Spies Without Borders - How the FSB Infiltrated the International Visa System

One of the unanswered questions lingering after Bellingcat’s unmasking of the identities of suspects in the botched-up poisoning of Sergey and Yulia Skripal, is how two (or, likely, more) undercover GRU officers were able to obtain visas to travel to the UK. Securing a visa to the UK – as to most of EU destinations – is not a trivial procedure. A single-entry visitor visa is relatively straightforward to procure – it requires either an invitation from a UK resident or business, or a pre-arranged tourist trip.

To get a long-term, multi-entry visa – the kind the two GRU officers are reported to have used – a Russian applicant must go through many more hoops. The visa-seeker must make a convincing case for their need for multiple trips and present evidence for both their steady links to their home country, and their financial capability to sustain themselves in the UK over an extended period. The UK consular section makes a concerted effort to validate the data provided by applicants, and is known to reject applicants – even such with a prior multi-entry visa – once they discover an inconsistency in the “back story” presented by a would-be visitor. The following rejection letter sent to an applicant who had a prior six-month multiple visa to the UK, exemplifies the “paranoid” attitude applied by the UK consular service, including its focus on provenance of claimed income.

Given this dense sieve and eagerness to make background checks, how was it possible that the UK Consulate in St. Petersburg issued multi-entry visas to two non-existing personas who allegedly claimed that they were “international businessmen” with well-stocked bank accounts? This question is especially relevant given that a simple search in readily available Russian open-source business databases shows that neither of the two fake personas were registered as owners – or members of management – of a single currently operating Russian company. Bellingcat’s extensive search through corporate registries in Russia established that the only company in which “Boshirov” had been formally employed was Kursor Ltd, a Moscow-based “manufacturer of medical equipment” which was liquidated only months after Boshirov received his cover identity in 2009.

Yet, the non-existent personas “Boshirov” and “Petrov” were apparently able to secure multi-entry visas to the UK, as well as multi-entry Schengen visas, on which they both crisscrossed Europe, visiting the UK at least four times, and repeatedly travelling to at least 7 other EU countries in the period 2014-2018.

In a two-part investigation, Bellingcat and the Insider tries to determine how Russia’s security services attempted to crash through the visa firewall of the UK and other EU countries, and to obtain unconstrained access to their operational playground in Western Europe. While our investigation does not definitively prove that Russian agencies were successful in these concrete efforts, it does paint a picture of a strategic, long-term Russian effort to compromise the visa issuance system, as well as to gather intelligence on potential travelers’ plans – both from Russia to Western Europe, and the other way around.

Part I: Hacking the UK Visa System

As Bellingcat investigators were working on the discovery of real identities of “Boshirov” and “Petrov”, Vadim Mitrofanov[1] – a highly proficient Russian IT specialist awaiting a decision on his family’s asylum request, contacted us with what he thought was a piece of information relevant to the Skripal poisoning case.

Vadim told us that two years earlier, in 2016, he had been working as chief technical officer at a company that is providing exclusive visa application processing services to consulates, including the UK consulates in Russia. As he confessed to us, at that time he had been recruited – under duress – as an undercover collaborator for the FSB, Russia’s ignominious domestic security service. The FSB had planned to use Vadim to try and breach the confidential information flow of visa applicants at the application processing company, as well as to compromise the actual visa issuance system at the British consulate. In Vadim’s own words, in June 2016, his FSB handler had asked him if it was possible to organize visas for “a couple of guys who need to visit the UK”. “It’s important that their passports are accepted and approved directly by the consulate, without any review and background checks and without leaving any trace in the visa center“, the FSB handler had told him. Vadim had replied that this was virtually impossible unless they had an insider at the embassy.

Outsourcing Data Is a Matter of Trust

Nearly a year after he was recruited by the FSB, Vadim arrived in the USA with his family on a visitor’s visa and applied for political asylum for his family and himself. The reason – laid out eloquently in a 10-page deposition to the US authorities, which Bellingcat and the Insider have reviewed, was that – having been forced to collaborate with the FSB, he had ultimately consciously sabotaged their work.

Vadim is a highly trained IT specialist; a graduate of a respectable Moscow engineering university.

In 2015, he was working at the Beijing-based global headquarters of TLSContact , a leading provider of IT and logistical services to consulates. In short, the company was helping embassies of various countries process huge volumes of visa applications, leaving only the final decision-making – and visa issuance process – to the consulates themselves. In many countries the company is the exclusive outsourcing partner for the consulates of a number of EU countries.

Vadim’s job included designing computer systems in new locations as the company expanded its presence out into more and more countries. He also was also the company’s key specialist in the development of a portable and on-site biometric data collection.

Outsourcing pre-processing of visa applications requires a great deal of trust on the part of the consulate, as it allows a private company to collect gigantic volumes of personal information, documents and biometric data of applicants, only a portion of which is passed on to the consular department. Naturally, all employees of TLSContact and similar companies are required to undergo security screening, As Vadim’s job required him to work on the territory of various consulates, he had to pass security screenings and internal background checks, and to provide proof of a clean criminal record at regular intervals. Consequently, he was entrusted with full access to applicants’ confidential biometric data, and his role in the company expanded. He worked closely with the IT departments of visa sections of EU embassies.

In late 2015, Vadim was transferred to the company’s Moscow branch. TLSContact’s Russian office was already providing near-exclusive visa application processing to the UK and Swiss consulates at that time, and it aimed to grow its market share further.

A Family Nightmare Orchestrated by the FSB

When starting his work with the company, Vadim was living in China, where he had married a woman from Mongolia and the two had a young daughter. To bring his family with him, Vadim needed to organize a residence permit for them as they did not hold Russian passports. He took his wife and daughter with him to Russia on the visa-free arrangement between Russia and Mongolia, as they planned to apply for a residence permit on-site in Russia.

What ensued after their arrival to Russia was the stuff of nightmare. Over the following six months, the authorities placed all imaginable bureaucratic hurdles – lawful and blatantly illegal – on his family, in what he believes was a carefully choreographed attempt to force him to collaborate with the FSB. His mother, who they were living with – was repeatedly harassed by immigration authorities, her house was searched “for illegal immigrants” and she was threatened with jailtime for harboring “illegal aliens”. His wife and daughter had to repeatedly leave the country and re-enter in order to not run afoul of the 30-day limit on visa-free stay; upon each re-entry, the migration office required that the whole application process be started anew – creating a vicious unending bureaucratic loop. All objections by Vadim and his family that these hurdles breached Russian laws were left unanswered; a human rights ombudsman rejected their complaints with no motivation. Ultimately, the federal migration service rejected – with no explanation – Vadim’s family application for residence permit. At this point Vadim realized this was more than a random confluence of Russia’s notoriously incompetent bureaucracy. He submitted a court claim against the Federal Migration Service.

It was also at this point – in March 2016 – that he was approached by the overly friendly “Andrei’ who offered to make all his family’s problems to go away. Later Andrei would intimate to him that Vadim had elicited the security service’s attention nearly a year earlier, in March 2015, when Vadim had applied for a passport renewal at the Russian embassy in Beijing. His professional qualifications – and access to confidential information about Western countries visa issuance systems – had made him a prime target for the FSB.

“It Would Be Unpleasant If Your Wife Had To Await Her Deportation In Jail”

The first encounter with Andrei was a phone call from an unknown number that resulted in a meeting at a Moscow café near the TLSContact office. Andrei told Vadim that he was trying to help resolve the unpleasant situation around his family, but that “things did not look good”, and unless a resolution was found, he might have to initiate criminal proceedings against Vadim’s mother for being accessory to illegal immigrants. Furthermore, Andrei said, he might need to initiate an inspection to Vadim’s current residence in Moscow, implying that his wife and daughter – whose latest application had been rejected – would be arrested. “It would be unpleasant if your wife had to wait for her deportation in jail”, he said. As an alternative, Andrei laid down on the café table a blank “Agreement for cooperation with the FSB”, explaining that if he signed it, Vadim would have to provide to the FSB information relating to his work at the visa application center. Vadim had no choice but to sign the agreement, which read bluntly:

“I voluntarily agree to provide consulting services to the FSB, and so to assist operational activities. I acknowledge that I was informed that the disclosure of the existence of this cooperation will be considered as a disclosure of State secrets, punishable by imprisonment under the Criminal Code”

Over the next few weeks, Vadim noticed symptoms of the migration authorities starting to ease the pressure on his family. In parallel, “Andrei” made more specific requests: he wanted information on TLSContact’s internal regulations and organization structure, on the IT network and infrastructure designs: as well as on usage of intrusion detection systems. Vadim complied with the requests, providing fake data, with IDS honeypots set in place.

Shortly after handing over the “network map”, Vadim says he noticed intrusion attempts. When he dived deeper into the access logs, he realized that the FSB already had pre-existing access to the CCTV cameras installed in the visa application center. He surmised that the access had been gained by eaves-dropping on the internet traffic (the SORM-2 system, allowing the FSB to monitor virtually all unencrypted traffic, is mandatory for all ISPs in Russia).

Later Vadim also noticed that at least one of the CCTV camera’s firmware had been modified to provide a backdoor to the internal network. Without being specific enough to risk Andrei’s ire, Vadim generically alerted the company’s security team of the possible risk posed by discovered vulnerabilities.

In early April 2016, Andrei introduced Vadim to “Alexander” – who was presented as an expert from FSB’s K (cyber-crime) department [correction: the FSB cyber-crime department is called 18th Center. “K” is the Ministry of Interior cyber-crime department]. Alexander asked deeper questions relating to the company’s internal network structure, and showed Vadim what appeared to be an outdated network diagram, asking him to confirm if the network layout had changed since the FSB obtained it. “Alexander” was also interested in the logistical interaction between the company and the embassies: specifically, he asked about the route of delivery of passports to consulates, and about the control of access to computer systems on the consulate territory.

Thwarted Attempts to Escape

Conscious that he had to play along with the FSB escalating requests, but uneasy with his own forced complicity in breaching the security of his employer – and of foreign embassies, Vadim devised a plan to extricate his family and himself from Russia.

Over the next months, Vadim’s family made several attempts to leave Russia, each time being intercepted by border guards – or on one occasion by “Andrei” himself, and each time with escalating warnings that he shouldn’t make further attempts until they were happy with his deliverables. Vadim and his family, including his underage child, were locked up in detention several times, each time released hours later following a “good cop” intervention from “Andrei”. In one case, his wife was arrested and kept in a men-only detention center until a court hearing, despite her advanced pregnancyVadim realized that FSB needed his family in Russia as a form of leverage over him, and decided to comply, at least temporarily.

“Andrei”’s subsequent instructions became more and more brazen. He was told to spy on and report to FSB in case of visa applications being filed by certain persons of interest (among them were Alexey Golubovich, a one-time Yukos partner and witness in the case against Khodorkovsky). Vadim complied, hoping to create an illusion of willing cooperation. At one point in the early summer, Vadim was told by Andrei that an FSB-preferred candidate was seeking a job position as head of the company’s Swiss visa center. The candidate did not get the job.

A Shocking Request — And a Reprieve

At the end of June 2016, “Andrei” and “Alexander” gave Vadim the motherlode task: he was to create a backdoor to the UK visa center network. Vadim told them this could be done but required time and concentration, and promised to take to this task after his return from a pending business trip to China. In return, he requested that Andrei let his wife and daughter stay with his wife’s parents in Mongolia during his trip, as respite from the stress she had been under in Russia. Enthused by Vadim’s optimistic view on the backdoor prospects, Andrei took a chance and gave his consent to a short trip.

Having taken his family to safety, Vadim returned to complete certain unfinished projects for his employer, TLSContact. Towards the end of August – and having done essentially no work on a backdoor – he told his handler that he needed to travel abroad to bring his family back to Russia.

Without receiving a final okay from Andrei, Vadim headed to the airport straight from work. In his own words, as described in his asylum application,

On September 2nd 2016, an attempt to arrest me was made. I took a half day off to prepare my stuff for travel. After lunch, around 14:00 I was going to the office following my usual route. On the intersection in front of the office building, where traffic police patrol is usually working, a black car was parked. A person standing next to the car recognized me and commanded me to get into the car. When I started going around trying to act as if I didn’t hear him, he started moving towards me. It was clear that he was trying to intercept me. Fortunately, this happened in a crowded public place, so, I just turned around and ran away. The person didn’t follow me then”

Using a method that we have chosen to withhold at Vadim’s request, he was able to leave Russia the following day.

Later, Vadim informed TLSContact of the circumstances of his sudden departure, and fessed up about his forced collaboration with FSB – and the agency’s ongoing attempts to infiltrate the company’s network infrastructure. Vadim also tried to warn the UK consulate of FSB’s intrusion attempt. Bellingcat has seen evidence of the two respective alerts having been made by Vadim. He says he received no reaction from either.

Our Attempts to Confirm Vadim’s Story

Over the last two months, Bellingcat has interviewed Vadim repeatedly, in an attempt to validate his story. Vadim provided us with copies of the documents submitted to the relevant authorities, as well as of the messages sent to TLSContact and to an employee he knew at the UK consulate. We have concluded that these are authentic documents, submitted or sent at the time Vadim claims they were.

Vadim also provided us with audio recordings of two phone calls between him and “Andrei”. One of the recordings, published below, is allegedly the initial phone call made on 17 March 2016 by “Andrei” to Vadim, while the second call is from 29 May 2016. It is not possible to verify the exact timestamps of the recorded phone calls, but the audio format and format of the file names – which contain time stamps and caller number – are consistent with those of a popular Android call recording app.

We have analyzed the audio content of the calls, which do not contain any signs of editing or manipulation. In the first call, the person who presents himself as “Andrei” cold-calls Vadim and tells him he is calling from the central office of Russia’s migration service and that he is aware of Vadim’s wife legal situation. “Andrei” tells Vadim that his mother may be in criminal legal jeopardy, and offers to meet to discuss the case. Vadim agrees, and “Andrei” proposes to meet somewhere in the vicinity of Pokrovka street in Moscow. Both the central office of the Federal Migration Service, and of the FSB Moscow headquarters, are in the area of Pokrovka street. “Andrei”’s request to meet offsite from premises of the Federal Migration Service cannot be considered normal official practice, and is more consistent with known practices of extortion by Russian officials. Such an arrangement would also be consistent with the version of events presented by Vadim.

In the second call, from 29 May 2016, “Andrei” gives Vadim tips on how his wife must act during an upcoming visit to the Smolensk immigration office. In this call we observe a progression of the relationship between the two, which is much less formal and is on first-name terms. The call ends with “Andrei” telling Vadim he will call him the next day on other matters.

Vadim provided us with the two numbers from which he says he routinely received phone calls from Andrei, We have attempted to determine their ownership. One number is now registered to an unrelated man who told us he has only has this number since March 2018 and does not know who the previous user was. The second number is currently inactive but records show that in 2016 it was registered to a young woman working as a bartender. We contacted the woman, who – after initially agreeing to answer questions about “Andrei” – switched off her phone and could no longer be reached.

Vadim also provided us with a document which he had discovered while working for TLSContact, the content of which he had then found to be suspicious. The file contains a cumulative database of all applicants for UK visas between April 2014 and May 2016 who had withdrawn their application prior to processing their visa cases. Vadim believes that there could be no business rationale to maintain such a cumulative database, and that this file may have been maintained – and exported – by a company employee at the behest of FSB. The file presented has personal identifying data (which was anonymized by Vadim before presenting to Bellingcat) on more than 1,500 Russian citizens. Certain names of interest, such as politicians or public figures, are marked in bold. The file properties suggest that it was created and modified by a person who worked at the company in 2016.

Bellingcat and the Insider approached the UK consulate with a number of questions linked to the potential vulnerabilities of the visa issuance process chain, and the possible risk posed by a visa application processing center infiltrated by a foreign government. The consulate referred our questions to the UK Home Office which replied that the ultimate visa issuance or refusal decision are made by consular staff, without any role played by the processing company. The response, however, did not address the risk of applicant’s confidential personal information being potentially exposed to security services, nor the risk of exploiting of hypothetical vulnerabilities in the communication systems between the outsourcing company and the consulate.

We attempted to ask the same questions to TLSContact but were not able to connect to a company executive via the company’s call center. A former company executive who left TLS Contact several months before Vadim’s departure and alert letter, said she was not aware of third-party attempts to infiltrate the company.

The Insider was able to talk to the former executive of the company whose name appeared on the “withdrawals report”. This person said he was not aware of any attempts by FSB to infiltrate the company. When asked about the provenance and rationale for the document that contained visa application withdrawals – and whether he was the author of this document – he terminated communication.

Bellingcat contacted the FBI to receive a comment on whether they had received the tip-off from Vadim, and whether such information had been channeled to UK law enforcement in the wake of the Skripal poisoning case. As of press-time, the FBI has not replied to our query.

Vadim’s story does not prove conclusively that FSB or any other security agency were successful in breaching the visa issuance system, and thus enabled GRU officers to travel in the UK repeatedly and ultimately conduct an alleged assassination attempt. However, it does indicate the indication and methodical tenacity that were applied in trying to compromise the visa protocols. Such endeavors are not surprising given that security services need to ensure unimpeded access to various European locations. Absent an alternative explanation as to how these and other GRU officers were able to sneak through the multi-entry visa application filter, Vadim’s experience provides one possible answer. After all, Col. Chepiga and Col. Mishkin first traveled to the UK – and Switzerland several months after “Andrei”‘s initial query to Vadim about the feasibility of trace-free issuance of visas to the UK and Switzerland.

To be continued

[1] name and certain non-essential circumstances have been changed to protect the identity of the person