Germany warns against using Kaspersky software, citing 'considerable' cyber risk after Russia's invasion

The German Federal Office for Information Security (BSI) warned organizations against using Kaspersky antivirus software over fears it could be exploited for cyber-espionage or launching cyberattacks amid Russia's ongoing war in Ukraine.

While the office is not explicitly banning the use of Kaspersky software, the security agency is urging German organizations to replace products made by the Moscow-headquartered firm with alternative software from non-Russian vendors, warning that Russia’s military and intelligence activities in Ukraine, along with its threats against Europe, NATO and Germany, means there is “a considerable risk of a successful IT attack.”

“A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers,” the BSI said in a statement, explaining that antivirus software such as Kaspersky's have deep system access and must maintain a permanent, encrypted and non-verifiable connection to the manufacturer's servers. “Companies and authorities with special security interests and operators of critical infrastructures are particularly at risk,” the statement adds.

The BSI adds that while consumers are likely to be the “last targeted” in the event of a successful attack, they could be the victim of “collateral" damage or spillover.

This warning, which the BSI notes “is only intended to raise awareness of possible dangers,” has already led to German organizations, such as Germany's Eintracht Frankfurt soccer club, to cut ties with Kaspersky. “We have notified Kaspersky management that we are terminating the sponsorship agreement effective immediately,” club spokesman Axel Hellmann said in a press release. “We very much regret the development.”

Italy’s Computer Security Incident Response Team (CSIRT) has also urged organizations to urgently risk-assess what technologies are provided by Russian companies or companies with links to Russia, though it does not explicitly mention Kaspersky.

Kaspersky said it believes the BSI's decision is not based on a technical assessment of its products, rather on political grounds.

“We will continue to assure our partners and customers in the quality and integrity of our products, and we will be working with the BSI for clarification on its decision and for the means to address its and other regulators’ concerns,” Kaspersky spokesperson Francesco Tius told TechCrunch. “Kaspersky is a private global cybersecurity company and, as a private company, does not have ties to the Russian or any other government.

“We believe that peaceful dialogue is the only possible instrument for resolving conflicts. War isn’t good for anyone,” the company added.

The statement follows similar comments by the company's chief executive Eugene Kaspersky, who earlier this month tweeted that he welcomed negotiations that would lead to "compromise," prompting angry responses. A recently imposed law in Russia bans journalists from calling the Kremlin's military operation in Ukraine either "war" or an "invasion," though it's unclear if this extends to Russia-based companies.

Kaspersky's ties to Russia are long known but have been a long-running source of controversy. In 2017, the Trump administration banned government agencies from using Kaspersky's software, citing concerns about the firm’s alleged links to the Russian government. The following year, the European Parliament passed a resolution that classifies the security firm’s software as “malicious” due to the alleged link of the company with Russian intelligence.