Cryptologic Bytes Highlights

How Kaspersky’s Software Fell Under Suspicion of Spying on America
Officials lack conclusive evidence, but incidents involving the firm’s antivirus products raised alarms

By Shane Harris, Gordon Lubold, and Paul Sonne for the Wall Street Journal
Jan. 5, 2018
Eugene Kaspersky was late for his own dinner party.

At his invitation, guests from the Washington cybersecurity community waited one evening in 2012. Seated at the National Press Club were officials from the White House, State Department, Federal Bureau of Investigation and other agencies, said people who were there. Guests had started their first course when Mr. Kaspersky arrived, wearing a tuxedo with a drink in hand.

Mr. Kaspersky, chief executive of Russian security-software vendor Kaspersky Lab, proposed a toast to the ranking guest, Estonian President Toomas Hendrik Ilves, whose country had suffered a cyberattack five years earlier. The assault followed Estonia’s decision to remove a Soviet-era monument from its capital, and U.S. officials suspected Russia was behind it.

“Toomas,” Mr. Kaspersky said. “I am so sorry that we attacked you.”

The comment stopped all conversation until Mr. Ilves broke the silence. “Thank you,” he said, raising his glass. “This is the first time anyone from Russia has ever admitted attacking my country.”

No one suggested Kaspersky was involved in the Estonian hack, but Mr. Kaspersky’s toast played into a suspicion held by many in the U.S. intelligence community that his company might be wittingly or unwittingly in league with the Russian government—a suspicion that has only intensified since.

The process of evaluating Kaspersky’s role, and taking action against the company, is complicated by the realities of global commerce and the nature of how modern online software works. A top Department of Homeland Security official said in November congressional testimony the U.S. lacks “conclusive evidence” Kaspersky facilitated national-security breaches.

While the U.S. government hasn’t offered conclusive evidence, Wall Street Journal interviews with current and former U.S. government officials reveal what is driving their suspicions.

Some of these officials said they suspect Kaspersky’s antivirus software—the company says it is installed on 400 million computers world-wide—has been used to spy on the U.S. and blunt American espionage. Kaspersky’s suspected involvement in U.S. security breaches raises concerns about the relationship between the company and Russian intelligence, these officials said.

DHS, convinced Kaspersky is a threat, has banned its software from government computers. The company sued the U.S. government on Dec. 18 in U.S. District Court in Washington, D.C., saying the ban was arbitrary and capricious, and demanding the prohibition be overturned. DHS referred inquiries to the Justice Department, which declined to comment.

Kaspersky, in a statement, said: “Unverified opinions of anonymous officials about Kaspersky Lab continue to be shared, and should be taken as nothing more than unsubstantiated allegations against a company whose mission has always been to protect against malware regardless of its source, and which has repeatedly extended an offering to the U.S. government to help alleviate any substantiated concerns. We have never helped and will never help any government with its cyberespionage efforts.”

The company in a court filing said any Russian government engagement in cyberespionage isn’t evidence that a Russia-headquartered company such as Kaspersky is facilitating government-sponsored cyberintrusions, adding: “In fact, more than 85 percent of Kaspersky Lab’s revenue comes from outside of Russia—a powerful economic incentive to avoid any action that would endanger the trusted relationships and integrity that serve as the foundation of its business by conducting inappropriate or unethical activities with any organization or government.”

The Russian Embassy in Washington, D.C., didn’t respond to requests for comment. In October, Kremlin spokesman Dmitry Peskov didn’t address reports that the Russian government may have stolen U.S. National Security Agency materials using Kaspersky software but criticized the U.S. software ban as “undermining the competitive positions of Russian companies on the world arena.”

Servers in Russia

Mr. Kaspersky enrolled at the KGB-sponsored Institute of Cryptography, Telecommunications, and Computer Science, finished in 1987 and was commissioned in Soviet military intelligence, he has told reporters. He has acknowledged his company has done work for the KGB’s successor, the FSB.

Kaspersky, closely held, says it has unaudited 2016 revenues of $644 million. Current and former U.S. intelligence officials said they doubt Kaspersky could have risen to such heights outside of Russia without cooperating with Russian authorities’ aims, a conjecture the company denies.

Kaspersky’s main product is similar to other antivirus software, which scans computers to identify malicious code or infected files. Such software typically requires total access so it can remotely scan documents or emails and send a record of any suspicious and previously unidentified code back to the software company.
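The paragraph above describes the mechanism that makes cloud-assisted antivirus a possible data-exfiltration channel: the scanner reads every file, and anything it cannot match to a known verdict may be uploaded to the vendor for analysis. The following toy model is an added example written for this page; it is not Kaspersky's code, nor any vendor's actual logic, and every path, file body and hash in it is constructed. It shows the decision an "unknown sample" triggers under a permissive vendor-default policy and under a hardened local policy that keeps user documents on the host.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ScannedFile:
    path: str
    data: bytes


@dataclass
class SubmissionPolicy:
    # Whether files with no prior verdict are uploaded to the vendor for analysis.
    submit_unknown_samples: bool = True
    # Path prefixes / suffixes that must never leave the host, whatever the verdict.
    never_submit_prefixes: Tuple[str, ...] = ()
    never_submit_suffixes: Tuple[str, ...] = ()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature sets standing in for a vendor-maintained hash database.
KNOWN_MALICIOUS = {sha256_hex(b"MZ\x90\x00constructed-malware-sample")}
KNOWN_BENIGN = {sha256_hex(b"#!/bin/sh\necho hello\n")}


def classify(f: ScannedFile, policy: SubmissionPolicy) -> Tuple[str, bool]:
    """Return (verdict, would_upload) for one file.

    Known hashes get a local verdict and are never uploaded. Unknown files are
    the interesting case: a cloud-assisted scanner would normally ship them to
    the vendor, unless the local policy forbids it.
    """
    digest = sha256_hex(f.data)
    if digest in KNOWN_MALICIOUS:
        return "malicious", False
    if digest in KNOWN_BENIGN:
        return "clean", False
    if not policy.submit_unknown_samples:
        return "unknown", False
    # str.startswith/endswith with an empty tuple is False, so an empty
    # exclusion list simply excludes nothing.
    if f.path.startswith(policy.never_submit_prefixes) or f.path.endswith(policy.never_submit_suffixes):
        return "unknown", False
    return "unknown", True


def scan(files: List[ScannedFile], policy: SubmissionPolicy) -> Dict[str, Tuple[str, bool]]:
    return {f.path: classify(f, policy) for f in files}


def files_that_would_upload(files: List[ScannedFile], policy: SubmissionPolicy) -> List[str]:
    """Paths the scanner would send off-host under this policy (sorted)."""
    return sorted(path for path, (_, upload) in scan(files, policy).items() if upload)


# Constructed sample host contents: one known-good script, one known-bad binary,
# one unrecognised binary and one user document with no malware in it at all.
SAMPLE_FILES = [
    ScannedFile("/usr/local/bin/hello.sh", b"#!/bin/sh\necho hello\n"),
    ScannedFile("/tmp/dropper.exe", b"MZ\x90\x00constructed-malware-sample"),
    ScannedFile("/home/analyst/tools/loader.bin", b"MZ\x90\x00unrecognised-binary-0001"),
    ScannedFile("/home/analyst/docs/briefing.docx", b"PK\x03\x04constructed-document-with-markings"),
]

# Hypothetical policies: the vendor default models "upload everything unknown";
# the hardened policy keeps home directories and office documents local.
VENDOR_DEFAULT = SubmissionPolicy()
HARDENED = SubmissionPolicy(
    never_submit_prefixes=("/home/",),
    never_submit_suffixes=(".docx", ".pdf"),
)

if __name__ == "__main__":
    for name, policy in (("vendor default", VENDOR_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: would upload {files_that_would_upload(SAMPLE_FILES, policy)}")
```

Under the vendor-default policy the unrecognised binary and the document are both queued for upload, because "not in the database" is the only thing the scanner knows about either; the hardened policy stops both while still producing the local malicious/clean verdicts. The control a defender actually has is therefore the submission policy, not the detection logic.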

In Kaspersky’s case, some servers are in Russia. When the DHS banned Kaspersky products, it cited “requirements under Russian law that allow Russian intelligence agencies to compel assistance from Kaspersky or intercept communications transiting Russian networks.” Kaspersky countered that those laws and tools don’t apply to its products because the firm doesn’t provide communications services.

Concerns about the potential threat posed by Kaspersky software have circulated in U.S. intelligence circles for years. U.S. intelligence issued more than two dozen reports referring to the company or its connections, according to a U.S. defense official, with the Pentagon first mentioning the firm as a potential “threat actor” in 2004.

A Defense Intelligence Agency supply-chain report flagged Kaspersky in 2013, referring to its efforts to sell American firms a protection product for large-scale U.S. industrial companies, the defense official said. A former U.S. official said Kaspersky’s efforts to make inroads in the U.S. industrial and infrastructure market made people uncomfortable.

At a February 2015 conference, Kaspersky exposed what it described as a cyber-snooping network it dubbed the “Equation Group.” In fact, it was an elite classified espionage group within the NSA, said some of the former U.S. officials. Kaspersky linked it to a virus called Stuxnet that the Journal and other publications have since reported was designed by the U.S. and Israel to destroy Iranian nuclear centrifuges. Kaspersky also described other techniques and tactics the U.S. uses to break into foreign computer networks.

Once such techniques are public, they are effectively useless for spying. When NSA officials got word of Kaspersky’s plans to expose its tactics, they pulled the agency’s spying tools from around the world as a preventive measure and reworked how its hackers were functioning, said some of the former U.S. officials. The NSA didn’t respond to requests for comment.

U.S.-Russian relations at the time were deteriorating. President Vladimir Putin had granted NSA leaker Edward Snowden asylum and annexed a swath of Ukraine. Some U.S. officials were convinced Kaspersky was promoting Russian interests and had shared with the Kremlin what it knew about the Equation Group.

“To think that information wasn’t shared with Russian intelligence, or they weren’t supporting Russian intelligence,” said one former U.S. official about Kaspersky, “you’d have to be very nearsighted to not at least think there was something there.”

Not all U.S. officials believed the worst about Kaspersky, with many citing the high quality of the firm’s cyberthreat research. “There was this innocent until proven guilty attitude,” said another former U.S. official who worked on Russia and national-security matters.

Israeli intelligence shared with U.S. counterparts in 2015 that it had penetrated the networks of Kaspersky, the Journal reported previously. The Israelis discovered Kaspersky software was being used to scan computers not only for viruses but also for classified government information that would be of interest to Russia, said former U.S. officials familiar with the Israeli discovery.

As the NSA investigated the Israeli tip, it homed in on a worker in the agency’s elite hacking unit, then called Tailored Access Operations. The worker had improperly removed classified information about NSA spying operations and installed it on his home computer, said former U.S. officials familiar with the episode. The contractor’s computer ran Kaspersky’s antivirus software, which acted as a digital scout and identified the classified material, these people said.

Assessing damage

U.S. investigators immediately sought to assess the damage, including whether Kaspersky’s products were installed on other sensitive computers, including personal machines used by government employees and their families. That could include those used by family members of then President Barack Obama, said one of the former officials familiar with the episode.

Officials feared Russian intelligence could have not only turned personal computers into tracking devices, but also used them as staging points to access other machines inside the White House, the official said. Still, the incident didn’t trigger a broader alarm across the U.S. government about whether any federal agency computers were using Kaspersky.

In response to the Journal’s story on the incident last year, Kaspersky conducted an internal investigation, releasing a report in November. The only incident Kaspersky said it found that matched the story’s description occurred in late 2014. By then, it said, it had been investigating Equation Group for six months when its antivirus software detected previously unidentified variants of the malware on a U.S.-based computer and sent a zip file containing the suspicious code to the Moscow-based virus lab for analysis.

The analysis discovered hacking tools now known to have belonged to the NSA, as well as four documents bearing what appeared to be classification markings, Kaspersky said, without mentioning the NSA or U.S. government by name. Mr. Kaspersky ordered the files deleted from the company’s systems within days and the information wasn’t shared with third parties, the company said.

Kaspersky said it did keep certain malware files from that collection. It said it also detected commercially available malware on the U.S. computer, which could have been used to remove files.

In the summer of 2016, a mysterious online group calling itself the Shadow Brokers posted stolen NSA cyberspying tools. The Shadow Brokers claimed in its postings that some of the tools came from Equation Group.

Again, U.S. officials rushed to determine how the tools were stolen. Among the posted computer code were technical manuals the NSA uses as part of its spying operations. These are akin to guidebooks, showing the agency’s hackers how to penetrate various systems and walking them through the procedures for different missions.

One lead pointed back to Kaspersky products, said current and former U.S. officials. Investigators now believe that those manuals may have been obtained using Kaspersky to scan computers on which they were stored, according to one of the officials.

Kaspersky said it has no information on the content of the classified documents it received in 2014 because they were deleted. It isn’t clear if the manuals the Shadow Brokers posted are the same documents.

Around the time the Shadow Brokers were spilling NSA secrets, emails stolen from the Democratic National Committee were showing up on WikiLeaks in what intelligence officials have said publicly they concluded was a Russian-led hacking operation to discredit the campaign of Hillary Clinton. Officials from the White House, the Pentagon, the State Department and the intelligence community met in late 2016 to debate responses to the alleged Russian aggression, said some former U.S. officials.

At the State Department, among options considered was taking retaliatory action against Kaspersky, said former officials involved in the deliberations. Daniel Fried, then chief sanctions coordinator at the State Department, told the Journal he recommended to colleagues they look for elements of Russia’s cyberpower the U.S. could target. He told colleagues Kaspersky at least needed to be considered as a potential player in Russia’s moves against the West.

“I asked rhetorically, do you want to testify before some committee about when did you know about this and why didn’t you do anything?” said Mr. Fried, now a Distinguished Fellow at the Atlantic Council, a think tank focusing on international affairs.

The State Department referred inquiries to the Justice Department, which declined to comment.

Some U.S. officials, including top White House security officials at the time, were concerned any action against Kaspersky could hurt U.S. companies by provoking a Russian response against them. U.S. officials also worried that, to justify harsh penalties, they would have to divulge what they knew about Kaspersky and its possible links to Russian intelligence, said several former officials.

Ultimately, the Obama White House didn’t seriously consider sanctioning Kaspersky, some former U.S. officials said.

Last year, Homeland Security created and led an interagency task force that collected information about the scope of the risk the Kaspersky software posed and began coordinating efforts across the government to minimize the risks.

In the months after President Donald Trump took office, concern about Kaspersky grew. Sen. Jeanne Shaheen (D., N.H.) put forward an amendment in the annual military-spending bill that would prohibit Kaspersky’s use on government computers.

During hearings on the matter on Capitol Hill, “I thought the most damning example” came from intelligence-community representatives, she said in an interview. “When each of them got asked would you put Kaspersky on your own personal computer and the answer was no, that’s a pretty strong message that maybe we should be taking a look at this.”

In September, the DHS banned Kaspersky products from government computers, instructing agencies to remove any Kaspersky software and report back on where it was found. The public statement accompanying the ban reads like a declassified version of the intelligence community’s suspicion regarding Kaspersky:

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Kaspersky says the DHS ban has had a “severe adverse effect” on its commercial operations in the U.S., with retailers removing its products from shelves and an unprecedented number of product returns.

—Aruna Viswanatha contributed to this article.