A classified report that was leaked to an Austrian newspaper has revealed a range of security risks at the Austrian security service BVT, especially regarding its internal computer network.
The classified report was prepared by an investigation team from the SOTERIA group of the secretive Club of Berne, a cooperation platform in which almost all European domestic security services collaborate.
Austria's security service BVT
The Austrian security service is officially called Office for the Protection of the Constitution and Counterterrorism (German: Bundesamt für Verfassungsschutz und Terrorismusbekämpfung or BVT) and was created in 2002 by merging the Austrian state police with various special task forces against terrorism and organized crime.
The BVT was plunged into a crisis after Austrian police forces raided its headquarters on February 28, 2018, seizing large amounts of data. In August 2018, The Washington Post reported that European security services didn't trust their Austrian counterpart anymore, apparently because the Austrian interior minister Herbert Kickl from the far-right FPÖ party was too close to the Russian government.
On November 6, 2018, an Austrian newspaper published a leaked document showing that the Finnish secret service didn't want to share counter-intelligence information with the BVT. In April 2019 it was reported that British and Dutch agencies also heavily restricted their intelligence sharing with the BVT. Because of these concerns, the BVT's participation in the working groups of the Club of Berne was postponed.
The headquarters of the Austrian security service BVT at Rennweg 93 in Vienna (photo: Tokfo/Wikimedia Commons)
Club de Berne (CdB)
The Club of Berne (French: Club de Berne, or CdB) is an intelligence sharing forum for the domestic security services of the 28 states of the European Union (EU) plus Norway and Switzerland and is named after the Swiss city of Bern.
The Club was established in 1971 and is based on voluntary exchange of information, best practices, experience and views as well as discussing problems related to counter-intelligence, counter-proliferation and cyber threats.
After the attacks of 9/11, the Club of Berne created the Counter Terrorism Group (CTG), which is specifically aimed at counter-terrorism. Since July 2016, the CTG has had a platform for the real-time sharing of information about terrorism suspects, and there's also a database which makes information about foreign fighters more easily accessible.
The security assessment
Now, a classified internal report from the Club of Berne about the internal security of the BVT has been leaked to the press. It was published on November 11, 2019 on oe24.at, the website of the Austrian newspaper ÖSTERREICH. The newspaper seems to have received a copy of the 25-page report from an intelligence expert.
This isn't the first leak of intelligence information in Austria. Hardly noticed outside the German-speaking world was that in 2015, the Austrian member of parliament Peter Pilz published a range of highly sensitive documents about operation Eikonal, a cooperation between the NSA and the German BND for tapping fiber-optic cables of Deutsche Telekom.
Front page of the Club of Berne's security assessment of BVT
Club of Berne's coat of arms
First, the leaked report shows that the Club de Berne has its own coat of arms and that its SOTERIA group has its own logo - both are on the front page of the report.
The Club of Berne coat of arms has a Latin cross in red, with in three of the four quarters nine white stars on a green background. The fourth quarter is a variation on the coat of arms of Bern, with a walking bear.
It's likely that the white stars stand for the members of the Club of Berne, which started with nine members in 1971. It's not clear why there are just 27 stars, whereas, as far as we know, the Club has 30 members.
SOTERIA group's logo
Next to the coat of arms is the logo of the SOTERIA group. As indicated by the circle in an ancient decorative pattern, this group is named after Soteria, the Greek goddess or spirit of safety and salvation, deliverance, and preservation from harm. Given the topic of the report, the SOTERIA group is apparently responsible for internal security of the Club.
It may not have been the intention, but the coat of arms with the big red cross, especially in combination with the Soteria logo, actually looks quite esoteric.
The assessment team
The inspection of the BVT was conducted by an assessment team that visited the BVT headquarters at Rennweg 93 in Vienna on February 13, 2019. The team consisted of the following members:
- Team Leader, from the British MI5
- Team Coordinator, also from the British MI5
- Personnel security expert, from the Swiss Federal Intelligence Service (FIS) and the German Federal Security Service BfV
- Cyber security expert, from the Latvian State Security Department VSD
- Physical security expert, again from the British MI5
Deficiencies
During their inspection, the assessment team found a remarkable number of deficiencies. The main risk was that the BVT had just one single computer network, which was not accredited to handle and store any level of classified information.
This internal network also had connections to the public internet, which posed a threat not only to the BVT's own classified information, but also to that of the Club of Berne and to classified information of the other members of the Club. This is shown in one of the diagrams from the security assessment report:
From this diagram we learn that the computer network of the Club of Berne is called POSEIDON and that members of the Club are connected to it in various ways:
- A Voice-over-IP (VoIP) and Video Teleconferencing (VTC) capability.
- A terminal for access to the NEPTUNE network, which is accredited for classified information up to Secret and "may be used for future communications with Club members". The terminal has no connections with other networks, but data may be transferred between the NEPTUNE network and the BVT's internal network using "USB over airgap". This implies a security risk, but according to the investigators, it was "carried out by the assigned personnel in compliance with established procedures."
- A terminal for access to the PHOENIX database of the Counter Terrorism Group (CTG), which, according to the diagram, is a stand-alone machine with no connections to the BVT's network.
- Finally, yet another stand-alone terminal for NEPTUNE "web services".
More security risks
The security assessment report by the SOTERIA group identifies even more security risks. The BVT allowed its employees to take mobile phones or laptops into areas where classified information up to Secret is handled, so anyone could take photos of classified documents and carry them outside.
Another issue was that the BVT was using four antivirus programs, one of which was developed by the Russian company Kaspersky Lab. Other intelligence services, like those in the Netherlands, removed this software from their systems months ago, because the risk of espionage was deemed too high.
The headquarters building of the BVT was also not very well secured: although the windows on the ground floor were barred, those on the upper floors could be opened without triggering an alarm. This also applied to the fire exit doors. Finally, there are about 100 security cameras on the building, but there were only two officials to watch them on just two screens.
Security cameras at the BVT headquarters building (screenshot from oe24.at)
Links & sources
- oe24.at: Wer trägt die Schuld am BVT-Chaos? (Nov. 19, 2019)
- oe24.at: Alarm: Verfassungsschutz BVT steht total blamiert da (Nov. 11, 2019)
- The Washington Post: Austria’s far-right ordered a raid on its own intelligence service. Now allies are freezing the country out. (Aug. 17, 2018)