Kaspersky did upload NSA hacking code from PC that was backdoored via pirated software

While revealing the results of an internal investigation, Kaspersky Lab admitted it had uploaded classified NSA malware from a user’s computer in 2014. But that same user had been backdoored after installing a pirated version of Microsoft Office.

The NSA worker, who had stored classified NSA materials on his home computer, ran a home version of Kaspersky Antivirus and had chosen to enable Kaspersky Security Network (KSN), which automatically uploads new and previously unknown malware. That is how Kaspersky ended up with the new sample of malware. When an analyst alerted CEO Eugene Kaspersky that the file contained classified source code for a new hacking tool, the CEO said to immediately delete it.

The user is not identified as being an NSA worker, but numerous reports have described him as being part of the NSA hacking unit and that he had classified material on his home computer.

According to the preliminary results of Kaspersky Lab’s internal investigation, the Equation malware was first detected Sept. 11, 2014, after it was automatically submitted due to KSN being enabled on the NSA worker’s computer.

After the detection, the NSA worker turned off Kaspersky Lab antivirus in order to install pirated software. Logs indicated that the activation key generator for the 2013 version of Microsoft Office was infected with malware. The antivirus was disabled in order for him to run the keygen.

Kaspersky Lab explained:

The user was infected with this malware for an unspecified period, while the product was inactive. The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine.

The NSA worker re-enabled Kaspersky AV at some point, which resulted in the malicious keygen being detected and blocked. The NSA dude then scanned his computer multiple times, “which resulted in detections of new and unknown variants of Equation APT malware.” The last detection from his machine was on Nov. 17, 2014.

One file that was detected and automatically uploaded due to KSN being enabled was a 7zip archive. The archive reportedly contained “multiple malware samples and source code for what appeared to be Equation malware.”

When an analyst told Kaspersky about what was discovered,Kaspersky reportedly said to delete it from their systems. “The archive was not shared with any third parties,” he said.

The internal investigation turned up no other third-party intrusion detected in Kaspersky Lab’s networks other than Duqu 2.0. This fits with reports of Israel having burrowed deeply into Kaspersky’s networks. The company revealed Duqu 2.0 to the public in 2015.

Kaspersky goes on to report that it found no evidence of being hacked by Russian spies. Its “investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like ‘top secret’ and ‘classified.’”

Kaspersky Labs published its report on the Equation Group in February 2015. Afterwards, “several other users with KSN enabled have appeared in the same IP range as the original detection. These seem to have been configured as ‘honeypots,’ each computer being loaded with various Equation-related samples. No unusual (non-executable) samples have been detected and submitted from these ‘honeypots’ and detections have not been processed in any special way.”

To hear Kaspersky tell it, it does sound plausible that Russian hackers may have obtained the NSA malware from the pirated software’s backdoor.

Kaspersky has vehemently denied any inappropriate links to the Russian government. On Monday, the company launched a transparency initiative to win back trust after the U.S. government’s spying claims.