Inside The Fight For The Soul Of Kaspersky Lab

MOSCOW — Ivan Kaspersky exited the Strogino metro station in Moscow on the morning of April 19, 2011, and walked toward the nearby office of InfoWatch. The fourth-year student worked as a programmer at his mother’s company, an offshoot of Kaspersky Lab, the Russian software company she had started with Ivan’s father. As the 20-year-old made his way from the station, a man stepped out of a green car parked by the side of the road and grabbed him. A second man ran up and helped to push the young man into the car, where they blindfolded him. His kidnappers switched cars on the way to their destination, a house outside the Russian capital.

Eugene Kaspersky, the CEO of Kaspersky Lab, was in London when an anonymous voice at the other end of the phone line informed him that his son had been kidnapped. The ransom: 3 million euros. Kaspersky immediately called Igor Chekunov, an alleged former KGB officer who acted as both a lawyer for the company and its alleged liaison with the Federal Security Service, or FSB, the successor to the infamous KGB, and other Russian security services. Chekunov took the lead in coordinating the rescue operation. After four days, Russian special operations troops, known as Spetsnaz, came to Ivan’s aid, freeing him from the handcuffs he’d been locked in since his capture.

The young man’s rescue was a relief — but it also served as a tipping point in a battle that had been waged inside his father’s company since 2010. Since its founding in 1998, Kaspersky Lab has grown into an international giant in computer security. Its antivirus system is installed on roughly 400 million computers around the world. But over the last year its outlook has plummeted in North America and Europe, where in 2016 it did over half of its business. Last fall saw Donald Trump — not known for criticizing Russian interference in the US — sign a ban on government agencies using Kaspersky Lab’s products.

Meduza and BuzzFeed News can reveal for the first time that the decline in fortunes of Kaspersky Lab was the result of an internal struggle for control that pitted allies of the Russian secret service against “tech-savvy” staff and Western investors. The managers within Kaspersky Lab, like Chekunov, with ties to Russia’s security agencies won that battle. But in so doing, they threaten to destroy everything the company has built outside Russia.

The ban that Trump signed resulted from rising concerns among US lawmakers and intelligence agencies that Kaspersky Lab’s software could be used by the FSB to access US government documents. The company says it conducted an internal investigation and found that no data was hijacked via Kaspersky’s antivirus product. But even as Kaspersky Lab denied the charges, files from the US’s National Security Agency were reportedly lifted from a computer with Kaspersky software installed, using a system that one former senior manager says can copy files from a user’s hard drive without their knowledge.

Eugene Kaspersky declined to comment personally on Meduza’s questions. A spokesperson for Kaspersky Lab told Meduza, “We don’t have any illegal or unethical ties with security services anywhere in the world.” In a court document filed in a suit against the US government last week, Kaspersky Lab said much the same, and claimed that the US’s allegation had substantially harmed its reputation, causing its business in the US to decline by half compared with the same time last year.

[Photo: Eugene Kaspersky speaks at the Sueddeutsche Zeitung Economic Summit on Nov. 16, 2017, in Berlin. Credit: Sean Gallup / Getty Images]

Everyone at Kaspersky Lab knew not to schedule any meetings on Dec. 20. In Russia, it marks the Day of Federal Security Service Officers, commonly known as Chekist’s Day, a reference to the body that preceded the KGB.

One former manager, who requested anonymity to speak freely about the internal workings of the company, recalled Eugene Kaspersky coming in one Dec. 20 and saying, “Well, congratulate me!” Everyone knew what he meant. Kaspersky would spend the day celebrating with friends from the Federal Security Service. He even planned his business trips around it, the former manager told Meduza, making sure that nothing would prevent him from being in Moscow to raise a glass.

Kaspersky graduated from what was then the Dzerzhinsky Higher School of the KGB, named after the man who founded the Soviet secret services, in 1987. In 1991, as the Soviet Union was falling apart, he started his career at a small firm owned by a former teacher. Six years later, Kaspersky and his wife founded their own company, Kaspersky Lab.

Kaspersky became the company’s technical director, responsible for the development of its eponymous antivirus software. His wife, Natalya Kaspersky, served as general director, in charge of the company’s commercial activities. The couple divorced in 1998, and Natalya remained general director for almost another decade, with her husband taking over in 2007. It was after that, the former senior manager told Meduza, that three groups started to form in a battle for control of the company.

The company’s technical director and main developer of Kaspersky’s antivirus software led the “tech-savvy” faction. A second group, made up of Western financial experts, believed that the company should be more aggressive in the global market and open to filing an IPO to become a publicly traded company. The third faction was composed of Chekunov and other siloviki, a term used inside Russia to refer to politicians and others who formerly served as Russian security services officers. (Eugene Kaspersky has said that Chekunov never worked for the KGB but simply served his compulsory military service in the State Border Troops, which fell under the KGB’s command.)

But Ivan’s kidnapping was a key moment in that struggle. One of the kidnappers claimed in his initial statement to police that he and his son, together with some friends, decided to abduct Ivan after watching a television show about his father. The court, which in March 2013 sentenced four codefendants to seven to 11 years in prison, accepted that as the truth during the trial.

Between the kidnapping in 2011 and his sentencing, however, the attacker, Nikolay Savelyev, changed his account, claiming that an officer with the Federal Protective Service (FSO) named Aleksey Ustimchuk was the real brains behind the kidnapping. (It was reported that Ustimchuk was so well connected that he was once photographed in the chair of Russian President Vladimir Putin.) As a military officer, Ustimchuk was tried for his involvement in the kidnapping of Ivan Kaspersky in a separate court-martial. It’s unclear when that trial took place, but in August 2012 he was sentenced to four and a half years in prison, the result of a reported deal with investigators, but was not stripped of his rank or his honors. Kaspersky’s family withdrew their civil claim, in which they’d sought 120 million rubles (about $21 million) in damages from Ustimchuk, instead only receiving an apology and 10,000 rubles (about $176) as compensation for a mobile phone and wallet the kidnappers had taken from Ivan.

[Photo: The scene at the Kaspersky Lab 20th Anniversary Party on Nov. 8, 2017, in Milan. Credit: Jacopo Raule / Getty Images for Kaspersky Lab]

Soon after the kidnapping, everything changed within the company, according to the former manager: Kaspersky “changed his business tactics, canceled the IPO, got rid of American investors and the majority of senior expats.” As Bloomberg later reported, the process of launching the IPO, which was supposed to take place in partnership with a US investment fund, was frozen and the shares, which had already been purchased by these partners, were bought back.

In public, Kaspersky has said that the IPO would have made the company “less versatile.” But the former manager saw it as further proof of the siloviki’s rise. The evidence had been mounting in his eyes since Ivan’s return. In the summer of 2011, Natalya Kaspersky was not reelected as chairman of the board of directors of Kaspersky Lab. In November 2011, seven months after the kidnapping, Kaspersky Lab signed an agreement with the FSO to supply the security organization with its products. Two months later, in Feb. 2012, Natalya sold her remaining shares in the company. At the same time, a moratorium on hiring managers from outside Russia was put in place. (Eugene Kaspersky stated at the time that Bloomberg’s reporting on the hiring freeze was false.)

Apart from Chekunov, the siloviki clan included Andrey Tikhonov, an executive director, and Aleksey Kuzyaev, the head of the company’s security service. According to the former senior manager, Tikhonov rose to the rank of lieutenant colonel while serving with the Russian military intelligence service, while Kuzyaev is a former officer with the FSB. (Tikhonov’s official biography with Kaspersky confirms his former rank but does not specify what branch of the Russian military he served in, while Kuzyaev’s LinkedIn profile states that he graduated from the FSB Academy, but does not list service with the group.)

Ruslan Stoyanov, a former officer in the interior ministry, ran a specially formed department inside Kaspersky Lab, tasked with investigating hacking and other cybercrimes in partnership with law enforcement officials, reporting to Kuzyaev. When asked to confirm this chain of command, Kaspersky Lab denied that the department reports to the chief security officer, without naming Kuzyaev directly.

“This was an internally formed department which worked with the FSB” and the interior ministry, the former senior manager told Meduza. The department’s name was a pun: The Computer Incident Investigation Department’s initials in Russian spelled out ORKI, the Russian transliteration of “orc.”

“They liked the name a lot,” the former senior manager said.

The cooperation with the secret services was so close that ORKI members even accompanied Russian security service agents into the field to detain cybercriminals, the former manager said. “They would visit a location together with FSB officers and would not be shy about this,” he told Meduza. “This is, of course, unprecedented.” Kaspersky Lab’s leading antivirus expert, Sergey Golovanov, confirmed to Meduza that company specialists accompany the security forces on arrests in order to provide technical support.

According to Kaspersky Lab, Stoyanov’s group formed in 2012. Andrey Bulay, a Kaspersky Lab spokesperson, told Meduza that ORKI department employees “possess both knowledge and experience across such fields of expertise as high technologies, digital forensic science, criminal law, and criminal procedure legislation that allows them to carry out forensic expertise and participate in investigative activities as technical experts.”

Stoyanov wrote in a 2015 post on Kaspersky Lab’s SecureList blog that his department had taken part in over 330 cybercrime investigations during the previous two years. Kaspersky Lab worked together with the state security agencies during these investigations for free, the former senior manager told Meduza. Kaspersky Lab’s spokesperson confirmed this when asked.

[Photo: Cars drive past the headquarters of the FSB security service, the successor to the KGB, in central Moscow. Credit: Vasily Maximov / AFP / Getty Images]

As the siloviki gained influence, they came into ever more conflict with the so-called tech-savvies. The main source of conflict was over the Kaspersky Security Network (KSN) system, which Nikolay Grebennikov, the head of the “tech-savvies” and the company’s technical director, would not allow the siloviki to access, the former senior manager said. (Grebennikov declined to speak to Meduza for this story.)

The KSN, launched in 2012, allows Kaspersky software to examine any potentially threatening file on a user’s computer and compare it with other cases across the network. Previous antivirus software worked locally on computers, comparing infected files to problems in the program’s database. Moving to a “cloud solution” allowed the company to analyze and neutralize new viruses before they spread, Kaspersky Lab has argued.

But according to the former senior manager, who was involved with launching KSN, the product was referred to as “cyberintelligence” inside the company. The system can be run manually from a remote location, he told Meduza, meaning an employee of Kaspersky Lab can download any file from a computer on which KSN is installed without its owner’s knowledge.

“It’s like an awesome kitchen knife that can be used for superbly slicing bread — or stabbing people,” the source said.

In a September 2017 memo outlining the government’s decision to ban Kaspersky products from federal government computers, the Department of Homeland Security noted that KSN users “agree to the transfer of a lengthy list of private data from user computers to Kaspersky servers,” which could be intercepted by the FSB.

[Image: Screenshot of the Kaspersky antivirus install process, prompting access for the KSN. Credit: Kaspersky Lab / Via Meduza]

Bulay, the company spokesperson, denied this, telling Meduza that KSN “has no mode for manual access to computers.” Kaspersky Lab wrote on its website in 2015 that KSN “does not process users’ personal data at all.” A more recent document says the company does not attribute any data it gathers to individual users that would make them identifiable.

Logging on to KSN is supposed to be an opt-in process for users who have bought Kaspersky’s antivirus software, according to the company’s website, allowing them to choose to make their computer’s files accessible from the cloud — a little like deciding to use iCloud to store your phone’s photos. But the former senior manager said that in the majority of cases, the system is set to activate by default when the antivirus software is installed. When Meduza attempted to install Kaspersky software onto a personal computer, the user was asked whether they wanted to participate in KSN — though the option to join was selected as the default answer.

The former senior manager also said that he was personally present during the product’s demo, during which analysts showed how they tapped into the computers of Gamma Group, a British firm that produces surveillance software for governments around the world, and downloaded the source code of one of the company’s programs.

“Later this code somehow appeared in the public domain, which caused severe damage” to Gamma Group, the former senior manager said. Bulay told Meduza that Kaspersky had never been contracted to provide security for Gamma Group, although in theory the firm could have bought Kaspersky software through a third party.
