Category Archives: Cyber War

Remember, Obama Removed Iran/Hezbollah from Terror List

Posted on by

In February of 2015, yup the Obama administration instructed the intelligence community to remove Iran and it’s proxies such as Hezbollah from the terror list mostly due to the Iran nuclear deal and the assistance Iran was providing the Baghdad government in fighting Islamic State…..ahem….sure thing.

“Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF) and Lebanese Hezbollah are instruments of Iran’s foreign policy and its ability to project power in Iraq, Syria, and beyond,” that assessment, also submitted to the Senate of February 26, said in its section on terrorism. “Hezbollah continues to support the Syrian regime, pro-regime militants and Iraqi Shia militants in Syria. Hezbollah trainers and advisors in Iraq assist Iranian and Iraqi Shia militias fighting Sunni extremists there. Select Iraqi Shia militant groups also warned of their willingness to fight US forces returning to Iraq.” More here.

***

But Hezbollah’s more recent moves in Latin America are very much a matter of interest for investigators, too. In October, a joint FBI-NYPD investigation led to the arrest of two individuals who were allegedly acting on behalf of Hezbollah’s terrorist wing, the Islamic Jihad Organization (IJO). At the direction of their Hezbollah handlers, one person allegedly “conducted missions in Panama to locate the U.S. and Israeli Embassies and to assess the vulnerabilities of the Panama Canal and ships in the Canal,” according to a Justice Department press release. The other allegedly “conducted surveillance of potential targets in America, including military and law enforcement facilities in New York City.” In the wake of these arrests, the director of the National Counterterrorism Center warned: “It’s our assessment that Hezbollah is determined to give itself a potential homeland option as a critical component of its terrorism playbook, and that is something that those of us in the counterterrorism community take very, very seriously.” These cases, one official added, are “likely the tip of the iceberg.”

The administration’s counter-Hezbollah campaign is an interagency effort that includes leveraging diplomatic, intelligence, financial and law enforcement tools to expose and disrupt the logistics, fundraising and operational activities of Iran, the Qods Force and the long list of Iranian proxies from Lebanese Hezbollah to other Shia militias in Iraq and elsewhere. But in the words of Ambassador Nathan Sale, the State Department coordinator for counterterrorism, “Countering Hezbollah is a top priority for the Trump administration.” Since it took office, the Trump administration has taken a series of actions against Hezbollah in particular — including indictmentsextraditions, public statements and rewards for information on wanted Hezbollah terrorist leaders — and officials are signaling that more actions are expected, especially in Latin America. Congress has passed a series of bills aimed at Hezbollah as well. The goal, according to an administration official quoted by Politico, is to “expose them for their behavior.” The thinking goes: Hezbollah cannot claim to be a legitimate actor even as it engages in a laundry list of illicit activities that undermine stability at home in Lebanon, across the Middle East region and around the world.

To support this policy, the administration has issued a broad RFI — a request for information — requiring departments and agencies to scour their files and collect new information that could be used to identify targets and help direct and inform the implementation of forthcoming actions. Though it is unclear if it is a result of that RFI, it appears new information is coming in, as evidenced most recently by a little-noticed FBI “Seeking Information” bulletin issued by the Bureau’s Miami Field Office. More here.

***

Image result for iran terror networks photo

All of this has turned quite political on The Hill due in part to recent investigative report published by Politico on how Obama gave Iran, a state sponsor of terror networks worldwide a major pass. In part from Congressional testimony in June of 2017:

Hezbollah has experienced a series of financial setbacks, leading U.S.
officials to describe the group being in the “worst financial shape in decades.”
Indeed, Hezbollah has in recent months resorted to launching an online fundraising crowdsourcing campaign entitled “Equip a Mujahid Campaign” which calls for donations, large or small, payable all at once or in installments, to equip Hezbollah fighters.
Hezbollah has also promoted a fundraising campaign on billboards and posters promoting a program through which supporters whereby supporters can avoid recruitment into Hezbollah’s militia forces for a payment of about $1,000.
These are desperate measures for a group suffering tough financial times.
And yet, Hezbollah continues to collect sufficient funds to deploy a significant militia
at home and next door in Syria, to send smaller groups of operatives to Iraq and Yemen,
and to operate an international terrorist network with deadly effect.
To effectively counter Hezbollah’s financing, the U.S. must lead an international effort to target the group’s illicit financial conduct both at home in Lebanon and around the world. More here.
***
Meanwhile to fully comprehend the full construction of Iranian terror networks globally and the historical facts, go here.
In day 5 of the Iranian people protesting the Iran government, at least a dozen have been killed.

Initially, state TV said that 10 people had been killed overnight, but that figure was later raised to 13 by a regional governor:

  • Six died after shots were fired in the western town of Tuyserkan, 300km (185 miles) south-west of Tehran
  • Later, Hamadan province’s governor told the ISNA agency that another three people had also been killed in the city
  • Two people died in the south-western town of Izeh, an official said
  • Two died in clashes in Dorud in Lorestan province

This has the makings of the conflict seen in Syria as the genesis is the same. Where will this put militant Islamist groups in the mix is an open question. Islamic State did launch a terror attack in June of 2017.

There are other moving parts to the building civil conflicts in Iran and they include Israel, Saudi Arabia, North Korea, Syria, Lebanon, Iraq and the United States.

Image result for protests in iran photo

In part from Reuters: Hundreds have been arrested, according to officials and social media. Online video showed police in the capital Tehran firing water cannon to disperse demonstrators, in footage said to have been filmed on Sunday.

Protests against economic hardships and alleged corruption erupted in Iran’s second city of Mashhad on Thursday and escalated across the country into calls for the religious establishment to step down.

Some of the anger was directed at Ayatollah Ali Khamenei, breaking a taboo surrounding the man who has been supreme leader of Iran since 1989.

Video posted on social media showed crowds of people walking through the streets, some chanting “Death to the dictator!” Reuters was not immediately able to verify the footage. The Fars news agency reported “scattered groups” of protesters in Tehran on Monday and said a ringleader had been arrested.

“The government will show no tolerance for those who damage public property, violate public order and create unrest in society,” Rouhani said in his address on Sunday.

Unsigned statements on social media urged Iranians to continue to demonstrate in 50 towns and cities.

The government said it was temporarily restricting access to the Telegram messaging app and Instagram. There were reports that internet mobile access was blocked in some areas.

 

The Plotting Begins to Surface at FBI/DoJ

Posted on by

Primer:

(Washington, DC)Judicial Watch today released Justice Department records showing that FBI Deputy Director Andrew McCabe did not recuse himself from the investigation into former Secretary of State Hillary Clinton’s unsecure, non-government email server until Tuesday, November 1, 2016, one week prior to the presidential election. The Clinton email probe was codenamed “Midyear Exam.”

While working as Assistant Director in Charge of the Washington Field Office, McCabe controlled resources supporting the investigation into former Secretary of State Hillary Clinton’s email scandal. An October 2016 internal FBI memorandum labeled “Overview of Deputy Director McCabe’s Recusal Related To Dr. McCabe’s Campaign for Political Office,” details talking points about McCabe’s various potential conflicts of interest, including the FBI’s investigation of Clinton’s illicit server, which officially began in July 2015:

While at [Washington Field Office] did Mr. McCabe provide assistance to the Clinton investigation?

Related reading: Nunes blasts DOJ, FBI for ‘failure’ to produce records relating to anti-Trump dossier

After the referral was made, FBI Headquarters asked the Washington Field Office for personnel to conduct a special investigation. McCabe was serving as [Assistant Director] and provided personnel resources. However, he was not told what the investigation was about. In February 2016 McCabe became Deputy Director and began overseeing the Clinton investigation.

The Overview also shows if asked whether McCabe played any role in his wife’s campaign, the scripted response was: “No. Then-[Assistant Director] McCabe played no role, attended no events and did not participate in fundraising or support of any kind.” More here.

Related reading: Russia never stopped its cyberattacks on the United States

Wider context:

Why do heads seem to be rolling—or at least tilting—at the Department of Justice and FBI?

Eight high ranking Department of Justice and FBI officials have been removed, reassigned or are rumored to be leaving. They include the top FBI agents who worked on two of the agency’s most high-profile investigations in the past two years: the probe into Hillary Clinton’s mishandling of classified information as secretary of state, and the Trump-Russia collusion investigation.

There’s been a great deal of news coverage about allegations of collusion between President Trump and Russia; much of the reporting apparently accurate and some of it not.

Less attention has been given to concurrent investigations that seem to be claiming scalps even if indirectly.

The investigations into the investigators include Congressional inquiries and a multi-faceted probe launched by Department of Justice Inspector General Michael Horowitz surrounding the FBI decision not to prosecute Clinton. Specifically, Horowitz—who was appointed by President Obama—said he’s reviewing:

  • Allegations that FBI Deputy Director Andrew McCabe and Assistant Attorney General Peter Kadzik should have recused themselves.
  • Allegations of improper political contacts by Kadzik.
  • Allegations that Justice Department and FBI employees improperly disclosed non-public information and were influenced by improper considerations in releasing certain documents just before the 2016 election.

Below are some of the players. Their inclusion in this article does not imply any wrongdoing. None of those mentioned are formally accused of any improper activities. Their past or pending job status may not be related to the controversies discussed. To the extent that any have commented, they firmly deny any misconduct and are staunchly defended by supporters and colleagues.

Fired: Sally Yates, Deputy Attorney General

Sally Yates, former Deputy Attorney General

Alleged philosophical mutiny for failing to defend presidential order on immigration; alleged politically-motivated “unmaskings.”

Under questioning from Congress, Yates admitted that as Deputy Attorney General under Loretta Lynch, she engaged in the sensitive practice of unmasking and reviewing classified documents from “Trump, his associates or any member of Congress.” Later, as Acting Attorney General, Yates ordered Justice Department attorneys not to defend President Trump’s ban on certain Muslim visitors from entering the U.S.

Latest: President Trump fired Yates in January 2017. She was both praised and criticized for her stance on the travel ban. Since her firing, Yates has attacked President Trump in public referring to him as as “shamelessly unpatriotic,” saying he has “indifference to truth,” and claiming his “respect for the rule of law” is “in tatters.”

Departed: Peter Kadzik, Department of Justice liaison to Congress, Assistant Attorney General for Legislative Affairs.

Peter Kadzik, former Justice Dept. Asst. Attorney General

Alleged conflicts of interest with the Hillary Clinton campaign and alleged disclosure of nonpublic information for political reasons.

During the FBI investigation of Hillary Clinton, Kadzik appeared to tip off Clinton presidential campaign chairman John Podesta about two issues: an upcoming hearing where a Justice Department official would be asked about the Clinton emails, and the timing of the release of some Clinton emails. Kadzik previously worked for Podesta as an attorney. He denied any wrongdoing.

Latest: Kadzik left the Justice Department in January 2017 and works in private practice.

“Retiring”: Andrew McCabe, FBI Deputy Director

Failure to exclude himself from leading the Hillary Clinton email probe despite alleged conflicts of interest.

Appointed by James Comey, McCabe led the FBI investigation that determined Hillary Clinton should not be prosecuted for her mishandling of classified emails. McCabe’s wife had reportedly received $700,000 for her unsuccessful Virginia senate campaign from close Clinton ally Virginia Governor Terry McAuliffe. (McAuliffe was also said to be under FBI investigation regarding campaign contributions from a Chinese businessman. He has not been charged and has denied any wrongdoing.)

Latest: News reports say McCabe will retire in early March when he’s eligible for his full pension.

Andrew McCabe, FBI Deputy Director

“Reassigned”: James Baker, FBI General Counsel

James Baker, FBI General Counsel

Reportedly under IG investigation for allegedly improperly leaking information.

Baker also served as counsel for McCabe during Congressional questioning. Separately, Baker was allegedly in contact with a reporter who published the first story about an anti-Trump “dossier” alleging ties between Trump and Russia. (The reporter denies Baker was a source.) The dossier was presented shortly before the election as if it were an intelligence investigative file. But it turned out to be political opposition research funded by the Hillary Clinton campaign and the Democratic National Committee. Congress is investigating whether the FBI improperly used the dossier to convince a secret court to authorize wiretaps to surveil Trump associates. The FBI reportedly secretly offered to pay the author of the dossier to keep pursuing leads after the election, but the deal wasn’t ultimately consummated.

Latest: Baker has reportedly been reassigned. His supporters have told reporters the reassignment is unrelated to the investigations and that he did nothing wrong.

“Transferred”: Peter Strzok, the top FBI agent on Special Counsel Robert Mueller’s team

Peter Strzok, FBI official

Alleged anti-Trump political bias.

Strzok is identified as the FBI official who softened language and watered down key findings in the Clinton email probe. He was the top FBI agent on Special Counsel Robert Mueller’s team investigating alleged Trump-Russia collusion and number two in FBI Counterintelligence office during Hillary Clinton email investigation. Strzok oversaw FBI interviews with Trump National Security Adviser Lt. Gen. Michael Flynn (who plead guilty to lying to the FBI).

While Strzok worked on the Trump-Russia investigation, the Inspector General unearthed anti-Trump text messages Strzok had exchanged with FBI attorney Lisa Page, a fellow member of Mueller’s team with whom Strzok was reportedly having an illicit affair.

Latest: Strzok was ousted from Mueller’s team and transferred to human resources in August after the controversial anti-Trump text messages were discovered.

Shifted: Lisa Page, FBI lawyer and McCabe senior adviser

Alleged anti-Trump political bias. 

Page was on the FBI Mueller team investigating alleged Trump-Russia collusion. She had exchanged anti-Trump text messages with Strzok, the top FBI agent on Mueller’s team, with whom she was reportedly having an illicit affair.

Latest: Page left the Mueller team last summer. Reports say the move was unrelated to the controversy.

Excerpts from text exchanges between FBI couple Strzok and Page who served on the Mueller team investigating Trump:Page: “I cannot believe Donald Trump is likely to be an actual, serious candidate for president” and “God(,) Trump is a loathsome human.”

Page: “I just saw my first Bernie Sander [sic] bumper sticker. Made me want to key the car.”

Strzok: “He’s an idiot like Trump. Figure they cancel each other out.”

Strzok called Trump “awful” and “an idiot” and said Clinton should win “100,000,000-0.’’

Strzok on Election Day when he learned Trump could win: “f*****g terrifying.”

Strzok: “I want to believe the path you threw out for consideration in Andy’s [believed to refer to McCabe] office that there’s no way he gets elected — but I’m afraid we can’t take that risk. It’s like an insurance policy in the unlikely event you die before you’re 40.’’

Page texted that she hoped Republican House Speaker Paul Ryan “fails and crashes in a blaze of glory.” Strzok replied that Republicans need “to pull their head out of that *ss. Shows no sign of occurring any time soon.”

Fired: James Comey, FBI Director under President Obama

Comey originally served under George W. Bush and briefly under President Trump. Once he was fired by Trump in May 2017, Comey secretly leaked a memo to the press to engineer the appointment of a special counsel to investigate alleged Trump-Russia collusion.

James Comey, former FBI Director

“Demoted”: Bruce Ohr, Associate Deputy Attorney General at the Department of Justice

Bruce Ohr, Justice Dept. official; Photo courtesy C-SPAN

Alleged improper political conflicts.

Bruce Ohr arranged to meet with the co-founder Fusion GPS, the political opposition research firm that compiled the anti-Trump “dossier,” according to court filings. Fusion GPS also hired Ohr’s wife, Nellie.

Latest: Ohr still works at the Justice Department, but was reportedly recently removed as associate deputy attorney general.

Investigator: Robert Mueller

Special Counsel investigating alleged Trump-Russia collusion in 2016 US election. Former FBI Director 2001-2013 under Bush and Obama. Mueller served as FBI Director under Comey when Comey was a top Bush Justice Department official.

Robert Mueller, former FBI Director, Special Counsel investigating alleged Trump-Russia collusion

Investigator: Michael Horowitz

Obama-appointed Department of Justice Inspector General investigating a wide range of alleged misconduct within FBI and Department of Justice.

Michael Horowitz, Department of Justice Inspector General

Romanians Hacked Surveillance Cameras in DC

Posted on by

Image result for washington dc surveillance cameras photo and more information here

Washington (CNN) Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme, according to federal court documents.

In a criminal complaint filed last week in the US District Court for the District of Columbia, the US government alleges that the two Romanian hackers operating outside the United States infiltrated 65% of the outdoor surveillance cameras operated by DC city police — that’s 123 cameras out of 187 in the city. The alleged hacking occurred during a four-day period in early January.
Side bar: Seems Mihai Alexandru Isvanca and Eveline Cismaru once had an operation in London. There is also an address where it seems lots of people lived.
The hacking suspects, Mihai Alexandru Isvanca and Eveline Cismaru, are also accused of using the computers behind the surveillance cameras to distribute ransomware through spam emails, according to an affidavit by Secret Service agent James Graham in support of the government’s criminal complaint. The affidavit alleges the hackers meant to use the malware to lock victims’ computers and then extort payments from them to regain access.
In the affidavit, the Romanians are accused of “intent to extort from persons money and other things of value, to transmit in interstate and foreign commerce communications containing threats to cause damage to protected computers.”
They were traced through their registered email addresses, one of which roughly translates into “selling souls” in Romanian, according to the affidavit.
*** But hold on, how bad was it? Don’t you love it when the matter is minimized or has lies attached?

WaPo: Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump’s inauguration, forcing major citywide reinstallation efforts, according to the police and the city’s technology office.

City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.

Brian Ebert, a Secret Service official, said the safety of the public or protectees was never jeopardized.

Archana Vemulapalli, the city’s Chief Technology Officer, said the city paid no ransom and resolved the problem by taking the devices offline, removing all software and restarting the system at each site.

An investigation into the source of the hack continues, said Vemulapalli, who said the intrusion was confined to the police CCTV cameras that monitor public areas and did not extend deeper into D.C. computer networks.

Ransomware is malware that is said to be proliferating. It infects computers, often when users click on a link or open an attachment in an email. It then encrypts files or otherwise locks users out until they pay.

The D.C. hack appeared to be an extortion effort that”was localized” and did not affect criminal investigations, city officials said.

On Jan. 12 D.C. police noticed four camera sites were not functioning properly and told OCTO. The technology office found two forms of ransomware in the four recording devices and launched a citywide sweep of the network where they found more infected sites, said Vemulapalli.

The network video recorders are connected to as many as four cameras at each site, she said.

“There was no access from these devices into our environment,” Vemulapalli said.

Interim Police Chief Peter Newsham said that police worked with OCTO but that the incident was limited to about 48 hours He said there was “no significant impact” overall.

City officials declined to say who they suspected in the attack.

The Post Obama Iran Report

Posted on by

 

Former Mossad Chief explains, it is all about the Iran threat. Clearly, the Obama administration including is National Security Council and both Secretaries of State focused more on Israel and accusatory ‘occupier’ status than on Iran.

*** Image result for iran kitten hacking photo

Behzad Mesri, the Iranian national the US has accused of hacking HBO this year, is part of an elite Iranian cyber-espionage unit known in infosec circles as Charming Kitten, according to a report released yesterday by Israeli firm ClearSky Cybersecurity.

Known as an APT (Advanced Persistent Threat), this group has been active since 2013 and is believed to be operating under the protection of the local Iranian government.

The group’s activities have been first exposed in March 2014, when US cyber-security firm FireEye published a report entitled “Operation Saffron Rose.”

Charming Kitten —also tracked under various codenames such as Newscaster, NewsBeef, Flying Kitten, and the Ajax Security Team— was one of the most active Iran-based cyber-espionage units at the time, but once the FireEye report went public, the group dismantled its infrastructure and went dormant.

Subsequent research published by Iran Threats and ClearSky show that parts of the old Charming Kitten infrastructure, such as malware and credential theft resources, have been reused by another Iranian cyber-espionage unit named Rocket Kittens, and possibly more.

Various experts have pointed out that most of these groups are most likely operating under the protection and guidance of Iranian military, hence the reason why some resources are used not by one or two, but multiple APTs.

According to the official indictment, US officials said Mesri worked for the Iranian military, but that he also lived a separate life as a hacker. Evidence shows that Mesri defaced hundreds of websites and most likely carried out the HBO hack outside of his role in the Charming Kittens operations, most of which have targeted Iranian dissidents.

Mesri had connections to other Charming Kitten members

The 59-page ClearSky report released yesterday shows a web of connections between Mesri and other members of the Charming Kitten espionage unit, including connections to a hacktivist group known as the Turk Black Hat Security hacking group, where Mesri operated under the pseudonym of “Skote Vahshat,” together with other persons linked to Iranian APTs.

Besides Charming Kitten and the subsequent Rocket Kitten incarnation, Iran is home to other APT groups such as OilRig [1, 2], CopyKittens, and Magic Hound (Cobalt Gypsy, Timberworm), all very active.

In fact, Iranian actors are some of the most active groups around, albeit far from the most sophisticated. Their usual targets are businesses, human rights groups, individuals, and nearby governments of interest or at odds with the Iranian government — such as Saudi Arabian companies and government agencies, or Israeli military and government targets.

According to multiple reports, the Charming Kittens group of which Mesri is suspected of being a member, operated using mundane spear-phishing and watering hole attacks, and targeted individuals using made-up organizations and people, fake news sites, or by impersonating real companies.

The group was not sophisticated like US, Chinese, or Russian counterparts, but persisted with attacks until they got access to their targets’ email inbox and social media accounts, most likely to gather information on a person’s past or upcoming plans. More details here.

***

Image result for iran kitten hacking photo

Is Iran a cyber threat? Yes and gaining hacking abilities quickly.

Tehran poses an increasing cyber threat to the U.S., in light of the Trump administration’s allegations that Iran is violating United Nations Security Council resolutions tied to the nuclear agreement. Iran-sponsored hackers—dismissively referred to as “kittens” for their original lack of sophistication—are bolstering their cyber warfare capabilities as part of their rivalry with Saudi Arabia. But should President Donald Trump take further steps to scrap the nuclear deal, it could mean an uptick in Iranian state-sponsored cyber intrusions into American and allied systems, with the goals of espionage, subversion, sabotage and possibly coercion.

  • Since 2011, Iran has worked to establish itself as a prominent aggressor in cyberspace, alongside China, Russia and North Korea. Evolving from mere website defacement and crude censorship domestically in the early 2000s, Iran has become a player in sustained cyber espionage campaigns, disruptive denial of service (DDoS) attacks and the probing of networks for critical infrastructure facilities.
  • Iran wasn’t pursuing cyber capabilities with much urgency, experts say, until it was revealed  in 2010 that a joint Israeli-U.S. Stuxnet worm sabotaged nuclear centrifuges at Iran’s facility in Natanz. As the first-known instance of virtual intrusions resulting in physical effects, the operation demonstrated the potential effectiveness of such an attack and has informed much of Iranian cyber operations since.
  • Iran often has conducted disruptive cyber operations loosely in response to actions taken by others. It sees offensive cyber operations as an asymmetric but proportional tool for retaliation. For example, following the Stuxnet attack and the imposition of new sanctions on Iran’s oil and financial sectors in 2011, Tehran was suspected of retaliating in 2012 by releasing the Shamoon disk-wiping malware into the networks of Saudi oil giant Saudi Aramco and Qatar’s natural gas authority, RasGas. It also launched volleys of DDoS attacks against at least 46 major U.S. financial systems.
  • Iran commonly conducts its state-sponsored cyber operations behind a thin veil of hacktivism. From 2011 to 2013, a group calling itself the Qassam Cyber Fighters launched DDoS attacks that flooded the servers of U.S. banks with artificial traffic until they became inaccessible. In March 2016, the Justice Department unsealed indictments of seven individuals—employees of the Iran-based computer companies ITSecTeam and Mersad Company—for conducting the DDoS attacks — and intrusions into a small dam in upstate New York—on behalf of the Islamic Revolutionary Guard Corps (IRGC), the arm of Iran’s military formed in the aftermath of the 1979 Iranian revolution.

While much of Iran’s cyber operations have been attempts at asymmetric disruption against its Gulf rivals, Israel and the United States, it has recalculated since the 2015 negotiation of the Joint Comprehensive Plan of Action (JCPOA), the Iran nuclear deal.

  • Under scrutiny by the international community, Iran has largely reined in disruptive attacks against the U.S., with some operations still deployed against Saudi Arabia. In November 2016, a variant of the disk-wiping malware Shamoon was deployed against Saudi aviation and transportation authorities.

Rather than relying on disruptive attacks against the West, Iran has pursued cyber-enabled information warfare against its regional competitors, namely Saudi Arabia. By utilizing cyber proxies to access and weaponize privileged information, Iran has subtly sought to undermine Saudi Arabia’s political standing in the region and in the eyes of international allies. This kind of grey-zone offensive—an act short of war—is a page right out of the Russian intelligence playbook of active measures in Europe and the U.S.

  • In April 2015, the pro-Saudi newspaper Al Hayat was hacked by a group calling itself the Yemen Cyber Army, which experts say has loose ties to Iran. The attack replaced the media outlet’s front page with threatening messages aimed at dissuading the Saudis from getting involved in the civil unrest bubbling across their southern border. The hack was followed quickly by stories on Iran’s state-run FARS news agency and Russia’s RT network, citing the Yemen Cyber Army for breaching the Saudi foreign ministry and its threats to release personal information on Saudi officials and expose diplomatic correspondence that allegedly suggested Saudi support of Islamist groups in the region. One month later, WikiLeaks published material likely taken from the trove of stolen correspondence.
  • In another example, an Iran-linked Hezbollah hacktivist group known as the Islamic Cyber Resistance leaked sensitive material related to the Saudi army, the Saudi Binladin Group and the Israeli Defense Forces, following the December 2013 assassination of Hezbollah leader Hassan al-Laqis, according to Matthew McInniss, an AEI scholar now working on Iran in the Trump State Department. Ties also have been detected between Iran and the Syrian Electronic Army, the hacking wing of the regime of Bashar al-Assad, according to Cipher Brief expert and former CIA and NSA chief Michael Hayden.
  • The link between Iranian government support and the cyber proxy actors is difficult to prove. But it would follow the pattern of Iranian military assistance given to other types of proxy forces in Lebanon, Syria and Yemen.
  • The governmental structure in Iran that oversees cyber-related activities is the Supreme Council of Cyberspace, established by Ayatollah Ali Khamenei in March 2012. It consists of representatives from various Iranian intelligence and security services. However, the direct command-and-control structure for engaging in cyber operations remains a mystery, particularly when it comes to cyber proxies. While it could be the responsibility of Iran’s Quds Force, the external wing of the IRGC, the lack of a clear command-and-control system could be intentional. Similar to Iran’s “mosaic defense” military structure, cyber operations appear more decentralized and fluid than other countries with advanced cyber capabilities—Russia and China, for example—complicating the tracking and attribution of attacks.

The Iranian nuclear deal may have had some cyber-deterrent value, in that it reined in Iranian disruptive attacks against the West, but this could be short-lived. Rhetoric from the Trump administration is stoking the fire, including recent statements by U.S. Ambassador to the United Nations Nikki Haley that Iran is violating the nuclear agreement.

  • Iran, as a result, is likely to engage in broad-spectrum cyber espionage to alleviate that uncertainty. For example, Operation Cleaver in 2012-14 hit U.S. military targets, as well as systems in critical industries such as energy and utilities, oil and gas, chemicals, airlines and transportation hubs, global telecommunications, healthcare, aerospace, education and the defense industrial base. Earlier this month, reports surfaced of a new Iranian state-sponsored actor—referred to as APT 34—conducting reconnaissance of critical infrastructure in the Middle East.
  • While the probing of such essential systems is alarming, it is expected as a contingency plan, should relations with adversaries escalate. The New York Times reported that the U.S. had similar plans – known as Operation Nitro Zeus – to disrupt Iranian critical services should the nuclear negotiations have gone sideways during the Obama administration. It is likely the Trump administration is devising similar contingency plans. Learn more about the contributors here.

 

Russia Plans Alternate Internet, Condemns the West

Posted on by

Image result for putin in china photo

Primer: Capping off months of controversy, espionage claims and international intrigue, the U.S. government ban on Kaspersky Lab software has been signed into law. The ban, wedged into the Fiscal Year 2018 National Defense Authorization Act (NDAA), would preclude all federal computers and connected networks from using antivirus software made by the Russian cybersecurity firm.

The Kaspersky ban, which appears in Section 1634 of the 2018 NDAA, reads as follows:

“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);

(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or

(3) any entity of which Kaspersky Lab has majority ownership.”

Last week, Kaspersky Lab announced that it would close its Washington, D.C. offices, which it stated were “no longer viable.”

***

Since the founding of the Shanghai Cooperation Organization in 2009, Russian and Chinese officials have frequently discussed joint cybersecurity initiatives. A relatively substantial degree of collaboration was formalized in the context of heightened Russo-Chinese cooperation in 2014 and 2015, with both countries signing an agreement that included cybersecurity cooperation provisions in May of last year. In the words of the agreement’s signatories, its purpose was to limit the use of informational technology designed “to interfere in the internal affairs of states; undermine sovereignty, political, economic and social stability; [and] disturb public order.”

Digital Sovereignty

This emphasis on digital sovereignty remains a central tenet of both countries’ cyber policies, even as cooperation on the issue has ebbed and flowed. The non-aggression elements of the 2015 agreement floundered in the implementation stage, in part due to ambiguous language but largely as a result of continued Chinese cyberespionage. This activity rose to unprecedented levels in 2016, with Russian cybersecurity company Kaspersky Labs reporting 194 Chinese cyberattacks in the first seven months of the year alone—compared to just 72 in 2015. These attacks targeted Russian government agencies, the defense and aerospace industries, and nuclear technology companies. And they’re probably underreported: A Kaspersky Labs spokesperson told Bloomberg that only around 10% of their corporate clients exchange data related to hacks with their security network. More here.

Image result for BRICS photo

Russia Seeks to Build Alternative Internet

TJF: Numerous Russian sources report that efforts are underway to produce a new and independent internet that would align Russia more closely with the BRICS countries (Brazil, Russia, India China and South Africa) while giving Russian political authorities greater control over what they refer to as “digital sovereignty.” In late November, the RBK news agency reported on the proceedings of a recent meeting of the Security Council of the Russian Federation (SCRF), which underscored the national security threats posed by the increasing vulnerability of the global Internet (RBK, November 28). The publicly available SCRF website confirms that a high-level meeting on cyber security did take place, but it does not expand upon it in detail (Scrf.gov.ru, October 25). Russia’s state-managed propaganda mouthpiece RT, however, cited “members of the Security Council” as stating that “the increased capabilities of Western nations to conduct offensive operations in the informational space as well as the increased readiness to exercise these capabilities pose a serious threat to Russia’s security” (RT, November 28). RT also noted that President Vladimir Putin set August 1, 2018, as the deadline for creating an alternative to the Internet.

The creation of an alternative internet—which would allow the governments of Russia and the BRICS countries to control the addressing and routing of electronic communications within their territory—raises many complex questions. For one thing, the establishment of a disjointed and competitive sphere of cyberspace threatens to disrupt and potentially fragment the existing conventions of global Internet practice. Moreover, the creation a “counter-net” would necessitate the establishment of an alternative system of identification, addressing and routing information through a new information network operating in a new “domain name system,” a new DNS. The existing DNS is based on a unique number associated with each originating and terminating point for every Internet transmission, coded in the form of a packet of digital information. The idea of the “RU NET” has long been discussed in post-Communist countries. But until now, this idea has only referred to the Russian-language-speaking Internet activities originating from servers in Russia or in other post-Soviet countries where Russian is recognized as an official language—not to a separate internet architecture (APN, December 14, 2016).

The global Internet is already a network of networks, consisting of a broad common space but with some segmented spheres of activity. Gaining complete control over a specific domain in the cyber-sphere, however, would require gaining autonomy. Full control over the Internet (or any segment therein) could only be achieved by creating “the ability to set policies for naming, addressing and routing” transmissions (Milton Mueller, Will the Internet Fragment?, 2017, p. 22). That, in turn, would require establishing control over the domain name system.

Earlier attempts by Russian authorities to gain control over the digital sphere focused on taking charge of the physical hardware of the Internet, such as transmission facilities, and asserting authority over the places where data resides, particularly web servers. In 2014, Russia’s Ministry of Communications and Mass Media specified data localization requirements in the federal communications legislation (Federal Law No. 242) (Minsvyaz.ru, accessed December 13). The law requires data operators in Russia to store all personal data of citizens of the Russian Federation in databases located inside Russia. This legislation was further extended in December 2016 by a set of measures by President Putin to establish a “digital economy” in Russia (Kremlin.ru, December 1, 2016). The most recent Law on “Security of Critical Infrastructure” was passed in July 2017, and is scheduled to go into effect January 1, 2018 (Pravo.gov.ru, July 27).

In order to control the flow of information not in compliance with the legislation, the idea of blocking transmission through physical facilities located on the territory of the Russian Federation led to the establishment of a single register of websites, maintained by the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). In an effort to conduct this “filtering,” Roskomnadzor developed and implemented a so-called “blacklist” (Rkn.gov.ru, accessed December 13). But while the blacklist succeeded in blocking some websites it identified as unwanted, it also had the effect of blocking websites linked to those, effectively creating a self-censoring network. Roskomnadzor has now stepped back from this practice, correcting many of those problems of excessive blockage but has nonetheless reasserted the intention to more vigorously pursue the policing of websites (Rkn.gov.ru, December 8). Creating the establishment of a separate domain naming system goes considerably further than efforts to “filter” websites, even though Igor Shchyogolev, the staff member of the President’s Office assigned to mass communications, has insisted the idea is not to fragment the Internet (TASS, March 27, 2017)

The robustness of the current Internet naming conventions probably can be attributed to the fact that the Internet emerged in its early days more as a computer science experiment than as an effort to create a new format for global communication, commerce and governance. The identification of parties communicating on the Internet was established through naming protocols established for convenience and by convention, not for control. But the Internet grew so quickly that management responsibility was turned over to a new body, the Internet Corporation for Assigned Names and Numbers (ICANN), in September 1998, which, on October 1, 2016, was re-chartered as a fully independent, non-governmental organization.

The functions of ICANN quickly attracted international competition. Some governments sought to promote a government-centric framework for addressing and naming conventions, while other parties sought to maintain a multiple-stakeholders approach. The failure of the Russian government and others to prevail in winning greater control for states is what has led to Moscow’s intention to create a “counter-net.” The question of whether an autonomous and detachable “segment” of cyberspace could be fashioned by the Kremlin without resulting in self-imposed isolation is an issue with far-reaching implications.

 

–Gregory Gleason