Last month, the Department of Homeland Security ordered every U.S. government agency to stop using a popular anti-virus program made by Kaspersky Lab, a cyber-security firm based in Russia. Officials were “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies,” the department said in a statement at the time, remaining otherwise tight-lipped about its reasoning for abruptly severing ties with Kaspersky.

Now, the ban seems to make more sense. The Wall Street Journal reported Thursday that Russian state hackers were able to use Kaspersky Lab anti-virus software to identify and steal National Security Agency documents and hacking tools, including “highly classified material,” after an agency contractor took documents home from work and put them on his private computer. The N.S.A. didn’t discover the 2015 theft, which the Journal calls “one of the most significant security breaches in recent years,” until last year. The information the hackers obtained included “details about how the N.S.A. penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the U.S.,” which Russian state agents could conceivably use to infiltrate U.S. networks and simultaneously protect their own against cyber-attacks.

Kaspersky downplayed any involvement with the hacking attack. In a statement to the Journal, the firm said it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.” (Kaspersky has previously denied it is a tool of Russian intelligence services.) The firm’s founder, Eugene Kaspersky, who studied programming at a school operated by the K.G.B. before going to work for the Russian Ministry of Defense, slammed Congress for its decision to abruptly postpone his testimony in front of the House Science Committee, which had been planned to address the ban of Kaspersky products.. “As I write this I should be in Florence or Rome (more conferences, meetings and other work), but then, quite unexpectedly, I was invited to testify before Congress,” Kaspersky wrote. “Crikey! So I had to cancel everything and fly back home earlier than planned to prepare for this important event. But I needn’t have! Before you could say ‘make your mind up already,’ it was postponed—with no rescheduled date given.”

The N.S.A. doesn’t use Kaspersky-developed anti-virus software. “Whether the information is credible or not, N.S.A.’s policy is never to comment on affiliate or personnel matters,” a spokesman told the Journal. It remains unclear whether the 2015 breach is connected to two other security incidents the N.S.A. faced not too long after: the arrest of a contractor named Hal Martin, whose lawyers didn't deny allegations that he took classified N.S.A. data and put them on his home computer, and a leak of alleged N.S.A. hacking tools by a group called Shadow Brokers.