Amid U.S. concerns about Kaspersky Lab's affiliation with the Russian government, Kharon has found evidence indicating that Russian security agencies had access to the company's software long before the U.S. banned it in June.
Kaspersky Lab is a Russian-based cybersecurity firm that provides antivirus software products to over 400 million users worldwide. In recent years, the company has faced serious allegations from the U.S. government over its ties to the Russian government, specifically with the Federal Security Service (FSB).
Further complicating Russia and Kaspersky Lab's relationship, the company has been designated a "systemically important organization” in the tech sector by the Russian government. This designation makes it a crucial entity in the economy and allows the company and its subsidiaries access to government grants, contracts, and other privileges.
While announcing the new restrictions, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) determined that Kaspersky Lab’s antivirus software presents a significant national security risk. Specifically, BIS noted that Kaspersky’s products could be used as a backdoor by Russian cyber and intelligence agencies to infiltrate U.S. networks and access personal data.
In July, the Federal Communication Commission (FCC) added antivirus software made by Kaspersky Lab, Inc. (the U.S. subsidiary) to its Covered List, which identifies communication equipment and services that pose a national security risk to the U.S. This follows products and services provided by Kaspersky Lab AO, a subsidiary of Kaspersky Lab Limited and the company’s main Russian office, being added to the list in 2022.
What we’ve uncovered: Kharon found that two of Russia’s top security agencies have been previewed to Kaspersky’s antivirus software and have determined that it’s suitable for their own work. This could potentially pose a national security concern in the eyes of the U.S. government.
According to the Kaspersky website, the FSB and the Ministry of Defense issued two separate licenses to Kaspersky Lab AO certifying that the company’s antivirus software product meets the criteria for use by the security agencies, specifically in protecting data containing government secrets.
One of the licenses was issued by the FSB in November 2020 and is active through October 2025. The other license, which was first issued in January 2019, was re-issued in February by the Federal Service for Technical and Export Control, a unit of Russia’s Ministry of Defense.
Although the licenses don’t specify whether Kaspersky’s products are currently being used by either agency, they do mention that the certification was based on several factors, including an expert review of the antivirus software conducted by the two security agencies.
More on BIS ban: The June action prohibits the company from providing the software and other cybersecurity products in the U.S. or to U.S. persons.
The ban was prompted by an investigation that found that the company’s operations in the U.S. posed a national security risk “due to the Russian government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.”
BIS noted that since Kaspersky is subject to Russian jurisdiction and laws, it could be forced to comply and share customer data with the Russian government. BIS also warned that the company could intentionally install malicious software on U.S. customers' computers or withhold critical software updates.
The U.S. agency added that the ban was a more appropriate response as the security risk could not be addressed “through mitigation measures.”
In addition to the ban, BIS added three affiliated entities, Kaspersky Lab AO, Kaspersky Group OOO (Russia), and Kaspersky Labs Limited (United Kingdom), to its Entity List for their alleged cooperation with Russian military and intelligence authorities. The Entity List prohibits these companies from exporting or re-exporting high-risk products from the U.S. without a license.
What U.S. officials are saying: “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people,” said Commerce Secretary Gina Raimondo in a June statement.
Kaspersky’s response: Following the U.S. ban on its antivirus software, Kaspersky Lab denied allegations that the product poses a security threat. The company stated the ban is based on the “geopolitical climate and theoretical concerns” rather than on an independent investigation to determine whether the product presents a risk, The Associated Press reported.
The ban ultimately led the company to begin winding down its U.S. operations in July. However, it still has offices operating across Europe.
Previous action taken: This isn’t the first time that the U.S. has taken action against Kaspersky Lab. In 2017, the U.S. banned federal agencies from using the company’s software over concerns that the firm had ties to Russian cyber espionage operations.
Responding to the 2017 federal ban, Kaspersky said that it “doesn’t have inappropriate ties with any government… [and] has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts,” The Washington Post reported.
Reports that Russia hacked NSA using Kaspersky: That same year, the media reported that Israeli intelligence officials, who were spying on Russian government hackers, discovered that in 2015, these hackers had used Kaspersky software to gain access to U.S. hacking tools from the NSA.
Although Kaspersky Lab has continued to deny allegations that the Russian government has access to the company’s data, an independent Russian security expert who spoke to the Washington Post in 2017 said he is “very, very skeptical” that Russian security agencies don’t already have access to the data.
He added that because Kaspersky deals with encrypted information, it is required to obtain a license from the FSB, which means that the company has to be “completely transparent” with the security agency.
Kaspersky Lab is a Russian-based cybersecurity firm that provides antivirus software products to over 400 million users worldwide. In recent years, the company has faced serious allegations from the U.S. government over its ties to the Russian government, specifically with the Federal Security Service (FSB).
Further complicating Russia and Kaspersky Lab's relationship, the company has been designated a "systemically important organization” in the tech sector by the Russian government. This designation makes it a crucial entity in the economy and allows the company and its subsidiaries access to government grants, contracts, and other privileges.
While announcing the new restrictions, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) determined that Kaspersky Lab’s antivirus software presents a significant national security risk. Specifically, BIS noted that Kaspersky’s products could be used as a backdoor by Russian cyber and intelligence agencies to infiltrate U.S. networks and access personal data.
In July, the Federal Communication Commission (FCC) added antivirus software made by Kaspersky Lab, Inc. (the U.S. subsidiary) to its Covered List, which identifies communication equipment and services that pose a national security risk to the U.S. This follows products and services provided by Kaspersky Lab AO, a subsidiary of Kaspersky Lab Limited and the company’s main Russian office, being added to the list in 2022.
What we’ve uncovered: Kharon found that two of Russia’s top security agencies have been previewed to Kaspersky’s antivirus software and have determined that it’s suitable for their own work. This could potentially pose a national security concern in the eyes of the U.S. government.
According to the Kaspersky website, the FSB and the Ministry of Defense issued two separate licenses to Kaspersky Lab AO certifying that the company’s antivirus software product meets the criteria for use by the security agencies, specifically in protecting data containing government secrets.
One of the licenses was issued by the FSB in November 2020 and is active through October 2025. The other license, which was first issued in January 2019, was re-issued in February by the Federal Service for Technical and Export Control, a unit of Russia’s Ministry of Defense.
Although the licenses don’t specify whether Kaspersky’s products are currently being used by either agency, they do mention that the certification was based on several factors, including an expert review of the antivirus software conducted by the two security agencies.
More on BIS ban: The June action prohibits the company from providing the software and other cybersecurity products in the U.S. or to U.S. persons.
The ban was prompted by an investigation that found that the company’s operations in the U.S. posed a national security risk “due to the Russian government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations.”
BIS noted that since Kaspersky is subject to Russian jurisdiction and laws, it could be forced to comply and share customer data with the Russian government. BIS also warned that the company could intentionally install malicious software on U.S. customers' computers or withhold critical software updates.
The U.S. agency added that the ban was a more appropriate response as the security risk could not be addressed “through mitigation measures.”
In addition to the ban, BIS added three affiliated entities, Kaspersky Lab AO, Kaspersky Group OOO (Russia), and Kaspersky Labs Limited (United Kingdom), to its Entity List for their alleged cooperation with Russian military and intelligence authorities. The Entity List prohibits these companies from exporting or re-exporting high-risk products from the U.S. without a license.
What U.S. officials are saying: “Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people,” said Commerce Secretary Gina Raimondo in a June statement.
Kaspersky’s response: Following the U.S. ban on its antivirus software, Kaspersky Lab denied allegations that the product poses a security threat. The company stated the ban is based on the “geopolitical climate and theoretical concerns” rather than on an independent investigation to determine whether the product presents a risk, The Associated Press reported.
The ban ultimately led the company to begin winding down its U.S. operations in July. However, it still has offices operating across Europe.
Previous action taken: This isn’t the first time that the U.S. has taken action against Kaspersky Lab. In 2017, the U.S. banned federal agencies from using the company’s software over concerns that the firm had ties to Russian cyber espionage operations.
Responding to the 2017 federal ban, Kaspersky said that it “doesn’t have inappropriate ties with any government… [and] has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts,” The Washington Post reported.
Reports that Russia hacked NSA using Kaspersky: That same year, the media reported that Israeli intelligence officials, who were spying on Russian government hackers, discovered that in 2015, these hackers had used Kaspersky software to gain access to U.S. hacking tools from the NSA.
Although Kaspersky Lab has continued to deny allegations that the Russian government has access to the company’s data, an independent Russian security expert who spoke to the Washington Post in 2017 said he is “very, very skeptical” that Russian security agencies don’t already have access to the data.
He added that because Kaspersky deals with encrypted information, it is required to obtain a license from the FSB, which means that the company has to be “completely transparent” with the security agency.
