On the public side, Positive is like a lot of cybersecurity companies: staff look at high-tech security, post research on new threats, and even have cute signs that say “Stay Positive!” hanging over their desks. The company is open about some of its ties to the Russian government: it has 18 years of defensive cybersecurity expertise, including a two-decade relationship with the Russian Defense Ministry. But according to previously unreported U.S. intelligence assessments, it also develops and sells weaponized software exploits to the Russian government.
One area that has stood out is the company’s work on SS7, a technology essential for global telephone networks. During a public demonstration for Forbes, Positive showed how it can bypass encryption by exploiting weaknesses in SS7. Privately, the United States concluded that Positive not only discovered and made public the flaws in the system, but also developed offensive hacking capabilities to exploit the security flaws, which were then used by Russian intelligence services in cyber campaigns.
Much of what Positive does for Russian government hacking operations is similar to what US security contractors do for US agencies. But there are major differences. A former US intelligence official, who requested anonymity because they are not authorized to discuss classified documents, described the relationship between companies like Positive and their Russian intelligence counterparts as “complex” and even “abusive.” The pay is relatively low, the demands are one-sided, the power dynamics are biased, and the implicit threat of non-cooperation can be significant.
Close working relationships
U.S. intelligence agencies have long concluded that Positive also conducts hacking operations itself, with a large team authorized to conduct its own cyber campaigns as long as they are in Russia’s national interest. Such practices are illegal in the Western world: US private military contractors are under the direct and day-to-day management of the agency they work for on cyber contracts.
Former US officials say there is a close working relationship with the Russian intelligence agency FSB, which includes exploit discovery, malware development and even reverse engineering of cyber capabilities used by Western countries like the United States against Russia itself.
The company’s flagship annual event, Positive Hack Days, has been described in recent US sanctions as “recruiting events for the FSB and GRU”. The event has long been famous for being frequented by Russian agents.
Positive did not respond to a request for comment.
Tit for tat
Thursday’s announcement is not the first time that Russian security firms have come under scrutiny.
Russia’s largest cybersecurity firm, Kaspersky, has come under fire for years for its dealings with the Russian government, and was ultimately banned from U.S. government networks. Kaspersky has always denied a special relationship with the Russian government.
But one factor that sets Kaspersky apart from Positive, at least in the eyes of US intelligence officials, is that Kaspersky sells antivirus software to Western companies and governments. There are few better intelligence gathering tools than antivirus software, which is purposefully designed to see everything that is happening on a computer and can even take control of the machines it occupies. American officials believe Russian hackers have used Kaspersky software to spy on Americans, but Positive – a small company selling different products and services – has no equivalent.
The recent sanctions are the latest step in a tit-for-tat cycle between Moscow and Washington over the escalation of cyber operations, including the Russian-sponsored SolarWinds attack against the United States, which led to hacks against nine federal agencies over an extended period of time. Earlier this year, the acting head of the U.S. cybersecurity agency said recovery from this attack could take at least 18 months in the United States.