Emails show the security-software maker developed products for the FSB and accompanied agents on raids.
Russian cybersecurity company Kaspersky Lab boasts 400 million users worldwide. As many as 200 million may not know it. The huge reach of Kaspersky’s technology is partly the result of licensing agreements that allow customers to quietly embed the software in everything from firewalls to sensitive telecommunications equipment—none of which carry the Kaspersky name.
That success is starting to worry U.S. national security officials concerned about the company’s links to the Russian government. In early May six U.S. intelligence and law enforcement agency chiefs were asked in an open Senate hearing whether they’d let their networks use Kaspersky software, often found on Best Buy shelves. The answer was a unanimous and resounding no. The question, from Florida Republican Marco Rubio, came out of nowhere, often a sign a senator is trying to indirectly draw attention to something learned in classified briefings.
Eugene Kaspersky took to Reddit to respond. Claims about Kaspersky Lab’s ties to the Kremlin are “unfounded conspiracy theories” and “total BS,” the company’s boisterous, barrel-chested chief executive officer wrote. While the U.S. government hasn’t disclosed any evidence of the ties, internal company emails obtained by Bloomberg Businessweek show that Kaspersky Lab has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency’s behest and worked on joint projects the CEO knew would be embarrassing if made public.
Most major cybersecurity companies maintain close ties to home governments, but the emails are at odds with Kaspersky Lab’s carefully controlled image of being free from Moscow’s influence. Kaspersky’s work with Russian intelligence could scare off business in Western Europe and the U.S., where Russian cyber operations have grown increasingly aggressive, including attempts to influence elections. Western Europe and the U.S. accounted for $374 million of the company’s $633 million in sales in 2016, according to researcher International Data Corp.
“When statements are taken out of context, anything can be manipulated to serve an agenda,” the company said in a statement. “Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have any unethical ties or affiliations with any government, including Russia.”
Antivirus companies are especially delicate because the products they make have access to every file on the computers they protect. The software also regularly communicates with the maker to receive updates, which security experts say could theoretically provide access to sensitive users such as government agencies, banks, and internet companies. Adding to the U.S. government’s jitters, Kaspersky recently has developed products designed to help run critical infrastructure such as power grids.
The previously unreported emails, from October 2009, are from a thread between Eugene Kaspersky and senior staff. In Russian, Kaspersky outlines a project undertaken in secret a year earlier “per a big request on the Lubyanka side,” a reference to the FSB offices. Kaspersky Lab confirmed the emails are authentic.
The software that the CEO was referring to had the stated purpose of protecting clients, including the Russian government, from distributed denial-of-service (DDoS) attacks, but its scope went further. Kaspersky Lab would also cooperate with internet hosting companies to locate bad actors and block their attacks, while assisting with “active countermeasures,” a capability so sensitive that Kaspersky advised his staff to keep it secret.
“The project includes both technology to protect against attacks (filters) as well as interaction with the hosters (‘spreading’ of sacrifice) and active countermeasures (about which, we keep quiet) and so on,” Kaspersky wrote in one of the emails.
“Active countermeasures” is a term of art among security professionals, often referring to hacking the hackers, or shutting down their computers with malware or other tricks. In this case, Kaspersky may have been referring to something even more rare in the security world. A person familiar with the company’s anti-DDoS system says it’s made up of two parts. The first consists of traditional defensive techniques, including rerouting malicious traffic to servers that can harmlessly absorb it. The second part is more unusual: Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids. That’s what Kaspersky was referring to in the emails, says the person familiar with the system. They weren’t just hacking the hackers; they were banging down the doors.
The project lead was Kaspersky Lab’s chief legal officer, Igor Chekunov, a former policeman and KGB officer. Chekunov is the point man for technical support to the FSB and other Russian agencies, say three people familiar with his role, and that includes gathering identifying data from customers’ computers. One Kaspersky Lab employee who used to ride along with Russian agents on raids was Ruslan Stoyanov, whose technology underpinned the company’s anti-DDoS efforts, says the person familiar with the program. Stoyanov previously worked in the Interior Ministry’s cybercrime unit. In December he and a senior FSB cyber investigator were arrested on treason charges, adding a bizarre twist to the company’s relationship to the government. Kaspersky Lab has said the case involved allegations of wrongdoing before Stoyanov worked for the company. Stoyanov couldn’t be reached for comment.
In the emails, Kaspersky said the aim of the project for the FSB was to turn the anti-DDoS technology into a mass-market product for businesses. “In the future the project may become one of the items on the list of services that we provide to corporate customers,” he wrote. Kaspersky now sells its DDoS protection service to large companies, installing sensors directly inside customers’ networks. The company’s website contains a large red notice that it’s not available in the U.S. or Canada.Follow the moneyFind out how once-illegal drugs like marijuana and psychedelics are becoming big business with The Dose, a weekly newsletter.
The U.S. government hasn’t identified any evidence connecting Kaspersky Lab to Russia’s spy agencies, even as it continues to turn up the heat. In June, FBI agents visited a number of the company’s U.S. employees at their homes, asking to whom they reported and how much guidance they received from Kaspersky’s Moscow headquarters. And a bill was introduced in Congress that would ban the U.S. military from using any Kaspersky products, with one senator calling ties between the company and the Kremlin “very alarming.” Russia’s communications minister promptly threatened sanctions if the measure passed.
Indeed, many in Russia see the anti-Kaspersky campaign as politics with a dash of protectionism. “This is quite useless to find any real evidence, any real cases where Kaspersky Lab would violate their privacy policies and transfer some data from U.S. customers, from U.S. enterprise clients, to Russian intelligence or FSB,” says Oleg Demidov, a consultant for researcher PIR Center in Moscow who studies Russian cyberattacks. “There are no such cases. At least, they are not publicly discussed.”
There’s another possibility, given Kaspersky Lab’s success at embedding its products in sensitive locations. Last year, Eugene Kaspersky announced the launch of the company’s secure operating system, KasperskyOS, designed to run systems that control electrical grids, factories, pipelines, and other critical infrastructure. The U.S. Defense Intelligence Agency reportedly circulated a warning that the product could let Russian government hackers disable those systems, a claim Kaspersky denied.
Fourteen years in development, Kaspersky Lab’s secure OS is designed to be easily adaptable for the internet of things, everything from web-connected cameras to cars. That could be a great business model for the Russian company. U.S. national security officials seem determined to make sure it isn’t.
All Rights Reserved for Jordan Robertson and Michael Riley