Russia’s Response to the West, Cyber War

The Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the United Kingdom’s (UK) National Cyber Security Centre (NCSC) released a joint Technical Alert (TA) about malicious cyber activity carried out by the Russian Government. The U.S. Government refers to malicious cyber activity by the Russian government as GRIZZLY STEPPE.

NCCIC encourages users and administrators to review the GRIZZLY STEPPE – Russian Malicious Cyber Activity page, which links to TA18-106A – Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, for more information.

Senator Tom Cotton: Our nation’s communications networks benefit us in ways unimaginable at the start of the digital age.  But a potential danger lurks: hidden “backdoors” in network equipment.  A hostile foreign power could use these backdoors to spy on Americans or attack our critical infrastructure by injecting viruses or launching denial-of-service attacks.  These backdoors can be designed into routers, switches, and virtually any other type of telecommunications equipment that, together, make up our networks.

This highlights the importance of our networks’ supply chain—that is, the process by which telecommunications equipment is manufactured, sold, distributed, and installed.  Whether the threat involves hacking into our nation’s communications networks or conducting industrial or political espionage at the behest of a foreign government, the integrity of the supply chain has worried U.S. government officials for years.

In 2012, the House Permanent Select Committee on Intelligence released a bipartisan report on the national security threats posed by certain foreign manufacturers.  This past year, Congress barred the Department of Defense from buying certain equipment and services from Chinese companies Huawei and ZTE on account of concerns about those companies’ connections to that country’s government.  And Congress recently banned all federal agencies from using products or services made by Kaspersky Lab, a company with alleged ties to the Russian government.

But the supply-chain threat persists.  Just this February, FBI Director Christopher Wray testified about “the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks.”  These risks include the ability to “maliciously modify or steal information” and “conduct undetected espionage.”  As the supply chain for our networks increasingly stretches beyond U.S. borders, this danger has become all too real.

Given the national security risks, we believe it’s time for more concerted federal action.  Among other things, that means making sure that our government doesn’t make the problem worse by spending the American people’s money on products and services from any company that poses a national security threat to our communications networks.

The Federal Communications Commission is a good place to start.  It regulates America’s communications networks.  And it administers the Universal Service Fund, an almost $9 billion-per-year program designed to ensure that all Americans have access to phone and broadband services.  The money in the Fund comes from fees paid by the American people on their phone bills.  About $4.7 billion annually is spent expanding high-speed Internet access in rural communities; $2.7 billion helps connect schools and libraries to the Internet; $1.3 billion assists in making phone and broadband services more affordable to low-income Americans; and about $300 million supports communications services for rural health-care facilities.  These are important programs.  But there’s no reason one dime of this funding should go to suppliers that raise national security concerns.  There are plenty of other providers we can use to help bridge the digital divide.

That’s why the FCC will vote on April 17 on Chairman Pai’s recent proposal to bar the use of universal service funding to buy equipment or services from any company that poses a national security threat to the integrity of our communications networks or the communications supply chain.  If approved, the proposal would also seek public input on how we should identify suspect firms and which types of telecommunications equipment or services should fall within the prohibition.  Everyone concerned about this issue will have a chance to weigh in.

Bottom line:  We’re committed to protecting our national security, and this proposal is a prudent step to accomplish that goal.  The FCC, Congress, and all government agencies must work together to safeguard the integrity of our communications supply chain.  We strongly urge the full Commission to approve this proposal and for other agencies to follow the lead.

Cyberwar: The new Forever Battle, Indicators of Compromise

The United States is in the midst of the most resounding policy shift on cyber conflict, one with profound implications for national security and the future of the internet. The just-released U.S. Cyber Command “vision” accurately diagnoses the current state of cyber conflict and outlines an appropriate new operational model for the command: since cyber forces are in “persistent engagement” with one another, U.S. Cyber Command must dive into the fight, actively contesting adversaries farther forward and with more agility and operational partnerships.

The vision, however, ignores many of the risks and how best to address them. Most importantly, the vision does not even recognize the risk that more active defense – in systems and networks in other, potentially friendly nations – pursued persistently, year after year, might not work and significantly increases the chances and consequences of miscalculations and mistakes. Even if they are stabilizing, such actions may be incompatible with the larger U.S. goals of an open and free Internet. More here, including the critique of the report.

*** Meanwhile, we know all too well about Russia’s and China’s cyber espionage, yet when proof surfaces, obtained by hacking into their own documents, both countries begin another round of denials. And Trump invited Putin to a bilateral meeting at the White House? Any bilateral meeting should take place outside the United States, in a neutral location like Vanuatu or the Canary Islands….

TheTimes: Russian attempts to fuel dissent and spread disinformation have been exposed by a cache of leaked documents that show what the Kremlin is prepared to pay for hacking, propaganda and rent-a-mob rallies.

Hacked emails sent by Moscow-linked figures outline a dirty-tricks campaign in Ukraine, which was invaded on the orders of President Putin in 2014. Experts said that they exposed the dangers faced by Britain and its allies because Russia used the same weapons of disinformation, bribery and distortion to attack the West.

Bob Seely, a Tory MP and expert on Russian warfare, said his analysis of the leaks, which comprise thousands of emails and a password-protected document related to the conflict in Ukraine, revealed a “shopping list of subversion”.

“There is overwhelming evidence that the tools and techniques of Russian covert conflict are being used in and against the UK, the US and the EU,” he added. “In the wake of the Skripal poisoning it’s more important than ever that we understand these methods.”

The cost and extent of tactics were disclosed in a third tranche of the so-called Surkov leaks, named after Vladislav Surkov, a Kremlin spin-master said by some to be Mr Putin’s Rasputin.

Two previous tranches, published online by Ukrainian Cyber Alliance, a hacker activist collective, were said to include emails from an account linked to Mr Surkov. He has been closely involved with the management of Donetsk and Luhansk People’s Republics, two Russian-controlled “statelets” in Ukraine established by pro-Moscow separatists.

The latest publication appears to contain emails found in accounts linked to Inal Ardzinba, Mr Surkov’s first deputy, and to a Ukrainian Communist party leader. They suggest that the Kremlin paid local groups and individuals in Ukraine that were willing to advance its aim to fracture the country.

One set of correspondence from October 2014, which appears to have been sent by a Russian politician to Mr Ardzinba, contained proposals to fund cyberoperations, including hacking email accounts for between $100 and $300. A wider plan to “troll opponents”, “demotivate enemies” on social media, and amass the personal data of targeted individuals in Ukraine’s second largest city, Kharkiv, was priced at $130,500.

The Russian foreign ministry has denied in the past that Mr Ardzinba has had anything to do with propaganda in Ukraine. According to Mr Seely, the leaks appear to reveal plans to plant new historical and philosophical ideas. The emails also include an event and two books that would claim that an area of Ukraine had Russian heritage.

Other proposals included the orchestration of anti-Ukraine, pro-Russia rallies. These involved the transport of “sportsmen” trained in martial arts to agitate at the rallies, bribes to local media to feature the protests and bribes to police to turn a blind eye. A month of rallies in Kharkiv was priced at $19,200. It included 100 participants, three organisers and two lawyers. It is unclear if the rallies took place, though others orchestrated by the Kremlin did happen, the research said. Moves to get 30 ex-communist figures elected to local government were floated in June 2015, at $120,460, the leaks said.

The Kremlin has claimed in the past that the Surkov leaks are fabricated and in the information war between Ukraine and Russia falsehoods may have been planted. However, the authors of correspondence in the first two tranches confirmed their authenticity. They were supported by the Atlantic Council, an international affairs think tank, after an analysis of metadata.

In their analysis of the third tranche, Mr Seely and his co-researcher Alya Shandra, managing editor of an English-language Ukrainian news website, say the leaks are “very likely to be authentic”. Ms Shandra and Mr Seely plan to publish their report with the Royal United Services Institute.

Peter Quentin, a research fellow at the Royal United Services Institute, said: “There is no reason to believe these leaks are any less credible than the previous tranches. This third tranche certainly seems to fit with the trend of well-documented subversion by Russian activists in the region.”

Schiff Never Complained when Obama Normalized Relations with Putin

Remember, under the Obama administration, rogue nations such as Iran and Cuba were placed as among the world’s good actors. Hillary went to Russia with a ‘reset button’ and gave Moscow more authority and power in regions of major conflict. Yet it is Congressman Adam Schiff and his friendly democrat friends that are continuing to whine about Trump’s interactions with Russia or Russians.

So, Obama set the table on the friendly approach to Medvedev and Putin and Russian aggression around the world has more than threatened equilibrium, it is deadly.

Have you wondered why Bashar al-Assad has not been brought before a global tribunal for war crimes?

UNITED NATIONS – Russia and China on Thursday vetoed a U.N. Security Council resolution referring the Syrian crisis to the International Criminal Court for investigation of possible war crimes, prompting angry responses from the proposal’s supporters who said the two countries should be ashamed.

This is the fourth time Russia and China have used their veto power as permanent council members to deflect action against the government of President Bashar Assad. The 13 other council members voted in favor of the resolution.

More than 60 countries signed on to support the French-drafted measure, in a dramatic demonstration of international backing for justice in the conflict which has sent millions fleeing and killed more than 160,000, according to activists. More here.

*** That is right, Russia has veto power as a permanent member of the Security Council, and it has used that veto repeatedly since 2011 to shield Assad. Does it even make sense that Russia sits on the Security Council in the first place? Nope…

As the United States continues to fight against the Taliban in Afghanistan, who has been supplying the Taliban with weapons? Yup…Russia. You see, Russia has training operations with real fighting equipment and when the training is complete, they leave the high tech equipment behind and tell the Taliban to come get it.

Did Adam Schiff or Maxine Waters get on TV and demand impeachment over Obama’s relationship with Moscow? Nah….

While not a fan of MSNBC at all, Richard Engel nevertheless did an exceptional reporting piece on Putin, including who else was to be assassinated by poison, among them Christopher Steele of the Trump dossier.

So, in solidarity with Britain, the Trump administration took aggressive action in expelling dozens of Russian diplomats (read: spies), as did more than two dozen other countries. Trump also closed the Russian diplomatic post in Seattle. What was going on there was terrifying, and it is questionable why Obama did not order it closed in December of 2016. Read below for what the FBI knew and yet was unable to act on because of the Obama White House.

Among the 27 countries that have retaliated for what is believed to be a Kremlin-ordered chemical-weapon attack on an ex-Russian intelligence officer and his daughter in Britain earlier this month, the United States took by far the most dramatic steps: ousting 60 diplomats in total, including 15 suspected intelligence operatives based at Russia’s United Nations Mission alone—the most significant action of its type since the Reagan administration. (The move prompted Russia, on Thursday, to announce the expulsion of 60 U.S. diplomats and the closure of the U.S. consulate in Saint Petersburg.) But it was the Trump administration’s announcement of the shuttering of Russia’s consulate in Seattle that turned heads. Why Seattle? What was going on there? Would the closure matter?

While Seattle is an important city for Russian intelligence collection efforts domestically, its consulate’s profile has generally been quieter than San Francisco’s or New York’s, according to two former U.S. intelligence officials who asked to remain anonymous but have knowledge of Russian activities in these areas. But the closure of the consulate is noteworthy nonetheless: Along with the administration’s shuttering of the San Francisco consulate in 2017, Russia will now lack a diplomatic facility west of Houston, or any diplomatic presence on the West Coast for the first time since 1971. Russian intelligence officers—at least those under diplomatic cover—will no longer operate in easy proximity to America’s two great tech capitals. Indeed, at least in Seattle, suspected Russia spies have already been caught attempting to infiltrate local tech companies.

“Certainly, there were enough issues that were important to the Russians in Seattle—the naval bases, Microsoft, Boeing, Amazon,” says John Sipher, a former CIA officer who worked closely with the FBI on counterespionage issues. “There was always nervousness within the national security agencies that the sheer number of ethnic Russians in these industries was something the Russians could take advantage of. I don’t know if closing Seattle was a strategic choice; nonetheless, the concentration of high-tech and military resources makes it a sensible target.”

After the closure of the Russian consulate in San Francisco, former senior U.S. intel officials told me that facility had, for decades, functioned as the primary hub for Russian intelligence-gathering in the Western United States. It featured key classified communications systems, and was a crucial collection center in Russia’s long-running effort to map out America’s fiber-optic cable network.

One of the two anonymous former intelligence officials I spoke with called Seattle a top-five U.S. city for Russian counterintelligence work, but a “smaller operation” than San Francisco. Seattle did not have the same type of communications facilities as San Francisco, the two former officials said. In fact, Russian diplomats used to regularly drive a van with protected diplomatic information from San Francisco to Seattle, said a second official, though the frequency of those trips decreased over time, when U.S. officials suspected the Russians had begun to move their communications to encrypted channels online.

Still, the Seattle area has some rich espionage targets. Firms like Boeing and Microsoft have long been of interest to Russian operatives, the former intel officials said. So have the many military bases in the area, including, pre-eminently, Naval Base Kitsap, located just across the Puget Sound from Seattle and home to eight nuclear-armed submarines. Administration officials have openly cited the Seattle consulate’s proximity to Boeing, and sensitive military bases, as reasons for its closure.

Because there is a seven-hour float from Kitsap to these nuclear-armed submarines’ dive point, the two former officials said, there are numerous opportunities to track the subs’ movements—a longstanding concern for U.S. intelligence and military officials. Knowing when a submarine is headed out to sea or how many submarines are running patrols at a given time, and potentially identifying new technologies on these vessels, are all valuable pieces of intelligence, these officials said. Moreover, U.S. intel officials have worried that in a worst-case-scenario—actual armed hostilities between the two countries—information gleaned from Russian operatives in the Pacific Northwest could be used to identify “choke points.” For instance, they might know the ideal places to fire a rocket-propelled grenade at a fishing boat in a narrow channel, which could prevent military vessels from deploying.

In the past, suspected intel operatives based at Russia’s Seattle consulate were observed engaging in the same sorts of behavior as their counterparts in San Francisco, the two former intel officials said, including tracking down potential fiber-optic nodes (as part of Russia’s long-term effort to map where data were being transferred), or Cold War-era intelligence-collection sites, in Northwestern forests. U.S. officials also believed Russian operatives were traveling to remote beaches in the area in order to “signal,” or cryptically transmit and receive data, with interlocutors offshore. (There was a specific beach in Oregon these individuals would favor, the two former officials said.)

More recently, however, these activities appeared to die down, these individuals said, an event one of the former intel officials attributes to Edward Snowden’s 2013 disclosures, which some in the intelligence community believe led Russia to overhaul its strategies for domestic intelligence-gathering. Generally, this person said, Seattle seemed like a “proving ground” for junior Russian intelligence officers, a place to send less-experienced operatives to acclimate them to the United States. After Snowden, U.S. intel officials started seeing more “travelers” in the Seattle area—suspected intelligence operatives working under both diplomatic and nonofficial cover—flying in remotely to meet with individuals, the two former officials said.

The biggest Russia-related concern in Seattle was “cyber-related activities,” which were separate from the consulate, the two former officials said—including those of the local Kaspersky Labs affiliate. In July 2017, U.S. officials banned Moscow-based Kaspersky, which produces anti-virus software, from being used on any government computers, over fears about the company’s connections to Russian intelligence. U.S. counterintelligence officials were concerned that Kaspersky was being used as a tool for Russian covert communications, the two former officials said, and were also examining whether individuals affiliated with Kaspersky were actually engaging in cyber-espionage domestically. “As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts,” a spokesperson for Kaspersky said. “The U.S. government actions against Kaspersky Lab lack sufficient basis, are unconstitutional, have been taken without any evidence of wrongdoing by the company, and rely upon subjective, non-technical public sources, such as uncorroborated and often anonymously sourced media reports, related claims, and rumors, which is why the company has challenged the validity of these actions in federal court.”

“Was Kaspersky looking at Microsoft or Boeing as opportunities to exploit? Was it just business development? Or were they actually engaged in trying to penetrate these enterprises?” asked one of the former officials. “The suspicions on Kaspersky have pretty much been borne out … when you look at the recent U.S. government decision, and what has been publicly reported on what the Israelis have been able to find out.” In 2017 the New York Times reported that Israeli intelligence had hacked into a Russian espionage operation, observing Russian operatives using back doors in Kaspersky software to scan for, and purloin, U.S. intelligence documents.

Russia’s interest in Microsoft is also well-documented. In 2010, U.S. officials deported Alexey Karetnikov, a 23-year-old Russian national, from the Seattle area, where he had been working at Microsoft as a software tester. U.S. officials believed he was actually a Russian intelligence officer, and linked him to the ring of 10 “illegals”—Russian deep-cover operatives who had been living in the United States—that U.S. officials had arrested and deported earlier that year. Two of those undercover operatives, Michael Zottoli and Patricia Mills (whose real names are Mikhail Kutsik and Natalia Pereverzeva), had lived in Seattle for years, even starting a family there. In Seattle, Kutsik worked at a telecommunications firm, and both operatives took finance classes at the University of Washington. In a 2017 article in Seattle Met Magazine, Kutsik and Pereverzeva’s former investments professor said he believed the Russians were interested in his class because many of his students went on to work for Amazon, Boeing or Microsoft. Kutsik, Pereverzeva and Karetnikov were not known to have been coordinating their activities with the Seattle consulate, one of the former officials said.

Even as Russian espionage continues to migrate outside consular facilities—to travelers, and individuals working locally under nonofficial cover—it is “no coincidence” that both shuttered diplomatic outposts were on the West Coast, said one of the former officials. No matter when—or if—these two consulates are reopened, Russian interest in the West Coast is likely to continue far into the foreseeable future.

Where is Adam Schiff now?

2 Russians May not Survive Poison, but What about Lesin’s Murder?

As of the time this article is published, the Kremlin is turning the blame for the attempted assassination in Britain onto the Brits themselves. There is overwhelming evidence that the poisoning was in fact carried out by thugs at the behest of Moscow.

Russia has denied any involvement in the attack and has said it suspects the British secret services of using the Novichok nerve agent, which was developed by the Soviet military, to frame Russia and stoke anti-Russian hysteria.

“We believe the Skripals first came into contact with the nerve agent from their front door,” said Dean Haydon, Britain’s senior national coordinator for counter terrorism policing. More here from Reuters.

Noisy Room has an excellent summary on Skripal and his daughter, who, sadly, are not expected to survive the Novichok assassination attempt. In part:

Sergei Skripal, 66, and his daughter, Yulia, are still hospitalized and are in critical condition in Britain after being exposed to the Russian nerve agent called novichok. Authorities now believe it was applied to their front door and that is how they came into contact with it. This is a military grade nerve agent that has no cure.

Skripal’s niece, Viktoria Skripal, told the BBC that the two have about a one percent chance of surviving. If they do, they will be crippled physically and mentally for the rest of their lives. The effects are debilitating and the pain continues to grow. It is prolonged torture until the victim succumbs and dies. She said the prognosis “really isn’t good.” The attack took place on March 4th in Salisbury. “Out of 99 percent, I have maybe 1 percent hope,” she said. “Whatever [nerve agent] was used, it has given them a very small chance of survival. But they’re going to be invalids for the rest of their lives.” More here.

*** But the United States is not without a successful assassination of its own, one that happened in Washington DC and that continues to look like a major cover-up. Further, the Obama administration did nothing to Moscow over the case.

BuzzFeed News has uncovered new information in its ongoing investigation into the strange death of Russia Today founder and Vladimir Putin’s former media czar Mikhail Lesin on Nov. 5, 2015, thanks – in part – to a report by Christopher Steele.

The [FBI] received his report while it was helping the Washington, DC, Metropolitan Police Department investigate the Russian media baron’s death, the sources said.

(…)

Now BuzzFeed News has established:

• Steele’s report says that Lesin was bludgeoned to death by enforcers working for an oligarch close to Putin, the four sources said.

• The thugs had been instructed to beat Lesin, not kill him, but they went too far, the sources said Steele wrote.

• Three of the sources said that the report described the killers as Russian state security agents moonlighting for the oligarch.

The Steele report is not the FBI’s only source for this account of Lesin’s death: Three other people, acting independently from Steele, said they also told the FBI that Lesin had been bludgeoned to death by enforcers working for the same oligarch named by Steele.

DC police said Lesin died from a series of drunken falls, which just happened to take place the evening before Lesin was scheduled to meet with U.S. Justice Department officials to discuss the inner workings of RT.

BuzzFeed News has been out front on the issue of questionable deaths under Putin’s regime, and in the wake of the poisoning of former spy Sergei Skripal and his daughter Yulia in Salisbury, England on March 4th, the British government says it is taking another look at 14 incidents BuzzFeed has flagged as suspicious.

Meanwhile, the way authorities claim Lesin died in a Dupont Circle hotel in the heart of Washington, DC defies logic.

“What I can tell you is that there isn’t a single person inside the bureau who believes this guy got drunk, fell down, and died,” an FBI agent told BuzzFeed News last year. “Everyone thinks he was whacked and that Putin or the Kremlin were behind it.”

In December, DC police released 58 pages of its case file on Lesin’s death. While many parts are blacked out, what was released says nothing about the blunt force injuries that killed Lesin — or even about him falling down, which is how he is supposed to have died.

(…)

For his report to the FBI about Lesin, Steele gathered intelligence from high-level sources in Moscow, according to the two sources who read the whole report.

All four of the people who read Steele’s report said it pins Lesin’s murder on a professional relationship gone lethally awry. According to the report, they said, Lesin fell out with a powerful oligarch close to Putin. Wanting to intimidate Lesin, the oligarch then contracted with Russian state security agents to beat up Lesin, the report states, according to three of the sources. The goal was not to kill Lesin, all four sources said Steele wrote, but Lesin died from the attack.

The sources could not recall what, if anything, the report said about whether Putin knew of or sanctioned the attack.

Full story: Christopher Steele’s Other Report: A Murder In Washington (BuzzFeed News)

The British Government Will Review Allegations Of Russian Involvement In 14 Suspicious Deaths Exposed By BuzzFeed News (BuzzFeed News)

Related: More Mystery in Russia-Connected DC Death

From CIR’s Human Rights Abuses page:

Eight high-profile Russians have died since the November 8, 2016 U.S. presidential election. Buzzfeed has been investigating 14 suspicious deaths on British soil with ties to Russia that have taken place under Putin’s regime. The news site also has filed a lawsuit to speed up the FBI’s possible release of information pertaining to the suspicious death of Putin’s former media czar, Mikhail Lesin, in a DC hotel the night before he was scheduled to meet with the U.S. Department of Justice back in November 2015.

9 Iranians Charged in Hacking 176 Universities, Intellectual Property

Nine Iranians Charged With Conducting Massive Cyber Theft Campaign On Behalf Of The Islamic Revolutionary Guard Corps

Mabna Institute Hackers Penetrated Systems Belonging to Hundreds of Universities, Companies, and Other Victims to Steal Research, Academic Data, Proprietary Data, and Intellectual Property

Rod J. Rosenstein, the Deputy Attorney General of the United States, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, William F. Sweeney Jr., the Assistant Director-in-Charge of the New York Field Division of the Federal Bureau of Investigation (“FBI”), and John C. Demers, Assistant Attorney General for National Security, announced today the unsealing of an indictment charging GHOLAMREZA RAFATNEJAD, EHSAN MOHAMMADI, ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI.  The defendants were each leaders, contractors, associates, hackers-for-hire, and affiliates of the Mabna Institute, an Iran-based company that was responsible for a coordinated campaign of cyber intrusions that began in at least 2013 into computer systems belonging to 144 U.S.-based universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the United States Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.  Through the activities of the defendants, the Mabna Institute conducted these intrusions to steal over 30 terabytes of academic data and intellectual property from universities, and email inboxes from employees of victim private sector companies, government victims, and non-governmental organizations.  The defendants conducted many of these intrusions on behalf of the Islamic Republic of Iran’s (“Iran”) Islamic Revolutionary Guard Corps (“IRGC”), one of several entities within the government of Iran responsible for gathering intelligence, as well as other Iranian government clients.

In addition to these criminal charges, today the Department of Treasury’s Office of Foreign Assets Control (OFAC) designated the Mabna Institute and the nine defendants for sanctions for the malicious cyber-enabled activity outlined in the Indictment.

Deputy Attorney General Rod J. Rosenstein said:  “These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries.  For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps.  The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property.  This case is important because it will disrupt the defendants’ hacking operations and deter similar crimes.”

Manhattan U.S. Attorney Geoffrey S. Berman said:  “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code.  As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries, including the United States, and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard.  The hackers targeted innovations and intellectual property from our country’s greatest minds.  These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest.  The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”

FBI Assistant Director William F. Sweeney Jr. said:  “The numbers alone in this case are staggering: over 300 universities and 47 private sector companies both here in the United States and abroad were targeted to gain unauthorized access to online accounts and steal data.  An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly equivalent to 8 billion double-sided pages of text.  It is hard to quantify the value of the research and information that was taken from victims, but it is estimated to be in the billions of dollars.  The nine Iranians indicted today now find themselves wanted by the FBI and our partner law enforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely move was just limited to the virtual world only.”

According to the allegations contained in the Indictment[1] unsealed today in Manhattan federal court:

Background on the Mabna Institute

GHOLAMREZA RAFATNEJAD and EHSAN MOHAMMADI, the defendants, founded the Mabna Institute in approximately 2013 to assist Iranian universities and scientific and research organizations in stealing access to non-Iranian scientific resources.  In furtherance of its mission, the Mabna Institute employed, contracted, and affiliated itself with hackers-for-hire and other contract personnel to conduct cyber intrusions to steal academic data, intellectual property, email inboxes and other proprietary data, including ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI.  The Mabna Institute contracted with both Iranian governmental and private entities to conduct hacking activities on their behalf, and specifically conducted the university spearphishing campaign on behalf of the IRGC.  The Mabna Institute is located at Tehran, Sheikh Bahaii Shomali, Koucheh Dawazdeh Metri Sevom, Plak 14, Vahed 2, Code Posti 1995873351.

University Hacking Campaign

The Mabna Institute, through the activities of the defendants, targeted over 100,000 accounts of professors around the world.  They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.  The campaign started in approximately 2013, and has continued through at least December 2017, and broadly targeted all types of academic data and intellectual property from the systems of compromised universities, including, among other things, academic journals, theses, dissertations, and electronic books.  Through the course of the conspiracy, U.S.-based universities spent over approximately $3.4 billion to procure and access such data and intellectual property.

The hacking campaign against universities was conducted across multiple stages.  First, the defendants conducted online reconnaissance of university professors, including to determine these professors’ research interests and the academic articles they had published.  Second, using the information collected during the reconnaissance phase, the defendants created and sent spearphishing emails to targeted professors, which were personalized and created so as to appear to be sent from a professor at another university.  In general, those spearphishing emails indicated that the purported sender had read an article the victim professor had recently published, and expressed an interest in several other articles, with links to those additional articles included in the spearphishing email.  If the targeted professor clicked on certain links in the email, the professor would be directed to a malicious Internet domain named to appear confusingly similar to the authentic domain of the recipient professor’s university.  The malicious domain contained a webpage designed to appear to be the login webpage for the victim professor’s university.  It was the defendants’ intent that the victim professor would be led to believe that he or she had inadvertently been logged out of his or her university’s computer system, prompting the victim professor for his or her login credentials.  If a professor then entered his or her login credentials, those credentials were then logged and captured by the hackers.
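The credential-harvesting step above depends on a domain "named to appear confusingly similar" to the university's own, so that a professor accepts a fake login page. One defensive check a mail gateway or awareness tool can run on every link is to compare the link's host against an allow-list of institutional domains and flag the common lookalike tricks: the real domain reused as a leading label of an attacker-controlled domain, homoglyph substitutions (1 for l, rn for m), and near-miss spellings. The code below is an added example written for this page, not code from the Department of Justice or the FBI; the allow-list, the domain names and the sample links are constructed, and the registrable-domain extraction is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Classify e-mail links as known, lookalike or unrelated relative to an
allow-list of institutional login domains.

Added example for this page (not from the DOJ release). KNOWN_DOMAINS and
the sample URLs are constructed; registrable() is a simplification.
"""
from urllib.parse import urlparse

# Constructed allow-list of the institution's legitimate login hosts.
KNOWN_DOMAINS = {"example-university.edu", "login.example-university.edu"}


def normalize(host: str) -> str:
    """Fold common homoglyph substitutions so 'examp1e' and 'exarnple'
    compare equal to 'example'. Applied to both sides of a comparison."""
    h = host.lower().rstrip(".")
    h = h.replace("rn", "m").replace("vv", "w")
    return h.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no
    public-suffix list, so co.uk-style suffixes are not handled)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for the host in url.
    URLs without a parseable host are treated as unrelated."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    for k in known:
        if host == k or host.endswith("." + k):
            return "known"
    cand_reg = registrable(host)
    cand_sld = cand_reg.split(".")[0]
    for k in known:
        k_reg = registrable(k)
        k_sld = k_reg.split(".")[0]
        # (a) the genuine domain reused as a leading label of another domain,
        #     e.g. example-university.edu.secure-login.com
        if host.startswith(k_reg + ".") or k_sld in host.split(".")[:-2]:
            return "lookalike"
        # (b) homoglyph substitution or a spelling within two edits
        if normalize(cand_reg) == normalize(k_reg) or levenshtein(cand_sld, k_sld) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, one per category the classifier distinguishes.
    for link in ("https://login.example-university.edu/sso",
                 "https://example-university.edu.secure-login.com/auth",
                 "https://examp1e-university.edu/login",
                 "https://journals.publisher-example.com/article"):
        print(classify_link(link), link)
```

A gateway would typically rewrite or quarantine anything classified as "lookalike" and let "known" pass; "unrelated" links (a publisher's site, a colleague's personal page) are the majority of legitimate traffic and need a different policy than a blanket block.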

Finally, the members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor accounts, through which they then exfiltrated intellectual property, research, and other academic data and documents from the systems of compromised universities, including, among other things, academic journals, theses, dissertations, and electronic books.  The defendants targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields.  At least approximately 31.5 terabytes of academic data and intellectual property from compromised universities were stolen and exfiltrated to servers under the control of members of the conspiracy located in countries outside the United States.

In addition to stealing academic data and login credentials for university professors for the benefit of the Government of Iran, the defendants also sold the stolen data through two websites, Megapaper.ir (“Megapaper”) and Gigapaper.ir (“Gigapaper”).  Megapaper was operated by Falinoos Company (“Falinoos”), a company controlled by ABDOLLAH KARIMA, a/k/a “Vahid Karima,” the defendant, and Gigapaper was affiliated with KARIMA.  Megapaper sold stolen academic resources to customers within Iran, including Iran-based public universities and institutions, and Gigapaper sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library systems of particular United States-based and foreign universities.

Prior to the unsealing of the Indictment, the FBI provided foreign law enforcement partners with detailed information regarding victims within their jurisdictions, so that victims in foreign countries could be notified and so that foreign partners could assist in remediation efforts.

Private Sector Hacking Victims

In addition to targeting and compromising universities, the Mabna Institute defendants targeted and compromised employee email accounts for at least approximately 36 United States-based private companies, and at least approximately 11 private companies based in Germany, Italy, Switzerland, Sweden, and the United Kingdom, and exfiltrated entire email mailboxes from compromised employees’ accounts.  Among the United States-based private sector victims were three academic publishers, two media and entertainment companies, one law firm, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, one healthcare company, one employee benefits company, one industrial machinery company, one biotechnology company, one food and beverage company, and one stock images company.

In order to compromise accounts of private sector victims, members of the conspiracy used a technique known as “password spraying,” whereby they first collected lists of names and email accounts associated with the intended victim company through open source Internet searches.  Then, they attempted to gain access to those accounts with commonly-used passwords, such as frequently used default passwords, in order to attempt to obtain unauthorized access to as many accounts as possible.  Once they obtained access to the victim accounts, members of the conspiracy, among other things, exfiltrated entire email mailboxes from the victims.  In addition, in many cases, the defendants established automated forwarding rules for compromised accounts that would prospectively forward new outgoing and incoming email messages from the compromised accounts to email accounts controlled by the conspiracy.
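The two behaviours in the paragraph above, a spray of one common password across many accounts and an auto-forwarding rule planted after takeover, each leave a distinct trace that a defender can look for. A spray shows up in authentication logs as one source failing against many different accounts with only one or two attempts per account (the opposite shape from a brute-force attack on a single account), and the compromise itself is a later success from that same source. The rule shows up in a mailbox rule export as a forward to an address outside the organisation. The code below is an added example for this page, not code from the Department of Justice release or from the FBI FLASH message it mentions; the log format, the log lines, the rule export and the domain names are constructed, and real identity-provider and mail-server exports use their own formats.

```python
"""Detect password spraying in authentication logs and audit mailbox
forwarding rules for external forwards.

Added example for this page (not from the DOJ release or the FBI FLASH).
AUTH_LOG, FORWARDING_RULES and ORG_DOMAIN are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example-corp.com"  # constructed organisation domain

# Constructed auth log: timestamp, result, account, source IP.
# 203.0.113.7 tries a few passwords across many accounts (spray, then one success),
# 198.51.100.20 hammers one account (brute force), 192.0.2.44 is a user typo.
AUTH_LOG = """\
2017-11-02T09:00:01Z FAIL alice@example-corp.com 203.0.113.7
2017-11-02T09:00:04Z FAIL bob@example-corp.com 203.0.113.7
2017-11-02T09:00:09Z FAIL carol@example-corp.com 203.0.113.7
2017-11-02T09:00:13Z FAIL dave@example-corp.com 203.0.113.7
2017-11-02T09:00:18Z FAIL erin@example-corp.com 203.0.113.7
2017-11-02T09:00:22Z FAIL frank@example-corp.com 203.0.113.7
2017-11-02T09:21:40Z FAIL alice@example-corp.com 203.0.113.7
2017-11-02T09:21:45Z FAIL bob@example-corp.com 203.0.113.7
2017-11-02T09:21:50Z OK erin@example-corp.com 203.0.113.7
2017-11-02T10:15:00Z FAIL grace@example-corp.com 198.51.100.20
2017-11-02T10:15:03Z FAIL grace@example-corp.com 198.51.100.20
2017-11-02T10:15:06Z FAIL grace@example-corp.com 198.51.100.20
2017-11-02T10:15:09Z FAIL grace@example-corp.com 198.51.100.20
2017-11-02T10:15:12Z FAIL grace@example-corp.com 198.51.100.20
2017-11-02T10:15:15Z FAIL grace@example-corp.com 198.51.100.20
2017-11-02T11:00:00Z FAIL henry@example-corp.com 192.0.2.44
2017-11-02T11:00:30Z OK henry@example-corp.com 192.0.2.44
"""

# Constructed mailbox rule export: (mailbox, rule name, forward-to addresses).
FORWARDING_RULES = [
    ("erin@example-corp.com", "Archive", ["archive-erin@example-corp.com"]),
    ("erin@example-corp.com", ".", ["collect.mail.2017@mail-drop.example"]),
    ("alice@example-corp.com", "Out of office", []),
]


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, result, account, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account.lower(), ip))
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs that fail against at least `min_users` distinct accounts
    with at most `max_per_user` tries each inside a sliding `window`. A single
    account with many failures (brute force) does not match. For each flagged
    source also list accounts that later logged in successfully from it."""
    fails_by_ip = defaultdict(list)
    for ts, result, account, ip in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, account))
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        sprayed = set()
        j = 0
        for i in range(len(fails)):
            while fails[j][0] < fails[i][0] - window:  # slide the window start forward
                j += 1
            per_account = defaultdict(int)
            for _, account in fails[j:i + 1]:
                per_account[account] += 1
            if len(per_account) >= min_users and max(per_account.values()) <= max_per_user:
                sprayed.update(per_account)
        if sprayed:
            first_fail = fails[0][0]
            successes = {a for ts, r, a, src in events
                         if src == ip and r == "OK" and ts >= first_fail}
            hits[ip] = {"sprayed_accounts": sorted(sprayed),
                        "later_successes": sorted(successes)}
    return hits


def suspicious_forwarding_rules(rules, org_domain=ORG_DOMAIN):
    """Return (mailbox, rule name, external targets) for rules that forward
    mail to an address outside org_domain."""
    flagged = []
    for mailbox, name, targets in rules:
        external = [t for t in targets if t.split("@")[-1].lower() != org_domain]
        if external:
            flagged.append((mailbox, name, external))
    return flagged


if __name__ == "__main__":
    print(detect_password_spray(parse_auth_log(AUTH_LOG)))
    print(suspicious_forwarding_rules(FORWARDING_RULES))
```

The thresholds are assumptions to tune per environment; the useful alert is the combination, a source that sprayed and then succeeded, rather than the failures alone, which is why the detector reports later successes per source. Rule names consisting of a single character or punctuation, as in the constructed "." rule, are a frequent sign of a rule created by a script rather than by the mailbox owner and are worth surfacing in the same review.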

In connection with the unsealing of the Indictment, today the FBI issued an FBI Liaison Alert System (FLASH) message, providing detailed information regarding the vulnerabilities targeted and the intrusion vectors used by the Mabna Institute in their campaign against private sector companies, to provide the public with information to assist in detecting and remediating the threat.

U.S. Government and NGO Hacking Victims

In the same time period as the university and private sector hacking campaigns described above, the Mabna Institute also conducted a computer hacking campaign against various governmental and non-governmental organizations within the United States.  During the course of that campaign, employee login credentials were stolen by members of the conspiracy through password spraying.  Among the victims were the following, all based in the United States:  the United States Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the State of Indiana Department of Education, the United Nations, and the United Nations Children’s Fund.  As with private sector victims, the defendants targeted for theft email inboxes of employees of these organizations.

*                *                *

GHOLAMREZA RAFATNEJAD, EHSAN MOHAMMADI, ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI, the defendants, are citizens and residents of Iran.  Each is charged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; two counts of unauthorized access of a computer, each of which carries a maximum sentence of five years in prison; two counts of wire fraud, each of which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison.  The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencings of the defendants will be determined by the assigned judge.

Mr. Berman praised the outstanding investigative work of the FBI, the assistance of the United Kingdom’s National Crime Agency (NCA), and the support of the OFAC.  The case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorneys Timothy T. Howard, Jonathan Cohen, and Richard Cooper are in charge of the prosecution, with assistance provided by Heather Alpino and Jason McCullough of the National Security Division’s Counterintelligence and Export Control Section.

The charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless and until proven guilty.


[1] As the introductory phrase signifies, the entirety of the text of the Indictment, and the description of the Indictment set forth herein, constitute only allegations, and every fact described should be treated as an allegation.

Topic(s):
Cyber Crime
Press Release Number:
18-089