Russian espionage-linked Kaspersky software discovered in government agencies, critical infrastructure despite ban

Critical infrastructure and government agencies were exposed to a product previously linked with state-based espionage despite a 2017 directive that instructed agencies not to use Kaspersky’s products.

Russia took out ViaSat satellite communications in Ukraine before its invasion in 2022, cutting internet for thousands and affecting 5800 wind turbines in Germany. Picture: iStock

Critical infrastructure and government agencies were exposed to a Russian cybersecurity product previously linked with state-based espionage, despite a 2017 government directive that instructed public servants not to use that company’s products.

The revelation has been seized on by both the Coalition and the Greens, which have respectively slammed the “critical failure” and “serious security failure”.

The Department of Home Affairs in May 2024 found “critical infrastructure and state agencies” had been exposed to products from Russian cybersecurity firm Kaspersky.

A broader survey the following June found another instance of its use in a “non-corporate commonwealth entity”, the department revealed.

Russian cybersecurity firm Kaspersky – operated by a holding company in the UK – was previously alleged to have been implicated in a hack co-ordinated with the Russian state intelligence agency, a claim the company has denied.

The US government in 2017 banned Kaspersky from federal agencies out of espionage fears and the Australian Department of Prime Minister and Cabinet followed in December that year with a memo that “effectively said for non-corporate commonwealth entities not to use Kaspersky products”, Home Affairs cyber and infrastructure security group deputy secretary Hamish Hansford told Senate estimates in March this year.

But in response to questions on notice, the department revealed that in May 2024, it was “made aware of critical infrastructure and state agencies using Kaspersky products through a third party vendor”.

“The department conducted a survey of the use of Kaspersky Lab, Inc. products in non-corporate commonwealth entities in June 2024,” it said.

“One non-corporate commonwealth entity identified use of Kaspersky Lab, Inc. products and services via this survey, which was subsequently removed.”

The Home Affairs Department issued a more formal ban on Kaspersky products in February this year under the protective security policy framework. The US government in 2024 banned the company entirely from the country and applied sanctions on the company’s leaders.

Opposition home affairs spokesman Andrew Hastie said the admission revealed a “critical failure”.

“It is deeply concerning that, seven years after the former Coalition government’s original directive, the commonwealth government continued using Kaspersky despite well-documented security risks including foreign interference, espionage and sabotage,” he said.

“This situation highlights a critical failure in cybersecurity protocols and government transparency.

“This incident serves as a stark reminder of the ongoing threat of foreign interference through technologies and services used across Australia, and the government must implement robust processes to prevent these kinds of security lapses in future and set an example for critical infrastructure providers and other sectors across the Australian economy who should do the same.”

Greens home affairs spokesman David Shoebridge said this was a “serious security failure” and raised questions about whether the government took cybersecurity seriously.

“The government has banned these platforms because of security risks linked to the foreign governments, but then doesn’t seem to take serious enforcement actions or risk assessments to make the bans effective,” he told The Australian.

“We need immediate answers about which agencies were compromised, what data was at risk, and why the government’s own cybersecurity directions were ignored.

“The partial answers and obfuscation from the agency, including the refusal to produce the 2017 letter from PMO, only raises more questions about the inadequacy of the government’s response.

“This isn’t just about one software company, it’s about whether this government takes cybersecurity seriously. Again, the evidence suggests they don’t.

“The government didn’t even conduct a proper audit once they realised this security risk was present, instead, they sent out a survey and hoped agencies would self-report their Kaspersky usage.

“You don’t protect critical infrastructure with surveys and wishful thinking, you need mandatory audits, clear consequences, and actual oversight.”

When contacted for comment, Home Affairs Minister Tony Burke defended the government’s record on the issue and blamed it on the previous Coalition government’s “non-binding letter”.

“It’s this government that put a legal ban on Kaspersky Lab, Inc,” Mr Burke said.

“The former government never banned Kaspersky.

“They sent a non-binding letter that clearly didn’t work. We used the law and banned the application.

“This government’s actions have made Australians safer.”

Australian Strategic Policy Institute cyber, technology and security director James Corera said the risk was that Kaspersky software “could enable or facilitate malign states or non-state actors to disrupt that critical infrastructure”.

“We only need to look at Europe right now and the extent of Russian aggression, not just targeting Ukraine, but through the use of hybrid threats, including but not limited to sabotage, and how that’s playing out across continental Europe,” he said.

“That is what should concern us.

“And that is why the directive and ensuring the whole economy sees the risk of Kaspersky is really important, because it is about hardening our infrastructure and our systems so that it is resilient, so that it is protected against these risks, better positioned to be able to deal with disruption and sabotage.”

RMIT Centre for Cyber Security Research and Innovation director Matt Warren said this represented a “massive issue” for Australia.

“It is very complex trying to understand where technology is or isn’t being used,” he said.

“And the problem is, you know, we’re talking about government.

“But then when you start to think of critical infrastructure that underpins the Australian economy, again, you’ve also got the same concerns.”

Cybersecurity firm CyberCX executive director Katherine Mansted urged an Australian cybersecurity approach that had safety “baked into the technology stack from the beginning” instead of the current “whack-a-mole” approach.

“By the time government identifies something like a Kaspersky and says, no, don’t do it, organisations may well already have it in their network, and then you’re in a position of having to walk that back, and you’re being reactive, not proactive,” she said.

“So, I do think we need a mindset change that when we’re talking about security, we’re not just saying prevent hacks, we’re saying preventing accesses that access could be baked into your technology stack from the beginning, which is a bit of a mindset change from just, stop hacks.”

Noah Yim

Noah Yim is a reporter at The Australian's Canberra press gallery bureau. He previously worked out of the newspaper's Sydney newsroom. He joined The Australian following News Corp's 2022 cadetship program.

Original URL: https://www.theaustralian.com.au/nation/defence/russian-espionagelinked-kaspersky-software-discovered-in-government-agencies-critical-infrastructure-despite-ban/news-story/a4a5348227c6470b6dcfd8c188a2bedb