Kaspersky admits filching NSA hacking tool source code via anti-virus software

Equation Group malware picked up by Kaspersky Anti-Virus in routine scan, company claims

Kaspersky has today admitted that it obtained the source code of National Security Agency hacking tools via anti-virus software running on a PC in the US.

The admission comes as part of the company's preliminary results from an internal inquiry over claims that Kaspersky Anti-Virus software was being used by the Russian government as part of its spy network.

In particular, the US government has claimed that a US National Security Agency worker had code exfiltrated by Kaspersky from his PC in 2014, while working on NSA tools at home.

The inquiry involves a "thorough review" of the company's telemetry logs. "We were aware only of one single incident that happened in 2014 during an APT [advanced persistent threat] investigation when our detection subsystems caught what appeared to be Equation malware source code files and decided to check if there were any similar incidents," the company explained in its statement today.

One of the Equation Group infections "appeared to be new, unknown and debug variants". It was picked up by Kaspersky's home-user software in the US, with the Kaspersky Security Network (KSN) feature switched on. This transmits samples of potential malware back to base for closer analysis.

"Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator... which turned out to be infected with malware. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl," continues the statement.

It claims that the user disabled Kaspersky Anti-Virus in order to run the keygen, and that the software detected the malware as soon as it was switched back on. "After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware.

"One of the files detected by the product as new variants of Equation APT malware was a 7zip archive.

"The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.

"After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO [co-founder Eugene Kaspersky], the archive was deleted from all our systems. The archive was not shared with any third parties."

However, Kaspersky also claims that the US government would have been made aware of the company's findings: "As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA," added the statement.

Kaspersky made an announcement about the Equation Group - believed to be a cache of US National Security Agency tools taken from a cracked server that was hosting them - in February 2015.

The investigation has not revealed any other related incidents in 2015, 2016 or 2017, nor found any evidence of Kaspersky ‘weaponising' its own software by searching users' computers for keywords like "top secret" and "classified", the statement concluded.