Germany Warns Kaspersky Software Risks Being Exploited by Russia

Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer."

Russia-based Kaspersky has long been a target of suspicious rumors in the West over its ownership and allegiance to Russia's rulers.

In an advisory published today, the agency said: "The BSI recommends replacing applications from Kaspersky's virus protection software portfolio with alternative products."

It added: "A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers."

The warning does not appear to be based on any specific threat. Instead, however, it focuses on the notion that Kaspersky could find itself being used against its management's will to harm instead of protect its customers. The advisory noted, via Google Translate:

Antivirus software, including the associated real-time capable cloud services, has extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer's servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.
Kaspersky, a stalwart of the consumer antivirus scene since its foundation in the late 1990s, denied – unsurprisingly – that it poses a risk to Westerners. Instead it said the decision is politically motivated.

A company spokesman told The Register: "We believe this decision is not based on a technical assessment of Kaspersky products – that we continuously advocated for with the BSI and across Europe – but instead is being made on political grounds... Kaspersky is a private global cybersecurity company and, as a private company, does not have any ties to the Russian or any other government."

He also added, without mentioning Russia's military invasion of Ukraine and its indiscriminate killing of unarmed civilians as a result: "We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn't good for anyone."