Kaspersky says it accidentally obtained secret NSA files from a US computer

Earlier in the month, news emerged that Kaspersky software had been used by Russian hackers to identify and steal sensitive NSA files from a US computer. Following the revelation, Kaspersky Lab started an investigation, and now the company has published its findings.

Kaspersky concedes that its software had indeed identified classified NSA data -- specifically a hacking tool -- but says that it was unintentional. The unearthed source code was attributed to the Equation Group, and company head Eugene Kaspersky ordered the code be destroyed when the matter was reported to him.

See also:

• Report: Russian hackers stole NSA files after identifying them using Kaspersky software
• Kaspersky software banned from US government systems over concerns about Russia
• Kaspersky's new 'global transparency initiative' aims to rebuild trust by submitting source code for review

A spokeswoman for Kaspersky, Sarah Kitsos, explains: "We deleted the archive because we don't need the source code to improve our protection technologies and because of concerns regarding the handling of classified materials." The company insists that no third parties gained access to the code, and denies that it was passed to the Russian government.

After what it calls a "deep investigation," Kaspersky has published its preliminary findings into the incident. The report includes a rough timeline of events and a breakdown of the findings:

• During the investigation of the Equation APT (Advanced Persistent Threat), we have observed infections from all around the world, in more than 40 countries.
• Some of these infections have been observed in the USA.
• As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA.
• One of the infections in the USA consisted in what appeared to be new, unknown and debug variants of malware used by the Equation group.
• The incident where the new Equation samples were detected used our line of products for home users, with KSN enabled and automatic sample submission of new and unknown malware turned on.
• The first detection of Equation malware in this incident was on September 11 2014. The following sample was detected:
  • 44006165AABF2C39063A419BC73D790D
  • mpdkg32.dll
  • Verdict: HEUR:Trojan.Win32.GrayFish.gen
• Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator (aka "keygen") (md5: a82c0575f214bdc7c8ef5a06116cd2a4 -- for detection coverage, see this VirusTotal link) which turned out to be infected with malware. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.
• The malware was detected inside a folder named "Office-2013-PPVL-x64-en-US-Oct2013.iso". This suggests an ISO image mounted in the system as a virtual drive/folder.
• Detection for the Backdoor.Win32.Mokes.hvl (the fake keygen) has been available in Kaspersky Lab products since 2013.
• The first detection of the malicious (fake) keygen on this machine was on October 4 2014.
• To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the antivirus enabled.
• The user was infected with this malware for an unspecified period, while the product was inactive. The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine.
• At a later time, the user re-enabled the antivirus and the product properly detected (verdict: "Backdoor.Win32.Mokes.hvl") and blocked this malware from running further.
• After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware.
• The last detection from this machine was on November 17 2014.
• One of the files detected by the product as new variants of Equation APT malware was a 7zip archive.
• The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.
• After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.
• No further detections have been received from this user in 2015.
• Following our Equation announcement from Feb 2015, several other users with KSN enabled have appeared in the same IP range as the original detection. These seem to have been configured as "honeypots", each computer being loaded with various Equation-related samples. No unusual (non-executable) samples have been detected and submitted from these “honeypots” and detections have not been processed in any special way.
• The investigation has not revealed any other related incidents in 2015, 2016 or 2017.
• No other third party intrusion, besides Duqu 2.0, were detected in Kaspersky Lab's networks.
• The investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like "top secret" and "classified".

Kaspersky says that its investigation will continue, and points out that it will share full details with a "trusted third party" as part of its Global Transparency Initiative.

Image credit: g0d4ather / Shutterstock