HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Russia Used Cellebrite UFED Tool to Extract Data from Dissident’s Devices After Vendor Cut Off Access

Russian authorities employed Cellebrite’s UFED forensic device to access a political activist’s phone and laptop in June 2021, despite Cellebrite’s March 2021 announcement that it would cease services to Russia. The breach highlights the need for continuous vendor‑risk monitoring and audit‑ready evidence of de‑provisioning.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
therecord.media

Russia Leveraged Cellebrite UFED Tool to Extract Data from Dissident’s Devices After Vendor Cut Off Access

What Happened — Russian authorities used Cellebrite’s Universal Forensic Extraction Device (UFED) to pull data from activist Andrey Pivovarov’s iPhone 12 and MacBook in June 2021. This occurred three months after Cellebrite publicly announced it would stop providing services to Russia, yet legacy hardware continued to operate in an offline mode without the company’s consent.

Why It Matters for Compliance & Audit Readiness

  • The incident illustrates a classic vendor‑risk scenario where a third‑party technology remains usable after a formal disengagement, exposing you to unauthorized data access.
  • SOC 2 vendor‑management criteria (CC6.1, CC6.2) require continuous monitoring of third‑party controls and documented evidence that de‑provisioning is effective.
  • Demonstrating that you have real‑time assurance that a vendor’s tools are no longer active in prohibited environments is essential audit evidence for the Security and Confidentiality principles.

Who Is Affected — Government agencies, NGOs, civil‑society groups, and any organization that outsources forensic or mobile‑data extraction services to third‑party vendors.

Recommended Actions

  • Review all contracts with digital‑forensics providers and embed explicit de‑provisioning and revocation clauses.
  • Implement continuous monitoring of vendor‑provided hardware/software inventories to detect legacy assets that could be misused.
  • Capture and retain evidence of vendor disengagement (e.g., termination notices, hardware de‑activation logs) for SOC 2 audit trails.

Technical Notes — Cellebrite’s UFED hardware includes an offline mode that can function without updates or remote support. Legacy devices sold before March 2021 are technically incompatible with newer phones but remain capable of extracting data from older models. The forensic analysis identified a USB connection to a host ID previously attributed to Cellebrite. Source: The Record

📰 Original Source
https://therecord.media/russia-used-cellebrite-tool-after-company-pulled-out-of-country

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →