U.S. Puts Former Gitmo Detainee on Terror List, Istanbul Attack

What has he been doing since his release 10 years ago? Planning and recruiting for the Istanbul airport terror attack? And Obama released 3 detainees in 2 days and more to come. What about those ‘forever’ detainees like Khalid Sheik Mohammed? Hummmm

Ex-Gitmo detainee, Islamic State’s leader in Chechnya designated by State Department

The State Department announced today that two jihadists have been added to the US government’s list of designated terrorists.

One of the two, Ayrat Nasimovich Vakhitov, was once detained at Guantanamo and was recently arrested by Turkish authorities. According to Voice of America, Vakhitov is “among 30 people Turkish authorities say they have arrested in connection with” the terrorist attack at Istanbul’s Ataturk airport late last month. No terrorist organization has claimed responsibility for the assault on the airport, which left more than 40 people dead. But it is widely suspected to be the work of the Islamic State.

The second newly-designated terrorist is Aslan Avgazarovich Byutukaev, who leads the jihadists in Chechnya who are loyal to the Islamic State’s so-called Caucasus province.

Former Guantanamo Detainee


Vakhitov (pictured on the right) was held at Guantanamo for less than two years, from June 2002 until February 2004. He was then transferred to Russia. The State Department’s designation page does not say that Vakhitov was once detained at the American facility in Cuba, but The Long War Journal has confirmed that he is the same individual.

The details of his story, as recounted in a leaked Joint Task Force – Guantanamo (JTF-GTMO) threat assessment, are somewhat odd. Vakhitov was “arrested by the Taliban on suspicion of espionage, and incarcerated at the Sarpuza prison complex in Kandahar,” the leaked file reads. He was apparently transferred to Guantanamo because of “his possible knowledge of an American citizen killed” at that same prison “while he was there.”

JTF-GTMO ultimately concluded that Vakhitov was neither affiliated with al Qaeda nor a Taliban leader. He was recommended for transfer. But JTF-GTMO also expected that he would remain imprisoned inside Russia.

“Because of the Russian government’s agreement to incarcerate this detainee upon his transfer, and provided that he remains incarcerated under the control of the Russian government, the detainee poses no future threat to the U.S. or its allies,” JTF-GTMO’s threat assessment reads.

The State Department says that Vakhitov “is associated with Jaysh al-Muhajirin Wal Ansar” (JMWA, or “the Army of the Emigrants and Helpers”). Part of the original JMWA organization joined the Islamic State, while the rest of the organization continued to operate independently before swearing allegiance to Al Nusrah Front in Sept. 2015. Al Nusrah is al Qaeda’s official branch in Syria and the Islamic State’s rival.

The State Department’s designation page does not mention Vakhitov’s reported arrest in Turkey, but does say he has “used the internet to recruit militants to travel to Syria.”

Islamic State leader in Chechnya

The State Department notes that Byutukaev was a “prominent leader” in the Islamic Caucasus Emirate (ICE). ICE is openly loyal to al Qaeda, but has suffered a string of defections to the Islamic State.

Russian security forces killed ICE’s top emir and his two successors in less than two years’ time, from late 2013 until mid-2015. The decapitation strikes likely helped the Islamic State win the loyalty of some of ICE’s most important remaining commanders, including Byutukaev.

Byutukaev, also known as Emir Khamzat, was a close confidant of Dokku Umarov and led ICE’s Riyad-us-Saliheen Martyr Brigade. But Umarov perished sometime in late 2013 or early 2014. His replacement, Aliaskhab Kebekov, more commonly known as Ali Abu Muhammad al Dagestani, was subsequently killed by Russian forces in April 2015.

Less than two months after Kebekov’s demise, Byutukaev officially broke with ICE, declaring himself to be one of Baghdadi’s men.

The pro-al Qaeda contingent in the Caucasus then suffered another blow when Abu Usman, Kebekov’s successor, was hunted down in August 2015. Both Kebekov and Abu Usman were vocal opponents of Abu Bakr al Baghdadi’s Islamic State, so much so that al Qaeda’s main propaganda arm continues to feature clips of their anti-Baghdadi lectures in its productions.

High value targeting, as it is commonly called, is an essential part of any government’s counterterrorism strategy. But it can lead to unintended consequences as well. In this instance, the deaths of ICE’s top leaders probably helped drive Byutukaev and his comrades into the Islamic State’s arms. The large contingent of fighters from the Caucasus region in the Islamic State’s ranks in Iraq and Syria most likely added to the pressure on the jihadists back home to flip as well.

The State Department notes that Byutukaev is “responsible for directing numerous deadly suicide bombing operations, including the January 2011 attack at the crowded international arrivals hall of Moscow’s Domodedovo Airport.” The bombing killed at least 35 people and wounded more than 100 others.

Umarov, who was ICE’s emir at the time, quickly claimed credit for the airport attack in a video released online.


Umarov also appeared in another video alongside Byutukaev (seen on the left in the photo included here) and a suicide bomber identified only as “Saifullah.” Umarov said that he had visited the Riyad-us-Saliheen Martyr Brigade’s base before sending Saifullah on a “special operation,” meaning the bombing at Domodedovo.

At the end of the video, both Umarov and Byutukaev were shown embracing Saifullah. [See LWJ report, Caucasus Emirate leader threatens Russia with ‘a year of blood and tears.’]

“Since becoming an ISIL [Islamic State in Iraq and the Levant] leader in June 2015,” State reports, “Byutukaev has planned attacks on behalf of the group.” One of these operations took place in November 2015, when “Russian Special Forces discovered a large bomb hidden on the side of the road in Kantyshevo, Ingushetiya, Russia.”

The Caucasus “province” was announced in June 2015, after Islamic State spokesman Abu Muhammad al Adnani publicly accepted the oaths of allegiance sworn by jihadists throughout the region. The Caucasus branch is reportedly led by Rustam Asilderov, a former ICE leader who defected to the Islamic State in late 2014. Asilderov’s defection set off a firestorm of controversy and bickering among the Caucasus jihadists.

In Sept. 2015, Foggy Bottom designated the Islamic State’s Caucasus “province” as a terrorist organization and also identified other ICE defectors who had joined its cause.

Thomas Joscelyn is a Senior Fellow at the Foundation for Defense of Democracies and the Senior Editor for The Long War Journal.

*****

Aiat Nasimovich Vahitov, also spelled Ayrat Wakhitov or Vahidov (Tatar Cyrillic: Айрат Вахитов, Latin: Ayrat Waxitov) is an ethnic Tatar citizen of Russia who was held in extrajudicial detention in the United States Guantanamo Bay detention camp, in Cuba.[1] He was repatriated with six other Russians in February 2004. Fluent in Arabic, Pashto, Persian, Urdu and Russian, he also spoke basic English.[2]

On May 15, 2006 the Department of Defense released its first full official list of all the Guantanamo detainees who were held in military custody.[3] Airat Vakhitov’s name is not on that list. The list includes an individual named Aiat Nasimovich Vahitov, who was born on March 27, 1977, in Naberezhnye Chelny, Tatarstan, Russia.

Russian authorities released the detainees after investigations into whether they had broken any Russian laws.

Vakhitov spoke publicly on June 28, 2005 about torture in Guantanamo when he announced he was planning to sue the United States for his mistreatment.[4] He was invited, by Amnesty International, to speak about Guantanamo torture, in London, on November 2, 2002.

Geydar Dzhemal, chairman of the Islamic Committee of Russia, reported that he was hosting Vakhitov, and another former Guantanamo detainee, Rustam Akhmyarov, following threats by security officials.[5] According to Dzhemal the security officials had visited Vakhitov, and warned him that he should only talk about torture in Guantanamo Bay, not Russian torture. Dzhemal reported that security officials subsequently seized Vakhitov and Akhmyarov from his apartment on August 29, 2005. He called their seizure a kidnapping because they refused to show their identification. He predicted that the pair would be arrested on trumped up charges, to curtail their human rights activities.

The pair were released from detention on September 2, 2005. More details here.

FBI Required to Sign Unique NDA on Hillary Case

If you think the Hillary team, the Department of Justice and the FBI have not colluded with the White House to alter the course of history and the election, then think again.

Proof? Click the link and read it for yourself.  It is all clear now how confident Hillary was, why Comey made his press briefing and why Loretta Lynch refused to answer questions at the hearing. This takes the Department of Justice to the highest level of corruption and collusion in American history. Think about that.


‘Gag’ order: FBI confirms special secrecy agreements for agents in Clinton email probe

FNC: The FBI has confirmed to a senior Republican senator that agents were sworn to secrecy — and subject to lie detector tests — in the Hillary Clinton email probe, an extensive measure one former agent said could have a “chilling effect.”

A July 1 letter sent by a senior deputy to FBI Director James Comey to Senate Judiciary Committee Chairman Charles Grassley, R-Iowa, detailed the restrictions on agents. The letter, reviewed by Fox News, confirmed agents signed a “Case Briefing Acknowledgement” which says the disclosure of information is “strictly prohibited” without prior approval, and those who sign are subject to lie detector tests.

“The purpose of this form is to maintain an official record of persons knowledgeable of a highly sensitive Federal Bureau of Investigation counterintelligence investigation,” the agreement attached to the Grassley letter reads, “….I (FBI agent) also understand that, due to the nature and sensitivity of this investigation, compliance with these restrictions may be subject to verification by polygraph examination.”

The measures show the extent to which the bureau has gone to keep additional details of the politically sensitive case from going public. While Comey has provided some information ‎on why the FBI did not opt to pursue charges, Attorney General Loretta Lynch repeatedly ducked questions on specifics of the case at a House hearing Tuesday.

A recently retired FBI agent, who declined to speak on the record, citing the sensitivity of the matter, said a “Case Briefing Acknowledgement” is reserved for “the most sensitive of sensitive cases,” and can have a “chilling effect” on agents, who understand “it comes from the very top and that there has to be a tight lid on the case.”

The former agent said the agreements can also contribute to “group think” because investigators cannot bounce ideas off other agents, only those within a small circle.


Hillary Emails Recovered by FBI to be Released

Earlier this year, top officials at the Justice Department and FBI began formulating a rough plan for how the findings in the unusual Clinton probe would be announced, officials close to the matter said. The idea that some top officials supported was that the FBI and the Justice Department, which have jointly managed the probe, would announce their decision together and at the same time announce how they came to it. This would prevent the spectacle of the FBI concluding its investigation then handing over recommendations to the Justice Department for review, with a final decision to be announced by Lynch.

But as the investigation drew to a close in the late spring, Comey began having other thoughts.
The political furor of the investigation was reaching a fever pitch.
FBI officials and Clinton’s lawyers began discussing plans for her interview and possible dates when she could come by FBI headquarters, preferably without a mob of reporters following her. There were some internal disputes about timing, with some at the FBI believing the interview could have happened weeks ago and Justice lawyers pushing to wait for more investigative work to be completed.
And last week, just when the political atmosphere surrounding the FBI investigation couldn’t seem more charged, things took a new bizarre turn. Former President Bill Clinton charged uninvited onto Lynch’s plane parked on the tarmac at the Phoenix airport. Lynch and the former president said they discussed nothing related to the probe and kept the visit to social matters. More on all the pre-planning and political planning is here from CNN.
*****
Senator Cornyn has introduced S.3135, the Taking Responsibility Using Secured Technologies (TRUST) Act of 2016, which would put Congress on record saying that Clinton should have no access to classified information “until she earns the legal right to such access.”
*****

State Dept. to release deleted Clinton emails uncovered by FBI

You can bet these emails won’t be released until after the November election, right?

WashingtonExaminer: State Department officials plan to publish all work-related emails discovered on Hillary Clinton’s private servers by the FBI once agents turn over the records Clinton withheld from the government.

“Just as we processed the material turned over to the department by former Secretary Clinton, we will appropriately and with due diligence process any additional material that we receive from the FBI to identify work-related records and make them available to the public,” agency spokesman John Kirby said Wednesday.

Clinton had previously stated her legal team provided everything that could possibly be considered related to her State Department work to the agency in late 2014.

However, the year-long FBI investigation into her treatment of classified material discovered “several thousand” work-related records on the servers agents took into custody last year.

Clinton has yet to address the contradiction in her statement and the findings of the FBI.

Kirby did not provide a timeline of when the newly-uncovered emails would be available to the public.

****

While much attention has been given to the meeting between Loretta Lynch and former President Bill Clinton on her private plane, there are symptoms the decision was made long before to close the case and not prosecute Hillary Clinton for violations of the Espionage Act. When Hillary made the ‘gesture’ to meet with the FBI for 3.5 hours on a Saturday morning, nothing was gained such that the FBI did not take her responses with any seriousness to continue with the investigation. So…..what is the chatter at the water coolers at the FBI?

Source: FBI Agents Believe An ‘Inside Deal’ Protected Hillary Clinton

“FBI agents believe there was an inside deal put in place after the Loretta Lynch/Bill Clinton tarmac meeting.”

Was the FBI investigation of Hillary Clinton’s mishandling of classified information cooked from the very beginning? According to the New York Post, FBI agents investigating Hillary Clinton’s use of an unsecured, private email server during her tenure as Secretary of State were required to sign unprecedented non-disclosure agreements prohibiting them from disclosing anything about their investigation of Hillary.

A former FBI chief told the New York Post that such a requirement is “very, very unusual.”

While FBI agents are typically required to sign vanilla non-disclosure agreements as part of their security clearances, law enforcement sources say they’ve never heard of a “Case Briefing Acknowledgment,” the agreement agents investigating Clinton were reportedly required to sign.

“FBI agents believe there was an inside deal put in place after the Loretta Lynch/Bill Clinton tarmac meeting,” a source told the Post.

Last week, FBI Director James Comey said that despite Clinton being “extremely careless” with classified information, the agency would recommend the presumptive Democratic nominee not face any criminal charges. Following his comments, the U.S. Department of Justice formally closed the Clinton email case.

A week before the DOJ closed the case, Attorney General Loretta Lynch privately met with Bill Clinton aboard a private jet on the tarmac of an airport in Phoenix — raising serious concerns about the integrity of the investigation.

Hillary Clinton is reportedly planning to keep Lynch on as AG if she wins in November, according to The New York Times.

During a congressional hearing last week, Comey told the House Oversight Committee the FBI had no transcript or recording of its July 4 weekend interview with Hillary Clinton, nor was she required to swear an oath promising to tell the truth.

But John Kerry, Iran Does Support al Qaeda

Primer:

The State Department confirmed that Iran continues to work with Al-Qaeda elements, despite their expressed hostility towards one another. It stated: “Iran remained unwilling to bring to justice senior Al-Qaeda (AQ) members it continued to detain, and refused to publicly identify those senior members in its custody.

Iran allowed AQ facilitators Muhsin al-Fadhli and Adel Radi Saq al-Wahabi al-Harbi to operate a core facilitation pipeline through Iran, enabling AQ to move funds and fighters to South Asia and also to Syria.

Al-Fadhli is a veteran AQ operative who has been active for years. Al-Fadhli began working with the Iran-based AQ facilitation network in 2009 and was later arrested by Iranian authorities. He was released in 2011 and assumed leadership of the Iran-based AQ facilitation network.” Clarion Project

Related reading: Al Qaeda’s Global Reach – State Dept Foreign Terror Org. List

Related reading: Usama bin Ladin’s sons thought to be in Iran

Related reading: Osama bin Laden’s Son Threatens Revenge Against U.S. For Father’s Assassination

Top Intel Official: Al Qaeda Worked on WMD in Iran

New evidence of the bin Laden-Iran connection.

WeeklyStandard: Al Qaeda operatives based in Iran worked on chemical and biological weapons, according to a letter written to Osama bin Laden that is described in a new book by a top former U.S. intelligence official.

The letter was captured by a U.S. military sensitive site exploitation team during the raid on bin Laden’s Abbottabad headquarters in May 2011. It is described in Field of Fight, out Tuesday from Lieutenant General Michael Flynn, the former head of the Defense Intelligence Agency, and Michael Ledeen of the Foundation for Defense of Democracies.

“One letter to bin Laden reveals that al Qaeda was working on chemical and biological weapons in Iran,” Flynn writes.

Flynn’s claim, if true, significantly advances what we know about al Qaeda’s activity in Iran. The book was cleared by the intelligence community’s classification review process. And U.S. intelligence sources familiar with the bin Laden documents tell us the disclosure on al Qaeda’s WMD work is accurate.

Flynn notes that only a small subset of bin Laden’s files have been released to the public. The “Defense Intelligence Agency’s numerous summaries and analyses of the files remain classified,” too, Flynn writes. “But even the public peek gives us considerable insight into the capabilities of this very dangerous global organization.”

It’s not just al Qaeda.


“There’s a lot of information on Iran in the files and computer discs captured at the Pakistan hideout of Osama bin Laden,” Flynn writes in the introduction. The authors note that the relationship between Iran and al Qaeda “has always been strained” and “[s]ometimes bin Laden himself would erupt angrily at the Iranians.” Previously released documents and other evidence show that al Qaeda kidnapped an Iranian diplomat in order to force a hostage exchange and bin Laden was very concerned about the Iranians’ ability to track his family members.

And yet the book makes clear that Flynn believes there is much more to the al Qaeda-Iran relationship than the public has been told. And that’s not an accident. Obama administration “censors have been busy,” Flynn writes, blocking the release of the bin Laden documents to the public and, in some cases, to analysts inside the U.S. intelligence community. “Some of it—a tiny fraction—has been declassified and released, but the bulk of it is still under official seal. Those of us who have read bin Laden’s material know how important it is…”

Not surprisingly, Obama administration officials bristle at Flynn’s characterization of their lack of transparency and lack of urgency on jihadists and their state sponsors. “Mike Flynn, in true Kremlin form, has been peddling these baseless conspiracy theories for years. Anyone who thinks Iran was or is in bed with al Qaeda doesn’t know much about either,” an Obama administration official told THE WEEKLY STANDARD.

It’s an odd line of attack, given the fact that the Obama administration has repeatedly accused Iran of directly aiding al Qaeda. The Treasury and State Departments publicly accused the Iranian regime of allowing al Qaeda to operate inside Iran in: July 2011, December 2011, February 2012, July 2012, October 2012, May 2013, January 2014, February 2014, April 2014, and August 2014. In addition, in congressional testimony in February 2012, Director of National Intelligence James Clapper described the relationship as a “marriage of convenience.”

Asked about the administration’s own repeated statements pointing to the Iranian regime’s deal with al Qaeda, the administration official who dismissed Flynn’s claim as a “baseless conspiracy” theory declined to comment further.

The Flynn/Ledeen claim about al Qaeda’s WMD work in Iran comes with an interesting wrinkle. The authors preface their disclosure of al Qaeda’s work on “chemical and biological weapons in Iran” by suggesting that the revelation was included in documents already public.

But the only document released to date that seems to touch on the subject is a March 28, 2007, letter to an al Qaeda operative known as “Hafiz Sultan.” The letter, which discussed the possibility of Iran-based al Qaeda operatives using chlorine gas on Kurdish leaders and includes a likely reference to Atiyah ‘Abd-al-Rahman, was released by the administration via the Combating Terrorism Center at West Point in May 2012. President Obama’s Treasury Department has claimed that Rahman was appointed by Osama bin Laden “to serve as al Qaeda’s emissary in Iran, a position which allowed him to travel in and out of Iran with the permission of Iranian officials.” It is not, however, addressed to bin Laden and it does not include a reference to biological weapons.

And while the U.S. Treasury and State Department have repeatedly sanctioned al Qaeda’s operatives inside Iran and offered rewards for information on their activities, as noted, statements from Treasury and the State Department do not mention al Qaeda’s “chemical and biological weapons” work inside Iran.

The takeaway: It does not appear that the al Qaeda document referenced by Flynn has been released by the U.S. government.

Flynn and others who have seen the documents say there are more explosive revelations in the bin Laden files kept from the public. Those already released give us a hint. One document, released in 2015, is a letter presumably written by Osama bin Laden to the “Honorable brother Karim.” The recipient of the October 18, 2007, missive, “Karim,” was likely an al Qaeda veteran known as Abu Ayyub al Masri, who led al Qaeda in Iraq (AQI) at the time.

Bin Laden chastised the AQI leader for threatening to attack Iran. The al Qaeda master offered a number of reasons why this didn’t make sense. “You did not consult with us on that serious issue that affects the general welfare of all of us,” bin Laden wrote. “We expected you would consult with us for these important matters, for as you are aware, Iran is our main artery for funds, personnel, and communication, as well as the matter of hostages.”

That language from bin Laden sounds a lot like the language the Obama administration used in July 2011, when a statement from the U.S. Treasury noted that the network in Iran “serves as the core pipeline through which Al Qaeda moves money, facilitators and operatives from across the Middle East to South Asia.”

David Cohen, who was then a top Treasury official and is now the number two official at the CIA, told us back then: “There is an agreement between the Iranian government and al Qaeda to allow this network to operate. There’s no dispute in the intelligence community on this.”

Why, then, is the Obama administration attempting to dismiss the cooperative relationship between Iran and al Qaeda as a “baseless conspiracy?” Good question.

And it’s one that releasing the rest of the documents could help answer.

Note: Flynn’s co-author Michael Ledeen is a colleague of Thomas Joscelyn at the Foundation for Defense of Democracies.

****

Most recently, in September, the Obama administration launched missile strikes against al Qaeda’s so-called Khorasan Group in Syria. The administration pointed to  indicating that this cadre of “core” al Qaeda operatives was planning mass killings in the West, and possibly even in the United States. Two of the terrorists who lead the Khorasan Group formerly headed al Qaeda’s operations in Iran. Tellingly, Iran allowed this pair to continue their fight against the West, even as they have battled Iran’s chief allies in Syria.

Obama’s Treasury Department first publicly recognized the relationship between the Iranian regime and al Qaeda on July 28, 2011. Treasury added six al Qaeda operatives to the U.S. government’s list of designated terrorists. The principal terrorist among them is known as Yasin al-Suri, “a prominent Iran-based al Qaeda facilitator” who operates “under an agreement between al Qaeda and the Iranian government.” Treasury described al Qaeda’s presence in Iran as a “core pipeline” and “a critical transit point for funding to support al Qaeda’s activities in Afghanistan and Pakistan.” Treasury made it clear that other high-level al Qaeda members were actively involved in shuttling cash and recruits across Iran.

Grid Hacking Tool Found, Have a Generator Yet?

Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web

Motherboard: A sophisticated piece of government-made malware, designed to do reconnaissance on an energy grid’s systems ahead of an eventual cyberattack on critical infrastructure, was found on a dark web hacking forum.

Cybersecurity researchers usually catch samples of malicious software like spyware or viruses when a victim who is using their software, such as an antivirus, gets infected. But at times, they find those samples somewhere else. Such was the case for Furtim, a newly discovered malware, caught recently by researchers from the security firm SentinelOne.

SentinelOne’s researchers believe the malware was created by a team of hackers working for a government, likely from eastern Europe, according to a report published on Tuesday.

Hacking forums, of course, are home to a lot of malicious data and software. But they are usually not places where sophisticated government-made hacking tools get exchanged.

Udi Shamir, chief security officer at SentinelOne, said that it’s normal to find reused code and malware on forums because “nobody tries to reinvent the wheel again and again and again.” But in this case, “it was very surprising to see such a sophisticated sample” appear in hacking forums, he told Motherboard in a phone interview.

“This was not the work of a kid. […] It was cyberespionage at its best.”

Shamir said that the malware, dubbed Furtim, was “clearly not” made by cybercriminals to make some money but for a government spying operation.

Furtim is a “dropper tool,” a platform that infects a machine and then serves as a first step to launch further attacks. It was designed specifically to target European energy companies using Windows, was released in May, and is still active, according to SentinelOne.

Another interesting characteristic is that Furtim actively tries to avoid dozens of common antivirus products, as well as sandboxes and virtual machines, in an attempt to evade detection and stay hidden as long as possible. The goal is “to remove any antivirus software that is installed on the system and drop its final payload,” SentinelOne’s report reads.

Security experts believe that critical infrastructure, such as the energy grid, is highly vulnerable to cyberattacks, and believe a future conflict might start with taking down the power using malware. While it might sound far-fetched, at the end of last year, hackers believed to be working for the Russian government caused a blackout in parts of Ukraine after gaining access to the power grid using malware.

It’s unclear who’s behind this cyberespionage operation, but Shamir said it’s likely a government from Eastern Europe, with a lot of resources and skills. The malware’s developers were very familiar with Windows; they knew it “to the bone,” according to him.

“This was not the work of a kid,” he said. “It was cyberespionage at its best.”

****

The dropper’s principal mission is to avoid detection; it will not execute if it senses it’s being run in a virtualized environment such as a sandbox, and it can also bypass antivirus protection running on compromised machines.

The sample also includes a pair of privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.

“It escalates privileges after all these checks and registers a hidden binary that it drops onto the hard drive that runs early in the boot process,” SentinelOne senior security researcher Joseph Landry said. “It will go through and systematically remove any AV on the machine that it targets. Then it drops another payload to the Windows directory and runs it during login time.” More from ThreatPost
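The two behaviours described above (an autostart registered for early boot or logon, and antivirus silently removed) are what a defender can hunt for on a Windows host. The following PowerShell audit is an added example, not code from SentinelOne or ThreatPost; the registry locations it checks and the `Invoke-DropperPersistenceAudit` helper name are assumptions, chosen because they are the standard Windows autostart points, not locations named in the Furtim analysis.

```powershell
# Defender-side audit (added example, hypothetical helper): list early-boot and
# logon-time autostart entries, flag ones whose executable is not validly signed,
# and report whether any antivirus product is still registered on the host.

function Get-AutostartEntries {
    # Locations are an assumption (standard Windows autostarts), not from the report.
    $locations = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';          Name = 'BootExecute'; Phase = 'early boot' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name = 'Userinit';    Phase = 'logon' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name = 'Shell';       Phase = 'logon' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';             Name = $null;         Phase = 'logon' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';         Name = $null;         Phase = 'logon' },
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';             Name = $null;         Phase = 'logon' }
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path $loc.Path)) { continue }
        $props = Get-ItemProperty -Path $loc.Path
        # A fixed value name, or every value in the key (skipping the PS* provider properties)
        $names = if ($loc.Name) { @($loc.Name) } else {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
        }
        foreach ($n in $names) {
            $value = $props.$n
            if ($null -eq $value) { continue }
            foreach ($v in @($value)) {          # BootExecute is a multi-string
                [pscustomobject]@{ Phase = $loc.Phase; Location = "$($loc.Path)\$n"; Command = [string]$v }
            }
        }
    }
}

function Get-CommandPath([string]$Command) {
    # Pull the executable path out of a command line such as "C:\x\y.exe" /arg
    if ($Command -match '^\s*"?([^"]+?\.(exe|dll|cmd|bat|ps1))\b') { return $Matches[1] }
    return $null
}

function Get-AntivirusState {
    # root/SecurityCenter2 exists on client SKUs only; fall back to the Defender service on servers.
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
        foreach ($p in $products) {
            [pscustomobject]@{ Product = $p.displayName; State = ('0x{0:X6}' -f $p.productState) }
        }
    } catch {
        $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
        [pscustomobject]@{ Product = 'WinDefend service'; State = if ($svc) { [string]$svc.Status } else { 'not installed' } }
    }
}

function Invoke-DropperPersistenceAudit {
    $findings = foreach ($entry in Get-AutostartEntries) {
        $path = Get-CommandPath $entry.Command
        $sig  = 'n/a'
        if ($path -and (Test-Path $path)) {
            # An autostart binary that is not validly signed deserves a closer look
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [pscustomobject]@{
            Phase      = $entry.Phase
            Location   = $entry.Location
            Command    = $entry.Command
            Signature  = $sig
            Suspicious = ($sig -ne 'n/a' -and $sig -ne 'Valid')
        }
    }
    $av = @(Get-AntivirusState)
    $avMissing = ($av.Count -eq 0) -or ($av | Where-Object { $_.State -in 'not installed', 'Stopped' })
    [pscustomobject]@{
        Autostarts        = $findings
        AntivirusProducts = $av
        # Hosts with no working AV plus an unsigned autostart match the behaviour
        # described for this dropper and should be triaged first.
        NeedsTriage       = [bool]($avMissing -and ($findings | Where-Object Suspicious))
    }
}

$result = Invoke-DropperPersistenceAudit
$result.Autostarts | Format-Table -AutoSize
$result.AntivirusProducts | Format-Table -AutoSize
"Needs triage: $($result.NeedsTriage)"
```

Run it from an elevated prompt so the HKLM keys and signature checks are readable; a validly signed Microsoft `userinit.exe` and the default `autocheck autochk *` entry are expected, anything else is what to investigate.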