
Counterintelligence and Cyber News and Views

September 2012 Volume 1 Issue 6

Inside this issue:

Pg. 1 Countering Insider Threat
Pg. 2 Foreign Travel Briefing Source
Pg. 6 Locks Computers
Pg. 7 Installed on Travelers' Laptops Software Updates on Hotel Internet
Pg. 7 OnGuardOnline.gov to help you be safe, secure and responsible online.
Pg. 8 DoD Efforts to Stop Unauthorized Disclosure of Classified Information
Pg. 9 Lieutenant colonel in soup for befriending ISI agent on Facebook
Pg. 9 Russian spies with Canadian links were prepping son for
Pg. 10 Spear Phishers Angling to Steal Your Financial Info
Pg. 10 Looks Too Good to be True
Pg. 11 Major fraud types on the internet
Pg. 12 Spies give way to 'sexy' social media
Pg. 13 Preventing Illegal Exports, Protecting National Security in Today's Global Market
Pg. 14 EBay's Security Efforts Lead to Massive Fraud Drop and 3K Arrests
Pg. 15 Cyber Related Threats Reported by the DHS Daily Open Source Infrastructure Report
Pg. 17 2012 Arrests or convictions for Export Violations, Economic Espionage
Pg. 18 Conspiracy to Illegally Export Military Plane Parts to Venezuela
Pg. 18 Attempting To Illegally Export Missile Components To Iran
Pg. 19 Army Translator gets 9+ Years for Unauthorized Possession of Classified
Pg. 19 18 Months in Prison for Acting as Unregistered Agent for Syrian Government
Pg. 20 Tried to Give Iran U.S.-Materials for Gas Centrifuges to Enrich Uranium
Pg. 22 Helping China Develop Helicopter
Pg. 24 Lady in Red's 'accomplice' is held over secret German files
Pg. 24 Sandia National Lab scientist charged
Pg. 25 Chinese National Charged with Illegal Export of Sensitive Technology to China
Pg. 25 Chemist at Pharmaceutical Company gets 18 Months for Theft of Trade Secrets
Pg. 25 Silicon Valley Engineer Convicted of Stealing Trade Secrets
Pg. 26 4 yrs. For stealing Motorola Trade Secrets before travel to China
Pg. 27 Consulate Guard Pleads Guilty to Trying to Pass Classified to China
Pg. 29 NSA Photo Gallery
Pg. 30 Advantage SCI Products, Services, Training

Corporate Headquarters
222 North Sepulveda Boulevard, Suite 1780
El Segundo, California 90245
(310) 536-9876
www.advantagesci.com

CI TRENDS

A CONTINUING DISCUSSION: COUNTERING INSIDER THREAT, BEST PRACTICES AND INFORMATION AND EDUCATION RESOURCES

In our last newsletter we began a discussion on the Insider Threat. Several readers expressed interest in the article and asked for more. Accordingly, we will continue that discussion in this issue of our newsletter.

As readers may recall, Executive Order 13587 titled “STRUCTURAL REFORMS TO IMPROVE THE SECURITY OF CLASSIFIED NETWORKS AND THE RESPONSIBLE SHARING AND SAFEGUARDING OF CLASSIFIED INFORMATION” was issued October 7, 2011.

One of the requirements established by EO 13587 was the creation of an interagency Insider Threat Task Force. The task force was to develop and publish a program and guidance government-wide for Insider Threat programs. Policies, objectives and priorities are to be established for a multi-disciplined approach to countering nefarious insider threats.

Not only will the policies developed by the interagency Insider Threat Task Force be implemented across government, there is no doubt that the commercial cleared defense sector will also be guided by these same or very similar policies.

Already we are seeing examples of this unfolding, as mandated within Department of Defense Instructions.

As an example, DoD Instruction 5240.26, May 4, 2012, includes taskings as highlighted below:

“DIRECTOR, DEFENSE SECURITY SERVICE (DSS). The Director, DSS, under the authority, direction, and control of the USD(I) and in addition to the responsibilities in section 8 of this enclosure, shall:

(continued on page 3)

NOTE: Much of the Information contained within this newsletter originates from websites maintained by agencies of the U.S. Federal Government. The original web address from which material has been derived is posted at the beginning of reproduced articles. Readers are always encouraged to visit the web address from which the article has been derived, in order to view the article in the original form in which it was presented. This newsletter also contains commentary from the editor of the newsletter. Such commentary is solely the opinion of the newsletter editor and does not represent the views of the U.S. Government, nor the agency originally presenting this information on the internet. Questions, comments, and subscription requests may be directed to the editor at [email protected] or to Richard Haidle at 310-536-9876 x237

iTravelSafe™

• Avoid Cultural Missteps
• Protect Your Business Secrets
• Avoid Crime and Scams Travelers Face

iTravelSafe™ The Advantage SCI App

Avoid getting “scammed” when traveling overseas. Read about frauds and scams related to international travel. Do you have elderly relatives traveling overseas? Gift them a copy of this App so they can be aware of scams targeting the elderly.

Sitting in the plane, holding your iPhone, thinking about your trip to Brazil…

“Hmmm. My phone is in “Airplane Mode” with no internet connection. I really wish I had read a bit more detailed information about traveling to Brazil, what I could do safely. But with no internet connection, I guess I can't do that, can I?”

“Wait a second!! I have the iTravelSafe™ app on my iPhone. All of the data I need is on my phone now. I can read it all even with no internet or cellular connection! Wow, that is really cool! Oh my, look here! I better not go on that hiking trip near Brazil's border regions, I might get kidnapped. Oh no, my planned charitable journey to Rio's shanty town is too dangerous. I'll have to call it off. It's a good thing I had iTravelSafe™ with me to tip me off to the danger!”

Are you a parent with a child spending a semester in an overseas study course? Make sure your children read the “Tips for Students” section of the iTravelSafe™ App.

Driving overseas? Read about driving in many of the more than 200 countries this App includes.

Advantage SCI's New Smartphone App: iTravelSafe™

iTravelSafe™ gives an organization an app for its employees traveling outside the U.S. to use as a “self-briefing” travel tool.

Read about hotel safety. Study up on tips about which business travelers need to be “savvy.”

Everything you see pictured here is a screenshot from the iTravelSafe™ App.

An Android version of this App is available for immediate purchase at the Google Play Store https://play.google.com/store/search?q=itravelsafe&c=apps, or an iPhone version at the iTunes Store http://itunes.apple.com/us/app/itravelsafe/id521506480?ls=1&mt=8.

Keep up to date with the latest Travel Alerts pushed out to iTravelSafe™ users immediately from the U.S. State Department.

Example of the screenshot, appropriate for the country to which it applies, will be sent to your device as soon as the U.S. State Department pushes out the notification of any Travel Alert

For volume sales, please contact Richard Haidle at 310-536-9876 x237 or email [email protected].


(Continued from page 1)

a. Ensure CI insider threat awareness and counter-measures information is included within security training.

b. Provide instruction and assistance to DoD-cleared defense contractors regarding CI insider threat awareness and reporting procedures.

COMMENT: DSS will certainly be tasked to monitor the implementation of Insider Threat Programs within cleared defense contractors. Beyond existing contractual requirements with US Government Customers, it is realistic for Cleared Defense Contractors to expect more comprehensive and detailed measures and requirements to be levied on them as implementation of the interagency Insider Threat Task Force policies are published. END COMMENT

HEADS OF THE DoD COMPONENTS. The Heads of the DoD Components shall:

a. Conduct authorized CI activities to detect, identify, assess, exploit, and deny FIE and the insider threat in accordance with this Instruction and DoD 5240.1-R (Reference (t)).

b. Share information provided by CI, security, IA, LE, and AT/FP working groups to effectively counter the CI insider threat.

c. Notify the appropriate MDCO or the Federal Bureau of Investigation (FBI) when there is a reasonable belief that a clandestine relationship exists or has existed between an FIE and an unidentified current or former DoD-affiliated individual in accordance with Enclosure 3, Reference (k), and DoDI 5240.04 (Reference (u)).

d. Incorporate CI insider threat information into CI, security, IA, LE, and AT/FP training in accordance with Reference (h) and DoDD 8570.01 (Reference (v)).

e. Establish and maintain the capability to support CI analysis of audit and monitoring data.

f. Consistent with authorized activities, implement CI insider threat initiatives to identify DoD-affiliated personnel suspected of or actually compromising DoD information on behalf of an FIE.

g. Report anomalies to the Director, DCHC, in accordance with Enclosure 3 and Reference (n).

h. Ensure notification to DSS when cleared contractor locations or personnel are involved, and that notification is coordinated with the FBI or applicable MDCO.

COMMENT: This formalizes what already is existing practice under contracts with US Government (USG) Customers. Contractors and USG customers should address exceptions to this in appropriate channels. END COMMENT

Enclosure 3 of DoD Instruction 5240.26 establishes a comprehensive list of procedures inherent to future Insider Threat programs. Enclosure 3 follows:

ENCLOSURE 3: PROCEDURES

1. UNKNOWN SUBJECT LEADS. Information based on a reasonable belief that a clandestine relationship exists or has existed between an FIE and an unidentified current or former DoD-affiliated individual shall be immediately reported and handled as follows:

a. DoD personnel shall immediately report such information to their organizational CI element, supporting MDCO, the FBI, or other appropriate authority in accordance with Reference (h).

b. Organizational CI elements that receive such information or develop the information during the course of a CI inquiry shall immediately notify DCHC and the supporting MDCO or the FBI in accordance with Reference (k).

c. MDCOs shall report such information to DCHC. This information supports the DCHC requirement to serve as the focal point and central repository for unknown subject leads, reports, and information in accordance with Reference (u).

d. DCHC personnel shall review and evaluate reports that indicate a CI insider threat from an unknown DoD-affiliated person. DCHC personnel shall attempt to identify the unknown individual's organizational affiliation and refer developed information to the appropriate MDCO or the FBI in accordance with Reference (u).

2. ANOMALIES

a. The DoD Components report anomalies to DCHC in accordance with Reference (n). This is done by memorandums within 5 working days, using the procedures established for CI inquiries and referrals in accordance with Reference (k).

b. DCHC shall share CI insider threat trends within the CI enterprise.

c. If no FIE connection is found, threat information shall be forwarded to the applicable law enforcement organizations.

d. If DCHC determines an anomaly warrants investigation, DCHC shall refer the matter to the appropriate MDCO or the FBI in accordance with Reference (u).

3. CI INSIDER THREAT PROGRAM ELEMENTS. The CI Insider Threat Program shall include:

a. CI Analysis of Information Technology Auditing and Monitoring. Mitigation tools are a collection of IA tools or a single application that provides standard on-line behavioral monitoring of prohibited activities, anomalous behavior, and suspicious actions. These automated systems shall have a standard data sharing capability to ease interoperability within DoD and the IC. The tools shall be supported by technical and analytical resources.

b. CI Insider Threat Awareness and Training. Awareness and training shall consist of integrated CI, security, IA, and AT/FP education programs addressing threats to personnel within the DoD Component in accordance with Reference (h). Education programs shall be mandatory, interactive, and address current and real threats in the work and personal environment.

c. Foreign Travel and Contact Reporting and Analysis. A process for DoD personnel, including contractor support, to report foreign travel and foreign contacts. The process includes foreign national visits to DoD and contractor facilities. The process shall be in accordance with Reference (h) and DoDD 5230.20 (Reference (x)). The process shall be integrated into component travel systems, as appropriate, to ensure proper notifications and that pre- and post-travel briefings are conducted.

d. Polygraph and Credibility Assessment. Polygraph and approved credibility assessment tools shall be used in accordance with Reference (l) to identify and resolve CI insider threat issues.

(1) Favorable CI scope polygraph (CSP) and expanded-scope screening exams shall be entered into the Joint Personnel Adjudication System and Scattered Castle system, to allow information to be shared with components and the IC, unless inputting the data will compromise the status or affiliation of the concerned individual.

(2) DoD Polygraph Program personnel shall report the results of unfavorable CSP examinations to the responsible authority for determination of access suitability, CI analysis, and further investigation, as appropriate.

(continued on page 4)


(Continued from page 3)

e. Personnel Security, Evaluation, Analysis, and Reporting. In accordance with DoD Manual 5200.01-V-3 (Reference (y)), both personnel security and CI professionals shall coordinate within their authorities when CI concerns are developed through the adjudicative process.

f. Security Incident Reporting and Evaluation. CI and security professionals shall coordinate to obtain records of security incidents, violations, suspicious incidents, and anomalies by DoD-affiliated persons in accordance with Reference (t).

g. Proactive CI Initiatives. The implementation of innovative activities to identify CI insider threats is a shared responsibility and mission for CI, security, IA, and AT/FP, while working in concert with the MDCOs and, as appropriate, the FBI, in accordance with existing policies and laws. Components shall coordinate innovative activities with their respective legal advisors before implementing.

COMMENT: Putting into place the resultant policies of the interagency Insider Threat Task force is not just applicable to DoD elements. As an example, comments from the FBI (see below hypertext link to view these comments in their original form) regarding the Bureau's initial steps in preparation for implementation follow:

http://www.fbi.gov/stats-services/publications/national-information-sharing-strategy-1/national-information-sharing-strategy/

Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” heavily influenced ISPB activities in 2011. Review of agency implementation criteria showed that FBI is meeting all minimum compliance standards, and is considered a model for other agencies to emulate regarding “insider threat protection,” and the overall implementation to “safeguard without preventing information flow.” The Director's Office named the CISO as the FBI Senior Official charged with overseeing classified information sharing and safeguarding efforts for the agency. The Board agreed that “minimum compliance” is not sufficient, and the FBI needs to continue progress. Finance Division, Information Technology Branch, Security Division, and Counterintelligence Division collaborated to identify and redress the unfunded requirements to meet structural reforms called for in Executive Order 13587 implementation guidance.

COMMENT: In addition to the foregoing, an article from CIO.com referenced additional FBI comments (see below hyperlink for comments in their original form) regarding the implementation of the recommendations from the interagency Insider Threat Task Force. Addressing the task force and guidelines for its mandates, CIO.com discussed a likely path forward:

http://www.cio.com/article/703510/Feds_to_Unveil_Insider_Threat_Defense_Plan_by_Year_End

“…agencies will also be charged with conducting self-assessments of their compliance with the new standards and policies, and required to submit those reports to a new steering committee that the executive order established. Affected agencies will also be expected to dispatch staff, as needed, to the task force and a new Classified Information Sharing and Safeguarding Office.

That will mean a variety of new mandates for cash-strapped agencies -- always a source of concern in the government -- though the president's executive order allows that implementation of the directive is subject to the availability of funding.

Officials formulating the guidelines for deterring insider threats sought to downplay the impact their work would have on agency operations, and noted that they are seeking input from all corners of government to ensure they arrive at a practical implementation strategy that will prevent another WikiLeaks-like episode without establishing an onerous compliance burden or trampling on government employees' privacy or civil rights.

"On a macro level almost you can't be looking at one aspect of this directive. You have to be looking at systems and people," said the FBI's Diana Braun. "In other words, nobody's sitting in an ivory tower and coming up with policies that aren't possible to implement in the field."

Braun explained that the task force is not approaching the issue of insider threats with a "one-size-fits-all" mentality, but will provide agencies with some flexibility to implement the standards in accordance with the nuances of their organization.

What's more, members of the task force are urging agency heads to continue to evaluate and strengthen their existing procedures for detecting insider threats ahead of the final directive, noting that any government arm that handles or accesses classified data should already be acting in concert with a set of best practices. Even though the final standards and guidelines from the task force aren't due out until October, the administration has already tasked agencies with firming up their stance on other factors often involved in a data breach, such as the policies governing removable media, online identity management, access control and enterprise auditing.”

BEST PRACTICES AND EDUCATIONAL RESOURCES:

One great tip from DarkReading.com (http://www.darkreading.com/security/client-security/232800363/how-to-prevent-data-leaks-from-happening-to-your-organization.html) below addresses anomaly detection:

Another network-level option is a behavioral anomaly detection system, from companies like Lancope and Riverbed Technologies. These products create a baseline of normal network activity and then send alerts when activity deviates from the baseline. For example, say a computer on the network typically touches about 12 other computers and servers, and transfers about 100 to 200 MB a day. If one day that computer touches 20 or more other systems or transfers 500 MB from a file server or a database, the behavioral anomaly system alerts an administrator.

Carnegie Mellon University's CERT Insider Threat Center has identified several insider attacker behaviors, one of which shows that insider attackers usually act within 30 days prior to leaving their employers. They download data from a company server to their workstation, then email it out, burn it to a CD, or copy it to a flash drive. The bulk data download is where a network anomaly detection system could detect the user's activity and flag it.

However, behavioral anomaly detection systems have drawbacks. For one, they can't send you an alert saying, "Looks like Bob is trying to steal a bunch of records." Instead, IT gets reports on odd application and network behavior, and it's up to security staff to investigate. That means digging into logs, reviewing network activity, and talking to people. Investigations may turn up harmless, though unusual, activity. IT and security teams must be prepared to invest time and effort in properly tuning a behavioral anomaly system, parsing reports, and investigating alerts to get value from such a system.

(continued on page 5)
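The baseline-and-deviation alerting described in the DarkReading excerpt, combined with CERT's 30-days-before-departure observation, can be sketched as below. This is an added example, not code from DarkReading, CERT or any vendor named in the article; the flow-record layout, host names, tuning values (`k`, `floor_ratio`, `window`) and the `departures` feed are assumptions, and the sample flows are constructed.

```python
"""Per-host behavioural baseline with deviation alerts (illustrative sketch)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1024 * 1024


def daily_profile(flows):
    """Collapse (day, src, dst, nbytes) flow records into per-host, per-day
    counts of distinct peers touched and total bytes transferred."""
    peers, volume = defaultdict(set), defaultdict(int)
    for day, src, dst, nbytes in flows:
        peers[(src, day)].add(dst)
        volume[(src, day)] += nbytes
    return {key: {"peers": len(peers[key]), "bytes": volume[key]} for key in peers}


def threshold(history, k, floor_ratio):
    """Return (median, limit). The limit is median + k * MAD, but never below
    floor_ratio * median, so a very steady host does not alert on small wobble."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, max(med + k * mad, med * floor_ratio)


def detect(profile, today, window=14, min_days=7, k=6.0, floor_ratio=1.5,
           departures=None, notice_days=30):
    """Compare each host's activity today with its own trailing baseline.

    departures is a hypothetical HR feed {host: last_day}; an alert on a host
    whose user leaves within notice_days is raised to high priority.
    Hosts with fewer than min_days of history are returned as skipped rather
    than judged against a baseline that does not exist yet."""
    departures = departures or {}
    alerts, skipped = [], []
    for host in sorted({h for h, d in profile if d == today}):
        # Days with no traffic are simply absent; they are not counted as zero.
        history = [profile[(host, today - timedelta(days=n))]
                   for n in range(1, window + 1)
                   if (host, today - timedelta(days=n)) in profile]
        if len(history) < min_days:
            skipped.append(host)
            continue
        leaving = departures.get(host)
        soon = leaving is not None and 0 <= (leaving - today).days <= notice_days
        for metric in ("peers", "bytes"):
            med, limit = threshold([d[metric] for d in history], k, floor_ratio)
            observed = profile[(host, today)][metric]
            if observed > limit:
                alerts.append({"host": host, "metric": metric,
                               "observed": observed, "baseline": med,
                               "limit": limit,
                               "priority": "high" if soon else "normal"})
    return alerts, skipped


def constructed_flows():
    """Constructed sample: ws-017 behaves like the article's example host,
    ws-042 is steady, ws-099 is too new to have a baseline."""
    start = date(2012, 9, 1)
    flows = []
    for i in range(14):
        day = start + timedelta(days=i)
        n = 11 + i % 3                         # 11 to 13 peers per day
        total = (100 + i * 7) * MB             # roughly 100 to 200 MB per day
        flows += [(day, "ws-017", f"srv-{p:02d}", total // n) for p in range(n)]
        flows += [(day, "ws-042", f"srv-{p:02d}", 50 * MB // 8) for p in range(8)]
    today = start + timedelta(days=14)
    flows += [(today, "ws-017", f"srv-{p:02d}", 1 * MB) for p in range(20)]
    flows.append((today, "ws-017", "fileserver-01", 500 * MB))
    flows += [(today, "ws-042", f"srv-{p:02d}", 50 * MB // 8) for p in range(8)]
    flows.append((today - timedelta(days=1), "ws-099", "srv-00", 5 * MB))
    flows.append((today, "ws-099", "srv-00", 900 * MB))
    return flows, today


if __name__ == "__main__":
    sample, as_of = constructed_flows()
    found, no_baseline = detect(daily_profile(sample), as_of,
                                departures={"ws-017": date(2012, 9, 28)})
    for alert in found:
        print(alert)
    print("no baseline yet:", no_baseline)
```

The alerts only say that a host deviated from its own history; as the excerpt notes, deciding whether the activity is harmless still takes log review and a conversation, and `k` and `floor_ratio` need tuning per environment.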


(Continued from page 4)

EDUCATIONAL RESOURCES:

The U.S. Computer Emergency Readiness Team (CERT) web site is a central collection point with a wealth of information, white papers, links, studies, RSS Feeds and a great variety of cyber (and in some cases, non cyber) related tips dealing with matters related to the Insider Threat.

Hyperlinks to some interesting and useful articles and papers, all at the CERT site, follow:

http://energy.gov/oe/downloads/21-steps-improve-cyber-security-scada-networks

http://www.us-cert.gov/reading_room/HomeRouterSecurity2011.pdf

http://www.cert.org/insider_threat

http://www.us-cert.gov/reading_room/phishing_trends0511.pdf

http://www.us-cert.gov/reading_room/cyber_threats_to_mobile_phones.pdf

http://www.us-cert.gov/reading_room/safe_social_networking.pdf

http://www.us-cert.gov/cas/tips/ST11-001.html (pertains to safe travel with electronic devices)

http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

http://www.dhs.gov/cyber

The CERT site has several links to Information Sharing and Analysis Centers (ISACs). ISACs were established to allow critical sectors to share information and work together in an effort to protect our critical infrastructures and minimize vulnerabilities. The next several links are related to various ISACs:

http://www.fsisac.com/ (Banking and Finance)

http://www.usfa.dhs.gov/fireservice/subjects/emr-isac/index.shtm (Emergency services)

http://www.esisac.com/ (Electricity)

http://www.msisac.org/ (Government)

http://www.nhisac.org/ (Health)

https://www.it-isac.org/ (Information Technology)

http://www.reisac.org/ (Real Estate)

http://www.ren-isac.net/ (Research and Education)

http://www.ncs.gov/ncc/ (Telecommunications)

http://www.surfacetransportationisac.org/

http://www.waterisac.org/ (Water)

Finally, a few more relevant links at CERT's site that readers might find useful:

http://www.us-cert.gov/cas/tips/ (Several examples from the “Tips” site follow):

http://www.us-cert.gov/cas/tips/ST05-002.html (keeping children safe online)

http://www.us-cert.gov/cas/tips/ST10-001.html (recognizing fake antivirus)

http://www.us-cert.gov/cas/tips/ST04-014.html (avoiding social engineering and phishing attacks)

http://www.us-cert.gov/cas/tips/ST06-005.html (dealing with cyber bullies)

http://www.us-cert.gov/cas/tips/ST05-019.html (preventing identity theft)

http://www.us-cert.gov/cas/tips/ST05-006.html (recovering from viruses, worms, spyware)

http://www.us-cert.gov/cas/tips/ST04-007.html (reducing spam)

http://www.us-cert.gov/cas/tips/ST06-003.html (staying safe on social networking sites)

http://www.us-cert.gov/cas/tips/ST04-011.html (using instant messaging and chat rooms safely)

http://www.us-cert.gov/cas/tips/ST08-001.html (using USB drives safely)

http://www.us-cert.gov/cas/tips/ST07-001.html (shopping online safely)

Common Sense Guide to Prevention and Detection of Insider Threats

Carnegie Mellon University CyLab 2nd Edition – July 2006

http://www.cylab.cmu.edu/files/pdfs/CERT/CommonSenseInsiderThreatsV2.1-1-070118-1.pdf

CERT has long been a leading proponent in the fight to identify, neutralize or prevent incidents of Insider Threat. In its analysis of the problem (available in its entirety from the above hyperlink) CERT identified thirteen practices successfully demonstrated to counter, mitigate or prevent Insider Threat. A listing of these practices follows. Readers are encouraged to view the original report in its entirety:

PRACTICE 1: Institute periodic enterprise-wide risk assessments.

PRACTICE 2: Institute periodic security awareness training for all employees.

PRACTICE 3: Enforce separation of duties and least privilege.

PRACTICE 3: Enforce separation of duties and least privilege.

PRACTICE 5: Log, monitor, and audit employee online actions.

PRACTICE 6: Use extra caution with system administrators and privileged users.

PRACTICE 7: Actively defend against malicious code.

PRACTICE 8: Use layered defense against remote attacks.

PRACTICE 9: Monitor and respond to suspicious or disruptive behavior.

PRACTICE 10: Deactivate computer access following termination.

PRACTICE 11: Collect and save data for use in investigations.

PRACTICE 12: Implement secure backup and recovery processes.

PRACTICE 13: Clearly document insider threat controls.


NEW INTERNET SCAM 'RANSOMWARE' LOCKS COMPUTERS, DEMANDS PAYMENT

Below, from the FBI website is a new internet scam. The scam generates fake emails that appear to be coming from the FBI. Recipients of the email are faced with a dilemma. Pay up or your computer will be locked (frozen, inoperable) until the fee is paid. Of course, it's a scam. Pictured above is an example of what such an email would look like. Please view the original post at the following hyperlink.

http://www.fbi.gov/news/stories/2012/august/new-internet-scam

08/09/12

There is a new “drive-by” virus on the Internet, and it often carries a fake message—and fine—purportedly from the FBI.

“We're getting inundated with complaints,” said Donna Gregory of the Internet Crime Complaint Center (IC3), referring to the virus known as Reveton ransomware, which is designed to extort money from its victims.

Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim's computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.

The bogus message goes on to say that the user's Internet address was identified by the FBI or the Department of Justice's Computer Crime and Intellectual Property Section as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service.

“Some people have actually paid the so-called fine,” said the IC3's Gregory, who oversees a team of cyber crime subject matter experts. (The IC3 was established in 2000 as a partnership between the FBI and the National White Collar Crime Center. It gives victims an easy way to report cyber crimes and provides law enforcement and regulatory agencies with a central referral system for complaints.)

“While browsing the Internet a window popped up with no way to close it,” one Reveton victim recently wrote to the IC3. “The window was labeled FBI and said I was in violation of one of the following: illegal use of downloaded media, under-age porn viewing, or computer-use negligence. It listed fines and penalties for each and directed me to pay $200 via a MoneyPak order. Instructions were given on how to load the card and make the payment. The page said if the demands were not met, criminal charges would be filed and my computer would remain locked on that screen.”

The Reveton virus, used by in conjunction with Citadel malware—a software delivery platform that can disseminate various kinds of computer viruses—first came to the attention of the FBI in 2011. The IC3 issued a warning on its website in May 2012.

Since that time, the virus has become more widespread in the United States and internationally. Some variants of Reveton can even turn on computer webcams and display the victim's picture on the frozen screen.

“We are getting dozens of complaints every day,” Gregory said, noting that there is no easy fix if your computer becomes infected. “Unlike other viruses,” she explained, “Reveton freezes your computer and stops it in its tracks. And the average user will not be able to easily remove the malware.”

The IC3 suggests the following if you become a victim of the Reveton virus:

• Do not pay any money or provide any personal information.
• Contact a computer professional to remove Reveton and Citadel from your computer.
• Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
• File a complaint and look for updates about the Reveton virus on the IC3 website.


ONGUARDONLINE.GOV IS THE FEDERAL GOVERNMENT'S WEBSITE TO HELP YOU BE SAFE, SECURE AND RESPONSIBLE ONLINE.

The Federal Trade Commission manages OnGuardOnline.gov, in partnership with a variety of Federal Government agencies, departments, bureaus, offices and other entities. OnGuardOnline.gov is a partner in the Stop Think Connect campaign, led by the Department of Homeland Security, and part of the National Initiative for Cybersecurity Education, led by the National Institute of Standards and Technology.

The information provided at OnGuardOnline.gov is valuable to security educators, Counterintelligence professionals, cleared individuals, and family members alike. Readers of our publication are encouraged to provide electronic copies of this publication to individuals that might benefit from the tips located at the hyperlinks that follow. And by all means, please encourage your contacts to visit the OnGuardOnline.gov website to view the information provided here in its original form.

Avoiding Online Scams: Ten steps you can take to avoid scams
Bogus Apartment Rentals: Looking for an apartment? Look out for bogus listings.
Common Online Scams: Tricks that con artists use to get people to send them money
Debt Relief Scams: Some debt relief offers are code for bankruptcy
Fake Check Scams: A fake check can take weeks to uncover – and cost you a fortune
Identity Theft: If you believe your personal information has been lost or stolen, there are steps you can take to minimize the damage
Imposter Scams: Tips to help you spot a scammer impersonating a friend or relative
Investment Schemes: Signs that a "low risk" investment is really a sham
Lotteries and Sweepstakes Scams: Have to pay to get your prize? It's a scam.
Miracle Cures: Health products that overpromise usually underdeliver. Here's why.
Money Transfer Scams: Scammers often insist on money transfers for payment because wiring money is like sending cash: Once it's gone, you can't get it back
Mystery Shopper Scams: Interested in mystery shopping? Distinguish real opportunities from bogus offers
Online Dating Scams: Signs that your online love is a scam artist
Online Penny Auctions: Tips to help you understand how penny auctions work and recognize the pitfalls before you lose any money
Pay-in-Advance Credit Offers: Legitimate lenders don't guarantee you credit – or require large upfront fees – before you apply
Phishing: What to do about messages that ask for your personal information
Spam: What you can do to reduce unwanted commercial emails
Tax-Related Identity Theft: Warning signs that an identity thief has used your social security number for tax purposes and what to do about it
The "Nigerian" Email Scam: Don't believe strangers who offer "big rewards" to help them move money out of a foreign country
Weight Loss Claims: Weight loss gimmicks that promise more than they can deliver
Work-at-Home Scams: Bogus ads often promise steady income for minimal labor

MALWARE INSTALLED ON TRAVELERS' LAPTOPS THROUGH SOFTWARE UPDATES ON HOTEL INTERNET CONNECTIONS

http://www.fbi.gov/scams-safety/e-scams

05/08/12—Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor's website if updates are necessary while abroad.

Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office and promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.
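The FBI's suggestion to check whether the author or digital certificate of a prompted update corresponds to the software vendor can be carried out on a Windows laptop with PowerShell's built-in Get-AuthenticodeSignature and Get-FileHash cmdlets. The function below is an added example, not part of the FBI advisory or this newsletter; the function name, the sample path and the publisher string are hypothetical placeholders.

```powershell
# Added example (not from the FBI advisory): confirm that an update installer is
# validly signed by the vendor you expect, and optionally that it matches the
# SHA-256 value the vendor publishes, before running it.
function Test-UpdateSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Exact publisher name (certificate subject common name) you expect.
        # Assumption: you noted it from the vendor's software before travelling.
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional hash copied from the vendor's own download page.
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $signer = $null
    $issuer = $null
    $thumb  = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $cert.GetNameInfo($nameType, $false)   # subject common name
        $issuer = $cert.GetNameInfo($nameType, $true)    # issuing certificate authority
        $thumb  = $cert.Thumbprint
    }

    $problems = @()

    # A status other than Valid covers unsigned files, tampered files
    # (HashMismatch) and certificates that do not chain to a trusted root.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # A valid signature only proves that *someone* signed the file. Compare the
    # signer to the vendor exactly; a substring match would accept look-alikes.
    if ($signer -ne $ExpectedPublisher) {
        $problems += "Signer '$signer' is not the expected publisher '$ExpectedPublisher'"
    }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.Trim()) {
            $problems += "SHA-256 $actual does not match the vendor-published value"
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Issuer     = $issuer
        Thumbprint = $thumb
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder path and publisher; substitute your own):
# Test-UpdateSigner -Path 'C:\Users\me\Downloads\update.exe' -ExpectedPublisher 'Example Software, Inc.'
```

An update offered by a hotel pop-up that comes back with Passed = False, or that is unsigned when the vendor normally signs its installers, is the mismatch the advisory describes as a sign of an attempted attack.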


DOD EFFORTS TO STOP UNAUTHORIZED DISCLOSURE OF CLASSIFIED INFORMATION

The following comments (edited, see original at the below hyperlink) give a flavor of measures already taken and measures proposed or planned to limit the unauthorized disclosure of classified information.

http://www.defense.gov/utility/printitem.aspx?print=http://www.defense.gov/releases/release.aspx?releaseid=15451

The Department of Defense (DoD) has taken a comprehensive approach to address the issue of national security leaks. Personnel in all components are continuously working to protect classified information and identify those who do not uphold their obligations to protect national defense information.

Recent reforms at the department include:
- Improved training on handling and protecting classified information
- Issuance of new guidance on the protection of classified information
- Improvement of security on classified computer networks
- Implementation of President Obama's Executive Order establishing an Insider Threat Task Force
- Mandating use of a department wide incident report system to track unauthorized disclosures

In addition, Secretary Panetta has directed that the department establish a new "top down" reporting system for monitoring national-level disclosures.

Current regulations mandate that every component within the department report unauthorized disclosures to a security officer for a preliminary review. The matter is also sent to the Under Secretary of Defense for Intelligence, who in coordination with the General Counsel, may refer matters to the Department of Justice for potential prosecution. This "bottom up" system requires that individuals report potential violations up the chain of command.

To ensure greater accountability and tracking of unauthorized disclosures, Secretary Panetta is directing a new "top down" approach as well. The Undersecretary of Defense for Intelligence, in consultation with the Assistant Secretary for Public Affairs, will monitor all major, national level media reporting for unauthorized disclosures of defense department classified information.

In addition, over the past months, the following actions have been taken to help safeguard classified information:

- Improved personnel training on how to handle and protect classified information. The department has updated its information assurance and information security training courses that all personnel are required to take each year. The department has developed training designed to help individuals know what to do if they suspect a threat from an insider or observe security incidents such as leaks of classified information.
- Clarification of Information Security Policy. The department published the 5200.1M Information Security Program Manual which contains clearer instructions as to what constitutes an unauthorized disclosure, reporting requirements, the conduct of preliminary inquiries and other investigations, as well as roles and responsibilities across the department.
- Automated Security Incident Reporting System. The department has put into effect for the first time an online reporting system for significant security incidents for use across the department. This capability went into full operation in December of 2011 and is currently under evaluation for improvements in data management and tracking of investigations and other associated actions.
- Lockdown of removable storage device use on the Defense Secure Network (SIPRNET). The department has deployed a host-based security system (HBSS) tool to virtually monitor every defense department computer. HBSS prevents the downloading of information onto removable storage like DVDs, CDs, and memory sticks, with very limited exceptions. The tool also sends an alarm any time someone tries to write classified information to such removable storage. For authorized exceptions, the tool audits any downloads of information.
- Improved monitoring of DoD networks. The department issued a cyber identity credential (Public Key Infrastructure certificate) to every person operating on the department unclassified network. That process is underway for the classified network as well. Department personnel are working with other federal departments and agencies to help them issue the same cyber identity credential to all employees who need to access any of the government's secret networks.
- Improving the auditing of information accesses so as to spot anomalous behavior. Department information officers are assessing the use of HBSS and other tools to collect and centralize data about information accesses to more quickly improve detection of malicious insiders.
- Stepping up internal oversight and assessment programs. The department has established the first Defense Security Oversight and Assessment Program (DSOAP) to conduct on-site interviews and staff assistance visits to determine and proliferate best practices as well as assess security policy effects on components. The effort identifies policy changes and gaps and provides data to the Defense Security Enterprise to effect policy remedies.
- An "Enterprise Approach" to managing Defense Department security. In response to findings of the DoD IG and issues raised during the WikiLeaks investigation, the department is publishing the DoD Directive 5200.LL, Managing the Defense Security Enterprise. This issuance stands up an executive level governance structure aimed at creating strategic management of department investments in security resources. It is the first body to bring the functions of security, counterintelligence, and information assurance together for decision-making and proponency of the security mission and for its workforce.
- Comprehensive Insider Threat Program. The department has now initiated a comprehensive DoD Insider Threat Program which includes elements from Physical Security, Cyber Security, Counterintelligence, Antiterrorism, and Force Protection. A forthcoming DoD directive (2000.rr) will codify this approach to address aspects of the insider threat.
- Unauthorized Disclosure Working Group (UDWG) and Unauthorized Disclosure Action Plan. The Under Secretary of Defense for Intelligence has commissioned the UDWG in April 2012 to develop a strategy and plan of action and milestones aimed at improving our ability to prevent accidental and deter intentional public disclosure of classified national security information. The group has its plan in draft and is in the process of overseeing its execution.

LIEUTENANT COLONEL IN SOUP FOR BEFRIENDING ISI AGENT ON FACEBOOK

http://timesofindia.indiatimes.com/india/Lieutenant-colonel-in-soup-for-befriending-ISI-agent-on-Facebook/articleshow/14828343.cms?prtpage=1

Lt Colonel 'honeytrapped' by woman working for ISI

NEW DELHI: In yet another security breach in the military, an Army officer has been caught for establishing contact on social networking site Facebook with a Bangladeshi woman working for Pakistan's ISI. The woman, in fact, had earlier "honey-trapped" another Indian officer in an ISI espionage operation in Bangladesh late last year.

The Army is conducting a court of inquiry (CoI) against the officer, a lieutenant colonel from the 82 Armoured Regiment deployed in a forward formation in Suratgarh district of Rajasthan, to ascertain whether he divulged or compromised classified operational information along the Western front with Pakistan.

The Army strongly denied reports that the lieutenant colonel had also got entangled in a honey trap -- basically an intelligence operation for first seducing and then blackmailing a person into divulging confidential information - or that two laptops with sensitive information had gone missing.

"The officer was just chatting online with the woman on the computer ... there was no physical contact. No laptops have been lost. We are conducting a CoI into the incident," a senior officer said.

Intelligence Bureau got wind of the matter as they were already tracking the Bangladeshi woman, identified as Sheeba, after she had honey trapped another Indian lieutenant colonel, this time a Para Regiment commando, who was undergoing a staff college course in the Bangladesh military academy in Dhaka last year.

"The Para officer was compromised in the ISI honey trap at Dhaka. But instead of giving away any information, he alerted Indian authorities and was promptly flown out of Bangladesh," an official said.

Other military officers have also been caught in honey traps in recent years. The Navy, for instance, last year sacked Commodore Sukhjinder Singh after his sexually explicit pictures with a Russian woman had surfaced. Singh was posted in Moscow as part of the Indian negotiating team for the acquisition of aircraft carrier Admiral Gorshkov (now rechristened INS Vikramaditya), for which India finally agreed to pay $2.33 billion after protracted and bitter negotiations with Russia.

Several military officers are also in the dock for compromising classified information and data through the improper use of internet or social networking websites like Facebook, Orkut and Twitter despite strict guidelines against such conduct.

Five to six officers, for instance, are facing a naval board of inquiry (BoI) after Chinese hackers were recently detected to have broken into sensitive naval computers, in and around Eastern Navy Command HQs at Visakhapatnam, with the help of "worm-infected" pen-drives.

Another BoI in the Mumbai-based Western Navy Command has recommended stringent action, including dismissal from service, against at least two commanders for posting confidential information and data, including location of warships and their patrolling patterns, on Facebook.

RUSSIAN SPIES WITH CANADIAN LINKS WERE PREPPING SON FOR ESPIONAGE

http://www.theglobeandmail.com/news/world/russian-spies-with-canadian-links-were-prepping-son-for-espionage-report/article4442020/

The Globe and Mail Jul. 26 2012

A pair of married Russian spies who built part of their cover story in Canada before moving to the United States were grooming their son for espionage, according to published reports.

The revelation came two years after the arrests of 11 people in the largest espionage-related bust since the end of the Cold War. All eventually pleaded guilty to working for Russia and were expelled.

In spite of the size of the bust, U.S. officials at the time presented the group's spying activity as largely ineffectual. But a new report from the Wall Street Journal offers a more sophisticated picture of their activities. And it contains the allegation, denied by a lawyer, that at least two of the spies recruited their own son.

In 1999, people using the names Donald Heathfield and Tracey Foley moved to the United States from Canada, where he had graduated from York University and she claimed to have studied at McGill University.

Their son, identified as Tim, was a child when they left Canada and a 20-year-old student at George Washington University in the U.S. capital at the time of his parents' arrest. By then he is alleged to have known of their covert activity.

"His parents revealed their double life to him well before their arrest, according to current and former officials, whose knowledge of the discussion was based on by the Federal Bureau of Investigation that included bugging suspects' homes," reporter Devlin Barrett wrote in WSJ.

"The officials said the parents also told their son they wanted him to follow in their footsteps. He agreed, said the officials. At the end of the discussion with his parents, according to one person familiar with the surveillance, the young man stood up and saluted 'Mother Russia.' He also agreed to travel to Russia to begin formal espionage training, officials said."

The paper was unable to find evidence indicating whether the young man, who is said now to be in Russia, actually pursued the training.

It's unclear when Mr. Heathfield and Ms. Foley arrived in Canada. Their first confirmed presence can be traced to 1995, when Mr. Heathfield got an economics degree from York. The spy, who seems to have lifted his identity from a deceased Canadian, has been described as an impressive intellect. He went on to launch several French and American business ventures, patented a computer program for "mapping future events" and studied at Harvard's Kennedy School of Governance.

But there were errors along the way. A 2005 death notice in a Toronto newspaper for Howard Heathfield noted that his son, Don, had predeceased him. And a 2001 FBI check of a safety deposit box kept by the couple turned up a photo of Ms. Foley, the negative stamped with the name of a Soviet film company.

It has not been established whether Ms. Foley actually attended McGill University, as an online profile claimed. She worked as a real estate agent in Cambridge, Massachusetts, where her accent sometimes raised eyebrows as not sounding properly French-Canadian.

Regardless, said Redfin Realty president Glenn Kelman, "she was a darn good field agent."


SPEAR PHISHERS ANGLING TO STEAL YOUR FINANCIAL INFO

http://www.fbi.gov/news/stories/2009/april/spearphishing_040109

04/01/09

Customers of a telecommunications firm received an e-mail recently explaining a problem with their latest order. They were asked to go to the company website, via a link in the e-mail, to provide personal information—like their birthdates and Social Security numbers. But both the e-mail and the website were bogus.

It's a real-life, classic case of "phishing"—a virtual trap set by cyber thieves that uses official-looking e-mails to lure you to fake websites and trick you into revealing your personal information.

It's also an example of an even more mischievous type of phishing known as "spear phishing"—a rising cyber threat that you need to know about.

Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.

How spear phishing works. First, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization's computer network (which is what happened in the above case) or sometimes by combing through other websites, blogs, and social networking sites.

Then, they send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data.

Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Criminal gain, your loss. Once criminals have your personal data, they can access your bank account, use your credit cards, and create a whole new identity using your information.

Spear phishing can also trick you into downloading malicious codes or malware after you click on a link embedded in the e-mail…an especially useful tool in crimes like economic espionage where sensitive internal communications can be accessed and trade secrets stolen. Malware can also hijack your computer, and hijacked computers can be organized into enormous networks called botnets that can be used for denial of service attacks.

How to avoid becoming a spear phishing victim. Law enforcement takes this kind of crime seriously, and we in the FBI work cyber investigations with our partners, including the U.S. Secret Service and investigative agencies within the Department of Defense. But what can you do to make sure you don't end up a victim in one of our cases?

- Keep in mind that most companies, banks, agencies, etc., don't request personal information via e-mail. If in doubt, give them a call (but don't use the phone number contained in the e-mail—that's usually phony as well).
- Use a phishing filter…many of the latest web browsers have them built in or offer them as plug-ins.
- Never follow a link to a secure site from an e-mail—always enter the URL manually.

Don't be fooled (especially today) by the latest scams.

Resources:
- How to protect your computer
- FBI Cyber investigations
- Latest E-scams and warnings
- Be Crime Smart website

LOOKS TOO GOOD TO BE TRUE

The following testimonials are from individuals who were faced with scams, and their responses. Most scams originated via email, though one did originate through postal mail. The point here is the methodology and similarity of the scams, all designed to separate the potential victims from their money. The web site these testimonials are taken from, www.lookstoogoodtobetrue.com, is a website built to educate consumers, and help prevent them from becoming a victim of an Internet fraud scheme.

The website was developed and is maintained by a joint federal law enforcement and industry task force. Funding for the site has been provided by the United States Postal Inspection Service and the Federal Bureau of Investigation. Key partners include the National White Collar Crime Center, Monster.com, Target and members of the Merchants Risk Council.

No Lottery Scam Victim Here

http://www.lookstoogoodtobetrue.com/stories/vicLottery2.aspx

In early Sept, my husband and I received a scam letter for Lottery winnings. Even though we were suspicious, my husband told them to send us the "check" for the prize fee. We were sent a check for $3,720.00. Via internet, we investigated the check, confirmed it was fake, and contacted the real owner of the bank account. We then called the contact phone for the check, told the scammers we had been able to cash it, and where did we send him money? We could tell they were excited, and we heard people giggling in the background. They gave us an address to mail to, and we had the phone number, which we traced to Canada. After we told them we were sending the money, we called the Canadian authorities and gave them the phone number and address given to us by the scammers. Hopefully, they got caught. We fought back!

Midge, AZ

Fell For The Lottery Scam, Now In Debt

http://www.lookstoogoodtobetrue.com/stories/vicLottery3.aspx

I recently fell victim to a lottery scam from Canada and now I'm $3800.00 in debt to my bank. Currently being unemployed I receive this job offer for a payment manager/financial coordinator, I received an email instructing me what to do with the money orders that I will be receiving, sure enough the parcel was delivered inside were 4 money orders to total 3400.00 my commission for processing (depositing in my account) was 10% or 340.00 too good to be true, my first red flag was the package came from a US address when supposedly the business was in the UK, second red flag was the serial numbers on m.o. were not in consecutive order, so I tried to get a number to the party that sent the m.o., no number listed so I did a reverse address search and much to my amazement the address was that of a Corrections facility in Washington. I fell victim once and I'm paying for it. So if it sounds too good to be true it most likely isn't.

Mary, NY


Someone From another Country Wants to Send Me More Than the Amount They Owe

http://www.lookstoogoodtobetrue.com/stories/vicCashier2.aspx

I thought I could be smart and fell into a trap anyway. I was contacted about giving dance lessons from a girl that supposedly works in a club in the UK. She asked me how long would it take for her to learn the dance style I teach. I told her probably 3 months on a regular basis. She said she spoke with her boss and they are going to send her to Orlando to take lessons with me. I thought...ok. Then, some time passed and she needed to know my name and address to send me the check. I thought there is no way I am telling this person where I live and my "real" name. I was using my stage name the whole time. I told her to make it out to my company's name and to send it to my job. She said fine and I would be receiving a check from a courier. She said it would be for $4500. I would keep a $1000 of it and then send the rest to her travel agent for the ticket. She would need the MTCN number and there is a pet's name. The answer is Jarule. I didn't have a clue what she was talking about. I asked why the company doesn't write a check for me and a separate one to the travel agent. She gave me an excuse. SO I receive the check and need to get more info from my accountant on how to enter this kind of transaction. We played phone tag for a week and then he answered my question. Wrong answer of course!! Next day I deposited the check into my bank. I wanted to make sure the check was valid and asked the teller when would the money be in my account. My "good standing with the bank" allowed me to have it in 24hrs. I was surprised and thought it must be all done electronically that's why it's so fast now. So I thought the check was valid. I withdrew the $3500 in cash. Her agent was in Nigeria. I asked her where she is coming from. No answer and changed the subject. I sent the money western union to her agent but he couldn't pick it up. (No ID) Then she said, "Send it to my other travel agent in the Netherlands as a MoneyGram." I sent it western union instead because I had no clue where a MoneyGram place was located. She graciously sent me a list of about 20 and chewed my head off. At this point, I wanted to send her all "her" money and get rid of her once and for all. So in the end...she received most of the money. The check I deposited bounced because it has no funds. Now she needs another $850 to buy the ticket since all the money was used to send it western union and money gram. I reported this incident. Tricked no more in Florida!

Sandra, FL

Mystery Shopper

http://www.lookstoogoodtobetrue.com/stories/vicShopper.aspx

I received a letter from a company out of Barrie, Ontario. The letter included an evaluation form, a letter explaining the code of conduct and a check made out to me for $2,490.00. In the letter was an explanation of how the funds were to be spent at major stores and the amount of 2,100 was to be sent back to them. The balance of 230.00 was for me to keep as a "paid training assignment". All of this is very professionally done. Very believable. The check looks 100% real. I tried to call the company as instructed but never could get through. I checked on the company and validated their name and address. I noticed the check was drawn on a US bank. I tried to find the bank at that address and couldn't find one. I sent an email to bank and explained all of this to them. In their response I learned that NO, they do not have a branch at the address that is on the check and as for the account and routing number on the check, they are not valid either. After I found them and they showed the company and it was the right address, I almost went through with it, but something just didn't feel right. Anyone who comes across offers like this, beware. I asked myself one simple question; what company would just send out that kind of money and trust that one would send the balance back. When offers come around like this, just do all the homework you can. If not it can cost you.

Cindy, WA

FRAUD TYPES

Following are some of the major fraud types prevalent on the internet. Please pass this information onto friends and family to help them prevent becoming victims of internet fraud.

More importantly, readers should be aware variations of these frauds can and have been launched against specific targeted individuals holding security clearances or access to sensitive proprietary information. The methods and techniques, the type of approaches made, the "story" behind the contact, all can be manipulated and altered to individual targets (spearphishing) identified through collection of publicly available information (Facebook, Linkedin, other social media giving up the interests, likes, beliefs of potential targets).

http://www.lookstoogoodtobetrue.com/fraud.aspx

Auction Fraud
Internet auction fraud occurs in several ways, but the most common is the failure to deliver the purchased item.
Terminology
International Auction Fraud
Escrow Services Scam

Counterfeit Payments Fraud
The latest scam to hit American consumers involves counterfeit financial instruments.
Counterfeit Cashier's Checks
Counterfeit Money Orders

Financial Fraud
Financial fraud is any non-violent offense that is committed by or against an individual or corporation and which results in a financial loss.
Cross-Border Fraud
Romance Schemes
Advanced Fee Scams
Charities Fraud
Debt Elimination
Investment Frauds
Job Scams
Nigerian "4-1-9" Scams
Ponzi & Pyramid Schemes

Identity Fraud
In what many are calling America's fastest growing type of robbery, crooks use your name, social security number or that blank, pre-approved credit application you tossed out.
Hacking
Identity Theft
Phishing/Spoofing
Spam
Spyware

Online Advertising Fraud
The growth of the online advertising industry has attracted the attention of cyber criminals who seek to defraud advertisers by infecting unsuspecting consumers' computers and using them to generate fake ad clicks. Beware of the following ways in which you, or your computer, may be victimized and used as a pawn in these fraud schemes.

Botnet
Browser Hijacking
Click Fraud
Malware
Money Laundering
Pyramid Schemes

Pharmacy Fraud
Online Pharmacy Fraud incorporates numerous crimes and potentially dangerous health considerations.
Pharmacy Fraud

Software Piracy
Software piracy is the unauthorized copying or distribution of copyrighted software. This can be done by copying, downloading, sharing, selling or installing multiple copies onto personal or work computers.
Software Piracy

Sweepstakes/Lottery Fraud
Thousands of American consumers receive sweepstakes promotions but if you have to pay to play or pay to receive your "winnings" the promotion is a scam.
Foreign Lottery Fraud
Sweepstakes/Prizes Scam

SPIES GIVE WAY TO 'SEXY' SOCIAL MEDIA

http://www.dni.gov/index.php/newsroom/ic-in-the-news/187-ic-in-the-news-2012/584-spies-give-way-to-sexy-social-media?tmpl=component&format=pdf

By Esther Carey
Special to Federal News Radio
Aug. 2, 2012

Gathering intelligence from social media has finally become as "sexy" as more traditional clandestine methods.

Open source intelligence — generally regarded as information gathered through methods other than clandestine activity — is the "hot new field" in the intelligence community, said Patrick O'Neil, director of analytic development at the Open Source Center (OSC) in the Office of the Director of National Intelligence.

Intelligence agencies are developing their capabilities to gather useful information by scouring social media platforms such as Twitter and Facebook. The amount of data available continues to grow from the inclusion of these non-traditional sources. As a result, members of the intelligence community must develop new tools and best practices to analyze the information.

There are opportunities involved, but there also are challenges in the process of adjusting to the shift, as O'Neil and two other panelists discussed at the event hosted by the Government Executive Media Group and the Intelligence and National Security Alliance in Washington Tuesday.

O'Neil said the Director of National Intelligence has chosen the Open Source Center to act as the intelligence community's functional manager for open source intelligence and to coordinate resources and methodologies between governmental agencies.

"Our goal is to collect information once and distribute it to everybody in the government who needs it," O'Neil said.

Open source benefits

Incorporating more traditional research into the intelligence community has only started within the past 15 years or so, said David Abruzzino, the director of the Open Source Intelligence Exchange at Fairmont State University.

"We need to see social media as intelligence gathering very similar to spying," Abruzzino said. "Part of this is deciding what information we can get from open sourcing and what needs to come from clandestine methods. It is important to integrate the two."

There is a cost to secret work which makes traditional research valuable, O'Neil said.

"Finding open source information is easier, cheaper and safer," he added. "It allows us to save the spy work for bigger issues."

Culling valuable intelligence from social media is becoming a specialized , said Craig Parisot, chief operating officer at Invertix, a company that builds data analytics tools for federal intelligence agencies. It is important for companies to emphasize the professional nature of social media analysis in order to attract new employees in the area, he added.

Challenges of using social media

One primary concern about the emergence of this new intelligence source focuses on people's rights to privacy and civil liberties. This is an area in which ODNI, Congress and others still are developing policy, and the differing circumstances of the various panel members affected their various safeguards.

The OSC is not allowed to collect intelligence on U.S. citizens, O'Neil said, adding that safeguards and workforce monitoring are in place to prevent even inadvertent collections on Americans from happening. Also, a demonstrable intelligence value must be shown before gathering information on targets in other countries can begin.

"We're very mindful of the sensitivities surrounding that," he said. "On the one hand, people don't want to hear that we're monitoring social media. On the other hand, people would be appalled if we told them we aren't monitoring social media. We're very mindful of where that line is and we pay a lot of attention to staying on the right side of it."

The Open Source Intelligence Exchange has more freedom since it is part of a university and not a spy agency, Abruzzino said. The group cannot do anything for a law enforcement agency that the agency could not legally do on its own, he added.

In general, people need to keep in mind that updates on Twitter are completely open to anyone with Internet access and users have no reasonable expectation of privacy, Abruzzino said. That's not necessarily the case with more walled-off platforms such as Facebook, which allow users to determine their own privacy settings and where account holders don't intend to make all their posts public.

Invertix only accesses public data, Parisot said. His company also ensures that it is transparent with governmental clients about where information comes from. In the end, he said, individuals are responsible for what they post online.

Some other open sourcing challenges the panel discussed included:
- The necessity of being familiar with the nuances of a culture when analyzing content written in another language.
- Keeping in mind who uses social media — typically a small percentage of a country's population which tends to be more activist oriented.
- Training analysts and keeping them up-to-date on new social media forms in a constantly shifting environment.
- Managing and sifting through the massive amounts of data available.

Despite the challenges, there are also success stories from utilizing social media.

Abruzzino said the West Virginia National Guard asked his company to monitor social media for areas of trouble during the recent East Coast Derecho storm. Analysts found a tweet from a woman without power and whose husband was on a respirator. The Guard delivered gasoline and a generator to the house.


"If we helped save the life of even just that one man, I consider that worth it," Abruzzino said.

Social media has enabled ODNI to monitor changes of mood in other parts of the world where the agency does not tend to focus its attention, O'Neil said. By comparing snapshots from different days and keeping an eye out for issues such as increasing arrests, the Open Source Center can have a finger on the pulse of what may be trending in other countries.

FBI Director Robert S. Mueller, III, in prepared remarks presented to the U.S. Department of Commerce, Bureau of Industry and Security Annual Update Conference on Export Controls and Policy, (see link below for unedited comments) addressed the insider threat, economic espionage, FBI partnerships with government agencies and the private sector, and InfraGard. Highlights from his speech, "Preventing Illegal Exports and Protecting National Security in Today's Global Market Place" are provided below.

http://www.fbi.gov/news/speeches/preventing-illegal-exports-and-protecting-national-security-in-todays-global-marketplace

"...Yet this is not the first time globalization has changed the game. In the ancient world, spices were the coin of the realm. They were difficult to transport, they were expensive to buy, and as a result, they were highly coveted.

Nutmeg was worth more than gold. Roman soldiers were paid in salt; London dockworkers were paid in cloves. Even as far back as 410 A.D., when the Visigoths sacked Rome, they demanded 3,000 pounds of peppercorns as ransom…though I am not quite sure what one does with 3,000 pounds of peppercorns.

Indeed, the spice trade was once the world's biggest industry. But in the 15th century, the Age of Discovery transformed international travel and the spice trade. The advent of navigational equipment made distance sailing a reality, opening up trade routes around the globe. Farmers began to grow spices from other parts of the world. And as spices became more common, their value fell, and monopolies began to crumble. Globalization 1.0, one might say.

Today, one could argue that we have moved well beyond globalization 2.0. We are hyper-connected in terms of communication and commerce. But our fears no longer rest on a monopoly of the spice market or who might reach the West Indies first.

Our fears rest with the individual, organization, or nation that might possess the components for a ballistic missile…the radio frequency modules for an explosive device…or the material for a nuclear bomb.

The proliferation of weapons of mass destruction is one of the FBI's top threats. For this reason, preventing our adversaries from obtaining protected technology and information is one of our highest priorities. Export controls ensure that select individuals, organizations, or nations cannot buy protected items, such as components used in military satellite communications or materials used to create nuclear weapons. Consequently, our adversaries routinely evade our export laws to obtain such protected items.

They may use front companies or technology brokers, through which they reroute shipments and falsify export documents. They may target dual-use items that have both legitimate and illicit uses to arouse less suspicion.

Each of these scenarios presents a serious national security threat.

In today's world of web-based purchases and deals struck over e-mail, it may be difficult for you, as an exporter, to know with whom you are dealing. While your customer may say that the goods are destined for a neutral nation, they may be bound for an embargoed country…or for an individual or an organization prohibited from receiving U.S. exports without the required licenses.

Much like the phishing schemes so rampant in the cyber world, those seeking illicit exports will often e-mail requests for quotes to dozens of suppliers at once. The law of averages holds that at least one company will take the bait.

We do recognize that genuine mistakes do occur. In many instances, there is no knowledge on the part of the exporter that a violation is underway. That is one reason why these cases are so challenging for us.

I would like to take a moment here to address an issue that is distinct from export controls, but important for you to be aware of nonetheless. That is the insider threat—employees with legitimate access to your proprietary information.

These insiders may steal company property for sale to the highest bidder, or for the benefit of a foreign nation. The end-user might attempt to reverse engineer and re-manufacture controlled products. All of this not only presents a national security threat, it threatens to undercut the United States economy.

By way of example, Chinese national Chi Mak was sent to the United States from China in 1978. He was directed to obtain employment in the defense industry.

For more than 20 years, Chi Mak passed information to the Chinese government, including information on quiet electric propulsion systems for the next generation of U.S. submarines, complex radar systems, and stealth ships developed by the United States Navy. He recruited family members to courier the information back to China.

In 2007, he was convicted of attempting to violate export control laws, among several other charges, and was sentenced to more than 24 years in prison.

Now, what does the FBI bring to the table? We are one of several agencies responsible for the enforcement of export control laws and regulations. Our primary interest relates to export matters with a national security nexus.

But we do not work in isolation. To protect national security assets and to prevent the illegal export of restricted materials, we must—and we do—work in concert with the Departments of Commerce, Homeland Security, and Defense and our other intelligence community partners at home and abroad.

In addition to our resources dedicated to countering espionage and insider threats, one year ago we established the Counterproliferation Center at FBI Headquarters. This center brings together the expertise of our Weapons of Mass Destruction and Counterintelligence Divisions to prevent the illegal export of protected United States goods. And we are making progress. We now have more than 1,500 pending cases, and in the past year, we made several high-value arrests and witnessed a significant increase in disruptions.

One recent case, called Wintry Blast, was opened when our Minneapolis Field Office uncovered a major Iranian procurement network operating through front companies in Asia. The network was seeking export-controlled U.S. technology for the Iranian military and for Iran's ballistic missile programs.


In September 2010, five individuals and four of their companies were indicted for participating in the illegal export of military-grade restricted antennas and 6,000 radio frequency modules. Sixteen of those modules were found in unexploded bombs and in weapons caches in Iraq.

Last October, officials in Singapore arrested four of the five defendants—all citizens of Singapore. We continue to seek their extradition to the United States. The fifth defendant—an Iranian national—remains at large.

We would not have been successful without our strong partnership with the Departments of Commerce and Homeland Security and our counterparts in Singapore.

But just as we develop sophisticated tradecraft, so, too, do those individuals who seek our protected technology.

To stay ahead of our adversaries, we must continue to work with partners at home and abroad. And we must constantly improve our efforts to counter the threat, always remaining within the limits of the Constitution and the rule of law.

Turning to the importance of private sector partnerships…

Close working relationships with our federal and international partners are but one aspect of our efforts to prevent illegal exports. Our partnerships with those of you in the private sector are equally important.

Proliferation networks are sophisticated and far-reaching. They use deceptive practices and they frequently work in concert with a web of associates to disguise their true activities.

We are working hard to disrupt, neutralize, and eliminate these networks, and we need your help.

Through the FBI's InfraGard program, individuals in law enforcement, government, and the private sector, as well as academia, meet to talk about how best to protect our country's critical infrastructure and key resources.

Since its inception in 1996, InfraGard has grown from a single chapter in the Cleveland Field Office to 88 chapters around the country, with more than 51,000 members. Members have access to an FBI secure communications network through which we disseminate threat alerts, advisories, and intelligence products.

There are also several special interest groups within InfraGard, including one that is focused on research and technology protection. This group works to share relevant information with members so that we can better protect our collective research and technology.

Beyond InfraGard, our Counterintelligence and Weapons of Mass Destruction Divisions run a number of partnership initiatives. We have a partnership coordinator in each of our 56 field offices to inform you about foreign intelligence threats to your research, your products, and your personnel.

Another such initiative addresses the synthetic biology sector. We are working with biology companies to protect the new technology that enables the synthetic generation of DNA sequences. Together, we have developed procedures to screen unusual purchases…and we have created a reporting mechanism for suspicious orders that may pose a threat.

This is complex, high-stakes technology. But though the technology itself is complex, and the threat is ever changing, one thing is clear—we must continue to work together if we are to be successful in preventing illegal exports and protecting national security.

Your companies are ripe for targeting, but your vigilance can go a long way toward recognizing potential threats.

Be aware of red flags. If a customer is willing to pay cash for an expensive item…if they are vague about the product's end use…if the product could be used in a weapons system…then reach out and talk to us.

We do not want to impede your business processes or to intrude upon free commerce. Our primary function with regard to exports is to keep abreast of the national security threat. And the best way to do that is by standing side-by-side and sharing information…"

EBAY'S SECURITY EFFORTS LEAD TO MASSIVE FRAUD DROP AND 3K ARRESTS

http://www.net-security.org/secworld.php?id=13396

Posted on 08 August 2012.

eBay, the notable online auction and shopping mammoth website and the company that runs it, has taken the fraud threat seriously and has managed to cut it by 90 percent in the last three years, the company's former Chief Information Security Officer Dave Cullinane recently shared at a meeting.

According to CSO Online, this increased interest in shutting down malicious individuals that were trying to take advantage of the site and its users has led to the arrest of some 3,000 around the world, mostly outside the US.

Cullinane, who has left eBay in May this year and joined California-based Security Starfish as CEO, has successfully managed to convince eBay executives to up the budget allocated for IT security from $10 million annually in 2006 to $48 million annually in 2011.

He accomplished this by showing to them the costs of breaches and other security incidents that are likely to befall the company if they didn't invest in security. He also managed to make them agree to physically move five major company data centers from their then position on a major fault line in California.

Given the sheer size of the site and its popularity as a target for cyber crooks of all kinds - scammers, those interested in harvesting customer information, or those trying to bring the site to its knees via DDoS attacks - he realized that in order to keep the site's positive reputation going, he will need to cover a lot of ground.

So during his six-year tenure as CISO, the company has begun investing heavily into IT security by setting up new programs, educating staff, investing in botnet detection and cyber intelligence software, and cooperating heavily with law enforcement agencies by providing the information needed to track down and prosecute scammers and attackers. The company also began disposing of legacy code and made security a priority.

Cullinane pointed out that a good relationship with company executives is crucial to doing a good job as CISO. "The CEO and CFO are your greatest allies," he said to the information security professionals present at the Information Systems Security Association's gathering. "But they shouldn't be hearing about a breach at your company from the press. They should be hearing it from you."

He encouraged them to be paranoid about security and to be always aware that a breach can happen to their companies, too, and urged those working for bigger companies to share their knowledge with security professionals working for small ones, as they are currently heavily targeted, but often don't have the technology, man power and expertise to keep safe.


CYBER RELATED THREATS REPORTED IN THE DHS DAILY OPEN SOURCE INFRASTRUCTURE REPORT

The following are extracts from DHS Daily Open Source Infrastructure Report, located at http://www.dhs.gov/files/programs/editorial_0542.shtm . These reports link back to more detailed reporting from the original source. Included here are extracts pertaining to cyber threats prevalent on a daily basis. Readers may find practical applications for this material both in their work and in their personal use of computing devices and internet usage.

CITADEL MALWARE CONTINUES TO DELIVER REVETON RANSOMWARE IN ATTEMPTS TO EXTORT MONEY

The IC3 has been made aware of a new Citadel malware platform used to deliver ransomware named Reveton. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user's IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.

To unlock the computer, the user is instructed to pay a fine to the U.S. Department of Justice using a prepaid money card service. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.

This is an attempt to extort money with the additional possibility of the victim's computer being used to participate in online bank fraud. If you have received this or something similar, do not follow payment instructions. Infected computers may not operate normally. If your computer is infected, you may need to contact a local computer expert for assistance to remove the malware.

It is suggested that you:

■ File a complaint at www.IC3.gov. Look for updates about the Reveton virus on the IC3 website.
■ Seek out a local computer expert to assist with removing the malware.
■ Do not pay any money or provide personal information.
■ Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.

Source: http://www.fbi.gov/sandiego/press-releases/2012/citadel-malware-continues-to-deliver-reveton-ransomware-in-attempts-to-extort-money

August 17, Computerworld – (International) MALWARE CRIPPLES WINDOWS PCS TO COVER TRACKS. A new trojan tries to cover its tracks by crippling the victim's computer after stealing data, a security researcher said August 17. Dubbed "Shamoon" by most antivirus companies, the malware has been used in targeted attacks aimed at specific individuals or firms, including at least one in the energy sector. According to security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization's network. The second stage overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. Seculert and other security companies, including Kaspersky Lab and Symantec, have not yet figured out what kind of data Shamoon is looking for, then stealing. They assume that because the malware uses a second infected system to communicate with a -controlled command-and-control (C&C) server, Shamoon is copying files from pillaged PCs and sending that information to its masters. Malware rarely destroys files or wipes the MBR. Most threats try to work quietly to avoid detection as long as possible. Crippling a computer only brings unwanted attention. "Threats with such destructive payloads are unusual and are not typical of targeted attacks," Symantec said August 16. Since a list of overwritten files is transmitted to the C&C server, Seculert's CTO speculated that Shamoon's makers wanted to "know what and how much got wiped."

Source: http://www.computerworld.com/s/article/9230359/Shamoon_malware_cripples_Windows_PCs_to_cover_tracks?taxonomyId=82

August 16, Threatpost – (International) EMAIL TROJAN TARGETING DEFENSE, AEROSPACE AND OTHER INDUSTRIES. What appears to be a targeted attack campaign against several high value industries is using a trojan that employs rigged PDFs to deliver its payload. Targeting organizations in the defense, chemical, technology, and aerospace industries, the MyAgent trojan is primarily spreading through email as a zipped .exe file or PDF attachment, according to researchers at the Fire Eye Malware Intelligence Lab. Fire Eye examined a sample of MyAgent that, once executed, opens a PDF file titled "Health Insurance and Welfare Policy" and then drops a second executable, titled "ABODE32.exe," in the temp directory, they say in their report. Fire Eye notes the "ABODE32.exe" executable accesses Windows Protected Storage, which holds the passwords for Internet Explorer, Outlook, and other applications. Once the trojan infects its host machine, it communicates with its command and control (C&C) server, the user agent string and URI of which are hard-coded into MyAgent's binary. Also, Fire Eye noticed the malware loading different DLLs to communicate with its C&C server. Despite MyAgent's relatively high detection rate, its dynamic intermediary stages place it among what Fire Eye considers advanced malware. JavaScript within the PDF variety of MyAgent determines which version of Adobe Reader is running on its host and then deploys well-known exploits tailored to the specific version. If the machine is running any of Reader 9.0's predecessors, then MyAgent exploits the "Collab.getIcon()" vulnerability.

Source: http://threatpost.com/en_us/blogs/email-trojan-tageting-defense-aerospace-andother-industries-081612

July 10, Softpedia – (International) ICS-CERT warns of malware that spreads via USB drives. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned organizations to be cautious when handling removable media flash drives since there are many malicious elements that use them to spread. They cite an incident that took place in April 2012. Workers in an energy company identified a piece of malware on a USB stick left by mistake in the USB port of a human-machine interface (HMI) computer by another staffer. The Hamweq virus was not able to perform its tasks because it depended on the operating system's auto-run function, which was disabled on all devices. If the auto-run feature was enabled, the threat could have injected malicious code and created a backdoor that may have been leveraged by the attackers to steal sensitive data.


According to ICS-CERT, in order to avoid similar incidents, organizations should always properly mark removable media. They should also disable auto-run functions when possible. Other recommendations include the use of dedicated media for the same type of systems, and the separation of malfunctioning or potentially infected drives from ones cataloged as acceptable. The workers that operate industrial control systems should never connect removable media drives with an unknown origin to a system without properly checking first. They should also avoid using personally owned devices for work-related tasks.

Source: http://news.softpedia.com/news/ICS-CERT-Warns-of-Malware-that-Spreads-Via-USB-Drives-280442.shtml http://www.computerworld.com/s/article/9230359/Shamoon_malware_cripples_Windows_PCs_to_cover_tracks?taxonomyId=82

July 11, The Register – (International) CHEMICAL GIANT FOILS INFECTED USB STICK ESPIONAGE BID. An attempt to infiltrate the corporate systems of Dutch chemical company DSM by leaving malware-laden USB sticks in the corporation's car park failed, The Register reported July 11. Instead of plugging the discarded drives into a workstation, which would have infected the company's machines, a worker who first found one of the devices turned it in to DSM's IT department. System administrators subsequently found an unspecified password-stealing keylogger, according to local reports. The spyware was designed to upload stolen usernames and passwords to a server under the control of hackers. This site was blocked by DSM's system administrators, so the firm would be protected even if other workers find and use the infected USBs on corporate laptops. Using infected USBs as a way to smuggle malware into firms has become a regular occurrence in recent years, security researchers note, especially since they were the presumed delivery mechanism of the worm.

Source: http://www.theregister.co.uk/2012/07/11/infected_usb_spyware/

July 11, Help Net Security – (International) TARGETED ATTACKS FOCUS ON SMALL BUSINESSES. Thirty-six percent of all targeted attacks (58 per day) during the last 6 months were directed at businesses with 250 or fewer employees, according to Symantec. During the first half of 2012, the total number of daily targeted attacks continued to increase at a minimum rate of 24 percent with an average of 151 targeted attacks being blocked each day during May and June. Large enterprises consisting of more than 2,500 employees are still receiving the greatest number of attacks, with an average of 69 being blocked each day. "There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones. It almost seems attackers are diverting their resources directly from the one group to the other," said a cybersecurity intelligence manager at Symantec. "It may be that your company is not the primary target, but an attacker may use your organization as a stepping-stone to attack another company," he said. The defense industry was the targeted industry of choice in the first half of 2012, with an average of 7.3 attacks per day. The chemical/pharmaceutical and manufacturing sectors maintain the number two and three spots, respectively. These targets clearly received a smaller percentage of overall attention than in 2011, but the chemical/pharmaceutical sector is still hit by one in every five targeted attacks, while manufacturing still accounts for almost 10 percent of all targeted attacks.

Source: http://www.net-security.org/secworld.php?id=13225&utm

July 10, CNNMoney – (International) MOBILE ADS CAN HIJACK YOUR PHONE AND STEAL YOUR CONTACTS. Tens of thousands of smart-phone applications are running ads from rogue advertising networks that change smart-phone settings and take contact information without permission, according to a new study released July 9. Aggressive ad networks can disguise ads as text message notifications or app icons, and sometimes change browser settings and bookmarks. Often, the ads will upload your contacts list to the ad network's servers — information the ad network can then sell to marketers. As many as 5 percent of free mobile apps use an "aggressive" ad network to make money, according to Lookout, a San Francisco-based mobile security company. With millions of mobile apps in stores, that small percentage adds up to a big number. The study found that 19,200 of the 384,000 apps it tested used malicious ad networks. Those apps were downloaded 80 million times.

Source: http://www.dailyfinance.com/2012/07/10/mobile-ads-can-hijack-your-phoneand-steal-your-contacts/

July 3, Threatpost – (International) NEW VERSION OF SYKIPOT TROJAN LINKED TO TARGETED ATTACKS ON AEROSPACE INDUSTRY. According to researchers at the security firm AlienVault, a new version of the Sykipot trojan is being pushed to unsuspecting users in a wave of online attacks, including targeted attacks on attendees of an international aerospace conference, Threatpost reported July 3. The attacks use exploits for recently disclosed security holes, such as Microsoft's Windows XML Core Services vulnerability first disclosed in June. The new Sykipot variant also uses a collection of recently registered Web domains to issue malicious attacks. Most were registered in the last month and are linked to the same yahoo.com e-mail address, AlienVault disclosed. At least one of the new domains was linked to targeted phishing-email attacks on attendees of the IEEE Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders), AlienVault said.

Source: http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targetedattacks-aerospace-industry-070312

June 14, Threatpost – (International) HONEYNET PROJECT LAUNCHES 'GHOST' TO SNARE USB MALWARE. The Honeynet Project launched a new project June 14 designed to snare malware that spreads by infecting removable universal serial bus (USB) storage drives, citing the increased reliance of malicious programs on portable drives to move from computer to computer. The ghost-usb-honeypot project stems from research conducted by a student at Bonn University in Germany. He first presented the results of work he and others conducted at the University of Bonn's Institute of Computer Science at a Honeynet Project conference in San Francisco in March. He said propagation via USB drives is increasingly common, as malware authors look for ways to breach machines or networks that are "air-gapped," or not accessible from other networks.

Source: http://threatpost.com/en_us/blogs/honeynet-project-launches-ghost-snare-usbmalware-061412

June 11, Ars Technica – (International) JAMES BOND-STYLE MALWARE TARGETS FIRM THAT SECURES INDUSTRIAL SYSTEMS. A malware-based espionage campaign was recently perpetrated against Digital Bond, a security consultancy that specializes in safeguarding computer systems used to control dams, gasoline refineries, and other critical infrastructure against attack. An e-mail that addressed a Digital Bond employee by name used an account registered to appear as if it belonged to the company's founder and CEO. According to a blog post published the week of June 4, the message made reference to a paper the executive co-authored in 2009 and asked the employee to click on a Web link that led to a compressed file stored on a compromised server.

Malicious code in the file installs a remote backdoor on end-user machines. It was detected by only 7 of 42 antivirus products. That suggests the trojan did not circulate widely before it targeted Digital Bond.

Source: http://arstechnica.com/security/2012/06/jamesmalware-targets-industrialsystems-experts/

June 5, Computerworld – (International) RESEARCHERS REVEAL HOW FAKES WINDOWS UPDATE. June 5, security researchers published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft's Windows Update mechanism. Their examinations answered a question that puzzled researchers at Kaspersky Lab: How was Flame infecting fully-patched Windows 7 machines? Key to the phony Windows Update process was that the hackers located and exploited a flaw in the company's Terminal Services licensing certificate authority that allowed them to generate code-validating certificates "signed" by Microsoft. Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

Source: http://www.computerworld.com/s/article/9227736/Researchers_reveal_how_Flame_fakes_Windows_Update

May 25, Nextgov – (National) NO MORE DOT-MIL ACCOUNTS ON DATING SITES. According to Defense Department officials, the Pentagon plans to distribute a new policy on personal social media use that tells troops to hide certain identifying information when interacting online, Nextgov reported May 25. The directive was expected to be released in late May. Increasingly, hackers are gleaning sensitive work details from social networks by drawing inferences from posts, such as military unit locations, and by penetrating the actual sites. Defense officials acknowledged they are aware of a reported MilitarySingles.com breach that may have exposed soldiers' dot-mil e-mail addresses and passwords. Future instruction that specifically addresses use of commercial social media will direct all Defense employees to "use non-mission related contact information, such as telephone numbers or postal and email addresses, to establish personal accounts, when such information is required." Despite the forthcoming policy, dot-mil e-mail addresses may still appear in some personal communications, partly because family members and guests using the Army Knowledge Online service are issued military addresses, a Defense spokesperson said.

Source: http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/05/no-moredot-mil-accounts-dating-sites/55930/?oref=ng-voicestop

May 29, Threatpost – (National) DHS TO CRITICAL INFRASTRUCTURE OWNERS: HOLD ON TO DATA AFTER CYBER ATTACK. The DHS is offering organizations that use industrial control systems advice on mitigating the effects of cyber attacks. Among the agency's recommendations: Hold on to data from infected systems and prevent enemies from moving within your organization. DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a technical paper on cyber intrusion mitigation strategies May 25. The document calls on critical infrastructure owners to take a number of steps to thwart attacks, or limit the damage they cause. Among them are improving their ability to collect and retain forensic data, and to detect attempts by attackers to move laterally within their organization. The document is guidance from ICS-CERT to critical infrastructure owners and is targeted at both enterprise and control system networks, DHS said.

Source: http://threatpost.com/en_us/blogs/dhs-critical-infrastructure-owners-hold-dataafter-cyber-attack-052912

May 23, Threatpost – (International) ANATOMY OF A LULZSEC ATTACK 'SINGLES OUT' WEB 2.0 WEAKNESS. A new report analyzing a recent attack on a military dating site underscores the need for stronger safeguards on social networks. As part of its Hacker Intelligence Initiative, database and application security provider Imperva deconstructed a March attack by the hacker collective LulzSec on MilitarySingles.com. By bypassing simple checks and filters, the group was able to steal sensitive data, including passwords on more than 170,000 members of the dating site. The "reborn" group posted the attack on Pastebin March 26. The attackers took advantage of a vulnerable area in developing social applications: consumer-created content. In the case of MilitarySingles.com, attackers leveraged the picture upload functionality. Hackers also took advantage of the dating site's password management. Members' secret codes were hashed with a weak MD5 algorithm and no additional salting to thwart a dictionary attack.

Source: http://threatpost.com/en_us/blogs/anatomy--attack-singles-out-web-20-weakness-052312

ARRESTS, TRIALS AND CONVICTIONS

The following are typically US Attorney, Department of Justice or FBI Press Releases announcing arrests, trials and convictions of individuals accused or convicted of National security or cyber related criminal activity. Inclusion of these press releases is intended to provide security educators and their employees with vivid examples of the types of threat government and cleared defense contractor employees face in protecting classified and proprietary information and export controlled materials.

To lead off this section of our newsletter, we are listing Chinese and Iranian backed or linked targeting of defense related technology or weapons systems, as well as targeting of advanced technology and export controlled materials during the first half of calendar year 2012. Readers are encouraged to visit the original Department of Justice site for the report in its original form and context (located at the following hyperlink) http://www.justice.gov/nsd/docs/export-case-fact-sheet.pdf

ARRESTS OR CONVICTIONS FOR EXPORT VIOLATIONS, ECONOMIC ESPIONAGE, TRADE SECRET VIOLATIONS AND EMBARGO VIOLATIONS.

So far, during Calendar year 2012, 16 different countries or locations have been identified or associated with Arrests or convictions for Export Violations, Economic Espionage, Trade Secret Violations and Embargo Violations.

There is no surprise that the leaders of this questionable list are once again China and Iran.

Violations involving China included the following items, technologies or companies:

■ Software for Attack Helicopters
■ Pressure Transducers
■ Firearms
■ Trade Secrets involving Irrigation Equipment
■ Drone / Missile / Stealth Technology
■ Thermal Imaging Cameras
■ Military Technical Data
■ Unspecified Trade Secrets
■ Du Pont Trade Secrets
■ Motorola Trade Secrets
■ Radiation Hardened Circuits
■ Pharmaceutical Trade Secrets
■ Dow Chemicals Trade Secrets
■ Accelerometers


Violations involving Iran included the following items, technologies or companies:
• Missile Components
• Gas Centrifuges
• Petrochemical Supplies
• Computers
• Carbon Fiber Technology
• Financial Transactions
• Oils and Polymers
• Aircraft Components
• Military Gyroscopes
• Hawk Missile Batteries
• Computer Technology
• IED Components

Readers interested in specific details can view the related cases, as well as numerous other cases dating back to 2007 at the below web link: http://www.justice.gov/nsd/docs/export-case-fact-sheet.pdf

TWO BROWARD MEN PLEAD GUILTY TO CONSPIRACY TO ILLEGALLY EXPORT MILITARY PLANE PARTS TO VENEZUELA

http://articles.sun-sentinel.com/2012-07-26/news/fl-parts-to-venezuela-20120726_1_freddy-arguelles-kirk-drellich-skyhigh-accessories

Two Broward, Florida men have pleaded guilty to federal charges related to their roles in a conspiracy to illegally export various military airplane parts to Venezuela.

An officer in the Venezuelan Air Force, who worked at the Venezuelan Military Acquisitions Office in Doral, pleaded guilty in early July to conspiring to violate the Arms Export Control Act by sending parts and supplies to the Venezuelan military between November 2008 and August 2010. Among the items he conspired to send to the Venezuelan military were F16 ejection seats and munitions, unmanned aerial vehicle engines, T-56 plane engines, radars, and oxygen masks. In addition, the owner and president of SkyHigh Accessories Inc. in Davie pleaded guilty July 26 to conspiring to violate the Arms Export Control Act. A former Venezuelan Air Force pilot and a fourth man were also scheduled to plead guilty for their roles in the alleged conspiracy in federal court in Fort Lauderdale, according to court records.

Alberto Pichardo, 40, of Weston, pleaded guilty earlier this month to conspiring to violate the Arms Export Control Act by sending parts and supplies to the Venezuelan military.

Pichardo, an officer in the Venezuelan Air Force, worked at the Venezuelan Military Acquisitions Office in Doral and previously was an administrator of the military's F-16 fighter program, according to federal prosecutors.

Pichardo admitted that he conspired to export various defense supplies that federal authorities have placed on a list of items that cannot be exported without a license or special permission. The conspiracy operated between November 2008 and August 2010, he said.

Among the items Pichardo conspired to send to the Venezuelan military were F-16 ejection seats and munitions, unmanned aerial vehicle engines, T-56 plane engines, radars and oxygen masks.

In April 2010, Pichardo met with an undercover FBI employee and another unidentified individual at a Miramar hotel and was videotaped admitting that he knew he was breaking the law and federal regulations, according to court records.

"[Pichardo's conduct] had the potential to be harmful and was harmful to the security and foreign policy interests of the United States," Assistant U.S. Attorney Thomas J. Mulvihill wrote in court documents.

Pichardo received $21,000 and expected to be paid a total of $200,000 for his role, according to court documents. He was released on electronic monitoring until his sentencing in September.

On Thursday, Kirk Drellich, 49, of Davie, also pleaded guilty to conspiring to violate the Arms Export Control Act. He is free pending his sentencing hearing, which is also scheduled in September.

Drellich, the owner and president of SkyHigh Accessories Inc. in Davie, was involved in the buying and selling of aircraft parts. Drellich admitted Thursday that he was involved in the illegal exportation of parts for cargo planes in Venezuela between November 2008 and August 2010.

A third Broward man, Freddy Arguelles, 37, of Pembroke Pines, is scheduled to plead guilty for his role in the alleged conspiracy on Friday in federal court in Fort Lauderdale. Arguelles, a former Venezuelan Air Force pilot, was charged earlier this year with helping Pichardo with the F-16 supplies.

A fourth man, Victor Brown, 55, of Hialeah is also scheduled to plead guilty to his role in the case next week in federal court in Fort Lauderdale, according to court records.

CALIFORNIA MAN PLEADS GUILTY TO ATTEMPTING TO ILLEGALLY EXPORT MISSILE COMPONENTS TO IRAN

http://www.bis.doc.gov/news/2012/doj07262012.htm

CHICAGO – A California man pleaded guilty today in Federal Court here to a felony charge stemming from his efforts to illegally export missile components from the United States to Iran, via the United Arab Emirates. The defendant, Andro Telemi, 42, of Sun Valley, Calif., pleaded guilty to one count of attempting to export defense articles on the U.S. Munitions List from the United States without a license or approval from the U.S. Department of State in violation of the Arms Export Control Act.

U.S. District Judge Samuel Der-Yeghiayan set sentencing for Oct. 30. Telemi faces a maximum penalty of 20 years in prison and a $250,000 fine. Telemi pleaded guilty without entering into a plea agreement with the government.

The guilty plea was announced by Gary S. Shapiro, Acting United States Attorney for the Northern District of Illinois; Gary J. Hartwig, Special Agent-in-Charge of Homeland Security Investigations (HSI) in Chicago; Richard D. Zott, Special Agent-in-Charge of the Defense Criminal Investigative Service Central Field Office in St. Louis; Ronald B. Orzel, Special Agent-in-Charge of the Chicago office of the Department of Commerce's Office of Export Enforcement; and Thomas Jankowski, Acting Special Agent-in-Charge of the Chicago office of the Internal Revenue Service Criminal Investigation Division. The Chicago Police Department also assisted in the investigation.


"Our national security is threatened when anyone attempts to illegally export restricted military components that could fall into the wrong hands," Mr. Hartwig said. "HSI will continue to aggressively investigate individuals and organizations who would seek to sell sensitive technology at the expense of our own security."

Telemi, a naturalized U.S. citizen from Iran, also known as "Andre Telimi," and "Andre Telemi," was indicted in December 2009, along with co-defendant Davoud Baniameri, 39, of Woodland Hills, Calif. A superseding indictment in July 2010 charged Baniameri, Telemi and a third defendant, Syed Majid Mousavi, an Iranian citizen living in Iran. Baniameri pleaded guilty last year and was sentenced to 51 months in federal prison. Mousavi, also known as "Majid Moosavy," remains a fugitive and is believed to be in Iran.

According to Telemi's guilty plea and court records, sometime before Aug. 17, 2009, Baniameri contacted Telemi and requested his assistance in purchasing and exporting to Iran via Dubai 10 connector adapters for the TOW and TOW2 anti-armor missile systems. Telemi agreed and over the next month, they negotiated the purchase of 10 connector adaptors for $9,450 from a company in Illinois, which unbeknownst to them, was controlled by law enforcement.

In September 2009, after Baniameri made a down payment to the Illinois company, he arranged for Telemi to pay the remaining balance and take possession of the connector adaptors in California. Telemi knew that he needed to obtain a license from the U.S. government to export the connector adaptors, and at no time did he or anyone else obtain, or attempt to obtain, such a license.

The government is being represented in court by Assistant U.S. Attorney Patrick C. Pope.

U.S. ARMY TRANSLATOR RE-SENTENCED TO 108 MONTHS' IMPRISONMENT FOR UNAUTHORIZED POSSESSION OF CLASSIFIED DOCUMENTS CONCERNING IRAQI INSURGENCY AND FOR USING A FALSE IDENTITY

http://www.fbi.gov/newyork/press-releases/2012/u.s.-army-translator-re-sentenced-to-108-months2019-imprisonment-for-unauthorized-possession-of-classified-documents-concerning-iraqi-insurgency-and-for-using-a-false-identity

U.S. Attorney's Office Eastern District of New York (718) 254-7000

August 01, 2012

BROOKLYN, NY—A U.S. Army contract translator was re-sentenced today to 108 months of imprisonment for illegally possessing national defense documents and using a false identity to procure his United States citizenship and to gain access to classified military materials. The proceeding was held before United States District Judge Brian M. Cogan at the U.S. Courthouse in Brooklyn, New York.

Previously, on February 14, 2007, the defendant—whose true identity is still unknown and who goes by various names including Abdulhakeem Nour, Abu Hakim, Noureddine Malki, Almaliki Nour, and Almalik Nour Eddin—pleaded guilty to the unauthorized possession of classified documents charge. On December 20, 2005, the defendant pleaded guilty to the false identity charge. On May 19, 2008, the defendant was originally sentenced to 121 months' imprisonment. That sentence was later reversed on appeal due to an error in the calculation of the advisory United States Sentencing Guidelines range. The case was then remanded for re-sentencing, and Judge Cogan imposed an above-Guidelines sentence.

In August 2003, the defendant used a false identity to apply for and gain a position as an Arabic translator for the L-3 Titan Corp., which provides translation services in Iraq for U.S. military personnel. He then used the same false identity to fraudulently obtain "Secret" and then "Top Secret" security clearances. Subsequently, during assignments in Iraq, the defendant took classified documents from the U.S. Army without authorization. While assigned to an intelligence group in the 82nd Airborne Division of the U.S. Army at Al Taqqadam Air Base, he downloaded a classified electronic document and took hard copies of several other classified documents. The documents detail the 82nd Airborne's mission in Iraq in regard to insurgent activity, such as coordinates of insurgent locations upon which the U.S. Army was preparing to fire in January 2004 and U.S. Army plans for protecting Sunni Iraqis traveling on their pilgrimage to Mecca, Saudi Arabia, in late January 2004. During a later deployment to a U.S. Army base near Najaf, Iraq, the defendant obtained a photograph of a classified battle map identifying U.S. troop routes used in August 2004 during the battle of Najaf, where the U.S. and Iraqi security forces sustained serious casualties. In September 2005, the Federal Bureau of Investigation's Joint Terrorism Task Force recovered these classified documents during a search of the defendant's Brooklyn apartment. One of the documents remains classified and therefore is not described here. In connection with the re-sentencing, the court found that the defendant had intentionally taken the classified materials that were later found in his possession.

"The defendant used fraud and deception to work his way into a position of undeserved trust. He then used that position to steal sensitive data about U.S. troops and their mission. Significant breaches of national security must be prosecuted aggressively," stated United States Attorney Loretta E. Lynch. "Today's re-sentencing ensures that he will spend nine years contemplating the failure of his plans."

Ms. Lynch extended her grateful appreciation to the Federal Bureau of Investigation, New York Field Office; the New York City Police Department; and U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI), New York, for spearheading the government's investigation and thanked the U.S. Department of Defense for its assistance.

The government's case is being prosecuted by Assistant United States Attorney Daniel Silver. This case was originally prosecuted by former Assistant United States Attorneys John Buretta and Jeffrey Knox.

VIRGINIA MAN SENTENCED TO 18 MONTHS IN PRISON FOR ACTING AS UNREGISTERED AGENT FOR SYRIAN GOVERNMENT

http://www.justice.gov/opa/pr/2012/July/12-nsd-894.html

Mohamad Anas Haitham Soueid, 48, a resident of Leesburg, Va., was sentenced today to 18 months in prison, followed by three years of supervised release, for collecting video and audio recordings and other information about individuals in the


United States and Syria who were protesting the government of Syria and to providing these materials to Syrian intelligence agencies in order to silence, intimidate and potentially harm the protestors.

Lisa Monaco, Assistant Attorney General for National Security; Neil MacBride, U.S. Attorney for the Eastern District of Virginia; and James McJunkin, Assistant Director in Charge of the FBI Washington Field Office, made the announcement following sentencing by United States District Judge Claude M. Hilton.

Soueid, aka "Alex Soueid" or "Anas Alswaid," a Syrian-born naturalized U.S. citizen, was charged by a federal grand jury on Oct. 5, 2011, in a six-count indictment in the Eastern District of Virginia. He was convicted of unlawfully acting as an agent of a foreign government on March 26, 2012.

"Mohamad Soueid acted as an unregistered agent of the Syrian government as part of an effort to collect information on people in this country protesting the Syrian government crack-down. I applaud the many agents, analysts and prosecutors who helped bring about this important case," said Assistant Attorney General Monaco.

"Mr. Soueid betrayed this country to work on behalf of a state sponsor of terror," said U.S. Attorney MacBride. "While the autocratic Syrian regime killed, kidnapped, intimidated and silenced thousands of its own citizens, Mr. Soueid spearheaded efforts to identify and intimidate those protesting against the Syrian government in the United States."

"By illegally acting as an agent of Syria, Mr. Soueid deceived his adopted country of the United States in support of a violent and repressive despotic government," said Assistant Director in Charge McJunkin. "Through today's sentencing, he will now be held accountable for his actions."

According to court records, from March to October 2011, Soueid acted in the United States as an agent of the Syrian Mukhabarat, which refers to the intelligence agencies for the Government of Syria, including the Syrian Military Intelligence and General Intelligence Directorate. At no time while acting as an agent of the government of Syria in this country did Soueid provide prior notification to the Attorney General as required by law. The U.S. government has designated the Syrian government a state sponsor of terrorism since 1979.

Under the direction and control of Syrian officials, Soueid recruited individuals living in the United States to make dozens of audio and video recordings of protests against the Syrian regime – including recordings of conversations with individual protestors – in the United States and Syria, which he provided to the Syrian government. He also supplied the Syrian government with contact information for key dissident figures in the United States, details about the financiers of the dissident movement, logistics for protests and meetings, internal conflicts within the movement, and the movement's future plans.

In a handwritten letter to a Syrian official in April 2011, Soueid outlined his support for the Syrian government's repressions of its citizens, stating that disposing of dissension must be decisive and prompt and that violence, home invasions, and arrests against dissidents is justified.

The Syrian government provided Soueid with a laptop to further their ability to surreptitiously communicate, which he later destroyed. In late June 2011, the Syrian government paid for Soueid to travel to Syria, where he met with intelligence officials and spoke with President Bashar al-Assad in private.

To thwart detection of his activities by U.S. law enforcement, Soueid lied to a Customs and Border Patrol agent upon his return from meeting with President al-Assad in Syria, and he also lied repeatedly to FBI agents when they questioned him in August 2011. Following the FBI interview, Soueid destroyed documents in his backyard and informed the Mukhabarat about his FBI interview.

This investigation is being conducted by the FBI's Washington Field Office with assistance from the Loudon County, Va., Sheriff's Office. The prosecution is being handled by Assistant U.S. Attorneys Dennis Fitzpatrick and Neil Hammerstrom of the U.S. Attorney's Office for the Eastern District of Virginia and Trial Attorney Brandon L. Van Grack of the Counterespionage Section of the Justice Department's National Security Division.

TWO INDICTED FOR ALLEGED EFFORTS TO SUPPLY IRAN WITH U.S.-MATERIALS FOR GAS CENTRIFUGES TO ENRICH URANIUM

http://www.justice.gov/opa/pr/2012/July/12-nsd-873.html

Department of Justice, Office of Public Affairs

Friday, July 13, 2012

Accused Iranian Procurement Agent Arrested in the Philippines

WASHINGTON – A federal grand jury in the District of Columbia has returned a superseding indictment charging Parviz Khaki, a citizen of Iran, and Zongcheng Yi, a resident of China, for their alleged efforts to obtain and illegally export to Iran U.S.-origin materials that can be used to construct, operate and maintain gas centrifuges to enrich uranium, including maraging steel, aluminum alloys, mass spectrometers, vacuum pumps and other items.

Khaki is also accused of conspiring to procure radioactive source materials from the United States for customers in Iran.

The superseding indictment, which was returned late yesterday, was announced by Lisa Monaco, Assistant Attorney General for National Security; Ronald C. Machen Jr., U.S. Attorney for the District of Columbia; and John Morton, Director of U.S. Immigration and Customs Enforcement (ICE).

The superseding indictment charges Khaki, age 43, aka "Martin," and Yi, aka "Yi Cheng," aka "Kohler," aka "Kohler Yi," each with one count of conspiracy to violate the International Emergency Economic Powers Act (IEEPA) by conspiring with others to cause the export of U.S. goods to Iran without the required U.S. Treasury Department license. Both defendants are also charged with one count of conspiracy to defraud the United States; two counts of smuggling; two counts of illegally exporting U.S. goods to Iran in violation of IEEPA; and one count of conspiracy to commit money laundering.


"Today's indictment sheds light on the reach of Iran's illegal procurement networks and the importance of keeping U.S. nuclear-related materials from being exploited by Iran. Iranian procurement networks continue to target U.S. and Western companies for technology acquisition by using fraud, front companies and middlemen in nations around the globe. I applaud the authorities in the Philippines and the many U.S. agents, analysts and prosecutors who worked on this important case," said Lisa Monaco, Assistant Attorney General for National Security.

"This new indictment shows that we have no tolerance for those who try to traffic in commodities that can be used to support Iran's nuclear program," said U.S. Attorney Ronald C. Machen Jr. "It also underscores our commitment to aggressively enforcing export laws."

"By dismantling this complex conspiracy to deliver nuclear-related materials from the United States to Iran, we have disrupted a significant threat to national security," said ICE Director John Morton. "Homeland Security Investigations will continue to pursue those who exploit U.S. businesses to illegally supply foreign governments with sensitive materials and technology that pose a serious risk to America and its allies."

According to the indictment, from around October 2008 through January 2011, Khaki, Yi and others conspired to cause the export of goods from the United States to Iran in violation of the embargo. At no time during this period did the defendants have a license or authorization from the Treasury Department to export any U.S. goods to Iran.

In carrying out the conspiracy, the indictment alleges that Khaki directed Yi and others to contact U.S. companies about purchasing U.S.-origin goods. Yi and other conspirators then placed orders and purchased goods from various U.S. companies and had the goods exported from the United States through China and Hong Kong to Khaki and others in Iran. Yi and others allegedly made a variety of false statements to U.S. companies on behalf of Khaki to conceal that Iran was the final destination and end-user of the goods and to convince U.S. companies to export these items to a third country.

Efforts to Export to Iran U.S. Materials for Gas Centrifuges to Enrich Uranium

For example, the indictment alleges that on Dec. 6, 2008, Khaki asked an individual in China to obtain 20 tons of C-350 maraging steel from the United States for Khaki's customer in Iran. In the months that followed, Khaki also had communications with Yi about purchasing 20 tons of maraging steel from a U.S. company with which Yi was in contact. Maraging steel is a special class of high-strength steel known for possessing superior strength without losing malleability. The enhanced strength of maraging steel makes it particularly suited for use in gas centrifuges for uranium enrichment.

In March 2009, Khaki allegedly began communicating with an undercover U.S. federal agent posing as an illegal exporter of U.S. goods. The agent told Khaki that the U.S. company (referenced above) could not sell Khaki the maraging steel because doing so was illegal, but that he (the undercover agent) could potentially help export the steel for a fee. Khaki allegedly replied to the agent with questions about price and payment. In the months that followed, Khaki continued to communicate with the agent in an effort to acquire and export the maraging steel to Iran, noting in one instance, "you know and I know this material are [sic] limited material and danger goods…" Khaki also discussed his desire to make money from the transaction.

The indictment also alleges that in late 2008, Khaki reached out to an individual in China about procuring 20 tons of 7075-O aluminum alloy 80mm rods and 20 tons of 7075-T6 aluminum alloy 150 mm rods from the United States or Europe. In one communication, Khaki explained to the individual that the aluminum alloy had to be American made because his Iranian customer had previously found that Chinese aluminum alloy was of poor quality.

Khaki also allegedly sought to obtain mass spectrometers from the United States. In a May 2009 email request to the undercover federal agent, Khaki specified that one magnetic mass spectrometer he sought was for the isotopic analysis of gaseous uranium hexafluoride. Uranium hexafluoride is the chemical compound used in the gas centrifuge process to enrich uranium. Khaki and Yi also conspired to obtain other items from U.S. companies that can be used for gas centrifuges, including measuring instruments, pressure transducers, vacuum pumps and other accessories, according to the charges.

Efforts to Export to Iran Radioactive Materials

The indictment further alleges that Khaki sought to obtain radioactive source materials from the United States. In May 2009, for instance, Khaki sent an email to the undercover agent asking the agent to purchase radioactive sources and test materials from a U.S. company. Attached to the email was a list of products, including barium-133 source and europium-152 source, as well as contact information for the U.S. company.

In January 2011, Khaki contacted the undercover agent again requesting that he purchase various radioactive sources. In one email to the agent, Khaki allegedly sent a product catalogue for radioactive sources, including cobalt-57 source, and in another email he requested the agent purchase cadmium-109 source.

Exports to Iran of Lathes and Nickel Alloy Wire through Hong Kong, China

The indictment alleges the defendants caused the illegal export of lathes and nickel alloy 120 wire from the United States through China to Iran. In February 2009, Khaki asked Yi to contact a U.S. company about procuring two Twister Speed Lathes. Yi allegedly purchased these items and arranged for them to be shipped from the United States to Hong Kong and ultimately to Iran in June 2009.

In another transaction, on Jan. 26, 2009, Khaki allegedly asked a conspirator to contact a U.S. company about purchasing nickel alloy 120. At Khaki's request, the conspirator sent a U.S. company an order for nickel alloy, falsely stating that a company in China was the purchaser. In June 2009, the U.S. company shipped the nickel alloy to Yi in Hong Kong, who shipped it on to Iran, according to the charges.

This investigation was conducted by U.S. Immigration and Customs Enforcement (ICE) Homeland Security Investigation (HSI) agents. Assistance was provided by authorities in the Philippines. The prosecution is being handled by the U.S. Attorney's Office for the District of Columbia and Trial Attorney Brandon L. Van Grack of the Counterespionage Section of the Justice Department's National Security Division. The Office of International Affairs in the Justice Department's Criminal Division also provided assistance.


UNITED TECHNOLOGIES SUBSIDIARY PLEADS GUILTY TO CRIMINAL CHARGES FOR HELPING CHINA DEVELOP NEW ATTACK HELICOPTER

http://www.justice.gov/opa/pr/2012/June/12-nsd-824.html

United Technologies, Pratt & Whitney Canada and Hamilton Sundstrand Corporations Also Agree to Pay More Than $75 Million to U.S. Government

BRIDGEPORT, Conn. – Pratt & Whitney Canada Corp. (PWC), a Canadian subsidiary of the Connecticut-based defense contractor United Technologies Corporation (UTC), today pleaded guilty to violating the Arms Export Control Act and making false statements in connection with its illegal export to China of U.S.-origin military software used in the development of China's first modern military attack helicopter, the Z-10.

In addition, UTC, its U.S.-based subsidiary Hamilton Sundstrand Corporation (HSC) and PWC have all agreed to pay more than $75 million as part of a global settlement with the Justice Department and State Department in connection with the China arms export violations and for making false and belated disclosures to the U.S. government about these illegal exports. Roughly $20.7 million of this sum is to be paid to the Justice Department. The remaining $55 million is payable to the State Department as part of a separate consent agreement to resolve outstanding export issues, including those related to the Z-10. Up to $20 million of this penalty can be suspended if applied by UTC to remedial compliance measures. As part of the settlement, the companies admitted conduct set forth in a stipulated and publicly filed statement of facts.

Today's actions were announced by David B. Fein, U.S. Attorney for the District of Connecticut; Lisa Monaco, Assistant Attorney General for National Security; John Morton, Director of U.S. Immigration and Customs Enforcement (ICE); Ed Bradley, Special Agent in Charge of the Northeast Field Office of the Defense Criminal Investigative Service (DCIS); Kimberly K. Mertz, Special Agent in Charge of the FBI New Haven Division; David Mills, Department of Commerce Assistant Secretary for Export Enforcement; and Andrew J. Shapiro, Assistant Secretary of State for Political Military Affairs.

The Charges

Today in the District of Connecticut, the Justice Department filed a three-count criminal information charging UTC, PWC and HSC. Count One charges PWC with violating the Arms Export Control Act in connection with the illegal export of defense articles to China for the Z-10 helicopter. Count Two charges PWC, UTC and HSC with making false statements to the U.S. government in their belated disclosures relating to the illegal exports. Count Three charges PWC and HSC with failure to timely inform the U.S. government of exports of defense articles to China.

While PWC has pleaded guilty to Counts One and Two, the Justice Department has recommended that prosecution of UTC and HSC on Count Two, and PWC and HSC on Count Three be deferred for two years, provided the companies abide by the terms of a deferred prosecution agreement with the Justice Department. As part of the agreement, the companies must pay $75 million and retain an Independent Monitor to monitor and assess their compliance with export laws for the next two years.

The Export Scheme

Since 1989, the United States has imposed a prohibition upon the export to China of all U.S. defense articles and associated technical data as a result of the conduct in June 1989 at Tiananmen Square by the military of the People's Republic of China. In February 1990, the U.S. Congress imposed a prohibition upon licenses or approvals for the export of defense articles to the People's Republic of China. In codifying the embargo, Congress specifically named helicopters for inclusion in the ban.

Dating back to the 1980s, China sought to develop a military attack helicopter. Beginning in the 1990s, after Congress had imposed the prohibition on exports to China, China sought to develop its attack helicopter under the guise of a civilian medium helicopter program in order to secure Western assistance. The Z-10, developed with assistance from Western suppliers, is China's first modern military attack helicopter.

During the development phases of China's Z-10 program, each Z-10 helicopter was powered by engines supplied by PWC. PWC delivered 10 of these development engines to China in 2001 and 2002. Despite the military nature of the Z-10 helicopter, PWC determined on its own that these development engines for the Z-10 did not constitute "defense articles," requiring a U.S. export license, because they were identical to those engines PWC was already supplying China for a commercial helicopter.

Because the Electronic Engine Control software, made by HSC in the United States to test and operate the PWC engines, was modified for a military helicopter application, it was a defense article and required a U.S. export license. Still, PWC knowingly and willfully caused this software to be exported to China for the Z-10 without any U.S. export license. In 2002 and 2003, PWC caused six versions of the military software to be illegally exported from HSC in the United States to PWC in Canada, and then to China, where it was used in the PWC engines for the Z-10.

According to court documents, PWC knew from the start of the Z-10 project in 2000 that the Chinese were developing an attack helicopter and that supplying it with U.S.-origin components would be illegal. When the Chinese claimed that a civil version of the helicopter would be developed in parallel, PWC marketing personnel expressed skepticism internally about the "sudden appearance" of the civil program, the timing of which they questioned as "real or imagined." PWC nevertheless saw an opening for PWC "to insist on exclusivity in [the] civil version of this helicopter," and stated that the Chinese would "no longer make reference to the military program." PWC failed to notify UTC or HSC about the attack helicopter until years later and purposely turned a blind eye to the helicopter's military application.

HSC in the United States had believed it was providing its software to PWC for a civilian helicopter in China, based on claims from PWC. By early 2004, HSC learned there might be an export problem and stopped working on the Z-10 project. UTC also began to ask PWC about the exports to China for the Z-10. Regardless, PWC on its own modified the software and continued to export it to China through June 2005.


According to court documents, PWC's illegal conduct was driven by profit. PWC anticipated that its work on the Z-10 military attack helicopter in China would open the door to a far more lucrative civilian helicopter market in China, which according to PWC estimates, was potentially worth as much as $2 billion to PWC.

Belated and False Disclosures to U.S. Government

These companies failed to disclose to the U.S. government the illegal exports to China for several years and only did so after an investor group queried UTC in early 2006 about whether PWC's role in China's Z-10 attack helicopter might violate U.S. laws. The companies then made an initial disclosure to the State Department in July 2006, with follow-up submissions in August and September 2006.

The 2006 disclosures contained numerous false statements. Among other things, the companies falsely asserted that they were unaware until 2003 or 2004 that the Z-10 program involved a military helicopter. In fact, by the time of the disclosures, all three companies were aware that PWC officials knew at the project's inception in 2000 that the Z-10 program involved an attack helicopter.

Today, the Z-10 helicopter is in production and initial batches were delivered to the People's Liberation Army of China in 2009 and 2010. The primary mission of the Z-10 is anti-armor and battlefield interdiction. Weapons of the Z-10 have included 30 mm cannons, anti-tank guided missiles, air-to-air missiles and unguided rockets.

"PWC exported controlled U.S. technology to China, knowing it would be used in the development of a military attack helicopter in violation of the U.S. arms embargo with China," said U.S. Attorney Fein. "PWC took what it described internally as a 'calculated risk,' because it wanted to become the exclusive supplier for a civil helicopter market in China with projected revenues of up to two billion dollars. Several years after the violations were known, UTC, HSC and PWC disclosed the violations to the government and made false statements in doing so. The guilty pleas by PWC and the agreement reached with all three companies should send a clear message that any corporation that willfully sends export controlled material to an embargoed nation will be prosecuted and punished, as will those who know about it and fail to make a timely and truthful disclosure."

"Due in part to the efforts of these companies, China was able to develop its first modern military attack helicopter with restricted U.S. defense technology. As today's case demonstrates, the Justice Department will spare no effort to hold accountable those who compromise U.S. national security for the sake of profits and then lie about it to the government," said Assistant Attorney General Monaco. "I thank the agents, analysts and prosecutors who helped bring about this important case."

"This case is a clear example of how the illegal export of sensitive technology reduces the advantages our military currently possesses," said ICE Director Morton. "I am hopeful that the conviction of Pratt & Whitney Canada and the substantial penalty levied against United Technologies and its subsidiaries will deter other companies from considering similarly ill-conceived business practices in the future. American military prowess depends on lawful, controlled exports of sensitive technology by U.S. industries and their subsidiaries, which is why ICE will continue its present campaign to aggressively investigate and prosecute criminal violations of U.S. export laws relating to national security."

"Today's charges and settlement demonstrate the continued commitment of the Defense Criminal Investigative Service (DCIS) and fellow agencies to protect sensitive U.S. defense technology from being illegally exported," said DCIS Special Agent in Charge Bradley. "Safeguarding our military technology is vital to our nation's defense and the protection of our war fighters both home and abroad. We know that foreign governments are actively seeking U.S. defense technology for their own development. Thwarting these efforts is a top priority for DCIS. I applaud the agents and prosecutors who worked tirelessly to bring about this result."

"Preventing the loss of critical U.S. information and technologies is one of the most important investigative priorities of the FBI," said FBI Special Agent in Charge Mertz. "Our adversaries routinely target sensitive research and development data and intellectual property from universities, government agencies, manufacturers, and defense contractors. While the thefts associated with economic espionage and illegal technology transfers may not capture the same level of attention as a terrorist incident, the costs to the U.S. economy and our national security are substantial. Violations of the Arms Export Control Act put our nation at risk and the FBI, along with all of our federal agency partners, are committed to ensuring that embargoed technologies do not fall into the wrong hands. Those who violate these laws should expect to be held accountable. An important part of the FBI's strategy in this area involves the development of strategic partnerships. In that regard, the FBI looks forward to future coordination with UTC and its subsidiaries to strengthen information sharing and counterintelligence awareness."

"Protecting national security is our top priority," said Assistant Secretary of Commerce for Export Enforcement Mills. "Today's action sends a clear signal that federal law enforcement agencies will work together diligently to prevent U.S. technology from falling into the wrong hands."

Assistant Secretary Shapiro, of the State Department's Bureau of Political and Military Affairs, said, "Today's $75 million settlement with United Technologies Corporation sends a clear message: willful violators of U.S. arms export control regulations will be pursued and punished. The successful resolution of this case is the byproduct of the tireless work of our compliance officers and highlights the relentless commitment of the State Department to protect sensitive American technologies from being illegally transferred."

U.S. Attorney Fein commended the many agencies involved in this investigation, including ICE's Homeland Security Investigations (HSI) in New Haven; the DCIS in New Haven; the New Haven Division of the FBI; the Department of Commerce's Boston Office of Export Enforcement. He also praised the Office of the HSI Attaché in Toronto, which was essential to the initiation and investigation of this matter, and the State Department's Office of Defense Trade Controls Compliance in the Bureau of Political-Military Affairs, for its critical role in the global resolution of this matter.


LADY IN RED'S 'ACCOMPLICE' IS HELD OVER SECRET GERMAN FILES

http://www.standard.co.uk/news/world/lady-in-reds-accomplice-is-held-over-secret-german-files-7880545.html

'Spy ring': Anna Chapman was deported from US in 2010

Allan Hall in Berlin 25 June 2012

An alleged accomplice of former KGB spy Anna Chapman has been arrested in Holland after being suspected of passing on sensitive German government documents. Identified only as Raymond P, aged 60, the man was targeted by the German Federal Prosecutor's Office.

German media reported today that he allegedly passed on 450 secret files to a couple linked to Chapman. He is now in custody and refusing to speak to investigators.

News magazine Focus said the man, thought to be a Dutch diplomat, gave the paperwork to a couple arrested in the German university city of Marburg who are believed to have belonged to the same espionage network as Chapman and were provided with false identity papers by their Moscow controllers. They deny charges of espionage and using false documents.

Chapman, 30, nicknamed the Lady in Red, is the daughter of a former KGB agent. She is said to have used her charms to entrap targets and gain vital information from them. She lived and worked in London for five years before allegedly becoming part of a spy ring based in the US which sent secrets back to the Kremlin.

Chapman was arrested in the US in 2010 for espionage and then deported along with nine other Russian agents.

Born Anna Vasil'yevna Kushchyenko, Chapman kept her British surname after marrying former public schoolboy Alex Chapman. They divorced in 2006.

SANDIA NATIONAL LABS SCIENTIST INDICTED

http://www.krqe.com/dpp/news/crime/sandia-national-labs-scientist-indicted

Published : Monday, 04 Jun 2012, 6:00 PM
Jessica Garate

ALBUQUERQUE (KRQE) - A Sandia National Labs scientist is in federal custody on charges he stole lab research and shared it with China. Court documents show he was in contact with several state run universities there.

Jianyu Huang started working at a Sandia Labs research center that focuses on nanotechnology five years ago.

He was fired in April. Sandia National Labs says Huang did not have access to classified national security information. However, the indictment accuses the scientist of stealing research on nanotechnology that belongs to the United States and saying it was his own. He is also accused of sharing that information online with different state run universities in China.

Huang also made a trip to China.

He's accused of lying to lab counterintelligence officers about taking a laptop there that belongs to the lab, a violation of lab procedures.

Lab workers are not allowed to take any lab equipment on international trips without approval.

In a statement released by Sandia Monday, it says it expects all employees to follow procedures. He was fired for violating those procedures. Huang was indicted on five counts of federal program fraud and one count of false statements.

His indictment in May was sealed until Monday and he was arrested on the charges over the weekend.

Huang remains in federal custody. He will be arraigned on these charges Tuesday.

PENNSYLVANIA MAN CHARGED WITH COMPUTER HACKING AND PASSWORD TRAFFICKING

http://www.justice.gov/usao/ma/news/2012/June/MillerAndrewJames.html

June 14, 2012 BOSTON - Charges were unsealed this morning against a Pennsylvania man, alleging that he hacked into computer networks in Massachusetts and around the country and then sold unauthorized access to those networks.

Andrew James Miller, 23, of Devon, Pa., was arrested this morning and charged in a four-count indictment with committing conspiracy, computer fraud and access device fraud.

According to the Indictment, between 2008-2011, Miller and others remotely hacked into computer networks belonging to Massachusetts company RNK Telecommunications, Inc., Colorado advertising agency Crispin Porter and Bogusky, Inc., the University of Massachusetts, the United States Department of Energy, and other institutions and companies. By hacking into these computer networks, Miller obtained other users' access credentials to the compromised computers. It is alleged that he and his co-conspirators then offered to sell, and sold, access to these computer networks as well as other access credentials.

If convicted, Miller faces up to five years in prison for the conspiracy count and one of the computer fraud counts, and up to 10 years in prison on one of the computer fraud counts and the access device fraud count, to be followed by three years of supervised release, a $250,000 fine and restitution.

United States Attorney Carmen M. Ortiz, Assistant Attorney General Lanny A. Breuer, of the Justice Department's Criminal Division and Richard DesLauriers, Special Agent in Charge of the Federal Bureau of Investigation - Boston Field in Boston made the announcement today. The case is being prosecuted by Assistant United States Attorney Adam J. Bookbinder, of Ortiz's Cybercrime Unit, and by Mona Sedky, a trial attorney with the Department of Justice's Computer Crime & Intellectual Property Section.

The details contained in the Indictment are allegations. The defendant is presumed to be innocent unless and until proven guilty beyond a reasonable doubt in a court of law.


CHINESE NATIONAL CHARGED WITH ILLEGAL EXPORT OF SENSITIVE TECHNOLOGY TO CHINA

http://www.justice.gov/usao/ma/news/2012/May/HUQiangchargesPR.html

MAY 23, 2012 BOSTON - A Chinese national in Massachusetts on business was arrested for illegally supplying U.S. origin parts to end-users in China in violation of U.S. export laws.

Qiang Hu, a/k/a Johnson Hu, 47, was charged in a complaint with conspiracy to violate the Export Administration Regulations and the International Emergency Economic Powers Act. The complaint, originally filed on May 18, was unsealed after Hu's arrest at his hotel in North Andover yesterday.

The complaint alleges that Hu has been the sales manager at MKS Instruments Shanghai, Ltd. (MKS-Shanghai) since 2008. MKS-Shanghai is the Shanghai sales office of MKS Instruments, Inc. (MKS), which is headquartered in Andover. Hu's employment gave him access to MKS manufactured parts, including export-controlled pressure-measuring sensors (manometer types 622B, 623B, 626A, 626B, 627B, 722A, and 722B), which are commonly known as pressure transducers. Pressure transducers are export controlled because they are used in gas centrifuges to enrich uranium and produce weapons-grade uranium.

The complaint alleges that beginning in 2007, Hu and others caused thousands of MKS pressure transducers worth millions of dollars to be exported from the United States and delivered to unauthorized end-users using export licenses that were fraudulently obtained from the U.S. Department of Commerce. The complaint alleges that Hu and his co-conspirators used two primary means of deception to export the pressure transducers. First, the conspirators used licenses issued to legitimate MKS business customers to export the pressure transducers to China, and then caused the parts to be delivered to other end-users who were not themselves named on the export licenses or authorized to receive the parts. Second, the conspirators obtained export licenses in the name of a front company and then used these fraudulently obtained licenses to export the parts to China, where they were delivered to the actual end-users.

MKS is not a target of the government's investigation into these matters.

Hu remains in custody, and is scheduled for a detention hearing on May 31 at 11 a.m. If convicted, he faces a maximum sentence of 20 years in federal prison to be followed by up to three years of supervised release, and a $1 million fine.

United States Attorney Carmen M. Ortiz; Richard DesLauriers, Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Office; Bruce M. Foucart, Special Agent in Charge of U.S. Immigration and Customs Enforcement's Office of Homeland Security Investigations in Boston; and John J. McKenna, Special Agent in Charge of the U.S. Department of Commerce, Office of Export Enforcement, Boston Field Office made the announcement today. The case is being prosecuted by Assistant U.S. Attorneys William D. Weinreb and B. Stephanie Siegmann in Ortiz's Antiterrorism and National Security Unit.

The details contained in the complaint are allegations. The defendant is presumed to be innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

FORMER RESEARCH CHEMIST AT GLOBAL PHARMACEUTICAL COMPANY SENTENCED TO 18 MONTHS IN PRISON FOR THEFT OF TRADE SECRETS

http://www.fbi.gov/newark/press-releases/2012/former-research-chemist-at-global-pharmaceutical-company-sentenced-to-18-months-in-prison-for-theft-of-trade-secrets

TRENTON—A former research chemist with global pharmaceutical company Sanofi-Aventis (Sanofi) was sentenced today to 18 months in prison for stealing sanofi's trade secrets and making them available for sale through Abby Pharmatech Inc. (Abby), the U.S. subsidiary of a Chinese chemicals company, U.S. Attorney Paul J. Fishman announced.

Yuan Li, 30, of Somerset, New Jersey, a Chinese national, previously pleaded guilty to an information charging her with one count of theft of trade secrets. Li entered her guilty plea before U.S. District Judge Joel A. Pisano, who also imposed the sentence today in Trenton federal court.

According to documents filed in this case and statements made in court:

Sanofi is a global health care company with U.S. headquarters in Bridgewater, New Jersey. Among other things, sanofi is engaged in the development, manufacture, and marketing of health care products including the prescription drugs Allegra, Plavix, Copaxone, and Ambien.

Li worked as a research scientist at Sanofi's Bridgewater headquarters from October 2006 through June 2011, where she directly assisted in the development of a number of compounds that sanofi viewed as potential building blocks for future drugs. These compounds were sanofi's trade secrets and had not been disclosed outside Sanofi in any manner, including by means of a patent application.

While employed at Sanofi, Li was also a 50 percent partner in Abby, which is engaged in the sale and distribution of pharmaceuticals.

Li admitted that between January 2010 and June 2011, she accessed an internal Sanofi database and downloaded information related to a number of Sanofi compounds, including their chemical structures, onto her Sanofi-issued laptop computer.

She also admitted she then transferred the information to her personal home computer by sending it to her personal e-mail address or via a USB thumb drive.

Li acknowledged that she made the stolen compounds available for sale on Abby's website.

In addition to the prison term, Judge Pisano sentenced Li to serve two years of supervised release and ordered her to pay $131,000 in restitution.

U.S. Attorney Fishman credited special agents of the FBI, under the direction of Special Agent in Charge Michael B. Ward, with the investigation.

The government is represented by Assistant U.S. Attorney Gurbir S. Grewal of the Computer Hacking and Intellectual Property Section of the U.S. Attorney's Office Economic Crimes Unit in Newark.

FORMER SILICON VALLEY ENGINEER CONVICTED OF STEALING TRADE SECRETS

SUIBIN ZHANG DOWNLOADED, COPIED TRADE SECRETS FROM MARVELL SEMICONDUCTOR INC.'S SECURE DATABASE

http://www.fbi.gov/sanfrancisco/press-releases/2012/former-silicon-valley-engineer-convicted-of-stealing-trade-secrets

SAN JOSE, CA—A federal judge convicted a former Silicon Valley engineer of five counts of theft of trade secrets, United States Attorney Melinda Haag announced.


Suibin Zhang was found guilty Monday of three counts of theft and copying of trade secrets for downloading the trade secrets from a secure database, one count of duplication of trade secrets for loading those trade secrets onto a laptop provided by his new employer, and one count of possession of stolen trade secrets. The defendant was acquitted of three counts of computer fraud and one count of unauthorized transmission of a trade secret. The guilty verdict followed a more than two-week bench trial before United States District Court Judge Ronald M. Whyte, which began October 24, 2011 and concluded November 9, 2011.

"The protection of intellectual property rights is of vital importance to the economic security of our region," United States Attorney Melinda Haag said. "The investigation and prosecution of thefts of trade secrets remain a significant priority for this office."

Evidence at trial showed that Zhang, 43, of Belmont, California, was employed as a project engineer at Netgear Inc., of San Jose, and had access to the secure database of Marvell Semiconductor Inc. by virtue of his position at Netgear. The evidence further showed that on March 8, 2005, Zhang had accepted a position at Marvell's chief competitor, Broadcom Corporation, and that, beginning on March 9, 2005, and continuing to March 18, 2005, Zhang used his Netgear account to download and steal trade secret information found in dozens of documents, data sheets, hardware specifications, design guides, functional specifications, application notes, board designs, and other confidential and proprietary items from Marvell.

The defendant then loaded the Marvell trade secrets onto a laptop issued by his new employer, Broadcom, on April 27, 2005 and was in possession of those stolen trade secrets on June 24, 2005 when the Federal Bureau of Investigation executed search warrants at his home and at Broadcom.

The sentencing of Zhang is scheduled for 9 a.m. on August 27, 2012 before Judge Whyte in San Jose. The maximum statutory penalty for violation of 18 U.S.C. § 1832 is 10 years in prison and a fine of $250,000, plus restitution if the court deems appropriate. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553. Zhang has been released by the court on $500,000 bond.

Matt Parrella and Dave Callaway are the Assistant U.S. Attorneys who prosecuted the case with the assistance of Legal Tech Nina Burney-Williams. The conviction is the result of an investigation by the Federal Bureau of Investigation. Both Marvell Semiconductor Inc. and Netgear Inc. cooperated fully with the FBI in the investigation.

SUBURBAN CHICAGO WOMAN SENTENCED TO FOUR YEARS IN PRISON FOR STEALING MOTOROLA TRADE SECRETS BEFORE BOARDING PLANE FOR CHINA

http://www.justice.gov/usao/iln/pr/chicago/2012/pr0829_01.pdf

CHICAGO — A former software engineer for Motorola, Inc., now Motorola Solutions, Inc., a telecommunications company based in suburban Schaumburg, was sentenced today to four years in federal prison for stealing Motorola trade secrets relating to its proprietary iDEN technology. The defendant, HANJUAN JIN, a naturalized U.S. citizen born in China, was secretly working for a Chinese company that developed telecommunications technology for the Chinese military when she was stopped by U.S. customs officials at O'Hare International Airport from traveling on a one-way ticket to China in February 2007. Customs officials seized more than 1,000 electronic and paper Motorola documents found in Jin's possession as she attempted to leave the country.

Jin, 41, of Aurora and formerly of Schaumburg, a nine-year Motorola software engineer, conducted a "purposeful raid to steal technology," U.S. District Judge Ruben Castillo said in imposing the sentence in Federal Court in Chicago. Jin was fined $20,000 and ordered to remain on home confinement with electronic monitoring until beginning her sentence on Oct. 25, 2012.

Jin was convicted of three counts of theft of trade secrets in a Feb. 8, 2012, ruling by Judge Castillo following a five-day bench trial in November 2011. In a 77-page opinion, Judge Castillo found her not guilty of three counts of economic espionage for the benefit of the People's Republic

"This sentence reinforces the message that federal courts view the theft of trade secrets as a serious crime that warrants significant punishment," said Gary S. Shapiro, Acting United States Attorney for the Northern District of Illinois. "We will do everything we can to guard our economic and national security from the theft of American trade secrets, and this case shows that we can work with victim corporations to protect the trade secrets involved," he added. Mr. Shapiro announced the sentence with William C. Monroe, Acting Special Agent-in-Charge of the Chicago Office of the Federal Bureau of Investigation. The U.S. Customs and Border Protection Service played a key role in the investigation.

According to the evidence, Jin began working for Motorola in 1998 and took a medical leave of absence in February 2006. While on sick leave in 2006 and secretly from Motorola, Jin pursued employment in China with Sun Kaisens, the Chinese telecommunications company that developed products for the Chinese military. Between November 2006 and February 2007, Jin returned to China and worked for Sun Kaisens on projects for the Chinese military. During this same period of time, she was given classified Chinese military documents by Sun Kaisens to review in order to better assist with the Chinese military projects. After receiving these documents, Jin agreed to review the documents and provide assistance.

On Feb. 15, 2007, Jin returned to the United States from China. On Feb. 22, 2007, just two days after she became a naturalized U.S. citizen, Jin reserved a one-way ticket to China for a flight scheduled to depart on Feb. 28, 2007. The following day, on Feb. 23, 2007, Jin advised Motorola that she was ready to end her medical leave and return to work at Motorola, without advising that she planned to return to China to work for Sun Kaisens.

On Feb. 26, 2007, Jin returned to Motorola, purportedly to resume full-time work, and was given no assignments by her supervisor. Between 9 a.m. and 2 p.m., Jin accessed more than 200 technical documents belonging to Motorola on its secure internal computer network. At about 9 p.m. that night, Jin returned to Motorola and downloaded additional documents. At approximately 12:15 a.m. on Feb. 27, 2007, Jin was recorded twice leaving a Motorola building with hard copy documents and other materials.

During the day on Feb. 27, 2007, Jin sent an email to her manager in which she appeared to volunteer for a layoff at Motorola. At about 10 p.m. that night, she returned to Motorola's offices and downloaded numerous additional technical documents. Jin was later recorded leaving a Motorola building with what appeared to be a laptop computer bag.


As she attempted to depart from O'Hare bound for China on Feb. 28, 2007, authorities seized numerous materials, some of which were marked confidential and proprietary belonging to Motorola. Some of the documents provided a detailed description of how Motorola provides a specific communication feature that Motorola incorporates into its telecommunications products sold throughout the world. At the same time, authorities recovered multiple classified Chinese military documents written in the Chinese language that described certain telecommunication projects for the Chinese military. Many of these documents were marked "secret" by the Chinese military.

Authorities also recovered approximately $30,000 in U.S. currency that was in six different envelopes, each containing $5,000, all in hundred dollar bills.

The Government is being represented by Assistant U.S. Attorneys Steven Dollear, Sharon Fairley, and Christopher Stetler

HANJUAN JIN arrives at the Dirksen Federal Building for her sentencing

FORMER U.S. CONSULATE GUARD PLEADS GUILTY TO ATTEMPTING TO COMMUNICATE NATIONAL DEFENSE INFORMATION TO CHINA

http://www.fbi.gov/washingtondc/press-releases/2012/former-u.s.-consulate-guard-pleads-guilty-to-attempting-to-communicate-national-defense-information-to-china

WASHINGTON—Bryan Underwood, a former civilian guard at a U.S. Consulate compound under construction in China, pleaded guilty today in the District of Columbia in connection with his efforts to sell for personal financial gain classified photographs, information, and access related to the U.S. Consulate to China's Ministry of State Security (MSS).

At a hearing today before U.S. District Judge Ellen S. Huvelle, Underwood pleaded guilty to one count of attempting to communicate national defense information to a foreign government with intent or reason to believe that the documents, photographs, or information in question were to be used to the injury of the United States or to the advantage of a foreign nation.

The guilty plea was announced by Lisa Monaco, Assistant Attorney General for National Security; Ronald C. Machen, Jr., U.S. Attorney for the District of Columbia; James W. McJunkin, Assistant Director in Charge of the FBI's Washington Field Office; and Eric J. Boswell, Assistant Secretary of State for Diplomatic Security.

Underwood, 32, a former resident of Indiana, was first charged in an indictment on August 31, 2011, with two counts of making false statements and was arrested on September 1, 2011. On September 21, 2011, he failed to appear at a scheduled status hearing in federal court in the District of Columbia. The FBI later located Underwood in a hotel in Los Angeles and arrested him there on September 24, 2011. On September 28, 2011, Underwood was charged in a superseding indictment with one count of attempting to communicate national defense information to a foreign government, two counts of making false statements, and one count of failing to appear in court pursuant to his conditions of release. Sentencing for Underwood has been scheduled for November 19, 2012. He faces a maximum potential sentence of life in prison.

"Bryan Underwood was charged with protecting a new U.S. Consulate compound against foreign espionage, but, facing financial hardship, he attempted to betray his country for personal gain," said Assistant Attorney General Monaco. "This prosecution demonstrates that we remain vigilant in protecting America's secrets and in bringing to justice those who attempt to compromise them."

"Bryan Underwood was determined to make millions by selling secret photos of restricted areas inside a U.S. Consulate in China," said U.S. Attorney Machen. "His greed drove him to exploit his access to America's secrets to line his own pockets. The lengthy prison sentence facing Underwood should chasten anyone who is tempted to put our nation at risk for personal gain."

"Bryan Underwood sought to benefit from his access to sensitive information, but his attempted betrayal was detected before our nation's secrets fell into the wrong hands," said FBI Assistant Director in Charge McJunkin. "Together with our partners, the FBI will continue to work to expose, investigate, and prevent acts of espionage that threaten our national security."

"The close working relationship between the U.S. Department of State's Diplomatic Security Service, the FBI, and the U.S. Attorney's Office resulted in the capture and conviction of Bryan Underwood before he could harm the security of our country," said Assistant Secretary of State Boswell. "The Diplomatic Security Service is firmly committed to thoroughly investigating all potential intelligence threats to our nation."

According to court documents, from November 2009 to August 2011, Underwood worked as a cleared American guard (CAG) at the construction site of a new U.S. Consulate compound in Guangzhou, China. CAGs are American civilian security guards with top secret clearances who serve to prevent foreign governments from improperly obtaining sensitive or classified information from the U.S. Consulate. Underwood received briefings on how to handle and protect classified information as well as briefings and instructions on security protocols for the U.S. Consulate, including the prohibition on photography in certain areas of the consulate.

Plan to Sell Information and Access for $3 Million to $5 Million

In February 2011, Underwood was asked by U.S. law enforcement to assist in a project at the consulate, and he agreed. In March 2011, Underwood lost a substantial amount of money in the stock market. According to court documents, Underwood then devised a plan to use his assistance to U.S. law enforcement as a "cover" for making contact with the Chinese government. According to his subsequent statements to U.S. law enforcement, Underwood intended to sell his information about and access to the U.S. Consulate to the Chinese MSS for $3 million to $5 million. If any U.S. personnel caught him, he planned to falsely claim he was assisting U.S. law enforcement.

As part of his plan, Underwood wrote a letter to the Chinese MSS expressing his "interest in initiating a business arrangement with your offices" and stating, "I know I have information and skills that would be beneficial to your offices [sic] goals. And I know your office can assist me in my financial endeavors." According to court documents, Underwood attempted to deliver this letter to the offices of the Chinese MSS in Guangzhou but was turned away by a guard who declined to accept the letter. Underwood then left the letter in the open in his apartment hoping that the Chinese MSS would find it, as he believed the MSS routinely conducted searches of apartments occupied by Americans.


(Continued from page 27)

In May 2011, Underwood secreted a camera into the U.S. Consulate compound and took photographs of a restricted building and its contents. Many of these photographs depict areas or information classified at the secret level. Underwood also created a schematic that listed all security upgrades to the U.S. Consulate and drew a diagram of the surveillance camera locations at the consulate. In addition, according to his subsequent statements to U.S. law enforcement, Underwood “mentally” constructed a plan in which the MSS could gain undetected access to a building at the U.S. Consulate to install listening devices or other technical penetrations.

According to court documents, the photographs Underwood took were reviewed by an expert at the State Department’s Bureau of Diplomatic Security who had original classification authority for facilities, security, and countermeasures at the U.S. Consulate. The expert determined that many of the photographs contained images classified at the secret level and that disclosure of such material could cause serious damage to the United States.

In early August 2011, Underwood was interviewed several times by FBI and Diplomatic Security agents, during which he admitted making efforts to contact the Chinese MSS, but falsely claimed that he took these actions to assist U.S. law enforcement. On August 19, 2011, Underwood was again interviewed by law enforcement agents, and he admitted that he planned to sell photos, information, and access to the U.S. Consulate in Guangzhou to the Chinese MSS for his personal financial gain.

The U.S. government has found no evidence that Underwood succeeded in passing classified information concerning the U.S. Consulate in Guangzhou to anyone at the Chinese MSS.

This investigation was conducted jointly by the FBI’s Washington Field Office and the State Department’s Bureau of Diplomatic Security. The prosecution is being handled by the U.S. Attorney’s Office for the District of Columbia and Trial Attorney Brandon L. Van Grack from the Counterespionage Section of the Justice Department’s National Security Division.

BLACK HAT: CYBER-ESPIONAGE OPERATIONS VAST YET HIGHLY FOCUSED, RESEARCHER CLAIMS.

http://www.computerworld.com/s/article/9229658/Black_Hat_Cyber_espionage_operations_vast_yet_highly_focused_researcher_claims?taxonomyId=82&pageNumber=1

Cyber-espionage operations across the Internet are extensive yet highly targeted, said a research director at Dell SecureWorks, speaking at the Black Hat Conference in Las Vegas. His paper, titled “Chasing APT” released July 25, pinpoints 200 unique families of custom malware used in cyberespionage campaigns that many refer to as “advanced persistent threats.” It is not just governments targeting other governments or trying to steal corporate secrets — private security companies also are involved in these break-ins even while claiming to offer “ethical hacking services.” In terms of its technical analysis of APTs, SecureWorks stated it believes that along with the 200 unique families of custom malware used in cyber-espionage intrusions, there appear to be more than 1,100 domain names registered by cyber-espionage actors for use in hosting malware command-and-control or spear-phishing, and nearly 20,000 subdomains for purposes such as “malware resolution.” But unlike other types of criminal botnets that “can contain millions of infected computers,” cyber-espionage is far more focused, with “tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time,” the Dell SecureWorks report said.

NSA HISTORY

On the next page we show a few examples of items on display at the National Cryptologic Museum at Ft. Meade. One of the items on display is the Bombes, a decoding device built through the efforts of Joseph Desch, whose biography (printed at the NSA web site) follows:

Joseph Desch graduated from the University of Dayton in Ohio in 1929 with a degree in electrical engineering.

While working, first for General Motors, then for National Cash Register Company (NCR), he acquired a reputation as an innovative engineer. Among other achievements, early in World War II he helped design a proximity fuse for anti-aircraft artillery shells. He also worked on a high-speed electronic counter that, unknown to him, was used in the Manhattan Project.

From early in World War II, the United States and Great Britain worked to solve the problem of the German Enigma machine. The Enigma machine used a series of rotor wheels and a plug board that theoretically gave the device enciphering capabilities of 3×10^114, thus convincing the Germans that the code was unbreakable. The code was eventually broken, and Germany’s U-boat commander added another rotor to the machines used in his submarines to increase communications security. The United States and Great Britain then worked on solving the four-rotor Enigma. In December 1942, the British solved the four-rotor problem, allowing them to read messages with moderate delays.

In its efforts to break the four-rotor enciphering code, the U.S. Navy contracted NCR in March 1942 to build its Bombes, which were machines used for processing the German navy’s four-rotor Enigma-based messages. NCR selected Joseph Desch, head of its electrical research laboratory, to be the principal engineer on the project. While the British had already solved the four-rotor Enigma in December 1942, the Americans felt they needed a faster machine and continued its efforts.

Mr. Desch, working under a compressed schedule and immense pressure, turned complex cryptanalytic theories into a practical blueprint for constructing a working machine to solve the four-rotor Enigma. To do so, he had to solve many difficult, unforeseen problems. Mr. Desch understood that untold numbers of lives, and possibly the outcome of the war, depended on his work, so he drove himself relentlessly toward designing a device that could solve the four-rotor Enigma. He solved the key problems and drew up a successful design. He completed his work on prototype four-rotor Bombes by Spring 1943.

Despite the haste with which they were designed, the Bombes produced in Dayton were faster and more efficient than any analytic machines before them. The Bombes Mr. Desch designed in Dayton became a vital cryptanalytic tool in the war against Germany’s U-boats and an important component of Allied victory in Europe in World War II. The last original four-rotor Bombe resides in the National Cryptologic Museum.

After the war, Mr. Desch served with distinction as a member of NSA Scientific Advisory Board. Joseph Desch died August 3, 1987, at age 80.


Interesting Examples from the NSA Photo Gallery, located at http://www.nsa.gov/about/photo_gallery/index.shtml

The Bombes Mr. Desch designed in Dayton became a vital cryptanalytic tool in the war against Germany’s U-boats and an important component of Allied victory in Europe in World War II. An example of the NCR built Bombes is pictured above.

Reproduction of the first GRAB satellite, launched 22 June 1960 on the same rocket as Transit 2A, an early naval navigation satellite. Called GRAB 1, it has the distinction of being the first successful U.S. intelligence satellite, returning intelligence data on 5 July 1960. It collected ELINT information over a period of three months, totaling 22 data collection passes of 40 min each over the Soviet Union, China and their allies. The SOLRAD experiment remained operational for 10 months.

An exhibit pertaining to the infamous “Zimmerman Note” which precipitated the United States’ entry into World War I.

An exhibit pertaining to the USS Liberty, recognizing its heroic crew and Medal of Honor recipient Captain William Loren McGonagle.

An exhibit honoring American Women pioneers in Cryptology.


Homeland Security and Private Sector Business: Corporations' Role in Critical Infrastructure Protection
By Elsa Lee
Auerbach Publications 2009
Print ISBN: 978-1-4200-7078-1
eBook ISBN: 978-1-4200-7079-8
Order Your Copy at: http://www.crcpress.com/

Since September 11, 2001 the American Public has not had a clear understanding of "Homeland Security" and just what it means for the average citizen and business owner. Elsa Lee, in her first attempt, has hit “a home run!” Not only is the book well researched, but it is quite simply the best resource on this important subject. I found the context to be informative, persuasive, and topical. Not only does the writer provide a clear understanding of the need for a National Infrastructure Plan, but provides the reader with a clear blueprint for protecting all of America's resources at home and abroad. Hopefully, every university and college with a Homeland Security course will use this book as a major text to insure that all students obtain a grounded education on this important topic.

Review by: Alfred J. Finch, FBI Legal Attaché, Cairo (Retired)

Advantage SCI Vision: “Educate America’s 300 million people and business leaders on prevention, detection, and response to 21st century threats.”

Corporate Headquarters
Advantage SCI, LLC
222 North Sepulveda Boulevard
Suite 1780
El Segundo, California 90245
Phone: 310.536.9876
Fax: 310.943.2351
www.advantagesci.com

Newsletter Editor:
Richard Haidle, Counterintelligence Services Manager
[email protected]
310.536.9876 x237

ADVANTAGE SCI PRODUCTS, SERVICES AND TRAINING

Advantage SCI offers services supporting the counterintelligence needs of the cleared defense contractor community, private business, government, utilities, and municipalities with requirements to protect classified information, trade secrets, intellectual property and other privileged information. Services include:

• Vulnerability Assessments
• Threat briefings/Foreign Travel Briefings/Debriefings
• Counterintelligence (CI) Awareness Training / Insider Threat Training
• TSCM services in classified or unclassified spaces
• Facility Security Officer (FSO) In a Box
• Consult With a CI Professional
• Foreign Travel Briefings and Debriefings
• / Intelligence Analysts
• Plans, SOPs and Regulatory related materials
• Other matters related to improving CI related posture

Advantage SCI is an 8(A), SERVICE-DISABLED VETERAN-OWNED BUSINESS (SDVOSB), SMALL BUSINESS ENTITY (SBE), MINORITY-OWNED BUSINESS ENTITY (MBE), SMALL DISADVANTAGED BUSINESS ENTITY (SDB), WOMAN-OWNED BUSINESS ENTITY (WBE)

NAICS Codes:
928110 - NATIONAL SECURITY
541512 - COMPUTER SYSTEMS DESIGN SERVICES
541519 - OTHER COMPUTER RELATED SERVICES
541611 - ADMIN MGMT/GENERAL MGMT CONSULTING
541612 - CONSULTING SERVICES
541618 - OTHER MANAGEMENT CONSULTING
541690 - OTHER SCIENTIFIC AND TECH CONSULTING
541990 - OTHER PROF, SCIENTIFIC, & TECH SERVICES
561210 - FACILITIES SUPPORT SERVICES
561499 - OTHER BUSINESS SUPPORT SERVICES
561611 - INVESTIGATION SERVICES
561621 - SECURITY SYSTEMS (EXCEPT LOCKSMITHS)
561990 - OTHER SUPPORT SERVICES
611430 - PROFESSIONAL AND MGMT DEVELT TRAINING
611699 - OTHER MISC SCHOOLS AND INSTRUCTION
922190 - OTHER JUSTICE, PUBL ORDER/SAFETY ACTIVITIES
