Russia’s Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals
With Kaspersky’s encouragement, GREAT has become increasingly active in helping big companies and law enforcement agencies track down cybercriminals. Gostev assisted Microsoft in its takedown of the Kelihos botnet, which churned out 3.8 billion pieces of spam every day at its peak. Golovanov spent months chasing the Koobface gang, which suckered social media users out of an estimated $7 million.
One of GREAT’s frequent partners in fighting cybercrime, however, is the FSB. Kaspersky staffers serve as an outsourced, unofficial geek squad to Russia’s security service. They’ve trained FSB agents in digital forensic techniques, and they’re sometimes asked to assist on important cases. That’s what happened in 2007, when agents showed up at Kaspersky HQ with computers, DVDs, and hard drives they had seized from suspected crooks. “We had no sleep for a month,” Golovanov says. Eventually two Russian virus writers were arrested, and Nikolai Patrushev, then head of the FSB, emailed the team his thanks.
Kaspersky’s public-sector work, however, goes well beyond Russia. In May, Gostev and Kaspersky were summoned to the Geneva headquarters of the International Telecommunication Union, the UN body charged with encouraging development of the Internet. The Russians were ushered into the office of ITU secretary-general Hamadoun Touré, where the Soviet-educated satellite engineer told them that a virus was erasing information on the computers of Iran’s oil and gas ministry. This was coming just two years after the discovery of the Stuxnet worm, which had damaged Iran’s centrifuges. Touré asked Kaspersky to look into it.
Back at the lab, analysts from GREAT began combing through archived reports from customers’ machines. One file name stood out: ~DEB93D.tmp. The virus was eventually found on 417 customers’ computers—398 of which were in the Middle East, including 185 in Iran. Some machines had been infected since 2010, but the file had never been deeply analyzed. The researchers were able to isolate one piece of the malicious code—and then another and another.
One module of the software surreptitiously turned on a machine’s microphone and recorded any audio it captured. A second collected files, especially design and architectural drawings. A third uploaded captured data to anonymous command-and-control servers. A fourth module, with the file name Flame, infected other computers. The analysts discovered about 20 modules in all—an entire toolkit for online espionage. It was one of the biggest, most sophisticated pieces of spyware ever discovered. In honor of the transmission program, the researchers called it Flame. On May 28, a Kaspersky analyst announced what the team had found.
The spyware was too complex for simple crooks or hacktivists, the researchers said. Flame had been coded by professionals, almost certainly at a government’s behest. The company called it a cyberweapon and speculated that it was related to Stuxnet.
On June 1, The New York Times revealed for the first time that the White House had, in fact, ordered the deployment of Stuxnet as part of a sophisticated campaign of cyberespionage and sabotage against Tehran. Then, on June 19, The Washington Post was able to confirm that Flame was yet another part of this shadow war against Iran. Kaspersky had outed—and in effect killed—it.
For Kaspersky, exposing Flame reflects his company’s broader ambition: to serve as a global crime-stopper and peacekeeper. Malware has evolved from a nuisance to a criminal tool to an instrument of the state, he says, so naturally he and his malware fighters have grown in stature and influence too. “My goal is not to earn money. Money is like oxygen: Good idea to have enough, but it’s not the target,” he says. “The target is to save the world.”
In a locked room down the hall from his office, Kaspersky is working on a secret project to fulfill that lofty ambition. Not even his assistant has been allowed inside. But after we’ve spent a day together—and knocked back a few shots of Chivas 12—he unlocks the door and offers me a peek. It’s an industrial control system, a computer for operating heavy machinery, just like the ones that Stuxnet attacked (and, Kaspersky researchers believe, Flame may also have targeted). Kaspersky’s team is quietly working on new ways to harden these systems against cyberattack—to protect the power grids and prisons and sewage plants that rely on these controllers. The idea is to make future Stuxnets harder to pull off. The controllers haven’t been engineered with security in mind, so the project is difficult. But if it succeeds, Kaspersky’s seemingly outsize vision of his company’s role in the world might become a little less outlandish.