Many fictions don’t add up to a fact

The story of Kaspersky Lab’s alleged misdeeds is juicy — let’s check out how this fiction is made.

You may have noticed some noise around Kaspersky Lab recently. The year 2017 was unprecedented for us: We’ve never seen so many articles from media sources accusing Kaspersky Lab of different kinds of misbehavior — all without any substantive proof.

We don’t really know who’s behind the noise and where this desire to harm the company comes from, but it’s clearly done with one purpose: to ruin Kaspersky Lab’s reputation as one of the world’s most renowned and trusted cybersecurity companies.

Most of the articles published feature biased coverage, a lack of alternative positions, and, apparently, zero desire to fact-check. That kind of coverage has nothing to do with independent journalism — in fact, it’s similar to propaganda. About 80% of the arguments are based on claims from anonymous sources or false accusations, and only about 20% of the information is the truth. The 20% is key to giving the stories a veneer of believability.

To show you what they do and how they do it, we’ve come up with a collection of the most widespread false accusations and biased opinions about Kaspersky Lab that some journalists are frequently using and borrowing from each other. Here’s how it’s done.

Fiction: You can search users’ computers using Kaspersky Lab products and steal files from them

Fact: Files from users’ computers are uploaded only on rare occasions and only when they are new and behave suspiciously. Threat detection rules, including ones that enable such uploads, are the same for the whole world, and any interested party can inspect them by reviewing database updates.

Kaspersky Security Network (KSN) technology is a cloud knowledge base that accumulates data about new threats and potentially malicious files. It can upload suspicious files from our customers’ computers to our servers for analysis. But that doesn’t mean it can be used as a remote access tool or as a search engine. An analyst can’t secretly search through random files on users’ devices. Every detection rule issued is available for everyone for one and only one reason: to protect our customers from malware.

It’s also important to note that unlike with many other products on the market, Kaspersky Lab users have control over data sharing — their participation in KSN is voluntary, and they may disable telemetry reporting at any time.

Perhaps the best illustration of how KSN technology really works is the incident involving source code from Equation (that is, allegedly related to the NSA) malware being uploaded to our server. A couple of months ago we explained how it all happened; for the whole story, see this post, but here is a short version:

  • Our product installed on a computer detected Equation malware that was already known to us.
  • Using proactive protection technology, our product also detected another, previously unknown, malicious file that was contained in a 7-Zip archive.
  • Our product sent this 7-Zip archive to our antivirus researchers for analysis.
  • It turned out that aside from malware executables, the archive also contained the source code of new Equation malware (which we deleted; we need only executable files to develop protection).

The key point here is that we didn’t search that computer, let alone target any specific documents on it. The only thing that can trigger detection and subsequent file upload is a malicious or potentially malicious file. An independent review will soon prove that is exactly how the KSN technology works.

And the last point: All threat detection rules in our products are publicly available and visible to all. So any rule like the one described above can be checked by interested third parties.

Fiction: Kaspersky Lab’s office in the US is about to close, and all that’s left is a small team

Fact: We just completed renovations in our North American headquarters, which is located just north of Boston, in Woburn, Massachusetts. More than 250 members of our North American team are now working from a modernized office space or remotely across the North American region, including Canada.

In addition, the North American team recently gathered for its annual kickoff event, where together, team members discussed strategic plans for the region in 2018.

Fiction: Kaspersky Lab never investigates Russian-speaking cyberespionage

Fact: It’s very easy to demonstrate that Kaspersky Lab has investigated dozens of threats with Russian-language roots. In our Targeted Cyberattacks Logbook, we collect all of the advanced persistent threats (APTs; most APTs are connected to cyberespionage) that our Global Research and Analysis Team have investigated. Choose Russian in the Language behind the APT drop-down menu to see them.

To save you the search, our company’s experts have published at least 17 reports about APT attacks with Russian language included in the code, including RedOctober, Cloud Atlas, Epic Turla, and many more.

In the Logbook, you can also check out which Arabic-, Chinese-, English-, French-, Korean-, and Spanish-speaking advanced actors our researchers have also investigated. We do not care what language bad guys speak or who they work for. We’re doing our best to protect our customers from any malefactors, regardless of their origin or intention. Some may dislike Kaspersky Lab for this principle, but it has never stopped us and it never will.

Fiction: Every company in Russia is under KGB/FSB control; Kaspersky Lab is from Russia, therefore it’s also under KGB/FSB control

Fact: We often disrupt operations and hacker groups, including really significant ones, that are allegedly connected to or owned by Russian intelligence services. Of the Russian-speaking APTs we have investigated in the past few years, two deserve special attention: the CozyDuke (also known as CozyBear, or APT29) and the Sofacy (also known as Fancy Bear or APT28) are both believed to be tied to Russian intelligence agencies. Note that we published our research on these groups in 2015.

In fact, we were the first to report on CozyDuke/CozyBear.

A year later, in 2016, malicious tools made by these very actors were found on US Democratic National Committee (DNC) computers during the investigation of the DNC cyberattacks. According to investigators, the attacks began in 2015.

If Kaspersky Lab was controlled by Russian intelligence, why would they let us publish research on APTs allegedly tied to Russian intelligence at the very same time these groups reportedly were hacking US elections?

Let us be very clear: Kaspersky Lab is not under the control of the FSB.

Fiction: Kaspersky Lab’s top management are former KGB, and there’s no such thing as “former” when it comes to the KGB

Fact: In particular, three names pop up from time to time in the media when it comes to alleged ties between Kaspersky Lab’s top management and the KGB. They are: CEO Eugene Kaspersky himself, Chief Legal Officer Igor Chekunov, and Chief Operating Officer Andrey Tikhonov.

First of all, it’s not all the same when it comes to the KGB. For example, Eugene Kaspersky graduated from the cryptographic high school of the KGB, which is now named the Institute of Cryptography, Communications and Informatics; however, he never served in the KGB (or the FSB, for that matter). It’s also important to note that Eugene grew up in the Soviet era, when almost every educational opportunity was sponsored by the government in some manner.

Igor Chekunov did his compulsory military service at the State Border Service, which back in those times was a branch of the KGB, and Andrey Tikhonov worked in a research institution that was related to the Ministry of Defense, but not the KGB.

Second, Kaspersky, Chekunov, and Tikhonov have been with the company for ages, since it was a small start-up in the very niche area of “antivirus security.” That was 10 to 15 years before cybersecurity went mainstream, and it was of no interest to the Kremlin, or Lubyanka, or anyone else in that realm. It would be weird (and flat-out wrong) to assume these executives were introduced into the company’s top management to give Russian spies leverage in Kaspersky Lab’s actions.

Fiction: Kaspersky Lab helps Russian law-enforcement agencies during investigations, which means it works for the Russian government

Fact: We do help law-enforcement agencies to investigate cybercrimes, but not just Russian agencies. We are open to collaboration in other countries as well. In fact, we provide assistance to many LEAs all over the world, as well as to international organizations such as Europol and Interpol. Our experts have a lot of experience with cyberforensics. And Kaspersky Lab benefits from this cooperation because it allows our researchers to gather more information on the newest threats, which in turn helps keep everyone protected.

Fiction: There wouldn’t be so many accusations if Kaspersky Lab wasn’t in fact tied to Russian spies

Fact: No credible evidence has been presented of Kaspersky Lab inappropriately helping Russian (or any other) intelligence agencies. Why? Simply put, no evidence exists because Kaspersky Lab (and its CEO) has no inappropriate ties to any government.

We have never spied, nor will we ever spy, on our users. Such accusations are always based on information given by anonymous sources, who may have a hidden agenda. In addition, more recent articles rely on older pieces that suggest these false allegations are proven facts — even though they aren’t, and never will be.

That’s how propaganda works: Keep telling the same story over and over again until people consider it true. No smoke without fire, right? Who needs proof, actual evidence, or even logic?