Kaspersky admits it unintentionally reaped NSA hacking tools

While tracking the Equation Group in 2014, the cybersecurity firm detected one malware incident with unknown variants in the U.S.
By Jessica Davis
02:56 PM

Six U.S. intelligence agencies testified at a Senate hearing on May 11 about Kaspersky Lab’s software. Photo via c-span

Cybersecurity giant Kaspersky conceded its software lifted code from a computer belonging to an NSA employee. However, the company says the act was not intentional.

After the suspected tool was discovered by the analyst, it was reported to CEO Eugene Kaspersky, who requested that the archive be deleted. It was removed and was not shared with any third parties.


The vendor launched its investigation after media reports claimed that in 2015 Kaspersky targeted an NSA employee who was known to work on the agency’s hacking software. The Wall Street Journal report suggested the employee took classified work home, and that his PC ran Kaspersky’s antivirus software.

The WSJ story reported that once the classified documents had been located by way of Kaspersky software, the Russian government gained access to the information.


Kaspersky has continually denied any wrongdoing. However, the U.S. government banned the use of the company’s software in any federal agency last month.

At the time of the incident, Kaspersky was involved with an Advanced Persistent Threat investigation and quickly followed the trail of the Equation Group, where it detected what appeared to be Equation malware source code files.


In 2014, there were more than 40 active Equation infections globally. But one found in the U.S. appeared to be an unknown debug variant on a home computer running Kaspersky Security Network software, which automatically collects threat data and sends it to the cloud.

Kaspersky researchers claim this user had pirated software installed on the machine, as they found illegal Microsoft Office keygens. The antivirus was turned off while the keygen was in use, a common practice among users who run keygens to validate pirated copies.


However, this keygen was infected with malware: a Trojan with backdoor capabilities. The report suggests this backdoor could have been used by others to target this employee. At some point, the antivirus software was turned back on, and it then blocked the Trojan. While the user was running scans to remove the Trojan, the antivirus also caught the NSA hacking tools.

The investigation didn’t reveal any other related incidents in preceding years. Further, researchers confirmed Kaspersky “never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like ‘top secret’ and ‘classified’.”

“The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” the researchers wrote. “We’re planning to share full information about this incident, including all technical details with a trusted third party as part of our Global Transparency Initiative for cross-verification.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com