The Kaspersky equation
Days before it announced to the world that it had uncovered what could be one of the largest cyber attacks targeting banks and financial institutions in history, a senior executive from Kaspersky Labs flew to Washington, D.C. Shortly after arriving, the executive met with multiple senior cybersecurity officials in the Obama administration — including a member of the National Security Council — to brief them on a new malware program called Carbanak.
In a report published Monday, Kaspersky Labs detailed the exploits of the Carbanak malware, including its ability to steal an estimated $300 million from more than 100 financial institutions in 30 countries. In a separate report, the company also detailed the inner workings of a hacker organization code-named by Kaspersky as the Equation group, which security experts have characterized as one of the most sophisticated, well-funded hacker operations in the world and that some in the media have linked to the National Security Agency.
The widespread media speculation regarding the NSA’s links to the Equation group has also revived some Cold War conspiracy theories about the motivations of Kaspersky Labs’ founder, Eugene Kaspersky, and whether the company can be trusted to be an honest broker in the world of cybersecurity. But for Kaspersky Labs, the company’s record stands on its own, and it has no plans to slink away into obscurity.
While Eugene Kaspersky’s personal history is certainly fodder for speculation and cyber conspiracies — yes, he graduated from a technical school sponsored by the former Soviet KGB, and he served in the Soviet military during the 1980s — his company’s record of unearthing major cyber crime and cyber espionage operations, a growing revenue stream, and willingness to spend the past three years providing pro bono cyber intelligence data to the U.S. government paint a starkly different picture.
The company’s cyber intelligence record is clear: Gauss, Red October, Flame, Regin, Carbanak, Equation group. That success has translated into increased revenue and market share. Last year, technology research firm Gartner put Kaspersky in the “Leader” section of its Magic Quadrant for endpoint protection platforms alongside McAfee, Symantec, Sophos and Trend Micro. “The malware research team has a well-earned reputation for rapid and accurate malware detection,” the Gartner report stated.
Founded in Russia in 1997 and registered in the United Kingdom, Kaspersky Labs now has R&D centers and 3,000 employees all around the world, including Europe, the United States, Latin America, China, Japan and Russia. Currently, the Kaspersky Lab family of companies operates in almost 200 countries and territories worldwide and has established corporate offices in 30 countries. Kaspersky Lab products protect more than 400 million individuals and around 270,000 companies worldwide. The company’s business today is highly diversified, with about 20 percent of its business coming from the U.S., another 20 percent from Russia and the majority of the remainder from Europe.
This year, the company’s U.S. business turns 10. “We started out primarily with a consumer strategy and we’ve successfully grown a business that is in excess of $100 million … with strong compound annual growth rates on the order of 10 percent,” Chris Doggett, managing director of Kaspersky Lab North America, told FedScoop in a telephone interview. “And in the last five years, we’ve made an effort to go into the corporate market, both public and private … and I think our compound annual growth rate has been about 22 to 23 percent over the last five years. We have a very healthy business.”
U.S. government future?
Analysts and media commentators have been quick to point out that Kaspersky Labs has had difficulties penetrating the U.S. government security market, stemming from a combination of geopolitical spillover and as-yet-unfounded concerns about supply chain security — basically the provenance of the company’s software at a time when U.S.-Russia relations seem to be in a deep freeze.
Peter Firstbrook, one of the Gartner analysts who co-authored the 2014 report that placed Kaspersky Labs in the Magic Quadrant, told FedScoop in an email that the U.S. government generally “avoids” Kaspersky when it comes to security software and views them as a risk because of the company’s deep Russian roots. A former senior U.S. intelligence official, however, told FedScoop he was unaware of any reason why U.S. federal agencies would avoid the company.
So far, the media speculation about the company’s ties to the Russian intelligence service — a firestorm that began with a 2012 Wired profile of Eugene Kaspersky that the Russian software engineer and his American colleagues characterize as an inaccurate, conspiratorial hit job — hasn’t kept some big names in U.S. government cybersecurity away from the company.
Former White House Cybersecurity Coordinator Howard Schmidt agreed last year to lead Kaspersky’s new International Advisory Board, which includes the likes of public key cryptography pioneer Whitfield Diffie.
A new federal company
Doggett is happy to have the conversation about the media’s speculation, acknowledging that there has been a healthy level of interest in the Kaspersky Labs’ stance on international relations and its relationship with foreign governments. Kaspersky has a good story to tell and has good answers for anybody who has such questions, he said.
“We have, up until very recently, not made any effort to be part of any government contracts,” Doggett said. It wasn’t until last October that the company established Kaspersky Government Security Solutions as “a completely separately run company,” according to Doggett. “And I mean completely — different financials, different systems, different people,” he said. “It’s staffed by people who have federal security clearances and we’re in the process of getting a facilities clearance as well.”
Doggett sees a future for Kaspersky in the federal government providing security intelligence, including the research the company is famous for, the reports that come from that research and even the “raw data feeds” it collects around the world. “We have incredible collection capabilities in terms of malware and where it is coming from, malicious traffic and malicious websites as a result of the global network of collection systems that we operate,” Doggett said. “We think that that could provide some incremental value to organizations in the U.S. government that are either in the intelligence business or in the business of assessing threats.”
But what some critics often miss is the fact that Kaspersky is not trying to actively sell its commercial endpoint security software to the government, Doggett said. “First of all, it wouldn’t be a good fit. It’s not built for that type of environment and it wouldn’t serve their needs.”
Do the lingering conspiracy theories remain a factor in the company’s plans for its U.S.-based critical infrastructure and government security business? Of course they do; but they are a minor distraction, Doggett said. More importantly, “we haven’t tried and failed.”
The NSA-Equation nexus
Is Kaspersky Labs’ Equation group really the NSA? Although Kaspersky doesn’t have anything to say on the matter, other experts do, and many said the scope and complexity of the espionage operation is in keeping with the NSA’s preferred method of overwhelming the adversary’s infrastructure with all of the tools at its disposal.
“It’s not a leap to connect the NSA to this attack,” said Grayson Milbourne, Webroot’s threat intelligence director. “Kaspersky is drawing correlations between the tactics used in Stuxnet — which was revealed to be a collaborative effort between the U.S. and Israel — and other malware that shows enormous programmatical similarities to Stuxnet. Deep-dive analysis has revealed that the techniques employed were very, very advanced and not something one would see even from an exceptionally organized malware syndicate.”
For example, the worm designed by the Equation group was made to breach an air-gapped network, or a network that’s fully isolated. It also used three zero-day exploits that enabled the malware to infect via USB drives, even when auto-run was disabled. Two of the three exploits used included the exact same code found in the Stuxnet attack, Milbourne said. “What’s notable is that zero-day exploits are incredibly expensive to develop and not something we typically see being utilized by non-nation state actors.”
“Sure, it’s a leap. Just not a very big one,” Contrast Security CTO Jeff Williams said, referring to the speculation surrounding the NSA’s links to the Equation group operations. “As with all cybersecurity incidents, certainty in attribution is basically impossible. You never really know if you’ve identified the real attacker or if you’ve been duped by a sophisticated frame-up. However, in this case, it’s hard to imagine that anyone other than the NSA could have pulled this off. There are a number of technical, manpower and logistical problems with deploying an attack of this magnitude. And yes, it is absolutely an attack. The sophistication of the spying platform that was deployed in this way is amazing.”
Doggett and other Kaspersky Labs executives are quick to point out that it wasn’t Kaspersky who attributed the activities of the Equation group to the NSA. That was strictly a creation of the American media. Attribution of such sophisticated cyber espionage operations is notoriously difficult and company executives said doing so is not fundamental to the company’s mission.
“We are not able to confirm the conclusions that journalists came up with in regards to attribution. Kaspersky Lab experts worked on the technical analysis of the group’s malware, and we don’t have hard proof to attribute the Equation Group or speak of its origin,” the company said in an official statement. “With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups.”
Doggett takes it a step further. “It’s not the job of Kaspersky Labs to do definitive, final attribution,” he said. “Making that last jump of attribution always involves some form of speculation, and that’s not what we feel is appropriate for us to do.”