The well-known antivirus software made by Russian businessman Eugene Kaspersky is once again making news in its battle with the EU & USA, as it suspends collaboration with Europol and the NoMoreRansom initiative it was involved in setting up. But are the accusations against Kaspersky valid, and can you still trust it on your home or business computers?
There have been accusations that the company is working alongside the Kremlin in providing information to Russian intelligence from its customers around the world.
The Wall Street Journal published a report in October 2015 suggesting Kaspersky Lab antivirus software was involved in the theft of data from an American National Security Agency worker who had put classified files on his home computer.
However, the report contained no evidence and cited only anonymous sources, which is hardly conclusive or verifiable. Indeed, Kaspersky posted a reply on September 6th identifying the lack of any evidence.
The New York Times has gone on to make additional claims against Kaspersky, all of which have been rebutted by the company. (See Kaspersky’s responses below.)
In July 2017, there was a proposed bill in the US to prohibit the use of Kaspersky Lab software, and in September the United States Department of Homeland Security ordered US agencies to replace Kaspersky software with other approved software by the end of November 2017.
They cited suspected links to Russian intelligence services and made reference to Russian law requiring communications companies to assist Russian intelligence in intercepting communications transiting Russian networks.
The US General Services Administration removed Kaspersky Labs from the list of approved vendors, and the US firm Best Buy removed Kaspersky Lab products from its shelves.
This was reinforced in mid-December when President Donald Trump signed the National Defense Authorization Act for FY2018.
The Dutch government announced that it planned to phase out the use of Kaspersky anti-virus software as a precautionary measure, and it recommended that companies involved in the protection of critical infrastructure do the same.
In December 2017, the Lithuanian government also announced that it was going to ban the use of Kaspersky Lab’s products from computers used in critical infrastructure.
While not a ban on Kaspersky, the National Cyber Security Centre (part of GCHQ) along with MI5 did warn against the use of Russian security products in systems involved with national security issues.
Twitter took the decision to ban targeted adverts from Kaspersky, citing the US Department of Homeland Security ban, and in a “short letter from an unnamed employee” told Kaspersky that “Kaspersky operates using a business model that inherently conflicts with acceptable Twitter Ads business practices”, but they would allow Kaspersky to remain an ‘organic’ user on the platform.
On 13th June, a motion in the European Parliament on Cyber Defence was passed that identified Kaspersky as being ‘confirmed as malicious’.
But again, there is no evidence given to support the claim that Kaspersky is a malicious tool or that information being gathered by the applications is being misused in any way. In an EU Parliamentary question, Polish MEP Anna Fotyga asked:
Risks associated with the use of Kaspersky Lab software, Feb 2018 http://www.europarl.europa.eu/sides/getDoc.do?type=WQ&reference=P-2018-000603&language=EN
With the intriguing reply:
However, the resolution was passed by a broad majority. This is not legally binding, but it will put a lot of emphasis on the antivirus software used by governments in critical areas, and if the ban is carried through, it could have far-reaching implications for how private and public sectors work together.
During these accusations, Kaspersky has responded in quite a measured way, citing the lack of any evidence, misrepresentation of Kaspersky Lab’s connections to the Kremlin, and misunderstanding of Russian law.
In response to a New York Times article, Kaspersky published a statement identifying 7 inaccurate claims, debunking claims about ties to the Russian intelligence service, Eugene’s past relationship with the K.G.B. and the Soviet military, and the misrepresentation of Russian technical certifications for supplying products to the government.
Another article posted in the New York Times on January 3rd was also responded to, again citing a lack of any actual evidence.
Their response to the American Department of Homeland Security recommendations further emphasised the company’s insistence that it was not in any way connected to the Russian intelligence service.
In May 2018, after the US courts upheld the DHS prohibition on the use of Kaspersky products, Kaspersky released this statement.
Responding to the Wall Street Journal article from October 2017, Kaspersky pointed out that no evidence had been given to back up the claims that had been made in the article, and that Kaspersky had made offers to work alongside US authorities to address any concerns but that the offer had not yet been taken up. Damningly, they later published the results of their investigation into the incident, which showed that the individual had first disabled Kaspersky, then installed a pirated copy of MS Office 2013 with an illegal Microsoft Office activation key generator that was infected with malware, then re-enabled Kaspersky. (Also mentioned in this press release.)
In October 2017, Kaspersky reiterated its commitment to the global collaborative fight on cybercrime, and its sharing of resources with Interpol. The commitment looked to strengthen the existing relationship that had so far identified several large-scale botnets including thousands of command and control servers, infected PCs and websites.
Another part of the initiative is to move part of the core infrastructure for Kaspersky Labs from Russia into Switzerland, including the customer data storage and processing for the EU and USA, threat detection updates and software assembly. Kaspersky have an independent third party supervising the move to keep in line with their transparency policy.
Then in November Kaspersky Lab signed an agreement, along with other leading technology companies like Apple, Deutsche Telekom, Facebook, Google, Microsoft, Orange and Telefónica, with the Council of Europe in a pledge to promote an open and safe internet.
However, in light of the EU decision to promote a ban on Kaspersky products, the company responded by saying it would suspend collaborative work with Europol and leave the NoMoreRansom programme, which it helped set up to help victims of ransomware retrieve their encrypted data.
We haven’t seen any evidence of wrongdoing by Kaspersky Lab; they are a big and well-respected company in the information security community.
Some prominent cybersecurity industry experts are skeptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been provided and many decisions related to the company appear to be based on media reports.
The UK report was significant in that it doesn’t name Kaspersky as a specific ‘threat’, only ‘Russian companies’. It does have an interesting statement in it saying that the UK government is in talks with Kaspersky to see how they can work together. It’s obvious that the UK government is cautious about the actions from the EU but aware that they appear to be based on speculation and rumour.
It may be prudent for nations to keep a close eye on the ‘supply chain’ of their information security products. By their nature, they need to be able to access all the files a user can access to check them for infections. As part of the scanning process, the AV software may need to send bits of information back to their cloud servers for additional analysis, so having a transparent provider is a big tick in the security box.
Mikko Hypponen from F-Secure spoke to Security Week about the accusations made against Kaspersky and the issues faced with modern global information security platforms.
He affirmed Kaspersky’s comments that the stories reported in the Wall Street Journal and the New York Times were only speculation with no evidence to back them up. He also said that links between information security providers and law enforcement in different countries are quite commonplace and necessary for the fight against cybercrime.
He said that for someone at Kaspersky Lab to have been able to identify the files sent for analysis as containing top secret information, and then to identify and target that individual to get more information from them, the Kaspersky product would have had to be collecting additional personal data. If that were the case, it’s highly unlikely that its products would have survived the test of time; analysis of the data sent from the application back to the cloud servers would surely have picked up the additional information.
He clearly does not believe that Kaspersky Lab is guilty of any malicious behavior. “Why? Because that would be so short-sighted. If you do that and you get caught, your company is toast, and it should be toast. That’s a bad business decision. If it’s the Russian government using a local security company as their way of gaining access to information, that’s short-sighted too. Because Kaspersky Lab is the biggest software success story out of Russia since Tetris.”