UPDATE: Sometime in 2014, a group of analysts walked into the office of Eugene Kaspersky, the ebullient founder of Russian cybersecurity firm Kaspersky Lab, to deliver some sobering news.
Kaspersky’s anti-virus software had automatically scraped powerful digital surveillance tools off a computer in the United States and the analysts were worried: The data’s headers clearly identified the files as classified.
“They immediately came to my office,” Kaspersky recalled, “and they told me that they have a problem.”
He said there was no hesitation about what to do with the cache.
“It must be deleted,” Kaspersky says he told them.
The incident, recounted by Kaspersky during a brief telephone interview on Tuesday and supplemented by a timeline and other information provided by company officials, could not immediately be corroborated. But it’s the first public acknowledgement of a story that has been building for the past three weeks — that Kaspersky’s popular anti-virus program uploaded powerful digital espionage tools belonging to the National Security Agency from a computer in the United States and sent them to servers in Moscow.
The account provides new perspective on the U.S. government’s recent move to blacklist Kaspersky from federal computer networks, even if it still leaves important questions unanswered.
To hear Kaspersky tell it, the incident was an accident born of carelessness.
Analysts at his company were already on the trail of the Equation Group — a powerful group of hackers later exposed as an arm of the NSA — when a computer in the United States was flagged for further investigation. The machine’s owner, identified in media reports as an NSA worker, had run anti-virus scans on their home computer after it was infected by a pirated copy of Microsoft Office, according to a Kaspersky timeline released Wednesday.
The scan didn’t just treat the infection. It also triggered an alert for Equation Group files the worker had left in a compressed archive which was then spirited to Moscow for analysis.
Kaspersky’s story at least partially matches accounts published in The New York Times, The Washington Post and The Wall Street Journal. All three publications recently reported that someone at the NSA’s elite hacking unit lost control of some of the agency’s powerful surveillance tools after they brought their work home with them, leaving what should have been closely guarded code on a personal computer running Kaspersky’s anti-virus software.
But information security experts puzzling over the hints dropped by anonymous government officials are still wondering whether Kaspersky is suspected of deliberately hunting for confidential data or was merely doing its job by sniffing out suspicious files.
Much of the ambiguity is down to the nature of modern anti-virus software, which routinely uploads suspicious files from customer machines back to company servers for analysis. The same submission channel can easily and quietly be tweaked to scoop up other files too: classified documents belonging to a foreign rival’s government, for example.
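To make that mechanism concrete, the following is an illustrative pre-upload gate of the kind an anti-virus vendor could place in front of its sample-submission channel. It is an added example written for this page, not Kaspersky’s code or any vendor’s; the signature string, the archive contents and the banner formats it recognises are all constructed for the example. It shows both sides of the article’s point: a policy rule that refuses to upload anything carrying a classification banner in its header, and how small the “tweak” is that would turn the same hook into a general file collector.

```python
"""Illustrative pre-upload gate for an anti-virus sample-submission channel.

Hypothetical code written for this page; not Kaspersky's or any vendor's.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Constructed stand-in for a real detection signature (a real engine would run
# its full rule set; this is just what makes a file "detected" in the example).
SIGNATURE = b"EXAMPLE-IMPLANT-MARKER-0001"

# Classification banner recognised only on the FIRST LINE of a file's header
# region, never as a keyword anywhere in the body. Banner formats are constructed.
BANNER = re.compile(rb"(TOP SECRET|SECRET|CONFIDENTIAL)(//[A-Z0-9 ,/-]+)?$")
HEADER_BYTES = 512


@dataclass(frozen=True)
class SubmissionPolicy:
    # Vendor-side rule: never upload a sample whose header marks it classified.
    drop_classified: bool = True
    # The "tweak" the article worries about: upload files regardless of detection.
    collect_everything: bool = False


@dataclass(frozen=True)
class Verdict:
    upload: bool
    reason: str


def detected(data: bytes) -> bool:
    """Signature match stand-in."""
    return SIGNATURE in data


def looks_classified(data: bytes) -> bool:
    """True only if the file's first header line is a classification banner."""
    first_line = data[:HEADER_BYTES].split(b"\n", 1)[0].strip()
    return BANNER.match(first_line) is not None


def gate_file(data: bytes, policy: SubmissionPolicy) -> Verdict:
    """Decide whether a single flagged file may leave the customer's machine."""
    if policy.collect_everything:
        return Verdict(True, "policy uploads every file")
    if not detected(data):
        return Verdict(False, "no detection")
    if policy.drop_classified and looks_classified(data):
        return Verdict(False, "classification banner in header; not uploaded")
    return Verdict(True, "detected sample")


def gate_archive(archive: bytes, policy: SubmissionPolicy) -> Verdict:
    """Archives are submitted whole, so one marked member suppresses the whole archive."""
    if policy.collect_everything:
        return Verdict(True, "policy uploads every file")
    hits, marked = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            if detected(member):
                hits.append(info.filename)
            if looks_classified(member):
                marked.append(info.filename)
    if not hits:
        return Verdict(False, "no detection in archive")
    if policy.drop_classified and marked:
        return Verdict(False, "marked member(s) %s; archive not uploaded" % ", ".join(marked))
    return Verdict(True, "archive contains detected sample(s) %s" % ", ".join(hits))


def build_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed input: a flagged binary bundled with a marked document, as in the
# "compressed archive" scenario, plus a benign archive for comparison.
SAMPLE_ARCHIVE = build_archive({
    "tool.bin": b"\x7fELF" + SIGNATURE + b"\x00" * 32,
    "notes.txt": b"TOP SECRET//SI\nhandling notes for the operator\n",
})
BENIGN_ARCHIVE = build_archive({"readme.txt": b"nothing to see here\n"})

if __name__ == "__main__":
    for label, policy in [("default", SubmissionPolicy()),
                          ("no-drop", SubmissionPolicy(drop_classified=False)),
                          ("tweaked", SubmissionPolicy(collect_everything=True))]:
        print(label, gate_archive(SAMPLE_ARCHIVE, policy))
        print(label, gate_archive(BENIGN_ARCHIVE, policy))
```

With the default policy the constructed archive is detected but never uploaded, because one member carries a banner; flipping `drop_classified` uploads it, and flipping `collect_everything` uploads even the benign archive without any detection at all. The header-only check is deliberate: matching classification keywords anywhere in a file’s body would itself be a document hunt, which is the behaviour the company later denied.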
Concerns have been fanned by increasingly explicit warnings from U.S. government officials after tensions with Russia escalated in the wake of the 2016 presidential election.
Kaspersky denies any inappropriate link to the Russian government, and said in his interview that any classified documents inadvertently swept up by his software would be destroyed on discovery.
“If we see confidential or classified information, it will be immediately deleted and that was exactly (what happened in) this case,” he said, adding that the order had since been written into company policy.
A media request for a copy of that policy wasn’t immediately granted.
Kaspersky’s account still has some gaps. For example, why not alert American authorities to what happened? The newspaper reports alleged that the U.S. learned that Kaspersky had acquired the NSA’s tools via an Israeli spying operation.
Kaspersky declined to say whether he had ever alerted U.S. authorities to the incident.
“Do you really think that I want to see in the news that I tried to contact the NSA to report this case?” he said at one point. “Definitely I don’t want to see that in the news.”
So did he alert the NSA to the incident or not?
“I’m afraid I can’t answer the question,” he said.
Even if some questions linger, Kaspersky’s explanation sounds plausible, said Jake Williams, a former NSA analyst and the founder of Augusta, Georgia-based Rendition InfoSec. He noted that Kaspersky was pitching itself at the time to government clients in the United States and may not have wanted the risk of having classified documents on its network.
“It makes sense that they pulled those up and looked at the classification marking and then deleted them,” said Williams. “I can see where it’s so toxic you may not want it on your systems.”
As for the insinuation that someone at the NSA not only walked highly classified software out of the building but put it on a computer running a bootleg version of Office, Williams called it “absolutely wild.”
“It’s hard to imagine a worse PR nightmare for the NSA,” he said.
Kaspersky is working overtime trying to regain some form of trust after being accused of having very close ties to the Kremlin. Its latest attempt, opening up the source code of its software for outside review, might have put the final nail in the coffin, though.
Moscow-based cyber security firm Kaspersky Lab, battered by suspicion of Russian government influence, wants to reassure customers by opening up its software’s underlying code for outside review. But security experts and some U.S. politicians say the move is mostly meaningless.
In September, the U.S. government barred federal agencies from using Kaspersky’s anti-virus products because of concerns about its ties to the Kremlin and Russian spy operations. News reports have since linked Kaspersky software to an alleged theft of cybersecurity information from the U.S. National Security Agency.
The company has repeatedly denied the allegations and says it’s been dragged into the middle of a “geopolitical fight.”
Now Kaspersky says it will provide the source code of its software — including software updates and threat-detection rules updates — for independent review and assessment. Outside experts, however, say such a review can only reveal so much, and thus would do little to address concerns of customers and the U.S. government.
“They’re trying to salvage their reputation,” said Blake Darche, a former NSA worker who is now chief security officer for security firm Area 1. “I don’t see how it addresses the allegations against them in any meaningful way.”
“This review is a red herring that doesn’t address any of the fundamental underlying concerns with Kaspersky products, most significantly, that Russian law enables the Kremlin to monitor data transmissions, including Kaspersky’s,” U.S. Sen. Jeanne Shaheen, a New Hampshire Democrat and regular Kaspersky critic, said in a statement Monday.
The suspicion has taken a toll on Kaspersky. Shortly after the federal ban, retailers such as Best Buy and Office Depot also stopped selling its consumer security software.
Then news broke in early October that hackers allegedly working for the Kremlin used Kaspersky’s software to steal information from a National Security Agency contractor about how the U.S. infiltrates foreign networks and defends against cyber attacks. The company denied involvement.
CEO Eugene Kaspersky said on Twitter on Monday that he’s evaluating contractors who can conduct an independent code review.
By 2020, the company says it plans to open three centers in Europe, Asia and the United States where it says customers, government agencies, and concerned organizations will also be able to review its code.
Security researcher Chris Wysopal said he welcomed multiple, independent reviewers, but cautioned that such analyses could provide only a snapshot of how the software works at a given moment in time. Like phone apps and other programs, security software is frequently updated.
“Even with this transparency, there’s still a level of trust you have to give the company,” said Wysopal, the chief technology officer of Veracode, a part of CA Technologies. “But this is a world we live in. There’s a supply chain. We live in a world of dynamic software, constantly updating.”
In a blog post, the company said it had discovered a single incident in which it found the tools developed by a state actor, which Kaspersky calls the Equation Group. They were detected by a product line designed for home users, making it unlikely that the machine was in use by the US government. The Wall Street Journal had reported that the tools were found on the home computer of an NSA analyst, which was running Kaspersky software.
The Kaspersky report said the incident was in 2015 and that no other incidents had been found. It also denied reports that it detected documents based on keywords such as “top secret” or “classified”.
“Following a request from the CEO, the archive was deleted from all our systems,” the company said, adding that no third parties had seen the code.
The US government took the rare step of banning federal agencies from using Kaspersky software last month, in a move that many security experts worry could be a significant step in the splintering of the industry into national territories.
The announcement came as a US congressional committee met to discuss the risk of Kaspersky Lab products to the federal government. Lamar Smith, the Republican chairman of the committee, said it wants to know why the software was approved for government use and if the ban is enough to protect US interests.
Calling Kaspersky a “wolf in sheep’s clothing,” the congressman said the company’s recent comments — denying its software could be used for Russian espionage and claiming to be the victim of a media attack — “have done little to alleviate these concerns”.
“While once considered reputable, Kaspersky Lab, its founder and their Russian ties have created a significant risk to US security,” he wrote in his opening statement.
Kaspersky has been fighting back against the accusations, which could significantly damage its business in the US. Office Depot, Staples, and Best Buy all say they will no longer sell its products, though they are still available at Amazon and Walmart.
US cybersecurity companies McAfee and Symantec have responded by insisting they do not let any governments review their source code, since such a review can be a way for a government to spot flaws to exploit.