
UNCLASSIFIED

(U) FBI Tampa Division National Security Threat Awareness Monthly Bulletin MARCH 2012

(U) Administrative Note: This product reflects the views of the FBI-Tampa Division and has not been vetted by FBI Headquarters.

(U) Handling notice: Although UNCLASSIFIED, this information is property of the FBI and may be distributed only to members of organizations receiving this bulletin, or to cleared defense contractors. Precautions should be taken to ensure this information is stored and/or destroyed in a manner that precludes unauthorized access.

10 MAR 2012 (U) The FBI Tampa Division National Security Threat Awareness Monthly Bulletin provides a summary of previously reported US government press releases, publications, and news articles from wire services and news organizations relating to counterintelligence, cyber and threats. The information in this bulletin represents the views and opinions of the cited sources for each article, and the analyst comment is intended only to highlight items of interest to organizations in Florida. This bulletin is provided solely to inform our Domain partners of news items of interest, and does not represent FBI information.

In the MAR 2012 Issue:

Article Title / Page

NATIONAL SECURITY THREAT NEWS FROM GOVERNMENT AGENCIES:
Director of National Intelligence delivers "Worldwide Threat Assessment" p. 2
US Intelligence Community Lists Iran Attack Threat and Cyberattacks as Leading Concerns p. 4
Secretary Napolitano Unveils National Strategy for Global Supply Chain Security p. 5

COUNTERINTELLIGENCE/ECONOMIC ESPIONAGE THREAT ITEMS FROM THE PRESS:
United States Alleges DuPont TiO2 Technology Stolen for China p. 6
US to Share Cautionary Tale of Wind Turbine Trade Secret Theft with New Chinese Leader p. 8
Man Pleads Guilty to Conspiracy to Export Military Antennae to Singapore and Hong Kong p. 10
Chinese Suspected In Long-Term Nortel Breach p. 11
Nortel Breach Exposes Security Vulnerabilities of All Enterprises p. 12
Researchers Unearth More Chinese Links to Defense Contractor Attacks p. 15
Company Pleads Guilty to Conspiracy to Export Computer-Related Equipment to Iran p. 15
Russian Diplomats Left Canada Weeks Before Halifax Espionage Arrest p. 16

CYBERSECURITY SPECIAL FOCUS FOR INDUSTRY:
Digital Spies: The Alarming Rise of Electronic Espionage p. 16
Traveling Light in a Time of Digital Thievery p. 23

CYBER THREAT ITEMS FROM THE PRESS:
FBI Director Says Cyberthreat Will Surpass Threat from Terrorists p. 24
FBI Admits Group’s Eavesdropping p. 26
Cybersecurity Report Stresses Need for Cooperation p. 27
Cybersecurity Lessons from the Battlefields of Europe p. 30
Fake Windows Updater Targets Government Contractors, Stealing Sensitive Data p. 31
13 Security Myths You'll Hear, but Should You Believe? p. 32
Network Threats Rising, How to Defend Yourself p. 35
The 10 Worst Cyberattacks p. 37
Nation-States Launch Cyberattacks Against an Array of Targets p. 39
US Official Signals Growing Concern Over Group's Capabilities p. 40
Anonymous Continues To Plague Authority Figures p. 41
In Attack on Vatican Web Site, a Glimpse of Hackers’ Tactics p. 42
Ex-UCF Student Pleads Guilty To Federal Hacking Charge p. 44
Romanian Police Arrest Alleged Hacker In Pentagon, NASA Breaches p. 45
Hacking Now Responsible for Most of Exposed Records p. 45
Iran Develops New Cyber-Army p. 46
Iranian Hackers Attacked the Website of Azerbaijani National State TV p. 46
Smartphone, Social Media Users at Risk for Identity Fraud p. 47
IRS Helps Bust 105 People in Massive Identity Theft Crackdown p. 47
More Than Half of Cyberattacks Come From Asia p. 49
GPS Attacks Risk Maritime Disaster, Trading Chaos p. 50
GPS Jammers and Spoofers Threaten Infrastructure, Say Researchers p. 51

COUNTERTERRORISM THREAT ITEMS FROM THE PRESS:
'Sovereign Citizen' Movement Now on FBI's Radar p. 52
NYPD Intelligence Director Mitchell Silber Warns Iran's First Target Is 'Essentially' New York p. 54
Al Qaeda Terrorist Dad Sent To Jail For 4 1/2 Years For Lies To FBI p. 54
US Capitol Suicide Bomb Plot Foiled: How to Catch a 'Lone Wolf' p. 55
D.C. Terrorism Case: Suspect Told Others to Be Ready For Battle, Authorities Said p. 56
Group Admits London Stock Exchange Bomb Plot p. 57
Florida Bomb Plot Suspect Pleads Not Guilty p. 59

(U) NATIONAL SECURITY THREAT NEWS FROM GOVERNMENT AGENCIES:

(U) Director of National Intelligence delivers Office of the Director of National Intelligence (ODNI) "Worldwide Threat Assessment" to the US Senate Intelligence Committee

(U) Director of National Intelligence James Clapper and CIA Director David Petraeus gave their annual global threat assessment to the Senate Intelligence panel on January 31st, eight months after the US intelligence community celebrated its role in the killing of al-Qaida leader Osama bin Laden. While the two were optimistic about the decline of al-Qaida, they noted that its fragmentation poses continued risks. In addition, Clapper said, the United States in the future is likely to face an increasingly complex security environment with no single predominant threat. "The capabilities, technologies, know-how, communications and environmental forces not confined to borders are occurring with astonishing speed," Clapper told lawmakers Tuesday. "Never before has the intelligence community been asked to master such a complex environment."

(U) Here are four key take-aways from the testimony:

(U) 1. Core al-Qaida is on the run, but the decentralized jihadi movement still poses a threat

(U) The killing of Osama bin Laden last May as well as the assassination of several other top al-Qaida leaders has severely fragmented al-Qaida's organization. "A new group of leaders, even if they could be found, would have difficulty integrating into the organization and compensating for mounting losses," Clapper wrote in his testimony. But franchises in weak and failed states such as , Somalia, and north Africa are still dangerous and plotting attacks against the United States. The global jihadi movement "will continue to be a dangerous transnational force," Clapper wrote. "Terrorist groups and individuals sympathetic to the jihadist movement will have access to the recruits, financing, arms and explosives, and safe havens needed to execute operations."


(U) 2. Iran undecided on assembling nuclear weapons; but willing to carry out attacks on the United States

(U) In Clapper's written testimony, he pointed to last year's plot to assassinate the Saudi ambassador to the United States as a sign that members of Iran's leadership show a new willingness to conduct attacks in the United States. The US intelligence community assesses that Iran's leaders have not yet made the decision whether to produce nuclear weapons. However, the spy chief said, Iran is keeping its options open to do so by pursuing materials needed for a nuclear bomb. Senator Olympia Snowe asked Clapper and Petraeus at the hearing how we would know if Iran decides to make a nuclear weapon. "A clear indicator would be enrichment of uranium to 90 percent level," Clapper replied (90 percent is weapon grade). "That would be a pretty good indicator of their seriousness. There [are] however, some other things they still need to do." CIA Director Petraeus added that Iran is pursuing "various components" needed for a nuclear weapon, including "enrichment, weaponization research and delivery" mechanisms, he told Snowe.

(U) 3. Cyber attacks are a growing threat

(U) Clapper noted growing intelligence community concern about the United States' vulnerability to cyber-threats, from both state-sponsored and non-state hackers from places like China and Russia. Senators at the hearing expressed frustration that the US government still lacks an integrated strategy for confronting the problem. "Cyber threats pose a critical national and economic security concern due to the continued advances in, and growing dependency on, the information technology (IT) that underpins nearly all aspects of modern society," Clapper wrote. But while "our technical advancements in detection and attribution shed light on malicious activity," he continued, "cyber intruders continue to explore new means to circumvent defensive measures."

(U) 4. United States facing increasingly complex security challenges, as intelligence community faces fiscal constraints

(U) The intelligence community is struggling to assess a world of fast-paced, inter-connected challenges in a time of fiscal constraints. "Although I believe that counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns, it is virtually impossible to rank, in terms of long-term importance, the numerous, potential threats to US national security," Clapper wrote. "The United States no longer faces, as in the Cold War, one dominant threat. Rather, it is the multiplicity and interconnectedness of potential threats, and the actors behind them, that constitute our biggest challenge." "Indeed, even the four categories noted above are also inextricably linked, reflecting a quickly changing international environment of rising new powers, rapid diffusion of power to nonstate actors and ever greater access by individuals and small groups to lethal technologies," Clapper said.

(U) Analyst Comment: I advise all our partners in the US government, state and local government, law enforcement, and the private sector, especially those companies doing business overseas, to download and review this document. This assessment is a concise, yet comprehensive overview of the national security threats facing the United States. The section on Iran especially highlights an emerging threat to government and private sector entities.

(U) The threat assessment can be downloaded at: http://dni.gov/testimonies/20120131_testimony_ata.pdf


(U) US Intelligence Community Lists Iran Attack Threat and Cyberattacks as Leading Concerns (New York Times, 31 JAN 2012)

(U) Some senior Iranian leaders are now more willing to carry out attacks inside the United States in response to perceived American threats against their country, the Obama administration’s top intelligence official noted in statements before Congress, pointing to last fall’s suspected assassination plot against the Saudi ambassador to Washington. The comments by the official, James R. Clapper Jr., the director of national intelligence, in prepared testimony to the Senate Intelligence Committee, came as tensions between the United States and its allies with Iran over its nuclear program have escalated, with the United States trying to build support for increased sanctions against Iran.

(U) Other intelligence officials indicated that while there was no evidence of other Iranian plots in the United States, Mr. Clapper’s remarks were intended to put both the Iranians and the American intelligence community on notice that high priority would be given to ferreting out information about possible plans to stage attacks in this country. Mr. Clapper said that the suspected assassination plot “shows that some Iranian officials, probably including supreme leader Ali Khamenei, have changed their calculus and are now more willing to conduct an attack in the United States in response to real or perceived US actions that threaten the regime.”

(U) He said the United States was also concerned about plotting by Iran against American or allied interests overseas, adding that “Iran’s willingness to sponsor future attacks in the United States or against our interests abroad probably will be shaped by Tehran’s evaluation of the costs it bears for the plot against the ambassador as well as Iranian leaders’ perceptions of US threats against the regime.” The written statement did not provide any details on what types of attacks Mr. Clapper thought were possible, and senators did not ask him about it during the panel’s annual session to review global threats to the United States.

(U) The session was the first such hearing since the death of Osama bin Laden last May, and Mr. Clapper used the opportunity to say that sustained pressure from the United States and its allies will probably reduce Al Qaeda’s remaining leadership in Pakistan to “largely symbolic importance” over the next two to three years as the terrorist organization fragments into more regionally focused groups and homegrown extremists.

(U) Flanked by senior intelligence officials from throughout the government, Mr. Clapper also noted the rising volatility in the and North Africa after the popular uprisings of the Arab Spring, increasing threats of cyberattacks against government and private business computer systems, continued tensions with North Korea over its nuclear program and rising drug-fueled violence in Mexico and Central America that threatens to spill over the border.

(U) Mr. Clapper acknowledged that the Taliban remained “a resilient, determined adversary” and underscored that any deal involving prisoners would hinge on “where these detainees might go and the conditions in which they would be controlled or surveilled.” As Taliban leaders debate whether to fight or cut a deal, the death of Bin Laden has severely weakened a Qaeda leadership that was already reeling from the death or capture of several other top leaders. The losses have forced the organization to rely more heavily on affiliates in such places as North Africa, Iraq and Yemen, as well as individual “lone wolf” extremists in the United States.

(U) Intelligence officials say that continued pressure by the United States and its allies — including drone strikes, efforts to dry up terrorists’ financing and campaigns to counter extremist recruiting propaganda — are likely to fragment this already decentralized movement. “As long as we sustain the pressure on it, we judge that core Al Qaeda will be of largely symbolic importance to the global jihadist movement,” Mr. Clapper said in his opening statement. Of all the affiliates that have sprouted up over the past decade, intelligence analysts say that the Qaeda arm in Yemen, Al Qaeda in the Arabian Peninsula, poses the greatest immediate threat to the United States. Mr. Clapper said that the death last September of Anwar al-Awlaki, an American-born cleric who was a top propagandist and operational planner for the Yemen affiliate, “probably reduces, at least temporarily, A.Q.A.P.’s ability to plan transnational attacks.” Over all, Al Qaeda has struggled to keep pace with events unfolding as a result of the Arab Spring, Mr. Clapper said, warning, however, that “prolonged instability or unmet promises of reform would give Al Qaeda, its affiliates and its allies more time to establish networks, gain support and potentially engage in operations, probably with less scrutiny from local security services.”

(U) The domestic instability in Syria could potentially escalate into regional crises, and American intelligence officials were wary of being pinned down on how long the government of President Bashar al-Assad could survive and what would replace it if it fell. “It’s a question of time before Assad falls, but that’s the issue; it could be a long time,” Mr. Clapper told senators. “The opposition continues to be fragmented.” David H. Petraeus, the director of the Central Intelligence Agency, said the opposition had shown increasing resilience in the face of stepped-up attacks by Syrian military forces in suburbs of Aleppo and Damascus. “It has shown, indeed, how substantial the opposition to the regime is and how it is, in fact, growing and how increasing areas are becoming beyond the reach of the regime’s security forces,” he said.

(U) Hopscotching around the world in his remarks, Mr. Clapper singled out Iran for special attention in both his opening comments and a more detailed written statement. He reiterated the American intelligence assessment that “Iran is keeping open the option to develop nuclear weapons, in part by developing various nuclear capabilities that better position it to produce such weapons, should it choose to do so.” He added, “We do not know, however, if Iran will eventually decide to build nuclear weapons.” The United States also faces evolving cyberthreats from nations like Russia and China, as well as nonstate entities. Robert S. Mueller III, the director of the Federal Bureau of Investigation, said his agency was beginning to reorganize to combat this. “Down the road, the cyberthreat, which cuts across all programs, will be the number one threat to the country,” he said.

(U) Secretary Napolitano Unveils National Strategy for Global Supply Chain Security – Release Date: January 25, 2012

(U) Secretary of Homeland Security Janet Napolitano today unveiled the Obama administration's National Strategy for Global Supply Chain Security at the World Economic Forum in Davos, Switzerland. "The Department of Homeland Security (DHS) is committed to facilitating legitimate trade and travel, while preventing terrorists from exploiting supply chains, protecting transportation systems from attacks and disruptions, and increasing the resilience of global supply chains. We must continue to strengthen global supply chains to ensure that they operate effectively in time of crisis; recover quickly from disruptions; and facilitate international trade and travel," said Secretary Napolitano. "As a part of this effort, we look forward to working closely with our international partners in the public and private sector to build a more resilient global supply chain."

(U) The National Strategy for Global Supply Chain Security outlines clear goals to promote the efficient and secure movement of goods and foster a resilient supply chain system. It also provides guidance for the US government and crucial domestic, international, public and private stakeholders who share a common interest in the security and resiliency of the global supply chain.


(U) The international community made significant progress on this front through Project Global Shield, now Program Global Shield, launched by DHS with the World Customs Organization, the UN Office on Drugs and Crime, and Interpol. Program Global Shield is an initiative to protect the supply chain by preventing the theft or illegal diversion of precursor chemicals that can be used to make Improvised Explosive Devices (IEDs). Since November 2010, 89 participating nations and international organizations have been sharing information about the export of 14 precursor chemicals used in Improvised Explosive Devices (IEDs). As of January 2012, Program Global Shield has accounted for seizures of chemical precursors totaling over 62 metric tons and 31 arrests related to the illicit diversion of these chemicals.

(U) DHS works with leaders from global shipping companies and the International Air Transport Association (IATA) on developing preventative measures, including terrorism awareness training for employees and vetting personnel with access to cargo. Fulfilling a requirement of the 9/11 Act, 100 percent of high risk cargo on international flights bound for the United States is screened.

(U) In addition, through the Container Security Initiative, currently operational in over 50 foreign seaports in Europe, North, Central and South America, Africa, the Middle East, and throughout Asia, US Customs and Border Protection helps our partner countries identify and screen US-bound maritime containers before they reach the United States.

(U) Following the release of the National Strategy for Global Supply Chain Security, DHS and the Department of State will lead a six month engagement period with the international community and industry stakeholders to solicit feedback and specific recommendations on how to implement the Strategy in a cost effective and collaborative manner. Within 12 months of the release of the Strategy, a consolidated report on the status of implementation efforts will be developed.

(U) Download the full strategy at: http://www.whitehouse.gov/sites/default/files/national_strategy_for_global_supply_chain_security.pdf

(U) COUNTERINTELLIGENCE/ECONOMIC ESPIONAGE THREAT ITEMS FROM THE PRESS

(U) United States Alleges DuPont TiO2 Technology Stolen for China (ICIS News, 01 FEB 2012; Reuters, 01 FEB 2012)

(U) A federal judge in San Francisco, California, ordered businessman Walter Liew to remain in detention pending trial because he is a flight risk. A spokesman for the US Attorney’s Office said Liew was under arrest for his involvement in an alleged scheme to steal titanium dioxide (TiO2) trade secrets from DuPont on behalf of Chinese government officials. The US attorney’s office opposed Liew’s release and alleged in a court document that investigators found a “trove of evidence … which shows Liew was selling trade secrets belonging to [DuPont] to companies controlled by the government of the People’s Republic of China [PRC]”. "DuPont's state-of-the-art technology is not available publicly and PRC companies have not been able to master it on their own," prosecutors said. "Liew, however, obtained that technology from former DuPont employees and sold it to companies controlled by the PRC government."

(U) Liew paid at least two former DuPont engineers for assistance in designing chloride-route titanium dioxide, also known as TiO2, according to the indictment. DuPont is the world's largest producer of the white pigment used to make a range of white-tinted products, including paper, paint and plastics. A DuPont spokesman said the company referred the matter to law enforcement, and "will continue to take aggressive measures to protect its proprietary, unique, and confidential technologies." The United States has identified industrial spying as a significant and growing threat to the nation's prosperity. In a government report released last November, authorities cited China as "the world's most active and persistent perpetrators of economic espionage."

(U) Lawyers for Liew did not immediately respond to calls seeking comment. Calls to the Chinese embassy were unanswered. Liew is charged with witness tampering, conspiracy to tamper with witnesses and making a false statement in connection with the US probe. In July, federal investigators searching Liew’s home found a key to a safe-deposit box and asked Liew's wife, Christina Liew, if she knew the location of the box, the government alleged. Walter Liew told his wife in Chinese to lie, and she complied, saying that she did not remember the box's location, the government alleged.

(U) However, one of the agents understood Chinese, the government said. Ultimately, they learned that the box was in a bank, and it was held in Christina Liew's name, the US alleged. In the box, agents found evidence showing that Walter Liew was selling DuPont's trade secrets to companies controlled by China, the United States alleges. At Walter Liew's home, agents also found DuPont blueprints and handwritten notes showing that he knew the plans were stolen, the US alleged. "The evidence shows that Liew was tasked by representatives of the PRC government to obtain technology used to build chloride-route titanium dioxide factories," court papers state.

(U) The Liews were arrested in August and charged with making false statements to the FBI. Both pleaded not guilty. The US government argued on Tuesday that Walter Liew should remain in detention. "The evidence shows that Liew has significant ties with the PRC government and business interests," the United States alleged. To bolster its accusations, the US quoted a memorandum that Walter Liew allegedly wrote in 2004. The memorandum describes a December 1991 meeting with Luo Gan, who was then a high-ranking official of the central committee of the Communist Party of China, as well as the secretary general of the state council.

(U) Days after the meeting, Liew allegedly wrote that he was given a list of key tasks from Chinese agencies, including obtaining chloride-route TiO2 production technology. According to the US, Walter Liew responded by saying that the evidence is not accurate or reliable and includes erroneous statements. US prosecutors said they have evidence showing that Walter Liew allegedly obtained over $20m from the sale of TiO2 technologies to Chinese companies.

(U) In April, DuPont sued Liew, and his company, Performance Group (USA), also known as USA Performance Technology. DuPont accused them of stealing the company's TiO2 technology and selling it to an unnamed company, which was building a TiO2 plant in China. “We also referred the alleged theft to law enforcement,” said DuPont spokesperson Dan Turner. Walter Liew denied the DuPont allegations. In its complaint, DuPont did not allege that he had ties to the Chinese government.

(U) However, newly released court documents from prosecutors provide fresh details about Liew's alleged links with the Chinese government. They name, as one of the Chinese representatives who met with him, a high-ranking Communist Party official who later became a member of the Politburo. A technology analyst, who has studied Chinese trade policy and spying for years, said he had never seen a member of the Politburo named in an espionage case before. He said the DuPont case was all the more remarkable because the main thrust of the case was economic, not military. "This is their most valuable trade secret in the world of paint," he said, noting that the DuPont division in question reported $6 billion in revenue in 2010.


(U) Liew was hosted at a banquet in 1991 by Luo Gan, who at the time was a high-ranking official of the Communist Party of China Central Committee, according to correspondence from Liew that US federal officials say they seized from his safety deposit box. Luo Gan went on to become a member of the nine-member Standing Committee of the Politburo, prosecutors wrote in the filing. Several other Chinese officials also attended, according to the documents. "The purpose of the banquet is to thank me for being a patriotic overseas Chinese who has made contributions to China," Liew wrote in a memo to a Chinese company, according to US prosecutors, "and who has provided key technologies with national defense applications, in paint/coating and microwave communications." Luo Gan gave Liew directives at the meeting, and two days later Liew received a list of "key task projects," including TiO2, prosecutors stated.

(U) In his court filing seeking bail, Liew denies he was invited to a banquet with some Chinese officials, but Luo Gan is not discussed. Prosecutors contend that Chinese companies had not been able to master DuPont's technology on their own. "Liew, however, obtained that technology from former DuPont employees and sold it to companies controlled by the PRC government," prosecutors wrote. The Chinese embassy in Washington did not immediately respond to an email seeking comment on Wednesday.

(U) Analyst Comment: This case highlights the risk to US companies from Chinese economic espionage efforts and documents the PRC government involvement in these efforts.

(U) United States to Share Cautionary Tale of Wind Turbine Trade Secret Theft with New Chinese Leader (The New York Times, 14 FEB 2012)

(U) China’s next leader, Xi Jinping, may never have heard of American Superconductor Corporation before he arrived here Monday, but by the end of his visit United States officials hoped to make the small Massachusetts wind-energy company an object lesson in the impact of Chinese trade secret theft on American business. Senator John Kerry, chairman of the Senate Foreign Relations Committee and a Massachusetts Democrat, planned to raise personally with Mr. Xi the case of a company that saw 70 percent of its business evaporate last year after a Chinese partner enticed one of its employees to steal the crown jewel of its technology. “It’s a very clear and, in our judgment, egregious, palpable demonstration of the practice that we are deeply concerned about,” Mr. Kerry said, “but it’s not the only one. There are so many things: cyberattacks, access-to-market issues, espionage, theft. These are major points of discussion between us and China.”

(U) Both President Obama and Vice President Joseph R. Biden Jr. warned Mr. Xi that they had been hearing more and more from United States businesses about intellectual property and trade secret theft, but they did not specifically mention American Superconductor. However, background material on the company’s experience was included in briefing papers distributed before the arrival in Washington of Mr. Xi’s delegation, and a top administration official said the Chinese were aware of United States frustration over the case.

(U) With anger toward Chinese trade and industrial practices emerging as a major theme for the 2012 campaign season, American Superconductor’s story seems ripe for the moment. The facts are difficult to dispute, given the volume of evidence. Last March, China’s Sinovel, the world’s second largest wind turbine manufacturer, abruptly refused shipments of American Superconductor’s wind turbine electrical systems and control software. The blow was devastating; Sinovel provided more than 70 percent of the firm’s revenues. The value of undelivered components on existing contracts exceeded $700 million, the company’s president and chief executive told investors. Its share price plunged by more than 80 percent in six months.


(U) Last summer, evidence emerged that Sinovel had promised $1.5 million to Dejan Karabasevic, a Serbian employee of American Superconductor in Austria. Company officials say they found hundreds of e-mails and messages between senior Sinovel staff members and Mr. Karabasevic detailing the property to be stolen from the company, offering the money, and showing the actual transfer of the software. They even found signed contracts for the transaction. Mr. Karabasevic was arrested, confessed to the crime, was convicted and is now serving time in an Austrian prison.

(U) American Superconductor filed multiple lawsuits against Sinovel, seeking more than $1.2 billion in damages, cease and desist orders and copyright remedies. In October, Sinovel countersued, saying it stopped accepting components because of quality problems and asking an arbitration commission to award it about $58 million for a breach of contract. The company is also demanding that American Superconductor pay its lawyers’ fees, expenses and the cost of the arbitration. In February, a court in Hainan, China, dismissed the smallest of the suits and said it should be heard by an arbitration commission in Beijing. The first arbitration hearing was scheduled for Feb. 24.

(U) Company officials would not discuss their push for attention in Washington, but in a conference call with analysts in November, the company’s president was open about his view of the case. “While we acknowledge that this is a commercial matter, many have pointed to this case as an important litmus test for future energy cooperation between China and the West,” he said, according to a transcript of the call.

(U) The president of the Information Technology and Innovation Foundation, who has been leading a roundtable on such cases for the White House Office of Science and Technology Policy, called the case particularly egregious. But, he added, “This is not a one-shot deal that affects one company in Massachusetts. It is unbelievably endemic.” A lengthy paper by the foundation, due out in two weeks, will detail what the foundation president says has been the systematic pilfering of United States technology. “The Chinese have US companies over a barrel because of the pressure for short-term earnings. They’ve got renminbi dancing in their eyes,” he said, referring to China’s currency. “But nine years later the Chinese are eating your lunch.”

(U) The United States-China Business Council, which encourages economic cooperation, is more sanguine. Its survey of companies doing business in China found that only 18 percent said they had been asked to transfer technology as a condition for a business transaction. Three percent said they were able to scale back the request but did hand over some of their technology. About 2 percent said they met the request so they could stay in business in China. But stories like American Superconductor’s are rampant. Japanese and European companies like Kawasaki Heavy Industries and Siemens AG say they are competing against their once-junior Chinese partners and their own technology for the global high-speed rail business. Automobile writers have waxed indignantly about a new Chinese pickup truck that looks uncannily like the Ford F-150.

(U) Such concerns are meshing with Mr. Obama’s stern new push to make China play by the rules of international commerce. “I will not stand by when our competitors don’t play by the rules,” the president said during his State of the Union address in January, announcing the creation of what he has called a Trade Enforcement Union “that will be charged with investigating unfair trade practices in countries like China.”

(U) The foundation president is not convinced that the administration will hold to that pledge. “They’ve got to stop pretending that this engagement that they’re in right now with China is yielding results,” he said. “For every mole they whack, three more pop up. They need to vocally call out China on these egregious practices and say enough is enough.”


(U) Massachusetts Man Pleads Guilty to Conspiracy to Export Military Antennae to Singapore and Hong Kong (US Department of Justice Press Release, 20 JAN 2012)

(U) Rudolf L. Cheung, 57, a resident of Massachusetts, pled guilty in federal court in the District of Columbia to conspiracy to violate the Arms Export Control Act in connection with the unlawful export of 55 military antennae from the United States to Singapore and Hong Kong. Cheung serves as the head of the Research & Development Department at a private company that manufactures antennae. Over the past 17 years, he has designed or supervised the development of a full library of antennae made by the firm, many of which have military applications and are used by defense contractors. Some of Cheung’s inventions are used in the US space program.

(U) According to court documents filed in the case, in June 2006, a company in Singapore sent an inquiry to the firm that employs Cheung seeking a quotation for two types of antennae that are classified by the US government as defense articles and may not be exported without a license or approval from the State Department. After receiving the query, the export compliance officer at Cheung’s firm advised the firm in Singapore that neither antenna could be exported unless they filled out a US government form attesting that the goods would not be transferred. The firm in Singapore refused, and the order was stopped.

(U) After learning that the export compliance officer at his company had blocked the export, Cheung admitted that he discussed with an individual outside his company (co-conspirator C) a plan to bypass the export controls at his company and arrange for the antennae to be exported to Singapore through co-conspirator C. Under the plan, co-conspirator C, who operated his own company in Massachusetts, would purchase these goods from Cheung’s company and then export them on his own to the firm in Singapore, with Cheung’s knowledge.

(U) Subsequently, co-conspirator C contacted the firm in Singapore and offered to broker the deal with Cheung’s company. Co-conspirator C then negotiated the purchase of the antennae with employees of the firm in Singapore and, later, with another company called Corezing International in Singapore. Between July and September 2007, co-conspirator C purchased 55 military antennae from Cheung’s company, which he then exported to Corezing addresses in both Singapore and Hong Kong.

(U) According to court documents, Cheung was aware that the purchases by Co-conspirator C were intended for export from the United States and that these exports had previously been blocked by his export compliance manager. Yet Cheung took no action to stop the sale of these antennae from his company or their subsequent export from the United States, even though he knew a license was required for such exports. Cheung neither sought nor obtained any license from the State Department to export these items outside the United States. At sentencing, Cheung faces a maximum potential sentence of five years in prison, a fine of $250,000 and a three-year term of supervised release.

(U) Corezing, based in Singapore, has been charged in a separate indictment in the District of Columbia in connection with the export of these particular military antennae to Singapore and Hong Kong. Corezing and its principals have also been charged, and the United States is seeking their extradition, in connection with the export of 6,000 radio frequency modules from the United States to Iran via Singapore, some of which were later found in improvised explosive devices in Iraq. This investigation was jointly conducted by ICE agents in Boston and Los Angeles; FBI agents in Minneapolis; and Department of Commerce, Bureau of Industry and Security agents in Chicago and Boston. Substantial assistance was provided by the US Department of Defense, US Customs and Border Protection and the State Department’s Directorate of Defense Trade Controls.


(U) Chinese Hackers Suspected In Long-Term Nortel Breach (The Wall Street Journal, 14 FEB 2012)

(U) For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times. Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers, who appeared to be working in China, penetrated Nortel's computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to a former 19-year Nortel veteran who led an internal investigation.

(U) The hackers also hid spying software so deeply within some employees' computers that it took investigators years to realize the pervasiveness of the problem, according to the Nortel veteran and Nortel documents reviewed by The Wall Street Journal. They "had access to everything," Mr. Shields said of the hackers. "They had plenty of time. All they had to do was figure out what they wanted." According to an internal report, Nortel "did nothing from a security standpoint" to keep out the hackers, other than resetting the seven passwords.

(U) Nortel's breach offers a rare level of detail about a type of international corporate espionage that is of growing concern to US officials. A US intelligence report released in November concluded that hackers operating from China, both government-affiliated and private-sector, are the world's most "active and persistent" perpetrators of industrial spying. The report cited a number of Chinese attacks, including one targeting ; the theft of data from global energy companies; and theft of proprietary data such as client lists and acquisition plans at other companies.

(U) The Nortel revelations come as China's vice president, Xi Jinping, arrived in the United States for a visit in which China is seeking to promote greater trust between the two countries. Mr. Xi, who arrived Monday afternoon, likely will press the United States to expand Chinese access to US high-tech markets at a time when US intelligence officials have expressed increasing alarm about what they say is government-sponsored cyberspying on US and Western companies, particularly in China. China's government has denied allegations of cyberspying. When asked about Nortel specifically, the Chinese embassy in Washington issued a statement saying in part that "cyber attacks are transnational and anonymous" and shouldn't be assumed to originate in China "without thorough investigation and hard evidence."

(U) Nortel didn't respond to requests for comment. The Canadian company is in the final stages of selling itself off in pieces as part of a 2009 bankruptcy filing. Nortel was a pioneering maker of the computerized switches and telecom gear that powers much of the world's phone and Internet networks. Nortel equipment (now part of a business owned by Genband Corp.) makes up 45 percent to 50 percent of the US telephone switch marketplace, according to Akshay Sharma of research firm Gartner Inc.

(U) As part of its internal investigation, Nortel made no effort to determine if its products were also compromised by hackers, according to several former employees including the veteran who led the internal investigation, a senior adviser for systems security at Nortel. The investigation lasted about six months, and for some of that time involved three staffers, the senior advisor said, before it fizzled out due to a lack of leads.

(U) The former senior advisor and several former colleagues said the company didn't fix the hacking problem before starting to sell its assets, and didn't disclose the hacking to prospective buyers. Nortel assets have been purchased by Avaya Inc., Ciena Corp., Telefon AB L.M. Ericsson and Genband. It is possible for companies to inherit or hacker infiltrations via acquisitions, said Sean an individual who until recently ran the US government's cybersecurity intelligence center. "When you're buying those files or that intellectual property, you're also buying that ','" he said, using a term that refers to embedded spy software.

(U) Nortel's experience exposes the uncertainties in reporting requirements for company officials who discover that their networks are infiltrated. Companies aren't obligated to disclose a breach to another company as part of an acquisition deal, said a representative of Good Harbor Consulting, a firm that advises companies on national-security issues. It is up to the acquiring company to ask, he said. Since Nortel's stock traded publicly in the United States, it was required by the Securities and Exchange Commission to disclose "material" risks and events to investors. Many companies are just now becoming aware that cyber attacks must be reported if considered material, said a former Capitol Hill aide who led a committee investigation into public disclosure of incidents like these. As a result of that investigation, late last year the SEC issued a formal guidance memo saying cyber attacks can be "material." It also said companies are expected to investigate a breach to determine whether it is material.

(U) Two of Nortel's three former CEOs during the period of the hacking didn't respond to a request for comment. The third, Mike Zafirovski, said, "People who looked at [the hacking] did not believe it was a real issue. This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.'" Mr. Zafirovski said he didn't believe the infiltrations could be passed on to acquiring companies. "That's a real, real stretch," he said. In interviews, three former Nortel information-technology employees disputed Mr. Zafirovski's position, pointing out that a significant number of people continued to use Nortel laptops and desktop computers after moving to Avaya and Genband and connected them to those companies' networks. One of the three said he knew with certainty that his machine wasn't tested for possible infiltration before it was connected to Avaya's network; he estimated the total number of similar machines to be "in the high hundreds." Both companies declined to comment on Nortel machines being connected to their networks.

(U) The Nortel veteran who led the internal investigation said he believes Nortel's silence put the acquiring companies at risk. "It's despicable that Nortel didn't say anything," he said. Nortel discovered the hacking in 2004, when an employee noticed that a senior executive appeared to be downloading an unusual set of documents, according to the internal report. When asked about it, the executive said he hadn't downloaded the documents. The Nortel veteran and a handful of the firm's computer-security officers soon learned that hackers had apparently obtained the passwords of seven top officials, including a previous CEO. The hackers had been infiltrating Nortel's network, from China-based Internet addresses, at least as early as 2000, the Nortel internal investigator and his colleagues determined. Hackers had almost complete access to the company's systems, he said, because the internal structure of Nortel's network posed few barriers. "Once you were on the inside of the network, it was soft and gooey," he said.

(U) About six months later, the internal investigator said, he saw signs that hackers were still in the system. Every month or so, a few computers on the network were sending small bursts of data to one of the same Internet addresses in Shanghai involved in the password-hacking episodes. Unexpected transmissions like these -- where one computer sends a quick "ping" to another -- often suggest the presence of spyware, security experts say. "That's the really deep covert presence," said one person familiar with Nortel's investigation. "There is something on those computers that's doing that, and finding it is very difficult." The internal investigator said he suggested further steps to secure the network, but Nortel chose not to take the recommendations. "Our own internal process choked us all the time," he said.
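The pattern described above (several internal hosts sending small, regularly spaced transfers to the same external address) can be turned into a simple flow-log detection. The following Python is an added example, not code from the article or from Nortel's investigation; the flow records are constructed, the internal range is assumed to be 10.0.0.0/8, and the external addresses are documentation-range placeholders.

```python
"""Flag external addresses that several internal hosts contact with small,
regularly spaced outbound transfers (a beaconing pattern).

Added example, not from the article. Flow records below are constructed;
203.0.113.50 and 198.51.100.9 are documentation-range placeholders."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed corporate address space; adjust to the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records: (timestamp, src, dst, bytes_out).
# Two hosts send ~800-byte bursts to the same external IP roughly monthly;
# the remaining rows are ordinary large, irregular transfers.
SAMPLE_FLOWS = [
    ("2008-01-03T02:14:00", "10.1.4.22", "203.0.113.50", 812),
    ("2008-02-02T02:17:00", "10.1.4.22", "203.0.113.50", 790),
    ("2008-03-04T02:11:00", "10.1.4.22", "203.0.113.50", 835),
    ("2008-04-03T02:19:00", "10.1.4.22", "203.0.113.50", 801),
    ("2008-01-05T01:40:00", "10.1.9.7", "203.0.113.50", 770),
    ("2008-02-05T01:38:00", "10.1.9.7", "203.0.113.50", 802),
    ("2008-03-06T01:45:00", "10.1.9.7", "203.0.113.50", 760),
    ("2008-04-05T01:42:00", "10.1.9.7", "203.0.113.50", 815),
    ("2008-01-10T09:00:00", "10.1.4.22", "198.51.100.9", 450_000),
    ("2008-01-10T14:30:00", "10.1.9.7", "198.51.100.9", 2_100_000),
    ("2008-02-18T11:05:00", "10.1.4.22", "198.51.100.9", 380_000),
    ("2008-03-01T16:20:00", "10.1.2.1", "198.51.100.9", 900_000),
]


def is_internal(addr: str) -> bool:
    """True if the address falls inside the assumed corporate ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_beacons(flows, min_hosts=2, min_events=3, max_bytes=4096, max_jitter=0.2):
    """Return {dst: {src: summary}} for external destinations that at least
    `min_hosts` internal hosts contact with `min_events`+ small transfers whose
    inter-event gaps all lie within `max_jitter` of their mean interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        # Keep only small outbound transfers from inside to outside.
        if is_internal(src) and not is_internal(dst) and nbytes <= max_bytes:
            by_pair[(src, dst)].append(datetime.fromisoformat(ts))

    regular = defaultdict(dict)
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Regular spacing is the beacon signature; one-off transfers are not.
        if all(abs(g - mean) <= max_jitter * mean for g in gaps):
            regular[dst][src] = {
                "events": len(times),
                "mean_interval_days": round(mean / 86400, 1),
            }

    # Several hosts converging on one external address is the stronger signal.
    return {dst: hosts for dst, hosts in regular.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for dst, hosts in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon destination {dst}:")
        for src, info in hosts.items():
            print(f"  {src}: {info['events']} events, ~{info['mean_interval_days']} days apart")
```

Thresholds are tuned for the monthly cadence in the constructed data; real beacons can be far more frequent, and the bytes cap should be set from the monitored network's baseline rather than the value used here.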

(U) In 2008, he learned of a new kind of test, called a memory dump, he could run on PCs suspected of being infected. By this time, however, Nortel was in deep financial trouble. Cost-cutting layoffs had begun, the stock was tanking and top executives were desperately trying to pilot the company through a rapidly changing telecom industry. In January 2009, Nortel filed for bankruptcy protection. In March of that year, the internal investigator got approval to examine two of the 50 or so computers he had noticed occasionally communicating with the Shanghai Internet address. But within a couple of weeks, he himself was laid off, caught in the latest round of cost-cutting convulsing Nortel at the time. (Former supervisors confirm his layoff wasn't related to job performance.)

(U) The day after he left Nortel, the internal investigator said, he received the test results for the two computers, which had previously gotten a clean bill of health from Nortel's antivirus experts. Hackers had installed spyware on the computers and could control them remotely. The hackers were also monitoring employee email, he said. The spyware unearthed in 2009 was a sophisticated mix. On both computers, researchers found a particularly malicious and hard-to-spot spying tool, namely "rootkit" software that can give a hacker full control over a computer and enables them to conceal their spying campaign, according to two people familiar with the investigation. On one computer, hackers had set up an encrypted communications channel to an Internet address near Beijing. On the other computer, the investigators found a program that hackers were likely using to sniff out other security weaknesses within Nortel's networks. The hackers had created a "reliable back door," according to one person familiar with the investigation, allowing them to come and go as they pleased in Nortel's network. Five former Nortel employees familiar with the investigation said the company did nothing with the new information the internal investigator had collected. "It was blown off," one said.

(U) Soon after, the former internal investigator was hired back as a consultant to another part of the company. In June 2009, he sent a 15-page report, detailing the infiltrations spanning nearly a decade, to Mr. Zafirovski, the then-CEO. "The Chinese are still in your network, we never really rid them out," he wrote. "I personally would not trust anything you do on your computer as it is extremely likely it is being monitored." Mr. Zafirovski said he didn't recall the report. He said some security managers have told him Mr. Shields had a reputation as someone who was smart, but would also "cry wolf."

(U) At that point, Nortel's focus was on selling assets, not assessing possible hacker damage, former employees said. In July 2009, Nortel began inking deals that ultimately totaled $1.4 billion in sales of a range of wireless businesses to Ericsson, the Swedish telecom company. In December, in a $900 million deal with US-based Avaya, Nortel sold off a business that included much of its work with the US government. In February 2010, Nortel sold its Internet-phone business and other assets to US-based Genband. The following month, it sold its high-end communications-networking business to US-based Ciena for $769 million, according to Gartner data.

(U) After Avaya's acquisition of Nortel businesses, the former internal investigator shared his report on the infiltrations with a security official at Avaya. This was the first time the company learned of Nortel's intrusion, according to a person familiar with the matter. A top US intelligence official said Nortel's hacking experience is representative of the types of incidents he sees. "That is consistent with what we've seen in long-term, multipronged attacks," he said. "If I'm looking to get a jump on my R&D, that's a good way to do it."

(U) Nortel Breach Exposes Security Vulnerabilities of All Enterprises (CIOinsight, 16 FEB 2012)

(U) Nortel is dealing with the fallout from a 10-year data breach that exposed thousands of sensitive company documents to cyber-spies. The question security experts now are asking is how many other enterprises are also vulnerable to a similar attack? The decade-long security breach at Nortel, where thousands of company documents were exposed, is just one example of how vulnerable corporations are to cyber-espionage. What's even more worrisome is the likelihood that even more businesses are currently breached and not aware of it, security experts said. CIOs, CTOs and CSOs have long known that this type of extended and invasive breach was a "possibility" and "likely occurring" in a number of companies, said the president of Axis Technology.


(U) Industrial espionage is not new, as perpetrators try to bridge technology gaps by stealing from others. Companies can bypass years of research and development by somehow obtaining technical documents, prototypes and other sensitive information. This can allow them to create products that are highly similar, or underbid competitors because they don't have to take into account their research and development costs. The Internet has made spying "so much easier," the CTO of LogRhythm wrote on the company blog. It's just a matter of compromising a password, logging in to the system, and getting down to business, he wrote. "How many other US corporations are breached and leaking right now? Personally, I'm afraid we'd be appalled by the number, it is likely very high," he said.

(U) Nortel first discovered the breach in 2004 when IT staff noticed a suspicious set of documents being downloaded by an executive, according to a Feb. 14 report in the Wall Street Journal. It turned out attackers had accessed the network using login credentials stolen from seven senior executives as early as 2000, and sensitive information was being transmitted back to a computer with a Chinese IP address. Although some at the company were aware of the breach, Nortel's own IT security department was still discovering that spyware had been placed on some of the company's computers as late as 2009. At the time, this operation would have been considered "sophisticated," but now would be considered "pedestrian," said the founder of Invincea. The "unsettling truth" is that these types of attacks can still work today, he said. Enterprises are focusing heavily on the network perimeter and not securing the inside as well.

(U) The Aurora attacks, the RSA breach and other attacks identified in 2011 clearly demonstrated that corporations are under constant threat from nation states such as China seeking shortcuts to technological advances, said the research director of Corero. It is expensive and time-intensive to extensively investigate a breach, and companies often stop as soon as they get reports that everything is fine, the Axis Technology president said. Nortel changed passwords and monitored certain activity before declaring the job done. It did not search extensively for other malicious activity or continue monitoring, which allowed these attacks to continue for several years. Stopping the internal investigation too soon can be devastating.

(U) The failure of Nortel, which many viewed as an "innovative and sophisticated IT company," to fully investigate and then address the risks posed by this data breach is "puzzling," the Corero research director said. It's possible the company underestimated the risks eight years ago, he added. Recent events may also lead to more aggressive monitoring of enterprise networks to detect suspicious outbound traffic and other activity in the event of a breach.

(U) The new guidelines from the US Securities and Exchange Commission, which call for organizations to disclose breaches and any security risks that may have a material impact on the company's operations, may result in more disclosures, said the Corero research director. Companies will be more upfront about these events for the sake of the business community at large. If the guidelines had been in place even a few years ago, Nortel would likely have had to disclose the incident.

(U) Even if Nortel was not sure what intellectual property had been stolen, the fact that computers belonging to key executives were compromised is material enough. The guidelines will also force organizations to start thinking about preventive measures to stop the attack before it gets through the network, said the Invincea founder. "The more disclosure we see, the more likely we are to adopt innovative solutions that defend against these types of attacks," he said.

(U) Analyst Comment: This case highlights the cyber intrusion risk to companies in Florida. Any company that identifies suspicious network activity should contact the Tampa FBI Cyber squad.


(U) Researchers Unearth More Chinese Links to Defense Contractor Attacks: Symantec Locates China-Based Staging Server Used in 'Sykipot' Attacks, Traces Hacker to Zhejiang Province (Computerworld, 27 JAN 2012)

(U) Researchers with Symantec have uncovered additional clues that point to Chinese hacker involvement in attacks against a large number of Western companies, including major US defense contractors. The attacks use malicious PDF documents that exploit an Adobe Reader bug patched last month to infect Windows PCs with "Sykipot," a general-purpose . According to findings published in January by Symantec's research team, a "staging server" used by the attackers is based in the Beijing area, and is hosted by one of the country's largest Internet service providers, or ISPs. Symantec did not identify the ISP.

(U) The staging server stores new files, many of them malformed PDFs, that are used to infect machines. Symantec found more than 100 malicious files on the server; many had been used in Sykipot campaigns. Researchers also said that one of the attackers who connected to the staging server did so from Zhejiang province on China's eastern coast. Hangzhou is that province's capital and largest city. Previously, Symantec had confirmed that the Sykipot attacks had been aimed at people working at major defense contractors, and at a smaller number of individuals employed in the telecommunications, manufacturing, computer hardware and chemical sectors. Lockheed Martin, whose security team was among those who reported the Reader vulnerability to Adobe, may have been one of the targeted defense contractors.

(U) After digging through the staging server, Symantec found clues that led it to a second system where the same group hosted a tool that automatically modifies files, again including PDFs, as part of its strategy to evade detection by . Like other authors of targeted attacks, the Sykipot gang tags each campaign with an identification number so that it can evaluate each assault's effectiveness. The unique identifiers are hard-coded into the malware, said Symantec. , a Trojan aimed at Iran last year, uses a similar tracking tactic that relies on customized malware, as well as a separate command-and-control (C&C) server for each attack.

(U) Adobe began patching the Reader vulnerability exploited by the Sykipot attacks on Dec. 16, and wrapped up the fixes on Jan. 10. Although Symantec did not come out and name China as the home base of the Sykipot hackers, it came close. "The attackers are familiar with the Chinese language and are using computer resources in China," the company said. "They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future."

(U) California Resident and Company Plead Guilty to Conspiracy to Export Computer-Related Equipment to Iran (US Department of Justice Press Release, 16 FEB 2012)

(U) Massoud Habibion, 49, a US citizen and co-owner of a Costa Mesa, Calif., company, Online Micro LLC, pled guilty in the District of Columbia to conspiracy to illegally export computers from the United States to Iran through the United Arab Emirates (UAE). Additionally, Mohsen Motamedian, 44, a US citizen and co-owner of Online Micro, pled guilty to obstruction of justice. At a hearing before a US District Judge, Habibion and Online Micro each pleaded guilty to conspiracy to violate the International Emergency Economic Powers Act and to defraud the United States. Motamedian pled guilty to obstruction of justice. The maximum sentence for Habibion and the company is five years in prison and $1 million. The maximum sentence for Motamedian is 20 years in prison.

(U) Under the terms of the plea and related civil settlements with the Department of Commerce’s Bureau of Industry and Security (BIS) and the Department of the Treasury’s Office of Foreign Assets Control (OFAC), Habibion and his company have agreed to forfeiture of a money judgment in the amount of $1.9 million. In addition, Habibion and Online Micro are denied export privileges for 10 years, although the denial order will be suspended provided that neither Habibion nor Online Micro commit any export violations during the ten-year probationary period and comply with the terms of the criminal plea agreements and sentences. Motamedian separately agreed to a $50,000 monetary penalty to settle a civil charge that he solicited a false statement to federal law enforcement agents.

(U) Habibion and Motamedian were arrested on a criminal complaint in California on April 7, 2011. The defendants and their company were later indicted on April 21, 2011. Habibion and Online Micro admitted in court that they willfully conspired with a company operating in Dubai, UAE, and Tehran, Iran, to procure US-origin computers from the United States and export those computers from the United States to Iran through Dubai without first obtaining licenses or authorizations from OFAC. In or around May 2007, Online Micro purchased 1,000 computer units from Dell Inc. for approximately $500,000. Later that year, Dell began receiving service calls concerning Dell computer units from individuals in Iran, and after conducting an internal investigation, suspended Online Micro from placing further orders with Dell.

(U) Beginning around Nov. 9, 2009, and continuing through December 2010, Habibion and Online Micro conspired with Company X, a firm operating in Dubai and Tehran, to procure US-origin computer-related goods and export those goods to Iran via the UAE. During the scope of the conspiracy, defendants Online Micro and Habibion sold and exported from the United States to Company X numerous shipments of computer-related goods, worth a total of more than $4,904,962, with knowledge that the majority of those goods were destined for Iran.

(U) Online Micro also caused Shipper’s Export Declarations to be filed with US Customs and Border Protection falsely identifying the ultimate destination of the goods as the UAE. During the course of the investigation, Habibion and Motamedian told a government cooperator (Individual A) to lie to US law enforcement officials about the transactions. Specifically, the defendants told Individual A to lie about Iran being the true ultimate destination for the goods and counseled him to tell US law enforcement agents that the computer-related goods remained in Dubai.

(U) Motamedian and Habibion also acknowledged to Individual A that the sanctions “are serious” and “were not a joke.” Yet Motamedian told Individual A to “Say, ‘I sold over there’ and have your guys make up invoices;” and “[d]efinitely delete your communication with [Company X’s agent in Iran] on Yahoo.” Similarly, Habibion stated to Individual A that he should tell US law enforcement agents that the computer-related goods remained in Dubai: “Well, you can say, ‘I kept the goods there.’ How does he know what happened?”

(U) Analyst Comment: Despite rising tensions between the United States and Iran, Iranian entities continue to attempt to acquire US technology, dual-use equipment and components. Florida companies involved in international sales should exercise due diligence when dealing with new sales contacts who request items be shipped to known transshipment centers like the UAE, Singapore, Malaysia and Hong Kong.

(U) Russian Diplomats Left Canada Weeks Before Halifax Espionage Arrest (National Post, 20 JAN 2012)


(U) Two Russian diplomats reportedly expelled from Canada in connection with an espionage case against a Canadian naval officer were at the end of their terms and scheduled to leave weeks and months before the charges were laid, Postmedia has learned. Lt.-Col. Dmitry Fedorchatenko was seen off by fellow defence attaches in early November after nearly three years in Ottawa, while political attache Konstantin Kolpakov left Canada at the end of December after nearly five years in Canada. Media reports said their names and two other Russian embassy administrative and technical staff members, Mikhail Nikiforov and Tatiana Steklova, were dropped from the Department of Foreign Affairs’ list of foreign representatives officially recognized by Canada on Jan. 19.

(U) The Conservative government has refused to comment, citing national security, but a Russian embassy official denied the four had been expelled, telling the Globe and Mail they had left Ottawa after coming to the end of their postings. Russia denied Canada had expelled four of its diplomats, saying the envoys had left at the end of their postings. “We are surprised by reports in the Canadian press about the expulsion of Russian diplomats since they left the country in 2011 after completing their postings,” the Russian foreign ministry said on its official Twitter blog.

(U) Sub-Lt. Jeffrey Paul Delisle was charged in January under the Security of Information Act. He’s the first person charged under a new secrecy law enacted after the Sept. 11, 2001, attacks. Delisle is accused of giving “a foreign entity” secret information between July 6, 2007 and Jan 13, 2012. He was arrested in Halifax and stayed in jail until his hearing on Jan 25. Convictions under the security act carry a maximum penalty of life in prison. The Conservative government has had poor relations with Moscow since it took power in 2006, complaining about “increasingly aggressive Russian actions around the globe” and reconnaissance flights which approach Canadian airspace. The two countries are jostling for influence in the mineral-rich Arctic.

(U) CYBERSECURITY SPECIAL FOCUS FOR INDUSTRY:

(U) Digital Spies: The Alarming Rise of Electronic Espionage (Popular Mechanics, 24 JAN 2012)

(U) Foreign agents are stealing stealth technology, hacking heads of state, and sabotaging American companies. And while many of these attacks are traced to China, electronic espionage is an accelerating scourge that knows no national boundaries.

(U) The first warning that hackers had penetrated the American oil company came soon after the initial breach, in the summer of 2009. The computer help desk received complaints from employees who were locked out of their accounts or whose computers had already been logged onto. Then the complaints abruptly ceased: The digital spies had obtained an administrator password and were intercepting help-desk tickets, unlocking accounts, and notifying users that their problems had been fixed. With that access, the hackers copied thousands of confidential emails, including those of top executives, and transmitted them to China in massive files late at night, after the oil company's employees had left for the day.

(U) By the time the FBI informed the company of suspicious network traffic in the summer of 2010, Chinese firms had outbid the oil company on several high-stakes acquisitions by just a few thousand dollars. But it could have been far worse: For months, malware that allowed the hackers to take over terminals had been burrowing deeper into the company's systems and had wormed its way into computers that controlled oil-drilling and pipeline operations. "People were alarmed that their email was compromised, but the hackers could have crippled the business," says the founder of Red Tiger Security in Houston. In early 2011, he helped the oil company identify some of the hackers' breaches; he refused to name the company, citing a confidentiality agreement.


(U) This example is just one incident in an ongoing, aggressive campaign of electronic espionage that costs US firms billions of dollars, endangers our military secrets, and threatens to erode our technological edge, as computer hackers, often but not exclusively traced to China, help their clients, and their countries, gain the upper hand in business deals and steal intellectual property. (An October 2011 report prepared for the Director of National Intelligence titled "Foreign Spies Stealing US Economic Secrets in Cyberspace" explicitly accuses China and Russia of hacking US companies, calling Chinese hackers "the world's most active and persistent perpetrators of economic espionage.")

(U) The phenomenon blurs the lines between white-collar crime, international spying, and even acts of war, but the attacks are known in the intelligence community as advanced persistent threats, or APTs. Well-financed, patient teams of hackers that US intelligence agencies believe are backed by foreign governments now constitute a major national security risk. The hackers use tactics that are inherently difficult to trace and choose targets that have deep roots within US infrastructure, government, and military. Recent news accounts have identified APT victims that include Google, ExxonMobil, Royal Dutch Shell, Morgan Stanley, Dow Chemical, Symantec, Northrop Grumman, and Lockheed Martin, to name just a few.

(U) Private industry is understandably reluctant to reveal such breaches, even to the government: If a digital attack strikes fear in the hearts of a company's executives, one can only imagine how it would make shareholders feel. But digital spying is like a cockroach infestation—for every one that you see, thousands thrive out of view. "I can't find an organization, an entity, a business, or a department that hasn't suffered from cyber intrusions," says Gordon M. Snow, assistant director of the FBI's Cyber Division. "If they really believe they haven't, they're just not aware of it yet."

(U) In August 2011, a report by the security firm McAfee detailed hacks into some 72 public and private computer networks in 14 countries and warned of "the biggest transfer of wealth in terms of intellectual property in history." Technology theft is the most common motive for digital espionage, but China and other nations have used it to squelch internal political dissent as well. Stolen source code from Google was used to hack into the accounts of Chinese dissidents, and after an Iranian hacker broke into Dutch security firm DigiNotar, the stolen technology was used to help his government spy on troublemakers in Iran. These attacks can cause collateral damage that compromises the security of everyone online. Digital security certificates from DigiNotar were part of the basic verification system of the Internet. If you can fake one of those, you can fool a browser into thinking any site is safe.

(U) A History of Hacks

(U) The United States itself is no slouch at cyber spying. The and the Pentagon possess the most sophisticated signals intelligence and digital warfare technology in the world. That gives us the ability to spy on foreign cellphone calls, shut down enemy air defenses, or even remotely cause equipment in an adversary's weapons facility to self-destruct. But former US officials insist the government does not engage in economic espionage or intellectual property theft from foreign companies. In part, they contend, that's because there is little IP we would want to steal, and to do so would undercut our efforts to discourage such theft by other nations. Private US companies, meanwhile, would be breaking US law if they hacked into the servers of state-owned competitors in places like China and Russia, although some US multinationals have been accused of dirty business overseas (see "Who's Spying on Whom?" page 55). "The United States has an enormous stake in the integrity of the intellectual property regime," says Joel Brenner, former head of US counterintelligence during the Bush and Obama administrations and the author of America the Vulnerable, a book on digital espionage published last September. "Many of our adversaries don't believe we don't do this. But it's really true. We don't." According to a digital security expert at the Washington, D.C.-based Center for Strategic and International Studies, this apparent unwillingness to retaliate presents "an asymmetric disadvantage" that our rivals are exploiting to win an emerging digital cold war.

(U) Computer espionage has a history almost as long as that of the modern Internet. In the late 1980s, the German hacker Markus Hess and several associates were recruited by the KGB to penetrate computers at American universities and military labs. They made off with sensitive semiconductor, satellite, space, and aircraft technologies. Today, China, Israel, and Russia are reportedly the most aggressive about stealing secrets. But China is playing a game of a different magnitude. "The Chinese didn't create this problem," Brenner says. "But there's no question China is the worst offender now. They are all over us. It's just relentless."

(U) Experts believe today's attacks on US industry are an extension of a series of attacks on American military computer networks that took place in the late '90s and early 2000s. The assault has netted the Chinese sensitive military technologies that might one day be used against us. Then, as now, the Chinese government has vehemently denied that it has any state-sponsored hacking program, calling US allegations groundless and irresponsible.

(U) Plausible deniability is precisely what makes digital espionage such an effective tool. It's difficult to detect and impossible to prove, and thus can't be used to justify retaliation. Digital-security experts call this the attribution problem. "At most, you know the immediate computer involved in attacking you or receiving the stolen data, and sometimes you don't even know that," says a Columbia University computer scientist who advises the Department of Homeland Security on the issue. "But you don't know who actually controls the computer. It could be another hacked computer someplace that somebody else is controlling from somewhere else."

(U) Still, few buy the Chinese denials. There have simply been too many attacks traced to the mainland. Last spring, secret State Department cables obtained by WikiLeaks and made public by Reuters detailed a widespread digital spying operation, Byzantine Hades, linked to the People's Liberation Army Chengdu Military Region First Technical Reconnaissance Bureau, an electronic espionage unit of the Chinese military. According to the cables, Byzantine Hades targeted not only the US government and industry, but also high-level European officials. The Chinese hackers even managed to remotely activate the computer microphones and Web cameras of French officials so they could peek in on everything from office gossip to high-level diplomatic planning sessions. In the past, surveillance like that would have required spies to know where their targets were staying and mic the room—but in the age of cellphones and laptops, spies can listen in on foreign officials half a world away.


(U) Last year, the Chinese military unveiled the Chengdu J-20 stealth fighter. Some US intelligence experts see the J-20 as the result of a long campaign of technology theft.

(U) Anatomy of an Attack

(U) In February 2011, McAfee released a report detailing a series of hacks called Night Dragon. Emanating from locations in China and aimed at six global oil, gas, and petrochemical companies, the hacks resembled the oil company attack described by the founder of Red Tiger Security. The media later identified the victims as ExxonMobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips, and Baker Hughes, all of which declined to discuss the report when asked by Popular Mechanics.

(U) Regardless, the methods described by both Red Tiger Security and McAfee are straight out of the playbook of Chinese-based APTs. Instead of trying to identify vulnerabilities in a company's , APTs focus on exploiting the one thing that's impossible to control, the vulnerabilities of company employees. The hackers the founder of Red Tiger Security investigated found personal information about the oil company's executives on social-networking sites such as Facebook and Myspace. Then they crafted emails aimed at enticing the executives to click on a poisoned link. "The initial attack is very subtle," he says. "It no longer says, 'I am a Nigerian prince and need to hide a bank account.' If the hacker can find an executive who likes to restore old cars and can find the names of some of his friends, he will send an email saying 'Hey, I was talking to our friend Paul, and he said you were restoring 1950s Chevys. I found this great website you should check out.'" When the victim clicks on the link, it takes him to a webpage where malware loads onto his computer. It sits there for days until it wakes up and phones home. The malware might post a code to a Twitter account or post a comment as simple as "I'm going skiing on Saturday" to a blog. That beacon alerts hackers that their malware has taken root and is ready for instructions. The hackers can then respond with coded directives by the same means.

(U) It wasn't until a year into the hack on the oil company that the FBI contacted executives and informed them they had spotted data traffic leaving their network and heading to servers in China known to be used to command and control networks, Pollet says. The FBI's Snow says he cannot comment on specific cases. But it was certainly not the first time the FBI stepped in. The current campaign of cyber espionage is so widespread, he says, that it has forced a "significant cultural shift" in the way the FBI handles cyber intrusions. Previously, "the No. 1 priority was to protect the operational security of the investigation and the prosecutive equities on the criminal side." While those goals are still important, "it's even more important that the victims understand they have been victimized," he says.

(U) Emergency Response

(U) After the FBI alert, the oil company brought in security firms Red Tiger and Mandiant to expunge the intruders. But expelling an APT isn't as simple as it sounds. "They are agile, dynamic, and, if you defeat them once, they're going to change their tactic," says the chief security officer for Mandiant, who also would not comment on the specifics of the oil company attack. The attackers, he notes, are usually in it for the long haul and are likely to return if the company still has intelligence on its networks that the hackers or their employers consider of value.

(U) The best approach once an intrusion is detected is not to tip your hand until you are ready to respond with a serious defense. Countermeasures usually involve first identifying as many infected computers as possible by looking for suspicious software on hard drives and tracking which computers have been contacting suspicious host servers. The response team then attempts to pull as many infected computers as possible off the server at once, "by any means necessary," the Mandiant CSO says. "In some cases it's literally pulling a cable out of the computer." But often it's impossible to know whether all the malware has been successfully removed. And even if it has, the attacker will often attempt to break in once again, using more sophisticated, perhaps never-before-seen code. That's one of the reasons that many in the intelligence community are calling for a new security paradigm, one that places an emphasis on information sharing and preventive measures.
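The triage step described above, finding the hosts that have been talking to suspicious servers before pulling them off the network together, can be illustrated with a small outbound-connection log review. The following is an added example written for this bulletin; it is not code from Popular Mechanics, Red Tiger Security or Mandiant. It applies three indicators the article mentions to a handful of constructed log lines: contact with a server already on a suspicious list, large transfers late at night after employees have left, and the regular "phone home" beacon that signals a malware foothold. Every hostname, IP address, schedule and threshold in it is an assumption.

```python
"""Triage outbound-connection logs for signs of an APT foothold.

Constructed example (not from the article or from any vendor). Every host,
IP address, time window and threshold below is an assumption chosen for the
demonstration; a real review would take these from the environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed: destinations the investigators already consider suspicious
SUSPICIOUS_SERVERS = {"203.0.113.7", "198.51.100.23"}

# Constructed log lines: timestamp, source host, destination IP, bytes sent
SAMPLE_LOG = """\
2010-06-14T02:10:05 exec-laptop-01 203.0.113.7 48230000
2010-06-14T09:15:00 exec-laptop-01 93.184.216.34 1200
2010-06-14T10:00:00 wkstn-117 198.51.100.23 512
2010-06-14T11:00:00 wkstn-117 198.51.100.23 498
2010-06-14T12:00:00 wkstn-117 198.51.100.23 530
2010-06-14T13:00:00 wkstn-117 198.51.100.23 505
2010-06-14T14:00:00 wkstn-117 198.51.100.23 520
2010-06-14T13:02:00 printer-3f 192.0.2.44 900
2010-06-14T23:40:00 fileserver-02 192.0.2.44 9100000
2010-06-14T09:30:00 hr-desk-04 93.184.216.34 3000
"""

AFTER_HOURS = (22, 6)            # assumed: 22:00 to 06:00 is "after hours"
LARGE_TRANSFER_BYTES = 5_000_000  # assumed threshold for a bulk transfer
MIN_BEACONS = 4                   # fewer contacts than this is not a pattern
BEACON_JITTER = 0.10              # gaps within 10% of their mean count as regular


def parse_log(text):
    """Turn the whitespace-separated log into (time, host, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def find_known_bad(records):
    """Indicator 1: hosts that contacted a listed suspicious server."""
    return sorted({host for _, host, dst, _ in records if dst in SUSPICIOUS_SERVERS})


def find_night_exfil(records):
    """Indicator 2: hosts sending large volumes out during after-hours."""
    return sorted({host for ts, host, _, n in records
                   if is_after_hours(ts) and n >= LARGE_TRANSFER_BYTES})


def find_beacons(records):
    """Indicator 3: a host hitting one destination at a steady interval."""
    by_pair = defaultdict(list)
    for ts, host, dst, _ in records:
        by_pair[(host, dst)].append(ts)
    hits = []
    for (host, dst), times in by_pair.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap means a scheduled check-in
        if avg > 0 and pstdev(gaps) / avg <= BEACON_JITTER:
            hits.append((host, dst, round(avg)))
    return sorted(hits)


def triage(text):
    """Return the hosts to isolate, each with the reasons it was flagged."""
    records = parse_log(text)
    reasons = defaultdict(list)
    for host in find_known_bad(records):
        reasons[host].append("contacted known suspicious server")
    for host in find_night_exfil(records):
        reasons[host].append("large after-hours transfer")
    for host, dst, secs in find_beacons(records):
        reasons[host].append(f"beacons to {dst} every {secs}s")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in triage(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

The point of collecting all three lists before acting is the one the article makes: the isolation list should be as complete as possible before anyone pulls a cable, since an attacker who sees one host disappear will assume the rest are about to follow.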

(U) The government can go only so far to protect the networks of private companies. In the past year, the Department of Defense launched a pilot program with the defense industrial base that helps contractors improve security and share information about emerging forms of malware. Most US companies, however, remain shockingly vulnerable to massive security breaches and naive about the extent of the problem. Even with cooperation, most security experts believe that keeping a capable and determined adversary out of a system is impossible. "Perimeter defense is finished," Brenner says. "If you want to talk about really confidential stuff in email, you've got to understand that if you've got a real sophisticated adversary, they're reading it."

(U) The FBI's Snow agrees. "We have to have a cultural shift in the nation where we understand that there is no secure system, that people are going to be hacked," he says. As for retaliation the Mandiant CSO says he often gets questions from high-level executives who want to "hack back," even if all that means is retaliating against a Chinese computer with a virus that will disable it. "There is sufficient resistance from outside counsel because it would violate US law, and in US government agencies, there is no support to do that," he says. When asked if compromised companies might use the knowledge that they have been infiltrated to feed spies false data, he scoffed. "Those deception maneuvers are so far beyond the capability of any private corporation that no one could pull that off," he says. "You couldn't protect the planning. The bad guys will see it all and laugh."

(U) Don't Get Hacked

· (U) Foreign spies aren't after your PC, says the CTO of security firm iSEC Partners, but the code from their hacks can be quickly mimicked by cyber criminals. "It's like R&D for the broader malware market," he says. Keep your software updated to stay safe.

· (U) Any employee of a large company can become an attack vector for spies looking to steal data. "Be paranoid about what you click on," Stamos says—even emails that seem to be from friends.

· (U) Be careful if you store personal data on your work computer. If the machine becomes infected, your employer can erase everything.

· (U) USB drives are classic tools for getting malware through a firewall. If you don't trust where a drive came from, don't plug it into your computer.


(U) Traveling Light in a Time of Digital Thievery (The New York Times, 10 FEB 2012)

(U) When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, "the Chinese are very good at installing key-logging software on your laptop."

(U) What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia, like Google, the State Department and the giant McAfee. Digital espionage in these countries, security experts say, is a real and growing threat, whether in pursuit of confidential government information or corporate trade secrets. “If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,” said Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence.

(U) Theft of trade secrets was long the work of insiders, corporate moles or disgruntled employees. But it has become easier to steal information remotely because of the Internet, the proliferation of smartphones and the inclination of employees to plug their personal devices into workplace networks and cart proprietary information around. Hackers' preferred modus operandi, security experts say, is to break into employees' portable devices and leapfrog into employers' networks, stealing secrets while leaving nary a trace. Targets of hack attacks are reluctant to discuss them and statistics are scarce. Most breaches go unreported, security experts say, because corporate victims fear what disclosure might mean for their stock price, or because those affected never knew they were hacked in the first place.

(U) But the scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010. The chamber did not learn that it, and its member organizations, were the victims of a cybertheft that had lasted for months until the Federal Bureau of Investigation told the group that servers in China were stealing information from four of its Asia policy experts, who frequent China. By the time the chamber secured its network, hackers had pilfered at least six weeks' worth of e-mails with its member organizations, which include most of the nation's largest corporations. Later still, the chamber discovered that its office printer and even a thermostat in one of its corporate apartments were still communicating with an Internet address in China.

(U) The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them "to certain countries," notably China, a spokesman said. The implication, said a cybersecurity expert at Good Harbor Consulting, was that devices brought into China were hacked. "Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you. That's 'Business 101', at least it should be."

(U) Neither the Chinese nor Russian embassies in Washington responded to several requests for comment. But after Google accused Chinese hackers of breaking into its systems in 2010, Chinese officials gave this statement: “China is committed to protecting the legitimate rights and interests of foreign companies in our country.” Still, United States security experts and government officials say they are increasingly concerned about breaches from within these countries into corporate networks, whether through mobile devices or other means.

(U) On January 31st, James R. Clapper, the director of national intelligence, warned in testimony before the Senate Intelligence Committee about theft of trade secrets by "entities" within China and Russia. And Mike McConnell, a former director of national intelligence, and now a private consultant, said in an interview, "In looking at computer systems of consequence, in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets, we've not examined one yet that has not been infected by an advanced persistent threat."


(U) Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission. When officials from those countries visit the United States, they take extra precautions to prevent the hacking of their portable devices, according to security experts. Now, United States companies, government agencies and organizations are doing the same by imposing do-not-carry rules. Representative Mike Rogers, the Michigan Republican who is chairman of the House Intelligence Committee, said its members could bring only "clean" devices to China and were forbidden from connecting to the government's network while abroad. As for himself, he said he traveled "electronically naked."

(U) At the State Department, employees get specific instruction on how to secure their devices in Russia and China, and are briefed annually on general principles of security. At the Brookings Institution, Mr. Lieberthal advises companies that do business in China. He said that there was no formal policy mandating that employees leave their devices at home, “but they certainly educate employees who travel to China and Russia to do so.”

(U) McAfee, the security company, said that if any employee's device was inspected at the Chinese border, it could never be plugged into McAfee's network again. Ever. "We just wouldn't take the risk," said a vice president. At AirPatrol, a company based in Columbia, Md., that specializes in wireless security systems, employees take only loaner devices to China and Russia, never enable Bluetooth and always switch off the microphone and camera. "We operate under the assumption that we will inevitably be compromised," said the company's chief technology officer and a member of a panel established by the Center for Strategic and International Studies to advise President Obama on cybersecurity. Google said it would not comment on its internal travel policies, but employees who spoke on condition of anonymity said the company prohibited them from bringing sensitive data to China, required they bring only loaner laptops or have their devices inspected upon their return.

(U) Federal lawmakers are considering bills aimed at thwarting cybertheft of trade secrets, although it is unclear whether this legislation would directly address problems that arise from business trips overseas. In the meantime, companies are leaking critical information, often without realizing it. "The Chinese are very good at covering their tracks," said a former FBI agent who specialized in counterintelligence and computer intrusion. "In most cases, companies don't realize they've been burned until years later when a foreign competitor puts out their very same product, only they're making it 30 percent cheaper." "We've already lost our manufacturing base," he said. "Now we're losing our R.&D. base. If we lose that, what do we fall back on?"

(U) Analyst Comment: Florida companies with employees that travel to high risk countries like China and Russia should review this article and develop a comprehensive policy on carrying and using portable electronic devices while overseas.

(U) CYBER THREAT ITEMS FROM THE PRESS

(U) FBI Director Says Cyberthreat Will Surpass Threat from Terrorists (ABC News, 31 JAN 2012)


(U) Threats from cyber-espionage, computer crime, and attacks on critical infrastructure will surpass terrorism as the number one threat facing the United States, FBI Director Robert Mueller testified before the Senate. Mueller and National Intelligence Director James Clapper, addressing the annual Worldwide Threat hearing before the Senate Select Committee on Intelligence, cited their concerns about cyber-security and noted that China and Russia run robust intrusion operations against key US industries and the government. "I do not think today it is necessarily [the] number one threat, but it will be tomorrow," Mueller said. "Counterterrorism — stopping terrorist attacks — with the FBI is the present number one priority. But down the road, the cyberthreat, which cuts across all [FBI] programs, will be the number one threat to the country."

(U) A report released in November by the National Counterintelligence Executive singled out Russia and China for their aggressive efforts to steal American intellectual property, trade secrets and national security information. "The cyberthreat is one of the most challenging ones we face," Clapper said. "Among state actors, we're particularly concerned about entities within China and Russia conducting intrusions into US computer networks and stealing US data. And the growing role that nonstate actors are playing in cyberspace is a great example of the easy access to potentially disruptive and even lethal technology and know-how by such groups." "We foresee a cyber-environment in which emerging technologies are developed and implemented before security responses can be put in place," Clapper said. US officials estimate that there are 60,000 new malicious computer programs identified each day.

(U) In January, the computer security firm Symantec released a report on a Trojan horse program dubbed "Sykipot," which researchers say was traced to computer servers in China and was allegedly targeting firms in the defense industry. "The Sykipot attackers have a long running history of attacks against multiple industries. Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future," Symantec noted in a blog posting.

(U) In the past several years there has been a growing list of complex computer breaches that highlight the wide array of threats the officials were testifying about:

(U) The high-profile intrusions of Google's by China in 2009 also targeted as many as 30 other high-tech companies including Yahoo, Adobe, Rackspace and Northrop Grumman. US officials believe China was attempting to gain access to these firms' networks to obtain intellectual property and source code information.

(U) China is also believed to be behind hacking into computer systems run by NASDAQ-OMX, the parent company of the NASDAQ stock exchange, and an intrusion last year into computers at the International Monetary Fund.

(U) Last year RSA, the security division of the EMC Corp., suffered a breach of the firm's intellectual property, SecurID, which provides encrypted authentication services to defense contractors and the US government, including the FBI. US officials say Chinese entities compromised the RSA SecurID system to try to break into computers used by defense contractor Lockheed Martin.

(U) In 2007, Russia waged cyber-attacks against computer systems in Estonia and US officials have also cited Russia using cyber-capabilities in the conflict between Russia and Georgia in 2008.


(U) Non-state entities such as the computer "hacktivist" group Anonymous have wreaked havoc recently with distributed denial of service attacks against the websites of the Justice Department, Universal Music, the Motion Picture Association of America, the Recording Industry Association of America and the FBI. Anonymous also has conducted sophisticated intrusions, breaching the computer systems of government contractor HB Gary, a cybersecurity firm, in early 2011 when they downloaded more than 50,000 emails from the firm and posted private information about the CEO on his own Twitter account.

(U) Congress is expected to take up debate shortly about pending cyber-security legislation that could possibly give the Department of Homeland Security new authorities to protect critical computer networks. Senators questioned the panel about why they have not done more to move forward on the issue. "I can tell you that we are exceptionally concerned about that threat," Mueller said, citing the establishment of the National Cyber Investigative Joint Task Force that brings together the 18 intelligence agencies to work on various cyber threats. "In the same way we changed to address terrorism, we have to change to address ," Mueller said. "And so we have to build up the collective addressing of that threat in the same way that we did so and broke down the walls in the wake of September 11th."

(U) FBI Admits Group's Eavesdropping (The New York Times, 03 FEB 2012)

(U) The international hackers group known as Anonymous turned the tables on the FBI by listening in on a conference call last month between the bureau, Scotland Yard and other foreign police agencies about their joint investigation of the group and its allies. Anonymous posted a 16-minute recording of the call on the Web on Friday and crowed about the episode via Twitter: "The FBI might be curious how we're able to continuously read their internal comms for some time now." Hours later, the group took responsibility for hacking the Web site of a law firm that had represented Staff Sgt. Frank Wuterich, who was accused of leading a group of Marines responsible for killing 24 unarmed civilians in Haditha, Iraq, in 2005. The group said it would soon make public "mails, faxes, transcriptions" and other material related to the case, taken from the site of Puckett & Faraj, a Washington-area law firm. A voluminous 2.55 gigabyte file labeled as those files was later posted on a site often used by hackers, Pirate Bay.

(U) Regarding the conference call, an FBI official said Anonymous had not in fact hacked into it or any other bureau facilities. Instead, the official said, the group had simply obtained an e-mail giving the time, telephone number and access code for the call. The e-mail had been sent on Jan. 13 to more than three dozen people at the bureau, Scotland Yard, and agencies in France, Germany, Ireland, the and Sweden. One recipient, a foreign police official, evidently forwarded the notification to a private account, he said, and it was then intercepted by Anonymous. "It's not really that sophisticated," said the official, who would discuss the episode only on condition of anonymity. He said no Federal Bureau of Investigation system was compromised but noted that communications security was more challenging when agencies in multiple countries were involved. "We're always looking at ways to make our communications more secure, and obviously we'll be taking a look at what happened here," he said.

(U) The bureau issued a brief statement confirming the intrusion, which was first reported by The Associated Press: “The information was intended for law enforcement officers only and was illegally obtained. A criminal investigation is under way to identify and hold accountable those responsible.”


(U) The breach, clearly an embarrassment for investigators, is the latest chapter in a continuing war of words and contest of technology between hacking groups and their perceived opponents in law enforcement and the corporate world.

(U) The FBI e-mail titled “Anon-Lulz International Coordination Call” — a reference to Anonymous and to an allied group of hackers, Lulz Security — announced a conference call for investigators “to discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups.” The recording posted on YouTube and elsewhere included American and British voices discussing suspects in the case. The call begins with banter between an American named Bruce and British officials named Stewart or Stuart and Matt, who are joined by another official from FBI headquarters, Timothy F. Lauster Jr., who sent the e-mail announcing the conference call.

(U) The conference call illustrates both the scale of the international police effort to identify and prosecute the hackers, and the striking contrast in age and status of the investigators and their targets: what seem to be middle-aged law enforcement officials on two continents are overheard dissecting the illicit activities of teenagers. A British official refers to Ryan Cleary and Jake Davis, two British teenagers who have been arrested and are wanted in the United States on suspicion of having ties to Anonymous. The British official describes a 325-page report analyzing Ryan Cleary’s hard drive, and an FBI agent in Los Angeles discusses various suspects and their nicknames. The investigators also refer to several suspects who had not yet been arrested, including one who calls himself Tehwongz, described by the British official as “a 15-year-old kid who’s basically just doing this all for attention and is a bit of an idiot.”

(U) The conversation was part of an international criminal investigation that began in 2010 after Anonymous championed WikiLeaks by mounting electronic attacks on MasterCard and PayPal and other sites that had stopped collecting donations for the antisecrecy organization. Last month, Anonymous attacked the Web sites of the Justice Department and major entertainment companies in retaliation for criminal charges against the founders of Megaupload, a popular Internet service used to transfer music and movies anonymously.

(U) The hackers could have penetrated the law-enforcement official’s personal e-mail account by guessing a weak password, sneaking into an unencrypted wireless network, or, most likely, with a common and relatively easy tactic known as a phishing attack, said a computer science professor at Polytechnic Institute of New York University and a security expert. A phishing attack involves sending an e-mail that looks like it is from a friend or relative and persuading the recipient to click on a link that allows every keystroke entered on that particular computer to be recorded. Recording keystrokes is an efficient way to steal someone’s e-mail username and password. “The real issue for law-enforcement officials is they need to be better educated about how they handle sensitive data on their e-mails,” the professor said. “It’s an easy vulnerability to crack. If you’re not careful it’s a very dangerous attack.”

(U) The same methods may have been used to hack the Web site of the lawyers who represented Sergeant Wuterich, Neal Puckett and Haytham Faraj. Their Web site was defaced by the hackers to display a message from Anonymous saying it was exposing “the corruption of the court systems and the brutality of US imperialism,” Gawker.com reported. Later, the site was taken down. In an interview late Friday, Mr. Faraj said he thought that little of the material stolen from their site related to the Haditha case, though some documents might relate to a polygraph that he said Sergeant Wuterich had passed. He said he feared the documents might include a confidential statement from a rape victim in an unrelated case. “I think in their haste to put stuff out there, they’re going to hurt some people,” he said.

(U) Mr. Faraj said he had represented Guantanamo detainees and had supported and offered to represent Pfc. Bradley Manning, the soldier accused of providing documents to WikiLeaks, suggesting that the hackers of Anonymous may be inadvertently attacking someone who shares some of their presumed political views. “They got the wrong guy,” he said. He said the FBI had contacted the law firm and opened an investigation.

(U) Sergeant Wuterich, 31, pleaded guilty last month in a military court in California to dereliction of duty, telling the judge that he regretted ordering his men to “shoot first, ask questions later.” As part of a plea agreement, however, he received no prison time, though his rank was reduced to private. The sentence sparked anger in Iraq and among some human rights advocates, and the Anonymous message complained that Sergeant Wuterich had gotten “only a pay cut” as a penalty.

(U) Cybersecurity Report Stresses Need for Cooperation (Network World, 30 JAN 2012)

(U) As they grapple with a growing crop of increasingly sophisticated threats that know no political borders, nations must dramatically improve their framework for coordinating on cybersecurity policy and preventing and responding to attacks, according to a new study sponsored by security software vendor McAfee. McAfee commissioned the Security and Defense Agenda (SDA), a prominent think tank based in Brussels, to canvass global leaders and cybersecurity experts for the report entitled, "Cybersecurity: The Vexed Question of Global Rules," released at an event in late January.

(U) The authors of the report emphasized the need for sharing information about threats in real time, both among nations around the globe and between the public and private sectors in any given country. Some 57 percent of the leaders and experts polled said they believe the world is in the midst of a cyber arms race, and 36 percent said that cybersecurity should rank as a higher priority than missile defense programs. Those findings underscore the new reality that cyber operations, both offensive and defensive, play an increasingly central role in virtually every modern military and intelligence operation, even if the sort of full-on electronic warfare that could knock out a regional electric grid or telecommunications system has yet to transpire.

(U) Under Cyber Assault

(U) "We're not in cyber wars today but all of the nations that were surveyed feel that they're under assault from a significant campaign of cyber espionage," said a partner with the law firm of Steptoe and Johnson who served as assistant secretary at the Department of Homeland Security under the George W. Bush administration. "People recognize it isn't happening now, but the attackers who are engaged in cyber espionage are so effective that it's obvious that if they chose to they could turn to having the equivalent of kinetic effects without too much difficulty, and consequently, for most countries, the prospect of cyber war is very real but has not yet eventuated," he said.

(U) The authors of the report evaluated the level of cyber readiness in 23 countries based on a methodology developed by Robert Lentz, the president and CEO of the consultancy Cyber Security Strategies and a former deputy assistant secretary of defense. Lentz's model is a five-step roadmap that evaluates the relative maturity of the cyber defenses of a government or business, with the ultimate goal of reaching a high level of resilience. No country the researchers evaluated merited a score of five, though three (Finland, Israel and Sweden) received a four-and-a-half. The United States, along with several European nations, including the United Kingdom, France and Germany, earned a four.

(U) Meanwhile, several nations with surging online populations didn't fare so well, including Mexico, which received a two, the lowest of any country evaluated, and India and Brazil, both scoring two-and-a-half, and China and Russia, which both scored a three. Lentz explained that most countries have yet to reach the higher levels of cyber maturity, marked by codified standards and data exchanges and, eventually, an agile defense system with cyber defenses layered into sophisticated sensors and intrusion prevention systems spanning from host to gateway. "They're really not looking at this in terms of a long-term consequence or strategy," Lentz said. "So as a result, they are very, very focused on the near term."

(U) Legislation on the Horizon

(U) The McAfee-SDA report comes out as members of the Senate are putting the finishing touches on a comprehensive cybersecurity overhaul bill. "We are working hard toward having something out this week," said the counsel for the majority staff of the Senate Homeland Security and Government Affairs Committee. Several draft bills have been circulating around the upper chamber outlining various approaches toward many of the contentious issues in play, particularly the balance of federal oversight of private networks and infrastructure, but as of Sunday, he said that Majority Leader Harry Reid's office had still indicated the intention to schedule time for a floor debate in the current working period.

(U) The Obama administration delivered a set of legislative proposals to Congress last May, asking for additional authorities to safeguard digital infrastructure. Last week, on the heels of the president's State of the Union address, White House Cybersecurity Coordinator Howard Schmidt reiterated the administration's support for comprehensive legislation, seeming to reject the more piecemeal approach that lawmakers have taken in the House, where work on cybersecurity issues has been balkanized into a series of more limited bills working their way through the various committees that hold jurisdiction. "Legislation that fails to provide the legislative authorities our professionals need to work with the private sector to ensure the safe and reliable operation of our critical infrastructure networks would not be commensurate with the very real and urgent risks to our nation," Schmidt wrote in a post on the White House blog.

(U) A Model for Information Sharing

(U) The Steptoe and Johnson law partner said that the bill that emerges in the Senate will address the crucial question of information sharing, as do some of the proposals pending in the House. That keeps with the spirit of the McAfee/SDA report, which favors a model developed in the Netherlands that established a third-party cyber exchange for sharing threat information between the public and private sectors. But in the private sector, sharing inherently sensitive information about security threats invites a host of concerns about consumer privacy and reputational damage, not to mention the widely held feeling that public-private partnerships too often don't flow as a two-way street. "The government only inhales, it never exhales," said the director of the Cyber Statecraft Initiative at the Atlantic Council, a Washington think tank. "It will take all the information but it will take any excuse to not share," added the director, who served as director of cyber infrastructure protection at the White House from 2003 to 2005.

(U) The information-sharing question, then, requires a good-faith effort, both between public and private sector entities and among nations. The authors of the McAfee-SDA report highlighted the absence of any widely adopted framework for multinational coordination on cyber defenses and intelligence gathering. The authors recommend against a multinational treaty on cybersecurity in the model of traditional arms control conventions, as some leaders have advocated. They warn that such a measure would be unverifiable and unenforceable, and could not account for common practices in the cyber world, such as the use of off-shore proxies to carry out espionage and attacks.

(U) Instead, they call for cyber-confidence measures that would codify a set of norms in the cyber realm and provide for a level of transparency with regard to the use of cyber tactics in military doctrine. Proposals to develop such a framework, which would aim to cultivate a climate of trust and honest engagement in the global community, are under consideration at the United Nations and the Organization for Economic Cooperation and Development, and could appear on the agenda at international conferences on cyber issues scheduled this year in Budapest and next year in South Korea. "It goes back to trust," said McAfee's vice president and CTO for the global public sector, "because you get what you give in information sharing."

(U) Cybersecurity Lessons from the Battlefields of Europe (Network World, 31 JAN 2012)

(U) At the beginning of WWI, battlefield tactics had not advanced much since the US Civil War. The general goal was to continually advance on the enemy with waves of infantry attacks and eventually break through the lines by overwhelming enemy defenses. It didn’t take long until both sides realized that things had changed. With the invention of the water-cooled machine gun and pill box fortification, human waves were not only ineffective but also resulted in mass casualties. The sides adapted to this new reality with trench warfare, long-range munitions, and a battlefield stalemate for much of the war.

(U) There are countless examples like this in the history of warfare where technology advancement forced tactical changes for both offense and defense. In theory, cybersecurity should behave in a similar way where new threats lead to new defenses and tactics. Unfortunately however, things don’t always progress so quickly. Take Advanced Persistent Threats (APTs) for example. APTs have been in the mainstream since the Aurora attack was first exposed by Google in January 2010 but many organizations haven’t adapted defenses or tactics accordingly. Why? Several reasons:

(U) 1. Executives don’t get it. CISOs who lobby executives for more money tend to be faced with a rather cynical question: Why do you need to invest in new security technologies when we’ve already invested millions? This is like a WWI general asking why the troops needed shovels to dig trenches when they were already trained to charge the enemy.

(U) 2. Security staff wants a canned solution. In the past, each new type of threat (e.g. SPAM, spyware, DOS attacks, etc.) was addressed with a discrete threat management solution but this no longer works. APTs exploit the gaps between security defenses with 0-day vulnerabilities, credentials harvesting, DDNS, and homegrown encryption algorithms and transport protocols. Rather than a one-size-fits-all APT solution, enterprises need defenses for each stage of an attack.

(U) 3. If you can’t see the enemy, you can’t defeat the enemy. I’m sure Sun Tzu said something along these lines and it is certainly true in cybersecurity. The situational awareness tools in use today typically capture and analyze a fraction of the data needed. Many of these platforms also need custom coding and must be managed by highly-skilled security analysts. As a result, security intelligence remains an exclusive and elitist club.

(U) In WWI, the military adapted quickly for two main reasons. First, they faced a life or death situation so there was a real sense of urgency. Second, armies are hierarchical organizations so when generals mandate changes in training and tactics, everyone else falls into line. Like WWI weapons advances, we’ve reached a new era where our enemies are embracing new technologies and offensive tactics. We need to respond with appropriate changes in defenses, skills, and situational awareness. Like it or not, we are engaged in a cybersecurity arms race, and our adversaries show no sign of fatigue. If your organization isn’t willing to recognize this, understand the enemy, and adapt accordingly, you may as well disconnect from the Internet before an inevitable attack.

(U) Fake Windows Updater Targets Government Contractors, Stealing Sensitive Data (arstechnica.com, 31 JAN 2012)


(U) ThreatExpert Malware Failure Dialog Box

(U) Two security companies today released a joint report describing an ongoing series of attacks against government contractors that have been occurring since at least early 2009. According to the vendors Seculert and Zscaler, attackers are sending firms phishing e-mails with fake invitations to conferences, often in the form of PDF files that exploit flaws in Adobe Reader. The file installs what the vendors call an "MSUpdater" Trojan that poses as a legitimate Windows Update process. In reality, the Trojan is a remote access tool that can steal information from a company's network for as long as the breach remains undiscovered.

(U) "Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks," the report states, without identifying specific attack targets. The vendors believe the attacks are either state-sponsored or perpetrated by a high-profile group of attackers, but haven't yet been able to determine their identities, the Seculert CTO told Ars Technica. One spear-phishing attack using the method described was launched against a US-based defense technology company in September 2010, with an e-mail containing a PDF invitation to the International Conference Series on Intelligent Sensors, Sensor Networks, and Information Processing. "Clearly, it is a highly targeted attack on that global defense technology company," Seculert and Zscaler write. "The attachment allegedly exploited Adobe Reader vulnerabilities and dropped a few executable files, among which is 'msupdater.exe'."

(U) A zero-day vulnerability within Adobe Reader at that time allowed the attack, and was patched by Adobe in October 2010. But the MSUpdater attackers simply latch on to new zero-day vulnerabilities as they occur and exploit them until they are closed and newer ones come along, Raff says. Some cases have involved Excel files, but Raff says the attacks mainly use PDFs and exploit Adobe vulnerabilities.

(U) Both Seculert and Zscaler say they have observed these attacks recently targeting their own customers. Zscaler writes in its own analysis that the attacks are sophisticated and can go undetected for long periods of time. Once a Trojan is installed, the target machines begin communicating with the attackers' command and control server. Despite the presence of a centralized command and control server, creating a botnet does not appear to be the attackers' goal. Instead, they are stealing information and controlling specific targets.

(U) "The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox," Zscaler writes. "The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection."
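One defensive check the MSUpdater description suggests, written here as an added example (constructed sample data; not code from the bulletin, Seculert or Zscaler): the genuine Windows Update client runs from the Windows system directories and carries a Microsoft signature, so an update-themed image name such as msupdater.exe that fails either test is worth an analyst's attention. The directory list, name pattern and signer string are assumptions for the illustration.

```python
"""Triage a process inventory for Windows Update look-alikes (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories from which the real Windows Update client is expected to run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Image names that echo Windows Update ("wuauclt.exe" is the genuine client;
# "msupdater.exe" is the name reported for the Trojan).
UPDATE_NAME_RE = re.compile(r"(msupdat|wuauclt|winupdat|windowsupdat)", re.IGNORECASE)

# Publisher string a signature check is assumed to return for Windows OS binaries.
EXPECTED_SIGNER = "microsoft windows"


@dataclass
class Process:
    pid: int
    name: str
    path: str        # full image path
    signer: str      # Authenticode publisher, "" when unsigned


def in_system_dir(path: str) -> bool:
    """True when the image path lies under a Windows system directory."""
    lowered = path.lower()
    return any(lowered.startswith(d) for d in SYSTEM_DIRS)


def lookalike_reasons(proc: Process) -> List[str]:
    """Reasons an update-themed process looks suspicious; empty if it looks genuine."""
    if not UPDATE_NAME_RE.search(proc.name):
        return []                      # not update-themed, out of scope here
    reasons = []
    if not in_system_dir(proc.path):
        reasons.append("runs outside the Windows system directories")
    if proc.signer.lower() != EXPECTED_SIGNER:
        reasons.append("image is not signed by Microsoft Windows")
    return reasons


def triage(inventory: List[Process]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process flagged as an update look-alike."""
    flagged = {}
    for proc in inventory:
        reasons = lookalike_reasons(proc)
        if reasons:
            flagged[proc.pid] = reasons
    return flagged


# Constructed inventory: one genuine client, one look-alike dropped into a
# user's Temp directory, one unrelated process.
SAMPLE_INVENTORY = [
    Process(812, "wuauclt.exe", r"C:\Windows\System32\wuauclt.exe", "Microsoft Windows"),
    Process(2044, "msupdater.exe",
            r"C:\Users\analyst\AppData\Local\Temp\msupdater.exe", ""),
    Process(3120, "notepad.exe", r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_INVENTORY).items():
        print(pid, "; ".join(reasons))
```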


(U) To be clear, one reason Seculert is reporting on the attack is to publicize its own FogSense service, which is designed to run long-term analytics to identify threats such as these. Seculert says that "if your organization encounters this type of advanced threat, it will most likely be persistent and bound to exist undetected for a long period of time in your network, as well as most probable to happen again in the future."

(U) 13 Security Myths You'll Hear, but Should You Believe? (Network World, 14 FEB 2012)

(U) They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in other words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:

(U) Security Myth No. 1: "More security is always better."

(U) A security expert and author of several books, including his most recent, "Liars and Outliers," explains why this security concept of "you can't get enough" that's often bandied about is off the mark to him. He explains: "More security isn't necessarily better. First security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut." He also notes that "additional security is subject to diminishing returns. That is, measures that reduce a particular crime -- say, shoplifting -- by 25 percent cost some amount of money; but additional measures to reduce it another 25 percent cost much more. There will always be a point where more security isn't worth it. And as a corollary, absolute security is not achievable." Sometimes security may even become a moral choice and being in compliance might be an immoral decision, as it could pertain to a totalitarian system, for example. "Security enforces compliance, and sometimes complying isn't the right thing to do."

(U) Security Myth No. 2: "The DDoS problem is bandwidth-oriented."

(U) "There are a lot of urban myths you hear over time that aren't backed up by real evidence," says the vice president of security solutions at Radware, who says there's a widespread belief among IT managers that if only they had enough bandwidth, distributed denial-of-service (DDoS) attacks would go away. The reality, he claims, is that since last year, it's become evident that more than half of DDoS attacks are not characterized by bandwidth at all but are application-oriented, where attackers strike at the application stack, and exploit standards for purposes of service disruption. In these circumstances, having more bandwidth actually helps the attacker. In fact, only about one-quarter of the DDoS attacks seen today are mitigated by adding bandwidth, he contends.

(U) Security Myth No. 3: "Regular expiration (typically every 90 days) strengthens password systems."

(U) "I think this is like the nutritional advice that urges us to drink eight glasses of water a day," says the chief scientist at RSA, the security division of EMC, about his favorite myth, which is that passwords should be expired regularly. No one knows where this came from or if it's good advice at all, he points out. "In fact, recent research suggests that regular password expiration may not be useful," he says. Research that RSA Labs has done suggests that if an organization is going to expire passwords, it should do so on a random schedule, not a fixed one.

(U) Security Myth No. 4: "You can rely on the wisdom of the crowds."


(U) "Over and over again, an employee will get an email from someone saying there's a new virus" or some other type of imminent danger on the Internet has cropped up and they'll contact the IT department, says the vice president of information technology for the Phoenix Suns basketball team. But upon investigation, these commonly shared notions never seem to pan out as being new at all, he says. In fact, most of the time, the panic is about well-known malware threats first spotted a decade ago.

(U) Security Myth No. 5: "Client-side virtualization will solve the security problems of 'bring your own device.'"

(U) "The myth I keep hearing is BYOD security problems will be solved by having a 'work' virtual machine and a 'personal' virtual machine," says a Gartner analyst. "That way, all the risk on the personal side will be contained and no data will be leaked from the work side to the play side." But the Gartner analyst says he's skeptical. "The intelligence community tried this years ago, NSA paid a tiny (at that time) company named VMware to develop a product called NetTop for intelligence analyst use which created separate VMs for Secret, Top Secret, Unclassified, etc. it immediately ran into a problem, analysts don't work in Secret now, Top Secret later, they work across all domains at once and need to move things between domains. The same is true today with 'work' and 'play.' The first thing that happens with client-side virtualization is that I get personal email in my work environment and I need to use it in my personal world (or vice versa) -- so I email it to myself or use a USB stick to transfer across, and all separation is lost. Virtualization is just a big waste of money. NetTop is still around, very limited use in the intelligence community and that was the most likely place it could succeed!"

(U) Security Myth No. 6: "IT should encourage users to use completely random passwords to increase password strength and they should also require passwords to be changed at least every 30 days."

(U) The reality, contends the director of Symantec security response, is "completely random passwords can be strong but they have disadvantages, too: they are usually difficult to remember and slow to type. In reality, it is pretty easy to create passwords that are just as strong as random ones, but much easier to remember by using a few simple techniques. Passwords that are at least 14 characters long, utilize upper- and lower-case letters, two numbers and two symbols are typically quite strong and can be formulated into a pretty easy to remember phrase." He adds that while 30-day expiration might be good advice for some high-risk environments, it often is not the best policy because such a short period of time tends to induce users to develop predictable patterns or otherwise decrease the effectiveness of their passwords. A length of between 90 and 120 days is "more realistic," he says.
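Two checks that follow from Myth No. 6, as an added example (not code from the bulletin or Symantec): `policy_failures` applies the rule quoted above (at least 14 characters, upper- and lower-case letters, two numbers and two symbols), and `is_predictable_successor` flags the mechanical rotations ("Winter2011!" to "Winter2012!") that short expiry windows tend to induce, which is the failure mode the passage warns about. The rotation heuristic (strip digits and symbols from the ends, allow one edit) is an assumption for the illustration.

```python
"""Password-policy and rotation-pattern checks (added example)."""
import string

MIN_LENGTH = 14
MIN_DIGITS = 2
MIN_SYMBOLS = 2


def policy_failures(password: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        failures.append(f"fewer than {MIN_DIGITS} digits")
    if sum(c in string.punctuation for c in password) < MIN_SYMBOLS:
        failures.append(f"fewer than {MIN_SYMBOLS} symbols")
    return failures


def _core(password: str) -> str:
    """Lower-case the password and strip digits/symbols from both ends,
    leaving the part users tend to keep when they 'rotate' a password."""
    return password.lower().strip(string.digits + string.punctuation)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (fine for password-sized strings)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_successor(old: str, new: str) -> bool:
    """True when `new` is `old` with only its leading/trailing digits or
    symbols changed, or at most one character substituted/inserted/deleted.
    A rotation check like this is what a 30-day cycle makes necessary."""
    old_core, new_core = _core(old), _core(new)
    if not old_core or not new_core:
        return False
    return _edit_distance(old_core, new_core) <= 1


if __name__ == "__main__":
    # Constructed sample values.
    print(policy_failures("Tampa!Winter2012?Bulletin"))      # []
    print(policy_failures("Password1!"))
    print(is_predictable_successor("Winter2011!", "Winter2012!"))  # True
```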

(U) Security Myth No. 7: "Any computer virus will produce a visible symptom on the screen."

(U) "To the man in the street, computer viruses are mostly a myth. That is to say, most of what he believes about malware comes to him from science fiction, from television and the movies," says the president of G Data Software North America. "My favorite is probably the idea that any computer virus will produce a visible symptom on the screen, showing the files melting away or making the computer itself catch on fire. This extrapolates down until people blame everything that goes wrong with their computer on a virus." He adds: "And that lack of visible trouble means that a system is obviously malware free."

(U) Security Myth No. 8: "We are not a target."

(U) "Mostly I hear it from victims," says the senior managing director for the cybersecurity and information assurance practice at Kroll. "They think they aren't worth hacking. Some say it's not worthwhile because they're a small business, not on anybody's radar. Others contend they don't collect Social Security numbers, credit card data or other 'valuable' information. They are usually wrong."


(U) Security Myth No. 9: "Software today isn't any better than it used to be in terms of security holes."

(U) "There are a whole bunch of people actively claiming software isn't any better because of the holes in it," says the chief technology officer at Cigital. But, he argues, "We have gotten way better" and "the defect density ratio is going down." He says safe coding practices are much better understood today than a decade or two ago and the tools for it are available. "We know what to do," he says. The point that's sometimes overlooked, he says, is that in comparison to the era of Windows 95, there is simply so much more software code being written and "the square miles of code we're building is bigger than ever before." The sheer volume of code is why it sounds like software today is as full of vulnerabilities as was experienced in decades past, but the opposite is true. He adds: "Perfection is impossible."

(U) Security Myth No. 10: "Sensitive information transfer via SSL session is secure."

(U) "Companies often use SSL to send sensitive information from customers or partners with the assumption that transferring via SSL session is secure," says the chief technology officer, Americas, NCP Engineering. "But increasingly, vulnerabilities during this process have surfaced." He notes that Citigroup last year suffered a breach that can be chalked up to a problem in this regard, and it isn't an isolated case. "Swiss researchers recently published a memo describing a way to gather information about the data transmitted over an SSL channel by exploiting a vulnerability in the implementations of block ciphers, such as AES." He says there are doubts about SSL session security, and "perhaps the ideal way to avoid this pitfall is to never use the same key stream to encrypt two different documents." Ender also adds that another favorite security myth has to do with any notion that using trusted certificates from a certificate authority is airtight. He contends last year's trouble with spoofed fraudulent certificates has shown that to be a myth.
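Why the key-stream rule quoted above holds, as an added example (not code from the bulletin or NCP Engineering, and not how SSL/TLS encrypts): a toy counter-mode stream cipher built from HMAC-SHA256 shows that when two documents share one key stream, XORing the two ciphertexts cancels the key stream and leaves the XOR of the plaintexts, so the key protected nothing; the hardened variant draws a fresh random nonce per message. The key, nonce length and sample documents are constructed for the illustration.

```python
"""Why a key stream must never be reused (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode key stream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fixed_nonce(key: bytes, message: bytes) -> bytes:
    """WEAK: every document is encrypted under the same key stream."""
    return xor_bytes(message, keystream(key, bytes(NONCE_LEN), len(message)))


def encrypt(key: bytes, message: bytes) -> bytes:
    """Hardened: a fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(message, keystream(key, nonce, len(message)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(): split off the nonce and regenerate its key stream."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the key played no part."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample documents, padded to equal length.
DOC_A = b"quarterly report, draft 3".ljust(32)
DOC_B = b"board minutes, final copy".ljust(32)


def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Compare the weak and hardened constructions on the sample documents."""
    weak_a = encrypt_fixed_nonce(key, DOC_A)
    weak_b = encrypt_fixed_nonce(key, DOC_B)
    safe_a = encrypt(key, DOC_A)
    safe_b = encrypt(key, DOC_B)
    return {
        # Same key stream twice: the plaintext XOR is exposed without the key.
        "weak_leaks": keystream_cancels(weak_a, weak_b, DOC_A, DOC_B),
        # Distinct nonces: the ciphertext XOR says nothing about the plaintexts.
        "hardened_leaks": keystream_cancels(
            safe_a[NONCE_LEN:], safe_b[NONCE_LEN:], DOC_A, DOC_B),
        "roundtrip_ok": decrypt(key, safe_a) == DOC_A and decrypt(key, safe_b) == DOC_B,
    }


if __name__ == "__main__":
    print(demo())   # weak_leaks True, hardened_leaks False, roundtrip_ok True
```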

(U) Security Myth No. 11: "Endpoint security software is a commodity product."

(U) An analyst at Enterprise Strategy Group (ESG), says it did appear that the majority of enterprise security professionals did agree with this statement about endpoint security products basically being all the same and a commodity when they were asked about it as a survey question by ESG. But the analyst says he has to disagree with the idea that endpoint security software is basically all the same. "I believe this is a complete myth," he says. "Endpoint security products are vastly different in terms of levels of protection and feature/functionality." He adds that he even thinks that most organizations are unaware of the capabilities of the endpoint security products they have acquired and "therefore don't use the products appropriately for maximum protection."

(U) Security Myth No. 12: "Sure, we have a firewall on our network; of course we're protected!"

(U) An information technology security analyst at the University of Arkansas for Medical Sciences, who says he has spent a decade as a firewall administrator, says there are plenty of myths about firewalls. Acknowledging he might have believed a few of them over the years, the analyst says the ones that stand out for him are that "firewalls are always a piece of hardware" and "a properly configured firewall will protect you from all threats." About this second one he notes: "Nothing quite says hello like malicious content encapsulated over an SSL connection infecting your workstations." Other firewall myths he knows of include "with a firewall, there's no need for antivirus software" and one that really gets his ire, "Brand 'X' firewall protects against even zero-day threats." About this, he says, "New exploits against firewall protections are identified faster than they are mitigated. A firewall shall never be a 'fire and forget' solution for perimeter protection, EVER!"


(U) Security Myth No. 13: "You should not upload malware samples found as part of a targeted attack to reputable malware vendors or services."

(U) The director of malware analysis for Dell SecureWorks, says he has heard this recommendation, which he considers to be "flawed advice." He says the idea came about because, "First, the theory goes that the attacker may be watching public sandboxes and virus scanners for signs of their malware, and uploading samples found during an incident response will tip them off that they have been detected." He notes a secondary reason sometimes suggested is that in a targeted attack, the malware may have clues as to who the target is, leading to unintentional notification of the attack. He says the counter-arguments he makes are, "The first point assumes the attacker has time to check for such things regularly. That is likely not the case, as even in targeted attacks, there are often dozens of victims in a single campaign, with the same attacker launching several campaigns per year. Attackers with even a small number of targets rarely use a unique strain of malware for each target, instead they rotate through a set of preselected Trojans over time, tweaking them along the way to avoid antivirus detection. So even if a malware sample shows up on one of the public malware tracking sites, there's no guarantee that the attacker will check for it, and even if they do, no guarantee which target found the sample and uploaded it." Stewart says there's a great benefit to sharing samples involved in targeted attacks. And as to malware revealing the names of targeted institutions, he acknowledges "it's possible however it is not frequently seen." He adds that state/industrial espionage has become a "fact of life on the modern Internet" and no one should be surprised to hear any company or government was the target of an attack "if they have some information useful to another nation-state." Stewart says it's his own view that "attempting to keep reports about this activity quiet are harming everyone except the attackers in the long run."

(U) Malware Network Threats Rising, How to Defend Yourself (CIO Magazine, 15 FEB 2012)

(U) In 2011, cybercriminals stepped up their game with the creation of malware networks (malnets), distributed network infrastructures that exploit popular places on the Internet like search engines and social networking sites to repeatedly launch a variety of malware attacks. Security firm Blue Coat Systems began tracking malnets this past year. In its 2012 security report, Blue Coat noted that malnet infrastructures give cybercriminals the capability to launch dynamic attacks that traditional anti-virus solutions typically don't detect for days or even months. It pointed to one malware payload that in February 2011 changed its location more than 1,500 times in a single day. "We track in the order of 500 of these," the senior director of product marketing at Blue Coat told CIO.com. "Some are very small and some are global. Vast parts of these networks may be silent for months. It's a very effective way to evade law enforcement."

(U) The largest malnet identified by Blue Coat is Shnakule, which averages 1,269 hosts. It is distributed across North America, South America, Europe and Asia, and its malicious activity deals in drive-by downloads, fake AV, codecs, Flash and updates, botnet CnC controls, pornography, gambling and work-at-home scams. Blue Coat said that in July it expanded its traditional activities to include malvertising.

(U) How Malnets Operate

(U) Malnets are a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload, often using trusted sites as the starting point. Using this infrastructure and trending news- or celebrity-related lures, Blue Coat said cybercriminals can rapidly launch new attacks that attract many potential victims before security technologies can identify and block them. "A lot of legitimate sites are actually infected," the Blue Coat senior director said. "In some cases, you've got legitimate websites with up to 74 percent malicious content." Perhaps the most popular way to lure unsuspecting users is search engine poisoning (SEP), which uses search engine optimization (SEO) techniques to seed malware sites high in common search results. "About 1 in 142 searches or so led to a malicious URL in 2011," he said. "When you look at how important search requests are to all of us, that's pretty scary."

(U) Blue Coat said each attack uses different trusted sites and bait to lure users. Some of the attacks don't even use relay servers. Once the users take the bait they are taken directly to exploit servers that identify the user's system or application vulnerabilities and use that information to serve a malware payload. "In some cases, as with iFrame injections, users will travel the malnet path unknowingly," Blue Coat said. "The relay and exploit server action takes place in the background and secretly installs malware. In other cases, downloading malware requires the user to click on a link."

(U) While search engines/portals and email remain the categories of content most targeted by criminals, social networking sites also surged in popularity in 2011, the senior director said. It should come as no surprise; Blue Coat said malnet operators follow low-investment/high-impact strategies, and search engines, portals and social networking sites offer an abundance of potential victims. But those aren't the only categories that are at risk. Malnet operators like to hide their malicious payloads in plain sight, and online storage sites and software download sites are especially appealing because hosting files is part of their business models. Blue Coat said that in 2011, 74 percent of all new ratings in online storage were malicious.

(U) Best Threat Protection Practices

(U) Given the evolving nature of the threat, how can IT organizations defend themselves and their employees? Blue Coat recommends six best practices:

(U) Know your logs and check them frequently. Reviewing the traffic on your network can help you identify anomalous behavior, like an infected computer attempting to phone home to a command-and-control console. If you see a lot of unrated traffic from a computer on your network, it may be a sign that you have a problem.

(U) Block all executable content from unrated domains. This is a no-brainer. If content that cannot be rated is attempting to download an executable, there's a high probability that it is malicious.

(U) Set policies around dangerous and potentially dangerous categories. When it comes to suspect categories, either block them or at least block executables. High-risk categories include hacking and gambling sites, pornography, placeholder domains and proxy avoidance sites. Other at-risk categories include software downloads, open/mixed content, online storage, web advertisements, non-viewable content and dynamic DNS hosts.

(U) Block all non-SSL traffic that attempts to use port 443. Blue Coat said many bots use a custom encryption over port 443 to avoid detection when phoning home to their command-and-control servers. Organizations can increase their defense by using a proxy device to provide visibility into SSL traffic over port 443 and by blocking all non-SSL traffic attempting to use the port.

(U) Layer anti-virus solutions at the desktop and gateway. By deploying multiple anti-virus engines throughout your network, you can increase the chances that a malicious executable missed by one engine will be blocked by another.


(U) Use granular application and operation controls in addition to web filtering technology to mitigate the risks of social networking. Murthy pointed out that social networking sites have expanded to become an "Internet within the Internet," nearly self-contained environments in which users can do almost everything they would do in the wider Internet. As a result, businesses need detailed analysis and control that extends beyond the social networking sites to include individual web applications and content within those sites. For instance, Murthy noted that some government agencies have implemented a read-only policy and controls for Facebook.
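(U) As an added example, not from the article or from Blue Coat, the following Python turns three of the six practices above into checks that run over a constructed proxy log: it flags executable downloads from unrated domains, port 443 sessions with no TLS handshake, and, from the log review practice, clients whose traffic is mostly unrated and client/host pairs that connect at a fixed cadence like a bot phoning home. The log format, its field names and the sample hosts are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Rec(NamedTuple):
    ts: datetime
    client: str
    category: str  # the proxy's URL rating; "unrated" when no rating exists
    proto: str     # "tls" if the proxy observed a TLS handshake, "tcp" otherwise
    host: str
    port: int
    mime: str      # content type served, "-" for tunnelled/opaque sessions


# MIME types that indicate Windows executable content (assumption: the proxy
# records the served content type in this field).
EXECUTABLE_MIMES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}

# Constructed sample log (not real traffic) in a simplified, made-up format:
# timestamp client category proto host port mime
SAMPLE_LOG = """\
2012-02-15T09:00:00 10.1.2.5 search  tcp www.search.example 80  text/html
2012-02-15T09:00:12 10.1.2.5 unrated tcp dl-7f3a.example    80  application/x-msdownload
2012-02-15T09:00:15 10.1.2.5 news    tls www.news.example   443 text/html
2012-02-15T09:01:00 10.1.2.9 unrated tcp 203.0.113.7        443 -
2012-02-15T09:06:00 10.1.2.9 unrated tcp 203.0.113.7        443 -
2012-02-15T09:11:00 10.1.2.9 unrated tcp 203.0.113.7        443 -
2012-02-15T09:16:00 10.1.2.9 unrated tcp 203.0.113.7        443 -
2012-02-15T09:03:30 10.1.2.7 social  tls www.social.example 443 text/html
2012-02-15T09:40:00 10.1.2.7 social  tls www.social.example 443 image/png
2012-02-15T09:45:00 10.1.2.7 unrated tls cdn-9b1c.example   443 application/octet-stream
"""


def parse_log(text: str) -> List[Rec]:
    """Parse whitespace-separated lines of the constructed format into records."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, cat, proto, host, port, mime = line.split()
        recs.append(Rec(datetime.fromisoformat(ts), client, cat, proto, host,
                        int(port), mime))
    return recs


def unrated_executables(recs: List[Rec]) -> List[Rec]:
    """Practice 2: executable content served from a domain the proxy could not rate."""
    return [r for r in recs
            if r.category == "unrated" and r.mime in EXECUTABLE_MIMES]


def non_tls_on_443(recs: List[Rec]) -> List[Rec]:
    """Practice 4: port 443 sessions with no TLS handshake, i.e. something other
    than SSL hiding behind the HTTPS port (the article's custom-encryption bots)."""
    return [r for r in recs if r.port == 443 and r.proto != "tls"]


def unrated_share(recs: List[Rec]) -> Dict[str, float]:
    """Practice 1: fraction of each client's requests that are unrated. A client
    with a high share is the 'lot of unrated traffic' the article warns about."""
    total = Counter(r.client for r in recs)
    unrated = Counter(r.client for r in recs if r.category == "unrated")
    return {c: unrated[c] / total[c] for c in total}


def beacon_candidates(recs: List[Rec], min_hits: int = 4,
                      max_cv: float = 0.2) -> Dict[Tuple[str, str], float]:
    """Practice 1: phone-home detection. A (client, host) pair with at least
    min_hits connections whose spacing is nearly constant (coefficient of
    variation <= max_cv) looks like a bot polling its command-and-control host.
    Returns pair -> mean interval in seconds."""
    stamps_by_pair = defaultdict(list)
    for r in recs:
        stamps_by_pair[(r.client, r.host)].append(r.ts)
    found = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


def review(text: str) -> Dict[str, int]:
    """Run all checks over a log and return the number of findings per check."""
    recs = parse_log(text)
    return {
        "unrated_executables": len(unrated_executables(recs)),
        "non_tls_on_443": len(non_tls_on_443(recs)),
        "beacon_pairs": len(beacon_candidates(recs)),
        "clients_mostly_unrated": sum(1 for s in unrated_share(recs).values()
                                      if s >= 0.5),
    }


if __name__ == "__main__":
    for check, n in review(SAMPLE_LOG).items():
        print(f"{check}: {n}")
```

On the sample log the checks single out 10.1.2.9, which talks to one unrated host over port 443 without TLS every five minutes, plus two executable downloads from unrated domains.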

(U) "The biggest thing we're calling out here is the fact that you can block threats before they occur," the senior director said. "You can see the torpedo coming in the water before it hits you."

(U) Analyst Comment: As this article points out, all companies should monitor and maintain logs of network traffic. If a company suspects there is suspicious network activity, they should contact the Tampa FBI Cyber squad, and have the logs analyzed.

(U) The 10 Worst Cyberattacks (Foreign Policy, 27 FEB 2012)

(U) TITAN RAIN, Year: 2003-2007, Alleged source: China

(U) Fallout: In 2004, US federal investigators discovered an ongoing series of attacks penetrating the networks of the departments of Defense, State, Energy and Homeland Security, as well as defense contractors, and downloading terabytes of data. The investigators were able to trace the cyberspying ring, which they codenamed "Titan Rain," back to computers in Guangdong, China. While the Chinese military is widely believed to have been involved in the attacks, Beijing has consistently denied responsibility. It was reported in 2007 that attacks believed to be connected to Titan Rain had also targeted the British foreign office.

(U) SHADY RAT, Year: 2006-present, Target: Dozens, Alleged source: China

(U) Fallout: In 2011, McAfee reported the existence of a five-year-old hacking campaign it calls Shady RAT. The RAT works by sending an e-mail to an employee of a targeted organization that installs a "Trojan horse" on the computer after they click an innocuous-looking attachment. The 49 victims include the International Olympic Committee, the United Nations, the Association of Southeast Asian Nations, companies in Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India, and the governments of the United States, Taiwan, South Korea, Vietnam, and Canada. At least 13 US defense contractors were also hit. The list of targets has led many analysts to suspect Chinese involvement. It has been called the biggest cyber attack of all time.

(U) The Estonia Attacks, Year: 2007, Alleged source: Russia

(U) Fallout: One of the most devastating attacks ever unleashed on a country, the Estonia attack followed the controversial decision to remove a Soviet war memorial in central Tallinn. The operation was a distributed denial of service (DDOS), which involves using remotely commandeered computers -- known as a botnet -- to overwhelm a targeted web server, taking it offline. The attacks took down the websites of Estonia's major banks, government websites, and news portals. At the peak of the crisis bank cards and mobile phones were inoperable within the country. The Russian government has denied responsibility for the attack, but a State Duma Deputy from the ruling United Russia party made an offhand remark to a journalist two years later saying that one of his staff had been involved in the attack.


(U) THE AUGUST WAR, Year: 2008, Alleged source: Russia

(U) Fallout: During the August 2008 Russia-Georgia war, key Georgian websites, including the pages of President Mikheil Saakashvili, the Ministry of Foreign Affairs, the Ministry of Defense, and numerous corporate and media sites, were taken down by cyberattacks. At one point the parliament's site was replaced with photos comparing Saakashvili to Hitler. Georgian criminals have blamed a cybercriminal group known as the Russian Business Network for the attacks. Russian President Dmitry Medvedev denied government involvement.

(U) GHOSTNET, Year: 2009-present, Alleged source: China

(U) Fallout: In 2009, Canadian researchers discovered a massive electronic spying network that had infiltrated 1,295 computers in 103 countries. The researchers were acting on a request from the Dalai Lama's office to see whether his personal network had been infiltrated; it had. Ministries of foreign affairs and embassies in Iran, Bangladesh, Indonesia, India, South Korea, Thailand, Germany and Pakistan were also affected. The Chinese government denied involvement.

(U) STUXNET, Year: 2010, Alleged source: Israel

(U) Fallout: Discovered in June 2010, the StuxNet worm exploits a vulnerability in Windows to attack Siemens industrial systems, such as those used in nuclear power plants. While systems in several countries, including the United States, were affected, Iran was the worst hit, with over 16,000 computers infected. The virus seemed to be specifically targeting Iran's nuclear program, leading to suspicions that it had been designed by Israel. The Israeli government has neither confirmed nor denied involvement, but a 2011 New York Times investigation concluded that the worm had been developed and tested in Israel.

(U) 50 DAYS OF LULZ, Year: 2011, Alleged source: Lulzsec

(U) Fallout: In the spring and summer of 2011, a group of hackers calling itself Lulzsec, associated with the online collective Anonymous, went on a tear, disabling and defacing a series of prominent websites. Unlike previous large-scale cyberattacks, the group didn't seem motivated by profit or a particular ideology, but were in fact in it for the lulz. They did occasionally take a stand, such as posting a story alleging that Tupac Shakur is alive on the PBS website in response to a documentary about WikiLeaks that they felt was negative. The group also took down CIA.gov at one point. In its biggest operation, Lulzsec hacked into Sony Playstation's website, compromising the personal information of more than a million users. In June, the group announced through its Twitter feed that it was suspending its campaign, releasing a trove of classified AT&T documents as a parting shot. In July 2011, police arrested an 18-year-old man in the Shetland Islands said to be "," one of the Lulzsec ringleaders.

(U) THE SOUTH KOREAN DDOS, Year: 2011, Alleged source: North Korea

(U) Fallout: DDOS attacks in March 2004 targeted more than 40 South Korean websites including the National Assembly, military headquarters, US Forces in Korea and several major banks. The attacks shut down the country's stock trading system for several minutes. An estimated 11,000 personal computers may have been infected by malware as part of the attack. A month later, an attack brought down the network of a major South Korean bank. The South has accused North Korea of running an ongoing cyberwarfare campaign since similar smaller attacks in 2009, but no solid link to Pyongyang has been proven.

(U) ANONYMOUS, Year: 2011-2012, Alleged source: A loose coalition of online "hacktivists"


(U) Fallout: The online group known as Anonymous was, until recently, best known for its attacks on the Church of Scientology and Fox News host Bill O'Reilly. But lately, it has taken on more of a political character. Anonymous targeted Egyptian government websites during the uprising against Hosni Mubarak, and when the regime took the unprecedented step of shutting the country's internet down, they went old school, flooding government offices with faxes. In response to the arrest of Megaupload founder Kim Dotcom in January, Anonymous shut down the websites of the Department of Justice and the Recording Industry Association of America, as well as several record companies and congressional offices. In February, they took credit for shutting down the website of the CIA.

(U) INDIA, Year: 2012, Alleged source: India or China

(U) Fallout: In January 2012, US authorities began investigating allegations that Indian intelligence operatives had hacked into the e-mails of the US-China Economic and Security Review Commission, an American agency that monitors trade policy with China. The investigation came after hackers posted a document online purporting to show Indian military intelligence plans to target the commission, as well as extracts from the e-mails in question. However, just a few weeks later, the document was found to be fake, though the e-mails were real, and investigators are now focusing on Chinese hackers as the most likely source of the breach.

(U) Nation-States Launch Cyberattacks Against an Array of Targets (infosecurity-magazine.com, 06 SEP 2011)

(U) Cyber attacks from nation-states can be divided into three categories: political activism and espionage, industrial espionage, and cyberwarfare, observed the vice president and security strategist at Fidelis Security Systems. Political activism and espionage are intended to achieve a political objective, such as disabling dissidents, he told Infosecurity. An example would be the cyberattack by the Chinese government on a Falun Gong website in Alabama, which was revealed in a recent Chinese military video carried by China Central Television.

(U) Industrial espionage involves cyberattacks against commercial enterprises and the US defense industrial base, he said. Attacks against commercial enterprises are intended to catch up economically. An example of that type of attack was the attack on Google, which the company blamed on the Chinese government. The attack targeted a highly secretive system operated by the search engine giant called Gaia. In addition, the Night Dragon attacks, also attributed to China, targeted oil and gas giants, such as Exxon Mobil, Shell, and BP. The attacks resulted in the loss of project-finance information relating to oil and gas field bids and operations.

(U) Attacks against the US defense industrial base are designed to steal defense technology. The new Chinese stealth fighter, the J-20, appears very similar to the US F-22 and F-35 fighters, he observed. Under the cyberwarfare category, nation-states would target critical infrastructure and military capacity. “The motivation would be to compensate for inferiority in terms of traditional warfare by using cyber tactics to disrupt communications, logistics, utilities, and things like that. We haven’t seen that against the United States yet. But there has been probing and mapping of critical infrastructure”, he observed. The Fidelis strategist said that other countries besides China, as well as organized crime, are active in cyberattacks. “It is hard to know in some cases whether it was a nation-state or an organized crime group that launched an attack. In some cases, it is pretty obvious... but in other cases, particularly on the commercial side of industrial espionage, it is hard to tell”, he observed.

(U) Alert on Hacker Power Play; US Official Signals Growing Concern Over Anonymous Group's Capabilities (The Wall Street Journal, 21 FEB 2012)


(U) The director of the National Security Agency (NSA) has warned that the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack. Gen. Keith Alexander, the NSA director, provided his assessment in meetings at the White House and in other private sessions, according to people familiar with the gatherings. While he hasn't publicly expressed his concerns about the potential for Anonymous to disrupt power supplies, he has warned publicly about an emerging ability by cyberattackers to disable or even damage computer networks.

(U) Some recent acts by the group:

(U) December 2010: Attacks groups and individuals that had tangled with WikiLeaks and its founder, Julian Assange.

(U) February 2011: Followers break into computer systems of California Internet-security company HBGary Federal, release tens of thousands of internal emails online. Company CEO resigns.

(U) Aug. 14, 2011: Hacks a Bay Area Rapid Transit website to protest the rail system's move to temporarily shut down cellphone service.

(U) Jan. 19, 2012: Attacks Justice Department website and apparently knocks it offline to retaliate against shutdown of a media-downloading site.

(U) Feb. 12, 2012: Announces a plan that it says will shut down the Internet on March 31.

(U) Feb. 17, 2012: Attacks two sites of the Federal Trade Commission.

(U) Gen. Alexander's warning signals a growing federal concern over the capabilities of Anonymous, a loose affiliation of so-called hacktivist computer programmers who have launched a raft of high-profile cyberassaults against US government and corporate targets such as Visa Inc., MasterCard Inc. and eBay Inc.'s PayPal service. So far, the attacks have primarily served to embarrass companies and organizations, and cybersecurity experts differ on the extent of the threat posed by Anonymous.

(U) The group has never listed a power blackout as a goal, but some federal officials believe Anonymous is headed in a more disruptive direction. An attack on a network would be consistent with recent public claims and threats by the group. Last week, for instance, Anonymous announced a plan to shut down the Internet on March 31, which it calls Operation Global Blackout. Experts consider the likelihood of an Internet blackout to be low. The Internet should be able to absorb the attack the group outlined, said Richard Bejtlich, chief security officer at computer-security company Mandiant. The announcement, however, shows the network's intent to wage more destructive attacks.

(U) Similarly, any attack by Anonymous directed at the power grid is likely to inflict limited damage but would be certain to sow alarm, especially if Anonymous took credit publicly. Grid officials said their systems face regular attacks, and they devote tremendous resources to repelling invaders, whether from Anonymous or some other source. "The industry is engaged and stepping up widely to respond to emerging cyber threats," said one electric-industry official. "There is a recognition that there are groups out there like Anonymous, and we are concerned, as are other sectors." Another industry official noted that the electric grid has a number of backup systems that allow utilities to restore power quickly if it is taken out by a cyberattack or other event.


(U) Intelligence officials believe that, for now, the cyber threat to the power grid is relatively limited. The countries that could most quickly develop and use cyber means to destroy part of the grid—such as China and Russia—have little incentive to do it. Those who might have more incentive, like Iran or North Korea, don't have the capability. US intelligence officials already have found what they say is evidence of Chinese and Russian cyberspies snooping in computer systems that run the electric grid, possibly in preparation for a conflict with the United States. The governments of China and Russia have denied any involvement.

(U) A stateless group like Anonymous doesn't yet have that capability, officials say. But if the group's members around the world developed or acquired it, an attack on the power grid would become far more likely, according to cybersecurity experts. "It's a real threat," said a cybersecurity specialist at the Center for Strategic and International Studies who is currently researching the group. "You want to occupy Wall Street? How about turn Wall Street off? Even for a day."

(U) Gen. Alexander's discussions stemmed from a broader policy concern over how to deter adversaries in cyberspace, a former official said. Groups like Anonymous are particularly difficult to deter because they are, indeed, anonymous and don't have clear interests that can be used to deter aggression in cyberspace in the way a country's government would. Other officials at the White House meeting, which was headed by John Brennan, deputy national security adviser, said it would take a little more time for Anonymous to obtain such a capability, closer to three to five years, the former official said. But all agreed it would likely be a threat in the next few years. Possible scenarios discussed, the former official said, included one in which a foreign government developed the attack capability and outsourced it to a group like Anonymous, or if a US adversary like al Qaeda hired hackers to mount a cyberattack.

(U) That threat was described to lawmakers at a hearing in February. "A near-peer competitor [country] could give cyber malware capability to some fringe group," said Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff. "Some hacker, next thing you know, could be into our electrical grid. We have to get after this." White House spokeswoman Caitlin Hayden said she couldn't discuss details of internal deliberations, but she said the administration "has made cybersecurity a top priority, and we are working tirelessly to protect ourselves from the threats we face, whether they come from other nations, cyber criminals, or from stateless activist hacker groups." The NSA declined to comment.

(U) Anonymous Continues To Plague Authority Figures (Daily Tech, 13 FEB 2012)

(U) Hacker groups connected with Anonymous systematically pick off high-profile targets

(U) The collective hacker group Anonymous has continued its online assault against high-profile targets ranging from companies to state and federal governments. In its most recent attacks, Anonymous bumped the CIA's website offline for a short time, while also targeting people in the state of Alabama. The CIA confirmed it is investigating the security breach, which appears to be a series of sophisticated DDoS attacks. Also targeted, the West Virginia Chiefs of Police Association saw the personal information of at least 150 police officers published on the internet.

(U) In addition to the US government and US-based companies, a number of foreign governments have drawn the wrath of Anonymous. Included on the attack list, Anonymous is targeting Israel, claiming the government is "trampling the liberties of the masses," using both political bribery and media deception in order to control its citizens. In addition, Croatian political candidates and other Eastern European authorities have been targeted for their support of anti-piracy and pro-government efforts.

(U) Hackers loosely connected with Anonymous attacked a state database used for overdue traffic tickets and other minor fines. More than 45,000 people had their personal information stolen as a result of the data theft. Names, addresses, phone numbers, dates of birth, and Social Security numbers were compromised alongside criminal records and license plate numbers of those in the database, and the network intrusion was in response to "recent racist legislation in an attempt to punish immigrants as criminals."

(U) In early February, Anonymous admitted to spying on a secret phone conference between the FBI and Scotland Yard. The group also attacked the Ultimate Fighting Championship’s President, a major figurehead for the No. 1 mixed martial arts program, for UFC's support of SOPA and PIPA. Unfortunately, some of the sensitive information released by Anonymous was of a Las Vegas, Nevada, woman unrelated to White, and her phone number and personal address were released, with harassing and threatening messages continuing for days. However, the official Twitter account for Anonymous, @YourAnonNews, relayed a message indicating that some attacks reportedly committed by Anonymous may not have been carried out by the group.

(U) The actions of Anonymous have been supported by some, but others have called them vigilantes hurting Internet users. As the hacker group operates from a growing list of presumed enemies, authorities have largely been unable to hinder those responsible. Sometimes legal action has been threatened, but actual court enforcement would likely prove to be difficult against such a scattered group. Instead of showing public disgust, the Boston Police Department sidestepped explanation as to why they were attacked by Antisec. Instead, the BPD PR team decided to post a tongue-in-cheek video on the Internet discussing the heartbreak felt because the site was hacked.

(U) In Attack on Vatican Web Site, a Glimpse of Hackers’ Tactics (The New York Times, 26 FEB 2012)

(U) The campaign against the Vatican, which did not receive wide attention at the time, involved hundreds of people, some with hacking skills and some without. A core group of participants openly drummed up support for the attack using YouTube, Twitter and Facebook. Others searched for vulnerabilities on a Vatican Web site and, when that failed, enlisted amateur recruits to flood the site with traffic, hoping it would crash, according to a computer security firm’s report released in February. The attack, albeit an unsuccessful one, provides a rare glimpse into the recruiting, reconnaissance and warfare tactics used by the shadowy hacking collective.

(U) Anonymous, which first gained widespread notice with an attack on the Church of Scientology in 2008, has since carried out hundreds of increasingly bold strikes, taking aim at perceived enemies including law enforcement agencies, Internet security companies and opponents of the whistle-blower site WikiLeaks. The group’s attack on the Vatican was confirmed by the hackers and is detailed in a report that Imperva, a computer security company based in Redwood City, Calif., plans to release ahead of a computer security conference here this week. It may be the first end-to-end record of a full Anonymous attack.

(U) Though Imperva declined to identify the target of the attack and kept any mention of the Vatican out of its report, two people briefed on the investigation confirmed that it had been the target. Imperva had a unique window into the situation because it had been hired by the Vatican’s security team as a subcontractor to block and record the assault. “We have seen the tools and the techniques that were used in this attack used by other criminal groups on the Web,” said Imperva’s chief technology officer. “What set this attack apart from others is it had a clear timeline and evolution, starting from an announcement and recruitment phase that was very public.” The Vatican declined to comment on the attack. In an e-mail intended for a colleague but accidentally sent to a reporter, a church official wrote: “I do not think it is convenient to respond to journalists on real or potential attacks,” adding, “The more we are silent in this area the better.”

(U) The attack was called Operation Pharisee in a reference to the sect that Jesus called hypocrites. It was initially organized by hackers in South America and Mexico before spreading to other countries, and it was timed to coincide with Pope Benedict XVI’s visit to Madrid in August 2011 for World Youth Day, an international event held every other year that regularly attracts more than a million Catholic youths. Hackers initially tried to take down a Web site set up by the church to promote the event, handle registrations and sell merchandise. Their goal, according to YouTube messages delivered by an Anonymous figure in a Guy Fawkes mask, was to disrupt the event and draw attention to child sexual abuse by priests, among other issues. The videos, which have been viewed more than 77,000 times, include a verbal attack on the pope and the young people who “have forgotten the abominations of the Catholic Church.” One calls on volunteers to “prepare your weapons, my dear brother, for this August 17th to Sunday August 21st, we will drop anger over the Vatican.”

(U) Much as in a grass-roots lobbying campaign, the hackers spent weeks spreading their message through their own Web site and social sites like Twitter and Flickr. Their Facebook page called on volunteers to download free attack software and implored them to “stop child abuse” by joining the cause. It featured split-screen images of the pope seated on a gilded throne on one side and starving African children on the other. And it linked to articles about sexual abuse cases and blog posts itemizing the church’s assets.

(U) It took the hackers 18 days to recruit enough people, the Imperva report says. Then the reconnaissance began. A core group of roughly a dozen skilled hackers spent three days poking around the church’s World Youth Day site looking for common security holes that could let them inside, the report says. Probing for such loopholes used to be tedious and slow, but the advent of automated tools made it possible for hackers to do this while they slept. In this case, the scanning software failed to turn up any gaps. So the hackers turned to a brute-force approach, a so-called distributed denial-of-service, or DDoS, attack that involves clogging a site with data requests until it crashes. Even unskilled supporters could take part in this from their computers or smartphones.

(U) “Anonymous is a handful of geniuses surrounded by a legion of idiots,” said an author who has researched the movement. “You have four or five guys who really know what they’re doing and are able to pull off some of the more serious hacks, and then thousands of people spreading the word, or turning their computers over to participate in a DDoS attack.” Over the course of the campaign’s final two days, Anonymous enlisted as many as a thousand people to download attack software, or directed them to custom-built Web sites that let them participate using their cellphones. Visiting a particular Web address caused the phones to instantly start flooding the target Web site with hundreds of data requests each second, with no special software required, the report says.

(U) On the first day, the denial-of-service attack resulted in 28 times the normal traffic to the church site, rising to 34 times the next day. Hackers involved in the attack, who did not identify themselves, said through a Twitter account associated with the campaign that the two-day effort succeeded in slowing the site’s performance and making the page unavailable “in several countries.” Imperva disputed that the site’s performance was affected and said its technologies had successfully siphoned the excess data away from the site. Anonymous moved on to other targets, including an unofficial site about the pope, which the hackers were briefly able to deface. Imperva executives say the Vatican’s defenses held up because, unlike Sony and other hacker targets, it invested in the infrastructure needed to repel both break-ins and full-scale assaults.

(U) Researchers who have followed Anonymous say that despite its lack of success in this and other campaigns, recent attacks show the movement is still evolving and, if anything, emboldened. Threatened attacks on the New York Stock Exchange and Facebook last autumn apparently fizzled. But the hackers appeared to regain momentum in January after federal authorities shut down Megaupload, a popular file-sharing site. In retaliation, hackers affiliated with Anonymous briefly knocked dozens of Web sites offline, including those of the FBI, the White House and the Justice Department. At one point, they were able to eavesdrop on a conference call between the FBI and Scotland Yard. “Part of the reason ‘Op Megaupload’ was so successful is that they’ve learned from their past mistakes,” said an associate professor at McGill University who has studied Anonymous. The professor said the hackers had been using a new tool to better protect their anonymity. “Finally people felt safe using it,” she said. “That could explain why it was so big.”

(U) In recent weeks, Anonymous has made increasingly bold threats, at one point promising to “shut the Internet down on March 31” by attacking servers that perform switchboard functions for the Internet. Security experts now say that a sort of open season has begun. “Who is Anonymous?” asked Imperva’s director of security. “Anyone can use the Anonymous umbrella to hack anyone at anytime.” Indeed, in the last six months, hackers have attacked everything from pornography sites to the Web portals of Brazilian airlines. And some hackers have been accused of trying to extort money from corporations, all under the banner of Anonymous. “Anonymous is an idea, a global protest movement, by activists on the streets and by hackers in the network,” the hackers said through the Twitter account. “Anyone can be Anonymous, because we are an idea without leaders who defend freedom and promote free knowledge.”

(U) Ex-UCF Student Pleads Guilty To Federal Hacking Charge (The Orlando Sentinel, 25 JAN 2012)

(U) A now former University of Central Florida student charged with hacking into a website used by the FBI recently pled guilty in federal court, records show. Scott Matthew Arciszewski was arrested at his dorm on the UCF campus in July after investigators said he hacked into the Tampa Bay InfraGard site a month prior and uploaded three files. Minutes after the unauthorized intrusion, federal prosecutors said, Arciszewski posted a thread on a hacker forum website that provided a link to InfraGard and instructions on how to exploit the site. Soon after his posting, at least 15 hacking attempts were made to the website, seven of them being successful, court records said.

(U) InfraGard is an FBI program designed to establish an alliance among academia, private industry and the federal agency, where members exchange information. Court records also said that Arciszewski, using the Twitter name "voodooKobra," sent a message to the FBI's press office Twitter account stating that InfraGard "has one hell of an exploit." Arciszewski was arrested on a federal hacking charge July 19, the same day agents across the country arrested more than a dozen others for their suspected roles in cyberattacks reportedly linked to the group Anonymous. Documents filed by prosecutors said Arciszewski confessed to hacking into the InfraGard site. Records show Arciszewski pled guilty in federal court in Tampa in January, and a judge accepted the plea and adjudicated him guilty. Arciszewski, no longer a UCF student, will be sentenced April 19 in Tampa. He faces up to five years in federal prison, up to three years probation, and a fine up to $250,000.

(U) Romanian Police Arrest Alleged Hacker In Pentagon, NASA Breaches (Network World, 15 FEB 2012)


(U) A 20-year-old hacker who goes by the Internet name TinKode was arrested recently by Romanian police after he bragged about hacking into Pentagon and NASA computer systems. Razvan Manole Cernaianu is accused of revealing security holes and publishing information about SQL injection vulnerabilities in those agencies. The Romanian Directorate for Investigating Organized Crime and Terrorism said Cernaianu also offered a computer program on his blog that could be used to hack into websites and published a video showing Internet attacks he had made against the US government. The FBI and NASA assisted in the investigation. The US Embassy in Bucharest said Cernaianu used "advanced hacking tools to gain unauthorized access to government and commercial systems."

(U) Cernaianu allegedly hacked into a computer server at NASA's Goddard Space Flight Center last April, and posted a screen grab that showed files connected to confidential satellite data. The managing editor of Infosec Island says that TinKode is known to have taken advantage of several well-known vulnerabilities that many of his targets should have resolved before he exploited them through SQL injections -- a technique many security experts now derisively call "Hacking 101." "His targets tend to be large entities that undoubtedly have complex network deployments and multiple interfaces for third parties like contractors or client bases," he says, "which provide a higher product probability of his finding unprotected points of entry."

(U) The Infosec Island managing editor says penetration by a determined hacker is almost guaranteed in networks of this size. "They should focus on detection and data protection within the networks," he says, "while working under the assumption that they will not be able to prevent all breach attempts." "Advanced monitoring systems, appropriate data classification, and secondary authentication protocols for access to the most sensitive information are critical both for detecting an intrusion and slowing hackers' progress. This can buy the needed time to lock down the compromised system and prevent data theft."

(U) The CTO of Cigital says if TinKode didn't want to get caught, he should not have been bragging so publicly. "If you go looking for attention, you're probably going to get it," he says. The CTO says the damage caused was probably minor. "But, to get past all of these silly problems, agencies like these should build systems with security in mind in the first place. Right now they are trying to fix broken systems."

(U) Hacking Now Responsible for Most of Exposed Records (SC Magazine, 27 FEB 2012)

(U) Until last year, lost and stolen laptops were to blame for the largest percentage of breach types. Now, hacking has claimed the top spot. Computer intrusion was responsible for 83 percent of the total reported exposed records in 2011 and a third of the total breaches, according to the year-end "Data Breach Intelligence" report from Risk Based Security, affiliated with the Open Security Foundation, which chronicles security incidents. Last year saw nearly 368 million records breached, the highest ever, and the all-time tally sits at 1.3 billion, according to the report, released last week. The previous high was 191 million records in 2009.

(U) The 2011 total was swelled by a number of massive breaches, namely the Sony PlayStation Network hack, which compromised some 77 million records. Valve, owner of online video game distribution network Steam, saw 35 million credit card numbers exposed. Another massive incident involved Tianya, China's largest online forum, when data on 40 million users was leaked. Meanwhile, in February, Javelin Strategy & Research revealed that identity fraud rose 13 percent in 2011, when 11.6 million US adults became victims. However, out-of-pocket costs diminished by a whopping 44 percent thanks to enhanced prevention and detection tools, and fraud alerts. Javelin attributed the fraud rise to breaches and increased reliance on social media and mobile devices.


(U) Iran Develops New Cyber-Army (www.infosecurity-magazine.com, 22 FEB 2012)

(U) The director of the Iranian passive defense organization, brigadier general Gholamreza Jalali, has been discussing a new . According to the Mehr News Agency this morning, Jalali declared in a televised press conference, “The US is downsizing its army for bigger cyber defense infrastructure. So countries like Iran also have to set up and upgrade their cyber defense headquarters and even [build] a cyber army.”

(U) The move appears to be both a response to the Stuxnet and Duqu viruses (at least one of which seems to have been particularly targeted at the Iranian nuclear program), and the increasing cyber budgets of most western countries. But the problem with cyber defense is that it invariably also implies cyber offense. The UK and Ireland manager for Stonesoft makes just this point in advising western governments to “take the necessary protective measures to ensure their national infrastructure does not come under attack... Despite the fact,” he adds, “that Iran is saying the army will be used as a defensive measure there is no guaranteeing they won’t use it as an offensive measure as well and use it to launch cyber attacks.”

(U) An ESET analyst believes that Stuxnet was an effective wake-up call for most nations, but that cyberwarfare exploration has been a fact of life for many years. He suggests that the real significance of Stuxnet is that it forced governments to reassure their population that cyber security is being protected. The problem is that you cannot “realistically develop effective technology in those areas thinking purely defensively even if you wanted to.” The analyst has little time for the fictional view of future wars being fought behind computer screens. “But almost any upcoming war between any but the most technologically under-developed nations will, at this point,” he warns, “be conducted making heavy use of a wide range of technical tools. Some of those tools are increasingly likely to go beyond intelligence gathering and the strategic deployment of a military solution.”

(U) Iranian Hackers Attacked the Website of Azerbaijani National State TV (Azerireport, 23 FEB 2012)

(U) In February, the website of the AzTV, Azerbaijani National State TV, was hacked by a group which called itself Cyber Army of Iran. The site featured an inscription in English: "Life is game. Game over." After several hours the website was restored. On February 23, Iranian hackers continued attacking the websites of the government institutions of . A similar attack was carried out by Iranian hackers on 30 Azeri sites a few weeks ago. The attack of the Iranian hackers on the websites of the Azerbaijani government institutions coincides with the growing tensions in Iranian-Azeri relations.

(U) Currently, the Azerbaijani and Iranian government officials are engaged in bringing up mutual accusations and threats against each other. The Iranian government accuses Azerbaijan of providing hiding grounds to the Israeli secret service agents who assassinated the Iranian nuclear scientists. The Azerbaijani law enforcement agencies made press statements accusing Iran of sponsoring attempted acts of terrorism in Azerbaijan.

(U) In a recent sweeping operation, the Azerbaijani Ministry of National Security (MNS) arrested dozens of people in Nardaran, a suburban village of Baku with a strong anti-government mood, claiming that the arrested people had close ties with the Iranian secret services. The Azerbaijani law enforcement agency went as far as arresting the driver and the journalist of the Iranian TV channel “Sahar” under “illegal drug possession” charges, a standard charge for a political arrest in Azerbaijan. The pro-government members of the Azerbaijani parliament made a number of anti-Iranian statements threatening to utilize the large Azeri minority inside Iran against the anti-Azerbaijani policies of the Ahmadinejad administration. The hacker attack against the website of the AzTV is just a new minor episode in an escalating conflict between Iran and Azerbaijan.

(U) Analyst Comment: This article highlights how hackers claiming to support Iran conducted cyber attacks on Azeri websites in conjunction with a plot to conduct a physical attack in Azerbaijan. Given the increasing tensions with Iran, private sector companies and organizations should immediately report any suspicious network intrusions or web defacements/hacking to the Tampa FBI cyber squad.

(U) Smartphone, Social Media Users at Risk for Identity Fraud (CIOinsight, 24 FEB 2012)

(U) Social media and mobile devices may be putting consumers at greater risk for identity fraud, according to a Feb. 22 report on identity fraud. More than 11.6 million adults were victims of identity fraud in the United States in 2011, an increase of 13 percent since 2010, according to the Javelin Strategy and Research report. About 7 percent of smartphone users were victims of identity fraud, in contrast to the 4.9 percent fraud rate among the general population, according to the 2012 Identity Fraud Report.

(U) Smartphone owners are not protecting their devices, which exposes them to fraud, according to Javelin. Around 62 percent said they don't use a password or a PIN code to lock their devices. About 32 percent admitted to saving log-in information on their devices. Social media and mobile behaviors made users more vulnerable to fraud, according to the report. Users of social networking services, such as LinkedIn, Google+, Facebook and Twitter, had the highest incidence of fraud. Consumers who actively engage with social media and use a smartphone were found to have a disproportionately higher rate of identity fraud than consumers who do not use these services. LinkedIn users were more than twice as likely to have reported being a victim, and users who regularly checked in to services using GPS-enabled location data reported fraud rates that were more than double the average rate among the general population.

(U) However, while the numbers are interesting, there is no "proof of direct causation" at this time, according to the report. Significant amounts of personal information that are often used to authenticate users online were freely shared online, Javelin researchers found. Birthdays are one such example, and 68 percent of the people in Javelin's survey shared the date online. About 45 percent shared the birth year, as well. Name of the high school attended and the name of a pet are common security questions for online services. About 63 percent of the respondents listed the high school on their public profiles and 12 percent posted pet names.

(U) IRS Helps Bust 105 People in Massive Identity Theft Crackdown; IRS and DOJ Team on Nationwide Strike Against Identity Theft, Fraud, Phishing (Network World, 31 JAN 2012)

(U) The Internal Revenue Service and the Department of Justice teamed up for a coast-to-coast crackdown on identity thieves in late January. The coast-to-coast law enforcement onslaught arrested 105 people in 23 states and included indictments, arrests and the execution of search warrants involving the potential theft of thousands of identities and taxpayer refunds, the IRS stated. In all, 939 criminal charges are included in the 69 indictments and information related to identity theft. The IRS said auditors also conducted compliance visits to money service businesses in nine locations across the country. The approximately 150 visits occurred to help ensure these check-cashing facilities aren't facilitating refund fraud and identity theft, the IRS stated.


(U) The IRS also is taking a number of additional steps this tax season to prevent identity theft and detect refund fraud before it occurs. These efforts include designing new identity theft screening filters that will improve the IRS's ability to spot false returns before they are processed and before a refund is issued, as well as expanded efforts to place identity theft indicators on taxpayer accounts to track and manage identity theft incidents, the agency stated.

(U) The IRS in January created a special section on IRS.gov dedicated to identity theft, including YouTube videos, tips for taxpayers and a special guide to assistance. The information includes how to contact the IRS Identity Protection Specialized Unit and tips to protect against phishing schemes that can lead to identity theft.

(U) The IRS is instrumental in fighting identity theft. A 2011 report by the Government Accountability Office stated that in 2010, the IRS identified more than 245,000 identity theft incidents that affected the tax system. The hundreds of thousands of taxpayers with tax problems caused by identity theft represent a small percentage of the expected 140 million individual returns filed, but for those affected, the problems can be quite serious. "The IRS provides taxpayers with targeted information to increase their awareness of identity theft, tips and suggestions for safeguarding taxpayers' personal information, and information to help them better understand tax administration issues related to identity theft," the GAO states.

(U) Included in the GAO report was IRS' top 10 list of identity theft information everyone should be aware of. The list:

(U) 1. The IRS does not initiate contact with a taxpayer by email.

(U) 2. If you receive a scam email claiming to be from the IRS, forward it to the IRS at [email protected].

(U) 3. Identity thieves get your personal information by many different means, including:

● stealing your wallet or purse;

● posing as someone who needs information about you through a phone call or email;

● looking through your trash for personal information;

● accessing information you provide to an unsecured Internet site.

(U) 4. If you discover a website that claims to be the IRS but does not begin with "www.irs.gov," forward that link to the IRS at [email protected].

(U) 5. To learn how to identify a secure website, visit the Federal Trade Commission.

(U) 6. If your Social Security number is stolen, another individual may use it to get a job. That person's employer may then report income earned to the IRS using your Social Security number, thus making it appear that you did not report all of your income on your tax return.

(U) 7. Your identity may have been stolen if a letter from the IRS indicates more than one tax return was filed for you or the letter states you received wages from an employer you don't know. If you receive such a letter from the IRS, leading you to believe your identity has been stolen, respond immediately to the name, address or phone number on the IRS notice.


(U) 8. If your tax records are not currently affected by identity theft, but you believe you may be at risk due to a lost wallet, questionable credit card activity or credit report, you need to provide the IRS with proof of your identity. You should submit a copy of your valid government-issued identification -- such as a Social Security card, driver's license or passport -- along with a copy of a police report and/or a completed Form 14039, Identity Theft Affidavit. As an option, you can also contact the IRS Identity Protection Specialized Unit, toll-free at 800-908-4490. You should also follow FTC guidance for reporting identity theft at www.ftc.gov/idtheft.

(U) 9. Show your Social Security card to your employer when you start a job or to your financial institution for tax reporting purposes. Do not routinely carry your card or other documents that display your Social Security number.

(U) 10. For more information about identity theft, including information about how to report identity theft, phishing and related fraudulent activity, visit the IRS Identity Theft and Your Tax Records Page, which you can find by searching "Identity Theft" on the IRS.gov home page.
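(U) Item 4 of the list tells readers to distrust a site that does not begin with "www.irs.gov". The following added example (it is not from the bulletin, the IRS or the GAO) shows why that test should be applied to the parsed hostname rather than to the raw text of the link: a lookalike address can start with the same characters and still point somewhere else. The sample links, the reserved `.test` domains and the documentation address 198.51.100.7 are constructed for the illustration.

```python
"""Check whether a link really points at the IRS site (added example).

A naive "does the string start with www.irs.gov" test passes lookalikes such as
http://www.irs.gov.example.test/ and http://www.irs.gov@198.51.100.7/, so the
check below compares the hostname the browser would actually connect to
against the expected domain.
"""
from urllib.parse import urlsplit

IRS_DOMAIN = "irs.gov"


def irs_host_ok(url: str) -> bool:
    """Return True only if the URL's host is irs.gov or a subdomain of it."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips any user@ prefix, port and brackets, and lowercases
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def classify_links(urls):
    """Split links into (looks genuine, report as suspected phishing)."""
    genuine, suspicious = [], []
    for u in urls:
        (genuine if irs_host_ok(u) else suspicious).append(u)
    return genuine, suspicious


# Constructed sample links; the lookalike domains are invented for illustration.
SAMPLE_LINKS = [
    "https://www.irs.gov/",
    "https://www.irs.gov/identity-theft",
    "http://www.irs.gov.example.test/refund",        # prefix lookalike
    "http://www.irs.gov@198.51.100.7/refund",        # user@ prefix hides the real host
    "https://irs-refund.example.test/www.irs.gov",   # expected text only in the path
    "ftp://www.irs.gov/",                            # right host, wrong scheme
]

if __name__ == "__main__":
    ok, bad = classify_links(SAMPLE_LINKS)
    print("looks genuine:", ok)
    print("report as suspected phishing:", bad)
```

Only the first two links survive the hostname comparison; the remaining four all contain the expected text somewhere, which is exactly why a prefix or substring match is the wrong check.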

(U) More Than Half of Cyberattacks Come From Asia; DDoS Attacks Worldwide on the Rise, Report Finds (Dark Reading, 31 JAN 2012)

(U) Asia is a hot spot for distributed denial-of-service (DDoS) and other types of online attacks, and, not surprisingly, DDoS attacks have spiked during the past few months. It has been a busy year or so for DDoS attacks: A new report from Akamai shows a 2,000 percent increase in the number of incidents during the past three years. The Anonymous hacktivist group contributed to that spike, as did politically motivated country versus country attacks, according to Akamai. "Hacktivist activity has really accounted for a significant part of that growth, [as well as] spats between individual countries attacking one another," says the vice president of dynamic site solutions at Akamai.

(U) And while website takedowns waged by HTTP-borne DDoS attacks have been all the rage lately, attacks targeting port 80/HTTP declined by about a third between Q2 2011 and Q3 2011, while attacks on Telnet/port 23 grew by about the same proportion. Akamai attributes the Telnet attacks to traffic from Egypt, where there were 18 times as many Telnet attacks as attacks on other ports, and South Korea, where Telnet attacks were four times the number seen on other ports.

(U) No one is immune from DDoS attacks anymore, thanks to the rise in . "It used to be if you didn't have a big brand or weren't making a lot of Web presence, if you went down it was an annoyance or inconvenient. And the odds were really low" that you'd be DDoS'ed, the Akamai vice president says. "That's totally changed," he says. "You cannot predict if you're going to go down." Meanwhile, the Asia-Pacific region accounted for more than 49 percent of attack traffic in the third quarter of 2011, up from 47 percent in the previous quarter. Indonesia led the way with 14 percent of that traffic, followed by Taiwan and China. South Korea's attack traffic tripled, up to about 4 percent of the Asian attack traffic. Europe accounted for about 28 percent of the global attack traffic, and North and South America, about 19 percent.

(U) A full copy of the Akamai report is available here: http://www.akamai.com/stateoftheinternet

(U) GPS Attacks Risk Maritime Disaster, Trading Chaos (Reuters, 22 FEB 2012)

(U) Satellite navigation systems are at risk from criminals, terrorists or even just bored teenagers, with the potential to cause major incidents from maritime disasters to chaos in financial markets, leading experts warned in February. From maps on car dashboards and mobile phones, to road tolls, aviation and marine navigation systems and even financial exchanges, much of modern life relies on Global Navigation Satellite Systems (GNSS) that use satellite signals to find a location or keep exact time.

(U) The familiar Global Positioning System (GPS) set up by the US government, and GLONASS, a similar Russian system, were both built for military purposes but are now available to anyone with a device that can receive a signal. The European Union, China and India are setting up similar systems. Experts are worried about havoc that could be caused if GNSS signals were illegally jammed, said a director at Britain's ICT Knowledge Transfer Network, an initiative funded by the UK's national innovation agency, which hosted a conference in London.

(U) The problem was illustrated in 2009 when navigation systems at Newark Airport in the United States began suffering daily breakdowns brought about by a truck driver with just a cheap, low-powered jammer in his vehicle going by on a nearby road. "We have moved on from a potentially threatening situation to a real danger that we must address now," the director said.

(U) JAMMING INCIDENTS

(U) Widely available on the internet, jammers are not illegal to own but are illegal to use. Just how widespread they are is unclear, but research unveiled at the London conference revealed monitors at one location in Britain recorded 60 individual jamming incidents over six months. Criminals have also embraced the technology, the ICT director said, with cases where thieves had hijacked vans carrying high value goods after jamming their GPS and cellphone systems. "Certainly toughening the law to make it illegal to possess one is certainly a step that can be taken. But before that, we need to know just how many of them there are and how widespread the problem is," he told Reuters.

(U) Some devices confiscated by police possessed "monstrous" transmission power when compared with the weak signal emitted by satellites, and that had serious implications, he said. Researchers in 2010 issued low-level jamming from the coast to see the effect on shipping in the English Channel, one of the world's busiest shipping lanes. They noted that ships veered off course without their knowledge, gave out false readings to other vessels about their position, so risking collisions, and caused communications systems to fail, preventing crews from talking to the coastguard. The ICT director said there were no serious concerns "that we are going to see a disaster" in the Channel within the next decade. Nor do the jammers require great expertise to make. "You could imagine the bored teenager, hacker personality builds one of these things just to see what would happen," he said.

(U) "SPOOFING" THREAT

(U) While jamming poses an immediate threat, a potentially more serious risk is posed by "spoofing" - creating false GPS signals to alter users' perceptions of time or location. Until recently, while theoretically possible, such technology was not seen as viable or affordable. However, Todd Humphreys, a specialist in GPS technology from the University of Texas, told Reuters he had developed the first GPS civilian spoofer, a "very powerful" device which cost under $1,000 to assemble. He said spoofers could be attractive to anyone who could make money from fooling GPS systems, from fishermen wanting to work in forbidden waters and motorists dodging road charges to those wanting to cheat the world's financial trading markets. "The financial exchanges that depend so much on their own credibility and on people's trust of the markets could be damaged fairly significantly by routine manipulation of the time stamps that they apply to all of their transactions," he said. "That could cause turmoil in the markets and people to pull out of the market automatically because their algorithms are designed to pull out when something looks fishy."

(U) Unscrupulous traders could also use a time discrepancy of just a few milliseconds to make large gains via intermarket arbitrage. Like jammers, they could be easy to put together. "It's not outside the capability of any other smart graduate student in GPS or GNSS across the world," he said. "And it's not outside the capability of any kind of sophisticated terrorist organization." No fully-fledged spoofing attacks have yet been reported, although an Iranian engineer claimed to have used the technique to down a US stealth drone last December. "It was within the realm of possibility and that was the real story," said Humphreys, who studied the engineer's report.

(U) Whether the authorities are ready for such a threat is unclear. A spokeswoman for London's Stock Exchange said the exchange was unaware of such a threat, and Humphreys said that while the US Department of Homeland Security had conducted a risk assessment last year, more needed to be done. "I think the United States is finally taking this seriously," he said. "But I haven't seen any serious money put down on spoofing countermeasures."

(U) GPS Jammers and Spoofers Threaten Infrastructure, Say Researchers (Ars Technica, 24 FEB 2012)

(U) A GPS and cell phone jammer, for sale on the Internet

(U) During the GNSS Vulnerability 2012 event at the UK's National Physical Laboratory on Wednesday, experts discussed the threat posed by a growing number of GPS jamming and spoofing devices. The increasing popularity of the jammers is troubling, according to a conference organizer, because even low-power GPS jammers pose a significant threat to cell phone systems, parts of the electrical grid, and the safety of drivers. Since cell phone towers and some electrical grid systems use GPS signals for time-keeping, GPS jamming can throw them off and cause outages. "We're seeing a large number of low power devices which plug into power sockets in a car," he told Ars. "These devices take out the GPS tracker in the vehicle, but they also create a 'bubble' of interference, sometimes out to up to 100 yards. They're illegal, so their quality control is generally not good."

(U) There has also been an emerging threat from more powerful GPS "spoofing" systems, according to the conference organizer, who is also the director of Position, Navigation and Timing technology for the UK's ICT Knowledge Transfer Network. GPS spoofing attacks can provide both inaccurate location and time information, potentially creating much larger problems than a dropped call. "There have been incidents where trucks carrying high value goods have been hijacked," he said, "where GPS and cell phones have been blocked." While such incidents have been rare, he said, these more high-powered jamming systems cause the greatest concern. The equipment on these systems has power equivalent to that aboard GPS satellites, he said, "but they're not 10,000 miles away, they're a mile away." Use of these sorts of attacks by criminals or terrorists, especially in bad weather, could lead to the grounding of ships in constrained channels like the Strait of Dover, or cause problems with GPS-based air traffic control.

(U) One of the presenters at the conference, University of Texas assistant professor Todd Humphreys, presented findings on the impact of spoofing and jamming on cell phone systems. Humphreys, who claims his lab possesses the most powerful civilian-owned GPS spoofer, said that in US tests, his research team succeeded in interfering with timing devices used in cellular network towers, breaking down synchronization between cells and preventing calls from being handed off from one cellular station to another. "So far, no credible high profile attack has been recorded," Humphreys said, "but we are seeing evidence of basic spoofing, likely carried out by rogue individuals or small groups." It's a major technological leap from basic spoofing to more technically advanced systems, but "all it takes is someone to put one together and publish it online and we have a major problem."
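(U) Both the Reuters piece (false time stamps fed to exchanges) and the paragraph above (cell-tower timing thrown out of synchronization) describe the same failure mode: a GNSS-disciplined clock that trusts whatever time the receiver reports. The following added example, which is not code from the bulletin, from either article's sources or from any receiver vendor, shows two consistency checks such a clock can run on its own input, using a constructed stream of receiver samples: the satellite-derived time must advance in step with a free-running local oscillator, and the received signal strength must stay within what a satellite 10,000 miles away can plausibly deliver (the "a mile away" transmitter quoted above arrives far stronger). When either check fails, the clock free-wheels on the local oscillator from the last clean sample instead of following the suspect signal. The `Sample` record, the thresholds `MAX_DRIFT_S` and `MAX_CN0_DB_HZ`, and the sample values are all assumptions chosen for the illustration, not published limits.

```python
"""Sanity checks for a GNSS-disciplined clock (added example, constructed data).

Two checks run over consecutive receiver samples:
  1. the GNSS-reported time must advance by the same amount as a local
     free-running oscillator did (a spoofer dragging the clock shows up as a step
     the oscillator never made);
  2. the strongest reported carrier-to-noise ratio must stay below what a real
     satellite can deliver (a nearby transmitter arrives implausibly strong).
If a check fails, holdover_time() keeps time from the last clean sample plus the
local oscillator's elapsed time, rather than trusting the suspect signal.
"""
from dataclasses import dataclass

MAX_DRIFT_S = 0.001     # assumed tolerance: 1 ms disagreement between consecutive samples
MAX_CN0_DB_HZ = 52.0    # assumed ceiling for a plausible satellite C/N0 in dB-Hz


@dataclass
class Sample:
    local_s: float   # seconds from the free-running local oscillator
    gnss_s: float    # seconds of time as reported by the receiver
    cn0: float       # strongest carrier-to-noise density reported, dB-Hz


def check_stream(samples):
    """Return (sample index, reason) alerts for every suspect sample."""
    alerts = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        local_step = cur.local_s - prev.local_s
        gnss_step = cur.gnss_s - prev.gnss_s
        if abs(gnss_step - local_step) > MAX_DRIFT_S:
            alerts.append((i, f"time step mismatch: gnss {gnss_step:+.3f}s vs local {local_step:+.3f}s"))
        if cur.cn0 > MAX_CN0_DB_HZ:
            alerts.append((i, f"implausible signal strength {cur.cn0:.1f} dB-Hz"))
    return alerts


def holdover_time(samples):
    """Best estimate of current time: GNSS time at the last clean sample, advanced by
    the local oscillator since then. Equals the last reported GNSS time when no
    sample is suspect."""
    if not samples:
        raise ValueError("no samples")
    alerts = check_stream(samples)
    first_bad = alerts[0][0] if alerts else len(samples)
    anchor = samples[first_bad - 1]          # last sample before the first alert
    return anchor.gnss_s + (samples[-1].local_s - anchor.local_s)


# Constructed 1 Hz stream: the receiver's epoch offset (1,000,000 s) is arbitrary.
SAMPLES = [
    Sample(0.0, 1_000_000.0, 44.0),
    Sample(1.0, 1_000_001.0, 44.5),
    Sample(2.0, 1_000_002.0, 43.8),
    Sample(3.0, 1_000_003.0, 44.2),
    Sample(4.0, 1_000_003.5, 58.0),   # time slips 0.5 s and the signal is far too strong
    Sample(5.0, 1_000_004.5, 58.3),   # advancing normally again, but still too strong
]

if __name__ == "__main__":
    for idx, why in check_stream(SAMPLES):
        print(f"sample {idx}: {why}")
    print("reported GNSS time:", SAMPLES[-1].gnss_s)
    print("holdover estimate: ", holdover_time(SAMPLES))
```

On the constructed stream the fourth sample trips both checks and the fifth trips the strength check, so the clock reports 1,000,005.0 s (anchored on sample 3 and advanced 2 s by the oscillator) rather than the 1,000,004.5 s the receiver claims. Real deployments would tune the drift tolerance to the oscillator's holdover quality and add further plausibility checks (position jumps, satellite geometry), but the structure is the same: treat GNSS as an input to be validated, not as ground truth.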

(U) Small short-range jammers have created isolated problems in the US. In late 2009, a single truck using a GPS jammer caused headaches for technicians at Newark Liberty International Airport as it interfered with a navigation aid every time the truck passed on the New Jersey Turnpike. Truck drivers and other drivers who want to conceal their movements from tracking devices sometimes use basic GPS jammers embedded in their vehicles. Trucking companies use GPS systems to monitor the location of their trucks and cargo, and to keep tabs on their drivers' compliance with company rules and federal regulations. Auto rental companies use GPS in the US to track whether customers violate the terms of a rental contract by speeding or leaving a geographic area. GPS is also being used by auto insurance companies for "pay as you go" policies that offer reduced rates for drivers, metering their bill based on how far and when they drive, as well as other factors.

(U) To get a sense of the extent of the use of these jammers and the reliability of GPS signals, the UK's National Physical Laboratory is taking part in a research project called SENTINEL, along with a coalition of other organizations and companies led by navigation equipment manufacturer Chronos Technology. So far, the project has installed 20 sensors at roadside locations throughout the UK to detect GPS jamming "incidents." Over the last six months, one sensor alone recorded over 60 incidents of GPS jamming. Another GPS jamming "probe" produced results that led to law enforcement retrieving a jamming device based on the regularity of its use.
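(U) The last sentence above is the interesting one for a defender: a jammer was recovered because it appeared at the same sensor at the same time of day again and again. The following added example, which is not SENTINEL's or Chronos Technology's code, shows that analysis over a constructed incident log of the kind such roadside probes would produce (sensor id plus timestamp). It buckets each sensor's incidents by minute-of-day slot and reports the slots that recur on several distinct days. Sensor names, timestamps, the 10-minute window and the three-day threshold are all invented for the illustration.

```python
"""Find a regularly used jammer in roadside sensor logs (added example).

Each record is "sensor,ISO-8601 time". Incidents are grouped per sensor into
fixed minute-of-day slots; a slot that recurs on enough distinct days points
to a jammer that passes that sensor on a routine (e.g. a daily commute).
"""
from collections import defaultdict
from datetime import datetime

WINDOW_MIN = 10   # assumed: incidents within the same 10-minute slot count as "the same time"
MIN_DAYS = 3      # assumed: a slot seen on at least this many distinct days is "regular"

# Constructed incident log; S01 shows a weekday-morning pattern, S02 is random noise,
# S03 has only two matching days and so stays below the threshold.
LOG = """\
S01,2012-01-09T07:42:10
S01,2012-01-10T07:45:03
S01,2012-01-11T07:40:55
S01,2012-01-12T07:47:31
S01,2012-01-10T16:20:00
S02,2012-01-09T11:05:12
S02,2012-01-15T02:33:40
S02,2012-01-20T19:12:05
S03,2012-01-09T07:44:00
S03,2012-01-11T07:41:20
"""


def parse_log(text):
    """Yield (sensor, datetime) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            sensor, stamp = line.split(",", 1)
            yield sensor, datetime.fromisoformat(stamp)
        except ValueError:
            continue   # a malformed record should not abort the whole sweep


def regular_slots(events, window_min=WINDOW_MIN, min_days=MIN_DAYS):
    """Map sensor -> {slot: number of distinct days} for slots that recur on at
    least `min_days` days. With a 10-minute window, slot 46 is 07:40-07:49."""
    days_by_slot = defaultdict(lambda: defaultdict(set))
    for sensor, ts in events:
        slot = (ts.hour * 60 + ts.minute) // window_min
        days_by_slot[sensor][slot].add(ts.date())
    result = {}
    for sensor, slots in days_by_slot.items():
        hits = {slot: len(days) for slot, days in slots.items() if len(days) >= min_days}
        if hits:
            result[sensor] = hits
    return result


def describe(slot, window_min=WINDOW_MIN):
    """Human-readable start of a slot, e.g. 46 -> '07:40'."""
    start = slot * window_min
    return f"{start // 60:02d}:{start % 60:02d}"


if __name__ == "__main__":
    for sensor, hits in regular_slots(parse_log(LOG)).items():
        for slot, ndays in hits.items():
            print(f"{sensor}: jamming around {describe(slot)} on {ndays} distinct days")
```

On the constructed log only S01 is reported (four mornings in the 07:40 slot); S03 has the same morning pattern on two days and stays below the threshold. Fixed slots do split events that straddle a boundary (07:49 and 07:51 land in different slots), so a production version would use a sliding window or cluster the times, but the idea is unchanged: regularity, not a single loud event, is what makes a jammer attributable.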

(U) COUNTERTERRORISM THREAT ITEMS FROM THE PRESS:

(U) 'Sovereign Citizen' Movement Now on FBI's Radar (Sacramento Bee, 26 FEB 2012)

(U) With the FBI pounding on his door, and his wife and two children barely awake, Shawn Rice allegedly strapped on a bulletproof vest, grabbed a semiautomatic pistol and stepped out his back door on Dec. 22. But dozens of FBI agents and local police had surrounded the ranch house in Seligman, Ariz., about 80 miles west of Flagstaff, and the only nearby cover was knee-high sagebrush. Rice ducked back inside, and warned the FBI to keep away. After a tense 10-hour standoff, Rice, 49, was arrested. He now sits in a Las Vegas jail awaiting trial on federal money-laundering charges.

(U) But it wasn't Rice's alleged offense alone that prompted the FBI's interest. According to court papers, Rice was involved in the "sovereign citizen" movement, a group that has attracted little national media attention but which the FBI classifies as an "extremist antigovernment group." So-called sovereign citizens argue that they are not subject to local, state or federal laws, and some refuse to recognize the authority of courts or police.

(U) Since 2000, members of the movement have killed six police officers, and clashes with law enforcement are on the rise, according to the FBI. The deadliest incident came in 2010, when a shootout with a member left four people dead, including two police officers, during what began as a routine traffic stop in West Memphis, Ark. Since then, in a notable shift in policy, federal officials have stepped up their attention on sovereign citizens. "We are focusing our efforts because of the threat of violence," said Stuart R. McArthur, a deputy assistant director in the FBI's Counterterrorism Division.

(U) In two recent unpublished studies, the Homeland Security Department and the National Counterterrorism Center ranked the sovereign citizen movement as a major threat, along with Islamic extremists and white supremacists. The FBI assigned a supervisor to coordinate investigations of the movement last year. "This is a movement that has absolutely exploded," said a senior fellow at the Southern Poverty Law Center, a nonprofit organization based in Montgomery, Ala., that tracks domestic terrorists and hate groups. More than 100,000 Americans have aligned themselves with the sovereign citizens, the center said.

(U) Adherents cite a patchwork of beliefs, including that the United States is essentially under martial law, that some US constitutional amendments are invalid, and that dollars have been illegitimate since the US Treasury went off the gold standard during the Great Depression. Most important, some followers believe they are entitled to use armed force to resist arrest and fight police. The FBI also is investigating followers for alleged mail fraud and harassment of federal officials through nuisance lawsuits and property liens. Such cases are clogging courts in every state, said Casey Carty, who heads the FBI's sovereign citizen unit.

(U) Until recently, federal officials had steered clear of any extensive focus on right-wing extremist groups. In 2009, some members of Congress complained after a Homeland Security Department report warned that such groups might seek to recruit disaffected military veterans returning from Iraq and Afghanistan, as well as others. The report highlighted several groups, including the sovereign citizen movement. Bowing to the criticism, Homeland Security officials gutted the office that had focused on right-wing extremism. They also canceled planned presentations and shelved a reference guide that the office had produced to inform local police about the movement. "The topic had become too politically charged," said the manager who headed the team that wrote the 2009 report.

(U) That changed after the West Memphis shootout with Jerry Kane Jr., a sovereign citizen proponent who had traveled the country offering $100-a-head seminars that taught spurious ways to avoid paying taxes, among other movement tactics. Kane and his 16-year-old son, Joseph, were killed in the shootout. Also killed was Police Sgt. Brandon Paudert, son of the local police chief, Bob Paudert. Paudert had never heard of the sovereign citizen movement until that day. Now retired, he has spoken to more than 75 law enforcement groups around the country warning of its danger. Paudert remains angry that Kane wasn't identified as potentially armed and dangerous in the FBI-run database that local police normally access for warrants and other data when they stop a vehicle. He wants the FBI to change the database to flag known sovereign citizen adherents. "If we had that, (my son) would have immediately called for backup," Paudert said. "He would be alive today."

(U) Analyst Comment: There have been incidents of individuals with sovereign citizen-type identification stopped by law enforcement officers in Florida, but there have been no cases of violence during these stops.


(U) NYPD Intelligence Director Mitchell Silber Warns Iran's First Target Is 'Essentially' New York (Huffington Post, 15 FEB 2012)

(U) As tensions continue to rise in the Middle East, there are increasing concerns over a potential attack by Iran and some experts believe New York City could be the number one target. The NYPD's director of intelligence analysis Mitchell Silber warns, "Iran is the subject of the vast majority of our discussions right now. This, right now, is a front-burner issue. I hesitate to say it's No. 1, because we don't want to ignore the other threats, but right now, it's essentially No. 1."

(U) In an editorial for the Wall Street Journal, Silber detailed the dangerous effects that could develop in light of the escalating conflict involving Iran's nuclear program and mounting fears of an imminent war between Iran and Israel. Silber says that New York, with its large Jewish population, is an "increasingly attractive target" and points to the presence of Hezbollah and terrorism supporters in the city and surrounding areas. Recalling various terrorism-linked, post September 11th incidents, Silber concludes, "The NYPD must remain vigilant in attempting to detect and disrupt any attack by Iran or its proxies. Anything less would be abdicating our duty to protect New York City and its residents."

(U) Al Qaeda Terrorist Dad Sent To Jail For 4 1/2 Years For Lies To FBI (New York Daily News, 10 FEB 2012)

(U) The father of Al Qaeda terrorist Najibullah Zazi was sentenced Friday to 4 1/2 years in prison for obstructing the probe of his son's plan to detonate bombs in Manhattan subway trains. Mohammed Wali Zazi was convicted last summer by a Brooklyn jury of lying to the FBI and ordering family members to destroy Najibullah's bomb-making materials in Denver before the cache of chemicals, bleach, goggles and masks could be found by the FBI. He was also found guilty of visa fraud involving a nephew. The federal judge rejected the government's urging to wallop Zazi with a 30-year term for hindering a terrorism investigation.

(U) But the judge observed Zazi remains delusional about his evil son. "I'm surprised at the almost complete absence of remorse," he said. "When someone's going to bomb the New York City subway system, every lie matters. It's the difference between life and death of large numbers of people." Zazi, 56, still refuses to believe his son is a terrorist. "My son was pressured (to plead guilty) and I don't think he was involved in wrongdoing," said Zazi, a US citizen who emigrated from Afghanistan.

(U) Prosecutors concede there is no evidence that Najibullah told his father of the impending attack, which was planned for the week of the 9/11 anniversary in 2009. A defense lawyer called the elder Zazi a "proud American." "He fervently believed in the American Dream and wanted to give his children American opportunities that he never had," she said. Najibullah Zazi and co-conspirator Zarein Ahmedzay pled guilty to their crimes and are cooperating with the government. The would-be bombers attended Flushing High School and later became radical, traveling to Pakistan where they received military training at an Al Qaeda terror camp in Waziristan. A third conspirator, Adis Medunjanin, of Queens, goes on trial in April. The attack was meant as retaliation for the presence of US troops in Muslim countries and the perceived mistreatment of Muslims overseas, said prosecutor Berit Berger.

Photo: Mohammed Wali Zazi, the father of would-be subway terrorist Najibullah Zazi.

(U) US Capitol Suicide Bomb Plot Foiled: How to Catch a 'Lone Wolf' (The Christian Science Monitor, 18 FEB 2012)


(U) The arrest of Amine El Khalifi, a Moroccan man suspected of plotting to blow himself up inside the US Capitol, shows how law enforcement has fine-tuned techniques to stop lone wolf terrorists. Long a mainstay of the drug war, undercover agents have found a new calling in netting so-called "lone wolf" terrorists, including playing a major role in the case of El Khalifi, who was arrested in February after he allegedly set in motion a plot to blow himself up inside the US Capitol in hopes of killing at least 30 people.

(U) The arrest was the latest in a long string of foiled plots with undercover agents at the heart of investigations. Not thought to be affiliated with Al Qaeda, Mr. El Khalifi worked with what he thought was an Al Qaeda associate to take possession of a weapon and a suicide bomb vest, both of which turned out to be fakes provided by an undercover agent who had gained the man's confidence. According to security experts, the US law enforcement approach is to identify potential lone wolf plotters, usually through tip-offs or online activity, and then deploy squads of covert agents to glean details of the plot. If the suspected terrorist is seen to be seriously planning an attack, agents will scheme to assist in the attack to create a record that can be later used in court.

(U) The tactic has proven highly effective, playing a role in almost all of the 36 homegrown terror plots authorities have unraveled in the last three years. Since 2009, according to one senior US terrorism official quoted by CNN, all terrorist plots in the West have been the work of lone individuals, sparking President Obama last August to call such threats "the most likely scenario that we have to guard against right now." At the same time, security officials aren't convinced that using undercover agents to act as accomplices has actually proven effective in defusing the overall threat of lone wolf terrorism.

(U) “While this approach has proven very effective in catching would-be terrorists, it is not at all clear whether it is something that actually is eliminating, or accelerating, the problem of lone wolf terrorism,” writes an associate fellow at the International Center for the Study of Radicalization, in a recent Homeland Security Today article. “The approach of identifying possible lone wolves and then persuading them that they are part of a plot might be having the effect of turning armchair observers into active radicals. Who is to say they would have progressed to the point of actually carrying out an attack if they had not had the support of the network of undercover law enforcement operatives around them?”

(U) In lone wolf investigations, undercover agents are the horn of a vast surveillance cast net built up under the Department of Homeland Security since the 9/11 terror attacks, part of a growing, largely secret, bureaucracy in Washington profiled by the Washington Post in its “Top Secret America” series last year. Authorities in the Khalifi case were tipped off to the would-be bomber early last year when his landlord suspected a home “luggage business” was a front for bomb-making activities. The tip-off began the meshing of the nation's surveillance gears, as the capitol region's Joint Terrorism Task Force, a conglomerate of local, state and federal law enforcement officers, swooped in to start surveillance.

(U) According to John Miller, a former assistant FBI director, the JTTF moved swiftly to ascertain Khalifi's intentions and document his plan. “By ... December, [agents] had introduced El Khalifi to 'Hussein,' who was cooperating with the FBI,” Mr. Miller writes for CBS News. “On Dec. 1, 2011, 'Hussein' drove El Khalifi to Baltimore to meet with a shadowy figure named Yusuf. Hussein told El Khalifi that Yusuf was a man who could help him realize his goal: To attack America. Yusuf claimed to be from al Qaeda, but was actually an undercover officer working for the JTTF.” Similar tactics were employed by JTTF offices against other recent alleged terror plotters, including Jose Pimentel, who was arrested in November for plotting attacks on targets in New York, as well as in the case of Rezwan Ferdaus of Massachusetts, who was arrested in September 2011 for allegedly planning to fly bomb-filled remote controlled airplanes into the dome of the US Capitol.


(U) El Khalifi, who came to the US as a teenager, was in the country illegally, but had flown for years under the radar of immigration authorities. A number of questions confronted the FBI and other federal authorities as they watched him, including whether moving in and arresting him would scatter other potential accomplices into the shadows. That question became moot in February as El Khalifi began putting his plan into motion. He was arrested, authorities say, near the Capitol, wearing the non-functioning suicide vest provided to him by the undercover agent.

(U) DC Terrorism Case: Suspect Told Others to Be Ready For Battle, Authorities Said (Mass Live, 18 FEB 2012)

(U) The Moroccan man accused of plotting to carry out what he thought would be a suicide bombing at the US Capitol told acquaintances that America's war on terrorism was a war on Muslims and that they needed to be ready for battle, according to authorities. Then the 29-year-old unemployed man started preparations of his own and believed he was working with an al-Qaida operative on the plot, according to court documents and an affidavit. A man brought him an automatic weapon. He got a suicide vest, scouted out targets and practiced setting off explosives, the documents say.

(U) In February, Amine El Khalifi's goal to detonate the vest at the Capitol ended with his arrest in an FBI sting, said US authorities who had been monitoring him for nearly a year. Undercover operatives, not an al-Qaida representative as he believed, gave him a gun and explosives that didn't work, according to an affidavit. He had those items with him when he was taken into custody at a parking garage near the Capitol, a counterterrorism official said. He was charged in a criminal complaint with knowingly and unlawfully attempting to use a weapon of mass destruction against property that is owned and used by the United States.

(U) El Khalifi, who is not believed to be associated with al-Qaida, expressed interest in killing at least 30 people, officials said. Two people briefed on the matter told The Associated Press the FBI has had him under surveillance around the clock for several weeks. They spoke on condition of anonymity because they were not authorized to speak publicly. He came to the United States when he was 16 years old and overstayed his visitor visa, which expired in 1999, making him in the country illegally, according to court documents.

(U) Before settling on a suicide bombing plot, he considered targeting an office building in Alexandria where military officials worked, and a restaurant in Washington where military officials gathered. He even purchased nails for the operation, according to the affidavit. But he settled on the Capitol after canvassing that area a couple of times, the counterterrorism official said. He met with an undercover law enforcement officer, who gave him an automatic weapon that didn't work. El Khalifi carried the firearm around the room, practiced pulling the trigger and looked at himself in the mirror. He later asked his associates for more explosives that could be detonated by dialing a cell phone number. In January, he told an undercover agent he wanted to know if an explosion would be large enough to destroy an entire building. The same month, he went with undercover operatives to a quarry in West Virginia to practice detonating explosives, according to court documents.

(U) El Khalifi's activities drew the suspicions of a former landlord in Arlington, who called police a year and a half ago. The landlord said when he told El Khalifi to leave, the suspect said he had a right to stay and threatened to beat him up. The former landlord said he thought El Khalifi was making bombs, but police told him to leave the man alone. The landlord had El Khalifi evicted in 2010. El Khalifi had at least one man staying with him and claimed he was running a luggage business from the apartment, the landlord, Dynda, said, doubting that was true because he never saw any bags. "I reported to police I think he's making bombs," the former landlord said. "I was ready to get my shotgun and run him out of the building, but that would have been a lot of trouble."


(U) A Dar Al-Hijrah Islamic Center imam, who along with other Muslim leaders meets regularly with the FBI, said he was contacted by an agency official after El Khalifi's arrest and was told that El Khalifi was not someone he needed to worry about. He said the official told him that El Khalifi was "not a regular at your mosque or any mosque in the area." He said he offered to supply the FBI with surveillance video of the mosque in Falls Church, Va., in case it helped with their investigation, but was told that it was not necessary.

(U) Police are close to arresting one of El Khalifi's associates on charges unrelated to the terror conspiracy, the counterterrorism official said. The associate was said to also be a Moroccan, living here illegally. Police are investigating others El Khalifi associated with, but not because they believe the associates were part of a terror conspiracy, the official said.

(U) Analyst Comment: This article highlights that violent extremists conduct pre-operational surveillance of intended targets. In this case, the attacker first planned to target military personnel, but then chose a more accessible target, the US Capitol, perhaps because the more crowded area offered greater casualties. Public and private sector security officials should be alert to, and report, all suspicious activity related to surveillance and pre-operational planning.

(U) Group Admits London Stock Exchange Bomb Plot (BBC, 01 FEB 2012)

(U) Four men inspired by al-Qaeda admitted in February to planning to detonate a bomb at the London Stock Exchange. Mohammed Chowdhury, Shah Rahman, Gurukanth Desai and Abdul Miah pleaded guilty to engaging in conduct in preparation for acts of terrorism. The men planned to terrorize people and to damage the economy and property. The men, from London and Cardiff, were arrested in December 2010 and were set to stand trial at Woolwich Crown Court. Five other men have pleaded guilty to other terrorism offences and all nine were sentenced in mid-February. The men, who are all British nationals, had been inspired by the preachings of the recently-killed radical extremist Anwar al-Awlaki.

(U) Were they realists or fantasists?

(U) They were certainly dangerous enough for the police and MI5 to have placed them under surveillance, and ultimately arrest them. The homes of some of them had been searched as long ago as 2008. At the end of 2010 two of them scouted high-profile targets in London and discussed with others the possibility of blowing up the London Stock Exchange. Others talked about putting bombs in the post, even suggesting one be hidden in a toy doll. The men from Stoke got as far as pondering the logistical problems of religiously observant Muslims planting bombs in pub toilets. And they were surveillance-aware too, warning each other about the possibility of bugs in their cars, and meeting outdoors in secluded places like country parks. No explosive materials were bought, and no bombs planted. But that may have been different had they not been arrested.

(U) Fantasy could have become reality.

(U) It emerged that those who admitted planning to target the London Stock Exchange wanted to send five mail bombs to various targets during the run up to Christmas 2010 and discussed launching a "Mumbai-style" atrocity. A hand-written target list discovered at the home of one of the men listed the names and addresses of London Mayor Boris Johnson, two rabbis, the US embassy and the Stock Exchange. The conspiracy was stopped by undercover anti-terror police before firm dates could be set for attacks. The terrorists met because of their membership of various radical groups and stayed in touch over the internet, through mobile phones and at specially arranged meetings. They gathered in parks in a bid to make surveillance difficult.

(U) The court heard that Chowdhury, 21, and his London accomplice Rahman, 28, were followed by undercover detectives on 28 November 2010, observing Big Ben, Westminster Abbey, the London Eye and the Palace of Westminster. Chowdhury, of Stanliff House, Tower Hamlets and Rahman, of St Bernard's Road, Newham, admitted preparing for acts of terrorism by planning to plant an improvised explosive device in the toilets of the London Stock Exchange. A jury had been sworn in to hear the trial before the defendants changed their pleas to guilty.

(U) How the plot unfolded: the conspiracy developed over six weeks in late 2010, before the police arrested the nine men:

7 November 2010: Group meet in Roath Park, Cardiff, to discuss their ambitions
28 November 2010: Chowdhury, Rahman, Miah and Desai meet in London to discuss targets and methodology
12 December 2010: Another group meeting at Cwmcarn Country Park, near Caerphilly. Stock Exchange discussed
14 December 2010: Stoke defendants discuss their own plans, under surveillance
20 December 2010: Police arrest suspects in early hours

(U) Addressing the jurors as they were discharged, a prosecutor said that the four involved in the Stock Exchange plot had not intended to maim and kill. "Their intention was to cause terror and economic harm and disruption. But their chosen method meant there was a risk people would be maimed or killed," he said. The men admitted the offences after a special hearing which allows a defendant to hear from the judge what sentence they may receive if they plead guilty on the eve of a trial.

(U) Chowdhury was told by the judge that he would receive 18-and-a-half years and Rahman was told he would receive a maximum of 17 years. Brothers Gurukanth Desai, 30, of Albert Street, Cardiff, and Abdul Miah, 25, of Ninian Park Road, Cardiff, also admitted the same count, namely preparing for acts of terrorism by planning to plant an improvised explosive device in the toilets of the London Stock Exchange. Meanwhile, Omar Latif, 28, of Neville Street, Cardiff, admitted attending meetings with the intention of assisting others to prepare or commit acts of terrorism.

(U) Four of the nine-man group are from Stoke-on-Trent, Staffordshire. The quartet talked about leaving homemade bombs in the toilets of their city's pubs and discussed travelling abroad for terror training. Three of the Stoke contingent admitted a lesser, specific charge, engaging in conduct for the preparation of terrorism between 1 November and 21 December 2010, namely travelling to and attending operational meetings, fundraising for terrorist training, preparing to travel abroad and assisting others in travelling abroad. Usman Khan, 20, of Persia Walk, Mohammed Shahjahan, 27, of Burmarsh Walk, and Nazam Hussain, 26, of Grove Street, all of Stoke, admitted attending operational meetings in Roath Park, Cardiff, on 7 November and in a Newport country park on 12 December. The fourth Stoke defendant, Mohibur Rahman, 27, of North Road, admitted possessing two editions of the al-Qaeda magazine Inspire for terrorist purposes.

(U) Protect the public


(U) Following the guilty pleas, DAC Stuart Osborne, senior national coordinator of Scotland Yard's counter-terrorism team, said: "We welcome the guilty pleas entered by all nine defendants today, following what was the largest counter terrorism operation of 2010. The investigation was coordinated by the West Midlands Counter Terrorism Unit, working in close partnership with the national CT network, Staffordshire, South Wales and Metropolitan Police, the Security Service and Crown Prosecution Service. Our priority is, and always will be, the protection of the public." Bob Quick, the country's most senior anti-terrorism police officer until 2009, said it was an important case, with serious acts being planned. "It serves to remind us that there are still people out there in the country that are prepared to contemplate, conspire and even perpetrate serious acts of terrorism."

(U) The Liberal Democrat peer Lord Carlile, the government's former independent reviewer of terrorism legislation, said the case showed the value of the new law that made preparing for terrorism a criminal offence. But he added he was disappointed the control orders had been abandoned for "the wrong political reasons". "They should have remained in place until at least after the Olympic Games. I hope we will not rue the abandonment of control orders particularly with the tool of re-locating people who are suspected of being terrorists away from their normal home environment," he said.

(U) Florida Bomb Plot Suspect Pleads Not Guilty (CNN.com, 09 FEB 2012)

(U) A Florida man accused of planning to use explosives and weapons "to create mayhem" in Tampa pled not guilty in February to charges of attempted use of a weapon of mass destruction. A criminal complaint alleged that Sami Osmakac, a naturalized American born in Kosovo, planned a car bombing that would be followed by hostage-taking and the explosion of a suicide belt he planned to wear. "We all have to die, so why not die the Islamic way?" Osmakac allegedly told an undercover FBI employee, according to the complaint. He said in a martyrdom video message recorded shortly before his arrest in early January that he wanted "'pay back' for wrongs he felt were done to Muslims," the complaint said. Osmakac, in his mid-20s, entered a written not guilty plea in the US District Court in Tampa.

(U) Authorities have said that the alleged bomb plot was foiled thanks to the local Muslim community and law enforcement. "When a person's got an AK-47 which he believes is operable, when he has explosives which he believes are real, and when he has an explosive pack and a car bomb which ... he is going to utilize against Americans, that makes it a crime," the US attorney for the Middle District of Florida said in January. "Was it real? It was very real." The US attorney added that, through the local Muslim community, "we were able to know that this person had this ideology and wanted to commit a crime." Steve Ibison, who heads the FBI's Tampa office, called assistance from members of the Muslim community "very significant" throughout the investigation. Osmakac did not appear to have any ties to al Qaeda, officials said.

(U) The federal investigation of Osmakac began in September after a source told the FBI that Osmakac, a resident of Pinellas Park, Florida, "asked for al Qaeda flags," the complaint said. By November, he was discussing potential terror targets in Tampa and asked for the confidential source's help in getting guns and explosives for the attacks, the complaint said. The government's source introduced Osmakac to an undercover FBI employee, which led to a December 21 meeting during which the suspect said "he wished to acquire an AK-47-style machine gun, Uzi submachine guns, high capacity magazines, grenades and an explosive belt," the complaint said. He later allegedly gave the FBI employee a $500 down payment for the weapons, according to the document. His alleged bomb targets included night clubs in the Ybor City area of Tampa, a bar, the operations center of the local sheriff's office and a business in the South Tampa area, the government said. FBI agents arrested him on January 7, just after he made the video explaining his motives.

(U) This bulletin has been prepared by the Tampa Division of the FBI.


(U) If you are a security officer, foreign sales representative, or employee of a business or company in Florida, you may receive unsolicited, suspicious emails from a foreign company or individual asking specific and detailed questions about your products, or inquiries about starting a joint venture or other commercial relationship. Your company or agency may also host foreign visitors or delegations that ask specific questions about, or seek access to, technology or information outside the scope of their visit. If you have incidents like these to report, please contact FBI Strategic Partnership Coordinator Patrick Laflin at 813-253-1029. Please note, cleared defense contractors are required under the NISPOM to submit suspicious contact reports to their Defense Security Service (DSS) representative.

PRESENTATIONS AND OUTREACH

The CI Strategic Partnership Newsletter is a product of the FBI’s Counterintelligence Program Coordination Section which plays a key role in protecting our sensitive technologies from our adversaries.

The Challenge: to protect United States sensitive information, technologies and thereby competitiveness in an age of globalization.

Our Solution: to foster communication and build awareness through partnerships with key public and private entities, by educating, and enabling our partners to identify what is at counterintelligence risk and how to protect it. We call it “knowing your domain”— identifying the research, information and technologies that are targeted by our adversaries, and establishing an ongoing dialog and information exchange with partners, the goal of which is to change behaviors and reduce opportunities that benefit the opposition’s efforts.

The United States is a world leader in innovation. Consider the breakthrough research and development that is taking place on the nation's campuses and in research facilities, often on behalf of the government. Sensitive research, much of which occurs in the unclassified realm, is the key to our nation's global advantage, both economically and militarily.

The Counterintelligence (CI) Program Coordination Section is responsible for determining and safeguarding those technologies which, if compromised, would result in catastrophic losses to national security. Through our partnerships with businesses, academia, and US Government agencies, the FBI and its counterintelligence community partners are able to identify and effectively protect projects of great importance to the U.S. Government. This provides the first line of defense inside facilities where research and development occurs and where intelligence services are focused.

The FBI's outreach efforts continue to evolve. This newsletter is one way we hope to expand our outreach to the elements of our "CI Domain." We continue to contact businesses and organizations with which we have not yet made personal contact. In support of its Counterintelligence Domain/Strategic Partnership Program, the Federal Bureau of Investigation hosts an annual Research and Technology Protection (RTP) Conference for Facility Security Officers and RTP Professionals. Unclassified presentations address specific country threats to your technology, industrial and economic espionage, counterintelligence threat issues, and computer intrusion/cyber threat matters. The annual RTP Conference is offered in two locations during the year: Orlando and Clearwater.

The FBI's Domain/Strategic Partnership Program seeks to interface with private industry, high tech companies, research institutes, any stakeholder and/or contractor that design, develop, produce, and distribute critical information and technologies. Our job is to establish contact with these "Domain entities" in our territory, and assist them to better understand the foreign intelligence threat, and improve their ability to institute protective mechanisms. In addition to hosting an annual Research Technology Protection (RTP) Conference for security professionals, we also provide security awareness threat briefings to our defense contractor partners, high tech companies and research institutes. To schedule CI, cyber, security, education, training and awareness briefings, contact the Tampa Domain/SPC. You may also be interested in scheduling a presentation of the FBI video “BETRAYED” followed by Q&A.

"Betrayed" presents a scenario in which an FBI Intelligence Analyst is slowly but steadily compromised by a series of steps that ultimately leave him working on behalf of a foreign intelligence service. The video clearly demonstrates the traits and activities of individuals who are involved in stealing classified information (or even proprietary information and trade secrets). The video also shows the passivity of co-workers who have clearly seen suspicious activity by the Intelligence Analyst, and how their failure to report it exacerbates the situation.

The Tampa Field Office Counterintelligence Strategic Partnership Program Coordinator: James “Pat” Laflin ([email protected]) 813.253.1029

Federal Bureau of Investigation

5525 West Gray Street Tampa, FL 33609 Phone: 813.253.1000

UNCLASSIFIED 61