Inside The Fight For The Soul Of Kaspersky Lab
MOSCOW — Ivan Kaspersky exited the Strogino metro station in Moscow on the morning of April 19, 2011, and walked toward the nearby office of InfoWatch. The fourth-year student worked as a programmer at his mother’s company, an offshoot of Kaspersky Lab, the Russian software company she had started with Ivan’s father. As the 20-year-old made his way from the station, a man stepped out of a green car parked by the side of the road and grabbed him. A second man ran up and helped to push the young man into the car, where they blindfolded him. His kidnappers switched cars on the way to their destination, a house outside the Russian capital.
Eugene Kaspersky, the CEO of Kaspersky Lab, was in London when an anonymous voice at the other end of the phone line informed him that his son had been kidnapped. The ransom: 3 million euros. Kaspersky immediately called Igor Chekunov, reportedly a former KGB officer, who acted as both a lawyer for the company and, allegedly, its liaison with the Federal Security Service, or FSB, the successor to the infamous KGB, and other Russian security services. Chekunov took the lead in coordinating the rescue operation. After four days, Russian special operations troops, known as Spetsnaz, came to Ivan’s aid, freeing him from the handcuffs he’d been locked in since his capture.
The young man’s rescue was a relief — but it also served as a tipping point in a battle that had been waged inside his father’s company since 2010. Since its founding in 1997, Kaspersky Lab has grown into an international giant in computer security. Its antivirus system is installed on roughly 400 million computers around the world. But over the last year its outlook has plummeted in North America and Europe, where in 2016 it did over half of its business. Last fall saw Donald Trump — not known for criticizing Russian interference in the US — sign a ban on government agencies using Kaspersky Lab’s products.
Meduza and BuzzFeed News can reveal for the first time that the decline in fortunes of Kaspersky Lab was the result of an internal struggle for control that pitted allies of the Russian secret service against “tech-savvy” staff and Western investors. The managers within Kaspersky Lab, like Chekunov, with ties to Russia’s security agencies won that battle. But in so doing, they threaten to destroy everything the company has built outside Russia.
The ban that Trump signed resulted from rising concerns among US lawmakers and intelligence agencies that Kaspersky Lab’s software could be used by the FSB to access US government documents. The company says it conducted an internal investigation and found that no data was hijacked via Kaspersky’s antivirus product. But even as Kaspersky Lab denied the charges, files from the US’s National Security Agency were reportedly lifted from a computer with Kaspersky software installed, using a system that one former senior manager says can copy files from a user’s hard drive without their knowledge.
Eugene Kaspersky declined to comment personally on Meduza’s questions. A spokesperson for Kaspersky Lab told Meduza, “We don’t have any illegal or unethical ties with security services anywhere in the world.” In a court document filed in a suit against the US government last week, Kaspersky Lab said much the same, and claimed that the US’s allegation had substantially harmed its reputation, causing its business in the US to decline by half compared with the same time last year.
Everyone at Kaspersky Lab knew not to schedule any meetings on Dec. 20. In Russia, it marks the Day of Federal Security Service Officers, commonly known as Chekist’s Day, a reference to the body that preceded the KGB.
One former manager, who requested anonymity to speak freely about the internal workings of the company, recalled Eugene Kaspersky coming in one Dec. 20 and saying, “Well, congratulate me!” Everyone knew what he meant. Kaspersky would spend the day celebrating with friends from the Federal Security Service. He even planned his business trips around it, the former manager told Meduza, making sure that nothing would prevent him from being in Moscow to raise a glass.
Kaspersky graduated from what was then the Dzerzhinsky Higher School of the KGB, named after the man who founded the Soviet secret services, in 1987. In 1991, as the Soviet Union was falling apart, he started his career at a small firm owned by a former teacher. Six years later, Kaspersky and his wife founded their own company, Kaspersky Lab.
Kaspersky became the company’s technical director, responsible for the development of its eponymous antivirus software. His wife, Natalya Kaspersky, served as general director, in charge of the company’s commercial activities. The couple divorced in 1998, and Natalya remained general director for almost another decade, with her husband taking over in 2007. It was after that, the former senior manager told Meduza, that three groups started to form in a battle for control of the company.
The company’s technical director and main developer of Kaspersky’s antivirus software led the “tech-savvy” faction. A second group, made up of Western financial experts, believed that the company should be more aggressive in the global market and open to filing an IPO to become a publicly traded company. The third faction was composed of Chekunov and other siloviki, a term used inside Russia to refer to politicians and others who formerly served as Russian security services officers. (Eugene Kaspersky has said that Chekunov never worked for the KGB but simply served his compulsory military service in the State Border Troops, which fell under the KGB’s command.)
Ivan’s kidnapping proved a key moment in that struggle. One of the kidnappers claimed in his initial statement to police that he and his son, together with some friends, had decided to abduct Ivan after watching a television show about his father. The court, which in March 2013 sentenced four codefendants to seven to 11 years in prison, accepted that account as the truth during the trial.
Between the kidnapping in 2011 and his sentencing, however, the attacker, Nikolay Savelyev, changed his account, claiming that an officer with the Federal Protective Service (FSO) named Aleksey Ustimchuk was the real brains behind the kidnapping. (It was reported that Ustimchuk was so well connected that he was once photographed in the chair of Russian President Vladimir Putin.) As a military officer, Ustimchuk was tried for his involvement in the kidnapping of Ivan Kaspersky in a separate court-martial. It’s unclear when that trial took place, but in August 2012 he was sentenced to four and a half years in prison, the result of a reported deal with investigators, but was not stripped of his rank or his honors. Kaspersky’s family withdrew their civil claim, in which they’d sought 120 million rubles (about $21 million) in damages from Ustimchuk, instead only receiving an apology and 10,000 rubles (about $176) as compensation for a mobile phone and wallet the kidnappers had taken from Ivan.
Soon after the kidnapping, everything changed within the company, according to the former manager: Kaspersky “changed his business tactics, canceled the IPO, got rid of American investors and the majority of senior expats.” As Bloomberg later reported, the process of launching the IPO, which was supposed to take place in partnership with a US investment fund, was frozen and the shares, which had already been purchased by these partners, were bought back.
In public, Kaspersky has said that the IPO would have made the company “less versatile.” But the former manager saw it as further proof of the siloviki’s rise. The evidence had been mounting in his eyes since Ivan’s return. In the summer of 2011, Natalya Kaspersky was not reelected as chairman of the board of directors of Kaspersky Lab. In November 2011, seven months after the kidnapping, Kaspersky Lab signed an agreement with the FSO to supply the security organization with its products. In February 2012, Natalya sold her remaining shares in the company. At the same time, a moratorium on hiring managers from outside Russia was put in place. (Eugene Kaspersky stated at the time that Bloomberg’s reporting on the hiring freeze was false.)
Apart from Chekunov, the siloviki clan included Andrey Tikhonov, an executive director, and Aleksey Kuzyaev, the head of the company’s security service. According to the former senior manager, Tikhonov rose to the rank of lieutenant colonel while serving with the Russian military intelligence service, while Kuzyaev is a former officer with the FSB. (Tikhonov’s official biography with Kaspersky confirms his former rank but does not specify what branch of the Russian military he served in, while Kuzyaev’s LinkedIn profile states that he graduated from the FSB Academy, but does not list service with the agency.)
Ruslan Stoyanov, a former officer in the interior ministry, ran a specially formed department inside Kaspersky Lab, tasked with investigating hacking and other cybercrimes in partnership with law enforcement officials, reporting to Kuzyaev. When asked to confirm this chain of command, Kaspersky Lab denied that the department reports to the chief security officer, without naming Kuzyaev directly.
“This was an internally formed department which worked with the FSB” and the interior ministry, the former senior manager told Meduza. The department’s name was a pun: the Russian initials of the Computer Incident Investigation Department spelled out ORKI, Russian for “orcs.”
“They liked the name a lot,” the former senior manager said.
The cooperation with the secret services was so close that ORKI members even accompanied Russian security service agents into the field to detain cybercriminals, the former manager said. “They would visit a location together with FSB officers and would not be shy about this,” he told Meduza. “This is, of course, unprecedented.” Kaspersky Lab’s leading antivirus expert, Sergey Golovanov, confirmed to Meduza that company specialists accompany the security forces on arrests in order to provide technical support.
According to Kaspersky Lab, Stoyanov’s group formed in 2012. Andrey Bulay, a Kaspersky Lab spokesperson, told Meduza that ORKI department employees “possess both knowledge and experience across such fields of expertise as high technologies, digital forensic science, criminal law, and criminal procedure legislation that allows them to carry out forensic expertise and participate in investigative activities as technical experts.”
Stoyanov wrote in a 2015 post on Kaspersky Lab’s SecureList blog that his department had taken part in over 330 cybercrime investigations during the previous two years. Kaspersky Lab worked together with the state security agencies during these investigations for free, the former senior manager told Meduza. Kaspersky Lab’s spokesperson confirmed this when asked.
As the siloviki gained influence, they came into ever more conflict with the so-called tech-savvies. The main source of conflict was over the Kaspersky Security Network (KSN) system, which Nikolay Grebennikov, the head of the “tech-savvies” and the company’s technical director, would not allow the siloviki to access, the former senior manager said. (Grebennikov declined to speak to Meduza for this story.)
The KSN, launched in 2012, allows Kaspersky software to examine any potentially threatening file on a user’s computer and compare it with cases seen elsewhere across the network. Earlier antivirus software worked entirely locally, checking files against a signature database stored on the machine itself. Moving to a “cloud solution” allowed the company to analyze and neutralize new viruses before they spread, Kaspersky Lab has argued.
But according to the former senior manager, who was involved with launching KSN, the product was referred to as “cyberintelligence” inside the company. The system can be run manually from a remote location, he told Meduza, meaning an employee of the Kaspersky Lab can download any file from a computer on which KSN is installed without its owner’s knowledge.
“It’s like an awesome kitchen knife that can be used for superbly slicing bread — or stabbing people,” the source said.
In a September 2017 memo outlining the government’s decision to ban Kaspersky products from federal government computers, the Department of Homeland Security noted that KSN users “agree to the transfer of a lengthy list of private data from user computers to Kaspersky servers,” which could be intercepted by the FSB.
Bulay, the company spokesperson, denied this, telling Meduza that KSN “has no mode for manual access to computers.” Kaspersky Lab wrote on its website in 2015 that KSN “does not process users’ personal data at all.” A more recent document says the company does not attribute any data it gathers to individual users that would make them identifiable.
Joining KSN is supposed to be an opt-in process for users who have bought Kaspersky’s antivirus software, according to the company’s website, allowing them to choose to make their computer’s files accessible from the cloud — a little like deciding to use iCloud to store your phone’s photos. But the former senior manager said that in the majority of cases, the system is set to activate by default when the antivirus software is installed. When Meduza attempted to install Kaspersky software onto a personal computer, the user was asked whether they wanted to participate in KSN — though the option to join was pre-selected as the default answer.
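To make concrete what the cloud lookup and the opt-in switch described above actually gate, here is an added example in Python that models a cloud-assisted scanner of the general kind the article describes. It is not Kaspersky’s code and makes no claim about KSN’s real protocol or internals; the class and function names (Verdict, CloudService, ScanClient, run_demo, consent_from_installer), the toy heuristic, and the three sample files are constructed for illustration.

```python
"""Model of a cloud-assisted antivirus client (added example, not vendor code).

Two things leave the host in this design: a file hash for the reputation
lookup, and, under some rule, the whole file as a "sample". The participation
flag is the user's only lever over either. Everything here is constructed."""

from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


class CloudService:
    """Stand-in for a vendor reputation service (hypothetical). It answers
    hash lookups and stores any sample the client submits, keyed by hash.
    Whatever the client uploads is fully visible on this side."""

    def __init__(self, known: dict[str, Verdict]):
        self.known = dict(known)
        self.uploaded_samples: dict[str, bytes] = {}

    def lookup(self, sha256: str) -> Verdict:
        return self.known.get(sha256, Verdict.UNKNOWN)

    def submit_sample(self, sha256: str, data: bytes) -> None:
        self.uploaded_samples[sha256] = data


@dataclass
class ScanClient:
    cloud: CloudService
    participate: bool                      # the "join the network" checkbox
    audit_log: list[str] = field(default_factory=list)

    @staticmethod
    def looks_suspicious(data: bytes) -> bool:
        # Toy local heuristic (constructed): a PE-style "MZ" header plus a marker.
        return data.startswith(b"MZ") and b"EVIL" in data

    def scan(self, name: str, data: bytes) -> Verdict:
        sha = hashlib.sha256(data).hexdigest()
        if not self.participate:
            # Local-only mode: no bytes of any kind leave the machine.
            self.audit_log.append(f"{name}: local-only, no network traffic")
            return Verdict.MALICIOUS if self.looks_suspicious(data) else Verdict.CLEAN
        verdict = self.cloud.lookup(sha)          # only a digest is sent here
        self.audit_log.append(f"{name}: hash lookup -> {verdict.value}")
        if verdict is Verdict.UNKNOWN and self.looks_suspicious(data):
            # This step moves file *content*, not a hash, off the host. The rule
            # that triggers it is decided in client code the vendor ships.
            self.cloud.submit_sample(sha, data)
            self.audit_log.append(f"{name}: full sample uploaded ({len(data)} bytes)")
            return Verdict.MALICIOUS
        return verdict


def consent_from_installer(default_checked: bool, user_choice: bool | None = None) -> bool:
    """Participation flag as an installer dialog would compute it: if the user
    never touches the checkbox (None), the shipped default decides."""
    return default_checked if user_choice is None else user_choice


def run_demo(participate: bool) -> dict[str, int]:
    """Scan three constructed files and report what crossed the network."""
    clean_doc = b"PK\x03\x04 quarterly report (constructed)"
    cloud = CloudService({hashlib.sha256(clean_doc).hexdigest(): Verdict.CLEAN})
    client = ScanClient(cloud=cloud, participate=participate)
    files = {
        "report.docx": clean_doc,                                   # known-good hash
        "notes.txt": b"private notes, never seen by the cloud before",  # unknown, benign
        "dropper.exe": b"MZ\x90\x00 EVIL payload (constructed)",   # unknown, suspicious
    }
    verdicts = {name: client.scan(name, data) for name, data in files.items()}
    return {
        "hash_lookups": sum("hash lookup" in line for line in client.audit_log),
        "samples_uploaded": len(cloud.uploaded_samples),
        "bytes_uploaded": sum(len(d) for d in cloud.uploaded_samples.values()),
        "malicious": sum(v is Verdict.MALICIOUS for v in verdicts.values()),
    }


if __name__ == "__main__":
    for flag in (consent_from_installer(default_checked=True), False):
        print(f"participate={flag}: {run_demo(flag)}")
```

Run it with participation on and off: with the flag set, all three files produce a hash lookup and the one unknown, suspicious file is uploaded in full; with the flag off, nothing is sent and detection falls back to local heuristics. The upload rule lives entirely in vendor-shipped code, and the user’s only control over it is the participation flag, which is why an installer checkbox that is pre-selected by default matters more than it looks.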
The former senior manager also said that he was personally present during the product’s demo, during which analysts showed how they tapped into the computers of Gamma Group, a British firm that produces surveillance software for governments around the world, and downloaded the source code of one of the company’s programs.
“Later this code somehow appeared in the public domain, which caused severe damage” to Gamma Group, the former senior manager said. Bulay told Meduza that Kaspersky had never been contracted to provide security for Gamma Group, although in theory the firm could have bought Kaspersky software through a third party.
“Experts at Kaspersky Lab took part in a study of so-called legal malware, developed by Gamma Group and similar companies; company products protect our clients from it,” said Bulay. According to him, company analysts had no access to Gamma Group’s computers, and Kaspersky Lab does not know who was behind the leak of the British company’s data.
Gamma Group did not respond to a BuzzFeed News request for comment.
The wedge between Grebennikov and the siloviki over access to KSN began bubbling over into meetings among the management team that would devolve into shouting matches. “It would not come to a fistfight, but the screaming was loud,” the former manager said.
“We do not comment on unsubstantiated rumours regarding personal or professional relationships inside the company,” Kaspersky Lab told Meduza when asked about the tension between the groups.
Eugene Kaspersky, according to the former senior manager, stayed out of the open clashes between the two groups, even as he took trips with Chekunov and other employees to the banya, or Russian saunas.
In 2013, Kaspersky introduced Grebennikov at a conference in Prague as the potential future head of his company, the latter would later tell Forbes. By February 2014, when the conflict between various teams at Kaspersky Lab was at its peak, Grebennikov’s position was unstable enough that he and the managers overseeing the company’s international business cornered Eugene Kaspersky at a conference. The vision of the company’s future they laid out to him included demoting some siloviki members. After hearing the senior managers out, the founder of the company informed his colleagues of his intention to fire Grebennikov. At the end of the year, he called the technical director to his office and told him that “he had betrayed the company.”
“Revolutionaries have two paths — either to the throne or to Siberia. You are going to Siberia!” Kaspersky said to Grebennikov, as the latter later told Forbes.
Six Russian and foreign senior managers were fired — and the siloviki ended 2014 victorious. According to the former manager, after defeating the “tech-savvies,” Chekunov and his group had no problem gaining access to the KSN.
Any celebration inside Kaspersky Lab among the siloviki was likely short-lived. The first public sign of trouble came with a March 2015 investigation by Bloomberg, which revealed that Kaspersky’s trips to the banya also included contacts inside the FSB. Bloomberg also reported that since 2012, many open job postings at the company had been filled with “people with closer ties to Russia’s military or intelligence services,” noting that while Kaspersky Lab frequently studied hacks originating overseas, hackers with potential ties to the Russian state went uninvestigated.
Kaspersky commented on the banya issue on his blog after the article came out: “I go to the sauna with my colleagues. It is possible that at the same time, the same building is attended by Russian secret service operatives but I do not know them.” He also noted that his company had provided analyses on attacks that had been “attributed to Russian cyber-spies.”
Things have only gotten worse since Russian-sponsored hackers attempted to interfere with the course of the US presidential election in 2016.
Stoyanov, the head of the ORKI, was arrested in January 2017 and is currently held in a Russian prison on charges reportedly related to the hack of the Democratic National Committee and Hillary Clinton’s campaign. Both he and Sergey Mikhaylov, one of the heads of the cybersecurity center of the FSB, are accused of treason; the findings of the investigation are classified. Mikhaylov allegedly shared with foreign intelligence services information about Russian hackers that he obtained from Stoyanov, with whom he has been friends for years, according to the Bell, an independent Russian outlet.
According to the former Kaspersky Lab senior manager, Mikhaylov and Stoyanov often accompanied Kaspersky to the banya. But Kaspersky Lab has claimed that Stoyanov’s arrest had nothing to do with his work for the company. Meduza discovered no evidence that the arrest was related to his work at Kaspersky Lab during the course of reporting this story.
Just a few months later, a series of reports in the Wall Street Journal and other outlets revealed that Kaspersky Lab employees had acquired secret files from the US National Security Agency, damaging what remained of the company’s reputation in the US. The US was first made aware of Kaspersky’s possession of the files via Israel’s security services. Israel had discovered the files while conducting a separate operation inside Kaspersky’s systems before passing the information on to the US. The Israelis also claimed that their tests showed that the company’s antivirus software was specifically looking for the NSA files it had stolen.
“The system’s capacity allows this easily,” the former senior manager said. “You can easily search for, using the keywords, any files Moscow is interested in with specific names.”
Especially damaging for Kaspersky Lab: The NSA files reportedly were extracted from the personal computer of an NSA employee who had been accessing them at home. That computer had Kaspersky’s antivirus software installed. Kaspersky Lab admitted that its KSN had found the files on the employee’s computer. The network, after scanning the files, flagged them as likely malicious. Those files were then sent to the company’s internal network for analysis, the company said, where the Israelis later discovered them.
Eugene Kaspersky said in an interview with the AP that the files the system found were connected with a hacker group that some analysts say is a cover for the NSA. When he learned the nature of the files and their origin, Kaspersky says that he ordered their removal from the company’s network. Kaspersky did not say in the interview whether he informed the NSA about this incident after it was discovered.
The only department within Kaspersky Lab that has access to data collected from users who have KSN enabled is the company’s research and development department, Bulay, the Kaspersky spokesperson, told Meduza. None of the departments within the company that work with law enforcement can access the network, he said, adding that any data that is collected cannot be matched up with individual users — it all appears as anonymous information.
The company’s denials over the last year haven’t improved its reputation inside the US government. During a hearing of the Senate Intelligence Committee in May 2017, a US senator asked whether the heads of six intelligence agencies trusted Kaspersky’s products — all six responded in the negative. US employees of the Kaspersky Lab were called in for questioning related to the company paying retired Lt. Gen. Michael Flynn to speak at the Forum on Cybersecurity shortly prior to his appointment as Trump’s first national security adviser. In July, the company was excluded from the list of companies the US government could buy products from. By September, the Department of Homeland Security’s ban on using Kaspersky’s antivirus software in US government-owned institutions was in place.
In December, Kaspersky Lab filed a lawsuit against the US government, claiming that the ban imposed by the Department of Homeland Security is unconstitutional, as it is based on dubious evidence and breaches the company’s rights to due process.
“In the US at present Kaspersky is virtually closed; there is one small team remaining in Boston,” the former senior manager of the company told Meduza. (There are still offices in Florida and Seattle, he said, but there are only two or three employees each working in those.) Though Kaspersky says its revenue rose 8% globally in 2017, large retail chains like BestBuy now refuse to sell the antivirus software. In December 2017, Kaspersky Lab announced that it was closing down its office in the US capital, saying “its purpose has been exhausted.” ●
Denis Dmitriev and Daniil Turovsky contributed reporting to this story for Meduza.