The Russia affair in the Swiss secret service: ‘This is espionage’ 

November 3, 2020. Geneva is unusually silent. With restaurants closed and few passers-by, a second Covid lockdown has brought life almost to a standstill. But somewhere in this quiet metropolis two intelligence services meet: the top officials of the FIS and a friendly foreign intelligence service. 

Switzerland is facing a debacle. The issue, as the FIS itself will later state in a secret report, is accusations of “illegal transfer of data”. According to the report, a Swiss secret service employee – we’ll call him W. – had passed on highly sensitive information to Kaspersky, a Russian cybersecurity company. 

The information was passed on to Russian intelligence services via Kaspersky, a second friendly intelligence service added a little later. There was “a risk that lives could be endangered”.

These interventions must have set alarm bells ringing at the FIS headquarters in Bern. Two foreign intelligence services important to Switzerland were threatening nothing less than to “cease co-operation with the FIS if the employee continued to work for the FIS”. 

Cyber affair becomes Russia affair

This investigation by SRF Investigativ delves deep into the inner workings of the intelligence service and shows that W. and his cyber team not only obtained data illegally – that much has already become public in recent years – but they also got involved with a controversial Russian company and shared intelligence. 

For Bulgarian investigative journalist Christo Grozev, who works for The Insider and Der Spiegel and has been researching Russian intelligence operations for years, it is clear: “This is espionage on behalf of Russia.” 

The Russia affair begins in 2014/2015. 

The FIS has recruited W. as the head of the new cyber team. Fellow travellers describe him as charismatic and determined. A doer. W. and his team are tasked with protecting Switzerland in cyberspace. That means, among other things, investigating hacker attacks. 

Together with his team, W. sets up a service within the service. This is clear from the secret report. The team operates its own IT infrastructure, builds its own hacking devices and works independently of the rest of the intelligence service. Several members of the cyber team also state in the internal investigation that “private mobile phones were used for business communication purposes”. 

The team was extremely successful between 2015 and 2020. According to the external report on the cyber affair, it fended off and investigated cyberattacks and “earned a high reputation among foreign partner services” with this work. 

Kaspersky is ‘essential’ for the FIS 

To obtain the best possible data for cyber reconnaissance, W. and his team also maintain contacts with various private companies – partly formalised by contract, partly not. 

Several of these companies are listed in the secret report under “regular contacts”. At the top of the list: Kaspersky. 

The cybersecurity company is “essential” for the work of the cyber team, W. is quoted as saying. This is because “the FIS doesn’t have sufficient expertise and resources […] to recognise hacking activities independently and preventively”. 

Kaspersky is a big name. The Russian cybersecurity company sells anti-virus software worldwide. However, it has also been suspected for years of cooperating with Russian intelligence services. Since 2017, several countries have banned certain authorities from using Kaspersky software for fear of espionage. 

“Kaspersky is one of the most attractive assets that the Russian intelligence services would have to use as a backdoor to the rest of the world,” Grozev says. He says a company based in Russia that works in the cyber sector inevitably has a connection to Russian intelligence services. Quite simply because Russian laws stipulate this

The Swiss intelligence service’s cyber team maintained a close dialogue with this Russian company between 2015 and 2020. 

Private emails to Kaspersky 

A total of nine Kaspersky employees were listed as contacts at the time, one of whom is described as a “person of trust”. The cyber team also secretly used Kaspersky as a money transmitter: payments to a service provider company went through Kaspersky. 

According to the report, these contacts between Kaspersky and the cyber team are not officially documented – as the FIS stipulates. What’s more, W. communicates with them via his private email address. Intelligence service information is also shared via various chats on Threema, an encrypted instant messaging app, some of which are private. 

Unofficial cooperation 

What the FIS receives from Kaspersky is mostly run-of-the-mill intelligence services. The cyber team has a contract with the company, as it does with others, to obtain data to investigate cyberattacks. 

But there is also an unofficial part: the cyber team is also said to have passed on its own information to Kaspersky, such as malware samples, and operated Kaspersky software for this purpose. Malware samples are digital evidence of malicious software such as viruses or ransomware. In other words, they help investigate hacker attacks. 

‘Just a present’ 

There was also a kind of trade in data during this period: the Swiss intelligence service was apparently actively collecting data for Kaspersky and other private cybersecurity companies. The secret report soberly states that the FIS passed on information to the companies “in order to obtain valuable intelligence information from them on other occasions”. 

Attached is a screenshot of an internal Threema chat. In it, W. asks to collect data: “Can you please start a dump? It’s not APT related […] Just a present to […].” Without any connection to a specific critical cyberattack, just as a gift for the company. 

“The FIS passes on information obtained e.g. via server images or network traffic recordings […] to private companies (such as a cybersecurity firm) in order to obtain valuable intelligence information from them on other occasions.” 

Source: Secret report of the FIS 2021 

Investigative journalist Grozev finds Swiss cooperation with Kaspersky “extremely naive”. “The ultimate beneficiary of Kaspersky’s work in Russia is the Russian government,” he says. Even something as seemingly harmless as passing on malware samples is of benefit to Russia, he says, explaining that the Russian secret services could use the samples to recognise why a particular cyberattack by Russian hackers didn’t work and adjust their tactics. 

When asked by SRF Investigativ, Kaspersky rejected the accusation of cooperating with Russian authorities. The company said it is also not subject to the corresponding laws in Russia. 

Information leakage to Russia 

The FIS also does not know how often W. and the cyber team passed on information to Kaspersky or how explosive it was. In the secret report, the investigation team states that it is “not clear” which specific data was exchanged with partner companies such as Kaspersky. However, at least one specific “extremely critical data outflow” is named. 

“An employee of the FIS is said to have passed on information to the GRU via the company Kaspersky.” 

Report from a friendly intelligence service. Source: Secret report of the FIS 2021 

An FIS employee is said to have passed on information to the Russian military intelligence service GRU using Kaspersky. This involved “classified information, among other things” on Russian intelligence agents who were in The Hague in March 2018. This is what the FIS writes in the secret report, referring to a friendly partner service. 

This partner intelligence service warns Switzerland that the life-threatening information had ended up with the Russian military intelligence service GRU and could also have been passed on to the Russian domestic intelligence service FSB. 

“According to the content of the document, there is a risk that the information could flow to the FSB and thus endanger lives.” 

Letter from a friendly partner service. Source: Secret report of the FIS 2021 

The first warning about an information leak to Kaspersky dates back to September 2018 – more than two years before the aforementioned interventions in autumn 2020. During these two years, as can be seen from the chronological list in the secret report, the two important Western intelligence services contacted their Swiss colleagues several times. They criticised the “illegal transfer of data” to Kaspersky and warned against W., who had “behaved in a compromising manner”. 

By spring 2020 at the latest, the director of the FIS was aware of suspicions about W. The secret report does not specify to whom the earlier warnings were addressed – to him or to other people. 

Cooperation severely strained 

Arndt Freytag von Loringhoven knows both worlds. The German diplomat and former ambassador was once stationed in Moscow; later he was vice-president of the German intelligence service BND and intelligence coordinator at defence alliance NATO. “Whenever there’s a possible outflow of data to Russia or the danger of this, then the highest level of alert is called for. The partner services really don’t mess around here,” he says. 

Freytag von Loringhoven can imagine that cooperation with the partner services was heavily strained during this Russia affair even if it may not have come to a standstill.  

“What you often see in such cases, however, is that the cooperation continues formally, so to speak – so no total crisis is declared – but the substance is actually undermined,” he says. The lack of trust means that nothing of significant intelligence value is shared anymore. 

Cyber team destroys data traces 

More than two years after the first warning, the FIS reacted in December 2020, according to the secret report. W. is first restricted to working from home and then leaves the intelligence service. In spring 2021, the FIS orders an internal investigation. 

There are numerous inconsistencies concerning W.’s departure. When he leaves the FIS building, he takes his “personal/official laptop” with him. He didn’t bring it back until March 2021, more than three months later, to be “newly set up”, as it also contained private information. His own cyber team then overwrote the computer several times. The statement says: “Whether the deletion was commissioned and by whom remains unclear.” 

At the same time, the intelligence service received internal information that “data had been deleted on a large scale within the cyber team”. A few weeks later, mobile phones and laptops belonging to members of the cyber team were confiscated as part of the internal investigation and handed over to the Federal Police. However, a systematic analysis never took place. 

Many questions remain unanswered 

The secret report leaves many questions unanswered in this Russia affair. For example, it remains unclear whether the cooperation with Kaspersky continued after 2021. And whether it is plausible that W. maintained these contacts on his own. 

The secret report was sent to those responsible – from the FIS to the supervisory authorities to the Federal Council – in December 2021. Over three years ago. What measures were taken? How were unofficial Russian contacts prevented from continuing? 

The latest indication of how the Russia affair has been dealt with is provided by the AB-ND supervisory authority’s investigation. It was concluded in February 2024, but the report was published only a few weeks ago in May 2025. It states that the AB-ND was surprised to learn that the FIS had not installed any new checks in the cyber team by 2024. “A dual checking principle” with regard to the cyber team “was still missing”. 

Cyber FIS has been ‘comprehensively reorganised’ 

The FIS did not respond to detailed questions from SRF Investigativ, but it wrote that the incidents in the former cyber division between 2015 and 2020 had been investigated. In addition, it said the cyber division was reorganised immediately after the internal investigation. This involved a “fundamental renewal of practices in the procurement of cyber data, an expansion of checking mechanisms and new management”. The oversight of the cyber team had been improved over the past year, it said. 

Regarding the specific questions from SRF in connection with the internal investigation report, the intelligence service writes: “The FIS does not comment on secret reports to the media.” 

Defence minister announces investigation 

Martin Pfister, Swiss defence minister since April, is responsible for the intelligence service. Pfister told SRF Investigativ that a functioning intelligence service is of central importance, “especially in this uncertain global situation”. 

The affair is to be investigated again. “I have initiated an external administrative investigation,” Pfister said. The aim is to check whether the points raised in previous reports have been implemented. The question of who destroyed the data is also part of the investigation. According to Pfister, no criminal investigations are underway into the events of 2015 to 2020. 

“Trust in the FIS is of central importance. I am personally doing everything I can to restore it,” Pfister said. 

And W.? 

Why did W. cultivate these contacts? What was his motivation? In an internal chat of the cyber team, when the cooperation with one of the important service provider companies threatened to collapse, he wrote that would be a nightmare – “we will be like everybody else”. 

W. and his highly successful team apparently feared a loss of status. 

When asked by SRF Investigativ, the former head of the cyber team rejected the accusations. Through his lawyer, he stated that he had cooperated fully with the FIS’s internal investigation in 2021. The intelligence service had made neither an accusation nor an allegation. He said the allegations are false assumptions that are “completely made up out of thin air” and come from “sources that have not been professionally verified”. 

One thing is clear: the Russia affair seems to have done W. little harm so far. He remains active in the cybersecurity field and is a sought-after speaker.

This article was originally published in GermanExternal link by SRF Investigativ. 

Translated from German by DeepL/ts/ac