Can Kaspersky survive the Ukraine war?
Despite suffering years of government bans in the U.S. and Britain and mounting suspicions of links to Russian intelligence services, Moscow’s most famous cybersecurity company, Kaspersky, managed to persevere.
Its founder, Eugene Kaspersky, regularly denied his antivirus company was doing the bidding of the Russian government. Indeed, the company founded in 1989 has hundreds of millions of users worldwide and a track record of producing some of the most important cybersecurity research over the past three decades, often exposing Russian cyber operations against American interests.
But the Ukraine war has given Kaspersky critics even more ammunition. In March, after Eugene Kaspersky tweeted that he hoped Ukrainians and Russians could “compromise,” as the Russians were bombing civilian targets, and many security researchers questioned why the company was protecting Russian military web assets from DDoS attacks, industry and government leaders worldwide again questioned whether it could be trusted.
Now, a new wave of potential actions aimed at Kaspersky as an additional means of punishing Moscow over the war adds even more pressure on the already beleaguered company.
“The notion that all of Kaspersky’s defenses and arguments in the past must now be looked through the current unlawful military operations in Ukraine puts all of this into stark relief,” Tom Bossert, former homeland security advisor for President Trump, told CyberScoop. “To me, at this point, Kaspersky’s continued support of the Russian defense ministry has demonstrated that they’ve made a choice to help the bad guys. And if that’s the case the good guys have every right to throw them out,” said Bossert, now president of Trinity Cyber, Inc.
Late last week, Poland, Estonia, Latvia and Lithuania proposed that the European Union ban Kaspersky as part of a broader wave of sanctions against Russia that included cutting Russian banks Gazprombank, Alfa Bank, Rosbank and Tinkoff Bank from the international SWIFT payment system, banning cooperating with Russia on nuclear energy and stopping EU firms from performing IT work for Russian clients, EU Observer reported.
The proposal follows previous moves against the company following the Ukraine invasion. Government agencies and private interests in Germany, Italy and the U.S. either cut ties or warned about the supposed dangers of using Kaspersky products amid claims it could be used by the Russian government to further its wartime goals. In April, Poland sanctioned 50 countries and people, including Eugene Kaspersky.
A Kaspersky spokesperson told CyberScoop in an email this week that the company is aware of both the discussions within the EU of a new sanctions package and the proposal from Poland, the Baltic States and Ireland to ban Kaspersky in the EU.
“In Europe, Kaspersky runs legal entities in 13 countries, conducts research and development, maintains several hundred high-quality jobs, and pays wages, taxes and social security contributions,” the company said in the statement. “Kaspersky contributes to cybersecurity and cyber resilience in Europe and globally with extensive expertise and market-leading solutions, services and products. In addition, the company attaches great importance to transparency and ethical, responsible conduct.”
The company added that EU sanctions are intended to limit consequences for “those not responsible for the actions that have triggered their imposition,” according to its understandings how sanctions would be imposed. “Because of that, Kaspersky is convinced that the EU will not take any sanctions against a responsible global cybersecurity company without any inappropriate ties to the Russian state,” the company said.
The company pointed to its “Global Transparency Initiative,” which included moving cyberthreat-related data storage and processing from Russia to Switzerland, a tally of law enforcement and information requests received by the company and access to some of the company’s documentation and source code for government and enterprise customers.
But for years many in the U.S. national security community have held deep reservations about Kaspersky and connections to Russian intelligence. In 2015, the company revealed a suite of sophisticated U.S.-linked hacking tools, and had also that year come under suspicion from U.S. officials after the software uploaded NSA malware to its servers from an NSA employee’s home computer, who had improperly taken it home, Politico reported in 2019.
Politico also noted that Kaspersky had assisted the U.S. government as well by helping in 2016 to expose Harold “Hal” Martin, who was charged with stealing 50 terabytes of NSA and other U.S. government data.
Others also noted the company’s repeated exposure of Russian cyber tools and campaigns. In 2017, during a Senate Intelligence Committee hearing, Sen. Marco Rubio, R-Fla., told the committee that in the summer of 2016 somebody had attempted to hack former campaign staffers from “IP addresses with an unknown location within Russia.” He then asked the witnesses whether they’d install Kaspersky products on any of their devices.
“I would, yes, I would also use competing products at the same time,” said Thomas Rid, a professor of strategic studies and founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University. Kaspersky is “not an arm of the Russian government,” he explained, sitting next to Kevin Mandia, the CEO of Mandiant, and retired Gen. Keith Alexander, the former director of the NSA and the first commander of U.S. Cyber Command, who both sidestepped Rubio’s question by saying there were better products available.
Rid noted that Kaspersky had repeatedly published details of Russian cyberattacks and campaigns. “Name any American company that publishes information about American digital espionage,” he said.
But by 2016 the FBI was investigating Kaspersky, CyberScoop reported in 2017, with the FBI urging some companies to cut ties with the company. In 2017, the government banned the use of Kaspersky products on federal systems, with Bossert telling reporters at the White House that Kaspersky “constituted a risk unacceptable to our federal networks.”
The 2018 National Defense Authorization Act included a provision along the same lines, and in 2019 the rule became permanent.
In the days after the invasion, the U.S. government was warning some American companies that “Moscow could manipulate software designed by … Kaspersky to cause harm,” Reuters reported March 31 and, in the weeks after the invasion, the Biden administration was reportedly considering sanctioning the company, according to The Wall Street Journal.
Earlier that month the FCC added the company to its national security threats list alongside several Chinese telecoms, preventing FCC funds from being used to buy or maintain the product.
At the time, FCC Commissioner Brandan Carr said: “Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.”
This story was featured in CyberScoop Special Report: War in Ukraine