Kaspersky Lab as a company needs no introduction. The company’s cybersecurity offerings are used by companies, governments and individuals globally, and till recently, it was among the more favoured anti-malware operators around.
A damning report published in The Wall Street Journal has, however, now put the company’s credibility and livelihood on the line. The report alleges that Kaspersky Lab played a role in helping Russia’s spy agency, the FSB, gain access to top-secret data and tools belonging to the US National Security Agency (NSA) and that it was involved in large-scale espionage.
Various reports on The New York Times and The Washington Post back up these claims with quotes and reports from numerous unnamed sources. These various reports suggest that Kaspersky Lab either directly or indirectly colluded with the FSB in enabling a global spy program involving Kaspersky Lab software.
Following these reports, and an internal investigation, the US government issued a directive ordering government agencies to stop using Kaspersky Lab software. The US government’s reaction is understandable given the mounting evidence that suggests extensive Russian meddling in the 2016 US presidential elections.
That said, Kaspersky Lab is adamant that it shares no “inappropriate ties to any government, including Russia”, and that the company is simply caught in “the middle of a geopolitical fight.”
In a statement to the press, Kaspersky Lab says, “Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continues to perpetuate accusations about the company.”
It’s just as likely that the NSA is pushing the blame for its own incompetence on Kaspersky Lab as it is that Kaspersky Lab has no ties at all to the Russian government. Whatever the case, here are all the facts as we know them.
Israel hacks Kaspersky Lab
At some point in 2014, Israel targeted and hacked Kaspersky Lab networks with a highly sophisticated attack that allowed hackers to surreptitiously snoop on Kaspersky’s networks and steal data.
At the time, Kaspersky Lab wasn’t focussing on state-sponsored attacks, which are usually expensive to orchestrate, and didn’t detect the intrusion.
By the time the intrusion was finally detected in 2015, when Kaspersky Lab started work on tools to detect such sophisticated, state-sponsored attacks, the damage had already been done.
While in Kaspersky Lab’s computers, Israeli hackers discovered that the company had access to classified hacking tools belonging to the NSA. More damning was the discovery that Russian hackers were in Kaspersky Lab’s network as well and that they were using Kaspersky Lab software to look for classified data and for hacking into various computers globally.
Kaspersky Lab, for its part, publicly disclosed the hack (PDF) and apparently gave out all the information they had on it. In its report, Kaspersky did not single out Israel, only hinting that the attack signature resembled that used by the American-Israeli sponsored Stuxnet and Duqu attacks.
Explaining the situation, Kaspersky stated that the attack used zero-day vulnerabilities in Windows and other software to infiltrate Kaspersky’s systems and that the attacks were designed to be extremely stealthy. Since Kaspersky wasn’t focusing on APT (advanced persistent threat) attacks, Kaspersky didn’t discover the threat. The attack was eventually discovered in 2015, but only after Kaspersky developed a prototype APT detection tool.
Interestingly, Kaspersky’s report bears no mention of the presence of Russian hackers in its systems.
NSA contractor’s PC hacked
Israel reported these findings to the NSA. The NSA, launching its own investigation, later discovered that a computer of an NSA contractor using Kaspersky software was hacked. The contractor had sneaked classified NSA tools onto his home PC and these were “stolen” from his device by Russian hackers.
According to this NYT report on the 2015 hack of the NSA contractor’s PC, Russian hackers repurposed a “silent signatures” tool to snoop for sensitive data on the contractor’s PC.
The tool is like the one used by many antivirus companies. It is used to scan files for malware signatures and it does so surreptitiously to avoid alerting the malware. Unfortunately, this tool can also be used to surreptitiously scour a PC for specific information. The Russian hackers apparently used a modified version of the tool to look for documents labelled “top secret”, names of covert CIA programs, etc. Kaspersky Lab software allegedly flagged the software for Russian hackers, allowing them to target the contractor's computer.
The discovery of this hack, and Israel’s allegations placed the spotlight on Kaspersky Lab.
The case against Kaspersky Lab
While no media house has seen any hard evidence to back any of the allegations made against Kaspersky Lab, several pointers indicate that Kaspersky Lab is directly or indirectly involved in state-sponsored espionage on behalf of Russia.
Israel did hack Kaspersky Lab’s network and claims to have real-time data of Russian hackers modifying Kaspersky Lab software and using its software to search for and steal sensitive information. Israel claims to have submitted this data to the NSA and anonymous sources of The Washington Post claim to have verified the data.
Kaspersky Lab did disclose that it was hacked and hinted at Israel’s involvement in its report, but made no mention of a simultaneous Russian hack within its networks.
The NSA claims that the contractor’s PC was protected by Kaspersky AV, which revealed the presence of classified material to Russian hackers, allowing them to target said PC.
Data collected by Kaspersky Lab software is transmitted via Russian servers. Russia’s FSB controls the flow of information and is likely to have had access to all data sent to Kaspersky’s servers.
Despite Kaspersky’s claims that the data so transmitted is encrypted, and so, impossible to read. Russian surveillance expert Andrei Soldatov tells The Washington Post that even if the data was encrypted, Kaspersky Lab wouldn’t have been able to do so without the blessing of the FSB, which comes in the form of a license permitting the use of encryption.
The requirements for the license haven’t been specified, but it is very likely that the FSB has decryption keys, making the use of encryption redundant.
Russians obtained some NSA hacking tools in 2015 and both Israel and the NSA claim that these were acquired via Kaspersky Lab software.
The case for Kaspersky Lab’s innocence
The media and public haven’t seen any hard evidence that Kaspersky Lab or its products were involved in any form of state-sponsored hacking.
Kaspersky Lab’s senior executives may have been oblivious of Russian government involvement.
There is no evidence that Kaspersky Lab was actively involved in any sort of espionage activities.
Kaspersky AV must have just been doing its job when it discovered the stolen NSA malware on the contractor’s PC. It may have detected and classified said tools as malware. This malware may have been uploaded to Kaspersky Lab servers for analysis as standard operating procedure, inadvertently making it appear that Kaspersky Lab was stealing data from the US government. Russian hackers may have hacked into Kaspersky Lab’s servers and then stolen the data from there.
Germany’s BSI federal cyber agency has given the company a clean chit, telling Reuters that it found “no evidence to back media reports that Russian hackers used Kaspersky Lab antivirus software to spy on US authorities.” The BSI made it clear that it found no evidence of misconduct by the company or of any weakness in the software, reports Reuters.
In fact, the BSI is quoted as saying that “there is no indication that the hacking process occurred as described in the media.” The German government has placed no restrictions on the use of Kaspersky Lab products.
All software used by governmental agencies needs to be vetted before use. It’s possible that a US federal governmental agency actually gave Kaspersky Lab a clean chit or that the vetting process wasn’t followed. The NSA contractor should not have been able to sneak off with classified NSA hacking tools. Given this information, it’s possible that Kaspersky Lab is simply being used as a scapegoat to cover up governmental incompetence.
The NSA, CIA and various US governmental agencies have suffered massive data breaches in the past, indicating an inherent problem at the "secretive" agencies.
What can Kaspersky do?
Kaspersky Lab is a Russia-based cybersecurity company that sells its products globally. As a company that originates from a country which aims for absolute control over the flow of information and is not on friendly terms with the US, Kaspersky Lab is in a very unfortunate situation.
The case against Kaspersky Lab is very strong. If the company did indeed collude with the Russians to spy on the rest of the world, it can never be trusted again and deserves to be banned from use. If the company is innocent of all charges, it was unfortunate enough to have been thoroughly infiltrated and hacked not once, but twice (separately by Russia and Israel). That’s poor showing for a cybersecurity company that claims to offer “the best defence for every device” and doesn't do the company's reputation any favours.
Either way, Kaspersky Lab is, as the saying goes, between a rock and a hard place, and there appears to be little it can do about it.
Note: We've reached out to Kaspersky for comment and will update the story with their response when it's made available to us.
Published Date: Oct 12, 2017 01:25 pm | Updated Date: Oct 12, 2017 03:23 pm