The FBI is briefing US companies against using Kaspersky products, claims report

Bad news for Kaspersky as it fights rumours of Russian government collusion.

According to a CyberScoop report, the FBI has been quietly meeting with companies to warn them of the threat posed by Russian security firm Kaspersky:

The briefings are one part of an escalating conflict between the U.S. government and Kaspersky amid long-running suspicions among U.S. intelligence officials that Russian spy agencies use the company as an intelligence-gathering tool of global proportions.

The FBI's goal is to have U.S. firms push Kaspersky out of their systems as soon as possible or refrain from using them in new products or other efforts, the current and former officials say.

The FBI's counterintelligence section has been giving briefings since the beginning of the year on a priority basis, prioritizing companies in the energy sector and those that use industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.

The continuing rumblings from US intelligence agencies about whether Kaspersky products can be trusted, implying possible collusion with the Russian government, are more than a headache for the security firm. They're a direct challenge to Kaspersky's attempt to grow its American market share.

Kaspersky has said the allegations are baseless, and founder Eugene Kaspersky has offered to let the US government examine his product's source code.

The problem for Kaspersky is that rumours can cause damage, even if nobody ever comes up with any actual evidence of wrongdoing. Some of the rumours have verged on the absurd, attempting to link Eugene Kaspersky's sauna visits to secret meetings with FSB agents.

There will always be some people for whom the belief that Kaspersky's Russian connection might be a problem, even if it's a tiny chance, is enough to make them choose a competitor instead.

And you can bet your bottom dollar that some of Kaspersky's competitors will be (either subtly or brazenly) bringing the scuttlebutt surrounding Kaspersky to customers' attention, in the hope of winning business.

The FBI's emphasis on briefing energy companies and businesses that use industrial control systems isn't much of a surprise. Past attacks on Ukraine's power grid (widely believed to have originated in Russia) may have made some energy companies more receptive to the FBI's anti-Kaspersky warning, even without the discovery of a "smoking gun".

At the other end of the spectrum, I'm finding an increasing number of emails in my inbox from home users who have heard that Kaspersky are "bad guys because they're Russian" and asking me for advice as to what software they should use to protect their PCs.

I admit that I feel highly uncomfortable with Kaspersky being targeted in this way. Security companies around the world work with law enforcement agencies in the fight against online criminals, but that's a very different thing from spying on your own customers at the behest of your government.

Furthermore, it would be commercial suicide for Kaspersky if any evidence was ever found that one of its customers was being secretly spied upon by its anti-virus software.

The whole thing feels like an anti-Kaspersky witch-hunt to me, fed by competitors who are either actively exploiting the awkward pickle Kaspersky finds itself in or allowing it to continue by choosing not to speak out in defence of their commercial rival. Such companies would be wise to remember that the real enemy is not your competitor in the anti-virus industry, but the organised criminals who are infecting millions of computers with malware.

And I have to ask, if we're so worried about Russia, what about China?

How much pressure might Chinese companies be receiving from their government?

How many technological devices do you have in your home or office that rely upon components, software or hardware built in China? If the US is so worried about Russia, shouldn't it be similarly kicking up a stink about that?

My guess is that it would simply be unacceptable to tell America to throw away its Chinese-made smartphones and laptops, as there are few decent all-American equivalents to take their place.

10 Responses

  1. John Q

    August 22, 2017 at 4:28 pm #

    Agreed.
    Where is ANY evidence whatsoever that Kaspersky has engaged in any wrongdoing? For years their product has been a highly reputable anti-virus product with many demonstrations of being on the correct side of the battle. We shouldn't jump to conclusions merely because of the geographic region this product originates without some sort of verifiable proof of wrongdoing.

  2. Mike

    August 23, 2017 at 10:07 am #

    The loony left strike again. More globalist agenda being played out.

  3. M. Sirell

    August 23, 2017 at 3:46 pm #

    Full Disc – I run Kaspersky on my mobile devices and have no plans to change that.

    There are some flaws in the logic here.

    Firstly, absence of publicly released evidence obviously doesn't mean that the US spooks don't have any — for obvious reasons.

    Secondly, it's entirely possible the Kaspersky AV product is capable of being used for malicious purposes at the behest of the Russian state in a manner that isn't evident from the source code. AV products are designed to auto-update not just malware sigs / defs, but their own engine code as well. And it's possible — a racing certainty, in fact, given the nature of AV — that the code contains bugs that could give an attacker RCE, possibly as Administrator or SYSTEM, which haven't been publicly discovered except by the FSB, GRU or the arms-length groups they're known to sometimes employ. (Just as the NSA have their stash of Windows 0day.)

    Thirdly, whilst it may well be commercial suicide for Kaspersky to be caught working on behalf of the Russian spooks, it's not hard to imagine scenarios where declining to co-operate would be LITERAL suicide. (Follow the trail of dead Russians from the last 15 years to see what I mean.)

    Fourthly it's possible cooperation consists of passive activity. E.g., the KAV client reports on the filenames or applications it finds back to the mothership (AFAIK all AV does something like this to some extent or another, even if it's only reporting suspicious links to a cloud-sourced domain reputation database or suchlike). Easy to imagine how that could be useful to the FSB / GRU.

    Fifthly (though there's no IT angle here ;) ) I've no idea whether it is, or isn't, possible for handlers to meet agents or assets in a sauna. I can't see anything that makes the suggestion inherently and self-evidently "absurd", though. Mind you I'm no expert on opsec or tradecraft .)

    Finally the US spooks may be messing with Kaspersky for legitimate /FOR THEM/ reasons even without evidence that they're doing anything malicious, or necessarily /believing/ it. Considering the epic Active Measures ops they've carried out over the last few years that have led to a certifiable fruitcake in the White House, I imagine they're pretty pissed off with Russia. It's reasonable to think the US intelligence community see it as in their legitimate national interest to get back at Russia, both overtly and covertly, for both tactical and strategic reasons. In this circumstance, the fact that Kaspersky (the man, the company and its employees) may be relatively (or completely!) innocent of the charges levelled against them butters no parsnips.

    As a UK citizen I don't necessarily feel that I owe the US LEA / IC any particular favours in terms of helping them damage Russia's economy, albeit in a pretty small way. Of course it's possible – probable even – that the CIA / NSA have the ability to hack my systems, listen to my phone calls and whatever. However, given a choice of helping out the NSA / CIA or the FSB/GRU, you'd have to have your head so far up your backside that it's coming out of your own mouth to find that a tough decision. Call me old fashioned, but I dislike authoritarian nationalist cult-of-personality dictatorships, or "fascists" as we used to call them.

  4. Arnold Schmidt

    August 23, 2017 at 6:20 pm #

    In all this to-do about Kaspersky maybe getting too cozy with the Russian security services, has it not occurred to anyone that all the AV producers in the good ol' USA may be in bed with our own such people? After all, we already know through Ed Snowden's efforts that the NSA and CIA have been listening in on the communications of ours, regardless of the prohibitions against such things, so why would anyone believe that our own security people wouldn't put the same kind of pressure on our domestic AV makers that the FSB is allegedly doing with Kaspersky? If a user of Kaspersky's products is going to stop using them out of a paranoid fear of information leakage from them, then he or she may as well stop using ANY software he or she doesn't create him or herself! Go read "Trusting Trust" by, I believe, Brian Kernighan, if you want to know why, at bottom, no one can ever really trust someone else's software.

  5. IanH

    August 23, 2017 at 8:11 pm #

    Given that it's the FBI putting in lots of effort to persuade people not to use Kaspersky, you don't have to be a conspiracy theorist to think this is because it is one AV system they can't use to snoop. Come on – the FBI doing public service education? Spare me…..!

    I have used Kaspersky exactly BECAUSE it isn't under USA influence and I feel it is therefore less likely it is snooping on my activities.

  6. Tea Thoughts

    August 23, 2017 at 10:07 pm #

    I've heard this anti-Kaspersky pitch before some years ago. It was from someone who liked to think he was closer to GCHQ than he was – he was definitely a frustrated spook though and I still think he was just reciting some overheard prejudice against all things Russian.

  7. Kas

    August 24, 2017 at 12:18 am #

    I choose a different AV vendor because of this, but not for the reason you might think.
    During the last 12 months news reports have emerged of Kaspersky personnel being targeted both in the US and in Russia. In the US FBI agents appeared on the doorstep of Kaspersky employees.
    Just imagine what that does to an employee, both in Russia and the US. I can easily imagine employees switching jobs just to get out of this geopolitical firestorm. And that in turn will result in a shortage in R&D, product quality and time-to-market, which in the end will have an impact on me, the customer.
    I side with Graham on the (possibly dishonest) campaign against Kaspersky, but that's not my battle. I just want the best tool for my security and vendor stability is a factor in that decision.

  8. David L

    August 24, 2017 at 3:14 pm #

    I'm always amazed that those in the UK forget about their own intelligence agencies, and the close ties they have to others around the world, namely, Five Eyes group. Then the next group of fourteen. They all share information, and cooperate closely. Ever hear about the Snoopers Charter in your own country?

    The problem is all countries are becoming balkanized, restricting more and more access to information. There are legitimate reasons to be overly cautious about products made by countries that are violating human rights, of which, freedom of information is one. Evidenced by Russia and China banning VPNs for instance. So, like the "Great Firewall of China", Russia too, is monitoring the pipes. Kaspersky does not need to do anything wrong, but, can be compromised, just by being located in Russia.

    I'll admit, I'm concerned to the point of not using products, like phones or apps made in, or by Chinese developers. Likewise, Russia. I do have a Taiwanese product, HTC, and was very disappointed to find them using Baidu SDKs. As a result, I don't use the OEM apps that would give access to my phone. But, it's hard to know everything running in the background, even with various apps to monitor things. I've eliminated just about any app with ads, and have steadily built up a library of privacy minded apk. Developers products. So, it's hard work to harden your devices these days. Eliminating the obvious things is only a beginning. Ultimately, the question remains,…Do You Trust, the devices and software you use?

  9. Michael

    August 25, 2017 at 7:21 pm #

    What credibility does the FBI have? An organization that was caught illegally spying on Americans is warning Americans that a Russian company _might_ be doing something? But they have no evidence to present and we should just trust them? This sounds like more of the same anti-Russian hysteria we've been hearing for the last few months.

  10. Richard Steven Hack

    August 25, 2017 at 8:38 pm #

    Arnold Schmidt has it right. If you should be paranoid about any software, it's software made in the US.

    We already KNOW that Microsoft handed their software to the NSA to "look for security vulnerabilities". We can surmise that the NSA discovered "X" vulnerabilities – and reported X minus Y vulnerabilities to Microsoft, retaining the rest for its own use.

    We also already KNOW that US companies have been forced by the NSA to install various forms of surveillance on various hardware and software.

    The bottom line: There is NO WAY to PROVE that ANY software is clean of surveillance absent it being open source, thoroughly analyzed by independent parties, and THEN the COMPILED software checked yet again for surveillance added afterward.

    But this whole "just because it's Russian it's evil" is just political nonsense.

    And we STILL don't have ANY PROOF that the DNC was hacked by any kind of Russians, let alone the Russian government, despite all the official "assessments." Which is what started this whole thing.
