Andrew E. Kramer – New York Times June 3, 2012
When Eugene Kaspersky, the founder of Europe’s largest antivirus company, discovered the Flame virus that is afflicting computers in Iran and the Middle East, he recognized it as a technologically sophisticated virus that only a government could create.
He also recognized that the virus, which he compares to the Stuxnet virus built by programmers employed by the United States and Israel, adds weight to his warnings of the grave dangers posed by governments that manufacture and release viruses on the Internet.
“Cyberweapons are the most dangerous innovation of this century,” he told a gathering of technology company executives, called the CeBIT conference, last month in Sydney, Australia. While the United States and Israel are using the weapons to slow the nuclear bomb-making abilities of Iran, they could also be used to disrupt power grids and financial systems or even wreak havoc with military defenses.
Computer security companies have for years used their discovery of a new virus or worm to call attention to themselves and win more business from companies seeking computer protection. Mr. Kaspersky, a Russian computer security expert, and his company, Kaspersky Lab, are no different in that regard. But he is also using his company’s integral role in exposing or decrypting three computer viruses apparently intended to slow or halt Iran’s nuclear program to argue for an international treaty banning computer warfare.
A growing array of nations and other entities are using online weapons, he says, because they are “thousands of times cheaper” than conventional armaments.
While antivirus companies might catch some, he says, only an international treaty that would ban militaries and spy agencies from making viruses will truly solve the problem.
The wide disclosure of the details of the Flame virus by Kaspersky Lab also seems intended to promote the Russian call for a ban on cyberweapons, a ban modeled on the treaties that removed poison gas and expanding bullets from the arsenals of major nations.
And that puts the Russian company in a difficult position because it already faces suspicions that it is tied to the Russian government, accusations Mr. Kaspersky has constantly denied as he has built his business.
While Russian officials have not commented on the discovery of Flame, the Russian minister of telecommunications gave a speech, also in May, calling for an international cyberweapon ban. Russia has also pushed for a bilateral treaty with the United States.
The United States has agreed to discuss such a disarmament treaty with the Russians, but has also tried to encourage Russia to prosecute online crime, which flourishes in Russia.
The United States has long objected to the Russian crusade for an online arms control ban. “There is no broad international support for a cyberweapon ban,” says James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. “This is a global diplomatic ploy by the Russians to take down a perceived area of U.S. military advantage.”
Russia, many security experts note, has been accused of using cyberwarfare in its dispute with Estonia and in its 2008 war with Georgia.
Mr. Kaspersky said that at no point did he cooperate with the Federal Security Service, the successor agency to the K.G.B., as the Flame virus was not a threat to Russian citizens.
Kaspersky Lab, he said, felt justified exposing the Flame virus because the company was working under the auspices of a United Nations agency. But the company has been noticeably silent on viruses perpetrated in its own backyard, where Russian-speaking criminal syndicates controlled a third of the estimated $12 billion global cybercrime market last year, according to the Russian security firm Group-IB.
Some say there is good reason. “He’s got family,” said Sean Sullivan, an adviser at F-Secure, a computer security firm in Helsinki. “I wouldn’t expect them to be the most aggressive about publicizing threats in their neighborhood for fear those neighbors would retaliate.”
Last year, Mr. Kaspersky’s 19-year-old son was kidnapped by criminals demanding a ransom. The kidnappers did not appear to have ties to any of Russia’s online criminal syndicates, but Mr. Sullivan says, “It was probably a wake-up call.”
Some computer security firms say Mr. Kaspersky’s researchers have hyped Flame. It is too early, his critics say, to call the virus a “cyberweapon” and to suggest it was sponsored by a state.
Joe Jaroch, a vice president at Webroot, an antivirus maker, says he first encountered a sample of Flame in 2007. He says he did not publicize the discovery because he did not consider the code sophisticated. “There are many more dangerous viruses out there,” he said. “I would be shocked if this was the work of a nation state.”
Mr. Sullivan, from F-Secure, said: “It’s interesting and complex, but not sleek and stealthy. It could be the work of a military contractor — Northrop Grumman, Lockheed Martin, Raytheon and other contractors are developing programs like these for different intelligence services. To call it a cyberweapon says more about Kaspersky’s cold war mentality than anything else. It has to be taken with a grain of salt.”
Whether the skepticism is authentic or professional jealousy, no one doubts the Kaspersky Lab’s skills. Mr. Kaspersky studied cryptography at a high school that was co-sponsored by the K.G.B. and Russia’s ministry of defense, and later took a job with the Russian military. He started tracking computer viruses as a side project in 1989, after his work PC was infected with one. In 1997, he co-founded Kaspersky Lab with his wife at the time, Natalya, in their Moscow apartment.
The headquarters of the team that unraveled Flame is an open-plan office of cubicles overlooking a park on the edge of Moscow. Mr. Kaspersky eschews suits and his researchers wear Converse shoes and tattered jeans, much as their counterparts in the United States do. A Darth Vader mask adorns one desk.
Talent also abounds. The Belarusian virus hunter who first found the Stuxnet virus in 2010, Sergei Ulasen, now works for Kaspersky Lab.
Today, the company is one of Russia’s most recognizable exports. It commands 8 percent of the world’s software security market for businesses, with revenue reaching $612 million last year.
Yet Mr. Kaspersky says he often has to dispute suggested ties to Russia’s security services. Analysts say suspicions about the firm’s Russian roots have hindered its expansion abroad.
“The U.S. government, defense contractors and lots of U.S. companies won’t work with them,” said Peter Firstbrook, director of malware research at Gartner, a research firm. “There’s no evidence that they have any back doors in their software or any ties to the Russian mafia or state. It’s a red herring, but there is still a concern that you can’t operate in Russia without being controlled by the ruling party.”
Mr. Kaspersky said his company tackled Flame upon the request of the International Telecommunication Union, a United Nations agency. He assigned about three dozen engineers to investigate a virus that was erasing files on computers at Iran’s oil ministry. Kaspersky researchers, some of whom had analyzed suspected United States and Israeli viruses that destroyed centrifuges in Iran’s nuclear program two years earlier, were already following up on complaints from Iranian clients that Kaspersky’s antivirus software was not catching a new type of malware on their systems, Kaspersky officials said.
“We saw an unusual structure of the code, compressed and encrypted in several ways,” said Vitaly Kamlyuk, a researcher on the team that cracked the virus.
It was the first virus to look for Bluetooth-enabled devices in the vicinity, either to spread to those devices, map a user’s social or professional circle, or steal information from them. The program also contained a command called “microbe” that silently turned on users’ microphones to record their conversations and sent audio files back to the attackers. It was clearly not a virus made by criminals.
“Antivirus companies are in a not easy situation,” Mr. Kaspersky said. “We have to protect our customers everywhere in the world. On the other hand, we understand there are quite serious powers behind these viruses.”
Even though finding viruses first is usually a boon for antivirus companies, cracking Flame, Mr. Kaspersky said, might hurt his business in one regard. “For the next five years, we can forget about government contracts in the United States.”