Category Archives: Cyber War

Toronto Uni. Report on Russian Information Warfare

Posted on by

Image result for university of toronto citizen lab

Related reading: How The Citizen Lab polices the world’s digital spies

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security. The Citizen Lab’s ongoing research network includes the Cyber Stewards Network, OpenNet Initiative, OpenNet Eurasia, Opennet.Asia. The Citizen Lab was a founding partner of the Information Warfare Monitor (2002-2012).

Russian spies may have backed email phishing campaign in effort to spread disinformation

218 email accounts across 39 countries targeted, report by University of Toronto’s Citizen Lab finds

New evidence of a global espionage campaign involving email phishing attacks and leaked falsified documents emerged on Thursday, with clues suggesting the Russian government might have been involved.

The targets spanned government, industry, military and civil society groups, each with ties to Russia or Russian interests, a report by the University of Toronto’s Citizen Lab suggests.

Although there is no definitive proof of Russia’s involvement in the attacks, there is “overlap” with previously reported Russian espionage activities — in particular, the work of a Russia-backed hacking group known as APT-28, or Fancy Bear.

Notably, Citizen Lab’s researchers say “an identical approach” to the phishing campaign described in their report was used in a March 2016 attack targeting Hillary Clinton’s presidential campaign and the Democratic National Committee.

“While we have no ‘smoking gun’ that provides definitive proof linking what we discovered to a particular government agency … our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyberespionage,” wrote Citizen Lab director Ron Deibert in a blog post.

U.S. reporter’s documents leaked, manipulated

The report focuses in part on what the authors have termed “tainted leaks,” leaks of stolen documents that are largely authentic but have been manipulated in certain parts to achieve a particular goal — in this case, a political one.

In the incident Citizen Lab examined, documents obtained through a phishing operation in October 2016 that targeted the email account of U.S. journalist David Satter were selectively modified in an apparent attempt to discredit Satter and his work and then posted online. Satter has reported on Russia for decades and was expelled from the country in December 2013.

In unpacking that particular leak, Citizen Lab then identified a further 218 unique email accounts spanning 39 countries that had been targeted using the same phishing method used to fool Satter.

The accounts belong to members of governments — including “a former Russian prime minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, CEOs of energy companies” — but also members of civil society organizations, such as academics, activists, journalists and employees with non-governmental organizations that have been critical of the Russian government or investigated its activities.

The scope of the targets, the report says, “suggests a well-resourced actor, such as a nation state.”

Fancy Bear

U.S. intelligence officials believe Russian-backed groups conducted a series of cyberespionage campaigns throughout 2015 and 2016 in an attempt to interfere with and potentially sway the outcome of last year’s presidential election.

One group in particular was mentioned frequently in coverage of the attacks: APT-28, sometimes referred to by the nickname Fancy Bear. It is believed that the group is backed by a nation state, if not a nation state itself — namelyRussia.

While Citizen Lab’s researchers could not make a “conclusive technical link” between their findings and Fancy Bear, they identified a number of similarities with the group’s prior attacks.

For example, some of the domain names used in the campaign Citizen Lab studied bear a striking similarity to a Fancy Bear linked phishing operation identified by the cybersecurity research firm Mandiant last year. There are also similarities with the methods used to break into the email account of Clinton’s campaign chairman, John Podesta — suggesting, at the  very least, two separate actors are sharing the same code.

Tainted Leaks

Civil society groups are particularly rich targets for cyberespionage campaigns, as they tend to lack the resources of larger or better funded organizations to deal with digital attacks. Of note, the researchers say that 21 per cent of those targeted in the campaign they studied were activists, academics, journalists, and NGOs — the second-largest set after government targets.

“Many of the civil society targets seem to have been singled out for the perception that their actions could pose a threat to the Putin regime,” the report said.

In Satter’s case, leaked documents were selectively modified in such a way that the majority remained authentic, but misinformation was seeded throughout, in an attempt to lend legitimacy to otherwise false information. The researchers compared Satter’s case with that of a prior attack on the grant-making organization Open Society Foundations (OSF).

For example, one document was modified “to make Satter appear to be paying Russian journalists and anti-corruption activists to write stories critical of the Russian government,” the report said.

In the OSF case, modifications were made to documents detailing a budget and funding strategies to make it appear as if the U.S.-based group was sponsoring Russian opposition leader Alexei Navalny’s Foundation for Fighting Corruption.

Earlier this month, falsified documents appeared in a trove of documents taken from staff on French President Emmanuel Macron’s election campaign.

Described as “fakes in a forest of facts,” the report concludes that such tainted leaks “test the limits of how media, citizen journalism, and social media users handle fact checking and the amplification of enticing but questionable information.”

However, University of Toronto political science professor Seva Gunitsky says the practice of tainting leaks with false information could ultimately backfire.

“If they actually discover something politically damaging in a future phishing attack, it will be hard to credibly claim it was a real find,” he said. “Of course, if the overall goal is just to sow informational chaos, tainted leaks are a good way of doing that.”

Germany’s Secret Bundeswehr

Posted on by

The secret German army, with soldiers from other countries has a variety of duties. There is a growing concern in Europe, but what about NATO? That question goes to President Trump. The secret is, no one is talking about it openly, further there was no real reason given on why VP Pence travel to meet top NATO officials to calm the nerves regarding the viability of NATO due to President Trump. Article 5 remains a large question with European leaders.

Image result for secret army bundeswehr

The original Bundeswehr has a scandalous history. Nazi Veterans Created Illegal Army

First, there will be cyber soldiers

The German military (Bundeswehr) on Wednesday is launching a brand new “cyber army” to fight against digital attacks on networks and weapons systems. But some are concerned about how this new unit might engage in cyber assaults itself.

Defence Minister Ursula von der Leyen will announce the new unit in Bonn on Wednesday afternoon. The ministry wants to deploy around 13,500 soldiers and civilian workers by 2021 to protect the Bundeswehr’s networks and weapons systems, but the unit must also be capable of launching their own attacks against hackers.

The Chief of Staff of the new cyber army is Lieutenant-General Ludwig Leinhos, who is an expert in electronic warfare.

Cyber attacks are a growing concern in Germany, with the Federal Office for Information Security (BSI) reporting last year that the government’s computer networks are hit by around 20 highly specialized attacks per day.

German intelligence agencies and the BSI last year began work on setting up their own special cyber response teams.

According to broadcaster N-tv, the Bundeswehr’s new cyber soldiers will be on equal ranking with their colleagues in the army, air force and marines – and their new beret colour will be grey.

Parliamentary ombudsman for the Bundeswehr, Hans-Peter Bartels (SPD), warned that the new cyber unit should be kept under parliamentary control, though, as part of their work would entail launching cyber attacks of their own.

Bartels told the Neue Osnabrücker Zeitung on Wednesday that the cyber army must seek permission from the Bundestag (German parliament) before launching such assaults.

“Every offensive measure of our constitutionally enshrined parliamentary army needs to have the explicit mandate of the Bundestag,” Bartels said, adding that this policy goes for not only military assaults, but also virtual attacks on the data network of an adversary.

Bartels stressed that the cyber army was desperately needed to protect the Bundeswehr’s computer and weapons systems. But he also criticized the fact that the new unit is only now being created.

“Germany is not a pioneer here,” he said. “One can already learn from the experiences of other countries, like the USA or Israel.”

Second, the conventional forces

Germany is to increase the size of its armed forces amid growing concerns over the security of Europe.

Troop numbers in the Bundeswehr will be raised to almost 200,000 over the next seven years, under new plans announced on Wednesday.

The move comes days after Mike Pence, the US vice-president, called on Nato’s European members to increase military spending.

President Donald Trump has repeatedly demanded Europe pay more towards the cost of its own defence.

The move also comes amid growing concern in European capitals over Mr Trumps’ commitment to Nato, after he described the alliance as “obsolete”.

Under the new plans, Germany will recruit 20,000 more troops by 2025, bringing its total service personnel to 198,000.

That is slightly more than the British armed forces’ current strength of 196,410.

In a statement announcing the plans, Ursula von der Leyen, the defence minister, said: “The Bundeswehr has rarely been as necessary as it is now.

“Whether it is the fight against Isil terrorism, the stabilization of Mali, continuing support of Afghanistan, operations against migrant smugglers in the Mediterranean or with our increased Nato presence in the Baltics.”

The announcement came as Germany deployed tanks and hundreds troops to Lithuania as part of a Nato force to deter Russian aggression.

During the Cold War, West Germany was considered the first line of defence against a Soviet invasion and at its height the Bundeswehr had 500,000 active service personnel.

But in the years following the fall of the Berlin Wall and German reunification defence spending dropped sharply.

Germany ended conscription in 2011 and troop numbers fell to an all-time low of 166,500 in June last year.

Cold War historians described West Germany’s army as “perhaps the best in the world”.

But in more recent years it has been better known for embarrassing equipment shortages that saw soldiers forces to use broomsticks instead of guns on Nato exercises, and use ordinary Mercedes vans to stand in for armoured personnel carriers.

The German air force was forced to ground half of its ageing Tornado fighters last year over maintenance issues, including six that are deployed on reconaissance missions against Islamic State in Iraq and the Levant (Isil) in Syria.

There are growing calls for Europe to do more to secure its own defence after Mr Trump described Nato as “obsolete” in an interview in January, and earlier this month Angela Merkel’s government was forced to take the unusual step of denying that it is interested in becoming a nuclear power.

Mr Trump has repeatedly accused Nato’s European members of not paying enough towards the cost of their defence and during the US presidential campaign Mr Trump warned the US may not necessarily come to the aid of Nato allies if they are attacked.

German Bundeswehr Soldiers of the 'battalion of armored infantryman' called 'Panzergrenadierbataillon 122' sit on a wrecker called 'Bueffel' during vehicles wait to be loaded onto a train in Grafenwoehr, Germany, 31 January 2017, before being deployed as part of a NATO force in Lithuania
German Bundeswehr Soldiers of the ‘battalion of armored infantryman’ called ‘Panzergrenadierbataillon 122’ sit on a wrecker called ‘Bueffel’ during vehicles wait to be loaded onto a train in Grafenwoehr, Germany, 31 January 2017, before being deployed as part of a NATO force in Lithuania Credit: LUKAS BARTH/EPA

Mr Pence sought to reassure jittery European allies in a speech at Nato headquarters in Brussels on Monday in which he said the US’ “commitment to Nato is clear”. But he demanded “real progress” in increased European defence spending.

Ms von der Leyen has been attempting to reverse the decline of Germany’s armed forces, and already announced a smaller increase in troop numbers last year. Those targets were revised upwards with Wednesday’s announcement.

It is estimated the increases will cost Germany between around €900m (£760m) a year. But the amount is still far short of the extra €25.4bn Germany would have to spend on defence each year to meet Nato’s annual target of 2 per cent of GDP.

The UK is one of only five Nato members to meet the target at present, along with the US, Greece, Estonia and Poland.

Despite boasting the largest economy in Europe, Germany lags far behind, spending only 1.19 per cent of its GDP on defence in 2016.

 

Oh, Another Incident of Chinese Industrial Espionage

Posted on by

There is no denying Russia is using cyber warfare against the West. Little is ever mentioned about China’s industrial espionage, something this site attempts to publish as often as possible. Further, the owner of this site participated in two key hearings today in Congress, one with former CIA Director John Brennan and the other included ODNI Dan Coats and DIA Director General Stewart.

Clearly both hearings revealed just how pervasive and common cyber warfare is at the hands of China and Russia. Here is just another example.

China’s theft of IBM’s intellectual property

A former employee of IBM pleaded guilty to theft of source code on behalf of China

Image result for Xu Jiaqiang ibm  And you think the FBI has easy work? Further, we are trusting China to deal with North Korea’s nuclear program and missile systems aimed against Western interests.

CSO: China continues to view the theft of intellectual property as a viable means of technology transfer. Global private sector entities are finding their insiders are being used by China to purloin the proprietary information for use by Chinese state-owned-enterprises or national entities with ever increasing regularity.

On 19 May 2017, Xu Jiaqiang, a PRC national, pleaded guilty to economic espionage and trade secret theft. Xu stole source code from his employer, IBM, and attempted to share it with the National Health and Family Planning Commission in the PRC.  According to the Department of Justice, Xu pleaded guilty to all six of the counts included in his indictment.

A review of Xu’s Linked-In profile shows only his employment with IBM from November 2010 through July 2014 (date is different from that which is contained in the indictment) as a “General Parallel File System Developer at IBM”

Xu was a trusted insider within IBM. According to the DOJ advisory, which contained content from both the criminal complaint and superseding indictment, Xu worked for IBM from 2010-14, with unencumbered access to the “proprietary source code.” DOJ advises, Xu voluntarily resigned from IBM in May 2014.

In late 2014, the Federal Bureau of Investigation (FBI) was informed (source unidentified) that Xu claimed to have access (unauthorized) to the source code and was using the source code in various business ventures. Undercover law enforcement officers subsequently contacted Xu to affirm Xu’s possession of the source code

The criminal complaint describes undercover officers posing as investors engaged in a multi-month email exchanges with Xu which culminated in his sharing portions of the source code as bonafides of his knowledge of “operating systems and parallel file systems.”  At that time, the victim company, IBM, identified the shared code as identical to their proprietary source code.

In late-2015, Xu had a face-to-face meeting with undercover law enforcement officers. At the meeting, Xu noted the code was his former employer’ s(IBM) code. Xu also confirmed to his interlocutors how he had purloined the code prior to his May 2014 employment separation and had made modification so as to obscure the point of origin, IBM.

In June 2016, Xu was indicted and charged with three counts of economic espionage, one count each of theft of trade secrets, possession of trade secrets, and distribution of trade secrets. He will be sentenced in October 2017.

Though IBM has declined comment to media regarding this theft of their intellectual property, reading between the lines, it would appear IBM had deduced (correctly) that Xu absconded with a copy of their GPFS proprietary source code, and was attempting to use it commercially. They then brought the theft to the attention of the FBI.

Illicit technology transfer

China has not slowed down in their acquisition of technology utilizing the access afforded to trusted insiders. The US Director of National Intelligence made it clear in his May 2017 presentation to the Senate Select Committee on Intelligence on the worldwide threat to the United States as to the threat posed by China.

In April 2017, we saw the arrest of a Dutch employee of Siemens, working within the energy arm of Siemens, charged with stealing the intellectual property of his employer and attempting to share it with China.

From the FBI perspective, this was the perfect economic espionage case. Theft of proprietary information for provision to a foreign government. The theft was from a company with an insider threat program in place and who was cooperative (providing technical expertise during the investigation), and of sufficient size to withstand any blow-back from China which may occur.

There is no need to be xenophobic. Multinational companies employee individuals from a great variety of nationalities. The reality is, few employees break trust with their employer.

That said, having your paper trail on agreements which safeguard intellectual property is mandatory. As is a review of all activities of all departing employees for break from pattern, be it a voluntary separation or for cause. If a deeper dive into the employees activities is warranted, make sure to look for any sudden increase in 403 errors – or similar (caused by attempts to access unauthorized data). Verify the complete inventory of all storage devices which the employee may have accessed, and have each returned and or data on the devices destroyed, and review email and uploads for any inappropriate usage.

Remember, though it is the FBI and DOJ success which brought Xu to our collective attention, it was not the FBI who initially discovered Xu’s intellectual property theft. The FBI pursued the lead brought to them by an unidentified third party (presumably IBM).

You are your company’s first line of defense in the protection of intellectual property, not the FBI.

2010: Remember When Obama Pulled U.S. Spies From China

Posted on by

Of course you don’t, one had to be quite the investigator of journalism to know it much less remember it.

So….why you ask? Hold on….there is a pattern and story here.

Image result for u.s. spies in china  Image result for trump with jinping

2010: The White House National Security Council recently directed U.S. spy agencies to lower the priority placed on intelligence collection for China, amid opposition to the policy change from senior intelligence leaders who feared it would hamper efforts to obtain secrets about Beijing’s military and its cyber-attacks.

The downgrading of intelligence gathering on China was challenged by Director of National Intelligence Dennis C. Blair and CIA Director Leon E. Panetta after it was first proposed in interagency memorandums in October, current and former intelligence officials said.

The decision downgrades China from “Priority 1” status, alongside Iran and North Korea, to “Priority 2,” which covers specific events such as the humanitarian crisis after the Haitian earthquake or tensions between India and Pakistan.

The National Security Council staff, in response, pressed ahead with the change and sought to assure Mr. Blair and other intelligence chiefs that the change would not affect the allocation of resources for spying on China or the urgency of focusing on Chinese spying targets, the officials told The Washington Times.

White House National Security Council officials declined to comment on the intelligence issue. Mike Birmingham, a spokesman for Mr. Blair, declined to comment. A CIA spokesman also declined to comment.

*** Image result for u.s. spies in china Cyberwarzone

Directors of CIA in that time frame:

Leon Panetta 2010

Mike Morrell (acting) 2011

David Petraeus 2011

Mike Morrell (acting) 2012

John Brennan 2013

Mike Pompeo, current director

***

Killing C.I.A. Informants, China Crippled U.S. Spying Operations

NYT/WASHINGTON — The Chinese government systematically dismantled C.I.A. spying operations in the country starting in 2010, killing or imprisoning more than a dozen sources over two years and crippling intelligence gathering there for years afterward.
Current and former American officials described the intelligence breach as one of the worst in decades. It set off a scramble in Washington’s intelligence and law enforcement agencies to contain the fallout, but investigators were bitterly divided over the cause. Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
But there was no disagreement about the damage. From the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the C.I.A.’s sources. According to three of the officials, one was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
Still others were put in jail. All told, the Chinese killed or imprisoned 18 to 20 of the C.I.A.’s sources in China, according to two former senior American officials, effectively unraveling a network that had taken years to build.
Assessing the fallout from an exposed spy operation can be difficult, but the episode was considered particularly damaging. The number of American assets lost in China, officials said, rivaled those lost in the Soviet Union and Russia during the betrayals of both Aldrich Ames and Robert Hanssen, formerly of the C.I.A. and the F.B.I., who divulged intelligence operations to Moscow for years.
The previously unreported episode shows how successful the Chinese were in disrupting American spying efforts and stealing secrets years before a well-publicized breach in 2015 gave Beijing access to thousands of government personnel records, including intelligence contractors. The C.I.A. considers spying in China one of its top priorities, but the country’s extensive security apparatus makes it exceptionally hard for Western spy services to develop sources there.
At a time when the C.I.A. is trying to figure out how some of its most sensitive documents were leaked onto the internet two months ago by WikiLeaks, and the F.B.I. investigates possible ties between President Trump’s campaign and Russia, the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services like those in Russia and China.
The C.I.A. and the F.B.I. both declined to comment.
Details about the investigation have been tightly held. Ten current and former American officials described the investigation on the condition of anonymity because they did not want to be identified discussing the information.
Investigators still disagree how it happened, but the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services. Credit Carolyn Kaster/Associated Press..Photo by: Carolyn Kaster/Associated Press..
The first signs of trouble emerged in 2010. At the time, the quality of the C.I.A.’s information about the inner workings of the Chinese government was the best it had been for years, the result of recruiting sources deep inside the bureaucracy in Beijing, four former officials said. Some were Chinese nationals who the C.I.A. believed had become disillusioned with the Chinese government’s corruption.
But by the end of the year, the flow of information began to dry up. By early 2011, senior agency officers realized they had a problem: Assets in China, one of their most precious resources, were disappearing.
The F.B.I. and the C.I.A. opened a joint investigation run by top counterintelligence officials at both agencies. Working out of a secret office in Northern Virginia, they began analyzing every operation being run in Beijing. One former senior American official said the investigation had been code-named Honey Badger.
As more and more sources vanished, the operation took on increased urgency. Nearly every employee at the American Embassy was scrutinized, no matter how high ranking. Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets. Others suspected a traitor in the C.I.A., a theory that agency officials were at first reluctant to embrace — and that some in both agencies still do not believe.
Their debates were punctuated with macabre phone calls — “We lost another one” — and urgent questions from the Obama administration wondering why intelligence about the Chinese had slowed.
The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.
There was good reason to suspect an insider, some former officials say. Around that time, Chinese spies compromised National Security Agency surveillance in Taiwan — an island Beijing claims is part of China — by infiltrating Taiwanese intelligence, an American partner, according to two former officials. And the C.I.A. had discovered Chinese operatives in the agency’s hiring pipeline, according to officials and court documents.
But the C.I.A.’s top spy hunter, Mark Kelton, resisted the mole theory, at least initially, former officials say. Mr. Kelton had been close friends with Brian J. Kelley, a C.I.A. officer who in the 1990s was wrongly suspected by the F.B.I. of being a Russian spy. The real traitor, it turned out, was Mr. Hanssen. Mr. Kelton often mentioned Mr. Kelley’s mistreatment in meetings during the China episode, former colleagues say, and said he would not accuse someone without ironclad evidence.
Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.
Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.
This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said. Some in the agency, particularly those who had helped build the spy network, resisted this theory and believed they had been caught in the middle of a turf war within the C.I.A.
Still, the Chinese picked off more and more of the agency’s spies, continuing through 2011 and into 2012. As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.
After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.
Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.
The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.
By 2013, the F.B.I. and the C.I.A. concluded that China’s success in identifying C.I.A. agents had been blunted — it is not clear how — but the damage had been done.
The C.I.A. has tried to rebuild its network of spies in China, officials said, an expensive and time-consuming effort led at one time by the former chief of the East Asia Division. A former intelligence official said the former chief was particularly bitter because he had worked with the suspected mole and recruited some of the spies in China who were ultimately executed.
China has been particularly aggressive in its espionage in recent years, beyond the breach of the Office of Personnel Management records in 2015, American officials said. Last year, an F.B.I. employee pleaded guilty to acting as a Chinese agent for years, passing sensitive technology information to Beijing in exchange for cash, lavish hotel rooms during foreign travel and prostitutes.
In March, prosecutors announced the arrest of a longtime State Department employee, Candace Marie Claiborne, accused of lying to investigators about her contacts with Chinese officials. According to the criminal complaint against Ms. Claiborne, who pleaded not guilty, Chinese agents wired cash into her bank account and showered her with gifts that included an iPhone, a laptop and tuition at a Chinese fashion school. In addition, according to the complaint, she received a fully furnished apartment and a stipend.
*** Just to be sure China had a real handle on all CIA operatives in country, what came next? The OPM hack, remember that one?
Enter China’s Unit 61398
The program used by China:

In part from Wired: The US-CERT team moved into OPM’s sub-basement and among the first moves was to analyze the malware that Saulsbury had found attached to mcutil.dll. The program turned out to be one they knew well: a variant of PlugX, a remote-access tool commonly deployed by Chinese-­speaking hacking units. The tool has also shown up on computers used by foes of China’s government, including activists in Hong Kong and Tibet. The malware’s code is always slightly tweaked between attacks so firewalls can’t recognize it.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log in to all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

Leaping forward in details:

Once established on the agency’s network, they used trial and error to find the credentials necessary to seed the jumpbox with their PlugX variant. Then, during the long Fourth of July weekend in 2014, when staffing was sure to be light, the hackers began to run a series of commands meant to prepare data for exfiltration. Bundles of records were copied, moved onto drives from which they could be snatched, and chopped up into .zip or .rar files to avoid causing suspicious traffic spikes. The records that the attackers targeted were some of the most sensitive imaginable.

The hackers had first pillaged a massive trove of background-check data. As part of its human resources mission, OPM processes over 2 million background investigations per year, involving everyone from contractors to federal judges. OPM’s digital archives contain roughly 18 million copies of Standard Form 86, a 127-page questionnaire for federal security clearance that includes probing questions about an applicant’s personal finances, past substance abuse, and psychiatric care. The agency also warehouses the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.

The hackers next delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.

Then comes, a little too late and thin on substance in February 2015:

President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection

Is all this fix yet? Hah…not even close. Then we need to ask why are we trusting China with North Korea’s nuclear weapons and missile program? Do we have spies in Iran? North Korea? Any new operatives in China?

Scary eh?

 

Moscow’s Igor Sergun: Cong. Rohrabacher to your ‘Like Button’

Posted on by

One part of this Moscow mess began in 2012, when the FBI held a private session with Congressman Dana Rohrahacher, (CA), Mike Rogers, Michigan, and according to one former official, Representative C. A. Dutch Ruppersberger, telling them they were the targets of Russian influence and possible targets of recruiting.

Of note, Igor Sergun died in January of 2016, but his operations were already underway.

Image result for igor sergun

Sergun is credited as an important figure in the renaissance of the GRU, which had suffered deep staff and budget cuts prior to his arrival. Under Sergun, the agency regained political power within the Russian government as well as control over the Spetsnaz special forces, making it “crucial in the seizure of Crimea and operations in the Donbas,” as well as “as the lead agency for dealing with violent non-state actors.”

Perhaps the United States should take a hard look at the actions Ukraine has taken regarding Russian intrusion.

Poroshenko this week ordered Ukrainian Internet providers to block Vkontakte and Odnoclassniki. The sites are similar to Facebook and are two of the most popular social networking sites in the former Soviet space.

More than 25 million Ukrainians, in a country of about 43 million people, use the Russian sites to connect with friends, join groups and use the online messaging systems.

Poroshenko said the new restrictions were necessary to further protect Ukraine from Kremlin hybrid warfare, including disinformation campaigns, propaganda and military attacks. The two neighbors and former Soviet republics have been embroiled in a brutal, three-year war that has killed more than 10,000 people and displaced about 1.7 million eastern Ukrainians.

Supporters of the ban said it would also protect Ukrainians from the Russian security services’ ability to monitor and gather metadata from the sites’ users. Ukrainian government officials said the sites are closely monitored by Russia’s FSB, the successor agency to the KGB. More here from LATimes.

One must take the time to see the evidence the domestic intelligence agencies and private cyber companies along with data analysis experts are uncovering and studying. Further, since we citizens cannot attend meetings, some in classified settings that are held in Congress and we don’t get any information from the investigations, there are some interviews with professionals that are sounding the alarm bells.

Are you sick of Russia and hearing about Putin? Sure you are, but so is our government and other global leaders, rightly so. You are going to have to understand some facts and buckle in….there is more to come. Until the United States crafts a policy, decides on responses and pass legislation, Russia has nothing to stop their actions. What actions?

In part from Time: On March 2, a disturbing report hit the desks of U.S. counterintelligence officials in Washington. For months, American spy hunters had scrambled to uncover details of Russia’s influence operation against the 2016 presidential election. In offices in both D.C. and suburban Virginia, they had created massive wall charts to track the different players in Russia’s multipronged scheme. But the report in early March was something new.

It described how Russia had already moved on from the rudimentary email hacks against politicians it had used in 2016. Now the Russians were running a more sophisticated hack on Twitter. The report said the Russians had sent expertly tailored messages carrying malware to more than 10,000 Twitter users in the Defense Department. Depending on the interests of the targets, the messages offered links to stories on recent sporting events or the Oscars, which had taken place the previous weekend. When clicked, the links took users to a Russian-controlled server that downloaded a program allowing Moscow’s hackers to take control of the victim’s phone or computer–and Twitter account.

As they scrambled to contain the damage from the hack and regain control of any compromised devices, the spy hunters realized they faced a new kind of threat. In 2016, Russia had used thousands of covert human agents and robot computer programs to spread disinformation referencing the stolen campaign emails of Hillary Clinton, amplifying their effect. Now counterintelligence officials wondered: What chaos could Moscow unleash with thousands of Twitter handles that spoke in real time with the authority of the armed forces of the United States? At any given moment, perhaps during a natural disaster or a terrorist attack, Pentagon Twitter accounts might send out false information. As each tweet corroborated another, and covert Russian agents amplified the messages even further afield, the result could be panic and confusion.

***

Americans generate a vast trove of data on what they think and how they respond to ideas and arguments–literally thousands of expressions of belief every second on Twitter, Facebook, Reddit and Google. All of those digitized convictions are collected and stored, and much of that data is available commercially to anyone with sufficient computing power to take advantage of it.

That’s where the algorithms come in. American researchers have found they can use mathematical formulas to segment huge populations into thousands of subgroups according to defining characteristics like religion and political beliefs or taste in TV shows and music. Other algorithms can determine those groups’ hot-button issues and identify “followers” among them, pinpointing those most susceptible to suggestion. Propagandists can then manually craft messages to influence them, deploying covert provocateurs, either humans or automated computer programs known as bots, in hopes of altering their behavior.

That is what Moscow is doing, more than a dozen senior intelligence officials and others investigating Russia’s influence operations tell TIME. The Russians “target you and see what you like, what you click on, and see if you’re sympathetic or not sympathetic,” says a senior intelligence official. Whether and how much they have actually been able to change Americans’ behavior is hard to say. But as they have investigated the Russian 2016 operation, intelligence and other officials have found that Moscow has developed sophisticated tactics.

In May 2016, a Russian military intelligence officer bragged to a colleague that his organization, known as the GRU, was getting ready to pay Clinton back for what President Vladimir Putin believed was an influence operation she had run against him five years earlier as Secretary of State. The GRU, he said, was going to cause chaos in the upcoming U.S. election.

What the officer didn’t know, senior intelligence officials tell TIME, was that U.S. spies were listening. They wrote up the conversation and sent it back to analysts at headquarters, who turned it from raw intelligence into an official report and circulated it. But if the officer’s boast seems like a red flag now, at the time U.S. officials didn’t know what to make of it. “We didn’t really understand the context of it until much later,” says the senior intelligence official. Investigators now realize that the officer’s boast was the first indication U.S. spies had from their sources that Russia wasn’t just hacking email accounts to collect intelligence but was also considering interfering in the vote. Like much of America, many in the U.S. government hadn’t imagined the kind of influence operation that Russia was preparing to unleash on the 2016 election. Fewer still realized it had been five years in the making.

Putin publicly accused then Secretary of State Clinton of running a massive influence operation against his country, saying she had sent “a signal” to protesters and that the State Department had actively worked to fuel the protests. The State Department said it had just funded pro-democracy organizations. Former officials say any such operations–in Russia or elsewhere–would require a special intelligence finding by the President and that Barack Obama was not likely to have issued one.

After his re-election the following year, Putin dispatched his newly installed head of military intelligence, Igor Sergun, to begin repurposing cyberweapons previously used for psychological operations in war zones for use in electioneering. Russian intelligence agencies funded “troll farms,” botnet spamming operations and fake news outlets as part of an expanding focus on psychological operations in cyberspace.

One particularly talented Russian programmer who had worked with social media researchers in the U.S. for 10 years had returned to Moscow and brought with him a trove of algorithms that could be used in influence operations. He was promptly hired by those working for Russian intelligence services, senior intelligence officials tell TIME. “The engineer who built them the algorithms is U.S.-trained,” says the senior intelligence official.

Soon, Putin was aiming his new weapons at the U.S. Following Moscow’s April 2014 invasion of Ukraine, the U.S. considered sanctions that would block the export of drilling and fracking technologies to Russia, putting out of reach some $8.2 trillion in oil reserves that could not be tapped without U.S. technology. As they watched Moscow’s intelligence operations in the U.S., American spy hunters saw Russian agents applying their new social media tactics on key aides to members of Congress. Moscow’s agents broadcast material on social media and watched how targets responded in an attempt to find those who might support their cause, the senior intelligence official tells TIME. “The Russians started using it on the Hill with staffers,” the official says, “to see who is more susceptible to continue this program [and] to see who would be more favorable to what they want to do.”

Finish reading this remarkable report here. There is much more detail, including cyber operations, candidates, analysis and concocted political scandals. If one wonders why there is yet no evidence presented yet by the FBI and what the members of Congress are told, you now have a clue. This investigative process is a very long one and attributions as well as analysis is cumbersome and heavy on expert resources.