Kaspersky CEO: U.S. files scraped but then deleted
PARIS — Sometime in 2014, a group of analysts walked into the office of Eugene Kaspersky, the ebullient founder of Russian cybersecurity firm Kaspersky Lab, to deliver some sobering news.
Kaspersky’s anti-virus software had automatically scraped digital surveillance tools off a computer in the U.S., and the analysts were worried: The data’s headers clearly identified the files as classified.
“They immediately came to my office,” Kaspersky recalled, “and they told me that they have a problem.” He said there was no hesitation about what to do with the cache.
“It must be deleted,” Kaspersky says he told them.
The incident, recounted by Kaspersky during a brief telephone interview on Tuesday and supplemented by a timeline and other information provided by company officials, could not immediately be corroborated.
It’s the first public acknowledgement of a story that has been building — that Kaspersky’s popular anti-virus program uploaded powerful digital espionage tools belonging to the National Security Agency from a computer in the U.S. and sent them to servers in Moscow.
The account provides new perspective on the U.S. government’s move to blacklist Kaspersky from federal computer networks, even if it still leaves questions unanswered.
To hear Kaspersky tell it, the incident was an accident borne of carelessness.
Analysts at his company were on the trail of the Equation Group — hackers later exposed as an arm of the NSA — when a computer in the U.S. was flagged for investigation. The machine’s owner, identified in media reports as an NSA worker, had run anti-virus scans on their home computer after it was infected by a pirated copy of Microsoft Office, according to a Kaspersky timeline released Wednesday.
The scan didn’t just treat the infection. It also triggered an alert for Equation Group files the worker had left in a compressed archive which was then sent to Moscow for analysis.
Kaspersky’s story partially matches accounts in the New York Times, the Washington Post and the Wall Street Journal.
Kaspersky declined to say whether he had ever alerted U.S. authorities to the incident.
Even if some questions linger, Kaspersky’s explanation sounds plausible, said Jake Williams, a former NSA analyst and the founder of Rendition InfoSec. He noted that Kaspersky was pitching itself at the time to government clients in the United States and may not have wanted the risk of having classified documents on its network.
“It makes sense that they pulled those up and looked at the classification marking and then deleted them,” said Williams. “I can see where it’s so toxic you may not want it on your systems.”