Results of an internal probe seem to refute allegations – first reported this month in The Wall Street Journal – that hackers with ties to the Russian government exploited the Moscow-based vendor’s antivirus to steal secret files.

Aldrin Brown, Editor-in-Chief

October 25, 2017

3 Min Read
Kaspersky Lab Says NSA Worker Turned Off its Antivirus Before Hack

Embattled security vendor Kaspersky Lab is rebutting claims that its antivirus facilitated the theft by Russian hackers of secret U.S. files from the home computer of a contractor with the National Security Agency.

The allegations – first reported early this month in The Wall Street Journal – include claims that hackers with ties to the Russian government used a file inventory produced by the Kaspersky antivirus to locate the secret files.

Those files, which had been removed from an NSA facility without authorization, were later exfiltrated by the hackers.

Citing preliminary results of an internal investigation, Kaspersky Lab said it has found evidence of only one similar instance, and that the user in that case had deactivated his home version of Kaspersky antivirus, then downloaded and installed a pirated copy of Microsoft Office that turned out to be infected with a backdoor.

That backdoor appears to have been used to identify “Equation” advanced persistent threat malware, which was also present on the user’s computer.

Equation refers to “The Equation Group,” a highly secretive and sophisticated hacker entity believed to be linked to the NSA.

The malware Backdoor.Win32.Mokes.hvl was packaged with an illegal Microsoft Office activation key generator, or “keygen.”

“To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine,” the company’s researchers wrote.

“Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run,” the report continued. “Executing the keygen would not have been possible with the antivirus enabled.”

The allegation that Kaspersky Lab antivirus was used to exploit the personal computer of a worker with sensitive U.S. government access speaks to widely expressed fears by intelligence officials.

Federal authorities have intensified their scrutiny of the Moscow-based software vendor following concerns of Russian meddling in the 2016 U.S. Presidential election.

Since then, the U.S. Department of Homeland Security has banned the use of all Kaspersky Lab products by any agency of the federal government.

Kaspersky Lab has maintained it has done nothing wrong, and pointed to a 20-year history of reputable business dealings around the world.

In the case of the NSA worker, the company said, evidence shows Kaspersky Lab was not to blame for the hacking.  

Once the employee deactivated the antivirus and let in the malware containing the backdoor, intruders had access to the user’s computer.

“The user was infected with this malware for an unspecified period, while the product was inactive,” the report states. “The malware dropped from the Trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine.”

Later, the user reactivated the antivirus, which restarted detection of files containing the secret NSA malware.

“After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware,” the report states.

Kaspersky has said that it will continue working with U.S. authorities to shed light on the incident and clear its name.

“We believe the above is an accurate analysis of this incident from 2014,” the Kaspersky report said.

“The investigation is still ongoing, and the company will provide additional technical information as it becomes available,” it went on. “We are planning to share full information about this incident, including all technical details with a trusted third party as part of our Global Transparency Initiative for cross-verification.”


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like