Kaspersky Lab Obtained NSA Code From PC Also Infected With Backdoor
Kaspersky’s security software had stumbled across NSA code in 2014, but the PC in question was also infected with a backdoor
Kaspersky Lab has acknowledged this week that its security software did stumble across hacking code belonging to the NSA, but it said it deleted the code soon after.
The acknowledgement came after the Russian security specialist blogged its preliminary results from a ‘deep investigation’ of a case in 2014.
It follows an alleged incident in 2015 which had been reported by US media earlier this month.
Case Background
In early October the Wall Street Journal and the Washington Post both reported that Russian hackers had allegedly used Kaspersky Lab security products to obtain US National Security Agency (NSA) data.
These ‘Russian government-backed hackers’ allegedly stole this NSA code in 2015, after an NSA contractor had placed sensitive information on his home computer. It seems that the NSA contractor had taken classified material home to work on it on his home computer.
The media reports alleged that the contractor’s home computer was running Kaspersky’s AV software, flaws in which allegedly enabled the Russian government-backed hackers to see his files.
It was later alleged that it was Israeli intelligence who had discovered that the hackers were using Kaspersky Lab anti-virus software to spy on US spies.
But Kaspersky Lab denied any inappropriate ties to any government, including Russia.
Indeed, CEO Eugene Kaspersky himself said it would be impossible for any rogue employee to infiltrate the company without being noticed.
Deep Investigation
But nevertheless, Kaspersky Lab decided to open a ‘deep investigation’ into the matter.
Its investigation found that Kaspersky’s consumer security product had been analysing questionable software from a US computer (it didn’t state it was the NSA contractor) and found a zip file that was flagged as malicious.
When the file’s contents were reviewed, a Kaspersky analyst discovered it contained the source code for a hacking tool attributed to what Kaspersky calls the Equation Group (reportedly an NSA project).
When the analyst reported the matter to Eugene Kaspersky, the CEO ordered that the company’s copy of the code be destroyed.
“After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO,” said Kaspersky. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
Kaspersky’s investigation also revealed that the user’s computer appeared to have been infected with a backdoor, which the firm attributes to a trojanised key generator found on the machine.
“The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine,” said the firm.
“We believe the above is an accurate analysis of this incident from 2014,” it added.
“The investigation is still ongoing, and the company will provide additional technical information as it becomes available. We are planning to share full information about this incident, including all technical details with a trusted third party as part of our Global Transparency Initiative for cross-verification.”
US Pressure
It is unlikely that this acknowledgement will appease the Americans.
In September the US Department of Homeland Security (DHS) ordered all government departments and agencies to remove Kaspersky software from their IT systems.
Kaspersky products were already not allowed on military networks, after the US General Services Administration removed Kaspersky from an approved-vendors list in July.
The FBI meanwhile had been giving private briefings to US companies urging them to stop using products from Kaspersky Lab.
This pressure has also led to a number of US retailers, including Best Buy, withdrawing Kaspersky’s products from sale.
Earlier this week, Kaspersky once again offered to open its source code for inspection by authorities.