In fall 2017, the Department of Homeland Security ordered all federal agencies to stop using software developed by Kaspersky Lab over concerns about the company’s connections to the Russian government and evidence that hackers were exploiting Kaspersky’s software to steal U.S. intelligence and other data. According to two whistleblowers, more trouble is brewing: fingerprint-analysis software used by the FBI and other law enforcement agencies could include Russian-made code, which could lead to data being stolen or manipulated and even outright cyberattacks against law enforcement.
According to BuzzFeed News, the U.S. purchased the software from a company that was a subsidiary of the French conglomerate Safran Group. During the contract bidding process, the subsidiary, Sagem Sécurité, hid the fact that some of the code in the software was created by a Russian company, Papillon AO, that is closely connected to the FSB, Russia’s intelligence service that has been linked to other hacks against U.S. targets.
According to documents provided by two French whistleblowers, Sagem Sécurité struck a licensing deal with Papillon AO in order to boost its fingerprint-analysis software and win an FBI contract. According to court documents, both companies agreed to keep their agreement confidential and not inform third parties (like the U.S. government) that they were working together. According to one of the whistleblowers, Safran Group officials repeatedly stressed how important it was to keep the deal a secret so as not to jeopardize opportunities to sell the software in the U.S.
Another of the whistleblowers called Papillon AO’s connections to the Russian government an open secret.
In response to BuzzFeed’s report, the FBI issued a statement: “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”
(Via BuzzFeed News)