TALK TO ME
What It’s Like to Be Targeted by an (Alleged) Private Spy
AP reported Wednesday that an undercover agent apparently working for Russian cybersecurity firm Kaspersky Lab had targeted researcher Keir Giles. This is his side of the story.
I bear no grudge against Kaspersky Lab, the Moscow-based cybersecurity company. I’ve only met Eugene Kaspersky, the firm’s founder, once, briefly, at a cybersecurity conference years ago. He was thoroughly charming. And friends in the business tell me that Kaspersky Lab’s technical expertise is top-notch.
However, it is true that I wouldn’t want to see their software installed on any system that contains information that shouldn’t be shared with the Russian government. And it’s that view that apparently brought me to the attention of shadowy figures working undercover, with a specific interest in discrediting people who say it publicly. That’s what led to bizarre encounters in a smart London hotel with a mysterious individual pretending, not very well, to be a Far Eastern investment consultant wanting to talk about Russia.
Meeting “Lucas Lambert”
It all started at the end of April 2018, with an email out of the blue to my address at Chatham House, the London-based think tank, asking me if I would be willing to speak at a conference. That’s not so unusual—I do get invitations like that, including from organizations I’ve never heard of before. In this case, it was supposed to be an investment consultancy with offices in Tokyo and Hong Kong, and the “senior partner” who contacted me asked to meet up in London to discuss it further.
That meeting was odd, but not so odd that I was sure it was a set-up. Mr. Lambert, my senior partner, said he was from Belgium but didn’t have a French or Flemish accent—instead, he sounded central European. He said he lived in Hong Kong, so since I know it well I asked him where; his answer didn’t sound like anything people who really live there usually say. And when I had looked up his company before the meeting, the website seemed generic, vague and anonymous. But all of this was within the bounds of possibility for being genuine.
Instead, what seemed definitely off-key was the topic of the conversation. From the general chat about the presentation on Russia and cybersecurity that he was asking me to give, Lambert kept steering the conversation back to Kaspersky Lab, and why the previous year I and other people commenting in the media had been urging caution on using their products. Who were we doing this for, he asked?
The answer I gave him, consistently and repeatedly, was that nobody had told or paid me to advise against Kaspersky. Instead, it seemed to me completely logical that you shouldn’t have Kaspersky antivirus software on a computer that contains anything you would rather the Russian government didn’t see. It’s pretty straightforward really: antivirus software scans the contents of your computer to check for malicious content, and reports back on what it finds to a central server. So far so normal, only in the case of Kaspersky, at the time I was talking to the media about it those servers were in Moscow.
So, I said, even if Kaspersky Lab is being completely open and truthful about being innocent of any collusion with the Russian government for espionage purposes, simple prudence would dictate that if you want to keep something confidential from Russia—like, for example, the contents of any computer belonging to a Western government—you shouldn’t put Kaspersky antivirus software on it. It’s easy enough to think of the reverse situation—no Russian government computer would be installing American antivirus software, because of exactly the same concerns.
“Speak up, please”
But Lambert wasn’t satisfied. He asked again and again whether there had been any ulterior motives behind negative media commentary on Kaspersky. He wanted to know if I, or anybody else who had been quoted in the media, had been induced to do so by Kaspersky’s competitors in order to drive down their market share and cost them business. And throughout the conversation, he reminded me that I should speak up and speak clearly and from time to time asked me to repeat myself because, he said, he was hard of hearing.
So by the end of that meeting I was willing to continue the conversation, but warily. Lambert set a provisional date for me to travel out to Hong Kong to deliver the keynote talk and stay on for a day of consultations. He offered flights, accommodation and a fee of US$10,000 for doing so. The fees that people like me earn for sharing our knowledge and expertise vary hugely from job to job: in this case, the offer was well towards the generous end, but not so crazily as to be suspicious. Lambert also asked me to put him in touch with friends and colleagues in the same situation, who could contribute to his conference. He wanted an introduction to Michael Daniel, a former U.S. government official now with the Cyber Threat Alliance, which I couldn’t give. Instead, I contacted a cyberexpert friend working at a U.S. think tank, and explained the offer.
My job involves dealing with Russia, and as a result I may be a little more suspicious about unsolicited approaches than the average person. I’ve had some pretty sophisticated attempts at hacking my email accounts and computers in the past—and of course, you only know about the ones that fail, and can never be sure that something else has not succeeded.
Earlier this year I published a book about Russia, which was immediately used as bait in a cyberattack against Chatham House colleagues. They received emails from a spoofed address made to look like mine, with a note from somebody claiming to be my (non-existent) personal assistant, and a link which claimed to be to sample chapters from the book. But what gave the game away for most of them was the follow-up phone call to their personal numbers from somebody with a thick Russian accent still claiming to be my assistant and urging them to click on the link.
So when I contacted my cyberexpert friend, I also warned him that I was suspicious about Lambert’s company. My friend laughed, and joked about us arriving in Hong Kong and being kidnapped and paraded on Chinese television making a confession. As it turned out, that wasn’t what we needed to worry about.
Lambert later asked me for another meeting in the same hotel, and I agreed. And it was at that meeting that I became convinced I was being set up. Not only did the conversation keep coming back to Kaspersky, but Lambert told me that at our previous meeting I had actually said that I and others had urged against using Kaspersky software because we were being induced to do so by Kaspersky’s competitors. That just wasn’t true, and I said so straight away. The conversation continued, with Lambert reminding me again and again to speak directly toward him, speak up, and repeat myself. All of that left me fairly confident by the end of the conversation that the aim was to record me saying something incriminating that would discredit me or colleagues. And finally, Lambert asked for yet another meeting—only this time I must have the lunch he kept offering me, and “talk about something other than work.”
By now the faint alarm bells I thought I heard earlier were ringing loud and clear. So it was at this point that I decided to drop any further contact with Lambert, and forget about the prospect of a $10,000 fee and business-class flights to Hong Kong. He carried on writing to me, about once a month, before giving up in the middle of October after a final message about the supposed conference being postponed. Meanwhile, my U.S. colleague had also met Lambert, and come away with a similar offer—as well as similar questioning about Kaspersky.
I still had my doubts about whether Lambert and his company might in fact be genuine, but just odd. And those doubts persisted right up to the point when journalist Raphael Satter, working with Associated Press, told me what he had found during his investigations into a group of high-end private investigators that had targeted Citizen Lab, a Canadian organization working on information technology and human rights. Those investigators have since been linked to the Israeli intelligence company Black Cube in a Canadian court case. And now, Raphael told me, somebody was using exactly the same techniques against people who had been seen to be critical of Kaspersky Lab. As I told him about my own experience, it seemed gradually to tick all the boxes. And the result was Wednesday’s news story describing me as the “Kaspersky opponent” who was targeted by undercover operatives in a sophisticated sting operation trying to discredit Kaspersky’s critics.
There is no direct evidence that Kaspersky ordered incriminating evidence to be collected in this way—when asked by AP, however, they didn’t deny it. And there is no direct evidence that they hired Black Cube as intermediaries to do so, or that “Lucas Lambert” works for Black Cube. However, AP and their sources at Citizen Lab noted that almost exactly the same techniques had been used in Black Cube operations, right down to the same surname for the front man.
But whatever the truth, for me it’s been a fascinating and slightly bizarre glimpse into a parallel world where nobody is quite who they claim to be—and firmly convinced me that it’s a world I want nothing to do with. At this point I am just hoping that the story is over. But I’ve had the warnings that whoever was behind this operation could still be willing to attack or smear me, with a cyberattack, or manipulated video, or fake news, in revenge for it being exposed.
In fact, the silliest part of the whole affair is that whoever commissioned Mr. Lambert to grill me could just have asked me what they wanted to know. There was no need for the secrecy, the deviousness or the pantomime. I would have just told them anyway.