In early March, at a five-star hotel in Cancun, Mexico, the lights go off, the room turns dark, and a woman wearing a shiny white dress appears on a screen that’s as wide as the stage.

“Welcome to Security Analyst Summit 2018,” the woman says, referring to what’s known as SAS, the annual conference thrown by Russian antivirus company Kaspersky Lab. This year, the conference drew 320 people, 231 of whom were not Kaspersky Lab employees, according to the company. There were Israelis, Europeans, Americans, Russians, and others. Among the attendees were industry experts, law enforcement agents, and hackers who used to work for British and American spy agencies.
“For the 10th anniversary of SAS, we’ve created something special. It’s a new story, with new rules and new roles,” the woman in the video said. Lights flash around the room, music blasts, and eight actors wearing Old West costumes, in a nod to the TV show Westworld, appear on stage.

“Welcome to SAS X World, a place where the only limit is your imagination,” she says, in another nod to the show. “Answer the main question, who are you really?”
It’s an unintentionally appropriate way for Kaspersky Lab to open its biggest event, since many attendees and the cyber security world at large have the same question for the company.

Kaspersky Lab has been mired in an ongoing crisis. First, on the heels of the congressional inquiry into Russian meddling in the 2016 American presidential elections, the US government proposed and eventually passed a federal ban and purge on the use of Kaspersky Lab software across all government agencies. The British and Dutch governments have since followed suit.

The government bans have also spilled over to the private sector. Best Buy stopped sales of the software, some of Kaspersky Lab’s financial customers dropped it, and more recently, Twitter banned the company from advertising on its platform.

Meanwhile, several news stories alleged that the company’s software helped Russian intelligence services steal highly classified documents from a US National Security Agency contractor. The company’s most recent move to show it’s independent from the Russian government has been to announce a new data center in Switzerland that will store information from customers in the US, Europe, Japan, Korea, Singapore and Australia.
At the same time, Kaspersky Lab continues to have a good reputation in the industry. Its team of researchers is widely respected by its peers for its ability to find sophisticated government malware—regardless of where it’s from—and its software is considered one of the best to catch malware on your computer.

So what is Kaspersky Lab, really? Is the 20-year-old company behind one of the most popular antivirus programs in the world an arm of Vladimir Putin’s Kremlin? Or is the self-proclaimed “company to save the world” a victim of US government protectionist propaganda? Is SAS simply a networking event with an open bar where the company shows off the latest work from its researchers, who are some of the most well-respected malware hunters in the world? Or is it a chance for the company to expose highly sensitive, ongoing American intelligence operations, and—as some in the cybersecurity world told me—perhaps a chance for spies to keep tabs on attendees?

I flew to the Caribbean coast of Mexico to find out.

Shortly after the promo reel with the woman dressed in white ended, Eugene Kaspersky, the 52-year-old Russian founder of the company, took the stage. His five o’clock shadow and ice cold blue eyes reflected the lights in an otherwise dark room.

“I'm not a speaker for this conference,” Eugene Kaspersky said. “Actually there are very, very few conferences I'm not a speaker [for], and SAS is one of these events. So I'm not going to waste your time. I want to enjoy this event together with you. Thank you, morning, and back to work.”
Kaspersky, whose full name is Yevgeny Valentinovich Kaspersky, graduated from a KGB school before becoming a cybersecurity entrepreneur. He seemed reluctant to address the controversy between his company and the US government. It was perhaps a strategic move intended to send the message that, despite all the fuss in the news, Kaspersky Lab is trucking along.

Eugene Kaspersky declined to talk to me during SAS, but agreed to answer follow-up questions via email afterward. In our written correspondence, he dismissed concerns over the company’s future, saying the company’s financial results in 2017 were “positive,” and that it remains operating in the US and the West. (Late last year, the company closed down one of its offices in the US.)

“I cannot predict the longer term, but it’s business as usual this year,” Eugene Kaspersky said.

Over the course of the two-day conference, some of the company’s researchers were happy to talk about the cloud hanging over the company.

“You guys have all heard the fake news propaganda about Kaspersky stealing classified documents,” Brian Bartholomew, an American security researcher at Kaspersky Lab, joked during a live debate on disinformation and fake news on the first day of SAS. “You guys are smart enough to understand that that shit’s not real.”

The format of Bartholomew’s debate assigned speakers a position they had to defend, regardless of their true beliefs. Speakers were encouraged to be outspoken, almost to the point of satire. Bartholomew was clearly being facetious, though he and his colleagues insist the company is innocent and has been unfairly treated by the media and American authorities.
“We don’t have any problems with the US government, they have some issues with us,” fellow Kaspersky Lab researcher Vitaly Kamluk said during a press conference on the morning of SAS’s first day. “We just do our job and we do it good.”

Kamluk’s boss, Costin Raiu, the head of GReAT, Kaspersky Lab’s Global Research and Analysis Team, likewise defended the company’s history of going after all hackers, including nation-state hackers, be they American, Russian, or from another country. Earlier this month, GReAT discovered a cyber espionage campaign from a team Kaspersky Lab called ZooPark, which others in the industry believe is connected to the Iranian government, a Russian ally.
“Someone was complaining—or you could say whining—that we’re very aggressive when it comes to chasing malware or catching threat actors,” Raiu told me. “I'd like to say, ‘hell yeah!’ There’s no such thing as being too aggressive when it comes to chasing the bad guys in malware.”

That is a mantra that comes from the very top.

“We only have one rule when it comes to our research—we detect and report on all malware; it does not matter what language it speaks, its origin or purpose,” Eugene Kaspersky told Motherboard. “There is no such thing as good malware. Ever.”
KASPERSKY LAB VERSUS THE US GOVERNMENT
Eugene Kaspersky told Motherboard that these challenges are based “on nothing but rumors and unverified allegations,” and “zero evidence of any wrongdoing.”

It’s not just alleged spying, though. Those who believe the company is a front for the Kremlin point to some of the company's most high-profile research.

At SAS 2015, Kaspersky Lab published an in-depth report detailing the activities of Equation Group, which the company described as the “gods of cyberespionage.” The company, as usual, didn’t publicly identify who was behind the group it had given that moniker. The company wrote that it was “either the same [group] or working closely together” with the developers of the sophisticated and stealthy Stuxnet, malware created to sabotage Iranian nuclear centrifuges. Last year, data released by a mysterious group who call themselves The Shadow Brokers linked the NSA to Equation Group.

The NSA and its military counterpart, the US Cyber Command, had known that Kaspersky Lab had discovered and detected the malware it used in intelligence operations a year before the Russian company went public with the Equation Group research, according to two sources who worked in the US intelligence community at the time. The sources asked to remain anonymous to discuss sensitive intelligence issues.

“By the time [the Equation Group report] came out, everything had been cleaned up for months,” one source said. “We were able to see them discovering it all in real time via their silent signatures. A significant portion of the organization was reassigned to deal with the remediation effort.”
They said that the US government even sent people to SAS that year because it knew Kaspersky Lab was going to talk about Equation Group.
This year, Kaspersky Lab took another shot at US intelligence operations while I was at SAS. And this time, American spies might not have seen it coming.

On the second day of the conference, two Russian Kaspersky Lab malware researchers got on stage and talked about newly discovered malware they dubbed “Slingshot.” It would become a textbook example of how Kaspersky Lab can be seen as either a good cyber security outfit or an antagonistic player out to sabotage American operations around the world, depending on who you ask.

The hackers behind the operation, the researchers explained, were going after routers, specifically at internet cafes in the Middle East. The day before, at a press briefing, Raiu, the head of GReAT, said that while the company didn’t know who was behind Slingshot, it did know the hackers’ skills matched those of Equation Group and Regin—a cyberespionage group widely believed to be the UK’s spy agency GCHQ.

Apart from the talk and the press release, the company didn’t really make a big deal out of this research. It pitched it to journalists and got some coverage, but compared to its report on Equation Group three years earlier, Slingshot barely registered.

The impact of Kaspersky’s Slingshot report wouldn’t be known until two weeks after the conference, when anonymous intelligence officials told CyberScoop that by revealing Slingshot, Kaspersky Lab had compromised an ongoing operation led by the Department of Defense’s Joint Special Operations Command (JSOC) to hunt down al Qaeda and ISIS terrorists.
That revelation completely changed the story of Slingshot. This wasn’t just an interesting report presented at a conference anymore. A talk and its accompanying blog post presented at a conference in Cancun, Mexico, reportedly forced US military hackers to burn and abandon the digital infrastructure of an espionage operation aimed at some of the most dangerous terrorists on the other side of the world.

“One can’t possibly help but think this was either a calculated burning of [counterterrorism] operations for PR or retribution for the past year,” Michael Rea, a security researcher at CrowdStrike who used to work in the US intelligence community, wrote on Twitter.

Kaspersky Lab doesn’t see it that way. Instead, the company claims its researchers didn’t know who was behind the hack or who the intended targets were.

“We do not know the identity of the attackers behind the Slingshot APT or of its victims,” Eugene Kaspersky said. “We also do not discriminate or pick our cases based on nationality or the malware authors’ intent—we report on all threats, period.”

If the company is telling the truth, then no one warned the US government or JSOC that its operation was about to be burned. An advance warning along those lines would not have been unusual, according to former GReAT researcher Juan Andres Guerrero-Saade. (JSOC did not respond to a request for comment.)

“If you know you're going to release something, you go and you tell the organizations that you think are involved,” said Guerrero-Saade, who left the company last year and said he has no direct knowledge of Slingshot. “You go and you give them a heads up. Nobody here [in the industry] is trying to surprise anybody.”
Another former GReAT researcher told me in an online chat that the group generally “attempted to do ‘The Right Thing’ while staying apolitical.” So if Kaspersky Lab was aware of the true nature of Slingshot and went ahead and published the research anyway, “I wouldn't call that responsible disclosure,” the researcher, who asked to remain anonymous because he was not authorized to speak to the press, told me in a chat.

Eugene Kaspersky did not directly respond when asked whether the company ever gave governments a heads up about upcoming research.

Though Kaspersky Lab researchers say they didn't know who used Slingshot, several outside observers, such as Vesselin Bontchev, an assistant professor at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, and pseudonymous researcher Odisseus, concluded soon after the talk that it looked like Americans were behind Slingshot. And at SAS, Kaspersky Lab researchers gave enough clues to suggest the hackers behind Slingshot could be working for the US government, perhaps the CIA.

There's a difference between malware research and the public discussion thereof. Kaspersky Lab could have done work in the background, detecting Slingshot and stopping it from infecting customers’ computers. That’s what antivirus software is designed to do. Instead, it decided to disclose Slingshot at the company’s annual marquee event, putting a very public spotlight on it.
There are very few examples of antivirus companies publishing reports on suspected counterterrorism operations. The tendency for cybersecurity companies to shy away from this type of research is an issue that's rarely discussed in public within the threat intelligence world. But there are a few isolated examples of other companies publishing research that exposes counterterrorism surveillance activities. In 2016, McAfee published research about spyware targeting ISIS sympathizers. In 2014, Symantec, Kaspersky Lab, and The Intercept wrote about a UK intelligence operation nicknamed Regin. At the time, the CEO of a cybersecurity firm that was hired to investigate one of the breaches related to this operation told me that the industry didn’t reveal Regin earlier because "we didn't want to interfere with NSA/GCHQ operations."

Raiu told me there’s no company policy against researching malware linked to counterterrorism campaigns. Eugene Kaspersky confirmed this in our email interview, which generally puts the company at odds with how much of the rest of the industry operates.

“I believe it would be a problem if companies would restrict the topics researchers can investigate and those they can’t,” Raiu told me over Twitter direct message.

When Raiu and I caught up at SAS, he put it in even simpler terms when talking about his company’s decision to publish research on government spying.

“Whatever we find, we publish,” he told me. “For good or bad.”
While that sounds like a great tagline, it’s a convenient one for Kaspersky.

“Of course they’re trotting out the line ‘a threat is a threat is a threat, and you know we're just going to block threats,’” Patrick Gray, host of the infosec podcast Risky Business, said in a recent episode. “But maybe doing entire presentations on them that make it extremely obvious that this is an American intelligence operation against extremely dangerous people, maybe that's the bit that people have a problem with, not that you just squashed their malware.”

And it’s not true that Kaspersky Lab publishes everything it finds, especially in the last few years. As part of its business model, which isn’t unusual in the industry, the company now provides paying subscribers with private reports on malware and hacking groups, some of which never get released to the public.

According to Guerrero-Saade, companies occasionally find it hard to pass up the public attention that some research gets.

“Sometimes the PR machine runs faster than anybody's good sense,” he said, while adding that he did not think Kaspersky Lab was in the wrong in this case.
THE GREATNESS OF THE GREAT
The GReAT researchers also were the first to blow the lid off Russian espionage operations with a report on a group they dubbed Red October. This wasn’t the only time they busted Russian government hackers. GReAT has also published reports about other Russian-linked groups they named Sofacy and Cozy Duke, which are different codenames for the infamous Fancy Bear and Cozy Bear, widely believed to be Russian spies.

“GReAT is one of the best teams of its kind. It may also have been one of the first ones,” Martijn Grooten, the editor of Virus Bulletin, told me.

Kaspersky Lab’s customers, who pay to get private reports on threats, agree.

“In my humble opinion, when it comes to APTs, the GReAT remains unrivalled,” said a source who works for a government and is a Kaspersky Lab subscriber, using the abbreviation for Advanced Persistent Threats (APTs), an industry term that refers to government or highly skilled hacking groups.

“The others are inferior. Even Symantec, which is the world’s most popular antivirus can’t keep up,” the source, who requested to speak anonymously as he wasn’t authorized to talk to the press, said. “Costin [Raiu] is from another planet.”

GReAT’s own members don’t hide how proud they are, and how ambitious they consider their mission. At SAS, during a talk to celebrate the team’s 10 year anniversary, Kamluk, one of the group’s researchers, talked about Israel hacking into Kaspersky Lab, and said the attack was aimed at GReAT.
“The attackers that came to infect us, they came after the researchers, and after the technology that we were developing to save the people of the world,” he said.

GReAT’s reports routinely get headlines on tech sites like Motherboard, Wired, and Forbes, but also in more traditional outlets such as The New York Times and The Wall Street Journal.

Their high-profile research has led to some unwanted attention for some of its members.

In 2010, Raiu came back home after giving a talk about Stuxnet. According to Raiu, when he stepped into his living room with his wife, he found a white rubber cube with a message written on it: “take a break.”

“It’s a pretty scary situation,” Raiu recalled during a talk in 2015. “You go into your home and you find a gift like this on the table.”

Raiu said that he did take a break, but then kept going. He’s proud of his team’s work, which often busts the operations of well-funded and equipped intelligence agencies.

“If we, a small company with 3,000 employees can stop the malware produced by a 30,000-strong intelligence agency with billions of dollars in budget,” Raiu said at that 2015 talk, “it means that we’re probably doing something right.”
INSIDE THE SAS
“Very challenging,” Shlychkova said. “The most challenging year.”

Her colleague, Sergey Malenkovich, agreed, saying it was hard to put together the conference this year because of “the geopolitical tensions.”

Tensions and challenges notwithstanding, the conference is still packed with high profile hackers and researchers. Given the small number of attendees, and the fact that everyone stays at the home hotel and is pretty much at the same events at all times, it’s easy to bump into interesting people. When I arrived at SAS, I ran into Ryan Naraine, a former Kaspersky employee who still helps the company organize the conference.

“Let’s get a shot,” Naraine said. When we ran into another attendee, Naraine whispered to me: “He’s from an intelligence agency.”

Serious research and talks seamlessly blend in with the seemingly limitless streams of tequila. This year’s keynote was given by Matt Tait, a well-known former GCHQ and Google hacker, who’s perhaps best known for his prolific tweets under the moniker @pwnallthethings. Tait, who spoke about the history of (mainly Russian) disinformation, won the conference prize for best speaker. When he went on stage to collect it, he snapped a selfie with Eugene Kaspersky himself, who had already spent most of the evening with a drink in hand.

I asked Tait a few minutes after he left the stage if he had posted the selfie.

“Oh, no!” Tait said, taking out his phone. “Let me tweet it now.”
These are probably the kind of interactions Kaspersky Lab hopes to foster at SAS.

“Freebies, good times, and free flowing liquor,” one security researcher, who has never attended SAS but has been invited several times, said of SAS’s reputation. “It’s a very cynical, carefully choreographed attempt to integrate with the security community.” In other words, “it’s a way to wine and dine your way in.”

Violet Blue, a reporter who’s covered cybersecurity for years and has previously attended SAS, told me that the conference is a case study in how to influence the infosec world and the journalists who cover it. Kaspersky Lab, Blue wrote in an email, is “generous, warm, kind” to all attendees, including those who come from groups that have been left out of the traditional infosec community.

“Kaspersky doesn't care; they make the most excluded outsiders (yes, especially the influential ones) feel like part of something,” Blue wrote. “If they were running some kind of influence campaign, it's commendably slick.”

“The point is twofold,” said another security researcher who requested anonymity for fear of angering the Russian government. “First, good will. Second is spying: assessing, recruiting, stealing data on the spot.”
Dan Guido, founder of consulting firm Trail of Bits, has come to regret attending the 2010 SAS in Malaga, Spain.
“I did have a fun time,” Guido told me. “For them it was all about, ‘Dan, this upstanding guy in the community, supports this.’ If you speak at a conference your name gives credence to the conference. But all I really supported was a free trip to Spain.”

Guido has openly criticized SAS for being a “purposefully engineered opportunity for Russian intelligence to get close to hackers they care about.” Guido admits that every cybersecurity conference is a good opportunity for spies to get close to or hack attendees of interest. But SAS is small, and everyone is pretty much always in the same place, including during field trips or for the evening booze-fueled events (usually away from the conference hotel), so Guido likens targeting people there to “shooting fish in the barrel.”

Eugene Kaspersky strongly dismissed these accusations.

“This sounds like a James Bond movie! People believe some really crazy things,” he wrote in an email.

For another attendee, these are overblown concerns, even if the Russians could get to attendees if they wanted.

“My default is if the Russian government wants my files, (a) they can (b) they don't need a Kaspersky conference to do it and (c) I probably won't notice, even if I'm looking, because FSB don't fuck around,” he told me. “It also seems like the wrong conference to try such things.”

But not everyone is so sure.

“Watch your drinks,” a longtime attendee who asked to remain anonymous advised me before I went.
They told me there have been multiple cases of attendees reporting being slipped drugs in their drinks, or people breaking into other people’s rooms. Another person who attended in the past also described a similar incident, but declined to elaborate. Yet another attendee also said he heard rumors of such incidents.

“I have no interest in going back,” another attendee said. “I got a weird vibe the whole time I was there. It was super shady. There were a lot of very inquisitive people that came out of nowhere. It felt like it was an information gathering fest for them. They liquor you up, and work their way into all these conversations that you're having with people.”

Motherboard was unable to independently verify the specifics of any of these cases. Eugene Kaspersky said he’s “never heard of such incidents,” and a company spokesperson said there is no validity to them.

“Providing SAS participants with the best possible conditions, including safety and security, is a top priority for the event organizers,” a company spokesperson said in an email. “SAS attendees can address any issues with the conference organizers, and to date, we have not received any reports of the speculated incidents.”

The vast majority of attendees I spoke to enjoy the conference. Many of them have attended multiple times and have SAS marked in red in their calendar. Several of them, including from companies that compete with Kaspersky Lab, described SAS as one of the best, if not the best, conference they’ve ever attended.
“It’s a fantastic conference,” Chris Sistrunk, a security researcher from Mandiant, a Kaspersky Lab competitor, told me. Guerrero-Saade called it a “researchers’ Christmas.”