author photo
By SecureWorld News Team
Thu | Nov 16, 2017 | 9:50 AM PST

We've just finished reading an extensive internal investigation from Kaspersky Lab.

It looks at the alleged use of the company's antivirus program as a Russian government helper that stole secret U.S. documents.

It turns out Eugene Kaspersky himself, the CEO, knew years ago that  secret documents were pulled back to its network. That's just one of the surprises in this report.

This is all in response to a Wall Street Journal article which suggested an NSA contractor had secret information stolen by Russian hackers after the hackers apparently identified those files through Kaspersky Anti-Viruss.

The program was running on the worker's personal computer, where he had saved some classified information.

Kaspersky says there is evidence someone else hacked the NSA contractor's computer

"During the investigation, we also discovered a very interesting twist to the story that has not been discussed publicly to our knowledge. It appears the system was actually compromised by a malicious actor on October 4, 2014, at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO," the company report says.

It claims the malware involved would have been detected and stopped by Kaspersky Anti-Virus because it was already a known threat, and therefore the antivirus program was disabled at the time of the malware infection.

In other words, it wasn't us, but another unknown malicious actor who hacked the computer when Kaspersky was taken off the job by the computer's user.

Kaspersky CEO admits knowing about secret documents from NSA contractor

One really fascinating detail is that Eugene Kaspersky himself came to know about secret documents on the NSA contractor's computer because he was alerted by an analyst.

But how and why did this happen if Kaspersky wasn't secretly trying to steal this information for the Russian government?

The answers come in a 10-question Q&A around what Kaspersky saw and why the company saw it, plus what happened next:

Q4: Was there actually classified information found on the system inadvertently?

A4: What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.

Q5: If classified information was pulled back, what happened to said data after? Was it handled appropriately?

A5: After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e., statistics and some metadata). We cannot assess whether the data was “handled appropriately” (according to US government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.

Q6: Why was the data pulled back in the first place? Is the evidence this information was passed on to “Russian hackers” or Russian intelligence?

A6: The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.

Is Kaspersky investigation enough to allow company to move forward?

Time will tell if this is enough information to satisfy critics and those who have been suspicious of Kaspersky's motives. But the company ended its internal investigation by addressing that very question:

"We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required."

You can read the complete Kaspersky report here. It gets down in the weeds with technical details and contains a long narrative on the investigative steps the company has taken internally.

And more than that, it shines a light on information that your antivirus vendor (and many vendors, right?) may well have access to.