Russia Spyware? Kaspersky Admits To Accessing NSA Code By Accident

Russian cybersecurity firm Kaspersky acknowledged Wednesday after an internal review that its antivirus software lifted code belonging to the United States National Security Agency from a contractor’s computer—though the incident was not intentional.

The admission comes just weeks after a report from the Wall Street Journal alleged hackers backed by the Russian government used Kaspersky software to target and steal information from American intelligence agencies.

Through its statement, Kaspersky at the very least seemed to acknowledge the incident—in which its software detected and pulled NSA files from a contractor’s machine after he moved sensitive and classified data onto his personal computer—though it insists the intent was far less malicious than originally suggested.

Kaspersky laid out a timeline of the events surrounding the situation, which took place in 2014—a year earlier than what was originally reported.

At the time the company was investigating an Advanced Persistent Threat (APT) known as Equation, a sophisticated threat actor with ties to the NSA. During its scans for active infections from the Equation Group, the company’s software detected “what appeared to be Equation malware source code files" on a machine in the U.S.

There were more than 40 active infections linked to the Equation group a the time, but the one spotted in the U.S. "consisted in what appeared to be new, unknown and debug variants of malware used by the Equation group," according to Kaspersky Lab.

The source code was detected on a home computer that was running Kaspersky’s antivirus software and had a feature called Security Network enabled that would automatically collect threat data and submitted the sample to the company.

By Kaspersky’s account, what triggered the entire incident was the presence of a pirated copy of Microsoft Office on the system of the NSA contractor. The antivirus software was turned off to allow the stolen software to validate without detection but the keygen—a piece of software the generates a key to validate pirated software—was laced with malware and installed a backdoor onto the contractor’s computer.

The malware, known as Backdoor.Win32.Mokes.hvl, was detected once the antivirus software was turned back on. When the contractor ran a scan of his system in order to remove the malware, the software identified the Equation group hacking tools also present on the machine.

"One of the files detected by the product as new variants of Equation APT malware was a 7zip archive," Kaspersky explained. "The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts."

After the analysts looked through the source code, they reported their findings to Kaspersky’s CEO, who requested the archive be deleted from the company’s systems. Kaspersky said the archive was removed and was not shared with any third parties.

Kasperksy’s cooperation with third parties may be disputed by a report earlier this month that claimed Israeli intelligence officers were able to track in real time the actions of hackers backed by the Russian government as they attempted to steal information from American intelligence organizations through antivirus tools produced by the company.

The NSA declined to comment when contacted regarding Kaspersky’s disclosures.