Kaspersky Lab, the Russia-based anti-virus software giant, says that its system obtained NSA secrets from the United States. However, the company continues to deny stealing the files for the Russian government. Instead, the files were received from a poorly secured computer and were then deleted.
The company is responding to anonymous allegations reported by The Wall Street Journal, The New York Times, and The Washington Post in October. Unnamed sources claim the Russian government used Kaspersky antivirus to find and steal classified NSA files.
These files were stored on the home PC of an NSA employee. While the company denies the allegations, there are certainly suspicions within the U.S. government. Before the reports, the Department of Homeland Security directed all US agencies to stop using Kaspersky software.
Kaspersky Lab has consistently refuted the allegations. In danger of losing the lucrative US market (if the private sector follows the government's lead), the company is attempting to explain how the breach happened.
In its own investigation report, Kaspersky says a poorly secured PC sent NSA files to its servers for two months in 2014 (September 11 to November 9). The company says the PC was located in the United States. Among the received files were source code, documents, and executable binaries. All this content was stamped classified.
The servers downloaded the files many times after the antivirus software flagged them for containing malicious code. Kaspersky's AV detected the malicious code as belonging to the Equation Group, an NSA-linked hacking group.
Downloading the content to the vendor's servers is standard practice among AV products: when suspicious content is found and needs inspection, antivirus solutions submit it automatically. A Kaspersky employee manually reviewed the archive and determined that it contained confidential content.
Under the order of Eugene Kaspersky (the company's founder), the files were deleted except for the malicious binaries. Programmers then changed the software so that such downloads would not happen again.
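The two rules the article describes, keep only malicious binaries and never consume anything that carries classification markings, can be expressed as a gate in front of sample submission. The following is an added illustration written for this page, not Kaspersky's code and not a description of how its product actually works; the marker strings, magic bytes and sample data are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed classification banner fragments (US-style markings). A flagged sample
# containing any of these is dropped rather than uploaded or analysed.
CLASSIFICATION_MARKERS = re.compile(rb"TOP SECRET|SECRET//|CONFIDENTIAL//|NOFORN")

# Magic bytes of common executable formats (PE, ELF, Mach-O 64-bit LE).
# Only objects that start with one of these are eligible for submission.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")


@dataclass
class Sample:
    name: str
    data: bytes
    detected: bool  # True if the local engine flagged the object as malicious


def is_executable(data: bytes) -> bool:
    """Return True if the object looks like a native executable."""
    return any(data.startswith(magic) for magic in EXECUTABLE_MAGIC)


def has_classification_markings(data: bytes) -> bool:
    """Return True if a classification marking appears anywhere in the object."""
    return CLASSIFICATION_MARKERS.search(data) is not None


def submission_decision(sample: Sample) -> str:
    """Decide whether a sample may leave the host for vendor-side analysis.

    Order matters: the markings check runs before the binary check so that an
    executable carrying markings in its strings is also refused.
    """
    if not sample.detected:
        return "skip:not-detected"
    if has_classification_markings(sample.data):
        return "skip:classified-markings"
    if not is_executable(sample.data):
        return "skip:not-binary"
    return "submit"


def triage(samples) -> dict:
    """Map each sample name to its submission decision."""
    return {s.name: submission_decision(s) for s in samples}


# Constructed samples standing in for objects a scanner might flag on a host.
CONSTRUCTED_SAMPLES = [
    Sample("implant.exe", b"MZ" + b"\x00" * 64, detected=True),
    Sample("loader.elf", b"\x7fELF" + b"\x00" * 64, detected=True),
    Sample("notes.txt", b"TOP SECRET//SI//NOFORN\nproject overview...", detected=True),
    Sample("readme.txt", b"Build instructions for the toolkit.", detected=True),
    Sample("vacation.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, detected=False),
]

if __name__ == "__main__":
    for name, decision in triage(CONSTRUCTED_SAMPLES).items():
        print(f"{name:14s} -> {decision}")
```

The gate is deliberately conservative: anything not positively identified as a detected native binary stays on the host, and the markings check is a plain byte search so it also catches markings embedded in an executable's strings.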
“The reason we deleted those files and will delete similar ones in the future is two-fold,” Kaspersky Lab officials wrote in Thursday's report. “We don't need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”
In its investigation, Kaspersky also found the root cause of the compromised PC's infection. The company says a pirated version of Microsoft Office allowed a malicious backdoor to be installed. However, for the backdoor to be installed, the machine's AV program would need to be switched off. Kaspersky speculates the owner disabled the AV to allow the pirated Office to download.
This particular backdoor is called Smoke Loader. It has been known to researchers since 2011 when it was advertised for sale by a Russian hacker.
Truth or Theft?
Kaspersky's 13-page report certainly makes plenty of sense and seems to explain what happened. However, the report is unlikely to stop critics of the company and those who believe it helped Russian authorities.
One glaring fact here is US government agencies were ordered to stop using Kaspersky software before the story broke. Does the government know more than the reports suggest, or did authorities simply have access to the accusers before they went to the press?