Germany’s Federal Office for Information Security (BSI) has told organisations in the country using Kaspersky Lab antivirus products to strip it out of their systems — saying “a Russian IT manufacturer can carry out offensive cyber operations itself, be forced to attack target systems against its will, or be spied on without its knowledge” and adding that “data stored by Kaspersky could be used for reconnaissance or sabotage actions.”
In a two-page alert published March 15 2022 that did not include any evidence of potential abuse of Kaspersky products, the BSI said that “Kaspersky should be replaced by alternative products,” adding that “companies and authorities with special security interests and critical infrastructure are particularly at risk.”
“If there are doubts about the reliability of the manufacturer, anti-virus software poses a particular risk to IT infrastructure that is to be protected” the BSI added. “To ensure up-to-date and and effective protection against malware, it must have extensive system system authorizations and must (at least for updates) have a permanent, encrypted and encrypted and unauditable connection to the manufacturer’s servers.
” Therefore, trust [is critical] in a manufacturer’s reliability and self-protection as well as its authentic ability to secure use of such systems. Antivirus software is an exposed target of offensive operations in cyberspace in order to spy on potential adversaries, compromise the integrity of their systems, or even to completely limit the availability of the data stored on them,” the BSI warned. [Translated from the German]. “The actions of military and/or intelligence forces in Russia, as well as the recent threats made by Russia against the EU in the course of the current against the EU, NATO and the Federal Republic of Germany in the course of the current war are associated with a considerable risk of a successful IT attack with far-reaching consequences” it added.
Kaspersly Lab told The Stack: “We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds. We will continue to assure our partners and customers in the quality and integrity of our products, and we will be working with the BSI for clarification on its decision and for the means to address its and other regulators’ concerns… Kaspersky is a private global cybersecurity company and, as a private company, does not have any ties to the Russian or any other government. Our data processing infrastructure was relocated to Switzerland in 2018: since then, malicious and suspicious files voluntarily shared by users of Kaspersky products in Germany are processed in two data centers in Zurich that provide world-class facilities, in compliance with industry standards, to ensure the highest levels of security. Beyond our cyberthreat-related data processing facilities in Switzerland, statistics provided by users to Kaspersky can be processed on the Kaspersky Security Network’s services located in various countries around the world, including Canada and Germany. The security and integrity of our data services and engineering practices have been confirmed by independent third-party assessments: through the SOC 2 Audit conducted by a ‘Big Four’ auditor, and through the ISO 27001 certification and recent re-certification by TÜV Austria.
“Our customers can run a free technical and comprehensive review of our solutions, allowing them to:
- Review our secure software development documentation including threat analysis, secure review, and application security testing processes
- Review the source code of our leading solutions including Kaspersky Internet Security (KIS), our flagship consumer product; Kaspersky Endpoint Security (KES), our flagship enterprise product; and Kaspersky Security Center (KSC), a control console for our enterprise products
- Review all versions of our builds and AV-database updates, as well as the types of information which Kaspersky products send to our cloud-based Kaspersky Security Network (KSN)
- Rebuild the source code to make sure it corresponds to publicly available modules
- Review the results of an external audit of the company’s engineering practices conducted by one of the ‘Big Four’ accounting firms;
- Review the Software Bill of Materials (SBOM) for Kaspersky Internet Security (KIS), Kaspersky Endpoint Security (KES), and Kaspersky Security Center (KSC).”
Follow The Stack on LinkedIn
In a personal blogpost this month, one Kaspersky security researchers, Ivan Kwiatkowski, a French national, posted his own views on the perennial debates around the “trustability” of the company (which regularly performs well in independent testing), asking rhetorically “‘is there a backdoor in Kaspersky products?’
“This accusation has been directed at the company since 2017 and has yet to be backed by evidence of any form. The source code can be reviewed in transparency centers. Not enough for you? You’re asking me to prove a negative, but maybe I can sway you with a telling absence of smoking gun. APTs [Advanced Persistent Threats, or sophisticated threat groups] reverse-engineer our products all the time. I know that, because I know they’re not stupid: they want to avoid detection as much as we want to catch them,” he wrote.
“At this point, if the NSA hasn’t looked at every single instruction of our AV, someone simply isn’t doing their damn job. If there were hidden features in there, they’d know about it, and I have to assume that they want nothing more than to expose Kaspersky’s dastardly ways to the world. It’s time to consider that the backdoor just isn’t there” Kwiatkowski wrote, in a heartfelt defense of his decision to keep working for the company.
The BSI alert on Kaspersky software comes two weeks after the Netherlands upheld its 2018 ban on the use of Kaspersky AV on government systems. Republished 2018 documents from Dutch authorities noted that “regarding the manifestation of the identified threats, several various scenarios are conceivable. At this time, no conclusive evidence can found in open sources for one or more of the scenarios and therefore no definite answer can be given as to whether Kaspersky currently actively poses a threat to National Security.”
In September 2019 the US instituted a sweeping ban on the use of Kaspersky products by federal agencies with the Federal Acquisition Regulation Council — the Defense Department, General Services Administration and NASA — publishing a rule to the Federal Register outlining how agencies should abide by a provision in the 2018 National Defense Authorization Act restricting the use of Kaspersky products.
That restriction was introduced after the US intelligence community reportedly warned that Kaspersky executives — some of whom are former Russian intelligence officers — have close ties to Russian government officials. The company strenuously denied any wrongdoing with founder Eugene Kaspersky noting at the time that his company had just $50,000-worth of business with the US government and adding that allegations were “fake… after two years, no proof, no data at all” (to substantiate claims the software was being misused.)