N. Korean Park Jin Hyok Charged with Global Cyber Attacks

U.S. CHARGES NORTH KOREAN HACKER

Federal prosecutors charged a North Korean man, Park Jin-hyok, with crimes in connection with a series of costly cyberattacks around the globe, including the WannaCry ransomware attack in 2018, the heist of Bangladesh’s central bank in 2017, and the hack of Sony Pictures in 2014. It is the first time the Justice Department has explicitly charged a North Korean hacker backed by the government. Park was allegedly working as a programmer for a North Korean front company in China called Chosun Expo, which had ties to North Korea’s military intelligence.

Legal analysts say the complaint is the most detailed public accounting yet of North Korea’s cyberattacks against foreign adversaries. The Justice Department has now brought hacking-related charges against North Korea, China, Iran, and Russia. (WSJ, NYT, Reuters, DOJ)

Park Jin Hyok, named by officials as a member of the so-called Lazarus Group hacking team behind last year’s WannaCry global ransomware attack and the 2014 digital attack on Sony, apparently used not only advanced technology, but elaborate reconnaissance work to digitally steal money and sensitive information.

First, Park would obtain a number of email addresses of people affiliated with target businesses from traders dealing in large amounts of personal information. Then he would use the emails to gain an understanding of company employees’ fields of interest and personal relationships.

That would let him craft emails that could pass as genuine messages from major companies in content and style, a tactic known as spear phishing. After spending some time building trust, he would send the malicious links to websites that would infect a target’s computer.

In one case, Park apparently masqueraded as a human resources official at a U.S. defense-linked company to exchange messages with workers at one of the company’s competitors.

Last week’s charges were said to be the first in years against a North Korean hacker related to high-profile attacks linked to the state. The attack on Sony came as the company was preparing to release a movie called “The Interview,” which depicted the assassination of a character resembling North Korean leader Kim Jong Un. The group also allegedly stole $81 million from the central bank of Bangladesh in 2016.

A North Korean suspect is wanted by U.S. authorities on suspicion of hacking. (Courtesy of the U.S. Federal Bureau of Investigation)

“We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign,” Christopher Wray, director of the Federal Bureau of Investigation, said in a statement on Sept. 6.

The U.S. Treasury also imposed sanctions on Park and a Chinese business he was affiliated with. “We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in his own statement.

Under Kim, the North has consolidated its cyber forces under its Reconnaissance General Bureau, which handles overseas spying. The state has a team of 6,800, according to the South Korean government, and is counted as one of the five cyber powers along with the U.S., Russia, China and Israel.

The core of cyber operations is a team known as “Bureau 121,” established in 1998 by Kim’s father, then-leader Kim Jong Il. Bureau 121 is known for its willingness to commit crimes for the sake of bringing in cash.

“The technology behind North Korea’s cybercrimes is some of the most advanced in the world,” said a source with the U.S. State Department.

Governments and businesses around the world are hurrying to guard themselves from the North’s attacks even as its methods grow more sophisticated. Further cooperation between countries’ cyberdefense authorities may be key to finding effective solutions.

British Airways: The airline said a “very sophisticated” hacker stole credit card details of hundreds of thousands of its customers in recent days. Anyone who lost out financially as a result of the breach would be compensated, BA officials said. (Reuters)

JPMorgan Hacker: A Russian man, Andrei Tyurin, has been extradited by Georgia to the United States on charges that he participated in the 2014 hack of JPMorgan Chase and other U.S. companies. (Reuters)

Is that Russian Submarine Threat Still out There?

It is not just the U.S. Navy that is on alert. Europe’s top Navy Commander:

NAPLES, Italy — Russia is deploying more submarines to the Mediterranean, the Black Sea and North Atlantic than at any time since the Cold War as part of a growing power game driving the U.S. to revive a decommissioned fleet and NATO to strengthen its naval defenses, the Navy’s top commander in the theater said.

Russia is upgrading its submarine forces and improving their missile capabilities, all while relations between Moscow and NATO remain tense over Russia’s annexation of Ukraine’s Crimean Peninsula in 2014, Adm. James Foggo, commander of U.S. Naval Forces Europe and Africa, said in an interview earlier this month.

“The illegal annexation of Crimea … that certainly has put a strain on our relationship,” Foggo told Stars and Stripes. “It’s their bad behavior, not ours. It’s the things they are doing.”

The Navy is reviving 2nd Fleet, though on a smaller scale than the one deactivated in 2011, to supply more ships in what Foggo described as growing competition between Russia and NATO in the Atlantic Ocean.

The renewed 2nd Fleet will be a Norfolk, Va.-based joint forces command, with many details yet to be worked out, Foggo said, adding that Navy leaders will know more after NATO’s July summit in Brussels. More here.

***

This is not really a new condition. It has been going on for a few years without any real U.S. response, that is, until the Omnibus was passed, allocating money for air-dropped sonobuoys that can detect submarines and transmit data back to motherships. The warnings began with Russia operating in the Mediterranean, where missiles were fired into Syria on several occasions.

The United States and Britain have been playing cat and mouse with Russia in several locations. Under Exercise Dynamic Mongoose, 10 NATO countries have been practicing hunting tactics of stealth submarines off Norway’s coast.

This past April, Lockheed Martin was awarded a $1 billion contract for a hypersonic cruise missile.

The Hypersonic Conventional Strike Weapon program is one of two hypersonic weapon prototyping efforts being pursued by the Air Force, and comes in addition to the Tactical Boost Glide program, which the Air Force is working on with DARPA and Raytheon. The service plans to have a prototype ready by 2023.

The Tactical Boost Glide is designed to operate at 5 times the speed of sound to enhance current military systems.

The United States has 70 nuclear-powered submarines: 52 attack submarines, 4 cruise-missile-armed submarines and 14 ballistic-missile submarines. They all patrol bodies of water across the globe.

Russian Subs Are Reheating a Cold War Chokepoint (Defense One photo)

Adm. John Richardson, Chief of Naval Operations has confirmed increased foreign submarine operations.

According to GlobalFirePower.com, North Korea has the world’s largest submarine fleet by raw numbers with 76, though most of Pyongyang’s fleet consists of shorter-range, electric-diesel coastal patrol craft. China and Russia, both with modern nuclear-powered fleets that rival the U.S. fleet, have 68 subs and 63 subs, respectively.

NATO Secretary-General Jens Stoltenberg, in an interview with the Frankfurt Allgemeine and other news outlets in December, said the Kremlin is investing heavily in its submarine fleet, with 13 delivered since 2013. NATO countries, he said, have let their underwater firepower lag. “We have practiced less and lost skills,” the NATO chief said.

A particular point of concern, said one former high-level U.S. Navy official, is that Moscow may be attempting to tap into or sever some of the 550,000 miles of underwater fiber-optic cables that span the Atlantic and Arctic sea lanes.

“Russians have had a capability … to do things with these cables for the last 20 to 30 years,” said Tom Callender, who once served as head of capabilities for the Navy’s deputy undersecretary office and is now a senior defense fellow at The Heritage Foundation.

More than 95 percent of the global internet traffic — military and civilian, classified and unclassified — is transmitted across the network of submerged cables along the ocean floor, according to Washington-based tech firm TeleGeography. The quantity is massive compared with just a decade ago, when just 1 percent of all online traffic went through the cables.

Seabed vulnerability

The majority of the 285 underwater cables in place crisscross beneath heavily trafficked sea lanes of the Atlantic and Arctic regions. According to TeleGeography, the longest single cable stretches 24,000 miles and relays internet traffic and other electronic communications from Europe, Asia and Africa.

The scale and scope of global communications moving through the network of cables — some of which are only 2 inches thick — present a lucrative target that is vulnerable to attack by U.S. adversaries. It also poses a significant challenge to U.S. forces defending the lines. Read more detail here.


Iran Sleeper Cells Parked Around the U.S.

Primer: Two Individuals Charged for Acting as Illegal Agents of the Government of Iran

Could it be that law enforcement officials are working the cases diligently? This adds a deeper dimension to the work of the FBI, ICE and Border Patrol as well as all diplomatic posts in Central America and Latin America. Iran’s economy is in a free-fall, so money/revenue is most important and illicit activities, including attacks are the easiest method to raise operational funds.


Related reading: DoJ’s Bruce Ohr Demoted Again, Project Cassandra?

Iranian-backed militants are operating across the United States mostly unfettered, raising concerns in Congress and among regional experts that these “sleeper cell” agents are poised to launch a large-scale attack on the American homeland, according to testimony before lawmakers.

Iranian agents tied to the terror group Hezbollah have already been discovered in the United States plotting attacks, giving rise to fears that Tehran could order a strike inside America should tensions between the Trump administration and Islamic Republic reach a boiling point.

Intelligence officials and former White House officials confirmed to Congress on Tuesday that such an attack is not only plausible, but relatively easy for Iran to carry out at a time when the Trump administration is considering abandoning the landmark nuclear deal and reapplying sanctions on Tehran.

There is mounting evidence that Iran poses “a direct threat to the homeland,” according to Rep. Peter King (R., N.Y.), a member of the House Homeland Security Committee and chair of its subcommittee on counterterrorism and intelligence.

A chief concern is “Iranian support for Hezbollah, which is active in the Middle East, Latin America, and here in the U.S., where Hezbollah operatives have been arrested for activities conducted in our own country,” King said, referring to the recent arrest of two individuals plotting terror attacks in New York City and Michigan.

“Both individuals received significant weapons training from Hezbollah,” King said. “It is clear Hezbollah has the will and capability.”

After more than a decade of receiving intelligence briefs, King said he has concluded that “Hezbollah is probably the most experienced and professional terrorist organization in the world,” even more so than ISIS and Al Qaeda.

Asked if Iran could use Hezbollah to conduct strikes on the United States, a panel of experts including intelligence officials and former White House insiders responded in the affirmative.

“They are as good or better at explosive devices than ISIS, they are better at assassinations and developing assassination cells,” said Michael Pregent, a former intelligence officer who worked to counter Iranian influence in the region. “They’re better at targeting, better at looking at things,” and they can outsource attacks to Hezbollah.

“Hezbollah is smart,” Pregent said. “They’re very good at keeping their communications secure, keeping their operational security secure, and, again, from a high profile attack perspective, they’d be good at improvised explosive devices.”

Others testifying before Congress agreed with this assessment.

“The answer is absolutely. We do face a threat,” said Emanuele Ottolenghi, a senior fellow at the Foundation for Defense of Democracies who has long tracked Iran’s militant efforts. “Their networks are present in the United States.”

Iran is believed to have an auxiliary fighting force of around 200,000 militants spread across the Middle East, according to Nader Uskowi, a onetime policy adviser to U.S. Central Command and current visiting fellow at the Washington Institute for Near East Policy.

At least 50 to 60 thousand of these militants are “battle tested” in Syria and elsewhere.

“It doesn’t take many of them to penetrate this country and be a major threat,” Uskowi said. “They can pose a major threat to our homeland.”

While Iran is currently more motivated to use its proxies such as Hezbollah regionally for attacks against Israel or U.S. forces, “those sleeper cells” positioned in the United States could be used to orchestrate an attack, according to Brian Katulis, a former member of the White House National Security Council under President Bill Clinton.

“The potential is there, but the movement’s center of focus is in the region,” said Katulis, a senior fellow at the Center for American Progress.

Among the most pressing threats to the U.S. homeland is Hezbollah’s deep penetration throughout Latin America, where it finances its terror activities by teaming up with drug cartels and crime syndicates.

“Iran’s proxy terror networks in Latin America are run by Tehran’s wholly owned Lebanese franchise Hezbollah,” according to Ottolenghi. “These networks are equal part crime and terror” and have the ability to provide funding and logistics to militant fighters.

“Their presence in Latin America must be viewed as a forward operating base against America’s interest in the region and the homeland itself,” he said.

These Hezbollah operatives exploit loopholes in the U.S. immigration system to enter America under the guise of legitimate business.

Operatives working for Hezbollah and Iran use the United States “as a staging ground for trade-based and real estate-based money laundering.” They “come in through the front door with a legitimate passport and a credible business cover story,” Ottolenghi said.

The matter is further complicated by Iran’s presence in Syria, where it has established not only operating bases, but also weapons factories that have fueled Hezbollah’s and Hamas’s war on Israel.

Iran’s development of advanced ballistic missile and rocket technology—which has continued virtually unimpeded since the nuclear deal was enacted—has benefitted terror groups such as Hezbollah.

“Iran is increasing Hezbollah’s capability to target Israel with more advanced and precision guided rockets and missiles,” according to Pregent. “These missiles are being developed in Syria under the protection of Syrian and Russian air defense networks.”

In Iraq, Iranian forces “have access to U.S. funds and equipment in the Iraqi Ministry of Defense and Iraq’s Ministry of Interior,” Pregent said.

The Trump administration has offered tough talk on Iran, but failed to take adequate action to dismantle its terror networks across the Middle East, as well as in Latin American and the United States itself, according to CAP’s Katulis.

“The Trump administration has talked a good game and has had strong rhetoric, but I would categorize its approach vis-à-vis Iran as one of passive appeasement,” said Katulis. “We simply have not shown up in a meaningful way.”

2 Iranians Indicted for Conducting Surveillance in Chicago

Two Individuals Charged for Acting as Illegal Agents of the Government of Iran

An indictment was returned today charging Ahmadreza Mohammadi-Doostdar, 38, a dual U.S.-Iranian citizen, and Majid Ghorbani, 59, an Iranian citizen and resident of California, with allegedly acting on behalf of the government of the Islamic Republic of Iran by conducting covert surveillance of Israeli and Jewish facilities in the United States, and collecting identifying information about American citizens and U.S. nationals who are members of the group Mujahedin-e Khalq (MEK).


Indictment for Ghorbani

Indictment for Doostdar

The charges were announced by Assistant Attorney General for National Security John Demers, U.S. Attorney Jessie K. Liu for the District of Columbia, and Acting Executive Assistant Director Michael McGarrity of the FBI’s National Security Branch.

“The National Security Division is committed to protecting the United States from individuals within our country who unlawfully act on behalf of hostile foreign nations,” said Assistant Attorney General Demers.  “Doostdar and Ghorbani are alleged to have acted on behalf of Iran, including by conducting surveillance of political opponents and engaging in other activities that could put Americans at risk.  With their arrest and these charges, we are seeking to hold the defendants accountable.”

“This indictment demonstrates the commitment of the Department of Justice to hold accountable agents of foreign governments who act illegally within the United States, especially where those agents are conducting surveillance of individuals and Constitutionally-protected activities in this country,” said Jessie K. Liu, United States Attorney for the District of Columbia.

“This alleged activity demonstrates a continued interest in targeting the United States, as well as potential opposition groups located in the United States,” said Acting Executive Assistant Director McGarrity. “The FBI will continue to identify and disrupt those individuals who seek to engage in unlawful activity, on behalf of Iran, on US soil.”

The indictment charged Doostdar and Ghorbani with knowingly acting as agents of the government of Iran without prior notification to the Attorney General, providing services to Iran in violation of U.S. sanctions, and conspiracy.  Both defendants were arrested on Aug. 9, pursuant to criminal complaints issued by the U.S. District Court for the District of Columbia.  Those complaints were unsealed today.

According to the indictment, in or about July 2017, Doostdar traveled to the United States from Iran in order to collect intelligence information about entities and individuals considered by the government of Iran to be enemies of that regime, including Israeli and Jewish interests, and individuals associated with the MEK, a group that advocates the overthrow of the current Iranian government.

On or about July 21, 2017, Doostdar is alleged to have conducted surveillance of the Rohr Chabad House, a Jewish institution located in Chicago, including photographing the security features surrounding the facility.

On or about Sept. 20, 2017, Ghorbani is alleged to have attended a MEK rally in New York City, during which he photographed individuals participating in the protest against the current Iranian regime.  In or about December 2017, Doostdar returned to the United States from Iran and made contact with Ghorbani in the Los Angeles area.  During the meeting, Doostdar paid Ghorbani approximately $2,000 in cash and Ghorbani delivered to him 28 photographs taken at the September 2017 MEK rally, many of which contained hand-written annotations identifying the individuals who appeared in the photos.  These photographs, along with a hand-written receipt for $2000, were found concealed in Doostdar’s luggage as he transited a U.S. airport on his return to Iran in December 2017.

The indictment also alleges that Ghorbani traveled to Iran in or about March 2018, after informing Doostdar that he would be going to Iran to conduct an “in-person briefing.”  Thereafter, on or about May 4, Ghorbani attended the MEK-affiliated 2018 Iran Freedom Convention for Human Rights in Washington, D.C.  During the course of the conference, Ghorbani appeared to photograph certain speakers and attendees, which included delegations from across the United States.  On May 14, Doostdar called Ghorbani to discuss clandestine methods Ghorbani should use in order to provide this information to Iran.

Ghorbani is scheduled to appear for a detention hearing in the U.S. District Court for the District of Columbia at 9:30 a.m. on Tuesday, Aug. 21, before the Honorable G. Michael Harvey.

The charges in an indictment are merely allegations, and every defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt.  The maximum penalty for conspiracy is five years; the maximum penalty for acting as an agent of a foreign power is ten years; and the maximum penalty for a violation of the International Emergency Economic Powers Act is 20 years.  The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes.  If convicted of any offense, a defendant’s sentence will be determined by the court based on the advisory Sentencing Guidelines and other statutory factors.

The investigation into this matter was conducted by the FBI’s Washington Field Office and Los Angeles Field Office. The case is being prosecuted by the National Security Section of the U.S. Attorney’s Office for the District of Columbia and the Counterintelligence and Export Control Section of the National Security Division of the Department of Justice.


About this Security Clearance Mess

  1. There are many levels to having security clearance.
  2. Having clearance does not automatically grant access to classified information as a result of position, rank or title.
  3. Having any level of security clearance also includes a required signature to a non-disclosure agreement.
  4. Based on the information involved, job duties or other stipulations, clearance has limitations, including a ‘need to know’ basis.
  5. Clearance can be and is in many cases a temporary condition for people in and outside of government.
  6. Former DNI, James Clapper made the last and most recent modifications to security clearance access in January of 2017 at the behest of former President Obama. It is 27 pages and can be read here.
  7. Every type or level of security clearance also includes a ‘public trust’ requirement.
  8. There is an outside/contracted agency that performs the investigation of personnel applying for clearance.


Eligibility for access to classified information, commonly known as a security clearance, is granted only to those for whom an appropriate personnel security background investigation has been completed. It must be determined that the individual’s personal and professional history indicates loyalty to the United States, strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment, as well as freedom from conflicting allegiances and potential for coercion, and a willingness and ability to abide by regulations governing the use, handling, and protection of classified information. A determination of eligibility for access to such information is a discretionary security decision based on judgments by appropriately trained adjudicative personnel. Eligibility will be granted only where facts and circumstances indicate access to classified information is clearly consistent with the national security interests of the United States. Access to classified information will be terminated when an individual no longer has need for access.

Security clearances are subject to periodic re-investigation every 5 years. The individual will submit an updated security package and another background investigation will be conducted. The investigation will again cover key aspects of the individual’s life, but will start from one’s previous background investigation.

***

Meanwhile, there are now an estimated 177 signatures on the list rebuking President Trump’s removal of former CIA Director John Brennan.

Was Admiral McRaven a hack with his response? Yuppers. Watch the interview here.