Kaspersky Lab Claims Malware Caused Security App to Grab Secret Data

Security firm Kaspersky Lab acknowledges that classified data may have been sent back to its servers, but said an investigation showed the incident was limited to a "single" instance where a U.S.-based computer was infected with malware by its owner.


Facing a ban of its products by U.S. government agencies and an ongoing congressional investigation for allegedly aiding Russian intelligence, security firm Kaspersky Lab released on Oct. 25 its own analysis into whether its software was used to steal data from the U.S. government, arguing that it found only a single case where classified data may have been sent back to its servers.

In its statement, the company acknowledged that an internal investigation had found a “single incident that happened in 2014,” where source code for the “Equation” espionage platform—now linked to U.S. intelligence services—was detected and sent back to the company’s servers for analysis.

The incident occurred because the U.S. analyst working on the project had turned off the antivirus program, downloaded a pirated version of Windows that was infected with malware, and then turned Kaspersky Lab’s security software back on, the company stated. The software detected the malware and the Equation source code and sent them back to Kaspersky Lab for analysis.

“Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware,” the company said in its statement. “After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO.”

“Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”

Kaspersky Lab is fighting back against allegations that Russian state intelligence had used the company’s vast network of 400 million installed clients to search customers' computers for specific keywords.

An Oct. 10 article in the New York Times asserts that Israeli intelligence officers had breached the Russian-owned company’s network and discovered “evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems.”

The Wall Street Journal reported earlier in October that Russian intelligence had used Kaspersky Lab’s software to target an NSA analyst, who had put classified information on his home computer, which ran Kaspersky Lab’s security software.

The latest statement from Kaspersky Lab comes after the U.S. Department of Homeland Security banned the use of the company’s product in September, giving U.S. government agencies 90 days to transition to another vendor’s software.

Kaspersky stressed that it had never used its software to search for classified information on users’ computers. In addition, the company said it detected no other similar incidents between 2015 and 2017.

“The investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like ‘top secret’ and ‘classified’,” the company stated.

The company did acknowledge that it had detected another espionage-related intrusion—dubbed “Duqu 2.0” by the company—into its systems in 2015. Duqu has been linked to Israeli espionage activities.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...