Wenxia Man, Chinese Spy Found Guilty of Stealing Aircraft Secrets

Illegally Export Fighter Jet Engines and Unmanned Aerial Vehicle to China

Wenxia Man, aka Wency Man, 45, of San Diego, was sentenced today to 50 months in prison for conspiring to export and cause the export of fighter jet engines, an unmanned aerial vehicle – commonly known as a drone – and related technical data to the People’s Republic of China in violation of the Arms Export Control Act.

The sentence was announced by Assistant Attorney General for National Security John P. Carlin, U.S. Attorney Wifredo A. Ferrer of the Southern District of Florida, Special Agent in Charge Mark Selby of the U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (ICE-HSI) in Miami and Special Agent in Charge John F. Khin of the Department of Defense’s Defense Criminal Investigative Service (DCIS).

On June 9, 2016, Man was convicted by a federal jury in the Southern District of Florida of one count of conspiring to export and cause the export of defense articles without the required license.

According to evidence presented at trial, between approximately March 2011 and June 2013, Man conspired with Xinsheng Zhang, who was located in China, to illegally acquire and export to China defense articles including: Pratt & Whitney F135-PW-100 engines used in the F-35 Joint Strike Fighter; Pratt & Whitney F119-PW-100 turbofan engines used in the F-22 Raptor fighter jet; General Electric F110-GE-132 engines designed for the F-16 fighter jet; the General Atomics MQ-9 Reaper/Predator B Unmanned Aerial Vehicle, capable of firing Hellfire Missiles; and technical data for each of these defense articles. During the course of the investigation, when talking to an undercover HSI agent, Man referred to Zhang as a “technology spy” who worked on behalf of the Chinese military to copy items obtained from other countries and stated that he was particularly interested in stealth technology.

HSI and DCIS investigated the case. Assistant U.S. Attorney Michael Walleisa of the Southern District of Florida and Trial Attorney Thea D. R. Kendler of the National Security Division’s Counterintelligence and Export Control Section prosecuted the case.


Announcement by the Justice Department

Related reading: 5 Weapons China Stole & Copied from the US

Related reading: Chinese cyber spies may be watching you, experts warn

In part from FreeBeacon:

Michael Walleisa, assistant U.S. Attorney for the Southern District of Florida, asked the judge to impose the maximum sentence of 78 months for the weapons conspiracy conviction.

“There is hardly a more serious case than a case such as this that involves some of our most sophisticated fighter jet engines and unmanned weaponized aerial drones,” Walleisa said in a sentencing memorandum.

“The potential for harm to the safety of our fighter pilots, military personnel, and national security which would occur had the defendant been successful is immeasurable, particularly where, as here the clear intent of the co-conspirators was to enable the People’s Republic of China to reverse engineer the defense articles and manufacture fighter jets and UAV’s.”

The conspiracy revealed that China was seeking to “increase its military capabilities and might to the potential detriment of the United States,” Walleisa said.

The U.S. government imposed an arms embargo on China in 1990 following the Chinese military’s massacre of unarmed pro-democracy protesters in Beijing’s Tiananmen Square a year earlier.

Between 2011 and 2013, Man and Zhang worked together to solicit three sets of General Electric and Pratt & Whitney turbofan engines for the F-35, F-22, and F-16 jets, as well as a General Atomics Reaper drone and technical details of the equipment. The Chinese were prepared to pay $50 million for the embargoed items.

Authorities launched an investigation of the case after Man contacted a defense industry source who alerted U.S. Immigration and Customs Enforcement’s Homeland Security Investigations unit in Miami. The Pentagon’s Defense Criminal Investigative Service also investigated the case.

Man used a company called AFM Microelectronics, Inc. in trying to buy the military equipment. She disclosed to an undercover federal agent in 2012 that the jet engines were meant for the Chinese government and that she knew it was illegal to export them, according to court papers.

China is engaged in a major military buildup that includes two new advanced stealth jet fighters that U.S. intelligence agencies say benefitted from stolen American aircraft technology.

The attempt to buy embargoed jet fighter engines highlights what military analysts say is China’s major technology shortfall—its inability to manufacture high-quality jet engines. Turbofan engines require extremely precise machine work and parts because of the high speeds of their spinning engine fans.

Zhang was described by the government in court papers as a “technology spy” working for China’s military-industrial complex. The Chinese government buys arms and military technology from Russia and other states “so that China can obtain sophisticated technology without having to conduct its own research,” the indictment in the case states.

The name of the Chinese entity was not disclosed. China’s government defense industry group is SASTIND, an acronym for State Administration for Science, Technology and Industry for National Defense.

Zhang sought to buy the operating system and aircraft control system for the MQ-9 Reaper as well as the unmanned aerial vehicle itself and the technical design data for the aircraft. The drone sought was an armed version capable of firing Hellfire missiles.

Man, 45, was convicted of one count of conspiracy to export defense goods without a license.

At sentencing on Friday, U.S. District Judge Beth Bloom told the court that Man hoped to get a $1 million commission on the illegal export and that she wanted to help China compete with the United States militarily.

“I’m innocent,” Man told the judge, the South Florida Sun-Sentinel newspaper reported. “This is my country, too.” She plans to appeal the conviction that was reached after a jury trial in June.

Michael Pillsbury, a China specialist at the Hudson Institute, said the Man case highlights China’s large-scale technology theft program.

“The scope and the ambition of their technology intelligence collection is breathtaking,” said Pillsbury. “They’re not after petty secrets.”

The Man case is similar to an earlier Chinese technology acquisition operation headed by Chi Mak, another naturalized Chinese citizen. In 2007, Mak, an electrical engineer at the U.S. firm Power Paragon, was convicted of conspiracy to export sensitive electronics defense technology to China.

Mak was a long-term technology spy who operated for 20 years. U.S. officials believe Mak provided China with secrets to the Aegis battle management system, the heart of current Navy warships.

China has deployed a similar version of the Aegis ship, known as the Type 052D warship.


The Clintons’ History with Iran, Cuba and Latin America

Posted earlier on this site, Iran’s Cuba and Latin American Tours and Trouble Ahead forced a deeper examination of the Iran, Cuba and Latin America relationship. As Iran is now at least $1.7 billion richer, larger questions develop about Iran’s global expansion. With Iran in our hemisphere, right in America’s backyard, some chilling conditions emerge.

Reported in 2010, Cuba has expressed support for Iran’s nuclear program and has defended Iran’s right to peaceful nuclear technology in the face of UN sanctions. Cuban President Raul Castro also serves as the Secretary-General of the Non-Aligned Movement, which released a statement in July 2008 declaring that its member states “welcomed the continuing cooperation being extended by the Islamic Republic of Iran to the IAEA” and “reaffirmed that states’ choices and decisions, including those of the Islamic Republic of Iran, in the field of peaceful uses of nuclear technology and its fuel cycle policies must be respected.”[1]

In late November 2009, the IAEA passed a rebuke of Iran for building a second enrichment plant in secret.[2] Cuba, along with Venezuela and Malaysia, opposed the resolution.[3] The resolution by the 35-member IAEA Board of Governors calls on Iran to halt uranium enrichment and immediately freeze the construction of its Fordo nuclear facility, located near Qom.[4] Cuba and Iran cooperate bilaterally and multilaterally through the Non-Aligned Movement. In a June 2008 memorandum of understanding, Iranian President Ahmadinejad explained that the two countries expressed their continued support for “each other on the international scene.”[17] In September 2008, Iran began funding medical students from the Solomon Islands to study in Cuba, including airfare and computers for medical students unable to finance their own way to Havana to study.[18] More here.

Related reading: It’s time to start worrying about what Russia’s been up to in Latin America

There is a long and nefarious history between the United States and Cuba, but we don’t have to go back much further than the Clinton administration. It seems that with enough money to the Clintons or to the Democratic National Committee, lots of things can be overlooked.

****

THREAT TO THE HOMELAND

Iran’s Extending Influence in the Western Hemisphere

Iran not only continues to expand its presence in and bilateral relationships with countries like Cuba, Ecuador, Nicaragua, and Venezuela, but it also maintains a network of intelligence agents specifically tasked with sponsoring and executing terrorist attacks in the western hemisphere. True, the unclassified annex to a recent State Department report on Iranian activity in the western hemisphere downplayed Iran’s activities in the region; this material, however, appeared in an introductory section of the annex that listed the author’s self-described “assumptions.” While one assumption noted that “Iranian interest in Latin America is of concern,” another stated that as a result of U.S. and allied efforts “Iranian influence in Latin America and the Caribbean is waning.” More here from the Washington Institute.

Back in 1996, it seems the Clintons were doing what they are doing today: hanging out with criminals who donate.

WASHINGTON DESK – The Justice Department released on Wednesday photographs showing a convicted Miami cocaine trafficker standing next to and posing with Vice President Al Gore. The two were attending a party in Florida last December.

Apparently, Cabrera was asked to make a large donation to the Clinton-Gore campaign in exchange for perks like hob-nobbing with Al Gore and First Lady Hillary Rodham Clinton.

Jorge Cabrera’s cash contributions to the Clinton-Gore campaign were so generous that Cabrera was also invited to the White House and gained entrance there without any FBI or Secret Service security clearance.

CNN reported Wednesday that Cabrera’s attorney, Stephen Bronis, said the $20,000 given to the Clinton-Gore campaign was not intended to buy protection for drug smuggling.

‘He had a lobster and stone crab fishery in the Keys and felt that contribution might promote that future course,’ Bronis said.

The Clinton-Gore campaign only returned the $20,000 last week after the full story had reached ABC News, and the Clinton administration had been asked for comment by the media.

Cabrera was arrested in January during a Miami drug bust of nearly three tons of cocaine and pleaded guilty to one drug count. He was also imprisoned in the 1980s on narcotics charges.

A report that the picture of Cabrera and Gore had been impounded by the Justice Department prompted an angry reaction from Republicans, including Bob Dole’s presidential campaign, House Speaker Newt Gingrich and Rep. Bob Livingston of Louisiana, chairman of the House Appropriations Committee.

Republicans sent letters to Attorney General Janet Reno and the directors of the FBI and the Secret Service seeking information about Cabrera and the campaign contribution.

Livingston asked the federal agencies for a complete accounting of the facts relating to the story within three days: whether Cabrera had dined at the White House, details of his relationship with Clinton and Gore and, if he did dine with them, how he passed FBI & Secret Service scrutiny to gain access to them.

Reporters contacted the U.S. attorney’s office in Miami. When reporters requested them on Monday, Justice said it would not provide photographs of Cabrera and Gore in Florida and at the White House. In turning down the media request for information on Cabrera’s arrest for possession of and dealing in tons of cocaine, the Justice Department claimed the matter was covered by the Privacy Act.

Janet Reno put out information that the photo of Cabrera with Gore and Clinton could not be released without Cabrera’s consent. Later, the Justice Department did release the photographs after Cabrera submitted written authorization.

The delay by the Justice Department appeared to be an effort to distance itself from mounting accusations from the American public that the Justice Department is receiving guidance from the Clinton White House and the vice president’s office on the timing of Janet Reno’s investigation.

Justice says it is looking into the breach of national security posed by Cabrera’s ready access to secured areas of the White House and its grounds when he entered as an invited guest of President Clinton for dinner and photo-ops.

Then much more recently, like February of 2016, Hillary was busy nurturing the pro-Iran lobby including a fund-raiser.

Clinton will participate in a Menlo Park fundraiser on Sunday hosted by Twitter executive Omid Kordestani and his wife Gisel Hiscock, as well as National Iranian American Council (NIAC) board member Lily Sarafan and Noosheen Hashemi, who serves on the board of the pro-Iran advocacy group Ploughshares, a major funder of pro-Iran efforts.

NIAC, an advocacy group formed by Iranian-Americans to work against the pro-Israel community, has long been accused of lobbying on Iran’s behalf against sanctions and other measures that could harm the Islamic Republic’s interest.

Ploughshares, which partners with NIAC, is joining the White House in efforts to pressure the Jewish community and others to back the recently implemented Iran nuclear agreement, the Free Beacon reported.

The organization has also spent millions to influence coverage of Iran and protect the Obama administration’s diplomatic relations with Iran.

NIAC has emerged a key pro-Iran player in the United States, working with the White House and liberal groups to spin the deal as a positive for U.S. national security.

The group is currently leading the charge to block recent counter-terrorism legislation that would require individuals who have travelled to Iran to obtain a visa before entering the United States. More from FreeBeacon.

Alright so we have established historical relationships with Cuba and Iran and the Clintons. Is there more that we should know? Yes.

  1. Cuban spies in America
  2. The DEA did its job, but Bill Clinton remained loyal to the Castro brothers
  3. Hillary’s personal global spy, Sidney Blumenthal collaborated on Hezbollah’s new office in Cuba.
  4. In 2011, Hillary’s State Department sent their old friend Bill Richardson to Cuba to bring back an American, Alan Gross, who was an embedded spy working for USAID.
  5. In 2009, Obama and Hillary began the normalization process with Cuba.
  6. Bill Clinton’s old buddy Strobe Talbott collaborated on Cuba with Hillary’s State Department.
  7. Hillary announced that Iran would be invited to an upcoming multinational conference on Afghanistan
  8. Documents reveal Bill Clinton’s secret contact with Iran
  9. Sid Blumenthal, Jake Sullivan and Hillary on Iran and Israel

Iran’s Cuba and Latin American Tours and Trouble Ahead

While the United States attempted to normalize relations with both Iran and Cuba, it appears the real result is a renewed friendliness between Iran and Cuba at the cost of the U.S. taxpayer, that $1.7 billion or more.

It also must be noted that Cuban refugees continue to appear on American shores, but now we must question how many of them are terrorists and what they are bringing with them. Iceberg ahead.

It is also important to note that the Cuban military runs all tourism and the hospitality industry as the United States has opened those travel channels.

****

Related reading: Breaking Sanctions with Cuba?

Cuba was a state sponsor of terrorism, that is, until the White House decided it was no longer.

Cuba supports Iran’s nuclear ambitions and opposed IAEA rebukes of secret Iranian enrichment sites. The two countries have banking agreements (Islamic Republic News Agency), economic cooperation and lines of credit (FNA), and three-way energy-focused treaties with Bolivia (CSMonitor). Cuba and Iran hold regular ‘Joint Economic Commission’ meetings; the latest, in November 2009, further expanded bilateral trade and economic ties.

Related reading: The U.S. has had a Russian Problem of Espionage for Decades

One of Cuba’s largest and long-term industries is spying and selling intelligence and secrets globally.

****

Iran says will open new chapter in relations with Cuba

Reuters: Kicking off a six-day tour of Latin America, Iranian Foreign Minister Mohammad Javad Zarif said on Monday in Havana his visit would open a new chapter in the Islamic Republic’s relations with Communist-ruled Cuba.

Iran, which has long been friendly with Cuba, is on a drive to improve foreign commerce after the removal in January of international sanctions against the Islamic Republic.

“We will start a new chapter in the bilateral relations with Cuba on the basis of a big (business) delegation accompanying me on this visit,” Zarif said at a meeting with his Cuban counterpart, Bruno Rodriguez.

The international community lifted sanctions on Iran as part of the deal under which Tehran curbed its nuclear program.

Rodriguez congratulated Iran on the “success of its foreign policy” while reiterating its longstanding support for “all countries to develop nuclear energy with pacific ends”.

Cuba and Iran have in common a long stand-off with the United States. They were both on the U.S. State Department’s list of terrorism sponsoring countries until Havana was removed last year as part of a detente with Washington.

“We have always been on the side of the great Cuban people in view of atrocities and unjust sanctions,” Zarif said.

“The government and Cuban people have also always shown us solidarity with regards to the atrocities committed by the empire.”

Zarif’s tour will also take him to Chile, Nicaragua, Bolivia and Venezuela.

Just last week, Cuba’s new Economy Minister Ricardo Cabrisas made a trip to Tehran where he met with President Hassan Rouhani.

German exports to Iran, mostly machines and equipment, jumped in the first half of the year following the removal of international sanctions against the Islamic Republic, official trade data showed on Monday.

Pelosi’s Saturday Night Call over Russia Hacked Ploys

It seems a talking point is being launched: whatever Russia did do with regard to hacking the Democrats, watch out, because the actual text could be altered and false. Politico seems to be carrying the water for that talking point as well.

Admittedly, Russia does publish false propaganda, and Russia Today (RT) and Sputnik News are its go-to outlets. But in this case, does Russia need to do this? Okay, read on, as the Democrats are in fear and setting the table to promote an early warning.

Democrats’ new warning: Leaks could include Russian lies


The move could help inoculate Hillary Clinton against an October cyber surprise.

Politico: Democratic leaders are putting out a warning that could help inoculate Hillary Clinton against an October cyber surprise: Any future mass leaks of embarrassing party emails might contain fake information inserted by Russian hackers.

House Minority Leader Nancy Pelosi is among those sounding that alarm, echoing security experts who say Russian security services have been known to doctor documents and images or bury fictitious, damaging details amid genuine information. For hackers to resort to such tactics would be highly unusual, but security specialists say it’s a realistic extension of Moscow’s robust information warfare efforts.

Pelosi aired her concerns during a Saturday night conference call with Democratic lawmakers and aides who had been stung by a dump of their emails and phone numbers, according to a source on the call.

Democratic strategists say the party would be wise to trumpet warnings about faked leaks as it braces for the possibility of hackers releasing damaging information about Clinton or other candidates close to Election Day. Preemptively casting doubt on the leaks may be easier now than trying to mount a full response days before voters go to the polls.

“It is certainly a valid issue to raise, because clearly the people who are doing these attacks have a political agenda that’s against the Democratic Party,” said Anita Dunn, who was White House communications director in the early part of President Barack Obama’s first term.

If Russia is indeed attempting to destabilize Clinton’s candidacy through the widespread digital assault on Democratic institutions — as many researchers believe, and Democrats are alleging, but Moscow strongly denies — “why wouldn’t you want to raise the potential [for tampering]?” asked Dunn, now a partner at communications firm SKDKnickerbocker. “I think it’s only prudent for people to raise that possibility.”

Republicans say Democrats are just trying to distract the public from the most important issue: the content of the leaks. They say the Democrats already tried to do that with the first batch of 20,000 Democratic National Committee emails that leaked in July, which forced the resignation of Chairwoman Debbie Wasserman Schultz after showing that some DNC staffers had favored Clinton over primary rival Sen. Bernie Sanders.

“First, they made it all about Russia instead of the substance of what was actually in the emails,” said Matt Mackowiak, a veteran Republican strategist. Now, he added, “If there is a massive trove of emails or documents relating to the Clinton campaign or the Clinton Foundation … they may just say, ‘Look, the authenticity of the emails hasn’t been confirmed.’”

Intelligence officials — including NSA Director Adm. Michael Rogers and Director of National Intelligence James Clapper — have long argued that data manipulation more broadly is a disturbing possibility, and potentially the next front in both cybercrime and the budding digital warfare between countries.

Last month, a bipartisan group of 32 national security experts at the Aspen Institute Homeland Security Group warned of a specific type of fakery following the DNC hack, arguing that the suspected Russian hackers who struck the DNC and the Democratic Congressional Campaign Committee could “salt the files they release with plausible forgeries.”

In Saturday’s call, Pelosi was underlining a point made by cyber experts at CrowdStrike, the firm the party has hired to investigate the breaches at the DNC and the DCCC. The conference call was prompted by the late Friday release of DCCC spreadsheets containing nearly all House Democrats’ and staffers’ personal emails and phone numbers, which led to a flood of harassing emails and phone calls over the weekend.

In total, the hackers have reportedly infiltrated more than 100 party officials and groups, leaving progressives fearful that the entire Democratic Party apparatus is potentially compromised. During Saturday’s call, House members in competitive races voiced concerns about what damning information might be out there.

But hacking specialists say the most harmful information might not even be genuine.

“You may have material that’s 95 percent authentic, but 5 percent is modified, and you’ll never actually be able to prove a negative, that you never wrote what’s in that material,” CrowdStrike co-founder Dmitri Alperovitch told POLITICO. “Even if you released the original email, how will you prove that it’s not doctored? It’s sort of damned if you do, damned if you don’t.”

Several Democratic operatives said they even expect fake information, though mixed with enough truth to cause damage.

“The most powerful lie contains truth,” said Craig Varoga, a D.C.-based Democratic strategist. “Whether it’s the devil or it’s Russian intelligence services, they traffic in things that are true in order to put across a greater lie.”

Historically, it’s not unprecedented for intelligence agencies — including those in the U.S. — to release fake reports for propaganda purposes. The FBI’s COINTELPRO program infamously used forged documents and false news reports to discredit or harass dissenters during the 1950s and 1960s, including civil rights leaders, anti-war protesters and alleged communist organizations.

Hackers have adopted similar strategies.

In 2013, Syrian hackers backing embattled President Bashar Assad hijacked The Associated Press’ Twitter account, tweeting out falsified reports of two explosions at the White House that had injured Obama. The Dow plummeted in minutes, wiping out $136 billion in market value, according to Bloomberg. It stabilized shortly thereafter, once the report was revealed to be a hoax.

Russia has long been known for engaging in such propaganda warfare, going back to the days of the Soviet Union, when the KGB spread conspiracy theories about the FBI and CIA’s involvement in President John F. Kennedy’s assassination. In the 1980s, the KGB planted newspaper articles alleging that the U.S. had invented HIV during a biological weapons research project.

The security agency also secretly helped an East German journalist write a book, “Who’s Who in the CIA,” that accurately outed numerous undercover CIA agents but also intentionally included a raft of people who were simply American officials stationed overseas, according to a former top Soviet security official.

In the weeks since the DNC email leaks, cyber specialists on Twitter have been circulating a passage from the memoirs of a former East German spymaster who wrote about the “creative” use of forgeries in conjunction with genuine leaks.

“Embarrassed by the publication of genuine but suppressed information, the targets were badly placed to defend themselves against the other, more damaging accusations that had been invented,” wrote Markus Wolf, who had headed East Germany’s foreign intelligence division for more than three decades. (On the other hand, he added that, “my principle was to stick as close to the truth as possible, especially when there was so much of it that could easily further the department’s aims.”)

In recent years, the Kremlin has adapted these tactics for a digital age.

The Kremlin was caught in 2014 manipulating satellite images to produce “proof” that Ukraine had shot down the Malaysia Airlines flight that was downed over Ukraine, killing 298 passengers. Last year, a Russian lawmaker’s staffer was exposed filming a fake war report, pretending to be near the front line in eastern Ukraine, where Moscow has seized territory.

“Standard Russian modus operandi,” said James Lewis, an international cyber policy expert at the Center for Strategic and International Studies, via email. “They’ve done it before in the Baltics and other parts of Europe: Leak a lot of real data and slip in some fakes (or more often, things that have been subtly modified rather than a complete fake).”

Digital forensics experts even noted that the metadata on some of the early documents leaked from the DNC — which included opposition research files — had been altered, although it didn’t appear that any content was compromised. But the discovery showed how easy such an edit would be.

“They have information warfare as a core tenet of what they do from a geopolitical perspective,” said Steve Ward, director of communications for digital security firm FireEye, which tracks many Russian hacking groups. “It’s really in their wheelhouse.”

But Ward and other digital security experts acknowledge that the exact scenario Pelosi was discussing would be novel, and that so far, hackers have had little incentive to manipulate leaked data. As anonymous digital actors, hackers already have the deck stacked against them when trying to expose information.

“You’ve got to suspend disbelief and trust the bad guys when you’re looking at this stuff,” Ward said. If they make just one discredited leak, hackers are “effectively losing the value of the operation by creating distrust with the data,” he added.

This leads many cyber experts to suspect that any release of faked emails, if it comes at all, would probably not come until days before the Nov. 8 election. At that point, the Democrats wouldn’t have time to definitively prove a forgery.

So it makes sense, strategists said, for Democrats to put the concept in the public’s mind now.

“What Pelosi is doing is making the response now,” said Brad Bannon, a longtime Democratic consultant. “Democrats do have their antenna up over this thing. They are anticipating.”

Eric Geller, Martin Matishak and Heather Caygle contributed to this report.

The Russians Hacked the NSA? Ah…What?

This is bad bad bad….and panic has struck Washington DC ….payment is to be in Bitcoins…

Graphics of files below courtesy of Arstechnica.


More here in further detail.

*****

Most outside experts who examined the posts, by a group calling itself the “Shadow Brokers,” said they contained what appeared to be genuine samples of the code — though somewhat outdated — used in the production of the NSA’s custom-built malware. Most of the code was designed to break through network firewalls and get inside the computer systems of competitors like Russia, China and Iran. That, in turn, allows the NSA to place “implants” in the system, which can lurk unseen for years and be used to monitor network traffic or enable a debilitating computer attack.  More here.

NSA and the No Good, Very Bad Monday

LawFare: Monday was a tough day for those in the business of computer espionage. Russia, still using the alias Guccifer2.0, dumped even more DNC documents. And on Twitter, Mikko Hypponen noted an announcement on Github that had gone overlooked for two days: a group is hosting an auction for code from the “Equation Group,” which is more commonly known as the NSA. The auctioneer’s pitch is simple, brutal, and to the point:

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

This release included two encrypted files, and the password to one was provided as proof while the other remains encrypted. The attackers claim that they will provide the password to the second file to the winner of a Bitcoin auction.

The public auction part is nonsense. Despite prevailing misconceptions on cryptocurrency, Bitcoin’s innate traceability means that no one could really expect to launder even $1M out of a high profile Bitcoin wallet like this one without risking detection, let alone the $500M being requested for a full public release. The auction is the equivalent of a criminal asking to be paid in new, marked, sequential bills. Because the actors here are certainly not amateurs, the auction is presumably a bit of “Doctor Evil” theater—the only bids will be $20 investments from Twitter jokesters.

But the proof itself appears to be very real. The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA’s implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets.

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I’ve found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely that this data is authentic. And it does not appear to be information taken from compromised targets. Instead, the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.

It is also unlikely that this data is from the Snowden cache. Those documents focused on PowerPoint slides and shared data, not detailed exploits. Besides NSA, the only plausible candidate for ownership is GCHQ—and the implications of stealing Top Secret data from GCHQ and modifying it to frame the NSA would themselves be startling.

All this is to say that there is relatively high confidence that these files contain genuine NSA material.

From an operational standpoint, this is not a catastrophic leak. Nothing here reveals some special “NSA magic.” Instead, this is evidence of good craftsmanship in a widely modular framework designed for ease of use. The immediate consequence is probably a lot of hours of work down the drain.

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps—which are easy to modify—the most likely date of acquisition was June 11, 2013 (see Update, however). That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks, as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary’s access.

As with other recent cyber conflicts, the espionage aspect is troubling but not entirely new. It’s very, very bad that someone was able to go rummaging through a TS//SCI system—or even an unclassified Internet staging system where the NSA operator unwisely uploaded all this data—and to steal 300 MB of data. But whoever stole this data now wants the world to know—and that has much graver implications. The list of suspects is short: Russia or China. And in the context of the recent conflict between the US and Russia over election interference, safe money is on the former.

Right now, I’d imagine that the folks at NSA are having rather unpleasant conversations about what the other encrypted file might contain, and what other secrets this attacker may have gained access to. Even if they were aware of the attack that resulted in this leak, there’s no way of knowing what is in the other archive. Is there evidence of another non-Snowden insider who went silent three years ago? Was a TS//SCI system remotely compromised? Was there some kind of massive screw-up at an agency which prides itself on world class OPSEC? Some combination of the three?

And—most chillingly—what else might be released before this war of leaks is over?


Update: Thanks to @botherder for pointing out that a couple files have a newer date: One file has a date of June 17th, 2013; another has a date of July 5th, 2013; three setup scripts are dated September 4th, 2013; and two have dates of October 18th 2013. One of those files (which I’m currently investigating) is the database of allocated Ethernet MAC addresses, which may be able to identify a later minimum date of compromise. If the latter date of October 18th, 2013 is correct, this is even more worrisome, as this suggests that the compromise happened four months after the initial Snowden revelations—a period of time when the NSA’s systems should have been the most secure.

Update 2: Looking at the dates again, it now does seem somewhat likely that this was data copied on June 11th, 2013 with a few updates with a compromise after October 18th. This does make it more likely that this was taken from a set of files deliberately moved onto a system on the Internet used for attacking others. To my mind, this is actually an even scarier possibility than the NSA internal system compromise: This scenario would have the NSA, after the Snowden revelations, practicing some incredibly awful operational security. Why should the NSA include five different versions of the same implant on a system used to attack other systems on the Internet? Let alone implants which still have all the debugging strings, internal function names, and absolutely no obfuscation?

Update 3: Kaspersky confirms that the particular use of RC6 matches the unique design present in other Equation Group malcode. XORcat apparently confirmed that the Cisco exploit works and, due to the versions it can attack, was a zero day at the time. This exploit would generally work to take over a firewall from the inside of a target network since it did require limited access that is almost always blocked from the outside.
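The dating argument in the LawFare post above (the newest file timestamp in the archive as a minimum date of acquisition, and the caveat that “a simple utility run to scrub all newer documents” defeats it) can be made concrete. The following is an added example, not code from the LawFare post or from this page: it builds a small in-memory tar archive whose member names and mtimes are constructed for the demonstration (the dates deliberately mirror the ones the post mentions, but nothing here is read from the real dump), reports the newest mtime as the lower bound on when the data was copied, and then shows that dropping every file newer than a chosen cutoff leaves a perfectly consistent archive whose bound now points at an earlier, misleading date.

```python
import io
import tarfile
from datetime import datetime, timezone

# Constructed sample archive: names and dates are invented for this example
# (chosen to echo dates mentioned in the post), not taken from the real dump.
SAMPLE_FILES = {
    "implants/v1/README": "2012-05-03",
    "implants/v5/README": "2013-04-20",
    "exploits/fw_exploit.py": "2013-06-11",
    "scripts/setup.sh": "2013-09-04",
    "oui.txt": "2013-10-18",
}


def _epoch(day):
    """UTC midnight of a YYYY-MM-DD string as a Unix timestamp."""
    dt = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_archive(files):
    """Build an in-memory tar whose member mtimes come from `files`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, day in files.items():
            data = b"placeholder content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = _epoch(day)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def mtime_summary(archive):
    """Return (newest_day, {day: file_count}) from the members' mtimes.

    newest_day is only a lower bound on when the archive was assembled:
    the data cannot have been copied before its newest file was written,
    and that holds only if the mtimes themselves are genuine.
    """
    counts = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            day = datetime.fromtimestamp(member.mtime, timezone.utc)
            key = day.strftime("%Y-%m-%d")
            counts[key] = counts.get(key, 0) + 1
    # ISO dates sort lexicographically, so max() gives the newest day.
    return (max(counts) if counts else None), counts


def scrub_after(archive, cutoff_day):
    """Rebuild the archive without any member newer than cutoff_day (UTC).

    This is the 'simple utility' the post worries about: removing newer
    files leaves nothing inconsistent behind, and the newest remaining
    mtime now understates the real date of acquisition.
    """
    cutoff = _epoch(cutoff_day) + 86400 - 1  # last second of cutoff_day
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for member in src.getmembers():
            if member.mtime > cutoff:
                continue
            payload = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, payload)
    return out.getvalue()


if __name__ == "__main__":
    original = build_archive(SAMPLE_FILES)
    print("original:", mtime_summary(original))
    scrubbed = scrub_after(original, "2013-06-11")
    print("after scrub:", mtime_summary(scrubbed))
```

Run as a script, the first line reports October 18th, 2013 as the bound and the second reports June 11th, 2013 after the scrub, with no trace in the archive that anything was removed. That is why the post treats the timestamp date as “most likely” rather than certain: a single file whose content is independently datable, such as the MAC address allocation database the update mentions, pins the bound in a way that mtimes alone cannot.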

*****

In part from the Washington Post:

A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.

The file appeared to be real, according to former NSA personnel who worked in the agency’s hacking division, known as Tailored Access Operations (TAO).

“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”

“Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview. “Much of this code should never leave the NSA.”

The tools were posted by a group calling itself the Shadow Brokers using file-sharing sites such as BitTorrent and DropBox.

At the same time, other spy services, like Russia’s, are doing the same thing to the United States.

It is not unprecedented for a TAO operator to accidentally upload a large file of tools to a redirector, one of the former employees said. “What’s unprecedented is to not realize you made a mistake,” he said. “You would recognize, ‘Oops, I uploaded that set’ and delete it.”

Critics of the NSA have suspected that the agency, when it discovers a software vulnerability, frequently does not disclose it, thereby putting at risk the cybersecurity of anyone using that product. The file disclosure shows why it’s important to tell software-makers when flaws are detected, rather than keeping them secret, one of the former agency employees said, because now the information is public, available for anyone to employ to hack widely used Internet infrastructure. Read the full article here.