The U.S. government began privately warning some American companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Russian cybersecurity company Kaspersky to cause harm. The classified briefings are part of Washington’s broader strategy to prepare providers of critical infrastructure such as water, telecoms and energy for potential Russian intrusions.
President Joe Biden said that sanctions imposed on Russia for its Feb. 24 attack on Ukraine could result in a backlash, but the White House did not offer specifics. A senior U.S. official said of Kaspersky’s software that the risk calculation has changed with the Ukraine conflict, and that the risk has increased. Kaspersky, one of the cybersecurity industry’s most popular anti-virus software makers, is headquartered in Moscow. It was founded by Eugene Kaspersky, whom U.S. officials describe as a former Russian intelligence officer.
A Kaspersky spokeswoman said that the briefings about purported risks of Kaspersky software would be further damaging to Kaspersky’s reputation. The senior U.S. official said Kaspersky’s Russia-based staff could be coerced by Russian law enforcement into providing or helping establish remote access into their customers’ computers. Eugene Kaspersky graduated from the Institute of Cryptography, Telecommunications and Computer Science, which the Soviet KGB previously administered. The company spokeswoman said that Kaspersky worked as a “software engineer” during military service.
The Russian cybersecurity firm, which has an office in the United States, lists partnerships with Microsoft, Intel and IBM on its website. On March 25, the Federal Communications Commission added Kaspersky to its list of communications equipment and service providers deemed threats to U.S. national security. It is not the first time Washington has said Kaspersky could be influenced by the Kremlin. In 2017 and 2018, the Trump administration spent months banning Kaspersky from government systems and warning numerous companies not to use the software.
U.S. security agencies conducted a series of similar cybersecurity briefings surrounding the Trump ban. The content of those meetings four years ago was comparable to the new briefings. Kaspersky has consistently denied wrongdoing with Russian intelligence. Until now, no U.S. or allied intelligence agency has ever offered direct, public proof of a backdoor in Kaspersky software. Following the Trump decision, Kaspersky opened a series of transparency centers, where it says partners can review its code to check for malicious activity.
Moscow software engineers handle the updates; that is where the risk comes from. They can send malicious commands through the updaters, and those commands come from Russia. Cybersecurity experts say that because of how anti-virus software normally functions on computers where it is installed, it requires a deep level of control to discover malware. Kaspersky’s products are also sometimes sold under white-label sales agreements. This means the software can be packaged and renamed in commercial deals by information technology contractors.
Britain’s cybersecurity center said that organizations providing services related to Ukraine or critical infrastructure should reconsider the risk associated with using Russian computer technology in their supply chains. The center has no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests. But the absence of evidence is not evidence of absence.