Category Archives: Russia

About that Trump Server with Pings from Alfa Bank

Posted on by

A matter of note: Alfa Bank has FIFA as a customer. Under Loretta Lynch at DoJ, she prosecuted the FIFA fraud, Further, that pesky Trump dossier that was crafted by Christopher Steele is the same person that broke the case on FIFA. (Note the end of this press release).

Image result for alfa bank  Image result for alfa bank russia

Press Statement: Alfa Bank confirms it has sought help from U.S. authorities, and discloses new cyberattacks linked to Trump hoax  —

Alfa Bank, a privately owned Russian bank, confirmed today that it has contacted U.S. law enforcement authorities for assistance and offered U.S. agencies its complete co-operation in finding the people behind attempted cyberattacks on its servers that have made it appear falsely that it has been communicating with the Trump Organization.

Alfa Bank confirmed a story in Circa News that it had been subjected to three new attempted domain name server (DNS) cyberattacks of increasing intensity over the last few weeks. In the attacks, multiple DNS requests were made by unidentified individuals, mostly using U.S. server providers, to a Trump Organization server. The DNS requests were made to appear as if they originated from Alfa Bank. The DNS responses from the Trump server were then erroneously returned to Alfa Bank, activating Alfa Bank’s automated security systems on February 18 and again on March 11 and 13. Alfa Bank has engaged the U.S.-based cyber forensics firm Stroz Friedberg to investigate these new attacks.

Alfa Bank believes that these malicious attacks are designed to create the false impression that Alfa Bank has a secretive relationship with the Trump Organization. In fact, there is not and never has been such a relationship.

New February 2017 attack on Alfa Bank server

On February 18, 2017, Alfa Bank experienced suspicious cyber-activity from an unidentified third-party. Specifically, the unidentified third-party repeatedly sent suspicious DNS queries from servers in the U.S. to a Trump Organization server. The unidentified individuals made it look as though these queries originated from variants of MOSCow.ALFAintRa.nET. As a result, the DNS responses from the Trump server were returned incorrectly to Alfa Bank’s server, which triggered Alfa Bank’s automated security system.

Alfa Bank believes that unknown individuals — using an identified U.S.-based service provider — are behind this recent attack, and that they are attempting to trigger verification signals between Alfa Bank and a server associated with the Trump Organization.

It believes that someone or some group manufactured this deceit by «spoofing» or falsifying DNS lookups to create the impression of communication between Alfa Bank and the Trump Organization. However, Alfa Bank’s DNS servers neither send nor receive email. Instead, they react when contacted by unwanted and unsolicited messages by sending out DNS verification signals asking, in effect, who is the server contacting Alfa Bank.

An Alfa Bank spokesperson said:

“The cyberattacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ’Trump servers’.

«A simple analogy would be someone in the U.S. sending an empty envelope (in this case a DNS signal) to a Trump office (server) addressed to Trump, but on the back of the envelope the return address is Russia (Alfa Bank) instead of its own real address. The Trump office, recognizing there is nothing in the empty envelope to deal with, returns it as undelivered to Russia instead of to the U.S.-based sender. So, on cursory examination, Alfa Bank appears to have been receiving responses to queries it never actually sent.

«We have gone to the U.S. Justice Department and offered our complete co-operation to get to the bottom of this sham and fraud.»

Other indications of human intervention include the fact that the queries occurring in these logs included mixed uppercased and lowercased letters. The majority of DNS queries are machine based queries (for example, browsers and email clients), which would send lowercased queries to the DNS servers.

A few days after the February 18 DNS attack, Alfa Bank again started to receive inquiries from U.S. media outlets, including CNN, about allegations of cyber links with Donald Trump. No such link exists or, in fact, has ever existed between Alfa Bank and Mr. Trump or his organization.

An anonymous group has been trying for months to persuade news organizations to publish stories that such a link is real. Alfa Bank has asked reporters who have contacted it about the traffic to assist by letting the bank know if someone is trying to create the false impression that Alfa Bank has business or other dealings with Mr. Trump.

Two new confirmed March 2017 attacks on Alfa Bank server

On March 11 and 13, Alfa Bank was subjected to two new DNS attacks using similar methods. These attacks appear to have been orchestrated from multiple servers primarily in the U.S.

Between 02:00 and 07:00 (Moscow Time) on March 11 and at 21:00 on March 13, Alfa Bank experienced suspicious cyber activity from an unidentified third party or parties. The unidentified third parties or party repeatedly sent unusual DNS queries to a Trump server, the responses to which again ultimately triggered Alfa Bank’s automated security system.

Over a five-hour period on Saturday — and again on Monday — Alfa Bank received more than 1,340 DNS responses containing mail.trump-email.com.moscow.alfaintra.net.

These malicious and seemingly co-ordinated DNS attacks are coming from unidentified users using a variety of predominantly U.S. servers, including Google and Amazon web services. These IP service providers are inadvertently allowing their infrastructure to be used to attack Alfa Bank.

Alfa Bank suspects the unidentified parties are attempting to cover their tracks by using cloud services from these providers.

Given the frequency of the attacks and the variety of Internet service providers used in the attacks, Alfa Bank’s working hypothesis is that these new attacks are being launched from a botnet.

Possible third new attack In March 2017

Alfa Bank has now started to monitor all incoming messages to its servers containing the word «trump.» This monitoring has revealed that Alfa Bank also is receiving unsolicited marketing emails from «[email protected].» These incoming spam marketing emails also trigger Alfa Bank’s security system, which automatically sends multiple DNS verification requests back to the originating server — here, the Trump server — in order to ascertain the identity of the sender.

Alfa Bank does not know whether these marketing emails are legitimate, or whether a third-party is orchestrating the campaign in another attempt to create the false impression of inappropriate communications between Alfa Bank and the Trump Organization.

In response to media questions that started last September, Alfa Bank asked Mandiant, one of the world’s leading cyber experts, to investigate allegations suggested by an anonymous cyber group of a link between Alfa Bank and Trump, based on unverified DNS logs.

Mandiant completed its independent investigation late last year. After examining Alfa Bank’s system both remotely and on the ground in Moscow, and the unverified DNS data presented to the media by the anonymous cyber group, Mandiant concluded that there is no evidence of substantive contact, such as emails or financial links, between Alfa Bank and the Trump Campaign or the Trump Organization.

Mandiant investigated (1) the DNS data given to the media, which journalists had shared with independent DNS experts, and (2) Alfa Bank servers for any evidence of links.

Mandiant concluded:

DNS data — There is no information that indicates where the list (obtained by reporters) has come from. The list contains approximately 2,800 look ups of a Domain Name over a period of 90 days. The information is inconclusive and is not evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization.

Alfa Bank servers — Nothing we have or have found alters our view as described above that there is no evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization.

Mandiant’s working hypothesis is that the activity the reporters’ sources alleged last year was caused by an email marketing/spam campaign possibly targeted at Alfa Bank employees by a marketing server, which triggered security software.

Earlier this year, Alfa Bank launched another investigation to find out who was — and maybe still is — behind this elaborate hoax.

Access to other’s DNS data is highly privileged and is usually independently examined for academic purposes and cyber security research. Therefore, the examination and sharing of DNS data by the people involved in these fraudulent activities brings into question whether these data were acquired lawfully and whether it was ethical to misuse privileged access in order to manufacture a deceit.

Alfa Bank’s working hypothesis is that an individual — possibly well known in internet research circles — may have fed selected DNS data to an anonymous cyber group to ensure they reached a specific (and erroneous) conclusion. Alternatively, the cyber group may have been complicit in the deceit. In the most recent cases, unknown individuals demonstrably attempted to insert falsified records onto Alfa Bank’s computer systems designed to create the same impression.

An Alfa Bank spokesperson said: «The anonymous cyber group, which is led according to news accounts by ‘Tea Leaves,’ cannot produce evidence of a link because there never has been one. Alfa Bank believes that it is under attack and has pledged its complete cooperation to U.S. authorities to find out who is behind these malicious attacks and false stories.»

Founded in 1990, Alfa-Bank is a full-service bank operating in most sectors of the financial market, including retail and corporate lending, investment banking, leasing, factoring and trade finance.

According to its IFRS Consolidated Financial Statements as of 31 December 2016, the Alfa Banking Group, which comprises ABH Financial, Joint Stock Company Alfa-Bank as well as its subsidiary financial companies, had total assets of $38.2 bn, gross loans of $23.9 bn, and total equity of $5.7 bn. Net profit for 2016 amounted to $527 mln.

As of December 31, 2016 the Alfa Banking Group serves around 334,000 corporate and 14.3 mln retail customers, while the branch network consists of 733 offices across Russia and abroad, including a subsidiary bank in the Netherlands and financial subsidiaries in United Kingdom and Cyprus.

Alfa-Bank is an official European bank of the 2018 FIFA World Cup and the 2017 FIFA Confederations Cup. Since its foundation in 1990 Alfa-Bank has been known for supporting of large cultural events. With the assistance of Alfa-Bank a lot of world-famous foreign musicians visited Russia: Ray Charles, Elton John, Tina Turner, Bryan Adams, Eric Clapton, Sting, Robbie Williams, Whitney Houston, Paul McCartney, Mark Knopfler and others.

In 2011 the bank organized a 4D show of internationally acknowledged David Atkins on Moscow’s Vorobyovy Hills visited by over 800 000 spectators. In addition, Alfa-Bank is the organizer of the annual modern music and technology festival AlfaFuturePeople.

North Korea’s Weapons Program Includes More Countries

Posted on by

We can go back to 1968 when North Korea hijacked our naval intelligence ship USS Pueblo as a reminder for the basis on how to address North Korea today.

Image result for uss puelbo

Then as today, Russia collaborated with North Korea as does Iran. North Korea dispatched 2 MiG fighter jets along with several attack submarines in the capture of the Pueblo. At the time was also the Vietnam war of which Russia provided unmeasured military support to North Vietnam and did not want to add another theater of conflict with the United States, as noted by the Blue House raid.  noted by the In fact, China cannot be overlooked either for many reasons.

Newly placed U.S. Secretary of State Rex Tillerson is traveling the region meeting with Asian leaders on the matter of stopping North Korea. The question is how far and wide are these talks with regard to additional countries cooperation with North Korea.

As for Iran and North Korea, The Telegraph reported the following:

The Shahab-3 is a modified version of North Korea’s Nodong missile which itself is based on the old Soviet-made Scud.

The Nodong, which Iran secretly acquired from North Korea in the mid-1990s, is designed to carry a conventional warhead. But Iranian engineers have been working for several years to adapt the Shahab-3 to carry nuclear weapons.

“This is a major breakthrough for the Iranians,” said a senior US official. “They have been trying to do this for years and now they have succeeded. It is a very disturbing development.”

The Shahab 3 has a range of 800 miles, enabling it to hit a wide range of targets throughout the Middle East – including Israel.

Image result for north korea high thrust engine UPI

Further in 2015, Forbes reported collaboration between Iran and North Korea where the exchange of engineers and scientists between the two countries is common:

North Korea and Iran are believed to be exchanging critical stuff – North Korean experts and workers remaining in place while Iran sends observers to check out intermittent North Korean missile launches and see what North Korea is doing about staging a fourth underground nuclear explosion.

The nuclear exchange revolves around North Korea’s program for developing warheads with highly enriched uranium – with centrifuges and centrifuge technology in part acquired from Iran. At the same time, North Korea is able to assist Iran in miniaturizing warheads to fit on missiles – a goal the North has long been pursuing – and also can supply uranium and other metals mined in its remote mountain regions.

“North Korea continues to supply technology, components, and even raw materials for Iran’s HEU weaponization program,” says Bruce Bechtol, author of numerous books and studies on North Korea’s military and political ambitions. Moreover, he says, “They are even helping Iran to pursue a second track by helping them to build a plutonium reactor.”

That assessment supports the view of analysts that Iran is counting on North Korean expertise in constructing a reactor that produces warheads with plutonium. The reactor would be a more powerful version of the aging five-megawatt “experimental” reactor with which the North has built perhaps a dozen warheads at its nuclear complex at Yongbyon, including three that it’s tested underground — in October 2006, May 2009 and February 2013, two years ago this month.

Then comes China, where the entire North Korea internet platform used by North Korea is hosted by China. Beyond managing cyber systems for North Korea, China is also collaborating with North Korea on nuclear weapons at key production sites producing lithium for thermonuclear and boosted fission research and development.

Sanctions have been placed on North Korea due to violations of UN resolutions due to the weapons of mass destruction operations which does include missiles and the nuclear program. However, North Korea has not been affected with regard to the research/development and production due to out of country front operations where China and Malaysia are involved.

Forbes also reported:

Although the UN resolutions have highly restricted North Korea’s access to the financial system on paper, the report suggests that these sanctions have not affected the ability of North Korean networks such as Pan Systems Pyongyang to finance its operations, asserting that the network maintains bank accounts in China, Malaysia, Singapore, Indonesia, and the Middle East. By conducting financial transactions under the names of its affiliates such as Pan Systems Singapore, the company has been able to maintain sufficient financial access to the international financial system that it was able to transfer funds to a supply chain of more than twenty companies in China, and has also used front companies to conduct transactions via Hong Kong-registered companies that were cleared through U.S. correspondent banks in New York. The Panel of Experts report also provides details on the interception in the Suez Canal of the Cambodian-flagged and North Korean-crew piloted Jie Shun in what it categorizes as the “largest interdicted ammunition consignment in DPRK sanctions history,” superseding the 2013 interdiction of the North Korean flagged Chong Chon Gang ship that was loaded with vintage Cuban munitions and airplane parts. The interdiction of the Jie Shun by Egypt revealed a cargo from North Korea through the Suez Canal containing 30,000 PG-7 rocket propelled grenades (RPG) and related sub-components shipped in wooden crates concealed under 2,300 tons of limonite (iron ore). The Jie Shun evaded detection by cutting off GPS during most of its journey, with the exception of transit through heavily trafficked straits and ports. The shipment from Haeju in North Korea to an undisclosed Middle Eastern destination were falsely labeled as “assembly parts for an underwater pump,” and the bill of lading showed the address of the “Dalian Haoda Petroleum Chemical Company, Ltd.”

Rex Tillerson stated that ‘strategic patience’ has run out with regard to North Korea and all options remain on the table including preemptive strikes. North Korea has launched 46 missiles since 2011 and the most recent launch was to test a super high thrust rocket steering engine which was designed by Russian blueprints and engineers.

 Tillerson at the DMZ lexpress.fr

The addition of a four-chamber steering engine further points toward a design rooted in Soviet missile technology as RD-250 and its descendants – when used on the R-36 missile and Tsiklon-2/3 orbital launchers – were coupled with a four-chamber RD-68M steering engine.

Photo: KCNA

This engine adaptation in all likelihood uses Unsymmetrical Dimethylhydrazine and Nitrogen Tetroxide propellants – a more powerful combination in terms of specific impulse compared to the Nitric Acid / UDMH propellant used by North Korea’s Unha booster

September 2016 Test Setup vs- March 2017 Test Setup – Images: KCTV/KCNA

 

 

WTH: Siphoning off Cellphone Data in DC is Real

Posted on by

First

An IMSIcatcher (International Mobile Subscriber Identity) is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. Essentially a “fake” mobile tower acting between the target mobile phone(s) and the service provider’s real towers, it is considered a man-in-the-middle (MITM) attack.

Low-cost IMSI catcher for 4G/LTE networks tracks phones’ precise locations

$1,400 device can track users for days with little indication anything is amiss.

The researchers have devised a separate class of attacks that causes phones to lose connections to LTE networks, a scenario that could be exploited to silently downgrade devices to the less secure 2G and 3G mobile specifications. The 2G, or GSM, protocol has long been known to be susceptible to man-in-the-middle attacks using a form of a fake base station known as an IMSI catcher (like the Stingray). 2G networks are also vulnerable to attacks that reveal a phone’s location within about 0.6 square mile. 3G phones suffer from a similar tracking flaw. The new attacks, described in a research paper published Monday, are believed to be the first to target LTE networks, which have been widely viewed as more secure than their predecessors.

“The LTE access network security protocols promise several layers of protection techniques to prevent tracking of subscribers and ensure availability of network services at all times,” the researchers wrote in the paper, which is titled “Practical attacks against privacy and availability in 4G/LTE mobile communication systems.”

Second

ESD Overwatch:

Generate a continuously updated national situation report by means of distributed detection and localization of a multitude of baseband attacks as well as the manipulation of cellular signaling.

Detect and monitor cellular attacks in real-time

  • IMSI Catchers

    IMSI Catchers

  • Baseband Attacks

    Baseband Processor Attacks

  • Rogue Basestation

    Rogue Basestations

  • Cellular Jamming

    Cellular Jamming

Third

Suspected Hack Attack Snagging Cell Phone Data Across D.C.

Malicious entity could be tracking phones of domestic, foreign officials

FreeBeacon: An unusual amount of highly suspicious cellphone activity in the Washington, D.C., region is fueling concerns that a rogue entity is surveying the communications of numerous individuals, likely including U.S. government officials and foreign diplomats, according to documents viewed by the Washington Free Beacon and conversations with security insiders.

A large spike in suspicious activity on a major U.S. cellular carrier has raised red flags in the Department of Homeland Security and prompted concerns that cellphones in the region are being tracked. Such activity could allow pernicious actors to clone devices and other mobile equipment used by civilians and government insiders, according to information obtained by the Free Beacon.

It remains unclear who is behind the attacks, but the sophistication and amount of time indicates it could be a foreign nation, sources said.

Mass amounts of location data appear to have been siphoned off by a third party who may have control of entire cell phone towers in the area, according to information obtained by the Free Beacon. This information was compiled by a program that monitors cell towers for anomalies supported by DHS and ESD America and known as ESD Overwatch.

Cell phone information gathered by the program shows major anomalies in the D.C.-area indicating that a third-party is tracking en-masse a large number of cellphones. Such a tactic could be used to clone phones, introduce malware to facilitate spying, and track government phones being used by officials in the area.

“The attack was first seen in D.C. but was later seen on other sensors across the USA,” according to one source familiar with the situation. “A sensor located close to the White House and another over near the Pentagon have been part of those that have seen this tracking.”

The data gathered by the ESD Overwatch program indicates the U.S. cell carrier has experienced “unlawful access to their network for the purpose of large scale subscriber tracking,” according to a report prepared by ESD Overwatch, a contractor working on behalf of DHS, and viewed by the Free Beacon.

Information gathered by the program shows a massive uptick in efforts to identify and track cellphones. The third-party hacker appears to be identifying phones as they connect with local cellphone towers and recording this information.

This method of hacking could permit a malicious actor to track an individual’s cellphone and pinpoint phones that may be of importance, such as government entities.

The cellular network involved in the attack is being abused in order to track phones subscribed to the carrier, according to one source familiar with the situation.

DHS’s Office of Public Affairs confirmed that the ESD Overwatch program has been operating under a 90-day pilot program that began Jan. 18. Before the surveillance program was initiated the federal government did not have a method to detect intrusions of the nature seen over the past several months.

The attack on this network is still underway, according to sources monitoring the situation.

An official with ESD Overwatch acknowledged the existence of the DHS program, but would not comment further on the matter.

The issue of cellphone vulnerabilities has been a top concern in Congress, where lawmakers petitioned DHS on Wednesday to outline steps the government is taking to prevent foreign governments from performing the type of attacks observed by Overwatch.

“For several years, cyber security experts have repeatedly warned that U.S. cellular communications networks are vulnerable to surveillance by foreign governments, hackers, and criminals exploiting vulnerabilities in Signaling System 7,” which is used by cellular phones and text messaging applications, according to a letter set by Sen. Ron Wyden (D., Ore.) and Rep. Ted Lieu (D., Calif.).

“U.S. cellular phones can be tracked, tapped, and hacked—by adversaries thousands of miles away—through SS7-enabled surveillance,” the lawmakers write. “We are deeply concerned that the security of America’s telecommunications infrastructure is not getting the attention it deserves.”

“We suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones,” the lawmakers write.

Concerns continue to mount that the government is not adequately taking steps to secure cellular networks.

The lawmakers request that DHS outline specific steps being taken to insulate networks from attacks and ensure that U.S. cell carriers are doing the same.

 

Gen. Flynn Worked for Several Russian Companies

Posted on by

 Image result for general flynn

WSJ: President Trump’s former national security adviser, Mike Flynn, was paid tens of thousands of dollars by Russian companies shortly before he became a formal adviser to the then-candidate, according to documents obtained by a congressional oversight committee that revealed business interests that hadn’t been previously known.

Mr. Flynn was paid $11,250 each by a Russian air cargo company that had been suspended as a vendor to the United Nations following a corruption scandal, and by a Russian cybersecurity company that was then trying to expand its business with the U.S. government, according to the documents, which were reviewed by The Wall Street Journal.

The speaking engagements took place in the summer and fall of 2015, a year after Mr. Flynn had been fired as the director of the Defense Intelligence Agency and while he continued to maintain a top-secret level security clearance.

In December 2015, the Kremlin-backed news organization RT also paid Mr. Flynn $33,750 to speak about U.S. foreign policy and intelligence matters at a conference in Moscow.

In February 2016, Mr. Flynn became an official adviser to the presidential campaign of Donald Trump, who at the time was taking a softer stance toward Moscow than his Republican rivals.

Mike Flynn resigned Monday as Trump’s national security adviser. He came under fire for making conflicting statements on whether he discussed sanctions with a Russian official before the president’s inauguration. Photo: Reuters (Originally published Feb., 14, 2017)

Price Floyd, a spokesman for Mr. Flynn, said he reported his RT appearance to the Defense Intelligence Agency, as required. Mr. Floyd didn’t immediately respond to questions about the other fees.

The new details about Mr. Flynn’s speaking engagements are contained in emails and documents provided to congress by his speaker’s bureau, Leading Authorities, and shed light on a continuing inquiry into Mr. Flynn’s and other Trump associates’ ties to Moscow.

On Monday, FBI Director James Comey and other current and former U.S. officials are scheduled to testify about possible Russian interference in the 2016 presidential election before a congressional committee that is also probing Trump associates’ ties to Russia.

Attorney General Jeff Sessions has recused himself from any investigation related to the 2016 presidential campaign after he failed to disclose the extent of his own contacts with the Russian ambassador to the U.S., Sergei Kislyak.

Mr. Flynn resigned under pressure in February after he failed to tell White House officials about phone calls he had with Mr. Kislyak, in which the two discussed the potential lifting of U.S. sanctions on Russia, according to U.S. officials familiar with the contents of the conversations.

While the documents from Mr. Flynn’s speaker’s bureau provide the most detail to date on his business dealings with Russia, they don’t show what other work he may have been doing outside his role as a paid speaker. Mr. Flynn commanded high fees for speaking on the state of global security and talking about his role as one of the most senior intelligence officials in the Obama administration.

Mr. Flynn was removed from his post as DIA chief after complaints of poor management and organization, not because of a policy dispute, according to people who worked with him at the time.

Last week, Mr. Flynn filed papers with the Justice Department disclosing that his firm was paid $530,000 to work in the U.S. on behalf of the interests of the Turkish government. Mr. Flynn had performed those services while he was advising Mr. Trump, then a presidential candidate.

Little additional information has become public about other clients the former military intelligence chief’s private consulting firm, Flynn Intel Group, may have had before the retired general’s appointment as national security adviser.

In a letter sent Thursday by Rep. Elijah Cummings (D., Md.) to Mr. Trump, Defense Secretary Jim Mattis and Mr. Comey, Mr. Cummings wrote that by taking the RT speaking fee, Mr. Flynn had “accepted funds from an instrument of the Russian government.”

Mr. Cummings, the top Democrat on the House Oversight and Government Reform Committee, pointed to a Central Intelligence Agency analysis written in 2012, while Mr. Flynn was running the DIA, that said RT was “created and financed by the Russian government,” which spent hundreds of millions of dollars a year to help the network create and disseminate programming that is broadcast in English around the world, including in the U.S.

Mr. Cummings said that by taking the fee, Mr. Flynn had violated the emoluments clause of the Constitution, which prohibits people in public office from accepting money from foreign governments. Some analysts have said this prohibition may apply to retired officers as well, because they could be recalled to service.

“I cannot recall anytime in our nation’s history when the president selected as his national security adviser someone who violated the Constitution by accepting tens of thousands of dollars from an agent of a global adversary that attacked our democracy,” Mr. Cummings wrote.

Though Mr. Flynn’s RT appearance had been reported, the documents provided new details about how he came to speak at the RT conference in December 2015, an event marking the network’s 10th anniversary.

While Mr. Flynn’s speakers’ bureau acted as a middleman, email communications indicate that RT sought to orchestrate the event and the content of his remarks.

“Using your expertise as an intelligence professional, we’d like you to talk about the decision-making process in the White House—and the role of the intelligence community in it,” an official from RT TV-Russia wrote in an email on Nov. 20, 2015, the month before Mr. Flynn’s appearance in Moscow.

In an earlier email in October, an RT official described the event as a networking opportunity for Mr. Flynn and an occasion to meet “political influencers from Russia and around the world.” At a gala dinner during the event, Mr. Flynn sat at the head table next to Russian President Vladimir Putin.

“It was something of a surprise to see General Flynn there,” said Ray McGovern, a former CIA officer and political activist who also attended.

Before the dinner, Mr. Flynn gave an interview on stage with an RT correspondent and chastised the Obama administration for objecting to Russia’s intervention in Syria.

“The United States can’t sit there and say, ‘Russia, you’re bad,’” Mr. Flynn said, according to a video of the interview, noting that both countries had shared global interests and were “in a marriage, whether we like it or not.” The countries should “stop acting like two bullies in a playground” and “quit acting immature with each other,” Mr. Flynn said.

Mr. Flynn attended with his son, Michael Flynn Jr., who worked as the chief of staff to his consulting firm. Records show that RT paid for travel and lodging expenses for both Flynns, including business-class airfare, accommodations at Moscow’s Hotel Metropol, and meals and incidental expenses while in Russia.

Mr. Putin entered the dinner late with two body guards, Mr. McGovern said. He waved and took his seat at the table, where he remained for about 20 minutes. After a fifteen-minute speech, Mr. Putin sat down, listened to a performance by the Russian Army chorus and then left, Mr. McGovern said.

It isn’t clear what Mr. Flynn said during speeches to the other two companies, computer security firm Kaspersky and Russian airliner Volga-Dnepr.

Mr. Flynn appears to have to spoken to Kaspersky at a conference the company sponsored in Washington, D.C., in October 2015. It wasn’t clear where Mr. Flynn spoke to Volga-Dnepr, but records from his speaker’s bureau show the engagement took place on August 19, 2015.

Kaspersky sponsors a number of events world-wide and in recent years has been trying to expand its business in the U.S., looking to supply government clients with antivirus products for industrial control systems.

Kaspersky said in a statement that its U.S. subsidiary paid Mr. Flynn a speaker fee for remarks at the 2015 Government Cyber Security Forum in Washington, D.C.

“As a private company, Kaspersky Lab has no ties to any government, but the company is proud to collaborate with the authorities of many countries, as well as international law enforcement agencies in the fight against cybercrime,” the company said.

Volga-Dnepr didn’t respond to a request for comment. The Russian cargo air firm is known for operating one of the largest military transport aircraft in the world, the An-124, which the U.S. has contracted in the past to lift military equipment, including Russian helicopters, into Afghanistan. The plane has a larger capacity than the U.S. military’s biggest cargo plane.

***

In part from Associated Press: Flynn’s sparkling military resume had included key assignments at home and abroad, and high praise from superiors.

The son of an Army veteran of World War II and the Korean war, Flynn was commissioned as a second lieutenant in May 1981 after graduating from the University of Rhode Island. He started in intelligence, eventually commanding military intelligence units at the battalion and then brigade level. In the early years of the Iraq war, he was intelligence chief for Joint Special Operations Command, the organization in charge of secret commando units like SEAL Team 6 and Delta Force. He then led intelligence efforts for all U.S. military operations in the Middle East and then took up the top intelligence post on the Joint Staff in the Pentagon.

Ian McCulloh, a Johns Hopkins data science specialist, became an admirer of Flynn while working as an Army lieutenant colonel in Afghanistan in 2009. At the time, Flynn ran intelligence for the U.S.-led international coalition in Kabul and was pushing for more creative approaches to targeting Taliban networks, including use of data mining and social network analysis, according to McCulloh.

“He was pushing for us to think out of the box and try to leverage technology better and innovate,” McCulloh said, crediting Flynn for improving the effectiveness of U.S. targeting. “A lot of people didn’t like it because it was different.”

It was typical of the determined, though divisive, approach Flynn would adopt at the Defense Intelligence Agency, which provides military intelligence to commanders and defense policymakers. There, he quickly acquired a reputation as a disruptive force. While some applauded Flynn with forcing a tradition-bound bureaucracy to abandon old habits and seek out new, more effective ways of collecting and analyzing intelligence useful in the fight against extremist groups, others saw his efforts as erratic and his style as prone to grandstanding.

In the spring of 2014, after less than two years on the job, he was told to pack his bags.

According to Flynn’s telling, it was his no-nonsense approach to fighting Islamic extremist groups that caused the rift.

A former senior Obama administration official who was consulted during the deliberations disputed that account. Flynn was relieved of his post for insubordination after failing to follow guidance from superiors, including James Clapper, Obama’s director of national intelligence, said the official, who asked for anonymity to discuss personnel matters.

Plunged into civilian life for the first time in 33 years, Flynn moved quickly to capitalize on his military and intelligence world connections and experience. He did so in an unorthodox way.

“I didn’t walk out like a lot of guys and go to big jobs in Northrup Grumman or Booz Allen or some of these other big companies,” Flynn told Foreign Policy magazine in 2015.

Instead, he opened his own consulting firm, Flynn Intelligence Group, in Alexandria, Va. He brought in his son, Michael G. Flynn as a top aide, and began assembling a crew of former armed forces veterans with expertise in cyber, logistics and surveillance, and sought out ties with lesser-known figures and companies trying to expand their profiles as contractors in the military and intelligence spheres.

One “team” member listed on the firm’s site was James Woolsey, President Bill Clinton’s former CIA director. Woolsey briefly joined Flynn on Trump’s transition team as a senior adviser, but quit in January. Another was lobbyist Robert Kelley.

Kelley proved a central player in the Flynn Group’s decision to help a Turkish businessman tied to Turkey’s government. At the same time that Flynn was advising Trump on national security matters, Kelley was lobbying legislators on behalf of businessman Ekim Alptekin’s firm between mid-September and December last year, lobbying documents show.

It was an odd match. Flynn has stirred controversy with dire warnings about Islam, calling it a “political ideology” that “definitely hides behind being a religion” and accusing Obama of preventing the U.S. from “discrediting” radical Islam. But his alarms apparently didn’t extend to Turkish President Recep Tayyip Erdogan’s government as it cracked down on dissent and jailed thousands of opponents after a failed coup last summer. Erdogan’s power base is among Turkey’s conservative Muslim voters and many affected by his crackdown are secularists. More here.

Russian FSB Officers Charged in Yahoo Hack and More

Posted on by
 NBC, Washington

Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.

In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.” More here from NYT’s.

U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts

FSB Officers Protected, Directed, Facilitated and Paid Criminal Hackers

Image result for Dmitry Aleksandrovich Dokuchaev Image result for Igor Anatolyevich Sushchin Image result for Alexsey Alexseyevich Belan

Image result for Karim Akehmet Tokbergenov Karim Taloverov, arrested in Canada

A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts. The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian and Kazakh national and a resident of Canada.

The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.

The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the FBI, Acting Assistant Attorney General Mary McCord of the National Security Division, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Sessions. “But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

“Today we continue to pierce the veil of anonymity surrounding cyber crimes,” said Director Comey. “We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests.”

“ The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General McCord. “Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of their users.”

“This is a highly complicated investigation of a very complex threat. It underscores the value of early, proactive engagement and cooperation between the private sector and the government,” said Executive Assistant Director Abbate. “The FBI will continue to work relentlessly with our private sector and international partners to identify those who conduct cyber-attacks against our citizens and our nation, expose them and hold them accountable under the law, no matter where they attempt to hide.”

“Silicon Valley’s computer infrastructure provides the means by which people around the world communicate with each other in their business and personal lives. The privacy and security of those communications must be governed by the rule of law, not by the whim of criminal hackers and those who employ them. People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise. We will not tolerate unauthorized and illegal intrusions into the Silicon Valley computer infrastructure upon which both private citizens and the global economy rely,” said U.S. Attorney Stretch. “Working closely with Yahoo and Google, Department of Justice lawyers and the FBI were able to identify and expose the hackers responsible for the conduct described today, without unduly intruding into the privacy of the accounts that were stolen. We commend Yahoo and Google for providing exemplary cooperation while zealously protecting their users’ privacy.”

Summary of Allegations

According to the allegations of the Indictment:

The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.

Belan had been publicly indicted in September 2012 and June 2013 and was named one of FBI’s Cyber Most Wanted criminals in November 2013. An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013. Belan was arrested in a European country on a request from the U.S. in June 2013, but he was able to escape to Russia before he could be extradited.

Instead of acting on the U.S. government’s Red Notice and detaining Belan after his return, Dokuchaev and Sushchin subsequently used him to gain unauthorized access to Yahoo’s network. In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.

Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.

Some victim accounts were of predictable interest to the FSB, a foreign intelligence and law enforcement service, such as personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. However, other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, U.S. financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a U.S. airline.

 

During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers. Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.

 

When Dokuchaev and Sushchin learned that a target of interest had accounts at webmail providers other than Yahoo, including through information obtained as part of the Yahoo intrusion, they tasked their co-conspirator, Baratov, a resident of Canada, with obtaining unauthorized access to more than 80 accounts in exchange for commissions. On March 7, the Department of Justice submitted a provisional arrest warrant to Canadian law enforcement authorities, requesting Baratov’s arrest. On March 14, Baratov was arrested in Canada and the matter is now pending with the Canadian authorities.

 

An indictment is merely an accusation, and a defendant is presumed innocent unless proven guilty in a court of law.

 

The FBI, led by the San Francisco Field Office, conducted the investigation that resulted in the charges announced today. The case is being prosecuted by the U.S. Department of Justice National Security Division’s Counterintelligence and Export Control Section and the U.S. Attorney’s Office for the Northern District of California, with support from the Justice Department’s Office of International Affairs.

Defendants: At all times relevant to the charges, the Indictment alleges as follows:

    • Dmitry Aleksandrovich Dokuchaev, 33, was an officer in the FSB Center for Information Security, aka “Center 18.” Dokuchaev was a Russian national and resident.
    • Igor Anatolyevich Sushchin, 43, was an FSB officer, a superior to Dokuchaev within the FSB, and a Russian national and resident. Sushchin was embedded as a purported employee and Head of Information Security at a Russian investment bank.
    • Alexsey Alexseyevich Belan, aka “Magg,” 29, was born in Latvia and is a Russian national and resident. U.S. Federal grand juries have indicted Belan twice before, in 2012 and 2013, for computer fraud and abuse, access device fraud and aggravated identity theft involving three U.S.-based e-commerce companies and the FBI placed Belan on its “Cyber Most Wanted” list.  Belan is currently the subject of a pending “Red Notice” requesting that Interpol member nations (including Russia) arrest him pending extradition. Belan was also one of two criminal hackers named by President Barack Obama on Dec. 29, 2016, pursuant to Executive Order 13694, as a Specially Designated National subject to sanctions.
    • Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22. He is a Canadian and Kazakh national and a resident of Canada.

Victims: Yahoo; more than 500 million Yahoo accounts for which account information about was stolen by the defendants; more than 30 million Yahoo accounts for which account contents were accessed without authorization to facilitate a spam campaign; and at least 18 additional users at other webmail providers whose accounts were accessed without authorization.

 

Time Period: As alleged in the Indictment, the conspiracy began at least as early as 2014 and, even though the conspirators lost their access to Yahoo’s networks in September 2016, they continued to utilize information stolen from the intrusion up to and including at least December 2016.

 

Crimes:

Count(s) Defendant(s) Charge Statute                 18 U.S.C. Conduct Maximum Penalty
1 All Conspiring to commit computer fraud and abuse § 1030(b) Defendants conspired to hack into the computers of Yahoo and accounts maintained by Yahoo, Google and other providers to steal information from them.

 

First, Belan gained access to Yahoo’s servers and stole information that allowed him, Dokuchaev, and Sushchin to gain unauthorized access to individual Yahoo user accounts.

Then, Dokuchaev and Sushchin tasked Baratov with gaining access to individual user accounts at Google and other Providers (but not Yahoo) and paid Baratov for providing them with the account passwords. In some instances, Dokuchaev and Sushchin tasked Baratov with targeting accounts that they learned of through access to Yahoo’s UDB and AMT (e.g., Gmail accounts that served as a Yahoo user’s secondary account).

 10 years
2 Dokuchaev

Sushchin

Belan

 Conspiring to engage in economic espionage § 1831(a)(5) Starting on Nov. 4, 2014, Belan stole, and the defendants thereafter transferred, received and possessed the following Yahoo trade secrets:

  • the Yahoo UDB, which was proprietary and confidential Yahoo technology and information, including subscriber names, secondary accounts, phone numbers, challenge questions and answers;
  • the AMT, Yahoo’s interface to the UDB; and
  • Yahoo’s cookie “minting” source code, which enabled the defendants to manufacture account cookies to then gain access to individual Yahoo user accounts.
 15 years
3 Dokuchaev

Sushchin

Belan

 Conspiring to engage in theft of trade secrets § 1832(a)(5) See Count 2 10 years
4-6 Dokuchaev

Sushchin

Belan

 Economic espionage §§ 1831(a)(1), (a)(4), and 2 See Count 2 15 years (each count)
7-9 Dokuchaev

Sushchin

Belan

 Theft of trade secrets §§ 1832(a)(1), and 2 See Count 2 10 years (each count)
10 Dokuchaev

Sushchin

Belan

 Conspiring to commit wire fraud § 1349 The defendants fraudulently schemed to gain unauthorized access to Yahoo’s network through compromised Yahoo employee accounts and then used the Yahoo trade secrets to gain unauthorized access to valuable non-public information in individual Yahoo user accounts. 20 years
11-13 Dokuchaev

Sushchin

Belan

 Accessing (or attempting to access) a computer without authorization to obtain information for the purpose of commercial advantage and private financial gain. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2 The defendants gained unauthorized access to Yahoo’s corporate network and obtained information regarding Yahoo’s network architecture and the UDB. 5 years

(each count)
14-17 Dokuchaev

Sushchin

Belan

 Transmitting code with the intent to cause damage to computers. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2 During the course of their unauthorized access to Yahoo’s network, the defendants transmitted code on Yahoo’s network in order to maintain a persistent presence, to redirect Yahoo search engine users and to mint cookies for individual Yahoo accounts. 10 years (each count)
18-24 Dokuchaev

Sushchin

Belan

 Accessing (or attempting to access) a computer without authorization to obtain information for the purpose of commercial advantage and private financial gain. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2 Defendants obtained unauthorized access to individual Yahoo user accounts. 5 years

(each count)
25-36 Dokuchaev

Sushchin

Belan

 Counterfeit access device fraud §§ 1029(a)(1), 1029(b)(1), and 2 Defendants used minted cookies to gain unauthorized access to individual Yahoo user accounts. 10 years (each count)
37 Dokuchaev

Sushchin

Belan

 Counterfeit access device making equipment §§ 1029(a)(4) Defendants used software to mint cookies for unauthorized access to individual Yahoo user accounts. 15 years
38 Dokuchaev

Sushchin

Baratov

 Conspiring to commit access device fraud §§ 1029(b)(2) Defendants Dokuchaev and Sushchin tasked Baratov with gaining unauthorized access to individual user accounts at Google and other Providers and then paid Baratov for providing them with the account passwords. In some instances, Dokuchaev and Sushchin tasked Baratov with targeting accounts that they learned of through access to Yahoo’s UDB and AMT (e.g., Gmail accounts that served as a Yahoo user’s secondary account). 7 ½ years.
39 Dokuchaev

Sushchin

Baratov

 Conspiring to commit wire fraud § 1349 See Count 38 20 years
40-47 Dokuchaev

Baratov

 Aggravated identity theft § 1028A(a)(1) See Count 38 2 years

Dmitri Dokuchae et al Indictment Redacted

17-278

National Security Division (NSD)

USAO – California, Northern

Topic:

Counterintelligence and Export Control

Updated March 15, 2017