US officials have reportedly being speaking privately to a number of US organisations about the risk allegations against Kaspersky Lab.
Reuters reported on Thursday that the US government began privately warning some American companies against the firm, the day after Russia invaded Ukraine.
This is according to a senior US official and two people familiar with the matter. The firms were reportedly told that Moscow could manipulate Kaspersky software to cause harm.
Reuters reported these classified briefings were part of Washington’s broader strategy to prepare providers of critical infrastructure such as water, telecoms and energy for potential Russian intrusions.
“The risk calculation has changed with the Ukraine conflict,” the senior US official reportedly said about Kaspersky’s software. “It has increased.”
Kaspersky made its name in the security industry thanks to its anti-virus software, and the firm is headquartered in Moscow. It was founded by a former Russian intelligence officer, Eugene Kaspersky.
The senior US official reportedly said Kaspersky’s Russia-based staff could be coerced into providing or helping establish remote access into their customers’ computers by Russian law enforcement or intelligence agencies.
The United States in 2017 banned government departments and the US military from using Kaspersky’s products, and the FBI has already advised a wide range of private companies not to use the tools.
That same year the UK’s National Cyber Security Centre (NCSC) also warned government departments not to use antivirus products with links to Russia for systems related to national security and those which are “critically important”.
Since that time, Kaspersky Lab relocated its data processing infrastructure to Switzerland in 2018, and Eugene Kaspersky has repeatedly said that if he was ever asked to provide data to the Russian government, he would move his company out of the country.
But with Russia’s unprovoked invasion of Ukraine and global sanctions against the country, all bets are off.
Germany recently recommended the uninstallation of Kaspersky antivirus (AV) products in the country – a move that Eugene Kaspersky angrily hit back at.
The US Federal Communications Commission (FCC) also recently added Kaspersky Lab (plus China Telecom and China Mobile International USA) to its ‘Covered List’ of communications equipment and service providers deemed to be threats to US national security.
Even Kaspersky’s decision to open a series of transparency centers in the US, where partners can review its code to check for malicious activity, have failed to convince US officials.
Indeed, Reuters reported the US official as saying the transparency centers were not “even a fig leaf” because they do not address the US government’s concern.
“Moscow software engineers handle the [software] updates, that’s where the risk comes,” the official reportedly said. “They can send malicious commands through the updaters and that comes from Russia.”
A Kaspersky spokeswoman responded to the Reuters report, said that the briefings about purported risks of Kaspersky software would be “further damaging” to Kaspersky’s reputation “without giving the company the opportunity to respond directly to such concerns” and that it “is not appropriate or just.”
Meanwhile the UK’s NCSC this week said in a blog post that organisations providing services related to Ukraine or critical infrastructure should reconsider the risk associated with using Russian computer technology in their supply chains.
NCSC did not however mention Kaspersky by name.
“As expected, there are ongoing cyber attacks against Ukrainian infrastructure (including those that we’ve attributed with our partners to the Russian intelligence services), but we’ve not seen – and don’t expect to see – the massive, global cyber attacks that some had predicted,” the UK’s NCSC said.
“However, we have previously seen Russia acting against UK interests, and also acting through proxy compromises to get to UK entities (for example with the SolarWinds Orion software, and in going after UK telecoms networks to get to their customers),” it said.
“We know these are the most common causes of compromises, including those we (and our partners) have attributed to the Russian state,” it said. “We still think this advice is correct but, given the conflict in Ukraine, the context has changed considerably.”
“Whilst we continue to assess the overall level of technical threat resulting from Russia’s actions, we need to be realistic regarding how Russia may respond,” NCSC said. “Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”
“We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence,” it said.