How did Russian authorities use UFED on Andrey Pivovarov's phone?

In June 2021, Russian authorities used UFED to access data from Pivovarov's iPhone, including encrypted communications, despite Cellebrite's prior termination of services to Russia.

Russia's Continued Use of Cellebrite Tools Raises Concerns

Q: What are the implications of this incident?

The incident raises concerns about the control and potential misuse of surveillance technologies by authoritarian regimes, even after vendors have ceased official support.

Despite terminating contracts, Cellebrite's tools were used by Russian authorities to access activist data.

Published: June 25, 2026

Share this on:

Executive Summary

In June 2021, Russian authorities utilized Cellebrite's Universal Forensic Extraction Device (UFED) to access the iPhone of detained human rights activist Andrey Pivovarov. This occurred despite Cellebrite's public announcement in March 2021 that it had ceased all sales and services to Russian government agencies. The extracted data reportedly included communications from encrypted messaging apps, which were subsequently used to surveil other dissidents. This incident underscores the challenges technology companies face in controlling the use of their tools post-sale, especially when they are employed for political repression. The case highlights the need for robust mechanisms to prevent the misuse of surveillance technologies by authoritarian regimes, even after contractual relationships have been terminated.

Why This Matters Now

This incident highlights the persistent risk of surveillance tools being misused by authoritarian regimes, even after vendors terminate contracts, emphasizing the need for robust mechanisms to prevent such abuses.

Attack Path Analysis

Russian authorities arrested human rights activist Andrey Pivovarov and confiscated his iPhone. They exploited vulnerabilities in the device using Cellebrite's UFED tool to gain initial access. With this access, they escalated privileges to extract sensitive data, including messages from encrypted applications. The extracted data was analyzed to identify and surveil other dissidents. Authorities maintained control over the device to monitor communications and exfiltrated data to external servers. The operation led to the arrest and persecution of additional activists.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

Medium

Impact

High

Initial Compromise

Description

Authorities exploited vulnerabilities in Pivovarov's confiscated iPhone using Cellebrite's UFED tool to gain access.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1664

Exploitation for Initial Access

Credential Access

T1417

Input Capture

Remote Service Effects

T1468

Remotely Track Device Without Authorization

Lateral Movement

T1638

Adversary-in-the-Middle

Collection

T1517

Access Notifications

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

NIST SP 800-53 – Access Enforcement

Control ID: AC-3

Unauthorized access to the activist's mobile device indicates a failure in enforcing access controls, allowing adversaries to exploit the device.

PCI DSS 4.0 – Strong Authentication for Users

Control ID: 8.2.1

The breach suggests inadequate authentication mechanisms, enabling unauthorized access to sensitive information on the mobile device.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident highlights the absence or ineffectiveness of a comprehensive cybersecurity policy addressing mobile device security and forensic tool usage.

DORA – ICT Risk Management Framework

Control ID: Article 5

The unauthorized access underscores deficiencies in the organization's ICT risk management framework, particularly concerning mobile device security.

NIS2 Directive – Security Measures

Control ID: Article 21

The breach indicates non-compliance with required security measures to prevent unauthorized access to network and information systems.

CISA ZTMM 2.0 – Device Security

Control ID: 3.1

The incident reveals gaps in device security controls, allowing adversaries to exploit vulnerabilities in mobile devices.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Law Enforcement

State-sponsored surveillance using Cellebrite technology creates risks for evidence integrity, unauthorized access to forensic systems, and potential compromise of investigative capabilities.

Civic/Social Organization

Human rights activists face targeted surveillance through mobile forensic tools, requiring enhanced device security, encrypted communications, and protection against state-sponsored digital persecution.

Computer/Network Security

Demonstrates persistent functionality in offline forensic systems despite contract cancellations, highlighting need for remote disable capabilities and enhanced access control mechanisms.

Government Administration

Reveals challenges in controlling dual-use surveillance technology exports and enforcement, requiring stronger oversight mechanisms for preventing unauthorized usage by restricted entities.

Sources

Russia uses Cellebrite to break into human rights activist’s phone, even after cancellation of contracthttps://cyberscoop.com/russia-cellebrite-activist-phone-hacking/
Verified

Cellebrite said it cut off Russia, but Russia used its tools anywayhttps://techcrunch.com/2026/06/25/cellebrite-said-it-cut-off-russia-but-russia-used-is-tools-anyway/

Verified

Russia cracked an activist’s iPhone with Cellebrite, months after the firm said it lefthttps://thenextweb.com/news/russia-cracked-an-activists-iphone-with-cellebrite-months-after-the-firm-said-it-left

Verified

Citizen Lab reveals Cellebrite tool helped Russian authorities hack opposition phonehttps://mezha.net/eng/bukvy/7e40bb0a_citizen_lab_reveals/

Verified

Frequently Asked Questions

Cellebrite's Universal Forensic Extraction Device (UFED) is a tool used by law enforcement to extract and analyze data from mobile devices.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix Zero Trust CNSF primarily secures cloud workloads, its principles of strict segmentation and identity-aware policies could have limited the attacker's ability to escalate privileges and access sensitive data.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Implementing Zero Trust Segmentation could have limited the attacker's ability to access and extract data from encrypted applications by enforcing strict access controls.

Lateral Movement

Control: East-West Traffic Security

Mitigation: East-West Traffic Security could have limited the attacker's ability to move laterally within the network to analyze and surveil other dissidents.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Multicloud Visibility & Control could have limited the attacker's ability to maintain control over the device and monitor communications by providing centralized oversight.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Egress Security & Policy Enforcement could have limited the attacker's ability to exfiltrate sensitive data to external servers by enforcing strict outbound policies.

Impact (Mitigations)

By limiting the attacker's ability to escalate privileges, move laterally, and exfiltrate data, Aviatrix Zero Trust CNSF could have reduced the scope of the attack and its subsequent impact.

Impact at a Glance

Affected Business Functions

Human Rights Advocacy
Political Campaigning
Public Communications

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Personal communications, contact lists, and sensitive information of human rights activists and political dissidents.

Recommended Actions

• Implement device encryption to protect data at rest.
• Regularly update device software to patch known vulnerabilities.
• Utilize secure communication applications with end-to-end encryption.
• Educate users on the risks of device confiscation and potential exploitation.
• Develop policies for rapid response in case of device loss or seizure.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Russia's Continued Use of Cellebrite Tools Raises Concerns

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Exploitation for Initial Access

Input Capture

Remotely Track Device Without Authorization

Adversary-in-the-Middle

Access Notifications

Potential Compliance Exposure

NIST SP 800-53 – Access Enforcement

PCI DSS 4.0 – Strong Authentication for Users

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

NIS2 Directive – Security Measures

CISA ZTMM 2.0 – Device Security

Sector Implications

Law Enforcement

Civic/Social Organization

Computer/Network Security

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads