Moscow-based antivirus product maker Kaspersky Lab acknowledged on Wednesday that its security software had taken source code for a secret American hacking tool from a personal computer in the United States.
The admission came in a statement by Kaspersky detailing preliminary results of an internal inquiry into media reports that the Russian government had used the company’s software to collect National Security Agency technology.
Though Kaspersky offered the sort of plausible explanation that some security experts had predicted, U.S. officials, who have been campaigning against the use of Kaspersky’s products on sensitive computers, will likely consider the admission as validating their concerns.
The Wall Street Journal reported on Oct. 5 that hackers working for the Russian government appeared to have targeted an NSA worker by using Kaspersky software to identify classified files. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.
Kaspersky said in the statement that it had stumbled on the code in 2014, a year earlier than the newspaper reports had stated.
The company said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.
While reviewing the file’s contents, an analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the company’s copy of the code be destroyed, the company said.
“Following a request from the CEO, the archive was deleted from all our systems,” the company said.
It said no third parties saw the code, though the media reports said the spy tool had ended up in the hands of the Russian government.
In response to queries from Reuters, Kaspersky said it assumed the 2014 source code episode it was reviewing was connected to the NSA’s loss of files described in media reports.
Kaspersky denied the Journal’s report that its programs searched for keywords including “top secret.”
The company said it found no evidence that it had been hacked by Russian spies or anyone except the Israelis, though it suggested others could have obtained the tools by hacking into the American’s computer through a back door it later spotted there.
The NSA declined to comment on Kaspersky’s review.
The new 2014 date of the incident is of interest because Kaspersky only announced its discovery of an espionage campaign by the Equation Group in February 2015. At that time, Reuters cited former NSA employees who said that Equation Group was an NSA project.
Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.
Kaspersky also did not say how often it takes uninfected, non-executable files, which normally would pose no threat, from users’ computers.
Former employees told Reuters in July that the company used that technique to help identify suspected hackers. A Kaspersky spokeswoman at the time did not explicitly deny the claim but complained generally about “false allegations.”
Fears about Kaspersky’s ties to Russian intelligence, and the ability of most security software to remove files, prompted an escalating series of warnings and actions from U.S. authorities over the past year. They culminated in the Department of Homeland Security (DHS) last month barring government agencies from using Kaspersky products.
After that, the stories emerged suggesting that Kaspersky was a witting or unwitting partner in espionage against the United States.
Democratic Senator Jeanne Shaheen, who led calls in the U.S. Congress to purge Kaspersky products from federal government networks, on Wednesday sent a letter to DHS Acting Secretary Elaine Duke and Director of National Intelligence Dan Coats, urging the U.S. government to declassify information about Kaspersky products.
The step was necessary, Shaheen wrote, “to allow the American people to make informed decisions about risks to their privacy and security.”
Also on Tuesday, Democratic Senator Claire McCaskill sent a separate letter to DHS asking what was being done to ensure federal agencies were complying with the ban on Kaspersky products.
Kaspersky’s consumer anti-virus software has won high marks from reviewers.
The company said Monday it would submit the source code of its software and future updates for inspection by independent parties.
