The usa.kaspersky.com domain was attacked on Saturday, February 7, 2009. Several attackers with IP addresses from Romanian ISPs launched an SQL injection attack on a subsection of the site. The new version of this support site, rolled out at the end of January, contained a vulnerability. After conducting the attack, the attackers posted on their blog, claiming they had gained access to “personal details” and “activation codes”. However, a thorough analysis conducted by Kaspersky Lab’s web security experts immediately following the attack revealed that although the attack had penetrated the support site, no sensitive data was compromised. No activation codes or personal data were leaked as a result of the attack.
Company personnel took immediate action when notified of the issue, and the vulnerability was fixed. The attack didn't affect any other Kaspersky Lab sites or the ecommerce sections on these sites.
Kaspersky Lab’s specialists investigated the incident and hired an independent expert, Next Generation Security Software’s David Litchfield, to corroborate the results of the internal investigation, and to confirm that no data was leaked. Litchfield’s report was delivered to Kaspersky Lab on Thursday, February 12, 2009, and confirmed that no data had in fact been compromised from the site.
Litchfield’s report states the following:
“The usa.kaspersky.com website and database were successfully breached early on Saturday morning on the 7th of February. Kaspersky was deliberately targeted. The attacker, based in Romania, used Google to search for web servers owned by Kaspersky running applications that may be vulnerable to SQL injection. The attacker claims to have been able to access private customer information but has publicly stated that no data was compromised. The attacker's claim to be able to access customer data is correct and, as is apparent from the web server log files, the attacker did attempt to gain access to customer data; however, the attempts failed. At no point was customer data accessed. On the Saturday, the attacker published the fact that the usa.kaspersky.com web site was vulnerable to SQL injection. This caused a number of other attackers from various locations to probe the site further. None of these follow-up attackers accessed any customer data either. On hearing of the threat, Kaspersky immediately took down the vulnerable web server, preventing further and deeper breaches.”
Kaspersky Lab recognizes that this attack could have had much more serious consequences. The company is conducting a thorough security audit of all official Kaspersky Lab sites and developing additional internal review procedures to ensure corporate resources are protected from similar attacks in the future.
It should also be noted that Kaspersky Lab’s core competency is in developing anti-malware solutions; although the attack is naturally a cause for concern, it has no impact on the quality of the products offered by the company.