When Sergei and Yulia Skripal were near-fatally poisoned with Novichok in Salisbury in March 2018, suspicion immediately fell upon the Russian state. The British government released footage of the men said to be responsible and the aliases under which they secured UK visit visas. But it took a website called Bellingcat, which publishes in-depth investigations on foreign affairs and organised crime, to reveal the real identities of the Russian military operatives: Anatoliy Chepiga and Alexander Mishkin. These identifications have been repeated by the BBC, and British police and intelligence sources are “not disputing” their accuracy.
I know what you’re thinking: where is this going and what on earth does it have to do with immigration law? The answer lies in a 2018 immigration story that received far less attention than it merited.
In November, Bellingcat published an investigation accusing Russian intelligence operatives of trying to hack into the UK visa application system. The website interviewed a former employee of a firm that processes applications for UK visas who says that the Russian FSB security services blackmailed him into helping them get access to company’s computer systems.
You may not have heard of Bellingcat, but it is well respected for its work, which involves close scrutiny of publicly available information to find or add to news stories about conflict zones — such as the use of chemical weapons in Syria. Bellingcat’s conclusion that a Russian missile was responsible for the downing of Malaysian Airlines flight MH17 in 2014 was subsequently confirmed by an international investigation team. The website is frequently cited by the BBC, among others.
This investigation raises concerns about the security of the UK visa system, which is increasingly digital and partly entrusted to private firms. Bellingcat’s story is on one hand reassuring, in that the Russians do not seem to have been able to access the visa processing system without an inside man. But it also suggests they are capable of finding such a person if they want to, and there is some suggestion that the data is being used inappropriately already.
UK visa outsourcing
In around 80 countries across Europe, Africa, Central Asia and the Middle East, applying for a UK visa means registering with a company called TLScontact. It operates outsourced face-to-face visa processing application centres — in other words, taking most of the administration and logistics involved in visa applications and leaving only the yes-or-no decision to civil servants. TLScontact is a subsidiary of Teleperformance, which is paid £33.3 million a year to run these overseas visa centres. (Centres in the rest of the world are operated by VF Worldwide Holdings Ltd.)
Within the UK, visa applications go via a firm called Sopra Steria. The Home Office awarded it a £91 million contract in May 2018 to run the new Visa and Citizenship Application Service centres recently opened around the UK. A firm called BLS International is also involved, in particular to provide “added value services”. These include document translation and validation and, more controversially, immigration advice. The Home Office website signposts applicants interested in legal advice on their application to World Migration Services, a subsidiary of BLS International that is registered with the Office of the Immigration Services Commissioner.
Russian attacks on visa outsourcing firms
This is where Bellingcat picks up the story. Vadim Mitrofanov (not his real name) is a Russian IT specialist, once based at the Moscow office of TLScontact and now seeking asylum in the USA. His involvement with the Russian FSB intelligence service began, ironically, when he needed a visa for his own Mongolian spouse. Vadim told that Bellingcat investigators that their application was repeatedly held up by the Russian authorities and the family harassed by the immigration services. He was eventually contacted by “Andrei”, an FSB handler who told him that his visa troubles could go away — if he would pass on information about TLScontact’s internal workings. These included “internal regulations and organization structure, on the IT network and infrastructure designs: as well as on usage of intrusion detection systems”.
Vadim thinks he was not the only one worrying away at the firm’s defences. He also showed Bellingcat a suspicious document compiled by another employee. This contained a database of various Russian applicants for UK visas, with names of politicians or public figures marked in bold. There was, according to Vadim, “no business rationale to maintain such a cumulative database, and that this file may have been maintained – and exported – by a company employee at the behest of FSB”.
The FSB ultimately asked Vadim whether it would be possible to secure visas for “a couple of guys who need to visit the UK… it’s important that their passports are accepted and approved directly by the consulate, without any review and background checks and without leaving any trace in the visa center“. He was also asked to create a “back door” into the “backdoor to the UK visa center network”. Although he fled to the US before completing the tasks, Bellingcat suggests that these activities could be linked to the Salisbury poisonings.
The BBC, which has also reported on the story and spoken to Vadim, says that the pair travelled on valid UK visas. However:
There is no direct evidence linking their applications to any subversion of the visa system in Russia. Officials in the UK have suggested they received legitimate visas based on the false documentation including passports they provided and have played down any possibility that the system was subverted.
Whether or not the FSB’s attempted hacking helped with the Salisbury killings, the investigation does appear to show that the UK’s visa infrastructure is a prime target for hostile attack. BBC security correspondent Gordon Corera says that “it is impossible to verify all of [Vadim’s] claims but Western security sources say they are consistent with the behaviour and activity they would expect from the FSB”.
The UK immigration authorities are increasingly bringing visa applications online. This is undoubtedly more efficient. But there are downsides. Campaign group the3million has complained that the gigantic Settlement Scheme, under which 3.8 million EU citizens and their families must apply to stay in the UK after Brexit, comes with terms and condition saying that the Home Office “may share your information with other public and private sector organisations in the UK and overseas”.
Even if personal data is not deliberately thrown around, online databases are vulnerable to remote attacks or falsification by an inside man or woman in a way that a filing cabinet in Croydon is not. Home Office staff have been convicted for illegally tampering with records before. When such databases are shared with external contractors, that only increases the number of vulnerable points. The Home Office must now be sure, not only of its own staff, but of all those hired by external contractors. Is it?