Officials fear Russia could try to target US through popular software firm under FBI scrutiny
The FBI launched a probe tied to the company several years ago, sources said.
Russia’s growing aggression toward the United States has deepened concerns among U.S. officials that Russian spies might try to exploit one of the world’s most respected cybersecurity firms to snoop on Americans or sabotage key U.S. systems, according to an ABC News investigation.
Products from the company, Kaspersky Lab, based in Moscow, are widely used in homes, businesses and government agencies throughout the United States, including the Bureau of Prisons. Kaspersky Lab’s products are stocked on the shelves of Target and Best Buy, which also sells laptops loaded by manufacturers with the firm’s anti-virus software.
But in a secret memorandum sent last month to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, the Senate Intelligence Committee raised possible red flags about Kaspersky Lab and urged the intelligence community to address potential risks posed by the company’s powerful market position.
“This [is an] important national security issue,” declared the bipartisan memorandum, described to ABC News by congressional sources.
In February, the Department of Homeland Security issued a secret report on the matter to other government agencies. And the FBI is investigating the nature of Kaspersky Lab’s relationship to the Russian government, sources with knowledge of the probe told ABC News.
The company has repeatedly insisted it poses no threat to U.S. customers and would never be used as a government tool.
Current and former U.S. officials, however, point to company executives who previously worked for Russian intelligence and military agencies. They worry that Kaspersky Lab’s software could allow state-sponsored hackers to steal users’ files, read private emails or attack critical infrastructure in the United States.
Kaspersky Lab’s possible relationship with Russian intelligence services “makes a lot of people in the national security community uncomfortable,” said Eric Rosenbach, a cybersecurity veteran who until January was the Defense Department’s chief of staff.
In particular, current and former U.S. officials fear Kaspersky Lab products have the potential to facilitate Russian cyberattacks on power grids or other key utilities.
“That is something I have followed for a long time and have significant concerns about,” former U.S. Deputy Secretary of Energy Liz Sherwood-Randall said.
There was “widespread knowledge that this poses a huge risk to the U.S. critical infrastructure,” according to Michael Carpenter, who until January served as the Defense Department’s deputy assistant secretary for Russia, Ukraine and Eurasia.
Last year, FBI officials communicated potential concerns about Kaspersky Lab to a select group of private-sector leaders, including the Electricity Subsector Coordinating Council, an organization of electric company chiefs from across North America, sources said. The Senate Intelligence Committee also received several briefings on the matter.
Adversaries like Russia “seek to exploit grid vulnerabilities to serve strategic objectives in wartime and are growing capabilities to strike at U.S. critical infrastructure,” warned a report published by the Energy Department last year.
“The potential for lethality is astronomical,” Carpenter said.
Kaspersky Lab has long maintained it has no “inappropriate” links with the Russian government, and it recently issued a statement dismissing the types of concerns being raised by U.S. officials.
“Kaspersky Lab does not develop any offensive techniques and has never helped nor will help any government in the world with their offensive efforts in cyberspace,” it read.
In an interview with ABC News, the founder and chief executive officer of Kaspersky Lab, Eugene Kaspersky, called U.S. government warnings about his company “wrong advice” and said that “rumors about our partnership with government agencies [are] false.”
Nevertheless, in discussing their concerns about Kaspersky Lab, current and former U.S. officials also point to Russia’s System of Operative-Investigative Measures (SORM), which “legally permits authorities to monitor and record all data that traverses Russia’s networks,” according to the State Department.
Russian authorities must obtain a court-approved warrant to collect a customer’s information from a company. But the company doesn’t always get to see the warrant, and authorities may lawfully gather information on anyone else later tied to the targeted customer “so long as the new targets are part of the same operation,” according to a State Department SORM fact sheet obtained by ABC News.
“In practice, these are very broad powers,” and “Russia’s approach is more flexible and intrusive than similar Western systems,” the State Department wrote.
Carpenter said the law means “the Russian government can demand” information from Russian telecommunications companies and that “poses enormous vulnerabilities … in terms of them being able to glean information in a time of conflict.”
In his interview with ABC News, however, Eugene Kaspersky insisted that unless ordered by a court in a criminal case, “we don’t share our customers’ data with anyone.”
“My response if I’m asked to spy on anyone coming from any state, any government — not only Russian — will be definite no,” he said.
Customers can opt out if they don’t want even anonymized data sent through servers in foreign locations like Russia, where it might be subject to collection under SORM. Also, enterprise and government users can install a local “Kaspersky security network center on their premises to make sure the data never leaves their facility or country,” a spokeswoman for the company said.
Eugene Kaspersky surmised that U.S. officials are now voicing concerns about his company “simply because” of the “present geopolitical turbulence” and the firm’s growing success.
The FBI probe and more questions
In 2009, Eugene Kaspersky personally led Russia’s then-President Dmitry Medvedev on a detailed tour of the firm’s Moscow headquarters.
With news cameras rolling, Medvedev told Eugene Kaspersky and leaders of other Russian tech firms that software development and other innovations inside Russia “should be under direct presidential control.”
Since then, Medvedev has become Russia’s prime minister, former KGB officer Vladimir Putin has retaken the presidency, and questions about the company have percolated online.
As far back as August 2012, in a long profile of Eugene Kaspersky, Wired magazine wondered whether he was “a tool of the Kremlin,” given his “KGB-sponsored training … and his deep and ongoing relationship with Russia’s Federal Security Service, or FSB.”
Around that time, FBI agents were asking similar questions, and they launched a counterintelligence investigation to uncover any possible efforts to collect intelligence on Americans and to assess Kaspersky Lab’s ties with Russian intelligence services, sources said.
Kaspersky Lab’s chief legal officer, Igor Chekunov, previously worked for Russia’s border patrol, which reported to the KGB. COO Andrey Tikhonov previously served as a lieutenant colonel in the Russian military, spending much of his service focused on information technology programs.
“These two guys, I am 100 percent sure they don’t have any wrong relations with the Russian government,” Eugene Kaspersky told ABC News, noting that both men joined his company more than 20 years ago.
He reiterated that company executives “don’t have a close relationship with the Russian government” in a way that could be viewed as “bad meaning.”
At a foreign press event in 2013, Kaspersky recalled that — with “so many” people in the United States asking him, “Hey, you’re a Russian spy?” — he once offered to let U.S. officials review all the digital code underlying his company’s products “to prove that you can trust us.”
Three sources told ABC News that several years ago, during a meeting in Washington, FBI agents tried to persuade Eugene Kaspersky to become an informant for the agency.
“He was not receptive to a pitch,” one source said. At the time, Kaspersky dismissed FBI concerns about his company, so the meeting “wasn’t fruitful,” according to another source.
But in his interview with ABC News, Kaspersky insisted the FBI “never” asked him to become an informant.
A Kaspersky Lab spokeswoman said, “Eugene has met with the FBI, and several other law enforcement organizations around the world, to discuss his company’s products and the best solutions for fighting cybercrime, and that’s the full extent of his conversations with those organizations.”
The FBI and other agencies in the U.S. intelligence community have yet to publicly present any evidence connecting company executives with Russian security services. And sources who spoke with ABC News did not offer any evidence suggesting Kaspersky Lab has helped breach a U.S. system or taken hostile action on behalf of the Russian government.
ABC News asked Eugene Kaspersky whether the Kremlin could force his company to target the United States. He responded, “I think it’s hardly possible.”
Nevertheless, the FBI investigation has pressed on, and in recent months, agents have taken further action to move their probe forward, including a review of records related to Kaspersky Lab, sources said.
‘They do some good things’
There is one key thing to remember about Kaspersky Lab: “They do some good things, and they have good products,” according to Carpenter.
Founded in 1997, the company boasts an estimated 400 million users in nearly 200 countries. And it reportedly rakes in hundreds of millions of dollars a year, making Eugene Kaspersky a very wealthy man not only through his company’s anti-virus software but also through the analysis it conducts about emerging threats.
Kaspersky Lab executives are widely looked to — and cited in news reports — as experts on global cybercrime and internet-based threats.
“We do our best with our technologies and services not only to develop the solutions against the threats but also to predict what’s next,” Eugene Kaspersky told ABC News. “And I’m happy to be one of the best companies to do it.”
Carpenter said Kaspersky Lab’s “level of technical sophistication is world-class.”
“Clearly its business model is dependent on it appearing to be a neutral, honest broker that is out there to protect cybersecurity across the board,” he added.
Last month the firm released the results of a yearlong investigation it conducted into what it called “one of the largest, most successful cyberheists ever,” involving the theft of $81 million from a bank in Bangladesh.
The company’s findings “helped to interrupt at least two other operations [attempting] to steal a large amount of money from financial institutions,” Kaspersky Lab said in a press release.
The company’s findings also interrupted secret cyberweapons deployed by foreign governments, including Russian and U.S. intelligence agencies.
“We do not care who’s behind the cybercampaigns we expose,” Eugene Kaspersky said in 2015, responding to a Bloomberg News report about his alleged ties to Russian officials. “There is cyber-evil, and we fight it.”
In 2013, Kaspersky Lab outed what it called Red October, an alleged Russian hacking campaign to spy on diplomatic agencies in Eastern Europe. Kaspersky Lab researchers were also behind the discovery of Stuxnet, the U.S. National Security Agency’s special cyberbomb targeting Iranian nuclear facilities in 2009 and 2010.
‘A huge market share’
Countless Americans use Kaspersky Lab products on their personal devices at home. And many local, state and federal government agencies also rely on the company — a choice driven in part by the affordability of the software.
“Kaspersky’s got a huge market share because it’s inexpensive and it works really well,” said Jeff Stutzman, a former Navy intelligence officer who now runs the cybersecurity firm Wapack Labs.
From the Los Angeles suburb of Covina, California, to small cities like Dahlonega, Georgia, Kaspersky Lab anti-virus software can be found in city halls, water treatment plants and other locally run sites.
In Arkansas, the office that manages the state’s ports and waterways is “currently running the Kaspersky solution,” according to the Arkansas Department of Information Systems. And in Oklahoma, Kaspersky Lab software has been approved for the agency that runs the state’s health care insurance system.
Kaspersky Lab is also gunning for contracts with big federal agencies. That’s why three years ago it created the U.S. subsidiary Kaspersky Government Security Solutions (KGSS).
“KGSS designs, implements and delivers holistic cybersecurity services and solutions for the U.S. government, U.S. government contractors and the U.S. national critical infrastructure sector,” according to a recent press release from the company.
The extent to which federal systems use Kaspersky Lab software is hard to determine because the anti-virus software is often folded into package deals with outside vendors and subcontractors.
Such bundles, for example, drove the Bureau of Prisons to install the software on its systems.
“Kaspersky technology is used as part of a multilayer approach to identify malware and vulnerabilities,” a bureau spokeswoman told ABC News.
Similarly, the Consumer Product Safety Commission, the U.S. agency that announces recalls of dangerous products, “has an active contract with Kaspersky,” an agency spokeswoman said.
Two years ago, the U.S. Embassy in Cairo signed a contract with an Indianapolis-based vendor to provide as many as 150 Defense Department computers in the embassy with the Russian software.
A senior Defense Department official wouldn’t confirm whether the Cairo contract has since been renewed, saying only that the U.S. military “does not have a blanket ban on Kaspersky products and does not blacklist suppliers or individual products.”
But “Kaspersky came up often” at the Pentagon, “and I would be concerned about Kaspersky anti-virus being installed on a Defense Department computer,” said Rosenbach, who spent the past six years at the department.
In March of last year, according to a Washington Free Beacon report, the Defense Intelligence Agency warned the Pentagon that new Kaspersky Lab software could create vulnerabilities in U.S. utility systems.
“It’s time to ask if government agencies should stop using Kaspersky immediately,” Sen. Marco Rubio, R-Fla., a member of the Senate Intelligence Committee, told ABC News in a recent statement.
Eugene Kaspersky, meanwhile, said it’s “a bad idea to pay attention” to statements made for “geopolitical reasons.”
“We protect our customers better than our competitors do,” he said.
‘Keys to the kingdom’
All anti-virus software typically works the same way: In order to be effective, it needs access to nearly every file and piece of data on a user’s computer. And in order to know what new threats to look for and when to update itself, the software is constantly communicating with company servers.
“You’re giving them the keys to your kingdom,” said a former U.S. intelligence official who now works for a major cybersecurity firm.
The concern is that such deep access could allow the anti-virus software “to send information back,” said Rosenbach. There is also concern it could allow hackers to “implant information” on a user’s computer without the user ever knowing, one former U.S. official noted.
Eugene Kaspersky, however, said, “Technically it’s very difficult” to implant information in that way, especially through his company’s software. He said his company does “our best [to make sure] it’s not possible to inject anything wrong into our products without being recognized.”
He added, “We do our best not to keep our data in the same place, so it’s not easy to access our databases without being recognized.”
Nevertheless, while Kaspersky Lab “makes a great product,” there has “got to be a little bit of common sense” when it comes to who uses it, according to Stutzman.
“If you’re a physicist working in a Department of Defense nuclear facility, you probably shouldn’t be using Kaspersky,” he said. “If you’re a home user like my parents, maybe [you can].”
During a Senate Intelligence Committee hearing several weeks ago, Rubio asked a panel of three experts whether they would be willing to put Kaspersky Lab software on their devices.
Gen. Keith Alexander, a former director of the National Security Agency who now runs his own cybersecurity firm, was blunt, saying, “No, I wouldn’t. And I wouldn’t recommend that you do it either.”
Another panelist said, “My answer indirectly would be, there would be better software probably available to you than Kaspersky.”
The only panelist to explicitly answer “yes” was Thomas Rid, a professor from King’s College in London, who told lawmakers, “It’s important to say that Kaspersky is not an arm of the Russian government.”
Three days after that testimony, Rid was with Eugene Kaspersky and others at a Caribbean resort in St. Maarten, where Kaspersky Lab was hosting its annual Security Analyst Summit — once described by the company as “an exclusive, invite-only gig” filled with “guest-list-only cliquishness.”
He was there, for the second year in a row, to detail a 1990s-era cyberattack on the Pentagon, which he spent a year studying with Kaspersky Lab’s senior security researcher.
“The presentation of my academic research at a leading security conference is unrelated to what I said on Kaspersky Lab in response to Sen. Rubio’s question,” he told ABC News.
A former FBI official said that, when it comes to what the Russian government might do next, it’s important to remember the country is under the control of Putin, who rose through the ranks of the KGB, which “was disbanded because it was so violent of an intelligence service.”
Last year, Putin’s government took the “unbelievably bold move” of using cyberweapons to target the Democratic National Committee and influence the U.S. presidential campaign, said Bob Anderson, who oversaw counterintelligence cases for the FBI before heading its cyber and criminal branch. Anderson, now a managing director at the consulting firm Navigant, left the FBI in late 2015.
In an odd twist of events, Russian authorities recently arrested an FSB officer and a senior manager at Kaspersky Lab, reportedly accusing them of trying to aid a foreign government. The Russian government has released few details about the case.
Then just last month, the top Democrat on the House Oversight and Government Reform Committee disclosed that Kaspersky Lab’s U.S. subsidiary paid retired Lt. Gen. Mike Flynn more than $11,000 to speak at a 2015 conference in Washington.
Flynn became President Donald Trump’s first national security adviser, only to be fired after three weeks for allegedly misleading White House officials about his preinauguration dealings with Russian officials.
Eugene Kaspersky dismissed any concerns over Flynn’s appearance at the conference, telling ABC News, “He is a very respected person. One of the best speakers. Why not?”
Kaspersky Lab is one of many foreign-based technology companies whose footprint in the United States has worried U.S. officials. In 2011, concerns over two Chinese companies prompted a yearlong congressional investigation.
Both companies still operate in the United States.
ABC News’ Jack Date, Geneva Sands and Luke Barr contributed to this report.
EDITORIAL NOTE: Former Deputy Secretary of Energy Liz Sherwood-Randall is the sister of Ben Sherwood, the president of Disney-ABC Television Group, the parent company of ABC News.