
Will Kaspersky Lab Survive the Russia Hacking Scandal?

Analysis: If RSA's NSA Scandal Is a Guide, Russian Anti-Virus Firm Will Survive
Kaspersky Lab's Moscow headquarters. (Photo: Mikhail Deynekin via Creative Commons)

It's a tale that reads stranger than fiction, a true Tom Clancy-style yarn: Israeli spies hacked into Kaspersky Lab's network and discovered that the Russian government was using the company's widely installed anti-virus software to spy on U.S. intelligence agencies.


Tension and rumors over how the Russian government might be using or misusing Kaspersky Lab have been building for months, if not years. In July, the U.S. General Services Administration removed Kaspersky Lab's software from its list of approved IT vendors. Last month, the U.S. Department of Homeland Security banned the software and ordered it to be removed from all government systems within 90 days (see Kaspersky Software Ordered Removed From US Government Computers).

Kaspersky Lab, led by its barrel-chested, loquacious co-founder Eugene Kaspersky, has been dogged by unfounded speculation that it may be an extension of Russia's security agencies, willingly or not.

Eugene Kaspersky doesn't seem like the type of guy who would sabotage his own beloved company, which he tirelessly promotes. It's one of the few Russian technology companies that have earned wide name recognition, in no small part for the plaudits bestowed on the company's products, its top-notch team of anti-malware researchers and its ongoing efforts to help international police agencies bring cybercriminals to justice.

Spy Versus Spy

With so many allegations swirling, it's important to emphasize that many questions remain unanswered, including whether Kaspersky Lab knowingly colluded with the Russian government. Whatever the answer, U.S. intelligence agencies have been playing the same game. The NSA has long pressured U.S. companies to provide it with secret ways to break security tools, including encryption. In one notable case, the U.S. government reportedly paid a domestic security firm to deliberately weaken a product.

In December 2013, Reuters reported that U.S. security firm RSA received $10 million from the NSA to use an intentionally flawed formula in its encryption software. The formula was a random number generator, and unpredictable random numbers are what strong encryption keys depend on. The flaws, however, gave the NSA a secret backdoor for cracking that encryption.

RSA later warned companies not to use the formula, but only after former NSA contractor Edward Snowden leaked documents showing how the intelligence agency had been attempting to undermine commercial software.

Was RSA at fault in this episode? It doesn't take a cryptography expert to think that having the NSA pay you to use a specific algorithm in your random number generator looks fishy.

What's going on now between Russia and Kaspersky Lab - if the government exerted pressure on the firm - would likely be no different. But this is how high-stakes nation-state intelligence operations are accomplished in a golden age of signals intelligence.

Report: Google for Exploits

The latest in the unfolding Kaspersky Lab saga comes via The New York Times, which reports that Israeli intelligence discovered at least two years ago that Russia had its hooks in Kaspersky Lab's software and was using it as the equivalent of a search engine for classified data on U.S. intelligence programs.

Technologically speaking, this is entirely feasible. Anti-virus programs have root-level access to a computer's operating system as well as the ability to copy files and send samples back to the vendor. Previous reports have suggested that Kaspersky Lab's software plucked exploitation tools from the home computer of an NSA employee who for some reason took the agency's most sensitive tools home from work and copied them onto his home PC. His computer was allegedly targeted by Russian intelligence, which may have been monitoring Kaspersky Lab's malware-tracking pipeline or received a tipoff from the security firm, potentially via moles.

The New York Times report does not include any evidence about whether Kaspersky Lab knowingly cooperated with the Russian government. Anonymous White House officials have suggested that the adjustments made to Kaspersky Lab's software could only have been made with the company's knowledge and participation. No evidence, however, has been produced to substantiate that assertion.

Certainly, security software - including from U.S. firms - has been altered in the past, apparently surreptitiously and without a vendor's knowledge (see Fortinet Finds More SSH Backdoors).

Kaspersky Lab Denies Allegations

Eugene Kaspersky and his company have fiercely denied reports that the firm colludes with the Russian government.

"Kaspersky Lab has never helped, nor will help, any government in the world with its cyber espionage efforts, and contrary to erroneous reports, Kaspersky Lab software does not contain any undeclared capabilities such as backdoors as that would be illegal and unethical," the company tells Information Security Media Group in a statement.

Geopolitically speaking, the accusations against Kaspersky Lab couldn't come at a worse time.

Driven by reports of 2016 U.S. presidential election interference, Russia has resumed its place as "enemy" in the U.S. consciousness as tensions peak to Cold War levels unseen since the early 1980s. Then again, might these accusations only be getting aired because of a U.S. government agenda?

Bold Research

Kaspersky Lab, founded in 1997, has gone from no-name company to a security industry giant that until recently enjoyed a top-shelf position in major U.S. retailers such as Best Buy. The private company doesn't shy away from self-promotion; one of its recent mottos reads: "Saving the world for 20 years."

The company's research into cybercrime and nation-state hacking operations is well respected. And it has not shied away from outing what have likely been not just U.S. but also Israeli and Russian intelligence operations.

In February 2015, it released a report on what it dubbed the Equation Group, which had developed a breathtaking array of tools and exploitation techniques that seemingly could have only come from a well-funded nation state. These hacking tools were powerful: the cover of Kaspersky's report has an illustration resembling the Death Star - the fearsome, planet-destroying weapon from "Star Wars."

The company stopped short of saying that the Equation Group was the NSA, but it remains clear that few groups or countries would have built such capabilities.

The report may have triggered a direct response. Not long afterwards, Kaspersky Lab, in a rare admission for a security firm, said that it had been hacked. The company then left no stone unturned, publishing a lengthy report in June 2015 on the malware involved in the attack, dubbed Duqu 2.0. The malware showed strong signs of being connected with Stuxnet - malware that has been ascribed to a joint U.S. and Israel "cyber weapons factory" that was purpose-built to wreck Iran's uranium centrifuges.

Moving On

Will the allegations against Kaspersky Lab spell the end of the firm? The incident has been and will continue to be damaging, for sure, even if the company wasn't complicit in the subversion. And it seems clear that Kaspersky Lab will never again land U.S. government contracts.

But Kaspersky Lab's anti-virus application remains one of the most capable tools on the market for blocking and removing the malicious crud that assaults computers daily.

Enterprises defending against nation-states, however, must take into account additional threats, including to their intellectual property. So far, the reported Russian intelligence moves have apparently not been focused on such thefts, but rather only on searching for U.S. government intelligence.

If history is any guide, Kaspersky Lab will likely continue to thrive. After the report that RSA - then part of EMC - had been paid by the NSA to use weak crypto, its business carried on growing. Dell acquired EMC for $67 billion in 2015, then the technology sector's biggest acquisition.

Today, RSA says it works with most of the world's top manufacturing, financial, energy, telecoms and transportation companies. Some observers might say that's because it was co-opted by the U.S. government, rather than by its rival nation state Russia.

For Kaspersky Lab, of course, that situation is flipped. At least for Americans, during the latest Russian scare, Kaspersky Lab remains headquartered in hostile territory. Business-wise, it may face some dark days ahead.

(Executive Editor Mathew Schwartz contributed to this analysis.)

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
