Exclusive: US warned companies against Russian software Kaspersky the day after the invasion

People walk by the Russian Kaspersky stand during the GSMA’s Mobile World Congress (MWC) 2022, in Barcelona, ​​Spain, March 2, 2022. REUTERS/Albert Gea/File Photo

March 31 (Reuters) – The U.S. government began privately warning some U.S. companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Russian cybersecurity firm Kaspersky to cause damage, according to a senior US official and two people familiar with the matter.

The classified briefings are part of Washington’s broader strategy to prepare providers of critical infrastructure such as water, telecommunications and energy for possible Russian intrusions.

President Joe Biden said last week that sanctions imposed on Russia for its February 24 attack on Ukraine could lead to a backlash, including computer disruptions, but the White House did not give details.

“The calculus of risk has changed with the conflict in Ukraine,” the senior US official said of Kaspersky’s software. “It increased.”

Kaspersky, one of the cybersecurity industry’s most popular antivirus software makers, is headquartered in Moscow and was founded by a former Russian intelligence officer, Eugene Kaspersky.

A Kaspersky spokeswoman said in a statement that briefings on alleged Kaspersky software risks would be “further damaging” to Kaspersky’s reputation “without giving the company the opportunity to directly address those concerns” and that this “is neither appropriate nor just”.

The senior US official said Kaspersky personnel based in Russia could be forced to provide or help establish remote access to their customers’ computers by Russian law enforcement or intelligence agencies.

Kaspersky, which has an office in the United States, lists partnerships with Microsoft, Intel and IBM on its website. Microsoft declined to comment. Intel and IBM did not respond to requests for comment.

On March 25, the Federal Communications Commission added Kaspersky to its list of communications equipment and service providers considered threats to US national security. Read more

This is not the first time that Washington has claimed that Kaspersky could be influenced by the Kremlin.

The Trump administration spent months banning Kaspersky from government systems and warning many companies not to use the software in 2017 and 2018.

US security agencies conducted a series of similar cybersecurity briefings around Trump’s ban. The content of those meetings four years ago was comparable to the new briefings, said one of the people familiar with the matter.

Over the years, Kaspersky has always denied any wrongdoing or secret partnership with Russian intelligence.

It is unclear whether a specific incident or new intelligence led to the security briefings. The senior official declined to comment on the classified information.

So far, no US or allied intelligence agency has ever offered direct, public evidence of a backdoor in Kaspersky software.

Following the Trump decision, Kaspersky opened a series of Transparency Centers, where it says partners can review its code to check for malicious activity. A company blog post at the time explained that the goal was to build trust with customers after the US accusations.

But the US official said the Transparency Centers are “not even a fig leaf” because they fail to address US government concerns.

“Moscow software engineers manage the [software] updates, that’s where the risk comes in,” they said. “They can send malicious commands through updates and that’s coming from Russia.”

Cybersecurity experts say that due to the way antivirus software normally works on the computers where it’s installed, it requires a deep level of scrutiny to uncover malware. This makes antivirus software an inherently advantageous channel for spying.

In addition, Kaspersky’s products are also sometimes sold under white label sales agreements. This means that software can be packaged and rebranded under commercial agreements by information technology contractors, making their origin difficult to determine immediately.

Without referring to Kaspersky by name, the UK Cybersecurity Center said on Tuesday that organizations providing services related to Ukraine or critical infrastructure should reconsider the risk associated with using Russian computer technology in their communication chains. ‘supply.

“We have no evidence that the Russian state intends to bribe Russian commercial goods and services to cause damage to British interests, but absence of evidence is not proof of absence,” he said. said the National Cyber ​​Security Center in a blog post.

Reporting by Christopher Bing; edited by Chris Sanders and Grant McCool

Our standards: The Thomson Reuters Trust Principles.