Counterintelligence and Cyber News and Views


October-November 2012 Volume 1 Issue 7

Inside this issue:

Pg. 1 THE SPIES AMONG US: THE NEVERENDING CYCLE AND THE PLAYERS NEVER SEEM TO CHANGE
Pg. 2 FOREIGN TRAVEL BRIEFING SOURCE
Pg. 4 CHI MAK CONVICTION UPHELD
Pg. 4 FORMER CIA OFFICER JOHN KIRIAKOU PLEADS GUILTY TO DISCLOSING CLASSIFIED INFORMATION
Pg. 5 TWO CHINESE NATIONALS CHARGED WITH STEALING TRADE SECRETS
Pg. 6 U.S. CONSULATE GUARD PLEADS GUILTY TO ATTEMPTING TO COMMUNICATE NATIONAL DEFENSE INFORMATION TO CHINA
Pg. 7 RUSSIAN AGENT AND 10 OTHER MEMBERS OF PROCUREMENT NETWORK FOR RUSSIAN MILITARY AND INTELLIGENCE OPERATING IN THE U.S. AND RUSSIA INDICTED
Pg. 9 DEFENSE CONTRACTOR ALLEGED TO HAVE TAKEN COMPETITOR’S BID INFORMATION PAYS $1.15 MILLION
Pg. 10 TAIWANESE NATIONAL SENTENCED TO PRISON FOR ILLEGALLY EXPORTING MILITARY SENSITIVE ITEMS FROM THE UNITED STATES
Pg. 11 CHINESE NATIONAL ARRESTED AFTER ATTEMPTING TO ILLEGALLY EXPORT AEROSPACE-GRADE CARBON FIBER TO CHINA
Pg. 12 FORMER EMPLOYEE OF NEW JERSEY DEFENSE CONTRACTOR CONVICTED OF EXPORTING SENSITIVE MILITARY TECHNOLOGY TO CHINA
Pg. 13 FORMER CME GROUP SOFTWARE ENGINEER PLEADS GUILTY TO STEALING GLOBEX COMPUTER TRADE SECRETS
Pg. 13 TOP EXECUTIVES AT KOLON INDUSTRIES INDICTED FOR STEALING DUPONT’S KEVLAR TRADE SECRETS
Pg. 15 RUSSIAN MOLE HAD ACCESS TO WEALTH OF CSIS, RCMP, PRIVY COUNCIL FILES
Pg. 16 ‘SO DEAD INSIDE’: HOW THE MOUNTIES CRACKED JEFFREY DELISLE
Pg. 18 CHINESE SUSPECTED OF SPYING ON U.S. STRATEGIC MISSILE BASE IN WYOMING
Pg. 18 WHY A YOUNG AMERICAN WANTS TO BE A RUSSIAN SPY
Pg. 19 TALIBAN POSE AS 'ATTRACTIVE WOMEN' ON FACEBOOK FOR SPYING
Pg. 20 DETER DETECT DEFEND IDENTITY THEFT
Pg. 21 SMARTPHONE USERS SHOULD BE AWARE OF MALWARE TARGETING MOBILE DEVICES
Pg. 22 LAWYERS’ IDENTITIES BEING USED FOR FAKE WEBSITES AND SOLICITATIONS
Pg. 22 OUR UNIVERSITIES ARE LEAKING SECRETS
Pg. 23 CYBER RELATED THREATS REPORTED
Pg. 29 OUR BRAVE COUNTERINTELLIGENCE FORCES IN ACTION
Pg. 30 ADVANTAGE SCI PRODUCTS, SERVICES, TRAINING

Corporate Headquarters
222 North Sepulveda Boulevard, Suite 1780
El Segundo, California 90245
(310) 536-9876
www.advantagesci.com

CI TRENDS

THE SPIES AMONG US: A NEVERENDING CYCLE AND THE PLAYERS NEVER SEEM TO CHANGE

In this month’s newsletter the reader will see at least nine news releases detailing arrests, trials, convictions or appellate rulings pertaining to individuals charged with violations of the statutes, economic espionage, theft of trade secrets, export violations, and related criminal violations.

Perhaps of interest to the reader is the list of countries for which these alleged or convicted individuals were working, or on behalf of, or to which they were seeking to sell secrets.

Readers of this newsletter, similar newsletters, media publications and viewers of newscasts have seen the same countries involved, year after year. Only the naïve trust our foreign competitors and hostile foreign governments to act ethically and within the boundaries of the law.

I remember sitting around the FBI counterintelligence bullpens of the early to mid 1990s, and seeing all the cutbacks in counterintelligence resources and personnel. Back then, the discussion always focused on the topic of “Well now the cold war is over. Now the Russians are our friends.” Or around 1996, when the political campaigns of that year were well underway and money was flowing into US politicians through actions such as described here from Wikipedia:

The issue first received public attention in early 1997, with news that a Justice Department investigation had uncovered evidence that agents of China sought to direct contributions to the Democratic National Committee (DNC) in violation of U.S. laws regarding foreign political contributions. The Chinese government denied all accusations. Twenty-two people were eventually convicted of fraud or for funneling Asian funds into the United States elections, and others fled U.S. jurisdiction.

(continued on page 3)

NOTE: Much of the Information contained within this newsletter originates from websites maintained by agencies of the U.S. Federal Government. The original web address from which material has been derived is posted at the beginning of reproduced articles. Readers are always encouraged to visit the web address from where the article has been derived from, in order to view the article in the original form in which it was presented. This newsletter also contains commentary from the editor of the newsletter. Such commentary is solely the opinion of the newsletter editor and does not represent the views of the U.S. Government, nor the agency originally presenting this information on the internet. Questions, comments, and subscription requests may be directed to the editor at [email protected] or to Richard Haidle at 310-536-9876 x237

iTravelSafe™

- Avoid Cultural Missteps
- Protect Your Business Secrets
- Avoid Crime and Scams Travelers Face

iTravelSafe™ The Advantage SCI App

Sitting in the plane, holding your iPhone, thinking about your trip to Brazil…

“Hmmm. My phone is in “Airplane Mode” with no internet connection. I really wish I had read a bit more detailed information about traveling to Brazil, what I could do safely. But with no internet connection, I guess I can’t do that, can I?”

“Wait a second!! I have the iTravelSafe™ app on my iPhone. All of the data I need is on my phone now. I can read it all even with no internet or cellular connection! Wow, that is really cool! Oh my, look here! I better not go on that hiking trip near Brazil’s border regions, I might get kidnapped. Oh no, my planned charitable journey to Rio’s shanty town is too dangerous. I’ll have to call it off. It’s a good thing I had iTravelSafe™ with me to tip me off to the danger!”

iTravelSafe™ gives an organization an app for its employees traveling outside the U.S. to use as a “self-briefing” travel tool.

Avoid getting “scammed” when traveling overseas. Read about frauds and scams related to international travel. Do you have elderly relatives traveling overseas? Gift them a copy of this App so they can be aware of scams targeting the elderly.

Are you a parent with a child spending a semester in an overseas study course? Make sure your children read the “Tips for Students” section of the iTravelSafe™ App.

Driving overseas? Read about driving in many of the more than 200 countries this App includes.

Read about hotel safety. Study up on tips about which business travelers need to be “savvy.”

Advantage SCI’s New Smartphone App: iTravelSafe™

Everything you see pictured here is a screenshot from the iTravelSafe™ App.

An Android version of this App is available for immediate purchase at the Google Play Store https://play.google.com/store/search?q=itravelsafe&c=apps, or an iPhone version at the iTunes Store http://itunes.apple.com/us/app/itravelsafe/id521506480?ls=1&mt=8.

Keep up to date with the latest Travel Alerts pushed out to iTravelSafe™ users immediately from the U.S. State Department.

Example of the screenshot, appropriate for the country to which it applies, will be sent to your device as soon as the U.S. State Department pushes out the notification of any Travel Alert

NOW INCLUDING SECURITY TIP OF THE WEEK !

For volume sales, please contact Richard Haidle at 310-536-9876 x237 or email [email protected].


(continued from page 1)

The thought was, well how can we know? Isn’t China our friend? We’ve cut back resources, so this must not be a problem. No foreign nation would seek to influence our political process, would they?

Well, over the course of time, wiser heads prevailed, and appropriate resources and manpower were restored to the counterintelligence arena.

When this happened, and over the course of the last ten or 15 years, the spies and economic thieves and corrupt insiders trading in classified information and trade secrets were caught, increasingly before doing harm.

The fine work of special agents from the FBI, from the Immigration and Customs Enforcement offices of the Department of Homeland Security, the Department of Commerce, the Naval Criminal Investigative Service, the Air Force Office of Special Investigations, the Defense Criminal Investigative Service and other Federal Agencies and Task Forces has resulted in detecting, deterring, preventing or arresting those that would steal our national and commercial secrets.

The hard work and dedication of these special agents, from all of these agencies, is represented in the arrests, etc. that you see detailed in this issue of our newsletter.

In reviewing the current details of arrests, etc. the breakdown of countries involved is quite interesting.

The cold war is over? The Russians are not a threat? They are not the number one geopolitical threat?

Well the 11 Russians arrested for conspiracy to illegally export microchips from a Houston based company might not have been fighting US interests at the United Nations and behind the political scene around the world, but they certainly were seeking illegal advantage over the United States.

The Chinese are our friends? They wouldn’t harm their greatest source of foreign capital?

Well, the four Chinese and one US citizen arrested for seeking to illegally help China with classified information and trade secrets weren’t exactly helping us out in a friendly way.

And, what about our true friends, countries we have saved and continued to protect from invasion and destruction? Countries such as South Korea? Certainly friends such as these would never seek to do us harm?

The five South Korean directors and employees of Kolon Industries of South Korea must not have read the memo about don’t bite the hand of he who is feeding you when they conspired to steal the technology behind DuPont’s Kevlar Trade Secrets.

And of course, no US citizen would reveal classified information to the media that could cause potential harm. Unless of course, you are former CIA Officer John Kiriakou, 48, of Arlington, Virginia, who pleaded guilty to disclosing to a journalist the name of a covert CIA officer and to disclosing information revealing the role of another CIA employee in classified activities.

And no US company would try to steal trade secrets or proprietary information from another US company, would they? Not unless they were a defense contractor based in Aurora, Colorado, that agreed to pay $1,150,000 to settle allegations that it improperly obtained bid and proposal information from a competitor on contracts for the National Reconnaissance Office (NRO).

What conclusions can we draw from this litany of illegal activity?

Well, first, the theft of trade secrets and economic espionage activity could not have been stopped through use of criminal statutes until October of 1996 when The Economic Espionage Statute was signed into law. This is the one good thing that came out during the lull in the counterintelligence effort.

Because this law was enacted, and because our foreign competitors and enemies have continued stealing our commercial secrets, we continue to see an increasing number of arrests and convictions for this type of activity.

Second, we continue to see an inordinate number of arrests related to Chinese and Russian activity here in the US. This illustrates that though the calendar has changed pages many times since the end of the Cold War, since the fall of the Soviet Union, and Tiananmen Square, our old Cold War adversaries continue to proceed along the same paths, following the same methodology as they demonstrated in the 1970’s and 1980’s.

Third, when reading the examples of illicit activity demonstrated in these arrests, the type of information targeted, the types of materials sought, the betrayals exhibited, these all are eerily similar to activity demonstrated throughout the history of espionage and export violations within the United States.

The more the clock turns, the more things stay the same.

A trite cliché to close this article, but nevertheless, very true.

[Photo: John Kiriakou]

[Photo: Kolon Industries]

[Photo: U.S. Consulate in Guangzhou, China]

[Photo: Federal Agents remove evidence from ARC Electronics, Houston Texas as part of investigation involving illegal exports to Russia]


CHI MAK CONVICTION UPHELD

COMMENTARY: Those of you familiar with the Ninth Circuit Court of Appeals are also familiar with its tendency to make rulings that often hinder law enforcement and defy logic.

Perhaps not a surprise to many, but certainly a pleasant surprise to this commentator, the Ninth has upheld the conviction of Chi Mak and denied his appeals.

For those of you that don’t recall, Chi Mak was a senior engineer for Power Paragon, Inc. (Paragon), a defense contractor in Anaheim, California, that designs and manufactures electrical systems for U.S. Navy combat ships and submarines. On October 28, 2005, Tai Mak, Mak’s brother, and his sister-in-law, Fuk Li, were arrested at the Los Angeles International Airport prior to boarding a flight to Hong Kong. When they were arrested, the Government seized a CD from their luggage. In addition to several innocuous files, the CD contained three encrypted files Mak had given to his brother containing export-controlled naval technology, including documents authored by Mak regarding the Quiet Electric Drive project (QED document), a project intended to decrease the signature noise data emitted by U.S. Navy submarines and warships—a submarine’s greatest vulnerability.

[Photo: CHI MAK]

The ruling, in part, follows:

Ninth Circuit Rules in Appeal by CHI Mak

OPINION

M. SMITH, Circuit Judge:

Chi Mak (Mak) appeals his jury conviction of conspiring to violate export control laws and attempting to export a defense article to the People’s Republic of China, in violation of the Arms Export Control Act (AECA), 22 U.S.C. § 2778, as implemented by the International Traffic in Arms Regulations (ITAR), 22 C.F.R. §§ 120-30. Following his conviction, Mak moved for a new trial, challenging the Government’s failure to timely disclose its intended use of a particular expert witness, and claiming that the AECA is unconstitutionally vague.

The district court denied Mak’s motion. Mak now appeals his conviction, claiming violations of his rights under the First, Fifth, and Sixth Amendments, and the Ex Post Facto Clause.

We affirm the district court because:

(1) the AECA and its implementing regulations do not violate Mak’s First Amendment rights since the AECA is substantially related to the protection of an important governmental interest;

(2) the court’s instructions to the jury concerning technical data did not violate Mak’s Due Process rights because they expressly required the Government to prove that the documents at issue are not in the public domain;

(3) the court’s instructions to the jury on willfulness did not violate Mak’s Sixth Amendment rights because they did not prevent the jury from fully deliberating as to whether Mak acted willfully, as required by the AECA;

(4) the documents at issue were covered by the United States Munitions List (USML) at the time Mak attempted to export them and, therefore, his conviction does not violate the Ex Post Facto Clause.

http://www.ca9.uscourts.gov/datastore/opinions/2012/06/21/08-50148.pdf

THIS OPINION, IN ITS ENTIRETY, CAN BE VIEWED AT THE HYPERLINK ABOVE.

FORMER CIA OFFICER JOHN KIRIAKOU PLEADS GUILTY TO DISCLOSING CLASSIFIED INFORMATION ABOUT CIA OFFICER

http://www.fbi.gov/washingtondc/press-releases/2012/former-cia-officer-john-kirakou-pleads-guilty-to-disclosing-classified-information-about-cia-officer

U.S. Attorney’s Office Eastern District of Virginia

ALEXANDRIA, VA—Former CIA Officer John Kiriakou, 48, of Arlington, Virginia, pleaded guilty today to disclosing to a journalist the name of a covert CIA officer and also admitted to disclosing information revealing the role of another CIA employee in classified activities.

Neil H. MacBride, U.S. Attorney for the Eastern District of Virginia, and James W. McJunkin, Assistant Director in Charge of the FBI’s Washington Field Office, made the announcement after the plea was accepted by U.S. District Judge Leonie M. Brinkema. Kiriakou pleaded guilty today to one count of intentionally disclosing information identifying a covert agent. As part of the plea agreement, the United States and Kiriakou agree that a sentence of 30 months in prison is the appropriate disposition of this case. Sentencing has been scheduled for January 25, 2013.

“The government has a vital interest in protecting the identities of those involved in covert operations,” said U.S. Attorney MacBride. “Leaks of highly sensitive, closely held, and classified information compromise national security and can put individual lives in danger.”

“Disclosing classified information, including the names of CIA officers, to unauthorized individuals is a clear violation of the law,” said Assistant Director in Charge McJunkin. “Today’s plea would not be possible without the hard work of the prosecutors and FBI special agents and analysts who brought this case to justice and who will continue to pursue those who ignore their obligations to protect national security secrets.”

According to court records, the case is a result of an investigation triggered by a classified filing in January 2009 by defense counsel for high-value detainees at Guantanamo Bay, Cuba. This filing contained classified information the defense had not been given through official government channels, including photographs of certain government employees and contractors. The investigation revealed that on multiple occasions, one of the journalists to whom Kiriakou illegally disclosed classified information, in turn, disclosed that information to a defense team investigator. This information was reflected in the classified defense filing and enabled the defense team to take or obtain surveillance photographs of government personnel. The government has made no allegations of criminal activity by any members of the defense team for the detainees.

Kiriakou was a CIA intelligence officer between 1990 and 2004, serving at headquarters and in various classified overseas assignments. Upon joining the CIA in 1990 and on multiple occasions in following years, Kiriakou signed secrecy and non-disclosure agreements not to disclose classified information to unauthorized individuals. In a statement of facts filed with his plea agreement, Kiriakou admitted that he made illegal disclosures about two CIA employees and their involvement in classified operations to two journalists (referenced as “Journalist A” and “Journalist B” in court records) on multiple occasions between 2007 and 2009.

Kiriakou also admitted that he lied to the CIA regarding the existence and use of a classified technique, referred to as a “magic box,” while seeking permission from the CIA’s Publications Review Board to include the classified technique in a book.

(continued on page 5)

(continued from page 4)

Kiriakou admitted that, through a series of e-mails with Journalist A, he disclosed the full name of a CIA officer (referred to as “Officer A” in court records) whose association with the CIA had been classified for more than two decades. In addition to identifying the officer for the journalist, Kiriakou also provided information that helped the journalist link the officer to a particular classified operation.

In addition, Kiriakou admitted that he disclosed to Journalists A and B the name and contact information of a CIA analyst, identified in court records as “Officer B,” along with his association with an operation to capture terrorism subject Abu Zubaydah in 2002. Kiriakou knew that the association of Officer B with the Abu Zubaydah operation was classified. Based in part on this information, Journalist B subsequently published a June 2008 front-page story in The New York Times disclosing Officer B’s alleged role in the Abu Zubaydah operation.

Without Kiriakou’s knowledge, Journalist A passed the information he obtained from Kiriakou to an investigator assisting in the defense of high-value detainees at Guantanamo Bay.

This case was investigated by the FBI’s Washington Field Office, with assistance from the CIA and the Air Force Office of Special Investigations. Assistant U.S. Attorneys Iris Lan of the Southern District of New York; Mark E. Schneider and Ryan Fayhee of the Northern District of Illinois; and W. Neil Hammerstrom, Jr. of the Eastern District of Virginia are prosecuting the case on behalf of the United States.

[Photo: John Kiriakou]

TWO CHINESE NATIONALS CHARGED WITH STEALING TRADE SECRETS FROM MISSOURI MANUFACTURING PLANT

http://www.fbi.gov/kansascity/press-releases/2012/two-chinese-nationals-charged-with-stealing-trade-secrets-from-missouri-manufacturing-plant

U.S. Attorney’s Office Western District of Missouri

KANSAS CITY, MO—Two Chinese nationals were charged in federal court today with attempting to pay $100,000 for stolen trade secrets from Pittsburgh Corning, which has a manufacturing plant in Sedalia, Missouri, that produces FOAMGLAS, announced David M. Ketchmark, Acting U.S. Attorney for the Western District of Missouri.

Ji Li Huang, 45, and Xiao Guang Qi, 31, both citizens of China, were charged in a federal criminal complaint filed in the U.S. District Court in Kansas City. Today’s complaint alleges that Huang and Qi attempted to illegally purchase trade secrets of Pittsburgh Corning for the purpose of opening a plant in China to compete with Pittsburgh Corning. Huang and Qi, who were arrested on Sunday, September 2, 2012, had an initial court appearance today and remain in federal custody pending a detention hearing.

Pittsburgh Corning, headquartered in Pittsburgh, manufactures various grades or densities of cellular glass insulation sold under the trade name FOAMGLAS. That material is used to insulate industrial piping systems and liquefied natural gas storage tank bases. Pittsburgh Corning’s main customers are energy companies, petrochemical companies, and natural gas facilities.

The Pittsburgh Corning facility in Sedalia is the company’s flagship facility, responsible for approximately 90 percent of the material produced by the company. The Sedalia facility operates 24 hours per day, 365 days per year. The plant employs 250-300 people and conducts research and development on FOAMGLAS for Pittsburgh Corning.

Pittsburgh Corning recently made technological advances in the formulation and manufacturing process of FOAMGLAS insulation. Pittsburgh Corning considers the product formula and manufacturing process for FOAMGLAS proprietary and trade secrets.

Three months ago, Pittsburgh Corning announced plans to open a facility in China. Pittsburgh Corning is negotiating to build a plant in China, since most of the world’s need for FOAMGLAS comes from China. FOAMGLAS is used in liquid natural gas (LNG) tanks. China has approximately 10,000 LNG plants.

According to an affidavit filed in support of today’s criminal complaint, a man identified as “T.S.” requested a tour of Pittsburgh Corning’s FOAMGLAS plant on June 7, 2012. Pittsburgh Corning refused the request for a tour. On June 14, 2012, T.S., along with Huang and an uncharged co-conspirator (who is not identified in the affidavit), met with a plant employee. The plant employee discussed some of the general processes of producing FOAMGLAS, however, he did not disclose any proprietary information.

Another plant employee reported that Huang and the uncharged co-conspirator were trespassing at the Sedalia plant on June 18 and 19, 2012. They allegedly recorded video or photos on a cell phone and asked employees specific questions about FOAMGLAS.

On July 22, 2012, an advertisement was published in the local newspaper that solicited “technical talent” with experience at Corning Pittsburgh to lead a project to build a foam glass factory in the Asian market. A confidential source—a trusted employee working with the FBI—responded to the contact e-mail address cited in the newspaper advertisement. A second uncharged co-conspirator (who also is not identified in the affidavit) allegedly corresponded by e-mail with the FBI’s cooperating source, who pretended to be willing to unlawfully copy and sell trade secrets. During a monitored telephone call, the affidavit says, the cooperating source told this co-conspirator that the information he requested was Pittsburgh Corning’s proprietary and confidential information and that he could go to jail if anyone found out he gave away Pittsburgh Corning’s proprietary information.

During the monitored telephone call, the affidavit says, this co-conspirator agreed to pay $100,000 to the cooperating source. They later arranged for Huang to travel from China to the United States to meet with the cooperating source. They allegedly agreed that $25,000 would be exchanged on September 2, 2012, for a package of Pittsburgh Corning’s processes and formulary on FOAMGLAS. They also discussed paying the cooperating source to travel to China several times for consulting, the affidavit says.

On Saturday, September 1, 2012, the cooperating source met with Huang and Qi at a Kansas City restaurant. Qi participated in the meeting and also acted as a translator for Huang for parts of the conversation. According to the affidavit, a follow-up meeting was scheduled for the next day, at which the cooperating source would bring the stolen proprietary information and Huang and Qi would bring the payment.

(continued on page 6)


(continued from page 5)

The cooperating source told Huang and Qi that he had to drive back to Pittsburgh Corning and break into the engineering department to steal the documents and drawings for the equipment in order to complete the list. Qi asked if there would be any problem; the cooperating source explained to Qi there would be no problem because nobody would be at the plant over the holiday weekend.

The next day, the affidavit says, Huang and Qi met the cooperating source at a prearranged location and brought a bag containing the money. The cooperating source showed them documents that were purportedly Pittsburgh Corning’s trade secret information, some of which were stamped with secret and confidential markings.

Shortly afterward, FBI agents arrested Huang and Qi at their hotel room.

Ketchmark cautioned that the charge contained in this complaint is simply an accusation, and not evidence of guilt. Evidence supporting the charge must be presented to a federal trial jury, whose duty is to determine guilt or innocence.

This case is being prosecuted by Assistant U.S. Attorneys Brian Casey and Matt Wolesky. It was investigated by the FBI.

FORMER U.S. CONSULATE GUARD PLEADS GUILTY TO ATTEMPTING TO COMMUNICATE NATIONAL DEFENSE INFORMATION TO CHINA

http://www.fbi.gov/washingtondc/press-releases/2012/former-u.s.-consulate-guard-pleads-guilty-to-attempting-to-communicate-national-defense-information-to-china

WASHINGTON—Bryan Underwood, a former civilian guard at a U.S. Consulate compound under construction in China, pleaded guilty today in the District of Columbia in connection with his efforts to sell for personal financial gain classified photographs, information, and access related to the U.S. Consulate to China’s Ministry of State Security (MSS).

At a hearing today before U.S. District Judge Ellen S. Huvelle, Underwood pleaded guilty to one count of attempting to communicate national defense information to a foreign government with intent or reason to believe that the documents, photographs, or information in question were to be used to the injury of the United States or to the advantage of a foreign nation.

The guilty plea was announced by Lisa Monaco, Assistant Attorney General for National Security; Ronald C. Machen, Jr., U.S. Attorney for the District of Columbia; James W. McJunkin, Assistant Director in Charge of the FBI’s Washington Field Office; and Eric J. Boswell, Assistant Secretary of State for Diplomatic Security.

Underwood, 32, a former resident of Indiana, was first charged in an indictment on August 31, 2011, with two counts of making false statements and was arrested on September 1, 2011. On September 21, 2011, he failed to appear at a scheduled status hearing in federal court in the District of Columbia. The FBI later located Underwood in a hotel in Los Angeles and arrested him there on September 24, 2011. On September 28, 2011, Underwood was charged in a superseding indictment with one count of attempting to communicate national defense information to a foreign government, two counts of making false statements, and one count of failing to appear in court pursuant to his conditions of release. Sentencing for Underwood has been scheduled for November 19, 2012. He faces a maximum potential sentence of life in prison.

“Bryan Underwood was charged with protecting a new U.S. Consulate compound against foreign espionage, but, facing financial hardship, he attempted to betray his country for personal gain,” said Assistant Attorney General Monaco. “This prosecution demonstrates that we remain vigilant in protecting America’s secrets and in bringing to justice those who attempt to compromise them.”

“Bryan Underwood was determined to make millions by selling secret photos of restricted areas inside a U.S. Consulate in China,” said U.S. Attorney Machen. “His greed drove him to exploit his access to America’s secrets to line his own pockets. The lengthy prison sentence facing Underwood should chasten anyone who is tempted to put our nation at risk for personal gain.”

“Bryan Underwood sought to benefit from his access to sensitive information, but his attempted betrayal was detected before our nation’s secrets fell into the wrong hands,” said FBI Assistant Director in Charge McJunkin. “Together with our partners, the FBI will continue to work to expose, investigate, and prevent acts of espionage that threaten our national security.”

“The close working relationship between the U.S. Department of State’s Diplomatic Security Service, the FBI, and the U.S. Attorney’s Office resulted in the capture and conviction of Bryan Underwood before he could harm the security of our country,” said Assistant Secretary of State Boswell. “The Diplomatic Security Service is firmly committed to thoroughly investigating all potential intelligence threats to our nation.”

According to court documents, from November 2009 to August 2011, Underwood worked as a cleared American guard (CAG) at the construction site of a new U.S. Consulate compound in Guangzhou, China. CAGs are American civilian security guards with top secret clearances who serve to prevent foreign governments from improperly obtaining sensitive or classified information from the U.S. Consulate. Underwood received briefings on how to handle and protect classified information as well as briefings and instructions on security protocols for the U.S. Consulate, including the prohibition on photography in certain areas of the consulate.

Plan to Sell Information and Access for $3 Million to $5 Million

In February 2011, Underwood was asked by U.S. law enforcement to assist in a project at the consulate, and he agreed. In March 2011, Underwood lost a substantial amount of money in the stock market. According to court documents, Underwood then devised a plan to use his assistance to U.S. law enforcement as a “cover” for making contact with the Chinese government. According to his subsequent statements to U.S. law enforcement, Underwood intended to sell his information about and access to the U.S. Consulate to the Chinese MSS for $3 million to $5 million. If any U.S. personnel caught him, he planned to falsely claim he was assisting U.S. law enforcement.

As part of his plan, Underwood wrote a letter to the Chinese MSS expressing his “interest in initiating a business arrangement with your offices” and stating, “I know I have information and skills that would be beneficial to your offices [sic] goals. And I know your office can assist me in my financial endeavors.” According to court documents, Underwood attempted to deliver this letter to the offices of the Chinese MSS in Guangzhou but was turned away by a guard who declined to accept the letter. Underwood then left the letter in the open in his apartment hoping that the Chinese MSS would find it, as he believed the MSS routinely conducted searches of apartments occupied by Americans.

(continued on page 7)


In May 2011, Underwood secreted a camera into the U.S. Consulate compound and took photographs of a restricted building and its contents. Many of these photographs depict areas or information classified at the secret level. Underwood also created a schematic that listed all security upgrades to the U.S. Consulate and drew a diagram of the surveillance camera locations at the consulate. In addition, according to his subsequent statements to U.S. law enforcement, Underwood "mentally" constructed a plan in which the MSS could gain undetected access to a building at the U.S. Consulate to install listening devices or other technical penetrations.

According to court documents, the photographs Underwood took were reviewed by an expert at the State Department's Bureau of Diplomatic Security who had original classification authority for facilities, security, and countermeasures at the U.S. Consulate. The expert determined that many of the photographs contained images classified at the secret level and that disclosure of such material could cause serious damage to the United States.

In early August 2011, Underwood was interviewed several times by FBI and Diplomatic Security agents, during which he admitted making efforts to contact the Chinese MSS, but falsely claimed that he took these actions to assist U.S. law enforcement. On August 19, 2011, Underwood was again interviewed by law enforcement agents, and he admitted that he planned to sell photos, information, and access to the U.S. Consulate in Guangzhou to the Chinese MSS for his personal financial gain.

The U.S. government has found no evidence that Underwood succeeded in passing classified information concerning the U.S. Consulate in Guangzhou to anyone at the Chinese MSS.

This investigation was conducted jointly by the FBI's Washington Field Office and the State Department's Bureau of Diplomatic Security. The prosecution is being handled by the U.S. Attorney's Office for the District of Columbia and Trial Attorney Brandon L. Van Grack from the Counterespionage Section of the Justice Department's National Security Division.

RUSSIAN AGENT AND 10 OTHER MEMBERS OF PROCUREMENT NETWORK FOR RUSSIAN MILITARY AND INTELLIGENCE OPERATING IN THE U.S. AND RUSSIA INDICTED IN NEW YORK

http://www.fbi.gov/houston/press-releases/2012/russian-agent-and-10-other-members-of-procurement-network-for-russian-military-and-intelligence-operating-in-the-u.s.-and-russia-indicted-in-new-york

Defendants Also Include Texas- and Russia-Based Corporations; 165 Persons and Companies 'Designated' by Commerce Department

U.S. Attorney's Office Eastern District of New York

BROOKLYN, NY—An indictment was unsealed today in U.S. District Court for the Eastern District of New York charging 11 members of a Russian military procurement network operating in the United States and Russia, as well as a Texas-based export company and a Russia-based procurement firm, with illegally exporting high-tech microelectronics from the United States to Russian military and intelligence agencies.

Alexander Fishenko, an owner and executive of the American and Russian companies, is also charged with operating as an unregistered agent of the Russian government inside the United States by illegally procuring the high-tech microelectronics on behalf of the Russian government. The microelectronics allegedly exported to Russia are subject to strict government controls due to their potential use in a wide range of military systems, including radar and surveillance systems, weapons guidance systems, and detonation triggers.

The charges were announced by Loretta E. Lynch, U.S. Attorney for the Eastern District of New York; Lisa Monaco, Assistant Attorney General for National Security; Stephen L. Morris, Special Agent in Charge, FBI, Houston Field Office; Under Secretary of Commerce Eric L. Hirschhorn, Department of Commerce; and Timothy W. Reeves, Special Agent in Charge, Naval Criminal Investigative Service, Central Field Office.

The defendants arrested yesterday and today will be arraigned this afternoon before U.S. Magistrate Judge George C. Hanks, Jr., at the U.S. Courthouse in Houston, where the government will seek their removal to the Eastern District of New York.

In addition to the unsealing of the charges, search warrants were executed today at seven residences and business locations associated with the defendants, and seizure warrants were executed on five bank accounts held by Fishenko and defendant Arc Electronics Inc., the Texas-based export company. In conjunction with the unsealing of these charges, the Department of Commerce has added 165 foreign persons and companies who received, transshipped, or otherwise facilitated the export of controlled commodities by the defendants to its "Entity List." This designation imposes a license requirement before any commodities can be exported from the United States to these persons or companies and establishes a presumption that no such license will be granted.

The Scheme

As alleged in the indictment, between approximately October 2008 and the present, Fishenko and the other defendants engaged in a surreptitious and systematic conspiracy to obtain advanced, technologically cutting-edge microelectronics from manufacturers and suppliers located within the United States and to export those high-tech goods to Russia, while carefully evading the government licensing system set up to control such exports. The microelectronics shipped to Russia included analog-to-digital converters, static random access memory chips, microcontrollers, and microprocessors. These commodities have applications and are frequently used in a wide range of military systems, including radar and surveillance systems, missile guidance systems, and detonation triggers. Russia does not produce many of these sophisticated goods domestically.

According to the indictment and a detention motion filed by the government today, defendant Alexander Fishenko was born in what was, at the time, the Soviet Republic of Kazakhstan, and graduated from the Leningrad Electro-Technical Institute in St. Petersburg, Russia. He immigrated to the United States in 1994 and became a naturalized citizen of the United States in 2003. In 1998, he founded defendant Arc Electronics Inc. in Houston. Between 2002 and the present, Arc has shipped approximately $50,000,000 worth of microelectronics and other technologies to Russia.

Fishenko and his wife are the sole owners of Arc, and Fishenko serves as the company's president and chief executive officer. Fishenko is also a part owner and executive of defendant Apex System LLC, a Moscow, Russia-based procurement firm. Apex, working through subsidiaries, served as a certified supplier of military equipment for the Russian government.


Between 1996 and the present, Fishenko has regularly traveled back and forth between the United States and Russia. Defendant Alexander Posobilov entered the United States from Russia in 2001 and became a naturalized citizen in 2008. He joined Arc in 2004 and serves as its director of procurement. Posobilov was arrested at George Bush Intercontinental Airport in Houston on his way to Singapore and Moscow.

The defendants allegedly exported many of these high-tech goods, frequently through intermediary procurement firms, to Russian end users, including Russian military and intelligence agencies. To induce manufacturers and suppliers to sell them these high-tech goods and to evade applicable export controls, the defendants often provided false end-user information in connection with the purchase of the goods, concealed the fact that they were exporters, and falsely classified the goods they exported on export records submitted to the Department of Commerce. For example, in order to obtain microelectronics containing controlled, sensitive technologies, Arc claimed to American suppliers that, rather than exporting goods to Russia, it merely manufactured benign products such as traffic lights. Arc also falsely claimed to be a traffic light manufacturer on its website. In fact, Arc manufactured no goods and operated exclusively as an exporter.

According to the court documents, the defendants went to great lengths to conceal their procurement activities for the Russian military. For example, on one occasion, defendants Posobilov and Yuri Savin, the director of marketing at another Russian procurement firm, discussed how best to conceal the fact that certain goods Savin had purchased from Arc were intended for the Russian military. Savin asked Posobilov, "What can we do if a client is military all over?" Posobilov replied, "We can't be the ones making things up. You should be the ones." Similarly, on another occasion, defendant Fishenko directed a Russian procurement company that, when the company provided false end-user information, to "make it up pretty, correctly, and make sure it looks good." On yet another occasion, Posobilov instructed a Russian procurement company to "make sure that" the end-use certificate indicated "fishing boats and not fishing/anti-submarine ones....Then we'll be able to start working."

Despite this subterfuge, according to the documents, the investigation revealed that the defendants were supplying Russian government agencies with sophisticated microelectronics. For example, the investigation uncovered a Russian Ministry of Defense document designating an Apex subsidiary as a company "certified" to procure and deliver military equipment and electronics. The FBI recovered a letter sent by a specialized electronics laboratory of Russia's Federal Security Service (FSB), Russia's primary domestic intelligence agency, to an Apex affiliate regarding certain microchips obtained for the FSB by Arc. The letter stated that the microchips were faulty and demanded that the defendants supply replacement parts.

In addition, in anticipation of an inquiry by the Department of Commerce regarding the export of certain controlled microelectronics, defendants Fishenko, Posobilov, and Arc salesperson Viktoria Klebanova allegedly directed Apex executives Sergey Klinov and Dmitriy Shegurov, as well as other Apex employees, to alter Apex's website and forge documents regarding certain transactions to hide Apex's connections to the Russian military. In connection with the cover-up, Apex removed images of Russian military aircraft and missiles and other links to the Russian Ministry of Defense from its website.

The Arc Defendants

In addition to Fishenko, Posobilov, and Klebanova, the indictment charges Arc salespersons Lyudmila Bagdikian, Anastasia Diatlova, Sevinj Taghiyeva, and Svetalina Zagon, as well as Arc shipping manager Shavkat Abdullaev, with one count of conspiring to violate and 21 counts of violating the International Emergency Economic Powers Act (IEEPA) and the Arms Export Control Act (AECA) and with conspiring to commit wire fraud. According to the indictment, these defendants obtained controlled microelectronics by lying and submitting false information regarding the true nature, users, and intended uses of the high-tech goods, then exporting the goods, without the required licenses, to procurement firms in Russia. The defendants' principal port of export for these goods was John F. Kennedy International Airport in the Eastern District of New York.

The Foreign Defendants

According to the indictment, in addition to owning and controlling Arc, Fishenko is also a controlling principal of the Russian procurement firm Apex, the defendant Sergey Klinov is the chief executive officer of Apex, and the defendant Dmitriy Shegurov is an employee of Apex. Apex and its affiliates supplied microelectronics to Russian government agencies, including Russian military and intelligence agencies. The defendant Yuri Savin was the director of marketing at Atrilor Ltd., another Russian procurement firm. Klinov, Shegurov, and Savin conspired with Fishenko and the Arc defendants to obtain controlled U.S.-origin microelectronics and to export those technologically sensitive goods to Russia without the required export licenses by falsifying information to hide the true nature, users, and intended uses of the goods. In addition, Fishenko, Posobilov, Klebanova, Klinov, and Shegurov were charged with obstruction of justice, and Fishenko and Arc were charged with conspiring to commit money laundering.

The individual defendants face maximum terms of incarceration of five years for the conspiracy charge, 20 years for each of the substantive IEEPA and AECA charges, and 20 years for the obstruction of justice charge. In addition, Fishenko faces a maximum term of incarceration of 20 years for conspiring to commit money laundering and 10 years for acting as an unregistered agent of the Russian government. The corporate defendants face fines of up to $500,000 for the conspiracy count and $1 million for each of the substantive IEEPA and AECA counts.

"As alleged in the indictment, the defendants spun an elaborate web of lies to evade the laws that protect our national security. The defendants tried to take advantage of America's free markets to steal American technologies for the Russian government. But U.S. law enforcement detected, disrupted, and dismantled the defendants' network," stated United States Attorney Loretta E. Lynch. "We will not rest in our efforts to protect the technological advantage produced by American ingenuity. And, we will expose and hold responsible all who break our counter-proliferation laws, particularly those, like Fishenko, who serve foreign governments."

Ms. Lynch thanked the United States Attorney's Office for the Southern District of Texas for its assistance in this matter.

"Today's case underscores the importance of safeguarding America's sensitive technology and our commitment to disrupt and prosecute networks that attempt to illegally export these goods," said Lisa Monaco, Assistant Attorney General for National Security. "I applaud the many agents, analysts, and prosecutors who worked on this extensive investigation."

"In this day and time, the ability of foreign countries to illegally acquire sensitive and sophisticated U.S. technology poses a significant threat to both the economic and national security of our nation," said Houston FBI Special Agent in Charge Stephen L. Morris. "While some countries may leverage our technology for financial gain, many countries hostile to the United States seek to improve their defense capabilities and to modernize their weapons systems at the expense of U.S. taxpayers. The FBI will continue to work aggressively with our partners in the U.S. Intelligence Community to protect this technology and hold accountable those companies that willfully choose to violate our U.S. export laws."

"Today's action is a perfect example of two of the core benefits of the administration's export control reform effort—higher enforcement walls around controlled items and extensive coordination and cooperation among the enforcement agencies. I applaud our special agents who worked with the Justice Department in the interagency effort that led to today's actions," said Under Secretary of Commerce Eric L. Hirschhorn.

"The receipt of U.S.-made, cutting-edge microelectronics has advanced Russia's military technological capabilities. NCIS and the Department of the Navy have worked closely with the FBI, the Department of Justice, and the Department of Commerce in this investigation due to the potential for significant enhancement of Russian naval weapons systems that would result from the illegal acquisition of these export-controlled technologies," said Special Agent in Charge Timothy W. Reeves, NCIS Central Field Office.

As a result of this case, there may be victims and witnesses who need to contact the agencies involved in the investigation. If your business has been approached by one of the defendants or by someone trying to obtain export-protected, sensitive technology who appeared not to be legitimate, please report that information to busi-[email protected]. The information will remain confidential and will be handled by the appropriate authorities.

The government's case is being prosecuted by Assistant U.S. Attorneys Daniel Silver, Hilary Jager, and Claire Kedeshian, as well as Trial Attorney David Recker of the Counterespionage Section of the Justice Department's National Security Division.

The charges contained in the indictment are merely allegations, and the defendants have not yet been convicted of these offenses.

The Defendants:

Arc Electronics Inc.
Principal Place of Business: Houston, Texas

Apex System LLC
Principal Place of Business: Moscow, Russia

Alexander Fishenko, age 46
Shavkat Abdullaev, age 34
Lyudmila Bagdikian, age 58
Anastasia Diatlova, age 38
Viktoria Klebanova, age 37
Sergey Klinov, age 44
Alexander Posobilov, age 58
Yuri Savin, age 36
Dmitriy Shegurov, age unknown
Sevinj Taghiyeva, age 32
Svetalina Zagon, age 31

DEFENSE CONTRACTOR ALLEGED TO HAVE TAKEN COMPETITOR'S BID INFORMATION PAYS $1.15 MILLION

http://www.fbi.gov/denver/press-releases/2012/defense-contractor-alleged-to-have-taken-competitor2019s-bid-information-pays-1.15-million

U.S. Attorney's Office District of Colorado

DENVER—The United States Attorney for the District of Colorado announces that Paragon Dynamics Inc., a defense contractor based in Aurora, Colorado, has agreed to pay $1,150,000 to settle allegations that it improperly obtained bid and proposal information from a competitor on contracts for the National Reconnaissance Office (NRO).

Today's settlement resolves contentions by the United States that Paragon Dynamics violated the Procurement Integrity Act by improperly obtaining bid and proposal information from Raytheon Corporation. Specifically, the United States contended the following: from February 2008 to August 2009, Raytheon was competing to win certain contracts for the National Reconnaissance Office, which is the federal agency in charge of designing, building, launching, and maintaining America's intelligence satellites. A Paragon Dynamics employee with access to a Raytheon facility in Aurora used his access to obtain entire drafts of Raytheon's proposals for two separate contracts, as well as other information. The Paragon Dynamics employee was then videotaped by a security camera as he faxed part of a proposal to the president of Paragon Dynamics. The president of Paragon Dynamics then sent that information to another corporation that Paragon Dynamics was teaming with in a competition to win the NRO contract. An investigation revealed that the employee had obtained drafts of Raytheon's proposals for two government contracts, as well as other related documents. Some of these documents were then identified on a computer system maintained by another employee of Paragon Dynamics.

"When companies cheat in the bidding process for government contracts by stealing the work of their competitors, they face strict penalties," said John Walsh, United States Attorney for the District of Colorado. "Corporate espionage erodes the trust we have in our public procurement system, and the Department of Justice will hold cheaters accountable for their actions."

As part of today's agreement, the Office of Inspector General for the National Reconnaissance Office (NRO-OIG) also reached a Corporate Integrity Agreement with Paragon Dynamics.

"The culmination of this case and the effort put forth in the investigation illustrate the NRO's commitment to maintaining and enforcing a business environment that promotes fair competition," said Eric Beatty, the NRO-OIG Assistant Inspector General for Investigations. "Our success is a direct result of our partnerships with law enforcement agencies and to those in government and industry who are willing to report wrongdoing."

"The settlement in this investigation is the result of a highly successful joint effort by the Defense Criminal Investigative Service (DCIS) and our law enforcement partners from the Federal Bureau of Investigation and the National Reconnaissance Office-Office of Inspector General," said Janice M. Flores, Special Agent in Charge of the DCIS, Southwest Field Office. "This settlement highlights the federal government's continuing resolve to ensure those who violate the Program Integrity Act are held accountable for their actions."


"This successful investigation was initiated as a result of the continuing relationship with our corporate partners, in conjunction with our counterparts in the Office of Inspector General within the National Reconnaissance Office and the Defense Criminal Investigative Service," said FBI Denver Special Agent in Charge James Yacone. "Through these partnerships the FBI will continue to assist in detecting, deterring, and prosecuting those who illegally collect and share proprietary bid information for U.S. contracts."

The Procurement Integrity Act was originally enacted in the late 1980s in response to allegations of insider trading on government contractor procurement information. Among its provisions, the Procurement Integrity Act has clear prohibitions against disclosing or obtaining various types of contractor bid and proposal information. The Procurement Integrity Act is currently codified at 41 U.S.C. §§ 2201-2207.

The United States Attorney's Office acknowledges the cooperation and teamwork demonstrated by the governmental entities involved in today's recovery. Special thanks are extended to the Office of Inspector General for the National Reconnaissance Office, the Defense Criminal Investigative Service, and the Denver Field Office of the Federal Bureau of Investigation.

The claims settled by this agreement are only allegations. There has been no determination of liability.

Assistant United States Attorney J. Chris Larson handled this matter for the United States Attorney's Office.

TAIWANESE NATIONAL SENTENCED TO PRISON FOR ILLEGALLY EXPORTING MILITARY SENSITIVE ITEMS FROM THE UNITED STATES TO IRAN

This afternoon in San Antonio, 35-year-old Susan Yip (aka Susan Yeh), a citizen of Taiwan, was sentenced to two years in federal prison for helping to obtain military sensitive parts for Iran in violation of the Iranian Trade Embargo, announced United States Attorney Robert Pitman; Homeland Security Investigations (HSI) San Antonio Office Special Agent in Charge Jerry Robinette; Defense Criminal Investigative Service (DCIS) Southwest Field Office Special Agent in Charge Janice M. Flores; Special Agent in Charge Tracy Martin, U.S. Commerce Department's Bureau of Industry and Security's Office of Export Enforcement, Dallas Field Office; and, Federal Bureau of Investigation San Antonio Division Special Agent in Charge Armando Fernandez.

A seven-count indictment, returned on June 15, 2011 and unsealed today, charged Yip, Mehrdad Foomanie (aka Frank Foomanie) of Iran, and a third defendant, Merdad Ansari of the United Arab Emirates, with conspiracy to violate the Iranian Transaction Regulations, conspiracy to launder money and conspiracy to commit wire fraud.

On July 20, 2012, Yip pleaded guilty to one count of conspiracy to violate the Iranian Transaction Regulations.

By pleading guilty, Yip admitted that from October 9, 2007, to June 15, 2011, she acted as a broker and conduit for Foomanie to buy items in the United States and have them unlawfully shipped to Iran.

According to the indictment, Foomanie also bought or attempted to buy items in the United States and arranged to have them unlawfully shipped to Iran through his companies in Iran (Sazgan Ertebat Co. Ltd, and Morvarid Shargh Co. Ltd.); in Hong Kong (Panda Semiconductor and Foang Tech Inc., aka Ofogh Electronics Co.); and, in China (Ninehead Bird Semiconductor). The indictment also alleges that Ansari attempted to transship and transshipped cargo obtained from the United States by Yip and Foomanie using Ansari's company, Gulf Gate Sea Cargo L.L.C., located in Dubai, United Arab Emirates.

In her guilty plea, Yip admitted to primarily using her companies in Taiwan (Hivocal Technology Company, Ltd.; Enrich Ever Technologies Co., Ltd.; and, Kuang-Su Corporation) and in Hong Kong (Infinity Wise Technology; Well Smart (HK) Technology; Pinky Trading Co., Ltd.; and, Wise Smart (HK) Electronics Limited) to carry out the fraudulent scheme.

United States Attorney Robert Pitman stated, "When companies or individuals sell or otherwise facilitate the shipment of certain categories of goods to other countries in violation of the law or turn a blind eye to the end user, they are subjecting the United States to potential risks to its national security. As we allege in court documents, the parts in this case had dual-use military and civilian capability. We will continue to be vigilant in detecting and prosecuting those who would jeopardize our security in this way."

"This investigation should serve as a clear indication to those who attempt to supply or trade with our enemies, that all investigative efforts will be utilized to bring you to justice," said HSI Special Agent in Charge Jerry Robinette, San Antonio Office.

From October 9, 2007, to June 15, 2011, the defendants obtained or attempted to obtain from companies worldwide over 105,000 parts valued at approximately $2,630,800 involving more than 1,250 transactions. The defendants conducted 599 transactions with 63 different United States companies where they obtained or attempted to obtain parts from United States companies without notifying the United States companies these parts were being shipped to Iran or getting the required U.S. Government license to ship these parts to Iran.

At no time did Yip, Foomanie, or Ansari, individually or through any of their companies, ever apply for or receive either a required United States Department of the Treasury's Office of Foreign Assets Control (OFAC) license or Department of Commerce export license to ship any item listed in this Indictment to the Republic of Iran.

"This sentencing was a result of a highly successful joint investigative effort by the DCIS, HSI, FBI, the Department of Commerce – Office of Export Enforcement and the U.S. Attorney's Office for the Western District of Texas," said Janice M. Flores, Special Agent-in-Charge of the DCIS, Southwest Field Office. "The DCIS is committed to protecting America from this type of activity, and this commitment combined with the courage and determination of the law enforcement agents involved, prevented sensitive military technology from falling into the hands of our adversaries. I believe this speaks volumes and serves as a warning for those intent on committing this type of criminal activity that law enforcement will pursue these crimes relentlessly."

Iranian Transaction Regulations prohibit, among other things, the exportation, re-exportation, sale or supply, directly or indirectly, to Iran or the Government of Iran, of any goods, technology or services from the United States or by a United States person. The embargo also prohibits any transaction by any United States person or within the United States that evades or avoids, or has the purpose of evading or avoiding, any prohibition set forth in the Executive Orders.

"Parties who conspire to transship sensitive U.S. technology to hostile nations such as Iran will be pursued and prosecuted to the fullest extent of the law," said Special Agent in Charge Tracy Martin, U.S. Commerce Department's Bureau of Industry and Security's Office of Export Enforcement Dallas Field Office.


"Today's sentencing demonstrates how federal law enforcement partners effectively work together to prevent U.S. technology from falling into the wrong hands."

"This investigation demonstrates the critical need for unwavering vigilance when our national security is at risk as threats can emerge from anywhere and from anyone, even in what appears to be legitimate commerce," stated FBI Special Agent in Charge Armando Fernandez, San Antonio Division.

Foomanie and Ansari remain fugitives. Upon conviction, each faces up to 20 years in federal prison for conspiracy to violate Iranian Trade Regulations, up to 20 years in federal prison for conspiracy to launder money and up to five years in federal prison for conspiracy to commit mail fraud.

It is important to note that an indictment is merely a charge and should not be considered as evidence of guilt. The defendants are presumed innocent until proven guilty in a court of law.

35-year-old Susan Yip (aka Susan Yeh), a citizen of Taiwan

CHINESE NATIONAL ARRESTED AFTER ATTEMPTING TO ILLEGALLY EXPORT AEROSPACE-GRADE CARBON FIBER TO CHINA

http://www.justice.gov/usao/nye/pr/2012/2012sep26.html

Defendant Sought Thousands Of Pounds Of High-Tech Material For Use In Chinese Fighter Planes

A criminal complaint was unsealed in Brooklyn federal court today charging Ming Suan Zhang with attempting to illegally export thousands of pounds of aerospace-grade carbon fiber from the United States to China.

According to the complaint, Zhang was arrested in the United States after trying to negotiate a deal to acquire the specialized carbon fiber, a high-tech material used frequently in the military, defense and aerospace industries, and is therefore closely regulated by the United States Department of Commerce to combat nuclear proliferation and terrorism. Zhang is scheduled to make his initial appearance today at 2:00 p.m. at the United States Courthouse, 225 Cadman Plaza East, Brooklyn, New York, before United States Magistrate Judge Vera Scanlon.

The arrest and charges were announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York; James T. Hayes, Jr., Special Agent-in-Charge, U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI), New York; and Sidney Simon, Special Agent-in-Charge, U.S. Department of Commerce, Bureau of Industry and Security, Office of Export Enforcement, New York Field Office.

The complaint alleges that Zhang came to the attention of federal authorities earlier this year after two Taiwanese accomplices attempted to locate large quantities of the specialized carbon fiber via remote Internet contacts. In July, Zhang told an accomplice: "When I place the order, I place one to two tons. However, the first shipment will be for 100 kg [kilograms]." Shortly thereafter, Zhang contacted an undercover law enforcement agent in an effort to finalize the deal to export the carbon fiber from New York to China. In one recorded conversation, Zhang stated that he had an urgent need for the carbon fiber in connection with the scheduled test flight of a Chinese fighter plane. Zhang then arranged a meeting with an undercover agent to take possession of a carbon fiber sample, which was to be shipped to China and analyzed to verify its authenticity. Zhang was subsequently placed under arrest.

The regulation of carbon fiber falls under the jurisdiction of the Department of Commerce, which reviews and controls the export of certain goods and technology from the United States to foreign countries. In particular, the Commerce Department has placed restrictions on the export of goods and technology that it has determined could make a significant contribution to the military potential or nuclear proliferation of other nations, or that could be detrimental to the foreign policy or national security of the United States.

Carbon fiber composites of the type allegedly pursued by Zhang and his accomplices are ideally suited to applications where strength, stiffness, lower weight, and outstanding fatigue characteristics are critical requirements. These composites also can be used in applications where high temperature, chemical inertness and high damping are important. The two main applications of carbon fiber are in specialized technology, particularly in the fields of aerospace and nuclear engineering, and in general engineering and transportation. In addition, certain carbon fiber-based composites, such as the material sought by the defendant, are used in military aircraft.

If convicted of the charges in the complaint, Zhang faces up to 20 years in prison.

"The defendant allegedly tried to break laws that protect our national security by preventing specialized technologies from falling into the wrong hands," stated U.S. Attorney Lynch. "We will use every tool at our disposal to protect the homeland and give teeth to the laws that maintain our technological superiority on the battlefield and in the skies."

Ms. Lynch expressed her grateful appreciation to the DOC and HSI, which worked closely together to investigate the case and bring the defendant to face charges, and noted that the government's investigation is ongoing.

"Zhang allegedly tried to circumvent U.S. export laws to sell technology vital to our nation's defense. This technology in the wrong hands poses a serious threat to our national security," said HSI Special Agent-in-Charge Hayes.

"HSI will continue to work with its law enforcement partners and the U.S. Attorney's Office to safeguard our sensitive technology from those who can potentially use it against us."

"This arrest demonstrates our resolve to investigate and arrest those who violate U.S. criminal laws. We are proud to work with our law enforcement partners in protecting national security and leveling the playing field for legitimate commerce," stated DOC Special Agent-in-Charge Simon.

The government's case is being prosecuted by Assistant United States Attorneys Seth DuCharme and David Sarratt, with assistance from Trial Attorney David Recker of the Department of Justice Counterespionage Section. Assistance was also provided by Trial Attorney Dan E. Stigall of the Department of Justice Office of International Affairs.

The Defendant:

MING SUAN ZHANG
Age: 40

The charges contained in the complaint are merely allegations, and the defendant is presumed innocent unless and until proven guilty.

FORMER EMPLOYEE OF NEW JERSEY DEFENSE CONTRACTOR CONVICTED OF EXPORTING SENSITIVE MILITARY TECHNOLOGY TO CHINA

http://www.fbi.gov/newark/press-releases/2012/former-employee-of-new-jersey-defense-contractor-convicted-of-exporting-sensitive-military-technology-to-china

Stole Trade Secrets from Morris County Company

U.S. Attorney's Office District of New Jersey

NEWARK—A federal jury today convicted a former employee of a New Jersey-based defense contractor of exporting sensitive U.S. military technology to the People's Republic of China (PRC), stealing trade secrets, and lying to federal agents, U.S. Attorney Paul J. Fishman announced.

Sixing Liu, a/k/a, "Steve Liu," 49, a PRC citizen who had recently lived in Flanders, New Jersey, and Deerfield, Illinois, was taken into custody following the verdict, based on risk of flight considerations. Sentencing before U.S. District Judge Stanley R. Chesler is scheduled for January 7, 2013.

"The jury found that in order to promote himself, Liu took highly sensitive defense information and trade secrets to China, violating the rules of his company and the laws of this country, and then lied about it upon his return to the United States," U.S. Attorney Fishman said. "We will not tolerate the exploitation of this country's opportunities through the theft of our secrets."

"This specific investigation is troubling on many levels," FBI Special Agent in Charge Michael B. Ward said. "Mr. Liu helped develop technology critical to our military, then took a computer with that information on an unauthorized trip to China to present at a conference sponsored by the Chinese government. The United States spends billions of dollars each year on research and development, and this 'intellectual capital' is very attractive to others. If they are able to acquire this research, they can save billions and quickly develop their own products to compete against the United States, be it in the world economic market or on the battlefield."

"Exporting military weapons and technical data and the theft of sensitive technology in violation of the Arms Export Control Act are serious crimes with global consequences," Andrew McLees, Special Agent in Charge of Immigration and Customs Enforcement-Homeland Security Investigations (ICE-HSI) in Newark, said. "Illegal foreign procurement networks continue to threaten our safety and this conviction reinforces that HSI has no tolerance for those who try to undermine our nation's safety and security."

"This arrest demonstrates the determination of Customs and Border Protection's frontline officers, who work closely with our law enforcement partners to safeguard the American public from potential threats," Robert E. Perez, Director Field Operations, for CBP New York, said.

The jury convicted Liu of nine of the 11 counts in the second superseding indictment with which he was charged, including six counts of violating the Arms Export Control Act and the International Traffic in Arms Regulations, one count of possessing stolen trade secrets in violation of the Economic Espionage Act of 1996, one count of transporting stolen property in interstate commerce, and one count of lying to federal agents. The jury acquitted Liu on two counts of lying to federal agents.

According to documents filed in the case and evidence presented at trial:

In 2010, Liu stole thousands of electronic files from his employer, L-3 Communications, Space and Navigation Division, located in Budd Lake, New Jersey. The stolen files detailed the performance and design of guidance systems for missiles, rockets, target locators, and unmanned aerial vehicles. Liu stole the files to position and prepare himself for future employment in the PRC. As part of that plan, Liu delivered presentations about the technology at several PRC universities, the Chinese Academy of Sciences, and conferences organized by PRC government entities. However, Liu was not charged with any crimes related to those presentations.

On November 12, 2010, Liu boarded a flight from Newark Liberty International Airport to the PRC. Upon his return to the United States on November 29, 2010, agents found Liu in possession of a non-work-issued computer found to contain the stolen material. The following day, Liu lied to agents of the Department of Homeland Security about the extent of his work on U.S. defense technology, which the jury found to be a criminal false statement.

The U.S. Department of State's Directorate of Defense Trade Controls later verified that several of the stolen files on Liu's computer contained export-controlled technical data that relates to defense items listed on the United States Munitions List (USML). Under federal regulations, items and data covered by the USML may not be exported without a license, which Liu did not obtain. The regulations also provide that it is the policy of the United States to deny licenses to export items and data covered by the USML to countries with which the United States maintains an arms embargo, including the PRC.

The jury heard testimony that Liu's company trained him about the United States' export control laws and told him that most of the company's products were covered by those laws.

After the verdict, Judge Chesler ordered Liu taken into custody, citing the penalties Liu faces, his ties to the PRC, and the lack of an extradition treaty with the PRC, among other reasons.

Liu faces the following maximum penalties, per count:

■ Export violations—20 years in prison, $1 million fine
■ Stolen trade secrets violation—10 years in prison, $250,000 fine
■ Interstate transportation of stolen property—10 years in prison, $250,000 fine
■ False statement—five years in prison, $250,000 fine

U.S. Attorney Fishman credited special agents of the FBI, under the direction of Special Agent in Charge Ward; special agents of ICE-HSI, under the direction of Special Agent in Charge McLees; and officers of CBP, under Director of Field Operations Perez, for the investigation leading to today's verdict.

The government is represented by Assistant U.S. Attorney L. Judson Welle of the United States Attorney's Office's National Security Unit and Assistant U.S. Attorney Gurbir S. Grewal of the United States Attorney's Office's Economic Crimes Unit, both in Newark. The prosecution received valuable support from attorneys of the U.S. Department of Justice's National Security Division, Counterespionage Section.


FORMER CME GROUP SOFTWARE ENGINEER PLEADS GUILTY TO STEALING GLOBEX COMPUTER TRADE SECRETS WHILE PLANNING TO IMPROVE ELECTRONIC TRADING IN CHINA

http://www.fbi.gov/chicago/press-releases/2012/former-cme-group-software-engineer-pleads-guilty-to-stealing-globex-computer-trade-secrets-while-planning-to-improve-electronic-trading-in-china

U.S. Attorney's Office Northern District of Illinois

CHICAGO—A former senior software engineer for Chicago-based CME Group Inc. pleaded guilty today to theft of trade secrets for stealing computer source code and other proprietary information while at the same time pursuing plans to improve an electronic trading exchange in China. The defendant, Chunlai Yang, admitted that he downloaded more than 10,000 files containing CME computer source code that made up a substantial part of the operating systems for the Globex electronic trading platform. The government maintains that the potential loss was between $50 million and $100 million, while Yang maintains that the potential loss was less than $55.7 million.

Yang, 49, of Libertyville, who worked for CME Group for 11 years, pleaded guilty to two counts of theft of trade secrets. He faces a maximum penalty of 10 years in prison and a $250,000 fine on each count, while a written plea agreement contemplates an advisory federal sentencing guideline of 70 to 87 months in prison. Yang was released on a $500,000 secured bond after he was arrested on July 1, 2011. U.S. District Judge John W. Darrah scheduled sentencing for February 20, 2013.

Yang also agreed to forfeit computers and related equipment that were seized from him when he was arrested.

The guilty plea was announced by Gary S. Shapiro, Acting United States Attorney for the Northern District of Illinois; and William C. Monroe, Acting Special Agent in Charge of the Chicago Office of the Federal Bureau of Investigation.

"This case and similar prosecutions demonstrate that law enforcement and corporations can work together to protect trade secrets. CME Group reported this matter to federal authorities and fully cooperated with the investigation. Trade secret theft is a serious economic crime that affects the interests of corporations, as well as our national interest, in protecting intellectual property. We encourage the private sector to work with federal agencies in the investigation and prosecution of trade secret theft," Mr. Shapiro said.

According to the plea agreement, Yang began working for CME Group in 2000 and was a senior software engineer at the time of his arrest. His responsibilities included writing computer code and, because of his position, he had access to the software programs that supported the Globex electronic trading platform, which allowed market participants to buy and sell CME Group products from any place at any time. The source code and algorithms that made up the supporting programs were proprietary and confidential business property of CME Group, which instituted internal measures to safeguard and protect its trade secrets.

Between late 2010 and June 30, 2011, Yang downloaded more than 10,000 computer files containing CME computer source code from CME's secure internal computer system to his CME-issued work computer. He then transferred many of these files from his work computer to his personal USB flash drives and then transferred many of these files from his flash drives to his personal computers and hard drives at his home. Yang also admitted that he downloaded thousands of other CME files. Court documents disclosed that he printed numerous CME internal manuals and guidelines describing how many of the computer files that comprise Globex operate and how these computer files interact with each other.

Yang also admitted that he and two unnamed business partners developed plans to form a business referred to as the Tongmei (Gateway to America) Futures Exchange Software Technology Company (Gateway), whose purpose was to increase the trading volume at the Zhangjiagang, China, chemical electronic trading exchange (the Zhangjiagang Exchange). Yang engaged in contract negotiations on behalf of Gateway with the Zhangjiagang Free Trade Board for Gateway to improve the trading platform for the Zhangjiagang Exchange.

The Zhangjiagang Exchange was to become a transfer station to China for advanced technologies companies around the world. Yang expected that Gateway would provide the exchange with technology through written source code to allow for high trading volume, high trading speeds, and multiple trading functions. To help the China exchange attract more customers and generate higher profits, Gateway proposed to expand the Zhangjiagang Exchange's software by providing customers with more ways of placing orders; connecting the exchange database's storage systems and matching systems; rewriting the trading system software in the Java computer programming language; raising the system's capacity and speed by modifying communication lines and structures; and developing trading software based on the FIX computer coding language.

The government is being represented by Assistant United States Attorneys Barry Jonas and Paul Tzur.

TOP EXECUTIVES AT KOLON INDUSTRIES INDICTED FOR STEALING DUPONT'S KEVLAR TRADE SECRETS

http://www.justice.gov/opa/pr/2012/October/12-crm-1257.html

Also Charged with Conspiracy to Steal Intellectual Property from Japan-Based Teijin Limited

Kolon Industries Inc. and several of its executives and employees have been indicted for allegedly engaging in a multi-year campaign to steal trade secrets related to DuPont's Kevlar para-aramid fiber and Teijin Limited's Twaron para-aramid fiber. The indictment seeks forfeiture of at least $225 million in proceeds from the alleged theft of trade secrets from Kolon's competitors.

The charges were announced today by U.S. Attorney for the Eastern District of Virginia Neil H. MacBride; Assistant Attorney General Lanny A. Breuer of the Justice Department's Criminal Division; and Jeffrey C. Mazanec, Special Agent in Charge of the FBI's Richmond Field Office.

"Kolon is accused of engaging in a massive industrial espionage campaign that allowed it to bring Heracron quickly to the market and compete directly with Kevlar," said U.S. Attorney MacBride. "This country's greatest asset is the innovation and the ingenuity and creativity of the American people. The genius of free enterprise is that companies compete on the excellence of their ideas, products and services – not on theft. This indictment should send a strong message to companies located in the United States and around the world that industrial espionage is not a business strategy."

"By allegedly conspiring to steal DuPont's and Teijin's intellectual property, Kolon threatened to undermine an economic engine at both companies," said Assistant Attorney General Breuer. "Developing Kevlar and Twaron was resource-intensive work, and required strategic investment and ingenuity. Kolon, through its executives and employees, allegedly acted brazenly to profit off the backs of others. The Justice Department has made fighting intellectual property crime a top priority, and we will continue to aggressively prosecute IP crimes all over the country."


"It's critical that law enforcement aggressively investigate crimes of intellectual property theft, such as this one," said FBI Special Agent in Charge Mazanec. "If not, intellectual creativity and our economy will be compromised. As a member of the Department of Justice Task Force on Intellectual Property, our office will investigate any company, domestic or international, that steals confidential proprietary information for their own benefit. We will pursue those that prey on the originality and vision of hardworking businesses who conduct their own research, obtain patents and market a successful product."

Headquartered in Seoul, South Korea, Kolon was indicted by a grand jury in Richmond, VA. The indictment charges Kolon with one count of conspiring to convert trade secrets, four counts of theft of trade secrets and one count of obstruction of justice.

Kolon makes a product called Heracron, which is a recent entrant into the para-aramid fiber market as a competitor to products called Kevlar and Twaron. Para-aramid fibers are used to make, for example, body armor, fiberoptic cables and automotive and industrial products. Kevlar is produced by E. I. duPont de Nemours and Company (DuPont), one of the largest chemical companies in the United States. For decades, Kevlar has competed against Twaron, a para-aramid fiber product produced by Teijin Limited, one of the largest chemical companies in Japan.

According to the indictment, from July 2002 through February 2009, Kolon allegedly sought to improve its Heracron product by targeting current and former employees at DuPont and Teijin and hiring them to serve as consultants, then asking these consultants to reveal information that was confidential and proprietary.

The indictment alleges that during a meeting with one consultant, a Kolon employee surreptitiously copied information from a CD the former DuPont employee had brought with him that contained numerous confidential DuPont business documents, including a detailed breakdown of DuPont's capabilities and costs for the full line of its Kevlar products, customer pricing information, analyses of market trends and strategies for specific Kevlar submarkets. This wealth of information was allegedly copied and dispersed among several Kolon executives and employees, and the indictment alleges that many of these documents and others associated with the consultants were deleted by the Kolon executives and employees after DuPont filed a civil suit against Kolon in 2009.

The indictment alleges that in July 2002, Kolon obtained confidential information related to an aspect of DuPont's manufacturing process for Kevlar, and within three years Kolon had replicated it. This successful misappropriation of DuPont's confidential information, the indictment alleges, spurred Kolon leadership to develop a multi-phase plan in November 2005 to secure additional trade secret information from its competitors, by targeting people with knowledge of both pre-1990 para-aramid technology and post-1990 technologies.

Kolon is alleged to have retained at least five former DuPont employees as consultants. Kolon allegedly met with these people individually on multiple occasions from 2006 through 2008 to solicit and obtain sensitive, proprietary information that included details about DuPont's manufacturing processes for Kevlar, experiment results, blueprints and designs, prices paid to suppliers and new fiber technology. In cases where the consultants could not answer Kolon's specific and detailed questions, Kolon allegedly requested the consultants to obtain the information from current employees at DuPont.

Kolon also is accused of attempting to recruit a former employee of a Teijin subsidiary, Teijin Twaron, who reported the requests for trade secret information to Teijin Twaron. Legal representatives from Teijin Twaron sent a letter to Kolon in January 2008 demanding that Kolon cease and desist from seeking to obtain trade secrets related to Twaron. After this incident, the indictment alleges that Kolon continued to try to obtain trade secrets, but took additional steps to attempt to avoid detection of its actions.

The indictment alleges that, in August 2008, Kolon employees met with a current DuPont employee in a hotel room in Richmond and discussed how the DuPont employee could provide trade secrets to Kolon without leaving evidence.

In addition to the corporation itself, the following Kolon executives and employees from Seoul were charged with conspiring together to steal trade secrets and obstruction of justice for deleting information from their computers:

Jong-Hyun Choi, 56, was a senior executive overseeing the Heracron Business Team. He allegedly met with other top executives at Kolon to develop the directives to secure consultants and directly participated in carrying out the directives.

In-Sik Han, 50, managed Kolon's research and development related to Heracron and was allegedly responsible for overseeing the "consulting" sessions with ex-DuPont employees.

Kyeong-Hwan Rho, 47, worked for Kolon for more than 25 years and served as the head of the Heracron Technical Team beginning in January 2008. He allegedly participated in the consulting sessions.

Young-Soo Seo, 48, reported to Choi and served as the general manager for the Heracron Business Team beginning in November 2006. He allegedly participated in the consulting sessions.

Ju-Wan Kim, 40, was a manager on the Heracron Business Team from September 2007 through February 2009 and reported to Seo. He was the main point of contact at Kolon for at least one of the ex-DuPont employees. He also participated in the consulting sessions.

The conspiracy and theft of trade secrets counts each carry a maximum penalty of 10 years in prison and a fine of $250,000 or twice the gross gain or loss for individual defendants, and a fine of $5 million or twice the gross gain or loss for the corporate defendant. The obstruction of justice count carries a maximum penalty of 20 years in prison and a fine of $250,000 or twice the gross gain or loss for individual defendants, and a fine of $500,000 or twice the gross gain or loss for the corporate defendant.

The indictment seeks at least $225 million in forfeiture, which represents the approximate gross proceeds of the sale of Heracron from January 2006 through June 2012, along with $341,000 in payments made to former DuPont employees in exchange for trade secret information.

The case is being prosecuted by Assistant U.S. Attorneys Timothy D. Belevetz and Kosta S. Stojilkovic of the U.S. Attorney's Office for the Eastern District of Virginia's Financial Crimes and Public Corruption Unit and Trial Attorney John W. Borchert of the Criminal Division's Fraud Section and Senior Counsel Rudolfo Orjales of the Criminal Division's Computer Crime and Intellectual Property Section. This case is being investigated by the FBI's Richmond Field Office.

This case is part of efforts being undertaken by the Department of Justice Task Force on Intellectual Property (IP Task Force) to stop the theft of intellectual property. Attorney General Eric Holder created the IP Task Force to combat the growing number of domestic and international intellectual property crimes, protect the health and safety of American consumers, and safeguard the nation's economic security against those who seek to profit illegally from American creativity, innovation and hard work. The IP Task Force seeks to strengthen intellectual property rights protection through heightened criminal and civil enforcement, greater coordination among federal, state and local law enforcement partners, and increased focus on international enforcement efforts, including reinforcing relationships with key foreign partners and U.S. industry leaders. To learn more about the IP Task Force, go to www.justice.gov/dag/iptaskforce.


RUSSIAN MOLE HAD ACCESS TO WEALTH OF CSIS, RCMP, PRIVY COUNCIL FILES

http://www.theglobeandmail.com/news/politics/russian-mole-had-access-to-wealth-of-csis-rcmp-privy-council-files/article4627659/?page=all

October 22, 2012
By COLIN FREEZE and JANE TABER

Revelations about the Jeffrey Delisle spy case have been found in a treasure trove of documents obtained by The Globe and Mail – including his confession to police and the apocalyptic postmortems by federal officials. A naval 'threat assessment analyst,' he had been cleared to acquire reports from civilian agencies – including CSIS, Canada's spy agency, and the PCO, Ottawa's bureaucratic nerve centre.

The Canadian mole at the centre of an international espionage scandal was after more than military secrets – he accessed computer networks filled with files from the Privy Council Office, the Canadian Security Intelligence Service, the RCMP, as well as databases maintained by foreign allies.

Revelations about the Jeffrey Delisle spy case have been found in a treasure trove of documents obtained by The Globe and Mail – including his confession to police and the apocalyptic postmortems by federal officials.

These documents reveal the Canadian Forces intelligence officer's astonishing breadth of access to state secrets, and precisely what the Russian GRU spy service was asking him to look for.

He spied for more than 50 months before being caught. A naval "threat assessment analyst," he had been cleared to acquire reports from civilian agencies – including CSIS, Canada's spy agency, and the PCO, Ottawa's bureaucratic nerve centre.

"We spy on everybody. Everybody spies," Sub-Lieutenant Delisle told police after his arrest. "I tried to just give them [the Russians] stuff that shows them that 'Hey, we're just paying attention.'"

The bulk of what he divulged, he said, was picked up by electronic eavesdropping, and not by any undercover spies. "There's not human assets listed on our machines," he explained. "It's SIGINT [signals intelligence] really."

Still, officials reckoning with his betrayal fear the worst about blown identities and blown surveillance.

"He has access to CSIS reporting ... they were in places in the Middle East," SLt. Delisle's boss at the Trinity naval-intelligence-fusion centre in Halifax told police. "The fact that he could disclose that to other nations could embarrass the government."

Placed under surveillance only days before his January, 2012, arrest, SLt. Delisle was caught copying two CSIS reports, in addition to unspecified foreign material, before trying to e-mail that information to the Russians.

Under Vladimir Putin, Russia has greatly reinvested in espionage. The GRU, the intelligence branch of the Russian armed forces, hired SLt. Delisle after he walked into the Ottawa embassy to volunteer his services in July, 2007.

Once interrogated, he admitted to some breaches. He said he passed along a U.S. Chief of Defence Intelligence contact list and similar contact lists to the Russians.

He denied blowing the cover of any Canadian or allied spies. "They wanted Western agents in Russia, which we never had," he said.

SLt. Delisle's "Top Secret Five Eyes Only" clearance provided him access to what one source calls the "motherlode" database – the "Stone Ghost" repository of intelligence from English-speaking powers, especially the United States and Britain.

It's unclear what foreign material he purloined from it; but there is little doubt he took volumes.

"It was never really Canadian stuff," SLt. Delisle told police. He later added, "There was American stuff, there was some British stuff, Australian stuff – it was everybody's stuff."

For Canadian military intelligence, he had turned to "Spartan" – a Department of National Defence network. For civilian intelligence reports, the "Mandrake" system was one-stop shopping. "So you got PCO, you got CSIS, you got RCMP, you got Transport Canada, you got CBSA – you get 'em all," he told police.

Documents suggest some of SLt. Delisle's Top Secret clearances may have been pulled for 18 months, but it's not clear why they were pulled or why they were restored.

The Russians, he said, were fixated on counterespionage but wanted files on the "energy sector government of Canada" as well as Russian organized crime and political figures. The GRU also tapped SLt. Delisle to learn what he could about a specific but unnamed "GRU agent" in financial trouble.

SLt. Delisle pleaded guilty to espionage early this month. He is still to be sentenced, with his next court date set for January. His closest colleagues told police the damage he wrought was "unfathomable" and "astronomical."

"He had robust access to all source intelligence from our partners ... Australia, , Great Britain and the United States ... Straight through to Canada's only reporting, such as CSIS reports or Privy Counsel Office reports."

On Sunday, U.S. Ambassador David Jacobson characterized the leak as "a lot of highly classified material".

"I will say this: he pleaded guilty to selling secrets of the United States and secrets of Canada to the Russians. That is obviously not good," the ambassador told CTV's Question Period.

How he did it:

On the 10th day of every month for nearly five years, Jeffrey Delisle sold secrets to the Russians.

First, he downloaded military secrets from his secure office computers onto a floppy disk. Then, he put the data on a memory stick, took it home to his laptop, and then input the data in a "Draft" e-mail.

He used Gawab.com – a Web-based e-mail provider hosted in the Middle East. He and his Russian handlers shared a password to one account. That way, they could communicate via draft e-mails, without ever having to send more traceable messages across the Internet.

For this, Sub-Lieutenant Delisle was paid $3,000 a month. The amount was capped because, he told police, anything more than $3,000 "gets flagged."

His paymasters told him not to be too "flashy" with his money.

He was paid by money orders. Records show SLt. Delisle picked up his funds at a number of Money Mart locations, regardless of whether he was stationed in Kingston, Ottawa or Halifax.

Canadian Security Intelligence Service

Mandate: Human source spying

Delisle damage assessment: "Severe and irreparable"

Implications: "The unauthorized release of [CSIS] reports to a hostile foreign intelligence service could have allowed this foreign intelligence service to identify CSIS sources ... The service is unaware at this time if and how many other CSIS employees' names were potentially passed to the Russians. Their association to the service might put these employees at risk by hostile intelligence services and terrorist groups."


(Continued from page 15)

What he took

Two days before his arrest on Jan. 13, Sub-Lieutenant Jeffrey Delisle was observed by police as he attempted to send two "secret" CSIS documents to Russia.

CSIS later determined the risk to national security was "high" given the documents could have helped identify intelligence officers, as well as a "shopping list" of other valuable reports.

That was one breach. But the vast amount of spying that SLt. Delisle committed over four and a half years of treachery was never observed.

Under interrogation, he said he passed Russia material originating from Canada, Britain, the United States and Australia. He also said he sent over conversations gleaned from electronic surveillance as well as "contact lists" of intelligence officials.

He denied ever giving up undercover spies.

Canadian Security Intelligence Service

Mandate: Human source spying

Delisle damage assessment: "Severe and irreparable"

Implications: "The unauthorized release of [CSIS] reports to a hostile foreign intelligence service could have allowed this foreign intelligence service to identify CSIS sources ... The service is unaware at this time if and how many other CSIS employees' names were potentially passed to the Russians. Their association to the service might put these employees at risk by hostile intelligence services and terrorist groups."

"Delisle admitted to providing contact lists of intelligence-related individuals .. he has put at risk the security of these individuals and the partnership of Canada's closest allies."

"[Delisle] may have 1) damaged the Service's relationship with its closest foreign partners... 2) affected the safety/security of Service sources and that of its closest foreign partners; 3.) informed the Russians of the extent of the Service's investigations; and 4.) compromised service methodologies including how it assess, reports and communicates information and intelligence."

Communications Security Establishment Canada

Mandate: Electronic-eavesdropping agency

Delisle Damage assessment: "High"

Implications: "Should a non-allied foreign government have acquired the [CSIS] reports uploaded on 11 January 2012 it would have gained insight into matters of national security well beyond the intended intelligence purposes of the reports themselves. ... Analysis of the contents of these reports could reasonably lead a foreign intelligence agency to draw a number of significant conclusions about allied and Canadian intelligence targets, techniques, methods, and capabilities. Countermeasures taken as a result of insight (real or perceived) into intelligence capabilities could be costly in terms of lost sources and additional work to re-establish – where possible – these intelligence capabilities."

Trinity centre at CFB Halifax

Mandate: Intelligence "fusion centre"

Delisle damage assessment: "Astronomical"

Implications: "I can't fathom the response the globe will be facing. It'll stop. We'll lose our intelligence ... it could lead to the death of our sailors in the worst-case scenario.

"We'll lose our intelligence. If he passed information about what the [CENSORED] reporting was doing, he could expose or provide information to whoever. And that puts either their operations or their lives in jeopardy ... civilian members, government members.

"If we lose information from our allies we might not get that indication of an impending terrorist attack. ... I think this is going to push us back to the Stone Age ...

"It's the worst case scenario and it's unfathomable."

Department of National Defence

Mandate: Canada's military

Delisle damage assessment: "Exceptionally grave"

Implications: "The release of this information by the accused puts Canada's relationships with our partners in jeopardy. The inability to provide the assurance to our allies that we can and are safeguarding their intelligence could in extremis result in the termination of access. Canada's closest intelligence allies are the United States, Britain, Australia, New Zealand and NATO...

"This compromise could put Canadians, Canadian Forces members, and allies in the field at risk. This disclosure may also negatively affect our ability to receive timely and essential intelligence and information from our allies, which in turn puts the safety of Canadian citizens and of our Canadian Forces members in jeopardy."

'SO DEAD INSIDE': HOW THE MOUNTIES CRACKED JEFFREY DELISLE

http://www.theglobeandmail.com/news/politics/so-dead-inside-how-the-mounties-cracked-jeffrey-delisle/article4630144/

COLIN FREEZE and JANE TABER
The Globe and Mail
Published Monday, Oct. 22 2012, 9:35 PM EDT
Last updated Tuesday, Oct. 23 2012, 10:45 AM EDT

It took more than an hour of patient questioning before RCMP Sergeant Jimmy Moffat tipped his hand.

"Jeff, we have you. Okay? You're caught. You're so caught," the police interrogator said, showing printouts of e-mails to Russian spies.

It was around 9 p.m. on Jan. 13, in the police interview room. Just a few hours after the arrest.

For almost five years, Sub-Lieutenant Jeffrey Delisle had lived a double life. But he broke down and confessed in no time, according to a 63-page interrogation transcript obtained by The Globe and Mail.

"Jim. I've been so dead. So dead inside," he said, before sobbing. "It wasn't for the money."

SLt. Delisle recalled the moment he betrayed his country. "I walked right into the Russian embassy and said, 'Here I am. …' "

It was 2007. He didn't specify the date beyond that it was "the day my wife cheated."

The 41-year-old divorced father of four admitted that he had spied. And that he had done it for the most banal of reasons. He had a broken heart.

The naval officer's hemorrhaging of state secrets has caused "astronomical" damage to national security, federal officials have said. On Monday in the House of Commons, interim Liberal leader Bob Rae pressed for a judicial inquiry into the Delisle debacle. The Conservative government is playing down the problem.

Earlier this month, SLt. Delisle pleaded guilty to espionage-related charges. A sentencing hearing is scheduled for January.

The naval intelligence officer had never been a riser in the Canadian Forces. In fact, his 16-year career never really got off the ground.

"I can't deploy because I'm diabetic," he told police. "I never sailed."

(continued on page 17)

(continued from page 16)

But he was put into a virtual crow's nest from which he could see very far: the Trinity naval intelligence centre inside CFB Halifax. Trinity bursts with state secrets collected from all corners of the Earth. Secrets that are lent in confidence to Canada by its allies.

Trinity is exactly where an aggressive, non-allied spy service such as Russia's GRU would want to be. And, through a proxy, it was.

No one noticed SLt. Delisle scouring intelligence databases for references to Russia. No one noticed him cutting and pasting text into files. No one cared that his secure computer had – against most military protocols – a floppy disk drive.

Sgt. Moffat asked the suspect how he moved data out of a secure facility.

"Disk – floppy," SLt. Delisle replied.

"Floppy disk?"

"Yeah – I know," he said, adding that his computer was "ancient."

After SLt. Delisle downloaded material onto a disk, he used a second computer to transfer the data to a USB memory stick, which he pocketed before leaving. At home, he plugged the stick into his laptop to send files to the GRU. (And, after the stick was wiped clean, he said it usually ended up in his son's Xbox.)

The Mounties were tipped to Sgt. Delisle's treachery by intelligence partners in December, 2011. Once looped in, detectives rushed to get warrants to spy on the spy.

The surveillance meant there was zero chance SLt. Delisle could lie his way out of trouble. Police had seen his every keystroke. "You type, 'I love you,' I see, 'I love you,' " Sgt. Moffat made a point of saying during the interview. "You erase, 'I love you,' – I still see, 'I love you.' "

"Love" was used hypothetically. But, as it turned out, love was the key to cracking the psyche of SLt. Delisle, who had tried to be cagey for as long as he could in the interrogation.

Police knew he was not paid a princely sum for the secrets. Money transfers showed he got only $3,000 a month. And while the GRU had issued veiled threats to keep SLt. Delisle working, that wouldn't explain why he had turned in the first place.

Sgt. Moffat applied a classic interrogation technique, probing to see if a bruised ego could have been the trigger.

"Something went wrong Jeff. You went through a lot of pain," Sgt. Moffat said.

"A lot of pain," he replied.

The word "pain" triggered memories of his wife cheating. The intelligence officer confided to Sgt. Moffat that the infidelity had made him suicidal.

"I wanted to die, but I can't leave my children," SLt. Delisle said. So he settled on the next best thing.

"I committed professional suicide. That's what I did."

And that was why, he said, on a day in 2007, he put on his civilian clothes, went to Charlotte Street in Ottawa, and entered the Russian embassy to offer his services.

"I was devastated," he said. "Crushed to no end."

Somehow, in the muddled mind of the mole, his indiscretions were the lesser betrayal. Yet, he knew full well the global consequences.

"This is going to blow up like a powder keg," SLt. Delisle said as the RCMP interview wrapped up.

SENIOR LIEUTENANT JEFFREY DELISLE

CHINESE SUSPECTED OF SPYING ON U.S. STRATEGIC MISSILE BASE IN WYOMING:

Source: http://freebeacon.com/spy-games/

A group of Asian men set off alarm bells in U.S. counterintelligence circles last week by showing up outside the entrance to a U.S. strategic missile base in Wyoming.

Between eight and 10 people suspected of being Chinese nationals drove up to the entrance outside F.E. Warren Air Force Base, one of three strategic nuclear missile bases in the United States. According to defense officials and a base spokeswoman, the group asked to use the rest room at the base's visitor control center. They then began asking questions about photos of Air Force command leaders posted on a "command board" at the entrance facility. The suspicious visitors then asked to photograph display missiles near the entrance to the base, and were denied.

The base, home to the 90th Missile Wing that includes a group of Minuteman III nuclear missiles, is located about three miles west of Cheyenne, Wyo.

One security official said the suspicious incident on Sept. 3 appeared to be part of a Chinese intelligence collection operation or perhaps a training exercise for intelligence personnel. Another theory is that the group was part of the population of Asian guest workers residing in other parts of Wyoming or the west.

U.S. intelligence officials have said Chinese intelligence agencies conduct aggressive spying activities against U.S. military facilities and have been known to case the Pentagon's strategic missile defense base at Fort Greeley, Alaska.

F.E. WARREN AFB

WHY A YOUNG AMERICAN WANTS TO BE A RUSSIAN SPY

(EDITOR'S NOTE: This is taken from the Moscow Times, so I am not including any hyperlinks back to the original source of this article, or within the body of this story. Readers may be interested in reading the Russian perspective on the "sleeper agents", which is reprinted below.)

08 August 2012
By Andrei Soldatov

The notion that several children of the sleeper spies arrested in 2010 in the United States were groomed by Russian authorities to become foreign spies as adults is more evidence of the absurdity of the whole operation.

Tim Foley, 20, is the eldest son of Donald Heathfield and Tracey Foley, whose real names are Andrei Bezrukov and Yelena Vavilova. Tim became a problem for U.S. authorities from the outset of the spy scandal. He had already finished his sophomore year at George Washington University when his parents were arrested by U.S. authorities. Following the deportation of the Russian agents from the United States, Foley informed the university that he still planned to continue his studies there. But since Foley reportedly knew sensitive details about his parents' activities, Russian authorities have not allowed him to return to the United States.

On July 31, The Wall Street Journal reported that the FBI had determined Tim Foley's desire to serve Russia's intelligence services after bugging the Foleys' home. According to FBI officials, Tim's parents told their son they wanted him to follow in their footsteps, after which Tim stood up and swore allegiance to "Mother Russia," the Journal said.

As a result of this article, many journalists concluded that the Russian spies could have posed a greater threat to U.S. national security than was thought two years ago because their children grew up in that country and could better integrate into American life and one day infiltrate U.S. government agencies.

In 2010, the United States and Russia interpreted the spy scandal differently. Washington saw it as proof of the failure and backwardness of Russian intelligence, while Moscow claimed it was a proud achievement that it could infiltrate U.S. society. Russian leaders believed the Foreign Intelligence Service had finally restored the prestigious status that it lost after the end of the Cold War.

At the time, I explained to U.S. journalists that Russia's secret operation was a complete failure. After all, the spies had been working undercover for years and had failed to obtain a single government secret. What's more, the Russian side considered the operation a success only because the agents had managed to initially fool U.S. authorities with fake passports. But the agents did absolutely nothing of importance while in the United States, so their accomplishment of securing fake passports was negligible at best.

This notion that a spy operation is successful by simply establishing a physical presence in a foreign country was inherited by the Foreign Intelligence Service from its predecessor, the KGB. It is worth noting that the Foreign Intelligence Service is the only intelligence agency in Russia that was not subjected to post-Soviet reforms. It was simply spun off into a separate agency after the Soviet collapse. As a result, the agency kept all of the outdated traditions and practices of the KGB without understanding that they have no relevance to today's environment.

One of the largest anachronisms of this Soviet legacy was the practice of sending Russian citizens to live in the West undercover. This emerged in the late 1940s when new secret agents were needed to replace a decreasing supply of Communist sympathizers in the West. In reality, the practice of using Communist sympathizers was never really successful anyway because they did not have professional intelligence backgrounds, nor did they have the social connections needed to secure sensitive government posts.

Faced with a shortage of foreign agents, Russian intelligence came up with the idea of sending sleeper agents that Moscow hoped would be able to strike from within Western society at the needed moment — that is, if the Cold War turned hot.

Why has this outdated practice continued in Russia when almost every other country gave it up many years ago?

One of the biggest problems is that the Foreign Intelligence Service answers directly to President Vladimir Putin, not to the parliament or the public. It was therefore a relatively easy task to convince Putin of the wisdom of continuing the old tradition of supporting sleeper agents in foreign countries.

(continued on page 19)

(continued from page 18)

What's more, the opportunity to plant Russian agents in the United States appealed to Putin's ongoing desire to outdo Russia's former Cold War enemy any way he could. Still stuck in the past, Putin views this superpower rivalry much in the same way he wants Russian athletes to get more medals than the Americans at the Olympic Games.

Judging by The Wall Street Journal article, the United States has finally understood and accepted Russia's logic. Only that logic could explain why U.S. authorities are wondering what the naturalized children of the spies could have accomplished in five or six years had they graduated from U.S. universities and their parents' true identity remained undetected. In fact, the renewed U.S. concern over the spy incident is the best possible gift that the Foreign Intelligence Service, with its wounded pride, could have received.

But there is another, more mundane explanation why Tim Foley wanted to continue his studies at George Washington University: When the young man learned that his parents earned so much money for simply living in the United States and doing absolutely nothing, he could not resist the temptation to follow in their footsteps and get the cushiest job on Earth.

Andrei Soldatov is an intelligence analyst at Agentura.ru and co-author of "The New Nobility: The Restoration of Russia's Security State" and "The Enduring Legacy of the KGB."

TALIBAN POSE AS 'ATTRACTIVE WOMEN' ON FACEBOOK FOR SPYING

http://www.ndtv.com/article/world/taliban-pose-as-attractive-women-on-facebook-for-spying-265257

(Editor's Commentary: This article, from an Indian publication, goes to the use of Facebook by the enemy and how real it really is. This is a lesson that must be taken to heart, not only to the warfighters on the front line, but also those deployed far from home and tempted to make Facebook friends with total strangers.)

Press Trust of India | Updated: September 10, 2012 14:49 IST

Melbourne: Taliban insurgents are posing as "attractive women" on Facebook to befriend coalition soldiers for gathering sensitive intelligence about operations in Afghanistan, an Australian government report has warned.

The dangers of social media have been pointed out in a federal government review of social media and defence, which was finalised in March but has not been acted upon, Defence sources said.

The review found an "overt reliance" on privacy settings had led to "a false sense of security" among personnel.

The review warns troops to beware of fake profiles. "Media personnel and enemies create fake profiles to gather information. For example, the Taliban have used pictures of attractive women as the front of their Facebook profiles and have befriended soldiers," it said.

Australian soldiers are now being given pre-deployment briefings about enemies creating fake profiles to spy on troops.

Personnel are also being warned that geo-tagging, a function of many websites that secretly logs the location from where a post is made or a photo is uploaded, is a significant danger.

Family and friends of soldiers are inadvertently jeopardising missions by sharing confidential information online, Australia's Daily Telegraph reported.

Three Australian soldiers were this month murdered inside their base, allegedly by an Afghan Army Trainee.

Many of the 1577 Defence members surveyed for the review had no awareness of the risk, it said, adding 58 per cent of the Defence staff had no social media training.

Surveyed troops said social media open "a whole can of worms when it comes to operational, personnel and physical security."

"Many individuals who use social media are extremely trusting," the review said.

"Most did not recognize that people using fake profiles, perhaps masquerading as school friends, could capture information and movements. Few consider the possibilities of data mining and how patterns of behaviour can be identified over time," the review added.

The review recommended education for family and friends on the dangers of sharing details like names, ranks and locations. Several troop members have argued for a total social media ban.

"I see too many members who post info/pics of themselves which identify what unit they belong to and where they are serving," a soldier said.

Security expert Peter Hannay, from Edith Cowan University's school of computer and security science, said geo-tag information "can be data-mined and sold to anybody".

EXAMPLE OF FAKE FACEBOOK PAGE


DETER DETECT DEFEND IDENTITY THEFT

The following is from a brochure offered by:

Office of Security Operations Security (OPSEC)
U.S. Department of Homeland Security Office of Security Washington, D.C. 20528
Phone: (202) 447-5010
Email: [email protected]

Users are highly encouraged to contact DHS to obtain copies of the brochure or to view it in its original form.

Identity theft is a serious crime. It occurs when your personal information is stolen and used without your knowledge to obtain credit or commit fraud and other crimes. Identity theft can cost you time and money. It can destroy your credit and ruin your good name.

Deter identity thieves by safeguarding your information.

Shred financial documents and paperwork with personal information before you discard them.

Be careful what you throw in the trash.

Protect your Social Security number. Don't carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary or ask to use another identifier.

Don't give out personal information on the phone, through the mail, or over the Internet unless you know who you are dealing with. Identity thieves will pose as bank representatives, internet service providers, and even government officials to get you to reveal identifying information.

Never click on links sent in unsolicited emails; instead, type in a web address you know.

Use firewalls, anti-spyware, and anti-virus software to protect your home computer; keep them up-to-date.

Visit OnGuardOnline.gov for more information.

Don't use an obvious password like your birth date, your mother's maiden name, or the last four digits of your Social Security number.

Keep your personal information in a secure place at home, especially if you have roommates, employ outside help, or are having work done in your house.

Make a list of all your credit card account numbers and bank account numbers with customer service phone numbers and keep it in a safe place.

Detect suspicious activity by routinely monitoring your financial accounts and billing statements.

Be alert to signs that require immediate attention:

Bills that do not arrive as expected
Unexpected credit cards or account statements
Denials of credit for no apparent reason
Calls or letters about purchases you did not make

Inspect your credit report. Credit reports contain information about you, including what accounts you have and your bill paying history.

The law requires the major nationwide consumer reporting companies—Equifax, Experian, and TransUnion—to give you a free copy of your credit report each year if you ask for it.

Visit www.AnnualCreditReport.com or call 1-877-322-8228, a service created by these three companies, to order your free credit reports each year. You also can write: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

When you receive your credit reports, review them carefully. Confirm that your personal information is correct. Look for inquiries you did not initiate, accounts you did not open, and unexplained debts. If there are accounts or charges you did not authorize, immediately notify the credit bureaus.

Review financial accounts and billing statements regularly, looking for charges you did not make.

Defend against ID theft as soon as you suspect it.

Place a "Fraud Alert" on your credit reports, and review the reports carefully. The alert tells creditors to follow certain procedures before they open new accounts in your name or make changes to your existing accounts. The three nationwide consumer reporting companies have toll-free numbers for placing an initial 90-day fraud alert; a call to one company is sufficient:

Equifax: 1-800-525-6285
Experian: 1-888-EXPERIAN (397-3742)
Trans Union: 1-800-680-7289

Placing a fraud alert entitles you to free copies of your credit reports. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain.

Close accounts. Close any accounts that have been tampered with or established fraudulently.

Call the security or fraud departments of each company where an account was opened or changed without your okay. Follow up in writing, with copies of supporting documents.

Use the ID Theft Affidavit at ftc.gov/idtheft to support your written statement.

Ask for verification that the disputed account has been closed and the fraudulent debts discharged.

Keep copies of documents and records of your conversations about the theft.

File a police report. File a report with law enforcement officials to help you with creditors who may want proof of the crime.

Report the theft to the Federal Trade Commission. Your report helps law enforcement officials across the country in their investigations.

Online: ftc.gov/idtheft
By phone: 1-877-ID-THEFT (438-4338) or TTY, 1-866-653-4261
By mail: Identity Theft Clearinghouse, Federal Trade Commission, Washington, DC 20580

COMMON WAYS ID THEFT HAPPENS:

Skilled identity thieves use a variety of methods to steal your personal information, including:

1. Dumpster Diving. They rummage through trash looking for bills or other paper with your personal information on it.

2. Skimming. They steal credit/debit card numbers by using a special storage device when processing your card.

3. Phishing. They pretend to be financial institutions or companies and send spam or pop-up messages to get you to reveal your personal information.

4. Changing Your Address. They divert your billing statements to another location by completing a "change of address" form.

5. "Old-Fashioned" Stealing. They steal wallets and purses; mail, including bank and credit card statements; pre-approved credit offers; and new checks or tax information. They steal personnel records from their employers, or bribe employees who have access.

(continued on page 21)

(continued from page 20)

(Editor's Note: The following article is reprinted from the Internet Crime Complaint Center. Readers are encouraged to visit the IC3 web site to see this material in its original form.)

Intelligence Note
Prepared by the Internet Crime Complaint Center (IC3)
October 12, 2012
http://www.ic3.gov/media/2012/121012.aspx

SMARTPHONE USERS SHOULD BE AWARE OF MALWARE TARGETING MOBILE DEVICES AND SAFETY MEASURES TO HELP AVOID COMPROMISE

The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher. Loozfon is an information-stealing piece of malware. Criminals use different variants to lure the victims. One version is a work-at-home opportunity that promises a profitable payday just for sending out email. A link within these advertisements leads to a website that is designed to push Loozfon on the user's device. The malicious application steals contact details from the user's address book and the infected device's phone number.

FinFisher is a spyware capable of taking over the components of a mobile device. When installed the mobile device can be remotely controlled and monitored no matter where the Target is located. FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.

Loozfon and FinFisher are just two examples of malware used by criminals to lure users into compromising their devices.

Safety tips to protect your mobile device:

When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.

Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user's personal data in the case of loss or theft.

With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.

Review and understand the permissions you are giving when you download applications.

Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.

Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.

Be aware of applications that enable Geo-location. The application will track the user's location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.

Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in "unrestricted" or "system" level within an operating system, it allows any compromise to take full control of the device.

Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.

If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.

Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.

Avoid clicking on or otherwise downloading software or links from unknown sources.

Use the same precautions on your mobile phone as you would on your computer when using the Internet.

If you have been a victim of an internet scam or have received an e-mail that you believe was an attempted scam, please file a complaint at www.IC3.gov .

LAWYERS' IDENTITIES BEING USED FOR FAKE WEBSITES AND SOLICITATIONS

http://www.fbi.gov/scams-safety/e-scams

09/14/12—A recent scam has surfaced in which the identity of a Texas attorney, who had not practiced in years, was used to set up a fake law firm website using the attorney's maiden name, former office address, and portions of her professional biography. Other attorneys have complained about the use of their names and professional information to solicit legal work. All attorneys should be on the alert to this scam. If you become aware of the same or a similar situation involving your name and/or law firm, you should immediately report the incident to local authorities, your state Bar, and the FBI at the Internet Crime Complaint Center. Additionally, be sure to closely monitor your credit report or bank accounts to ensure that your identity is not the only thing being stolen. If you have been a victim of an Internet scam or have received an e-mail that you believe was an attempted scam, please file a complaint at www.IC3.gov .

PANELISTS BRAINSTORM TO BUFFER AGAINST SUPPLY CHAIN THREAT

http://www.defense.gov/news/newsarticle.aspx?id=118019

By Amaani Lyle
American Forces Press Service

WASHINGTON, Sept. 26, 2012 – Defense Department and National Security Agency officials met with members of academia and industry today to discuss managing and protecting an ever-more-global, commercial and financially complex supply chain.

As National Cyber Security Awareness month approaches in October, panelists framed dialogue at the Potomac Institute for Policy Studies to explore how its significant investment in cyberspace supports global missions.

Brett Lambert, deputy assistant secretary of defense for manufacturing and industrial base, and Dennis Bartko, special assistant for cyber at NSA, were part of the panel.

The defense industrial base, Lambert said, comprises a diverse set of companies that provide products and services directly and indirectly to the military and NSA.

He added that the industrial base is not a monolithic entity. Rather, it includes companies that run the gamut from major companies to garage start-ups.

While some companies deal directly with the federal government, Lambert said, the vast majority of suppliers, subcontractors and providers are in a value chain that leads to those private contractors, often 10 to 15 times removed.

"Some products and services are sold by companies in the defense industrial base that are truly unique to defense applications," he said, "but most have substantial levels of nondefense demand or even [are] sold exclusively on commercial terms."

Just as some suppliers may not realize their product is used in a military system, he added, DOD, in turn, may not realize it depends on a commercial component.

"For decades, the United States has commanded a decisive lead in the quality and quantity of the defense-related research and engineering conducted globally," Lambert said. He also noted the critical role the U.S. defense industrial base supply chain plays in equipping the military with superior and "technically vibrant" capabilities.

"We rely on our industrial supply chain to develop, build and ultimately maintain the goods and services upon which our warfighters' lives depend, as well as the lives of the citizens they defend," Lambert said.

However, DOD and NSA are concerned about protecting the valuable information that's contained within cyberspace, the experts said. "Cyberspace is where our nation stores its treasure and its wealth -- our treasure being the intellectual property of our nation … and our wealth, not being so much the money that we print or the coins that we mint, but the bits and databases that actually represent that," Bartko said.

The use of cyberspace, he added, has enhanced national security, economic competitiveness, public safety and civil liberties, but challenges and threats remain and derive from various origins, tools and techniques.

Insider threats through cyber networks over remote access are one example of things that could jeopardize critical supply chains, Bartko said, and determining solutions requires a recognition and understanding of cyberspace's main attribute: convergence.

Media such as video, telephone systems, text messaging and email were separate before the advent of smartphones, tablets and similar devices, Bartko noted.

"Cyberspace was created from separate elements that were converging over time increasingly [and] became [what] we call the Internet and … cyberspace," he said, resulting in a need for integration in buffering supply chains. And continual change also is critical, as information contained in cyberspace exponentially increases, Bartko said. "We know that cyberspace is not going to be the same tomorrow as it is today," he said. "Our response needs to be highly agile."

OUR UNIVERSITIES ARE LEAKING SECRETS

Source: http://www.newsmax.com/Newsfront/universities-military-secrets-russia/2012/04/30/id/437442

(Editor's note: A very detailed article about leaks of classified information emanating from our universities can be found at the above link. A brief snippet follows):

For 15 days in late 2009, Internet users in 36 countries, including China, Russia, Iran, and Pakistan, viewed sensitive information about U.S. weapons technology that was supposed to be for American eyes only.

The disclosure, which prompted a rebuke from a U.S. State Department official, came from a Georgia Institute of Technology course for federal employees and contractors on infrared technology used in weapons-aiming systems for aircraft, ships and tanks. Asked by instructor David Schmieder to copy the course onto a DVD, Georgia Tech's media staff instead uploaded it to servers.

"I completely forgot the course's access was restricted," Media Quality Control Supervisor Edward Bailey told university investigators, according to documents obtained from Georgia Tech through a public-records request.

CONTINUE READING AT:

http://www.newsmax.com/Newsfront/universities-military-secrets-russia/2012/04/30/id/437442

CYBER RELATED THREATS REPORTED IN THE DHS DAILY OPEN SOURCE INFRASTRUCTURE REPORT

The following are extracts from DHS Daily Open Source Infrastructure Report, located at http://www.dhs.gov/files/programs/editorial_0542.shtm . These reports link back to more detailed reporting from the original source. Included here are extracts pertaining to cyber threats prevalent on a daily basis. Readers may find practical applications for this material both in their work and in their personal use of computing devices and internet usage.

September 4, Help Net Security –(International) FAKE AMEX 'SECURITY VERIFICATION' PHISHING EMAILS DOING ROUNDS. Malicious spam emails impersonating American Express (AmEx) have been hitting inboxes in the last few days, trying to make recipients open an attached HTML file to gather personal information, Help Net Security reported September 4. The email purports to be a notification about a Membership Security Verification, and warns the users that a "slight error" has been detected in their AmEx accounts. To make it right —and not lose access to their accounts in the next 48 hours —the victims are urged to download the attached HTML file and open it in a browser. The phishers are looking for every bit of personal and financial data they can get, including the user's name, address, home and work telephone numbers, Social Security number, mother's maiden name and date of birth, user's date of birth, AmEx credit card number, expiration date, card security code, ATM PIN, email address, and the password for it. All of the information submitted on the fake form will be sent to online criminals and subsequently used to steal the identities of victims as well as use their credit card details to conduct fraudulent transactions, according to Hoax-Slayer.
Source: http://www.net-security.org/secworld.php?id=13520

August 28, Nextgov –(National) SOFTWARE ALERT CLAIMING TO BE FROM CYBER COMMAND AIMS TO STEAL MONEY. Fraudsters are posing as officials from U.S. Cyber Command and other federal agencies to scare Internet users into paying off bogus fines, the U.S. Computer Emergency Readiness Team warned August 28. The alert stated that it is aware of multiple malware campaigns impersonating multiple U.S. government agencies. The malicious software pulls up a computer screen claiming that a federal agency has determined the user is involved in criminal activity. The message directs the victim to either pay a fine or lose access to the computer. The FBI has warned of similar schemes that essentially hold computers hostage until the unassuming victim pays imposter bureau agents a fine. This apparently is the first time hackers have taken the identity of the Cyber Command to collect ransom. "Affected users should not follow the payment instructions," the alert states.
Source: http://www.nextgov.com/cybersecurity/2012/08/software-alert-claiming-becyber-command-aims-steal-money/57715/

September 13, Threatpost –(International) RESEARCH SHOWS HALF OF ALL ANDROIDS CONTAIN KNOWN VULNERABILITIES. About half of all Android phones contain at least one vulnerability that could be used to take control of the device, according to new research. Duo Security, which launched a free vulnerability scanning application for Android in the summer of 2012, said their preliminary data from users shows a huge number of the devices are vulnerable to at least one of all known Android flaws. The X-Ray app from Duo scans Android devices for a set of known vulnerabilities in a variety of the Android releases. Many of them are flaws attackers have used in the last few months. The main issue with Android security and patches is that each carrier is responsible for pushing out new versions of the operating system to its users, and they all do it on random timelines. Also, users do not have to upgrade, so there is a good chance many users are running older, vulnerable versions of Android at any given time.
Source: http://threatpost.com/en_us/blogs/research-shows-half-all-androids-contain-known-vulnerabilities091312

September 17, Help Net Security –(International) LinkedIn-themed spam using data stolen in June breach? Spoofed LinkedIn emails notifying recipients of messages requiring their attention are not new, but ones being distributed recently appear to be more targeted than usual. The emails supposedly come from LinkedIn Reminders and usually contain "There are a total of messages awaiting your response" in the subject line. What makes this spam run different is that most of them landed in real accounts instead of spam traps, making Avira's researchers suspect the spammers have access to information stolen from the professional social network during the June breach. If that is true, the scammers are probably having more success than usual in trying to get users to follow the offered link. While the link's destination is an online pharmacy presenting no immediate danger to users, the destination can be changed at any time, and lead them to Web sites serving malware.
Source: http://www.net-security.org/secworld.php?id=13607

September 14, Threatpost –(International) Fake ADP and FDIC notifications leading users to Blackhole Exploit Kit. The latest iteration of the Blackhole Exploit Kit hit the Web the week of September 10 and attackers spread links to get unsuspecting victims to click through to the first version of the kit. Email notifications claiming to come from Microsoft Exchange, ADP, the Federal Deposit Insurance Corporation (FDIC), and other purported trusted sources were spotted leading Web users to pages hosting the original exploit kit. A notification claiming to come from payroll services company ADP tries to trick employees into clicking through to what appears to be their Online Invoice Management account to "protect the security of [their] data." An email disguised as a voicemail notification from Microsoft Exchange Server tries to get users to click a link to listen to a voicemail. An email that appears to be from the FDIC tries to get users to click to download a new security version.
Source: http://threatpost.com/en_us/blogs/fake-adp-and-fdic-notifications-leadingusers-blackhole-exploit-kit-091412

September 18, Softpedia –(International) FBI: Networks of financial institutions targeted with malware, RATs, and keyloggers. An FBI report shows that cybercriminals have started focusing their efforts on targeting the networks of financial institutions, Softpedia reported September 18. Cybercriminals are relying on spam, keyloggers, Remote Access Trojans (RATs), phishing, and other malicious elements to steal employee log-in credentials. The Internet Crime Complaint Center (IC3) reported that the stolen information has been utilized to perform unauthorized wire transfers for amounts between $400,000 and $900,000. In the first phase of these operations, the criminals use spam and phishing emails. Once they compromise the machine of an employee, they plant RATs, keyloggers, and other pieces of malware to gain access to internal networks and the details needed to access third party systems. Most of the victims appear to be small to medium-sized banks and credit unions, but major financial institutions have also been targeted. In some cases, the crooks launched distributed denial-of-service attacks against the bank's Web site, most likely to cover up their fraudulent transactions.
Source: http://news.softpedia.com/news/FBI-Networks-of-Financial-Institutions-Targeted-with-Malware-RATs-and-Keyloggers-293126.shtml

September 18, Help Net Security –(International) BOGUS 'REFUND PENDING' EMAILS TARGETING PAYPAL CUSTOMERS. Fake PayPal notifications about a bogus refund are hitting inboxes around the world, trying to trick users into following the offered link and supposedly log into their accounts to receive it. The link will take users to a page that looks like PayPal's log-in page, but is actually a fake one mimicking PayPal's, and all the information submitted gets forwarded directly to the phishers behind the scheme. They will then likely use it to hijack the victim's PayPal and gain entrance to other online accounts.
Source: http://www.net-security.org/secworld.php?id=13615

September 13, Softpedia –(International) Page: CRITICAL LIMITED EDITION MALWARE TARGETS DEFENSE INDUSTRY. Researchers analyzed a piece of malware called Page. They found the critical limited edition malware is masqueraded as a PDF file and sent out to companies in the aviation defense industry. When victims open the apparently innocent PDF file, they are presented with an invitation to an upcoming industry event. While the user views the invitation, a vulnerability in Collab.getIcon is exploited to create and execute a file. Once it is executed, the file drops a DLL, which opens a backdoor at TCP port 49163 and initiates network communications, FireEye experts explained.
Source: http://news.softpedia.com/news/Page-Critical-Limited-Edition-Malware-Targets-Defense-Industry-291955.shtml

September 19, Infosecurity – (International) INTERNET EXPLORER ZERO-DAY TARGETING DEFENSE INDUSTRY. Researchers at AlienVault discovered new versions of the new zero-day vulnerability in Internet Explorer that are targeting a number of defense and industrial companies, including a U.S. aircraft and weapons delivery systems firm, a U.S. aerospace and defense technology company, and a U.K. defense contractor. "We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants," a researcher said. "We were able to check that the official Web site of the company has been compromised as well and it is serving the Internet Explorer ZeroDay to the visitors. They've included an iframe to the exploit in the entry page." The researcher and his team also found the exploit code evolved and is now able to infect not only Windows XP but also Windows 7 32-bit running Java 6.
Source: http://www.infosecurity-magazine.com/view/28357/

September 20, Reuters – (International) BANK GROUP WARNS OF HEIGHTENED RISK OF CYBER ATTACKS. The Financial Services Information Sharing and Analysis Center (FS-ISAC) warned U.S. banks, brokerages, and insurers September 19 to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public Web sites. FS-ISAC raised the cyber threat level to high from elevated in an advisory to members, citing "recent credible intelligence regarding the potential" for cyber attacks as its reason for the move. The move by FS-ISAC came just 2 days after the FBI published a "fraud alert" advising financial services firms that cyber criminals may be disrupting service to their Web sites in a bid to keep banks from noticing a recent surge in fraudulent large-sized wire transfers.
Source: http://in.reuters.com/article/2012/09/20/us-jpmorganchase-websiteidINBRE88I16M20120920

September 20, Government Computer News – (National) ENERGY LAB DEVELOPS SOPHIA TO HELP SECURE SCADA SYSTEMS. New cybersecurity software developed by an Energy Department lab specifically for utilities and other industrial systems could be available as early as October. The Idaho National Laboratory's Sophia software sentry, funded by the Energy Department's Office of Electricity Delivery & Energy Reliability and DHS, passively monitors networks to help operators detect intruders and other anomalies. Industrial systems such as power plants have concentrated on physical security because they were not connected to the Internet, but that has changed as operators have added computer networks. Sophia is a tool to automate real-time monitoring on static Supervisory Control and Data Acquisition (SCADA) system networks — those with fairly fixed communications patterns. Anything out of the ordinary triggers an alert. If the program detects suspicious activity, it alerts an operator or network administrator, who can then decide if the activity is threatening.
Source: http://gcn.com/articles/2012/09/20/inl-sophia-industrial-control-system-security-tool.aspx

September 24, Threatpost – (International) ANOTHER IE EXPLOIT TARGETING DEFENSE INDUSTRY DISCOVERED. Another malicious Web site was discovered hosting an exploit for the zero-day vulnerability in Internet Explorer patched by Microsoft the week of September 17. This site, like the other exploits discovered, targets the defense and space industries, and is dropping an unknown payload, according to Barracuda Labs. One researcher said the compromised site is not likely a drive-by attack, but instead may be included in phishing email messages to specific individuals within those respective industries. Previous exploits were dropping either the Poison Ivy or PlugX remote access trojans. This malicious file discovered by Barracuda has a similar file name to the others, Grumgog.swf, named after a character in a video game. Barracuda did not identify the payload dropped here, but did call it a backdoor.
Source: http://threatpost.com/en_us/blogs/another-ie-exploit-targeting-defense-industry-discovered-092412

September 25, Softpedia – (International) DHL: MOST COMMON WORD USED IN SPEAR PHISHING ATTACKS IN 2012 H1. In a new report, FireEye identified a trend in the words being utilized in the names of malicious files sent in spam campaigns. In the second half of 2011, the most common word used in such cybercriminal campaigns was "label". In the first half of 2012, "label" dropped to the 6th position. Currently, the most commonly utilized words in spear phishing attacks are "dhl" and "notification". Each of these words appears in almost a quarter (23.42 percent and 23.37 percent, respectively) of all the malicious attachments that land in users' inboxes. Other words that stand out are: "delivery", "express", "2012", "shipment", "ups", "international", "parcel", "post", "confirmation", "alert", "usps", "report", "jan2012", "april", "identification", "ticket", and "shipping".

This shows that most of the malicious files that come via spam emails are somehow related to shipping. While this may not seem new, the figures from the report reveal that names related to this topic have grown from 19.20 percent to 26.35 percent.
Source: http://news.softpedia.com/news/DHL-Most-Common-Word-Used-in-Spear-Phishing-Attacks-in-2012-H1-294570.shtml

September 10, Dark Reading – (National) RETAIL FAIL: WALMART, TARGET FARED WORST IN DEF CON SOCIAL ENGINEERING CONTEST. The third annual Def Con Social Engineering Capture the Flag Contest held at the Def Con 20 conference in July featured 20 contestants competing to elicit as much specific information, or flags, out of employees at Walmart, AT&T, Verizon, Target, HP, Cisco, Mobil, Shell, FedEx, and UPS in cold-calls. Walmart and Target ended up with the highest scores, which means they did the worst, said a professional social engineer with social-engineer.org who led the contest. Walmart performed the worst by exposing the most information both online and when its employees were cold-called by the social engineering contestants.

Contestants posed as everything from fellow employees to office-cleaning service providers, using these phony personae as pretexts to schmooze the employees to give up seemingly benign but actually very valuable data that can expose an organization to attack. One disturbing trend: every employee who was asked to visit a URL during the call did so. Among the flags contestants could pursue were disk-encryption type, ESSID name, computer model and OS, antivirus software, name of cleaning/janitorial service, and the name of the company's third-party security guard company. Mobil and Shell employees contacted by the contestants posing as their various pretext characters were the most cautious and uncooperative in giving up information.
Source: http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240007096/retail-fail-walmart-target-fared-worst-in-def-con-social-engineering-contest.html

September 26, Krebs on Security – (International) Chinese hackers blamed for intrusion at energy industry giant Telvent. A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers the week of September 17 that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain, Krebs on Security reported September 26. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests. In letters sent to customers, Telvent Canada Ltd. said that September 10 it learned of a breach of its internal firewall and security systems.

Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies. The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.
Source: http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

September 25, Krebs on Security – (International) ESPIONAGE HACKERS TARGET 'WATERING HOLE' SITES. Security experts are accustomed to direct attacks, but some of today's more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called "watering hole" tactics have recently been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare, and utilities sectors. In a report released September 25, RSA First Watch's (RSA) experts hint at — but do not explicitly name — some of the watering hole sites. According to RSA, the sites in question were hacked between June and July 2012.
Source: http://krebsonsecurity.com/2012/09/espionage-hackers-target-watering-hole-sites/

TOP WORDS USED IN INTERNET SCAMS

October 5, Help Net Security –(International) TROJAN DISGUISED AS IMAGE DELIVERED VIA SKYPE MESSAGES. A spamming campaign that surfaced in the last few days is being propagated via compromised Skype accounts. The offered links do not lead to an image, but to a malicious executable (skype_02102012_image.exe) posing as one. Running the file will cause it to self delete and the infected PC will begin making DNS requests to a number of URLs, including a .pl, a .com and a .kz - we also saw references to IRC channel names in the network traffic and are investigating further, said a researcher from GFI.
Source: http://www.net-security.org/malware_news.php?id=2285

PENTAGON EXPANDING PUBLIC-PRIVATE CYBER INFORMATION SHARING PROGRAM

FP, 27 Sep 2012: Rather than wait for Congress to pass legislation enabling private companies to send information about cyber attacks to the U.S. government, the Pentagon is expanding a little-known program allowing defense contractors to share information with the government about cyber espionage and attacks against them. In recent years, U.S. defense contractors have famously been hit by cyber attacks compromising information on high-profile weapons systems, such as the $1.5 trillion F-35 Joint Strike Fighter program. In the case of the F-35, the attacks have led to costly software redesigns and production delays. To remedy this, the Defense Industrial Base Cybersecurity and Information Assurance (DIBCIA) program was established several years ago as a voluntary partnership between defense contractors with security clearances and the government, aimed at sharing information on cyber threats and even providing companies with assistance from U.S. intelligence agencies in defending against cyber threats. Now, the Pentagon is opening up DIBCIA to a broader swath of companies.

"If you're a Defense Department contractor with a facility clearance, we want to share classified threat information with you," said Richard Hale, the Pentagon's deputy chief information officer for cyber during a Sept. 27 cybersecurity conference in Washington. "It's a voluntary program. We'll share with you, you share with us. We also have a second part of that program that allows you to get security services from a service provider that's getting classified information and using it to protect you." DoD is now working with the Department of Homeland Security to develop a similar program that would allow companies responsible for maintaining critical infrastructure -- banks, utilities, Internet service providers, etc. -- the ability to share information on cyber threats with DHS.

"We're teamed closely with [the Department of Homeland Security] to see if DHS can expand this model out to other critical infrastructure," said Hale. This comes as Pentagon officials revealed that they plan to work with private companies to develop incentives to meet high standards to defend against cyber attacks via counterfeit or compromised electronic parts in their supply chain (this is either a major threat or completely overblown, depending on who you ask).

So far, these efforts between DoD and defense contractors to share information and defend against cyber threats have been "enormously successful," Eric Rosenbach, deputy assistant secretary of defense for cyber policy told Killer Apps earlier this month. Rosenbach went on to describe the part of the information-sharing subset of DIBCIA whereby U.S. intelligence agencies analyze cyber threats on behalf of defense contractors via something called the Defense Enhanced Cybersecurity Service, (DECS). "We wanted to create a new model for trying to protect information, so we are using specialized [threat] signatures [known to] the intelligence community, giving them to Internet service providers, who then screen the Internet service traffic" to protect defense companies who subscribe to the service, said Rosenbach. He insisted that the intelligence community does not see the actual web traffic -- and therefore private citizens' information -- running across the networks of Internet service providers (ISPs); it merely gives information and analysis about malicious signatures to the providers who can be on the lookout for them.

"The part that's unique is the intelligence community involvement, just giving them the signatures. The intelligence community does not scan the traffic, see the traffic, see any of the results of scanning, so they're completely separate. They just give the special sauce, so to speak," said Rosenbach, referring to the information on advanced cyber threats given by intelligence agencies to the ISPs.

Defense contractors pay for this service and "the only thing that the government provides [is the analysis of] these specialized signatures and the ISPs are responsible for making sure it all runs," added Rosenbach. Those signatures are "basically a string of numbers in hexadecimal format that's mostly unintelligible unless it's read by a machine or an antivirus program," said Rosenbach. "That type of information, technical information, is what's most valuable to information sharing. It's not the personally identifiable information that we're interested; it's the type of information that could help you stop an attack if you know what you're looking for." DECS, the part of the program aimed at sharing the threat signatures with intelligence agencies, "ran in pilot mode" for several years and was finally cleared to expand in the spring of this year, DoD Chief Information Officer Teri Takai told Killer Apps during the same interview as Rosenbach. "It's something we think could be expanded to possibly work for protecting critical infrastructure and other parts of the federal government," said Rosenbach. "We've got a queue of companies that are interested in joining, we've got other federal agencies that are interested in coming aboard, and we've got other federal agencies that are interested in either using our program or creating a similar program," added Takai.

Congress has repeatedly tried and failed to pass legislation that would allow and encourage private companies to share information about cyber security threats with the U.S. government. Many of these bills have been met with strong opposition from civil liberties groups -- and in some cases the White House -- who claim that companies could unnecessarily gather and share private information about U.S. citizens with the government, in the name of cybersecurity. Supporters of these bills argue that real-time information sharing between critical infrastructure providers and the government is required to defend against advanced cyber threats.
Source: http://killerapps.foreignpolicy.com/posts/2012/09/27/pentagon_expanding_public_private_cyber_information_sharing_program

October 11, Computerworld –(International) NEW SECURITY THREAT AT WORK: BRING-YOUR-OWN-NETWORK. Even as IT pros wrestle with the bring-your-own-device (BYOD) trend, corporate security is being further complicated by another emerging trend: bring your own network (BYON). BYON is a byproduct of increasingly common technology that allows users to create their own mobile networks, usually through mobile wireless hotspots. Security professionals say BYON requires a new approach to security because some internal networks may now be as insecure as consumer devices. An attorney with the law firm Much Shelist said BYON represents a more dangerous threat to data security than employees who bring their own smartphones or tablets into the office. "The network thing blows this up completely, because it takes the data out of the network the company protects," he said.
Source: http://www.computerworld.com/s/article/9232302/New_security_threat_at_work_Bring_your_own_network

Internet Crime Complaint Center's (IC3) Scam Alerts

http://www.ic3.gov/media/2012/121023.aspx

October 23, 2012

This report, which is based upon information from law enforcement and complaints submitted to the IC3, details recent cyber crime trends and new twists to previously-existing cyber scams.

DATING EXTORTION SCAM

The IC3 has recently received reports regarding a scam that baits individuals into intimate online conversations and then extorts them for financial gain. The scam was initiated after the victims met someone online, such as on a dating site, and were asked to connect via a specific online social network. Shortly after, the conversations became sexual in nature. Later, victims received text messages, either containing their names, asking if it was them or containing a statement that indicated their names were posted on a particular website. The victims were provided a link to a page on the website that claimed they were a "cheater." Photos of the victims and their telephone numbers were also posted. There was an option to view and buy the posted conversations for $9. Victims were also given the option to have their names and conversations removed for $99. Some were even told that once the payment was made, the information would be removed within an hour and the website would not allow anyone to post anything pertaining to the victims' names again. However, reports do not indicate that the information was ever removed.

PAYDAY LOAN SCAMS

The IC3 has received thousands of complaints regarding pay day loan scams over the last three years and continues to see new variations of the scam. The scam involves victims who are relentlessly contacted, via the telephone, at their residences and places of employment. The subjects claim the victims are delinquent on a payday loan and must repay the loan to avoid legal consequences. The subjects use coercion techniques such as harassment, threats, and claims that they were representatives of government agencies and law firms. Only some of the victims have reported previously applying for a payday loan; others said they have never made such an application.

The subjects seem to have accurate information on the victims, including social security numbers, dates of birth, addresses, employer information, bank account numbers, names and telephone numbers of relatives and friends.

The subjects refuse to provide any details of the alleged payday loans and become abusive when questioned. Victims are threatened with legal actions, arrests and, in some cases, physical violence if they refuse to pay. Some have been told there was an outstanding warrant for their arrest. Many reported that subjects have also harassed their relatives, friends, and employers. In a couple of instances, the subjects came to the victims' places of employment and residences claiming to be process servers.

Over the last couple of months, the scam has evolved from just receiving telephone calls to also receiving official-looking emails purportedly from the United States Attorney. The emails reference the FBI, court proceedings, and serious allegations. Allegations include violation of federal banking regulations such as collateral check fraud, theft by deception, and fraudulently conducting electronic fund transfers. Recipients were instructed to contact the subject within 48 hours of receiving the email.

To educate consumers and reduce the number of victims of this scam, the IC3 has posted two Public Service Announcements (PSA) warning consumers. The first PSA was posted in December 2010 and the most recent was posted in February 2012. Both PSAs are available at:

http://www.ic3.gov/media/2012/120221.aspx

and

http://www.ic3.gov/media/2010/101201.aspx

Dark Reading posted the following article on September 18, 2012:

NEW TDSS/TDL4 MALWARE INFECTS 46 OF FORTUNE 500

New Domain Generation Algorithm-Based Malware Claims At Least 250,000 Victims

A new iteration of TDSS/TDL4 malware has infected at least 250,000 victims, including 46 companies in the Fortune 500, researchers said Monday.

According to a new report on the TDSS/TDL4 malware published by security firm Damballa, the new attack is using domain generation algorithm (DGA)-based communication for command-and-control (C&C).

Used by Murofet, Sinowal and the recent Mac-based Flashback malware, DGA communications techniques are being used to successfully evade detection by blacklists, signature filters and static reputation systems, and to hide C&C infrastructure, Damballa reported.

TDSS/TDL4 is malware known to infect the master boot record (MBR) of computers, making it resistant to common practices in remediation. It has been described as the "indestructible" botnet, with the ability to act as a launch pad for other malware. At one point it was reported as having infected over 4.5 million victims.

A total of 85 hosting servers and 418 unique domains were identified as being related to the new TDSS/TDL4 threat, Damballa said. The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).

"By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic," said Manos Antonakakis, director of academic sciences for Damballa.

"With its known ability to act as a launch pad for other malware and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks go undetected for long periods of time," Antonakakis said.

http://www.fbi.gov/news/stories/2012/october/new-cyber-safety-website-for-teachers-students

(Editor's Comment: The above and following are taken from the FBI Public website, and may be viewed in its original form at the above hyperlink)

Safe Online Surfing

New Cyber Safety Website for Teachers, Students

10/15/12

With school back in session, one topic that's on many class curriculums around the nation is cyber safety. After all, it's a hyper-connected world—with texting, social networking, e-mail, online gaming, chat, music downloading, web surfing, and other forms of wired and wireless communication now a regular part of children's lives.

The FBI has a new program that can help. Today, as part of its longstanding crime prevention and public outreach efforts, the FBI is announcing a free web-based initiative designed to help teachers educate students about cyber safety.

It's called the FBI-SOS (Safe Online Surfing) Internet Challenge—and it was developed with the assistance of the National Center for Missing & Exploited Children and with the input of teachers and schools.

FBI-SOS is available through a newly revamped website at https://sos.fbi.gov. The site features six grade-specific "islands"—for third- through eighth-grade students—highlighting various aspects of cyber security through games, videos, and other interactive features. Each island has either seven or eight areas to explore—with a specific cyber safety lesson—and its own central character and visual theme. For example, fourth grade features Ice Island, complete with falling snow and penguins.

To encourage participation and enhance learning, FBI-SOS includes both testing for students and competition among schools. Each grade level has its own exam, which can only be taken after teachers have signed up their respective classes and all activities on the island have been completed by each student. And once all the exams for a class are graded (done electronically by the FBI), schools appear on a leader board in three categories based on the number of total participants. During each rating period, top scoring schools in each category nationwide are awarded an FBI-SOS trophy and, when possible, receive a visit from a local FBI agent. All public, private, and home schools are eligible to participate.

For teachers and schools, FBI-SOS provides virtually everything they need to teach good cyber citizenship:

A free, ready-made curriculum that meets state and federal Internet safety mandates (see sidebar for topics covered);

Age-appropriate content for each of the six grade levels;

A printable teacher's guide that spells out how teachers can sign up their classes and use the site; and

Detailed rules and instructions for students.

Can anyone visit the website? Absolutely. Kids of all ages—and even adults—can explore the site, play the games, watch the videos, and learn all about cyber safety. However, the exam can only be taken by third- to eighth-grade students whose classes have been registered by their teachers.

An important note: the FBI is not collecting student names, ages, or other identifying information through the website. Students are identified only by number when taking the exams; their teachers alone know which number matches which student. And teachers only need to provide their name, school, and e-mail address when signing up. The e-mail address is needed to verify the teacher's identity for registration purposes.

"FBI-SOS is a fun, free, and effective way to teach kids how to use the Internet safely and responsibly," says Scott McMillion, head of the unit that manages the program in the FBI's Criminal Investigative Division. "We encourage teachers to check out the site and sign up their classes during the school year."

Visit the site at https://sos.fbi.gov

SOS Topics

After entering the FBI-SOS website, students "travel" to their grade-specific island, which includes either seven or eight learning portals to visit. These areas address topics such as the protection of personal information, password strength, cell phone safety, social networking, and online gaming safety. The videos also include real-life stories of kids who have faced cyber bullies and online predators.

Child ID App

The Safe Online Surfing (SOS) website is the second tool the FBI has launched over the past year to help protect kids. The other—the FBI Child ID app—provides an easy way for parents to use their smartphones to store pictures and information on their kids in case they go missing.

The FBI SOS site highlights cyber security through games, videos, and other interactive features.


ILLUSTRATED BELOW IN ALL ITS AUTHENTICITY IS AN EXAMPLE OF OUR BRAVE COUNTERINTELLIGENCE FORCES IN ACTION, SMASHING SPIES AND FIGHTING THE COMMUNIST MENACE DURING THE 1950'S


Advantage SCI Vision: "Educate America's 300 million people and business leaders on prevention, detection, and response to 21st century threats."

Corporate Headquarters
Advantage SCI, LLC
222 North Sepulveda Boulevard
Suite 1780
El Segundo, California 90245
Phone: 310.536.9876 Fax: 310.943.2351
www.advantagesci.com

Newsletter Editor: Richard Haidle, Counterintelligence Services Manager
[email protected]
310.536.9876 x237

Advantage SCI is a 8(A), SERVICE-DISABLED VETERAN-OWNED BUSINESS (SDVOSB), SMALL BUSINESS ENTITY (SBE), MINORITY-OWNED BUSINESS ENTITY (MBE), SMALL DISADVANTAGED BUSINESS ENTITY (SDB), WOMAN-OWNED BUSINESS ENTITY (WBE)

Securing Tomorrow Today!

ADVANTAGE SCI PRODUCTS, SERVICES, AND TRAINING

Advantage SCI offers services supporting the counterintelligence needs of the cleared defense contractor community, private business, government, utilities, and municipalities with requirements to protect classified information, trade secrets, intellectual property and other privileged information.

Services include:

• Vulnerability Assessments
• Threat briefings/Foreign Travel Briefings/Debriefings
• Counterintelligence (CI) Awareness Training / Insider Threat Training
• TSCM services in classified or unclassified spaces
• Facility Security Officer (FSO) In a Box
• Consult With a CI Professional
• Foreign Travel Briefings and Debriefings
• Intelligence Analysis / Intelligence Analysts
• Plans, SOPs and Regulatory related materials
• Other matters related to improving CI related posture

NAICS Codes

928110 - NATIONAL SECURITY
541512 - COMPUTER SYSTEMS DESIGN SERVICES
541519 - OTHER COMPUTER RELATED SERVICES
541611 - ADMIN MGMT/GENERAL MGMT CONSULTING
541612 - CONSULTING SERVICES
541618 - OTHER MANAGEMENT CONSULTING
541690 - OTHER SCIENTIFIC AND TECH CONSULTING
541990 - OTHER PROF, SCIENTIFIC, & TECH SERVICES
561210 - FACILITIES SUPPORT SERVICES
561499 - OTHER BUSINESS SUPPORT SERVICES
561611 - INVESTIGATION SERVICES
561621 - SECURITY SYSTEMS (EXCEPT LOCKSMITHS)
561990 - OTHER SUPPORT SERVICES
611430 - PROFESSIONAL AND MGMT DEVELT TRAINING
611699 - OTHER MISC SCHOOLS AND INSTRUCTION
922190 - OTHER JUSTICE, PUBL ORDER/SAFETY ACTIVITIES

Homeland Security and Private Sector Business: Corporations' Role in Critical Infrastructure Protection
By Elsa Lee
Auerbach Publications 2009
Print ISBN: 978-1-4200-7078-1
eBook ISBN: 978-1-4200-7079-8
Order Your Copy at: http://www.crcpress.com/

Since September 11, 2001 the American Public has not had a clear understanding of "Homeland Security" and just what it means for the average citizen and business owner. Elsa Lee, in her first attempt, has hit "a home run!" Not only is the book well researched, but it is quite simply the best resource on this important subject. I found the context to be informative, persuasive, and topical. Not only does the writer provide a clear understanding of the need for a National Infrastructure Plan, but provides the reader with a clear blueprint for protecting all of America's resources at home and abroad. Hopefully, every university and college with a Homeland Security course will use this book as a major text to insure that all students obtain a grounded education on this important topic.

Review by: Alfred J. Finch
FBI Legal Attaché, Cairo (Retired)
