SAN FRANCISCO (Reuters) - Eugene Kaspersky said his company’s widely used antivirus software has copied files that did not threaten the personal computers of customers, a sharp departure from industry practice that could increase suspicions that the Moscow-based firm aids Russian spies.
The acknowledgement, made in an interview last Friday as part of the Reuters Cyber Security Summit, comes days after Kaspersky’s company said its software had copied a file containing U.S. National Security Agency hacking tools from the home computer of an agency worker in 2014.
Kaspersky’s firm has for years faced suspicions that it has links with Russian intelligence and state-sponsored hackers. Kaspersky denies any cooperation with Russian authorities beyond cyber crime enforcement.
In September, the U.S. Department of Homeland Security banned Kaspersky software from use in federal offices, citing the company’s ties with Russian intelligence. The company is the subject of a long-running probe by the U.S. Federal Bureau of Investigation, sources have told Reuters.
Antivirus software is designed to burrow deeply into computer systems and has broad access to their contents, but it normally seeks and destroys only files that contain viruses or are otherwise threatening to a customer’s computers, leaving all other files untouched.
Searching for and copying files that might contain hacking tools or clues about cyber criminals would not be part of normal operations of antivirus software, former Kaspersky employees and cyber security experts said.
In the Reuters interview, conducted at Kaspersky Lab’s offices in Moscow, Eugene Kaspersky said the NSA tools were copied because they were part of a larger file that had been automatically flagged as malicious.
He said the software removed from the agency worker’s computer included a tool researchers dubbed GrayFish, which the company has called the most complex software it has ever seen for corrupting the startup process for Microsoft’s Windows operating system.
Kaspersky said he had ordered the file to be deleted “within days” because it contained U.S. government secrets.
But he defended the broader practice of taking inert files from machines of people that the company believes to be hackers as part of a broader mission to help fight cyber crime.
“From time to time, yes, we have their code directly from their computers, from the developers’ computers,” Kaspersky told Reuters.
Three former Kaspersky employees and a person close to the FBI probe of the company, who first described the tactic to Reuters this summer, said copying non-infectious files abused the power of antivirus software. The person associated with the FBI said in one case Kaspersky removed a digital photo of a suspected hacker from that person’s machine.
Eugene Kaspersky declined to discuss specific instances beyond the NSA case, saying he did not want to give hackers ideas for avoiding detection.
“Sometimes we are able to catch cyber criminals, that’s why I am not so comfortable to speak about this to media,” he said in the interview. “Many of them are very clever, they can learn from what I am saying.”
Other industry experts called the practice improper. Mikko Hypponen, chief research officer at Finnish security company F-Secure, said that when his firm’s software finds a document that might contain dangerous code, “it will prompt the user or the administrator and ask if it can upload a copy to us.”
Dan Guido, chief executive of cyber security firm Trail of Bits, which has performed audits on security software, said Kaspersky’s practices point to a larger issue with all antivirus software.
“All of them aggregate a huge amount of information about their clients, which can be easily exploited when put in willing hands,” he said.
U.S. news organizations have reported that Kaspersky, or Russian spies hijacking its service, have been searching widely among customers’ computers for secret files, citing anonymous U.S. intelligence officials. Reuters has not verified such reports.
Kaspersky said he hoped to alleviate concerns about his company by opening up his source code for review by third parties in independently run centres, as well as by raising the maximum amount it offers for information about security flaws in its programs to $100,000.
Reporting by Joseph Menn in San Francisco; Additional reporting by Jack Stubbs in Moscow, Jim Finkle and Alastair Sharp in Toronto and Dustin Volz in Washington; Editing by Jonathan Weber and Bill Rigby