After Trump’s Saudi Arabia Speech, Iran Responds

After President Trump delivered his speech in Saudi Arabia, which included harsh words, rightly so, regarding Iran, the owner of this site predicted that Tehran would respond. Responses are beginning to surface, and militant operations are probable.

Primer:

Iran’s Motivations for Supporting Terrorist and Militant Groups

In part from Byman: Iran has supported terrorist and militant groups in the Islamic world since the 1979 revolution. In his 2016 testimony, Director of National Intelligence (DNI) James Clapper warned: “Iran—the foremost state sponsor of terrorism—continues to exert its influence in regional crises in the Middle East through the Islamic Revolutionary Guard Corps—Qods Force (IRGC-QF), its terrorist partner Lebanese Hizballah, and proxy groups” – an assessment that has stayed roughly constant for many years.

Iran has long sought to “try hard to export our revolution to the world,” in the words of Ayatollah Khomeini, the clerical regime’s dominant revolutionary leader. This goal is embedded in Iran’s constitution and in the missions of organizations such as the Islamic Revolutionary Guard Corps (IRGC), a military and paramilitary organization that oversees Iran’s relationships with many substate groups. More here.

*** ArmControl.org

Iranian President: ‘We Need Missiles’ to Confront Trump Admin, Enemies
Recently re-elected Rouhani takes aim at Trump administration as Congress passes new sanctions

Recently re-elected Iranian President Hassan Rouhani lashed out at the Trump administration this week, describing it as ignorant and saying that Iran “needs missiles” to confront the United States and its allies, according to recent remarks certain to rile leaders in Washington, D.C.

Just days after President Donald Trump blasted the Islamic Republic for its illicit ballistic missile program and support of terrorism in the Middle East, Rouhani confirmed that Iran would not cease its missile activity, despite repeated calls by U.S. officials.

“We need missiles and the enemy should know that we make everything we need and we don’t pay an iota of attention to your words,” Rouhani was quoted as saying on Wednesday during a meeting with Iranian cabinet members. “The remarks by the enemies of the Iranian nation against Iran’s missile power are out of ignorance.”

The Iranian leader’s remarks support recent comments by senior military leaders in the country, who have repeatedly declared that Iran will “never stop” developing ballistic missiles, a program that has raised concerns with the U.S. intelligence community, which assesses that Iran’s missile program could be used to carry a nuclear weapon.

The remarks came as Iran announced the construction of a third underground ballistic missile production factory, helmed by Iran’s Revolutionary Guard Corps, or IRGC.

Iranian General Amir Ali Hajizadeh, an IRGC leader, said the factory is meant to boost Tehran’s “missile power” and intimidate the United States and the “Zionist regime,” or Israel.

“We will increase our missile power. Our enemies, the United States, and the Zionist regime (Israel) are naturally upset and get angry at our missile production, tests and underground missile facilities because they want Iran to be in a weak position,” Hajizadeh announced on Thursday.

The facility was built in the last few years, according to the IRGC. Iranian military leaders also are working on building Iran’s first “ground-to-ground” ballistic missile.

Iran’s repeated test firing of ballistic missiles, as well as its multiple space launches—which are believed to be cover for an intercontinental ballistic missile program—have riled the Trump administration and leaders of both parties on Capitol Hill.

A bipartisan delegation of nearly 50 senators announced on Thursday that it is moving forward with new legislation to increase economic sanctions on Iran as a result of its missile program, as well as the Islamic Republic’s support for terrorism and illegal weapons trade.

Sen. Robert Menendez (D., N.J.), a chief sponsor of the legislation, said that it is part of a larger effort to ensure that “Iran’s leaders understand they do not enjoy blanket impunity as the United States continues to live up to its commitments under the” nuclear agreement.

“Independent of the nuclear portfolio, and as President Rouhani starts his second presidential term, our broader policy towards Iran must be one that holds Tehran accountable for their destabilizing efforts in the region, illegal and dangerous missile technology development, and nefarious activities as the world’s leading sponsor of terrorism,” Menendez said. “As the administration continues to review its Iran policy, Congress must set out clear markers that impose real consequences to Iran’s illicit behavior that runs counter to our national security and that of our allies in the region.”

The legislation would impose mandatory sanctions on all individuals associated with Iran’s ballistic missile program, as well as those who perform transactions with them.

Sanctions also would be applied to those who support Iran’s terror operations, including the IRGC, which is not currently designated as a terror organization by the United States.

The legislation also requires President Trump to block the property of all individuals and entities involved in supplying, selling, and transferring prohibited arms and other weaponry to Iran.

A State Department official, speaking on background, told the Washington Free Beacon that the Trump administration is moving closer to finishing its comprehensive review of the Iran deal and dealing with Iran’s provocative actions in the region.

“As Secretary [Rex] Tillerson said, the Trump administration is currently conducting a comprehensive review of our Iran policy,” the official said. “Once we have finalized our conclusions, we will meet the challenges Iran poses with clarity and conviction.”

One veteran foreign policy adviser who is close to the White House told the Free Beacon that the Trump administration would not stand by as Iranian leaders mock and threaten the United States.

“The Obama administration treated the Iranians with kid gloves because that was to get the nuclear deal,” the source said. “That ended last January but the Iranians are still acting as if they have a friend in the White House. They threaten and mock the United States, our leaders, and our allies, and they expect us to roll with it. This president is not going to roll with it, and neither is Congress.”

Meanwhile, senior Iranian military leaders continue to criticize the Trump administration for its efforts to stop Iran’s missile program.

Iranian Armed Forces Brigadier General Massoud Jazzayeri offered harsh words for Secretary of State Tillerson following his call for Iran to cease its ballistic missile work.

“The U.S. secretary of state’s expectations of the Iranian president indicate the U.S. officials’ non-understanding of the Islamic Republic of Iran,” Jazzayeri was quoted as saying in the country’s state-controlled press.

Toronto Uni. Report on Russian Information Warfare


Related reading: How The Citizen Lab polices the world’s digital spies

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security. The Citizen Lab’s ongoing research network includes the Cyber Stewards Network, OpenNet Initiative, OpenNet Eurasia, Opennet.Asia. The Citizen Lab was a founding partner of the Information Warfare Monitor (2002-2012).

Russian spies may have backed email phishing campaign in effort to spread disinformation

218 email accounts across 39 countries targeted, report by University of Toronto’s Citizen Lab finds

New evidence of a global espionage campaign involving email phishing attacks and leaked falsified documents emerged on Thursday, with clues suggesting the Russian government might have been involved.

The targets spanned government, industry, military and civil society groups, each with ties to Russia or Russian interests, a report by the University of Toronto’s Citizen Lab suggests.

Although there is no definitive proof of Russia’s involvement in the attacks, there is “overlap” with previously reported Russian espionage activities — in particular, the work of a Russia-backed hacking group known as APT-28, or Fancy Bear.

Notably, Citizen Lab’s researchers say “an identical approach” to the phishing campaign described in their report was used in a March 2016 attack targeting Hillary Clinton’s presidential campaign and the Democratic National Committee.

“While we have no ‘smoking gun’ that provides definitive proof linking what we discovered to a particular government agency … our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyberespionage,” wrote Citizen Lab director Ron Deibert in a blog post.

U.S. reporter’s documents leaked, manipulated

The report focuses in part on what the authors have termed “tainted leaks,” leaks of stolen documents that are largely authentic but have been manipulated in certain parts to achieve a particular goal — in this case, a political one.

In the incident Citizen Lab examined, documents obtained through a phishing operation in October 2016 that targeted the email account of U.S. journalist David Satter were selectively modified in an apparent attempt to discredit Satter and his work and then posted online. Satter has reported on Russia for decades and was expelled from the country in December 2013.

In unpacking that particular leak, Citizen Lab then identified a further 218 unique email accounts spanning 39 countries that had been targeted using the same phishing method used to fool Satter.

The accounts belong to members of governments — including “a former Russian prime minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, CEOs of energy companies” — but also members of civil society organizations, such as academics, activists, journalists and employees with non-governmental organizations that have been critical of the Russian government or investigated its activities.

The scope of the targets, the report says, “suggests a well-resourced actor, such as a nation state.”

Fancy Bear

U.S. intelligence officials believe Russian-backed groups conducted a series of cyberespionage campaigns throughout 2015 and 2016 in an attempt to interfere with and potentially sway the outcome of last year’s presidential election.

One group in particular was mentioned frequently in coverage of the attacks: APT-28, sometimes referred to by the nickname Fancy Bear. It is believed that the group is backed by a nation state, if not a nation state itself — namely Russia.

While Citizen Lab’s researchers could not make a “conclusive technical link” between their findings and Fancy Bear, they identified a number of similarities with the group’s prior attacks.

For example, some of the domain names used in the campaign Citizen Lab studied bear a striking similarity to a Fancy Bear-linked phishing operation identified by the cybersecurity research firm Mandiant last year. There are also similarities with the methods used to break into the email account of Clinton’s campaign chairman, John Podesta — suggesting, at the very least, that two separate actors are sharing the same code.

Tainted Leaks

Civil society groups are particularly rich targets for cyberespionage campaigns, as they tend to lack the resources of larger or better funded organizations to deal with digital attacks. Of note, the researchers say that 21 per cent of those targeted in the campaign they studied were activists, academics, journalists, and NGOs — the second-largest set after government targets.

“Many of the civil society targets seem to have been singled out for the perception that their actions could pose a threat to the Putin regime,” the report said.

In Satter’s case, leaked documents were selectively modified in such a way that the majority remained authentic, but misinformation was seeded throughout, in an attempt to lend legitimacy to otherwise false information. The researchers compared Satter’s case with that of a prior attack on the grant-making organization Open Society Foundations (OSF).

For example, one document was modified “to make Satter appear to be paying Russian journalists and anti-corruption activists to write stories critical of the Russian government,” the report said.

In the OSF case, modifications were made to documents detailing a budget and funding strategies to make it appear as if the U.S.-based group was sponsoring Russian opposition leader Alexei Navalny’s Foundation for Fighting Corruption.

Earlier this month, falsified documents appeared in a trove of documents taken from staff on French President Emmanuel Macron’s election campaign.

Described as “fakes in a forest of facts,” the report concludes that such tainted leaks “test the limits of how media, citizen journalism, and social media users handle fact checking and the amplification of enticing but questionable information.”

However, University of Toronto political science professor Seva Gunitsky says the practice of tainting leaks with false information could ultimately backfire.

“If they actually discover something politically damaging in a future phishing attack, it will be hard to credibly claim it was a real find,” he said. “Of course, if the overall goal is just to sow informational chaos, tainted leaks are a good way of doing that.”

State Dept. Spent $22.8 Mil to Resettle Muslim Refugees

A short list of VOLAGS

Church World Service (CWS)

How lucrative is the resettlement business? Check out the summary document here.


State Dept. Redacts Big Chunks of $22.8 Mil Contract to Resettle Muslim Refugees

The U.S. government spends billions of dollars to “resettle” foreign nationals and transparency on how the money is spent depends on the agency involved. Judicial Watch has been investigating it for years, specifically the huge amount of taxpayer dollars that go to “voluntary agencies”, known as VOLAGs, to provide a wide range of services for the new arrivals.

Throughout the ongoing probe Judicial Watch has found a striking difference on how government lawyers use an exemption, officially known as (b)(4), to the Freedom of Information Act (FOIA) to withhold records. All the cases involve public funds being used to resettle foreigners on U.S. soil and Americans should be entitled to the records.

The (b)(4) exemption permits agencies to withhold trade secrets and commercial or financial information obtained from a person which is privileged or confidential. Depending on the government agency and the mood of the taxpayer-funded lawyers handling public records requests, that information is exempt from disclosure. In these cases, the Department of Health and Human Services (HHS) disclosed a VOLAG contract to resettle tens of thousands of Unaccompanied Alien Children (UAC) that entered the U.S. through Mexico under the Obama administration while the State Department withheld large portions of a one-year, $22.8 million deal to resettle refugees from Muslim countries.

Most of the UACs came from El Salvador, Honduras and Guatemala and the Obama administration blamed the sudden surge on violence in the three central American nations. The agency responsible for resettling the minors and issuing contracts for the costly services is HHS.

As a result of Judicial Watch’s work, HHS furnished records with virtually nothing redacted. Disclosed were employee salaries of VOLAGs contracted by the agency to provide services for the illegal immigrant minors, as well as the cost of laptops, big screen TVs, food, pregnancy tests, “multicultural crayons” and shower stalls for the new arrivals. The general contract was to provide “basic shelter care” for 2,400 minors for a period of four months in 2014. This cost American taxpayers an astounding $182,129,786, and the VOLAG contracted to do it was a government regular called Baptist Children and Family Services (BCFS). The breakdown includes charges of $104,215,608 for UACs at Fort Sill, Oklahoma and an additional $77,914,178 for UACs at Lackland Air Force Base in San Antonio, Texas.

HHS rightfully provided all sorts of details in the records, including the cost of emergency surge beds ($104,215,608) for just four months; food for the illegal alien minors and staff ($18,198,000); medical supplies such as first aid kits, latex gloves, lice shampoo and pregnancy tests ($1,120,400); recreation items such as board games, soccer balls and jump ropes ($180,000); educational items like art paper and multicultural crayons ($180,000); laptops ($200,000) and cellphones ($160,000). Hotel accommodations for the BCFS staff were $6,765,000, the records show, and the salary for a 30-member “Incident Management Team” was $2,648,800, which breaks down to $88,293 per IMT member for the four-month period. It was outrageous that the Obama administration spent nearly $200 million of taxpayer funds to provide illegal alien children with the types of extravagant high-tech equipment and lavish benefits many American families cannot even afford for their own children.

This has become a heated issue for the government which may explain why other agencies aren’t as forthcoming in providing specific figures, thus abusing the (b)(4) exemption. The State Department, for instance, redacted huge portions of records involving contracts with VOLAGs to resettle refugees from mostly Muslim countries.

The files illustrate the disparate redaction treatment given by different government agencies to the same types of records. The State Department paid a VOLAG called United States Conference of Catholic Bishops (USCCB) a ghastly $22,838,173 in one year to resettle refugees that came mostly from Muslim countries. Unlike HHS, the agency redacted information related to what the USCCB charged the government for things like furniture, personnel, equipment and other costs associated with contracts to resettle refugees. Why did one government agency hand over the same types of records that another agency claims are trade secrets? Judicial Watch is challenging the State Department’s (b)(4) exemption and will provide updates as they become available.

HHS and the State Department work with nine VOLAGs to resettle refugees and the voluntary agencies have hundreds of contractors they like to call “affiliates.” It’s a huge racket that costs American taxpayers monstrous sums and Judicial Watch is working to pinpoint the exact amount. Besides BCFS and USCCB, other VOLAGs with lucrative government gigs to resettle refugees are: Church World Service, Ethiopian Community Development Council, Episcopal Migration Ministries, Hebrew Immigrant Aid Society, International Rescue Committee, U.S. Committee for Refugees and Immigrants, Lutheran Immigration Refugee Services and World Relief Corporation.

U.S. is Doing ‘That’ Extreme Vetting in Australia

Remember on the campaign trail when President Trump said it was stupid to take the Syrian refugees Australia was holding on a remote island under an agreement made by Barack Obama? Remember when there was a discussion between President Trump and the Prime Minister of Australia in which Trump apparently hung up the phone, terminating the conversation? The Prime Minister visited the Trump White House and now all is allegedly fine between the two countries. Remember when VP Pence finally agreed to honor the deal and accept those refugees? The reason? The U.S. is accepting a number of those refugees.

Exclusive: U.S. starts ‘extreme vetting’ at Australia’s offshore detention centers

Reuters: U.S. Homeland Security officials have begun “extreme vetting” interviews at Australia’s offshore detention centers, two sources at the camps told Reuters on Tuesday, as Washington honors a refugee swap that U.S. President Donald Trump had called “a dumb deal”.

The Trump administration said last month the agreement to offer refuge to up to 1,250 asylum seekers in the centers would progress on condition that refugees satisfied strict checks.

In exchange, Australia has pledged to take Central American refugees from a center in Costa Rica, where the United States has expanded intake in recent years, under the deal struck with former President Barack Obama.


The first security interviews finished last week at Papua New Guinea’s Manus Island detention center, two refugees who went through the process told Reuters.

The refugees told Reuters that interviews began with an oath to God to tell the truth and then proceeded for as long as six hours, with in-depth questions on associates, family, friends and any interactions with the Islamic State militant group.


“They asked about why I fled my home, why I sought asylum in Australia,” said one refugee who declined to be named, fearing it could jeopardize his application for U.S. resettlement.

The security interviews are the last stage of U.S. consideration of applicants.

Manus Island is one of two Australian-operated detention centers, which hold nearly 1,300 people who were intercepted trying to reach Australia by boat.

Human rights groups have condemned the intercept policy and the harsh conditions of the camps. Australia says offshore processing is needed as a deterrent after thousands of people drowned at sea before the policy was introduced in 2013.

A decision on the fate of the first 70 people interviewed is expected to be reached within the next month, a different source who works with refugees said.

A spokesman for Australia’s immigration minister refused to comment on the resettlement process.

A U.S. State Department spokeswoman said that refugees from the Australian-run facilities will be subject to the same stringent vetting applied to all refugees who are being considered for entry to the United States.

“The United States remains deeply committed to safeguarding the American public, just as we are committed to providing refuge to some of the world’s most vulnerable people. These goals are not mutually exclusive,” she said.

The White House did not immediately respond to questions.

U.S. President Donald Trump’s plans for extreme vetting have extended to those traveling to the United States from Muslim countries.

Australia’s relationship with the new administration in Washington got off to a rocky start when Trump lambasted Australian Prime Minister Malcolm Turnbull over the resettlement arrangement, which Trump labeled a “dumb deal”.

Details of an acrimonious phone call between the pair soon after Trump took office made headlines around the world. Australia is one of Washington’s staunchest allies and has sent troops to fight alongside the U.S. military in conflicts in Iraq and Afghanistan.

The relocation of asylum seekers to the United States is designed to help Papua New Guinea and Australia proceed with the planned closure of the Manus detention center on Oct. 31.

But the fate of approximately 200 men deemed non-refugees is uncertain.

Those not offered resettlement in the United States will be offered the chance to settle in Papua New Guinea or return home.

Australia has already offered detainees up to $25,000 to voluntarily return home; an offer very few have taken up.

2010: Remember When Obama Pulled U.S. Spies From China

Of course you don’t; one had to be quite the investigator of journalism to know it, much less remember it.

So… why, you ask? Hold on… there is a pattern and story here.


2010: The White House National Security Council recently directed U.S. spy agencies to lower the priority placed on intelligence collection for China, amid opposition to the policy change from senior intelligence leaders who feared it would hamper efforts to obtain secrets about Beijing’s military and its cyber-attacks.

The downgrading of intelligence gathering on China was challenged by Director of National Intelligence Dennis C. Blair and CIA Director Leon E. Panetta after it was first proposed in interagency memorandums in October, current and former intelligence officials said.

The decision downgrades China from “Priority 1” status, alongside Iran and North Korea, to “Priority 2,” which covers specific events such as the humanitarian crisis after the Haitian earthquake or tensions between India and Pakistan.

The National Security Council staff, in response, pressed ahead with the change and sought to assure Mr. Blair and other intelligence chiefs that the change would not affect the allocation of resources for spying on China or the urgency of focusing on Chinese spying targets, the officials told The Washington Times.

White House National Security Council officials declined to comment on the intelligence issue. Mike Birmingham, a spokesman for Mr. Blair, declined to comment. A CIA spokesman also declined to comment.

***

Directors of CIA in that time frame:

Leon Panetta 2010

Michael Morell (acting) 2011

David Petraeus 2011

Michael Morell (acting) 2012

John Brennan 2013

Mike Pompeo, current director

***

Killing C.I.A. Informants, China Crippled U.S. Spying Operations

NYT/WASHINGTON — The Chinese government systematically dismantled C.I.A. spying operations in the country starting in 2010, killing or imprisoning more than a dozen sources over two years and crippling intelligence gathering there for years afterward.
Current and former American officials described the intelligence breach as one of the worst in decades. It set off a scramble in Washington’s intelligence and law enforcement agencies to contain the fallout, but investigators were bitterly divided over the cause. Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
But there was no disagreement about the damage. From the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the C.I.A.’s sources. According to three of the officials, one was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
Still others were put in jail. All told, the Chinese killed or imprisoned 18 to 20 of the C.I.A.’s sources in China, according to two former senior American officials, effectively unraveling a network that had taken years to build.
Assessing the fallout from an exposed spy operation can be difficult, but the episode was considered particularly damaging. The number of American assets lost in China, officials said, rivaled those lost in the Soviet Union and Russia during the betrayals of both Aldrich Ames and Robert Hanssen, formerly of the C.I.A. and the F.B.I., who divulged intelligence operations to Moscow for years.
The previously unreported episode shows how successful the Chinese were in disrupting American spying efforts and stealing secrets years before a well-publicized breach in 2015 gave Beijing access to thousands of government personnel records, including intelligence contractors. The C.I.A. considers spying in China one of its top priorities, but the country’s extensive security apparatus makes it exceptionally hard for Western spy services to develop sources there.
At a time when the C.I.A. is trying to figure out how some of its most sensitive documents were leaked onto the internet two months ago by WikiLeaks, and the F.B.I. investigates possible ties between President Trump’s campaign and Russia, the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services like those in Russia and China.
The C.I.A. and the F.B.I. both declined to comment.
Details about the investigation have been tightly held. Ten current and former American officials described the investigation on the condition of anonymity because they did not want to be identified discussing the information.
The first signs of trouble emerged in 2010. At the time, the quality of the C.I.A.’s information about the inner workings of the Chinese government was the best it had been for years, the result of recruiting sources deep inside the bureaucracy in Beijing, four former officials said. Some were Chinese nationals who the C.I.A. believed had become disillusioned with the Chinese government’s corruption.
But by the end of the year, the flow of information began to dry up. By early 2011, senior agency officers realized they had a problem: Assets in China, one of their most precious resources, were disappearing.
The F.B.I. and the C.I.A. opened a joint investigation run by top counterintelligence officials at both agencies. Working out of a secret office in Northern Virginia, they began analyzing every operation being run in Beijing. One former senior American official said the investigation had been code-named Honey Badger.
As more and more sources vanished, the operation took on increased urgency. Nearly every employee at the American Embassy was scrutinized, no matter how high ranking. Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets. Others suspected a traitor in the C.I.A., a theory that agency officials were at first reluctant to embrace — and that some in both agencies still do not believe.
Their debates were punctuated with macabre phone calls — “We lost another one” — and urgent questions from the Obama administration wondering why intelligence about the Chinese had slowed.
The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.
There was good reason to suspect an insider, some former officials say. Around that time, Chinese spies compromised National Security Agency surveillance in Taiwan — an island Beijing claims is part of China — by infiltrating Taiwanese intelligence, an American partner, according to two former officials. And the C.I.A. had discovered Chinese operatives in the agency’s hiring pipeline, according to officials and court documents.
But the C.I.A.’s top spy hunter, Mark Kelton, resisted the mole theory, at least initially, former officials say. Mr. Kelton had been close friends with Brian J. Kelley, a C.I.A. officer who in the 1990s was wrongly suspected by the F.B.I. of being a Russian spy. The real traitor, it turned out, was Mr. Hanssen. Mr. Kelton often mentioned Mr. Kelley’s mistreatment in meetings during the China episode, former colleagues say, and said he would not accuse someone without ironclad evidence.
Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.
Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.
This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said. Some in the agency, particularly those who had helped build the spy network, resisted this theory and believed they had been caught in the middle of a turf war within the C.I.A.
Still, the Chinese picked off more and more of the agency’s spies, continuing through 2011 and into 2012. As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.
After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.
Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.
The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.
By 2013, the F.B.I. and the C.I.A. concluded that China’s success in identifying C.I.A. agents had been blunted — it is not clear how — but the damage had been done.
The C.I.A. has tried to rebuild its network of spies in China, officials said, an expensive and time-consuming effort led at one time by the former chief of the East Asia Division. A former intelligence official said the former chief was particularly bitter because he had worked with the suspected mole and recruited some of the spies in China who were ultimately executed.
China has been particularly aggressive in its espionage in recent years, beyond the breach of the Office of Personnel Management records in 2015, American officials said. Last year, an F.B.I. employee pleaded guilty to acting as a Chinese agent for years, passing sensitive technology information to Beijing in exchange for cash, lavish hotel rooms during foreign travel and prostitutes.
In March, prosecutors announced the arrest of a longtime State Department employee, Candace Marie Claiborne, accused of lying to investigators about her contacts with Chinese officials. According to the criminal complaint against Ms. Claiborne, who pleaded not guilty, Chinese agents wired cash into her bank account and showered her with gifts that included an iPhone, a laptop and tuition at a Chinese fashion school. In addition, according to the complaint, she received a fully furnished apartment and a stipend.
*** Just to be sure China had a real handle on all CIA operatives in-country, what came next? The OPM hack, remember that one?
Enter China’s Unit 61398
The malware found on OPM's network, as described in Wired's account of the US-CERT response:

In part from Wired: The US-CERT team moved into OPM’s sub-basement and among the first moves was to analyze the malware that Saulsbury had found attached to mcutil.dll. The program turned out to be one they knew well: a variant of PlugX, a remote-access tool commonly deployed by Chinese-speaking hacking units. The tool has also shown up on computers used by foes of China’s government, including activists in Hong Kong and Tibet. The malware’s code is always slightly tweaked between attacks so firewalls can’t recognize it.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log in to all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

Skipping ahead in the Wired account:

Once established on the agency’s network, they used trial and error to find the credentials necessary to seed the jumpbox with their PlugX variant. Then, during the long Fourth of July weekend in 2014, when staffing was sure to be light, the hackers began to run a series of commands meant to prepare data for exfiltration. Bundles of records were copied, moved onto drives from which they could be snatched, and chopped up into .zip or .rar files to avoid causing suspicious traffic spikes. The records that the attackers targeted were some of the most sensitive imaginable.
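The exfiltration pattern Wired describes is worth turning into a detection, because it is designed to defeat the obvious one: a single alarm on outbound volume never fires when the records are chopped into many archive pieces, each small, pushed out over a quiet holiday weekend. What does fire is counting archive objects per source/destination pair inside a time window, weighting the result by whether the source is a jump host (which has no business sending archives anywhere) and whether it happened off-hours. The following is an added example written for this page, not code from Wired, OPM or US-CERT; the log lines are constructed, and the field layout, addresses, thresholds and jump-host list are all assumptions for illustration.

```python
"""Flag chunked archive exfiltration from a privileged host in egress records.

Added example, not from the Wired article or from OPM/US-CERT. The log lines
below are constructed, and the field layout, host addresses, thresholds and
jump-host list are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress records: <timestamp> <src_ip> <dst_ip> <bytes_out> <object>
SAMPLE_LOG = """\
2014-07-04T02:10:05 10.1.1.5 203.0.113.20 52428800 bundle_part01.rar
2014-07-04T02:11:41 10.1.1.5 203.0.113.20 52428800 bundle_part02.rar
2014-07-04T02:13:09 10.1.1.5 203.0.113.20 52428800 bundle_part03.rar
2014-07-04T02:14:52 10.1.1.5 203.0.113.20 52428800 bundle_part04.rar
2014-07-04T02:16:30 10.1.1.5 203.0.113.20 52428800 bundle_part05.rar
2014-07-04T02:18:02 10.1.1.5 203.0.113.20 48211200 bundle_part06.rar
2014-07-03T14:22:11 10.1.1.5 192.0.2.9 1048576 patch_notes.zip
2014-07-03T15:02:44 10.1.2.77 198.51.100.8 734003200 vm_image.zip
2014-07-04T02:12:00 10.1.2.77 203.0.113.20 4096 index.html
"""

JUMP_HOSTS = {"10.1.1.5"}                 # assumed: the administrative jumpbox
ARCHIVE_EXT = (".zip", ".rar", ".7z")
PER_CHUNK_CAP = 64 * 1024 * 1024          # a piece this size stays under a naive volume alarm
MIN_CHUNKS = 5                            # this many archive objects to one destination ...
MIN_TOTAL = 200 * 1024 * 1024             # ... adding up to at least this much ...
WINDOW = timedelta(minutes=30)            # ... inside this window


def parse(line):
    """Split one record into (datetime, src, dst, int bytes, object name)."""
    ts, src, dst, size, name = line.split()
    return datetime.fromisoformat(ts), src, dst, int(size), name


def off_hours(ts):
    """Assumed quiet period: nights and weekends. July 4 is included because the
    text notes the attackers picked the holiday weekend for light staffing."""
    return ts.hour < 6 or ts.hour >= 20 or ts.weekday() >= 5 or (ts.month, ts.day) == (7, 4)


def find_chunked_exfil(log_text):
    """Return one alert per (src, dst) pair whose run of small archive uploads
    meets the chunk-count and total-volume thresholds inside WINDOW."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e[0])
    by_pair = defaultdict(list)
    for ts, src, dst, size, name in events:
        # Only small archive pieces count here: one huge upload is a different
        # (and easier) detection, a plain volume threshold.
        if name.lower().endswith(ARCHIVE_EXT) and size <= PER_CHUNK_CAP:
            by_pair[(src, dst)].append((ts, size))

    alerts = []
    for (src, dst), items in by_pair.items():
        best, start = None, 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > WINDOW:          # slide the window forward
                start += 1
            window = items[start:end + 1]
            total = sum(size for _, size in window)
            if len(window) >= MIN_CHUNKS and total >= MIN_TOTAL:
                if best is None or len(window) > best["chunks"]:
                    best = {
                        "src": src, "dst": dst,
                        "chunks": len(window), "total_bytes": total,
                        "first": window[0][0].isoformat(), "last": window[-1][0].isoformat(),
                        "privileged_source": src in JUMP_HOSTS,
                        "off_hours": all(off_hours(t) for t, _ in window),
                    }
        if best:
            alerts.append(best)
    return alerts


def severity(alert):
    """A jumpbox pushing archives out at night is the worst combination."""
    if alert["privileged_source"] and alert["off_hours"]:
        return "critical"
    if alert["privileged_source"] or alert["off_hours"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for a in find_chunked_exfil(SAMPLE_LOG):
        print(severity(a).upper(), a)
```

On the constructed input the six 50 MB .rar pieces from the jumpbox trip the rule (no single piece would have), while the one-off 1 MB zip and the unrelated HTML fetch do not; the 700 MB VM image is deliberately left to a separate volume alarm. The better control, of course, is upstream of detection: a jump host should have no outbound path to the internet at all, so any egress from it is an alert on its own.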

The hackers had first pillaged a massive trove of background-check data. As part of its human resources mission, OPM processes over 2 million background investigations per year, involving everyone from contractors to federal judges. OPM’s digital archives contain roughly 18 million copies of Standard Form 86, a 127-page questionnaire for federal security clearance that includes probing questions about an applicant’s personal finances, past substance abuse, and psychiatric care. The agency also warehouses the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.

The hackers next delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.

Then came, in February 2015, a response that was a little too late and thin on substance:

President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection

Is all this fixed yet? Hah, not even close. Then we need to ask why we are trusting China with North Korea’s nuclear weapons and missile program. Do we have spies in Iran? In North Korea? Any new operatives in China?

Scary eh?