1000’s of Russian video-surveillance methods utilized by Ukrainian cities, infrastructure, non-public firms, and odd houses can relay footage to Moscow-based servers owned by massive Russian firms that service the Russian authorities and army, Schemes, the investigative unit of RFE/RL’s Ukrainian Service, has discovered.
The State Service of Particular Communications and Info Safety informed Schemes it had warned the federal government that TRASSIR video-surveillance methods, that are bought by the Moscow-based agency DSSL, pose a safety risk.
Technical consultants, together with a TRASSIR specialist, and one former senior Safety Service of Ukraine (SBU) officer echoed that evaluation.
“If this digicam was positioned on some vital infrastructure facility, there could also be a query about what the staff on the opposite facet and the house owners of that server see, and the way they use that info for army functions,” mentioned Serhiy Denysenko, government director of the Ukrainian information-security firm CyberLab’s Digital Forensics Laboratory. By “the opposite facet,” he meant Russia.
Russia launched its full-scale invasion of Ukraine in February 2022. Up to now, the Ukrainian authorities has issued no public warning towards utilizing the TRASSIR video-surveillance methods. Nevertheless, after Schemes printed a report on the outcomes of its investigation, on December 7, Inside Affairs Minister Ihor Klymenko vowed that state authorities would conduct a “thorough test” of the journalists’ findings.
”In fact, it’s unacceptable when any digicam, even hypothetically, will be linked and transmit info, particularly throughout wartime, to any [foreign] nation,” Klymenko mentioned on nationwide tv the next day.
The shuttered Chernobyl nuclear energy plant, which was occupied by Russian forces for over a month initially of the invasion, is among the many delicate government-run websites which have used TRASSIR video-surveillance methods, in line with the import-export database ImportGenius and a letter from a Chernobyl consultant to DSSL. Others embrace the Ukrainian Sea Ports Authority and the Maritime Search and Rescue Service within the Black Sea port metropolis of Odesa, in line with the general public procurement database Prozorro.
Purchases had been made each earlier than and after Russia occupied the Black Sea peninsula of Crimea and fomented warfare within the japanese Donbas area in 2014.
The strategically vital southern metropolis of Kherson, which Russian forces occupied for months in 2022 earlier than retreating that November, and which they proceed to bombard continuously, purchased TRASSIR for video surveillance of public areas, the database reveals. Different purchasers embrace the commercial cities of Nikopol, Poltava, and Slavutych, all of which have confronted Russian assaults.
Schemes discovered no proof that the Russian army or safety providers are utilizing TRASSIR-system footage to focus on these particular places. Lower than per week into the full-scale invasion, Kyiv blocked entry to the Russia-based Web servers that TRASSIR makes use of. A lot of the Ukrainian firms or services which have used TRASSIR and responded to questions from Schemes mentioned that they used the Russian software program in a closed native community, to cut back the danger of information leakage, or that they’d stopped utilizing it.
But Schemes and digital-security consultants decided that the TRASSIR methods nonetheless can entry these servers by way of digital non-public networks (VPNs), which conceal a person’s location and are broadly utilized in Ukraine.
The Kremlin’s Digital camera Connection
TRASSIR, owned by DSSL, is a longtime model identify for digicam surveillance in Russia: The printed hub for Russian nationwide TV channels, Moscow’s Ostankino Tower, the Tomsk area’s authorities headquarters, and a St. Petersburg bridge all use the TRASSIR CCTV system, in line with the DSSL web site. Altogether, the corporate claims 150 companions in Belarus, Bulgaria, Kazakhstan, Kyrgyzstan, Moldova, Romania, and Russia.
The system, which TRASSIR claims can be utilized at websites starting from “a small retailer to an airport,” largely makes use of cameras from the Chinese language firm Hikvision, however the software program that transmits the cameras’ footage is TRASSIR’s personal.
The import-export database ImportGenius reveals that Ukrainian firms imported over 10,000 cameras and video recorders from the TRASSIR surveillance system from 2016 till Kyiv ended all Russian imports in February 2022. These numbers don’t take attainable unlawful imports under consideration.
Digital safety activists informed Schemes that cameras outfitted with the TRASSIR software program can transmit video to Russian servers. Individually, a 2019 promotional article mentioned that quite a lot of government-run services and personal firms had been among the many Ukrainian entities utilizing TRASSIR’s digicam methods.
To verify the activists’ findings, Schemes collaborated with the Digital Forensics Laboratory and the Digital Safety Laboratory, a Kyiv-based nonprofit, to check the TRASSIR video-surveillance system. Schemes purchased one of many cameras on-line; the activists, who requested anonymity, supplied a number of cameras from the TRASSIR surveillance system and a video recorder.
Utilizing a VPN to skirt Ukraine’s block on Russian servers, Digital Safety Laboratory specialist Natalia Onishchenko decided that, other than different locations, corresponding to Google in the US, the digicam sends data-transfer requests to a Russia-based subdomain of TRASSIR’s web site,, m30.ru.cloudtrassir.com.
A domain-name tracer revealed that this subdomain‘s Web Protocol (IP) deal with, the string of numbers that identifies it on-line, belongs to a Moscow firm referred to as Digital Community.
Digital Community is an Web service supplier (ISP) that’s a part of a giant Russian company and is understood by the model identify msm.ru. Its shoppers embrace the Web firm Yandex, whose merchandise embrace Russia’s dominant search engine, and the Russian Protection Ministry’s TV channel, Zvezda.
Data from Russia’s portal for presidency contracts, EIS Zakupki, present that Digital Community supplied Web entry to “army unit 43753,” in any other case referred to as the Middle for Info Safety and Particular Communication, between 2015 and 2017. The Middle, a part of the Federal Safety Service (FSB), Russia’s foremost intelligence company, displays and evaluates software program and assists the FSB with decryption.
The TRASSIR system’s software program additionally despatched a knowledge request to a server that belongs to the large non-public Russian IT firm VK, one other of the Kremlin’s company comrades, which, in line with one German researcher, is “state-controlled and pursues ideological and intelligence targets” for the Kremlin. VK based the favored social-media networks VK and Odnoklassniki, and owns the broadly used electronic mail system Mail.ru.
Below Russia’s 2019 Sovereign Web Regulation, Russian IT firms are obliged to put in gear that enables the federal communications company Roskomnadzor to watch their Web visitors. An earlier regulation, a part of the so-called Yarovaya amendments, stipulates that IT firms protect knowledge, together with video footage, for six months and switch it over to Russian state buildings upon demand.
Such laws implies that “entry to all sources saved in Russia is feasible for the particular providers and legislation enforcement companies even with out courtroom choices,” mentioned Ukrainian counterintelligence specialist Viktor Yahun, a reserve SBU main normal who previously labored on counterintelligence operations towards the FSB.
”All the things associated to info, the Web, communication — all that is united on this middle,” he mentioned.
A Blocked Buy
Yury Shyhol, a former director of Ukraine’s State Service of Particular Communications and Info Safety, which oversees cybersecurity, informed Schemes in a written response that the company had warned “safety and protection sector ministries” in Could 2022, some three months into Russia’s full-scale invasion, that DSSL and TRASSIR cooperate with Russian safety ministries and providers.
Shyhol didn’t elaborate concerning the Ukrainian ministries’ response, however Schemes might discover no indication that the federal government has issued a public warning concerning the TRASSIR video-surveillance methods or tried to cease their sale inside Ukraine.
In response to Schemes’ question about TRASSIR, the SBU mentioned that it couldn’t focus on counterintelligence actions. It talked about a 2020 case, nonetheless, through which it blocked the 8-million-hryvnya ($280,000) buy of TRASSIR video-surveillance methods by the administration of the Lviv area in western Ukraine.
The methods might be used to “acquire details about the motion of army gear by rail transportation and public highways,” the SBU mentioned in a publication explaining the choice to dam the acquisition.
A ’Harmful’ Know-how
A technician at one of many former foremost Ukrainian distributors of the TRASSIR system, TRASSIR EU, conceded that the truth that the cameras’ knowledge travels first to Russian servers is “harmful.”
“However that’s the best way the know-how is,” mentioned TRASSIR EU technical specialist Vitaliy Fedorenko. “The entire world works like this.”
The methods will be redirected to ship their knowledge to Ukrainian servers, however it’s “unrealistic” for house owners to do this for every of the “lots of of 1000’s” of TRASSIR cameras in Ukraine, Fedorenko mentioned.
Most reported TRASSIR shoppers who responded to Schemes’ questions careworn that they use or have used the system inside a neighborhood community inaccessible to outdoors entities.
The performing normal director of the Chernobyl plant, Serhiy Martinov, mentioned that it had stopped utilizing TRASSIR in 2023. A letter from the plant on the DSSL website states Chernobyl had used it since 2011.
Within the east-central metropolis of Poltava, the place TRASSIR is used as a part of a municipal security program, First Deputy Mayor Valeriy Parkhomenko mentioned he had “had no official appeals or warnings that this technique has any dangers.”
The pinnacle of the town’s Housing and Communal Providers Division’s emergency response staff, Mykola Yosipenko, conceded, although, that he couldn’t be “100-percent positive” that the digicam’s data-transfers are totally secure.
An engineer from the corporate that put in TRASSIR for Poltava, Yavir-2000, suggested towards utilizing the system, saying that it may be hacked and that Russia might use it for monitoring. The engineer, who didn’t know he was chatting with a journalist, prompt that it might make sense to make use of the system “if you want to be monitored from Russia.”
Plans For The Future
TRASSIR EU’s founder, Oleh Kiyashko , a local of Ukraine who has Ukrainian and Russian citizenship and is listed on one enterprise registry website as a co-owner of a sales-focused DSSL affiliate referred to as DSSL-Pyervy (DSSL-First), couldn’t be reached for remark concerning the surveillance methods’ software program.
TRASSIR EU Director Larysa Osadcha claims that the corporate ended its contract and contacts with DSSL in April 2023.
Ukraine’s patent registry reveals, nonetheless, that the agency nonetheless holds the copyright to the TRASSIR software program in Ukraine.
Osadcha mentioned that the corporate is now working with new software program for video-surveillance methods referred to as AZIGUARD — this time from Romania, which is a member of NATO and the European Union. Nevertheless, the web site of AziTrend, the corporate that owns AZIGUARD, nonetheless comprises quite a few references to TRASSIR software program, which, in line with the commercial, is a part of the system from the Romanian producer.
Later, after Schemes made inquiries and reported on TRASSIR, references to this Russian software program started to vanish from the AziTrend web site, however a few of them haven’t been eliminated.