WalksWithCrows March 11, 2015 4:28 PM

Sounds already like “likely NSA”, but the method of going for firmware, and the method of attacking systems in supply chain delivery would be common to any nation.

That is a very old methodology, in which some target is ordering something, and some agency grabs it en route and adjusts it. Likewise, they have, for many decades now, performed the same actions on items (a computer, or anything, a person’s favorite jacket, or their favorite briefcase, whatever) on order, on repair at a store, or in their house — or anywhere else they can get access to it.

Not so persuaded the time stamps could not have been altered, especially if someone was trying to make it look like a specific nation or group.

I do think what probably would be most interesting here is more information on who is targeted. For instance, what came out about overly wide targeting by the US on prominent Muslim Americans.

Who they are targeting is also, of course, as Bruce noted in his book, often the form of attribution relied on in these cases. From the map I saw on Equation Group, it looks like “all over”. Many such groups do spread their nets too wide to obscure critical targets, but there is a high cost to that.

This information is especially interesting in regards to nations friendly with the US.

Is the detection only from KAV? Or did they share detection information?

Issues like “did the US target human rights groups”, might then come up. Or “who might the US be interested in targeting?” And so on.

Even to the more granular degrees such as “who the US therefore believes may be a spy or other person of interest”.

Surely, some have come forward, besides that one forum post a number of years ago? Or maybe KAV, as Mandiant, Trustwave, and Verizon Business Consultancy do “anonymize” the data, yet provide some interesting statistics?

I wonder if any attacks are on American soil?

CHARLIEFOXTROT March 11, 2015 8:39 PM

This is great. Now every firm engaged in ICB that ever lost to US bidders will go to Kaspersky for probative evidence to contest the procurement under GPA Article XX on the grounds of duplicitous proceedings. Or they can make a case for state compensation at the ICJ. That’s half the OECD, smelling blood.

Nice work, Starfleet! Set course for Gamma Quadrant, Black hole of Career Suicide!

STF March 11, 2015 9:42 PM

This enslaved Human is forced to create miniature eavesdropping devices by her Smurf Masters. She was eventually freed by our tactical forces, but lost her valiant fight for life, her death an indirect result of the terrible conditions under which the Smurfs imprisoned her. She was only twenty-four years old. Have they no shame?

They must have Equation devices.

WalksWithCrows March 11, 2015 10:29 PM


What we tend to not hear about much here in the west is how corrupt the Russian regime is. Not in the US, anyway. Kaspersky came from the FSB (domestic KGB) which operates like organized crime does, mixed with the old Soviet Union corruption. Not at all surprised that one of the perpetrators of one of the mass hacks of recent years was tied to a Russian higher-up. Their government spends more time running scams against their own businesses; of course, they would want to start to spread out and start hitting up the wealthy first world nations which they resent deeply.

They don’t have a legal system that is functioning. FSB live as a higher class, the top caste, and can do as they please. They have the privilege, as they did in the old days, of being above the law. The US and their actions are incredibly tame compared to them.

I think they probably feel like the Snowden disclosures have revealed they are fools, and so they are fighting back. They were beaten at their own game of playing diabolical.

Though, fact is, only reason westerners tend to not pay much attention to their internal situation is because they are so painfully irrelevant.

65535 March 11, 2015 10:35 PM

Wow, just Wow!

115 plugins, 35+ modules, various encryption methods, C&C server with botnet. Key loggers, clipboard scrapers, validation patch, security logs disabled, reverse lookup DNS resolver, packet filters, HDD chip flashers for all major brands of HDDs… and on and on.

keiner March 12, 2015 3:32 AM

Are there any details on how they initially get into the system? Package injection? Are they already inside Windows when installed? What is the first step?

When they are in, apparently everything is lost… Communication via https can hardly be blocked. Does Snort recognize the C&C servers as malignant traffic? Both waeservice.vom and the hardcoded IP? Just asking… 😉

dot tilde dot March 12, 2015 3:32 AM


i didn’t know that kaspersky was an fsb operation.

it looks like you have exclusive information to share. would you please add that to the wikipedia article about kaspersky labs along with links to your sources?

thanks for being helpful!


wiredog March 12, 2015 5:57 AM

What’s surprising is that the codewords are showing up in the files. It’s not that hard to have a list of codewords that must not be in the distributed file, ever, and use that to grep the executables. Heck, it can even be automated. And made a policy. Or so I’ve heard.
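As an added illustration of the build-time check wiredog describes (example code written for this page, not from the original post or any vendor): a release gate that scans a compiled artifact for a blocklist of internal codewords, matching whole tokens case-insensitively in both ASCII and UTF-16LE, since Windows resource and debug strings are commonly stored wide. The codeword list and the sample artifact bytes are constructed placeholders.

```python
"""Release gate: fail a build when internal codewords leak into a shipped binary.

Added example, not from the original post. CODEWORDS and SAMPLE_ARTIFACT are
constructed stand-ins; a real pipeline would feed it the actual build output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PRINTABLE = set(range(0x20, 0x7F))


@dataclass(frozen=True)
class Finding:
    codeword: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the match in the artifact
    context: str    # printable neighbourhood, for the build log


def _printable(chunk: bytes) -> str:
    """Render bytes hexdump-style so the build log stays readable."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in chunk)


def _patterns(codewords: Iterable[str]) -> List[Tuple[str, str, re.Pattern]]:
    """Compile one ASCII and one UTF-16LE pattern per codeword.

    Matches are whole tokens: a codeword embedded in a longer identifier
    (e.g. 'aardvark' inside 'constraints_aardvarking') does not fire. The
    boundary test is 'not adjacent to an alphanumeric in the same encoding'.
    re.IGNORECASE on bytes folds ASCII letters only, which is exactly what
    both encodings need here (the interleaved 0x00 bytes are left alone).
    """
    compiled = []
    for word in codewords:
        narrow = re.escape(word.encode("ascii"))
        compiled.append((word, "ascii", re.compile(
            rb"(?<![A-Za-z0-9_])" + narrow + rb"(?![A-Za-z0-9_])", re.IGNORECASE)))
        wide = re.escape(word.encode("utf-16-le"))
        compiled.append((word, "utf-16le", re.compile(
            rb"(?<![A-Za-z0-9_]\x00)" + wide + rb"(?![A-Za-z0-9_]\x00)", re.IGNORECASE)))
    return compiled


def scan_artifact(data: bytes, codewords: Iterable[str], context_bytes: int = 12) -> List[Finding]:
    """Return every codeword hit in the artifact, ordered by offset.

    The UTF-16LE patterns do not check 2-byte alignment, so an odd-offset hit
    is possible on unusual data; the gate fails closed on it, which is the
    safe direction for a pre-release check.
    """
    findings = []
    for word, encoding, pattern in _patterns(codewords):
        for match in pattern.finditer(data):
            lo = max(0, match.start() - context_bytes)
            hi = min(len(data), match.end() + context_bytes)
            findings.append(Finding(word, encoding, match.start(), _printable(data[lo:hi])))
    findings.sort(key=lambda f: f.offset)
    return findings


def release_gate(data: bytes, codewords: Iterable[str]) -> Tuple[bool, List[Finding]]:
    """True means the artifact is clean and may ship."""
    findings = scan_artifact(data, codewords)
    return (len(findings) == 0, findings)


# Constructed placeholders; a real blocklist would be kept with the build config.
CODEWORDS = ["AARDVARK", "BLUEHERON"]

# Constructed stand-in for a compiled artifact: header bytes, a benign string
# that merely contains a codeword as a substring, an ASCII leak, and a
# UTF-16LE leak of the kind a Windows version resource would produce.
SAMPLE_ARTIFACT = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"constraints_aardvarking=1\x00"                  # substring only: must NOT fire
    + b"\x00\x00debug: module AARDVARK loaded\x00"      # ASCII leak
    + b"\x00\x00" + "Build: BlueHeron v2".encode("utf-16-le") + b"\x00\x00"  # wide leak
)

if __name__ == "__main__":
    ok, hits = release_gate(SAMPLE_ARTIFACT, CODEWORDS)
    for hit in hits:
        print(f"{hit.encoding:8} @0x{hit.offset:06x} {hit.codeword:<12} {hit.context}")
    raise SystemExit(0 if ok else 1)
```

The non-zero exit status is what lets a CI step block the release; the printed context line is there so the offending string can be traced back to its source file.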

65535 March 12, 2015 7:49 AM

@ keiner

“Are there any details on how they initially get into the system? Package injection? Are they already inside Windows when installed? What is the first step?” –keiner

This is the 64 million dollar question. My guess is any means possible.

In the case of Gemalto’s crypto key theft, it could have been done by an employee/NSA spy, interception of a box and planting of an exploit or a beacon, a thumb drive dropped in the parking lot, or a spear phishing attack – who knows.

We know that the NSA has a big bag of dirty tricks.

1] Interception of a server, router, switch or mission critical desktop and then inserting a bug.

2] An employee who is actually a spy.

3] Bribery or blackmail of key employees.

4] Physical break-in and implant.

5] Phishing attack with booby trapped email.

6] Quantum packet injection.

7] Third party repair person who was an NSA mole.

8] Equation group exploit.

9] Other miscellaneous hacks such as the NSAKEY implant in Windows 4.0 servers and other products, plus general weakening of security at all points in the IT chain.

10] A combination of all of the above.

[The Intercept on Gemalto’s SIM card key theft]

‘According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto… the spy agency targeted unnamed cellular companies’ core networks, giving it access to “sales staff machines for customer information and network engineers machines for network maps.” GCHQ also claimed the ability to manipulate the billing servers of cell companies to “suppress” charges in an effort to conceal the spy agency’s secret actions against an individual’s phone… significantly, GCHQ also penetrated “authentication servers,” allowing it to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network. A note accompanying the slide asserted that the spy agency was “very happy with the data so far and [was] working through the vast quantity of product.”’

‘Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania. In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”’ –The Intercept


[Schneier on Security]

If Gemalto is representative of the typical victim, I believe someone on the inside of the Intelligence Community will have to spill the beans – or we will not know the exact method for a very long time.

If anyone knows the exact method of the Gemalto key theft, please speak up.

keiner March 12, 2015 11:23 AM


NO, it’s definitely NOT the million-dollar question. Cause Mr. Snowden knows exactly how it’s done. He has done it several times. Hundred times? Thousand times?

And it’s in the documents he handed over to the press, I guess.

Was it a hint with the package injection, lately, Mr. Schneier?

Is it in the Windows registry already on installation? In the Linux kernel?

NOBODY of these highly paid security experts has EVER seen it happen in the wild? Not even one time? All are blind seers?

If I screwed up on such a mega-scale in my profession, I would open up a bakery the next day, or go fishing for the rest of my life.

What kind of mega-f*ck-up is this? And some know about it and don’t tell?

It’s a SHAME….

WalksWithCrows March 12, 2015 1:57 PM

@dot tilde dot

i didn’t know that kaspersky was an fsb operation.

it looks like you have exclusive information to share. would you please add that to the wikipedia article about kaspersky labs along with links to your sources?

thanks for being helpful!

.~.

In 1987, Kaspersky graduated from the technical faculty of the FSB Academy, formerly the largest and most important of several KGB higher educational institutions. In 1992, the technical faculty was renamed the Institute of Cryptography, Telecommunications and Computer Science (IKSI).[4]

You seem to have mistaken my statement about “Kaspersky” and the man, Kaspersky. Easy to understand, I suppose, if you do not know much about the company or the man behind it. Knowing that Eugene Kaspersky is tight with the FSB and was trained as a KGB (FSB) agent is a pretty basic piece of information. Kaspersky continues to be very tight with them.

I would not state any organization is purely any manner of intel organization which is corporate or has some manner of cover. The vast majority of organizations which operate as cover for spies (including domestic intelligence) are not entirely the spy agency, whatsoever.

Reality is that spies tend to operate in separate divisions of cover organizations, or in a solitary fashion when they take as cover a company job. This is not unlike how an embassy works, which is more well known as providing cover for spies. One embassy employee might be a spy, or one division in the embassy might be a cover for a spy division. But, one would not say the entire embassy is a spy organization.

The reason why spy cover operations do not do well as the entire business is because it is then very, very difficult to keep the business running, and so the cover, when that has been attempted. For instance, the FBI attempted to do this during the second world war, and the results were abysmal. As the entire company was simply a cover, it was a very poor cover.

My point was that anything from Kaspersky, the company, in terms of intelligence output should be considered suspect. It is unwise not to do so. If Kaspersky never really left the service and started the company entirely as a cover organization, they would still have wanted to actually have some cover for it. That, in fact, would be a priority. Which means they would have wanted to have a product, to claim distance from the FSB, and to hire the vast majority of employees entirely for the purpose of cover. E.g., they would not know, and would take at face value the information that he really did leave the service.

This is not a difficult equation for people to figure out. The same situation happens in the US, and the same level of skepticism happens where and when it happens. For instance, Jamie Butler, Dave Aitel, and Charlie Miller all came from an NSA special program. All have become leaders in the computer security industry. Jamie Butler, here, is specifically noteworthy, in this example, because he helped found Mandiant. And is, or was, a main leader in Mandiant’s research program, which very likely included the Mandiant report on Chinese spying.

Even if that were not the case, the wise would tend to take that Mandiant report as likely having been influenced heavily by the US Government.

Likewise, in KAV’s case, the company. This was discovered when? They have various dates on the reports, but does that mean the dates are true? What happens in any country, just about, when an attack is discovered or suspected as being foreign intelligence is that attack is sent to their national authorities. If the national authorities see it is foreign intelligence, it will end up in that nation’s counter-intelligence.

Counterintelligence then will control what is said or what is not said about the attack.

The company may later release details, but one can very rightly note whatever details are released will be under close counterintelligence direction.

I am not stating anything conclusively about these reports, except: it surely did go through Russian counterintelligence hands. Maybe it was not entirely invented. That would be very probable. The US tends to confirm or deny such stories, so we shall see. Maybe it was merely edited. Whatever the case, the exact specifics should be considered suspect.

The very same could be said about the Mandiant report on China which was a few years back.

As for the reliability of the FSB, I can surely give good research starting points on that. I would take it then you do not know anyone in Russia. People often confuse words and terms with what they “know”. So, if you are American, for instance, you may think of the FSB as being equal to all you know about the FBI (most of which probably comes from cinema). But, the FSB is very much not like the US FBI in how it actually operates. It has similar laws and similar appearance, but that is only the surface.

One starting point on learning about the FSB:

WalksWithCrows March 12, 2015 2:56 PM

Adding information:

I often see people taking KAV at face value. These very same people usually tend to be laypeople. Like many laypeople, who end up talking to me, they usually hold some manner of “conspiracy theory”. I am not talking about “conspiracy theory” on the level of “aliens” or that “Sandy Hook Shooting Never Happened” — nor even the sort of conspiracy theory which is much more common, but equally ignorant, like how many Republicans confess they believe Obama is a Muslim.

I am talking about “conspiracy” as in spies.

These same people would have a problem buying a Chinese anti-virus product. They would suspect it might be Chinese government. But Russian security products they do not mind.

Likewise, some definitely would entertain plausible and implausible notions now about the US Government and their ties to the US Software industry. But, Russia, and KAV? No. And people can get near religious quickly about their security products. KAV has maintained, with great effort, a pretty good name for themselves.

In terms of tests, KAV tends to be up there with Symantec and McAfee.

I am not sure even if it dissuades them just a little to learn that Eugene Kaspersky was KGB, and continues to have very close ties with the KGB now named the FSB and SVR.

They may not even consider Putin’s background in the KGB noteworthy or meaningful.

It is true, the Russian KGB was enormous, far larger than the US CIA and FBI combined.

How it is now is the KGB literally rules the country. When the curtain fell, they took over. They ‘used their power and transferred it to money then back into power again’*. Putin and Kaspersky are just two snowflakes on the tip of that very gigantic iceberg. (* ‘Deception: The Untold Story of East-West Espionage Today’, by Edward Lucas, Senior Editor at the Economist.)

Technically, the timing is very relevant on the Equation Group story. Russia is hitting while the anvil is hot. I think it is clear Russia has been following the Equation Group for many years, and waited to release any information. They finally did so through KAV.

But, the more interesting question would be “why”. And, I believe that answer has very little to do with national policies, justice, or even something like a “well look what the US is doing” kind of approach.

No, I believe it has much to do with Snowden, and the many other disclosures which have leaked out over the following years. Including the mysteriously leaked TAO documents. Which continue to be swept under the “Snowden” documents category even though Schneier and others repeatedly point out “it was someone else”. As Schneier operated as a technical consultant to Greenwald, and is generally a very sharp customer, this is highly likely.

Snowden, from the Russian counterintelligence eyes, is part of an elaborate plot by the US and allied countries. How do I know? Because that is how they are raised to think. It is how they thought when they worked under the Czar, it was how they thought when they worked under Lenin, and it has continued to be how they think.

A very good example can be found in the Kim Philby case. Russia literally cut off the Cambridge Five around WWII thinking they were double agents. They then resumed course with them and helped Philby rise to the top of MI6’s counterintelligence. Eventually, Philby defected and ended up in the Soviet Union for decades. Everything was wired there, and the KGB majority opinion was Philby was a triple agent. One man believed this was absurd and sobered Philby up. He helped Philby become operational again for propaganda purposes, and helped him finish his autobiography. Which was useful for them, it at the very least, influenced Robert Hanssen of the FBI traitor fame to become a mole for them.

However, even after all of that, the majority opinion there was Philby was a triple agent.

And probably they have some who even believe Hanssen was.

Invariably, they would see these leaks over the past few years as being US counterintelligence. But, let us skip all of that and get to Snowden: Snowden they may have run from the beginning. I do not know. It does not matter, and would not matter to them. They would invariably see Snowden as likely a US spy whatever the case. Or, they may see him as genuine, as he presents himself, and maybe figure the US simply gave a known, disaffected employee terrific “accidental” access to an enormous amount of very conscience wringing material.

Very likely this went very far beyond “just Snowden”, they would surmise. They would surmise it was all part of a very large US counterintelligence operation partly designed to misinform Russian moles in the system.

The word in some circles is “taint”, as in “tainted material”. The value here is the material is used for taking. Bait. Who takes the bait? They may not know where the moles are, but they know where the moles will be: they will eventually get the bait and then send the bait off. In doing so, they leave a closely monitored trail.

Now, there are a few other things about Snowden: one is, if he is aware of any of these things, then he is now in their “clutches”, just as they had Philby. Two, Snowden made no secret of the fact he has an extremely good memory and looked at a fantastical number of documents which he did not include for global dissemination. Three, there is the ‘dead man’s trigger’ file which he has – at the least – given to Greenwald. And so, presumably, might retain some manner of information on.

Russia is limited here in direct approaches. So, they make a chess move, which is to throw out all this other information, for one. Their other likely moves, besides bugging everything Snowden touches to try and glean some form of information… is to try to get people into his inner circle, to befriend him, and somehow find leverage or fulcrum (snicker) to get more information from him.

But largely, they are against a wall. They cannot very well arrest him, and besides, that would not tell them anything. Very well they may not get anything useful from him whatsoever. If there is some greater plot here, probably he knows nothing about it and was merely used by the US Government without his knowledge. His story is very plausible, and anyone can look at the polls and see — IT people are very much for Snowden, so it is very likely anyone with his knowledge would have turned. If they felt they could figure out “how” to do so.

When against the wall, then, they have to do something sideways, to hope something might be smoked out.

This, then, has very good timing.

But, for them the game is probably a bit more pressing: if all of these disclosures or even some large part of them were counterintelligence, they invariably would have been a massive diversion, and a timely one at that. So, the clock is ticking.

Their mistake, I believe, which is fatal, is continuing to focus on this line of inquiry.

They are, that is, focused on the very diversion, instead of trying to see what, possibly, they are missing.

Clive Robinson March 12, 2015 7:37 PM

@ Keiner,

And some know about it and don’t tell?

And some who knew did tell… but few if any believed them.

As has oft been said, “You can lead a horse to water, but you can’t make it drink.”

Even now, well over a year into serious revelations of documents, there are those that choose not to believe and others claiming it’s a setup in some way or another and Snowden is acting under NSA secret orders as a disinformation program…

Buck March 12, 2015 10:10 PM

@Clive Robinson

Do you think many would have believed (or even known about) Snowden had it not been for countless U.S. officials screaming bloody murder and demanding the most severe possible punishment for the treacherous rat?

Even still, most of the capabilities thus far revealed in the slides have already been well known to various domain experts, and surely known to the intelligence agencies of certain other countries…

Clearly, the target audience for these leaks was the general public. Disinformation or not, the consensus view now appears to be along the lines of: “Well, we spied on some folks, and we must continue to escalate the spying or the terrorists will win, and blood will run through the streets!”

So the way I see it – act or not, it’s definitely a +1 for the global military-industrial-surveillance-complex. Where will that leave the rest of us?

WalksWithCrows March 12, 2015 11:34 PM

@Clive Robinson

Even now, well over a year into serious revelations of documents, there are those that choose not to believe and others claiming it’s a setup in some way or another and Snowden is acting under NSA secret orders as a disinformation program..

Just to be clear, as I just had some poster here attack me personally, instead of calling out anything I said: if that is an oblique reference to one of my posts, please feel free to directly respond to the post.

I do not believe Snowden and all these other disclosures are some kind of disinformation campaign. I do not state that I do. I state, when I have room to do so, that I do believe the Russians probably do consider this strongly as maybe being so. I point out how paranoid and warped their thinking is when doing so.

Actually believing that all these disclosures over the past years are some manner of sophisticated disinformation program is absolutely preposterous. So, I was unaware this might actually offend anyone. If so, please, let me know. I am not intending to offend.

re:disinformation March 13, 2015 12:02 AM

The payrolls are bloated, so disinformation helps cover up all the incompetent bureaucracy. It’s all Snowden’s or ______________________ (your bad guy)’s fault. Send the newspapers a bunch of crap as filler between the ads. Make up crap in order to sell more crap. Sources close to the ____________________ (some bureau) say that… based on documents from ____________________________ (agency) sent Iranians a fruit basket with the letter.

WalksWithCrows March 13, 2015 2:08 AM


The payrolls are bloated, so disinformation helps cover up all the incompetent bureaucracy. It’s all Snowden’s or ______________________ (your bad guy)’s fault. Send the newspapers a bunch of crap as filler between the ads. Make up crap in order to sell more crap. Sources close to the ____________________ (some bureau) say that… based on documents from ____________________________ (agency) sent Iranians a fruit basket with the letter.

big grin

Oh my, so this is the infamous Schneier forum troll. The one who was so harassing “Skeptical”.

Well, I have had my say, so was about to leave anyway…

Tah tah.

65535 March 13, 2015 6:20 AM

@ keiner

It could be a trillion dollar question, billion dollar question, a million dollar question or a thousand dollar question. We don’t know the exact method.


[Bruce S.]

“Aside: I don’t believe the person who leaked that catalog [NSA’s 2008 catalog of implants ] is Edward Snowden.”

Are there more informants than Snowden?

@ keiner, WalksWithCrows, and others

It is very troubling that Anti-virus vendors will not say if they are under the thumb of NSA:

[AV vendors don’t respond to an open letter about complicity with NSA]

“I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.” –Bruce S.

‘Up until this moment, only a handful of the vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware.’ – see Bruce’s posts and EFF posts.

“The Electronic Frontier Foundation (EFF) sent an open letter Thursday to anti-virus software companies asking a series of questions about their experience countering – or cooperating with – government surveillance.” -Truthandaction


We just don’t know how deep the complicity with the NSA/five-eyes is and we don’t know how most implants are exactly injected – we can only guess.

If any of you have more information on this subject speak up.

Clive Robinson March 13, 2015 8:11 AM

@ WalksWithCrows,

… if that is an oblique reference to one of my posts, please feel free to directly respond to the post.

It’s a generic reference to the utterances of many in the media, political classes and talking heads, which has resulted in quite a few of the general public taking that view, or believing there is some kind of “truther” political struggle going on. And to be honest, with the more recent upsurge in the popularity of fringe “rightwing” political organisations, I can see why they might believe or want to believe that. History shows it to be one of the most common phenomena of the human condition.

The secondary issue is that very many regard it as “just politics” and thus “of no interest”, and thus the problem persists. And the danger of that is that as time progresses the “tick or leech gets its head in further to the body civil” of the citizenry, and will thus require ever increasing force to remove it once the body gets either the fever or pain involved.

As I’ve found out in the past, holding a minority and unpopular view attracts unwarranted attention from those who find it conflicts with their belief system. And the problem with such belief systems is that they generally are not open to evidence or reasoned debate, and thus tend to polemics and abuse. And as the evidence becomes irrefutable, the cognitive dissonance the belief system causes makes the behaviour obviously less than rational to increasing numbers, which makes those with the belief system more defensive as they start becoming the minority viewpoint.

As I said sometimes, “And some who knew did tell… but few if any believed them.” Time proves them right, but rarely do others admit they were in error and offer an apology; usually it’s “why did nobody tell us earlier”…

Such is the human condition.

Clive Robinson March 13, 2015 9:22 AM

@ Buck,

Where will that leave the rest of us?

The simple answer is currently in a minority.

With luck and further revelations the evidence will mount and the viewpoint might change sufficiently for it to start becoming mainstream.

You can see this happening with “security theatre”; at some point it will either become mainstream or another terrorist event will happen.

Arguably the FBI has tried to “foment such actions” by provoking near “nut jobs, of limited intelligence” and even less ability by supplying them faux contacts and faux resources, and then dragging them off in chains at the supposed eleventh hour for a show trial. In other parts of the world such behaviour is seen not just as reprehensible but actually illegal.

There is a term for similar activities but where the resources are real and not stopped at the eleventh hour, that has become a popular meme in limited circles, and it’s “Fund Raiser”; it implies it’s a way a Federal Agency can ensure a larger slice of the tax take.

Some have said that is what some previous events are, the simple truth is there is no way to know, and I suspect like many if they have happened, we will be very unlikely to hear the truth of it.

The reason why I doubt that they have happened, or that we would have heard about one, is based on the old saying, “Dead men tell no tales.” Anybody with normal intelligence will believe that and thus not get involved without good reason/safeguards. There is also a second old saying that follows from that to reinforce the notion, and that is “The only way for two people to keep a secret is for one to kill the other”.

But suicide bombers exist, so we know that people can be talked into killing themselves for a cause they see as just or noble.

So the question thus becomes: could people be manipulated or “talked into” a “fund raiser”? The answer is obviously yes, but what of those doing the talking? Will they do it knowing that they will more than likely end up dead as well, and what sort of reasons or safeguards would convince them otherwise? What about the next step back, those who talk the talkers into it?… and so on up each link in the chain.

Not even a threat to my immediate family would give me reason to be involved with such ideas, because I can see beyond that, to the fact that my family would be killed anyway as they would be witnesses etc. Further, what safeguards would be not just sufficient but unstoppable? The Manning “deadman’s” trove did not work, and the WikiLeaks leader is effectively in prison in an embassy with absolutely no likelihood of getting freedom any time soon. As for Ed Snowden, is his limited freedom any better than a prison? Would others view a “fundraiser” as being just or noble? I doubt it, but then I could be wrong; maybe somebody has an idea for a safeguard that is foolproof, but I suspect they would be deluding themselves.

Thus eventually the Terrorism FUD will come to an end as all things eventually do; will you or I be alive to see it? Probably not. And even if we do, what is the betting it would be because, like the “war on drugs” before it, they will find something worse to replace the “war on terror”…

Dirk Praet March 13, 2015 9:24 AM

@ WalksWithCrows, @ Keiner, @ 65535

I am not sure even if it dissuades them just a little to learn that Eugene Kaspersky was KGB, and continues to have very close ties with the KGB now named the FSB and SVR.

Evgeni is not the only person in Kaspersky with a KGB background. Chief Operating Officer Andrey Tikhonov was a lieutenant colonel in the military, and Chief Legal Officer Igor Chekunov has served in the KGB’s border service. And, yes, Kaspersky Lab in the past has not always been very forthcoming with reports on activities that were probably tied to GRU or other Russian MIL/IC activity. Conversely, US companies like Symantec, FireEye (Mandiant) and CrowdStrike also count quite some folks in staff and management with current or past MIL/IC/GOV affiliations.

Although Symantec together with Kaspersky reported on Stuxnet, I don’t know of any US-related findings by either FireEye or CrowdStrike, whereas both in the past have repeatedly pointed the finger at Russia and China. Admittedly, Kaspersky operates in a number of places where FireEye and CrowdStrike don’t, and thus is also in a better place to find first-hand proof of western SIGINT activities in countries specifically targeted by the NSA and its partners.

In essence, what we are seeing here is a balkanisation of the security industry with companies either voluntarily or through direct cooperation with government agencies holding off on detection or reporting of certain findings. In light thereof, I believe it is safe to say that none of these companies can be fully trusted and that it is thus in every company’s interest to always have an intelligent mixture of security products and services instead of putting all of your eggs in the same basket.
