs ever ended up with Russians or if it was pure speculation on the part of Israel. However, the report and details aren't going to help Kaspersky's case either as it remains at the center of these cyber espionage allegations. The Trump administration would also probably want to know why the AV firm that had several US government contracts failed to notify the government of this incident. The media reports had claimed that it was through the Israeli intelligence agencies that the US first became aware of this security breach.

While Kaspersky had denied all such reports and still calls them "allegations", its latest report at least partially corroborates with stories published by the WaPo, WSJ, and the NYT. Today's report raises further questions for security experts about how Kaspersky's antivirus products work and if they deliberately hunt for confidential data. The security firm had earlier this week promised to open its source code for independent review next year to put an end to these suspicions.

* Equation Group is an elite group of hackers identified as an arm of the National Security Agency.

Share this story

Deal of the Day