For only 350 thousand KM, and without requesting security checks, the FBIH Banking Agency gave the Serbian company Energosoft, behind which stands Prointer Belgrade, complete insight into the financial sector of the Federation of BiH and the private accounts of citizens of this BiH entity. It is a continuation of the control of the FBIH's critical infrastructure by IT companies associated with the political leadership of the Republic of Serbia itself.
By Predrag BLAGOVČANIN
At the beginning of the year, the FBiH Banking Agency, headed by Jasmin Mahmuzić, announced a tender for in-depth risk analysis services for the information and communication system.
The analysis is meant to check the security of the FBIH Banking Agency’s system and to detect vulnerabilities in the IT system that could allow hacker intrusions leading to unauthorized use, publication or destruction of data.
The importance of the security of the ICT system of the FBIH Banking Agency is reflected in the competence of this agency as well as the data at its disposal.
According to the law from 2017, this agency performs complete supervision of commercial banks as well as other subjects of the banking and financial system, with complete insight into their operations. In this context, the Agency stores and processes large amounts of data on natural and legal persons who are clients of banks, as well as on the subjects of the banking system.
If the security of this data, to which the Law on Personal Data Protection and the Law on Protection of Classified Data apply, were violated, there would be unforeseeable consequences and disruptions in the functioning of the agency and the entire FBIH financial sector.
Only a consortium of the companies “A MI Manera” Belgrade-Vračar, “MC Global Audit” Belgrade, “Energosoft ITSS” Belgrade and “Atia” Sarajevo applied for the tender, which provides complete insight into the operations and data of the FBIH Banking Agency.
The company “A MI Manera”, which leads this consortium, was founded in 2020, and according to publicly available data from the Republic of Serbia, it did not participate in tenders in this country.
According to the available biography, the founder Tatjana Vukić has more than 15 years of experience in the leading banking systems of Serbia. She was the President of the Executive Board of “Fidomestic Bank” Belgrade and led the integration of “Piraeus Bank” with “Direct Bank Kragujevac”, and since 2016 she has been the President of the Supervisory Board of the state company “Dunav Osiguranje”.
Unlike Tatjana Vukić, the owner of the company “MC Global Audit” Milivoje Cvetinović has rich business experience in Bosnia and Herzegovina.
In his career, Dr Cvetinović was also the director for the public sector of SAP West Balkan, which together with B4B was involved in the affair over multimillion purchases of SAP software by Elektroprivreda BIH, Elektroprenos BIH and JU Apoteka Sarajevo, which have been waiting for their prosecutorial epilogue since 2015.
From Serbia with love
Energosoft ITSS, the third company in this interesting consortium, is a subsidiary of Prointer ITSS Belgrade, which is linked to Slaviša Kokeza, a high-ranking member of the SNS and former president of the Football Association of Serbia.
Like its namesake on the other side of the Drina, the company Prointer Belgrade bases its business success on lucrative contracts with the public sector of the Republic of Serbia. In December 2016 alone, this company received one tender contract from the public sector of this country every day.
Žana Gauk, a journalist from the Žurnal.info portal, who has been analyzing Prointer’s business with the public sector for years, as well as the role of the Dodik family in the “incredible” business success of this company, points out the connection between Belgrade and Banja Luka’s Prointer.
“At the time when “Prointer” in RS started to get all the jobs in the public sector, Slavisa Kokeza, until recently the president of the Football Association of Serbia and a great friend of Milorad Dodik, was mentioned as a co-owner from the other side of the Drina. Just like Igor Dodik, Kokeza was never officially the owner of Belgrade’s “Prointer”, but he is the official owner of “Eurosalon”. Today, according to official data in the APR, a certain Ivana Rajić is at the head of both companies. It is interesting that both of these companies are located at the same address as Kokeza’s company “Senior Team”. The Belgrade parent company was also dominant in tenders. In fact, it was considered one of the main IT companies affiliated with the ruling SNS there.”
“Prointer” Belgrade officially left the ownership structure of “Prointer” Banja Luka in 2020, and Infinity International Group became its 100% owner. However, the additional sanctions of the American administration from 2022 against Milorad Dodik, as well as the companies that are connected to his family, did not have a great impact on the business of Prointer Banja Luka.
Žana Gauk sees in this an incredible resemblance to its Belgrade counterpart. Despite the fact that Kokeza was arrested and questioned in the case against the criminal group of Veljko Belivuk in Serbia, Prointer Belgrade continued to get public jobs in this country.
“Even after the arrest of Slavisa Kokeza, Prointer continued to gain important state jobs. Until recently, in Republika Srpska US sanctions have become tougher against Milorad Dodik and Alternative Television, which was owned by Prointer, the situation was identical. All databases with personal data of the citizens of this country are in the hands of “Prointer”. “Microsoft” and “IBM”, which terminated their partnership, did not hinder the company too much. From the day the sanctions were announced, January 5, until March 18, “Prointer” received contracts worth more than four million KM from the public sector. In 72 days.”
The only BiH company that will participate in the analysis of the ICT system of the FBIH Banking Agency is the Sarajevo company “Atia Consulting”. Relatively unknown in the IT industry, its business with the public sector in BiH is based on the provision of penetration testing services and security of information systems.
Unlike his business colleagues from the Republic of Serbia, the owner of the company “Atia Consulting”, Anel Tanović, partially answered the questions of the Tačno.net portal. After a telephone conversation in which he emphasized that he had not passed the security check but that he would sign a confidentiality agreement after further work, he referred us to the Banking Agency for further answers.
FBiH Banking Agency: They did not understand what they gave
Due to the specifics of data and information available to the FBIH Banking Agency and the fact that data are protected by the Law on Personal Data Protection and the Law on Protection of Classified Information, we asked whether they sought security checks for the above companies.
“Regarding your question, and to the extent that we understand the same, we inform you that issues of secrecy, confidentiality and security of data exchange are ensured by the signing of a contract with the selected bidder, by signing declarations of confidentiality and confidentiality with all members bidders participating in the realization of the service in question.”
However, the significance and legal weight of the declaration of secrecy and confidentiality of the data that the Agency will sign with this consortium is equivalent to accepting the consent to subscribe to the Newsletter of “Sarajevo Kiseljak” or some other commercial company.
Bosnia and Herzegovina has legislation as well as a clearly defined procedure for issuing industrial security permits. This permit represents the application of security measures for the protection of classified information when it is necessary to hire a legal or natural person to perform a particular job.
The Ministry of Security of BiH, which issues these licenses, after checking the companies by the Intelligence Agency – OSA, submitted to the portal Tačno.net a list of 12 companies in the field of IT that have a BiH level industrial security permit.
„MIBO KOMUNIKACIJE d.o.o. Sarajevo, SECTOR ADS d.o.o., ORKA doo, QSS d.o.o., BOSNIEN BUSINESS SYSTEMS – BBS d.o.o., PING doo, NEONTX d.o.o, KING ICT d.o.o., PAGE d.o.o., ROAMING NETWORKS d.o.o., LANACO d.o.o. and CORE d.o.o.“
The Industrial Security Permit should be one of the primary tools for protecting the IT security of critical infrastructure of Bosnia and Herzegovina and the FBIH from unauthorized data collection and publication or destruction.
We remind you that in 2019, Republika Srpska, following the example of the surrounding countries, adopted the “Law on Critical Infrastructure Security” which defines activities aimed at protecting industry and energy, ICT infrastructure, transport, health, utilities, water management, food distribution, storage of hazardous materials, etc.
Unlike this entity, Bosnia and Herzegovina and the Federation do not have a Law on Critical Infrastructure Protection. The reasons for the refusal to address this crucial security issue should be sought in indolence or particular interests.
Prointer is everywhere
An analysis of data from companies and institutions at the state and federal levels shows that companies within the Prointer Group received tender contracts in the CRA, the Municipality of Centar Sarajevo, the Veterinary Office of BiH, KJKP VIK Sarajevo, the Audit Office of BiH, the Council of Ministers of BiH, the Ministry of Foreign Trade and Economic Relations of BiH, Elektroprenos BIH, JP Autoceste FBIH, the Agency for Statistics BIH, the Ministry of Agriculture, Water Management and Forestry FBIH, JP Elektroprivreda HZHB, IDDEEA BIH, the Indirect Taxation Authority BIH, NOS BiH, Clinical Center Sarajevo, etc.
And from March this year, as we can see, Prointer Belgrade, the former owner of Prointer Banja Luka, will have the opportunity for an in-depth analysis of the Information and Communication System of the FBIH Banking Agency.
In this context, the question arises of the effectiveness of the ban on entry into BiH by persons declared by the Intelligence and Security Agency to be a threat to the national security of BiH. We remind you that in 2007, the entire banking system of Estonia was exposed to a massive DDoS attack that literally paralyzed state institutions, internet media and other segments of critical infrastructure. The problem was solved in cooperation with NATO experts, with Estonia disconnecting itself from the Internet.
Security expert Ahmed Kico emphasizes the possible consequences of the fact that companies hired by the Banking Agency for in-depth analysis of the Information and Communication System do not have an industrial security license.
“All companies that have direct or indirect access to classified or protected information must pass security checks and have an industrial security license. In order to prevent an authorized or unauthorized agency from another country from entering the complete banking system, a security check must be performed. If this is not done, there is a certain chance that confidential information will be transferred to the intelligence systems of neighbouring or other countries. That can be a huge problem not only for the banking system but for the entire country.”
According to Kico, the transfer of confidential data and their use for intelligence purposes is only one of the tools of hybrid operations that can hypothetically be launched against Bosnia and Herzegovina.
“In this case, foreign intelligence agencies can timely plan all types of hybrid operations directed against BiH. If the FBIH Banking Agency is not up to the task in this case, it can hypothetically be responsible for, for example, the non-functioning of ATMs in the FBIH, which would lead to chaos and panic among citizens, which is the key purpose of hybrid operations. Panic and chaos, as we know, can lead in an unknown direction.”
Tellingly, the FBIH Banking Agency signed a contract with the consortium behind Prointer Belgrade less than a month after the takeover of Sberbank BiH dd Sarajevo and the sale of this bank for 15 million KM to ASA finance.