Ivan lives in Clermont-Ferrand, in the very center of France. He writes fantasy novels, skydives on occasion, and wants his life to be memorable every day. He’s also a member of the Global Research and Analysis Team (GReAT), Kaspersky’s group of top experts who uncovered Carbanak, Cozy Bear, Equation and many other threat actors and their sophisticated malware across the world.
– Ivan, looking at your name I couldn’t help but start with this question: do you have some Slavic roots?
– More or less. My name’s inherited from my grandfather on my dad’s side. The patronym “Kwiatkowski” comes from Poland, but, funnily enough, it wasn’t even his: he was an adopted child and his “real” name is unknown, as is his origin. So while there are indeed Slavic roots somewhere, their precise nature is lost forever.
– You explore malware and hacker groups. How could you get into such a profession? I doubt it was listed in university courses.
– Back in the day, there weren’t any cybersecurity curriculums, let alone classes about malware analysis and the like. Cybersecurity is a domain I fell into by accident.
Around 2008, while studying for my degree in computer science, I thought I’d work in the field of artificial intelligence. I was about to leave for Vancouver for an internship, and had to terminate my internet subscription because I didn’t want to keep paying while I was abroad. I got in touch with my ISP and explained the situation. They told me to send them a letter (this was around a month before my departure), and they’d take care of everything.
So I did, and only a few days later — I had no more internet access. Never in the history of ISPs had a customer request been handled so efficiently! But for a computer science student, spending a month without internet was unimaginable. Yet my ISP couldn’t restore access — or, more likely, they didn’t want to. So I started looking into Wi-Fi security to… temporarily hijack a neighbor’s internet access until my departure, naturally.
Back then, the encryption protocol everyone used — WEP — was very insecure. But having had my first taste of computer security (rather — the lack thereof), I immediately knew that I’d keep researching this field for years to come. And it felt more reasonable to make a career out of it rather than to be arrested for unsolicited research in the future.
I gave up on artificial intelligence almost immediately, and started learning cybersecurity on my own, in addition to my studies. And after I’d received my degree, I was able to apply for a job in the field — and have remained in it ever since!
– It’s funny you should say that, since the next question I had in my list was: is it possible to be a security researcher for someone who’s not a hacker in their soul?
– I’d say it’s a job that requires a lot of passion and dedication, which usually attracts very persistent people. A trait that’s very much part of the hacker spirit.
– How did you land in Kaspersky?
– I’d been working for small-size companies providing infosec-related services in Paris. It was interesting, but I felt like I had reached a point where I wanted my work to make a difference, and moving into threat intelligence felt like the right way to achieve this.
I chose Kaspersky in 2018, right after the very intense negative media campaign that the company had been enduring. My intuition told me that a cyber-defense team that had managed to make so many folks mad had to be doing something right. And being a part of this team now, I can confirm that I was right!
– FireEye folks once said that they use discretion when it comes to public disclosure of malware: they don’t rush to publicly report a malware if it’s made by a U.S. government agency. For an American company, it’s an understandable position. But what about GReAT? Your team is international, with some researchers from Russia, some from the West, some from Asian countries… from all over. How do you solve such questions, if you ever have them?
– I have no particular qualms about doing research on malware of possibly Russian, or American, or French origin. But even if I had, there are many others in the GReAT international team who would happily work on these threat actors. In that sense, there aren’t any limits on which attackers we can track.
To go a bit deeper, I think there should be a clear separation between offense and defense. Sometimes nation states have legitimate reasons to conduct cyberattacks (for example, in fighting terrorism), and sometimes not (intellectual property theft). None of us at GReAT is qualified to be the arbiter of what operations are legitimate. Being in this position would put us in a world of hurt and dilemmas.
I think that the right way to see this issue is to quote the 18th-century philosopher, Montesquieu: “power stops power”. States exert their power, and we as a cyberdefense company have the power to make their lives harder. Since we exist they have to think twice before launching offensive operations. Because we impose costs, their power is kept in check and cannot be misused — or at least not as much. This is a good enough reason for me to justify doing research on all cyber activities — no matter their origin.
I think Kaspersky’s existence in the threat intelligence market is crucial, and under no circumstances should the one and only non-aligned vendor be allowed to bite the dust. I hope that we’ll all get through this and keep working on all APTs — no matter where the attacks come from. We’re equal-opportunity researchers!
– The GReAT team held a webinar in March, with analysis of cyberattacks on Ukraine: HermeticWiper, WhisperGate, Pandora… But at the same time, there was a wave of attacks targeting Russian organizations: wipers, DDoS, spear phishing. Yet we don’t see any special publications from GReAT about those attacks. Why?
– It’s mostly a question of volume. The cyberattacks against Ukraine have been massive in scale, and very visible due to the fact that they aimed for disruptive effects: data destruction, ransomware, etc. Many of our competitors also have good visibility in Ukraine; sometimes they even collaborate, which allows getting very precise data about what’s going on in the country. This leads to significant media coverage.
Some attacks are indeed targeting Russia, but they get less attention. We have covered some of them in our private reporting. And we are tracking a number of actors (chiefly Chinese-speaking) active in the region at the moment. But I’m not aware of any serious destructive activities.
– We’ve heard about Anonymous claiming to have defaced Russian websites, and some sites were indeed defaced. Do you believe these “Anonymous” actions relate to the 15-year-old movement?
– Oh, I think Anonymous ceased being a grassroots movement many years ago. While there may still be some genuine hacktivism using that brand, it’s unquestionable that APTs have also used this persona to undertake their own information-warfare operations on occasion.
As a rule, I believe researchers should never take self-attribution into account, and focus purely on technical elements when trying to figure out which group could be responsible for an attack.
– Some European governments tell their citizens to get rid of Kaspersky products. But it looks like France is trying to be as neutral as possible. Is this because of the election? Or do people in France really have some different attitudes about the Ukraine conflict?
– I think it’s less about the French people than about the country’s institutions. ANSSI, the regulatory body for cybersecurity, has always strived to keep a neutral position in most matters. Beyond this, I think France shares the same perception as the rest of Europe when it comes to the Ukrainian conflict. Believe me, election season means no politician wants to be perceived as being sympathetic toward Vladimir Putin.
– What about GReAT’s communication with the rest of the infosec world? Some organizations are cutting ties with Kaspersky. How will it affect your work?
– The main issue for us relates to US companies that used to provide some services to us. They’re considering cutting ties with us or have already limited our access to their tools. This affects our ability to conduct our daily research.
As for exchanges with industry peers, yes, some of them will no longer talk to us. Although for the most part the personal relationships we have with other researchers are unaffected.
Overall, it’s clear that less information exchange reduces the whole industry’s ability to fulfil its mission.
– How do GReAT experts communicate with each other? Do you have regular meetings in real life? Visiting Moscow for a beer with teammates?
– Honestly, things have been rough for a while. We’re a fully remote team, and the various regions have their own weekly meetings to coordinate work. When I first joined the company there was at least one big meet-up per year, as well as the Security Analyst Summit, which used to be in-person. But due to COVID, neither has taken place in a while.
I also used to go to Moscow on a regular basis to spend some time with the Russian members of the team, but it’s unclear whether this is still an option. I do hope we’ll find a way to see each other, because those were always amazing trips.