Embattled security firm Kaspersky Lab said its antivirus software did download secret hacking tools from a US computer back in 2014, but deleted them after realizing the data was classified.
"The archive was deleted from all our systems. The archive was not shared with any third parties," Kaspersky Lab said on Tuesday.
The Moscow-based security firm has been fighting accusations that its antivirus software helped Russian spies steal confidential files from the US National Security Agency.On Tuesday, Kaspersky Lab tried to clear the air, and said its antivirus software did indeed download the secret hacking files, but only because they were flagged as malware after an NSA contractor's home computer was reportedly infected.
"US law tolerates inadvertent acquisition of classified data, but doesn't allow to distribute it. We deleted it to follow the law," the company's CEO Eugene Kaspersky tweeted on Wednesday. The Russian security firm added: "Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like 'top secret' and 'classified'."
In a statement, the security firm provided a timeline detailing how Kaspersky Lab came across the classified files, which seems to point the finger at the careless behavior of the NSA contractor.
In 2014, Kaspersky was investigating a shadowy hacking group called Equation, which experts now believe is actually the NSA. Ultimately, Equation Group hacking tools ended up in the hands of a group known as the Shadow Brokers, which reportedly has links to Russia.
As part of its investigation into the Equation Group, Kaspersky's antivirus software detected some unknown malicious code in a 7-zip archive on a US home computer. The archive was then uploaded to Kaspersky Lab for analysis, and was found to contain an arsenal of hacking tools.
According to Kaspersky Lab, the computer in question at one point downloaded and installed pirated software that contained a separate piece of malware called "Backdoor.Win32.Mokes.hvl." Kaspersky's software flagged it as malicious. However, to get the pirated software to run, the computer's user disabled Kaspersky's antivirus product. The computer was then infected with a backdoor that Kaspersky Lab says can give a hacker remote control over the system.
Kaspersky Lab isn't sure how long the computer was infected with the backdoor. But its software first detected its presence on Oct. 4 2014, with a final detection on Nov. 17 of that year. It's also unclear who may have been in control of the backdoor.
Jake Williams, founder of US cybersecurity firm Rendition InfoSec, said "I think the story Kaspersky has laid out is completely plausible."
It'll be up to the US government to back up its own claims against Kaspersky, he added. "And they need to back their claims with data, not just accusations," Williams said.
Many of the accusations against Kaspersky have come from media reports that largely cite anonymous sources. Nevertheless, the US Department of Homeland Security is forcing federal agencies to stop using the company's antivirus software. Retailers such as Best Buy have also dropped Kaspersky Lab products from store shelves.
In response, Kaspersky Lab has offered up an independent review of the company's source code for flaws.