3 Chinese Nationals Charged with Hacking, Stealing Intellectual Property

Indictment found here.

Wonder if President Trump has called President Xi…. The U.S. Treasury should at least sanction Guangzhou Bo Yu Information Technology Company Limited….

Pittsburgh:

The Justice Department on Monday unsealed an indictment against three Chinese nationals in connection with cyberhacks and the alleged theft of intellectual property of three companies, according to US officials briefed on the investigation.

But the Trump administration is stopping short of publicly confronting the Chinese government about its role in the breach. The hacks occurred during both the Obama and Trump administrations.
The charges being brought in Pittsburgh allege that the hackers stole intellectual property from several companies, including Trimble, a maker of navigation systems; Siemens, a German technology company with major operations in the US; and Moody’s Analytics.
US investigators have concluded that the three charged by the US attorney in Pittsburgh were working for a Chinese intelligence contractor, the sources briefed on the investigation say. But missing from court documents filed in the case is any explicit mention that the thefts were state-sponsored.
A 2015 deal between then-President Barack Obama and Chinese President Xi Jinping prohibits the US and China from stealing intellectual property for the purpose of giving advantage to domestic companies.
In recent months some US intelligence agencies have concluded that China is breaking the agreement, sources briefed on the matter say. But there’s debate among intelligence officials about whether there’s sufficient evidence to publicly reveal the Chinese government’s role in the infractions, these people say.
Obama administration officials had touted the Obama-Xi agreement, as well as 2014 Justice Department charges against members of the Chinese People’s Liberation Army for commercial espionage, for reducing some of the Chinese cyberactivity against companies in the US.
But the 2015 Obama-Xi deal was met with skepticism inside the US agencies whose job it is to guard against Chinese cyberactivity targeting US companies. Some now say there was only a brief drop in the number of cyberspying incidents, if at all.
In the waning months of the Obama administration, intelligence officials briefed senior White House officials on information showing that the Chinese cyberattacks were back to levels previously seen, sources familiar with the matter told CNN. Early in the Trump administration, US intelligence officials briefed senior officials, including the President and vice president, as well as advisers Jared Kushner and Steve Bannon. More here.
***

Acting U.S. Attorney for Western Pennsylvania Soo C. Song charged Wu Yingzhuo, Dong Hao and Xia Lei with conspiracy to commit computer fraud and abuse, conspiracy to steal trade secrets, wire fraud and identity theft.

The most serious charge, wire fraud, carries a sentence of up to 20 years in federal prison. Each conspiracy charge has a possible sentence of up to 10 years and the identity theft carries a sentence of up to two years.

The indictment alleged that Wu, Dong and Xia worked with Guangzhou Bo Yu Information Technology Company Limited, a Chinese cybersecurity firm in Guangzhou, but used their skills to launch attacks on corporations in the U.S.

Between 2011 and May 2017, the trio stole files containing documents and data pertaining to a new technology under development by Trimble, along with employee usernames and passwords and 407 gigabytes of proprietary data concerning Siemens’ energy, technology and transportation efforts, according to the indictment. The trio gained access to the internal email server at Moody’s Analytics and forwarded all emails sent to an “influential economist” working for the firm, the indictment stated. Those emails contained proprietary and confidential economic analyses, findings and opinions. The economist was not named in the indictment.

A Siemens spokesperson said that the company “rigorously” monitors and protects its infrastructure and continually detects and hunts for breaches. The company did not comment on the alleged breach by the Chinese hackers and declined to comment on internal security measures.

Michael Adler, a spokesman for Moody’s Analytics, said that to the company’s knowledge no confidential consumer data or other personal employee information was exposed in the alleged hack.

“We take information security very seriously and continuously review and enhance our cybersecurity defenses to safeguard the integrity of our data and systems,” Adler wrote in an email to the Tribune-Review.

Trimble, in a statement sent to the Trib, wrote that no client data was breached. The company concluded that the attack had no meaningful impact on its business.

Song, however, said the loss to the companies targeted was considerable.

“The fruit of these cyber intrusions and exfiltration of data represent a staggering amount of dollars and hours lost to the companies,” Song said.

Wu, Dong and Xia used “spearphish” emails to gain access to computers, spread malware to infect networks and covered their tracks by exploiting other computers known as “hop points.”

Hop points allow users to hide their identities and locations by routing themselves through third-party computer networks.

“But there were missteps that led our investigators right to them,” said FBI Special Agent in Charge Bob Johnson of the Pittsburgh office.

Johnson would not elaborate on the missteps the accused hackers took, claiming doing so could jeopardize future investigations.

The U.S. Attorney’s Office led the investigation and was assisted by the FBI’s Pittsburgh Division, the Navy Criminal Investigative Service Cyber Operations Field Office and the Air Force Office of Special Investigations.

Cottage Industry in U.S. for Refugee Resettlement

There was a time when the U.S. State Department along with associated agencies including USAID and the CIA would work to migrate countries from communism to democracies. After the rise of militant Islam and terror attacks around the world, countless gestures have been launched to destroy terror including of course war. Stable countries are now vulnerable and susceptible to radical migrant refugees and migrants.

Europe is in the worst condition and the United States is functioning in much the same manner. We constantly hear that the United States was built on immigrants and we invite legal immigration. Few conceive the notion that immigrants would not seek out America if their home countries were stable, democratic and functioning, especially when the United States sends billions each year offshore for assistance and stability.

Meanwhile, America continues to budget and appropriate funds for migrants and refugees in the United States and more coming.


For an exact sample on how the states operate, this site provided some great insight using Michigan.

Do you wonder what the total and comprehensive costs are for refugee resettlement? Well, the General Accounting Office is to report those costs, yet there seems to be no recent report. Meanwhile see pages 8-9 for the resettlement numbers by state by clicking here.

FY 2017 Notice of Funding Opportunity for Reception and Placement Program

Funding Procedures

Under current funding procedures, each agency with which the Bureau enters into a Cooperative Agreement (CA) is provided $2,025 for each refugee it sponsors who arrives in the United States during the period of the CA and is verified to have been placed and assisted by the agency. The funding is intended to supplement private resources available to the applicant and may be used at the local affiliates at which refugees are resettled and only for the direct benefit of refugees and for the delivery of services to refugees in accordance with program requirements as described in the CA. In addition, the Bureau funds national R&P Program management costs according to separately negotiated and approved budgets based on the applicant’s sponsorship capacity.

The annual ceiling for refugee admissions will be established by the President following consultations with the Congress towards the end of FY 2016. The FY 2017 appropriation and refugee ceiling have not yet been determined. For planning purposes, applicants should use the following refugee admissions projections as a baseline, although they may not necessarily be the regional or total ceilings that will be set by the President for FY 2017. Projections by region are as follows:

Africa — 30,000

East Asia — 12,000

Europe and Central Asia — 5,000

Latin America and the Caribbean — 5,000

Near East and South Asia — 44,000

Unallocated Reserve — 4,000

In addition, applicants should include 7,000 Special Immigrant Visa (SIV) recipients in their planning.

As in previous years, applicants should base their placement plans provided to PRM in response to this notice of funding opportunity on the capacity of their network of local affiliates, which will have consulted with resettlement partners in their communities in order to ensure that the placement plans are reasonable and appropriate. Should the FY 2017 Presidential Determination and appropriation processes result in ceilings that are different from the total capacity that has been proposed by all approved applicants, the Bureau will work with approved applicants, as necessary, to develop a revised plan, as it has in previous years. If you can stand it, continue the stipulations and grant procedures here.

***

It has become a cottage industry with almost zero checks and balances and your tax dollars? Well glad you asked. Check it:

Requirements to resettle refugees
To be selected as an R&P program agency, a non-governmental organization must apply to the PRM, which stipulates they meet three requirements:
1. Applicants must be “well-established social service providers with demonstrated case management expertise and experience managing a network of affiliates that provide reception and placement or similar services to refugees or other migrant populations in the United States;
2. (they must) have been in operation for at least three full years in non-profit status;
3. and document the availability of private financial resources to contribute to the program” (FY 2012 Funding Opportunity Announcement for Reception and Placement Program).

How it works 
Each agency enters into a Cooperative Agreement (CA) with the PRM and is provided $1800 per refugee it sponsors who arrives in the U.S. during the period of the CA. Resettlement agencies have voluntary agreements with the Office of Refugee Resettlement within the U.S. Department of Health and Human Services (US DHHS). The resettlement agencies generally receive seven to ten days notice prior to the arrival of a refugee so that they can assign a case manager, find housing, furniture, and purchase necessary household items. If the refugee has a relative or other tie already living in the U.S. (called an “anchor”), the resettlement agency usually establishes an agreement before the refugees arrive to determine the role the relative or tie will have in assisting the newly arrived refugee in accessing core services.

Service period & basic services
The R&P service period is thirty days long, but can be extended to up to ninety days if more time is necessary to complete delivery of R&P services, although some service agencies allow extensions of assistance based on a client’s needs. Basic support consists of the provision of:
1. Decent, safe, sanitary, and affordable housing
2. Essential furnishings
3. Appropriate food and food allowances
4. Necessary clothing
5. Assistance in applying for social security cards
6. Assistance in registering children in school
7. Transportation to job interviews and job training
8. At least two home visits
9. An initial housing orientation visit by a designated R&P representative or case manager
10. Assistance in obtaining health screening and mental health services
11. Obtaining employment services
12. Obtaining appropriate benefits
13. Referrals to social service programs
14. Enrollment in English as a Second Language instruction.
15. Pre-arrival processing & reception planning
16. Airport pickup
17. Hot meal on night of arrival
18. General case management
19. Development and implementation of a resettlement plan
20. Cultural orientation classes
21. Employment assessment and possible enrollment in UST’s employment program
22. Referrals to UST internal programs
23. Advocacy within government and social services agencies
24. Coordination of community volunteers that provide additional adjustment assistance
25. Follow up and basic needs support

If refugees are still in need of assistance after this 30-90 day period, they can seek aid from public benefit programs for up to seven years. Refugees retain their status as such for one year, and then are considered permanent residents for four years. After that, they can apply for U.S. citizenship.

Other services listed on our website are also accessible to our clients.  Some services are subject to office location.

 

AP Blames FBI for Few Warnings on Fancy Bear Hacks

While much of the global hacking came to a scandal status in 2015-16, the Russian ‘Fancy Bear’ activity goes back to at least 2008. The FBI is an investigative wing and works in collaboration with foreign intelligence and outside cyber experts. For official warnings to be provided to U.S. government agencies, contractors, media or political operations, the FBI will generally make an official visit to affected entities to gather evidence. The NSA, Cyber Command and the DHS all have cyber experts that track and work to make accurate attributions of the hackers.


The Department of Homeland Security is generally the agency to make official warnings. The Associated Press gathered independent cyber experts to perform an independent study and is ready to blame the FBI for not going far enough in warnings.

When it came to the Clinton presidential campaign hack, the FBI made several attempts to reach officials there and was met with disdain and distrust. The FBI wanted copies of the ‘log-in’ files for evidence and was denied.

In part the AP report states:

“CLOAK-AND-DAGGER”

In the absence of any official warning, some of those contacted by AP brushed off the idea that they were taken in by a foreign power’s intelligence service.

“I don’t open anything I don’t recognize,” said Joseph Barnard, who headed the personnel recovery branch of the Air Force’s Air Combat Command.

That may well be true of Barnard; Secureworks’ data suggests he never clicked the malicious link sent to him in June 2015. But it isn’t true of everyone.

An AP analysis of the data suggests that out of 312 U.S. military and government figures targeted by Fancy Bear, 131 clicked the links sent to them. That could mean that as many as 2 in 5 came perilously close to handing over their passwords.

It’s not clear how many gave up their credentials in the end or what the hackers may have acquired.

Some of those accounts hold emails that go back years, when even many of the retired officials still occupied sensitive posts.

Overwhelmingly, interviewees told AP they kept classified material out of their Gmail inboxes, but intelligence experts said Russian spies could use personal correspondence as a springboard for further hacking, recruitment or even blackmail.

“You start to have information you might be able to leverage against that person,” said Sina Beaghley, a researcher at the RAND Corp. who served on the NSC until 2014.

In the few cases where the FBI did warn targets, they were sometimes left little wiser about what was going on or what to do.

Rob “Butch” Bracknell, a 20-year military veteran who works as a NATO lawyer in Norfolk, Virginia, said an FBI agent visited him about a year ago to examine his emails and warn him that a “foreign actor” was trying to break into his account.

“He was real cloak-and-dagger about it,” Bracknell said. “He came here to my work, wrote in his little notebook and away he went.”

Left to fend for themselves, some targets have been improvising their cybersecurity.

Retired Gen. Roger A. Brady, who was responsible for American nuclear weapons in Europe as part of his past role as commander of the U.S. Air Force there, turned to Apple support this year when he noticed something suspicious on his computer. Hughes, a former DIA head, said he had his hard drive replaced by the “Geek Squad” at a Best Buy in Florida after his machine began behaving strangely. Keller, the former senior spy satellite official, said it was his son who told him his emails had been posted to the web after getting a Google alert in June 2016.

A former U.S. ambassador to Russia, Michael McFaul, who like many others was repeatedly targeted by Fancy Bear but has yet to receive any warning from the FBI, said the lackluster response risked something worse than last year’s parade of leaks.

“Our government needs to be taking greater responsibility to defend its citizens in both the physical and cyber worlds, now, before a cyberattack produces an even more catastrophic outcome than we have already experienced,” McFaul said. Read the full article here.


***

Every organization has a Chief Technology Officer; even a small business has a ‘go-to’ person for issues. To be in denial that there are any vulnerabilities is reckless and dangerous. To assume systems are adequately protected against cyber intrusions is also derelict in duty.

Fancy Bear is listed as APT 28. APT=Advanced Persistent Threat.

APT28 made at least two attempts to compromise Eastern European government organizations:

In a late 2013 incident, a FireEye device deployed at an Eastern European Ministry of Foreign Affairs detected APT28 malware in the client’s network.

More recently, in August 2014 APT28 used a lure (Figure 3) about hostilities surrounding a Malaysia Airlines flight downed in Ukraine in a probable attempt to compromise the Polish government. A SOURFACE sample employed in the same Malaysia Airlines lure was referenced by a Polish computer security company in a blog post. The Polish security company indicated that the sample was “sent to the government,” presumably the Polish government, given the company’s locations and visibility.

Additionally, other probable APT28 targets that we have identified:
- Norwegian Army (Forsvaret)
- Government of Mexico
- Chilean Military
- Pakistani Navy
- U.S. Defense Contractors
- European Embassy in Iraq
- Special Operations Forces Exhibition (SOFEX) in Jordan
- Defense Attaches in East Asia
- Asia-Pacific Economic Cooperation

There is also NATO, the World Bank and military trade shows. Pure and simple, it is industrial espionage.

MALWARE

Evolves and Maintains Tools for Continued, Long-Term Use
- Uses malware with flexible and lasting platforms
- Constantly evolves malware samples for continued use
- Malware is tailored to specific victims’ environments, and is designed to hamper reverse engineering efforts
- Development in a formal code development environment

Various Data Theft Techniques
- Backdoors using HTTP protocol
- Backdoors using victim mail server
- Local copying to defeat closed/air gapped networks

TARGETING

Georgia and the Caucasus
- Ministry of Internal Affairs
- Ministry of Defense
- Journalist writing on Caucasus issues
- Kavkaz Center

Eastern European Governments & Militaries
- Polish Government
- Hungarian Government
- Ministry of Foreign Affairs in Eastern Europe
- Baltic Host exercises

Security-related Organizations
- NATO
- OSCE
- Defense attaches
- Defense events and exhibitions

RUSSIAN ATTRIBUTES

Russian Language Indicators
- Consistent use of Russian language in malware over a period of six years
- Lure to journalist writing on Caucasus issues suggests APT28 understands both Russian and English

Malware Compile Times Correspond to Work Day in Moscow’s Time Zone
- Consistent among APT28 samples with compile times from 2007 to 2014
- The compile times align with the standard workday in the UTC + 4 time zone which includes major Russian cities such as Moscow and St. Petersburg
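
The compile-time indicator above can be reproduced by an analyst with a short script. The following is an added example, not code from FireEye or from this page: it takes PE header compile timestamps (stored in UTC), shifts them through every UTC offset, and ranks the offsets by how many samples land inside a weekday working window. The sample timestamps are constructed for illustration, and the 08:00 to 18:00 window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: compile timestamps as they would be read from the
# PE header TimeDateStamp field (always UTC). NOT values from the FireEye report.
SAMPLE_COMPILE_TIMES_UTC = [
    datetime(2013, 6, 3, 4, 0, tzinfo=timezone.utc),    # Monday
    datetime(2013, 6, 4, 5, 0, tzinfo=timezone.utc),    # Tuesday
    datetime(2013, 6, 5, 7, 0, tzinfo=timezone.utc),    # Wednesday
    datetime(2013, 6, 6, 9, 0, tzinfo=timezone.utc),    # Thursday
    datetime(2013, 6, 7, 11, 0, tzinfo=timezone.utc),   # Friday
    datetime(2013, 6, 10, 13, 0, tzinfo=timezone.utc),  # Monday
    datetime(2013, 6, 8, 19, 0, tzinfo=timezone.utc),   # Saturday (outlier)
]

# Assumed working window: 08:00 up to, but not including, 18:00, Monday-Friday.
WORK_START, WORK_END = 8, 18


def from_pe_timestamp(seconds):
    """Convert a raw PE TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def in_workday(ts_utc, utc_offset_hours):
    """True if the timestamp falls in the working window at the given offset."""
    local = ts_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def workday_hits(samples, utc_offset_hours):
    """Number of samples compiled during the working window at this offset."""
    return sum(in_workday(ts, utc_offset_hours) for ts in samples)


def rank_offsets(samples, offsets=range(-12, 15)):
    """Return (offset, hits) pairs, best-fitting UTC offset first."""
    scored = [(off, workday_hits(samples, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def local_hour_histogram(samples, utc_offset_hours):
    """Count samples per local hour of day at the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in samples)


if __name__ == "__main__":
    total = len(SAMPLE_COMPILE_TIMES_UTC)
    for offset, hits in rank_offsets(SAMPLE_COMPILE_TIMES_UTC)[:3]:
        print(f"UTC{offset:+d}: {hits}/{total} samples inside the workday")
    hist = local_hour_histogram(SAMPLE_COMPILE_TIMES_UTC, 4)
    for hour in sorted(hist):
        print(f"{hour:02d}:00 UTC+4  {'#' * hist[hour]}")
```

Compile timestamps can be altered by whoever builds the binary, so a clustering like this is a corroborating indicator to weigh alongside others such as language artifacts, not proof of origin on its own.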

FireEye is a non-government independent cyber agency that has performed and continues to perform cyber investigations and attributions. There are others that do the same. To blame exclusively the FBI for lack of warnings is unfair.
Hacking conditions were especially common during the Obama administration and countless hearings have been held on The Hill, while still there is no cyber policy, legislation or real consequence. Remember too, it was the Obama administration that chose to do nothing with regard to Russia’s interference until after the election in November and then only in December did Obama expel several Russians part of diplomatic operations and those possibly working under cover including shuttering two dachas and one mission post in San Francisco.

What the Uranium One Documents Reveal

Our Operations

Uranium One is engaged through its subsidiaries and joint ventures in uranium production, and in the exploration and development of uranium properties, in Kazakhstan, the United States, Tanzania and elsewhere. Uranium One is focused on low cost and low technical risk operations, with existing, near and medium-term production visibility in some of the world’s largest uranium resource jurisdictions.

Uranium One is a joint venture partner with JSC NAC Kazatomprom, the Kazakhstan state-owned atomic energy company, in six major producing uranium mines in Kazakhstan – Akdala, South Inkai, Karatau, Akbastau, Zarechnoye and Kharasan. The company also operates the Willow Creek uranium mine in Wyoming, and is the operator of, and owns a 13.9 percent interest in, the Mkuju River uranium development project in Tanzania.

Uranium One’s revenues are largely derived from the sale of uranium concentrates. The company sells its uranium to major nuclear utilities in Russia, Europe, North America, South America, Middle East and Asia.

***

This was an internal coup advanced by the Obama administration. What is worse, where are those Hillary, State Department or CFIUS or White House related emails?

***

William Campbell, the FBI informant, documented for his FBI handlers the first illegal activity by Russian nuclear industry officials in fall 2009, nearly an entire year before the Russian state-owned Rosatom nuclear firm won Obama administration approval for the Uranium One deal, the memos show.

Evidence gathered by an FBI undercover informant conflicts with several media reports as well as statements by Justice officials concerning the connections between a Russian nuclear bribery case and the Obama administration’s approval of the sale of Uranium One to Russia’s state-owned Rosatom nuclear company. More here.

***

During Campbell’s time working as a confidential informant, he was required by the Russians to launder large sums of money to financial institutions in Cyprus, Latvia and Seychelles. With Campbell’s help the FBI uncovered an extensive Russian nuclear money laundering apparatus and Campbell was working solo. He was required to launder money, from his own salary, on particular days and times when Russian money handlers would be working at the banks. If he missed a scheduled pay time for any reason his Russian counterparts would threaten him, he told his attorney. He was also required on many occasions to deliver cash directly to those who were being paid off, most of which he recorded on hidden cameras for the FBI.

It didn’t end there. In order to keep his cover he spent many nights with his Russian counterparts drinking, collecting information and more importantly gaining their trust. He was in his early 60s and his once unblemished driving record ended with a DUI in 2008 and two other reckless driving charges in 2010 and 2012, said Toensing, who noted they were all misdemeanors.

THE PLAYERS

The cast of characters deep within the Russian nuclear agency also included another American businessman named Rod Fisk, whose company Transportation Logistics International, also known as TLI,  was the primary transport company for Russian enriched uranium sold to the United States.

Fisk passed away in 2011, and his Vice President Daren Condrey replaced him. In 2015, Daren Condrey, of Maryland, pleaded guilty to conspiring to violate the Foreign Corrupt Practices Act (FCPA) and conspiring to commit wire fraud, according to the DOJ.

Adding to the colorful array of Russian criminals the FBI was watching was a Russian national named Vadim Mikerin. He was then a top official of the Russian nuclear arms subsidiary Tenex. Mikerin, who had close ties to elite members of the Kremlin, and who bragged in emails and documents about his family’s connections to current Russian President Vladimir Putin, would later become president of Tenam, the American subsidiary that began operations in 2010, according to the contract. Boris Rubizhevsky, another Russian national from New Jersey, who was president of the security firm NEXGEN Security, also pleaded guilty in 2015 to conspiracy to commit money laundering. He served as a consultant to TENAM and to Mikerin. He was sentenced to prison last week along with three years of supervised release and a $26,500 fine, according to a recent Reuters report.

Mikerin was eventually arrested for a racketeering scheme that dated back to 2004, and included fraud, extortion and money laundering. But he only pleaded guilty to money-laundering. He was sentenced to 48 months in prison in December 2015. More here.

 

Here are five revelations from those documents reviewed by The Hill:

Russia saw its purchase of Uranium One as part of a strategy to dominate global uranium markets, including making the United States more dependent on Moscow’s nuclear fuel.

Documents the informant gave the FBI clearly show that the purchase of Uranium One was seen by Russia and its American consultants as one tool in a strategy to “control” the uranium market worldwide. In the United States, that strategy focused on securing billions of new uranium contracts to create a new reliance on Russian nuclear fuel just as the Cold War-era Megatons to Megawatts program was ending.

Uranium One did export some of its U.S. uranium ore.

News organizations, including The Washington Post, continue to report none of Uranium One’s product left the U.S. after Russia took control. In fact, the Nuclear Regulatory Commission (NRC) approved an export license for a third party trucking firm to export Uranium One ore to Canada for enrichment, and some of that uranium ended up in Europe, NRC memos show. Uranium One itself admits that as much as 25 percent of the uranium it exported to Canada ended up with European or Asian clients through what is known in the industry as “book transfers.”

The FBI informant Douglas Campbell does have information to share with Congress about Rosatom’s Uranium One purchase.

Justice officials have suggested in recent stories that Campbell has little on Uranium One because his work focused on nuclear bribery involving a different Rosatom subsidiary. While it’s true Campbell’s undercover work focused on criminality inside the Rosatom subsidiary Tenex, he did gather extensive documents about Rosatom’s efforts to win approval to buy Uranium One.

The FBI did have evidence that Rosatom officials were engaged in criminality well before the Obama administration approved Rosatom’s purchase of Uranium One.

Evidence that a foreign company is involved in criminality can disqualify it from Committee on Foreign Investment in the United States (CFIUS) approval to buy a sensitive U.S. asset. And Campbell helped the FBI record the first criminal activity by Rosatom officials inside its Tenex arm in November 2009, nearly an entire year before CFIUS approved Rosatom’s purchase of Uranium One.

Justice officials trusted the informant Campbell enough to keep him working undercover for six years and to pay him more than $51,000 once the convictions were secured.

A check obtained by The Hill shows the FBI paid Campbell an informant fee of more than $51,000 in January 2016, shortly after the last convictions in the Russian nuclear bribery case were made.

Counterfeit Operations, Iran and North Korea

It is a global business and a nasty one.

U.S. officials have long accused Iran of supplying arms to rebel Houthi forces battling for control of Yemen. But Monday’s sanctions help highlight the scope of what Western officials commonly describe as the IRGC’s far-reaching and malign activities.

“Iran itself, together with its proxy, Lebanese Hezbollah, is knee-deep and has been knee-deep in the counterfeit business for quite some time,” said Matthew Levitt with the Washington Institute for Near East Policy. “Exposing this is kind of a two-for-one, both exposing the organization’s terrorist activity and also exposing the nature of the criminal activity that it engages in.” More here.

Treasury Designates Large-Scale IRGC-QF Counterfeiting Ring

11/20/2017

Iranian Network Prints Counterfeit Yemeni Bank Notes for IRGC-Qods Force

WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated a network of individuals and entities involved in a large-scale scheme to help Iran’s Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF) counterfeit currency to support its destabilizing activities.  This network employed deceptive measures to circumvent European export control restrictions and procured advanced equipment and materials to print counterfeit Yemeni bank notes potentially worth hundreds of millions of dollars for the IRGC-QF.  The IRGC-QF was designated pursuant to the global terrorism Executive Order (E.O.) 13224.

“This scheme exposes the deep levels of deception the IRGC-Qods Force is willing to employ against companies in Europe, governments in the Gulf, and the rest of the world to support its destabilizing activities.  Counterfeiting strikes at the heart of the international financial system, and the fact that elements of the government of Iran are involved in this behavior is completely unacceptable,” said Treasury Secretary Steven Mnuchin.  “This counterfeiting scheme exposes the serious risks faced by anyone doing business with Iran, as the IRGC continues to obscure its involvement in Iran’s economy and hide behind the façade of legitimate businesses to perpetrate its nefarious objectives.”

Reza Heidari and Pardazesh Tasvir Rayan Co.

Reza Heidari (Heidari) is being designated today for having acted for or on behalf of the IRGC-QF and having assisted in, sponsored, or provided financial, material, or technological support for, or financial or other services to or in support of, the IRGC-QF.

Pardazesh Tasvir Rayan Co. (Rayan Printing) is being designated today for being controlled by Heidari; for having acted for or on behalf of the IRGC-QF; having assisted, sponsored, or provided financial, material, or technological support for, or financial or other services to or in support of, the IRGC-QF; and being owned by Tejarat Almas Mobin Holding, another Iranian company also being designated today.

Heidari played a key role in procuring secure printing equipment and materials for the IRGC-QF in support of the group’s currency counterfeiting scheme.  Heidari served as the managing director of Iran-based Rayan Printing, a company involved in printing counterfeit Yemeni rial bank notes potentially worth hundreds of millions of dollars for the IRGC-QF, as of late 2016.  Heidari used front companies to obfuscate the actual end user and facilitate deceptive transactions when dealing with European suppliers of secure printing equipment and materials.

ForEnt Technik and Printing Trade Center

ForEnt Technik GmbH is being designated today for being owned or controlled by Heidari, while Printing Trade Center GmbH (PTC) is being designated for having acted for or on behalf of, and assisted in, sponsored, or provided financial, material, or technological support for, or financial or other services to or in support of, Heidari.

Heidari used German-based ForEnt Technik GmbH and PTC as front companies to deceive European suppliers, circumvent export restrictions, and acquire advanced printing machinery, security printing machinery, and raw materials in support of the IRGC-QF’s counterfeit currency capabilities.  These raw materials included watermarked paper and specialty inks from European suppliers.  Heidari is the Managing Director and sole shareholder of ForEnt Technik GmbH.

Mahmoud Seif and Tejarat Almas Mobin

Mahmoud Seif is being designated today for having assisted, sponsored, or provided financial, material, or technological support for, or other services to or in support of, the IRGC-QF.  Tejarat Almas Mobin Holding is being designated today for being controlled by Seif.

Seif is the managing director of Tejarat Almas Mobin, the parent company of Rayan Printing.  Heidari and Seif coordinated on the procurement of raw supplies and equipment that enabled the IRGC-QF counterfeiting capabilities.  Seif was involved with the logistics of importing materials for the counterfeiting project into Iran.  Additionally, Seif has previously been involved in the procurement of weapons for the IRGC-QF.

For identifying information on the individuals and entities listed today, click here: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20171120.aspx

*** So, did Iran teach North Korea to counterfeit or was it the other way around? North Korea has been counterfeiting and participating in illicit activities going back decades. North Korea is not especially fretful over the newly applied sanctions or being listed again as a terror state by President Trump. While it should be done, the regime has proven methods to finesse the system.

Ri Jong Ho had simply had enough. He’d seen too many executions.

Ri, a high-profile North Korean defector, spent years working for what is essentially a slush fund for one of the most notorious regimes on the planet, Kim Jong Un and his compatriots.
Life was good. Ri helped bring in somewhere between $50 million and $100 million for North Korean elites, and was handsomely rewarded with luxuries most North Koreans couldn’t dream of in years past: a car, a color TV and some extra cash on the side, once rarities in the communist state but more commonplace now in the capital, Pyongyang.
But he watched the regime kill his peers and their families, even children.
“It was not just high level officers, officials, but their families, their children (and) their followers,” Ri told CNN in his first interview to a major US broadcast network. “It was not just once or twice a year — it was ongoing throughout the year, thousands of people being executed or purged.”
Ri said the final straw came in late 2013, when Kim Jong Un executed his own uncle, Jang Song Thaek, with an anti-aircraft gun.
“It was a cruel and crude method of execution,” he said. “After all these years living in the socialist system, I never witnessed anything like that.”
Ri was living in China at the time, and in 2014 was able to safely defect with his family.
And just like that, Kim lost one of his top money makers.

Office 39

Ri said he worked for decades in what’s known as “Office 39.”
The office is in charge of bringing in hard currency for the regime. Ri calls it a “slush fund for the leader and the leadership.”
Ri told CNN “Office 39” is not engaged in illicit activities, but the US Treasury Department says otherwise.
The US government accused the office of engaging in “illicit economic activities” to support the North Korean government. It has branches throughout the nation that raise and manage funds and is responsible for earning foreign currency for North Korea’s Korean Workers’ Party senior leadership through illicit activities such as narcotics trafficking.
North Korea has been accused of crimes like hacking banks, counterfeiting currency, dealing drugs and even trafficking endangered species.
Workers who help bring in cash for the regime are granted access to the outside world — especially China — in order to establish networks that are crucial to making money, analysts say. They often have diplomatic privileges that allow them to evade their host country’s domestic laws, experts say.
Ri said he was not involved in illegal activities and that they were not under the purview of Office 39, but did not deny they occurred. He said much of North Korea’s hard cash is earned through exporting labor — the country sends workers across the globe and collects much of their pay, according to the UN — and exporting natural resources like coal, which China used to buy but has since stopped.
Illicit activities make a lot of money, though. The Congressional Research Service estimated in 2008 that North Korea could earn anywhere from $500 million to $1 billion from these types of illicit activities.
That money helps fund the lavish lifestyles of the North Korean elites while sanctions limit the country’s ability to make money. That keeps North Korea’s leadership happy and helps Kim prevent coup attempts, analysts say.
“They (North Korean leaders) are focused on maintaining their ruling power, and they are working on making this dynasty-like system lasting for a long time,” Ri said. “So instead of focusing on their economic development or better life, they are more focused on maintaining their system.”
Some of Office 39’s profits also go to the country’s nuclear and missile programs, which crossed an important threshold this month with the testing of two intercontinental ballistic missiles, weapons that experts say likely put the United States homeland in North Korea’s range.
CNN reached out to the North Korean mission at the United Nations for a response to the interview with Ri. An official at the mission said Ri was lying to “make money and save his own life.”

‘Hundreds of fishing boats’

Analysts say Office 39 is likely now in the cross hairs of US President Donald Trump’s administration.
The Trump team has made it clear that one of the ways it plans to deal with North Korea is to squeeze its revenue streams across the globe in order to pressure them into negotiations over their weapons programs.
Ri is not sure if the tactic will work, as he says it’s easy to side-step sanctions and believes the international community has made strategic mistakes that could come back to bite them.
North Korean companies can just change their names once sanctioned, he says. North Korean leaders don’t keep much money abroad, so the sanctions against them are pointless, according to Ri. Smugglers are difficult to catch.
“Smuggling is conducted by any and every means you could imagine. Mostly larger items are done using ships, for example by filing a cargo list … where what’s written on the (list) is different from what is really being shipped,” he said. “On the open sea, the Yellow Sea, there are hundreds of fishing boats — both from China and North Korea — and all the smuggling is done by these so-called fishing boats.”

Going after China

Ri believes that secondary sanctions — targeting those who do business with North Korea, like the United States did to China’s Bank of Dandong in June — are the way to go, especially in China.
Beijing accounted for about 85% of North Korean imports in 2015, according to UN data, though Ri revealed that Pyongyang does import some oil from Russia.
North Korean economist Ri Gi Song told CNN in February that China accounts for 70% of trade and that trade with Russia is increasing. More here from CNN.