Kaspersky Lab, the under-fire Russian security software supplier, has denied it played any role in hacking into the personal computer of a US National Security Agency worker.
Kaspersky has today published the results of its full internal investigation examining allegations that its software was in some way used to compromise an NSA employee's home computer.
In early October, a report published in the Wall Street Journal claimed that the Russian cybersecurity firm's software was used to download confidential data from an American agent's home computer.
Reports later circulated accusing the company of deliberately taking files from the PC, using its anti-virus software to identify the PCs of people who may be of interest to Russian intelligence, and then using it to exfiltrate data and files.
Kaspersky, though, claimed that its software works like any other anti-virus software, identifying potentially malicious files and sending back to base only those unidentified potential threats that have been picked up by the software's heuristic detection engines.
In the case of the NSA worker, the company claimed that the software's heuristics flagged as potentially malicious some NSA malware that he had taken home to work on, and that its exfiltration was simply a part of the software's normal operation.
Following the incident, Kaspersky conducted a full internal investigation to work out how it happened.
Researchers at the company confirmed that Russian cyber crooks installed software on an NSA contractor's computer to access and steal sensitive data - but have concluded that the contractor himself was responsible.
The user, according to the company, had downloaded and installed pirated software on the PC. The researchers identified a compromised Microsoft Office ISO file, as well as an illegal Microsoft Office 2013 activation tool.
The user had been able to install the pirate copy of Office 2013 only after disabling Kaspersky Anti-Virus. If it had been left on the PC, it would have identified and blocked the malware-ridden key generator used to activate the pirated software.
The key generator, meanwhile, was left on the PC while the Kaspersky software was inactive. The malware meant other third parties could theoretically have accessed the user's machine while the anti-virus software was deactivated.
However, when the company's anti-virus software was re-activated, it detected the software with the verdict Backdoor.Win32.Mokes.hvl and stopped it from contacting its command-and-control site.
Kaspersky researchers said the anti-virus software detected other variants of the Equation APT malware too.
Variants of the malware, including a 7zip compressed archive, were sent to the Kaspersky Virus Lab for analysis. Researchers found that it contained source code and classified documents, and the case was referred to the company's CEO Eugene Kaspersky, who ordered the files to be removed from Kaspersky's servers.
"The reason Kaspersky Lab deleted those files and will delete similar ones in the future is two-fold: first, it needs only malware binaries to improve protection and, secondly, it has concerns regarding the handling of potentially classified material," the company wrote in its report.
It continued: "Because of this incident, a new policy was created for all malware analysts: they are now required to delete any potentially classified material that has been accidentally collected during anti-malware research.
"To further support the objectivity of the internal investigation we ran it using multiple analysts including those of non-Russian origin and working outside of Russia to avoid even potential accusations of influence."
Speaking about other findings, the firm said that one of the major early discoveries of the investigation was that the PC in question was infected with the Mokes backdoor malware, providing malicious users with remote access to the PC.
"As part of the investigation, Kaspersky Lab researchers took a deeper look at this backdoor and other non-Equation threat-related telemetry sent from the computer," claimed the report.