Spies Without Borders – How the FSB Infiltrated the International Visa System

November 16, 2018

By Bellingcat Investigation Team

One of the unanswered questions lingering after Bellingcat’s unmasking of the identities of suspects in the botched-up poisoning of Sergey and Yulia Skripal is how two (or, likely, more) undercover GRU officers were able to obtain visas to travel to the UK. Securing a visa to the UK – as to most EU destinations – is not a trivial procedure. A single-entry visitor visa is relatively straightforward to procure: it requires either an invitation from a UK resident or business, or a pre-arranged tourist trip.

To get a long-term, multi-entry visa – the kind the two GRU officers are reported to have used – a Russian applicant must jump through many more hoops. The visa-seeker must make a convincing case for their need for multiple trips and present evidence of both their steady links to their home country and their financial capability to sustain themselves in the UK over an extended period. The UK consular section makes a concerted effort to validate the data provided by applicants, and is known to reject applicants – even those with a prior multi-entry visa – once it discovers an inconsistency in the “back story” presented by a would-be visitor. The following rejection letter, sent to an applicant who had a prior six-month multiple-entry visa to the UK, exemplifies the “paranoid” attitude applied by the UK consular service, including its focus on the provenance of claimed income.

Given this dense sieve and eagerness to make background checks, how was it possible that the UK Consulate in St. Petersburg issued multi-entry visas to two non-existing personas who allegedly claimed that they were “international businessmen” with well-stocked bank accounts? This question is especially relevant given that a simple search in readily available Russian open-source business databases shows that neither of the two fake personas was registered as an owner – or member of management – of a single currently operating Russian company. Bellingcat’s extensive search through corporate registries in Russia established that the only company in which “Boshirov” had been formally employed was Kursor Ltd, a Moscow-based “manufacturer of medical equipment” which was liquidated only months after Boshirov received his cover identity in 2009.

Yet the non-existent personas “Boshirov” and “Petrov” were apparently able to secure multi-entry visas to the UK, as well as multi-entry Schengen visas, on which they both crisscrossed Europe, visiting the UK at least four times and repeatedly travelling to at least 7 other EU countries in the period 2014-2018.

In a two-part investigation, Bellingcat and the Insider try to determine how Russia’s security services attempted to crash through the visa firewall of the UK and other EU countries, and to obtain unconstrained access to their operational playground in Western Europe. While our investigation does not definitively prove that Russian agencies were successful in these concrete efforts, it does paint a picture of a strategic, long-term Russian effort to compromise the visa issuance system, as well as to gather intelligence on potential travelers’ plans – both from Russia to Western Europe and the other way around.

Part I: Hacking the UK Visa System

As Bellingcat investigators were working on the discovery of the real identities of “Boshirov” and “Petrov”, Vadim Mitrofanov[1] – a highly proficient Russian IT specialist awaiting a decision on his family’s asylum request – contacted us with what he thought was a piece of information relevant to the Skripal poisoning case.

Vadim told us that two years earlier, in 2016, he had been working as chief technical officer at a company that provides exclusive visa application processing services to consulates, including the UK consulates in Russia. As he confessed to us, at that time he had been recruited – under duress – as an undercover collaborator for the FSB, Russia’s ignominious domestic security service. The FSB had planned to use Vadim to try and breach the confidential information flow of visa applicants at the application processing company, as well as to compromise the actual visa issuance system at the British consulate. In Vadim’s own words, in June 2016 his FSB handler had asked him whether it was possible to organize visas for “a couple of guys who need to visit the UK”. “It’s important that their passports are accepted and approved directly by the consulate, without any review and background checks and without leaving any trace in the visa center”, the FSB handler had told him. Vadim had replied that this was virtually impossible unless they had an insider at the embassy.

Outsourcing Data Is a Matter of Trust

Nearly a year after he was recruited by the FSB, Vadim arrived in the USA with his family on a visitor’s visa and applied for political asylum for his family and himself. The reason – laid out eloquently in a 10-page deposition to the US authorities, which Bellingcat and the Insider have reviewed – was that, having been forced to collaborate with the FSB, he had ultimately consciously sabotaged their work.

Vadim is a highly trained IT specialist; a graduate of a respectable Moscow engineering university.

In 2015, he was working at the Beijing-based global headquarters of TLSContact, a leading provider of IT and logistical services to consulates. In short, the company helps embassies of various countries process huge volumes of visa applications, leaving only the final decision-making – and the visa issuance process – to the consulates themselves. In many countries the company is the exclusive outsourcing partner for the consulates of a number of EU states.

Vadim’s job included designing computer systems in new locations as the company expanded its presence into more and more countries. He was also the company’s key specialist in the development of portable and on-site biometric data collection.

Outsourcing the pre-processing of visa applications requires a great deal of trust on the part of the consulate, as it allows a private company to collect gigantic volumes of personal information, documents and biometric data of applicants, only a portion of which is passed on to the consular department. Naturally, all employees of TLSContact and similar companies are required to undergo security screening. As Vadim’s job required him to work on the territory of various consulates, he had to pass security screenings and internal background checks, and to provide proof of a clean criminal record at regular intervals. Consequently, he was entrusted with full access to applicants’ confidential biometric data, and his role in the company expanded. He worked closely with the IT departments of the visa sections of EU embassies.

In late 2015, Vadim was transferred to the company’s Moscow branch. TLSContact’s Russian office was already providing near-exclusive visa application processing to the UK and Swiss consulates at that time, and it aimed to grow its market share further.

A Family Nightmare Orchestrated by the FSB

When he started working for the company, Vadim was living in China, where he had married a woman from Mongolia; the two had a young daughter. To bring his family with him, Vadim needed to organize a residence permit for them, as they did not hold Russian passports. He took his wife and daughter with him to Russia under the visa-free arrangement between Russia and Mongolia, as they planned to apply for a residence permit on-site in Russia.

What ensued after their arrival in Russia was the stuff of nightmares. Over the following six months, the authorities placed all imaginable bureaucratic hurdles – lawful and blatantly illegal – in front of his family, in what he believes was a carefully choreographed attempt to force him to collaborate with the FSB. His mother, with whom they were living, was repeatedly harassed by immigration authorities; her house was searched “for illegal immigrants” and she was threatened with jail time for harboring “illegal aliens”. His wife and daughter had to repeatedly leave the country and re-enter in order not to run afoul of the 30-day limit on visa-free stays; upon each re-entry, the migration office required that the whole application process be started anew, creating a vicious, unending bureaucratic loop. All objections by Vadim and his family that these hurdles breached Russian law were left unanswered; a human rights ombudsman rejected their complaints without giving any reasons. Ultimately, the federal migration service rejected – with no explanation – the family’s application for a residence permit. At this point Vadim realized this was more than a random confluence of Russia’s notoriously incompetent bureaucracy. He filed a court claim against the Federal Migration Service.

It was also at this point – in March 2016 – that he was approached by the overly friendly “Andrei”, who offered to make all his family’s problems go away. Later Andrei would intimate to him that Vadim had attracted the security service’s attention nearly a year earlier, in March 2015, when Vadim had applied for a passport renewal at the Russian embassy in Beijing. His professional qualifications – and access to confidential information about Western countries’ visa issuance systems – had made him a prime target for the FSB.

“It Would Be Unpleasant If Your Wife Had To Await Her Deportation In Jail”

The first encounter with Andrei was a phone call from an unknown number that resulted in a meeting at a Moscow café near the TLSContact office. Andrei told Vadim that he was trying to help resolve the unpleasant situation around his family, but that “things did not look good”, and unless a resolution was found, he might have to initiate criminal proceedings against Vadim’s mother for being an accessory to illegal immigrants. Furthermore, Andrei said, he might need to initiate an inspection of Vadim’s current residence in Moscow, implying that his wife and daughter – whose latest application had been rejected – would be arrested. “It would be unpleasant if your wife had to wait for her deportation in jail”, he said. As an alternative, Andrei laid down on the café table a blank “Agreement for cooperation with the FSB”, explaining that if he signed it, Vadim would have to provide the FSB with information relating to his work at the visa application center. Vadim had no choice but to sign the agreement, which read bluntly:

“I voluntarily agree to provide consulting services to the FSB, and so to assist operational activities. I acknowledge that I was informed that the disclosure of the existence of this cooperation will be considered as a disclosure of State secrets, punishable by imprisonment under the Criminal Code.”

Over the next few weeks, Vadim noticed signs that the migration authorities were starting to ease the pressure on his family. In parallel, “Andrei” made more specific requests: he wanted information on TLSContact’s internal regulations and organizational structure, on the IT network and infrastructure design, as well as on the use of intrusion detection systems. Vadim complied with the requests, providing fake data, with IDS honeypots set in place.

Shortly after handing over the “network map”, Vadim says he noticed intrusion attempts. When he dived deeper into the access logs, he realized that the FSB already had pre-existing access to the CCTV cameras installed in the visa application center. He surmised that the access had been gained by eavesdropping on the internet traffic (the SORM-2 system, which allows the FSB to monitor virtually all unencrypted traffic, is mandatory for all ISPs in Russia).

Later Vadim also noticed that the firmware of at least one of the CCTV cameras had been modified to provide a backdoor into the internal network. Without being specific enough to risk Andrei’s ire, Vadim generically alerted the company’s security team to the possible risk posed by the discovered vulnerabilities.

In early April 2016, Andrei introduced Vadim to “Alexander” – who was presented as an expert from the FSB’s K (cyber-crime) department [correction: the FSB cyber-crime department is called the 18th Center. “K” is the Ministry of Interior cyber-crime department]. Alexander asked deeper questions relating to the company’s internal network structure, and showed Vadim what appeared to be an outdated network diagram, asking him to confirm whether the network layout had changed since the FSB obtained it. “Alexander” was also interested in the logistical interaction between the company and the embassies: specifically, he asked about the route of delivery of passports to consulates, and about the control of access to computer systems on consulate territory.

Thwarted Attempts to Escape

Conscious that he had to play along with the FSB’s escalating requests, but uneasy with his own forced complicity in breaching the security of his employer – and of foreign embassies – Vadim devised a plan to extricate his family and himself from Russia.

Over the next months, Vadim’s family made several attempts to leave Russia, each time being intercepted by border guards – or, on one occasion, by “Andrei” himself – and each time with escalating warnings that he shouldn’t make further attempts until they were happy with his deliverables. Vadim and his family, including his underage child, were locked up in detention several times, each time released hours later following a “good cop” intervention from “Andrei”. In one case, his wife was arrested and kept in a men-only detention center until a court hearing, despite her advanced pregnancy. Vadim realized that the FSB needed his family in Russia as a form of leverage over him, and decided to comply, at least temporarily.

“Andrei”’s subsequent instructions became more and more brazen. Vadim was told to watch for, and report to the FSB, any visa applications filed by certain persons of interest (among them Alexey Golubovich, a one-time Yukos partner and witness in the case against Khodorkovsky). Vadim complied, hoping to create an illusion of willing cooperation. At one point in the early summer, Vadim was told by Andrei that an FSB-preferred candidate was seeking a job as head of the company’s Swiss visa center. The candidate did not get the job.

A Shocking Request — And a Reprieve

At the end of June 2016, “Andrei” and “Alexander” gave Vadim the motherlode task: he was to create a backdoor into the UK visa center network. Vadim told them this could be done but required time and concentration, and promised to take on this task after his return from a pending business trip to China. In return, he requested that Andrei let his wife and daughter stay with his wife’s parents in Mongolia during his trip, as respite from the stress she had been under in Russia. Enthused by Vadim’s optimistic view of the backdoor prospects, Andrei took a chance and gave his consent to a short trip.

Having taken his family to safety, Vadim returned to complete certain unfinished projects for his employer, TLSContact. Towards the end of August – and having done essentially no work on a backdoor – he told his handler that he needed to travel abroad to bring his family back to Russia.

Without receiving a final okay from Andrei, Vadim headed to the airport straight from work. In his own words, as described in his asylum application,

“On September 2nd 2016, an attempt to arrest me was made. I took a half day off to prepare my stuff for travel. After lunch, around 14:00, I was going to the office following my usual route. At the intersection in front of the office building, where a traffic police patrol is usually working, a black car was parked. A person standing next to the car recognized me and commanded me to get into the car. When I started going around, trying to act as if I didn’t hear him, he started moving towards me. It was clear that he was trying to intercept me. Fortunately, this happened in a crowded public place, so I just turned around and ran away. The person didn’t follow me then.”

Using a method that we have chosen to withhold at Vadim’s request, he was able to leave Russia the following day.

Later, Vadim informed TLSContact of the circumstances of his sudden departure, and came clean about his forced collaboration with the FSB – and the agency’s ongoing attempts to infiltrate the company’s network infrastructure. Vadim also tried to warn the UK consulate of the FSB’s intrusion attempt. Bellingcat has seen evidence of both alerts having been made by Vadim. He says he received no reaction from either.

Our Attempts to Confirm Vadim’s Story

Over the last two months, Bellingcat has interviewed Vadim repeatedly, in an attempt to validate his story. Vadim provided us with copies of the documents submitted to the relevant authorities, as well as of the messages sent to TLSContact and to an employee he knew at the UK consulate. We have concluded that these are authentic documents, submitted or sent at the time Vadim claims they were.

Vadim also provided us with audio recordings of two phone calls between him and “Andrei”. One of the recordings, published below, is allegedly the initial phone call made on 17 March 2016 by “Andrei” to Vadim, while the second call is from 29 May 2016. It is not possible to verify the exact timestamps of the recorded phone calls, but the audio format and format of the file names – which contain time stamps and caller number – are consistent with those of a popular Android call recording app.

We have analyzed the audio content of the calls, which do not contain any signs of editing or manipulation. In the first call, the person who presents himself as “Andrei” cold-calls Vadim and tells him he is calling from the central office of Russia’s migration service and that he is aware of Vadim’s wife’s legal situation. “Andrei” tells Vadim that his mother may be in criminal legal jeopardy, and offers to meet to discuss the case. Vadim agrees, and “Andrei” proposes to meet somewhere in the vicinity of Pokrovka street in Moscow. Both the central office of the Federal Migration Service and the FSB’s Moscow headquarters are in the area of Pokrovka street. “Andrei”’s request to meet off-site, away from the premises of the Federal Migration Service, cannot be considered normal official practice, and is more consistent with known practices of extortion by Russian officials. Such an arrangement would also be consistent with the version of events presented by Vadim.

In the second call, from 29 May 2016, “Andrei” gives Vadim tips on how his wife must act during an upcoming visit to the Smolensk immigration office. In this call we observe a progression of the relationship between the two, which is much less formal and is on first-name terms. The call ends with “Andrei” telling Vadim he will call him the next day on other matters.

Vadim provided us with the two numbers from which he says he routinely received phone calls from Andrei. We have attempted to determine their ownership. One number is now registered to an unrelated man who told us he has only had this number since March 2018 and does not know who the previous user was. The second number is currently inactive, but records show that in 2016 it was registered to a young woman working as a bartender. We contacted the woman, who – after initially agreeing to answer questions about “Andrei” – switched off her phone and could no longer be reached.

Vadim also provided us with a document which he had discovered while working for TLSContact, the content of which he had then found to be suspicious. The file contains a cumulative database of all applicants for UK visas between April 2014 and May 2016 who had withdrawn their application prior to processing their visa cases. Vadim believes that there could be no business rationale to maintain such a cumulative database, and that this file may have been maintained – and exported – by a company employee at the behest of FSB. The file presented has personal identifying data (which was anonymized by Vadim before presenting to Bellingcat) on more than 1,500 Russian citizens. Certain names of interest, such as politicians or public figures, are marked in bold. The file properties suggest that it was created and modified by a person who worked at the company in 2016.

Bellingcat and the Insider approached the UK consulate with a number of questions linked to the potential vulnerabilities of the visa issuance process chain, and the possible risk posed by a visa application processing center infiltrated by a foreign government. The consulate referred our questions to the UK Home Office, which replied that the ultimate visa issuance or refusal decisions are made by consular staff, without any role played by the processing company. The response, however, did not address the risk of applicants’ confidential personal information being potentially exposed to security services, nor the risk of hypothetical vulnerabilities in the communication systems between the outsourcing company and the consulate being exploited.

We attempted to ask the same questions of TLSContact but were not able to connect to a company executive via the company’s call center. A former company executive who left TLSContact several months before Vadim’s departure and alert letter said she was not aware of third-party attempts to infiltrate the company.

The Insider was able to talk to the former executive of the company whose name appeared on the “withdrawals report”. This person said he was not aware of any attempts by FSB to infiltrate the company. When asked about the provenance and rationale for the document that contained visa application withdrawals – and whether he was the author of this document – he terminated communication.

Bellingcat contacted the FBI to receive a comment on whether they had received the tip-off from Vadim, and whether such information had been channeled to UK law enforcement in the wake of the Skripal poisoning case. As of press-time, the FBI has not replied to our query.

Vadim’s story does not prove conclusively that the FSB or any other security agency was successful in breaching the visa issuance system, and thus enabled GRU officers to travel to the UK repeatedly and ultimately conduct an alleged assassination attempt. However, it does indicate the determination and methodical tenacity that were applied in trying to compromise the visa protocols. Such endeavors are not surprising given that security services need to ensure unimpeded access to various European locations. Absent an alternative explanation as to how these and other GRU officers were able to sneak through the multi-entry visa application filter, Vadim’s experience provides one possible answer. After all, Col. Chepiga and Col. Mishkin first traveled to the UK – and Switzerland – several months after “Andrei”’s initial query to Vadim about the feasibility of trace-free issuance of visas to the UK and Switzerland.

To be continued

[1] name and certain non-essential circumstances have been changed to protect the identity of the person

40 Comments

  1. Fishmanxxx

    Thank you for providing whistle blowers a much needed site, far from Russian influence, as is not the case for WikiLeaks! I trust you will always maintain that principled approach to your work.
    I’ve commented in the past how Bellingcat manages to stay a few steps ahead of government intelligence agencies, and again you receive stone faced responses from those agencies. Either they continue to be embarrassed by their lack of investigative abilities or they don’t want this issue in the public domain. These are somewhat troubling and point to the government’s belief that the general public is ignorant, and in our growing age of digital enlightenment they will, time and time again be proven so wrong!
    Two points I’d make in response to the article.
    Ultimately these agents were able to obtain multiple entry visas and while the article conservatively suggests a route, someone needs to answer as to how this was allowed to happen! To permit such a security failure with disastrous consequences cannot go without resolution. But of course this leads to a further embarrassment.
    Secondly, the mere idea that foreign nationals would be contracted to complete such work is hard to understand. I would suppose a bean counter sitting at their desk decided it would be “cost-effective” to contract out these services? That doesn’t mean that a country’s nationals are immune to corruption, but perhaps agencies should scale their work, or create systems that do not augment their workload to the degree they can no longer securely manage the individuals carrying out the work. Perhaps the work needs to have more “compartments” to be manageable? For example, in Mexico, when you purchase a SIM card for your phone, you arrange the plan with one individual and then walk to another desk to pay for the plan. You return to the first desk and show proof of payment. I’m not suggesting here that Mexico is an illustration of non-corruption, just that perhaps they’re sufficiently “sensitive” to corruption that they create some accountable check and balance? It appears time for government leaders to get “sensitivity training” on risks, as likely some of these old buzzards wouldn’t even know what Ctrl Alt Del means?
    As a final note, not everyone will have a conscience like Vadim, but I’m certain the state attack on his family may have further motivated his final revenge. Never attack a man’s family!

  2. Eddie Jones

    Excellent review of Russian spy work.
    Let’s hope the CIA and MI6 are onto this stuff.
    A condensed/edited down version of this story would help.
    I hear, in the Internet age, we humans have an attention span of about 8 seconds.

  3. Martin Dewhirst

    I’m wondering whether the mention of ‘Smolensk’ really refers to the HQ of the Russian Ministry of Foreign Affairs on Smolenskaya ploshchad’ in Moscow.

  4. Francesca

    But I still don’t get why GRU agents would even travel in such a way as to require visas… fingerprinting etc.
    Travel on false passports to Belgium, for instance, then slip into the UK without a visa.
    If the GRU is so clever as to be able to manipulate UK consulates then they can manage fake passports with ease.
    Secondly, we have been told to believe that there are thousands of Russian spies already living in the UK.
    Not one of them was suitable for the Skripal job?
    So, on the one hand we have a tale of hopeless Russian intelligence bungling in Salisbury, on the other, the ability to infiltrate and manipulate the Brexit campaign, UK consulates, elections in France and Germany, and also remote control Trump!
    This tale is a rather hopeless attempt to breach the gaping holes in the Skripal story and I’m not buying it.

    • Servus

      Great job Bcats, and you have irritated the notorious “Francesca”, also known under other nicknames, otherwise a lazy employee that posts generic rants.
      You ask a question about the rationale of GRU travel decisions; how on earth can anyone other than the GRU know the answer? Maybe your supervisor has some friends or former colleagues willing to share some inside stories over vodka and cucumber.

  5. Timaty Leary

    Correct me if I am wrong, but there are no single-entry visas for Russians. 6 months is the simplest visa possible.

    • Anna

      Timaty, you are right.
      UK’s minimum visa for any purpose is multi-entry for six months for any foreigners excluding EU/EEC countries.

  6. Simon Jones

    As far as hacking internet traffic is concerned, much evidence points to off-the-shelf anti-virus software being another internet backdoor loophole exploit hidden in plain sight. Such cybersecurity software can provide data flow directly from the heart of any computer to any specific server. The danger (need I spell it out) is that (for example) domestic banking details could be ripe for exploit by the FSB. There isn’t much clear guidance for public or private users to make an informed decision, but caution is the best policy. At worst it is effectively paying for a penetration service made more potent by the popularity of cloud-based storage.

    • Servus

      re Simon Jones
      Do you have any references for the “much evidence points to off-the-shelf anti-virus software being another internet backdoor”?
      As far as I know, there is a strong suspicion that Kaspersky AV was used this way, which should not be surprising as “Kaspersky graduated from The Technical Faculty of the KGB Higher School in 1987”.

      Kaspersky AV or other products should not be used by anybody.

      Otherwise, AV systems can potentially create security risks and DOS type events.

  7. francesca

    Wow Servile, what a thrill to be “notorious”!
    You know it’s pretty dull here in the gulag with the guards at your back checking your work from dawn to dusk, and bloody cabbage again. So you’ve really brightened up my life.
    Thanks awfully.
    Did I mention I also go under the name of Maureen? A hint of the Irish, you see.
    My supervisor insisted on that, promised me double pay the bastard, it never happened so I only did it once.
    Would you like me to give Bellingcat a big scoop on what it’s like in the gulag?
    I also worked on infiltrating the UK Home Office, you know, for perpetrating false visas. I’d be happy to spill the beans on that.
    Whoops, here comes Ivan, got to rush, talk soon sweetie!

  8. Volodymyr Bilotkach

    It is my understanding that the UK issues six-month multiple entry visas by default. I am not sure if single entry visas are issued by the UK at all. This is based on my experience obtaining those visas for myself and more recently for my mother in law.

  9. Roo

    It’s difficult to believe that Vadim’s wife had entered Russia in Smolensk (where there are no border points of entry) on her way from China. I highly doubt that she could fly from China to Smolensk))) Unbelievable. All migration issues are subject to local migration offices. So there couldn’t be any cases against her or his mother (who lives in Moscow!!!) in Smolensk. I would rather believe it if it happened in Irkutsk or Vladivostok or any other Siberian city having an established air connection with China. But not Smolensk.

    • Timaty Leary

      You can’t make sense of Smolensk just because Vadim omitted his method to escape Russia. Dig into the topic before posting your doubts.
