NSA Leaker, Reality Leigh Winner Charged, Russian Hacks

The search warrant is located here. The warrant was issued on June 3 and she was arrested the same day and charged.

A criminal complaint was filed in the Southern District of Georgia today charging Reality Leigh Winner, 25, a federal contractor from Augusta, Georgia, with removing classified material from a government facility and mailing it to a news outlet, in violation of 18 U.S.C. Section 793(e).

Winner was arrested by the FBI at her home on Saturday, June 3, and appeared in federal court in Augusta this afternoon.

“Exceptional law enforcement efforts allowed us quickly to identify and arrest the defendant,” said Deputy Attorney General Rod J. Rosenstein. “Releasing classified material without authorization threatens our nation’s security and undermines public faith in government. People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”

According to the allegations contained in the criminal complaint:

Winner is a contractor with Pluribus International Corporation assigned to a U.S. government agency facility in Georgia. She has been employed at the facility since on or about February 13, and has held a Top Secret clearance during that time. On or about May 9, Winner printed and improperly removed classified intelligence reporting, which contained classified national defense information from an intelligence community agency, and unlawfully retained it. Approximately a few days later, Winner unlawfully transmitted by mail the intelligence reporting to an online news outlet.

Once investigative efforts identified Winner as a suspect, the FBI obtained and executed a search warrant at her residence. According to the complaint, Winner agreed to talk with agents during the execution of the warrant. During that conversation, Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a “need to know,” and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the news outlet, which she knew was not authorized to receive or possess the documents.

An individual charged by criminal complaint is presumed innocent unless and until proven guilty at some later criminal proceedings.

The prosecution is being handled by Trial Attorney Julie A. Edelstein of the U.S. Department of Justice’s National Security Division’s Counterintelligence and Export Control Section, and Assistant U.S. Attorney Jennifer Solari of the U.S. Attorney’s Office for the Southern District of Georgia. The investigation is being conducted by the FBI.

***

Winner’s lawyer, Titus T. Nichols, said he had not yet seen any of the evidence in the case, so he could not discuss the specific accusations. He said his client has served in the Air Force for six years, including a recent assignment at Fort Meade, home of the NSA.

According to court documents, Winner had a top-security clearance as an active-duty member of the Air Force from January 2013 until February of this year, when she began working for Pluribus International Corporation, a government contractor, at a facility in Georgia.

Winner remains in jail pending a detention hearing later this week, said the lawyer, adding that he expects the government will seek to keep her behind bars pending trial. Nichols said his client should be released. More here. The Intercept is known to be the media outlet to which she mailed the documents. See the full story from The Intercept here.


Did Megyn Kelly ask Vladimir Putin About these Items?

Business Insider:

LONDON — Vladimir Putin again denied that Russia interfered in last year’s U.S. election, joking to NBC News’ Megyn Kelly on Friday that even her “underage daughter” could have been behind the hacking.

The journalist asked the Russian president about what American intelligence agencies say is evidence that he became personally involved in a covert campaign to harm Hillary Clinton and benefit Donald Trump.

“IP addresses can be invented — a child can do that! Your underage daughter could do that. That is not proof,” Putin replied.

He also said that U.S. accusations about Russia were reminiscent of “anti-Semitism and blaming the Jews,” describing them as “disinformation.”

*** Hummm, okay, but he also said this:

Moscow (CNN) Russian President Vladimir Putin seemed to suggest Thursday that “patriotic hackers” may have meddled in the US election, but insisted that none of their potential activities were state-backed.

It’s the first time the Russian leader has conceded that any election-related hacking attacks may have emanated from his country.

In comments to reporters at the St. Petersburg Economic Forum, Putin likened hackers to “artists,” who could act on behalf of Russia if they felt its interests were being threatened.

“(Artists) may act on behalf of their country, they wake up in good mood and paint things. Same with hackers, they woke up today, read something about the state-to-state relations.

“If they are patriotic, they contribute in a way they think is right, to fight against those who say bad things about Russia,” Putin said.

*** Typical Kremlin, squishy on truth and commitment. Now…how about this mess that the Trump White House is working a deal with the Kremlin to return the two dachas in Maryland and New York that Obama ordered shuttered in December? It is said that the Kremlin did not respond to this action by Obama, but actually they did by terminating the construction of our diplomatic post in St. Petersburg. C’mon Tillerson, really? Why should we be so hard on Putin and the Kremlin? Let’s go deeper shall we? We may also have to wait for the full Putin/Kelly interview to be aired.

There are many more Russia vs. United States issues like Russian bombers buzzing U.S. military aircraft or that Russian spy ship that hovered off the Atlantic coast….moving on….

***
How many Russian spies are inside the United States? Answer unknown, but the estimates are in the tens of thousands. One such former FBI sleuth explains the condition here:

A national-security expert who has worked as a double agent for the FBI against Russian intelligence operations says the bureau’s current model for identifying Russian assets relies too much on a Cold War-era style of human-asset recruitment.

Naveed Jamali, who secretly reported to the FBI for four years while pretending to work for a Russian spy, was invited by Democratic Rep. Eric Swalwell to brief the House Intelligence Committee last week on Russia’s techniques for recruiting foreign spies. More here.

***

Politico: Russian diplomats, whose travel was supposed to be tracked by the State Department, were going missing. The diplomats, widely assumed to be intelligence operatives, would eventually turn up in odd places, often in middle-of-nowhere USA. One was found on a beach, nowhere near where he was supposed to be. In one particularly bizarre case, relayed by a U.S. intelligence official, another turned up wandering around in the middle of the desert. Interestingly, both seemed to be lingering where underground fiber-optic cables tend to run.

According to another U.S. intelligence official, “They find these guys driving around in circles in Kansas. It’s a pretty aggressive effort.”

It’s a trend that has led intelligence officials to conclude that the Kremlin is waging a quiet effort to map the United States’ telecommunications infrastructure, perhaps preparing for an opportunity to disrupt it.

“Half the time, they’re never confronted,” the official, who declined to be identified discussing intelligence matters, said of the incidents. “We assume they’re mapping our infrastructure.”

As the country — and Washington in particular — borders on near-obsession over whether affiliates of Donald Trump’s campaign colluded with the Kremlin to swing the 2016 presidential election, U.S. intelligence officials say Moscow’s espionage ground game is growing stronger and more brazen than ever.

It’s a problem that’s sparking increasing concern from the intelligence community, including the FBI. After neglecting the Russian threat for a decade, the U.S. was caught flat-footed by Moscow’s election operation. Now, officials are scrambling to figure out how to contain a sophisticated intelligence network that’s festered and strengthened at home after years’ worth of inattention.

“We’ve definitely been ignoring Russia for the last 15 years,” another intelligence official said, calling the Kremlin “resurgent.”

POLITICO spoke with half a dozen current and former U.S. intelligence officials about Russian spy strategies. All requested anonymity to openly discuss espionage.

“They’ve just got so many bodies,” the first intelligence official said of the Russians. “It’s not about what we know [is happening]. It’s about what we don’t know.”

It’s one of the most poorly kept secrets in the intelligence community: The Russian effort is a startlingly open and aggressive one, and often falls in a complex legal gray zone.

For example, the second official said, diplomats wandering around the desert might be in violation of certain travel requirements, but it’s not necessarily illegal.

Most U.S. intelligence officials can relay stories of run-ins with Russian intelligence operatives — often moonlighting as lobbyists, diplomats and businessmen — hanging around popular Washington happy hours. It’s an open assumption that they use Capitol Hill and its public office buildings as a farming ground for potential recruits. And the presumed agents aren’t hard to spot, according to officials: An oft-traded joke is to go to one of Washington’s handful of Russian restaurants and look for the guy in a tracksuit.

As the Russians continue aggressively pushing legal boundaries in both the United States and Moscow, there’s a tangible frustration among U.S. intelligence officials and on Capitol Hill that the U.S. has consistently missed its chance to crack down on Moscow’s spy games.

For years, lawmakers from both sides of the aisle pressed a hesitant Obama White House to crack down on some of the Kremlin’s more brazen stateside maneuvers.

“There was a general feeling that this was not getting the attention it deserved,” said Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee who has supported the panel’s efforts in pressing the White House to toe a harder line with the Kremlin.

Around last summer, that tension reached a fever pitch.

Lawmakers, frustrated by Russian diplomats’ repeated violation of travel rules, inserted a provision in last year’s intelligence authorization bill that would have required Russian diplomats to provide ample notice to the State Department if they planned to travel more than 50 miles from where they were based, and further, would have required the FBI to validate that travel. According to several sources involved in the discussions at that time, the administration fought desperately — and failed — to get those provisions taken out of the bill.

Around that same time, two key Democratic lawmakers informed the White House of plans to publicly finger Russia as the foreign power behind a widespread effort to manipulate the ongoing U.S. election — something no official U.S. government entity had yet done. Fearful of escalation, the administration tried to get Sen. Dianne Feinstein and Rep. Adam Schiff, then the two leading Democrats on the Senate and House intelligence committees, respectively, to back off. The California lawmakers didn’t, and they released the statement. Backed into a corner by Congress, the administration released a statement saying the same a week later.

The Obama administration’s tentativeness in the weeks leading up to Nov. 8 — especially in the high-stakes context of a presidential election — is something that still bewilders corners of the intelligence world. Some speculate that Secretary of State John Kerry, desperate for a peace deal in Syria, urged the White House to lie low. Some blame it on fear of igniting a cyberwar, and still others say it stemmed from a generalized underestimation of the Russian threat.

Blaming one factor, one of the officials said, is “oversimplified.” But the frustration — and regret — is tangible.

Underscoring all this is that the Kremlin shows none of the same reluctance at home, nor does it show any propensity to abide by the gentlemen’s espionage rules that the U.S. tends to uphold, sometimes to the chagrin of its own spy corps.

“We can’t even leave the compound over there without being followed,” the first U.S. intelligence official said.

One well-publicized incident continues to agitate officials in Washington. In June of last year, a U.S. diplomat was returning to the embassy in Moscow when a guard with the FSB, the domestic Russian security service, exploded from his booth on the compound’s perimeter and assaulted him. A surveillance video shows the guard tackling the man and throwing him to the ground before the U.S. diplomat was able to drag himself inside the doors of the embassy to safety.

The U.S. diplomat, whom POLITICO confirmed was actually a CIA officer, had done the impossible — he had lost his tails as he maneuvered in Moscow. Infuriated, the Russians sent an FSB guard the man wouldn’t recognize to wait outside the embassy for his inevitable return. The officer was beaten so badly he was immediately flown out of the country for urgent medical attention.

The account was confirmed by another person familiar with the incident.

“They are far more aggressive on counterintelligence issues in Russia than we are here,” one of the officials said.

It’s these incidents that worry and frustrate the Americans. The unspoken rules of spying mean nothing to the Kremlin.

“They agree to rules, and then break them,” another U.S. official said.

Former CIA Director John Brennan made reference to this frustration in recent congressional testimony. Though he stopped short of explicitly discussing the June 2016 incident in Moscow, he told lawmakers that he had brought up the broader harassment issue to his Russian counterpart at Russian state security services last August.

“I first told him, as I had several times previously, that the continued mistreatment and harassment of U.S. diplomats in Moscow was intolerable and needed to stop,” Brennan said.

The CIA declined to comment. The FBI did not respond to an official request for comment by deadline.

7 Subpoenas Issued for ‘Unmasking’ Activities

In April:

Then-National Security Adviser Susan Rice did at times ask that certain names in intelligence reports be “unmasked” in order to understand the context in which they were mentioned in intelligence reports, a former national security official told CBS News.

Rice asked for the identities of those Americans picked up during surveillance of foreign nationals when it was deemed important context for national security, and she did not ask that the information be disseminated broadly, according to this former official. A Monday report by Bloomberg’s Eli Lake said that Rice requested the unmasking of Trump officials. Names of Americans swept up incidentally in the collection of intelligence are normally masked, or kept redacted, in intelligence briefings. However, the law provides for much leeway when it comes to unmasking by National Security Council officials, which suggests that Rice’s request was legal. More here.

CBS: The House Intelligence Committee issued seven subpoenas — four related to the investigation into Russian meddling in the presidential election and three to the “unmasking” of Trump associates during the presidential transition.

The committee announced late Wednesday afternoon that it would subpoena former National Security Adviser Michael Flynn and the Flynn Intel Group LLC, and Trump lawyer Michael Cohen and Michael D. Cohen & Associates PC as part of its investigation into Russian meddling in the 2016 campaign.

The committee’s statement, released by Chairman Rep. Mike Conaway and ranking member Rep. Adam Schiff, said that the subpoenas were for “testimony, personal documents and business records.”

The Wall Street Journal, which first reported the subpoenas, said that the committee also subpoenaed the National Security Agency (NSA), FBI and CIA for information about “unmasking,” that is, the exposure of Trump campaign officials mentioned in classified intelligence reports, based on intercepts of conversations. Names of Americans swept up incidentally in the collection of intelligence are normally masked, or kept redacted, in intelligence briefings, but under the law, national security officials can request that these names be revealed, or unmasked.

The subpoenas related to unmasking, according to the Journal, seek information about requests made by then-National Security Adviser Susan Rice, then-CIA Director John Brennan and then-U.N. Ambassador Samantha Power to unmask names contained in classified documents.

***

In part from Rosen at FNC:

The inclusion of Power’s name on the subpoenas marks the first appearance of the former U.N. ambassador in the controversy surrounding the Obama administration’s use of unmasking. Capitol Hill sources told Fox News they are devoting increasing scrutiny to Power – a former historian and winner of the Pulitzer Prize who worked as a foreign policy adviser in the Senate office of Barack Obama before joining his administration – because they have come to see her role in the unmasking as larger than previously known, and eclipsing those of the other former officials named.

Rice has previously denied any improper activity in her use of unmasking. “The allegation is somehow Obama administration officials utilized intelligence for political purposes, that’s absolutely false,” Rice told MSNBC on April 4. President Trump said at that time that he personally believed Rice had committed a crime. None of those named on the subpoenas has been formally accused of wrongdoing.

Inquiries placed with representatives of Power and Brennan were not immediately returned.

That Nunes signed the seven subpoenas, as is standard practice, underscored the chairman’s continuing influence over key aspects of his committee’s probe, despite the fact that Nunes in early April “stepped aside” from his panel’s Russia probe. He insists his decision was not a formal recusal, and he is still awaiting a hearing by the House Ethics Committee, which agreed at the time to investigate whether Nunes had improperly shared classified data with the White House before presenting it to Schiff and the rest of the intelligence committee.

Nunes told Fox News in an exclusive interview on May 19 that he is an active chairman, including continuing to preside over the unmasking angle of the investigation.

Investigative sources on the committee’s Republican majority staff told Fox News that the unmasking subpoenas do not reflect a “fishing expedition,” but were issued because documentary evidence already in hand warranted demands for additional documents relating to Rice, Brennan and Power.

Where NSA had previously complied with the House panel’s investigators, sources said that cooperation had ground to a complete halt, and that the other agencies – FBI and CIA – had never substantively cooperated with document requests at all. The investigators believe that even rudimentary document production as a result of the subpoenas will enable them to piece together a timeline linking the unmasking activity to news media reports, based on leaks, that conveyed the same information provided to the officials requesting unmasking.

President Trump and the White House have dismissed the long-running allegations of collusion between Russia and the Trump campaign, and possibly the transition team, as “fake news,” a scandal ginned up by supporters of President Obama and Hillary Clinton to explain the Democratic nominee’s stunning loss to Mr. Trump last November.

However, the Trump administration belatedly acquiesced in the appointment of former FBI Director Robert S. Mueller III as a special counsel to investigate the allegations “and related matters.” Critics of the administration have also pointed to sustained reporting alleging undisclosed contacts between key Trump aides and various Russians – Attorney General Jeff Sessions recused himself from the probe at an early stage because of such contacts – and to a memorandum prepared in February by former FBI director James Comey, leaked a few days after his termination by President Trump, in which Comey alleged that the president had personally importuned him to abandon the FBI’s probe of Flynn.

Oh, Another Incident of Chinese Industrial Espionage

There is no denying Russia is using cyber warfare against the West. Little is ever mentioned about China’s industrial espionage, something this site attempts to publish as often as possible. Further, the owner of this site participated in two key hearings today in Congress, one with former CIA Director John Brennan and the other included ODNI Dan Coats and DIA Director General Stewart.

Clearly both hearings revealed just how pervasive and common cyber warfare is at the hands of China and Russia. Here is just another example.

China’s theft of IBM’s intellectual property

A former employee of IBM pleaded guilty to theft of source code on behalf of China

And you think the FBI has easy work? Further, we are trusting China to deal with North Korea’s nuclear program and missile systems aimed against Western interests.

CSO: China continues to view the theft of intellectual property as a viable means of technology transfer. Global private sector entities are finding their insiders are being used by China to purloin the proprietary information for use by Chinese state-owned-enterprises or national entities with ever increasing regularity.

On 19 May 2017, Xu Jiaqiang, a PRC national, pleaded guilty to economic espionage and trade secret theft. Xu stole source code from his employer, IBM, and attempted to share it with the National Health and Family Planning Commission in the PRC.  According to the Department of Justice, Xu pleaded guilty to all six of the counts included in his indictment.

A review of Xu’s LinkedIn profile shows only his employment with IBM from November 2010 through July 2014 (a date range that differs from the one contained in the indictment) as a “General Parallel File System Developer at IBM”.

Xu was a trusted insider within IBM. According to the DOJ advisory, which contained content from both the criminal complaint and superseding indictment, Xu worked for IBM from 2010-14, with unencumbered access to the “proprietary source code.” DOJ advises that Xu voluntarily resigned from IBM in May 2014.

In late 2014, the Federal Bureau of Investigation (FBI) was informed (source unidentified) that Xu claimed to have access (unauthorized) to the source code and was using the source code in various business ventures. Undercover law enforcement officers subsequently contacted Xu to affirm Xu’s possession of the source code.

The criminal complaint describes undercover officers posing as investors engaged in a multi-month email exchange with Xu which culminated in his sharing portions of the source code as bona fides of his knowledge of “operating systems and parallel file systems.” At that time, the victim company, IBM, identified the shared code as identical to their proprietary source code.

In late 2015, Xu had a face-to-face meeting with undercover law enforcement officers. At the meeting, Xu noted the code was his former employer’s (IBM) code. Xu also confirmed to his interlocutors how he had purloined the code prior to his May 2014 employment separation and had made modifications so as to obscure the point of origin, IBM.

In June 2016, Xu was indicted and charged with three counts of economic espionage, one count each of theft of trade secrets, possession of trade secrets, and distribution of trade secrets. He will be sentenced in October 2017.

Though IBM has declined comment to media regarding this theft of their intellectual property, reading between the lines, it would appear IBM had deduced (correctly) that Xu absconded with a copy of their GPFS proprietary source code, and was attempting to use it commercially. They then brought the theft to the attention of the FBI.

Illicit technology transfer

China has not slowed down in their acquisition of technology utilizing the access afforded to trusted insiders. The US Director of National Intelligence made it clear in his May 2017 presentation to the Senate Select Committee on Intelligence on the worldwide threat to the United States as to the threat posed by China.

In April 2017, we saw the arrest of a Dutch employee of Siemens, working within the energy arm of Siemens, charged with stealing the intellectual property of his employer and attempting to share it with China.

From the FBI perspective, this was the perfect economic espionage case: theft of proprietary information for provision to a foreign government, from a company that had an insider threat program in place, that was cooperative (providing technical expertise during the investigation), and that was of sufficient size to withstand any blow-back from China which might occur.

There is no need to be xenophobic. Multinational companies employ individuals from a great variety of nationalities. The reality is, few employees break trust with their employer.

That said, keeping a paper trail of the agreements which safeguard intellectual property is mandatory, as is a review of the activities of every departing employee for any break from pattern, whether the separation is voluntary or for cause. If a deeper dive into the employee’s activities is warranted, look for any sudden increase in 403 errors or similar (caused by attempts to access unauthorized data). Verify the complete inventory of all storage devices the employee may have accessed, have each returned and/or the data on it destroyed, and review email and uploads for any inappropriate usage.

Remember, though it is the FBI and DOJ success which brought Xu to our collective attention, it was not the FBI who initially discovered Xu’s intellectual property theft. The FBI pursued the lead brought to them by an unidentified third party (presumably IBM).

You are your company’s first line of defense in the protection of intellectual property, not the FBI.
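The departing-employee review described above (watching for a sudden rise in 403 errors) as an added Python example; it is not code from the CSO article or from IBM. It parses constructed access-log lines (the log format, user names, paths and separation date are all assumptions) and compares each user's denied requests per day in the final week before separation against the preceding four weeks, flagging a user whose rate jumps and listing the paths that were denied.

```python
"""Insider-threat review: flag a departing employee whose HTTP 403 (forbidden)
responses spike in the final week before separation.

All log lines below are constructed for this example; the log format
(ISO timestamp, user, status, path) and the user names are assumptions.
"""
import re
from collections import Counter
from datetime import date, datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed separation date for the sample data (an assumption, not from any case file)
SEPARATION = date(2014, 5, 30)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<status>\d{3}) (?P<path>\S+)$"
)


class Entry(NamedTuple):
    day: date
    user: str
    status: int
    path: str


def build_sample_log() -> str:
    """Constructed access log covering the 36 days ending on SEPARATION.

    'alice' starts probing directories outside her role in her last week;
    'bob' shows only the same occasional stray denial that everyone produces.
    """
    lines = []
    for offset in range(35, -1, -1):
        stamp = (SEPARATION - timedelta(days=offset)).isoformat()
        # Normal work: each user reads their own project tree
        lines.append(f"{stamp}T09:00:00 alice 200 /repo/fs/src/main.c")
        lines.append(f"{stamp}T09:05:00 bob 200 /repo/web/app.js")
        # One stray 403 a week is ordinary background noise
        if offset % 7 == 0:
            lines.append(f"{stamp}T11:00:00 alice 403 /repo/hr/policy.pdf")
            lines.append(f"{stamp}T11:30:00 bob 403 /repo/hr/policy.pdf")
        # Final week: alice is denied on shares she has no business reason to touch
        if offset < 7:
            for minute, target in enumerate(("/repo/fs/internal/", "/repo/finance/", "/repo/customers/")):
                lines.append(f"{stamp}T13:{minute:02d}:00 alice 403 {target}")
    return "\n".join(lines)


def parse_log(text: str) -> List[Entry]:
    """Parse log lines; malformed lines are skipped so one bad line cannot abort a review."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.fromisoformat(m["ts"]).date(), m["user"], int(m["status"]), m["path"]))
    return entries


def daily_403(entries: List[Entry], user: str) -> Dict[date, int]:
    """Count 403 responses per calendar day for one user."""
    counts: Counter = Counter()
    for e in entries:
        if e.user == user and e.status == 403:
            counts[e.day] += 1
    return counts


def review_departing(entries, user, separation, window_days=7, baseline_days=28, factor=3.0, min_hits=5):
    """Compare 403s per day in the last `window_days` before separation with the
    preceding `baseline_days`. Flag when the rate rises by `factor` AND there are at
    least `min_hits` denials, so a single stray 403 against a zero baseline does not fire."""
    counts = daily_403(entries, user)
    window_start = separation - timedelta(days=window_days - 1)
    baseline_start = window_start - timedelta(days=baseline_days)
    window_hits = sum(c for d, c in counts.items() if window_start <= d <= separation)
    baseline_hits = sum(c for d, c in counts.items() if baseline_start <= d < window_start)
    window_rate = window_hits / window_days
    baseline_rate = baseline_hits / baseline_days
    flagged = window_hits >= min_hits and window_rate >= factor * baseline_rate
    # The denied paths themselves are what an investigator reads next
    denied = sorted({e.path for e in entries
                     if e.user == user and e.status == 403 and window_start <= e.day <= separation})
    return {"user": user, "baseline_rate": baseline_rate, "window_rate": window_rate,
            "flagged": flagged, "denied_paths": denied}


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    for who in ("alice", "bob"):
        print(review_departing(log, who, SEPARATION))
```

The absolute floor (`min_hits`) matters in practice: a user with a zero-denial baseline would otherwise be flagged by a single mistyped URL.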

2010: Remember When Obama Pulled U.S. Spies From China

Of course you don’t, one had to be quite the investigator of journalism to know it much less remember it.

So….why you ask? Hold on….there is a pattern and story here.


2010: The White House National Security Council recently directed U.S. spy agencies to lower the priority placed on intelligence collection for China, amid opposition to the policy change from senior intelligence leaders who feared it would hamper efforts to obtain secrets about Beijing’s military and its cyber-attacks.

The downgrading of intelligence gathering on China was challenged by Director of National Intelligence Dennis C. Blair and CIA Director Leon E. Panetta after it was first proposed in interagency memorandums in October, current and former intelligence officials said.

The decision downgrades China from “Priority 1” status, alongside Iran and North Korea, to “Priority 2,” which covers specific events such as the humanitarian crisis after the Haitian earthquake or tensions between India and Pakistan.

The National Security Council staff, in response, pressed ahead with the change and sought to assure Mr. Blair and other intelligence chiefs that the change would not affect the allocation of resources for spying on China or the urgency of focusing on Chinese spying targets, the officials told The Washington Times.

White House National Security Council officials declined to comment on the intelligence issue. Mike Birmingham, a spokesman for Mr. Blair, declined to comment. A CIA spokesman also declined to comment.

***

Directors of CIA in that time frame:

Leon Panetta 2010

Michael Morell (acting) 2011

David Petraeus 2011

Michael Morell (acting) 2012

John Brennan 2013

Mike Pompeo, current director

***

Killing C.I.A. Informants, China Crippled U.S. Spying Operations

NYT/WASHINGTON — The Chinese government systematically dismantled C.I.A. spying operations in the country starting in 2010, killing or imprisoning more than a dozen sources over two years and crippling intelligence gathering there for years afterward.

Current and former American officials described the intelligence breach as one of the worst in decades. It set off a scramble in Washington’s intelligence and law enforcement agencies to contain the fallout, but investigators were bitterly divided over the cause. Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.

But there was no disagreement about the damage. From the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the C.I.A.’s sources. According to three of the officials, one was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.

Still others were put in jail. All told, the Chinese killed or imprisoned 18 to 20 of the C.I.A.’s sources in China, according to two former senior American officials, effectively unraveling a network that had taken years to build.

Assessing the fallout from an exposed spy operation can be difficult, but the episode was considered particularly damaging. The number of American assets lost in China, officials said, rivaled those lost in the Soviet Union and Russia during the betrayals of both Aldrich Ames and Robert Hanssen, formerly of the C.I.A. and the F.B.I., who divulged intelligence operations to Moscow for years.

The previously unreported episode shows how successful the Chinese were in disrupting American spying efforts and stealing secrets years before a well-publicized breach in 2015 gave Beijing access to thousands of government personnel records, including intelligence contractors. The C.I.A. considers spying in China one of its top priorities, but the country’s extensive security apparatus makes it exceptionally hard for Western spy services to develop sources there.

At a time when the C.I.A. is trying to figure out how some of its most sensitive documents were leaked onto the internet two months ago by WikiLeaks, and the F.B.I. investigates possible ties between President Trump’s campaign and Russia, the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services like those in Russia and China.

The C.I.A. and the F.B.I. both declined to comment.

Details about the investigation have been tightly held. Ten current and former American officials described the investigation on the condition of anonymity because they did not want to be identified discussing the information.

Photo caption: Investigators still disagree how it happened, but the unsettled nature of the China investigation demonstrates the difficulty of conducting counterespionage investigations into sophisticated spy services. Credit: Carolyn Kaster/Associated Press.

The first signs of trouble emerged in 2010. At the time, the quality of the C.I.A.’s information about the inner workings of the Chinese government was the best it had been for years, the result of recruiting sources deep inside the bureaucracy in Beijing, four former officials said. Some were Chinese nationals who the C.I.A. believed had become disillusioned with the Chinese government’s corruption.

But by the end of the year, the flow of information began to dry up. By early 2011, senior agency officers realized they had a problem: Assets in China, one of their most precious resources, were disappearing.

The F.B.I. and the C.I.A. opened a joint investigation run by top counterintelligence officials at both agencies. Working out of a secret office in Northern Virginia, they began analyzing every operation being run in Beijing. One former senior American official said the investigation had been code-named Honey Badger.

As more and more sources vanished, the operation took on increased urgency. Nearly every employee at the American Embassy was scrutinized, no matter how high ranking. Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets. Others suspected a traitor in the C.I.A., a theory that agency officials were at first reluctant to embrace — and that some in both agencies still do not believe.

Their debates were punctuated with macabre phone calls — “We lost another one” — and urgent questions from the Obama administration wondering why intelligence about the Chinese had slowed.

The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.

There was good reason to suspect an insider, some former officials say. Around that time, Chinese spies compromised National Security Agency surveillance in Taiwan — an island Beijing claims is part of China — by infiltrating Taiwanese intelligence, an American partner, according to two former officials. And the C.I.A. had discovered Chinese operatives in the agency’s hiring pipeline, according to officials and court documents.
But the C.I.A.’s top spy hunter, Mark Kelton, resisted the mole theory, at least initially, former officials say. Mr. Kelton had been close friends with Brian J. Kelley, a C.I.A. officer who in the 1990s was wrongly suspected by the F.B.I. of being a Russian spy. The real traitor, it turned out, was Mr. Hanssen. Mr. Kelton often mentioned Mr. Kelley’s mistreatment in meetings during the China episode, former colleagues say, and said he would not accuse someone without ironclad evidence.
Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.
Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.
This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said. Some in the agency, particularly those who had helped build the spy network, resisted this theory and believed they had been caught in the middle of a turf war within the C.I.A.
Still, the Chinese picked off more and more of the agency’s spies, continuing through 2011 and into 2012. As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.
After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.
Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.
The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.
By 2013, the F.B.I. and the C.I.A. concluded that China’s success in identifying C.I.A. agents had been blunted — it is not clear how — but the damage had been done.
The C.I.A. has tried to rebuild its network of spies in China, officials said, an expensive and time-consuming effort led at one time by the former chief of the East Asia Division. A former intelligence official said the former chief was particularly bitter because he had worked with the suspected mole and recruited some of the spies in China who were ultimately executed.
China has been particularly aggressive in its espionage in recent years, beyond the breach of the Office of Personnel Management records in 2015, American officials said. Last year, an F.B.I. employee pleaded guilty to acting as a Chinese agent for years, passing sensitive technology information to Beijing in exchange for cash, lavish hotel rooms during foreign travel and prostitutes.
In March, prosecutors announced the arrest of a longtime State Department employee, Candace Marie Claiborne, accused of lying to investigators about her contacts with Chinese officials. According to the criminal complaint against Ms. Claiborne, who pleaded not guilty, Chinese agents wired cash into her bank account and showered her with gifts that included an iPhone, a laptop and tuition at a Chinese fashion school. In addition, according to the complaint, she received a fully furnished apartment and a stipend.
*** Just to be sure China had a real handle on all CIA operatives in country, what came next? The OPM hack, remember that one?
Enter China’s Unit 61398
The program used by China:

In part from Wired: The US-CERT team moved into OPM’s sub-basement and among the first moves was to analyze the malware that Saulsbury had found attached to mcutil.dll. The program turned out to be one they knew well: a variant of PlugX, a remote-access tool commonly deployed by Chinese-speaking hacking units. The tool has also shown up on computers used by foes of China’s government, including activists in Hong Kong and Tibet. The malware’s code is always slightly tweaked between attacks so firewalls can’t recognize it.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log in to all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

Leaping forward in details:

Once established on the agency’s network, they used trial and error to find the credentials necessary to seed the jumpbox with their PlugX variant. Then, during the long Fourth of July weekend in 2014, when staffing was sure to be light, the hackers began to run a series of commands meant to prepare data for exfiltration. Bundles of records were copied, moved onto drives from which they could be snatched, and chopped up into .zip or .rar files to avoid causing suspicious traffic spikes. The records that the attackers targeted were some of the most sensitive imaginable.

The hackers had first pillaged a massive trove of background-check data. As part of its human resources mission, OPM processes over 2 million background investigations per year, involving everyone from contractors to federal judges. OPM’s digital archives contain roughly 18 million copies of Standard Form 86, a 127-page questionnaire for federal security clearance that includes probing questions about an applicant’s personal finances, past substance abuse, and psychiatric care. The agency also warehouses the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.

The hackers next delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.
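The Wired excerpt above describes the staging pattern: records chopped into many .zip/.rar archives on key hosts (including the admin jumpbox) during a low-staffing holiday weekend. As an added example, not code from Wired, the OPM investigators or this post, here is a small detector that flags any host creating a burst of archive files in a short window and notes whether that burst fell off-hours or on an admin host; the host names, paths, account names and log lines are constructed.

```python
"""Flag bursts of archive creation (staged, chunked exfiltration) in file-event logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real OPM logs): "timestamp host user action path"
SAMPLE_EVENTS = """\
2014-07-04T02:11:05 jumpbox01 svc_admin create D:\\staging\\pf_001.zip
2014-07-04T02:11:47 jumpbox01 svc_admin create D:\\staging\\pf_002.zip
2014-07-04T02:12:30 jumpbox01 svc_admin create D:\\staging\\pf_003.rar
2014-07-04T02:13:02 jumpbox01 svc_admin create D:\\staging\\pf_004.rar
2014-07-04T02:14:40 jumpbox01 svc_admin create D:\\staging\\pf_005.zip
2014-07-07T10:05:00 hrws12 jdoe create C:\\Users\\jdoe\\report.zip
2014-07-07T10:30:00 hrws12 jdoe create C:\\Users\\jdoe\\photos.zip
"""
ARCHIVE_EXT = (".zip", ".rar", ".7z")
ADMIN_HOSTS = {"jumpbox01"}  # hypothetical inventory of servers used to reach everything else


def parse(line):
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path


def off_hours(ts):
    # Weekend, or outside 07:00-19:00 local: the low-staffing window the attackers chose
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def find_staging(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {host: details} for hosts that create >= threshold archives within `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, _user, action, path = parse(line)
        if action == "create" and path.lower().endswith(ARCHIVE_EXT):
            per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1  # extend the sliding window while events stay within it
            count = j - i + 1
            if count >= threshold:
                alerts[host] = {"count": count, "start": times[i],
                                "off_hours": off_hours(times[i]),
                                "admin_host": host in ADMIN_HOSTS}
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, info in find_staging(SAMPLE_EVENTS).items():
        print(host, info)
```

The two archives on hrws12 stay below the threshold, so only the jumpbox burst surfaces, tagged as both off-hours and admin-host for priority triage.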

Then comes, a little too late and thin on substance, in February 2015:

President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection

Is all this fixed yet? Hah…not even close. Then we need to ask: why are we trusting China with North Korea’s nuclear weapons and missile program? Do we have spies in Iran? North Korea? Any new operatives in China?

Scary eh?