“SORM” in Ukrainian Telecom Networks: What’s Behind the Loud Claim by Fire Point’s Co-Owner

© ROOT-NATION.com - Use of content is permitted with a backlink.

The Ukrainian internet segment erupted in discussion after a statement by Fire Point co-owner and chief designer Denys Shtilerman, who claimed that “SORM” systems are present in the networks of Ukrainian telecom operators. Let’s take a closer look at what this means and why it caused such a reaction.

What did Shtilerman say?

The engineer suggested that Russian surveillance software known as SORM may be installed within the networks of domestic mobile operators. He also proposed a radical measure: temporarily shutting down operators one by one for several days in order to “clean” the equipment.

The statement quickly attracted attention. During wartime, mobile communications are not merely a commercial service but part of the country’s critical infrastructure, relied upon by both the military and the civilian population.

However, within a few hours of the publication, mobile operators – including Kyivstar – issued official statements denying the claim.

To assess whether such suspicions have any basis, three key questions need to be considered: what SORM is, how realistic it would be to install it within Ukrainian telecommunications networks, and why this version of events appeared in the first place.

What is the SORM system?

SORM (the System for Operative Investigative Activities) is one of the core technological frameworks used for state monitoring of telecommunications in Russia. The system was introduced in the 1990s, but over the past three decades it has evolved from a relatively simple tool for intercepting telephone calls into a complex digital infrastructure capable of monitoring many forms of communication.

Formally, the system was designed to support law-enforcement investigative activities. In practice, it has developed into a large-scale technical surveillance architecture that covers telephone networks, internet traffic, and a significant share of users’ digital data.

The primary operator of the system is the Federal Security Service, which has direct technical access to telecommunications networks.

SORM has expanded alongside advances in communications technology. Early versions focused mainly on traditional telephony, while more recent implementations are designed to process a broad range of digital communications.

The system is usually described as having three generations.

SORM-1 appeared in the mid-1990s. Its capabilities were relatively limited: intercepting telephone conversations and collecting basic connection metadata. This included monitoring landline and mobile calls, as well as recording phone numbers, call times, and call duration.

Even at that stage, however, a key technical characteristic of the system was established: interception equipment was installed directly within the networks of telecommunications operators.

As internet use became widespread, these capabilities were no longer sufficient. In the early 2000s, SORM-2 was introduced, extending monitoring into the digital domain. It enabled the interception of internet traffic, tracking of email communications, analysis of website requests, and collection of technical connection parameters.

In practical terms, this meant that a substantial portion of users’ online activity could fall within the scope of monitoring.

The third generation, SORM-3, represents the most extensive stage of the system’s development. Its primary objective is no longer limited to intercepting communications but also includes the large-scale collection and analysis of data.

This version can gather metadata related to communications, store contact histories, analyze social connections between users, and build long-term digital profiles.

In other words, the focus shifts from monitoring individual calls or messages to assembling a broader picture of a user’s digital activity over time.

How it works technically

The main characteristic of SORM lies in its architecture.

It is not malware and not a cloud-based surveillance platform. SORM consists of physical equipment installed directly within telecommunications infrastructure.

This includes data processing and storage servers, systems for intercepting network traffic, hardware platforms for deep packet inspection, and specialized switching modules.

These devices are connected to backbone communication channels and effectively duplicate data flows.

The collected data is then transmitted through dedicated, secure communication channels that connect operators’ equipment directly to intelligence processing centers.

Another fundamental aspect of the system is the specific role of telecommunications companies.

For SORM to function, operators are required to install the designated equipment, integrate it into their infrastructure, and maintain its operational status.

At the same time, they often do not have direct control over how the system is actually used.

Access to the data is carried out directly by the intelligence agencies. This means that operators may not be aware of when or whose communications are being monitored. In practice, they function primarily as a technical intermediary within the system.

Is it technically possible to install SORM in Ukraine?

In theory, yes. In practice, it would be extremely difficult. The system requires physical access: installing servers, establishing dedicated communication channels, and integrating with the core of the network. Since 2014, Ukrainian operators have gradually phased out Russian equipment, carried out significant modernization, and switched to Western suppliers.

It is also unlikely that operators such as Kyivstar and Vodafone Ukraine would agree to such an installation, particularly under wartime conditions.

In addition, the cybersecurity of critical infrastructure is continuously monitored by the Security Service of Ukraine and the State Service of Special Communications and Information Protection of Ukraine. Deploying a full SORM system without their knowledge would be extremely difficult.

Why the suspicion arose

The theory that SORM might be present in Ukrainian networks did not emerge without context. Three factors contributed to the discussion:

  1. Networks as a strategic asset during war. Mobile communications are used by the military, civilians, drones, and intelligence systems. Any vulnerability could potentially be exploited by an adversary.
  2. History of cyberattacks. The most notable case was a major attack on Kyivstar in December 2023, which Ukrainian security services attributed to Russian hacker groups. The incident demonstrated that infiltration of operators’ internal infrastructure is possible.
  3. Attempts to explain the effectiveness of Russian drones. Some analysts have speculated on why certain enemy UAVs sometimes bypass air defense with high precision, leading to suggestions that real-time data from networks could be involved.

It is important to note that there is currently no public evidence indicating the presence of SORM in Ukraine.

What Shtilerman specifically proposed

The Fire Point engineer stated that the only reliable way to inspect the networks would be to temporarily shut down each operator for several days, conduct a full audit of the equipment, and remove any potentially hostile components. The rationale is straightforward: without active traffic, it is easier to detect hidden backdoors.

Why this is almost unrealistic

Mobile networks in Ukraine are not just a means of communication or internet access. They support coordination of Armed Forces of Ukraine units, emergency medical services, police, and the State Emergency Service. They also facilitate banking transactions and serve as the primary internet access for millions of people. In addition, mobile networks underpin many government services.

Even a single day of downtime for one operator could disrupt logistics, complicate military command, and create significant chaos in the digital economy. Making such a decision without concrete evidence would carry an extremely high risk.

Operators’ position

Kyivstar responded quickly and firmly, stating that “there is no Russian surveillance software in our networks. The infrastructure is continuously monitored, and we cooperate with state cybersecurity authorities.”

Similar statements were issued by other major market players. This suggests that Shtilerman’s claims lack technical grounding. Without delving into personal judgments, it would be more appropriate to examine the technical details before making public assertions.

Real threats that no one disputes

Although the SORM scenario remains hypothetical, telecom data can indeed be exploited by adversaries in other ways:

  • Metadata analysis. Even without intercepting content, the density of signals, subscriber movements, and device concentrations can reveal information about troop locations and logistics.
  • Signals intelligence. Russia actively employs electronic intelligence systems that can capture mobile phone signals without any access to operators’ networks.

Summary

Denys Shtilerman’s statement is not an investigation but a speculative technical hypothesis from someone who works daily on defense technologies. Operators have denied the claim, and no evidence has been presented. However, the discussion itself highlights an important point.

It serves as a reminder that, during a full-scale war, mobile networks are a strategic target comparable to power plants or factories. Their cybersecurity must be treated with the same priority as air defense or border protection, because in modern conflict, control over communications translates directly into control over the battlefield.

Yuri Svitlyk