1.8 Million Exchange Students Part of Security Investigation Review

Posted on June 23, 2017June 23, 2017 by Denise Simon

Primer: Chinese spies target US intellectual property (important due to universities relationships with government operations) Further is 2015, U.S. diplomats previously warned China to stop using covert law enforcement agents on U.S. soil. CNN reported that the agents pressure Chinese citizens to return to the country to face justice, often on corruption charges, United States officials confirmed to CNN. The agents have successfully coerced several Chinese nationals to return to China from the U.S., they said.

So, between India and China we have more than a million foreign nationals at the student level. Are they really students? This is a number too, where American students are eliminated from college acceptance due to favorable foreign student policy.

The Student and Exchange Visitor Program (SEVP) is a part of the National Security Investigations Division and acts as a bridge for government organizations that have an interest in information on nonimmigrants whose primary reason for coming to the United States is to be students.

On behalf of the Department of Homeland Security (DHS), SEVP manages schools, nonimmigrant students in the F and M visa classifications and their dependents. The Department of State (DoS) manages Exchange Visitor Programs, nonimmigrant exchange visitors in the J visa classification and their dependents. Both SEVP and DoS use the Student and Exchange Visitor Information System (SEVIS) to track and monitor schools; exchange visitor programs; and F, M and J nonimmigrants while they visit the United States and participate in the U.S. education system.

WASHINGTON — There are 1.18 million international students with F (academic) or M (vocational) status studying at 8,774 schools in the United States according to the latest “SEVIS by the Numbers.” The biannual report on international student data, which includes a new section on regional data trends, is prepared by the Student and Exchange Visitor Program (SEVP), part of U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI).

The report, released Thursday by SEVP, highlights May 2017 data from the Student and Exchange Visitor Information System (SEVIS), a web-based system that includes information about international students, exchange visitors and their dependents while they are in the United States.

Based on data extracted from SEVIS May 5, the international student population increased 2 percent compared to May 2016, with 76 percent of students enrolled in higher education programs of study.

Seventy-seven percent of international students hailed from Asia. Among continents, South America had the largest percentage increase (6.5 percent) in international students studying in the United States when compared to May 2016.

China and India continue to send the largest number of students to study in the United States, at 362,368 students and 206,698 students, respectively. And even with a 19 percent decline – the steepest percentage decline among the top 10 Asian countries – Saudi Arabia still had 55,806 students studying in the United States in May 2017, ranking fourth among Asian countries. With an 18 percent increase, Nepal saw the largest proportional growth in students coming to the United States.

Nearly 514,000 international students pursued science, technology engineering or mathematics (STEM) degrees in May 2017, marking an 8 percent increase from May 2016. Thirty-nine percent of those students pursued engineering degrees. India not only had the largest number of STEM students, but also the largest proportional STEM student population; 84 percent of Indian students in the United States studied STEM.

In May 2017, 10 U.S. universities certified to enroll only F international students accounted for 10 percent of the entire international student population. New York University (15,386 students), the University of Southern California (13,365 students) and Northeastern University (12,372 students) – all certified to enroll F students – had the highest international student enrollment numbers among U.S. schools.

Nine percent of schools can enroll both F and M international students. The top three schools in this category included: Cornell University (5,716 students), the Houston Community College System (4,768 students) and Santa Monica College (3,554 students).

The international student population in the Northeast increased 4 percent when compared to May 2016, marking the highest proportional growth of the four U.S. regions. Rhode Island was the only state in the region to experience a dip in the number of international students compared to the previous year, while New York and Massachusetts added the largest number of international students during that same period, 4,490 students and 2,770 students, respectively. New Jersey saw an increase of 10 percent in international students pursuing bachelor’s degrees.

In the South, the international student population grew 3 percent since May 2016. Florida, Georgia and Texas all saw significant increases in the number of international students studying in those states. While Louisiana, Tennessee and Oklahoma saw decreases in the number of international students studying there..

Arkansas, Kentucky and Maryland all saw major growth in international students taking part in their higher education system. Maryland saw a 10 percent increase in the number of students earning a bachelor’s degree. However, the southern region saw the largest growth at the graduate degree level. The number of international students pursuing master’s degrees increased 25 percent in Arkansas and 35 percent in Kentucky.

The Midwest saw minimal growth of 1 percent. Illinois added 1,331 students to its international student population, marking the largest increase in the region, while Nebraska experienced the largest proportional growth of 7 percent. Missouri experienced the largest decrease in international students, both in terms of student numbers and proportional decline, 763 students and 3 percent, respectively.

In the western part of the United States, international student enrollment stayed relatively static in California, other than an 8 percent increase in the number of students earning bachelor’s degrees. Idaho saw a 14 percent drop in the total number of international students studying in the state, with a 16 percent decrease in the number of students earning a bachelor’s degree. But, Nevada’s international student population grew by 5 percent, marking the largest proportional growth in the region.

The full “SEVIS by the Numbers” report can be viewed here. Report data was extracted from SEVIS May 5. The report captures a point-in-time snapshot of data related to international students studying in the United States. Data for the previous “SEVIS by the Numbers” report was extracted from SEVIS in November 2016.

Individuals can explore more international student data from current and previous “SEVIS by the Numbers” reports by visiting the Study in the States interactive mapping tool. This information is accessible at the continent, region and country level and includes information on gender and education levels, as well as international student populations by state, broken down by geographical areas across the globe.

SEVP monitors the more than one million international students pursuing academic or vocational studies (F and M visa holders) in the United States and their dependents. It also certifies the schools and programs that enroll these students. The U.S. Department of State monitors exchange visitors (J visa holders) and their dependents, and oversees exchange visitor programs.

Both SEVP and the Department of State use SEVIS to protect national security by ensuring that students, visitors and schools comply with U.S. laws. SEVP also collects and shares SEVIS information with government partners, including U.S. Customs and Border Protection and U.S. Citizenship and Immigration Services, so only legitimate international students and exchange visitors gain entry into the United States.

HSI reviews SEVIS records for potential violations and refers cases with possible national security risks or public safety concerns to its field offices for further investigation. Additionally, SEVP’s Analysis and Operations Center reviews student and school records for administrative compliance with federal regulations related to studying in the United States.

Why is China Protecting North Korea? Reasons Abound

Posted on June 16, 2017June 16, 2017 by Denise Simon

Primer:

The United States Computer Emergency Readiness Team (US-CERT) issued a technical alert about the activity of the North Korea’s ‘Hidden Cobra’ APT group.
The joint Technical Alert (TA) report is the result of the efforts between of the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The US Government has tracked the hacker group as Hidden Cobra, but the APT is most popular as the Lazarus APT Group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.

The joint alert from the FBI and the DHS further details on the group, including indicators of compromise (IoC) for its DeltaCharlie botnet involved in the “Operation Blockbuster” to power DDoS attacks. More here.

*** Most of North Korea’s cyber operations are located in China hosted on Chinese communications internet/communications platforms. It is espionage of an epic standard. But let us go deeper.

(Remember, Obama removed Cuba in 2015 from the terror list as a means to establish the process to normalize relations)

*** Image result for north korea minerals

Few think of North Korea as being a prosperous nation. But it is rich in one regard: mineral resources.

Currently North Korea is alarming neighbors with its frequent missile tests, and the US with its attempts to field long-range nuclear missiles that can hit American cities. A sixth nuclear test could be imminent. An attack on the US or its allies would be suicidal, so Pyongyang probably aims to extract “aid” from the international community in exchange for dismantling some of its weaponry—rewind about 10 years to see the last time it pulled off the old “nuclear blackmail” trick.

AP

But however much North Korea could extract from other nations that way, the result would pale in comparison to the value of its largely untapped underground resources.

Below the nation’s mostly mountainous surface are vast mineral reserves, including iron, gold, magnesite, zinc, copper, limestone, molybdenum, graphite, and more—all told about 200 kinds of minerals. Also present are large amounts of rare earth metals, which factories in nearby countries need to make smartphones and other high-tech products.

NKNews

Estimates as to the value of the nation’s mineral resources have varied greatly over the years, made difficult by secrecy and lack of access. North Korea itself has made what are likely exaggerated claims about them. According to one estimate from a South Korean state-owned mining company, they’re worth over $6 trillion. Another from a South Korean research institute puts the amount closer to $10 trillion.

State of neglect

North Korea has prioritized its mining sector since the 1970s (pdf, p. 31). But while mining production increased until about 1990—iron ore production peaked in 1985—after that it started to decline. A count in 2012 put the number of mines in the country at about 700 (pdf, p. 2). Many, though, have been poorly run and are in a state of neglect. The nation lacks the equipment, expertise, and even basic infrastructure to properly tap into the jackpot that waits in the ground.

In April, Lloyd R. Vasey, a senior adviser at the Center for Strategic and International Studies, noted that:

North Korean mining production has decreased significantly since the early 1990s. It is likely that the average operational rate of existing mine facilities is below 30 per cent of capacity. There is a shortage of mining equipment and North Korea is unable to purchase new equipment due to its dire economic situation, the energy shortage and the age and generally poor condition of the power grid.

It doesn’t help that private mining is illegal in communist North Korea, as are private enterprises in general (at least technically). Or that the ruling regime, now led by third-generation dictator Kim Jong-un, has been known to, seemingly on a whim, kick out foreign mining companies it’s allowed in, or suddenly change the terms of agreements.

Despite all this, the nation is so blessed with underground resources that mining makes up roughly 14% of the economy.

A “cash cow”

China is the sector’s main customer. Last September, South Korea’s state-run Korea Development Institute said that the mineral trade between North Korea and China remains a “cash cow” for Pyongyang despite UN sanctions, and that it accounted for 54% (paywall) of the North’s total trade volume to China in the first half of 2016. In 2015 China imported $73 million in iron ore from North Korea, and $680,000 worth of zincin the first quarter of this year.

North Korea has been particularly active in coal mining in recent years. In 2015 China imported about $1 billion worth of coal from North Korea. Coal is especially appealing because it can be mined with relatively simple equipment. Large deposits of the stuff are located near major ports and the border with China, making the nation’s bad transportation infrastructure less of an issue.

For years Chinese buyers have purchased coal from North Korea at far below the market rate. As of last summer, coal shipments to China accounted for about 40% (paywall) of all North Korean exports. But global demand for coal is declining as alternatives like natural gas and renewables gain momentum, and earlier this year Beijing, in line with UN sanctions, began restricting coal imports from its neighbor.

The sanctions game

After North Korea conducted its first nuclear test in 2006, the UN began imposing ever stronger sanctions against it. Last year the nation’s underground resources became a focus. In November 2016, the UN passed a resolution capping North Korea’s coal exports and banning shipments of nickel, copper, zinc, and silver. That followed a resolution in March 2016 banning the export (pdf) of gold, vanadium, titanium, and rare earth metals.

The resolutions targeting the mining sector could hurt the Kim regime. Before they were issued, a 2014 report on the country’s mining sector by the United States Geological Survey noted that (pdf, p. 3), “The mining sector in North Korea is not directly subject to international economic sanctions and is, therefore, the only legal, lucrative source of investment trade available to the country.”

That is no longer the case.

Of course, Pyongyang has grown adept at evading such sanctions, especially through shipping. Glimpses of its covert activities come from occasional interceptions of vessels. Last August Egyptian authorities boarded a ship laden with 2,300 tons (2,087 metric tons) of iron ore heading from North Korea to the Suez Canal (they also found 30,000 rocket-propelled grenades below the ore).

Earlier this year a group of UN experts concluded that North Korea, despite sanctions, continues to export banned minerals. They determined, as well, that North Korea uses another mineral—gold—along with cash to “entirely circumvent the formal financial sector.”

Interested neighbors

Meanwhile China’s overall trade with North Korea actually increased 37.4% (paywall) in the first quarter compared to the same period last year. Its imports of iron ore from North Korea shot up 270% in January and February from a year ago. Coal dropped 51.6%.

North Korea’s neighbors have long had their eyes on its bonanza of mineral wealth. About five years ago China spent some $10 billion on an infrastructure project near the border with North Korea, primarily to give it easier access to the mineral resources. Conveniently North Korea’s largest iron ore deposits, in Musan County, are right by the border. An analysis of satellite images published last October by 38 North, a website affiliated with Johns Hopkins University, showed mining activity was alive and well in the area.

China particularly covets North Korea’s rare earth minerals. Pyongyang knows this. It punished Beijing in March by suspending exports of the metals to China in retaliation for the coal trade restrictions.

Meanwhile Russia, which also shares a (smaller) border with North Korea, in 2014 developed plans to overhaul North Korea’s rail network in exchange for access to the country’s mineral resources. That particular plan lost steam (pdf, p. 8), but the general sentiment is still alive.

But South Korea has its own plans for the mineral resources. It sees them as a way to help pay for reunification (should it finally come to pass), which is expected to take decades and cost hundreds of billions or even trillions of dollars. (Germany knows a few things about that.) Overhauling the North’s decrepit infrastructure, including the aging railway line, will be part of the enormous bill.

In May, South Korea’s Ministry of Land, Infrastructure and Transport invited companies to submit bids on possible infrastructure projects in North Korea, especially ones regarding the mining sector. It argued that (paywall) the underground resources could “cover the expense of repairing the North’s poor infrastructure.”

It was, of course, jumping the gun a bit. For now South Korea—and the world—is stuck with a bully in the mineral-blessed North.

***

China is undergoing a major military build up around the world and has even included collaboration with Pakistan.

The new assessment focuses instead on the buildup on Spratly Islands, noting that previous year the Mischief, Subi and Fiery Cross Reefs, three of the largest outposts, saw the construction of 24 administration buildings, barracks, fixed weapons positions, communication facilities and fighter-sized hangars by China, each of them with runways 8,800 feet long.

While the report notes that China has not undertaken any new land reclamation projects on disputed features in the South China Sea during 2016, it did accuse China of further militarizing the contested Spratly Islands via the construction of 24 hangars capable of housing fighter aircraft, fixed weapons positions, barracks and communication facilities.

Beijing has opposed the deployment of a U.S. missile shield in South Korea to defend against attacks from North Korea, in part because it says it could be used to counter China’s capabilities.

Meanwhile Pakistan itself has not made any comments about this statement.

Published Tuesday, the Pentagon report estimated that China spent US$180 billion previous year on its military – the world’s largest – a figure well over the country’s official US$140 billion defence budget.

The report made “irresponsible remarks on China’s national defense development and reasonable actions in defending our territorial sovereignty and security interests in disregard of the facts“, foreign ministry spokeswoman Hua Chunying told reporters yesterday.

“China likely will seek to establish additional military bases in countries with which it has longstanding, friendly relationships“, the report predicts.

China has cited anti-piracy patrolling as one of the reasons for developing what it calls a naval logistics center in Djibouti.

“China’s expanding global economic interests are increasing demands for the [Chinese Navy] to operate in more distant maritime environments to protect Chinese citizens, investments, and critical sea lines of communication”, the report reads.

The defence ministry in a statement refuted the U.S. assessment, saying “China is not doing any military expansion and does not seek a sphere of influence”. Pakistan has also emerged as the biggest market for Chinese arms exports, a focus area in Beijing’s expansion plans, the report titled “Military and Security Developments Involving the People’s Republic of China 2017″, said. He harshly criticized China’s construction in the South China Sea and became the first member of President Donald Trump’s cabinet to lay out a comprehensive strategy on Asia. That region accounted for almost half of China’s over $20 billion in arms exports from 2011 to 2015.

Countries including Pakistan and Afghanistan welcome it as a path out of poverty. “To support this modernisation, China uses a variety of methods to acquire foreign military and dual-use technologies, including cyber theft, targeted foreign direct investment and exploitation of the access of private Chinese nationals to such technologies”, the report said.

Regarding the Senkaku Islands, a group of East China Sea islets controlled by Japan but claimed by the mainland and Taiwan, the Pentagon said that previous year Beijing continued to use law-enforcement ships and aircraft to “patrol” near the islands in an attempt to undermine Japan’s administration of them.

China has also always been a strong military, economic, and diplomatic supporter of Pakistan and is considered Islamabad’s largest trade and defense partner.

Oh, Another Incident of Chinese Industrial Espionage

Posted on May 23, 2017May 23, 2017 by Denise Simon

There is no denying Russia is using cyber warfare against the West. Little is ever mentioned about China’s industrial espionage, something this site attempts to publish as often as possible. Further, the owner of this site participated in two key hearings today in Congress, one with former CIA Director John Brennan and the other included ODNI Dan Coats and DIA Director General Stewart.

Clearly both hearings revealed just how pervasive and common cyber warfare is at the hands of China and Russia. Here is just another example.

China’s theft of IBM’s intellectual property

A former employee of IBM pleaded guilty to theft of source code on behalf of China

Image result for Xu Jiaqiang ibm And you think the FBI has easy work? Further, we are trusting China to deal with North Korea’s nuclear program and missile systems aimed against Western interests.

CSO: China continues to view the theft of intellectual property as a viable means of technology transfer. Global private sector entities are finding their insiders are being used by China to purloin the proprietary information for use by Chinese state-owned-enterprises or national entities with ever increasing regularity.

On 19 May 2017, Xu Jiaqiang, a PRC national, pleaded guilty to economic espionage and trade secret theft. Xu stole source code from his employer, IBM, and attempted to share it with the National Health and Family Planning Commission in the PRC. According to the Department of Justice, Xu pleaded guilty to all six of the counts included in his indictment.

A review of Xu’s Linked-In profile shows only his employment with IBM from November 2010 through July 2014 (date is different from that which is contained in the indictment) as a “General Parallel File System Developer at IBM”

Xu was a trusted insider within IBM. According to the DOJ advisory, which contained content from both the criminal complaint and superseding indictment, Xu worked for IBM from 2010-14, with unencumbered access to the “proprietary source code.” DOJ advises, Xu voluntarily resigned from IBM in May 2014.

In late 2014, the Federal Bureau of Investigation (FBI) was informed (source unidentified) that Xu claimed to have access (unauthorized) to the source code and was using the source code in various business ventures. Undercover law enforcement officers subsequently contacted Xu to affirm Xu’s possession of the source code

The criminal complaint describes undercover officers posing as investors engaged in a multi-month email exchanges with Xu which culminated in his sharing portions of the source code as bonafides of his knowledge of “operating systems and parallel file systems.” At that time, the victim company, IBM, identified the shared code as identical to their proprietary source code.

In late-2015, Xu had a face-to-face meeting with undercover law enforcement officers. At the meeting, Xu noted the code was his former employer’ s(IBM) code. Xu also confirmed to his interlocutors how he had purloined the code prior to his May 2014 employment separation and had made modification so as to obscure the point of origin, IBM.

In June 2016, Xu was indicted and charged with three counts of economic espionage, one count each of theft of trade secrets, possession of trade secrets, and distribution of trade secrets. He will be sentenced in October 2017.

Though IBM has declined comment to media regarding this theft of their intellectual property, reading between the lines, it would appear IBM had deduced (correctly) that Xu absconded with a copy of their GPFS proprietary source code, and was attempting to use it commercially. They then brought the theft to the attention of the FBI.

Illicit technology transfer

China has not slowed down in their acquisition of technology utilizing the access afforded to trusted insiders. The US Director of National Intelligence made it clear in his May 2017 presentation to the Senate Select Committee on Intelligence on the worldwide threat to the United States as to the threat posed by China.

In April 2017, we saw the arrest of a Dutch employee of Siemens, working within the energy arm of Siemens, charged with stealing the intellectual property of his employer and attempting to share it with China.

From the FBI perspective, this was the perfect economic espionage case. Theft of proprietary information for provision to a foreign government. The theft was from a company with an insider threat program in place and who was cooperative (providing technical expertise during the investigation), and of sufficient size to withstand any blow-back from China which may occur.

There is no need to be xenophobic. Multinational companies employee individuals from a great variety of nationalities. The reality is, few employees break trust with their employer.

That said, having your paper trail on agreements which safeguard intellectual property is mandatory. As is a review of all activities of all departing employees for break from pattern, be it a voluntary separation or for cause. If a deeper dive into the employees activities is warranted, make sure to look for any sudden increase in 403 errors – or similar (caused by attempts to access unauthorized data). Verify the complete inventory of all storage devices which the employee may have accessed, and have each returned and or data on the devices destroyed, and review email and uploads for any inappropriate usage.

Remember, though it is the FBI and DOJ success which brought Xu to our collective attention, it was not the FBI who initially discovered Xu’s intellectual property theft. The FBI pursued the lead brought to them by an unidentified third party (presumably IBM).

You are your company’s first line of defense in the protection of intellectual property, not the FBI.

2010: Remember When Obama Pulled U.S. Spies From China

Posted on May 22, 2017May 22, 2017 by Denise Simon

Of course you don’t, one had to be quite the investigator of journalism to know it much less remember it.

So….why you ask? Hold on….there is a pattern and story here.

Image result for u.s. spies in china Image result for trump with jinping

2010: The White House National Security Council recently directed U.S. spy agencies to lower the priority placed on intelligence collection for China, amid opposition to the policy change from senior intelligence leaders who feared it would hamper efforts to obtain secrets about Beijing’s military and its cyber-attacks.

The downgrading of intelligence gathering on China was challenged by Director of National Intelligence Dennis C. Blair and CIA Director Leon E. Panetta after it was first proposed in interagency memorandums in October, current and former intelligence officials said.

The decision downgrades China from “Priority 1” status, alongside Iran and North Korea, to “Priority 2,” which covers specific events such as the humanitarian crisis after the Haitian earthquake or tensions between India and Pakistan.

The National Security Council staff, in response, pressed ahead with the change and sought to assure Mr. Blair and other intelligence chiefs that the change would not affect the allocation of resources for spying on China or the urgency of focusing on Chinese spying targets, the officials told The Washington Times.

White House National Security Council officials declined to comment on the intelligence issue. Mike Birmingham, a spokesman for Mr. Blair, declined to comment. A CIA spokesman also declined to comment.

*** Image result for u.s. spies in china Cyberwarzone

Directors of CIA in that time frame:

Leon Panetta 2010

Mike Morrell (acting) 2011

David Petraeus 2011

Mike Morrell (acting) 2012

John Brennan 2013

Mike Pompeo, current director

***

Killing C.I.A. Informants, China Crippled U.S. Spying Operations

NYT/WASHINGTON — The Chinese government systematically dismantled C.I.A. spying operations in the country starting in 2010, killing or imprisoning more than a dozen sources over two years and crippling intelligence gathering there for years afterward.

Current and former American officials described the intelligence breach as one of the worst in decades. It set off a scramble in Washington’s intelligence and law enforcement agencies to contain the fallout, but investigators were bitterly divided over the cause. Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.

But there was no disagreement about the damage. From the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the C.I.A.’s sources. According to three of the officials, one was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.

Still others were put in jail. All told, the Chinese killed or imprisoned 18 to 20 of the C.I.A.’s sources in China, according to two former senior American officials, effectively unraveling a network that had taken years to build.

Assessing the fallout from an exposed spy operation can be difficult, but the episode was considered particularly damaging. The number of American assets lost in China, officials said, rivaled those lost in the Soviet Union and Russia during the betrayals of both Aldrich Ames and Robert Hanssen, formerly of the C.I.A. and the F.B.I., who divulged intelligence operations to Moscow for years.

The previously unreported episode shows how successful the Chinese were in disrupting American spying efforts and stealing secrets years before a well-publicized breach in 2015 gave Beijing access to thousands of government personnel records, including intelligence contractors. The C.I.A. considers spying in China one of its top priorities, but the country’s extensive security apparatus makes it exceptionally hard for Western spy services to develop sources there.

At a time when the C.I.A. is trying to figure out how some of its most sensitive documents were leaked onto the internet two months ago by WikiLeaks, and the F.B.I. investigates possible ties between President Trump’s campaign and Russia, the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services like those in Russia and China.

The C.I.A. and the F.B.I. both declined to comment.

Details about the investigation have been tightly held. Ten current and former American officials described the investigation on the condition of anonymity because they did not want to be identified discussing the information.

Investigators still disagree how it happened, but the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services. Credit Carolyn Kaster/Associated Press..Photo by: Carolyn Kaster/Associated Press..

The first signs of trouble emerged in 2010. At the time, the quality of the C.I.A.’s information about the inner workings of the Chinese government was the best it had been for years, the result of recruiting sources deep inside the bureaucracy in Beijing, four former officials said. Some were Chinese nationals who the C.I.A. believed had become disillusioned with the Chinese government’s corruption.

But by the end of the year, the flow of information began to dry up. By early 2011, senior agency officers realized they had a problem: Assets in China, one of their most precious resources, were disappearing.

The F.B.I. and the C.I.A. opened a joint investigation run by top counterintelligence officials at both agencies. Working out of a secret office in Northern Virginia, they began analyzing every operation being run in Beijing. One former senior American official said the investigation had been code-named Honey Badger.

As more and more sources vanished, the operation took on increased urgency. Nearly every employee at the American Embassy was scrutinized, no matter how high ranking. Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets. Others suspected a traitor in the C.I.A., a theory that agency officials were at first reluctant to embrace — and that some in both agencies still do not believe.

Their debates were punctuated with macabre phone calls — “We lost another one” — and urgent questions from the Obama administration wondering why intelligence about the Chinese had slowed.

The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.

There was good reason to suspect an insider, some former officials say. Around that time, Chinese spies compromised National Security Agency surveillance in Taiwan — an island Beijing claims is part of China — by infiltrating Taiwanese intelligence, an American partner, according to two former officials. And the C.I.A. had discovered Chinese operatives in the agency’s hiring pipeline, according to officials and court documents.

But the C.I.A.’s top spy hunter, Mark Kelton, resisted the mole theory, at least initially, former officials say. Mr. Kelton had been close friends with Brian J. Kelley, a C.I.A. officer who in the 1990s was wrongly suspected by the F.B.I. of being a Russian spy. The real traitor, it turned out, was Mr. Hanssen. Mr. Kelton often mentioned Mr. Kelley’s mistreatment in meetings during the China episode, former colleagues say, and said he would not accuse someone without ironclad evidence.

Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.

Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.

This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said. Some in the agency, particularly those who had helped build the spy network, resisted this theory and believed they had been caught in the middle of a turf war within the C.I.A.

Still, the Chinese picked off more and more of the agency’s spies, continuing through 2011 and into 2012. As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.

After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.

Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.

The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.

By 2013, the F.B.I. and the C.I.A. concluded that China’s success in identifying C.I.A. agents had been blunted — it is not clear how — but the damage had been done.

The C.I.A. has tried to rebuild its network of spies in China, officials said, an expensive and time-consuming effort led at one time by the former chief of the East Asia Division. A former intelligence official said the former chief was particularly bitter because he had worked with the suspected mole and recruited some of the spies in China who were ultimately executed.

China has been particularly aggressive in its espionage in recent years, beyond the breach of the Office of Personnel Management records in 2015, American officials said. Last year, an F.B.I. employee pleaded guilty to acting as a Chinese agent for years, passing sensitive technology information to Beijing in exchange for cash, lavish hotel rooms during foreign travel and prostitutes.

In March, prosecutors announced the arrest of a longtime State Department employee, Candace Marie Claiborne, accused of lying to investigators about her contacts with Chinese officials. According to the criminal complaint against Ms. Claiborne, who pleaded not guilty, Chinese agents wired cash into her bank account and showered her with gifts that included an iPhone, a laptop and tuition at a Chinese fashion school. In addition, according to the complaint, she received a fully furnished apartment and a stipend.

*** Just to be sure China had a real handle on all CIA operatives in country, what came next? The OPM hack, remember that one?

Enter China’s Unit 61398

The program used by China:

In part from Wired: The US-CERT team moved into OPM’s sub-basement and among the first moves was to analyze the malware that Saulsbury had found attached to mcutil.dll. The program turned out to be one they knew well: a variant of PlugX, a remote-access tool commonly deployed by Chinese-speaking hacking units. The tool has also shown up on computers used by foes of China’s government, including activists in Hong Kong and Tibet. The malware’s code is always slightly tweaked between attacks so firewalls can’t recognize it.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log in to all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

Leaping forward in details:

Once established on the agency’s network, they used trial and error to find the credentials necessary to seed the jumpbox with their PlugX variant. Then, during the long Fourth of July weekend in 2014, when staffing was sure to be light, the hackers began to run a series of commands meant to prepare data for exfiltration. Bundles of records were copied, moved onto drives from which they could be snatched, and chopped up into .zip or .rar files to avoid causing suspicious traffic spikes. The records that the attackers targeted were some of the most sensitive imaginable.

The hackers had first pillaged a massive trove of background-check data. As part of its human resources mission, OPM processes over 2 million background investigations per year, involving everyone from contractors to federal judges. OPM’s digital archives contain roughly 18 million copies of Standard Form 86, a 127-page questionnaire for federal security clearance that includes probing questions about an applicant’s personal finances, past substance abuse, and psychiatric care. The agency also warehouses the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.

The hackers next delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.

Then comes, a little too late and thin on substance in February 2015:

President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection

Is all this fix yet? Hah…not even close. Then we need to ask why are we trusting China with North Korea’s nuclear weapons and missile program? Do we have spies in Iran? North Korea? Any new operatives in China?

Scary eh?

North Korea and Friends, Cyber War, Nerve Gas and WMD

Posted on May 15, 2017May 15, 2017 by Denise Simon

Hey, look over there –>

WikiLeaks Reveals ‘AfterMidnight’ & ‘Assassin’ CIA Windows Malware Frameworks

When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform. Dubbed “AfterMidnight” and “Assassin,” both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows operating system and execute malicious actions specified by the CIA. Since March, WikiLeaks has published hundreds of thousands of documents and secret hacking tools that the group claims came from the US Central Intelligence Agency (CIA). This latest batch is the 8th release in the whistleblowing organization’s ‘Vault 7’ series.

‘AfterMidnight’ Malware Framework

According to a statement from WikiLeaks, ‘AfterMidnight’ allows its operators to dynamically load and execute malicious payload on a target system. The main controller of the malicious payload, disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes “Gremlins” – small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins. Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called “Octopus” to check for any schedu led events. If found one, the malware framework downloads and stores all required components before loading all new gremlins in the memory. According to a user guide provided in the latest leak, local storage related to AfterMidnight is encrypted with a key which is not stored on the target machine. A special payload, called “AlphaGremlin,” contains a custom script language which even allows operators to schedule custom tasks to be executed on the targeted system. More detail here.

Meanwhile….

North Korean hacking group is thought to be behind cyber attack which wreaked havoc across the globe

Technical clues suggest North Korean hacking group is behind cyber attack

Ransomware left the NHS crippled with operations cancelled over the weekend

The virus is now thought to have been released by the Lazarus Group

It has already been blamed for a string of hacks dating back to at least 2009

It includes the 2014 attack on Sony that left its network offline for weeks

Okay maybe….while other IT cyber professionals point to Russian thug hackers….

Rex Tillerson last month spoke about a quasi red line with North Korea….when is enough, enough? Well his answer was, ‘we will know it when we see it’.

Nonetheless, what more needs to be known about North Korea that the media is not reporting? Plenty…..

‘Unrestricted Warfare’ (超限战, literally “warfare beyond bounds”) is a book on military strategy written in 1999 by two colonels in the People’s Liberation Army, Qiao Liang (乔良) and Wang Xiangsui (王湘穗). Its primary concern is how a nation such as China can defeat a technologically superior opponent (such as the United States) through a variety of means. Rather than focusing on direct military confrontation, this book instead examines a variety of other means. Such means include using International Law (see Lawfare) and a variety of economic means to place one’s opponent in a bad position and circumvent the need for direct military action.[1] Go here for more information.

This already tells us and the Pentagon, to not trust China….right? So how can we place trust and the burden of dealing with North Korea on Beijing? We cant.

The RGB is the KGB….

The RGB is the North Korean Reconnaissance General Bureau….much like that of the KGB, now in Russia known as the FSB.

In 2015, North Korea spies infiltrated the United Nations agencies including the World Food Program which is a major supplier of food aid to North Korea. Somehow, the Obama White House and other government agencies neglected to take real action on that or even earnestly report it. Prior to that little event, in 2010, the U.S. Treasury via and Obama Executive Order targeted North Korea for proliferation and other illicit activities including arms trafficking, money laundering and smuggling narcotics.

Barack Obama, simply annexed a GW Bush Executive Order adding a few new items noted below:

President Obama also identified the following entities and individual for sanctions by listing them on the Annex to the Order:

·   The Reconnaissance General Bureau (RGB), North Korea’s premiere intelligence organization involved in North Korea’s conventional arms trade;

·       RGB commander Lieutenant General Kim Yong Chol;

·   Green Pine Associated Corporation, a North Korean conventional arms dealer subordinated to the control of the RGB; and

·   Office 39 of the Korean Workers’ Party, which provides critical support to North Korean leadership in part through engaging in illicit economic activities and managing the leadership’s slush funds.

The U.S. government has longstanding concerns regarding North Korea’s involvement in a range of illicit activities conducted through government agencies and associated front companies. North Korea’s nuclear and missile proliferation activity and other illicit conduct violate UN Security Council Resolutions 1718 and 1874, and these activities and their other illicit conduct violate international norms and destabilize the Korean Peninsula and the entire region. In signing this Order, President Obama has frozen the property and interests in property of the three entities and one individual listed on the Annex. This Order provides the United States with new tools to disrupt illicit economic activity conducted by North Korea.

As a matter of note, in recent days, Russia has stepped in to offer some diplomatic assistance dealing with North Korea as it appears China is dragging the diplomatic and political anchor dealing with the DPRK. Ah Russia again right? The in depth study is here on North Korea, It includes, history, terror attacks, cyber attacks, assassination attempts, raids and details on unrestricted warfare.

Just for some context, Russia and China have been aiding North Korea for decades…..but has the media done their work to expose this or the State Department? Nope…

Image result for north korea general o kuk ryol Courtesy

You see, General O Kuk ryol and Kim Jong Un both manage Unit 121. Unit 121, is part of the RGB and did the Sony hack, remember that? Well General O, is a graduate of the Mangyongdae Revolutionary School and the Kim Il sung University….but most importantly, he graduated also from Frunze Military Academy in 1962….where is that? Ah….Moscow, and at the time, it was the Soviet Union.

Frunze Military Academy in Devichie pole, Moscow

Strategy: Integrate their cyber forces into an overall battle strategy as part of a combined arms campaign. Additionally they wish to use cyber weapons as a limited non-war time method to project their power and influence.

Experience: Hacked into the South Korea and caused substantial damage; hacked into the U.S. Defense Department Systems. More here.

Meanwhile, we also have the Korea Computer Center…there are 9 production facilities and 11 regional centers. However, the KCC also has offices in China, Germany and Syria..further it should be noted that an estimated 10,000 North Korean IT developers operate in China, where it is common that $500.00 of their monthly salary goes back to the North Korean state.

So, we have Syria, Russia, China all colluding with North Korea….Iran is as well but the United Nations too? Yup…

FNC: For more than a year, a United Nations agency in Geneva has been helping North Korea prepare an international patent application for production of sodium cyanide — a chemical used to make the nerve gas Tabun — which has been on a list of materials banned from shipment to that country by the U.N. Security Council since 2006.

The World Intellectual Property Organization, or WIPO, has made no mention of the application to the Security Council committee monitoring North Korea sanctions, nor to the U.N. Panel of Experts that reports sanctions violations to the committee, even while concerns about North Korean weapons of mass destruction, and the willingness to use them, have been on a steep upward spiral.

Fox News told both U.N. bodies of the patent application for the first time late last week, after examining the application file on a publicly available WIPO internal website.

Information on the website indicates that North Korea started the international patent process on Nov. 1, 2015 — about two months before its fourth illegal nuclear test. The most recent document on the website is a “status report,” dated May 14, 2017 (and replacing a previous status report of May 8), declaring the North Korean applicants’ fitness “to apply for and be granted a patent.”

CLICK HERE FOR THE STATUS REPORT

During all that time, however, the U.N.’s Panel of Experts on North Korea “has no record of any communication from WIPO to the Committee or the Panel regarding such a serious patent application,” said Hugh Griffiths, coordinator of the international U.N. expert team, in response to a Fox News question.

The Panel of Experts has now officially “opened an investigation into this matter,” he said.

“This is a disturbing development that should be of great concern to the U.S. administration and to Congress, as well as the U.S. Representative to the U.N.,” William Newcomb, a member of the U.N. Panel of Experts for nearly three years ending in 2014, told Fox News.

Said an expert familiar with the sanctions regime: “It undermines sanctions to have this going on. The U.N. agencies involved should have been much more alert to checking these programs out.”

Questions sent last week to the U.S. State Department about WIPO’s patent dealings with North Korea had not been answered before this story was published.

For its part, a WIPO spokesperson told Fox News by email, in response to the question of whether it had reported the patent application to the U.N. sanctions committee, only that the organization “has strict procedures in place to ensure that it fully complies with all requirements in relation to U.N. Security Council sanction regimes.”

The spokesperson added that “we communicate with the relevant U.N. oversight committees as necessary.”

But apparently, help with preparing international patent applications for a sanctioned nerve gas “chemical precursor” does not necessarily count as grounds for such communication, if the Panel of Experts records are correct.

This is by no means the first time that WIPO, led by its controversial director general, Francis Gurry, has flabbergasted other parts of the U.N. and most Western nations with its casual and undeclared assistance, with potential WMD implications, to the bellicose and unstable North Korean regime.

And, as before, how the action is judged may depend upon razor-thin, legalistic interpretations of U.N. sanctions law on the one side vs. staggering violations of, at a minimum, common sense in dealing with the unstable North Korean regime, which among other things has never signed the international convention banning the development, production, stockpiling and use of chemical weapons.

While the patent process went on at WIPO, that regime has conducted five illegal nuclear tests — two in the past year, while the patent process was under way — and at least ten illegal ballistic missile launches since 2016, while issuing countless threats of mass destruction against its neighbors and the U.S.

In 2012, Fox News reported that WIPO had shipped U.S.-made computers and sophisticated computer servers to North Korea, and also to Iran, without informing sanctions committee officials.

The shipments were ostensibly part of a routine technology upgrade. Neither country could obtain the equipment on the open market, and much of it would have required special export licenses if shipped from the U.S.

The report kicked off an uproar, but after a lengthy investigation, the U.N. sanctions committee decided that the world organization’s porous restrictions had not been violated, while also noting WIPO’s defense that as an international organization, it was not subject to the rules aimed at its own member states.

Nonetheless, the investigators declared that “we simply cannot fathom how WIPO could have convinced itself that most Member States would support the delivery of equipment to countries whose behavior was so egregious it forced the international community to impose embargoes.”

The investigators also declared that “WIPO, as a U.N. agency, shares the obligation to support the work of other U.N. bodies, including the Sanctions Committees,” and that in response to the furor, WIPO had “implemented new requirements to check on sanctions compliance in advance of program implementation.”

There is no doubt about the banned nature of sodium cyanide — which can also be used to produce deadly cyanide gas, another weapon of mass destruction.

The chemical appears on a Security Council list of “items, materials, equipment, goods and technology” related to North Korea’s “other weapons of mass destruction programs” beyond nuclear weapons, which first appeared after U.N. Security Council resolution 1718 was approved in 2006.

CLICK HERE FOR THE LIST

That resolution, voted after North Korea conducted its first nuclear test, ordained that member states “prevent the direct or indirect supply, sale or transfer” to the regime known as the Democratic People’s Republic of Korea, or DPRK, of the listed items “which could contribute to DPRK’s nuclear-related, ballistic missile-related or other weapons of mass destruction-related programs.”

It also declared that “all member states shall prevent any transfers to the DPRK by their nationals or from their territories, or from the DPRK by its nationals or from its territory, of technical training, advice, services or assistance related to the provision, manufacture, maintenance or use of the items” listed.

Additionally, it demanded a freeze by U.N. member states or all “funds, other financial assets and economic resources” that could be used in the mass destruction-related programs.

CLICK HERE FOR RESOLUTION 1718

A subsequent Security Council resolution, 2270, in 2016 broadened things by declaring that “economic resources” referred to in Resolution 1718 “includes assets of every kind, whether tangible or intangible, movable or immovable, accrual or potential, which potentially may be used to obtain funds, goods or services” by DPRK.

This may open up another controversial aspect of the cyanide patent application, since, along with its mass-destructive uses, the chemical is considered the most common agent in the extraction of gold from ores and concentrates.

Further, according to the North Korean application to WIPO, the new process it wants to make ready for international patenting is a lower-cost process that produces ultra-high-grade product.

CLICK HERE FOR THE PROCESS APPLICATION DESCRIPTION

In WIPO’s response to Fox News, the agency’s spokesperson emphasized that “WIPO is not a patent-granting authority. Its role in handling these applications is to ensure that they conform to the procedural requirements” of the 152-member Patent Cooperation Treaty, or PCT, “and to publish them in accordance with the provisions of the treaty.” North Korea is a PCT signatory.

Translation: WIPO is merely a neutral, technical pass-through mechanism. As the spokesperson put it: “The decisions concerning whether or not to ultimately grant the patent are the sole purview of each jurisdiction where protection is being sought, in accordance with national law.”

While that may be true, it is also true, according to the WIPO website, that the U.N. agency gives those who use its services a lot of financially meaningful help.

That starts with the fact that by filing an international filing application with the agency, you have to pay only one fee rather than more than 150 to get an application acceptable in all PCT countries (which include the U.S. as one of the treaty’s biggest users).

WIPO also provides one-stop research on whether a patent overlaps with those elsewhere, and offers the possibility of widespread dissemination and publicity — i.e., stimulating demand, and thus at least the potential for sanctions-breaking in any subsequent licensing the North Korean patent.

Igniting controversy has been a characteristic of Director General Gurry’s reign — indeed, even before he first took WIPO’s top executive office in 2008.

In 2015, the U.N.’s watchdog Office of Internal Oversight Services (OIOS) was asked by WIPO’s own General Assembly chair to investigate Gurry for allegedly ordering, in 2008, break-ins of the offices of staffers to seek DNA evidence that they wrote anonymous letters against him. Gurry was WIPO’s No. 2 at the time.

A year later, after much byzantine maneuvering, a heavily redacted version of the report declared that “while there were indications that Mr. Gurry had a direct interest in the outcome of the DNA analysis, there is no evidence that he was involved in the taking of DNA samples.”

But the same document also found that Gurry had bent the organization’s rules and steered a sensitive cyber-security contract to a business acquaintance, , something alleged by one of Gurry’s former top deputies, James Pooley.

Under Gurry, WIPO also has been the only U.N. agency ever sanctioned by the U.S. State Department, on the grounds that it failed to adopt “best practices” in ethics and whistle-blower standards — a punishment first meted out by the pro-U.N. Obama administration in September 2015.

Among the whistle-blowers who say they were forced to leave WIPO during Gurry’s tenure for drawing attention to the agency’s previous computer shipments to North Korea is Miranda Brown, formerly Gurry’s senior strategic advisor.

Brown has repeatedly asked for her reinstatement at the WIPO, and just as often has been turned down by Gurry’s office.