
Cyber Incident Victim: Kaspersky Lab

Date: Jan 2014

Location: United States of America

Summary

Russian government hackers exploited Kaspersky Lab's antivirus software to globally search for and extract U.S. intelligence secrets, including classified documents from a National Security Agency employee's home computer. The breach was detected by Israeli intelligence, which observed real-time scanning operations and alerted U.S. authorities, prompting a federal ban on the software due to national security risks. While the company denied involvement, concerns persisted about potential coercion by Russian authorities or infiltration of its systems, given the software's broad access to user files and the founder's ties to Russian defense institutions. The incident underscored vulnerabilities in using foreign-developed security tools for sensitive government operations.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In 2014, Israeli intelligence officers monitoring Kaspersky Lab's internal networks observed Russian government hackers exploiting the company's antivirus software to conduct global searches for U.S. intelligence program code names. The Russian operation leveraged Kaspersky's routine scanning processes, which required full access to users' systems to detect malware, as a covert search tool. This allowed Russian actors to identify and exfiltrate sensitive documents from compromised devices, including classified materials from a National Security Agency (NSA) employee who stored files improperly on a home computer running Kaspersky software. The breach remained undetected for months until Israeli officials alerted U.S. counterparts, providing evidence through screenshots and documentation of the intrusion. This discovery prompted the U.S. Department of Homeland Security (DHS) to issue a directive on September 13, 2017, ordering all federal executive agencies to remove Kaspersky products within 90 days due to concerns about Russian government access.

The incident revealed multiple operational layers: Kaspersky itself had been compromised by Israeli hackers in 2014 through sophisticated implants enabling password theft, email collection, and surveillance of the company's research into state-sponsored hacking groups like the NSA-linked "Equation Group." Kaspersky detected this intrusion in mid-2015 during routine testing, documenting it publicly as "Duqu 2.0" but omitting Israel's involvement. The company's global user base of 400 million, including two dozen U.S. government agencies such as the Department of Defense and State Department, amplified the breach's potential scope. While Kaspersky denied collaboration with Russian intelligence, U.S. officials cited risks stemming from either direct Kremlin coercion or unauthorized infiltration of the company's systems. The breach compounded existing security challenges for U.S. intelligence, occurring alongside unrelated leaks of NSA tools by Shadow Brokers and CIA documents through WikiLeaks' Vault7 disclosures. No public evidence confirmed executive-level complicity at Kaspersky, though geopolitical context—including founder Eugene Kaspersky's military-intelligence background and Russia's coercive business environment under President Putin—heightened U.S. suspicions.
