Kaspersky's explanation for possessing secret NSA cyberweapons is a doozy

Kaspersky — a respected Russia-based security company — has been under a cloud since they were accused of stealing NSA cyberweapons on behalf of the Russian government. But the company has a perfectly innocent — if complicated and at times bizarre explanation for how it came to be in possession of the NSA's crown jewels.

Kaspersky's anti-malware tool automatically scans its users' computers for suspicious code and uploads samples to Kaspersky for analysis. The company says that this is how it came to discover the malware that the NSA had been using against its adversaries — malware it attributed to a state-level actor it dubbed "The Equation Group" (previously).

Here's where it gets weird. In 2016, an entity calling itself The Shadow Brokers created a bizarre auction for a cache of NSA cyberweapons (which eventually leaked and led to the supercharging of the ransomware epidemic). Quickly, the FBI arrested Harold Thomas Martin variously described as an NSA contractor or employee, who had the bizarre hobby of bringing home NSA cyberweapons to hoard on his home PC, from which they had apparently leaked to the Shadow Brokers.

According to Kaspersky, someone who worked for the NSA and liked to bring home NSA cyberweapons (presumably Harold Thomas Martin) was also a software pirate who needed to switch off their anti-virus tools to install cracked versions of Microsoft Office. During one of these incidents, they were hit was a backdoor trojan that let spies — The Shadow Brokers, or their suppliers — raid their hard-drive for the cyberweapons they'd'd brought home from work.

When (presumably) Martin turned his Kaspersky anti-virus back on, he ran several checks on his whole hard drive. Kaspersky's product examined every file on his hard-drive, including the stolen cyberweapons (which had already leaked to the Shadow Brokers or their suppliers). Because these appeared to be early, "debug" versions of the Equation Group malware that Kaspersky had already encountered in the wild, the software automatically flagged these files and sent them to Kaspersky for further analysis.

Kaspersky says they quickly realized that someone from the NSA had unintentionally uploaded their internal cyberweapons development files to their servers, and deleted them.

Case closed!

Details from the investigation, including the assertion that Kaspersky's CEO ordered the files deleted after they were recognized as potential classified NSA material, could help absolve the antivirus firm of allegations that it intentionally searched the worker's computer for classified files that did not contain malware. But they also raise new questions about the company's actions, the NSA worker, and the spying narrative that anonymous government sources have been leaking to news media over the last two weeks.


Kaspersky Lab: Preliminary results of the internal investigation into alleged incident reported by U.S. media ?