Senior NASA scientist pleads guilty to lying about China ties

A senior NASA scientist pleaded guilty to lying about his participation in a Chinese program that recruits “individuals with access to or knowledge of foreign technology or intellectual property.”

Meyya Meyyappan of Pacifica, California, pleaded guilty to one count of making false statements in a New York federal court on Wednesday. Meyyappan, 66, entered his plea before U.S. District Judge Kevin Castel in Manhattan federal court, the U.S. Department of Justice said Wednesday.

Meyyappan has been employed by the National Aeronautics and Space Administration since 1996, and has been a “chief scientist for Exploration Technology at NASA’s Ames Research Center in California’s Silicon Valley” since 2006, according to Meyyappan’s profile on the NASA website. Previously, Meyyappan served as the director of the Center for Nanotechnology at Ames.

“Dr. Meyyappan is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE), Electrochemical Society (ECS), American Vacuum Society (AVS), Materials Research Society (MRS), Institute of Physics (IOP), American Institute of Chemical Engineers (AIChE), American Institute of Mechanical Engineers (ASME), National Academy of Inventors, and the California Council of Science and Technology,” the space agency said.

In October, Meyyappan was interviewed by the FBI, the NASA Office of Inspector General, and the United States Attorney’s Office.

“During that interview, Meyyappan falsely stated, among other things, that he was not a member of the Thousand Talents Program and that he did not hold a professorship at a Chinese university,” the DOJ press release stated. “In truth and in fact, Meyyappan was a member of the Thousand Talents Program and held a professorship at a Chinese university, funded by the Chinese government.”

The DOJ stated that Meyyappan “participated in China’s Thousand Talents Program, a program established by the Chinese government to recruit individuals with access to or knowledge of foreign technology or intellectual property, and held professorships at universities in China, South Korea, and Japan, and failed to disclose these associations and positions to NASA and the U.S. Office of Government Ethics.”

NASA OIG Special Agent in Charge Mark J. Zielinski stated, “Certain NASA employees are required to disclose affiliations with foreign entities in order to protect NASA’s intellectual property. Failure to do so could allow malicious foreign actors unauthorized access to American taxpayer funded technologies. We thank the FBI and the USAO, SDNY for their assistance throughout this investigation.”

Acting U.S. Attorney Audrey Strauss said, “Meyya Meyyappan held a trusted position at NASA, with access to valuable intellectual property. In violation of the terms of his employment and relevant laws and regulations, Meyyappan failed to disclose participation in a Chinese government recruitment program, and subsequently lied about it to NASA investigators, FBI agents, and our Office. Now, having admitted his crime, Meyyappan awaits sentencing.”

Meyyappan is scheduled to be sentenced on June 16, and faces a maximum sentence of five years in prison and a fine of up to $250,000.

In May, the DOJ announced that a former Cleveland Clinic employee had been arrested. Dr. Qing Wang “lied to receive more than $3.6 million in grants from the National Institutes of Health while also collecting money for the same research from the Chinese government,” NPR reported.

“It is also alleged that Dr. Wang participated in the Thousand Talents Program, a program established by the Chinese government to recruit individuals with access to or knowledge of foreign technology and intellectual property,” the DOJ statement said.

In June, a prominent scientist at Harvard University was indicted by the Justice Department for lying to federal authorities about his participation in China’s Thousand Talents Program.

Dr. Charles Lieber, the former chair of Harvard University’s Chemistry and Chemical Biology Department, lied to the U.S. government about his position as “Strategic Scientist” at the Wuhan University of Technology in China, according to prosecutors. He was allegedly paid a salary of up to $50,000 a month to set up a laboratory for the Wuhan University of Technology, and was allotted additional living expenses of up to $158,000.

Lieber has pleaded not guilty.

In July, the Department of Justice claimed that a NASA researcher and University of Arkansas professor had ties to the Chinese government. Simon Saw-Teong Ang was indicted by a federal grand jury on 42 counts of wire fraud and two counts of passport fraud.

Court documents show that Ang had conversations with a researcher in China about his involvement in the Thousand Talents Program.

“Not many people here know I am [a Thousand talents program scholar] but if this leaks out, my job here will be in deep troubles,” Ang reportedly wrote. “I have to be very careful or else I may be out of my job from this university.”

FBI Director Chris Wray gave a speech at the Hudson Institute in July, where he delivered a warning about the Thousand Talents Program.

“Through its talent recruitment programs, like the so-called Thousand Talents Program, the Chinese government tries to entice scientists to secretly bring our knowledge and innovation back to China — even if that means stealing proprietary information or violating our export controls and conflict-of-interest rules,” Wray said.

“The greatest long-term threat to our nation’s information and intellectual property, and to our economic vitality, is the counterintelligence and economic espionage threat from China,” Wray said during the speech. “It’s a threat to our economic security — and by extension, to our national security.”

In November 2019, the U.S. Senate released a report titled, “Threats to the U.S. Research Enterprise: China’s Talent Recruitment Plans,” which outlined dangers presented by Chinese recruitment organizations, including the Thousand Talents Program.

Launched in 2008, the Thousand Talents Plan incentivizes individuals engaged in research and development in the United States to transmit the knowledge and research they gain here to China in exchange for salaries, research funding, lab space, and other incentives. China unfairly uses the American research and expertise it obtains for its own economic and military gain. In recent years, federal agencies have discovered talent recruitment plan members who downloaded sensitive electronic research files before leaving to return to China, submitted false information when applying for grant funds, and willfully failed to disclose receiving money from the Chinese government on U.S. grant applications.

China designed the Thousand Talents Plan to recruit 2,000 high-quality overseas talents, including scientists, engineers, entrepreneurs, and finance experts. The plan provides salaries, research funding, lab space, and other incentives to lure experts into researching for China. According to one report, by 2017, China dramatically exceeded its recruitment goal, having recruited more than 7,000 “high-end professionals,” including several Nobel laureates.

In December, a massive database of nearly 2 million registered Chinese Communist Party members was leaked to the public. The database breach reportedly gave insight into CCP members infiltrating western companies, including businesses in the United States, Australia, and the United Kingdom.

Russia’s SolarWinds Attack

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

Espionage is internationally allowed in peacetime. The problem is that both espionage and cyberattacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk — and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.

Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR — previously known as the KGB — hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” — something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.

This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself — and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.

SolarWinds has removed its customer list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.

That’s a lot of vulnerable networks, and it’s inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsoft’s analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs — and it will certainly grow.

Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and we’re only just learning some of the techniques involved here.

Recovering from this attack isn’t easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isn’t compromised is to burn it to the ground and rebuild it, similar to reinstalling your computer’s operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can’t be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers — again believed to be Russia — stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.

Even without that caveat, many network administrators won’t go through the long, painful, and potentially expensive rebuilding process. They’ll just hope for the best.

It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, there’s no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.

And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVR’s hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)

While this is a security failure of enormous proportions, it is not, as Senator Richard Durbin said, “virtually a declaration of war by Russia on the United States.” While President-elect Biden said he will make this a top priority, it’s unlikely that he will do much to retaliate.

The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and it’s basically “buyer beware.” The US regularly fails to retaliate against espionage operations — such as China’s hack of the Office of Personnel Management (OPM) and previous Russian hacks — because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

We don’t, and I’m sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSA’s budget is the largest of any intelligence agency. It aggressively leverages the US’s position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and it’ll probably never be made public. In 2016, President Obama boasted that we have “more capacity than anybody both offensively and defensively.”

He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of “persistent engagement,” sometimes called “defending forward.” The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.

But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians’ success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.

And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why don’t organizations like the Departments of State, Treasury and Homeland Security regularly conduct that level of audit on their own systems? The government’s intrusion detection system, Einstein 3, failed here because it doesn’t detect new sophisticated attacks — a deficiency pointed out in 2018 but never fixed. We shouldn’t have to rely on a private cybersecurity company to alert us of a major nation-state attack.

If anything, the US’s prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cell phone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the world’s popular encryption systems be made insecure through back doors — another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.

We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyberattacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.

Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVR’s access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.

This preparation would not be unprecedented. There’s a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russia’s power grid — just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.

We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live.

This essay previously appeared in the Guardian.


How China Uses Stolen US Personnel Data

Interesting analysis of China’s efforts to identify US spies:

By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. “We looked at it very carefully,” said the former senior CIA official. China’s spies “were actively using that for counterintelligence and offensive intelligence. The capability was there and was being utilized.” China had also stepped up its hacking efforts targeting biometric and passenger data from transit hubs…

To be sure, China had stolen plenty of data before discovering how deeply infiltrated it was by U.S. intelligence agencies. However, the shake-up between 2010 and 2012 gave Beijing an impetus not only to go after bigger, riskier targets, but also to put together the infrastructure needed to process the purloined information. It was around this time, said a former senior NSA official, that Chinese intelligence agencies transitioned from merely being able to steal large datasets en masse to actually rapidly sifting through information from within them for use….

For U.S. intelligence personnel, these new capabilities made China’s successful hack of the U.S. Office of Personnel Management (OPM) that much more chilling. During the OPM breach, Chinese hackers stole detailed, often highly sensitive personnel data from 21.5 million current and former U.S. officials, their spouses, and job applicants, including health, residency, employment, fingerprint, and financial data. In some cases, details from background investigations tied to the granting of security clearances — investigations that can delve deeply into individuals’ mental health records, their sexual histories and proclivities, and whether a person’s relatives abroad may be subject to government blackmail — were stolen as well….

When paired with travel details and other purloined data, information from the OPM breach likely provided Chinese intelligence potent clues about unusual behavior patterns, biographical information, or career milestones that marked individuals as likely U.S. spies, officials say. Now, these officials feared, China could search for when suspected U.S. spies were in certain locations — and potentially also meeting secretly with their Chinese sources. China “collects bulk personal data to help it track dissidents or other perceived enemies of China around the world,” Evanina, the top U.S. counterintelligence official, said.

[..]

But after the OPM breach, anomalies began to multiply. In 2012, senior U.S. spy hunters began to puzzle over some “head-scratchers”: In a few cases, spouses of U.S. officials whose sensitive work should have been difficult to discern were being approached by Chinese and Russian intelligence operatives abroad, according to the former counterintelligence executive. In one case, Chinese operatives tried to harass and entrap a U.S. official’s wife while she accompanied her children on a school field trip to China. “The MO is that, usually at the end of the trip, the lightbulb goes on [and the foreign intelligence service identifies potential persons of interest]. But these were from day one, from the airport onward,” the former official said.

Worries about what the Chinese now knew precipitated an intelligence community-wide damage assessment surrounding the OPM and other hacks, recalled Douglas Wise, a former senior CIA official who served as deputy director of the Defense Intelligence Agency from 2014 to 2016. Some worried that China might have purposefully secretly altered data in individuals’ OPM files to later use as leverage in recruitment attempts. Officials also believed that the Chinese might sift through the OPM data to try and craft the most ideal profiles for Chinese intelligence assets seeking to infiltrate the U.S. government — since they now had granular knowledge of what the U.S. government looked for, and what it didn’t, while considering applicants for sensitive positions. U.S. intelligence agencies altered their screening procedures to anticipate new, more finely tuned Chinese attempts at human spying, Wise said.


Zoom executive exposed as Chinese Communist spy who sabotaged anti-China video conferences with child porn and terrorism: DOJ

A former executive at Zoom, who shut down video conferences that were not flattering to China, was exposed as a spy for the Chinese Communist Party, according to the Department of Justice.

Xinjiang Jin, aka Julien Jin, was an employee of the American video conferencing company. The 39-year-old, who was based in China’s Zhejiang Province, worked as a “security technical leader” for the tech company, which is headquartered in San Jose, California. Jin served as a liaison between Zoom and the Chinese government after Beijing blocked the company’s service in China in September 2019.

Jin provided the Chinese Communist Party with information about users and meetings, even supplying the CCP with IP addresses from anyone who held anti-China sentiments, say federal prosecutors in Brooklyn, New York.

According to the complaint filed in United States District Court for the Eastern District of New York, Jin reportedly participated in a plot to disrupt a series of meetings in May and June that commemorated the Tiananmen Square massacre, where at least 280 pro-democracy demonstrators were shot dead.

At the CCP’s bidding, at least four video meetings commemorating the 31st anniversary of the Tiananmen Square massacre were reportedly infiltrated and terminated. Jin and his co-conspirators reportedly contrived false accusations, including child porn and terrorism, against Zoom users in the United States.

Jin’s co-conspirators created fake email accounts and Company-1 accounts in the names of others, including PRC political dissidents, to fabricate evidence that the hosts of and participants in the meetings to commemorate the Tiananmen Square massacre were supporting terrorist organizations, inciting violence or distributing child pornography. The fabricated evidence falsely asserted that the meetings included discussions of child abuse or exploitation, terrorism, racism or incitements to violence, and sometimes included screenshots of the purported participants’ user profiles featuring, for example, a masked person holding a flag resembling that of the Islamic State terrorist group. Jin used the complaints as evidence to persuade Company-1 executives based in the United States to terminate meetings and suspend or terminate the user accounts of the meeting hosts.

In June, Zoom admitted that they suspended a U.S.-based user who had hosted an event commemorating the anniversary of 1989’s Tiananmen Square Massacre. Republican Sen. Marco Rubio, the chair of the Senate Intelligence Committee, questioned the company’s close ties with China.

“The allegations in the complaint lay bare the Faustian bargain that the PRC government demands of U.S. technology companies doing business within the PRC’s borders, and the insider threat that those companies face from their own employees in the PRC,” acting U.S. Attorney Seth DuCharme said in a statement. “As alleged, Jin worked closely with the PRC government and members of PRC intelligence services to help the PRC government silence the political and religious speech of users of the platform of a U.S. technology company. Jin willingly committed crimes, and sought to mislead others at the company, to help PRC authorities censor and punish U.S. users’ core political speech merely for exercising their rights to free expression.”

Zoom is not directly identified in the DOJ document, but the teleconferencing company released a statement addressing the situation. Zoom said they were “fully cooperating” with the Department of Justice, terminated the “China-based former employee charged in this matter,” and “placed other employees on administrative leave pending the completion of our investigation.”

Last week, there was a massive database leak of nearly 2 million registered Chinese Communist Party members. The breach provided an “unprecedented view” into how China could infiltrate western businesses and companies.


‘Unprecedented’ database leak exposes Chinese Communist Party members ‘embedded’ in western companies and governments: report

A massive database of nearly 2 million registered Chinese Communist Party members has been leaked, providing the rest of the world with an “unprecedented view” into the structure of how China could infiltrate western businesses and companies, including ones in the United States, Australia, and the United Kingdom.

The worrisome leak was reported by Sky News Australia, which said the database breach “lifts the lid on how the party operates under President and Chairman Xi Jinping.”

“Communist party branches have been set up inside western companies, allowing the infiltration of those companies by CCP members — who, if called on, are answerable directly to the communist party, to the Chairman, the president himself,” Sky News’ Sharri Markson said. “Along with the personal identifying details of 1.95 million communist party members, mostly from Shanghai, there are also the details of 79,000 communist party branches, many of them inside companies.”

“It is believed to be the first leak of its kind in the world,” Markson proclaimed.

“Detailed analysis” of the database leak revealed that there are 123 “party loyalists” employed at Pfizer and AstraZeneca, according to the Daily Mail. Both pharmaceutical behemoths are developing coronavirus vaccines.

“Firms with defense industry interests” such as Airbus, Boeing, and Rolls-Royce allegedly “employed hundreds of party members.”

There were reportedly 600 CCP members working at 19 branches of British banks, such as HSBC and Standard Chartered in 2016. The CCP members even infiltrated British consulates and universities, according to the report.

The database leak reveals the names, party positions, dates of birth, national identification numbers, and ethnicity of the CCP members. In some cases, the list even includes the members’ phone numbers.

The breach of the Chinese government database originally happened in April 2016, when the data was allegedly extracted by Chinese dissidents and whistleblowers and leaked on Telegram, an instant messaging app.

Markson added a disclaimer, “It is worth noting that there’s no suggestion that these members have committed espionage — but the concern is over whether Australia or these companies knew of the CCP members and if so have any steps been taken to protect their data and people.”


Swiss-Swedish Diplomatic Row Over Crypto AG

Previously I have written about the Swedish-owned Swiss-based cryptographic hardware company: Crypto AG. It was a CIA-owned Cold War operation for decades. Today it is called Crypto International, still based in Switzerland but owned by a Swedish company.

It’s back in the news:

Late last week, Swedish Foreign Minister Ann Linde said she had canceled a meeting with her Swiss counterpart Ignazio Cassis slated for this month after Switzerland placed an export ban on Crypto International, a Swiss-based and Swedish-owned cybersecurity company.

The ban was imposed while Swiss authorities examine long-running and explosive claims that a previous incarnation of Crypto International, Crypto AG, was little more than a front for U.S. intelligence-gathering during the Cold War.

Linde said the Swiss ban was stopping “goods” — which experts suggest could include cybersecurity upgrades or other IT support needed by Swedish state agencies — from reaching Sweden.

She told public broadcaster SVT that the meeting with Cassis was “not appropriate right now until we have fully understood the Swiss actions.”


On Executive Order 12333

Mark Jaycox has written a long article on the US Executive Order 12333: “No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333”:

Abstract: Executive Order 12,333 (“EO 12333”) is a 1980s Executive Order signed by President Ronald Reagan that, among other things, establishes an overarching policy framework for the Executive Branch’s spying powers. Although electronic surveillance programs authorized by EO 12333 generally target foreign intelligence from foreign targets, its permissive targeting standards allow for the substantial collection of Americans’ communications containing little to no foreign intelligence value. This fact alone necessitates closer inspection.

This working draft conducts such an inspection by collecting and coalescing the various declassifications, disclosures, legislative investigations, and news reports concerning EO 12333 electronic surveillance programs in order to provide a better understanding of how the Executive Branch implements the order and the surveillance programs it authorizes. The Article pays particular attention to EO 12333’s designation of the National Security Agency as primarily responsible for conducting signals intelligence, which includes the installation of malware, the analysis of internet traffic traversing the telecommunications backbone, the hacking of U.S.-based companies like Yahoo and Google, and the analysis of Americans’ communications, contact lists, text messages, geolocation data, and other information.

After exploring the electronic surveillance programs authorized by EO 12333, this Article proposes reforms to the existing policy framework, including narrowing the aperture of authorized surveillance, increasing privacy standards for the retention of data, and requiring greater transparency and accountability.


Drovorub Malware

The NSA and FBI have jointly disclosed Drovorub, a Russian malware suite that targets Linux.

Detailed advisory. Fact sheet. News articles. Reddit thread.


US, UK, and Canada accuse Russia of trying to steal coronavirus vaccine research

Hackers linked to Russian intelligence services are attempting to steal coronavirus vaccine research from pharmaceutical companies and other organizations, according to security officials from the U.S., the U.K., and Canada.

The three nations alleged on Thursday that hacking group APT29, also known as “Cozy Bear” and “the Dukes,” is trying to steal COVID-19 vaccine research. The U.S. National Security Agency, U.K.’s National Cyber Security Centre, and Canada’s Communications Security Establishment all agree that the hacker group is “almost certainly part of the Russian intelligence services.”

“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” according to the U.K.’s National Cyber Security Centre. “The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain.”

APT29, which the advisory attributes to the Russian intelligence services (public reporting generally links the group to Russia’s civilian intelligence agencies, the SVR and FSB, rather than the military GRU), is reportedly using custom malicious software to target organizations around the world. The malware being used is called “WellMess” and “WellMail,” according to the 16-page advisory.

Targets include health care agencies, pharmaceutical companies, academia, medical research organizations, and local governments, security officials warned.

“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the joint advisory stated. “The group then deployed public exploits against the vulnerable services identified.”
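The scan-then-exploit pattern the advisory describes is visible on the target side before any exploit lands: one external source walks a list of paths against a public-facing host in a short window and gets mostly error responses. The script below is an added example, not code from the advisory or the article, that flags that pattern in web server access logs. The log lines, IP addresses, probe paths and thresholds are all constructed or assumed for illustration; tune the thresholds to your own traffic.

```python
"""Flag likely vulnerability scanning in web server access logs.

Added example: a single source that requests many distinct paths in a
short window and receives mostly 4xx/5xx responses is reported as a
scanner. A source hammering one path (credential stuffing) is not
scanning and is deliberately left out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in combined log format (not a real capture).
# 203.0.113.7 probes ten different paths in twenty seconds.
# 198.51.100.4 is an ordinary visitor.
# 192.0.2.9 repeats one path with 401s (a different problem, not a scan).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2020:09:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [16/Jul/2020:09:00:03 +0000] "GET /vpn/ HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:05 +0000] "GET /remote/login HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:07 +0000] "GET /admin/ HTTP/1.1" 401 120
203.0.113.7 - - [16/Jul/2020:09:00:09 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:11 +0000] "GET /owa/ HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:15 +0000] "GET /manager/html HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:17 +0000] "GET /api/v1/ HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:19 +0000] "GET /setup.php HTTP/1.1" 404 153
198.51.100.4 - - [16/Jul/2020:09:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [16/Jul/2020:09:00:04 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.4 - - [16/Jul/2020:09:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000
198.51.100.4 - - [16/Jul/2020:09:01:30 +0000] "GET / HTTP/1.1" 200 512
192.0.2.9 - - [16/Jul/2020:09:00:01 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:02 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:03 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:04 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:05 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:06 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:07 +0000] "POST /login HTTP/1.1" 401 80
192.0.2.9 - - [16/Jul/2020:09:00:08 +0000] "POST /login HTTP/1.1" 401 80
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return a dict with ip, timestamp, path and status, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_scanners(lines, window=timedelta(seconds=60), min_paths=8, min_error_ratio=0.6):
    """Return {ip: stats} for sources that look like scanners.

    For each source, slide a time window over its requests and flag it if
    any window contains at least min_paths distinct paths with at least
    min_error_ratio of the responses being errors. The stats kept are
    from the window with the most distinct paths.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits the time bound.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            paths = {e["path"] for e in win}
            errors = sum(1 for e in win if e["status"] >= 400)
            ratio = errors / len(win)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                prev = flagged.get(ip)
                if prev is None or len(paths) > prev["distinct_paths"]:
                    flagged[ip] = {
                        "distinct_paths": len(paths),
                        "error_ratio": round(ratio, 2),
                        "requests": len(win),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The distinct-path count is what separates reconnaissance from brute-forcing: the credential-stuffing source in the sample produces far more errors than the scanner but never trips the detector. In production, feed it logs from every externally reachable service, not only the web tier, since the advisory notes the scanning was aimed at specific external IP addresses rather than a single application.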

“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,” said Dominic Raab, Britain’s foreign secretary. “While others pursue their selfish interests with reckless behavior, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health.”

“APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” the advisory concludes.

Russia has denied the allegations.

“We do not have information on who might have hacked into pharmaceutical companies and research centers,” Russian spokesman Dmitry Peskov told the TASS news agency. “We can only say one thing: Russia has nothing to do with these attempts. We do not accept these accusations, as well as the usual accusations of interference in the 2019 (sic) election.”

U.S. officials have made similar accusations about theft of COVID-19 research against China.

“At this very moment, China is working to compromise American health care organizations, pharmaceutical companies, and academic institutions conducting essential COVID-19 research,” FBI Director Chris Wray said last week.

Cozy Bear was identified as one of the Russian-linked groups that hacked into the Democratic National Committee computer network and stole emails and phone calls before the 2016 presidential election.

In early April, the U.S. Department of Homeland Security issued a warning that cyber espionage groups were attempting to exploit the coronavirus pandemic.

“Both [Cybersecurity and Infrastructure Security Agency] and [National Cyber Security Centre] are seeing a growing use of COVID-19-related themes by malicious cyber actors,” the alert stated. “At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks, amplifying the threat to individuals and organizations.”


Nation-State Espionage Campaigns against Middle East Defense Contractors

Report on espionage attacks using LinkedIn as a vector for malware, with details and screenshots. They talk about “several hints suggesting a possible link” to the Lazarus group (aka North Korea), but that’s by no means definite.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

Detailed report.


Malware in Google Apps

Interesting story of malware hidden in the Google Play Store. This particular campaign is tied to the government of Vietnam.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”

[…]

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even GitHub repositories for spoofed developers to make the apps appear legitimate and hide their tracks.
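What gave these apps away, once anyone looked, was the mismatch between their cover story and what they asked for: a cache cleaner or a software downloader has no business reading contacts, call logs or SMS. The check below is an added example, not from Kaspersky’s report, that audits an APK’s AndroidManifest.xml for data-access permissions the app’s claimed category cannot justify, and separately notes the two things that turn a basic stealer into an upgradeable one: network access for exfiltration and the ability to install further packages. The manifests, package names, the permission-to-category baseline and the list of “data” permissions are all constructed or assumed for the example; the permission names themselves are standard Android ones.

```python
"""Flag Android apps whose permissions do not fit their stated purpose.

Added example. Parses the uses-permission entries of an
AndroidManifest.xml (as extracted from an APK with apktool or
similar) and reports data-access permissions that an app of the
declared category has no legitimate need for.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose user data. Assumption: this grouping is our
# own; it is not an Android-defined category.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumed baseline of what each app category may reasonably need.
EXPECTED = {
    "cache_cleaner": set(),
    "downloader": set(),
    "messaging": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
}

# Constructed manifest modelled on the cache-cleaner cover story; the
# package name is invented and not the real app's.
SPYWARE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cachecleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Cache Cleaner"/>
</manifest>
"""

# Constructed manifest of a cache cleaner that asks only for what it needs.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honestcleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Honest Cleaner"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_manifest(manifest_xml, category):
    """Return a list of human-readable findings; empty means nothing odd."""
    perms = declared_permissions(manifest_xml)
    allowed = EXPECTED.get(category, set())
    findings = []

    unexpected = sorted(p for p in perms if p in DATA_PERMISSIONS and p not in allowed)
    for p in unexpected:
        findings.append(f"{category} app reads {DATA_PERMISSIONS[p]} ({p})")

    # Data access alone is suspicious; with network access it is exfiltrable.
    if unexpected and "android.permission.INTERNET" in perms:
        findings.append("network access plus unexplained data permissions: exfiltration possible")

    # Matches the "download new malicious payloads" concern in the report.
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append("can prompt to install further packages: payload update channel")

    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SPYWARE_MANIFEST, "cache_cleaner"):
        print("-", finding)
```

A static permission check is only a first filter: an app can also obtain data through exported content providers or accessibility services, and a clean manifest at install time says nothing about what a later update requests. Still, run over a store listing’s stated category, it catches exactly the disproportion that the PhantomLance apps relied on nobody noticing.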


Trump’s Betrayal of Julian Assange

This article was originally published by Ron Paul at The Ron Paul Institute for Peace and Prosperity.

One thing we’ve learned from the Trump Presidency is that the “deep state” is not just some crazy conspiracy theory. For the past three years, we’ve seen that deep state launch plot after plot to overturn the election.

It all started with former CIA director John Brennan’s phony “Intelligence Assessment” of Russian involvement in the 2016 election. It was claimed that all 17 US intelligence agencies agreed that Putin put Trump in office, but we found out later that the report was cooked up by a handful of Brennan’s hand-picked agents.

Donald Trump upset the Washington apple cart as a presidential candidate and in so doing he set elements of the deep state in motion against him.

One of the things candidate Donald Trump did to paint a deep state target on his back was his repeated praise of Wikileaks, the pro-transparency media organization headed up by Australian journalist Julian Assange. More than 100 times candidate Trump said “I love Wikileaks” on the campaign trail.

Trump loved it when Wikileaks exposed the criminality of Hillary Clinton and the Democratic Party, as it cheated to deprive Bernie Sanders of the Democratic Party nomination. Wikileaks’ release of the DNC emails exposed the deep corruption at the heart of US politics, and as a candidate, Trump loved the transparency.

Then Trump got elected.

The real tragedy of the Trump presidency is nowhere better demonstrated than in Trump’s 180 degree turn away from Wikileaks and its founder Julian Assange. “I know nothing about Wikileaks,” he said as president. “It’s really not my thing.”

US pressure and bribes to the Ecuadorian government ended Assange’s asylum and his seven years in a room at the Ecuadorian embassy in London. After his dramatic arrest by London’s Metropolitan Police last April, he has been effectively tortured in British jails at the behest of the US deep state.


Today, Monday the 24th of February, Assange faces an extradition hearing in a UK courthouse. The Trump administration – led by a man who praised Assange’s work – seeks a show trial of Assange worthy of the worst of the Soviet era. The US is seeking a 175-year prison sentence.

The Trump administration argues that the Australian Assange should be tried and convicted of espionage against a country of which he is not a citizen. At the same time the Trump administration argues that the First Amendment does not apply to Assange because he is not an American citizen! So Assange is subject to US law when it comes to publishing information embarrassing to the US deep state but he is not subject to the law of the land – the US Constitution – which protects all journalists and is the backbone of our system of government.

It is ironic that a President Trump who has been the victim of so much deep state meddling has done the deep state’s bidding when it comes to Assange and Wikileaks. President Trump should preempt the inevitable US show trial of Assange by granting the journalist blanket pardon under the First Amendment of the United States Constitution.

The deep state Trump is serving by persecuting Assange is the same deep state that continues to plot Trump’s own ouster. Free Assange!


Companies that Scrape Your Email

Motherboard has a long article on apps — Edison, Slice, and Cleanfox — that spy on your email by scraping your inbox, and then sell that information to others:

Some of the companies listed in the J.P. Morgan document sell data sourced from “personal inboxes,” the document adds. A spokesperson for J.P. Morgan Research, the part of the company that created the document, told Motherboard that the research “is intended for institutional clients.”

That document describes Edison as providing “consumer purchase metrics including brand loyalty, wallet share, purchase preferences, etc.” The document adds that the “source” of the data is the “Edison Email App.”

[…]

A dataset obtained by Motherboard shows what some of the information pulled from free email app users’ inboxes looks like. A spreadsheet containing data from Rakuten’s Slice, an app that scrapes a user’s inbox so they can better track packages or get their money back once a product goes down in price, contains the item that an app user bought from a specific brand, what they paid, and a unique identification code for each buyer.


Crypto AG Was Owned by the CIA

The Swiss cryptography firm Crypto AG sold equipment to governments and militaries around the world for decades after World War II. They were owned by the CIA:

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

This isn’t really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details:

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.

The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets.

The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.

EDITED TO ADD: More news articles. And a 1995 story on this. It’s not new news.
