Kaspersky Needs to Come Clean About Russia Spying Accusations

UPDATED 4:55 pm EDT Wednesday, Oct. 11 with details from new Wall Street Journal story.

The allegations against Kaspersky Lab in last night’s New York Times and Washington Post are very serious. The Times story says that Israeli intelligence tipped off the NSA that Kaspersky antivirus software was looking for NSA-related files on U.S. computers. The Washington Post’s sources told it the same thing.

A Kaspersky Lab facility near Moscow. Credit: StockphotoVideo/Shutterstock

(Image credit: A Kaspersky Lab facility near Moscow. Credit: StockphotoVideo/Shutterstock)

It was spies spying on spies spying on spies. The first batch of spies told the third batch of spies what the second batch of spies were up to.

The Israelis reportedly penetrated deep into Kaspersky Lab’s systems and installed long-lasting backdoors that let them have access for many months. They reportedly grabbed screenshots of Kaspersky software looking for and collecting NSA code, then showed the evidence to the NSA.

MORE: Best Antivirus Software

Presumably, that is how the NSA learned that an unnamed NSA employee, whose story broke last week, had had his home computer snooped on by Russian intelligence after the Russians learned via Kaspersky AV software that the employee had NSA files on his home computer.

Is there an innocent explanation? Yes, but the window of possible explanations is narrowing quickly.

Now is this true? We don’t know. All of the stories this week and last week rely on unnamed sources, said to be both current and former U.S. government officials. These are intentional leaks from U.S. government agencies — the kind where the reporter gets a call and is fed information.

No one is willing to go on the record here. The Times story is already being criticized for inaccuracy and innuendo, which often happens with Times information-security stories.

The only concrete piece of information we have is that the Israelis DID hack deep into Kaspersky’s systems around 2015 — which was discovered and disclosed by Kaspersky Lab itself at the time. (Kaspersky Lab also said the attackers had penetrated American targets, which makes me wonder if some of those targets might have been U.S. antivirus companies.)

Could the accusations against Kaspersky be true?

Could this all be true? Certainly. Antivirus software has high system privileges and can see everything that’s happening on your machine. That’s how it works. It’s an ideal spying tool.

Could Kaspersky Lab be complicit? Sure. It could be handing over all sorts of information to the Russian security services. Or it could be complying with Russian government pressure to let it spy on its data-collection lines.  Or the Russian government could be doing so without Kaspersky’s knowledge. Or the Russian security services could be planting operatives on Kaspersky staff.

Is there an innocent explanation? Yes, but the window of possible explanations is narrowing quickly. What really matters is what KIND of NSA files the Israeli screenshots showed Kaspersky software grabbing, and right now, we don’t know.

If it was NSA malware, then that’s perfectly legitimate. Kaspersky knows what a lot of NSA malware looks like, and it would detect it and report it to home base. Any antivirus software would do the same.

If it was NSA code snippets that aren’t necessarily malware, that’s legit too. Known malware writers tend to reuse the same bits of code for various purposes, and NSA-specific code would be recognizable and reported even if it wasn’t doing anything malicious.

But if the Kaspersky software was programmed to look for Word or PDF files that contain the words “NOFORN” or “TOP SECRET,” then that changes things entirely.  Then it would be flat-out spyware. [UPDATE: A new Wall Street Journal story alleges exactly that. Details below.]

What happens next?

Eugene Kaspersky says he is launching an investigation. He also has reiterated his offer to come to Capitol Hill to testify, and to let U.S. government examiners look at his products’ source code.

He is trying to save his company. Allegations like this will force customers away in droves.

If I were him, I would close the Moscow facilities and relocate everything overseas. It would be difficult, but Eugene Kaspersky has been gingerly stepping toward that for years, for example by moving the company’s legal base to London a few years ago.

The real question is how this affects the U.S. end user. Kaspersky remains our top-rated premium security suite, thanks to its excellent malware protection, nearly limitless customization options and light system load. Unless and until we have facts from reliable sources that state otherwise, we continue to recommend Kaspersky software as safe for home use.

UPDATE: The Wall Street Journal reported Wednesday, Oct. 11, that anonymous sources had told it that Kaspersky scan parameters were updated at some point to search for terms such as "Top Secret" and classified code names of U.S. government programs, presumably similar to or identical to those government programs revealed in documents leaked by Edward Snowden.

At the same time, Reuters reported that Germany's signals-intelligence agency said it had no evidence that Kaspersky software had been used to spy on U.S. intelligence agencies.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.