- Shannon Stapleton/Reuters
- Russian cybersecurity firm Kaspersky has published a second investigation to battle allegations that it obtained confidential documents from an NSA worker’s home PC, then passed them on to Russian hackers.
- The original allegations were made by anonymous US officials in The Wall Street Journal.
- Kaspersky admitted it did obtain confidential documents, but not intentionally.
- Kaspersky repeated its claims that the alleged NSA contractor downloaded malware onto his PC and possibly leaked the confidential files by mistake.
Embattled Russian security firm Kaspersky confirmed that it had pulled classified documents from a US computer for almost two months in 2014, but the company again blamed the computer’s owner for poor security practices and said there was a reasonable explanation.
Kaspersky is currently fighting allegations from anonymous sources quoted in The Wall Street Journal that Russia was using the security software firm as a spying tool.
Specifically, US officials have accused the company of pulling classified documents from the home computer of an NSA contractor. The newspaper reported that the files were stolen by Russian hackers, and that Kaspersky’s security software, installed on the PC, had been the conduit.
This is a serious accusation to level against a high-profile company which makes its living by protecting people’s computers.
Kaspersky has fought back by publishing findings from its internal investigation. Its second report, published Thursday, noted something new: That the NSA contractor had disabled Kaspersky’s antivirus software at some point, and that his computer had already been hacked. Kaspersky refused to identify the person, but did say its computer used an IP address normally used by Verizon customers in Baltimore, Maryland – located in the same state as the NSA’s headquarters in Fort Meade.
Why was Kaspersky downloading classified documents at all? The company had detected that the files contained malware from the Equation Group, an NSA-linked hacking group that was exposed by Kaspersky in 2015.
The firm automatically initiated downloads of the files when it detected the malicious software. These files contained Equation malware source code “and four Word documents bearing classification markings.” All of these were pulled to Kaspersky’s servers, the company said.
A Kaspersky analyst made the discovery, and took the findings to CEO Eugene Kaspersky, who then instructed that the confidential files be deleted.
The company wrote: “Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. – statistics and some metadata).
“What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.”
Kaspersky also raised the possibility that the person’s computer had already been infected before it found the Equation Group malware. It also said the person disabled their antivirus, though the firm couldn’t say when.
Ars Technica cites two independent security experts who say Kaspersky’s report is plausible, but without more details from the US government, it’s hard to know who to believe. It’s also unlikely to assuage officials’ fears of the company’s alleged links to the Kremlin.
“It’s very, very believable,” Dave Aitel, a former NSA analyst told Ars Technica. “But my personal perspective is that it does not address whatever the [US government] has on Kaspersky.”