How the KGB Discovered Computer Viruses
A 1989 internal memo warned the Soviet security apparatus about a new threat: malicious software that was spreading among users across the USSR and even within the KGB itself.
In this post I will review an archival KGB document on computer viruses available through the Lithuanian Genocide and Resistance Research Center. It’s 10 pages long, so I will not translate the whole thing but rather summarize its content, render selected fragments into English, provide some context based on other sources, and share my reflections.
The Memo
On July 28, 1989, the KGB issued a secret directive “On the procedure of acquisition, operation, and copying of foreign software.” Its key focus was security. The directive warned about the possibility of “various alien programming implants”—better known as computer viruses—being embedded into software, including with “subversive purposes.” Hence information systems within the KGB that were using foreign software on personal computers had to be properly protected.
The document was intended to raise awareness of this new threat across the whole agency. It was sent from the KGB headquarters in Moscow to chairmen of its branches in Union and autonomous republics, heads of regional offices, special sections responsible for military counterintelligence, intelligence schools, and directorates. Simply put, to all top KGB officials.
To protect information systems, the directive instructed the Soviet security apparatus to use authorized software (more on this below) and to follow security recommendations outlined in the annexed memo.
Attached was the 8-page advisory “On ‘computer viruses’ and means to counter them.” This memo not only recommended how to prevent an infection or respond to it but also provided an overview of what KGB specialists knew about computer viruses at that time.
Going Viral
The memo starts with an overview of computer viruses, their history, and the KGB’s efforts to tackle this threat.
The memo traces early reports about computer viruses on personal computers back to 1985. In recent years, descriptions of computer infections, some with serious consequences, were “all over the Western press.”
Computer viruses reportedly appeared in the Soviet Union starting from 1987 and affected computers in multiple government organizations including within the KGB:
In 1987-89 instances of “computer viruses” appearing on PCs in our country became more frequent, too. According to our information, “computer viruses” were discovered within facilities of the Ministry of Radio Technology, Ministry of Medium Machine-Building [in charge of nuclear industry and nuclear warhead production], Academy of Sciences, and other organizations (in total about 20 computing centers) as well as in the departments of the KGB of the USSR. Usually, “viruses” infect PCs due to the use of software that was purchased or copied without any control through personal informal contacts between users.
But the Soviet authorities were wary of computer security even before computer viruses. The memo mentions the 1982 incident at the Volga Automotive Plant in Tolyatti, which is widely regarded as the first ‘cyber crime’ in the Soviet Union. Murat Urtembayev, a disgruntled engineer and programmer at the plant, modified the program of the assembly line with the intent to cause a disruption that he would then be able to fix. Because of his mistake, the program malfunctioned much earlier than he expected, while he was away. It fell upon his colleagues to investigate what had happened and fix the program. The disruption caused significant financial damage to the plant. Urtembayev received a 3-year suspended sentence with an obligation to cover the losses by working at the same plant, albeit with a demotion.
In 1984, the State Military-Industrial Commission under the Council of Ministers tasked a group of agencies and ministries to put together a report on software backdoors. This report was approved by the KGB and submitted to the government.
This 1984 document is not available, so I could only speculate about it. The 1982 car plant incident was probably among the reasons for that report. But the bigger problem had to do with imports of foreign computers. Despite having a domestic industry and aspirations of self-sufficiency in computing technology, the Soviet Union relied heavily on cutting-edge equipment purchased or smuggled from abroad. On the flip side, dependence on Western technology came with new risks, as foreign devices could be sabotaged by adversaries through hardware or software backdoors.
The tension between the demand for computers and security concerns is perfectly illustrated by an episode described in another KGB document from the Lithuanian archive. In 1984, Lithuania was planning to import a Siemens 7536 computer for the republican State Planning Committee (Gosplan). The Lithuanian KGB learned from one of its agents that the vendor, Siemens, knew where the computer was going to be installed (apparently, it wasn’t supposed to). Moreover, under the contract, foreign specialists were to provide repair services. From the KGB’s perspective, this posed an espionage risk that had to be addressed.
In view of the above, to prevent possible interception of aggregated secret data on the economic potential of the republic with the help of intelligence tools implanted into the equipment, it was decided […] to use this computer only for processing of open information. In this regard, our task is to ensure constant public and agent control over the nature of materials processed on the machine and to consider these conditions when organizing counterintelligence surveillance of foreigners visiting Gosplan.
![We also pay attention to the prevention of possible technical penetration of the enemy into our secrets using imported equipment. Thus, we received a signal from the agent "Vilnius" […] that [Siemens] had known long in advance about the plans to install and use the imported Siemens 7536 computer at the [research institute of Lithuanian Gosplan]. The machine was assembled by foreign specialists. According to the contract, the firm will perform warranty repair service […] on their own. In view of the above, to prevent possible interception of aggregated secret data on the economic potential of the republic with the help of intelligence tools implanted into the equipment, it was decided […] to use this computer only for processing of open information. In this regard, our task is to ensure constant public and agent control over the nature of materials processed on the machine and to consider these conditions when organizing counterintelligence surveillance of foreigners visiting Gosplan.](https://substackcdn.com/image/fetch/$s_!DH0z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9957e2-6efe-4e0e-8b4f-af9aeffe46b4_975x744.jpeg)
Thus, when describing computer viruses in the 1989 memo, the authors drew a parallel to hardware backdoors: “Just like technical devices that can be secretly embedded into equipment and other structures, program implants with subversive purposes are called software backdoors.”
According to the memo, computer viruses could be created with different motivations, including causing economic damage, protecting intellectual property (an apparent reference to the Brain virus), extortion, or personal grievances, as in Urtembayev’s case.
The KGB also believed that U.S. intelligence was already working on weaponizing software: “There is evidence that special services of the adversary are secretly developing ‘computer viruses’ as an effective subversive means of damaging computing systems.”
First Viruses in the Land of the Soviets
The memo stated that, per foreign reports, there were about 40 known computer viruses. But as of mid-1989, the KGB reliably knew of only 3 types of viruses active in the Soviet Union:
Vienna, described as the 648-byte virus also known as DOS-62, TIMEBOMB, VHS-648;
Cascade, described as the 1,701-byte virus;
Jerusalem (probably), described as the 710-byte virus—while the description of the effect of this virus matches those of Jerusalem (a time bomb that corrupts files set on each Friday the 13th) the size doesn’t. The best-known variant of Jerusalem was 1,808 bytes long and the smallest known variant, Einstein, was 878 bytes long.
Of the three, the Vienna virus was the most notorious in the Soviet Union. It was first detected in August 1988 in the Academy of Sciences’ Institute of Program Systems after likely spreading there during a computer summer camp for children that the Institute co-hosted earlier with UNESCO. By the end of 1988 Vienna infected computers in at least 5 government-run institutions. Among them was the State Planning Committee, and that’s where one of its employees, Dmitry Lozinsky, built AIDStest, the first Soviet antivirus (the name was borrowed from a recently announced AIDS test).
Here’s how the KGB memo described Vienna:
One of the most common is a “computer virus” whose length is 648 bytes and which is known as DOS-62, TIMEBOMB, VHS-648. This “virus” infects programs with the .COM extension (command files). The aggressive effects of this “virus” occur under a certain combination of the least significant bits of the PC timer when the “virus” is copied to another program. These effects involve the modification of the program in such a way that its launch would reset the PC’s operating system.
The memo noted that although the three viruses were developed abroad there was a possibility that Soviet programmers could create malicious programs designed for domestically produced computers (this prediction came true very soon).
The Operational Technical Directorate of the KGB had programs for detecting and deleting the former two viruses, Vienna and Cascade.
How up to date was the information in the document? While the KGB was aware of the most common viruses, other sources suggest that by the time the memo was distributed more varieties had already spread to the Soviet Union.
According to Nikolay Bezrukov, a pioneer of Soviet computer virology from Kiev, by summer 1989 there were 3 more viruses discovered in the Soviet Union in addition to those described in the KGB memo, as documented in his 1990 book “Computer Virology.” These included:
Vacsina or TP-4 (discovered in spring 1989);
Marijuana or Stoned (discovered in summer 1989);
Ping-Pong, Italian, or Bouncing Ball (discovered in spring 1989).
These viruses were discovered by various programmers and shared within the emerging antivirus community largely centered around research institutions.
Another piece of evidence is Dmitry Lozinsky’s antivirus. The 1st version of AIDStest was released on November 17, 1988, and only detected and cured one virus, Vienna. Lozinsky would release a new version every time a new virus was discovered. The 2nd version followed within a month. I wasn’t able to find the release dates of the next three versions, but the 6th one (adding the Dark Avenger virus) came out in September 1989. It’s safe to assume that in the summer AIDStest was capable of detecting and deleting four or five viruses: those described in the KGB memo plus a modified Vienna (534 bytes) and Yankee Doodle or Five o’clock (2885 bytes). It’s worth noting that the 6th version did not detect Vacsina, Marijuana, and Ping-Pong although they were already discovered elsewhere. Information about new viruses was not shared immediately.
In short, by summer 1989 there were at least 7 or 8 computer viruses discovered collectively in the Soviet Union. The KGB knew about the most common of those, but its antivirus capabilities lagged behind those of AIDStest, which is a bit counterintuitive given the KGB’s vast access to all kinds of Soviet institutions.
KGB Computer Security Policies
Viruses were spreading across the Soviet Union from user to user. Even the powerful KGB was no exception. One article published in July 1989—almost simultaneously with the distribution of the secret KGB directive—characterized the situation as follows:
The problem is that programmers in the USSR indulge in an absolutely promiscuous “computer life” and always engage in “casual relationships” with each other. The official software market is virtually non-existent in our country, hence for most specialists such relationships are almost the only way to acquire the programs they need. Since computer life in the West is more strict, we can assume that a computer plague in the USSR would be especially massive and severe.
(Pavlov, A. Computer Plague in the USSR, Chemistry and Life [Khimiya i Zhizn], 1989, issue 7, pp. 20-21.)
The authors of the memo were preoccupied with preventing infections within the KGB and made several recommendations to tackle this problem.
According to the memo, computer viruses could infect software through three channels:
violation by users, programmer-developers, or support staff of the rules for installing and using software on PCs in automated systems that are operational or under development;
installation on computers of KGB departments of software produced abroad or domestically outside the departments of the KGB headquarters;
connection of computers of KGB departments to publicly available networks, or the use of the KGB’s own networks in ways that allow third-party access to input devices or the connection of external computers.
To prevent infections via the first channel, i.e. through software built by the KGB, the memo recommended:
screening staff who had access to software and data and maintaining control over their activities;
drawing a clear line between software that was already approved for operation (or literally “combat use”) and software still under development;
strictly controlling access to storage devices with operational software to prevent unauthorized access;
keeping track of changes to operational software throughout its development and modification to exclude unauthorized corrections;
detecting and investigating all unusual situations that raise suspicion of the presence of a computer virus.
To prevent infections via external software, the memo recommended:
testing new programs on specially designated computers (essentially in a sandbox);
primarily using software distributed through the KGB’s Bank of Algorithms and Programs for PCs that included programs built by the KGB or officially purchased from vendors;
inspecting software purchased otherwise (i.e. non-officially) for known viruses using methods suggested by the Operational Technical Directorate; the first list of methods was distributed a month earlier, on June 29, 1989.
The chances of viruses spreading into the agency through networks were deemed very limited, as the KGB made little use of networks and, when it did, used them only locally, without connections to external organizations. Thus, the memo gave no recommendations for this channel.
The memo then briefly described how to respond to suspected computer virus infection:
Upon suspicion of a “computer virus” infiltrating the software of a PC, immediate measures must be taken to prevent its possible spread and manifestation of its aggressive properties. To this end, work on the PC in whose software the “virus” is suspected to be present should be temporarily suspended. In addition, work should be suspended on all computers with which information could potentially be exchanged (for instance, via magnetic storage media or network means). Next, the programs affected by the “virus” should be identified. To do this, it is necessary to load a reference copy of the operating system from a write-protected diskette and test the software using available programs for detecting and removing known types of “viruses.” These actions should be performed on each of the shut-down computers. Infected programs can also be identified by comparing them with reference copies. The testing should also cover the programs of the operating system that was running at the time of the suspected infiltration of the “virus.” Programs in which “viruses” or differences from reference copies are detected during testing must be restored by copying the references. It is not recommended to use copies of programs in which the “virus” was detected and removed.
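The memo’s “compare with reference copies” step, written out as a baseline integrity check. This is an added example, not code from the memo or from this post: the file names, file contents and temporary directories are constructed, while the byte lengths it looks for are the three the memo reports (648, 1,701 and 710).

```python
import hashlib
import os
import tempfile

# Virus lengths the memo reports for the three types known in the USSR in 1989
# (the 710-byte entry is the one the post identifies as "probably Jerusalem").
KNOWN_VIRUS_LENGTHS = {648: "Vienna (DOS-62/TIMEBOMB/VHS-648)", 1701: "Cascade",
                       710: "memo's third virus (probably Jerusalem)"}
PROGRAM_EXTS = (".com", ".exe")


def build_baseline(tree):
    """Map relative path -> (sha256, size) for every file under `tree`.
    Run this over the reference copies kept on write-protected media."""
    baseline = {}
    for root, _dirs, files in os.walk(tree):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[os.path.relpath(path, tree)] = (hashlib.sha256(data).hexdigest(), len(data))
    return baseline


def scan(working_tree, baseline):
    """Compare `working_tree` against the baseline. Returns [(rel_path, verdict)]
    for every file that differs; a program whose size grew by exactly one of the
    known virus lengths has that length called out in its verdict."""
    findings = []
    current = build_baseline(working_tree)
    for rel, (digest, size) in sorted(current.items()):
        if rel not in baseline:  # the memo permits only software from controlled sources
            findings.append((rel, "not in reference set"))
        elif digest != baseline[rel][0]:
            growth = size - baseline[rel][1]
            verdict = "differs from reference copy"
            if rel.lower().endswith(PROGRAM_EXTS) and growth in KNOWN_VIRUS_LENGTHS:
                verdict += f", grew by {growth} bytes ({KNOWN_VIRUS_LENGTHS[growth]})"
            findings.append((rel, verdict))
    for rel in sorted(set(baseline) - set(current)):
        findings.append((rel, "missing from working tree"))
    return findings


def demo():
    """Constructed sample: a reference tree and a working copy in which one
    .COM file has grown by 648 bytes and one text file was edited."""
    files = {"EDIT.COM": b"\xb8\x00\x4c\xcd\x21" * 40, "README.TXT": b"hello\r\n"}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as work:
        for tree in (ref, work):
            for name, data in files.items():
                with open(os.path.join(tree, name), "wb") as fh:
                    fh.write(data)
        baseline = build_baseline(ref)
        with open(os.path.join(work, "EDIT.COM"), "ab") as fh:
            fh.write(b"\x90" * 648)  # the program gains exactly 648 bytes
        with open(os.path.join(work, "README.TXT"), "wb") as fh:
            fh.write(b"edited\r\n")
        return scan(work, baseline)
```

In practice the baseline would be built once from the write-protected reference diskette and stored alongside it, and `scan` run from a clean boot on each suspended machine.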
Finally, the memo stressed the importance of information sharing for the fight against computer viruses. The KGB charged NIIAI, a research institute under the Operational Technical Directorate, with collecting information about viruses and instructed other departments to promptly report to it all infection cases.
Discussion
The 1989 memo provides the earliest known account of what the KGB knew about computer viruses. The agency took this new threat seriously, not least because computer virus infections were detected even within its own system. To address this threat, the KGB put in place computer security policies designed to reduce the likelihood of new incidents. While the authors of the memo correctly identified uncontrolled software sharing as the main reason for the proliferation of malicious programs, they were also concerned about the possibility of viruses being weaponized by the Soviet Union’s adversaries. This concern was informed by the KGB’s past experience of ensuring the security of imported computers.
The spread of computer viruses in the Soviet Union in the late 1980s posed a challenge to the KGB and to some degree exposed the limits of its control. Often viewed as omnipresent, the KGB in fact had no means to prevent software sharing among users, including across borders, which became more open during Perestroika.
As illustrated by the recommendations in the memo, the KGB sought to address this problem in a top-down manner, at least within the agency. But this approach was inadequate for the country as a whole. The first outbreaks of computer viruses such as Vienna required a quick reaction. Often, it was talented programmers working at research institutions or civilian government agencies who stood up to the challenge. When it came to discovering new viruses and sharing information about them, this emerging antivirus community collectively performed on par with or even better than the KGB. The networked approach was a better fit for a problem that affected multiple organizations without centralized control over their information systems. Over time, this community became a fertile ground for Russia’s cybersecurity industry.