The day after Russia’s invasion of Ukraine, the U.S. government began issuing personal warnings to some American companies that Moscow could harm software designed by Russian cybersecurity company Kaspersky, a senior U.S. official and two people familiar with the matter said.
Classified briefings are part of Washington’s broader strategy to prepare key infrastructure providers, such as water, telecom and energy, for potential Russian intrusion.
President Joe Biden said last week that sanctions imposed on Russia over the February 24 attack on Ukraine could have repercussions, including cyber-disruptions, but the White House has not made specific proposals.
A senior U.S. official about Kaspersky’s software said, “The risk assessment has changed with the Ukraine conflict.” “It has grown.”
Kaspersky is one of the most popular anti-virus software developers in the cybersecurity industry, headquartered in Moscow and founded by Eugene Kaspersky, a former Russian intelligence officer.
A Kaspersky spokesman said in a statement that briefings on the alleged risks to the Kaspersky software “would be more detrimental to Kaspersky’s reputation” without giving the company a chance to respond directly to such concerns and that it was “not appropriate or fair.”
A senior U.S. official said Kaspersky’s Russia-based staff could be forced by Russian law enforcement or intelligence agencies to provide remote control or assistance to their clients’ computers.
Kaspersky, which has an office in the United States, lists partnerships with Microsoft, Intel and IBM on its website. Microsoft declined to comment. Intel and IBM did not respond to requests for comment.
On March 25, the Federal Communications Commission added Kaspersky to the list of communication equipment and service providers considered a threat to U.S. national security.
This is not the first time Washington has said Kaspersky could be influenced by the Kremlin.
The Trump administration has spent months trying to ban Kaspersky from government action and warn countless companies in 2017 and 2018 not to use the software.
U.S. security agencies have held similar cybersecurity briefings surrounding Trump’s sanctions. The content of those meetings four years ago was comparable to the new briefing, said an acquaintance.
Over the years, Kaspersky has consistently denied any wrongdoing or collusion with Russian intelligence.
It is unknown at this time what he will do after leaving the post. A senior official declined to comment on the confidentiality.
So far no US or allied intelligence has provided direct, universal evidence of backdoor in Kaspersky software.
Following Trump’s decision, Kaspersky opened a series of transparency centers, where it said partners could review its code to test malicious activity. A company blog post at the time explained that the goal was to build trust with customers after the U.S. complaint.
But U.S. officials say the transparency centers are not “even a fig leaf” because they do not address the U.S. government’s concerns.
“Moscow is run by software engineers [software] Updates, that’s where the risk comes in, “they said.” They can send malicious commands through the updaters, and it comes from Russia. “
Cybersecurity experts say that how anti-virus software usually works on the computer where it is installed requires a deeper level of control to detect malware. This makes anti-virus software an inherently convenient channel for managing espionage.
Also, Kaspersky products are sometimes sold under white label sales agreements. This means that the software can be packaged and named in commercial contracts by IT contractors, making it difficult to determine their source immediately.
Without naming Kaspersky, Britain’s Cyber Security Center said on Tuesday that companies providing services related to Ukraine or critical infrastructure should reconsider the risks associated with using Russian computer technology in their supply chains.
The National Cyber Security Center said in a blog post, “We have no evidence that the Russian state intends to harm Russia’s commercial goods and services in the interests of the United Kingdom, but the lack of evidence is not evidence of absence.”
Thomson Reuters 2022