The CI Shield Your Counterintelligence News Source

Volume 2, Issue 19 28 May, 2010

Experts: Google China cyberattack part of vast espionage campaign The Washington Post, 14 Jan 10: Computer attacks on Google that the search giant said originated in China were part of a con- Overview: This certed political and corporate espionage effort that exploited newsletter presents real security flaws in e-mail attachments to sneak into the networks of world examples of major financial, defense and technology companies and threats posed against research institutions in the United States, security experts said. At corporate proprietary least 34 companies -- including Yahoo, Symantec, Adobe, and U.S. military Northrop Grumman and Dow Chemical -- were attacked, technologies. according to congressional and industry sources. Google, which disclosed on Tuesday that hackers had penetrated the Gmail accounts of Chinese human rights advocates in the United States, Europe and China, threatened to shutter its operations in the country as Goal: Educate readers a result. Human rights groups as well as Washington-based think tanks that have helped for methods used to shape the debate in Congress about China were also hit. Security experts say the attacks exploit, compromise, showed a new level of sophistication, exploiting multiple flaws in different software pro- and / or illegally obtain grams and underscoring what senior administration officials have said over the past year is information or an increasingly serious cyber threat to the nation's critical industries. "Usually it's a group technologies using one type of malicious code per target," said Eli Jellenc, head of international cyber- intelligence for VeriSign's iDefense Labs, a Silicon Valley company helping some firms in- vestigate the attacks. "In this case, they're using multiple types against multiple targets -- Source: This newsletter but all in the same attack campaign. That's a marked leap in coordination." While it's diffi- incorporates open cult to say with certainty where a cyberattack originated because the Internet allows source news articles as hackers to seemingly crisscross country borders and time zones in seconds, the issue is a training method to quickly turning into a source of diplomatic tension. The standoff between Google and educate readers on China touches on the most sensitive subjects in U.S.-China relations: human rights and cen- security matters in sorship, trade, intellectual property disputes, and access to high-tech military technology. compliance with USC "The recent cyber-intrusion that Google attributes to China is troubling, and the federal Title 17, section 107, government is looking into it," White House spokesman Nick Shapiro said. He added that Paragraph a. President Obama made Internet freedom "a central human rights issue" on his trip to China last fall. Since it began operations in China five years ago, Google had agreed in theory to filter sensitive searches but clashed with the Chinese government on what material was covered, and the company regularly found its service blocked when it defied its hosts. China's state media reported that the government is looking into Google's claims.

In China, news about Tuesday's public rebuke by Google was heavily censored except for a stinging opinion piece in the official People's Daily that called the Silicon Valley tech gi- ant a "spoiled child" and predicted that it would not follow through on its ultimatum. The INSIDE THIS ISSUE recent attacks seem to have targeted companies in strategic industries in which China is lagging, industry experts said. The attacks on defense companies were aimed at gaining information on weapons systems, experts said, while those on tech firms sought valuable source code that powers software applications -- the firms' bread and butter. The attacks Experts: Google China cyber 1 also focused on obtaining information about political dissidents. Adobe, a software maker, attack part of vast espionage confirmed on Wednesday that it learned of the attacks on Jan. 2 but said there was "no campaign evidence to indicate that any sensitive information . . . has been compromised," while Sy- SKorean, US firms embroiled in 2 mantec, which makes security software, said it is investigating to "ensure we are providing chip espionage case appropriate protection to our customers." Dow Chemical said that it has "no reason to be- Report: Son of Hamas founder 3 lieve that the safety, security and intellectual property of our operations are in jeopardy." was top Israeli agent Yahoo and defense contractor Northrop Grumman declined to comment on the attack. Ex-Pharmaceutical Worker 4 The attackers, experts said, followed the familiar "phishing" ruse: A recipient Accused of Secrets Theft

The Spy Kite 4 Continued on the next page

Page 1 The CI Shield

opens an e-mail that purports to be from someone he knows and, not suspecting malicious intent, opens an attachment containing a "sleeper" program that embeds in his computer. That program can be controlled remotely, allowing the attacker to access e-mail, send confidential documents to a specific address -- even turn on a Web camera or microphone to record what is going on in the room. In many cases, a user does not know he has been the victim of an attack. One type of attack exploits a flaw in Adobe Reader, a popular free program that allows e-mail users to The views expressed read .pdf document files. The flaw was made public Dec. 15 but fixed only on Tuesday -- the day in articles obtained Google announced that its systems had been compromised. Sara L.M. Davis, executive director of from public sources New York-based Asia Catalyst, which assists charities in developing countries, said she began to receive these fake e-mails shortly after the new year. The senders all appeared to be people with within this product do whom she regularly communicates. The subject lines contained topics -- "AIDS in China" or "Some not necessarily reflect photographs of you and Dr. Gao" -- that suggested familiarity with her and her organization. "If I those of the weren't already paranoid, I would have already opened one," Davis said. Google declined to pro- New Mexico vide details on what exactly the attackers took and whether it included any information about Counterintelligence super-secret search engine technology that drives the company's profits. Nart Villeneuve, a re- Working Group search fellow at the University of Toronto, has analyzed attack e-mails sent to human rights groups over the past few months. Villeneuve, who works at Citizen Lab, which focuses on Internet and politics, helped research GhostNet, a vast cyberspying operation revealed last year that appar- ently originated in China and targeted the office of the Dalai Lama, foreign embassies and gov- ernment offices. He said the GhostNet attack resembles the strategy used against Google, other U.S. companies and human rights groups this time around. The attack e-mails to the human rights The New Mexico organizations could mostly be traced to "command and control" computers in mainland China. Counterintelligence However, Jellenc said, the two attacks do not appear to have been carried out by the same Working Group group. In August, someone obtained a list of 5,000 subscribers to the China Leadership Monitor, a (NMCIWG) is respected quarterly publication from the Stanford University's Hoover Institution. The subscribers comprised of received a fake e-mail from a Gmail account purportedly from the publication but with an attach- ment that would take over their computers. Alice Miller, a visiting professor at Stanford and the counterintelligence, publication's editor, said she had worked with U.S. government investigators and said the attack cyber, intelligence originated in China. This is a big espionage program aimed at getting high-tech information and analysts, legal, and politically sensitive information -- the high-tech information to jump-start China's economy and the security professionals political information to ensure the survival of the regime," said James A. Lewis, a cyber and na- in the New Mexico tional security expert at the Center for Strategic and International Studies. "This is what China's business community leadership is after. This reflects China's national priorities."

SKorean, US firms embroiled in chip espionage case AP, 4 Feb 2010: SEOUL, South Korea – The world's top producers of computer memory chips are embroiled in an apparent case of industrial espionage after South Korean prosecutors indicted 18 people over alleged technology The NMCIWG theft. Prosecutors said Thursday those involved — including employees of U.S. membership includes company Allied Materials and its South Korean unit — are suspected of leak- ing semiconductor technology belonging to South Korea's Samsung Elec- representatives from tronics Co. to its domestic rival Hynix Semiconductor Inc. The case highlights the intense competi- these agencies: 902nd tion among chipmakers and other sellers of high tech products, who frequently sue each other MI, AFOSI, AFRL, over alleged patent infringements. Samsung and Hynix are the world's top two producers of dy- DCIS, DOE, DSS, namic random access memory, or DRAM, chips, used mostly in personal computers. Suwon, South DTRA, FBI, ICE, MDA, Korea-based Samsung is also the world's biggest manufacturer of NAND flash chips, used in digital NAG, NCIS, Sandia devices such as cameras, music players and smartphones. Hynix ranks No. 3 in NAND, behind Labs, and the U.S. Samsung and Japan's Toshiba Corp. Prosecutors indicted 18 people on Wednesday, though

Attorney’s Office Continued on the next page

Page 2 The CI Shield

14 were not physically detained ahead of trial, said Kim Yeong-cheol, a prosecutor handling the case. He said prosecutors were also seeking a former Samsung employee for questioning. The technology is believed to have been obtained by employees of the South Korean arm of Applied Materials Inc., a U.S. company that makes equipment for chip manufacturers including Samsung, and then passed on to Hynix, according to prosecutors. The local operation of Applied Materials had access to Samsung's "core technology" through installing and maintaining the company's chip manufacturing equipment, prosecutors said in a statement Wednesday. Indicted and being held were one employee each from Samsung and Hynix, the former head of the South Korean arm of Applied Materials — who currently serves as a vice president of the U.S. company — and one of The NMCIWG also the South Korean unit's current employees, prosecutors said. Kim, the prosecutor, said no decision has been made whether to seek extradition of a former Samsung employee who is working for produces a daily Applied Materials in the United States. That person is suspected of leaking Samsung technology to Cyber Threat Applied's South Korean arm, Kim said. Santa Clara, California-based Applied Materials said it was newsletter for aware of the actions by prosecutors and confirmed that its vice president and some employees of Applied Materials Korea were indicted and detained. "Applied believes that there are meritorious Information defenses to the charges and is taking appropriate measures to address this matter," the company Technology and said in a filing to the U.S. Securities and Exchange Commission on Wednesday. "Applied has strict Security policies in place to protect the intellectual property of its customers, suppliers, competitors and Professionals. To other third parties, and takes any violation of these policies seriously," the company said. Samsung, meanwhile, said it was concerned over the case and Hynix expressed "great regret." "We are very subscribe to this concerned by this transgression as it is likely to damage the semiconductor market," Samsung newsletter please spokeswoman Lee Soo-jeong said. "We plan to take appropriate measures." She said she could not click HERE. confirm whether a Samsung employee had been arrested. "Hynix expresses its great regret that our employees have gotten involved in this case," said spokeswoman Park Seong-ae. "We expect that the facts of the case shall be strictly investigated and clearly revealed." Park confirmed the arrest of a Hynix executive in the case, but did not elaborate.

Report: Son of Hamas founder was top Israeli agent AP, 25 Sep 10: JERUSALEM – The son of one of Hamas' founders served as a top informant for Israel for more than a decade, providing top-secret intelli- gence that helped prevent dozens of suicide bombings and other attacks against Israelis, a newspaper reported Wednesday. Mosab Hassan Yousef, To subscribe to this dubbed as "the Green Prince" by his handlers, was one of the Shin Bet security espionage newsletter service's most valuable sources, Israel's Haaretz daily said. His reports led to the arrests of several high-ranking Palestinian figures during the violent Palestinian please click HERE. uprising that began in 2000, according to the newspaper. Yousef's father — Sheik Hassan Yousef — was a founding member of the Islamic militant group Hamas in the 1980s. He is currently serving a In the email text six-year sentence in an Israeli prison for his political activities. The younger Yousef converted to please include the Christianity and moved to California in 2007. If the Haaretz report is true, the revelation would deal name of your another setback to Hamas, which is reeling from the assassination of a top operative in Dubai last month. There have been reports that a Hamas insider assisted the killers. Hamas spokesman Mushir employer, your name / al-Masri told a Gaza Web site that he would not address the younger Yousef's claims, and ac- job title / phone cused Haaretz of "fabrications and lies." Yousef's memoir, "Son of Hamas," is being published next number and if you are week in the United States by Tyndale House Publishers. Yousef could not be immediately con- tacted for comment, but an excerpt from the book on his Facebook page plugs it as "a gripping interested in having a account of terror, betrayal, political intrigue, and unthinkable choices." It describes Yousef's jour- NMCIWG ney as one that "jeopardized Hamas, endangered his family, and threatened his life." It also says representative contact Yousef's relationship with the Shin Bet helped thwart an Israeli plan to assassinate his father. Speak- you for additional ing with Haaretz, Yousef said Shin Bet agents first approached him in prison in 1996 and proposed he infiltrate the upper echelons of Hamas. He did so successfully and is credited by Israel with sav- cyber security or ing hundreds of Israeli lives. Yousef told the paper he hoped to send a message of peace to Is- counterintelligence raelis, though he remained pessimistic about the prospects for ending the Israel-Palestinian con- assistance. flict. He had particularly sharp comments for Hamas, the Iranian-backed movement that seized control of the Gaza Strip in 2007 and has been branded a terrorist organization by Israel and the

Continued on the next page

Page 3 The CI Shield

West. "Hamas cannot make peace with the Israelis. That is against what their God tells them. It is impossible to make peace with infidels," he told Haaretz. Shin Bet officials declined comment on the Haaretz article, but the techniques described in the report — recruiting a potential agent in jail and targeting a family member of a valuable target — are believed to be common tactics used by the agency. A former high-ranking Shin Bet official said he was not familiar with Yousef, but noted that only a handful of agents would even be aware of such a valuable source. The official spoke on condition of anonymity because of the sensitivity of the issue. The dramatic defection of Reminder: If you are someone of Yousef's stature is a huge setback to Hamas, says Martin Kramer, a senior fellow at the asked to provide Shalem Center, a conservative Jerusalem-based think tank. "This obviously is the sort of thing that sensitive / classified makes Hamas wonder whether there aren't still more informers in their ranks," he said. While sure to information that the damage Hamas, the book's publication could also embarrass Israel, said Ehud Yatom, a former requestor is not top Shin Bet official. "If the story is true, then he saved the lives of hundreds of people, but the dam- authorized to receive, age in revealing how he was recruited and how he operated could cause great damage," he told IMMEDIATELY notify Israel's Army Radio. "The damage that could be caused is in the little secrets of the recruitment your organization’s process." Yousef's family members were not immediately available for comment. counterintelligence officer or security Ex-Pharmaceutical Worker Accused of Secrets Theft manager Reuters, 3 Feb 10: A former pharmaceutical employee was charged with stealing company secrets and proprietary information as part of a plan to set up his own pharmaceutical company in India, the US Justice Department announced in Feb- ruary. Shalin Jhaveri, 29, had worked as a technical operations associate since November 2007, but was fired from the company's Syracuse facility on February Reminder: Email 2nd. "Jhaveri stole numerous trade secrets as part of a plan to establish a phar- poses a serious threat maceutical firm in his native India which would compete with the US company in to sensitive various markets around the world," the Justice Department said in a statement. If information. If you convicted, Jhaveri could face up to 10 years in prison and a $250,000 fine. He iss receive an email that accused of downloading more than 1,300 company documents to his laptop and portable hard seems suspicious do drives, according to an FBI affidavit filed in a New York federal court. "I have concluded that NOT open, delete, Jhaveri has taken confidential and proprietary documents from (the company) that have substan- print, or forward the tial value," said the affidavit by a FBI special agent. It did not state a specific value. Employed on email without the an immigrant worker's visa, Jhaveri had been taking part in a management training program at assistance of your the company. In the training program, Jhaveri was rotated through various departments, and the organization’s department he was in most recently was one of the more sensitive areas of the company. Com- counterintelligence pany corporate security officials notified its in-house computer security experts in December, 2009 officer or security that Jhaveri was taking confidential material. They learned days later that he planned to start a manager bio-pharmaceutical business in India with his father, the affidavit said. An FBI special agent said that on February 2nd, he observed a meeting at a hotel between Jhaveri and an unidentified indi- vidual from whom he believed could provide financing for the venture in India. The FBI rof docu- ments, understood that they were proprietary and confidential and that he had shown some of them to the unnamed individual who was not connected to the US company. The pharmaceutical Reminder: If you are company develops and manufactures biotechnology medicines for clinical and commercial use traveling out of the at the Syracuse facility. The US Attorney praised the cooperation between the FBI and the Immi- U.S., attending a gration and Customs Enforcement Service which participated jointly in the investigation. The Spe- scientific conference, cial Agent in Charge of the local FBI Field Office noted that theft of trade secrets and intellectual participating in a property has become a matter of increasing importance for federal law enforcement agencies DoD / scientific test who must, necessarily, pool their resources to address the growing problem. event or hosting a foreign national to The Spy Kite your home or facility Gadget Venue, 23 Jul 09: The Spy Kite is a kite that’s equipped with a digital you need to camera allowing you to grab pictures of the ground from 80 feet in the air. The immediately notify camera is secured to the underside of the kite and can be pre programmed to your organization’s capture images at 15, 30, 60 or 90 second intervals. 25 pictures can be stored counterintelligence at the highest resolution of 640 x 480 and this jumps up to 305 pictures of you officer or security use the 320 x 200 resolution. 4MB of memory is built in to store the images but manager to receive a unfortunately, you cannot upgrade this with an SD card or equivalent. To get the pictures from the threat briefing camera to computer you need a Windows based PC running either XP or Vista and the images are transferred via USB. Available from Hammacher for $89.95.

Page 4