Kaspersky defends its role in NSA breach By Gordon Corera

Security correspondent Published duration 16 November 2017

image copyright Reuters image caption Eugene Kaspersky has denied his company has worked with the Kremlin to hack others

The Russian-headquartered anti-virus company Kaspersky Lab has hit back at reports it deliberately extracted sensitive files from a US National Security Agency worker's computer.

Russian hackers had used Kaspersky software to identify classified files on the NSA contractor's home computer, which they then stole, it said.

It later emerged Kaspersky had also copied files off the PC itself.

image copyright Reuters image caption An NSA contractor was said to have installed Kaspersky's software on a personal computer

But the company has now said this was not deliberate and any classified documents were destroyed.

It said its researchers had been investigating malicious software created by "the Equation Group", which is widely understood to be Kaspersky's codeword for the NSA.

And this research had included looking for signatures relating to known Equation activity on machines running the company's software.

On 11 September 2014, the company said, one of its products deployed on a home computer with an internet protocol (IP) address in Baltimore, Maryland - close to where the NSA is based - had reported what appeared to be variants of the malware used by the Equation Group.

image copyright Getty Images image caption Kaspersky Lab denies sharing any of the copied archive's files with third parties

Soon after, the user had disabled the Kaspersky Lab anti-virus tool and downloaded and installed pirated software infected with another, separate form of malware.

And when the Kaspersky product had been re-activated, it had also detected this malware and new variants of Equation malware inside a 7zip archive - a file containing compressed documents.

This had been sent back to Kaspersky Lab and found to contain known and unknown Equation tools, source code and classified documents, indicating the user of the computer had been not a victim of Equation but one of its authors.

Eugene Kaspersky, the company's founder and chief executive, had then ordered the classified data should be deleted from the company's systems, and within days it had been.

image copyright Getty Images image caption The scandal overshadowed Kaspersky's 20th anniversary celebrations earlier this month

Kaspersky had kept only the malware "binaries", computer code necessary to improve protection for its customers.

"According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request," the firm said.

"We also found no indication the information ever left our corporate networks."

The Wall Street Journal report had said the Russian government had secretly scanned computers using Kaspersky software to spy on the US government - not necessarily with the company's knowledge.

Israeli intelligence

Kaspersky denies creating "signatures" specifically designed to search for top secret or classified material.

And it has now said the only third-party intrusion in its networks was by Duqu 2.0 - malware linked to Israeli intelligence.

Following the Wall Street Journal report, the New York Times had reported that Israel had penetrated Kaspersky's networks in 2014 and alerted the US to the possibility of Kaspersky software being used for espionage.

Kaspersky has also said the separate form of malware not linked to the Equation Group that it had detected on the Maryland PC, had been Smoke Bot or Smoke Loader, a Trojan created by a Russian hacker in 2012 and sold on Russian underground forums.

Prime target

And during this period the command-and-control servers of this malware were registered to what appeared to be a Chinese entity.

"Given that system owner's potential clearance level, the user could have been a prime target of nation states," the Kaspersky spokesman said.

US federal agencies have now been told to remove all Kaspersky software from their computers.

The Kaspersky spokesman said: "Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user," the company says in its statement.

"This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility."