Kaspersky Acknowledges Taking Inactive Files in Pursuit of Hackers

Eugene Kaspersky said his company's widely used antivirus software has copied files that did not threaten the personal computers of those customers, a sharp departure from industry practice that could increase suspicions that the Moscow-based firm aids Russian spies.

The acknowledgement, made in an interview last Friday as part of the Reuters Cyber Security Summit, comes days after Kaspersky's company said its software had copied a file containing US National Security Agency (NSA) hacking tools from the home computer of an agency worker in 2014.

"We did nothing wrong," Kaspersky said in the interview.

He said the files containing the NSA hacking tools were taken because they were part of a larger file that included suspicious software. Such actions occur only in “very, very, very rare cases,” he added.

A spokesman at Kaspersky's firm, Kaspersky Lab, told Reuters the company would never take regular computer files that contained nothing suspicious.

The firm has for years faced suspicions that it has links with Russian intelligence and state-sponsored hackers. Kaspersky denies any cooperation with Russian authorities beyond cybercrime enforcement.

In September, the US Department of Homeland Security banned Kaspersky software from use in federal offices, citing the company's ties with Russian intelligence. The company is the subject of a long-running probe by the US Federal Bureau of Investigation, sources have told Reuters.

Antivirus software is designed to burrow deeply into computer systems and has broad access to their contents, but it normally seeks and destroys only files that contain viruses or are otherwise threatening to a customer's computers, leaving all other files untouched.

Searching for and copying files that might contain hacking tools or clues about cybercriminals would not be part of normal operations of antivirus software, former Kaspersky employees and cyber-security experts said.

In the Reuters interview, conducted at Kaspersky Lab's offices in Moscow, Eugene Kaspersky said the NSA tools were copied because they were part of a larger file that had been automatically flagged as malicious.

He said the software removed from the agency worker's computer included a tool researchers dubbed GrayFish, which the company has called the most complex software it has ever seen for corrupting the startup process for Microsoft's Windows operating system.

Kaspersky said he had ordered the file to be deleted "within days" because it contained US government secrets.

But he defended the broader practice of taking inert files from machines of people that the company believes to be hackers as part of a broader mission to help fight cyber crime.

“From time to time, yes, we have their code directly from their computers, from the developers’ computers,” Kaspersky told Reuters.

'Improper practice'
Three former Kaspersky employees and a person close to the FBI probe of the company, who first described the tactic to Reuters this summer, said copying non-infectious files abused the power of antivirus software. The person associated with the FBI said in one case Kaspersky removed a digital photo of a suspected hacker from that person's machine.

Kaspersky declined to discuss specific instances beyond the NSA case, saying he did not want to give hackers ideas for avoiding detection.

"Sometimes we are able to catch cyber criminals, that’s why I am not so comfortable to speak about this to media," he said in the interview. "Many of them are very clever, they can learn from what I am saying."

Other industry experts called the practice improper. Mikko Hypponen, chief research officer at Finnish security company F-Secure, said that when his firm's software finds a document that might contain dangerous code, "it will prompt the user or the administrator and ask if it can upload a copy to us."

Dan Guido, chief executive of cyber-security firm Trail of Bits, which has performed audits on security software, said Kaspersky's practices point to a larger issue with all antivirus software.

"All of them aggregate a huge amount of information about their clients, which can be easily exploited when put in willing hands," he said.

US news organisations have reported that Kaspersky, or Russian spies hijacking its service, have been searching widely among customers' computers for secret files, citing anonymous US intelligence officials. Reuters has not verified such reports.

Kaspersky said he hoped to alleviate concerns about his company by opening up his source code for review by third parties in independently run centers, as well as by raising the maximum amount it offers for information about security flaws in its programs to $100,000.

© Thomson Reuters 2017