China In Eurasia

Listen to the Talking China In Eurasia podcast

Apple Podcasts | Spotify | Google | YouTube

Welcome back to the China In Eurasia briefing, an RFE/RL newsletter tracking China's resurgent influence from Eastern Europe to Central Asia.

Looking ahead, we'll be changing up the newsletter format and will start sending it out every week. Until then, it would be great to hear more about what you like about the newsletter currently and would want more of moving forward. Send me an email to StandishR@rferl.org with your thoughts. Don't be shy :)

I'm RFE/RL correspondent Reid Standish and here's what I'm following right now.

Chinese-Made Surveillance Equipment At Romanian Military Sites

An RFE/RL investigation found that surveillance equipment made by Hikvision and Dahua -- two partially state-owned Chinese companies -- is used by at least 28 military facilities in Romania.

Among those military sites, we found that a base in southern Romania that's home to NATO's Aegis Ashore land-based missile-defense system, which is operated with the U.S. military, uses Hikvision surveillance cameras.

Finding Perspective: In addition to the military facilities, RFE/RL's Romanian Service also found that the equipment is in wide use by hundreds of other public institutions involved in national security in the country, ranging from the coast guard to sites operated by the Romanian Intelligence Service.

Concerns over data access and vulnerability to hacking aren't unique to Hikvision or Dahua, but both companies have received bans in the United States, Britain, and Australia due to concerns over how data is stored, alleged links to the Chinese military, and both firms' role in helping Beijing's crackdown against Uyghurs and other minorities in Xinjiang.

Both brands also have an extensive history of security vulnerabilities that make them higher-risk to being infiltrated by hackers.

In a study released in 2021 by Lithuania's Defense Ministry, they found hundreds of vulnerabilities that led them to recommend not using either brand.

There's also been multiple glitches and breaches over the years that made them susceptible to hacks and their feeds being overtaken remotely.

Why It Matters: There's an ongoing debate across the West about the risks of using Chinese tech in critical infrastructure.

Hikvision and Dahua are among the world's leading providers of closed-circuit television and surveillance systems and their products remain popular across Europe and there are no EU restrictions against them.

When we reached out to Romania's Defense Ministry about this, they said using the cameras was perfectly legal and that they keep them disconnected from the Internet to ensure a high-level of security.

And that's all true. There is no ban in Romania and keeping them on a closed network can limit many of the vulnerabilities found in the cameras.

But surveillance-industry experts we spoke with, such as Conor Healy at the surveillance-industry research firm IPVM, said that there's still risks that Hikvision and Dahua equipment could be hacked, even if it's not connected to the Internet.

In the meantime, the debate in Romania is just getting started. Several lawmakers we spoke with after our investigation said that they want stricter rules over using the Chinese tech at national security sites and plan to bring it up in parliament.

Three More Stories From Eurasia

1. Chinese Police To Budapest

After inking a security agreement in February with his Chinese counterpart, Hungarian Interior Minister Sandor Pinter confirmed that Chinese police will be stationed in Budapest as part of the deal, RFE/RL's Hungarian Service reports.

The Details: According to the agreement, Hungarian and Chinese police officers "will be able to jointly conduct patrol services in the future, thereby helping more effective communication between the citizens and authorities of the two countries, improving internal security, and public order."

The Hungarian Interior Ministry said that the aim of the deal was to improve security during peak tourist periods and generally during events that attract larger crowds.

The agreement has received lots of attention amid Prime Minister Viktor Orban's cozy relationship with Beijing -- as well as Moscow and Tehran -- and that he could be looking to undermine European security goals.

While that may be true, the deal itself should be seen in a wider context.

Beijing has signed similar deals in Europe with Italy and Serbia in the past. Both countries, along with Hungary, have a large Chinese economic presence and a large number of citizens. Rome, however, pulled out of the deal following uproar in 2022 over a constellation of secret police stations China was operating around the world.

As RFE/RL reported at the time, both Budapest and Belgrade were home to secret stations and the Hungarian and Serbian governments denied their presence despite plenty of public evidence showing otherwise.

Chinese nationals have become the largest minority group in Budapest and Beijing is highly focused on monitoring and controlling its citizens abroad -- something that Orban's government appears happy to help with.

2. The Eurasia Angle On Leaked Chinese Hacking Files

On February 18, a collection of documents from a Shanghai-based cybersecurity company was leaked to the online platform Github, offering the most credible public evidence to date about China's expanding hacking ambitions.

Here's a look at the Eurasia angle on the leaks.

What You Need To Know: I-Soon is a private company, but it's a contractor for the Chinese government, police, and military, and the leak contains documents and communications that show the company using spyware to meet Beijing's political interests.

The leaks show operations in various countries, with a focus on Southeast and Central Asia, including Afghanistan, Pakistan, Kazakhstan, and Kyrgyzstan.

The group targeted telecoms networks in Kyrgyzstan and Pakistan, and also hacked Air Astana -- Kazakhstan's national airline -- and Air Malaysia to get data for Xinjiang's regional authorities in their ongoing crackdown against Uyghurs and other minority groups there.

3. Growing China-Russia Tech Cooperation

Russia is increasing its cooperation with China in 5G and satellite technology and this could facilitate Moscow's military aggression against Ukraine, a new report by the London-based Royal United Services Institute (RUSI) security think tank warns.

What It Means: The RUSI report details how the cooperation between Russia and China in 5G and satellite technology can also help Russia on the battlefield in Ukraine.

"Extensive deployment of drones and advanced telecommunications equipment have been crucial on all fronts in Ukraine, from intelligence collection to air-strike campaigns," the report says. "These technologies, though critical, require steady connectivity and geospatial support, making cooperation with China a potential solution to Moscow's desire for a military breakthrough."

5G network development, according to the report, has gained particular significance for China-Russia ties, resulting in multiple agreements between Chinese technology giant Huawei and Russian companies MTS and Beeline.

For more, check out this write-up on the report's main takeaways by my colleague Elitsa Simeonova.

Across The Supercontinent

Middle Corridor Milestone: The leaders of Azerbaijan and Kazakhstan greeted the first containers delivered from China to Azerbaijan's eastern Abseron district on March 11 via a new train route crossing Kazakhstan, RFE/RL's Kazakh and Azerbaijani Services report.

More Visa-Free: After granting visa-free travel to Georgia, Beijing announced that it would also grant it to nationals from Switzerland, Ireland, Hungary, Austria, Belgium, and Luxembourg starting on March 14.

A Message From Stockholm: As questions swirl across Europe about what the return of Donald Trump as U.S. president could mean for American support for Ukraine, Swedish Prime Minister Ulf Kristersson told Politico that Europe needs to do a better job of understanding U.S. security concerns about China in order to persuade Trump against scaling back support for NATO.

Multipolar Partners: Speaking on the sidelines of the Two Sessions, China's annual parliamentary and political advisory meetings, Wang Yi vowed to deepen relations with Russia, as Beijing continues to assert the importance of what it calls a "multipolar" world order.

One Thing To Watch

Speaking of the Two Sessions, it wrapped up on March 11 after Chinese leader Xi Jinping vowed to adopt several new pieces of legislation that aim to safeguard China's sovereignty and security interests.

As William Yang at VOA wrote, China is grappling with strong economic headwinds that could blow it off course, but Xi's focus appears to be on consolidating power and tightening security, all measures that are unlikely to boost the confidence of foreign investors.

That's all from me for now. Don't forget to send me any questions, comments, or tips that you might have.

Until next time,

Reid Standish

If you enjoyed this briefing and don't want to miss the next edition, subscribe here. It will be sent to your inbox every other Wednesday.

BUCHAREST -- A seemingly mundane purchase by the Romanian military on January 16 for Chinese-made surveillance equipment could have far-reaching national-security implications.

For less than $1,000, a Romanian Defense Ministry employee ordered an eight-port switch and two surveillance cameras for the security network at a military base in the sleepy southern village of Deveselu that is home to NATO's Aegis Ashore, land-based, missile-defense system.

The cameras were made by Hikvision, a partly state-owned Chinese company with alleged links to the country's military whose equipment has been blacklisted by the United States and Britain due to data and security vulnerabilities.

While there's no evidence the cameras at Deveselu have resulted in any breaches, a monthslong investigation by RFE/RL's Romanian Service shows that surveillance equipment made by Hikvision and Dahua -- another company that is partly owned by the Chinese government -- is used by at least 28 military facilities in the country. The equipment is also used by hundreds of other public institutions involved in national security, ranging from the coast guard to sites operated by the intelligence service.

Unlike the United States, Britain, or some other NATO partners, there is no prohibition on the use of Hikvision or Dahua equipment in Romania and the country's Defense Ministry and other national-security institutions using the brands told RFE/RL they were on closed-circuit systems that do not have cloud or Internet connections and that strict security protocols are followed.

But experts say their use in Romania raises critical questions about national security and the potential compromise of sensitive information. Vulnerabilities in firmware could allow remote access, control of cameras, data interception, and network attacks by state and nonstate groups alike. While these concerns are not unique to Hikvision and Dahua, questions over how both companies store their data, their connections to the Chinese government, and a growing catalogue of security vulnerabilities make both companies higher-risk.

"There's still a risk, even if something isn't connected to the Internet," Conor Healy, the director of government research at IPVM, a surveillance-industry research firm, told RFE/RL. "There are examples of closed-camera systems being hacked through other systems connected to the Internet."

Hikvision and Dahua are among the world's leading providers for closed-circuit television and surveillance systems and their products remain popular across Europe. There are no EU restrictions against them, but the European Parliament has removed equipment manufactured by the company from its premises. Both companies have denied allegations that their Chinese state links make them a security risk and say they regularly patch any glitches that can lead to vulnerabilities.

SEE ALSO:

'The Network Wars Have Begun': China's Digital Silk Road Ignites Hi-Tech Competition

Dahua did not respond to RFE/RL's request for comment, but Hikvision said the bulk of its devices are sold by third-party distributors and that it cannot access any of its cameras after they are sold to customers, and that the company has "a robust process to quickly address suspected vulnerabilities."

"Hikvision cameras comply with the laws and regulations applicable in Romania and the EU and are subject to strict security requirements," a Hikvision spokesperson told RFE/RL.

There is no specific prohibition in Romania against purchasing Hikvision or Dahua equipment, although politicians like Catalin Tenita, a Romanian parliament member and critic of the use of the companies by Romanian security services, says a legal basis for a ban already exists but has not been fully enforced.

Tenita told RFE/RL that existing legislation could "open up the possibility of eliminating offers that do not comply with established security standards," but that the government has decided not to apply this to Hikvision and Dahua, despite precedents set by partners such as the United States.

Eyes On Deveselu

The Romanian Defense Ministry said that due to the equipment being on closed systems that are not connected to the Internet, they can't be infiltrated from the outside and only operate on secure internal networks.

"All video-surveillance systems installed in military units, including the hardware part -- including video cameras and network and storage equipment, as well as the software applications through which they are operated -- go through strict testing, evaluation, and approval procedures," a ministry spokesperson told RFE/RL.

A spokesperson for the Deveselu Naval Facility, which is operated by U.S. forces responsible for the missile-defense system, told RFE/RL that it would be "inappropriate" to comment on Romanian military purchases but that they are "committed to a strong partnership" with their Romanian counterparts and will "continue to work together to support and promote security throughout the region and in NATO's collective defense."

In response to questions about concerns over the use of Hikvision and Dahua equipment at the Romanian base, a NATO official told RFE/RL that the military alliance followed "robust measures to ensure the security of our staff and facilities throughout the Euro-Atlantic area."

"We do not provide specific details on security infrastructure, but NATO continues to count on allies to ensure that products used at military sites do not pose a potential risk to security," the official said.

The alliance has not issued any formal ban on the use of third-country equipment, but NATO Secretary-General Jens Stoltenberg warned in September 2023 against the use of Chinese technology in critical infrastructure.

"We have seen the results of relying on Russia for our energy supply. We should not repeat this mistake by relying on China to provide the technology for our critical networks," he said.

While the Romanian Defense Ministry insists that keeping the equipment disconnected from the Internet will prevent any security risks, a similar situation was enough to help launch the ban against Hikvision in the United States.

As Hikvision first came under intense public scrutiny in the United States in early 2018, a military base in Missouri removed cameras on a closed network made by the company as a preventive measure.

A year later, U.S. lawmakers put Hikvision on a sanctions list, effectively blocking American companies from selling to it due to security concerns and human rights issues over its role in developing special technology to surveil and track Uyghurs and other minorities in China's Xinjiang Province.

The Lithuanian Defense Ministry scrutinized Hikvision and Dahua in 2021 and reported nearly 100 vulnerabilities in Hikvsion's firmware and concluded that the equipment posed "a chance [of] cyberattacks...or malicious code insertion [being] carried out."

No specific "direct cybersecurity vulnerabilities" were found in Dahua, the report concluded, but testing did show that cameras from the company periodically sent packets to servers in five different countries, including China.

Healy, the expert from IPVM, said that while keeping cameras on a closed network may provide extra security, "the extensive list of vulnerabilities" documented in Hikvision and Dahua makes them more susceptible to hacks by organized crime groups, nonstate actors, and groups associated with rival governments.

He notes that cameras disconnected from the Internet can still be accessed, as shown in an FBI report released in January that said it had shut down a China-backed hacking group called Volt Typhoon. The group was targeting critical infrastructure and, according to a report released by the U.S. Cybersecurity and Infrastructure Security Agency, it was able to gain access to closed camera systems by hacking into a computer's operating system online and then being able to infiltrate into offline networks.

Dahua, Hikvision Spread In Romania

Romania is the EU's largest market for Hikvision equipment, but neither Hikvision nor Dahua directly participate in public procurements. Instead, local security firms act as intermediaries, acquiring and redistributing these technologies to the country's public institutions.

RFE/RL's investigation shows the companies' equipment in prevalent use across both national and local levels by Romanian police, the General Inspectorate for Emergency Situations, the border police, and the country's gendarmerie, which is tasked with high-risk and specialized law enforcement duties.

Procurement records seen by RFE/RL also show that Hikvision and Dahua equipment is ubiquitous in courts, town halls, and universities across Romania, as well as at the national parliament in Bucharest.

Romanian police, the General Inspectorate for Emergency Situations, the border police, and the gendarmerie all told RFE/RL that their Hikvision and Dahua equipment was purchased legally on the basis of national legislation on public procurement and that it "fully meets the required technical specifications."

The institutions added that equipment from the two Chinese firms was not connected to the Internet or computer programs and cloud networks provided by Hikvision or Dahua.

RFE/RL also found that the Romanian Intelligence Service's headquarters in the northeastern city of Iasi, near the border with Moldova, also uses Hikvision and Dahua equipment.

"The video-surveillance systems at the level of our institution are part of a larger system that is protected, secured on a closed-circuit network, and is permanently subject to technical risk analyses that ensure an optimal degree of operational security and prevent risks to any stored data," a Romanian Intelligence Service spokesman told RFE/RL.

Marian Ghenescu, a video-systems specialist and security-systems engineer at Softrust Vision Analytics, a Romanian company specializing in the security of video-surveillance systems, told RFE/RL that keeping networks offline and regularly conducting cybersecurity maintenance can limit any possible vulnerabilities. He says that in Romania, Hikvison and Dahua are often chosen because they are the most affordable option available for budget-conscious local institutions and may not always be installed with the maximum security settings in place.

Alexandru Anghelus, a cybersecurity expert and founder of the consultancy Pro Defense, told RFE/RL that all surveillance equipment is subject to security risks, not just Chinese brands. He adds that Hikvision and Dahua's history of vulnerabilities could warrant additional scrutiny, pointing to a Hikvision security glitch in 2021 that is believed to have affected more than 100 million cameras globally.

In the meantime, some Romanian lawmakers are calling for further investigation.

Adrian Trifan, a senator who serves as the deputy chairman of the Communications, Information Technology, and Artificial Intelligence Committee, says that he wants the cameras removed from parliament and wants to know why Hikvision and Dahua equipment is being used so prevalently at national-security sites.

"It's a serious situation that should be clarified immediately by the relevant institutions," he told RFE/RL. "And it still needs to be clarified how these purchases passed the [Romanian Supreme Council of National Defense's] screening procedures."