The Impact of the Kaspersky Ban
On June 20th, 2024, the Department of Commerce's Bureau of Industry and Security (BIS) announced the prohibition of Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from directly or indirectly providing anti-virus software and cybersecurity products or services in the U.S. or to U.S. persons. The prohibition also applies to Kaspersky Lab, Inc.’s affiliates, subsidiaries, and parent companies.
This groundbreaking decision means that Kaspersky will generally no longer be able to, among other activities, sell its software within the U.S. or provide any updates to software already in use. Enterprises using Kaspersky in the U.S. are being encouraged to find alternative solutions. Kaspersky can continue certain operational activities in the U.S. until September 29, 2024.
How will this decision impact global users of Kaspersky? Leveraging its proprietary data sets, Bitsight TRACE analyzed the prevalence of Kaspersky products used by organizations around the globe – including in the United States. Our findings include:
- Nearly 25% of Fortune 1000 companies appear to be leveraging Kaspersky products.
- Dozens of government organizations within the U.S. – including multiple U.S. federal agencies – appear to be using Kaspersky products, in spite of a multi-year federal agency ban on Kaspersky product usage.
This blog contains the results of that study, along with recommendations for organizational security leaders.
What is Kaspersky?
Kaspersky develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services. The first antivirus software was developed by Eugene Kaspersky back in 1989; the company, officially founded in 1997, has been a major player in the industry since the beginning of 2000.
Kaspersky is a multinational company with offices in 31 countries, servicing users in over 200 countries and territories. According to BIS, Kaspersky provides services to over 400 million users and 270,000 corporate clients globally.
Why was Kaspersky banned?
This action is the first of its kind and is the first Final Determination issued by BIS’s Office of Information and Communications Technology and Services (OICTS), whose mission is to investigate whether certain information and communications technology or services transactions in the United States pose an undue or unacceptable national security risk.
BIS determined that Kaspersky poses an undue or unacceptable risk to U.S. national security. According to BIS, U.S. organizations are at risk from their use of Kaspersky because:
- Kaspersky is subject to the jurisdiction of the Russian Government and must comply with requests for information. This may allow the Russian government access to certain information that could imperil U.S. organizations.
- Kaspersky may be able to access sensitive U.S. customer information through administrative privileges, in the provision of cybersecurity and anti-virus software.
- Kaspersky possesses the capability or opportunity to install malicious software and withhold critical updates, leaving U.S. persons and critical infrastructure vulnerable to malware and exploitation.
- Kaspersky’s integration with other products increases the likelihood that Kaspersky software could unwittingly be introduced into devices or networks containing highly sensitive U.S. persons data.
This is not the first time the U.S. government has issued a ban on Kaspersky. In 2017, the U.S. government took action against Kaspersky, when the Department of Homeland Security issued a binding operational directive requiring U.S. federal agencies to remove and discontinue use of Kaspersky-branded products on U.S. federal information systems. The National Defense Authorization Act (NDAA) for Fiscal Year 2018 later prohibited the use of Kaspersky by the U.S. federal government.
Bitsight’s observations
What geographies, sectors, and industries are likely to feel the impact of a ban on Kaspersky? Which geographies, sectors, and industries are currently using Kaspersky products? Bitsight TRACE leveraged its proprietary data sets to assess the prevalence of Kaspersky products internationally and within the United States.
(Figure 1 - Percentage of unique IP addresses contacting Kaspersky servers, per country)
Looking back over recent weeks, we observed over 14 million unique IP addresses communicating with Kaspersky update servers, making a total of over 100 million connections. We believe that connections between IP addresses and Kaspersky update servers are a good indicator of Kaspersky product usage, while acknowledging that this approach is likely to underestimate the total number of users. In addition, our analysis does not eliminate traffic that may be used to perform security research, testing, reconnaissance, or other intelligence collection activities about Kaspersky update servers.
In general, our observations indicate a strong user base in Europe, with Germany and Italy leading. In North America, users are prevalent in Mexico and the U.S. In Asia, India clearly leads the way and, in Africa, Algeria has the largest number of users.
(Figure 2 - Percentage of unique IP addresses contacting Kaspersky servers, top 20 countries)
These numbers give us a general idea of the adoption of Kaspersky solutions at large, but they don’t tell the whole story. Bitsight is able to leverage its entity mapping techniques to understand the prevalence of Kaspersky solutions across sectors and industries.
We start out by analyzing the percentage of organizations that use Kaspersky within each sector, per country. After filtering through the data, removing home users and focusing on enterprises alone, we can better understand which sectors are more exposed within each country.
(Figure 3 - Top 20 countries, percentage of Kaspersky usage within each sector)
Since Kaspersky is a Russian company, its products are highly prevalent inside the Russian Federation territory. Other countries where Kaspersky product use is highly prevalent across different sectors are Saudi Arabia, Portugal, Turkey, and Austria, with the Education, Utilities, and Government sectors clearly highlighted. Looking at the heatmap above, the U.S. is almost unnoticeable. Does this mean it is not affected? Not at all: we detected over 2,500 U.S. organizations using Kaspersky products. In fact, the number of different organizations across multiple industry sectors makes the U.S. stand out.
By analyzing the data, we can infer that while the usage of Kaspersky products does not seem to be systemic to any particular industry sector in the U.S., there is still a considerable number of organizations that use them. In particular, we found that 238 of the Fortune 1000 companies were also in this list, 230 of them being U.S.-based.
The U.S. view
Given that the U.S. government issued the ban on Kaspersky, we wanted to understand how U.S. organizations are affected by sector and industry. If we do a sector breakdown, we can see that the U.S. Technology, Education, Manufacturing and Business Sectors are the most common users of Kaspersky products.
(Figure 4 - 2540 Total US orgs, usage per sector, excluding service providers)
Interestingly, we observed a number of government and political organizations within the U.S. that appear to be using Kaspersky products, despite the fact that Kaspersky product usage was heavily discouraged in past years and even prohibited within the U.S. federal government. In fact, in spite of the federal ban on Kaspersky product usage, we observed multiple U.S. federal government organizations connecting with Kaspersky servers. The map below offers a view of Kaspersky prevalence by U.S. state. Given the ban of Kaspersky products within the U.S., we are sharing more detailed findings with relevant government agencies so they can quickly remediate these issues.
(Figure 5 - Count per state. Total counts for Government/Politics and Federal Government.)
What’s next
The U.S. government ban of Kaspersky will have an immediate impact on thousands of U.S.-based customers. U.S. customers will need to transition to another antivirus solution, which can be complex, costly, and disruptive to operations, particularly for larger organizations. It is critical for U.S.-based security leaders to identify whether their organizations are leveraging Kaspersky products and seek to replace them with a similar product from another vendor.
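The update-server indicator described earlier can also be applied to an organization's own DNS logs to find internal hosts still running the product. The following is an added example, not Bitsight's code or methodology: the log format, the sample lines, and the `av-vendor.example` hostnames are constructed placeholders, to be replaced with the update hostnames the vendor publishes.

```python
from collections import Counter

# Placeholder suffixes (assumption): replace with the update-server
# hostnames the vendor publishes for the product versions in use.
UPDATE_SUFFIXES = ("updates.av-vendor.example", "dl.av-vendor.example")

# Constructed sample DNS query log: "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2024-06-24T08:00:01Z 10.1.4.17 geo1.updates.av-vendor.example.
2024-06-24T08:00:09Z 10.1.4.17 GEO2.Updates.AV-Vendor.example
2024-06-24T08:01:30Z 10.2.9.40 dl.av-vendor.example
2024-06-24T08:02:11Z 10.3.0.5 www.example.org
2024-06-24T08:02:45Z 10.3.0.5 notupdates.av-vendor.example
2024-06-24T08:03:02Z 10.3.0.8 updates.av-vendor.example.other.example
malformed line without enough fields
"""

def matches_suffix(qname, suffixes=UPDATE_SUFFIXES):
    """True if qname equals a suffix or is a subdomain of it.

    Matching is label-aligned and case-insensitive, so look-alike names
    such as 'notupdates.av-vendor.example' are not counted.
    """
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def summarize(log_text, suffixes=UPDATE_SUFFIXES):
    """Return (matching queries per client IP, total matching queries)."""
    per_client = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing
        _ts, client, qname = parts
        if matches_suffix(qname, suffixes):
            per_client[client] += 1
    return per_client, sum(per_client.values())

if __name__ == "__main__":
    clients, total = summarize(SAMPLE_LOG)
    print(f"{len(clients)} unique clients, {total} connections")
    for ip, count in clients.most_common():
        print(f"  {ip}: {count}")
```

As with the external measurement, this undercounts hosts that update through a proxy, an internal mirror, or a resolver outside the logged path.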
Replacing a critical security product like Kaspersky could lead to gaps in coverage. Security leaders should also understand which of their critical third party vendors or suppliers are leveraging Kaspersky products. Knowing that a critical vendor has a plan to effectively transition from Kaspersky to another product will provide important assurance to security leaders.
Bitsight is helping our customers understand if they have assets using Kaspersky in their inventory so they can take the proper actions. Customers can check Vulnerability Detection for this potential security issue and we will provide links on the dashboard so they can see vendors that have Kaspersky dependencies. For more information, please contact us!