Summary
Several countries in Central Asia and Latin America have established digital surveillance capabilities that are almost certainly based on Russia’s System of Operational Detective Operations (SORM), a sign that Russian surveillance technology is spreading and becoming increasingly popular among Russia’s neighbors and allies. Insikt Group has identified evidence that at least eight SORM providers are exporting to these regions and that at least 15 telecommunications companies may be customers. Russia’s largest SORM providers, such as Citadel, Norsi-Trans and Protei, export throughout Africa, Latin America and the Middle East and participate in trade shows, further highlighting their efforts to expand globally. While there are legitimate security uses for these systems, the governments outlined in this report have a history of abusing their surveillance capabilities, including to repress political dissidents, journalists, and activists, without effective or independent oversight. SORM facilitates the interception of a wide range of internet and telecommunications traffic by authorities without the knowledge of the service providers themselves, reducing transparency and oversight of surveillance activities and increasing opportunities for abuse. Companies operating in, or considering establishing physical operations in, these countries should assess their surveillance risks and, to the extent permitted by local law, implement privacy tools such as encryption and VPNs to mitigate the interception of sensitive communications.
What is SORM?
Russia’s SORM underpins the Russian Federation’s electronic surveillance apparatus and involves all telecommunications companies and ISPs installing surveillance equipment under strict government oversight. Security and intelligence services have direct access to telecommunications traffic passing through the installed equipment, bypassing service providers, who are not authorized to access information about the interception. SORM has evolved from intercepting landline and mobile communications to monitoring internet traffic, Wi-Fi, and social media, and its latest iteration (SORM-3) collects and searches traffic and subscriber metadata, which can now be stored long term in a database. This system allows law enforcement and security services to filter data by identifiers such as phone number, location, IP address, and username. All of this is supported by a legal framework that mandates compliance. The way SORM is integrated into telecommunications and internet infrastructure facilitates potential interception, reduces visibility of surveillance activities, and increases the risk of exploitation, especially in countries with limited or non-existent surveillance oversight.
Russian government access risks
Given the close relationship of SORM providers with the Russian government and the high value of the information intercepted through these systems, the overseas deployment of SORM-based surveillance systems with Russian-made components may carry the risk of access from Russia. Past incidents, such as the alleged abuse of Kaspersky exports, support the assessment that Moscow is likely to have access to exported SORM technology. In June 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) prohibited Kaspersky Lab from providing technology and services in the United States or to U.S. persons due to several factors that posed an “unacceptable” risk to national security. Similar concerns apply to SORM providers such as Citadel, which have ties to Russia’s security services, particularly the Federal Security Service (FSB), and to oligarchs close to President Vladimir Putin. Citadel’s key role in integrating Russia’s SORM market also highlights its possible ties to the Russian government. In particular, Kazakhstan and Kyrgyzstan have expressed concerns about backdoors in SORM equipment, with evidence suggesting Russian manufacturers maintained access to systems deployed overseas.
Mitigation measures
Companies operating in countries that use SORM-based systems should use reliable encryption tools to protect their online communications, avoid the services of hosting providers that use top-level domains from these countries, and reduce the risk of interception by restricting access to or removing sensitive corporate data while traveling. They should also conduct a comprehensive assessment of the nation’s digital and physical surveillance capabilities, focusing on evidence of malicious abuse against business travelers.
In this report, Insikt Group provides a list of metrics that companies can use to assess data privacy and surveillance risks from a SORM perspective. None of these factors guarantees that a country is using SORM, but the presence of some indicators, such as imports from known Russian SORM providers, laws requiring the installation of SORM-like interception technology, joint telecommunications projects with Russian providers, state control over telecommunications infrastructure, reporting of intrusive or malicious surveillance, and restrictions on encryption technologies, indicates a high state surveillance risk. Recorded Future’s Country Risks feature provides regularly updated analysis and mitigation guidance for assessing such risks.
Outlook
The marketing materials and trade show participation of major SORM providers suggest that these organizations will likely continue to explore international expansion opportunities. Countries with close ties to Russia, especially those with a history of joint projects in the fields of cybersecurity, intelligence cooperation, and telecommunications, are likely to continue sourcing digital surveillance components from Russian providers. Deploying SORM in these regions will almost certainly continue to pose data security risks, especially in regions with weak government oversight. More broadly, Russian exports of surveillance technology will continue to provide Moscow with an opportunity to expand its influence, particularly in the “near abroad,” and potentially to strengthen its intelligence-gathering capabilities, but the potential extent of that access is unknown.