The Delft-based computer and security company Fox-IT has been selling its products to Russia since 2010 and has continued doing so after the implementation of international sanctions against the country in 2014. The Dutch government is a major client of Fox-IT’s. Among other things, the company safeguards the security of state secrets.
One of the key players in Fox-IT’s trade with Russia is the Russian Evgeny Gengrinovich, who used to work for different Russian state companies. Since 2011 he promotes the Fox DataDiode on behalf of the Swiss Snitegroup GmbH and the Russian ZAO NPF Simet. Later on he presents himself as Fox-IT representative and plays a key role in the recruitment of other intermediaries.
Fox-IT intermediaries have close ties to Russian state companies in the energy and financial sectors, but also to the Russian Ministry of Defence, defence contractors and Russian intelligence agency FSB. The Delft-based company in general has little insight into the end users, to whom its products are offered and re-sold by intermediaries.
Gengrinovich himself also has ties to Defence and the FSB. From 2010 to 2014 he provided certification work for the FSTEC (Federal Service for Technical and Export Control) and the Ministry of Defence. In September 2017 he became an advisor for the Russian information security company Infotecs. This company was placed on the American sanctions list due to its ties to the Russian intelligence agency FSB in 2018.
After the implementation of international sanctions in 2014 Fox-IT continued selling its products to Russia. The war in Eastern Ukraine, the annexation of Crimea, the downing of flight MH17 and the implementation of the international sanctions haven’t affected its sales.
Russian sales after the sanctions
In 2015 Fox-IT even acquires the Russian certification for the Fox DataDiode, which increases their access to the Russian market. The FSTEC, responsible for the Russian certification of the DataDiode, resorts under the Ministry of Defence and works closely with the FSB.
About FSTEC certification and the certification company Echelon, which also investigated the DataDiode, doubts have been raised since 2013. Renowned American cybersecurity firm Symantec judged the certification process to be insufficiently independent from the Russian state in 2017 and has even stopped cooperating with FSTEC and Echelon.
In 2015 the Fox DataDiode was offered up for sale by ARinteg, a Moscow-based company in information security, among others to Russian banks. According to its commercial director, Dmitry Slobodenyuk, ARingteg sold the DataDiode after the implementation of the international sanctions in 2014 at least to one of the biggest banks of Russia.
Many Russian banks and their figure heads have been put on the American and European sanctions lists, due to their ties to the Russian military industry. Among them many clients of ARinteg, like state bank Vnesheconombank VEB and Alfa Bank, which has close ties to the Russian military industry.
Fox-IT itself acknowledges to have sold to Russia, including to the Russian government, up to 2015. The Delft-based company hasn’t revealed, however, which government institutions it has supplied. We do know it involves at least one delivery of the Fox DataDiode to the Russian state company RusHydro. Due to this company’s close ties to the Kremlin several of RusHydro’s leading figures were added to the American sanctions list in 2018.
The Fox DataDiode is a kind of one-way traffic firewall between a public and a private network, which enables the regulation of access to confidential information. Since 2009 it’s classed as dual-use goods: goods with a civilian application as well as a military use, which require an export licence. According to Fox-IT, government institutions all over the world, including the military industry, are major potential clients for the Fox DataDiode.
In 2011 Fox-IT possessed a global export licence specifically for the Fox DataDiode, which allowed it to export to Russia. In 2012 and 2013 it obtained an export licence for ‘information security equipment’, which could, apart from the DataDiode, also include other Fox-IT products, such as Redfox and Skytale. To this day the Foreign Office has failed to disclose if Fox-IT has requested and obtained any export licences, and if so how many, since 2013. Exporting dual use goods without an export licence to countries outside the European Union, including Russia, is in principle illegal.
Fox-IT has not responded to questions asked by Buro Jansen & Janssen.
Buro Jansen & Janssen has requested Fox-IT to comment on the findings of this investigation on May 7th, 13th, 19th and 20th, 2021. Up till now the Delft-based company hasn’t responded. Evgeny Gengrinovich also does not respond to questions from Buro Jansen & Janssen.
– Onderzoek: Fox-IT in Rusland (pdf)