SecState Pompeo to UNSC to Invoke Iran Snapback Sanctions

President Trump confirmed on Wednesday that he had asked Secretary of State Mike Pompeo to notify the UN Security Council that the U.S. intends to initiate “snapback” sanctions on Iran. The formal request is expected on Thursday, Israeli officials told Axios.

The backdrop: This move could create a diplomatic and legal crisis unlike any seen before at the Security Council. It comes days after the U.S. failed to mobilize support at the council to extend an international arms embargo on Iran.

The big picture: Despite having withdrawn from the 2015 Iran nuclear deal, the U.S. is invoking its terms in an attempt to force sanctions lifted under the pact to snap back into place.

  • The deal says any of the signatories — the U.S., Russia, China, France, Germany and the U.K. — can demand sanctions be reimposed automatically if they believe Iran has committed substantial violations. No country can veto such a move.
  • Russia and China contend that the U.S. gave up its right to reimpose the sanctions when it withdrew from the deal. That view is shared by others on the council, and even by John Bolton, the hawkish former national security adviser.
  • The U.S., on the other hand, claims it has the right to initiate the snapback mechanism because it is a party to the Security Council resolution that endorsed the nuclear deal and included the snapback mechanism.
  • The European signatories, who have tried desperately to save the nuclear deal, also oppose the U.S. move.

How it works: Pompeo is expected to arrive in New York on Thursday and present formal letters to the UN secretary-general and the UN ambassador from Indonesia, who holds the Security Council’s rotating presidency.

  • The letter will then be circulated to other members, beginning a 30-day consultation period.

What to watch: Israeli officials and Western diplomats both say they expect a major diplomatic crisis over those 30 days.

  • If any member of the Security Council submits a resolution to stop the snapback move, the U.S. will be able to veto it.
  • U.S. officials believe that the renewal of international sanctions will lead Iran to withdraw from the nuclear deal — and likely make it impossible for Democratic nominee Joe Biden to put the deal back together if he wins in November.
  • Israeli officials were notified on Monday that the Trump administration intended to submit the official complaint on Thursday.

The latest: “When the United States entered into the Iran deal, it was clear that the United States would always have the right to restore the UN sanctions that would prevent Iran from developing a nuclear weapon,” Trump claimed in a press conference on Wednesday.

***

For background and context:

In May of 2020 –

State Dept: The 13-year-old arms embargo on the Iranian regime will expire in October. The embargo was created by the United Nations Security Council but is scheduled to end because of the 2015 Iran nuclear deal, leaving the world’s foremost state sponsor of terrorism and anti-Semitism free to import and export combat aircraft, warships, submarines and guided missiles. To prevent this, the Security Council must pass a resolution to extend the arms embargo. If this effort is defeated by a veto, the Trump administration is prepared to exercise all legally available options to extend the embargo.

We face this circumstance because the Obama administration acceded to Iran’s demand that the U.N. embargo end in the fifth year of the deal. It is only one of many restrictions on Iran scheduled to expire over time. President Obama hoped concessions would moderate the regime’s behavior. “Ideally,” he said in 2015, “we would see a situation in which Iran, seeing sanctions reduced, would start . . . re-entering the world community [and] lessening its provocative activities.”

Instead, Iranian provocations accelerated under the nuclear deal. Emboldened by repeated diplomatic wins and flush with cash, the Iranian regime increased its ballistic-missile testing and missile proliferation to terrorist proxies. Iran built out a “Shiite crescent” in Syria, Iraq, Lebanon, Bahrain and Yemen, arming its proxies to the teeth.

The U.S. and partners have used the arms embargo to disrupt Iran’s sending advanced weaponry to terrorists and militants. This diplomatic tool has rallied the international community to interdict and inspect weapons shipments, building global condemnation of Iranian violations.

Among many examples, on Feb. 9, a U.S. Navy ship interdicted a ship attempting to smuggle Iranian weapons to Houthi rebels in Yemen. American sailors found 150 antitank guided missiles, three surface-to-air missiles, and component parts for unmanned explosive boats.

Iran’s President Hassan Rouhani sees a bright future when the embargo lapses. In November 2019, he said: “When the embargo . . . is lifted next year, we can easily buy and sell weapons.” He went on to hail the provision as a “huge political success” for Iran.


The regime plans to upgrade Iran’s aging air force, improve the accuracy of its missiles, and strengthen its ability to strike ships and shoot down aircraft. Iran’s Islamic Revolutionary Guard Corps—a terrorist group with a long history of targeting and killing Americans—could then reverse-engineer technologies in these systems for domestic weapons production and export.

Iranian weapons already put American and allied troops in the region under threat and endanger Israel. Letting the arms embargo expire would make it considerably easier for Iran to ship weapons to its allies in Syria, Hamas in Gaza, and Shiite militias in Iraq.

Mr. Rouhani understands the stakes. Last week he appeared on Iranian television to declare that “Iran will give a crushing response if the arms embargo on Tehran is extended.” This threat is designed to intimidate nations into accepting Iran’s usual violent behavior for fear of something worse.

The Security Council must reject Mr. Rouhani’s extortion. The U.S. will press ahead with diplomacy and build support to extend the embargo. We have drafted a resolution and hope it will pass. Russia’s and China’s interests would be served by a “yes” vote—they have more to gain from Mideast stability than from selling weapons to Iran for its sectarian wars.

If American diplomacy is frustrated by a veto, however, the U.S. retains the right to renew the arms embargo by other means. Security Council Resolution 2231 (2015) lifted most U.N. sanctions but also created a legal mechanism for exclusive use by certain nations to snap sanctions back. The arms embargo is one of these sanctions.

Mr. Obama explained how “snapback” works in 2015: “If Iran violates the agreement over the next decade, all of the sanctions can snap back into place. We won’t need the support of other members of the U.N. Security Council; America can trigger snapback on our own.” As of today, Iran has violated the nuclear deal at least five times.

The Trump administration’s preferred strategy is for the Security Council to extend the arms embargo while the U.S. continues to apply maximum economic pressure and maintains deterrence against Iranian aggression. Nearly 400 House members, an overwhelming bipartisan majority, have signed a letter backing Secretary of State Mike Pompeo’s diplomacy to extend the arms embargo. Iran certainly hasn’t earned the right to have it lifted. One way or another, the U.S. will ensure it remains in place against the violent and revolutionary regime in Tehran.

AG Barr on Operation LeGend Successes

Attorney General William Barr announced Wednesday that there have been nearly 1,500 arrests across eight U.S. cities thus far under the “Operation Legend” law enforcement initiative launched roughly six weeks ago. These are federal charges only; investigations and cases involving state charges are turned over to the local district attorneys for prosecution.


Federal officers involved in Operation Legend, a Justice Department initiative to assist cities plagued by violent crime, have made more than 1,000 arrests across the country, Attorney General William Barr said Wednesday.

Of those arrests, more than 200 defendants have been charged with federal crimes, including 90 murder suspects, and nearly 400 guns have been taken off the streets, Mr. Barr said, speaking with reporters in Kansas City, Missouri.

“Operation Legend is the heart of the federal government’s response to this uptick in violent crime,” he said. “Its mission is to save lives, solve crimes and take violent offenders off our streets before they can claim more victims.

“Rather than demonizing or defunding police, we are supporting and strengthening our law enforcement partners at the state and local level.”

Operation Legend is named after 4-year-old LeGend Taliferro, who was shot and killed in Kansas City while he was sleeping. The operation started in that city earlier this month.

Cities that are part of Operation Legend will receive increased resources from the FBI, U.S. Marshals Service, Drug Enforcement Administration and Bureau of Alcohol, Tobacco, Firearms and Explosives to reduce violent crime, with a focus on gun violence. More than 1,000 additional agents have been sent to the nine cities. The program also has allocated $78.5 million in grants to fund additional police positions, more prosecutors and improve technology to solve gun crimes.

A total of 61 defendants in Chicago have been charged with federal crimes. In Albuquerque, 16 individuals face federal charges, 32 in Cleveland, 22 in Detroit, 11 in Milwaukee, 15 in St. Louis and seven in Memphis, Tennessee.

Indianapolis was not included in the totals because that program began only last week.

Federal charges include illegal possession of a firearm, distribution of narcotics, carjacking, and bank robbery.

***

Barr has noted that Operation Legend, however, is separate from those deployments in response to unrest and that the dozens of investigators being dispatched to the cities are instead more focused on assisting federal and state authorities with probing violent crimes.

“There has been a lot of confusion in the media, some of it not unintentional, conflating two different aspects of law enforcement,” Barr said. “One is dealing with civil unrest, rioting, and the other is the classical traditional work that law enforcement does.”

During the news conference, Barr addressed the recent uptick of violent crime across several parts of the country, at one point saying, without providing evidence, that he believed it might be the result of a combination of “pent up aggression” toward state and local quarantine orders, the “premature release of dangerous criminals by the courts” during the COVID-19 pandemic and the “Defund the Police” movement.

Barr added that he expected there will be an increase in the national violent crime rate this year after it saw decreases for the last two years.

Chinese Regime Rushes to Destroy Files Overseas

In part: The Chinese Communist Party (CCP) has directed certain overseas Party cells to destroy sensitive documents and safeguard Party secrets, in response to heightened scrutiny in the West of the regime’s covert activities abroad, an internal document obtained by The Epoch Times reveals.

A notice issued in August by China’s state-owned oil giant China National Petroleum Corporation (CNPC) instructed that the company’s overseas offices in more than ten countries, including Australia and Canada, must “urgently destroy or transfer sensitive documents” relating to “overseas Party-building activities.”


Party-building activities overseas, according to New York-based China commentator Qin Peng, refers to the CCP’s efforts to expand its global influence. Under this program, Chinese consulates can instruct Chinese multinational companies to carry out tasks beyond their business operations, such as collecting intelligence, stealing sensitive information, and influencing local officials, he said.

The notice said that important documents that can’t be easily destroyed may be given to the Chinese embassy in Cambodia for safekeeping.

It also directs the company’s Party members not to divulge sensitive information to local law enforcement.

“When subject to foreign investigations, Party members and cadres must abide by [the principle of] ‘strictly guarding Party secrets,’” the document said. “This is an iron rule and discipline.”

The directive was a response to recent actions by the United States and other Western governments, the document said, citing an incident in Australia where authorities searched and seized mobile phones and computers of Chinese diplomatic personnel because they contained material relating to the CCP. It did not provide further detail about this incident.

The United States has in recent months escalated efforts in combating Chinese espionage and malign influence activities. The Trump administration in July ordered the closure of the Chinese consulate in Houston, saying the diplomatic outpost was a “hub of spying and intellectual property theft.” Federal agents also made a string of arrests of suspected undercover Chinese military officers studying in the country, who prosecutors say are part of a broader network spanning 50 U.S. cities.

The regime’s covert foreign influence operations have also come under the spotlight in many democracies, particularly in Australia, where the government has stepped up actions targeting Chinese influence in politics and university campuses.

Nicholas Eftimiades, a former senior U.S. intelligence official and author of the book “Chinese Intelligence Operations,” told The Epoch Times that the incident in Australia may have referred to an unreported seizure by border officials at the country’s ports of entry, or the recent raid of a Chinese-Australian’s home as part of an investigation into Chinese foreign interference.

Going Underground

The notice said the United States, the U.K., Australia, Canada, and New Zealand were “highly sensitive countries,” and directed staff in those countries to delete all Party-building materials from electronic devices and destroy physical files. Where documents can’t be destroyed, they should be “sealed and stored” in a secure location or handed over to the Chinese embassy in Cambodia, the document instructed.

In Australia and Canada, CNPC staff are to report to their local Chinese consulate the status of how they have dealt with “sensitive urgent information,” the notice said.

The document also demands that all the company’s overseas party organizations, particularly those located in Malaysia, Singapore, and Saudi Arabia, should “proactively accept the leadership role of the Party committee at Cambodia’s Chinese embassy.”

The instructions also emphasized limiting public exposure of overseas Party activities. It prohibited events from being promoted on Chinese social media such as Weibo and WeChat, and issuing public reports of such activities. Communications about Party members or organizations, and reports on Party-building activities should be sent via encrypted channels. Party members were also banned from raising the Chinese national flag, wearing the Party badge, and displaying the content of Party activities on notice boards.


In addition, when holding Party-building activities, staff are not to disclose the identities of Party members and their Party positions, the notice said.

‘Damage Control’

Eftimiades said that it’s very likely this directive was issued to other state-owned enterprises. The notice, he said, revealed an “extraordinary global operation to protect information, to restrict activities so that they don’t come up on the radar of foreign governments.”

James Carafano, vice president of the Heritage Foundation’s institute for national security and foreign policy, said this move would not be surprising given that the regime is likely anticipating much more scrutiny from Western countries.

“If there’s one thing they’re really good at, it’s covering up their tracks,” Carafano told The Epoch Times.

The notice also reveals the close cooperation between the regime and state-owned companies, Eftimiades said.

“A huge dimension of this is the role of the consulates in directing and coordinating the activities of state-owned enterprises abroad,” he said.

The Chinese regime also publicly reveals how Chinese consulates preside over overseas Chinese companies.

A document on “risk prevention guidelines” for overseas Chinese companies, found on the website of China’s Ministry of Foreign Affairs, points out that companies must register with their local consulates and accept their “guidance and management.”

In the event of sudden “safety-related incidents,” Chinese companies must do their public relations under the guidance of corresponding consulates and related Chinese agencies, to “positively guide the public opinion.”

In March 2019, Qi Yu, secretary of the Party committee at China’s Ministry of Foreign Affairs, held a meeting, during which the committee said Chinese consulates should “enhance their political understanding…in order to better serve” the Party.

While the document suggests the CCP has become more cautious, countries shouldn’t let up their guard, Qin warns, adding that as these activities go underground, the Chinese regime is likely to engage in more covert actions, and it’s a long-term threat that countries shouldn’t dismiss.

N. Korea has 60 Nuclear Bombs, 5000 tons of Chemical Weapons

An Army report has the following information in part regarding North Korea:

A new assessment made by the United States Department of the Army estimates that the North Korean regime is in possession of massive amounts of conventional and non-conventional weapons that they are “highly likely” to use in specific circumstances, according to the Yonhap News Agency.

The assessment was published in a report entitled “North Korean Tactics,” and attributes North Korea’s huge armaments program to a desire to “prevent other countries from contemplating regime change.” Apparently, Kim Jong-un, the North Korean dictator, took note of what happened to his Libyan counterpart Muammar Gaddafi and “does not want something similar to happen” to him. (Gaddafi was killed by rebel Libyan forces, after a multi-national force including NATO countries attacked Libya with the stated goal of imposing an arms embargo, sanctions, and an assets freeze against regime leaders.)

According to the report, North Korea already has between 20 and 60 nuclear bombs and “the capacity to produce six new devices each year.” It also boasts the world’s third-largest stockpile of chemical weapons – between 2,500 and 5,000 tons of various substances – and is engaged in research into biological warfare as well. “Only one kilogram of anthrax could kill up to 50,000 people in Seoul,” the capital of South Korea, the report’s authors note.

Another ongoing source of concern is North Korea’s Cyber Warfare Guidance Unit, which employs over 6,000 computer hackers who “can successfully conduct invasive computer warfare activities from the safety of its own territory.” North Korean operatives are known to already be operating in several foreign countries including Belarus, China, India, Malaysia, and Russia.

Negotiations between the United States and North Korea broke down entirely following an unproductive summit between Kim Jong-un and US President Donald Trump in February, 2019.

Further details in the report to Congress include:

North Korea’s military “uses tactics based on former Soviet or current Russian doctrine, Chinese developments, lessons learned, and observation of recent military actions,” according to a new US Army manual on the subject.

“While North Korea maintains large amounts of military equipment, much of it is outdated, making it quantitatively superior to most armies but qualitatively inferior,” the new manual said. See North Korean Tactics, Army Techniques Publication (ATP) 7-100.2, 24 July 2020.

But North Korea has proved resourceful in other areas, including offensive cyber warfare.

“The primary organization responsible for computer warfare in North Korea is Bureau 121, which fielded at least 1,000 elite hackers in 2010 who focused on other countries’ computer systems. This number is likely much higher now” and includes “cyberspace teams [deployed] in foreign countries.”

And not least of all, “The country’s possession of a nuclear arsenal and its pursuit of missile technology are attempts to ensure that external powers do not interfere with its internal affairs for fear of a nuclear reprisal,” the Army manual said.


“North Korea is constantly adapting and evolving its capabilities,” the Army said.

***

Formed in the late 1990s, Bureau 121 is unit 121 of the General Bureau of Reconnaissance in North Korea’s military (now said to be made up of 6,000 hackers).

Part of the unit is sometimes known as the DarkSeoul Gang, according to a report by Reuters.

Despite being one of the poorest countries in the world, North Korea puts a lot of its cash into Bureau 121.

North Korea is still technically at war with South Korea and cyber-warfare is arguably its best weapon. Coming from a defector in 2015, more details were provided to the BBC.

There is an official training school for the younger hacking applicants.


Students are sent to the military school after graduating from Geumseong Middle School in the capital. A report on the cyber threat written by US Major Steve Sin in 2009 revealed that Unit 121 had a base in the Chilbosan Hotel in Shenyang, China, from which it could launch its attacks. The 164-room three-star hotel is jointly owned by the North Koreans and Chinese. More details here.

Hat tip to NSA FBI for Cracking Drovorub

The National Security Agency and the FBI are jointly exposing malware that they say Russian military hackers use in cyber-espionage operations.

Hackers working for Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center, military unit 26165, use the malware, which the Russians themselves call “Drovorub,” to target Linux systems, the NSA and FBI said Thursday in a detailed report.

The hackers, also known as APT28 or Fancy Bear, allegedly hacked the Democratic National Committee in 2016 and frequently target defense, government, and aerospace entities. The Russian military agency is also known as the GRU.


While the alert does not include specific details about Drovorub victims, U.S. officials did say they published the alert Thursday to raise awareness about state-sponsored Russian hacking and possible defense sector vulnerabilities. The disclosure comes just months before American voters will conduct a presidential election.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election,” the NSA and FBI said in the report.

The U.S. intelligence community has assessed that multiple foreign governments may “seek to compromise our election infrastructure.” It was not clear if the Russian hackers were using Drovorub malware in any ongoing interference efforts related to the 2020 presidential elections.

The NSA and FBI urged national security personnel, including the U.S. Department of Defense, to be on the alert for Drovorub attacks.

“The malware represents a threat because Linux systems are used pervasively throughout National Security Systems, Department of Defense, and the Defense Industrial Base,” the statement said. “All stakeholders should take action as appropriate.”

The announcement comes nearly one year after the NSA stood up a new cybersecurity directorate aimed at sharing more adversary threat intelligence with the public, and in recent weeks the NSA has worked to expose a spate of Russian campaigns, including Russian hackers’ efforts to target coronavirus research.

Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, told CyberScoop the release shows these hackers are not easily deterred.

“Most importantly it demonstrates that FANCY BEAR has more tools and capabilities that are still being identified. This actor didn’t pack up and go home, they still have tricks up their sleeve,” Meyers told CyberScoop, adding that the news should raise alarm bells about Linux security. “Another important take away is that Linux is an area that organizations need to keep in mind from a malware perspective, many have not invested in similar security tools for this platform as they have for user platforms.”

Attacks employing Drovorub may be linked with previous Russian military efforts against connected devices, according to the NSA and the FBI. An APT28 attack that Microsoft security researchers identified last year against devices such as an office printer or a VOIP phone, for instance, was linked with an IP address that has also been used to access the Drovorub command and control IP address, the NSA and FBI said.

In such attacks, the hackers appeared interested in exploiting so-called internet of things devices in order to gain access to broader networks, other insecure accounts, and sensitive data, according to Microsoft.

The joint NSA and FBI release also has the effect of alerting the Russian government that U.S. officials are capable of tracking some of their work. The 780th Military Intelligence Brigade, which currently works with the Pentagon’s offensive cyber arm, Cyber Command, tweeted information out about the malware, and tagged a state-funded media outlet, RT, to flag the news for them.

The Drovorub malware consists of several components, the NSA and the FBI said, including an implant, a kernel module rootkit, a file transfer tool, and an attacker-controlled command and control server.

“When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the NSA and FBI said.

More detail from ZDNet:

“Technical details released today by the NSA and FBI on APT28’s Drovorub toolset are highly valuable to cyber defenders across the United States.”

To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.
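The two hardening points just mentioned (a 3.7+ kernel and module signature enforcement) are easy to verify from a shell on each Linux host. The script below is an added example written for this page, not code from the NSA/FBI advisory or from ZDNet. It assumes the standard kernel interfaces `/sys/module/module/parameters/sig_enforce` (Y when unsigned modules are refused), `/sys/kernel/security/lockdown` (present on newer kernels) and `/proc/modules`, where a trailing flag containing `E` marks a module that was loaded without a valid signature; the sample `/proc/modules` lines inside the block are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a Linux host meets the kernel floor (3.7+) and
# whether module signature enforcement is actually active, and list any
# loaded modules the kernel flagged as unsigned. Assumes standard sysfs/procfs
# paths; nothing here is taken from the advisory itself.

# kernel_at_least MAJOR MINOR VERSION_STRING
# Returns 0 when VERSION_STRING (e.g. "5.4.0-42-generic") is >= MAJOR.MINOR.
kernel_at_least() {
    want_major=$1; want_minor=$2; ver=$3
    base=${ver%%-*}            # "5.4.0-42-generic" -> "5.4.0"
    have_major=${base%%.*}     # "5"
    rest=${base#*.}            # "4.0"
    have_minor=${rest%%.*}     # "4"
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ] && return 0
    return 1
}

# sig_enforce_status [FILE]
# Prints "enforced", "not-enforced" or "unknown" from the sig_enforce parameter.
sig_enforce_status() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    case "$(cat "$f")" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# unsigned_modules [FILE]
# Prints the names of loaded modules whose flag field contains E (unsigned),
# e.g. "foo 16384 0 - Live 0x0000000000000000 (OE)" -> "foo".
unsigned_modules() {
    f=${1:-/proc/modules}
    [ -r "$f" ] || return 0
    awk '$NF ~ /^\(.*E.*\)$/ { print $1 }' "$f"
}

# check_host: human-readable summary for the current machine. Never fails,
# so it is safe to call under "set -e"; read the output instead.
check_host() {
    ver=$(uname -r)
    if kernel_at_least 3 7 "$ver"; then
        echo "kernel $ver: version floor met (3.7+)"
    else
        echo "kernel $ver: OLDER than 3.7, module signing unavailable"
    fi
    echo "module signature enforcement: $(sig_enforce_status)"
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "lockdown mode: $(cat /sys/kernel/security/lockdown)"
    fi
    bad=$(unsigned_modules)
    if [ -n "$bad" ]; then
        echo "loaded modules flagged unsigned (E): $bad"
    else
        echo "no loaded modules flagged unsigned"
    fi
}

# Constructed sample of /proc/modules content, used only to demonstrate parsing.
SAMPLE_MODULES='ext4 700000 1 - Live 0x0000000000000000
foo 16384 0 - Live 0x0000000000000000 (OE)
bar 8192 0 - Live 0x0000000000000000 (O)'

# Run the live check unless the caller only wants the functions defined.
[ -n "${KERNEL_CHECK_NO_RUN:-}" ] || check_host
```

On a host where `sig_enforce` reads `N`, the version floor alone buys nothing: the kernel will still load an unsigned module, so the output of `sig_enforce_status` (or a lockdown value of `integrity`/`confidentiality`) is the line that matters, and any name printed by `unsigned_modules` deserves a look.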

The joint security alert [PDF] contains guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules — all helpful for deploying proper detection measures.

Some interesting details we gathered from the 45-page-long security alert:

  • The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.
  • The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”
  • The FBI and NSA said they were able to link Drovorub to APT28 after the Russian hackers reused servers across different operations. For example, the two agencies claim Drovorub connected to a C&C server that was previously used in the past for APT28 operations targeting IoT devices in the spring of 2019. The IP address had been previously documented by Microsoft.