Kaspersky Russian Spying Rumors: Should You Use This Antivirus?
by PAUL WAGENSEIL Nov 16, 2017, 11:50 AM

UPDATED Oct. 18 with comments from Kaspersky Lab. UPDATED Oct. 25 with preliminary results of Kaspersky Lab's internal investigation. UPDATED Nov. 16 with final results of Kaspersky Lab's internal investigation.

The allegations that Kaspersky Lab spied on its customers on behalf of Russian intelligence services, as reported in top American newspapers this past week, are very serious and threaten the future of the antivirus maker, even though no conclusive proof has been offered and no one making the accusations has been willing to speak up in public.

Here at Tom's Guide, we still recommend Kaspersky antivirus software for home users who don't work in any industry involved with national security. But we sent questions to several information-security experts, ranging from a former NSA staffer to a lawyer for the Electronic Frontier Foundation, for their opinions on whether they consider Kaspersky software safe to use.

Most of our respondents agreed that people who work in government or critical-infrastructure industries should not use Kaspersky software. One said he was telling everyone to remove it.

"My firm is recommending [that] our customers, who largely are financial companies, uninstall Kaspersky AV," said Dave Aitel, a former NSA staffer and the founder, owner and chief technology officer of Immunity Inc., an information-security consultancy. "There is no plausible innocent explanation for the information that has been presented."

Other security experts we spoke to weren't ready to condemn the company without seeing the evidence. But they added that we have just as much to fear from Chinese vendors, and that most modern antivirus software, not just Kaspersky's, could be abused as an espionage tool.
"I haven't seen anything which makes me think that it's any more dangerous to run Kaspersky than any other major antivirus product," Graham Cluley, an independent security blogger and former staffer at the antivirus maker Sophos, told us. "Kaspersky might be being singled out because the company is Russian, and that doesn't sit too well in the current geopolitical climate."

John E. Pike, founder and director of GlobalSecurity.org, a national-security think tank, said Kaspersky antivirus software was "probably" safe to use, but he added that "such products have too much spaghetti code for anyone to have confidence that they understand all that is going on under the hood."

On Oct. 5, The Wall Street Journal, citing unnamed current and former government officials, reported that in 2015, Kaspersky antivirus software running on the home computer of an unnamed NSA staffer spotted NSA files that the staffer had brought home and put on his or her machine. (The staffer broke the rules by taking the files home, but is not suspected of espionage.)

The Kaspersky antivirus software somehow alerted Russian intelligence to the presence of the NSA files, and Russian spies then targeted the NSA staffer's computer and copied files from the machine, according to the WSJ. It's not clear exactly how Russian intelligence got access to Kaspersky data, or exactly what kind of NSA files the staffer had on the machine. (NSA-made malware would have been noticed by many antivirus products.)

Late Tuesday (Oct. 10), The New York Times, also quoting anonymous sources, reported that Israeli spies who had hacked into Kaspersky's internal networks in 2014 were the first to see evidence that Kaspersky software had been used to spy on the NSA staffer. The Israelis apparently turned what they had found over to the NSA. The Washington Post backed that allegation with its own story, and in 2015, Kaspersky Lab itself had disclosed the Israeli hack of its own networks.

On Oct. 11, The Wall Street Journal came back with a second story, in which more (or perhaps the same) unnamed government officials told the paper that Kaspersky's malware-signature database, which looks for certain snippets of code or text in files in an attempt to catch malware, had at some point been updated to look for text strings that indicate U.S. intelligence documents. Such a text string might be "TOP SECRET," or the code name of a known NSA or CIA operation or program.

Rob Graham, head of information-security consultancy Errata Security and creator of several security tools, had a suggestion for all antivirus users who might be worried about the software spying on them.

"For ordinary consumers, it's probably as safe using Kaspersky as any other antivirus software," Graham told us. "Whichever product you use, however, you should configure it to NOT send data back to the vendor."

Graham was referring to telemetry, a feature of most antivirus programs that sends data about the customer's machine, and often copies of suspicious files, to the antivirus company's servers for analysis, which in turn leads to quick responses to new malware. Kaspersky's telemetry functions reportedly tipped off the Russian spies to the presence of NSA software on the NSA staffer's home computer.

Most antivirus software, including Kaspersky's, lets you turn telemetry off so that your machine, at least in theory, receives updates from the antivirus company without sending anything back. Note that this limits what leaves the machine; it does not change what the scanner is told to look for, because signature updates still flow in.

Because of telemetry, antivirus products "have access to everything on the system and communicate constantly," states a blog post co-authored by Roel Schouwenberg, a former Kaspersky Lab malware researcher who is now at Celsus Advisory Group, an information-security consulting firm. "They are effectively 'trusted implants.'"

Kurt Opsahl, deputy executive director and general counsel at the Electronic Frontier Foundation, a digital-liberties advocacy group, agreed that telemetry is a risk, and not only to Kaspersky customers.
"Cloud-based AV necessarily allows the AV software to see and report on what's on your machine and gives an opening to intelligence agencies to get that information," he told us. "Kaspersky shows that this can actually happen, though something similar may well have happened elsewhere."

Happy to work with the authorities of all nations

Within the global information-security community, Kaspersky Lab is highly respected for the quality of its research, as well as for its willingness to share its findings, work with other antivirus companies and collaborate with police agencies against cybercrime.

We at Tom's Guide, as well as rival publications, have consistently rated Kaspersky antivirus software well for its excellent malware detection (as borne out in regular lab tests), its low system-performance impact and its useful extra features.

Kaspersky Lab and McAfee, along with Europol and the Dutch national police, created and run the NoMoreRansom.org website to help victims of encrypting ransomware protect and recover their data. Just yesterday (Oct. 12), Interpol announced that it was expanding its relationship with Kaspersky Lab to share threat intelligence.

But Kaspersky may not be for everybody

"Kaspersky Lab is an excellent company with a solid reputation for building good security products," Nicholas Weaver, a researcher at the International Computer Science Institute, an affiliate of the University of California, Berkeley, wrote on the Lawfare blog in July. "But that is only true for most users. ... Kaspersky software should be banned from all governmental computers, defense contractors, and related assets."

"Companies may well be targets of economic spying, while non-profits and activists may be targets of spying on political opposition, and should give a higher weight to the spying risk," Opsahl said.
"Given what's known, is it worthwhile to stick with [the] software with this news? Probably less so than with consumers."

How close is Kaspersky to the Kremlin?

There's always been a bit of suspicion about Kaspersky Lab. The company's co-founder and owner, Eugene Kaspersky, was educated at a KGB-run technical academy beginning when he was a teenager, and then served in Soviet military intelligence. (Many security experts of all nationalities working in the private sector have similar backgrounds.)

The company's relationship with the Kremlin has never been clear, though Western experts on Russia think there's no way Eugene Kaspersky could have become a billionaire without having reached an understanding with the government. Under Russian law, any company must open its communications lines to the authorities upon request. The Kaspersky company has consistently denied that it assists any government with espionage operations.

Kaspersky Lab was given the contract to run all cybersecurity efforts at the 2014 Winter Olympics in Sochi, Russia, but there may not have been any other Russian company that could have pulled it off. In 2011, Eugene Kaspersky's eldest son was kidnapped and held for ransom by apparently incompetent abductors, then freed unharmed after a police raid.

"I feel bad for Kaspersky, because they're probably good guys who are trying to do the right thing, but the forces above them are much more powerful," Kenneth Geers, a senior fellow at the Atlantic Council and an expert on Eastern European cyberespionage, told The Parallax security blog. "Their software can see nation-state operations because they have deep visibility into enterprise and government networks."

Does Kaspersky software seek out American spying tools?

Kaspersky Lab was involved in the discovery and analysis of several spyware tools thought to be developed and used by the NSA, including the Stuxnet worm, uncovered in 2010, that sabotaged an Iranian uranium-enrichment facility.
For those reasons, the company has been accused of going after American intelligence operations, but it also has discovered and disclosed spyware campaigns thought to be run by Russian and Chinese intelligence. (Kaspersky has a policy of not naming which countries may be behind specific cyberespionage campaigns.)

"We still don't have enough solid information to really judge Kaspersky, just hearsay and rumor," Rob Graham said. "With that said, I wouldn't trust any company from Russia or China, at least not when important national concerns are at stake."

"Kaspersky has, in the past, drawn attention to malware campaigns that almost certainly were orchestrated by Russia, and targeted Russia's enemies," said Graham Cluley. "Perhaps I'm a bear of very little brain, but I don't see why a company colluding with the Russian government would be doing that."

"Anyone worried about the Russian government or Russian organized crime might want to look elsewhere," Pike told Tom's Guide. "This is the same issue as Lenovo computers: probably not a problem for most consumers, but anyone who is worried about being targeted by the Chicoms would probably look elsewhere."

"I don't think important government entities should trust security products/services from adversarial nations like Russia and China," Rob Graham said. "It's unlikely Kaspersky is actually spying for his government, but yet, it's still an event we would add to our risk matrix and defense against."

"Anyone who views the Chinese government as an adversary should avoid Huawei, and those who count the Russian government as an adversary should not install Kaspersky products," Weaver wrote on his blog. "This is why it is shocking [to] me that U.S. government used Kaspersky Lab's products including on [Department of Defense] systems."
None of the suspicions about Kaspersky Lab mattered much until the 2014 popular uprising in Ukraine that removed a pro-Russian president. That, in turn, sparked the Russian forcible takeover of Crimea, the beginning of the ongoing separatist war in eastern Ukraine and the sudden worsening of U.S.-Russian relations.

In 2015, stories began appearing in the U.S. media about Kaspersky Lab's ties to the Kremlin and to Russian intelligence, including one that said Russian intelligence operatives had been deliberately placed on Kaspersky's staff in 2012. The Russian intelligence effort to influence the 2016 U.S. presidential election, and the subsequent American investigations into that effort, have only made things harder for Kaspersky Lab.

This spring, several U.S. intelligence-agency heads told Congress that they would not run Kaspersky software on their own computers. FBI agents interviewed Kaspersky employees in the U.S. In September, the Department of Homeland Security ordered the removal of Kaspersky software from U.S. government agencies. Best Buy and Office Depot announced they would no longer sell Kaspersky software and offered to remove it from customer machines for free.

Eugene Kaspersky has offered to testify before Congress and to let American officials read his company's source code. The U.S. government hasn't taken him up on either offer yet.

So far, most of the allegations made against Kaspersky Lab in the American press can be explained. The NSA files on the staffer's home computer could have been malware, in which case Kaspersky's antivirus scanners would have picked them up. Kaspersky itself need not have tipped off Russian intelligence about the files; the Russian security services could have been tapping into Kaspersky's data feeds.

"I'll leave it to Kaspersky to provide the plausible innocent explanation," Opsahl told us, but added that "a plausible explanation may not be enough. Kaspersky probably needs to show that it is not just an innocent victim, but actually the better option in the marketplace."

Even the allegation that Kaspersky's malware-signature database was altered to look for "TOP SECRET" and other text strings could be explained if Russian intelligence operatives were working secretly among Kaspersky employees. Kaspersky management might or might not have known about such possible arrangements. But, given the political climate in Russia, it might not have had a choice.

"If there really is any evidence that Kaspersky has colluded inappropriately with Russian intelligence, then I think we would all welcome seeing it, to put this matter to bed once and for all," Cluley said.

"I think there's a danger for other security companies here, though, too," he added. "Not only are some acting rather shabbily in exploiting Kaspersky's discomfort, but they might also want to be wary that they are not also targeted by whispers in the future."

Eugene Kaspersky seems too gregarious and talkative to be a spy. Until things got hot for him in the U.S., he was a regular fixture at American security conferences. If he wasn't addressing a conference, he'd be holding court in the hallway, ready to talk to anyone who asked.

Kaspersky the man doesn't seem to spend much time in Moscow. He sponsors a Formula 1 racing team, an Australian rugby team and a Greek archaeological site; he hikes around volcanoes in the Russian Far East; and he has placed Kaspersky Lab's holding company in London. He still holds his own security conference, the Security Analyst Summit, every winter in a tropical tourist resort, although it hasn't been held on U.S. territory since 2013.

"It will be interesting to see how other Western countries begin to respond to the claims" against Kaspersky, Cluley said. "So far, I haven't seen other governments sharing America's nervousness about Kaspersky's software."
"The question is whether Kaspersky can save its non-American business based on those markets not believing the damning information in U.S. newspapers," Aitel told us. "Should any more leaks come out regarding this investigation that indicate Eugene himself knew about this activity, then the company would be kaput."

UPDATE: In a blog post responding to the reports (the Oct. 18 comments from Kaspersky Lab noted above), the company denied assisting any intelligence service.

"We help law enforcement agencies (globally, not only in Russia), but with only one thing: catching cybercriminals," the post said. "We've never assisted any cyberspies or military intelligence. That would go against our principles. We do not participate in spying."

"Our products, much like antivirus software from most other companies, have a cloud protection component," it continued. "We call this Kaspersky Security Network (KSN)."

"You can turn KSN off when installing the product or at any time after installation in the protection settings," the blog post added. "If you like to develop cyberweapons on your home computer, it would be quite logical to turn KSN off; otherwise your malicious software will end up in our antivirus database and all your work will have been in vain."

UPDATE: On Oct. 25, Kaspersky Lab released preliminary findings from its own internal investigation. (A third-party investigation is still promised.) The findings appear to largely exonerate the company of wrongdoing.

Most noteworthy was that, according to the Kaspersky report, the NSA staffer upon whose home PC the NSA files were discovered had himself accidentally infected his computer with malware when he installed a "cracked" version of Microsoft Office. "Cracked" software comes with product-key generators that let you run expensive software without paying for it, but the key generators are often full of malware. The NSA staffer was only able to run the key generator after disabling his Kaspersky antivirus software, the report found.
After he installed Microsoft Office, he re-enabled the antivirus software, which detected the malware that came with the key generator as a "backdoor," which could have let any other kind of malware or attacker onto the machine. The Kaspersky report doesn't say so explicitly, but the backdoor could have been an avenue by which cybercriminals or Russian spies broke into the machine and stole NSA-related files.

After Kaspersky antivirus software had been re-enabled and had found the key-generator malware, it thoroughly scanned the machine and found a compressed archive file containing new variants of NSA malware (which Kaspersky refers to as "Equation Group" malware). Copies of the archive containing the new variants were uploaded to Kaspersky's cloud servers, analyzed and found to be NSA malware. At this point, the report says, Kaspersky chief Eugene Kaspersky (referred to as "the CEO") was informed, and he ordered that the copies of the archive be destroyed.

UPDATE: On Nov. 16, Kaspersky Lab released the complete report on its internal investigation. It adds more detail to the preliminary report, noting that the American computer in question used "an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD" area; in other words, near NSA headquarters.

The report also notes that the customer's computer was infected with at least 121 different strains of malware and adware, not counting the NSA malware also on the machine. The report theorizes that the machine was infected while the user had disabled Kaspersky software so that he could install a "cracked" version of Microsoft Office, and that such a vulnerable machine could easily have been compromised by nation-state attackers targeting a known NSA employee.

It further explains that the compressed archive containing NSA malware also included four documents "bearing classification markings," which implies that they contained language such as "TOP SECRET."
The Kaspersky report says that the documents would have been uploaded to Kaspersky servers as part of routine malware collection: not because they contained classification markings, but because they were part of an archive containing malware. "We cannot assess whether the data was 'handled appropriately' (according to U.S. Government norms)," the report adds, "since our analysts have not been trained on handling U.S. classified information, nor are they under any legal obligation to do so."

The one new item in the full report explains why Kaspersky software might appear to have been deliberately programmed to search for language in documents such as "TOP SECRET," as alleged in one of the media reports concerning the company. Ironically, it's because an older strain of apparently Russian state-sponsored malware searched for exactly the same thing.

In March 2013, a cyberespionage campaign abused the legitimate and widely used TeamViewer remote-access software to steal electronic documents from governmental organizations, embassies, research institutions and high-tech manufacturers in Europe and the former Soviet states, including Russia. Researchers called the espionage campaign "TeamSpy," and its associated malware searched for keywords, including "secret" in English, Russian and Georgian, in Word, Excel and PDF files. A Kaspersky report at the time noted that the malware appeared to be created by Russian speakers. (Kaspersky never speculates on who might have created state-sponsored malware, leaving it to readers to guess.)

In 2015, the current Kaspersky report says, the company added a malware signature that looked for the keywords TeamSpy itself was searching for, in an attempt to detect TeamSpy malware. Anyone looking for clues that Kaspersky itself was looking for classified documents could have mistaken that signature for a smoking gun, the report implies.
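The mechanism behind that mix-up is easy to reproduce. A signature built from the keyword list a document-hunting malware embeds in its own binary will also fire on any ordinary document that happens to contain those keywords, which is exactly how a TeamSpy detection could be read as a hunt for "TOP SECRET" files. The scanner below is an added example written for this article; it is not Kaspersky's detection engine, and the keyword list, the "malware" blob and the documents are constructed stand-ins, not the real TeamSpy strings or Kaspersky's 2015 signature. It contrasts a keyword-only rule with one that also requires evidence of an executable, and it checks both UTF-8 and UTF-16-LE because Windows binaries usually embed their strings in the latter.

```python
"""Illustrative string-signature scanner (added example, not Kaspersky's code).

Demonstrates why a signature made of the keywords a document-hunting
malware searches for also matches the documents it hunts, and how
requiring executable context keeps the rule from firing on plain files.
"""
from dataclasses import dataclass

# Assumed, illustrative keyword list: "secret" in English and Russian.
# The actual TeamSpy keyword list and Kaspersky's signature are NOT reproduced.
KEYWORDS = ("secret", "секрет")


@dataclass(frozen=True)
class Verdict:
    rule: str
    matched: bool
    hits: frozenset


def keyword_hits(data: bytes) -> frozenset:
    """Return the keywords present in `data`, case-folded, in UTF-8 or UTF-16-LE.

    UTF-16-LE is decoded from offset 0 and offset 1 so a string that starts
    on an odd byte boundary is still found.
    """
    views = (
        data.decode("utf-8", errors="ignore"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    )
    found = set()
    for text in views:
        folded = text.casefold()
        for kw in KEYWORDS:
            if kw.casefold() in folded:
                found.add(kw)
    return frozenset(found)


def looks_like_pe(data: bytes) -> bool:
    """Cheap executable-context check: a Windows PE image starts with 'MZ'."""
    return data[:2] == b"MZ"


def keyword_only_rule(data: bytes) -> Verdict:
    """The naive signature: any keyword anywhere is a hit (also fires on documents)."""
    hits = keyword_hits(data)
    return Verdict("keyword_only", bool(hits), hits)


def contextual_rule(data: bytes) -> Verdict:
    """Tighter signature: all keywords must appear inside something that looks
    like an executable, which is where a keyword-hunting backdoor carries them."""
    hits = keyword_hits(data)
    matched = looks_like_pe(data) and hits == frozenset(KEYWORDS)
    return Verdict("contextual", matched, hits)


# --- Constructed samples (not real files) -----------------------------------
# A fake backdoor: PE magic, padding, then its search keywords as UTF-16-LE strings.
FAKE_BACKDOOR = (
    b"MZ" + b"\x90" * 16
    + "secret".encode("utf-16-le") + b"\x00\x00"
    + "секрет".encode("utf-16-le") + b"\x00\x00"
    + "*.docx".encode("utf-16-le") + b"\x00\x00"
)
# A benign PE with no keywords at all.
BENIGN_PE = b"MZ" + b"\x00" * 16 + "Hello, world".encode("utf-16-le")
# Plain documents containing the keywords: the files the malware hunts.
ENGLISH_DOC = "TOP SECRET//NOFORN\nMeeting notes, 2015-03-01\n".encode("utf-8")
RUSSIAN_DOC = "Совершенно секретно\nПротокол совещания\n".encode("utf-8")


def scan_samples() -> dict:
    """Run both rules over every sample; returns {name: (naive, contextual)}."""
    samples = {
        "fake_backdoor": FAKE_BACKDOOR,
        "benign_pe": BENIGN_PE,
        "english_doc": ENGLISH_DOC,
        "russian_doc": RUSSIAN_DOC,
    }
    return {name: (keyword_only_rule(d), contextual_rule(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (naive, ctx) in scan_samples().items():
        print(f"{name:14s} keyword_only={naive.matched!s:5s} contextual={ctx.matched!s:5s} hits={sorted(naive.hits)}")
```

Run as written, the keyword-only rule flags the fake backdoor and both documents, while the contextual rule flags only the backdoor. The same trade-off applies to any real signature: the more a rule relies on the content strings a malware family looks for, the more it resembles a search for that content, and the more it needs structural context (file type, code artifacts, the specific string-table layout) to avoid matching the victims' own files.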
"It is a possibility that [to] an attacker looking for anything that can expose our company from a negative side, observations like this may work as a trigger for a biased mind," the report says. "Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us."