It's 'very possible' that Kaspersky Lab found NSA malware, says CEO

By Alexander J Martin, Technology Reporter - Exclusive

"Technically, it's a very possible scenario," Eugene Kaspersky told Sky News, responding to whether his anti-virus software could have found new US National Security Agency hacking tools on a staffer's home computer.

Mr Kaspersky is the chief executive and namesake of Kaspersky Lab, a Russian anti-virus company which is vigorously denying US media reports that it was responsible for Russia's Federal Security Service (FSB) stealing cyberweapons from an NSA employee who stashed them on his home PC.

Between the media reports sourced from anonymous intelligence personnel - and Kaspersky's protests of innocence - are a number of hypothetical scenarios which suggest very different facts about the cybersecurity company and its relationships with two rival intelligence agencies constantly attempting to hack each other.

In an exclusive interview with Sky News, Eugene Kaspersky acknowledged the harm the claims of his company's involvement with espionage had done to his business, and said he did not understand where the allegations could have originated from.


Speaking to the media for the first time since the allegations were published, the Kaspersky Lab chief executive also said that he had sent legal warnings to organisations outside of the US to protect his company's reputation.

:: Legal warnings sent

Mr Kaspersky describes the allegations as "definitely not true" but said his business saw "almost zero opportunity for us to start legal action against the United States media because this information was made in such a way that it's not possible to start the legal case".

"For example, they say that I have a strong relationship with Russian intelligence. If you read it, you understand it as we do have a close relationship with Russian spy agencies," he continued.

"But the term 'intelligence' also covers police investigations. So technically speaking, if we have the relationship, if we have a raid with cyber police, like the FSB cybercrime department, or if we cooperate with agencies like the FBI, it means [we have that relationship with] 'intelligence'."

The CEO stressed that Kaspersky Lab only cooperates with legitimate criminal investigations and has never engaged in espionage activities.

At the same time as reading these reports in the US media, Kaspersky Lab issued legal warnings to organisations in other countries who were potentially alleging falsehoods, according to the chief executive.

"We sent a warning to these companies that we are about to start a legal case against them and they stopped, so they satisfied our needs," he said.

A spokesperson clarified: "No legal warnings were issued to any media outlets, but we did get in touch with some competitors about their underhand marketing campaigns and as a result most stopped the campaigns and publicly apologised."

Despite these protestations of innocence, Kaspersky Lab's reputation has been significantly damaged in the US.

Mr Kaspersky, who is a mathematician by training, said that while there was "no 100 per cent guarantee" it was a "very, very low risk - almost zero - that our network is compromised by some security service which is using our products to spy on the customers".

He stated in absolute terms that it was "a zero risk that our employees do anything wrong, because it will be visible".

"Of course, if it's true, it will simply kill our business," acknowledged Mr Kaspersky.

"But the good news is that most of our customers, most of our partners, they don't really believe it's true and they don't really trust these false allegations."

The company has now announced a global transparency initiative in response to the allegations, aiming to win back the trust of those who believe it may pose a security risk to them.

Chinese telecoms giant Huawei had previously embarked on a similar transparency project as part of its bid to have its products used within the UK's critical national infrastructure.

One security researcher noted to Sky News that the Kaspersky and Huawei transparency efforts seem far superior to the efforts shown by US network vendors, with mystery still surrounding a sophisticated cryptographic backdoor discovered in software from California-based Juniper Networks.

Image: FBI Director James Comey (L) and National Security Agency Director Mike Rogers (R) arrive to speak during the House Permanent Select Committee on Intelligence hearing on Russian actions during the 2016 US election campaign on 20 March, 2017

:: Russian hostility

Before the reports in October, Kaspersky Lab's reputation had already been damaged by a ban of its products being used on federal government systems.

Criticism regarding Russian enterprises and individuals with connections to Russia became increasingly common following allegations of Russian interference in the presidential election.

At a Senate Intelligence Committee public hearing in May, the heads of six intelligence agencies said they would be uncomfortable with Kaspersky Lab software on their agencies' computers.

In an opinion piece for The New York Times, US Democrat Senator Jeanne Shaheen cited these comments and explained why she was "advancing bipartisan legislation to prohibit federal government from using Kaspersky Lab software" - legislation which was quickly passed.

"I cannot disclose the classified assessments that prompted the intelligence chiefs' response," wrote the New Hampshire politician, adding that despite Kaspersky Lab's refutation of a "backdoor" it was the nature of anti-virus technology to require complete access to a computer's files and to upload suspicious ones to the company's own servers for investigation by its analysts.

This could allow the software to function as an espionage tool searching through government computers, argued Mrs Shaheen, adding that the legal regime in Russia was constructed in such a way that Kaspersky Lab was beholden to the Kremlin's directions if it wanted to exploit the anti-virus software for spying.

But as Mrs Shaheen said, this was "a normal situation [for] any anti-virus company," Mr Kaspersky argued to Sky News, and it was not a situation that justified why his company was being singled out for criticism.

At the time, Kaspersky Lab told Sky News it "was not involved in and does not possess any knowledge of the situation in question".

It argued that "no credible evidence has been presented to suggest that such an alleged incident ever happened. Further, we can state categorically that Kaspersky Lab doesn't provide user information to any third party, and doesn't assist any government in the world with its offensive activity".

Asked hypothetically whether Kaspersky Lab could have identified new NSA malware on an employee's home computer, the CEO was unequivocal: "Yes, of course."

"Technically it's a very possible scenario," he explained: "Actually what we do, we are looking for the already known malware, we simply detect it and remove it from computers, and also we are watching the new suspicious applications, new suspicious data which could be new types of malware," he said.

"In this case, according to our End User License Agreement if the computers are connected to our cloud services, and only in this case, we upload the suspected files to our cloud services for further processing.

"And actually it's a very possible situation and actually it happens a thousand times a day when new malicious files are uploaded to our cloud services."

At the time of Mrs Shaheen's campaign, the anti-virus business claimed "the only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it's being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts".

The company's CEO told Sky News that he no longer believed this: "Right now, I simply don't understand what is going on... the company is not so big, so important, to be under this huge wave of allegations."

Professor Mark Galeotti, an expert on Russian security affairs at the Institute of International Relations in Prague, told Sky News that the allegations were occurring in an environment which might be perceived as inclined to attribute a range of misdeeds towards Russia before there was sufficient proof.

"Clearly context is crucial," Professor Galeotti said. "Under any circumstances, potential cyber-espionage matters, but given the current frenzy about Russian hacking and online subversion, this has clearly become not just a priority but a public issue."

There may be a confluence of factors contributing to the attacks against Kaspersky Lab, the company's CEO told Sky News.

"I don't really understand what's going on, why we're under the media attack and the government attack... maybe most probably this anti-Russian wind in the United States is one of the components," he said.

Image: Inside the National Security Agency's Threat Operations Centre at Fort Meade, Maryland

:: Classified

Asked what would happen if the anti-virus software identified NSA hacking tools as suspicious and uploaded them for analysis, Mr Kaspersky told Sky News: "In our virus lab, all our virus researchers and all our experts have a strict note that if we download, by mistake or by the cloud services, if we download any kind of classified information and if we see it's classified information - it doesn't matter the origin of this information - it must be deleted."

While this leaves open the possibility that a security flaw in Kaspersky's network allows a third party to intercept material between the device it was found on and its researchers' digital laboratories, it is not always clear whether malware is indeed classified.

An academic researcher who spoke to Sky News said they had been surprised by a particular quality of the CIA's Vault 7 malware, which WikiLeaks began to release in March.

They were surprised that the hacking tools which were leaked were mostly unclassified because they had to comply with CIA classification standards which allowed the malware to be sent to infect a non-security-cleared target's computer.

It may have been possible that the NSA made a similar decision with the tools alleged to have been captured by Kaspersky Lab's anti-virus.

"In general terms, it is fair to assume that as a high-tech company operating in Russia in an intrinsically sensitive field, Kaspersky Labs will have some kind of relationship with the Russian security apparatus in general, FSB in particular," Professor Galeotti said.

He added this was not exceptional: "Much as, if we're honest, many of their western counterparts will with the NSA, GCHQ and the like."

Kaspersky Lab has maintained that it does not have any improper relationships with intelligence agencies.

Its global research and analysis team have identified and disclosed details about hacking campaigns believed to be conducted by both US and Russian intelligence agencies.

The company may have legitimate commercial and security relationships with security agencies, but it says these are only for defensive purposes.

The company has dismissed claims that it is actively colluding with the FSB to spy on its customers. It also said that annual security audits at Kaspersky Lab have found no breach of its network or exploitable code that would allow Kremlin operatives illicit access.

"We are absolutely sure that there's nothing wrong," said the CEO, repeating there was no evidence for the allegations at all.

Image: Eugene Kaspersky: 'We are absolutely sure that there is nothing wrong'

:: NSA (No Security = Accidents?)

Security professionals consulted by Sky News - many of whom had formerly worked in cybersecurity for the British government - unanimously and independently declared that regardless of the substance of the allegations against Kaspersky, a large portion of blame should fall on the NSA employee who stored the hacking tools on his personal computer, away from the agency's secured networks.

The NSA employee who took the data home is reported to have worked at the agency's elite Tailored Access Operations hacking unit.

He could potentially be the fifth leaker of NSA data - intentionally or not - since Edward Snowden in 2013.

Former employees of the elite team recently told The Daily Beast that removing secret hacking tools from the cybersecurity facility was "child's play".

None of the experts consulted by Sky News said they had heard of concerns regarding Kaspersky Lab anti-virus within the security and intelligence community in the UK or outside of the US, although their periods of employment preceded the publication of the claims against the company.

A Reuters news report in July stated that the UK's National Cyber Security Centre had never given Kaspersky products a tick as part of its commercial product assurance scheme.

However, it did not mention that no anti-virus products at all had received certification from the National Cyber Security Centre, as the experts there said there are no objective security characteristics for such products.

A spokesperson for the NCSC told Sky News: "Our end user device guidance and the commercial product assurance scheme help departments with the design of their systems and the selection of products to implement it.

"Supply chain security is a complex problem and our advice is much more detailed than noting the name on the product or the country the vendor comes from."

Image: An analyst looks at code in a malware lab

:: Damaging claims

How damaging the reports have been for Kaspersky "depends on the country," said the company's CEO, admitting the firm was "expecting the allegations to have a negative impact on the United States".

"It's not too much, but unfortunately after all these stories, we'll have there negative growth in the United States. But in many other nations our business is growing," he said.

In October, Germany's Federal Office for Information Security (BSI) told Reuters that it had no evidence to support the US media reports.

"There are no plans to warn against the use of Kaspersky products since the BSI has no evidence for misconduct by the company or weaknesses in its software," the agency said.

Mr Kaspersky told Sky News that Germany's strict privacy laws made it a potential destination for its planned European transparency centre.

"The false allegations don't really affect our business, except in the United States," he added, although he did not go into details about how significantly Kaspersky's US business was being affected.

A report this month by The Daily Beast described a very difficult picture for Kaspersky Lab in America, with former employees claiming many staff were leaving the company.

"Our position is the same - the company is open for cooperation. We can disclose any data which the United States Government needs. We can prove that we don't do anything wrong," Mr Kaspersky told Sky News.

The US House of Representatives has scheduled a hearing on Kaspersky Lab for 25 October.

Mr Kaspersky said at the time of the scheduling that he looked forward to "having the opportunity to address the committee's concerns directly".

However, he has not been invited to give evidence, and no Kaspersky Lab representatives are listed among the witnesses.