Businesses should reconsider the risks involved in using Russian software in the wake of the war in Ukraine, the UK’s National Cyber Security Centre (NCSC) said today. The NCSC warning comes after several national governments advised businesses to avoid Kaspersky, the antivirus software vendor headquartered in Russia, while earlier today another Russian tech business, Yandex, was cited as a possible security risk.
In a blog published on Tuesday afternoon, the NCSC’s technical director Ian Levy said his organisation was assessing the threat posed by Russia’s cyber activities, but said they had to be “realistic” about the possibility of attacks.
“Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war,” Levy wrote. “We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed. We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence.”
But the cases of Kaspersky and Yandex show removing Russian companies entirely from complex supply chains is not straightforward.
The NCSC advice on dealing with Russian tech companies
The NCSC first warned about the threat posed to supply chain security by Russian companies back in 2017, and Levy said his organisation is now expanding the list of UK organisations that should “specifically consider the risk of Russian-controlled parts of their supply chain as part of their overall business risk management.”
This now includes organisations providing services to Ukraine, those providing services covering critical infrastructure, and “high-profile organisations” that might be seen as giving Russia a “PR win” if they were compromised. The NCSC is also expanding the list of public sector bodies covered by its 2017 guidance.
Levy stops short of calling for individual organisations to delete Kaspersky software, saying the company’s products remain safe for most to use. “It almost certainly remains the case that nearly all individuals in the UK (and many enterprises) are not going to be targeted by Russian cyberattack, regardless of whether they use Russian products and services,” he says.
This differs from advice elsewhere: the German government has told businesses to stop using Kaspersky, and the Italian government has removed its software from public sector organisations. Kaspersky says both decisions are politically motivated.
For UK businesses, Levy adds: “This conflict has changed the world order, and the increased risk and uncertainty aren’t going away any time soon. However, the best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans.”
Yandex SDK in the spotlight
The NCSC advice comes on the same day research revealed the widespread use of AppMetrica, a software development kit (SDK) produced by Russian technology company Yandex. SDKs are a common software development framework used in app building, and according to mobile apps analytics platform App Figures, AppMetrica is used in 13% of apps on the Apple App Store and 24% on the Google Play Store, meaning it features in hundreds of thousands of apps.
AppMetrica is sending back metadata to servers in Finland and, crucially, Russia, which leaves it under the jurisdiction of the Russian government. Researcher Zach Edwards first made this discovery as part of an app auditing campaign for non-profit organisation the ME2B Alliance, before sharing his information with the Financial Times.
A spokesperson from Yandex said the information gathered by the SDKs is not detailed, calling it “personalised and very limited,” adding that “although theoretically possible, in practice it is extremely hard to identify users based solely on such information collected. Yandex definitely cannot do this.”
Sharing metadata through software tools such as SDKs is common, explains Toby Lewis, global head of threat analysis at cybersecurity company Darktrace. “Most apps have between ten and 20 different third-party libraries that form part of their software,” Lewis says. “And all of those could be phoning home and communicating with a third-party service.”
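Lewis's point, that an app typically embeds ten to twenty third-party libraries and any of them may be phoning home, implies a concrete defender's task: inventory where each app actually sends data and map those destinations to the vendor that operates them, so that a supply-chain review of the kind the NCSC describes can be done against facts rather than assumptions. The following Python script is an added example, not code from the article, the NCSC, Darktrace or Yandex. The egress proxy log lines, app identifiers, hostnames, vendor registry and jurisdiction list are all constructed for the illustration; the registry and the set of jurisdictions that trigger a review are policy inputs an organisation would maintain itself.

```python
"""Egress inventory for third-party SDKs embedded in mobile apps.

Constructed example: the log lines, app ids, hostnames and vendor
registry below are invented for this illustration. The script takes
outbound-connection records (app, destination host, bytes sent),
attributes each destination to a vendor via a maintained host-suffix
registry, reports which apps talk to which vendors, flags vendors in
jurisdictions marked for supply-chain risk review, and lists hosts it
could not attribute (an unclassified host is itself a review finding).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample egress-proxy log: "app_id dest_host bytes_out".
SAMPLE_LOG = """\
com.example.weather analytics.vendor-a.example 1820
com.example.weather crash.vendor-b.example 410
com.example.weather api.example-weather.example 9200
com.example.shop analytics.vendor-a.example 2210
com.example.shop ads.vendor-c.example 5600
com.example.shop api.example-shop.example 30100
com.example.notes api.example-notes.example 1200
"""

# Hypothetical vendor registry: host suffix -> (vendor name, jurisdiction).
VENDOR_BY_HOST_SUFFIX = {
    "vendor-a.example": ("Vendor A", "RU"),
    "vendor-b.example": ("Vendor B", "US"),
    "vendor-c.example": ("Vendor C", "DE"),
}
VENDOR_JURISDICTION = {v: j for v, j in VENDOR_BY_HOST_SUFFIX.values()}

# Jurisdictions whose vendors trigger a supply-chain risk review (policy input).
REVIEW_JURISDICTIONS = {"RU"}


@dataclass(frozen=True)
class Egress:
    app: str
    host: str
    bytes_out: int


def parse_log(text):
    """Parse whitespace-separated 'app host bytes' lines; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        app, host, nbytes = line.split()
        records.append(Egress(app, host, int(nbytes)))
    return records


def vendor_for(host):
    """Return (vendor, jurisdiction) for the longest matching registered suffix, else None."""
    parts = host.split(".")
    for i in range(len(parts)):
        suffix = ".".join(parts[i:])
        if suffix in VENDOR_BY_HOST_SUFFIX:
            return VENDOR_BY_HOST_SUFFIX[suffix]
    return None


def third_party_inventory(records):
    """Map app -> {vendor: total bytes sent}, counting only attributed hosts."""
    inventory = defaultdict(lambda: defaultdict(int))
    for rec in records:
        attributed = vendor_for(rec.host)
        if attributed:
            inventory[rec.app][attributed[0]] += rec.bytes_out
    return {app: dict(vendors) for app, vendors in inventory.items()}


def flag_for_review(records):
    """Sorted (app, vendor, jurisdiction, bytes) tuples for vendors needing review."""
    flagged = []
    for app, vendors in third_party_inventory(records).items():
        for vendor, nbytes in vendors.items():
            jurisdiction = VENDOR_JURISDICTION[vendor]
            if jurisdiction in REVIEW_JURISDICTIONS:
                flagged.append((app, vendor, jurisdiction, nbytes))
    return sorted(flagged)


def unknown_hosts(records):
    """Hosts with no registry entry: first-party APIs or SDKs not yet classified."""
    return {rec.host for rec in records if vendor_for(rec.host) is None}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for app, vendors in sorted(third_party_inventory(recs).items()):
        print(app, vendors)
    for app, vendor, jurisdiction, nbytes in flag_for_review(recs):
        print(f"REVIEW: {app} sends {nbytes} bytes to {vendor} ({jurisdiction})")
    for host in sorted(unknown_hosts(recs)):
        print(f"UNCLASSIFIED: {host}")
```

The longest-suffix lookup lets one registry entry cover every subdomain a vendor uses, while the unclassified-host report keeps the review honest: a host nobody has attributed is exactly the kind of dependency that the "ten to 20 third-party libraries" figure says will otherwise go unnoticed.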
What does this mean for the apps using AppMetrica?
With many tech businesses taking a public stance against Russia in the wake of war breaking out, using AppMetrica could lead to opposition from customers, Lewis says. “If an organisation is seen to be effectively supporting Russian businesses or indirectly through part of their supply chain, would they want to change their operating model in a similar way to withdrawing their SDK from service?” he asks. “Would they be worried that users or customers would leave them because of the use of that particular SDK itself?”
He adds: “You could see a lot of the cancel culture, for want of a better phrase, that we’ve seen over the past few weeks [reflected here].”
Yandex operates across a number of markets, and data available to Yandex Taxi, its ride-hailing service, has already reportedly been handed over to the Russian government.
Kremlin is planning to give the FSB full access to taxi passengers’ trip histories. Full totalitarian stuff, and they’re not even hiding it: they’re announcing it on national news networks!
— Dr. Ian Garner (@irgarner) March 28, 2022
A report in the Moscow Times said the Russian government plans to ask Yandex and other services to hand over access to data that is used to “receive, store, process and transfer orders for a passenger taxi.”