Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer."
Russia-based Kaspersky has long been a target of suspicious rumors in the West over its ownership and allegiance to Russia's rulers.
In an advisory published today, the agency said: "The BSI recommends replacing applications from Kaspersky's virus protection software portfolio with alternative products."
It added: "A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers."
The warning does not appear to be based on any specific threat. Instead, however, it focuses on the notion that Kaspersky could find itself being used against its management's will to harm instead of protect its customers. The advisory noted, via Google Translate:
Antivirus software, including the associated real-time capable cloud services, has extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer's servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.
Kaspersky, a stalwart of the consumer antivirus scene since its foundation in the late 1990s, denied – unsurprisingly – that it poses a risk to Westerners. Instead it said the decision is politically motivated.
A company spokesman told The Register: "We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds... Kaspersky is a private global cybersecurity company and, as a private company, does not have any ties to the Russian or any other government."
He also added, without mentioning Russia's military invasion of Ukraine and its indiscriminate killing of unarmed civilians as a result: "We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn't good for anyone."
Like US-sanctioned enterprise infosec firm Positive Technology, Kaspersky tried to soothe fears in the West by moving its European base of operations to Switzerland in 2018. This failed when the Dutch government said it was banning internal use of Kaspersky; both Britain and the US did likewise.
In America's case, however, an NSA hacker's carelessness proved to be Kaspersky's undoing. Nghia Hoang Pho, who worked in the NSA's Tailored Access Operations (TAO) unit, was in the habit of taking his work home with him. When he uploaded an exploit onto his home laptop in 2015, his Kaspersky antivirus functioned exactly as intended: it recognized the malware and uploaded a copy to Kaspersky's servers.
Enraged, the US said Kaspersky had handed the exploit to Russia's FSB spy agency, jailed Pho, and banned the use of Kaspersky across its entire government.
Days after the Pho story first broke, however, rumors (started by the New York Times newspaper) began swirling that Israeli spies had hacked Kaspersky only to discover (so the story went) the infosec firm was working hand-in-glove with Russian spy agencies. This explosive allegation served its evident purpose: Kaspersky was, as far as the US government was concerned, kaput, and its denials of espionage collusion fell on deaf ears.
The company has occasionally repeated its promise of setting up transparency centers, similar to how Huawei has dealt with suspicious Western countries. A page on Kaspersky's website says potential customers can review source code through one of three pre-defined programs. These are said to include verification of binary equivalence ("rebuild the source code to make sure it corresponds to publicly available modules") and details of Kaspersky's Software Bill of Materials (SBOM) for its consumer and enterprise products.
None of this appears to be washing in the West – and today's announcement by Germany won't help the company's position. ®
Co-founder of the eponymous Russian security biz Eugene Kaspersky has hit back the warning.
"Without going into details I can say that these claims are speculations not supported by any objective evidence nor offering technical details,." he said in a statement.
"The reason is simple. No evidence of Kaspersky use or abuse for malicious purpose has ever been discovered and proven in the company's twenty-five years' history notwithstanding countless attempts to do so."
Kaspersky asserted that the German government had given the security shop only hours to answer allegations against it, and that it has offered its code up for review by the BSI years ago. "This is not an invitation for dialogue - it is an insult," he said.
"This is not an invitation for dialogue - it is an insult"
"This war is a tragedy that has already brought suffering to innocent people and repercussions across our hyper-connected world. The global cybersecurity industry that has been built on the basis of trust and cooperation to protect the digital links connecting us with each other may well be its collateral damage - and thus leave everyone even less safe."