Kaspersky denies Russia used anti-virus software to steal NSA spying tools
The statement from Kaspersky comes after the New York Times, the Washington Post, and the Wall Street Journal reported that an employee of the National Security Agency's (NSA) elite hacking unit lost some of the agency's espionage tools after storing them on his home computer. The media reports implied that the Russian government was behind the incident, having used Kaspersky anti-virus software to collect the NSA technology.
However, Kaspersky Lab’s CEO Eugene Kaspersky told Sky News that there is a “very, very low risk – almost zero – that our network is compromised by some security service which is using our products to spy on the customers.”
He added that there is a “zero risk that our employees do anything wrong, because it will be visible,” while admitting that, if the allegations were true, it would “simply kill our business.”
The company also said it found no evidence that it had been hacked by Russian spies, but acknowledged that it had once been infiltrated by the Israeli government.
So what really happened?
According to a statement published on the Kaspersky blog following an internal investigation, the company stumbled upon the code in 2014, a year earlier than the US media reports stated.
Referring to a powerful group of hackers that has been identified as an arm of the NSA – the Equation Group – the statement noted that “the first detection of Equation malware in this incident was on September 11, 2014.”
After the malware was detected, an unidentified Kaspersky software user “appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator...which turned out to be infected with malware.”
The malware was identified as Win32.Mokes.hvl. After this had infected the user’s hardware, they “scanned the computer multiple times,” which resulted in antivirus software detecting more suspicious files, including a 7z archive.
“The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware,” the statement explained.
The analyst then reported the matter directly to Eugene Kaspersky, who ordered the company’s copy of the code to be destroyed.
“Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
Speaking to Sky News, Kaspersky reaffirmed that the data was deleted.
"In our virus lab, all our virus researchers and all our experts have a strict note that if we download, by mistake or by the cloud services, if we download any kind of classified information and if we see it's classified information – it doesn't matter the origin of this information – it must be deleted," he said.
The company has also suggested that others could have obtained the surveillance tools by hacking into the American user’s computer through a back door later found there.
What is the US media claiming?
Earlier this month, The Wall Street Journal said that hackers working for Moscow appeared to have targeted the NSA employee by using Kaspersky software to identify classified files.
The Journal also claimed the Kaspersky programs searched for keywords including "top secret."
That claim has been denied by the company, which said that "the investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like 'top secret' and 'classified.'"
Just five days after the Journal's report, The New York Times and The Washington Post stated that Israeli officials, after hacking into Kaspersky's network, had reported to the US the operation allegedly orchestrated by Moscow.
Eugene Kaspersky has described the US reports as "definitely not true," but says his company saw "almost zero opportunity for us to start legal action against the United States media because this information was made in such a way that it's not possible to start the legal case."
Responding to the allegations, the company has announced a global transparency initiative, which will include a complete audit of its source code by the beginning of the next financial year. It will also set up three transparency centers in various locations across the globe by 2020 "to address any security issues together with customers, trusted partners, and government stakeholders."