In Ex-Soviet States, Russian Spy Tech Still Watches You
By Andrei Soldatov and Irina Borogan
On November 12, the Russian Supreme Court okayed the wiretapping of an opposition activist. The Court ruled that spying on Maxim Petlin, a regional opposition leader in Yekaterinburg, was lawful, since he had taken part in rallies where calls against extending the powers of Russia’s security services were heard. The court decided that these were demands for “extremist actions” and approved surveillance carried out by the national interception system, known as SORM.
Manned by the country’s main security service, the FSB, this ”System of Operative Search Measures” has been in use for more than two decades. But recently, SORM has been upgraded. It is ingesting new types of data. It is being used as Moscow’s main tool for spying on the country’s political protesters. And it has become extremely useful in the quest to make sure that the Kremlin’s influence in the former Soviet Union continues long into the second regime of Vladimir Putin.
Meet the New Boss
When the Soviet Union collapsed, many of the KGB’s regional branches became the security services of the newly independent states. But they didn’t stray far from the Kremlin’s lead. They modeled their governing laws after Moscow’s, and used similar technology, too. Namely, SORM — Russia’s nationwide system of automated and remote legal interception on all kinds of communications.
SORM’s tactical and technical foundations were developed by a KGB research institute in the mid-1980s. Initially SORM was installed on analogue telephone lines. As new technologies developed, SORM did, as well.
Today SORM-1 intercepts telephone traffic, including mobile networks, while SORM-2 is responsible for intercepting internet traffic, including VoIP. SORM-3 gathers information from all communication media, and offers long-term storage (three years), providing access to all data on subscribers. In addition, SORM enables the use of mobile control points, a laptop that can be plugged directly into communication hubs and immediately intercept and record the operator’s traffic.
SORM also proved essential to spy on social networks based in Russia. “We can use SORM to take stuff off their servers behind their backs,” an FSB official told us. According to figures published by Russia’s Supreme Court, over the last five years the number of legal telephone intercepts alone has almost doubled, from 265,937 intercepts and recordings of phone calls and e-mails to 466,152 in 2011.
Suppliers of SORM equipment openly publicize their wares. In their press releases, the gear is often called by the Western term LI, short for lawful interception (.pdf). While it’s true that both systems do interception on telecommunications, there is a crucial difference between the Russian and Western approaches.
In the U.S. and Western Europe, a law enforcement agency seeks a warrant from a court and then issues an order for LI to a network operator or internet service provider, which is obliged to intercept and then to deliver the requested information.
In Russia, an FSB operative is also required to get an eavesdropping warrant, but he is not obliged to show it to anyone. Telecom providers have no right to demand that the FSB show them the warrant. The providers are required to pay for the SORM equipment and its installation, but they are denied access to the surveillance boxes.
Thus, the FSB does not need to contact the ISP’s staff; instead the security service calls on the special controller at the FSB HQ that is connected by a protected cable directly to the SORM device installed on the ISP network. This system is copied all over the country: In every Russian town there are protected underground cables, which connect the HQ of the local FSB department with all ISPs and telecom providers in the region.
The difference is that according to the European Telecommunications Standards Institute, the operator gets an order to start the interception, and the provider/operator immediately knows who is being intercepted. “On the Russian requirements, a provider/operator provides a pass for SORM, and he does not know who is intercepted,” e-mails Boris Goldstein, a professor at the St. Peterburg Telecommunications Institute and a leading Russian authority on technical issues of SORM.
In short, the Russian approach is far more flexible and intrusive than the Western one: if the FSB needs to add new phone numbers or e-mail addresses to the intercept list, it does not need to repeat the whole procedure, as in the West. The FSB just updates the requirements list in the SORM control device, known as a Punkt Upravlenia, or PU.
But it also means that the Russian suppliers of surveillance technologies have natural advantages over their Western counterparts, which need to adapt their products to the Russian telecoms market and markets of those countries in which intercept law is similar. The same is true for the former Soviet Union.
Victor Shlyapobersky, a chief of the SORM testing laboratory at the St. Petersburg branch of the Central Research Institute of Communications, confirmed that although there are technical differences between SORM in Russia and in the countries of the former Soviet Union, the principle is the same. “We use different protocols. For example, the Ukrainian SORM is tougher – they have the right to interrupt the conversation and we have no such powers. But Ukraine, Kazakhstan, Belarus and Uzbekistan, they all use a system which is much closer to SORM than to the European or American systems.”
Divide and Conquer
When the countries of the former Soviet Union found themselves facing a new, tech-enabled opposition in late 2011 and early 2012, they turned to a very traditional means of surveillance: SORM.
Russia was quick to understand the growing importance of SORM. While protesters flooded out onto Moscow’s streets, the Russian authorities tightened control over ISPs’ SORM facilities. We found Roskomnadzor’s (the Agency for the Supervision of Information Technology, Communications and Mass Media ) statistics covering warnings issued to ISPs and telecoms providers for SORM facilities shortcomings.
In 2010, there were 16 such warnings, and another 13 in 2011, The next year, that number jumped to 30 warnings. In most cases this means that the local FSB or prosecutor’s office checked the ISP’s SORM equipment, and if shortcomings were identified, sent the information to Roskomnadzor, which warned the ISP.
That SORM might be used against opposition leaders became clear already in December 2011, during the first post-election anti-Putin protest rallies. On December 19, 2011, records of nine taped phone calls between Boris Nemtsov, former deputy prime minister and opposition leader, and other activists were posted on the Kremlin-friendly website lifenews.ru. The lifenews.ru has put the records on its website five days before one of the biggest protest rallies, “For Fair Elections,” on December 24, at Sakharov avenue in Moscow. Since then the leaks of video-footage and audio records of opposition activists appeared almost regularly on the Internet and in pro government media.
Boris Nemtsov was convinced that the FSB was behind the tapping.
“They’ve been tapping my phone all my life,” said the politician. “On the instructions of Putin, the KGB people and [Vladislav] Surkov (then the First Deputy Chief of the Kremlin Administration), they’ve been eavesdropping on my conversations and leaking everything on the Internet. Their goal was simple: they wanted to divide us in the run-up to the rally but the opposition didn’t fall for it.”
Follow the Leader
Russia was not the only country of the former Soviet Union that has put more thought into SORM regulations in the two years since the Arab spring. Countries like Belarus, Ukraine and Kyrgyztan have all updated their national interception systems, modeled after the Russian SORM, and Russian suppliers were ready at hand.
In March 2010, Belarusian president Alexander Lukashenko signed an order introducing SORM to the country. In April 2012, the national telecom operator Beltelecom reported that it had installed SORM on its byfly data network. There is no official information about the supplier, but according to our information, Beltelecom used the equipment of the Russian company Digiton in many of its SORM projects.
In late 2010, Ukraine updated its national requirements for SORM equipment – and in April 2011 the Russian company Iskratel was happy to announce that its SORM device was tested successfully under the new requirements and had been approved by the SBU (Ukraine’s Security Service).
And in August 2012 the Kyrgyz’s State Committee of National Security put on its website the draft of a national regulation that is almost identical to the Russian interception system. The interests of Russian suppliers were guaranteed when the Kyrgyz parliament’s Defense and Security Committee stated in an economic analysis of the proposed SORM legislation that the Russian-made connection device linking SORM equipment and the PU would be three times cheaper than that of the Israeli firm Verint.
Moscow hardly misses these opportunities to extend its intelligence positions on the soil of the former Soviet Union. Nevertheless, that option is clearly considered as a minor evil by the governments of these countries.
The Kyrgyz “telephone gate” scandal greatly embarrassed the provisional government as it exposed how the positions and money were distributed. Making matters worse, the Russian producers tapping gear — Moscow’s Oniks-Line and Novosibirsk’s Signatek — were accused of retaining backdoors in the equipment. “We shipped the interception equipment to Kyrgyzstan, it was an intergovernmental decision,” admitted Sergei Pykhtunov, deputy director of the Sygnatek. But he said he was not aware of the scandal and dismissed the accusation. Sergei Bogotskoi, CEO of Oniks-Line, took the same line. The scandal did not cause the national government to change the approach to the national interception rules.
In turn, Russian companies seem not to be troubled by the growing international outcry over surveillance technologies exports to the countries with repressive regimes. Take Vadim Sekeresh, a phlegmatic, 40-year-old graduate of the applied mathematics department of St. Petersburg University, is in charge of SORM in the telecommunications-interception technology producer Protei, which has contracts with Uzbekistan and Belarus and is known to develop the SORM equipment for for Soviet countries.
In December 2011 when WikiLeaks launched The Spy Files, a database on the global surveillance industry, his company was put in the list of Russian surveillance technology suppliers. Sekeresh was then unruffled by the WikiLeaks revelation.
“I didn’t pay any attention to it,” Sekeresh, a classical engineer by training, told us at the time. “I didn’t really look into it because the whole thing doesn’t bother me. In fact we don’t sell surveillance bugs and that kind of thing. We aren’t the only ones producing such applications anyway.”
Share and Share Alike
But Russia is doing more than sharing technology with its former client states. It’s trying to work with its neighbors to develop a joint strategy to try to put down the social media-fueled protests that have emerged in the shadow of the Arab Spring.
They’re operating through a series of regional alliances in an attempt to get it done. The Collective Security Treaty Organization (CSTO ) is a Moscow-led regional defense alliance consisting of Russia, Belarus, Armenia, Kazakhstan, Kyrgyzstan and Tajikistan. The Shanghai Cooperation Organization, an international group founded in 2001 by China, Russia and Central Asian states.
On June 15, 2011 Kazakhstan’s president, Nursultan Nazarbayev, proposed the idea of an alliance-wide cyber police force at the opening of the SCO summit in Astana. He added that it was time to include the concept of “electronic borders” and “e-sovereignty” into the international law.
Ten months later, at a second SCO summit, member states agreed on joint measures to be taken by their secret services to “prevent and disrupt the usage of the Internet in terrorist, separatist and extremist purposes,” according to Jenishbek Jumanbekov, a director of the executive committee of the SCO’s regional counter-terrorism structure.
In turn, the Collective Security Treaty Organization established a working group on information security and launched a series of the joint operations by secret services of member-states. The operation was called PROKSI, and Nikolai Bordyuzha, Secretary General of the CSTO, reported that 216 websites in Russia had been shut down thanks to it.
On May 30, 2012 the leading research center within the Russian Ministry of Communications, known as VNIIPVTI, was put in charge of training of technical specialists in information security by the Commonwealth of Independent States, a loose collection of former Soviet Republics.
And in September 2012 at a summit in Yalta, the heads of CIS countries announced their full support for the establishment of the CIS Center of Cybersecurity, which should be modeled after the CERT (Community Emergency Response Team) to counter a cyber threat on multinational level.
There are very few doubts about what it is all really about.
Vladislav Shushin, a counselor of the Secretariat of the Collective Security Treaty Organization, is a leading CSTO expert on information security. Before joining the CSTO, Shushin has had a long career inside state security: a military officer by training, he joined soon the KGB counterintelligence department. He then moved to the analysis department of the KGB where he dealt with political analysis and finally got interested in information security issues as it is understood in Russia – not just cyberwar but psyops and propaganda.
Sitting in the small room in the mansion on Sverchkov lane in central Moscow, Shushin tried to avoid details as much as possible. But he confirmed that indeed the CSTO consider information security much wider in scope than it’s usually thought: “The CSTO member-states look at information security from the international point of view, from the perspective of protecting national interests. It’s not about the technology only (i.e. the protection of computer networks, commanding systems and so on). But it’s also the political-ideological area – combating the misuse of information technology to undermine the political situation, and creating confrontational relationships. The CSTO is making sure that such crimes are investigated jointly.”
Although this may seem ominous, almost all that feverish activity proved to be far from effective.
The establishment of the CIS CERT was postponed, we were told by Grigory Vuss, the chief VNIPVTI consultant of the program. ”While the question of the CIS CERT creation is in the plan just approved at Yalta, we have a problem: there are no national centers yet, at least in Russia,” he said. “So we decided to wait for the national CERTs to be established, and then to work on the collaboration between them. So this question is put aside, for a while.”
The fate of the cyber police proposed by Kazakhstan’s President is even more disastrous. Valikhan Tuleshov, a deputy director of the Kazakhstan Institute of World Politics and Economy told us that the initiative was supported by China but Russia was more hesitant along with other members of the SCO. Finally the idea was dropped.
The PROKSI operations carried out by the CSTO were last heard of in 2010 – there were no such operations in 2011 and 2012. It turned out that where the secret services of the CIS countries tried their hand in adopting new tools to counter the emerging threat on the internet, the result was far from impressive.
The suspicious and inward-looking mentality of the secret services’ bureaucracy in CIS states prevent supranational agencies being created, and also obstructs any agreement on the sharing of sensitive information.
Published on Wired, December 21, 2012