Chinese Intelligence at Center of OPM Hack

First came the reported hack of Anthem, one of the largest healthcare providers; 80 million personal records were compromised. What is notable is that Anthem is part of the Blue Cross Blue Shield health coverage network, and even more concerning, BCBS provides coverage to more than half of the federal government workforce.

Take note of the following from Threatconnect.com:

“Anthem Themed Infrastructure & Signed Malware:
In September 2014, the ThreatConnect Intelligence Research Team (TCIRT) observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. TCIRT began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.
Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.
Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.”

This brings us to the hack, or rather the simple sign-on as a root user, that exposed the 14 million personnel records of the Office of Personnel Management (OPM) located in Colorado.

From Reuters:

U.S. employee data breach tied to Chinese intelligence

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation.

Washington has not publicly accused Beijing of orchestrating the data breach at the U.S. Office of Personnel Management (OPM), and China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the attack.

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.

The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

MANY UNKNOWNS

Most of the biggest U.S. cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case two years ago, the U.S. Justice Department indicted five PLA officers for alleged economic espionage.

Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.

People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.

“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.

CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defense and industry trade secrets. CrowdStrike calls the group “Deep Panda,” EMC Corp’s RSA security division dubs it “Shell Crew,” and other firms have picked different names.

The OPM breach gave hackers access to U.S. government job applicants’ security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.

In contrast to hacking outfits associated with the Chinese army, “Deep Panda” appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.

Information about U.S. spies in China would logically be a top priority for the ministry, Alperovitch said, adding that “Deep Panda’s” tools and techniques have also been used to monitor democracy protesters in Hong Kong.

An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of “Deep Panda” could reflect a different structure than that in top-down military units.

“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.

“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group.”
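The Reuters and ThreatConnect excerpts above describe two lookalike domains: we11point.com, which swapped the digit 1 for the letter l, and OPM-Learning.org, which borrowed the OPM name inside an unrelated domain. The script below is an added example, not code from ThreatConnect, Reuters or any of the firms named, showing how a defender can flag such impersonation in proxy or passive-DNS logs. It assumes a constructed watchlist of protected brand domains (wellpoint.com and opm.gov), uses a constructed list of observed domains, and extracts the registrable domain with a crude last-two-labels rule rather than the Public Suffix List.

```python
"""Lookalike-domain detector for proxy / passive-DNS log review.

Added example (not ThreatConnect's, Reuters' or any vendor's code). It assumes
a defender keeps a short watchlist of protected brand domains and wants to
flag observed domains that impersonate them, e.g. we11point.com for
wellpoint.com, or opm-learning.org borrowing the OPM brand token.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Characters commonly substituted for visually similar ones in registered
# lookalike domains. '1' for 'l' is the substitution named in the article.
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "0": "o", "5": "s", "3": "e", "|": "l"}

# Constructed watchlist (assumption): the brands this defender protects.
PROTECTED = ["wellpoint.com", "opm.gov"]


def normalize(label: str) -> str:
    """Map confusable characters to the letters they imitate."""
    s = label.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def registrable(domain: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com/.org/.gov here).
    Production code should use the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


@dataclass
class Finding:
    domain: str
    brand: str
    reasons: List[str] = field(default_factory=list)


def check_domain(domain: str, protected=PROTECTED) -> Optional[Finding]:
    """Return a Finding if `domain` looks like an impersonation of a protected brand."""
    reg = registrable(domain)
    if reg in protected:
        return None  # the real brand domain, or a legitimate subdomain of it
    label = reg.split(".")[0]
    for brand in protected:
        brand_label = brand.split(".")[0]
        reasons = []
        if normalize(label) == normalize(brand_label):
            reasons.append("confusable-character substitution")
        elif edit_distance(label, brand_label) == 1:
            reasons.append("one edit away from brand label")
        # Brand name used as a whole hyphen/underscore-separated token inside a
        # longer label, e.g. opm-learning.org.
        tokens = re.split(r"[-_]", normalize(label))
        if brand_label in tokens and label != brand_label:
            reasons.append("brand token inside unrelated domain")
        if reasons:
            return Finding(domain, brand, reasons)
    return None


# Constructed sample of observed domains, as they might appear in proxy logs.
OBSERVED = [
    "www.wellpoint.com",
    "extcitrix.we11point.com",
    "www.we11point.com",
    "opm-learning.org",
    "www.opm.gov",
    "example.org",
]


def scan(observed=OBSERVED) -> List[Finding]:
    """Run every observed domain through the checks and keep the hits."""
    return [f for f in (check_domain(d) for d in observed) if f]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.domain:28} impersonates {f.brand:15} ({'; '.join(f.reasons)})")
```

The confusable map and the one-edit rule catch registrations built from a brand name; the token rule catches the second pattern, where the brand is kept intact but wrapped in plausible extra words. In practice the output feeds a review queue rather than an automatic block, since legitimate partners sometimes register hyphenated brand names too.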

Mexican Gulf Cartels Surveillance Systems

From Breitbart:

The former Tamaulipas governor Eugenio Hernandez Flores was charged on May 27, 2015 on two counts, money laundering and crimes against the United States.

MCALLEN, Texas — The U.S. federal government has formally announced that yet another former governor from Mexico has now become a fugitive sought by the U.S. Drug Enforcement Administration.

The U.S. Attorney’s Office for the Southern District Of Texas announced Friday morning that former Tamaulipas governor Eugenio Hernandez Flores has been charged with money laundering and money laundering conspiracy charges.

As previously reported by Breitbart Texas, Hernandez has been implicated in money laundering through a series of civil forfeiture cases accusing him of laundering bribe money that he received for government favors, as well as from Mexican drug traffickers including Los Zetas.

Hernandez, who was the governor from 2005 to 2010, is the second Tamaulipas governor to be criminally charged in the U.S. on money laundering charges connected to taking money from Mexican drug cartels. Tomas Yarrington Ruvalcaba, who served as governor before Hernandez, is currently facing money laundering and drug trafficking charges for his alleged role in helping the Gulf Cartel, Los Zetas and other Mexican cartels.

It gets worse as Breitbart publishes the following:

[Image caption: Mexican authorities take down a complex surveillance system made up of a range of home security cameras, set up by the Gulf Cartel in the border city of Reynosa.]

REYNOSA, Tamaulipas – Once again, Mexican authorities have dismantled a complex video surveillance system set up by the Gulf Cartel in order to keep tabs on authorities, their rivals and their future victims. Breitbart Texas reported on the discovery and destruction of a similar system in May.

This time, authorities seized 39 video surveillance cameras set up around the city under orders from the criminal organization, information provided to Breitbart Texas by the Tamaulipas government revealed.

The seizure began on Tuesday evening, when state police officers spotted two men setting up one of the cameras in the Doctores (Doctor’s) neighborhood. Once in police custody, the two men told authorities that they had just finished setting up another 38 cameras around the city, the information provided by authorities revealed.

Under police guard, the two men took the authorities to the various spots where they had set up the cameras so that officers could take them down. The police did not release the names of the two suspects because the investigation into the cameras remains ongoing.

As previously reported by Breitbart Texas, last month Mexican authorities had discovered a sophisticated surveillance network in which the Gulf cartel placed video cameras in at least 52 different spots around the city. Some of the cameras worked wirelessly and would be controlled remotely.

At the time, Mexican officials confirmed to Breitbart Texas that the Gulf Cartel used the surveillance network in an effort to try to stay one step ahead of law enforcement, as well as to track their victims.

American Recovery and Reinvestment Act, NOT SO Much

When one visits the government website www.recovery.gov, the description reads that the board is a non-partisan, non-political agency, and a bold heading reads ‘The Recovery Accountability and Transparency Board’.

Additionally the site mission statement reads: “To promote accountability by coordinating and conducting oversight of Recovery funds to prevent fraud, waste, and abuse and to foster transparency on Recovery spending by providing the public with accurate, user-friendly information.”

Sheesh. Note the particular case below and then ask yourself whether there is a violation.

From Watchdog.org:

Company that got millions from U.S. taxpayers now profits Chinese owners

The good news is electric car battery maker A123 Systems is finally on track to turn a profit.

The bad news is taxpayers don’t figure to see any of the $133 million the federal government spent and the estimated $141 million in tax credits and subsidies secured from Michigan to help the company take off in 2009, only to see A123 Systems crash, declare bankruptcy in 2012 and then get purchased by a privately held Chinese conglomerate.

“In the case of A123, they created some jobs and a year or two later those jobs were gone, so taxpayers weren’t getting that money back,” said Jarret Skorup, a policy analyst at Michigan’s Mackinac Center, a free-market think tank.

Earlier this month, CEO Jason Forcier announced that A123 Systems’ parent company, the China-based Wanxiang Group, will spend $200 million to double the capacity of three lithium-ion battery plants, including two in suburban Detroit.

Forcier told Crain’s Detroit Business that A123 Systems is expected to generate $300 million in revenue this year and plans to double that amount by 2018. The company, Forcier said, will turn a profit for the first time in its history in 2015.

“The strength of A123 has never been greater and we are honored to be expanding our existing customer relationships and establishing new ones at the same time,” Forcier said in a company news release.

It would mark a dramatic turnaround for the company that was on the verge of collapse when Wanxiang bought it a little more than two years ago at a stripped-down price of $256.6 million. 

But finding out if taxpayers will ever see any of their money back is another matter.

Watchdog.org sent an email and left two voicemail messages with A123 Systems, asking whether any refunds are coming or if — under the terms of the bankruptcy — Wanxiang is under no financial obligation to do so.

The one-sentence response from Paulette Spagnuolo, A123’s marketing and communications manager: “A123 continues to meet and exceed all of the terms of the state and federal grants including all job creation, repayment and investment requirements.”

Spagnuolo did not respond to inquiries asking her to elaborate.

Skorup says the money is gone for good.

“There are a lot of local and state rebates and they are largely upfront costs, so yes, taxpayers are sunk on those,” Skorup told Watchdog.org in a telephone interview. “They’re not going to be getting money back from them … Michigan doesn’t require (A123 Systems) to pay them back anyway.”

How much money?

On the federal level, A123 Systems was originally slated to receive $249 million in grants from the U.S. Department of Energy in 2009 to build production facilities in the towns of Romulus and Livonia, Michigan — just $7.6 million less than Wanxiang eventually bought the entire company for four years later.

But A123 Systems ran into trouble early on. After some of its batteries were involved in a recall for the company’s biggest customer, the electric car company Fisker Automotive, the company’s federal grant was cut off after A123 received $133 million. 

Figuring out how much Michigan passed out has been more difficult.

The Detroit Free Press and the Mackinac Center have been rebuffed in attempts to see how much of an investment the state made in A123 Systems because the Michigan Economic Development Corporation will not disclose specifics.

Skorup estimates Michigan approved A123 Systems for $100 million in a tax credit program and another $41 million in subsidies.

“How much they actually cashed in those we don’t know,” Skorup said. “We’ve tried to find out, but the state won’t give it to us … they say it’s a private contract.”

The federal money was part of the stimulus package and a green-tech initiative the Obama administration touted would spur economic success.

A123 Systems was one of a number of Michigan battery companies that received a surge of tax credits from the state in 2009, but the incentives did not spur the jobs and dollars that were promised.

Detroit Free Press estimated $861 million in Obama administration grants were awarded in the fledgling Michigan battery industry and another $543 million in state tax credits were awarded during the administration of then-Gov. Jennifer Granholm, a Democrat.

Most of the Michigan business tax credit program was eliminated by current Gov. Rick Snyder, a Republican. However, companies that had already secured the tax incentives were allowed to keep them.

“The general lesson for policy makers is that they make very poor venture capitalists because they’re not spending their own money,” said Skorup. “They’re spending other people’s money and those politicians weren’t putting their own stock portfolios into A123 Systems. They were putting taxpayer money into them.

“And the lesson for taxpayers should be, when politicians are making these claims about job projections they should be extremely skeptical. In Michigan, almost none of those — we’ve done multiple studies, other news organizations have done multiple studies — reach the actual projections that they promise.”

“Just because the jobs haven’t happened ‘yet,’ it doesn’t mean that cracking the code to vehicle batteries was the wrong strategy,” Granholm told the Free Press in March 2014.

President Obama appeared by remote broadcast for the grand opening of the A123 Systems Livonia plant in the fall of 2010, an event hosted by Granholm.

“Thanks to the Recovery Act, you guys are the first American factory to start high-volume production of advanced vehicle batteries,” Obama said at the time.

Skorup told Watchdog.org the video of the event was taken down by the Michigan Economic Development Corporation, but the Mackinac Center, a sharp critic of the battery plan from the start, retained a copy of it:


What has Stopped Detention and Deportation

Barack Obama has selectively issued waivers on countless laws; one with real consequences concerns deportations. Then, in August 2013, a federal court, the 9th Circuit, ruled in the case Rodriguez v. Robbins that long-term detention without due process required immediate bond hearings. As a result, detention and deportation laws and procedures have been turned upside down.

Enforcement? What Enforcement?

by Mark Krikorian
Three recent items highlight the continuing collapse of interior immigration enforcement under Obama.

The first is information pried out of DHS by Senators Grassley and Sessions: One hundred twenty-one convicted criminals who faced deportation orders between 2010 and 2014 were never removed from the country and now face murder charges, according to Immigration and Customs Enforcement (ICE). Just to be clear, these were convicted criminals, in ICE custody, who had been ordered deported but were instead released back into U.S. communities, and then went on to murder Americans. Most were released simply because the administration didn’t want to detain them. Only for two dozen does the administration have any excuse at all, saying that they had to be released because their home countries wouldn’t take them back. And even that’s no excuse, for two reasons: the Supreme Court decision Obama’s people point to (Zadvydas v. Davis) limiting open-ended detention beyond six months of any criminal aliens whose countries won’t take them back has significant wiggle room in it – wiggle room the administration refuses, in this one and only instance, to take advantage of.

And second, the law requires the State Department to impose visa sanctions on countries that won’t take their own citizens back, a requirement Secretaries Clinton and Kerry have simply ignored. Some of the blood of these 121 murdered Americans (whose names we don’t know, presumably because ICE is protecting their murderers’ privacy rights) is on the hands of this administration, which chose to release the convicted criminal aliens back into the United States rather than keep them in detention.

If that’s not depressing enough, Maria Sachetti at the Boston Globe has done yeoman’s work in uncovering hundreds of immigrant sex criminals whom ICE let go because of the same Supreme Court ruling – without even making sure they were registered with local authorities as sex offenders. Here’s what happened in several instances after their release by ICE:

Immigration officials tried to deport Luis-Leyva Vargas, 47, to Cuba after he served three years in a Florida prison for unlawful sex with a teen. In 2008, officials released him. Two years later, he kidnapped an 18-year-old in Rockingham County, Va., at knifepoint and raped her. Now he is serving a 55-year prison sentence.

Felix Rodriguez, a 67-year-old sex offender convicted of raping children as young as 4 in the 1990s, was freed in 2009, also because Cuba would not take him back. Months later, he fatally shot his girlfriend in Kansas City. He pleaded guilty and is serving 10 years in a Missouri prison.

Andrew Rui Stanley, convicted in 2000 of multiple counts of sodomizing a child when Stanley was 14, was released in 2009 after Brazil failed to provide a passport needed to send him home. For the next two years, he viciously abused three children in St. Louis and now, at age 31, will be in prison for the rest of his life.

None of these sickening crimes should have been allowed to occur. An administration that took public safety seriously would find ways to detain criminals until they could be deported, and apply whatever pressure was needed to get their native countries to comply. But this is not that administration.

And finally, on a less grisly note, my colleague Jessica Vaughan has uncovered data showing a collapse in worksite enforcement. In effect, as the Washington Times headline put it, “Obama gives free pass to businesses that hire illegals.” From 2013 to 2015, the number of ICE audits of employer records (to check the work eligibility of employees) dropped 86 percent; arrests of crooked employers dropped 73 percent; and fines collected dropped 51 percent. It seems that once it became clear that Sen. Rubio’s amnesty/immigration-surge bill was not going to reach his desk, Obama called a halt to the (limited) show of worksite enforcement he had ordered up to persuade skeptical Republican House members that he could be trusted to enforce the provisions of Rubio’s amnesty/immigration-surge bill. The fact that he cut back so drastically on enforcement when it was no longer politically useful is proof that such skepticism was warranted.

And finally, as evidence of this administration’s true priorities, USCIS is broadcasting “DACA Renewal Tips” out of a concern that some recipients of Obama’s lawless version of the DREAM Act amnesty may not renew their two-year work permits (presumably to avoid paying the fee, since they that there won’t be any enforcement consequences from reverting to illegal status).

Jeh Johnson Fighting Deposition

In Tampa back in 2012, there was a scandal brewing that led to an FBI investigation, some compromising emails, generals and some women. In the end, James Clapper called General Petraeus and told him to resign. But the story does not end there.

Another lawsuit is in the pipeline.

Feds fight Jeh Johnson testimony in Petraeus-related lawsuit

From Politico:

The Justice Department is fighting an effort to force Homeland Security Secretary Jeh Johnson to give a deposition in a privacy invasion lawsuit a Florida woman has filed over the federal government’s handling of the investigation into former CIA Director David Petraeus.

Lawyers for Jill Kelley subpoenaed Johnson to testify about his knowledge of a complex inquiry that unfolded after Kelley complained to the FBI in 2012 that someone was sending derogatory statements and threats about her to various of her associates, including Marine Gen. John Allen and Petraeus, and seemed aware of private details about their schedules.

The probe revealed an extramarital relationship between Petraeus and his biographer, Paula Broadwell. That discovery led to Petraeus’s resignation shortly after the 2012 elections. However, in a lawsuit filed in 2013 Kelley alleged that the FBI and the Defense Department leaked personal information about her to the media, including suggestions that she had a sexual relationship with Allen. Kelley has adamantly denied any impropriety.

Johnson was the Defense Department’s general counsel at the time and played a key role in managing the agency’s response. But in a court filing Thursday evening (posted here), government lawyers argue that as a busy cabinet member Johnson should simply be required to answer written questions in the lawsuit and not be subjected to the videotaped depositions most witnesses face.

“Presently, as the head of the Department of Homeland Security, the third largest cabinet-level agency, Secretary Johnson oversees more than 240,000 federal employees. He holds ultimate responsibility for DHS’s mission, which includes preventing terrorism and enhancing national security; managing the borders of the United States; administering immigration laws; securing cyberspace; and ensuring disaster resilience,” the Justice Department argues. “Owing to these responsibilities and the incredible demands they impose on the Secretary’s time and resources, defendants informed plaintiffs that they object to Secretary Johnson’s deposition absent a clear and convincing showing that he possesses unique, non-privileged, relevant information that cannot be obtained through other means.”

The court filing also reveals that lawyers for Kelley have already obtained records of at least one journalist’s communications with Johnson about the Petraeus investigation. In an email sent to U.S. District Court Judge Amy Berman Jackson and attached to the filing, Kelley lawyer Alan Raul said he wants to question Johnson about a Kelley-related email Daily Beast reporter Dan Klaidman sent to Johnson on his personal gmail account in November 2012.

Raul also wants to ask about “Mr. Johnson’s responses and/or prior communications to or from Mr. Klaidman, who addressed him as ‘Jeh’ and to whom it appears he subsequently granted an ‘exclusive’ story about his nomination as DHS Secretary.”

Klaidman—now an editor at Yahoo News—declined to comment.

Kelley’s lawyers also want to question Johnson about the identity of anonymous sources described as “senior defense officials” or “senior military officials” who discussed the investigation with journalists at around the same time. Raul pointed to articles from the Associated Press, USA Today and Washington Post as ones of particular focus. Kelley’s team is also asking for information on Johnson’s contact with Tampa Tribune reporter Howard Altman and for information on who at the Department of Defense may have spoken with one or more reporters for ABC News about Kelley.

It’s possible the journalists themselves could face demands to testify in the case, but that does not appear to have happened yet.

The Justice Department filing does disclose that the government has agreed to make three former senior officials available for depositions in the suit: former Defense Secretary Leon Panetta for a two-hour session, Panetta’s former chief of staff Jeremy Bash for a four-hour session and former Defense Department public affairs chief George Little for a seven-hour session.

Kelley’s lawyers face an uphill battle in trying to force a sitting Cabinet member like Johnson into a deposition. Last year, another federal judge in Washington ordered Agriculture Secretary Tom Vilsack to appear at a deposition in a lawsuit brought by fired Ag Department employee Shirley Sherrod, but an appeals court issued an unusual order blocking the deposition.

The government also has one more argument in the current dispute: Johnson is a lawyer, so at least some of his actions on the Petraeus/Kelley matter may have been covered by attorney-client privilege or protection for attorney “work product.”

Johnson was originally subpoenaed to appear for his deposition on Friday, but the session has been postponed until Jackson rules on the dispute.

In April, Petraeus pleaded guilty to a charge of mishandling classified information by sharing classified briefing books with Broadwell and maintaining classified information at his home after he was required to turn it in. He was sentenced to two years’ probation and a $100,000 fine.

The FBI also investigated Broadwell in connection with the episode. No charges have been filed. The status of that inquiry is unclear.