Any Strategy for Russian Military Bases in Ukraine?

Per a joint statement from Senators McCain and Rand Paul: “Russia’s use of force in Ukraine is unfolding in clear violation of Russia’s own commitments to respect Ukraine’s sovereignty and territorial integrity, including under the 1994 Budapest Memorandum. None of us should be under any illusion about what President Putin is capable of doing in Ukraine, especially now that he has requested, and the Russian Duma has approved, the deployment of Russian troops, not just in Crimea but in the country of Ukraine.”

In June of 2015, Secretary of Defense Ash Carter spoke about Ukraine not standing alone.

From the Guardian in part:

America’s new military strategy singles out states like China and Russia as aggressive and threatening to US security interests, while warning of growing technological challenges and worsening global stability.

A somber report released Wednesday by General Martin Dempsey, the chairman of the Joint Chiefs of Staff, warns of a “low but growing” probability of the US fighting a war with a major power, with “immense” consequences.

Russia has “repeatedly demonstrated that it does not respect the sovereignty of its neighbors and it is willing to use force to achieve its goals”, the 2015 National Military Strategy says.

“Russia’s military actions are undermining regional security directly and through proxy forces.”

It points to Russian troop presence in the Ukraine conflict, though Moscow denies it has deployed its military in eastern Ukraine to bolster a separatist insurgency.

06.30.2015

By Pierre Vaux

Aerial footage finds smoking-gun evidence of Russian army involvement in the conflict. More war is inevitable.
Dnipro-1, one of Ukraine’s many pro-government volunteer regiments, today released a video compiling drone footage of a Russian military camp just south of the village of Sontsevo in the Donetsk region.

Two drone flights were made over the same area, two weeks apart. Over that time, the camp grew from a small collection of tents and engineering vehicles into a fully-fledged forward operating base (FOB), complete with tanks, communications equipment, personnel quarters and even new roads.

What makes this already impressive discovery even more startling is the location—less than 12 kilometers from the Ukrainian front-line settlements of Granitnoye and Novolaspa. This area, to the east of Volnovakha and the Donetsk-Mariupol highway, has seen a slow but steady intensification of violence over recent months, as well as a buildup of Russian troops and armor in separatist-held territory behind the front lines.

What’s significant about where this Russian FOB is located is that it’s sandwiched between Ukrainian-held Volnovakha and separatist-held Telmanovo, and would therefore play a lead role in any forthcoming Russian offensive on Mariupol, the port city on the Sea of Azov which also happens to be the economic powerhouse in the Donetsk region. The separatists have nothing comparable to Mariupol in their possession and they want it, as Alexander Zakharchenko, the head of the so-called Donetsk People’s Republic, has stated repeatedly to journalists. Reinforcements from this FOB would allow separatists to mount a pincer maneuver to cut Ukrainian forces in Mariupol off from support from the north. I outlined such a plan at the beginning of this year and the evidence is now mounting that the Russians are indeed preparing for such a move.

Earlier this month, the Organization for Security and Co-operation in Europe reported spotting large quantities of armor and troops in Komsomolskoye and Razdolnoye, which respectively lie 15 and 10 kilometers from the base found by Dnipro-1.

On June 17 our team at The Interpreter reported on evidence culled from social media that proved the presence of a training camp in Razdolnoye, equipped with tanks, infantry fighting vehicles, and Grad rocket launchers.

But today’s video shows something much greater in scale.

When Dnipro-1 first flew over the area on May 20, they filmed around 70 troops, several trucks and engineering vehicles and construction equipment. At least two T-72 tanks and a communications vehicle can also be seen.

Only 15 days later, on June 4, the regiment carried out another drone flight. Russian military engineers had moved fast, constructing a large base, complete with new roads, a parade square, and trenches covering an area of around a hectare. The roads are even lined with reflective markers.

We can now see at least nine T-72 tanks, one of which is equipped with mine-clearing gear, and several fuel bowsers, some of which are parked in protective dugouts. At least one communications vehicle and an anti-tank gun can also be seen. Tents for accommodation, meetings, and cooking are laid out across the camp. Structures have been erected to mask some of the tanks from being seen from ground level and the whole complex is sheltered by woods.

This is quite clearly a base intended for a large-scale future deployment, one that could be instrumental in an assault to the west toward Volnovakha.

Just this morning, the Ukrainian military reported that Russian-backed forces had shelled Granitnoye and Starognatovka, two of the nearest frontline towns to Sontsevo. This has been a regular occurrence, despite the “ceasefire” signed between both parties in Minsk last February, mere hours before the fall of Debaltsevo to the separatists. But June has seen an increase in the number of attacks and, the military command in Mariupol said today, the range.

For the first time since the second Minsk talks, the past month has heralded renewed attacks on Ukrainian positions on the Donetsk-Mariupol highway itself. Last night, the Ukrainians report, the frontline town of Novotroitskoye, just north of Volnovakha, was shelled.

It is in this context that the repeated assaults on Marinka, a southwestern suburb of Donetsk, should be evaluated. Pushing the Ukrainians back from the area southwest of Donetsk and off the highway would allow the Russians to isolate and pin down the defenders of Mariupol from the north, while their forces continue to press through Shirokino on the Azov coast.

The rapid development of this base suggests the time for such an attack may be drawing nearer.

Obama, the Conductor of Chaos

Barack Obama holds the baton to an anti-American orchestra of tuned, tested, rehearsed instruments. The production is mismanaged, sour to the ears and causes people to leave the arena when the verses are not American and in cadence with allies. The entire governmental score is tyrannical and abusive.

His performance, however, is well driven by inside Marxist, communist and socialist operators who themselves have tuned, tested and rehearsed instruments so that it is in harmony with enemies of America. How about Hugo Chavez, Mohammed Morsi or the Taliban? Then there is Iran.

Three branches of government have been reduced to one, where Conductor Obama has ruled with a pen and a phone and otherwise political extortion. Up to the point where Senate majority leader Harry Reid lost his leadership post, he functionally stopped and paralyzed the people’s work in Congress to protect Barack Obama.

All the while, Maestro Obama was working his intonations on the Supreme Court with his choice picks of Elena Kagan and Sonia Sotomayor, swinging the black robe influence to a more left octave. The court is broken when one sees the real dissension between the justices when not on the bench.

Obama has led an opus where the very social and civil structure in America has been thrown into turmoil. Border Patrol has no clue how to enforce immigration laws; they abide by DHS memos written by Secretary Jeh Johnson. Historical flags and icons are to be removed and gender-designated bathrooms are now without any designation.

The fundamental security of government personnel and documents of several agencies has been compromised by an epic cyber intrusion, and that finale is far from over, as the damage will be ongoing for years.

The very personal concern of having access to healthcare has reached a crisis pitch such that insurance deductibles are financially bending and having a doctor’s appointment is a future dream. Nothing is more demonstrative of this condition than the Veterans Administration, where there is a slow death waltz.

Barack Obama performed a medley of government fraud and extortion using the IRS, the EPA, the DoJ, ATF, Education, HUD and HHS to name a few.

Off our shores, conditions are much worse. Barack Obama has modulated a score of retreat while his measure of sympathy to Islam is pure nocturne. His administration led off early in 2009 with the Cairo speech, whose ligature plays out today throughout the Muslim world. The retreat from Iraq and his shallow threat of a ‘red line’ have proven deadly in the whole region, a modern-day holocaust. And most sadly of all was allowing 4 Americans to perish in Libya with no hope of security, support or rescue.

The most grave of the Obama coda is the terror and dying of Christians.

The building crescendo of Obama will be the nuclear agreement with Iran where Israel, Saudi Arabia, Europe and America as the great Satan will be his encore.

The stretto of the Obama symphony is defined here in an excellent summary by Stephen Hayes of The Weekly Standard.

There are several months left for the conductor of chaos to work his baton and that tremolo is clearly upon us and the world.


Cyber Security on the Skids, Blinking RED

Recorded Future is a real time open source intelligence collection company that determines trends and predictions of emerging threats.

Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains.

As of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication. The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.

The damage has yet to be fully realized and cannot be overstated. Where is the White House? Where are the protections? Where is a policy? Major alarm bells as you read on.

From Associated Press:

Tech company finds stolen government log-ins all over Web

WASHINGTON (AP) — A CIA-backed technology company has found logins and passwords for 47 government agencies strewn across the Web – available for hackers, spies and thieves.

Recorded Future, a social media data mining firm backed by the CIA’s venture capital arm, says in a report that login credentials for nearly every federal agency have been posted on open Internet sites for those who know where to look.

According to the company, at least 12 agencies don’t require authentication beyond passwords to access their networks, so those agencies are vulnerable to espionage and cyberattacks.

The company says logins and passwords were found connected with the departments of Defense, Justice, Treasury and Energy, as well as the CIA and the Director of National Intelligence.

From the WSJ: Obama’s Cyber Meltdown

“While Russia and Islamic State are advancing abroad, the Obama Administration may have allowed a cyber 9/11 at home.”

If you thought Edward Snowden damaged U.S. security, evidence is building that the hack of federal Office of Personnel Management (OPM) files may be even worse.

When the Administration disclosed the OPM hack in early June, they said Chinese hackers had stolen the personal information of up to four million current and former federal employees. The suspicion was that this was another case of hackers (presumably sanctioned by China’s government) stealing data to use in identity theft and financial fraud. Which is bad enough.

Yet in recent days Obama officials have quietly acknowledged to Congress that the hack was far bigger, and far more devastating. It appears OPM was subject to two breaches of its system in mid-to-late 2014, and the hackers appear to have made off with millions of security-clearance background check files.

These include reports on Americans who work for, did work for, or attempted to work for the Administration, the military and intelligence agencies. They even include Congressional staffers who left government—since their files are also sent to OPM.

This means the Chinese now possess sensitive information on everyone from current cabinet officials to U.S. spies. Background checks are specifically done to report personal histories that might put federal employees at risk for blackmail. The Chinese now hold a blackmail instruction manual for millions of targets.

These background checks are also a treasure trove of names, containing sensitive information on an applicant’s spouse, children, extended family, friends, neighbors, employers, landlords. Each of those people is also now a target, and in ways they may not contemplate. In many instances the files contain reports on applicants compiled by federal investigators, and thus may contain information that the applicant isn’t aware of.

Of particular concern are federal contractors and subcontractors, who rarely get the same security training as federal employees, and in some scenarios don’t even know for what agency they are working. These employees are particularly ripe targets for highly sophisticated phishing emails that attempt to elicit sensitive corporate or government information.

The volume of data also allows the Chinese to do what the intel pros call “exclusionary analysis.” We’re told, for instance, that some highly sensitive agencies don’t send their background checks to OPM. So imagine a scenario in which the Chinese look through the names of 30 State Department employees in a U.S. embassy. Thanks to their hack, they’ve got information on 27 of them. The other three they can now assume are working, undercover, for a sensitive agency. Say, the CIA.

Or imagine a scenario in which the Chinese cross-match databases, running the names of hacked U.S. officials against, say, hotel logs. They discover that four Americans on whom they have background data all met at a hotel on a certain day in Cairo, along with a fifth American for whom they don’t have data. The point here is that China now has more than enough information to harass U.S. agents around the world.

And not only Americans. Background checks require Americans to list their contacts with foreign nationals. So the Chinese may now have the names of thousands of dissidents and foreigners who have interacted with the U.S. government. China’s rogue allies would no doubt also like this list.

This is a failure of extraordinary proportions, yet even Congress doesn’t know its extent. The Administration is still refusing to say, even in classified briefings, which systems were compromised, which files were taken, or how much data was at risk.

***
While little noticed, the IRS admitted this spring it was also the subject of a Russian hack, in which thieves grabbed 100,000 tax returns and requested 15,000 fraudulent refunds. Officials have figured out that the hackers used names and Social Security data to pretend to be the taxpayers and break through weak IRS cyber-barriers. As Wisconsin Senator Ron Johnson has noted, the Health and Human Services Department and Social Security Administration use the same weak security wall to guard ObamaCare files and retirement information. Yet the Administration is hardly rushing to fix the problem.

Way back in March 2014, OPM knew that Chinese hackers had accessed its system without having downloaded files. So the agency was on notice as a target. It nonetheless failed to stop the two subsequent successful breaches. If this were a private federal contractor that had lost sensitive data, the Justice Department might be contemplating indictments.

Yet OPM director Katherine Archuleta and chief information officer Donna Seymour are still on the job. Mr. Obama has defended Ms. Archuleta, and the Administration is trying to change the subject by faulting Congress for not passing a cybersecurity bill. But that legislation concerns information sharing between business and government. It has nothing to do with OPM and the Administration’s failure to protect itself from cyber attack.

Ms. Archuleta appears before Congress this week, and she ought to remain seated until she explains the extent of this breach. While Russia and Islamic State are advancing abroad, the Obama Administration may have allowed a cyber 9/11 at home.

Cyber Conflict, Chaos and Calamity

There have been several Congressional hearings on cyber-terrorism, yet with such an emergency and threat, no solution is forthcoming.

From AEI: “America’s intelligence leaders have made clear the biggest threat today is cyber and counterintelligence. Who are the largest perpetrators of these types of attacks? The intelligence report singles out Russia and China as first examples. These nations have “highly sophisticated cyber programs” and are regularly conducting “politically motivated” attacks. What are they up to exactly? Countries such as China are “reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.” Back in 2013, Verizon released a report detailing Chinese hackers lurking around inside American industrial control systems—the cyber equivalent to casing a robbery target. In 2014 alone, the FBI investigated a likely Russian hacking campaign against American banking backbone JP Morgan, while two cybersecurity firms blamed Iran for a major campaign against US critical infrastructure like major airliners, medical universities, and energy companies. As the year ended, the US government publicly accused North Korea of a devastating cyberattack against Sony.”

When the Office of National Intelligence produced its report, the first chapter was on cyber threats.

“Risk. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed. Moreover, the risk calculus employed by some private sector entities does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors.

Costs. During 2014, we saw an increase in the scale and scope of reporting on malevolent cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information (PII) compromised, or remediation costs incurred by US victims.”

The stakes are higher than anyone will admit, most of all the White House. The Office of Personnel Management hack of personnel files now appears to exceed 18 million individuals. “FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM’s own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.”

Just announced as a possible additional agency falling victim to hacking is the National Archives and Records Administration (NARA). What is chilling about this probability is that all government reports, records and communications are by law to be maintained by NARA, even classified material.

EXCLUSIVE: Signs of OPM Hack Turn Up at Another Federal Agency

The National Archives and Records Administration recently detected unauthorized activity on three desktops indicative of the same hack that extracted sensitive details on millions of current and former federal employees, government officials said Monday. The revelation suggests the breadth of one of the most damaging cyber assaults known is wider than officials have disclosed.

The National Archives’ own intrusion-prevention technology successfully spotted the so-called indicators of compromise during a scan this spring, said a source involved in the investigation, who was not authorized to speak publicly about the incident. The discovery was made soon after the Department of Homeland Security’s U.S. Computer Emergency Readiness Team published signs of the wider attack — which targeted the Office of Personnel Management — to look for at agencies, according to NARA.

It is unclear when NARA computers were breached. Suspected Chinese-sponsored cyberspies reportedly had been inside OPM’s networks for a year before the agency discovered what happened in April. Subsequently, the government uncovered a related attack against OPM that mined biographical information on individuals who have filed background investigation forms to access classified secrets.

The National Archives has found no evidence intruders obtained “administrative access,” or took control, of systems, but files were found in places they did not belong, the investigator said.

NARA “systems” and “applications” were not compromised, National Archives spokeswoman Laura Diachenko emphasized to Nextgov, “but we detected IOCs,” indicators of compromise, “on three workstations, which were cleaned and re-imaged,” or reinstalled.

“Other files found seemed to be legitimate,” such as those from a Microsoft website, she said. “We have requested further guidance from US-CERT on how to deal with these” and are still awaiting guidance on how to proceed.

It will take additional forensics assessments to determine whether attackers ever “owned” the National Archives computers, the investigator said.

Diachenko said, “Continued analysis with our monitoring and forensic tools has not detected any activity associated with a hack,” including alerts from the latest version of a governmentwide network-monitoring tool called EINSTEIN 3A.

EINSTEIN, like NARA’s own intrusion-prevention tool, is now configured to detect the tell-tale signs of the OPM attack.

“OPM isn’t the only agency getting probed by this group,” said John Prisco, president of security provider Triumphant, the company that developed the National Archives’ tool. “It could be happening in lots of other agencies.”

Prisco said he learned of the incident at a security industry conference June 9, from an agency official the company has worked with for years.

“They told us that they were really happy because we stopped the OPM attack in their agency,” Prisco said.

The malicious operation tries to open up ports to the Internet, so it can excise information, Prisco said.

“It’s doing exploration work laterally throughout the network and then it’s looking for a way to communicate what it finds back to its server,” he added.

Homeland Security officials on Monday would not confirm or deny the situation at the National Archives. DHS spokesman S.Y. Lee referred to the department’s earlier statement about the OPM hack: “DHS has shared information regarding the potential incident with all federal chief information officers to ensure that all agencies have the knowledge they need to defend against this cybersecurity incident.”

The assault on OPM represents the seventh raid on national security-sensitive or federal personnel information over the past year.

Well-funded hackers penetrated systems at the State Department, the White House, U.S. Postal Service and, previously in March 2014, OPM. Intruders also broke into networks twice at KeyPoint Government Solutions, an OPM background check provider, and once at USIS, which conducted most of OPM’s employee investigations until last summer.

On Wednesday, the House Oversight and Government Reform Committee is scheduled to hold a hearing on the OPM incident that, among other things, will examine the possibility that hackers got into the agency’s systems by using details taken from the contractors.

Chinese Intelligence at Center of OPM Hack

First reported was Anthem, one of the largest healthcare providers, which was hacked. 80 million personal records were compromised. What is notable is that Anthem is part of the Blue Cross Blue Shield health coverage network, and even more concerning is that BCBS provides coverage to more than half of the federal government workforce.

Take note of the following from ThreatConnect.com:

“Anthem Themed Infrastructure & Signed Malware:
In September 2014, the ThreatConnect Intelligence Research Team (TCIRT) observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. TCIRT began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.
Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.
Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.”

This brings us to the hack, or rather the simple sign-on as a root user, of the 14 million personnel records of the Office of Personnel Management (OPM) located in Colorado.

From Reuters:

U.S. employee data breach tied to Chinese intelligence

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation.

Washington has not publicly accused Beijing of orchestrating the data breach at the U.S. Office of Personnel Management (OPM), and China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the attack.

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.

The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

MANY UNKNOWNS

Most of the biggest U.S. cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case two years ago, the U.S. Justice Department indicted five PLA officers for alleged economic espionage.

Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.

People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.

“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.

CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defense and industry trade secrets. CrowdStrike calls the group “Deep Panda,” EMC Corp’s RSA security division dubs it “Shell Crew,” and other firms have picked different names.

The OPM breach gave hackers access to U.S. government job applicants’ security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.

In contrast to hacking outfits associated with the Chinese army, “Deep Panda” appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.

Information about U.S. spies in China would logically be a top priority for the ministry, Alperovitch said, adding that “Deep Panda’s” tools and techniques have also been used to monitor democracy protesters in Hong Kong.

An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of “Deep Panda” could reflect a different structure than that in top-down military units.

“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.

“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group.”
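The ThreatConnect and Reuters excerpts above both turn on lookalike domains (we11point.com with a “1” for the “l”, OPM-Learning.org carrying the brand name). The following is an added example, not code from the page, ThreatConnect or Reuters, of how a defender could flag such names in DNS or proxy logs; it goes a step beyond the two cases on the page by also catching one-character typos. The brand list and the log lines are constructed for the example.

```python
# Added example: lookalike-domain check over constructed DNS log lines.
# Brand list and log lines are made up for this example; the homoglyph
# table is a small, hand-picked subset of common substitutions.
import re

# Legitimate registered domains the organization expects to see.
BRANDS = {"wellpoint.com", "opm.gov", "microsoft.com"}

# Characters and digraphs commonly swapped in to imitate letters.
HOMOGLYPHS = {"1": "l", "0": "o", "5": "s", "3": "e", "rn": "m", "vv": "w"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """2015-06-09T10:01:02Z host=ws-17 query=www.wellpoint.com
2015-06-09T10:01:05Z host=ws-17 query=extcitrix.we11point.com
2015-06-09T10:02:11Z host=ws-22 query=OPM-Learning.org
2015-06-09T10:03:40Z host=ws-22 query=login.opm.gov
2015-06-09T10:04:00Z host=ws-31 query=update.microsoft.com
2015-06-09T10:05:12Z host=ws-31 query=welpoint.com"""


def normalize(label: str) -> str:
    """Map look-alike characters back to the letters they imitate.
    Limitation: a legitimate label that really contains 'rn' or '11'
    is also rewritten, so only compare against the brand's own label."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Reduce a hostname (possibly defanged with [.]) to its last two labels.
    Simplification: no public-suffix handling (e.g. .co.uk)."""
    host = host.lower().replace("[.]", ".").strip(".")
    return ".".join(host.split(".")[-2:])


def classify(host: str, brands=BRANDS):
    """Return (verdict, brand) where verdict is one of legitimate,
    homoglyph, brand-embedded, typo or unknown."""
    rd = registered_domain(host)
    if rd in brands:
        return ("legitimate", rd)
    label = rd.rsplit(".", 1)[0]          # second-level label only
    tokens = label.split("-")             # opm-learning -> ["opm", "learning"]
    for brand in sorted(brands):          # sorted for deterministic results
        bl = brand.rsplit(".", 1)[0]
        if label == bl:
            continue                      # same name, different TLD: not scored here
        if normalize(label) == bl:
            return ("homoglyph", brand)
        if bl in tokens:
            return ("brand-embedded", brand)
        if levenshtein(label, bl) <= 1:
            return ("typo", brand)
    return ("unknown", None)


def scan(log_text: str, brands=BRANDS):
    """Yield (query, verdict, brand) for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        verdict, brand = classify(m.group(1), brands)
        if verdict not in ("legitimate", "unknown"):
            hits.append((m.group(1), verdict, brand))
    return hits


if __name__ == "__main__":
    for query, verdict, brand in scan(SAMPLE_LOG):
        print(f"{verdict:15} {query:30} imitates {brand}")
```

Feeding real resolver or proxy logs through `scan` gives a triage list; the brand set and the homoglyph table are the two knobs to tune for an organization’s own names.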