U.S. Puts Former Gitmo Detainee on Terror List, Istanbul Attack

What has he been doing since his release 10 years ago? Planning and recruiting for the Istanbul airport terror attack? And Obama released 3 detainees in 2 days and more to come. What about those ‘forever’ detainees like Khalid Sheik Mohammed? Hummmm

Ex-Gitmo detainee, Islamic State’s leader in Chechnya designated by State Department

The State Department announced today that two jihadists have been added to the US government’s list of designated terrorists.

One of the two, Ayrat Nasimovich Vakhitov, was once detained at Guantanamo and was recently arrested by Turkish authorities. According to Voice of America, Vakhitov is “among 30 people Turkish authorities say they have arrested in connection with” the terrorist attack at Istanbul’s Ataturk airport late last month. No terrorist organization has claimed responsibility for the assault on the airport, which left more than 40 people dead. But it is widely suspected to be the work of the Islamic State.

The second newly-designated terrorist is Aslan Avgazarovich Byutukaev, who leads the jihadists in Chechnya who are loyal to the Islamic State’s so-called Caucasus province.

Former Guantanamo Detainee


Vakhitov (pictured on the right) was held at Guantanamo for less than two years, from June 2002 until February 2004. He was then transferred to Russia. The State Department’s designation page does not say that Vakhitov was once detained at the American facility in Cuba, but The Long War Journal has confirmed that he is the same individual.

The details of his story, as recounted in a leaked Joint Task Force – Guantanamo (JTF-GTMO) threat assessment, are somewhat odd. Vakhitov was “arrested by the Taliban on suspicion of espionage, and incarcerated at the Sarpuza prison complex in Kandahar,” the leaked file reads. He was apparently transferred to Guantanamo because of “his possible knowledge of an American citizen killed” at that same prison “while he was there.”

JTF-GTMO ultimately concluded that Vakhitov was neither affiliated with al Qaeda, nor a Taliban leader. He was recommended for transfer. But JTF-GTMO also thought he would remain imprisoned inside Russia.

“Because of the Russian government’s agreement to incarcerate this detainee upon his transfer, and provided that he remains incarcerated under the control of the Russian government, the detainee poses no future threat to the U.S. or its allies,” JTF-GTMO’s threat assessment reads.

The State Department says that Vakhitov “is associated with Jaysh al-Muhajirin Wal Ansar” (JMWA, or “the Army of the Emigrants and Helpers”). Part of the original JMWA organization joined the Islamic State, while the rest of the organization continued to operate independently before swearing allegiance to Al Nusrah Front in Sept. 2015. Al Nusrah is al Qaeda’s official branch in Syria and the Islamic State’s rival.

The State Department’s designation page does not mention Vakhitov’s reported arrest in Turkey, but does say he has “used the internet to recruit militants to travel to Syria.”

Islamic State leader in Chechnya

The State Department notes that Byutukaev was a “prominent leader” in the Islamic Caucasus Emirate (ICE). ICE is openly loyal to al Qaeda, but has suffered a string of defections to the Islamic State.

Russian security forces killed ICE’s top emir and his two successors in less than two years’ time, from late 2013 until mid-2015. The decapitation strikes likely helped the Islamic State win the loyalty of some of ICE’s most important remaining commanders, including Byutukaev.

Byutukaev, also known as Emir Khamzat, was a close confidant of Dokku Umarov and led ICE’s Riyad-us-Saliheen Martyr Brigade. But Umarov perished sometime in late 2013 or early 2014. His replacement, Aliaskhab Kebekov, more commonly known as Ali Abu Muhammad al Dagestani, was subsequently killed by Russian forces in April 2015.

Less than two months after Kebekov’s demise, Byutukaev officially broke with ICE, declaring himself to be one of Baghdadi’s men.

The pro-al Qaeda contingent in the Caucasus then suffered another blow when Abu Usman, Kebekov’s successor, was hunted down in August 2015. Both Kebekov and Abu Usman were vocal opponents of Abu Bakr al Baghdadi’s Islamic State, so much so that al Qaeda’s main propaganda arm continues to feature clips of their anti-Baghdadi lectures in its productions.

High value targeting, as it is commonly called, is an essential part of any government’s counterterrorism strategy. But it can lead to unintended consequences as well. In this instance, the deaths of ICE’s top leaders probably helped drive Byutukaev and his comrades into the Islamic State’s arms. The large contingent of fighters from the Caucasus region in the Islamic State’s ranks in Iraq and Syria most likely added to the pressure on the jihadists back home to flip as well.

The State Department notes that Byutukaev is “responsible for directing numerous deadly suicide bombing operations, including the January 2011 attack at the crowded international arrivals hall of Moscow’s Domodedovo Airport.” The bombing killed at least 35 people and wounded more than 100 others.

Umarov, who was ICE’s emir at the time, quickly claimed credit for the airport attack in a video released online.


Umarov also appeared in another video alongside Byutukaev (seen on the left in the photo included here) and a suicide bomber identified only as “Saifullah.” Umarov said that he had visited the Riyad-us-Saliheen Martyr Brigade’s base before sending Saifullah on a “special operation,” meaning the bombing at Domodedovo.

At the end of the video, both Umarov and Byutukaev were shown embracing Saifullah. [See LWJ report, Caucasus Emirate leader threatens Russia with ‘a year of blood and tears.’]

“Since becoming an ISIL [Islamic State in Iraq and the Levant] leader in June 2015,” State reports, “Byutukaev has planned attacks on behalf of the group.” One of these operations took place in November 2015, when “Russian Special Forces discovered a large bomb hidden on the side of the road in Kantyshevo, Ingushetiya, Russia.”

The Caucasus “province” was announced in June 2015, after Islamic State spokesman Abu Muhammad al Adnani publicly accepted the oaths of allegiance sworn by jihadists throughout the region. The Caucasus branch is reportedly led by Rustam Asilderov, a former ICE leader who defected to the Islamic State in late 2014. Asilderov’s defection set off a firestorm of controversy and bickering among the Caucasus jihadists.

In Sept. 2015, Foggy Bottom designated the Islamic State’s Caucasus “province” as a terrorist organization and also identified other ICE defectors who had joined its cause.

Thomas Joscelyn is a Senior Fellow at the Foundation for Defense of Democracies and the Senior Editor for The Long War Journal.

*****

Aiat Nasimovich Vahitov, also spelled Ayrat Wakhitov or Vahidov (Tatar Cyrillic: Айрат Вахитов, Latin: Ayrat Waxitov) is an ethnic Tatar citizen of Russia who was held in extrajudicial detention in the United States Guantanamo Bay detention camp, in Cuba.[1] He was repatriated with six other Russians in February 2004. Fluent in Arabic, Pashto, Persian, Urdu and Russian, he also spoke basic English.[2]

On May 15, 2006, the Department of Defense released its first full official list of all the Guantanamo detainees who were held in military custody.[3] Airat Vakhitov’s name is not on that list. The list includes an individual named Aiat Nasimovich Vahitov, who was born on March 27, 1977, in Naberezhnye Chelny, Tatarstan, Russia.

Russian authorities released the detainees after investigations into whether they had broken any Russian laws.

Vakhitov spoke publicly on June 28, 2005 about torture in Guantanamo when he announced he was planning to sue the United States for his mistreatment.[4] He was invited by Amnesty International to speak about Guantanamo torture in London on November 2, 2005 (he was still in U.S. custody in 2002, so the earlier date sometimes given cannot be right).

Geydar Dzhemal, chairman of the Islamic Committee of Russia, reported that he was hosting Vakhitov, and another former Guantanamo detainee, Rustam Akhmyarov, following threats by security officials.[5] According to Dzhemal the security officials had visited Vakhitov, and warned him that he should only talk about torture in Guantanamo Bay, not Russian torture. Dzhemal reported that security officials subsequently seized Vakhitov and Akhmyarov from his apartment on August 29, 2005. He called their seizure a kidnapping because they refused to show their identification. He predicted that the pair would be arrested on trumped up charges, to curtail their human rights activities.

The pair were released from detention on September 2, 2005. More details here.

Guccifer 2.0 Releases New DNC Database Docs

Guccifer 2.0 releases new DNC docs

TheHill: Guccifer 2.0, the hacker who breached the Democratic National Committee, has released a cache of purported DNC documents to The Hill in an effort to refocus attention on the hack.

The documents include more than 11,000 names matched with some identifying information, files related to two controversial donors and a research file on Sarah Palin.

“The press [is] gradually forget[ing] about me, [W]ikileaks is playing for time and [I] have some more docs,” he said in electronic chat explaining his rationale.

The documents provide some insight into how the DNC handled high-profile donation scandals. But the choice of documents revealed to The Hill also provides insight into the enigmatic Guccifer 2.0.


Related reading: Infamous Clinton Fundraiser Pleads Guilty to Ponzi Scheme

Related reading: Former Political Fundraiser Norman Hsu Sentenced to 292 Months in Prison for Ponzi Scheme and Related Campaign Finance Crimes 

The hacker provided a series of spreadsheets related to Norman Hsu, a Democratic donor jailed in 2009 for running a Ponzi scheme and arranging illegal campaign contributions. The DNC responded by assembling files to gauge the exposure from Hsu to its slate of candidates.
Related reading: Ex-PMA lobbyist pleads guilty

Related reading: Guccifer 2.0 Blog Hat tip
Similar files on Paul J. Magliocchetti, a lobbyist closely associated with former Rep. John Murtha (D-Pa.), provide a quick reference document outlining Magliocchetti’s donations to Republicans. Magliocchetti pleaded guilty in 2010 to involvement in a pay-for-play campaign finance scheme.

Guccifer 2.0 has claimed to be a Romanian hacker with no strong political leanings. Guccifer 2.0’s choice to release documents from Magliocchetti and Hsu, whose cases are now six and seven years old, shows a detailed knowledge of American politics seemingly at odds with the backstory provided by the hacker.

Experts have questioned whether Guccifer 2.0 is Romanian or even a single person. Tools used in the attack were matched to Russian intelligence agencies and, when tested, Guccifer 2.0 has struggled to speak in Romanian.

A popular theory explaining the attack is that the DNC hack is a Russian attempt to embarrass the DNC and influence the election. Republican presidential nominee Donald Trump has speculated that the hack was actually a false flag operation performed by the DNC to cast aspersions on his campaign.

Guccifer 2.0 was an unknown quantity until after the DNC announced it had been breached. He has since leaked a variety of documents, including counter-Trump strategies and donor databases.

The Guccifer 2.0 name, the hacker has said, is an homage to Marcel Lazăr Lehel, who called himself Guccifer. Lehel broke into the email accounts of former President George W. Bush’s aides and family, Clinton family confidant Sidney Blumenthal and “Sex and the City” author Candace Bushnell. Lehel, now imprisoned, recently claimed he had also hacked Hillary Clinton’s private email server. FBI Director James Comey later testified before Congress that Lehel admitted he lied when he said he hacked the former secretary of State’s server.

The files provided by Guccifer 2.0 to The Hill include a folder with a list of objectionable quotes from Palin and an archive of the former Alaska governor’s Twitter account assembled in 2011 — before Palin decided against running for president.

Other documents contain internal fundraising goals for different donors and bundlers in 2005 and a 10,000-name email database that, based on the prevalence of Hotmail accounts and lack of Gmail references, appears to be from around the same time. Separate files contain as many as 1,500 names paired with contact information from 2005 and 2006 fundraising events.

“Our experts are confident in their assessment that the Russian government hackers were the actors responsible for the breach detected in April, and we believe that the subsequent release and the claims around it may be a part of a disinformation campaign by the Russians,” a senior DNC official said in a written statement.


But John Kerry, Iran Does Support al Qaeda

Primer:

The State Department confirmed that Iran continues to work with Al-Qaeda elements, despite their expressed hostility towards one another. It stated: “Iran remained unwilling to bring to justice senior Al-Qaeda (AQ) members it continued to detain, and refused to publicly identify those senior members in its custody.

Iran allowed AQ facilitators Muhsin al-Fadhli and Adel Radi Saq al-Wahabi al-Harbi to operate a core facilitation pipeline through Iran, enabling AQ to move funds and fighters to South Asia and also to Syria.

Al-Fadhli is a veteran AQ operative who has been active for years. Al-Fadhli began working with the Iran-based AQ facilitation network in 2009 and was later arrested by Iranian authorities. He was released in 2011 and assumed leadership of the Iran-based AQ facilitation network.” Clarion Project

Related reading: Al Qaeda’s Global Reach – State Dept Foreign Terror Org. List

Related reading: Usama bin Ladin’s sons thought to be in Iran

Related reading: Osama bin Laden’s Son Threatens Revenge Against U.S. For Father’s Assassination

Top Intel Official: Al Qaeda Worked on WMD in Iran

New evidence of the bin Laden-Iran connection.

WeeklyStandard: Al Qaeda operatives based in Iran worked on chemical and biological weapons, according to a letter written to Osama bin Laden that is described in a new book by a top former U.S. intelligence official.

The letter was captured by a U.S. military sensitive site exploitation team during the raid on bin Laden’s Abbottabad headquarters in May 2011. It is described in Field of Fight, out Tuesday from Lieutenant General Michael Flynn, the former head of the Defense Intelligence Agency, and Michael Ledeen of the Foundation for Defense of Democracies.

“One letter to bin Laden reveals that al Qaeda was working on chemical and biological weapons in Iran,” Flynn writes.

Flynn’s claim, if true, significantly advances what we know about al Qaeda’s activity in Iran. The book was cleared by the intelligence community’s classification review process. And U.S. intelligence sources familiar with the bin Laden documents tell us the disclosure on al Qaeda’s WMD work is accurate.

Flynn notes that only a small subset of bin Laden’s files have been released to the public. The “Defense Intelligence Agency’s numerous summaries and analyses of the files remain classified,” too, Flynn writes. “But even the public peek gives us considerable insight into the capabilities of this very dangerous global organization.”

It’s not just al Qaeda.


“There’s a lot of information on Iran in the files and computer discs captured at the Pakistan hideout of Osama bin Laden,” Flynn writes in the introduction. The authors note that the relationship between Iran and al Qaeda “has always been strained” and “[s]ometimes bin Laden himself would erupt angrily at the Iranians.” Previously released documents and other evidence show that al Qaeda kidnapped an Iranian diplomat in order to force a hostage exchange and bin Laden was very concerned about the Iranians’ ability to track his family members.

And yet the book makes clear that Flynn believes there is much more to the al Qaeda-Iran relationship than the public has been told. And that’s not an accident. Obama administration “censors have been busy,” Flynn writes, blocking the release of the bin Laden documents to the public and, in some cases, to analysts inside the U.S. intelligence community. “Some of it—a tiny fraction—has been declassified and released, but the bulk of it is still under official seal. Those of us who have read bin Laden’s material know how important it is…”

Not surprisingly, Obama administration officials bristle at Flynn’s characterization of their lack of transparency and lack of urgency on jihadists and their state sponsors. “Mike Flynn, in true Kremlin form, has been peddling these baseless conspiracy theories for years. Anyone who thinks Iran was or is in bed with al Qaeda doesn’t know much about either,” an Obama administration official told THE WEEKLY STANDARD.

It’s an odd line of attack, given the fact that the Obama administration has repeatedly accused Iran of directly aiding al Qaeda. The Treasury and State Departments publicly accused the Iranian regime of allowing al Qaeda to operate inside Iran in: July 2011, December 2011, February 2012, July 2012, October 2012, May 2013, January 2014, February 2014, April 2014, and August 2014. In addition, in congressional testimony in February 2012, Director of National Intelligence James Clapper described the relationship as a “marriage of convenience.”

Asked about the administration’s own repeated statements pointing to the Iranian regime’s deal with al Qaeda, the administration official who dismissed Flynn’s claim as a “baseless conspiracy” theory declined to comment further.

The Flynn/Ledeen claim about al Qaeda’s WMD work in Iran comes with an interesting wrinkle. The authors preface their disclosure of al Qaeda’s work on “chemical and biological weapons in Iran” by suggesting that the revelation was included in documents already public.

But the only document released to date that seems to touch on the subject is a March 28, 2007, letter to an al Qaeda operative known as “Hafiz Sultan.” The letter, which discussed the possibility of Iran-based al Qaeda operatives using chlorine gas on Kurdish leaders and includes a likely reference to Atiyah ‘Abd-al-Rahman, was released by the administration via the Combating Terrorism Center at West Point in May 2012. President Obama’s Treasury Department has claimed that Rahman was appointed by Osama bin Laden “to serve as al Qaeda’s emissary in Iran, a position which allowed him to travel in and out of Iran with the permission of Iranian officials.” It is not, however, addressed to bin Laden and it does not include a reference to biological weapons.

And while the U.S. Treasury and State Department have repeatedly sanctioned al Qaeda’s operatives inside Iran and offered rewards for information on their activities, as noted, statements from Treasury and the State Department do not mention al Qaeda’s “chemical and biological weapons” work inside Iran.

The takeaway: It does not appear that the al Qaeda document referenced by Flynn has been released by the U.S. government.

Flynn and others who have seen the documents say there are more explosive revelations in the bin Laden files kept from the public. Those already released give us a hint. One document, released in 2015, is a letter presumably written by Osama bin Laden to the “Honorable brother Karim.” The recipient of the October 18, 2007, missive, “Karim,” was likely an al Qaeda veteran known as Abu Ayyub al Masri, who led al Qaeda in Iraq (AQI) at the time.

Bin Laden chastised the AQI leader for threatening to attack Iran. The al Qaeda master offered a number of reasons why this didn’t make sense. “You did not consult with us on that serious issue that affects the general welfare of all of us,” bin Laden wrote. “We expected you would consult with us for these important matters, for as you are aware, Iran is our main artery for funds, personnel, and communication, as well as the matter of hostages.”

That language from bin Laden sounds a lot like the language the Obama administration used in July 2011, when a statement from the U.S. Treasury noted that the network in Iran “serves as the core pipeline through which Al Qaeda moves money, facilitators and operatives from across the Middle East to South Asia.”

David Cohen, who was then a top Treasury official and is now the number two official at the CIA, told us back then: “There is an agreement between the Iranian government and al Qaeda to allow this network to operate. There’s no dispute in the intelligence community on this.”

Why, then, is the Obama administration attempting to dismiss the cooperative relationship between Iran and al Qaeda as a “baseless conspiracy?” Good question.

And it’s one that releasing the rest of the documents could help answer.

Note: Flynn’s co-author Michael Ledeen is a colleague of Thomas Joscelyn at the Foundation for Defense of Democracies.

****

Most recently, in September, the Obama administration launched missile strikes against al Qaeda’s so-called Khorasan Group in Syria. The administration pointed to intelligence indicating that this cadre of “core” al Qaeda operatives was planning mass killings in the West, and possibly even in the United States. Two of the terrorists who lead the Khorasan Group formerly headed al Qaeda’s operations in Iran. Tellingly, Iran allowed this pair to continue their fight against the West, even as they have battled Iran’s chief allies in Syria.

Obama’s Treasury Department first publicly recognized the relationship between the Iranian regime and al Qaeda on July 28, 2011. Treasury added six al Qaeda operatives to the U.S. government’s list of designated terrorists. The principal terrorist among them is known as Yasin al-Suri, “a prominent Iran-based al Qaeda facilitator” who operates “under an agreement between al Qaeda and the Iranian government.” Treasury described al Qaeda’s presence in Iran as a “core pipeline” and “a critical transit point for funding to support al Qaeda’s activities in Afghanistan and Pakistan.” Treasury made it clear that other high-level al Qaeda members were actively involved in shuttling cash and recruits across Iran.

John Kerry, Iran is Cheating on JPOA, Germany Report

Paging Mr. Kerry, paging Mr. Obama, paging Ben Rhodes..paging anyone, pick up on line 4.

Do we have to rely on Angela Merkel of Germany to get the truth?

In 2015: The number two man at the CIA said today he has a “high degree of confidence” that if Iran cheats on the newly-signed, controversial nuclear deal, the U.S. intelligence community would catch them in the act.

“Our assessment of the provisions that are in the JCPOA (Joint Comprehensive Plan of Action) that provide the real-time, persistent access to the cleared sites, as well as a mechanism for getting scheduled access to suspicious sites, combined with other capabilities and information that we have available to us, gives us a reasonably high degree of confidence that we would be able to detect Iran if it were trying to deviate from the requirements that they’ve signed up to in the JCPOA,” David Cohen, Deputy Director of the Central Intelligence Agency said at the Aspen Security Forum today. “So I think our assessment is that the JCPOA gives us a good ability to detect Iranian deviation from the limitations on enrichment and the other specific elements in the JCPOA.”

When referring to access to Iranian sites, Cohen was presumably referring to the access provided to International Atomic Energy Agency inspectors, as stipulated in the agreement, not access by the CIA. More here from ABC.

***** So… under Obama and Kerry, is the CIA allowed to track Iranian actions and report cheating and violations?

*****

Iran cheats on nuclear deal

Elliott Abrams is a senior fellow for Middle East Studies at the Council on Foreign Relations. This piece is reprinted with permission and can be found on Abrams’ blog “Pressure Points.”

Hayom: The greatest imminent danger in last year’s nuclear deal, the Joint Comprehensive Plan of Action, was always that Iran would cheat — taking all the advantages of the deal, but then seeking to move forward more quickly toward a nuclear weapon — and that the Obama administration would be silent in the face of that cheating.

This was always a reasonable prospect, given the history of arms control agreements. Those who negotiate such agreements wish to defend them. They do not wish to say, six or 12 months and even years later, that they were duped and that the deals must be considered null and void.

Last week, Germany’s intelligence agency produced a report detailing Iranian cheating. Here is an excerpt from the news story:

“Germany’s domestic intelligence agency said in its annual report that Iran has a ‘clandestine’ effort to seek illicit nuclear technology and equipment from German companies ‘at what is, even by international standards, a quantitatively high level.’ The findings by the Federal Office for the Protection of the Constitution, Germany’s equivalent of the FBI, were issued in a 317-page report last week.

“German Chancellor Angela Merkel underscored the findings in a statement to parliament, saying Iran violated the United Nations Security Council’s anti-missile development regulations. ‘Iran continued unabated to develop its rocket program in conflict with the relevant provisions of the U.N. Security Council,’ Merkel told the Bundestag. … The German report also stated, ‘It is safe to expect that Iran will continue its intensive procurement activities in Germany using clandestine methods to achieve its objectives.’

“According to an Institute for Science and International Security July 7 report by David Albright and Andrea Stricker, Iran is required to get permission from a UN Security Council panel for ‘purchases of nuclear direct-use goods.’

“While the German intelligence report did not say what specifically Iran had obtained or attempted to obtain, the more recent report said dual use goods such as carbon fiber must be reported. Iran did not seek permission from the U.N.-affiliated panel for its proliferation attempts and purchases in Germany, officials said.”

Here is a summary of that report by the Institute for Science and International Security:

“The Institute for Science and International Security has learned that Iran’s Atomic Energy Organization recently made an attempt to purchase tons of controlled carbon fiber from a country. This attempt occurred after Implementation Day of the Joint Comprehensive Plan of Action. The attempt to acquire carbon fiber was denied by the supplier and its government. Nonetheless, the AEOI had enough carbon fiber to replace existing advanced centrifuge rotors and had no need for additional quantities over the next several years, let alone for tons of carbon fiber. This attempt thus raises concerns over whether Iran intends to abide by its JCPOA commitments. In particular, Iran may seek to stockpile the carbon fiber so as to be able to build advanced centrifuge rotors far beyond its current needs under the JCPOA, providing an advantage that would allow it to quickly build an advanced centrifuge enrichment plant if it chose to leave or disregard the JCPOA during the next few years. The carbon fiber procurement attempt is also another example of efforts by the P5+1 to keep secret problematic Iranian actions.”

So Iran isn’t only being more aggressive since the signing of the JCPOA — in Iraq and Syria, for example, or in cyber attacks on the United States — but is also cheating on the deal. And what is the reaction from the Obama administration, and other cheerleaders for the JCPOA? Nothing.

John Kerry famously said, “Iran deserves the benefits of the agreement they struck.” They do not deserve to be allowed to cheat. Kerry said in April when asked if Iran would “stick to the key terms of this deal for the next 20 years” that “I have faith and confidence that we will know exactly what they’re doing during that period of time. And if they decide to try to cheat, we will know it, and there are plenty of options available to us. That I have complete faith and confidence in.”

That’s nice. But now we know they are cheating, and the option the administration appears to have chosen is silence: just ignore the problem. When asked about the German intel report and the Institute for Science and International Security report, the State Department spokesman replied, “We have absolutely no indication that Iran has procured any materials in violation of the JCPOA.”

Needless to say this kind of response will only encourage Iran to cheat more, secure in the knowledge that Obama administration officials will not call them out on it, nor choose any serious one of the “plenty of options” it says it has. This means that Iran’s breakout time will diminish, and the danger to its neighbors and to the United States will grow and grow.

From “Pressure Points” by Elliott Abrams. Reprinted with permission from the Council on Foreign Relations.

Grid Hacking Tool Found, Have a Generator Yet?

Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web

Motherboard: A sophisticated piece of government-made malware, designed to do reconnaissance on an energy grid’s systems ahead of an eventual cyberattack on critical infrastructure, was found on a dark web hacking forum.

Cybersecurity researchers usually catch samples of malicious software such as spyware or viruses when a victim running their software, such as an antivirus product, gets infected. But at times they find those samples somewhere else. Such was the case for Furtim, a newly discovered malware family caught recently by researchers from the security firm SentinelOne.

SentinelOne’s researchers believe the malware was created by a team of hackers working for a government, likely from eastern Europe, according to a report published on Tuesday.

Hacking forums, of course, are home to a lot of malicious data and software. But they are usually not places where sophisticated government-made hacking tools get exchanged.

Udi Shamir, chief security officer at SentinelOne, said that it’s normal to find reused code and malware on forums because “nobody tries to reinvent the wheel again and again and again.” But in this case, “it was very surprising to see such a sophisticated sample” appear in hacking forums, he told Motherboard in a phone interview.


Shamir said that the malware, dubbed Furtim, was “clearly not” made by cybercriminals to make some money but for a government spying operations.

Furtim is a “dropper tool,” a platform that infects a machine and then serves as the first stage for launching further attacks. It was designed specifically to target European energy companies running Windows, was released in May, and is still active, according to SentinelOne.

Another interesting characteristic is that Furtim actively checks for dozens of common antivirus products, as well as sandboxes and virtual machines, in an attempt to evade detection and stay hidden as long as possible. The goal is “to remove any antivirus software that is installed on the system and drop its final payload,” SentinelOne’s report reads.

Security experts believe that critical infrastructure, such as the energy grid, is highly vulnerable to cyberattacks, and believe a future conflict might start with taking down the power using malware. While it might sound far-fetched, at the end of last year, hackers believed to be working for the Russian government caused a blackout in parts of Ukraine after gaining access to the power grid using malware.

It’s unclear who’s behind this cyberespionage operation, but Shamir said it’s likely a government from Eastern Europe, with a lot of resources and skills. The malware’s developers were very familiar with Windows; they knew it “to the bone,” according to him.

“This was not the work of a kid,” he said. “It was cyberespionage at its best.”

****

The dropper’s principal mission is to avoid detection: it will not execute if it senses it is being run in a virtualized environment such as a sandbox, and it can also bypass antivirus protection running on compromised machines.
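The evasion profile described above (Motherboard: checks for dozens of AV products, sandboxes and virtual machines; ThreatPost: refuses to run when virtualized, then removes AV) gives an analyst a cheap static triage signal to apply before any dynamic analysis: a binary that embeds many AV product names and several hypervisor or sandbox artifacts has the string profile of an evasive dropper. The following is an added example of that heuristic, not SentinelOne’s or ThreatPost’s tooling and not built from Furtim’s actual string list; the marker lists, the thresholds and the byte blobs it scans are constructed for illustration.

```python
import re

# Vendor and process names an evasive dropper typically enumerates before
# refusing to run (analysis VM or sandbox present) or before killing AV.
# Illustrative lists only: the page does not publish Furtim's own list.
AV_MARKERS = (
    "avast", "avira", "bitdefender", "kaspersky", "mcafee", "sophos",
    "symantec", "eset", "trend micro", "msmpeng", "windows defender",
)
VM_MARKERS = (
    "vboxservice", "vboxtray", "vmtoolsd", "vmwaretray", "vmwareuser",
    "sbiedll", "sandboxie", "qemu", "cuckoomon", "virtualbox",
)

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE strings of 4+ chars, lower-cased.

    Windows binaries keep most API-facing strings (process names, registry
    paths) in UTF-16LE, so scanning only ASCII misses them.
    """
    found = [m.group().decode("ascii").lower() for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16le").lower() for m in _UTF16.finditer(data)]
    return found


def marker_hits(strings, markers) -> list:
    """Markers that occur as a substring of at least one extracted string."""
    return sorted(m for m in markers if any(m in s for s in strings))


def triage(data: bytes, av_min: int = 5, vm_min: int = 3) -> dict:
    """Score a blob for the anti-AV / anti-VM string profile of a dropper.

    Both categories must be present: a lone AV name or VM string is common
    in legitimate software (AV installers, VM guest tools), but a binary
    that names many AV products *and* several hypervisors rarely is.
    """
    strings = extract_strings(data)
    av = marker_hits(strings, AV_MARKERS)
    vm = marker_hits(strings, VM_MARKERS)
    evasive = len(av) >= av_min and len(vm) >= vm_min
    return {
        "av_hits": av,
        "vm_hits": vm,
        "verdict": "evasive-dropper-profile" if evasive else "no-evasion-profile",
    }


def build_sample(names) -> bytes:
    """Constructed stand-in for a binary: a fake DOS header followed by the
    given names, alternating ASCII and UTF-16LE encoding (not a real sample)."""
    parts = [b"MZ\x90\x00\x03\x00\x00\x00"]
    for i, name in enumerate(names):
        enc = name.encode("utf-16le") if i % 2 else name.encode("ascii")
        parts.append(enc + b"\x00\x00")
    return b"\x00".join(parts)


# Constructed inputs: one dropper-like blob, one benign-looking blob.
DROPPER_LIKE = build_sample([
    "avast.exe", "kaspersky", "mcafee", "sophos", "eset", "bitdefender",
    "vboxservice", "vmtoolsd", "sandboxie", "qemu",
])
BENIGN_LIKE = build_sample(["msmpeng.exe", "C:\\Program Files\\Tool\\tool.exe"])

if __name__ == "__main__":
    for label, blob in (("dropper-like", DROPPER_LIKE), ("benign-like", BENIGN_LIKE)):
        print(label, triage(blob))
```

Treat the output as a triage signal, not a verdict: AV installers, EDR agents and VM guest-tool packages legitimately embed these names, and a packed sample shows none of its strings until it is unpacked, so the same scan is worth repeating on a memory dump taken after the dropper has unpacked itself.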

The sample also includes a pair of privilege escalation exploits for patched Windows vulnerabilities (CVE-2014-4113 and CVE-2015-1701), as well as a bypass for Windows User Account Control (UAC), which limits user privileges.

“It escalates privileges after all these checks and registers a hidden binary that it drops onto the hard drive that runs early in the boot process,” SentinelOne senior security researcher Joseph Landry said. “It will go through and systematically remove any AV on the machine that it targets. Then it drops another payload to the Windows directory and runs it during login time.” More from ThreatPost
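The behaviour Landry describes (register a hidden binary to run early in boot, drop a second payload into the Windows directory and run it at logon) is what a defender would hunt for in registry telemetry. The following is an added example, not SentinelOne’s or ThreatPost’s code and not derived from Furtim itself: a small hunt over Sysmon-style registry-write records (Event ID 13, with Sysmon’s Image, TargetObject and Details fields) that flags writes to boot-time and logon-time persistence locations, and escalates when a non-system process points such an entry at a binary under the Windows directory. The allow-list of trusted writer processes, the RecordID field and the sample records are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry locations that give a dropped binary a foothold before or at
# logon. Matched case-insensitively as substrings of the Sysmon
# TargetObject; the more specific RunOnce entry precedes Run so it wins.
PERSISTENCE_KEYS = (
    ("\\control\\session manager\\bootexecute", "native image run by smss.exe before logon"),
    ("\\windows nt\\currentversion\\winlogon\\userinit", "userinit hijack at logon"),
    ("\\windows nt\\currentversion\\winlogon\\shell", "shell hijack at logon"),
    ("\\windows\\currentversion\\runonce", "one-shot autorun at logon"),
    ("\\windows\\currentversion\\run", "autorun at logon"),
)
SERVICE_VALUE = re.compile(r"\\services\\[^\\]+\\(imagepath|start)$")

# Processes expected to write service and autorun entries during normal
# software installation. Hypothetical allow-list for the example.
TRUSTED_WRITERS = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\msiexec.exe",
    "c:\\windows\\servicing\\trustedinstaller.exe",
}


@dataclass
class Finding:
    record_id: int
    image: str
    target: str
    reason: str
    severity: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a Sysmon Event ID 13 (registry value set) that
    touches a boot- or logon-time persistence location, else None."""
    if event.get("EventID") != 13:
        return None
    target = event["TargetObject"].lower()
    image = event["Image"].lower()
    details = event.get("Details", "").lower()

    reason = next((why for key, why in PERSISTENCE_KEYS if key in target), None)
    if reason is None and SERVICE_VALUE.search(target):
        reason = "service ImagePath/Start change"
    if reason is None:
        return None

    trusted = image in TRUSTED_WRITERS
    severity = "medium" if trusted else "high"
    # A non-system process pointing a persistence entry at a binary it
    # dropped into the Windows directory is the pattern described above.
    if not trusted and "\\windows\\" in details and not image.startswith("c:\\windows\\"):
        severity = "critical"
    return Finding(event["RecordID"], image, event["TargetObject"], reason, severity)


def hunt(events) -> list:
    """Run classify() over a batch of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed Sysmon-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 13,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
     "Details": "autocheck autochk * C:\\Windows\\System32\\nvsvc.exe"},
    {"RecordID": 2, "EventID": 13,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\FooSvc\\ImagePath",
     "Details": "C:\\Program Files\\Foo\\foosvc.exe"},
    {"RecordID": 3, "EventID": 13,
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 4, "EventID": 13,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate",
     "Details": "C:\\Windows\\svchost32.exe"},
    {"RecordID": 5, "EventID": 12,  # key created, not a value write: ignored
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] record {f.record_id}: {f.reason} <- {f.image}")
```

Sysmon only emits Event ID 13 for the keys its configuration includes, so the rule is only as useful as the config that feeds it; the persistence locations above are the minimum worth logging on hosts that face a dropper of this kind.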