WASHINGTON—The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool, according to current and former U.S. officials with knowledge of the matter.
The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations that the officials say could only have been made with the company’s knowledge, the program searched for terms as broad as “top secret,” which may be written on classified government documents, as well as the classified code names of U.S. government programs, these people said.
The Wall Street Journal reported last week that Russian hackers used Kaspersky’s software in 2015 to target a contractor working for the National Security Agency, who had removed classified materials from his workplace and put them on his home computer, which was running the program. The hackers stole highly classified information on how the NSA conducts espionage and protects against incursions by other countries, said people familiar with the matter. An NSA spokesman didn’t comment on the breach.
But the use of the Kaspersky program to spy on the U.S. is broader and more pervasive than the operation against that one individual, whose name hasn’t been publicly released, current and former officials said.
Kaspersky Lab, founded by an engineer trained at a KGB technical school, has long insisted that it doesn’t assist the Russian government with spying on other countries. But many U.S. officials now think the evidence the U.S. has collected shows the company is a witting partner, said people familiar with the matter.
“There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this,” said a former U.S. official with knowledge of information gleaned in 2015 about how the software was used to search for American secrets. He said the nature of the software is such that it would have had to be programmed to look for specific keywords, and Kaspersky’s employees likely would have known that was happening, this former official said.
The company said in a statement Wednesday that “Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.”
Representatives of the Russian government didn’t immediately respond to requests for comment. In a statement last week in response to the earlier Journal story, a Kremlin spokesman didn’t address whether the Russian government stole NSA materials using Kaspersky software.
A spokesman for the NSA declined to comment, as did a White House spokesman.
It remains unclear exactly how many other government computers or employees may have been targeted using the Kaspersky product or whether secret government material was stolen, said the people familiar with the matter.
After discovering the 2015 breach, U.S. officials began gathering other evidence that Kaspersky was being used to identify classified information and assist in its theft, said the people familiar with the matter.
For many months, U.S. intelligence agencies studied the software and even set up controlled experiments to see if they could trigger Kaspersky’s software into believing it had found classified materials on a computer being monitored by U.S. spies, these people said. Those experiments persuaded officials that Kaspersky was being used to detect classified information.
The government of Israel first alerted the U.S. that Kaspersky software was being used to find American intelligence information, after Israel’s own computer spies penetrated the networks of Kaspersky Lab beginning in 2014, the current and former officials said.
Once inside, the Israelis discovered how the software was being used and how Russia had obtained classified information from the NSA, these current and former officials said.
Israel’s spying on Kaspersky, which U.S. officials said provided crucial evidence that Kaspersky Lab was working with the Russian government, and the use of Kaspersky to scan for classified keywords was first reported Tuesday by the New York Times. Israeli officials didn’t immediately respond to requests for comment.
After the Israelis passed along what they knew to the U.S., officials at the NSA began an investigation that led to the contractor who had installed Kaspersky software on his personal computer at home. People familiar with that investigation say he appeared to have no ill intent, but knew that removing the classified material from the NSA’s headquarters campus at Fort Meade, Md., was a violation of agency rules and possibly a crime.
Last month, the Department of Homeland Security took the extraordinary step of banning all federal government agencies and departments from using Kaspersky goods and services. That action was a direct result of U.S. efforts to build a case against Kaspersky, said former officials involved in the work.
Until that decision was made, Kaspersky software was authorized for use in 22 government agencies, U.S. officials have said. It also is sold to U.S. consumers and companies.
“This new report further underscores the overwhelming case against Kaspersky Lab,” said Sen. Jeanne Shaheen (D., N.H.), who has redoubled her efforts in recent days to force the Trump administration to explain the damage the use of Kaspersky in government computers may have had. “These revelations should expedite efforts at the federal level to rid all federal infrastructure of Kaspersky Lab products.”
Ms. Shaheen reiterated her request for the Senate Armed Services Committee to hold a hearing on the “vulnerability to our national security.”
In a twist, Kaspersky appears to have known, or at least suspected, that it had been hacked by Israel. In June 2015, the company published a detailed technical analysis about malicious computer code used to break into its systems, which it dubbed Duqu 2.0. Experts believe that the original Duqu malware, on which the one inside Kaspersky’s system appears to have been based, was used to spy on officials participating in international negotiations over Iran’s nuclear program, a fact that Kaspersky acknowledged in its paper.
The Journal reported in 2015 that Israel had spied on closed-door talks among the U.S. and other world powers about curtailing Iran’s nuclear ambitions. Israeli officials denied spying directly on U.S. negotiators and said they received their information through other means, including close surveillance of Iranian leaders receiving the latest U.S. and European offers.
In its paper, Kaspersky Lab also noted the original Duqu’s technical and design links to an earlier, more famous malware known as Stuxnet, which was developed by the U.S. and Israel to disrupt Iran’s nuclear program.
The Kaspersky paper didn’t explicitly name Israel as the country that had penetrated the company, but people with knowledge of the operation confirmed that the company’s public technical analysis is referring to it.
Kaspersky Lab said in a statement that it “was not the only target” of the malware and “we are confident that we have identified and removed all of the infections that happened during that incident. Furthermore, Kaspersky Lab publicly reported the attack, and the company offered its assistance to affected or interested organizations to help mitigate this threat.”