US-exclusive warned firms about Russian Kaspersky software day after invasion -Sources By Reuters

© Reuters. FILE PHOTO: People walk next to Russia’s Kaspersky booth during GSMA’s 2022 Mobile World Congress (MWC), in Barcelona, ​​Spain, March 2, 2022. REUTERS/Albert Gea/File Photo

By Christopher Bing

(Reuters) – The US government began personally warning some US companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Russian cybersecurity firm Kaspersky to cause harm, according to a senior US official and two people who are familiar with the matter.

The secret briefings are part of Washington’s broader strategy to prepare suppliers of critical infrastructure such as water, telecom and energy for potential Russian intrusions.

President Joe Biden said last week that sanctions imposed on Russia for the February 24 attack on Ukraine could lead to backlash, including cyber disruptions, but the White House did not offer details.

“The risk assessment has changed with the Ukraine conflict,” the senior US official said of Kaspersky’s software. “It has increased.”

One of the most popular antivirus software makers in the cybersecurity industry, Kaspersky is headquartered in Moscow and founded by a former Russian intelligence officer, Eugene Kaspersky.

A Kaspersky spokeswoman said in a statement that the briefings about alleged risks posed by Kaspersky software would be “further damaging” to Kaspersky’s reputation “without giving the company the ability to respond directly to such concerns” and that it was “inappropriate or righteous.”

The senior US official said Kaspersky’s Russian-based personnel could be coerced by Russian law enforcement or intelligence agencies to grant or help set up remote access to their customers’ computers.

Kaspersky, which has an office in the United States, lists partnerships with Microsoft (NASDAQ:), Intel (NASDAQ:) and IBM (NYSE:) on its website. Microsoft declined to comment. Intel and IBM did not respond to requests for comment.

On March 25, the Federal Communications Commission added Kaspersky to its list of communications equipment and service providers it considers a threat to U.S. national security.

It is not the first time Washington has said that Kaspersky could be influenced by the Kremlin.

The Trump administration has banned Kaspersky from government systems for months, warning countless companies not to use the software in 2017 and 2018.

US security agencies have held a series of similar cybersecurity briefings on the Trump ban. The content of those meetings four years ago was similar to the new briefings, says one of the people familiar with the case.

Over the years, Kaspersky has consistently denied wrongdoing or any secret partnership with Russian intelligence.

It is unclear whether a specific incident or new information led to the safety briefings. The senior official declined to comment on classified information.

So far, no US or allied intelligence agency has ever provided direct, public evidence of a backdoor in Kaspersky software.

Following Trump’s decision, Kaspersky opened a series of transparency centers, where it says partners can review the code to monitor for malicious activity. A company blog post at the time explained that the goal was to build trust with customers following the US allegations.

But the US official said the transparency centers are not “even a fig leaf” because they do not address the concerns of the US government.

“Moscow software engineers provide the [software] updates, that’s where the risk is,” they said. “They can send malicious commands through the updaters and that’s coming from Russia.”

Cybersecurity experts say that because of the way antivirus software normally functions on computers it’s installed on, it takes a deep level of scrutiny to discover malware. This makes antivirus software an inherently beneficial channel to conduct espionage.

In addition, Kaspersky’s products are also sometimes sold under white label sales agreements. This means that the software can be packaged and renamed in commercial deals by information technology contractors, making its origin difficult to determine immediately.

While not referring to Kaspersky by name, Britain’s cybersecurity center said on Tuesday that organizations providing services related to Ukraine or critical infrastructure should reconsider the risk associated with using Russian computer technology in their supply chains.

“We have no evidence that the Russian state intends to sideline Russian commercial products and services to harm UK interests, but the absence of evidence is not evidence of absence,” the National Cyber ​​Security said. Center in a blog post.