Written by Patrick Howell O'Neill
The United States’ hostile relationship with Moscow-based cybersecurity firm Kaspersky Lab may have been partially shaped by an incident two years ago in which an eyebrow-raising Kaspersky sales pitch eventually led to a secret and previously undisclosed confrontation between Russian intelligence and the CIA.
The confrontation, which ended in Russia’s domestic intelligence agency issuing a diplomatic démarche, was the result of the U.S. government’s intrusive treatment of the Russian company and helped set off a chain of events that is still unfolding today, according to multiple people with knowledge of the matter.
These officials spoke to CyberScoop anonymously in order to freely discuss the sensitive nature of the ongoing saga.
In the first half of 2015, Kaspersky was making aggressive sales pitches to numerous U.S. intelligence and law enforcement agencies, including the FBI and NSA, multiple U.S. officials told CyberScoop. The sales pitch caught officials’ attention inside the FBI’s Counterterrorism Division when Kaspersky representatives boasted they could leverage their product in order to facilitate the capture of targets tied to terrorism in the Middle East. While some were intrigued by the offer, other more technical members of the intelligence community took the pitch to mean that Kaspersky’s anti-virus software could effectively be used as a spying tool, according to current U.S. intelligence officials who received briefings on the matter.
The flirtation between the FBI and Kaspersky went far enough that the bureau began looking closely at the company and interviewing employees in what’s been described by a U.S. intelligence official as “due diligence” after Counterterrorism Division officials viewed Kaspersky’s offerings with interest.
The examination of Kaspersky was immediately noticed in Moscow. In the middle of July 2015, a group of CIA officials were called into a Moscow meeting with officials from the FSB, the successor to the KGB. The message, delivered as a diplomatic démarche, was clear: Do not interfere with Kaspersky.
The démarche is not public and has not been previously reported on. A démarche typically comes from a foreign ministry and is addressed to another country’s diplomats in an effort to send a message and often to lodge a protest. Officials told CyberScoop that the 2015 document was worded as an objection to what the Russians deemed malicious interference against the Moscow company.
Moscow’s response sent up alarms in Washington within the intelligence community and White House. Diplomatic démarches are normally delivered by foreign ministry officials, not intelligence officials. The Russian reaction to the FBI’s interest seemed to reveal more to U.S. intelligence than the FBI’s due diligence had, one American official said.
“This was a clear signal from the FSB to the U.S. to get off their intelligence asset,” another senior U.S. official told CyberScoop. “If this was from the foreign ministry, that would have been different. It is extremely rare and a different message when an intelligence agency démarches you.”
The meeting was described by multiple officials as a “major pivot point” in the U.S. government’s relationship with Kaspersky, which was actively marketing its products to many agencies. It triggered closer scrutiny by the FBI, which led the bureau to urge the rest of the federal intelligence and law enforcement community to say no to the company’s sales overtures. It also led to a years-long FBI counterintelligence investigation that continues to this day.
The CIA did not respond to multiple requests for comment.
By 2016, the FBI had started briefing U.S. companies across industries, urging them to cut ties with Kaspersky. The success of those briefings has been mixed but, as a result, at least one major American energy firm opted against signing a contract with Kaspersky. Additionally, the FBI has presented a combination of open source and classified intelligence to Congress, while other intelligence agencies allege the Russian government has continuous access to Kaspersky’s data.
A story published Oct. 5 by the Wall Street Journal details Russian state hackers’ theft of NSA tools with the help of Kaspersky software. The incident reportedly took place in 2015, but was not discovered until 2016, well after the FSB-CIA confrontation.
After initially dismissing the WSJ story as a “conspiracy theory,” CEO Eugene Kaspersky tweeted that he is “very concerned about possible breach of our products. If anon sources from WSJ article want to investigate let’s do it ASAP.”
Last month, a Department of Homeland Security order banned further use of Kaspersky products inside federal networks after a 90-day review period.
U.S. retail giants including Best Buy and Office Depot stopped selling Kaspersky products last month. Other American retailers, including Amazon and Walmart, continue to sell them.
There is still no publicly available evidence, technical or otherwise, that Kaspersky operates on behalf of Russian intelligence. The company continues to forcefully deny every charge of wrongdoing. Eugene Kaspersky has said for months the company he co-founded is caught in the middle of a geopolitical fight between Washington and Moscow.
“If Eugene has nothing to hide, he’s a victim of his own intelligence agency at home,” said one senior U.S. official. “[The FSB] didn’t do a good job here.”
In a statement, Kaspersky Lab said it “does not include any undeclared capabilities such as backdoors as that would be illegal and unethical, and regardless of claims by anonymous sources, Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts.”