November 20, 2019

Leaked report reveals security risks at the Austrian security service BVT

(Updated: November 9, 2022)

A classified report that was published by an Austrian newspaper has revealed a range of security risks at the Austrian security service BVT, especially regarding its internal computer network.

The classified report was prepared by an investigation team from the SOTERIA group of the secretive Club of Berne, a cooperation platform in which almost all European domestic security services collaborate.



Austria's security service BVT

The Austrian security service is officially called the Federal Office for the Protection of the Constitution and Counter-Terrorism (German: Bundesamt für Verfassungsschutz und Terrorismusbekämpfung, or BVT). It was created in 2002 by merging the Austrian state police with various special task forces against terrorism and organized crime.

The BVT fell into crisis after Austrian police raided its headquarters on February 28, 2018 and seized large amounts of data. In August 2018, The Washington Post reported that European security services no longer trusted their Austrian counterpart, apparently because the Austrian interior minister Herbert Kickl from the far-right FPÖ party was considered too close to the Russian government.

On November 6, 2018, an Austrian newspaper published a leaked document showing that the Finnish security service no longer wanted to share counter-intelligence information with the BVT. In April 2019 it was reported that the British and Dutch agencies had also heavily restricted their intelligence sharing with the BVT. Because of these concerns, the BVT's participation in the working groups of the Club of Berne was postponed.



The headquarters of the Austrian security service BVT at the Rennweg in Vienna
(photo: Tokfo/Wikimedia Commons - click to enlarge)

Club de Berne (CdB)

The Club of Berne (French: Club de Berne, or CdB) is an intelligence sharing forum for the domestic security services of the 28 states of the European Union (EU) plus Norway and Switzerland and is named after the Swiss city of Bern, where it was probably founded.

The Club started in 1971 with nine members and is based on voluntary exchange of information, best practices, experiences and views as well as discussing problems related to counter-intelligence, counter-proliferation and cyber threats.

After the attacks of 9/11, the Club of Berne created the Counter Terrorism Group (CTG) which is specifically aimed at counter-terrorism. Since July 2016, the CTG has a platform for the real-time sharing of information about terrorism suspects and there's also a database which makes information about foreign fighters more easily accessible. The Dutch secret service AIVD hosts a collaboration center where analysts from 23 of the 30 CTG members can share and analyse intelligence information.



The security assessment

Now, a classified internal report from the Club of Berne about the internal security of the BVT has been leaked to the press. It was published on November 11, 2019 on oe24.at, the website of the Austrian newspaper ÖSTERREICH, which appears to have received a copy of the 25-page report from an intelligence expert.

This isn't the first leak of intelligence information in Austria. Hardly noticed outside the German-speaking world, in 2015 the Austrian member of parliament Peter Pilz published a range of highly sensitive documents about operation Eikonal, a cooperation between the NSA and the German BND for tapping fiber-optic cables of Deutsche Telekom.




Front page of the Club of Berne's security assessment of BVT
(click to enlarge)


Club of Berne's coat of arms

First, the leaked report shows that the Club de Berne has its own coat of arms and that its SOTERIA group has its own logo - both are on the front page of the report.

The Club of Berne coat of arms has a red Latin cross, with nine white stars on a green background in three of the four quarters. The fourth quarter is a variation on the coat of arms of Bern, with a walking bear.

It's likely that the white stars stand for the members of the Club of Berne, which started with nine members in 1971. It's not clear why there are just 27 stars, whereas, as far as we know, the Club has 30 members.


SOTERIA group's logo

Next to the coat of arms is the logo of the SOTERIA group. As indicated by the circle in an ancient decorative pattern, this group is named after Soteria, the Greek goddess or spirit of safety and salvation, deliverance, and preservation from harm. As we will see below, the networks and databases of the Club of Berne also have names from Greek mythology.

Given the topic of the report, the SOTERIA group is apparently responsible for the internal security of the Club. It may not have been the intention, but the coat of arms with the big red cross, especially in combination with the Soteria logo, actually looks quite esoteric.




The assessment team

The inspection of the BVT was conducted by an assessment team that visited the BVT headquarters at Rennweg 93 in Vienna on February 13, 2019. The team consisted of the following members:
- Team Leader, from the British MI5
- Team Coordinator, also from the British MI5
- Personnel security expert, from the Swiss Federal Intelligence Service (FIS) and the German domestic security service BfV (Bundesamt für Verfassungsschutz, the Federal Office for the Protection of the Constitution)
- Cyber security expert, from the Latvian State Security Department VSD
- Physical security expert, again from the British MI5

Deficiencies of BVT's network

During their inspection, the assessment team found a remarkable number of deficiencies. The main risk was that the BVT had only a single computer network, which was not accredited to handle or store classified information at any level.

This internal network was also connected to the public internet, which threatened not only the BVT's own classified information but also that of the Club of Berne and of the other members of the Club. This is shown in one of the diagrams from the security assessment report:




From this diagram we learn that the computer network of the Club of Berne is called POSEIDON and that members of the Club are connected to it in various ways:

- A Voice-over-IP (VoIP) and Video Teleconferencing (VTC) capability.

- A terminal for access to the NEPTUNE network, which is accredited for classified information up to Secret and "may be used for future communications with Club members". The terminal has no connections with other networks, but data may be transferred between the NEPTUNE network and the BVT's internal network using "USB over airgap". Carrying data across the air gap on removable media reintroduces part of the risk the air gap is meant to remove, since malware or classified material can travel with it, but according to the investigators the transfers were "carried out by the assigned personnel in compliance with established procedures."

- A terminal for access to the PHOENIX database of the Counter Terrorism Group (CTG), which, according to the diagram, is a stand-alone machine with no connections to the BVT's network.

- Finally, yet another stand-alone terminal for NEPTUNE "web services".

Update:
The Dutch security service BVD participated in the Technical Working Group of the Club Communication Committee from 1971 onwards. Initially, the Dutch part of the NEPTUNE network was just an encrypted teletype connection, managed by the BVD-verbindingscentrum (the BVD's communications centre). This NEPTUNE network existed in its original form for quite some time, but eventually the Automatiseringsafdeling (the IT department) of the BVD started to develop a secure data communication system.


With at least three computer terminals for the network of the Club of Berne alone, one can imagine how many different terminals there must be at intelligence and security services that also participate in other intelligence sharing groups, like the SIGINT Seniors Europe (14-Eyes).



Three pages from the SOTERIA group security assessment of the BVT
(screenshots from oe24.at - click to enlarge)


Even more security risks

The security assessment report by the SOTERIA group identifies further security risks. The BVT allowed its employees to bring mobile phones or laptops into areas where classified information up to Secret is handled, so anyone could have photographed classified documents and taken the images outside.

Another issue was that the BVT was using four antivirus programs, one of which was developed by the Russian company Kaspersky Lab. Other intelligence services, like those in the Netherlands, had already decided in May 2018 to remove this software from their systems because the risk of espionage was deemed too high.

Regarding the personnel of the BVT, the assessment says: "The security vetting is repeated every three years and may theoretically result in the revocation of the security clearance. This has, however, never happened so far." Employees could also travel to countries with "aggressive intelligence organisations" without having to report that, something that is mandatory at many other agencies.

The headquarters building of the BVT was also not very well secured: although the windows on the ground floor were barred, those on the upper floors could be opened without triggering an alarm. The same applied to the fire exit doors. Finally, there are about 100 security cameras on the building, but only two officials to watch them, on just two screens.



Security cameras at the BVT headquarters building
(screenshot from oe24.at)


Update:
On November 12, 2020 it was announced that the BVT will be split into a federal police branch and a national security branch, to prevent intelligence from foreign partners from ending up in criminal cases. The national security branch will be enlarged and modernized.


Links & sources
- about:intel: The Club de Berne: a black box of growing intelligence cooperation
- oe24.at: Wer trägt die Schuld am BVT-Chaos? (Who is to blame for the BVT chaos?) (Nov. 19, 2019)
- oe24.at: Alarm: Verfassungsschutz BVT steht total blamiert da (Alarm: the BVT stands totally disgraced) (Nov. 11, 2019)
- Swissint.ch: Die Nachrichtendienste und ihre geheimen Klubs: Ein Einblick in die unbekannte Seite der Antiterrorkooperation in Europa (The intelligence services and their secret clubs: a look at the unknown side of counter-terrorism cooperation in Europe) (Oct. 29, 2018)
- The Washington Post: Austria’s far-right ordered a raid on its own intelligence service. Now allies are freezing the country out. (Aug. 17, 2018)

