By Joseph Menn
SAN FRANCISCO (Reuters) – Moscow-based antivirus software maker Kaspersky Lab said on Wednesday that its security software had taken source code for a secret American hacking tool from a personal computer in the United States.
In September, U.S. officials ordered Kaspersky’s products removed from government computers, saying the firm was vulnerable to Kremlin influence and that using the software could jeopardize national security.
After that announcement, the Wall Street Journal reported on Oct. 5 that hackers working for the Russian government appeared to have targeted a National Security Agency (NSA) worker by using Kaspersky software to identify classified files in 2015. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.
The Russian government has denied any involvement.
Kaspersky began an internal inquiry in a bid to restore trust. On Wednesday, it said it had stumbled on the code in 2014 when the consumer version of its popular software flagged a zip file as malicious on a U.S. computer.
While reviewing the file’s contents, a Kaspersky analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The software removed the file and the analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the copy of the code be destroyed, the company said.
Kaspersky said it assumed the 2014 source code episode was connected to the NSA’s loss of files described in media reports.
“We deleted the archive because we don’t need the source code to improve our protection technologies and because of concerns regarding the handling of classified materials,” said Kaspersky spokeswoman Sarah Kitsos.
Source code, which is normally hidden and gives instructions to computers, would have posed no danger to the Kaspersky customer.
Former employees told Reuters in July that the company had on rare occasions removed uninfected files. Kaspersky spokeswoman Yuliya Shlychkova on Wednesday said removals of such uninfected material happen “extremely rarely.”
Kaspersky said no third parties saw the code, though the media reports said the spy tool had ended up in the hands of the Russian government.
Kaspersky denied the Journal’s report that its programs searched for keywords including “top secret.”
The company said it found no evidence that it had been hacked by Russian spies or anyone except the Israelis, though it suggested others could have obtained the tools by hacking into the American’s computer through a back door it later spotted there.
The NSA declined to comment on Kaspersky’s review.
The new 2014 date of the incident is of interest because Kaspersky only announced its discovery of an espionage campaign by the Equation Group in February 2015. At that time, Reuters cited former NSA employees who said that Equation Group was an NSA project.
Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.
Shlychkova said the American machine’s files were found before the big Equation Group announcement but after Kaspersky had discovered Equation software on a machine in the Middle East. She said that occurred in March 2014.
Democratic Senator Jeanne Shaheen, who led calls in the U.S. Congress to purge Kaspersky products from federal government networks, on Wednesday sent a letter to DHS acting Secretary Elaine Duke and Director of National Intelligence Dan Coats, urging the U.S. government to declassify information about Kaspersky products.
The step was necessary, Shaheen wrote, “to allow the American people to make informed decisions about risks to their privacy and security.”
Also on Tuesday, Democratic Senator Claire McCaskill sent a separate letter to DHS asking what was being done to ensure federal agencies were complying with the ban on Kaspersky products.
Kaspersky’s consumer anti-virus software has won high marks from reviewers.
The company said Monday it would submit the source code of its software and future updates for inspection by independent parties.
(Additional reporting by Dustin Volz; Editing by Jim Finkle and Lisa Shumaker)