A Wide Look at North Korea’s WMD Operations


Primer:

South Korean surgeons operating on a North Korean defector who escaped across the Demilitarized Zone between the two countries under a hail of gunfire on Nov. 13 have found a parasite in the man’s stomach unlike any other they had seen.

The defector, who was shot five times, remained in critical condition after hours in two rounds of surgery, according to an article in the Korea Biomedical Review published on Nov. 15.

North Korean Cyber Operations: Weapons of Mass Disruption

Over the past 10 years, the escapades of various nation-state actors in the cyber realm have exploded onto the pages of top-tier media and into prime-time network news.

Russian espionage against political targets during the 2016 US presidential election, wide reaching Chinese espionage against Western commercial targets, disruptive attacks against the US financial sector associated with Iran, and the destructive attacks against Sony Pictures Entertainment (SPE) are some of the premier examples of mainstream coverage of ‘cyber.’

Behind every single offensive cyber action conducted in the interest of the capable nation-states is a doctrine,[1] and North Korea, like many other nation-states, has incorporated cyber operations within their own broader military doctrine and has conducted numerous offensive operations in the furtherance of their national agenda. What is particularly alarming about DPRK operations is their willingness to initiate escalatory actions, such as their likely connections to the now infamous WannaCry ransomware, and their targeting of the global financial system.

North Korea’s disregard for the consequences of its actions sets them apart from other nation-states, and is particularly dangerous.

North Korean offensive cyber operations have been conducted to collect sensitive political and military intelligence information, to lash out at enemies who threaten their beliefs and interests, and most interestingly, to generate revenue.

This revenue generation aspect of North Korean operations was thrust into the international spotlight when, in early 2016, unauthorized transfers of funds from the Bangladesh Central Bank were issued using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network for global banking. The attempted transfers, amounting to over $950 million USD, sought to move funds to entities in locations such as Sri Lanka and the Philippines; ultimately $81 million USD in funds disappeared into the ether.

The subsequent investigation revealed that the perpetrators of the attack used tools to securely delete the records on the SWIFT terminals that would have alerted Bangladesh Central Bank employees to the transfers. Commonly referred to as a “wiper,” this secure deletion tool contained code that many in the computer security industry linked to code used in attacks associated with North Korea, notably the attack on SPE, as documented in a US Computer Emergency Response Team (US-CERT) alert. The revelation that a state would engage in such a flagrant violation of international norms came as a surprise to many in the information security arena. North Korea watchers were, of course, not surprised, as the currency generation activities benefiting the Kim family and their isolated nation have been well understood for some time.

The 2016 SWIFT attacks associated with North Korea are part of the broader currency generation operations of DPRK cyber actors and intelligence organizations. Botnets associated with espionage activity targeting South Korea have been used to generate revenue through a variety of schemes for almost 10 years. Recent DPRK activity suggests an interest in obtaining cryptocurrency, such as bitcoin, through extortion and targeting of cryptocurrency exchanges.

In the third quarter of 2017, for instance, malicious emails containing weaponized documents were used to target international financial organizations, as well as bitcoin exchanges. The ultimate goal of these attacks, which were tracked by the information security community under names such as Stardust Chollima and BlueNoroff, is not yet known; however, theft and sabotage are likely.

Bitcoin provides attractive benefits to the isolated nation due to a lack of regulation and the ability to subvert international sanctions. In May 2017, ‘WannaCry’ exploded across the internet, encrypting sensitive material and holding the keys to decrypt the files for a ransom to be paid in bitcoin. This attack, too, had North Korean fingerprints embedded in the code used to execute the attack, as did the tools that were used to develop that code.

Attribution is a particularly sensitive subject in the cyber domain. Technical artifacts from the executable code that was used to conduct the WannaCry attack overlap with code used in attacks against South Korean nuclear power plants and the SPE attack of 2014. While the technical artifacts can provide some measurable connections between the attacks, they require deep technical understanding to interpret. Other linkages, such as targeting and operational procedures, are the product of intelligence assessments and have been disputed by various parties, muddying the waters around the assignment of attribution.

North Korea is an exception to the classical understanding of how most nations implement offensive cyber operations in that they incorporate espionage, disruptive/destructive attacks and financially motivated operations using the same computer code and infrastructure.

The value of cyber operations is likely recognized by North Korea’s most senior leadership through the State Affairs Commission (SAC), the General Staff of the Korean People’s Army, and Kim Jong Un himself. Subordinate units, notably the Reconnaissance General Bureau (RGB), Bureau 121, and the Command Automation Bureau (CAB), are likely responsible for executing the specific operations. The individual units may have a charter to self-finance their operations, or to contribute financial gains back to the regime, but it seems clear that various offensive operations are conducted by differing groups with their own approach and missions. For example, one group may have a primary focus on revenue generation, targeting South Korean banks and SWIFT and conducting extortive attacks, while another group might focus on intelligence collection, while a third conducts sabotage and destructive attacks.

Finally, the maturity of North Korean offensive cyber operations has been demonstrated through the integration of destructive attacks by cyber units during military exercises executed in the midst of escalating tension with South Korea. For instance, following the December 2012 launch of the Kwangmyongsong-3 satellite via the Unha-3 satellite launch vehicle, tensions on the Korean peninsula were high. That March, following the passing of UN Security Council Resolution (UNSCR 2087) and B-52 strategic bomber overflights in South Korea, North Korea responded with a particularly aggressive disruptive attack against South Korea.

This massive wiper attack targeted South Korea’s financial and media sectors and coincided with provocations by North Korean military and escalating political rhetoric. This pairing allowed for maximum psychological impact, while demonstrating North Korea’s ability to integrate offensive cyber activities into well-developed military doctrine. During these attacks, the Korea Broadcasting System (KBS), Munhwa Broadcasting Corporation (MBC), Yonhap Television News (YTN) and several Korean financial institutions reported disruptions. With the threat of military escalation on the table, many in South Korea would have depended on the media outlets for breaking news. Disruption of ATM networks and financial institutions would further add to the chaos as word of media disruptions began to spread.

As tensions are once again escalating between North Korea and the international community, more attacks perpetrated by DPRK cyber actors are likely. The recent increase in financial sector targeting associated with these actors may illustrate the potential for disruptive attacks to demonstrate the capability of the North Korean actors, as well as to achieve objectives in line with their broader military doctrine. While North Korea’s isolation may be detrimental to its economy and international relations, it is an effective shield from which to launch offensive cyber operations against a connected and delicate global system.


[1] In order to establish some common definitions, we can look to the United States Department of Defense, which established Computer Network Operations (CNO) as a component of the broader Information Operations (Information Warfare) arena. CNO is further categorized into Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Defense (CND). Offensive cyber operations conducted by nation-states using this model would be considered CNE and CNA. The use of CNE can be roughly characterized as espionage, whereas CNA would be used to degrade, deny, disrupt, or destroy the network-based systems of an adversary. This model can help provide a clear delineation of how various military, intelligence community, and law enforcement agencies with their authorities are able to conduct operations. China, Russia, Iran and virtually every nation-state in the world conduct CNE/CNA operations in accordance with their legal authorities and national interests.

***

There are other weapons few discuss.

Pyongyang has already achieved partial coverage of US territories. Last June, in a hearing before the US House Armed Services Committee, the head of the US Missile Defense Agency, Vice Admiral James Syring, said: “The advancement and demonstration of technology of ballistic missiles from North Korea in the last six months have caused great concern to me and others. It is incumbent on us to assume that North Korea today can range the US with an ICBM carrying a nuclear warhead.”

This particular endeavor was likely assisted by Tehran. A February 2016 report by the Congressional Research Service concluded, “Iran has likely exceeded North Korea’s ability to develop, test, and build ballistic missiles.” Tehran might be, and probably is, helpful to Pyongyang with respect to technological aspects of the nuclear sphere as well.

The nuclear component within the spectrum of North Korea’s weapons of mass destruction (WMDs) is evidently growing. The big question is whether the country’s despot, Kim Jong-un, will be the first person to use nuclear weapons since 1945.

Quite recently, Kim elected to employ a highly lethal chemical weapon, the nerve agent VX, for a political assassination. This weapon was used last February by two female operatives, one Indonesian and the other Vietnamese, to murder Kim Jong-un’s estranged half-brother, Kim Jong-nam, in Malaysia. The victim died shortly after being assaulted by the two women, who wiped VX on his face as he prepared to board a flight to the Chinese territory of Macau. Traces of VX were revealed on swabs taken from his eyes and face.

This deadly chemical agent was probably smuggled from North Korea to Malaysia, which in and of itself was an intriguing and risky move. Six of eight potential suspects were from Pyongyang’s Ministries of State Security and Foreign Affairs. The suspects flew from Kuala Lumpur on the day of the assassination, passing through Vladivostok on their way back to Pyongyang. South Korea’s request to detain four of the suspects was rejected by Russian officials on the grounds of lack of evidence.

It can be assumed that Kim Jong-un was in on the plot from its inception. Symbolically, at least, this political assassination by VX can be regarded as an indication of Pyongyang’s chemical weapons (CW) capabilities. Whether the regime intended it to or not, the assassination signaled the readiness, usability, and deployability of North Korea’s VX, which can be used for guerrilla warfare, chemical terrorism, or wide-scale chemical attack.

VX is also weaponized within warheads carried by ballistic missiles in Pyongyang’s vast CW arsenal. The North Korean ballistic program constitutes the principal, though not the only, vehicle for all three WMD programs. The CW and biological weapons (BW) programs are fully matured and have marked operational offensive capabilities. Inadequate attention is being paid to Pyongyang’s large-scale offensive capacities in terms of CW and BW, but the VX political assassination incident was a wake-up call (if unintentional). More here.

About that FBI Uranium One Informant, Mr. Campbell

His name is William Douglas Campbell and he was a former lobbyist for Tenex, the US-based arm of Rosatom, the Russian government’s nuclear agency. Guy Benson had it right on Tucker Carlson’s show…this Uranium One deal is not quite what the conservative media is telling you.

So when AG Jeff Sessions says he will have the Justice Department look at ‘certain aspects’ of the case, reading below, you will be able to understand why his words matter.

We have this trucking company that was hired. Transport Logistics International, Inc. provides transportation management services to front-end and back-end sectors of the nuclear power industry. The company manages domestic and international movements of radioactive materials between North America, South America, Europe, Asia, Africa, and Australia. It also offers DOT-compliant training and consulting services associated with transportation feasibility studies, export licensing activities, package validations, and antidumping order compliance. In addition, the company provides professional support for the packaging and transportation of isotopes and related products for commercial and research sectors, as well as for spent fuel transportation. Key executives include:

Co-President and Managing Partner
Co-President and Managing Partner
Director of Operations
Director of TLI Russia
Consultant

Anyway, moving on….

The full criminal complaint is here.

The U.S., meaning Obama and Hillary, did not exactly sell 20% of the U.S. inventory of uranium to Russia. Actually, Uranium One USA, LLC, a wholly owned subsidiary of Uranium One, Inc., owned the rights to a uranium mine in Casper, Wyoming. And while Hillary is being blamed, she never cast a vote on the transaction at the CFIUS committee. The real question is not the sale of the uranium but the sale of the mining location to Uranium One…who authorized that?

Uranium One, at the time the deal was made, controlled land equal to about 20 percent of the United States’ uranium capacity.

***

At the time of the sale, Campbell was a confidential source for the FBI in a Maryland bribery and kickback investigation of the head of a U.S. unit of Rosatom, the Russian state-owned nuclear power company. Campbell was identified as an FBI informant by prosecutors in open court and by himself in a publicly available lawsuit he filed last year.

Also, although both Uranium One and the bribery cases involved Rosatom, the two cases involved different business units, executives and allegations, with little other apparent overlap, Reuters found in a review of the court records of the bribery case.

Campbell countered those who dismiss his knowledge of the Uranium One deal. “I have worked with the Justice Department undercover for several years, and documentation relating to Uranium One and political influence does exist and I have it,” Campbell said. He declined to give details of those documents.

BRIBERY SCHEME

Campbell worked as an informant for federal authorities investigating Vadim Mikerin, a Russian official in charge of U.S. operations for Tenex, a unit of Rosatom. Authorities later accused Mikerin of taking bribes from a shipping company in exchange for contracts to transport Russian uranium into the United States. He pleaded guilty in federal court in Maryland and was sentenced to prison for four years.

The Justice Department had also initially charged Mikerin with extorting kickbacks from Campbell after hiring him as a $50,000-a-month lobbyist.

Prosecutors alleged Mikerin had demanded Campbell pay between one-third and half of that money back to him each month under threat of losing the contract and veiled warnings of violence from the Russians. The demand prompted Campbell to turn to the FBI in 2010, which gave its blessing for him to remain part of the scheme.

Federal prosecutors were ready to use Campbell as a star witness against Mikerin, but they backed away after defense attorneys raised questions about Campbell’s credibility and whether he was a victim or had “entered into a business arrangement with eyes wide open,” according to court records.

Before it was taken down last year, the website of Campbell’s company, Sigma Transnational, did not suggest his firm was a lobbying powerhouse. The website listed four other employees and advisers, although one had died years earlier. A second employee listed said in a court document that she never worked for the company but had agreed in 2014 to pay Campbell to list her as an employee and allow her to use the Sigma name in a business deal. Campbell declined to comment on the staffing or his lobbying contract with Tenex.

Prosecutors dropped the extortion charges against Mikerin and never mentioned Campbell again in any charging documents. A Justice Department spokeswoman declined to comment on the case. Campbell also declined to comment on the issue.

Reuters has been unable to learn why Tenex chose Campbell as its lobbyist. He acknowledged in a lawsuit he filed in 2016 that he was hired despite the fact he “had no experience with nuclear fuel sales.” More here from Reuters.

Former KGB Officer Hired for US Embassy Moscow Security


Added: Oct 27, 2017 1:51 pm

Local Guard Services for US Mission Russia. Contract was awarded in accordance with FAR 6.302-2, Unusual and compelling urgency.

Contract is in accordance with 52.216-25 CONTRACT DEFINITIZATION.

The 4-page contract is here; it appears it was an emergency choice and hire.

Are there any people left in the contract office that have any brains? Is there anyone at the State Department providing guidance or final approvals with brains?

US embassy hires security firm of former Russian spy who worked with Putin

The US embassy in Moscow is to be guarded by a company owned by a former head of KGB counter-intelligence who worked with British double agent Kim Philby and young Vladimir Putin, after cuts to US staff demanded by Russia.

Elite Security Holdings was awarded a $2.83 million contract to provide “local guard services for US mission Russia,” which includes the Moscow embassy and consulates in St Petersburg, Yekaterinburg and Vladivostok, according to a post on a US state procurement website.

The contract and background of the firm came to light in a Kommersant newspaper report on Friday.

Elite Security, a private company and the oldest part of the eponymous holding, was founded in 1997 by Viktor Budanov and his son Dmitry, according to a Russian business registry.

A 2002 article posted on the site of Russia’s foreign intelligence service identified Mr Budanov as a major general in the agency who became a Soviet spy in 1966 and retired a year after the collapse of the USSR.

His long work in Soviet and Russian intelligence could raise questions about whether the guard services contract poses a security or intelligence risk to the US mission.

The US embassy referred The Telegraph to the state department, which did not respond to requests for comment.

Moscow forced Washington to cut its diplomatic staff in Russia from more than 1,200 to 455 in response to sanctions adopted against Russia in August.

Before his work in foreign intelligence Mr Budanov was the director of the KGB’s counter-intelligence division, he has told Russian media.

He also was head of the KGB branch in East Germany in the late 1980s, where a young Mr Putin served under him. In a 2007 interview, Mr Budanov lamented the collapse of the USSR, praised Mr Putin’s leadership and warned that Russia “can’t constantly act as (the Americans) want” or it would be destroyed.

He has also said he worked with Britain’s most infamous Soviet double agent after Philby defected to the USSR in 1963 and was once a guest at a private lunch given in Philby’s honour by Yury Andropov, the KGB head who became leader of the Soviet Union.

In the 1990s, Mr Budanov became acquainted with high-level US intelligence officials while providing business intelligence and security to foreign companies.

He formed a joint venture with the former assistant director of the National Security Agency and said in 2007 he personally knew the head of security at the US embassy in Moscow.

International Risk and Information Services, a company Mr Budanov founded in 1992 that later became part of Elite Security Holdings, says on its website it employs staff with experience in “state security organs”.

In testimony before a UK court in 1993, Oleg Gordievsky, a KGB bureau chief in London who became a British agent, said Mr Budanov had drugged and interrogated him after he was recalled to Moscow under suspicion.

Mr Budanov also handled sensitive operations like teaching Bulgarian agents how to use a poisonous umbrella to kill dissidents, Mr Gordievsky said.

Simpson/Dossier Testimony and Why these Wire Transfers?


Primer: FNC: The co-founder of the firm behind the anti-Trump ‘dossier’ told House investigators Tuesday that he personally discussed with members of the media allegations of Trump-Russia collusion, though he did not speak to the sources behind the claims, a source told Fox News.

According to a source familiar with the matter, Fusion GPS co-founder Glenn Simpson refused to answer key questions during his seven-hour, closed-door appearance before the House Intelligence Committee. The source said he would not answer questions on his relationship with specific journalists or ties to the Democratic National Committee and Hillary Clinton campaign, which financed the anti-Trump research via the law firm Perkins Coie.

But the source said Simpson acknowledged he did not personally look into certain aspects of the dossier — which was authored by former British intelligence officer Christopher Steele and contained salacious allegations about the Trump team’s ties to Russia.

Simpson told investigators he never spoke to the underlying sources of the document, never traveled to Russia and did not verify the dossier beyond comparing the claims to “open source” media reporting.

The source said Simpson also told investigators he was “upset” when then FBI Director James Comey re-opened the Hillary Clinton email investigation in late October 2016, and Simpson wanted to push back.

Simpson’s appearance was arranged last week in coordination with his attorneys.

The committee initially sought to subpoena Simpson, but withdrew it in exchange for his voluntary testimony.

“Throughout this entire year, the White House and its allies on the Hill and elsewhere have attempted at every turn to smear Fusion GPS because of its connection to the Steele Dossier,” Simpson’s attorney Joshua Levy said Tuesday.

He said Steele and Simpson briefed reporters on the dossier, but neither Simpson nor Fusion GPS paid members of the media to publish stories of any kind. The House Intelligence Committee is back in court Wednesday as Fusion tries to prevent the release of its bank records.

Levy, however, said the dossier is solid.

“What they did do is they contracted with Christopher Steele. … This experienced British intelligence official came back with a report. That now in hindsight looks quite accurate,” Levy said.

Fox News reported earlier this month that Simpson met with Russian lawyer Natalia Veselnitskaya before and after the June 2016 Trump Tower meeting with Donald Trump Jr. and others.

Fox News reported that, during that period, bank records show Fusion GPS was paid by a law firm for work on behalf of a Kremlin-linked oligarch while also paying Steele to dig up dirt on Trump.

But Levy said his client was “shocked and surprised” when he learned in media accounts about the Trump Tower meeting and her presence.

The FBI is examining why Russia transferred nearly $400,000 to its embassies ‘to finance’ the ‘election campaign of 2016’

The FBI is reviewing a series of wire transfers totaling more than $380,000 sent in August and September of last year by the Russian government to its embassies around the world — most with the memo “to finance election campaign of 2016” — BuzzFeed News reported on Tuesday.

It is unclear which “election campaign” the money was for — the US campaign was in full swing, but Russia’s lower house of Parliament was also set to hold an election on September 18.

The funds were transferred to about 60 embassies worldwide from August 3 to September 20, 2016, according to BuzzFeed News. At least one transaction originated from VTB Bank, the report said.

VTB, which is majority-owned by the Kremlin and was sanctioned by the US in 2014, transferred $30,000 to the Citibank account of Russia’s Washington, DC, embassy on August 3, prompting the bank to examine VTB’s other transactions over the same period.

Citibank would then have been required to inform the Treasury’s Financial Crimes Enforcement Network, or FinCEN, if it noticed any suspicious activity.

The Senate Intelligence Committee, which BuzzFeed News says has been made aware of the wire transfers, asked the Treasury for its FinCEN records in April, The Wall Street Journal reported at the time. It received over 2,000 documents from the financial-crimes unit, which monitors over 200 million Bank Secrecy Act records involving more than 80,000 financial institutions.

A dossier compiled by the former British spy Christopher Steele alleging ties between President Donald Trump’s campaign and Moscow claimed that Russian “diplomatic staff” paid “relevant assets” to provide “a two-way flow of intelligence and other useful information.”

“Source E claimed that Russian diplomatic staff in key cities such as New York, Washington DC and Miami were using the emigre ‘pension’ distribution system as cover,” the dossier reads. “The operation therefore depended on key people in the US Russian emigre community for its success. Tens of thousands of dollars were involved.”

The congressional intelligence committees have been examining the dossier’s claims as part of their investigations into whether the Trump campaign colluded with Moscow to influence the outcome of the election.

The special counsel Robert Mueller is leading a parallel investigation into Russia’s election interference. Mueller began hiring lawyers in June with extensive experience in dealing with fraud, racketeering, and other financial crimes. Late last month, the Trump campaign chairman, Paul Manafort, and his longtime business associate Rick Gates were indicted by a grand jury as a result of charges stemming from the investigation.

Mueller’s team is reportedly scrutinizing a meeting in December between Jared Kushner, Trump’s son-in-law, and Sergey Gorkov, the CEO of another sanctioned Russian bank, Vnesheconombank.

Related reading: Top Democrat: Trump’s DOJ nominee helped Russian bank sue over Trump-Russia dossier

Secret Planes, Russia, China and the United States oh My