The Russian government used antivirus software from the private Russian company Kaspersky to steal classified U.S. data, according to several recent reports.

The revelations, following months of vague warnings from U.S. officials, suggest that the U.S. has “direct evidence that there are ways to remote into Kaspersky and pull data back without the user’s intention,” David Kennedy, a prominent security consultant and former U.S. Marines hacker, told Yahoo Finance. “And that is very, very scary. That means that anybody in the world that has Kaspersky installed may have the potential to have their data accessed by Kaspersky.”

But many in the cybersecurity community, such as American cyberwarfare expert Jeffrey Carr, argue that the U.S. government’s allegations shouldn’t be trusted and that “Kaspersky Lab has suffered more slander from more supposedly reputable news outlets than any company in recent memory.”

The debate broke open last week when the Wall Street Journal reported that Russian government hackers had stolen classified data from the home computer of an NSA contractor who had Kaspersky antivirus software installed. Kaspersky software, like all antivirus software, requires access to everything stored on a computer so that it can scan for malicious software (known as malware).

A subsequent New York Times report detailed how Israeli intelligence alerted the U.S. to the Russian espionage-via-antivirus after infiltrating Kaspersky’s system in 2014 and watching Russian hackers search computers running Kaspersky for specific codenames of classified American programs.

The Journal then reported that U.S. intelligence agencies “studied the software and even set up controlled experiments to see if they could trigger Kaspersky’s software into believing it had found classified materials on a computer being monitored by U.S. spies,” and that the experiments “persuaded officials that Kaspersky was being used to detect classified information.”

One former U.S. official, explaining that the company’s software would have had to be programmed to scan for specific keywords, asserted to the Journal: “There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this.”

A picture taken on October 17, 2016 shows Yury Namestnikov, the head of Kaspersky’s Russian research and analysis department at the company’s headquarters in Moscow. (AFP PHOTO)

‘I think it settles things’

Kaspersky denied the allegations, saying, “Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question.” Consequently, the question is whether observers should trust Kaspersky or the U.S. government, which is making the claims through selective leaks and mostly anonymous sources.

“I think [the slew of reports] settles things, but that’s only if you have some element of trust in what the [U.S.] government is leaking,” Dave Aitel, a former NSA research scientist and CEO of the cybersecurity company Immunity, told Yahoo Finance. “It’s not like we have real evidence. And that’s a difficult thing. … We are now in a world where the [U.S.] government may never be able to present the real evidence against a company and still is going to be forced to act on it. And we’re going to all have to make decisions about whether we trust the government in each and every case because they’ve been wrong before.”

Skeptics demand pure evidence, which the U.S. government cannot provide without revealing highly valuable details about how the information was obtained.

“There’s no good way to do it is the problem,” Aitel said. “It’s not like there’s been a magical way where you can both show the evidence and protect sources and methods. And I don’t think there ever will be, especially in this world which is so tightly tied to intelligence sources — where we have a difficulty [trusting] the government in the first place. The issue, largely, is that we don’t trust the [U.S.] government. And there’s really good reasons for that.”
