Kaspersky Lab Has Been Working With Russian Intelligence
Emails show the security-software maker developed products for the FSB and accompanied agents on raids.
By Jordan Robertson and Michael Riley
Illustration: Kurt Woerpel for Bloomberg Businessweek
Russian cybersecurity company Kaspersky Lab
boasts 400 million users worldwide. As many as 200 million may not know
it. The huge reach of Kaspersky’s technology is partly the result of
licensing agreements that allow customers to quietly embed the software
in everything from firewalls to sensitive telecommunications
equipment—none of which carry the Kaspersky name.
That
success is starting to worry U.S. national security officials concerned
about the company’s links to the Russian government. In early May six
U.S. intelligence and law enforcement agency chiefs were asked in an
open Senate hearing whether they’d let their networks use Kaspersky
software, often found on Best Buy shelves. The answer was a unanimous
and resounding no. The question, from Florida Republican Marco Rubio,
came out of nowhere, often a sign a senator is trying to indirectly draw
attention to something learned in classified briefings.
Eugene
Kaspersky took to Reddit to respond. Claims about Kaspersky Lab’s ties
to the Kremlin are “unfounded conspiracy theories” and “total BS,” the
company’s boisterous, barrel-chested chief executive officer wrote.
While the U.S. government hasn’t disclosed any evidence of the ties,
internal company emails obtained by Bloomberg Businessweek show
that Kaspersky Lab has maintained a much closer working relationship
with Russia’s main intelligence agency, the FSB, than it has publicly
admitted. It has developed security technology at the spy agency’s
behest and worked on joint projects the CEO knew would be embarrassing
if made public.
Most major cybersecurity companies maintain close ties to
home governments, but the emails are at odds with Kaspersky Lab’s
carefully controlled image of being free from Moscow’s influence.
Kaspersky’s work with Russian intelligence could scare off business in
Western Europe and the U.S., where Russian cyber operations have grown
increasingly aggressive, including attempts to influence elections.
Western Europe and the U.S. accounted for $374 million of the company’s
$633 million in sales in 2016, according to researcher International
Data Corp.
“When statements
are taken out of context, anything can be manipulated to serve an
agenda,” the company said in a statement. “Kaspersky Lab has always
acknowledged that it provides appropriate products and services to
governments around the world to protect those organizations from
cyberthreats, but it does not have any unethical ties or affiliations
with any government, including Russia.”
Antivirus companies are
especially delicate because the products they make have access to every
file on the computers they protect. The software also regularly
communicates with the maker to receive updates, which security experts
say could theoretically provide access to sensitive users such as
government agencies, banks, and internet companies. Adding to the U.S.
government’s jitters, Kaspersky recently has developed products designed
to help run critical infrastructure such as power grids.
The
previously unreported emails, from October 2009, are from a thread
between Eugene Kaspersky and senior staff. In Russian, Kaspersky
outlines a project undertaken in secret a year earlier “per a big
request on the Lubyanka side,” a reference to the FSB offices. Kaspersky
Lab confirmed the emails are authentic.
Kaspersky
Lab CEO Eugene Kaspersky speaks at a plenary meeting titled
“Cybersecurity in the Face of New Challenges and Threats,” part of the
Finopolis 2016 forum of innovative financial technologies, in Kazan,
Russia.
Photographer: Getty Images
The
software that the CEO was referring to had the stated purpose of
protecting clients, including the Russian government, from distributed
denial-of-service (DDoS) attacks, but its scope went further. Kaspersky
Lab would also cooperate with internet hosting companies to locate bad
actors and block their attacks, while assisting with “active
countermeasures,” a capability so sensitive that Kaspersky advised his
staff to keep it secret.
“The project includes both technology to protect against
attacks (filters) as well as interaction with the hosters (‘spreading’
of sacrifice) and active countermeasures (about which, we keep quiet)
and so on,” Kaspersky wrote in one of the emails.
“Active
countermeasures” is a term of art among security professionals, often
referring to hacking the hackers, or shutting down their computers with
malware or other tricks. In this case, Kaspersky may have been referring
to something even more rare in the security world. A person familiar
with the company’s anti-DDoS system says it’s made up of two parts. The
first consists of traditional defensive techniques, including rerouting
malicious traffic to servers that can harmlessly absorb it. The second
part is more unusual: Kaspersky provides the FSB with real-time
intelligence on the hackers’ location and sends experts to accompany the
FSB and Russian police when they conduct raids. That’s what Kaspersky
was referring to in the emails, says the person familiar with the
system. They weren’t just hacking the hackers; they were banging down
the doors.
The project lead was Kaspersky Lab’s chief legal
officer, Igor Chekunov, a former policeman and KGB officer. Chekunov is
the point man for technical support to the FSB and other Russian
agencies, say three people familiar with his role, and that includes
gathering identifying data from customers’ computers. One Kaspersky Lab
employee who used to ride along with Russian agents on raids was Ruslan
Stoyanov, whose technology underpinned the company’s anti-DDoS efforts,
says the person familiar with the program. Stoyanov previously worked in
the Interior Ministry’s cybercrime unit. In December he and a senior
FSB cyber investigator were arrested on treason charges, adding a
bizarre twist to the company’s relationship to the government. Kaspersky
Lab has said the case involved allegations of wrongdoing before
Stoyanov worked for the company. Stoyanov couldn’t be reached for
comment.
In the emails, Kaspersky said the aim of the project for
the FSB was to turn the anti-DDoS technology into a mass-market product
for businesses. “In the future the project may become one of the items
on the list of services that we provide to corporate customers,” he
wrote. Kaspersky now sells its DDoS protection service to large
companies, installing sensors directly inside customers’ networks. The
company’s website contains a large red notice that it’s not available in
the U.S. or Canada.
The U.S. government hasn’t identified any
evidence connecting Kaspersky Lab to Russia’s spy agencies, even as it
continues to turn up the heat. In June, FBI agents visited a number of
the company’s U.S. employees at their homes, asking to whom they
reported and how much guidance they received from Kaspersky’s Moscow
headquarters. And a bill was introduced in Congress that would ban the
U.S. military from using any Kaspersky products, with one senator
calling ties between the company and the Kremlin “very alarming.”
Russia’s communications minister promptly threatened sanctions if the
measure passed.
Indeed, many in Russia see the anti-Kaspersky
campaign as politics with a dash of protectionism. “This is quite
useless to find any real evidence, any real cases where Kaspersky Lab
would violate their privacy policies and transfer some data from U.S.
customers, from U.S. enterprise clients, to Russian intelligence or
FSB,” says Oleg Demidov, a consultant for researcher PIR Center in
Moscow who studies Russian cyberattacks. “There are no such cases. At
least, they are not publicly discussed.”
There’s another possibility, given Kaspersky Lab’s
success at embedding its products in sensitive locations. Last year,
Eugene Kaspersky announced the launch of the company’s secure operating
system, KasperskyOS, designed to run systems that control electrical
grids, factories, pipelines, and other critical infrastructure. The U.S.
Defense Intelligence Agency reportedly circulated a warning that the
product could let Russian government hackers disable those systems, a
claim Kaspersky denied.
Fourteen years in development, Kaspersky
Lab’s secure OS is designed to be easily adaptable for the internet of
things, everything from web-connected cameras to cars. That could be a
great business model for the Russian company. U.S. national security
officials seem determined to make sure it isn’t. —With Carol Matlack
BOTTOM LINE - Kaspersky Lab’s ties to the
Russian government may threaten its business in the U.S. and Western
Europe, which account for almost 60 percent of its sales.