Kaspersky being hacked is a lesson for us all


Often it’s not the fact that your business has been hacked that will lose your customers’ confidence, but the way your company responds.

When a company suffers an attack (presuming it notices at all), it can take several courses of action.

1. Pretend it never happened. Don’t tell your customers, and hope no-one ever finds out.


It’s tempting to try to sweep the incident under the carpet, especially if you believe that sensitive customer data may not have been exposed.

But this approach is going to be disastrous for your reputation if the truth eventually leaks out, or it is later determined that the hack was more serious than you initially thought. Not to mention that the authorities may take a dim view if you didn’t report an incident which could have put customers’ private information at risk.

2. Put out a bland “security advisory” statement hidden away on a remote corner of your website, explaining how you take security very seriously.

Inevitably you will throw in words like APT and include vague murmurings from security specialists you have helicoptered in that the threat appears to have been “highly sophisticated” and probably the work of a hacking gang supported by a devious foreign government.

3. Admit, yeah, we got hacked. But it wasn’t that bad and we don’t believe customers or partners are affected.

That final option is the approach taken by Russian anti-virus outfit Kaspersky, who claimed yesterday that some of their internal systems had been compromised by malware.

That’s an uncomfortable admission for any anti-virus company, and there may well have been meetings inside Kaspersky where the risks of “going public” about a hack were weighed up.

But, to its credit, Kaspersky determined the best approach was to not only admit that it had been hacked, but also to provide extensive information on the malware (dubbed Duqu 2.0, it can be considered the son of the son of Stuxnet) that they found attempting to exfiltrate information from their servers.

And the anti-virus company realised that the public’s opinion of the incident would be coloured strongly by the media – and with that in mind it co-ordinated blog posts by founder Eugene Kaspersky on his own site and Forbes, live-streamed press conferences in London, and detailed technical analyses of the malware by its team of experts.

In short, it handled what could have been a corporate crisis well – and reassured customers and partners that their data was safe, and the integrity of its security products had not been compromised.

It also rose above the commonly-seen tactic of publicly blaming specific countries for an attack, even though everyone in the computer security business knows that reliable attribution is a minefield. Nonetheless, Eugene Kaspersky seems certain that a nation state was responsible for the hack:

“Governments attacking IT security companies is simply outrageous. We’re supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this ‘community’ paying no respect to laws, professional ethics or common sense.”

Kaspersky isn’t the first anti-virus company to have suffered at the hands of hackers, and it certainly won’t be the last.

And it shows that even the most security-conscious organisations can fall victim to determined hackers.

The truth is that most companies have probably been hacked to some extent or another – although most of the time they won’t have been specifically targeted like Kaspersky probably was.

What’s important is for companies to consider testing their own defences, and put effort into hacking themselves, finding vulnerabilities and weaknesses *before* the bad guys strike.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

13 comments on “Kaspersky being hacked is a lesson for us all”

  1. wcoke

    I think that this is just a sign of things to come. The more people use the internet, the more attacks are going to happen. The fact Kaspersky came forward and told everyone was the right thing to do. People are just too complacent when it comes to using the internet, and I think people's use of it needs to change, because if we don't we will all have to move away from it.

  2. IamVendetta

    I guarantee it was done by the government. I also guarantee it was don't be the U.S. Government.

    1. Graham Cluley · in reply to IamVendetta

      Are you sure it was don't be the U.S. Government? Because I thought maybe it wasn't don't be the U.S. Government. :)

      1. AlainCo (@alain_co) · in reply to Graham Cluley

        Am I naive, or is Kasperspy the only antivirus company who detected the virus targeted at Iranian and Syrian (and probably French, German, Chinese too…) systems?

        It is clear that in the current context it is a cold war of antivirus, and frightening the clients of one of the only non-Prism anti-virus providers is valuable for Prism.

        I'm worried, as with TV5, or Sony, to see manipulation involving IT forensics. It is killing trust. Maybe it is good, in fact?

        1. MC · in reply to AlainCo (@alain_co)

          Yeah, because they wrote it.

    2. whatevs · in reply to IamVendetta

      Definitely seems like a government was to blame. Kaspersky is quoted as saying it was a very impressive as well as VERY expensive attack to perform.

  3. Suggestion

    Their software, Kaspersky Internet Security, will detect the Duqu malware so customers are protected. It was definitely a dumb thing to think that such a large, reputable company wouldn't uncover this.

    Like Kaspersky said: whoever created the malware will be licking their wounds now that such a 'valuable' virus has been detected and blocked.

    For something so complicated it has to be a state actor. Going public was definitely the right thing to do. Who knows, other AV companies may have been attacked and have chosen not to go public.

  4. Bilal

    Anyone can fall victim to hacks. The thing to do now is to find out who it was and expose the Ba$tards. Do everything you can to go after them in the world courts. Everyone Bull$HITS nowadays about WMDs, but this is a worse nightmare than WMDs ever were!!!!

  5. Alex Eckelberry

    Well…

    http://blog.eckelberry.com/what-the-kaspersky-breach-tells-us-about-the-state-of-antivirus/

    Detections are still poor.

    1. Coyote · in reply to Alex Eckelberry

      It tells us nothing of the sort. It reminds us, however, that it is still (unsurprisingly)[1] a game of cat and mouse. There's nothing else to it. This isn't just basic logic (antivirus corporations make money because they have a reason to exist!) it is logical in the terms of technology (including security): it evolves and given that it evolves there will always be new techniques (loosely defined), new ideas, new anything and everything. The names of old anti-antivirus techniques were given after antivirus programmers encountered the techniques. Think of the following of many others:

      1. Piggybacking.
      2. Multipartite.
      3. Polymorphism.

      I have deliberately excluded more general things like antidebugging/stealth/encryption. I've also excluded virus hosts (as in what the virus attaches to), with the note that multipartite does indeed refer to hosts, but in the same virus. I've excluded encryption above because it is an artefact of mankind (piggybacking refers to a virus piggybacking on an antivirus).

      Yet there is so much more. The above are names created to refer to specific virus properties. Many of those above would trip up heuristics. Piggybacking is even worse.

      This is summarised as such: it is how it has always been and how it always will be (and truthfully how it should be). Yes, yes, security breaches aren't good but the point is you shouldn't expect things to be perfect: there is no such thing as perfect, only continually improving. Any claim of 'perfection' is a suspicious claim at best. In addition, detection capability isn't binary in nature, even for the same strain of the same virus: false positives, false negatives, negative, positive.

      [1] I can think of another antivirus company, one that shall remain nameless, that was compromised. I know it because it was a friend that did it, years ago. I'll also refrain from stating what he did (except to say there wasn't software modification of any kind) and how long it was before it was uncovered. There have certainly been others and there will be more in future. This is also expected.

    2. Oisin G. · in reply to Alex Eckelberry

      Alex, have you read their 44 page technical analysis of Duqu 2? It's ridiculously advanced. The entire thing is rigidly non-persistent: it lives entirely in memory, and infects entire networks of computers in an incredibly smart and insidious way. There has been nothing more advanced discovered in the history of AV, and you say "detection is poor"? Really? Frankly I'm surprised they found it at all.

      1. Fred · in reply to Oisin G.

        Exactly so, Oisin G.

        I suspect it's more to do with their advanced detection techniques which understandably they'll be unwilling to discuss. To target, as their self-congratulatory spiel goes, a "world-class security company" shows real determination, gumption and (maybe) desperation. A large amount of resources would have been needed to get it this far.

        They're reputed for successfully uncovering a number of botnets along with cutting-edge malware and spyware. Somebody wants to find out how they're doing it.

        Barclays customers can get a free copy of Kaspersky Internet Security so now is as good an opportunity as any to protect yourself. I like to see a company at the forefront of protection and they certainly seem to be making their mark against hackers/crackers.

  6. Dave Holbon

    It matters not how Kaspersky was hacked or what was hacked.

    Any exposure to the Internet will be hacked if it’s important enough or financially viable. There is just no way around this, no matter how clever you think your company or you are.

    Remember some of the best hacks weren’t discovered for years after they were first implemented.

    Even worse are those that give hackers multiple choices by backing up their data to the “cloud”, as some companies have been talked into… madness.

    If you want to keep it secret, don’t store it on a computer, even one without an internet connection (USB/DVD/CD drives are just as good).

    All Antivirus/Malware or other detection systems are always three to six months in arrears for new clever hacks; don’t rely on them for protection.

    Even worse are mobile phones that you can connect to a computer, either to charge or to download photos or whatever.
