Kaspersky Lab, NSA Code: ‘Who Do You Trust?’ as Questions, Allegations Mount

Who do you trust? At every corner, Eugene Kaspersky, who helms the Moscow-based, top-dog security provider bearing his name, seems to ask (without directly asking): Are you going with them or us? For one whose technology blunts cyber attackers and ferrets out cyber espionage -- an outfit banking on trust and sporting a long list of big-time clients and successes -- that suspicion seeks it out is kind of ironic, wouldn’t you say?

Right now, the trust answer is up for grabs. When viewed through a skeptical prism, the saga’s players may be even more important than the list of events and guilt-by-associations that beset Kaspersky. For instance, trust marks these days aren’t high for the U.S. Congress, the National Security Agency (NSA), Russia, espionage, hackers -- indeed, no one involved moves the needle into the trust zone.

So against that backdrop comes new word that Kaspersky, three years ago and by its own telling, deleted source code for a surveillance tool belonging to the NSA’s elite hacking unit after someone brought their work home with them (via Reuters). The goods, as it were, were moved to a PC running Kaspersky’s anti-virus software and from there, the firm identified it as malicious code, snagged it and fed it to its servers in Russia, ostensibly for further examination.

Nothing Russia is good these days, so the rest is easily surmised (details via Reuters): Kaspersky’s researchers looked at the file, realized its classification and that it, indeed, belonged to the NSA-tied Equation Group, removed it and dutifully reported the incident to Eugene Kaspersky. In turn, he demanded the copy of the code be destroyed.

Here's Kaspersky’s comprehensive blow-by-blow timeline of the 2014 events. And here's its Transparency Initiative. And here's Eugene Kaspersky's spirited defense of his company.

“We deleted the archive because we don’t need the source code to improve our protection technologies and because of concerns regarding the handling of classified materials,” said a Kaspersky spokeswoman, Reuters reported.

Seems plausible enough. But then again, there are those nettlesome trust questions.

What about allegations (unsubstantiated) that Kaspersky was deliberately hunting for secret information and found and located the contractor in question? Do they have any basis in fact? After all, word surfaced earlier this month that in 2015, Russian-backed hackers had targeted an NSA contractor by finding flaws in Kaspersky’s software to identify key files. Still, there’s nothing that ties together the two events.

Or was the company merely doing what it’s supposed to do, identifying malicious files and analyzing the code? And what about the timeline? Kaspersky previously said it discovered the surveillance campaign by the Equation Group in February 2015, well after this incident.

Why didn’t Eugene Kaspersky tell the NSA what the company’s technicians had found? He hasn’t said one way or the other but did offer that he didn’t want the media coverage. That’s kind of an odd thing to say considering the volume of information the company has pushed out in response to the multiple allegations.

So who do you trust? Or is it too soon to say?

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.