Bloomberg BusinessWeek has alleged in an article entitled ‘The Company Securing Your Internet Has Close Ties to Russian Spies' that Kaspersky Lab has edged closer to Russian government since 2012.
“Since then, high-level managers have left or been fired, their jobs often filled by people with closer ties to Russia's military or intelligence services," the article reads. "Some of these people actively aid criminal investigations by the FSB, the KGB's successor, using data from some of the 400 million customers who rely on Kaspersky Lab's software, say six current and former employees who declined to discuss the matter publicly because they feared reprisals.”
The article further goes on to claim that Eugene Kaspersky himself indulges in a weekly sauna – or “banya” – with a group of about five to ten people, some of whom include Russian intelligence officials. Kaspersky replied that these saunas are purely social gatherings and he has no knowledge of Russian intelligence officials participating.
Bloomberg queries Kaspersky's in-depth analysis into Equation Group – the cyber-espionage group believed to be the NSA, which targeted Russia, Iran, and Pakistan and questions why it has published other reports on cyber-espionage by the US, Israel and the UK but “hasn't pursued alleged Russian operations with the same vigour”. Kaspersky replied by pointing to the company's research into Red October, Black Energy and other Russian-suspected actors.
“It's been a long time since I read an article so inaccurate from the get-go – literally from the title and the article's subheading," replied Kaspersky on his company's website.
"So it came as little surprise that a large part of the rest of the article is simply false. Speculations, assumptions and unfair conclusions based on incorrect facts. In their pursuit for a sensation, the journalists turned things upside down and ignored some blatantly obvious facts.”
“I must have said this a million times, but we do not care who's behind the cyber-campaigns we expose. There is cyber-evil and we fight it. If a customer comes and shows us a problem we investigate it. And once we take the genie out of the bottle, there's no way we can put it back. But since these journalists tried to attribute the cyber-attacks we exposed to the countries mentioned, for some reason they forgot about our reports on Red October, CloudAtlas, Miniduke,CosmicDuke, Epic Turla, Penguin Turla, Black Energy 1 and 2, Agent.BTZ, and Teamspy.”
Speaking to SCMagazineUK.com last month, Kaspersky said on the company's origin: “Twenty years ago it was purely a Russian company. Now the company and its security experts are international – though 80 percent of our software engineers are Russian – as Russians are acknowledged as the best. Our R&D is also Russian-based."
"In the US government there is only business for US companies, so it's difficult for others, not just Russians but say French or German too. Washington does take our reports but not our technology, though in the future we are seeing some of our technology being adapted and redesigned for US use.”
The Bloomberg report also mentions FireEye's close relationship with the CIA (it received guidance from the agency in its early days, while the agency once had a stake in the firm, and uses its technology). FireEye itself came under similar scrutiny this week after hinting that it would not detect or remove US government malware.
Information security professionals on Twitter said that all security companies have close connections with government bodies.
Rik Ferguson, vice president of security research at Trend Micro, added: “Bloomberg spots that Kaspersky is Russian, and fails to point out the nationality of FireEye, MFE, SYMC, In-Q-Tel etc. etc”
E.J Hilbert, a former FBI special agent in cyber, tweeted: “Companies need Cyber sec[urity] and use local experts like @e_kaspersky (Eugene Kaspersky) in Russia or @mikko (F-Secure's Mikko Hypponnen) in Finland. Not all are spies!”
It is not the first time the issue has been raised; Kaspersky graduated from the technical faculty of the FSB Academy, formerly a KBG institution, and this seems to form the basis of subsequent (repudiated) allegations including those by Wired alleging political involvement and very close ties with Russian law enforcement agencies. Though the latter is hardly a surprise and Kaspersky also has ties with some Western law enforement agencies.