Kaspersky Lab today released a report detailing its own version of how the NSA files were stolen.
US authorities had been investigating Kaspersky for suspected ties to the Russian government for many months, but little was publicly known in the first months of the year.
This autumn, however, reports in the Wall Street Journal and the New York Times revealed that the US government suspected Russian FSB agents of using Kaspersky's antivirus as an interactive espionage tool to scan the computers it was installed on.
The two outlets reported that this was how files belonging to an NSA employee leaked and ended up in the hands of the Russian government, a breach that had not been known until then.
Kaspersky Lab: Our software works as planned
Kaspersky denied every accusation from the outset and, especially after the two major press reports, promised to investigate what had happened.
The preliminary findings of that investigation were published today. In the report, Kaspersky Lab admits that it did collect classified NSA files, but says it did not do so deliberately, as the American media had reported.
The company said the collection was automatic: the files were hacking tools that matched signatures associated with malware the company believed belonged to an espionage group it was investigating at the time.
The incident took place in 2014, and Kaspersky published a report on the group in 2015 (PDF). The company's report named the group Equation Group, and most security experts acknowledged that it was affiliated with the NSA's government operations division.
The Chief Executive Officer ordered the destruction of the files
Kaspersky Lab said it did not know where the computer from which the Equation Group malware came was located, but said its user was running the company's antivirus and had enabled "automatic submission of new samples and unknown malware."
The company states that the files collected from this user "were new, unknown versions of the malware used by Equation Group".
Because the malware was new, an analyst examined the collected data to verify and classify it. The company reports that this employee escalated the files to CEO Eugene Kaspersky after realizing they contained the source code of the NSA tools.
Eugene Kaspersky ordered the files deleted. The company gave no reason for its CEO's decision, but clarified that the files were not shared with any third party.
The "bulletproof" NSA was infected with a backdoor
The report's findings confirm unofficial theories that had circulated in the infosec community about what really happened.
Most experts suspected that Kaspersky Antivirus simply did its job after an NSA employee, with no malicious intent, took hacking tools off the NSA network and brought them home for unknown reasons.
Kaspersky Lab also reported something that should unsettle the US intelligence service: it said it had reviewed the telemetry data from the NSA employee's computer.
According to the Russian company, the NSA employee's computer was also infected with malware.
Kaspersky claims that the employee used a keygen to install a pirated copy of Microsoft Office. As is usually the case with Office keygens (there is no such thing as a legitimate Office keygen), the file carried malicious software, the backdoor trojan Win32.Mokes.hvl.
By reporting this detail, Kaspersky is pointing out that a random criminal could also have gained access to the same computer that hosted the NSA hacking tools.
Overall, Kaspersky's publication lays out the juicy technical details, painting a remarkable picture of the events that led US officials to ban the company's software from US computers.
It remains to be seen whether the US will issue a similar technical report. Everything the US side has said about Kaspersky to date has reportedly come only from anonymous sources.
Of course, Kaspersky is not necessarily innocent: the company once told the US government that its AV product could be used as a tool to help catch suspected terrorists.