The promise was clear: give our software all sorts of access to your computer, and we’ll make sure it isn’t infected with a bevy of viruses, worms, or other dodgy programs.
But one aspect of Russian-born cybersecurity company Kaspersky’s anti-virus product is threatening the sacred trust of its hundreds of millions of users around the world: the Kremlin’s intelligence apparatus can, if they feel like it, grab a copy of customer’s own files by leveraging Kaspersky’s software installed on computers across the world, according to reporting from The Wall Street Journal.
Now, multiple U.S. security consultants and other industry sources tell The Daily Beast customers are dropping their use of Kaspersky software all together, particularly in the financial sector, likely concerned that Russian spies can rummage through their files. Some security companies are being told to only provide U.S. products.
And former Kaspersky employees describe the firm as reeling, with department closures and anticipation that researchers will jump ship soon.
“We are under great pressure to only use American products no matter the technical or performance consequences,” said a source in a cybersecurity firm which uses Kaspersky’s anti-virus engine in its own services. The Daily Beast granted anonymity to some of the industry sources to discuss internal deliberations, as well as the former Kaspersky employees to talk candidly about recent events.
Last week The Wall Street Journal reported that Kaspersky’s software was tweaked to not only hunt out for malware, as a piece of anti-virus is expected to, but also documents marked as “top secret”—a change that U.S officials believe only could have been made with Kaspersky’s knowledge. Kaspersky’s software helped steal sensitive files from an employee of the NSA’s elite hacking unit Tailored Access Operations (TAO)—the unnamed worker took classified information home to his Kaspersky-loaded personal computer.
Eugene Kaspersky, the founder of the company, has denied any knowledge of this function of Kaspersky’s software. Last Tuesday, he announced in a tweet an internal investigation into the issue. A former Kaspersky employee said the company’s researchers "are not involved or privy to any political shenanigans and they're the public faces.”
Even if the company’s chief executive or its employees were unaware of the Russian government’s newly reported spying capability, some customers will think that Kaspersky, by allowing its product to act as an espionage tool, has betrayed customer trust—the very point of the software is to keep hackers out, not provide them a way in.
Blake Darché, a former NSA operator and co-founder of cybersecurity firm Area 1 Security, told The Daily Beast that consumers, including one of his own family members, are removing Kaspersky from their computers.
To be clear, many of Kaspersky’s customers—ordinary users who just want to protect themselves and their bank accounts from cybercriminals—are likely not under direct threat from this Kremlin-spying. Kaspersky’s anti-virus is generally seen in the information security industry as a robust product. But for some users, including those in the U.S., it will pose a serious issue.
“Essentially they are treating KAV [Kaspersky Anti-Virus] as malware,” Dave Aitel, a former NSA analyst and now CEO of security firm Immunity Inc., said of high security New York financials.
A consultant working with financial organizations said they know of one enterprise which is exploring how it can remove Kaspersky’s software.
The U.S. and Western Europe accounted for a weighty $374 million of Kaspersky’s $633 million sales in 2016, says market intelligence firm International Data Corp. Kaspersky has some 270,000 corporate clients, according to the company’s own figures.
The past few months have clearly had an impact on Kaspersky’s U.S. operations. In a May 11 Senate Intelligence Committee hearing, the heads of the FBI, CIA and the Director of National Intelligence all said they did not trust Kaspersky’s software. In September, the Department of Homeland Security banned Kaspersky software from U.S. government networks, giving agencies 90 days to start removing the anti-virus from their machines, and retailer giant Best Buy said it would remove Kaspersky software from its shelves, before Staples followed last week.
No one was present at the Virginia offices of Kaspersky’s U.S. subsidiary, KGSS, when a Reuters reporter visited them in July of this year. At the time, a Kaspersky spokesperson told Reuters that most of the employees work from home.
But according to one of the former Kaspersky employees, KGSS was closed at least two months ago.
“KGSS was setup to handle [government] sales. That was the obvious first casualty,” the source said, and added that most top managers in the U.S. are gone. Last Wednesday, CyberScoop reported that Jennifer Wood, the head of Kaspersky’s corporate communications in North America, left the company.
In a statement, a Kaspersky spokesperson said, “Given that U.S. government sales have not been a significant part of the company’s activity in North America, Kaspersky Lab is exploring opportunities to better optimize the Washington D.C. office responsible for threat intelligence offerings to U.S. government entities,” the company wrote. Reuters previously reported Kaspersky planned to open offices in Chicago, Los Angeles and Toronto in 2018. The spokesperson did not reply when The Daily Beast asked whether this is still the case.
Beyond losing customers, all of this scrutiny and media attention is also allegedly impacting Kaspersky’s researchers themselves.
"It's bad. GReAT guys in turmoil," the first former Kaspersky employee said, referring to the company’s Global Research & Analysis Team, which focuses on tracking high-level hacking campaigns.
“American guys are struggling most,” they said. The FBI questioned U.S. based Kaspersky staffers earlier this year. “I can’t discuss out of respect for them, but there will be significant departures,” the source added, without specifying which country these employees might be from.
A second former employee told The Daily Beast, “I think some researchers might leave as a result of the media saga, of course.” The source thought that other researchers will join the company, however, and didn’t think Kaspersky will disappear altogether.
“The world needs uncompromising APT research,” the former employee said, referring to so-called Advanced Persistent Threats, an industry euphemism for state-sponsored hackers.
Any major shifts within Kaspersky could have a knock-on effect onto other areas, and the customers who decide to stay put.
“Lots of big [organizations] pay money for that visibility that only Kaspersky has,” the first former employee added. “It that goes away, [there] will be a big dark spot. And it will go away when guys pack and leave.”
It’s unclear what impact the revelations will have on Kaspersky’s business outside of the U.S., though, as other countries say they have seen no indications that Russian spies are exploiting Kaspersky’s software.
“There are no plans to warn against the use of Kaspersky products since the BSI has no evidence for misconduct by the company or weaknesses in its software," a representative from Germany’s federal cyber agency told Reuters.
When The Daily Beast asked Eugene Kaspersky for comment directly, he pointed to a recent article covering Kaspersky’s prospects for the future, which reads "Eugene Kaspersky doesn't seem like the type of guy who would sabotage his own beloved company, which he tirelessly promotes."
The piece also says that Kaspersky “may face some dark days ahead.”