Kaspersky Lab denies leaked emails prove it has been working with Russia’s FSB

Bloomberg alleges that leaked emails prove that Kaspersky Lab has closer ties to the Kremlin than the cybersecurity firm has previously acknowledged. Kaspersky claims that is not true.

Kaspersky Lab denies leaked emails prove it worked with Russia's FSB

While the Trump administration is deciding whether to remove Kaspersky Lab from the General Services Administration’s list of vendors whose products government agencies are allowed to use, Bloomberg Businessweek declared Kaspersky Lab “has been working with Russian intelligence.” The news report alleges that the relationship between Kaspersky Lab and the Kremlin is closer than the cybersecurity firm has previously acknowledged.

Kaspersky Lab came out swinging, issuing a point-by-point denial:

“Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.”

A week ago, Kaspersky offered to disclose its source code for the U.S. government to audit. This was in response to the continued suspicions by some U.S. intelligence agencies that Kaspersky Lab products might have hidden backdoors aka “might be vulnerable to Russian government influence.”

One of Bloomberg’s bigger claims comes from a 2009 email thread between Eugene Kaspersky and senior staff. The article says Kaspersky confirmed the emails are authentic, while Kaspersky claims it confirmed no such thing.

Bloomberg claims that in the email, Kaspersky discusses an anti-DDoS attack software project undertaken per a request by the FSB (Russia’s main intelligence agency). Besides blocking DDoS attacks, Kaspersky allegedly agreed help ISPs locate the attackers. The “active countermeasures” were to be kept a secret. The project reportedly became the basis of Kaspersky’s anti-DDoS technology. Bloomberg quoted a snippet of that email:

The project includes both technology to protect against attacks (filters) as well as interaction with the hosters (‘spreading’ of sacrifice) and active countermeasures (about which, we keep quiet) and so on.

Then Bloomberg added:

“Active countermeasures” is a term of art among security professionals, often referring to hacking the hackers, or shutting down their computers with malware or other tricks. In this case, Kaspersky may have been referring to something even more rare in the security world. A person familiar with the company’s anti-DDoS system says it’s made up of two parts. The first consists of traditional defensive techniques, including rerouting malicious traffic to servers that can harmlessly absorb it. The second part is more unusual: Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids. That’s what Kaspersky was referring to in the emails, says the person familiar with the system. They weren’t just hacking the hackers; they were banging down the doors.

In an emailed statement, Kaspersky Lab refuted:

Kaspersky Lab does not cooperate with hosting companies to locate bad actors, and cooperation with hosting providers in an anti-DDoS context means working with a hosting provider to block an attack on their level, before malicious traffic reaches the attacked web resource. This happens when the company experts understand that potential sources of the attack are located in particular data centers.

Regarding the “active countermeasures,” Kaspersky said:

The article inaccurately attributes the countermeasures referenced to be for the government, when the information being discussed was actually referencing the types of active measures needed for strong DDoS-protection for customers, such as the DDoS intelligence system, which alerts that there is an emerging DDoS-attack against a customer through monitoring the activity of DDoS botnets.

Hacking back is illegal, and Kaspersky Lab has never been involved in such activities; and instead we are actively participating in joint shut-down of botnets led by law enforcements of several countries where the company provides technical knowledge.

Regarding the part where Bloomberg alleged Kaspersky provides the FSB with real-time intelligence on attacker’s locations and sends its experts with the FSB and Russian police on raids, Kaspersky claimed:

Kaspersky Lab assists law enforcement agencies around the world with fighting cyberthreats, including those in Russia, by providing cybersecurity expertise on malware and cyberattacks. When assisting in official Russian cybercrime investigations, in accordance with Russian law, we only provide technical expertise throughout the investigation to help them catch cybercriminals. Concerning raids and physically catching cybercriminals, Kaspersky Lab might ride along to examine any digital evidence found, but that is the extent of our participation, as we do not track hackers’ locations. Kaspersky Lab doesn’t provide any government agencies, nor other parties, with information on location of people and doesn’t gather “identifying data from customers’ computers” because it is technically impossible.

The article also suggested that Kaspersky’s software “regularly communicates with the maker to receive updates, which security experts say could theoretically provide access to sensitive users such as government agencies, banks, and internet companies.”

Bloomberg didn’t stop there, adding that the U.S. Defense Intelligence Agency reportedly put out a warning about KasperskyOS, a product that could “let Russian government hackers disable those systems, a claim Kaspersky denied.”

Bloomberg’s report comes as the U.S. is deciding whether or not to ban the use of Kaspersky products by government agencies. At the end of June, before the Senate Armed Services Committee amended a spending bill that would ban the use of Kaspersky software at the DoD and any other agencies that network with the Defense Department, the FBI questioned at least a dozen U.S.-based Kaspersky employees at their homes. That move “completely ruined” the relationship between the FBI and Kaspersky Lab.

Kaspersky claims it searched through its email archives to find the one referenced by Bloomberg:

“In the internal communications referenced within the recent article, the facts are once again either being misinterpreted or manipulated to fit the agenda of certain individuals desperately wanting there to be inappropriate ties between the company, its CEO and the Russian government, but no matter what communication they claim to have, the facts clearly remain there is no evidence because no such inappropriate ties exist.”

Cybersecurity market research: Top 15 statistics for 2017