Kaspersky Ban Shows What Can Happen When Antivirus Goes Bad

By Adam Maruyama

Adam Maruyama is a cybersecurity and national security professional and the Field CTO for Garrison Technology. He served more than 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.

OPINION — The Commerce Department’s recent decision to ban the sale of Kaspersky Lab’s anti-virus products in the United States removed a significant strategic threat from the cybersecurity ecosystem. But the removal of a backdoored product from the market will not stop sophisticated attackers from trying to hack other security products to gain similar capabilities.

In its Final Determination outlining the ban against Kaspersky, the Commerce Department notably did not critique Kaspersky’s effectiveness as an antivirus product; it instead highlighted the elevated privileges that antivirus products like Kaspersky have on users’ systems and how a hostile actor – in this case, Russia – could use those privileges to nefarious effect. Some of these effects include:

  • Using antivirus’s deep level of access to the core of the operating system to “inspect data and files” stored on devices using Kaspersky software;
  • Rerouting data, including “personal and proprietary data” to attackers’ servers;
  • Activating the camera and other location functions of a device to reveal its user’s identity and location; and
  • Providing a clear vector to install other malware or to strategically fail to apply malware signature updates.



Although the Determination goes on to enumerate how the policies of Kaspersky’s US subsidiary do little to prevent the Russian government or malicious insiders from taking advantage of this level of privilege – and in some cases actually enable them to do so – it’s important to note that these levels of privilege, and their potential deleterious effects, aren’t unique to Kaspersky’s anti-virus products. In fact, the ability to inspect files and network traffic is critical to anti-virus software’s ability to do its job on users’ systems. And just as Kaspersky is accused of leaving a backdoor in its software to allow the Russian government to take advantage of these privileges, sophisticated attackers are looking for vulnerabilities that will let them do the same.

A less publicized, but equally alarming, trend in cybersecurity is the increasing frequency of attacks on enterprise cybersecurity software. Google’s review of new vulnerabilities exploited by hackers in 2023 revealed an uptick in targeting of enterprise technologies “fueled mainly by the exploitation of security software and appliances.” In essence, sophisticated attackers realize that they don’t have to produce and market a subverted anti-virus product to gain the abilities that Kaspersky’s anti-virus supposedly provided to the Russian government: all they have to do is find a vulnerability in an existing security product and exploit it. Then, as PRC-linked threat actors have recently done, they can use the security bypass to install other tools that will give them continued access to the impacted networks and systems even after the vulnerability is patched.

As quick and ready access to the information and resources hosted on the Internet becomes increasingly imperative for government, critical infrastructure, and businesses, the risk of subverted security software – whether it’s through compromise by design in the case of Kaspersky or through one of the 36 vulnerabilities in enterprise solutions identified in Google’s report – is rising.


What’s more, many of the same companies whose products have been hacked are encouraging customers to take a “platformization” approach – concentrating more functions, and therefore more potential privileges for an attacker to abuse if the platform is subverted. Yet the vulnerabilities that emerge in these platforms are generally not met with the widespread attention that is emerging around Kaspersky products; instead, the cybersecurity community collectively puts temporary protections in place and installs a patch when one is available – often with a shrug of acknowledgement that vulnerabilities in security products are the new normal.

But this doesn’t need to be the case. CISA’s Secure by Design program aims to provide a software framework that eliminates entire classes of vulnerabilities from software, and other innovative approaches to cybersecurity – such as implementing security functions in single-purpose hardware rather than coding them into hackable software – are emerging.

For these approaches to succeed, however, the cybersecurity companies adopting them need the market’s help. One can only hope that, as companies look to replace Kaspersky with other solutions, they not only ask, “Does this product do a good job of identifying viruses” – because Kaspersky did just that – but also ask, “How does this product keep sophisticated attackers from compromising it and using it against my organization?”

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. 

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
