Kaspersky publishes investigation findings that it says show its products were not used to stage the assault in which NSA code and files were stolen
Kaspersky Lab says the results of its internal investigation disprove claims that its software was used to steal classified files from an NSA employee’s home computer during a cyberattack back in 2014.
Reports last month suggested that the attackers in question used flaws in Kaspersky Lab products to stage the assault, which attempted to steal sensitive information that an NSA contractor had stored on their home computer.
The claims were extremely unhelpful to the Russian cybersecurity firm which is engaged in a dispute with the US government over alleged links to the Kremlin.
Kaspersky has admitted that it did obtain NSA code and documents, but said this only happened during the analysis of the malware that allowed the attack to happen, and that once it became aware of the contents, they were deleted soon after.
Kaspersky Lab investigation
The preliminary findings of the investigation were published last month, but the full publication sheds more light on the incident.
The investigation found that the NSA employee in question did have Kaspersky Lab antivirus installed on their computer, but they disabled it in order to install a pirated version of Microsoft Office 365 and an illegal key generator.
The Kaspersky Lab product was switched off during this process because it would otherwise have prevented the key generator from running. The key generator was infected with malware, and a fully functional backdoor was installed on the system in question.
When Kaspersky’s software was switched back on, it identified the malware and blocked it from communicating with its command and control server. The malware in question was related to the Equation APT group, but Kaspersky also detected new pieces of malicious software.
Samples were sent to Kaspersky servers for analysis, and it was only at this point that the company realised NSA files had also been sent. Kaspersky kept the malware code and destroyed the NSA documents.
“The Kaspersky Lab software performed as expected and notified our analysts of alerts on signatures written to detect Equation APT group malware that was already under investigation for six months,” said Kaspersky.
“All of this in accordance with the description of the declared product functionality, scenarios, and legal documents which the user agreed to prior to the installation of the software.
“What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation-specific APT malware signature.
“Kaspersky Lab cannot assess whether the data was ‘handled appropriately’ (according to U.S. Government norms) since our analysts have not been trained on handling U.S. classified information, nor are they under any legal obligation to do so. The information was not shared with any third party.
“Contrary to multiple media publications, no evidence has been found that Kaspersky Lab researchers have ever tried to issue ‘silent’ signatures aimed at searching for documents with words like ‘top secret’ and ‘classified’ and other similar words.”
Several US government departments and law enforcement agencies have ordered that Kaspersky’s products not be used on their machines, while some retailers, such as Best Buy, have withdrawn them from sale.
Kaspersky has denied any links to the Russian government, and CEO Eugene Kaspersky has offered to show the company’s source code to the US government.
“As a completely transparent company, Kaspersky Lab is ready to provide additional details of the investigation in a responsible manner to relevant parties from government organisations and clients concerned about recent media reports,” added Kaspersky Lab.