The United States has taken a step that was a long time coming, depending on one's point of view. According to the final determination from the Commerce Department’s Bureau of Industry and Security, the government banned the sale of Kaspersky Lab products in the U.S. effective July 20, just about two weeks ago.
While the Commerce Department established a final date of September 29, 2024, when all other activities, such as updates, resales through the distribution channel, licensing, and customer integrations are prohibited, it’s mostly moot now that Kaspersky Lab has decided to pull out of the Unites States market.
I am not surprised that Kaspersky Lab was banned. The company has a long and established history of working with adversaries of the United States, according to many expert sources.
The risks are clear: For the past decade or more, the U.S. government has claimed that the Russian government could use Kaspersky Lab’s anti-virus (AV) software to spy on Americans via hacking or data collection. The latest move should have come much sooner and comes in the backdrop of the U.S. already banning Huawei products on national security grounds two years ago and on the verge of banning TikTok on the same national security grounds in the coming months.
How Kaspersky Lab helped Iran after Stuxnet
In his book The Perfect Weapon: David Sanger details Operation Olympic Games, the first use of a true cyberweapon in 2010 against Iran. Olympic Games, a joint venture between Israel and the United States, was designed to take out as many Iranian centrifuges as possible and prevent a state sponsor of terrorism from acquiring enough nuclear material to make a bomb that could attack Israel or threaten other U.S. interests in the Middle East.
From this, a couple of weapons were born: Stuxnet and Flame. No secret stays secret forever, and eventually, the code for both, including another variant called Duqu, made its way into the public domain.
But here’s the issue that raised significant concerns:
As a follow-up to Stuxnet, in May 2012, the United Nations International Telecommunications Union (UN ITU) – a UN agency responsible for matters related to information and communications technology – asked Kaspersky Lab for help researching infected computers from the Iranian Oil Ministry and the Iranian National Oil Company. Their assistance and research led to the discovery of Flame, another potent cyber weapon reportedly developed by the U.S. and Israel that targeted Iran, a known state sponsor of terrorism.
Keep in mind that back in 1984, Iran received that designation by the State Department. Iran’s support for other terrorist groups such as Hamas, Hezbollah, and the Houthis only cements their legacy of violence and terrorism.
More trouble was brewing on the horizon.
Harold Martin was an NSA contractor who accumulated over 50 terabytes of classified information, hoarding it in various forms at his home. During his sentencing, in which he was sent to prison for nine years, the judge noted that the government did not accuse Martin of “transmitting” the classified hacking tools, but rather, abusing the trust the government had placed in him and mishandling classified information.
At the time the Martin case was made public and the involvement of Kaspersky AV software was reported, Eugene Kaspersky, the company’s CEO, said he didn’t deny obtaining access to the NSA hacking tools Martin took home because the Kaspersky software did what it was supposed to do: identify the tools as malware. Kaspersky claimed that the company’s antivirus program detected malware attributed to “The Equation Group,” an internal code name for NSA Tailored Access Operations (TAO), malware code that was uploaded via Kaspersky’s AV software to Kaspersky Lab for analysis.
Then there was the case of Nghia Hoang Pho, a National Security Agency employee who was ultimately sentenced to 66 months in prison in September 2018. Back in September 2014, Pho, who was working at NSA TAO, took home the most secret cyber weapons the NSA was working on at the time to continue development.
What raised eyebrows among NSA officials was that Pho was running Kaspersky Antivirus on his personal laptop, software the NSA never authorized even back then for fear of the company’s links to the Russian government.
The Washington Post also reported that hackers working for Israeli intelligence had compromised Kaspersky’s network and detected signatures they recognized as the NSA’s. The Israeli’s alerted the NSA, which launched an investigation that led them to Pho, who was removed from his position in 2015.
In a statement to NBC News, Kaspersky denied any connection between Kaspersky and the Russian government in the Pho case, saying: “no credible evidence has been presented to substantiate the claim of the company’s involvement in the alleged incident.”
The big question the investigators had was this: Was Kaspersky Lab involved in turning over NSA hacking tools to the Russian government?
In the Martin case, Kaspersky Lab had deniability, they said their software did its job. And according to additional reporting from the Wall Street Journal and NBC News, a former U.S. intelligence official briefed on the cases said it was Russian hackers who accessed Pho’s machine and stole additional code and material.
While the stories around the NSA hacking tools remain extremely cloudy, this much is clear: In 2017, DHS issued a directive prohibiting using Kaspersky products in government systems. The DHS order noted the following: “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
And, as recently as fall 2023, the Director of National Intelligence (DNI) released a one-page fact sheet detailing links between Russian Intelligence Service (RIS) members and Kaspersky Lab. Here are some of the findings:
- Former RIS officers employed by K.L.—which include the founder and CEO and several of its executives—use their positions and access to maintain cooperation and share identifying client data with current RIS officers.
- FSB can legally direct K.L. to provide user data, modify software or hardware, and perform searches on end-user systems.
- K.L’s product suite routes all client data through its cloud-based network or Russia-based Internet service providers (ISPs).
- K.L. antivirus software accesses all data on a U.S. user’s system.
In my view, getting American companies to install Kaspersky AV is one of modern history’s most brilliant covert surveillance and espionage operations. It shouldn’t come as a surprise that the U.S. government’s actions are a response to Russia’s continued aggression and the ongoing offensive cyber operations targeting the defense industrial base, critical infrastructure, and state/local governments, to name just a few.
That doesn’t mean everything Kaspersky did was suspect. Securelist is a tremendous resource for researchers about malware, threat intelligence, and APTs.
The KasperskyOS was a novel idea when it came out—a microkernel-based operating system with significant implications for security in IoT.
But, I take the world as I find it. Not as I wish it were.
Regardless of the prior history with Kaspersky in the Pho and Martin cases, the current geopolitical climate would have ultimately led to the same decision to ban Kaspersky Lab.
Adversaries or even suspected adversaries of the United States shouldn’t have free reign to sell products and services into our critical infrastructure. Full stop.
Morgan Wright, chief security advisor, SentinelOne
