N Korean, Park Jin hyok Charged with Global Cyber Attacks

Posted on September 11, 2018September 11, 2018 by Denise Simon

U.S. CHARGES NORTH KOREAN HACKER

Federal prosecutors charged a North Korean man, Park Jin-hyok, with crimes in connection with a series of costly cyberattacks around the globe, including the WannaCry ransomware attack in 2018, the heist of Bangladesh’s central bank in 2017, and the hack of Sony Pictures in 2014. It is the first time the Justice Department has explicitly charged a North Korean hacker backed by the government. Park was allegedly working as a programmer for a North Korean front company in China called Chosun Expo, which had ties to North Korea’s military intelligence.

Legal analysts say the complaint is the most detailed public accounting yet of North Korea’s cyberattacks against foreign adversaries. The Justice Department has now brought hacking-related charges against North Korea, China, Iran, and Russia. (WSJ, NYT, Reuters, DOJ)

Park Jin Hyok, named by officials as a member of the so-called Lazarus Group hacking team behind last year’s WannaCry global ransomware attack and the 2014 digital attack on Sony, apparently used not only advanced technology, but elaborate reconnaissance work to digitally steal money and sensitive information.

First, Park would obtain a number of email addresses of people affiliated with target businesses from traders dealing in large amounts of personal information. Then he would use the emails to gain an understanding of company employees’ fields of interest and personal relationships.

That would let him craft emails that could pass as genuine messages from major companies in content and style, a tactic known as spear phishing. After spending some time building trust, he would send the malicious links to websites that would infect a target’s computer.

In one case, Park apparently masqueraded as a human resources official at a U.S. defense-linked company to exchange messages with workers at one of the company’s competitors.

Last week’s charges were said to be the first in years against a North Korean hacker related to high-profile attacks linked to the state. The attack on Sony came as the company was preparing to release a movie called “The Interview,” which depicted the assassination of a character resembling North Korean leader Kim Jong Un. The group also allegedly stole $81 million from the central bank of Bangladesh in 2016.

A North Korean suspect is wanted by U.S. authorities on suspicion of hacking. (Courtesy of the U.S. Federal Bureau of Investigation)

“We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign,” Christopher Wray, director of the Federal Bureau of Investigation, said in a statement on Sept. 6.

The U.S. Treasury also imposed sanctions on Park and a Chinese business he was affiliated with. “We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in his own statement.

Under Kim, the North has consolidated its cyber forces under its Reconnaissance General Bureau, which handles overseas spying. The state has a team of 6,800, according to the South Korean government, and is counted as one of the five cyber powers along with the U.S., Russia, China and Israel.

The core of cyber operations is a team known as “Bureau 121,” established in 1998 by Kim’s father, then-leader Kim Jong Il. Bureau 121 is known for its willingness to commit crimes for the sake of bringing in cash.

“The technology behind North Korea’s cybercrimes is some of the most advanced in the world,” said a source with the U.S. State Department.

Governments and businesses around the world are hurrying to guard themselves from the North’s attacks even as its methods grow more sophisticated. Further cooperation between countries’ cyberdefense authorities may be key to finding effective solutions.

British Airways: The airline said a “very sophisticated” hacker stole credit card details of hundreds of thousands of its customers in recent days. Anyone who lost out financially as a result of the breach would be compensated, BA officials said. (Reuters)

JPMorgan Hacker: A Russian man, Andrei Tyurin, has been extradited by Georgia to the United States on charges that he participated in the 2014 hack of JPMorgan Chase and other U.S. companies. (Reuters)

Middleweight Boxing Champion Led a Crime Syndicate

Posted on September 7, 2018September 7, 2018 by Denise Simon

The Shulaya Enterprise was an organized criminal group operating under the direction and protection of Razhden Shulaya, a/k/a “Brother,” a/k/a “Roma,” a “vor v zakone” or “vor,” which are Russian phrases translated roughly as “Thief-in-Law” or “Thief,” and which refer to an order of elite criminals from the former Soviet Union who receive tribute from other criminals, offer protection, and use their recognized status as vor to adjudicate disputes among lower-level criminals. As a vor, Shulaya had substantial influence in the criminal underworld and offered assistance to and protection of the members and associates of the Shulaya Enterprise. Those members and associates, and Shulaya himself, engaged in widespread criminal activities, including acts of violence, extortion, the operation of illegal gambling businesses, fraud on various casinos, identity theft, credit card frauds, trafficking in large quantities of stolen goods, money laundering through a fraudulently established vodka import-export company, payment of bribes to local law enforcement officers, and the operation of a Brooklyn-based brothel.

The Shulaya Enterprise operated through groups of individuals, often with overlapping members or associates, dedicated to particular criminal tasks. While many of these crews were based in New York City, the Shulaya Enterprise had operations in various locations throughout the United States (including in New Jersey, Pennsylvania, Florida, and Nevada) and abroad. Most members and associates of the Shulaya Enterprise were born in the former Soviet Union and many maintained substantial ties to Georgia, Ukraine, and the Russian Federation, including regular travel to those countries, communication with associates in those countries, and the transfer of criminal proceeds to individuals in those countries.

Not too sure he was not a spy either frankly.

Georgian former boxing champion Avtandil Khurtsidze has been sentenced to 10 years in prison for working as the “chief enforcer” for an “elite” criminal enterprise.

He was convicted in June in New York of racketeering and wire fraud conspiracy.

Prosecutors said the 38-year-old boxer had “substantial influence” in the criminal underworld as part of a Soviet Union crime gang.

They said Khurtsidze used violence in service of the group’s activities.

He and his associates, known as the Shulaya Enterprise, were blamed for crimes across the US including extortion, wire fraud, illegal gambling and operating a brothel in Brooklyn.

Many of the crew’s activities were based in New York but they also operated in other major cities as well as abroad, a justice department statement said.

Officials say most of its members were born in the former Soviet Union, with strong ties to Georgia, where the boxer was born.

Khurtsidze was caught on film twice carrying out assaults, with prosecutors describing him as a “heavyweight enforcer” for the group’s members and leadership.

He was also accused of participating in a complex fraud scheme to predict casino slot machines algorithms, which involved kidnapping a software engineer in Las Vegas in 2014.

Khurtsidze on shoulders with a belt above head

Getty Image

Image caption Khurtsidze was arrested in 2017, scuppering his chances at the WBO middleweight title

On top of his decade federal jail sentence, the Georgian boxer was given two further years supervision on release.

“Thanks to our dedicated law enforcement partners around the globe, Khurtsidze’s reign of extortion and violence has been halted,” US attorney Geoffrey Berman said in a statement.

‘Just a waste’

Khurtsidze held the interim WBO middleweight title in 2017.

His last professional fight was against British boxer Tommy Langford in April 2017, which he won.

A later bout against Billy Joe Sanders was cancelled after Khurtsidze was arrested along with more than 30 others in a swoop against the organised crime syndicate.

Following his conviction, his former promoter Lou DiBella criticised the boxer for squandering his career.

“He let many people down who believed in him, but no one more than himself. Just a waste, and it’s all on him for choosing the dark side,” Mr DiBella told ESPN.

Nations Stand with Britain Against Russia and Poison Attack

Posted on September 7, 2018September 7, 2018 by Denise Simon

LONDON — The leaders of the United States, France, Germany and Canada on Thursday endorsed Britain’s assessment that a nerve-agent attack on a former Russian spy and his daughter in March was conducted by Russian military officers and “almost certainly” approved at a senior level of the Russian government.

The leaders urged Russia to provide a “full disclosure” of its Novichok nerve-agent program and said they would “continue to disrupt together the hostile activities of foreign intelligence networks on our territories.”

The joint statement was released shortly before London’s and Moscow’s envoys to the United Nations squared off in an emergency Security Council meeting called by Britain to brief diplomats on the investigation.

British ambassador Karen Pierce methodically outlined evidence that she said pointed to the Kremlin’s complicity in the attack, which occurred March 4 in the quiet English city of Salisbury.

Two Russians — using the names Alexander Petrov and Ruslan Boshirov — were charged Wednesday in absentia with attempting to murder Sergei Skripal and his daughter, Yulia, with Novichok, a military-grade nerve agent.

Pierce acknowledged the two suspects, who flew back to Russia shortly after the attack, cannot be extradited under the Russian constitution. But she said Britain will ask Interpol to issue an alert to arrest them if they ever leave Russian territory, so they can be tried in Britain. More here from the Washington Post.

Very important short video

Deeper dive:

Sergei Skripal, the Russian double agent who was poisoned with a military-grade nerve agent in England earlier this year, worked with Spanish intelligence after his defection to the United Kingdom, according to sources. Skripal, a former military intelligence officer who spied for Britain in the early 2000s, had kept a low profile while living in the English town of Salisbury. He was resettled there in 2010 by the British Secret Intelligence Service (MI6), after he was released from a Russian prison. But he and his daughter Yulia made international headlines in March, after they were poisoned by a powerful nerve agent that nearly killed them. The attack has been widely blamed on the Russian government, but the Kremlin denies that it had a role in it.

The attempt to kill Skripal surprised some intelligence observers due to the fact that the Russian government had officially pardoned the double agent prior to exchanging him with Russian spies who had been caught in the West. As intelNews wrote in May, “typically a spy who has been pardoned as part of an authorized spy-swap will not need to worry about being targeted by the agency that he betrayed. If it indeed tried to kill Skripal, the Russian government may therefore have broken the unwritten rules of the espionage game”. Eventually, however, it was revealed that, instead of retiring after his defection to the UK, Skripal traveled extensively in Eastern Europe, where he advised local intelligence agencies on how to defend against Russian espionage. The double agent participated in MI6-sponsored events in which he briefed intelligence practitioners in at least two countries, Estonia and the Czech Republic. These activities may have convinced the Kremlin that Skripal had broken the unwritten conditions of his release, namely that he would not participate in any intelligence-related activities against Russia.

Now The New York Times has claimed that, in addition to consulting for Czech and Estonian spies, Skripal also visited Spain, where he met with officers from the country’s National Intelligence Center (CNI). Citing an unnamed Spanish former police chief and Fernando Rueda, a Spanish intelligence expert, The Times said that Skripal advised the CNI about the activities of Russian organized crime in Spain and the alleged connections between Russian mobsters and the Kremlin. When he traveled to Spain under MI6 protection, said the paper, Skripal was effectively returning to the place where he had been initially recruited to spy for the British. Skripal spent several years in Spain, said The Times, serving as a military attaché at the Russian embassy in Madrid. It was there that he began to work secretly for MI6. However, the precise timing of Skripal’s return trips to Spain after 2010, as well as the content of his discussions with Spanish intelligence officials, remain unknown, according to The Times. Hat tip.

Iran Using Same ‘Active Measure’ Tactics Against the U.S.

Posted on August 24, 2018August 24, 2018 by Denise Simon

When traveling internet sites, social media accounts and various news aggregator services, one needs to be even more suspect of what information is out there. Russia has been applying propaganda ‘active measure’ tactics for decades and due to the global internet system, the volume has gone beyond measure.

With all things Russia going on in Washington DC and in media, the success of active measures has been noticed by both China and Iran. Both have launched robust propaganda operations forcing the West and citizens to question authenticity of sites, articles and posts of all forms.

Watch out for those hashtags….influencing voters and fake/false news goes back to at least 2016. The operations are so effective that even big media has been duped and corrections are printed or made often when recognized. Some items are never corrected.

Iran’s Anti-US Propaganda Reflects regime’s instability photo

(Reuters) – Alphabet Inc’s (GOOGL.O) Google said on Thursday it had identified and terminated 39 YouTube channels linked to state-run Islamic Republic of Iran Broadcasting.

Google has also removed 39 YouTube channels and six blogs on Blogger and 13 Google+ accounts.

“Our investigations on these topics are ongoing and we will continue to share our findings with law enforcement and other relevant government entities in the U.S. and elsewhere,” Google said in a blog post here

On Tuesday, Facebook Inc (FB.O), Twitter Inc (TWTR.N) and Alphabet Inc (GOOGL.O) collectively removed hundreds of accounts tied to an alleged Iranian propaganda operation.

Google, which had engaged cyber-security firm FireEye Inc (FEYE.O) to provide the company with intelligence, said it has detected and blocked attempts by “state-sponsored actors” in recent months.

FireEye said here it has suspected “influence operation” that appears to originate from Iran, aimed at audiences in the United States, the U.K., Latin America, and the Middle East.

Shares of FireEye rose as much as 10 percent to $16.38 after Google identified the company as a consultant.

***

The Daily Beast went for a deeper dive on the tactics by Iran and explained a few cases.

An Iranian propaganda campaign created fake Bernie Sanders supporters online, Facebook disclosed Tuesday.

In a press release, the social-media giant said it had removed 652 pages associated with political-influence campaigns traced to Iran, including coordinated inauthentic behavior that originated in Iran and targeted people across multiple internet services in the Middle East, Latin America, U.K., and U.S.”

The cybersecurity company FireEye, which first alerted Facebook to the influence campaign months ago, wrote in a separate posting on its site that it had traced the campaign—including posts from supposed “American liberals supportive of U.S. Senator Bernie Sanders”—to Iran through email addresses and phone numbers associated with the “inauthentic” accounts.

The investigation began with FireEye’s discovery of a fake U.S. news outlet called Liberty Front Press, which Facebook says was created in 2013. The actors behind that site over time branched out into different personas intended to appeal to different audiences including “anti-Saudi, anti-Israeli, and pro-Palestinian themes.” Examples included accounts like The British Left, which published content in support of U.K. Labour party leader Jeremy Corbyn, and the pro-Palestinian Patriotic Palestinian Front. FireEye also says it “identified multiple Arabic-language, Middle East-focused sites” as part of the effort.

Unlike the Russian cyberinfluence campaign in 2016, FireEye didn’t find a complementary hacking campaign attached to the propaganda activity. Iran has spent big on developing its offensive online capabilities, but FireEye said it found no links to APT35—a hacking group that has targeted U.S. defense companies and Saudi energy firms. Instead, the security firm found links between the campaign and Iran’s state-run TV propaganda channel, PressTV.

The Iranian actors behind the campaign expanded beyond Facebook and Instagram and onto Twitter, according to FireEye. In a separate statement late Tuesday, Twitter announced it had suspended 284 accounts for what it said was “coordinated manipulation” and that “it appears many of these accounts originated from Iran.”

The Daily Beast recovered tweets from what appears to be an account associated with the campaign. @libertyfrontpr has since been deleted, but Google cache results show it linked back to the LibertyFrontPress.com website FireEye attributed to be part of the propaganda effort. The account was active as of at least Tuesday and is not listed as suspended on the platform.

The account used hashtags like “#Resist” and #NotMyPresident when tweeting out anti-Trump sentiments. It also weighed in against the Supreme Court nomination of Judge Brett Kavanaugh. “The #Senate has a responsibility to reject any nominee who would fail to be a fair-minded constitutionalist. That is #BrettKavanaugh. We must #StopKavanaugh.”

In a rare move for Holocaust-denying Iranian propaganda, @libertypr slammed the Republican Party for allowing anti-Semite and Holocaust denier John Fitzgerald to run for a seat in the California legislature.

In addition to the U.S. themes, Liberty’s Twitter account also targeted opponents of the Iranian government, including the Mujahedeen Khalq exile group, or MEK, which advocates the overthrow of Iran’s clerical government, with hashtags like “#BanTerrorOrg.”

The takedown marks the second time since the 2016 election that Facebook has appeared to act without U.S. government pressure to stop an alleged political-influence campaign. In late July, Facebook took down a handful of sock-puppet accounts purporting to be black, Hispanic, and #Resistance activists. Facebook didn’t attribute that campaign to a specific country or group, but it did note that some of the accounts had links to the infamous Russian Internet Research Agency troll farm.

Facebook said Tuesday that it had taken down the new batch of pages only after waiting “many months” after being alerted to the campaign by FireEye. The delay allowed the company to further investigate the campaign and improve its defenses against future efforts.

That Deported Nazi was One of Many in the U.S.

Posted on August 22, 2018August 22, 2018 by Denise Simon

by Fred Lucas

Amid a politically-charged debate over its existence, Immigration and Customs Enforcement has removed war criminal Jakiw Palij, marking the 68th deportation of a Nazi from the United States.

On Monday, ICE arrested Palij, 95, a former labor camp guard, enforcing a 2004 court order the same day President Donald Trump praised ICE and Customs and Border Protection officials at a White House ceremony.

Specifically for ICE, created in 2003, this marks at least the fourth Nazi arrest, deporting Nazi concentration camp guards John Demjanjuk and Josias Kumpf in 2009, and soldier John (Ivan) Kalymon in 2011.

“Despite a court ordering his deportation in 2004, past administrations were unsuccessful in removing Palij,” White House press secretary Sarah Huckabee Sanders said in a statement.

“To protect the promise of freedom for Holocaust survivors and their families, President Trump prioritized the removal of Palij. Through extensive negotiations, President Trump and his team secured Palij’s deportation to Germany and advanced the United States’ collaborative efforts with a key European ally,” Sanders added.

For months, some Democrats have demanded the government “abolish ICE,” which is charged with enforcing immigration law in the interior of the country. Last month, three House Democrats introduced legislation to shut down ICE. Meanwhile, other politicians and commentators have compared ICE with Nazis or the Gestapo for arresting illegal immigrants.

ICE is often associated with arresting illegal immigrants that cross the border, but the agency also regularly investigates naturalization fraud, passport fraud, illegal immigrants in possession of firearms, as well as the smuggling of drugs, money, counterfeit merchandise, and weapons into the United States. This includes confronting sexual trafficking, and in some cases, fighting child pornography.

Three ICE offices—Enforcement and Removal Operations, the Office of the Principal Legal Advisor, the Human Rights Violators and War Crimes Center—were all involved in the removal of Palij, according to ICE.

The ICE Human Rights Violators and War Crimes Center, established in 2009, locates and prosecutes human rights abusers in the United States, which includes those known or suspected to have participated in persecution, war crimes, genocide, torture, extrajudicial killings, female genital mutilation, and the use or recruitment of child soldiers.

War criminals won’t find a safe haven in the United States, Homeland Security Secretary Kirstjen Nielsen said in a statement.

“The arrest and removal of Jakiw Palij to Germany is a testament to the dedication and commitment of the men and women of ICE, who faithfully enforce our immigration laws to protect the American people,” Nielsen said.

Palij, the former Nazi officer arrested Monday in the Queens borough of New York City, was born in a part of Poland that is present day Ukraine.

Palij came to the United States in 1949, and lied to immigration officials, claiming to have spent World War II working on a farm and in a factory. He gained citizenship in 1957.

He trained with the Nazis in 1943 in German-occupied Poland. Court documents show those who trained him at the SS training camp in Trawniki participated in executing “Operation Reinhard,” a code name for the Third Reich’s plan to murder Jews in Poland. Palij served as an armed guard at the adjacent Trawniki labor camp.

“By helping to prevent the escape of these prisoners during his service at Trawniki, Palij played an indispensable role in ensuring that they later met their tragic fate at the hands of the Nazis,” Sanders said.

On Nov. 3, 1943, about 6,000 Jewish people held at the Trawniki labor camp were shot to death in one of the single largest massacres of the Holocaust.

In 2001, after an investigation, Palij admitted his past with the Nazis to the Justice Department. In May 2002, the Justice Department’s Office of Special Investigations and the U.S. Attorney’s Office of the Eastern District of New York filed a four-count complaint in U.S. District Court to revoke his citizenship based on his wartime activities.

A judge revoked his U.S. citizenship in 2003. U.S. Immigration Judge Robert Owens ordered his deportation in 2004 to Ukraine, Poland, Germany, or any country that would admit him, and a panel denied his 2005 appeal.

The Justice Department began targeting Nazis in the United States in 1979, won cases against 108 individuals, and prevented 180 individuals with ties to the Axis powers from World War II from entering the United States, according to ICE. But 68 were deported.

Similar to Palij, previous Nazi deportation orders took years to act on.

In May 2009, ICE deported John Demjanjuk, 89, a former Nazi death camp guard and a resident of Seven Hills, Ohio, to Germany to face criminal charges for 28,060 counts of accessory to murder. He was a retired auto worker in Ohio, and was born in what is today Ukraine. He came to the United States in 1952, concealing his Nazi past. It was one of the most storied cases that worked its way through the legal process for almost three decades.

Demjanjuk was first tried on allegations of participation in Nazi persecution in a civil denaturalization (citizenship revocation) case decided in 1981, and it was unearthed that he was a gas chamber operator at the Sobibor concentration camp where Nazis killed 250,000 Jews. In 1986, the U.S. extradited him to Israel, where the country’s Supreme Court found reasonable doubt. After his release, he returned to the United States.

In 1999, the U.S. initiated a new denaturalization case against Demjanjuk, relying in large part on captured Nazi documents that came to light following the 1991 dissolution of the Soviet Union, according to ICE. This evidence found he not only served at Sobibor, but also worked as a guard at the Majdanek camp, where Nazis killed 170,000 Jews.

A U.S. District Court in Cleveland revoked his citizenship in 2002. But it wasn’t until December 2005 that Chief Immigration Judge Michael J. Creppy ordered Demjanjuk removed from the United States to Ukraine, Germany, or Poland. The U.S. Supreme Court rejected Demjanjuk’s petition for review.

That same year, in March 2009, ICE removed Josias Kumpf, 83, to Austria. He was living in Racine, Wisconsin. He came to the United States after World War II.

According to ICE, Kumpf was a former Waffen SS Death’s Head Battalion guard at the Nazi-run Sachsenhausen concentration camp in Germany and at the Trawniki SS training camp in Poland, the same camp as Palij served, where Nazis murdered thousands of Jews on Nov. 3, 1943.

In September 2011, ICE announced that the Board of Immigration Appeals dismissed an appeal by John (Ivan) Kalymon, 90, of Troy, Michigan, affirming his deportation because of his Nazi activities during World War II. Kalymon, who came to the United States in 1949, shot Jews while voluntarily serving as a member of the Nazi-sponsored Ukrainian Auxiliary Police from 1941 to 1944 in German-occupied Lviv, Ukraine, according to ICE.

***

There were upwards of a thousand Nazis who were used by U.S. intelligence after the war by the CIA, the FBI, the military and other U.S. intelligence agencies — both in Europe as well as inside the United States, in Latin America, in the Middle East, even a few in Australia. And these were seen as basically cold warriors who served as spies, informants and in other intelligence roles. More here.