Bitsight found that 40% of US organizations who used Kaspersky products before the government ban came into effect still appear to be using them
Analysis Summary
This article details the persistent use of Kaspersky security products by US organizations following a government ban, highlighting ongoing supply chain risk challenges.
# Incident Report: Persistent Kaspersky Usage Post-US Ban
## Executive Summary
Following the prohibition on Kaspersky products by the US Department of Commerce on September 29, 2024, a significant number of US organizations, including 19 government entities, reportedly continued active use of the software. This ongoing usage shows how difficult prompt compliance with supply chain risk mitigation directives can be. While global usage of Kaspersky products dropped significantly (by about two-thirds between April and November 2024), the persistence in the US highlights the need for policymakers to measure technology usage more effectively.
## Incident Details
- **Discovery Date:** Findings based on monitoring up to November 30, 2024 (Bitsight analysis).
- **Incident Date:** The core issue relates to non-compliance *after* the prohibition date of September 29, 2024.
- **Affected Organization:** Various US Organizations, including 19 US Government Entities.
- **Sector:** Broad impact across sectors utilizing endpoint security solutions.
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** N/A (This is an ongoing usage/compliance issue, not a single intrusion event.)
- **Vector:** Pre-existing legitimate installation of Kaspersky products prior to the ban.
- **Details:** Organizations were using Kaspersky products connected to vendor update servers.
### Lateral Movement
- **N/A** (This report focuses on software usage compliance, not active malicious intrusion or movement.)
### Data Exfiltration/Impact
- **N/A** (The primary impact is **regulatory non-compliance** and **potential national security risk** due to reliance on a technology provider linked to a foreign government.)
### Detection & Response
- **How it was discovered:** Bitsight analysis monitoring connections/communications between organizational IP addresses and Kaspersky update servers.
- **Response actions taken:** The US Government (BIS) issued a Final Determination prohibiting use effective September 29, 2024. Kaspersky announced it would wind down US business operations in July 2024. (The report details ongoing non-compliance *despite* these measures.)
## Attack Methodology
This incident is defined by **supply chain risk** and **compliance failure**, not a traditional cyberattack:
- **Initial Access:** Pre-existing software installation.
- **Persistence:** Continued operation and communication of existing Kaspersky software post-ban.
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A (Software was functioning as intended; the issue is its origin/trust).
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Elevated national security risk stemming from the continued use of technology originating from a potentially adversarial nation-state.
## Impact Assessment
- **Financial:** Not explicitly detailed, but remediation and re-procurement costs are implied.
- **Data Breach:** No specific data breach mentioned; the risk is potential compromise due to the software vendor's ties.
- **Operational:** Potential for disruption if mandated removal or replacement causes unexpected application conflicts.
- **Reputational:** Ongoing scrutiny for US government entities found non-compliant with technology directives.
## Indicators of Compromise
*Note: Since this is a policy compliance report rather than an active intrusion, the IoCs relate to the **continued connection** to the vendor.*
- **Network indicators:** Communications/connections observed between organizational IP addresses and known Kaspersky update servers.
- **File indicators:** Use of Kaspersky security software executables and services.
- **Behavioral indicators:** Continued network telemetry indicative of licensed Kaspersky product activity post-September 29, 2024.
## Response Actions
- **Containment measures:** None explicitly detailed as being universally applied at the time of reporting, as the *lack* of action (non-removal) is the issue.
- **Eradication steps:** Organizations need to fully uninstall and replace Kaspersky products.
- **Recovery actions:** Implementation of new, approved endpoint security solutions.
## Lessons Learned
- Prohibition deadlines set by policymakers do not guarantee immediate removal of the technology across all organizations (especially government entities).
- Policymakers require effective, near-real-time methods for measuring technology usage and supply chain compliance within jurisdictional borders.
- Global trends show that usage can drop sharply (by about two-thirds worldwide), but complete elimination by a deadline is difficult.
## Recommendations
- Implement rigorous Software Asset Management (SAM) and Configuration Management Database (CMDB) auditing to track the installed presence and network communication of potentially banned software.
- Establish automated network monitoring specifically looking for external communications with high-risk vendors identified by government directives.
- Prioritize the replacement of high-risk software immediately upon designation, rather than waiting until the final prohibition deadline.
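As an added example (not part of the Bitsight report or its tooling), the following Python pass implements the network-monitoring recommendation above and the network IoC from the Indicators section: it scans proxy-log lines for sources that keep reaching watchlisted vendor update hosts on or after the September 29, 2024 prohibition date. The hostnames, log line format and sample lines are constructed placeholders, since the report names none.

```python
import re
from collections import defaultdict
from datetime import date

PROHIBITION_DATE = date(2024, 9, 29)  # BIS Final Determination effective date (from the report)

# Placeholder watchlist: the report names no hostnames, so these are constructed stand-ins.
HIGH_RISK_VENDOR_DOMAINS = {
    "kaspersky": ("update.vendor-placeholder.example", "ksn.vendor-placeholder.example"),
}

# Assumed proxy/DNS log line format: "<YYYY-MM-DD> <src_ip> <dst_host> <bytes>"
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\S+)\s+(\d+)$")

def match_vendor(host):
    """Return the watchlist vendor for host (exact or subdomain match), else None."""
    host = host.lower().rstrip(".")
    for vendor, domains in HIGH_RISK_VENDOR_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return vendor
    return None

def find_post_ban_contacts(log_lines, cutoff=PROHIBITION_DATE):
    """Map src_ip -> vendor -> {count, first_seen, last_seen} for contacts dated on/after
    cutoff. Pre-ban traffic was legitimate and is ignored; unparseable lines are skipped."""
    hits = defaultdict(dict)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        day, src, vendor = date.fromisoformat(m[1]), m[2], match_vendor(m[3])
        if day < cutoff or vendor is None:
            continue
        e = hits[src].setdefault(vendor, {"count": 0, "first_seen": day, "last_seen": day})
        e["count"] += 1
        e["first_seen"], e["last_seen"] = min(e["first_seen"], day), max(e["last_seen"], day)
    return dict(hits)

# Constructed sample lines (not real telemetry): 10.0.0.5 keeps updating after the
# ban, 10.0.0.9 stopped before it, 10.0.0.12 only reaches an unrelated domain.
SAMPLE_LOG = [
    "2024-09-15 10.0.0.5 update.vendor-placeholder.example 40212",
    "2024-10-02 10.0.0.5 dl.update.vendor-placeholder.example 51000",
    "2024-11-20 10.0.0.5 ksn.vendor-placeholder.example 2048",
    "2024-09-28 10.0.0.9 update.vendor-placeholder.example 39000",
    "2024-10-10 10.0.0.12 updates.unrelated.example 1200",
    "malformed line that should be skipped",
]

REPORT = find_post_ban_contacts(SAMPLE_LOG)  # only 10.0.0.5 is flagged, with 2 post-ban hits
```

Feeding real proxy or DNS logs through the same function gives the per-source evidence an asset owner needs to pair with SAM/CMDB records before scheduling removal.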