Interview A gauche "spy" has made clumsy efforts to get critics of Russian antivirus biz Kaspersky Lab to incriminate themselves as shills for rival security companies.
At least three public critics of the company have been lured to meetings on the promise of business or employment opportunities, it is claimed. Once there, conversation focused on Kaspersky Lab and whether its critics are being paid by rival firms, the Associated Press newswire revealed this morning.
Keir Giles, a senior consulting fellow for Russia and Eurasia at the Chatham House think-tank, was asked to a meeting to discuss an apparent $10,000 opportunity to give a speech for a private equity company conference in Hong Kong.
Giles said his suspicions were first aroused by the man's suit, telling The Register: "He wasn't scruffy but he wasn't wearing the high-end tailoring and well-polished shoes I'd associate with someone in his supposed business."
Giles' suspicions were triggered because the man said he was from Belgium but didn't have a French or Flemish accent. Instead, he sounded central European. He claimed to live in Hong Kong but gave an unconvincing description of precisely where; Giles himself grew up in Hong Kong.
Giles said: "There was nothing that totally ruled him out but it raised my suspicions."
The man said he was hard of hearing and asked Giles to speak more loudly and directly towards him – leaving the think-tanker wondering where the microphone was.
The shabby-suited spook went by the name of Lucas Lambert and kept steering the conversation back to Kaspersky Lab and Giles' motivation for criticising it.
Giles told the AP: "He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky. The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky's competitors."
Sensing a pattern?
The newswire found four other Kaspersky critics who had been targeted in similar ways.
Giles told The Reg: "In my job I'm probably slightly more alert to entrapment than most people. My spidey senses were already going off. Then, at our second meeting, he claimed I'd said something at the first meeting which I hadn’t and I got really suspicious."
Giles said that he'd carried out brief checks when he got the first email and found a basic web and social networking presence for the company – "there was nothing immediately off, but nothing that made it seem definitely legitimate either." Giles was asked to recommend other possible speakers and warned them by email of his suspicions.
Giles said: "I'm really not 'an opponent of Kaspersky', I've always tried to be even-handed and I don’t have an axe to grind. I'm suspicious of all antivirus companies and have pointed out in the past that all security companies usually co-operate with their nation's intelligence services – it just so happens in the case of Kaspersky that means Russia."
He said he was surprised at the disconnect between seemingly sophisticated cyber espionage abilities and quite clumsy social engineering.
AP were unable to find any trace of Lucas Lambert's supposed employer NPH Investments at the address he gave on his business card. There were no records for the company in Japan where Lambert claimed it also had an office.
Giles received regular contact from Lambert from April until mid-October, when Lambert emailed to say the conference had to be postponed because one of his clients had to have an "unplanned board meeting" that day.
Giles said he had been the target of sophisticated spear-phishing attempts in the past, including appointment reminders which appeared to come from his usual optician. Colleagues at Chatham House also received an email purportedly from his PA which claimed to include draft chapters of a book he was writing. This attack was followed up with phone calls asking for feedback on the work in progress. The caller's thick Russian accent discouraged anyone from clicking on the link.
Sloppy detective work
The clumsy intelligence-gathering efforts closely mirrored the experience of Canadian research outfit Citizen Lab, which earlier this year outed an Israeli company whose software was implicated in spying on the inner circle of Washington Post reporter Jamal Khashoggi before his murder in Saudi Arabia.
John Scott-Railton, senior researcher at Citizen Lab, told the newswire that the NPH Investments online identity was remarkably similar to the websites created to spoof Citizen Lab.
Scott-Railton told The Register: "When I began looking at the cover identity constructed for this operation I had immediate déjà vu. It was an echo of my bumbling lunch companion's cover, just with different words, names and stock photos. I had a mental image of someone in a cubicle churning out fake cover companies... but for whatever reason a big fan of the name Lambert..."
He said the sites used the same domain registration pattern and the same off-the-shelf designs from an Israeli firm called Wix. The sites were also connected to the same small network of LinkedIn profiles featuring black-and-white or oddly angled photographs of men and women wearing sunglasses.
Kaspersky has faced criticism of its closeness to Russian agencies, which has intensified since the 2016 US election. Congress has since banned Kaspersky products from government networks.
Kaspersky Lab declined to comment. ®