On Wednesday, anti-virus maker Kaspersky Lab continued its defence against accusations that it aided Russian intelligence in stealing classified docs from the NSA. The company released the results of its investigation of the incident and, if the report proves to be accurate, it certainly doesn’t make the NSA look good.
In a blog post, Kaspersky Lab detailed the timeline of events that occurred in 2014, when its software picked up digital surveillance tools and uploaded them to servers in Moscow.
According to Kaspersky’s account, the company had been tracking malware tools connected to a hacking collective that’s come to be known as the Equation Group, which is thought to be connected to the NSA. The company’s software, Kaspersky Security Network, was installed on the home computer of a man who has been anonymously described as a contractor for the NSA. Kaspersky says the analyst’s computer was infected with malware through “an illegal Microsoft Office activation key generator,” that was apparently used to activate some pirated software that was downloaded on the computer. Detection for that particular backdoor had been part of Kaspersky’s package since 2013.
“Executing the keygen would not have been possible with the antivirus enabled,” Kaspersky Lab wrote. “The malware dropped from the trojanized keygen was a full-blown backdoor which may have allowed third parties access to the user’s machine,” the company said.
When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times when the software detected “new and unknown variants” of malware connected to The Equation Group. That’s when things went wrong.
A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections. When Kaspersky’s researchers opened the file, they found that data headers labelled the documents classified property. The company’s founder Eugene Kaspersky tells the Associated Press that he told his employees immediately that “It must be deleted.”
From the AP’s report:
Kaspersky’s account still has some gaps. For example, why not alert American authorities to what happened? The newspaper reports alleged that the U.S. learned that Kaspersky had acquired the NSA’s tools via an Israeli spying operation.
Kaspersky declined to say whether he had ever alerted U.S. authorities to the incident.
“Do you really think that I want to see in the news that I tried to contact the NSA to report this case?” he said at one point. “Definitely I don’t want to see that in the news.”
According to Kaspersky, the fault rests of the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software.
Kaspersky’s point about not wanting the world to know if his company shares information with the NSA illustrates a predicament that naturally arises in his business. As a security company that’s attempting to protect a global internet, he can’t be seen as biased in helping individual governments continue their spying operations. Yet security companies have to be based in one country or another, and be subject to that country’s laws. In Kaspersky Lab’s case, the company has to obtain a license from the Russia government and its data has to be routed through Russian ISPs which are reportedly monitored by Russian intelligence. Kaspersky argues that this isn’t an issue because its data is encrypted.
Further complicating matters is the fact that governments routinely engage in the practice of spreading malware for their own purposes. When Kaspersky tells the AP, “If we see confidential or classified information, it will be immediately deleted and that was exactly (what happened in) this case,” it raises the question of whether he even should. If malware is classified, it’s still malware, and arguably should be added to the threat detection analysis. The AP requested a copy of the company’s policy about handling classified material but had yet to receive it at the time of publication.
So, Kaspersky Lab is arguing that its software was doing exactly what it was supposed to do, and that it deleted the classified material when it realised what it had. But a key point that it is denying—a point that US government officials have used to justify the ban on Kaspersky software from federal use—is the accusation that it may have customised its tools to hunt for keywords like “classified” or “top secret.” The company writes in its statement, “The investigation confirmed that Kaspersky Lab has never created any detection of non-weaponised (non-malicious) documents in its products based on keywords.” Its internal investigation will soon be turned over to a “trusted third-party” for cross-verification. On Monday, Kaspersky pledged that it would allow a third-party to review its source code.
As the AP notes, Kaspersky’s story aligns with what sources have told several media outlets: someone working for the NSA broke protocol and took home classified information that was then transmitted to Russia because the worker was a bonehead. It’s not believed that the feckless analyst had any malicious intent but an investigation is still ongoing. Where Kaspersky’s story differs is that the company insists it didn’t share the information with the Russian government, and it says the worker’s computer had a backdoor installed that could have been exploited by someone else.
Unfortunately for the security company, whether it worked on behalf of Russia’s spying operation or not, its reputation with the public is significantly damaged. The industry it works in is highly reliant on trust, and the accusations coming from the US government coupled with paranoia surrounding the Russian government put Kaspersky in an almost unwinnable situation. For now, it’s best to reserve judgement at least until the details of an independent analysis are released. [Kaspersky, Associated Press, Reuters]