The report, published in The Wall Street Journal in October, claimed that NSA malware had been exfiltrated from an NSA employee's computer by Kaspersky software. It cited anonymous sources and provided no documentation.
In an initial report about the 2014 incident issued last month, Kaspersky claimed that if hackers, including from Russia, had stolen anything from this employee's computer, it had happened because he had malware — and tonnes of it — on his PC that had been installed when he used a key generator for producing pirated licence keys for Microsoft Office.
Kaspersky said at the time that the malware was a backdoor that allowed third parties to access the employee's machine. It said that the NSA malware files had been uploaded to its servers — as is standard behaviour for all anti-virus software once it encounters suspicious files — and, once they were recognised as being confidential, were deleted on the orders of Kaspersky chief Eugene Kaspersky.
Kaspersky said that the WSJ article had made the following claims:
- "The information 'stolen' provides details on how the US penetrates foreign computer networks and defends against cyber attacks;
- "An NSA contractor removed the highly classified material and put it on his home computer;
- "The data ended up in the hands of so-called 'Russian hackers' after the files were detected using Kaspersky Lab software;
- "The incident occurred in 2015 but wasn't discovered until spring of last year;
- "The Kaspersky Lab-linked incident predates the arrest last year of another NSA contractor, Harold Martin; and
- "'Hackers' homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data."
Kaspersky said company researchers had traced the likely incident back to 2014, and not 2015 as the report contended. By tracking virus signature hits, it then homed in on a likely case, "that fired a large number of times in a short time span on one system".
It said that given the limited understanding of the Equation Group at the time of the research — which Kaspersky had identified as being an NSA-affiliated body earlier — "it could have told our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on".
"After analysing the alerts, it was quickly realised that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development."
The files uploaded to the company's servers were in a zip archive. "Our next task was to try and answer what may have happened to the data that was pulled back," the report said.
"Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained."
Further analysis showed what Kaspersky claimed was the only new detail it had uncovered: "It appears the [NSA employee's] system was actually compromised by a malicious actor on 4 October 2014 at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO, specifically the 'setup.exe' file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 – for detection coverage, see this VirusTotal link)."
It said that in order to install this infected binary, the employee would have had to first disable the Kaspersky anti-virus software on his machine as it already had signatures for this piece of malware which would have blocked it.
"To install and run this malware, the user must have disabled Kaspersky Lab products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. Executing the malware would not have been possible with the antivirus enabled," the report said.
Based on the investigation, Kaspersky said the WSJ had erred in its dates as the incident had occurred between 11 September 2014 and 17 November 2014, and not in 2015. As to whether there was classified material on the NSA employee's computer, the report said: "What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on Equation-specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings."
Kaspersky has made no comment on two other articles that appeared at about the same time as the WSJ article, one in The New York Times, and the other in the Washington Post, both of which again made claims about the company based on anonymous sources and no documentation.
One claim made by the WSJ that Kaspersky did not address prominently was the indirect claim that Russia had gained access to the company's software and that it had been modified into an espionage tool and used to search for terms like "top secret".
At the time, well-known British security researcher Kevin Beaumont expressed scepticism about this claim, saying, "There's so much b***shit in the briefings being given to press. AV uploading every document with term 'top secret' would fry networks."
Buried in the report was this response from Kaspersky: "We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings."
It said that the signatures in question used "wildcard string pattern based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning 'secret' in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples".
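The distinction Kaspersky draws here is easy to lose: the wildcard patterns do two different jobs depending on where they sit. Inside the malware they select victim files by name; inside an anti-virus signature they are literal byte strings searched for in a suspect sample, which is why such a signature fires on the malware and not on a document that merely contains the word "secret". The following Python sketch is an added illustration and is not code from the Kaspersky report or the article; the pattern list is the three examples the report gives (the real list is not on the page), and the sample binary, the document and the file names are constructed for the demonstration.

```python
import fnmatch

# Constructed stand-in for the file-name patterns the report says were
# hardcoded in the malware; only these three examples appear on the page.
TARGET_PATTERNS = ("*pass*", "*secret*", "*saidumlo*")

# Constructed sample of a stealer binary that embeds the patterns as
# NUL-terminated strings in its configuration (not a real sample).
STEALER_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"targets=" + b"\x00".join(p.encode() for p in TARGET_PATTERNS) + b"\x00"
)

# Constructed stand-in for a document with classification wording.
WORD_DOC = b"TOP SECRET//NOFORN\r\nThis document is secret and lists passwords.\r\n"

# Constructed directory listing on a victim machine.
VICTIM_FILES = ["passwords.txt", "Top_Secret_plan.docx", "saidumlo_notes.txt", "readme.md"]


def malware_would_target(filenames):
    """What the malware does with its patterns: choose files to steal by name.

    Matching is done case-insensitively; fnmatchcase is used so behaviour does
    not depend on the host OS's case conventions.
    """
    return [
        name for name in filenames
        if any(fnmatch.fnmatchcase(name.lower(), pat) for pat in TARGET_PATTERNS)
    ]


def signature_hits(sample: bytes):
    """What a string-pattern AV signature does: look for the literal pattern
    text (asterisks included) inside the bytes of a suspect file.

    The asterisks are part of the needle, so a document that merely contains
    the word "secret" does not match; a binary carrying "*secret*" does.
    """
    return [pat for pat in TARGET_PATTERNS if pat.encode() in sample]


def classify(sample: bytes, min_hits: int = 2):
    """Flag a sample as malware-like when enough of the hardcoded patterns
    are present. Returns (flagged, matched_patterns)."""
    hits = signature_hits(sample)
    return len(hits) >= min_hits, hits


def classification_marking_signature(sample: bytes):
    """The kind of signature Kaspersky says it never wrote: one that keys on
    classification markings in document content. Included only to show how
    it differs from the string-pattern signature above."""
    return b"top secret" in sample.lower()


if __name__ == "__main__":
    print("malware would steal:", malware_would_target(VICTIM_FILES))
    print("stealer sample:", classify(STEALER_SAMPLE))
    print("word document:", classify(WORD_DOC))
    print("marking signature on document:", classification_marking_signature(WORD_DOC))
```

Run as written, the pattern signature flags the constructed binary on all three strings and leaves the document alone, while the marking-based check (the behaviour Beaumont dismissed and Kaspersky denied having) would fire on the document instead. In practice a signature of this kind would be combined with other indicators, since the three literal strings on their own are short and could appear in legitimate tooling.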
The NSA has not publicly reacted to any of Kaspersky's claims. One American publication that did approach the NSA was referred to the FBI but there was no reaction forthcoming from the latter agency either.