The Delft-based computer and security company Fox-IT has been selling their products in Russia since 2010 and has continued to do so after international sanctions were put in place against the country.
Fox-IT collaborates with different partners in Russia who sell on their products. These intermediaries maintain close ties with state companies in Russia’s energy and financial sector, but also with the Russian Ministry of Defence, defence companies and the Russian intelligence agency FSB. The Delft-based company has little oversight into its end users or to whom their products are offered and sold by the intermediaries.
Fox-IT acknowledges to have delivered to Russia, including to the Russian government, up till 2015. Even after international sanctions were put in place in 2014, the Delft-based company continued selling its products in Russia. The war in eastern Ukraine, the annexation of Crimea, the downing of flight MH17, the international sanctions against Russia in 2014 and the take over of the English NCC Group have had no influence on the sales activities of Fox-IT in Russia.
After acquiring Russian certification for its Fox DataDiode in 2015, the company even increases its access to the Russian market. Russian certification means the product becomes of interest particularly to large (government) organisations and the lucrative market of the security industry (investigative and intelligence work and for defence). The United States has serious doubts about the involvement of defence and the intelligence agency FSB with regards to this certification.
The Netherlands and Russia, clients of Fox-IT
Computer and security company Fox-IT was established in 1999. The Dutch government, including the department of defence, investigation and intelligence services, quickly became a major client for the company. Among other things, Fox-IT provides the security for Dutch state secrets.
From 2006, Fox-IT becomes more and more internationally active. The Delft-based company writes in its newsletter of December 2006, for example, that an ‘international sales taskforce has been established, whose main task will be to offer products to law enforcement organisations. Take for example the data diode, the analytical tapping software FoxReplay and our cryptographic products’. In the following years the company expands its international task force.
Fox-IT has been active on the Russian market since 2010. The Delft-based company’s main aim is the sale of the Fox DataDiode. Since 2009 the product is classified as a dual-use good: goods with a civic application that can also be used for military purposes. The Fox DataDiode is a kind of one way firewall beteween a public and a private network, with which one can regulate access to confidential information.
According to Fox-IT, one of the potential clients for the DataDiode is the defence industry. In a press release in 2010 the company writes: “With its 1G and 10G Ruggedized DataDiodes Fox-IT focuses on organisations in need of the highest possible security who operate under extreme conditions, such as defence, government departments and companies in the nuclear, energy, oil and gas industries, and in other areas of critical infrastructure.”
Snitegroup GmbH
Fox-IT starts selling to Russia in 2010. The Delft-based company does so in co-operation with the Swiss company Snitegroup GmbH and the Russian company ZAO NPF Simet. The Russian Evgeny Gengrovich plays a key role in this venture. He starts promoting the Fox DataDiode in 2010, later he presents himself as a representative for Fox-IT, and he has a key role in attracting other intermediaries.
On February 1st, 2011, Snitegroup GmbH and Fox-IT sign a Reseller Agreement. This means the Swiss company can resell Fox-IT’s products and services.
In March 2011 Snitegroup appears as a Fox-IT partner for Russia and CIS on the Delft-based company’s website. A year earlier, on March 30th, 2010, Catherine Beretti registered the Swiss company together with the Russian Evgeny Gengrovich at the Zurich trade register. The company is based in the Swiss town of Schlieren.
With the Swiss Chamber of Commerce, the company is registered as a business that focuses on the development and sales of software to CIS countries (Commonwealth of Independent States): “Entwicklung und der Vertrieb von Computer-Software insbesondere Im Bereich der GUS-Staaten.” The CIS countries are Russia, Belarus, Armenia, Kazachstan, Kyrgystan, Tadjikistan, Azerbeidjan, Moldova and Uzbekistan.
Swiss co-owner Beretti claims she was only responsible for the taxes and the paperwork concerning the registration. According to her the company never had any dealings in Switzerland or the EU.
Beretti indicates Snitegroup purchased products and services from Fox-IT and sold those on to the Russian Federation: “Die Snitegroup hat im Rahmen dieses Reseller Agreements Waren und Dienstleistungen von der Fox-IT eingekauft und diese Waren auch in die Russische Föderation weiterverkauft.”
The Swiss company presents itself on its website as a consultancy firm for company development, marketing and other essential services. According to the website the company has partners in six countries, including Israel and Russia. Snitegroup’s customers are energy companies and financial institutions. “Among our customers you can find the market leaders in several industries such as Electric Power, Oil and Gas and finance.”
Evgeny Leonidovich Gengrinovich
The trade link between Snitegroup and Russia is co-owner and CEO Evgeny Gengrinovich. He spends his entire career working for the state-controlled Russian energy sector.
In the nineties he’s mainly involved with the automation of the Russian energy distribution companies. At the start of the century he not only works for producers in the Russian sector, he also works at Russian regulators that are overseeing the automation process of energy bills and smart meters. From 2006 onwards he starts promoting the smart meters of a Swiss company called Landis+Gyr.
In 2010 he makes the switch to the private sector. He manages projects for state instutions, for which he previously worked as civil servant. As a manager he works in the fields of automation, information security, and mostly in sales. According to his curriculum vitae of May 23rd, 2017, since 2010 he’s managed projects for MOEK (Moscow United Electric Grid Company), Russian Railways, FGC UES (Federal Grid Company of Unified Energy System), Transneft, Tyumenenergo, Mosenergo, IDGC (Interregional Grid Company of Siberia) en SIBUR.
Gengrinovich not only sets up Snitegroup in Switzerland, he also becomes vice president of the Russian company ZAO NPF Simet in 2010.
ZAO NPF Simet
Simet was established by brothers Denis and Vadum Buryakov. They have hundreds of companies in their name and the tax department has therefore put them on a list of ‘mass directors’, people who are director of many companies at the same time. The tax departments suspects these owners of tax evasion, though no legal proceedings have been started against the Buryakovs.
Smirnova Lyudmila Petrovna is registered as Simet’s CEO. According to the Russian Chamber of Commerce the company focuses on research and production of integrating systems and metrology. The company seems to be mostly inactive till the end of 2011.
From 2011 Snitegroup is mentioned as a Fox-IT partner on its website, while the address, phone number and email of ZAO NPF Simet are registered with Snitegroup as the Moscow office of the Swiss company: Proletarsky prospekt 1, 115522 Moscow, Russian Federation, email info@simet.ru. It’s the same address that Snitegroup records on its GmbH website as the address of Simet.
According to Snitegroup co-owner Beretti the Swiss company wanted to collaborate with Simet regarding training for the use of Fox-IT products. “Diese Firma hat alle notwendigen Zertifikate um an Ausschreibungen innerhalb Russlands teilzunehmen. Mit dieser Frima wollte die Snitegroup zusammenarbeiten. Die Snitegroup hat geplant, dass Simet in Zukunft die Schulungen von den Fox-IT Produkten in Russland durchführt.”
Beretti claims Snitegroup and Simet never reached an agreement. However, it’s clear that Gengrinovich fulfills a key role in the selling of Fox-IT products in Russia from 2011 onwards, during which he presents himself as representative of both Snitegroup and Simet (and later on of Fox-IT as well).
Gengrinovich, the Fox DataDiode salesman
Since 2010 Evgeny Gengrinovich, in his capacity as director of Snitegroup and vice president of Simet, has been trying to flog Fox-IT products to Russian companies at all kinds of conferences and meetings. Mainly it’s the Fox DataDiode: a kind of one way firewall between an audience and a private network, which enables the regulation of access to confidential information.
Two months after the reseller agreement between Snitegroup and Fox-IT was signed, on April 11th, 2011 Gengrinovich puts together a Powerpoint presentation (file name DiodeRussiaMar). This presentation shows images of the Fox DataDiode. The Dell servers Fox-IT uses also feature. References are made to the EAL7+ and NATO certificates of the Fox-IT product.
Mentioning these certificates is essential to get potential clients interested. Furthermore, governments may demand for some equipment to have the appropriate certification. The EAL (Evaluation Assurance Level) security label is an internationally acknowledged set of safety standards that governments and other organisations use to determine the security of technological products.
On December 20th, 2011, Gengrinovich is one of the speakers at the third International Energy Forum “Innovation, Infrastructure, Security”. The forum is organised by the Duma, supported by the Ministry of Energy and Rosatom. Rosatom, also known as Rosatom State Nuclear Energy Corporation, the State Atomic Energy Corporation Rosatom and Rosatom State Corporation, is the Russian federal agency for nuclear energy. It not only deals with nuclear energy, but also Russia’s nuclear weapons.
Gengrinovich has prepared three PowerPoint presentations for the meeting. One (file name SIMeTGC3v1.96506043) is about a Simet project with the Swiss manufacturer of smart meters Landis+Gyr at the state-controlled Russian energy company Mosenergo, a subsidiary of Gazprom.
The second is about a specific Landis+Gyr product called Converge (file name ConvergeSIMetv1.40459327). The third presentation (file name SIMetBPL.46929715) concerns so-called Smart Grids (smart energy grids).
Beneath the presentations the contact details of Gengrinovich are given as being Deputy General Director CJSC NPF Simet. In the second and third presentation Snitegroup is mentioned as partner of Simet, but Gengrinovich doesn’t reveal he works for both companies.
According to the presenations for the forum Simet employs many professional engineers in branches in Moscow, Yaroslavl, Nzhny Novgorod, Novisibirsk and Krasnoyarsk. It’s also claimed that Simet has partners in Switzerland, Germany, Slovenia, Russia and Israel. Snitegroup also has its headquarters and partners in these countries.
A year later, on June 6th, 2012, Gengrinovich produces a presentation (file name SNITEGroupITSecASUTP) about the Fox DataDiode. In this presentation the logos of Fox-IT and Snitegroup GmbH appear side by side. Many texts are identical to the presentation of April 11th, 2011 (file name DiodeRussiaMar), including the text about the EAL7+ and NATO certificates of the product.
Gengrinovich produces presentations about the Fox DataDiode. Apart from which, Snitegroup and Simet also promote the product on their websites. From September 2012, Snitegroup presents the product on its website as “A Preferred Solution For High-Security Real-time Electronic Data Transfer Between Networks.”
Simet also promotes the product on its website. The company mentions Fox-IT as a partner on its website from October 2012. Next to a picture of the Fox Datadiode it says: “Unidirectional, at the physical layer, connection of network segments.”
Simet and the Russian State
Snitegroup and Simet’s clients largely overlap and they’re Russian state companies or state-controlled companies.
State companies Gazprom and its subsidiary Mosenergo are mentioned as clients on the webites of both companies, as well as Russian Railways, Rosseti and its subsidiary Moesk, and Transneft. Transneft has been led since 2007 by former KGB officer and former colleague of Putin, Nikolay Tokarev. In 1996 and 1997 Tokarev worked alongside Putin in the Russian government under Yeltsin.
Due to their close connections to the Kremlin several Simet clients, as well as their top executives, have been put on international lists of sanctions. Transneft and Gazprom were put on the EU sanctions list because of their involvement in the war in Eastern Ukraine. In 2018 Alexei Miller (Gazprom), Oleg Belozerov (Russian Railways), Oleg Budargin (Rosseti) and Nikolai Tokarev (Transneft) are placed on the American list of sanctions.
The only private company Simet works for is the petrochemical company SIBUR. The company is closely associated with the Kremlin. SIBUR was owned by state companies Gazprom and Gazprombank who ‘sold’ the company in 2010 to Leonid Mikhelson, Gennady Timchenko and Kirill Shamalov. Timchenko is a billionaire and one of Vladimir Putin’s judo partners. Shamalov also belongs to Putin’s inner circle and used to work at Gazprom, Gazprombank and Rosoboronexport. Rosoboronexport is under direct control of Putin, it’s the agency for import and export of defence materials. Shamalov and Timchenko are placed on the American sanctions list in 2018.
Besides these companies, Simet also has ties to the Russian Ministry of Defence and the defence industry. Since 2011, the company has been embroiled in a drawn-out complaints procedure against the Ministry of Defence’s energy company Oboronenergo. Simet’s complaint concerns the tendering of the design and construction of energy relay stations in the eastern region of Russia, Kamchatsky. The tender was about the construction of a power station at the military unit 62695, part of the Russian Pacific fleet which includes nuclear submarines.
Simet’s ties to the Russian state not only show through its clients, it’s also apparent in other ways. In a corporate presentation of January 24th, 2013, the company writes that it possesses all licences and certificates, including those of the Russian intelligence agency, the FSB, necessary to work with state secrets: “The FSB license to carry out work related to the use of information constituting a state secret.” The ability to work with state secrets means Simet can work for state companies, like for example the Russian security sector.
Gengrinovich and the Russian State
Evgeny Gengrinovich plays a vital role in the sale of the Fox DataDiode in Russia. Snitegroup and Simet’s clients are largely the same state companies he used to work for, according to his curriculum vitae, as a civl servant. Gengrinovich not only has close contacts in the energy sector, he also has connections to the Russian Ministry of Defence and the defence industry.
In his curriculum vitae of May 23rd, 2017, Gengrinovich claims to have done certification work for the FSTEC and the Ministry of Defence from 2010 to 2014:“in 2010-2014, work was carried out on the certification of a number of IT solutions at the FSTEC, as well as for use for the needs of the Ministry of Defense and Gazprom.”
The FSTEC (Federal Service for Technical and Export Control) resides under the Ministry of Defence and is the Russian agency responsible for the protection of state secrets. The FSTEC has close ties to the Russian intelligence services that would handle the Russian certification of the Fox DataDiode in 2015.
Furthermore, Gengrinovich indicates in his CV to have managed projects for the Ministry of Defence (“for use of the needs of the Ministry of Defence).
His work for defence is in line with the presentations he made for the ‘Innovation, Infrastructure, Security’ forum of December 20th, 2011, which was co-organised by the Russian nuclear energy agency Rosatom that’s also responsible for Russia’s nuclear weapons. In his presentations about the Fox DataDiode Gengrinovich draws attention to the use of the diodes at the International Atomic Energy Agency (IAEA) in a discourse about monitoring of nuclear power plants.
The IAEA again features in an article about the advantages of DataDiodes on his blog, egengrinovich livejournal, on March 10th, 2105. Just like in his presentation he writes about how the organisation uses Datadiodes: “The International Atomic Energy Agency (IAEA) uses them to monitor the operational situation at nuclear power plants.”
In the same article Gengrinovich claims that defence and energy companies have purchased the Datadiode: “The list of implementations of DataDiodes is quite wide: from defense to large energy companies.” Gengrinovich does not give any names of defence or other companies to whom they’ve sold the Fox Datadiode. With one exception: RusHydro.
Fox DataDiode to PJSC RusHydro
One of the first companies that starts using the DataDiode is RusHydro, according to Gengrinovich. In his blog article of March 10th, 2015 he writes: “In Russia, one of the first companies to apply this solution was the holding company RusHydro.” He doesn’t mention Fox-IT by name in the article.
In his CV of May 23rd, 2017, he refers to a project at RusHydro and claims to have been involved in the installation of information security: “In 2010-2012, a project was implemented to ensure the information security of the technological segments of local computer networks for hydroelectric power plants belonging to JSC RusHydro (8 stations).” Since 2010 Gengrinovich has been active for Snitegroup and Simet with regards to selling the Fox DataDiode.
State company RusHydro is one of the world’s largest hydropower companies in the world. The company came into existence during the reorganisation of Russian energy companies in 2004.
RusHydro is closely connected to the Russian state. That the Kremlin decides how the company is run not only shows from its list of board members, but also from the way excecutives are appointed and dismissed from the top of the company.
RusHydro’s board mainly consists of men who previously worked in state-controlled companies in the energy sector, like Rosatom, Transneft, Inter Rao, Rosseti, Rosneft and in those parts of the financial sector that are controlled by the Kremlin, like VTB Bank and Vnesheconombank VEB.
On November 23rd, 2009, Evgeny Dod is put forward as RusHydro’s CEO by the then vice-premier of Russia and Putin confidant, Igor Sechin. Sechin is Russia’s oil man and has been described by several media, like the Financial Times, as Russia’s second man. His position as CEO of Russian oil company Rosneft provides him with his power. Boris Kovalchuk, another man from Putin’s inner circle, also resides on the board of RusHydro.
In 2011 a top executive of the Russian intelligence agency FSB is appointed to the board of RusHydro. On April 10th, 2011, The Moscow Times writes that Putin has fired temporary minister for Energy, Sergei Shmato, from the board of the company. He’s replaced by Sergei Shishin, senior vice president of the Russian state bank VTB Bank as well as general at the FSB (and its predecessor the KGB), where he heads the department for counter intelligence. In 2012 Putin invests 50 trillion ruble (over a billion euros) in the company.
The ties between the Kremlin and RusHydro are reasons the top executives of the company, including CEO Nikolay Shulginov, have been placed on the American sanctions list for high-level officials of state companies.
Fox-IT export and the insight into end users
From 2010 Snitegroup, Simet and Gengrinovich have been attempting to sell Fox-IT products, specifically the Fox DataDiode, to Russia. These intermediaries have close ties to Russian state companies in the energy and the financial sector, but also with the Russian Ministry of Defence, the defence industry and the Russian intelligence agency FSB.
It raises the question whether the Delft-based company has any insight into which partners in Russia are being offered their products and selling them on. Fox-IT acknowledges having delivered products to Russia. Then director and co-founder Ronald Prins claimed in an interview with Bits & Chips on November 17th, 2015, that the company had sold the Fox DataDiode in Russia.
In an interview with Prins on April 15th, 2014, in MT/Sprout it’s mentioned that the company has sold to the Russian government as well: “The Delft-based company (expected earnings in 2013: 21 million Euros) offers online security solutions to some of the world’s most well-known institutes. This doesn’t just include NASA, NATO or the Dutch, Russian and Indian governments, but also multinationals like T-Mobile and GlobalSign, as well as organisations like the NVB and NOC/NSF (Dutch Olympic Committee).
Previous research by Buro Jansen & Janssen into the exports of Fox-IT showed that the company often has no knowledge about the end users of its products nor to which uses they’re being put.
The export of dual-use goods (goods with both a civilian and a military application, including IT technology and software) to countries outside the EU requires a licence. Companies have to apply for these licences with the Department of Export Control and Strategic Goods – which has resided under the Foreign Office since 2013 and resided under the Ministry of Economic Affairs before that.
In 2009 Fox-IT obtained an EAL-6 certification for the DataDiode, which meant the product required to be licensed. In 2010 an EAL-7 certification was obtained. The EAL (Evaluation Assurance Level) certification is used by Gengrinovich, Snitegroup, Simet and other intermediaries to promote the Fox DataDiode to potential Russian clients.
Buro Jansen & Janssen’s research from January 2010 ‘Fox-IT and the Dutch export policy on dual-use goods’ shows that Fox-IT obtained an annual global export licence in 2011, 2012 and 2013. This enabled the company to export to countries throughout the world – with the exception of so-called ‘difficult countries’ (like North Korea and Iran). It enabled Fox-IT to export to Russia. The export licence in 2011 specifically named the Fox DataDiode, though in the 2012 and 2013 licences no products were specified. It applied to ‘equipment for information security’, which could also include products like Redfox or Skytale. Until this day the Foreign Office still hasn’t revealed if any and if so, how many licences were requested and obtained by Fox-IT since 2013.
The export policy for dual-use goods is meant to prevent undesirable end use. The Handbook on Strategic Goods and Services states: ‘The Dutch dual-use export control system is based on risk analyses. The emphasis lies on preventative checks. The aim is to minimise the risks of undesirable end use or conduits to undesirable final destinations through risk analyses and where necessary the requirement of additional safeguards. Our research ‘Fox-IT and the Dutch export policy for dual-use goods’ shows that in reality hardly any risk analysis takes place. Fox-IT provides hardly any information whatsoever about the end users of its export products.
Our research shows Fox-IT often has no idea about the end users of the products it exports under the global export licence. When companies apply for export licences for a product that contains cryptography they have to fill out a so-called crypto form. Even though the DataDiode contains cryptography, Fox-IT failed to fill out a crypto form in the application process, which means the company didn’t have to deliver as much information about its end users. The form specifically asks into which of the four categories the end user falls (financial institution, government institution, company, private use).
From Buro Jansen & Janssen’s research ‘Fox-IT in the Middle East’ from April 2019 it was also clear that Fox-IT doesn’t have much insight into whom the end users of its products are. The Delft-based company has been co-operating with the German company AGT (Advanced German Technology) in the region since 2007. In the partner and reseller agreemeent with AGT no conditions were stipulated concerning to which countries and clients AGT was allowed to sell on Fox-IT’s products. This meant Fox-IT had little idea where its products ended up or to what purposes they were put.
Fox-IT and the Russian intermediary trade
The trade in Russia is also lacking transparency into end users. Fox-IT uses different partner companies in Russia who are allowed to try and sell its products as intermediaries. On its website the company refers to Snitegroup as a partner since 2011, later on OSIsoft (from 2014) and Axoft (from 2015) were also added.
However, other Russian companies also offer the Fox DataDiode without being mentioned as a partner or reseller by Fox-IT. This, for example, concerns ARinteg (from 2012), RTSoft (from 2013) and the International IT Distribution Group (from 2011). It’s remarkable these companies aren’t mentioned as partners by Fox-IT on its website. Therefore it’s questionable whether the Delft-based company knows its products are being offered for sale by these companies in Russia.
The relation between the Swiss Snitegroup and the Russian IT Distribution Group (ITD Group) is an indication of how the end users are obscured from the view of Fox-IT’s dual-use products exports.
Fox-IT and Snitegroup sign a reseller agreement on February 1st, 2011, which allows Snitegroup to sell the company’s products in Russia. Four months later, Snitegroup signs a non-disclosure agreement (NDA) with ITD Group, a Russian distribution company for hardware and software. This allows ITD Group to sell on Fox-IT products without Snitegroup having to disclose to whom they’re selling and for which purposes the products will be used.
Caterina Beretti, the Swiss co-owner of Snitegroup, claims that after the NDA was signed trade with the Russian company immediately began. “Mit der Firma International IT Distribution Group hat die Snitegroup im Mai 2011 ein Non-Disclosure Agreement unterzeichnet. Es wurden auch in 2011 Geschäfte zwischen der International IT Distribution Group und der Snitegroup GmbH abgewickelt.” Due to the NDA Beretti can’t provide any further details: „Uber die Art der Geschafte kann ich aufgrund des Non-Disclosure Agreements keine weiteren Auskunfte geben.”
Much as we’ve seen with the co-operation between Snitegroup and Simet, Gengrinovich also forms the connection with ITD Group. ITD Group copies the contents of his Snitegroup presentation of June 6th, 2012, about the Fox DataDiode in full, only replacing the contact details of Snitegroup with their company’s website: iitdgroup.ru.
On February 1st, 2014, ITD Group publishes an article about Fox-IT and the DataDiode on its website, which states: “Fox-IT solutions are already being used by government agencies, defense organizations, law enforcement agencies, life support facilities, banks and large commercial organizations around the world.” The article specifically focuses on the DataDiode. “In particular, one of the key solutions offered by the company is Fox DataDiode.” Accompanying the article is a PDF about the product (file name Crypto-_Fox_DataDiode_for_protecting_secrets-RU). It’s the translation of a PDF that can also be found on NATO’s website.
According to ITD Group the Fox DataDiode is being used by government departments and organisations in defence and law enforcement, though it doesn’t specify if it means in Russia. ITD Group does claim on their website that they have Russian government organisations and banks among their clients: “Leading Russian banks, state organizations, utility, telecom, insurance and transportation companies entrust their security to our company.”
Fox-IT has never mentioned ITD Group as a partner or reseller on its website. However, the Delft-based company does have connections to the company. From October 1st to 4th, 2013, Fox-IT is present at the annual VIP conference of ITD Group in Tel Aviv (Israel), “Trends in the Development of Information Security of Modern Business.” Different companies visit the fair: “There will be a great opportunity to try the latest products and ask questions to representatives of vendors – Skybox, PineApp, Intellinx, Checkmarx, WhiteBox, Fox-IT and CyberArk.” It’s not clear whether Gengrinovich was present at the fair, though he does live in Israel part of the time.
In June 2015, Gengrinovich partly transfers to ITD Group. Next to his job for Snitegroup he starts working as an advisor to the General director dealing with information security and product development in that area. In his curriculum vitae he states: “Since June 2015, he has been working in the company AITIDI Group as Advisor to the General Director responsible for the development of the business in the direction of Protection of critical information infrastructure, as well as the development of the company’s product line in this area.”
Regarding ITD Group’s foreign partners Gengrinovich writes: “The work is carried out in constant interaction with potential Customers, Partners and experts, including foreign ones (Israel, Netherlands, Switzerland, Bulgaria).” These countries (with the exception of Bulgaria) are the same ones as the international connections of Snitegroup and Simet.
The war in Eastern Ukraine; Fox-IT sales continue
In 2014 the annexation of Crimea, the war in Eastern Ukraine and the downing of MH17 led to the implementation of sanctions against Russia by the US and the EU.
These developments have no impact on Fox-IT’s sales activities in Russia. Even though Ronald Prins mentions in an interview with Bits & Chips on November 17th, 2015 that the sale of the DataDiode is now prohibited “we also sold it to Russia – that’s no longer allowed -…”, the company doesn’t make any statements about the consequences of the international sanctions on its activities in Russia, for example about stricter checks on end users of the company’s exported products, in any of its company’s internal communication.
Neither does Fox-IT reflect on its co-operation with its Russian partners: Snitegroup, Simet and Gengrinovich continue their sales activities.
In May 2014 the website foxitcis.com goes live. The owner and contact person for the domain is Gengrinovich. On the home page the Fox-IT logo is displayed next to that of Snitegroup. The website is aimed at the sales of Fox-IT products in CIS-countries, including Russia: “Fox-IT (Netherlands), together with partner SNITEGroup GmbH (Switzerland), present information security products for the CIS countries.” It’s not just the website, Gengrinovich also starts introducing himself as Fox-IT representative.
On May 28th, 2014, Gengrinovich delivers a presentation during the OSIsoft Regional Conference in the Milan Hotel in Moscow. OSIsoft is an American company for application software, with a branch in Russia. The presentation is about technological solutions for information security (Information security of technological segments of a data transmission network). On its YouTube channel the Russian is introduced by OSIsoft Russia as representative of the Delft-based company: “Evgeny Gengrinovich, company “Fox-IT””.
In February and March 2015 Gengrinovich publishes two articles in the Journal ‘Automation in Industry’. Both articles deal with the DataDiodes and the security of vital infrastructure and public networks. The article ‘Information Security of Critical Infrastructure’ describes Gengrinovich as a technical advisor to Fox-IT: “Technical advisor Fox-IT.”
Russian FSTEC certification
For Fox-IT’s trade in Russia it’s important to have their products certified. This increases the Delft-based company’s chances on the Russian market. Russian certification means the product becomes more interesting, especially to large (government) companies. And also to the lucrative market of the security industry (investigative and information work as well as defence).
The Russian certification process for the Fox DataDiode was started in 2013. In the technological fact sheet of November 1st, 2013, Fox-IT writes with regards to the Russian Federation: “ФСТЭК (FSTEC) certification in process.”
FSTEC (Federal Service for Technical and Export Control) is the Russian agency concerned with counter espionage and the security of state secrets. According to a number of stipulations by FSTEC in February 2013 and March 2014 (Orders numbers 17, 21, 31 of February 11th and 18th, 2013 and March 13th, 2014 respectively) guidelines and checking mechanisms were put in place for the admission of foreign equipment to the Russian market.
The war in Eastern Ukraine, the downing of MH17 and the international sanctions are no reason for the Delft-based company to halt the certification procedure. To keep potential clients abreast of progress made in the procedure, from 2013 Fox-IT regularly updates its technological folder for the DataDiode. For example on June 17th, 2014, a few weeks prior to the downing of MH17 and in 2015.
Fox-IT didn’t start the certification process itself. The procedure was initiated by ARinteg, the company that has offered the Fox DataDiode since April 1st, 2012. Of all the Russian intermediairies offering Fox-IT products, ARinteg is the only company in 2013 that is in possession of the FSTEC licence (since February 3rd, 2010).
The certification procedure was initiated by ARinteg, but behind the scenes Evgeny Gengrinovich has played his part. In his curriculum vitae he writes that he carried out work on FCSTEC certification from 2010 till 2014:“in 2010-2014, work was carried out on the certification of a number of IT solutions at the FSTEC.” The major ‘IT solution’ Gengrinovich worked on during those years was the Fox DataDiode.
The FCSTEC certification process is successful. On November 3rd, 2015, ARinteg writes on its website: “According to the results of tests on the complex, a certificate of conformity No. 3446 was issued.” On the FSTEC website the certification of the Fox Datadiode is given as August 27th, 2015 till August 27th, 2018.
To clarfiy things ARinteg indicates that the use of the Fox DataDiodes in Russia has been regulated by the FSTEC: “Since 2013, the use of unidirectional data transmission systems in the Russian Federation has been regulated by orders of the FSTEC (Orders 17, 21 and 31).” Fox-IT mentions the acquired licence in their technicologal folder about the DataDiode.
In its technological folder of March 4th, 2015, Fox-IT still writes how the DataDiode holds NATO certification ((“NATO up to and including NATO SECRET, Green Scheme”) and Dutch certification (“The Netherlands up to and including Staatsgeheim GEHEIM, by NL-NCSA/NBV (National Bureau for transmission security)”). At the end of August 2015, after a process of two years apparently, the Russian certification is added. The Delft-based company writes about the process: “This extended certification scope is a result of the Russian government policy on IT security certifications.”
JSC NPO Echelon; intelligence service operation?
Trading with Russia is impossible for Fox-IT without co-operation with the Russian intelligence agency FSB. The FSTEC, who deals with the certifications, resides under the Ministry of Defence and co-operates with the FSB. Due partly to the increased tension between Russia and the West, certification of IT technology becomes an increasingly important component for the intelligence sector from 2013 onwards. Russia doesn’t want foreign eqiupment to be used for spying purposes, but at the same time it seeks to obtain knowledge about the latest foreign technology. Obviously, the US and the EU have the same considerations.
It’s politicised the FSTEC certification. According to several American technology companies the Russians can discover vulnerabilities in products and use that knowledge in hacking attempts: “Those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code – instructions that control the basic operations of computer equipment – current and former U.S. officials and security experts said” (Reuters 23 juni 2017).
Where American companies have reservations about the certification process, Fox-IT has none. The company does mention the involvement of the Russian Ministry of Defence in the certification process in its technical folder for the DataDiode: “Russian Federation certificate of the Ministry of Defense of Russia for compliance with Level 2 NDV and RDV control *), by CNII EISU (CNII EISU). Certificate on code review and software testing against Russian Ministry of Defense requirements to undeclared features (level 2) and functional requirements correspondingly.” Contrary to American companies, the Delft-based company has no qualms about it.
One of the American companies, the renowned cyber security company Symantec, decided no longer to co-operate with the Russian governments’ request to view the source code of its products. It’s a decision with consequences for Symantec, because the rejection means the company’s products will no longer be allowed on the Russian market. In 2017 Symantec tells Reuters they believe one of the laboratoriums isn’t independent enough from the Russian state: “Symantec said one of the labs inspecting its products was not independent enough from the Russian government” (Reuters 23 juni 2017).
Symantec is talking about JSC NPO Echelon, one of the Russian companies that execute the certification process. Symantec doubts the company’s independence: “The lab “didn’t meet our bar” for independence.”
The name of the company is a Russian wink to the worldwide tapping programme of the US, the UK, Canada, Australia and New Zealand (the so-called Five Eyes), also known as Echelon. Symantec’s refusal is all about the central role the Russian intelligence agency FSB plays in the certification process. They believe Echelon is independent on paper only, but in reality strongly linked to the Russian army and FSB.
The involvement of the Russian intelligence service was the reason for Symantec not to have its products certified. Fox-IT doesn’t share their objections and has never openly spoken about possible risks regarding the FSTEC certification. Though the company Echelon has also examined the DataDiode, possibly also for vulnerabilities that can be used in hacking attempts.
Fox-IT doesn’t talk about this risk. It says in its technical folders: “The scope of the Russian security certifications however also include the software that is provided with the device and runs on the proxy servers.”
Fox-IT knows that during the certification process both hardware and software are subjected to rigorous screening: “As a result, these certifications do not only warrant the enforced one-way network connection of the Fox DataDiode hardware, but do also warrant the absence of undeclared features (e.g. backdoors and spyware) in the Fox DataDiode software.”
Fox-IT adds somewhat cryptically that the Fox DataDiode can be obtained from unnamed Russian ‘trusted sources’ and that Fox-IT can provide a Russian standard validation: “The certified Fox DataDiode software can be collected from trusted Russian sources. GOST fingerprints are available upon request.”
Trading interests weigh more heavily than any risks with the FSTEC certification for the Delft-based company. Certification of the DataDiode opens up new opportunities for Fox-IT on the Russian market. This is shown in the sales activities of the Russian intermediary ARinteg.
ARinteg: Supplying state banks
The Moscow-based company ARinteg focuses on systems integration and information security. It’s been offering the Fox DataDiode since 2012, even though Fox-IT has never mentioned the company as either a partner, distributor or reseller.
ARinteg has close ties to the Russian government. This isn’t only clear from its role in the certification process of the DataDiode, but also shows in its client base. Many of its customers belong to the Russian state-controlled financial sector, like the Russian Bank of Development Vnesheconombank VEB, Promsvyazbank and its subsidiary Sviaz Bank, Bank Trust and Project Finance Bank.
Potential interest in the DataDiode was already established with state customers before it got its certification. The Vnesheconombank VEB already put out a tender for a DataDiode in 2013. It’s unknown whether ARinteg actually sold the product to the bank. It is known that ARinteg executed a project for the Vnesheconombank VEB that seems to indicate the application of a DataDiode. The company mentions on its website: “Implement centralized management of the anti-virus and other malicious code protection system.”
It’s not just the Vnesheconombank VEB that’s shown an interest in the DataDiode. After the Fox DataDiode was certified in August 2015, ARinteg commercial director Dmitry Slobodenyuk claims in the National Banking Journal of December 7th, 2015, that it’s very important for the company to have the option of one-way exchange of information in its assortment.
One of the biggest banks in Russia is looking to implement it. “Also significant for us was the commissioning of a software and hardware complex for one-way information transfer in one of the largest banks in the Russian Federation.” Slobodenyuk is talking about the Fox DataDiode. He specifically mentions the FSTEC certification: “We have certified this solution at FSTEC and are piloting it in several large companies.”
ARinteg has sold the Fox DataDiode to one of Russia’s biggest banks, though it doesn’t reveal to which bank. The biggest banks in Russia in 2014 are the state banks Sberbank, VTB Bank and Gazprombank. Followed by a subsidiary of VTB Bank, VTB24, the Otkritie FC Bank and Alfa Bank.
In 2014 ARinteg mentions on its website several different banks as customers: the state banks Vnesheconombank VEB, Promsvyazbank, Sviaz Bank, Bank Trust and RPFB Project Finance Bank and a private bank, Alfa Bank.
ARinteg’s commercial director Dmitry Slobodenyuk doesn’t specify to which banks and companies the Fox DataDiode has been sold. Chances are real that Fox-IT’s dual-use products have ended up in the hands of the Russian defence industry. Besides its many customers in the Russian state-controlled financial sector, ARinteg also has customers in the defence industry.
One of these clients is the defence company VPK NPO Mashinostroyeniya, which started focusing on other things besides military products after the Cold War, but does still produce missiles for the Russian navy. It was one of the first companies the American government put on its sanctions list after the invasion of Crimea on July 16th, 2014.
Russian banks and the defence industry
The close ties between the Russian financial sector and the Kremlin have led to international sanctions against several Russian banks after the occupation of Crimea in 2014, including some customers of ARinteg.
The first banks to be put on the US and EU sanctions list in 2014 were the three largest state banks Sberbank, VTB bank and Gazprombank. Later that year Vsneheconombank and Alfa Bank, both ARinteg customers, were added to the list.
It’s not just the banks that were put on the sanctions list. In 2018 a number of top executives of the banks were also put on the American list, including Sergey Gorkov of Vnesheconombank, but also German Gref of Sberbank, Andrey Kostin of VTB bank and Andrey Akimov of Gazprom bank.
Of ARinteg’s customers Alfa Bank stands out particularly. At Alfa Bank ARinteg modernised the anti virus protection. About the project it mentions on its website: “Modernization of the anti-virus protection system to bring it in line with the level of modern threats.”
Though Alfa Bank is a private bank, it has strong ties with the Kremlin controlled Russian defence industry. The Russian newspaper Novayagazeta writes about it: “For years before 2018, Alfa Bank provided substantial loans to subsidiaries of Uralvagonzavod (produces up to 40% of Russian military equipment) and other affiliate entities of the Ministry of Defense and Chemezov’s Rostechnology.”
The bank also has close ties with the Russian nuclear sector. According to the New York Post: “Alfa Bank provided financing throughout the 2000s to Atomstroyexport, the state-owned Russian nuclear vendor that installed the reactors at Bushehr, Iran.”
Besides the financial links to the Russian government, Alfa Bank also has contacts with Russian intelligence, specifically the foreign intelligence agency SVR. Novayagazeta and The Moscow Times report: “Alfa bank representatives also have a long track record of cooperation with Mikhail Fradkov, head of SVR in 2007-2016, and Vladislav Surkov, Putin’s key advisor on propaganda.”
After the implementation of the sanctions Alfa Bank has trouble securing international credit, much like other Russian banks who finance the defence industry. Since 2017, Alfa Bank is apparently no longer involved in the defence industry. The role of financing the Russian defence industry has been obtained by another customer of ARinteg: the Promsvyazbank.
At the start of 2018 the Promsvyazbank, with the support of the Russian government, is rigged up mainly to support the defence sector: “Russia’s Promsvyazbank (PSB), bailed out by the central bank last month, will be recapitalised and transferred to the government and will service the defence sector, the finance ministry said on Friday.” (Reuters 19 januari 2018)
Fox-IT in English hands: Sales to Russia continue
On November 3rd, 2015, ARinteg obtains Russian certification for the Fox DataDiode. Twenty-two days later the Delft-based company is taken over by the NCC Group from Manchester. The take-over is presented in the media as an opportunity for Fox-IT to expand internationally.
The international sanctions against Russia are no reason for the Delft-based company to reconsider their trade with Russia. The DataDiode’s certification actually increases access to the Russian market and makes the product more interesting to large (government) organisations mainly, and on the lucrative market of the security industry (investigative and intelligence work and defence).
Therefore Fox-IT stays active on the Russian market. This is borne out by the LinkedIn page of Joy Meijneke. From April 2017 onwards as International Sales Representative she’s responsible for the sale of the DataDiode and other products in Russia, in co-operation with Russian partners.
She summarises her work as follows: “Managing opportunities for Fox-IT’s High Assurance products (DataDiode, SINA, SkyTale) in collaboration with field representatives. Responsible for inside sales, renewal business, development and employment of partners, and monitoring (partner and end-user) opportunities in the following countries: the Americas, Russia, Asia, Australia and New Zealand.”
Meijneke indicates having co-operated with representatives in the region. This probably would have been Snitegroup, among others, with whom Fox-IT has co-operated since 2011. Snitegroup remains a Fox-IT partner till 2019 when the company is removed from the Swiss trade register.
According to co-owner Caterina Beretti, Snitegroup hasn’t sold any Fox-IT products to Russia after the implementation of the sanctions: “Nach Inkrafttreten der Sanktionen gegen Russland wurden keine Waren mehr von der Fox-IT nach Russland verkauft.”
Snitegroup does appear to have sold maintainance contracts in Russia. According to Beretti this doesn’t break any sanctions, because a relationship with the receving party had already been established: “Im September 2014 wurde ein Drei-Jahres-Maintenancevertrag der Fox-IT nach Russland verkauft. Da der Endempfänger der Fox-IT bekannt ist, und ein schriftliches Angebot der Fox-IT vorliegt, geht die Snitegroup davon aus, dass Europäische Sanktionen durch diesen Wartungsvertrag durch die Schweizer Firma Snitegroup nicht verletzt wurden.”
But after 2014 Fox-IT doesn’t just co-operate with Snitegroup in Russia. The Delft-based company has expanded its Russian network of partner companies and intermediaries after the implementation of the international sanctions.
In 2014 the company enters into a partnership with OSIsoft, an American software application company with a subsidiary in Russia. OSIsoft becomes a Fox-IT technology partner.
In October 2015 Axoft becomes a partner, distributor and reseller for Fox-IT in Russia. The ties between the two companies aren’t new: in November 2014 an article about the Fox DataDiode already appeared in Axoft Times’ company magazine. The company is named as a partner on the Fox-IT website till June 2017.
According to its website, the Moscow-based software company is “the leading IT service distributor in Russia and CIS”. Axoft is distributor for more than 50 manufacturers. Axoft has remarkable ties to NPO Echelon, the company that executed the FSTEC certification for the DataDiode and maintains close ties to the Russian intelligence agency FSB. Since 2015 Axoft has been the only distributor of Echelon products in Russia and other CIS countries, also offering tecnnical assistance and complementary services.
Besides the partners mentioned by Fox-IT on its website, other companies also keep offering the DataDiode in Russia, without being named as partners by the Delft-based company. This concerns RTSoft, ITD Group and ARinteg.
The ITD Group has been involved in the sale of the DataDiode in Russia since 2011. ITD Group’s clients are state institutions and banks, according to their own site: “Leading Russian banks, state organizations, utility, telecom, insurance and transportation companies entrust their security to our company.”
ARinteg, the company that provided the FSTEC certification for the Fox DataDiode, has many customers in the financial sector specifically, but also in the defence industry. It sold the Fox DataDiode at least to one, but possibly several Russian banks in 2015.
The sales efforts of Fox-IT and its subsidiaries are successful. According to journalist Andrey Birukyov, the Fox DataDiode is being sold on a large scale in Russia. In 2018, in the January/February issue of technology magazine ‘System Administrator’ (samag.ru) Biryukov writes: “Another foreigner who was widely used in Russian enterprises in the past is Fox DataDiode from the Dutch company Fox IT.”
Supplies in 2019
With the Russian certification for the DataDiode in 2015, Fox-IT has increased its chances on the Russian market. At the same time, however, the Fox DataDiode also holds a NATO certification. The question is whether due to the risen tension between Russia and the West this NATO certifcate won’t stand in the way of any sales to Russia.
Andrey Biryukov summarises the situation in his article in System Aministrator in 2018 as follows: “The fact is that although this solution has a valid FSTEC certificate, however, Fox DataDiode also has a NATO Secret certificate.”
According to Biryukov Fox-IT won’t be supplying the DataDiode to Russia any longer: “And besides, at present, the company has presented a ban on the supply of this solution in Russia.”
It’s not clear on what he’s basing this assertion. Fox-IT has never announced to stop exporting to Russia in any of her company channels. Snitegroup and Simet were still mentioned as partners on the Delft-based company’s website till 2019.
And Fox-IT products are still finding their way to Russia after 2018. This has become clear from a DataDiode delivery made in 2019.
On March 25th, 2019, a parcel arrives in Saint Petersburg. It’s been imported by the company called Voortman Stil Mashinieri, the Russian branch of the Dutch Voortman Steel Machinery – a producer of steel processing machines. The administrative process of the transaction is handled by EMG (Emerging Markets Group), a Russian service company that works for western companies.
According to Russian customs agency an American Dell server has been exported: “The Fox DataDiode Ruggedized 1G” from the company Fox-IT, Olof Palmestraat 6, 2616 LM Delft, Netherlands.” Fox-IT uses Dell servers to transform them into DataDiodes.
Voortman has acquired the DataDiode from Fox-IT in 2019 and shipped it to her subsidiary in Russia. Russian customs reports: “The Fox DataDiode Ruggedized 1G is categorized under Export Control Classification Number (ECCN) 5A003 of the list of dual-use goods and technologies of the Wassenaar Arrangement (WA-LIST) 5A003b.” It also mentions the Delft-based company holds the relevant export licenses: “Fox-IT holds the necessary export licenses to be able to internationally provide the Fox DataDiode Ruggedized 1G to a very wide range of customers.”
It appears reasonably simple to export the Fox DataDiode to Russia without the intervention of intermediaries. Though the company involved is a subsidiary of Voortman, the product has passed customs formalities without any problems.
The text about the export licences in the Russian customs documents seems extraordinary. The export licence for the delivery is mentioned, but the text used, “Fox-IT holds the necessary export licenses to be able to internationally provide the Fox DataDiode Ruggedized 1G to a very wide range of customers”, is identical to the text in Fox-IT’s technical folder about the DataDiode from March 2015. Exporting dual-use goods, like the DataDiode, to Russia can only be done under licence. The customs documents, however, don’t specify the export licence provided by the Foreign Office.
The Russian customs documents also mention the fact that it concerns a server of the American company Dell as a part of the Fox DataDiode. American sanctions against Russia (and other countries against which export restrictions are in place) are stricter than European. They also apply to American parts used by non-American companies, like Fox-IT, in their products.
Fox-IT, Gengrinovich and the Russian intelligence agencies
Trading with Russia would be impossible for Fox-IT without involvement of the Russian intelligence agency FSB. Many of its intermediaries and potential clients, as well as the FSTEC that provides the certifcation for the DataDiode, have direct links with the Russian state and/or the intelligence agency.
The role of the Russian intelligence agency is revealed in the person of Evgeny Gengrinovich. He plays an important role in Fox-IT’s trade with Russia. From 2011 onwards he promotes the Fox DataDiode on behalf of the Swiss Snitegroup and the Russian Simet, while he later presents himself as Fox-IT representative and plays a key role in acquiring other intermediaries, notably the Russian ITD Group.
It’s unclear how far the Delft-based company has gone to establish the position of its intermediary. Gengrinovich not only has close links to Russian state companies, but also to the Russian intelligence agency FSB. His company Simet held a licence to work with state secrets and he did certification jobs for the FSTEC and the Ministry of Defence.
In September 2017 his connections to the Russian intelligence agency (once again) become clear. Gengrinovich transfers to a company with close ties to the FSB. He leaves ITD Group to become advisor to the general director at Infotecs.
Infotecs (Information Technologies and Communication Systems) is a private company with close links to the Russian intelligence agency FSB. Infotecs and its subsidiary Advanced Monitoring, the company’s research branch, are active in the field of information security.
However, Infotecs isn’t just any information security company. It’s part of the TK 26: theTechnical Committee for Standardization “Cryptographic Information Security” of the FSB. The other company that resides in this committee is the Kvant Scientific Research Institute. Kvant develops tapping and surveillance technology for the Russian intelligence services and has fallen under the direct control of the FSB since 2010. Former Kvant director Georgy Babakin worked for the FSB for 15 years.
Infotecs, Advanced Monitoring and Kvant were in the news in 2015 due to the Hacking Team documents. These hacked documents provide an insight into the sales and customers of the Italian company Hacking Team, which sells software to police and security services with which it’s possible to decrypt encrypted digital data traffic and listen in.
From these documents it transpired that Hacking Team had been selling its digital weapons via Infotecs, Advanced Monitoring and Kvant to the FSB. From 2012 to 2014 the FSB paid the Italian company, through Kvant and Infotecs, 450,000 euros for the digital weapon Remote Control System. The director of Advanced Monitoring, Aleksey Kachalin, who was in contact with Hacking Team moved to the largest Russian state bank, Sberbank, in 2017.
In 2018 the US declared sanctions against Infotecs and Kvant. The companies are being accused of facilitating the Russian intelligence services in executing digital attacks against the US. The European Union hasn’t implemented the sanctions against Infotecs and Kvant yet.
The American sanctions against Infotecs shine a weird light on Fox-IT’s trade with Russia. In 2018 the company where Gengrinovich is director (Snitegroup) is still a Fox-IT partner, but his employer (Infotecs) has been put on the American sanctions list due to its ties to Russian intelligence.
It’s symbolic for the ambivalent attitude of the Delft-based company towards the Russian intelligence agency. Trade with Russia is impossible for Fox-IT without involvement of the Russian intelligence agency FSB. At the same time the company regularly warns about the dangers the FSB poses to Dutch national security.
Why does Fox-IT trade with Russia?
Fox-IT has good connections with the Dutch government and the Dutch intelligence agency AIVD. Dutch defence industry, the investigative and intelligence branches, are a major client for the Delft-based company that provides the security of state secrets. The Delft-based company lobbied openly for the Law on the Intelligence and Security Services (WIV 2017) during the referendum in 2018.
Just like the AIVD, Fox-IT has been warning for years about Russian hackers, whether they’re connected to the Russian state or organised crime. Co-founder and former director Ronald Prins is a guest in a TROS (Dutch broadcasting company) radio show to talk about the ties between Russian hackers and the maffia, he also talks about this in Computable. In the 8th issue of its newsletter Fox News, the company even uses Russian hackers to promote its own business: “Fox-IT can obviously be of service in this area.”
In 2008, Prins is a regular guest in media talkshows about Russian and Chinese spying activities in Holland. Whether the spying from Russia comes from the government isn’t easily established, according to Prins, but he does believe the state can be an actor.
At the start of 2012, the Delft-based company writes about the Russian intelligence agency FSB. On March 20th, 2012, Fox-IT publishes an article on its website about the arrest of eight hackers by the FSB. “Russian authorities have arrested eight men accused of creating and distributing the Carberp banking Trojan in Russia and the Netherlands.” Fox-IT writes that the company was the first to notice the use of malware by this group.
In 2015, once again the connection between the Russian intelligence and Russian hackers is confirmed. In co-operation with the American FBI and the company Crowdstrike, Fox-IT presents an investigation into the malware GameOver Zeus, which is allegedly a product of the growing co-operation between the Russian intelligence and cyber criminals, during the Black Hat conference in Las Vegas
Their warnings about Russian intelligence services are hard to allign with their sales activities in Russia. Especially considering the fact that with the Russian certification of the Fox DataDiode its vulnerabilities could fall in the hands of the Russian intelligence services and be used in hacking attacks. For the American company Symantec this was enough reason not to comply with the certification requirements for its products. However, Fox-IT doesn’t share their objections.
Fox-IT continues their sales in Russia, even after the implementation of international sanctions in 2014. Even while the company often lacks any insight into the end users of the products exported to Russia and doesn’t know to whom its products are sold on or for what purposes they’re used. The risks of undesired end use is significant, considering Fox-IT sells through intermediaries with close ties to Russian state companies as well as to the Ministry of Defence, defence companies and the Russian intelligence agency FSB.
The human rights situation in Russia is no reason either for Fox-IT to reconsider its sales in Russia. When Fox-IT started on the Russian market in 2010, there was already repression of political opposition, human rights activists and journalists taking place. This was already clear from the murder of the journalist Anna Politkovskaya and the critical former intelligence service employee Alexander Litvinenko in London and in 2009 with the lawyer Sergei Magnitsky who died in a Russian cell from injuries sustained from government officials.
The human rights situation has deteriated further in time, also with regards to internet freedom. From 2014 Russia was placed on the Reporters without Borders’ list of Enemies of the Internet, an overview of countries who severely restrict internet freedom, for example by blocking access or monitoring internet traffic. From 2010 until 2013, the country had already been put on a precursor to the Enemies’ list of Reporters without Borders’ in connection with litigation that put individuals on an internet blacklist (Internet blacklist law). The lists were part of measures to repress the anti government protests from 2011 to 2013.
Fox-IT’s choice to enter the Russian market, despite the deteriorating human rights situation, and to remain active is not exceptional. The Delft-based company previously got into trouble for dealings in the Middle East. During the Arab spring of 2011 the company tried to sell its products to government institutions and intelligence services in countries with a dubious reputation for human rights, like Syria, Egypt, Saudi Arabia and the United Arab Emirates.
Additional investigation into Fox-IT necessary
Co-founder and then director Ronald Prins acknowledges in 2015 that Fox-IT has exported the DataDiode to Russia, including to the Russian government. “That diode is something of a success, it’s travelled the whole world. We also sold it to Russia – which is no longer allowed – and to India and America. All outside of Europe; governments there more or less demand this kind of solution for critical infrastructure,” says Prins in an interview with Bits & Chips on November 17th, 2015.
Prins implies in 2015 that Fox-IT hasn’t sold the DataDiode to Russia any more after the implementation of the international sanctions. From this research by Buro Jansen & Janssen, however, it appears Fox-IT did go on selling to Russia after the international sanctions of 2014. The company continued expanding its network of intermediaries. With the certification of the DataDiode the company increased its access to the Russian market, mainly to government organisations and the security industry market.
The Dutch export policy for dual use goods aims to prevent undesirable end use. Companies are expected to provide information about the end users of its exports. In recent years checks on undesirable end use have been tightened. The Public Prosecutor’s office has started proceedings more often against companies that don’t follow the rules and are too neglectful in their monitoring of the end users to whom their products are exported and for what purposes they’re used.
The risk of undesirable end use is real. In Russia Fox-IT co-operates with many different partners that sell on their products, but the company has little insight into the end users and to whom their products are offered and sold on by intermediaries. These intermediaries have close ties to Russian state companies in the energy and financial sectors, but also with the Ministry of Defence, defence companies and the intelligence agency FSB.
From 2011 to 2013 Fox-IT obtained a global export licence annually, which enabled it to export to Russia.
It’s unclear whether Fox-IT has requested or obtained a global export licence nor one specifically for Russia. The Foreign Office has made no documents to this effect public, even after several FOIA requests by Buro Jansen & Janssen. The export of dual use goods, like the Fox DataDiode, without an export licence to countries outside the EU is a criminal offence.
After the implementation of European sanctions against Russia in 2014, export of dual use goods to Russia with a licence remains possible. Export for military purposes, however, is illegal. This pertains not only to the Ministry of Defence and the army, but also to intelligence services, the Home Office and other organisations that are responsible for national security, police and law enforcement. With the in 2015 obtained Russian certification, the Fox DataDiode actually became more interesting to such organisations.
The Fox DataDiode was certainly delivered to Russian banks in 2015. Many Russian banks were put on the American and European sanctions list due to their ties to the Russian defence sector.
Additional investigations into the possibly criminal behaviour of Fox-IT in Russia seems to be in order.