The virus got it.

Photographer: Paul J. Richards/AFP/Getty Images

Trust Kaspersky to Root Out Russian Spyware

Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.

If you think U.S. tech companies have a hard time convincing their customers that they don't pass on data to U.S. intelligence services, consider the case of Kaspersky Lab, the Moscow-based cybersecurity company. To show its understandably wary customers that it isn't in the Russian government's pocket, Kaspersky always has to be ahead of others when it comes to research into Russian cyber-espionage. It keeps up a steady stream of revelations, but without mentioning the affiliation of the hackers. 


The latest such report deals with the hackers known as the Turla group, Snake or Uroburos. They are well-known to the cybersecurity industry, and have used satellites to hide their location and keep their servers from being taken down by governments or Internet providers.

Kaspersky's first findings on Turla followed a March 2014 report by the German cybersecurity firm G Data that linked the group to the 2008 attack on the U.S. Department of Defense and suggested it may have been working for the Russian government. 

Kaspersky Lab reacted immediately, saying it had become "aware of the Turla cyber espionage campaign in March 2013" and had discovered the link between the software the hackers were using and the worm used to penetrate the Pentagon. It didn't mention the possible government connection. Neither did the summaries of subsequent Kaspersky findings about the hackers, though the selection of targets for the cyberattacks, including Ukrainian, Georgian and Western government offices, provided strong clues about the identity of the hackers' client. In May 2014, Snake was discovered in the Belgian Foreign Ministry's computer system. Its purpose was to steal sensitive information, and Belgian officials speculated that the hacker activity had something to do with the Ukraine conflict.

Eugene Kaspersky, the Russian cybersecurity firm's founder, did slip up once. In March 2015, Bloomberg Businessweek reported on his alleged ties to Russian intelligence, saying that "while Kaspersky Lab has published a series of reports that examined alleged electronic espionage by the U.S., Israel, and the U.K., the company hasn’t pursued alleged Russian operations with the same vigor." Kaspersky issued a vituperative denial. He pointed out that the Businessweek reporters "forgot about our reports on Red October, CloudAtlas, Miniduke, CosmicDuke, Epic Turla, Penguin Turla, Black Energy 1 and 2, Agent.BTZ, and Teamspy. According to some observers, these attacks were attributed to Russian cyber-spies."

But the reports were carefully constructed. The one on Agent.btz, the worm used in the 2008 Defense Department attack, pointed out that Russia had the most cases of infection with the malware and stressed that the initial worm and its later versions weren't necessarily created by the same people. In his denial, Kaspersky also was careful to make clear that others -- and not his company -- attributed the attacks to the Russian government. Yet why would he have alluded to those sources in response to Businessweek if he didn't believe in the link himself?

It's not easy for Kaspersky Lab to operate out of Moscow. On the one hand, the U.S. and other Western countries are probably right to consider Russian intelligence services as one of the major threats to their computer security. Kaspersky's products are viewed with suspicion. In June, The Intercept reported, citing evidence from National Security Agency whistleblower Edward Snowden, that the NSA analyzed Kaspersky for weaknesses and tried to hack it, as did the U.K.'s GCHQ. At the same time, though Kaspersky Lab uses a U.K. company to trade in the West, the Kremlin is unlikely to be happy if the company exposes its cyber-espionage operations.

This makes for uneasy compromises, but it also makes Kaspersky one of the most trustworthy sources on cybersecurity threats. It will gleefully report on Western efforts, but it must also keep providing data on the Russian ones, pretending it knows nothing of their origins. Otherwise, it will lose the trust of millions of Western clients who provide the bulk of its revenue, which exceeds $500 million a year. The latest report on Turla's satellite scheme is proof of Kaspersky's determination to keep straddling the cybersecurity frontline for as long as it can.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:
Leonid Bershidsky at lbershidsky@bloomberg.net

To contact the editor responsible for this story:
Max Berley at mberley@bloomberg.net