UAE Gets Aggressive on Terror Organizations

In late August, UAE President Sheikh Khalifa Bin Zayed Al-Nahayan enacted federal law number 7, which mandated the list to be published and circulated by the media to further “transparency” and “increase awareness” of terrorist threats.

The move follows a similar step taken by Saudi Arabia in March.

The groups blacklisted by the UAE were as follows:

1- UAE’s Muslim Brotherhood called Al-Islah
2- UAE terrorist cells
3- Karama organization
4- Uma Parties in the Gulf and Arabian Peninsula
5- Al-Qaeda
6- Islamic State of Iraq and Syria (ISIS)
7- Al-Qaeda in the Arabian Peninsula (AQAP)
8- Yemen’s Ansar al-Sharia
9- Muslim Brotherhood, both the organization and movement
10- Al-Gamaa Al-Islamiyya in Egypt
11- Bait al-Maqdis group in Egypt
12- Ajnad Misr (Soldiers of Egypt group)
13- Majlis Shura Al-Mujahedin Fi Aknaf Bayt Al-Maqdis (Mujahidin Shura Council in the Environs of Jerusalem, or MSC)
14- Yemen’s Houthi movement
15- Hezbollah party in Saudi Arabia’s Hijaz
16- Hezbollah in the Gulf region
17- Al-Qaeda in Iran
18- Badr organization in Iraq
19- Asa’ib Ahl al-Haq, also known as the Khazali Network in Iraq
20- Fath al-Islam in Lebanon
21- Osbat Al-Ansar or Asbat an-Ansar (League of the Partisans) in Lebanon
22- Al-Qaeda in the Islamic Maghreb (AQIM)
23- Ansar Al-Sharia in Libya
24- Ansar Al-Sharia in Tunisia
25- Al-Shabab in Somalia
26- Boko Haram in Nigeria
27- Al-Murabitoon brigade in Mali
28- Ansar Al-Din movement in Mali
29- Haqani network in Pakistan
30- Lashkar Taiba in Pakistan
31- Eastern Turkestan Islamic Movement headquartered in Pakistan
32- Mohammed Army in Pakistan
33- Mohammed Army in India
34- Indian mujahideen in India/Kashmir
35- The Caucasus Emirate by Chechen militants
36- Islamic Movement of Uzbekistan (IMU)
37- Abu Sayyaf Islamist group in the Philippines
38- Council on American-Islamic Relations (CAIR)
39- Alleanza Islamic d’Italia or Islamic Alliance in Italy
40- Islamic Association in Finland
41- Islamic Association in Norway
42- Islamic Relief Organization in the UK
43- The Cordoba Foundation in Britain
44- International Islamic Relief Organization belonging to the international Muslim Brotherhood
45- Taliban movement in Pakistan
46- Abu Thur al-Fiqari battalion in Syria
47- Al-Tawheed and Iman battalion in Syria
48- The Green Battalion or Al-Khadraa battalion in Syria
49- Al-Tawhid Brigade in Syria
50- Abu Bakr brigade in Syria
51- Talha bin Ubaidallah in Syria
52- Al-Sarim Al-Batar brigade in Syria
53- Abdullah bin Mubarak brigade in Syria
54- Convoys of Martyrs brigade in Syria
55- Abu Omar brigade in Syria
56- Ahrar Shumar or Free Shumars brigade in Syria
57- Hezbollah brigades in Iraq
58- Brigade of Abu Al-Fadl al-Abbas in Syria
59- Brigades of Al-Yom Al-Mawood (Destined Day in Iraq)
60- Battalion of Omar bin Yasir in Syria
61- Ansar Al-Islam group in Iraq
62- Nusra Front in Syria
63- Harakat Ahrar ash-Sham Al Islami (Islamic Movement of the Free Men of the Levant) in Syria
64- Jaish Al-Islam (Islam Army) in Palestine
65- Abdullah Azzam Brigades
66- Kanvaz in Belgrade, Serbia
67- The Muslim American Society (MAS)
68- Union of Muslim Scholars
69- Union of Islamic Organizations in Europe
70- Union of Islamic Organizations of France
71- Muslim Association of Britain (MAB)
72- Islamic Society of Germany
73- Islamic Society in Denmark
74- Islamic Society in Belgium
75- Sariyat Al-Jabal brigade in Syria
76- Al-Shahbaa brigade in Syria
77- Al-Qa’Qaa’ in Syria
78- Sufian Al-Thawri (Revolutionary Sufian brigade) in Syria
79- Abdulraham brigade in Syria
80- Omar bin Al-Khatab brigade in Syria
81- Al-Shayma brigade in Syria
82- Al-Haq brigade in Syria

 

There still remains a Gulf coalition that appears to remain aggressive on fighting terror. This coalition does include Qatar, and the al Thani monarchy is pushing back hard on the pressure to be more aggressive on harboring terrorists and funding terror networks. So this weekend, a UAE delegation led by Sheikh Mohammed bin Rashid, Vice President and Ruler of Dubai, Sheikh Mohammed bin Zayed, Crown Prince of Abu Dhabi and Deputy Supreme Commander of the Armed Forces, and Sheikh Abdullah bin Zayed, the Minister of Foreign Affairs, was assembled to smooth out the differing positions.

Sheikh Tamim bin Hamad Al Thani, the emir of Qatar, and Sheikh Sabah Al Ahmed Al Sabah, the emir of Kuwait, also attended the meeting.

The visitors were greeted by Saudi Arabia’s deputy crown prince, Muqrin bin Abdulaziz Al Saud, and the GCC secretary general Abdullatif bin Rashid Al Zayani.

The GCC leaders had been expected to hold a meeting before their annual summit next month in Doha in an effort to overcome internal differences between Qatar and the UAE, Saudi Arabia and Bahrain, who withdrew their ambassadors from Doha in March.

A GCC foreign ministers’ meeting scheduled on November 10 to prepare for the summit was postponed.

Kuwait’s parliament speaker Marzouq Al Ghanem voiced optimism on the efforts by Sheikh Sabah, who has been leading a mediation effort, to end the differences.

“We hope the Riyadh meeting comes to a happy ending that strengthens the GCC,” he said.

It appears some differences were worked out as recalled ambassadors were deployed back to their respective assignments.

DUBAI (Reuters) – Saudi Arabia, the United Arab Emirates and Bahrain on Sunday agreed to return their ambassadors to Qatar, the Gulf Cooperation Council said in a joint statement, signalling an end to a rift over Doha’s support for Islamist groups.

The announcement came after an emergency meeting in the Saudi capital Riyadh to discuss the dispute, which began in March and was threatening an annual summit scheduled to be held in December in Doha.

The question is now what will be the additional result and objectives with regard to Daesh (Islamic State), funding and providing safe havens to terror organizations? An even bigger question is just what will the U.S. State Department take from this meeting and will they follow suit? The last question is of the list of 82 above, how many have visited the White House and are those visitor logs even available or will they be redacted?

Assad’s Bloody Regime, the World Ignores

Just remember the U.S. and the Barack Obama coalition against Daesh is fighting against al Nusra and Khorasan, which are all al Qaeda, effectively aiding the Assad regime, which has used chemical weapons countless times. It should also be mentioned again that Assad continues to get support from Iran, Kerry’s new Middle East ally, and Russia, as Putin commits deadly hostilities against Ukraine and is moving into the Baltic States. So in effect, the United States has no more enemies, but what is below is being ignored by the world. Shameful. Look carefully and ask yourself where is the ubiquitous United Nations Human Rights Council? Where is anyone on this?

Syria’s ‘hospital’ of horrors

By Abd Doumany

A medic stitches the head of a wounded boy at a makeshift clinic after a mortar fired by Syrian government forces fell in the besieged rebel town of Douma, in the outskirts of Damascus, on November 11, 2014 (AFP Photo Abd Doumany)

DOUMA, Syria, November 12, 2014 – Douma, where I live, is a Syrian rebel bastion. A city of 200,000 just northeast of Damascus, it has been under siege for more than a year by forces loyal to President Bashar al-Assad. We are hit practically every day by artillery fire and air and ground raids. It is also located in the Gouta area, which is held by the Free Syrian Army and which was attacked with chemical weapons by the regime in August 2013.
An injured girl is treated at a makeshift hospital in the besieged rebel bastion of Douma, northeast of the Syrian capital Damascus, on September 24, 2014, following reported airstrikes by government forces (AFP Photo / Abd Doumany)

The “hospital” where I took these pictures is a makeshift clinic set up in the basement of a building, managed by the Unified Medical Office of Douma, which was created in 2013 to coordinate private medical care in the area. The hospital treats the war wounded from throughout Gouta and serves as something of a triage unit, with mild to serious cases handled on site and the worst injuries, including those requiring surgery, sent elsewhere.
An injured man waits to be treated at a makeshift hospital in the besieged rebel bastion of Douma on September 24, 2014 (AFP Photo / Abd Doumany)

I head to the hospital each time an intense bombing or air raid hits Douma to document the attacks. At times when I arrive, it is as if I’ve entered a nightmare, with 50 or more injured crammed into the small clinic in an atmosphere of anger and fear. It is very difficult to take pictures at those times. Sometimes I stop. The scene before me is simply too awful.
A wounded Syrian reacts to the pain at a makeshift hospital in the besieged rebel bastion of Douma, northeast of the Syrian capital Damascus, on October 3, 2014 (AFP Photo / Abd Doumany)

The hospital badly lacks medicine and equipment. Doctors and nurses push on against the odds, struggling to maintain a minimum standard of hygiene. They are constantly exhausted since the wounded never seem to stop arriving. During the bloodiest attacks, they can work 48 hours straight without sleeping.
A wounded Syrian boy sits at a makeshift clinic in the besieged rebel town of Douma on November 11, 2014 (AFP Photo Abd Doumany)

Among all the victims I’ve photographed in recent months, the one who most stands out to me is Ahmad. He was 17 years old and arrived with a badly wounded hand. Doctors thought there was no option but to amputate his fingers, but he refused. He said he still had hope that his hand would heal and he would be able to use it again — that he would again be able to write. His hand has since been hit by gangrene, and amputation may indeed be inevitable.
A Syrian girl is treated at a make-shift hospital following a reported regime air raid on November 7, 2014, in Eastern al-Ghouta, Syria (AFP Photo / Abd Doumany)

Each time I return to the hospital, I come away with different feelings. Sometimes fear predominates; sometimes it’s sadness. It is impossible to get used to seeing such scenes. The injured are brought in and they are often similar, but the shock of seeing them is always disturbing. There are times when I spend hours in silence after returning home, unable to speak to anyone. It depresses me, and the horrible images remain stuck in my head for hours.
A young Syrian volunteer treats a wounded man at a makeshift hospital in the rebel-held Damascus suburb of Douma following a reported air strike by government forces on November 11, 2014 (AFP Photo / Abd Doumany)

What hits me hardest is seeing the pain of those who have lost loved ones. Usually I avoid photographing those scenes out of respect for them. I know exactly how they feel: I’ve lost one of my brothers in this war.

 

Abd Doumany is a freelance photographer and an occasional AFP contributor based in Douma, Syria.
A Syrian boy cries as he looks at his wounded father at a makeshift hospital in the rebel-held town of Douma near Damascus on September 9, 2014 (AFP Photo / Abd Doumany)

Meanwhile,

The Islamic State and Jabhat al-Nusra: A Looming Grand Jihadi Alliance?

By Aymenn Jawad Al-Tamimi

The international coalition, led by the U.S., against the Islamic State [IS], with additional American airstrikes targeting the ‘Khorasan’ al-Qa’ida group in Syria (in reality just al-Qa’ida veterans from the Afghanistan-Pakistan embedded with Syria’s al-Qa’ida affiliate Jabhat al-Nusra [JN]), has prompted media speculation of a wider truce, alliance or even merger between IS and JN. For example, on 28 September, Martin Chulov of The Guardian cited a “senior source” claiming “war planning meetings” held between JN and IS leaders.

Read more here.

Asia Pivot, Made in China

The last visit Barack Obama made to China did not go well such that relations have soured on the diplomatic scale. The visit to China this week consumed huge resources to lay the groundwork in advance of the trip for the 2014 Asia Pacific Economic Cooperation. Susan Rice spent the last weeks challenging the fact that China was so slighted during the 2009 extended trip that China has refused since to extend visas and temporary housing permits of Americans in China on business and with media.

First out of the gate, Obama delivered a most generous gift to China and that was to open a new front on visas for Chinese, from one year renewals to 5-10 years effective immediately claiming it will add to American jobs as it is touted that China infuses $80 billion yearly into the U.S economy. $80 billion is hardly a great sum or epic deal when in fact the Chinese hacking world costs the U.S. corporate industry billions and is a top concern of James Comey, Director of the FBI.

It should also be noted that Russia has been quite effective at cultivating a sustained relationship with China while China’s own economy has almost zero growth and their debt ratio to revenue ratio is stagnant cancelling out each other.

China has presented many issues that must be addressed prior to all the enhanced trade talks and global policy cooperation. China has been most aggressive towards yet other U.S. allies in Asia causing outrage and conflict in the S. China sea with regard to island and territory disputes. There is also censorship within the internet industry and continued human rights issues, both of which the White House and the State Department overlook for the sake of placing a happy face on Obama’s foreign policy strategy.

China does have issues when it comes to its own infrastructure including transportation, medical advancements, factories, power and use of energy sources like oil and gas. Each of those conditions facing China are being addressed in partnership with Russia.

Obama will also use his time in China to push for more attention and resources when it comes to Climate Change, an exclusively assigned mission given to John Podesta and investment treaties.

A topic that will likely not receive any time and attention is the Chinese relationship with North Korea and the associated human rights violations, on the heels of two Americans being released from a DPRK prison, allegedly managed by ODNI Director James Clapper this past weekend.

In summary, what is really behind Obama’s policy platform in China? Well with the beating he took in the midterms, his policy team has decided to focus on the economy. Obama wants Chinese money and he offered a visa pass to get their money. Going visa free in exchange for money is the common ‘go-to’ agenda of the Obama Administration. Question is, exactly who DOES benefit from the $80 billion of Chinese investment where winners and losers are predetermined by the White House.

Rich Chinese overwhelm U.S. visa program

Any foreigner willing to commit at least $500,000 and create 10 jobs in America can apply for an investor immigrant visa — also known as an EB-5.

The demand from mainland Chinese eager to move abroad has already led the U.S. government to warn the program could hit a wall as early as this summer.

Chinese nationals account for more than 80% of visas issued, compared to just 13% a decade ago, according to government data compiled by CNNMoney. That translates to nearly 6,900 visas for Chinese nationals last year, a massive bump up from 2004, when only 16 visas were granted to Chinese.

“The program has literally taken off to the point [that] in China, the minute anybody hears I’m an immigration lawyer, the first thing they say is, ‘Can we get an EB-5 visa?’ ” said Bernard Wolfsdorf, founder of the Wolfsdorf Immigration Law Group.

“There is a panic being created in China about the demand [getting] so big that there is going to be a visa waiting line,” he said.

 

 

 

Gorbachev Warning Cold War, Useful Idiots

The phrase ‘useful idiots’, supposedly Lenin’s, refers to Westerners duped into saying good things about bad regimes.
Vladimir Lenin and Joseph Stalin used the term “polyezniy idiot” or “useful idiot” to describe sympathizers in the West who blindly supported Communist leaders.
The adulation of left-wing dictators and strongmen by Western intellectuals, journalists, and celebrities didn’t begin with Stalin (in 1921 Duranty had hailed Lenin for his “cool, far-sighted, reasoned sense of realities”), and it certainly didn’t end with him. Mona Charen chronicled the phenomenon in her superb 2003 book “Useful Idiots,” which recalls example after jaw-dropping example of American liberals defending, flattering, and excusing the crimes of one Communist ruler and regime after another. Fidel Castro, Ho Chi Minh, Mao Zedong, the Khmer Rouge, Leonid Brezhnev, Kim Il Sung, the Sandinistas: Over and over the pattern was repeated, from the dawn of the Bolshevik Revolution to the collapse of the Iron Curtain — and beyond.
And so now we have former Russian leader Gorbachev sounding the clarion call to the West, especially Europe, that not only are you idiots but you are ‘irrelevant as a global power’. The matter did not begin with Lenin and Stalin and will not end with Putin until it goes far beyond Ukraine and into the Baltics, where the KGB ‘useful idiot’ program for recruiting and indoctrination is already underway.
By Bettina Borgfeld 
BERLIN (Reuters) – Former Soviet leader Mikhail Gorbachev warned in a speech in Berlin on Saturday that East-West tensions over the Ukraine crisis were threatening to push the world into a new Cold War, 25 years after the fall of the Berlin Wall.

Gorbachev, who is credited with forging a rapprochement with the West that led to the demise of communist regimes across Eastern Europe, accused the West, and the United States in particular, of not fulfilling their promises after 1989.

“The world is on the brink of a new Cold War. Some say that it has already begun,” said Gorbachev, who is feted in Germany for his pivotal role in helping create the conditions for the Berlin Wall’s peaceful opening on Nov. 9, 1989, heralding the end of the Cold War.

“And yet, while the situation is dramatic, we do not see the main international body, the U.N. Security Council, playing any role or taking any concrete action.”

The conflict in eastern Ukraine has killed more than 4,000 people since the start of an uprising by pro-Russian separatists in mid-April.

Russia blames the crisis on Kiev and the West, but NATO says it has overwhelming evidence that Russia has aided the rebels militarily in the conflict.

Gorbachev, 83, also criticized Europe and said it was in danger of becoming irrelevant as a global power.

“Instead of becoming a leader of change in a global world, Europe has turned into an arena of political upheaval, of competition for spheres of influence and finally of military conflict,” he said.

“The consequence inevitably is Europe weakening at a time when other centers of power and influence are gaining momentum. If this continues, Europe will lose a strong voice in global affairs and gradually become irrelevant.”

Speaking at an event at Berlin’s Brandenburg Gate, Gorbachev said the West had exploited Russia’s weakness after the collapse of the Soviet Union in 1991.

“Euphoria and triumphalism went to the heads of Western leaders,” he said. “Taking advantage of Russia’s weakening and the lack of a counterweight, they claimed monopoly leadership and domination of the world, refusing to heed words of caution from many of those present here,” he said.

Gorbachev said the West had made mistakes that upset Russia with the enlargement of NATO, with its actions in the former Yugoslavia, Iraq, Libya and Syria and with plans for a missile defense system.

“To put it metaphorically, a blister has now turned into a bloody, festering wound,” he said. “And who is suffering the most from what’s happening? I think the answer is more than clear: It is Europe.”

(Writing by Erik Kirschbaum; Editing by Rosalind Russell)

By Nicolas Miletitch

Donetsk (Ukraine) (AFP) – Armoured convoys headed to bolster rebel positions in east Ukraine Sunday as shelling rocked separatist stronghold Donetsk and fears mounted of a return to full-scale fighting.

Shelling rumbled on throughout the afternoon on the edge of Donetsk, where government forces regularly exchange heavy fire with insurgent fighters, but was less intense than overnight when mortar fire was heard close to the centre for around two hours, an AFP journalist reported.

It was among the fiercest combat in the city since the September 5 signing of a frequently-violated ceasefire that halted all-out confrontations across most of the conflict zone but failed to end constant bombardments at strategic hotspots.

An AFP crew saw a convoy of 20 military vehicles and 14 howitzer cannons without number plates or markings driving through the rebel town of Makiivka in the direction of the nearby frontline around Donetsk.

The Organisation for Security and Cooperation in Europe (OSCE) voiced concern Saturday after its monitors witnessed unmarked columns of tanks and troop carriers moving through east Ukraine in territory held by pro-Russia separatists.

The sightings of armoured columns came after Ukraine’s military said Friday a large convoy of tanks and other heavy weapons entered the country from Russia across a section of border that has fallen under the control of rebel fighters.

Russia denies being involved in the fighting in the east.

However, it openly gives the rebels political and humanitarian backing and it is not clear how the insurgents could themselves have access to so much sophisticated and well-maintained weaponry.

In March, Russian soldiers without identification markings took over the southern Ukrainian region of Crimea. Moscow annexed the peninsula shortly after.

The OSCE reports from the east came as fears mounted of a total breakdown in the two-month truce, with the war having already killed some 4,000 people, according to UN figures.

Ukraine’s military said Sunday that three servicemen were killed and thirteen injured as shelling hit government positions around the region.

Rebel leader Alexander Zakharchenko risked heavy fire Sunday morning as he toured the insurgents’ forward positions around the ruins of the Donetsk airport, where Ukrainian troops are battling fiercely to maintain a toe-hold, Russian outlet LifeNews reported.

“They continue to bombard our airport, nothing is changing,” Zakharchenko was filmed as saying.

– Tanks, cannons, tankers –

Unidentified military columns have been seen increasingly by foreign journalists in the east in recent days, and Ukraine’s military on Sunday repeated allegations that Russia is covertly deploying troops to bolster rebels ahead of a fresh offensive.

The OSCE’s statement gives weight to concerns that the stuttering peace process could soon be ditched definitively.

“More than 40 trucks and tankers” were seen driving on a highway on the eastern outskirts of Makiivka, said the OSCE representatives, who are in Ukraine monitoring the ceasefire.

“Of these, 19 were large trucks –- Kamaz type, covered, and without markings or number plates –- each towing a 122mm howitzer and containing personnel in dark green uniforms without insignia. Fifteen were Kraz troop carriers,” the report said.

Separately, the OSCE monitors said they had seen “a convoy of nine tanks moving west, also unmarked” just southwest of Donetsk.

The OSCE said all these forces were on territory controlled by the separatists’ self-declared Donetsk People’s Republic.

The Swiss foreign minister and OSCE chairperson-in-office, Didier Burkhalter, said he was “very concerned about a resurgence of violence in the eastern regions of Ukraine”, and urged all sides to act responsibly.

– New Cold War? –

The conflict has sent relations between Western backers of Ukraine and Russia to their lowest level in decades.

Russian President Vladimir Putin is gearing up for a fraught week of diplomacy with visits to the Asia-Pacific Economic Cooperation summit in Beijing and Group of 20 meeting in Brisbane, Australia, where he looks likely to face a hostile reception from Western leaders.

The last Soviet leader, Mikhail Gorbachev, said the world “is on the brink of a new Cold War” sparked by Ukraine.

“Some are even saying that it has already begun,” Gorbachev said at an event Saturday marking the 25th anniversary of the fall of the Berlin Wall.

Russia’s economy is suffering from European Union and US sanctions imposed in response to Moscow’s support for the separatists.

With Russia welcoming last week’s rebel elections, which were billed as boosting the separatists’ claim to independence, the sanctions look set to remain in place — and possibly be reinforced.

Dragonfly vs. America, Courtesy of Russia

Can you live without electricity for a day or two? Yes, of course, if you know in advance, right? Can you live without power for a week or so? Yes, of course, with advance notice, right? Can you live without power for a month, 4 months or 18 months? NOPE. It is time not only to think about preparations, but to get prepared and then to practice procedures for short-term and long-term power outages, and the reason is Russia.

There is a sad truth to what is below, the United States is not prepared and what is worse we are not declaring war to stop Russia either. Russia has hacked into U.S. government sites, hacked into corporate sites and hacked into the financial industry all without so much as a whimper as a U.S. reply. We have no countermeasures, we have no offensive measures and have not even written a strongly worded letter.

 

Russia has gone to the dragons against America, well actually to the Dragonflies, and this is what you need to know and do. Remember the entire infrastructure is tied to SCADA; that includes water systems, transportation systems, hospitals, schools and retail.

Dragonfly: Western Energy Companies Under Sabotage Threat

Cyberespionage campaign stole information from targets and had the capability to launch sabotage operations.

An ongoing cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.

Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.

This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.

In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.

Prior to publication, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.

Background
The Dragonfly group, which is also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.

The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.

Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.
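
The working-hours inference described above can be reproduced from the TimeDateStamp field in each sample's PE header. The Python below is an added example, not Symantec's tooling or code from the original report; the sample headers are constructed for illustration and all function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone


def build_sample_pe(ts):
    """Constructed stub: just enough of a PE header to carry a timestamp."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew lives at 0x3C
    coff = struct.pack("<HHI", 0x14C, 1, ts)  # Machine, NumberOfSections, TimeDateStamp
    return dos + b"PE\x00\x00" + coff


def pe_timestamp(data):
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 12:
        raise ValueError("no PE signature or truncated COFF header")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def weekday_share(timestamps):
    """Fraction of samples compiled Monday to Friday (evaluated in UTC)."""
    days = [datetime.fromtimestamp(t, timezone.utc).weekday() for t in timestamps]
    return sum(d < 5 for d in days) / len(days)


def best_utc_offset(timestamps, start=9, end=18):
    """Whole-hour UTC offsets that place the most samples inside a weekday
    [start, end) working window. Returns (offsets, hits); more than one
    offset means the data cannot tell those time zones apart."""
    scores = {}
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        hits = 0
        for t in timestamps:
            local = datetime.fromtimestamp(t, tz)
            if local.weekday() < 5 and start <= local.hour < end:
                hits += 1
        scores[off] = hits
    top = max(scores.values())
    return [o for o in sorted(scores) if scores[o] == top], top


def constructed_samples():
    """27 constructed weekday builds spread over 09:00-17:59 at UTC+4,
    plus one constructed Saturday-night outlier."""
    tz4 = timezone(timedelta(hours=4))
    day = datetime(2013, 2, 4, tzinfo=tz4)  # a Monday
    out, i = [], 0
    while len(out) < 27:
        if day.weekday() < 5:
            local = day.replace(hour=9 + (i * 7) % 9, minute=(i * 13) % 60)
            out.append(build_sample_pe(int(local.timestamp())))
            i += 1
        day += timedelta(days=1)
    outlier = datetime(2013, 2, 9, 22, 30, tzinfo=tz4)
    out.append(build_sample_pe(int(outlier.timestamp())))
    return out


if __name__ == "__main__":
    stamps = [pe_timestamp(s) for s in constructed_samples()]
    offsets, hits = best_utc_offset(stamps)
    print(f"weekday share: {weekday_share(stamps):.2f}")
    print(f"best offset(s): {offsets} with {hits}/{len(stamps)} in window")
    # TimeDateStamp is written by the linker and can be changed afterwards,
    # so treat the result as a lead to corroborate, not as proof of location.
```
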

Figure. Top 10 countries by active infections (where attackers stole information from infected computers)

Tools employed
Dragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, which is also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for the attackers on to the victim’s computer, allowing them to extract data and install further malware.

Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.

Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers.

The majority of C&C servers appear to be hosted on compromised servers running content management systems, indicating that the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.

The second main tool used by Dragonfly is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1.

Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers.

Symantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was only used in around 5 percent of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.

Multiple attack vectors
The Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem”. All of the emails were from a single Gmail address.

The spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.

The attackers then shifted their focus to watering hole attacks, compromising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.

In September 2013, Dragonfly began using a new version of this exploit kit, known as the Hello exploit kit. The landing page for this kit contains JavaScript which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a URL which in turn determines the best exploit to use based on the information collected.
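For site owners, the injected iframe described above is the detectable artifact of a watering hole compromise. The following added example (not from the Symantec report) audits a page snapshot for frames that load from hosts outside an allowlist; the function names, hostnames and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrameAudit(HTMLParser):
    """Collect every iframe on a page with its resolved host and visibility hints."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))   # resolve relative URLs
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.frames.append({"host": urlparse(src).hostname or "",
                            "src": src, "hidden": hidden})

def unexpected_frames(page_url, html, allowed_hosts):
    """Return iframes whose host is neither the page's own nor on the allowlist."""
    audit = FrameAudit(page_url)
    audit.feed(html)
    own = urlparse(page_url).hostname
    return [f for f in audit.frames if f["host"] not in {own, *allowed_hosts}]

# Constructed snapshot: one same-site frame, one approved embed, one injected frame.
PAGE_URL = "https://energy-news.example/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="/widgets/prices.html" width="300" height="200"></iframe>
<iframe src="https://video.example/embed/42"></iframe>
<iframe src="http://partner-site.example/lib/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for frame in unexpected_frames(PAGE_URL, SAMPLE_HTML, {"video.example"}):
        flag = "hidden" if frame["hidden"] else "visible"
        print(f"unexpected {flag} iframe -> {frame['src']}")
```

Because the redirect target in these attacks was itself a legitimate site, the check relies on an explicit allowlist of expected frame hosts rather than on domain reputation.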

Trojanized software
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.

The second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.

The third firm attacked was a European company which develops systems to manage wind turbines, biogas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.

The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.

Two additional links are below for more information and key use.

http://energy.gov/sites/prod/files/Large%20Power%20Transformer%20Study%20-%20June%202012_0.pdf

http://www.fgdc.gov/usng/