According to a senior US official and two people familiar with the subject, the US administration began informally warning some American companies the day after Russia invaded Ukraine that Moscow could modify software produced by Russian cybersecurity company Kaspersky to cause harm.
The confidential briefings are part of a larger campaign by Washington to prepare essential infrastructure providers such as water, telecommunications, and electricity for possible Russian breaches.
President Joe Biden stated last week that sanctions placed on Russia for its attack on Ukraine on February 24 could result in a reaction, including cyber disruptions, but the White House did not elaborate.
“The risk calculation has changed with the Ukraine conflict,” said the senior U.S. official about Kaspersky’s software. “It has increased.”
Kaspersky, one of the most well-known anti-virus software companies, is based in Moscow and was created by Eugene Kaspersky, a former Russian intelligence operative, according to US officials.
In a statement, a Kaspersky spokeswoman claimed the briefings on alleged Kaspersky software hazards would be “further detrimental” to the business’s reputation “without giving the company the opportunity to reply directly to such concerns,” and that it “is not appropriate or just.”
Russian law enforcement or intelligence services might force Kaspersky’s Russia-based workers to provide or assist in the establishment of remote access into their clients’ systems, according to the senior US official.
According to his company website, Eugene Kaspersky graduated from the Institute of Cryptography, Telecommunications, and Computer Science, which was originally supervised by the Soviet KGB. During his military service, Kaspersky worked as a “software engineer,” according to a company spokeswoman.
On its website, the Russian cybersecurity firm, which has a US headquarters, advertises relationships with Microsoft, Intel, and IBM. Microsoft did not respond to requests for comment. Intel and IBM did not return requests for comment.
Kaspersky was added to the Federal Communications Commission’s list of communications equipment and service providers deemed threats to US national security on March 25.
It’s not the first time the US has suggested that Kaspersky may be influenced by the Kremlin.
In 2017 and 2018, the Trump administration spent months banning Kaspersky from government systems and urging several businesses not to use the software.
Similar cybersecurity briefings were held by US security agencies in the aftermath of Trump’s travel restriction. According to one of the people acquainted with the situation, the content of those talks four years ago was similar to that of the present briefings.
Kaspersky has consistently denied any misconduct or secret collaboration with Russian intelligence over the years.
It’s unclear whether the security briefings were prompted by a specific event or new intelligence. The senior official declined to comment on classified material.
To date, no US or allied intelligence agency has provided direct, public proof of a backdoor in Kaspersky software.
Following Trump’s decision, Kaspersky launched a series of transparency centres where partners can analyse its code for malicious activity, according to the company. According to a company blog post at the time, the goal was to rebuild customer trust after the US accusations.
The transparency centres, however, are not “even a fig leaf,” according to the US official, because they do not address the US government’s concerns.
“Moscow software engineers handle the [software] updates, that’s where the risk comes,” they said. “They can send malicious commands through the updaters and that comes from Russia.”
According to cybersecurity experts, anti-virus software needs a high level of control over the machines where it is installed in order to find malware. That control makes anti-virus software intrinsically advantageous for espionage.
In addition, Kaspersky’s products are occasionally sold under white-label agreements. This means that information technology contractors can bundle and rename the software in commercial arrangements, making its origin difficult to determine.
While not specifically mentioning Kaspersky, the UK’s cybersecurity centre stated on Tuesday that companies providing services to Ukraine or key infrastructure should reassess the risk of employing Russian computer equipment in their supply chains.
“We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence,” the National Cyber Security Centre said in a blog post.
(Adapted from Reuters.com)