{"id":44358,"date":"2022-05-18T05:35:53","date_gmt":"2022-05-18T09:35:53","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=44358"},"modified":"2022-05-18T05:35:53","modified_gmt":"2022-05-18T09:35:53","slug":"interview-ivan-kwiatkowski","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/interview-ivan-kwiatkowski\/44358\/","title":{"rendered":"Ivan Kwiatkowski: &#8220;Cybersecurity is a domain I fell into by accident&#8221;"},"content":{"rendered":"<p>Ivan lives in Clermont-Ferrand, in the very center of France. He writes fantasy novels, skydives on occasion, and wants his life to be memorable every day. He\u2019s also a member of the Global Research and Analysis Team (<a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2020_kasperskys-great-team-wins-industry-team\" target=\"_blank\" rel=\"noopener nofollow\">GReAT<\/a>), Kaspersky\u2019s group of top experts who uncovered Carbanak, Cozy Bear, Equation and many other threat actors and their sophisticated malware across the world.<\/p>\n<p><strong>\u2013 Ivan, looking at your name I couldn\u2019t help but start with this question: do you have some Slavic roots?<\/strong><\/p>\n<p>\u2013 More or less. My name\u2019s inherited from my grandfather on my dad\u2019s side. The patronym \u201cKwiatkowski\u201d comes from Poland, but, funnily enough, it wasn\u2019t even his: he was an adopted child and his \u201creal\u201d name is unknown, as is his origin. So while there are indeed Slavic roots somewhere, their precise nature is lost forever.<\/p>\n<p><strong>\u2013 You explore malware and hacker groups. How could you get into such a profession? I doubt it was listed in university courses.<\/strong><\/p>\n<p>\u2013 Back in the day, there weren\u2019t any cybersecurity curriculums, let alone classes about malware analysis and the like. 
Cybersecurity is a domain I fell into by accident.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060121\/interview-ivan-kwiatkowski-photo-1.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060121\/interview-ivan-kwiatkowski-photo-1.jpg\" alt=\"Interview with Ivan Kwiatkowski\" width=\"1460\" height=\"960\" class=\"aligncenter size-full wp-image-44362\"><\/a><\/p>\n<p>Around 2008, while studying for my degree in computer science, I thought I\u2019d work in the field of artificial intelligence. I was about to leave for Vancouver for an internship, and had to terminate my internet subscription because I didn\u2019t want to keep paying while I was abroad. I got in touch with my ISP and explained the situation. They told me to send them a letter (this was around a month before my departure), and they\u2019d take care of everything.<\/p>\n<p>So I did, and only a few days later \u2014 I had no more internet access. Never in the history of ISPs had a customer request been handled so efficiently! But for a computer science student, spending a month without internet was unimaginable. Yet my ISP couldn\u2019t restore access \u2014 or, more likely, they didn\u2019t want to. So I started looking into Wi-Fi security to\u2026 temporarily hijack a neighbor\u2019s internet access until my departure, naturally.<\/p>\n<p>Back then, the encryption protocol everyone used \u2014 WEP \u2014 was very insecure. But having had my first taste of computer security (rather \u2014 the lack thereof), I immediately knew that I\u2019d keep researching this field for years to come. And it felt more reasonable to make a career out of it rather than to be arrested for unsolicited research in the future.<\/p>\n<p>I gave up on artificial intelligence almost immediately, and started learning cybersecurity on my own, in addition to my studies. 
And after I\u2019d received my degree, I was able to apply for a job in the field \u2014 and have remained in it ever since!<\/p>\n<p><strong>\u2013 It\u2019s funny you should say that, since the next question I had in my list was: is it possible to be a security researcher for someone who\u2019s not a hacker in their soul?<\/strong><\/p>\n<p>\u2013 I\u2019d say it\u2019s a job that requires a lot of passion and dedication, which usually attracts very persistent people. A trait that\u2019s very much part of the hacker spirit.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060129\/interview-ivan-kwiatkowski-photo-2.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060129\/interview-ivan-kwiatkowski-photo-2.jpg\" alt=\"Interview with Ivan Kwiatkowski\" width=\"1460\" height=\"960\" class=\"aligncenter size-full wp-image-44363\"><\/a><\/p>\n<p><strong>\u2013 How did you land in Kaspersky?<\/strong><\/p>\n<p>\u2013 I\u2019d been working for small-size companies providing infosec-related services in Paris. It was interesting, but I felt like I had reached a point where I wanted my work to make a difference, and moving into threat intelligence felt like the right way to achieve this.<\/p>\n<p>I chose Kaspersky in 2018, right after the very intense negative media campaign that the company had been enduring. My intuition told me that a cyber-defense team that had managed to make so many folks mad had to be doing something right. And being a part of this team now, I can confirm that I was right!<\/p>\n<p><strong>\u2013 FireEye folks once <a href=\"https:\/\/www.cyberscoop.com\/kevin-mandia-fireeye-u-s-malware-nice\/\" target=\"_blank\" rel=\"nofollow noopener\">said<\/a> that they use discretion when it comes to public disclosure of malware: they don\u2019t rush to publicly report a malware if it\u2019s made by a U.S. government agency. 
For an American company, it\u2019s an understandable position. But what about GReAT? Your team is international, with some researchers from Russia, some from the West, some from Asian countries\u2026 from all over. How do you solve such questions, if you ever have them?<\/strong><\/p>\n<p>\u2013 I have no particular qualms about doing research on malware of possibly Russian, or American, or French origin. But even if I had, there are many others in the GReAT international team who would happily work on these threat actors. In that sense, there aren\u2019t any limits on which attackers we can track.<\/p>\n<p>To go a bit deeper, I think there should be a clear separation between offense and defense. Sometimes nation states have legitimate reasons to conduct cyberattacks (for example, in fighting terrorism), and sometimes not (intellectual property theft). None of us at GReAT is qualified to be the arbiter of what operations are legitimate. Being in this position would put us in a world of hurt and dilemmas.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060137\/interview-ivan-kwiatkowski-photo-3.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060137\/interview-ivan-kwiatkowski-photo-3.jpg\" alt=\"Interview with Ivan Kwiatkowski\" width=\"1460\" height=\"960\" class=\"aligncenter size-full wp-image-44364\"><\/a><\/p>\n<p>I think that the right way to see this issue is to quote the 18th-century philosopher, Montesquieu: \u201cpower stops power\u201d. States exert their power, and we as a cyberdefense company have the power to make their lives harder. Since we exist they have to think twice before launching offensive operations. Because we impose costs, their power is kept in check and cannot be misused \u2014 or at least not as much. 
This is a good enough reason for me to justify doing research on all cyber activities \u2014 no matter their origin.<\/p>\n<p>I think Kaspersky\u2019s existence in the threat intelligence market is crucial, and under no circumstances should the one and only non-aligned vendor be allowed to bite the dust. I hope that we\u2019ll all get through this and keep working on all APTs \u2014 no matter where the attacks come from. We\u2019re equal-opportunity researchers!<\/p>\n<p><strong>\u2013 The GReAT team held a webinar in March, with analysis of <a href=\"https:\/\/securelist.com\/webinar-on-cyberattacks-in-ukraine-summary-and-qa\/106075\/\" target=\"_blank\" rel=\"nofollow noopener\">cyberattacks on Ukraine<\/a>: HermeticWiper, WhisperGate, Pandora\u2026 But at the same time, there was a wave of attacks targeting Russian organizations: wipers, DDoS, spear phishing. Yet we don\u2019t see any special publications from GReAT about those attacks. Why?<\/strong><\/p>\n<p>\u2013 It\u2019s mostly a question of volume. The cyberattacks against Ukraine have been massive in scale, and very visible due to the fact that they aimed for disruptive effects: data destruction, ransomware, etc. Many of our competitors also have good visibility in Ukraine; sometimes they even collaborate, which allows getting very precise data about what\u2019s going on in the country. This leads to significant media coverage.<\/p>\n<p>Some attacks are indeed targeting Russia, but they get less attention. We have covered some of them in our private reporting. And we are tracking a number of actors (chiefly Chinese-speaking) active in the region at the moment. 
But I\u2019m not aware of any serious destructive activities.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060144\/interview-ivan-kwiatkowski-photo-4.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/05\/17060144\/interview-ivan-kwiatkowski-photo-4.jpg\" alt=\"Interview with Ivan Kwiatkowski\" width=\"1460\" height=\"960\" class=\"aligncenter size-full wp-image-44365\"><\/a><\/p>\n<p><strong>\u2013 We\u2019ve heard about Anonymous claiming to have defaced Russian websites, and some sites were indeed defaced. Do you believe these \u201cAnonymous\u201d actions relate to the 15-year-old movement?<\/strong><\/p>\n<p>\u2013 Oh, I think Anonymous ceased being a grassroots movement many years ago. While there may still be some genuine hacktivism using that brand, it\u2019s unquestionable that APTs have also used this persona to undertake their own information-warfare operations on occasion.<\/p>\n<p>As a rule, I believe researchers should never take self-attribution into account, and focus purely on technical elements when trying to figure out which group could be responsible for an attack.<\/p>\n<p><strong>\u2013 Some European governments tell their citizens to get rid of Kaspersky products. But it looks like France is trying to be as neutral as possible. Is this because of the election? Or do people in France really have some different attitudes about the Ukraine conflict?<\/strong><\/p>\n<p>\u2013 I think it\u2019s less about the French people than about the country\u2019s institutions. ANSSI, the regulatory body for cybersecurity, has always strived to keep a neutral position in most matters. Beyond this, I think France shares the same perception as the rest of Europe when it comes to the Ukrainian conflict. 
Believe me, election season means no politician wants to be perceived as being sympathetic toward Vladimir Putin.<\/p>\n<p><strong>\u2013 What about GReAT\u2019s communication with the rest of the infosec world? Some organizations are cutting ties with Kaspersky. How will it affect your work?<\/strong><\/p>\n<p>\u2013 The main issue for us relates to US companies that used to provide some services to us. They\u2019re considering cutting ties with us or have already limited our access to their tools. This affects our ability to conduct our daily research.<\/p>\n<p>As for exchanges with industry peers, yes, some of them will no longer talk to us. Although for the most part the personal relationships we have with other researchers are unaffected.<\/p>\n<p>Overall, it\u2019s clear that less information exchange reduces the whole industry\u2019s ability to fulfil its mission.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/-OzytkACEXY?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p><strong>\u2013 How do GReAT experts communicate with each other? Do you have regular meetings in real life? Visiting Moscow for a beer with teammates?<\/strong><\/p>\n<p>\u2013 Honestly, things have been rough for a while. We\u2019re a fully remote team, and the various regions will have their own weekly meetings to coordinate work. When I first joined the company there was at least one big meet-up per year, as well as the Security Analyst Summit, which used to be in-person. But due to covid neither has taken place in a while.<\/p>\n<p>I also used to go to Moscow on a regular basis to spend some time with the Russian members of the team, but it\u2019s unclear whether this is still an option. 
I do hope we\u2019ll find a way to see each other, because those were always amazing trips.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>Meet Ivan Kwiatkowski, Senior Security Researcher with Kaspersky&#8217;s Global Research and Analysis Team.<\/p>\n","protected":false},"author":2497,"featured_media":44361,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2684],"tags":[605,1156,28],"class_list":{"0":"post-44358","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-special-projects","8":"tag-great","9":"tag-interview","10":"tag-kaspersky"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/interview-ivan-kwiatkowski\/44358\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/interview-ivan-kwiatkowski\/24183\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/interview-ivan-kwiatkowski\/19665\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/interview-ivan-kwiatkowski\/9963\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/interview-ivan-kwiatkowski\/26504\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/interview-ivan-kwiatkowski\/24459\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/interview-ivan-kwiatkowski\/24817\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/interview-ivan-kwiatkowski\/27182\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/interview-ivan-kwiatkowski\/26712\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/interview-ivan-kwiatkowski\/33193\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/interview-ivan-kwiatkowski\/10697\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/interview-ivan-kwiatkowski\/18915\/"},{"hr
eflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/interview-ivan-kwiatkowski\/28574\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/interview-ivan-kwiatkowski\/25044\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/interview-ivan-kwiatkowski\/30547\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/interview-ivan-kwiatkowski\/30296\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/interview\/","name":"interview"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/44358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2497"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=44358"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/44358\/revisions"}],"predecessor-version":[{"id":44360,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/44358\/revisions\/44360"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/44361"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=44358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=44358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=44358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}