Kaspersky Lab Says NSA Worker Turned Off its Antivirus Before Hack

Embattled security vendor Kaspersky Lab is rebutting claims that its antivirus facilitated the theft by Russian hackers of secret U.S. files from the home computer of a contractor with the National Security Agency.

The allegations – first reported early this month in The Wall Street Journal – include claims that hackers with ties to the Russian government used a file inventory produced by the Kaspersky antivirus to locate the secret files.

Those files, which had been removed from an NSA facility without authorization, were later exfiltrated by the hackers.

Citing preliminary results of an internal investigation, Kaspersky Lab said it has found evidence of only one similar instance, and that the user in that case had deactivated his home version of Kaspersky antivirus, then downloaded and installed a pirated copy of Microsoft Office that turned out to be infected with a backdoor.

That backdoor appears to have been used to identify “Equation” advanced persistent threat malware, which was also present on the user’s computer.

Equation refers to “The Equation Group,” a highly secretive and sophisticated hacker entity believed to be linked to the NSA.

The malware Backdoor.Win32.Mokes.hvl was packaged with an illegal Microsoft Office activation key generator, or “keygen.”

“To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine,” the company’s researchers wrote.

“Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run,” the report continued. “Executing the keygen would not have been possible with the antivirus enabled.”

The allegation that Kaspersky Lab antivirus was used to exploit the personal computer of a worker with sensitive U.S. government access speaks to widely expressed fears by intelligence officials.

Federal authorities have intensified their scrutiny of the Moscow-based software vendor following concerns of Russian meddling in the 2016 U.S. Presidential election.

Since then, the U.S. Department of Homeland Security has banned the use of all Kaspersky Lab products by any agency of the federal government.

Kaspersky Lab has maintained it has done nothing wrong, and pointed to a 20-year history of reputable business dealings around the world.

In the case of the NSA worker, the company said, evidence shows Kaspersky Lab was not to blame for the hacking.  

Once the employee deactivated the antivirus and let in the malware containing the backdoor, intruders had access to the user’s computer.

“The user was infected with this malware for an unspecified period, while the product was inactive,” the report states. “The malware dropped from the Trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine.”

Later, the user reactivated the antivirus, which restarted detection of files containing the secret NSA malware.

“After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware,” the report states.

Kaspersky has said that it will continue working with U.S. authorities to shed light on the incident and clear its name.

“We believe the above is an accurate analysis of this incident from 2014,” the Kaspersky report said.

“The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” it went on. “We are planning to share full information about this incident, including all technical details with a trusted third party as part of our Global Transparency Initiative for cross-verification.”

Send tips and news to [email protected].