US blacklists sale of Russia-based Kaspersky products over ties to Kremlin

The Commerce Department barred the sale of cybersecurity products made by Russia-based Kaspersky Labs in the United States on grounds that the firm’s ties to the Kremlin pose national security risks to American customers using its services.

The move, which has been mulled for at least the past year, was announced by the agency’s Bureau of Industry and Security. It follows a preexisting ban on Kaspersky offerings in U.S. government systems that was enacted in 2017 after officials said its software was used to steal classified NSA employee data via backdoor intercepts controlled by the Kremlin.

Other restriction steps followed, including a related ban on Kaspersky products for use in U.S. government contracts and a later move from the Federal Communications Commission that added the company to its national security threat list in the wake of Russia’s 2022 invasion of Ukraine. The Thursday move is a first-of-its-kind decision that prevents the American private sector from buying Kaspersky offerings altogether.

The ban was invoked through a Commerce Department authority enacted during the Trump administration that allows the agency to restrict certain IT or communications technology transactions. Two Russia-based Kaspersky entities and one company unit based in the United Kingdom are targeted by the Thursday move.

The firm is barred from entering into new agreements starting July 20. It has until Sept. 29 before it must cease rolling out new security updates to customers using its products, which include its flagship antivirus software. Kaspersky also runs its own threat intelligence service similar to products offered by U.S. providers like Microsoft, Google and CrowdStrike.

Commerce Secretary Gina Raimondo urged U.S. customers “in the strongest possible terms” to cease using Kaspersky and seek alternate providers.

“Russia has shown it has the capacity and … the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action that we’re taking today,” she said in a call with reporters previewing the announcement.

The U.S. determined the company has been a continued threat to national security interests but that the agency had been awaiting funding and resources to invoke the restriction only now, said a separate senior Commerce Department official who spoke on the condition of anonymity per ground rules of the news conference.

Kaspersky has a “significant number” of American customers, said the official, who declined to provide an exact figure because the information is confidential. Over 400 million customers in some 200 nations and territories use Kaspersky services, according to the company’s website.

Russia’s state-centered economy allows Moscow to steamroll contracts for military and intelligence operations. A leak last year revealed the intricacies of this relationship, showing a vast network of consultants working on behalf of the Kremlin, including prolific hacking group Sandworm.

“We generally know that the Russian government uses whatever resources available to perpetrate various malicious cyber activities,” said the senior official. “We do not name any particular actions in this final determination, but we certainly believe that it’s more than just a theoretical threat that we described.”

The company has previously denied allegations of ties to the Kremlin. The U.S. isn’t expecting retaliation from Russia at this time but is “certainly on guard and prepared” in the event of a response, the official said. Commerce has evidence Kaspersky is still pushing software updates to its U.S.-based products and will take civil or criminal action if it’s found to be doing so once the September 29 deadline passes, they added.

"Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services," the company said in an emailed statement, adding: "The company intends to pursue all legally available options to preserve its current operations and relationships."

The firm in 2017 launched a transparency initiative and soon after began porting much of its core infrastructure to locations outside Russia, though it still has data centers based in Moscow.

The company has mostly walked a fine line on Russia-U.S. cyber relations since the war in Ukraine broke out two years ago, though its eponymously named founder Eugene Kaspersky had previously argued it’s been caught in the crossfire of U.S.-Russia tensions. The firm came under scrutiny from national security officials shortly after the war began amid concerns that Moscow could influence its software designs for spying purposes.

The company was involved in tensions between Russia and Apple last year when the nation’s Federal Security Service accused the tech giant of aiding the U.S. in a mass espionage campaign against thousands of people based in the country — including diplomats — through the use of a backdoor planted in their iPhones.

The firm at the time assessed the infiltration began with a seemingly innocuous iMessage attachment that could bolt the spying malware onto targeted devices without any user interaction with the message.

Apple vehemently denied FSB’s claims and has declined to provide Kaspersky with a bug bounty reward for finding the flaws in its software that allegedly enabled the hacking to occur. Kaspersky determined the hack was carried out by a nation-state group but said it doesn’t have enough evidence for exact attribution.

Kaspersky has set off alarm bells in other Western governments, including the U.K., Lithuania, Germany and the Netherlands.

Editor's note: This article was updated June 20, 2024 with additional comment.