The Russian government used antivirus software from the private Russian company Kaspersky to steal classified U.S. data, according to several recent reports.
The revelations, following months of vague warnings from U.S. officials, suggest that the U.S. has “direct evidence that there are ways to remote into Kaspersky and pull data back without the user’s intention,” David Kennedy, a prominent security consultant and former U.S. Marines hacker, told Yahoo Finance. “And that is very, very scary. That means that anybody in the world that has Kaspersky installed may have the potential to have their data accessed by Kaspersky.”
But many in the cybersecurity community, such as American cyberwarfare expert Jeffrey Carr, argue that the U.S. government’s allegations shouldn’t be trusted and that “Kaspersky Lab has suffered more slander from more supposedly reputable news outlets than any company in recent memory.”
The debate broke open last week when the Wall Street Journal reported that Russian government hackers had stolen classified data from the home computer of an NSA contractor who had Kaspersky antivirus software installed. Kaspersky software, like all antivirus software, requires access to everything stored on a computer so that it can scan for malicious software (known as malware).
A subsequent New York Times report detailed how Israeli intelligence alerted the U.S. of the Russian espionage-via-antivirus after infiltrating Kaspersky’s system in 2014 and watching Russian hackers search computers running Kaspersky for specific codenames of classified American programs.
The Journal then reported that U.S. intelligence agencies “studied the software and even set up controlled experiments to see if they could trigger Kaspersky’s software into believing it had found classified materials on a computer being monitored by U.S. spies,” and that the experiments “persuaded officials that Kaspersky was being used to detect classified information.”
One former U.S. official, explaining that the company’s software would have had to be programmed to scan for specific keywords, asserted to the Journal: “There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this.”
‘I think it settles things’
Kaspersky denied the allegations, saying, “Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question.” Consequently, the question is whether observers should trust Kaspersky or the U.S. government, who is making the claims through selective leaks and mostly anonymous sources.
“I think [the slew of reports] settles things, but that’s only if you have some element of trust in what the [U.S.] government is leaking,” Dave Aitel, a former NSA research scientist and CEO of the cybersecurity company Immunity, told Yahoo Finance. “It’s not like we have real evidence. And that’s a difficult thing. … We are now in a world where the [U.S.] government may never be able to present the real evidence against a company and still is going to be forced to act on it. And we’re going to all have to make decisions about whether we trust the government in each and every case because they’ve been wrong before.”
Skeptics demand pure evidence, which the U.S. government cannot provide without revealing highly valuable details about how the information was obtained.
“There’s no good way to do it is the problem,” Aitel said. “It’s not like there’s been a magical way where you can both show the evidence and protect sources and methods. And I don’t there ever will be, especially in this world which is so tightly tied to intelligence sources — where we have a difficulty [trusting] the government in the first place. The issue, largely, is that we don’t trust the [U.S.] government. And there’s really good reasons for that.”
In this case, the evidence is relatively strong.
“According to the public information, the Israelis have screenshots and key logger dumps of this activity happening,” Aitel said. “To me that says they were watching it in real time. And they know exactly who was at the desk because if they have a key logger, they know who’s logged in. They know a lot about the people involved, so we haven’t seen all of the information that the Israelis have.”
‘Trust us, this company is doing bad things’
U.S. officials have been wary of Kaspersky for years, and the FBI warned big business and U.S. agencies to avoid the popular anti-virus software used by 400 million people worldwide. In September, Sen. Jeanne Shaheen, D-N.H., wrote an op-ed in the New York Times arguing that “it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials. Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.”
Aitel explained that the U.S. government knows it has a trust issue, which is why the leaks have come out in a particular way.
“It’s really tough to take a message from the government and trust it as it stands, which is why they did this panoply of leaks to give a veneer of, ‘Hey, it’s not just a Republican member of the administration,” Aitel said. “It’s actually a group of people. They’re well read. There’s a Democratic senator doing an op-ed. … This [Russian operation] dates back to 2014 and 2015, it’s been verified by an outside party, which is Israel. So I think there’s a lot to this story where [the U.S. government] is saying: Listen, this time you have to trust us, this company is doing bad things.”
‘When I go to banya, they’re friends’
Kaspersky Labs was founded by Eugene Kaspersky, a cybersecurity expert who attended a KGB-backed cryptography institute before working for Soviet military intelligence. In 2012, Wired highlighted “the paradox of Eugene Kaspersky: a close associate of the autocratic Putin regime who is charged with safeguarding the data of millions of Americans; a supposedly-retired intelligence officer who is busy today revealing the covert activities of other nations; a vital presence in the open and free Internet who doesn’t want us to be too free.”
While Kaspersky maintains that he has no current ties to Russian intelligence, he “rarely misses a weekly banya (sauna) night with a group of about 5 to 10 that usually includes Russian intelligence officials,” Bloomberg reported in 2015. “When I go to banya, they’re friends,” Kaspersky said at the time.
In July 2017, Bloomberg reported that emails show “Kaspersky Lab has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted.” The report stated that “Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids. … [Kaspersky employees] weren’t just hacking the hackers; they were banging down the doors.”
The big question for the cybersecurity community is whether Eugene Kaspersky — a former Russian government cryptologist who built a globally mainstream software company — knew that Kremlin hackers were using his companies software for espionage. He denies that he did. Evidence (via more selective leaks) could prove otherwise.
“[The Israelis] no doubt have pretty damning screenshots if you’re going to get a United State Democratic Senator to get worked up enough to write the op-ed,” Aitel said. “So if they have the user names that were on those machines, then they know Kaspersky himself is lying. And if he’s willing to lie, then he is basically making a bet that this information is not going to come out because it might risk some source of some kind. But I think he might be wrong. So I think the story is going to continue.”
‘There’s been a lot of burned bridges’
In any case, the reluctance to believe the espionage allegations against Kaspersky reflects the damaged relationship between the U.S. government and the U.S. information security community.
“I see a lot of people in the industry still defending Kaspersky,” Aitel said. “And to be honest, I blame it on the Obama administration and previous administrations, which really didn’t want to engage with the information security community and treated [outside infosec experts] as they weren’t an important part of the discussion.”
Aitel noted that on Oct. 10, the same day that New York Times reported Israel’s role in exposing Kaspersky, Deputy U.S. Attorney General Rod Rosenstein gave a speech signaling a harder line against encryption that was seen as unhelpful by outside cybersecurity experts.
“I’m not seeing how this gets us closer to having the real discussion about solutions in this space,” Ari Schwartz, a former senior director for cybersecurity under Obama who became the managing director of cybersecurity services at a law firm, told the Washington Post. “The government feels as though tech companies have to find a solution for them, and the tech companies feel as though the government just doesn’t understand how they’re putting the larger security at risk here.”
Aitel said that the speech showed that Washington still wasn’t listening enough to outside experts.
“When the information security community says ‘responsible encryption is a nonstarter,’ but the Department of Justice is still pretending like it’s going to be OK, I think that’s that old mindset: ‘We can just market it, we’ll put a law through, and they won’t really get a say in it.’ … There’s been a lot of burned bridges. The lack of trust is palpable. It’s unfortunate though, and I think it needs to change.”
‘Doing the work of rebuilding those bridges’
All that said, progress is being made. One bright spot is the appointment of Rob Joyce, who previously led NSA’s hacking division (office of Tailored Access Operations), as the White House’s cybersecurity coordinator.
Aitel explained that the U.S. government needed cybersecurity people with technical experience — as opposed to those with only policy experience — to garner respect and trust from the information security community at large.
Joyce “is doing the work of rebuilding those bridges,” Aitel said. “His team is just better. They know these people [in the infosec community]. They can go out and have dinner with them; he’s approachable. With the previous administration, it was like: ‘No, we know better than you and you’re always wrong.’
“And I know that you can’t sell any kind of newspaper that has anything positive about the Trump administration,” Aitel added, “but that doesn’t make it not true.’’