Kaspersky Lab has faced controversy over allegations that it has engaged with the Russian Federal Security Service (FSB) to use its software to scan computers worldwide for material of interest—ties which the company has actively denied. The U.S. Department of Homeland Security banned Kaspersky products from all government departments on 13 September 2017, alleging that Kaspersky Lab had worked on secret projects with Russia's Federal Security Service (FSB). In October 2017, subsequent reports alleged that hackers working for the Russian government stole confidential data from the home computer of a National Security Agency (NSA) contractor in 2015 via Kaspersky antivirus software. Kaspersky denied the allegations, stating that the software had detected Equation Group malware samples which it uploaded to its servers for analysis in its normal course of operation.
The company has since announced commitments to increased accountability, such as soliciting independent reviews and verification of its software's source code, and announcing that it would migrate some of its core infrastructure for selected foreign customers from Russia to Switzerland. The allegations of ties to the Russian government were ignited again with the company's controversial response to the 2022 Russian invasion of Ukraine.
According to the International New York Times, Kaspersky has "become one of Russia's most recognized high-tech exports, but its market-share in the United States has been hampered by its origins".[1] According to Gartner, "There's no evidence that they have any back-doors in their software or any ties to the Russian mafia or state... but there is still a concern that you can't operate in Russia without being controlled by the ruling party".[2] CEO Eugene Kaspersky prior work for the Russian military and his education at a KGB-sponsored technical college has led to allegations of being employed by Russia to expose US cyberweapons, though he denies this.[3] [4] Analysts such as Gartner's Peter Firstbrook say suspicions about the firm's Russian roots have hindered its expansion in the US.[2] The company has denied that it has direct ties with or has engaged with the Russian government.[5]
In August 2015, Bloomberg News reported that Kaspersky Lab changed course in 2012, as "high-level managers have left or been fired, their jobs often filled by people with closer ties to Russia's military or intelligence services. Some of these people actively aid criminal investigations by the FSB, the KGB's successor, using data from some of the 400 million customers".[6] Eugene Kaspersky criticized Bloomberg's coverage on his blog, calling the coverage sensationalist and guilty of exploiting paranoia to increase readership.[7]
From July 2017 to December 2017, U.S. government agencies phased out their use of Kaspersky software. In July 2017, the United States' General Services Administration (GSA) removed Kaspersky Lab from its list of vendors authorized to do business with the U.S. government amid further reports by Bloomberg and McClatchy DC alleging that Kaspersky Lab had worked on secret projects with Russia's Federal Security Service (FSB). Anti-Russian sentiment had also grown in the country in the wake of an investigation of Russian interference in the 2016 presidential election. Kaspersky denied these reports, stating that it did not have "inappropriate ties" with any government, and "never received a request from the Russian government or any affiliated organization to create or participate in any secret projects, including one for anti-DDoS protection".[8] [9] [10] [11]
On 8 September 2017, U.S. electronics store chain Best Buy pulled Kaspersky products amid concerns over these ties,[12] followed by U.S. retailers Office Max and Office Depot.[13] On 13 September 2017, the Department of Homeland Security issued an order stating that in 90 days Kaspersky products will be banned from use within the U.S. civilian federal government, citing "[concerns] about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks."[14]
On 6 October 2017, The Wall Street Journal - citing "multiple people with knowledge of the matter" - alleged that in 2015, hackers working for the Russian government used Kaspersky antivirus software to steal classified material from a home computer belonging to a National Security Agency (NSA) contractor. According to the report, the incident occurred in 2015 and remained undiscovered until early 2016. The stolen material reportedly included "details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S."[15] The New York Times reported that the hacks had been discovered by Israeli intelligence agents who had themselves hacked into Kaspersky's network and recorded in real time how queries were being made for keywords on user machines.[16]
On 10 June 2015, Eugene Kaspersky in a blog announced that Kaspersky Labs discovered an advanced attack on its own internal network claiming with confidence that there's a nation state behind it, calling the attack Duqu 2.0.[17]
On 11 October 2017, The Wall Street Journal additionally alleged that Russian intelligence uses Kaspersky software to scan computers worldwide for material of interest.[18] The company once again denied the reports, arguing that they were "baseless paranoia" and a "witch hunt", and considered it suspicious that major U.S. media outlets simultaneously "went for us almost in full force and they fantasized simultaneously, as if receiving an order, but they've got confused in details."[19]
On 25 October 2017, Kaspersky confirmed that the incident described by The Wall Street Journal had occurred in 2014, and was the result of the software having detected a ZIP file containing samples and source code from the Equation Group. The user had enabled the Kaspersky Security Network (KSN) features of the software, so the files were automatically uploaded to Kaspersky as a malware sample to KSN for analysis, under the assumption that it was a new malware variant. Eugene Kaspersky stated that he ordered that the sample be destroyed. Kaspersky claimed that the antivirus software had been temporarily disabled by the PC's user in order to install a pirated copy of Microsoft Office. When the software was re-enabled, it detected both the Equation Group code, as well as unrelated backdoor infections created by a keygen program for Office, which may have facilitated third-party access to the computer.[20] [21] [22] [23]
On 13 November 2017, the British intelligence agency MI6 raised suspicions over Kaspersky Lab software after it was distributed free to more than 2 million UK Barclays customers.[24] On 2 December 2017, Barclay's announced that they would no longer provide their new customers with the company's software.[25] Also around 2 December 2017, Britain's National Cyber Security Center advised, as a national security precaution, that UK government departments avoid Russia-based antivirus software such as Kaspersky, but stated there was "no compelling case at present to extend that advice" to the wider public.[26] On 9 December 2017, the U.S. government banned Kaspersky from federal civilian and military computers as part of a broader defense bill.[27]
On 21 December 2017, Lithuanian Government bans Kaspersky Lab software on sensitive computers claiming it to be a threat to Lithuanian national security.[28]
On 14 May 2018, the Dutch government announced it decided to phase out the use of antivirus software made by Kaspersky Labs “as a precautionary measure” and was advising companies involved in safeguarding vital services to do the same.[29]
On 13 June 2018, European Union passed a motion that labeled Kaspersky as "confirmed as malicious" as part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs. The report "Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab." The resolution was approved with 476 votes in favor and 151 against.[30] Kaspersky Lab responded by claiming the amendment to the report was based on untrue statements and by temporarily halting their numerous collaborative European cybercrime-fighting initiatives.[31] In March 2019, Belgian MEP Gerolf Annemans submitted a question to the European Commission (EC), requesting in writing any evidence the Commission had justifying Parliament's labelling of Kaspersky as "malicious", citing reports from Germany, France, and Belgium which found no evidence of this.[32] [33] [34] [35] [36] On 12 April 2019 the Commission responded by stating, "The Commission is not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products." and that, "[...] the Commission did not commission any reports."[37]
On 15 March 2022, The German Federal Office for Information Security known as "BSI" urged consumers not to use antivirus software made by Russia's Kaspersky, warning the firm could be implicated in hacking assaults amid Russia's war in Ukraine.[38] According to the agency, antivirus software has extensive system authorizations and must maintain a permanent connection to the manufacturer's servers.[39] The BSI claims a Russian IT manufacturer can be forced to partake in an attack against targets in the EU, NATO, and Germany. Kaspersky published a statement to its Twitter feed concerning the BSI recommendation to stop using Kaspersky.[40]
On 17 March 2022, The Italian government announced that it would curb the use of Russian antivirus software in the public sector in the wake of Russia's invasion of Ukraine, fearing Moscow could hijack the programs to hack key websites.[41]
In January 2018, Twitter banned Kaspersky from advertising on Twitter, stating that "Kaspersky Lab operates using a business model that inherently conflicts with acceptable Twitter Ads business practices", and citing the Department of Homeland Security's warning about Kaspersky.[42]
On 23 October 2017, Kaspersky announced a "Global Transparency Initiative", under which it would be more accountable for security issues surrounding its products to select countries, and would allow third-party analysts to validate its products and other business practices in order to validate their integrity. The company stated that trust "must be repeatedly earned through an ongoing commitment to transparency and accountability", and that this program was a "reaffirmation of the company's commitment to earning and maintaining the trust of their customers and partners every day."[43]
On 15 May 2018, Kaspersky Lab announced that it would be migrating some "core infrastructure" from Russia to new data centers in Switzerland. Kaspersky software and antivirus definitions for foreign markets will be compiled and digitally signed in Switzerland by the end of 2018 (products targeting Russia will still be compiled on existing domestic infrastructure). User data for Europe, the United States, Canada, Australia, New Zealand, Japan, Bangladesh, Brunei, Cambodia, India, Indonesia, South Korea, Laos, Malaysia, Nepal, Pakistan, Philippines, Singapore, Sri Lanka, Thailand and Vietnam markets is to be stored and processed on Swiss servers as of 2022. All other countries will continue to be processed in Moscow, Russia.[44] In November 2020 Kaspersky finished relocating the data of its foreign customers from Russia to Switzerland.[45]
Kaspersky, in addressing the relocation of data processing and why data from many countries was not moved to Switzerland and continues to be processed in Russia stated that it is based on market specifics, customer demands and local regulation.[44]
Kaspersky maintains data centers in Zürich, Switzerland; Frankfurt, Germany; Toronto, Canada; and Moscow, Russia. The Swiss operations will be overseen by a third-party organization holding "all access necessary to verify the trustworthiness of our products and business processes", and will be accompanied by one of the three planned "Transparency Center" facilities, at which "responsible stakeholders" will be allowed to inspect Kaspersky's source code and business practices to verify their integrity. Kaspersky stated that this move was "first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing", and was a further step in its goal to be more accountable and trustworthy in its business practices.[46]
Kaspersky Transparency Centers are operating in Zürich, Madrid, Kuala Lumpur and São Paulo. In early 2021, the North American Transparency Center will open in New Brunswick, Canada in partnership with the CyberNB Association. At all of Kaspersky's Transparency Centers, the company provides the opportunity to compile the company's software from its source code and compare it with the publicly available one.[44]
The Transparency Centers source code reviews do not address the methods used as alleged in the NSA theft controversy. The NSA theft controversy is alleged to have been performed at the Moscow, Russia data center where the results of the scanning of users machines reside and under Russian law the Russian Government can compel Kaspersky's assistance in intercepting communications as they move through Russian computer networks.[47] The way antivirus software works on computers where it is installed requires significant control of that computer to discover malware. Antivirus software can retrieve, delete, or modify any file on any computer. In the review of the Kaspersky source code nothing would stand out as these are standard features and functionality that are routine of all antivirus products in the process of hunting for viruses or malware. These features and functions would not create any red flags in the any source code reviews promoted by the Transparency Centers. This makes antivirus software an inherently advantageous channel to conduct espionage.[48] "U.S. official said the transparency centers are not "even a fig leaf" because they do not address the U.S. government's concerns" in the end its the "Moscow software engineers handle the [software] updates, that's where the risk comes," they said. "They can send malicious commands through the updaters and that comes from Russia."[49]
In December 2017 and February 2018 the company sued the Trump administration, arguing the ban to be a bill of attainder and a violation of due process, and arguing that the government unfairly tarnished Kaspersky's reputation.[50] [51] Both cases were dismissed on May 30, 2018, by Judge Colleen Kollar-Kotelly, a former presiding judge of the Foreign Intelligence Surveillance Court, declaring both as unsubstantial.[52] [53] [54]
On 24 February 2022, the 2022 Russian invasion of Ukraine began. On 28 February, Eugene Kaspersky signed a letter to customers reaffirming Kaspersky's priority in fulfillment of all of its obligations to partners and customers and highlighting its transparency initiative. No mention of Russia was made and the only mention of Ukraine was around watching the events unfolding in and around Ukraine.[55] The U.S. government began privately warning some American companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Russian cybersecurity company Kaspersky to cause harm.[49]
On 26 February 2022, over 10,000 employees of Russian IT companies (including those of Kaspersky Lab) signed a petition opposing Russian governments actions in Ukraine and stating "We, employees of the Russian IT industry, are categorically against military operations on the territory of Ukraine initiated by the armed forces of the Russian Federation. We consider any display of force that leads to the outbreak of war unjustified and call for the reversal of decisions that could inevitably entail human casualties on each side. Our countries have always been close to each other. And today we are worried about our Ukrainian colleagues, friends and relatives."[56] In connection with the adoption by the Russian Duma of new tougher laws, on 4 March 2022, even before they came into force, the acceptance of signatures for the petition was stopped. "Also, from 4 March 2022, any distribution of the letter and communication with the media has ceased. In connection with the adoption of new laws, we considered it unsafe to leave this letter in the public domain with a list of signers".[57] "There were no big names, opinion leaders or influencers behind the letter, so people mainly signed it and shared with each other on Telegram and other messengers.” Eugene Kaspersky did not sign this form prior to its removal.
On 1 March 2022, the date of the first cease-fire talks between Russia and Ukraine, Eugene Kaspersky made the following statement in Twitter, "We welcome the start of negotiations to resolve the current situation in Ukraine and hope that they will lead to a cessation of hostilities and a compromise. We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn't good for anyone".[58] This statement led to much controversy as it failed to condemn Russia for invading Ukraine nor mention Russia.[59] [60]
The company in an interview made a statement: "Kaspersky is focused on its mission to build a safer world. For 25 years, the company delivers deep threat intelligence and security expertise that is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. Kaspersky's business operations remain stable. The company guarantees the fulfillment of its obligations to partners and customers—including product delivery and support and financial transaction continuity. The global management team is monitoring the situation carefully and is ready to act very quickly if needed."[61] This has further ignited a renewed conversation around Kaspersky and the allegations of Russian Government ties and support of the Russian Government.[62]
On 15 March 2022, the German German: [[Bundesamt für Sicherheit in der Informationstechnik]] (BSI) issued a warning against the usage of Kaspersky antivirus and cloud software, claiming that it could be used in cyberattacks against foreign agencies.[63] Kaspersky responded to the BSI in a public letter by stating that the accusations are based on "political grounds" rather than on a technical assessment of its products and that it will be working with the BSI for clarification on its decision and for the means to address its and other regulators concerns.[64]
On 15 March 2022, Eintracht Frankfurt, German soccer club announced it terminated the sponsoring agreement with Russian software company Kaspersky with immediate effect.[65]
On 17 March 2022, the Italian government announced that it would curb the use of Russian antivirus software in the public sector in the wake of Russia's invasion of Ukraine, fearing Moscow could hijack the programs to hack key websites.[41]
On 17 March 2022, Scuderia Ferrari announced a pause in its F1 partnership with Kaspersky which began in 2010, this comes after Ferrari donated €1 million to help Ukrainians affected by the Russian invasion.[66] The partnership pause will have all Kaspersky logos removed from all Ferrari F1 activities.[67] Ferrari also stated that the use of Kaspersky software would be evaluated.[68]
On 26 March 2022, the Federal Communications Commission (FCC) put Kaspersky on its national security list, saying that it poses an "unacceptable risk" to the United States' national security. This forbids Kaspersky from receiving FCC funds through its Universal Service Fund. This follows a previous ban forbidding United States government agencies from using products made by the firm.[69] Kaspersky responded to the FCC's move in a press release on its website, saying that the agency's decision was “made on political grounds” in light of Russia's invasion of Ukraine, and that the company “remains ready to cooperate with US government agencies to address the FCC's and any other regulatory agency's concerns.”[70]
On 30 March 2022, The Wall Street Journal published an article stating the Biden administration is split on a proposal to sanction Kaspersky Labs over the invasion of Ukraine. The division in the administration was driven by a deep concern that such action could trigger a response, and "in addition, some officials in the U.S. and Europe fear sanctioning Kaspersky Lab will increase the likelihood of triggering a cyberattack against the West by Moscow, even potentially leveraging the software itself." The idea of using sanctions against Kaspersky Labs or to Eugene Kaspersky directly were on hold for now. Should the United States Department of the Treasury be asked to sanction Kaspersky they would "block or freeze the assets of companies or individuals who are targeted and bar U.S. citizens from engaging in transactions with those companies or people".[71]
On 26 April 2022, Poland imposed sanctions on 50 Russian oligarchs and companies, including Eugene Kaspersky. The sanctions include the freezing of assets and, for the individuals named, a ban on entering Poland.[72]