This story, originally published on July 21, 2017, has been updated to reflect recent developments. The original story in full follows the update.
In the spring of 2015, a private contractor working for the NSA's hacking wing took home classified materials and put them on his home computer, multiple unnamed sources told the Journal.
Kaspersky antivirus software running on the contractor's computer noticed the NSA files, which may have contained NSA-designed malware, and somehow tipped off Russian state-sponsored hackers to its presence. The Russian hackers then targeted the contractor's home machine and copied the NSA files.
However, catching NSA malware on a user's computer is exactly what antivirus software is supposed to do. Kaspersky Lab has exposed several likely NSA cyberespionage efforts in the past few years, as well as some Russian ones, and it knows what state-sponsored spyware looks like.
A former NSA staffer told the Journal that Kaspersky antivirus software is "aggressive" in its search for malware on user machines. But for anyone who didn't have copies of NSA files on his or her computer, this would be a good thing.
"We make no apologies for being aggressive in the battle against malware and cybercriminals," company head Eugene Kaspersky said in a personal blog posting put up shortly after the Journal story ran. "If our technologies detect anything suspicious and this object is identified as malware, in a matter of minutes all our customers — no matter who or where they are — receive protection from the threat."
So did Kaspersky do it or not?
Left unanswered in the Journal's story, and in a companion story in the Washington Post, was the question of whether Kaspersky Lab itself actively told the Russian government about the NSA files on the contractor's machines.
It's possible that the company was compromised by the Russian government without its knowledge — or that Kaspersky Lab knew the Russian security services were listening in, but couldn't do anything about it.
"The key question is what triggered the Kaspersky APT investigation. Was it bc he's an NSA employee? Looking at docs? If so, Kaspersky is toast," tweeted Matt Tait, a British cybersecurity expert and former staffer at GCHQ, the U.K.'s equivalent of the NSA. "But if it's just signatures on NSA implants and NSA exploits, then this is Kaspersky just doing its job, and not at all a Kaspersky-Russia thing."
Both Kaspersky the man and Kaspersky Lab the company have consistently denied any active collusion with the Russian government. In his blog post last night, Eugene Kaspersky said that doing so would make his job impossible.
"We never betray the trust that our users place in our hands," he wrote. "If we were ever to do so just once, it would immediately be spotted by the industry and it would be the end of our business — and rightly so."
In the face of this new information, our own position remains the same: Don't run Kaspersky antivirus software if you or your close family members work for the U.S. government, for a defense contractor or for a company involved in running or maintaining critical infrastructure.
But for everyone else, Kaspersky antivirus software can't be beat. Until we have a real smoking gun — and this story isn't it — we will continue to recommend it.
UPDATE to the update: On Oct. 10 and 11, The New York Times, the Washington Post and The Wall Street Journal all published stories detailing further allegations made against Kaspersky Lab by unnamed current and former U.S. government officials. Our take on those allegations is here. While the allegations are very serious, we feel it would be unfair to act upon them based on accusations made anonymously and without proof.
Our original story:
Russian antivirus firm Kaspersky Lab has been in the news a lot lately, and not in a good way. The U.S. Congress may ban Kaspersky products from the Pentagon. The federal bureaucracy has removed Kaspersky Lab from its list of approved vendors. And FBI agents have interviewed some of Kaspersky's U.S. employees at their homes.
All this has happened mainly because Kaspersky Lab and its CEO and co-founder, Eugene Kaspersky, are perceived as being close to the Kremlin. Reports in major Western news outlets have alleged strong ties between Kaspersky Lab and the Russian security services, though there's not much of a smoking gun.
Eugene Kaspersky has fired back, insisting that his company is free from government interference. He's even offered to show the U.S. government the source code of his company's products. So far, the pushback isn't working.
Not much evidence
I don't know how close Kaspersky Lab is to the Kremlin. I've met Eugene Kaspersky a few times, and I think he talks too much to make a good spy. But I do know one thing for sure: Kaspersky antivirus software is excellent, and unless you're running a nuclear power plant, designing a jet fighter or operating the New York Stock Exchange, it should be safe to use.
Let me state right off the bat that I am not a Russian apologist. The evidence is overwhelming that the Russian government influenced the 2016 U.S. presidential election through propaganda and selective disclosure of stolen information. Cybersecurity experts were aware of Russian electoral machinations in March of 2016, before the GOP primary process was even finished.
But there's no evidence Kaspersky Lab had anything to do with that. What is clear is that Kaspersky has a terrific team of researchers looking into malware and cyberespionage, and they freely and actively share what they discover.
The company has not one, but three cybersecurity blogs that I read every day: the general Kaspersky blog, the technical but informative Securelist blog and the excellent but less technical Threatpost news site.
Yes, Kaspersky has uncovered cyberespionage campaigns conducted by U.S. intelligence agencies, most notably the Flame spyware platform. (Contrary to widespread belief, Kaspersky did not discover the Israeli-NSA Stuxnet worm.) But Kaspersky has also uncovered Russian cyberespionage efforts, such as the Red October campaign.
More recently, Kaspersky Lab did some of the most important work in analyzing the Petya/ExPetr ransomware worm that hit Europe in late June. Kaspersky was the first major cybersecurity company to state that this worm was actually a cyberweapon disguised as ransomware — and the evidence pointed to Petya being part of a Russian attack against Ukraine. (Kaspersky Lab has a policy of not explicitly attributing state-sponsored malware campaigns to any particular state, but it's usually not hard to read between the lines.)
But then, it is Russia...
Nevertheless, it's true that Kaspersky Lab couldn't have become such a successful Russian company, and Eugene Kaspersky a billionaire, without approval, both official and unofficial, from the Russian government, which likes to hold the reins on rich businesspeople. It's also true that Eugene Kaspersky was trained by the KGB's signals-intelligence division during the last years of the Cold War. Years ago, the company even touted that fact on the packaging of Kaspersky products.
The company admits that it works with the FSB, Russia's domestic-intelligence agency, when called upon. Kaspersky Lab got the government contract to secure the communications and computer systems at the 2014 Winter Olympics in Sochi, Russia. News reports have alleged that former Russian military and intelligence officials have been placed in sensitive jobs within the company. In January 2017, Russian authorities arrested a Kaspersky manager along with two active FSB officers. All were charged with treason.
But that doesn't make Kaspersky Lab an arm of the Kremlin, any more than top American information-security firms are arms of the U.S. government. (Many top American cybersecurity analysts have worked for the NSA, and there are rumors that the U.S. government places people high up in American telecommunications companies.) And Kaspersky itself insists that it can't favor one government over another, lest it lose customers worldwide.
Unfortunately, the company may lose customers anyway. Much as Edward Snowden's revelations caused many people around the world to lose faith in U.S. software products, justifiably or not, so too the Russian election-hacking campaign may cause Americans to suspect Russian software — and Kaspersky is by far the biggest and best-known Russian software company.
Who should use Kaspersky software, and who shouldn't
So is Kaspersky software safe to use? It's probably not a good idea for any U.S. defense contractor, federal agency or critical-infrastructure operator to use antivirus software from a potential adversary country. That includes not only Russian companies like Kaspersky and Dr.Web, but also Chinese ones such as Qihoo 360.
But private citizens need not worry that Kaspersky software will open up their computers to Russian hackers. If that were the case, it would have been found out already. What customers need to know is that Kaspersky antivirus software is really good — and will do a great job keeping out real threats instead of merely speculative ones.