U.S. spies see a global intelligence network in the making in company’s anti-virus software.
LAS VEGAS — It’s a tough year to be a Russian cybersecurity firm fighting for a share of the U.S. market. At last month’s Black Hat security conference, Kaspersky Lab seemed to have a sense of humor about its alleged ties to the Russian government, throwing a party at Red Square, a kitschy Soviet-themed bar.
Red Square features stylized Soviet-era propaganda on the walls, and the booze sits behind industrial glass doors, lit up in a lurid shade of red. Huge chandeliers hang from the ceiling, and a decapitated Lenin statue stands outside its entrance.
The vibe of “tsarist palace collides with Moscow nightclub” was a fitting metaphor for the Russian company, which despite being one of the world’s premier computer-security firms, is now, whether fairly or not, caught up in an investigation into Kremlin interference in the U.S. presidential election.
Kaspersky, which serves some 400 million customers around the world, has become a target for the backlash. American intelligence officials and lawmakers have zeroed in on Kaspersky Lab and launched a campaign to eliminate its use by U.S. government agencies. The firm’s software, its critics allege, could serve as a digital beachhead for Kremlin hackers looking to break into American computer systems.
The company had no executives in attendance at Black Hat, only researchers. And on the showroom floor, where Kaspersky’s small booth occupied a lightly trafficked corner, its employees bristled when asked whether conference attendees had been questioning them about the company’s ties to Russian intelligence. “You are!” one employee, who refused to give his name, snapped.
“Don’t touch our computer!” another employee yelled when a reporter walked over to look at a screen displaying the company’s software. When asked for a demonstration, he said: “I don’t know how it works.”
Questioned on the sidelines of last week’s Black Hat conference, several former American intelligence officials who worked on cybersecurity issues refused to say whether the government has discovered any backdoors in the Russian company’s software. But one former senior intelligence official noted that security researchers have been looking for those holes “for years,” and so far no significant vulnerabilities have been discovered in Kaspersky’s software.
But in the wrong hands, Eugene Kaspersky’s global business empire, which took home $644 million in total revenue last year, represents an extraordinary threat. “The tool he sells is essentially a global intelligence operation,” the former intelligence official said.
The fears over Kaspersky’s possible role in Kremlin cyber espionage center on the eponymous company executive’s ties to Russian intelligence. Educated at a KGB-backed cryptography institute, Eugene Kaspersky, the company’s founder and CEO, served in Russian military intelligence following his graduation in 1987. He reportedly attends a weekly banya, or Russian sauna, that draws members of the Russian intelligence community. Kaspersky has described these sessions as purely social, but such ties to the Federal Security Service (FSB) and other Kremlin security organs draw intense suspicion in American intelligence circles.
“Contrary to inaccurate media reports, like most people, Eugene Kaspersky goes to banya to relax, not to meet with intelligence officials,” his company said in a statement to Foreign Policy.
In fact, so far the U.S. government has offered no concrete evidence that Kaspersky has installed backdoors in its software at the Kremlin’s behest, turned customer data over to Russian intelligence agencies, or that its links to security services go beyond the close relationship most cybersecurity firms enjoy with spies in their home countries.
Kaspersky strenuously denies that it serves as a tool in the Kremlin’s espionage ambitions. “Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in its statement to FP.
The company declined to make any of its executives available for an interview for this story.
In its statement, Kaspersky argues that it is “caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.” Eugene Kaspersky has offered to testify before Congress about his links to Russian security services and to have his company’s source code audited.
The company’s researchers also regularly write reports documenting Russian state-sponsored hacking activity. Its researchers have, for example, chronicled the technical tools used by the hacking group Fancy Bear, which was one of two Russian-backed groups that broke into the computer systems of the Democratic National Committee. This week, Kaspersky released a report describing the recent use of zero-day exploits by Fancy Bear and another group tied to the Russian government.
Kaspersky — like much of the cybersecurity industry — doesn’t bother attributing such attacks directly to the Russian government. If an attack can be recognized and subsequently blocked, it’s not so interesting where it came from, runs a common line of thinking in the industry. To describe Fancy Bear, Kaspersky researchers will use some variant of the phrase “a highly professional Russian-speaking threat actor.”
Even if there’s no evidence the software is compromised, there’s reason to be concerned about Kaspersky products, insist intelligence officials. “It’s software,” said a former official at In-Q-Tel, the CIA’s high-tech investment arm, attending Black Hat. “You can do anything to software.”
Indeed, within the CIA, engineers within the Directorate of Science and Technology operate under the assumption that Kaspersky technology has been compromised by the Kremlin’s security organs, said the former CIA officer, who left the agency for the cybersecurity industry.
By its very nature, anti-virus software provides its operator with deep insight into its customer’s computer. Kaspersky anti-virus software scans nearly every file that passes through a computer and beams reams of data back to company headquarters. Such software has wide-ranging power — what the computer security researcher Nicholas Weaver calls “God mode” — to update software and potentially gain control of a computer.
In recent months, the company has come under intense scrutiny by the U.S. government. In May, the heads of major American intelligence agencies, including the CIA, FBI, and National Security Agency, all said during Senate testimony they wouldn’t be comfortable running Kaspersky software on their computers, helping fuel deep suspicion of the company. In June, FBI agents fanned out across the United States to interview Kaspersky employees as part of a probe examining the company’s relationship with the Russian government.
Last month, the General Services Administration, the federal procurement giant, banned Kaspersky from two approved vendor lists, following reports that several government agencies were using its software.
But in the absence of technical evidence documenting Kaspersky abetting Russian espionage, how to view the integrity of the company’s products comes down to a question of paranoia — and when paranoia becomes justifiable.
The NSA, CIA, and Office of the Director of National Intelligence all declined to comment on the record for this story.
Asked whether her agency has any evidence that Kaspersky has done the bidding of the Kremlin by providing access to its client’s computers, Donna Garland, a spokeswoman for the GSA, said her agency is “not aware of access to customer data related to Kaspersky Lab-manufactured products.”
“GSA has only made the decision to not offer those Kaspersky Lab-manufactured products on our contracts based on risk management practices,” she said.
But the U.S. government has never presented evidence that Kaspersky has done the bidding of the Kremlin by making customer data available to its spy agencies or is allowing its software to be used to spy on its customers.
Last month, McClatchy published a document purporting to show a link between Kaspersky and a military intelligence unit of the FSB, but it is unclear whether that document indicates clandestine ties or is a run-of-the-mill regulatory document. In Russia, the FSB serves as the country’s cryptographic regulator.
Kaspersky draws many of its top executives from the ranks of Russian intelligence. Igor Chekunov, the company’s top legal officer and reportedly a liaison to Russian law enforcement, served in a KGB unit before joining the company. A former top investigator for the firm, Ruslan Stoyanov, served as a senior cybercrime investigator for the Russian interior ministry.
In December, Russian authorities arrested Stoyanov and a senior FSB cyber official on charges of treason. In a statement at the time of his arrest, Kaspersky Lab said Stoyanov’s arrest was related to work conducted prior to joining the company, and his case remains shrouded in mystery.
Stoyanov’s case may highlight Kaspersky’s possible ties to the Russian government, but if the company were in the Kremlin’s pocket, why would the government arrest one of its top investigators, the former senior American intelligence official asked.
Others perceive Stoyanov’s arrest as a message from the Kremlin. “Many believe that it was meant to serve as pressure on the company and Kaspersky personally,” said the journalist Andrei Soldatov, the author of The Red Web, a portrait of the Russian internet. “A sort of message — ‘don’t forget where you operate. You cannot hide from us.’”
Following Stoyanov’s arrest, cooperation between American cybersecurity firms and Kaspersky slowed to a crawl, said John Bambenek, a threat intelligence manager for Fidelis Cybersecurity, a prominent firm that has contracts with the U.S. government. Cybersecurity firms around the world typically collaborate on problems and in identifying malware. Kaspersky’s experts are sought for their insight into the Russian hacker scene, a significant source of the world’s online criminal activity.
Nonetheless, Stoyanov illustrates a basic reality: Cybersecurity companies around the world have deep ties to their domestic security services. In the United States, veterans of the NSA make up some of the most sought-after talent, and former employees of the surveillance agency have founded lucrative firms and do business with the government.
That revolving door was on display at Black Hat. “You could count the number of companies at this event without a former government official on one hand,” Bambenek said.
Whether in Russia or the United States, it is not unusual for cybersecurity firms to work with law enforcement. With cybercrime causing billions of dollars in losses annually, American firms have teamed up with U.S. law enforcement to go after online criminal groups. When the FBI took down the Gameover Zeus botnet in 2014, it was with the help of anti-virus giant Symantec and a coalition of private firms.
Kaspersky has provided similar help to the Russian government, which has been cited as evidence of the firm’s complicit relationship with the Kremlin.
But the company’s aid to Russian security services may go beyond the assistance offered to the FBI by its American counterparts. In emails obtained by Bloomberg Businessweek and published last month, Eugene Kaspersky describes an unusual arrangement with the FSB, the successor to the KGB. “The project includes both technology to protect against attacks (filters) as well as interaction with the hosters (‘spreading’ of sacrifice) and active countermeasures (about which, we keep quiet),” Kaspersky wrote in the 2009 email.
According to Bloomberg, the “active countermeasures” included providing the FSB “with real-time intelligence on the hackers’ location” and sending its “experts to accompany the FSB and Russian police when they conduct raids.”
In a statement, Kaspersky said that it cooperates with law enforcement investigations around the world to fight cyberthreats. “In accordance with Russian law, we only provide technical expertise throughout the investigation to help them catch cybercriminals,” the company said. “Concerning raids and physically catching cybercriminals, Kaspersky Lab might ride along to examine any digital evidence found, but that is the extent of our participation, as we do not track hackers’ locations.”
Former American intelligence officials concede that cooperation between cybersecurity firms and government agencies has become routine, but argue that Russian laws pose a unique threat to Kaspersky’s independence. Laws governing cybersecurity grant the Russian government extraordinary power to install software and hardware, with companies having little power to fight back.
Once a company begins work related to cryptography, it falls under the regulation of the FSB, said Soldatov, the Russian journalist. That regulation subjects the company to constant FSB scrutiny: “in most cases it means a special department consisting of FSB people inside of your company,” Soldatov said.
The former CIA officer who left the agency for the cybersecurity industry pointed to the Russian Facebook clone, VKontakte (now known just as VK), as an example of what happens to tech companies that run afoul of the Russian government. After organizers used the platform as a tool to organize anti-government protests in 2012, the Kremlin attempted to crack down on anti-government groups on VK. The site’s founder, Pavel Durov, refused to comply.
Kremlin-friendly oligarchs began acquiring significant stakes in the company, pressuring Durov over the company’s finances. Once celebrated as a luminary of the Russian startup scene, Durov had become a liability to the Kremlin and its allies. Durov, an internet libertarian who once offered Edward Snowden a job at his company, appears to have seen the writing on the wall and sold his stake in the company in 2014. He now lives in exile and runs the popular encrypted messaging app Telegram.
In the dog-eat-dog world of Russian power politics, Kaspersky’s company is vulnerable by sheer virtue of its founder’s location, said one retired CIA officer, who ran the agency’s operations against Russia. “His company, his family, his bank account are all in Russia,” he said. “What’s stopping the Kremlin?”