In an internal investigation, Russian security company Kaspersky Lab claims to have obtained classified NSA documents after a contractor for the U.S. intelligence agency used a pirated copy of Microsoft’s Office software infected with malware.
Multiple U.S. intelligence sources have claimed in the last month that Kaspersky has uploaded sensitive NSA files — including source code for hacking tools — to its Moscow servers before sharing the documents with the Kremlin.
The Trump administration has since barred government agencies from using Kaspersky’s antivirus products.
Kaspersky has long denied accusations of collusion with the Russian government and gave its first explanation on Wednesday of how classified NSA files ended up on its servers.
Here’s what Kaspersky says happened:
An NSA contractor working with the elite Equation Group hacking team brought classified documents and files home with him for convenience. The contractor then downloaded and used a piece of software to generate keys that would let him run a pirated version of Microsoft Office.
To do that, however, the contractor needed to disable the Kaspersky antivirus software he was running, which would block the key generator program. The pirated software turned out to be a disguised piece of malware, which opened a backdoor into the contractor’s computer that anyone could have exploited.
When the contractor turned the antivirus back on, the software detected the malware that had been installed. The contractor then scanned his machine several times. That’s when the previously undetected NSA tools were uncovered.
As is typical with cloud-based antivirus tools today, Kaspersky’s software uploaded any suspicious files it found on the computer to its servers for analysis. But as soon as Kaspersky became aware of what had been uploaded — by looking at the classified files’ document headers, according to the report — the company said it destroyed the files.
“After discovering the suspected Equation malware source code, the analyst reported the incident to [CEO Eugene Kaspersky],” the company said in a summary of its findings. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
The company described the malware the contractor inadvertently installed as a “full-blown backdoor which may have allowed third parties access to the user’s machine.”
Many in the security industry quickly corroborated the plausibility of Kaspersky’s version of events.
“Kaspersky’s version of how the NSA lost its malware is the first one that actually makes sense,” tweeted Artturi Lehtiö, a cybersecurity consultant for F-Secure. “I have a hard time figuring out where was the part Kaspersky turned the product into an FSB espionage tool rather than an NSA employee doing dumb things.”
Jake Williams, a former NSA employee, said that Kaspersky’s version of events was now “at least plausible.” He told the Intercept that the level of incompetence at play here is “mindblowing.” “From an NSA standpoint, I don’t see how this can get much worse,” he added.
But not everyone is convinced. Patrick Gray, host of the Risky Business security podcast, questioned what took Kaspersky so long to get its story straight.
Another question has come up, too: Why didn’t the company inform the NSA about the breach? When asked about that by the Associated Press, Eugene Kaspersky said: “I’m afraid I can’t answer the question.”