Kaspersky: NSA worker’s computer was packed with malware

"It is possible that the [NSA] user could have leaked information to many hands," Kaspersky's investigation concluded.
Eugene Kaspersky (CeBIT Australia / Flickr)

As Kaspersky Lab faces accusations that its software allowed spying on classified U.S. documents, the Russian cybersecurity firm published the results of an internal investigation Thursday claiming an NSA worker who took classified documents home had a personal computer overwhelmed with malware.

In addition to a trove of NSA hacking tools, the unidentified NSA worker’s computer held 121 malicious files, including at least one backdoor created by a Russian criminal hacker, the firm concluded.

Kaspersky said its antivirus software must have been disabled on the machine in order to allow the backdoor, known as Mokes, to run. The individual NSA worker has not been named publicly but is currently going through legal processes, according to U.S. officials.

Kaspersky has been the focus of multiple congressional hearings. It was recently banned from civilian and military federal networks by a Department of Homeland Security directive. The possibility of legal action by the Moscow-based company looms over the ongoing removal efforts.


The NSA worker was most likely compromised in 2014 by someone using Mokes, malware created in 2011 by a Russian hacker and then used around the cybercriminal underground, according to Kaspersky. The firm’s researchers also say that the NSA worker would be a prime target for nation-state hackers and that other malware may have been on the machine but went undetected. Mokes was used around the world, including by someone in China named “Zhou Lou,” an identity that could have been manufactured.

Kaspersky emphasized that it didn’t keep any classified information from the NSA worker’s computer.

“Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands,” Kaspersky’s report reads. “What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.”

The cybersecurity firm says its software did pull classified information from the NSA worker’s machine because it was contained in an archive where malware was detected along with Equation Group source code and four Microsoft Word documents with classification markings. Equation Group is a sophisticated hacking group widely attributed to the NSA. The NSA worker had Equation Group hacks on his computer because he brought his highly classified work home, a move that’s against both NSA rules and federal law.

“After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO,” the report states. “Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. – statistics and some metadata). We cannot assess whether the data was ‘handled appropriately’ (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.”


There is no evidence that the data left Kaspersky’s corporate network or that it was intercepted, the company says.
