Risk Evaluation of Kaspersky-related Risks, if Subject to Forced Cooperation with the Russian Government for Intelligence and Military Purposes
Brainstorming on the possible tactical and strategic advantages Russian security agencies could gain by compelling Kaspersky to cooperate:
- Acquire all end-user databases (Cloud Scanning and Endpoint) for tactical and strategic planning of future attacks
- Acquire all end-user metadata (Cloud Scanning and Endpoint) to build a detailed data taxonomy for the planning of future attacks
- Disable update functionality on a targeted basis (only some specific endpoints, companies or networks)
- Disable protection functionality on a targeted basis (only some specific endpoints, companies or networks)
- Disable update functionality on a generalized basis
- Disable protection functionality on a generalized basis
- Search and seize files on targeted parameters / endpoints (Cloud Scanning and Endpoint)
- Deliver malicious updates on a generalized basis (mass updates)
- Deliver malicious updates on a targeted basis (only some specific endpoints, companies or networks)
Means of delivering malicious updates:
- Direct backdoor delivery: download of a new malicious executable. Higher risk of detection on a "generalized basis", lower risk on a "targeted basis"
- Indirect bugdoor delivery: delivery of detection-pattern updates that trigger a complex exploit leading to code execution. Survives source code analysis
Parametric search and seizure could be based on specific endpoints, specific networks, specific organizations or specific file types, for example:
- Send to Cloud Scanning all Microsoft Office documents with macros opened from networks owned by the (French Ministry of Defense | SWIFT Belgium back-office financial operator | German anti-money-laundering regulator)
The detection risk for Russian security agencies is proportionate to how broad their actions in compelling Kaspersky are:
- For Cloud Scanning and database acquisition, it is highly likely that all actions could be carried out without any possibility of detection by end users (server-side operations)
- For mass actions, there is a high possibility of detection due to the disruptive measures and the generally available executables
- For targeted actions, there is a very low possibility of detection, since the endpoint protection software itself is in charge of detecting abuses:
- Delivery of malicious updates via bugdoor is extremely difficult to detect, to the point of being nearly impossible in a real scenario
- Delivery of malicious updates via direct malicious code delivery, assuming a pre-verified authorisation and validation process for the individual customer, has some chance of detection through senior software reverse-engineering effort applied to each single update.
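The low detectability of targeted actions rests on the protection agent being the only witness to its own update state. An added example (not from the original document) of the kind of out-of-band check a defender can run instead: it reads an independent asset inventory and compares each endpoint's signature version against the fleet median, then looks for whole organisational units left behind, which is the shape a targeted update hold would take. The inventory records, field names, hosts, units and dates are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample inventory: one record per endpoint as an independent asset
# management system (not the protection agent itself) reports it.
INVENTORY = [
    {"host": "hq-ws-01",  "unit": "hq",      "sig_version": 20180417, "last_update": "2018-04-17T06:10"},
    {"host": "hq-ws-02",  "unit": "hq",      "sig_version": 20180417, "last_update": "2018-04-17T05:55"},
    {"host": "hq-ws-03",  "unit": "hq",      "sig_version": 20180417, "last_update": "2018-04-17T06:02"},
    {"host": "hq-ws-04",  "unit": "hq",      "sig_version": 20180417, "last_update": "2018-04-17T06:21"},
    {"host": "hq-srv-01", "unit": "hq",      "sig_version": 20180416, "last_update": "2018-04-16T23:40"},
    {"host": "fin-ws-01", "unit": "finance", "sig_version": 20180409, "last_update": "2018-04-09T07:02"},
    {"host": "fin-ws-02", "unit": "finance", "sig_version": 20180409, "last_update": "2018-04-09T07:05"},
    {"host": "fin-ws-03", "unit": "finance", "sig_version": 20180409, "last_update": "2018-04-09T06:58"},
    {"host": "lab-ws-07", "unit": "lab",     "sig_version": 20180301, "last_update": "2018-03-01T09:00"},
]
# Constructed evaluation time for the sample above.
NOW = datetime(2018, 4, 18, 12, 0)

def find_stale(inventory, now, max_lag_days=3):
    """Return endpoints whose signature state lags the rest of the fleet.

    The reference is the fleet median signature version and the inventory's own
    last-update timestamp, so a silenced agent cannot vouch for itself.
    """
    fleet_median = median(e["sig_version"] for e in inventory)
    stale = []
    for e in inventory:
        last_update = datetime.fromisoformat(e["last_update"])
        behind = e["sig_version"] < fleet_median
        overdue = now - last_update > timedelta(days=max_lag_days)
        if behind and overdue:
            stale.append(e)
    return stale

def targeted_clusters(stale, inventory, min_share=0.8):
    """Return units where most endpoints are stale while the fleet is current.

    A lone stale host (e.g. one powered off for weeks) is ignored; a unit whose
    endpoints are all behind while other units are current is the pattern that
    distinguishes a targeted update hold from scattered connectivity problems.
    """
    per_unit = Counter(e["unit"] for e in inventory)
    stale_per_unit = Counter(e["unit"] for e in stale)
    return sorted(unit for unit, n in stale_per_unit.items()
                  if per_unit[unit] > 1 and n / per_unit[unit] >= min_share)

if __name__ == "__main__":
    stale = find_stale(INVENTORY, NOW)
    print("stale:", [e["host"] for e in stale])
    print("suspect units:", targeted_clusters(stale, INVENTORY))
```

The check is only as good as the independence of the inventory source: if the signature version is read back through the same agent, a suppressed agent can still report what it likes.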
The Transparency Center methods, including one-off source code analysis, fail to deliver protection against all of the risks listed above:
- Source code inspection to detect bugdoors would require many working years of senior security engineers
- Review of every software release, with analysis and re-inspection of code changes following a deterministic build, would require many working years of senior security engineers to be effective
- Technical operations of the Zurich backend infrastructure, and changes in the way data are processed and/or who is entitled to access those data, cannot be overseen by end users and cannot be subject to ongoing review (only one-off checks, in a controlled environment).
The Russian Government, abusing Kaspersky's compelled cooperation, would likely use "targeted actions", as with "targeted 0day attacks", knowing that discovery of the attack would render the entire attack capability ineffective. Each "bullet" has to be carefully planned before being shot.
If these conclusions are considered technically valid, it would not be possible through Kaspersky's Transparency Center initiative to provide security guarantees against coercion by Russian security agencies.
In order to assess the risks of coercion by the Russian Government of Russian management, owners, R&D and technical operations, we have to evaluate whether Kaspersky is a Russian company or not:
- Is Kaspersky a company whose directors and owners live in Russia? Yes
- Is Kaspersky a company whose majority of employees live in Russia? Yes
- Is the Kaspersky UK holding company fully owned and fully managed (directors) by Russian residents and Russian citizens? Yes
- Is Kaspersky's main market Russia? Yes* (According to the deposited balance sheet, roughly more than 40% of commercial credit is in the "CIS and Baltic" area)
Starting from the assumptions above, Kaspersky is a Russian company that can be the victim of compelled cooperation by the Russian Government.
Note: Apple and Google have also been victims of coercion by the Russian Government, with Moscow-based executives being harassed by the FSB until it successfully obtained the forced removal of the Navalny app by their U.S. employees.