Chinese Intelligence at Center of OPM Hack

First reported was Anthem, one of the largest healthcare providers, which was hacked: 80 million personal records were compromised. What is notable is that Anthem is part of the Blue Cross Blue Shield health coverage network, and even more concerning is that BCBS provides coverage to more than half of the federal government workforce.

Take note of the following from Threatconnect.com:

“Anthem Themed Infrastructure & Signed Malware:
In September 2014, the ThreatConnect Intelligence Research Team (TCIRT) observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. TCIRT began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.
Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.
Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.”

This brings us to the hack, or rather the simple sign-on as a root user, that exposed the 14 million personnel records of the Office of Personnel Management (OPM) located in Colorado.

From Reuters:

U.S. employee data breach tied to Chinese intelligence

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation.

Washington has not publicly accused Beijing of orchestrating the data breach at the U.S. Office of Personnel Management (OPM), and China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the attack.

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.

The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

MANY UNKNOWNS

Most of the biggest U.S. cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case two years ago, the U.S. Justice Department indicted five PLA officers for alleged economic espionage.

Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.

People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.

“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.

CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defense and industry trade secrets. CrowdStrike calls the group “Deep Panda,” EMC Corp’s RSA security division dubs it “Shell Crew,” and other firms have picked different names.

The OPM breach gave hackers access to U.S. government job applicants’ security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.

In contrast to hacking outfits associated with the Chinese army, “Deep Panda” appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.

Information about U.S. spies in China would logically be a top priority for the ministry, Alperovitch said, adding that “Deep Panda’s” tools and techniques have also been used to monitor democracy protesters in Hong Kong.

An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of “Deep Panda” could reflect a different structure than that in top-down military units.

“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.

“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group.”
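The impersonation infrastructure described in the ThreatConnect and Reuters passages above (we11point.com using the digit 1 for the letter l, and OPM-Learning.org wrapping the agency's name in a plausible-looking domain) is the kind of thing a defender can screen for in passive DNS or proxy logs. The Python script below is an added example, not code from the original post, ThreatConnect, Reuters or any vendor. The protected-brand table, the homoglyph table and the log lines are constructed for illustration, and the two-label "registrable domain" split is a simplifying assumption that a real deployment would replace with a public-suffix list.

```python
"""Lookalike-domain triage over DNS/proxy log lines (added example).

Everything here is constructed for illustration: the protected-brand table,
the homoglyph table and the sample log are not taken from the articles.
"""
import re

# Substitutions attackers use to pass a forged label off as a brand name;
# the we11point case is the '1' for 'l' swap.  Two-character entries come
# first so 'rn' -> 'm' is applied before single characters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
              ("3", "e"), ("5", "s"), ("7", "t")]

# brand keyword -> registrable domains the organisation actually owns (constructed)
PROTECTED = {
    "wellpoint": {"wellpoint.com"},
    "opm": {"opm.gov"},
}

SUSPICIOUS = ("homoglyph", "brand-token", "near-miss", "brand-other-tld")

# Constructed log: timestamp, workstation, record type, query name
SAMPLE_LOG = """\
2015-06-01T10:02:11Z ws-017 dns A www.we11point.com
2015-06-01T10:03:40Z ws-022 dns A extcitrix.we11point.com
2015-06-01T10:04:02Z ws-031 dns A www.wellpoint.com
2015-06-01T10:05:19Z ws-044 dns A opm-learning.org
2015-06-01T10:06:00Z ws-050 dns A www.example.com
"""


def normalize_label(label: str) -> str:
    """Map confusable characters onto the letters they imitate."""
    s = label.lower()
    for glyph, letter in HOMOGLYPHS:
        s = s.replace(glyph, letter)
    return s


def registrable_domain(fqdn: str) -> str:
    """Naive registrable domain: the last two labels (assumption; use a
    public-suffix list in production so co.uk-style suffixes work)."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn: str):
    """Return (verdict, brand) for one hostname."""
    reg = registrable_domain(fqdn)
    sld = reg.split(".")[0]
    norm = normalize_label(sld)
    tokens = re.split(r"[-_]", norm)
    for brand, owned in PROTECTED.items():
        if reg in owned:
            return "legitimate", brand
        if norm == brand:                      # we11point -> wellpoint, or wellpoint.net
            return ("homoglyph" if sld != brand else "brand-other-tld"), brand
        if brand in tokens and len(tokens) > 1:  # opm-learning
            return "brand-token", brand
        if edit_distance(norm, brand) == 1:    # welpoint (one deletion)
            return "near-miss", brand
    return "unknown", None


def triage(log_text: str):
    """Classify the queried name on each log line -> (host, fqdn, verdict, brand)."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, fqdn = fields[1], fields[4]
        verdict, brand = classify(fqdn)
        results.append((host, fqdn, verdict, brand))
    return results


def suspicious(log_text: str):
    """Only the rows an analyst should look at."""
    return [r for r in triage(log_text) if r[2] in SUSPICIOUS]


if __name__ == "__main__":
    for host, fqdn, verdict, brand in triage(SAMPLE_LOG):
        print(f"{verdict:16} {fqdn:28} {brand or '-':10} seen from {host}")
```

Running the script lists every queried name with a verdict; `suspicious()` filters it to the homoglyph, brand-token and near-miss hits, which on the constructed log are the two we11point hostnames and opm-learning.org. The edit-distance rule is deliberately loose and will be noisy for a three-letter keyword such as "opm", so short brand names are better served by the token rule alone or by an allowlist of known-good hostnames.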

American Recovery and Reinvestment Act, NOT SO Much

When one visits the government website www.recovery.gov, the description reads that the board is a non-partisan, non-political agency, and then in bold letters in a heading it also reads ‘The Recovery Accountability and Transparency Board’.

Additionally the site mission statement reads: “To promote accountability by coordinating and conducting oversight of Recovery funds to prevent fraud, waste, and abuse and to foster transparency on Recovery spending by providing the public with accurate, user-friendly information.”

Sheesh. Note the one particular case below, and then ask yourself whether there is a violation.

From Watchdog.org:

Company that got millions from U.S. taxpayers now profits Chinese owners

The good news is electric car battery maker A123 Systems is finally on track to turn a profit.

The bad news is taxpayers don’t figure to see any of the $133 million the federal government spent and the estimated $141 million in tax credits and subsidies secured from Michigan to help the company take off in 2009, only to see A123 Systems crash, declare bankruptcy in 2012 and then get purchased by a privately held Chinese conglomerate.

“In the case of A123, they created some jobs and a year or two later those jobs were gone, so taxpayers weren’t getting that money back,” said Jarret Skorup, a policy analyst at Michigan’s Mackinac Center, a free-market think tank.

Earlier this month, CEO Jason Forcier announced that A123 Systems’ parent company, the China-based Wanxiang Group, will spend $200 million to double the capacity of three lithium-ion battery plants, including two in suburban Detroit.

Forcier told Crain’s Detroit Business that A123 Systems is expected to generate $300 million in revenue this year and plans to double that amount by 2018. The company, Forcier said, will turn a profit for the first time in its history in 2015.

“The strength of A123 has never been greater and we are honored to be expanding our existing customer relationships and establishing new ones at the same time,” Forcier said in a company news release.

It would mark a dramatic turnaround for the company that was on the verge of collapse when Wanxiang bought it a little more than two years ago at a stripped-down price of $256.6 million. 

But finding out if taxpayers will ever see any of their money back is another matter.

Watchdog.org sent an email and left two voicemail messages with A123 Systems, asking whether any refunds are coming or if — under the terms of the bankruptcy — Wanxiang is under no financial obligation to do so.

The one-sentence response from Paulette Spagnuolo, A123’s marketing and communications manager: “A123 continues to meet and exceed all of the terms of the state and federal grants including all job creation, repayment and investment requirements.”

Spagnuolo did not respond to inquiries asking her to elaborate.

Skorup says the money is gone for good.

“There are a lot of local and state rebates and they are largely upfront costs, so yes, taxpayers are sunk on those,” Skorup told Watchdog.org in a telephone interview. “They’re not going to be getting money back from them … Michigan doesn’t require (A123 Systems) to pay them back anyway.”

How much money?

On the federal level, A123 Systems was originally slated to receive $249 million in grants from the U.S. Department of Energy in 2009 to build production facilities in the towns of Romulus and Livonia, Michigan — just $7.6 million less than Wanxiang eventually bought the entire company for four years later.

But A123 Systems ran into trouble early on. After some of its batteries were involved in a recall for the company’s biggest customer, the electric car company Fisker Automotive, the company’s federal grant was cut off after A123 received $133 million. 

Figuring out how much Michigan passed out has been more difficult.

The Detroit Free Press and the Mackinac Center have been rebuffed in attempts to see how much of an investment the state made in A123 Systems because the Michigan Economic Development Corporation will not disclose specifics.

Skorup estimates Michigan approved A123 Systems for $100 million in a tax credit program and another $41 million in subsidies.

“How much they actually cashed in those we don’t know,” Skorup said. “We’ve tried to find out, but the state won’t give it to us … they say it’s a private contract.”

The federal money was part of the stimulus package and a green-tech initiative the Obama administration touted would spur economic success.

A123 Systems was one of a number of Michigan battery companies that received a surge of tax credits from the state in 2009, but the incentives did not spur the jobs and dollars that were promised.

Detroit Free Press estimated $861 million in Obama administration grants were awarded in the fledgling Michigan battery industry and another $543 million in state tax credits were awarded during the administration of then-Gov. Jennifer Granholm, a Democrat.

Most of the Michigan business tax credit program was eliminated by current Gov. Rick Snyder, a Republican. However, companies that had already secured the tax incentives were allowed to keep them.

“The general lesson for policy makers is that they make very poor venture capitalists because they’re not spending their own money,” said Skorup. “They’re spending other people’s money and those politicians weren’t putting their own stock portfolios into A123 Systems. They were putting taxpayer money into them.

“And the lesson for taxpayers should be, when politicians are making these claims about job projections they should be extremely skeptical. In Michigan, almost none of those — we’ve done multiple studies, other news organizations have done multiple studies — reach the actual projections that they promise.”

“Just because the jobs haven’t happened ‘yet,’ it doesn’t mean that cracking the code to vehicle batteries was the wrong strategy,” Granholm told the Free Press in March 2014.

President Obama appeared by remote broadcast for the grand opening of the A123 Systems Livonia plant in the fall of 2010, an event hosted by Granholm.

“Thanks to the Recovery Act, you guys are the first American factory to start high-volume production of advanced vehicle batteries,” Obama said at the time.

Skorup told Watchdog.org the video of the event was taken down by the Michigan Economic Development Corporation, but the Mackinac Center, a sharp critic of the battery plan from the start, retained a copy of it:


China did Not Hack OPM, Operative Just Signed In

Per Ars Technica: not only were OPM’s database records not encrypted, it simply did not matter. At least 14 million personnel files have been compromised, and protecting Social Security numbers with encryption would not have mattered either.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Even more chilling, a person or team just found a way to sign in as a root user.

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.

A future consequence of insecure data systems is blackmail

Reuters: The same hackers breached several health insurance companies last summer and made off with the medical records of 11 million people, including members of Blue Cross/Blue Shield’s District of Columbia affiliate CareFirst.

Media pundits spent all week talking about how Deep Panda could compile all this information to craft a potential blackmail database on U.S. operatives for its patron, presumably China. But that’s ridiculous. Beijing is smarter than that.

Espionage is a long game, not a race, and countries are patient. Blackmail is a quick, brutal method of acquiring information in the short term.

It typically begins when foreign agents play on a target’s existing weakness — a penchant for gambling, for example, or deviant sexual behavior — enticing the target to indulge in it and then threatening exposure.

That’s a lot of work for a short-term gain. Blackmail targets are almost always found out, or turn on their blackmailers or end their lives. No, a better use for that database is as a reference to create the background for the perfect mole. Many additional details found here.

An additional security concern of real proportions is that this cyber intrusion has affected Capitol Hill and congressional staff.

In part, from The Hill: Officials had initially said the breach only encompassed 4.2 million federal employees, all within the executive branch. But the discovery of a second breach that compromised security clearance data has many expecting the breach to eventually expose up to 14 million people.

According to an email sent to House staff members shortly before midnight Tuesday and obtained by The Hill, many of them are at risk.

“It now appears likely that the service records of current House employees employed previously by ANY federal government entity (including the House, if an individual left the House and later returned to a House position) may have been compromised,” the email said, sent by House Chief Administrative Officer Ed Cassidy.

When staffers leave Capitol Hill, or any federal agency, their retirement records are forwarded to the OPM.

“In addition, the background investigation files of individuals holding security clearances (whether currently active or not) may have been exposed,” the email added.

Senate staffers received a similar email from the Senate Sergeant at Arms several hours earlier on Tuesday, according to multiple reports.

WalMart has a Secret Global Operation

In 2013, WalMart announced an ‘All American’ objective... yet there are other truths.

Wal-Mart Stores Inc will buy an additional $50 billion in U.S.-made goods over the next decade in areas like sporting goods and high-end appliances in what the world’s largest retailer called a bid to help boost the U.S. economy. Wal-Mart, the largest private employer in the United States, also said on Tuesday it plans to hire 100,000 newly discharged veterans over the next five years, at a time when the U.S. unemployment rate is at 7.8 percent.

The moves are likely to receive a cool reception from critics, who claim Wal-Mart does not pay its workers enough and slam the retailer for selling too many goods made in lower-cost countries like China. The company is also under pressure over its sourcing practices, particularly after a deadly fire at a Bangladesh factory that made Wal-Mart clothes.

Then Walmart went all in with China.

But WalMart is fully offshore hiding monies for tax purposes…what would Barack Obama say?

Wal-Mart Has $76 Billion in Undisclosed Overseas Tax Havens

Wal-Mart Stores Inc. owns more than $76 billion of assets through a web of units in offshore tax havens around the world, though you wouldn’t know it from reading the giant retailer’s annual report. A new study has found Wal-Mart has at least 78 offshore subsidiaries and branches, more than 30 created since 2009 and none mentioned in U.S. securities filings. Overseas operations have helped the company cut more than $3.5 billion off its income tax bills in the past six years, its annual reports show. The study, researched by the United Food & Commercial Workers International Union and published Wednesday in a report by Americans for Tax Fairness, found 90 percent of Wal-Mart’s overseas assets are owned by subsidiaries in Luxembourg and the Netherlands, two of the most popular corporate tax havens.

Units in Luxembourg — where the company has no stores — reported $1.3 billion in profits between 2010 and 2013 and paid tax at a rate of less than 1 percent, according to the report. All of Wal-Mart’s roughly 3,500 stores in China, Central America, the U.K., Brazil, Japan, South Africa and Chile appear to be owned through units in tax havens such as the British Virgin Islands, Curacao and Luxembourg, according to the report from the advocacy group. The union conducted its research using publicly available documents filed in various countries by Wal-Mart and its subsidiaries. Randy Hargrove, a Wal-Mart spokesman, called the report incomplete and “designed to mislead” by its union authors. He said the company has “processes in place to comply with applicable SEC and IRS rules, as well as the tax laws of each country where we operate.”

Mailbox Subsidiaries

The union behind the study backs the Organization United for Respect at Wal-Mart, a group that campaigns for wage increases and more predictable schedules. Wal-Mart has historically resisted unions and discourages employees from joining them. The report comes a week after the Group of Twenty nations unveiled its latest effort to combat multinational corporate tax avoidance. The body wants companies to disclose to regulators where they book profits, employees and sales, so tax authorities can be aware of discrepancies between where corporations report income and where they have operations. Hargrove, the Wal-Mart spokesman, pointed to guidance issued by the SEC that permits companies to avoid disclosure of subsidiaries with significant “intercompany transactions.” He said Wal-Mart’s tax savings overseas was driven by lower rates in markets including Canada and the U.K.

‘Continuing Evidence’

Companies such as Google Inc., Apple Inc. and Starbucks Corp. have come under fire for avoiding billions of dollars of income taxes by attributing profits to mailbox subsidiaries in low-tax jurisdictions like Bermuda. The Group of Twenty has directed the Organization for Economic Cooperation and Development to develop plans to crack down on such strategies. The new Wal-Mart disclosures could expand the scope of international tax reform, which has often focused on technology companies that move profits offshore by assigning valuable patent rights to mailbox units. Bloomberg News reported last year that Inditex SA, the parent of Zara, the world’s biggest fashion retailer, cut its taxes by shifting billions of dollars of profits to a tiny Dutch unit. “This report is continuing evidence that everybody has been engaging in cross-border tax avoidance,” said Stephen E. Shay, a professor at Harvard Law School and former deputy assistant secretary for international tax affairs for the Obama Treasury Department.

Hybrid-Loan Strategy

Nearly a decade ago, Wal-Mart ran into trouble over strategies to avoid U.S. state income taxes. It used a real estate investment trust to effectively pay rent to itself, generating big tax deductions, even though the rent payments never left the company. At least six states changed their tax laws after publicity about the tactics. Since then, Wal-Mart has stepped up its use of offshore tax havens. It has created 20 new subsidiaries in Luxembourg alone since 2009, according to the report. Wal-Mart employs a popular legal strategy in that country called a hybrid loan. It permits companies’ offshore units to take tax deductions for interest paid — typically on paper only — to their parents in the U.S. The parent, however, doesn’t include that interest as taxable income in the U.S. The OECD has called for an end to the tax benefits of such loans. Luxembourg generated headlines last year after the International Consortium of Investigative Journalists revealed its role in cutting the tax bills of hundreds of multinationals.

Union Funding

U.S. companies owe tax at a rate of 35 percent but can defer indefinitely the income taxes on profits attributed to overseas units. In 2011, Wal-Mart’s then-chief executive officer, Mike Duke, called in testimony before Congress for a system that would exempt from U.S. income tax the earnings that multinationals generate overseas. Wal-Mart’s accumulated offshore earnings have doubled to $23.3 billion in 2015 from $10.7 billion in 2008. The company operates about 6,300 stores in 27 countries outside the U.S. and last fiscal year reported 28 percent of its sales abroad, or about $137 billion. Wal-Mart paid $6.2 billion in U.S. income tax last year, Hargrove, the company spokesman, said, or “nearly 2 percent of all corporate income tax collected by the U.S. Treasury.” Americans for Tax Fairness called on the European Union to open investigations into whether the Luxembourg tax benefits constitute illegal state aid. The EU has issued preliminary findings that this was indeed the case with companies using similar strategies in various countries, including Starbucks in the Netherlands, Apple in Ireland and Fiat SpA in Luxembourg. The tax group receives most of its funding from foundations, including the Ford Foundation, Open Society Foundations, Bauman Foundations and Stoneman Family Foundation. It’s also funded by public-sector unions, including the American Federation of State, County and Municipal Employees and the National Education Association.

Russia China Pact with Snowden in the Middle

Going beyond the major hack by China into the Office of Personnel Management, which harvested at least 14 million personnel files of government, intelligence and military personnel, China is building a database of individuals in America. Would they share it with Russia? The wake of destruction is yet to be known, and future consequences are impossible to predict.

Russia is turning to China and likewise China is delighted for the relationship as proven by the Silk Road Economic objectives.

Putin’s vision of a ‘greater Europe’ from Lisbon to Vladivostok, made up of the European Union and the Russian-led Eurasian Economic Union, is being replaced by a ‘greater Asia’ from Shanghai to St. Petersburg.

China's silk road

In part:

The rupture between Russia and the West stemming from the 2014 crisis over Ukraine has wide-ranging geopolitical implications. Russia has reverted to its traditional position as a Eurasian power sitting between the East and the West, and it is tilting toward China in the face of political and economic pressure from the United States and Europe. This does not presage a new Sino-Russian bloc, but the epoch of post-communist Russia’s integration with the West is over. In the new epoch, Russia will seek to expand and deepen its relations with non-Western nations, focusing on Asia. Western leaders need to take this shift seriously.

Russia’s Pivot to Asia

Russia’s pivot to Asia predates the Ukraine crisis, but it has become more pronounced since then. This is in part because China is the largest economy outside of the coalition that has imposed sanctions on Russia as a result of the crisis.

What was originally Moscow’s “marriage of convenience” with Beijing has turned into a much closer partnership that includes cooperation on energy trade, infrastructure development, and defense.

Putin’s vision of a “greater Europe” from Lisbon to Vladivostok, made up of the European Union and the Russian-led Eurasian Economic Union, is being replaced by a “greater Asia” from Shanghai to St. Petersburg.

Russia is now more likely to back China in the steadily growing competition between Beijing and Washington, which will strengthen China’s hand.

Takeaways for Western Leaders

Russia’s confrontation with the United States will help mitigate Sino-Russian rivalries, mostly to China’s advantage. But this doesn’t mean Russia will be dominated by China—Moscow is likely to find a way to craft a special relationship with its partner.

With China’s economic might and Russia’s great-power expertise, the BRICS group (of which Russia is a part, along with Brazil, India, China, and South Africa) will increasingly challenge the G7 as a parallel center of global governance.

The Shanghai Cooperation Organization, due to include India and Pakistan this year, is on its way to becoming the principal development and security forum for continental Asia.

Through its enhanced relations with non-Western countries, Russia will actively promote a concept of world order that seeks to reduce U.S. global dominance and replace it with a broader great-power consensus. Much more detail here.

Enter Snowden

Confirmed: UK agents ‘moved over Snowden files’

Russia, China Decrypt Snowden Files

Russia and China have allegedly decrypted the top-secret cache of files stolen by whistleblower Edward Snowden, according to a report from The Sunday Times, to be published tomorrow.

The info has compelled British intelligence agency MI6 to withdraw some of its agents from active operations and other Western intelligence agencies are now actively involved in rescue operations. In a July 2013 email to a former U.S. Senator, Snowden stated that, “No intelligence service—not even our own—has the capacity to compromise the secrets I continue to protect. While it has not been reported in the media, one of my specializations was to teach our people at DIA how to keep such information from being compromised even in the highest threat counter-intelligence environments (i.e. China).” Many in the intelligence agencies at the time greeted this claim with scepticism. Now, one senior British official said Snowden had “blood on his hands,” but another said there’s yet no evidence anyone was harmed. Snowden eventually fled to Russia via Hong Kong after downloading some 1.7 million documents from U.S. government computers and leaking them to journalists out of a desire to protect “privacy and basic liberties.” The revelations of mass spying outraged populations and governments around the world, at least temporarily damaged relations, and eventually led to changes in the mass surveillance policies of the NSA and British GCHQ.