
UNCLASSIFIED

(U) FBI Tampa Division Threat Awareness Monthly Bulletin APRIL 2012

(U) Administrative Note: This product reflects the views of the FBI-Tampa Division and has not been vetted by FBI Headquarters.

(U) Handling notice: Although UNCLASSIFIED, this information is property of the FBI and may be distributed only to members of organizations receiving this bulletin, or to cleared defense contractors. Precautions should be taken to ensure this information is stored and/or destroyed in a manner that precludes unauthorized access.

10 APR 2012

(U) The FBI Tampa Division National Security Threat Awareness Monthly Bulletin provides a summary of previously reported US government press releases, publications, and news articles from wire services and news organizations relating to counterintelligence, cyber and terrorism threats. The information in this bulletin represents the views and opinions of the cited sources for each article, and the analyst comment is intended only to highlight items of interest to organizations in Florida. This bulletin is provided solely to inform our Domain partners of news items of interest, and does not represent FBI information.

In the APRIL 2012 Issue:

NATIONAL SECURITY THREAT NEWS FROM GOVERNMENT AGENCIES:
FBI Director Delivers Statement on Key National Security Threats and Crime Problems
Congressional Commission Release Report on Chinese Capabilities for Computer Network Operations and Cyber

COUNTERINTELLIGENCE/ECONOMIC ESPIONAGE THREAT ITEMS FROM THE PRESS:
FBI Traces Trail of Spy Ring to China
Former DuPont Scientist Pleads Guilty To Economic Espionage
Ex-Marine Accused of Attempting to Export Sensitive Military Items
Australian Indicted in Plot to Export Restricted Military and Other US Technology to
Iranian Convicted In Arms Smuggling Case Deported
As Security Threats Evolve, Justice Department’s Pelak Focuses on Illegal Exports
Noted Scientist Sentenced to Prison for Attempted Espionage, Fraud and Tax Charges
China Suspected of Facebook Attack on NATO's Supreme Allied Commander
Attackers Leverage Iran Nuclear Tensions in Targeted Attack Against US Military Staff
Chinese Universities Send Big Signals to Foreigners
Chinese Spies Target Taiwan's US-Made Defenses
Iran Hacks BBC Persian TV

CYBERSECURITY SPECIAL FOCUS FOR INDUSTRY
The Bright Side of Being Hacked
Study: Senior Executives Lack Awareness of IT Security and Privacy

CYBER THREAT ITEMS FROM THE PRESS:
FBI Director Warns Cyber Crime on Par with Terrorism
Don't Underestimate Cyber Terrorism Threat, Security Experts Say
How to Catch a Cyber Thief: Devoted Cyber-Sleuths Fight Industrial Espionage and
New Interest in Hacking as Threat to Security
Cyber-Criminals Change Tactics as Network Security Improves
New Verizon Breach Data Shows Outside Threat Dominated 2011
: The Latest Trend in
US Cyber Chief: We are Fighting a “Tide of Criminality”
US Nukes Face Up to 10 Million Cyber Attacks Daily
Report: Seized Control of Computers in NASA’s Jet Propulsion Lab
US Secret Service’s “Operation Open Market” Nets 19 Arrests
Anonymous Vandalizes US Prison Contractors' Site
Interpol Says Suspected Hackers Arrested
Anonymous Shuts Interpol Site in Revenge
Anonymous Takes Down Security Firm's Website, Vows to Fight on After Arrests
Unsecured Email Led to Leak of FBI and Scotland Yard Call
Malicious Code in the IT Supply Chain Threatens Federal Operations

COUNTERTERRORISM THREAT ITEMS FROM THE PRESS:
High School Grad Guilty in Terror Case is Cited in Report on Future of Islamist Extremism
NYC Man Gets 27 Years in Homegrown Terror Case
Maryland Teen Plans Guilty Plea in Pennsylvania Terror Case
Philadelphia Man Charged with Aiding Islamic Terror Group
Iran Diplomats Cased NYC Landmarks, Police Official Says
Authorities Probing Possible Terrorist Links to People Taking Photos Of NYC Landmarks
Azerbaijan Arrests 22 Suspected of Plotting US, Embassy Attacks on Iran's Behalf
Former US Army Soldier Indicted for Attempting to Provide Material Support to Al-Shabaab

(U) NATIONAL SECURITY THREAT NEWS FROM GOVERNMENT AGENCIES:

(U) FBI Director Robert Mueller Delivers Statement on Key National Security Threats and Crime Problems to the House Appropriations Committee, Subcommittee on Commerce, Justice, Science, and Related Agencies (07 MAR 2012)

(U) The FBI remains focused on defending the against terrorism, foreign intelligence, and cyber threats; upholding and enforcing the criminal laws of the United States; protecting civil rights and civil liberties; and providing leadership and criminal justice services to federal, state, municipal, and international agencies and partners. Our continued ability to carry out this complex and demanding mission reflects the support and oversight provided by this subcommittee.

(U) More than 10 years after the terrorist attacks of 9/11, the FBI continues to be a threat-focused, intelligence-driven organization that is guided by clear operational strategies. And we remain firmly committed to carrying out these strategies under guidelines established by the attorney general that protect the civil liberties of those entrusting us with the authorities to carry out our mission.

(U) As our nation’s national security and criminal adversaries constantly adapt and evolve, so must the FBI be able to respond with new or revised strategies and operations to counter these threats. The FBI continues to shift to be more predictive, preventative, and actively engaged with the communities we serve. The FBI’s evolution has been made possible by greater use of technology to gather, analyze, and share information on current and emerging threats; expansion of collaboration with new partners, both domestically and internationally; and investments in training, developing, and maximizing our workforce. The FBI continues to be successful in maintaining this momentum of transformation even during these challenging times. Here is a brief summary of key national security threats and crime problems.

(U) National Security Threats

(U) Terrorism

(U) The terrorist threat facing the United States remains complex and ever-changing. We are seeing more groups and individuals engaged in terrorism, a wider array of terrorist targets, greater cooperation among terrorist groups, and continued evolution and adaptation in tactics and communication.


(U) While Osama bin Laden and certain other key leaders have been removed, al Qaeda and its affiliates and adherents continue to represent the top terrorism threat to the United States abroad and at home. Core al Qaeda remains committed to high-profile attacks against the United States. Additionally, al Qaeda affiliates and surrogates, such as al Qaeda in the Arabian Peninsula, represent significant threats to our nation. These groups have attempted several attacks against the homeland and our citizens and interests abroad, including the failed Christmas Day airline bombing in 2009 and the attempted bombing of US-bound cargo planes in October 2010.

(U) In addition to al Qaeda and its affiliates, the United States faces a terrorist threat from self-radicalized individuals. Self-radicalized extremists, often acting on their own, are among the most difficult to detect and stop. For example, in February, the FBI arrested Amine El Khalifi, a 29-year-old Moroccan immigrant, for the suspected attempt to detonate a bomb in a suicide attack on the US Capitol building. According to court documents, Khalifi believed he was conducting the terrorist attack on behalf of al Qaeda and had become radicalized even though he was not directly affiliated with any group. The Khalifi case exemplifies the need for the FBI to continue to enhance our intelligence capabilities, to get critical information to the right people at the right time, before any harm is done.

(U) The basis from which acts of terrorism are committed, from organizations to affiliates/surrogates to self-radicalized individuals, continues to evolve and expand. Of particular note is al Qaeda’s use of online chat rooms and websites to recruit and radicalize followers to commit acts of terrorism. And they are not hiding in the shadows of cyber space: al Qaeda in the Arabian Peninsula has produced a full-color, English-language online magazine. Terrorists are not only sharing ideas; they are soliciting information and inviting communication. Al Shabaab, the al Qaeda affiliate in Somalia, uses Twitter to taunt its enemies, in English, and encourage terrorist activity.

(U) To date, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent. Terrorists have shown interest in pursuing hacking skills. And they may seek to train their own recruits or hire outsiders, with an eye toward pursuing cyber attacks. These adaptations of the terrorist threat make the FBI’s counterterrorism mission that much more difficult and challenging.

(U) Foreign Intelligence

(U) While foreign intelligence services continue traditional efforts to target political and military intelligence, counterintelligence threats now include efforts to obtain technologies and trade secrets from corporations and universities. The loss of critical research and development data, intellectual property, and insider information poses a significant threat to national security.

(U) For example, last year, Noshir Gowadia was sentenced to 32 years in prison for selling secrets to foreign nations. For 18 years, Gowadia had worked as an engineer at Northrop Grumman, the defense contractor that built the B-2 stealth bomber. Gowadia, a naturalized United States citizen from , decided to offer his knowledge of sensitive design aspects of the B-2 to anyone willing to pay for it. He sold highly about the B-2’s stealth technology to several nations and made six trips to China to assist them in the development of stealth technology for their cruise missiles.

(U) Last fall, Kexue Huang, a former scientist for two of America’s largest agriculture companies, pled guilty to charges that he sent trade secrets to his native China. While working at Dow AgriSciences and later at Cargill, Huang became a research leader in biotechnology and the development of organic pesticides. Although he had signed non-disclosure agreements, he transferred stolen trade secrets from both companies to persons in Germany and China. His criminal conduct cost Dow and Cargill millions of dollars.


(U) And just last month, five individuals and five companies were indicted in San Francisco for economic espionage and theft of trade secrets for their roles in a long-running effort to obtain US trade secrets for the benefit of companies controlled by the government of the People’s Republic of China. According to the indictment, the Chinese government sought to obtain a proprietary chemical compound developed by DuPont to be produced in a Chinese factory.

(U) These cases illustrate the growing scope of the “insider threat” from employees who use their legitimate access to steal secrets for the benefit of another company or country. Through our relationships with businesses, academia, US government agencies, and with other components of the Department of Justice, the FBI and its counterintelligence partners must continue our efforts to identify and protect sensitive American technology and projects of great importance to the United States government.

(U) Cyber

(U) Cyber attacks and crimes are becoming more commonplace, more sophisticated, and more dangerous. The scope and targets of these attacks and crimes encompass the full range and scope of the FBI’s national security and criminal investigative missions. Our national security secrets are regularly targeted by foreign and domestic actors; our children are targeted by sexual predators and traffickers; our citizens are targeted for fraud and identity theft; our companies are targeted for insider information; and our universities and national laboratories are targeted for their research and development. Since 2002, the FBI has seen an 84 percent increase in the number of computer intrusions investigations opened. Hackers—whether state sponsored, criminal enterprises, or individuals—constantly test and probe networks, computer software, and computers to identify and exploit vulnerabilities.

(U) Just as the FBI has transformed its counterterrorism program to deal with an evolving and adapting threat, the Bureau is enhancing its cyber program and capabilities. To counter the cyber threat, the FBI has cyber squads in each of our 56 field offices. The FBI now has more than 1,000 specially trained agents, analysts, and digital forensic examiners that run complex undercover operations and examine digital evidence. Along with 20 law enforcement and intelligence agency partners, the FBI is the executive agent of the National Cyber Investigative Joint Task Force. The task force operates through Threat Focus Cells—smaller groups of agents, officers, and analysts from different agencies, focused on particular threats.

(U) In April of this year, the FBI brought down an international “botnet” known as Coreflood. Botnets are networks of virus-infected computers controlled remotely by an attacker. To shut down Coreflood, the FBI took control of five servers the hackers had used to infect some two million computers with malware. In an unprecedented step, after obtaining court approval, we responded to the signals sent from the infected computers in the United States, and sent a command that stopped the malware, preventing harm to hundreds of thousands of users.

(U) Over the past year, the FBI and our partners have also pursued members of Anonymous, who are alleged to have coordinated and executed distributed denial of service (DDoS) attacks against various Internet companies. To date, 16 individuals have been arrested and charged in more than 10 states as part of this ongoing investigation. According to the indictment, the Anonymous group referred to the DDoS attacks as Operation Avenge Assange and allegedly conducted the attacks in support of Wikileaks founder Julian Assange. The defendants are charged with various counts of conspiracy and intentional damage to a protected computer.

(U) US law enforcement and intelligence communities, along with our international and private sector partners, are making progress. Technological advancements and the Internet’s expansion continue to provide malicious cyber actors the opportunity to harm US national security and the economy. Given the consequences of such attacks, the FBI must be able to keep pace with this rapidly developing and diverse threat.

(U) Criminal Threats

(U) Criminal organizations, domestic and international, and individual criminal activity also represent a significant threat to our security and safety in communities across the nation. The FBI focuses on many criminal threats, from white-collar crime and health care fraud to organized crime and gang violence to corruption and violence along the Southwest border. Today, I would like to highlight a number of these criminal threats for the subcommittee.

(U) Financial and Mortgage Fraud

(U) From foreclosure frauds to subprime scams, mortgage fraud is a serious problem. The FBI continues to develop new approaches and techniques for detecting, investigating, and combating mortgage-related fraud. Through the use of joint agency task forces and working groups, the FBI and its partners work to pinpoint the most egregious offenders and identify emerging trends before they flourish. In FY 2011, these efforts translated into roughly 3,000 pending mortgage fraud investigations—compared to approximately 700 investigations in FY 2005. Nearly 70 percent of FBI’s pending investigations involve losses of more than $1 million. The number of FBI special agents investigating mortgage fraud cases has increased from 120 in FY 2007 to 332 special agents in FY 2011. The multi-agency task force and working group model serves as a force-multiplier, providing an array of interagency resources and expertise to identify the source of the fraud, as well as finding the most effective way to prosecute each case, particularly in active markets where fraud is widespread.

(U) The FBI and its law enforcement partners also continue to uncover major frauds, insider trading activity, and Ponzi schemes. At the end of FY 2011, the FBI had more than 2,500 active corporate and securities fraud investigations, representing a 47 percent increase since FY 2008. Over the past three years, the FBI has obtained approximately $23.5 billion in recoveries, fines, and restitutions in such programs, and during FY 2011, the FBI obtained 611 convictions, a historic high. The FBI is pursuing those who commit fraud at every level and is working to ensure that those who played a role in the recent financial crisis are brought to justice.

(U) For FY 2013, the FBI is requesting a program increase totaling $15 million and 44 positions (40 special agents and four forensic accountants) to further address financial and mortgage fraud at all levels of organizations—both senior executives and lower level employees. These resources will increase the FBI’s ability to combat corporate fraud, securities and commodities fraud, and mortgage fraud, and they will enable the FBI to adapt as new fraud schemes emerge.

(U) Health Care Fraud

(U) The focus on health care fraud is no less important. The federal government spends hundreds of billions of dollars every year to fund Medicare, Medicaid, and other government health care programs. In 2011, the FBI had approximately 2,700 active health care fraud investigations, up approximately 7 percent since 2009. Together with attorneys at the Department of Justice and our partners at the Department of Health and Human Services, the FBI is aggressively pursuing fraud and abuse within our nation’s health care system.

(U) The annual Health Care Fraud and Abuse Control Program report showed that the government’s health care fraud prevention and enforcement efforts recovered nearly $4.1 billion in taxpayer dollars in FY 2011. This is the highest annual amount ever recovered from individuals and companies who attempted to defraud taxpayers or who sought payments to which they were not entitled.

(U) Gangs and Violent Crime

(U) Violent crimes and gang activities exact a high toll on victimized individuals and communities. There are approximately 33,000 violent street gangs, motorcycle gangs, and prison gangs with about 1.4 million members who are criminally active in the United States today. A number of these gangs are sophisticated and well organized; many use violence to control neighborhoods and boost their illegal money-making activities, which include robbery, drug and gun trafficking, fraud, extortion, and prostitution rings. Gangs do not limit their illegal activities to single jurisdictions or communities. FBI is able to work across such lines and, therefore, brings particular value to the fight against violent crime in big cities and small towns across the nation. Every day, FBI special agents work in partnership with state and local officers and deputies on joint task forces and individual investigations. The FBI also has a surge capacity that can be tapped into during major cases.

(U) FBI joint task forces (Violent Crime, Violent Gang, Safe Streets, and Safe Trails) focus on identifying and targeting major groups operating as criminal enterprises. Much of the Bureau’s criminal intelligence comes from our state, local, and tribal law enforcement partners, who know their communities inside and out. Joint task forces benefit from FBI surveillance assets and sources to track these gangs to identify emerging trends. Through these multi-subject and multi-jurisdictional investigations, the FBI concentrates its efforts on high-level groups engaged in patterns of racketeering. This investigative model enables us to target senior gang leadership and to develop enterprise-based prosecutions.

(U) In addition, while the FY 2013 budget proposes to eliminate the National Gang Intelligence Center (NGIC), this will not hinder the FBI’s ability to perform the analytical work done there. The FBI will continue to produce intelligence products and threat assessments, which are critical to reducing criminal gang activity in our communities. The FBI will also continue to examine the threat posed to the United States by criminal gangs and will focus on sharing intelligence at the field level, where intelligence sharing and coordination between Department of Justice agencies and state and local partners already exist. For example, our Field Intelligence Groups regularly produce intelligence products covering criminal threats, including gangs. It is through these existing resources that we will continue to produce gang-related intelligence in the absence of NGIC. In fact, the responsibility for the production of that material will happen now at the field level, where gangs operate in neighborhoods, districts, and communities. The field offices are the closest to the gang problem, have a unique understanding of the gang problem, and are in the best position to share that intelligence.

(U) Violence Along the Southwest Border

(U) The escalating violence associated with drug trafficking in Mexico continues to be a significant issue. In addressing this crime problem, the FBI relies on a multi-faceted approach for collecting and sharing intelligence, an approach made possible and enhanced through the Southwest Intelligence Group, the El Paso Intelligence Center, OCDETF Fusion Center, and the intelligence community. Guided by intelligence, the FBI and its federal law enforcement partners are working diligently, in coordination with the government of Mexico, to counter violent crime and corruption that facilitates the flow of illicit drugs into the United States. The FBI is also cooperating closely with the government of Mexico in their efforts to break the power of the drug cartels inside the country.

(U) Most recently, the collective efforts of the FBI, the Drug Enforcement Administration, and other US and Mexican law enforcement partners resulted in the identification and indictment of 35 leaders, members, and associates of one of the most brutal gangs operating along the US-Mexico border on charges of racketeering, murder, drug offenses, money laundering, and obstruction of justice. Of these 35 subjects, 10 Mexican nationals were specifically charged with the March 2010 murders in Juarez, Mexico, of a US Consulate employee and her husband, along with the husband of another consulate employee.

(U) Organized Crime

(U) Ten years ago, the image of organized crime was of hierarchical organizations, or families, that exerted influence over criminal activities in neighborhoods, cities, or states. That image of organized crime has changed dramatically. Today, international criminal enterprises run multi-national, multi-billion-dollar schemes from start to finish. These criminal enterprises are flat, fluid networks and have global reach. While still engaged in many of the “traditional” organized crime activities of loan-sharking, extortion, and murder, new criminal enterprises are targeting stock market fraud and manipulation, cyber-facilitated bank fraud and embezzlement, identity theft, trafficking of women and children, and other illegal activities. This transformation demands a concentrated effort by the FBI and federal, state, local, and international partners to prevent and combat transnational organized crime.

(U) For example, late last year, an investigation by the FBI and its partners led to the indictment and arrest of over 70 members and associates of an Armenian organized crime ring for their role in nearly $170 million in health care fraud. This case, which involved more than 160 medical clinics, was the culmination of a national level, multi-agency, intelligence-driven investigation. To date, it remains the largest Medicare fraud scheme ever committed by a single enterprise and criminally charged by the Department of Justice.

(U) The FBI is expanding its focus to include West African and Southeast Asian organized crime groups. The Bureau continues to share intelligence about criminal groups with our partners and to combine resources and expertise to gain a full understanding of each group. To further these efforts, the FBI participates in the International Organized Crime Intelligence Operations Center. This center serves as the primary coordinating mechanism for the efforts of nine federal law enforcement agencies in combating non-drug transnational organized crime networks.

(U) Crimes Against Children

(U) The FBI remains vigilant in its efforts to remove predators from our communities and to keep our children safe. Ready response teams are stationed across the country to quickly respond to abductions. Investigators bring to this issue the full array of forensic tools such as DNA, trace evidence, impression evidence, and digital forensics. Through globalization, law enforcement also has the ability to quickly share information with partners throughout the world and our outreach programs play an integral role in prevention.

(U) The FBI also has several programs in place to educate both parents and children about the dangers posed by violent predators and to recover missing and endangered children should they be taken. Through our Child Abduction Rapid Deployment teams, Innocence Lost National Initiative, Innocent Images National Initiative, Office of Victim Assistance, and numerous community outreach programs, the FBI and its partners are working to make our world a safer place for our children.


(U) Congressional Commission Release Report on Chinese Capabilities for Computer Network Operations and Cyber Espionage (US-China Economic and Security Review Commission Press Release, www.uscc.gov, 08 MAR 2012)

(U) In March, the US-China Economic and Security Review Commission, which was created by Congress to report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China, released a report entitled: “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage.” The report details how China is advancing its capabilities in computer network attack, defense, and exploitation and examines issues related to cybersecurity, China, and potential risks to US national security and economic interests. "The United States suffers from continual cyber operations sanctioned or tolerated by the Chinese government" said Commission Chairman Dennis Shea. "Our nation's national and economic security are threatened, and as the Chinese government funds research to improve its advanced cyber capabilities these threats will continue to grow. This report is timely as the United States Congress is currently considering cybersecurity legislation, and the Commission hopes that this work will be useful to the Congress as it deliberates on how to best protect our networks."

(U) "The report highlights China's extensive development of cyber tools to advance the leadership's objectives" said Commissioner Michael Wessel. "It's getting harder and harder for China's leaders to claim ignorance and innocence as to the massive electronic reconnaissance and cyber intrusions activities directed by Chinese interests at the US government and our private sector. The report identifies specific doctrinal intent as well as financial support for government-sponsored cyber espionage capabilities. There's clear and present danger that is increasing every day."

(U) The report was prepared for the US-China Economic and Security Review Commission by Northrop Grumman Corp, and is a follow-up to a 2009 report prepared for the Commission by Northrop Grumman on the “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation.” The following is the Commission’s synopsis of the report:

(U) Report Conclusions

(U) Among other things, the report concludes that:

(U) Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to US military operations in the event of a conflict

(U) Chinese commercial firms, with foreign partners supplying critical technology and often sharing the cost of the R&D, are enabling the PLA to receive access to cutting edge research and technology

(U) The Chinese military’s close relationship with large Chinese telecommunications firms creates an avenue for state sponsored or state directed penetrations of supply chains for electronics supporting US military, government, and civilian industry – with the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety

(U) The Chinese Military Is Targeting Sensitive US Defense Systems

(U) Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to US military operations in the event of a conflict.


(U) People’s Liberation Army (PLA) leaders have embraced the idea that successful warfighting is based on the ability to exert control over an adversary’s information and information systems. The PLA has placed computer network operations in a unified framework broadly known as information confrontation and seeks to integrate all elements of information warfare, electronic and non-electronic, offensive and defensive, under a single command authority.

(U) PLA analysts consistently identify logistics and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance) infrastructure as US strategic centers of gravity, which they would almost certainly target in the event of the conflict, likely in advance of actual combat to delay US entry or degrade capabilities. Currently, no policy exists to easily determine appropriate response options to a large scale attack on US military or civilian networks in which definitive attribution is lacking. Beijing, understanding this, may seek to exploit this gray area in US policymaking and legal frameworks to create delays in US command decision making.

(U) The Chinese Military Is Developing Cyber Capability with Commercial & Academic Partners

(U) The PLA is tapping the talent and resources found in China’s commercial IT sector and the academic talent in its military and civilian university system. As part of this effort, the Chinese government funds grant programs to support offensive and defensive cyber research, including research related to information warfare, at civilian and military universities. The PLA also collaborates with Chinese companies and universities in order to receive access to cutting edge research and technology, including dual-use and military-grade microelectronics and telecommunications. This work is often carried out by Chinese commercial firms, with foreign partners supplying critical technology and often sharing the cost of the R&D.

(U) US Critical Infrastructure and Global Supply Chains Are Vulnerable

(U) The Chinese military’s close relationship with large Chinese telecommunications firms creates an avenue for state sponsored or state directed penetrations of supply chains for electronics supporting US military, government, and civilian industry. Globally distributed supply chain networks mean that virtually every sector of private industry has the potential to be impacted; either from upstream manufacturing channels or downstream distribution channels.

(U) Successful penetration of a supply chain such as that for the telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety. Potential effects include providing an adversary with capabilities to gain covert access and monitoring of sensitive systems, to degrade a system's mission effectiveness, or to insert false information or instructions that could cause premature failure or complete remote control or destruction of the targeted system.

(U) The technical and logistical challenges associated with hardware supply chain compromises make these types of attacks feasible for only extremely well-resourced organizations, such as state intelligence organizations, which have the expertise and access to technical personnel to penetrate a supply chain with sophisticated technology.

(U) Analyst Comment: As the USCC report highlights, the PRC People's Liberation Army (PLA) is developing its cyber and C4ISR capabilities by using its PRC partners in academia, telecommunications, and the PRC commercial IT sector to develop relationships with western companies and gain access to critical technology. Florida telecommunications and IT companies that enter joint partnerships with PRC firms should be aware of these PLA activities and take care to safeguard and protect critical, proprietary technology that is not part of the joint venture.

(U) COUNTERINTELLIGENCE/ECONOMIC ESPIONAGE THREAT ITEMS FROM THE PRESS

(U) FBI Traces Trail of Spy Ring to China (The Wall Street Journal, 09 MAR 2012)

(U) Federal agents were searching Walter and Christina Liew's home last July for evidence of corporate espionage when a safe deposit box key caught their attention. They asked Ms. Liew if she knew where the bank was located. Her husband told her in Chinese to say she didn't, according to an account later given by federal prosecutors. An agent who understood Chinese picked up on the exchange and followed Ms. Liew as she left the house, drove to an Oakland bank and tried to empty a safe deposit box the key fit.

(U) The box, according to prosecutors, contained documents outlining a more than decade-long plot to steal DuPont Co. corporate secrets and sell them to a Chinese government-owned company. The Liews now are at the center of a case that the Justice Department says marks the first time US officials have filed criminal espionage charges against a state-owned foreign company. The company, Pangang Group, is fighting the charges, which were unveiled a month ago in San Francisco.

(U) The Liews were charged with conspiring to steal trade secrets and sell them to the Chinese, charges they deny. The allegations involve an obscure chemical and a 50-year-old technology that is hardly cutting edge, but one DuPont has wanted, for decades, to keep secret. The case, described by people intimate with its details and revealed by documents reviewed by The Wall Street Journal, provides a rare view inside a stepped-up drive the federal government has mounted to combat organized efforts by foreign governments to steal US intellectual property. "What we've learned since the end of the Cold War is that when it comes to the economy, our adversaries and even our allies will spy on us when it's in their economic interest," said Frank Figliuzzi, the Federal Bureau of Investigation's assistant director for counterintelligence.

(U) He wouldn't comment on the DuPont-related case but said that, speaking generally, the FBI is doubling down on corporate-espionage investigations because despite years of attempts by the bureau to raise awareness at companies and prosecute trade-secret theft, the problem is growing. Since passage of a law in 1996 giving the Justice Department wide powers to prosecute corporate espionage, only about a dozen cases have been brought.

(U) The number of cases has remained low even as Department officials publicly announced attempted crackdowns on corporate spying before, including one in 2007. Convictions are hard to get because they require tying companies directly to foreign governments, said Patrick Rowan, a former national-security prosecutor. Lisa Monaco, assistant US attorney general for national security, who also wouldn't comment on the DuPont-related case, said that while espionage is traditionally thought of as nations trying to steal military or diplomatic secrets, "today's espionage also involves nation states like China focused on stealing research and development, sensitive technology, corporate trade secrets and other materials to advance their economic and military capabilities."

(U) China regularly denies that its government or state-owned companies engage in concerted efforts at corporate espionage. On a broader level, China aims at gathering already-discovered technical know-how to build global competitors through legitimate means such as joint ventures. More controversially, China has been insisting that foreign companies hand over technology as the price of market access. Within China, many foreign companies are so concerned about intellectual-property theft that they avoid bringing in their cutting-edge technology and manufacturing processes. Federal law-enforcement officials contend US companies do too little to protect their interests, failing to monitor employees and rarely bringing problems to federal agents for fear of bad publicity.

(U) That is not the case with DuPont. It hires former high-ranking federal agents to keep tabs on its intellectual property and notifies federal officials of problems. The Justice Department has won at least four DuPont-related cases in recent years, among them convictions in 2009 of a former DuPont employee for stealing information related to Kevlar high-strength fabric and giving it to a Korean company, and of another for stealing trade secrets related to light-emitting diodes and taking them to China.

(U) DuPont tries as hard to protect long-established technologies as new ones. It was more than 50 years ago that the company laid the groundwork for an efficient process to produce titanium dioxide, a white pigment used in paints and other products, according to court filings. The company honed the process through the years, becoming the world's largest producer of the chemical. To keep its complex production process secret, DuPont allowed most employees to know about only individual pieces of it.

(U) Chinese state-owned companies, including Pangang, a conglomerate based in Panzhihua in Sichuan Province, talked for years with DuPont about opening a joint-venture titanium plant in China, say people familiar with the matter, but a deal was never worked out. In the 1990s, according to documents confiscated from Mr. Liew in Orinda last summer and since filed in federal district court in San Francisco, Pangang and Chinese-government officials started asking businessmen to procure DuPont's proprietary titanium-production methods. Pangang didn't respond to requests for comment. A former chairman of the company denied it dealt in stolen intellectual property.

(U) One document taken in the search of the Liews' home and filed with the court is a letter Mr. Liew addressed in 2004 to Pangang officials, in which he stated that a high-ranking Chinese Communist Party leader asked him in 1991 to bring titanium-dioxide-making secrets back to China. "Some years ago China let me know that she urgently needed titanium white by chlorination technology," the letter reads. "After many years of follow-up research and application, my company has possession and mastery of the complete DuPont way."

(U) In an affidavit filed in court, Mr. Liew, a 54-year-old Chinese Malaysian-born naturalized US citizen who worked in Silicon Valley as an electrical engineer, said, "Those documents are not accurate or reliable." Mr. Liew said he had misrepresented facts, including his employment history and relationships with Chinese officials. A lawyer for Mr. Liew said during a bail proceeding that his client hadn't told the truth in some documents cited by the government, including business pitches that claimed ties to Chinese Communist Party officials. A former Pangang executive to whom the letter was addressed, Hong Jibi, said he was unfamiliar with Mr. Liew. "I don't know him, I never met him, I never dealt with him, and I never got any letter from him," Mr. Hong said in Beijing.

(U) Over the past 15 years, according to court filings and people familiar with the matter, Mr. Liew hired several former DuPont employees knowledgeable about specific pieces of the titanium process, a practice that isn't illegal. One was Tim Spitler, an engineer in Reno, Nev., with a reputation for great titanium expertise. He told a friend around 2003 that he was working with Mr. Liew to cobble together titanium-making know-how to sell to a Chinese company, the friend said in an interview. A lawyer for Mr. Spitler said he eventually agreed to cooperate with investigators. Another was Tze Chao, a 36-year DuPont veteran. Mr. Chao, who last week pled guilty to conspiracy to commit economic espionage (see story below), said in a statement filed in court that shortly after his 2002 retirement, Pangang officials asked him to provide DuPont titanium-dioxide-making information. Mr. Chao said he connected with Mr. Liew after learning Mr. Liew was trying to sell similar information to Pangang.

(U) Prosecutors have filed in court letters purportedly written by Mr. Liew in which he says he has sold DuPont titanium-oxide technology to various companies affiliated with the Chinese government. Mr. Liew's companies received more than $12 million from a Pangang subsidiary between 2009 and 2011 for his efforts. The couple, prosecutors charged, "wired millions of dollars in proceeds from Pangang Group to Christina Liew's relatives" in China.

(U) In 2010, DuPont received an anonymous letter saying that Mr. Liew and one of his employees, a Bay Area man who was also employed by Chevron Corp, had sold DuPont information to a Chinese company, according to court filings. Chevron security officials began an investigation after hearing from DuPont, court filings say, and searched the computer of the employee, named John Liu. They found documents related to DuPont technology, court filings said. Mr. Liu's lawyer noted that his client hasn't been charged. According to people familiar with the case, Mr. Liu has cooperated with prosecutors.

(U) Chevron last March forwarded information found on Mr. Liu's computer to DuPont, which in turn brought it to FBI agents in San Francisco, said people familiar with the case. DuPont last spring also filed a civil suit against Mr. Liew in San Francisco federal court, seeking damages for theft of trade secrets. Mr. Liew's response denied that he and his partners possessed DuPont trade secrets and said there was "no uniqueness" to its titanium-dioxide process. He filed a counterclaim alleging that DuPont had improperly obtained his trade secrets. The suit is pending.

(U) DuPont said the case "demonstrates that DuPont reacts swiftly and vigorously when its trade secrets are stolen. When we learned of the suspected theft, we investigated further until we had sufficient information to file suit. We also notified law enforcement." On July 19, FBI agents searched the Liews' gray house in Orinda, a hilly suburb about 25 miles east of San Francisco. It was during that search that an agent trailed Ms. Liew to a safe deposit box that contained documents and disk drives, prosecutors wrote last month in a court filing opposing bail for Mr. Liew. The Liews were arrested on charges of obstructing their investigation.

(U) FBI agents soon learned that two senior Pangang executives were in California and preparing to meet with the Liews, according to lawyers familiar with the case. They included a top company executive, Zhuang Kai. Agents confiscated the Chinese executives' passports and told them to stay in the hotel in Alameda, Calif., as material witnesses while the investigation continued. Federal agents began translating thousands of pages of Chinese-language documents confiscated from the Liews and following the leads generated. The investigation led them to Mr. Chao, the DuPont retiree. Agents searched Mr. Chao's house in Delaware in October, according to a statement he made as part of his guilty plea. While they found some DuPont-related documents, said a person familiar with the case, they missed others. A few days later, Mr. Chao's court filing says, he took those others into his yard and burned them. But the information the FBI did find was enough for the 77-year-old to decide to cooperate with investigators, court filings show.

(U) Prosecutors granted immunity to the two Pangang executives visiting California so they would talk with prosecutors with their American lawyers present. In late fall prosecutors decided they could no longer hold the men as witnesses and let them return to China. Lawyers for both men say their clients have done nothing wrong. Prosecutors went ahead with preparations for a case against others, and made plans to ask a grand jury to hand up an indictment on a Wednesday in early January, said people familiar with the case. But days before the scheduled grand jury meeting, one intended witness, Mr. Spitler, the Reno-area engineer with the wide knowledge of the titanium dioxide process, shot himself. His family hasn't returned calls requesting comment.

(U) Prosecutors regrouped, and in early February obtained indictments that included Mr. and Ms. Liew; Pangang Group and three affiliates; a midlevel executive of a Pangang affiliate in China for whom the indictment said an arrest warrant had been issued; and a former DuPont engineer named Robert Maegerle. All were charged with conspiracy to commit economic espionage except for Mr. Maegerle, who was charged only with conspiracy to commit theft of trade secrets. He pleaded not guilty in March.

(U) Mr. Chao, in pleading guilty in San Francisco federal court a week ago to conspiracy to commit economic espionage, said he had been led astray after officials from the People's Republic of China "overtly appealed to my Chinese ethnicity and asked me to work for the good of the PRC." Pangang Group's lawyers have said they believe the prosecutors must go through the Chinese judicial system to serve the indictment and are fighting the matter in court. They haven't filed a plea. Ms. Liew pled not guilty in March. Mr. Liew intends to do so as well, his lawyer said. Mr. Liew remains in an Alameda County jail, where he has been since the July raid on his home in Orinda.

(U) Analyst Comment: This case is one of the first in which documents show PRC government officials actively using state-owned companies to target and collect critical foreign technology. As the article notes, "In the 1990s, according to documents confiscated from Mr. Liew in Orinda last summer and since filed in federal district court in San Francisco, Pangang and Chinese-government officials started asking businessmen to procure DuPont's proprietary titanium-production methods." Companies in Florida should be aware of this directed targeting and report any suspicious activity involving PRC delegations or cyber activity to the FBI Tampa Field Office.

(U) Former DuPont Scientist Pleads Guilty To Economic Espionage (US Department of Justice Press Release, 02 MAR 2012)

(U) Tze Chao pled guilty in federal court in San Francisco in March to conspiracy to commit economic espionage, a United States Attorney announced. In pleading guilty, Chao, who was employed by DuPont from 1966 to 2002, admitted that he provided trade secrets concerning DuPont's proprietary titanium dioxide (TiO2) manufacturing process to companies he knew were controlled by the government of the People's Republic of China (PRC). Chao admitted that beginning in 2003, the year after he left DuPont, he began consulting for the Pangang Group, a PRC government controlled company that produces TiO2. According to his plea agreement, Chao had “learned that the PRC government had placed a priority on developing chloride-process TiO2 technology in a short period of time and wished to acquire this technology from western companies.”

(U) In 2008, Chao submitted a bid to design a 100,000 ton per year TiO2 facility for the Pangang Group. In connection with his bid, Chao provided DuPont information to the Pangang Group, including information that, according to his plea agreement, he "understood to be secret to DuPont and not available to the public." Chao did not win the contract but in 2009 was asked by Pangang Group to review design work done by USA Performance Technology Inc. He did so, and in the course of this review, provided additional DuPont trade secret information to Pangang Group.

(U) Chao’s plea comes in connection with the superseding indictment returned three weeks ago charging Walter Liew, Christina Liew, Robert Maegerle, and USA Performance Technology Inc., among others, for their efforts to sell DuPont trade secrets to companies controlled by the PRC government. Those companies – the Pangang Group and three subsidiaries – also were named as defendants in the indictment and charged with conspiracy to commit economic espionage and attempted economic espionage. As part of his plea agreement, Chao agreed to cooperate in the investigation and prosecution of this case. Chao, 77, of Newark, Del., was indicted by a federal Grand Jury on Feb. 7, 2012. He was charged with one count of conspiracy to commit economic espionage, in violation of 18 U.S.C. § 1831(a)(5). Under the plea agreement, Chao pleaded guilty to this charge as alleged in the superseding indictment.

(U) Chao was arraigned yesterday in San Francisco and released on his own recognizance. He entered his guilty plea before the Honorable Jeffrey S. White late yesterday afternoon in San Francisco. A date for sentencing was not set. The maximum statutory penalty is 15 years in prison and a fine of $500,000, plus restitution if appropriate. However, any sentence following conviction would be imposed by the court after consideration of the US Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553. This case is being prosecuted by the Special Prosecutions and National Security Unit of the US Attorney's Office in San Francisco and the Counterespionage Section of the National Security Division of the US Department of Justice. The investigation is being conducted by the Federal Bureau of Investigation.

(U) Ex-Marine Accused of Attempting to Export Sensitive Military Items (US Department of Justice Press Release, 05 MAR 2012)

(U) A retired Marine Corps staff sergeant, who until recently worked in the Marine Aviation Supply Office at Edwards Air Force Base, was arrested by federal agents this morning following an undercover probe that allegedly revealed he lied to the government as part of a scheme to sell sensitive military equipment to buyers around the globe. Sean Elias Sayegh, 41, of Rosamond, was taken into custody at his residence by agents with US Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI).

(U) Sayegh, who retired from the Marine Corps in December 2011, was named in an indictment returned by a federal grand jury last Friday that charges him with four counts of making false statements. Specifically, the indictment alleges that on four occasions Sayegh made fraudulent claims on US Postal Service customs declaration forms, stating that packages he was shipping contained camera lenses and other camera equipment, when the items were actually laser light interference filters (LIFs). The alleged violations, which occurred between December 2009 and February 2010, involved the shipment of more than 100 LIFs. LIFs, which are used with military night vision goggles, are on the US Munitions List and cannot legally be exported without a license issued by the Department of State. LIFs protect the optics inside night vision goggles from being damaged by lasers. The technology is considered sufficiently sensitive that the military requires that LIFs be destroyed when they reach the end of their service life.

(U) The Defense Criminal Investigative Service (DCIS) initiated the probe into Sayegh's activities after receiving a lead about the possible sale of Munitions List items on eBay. DCIS referred the matter to the Naval Criminal Investigative Service (NCIS). HSI joined the investigation, at the request of NCIS, because of the potential export violations. HSI carried out the undercover investigation. Each false statement charge in the indictment carries a statutory maximum penalty of five years in federal prison. Therefore, if he is convicted of the four counts in the indictment, Sayegh would face a maximum sentence of 20 years in prison, as well as a $1 million fine.

(U) "These items may look innocuous, but their sophistication makes them highly sought after by our adversaries," said the special agent in charge for HSI Los Angeles. "They were developed to give America and its allies a strategic military advantage, which is why HSI will continue to work with its law enforcement partners to ensure such technology doesn't fall into the wrong hands." The special agent in charge for NCIS' Southwest Field Office stated, "One of the US military's greatest advantages is its ability to operate effectively at night when our adversaries cannot. In large part, this advantage is reliant on equipment and technologies like former-SSGT Sayegh attempted to sell to unauthorized buyers abroad. Actions like this risk the technological advantage that the US military maintains and for this reason this case is significant. NCIS will work aggressively with our law enforcement partners to stop the compromise of these important technologies." In addition to HSI, NCIS, and DCIS, the US Postal Inspection Service (USPIS) and US Customs and Border Protection (CBP) also played a prominent role in the case.

(U) In November 2009, the government announced the Export Control Initiative to streamline the complex system of US export controls and enhance the coordination of efforts to address current security threats. As part of those ongoing reforms, HSI recently established the Long Beach-based Counter Proliferation Investigations Center (CPIC). CPICs are located in strategic cities where the threat of illegal exportations is greatest. The goal of these centers is to better facilitate regional enforcement efforts to target the illegal exportation of sensitive weapons and technology. In addition to DCIS, NCIS, USPIS, and CBP, other federal agencies currently participating in the HSI-led initiative include the Department of Commerce's Office of Export Enforcement; the Air Force Office of Special Investigations; the Bureau of Alcohol, Tobacco, Firearms, and Explosives; the FBI; and the National Aeronautics Space Agency (NASA) Office of Inspector General. The center enables the participating agencies to pool their resources, expertise, and intelligence to pursue cases involving export enforcement.

(U) Australian Man and His Firm Indicted in Plot to Export Restricted Military and Other US Technology to Iran (US Department of Justice Press Release, 29 FEB 2012)

(U) An Australian man and his company were indicted in February by a federal grand jury in the District of Columbia for conspiring to export sensitive military and other technology from the United States to Iran, including components with applications in missiles, drones, torpedoes and helicopters. The five-count indictment charges David Levick, 50, an Australian national, and his company, ICM Components Inc., located in Thorleigh, Australia, each with one count of conspiracy to defraud the United States and to violate the International Emergency Economic Powers Act (IEEPA) and the Arms Export Control Act; as well as four counts of illegally exporting goods to an embargoed nation in violation of IEEPA; and forfeiture of at least $199,227.41.

(U) Levick, who is the general manager of ICM Components, remains at large and is believed to be in Australia. If convicted, Levick faces a potential maximum sentence of five years in prison for the conspiracy count and 20 years in prison for each count of violating IEEPA. According to the indictment, beginning as early as March 2007 and continuing through around March 15, 2009, Levick and ICM solicited purchase orders from a representative of a trading company in Iran for US-origin aircraft parts and other goods. This person in Iran, referenced in the charges as "Iranian A," also operated and controlled companies in Malaysia that acted as intermediaries for the Iranian trading company.

(U) The indictment alleges that Levick and ICM then placed orders with US companies on behalf of Iranian A for aircraft parts and other goods that Iranian A could not have directly purchased from the United States without US government permission. Among the items the defendants allegedly sought to procure from the United States are the following:

(U) VG-34 Series Miniature Vertical Gyroscopes. These are aerospace products used to measure precisely and/or maintain control of pitch and roll in applications such as helicopter flight systems, target drones, missiles, torpedoes and remotely piloted vehicles. They are classified as defense articles by the US government and may not be exported from the United States without a license from the State Department or exported to Iran without a license from the Treasury Department.

(U) K2000 Series Servo Actuators designed for use on aircraft. The standard Servo Actuator is designed to be used for throttle, nose wheel steering and most flight control surfaces. High-torque Servo Actuators are designed to be used for providing higher torque levels for applications such as flaps and landing gear retraction. These items are classified as defense articles by the US government and may not be exported from the United States without a license from the State Department or exported to Iran without a license from the Treasury Department.

(U) Precision Pressure Transducers. These are sensor devices that have a wide variety of applications in the avionics industry, among others, and can be used for altitude measurements, laboratory testing, measuring instrumentations and recording barometric pressure. These items may not be exported to Iran without a license from the Treasury Department.

(U) Emergency Floatation System Kits. These kits contained a landing gear, float bags, composite cylinder and a complete electrical installation kit. Such float kits were designed for use on Bell 206 helicopters to assist the helicopter when landing in either water or soft desert terrain. These items may not be exported to Iran without a license from the Treasury Department.

(U) Shock Mounted Light Assemblies. These items are packages of lights and mounting equipment designed for high vibration use and which can be used on helicopters and other fixed wing aircraft. These items may not be exported to Iran without a license from the Treasury Department.

(U) According to the charges, Levick and ICM, when necessary, used a broker in Florida to place orders for these goods with US firms to conceal that they were intended for transshipment to Iran. The defendants also concealed the final end-use and end-users of the goods from manufacturers, distributors, shippers and freight forwarders in the United States and elsewhere, as well as from US Customs and Border Protection. To further conceal their efforts, the defendants structured payments between each other for the goods to avoid restrictions on Iranian financial institutions by other countries. The indictment further alleges that Levick and ICM wired money to companies located in the United States as payment for these restricted goods. Levick, ICM and other members of the conspiracy never obtained the required licenses from the Treasury or State Department for the export of any of these goods to Iran, according to the charges.

(U) In addition to the conspiracy allegations, the indictment charges the defendants with exporting or attempting to export four specific shipments of goods from the United States to Iran in violation of IEEPA. These include a shipment of 10 shock mounted light assemblies on Jan. 27, 2007; a shipment of five precision pressure transducers on Dec. 20, 2007; a shipment of 10 shock mounted light assemblies on March 17, 2008; and a shipment of one emergency floatation system kit on June 24, 2008.

(U) This investigation was jointly conducted by agents of the Department of Commerce Office of Export Enforcement, FBI, DCIS and ICE-HSI. The prosecution is being handled by Assistant US Attorneys of the US Attorney's Office for the District of Columbia and a trial attorney of the Counterespionage Section of the Justice Department's National Security Division.

(U) Iranian Convicted In Arms Smuggling Case Deported (Fox News, 20 MAR 2012)

(U) An Iranian national who pleaded guilty in 2009 to plotting to ship sensitive US military technology to Iran has been deported back to his home country, a spokesman for the US State Department confirmed in March. Amir Hossein Ardebili was deported to Iran after he had completed his prison sentence, State spokesman Noel Clay said. Ardebili, 38, was sentenced to five years in prison, with credit for time served, after pleading guilty in US District Court in Delaware to charges including conspiracy, money laundering, smuggling and arms export control violations. At the time, US officials said his case was an example of Iran's efforts to evade export controls and acquire critical military technology amid a long-running standoff with the West over its nuclear program.

(U) Prosecutors wrote in court documents that Ardebili admitted he was assisting Iran in preparing for war with the United States. Court papers also said that during a 2007 meeting with an undercover agent, Ardebili said he wanted a lot of material so "the government (of Iran) could defend ... Because they think the war is coming." According to Bureau of Prisons spokesman Chris Burke, Ardebili was first assigned to a facility in Pennsylvania, then moved to the Federal Medical Center in Rochester, Minn., in February 2010. He finished out his sentence in Minnesota and was released in February. His attorney said he was not surprised by word of Ardebili's deportation. He said he understood that Ardebili would be deported because he had been released from prison and was in the custody of Immigration and Customs Enforcement. A spokesman for ICE could not immediately confirm Ardebili's deportation.

(U) According to court papers, Ardebili worked as a procurement agent for the Iranian government and acquired thousands of components, including military aircraft parts, night vision devices, communications equipment and Kevlar. Federal authorities targeted him in 2004 after he contacted an undercover storefront set up in Philadelphia to investigate illegal arms trafficking. Authorities said his primary interest was in obtaining electrical components with military applications, as well as replacement computer systems to update Iran's fleet of aging F-4 fighter aircraft.

(U) After years of telephone and email communications with undercover agents, Ardebili agreed to meet with them in the Republic of Georgia in October 2007 and he was arrested. He was extradited to the United States in 2008. After three American hikers were detained in Iran in 2009, Iranian President Mahmoud Ahmadinejad hinted they could be swapped for Iranians in US prisons, and he drew a link to Ardebili's case. Sarah Shourd was released after 14 months in prison, while Shane Bauer and Josh Fattal were held for more than two years before being freed on bail. State Department spokesman Clay said: "We don't see any link between this case and cases involving the unjust detention of US citizens in Iran."

(U) As Security Threats Evolve, Justice Department’s Pelak Focuses on Illegal Exports (www.mainjustice.com, 18 MAR 2012)

(U) A triggered spark gap can save lives. The spool-like, high-voltage switch can also kill people, as Justice Department National Security Division official Steve Pelak knows. Prosecuting the illegal export of such "dual use" items as the triggered spark gap, which hospitals use to break up kidney stones and weapons engineers use to detonate nuclear warheads, has been a priority of the Justice Department since Pelak was appointed its first National Coordinator for Export Enforcement in 2007. Pelak also holds the post of deputy chief of the Counterespionage Section, reflecting the increasingly complex threat to national security posed by terrorists and restricted nations who hope to steal American secrets and technology through illegal exports, economic espionage and traditional spying. The invigorated prosecution of export violations is one factor driving a build-up in law firms of practices specializing in national-security related regulatory and enforcement law.

(U) Pelak's own expertise with export cases goes back to his days at the District of Columbia US Attorney's office, where he supervised the prosecution of notorious export broker Asher Karni. In 2003, Karni bought dozens [2] of spark gaps for a Pakistani buyer from a Massachusetts company that sells them in much smaller quantities to hospitals for medical use. The triggers' weapons potential is precisely the reason their unlicensed export to is illegal. Karni, an Israeli national living in Cape Town, avoided Commerce Department licensing requirements by saying they were bound for a hospital in Soweto, according to a Justice Department sentencing memo. But he instead diverted them to Pakistan where the deactivated shipment was tracked after an informant let the US government in on the plot. To Pelak, 51, the case illustrates the threat posed by middlemen like Karni who illegally peddle dual use items without caring where they end up. "It's a matter of greed and ambition just driving people and causing them to be blind," Pelak said. "It's a common and an old tale in human history."

(U) Since Pelak started as export coordinator in June 2007, the National Security Division has compiled an informal case log that stretches more than 60 pages and focuses on export and embargo crimes, along with the theft of trade and state secrets. Certain destinations appear often – Iran and China for sensitive technology, Mexico for machine guns – among a host of other countries. One duty of prosecutors is to help cut the supply chain to restricted buyers and to make controlled exports, which are sometimes protected for strategic rather than military reasons, more expensive to procure illegally. Before the National Security Division was created in 2006 in response to the Sept. 11, 2001 terrorist attacks and other threats, the Counterespionage Section was under the umbrella of the Criminal Division. There, it was just one of numerous sections that had to share the division's resources and the attention of a single Assistant Attorney General. Moving the section over to the new grouping raised its profile at a time when fears were high that sensitive technology would fall into the hands of restricted nations and terrorist groups. Kenneth Wainstein, the first Assistant Attorney General for the National Security Division, now partner at O'Melveny & Myers LLP, said the job of enforcement coordinator was the right fit for Pelak because of the expertise he developed in more than 18 years as an assistant US attorney in the District of Columbia. Much of his work there involved government fraud, terrorism and public corruption investigations, but he also learned to prosecute export cases at a time when few others were pursuing them.

(U) Triggered spark gap

(U) "When I was doing the Karni case, there were not a lot of resources and experiences to draw upon," said Jay Bratt, who served as prosecutor on the case. "I was fortunate to be able to draw upon Steve's experience and judgment." In part, US attorney's offices around the country lacked export experience because the cases had a reputation for being difficult to work. They're complicated. They take years to build. They're hard to sell to a jury. Some offices had done them, and done them well. Los Angeles, Miami, New York, Connecticut, the District of Columbia, Boston and had notable experience. But others had barely seen them.

(U) One of the reasons the role of export enforcement coordinator exists, a title Pelak still holds, even as he gained the mantle of deputy chief of the Counterespionage Section in 2008, is to empower US attorney's offices with the training they need to work the cases and to give them access to investigative and intelligence resources in Washington. Sometimes it means an attorney from the Counterespionage Section will serve as co-counsel. Sometimes this means the section just offers advice. "We're not going to tell anybody how to do their job," Pelak said. "We may have recommendations, but we're really available from A to Z."

(U) The work of US Attorney's offices on these cases is getting increasing recognition. In September, the National Association of Former US Attorneys gave an award to Hawaii prosecutor Ken Sorenson for sending a naturalized US citizen to prison for selling stolen military technology to the People's Republic of China for use in making stealthy cruise missiles resistant to detection and interception. Export cases can be highly technical, but Pelak said prosecutors already have the skills to work them. A crucial component of any export case is the ability of investigators to show that the defendant had consciousness of guilt. Accidental or negligent breaches of the law aren't prosecuted, and Pelak says this isn't much different from fraud cases that prosecutors work all the time.

(U) In the Karni case, prosecutors could point to emails between Karni and Pakistani Humayun Khan that discussed how unlicensed shipments violated export laws and how they decided to push forward after acknowledging that it was illegal. Because export cases are by nature international, coordination with foreign investigators is also crucial. As US law enforcement searched the offices of an export broker in New Jersey, South African police searched Karni's business offices, piecing together the conspiracy to divert up to 200 of the spark gaps to Pakistan, which could be used as nuclear triggers. Bratt, who is now deputy chief of the National Security Section of the US Attorney's office for the District of Columbia, notes that an ICE attaché in played a vital role in moving the investigation forward abroad.

(U) Since Karni was sentenced to three years in prison and two years supervised release in 2005, investigators have become more familiar with export cases and have indeed disrupted illicit supply chains by sending scores of violators to prison. Each US attorney's office has say over how cases are investigated, though the US Attorney's Manual requires prosecutors to consult with the Counterespionage Section before certain types of export charges are filed. Before an investigation reaches this point, the office has to decide if it can prove the intent required for a criminal conviction. If not, an individual or company may face fines from regulators but won't see charges from the Justice Department.

(U) Sharing the sandbox

(U) Early on, Pelak had the task of synchronizing the work of prosecutors with federal regulators and law enforcement agencies, which are fragmented across the federal government. Each of the agencies has individual interests, and with these interests came the potential for friction. "There's always turf battles when you deal with different investigative agencies," said Roos, now director of International Trade Compliance at ITT Corporation. "'Why are you bringing them on board? They don't usually play in this sandbox.'" Avoiding this is a matter of communication, Pelak said, and once everyone is in the room, it becomes clear that an investigation is not an FBI case or an ICE case, or a Commerce case, but a case of the United States. As deputy chief, Pelak works closely with John Dion, who heads the Counterespionage Section, and also benefits from the advocacy of Assistant Attorney General for Lisa Monaco and her predecessors at the National Security Division. He deflects credit for the success of the export prosecutions to many others, yet those who have worked with him say that his enthusiasm and experience have been crucial to the initiative.

(U) Patrick Rowan, former Assistant Attorney General for National Security, compared Pelak's work with what Mark Mendelsohn, former deputy chief of the Criminal Division's Fraud Section, accomplished in his tenure jump-starting Foreign Corrupt Practices Act investigations, another area where prosecutions have increased in recent years. "To me, Steve Pelak is the Mark Mendelsohn of export enforcement," said Rowan, now a partner at McGuireWoods LLP. Rowan notes the skill Pelak has navigating Washington bureaucracy and his ability to engage prosecutors as a veteran with first-hand knowledge of national security investigations. Before joining the US attorney's office in 1989, Pelak spent three years in private practice split between Arnold & Porter LLP and Hughes Hubbard & Reed LLP in Washington, D.C.

(U) Among other accomplishments as an assistant US attorney, he served on a special task force to investigate federal officials related to the 1992 Ruby Ridge shooting deaths incident in Idaho and was sent to Kenya and Tanzania in 1998 in the wake of US embassy bombings. He was also appointed in 2001 as the first Anti-terrorism Advisory Council Coordinator for the D.C. US Attorney's Office. Pelak sees his work now as a continuation of national security efforts that stretch back at least 40 years. The work is ongoing, and even as prosecutions have increased, so has the threat from buyers like Karni who illegally acquire sensitive exports destined for an increasing number of countries. "It's not a matter of defeating ultimately and totally and completely threats to national security," Pelak said. "It's a matter of, on our watch, while we're doing this, are we doing the best that we can to employ all the resources we might have available reasonably to attack the situation?"

(U) Noted Scientist Sentenced to 13-Year Prison Term for Attempted Espionage, Fraud and Tax Charges (US Department of Justice Press Release, 21 MAR 2012)

(U) Stewart David Nozette, 54, a scientist who once worked for the Department of Energy, the Department of Defense, the National Aeronautics and Space Administration and the White House's , was sentenced in March to 13 years in prison for attempted espionage, conspiracy to defraud the United States and tax evasion. The sentence covered charges in two cases. In one, Nozette pleaded guilty in September 2011 to attempted espionage for providing classified information to a person he believed to be an Israeli intelligence officer. In the other, he pleaded guilty in January 2009 to fraud and tax charges stemming from more than $265,000 in false claims he submitted to the government. In addition to the prison term, Nozette was ordered to pay more than $217,000 in restitution to the government agencies he defrauded.

(U) Nozette has been in custody since his arrest for attempted espionage on Oct. 19, 2009. At the time, he was awaiting sentencing on the fraud and tax evasion charges. FBI agents arrested Nozette following an undercover operation in which he provided classified materials on three occasions, including one that formed the basis for his guilty plea. He was subsequently indicted by a federal grand jury. The indictment does not allege that the government of Israel or anyone acting on its behalf committed any offense under US laws in this case.

(U) "Stewart Nozette's greed exceeded his loyalty to our country," said a US Attorney. "He wasted his talent and ruined his reputation by agreeing to sell national secrets to someone he believed was a foreign agent. His time in prison will provide him ample opportunity to reflect on his decision to betray the United States." "Stewart Nozette betrayed his country and the trust that was placed in him by attempting to sell some of America's most closely-guarded secrets for profit. Today, he received the justice he deserves. As this case demonstrates, we remain vigilant in protecting America's secrets and in bringing to justice those who compromise them," said an Assistant Attorney General. "I thank the many agents, analysts and prosecutors who worked on this important case." "Today's sentencing demonstrates that espionage remains a serious threat to our national security," said FBI Assistant Director in Charge McJunkin. "The FBI and our partners in the defense and intelligence communities work every day to prevent sensitive information from getting into the wrong hands, and I commend the hard work of the dedicated agents, analysts and prosecutors who spent a significant amount of time bringing this case to resolution."

(U) Nozette received a Ph.D. in Planetary Sciences from the Massachusetts Institute of Technology. Beginning in at least 1989, he held sensitive and high-profile positions within the US government. He worked in various capacities on behalf of the government in the development of state-of-the-art programs in defense and space. During his career, for example, Nozette worked at the White House on the National Space Council, Executive Office of the President. He also worked as a physicist for the US Department of Energy's Lawrence Livermore National Laboratory, where he designed highly advanced technology.

(U) Nozette was the president, treasurer and director of the Alliance for Competitive Technology (ACT), a non-profit organization that he organized in March 1990. Between January 2000 and February 2006, Nozette, through his company, ACT, entered into agreements with several government agencies to develop highly advanced technology. Nozette performed some of this research and development at the US Naval Research Laboratory (NRL) in Washington, D.C., the Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., and NASA's Goddard Space Flight Center in Greenbelt, Md.

(U) In connection with the fraud and tax case, Nozette admitted that, from 2000 through 2006, he used ACT to defraud the NRL, DARPA and NASA by making and presenting more than $265,000 in fraudulent reimbursement claims, most of which were paid. He also admitted that, from 2001 through 2005, he willfully evaded more than $200,000 in federal taxes. In addition, he admitted using ACT, an entity exempt from taxation because of its non-profit status, to receive income and to pay personal expenses, such as mortgages, automobile loans, sedan services and other items. The investigation concerning ACT led investigators to suspect that Nozette had misused government information. From 1989 through 2006, Nozette held security clearances as high as TOP SECRET and had regular, frequent access to classified information and documents related to the national defense of the United States.


(U) On Sept. 3, 2009, Nozette was contacted via telephone by an individual purporting to be an Israeli intelligence officer from the , but who was, in fact, an undercover employee of the FBI. That same day, Nozette informed the undercover employee that he had clearances "all the way to Top Secret SCI" and that anything "that the United States has done in space I've seen." He stated that he would provide classified information for money and a foreign passport to a country without extradition to the United States.

(U) A series of contacts followed over the next several weeks, including meetings and exchanges in which Nozette took $10,000 in cash left by the FBI at pre-arranged drop-off sites. Nozette provided information classified as SECRET/SCI and TOP SECRET/SCI that related to the national defense. Some of this information directly concerned satellites, early warning systems, means of defense or retaliation against large-scale attack, communications intelligence information and major elements of defense strategy. Nozette and the undercover employee met for the final time on Oct. 19, 2009, at the Mayflower Hotel. During that meeting, Nozette pushed to receive larger payments for the secrets he was disclosing, declaring that, "I gave you even in this first run, some of the most classified information that there is. . . . I've sort of crossed the Rubicon." Nozette was arrested soon after he made these statements.

(U) The investigation of the fraud and tax evasion case was conducted by NASA-OIG, NCIS, the Defense Criminal Investigative Service (DCIS), IRS-CI, the IRS Tax Exempt & Government Entities Group, the Naval Audit Service, the Defense Contract Audit Agency and the FBI's Washington Field Office. The investigation of the attempted espionage case was conducted by the FBI's Washington Field Office, with assistance from NCIS; Naval Audit Service; National Reconnaissance Office; Air Force Office of Special Investigations; Defense Computer Forensics Laboratory; Defense Advanced Research Projects Agency; DCIS; Defense Contract Audit Agency; US Army 902nd Military Intelligence Group; NASA Office of Counterintelligence; NASA-OIG; Department of Energy Office of Intelligence and Counterintelligence; IRS-CI; IRS Tax Exempt & Government Entities group; US Customs and Border Protection; and the US Postal Inspection Service, as well as other partners in the US intelligence community.

(U) China Suspected of Facebook Attack on NATO's Supreme Allied Commander; Beijing Cyber-Spies Accused of Using Fake Social Networking Accounts in Bid to Steal Military Secrets from the West (The Observer, 10 MAR 2012, The Telegraph, 10 MAR 2012)

(U) NATO's most senior military commander has been repeatedly targeted in a Facebook scam thought to have been coordinated by cyber-spies in China, the Observer has learned. The spies are suspected of being behind a campaign to glean information about Admiral James Stavridis from his colleagues, friends and family, sources say. This involved setting up fake Facebook accounts bearing his name in the hope that those close to him would be lured into making contact or answering private messages, potentially giving away personal details about Stavridis or themselves. This type of "social engineering" impersonation is an increasingly common web fraud. NATO said it wasn't clear who was responsible for the spoof Facebook pages, but other security sources pointed the finger at China.

(U) For example, senior British military officers and Ministry of Defense officials are understood to have been among those who accepted "friend requests" from the bogus account for American Admiral James Stavridis. They thought they had become genuine friends of NATO's Supreme Allied Commander, but instead every personal detail on Facebook, including private email addresses, phone numbers and pictures, could be harvested. NATO officials are reluctant to say publicly who was behind the attack. But the Sunday Telegraph has learned that in classified briefings, military officers and diplomats were told the evidence pointed to "state-sponsored individuals in China". Although they are unlikely to have found any genuine military secrets from the Facebook accounts they accessed, the incident is highly embarrassing. In the wake of it, NATO has advised senior officers and officials to open their own social networking pages to prevent a repeat of the security breach.

(U) Last year, criminals in China were accused of being behind a similar operation, which was given the codename Night Dragon. This involved hackers impersonating executives at companies in the US, Taiwan and Greece so that they could steal business secrets. The latest disclosure will add to growing fears in the UK and US about the scale of cyber-espionage being undertaken by China. As well as targeting senior figures in the military, the tactic has been blamed for the wholesale theft of valuable intellectual property from some leading defense companies.

(U) The sophistication and relentlessness of these "advanced persistent threat" cyber attacks has convinced intelligence agencies on both sides of the Atlantic that they must have been state-sponsored. NATO has warned its top officials about the dangers of being impersonated on social networking sites, and awarded a £40m contract to a major defense company to bolster security at the organization's headquarters and 50 other sites across Europe. A NATO official confirmed that Stavridis, who is the supreme allied commander Europe (SACEUR), had been targeted on several occasions in the past two years: "There have been several fake SACEUR pages. Facebook has cooperated in taking them down… the most important thing is for Facebook to get rid of them." The official added: "First and foremost, we want to make sure that the public is not being misinformed. SACEUR and NATO have made significant policy announcements on either the Twitter or Facebook feed, which reflects NATO keeping pace with social media. It is important the public has trust in our social media."

(U) NATO said it was now in regular contact with Facebook account managers and that the fake pages were usually deleted within 24 to 28 hours of being discovered. Finding the actual source in cases such as these is notoriously difficult, but another security source said: "The most senior people in NATO were warned about this kind of activity. The belief is that China is behind this." Stavridis, who is also in charge of all American forces in Europe, is a keen user of social media. He has a genuine Facebook account, which he uses to post frequent messages about what he is doing, and where. Last year he used Facebook to declare that the military campaign in Libya was at an end.

(U) The threat posed by Chinese cyber activity has been causing mounting concern in the United Kingdom and the United States, where it is judged to be a systematic attempt to spy on governments and their militaries. They also accuse Beijing of being involved in the anonymous theft and transfer of massive quantities of data from the west. In a surprisingly pointed report to Congress last year, US officials broke with diplomatic protocol and for the first time challenged China directly on the issue. The National Counterintelligence Executive said Chinese hackers were "the world's most active and persistent perpetrators of economic espionage". It said China appeared to have been responsible for "an onslaught of computer network intrusions". The report also claimed that Chinese citizens living abroad were being leaned on to provide "insider access to corporate networks to steal trade secrets". The use of moles was, it said, a clear exploitation of people who might fear for relatives in China.

(U) Security analysts in Washington said they believed China had undertaken comprehensive cyber-surveillance of the computer networks that control much of America's critical infrastructure. This has stoked a political debate on Capitol Hill, where Democrats and Republicans are locked in an ideological battle about how to tackle cyber threats. President Barack Obama wants to introduce regulation to ensure companies are taking them seriously, but that approach is opposed by Republicans, including Senator John McCain.


(U) James Lewis, a cyber expert from the Centre for Strategic and International Studies think tank in Washington, said the time for dithering had passed. "We know that Russia and China have done the reconnaissance necessary to plan to attack US critical infrastructure," he said. "You might think we should put protection of critical infrastructure at a slightly higher level. It is completely vulnerable." Shawn Henry, an executive assistant director at the FBI, told the Observer that the agency was dealing with thousands of fresh attacks every month. "We recognize that there are vulnerabilities in infrastructure. That's why we see breaches by the thousand every single month," he said. "There are thousands of breaches every month across industry and retail infrastructure. We know that the capabilities of foreign states are substantial and we know the type of information they are targeting."

(U) The Department of Homeland Security has been tasked by the White House with countering the cyber threat, but without making people lose confidence in the web. Its senior counselor for cyber-security, Bruce McConnell, said: "The internet is civilian space. It is a marketplace. Like the market in Beirut in the 1970s, it will sometimes be a battleground. But its true nature is peaceful, and that must be preserved."

(U) Analyst Comment: Although Facebook and other social media sites may provide value in distributing an organization's messages to the public, government, military and law enforcement personnel should be very careful in posting information about their work and background on these sites and should carefully examine the operational security risks involved.

(U) Attackers Leverage Iran Nuclear Tensions in Targeted Attack Against US Military Staff (SecurityWeek.com, 13 MAR 2012)

(U) In March, SecurityWeek reported on a recent incident where senior military and government officials were duped into "friending" someone on Facebook that was pretending to be US Admiral James Stavridis, NATO's Supreme Allied Commander in Europe. That fake profile was believed to be set up by Chinese hackers interested in gathering email addresses and other information from military and government officials. Facebook took the fake account down as soon as it was discovered.

(U) While that reconnaissance effort through Facebook may not have led to an attack, researchers from Bitdefender shared details of an attack that appears to be targeting US government and military staff. According to Bitdefender, cybercriminals that appear to be located in China are using rising political tensions over Iran's suspected nuclear weapons program as a way to sneak malware on to systems belonging to US military staff. The attack in question comes in the form of a browser exploitation spread through a Microsoft Word (.doc) document attached to an email message. The document, titled "Iran's Oil and Nuclear Situation.doc", contains a Shockwave Flash applet that attempts to load a video file named "test.mp4" from a web server.

(U) But this MP4 file isn't your typical video file, Bitdefender says. "It has been crafted to include a valid header so it can legitimately identify itself as MP4, but the rest of the file is filled with 0x0C values. When the file loads and the Flash Player tries to render the MP4, it triggers an exploit in the Adobe Flash plug-in (CVE-2012-0754), that ultimately drops an executable file embedded in the initial .doc." During the attack, that seemingly innocent MP4 file triggering the exploit is streamed over the web, enabling a system to be exploited before an antivirus engine would normally scan a file. Additionally, the malware embedded inside the .doc file (us.exe) has multiple layers of obfuscation to dodge detection, Bitdefender says.

(U) Next, the newly downloaded 4.63 MB file is placed in a system's temporary folder and executed. The file mimics the Java Updater application and appears to originate from China. Inside the file, the malicious code of only 22.5 KB tries to connect to a C & C server that uses dynamic DNS services to permanently change its IP address. Identified by Bitdefender as "Gen:Variant.Graftor.15447", once the malware has infected a system, a backdoor starts listening for commands from its command and control server in China.

(U) "This is clearly a targeted attack, it may aim at US military staff involved in Iranian military operations," a researcher at Bitdefender, explained in a blog post. "The malware has not been delivered by mass spam and has not shown up in 'honeypots,' or e-mail addresses used by the antivirus industry to attract and catch malware." "The payload is also an advanced persistent threat - extremely difficult to detect once inside the network. Although it's more than a week old, the backdoor still has poor detection, with [as of Monday] only 7 of 42 antivirus solutions able to detect it," he added. As usual, Bitdefender encourages users to maintain an updated antivirus solution and keep critical applications up to date by installing security fixes as soon as they become available.
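(U) A defensive triage check for the file shape Bitdefender describes above (a valid MP4 header with the rest of the file filled with one byte value), given here as an added example that is not part of the bulletin or Bitdefender's tooling. The 90 percent threshold, the 1 KB minimum body size and both sample files are constructed assumptions.

```python
import struct
from collections import Counter

# Assumed tuning values for this example; calibrate against your own media corpus.
FILLER_RATIO_THRESHOLD = 0.90   # share of the body occupied by one byte value
MIN_BODY_BYTES = 1024           # ignore tiny files where ratios are meaningless
MEDIA_BOXES = {b"moov", b"mdat", b"moof"}


def make_box(box_type, payload):
    """Build one ISO base media file format box: 4-byte size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), box_type) + payload


def parse_boxes(data):
    """Yield (type, offset, size) for top-level boxes; stop at the first malformed box."""
    offset = 0
    while offset + 8 <= len(data):
        size, box_type = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1:                       # 64-bit "largesize" follows the type
            if offset + 16 > len(data):
                return
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:                     # box runs to end of file
            size = len(data) - offset
        if size < header or offset + size > len(data):
            return                          # size field does not fit the file
        yield box_type, offset, size
        offset += size


def inspect_mp4(data):
    """Report whether a buffer looks like 'valid MP4 header + single-byte filler'."""
    boxes = list(parse_boxes(data))
    report = {
        "has_ftyp": bool(boxes) and boxes[0][0] == b"ftyp",
        "box_types": [t for t, _, _ in boxes],
        "has_media_boxes": False,
        "filler_byte": None,
        "filler_ratio": 0.0,
        "suspicious": False,
    }
    if not report["has_ftyp"]:
        return report                       # not an MP4 by header; out of scope here

    body = data[boxes[0][2]:]               # everything after the ftyp box
    report["has_media_boxes"] = any(t in MEDIA_BOXES for t, _, _ in boxes[1:])
    if body:
        value, count = Counter(body).most_common(1)[0]
        report["filler_byte"] = value
        report["filler_ratio"] = count / len(body)

    # Real video payloads are compressed and close to uniformly distributed,
    # so a body dominated by one value is worth an analyst's attention.
    report["suspicious"] = (
        len(body) >= MIN_BODY_BYTES
        and report["filler_ratio"] >= FILLER_RATIO_THRESHOLD
    )
    return report


# Constructed samples (not taken from any real incident).
FTYP = make_box(b"ftyp", b"isom" + struct.pack(">I", 512) + b"isommp42")
FILLER_SAMPLE = FTYP + b"\x0c" * 8192
BENIGN_SAMPLE = (
    FTYP
    + make_box(b"moov", bytes(64))
    + make_box(b"mdat", bytes((i * 37) % 251 for i in range(4096)))
)

if __name__ == "__main__":
    for name, blob in (("filler", FILLER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = inspect_mp4(blob)
        print(name, r["box_types"], f"{r['filler_ratio']:.2f}", r["suspicious"])
```

Because the article notes the file was streamed rather than written to disk, a check like this fits a web proxy or network sensor that reassembles HTTP bodies, not only an on-disk scanner.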

(U) Chinese Universities Send Big Signals to Foreigners (, 11 MAR 2012)

(U) In the 1990s, Jeffrey S. Lehman, then the dean of the University of Michigan Law School, began visiting Beijing to help open a program for members of his faculty to teach at Peking University's law school during the summer. Given China's rising influence, he thought it would be beneficial for his colleagues to learn about legal education in China at one of the country's most prestigious institutions. But Mr. Lehman, who is also a former president of Cornell University, did not expect to work for a Chinese university himself. "I would have given long, long odds against that possibility," he said.

(U) In 2007, the leaders of Peking University, with whom he had developed strong relationships over the years, asked him to help establish a school teaching American law to Chinese students on their Shenzhen campus. That summer he became the chancellor and founding dean of the school, called the Peking University School of Transnational Law. "It's been deeply gratifying," Mr. Lehman said of his Chinese experience. The number of foreigners working at the law school has increased since it was established, with Americans, Germans, British and South Korean academics. Of the nine permanent faculty, seven are foreigners.

(U) The rise in foreign academics at the law school reflects a broader trend. As institutions in Western countries continue to suffer from budget cuts, academics looking for opportunities farther afield are finding that China is welcoming foreign professors with open arms. Individual Chinese universities have been increasingly recruiting Western academics in recent years, but the Chinese government is also enticing foreigners with a new program that offers a range of incentives. "We are going to see more foreign professors coming to China," said Wang Huiyao, director general of the Center for China and Globalization in Beijing.

(U) Late last year, the Chinese government started the Thousand Foreign Experts program, which is designed to attract up to 1,000 foreign academics and entrepreneurs over the next 10 years to help improve research and innovation. It has already attracted more than 200 applicants from countries like the United States, Japan and Germany, according to a report in February by Xinhua, China’s official news agency. The program is an extension of the Thousand Talent program, which started in 2008 as a way to attract experts, academics and entrepreneurs to China.


(U) While 1,600 experts, more than half of them academics, came to China under that program, most were Chinese-born, said Mr. Wang, an adviser to the government on its talent policy. Mr. Wang said the government wanted to further lift its intake of overseas experts, which led to the establishment of the latest program specifically aimed at foreigners. Under the new program, successful candidates receive a subsidy of up to one million renminbi, or nearly $160,000, and scientific researchers can receive a research allowance worth three million to five million renminbi. Mr. Wang said the program, run by the State Administration of Foreign Expert Affairs in Beijing, aimed to attract academics to tenured professor positions. He said the program was targeted at ―people who have been recognized in the West, those who have a good track record.‖

(U) Mr. Wang said that while there were already many foreigners working in Chinese universities, particularly top-tier schools like Peking University and Tsinghua University, he expected the new government program would accelerate the number of foreigners joining other Chinese schools. “They are sending a big signal to all universities in China that they actively support this,” Mr. Wang said. With funding harder to come by in many Western countries, China’s impressive investment in research and development is proving a draw for many Western researchers. And with China itself becoming a rapidly growing field of research for scholars, academics like Marc Idelson are moving there to further their research.

(U) Mr. Idelson, who is half French and half British, joined Peking University’s HSBC Business School in Shenzhen last August as an assistant professor after an interview with a Peking representative at a business conference in Canada in 2010. Mr. Idelson, who previously worked at the Essec Business School in , joined the university on a tenure track where academics are expected to receive tenure in six years. Mr. Idelson, whose wife is Chinese, had not set his sights specifically on China and said he was willing to move anywhere, as long as the job and location met his criteria. “The first criteria was strategic alignment,” he said. “Would this job enable me to further my research? The second criteria was, would I integrate socially? And the third was financially, what was the package like?” The position at Peking University ticked all the boxes, he said.

(U) Li Jun, an assistant professor at the Department of International Education and Lifelong Learning at the Hong Kong Institute of Education, said mainland Chinese universities were now well-funded by the government and able to offer foreigners lucrative packages. He said China wanted to attract more foreign academics to help lift its international competitiveness. At the institutional level, Chinese universities were increasingly competing with one another to improve their status and employing foreigners helped their reputations, he said. “They can use that to recruit students and to get recognition from the public,” Mr. Li said, adding that top foreign academics also helped Chinese universities attract more research funding and made it easier for them to connect with the international academic community. “Their papers will be written in English, which is a big barrier to the local academics,” he said. “In terms of international recognition of scholars, that will be a big help for the universities.”

(U) Mr. Li, who said that Chinese universities preferred academics from highly developed Western countries, especially the United States and Canada, said the schools recruited foreigners by advertising on higher education Web sites, using their consulates to help target particular academics and encouraging Chinese academics to use their personal connections with foreigners to reach out to them. Alex Katsomitros, a research analyst at the Observatory on Borderless Higher Education in , said Chinese institutions would most likely be more interested in attracting academics who specialized in the so-called Stem subjects — science, technology, engineering and mathematics — which lift economic growth through innovation and are seen as “politically neutral.” “Social science and humanities academics are less willing to move to China for obvious reasons,” he said in an e-mail.

(U) Mr. Katsomitros cited the case of the French virologist Luc Montagnier, who received the Nobel Prize in 2008 for his discovery of H.I.V. and joined Shanghai Jiao Tong University in 2010, where he set up a research institute. In an interview with the journal Science in 2010, Mr. Montagnier, then 78, explained China’s appeal. He described how he was no longer able to work at a public institute in France because of the country’s retirement laws, and spoke of the “intellectual terror” that made it difficult to obtain funding for research related to homeopathy in France. Mr. Katsomitros said Chinese universities may be “mainly interested in the status and publicity” such “academia superstars” bring, rather than the results of their research.

(U) Nevertheless, he says that Western institutions should not fret about losing academics to China. “In general, the flee of academics might have been an issue of concern in the past, but it shouldn’t be that worrying today, as higher education and academic research are going through a phase of rapid internationalization,” he said. “The fact that academics go to China for a couple of years doesn’t mean they have defected. On the contrary, they might bring back home valuable knowledge and help their home countries understand China better.”

(U) Analyst Comment: As this article notes, Chinese institutions are actively seeking foreign academics to come to China, but they would “most likely be more interested in attracting academics who specialized in the so-called Stem subjects — science, technology, engineering and mathematics — which lift economic growth through innovation” and also because they can use relationships created with these academics to target and collect cutting-edge, in some cases proprietary, research. Florida academic institutions and academics that establish or participate in such programs in the PRC should be aware of these risks.

(U) Chinese Spies Target Taiwan's US-Made Defenses (The , 21 MAR 2012)

(U) When Taiwanese security personnel detained a suspected spy for China at a top secret military base in February, they may have had a sense of deja vu. Air Force Capt. Chiang (he was identified only by his surname) was the fourth Taiwanese in only 14 months known to have been picked up on charges of spying for China, from which the island split amid civil war 63 years ago. While Taiwan's Defense Ministry did not disclose details of his alleged offense, his base in the northern part of the island hosts the air force's highly classified radar system and US-made Patriot surface-to-air missiles, both vital to the island's aerial defense.

(U) Chiang's arrest followed that of Maj. Gen. Lo Hsieh-che, who had access to crucial information on Taiwan's US-designed command and control system, and civilian Lai Kun-chieh, who the Defense Ministry says tried without success to inveigle Patriot-related secrets from an unnamed military officer. A fourth alleged spy was detained on non-defense-related charges. The cases show that China is seeking information about two systems that are integral to Taiwan's defenses and built with sensitive US technology. A major breach could make Taiwan more vulnerable to Chinese attack.

(U) Though relations between the two have warmed in recent years, Beijing has never recanted a vow to retake the island, by force if necessary. Information about the US-supplied defense systems could also help the People's Liberation Army understand other US defenses. Taiwanese officials, however, say their systems are secure, and US experts say American secrets will remain protected in any case. The possibility that Taiwan might give up military secrets is certainly a worry for the United States, its most important foreign partner.

(U) Despite shifting recognition from Taipei to Beijing in 1979, Washington continues to sell the island sophisticated military equipment, and sees it as an element in a string of Asian defense relationships that stretches from South Korea to Australia. Any confirmed leak of US defense secrets from Taiwan to China could undermine United States willingness to continue providing military equipment and technology to the island. "We are concerned whenever this type of incident occurs," a US defense official said in an email response to an Associated Press request for comment on the recent espionage incidents. "However, Taiwan has taken aggressive steps in the last year to protect itself from intelligence threats." The official spoke on condition of anonymity because of the sensitivity of the issue.

(U) China and Taiwan have been spying on each other for decades, and US intelligence agencies have also been active on both sides of the Taiwan Strait, including sharing sensitive mainland-related data with Taiwan. But the recent arrests represent a big upsurge in both the seriousness and quantity of Taiwan spy cases compared with previous years. At the heart of China's Taiwan espionage efforts are two systems with substantial US technology, the Lockheed Martin Corp. and Raytheon Co.-built Patriot missile defense system and the Lockheed-designed Po Sheng command and control system.

(U) The Patriot uses sophisticated radar to track incoming aerial threats, then launches high-performance missiles to bring them down. The Po Sheng network -- the Chinese name means Broad Victory -- allows Taiwan's army, air force and navy to exchange battlefield information in real time. That is a big advantage in coordinating responses to the attack China has promised if Taiwan ever moves to make its de facto independence permanent.

(U) Defense expert Arthur Ding of Taiwan's Institute for International Relations said successful penetration of the Patriot system could wreak havoc with Taiwan's air defenses, a key component in turning back any future Chinese attack. "China wants radar data so they can develop countermeasures," he said. "If you have this data you can jam the system or redirect its missiles." Former Taiwan Deputy Defense Minister Lin Chong-pin said it is not surprising that China was targeting the Patriot and Po Sheng systems. "These are several of our key capabilities which have been helped by the United States," he said. "They are the main obstacles to seizing Taiwan by force." Deputy Defense Minister Andrew Yang agreed, calling Patriot and Po Sheng "a critical Taiwanese asset." But he told The AP, "The systems have not been compromised."

(U) Beijing's biggest Po Sheng catch to date was almost certainly Maj. Gen. Lo, described by local media at the time of his arrest 14 months ago as the most effective Chinese spy on Taiwan since the 1960s, when a deputy defense minister was picked up in a sweep of communist agents. Lo headed the army command's communications and information office, and according to Taiwan's defense ministry, he was recruited by the Chinese as a spy in 2004 when he was a military attaché based overseas. Taiwanese news reports say that Lo was arrested on the heels of US surveillance, which determined that he had been recruited by a sultry female spy while serving in Bangkok. The reports said Lo had been blackmailed into providing Beijing with secrets involving electronic warfare and overall strategic planning. The Defense Ministry says Lo's exposure to Po Sheng was limited. Last July he was sentenced to life in prison after being convicted on espionage charges.

(U) Like Lo, Capt. Chiang had access to sensitive military secrets. Taiwanese news reports said he passed information about an early warning radar system through a Taiwanese businessman working in China. Citing unidentified military sources, Taiwan's Apple Daily newspaper described the system as a joint Taiwan-US air defense called "yellow net" that can track Chinese missiles launched at the island. The defense ministry has acknowledged that Chiang had worked at a ground command center in northern Taiwan, without elaborating on what he did there. The Apple Daily said officials concluded that a major motive for his alleged spying had been a desire to get money to impress his girlfriend with frequent visits to expensive nightclubs.

(U) Two former US government officials familiar with American defense sales to Taiwan said that despite some Taiwanese media reports, China's recent espionage activity on the island does not threaten the integrity of US defense technology. They said Washington withholds sensitive information and equips highly classified electronic components with anti-tamper devices. Still, more than just US technology is at stake when Chinese spies target Taiwanese defense networks, one of the former officials said. "How Po Sheng is used, the network layouts, what systems are integrated into the network and what are not, all this would be very useful for the Chinese to know," he said.

(U) This kind of knowledge -- which would not necessarily compromise US technology -- could help the Chinese pinpoint weaknesses in the island's overall defense alignment. While insisting that China's espionage efforts had not undermined Taiwan's ability to defend itself, Yang, the deputy defense minister, said they showed that China has never let up on trying to steal Taiwan's most vital military secrets, despite Taiwan President Ma Ying-jeou's recent moves to try to lower tensions across the Taiwan Strait amid rapidly improving commercial and political relations. "Nothing has really changed," Yang said. "Beijing has continued its espionage activities despite the improvement in ties."

(U) Iran Hacks BBC Persian TV (ZDnet, 13 MAR 2012)

(U) Reports indicate Iran hacked BBC Persian TV in March. The move is part of a broader attempt by the government to disrupt the BBC’s Persian service, according to BBC News. The BBC’s London office was inundated with automatic phone calls and the company’s satellite feeds into Iran were also jammed. While this only affected owners of illegal satellite dishes, these are of course the only ones that can receive the BBC signal in Iran.

(U) The media organization released extracts from a speech confirming the attack, delivered by Director-general Mark Thompson in March. Thompson was expected to use the address to the Royal Television Society to accuse Iran of trying to undermine the service. While he was expected to stop short of explicitly accusing Tehran of being behind the hacking, he would strongly suggest the country’s government is to blame.

(U) “It now looks as if those who seek to disrupt or block BBC Persian may be widening their tactics,” Thompson would say, according to Reuters. “There was a day recently when there was a simultaneous attempt to jam two different satellite feeds of BBC Persian into Iran, to disrupt the service’s London phone lines by the use of multiple automatic calls, and a sophisticated cyber-attack on the BBC. It is difficult, and may prove impossible, to confirm the source of these attacks, though attempted jamming of BBC services into Iran is nothing new and we regard the coincidence of these different attacks as self-evidently suspicious. We are taking every step we can, as we always do, to ensure that this vital service continues to reach the people who need it.”

(U) The BBC has previously accused Iran of attempting to jam its broadcasts by eliminating VPN networks for example, as well as intimidating its staff. This recent attack follows various tactics by the Iranian government, such as harassment, arrests, and threats against the relatives of BBC Persia correspondents who still live in Iran, in an effort to force the journalists to quit the Persian news service. Since few Western journalists are permitted to work in Iran, as the Islamic government is suspicious of foreign media, all BBC Persian service staff work outside the country.

(U) BBC Persian is available via TV, radio, and online services in Farsi. Despite an intensifying campaign of censorship and intimidation by the Iranian authorities, BBC Persian TV’s audience in Iran almost doubled between 2009 and 2011. Last month, BBC News reported that the channel’s audience had grown from 3.1 million three years ago to 6 million last year. Overall global weekly audience estimates for the BBC’s international news services in Iran (including TV and radio) have risen from 3.9 million in 2009 to 7.2 million in 2012. In other words, one in 10 Iranians watch BBC Persian TV weekly.

(U) CYBERSECURITY SPECIAL FOCUS FOR INDUSTRY:

(U) The Bright Side of Being Hacked (The New York Times, 04 MAR 2012)

(U) Hackers operating under the banner Anonymous have been poking a finger in the eye of one private company after another for two years now. They steal files from inside corporate computer systems and occasionally, as in the case of the intelligence firm Strategic Forecasting (STRATFOR) in late February, dump company e-mail online for all to see. The STRATFOR hack, in which Anonymous claimed to have joined forces with WikiLeaks, drove home a clear lesson about the era of ubiquitous "hacktivism," or hacking as a form of protest. Despite the arrests of dozens of suspected members of Anonymous and its offshoots worldwide, it is far from diminished. Nor have most of its corporate targets been irreparably damaged by the attacks. Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems.

(U) By and large, the Anonymous break-ins take advantage of gaping computer holes and gullible human beings. The hackers ferret out weak passwords and take advantage of unencrypted e-mail stashes. They persuade company employees, one is all it takes, to click on rogue Web sites or divulge a confidential piece of information, in an exercise known as social engineering. "Anonymous is a wake-up call," said a senior vice president of Booz Allen Hamilton, a defense and intelligence contractor that was attacked by the group last summer. "Any company that is patting themselves on the back and saying that they're not a target or not susceptible to attack is in complete and utter denial." More to the point, a company that is a target of Anonymous may also be the target of a far more potent adversary. The social engineering tactics that Anonymous members have repeatedly used are often similar to those used by criminal hackers and state-sponsored actors who penetrate company systems in order to steal valuable secrets, whether for monetary gain or competitive edge.

(U) Anonymous draws public attention, and by extension, that of executives and shareholders. It puts a face, or rather, a mask, on a far more pernicious problem: online espionage. "The attacks by them pale in comparison to the nation-state stuff and the criminal element," said the chief security officer for RSA, the organizer of the computer security conference and a maker of security tokens, which was itself the target of a highly publicized breach by suspected state-backed hackers. "There is an awakening. There is a lot more visibility in the press."

(U) An Anonymous attack can leave a measurable toll. In 2010, its activists broke into Sony's systems, exposing names and credit card numbers of millions of customers; Sony said last May that the cleanup would cost it $170 million. Last year, Anonymous extracted the password of an executive at the security firm HBGary and helped itself to a pile of internal company e-mail. News of the breach at the geopolitical analysis firm STRATFOR began trickling out on Christmas Eve, when the company's site was defaced. At first, a group called Antisec, an Anonymous offshoot, claimed responsibility, announcing that it had penetrated the company's network. It posted the names, addresses and credit card details of 75,000 people who subscribed to STRATFOR newsletters. Soon came a dump of credentials for 860,000 user accounts, not all of whom may have been paid subscribers.

(U) A senior security researcher at Cisco, who has closely studied the STRATFOR breach, said the attack appears to have been twofold: a relatively commonplace attack, known as an SQL injection, on four servers that stored e-mails dating back several years, as well as a breach of a vulnerable third-party e-commerce system that STRATFOR would have used to process its paid subscribers. A company's vulnerabilities, whether human or machine, are far easier to spot, she pointed out, if a sprawling army of thieves is plotting the break-in. "The more eyes, the greater chance of success," she said.

(U) Soon the paid customers found themselves having to deal with purchases made with the stolen card numbers. Then they began receiving e-mails that purported to be from George Friedman, STRATFOR's chief executive, and came with malicious software attached. Mr. Friedman announced that STRATFOR had not sent out the e-mails, and the company stopped charging for its subscriptions, which had been its principal source of revenue. A class-action lawsuit followed, accusing the company of negligence in securely storing its customers' information and failing to promptly notify them of the theft.

(U) In its response to the lawsuit, STRATFOR said it had informed the FBI as soon as it learned of the breach on Dec. 7. The most recent salvo in the STRATFOR hack began when WikiLeaks began releasing the contents of the company's internal e-mail communications. STRATFOR for its part refused to distinguish between e-mails that it said may have been "forged" and those that were "authentic." STRATFOR declined requests for an interview.

(U) Law enforcement officials at the RSA conference expressed frustration with their inability to squelch the rise of such attacks. Those who participate can be hard to find. And often they turn out to be minors who are not prosecuted as aggressively as adults. The Director of the Federal Bureau of Investigation, Robert Mueller, struck an ominous note about the threat of digital attacks on corporate America. "There are only two types of companies," Mr. Mueller said in a keynote speech at the conference, "those that have been hacked and those that will be."

(U) Oddly enough, despite the stream of attacks and a security industry that is eager to sell its services, a survey of the largest American companies shows that neither their top executives nor their board members are directly involved in decisions about the security of their data. According to the latest results of an annual survey by Carnegie Mellon University, released last week, more than 70 percent said they occasionally, rarely or never reviewed their top information security policies or staff.

(U) How the attack will damage STRATFOR in the long run remains to be seen. If HBGary is any yardstick, it may pull through. HBGary suffered an embarrassing blow last year when thousands of its internal e-mails were dumped on the Internet. The chief executive of its sister company, HBGary Federal, who provoked the ire of Anonymous by boasting of having penetrated its anonymity, resigned. But in late February, despite the hacking, HBGary was acquired by ManTech, a giant Virginia-based defense contractor, which itself had been hacked by Anonymous last August.

(U) Analyst Comment: This article highlights the critical need for all companies and organizations to have a robust and comprehensive IT security program focused on employee security knowledge. The author notes that hackers often focus on “gullible employees” and ignorance.

(U) Study: Senior Executives Lack Awareness of IT Security and Privacy (www.searchsecurity.com, 28 FEB 2012)

(U) A litany of high-profile data security breaches has done little to get corporate boards and senior-level executives to understand the security and privacy risks within the enterprise, according to the results of a new study. The 2012 Carnegie Mellon CyLab Governance survey, which was conducted in 2008, 2010 and 2012, found some improvements, but noted severe gaps in the way corporate CEOs and other senior executives take responsibility for the organization’s security and privacy practices. The corporate security governance study, sponsored by RSA, the Security Division of EMC, surveyed the firms in the Forbes Global 2000 list.

(U) Less than one-third of the respondents are undertaking basic responsibilities for cybergovernance, according to the report. The study found that 70 percent of executives and their corporate board of directors rarely or never review security policies. About 74 percent of those surveyed indicated they fail to regularly review the roles and responsibilities of the lead personnel responsible for privacy and IT security. “Boards and senior executives are not exercising good cybergovernance,” said the CEO of Global Cyber Risk and adjunct distinguished fellow at Carnegie Mellon University. “They’re not watching what’s going on with privacy and security in their organization.” Budgets for IT security and privacy initiatives are also failing to be properly reviewed and approved, according to the study, with 64 percent of those surveyed indicating they occasionally, rarely or never oversee such a review. Nearly 60 percent of those surveyed indicated they fail to get regular reports about privacy and IT security risks.

(U) The Global Cyber Risk CEO said the findings are consistent with complaints by CISOs/CSOs that they cannot get the attention of their senior management and boards and their budgets are inadequate. Computer and data security and IT operations ranked at the bottom of the issues being actively addressed and governed by corporate boards. The three areas that ranked lowest held the same position in the 2010 results: vendor management (13 percent), computer and data security (35 percent) and IT operations (29 percent). Nearly half of those surveyed indicated their companies do not have personnel in key privacy and security roles. In addition, 58 percent said their boards of directors are not regularly reviewing the company’s insurance coverage for cyber-related risks.

(U) Risk management activities increasing

(U) The CEO said there were signs of progress since the study began in 2008. In 2008, only 8 percent of respondents said their organization had a separate risk committee; in 2010, the percentage rose up to 14 percent, and in 2012, it jumped to 46 percent. Risk management was also a top concern among boards of directors and senior leadership. More enterprises are setting up teams of business leaders and IT professionals to talk about security and privacy issues. The number of committees has increased from a low of 17 percent in 2008 to about 70 percent in 2012. She said the sharp increase is a positive sign that enterprises are starting to think more seriously about their risk tolerance activities. “Risk should not all be addressed by the CISO; it should be the business unit’s line management responsibility,” she said. “We find that if it falls directly on the CISO or privacy officer, the business just doesn’t care.”

(U) The CEO said senior leadership and the corporate board of directors are in a position to set the tone for the entire organization. Signs that senior leadership don’t see security and privacy as a priority trickle down to the business units and weaken the IT security team’s ability to properly ensure data security and maintain the integrity of the network. Senior leadership must regularly review roles and responsibilities to ensure qualified, full-time senior-level professionals are in place to help guide security and privacy initiatives. In addition, IT budgets for privacy and security should be reviewed separate from the CIO’s budget. A regular external assessment of the company’s security controls should be conducted so weaknesses can be addressed, she said. “Organizations with senior leadership that take security and privacy matters seriously have the opportunity to develop a culture among employees that security is essential,” she said. “That needs to be backed with strong leadership.”

(U) Download the full report at: http://www.rsa.com/innovation/docs/11656_CMU_-_GOVERNANCE_2012_RSA_Key_Findings_v2_%282%29.pdf

(U) CYBER THREAT ITEMS FROM THE PRESS

(U) FBI Director Warns Cyber Crime on Par with Terrorism (AFP, 02 MAR 2012)

(U) FBI Director Robert Mueller warned a gathering of Internet security specialists that the threat of cyber attacks rivals terrorism as a national security concern. The only way to combat cyber assaults is for police, intelligence agencies and private companies to join forces, Mueller said during a presentation at an annual RSA Conference in San Francisco in March. "Technology is moving so rapidly that, from a security perspective, it is difficult to keep up," Mueller said. "In the future, we anticipate that the cyber threat will pose the number one threat to our country." It's essential that private corporations and government agencies across the globe coordinate on cyber crime, Mueller said, in part because nefarious hackers are already forming alliances. "We must work together to safeguard our property, to safeguard our ideas and safeguard our innovation," Mueller said. "We must use our connectivity to stop those who seek to do us harm." Gone are the "good old days" of teenage boys hacking into websites for fun, Mueller said. Today's hackers are savvy and often work in groups, like traditional crime families.

(U) Private sector computer security researchers have attributed waves of cyber assaults to nations out to steal government or business secrets. "Once isolated hackers have joined forces to form criminal syndicates," Mueller said. Those "syndicates" often operate across borders, posing a particular problem for government agencies that are constrained by conflicting justice systems and a lack of coordination with foreign agencies, he said. "Borders and boundaries pose no obstacles to hackers, but they continue to pose obstacles for global law enforcement," he said.

(U) In a presentation that a subsequent speaker said "really scared the bejeezus out of us," Mueller emphasized an overlap between the violent terrorism the FBI has focused on since September 11 and today's world of cyber crime. Terrorist organizations like Al-Qaeda and Al-Shabaab in Somalia are "increasingly cyber savvy," he said. Mueller referenced Al-Qaeda's English-language online magazine and Al-Shabaab's Twitter account, which he says the group uses to recruit and encourage terrorism. "They are using the Internet to grow their business and to connect with like-minded individuals," he said.

(U) Mueller warned that no company is immune from cyber attack. He argued that it's in the best interest of private companies to share information about online assaults with government agencies fighting the hackers. The nation's top cop promised that the FBI would "minimize disruption" and protect the privacy of corporations as it investigated cyber threats. Companies are often reluctant to report network security breaches out of fear that the publicity could tarnish images in the eyes of customers or erode shareholder confidence. "Maintaining a code of silence will not serve us in the long run," Mueller said. "For it is no longer a question of 'if' but when and how often." "We are losing money, we are losing data, we are losing ideas," he added. "Together we must find a way to stop the bleeding."

(U) Don't Underestimate Cyber Terrorism Threat, Security Experts Say (IDG News Service, 02 MAR 2012)

(U) Concern about cyber terrorism was evident among security experts at the RSA security conference in San Francisco, who find that some people with extremist views have the technical knowledge that could be used to hack into systems. Cyber terrorism does not exist currently in a serious form, but some individuals with extremist views have displayed a significant level of knowledge of hacking, so the threat shouldn't be underestimated, said F-Secure's chief research officer at the RSA security conference in San Francisco. Other security experts agree. "I think it's something that we should be concerned about. I wouldn't be surprised if 2012 is the year when we start seeing more cyber terrorism," said a senior security analyst at security vendor Zscaler.

(U) Extremists commonly use the Internet to communicate, spread their message, recruit new members and even launder money in some cases, F-Secure’s chief research officer said during a presentation about cyber terrorism at the conference. Based on the data the researcher analyzed, most groups of radical Islamists, Chechen terrorists or white supremacists seem at this stage more concerned about protecting their communications and hiding incriminating evidence on their computers. They've even built their own file and email encryption tools to serve this goal and they use strong algorithms that cannot be cracked, he said. However, there are some extremists out there that possess advanced knowledge of hacking, and they are trying to share it with others, he added.

(U) The researcher has seen members of extremist forums publish guides on how to use penetration testing and computer forensics tools like Metasploit, BackTrack Linux or Maltego. "I don't think they're using these for penetration testing though," he said. Others have posted guides on website vulnerability scanning, SQL injection techniques, and on using Google search hacks to find leaked data and more, he said. Although such extremists have mainly succeeded in unsophisticated Web defacements so far, the researcher believes that cyber terrorists could become the fourth group of Internet attackers after financially-motivated hackers, hacktivists and nation states engaging in cyber espionage.

(U) SCADA systems used in industrial facilities could represent a target for cyber terrorist attacks. "If you're talking about terrorism in the real world where you want to blow up a dam or do some destruction, you can potentially do that remotely through a cyber attack," the Zscaler security analyst said. The technology required to do this already exists, he said. The closest we've gotten to a real cyber terrorist attack was the DigiNotar breach which resulted in rogue digital certificates being issued for high-profile domain names, said the vice president of strategy and product marketing at French defense contractor Thales.

(U) The Iranian who took credit for the breach claimed that he had no affiliation to the Iranian government, but he did express pro-government political views in his statements. With Iran currently under the spotlight because of its controversial nuclear energy program, it will be interesting to see how the country's hackers react, the F-Secure research officer said.

(U) How to Catch an Internet Cyber Thief: Devoted Cyber-Sleuths Fight Industrial Espionage and Botnets (Network World, 01 MAR 2012)

(U) They're out there, say security researchers: the Chinese hackers attempting to break into US enterprises, and jihadist terrorists that brazenly post videos of sniper killings, while stealing credit cards to launder money for funding nefarious campaigns in Mideast or Caucasus hot spots. It's just a matter of finding them, and a Dell SecureWorks researcher described at the RSA Conference this week how he caught one by laboriously collecting information related to a Chinese hacker. He's calling the incident the "Sin Digoo Affair" after the misspelling of San Diego in Internet domain registrations under the fake name of "Tawnya Grilth" that he saw over and over again. That misspelling was but one clue among many others, such as malware signatures, that he followed in his quest to track down an attacker in a case of industrial espionage and botnets.

(U) "We know we have a set of domains exclusively used for espionage activity," says the researcher. After months of sleuthing, he managed to link the email [email protected] used to register those domains to a multitude of other clues to follow a trail that led him to believe "Tawnya" is a Chinese hacker who is probably part of a group promoting SocialUp.net, a site that accepts payment, including PayPal, for delivering "artificial likes, often through bots" so people can get promoted on Facebook.

(U) Tracking this laboriously amassed evidence, including known Chinese hacker websites, the researcher thinks he has identified the espionage hacker he set out to find through his real Chinese name. Undisclosed publicly, this name and what's known about him have been turned over to the FBI, though the prospect of any meaningful prosecution of espionage activity through China may at the moment be slim. Still, Stewart wants to make the point that criminal activity related to bots can be investigated, though he emphasizes what he's found is simply evidence of an individual's activity.

(U) Another session at RSA talked about what jihadist extremists are doing today on the Web and how they launder money for terrorist causes. The chief research officer at F-Secure says he spent time combing the Internet to find evidence of what extremists, mostly Arabic-speaking but also Chechens from the Caucasus who have made terrorist attacks on Russian civilian targets, are doing in terms of sophisticated use of technology online. "My first impression is high-tech terrorists don't exist," he said in a media briefing. But after considerable online research, his opinion has changed. He has found evidence of a growing amount of interest in technology, encryption and hacking in online jihadist publications that now include topics ranging from an "Open Source Jihad" section to "Technical Mujahaden," which tells how to hide files using rootkits and steganography. He said he's also analyzed what he thinks is probably British intelligence counter-efforts to trojanize fake versions of these publications so that if they're downloaded, monitoring of possible terrorist activity could take place on whatever computer it's downloaded to.

(U) One of the biggest cases linking Islamic terrorists to high-tech operations like stealing credit cards through botnets that controlled thousands of victims' computers was that of London-based Tariq Al-Daour, sentenced a number of years ago after his gang was caught playing at the Absolute Poker site with stolen credit cards, mainly to launder $3.5 million in poker games, says the F-Secure chief research officer. He spent the money he stole on satellite phones, sleeping bags and a lot of other gear he sent to support terrorist activity connected to Al Qaeda. He paid a Russian to build his software, the chief researcher noted. The situation today with extremist groups using high-tech hacking and bots "isn't out of hand," he says. But there's mounting evidence that extremist groups are increasingly interested in high-tech, writing in their slick multimedia online publications about Apache, PGP, NMAP, and creating their own public crypto keys, right alongside instructions for bomb-building. He says it may be time to pay more attention to it.

(U) New Interest in Hacking as Threat to Security (The New York Times, 13 MAR 2012)

(U) During the five-month period between October and February, there were 86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases, according to the Department of Homeland Security, compared with 11 over the same period a year ago. None of the attacks caused significant damage, but they were part of a spike in hacking attacks on networks and computers of all kinds over the same period. The department recorded more than 50,000 incidents since October, about 10,000 more than in the same period a year earlier, with an incident defined as any intrusion or attempted intrusion on a computer network.

(U) The increase has prompted a new interest in cybersecurity on Capitol Hill, where lawmakers are being prodded by the Obama administration to advance legislation that could require new standards at facilities where a breach could cause significant casualties or economic damage. It is not clear whether the higher numbers were due to increased reporting amid a wave of high-profile hacking, including the arrest last week of several members of the group Anonymous, or an actual increase in attacks.

(U) James A. Lewis, a senior fellow and a specialist in computer security issues at the Center for Strategic and International Studies, a policy group in Washington, said that as hacking awareness had increased, attacks had become more common. He said that the attacks on the nation's infrastructure were particularly jarring. "Some of this is heightened awareness because everyone is babbling about it," he said of the reported rise in computer attacks. "But much of it is because the technology has improved and the hackers have gotten better and people and countries are probing around more like the Russians and Chinese have." He added: "We hit rock bottom on this in 2010. Then we hit rock bottom in 2011. And we are still at rock bottom. We were vulnerable before and now we're just more vulnerable. You can destroy physical infrastructure with a cyberattack just like you could with a bomb."

(U) The legislation the administration is pressing Congress to pass would give the federal government greater authority to regulate the security used by companies that run the nation's infrastructure. It would give the Homeland Security Department the authority to enforce minimum standards on companies whose service or product would lead to mass casualties, evacuations or major economic damage if crippled by hackers. The bill the administration backs is sponsored by Senators Joseph I. Lieberman, independent of Connecticut, and Susan Collins, Republican of Maine. It has bipartisan support, and its prospects appear good. Senator John McCain, Republican of Arizona, is sponsoring a more business-friendly bill that emphasizes the sharing of information and has fewer requirements for companies.

(U) In March, on Capitol Hill, Janet Napolitano, the secretary of Homeland Security; Robert S. Mueller III, the director of the Federal Bureau of Investigation; and Gen. Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, made their pitch to roughly four dozen senators about why they should pass the Lieberman-Collins bill. At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.

(U) "I think General Dempsey said it best when he said that prior to 9/11, there were all kinds of information out there that a catastrophic attack was looming," Ms. Napolitano said in an interview. "The information on a cyberattack is at that same frequency and intensity and is bubbling at the same level, and we should not wait for an attack in order to do something." General Dempsey told the senators that he had skipped a meeting of the National Security Council on Iran to attend the briefing because he was so concerned about a cyberattack, according to a person who had been told details of the meeting. A spokesman for General Dempsey said the chairman had "sent his vice chairman to the meeting on Iran so that he could attend the Senate meeting and emphasize his concern about cybersecurity." "His point was about his presence at the cyber exercise rather than a value judgment on the 'threat,'" the spokesman, Col. David Lapan, said.

(U) Experts say one of the biggest problems is that no part of the government has complete authority over the issue. The Central Intelligence Agency and the National Security Agency give the government intelligence on potential attacks, and the FBI prosecutes hackers who break the law. The Department of Homeland Security receives reports about security breaches but has no authority to compel business to improve their security. "Nobody does critical infrastructure of the dot-com space where America now relies on faith healing and snake oil for protection," Mr. Lewis said. "The administration wants it to be the Department of Homeland Security, but the department needs additional authorities to be effective."

(U) Cyber-Criminals Change Tactics as Network Security Improves (CIOinsight, 23 MAR 2012)

(U) Cyber-criminals, increasingly stymied by better security around traditional threats like spam and exploit codes, are changing gears and focusing more of their efforts in such areas as mobile devices, social networks and cloud computing, according to a report by IBM. In Big Blue's "X-Force 2011 Trend and Risk Report," released March 22, IBM found significant reductions in such Internet security threats as spam and improvements in such areas as vulnerability patching and software application code. However, in response to such developments, cyber-criminals are now trying to find new ways to launch their attacks, as well as relying on a well-worn method: phishing.

(U) IBM's report is based on research of public vulnerability disclosures, findings from more than 4,000 clients, and information gathered from the monitoring of about 13 billion events a day in 2011. "In 2011, we've seen surprisingly good progress in the fight against attacks through the IT industry's efforts to improve the quality of software," Tom Cross, manager of threat intelligence and strategy for IBM X-Force, said in a statement. "In response, attackers continue to evolve their techniques to find new avenues into an organization. As long as attackers profit from cyber-crime, organizations should remain diligent in prioritizing and addressing their vulnerabilities."

(U) Among the positives IBM saw in 2011 was a 50 percent drop in spam, compared with 2010 levels, and better patching of security vulnerabilities in software. Vendors left only 36 percent of software vulnerabilities unpatched, compared with 43 percent in 2010. IBM officials said some of the decline in spam probably came from authorities taking down several large botnets, such as Rustock.

(U) There also was a higher quality of software application code, IBM found. That was seen in Web application vulnerabilities called cross-site scripting, which were half as likely to exist in clients' software as they were four years ago. There also was a 30 percent drop in the availability of exploit code, which is released to help attackers when security vulnerabilities are found. IBM attributes the decline to procedural and architectural changes by software developers that make it more difficult for cyber-criminals to take advantage of vulnerabilities that are disclosed.

(U) But attackers are adapting in a number of ways, including increasing their targeting of shell command injection vulnerabilities instead of using SQL injection attacks against Web applications. The number of SQL injection vulnerabilities in Web applications (such vulnerabilities enable attackers to get into the databases behind the applications) dropped 46 percent in 2011. However, shell command injection attacks, which let cyber-criminals execute commands directly on a Web server, grew by almost three times last year.

(U) There also were increases in the second half of 2011 in both automated password guessing and phishing attacks. In particular, phishing attacks in the second half of the year hit levels that hadn't been seen since 2008, according to IBM, with many disguised as coming from social networking sites and mail parcel services.

(U) Mobile devices, social media and the cloud are areas of emerging interest to attackers, according to IBM. There was a 19 percent increase in 2011 in publicly released exploits aimed at mobile devices. For IT managers, that becomes a key concern, given the growing bring-your-own-device (BYOD) trend, where employees are using their personal smartphones and tablets to access corporate networks and data. IBM also saw a surge in phishing attacks in social media sites, where users are increasingly offering information about their personal and professional lives.

(U) The rapid adoption of cloud computing is also a growing cause for concern, and IBM recommended that IT administrators give a lot of thought to deciding what data can be put into a public cloud and what should be left inside the firewall, and how service level agreements (SLAs) are written. "Many cloud customers using a service worry about the security of the technology," an IBM security cloud strategist said in a statement. "Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer's control. They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload."

(U) New Verizon Breach Data Shows Outside Threat Dominated 2011; Malware and Hacking the Top Breach Methods (Dark Reading, 28 FEB 2012)

(U) More than 85 percent of the data breach incident response cases investigated by Verizon Business last year originated from a hack, and more than 90 percent of them came from the outside rather than via a malicious insider or business partner. In February, Verizon published a snapshot of data from its upcoming 2012 Data Breach Investigations Report, using data from its own caseload of some 90 of its 855 breach cases for last year. "This is the first year that we worked more cases outside the United States than inside. That ratio has been building and it makes the case that this is not a US-specific problem. All regions are having data breaches," said the director of research and intelligence at Verizon Enterprise Solutions.

(U) At the top of the list of compromised industries again were retail, financial services, and hospitality. And a big factor in this year's cases was the rise in hacktivist-based attacks. Outside or external attackers jumped from 88 percent in 2010 to 92 percent in 2011, and breaches due to internal threats continued to decline, from just more than 10 percent in 2010 to less than 5 percent in 2011, according to Verizon's data. "We can expect this trend to continue. Every single caseload we ever looked at shows the external [threat agent] as the majority except for one," the Verizon director says.

(U) As for breach methods, hacking (86 percent) and malware (57 percent) were on the rise, while social engineering, misuse, physical threats, errors, and environmental factors all dropped. The most commonly used venue for breaches was exploiting default or easily guessed passwords, with 29 percent of the cases last year, followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. "There were a lot of authentication-type attacks," he says.

(U) As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point-of-sale servers, Web and app servers, and database servers. Nearly 50 percent targeted user devices such as desktops, laptops, and POS terminals. "The user device serves as a foothold into the environment. They are trying to get into your environment and then they spread out," he says. How do organizations learn that they've been hit? Most find out from an external source, usually law enforcement, according to Baker. And for nearly 60 percent of the cases, it took months before the organization learned that it had been hacked.

(U) Verizon's full report for 2011 will include caseload data from Verizon as well as the U.S. Secret Service, the London Metropolitan Police, the Irish CERT, the Dutch National Police, and the Australian Federal Police. Download the report at: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

(U) Ransomware: The Latest Trend in Malware (Network World, 21 MAR 2012)

(U) If the software industry showed as much innovation and initiative as the malware business, we might have some really nice software to choose from. But for now, the bad guys are one step ahead of the rest of us, with a new way to squeeze money out of your pocket. Microsoft calls this new trend ransomware, and it looks a lot like older scams in which an app masqueraded as an antivirus program and then tried to sucker you into buying a useless piece of software to remove an infection that doesn't exist.

(U) In the case of ransomware, an infection takes control of and holds hostage an infected machine, locking the user out until a payment of some form is made. In one case, Microsoft found an example that looked like an official Microsoft screen, claiming the Windows license was invalid.

(U) Others used artwork from legitimate organizations when they were in fact not affiliated. These have included the German Federal Police, GEMA (Germany's performance rights organization), the Swiss Federal Department of Justice and Police, the UK Metropolitan Police, the Spanish police and the Dutch police.

(U) The ransomware locks the computer, displays the alert screen and demands the payment of a "fine" for the supposed infraction through a legitimate online payment service like Paysafecard or Ukash. Since many of these infections are taking place in Europe, PayPal does not seem to be involved. Many of these infections are distributed through drive-by downloads on websites that use the Blackhole Exploit Kit, a popular kit for other drive-by infections. This comes through redirects to malicious websites or through exploits in vulnerabilities. The Blackhole Exploit Kit looks to see if a number of known vulnerabilities are unpatched on the system. Fortunately, none of them are zero-day, so there are no excuses for not running Windows Update.

(U) US Cyber Chief: We are Fighting a “Tide of Criminality” (Layer 8, 21 MAR 2012)

(U) What the government is doing and how much money it is spending to protect cyberspace was again the subject of a congressional hearing in March as top execs in the Department of Defense detailed what they would be doing with the $3.4 billion cyber security portion of their 2013 budget request. For example, DOD's chief information officer told the House Armed Services Committee's subcommittee on emerging threats and capabilities that the agency's overall $37 billion information technology budget request for 2013 includes a range of IT investments, including the $3.4 billion for cyber security to protect information, information systems and networks against known cyber vulnerabilities. It also includes $182 million for Cyber Command for network defense, cryptographic systems, communications security, network resiliency, workforce development, and development of cyber security standards and technologies department-wide, she stated.

(U) A key portion of the DoD's plan is a move to a single, joint network architecture allowing the agency and Cyber Command better visibility into network activity and better defense against cyber-attacks. The department has made significant progress in several areas. One effort involved deploying a host-based security system that enhances situational awareness of the network and improves the ability to detect, diagnose and react to cyber intrusions, the DOD CIO said.

(U) Despite improvements and the money it's going to take to continue the cyber security effort, the industry is really at the beginning of the battle. "Nation-state actors in cyberspace are riding a tide of criminality. Several nations have turned their resources and power against us and foreign businesses and enterprises, even those that manage critical infrastructure in this country, and others," Army Gen. Keith Alexander, commander of US Cyber Command and director of the National Security Agency, told the committee. "I think we're making progress," Alexander said, "but the risks that face our country are growing faster than our progress and we have to work hard on that."

(U) Alexander described five key areas Cyber Command is working on:

• Building the enterprise and training the force;

• Developing a defensible architecture;

• Getting authorities needed to operate in cyberspace;

• Setting the teamwork properly across US government agencies; and

• Creating a concept of operations for operating in cyberspace.

(U) US Nukes Face Up to 10 Million Cyber Attacks Daily (www.usnews.com, 20 MAR 2012)

(U) The computer systems of the agency in charge of America's nuclear weapons stockpile are "under constant attack" and face millions of hacking attempts daily, according to officials at the National Nuclear Security Administration (NNSA). Thomas D'Agostino, head of the agency, says the agency faces cyber attacks from a "full spectrum" of hackers. "They're from other countries' [governments], but we also get fairly sophisticated non-state actors as well," he said. "The [nuclear] labs are under constant attack, the Department of Energy is under constant attack."

(U) A spokesman for the agency says the Nuclear Security Enterprise experiences up to 10 million "security significant cyber security events" each day. "Of the security significant events, less than one hundredth of a percent can be categorized as successful attacks against the Nuclear Security Enterprise computing infrastructure," the spokesman said, which puts the maximum number at about 1,000 daily. The agency wants to beef up its cybersecurity budget from about $126 million in 2012 to about $155 million in 2013 and has developed an "incident response center" responsible for identifying and mitigating cyber security attacks. In April of last year, the Department of Energy's Oak Ridge National Laboratory was successfully hacked and several megabytes of data were stolen, D'Agostino said. Internet access for workers at the lab was disconnected following the breach.

(U) A cybersecurity expert with the Council on Foreign Relations says it's likely that a majority of those 10 million daily attacks are automated bots that "are constantly scanning the Internet looking for vulnerabilities." "The numbers are kind of inflated on that front," he says, adding that it's extremely unlikely that hackers would be able to remotely launch a nuclear warhead, because those systems are "airgapped" or disconnected from standard internet systems. But the Stuxnet computer worm, discovered in 2010, was widely spread to supposedly-secure uranium enrichment plants in Iran, Indonesia and India, shutting those systems down.

(U) The NNSA says they are not aware of any viruses or malware that could remotely launch a nuclear warhead, but the "Stuxnet worm is a very real example of how sophisticated malware can cause physical damage to industrial systems." The cybersecurity expert says Stuxnet was a lesson—no matter how secure a computer system appears to be, it can be breached. Many experts said the worm was so sophisticated that it had to have been developed by a team of hackers associated with a national government. "Stuxnet showed that airgapping is not a perfect defense," he says. "Even in secure systems, people stick in their thumb drives, they go back and forth between computers. They can find vulnerabilities that way. If people put enough attention to it, they can possibly be penetrated."

(U) D'Agostino said with the agency facing so many hacking attempts, its employees have to remain vigilant. "All it takes is one person to let their guard down," he said. "This is going to be, in my view, an ever-growing area of concern." The cybersecurity expert says any successful hackers would likely have to have an intimate knowledge of the programming languages used by the Department of Energy. "There'd probably have to be a state-based actor behind it. You have to understand a lot about the systems," he says. "Hacking into the Department of Energy and looking for nuclear secrets—how to build a bomb, is probably much easier than trying to take over a bomb or a launch code, and probably of more interest to the Russians or the Chinese or the Iranians."

(U) Report: Hackers Seized Control of Computers in NASA’s Jet Propulsion Lab (www.wired.com, 01 MAR 2012)

(U) Hackers seized control of networks at NASA's Jet Propulsion Laboratory last November, gaining the ability to install malware, delete or steal sensitive data, and hijack the accounts of users in order to gain their privileged access, according to a report from the National Aeronautics and Space Administration's inspector general. The breach, originating from Chinese-based IP addresses, allowed the intruders to compromise the accounts "of the most privileged JPL users," giving them "full access to key JPL systems," according to Inspector General Paul K. Martin in a report to Congress. The investigation of the breach is ongoing, but Martin says the intruders had the ability to modify sensitive files; modify or delete user accounts for mission-critical JPL systems; and alter system logs to conceal their actions. "In other words, the attackers had full functional control over these networks," Martin writes.

(U) But this wasn't the only breach NASA experienced. In 2010 and 2011, the agency had 5,408 computer security incidents that resulted in the installation of malicious software and the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million. Some of the breaches "may have been sponsored by foreign intelligence services seeking to further their countries' objectives," Martin writes. One March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of algorithms used to command and control the International Space Station. In one of the most successful attacks, Martin notes, intruders stole user credentials for more than 150 NASA employees, which could have been used to gain unauthorized access to NASA systems.

(U) NASA operates more than 550 information systems that control spacecraft, collect and process scientific data, and enable NASA personnel to collaborate with colleagues around the world, and spends about $58 million annually for IT security. "Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our Nation's competitive technological advantage," Martin writes. But even more troubling, he said, skilled attackers "could choose to cause significant disruption to NASA operations, as IT networks are central to all aspects of NASA's operations."

(U) US Secret Service’s “Operation Open Market” Nets 19 Arrests; Suspects Indicted for Racketeering, Identity Theft, Access Device Fraud (US Secret Service Press Release, 16 MAR 2012)

(U) The US Secret Service, in coordination with US Immigration and Customs Enforcement, arrested 19 individuals over the last two days in nine states in "Operation Open Market." This was an investigation into transnational organized crime which operated on multiple cyber platforms and whose members bought and sold stolen personal and financial information through online forums. The group then engaged in crimes such as identity theft and counterfeit credit card trafficking. This investigation is the first Secret Service cybercrime case to result in a Racketeer Influenced Corrupt Organization (RICO) indictment. "The indictments and arrests in this case are yet another example of how the Secret Service continues to promote the Department of Homeland Security's mission of providing a safe, secure and resilient cyber environment. The successful partnerships fostered by the Secret Service's electronic crimes task forces result in ground-breaking investigations such as Operation Open Market," said A.T. Smith, the Secret Service's Assistant Director for Investigations.

(U) US Secret Service and US Immigration and Customs Enforcement arrested two persons in Las Vegas yesterday, and another 17 persons in California, Florida, New York, Georgia, Michigan, Ohio, New Jersey and West Virginia. The individuals are charged in three separate indictments which were returned by the Grand Jury in Las Vegas in early 2012 and unsealed today. The charges include racketeering, conspiracy, and production and trafficking in false identification documents and access device cards. Fifty persons are charged in the investigation. One indictment charges 39 defendants; however, the names of 16 of those defendants have been redacted and remain sealed because authorities have not yet arrested them, and 11 more are identified as John Doe and an alias. Another indictment charges seven individuals, and a third indictment charges four individuals.

(U) Authorities also executed a number of search warrants today at the known residences of several defendants and seized electronic media, counterfeit credit card manufacturing plants and an ATM machine. "These suspects targeted the personal and financial information of ordinary citizens," said Rick Shields, Special Agent in Charge of the Secret Service's Las Vegas Field Office. "Working together with our partners in the Las Vegas Electronic Crimes Task Force, including Immigration and Customs Enforcement, we were able to build a comprehensive investigation based on information sharing, resource sharing and technical expertise that bridges jurisdictional boundaries."

(U) The defendants are alleged to be members and associates of a criminal organization who traffic in and manufacture stolen and counterfeit identification documents and access device cards (debit and credit cards), and engage in identity theft and financial fraud crimes. The organization encourages members to sell contraband, such as counterfeit documents and stolen bank account information, by way of the organization's websites. Higher level members of the organization examined and tested the products that other members wished to advertise and sell on its websites, and posted summaries of these reviews on the websites. Members of the organization used various procedures to mask their identities from law enforcement and to prevent detection from rival criminal organizations. Contraband available for purchase included money laundering services, fraudulent identification documents, stolen credit card account information or "dumps," stolen PayPal accounts, and counterfeit plastic and counterfeit holograms used for producing counterfeit credit cards. The indictment states that "dumps" from the United States were the least expensive, and "dumps" from Europe, the Middle East and Asia were the most expensive.

(U) The US Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency's inception in 1865. As technology has evolved, the scope of the US Secret Service's mission has expanded from its original counterfeit currency investigations to also include emerging financial crimes. As a component agency within the US Department of Homeland Security, the US Secret Service has established successful partnerships in both the law enforcement and business communities – across the country and around the world – in order to effectively combat financial crimes.

(U) Anonymous Vandalizes US Prison Contractors' Site (The Associated Press, 24 FEB 2012)

(U) The website of an international prison contractor was defaced by hackers who replaced the company's home page with a hip-hop homage devoted to former death row inmate Mumia Abu Jamal. Hackers allied to the loose-knit Anonymous movement claimed responsibility for vandalizing the site of Boca Raton, Florida-based GEO Group Inc., which manages some 60 custodial facilities in Europe, North America, Australia and South Africa. A call to the GEO Group Inc. was routed to The GEO Group Foundation, a charitable organization linked to the company. A foundation representative refused to discuss the attack, asking that questions be submitted in writing to the foundation's Executive Director.

(U) Anonymous said in a statement posted to the stricken website that its hack was "part of our ongoing efforts to dismantle the prison industrial complex." Earlier, Anonymous claimed credit for defacing the website of a Dayton, Ohio-based chapter of Infragard, a public-private partnership for critical infrastructure protection sponsored by the FBI. The group's site was replaced by a video of Coolio's 1995 rap hit, "Gangsta's Paradise." The FBI declined to comment on that attack.

(U) Anonymous, an amorphous collection of activists and Internet mischief-makers, has increasingly focused its energy on military, police and security companies in recent months. Among its most spectacular coups: The interception of a conference call between FBI and Scotland Yard cyber-investigators working to track them down. At least one element within the group has promised weekly attacks on government-linked targets.

(U) Interpol Says Suspected Anonymous Hackers Arrested (The Associated Press, 29 FEB 2012)

(U) Interpol said that 25 suspected members of the loose-knit Anonymous hacker movement have been arrested in a sweep across Europe and South America. The international police agency said in a statement in late February that the arrests in Argentina, Chile, Colombia and Spain were carried out by national law enforcement officers working under the support of Interpol's Latin American Working Group of Experts on Information Technology Crime. The suspects, aged between 17 and 40, are suspected of planning coordinated cyberattacks against institutions including Colombia's defense ministry and presidential websites, Chile's Endesa electricity company and national library, as well as other targets.

(U) The arrests followed an ongoing investigation begun in mid-February which also led to the seizure of 250 items of IT equipment and mobile phones in searches of 40 premises in 15 cities, Interpol said. In Chile's capital, Subprefect Jamie Jara said at a news conference that authorities arrested five Chileans and a Colombian. Two of the Chileans are 17-year-old minors. The case was being handled by prosecutor Marcos Mercado, who specializes in computer crime. He said the suspects were charged with altering websites, including that of Chile's National Library, and engaging in denial-of-service attacks on websites of the electricity companies Endesa and Hidroaysen. The charges carry a penalty of 541 days to five years in prison, he said. Jara said the arrests resulted from a recently begun investigation and officials do not yet know if those arrested are tied to any "illicit group." "For now, we have not established that they have had any special communications among themselves," he said. Jara said authorities were continuing to investigate other avenues, but gave no details.

(U) Gen. Carlos Mena, commander of Colombia's Judicial Police, said no one was arrested in Colombia, but he noted that some Colombians had been arrested elsewhere, including Chile. He said he hadn't confirmed a report that one of those arrested in Argentina may have been from Colombia. Mena did hint that there might be arrests in Colombia. He said other nations have been providing information and Colombian authorities are looking into it, but so far haven't arrested any hackers. "You have to leave them alone, so when we have all the evidence, and the prosecutor makes the decision, we will be all over it and capturing them," he said.

(U) No official statements have been released yet in Argentina. An Argentine media website based its story on the Interpol statement, which it quotes as saying that 10 people were arrested in Argentina. Earlier Tuesday, police in Spain announced the arrest of four suspected Anonymous hackers in connection with attacks on Spanish political party websites. These four were among the 25 announced by Interpol. A National Police statement said two servers used by the group in Bulgaria and the Czech Republic have been blocked. It said the four included the alleged manager of Anonymous' computer operations in Spain and Latin America, who was identified only by his initials and the aliases "Thunder" and "Pacotron." The four are suspected of defacing websites, carrying out denial-of-service attacks and publishing data on police assigned to the royal palace and the premier's office online.

(U) Interpol is headquartered in Lyon, France. The organization has no powers of arrest or investigation but it helps police forces around the world work together, facilitating intelligence sharing. Anonymous, whose genesis can be traced back to a popular US image messaging board, has become increasingly politicized amid a global clampdown on music piracy and the international controversy over the secret-spilling site WikiLeaks, with which many of its supporters identify. Authorities in Europe, North America and elsewhere have made dozens of arrests, and Anonymous has increasingly attacked law enforcement, military and intelligence-linked targets in retaliation.

(U) One of Anonymous' most spectacular coups: Secretly recording a conference call between US and British cyber investigators tasked with bringing the group to justice. Anonymous has no real membership structure. Hackers, activists, and supporters can claim allegiance to its freewheeling principles at their convenience, so it's unclear what impact the arrests will have. Some Internet chatter appeared to point to a revenge attack on Interpol's website, but the police organization's home page appeared to be operating as normal. One Twitter account purportedly associated with Anonymous' Brazilian wing said the sweep would fail. "Interpol, you can't take Anonymous," the message read. "It's an idea."

(U) Anonymous Shuts Interpol Site in Revenge (UPI, 29 FEB 2012)

(U) Anonymous said it shut down Interpol's Web site to avenge the worldwide police agency's arrest of 25 suspected members of the activist Internet hacking group. People claiming to be hackers associated with Anonymous took credit on Twitter for the site shutdown and encouraged sympathizers to keep Interpol's site offline by flooding its servers with traffic. "They poked the hive," Twitter user AnonymousIRC wrote in a post monitored by United Press International. "Interpol dubbed their attempt at arresting anons 'Operation Unmask' -- funny," anonymouSabu, also self-identified as The Real Sabu, posted on Twitter. "Let us assist them by unmasking and exposing Interpol agents." The Interpol site was still down a day later, with users seeing "Server not found" and "Problem loading page" messages instead, a UPI spot check indicated.

(U) The Operation Unmask arrests in Argentina, Chile, Colombia and Spain were conducted with cooperation from those countries' governments, Interpol said. The International Criminal Police Organization said it seized 250 pieces of information technology equipment and cellphones at 40 locations in 15 cities, as well as credit cards and cash from some alleged hackers. It said the suspects ranged in age from 17 to 40, but the Spanish newspaper El Pais said Wednesday a 16-year-old girl was allegedly part of an Anonymous hacking group known as Sector 404. Spain's RTVE network said an unidentified minor was released to parental custody.

(U) Interpol said it began the operation a couple of weeks ago after a series of coordinated cyberattacks against Spanish political parties' Web sites, the Colombian Defense Ministry and presidential Web sites, Chile's national library and largest electric utility and other targets. Arrested in Malaga, Spain, was an alleged hacker identified as FJBD, also known as Thunder or Pacotron, "allegedly responsible for administering and managing the IT infrastructure used by Anonymous in Spain and Latin America," Spain's National Police Corps said in a statement. FJBD allegedly managed servers hosted in the Czech Republic and Bulgaria that were key for communication and coordination of Anonymous attacks, the statement said. Arrested in Madrid was JMLG, or Troy, the alleged perpetrator of Spain's most notorious Anonymous attacks and private-data leaks, the statement said.

(U) Anonymous is a loosely affiliated group of activist computer hackers first identified in 2003 with cyberpranks. It became increasingly associated with collaborative, international "" in 2008, often in retaliation for anti-digital piracy campaigns by motion-picture and recording-industry trade associations. In January, Anonymous claimed responsibility for attacking the Web sites of the US Justice Department and several major entertainment companies and trade groups in retaliation for the seizure of Megaupload Ltd., a popular online service that let users transfer movies and music anonymously.

(U) The FBI charged seven people tied to Megaupload with running an international criminal enterprise centered on copyright infringement. Anonymous is accused of knocking the CIA Web site offline Feb. 10. A week earlier, hackers allegedly tied to the group intercepted a conference call between the FBI and Britain's Metropolitan Police Service, or Scotland Yard, and released a 16-minute recording of the call. Hackers allegedly associated with Anonymous threatened to "shut the Internet down on March 31" by attacking servers that perform Internet switchboard functions.

(U) Anonymous Takes Down Security Firm's Website, Vows to Fight on After Arrests; Panda Security Says Hack of PandaLabs Did Not Breach Company's Internal Network (Computerworld, 07 MAR 2012)

(U) Hackers claiming to belong to the Anonymous hacking collective early Wednesday defaced Panda Security's PandaLabs website in apparent response to the arrests of five hackers in early March in the United Kingdom and the United States. In a characteristically defiant message posted on PandaLabs' hacked homepage, Anonymous taunted the former LulzSec leader Sabu for helping the FBI nab the hackers, and vowed to carry on its hacktivist campaign regardless of the setback. "We are Antisec we'll fight till the end," the message noted. "To FBI and other s.... come at us bros we are waiting for you," it noted. The message was preceded by a seven-minute video clip set to the tune of "Santa Claus is Coming to Town" that appeared to recap Anonymous' activities over the past year.

(U) The attackers also posted what seemed to be the login credentials of numerous Panda Labs employees on the defaced homepage. They noted that the attack on the security firm's site was in retaliation for Panda's alleged role in helping law enforcement crack down on members of the hacking collective. "They helped to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others," the attackers said in apparent reference to a series of arrests of Anonymous members last year. "Yep we know about you. How does it feels being the spied one?" the message asked.

(U) In an emailed statement, a Panda Security spokeswoman said the hackers had obtained access to a Panda Security webserver that was hosted outside of Panda's internal network. This server was used only for marketing campaigns and to host company blogs, it said. "Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack," the statement said. "The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years," the company said. Prior to the attack, PandaLabs' technical director had posted a blog titled "Where is the Lulz Now" praising the arrests.

(U) The attack on Panda Labs came less than 24 hours after the US Attorney's office for the Southern District of New York said it had arrested five prominent members of Anonymous and a splinter group LulzSec in raids in the United Kingdom and in Chicago. Among those arrested was an individual who is alleged to have been responsible for the Christmas Day hacks against security intelligence firm Strategic Forecasting (STRATFOR).

(U) Each of the individuals was indicted on computer hacking charges and faces a maximum of 20 to 30 years in prison if convicted. The arrests were made with the help of Hector Monsegur, a New York native who was the leader of LulzSec before being arrested last year. Monsegur, who also used the handle "Sabu," pleaded guilty in August to 12 hacking charges and faces up to 124 years in prison. After his arrest, Sabu agreed to help the FBI go after other members of LulzSec and Anonymous in the hopes of receiving a reduced sentence.

(U) The attackers of Panda's website chided Monsegur for being a snitch. "Traison (sic) is something we don't forgive," the message noted. "Yeah Yeah we know...Sabu snitched on us. As usually happens FBI menaced him to take his sons away we understood." The attackers noted that the arrests might well mean the end of LulzSec, but not of Anonymous. "Anonymous existed before LulzSec and will continue existing," the message read. Analysts lauded the FBI's efforts in nabbing the alleged Anonymous hackers but had expressed doubt over the long-term impact it would have on the group's activities. The arrests show that it is going to be increasingly hard for Anonymous to act with the kind of impunity they have shown in the past, an analyst with Securosis had said. "But there's no way to predict where this will go," he noted.

(U) Unsecured Email Led to Leak of FBI and Scotland Yard Call; Teen Intercepted Email and Used Information to Secretly Record Call (The Associated Press, 06 MAR 2012)

(U) US authorities say the leak of a conference call between the FBI and Scotland Yard came about due to an Irish police officer's blunder. A US indictment says a teenage hacker was able to eavesdrop on the sensitive call after the unnamed Irish officer forwarded a work message to an insecure personal email account. The FBI says 19-year-old Donncha O'Cearrbhail intercepted the email and used the information in it to access and secretly record the Jan. 17 call. In the call, FBI and Scotland Yard investigators discussed ways to bring down the hacking collective known as Anonymous. Anonymous later published a roughly 15-minute-long recording of the call to the Internet. A spokesman for Ireland's national police force declined to comment Tuesday.

(U) Malicious Code in the IT Supply Chain Threatens Federal Operations (Nextgov, 23 MAR 2012)

(U) Agencies that deal with national security data and programs must do more to secure their information technology supply chains, a government watchdog said in March. Federal agencies aren't required to track "the extent to which their telecommunications networks contain foreign-developed equipment, software or services," the Government Accountability Office report said, and they typically are aware only of the IT vendors nearest to them on the supply chain, not the numerous vendors downstream. That has left IT systems at the Energy, Homeland Security and Justice departments more vulnerable to malicious or counterfeit software installed by other nations' intelligence agencies or by nonstate actors and hackers. US enemies could use that malicious software to secretly pull information from government systems, erase or alter information on those systems, or even take control of them remotely.

(U) The Justice Department has identified measures to protect its supply chain but has not developed procedures to implement those measures, the report said. Energy and Homeland Security haven't identified measures to protect their supply chains at all, according to GAO. The watchdog agency also examined the Defense Department, which it said had designed and effectively implemented a supply chain risk management program. Defense has reduced its supply chain risk through a series of pilot programs and expects to have "full operational capability for supply chain risk management" by 2016, the report said. Those pilots focus both on assessing the risk posed by particular vendors' supply chains and on testing and evaluating the purchased systems for malicious components, GAO said.

(U) The US Computer Emergency Readiness Team inside DHS has found that about one-fourth of roughly 43,000 agency-reported security incidents during fiscal 2011 involved malicious code that could have been installed somewhere along the supply chain, GAO said. Globally sourced IT hardware buys can prove embarrassing for agencies that deal with national security data even if there's no malicious or counterfeit technology inside the machines. The Air Force Special Operations Command, for instance, canceled a planned iPad acquisition in February, two days after receiving a query from Nextgov about Russian-developed security and document reading software specified in the procurement documents.

(U) Tracking the origins of federal technology has been complicated by the complex ownership structures of multinational IT suppliers, which sometimes are owned in one nation, source their IT in another nation and manufacture it in a third nation, GAO said. The report recommended that Energy and Homeland Security officials develop and implement firm procedures to protect against supply chain threats. The watchdog recommended that all three departments develop monitoring procedures to ensure their supply chain management practices are effective. The departments largely agreed with GAO's assessments, the report said.

(U) COUNTERTERRORISM THREAT ITEMS FROM THE PRESS:

(U) High School Grad Guilty in Terror Case is Cited in Report on Future of Islamist Extremism (The Washington Post, 26 FEB 2012; US Congress Press Release, 27 FEB 2012)

(U) Zachary Adam Chesser, the 22-year-old Oakton High School graduate who converted to Islam as a teen and pleaded guilty last year to terrorism-related charges, represents the future of online Islamist radicalization, according to a report to be released Monday by the Senate Committee on Homeland Security and Governmental Affairs. The report includes copies of four letters handwritten by Chesser from prison and sent to committee staff, and coincides with his own apparent return to the Internet last week. A four-part screed signed by Chesser and posted online on Feb. 20 outlines some of the ways he says he was wronged by the US justice system. The letters and the posting offer what appear to be the first public glimpses into Chesser's thinking since he was sentenced last February to 25 years in federal prison. He pleaded guilty to soliciting violence, attempting to provide material support to a terrorist group, and threatening the creators of "South Park" after one of their shows depicted the prophet Muhammad in a bear suit.

(U) Chesser, whom the report describes as the son of a US government contractor, is incarcerated in Marion, IL. The facility is one of two high-security penitentiaries in the United States with "Special Communications Units" sometimes referred to as "Guantanamo North" because they contain a high percentage of Muslim prisoners convicted of terrorism-related charges. A gifted student who was, according to the report, briefly a Buddhist, Chesser converted to Islam in high school after dating a Muslim girl. But his radicalization appears to have taken place almost completely over the Internet, where he found like-minded people after local Islamic leaders disagreed with his views.

(U) In his often rambling writings before his arrest, he recommended "desensitizing" law enforcement by planting phony bombs, and urged Muslim mothers to teach their children "the basics of jihaad." He also corresponded via e-mail with Anwar al-Awlaki, the US-born radical cleric killed by a US drone last year in Yemen. Chesser's latest posting, on a Muslim prisoner advocacy site called aseerun.org and titled "Victims of the American Inquisition," offers a window into a family torn apart by the events surrounding his arrest.

(U) His wife, a fellow convert and a citizen of Uganda, voluntarily left the United States last year as part of his plea agreement and settled in Jordan. According to Chesser's posting, the couple had hoped their 2-year-old son, Talhah, would join her. Instead, against their wishes, Chesser's mother won custody earlier this year, Chesser wrote, and his mother-in-law has visitation rights. Neither woman is Muslim.

(U) Although Chesser did not directly engage in violence, he is "significant because he is part of a trend which, if not addressed, threatens the security of our homeland," the report says, adding that as incendiary material becomes more widely available online, there is "a corresponding increase in the number of individuals viewing extremist material and who can become radicalized." Chesser's writings, videos and songs appeared on various extremist Islamist Web sites, allowing the government to track him over two years and arrest him in July 2010 after he tried to fly to Uganda in an apparent attempt to join an al-Qaeda-linked terrorist group in Somalia.

(U) In a statement he read at his sentencing, Chesser implied that he regretted his actions. But his letters to the committee, neatly printed on lined paper, display the same combination of self-importance and naivete that pervaded his earlier online writings. "I have above average artistic, computer graphics, video editing, writing, and programming skills," he writes in one. "These, combined with a flair for propaganda, motivational work, recruiting, networking, and marketing led to my quick rise on the internet . . . I wound up in a position of enormous influence."

(U) In the letters, he suggests creating a forum for discussion among Islamists and the government and counterterrorism community, and he expresses anger at his lawyers' attempts to portray him as "some guy with no influence and no connections trying to just march into Somalia." At the same time, he appears to criticize law enforcement for taking his activities too seriously. "There is no voice from the government seeking understanding," he writes in one letter. "There is no stage between someone saying, 'I like the Taliban' for the first time and a sting operation. Read Orwell's 1984 and you will see how it feels to be Muslim in America." He adds, "I had no clue you could be arrested for joining al-Shabaab." Chesser's pre-arrest activities resurfaced in the news in February when a fellow convert, Jesse Curtis Morton, who worked with Chesser on a now-defunct Web site called Revolution Muslim, pleaded guilty to using the site to make threats against the "South Park" creators and others.

(U) The Senate committee issued a press release that noted "Chesser represents a growing breed of young Americans who have such comfort and facility with social media that they can self radicalize to violent Islamist extremism in an accelerated time period, compared to more traditional routes to radicalization," the report said. Chesser's "prolific online writings and written correspondence with Committee staff provide a window into his thinking, and in turn, may shed light on the thinking of other like-minded individuals who may follow in his destructive path of radicalization toward violent Islamist extremism." Committee staff corresponded with Chesser over a three-month period from August through October 2011 and included four of those hand-written letters in the report. Chesser's extensive online writings also were analyzed closely. He was a member of and contributed to at least six terrorist online sites, created three YouTube terrorist propaganda channels, managed at least two Twitter accounts and a Facebook page, and authored two blogs advocating violent Islamist extremism.

(U) The report offered two recommendations: It called on the federal government to develop a strategy aimed specifically at global internet radicalization and propaganda. "The US Government needs a comprehensive Internet strategy to address online radicalization that integrates activities across the State Department, the Defense Department, the Department of Homeland Security, the FBI, and other agencies into a single, coherent approach – while vigilantly respecting the First Amendment rights of all Americans," the report concluded. But a committee staff member who helped produce the report acknowledged that this would have been difficult to do with Chesser, who was not part of a mosque. "It raises the importance of the Internet," he said. "People can really self-segregate to a large degree. I suppose that represents the purest form of the threat: People who have no connection to people who don't agree with them." Chesser's father and lawyer declined to comment; his mother, a supervising trial lawyer for the District, could not be reached.

(U) The report also recommended the federal government develop a "whole of society" approach to countering violent Islamist radicalization that includes "how to facilitate community intervention by family, friends, and community and religious leaders supported by federal, state, and local government resources. In addition, the US government should strengthen its ability to assist Muslim American communities seeking to address and counter radicalization online."

(U) The director of the Anti-Defamation League's Center on Extremism called Chesser's case an important reminder of the extent to which extremism can flourish on the Internet. "People still have this idea that there's anonymity online," he said. "It's not uncommon for people to think that they can explore the underbelly of things online and have it be a safe space." The Internet, he said, also allows people to bypass community members and find like-minded others, "without the shame of asking the wrong person the wrong thing."

(U) Download the full report at: http://www.hsgac.senate.gov/imo/media/doc/CHESSER%20FINAL%20REPORT.pdf

(U) Analyst Comment: This report, which should be downloaded and read by all law enforcement and government security personnel in Florida, provides a detailed study of the impact of the Internet on radicalization. In New Jersey, two individuals who described themselves as the "Arabian Knightz," and who were arrested when they attempted to travel to Somalia to join jihadist forces, spent time on extremist Internet forums.

(U) NYC Man Gets 27 Years in Homegrown Terror Case (The Associated Press, 02 MAR 2012)

(U) A New York City man was sentenced to 27 years in prison in March for traveling to the Middle East in a failed bid to join al-Qaida and avenge abuse of Muslims by killing American troops. "I wish I had not gone down that path," Betim Kaziu told a US District Judge before hearing the sentence in federal court in Brooklyn. "I completely regret what I did in that phase of my life." But the judge said it was the first time he'd heard the defendant express remorse, and that it wasn't convincing. "You grew up in Brooklyn and you decided to murder your own country's soldiers," the judge said. "There's still an element of defiance in you. ... You're still way too proud of becoming a jihadist." The government had sought a life term, arguing that Kaziu could resume his quest to commit terrorism if given anything less.

(U) A jury found the 24-year-old Kaziu guilty last year of conspiracy to provide material support to a terrorist organization and other charges at a trial that featured the testimony of a would-be terrorist and childhood friend of the defendant who became a government cooperator. Unlike the cases of Najibullah Zazi, mastermind of a foiled suicide attack on New York City subways, or Faisal Shahzad, the failed Times Square bomber, Kaziu's case received little attention, in part because the plot didn't get far. But his story had many of the same themes of homegrown terrorism.

(U) Kaziu and star witness Sulejah Hadzovic were two US-born sons of Islamic immigrants from the former Yugoslavia who met in sixth grade. By 2008, "they pursued a growing interest in radical Islam" and began searching the Internet for opportunities to take up arms against US troops. "We were upset at what was happening in places like Abu Ghraib prison and Guantanamo Bay, how they were humiliating and torturing Muslims there," Hadzovic testified. "It's what ultimately made us want to go and fight in jihad." The pair traveled in 2009 to Egypt, where Hadzovic said they attended school, sought to obtain AK-47s and considered whether to take up arms in Iraq, Afghanistan, Pakistan, Palestine or Somalia.

(U) Hadzovic said he began to waver after hearing President Barack Obama's speech in Cairo in 2009 that extended a hand of friendship to Islam. Kaziu, he said, told him: "Don't let (the speech) fool you. It's like throwing sand in your eyes to blind you from the truth." Defying his friend, Hadzovic returned to New York. About three weeks later, federal authorities approached him and demanded answers about his travels. He eventually agreed to plead guilty and cooperate.

(U) Prosecutors say that once on his own, Kaziu tried, but failed, to join al-Qaida groups in Iraq, Afghanistan and the Balkans. He eventually made his way to Kosovo. On the Albanian coast, he recorded a video that a prosecutor described as "his goodbye, contemplating how he would soon depart for paradise, a reward for those who die a martyr," and had bought a plane ticket to Pakistan. But he was captured by local authorities before he could make the trip. The defense claimed the alleged martyrdom video and other home videos shot by Kaziu were made in jest. His lawyers also argued that most of the evidence against their client was widely distributed anti-American propaganda.

(U) Maryland Teen Plans Guilty Plea in Pennsylvania Terror Case (The Associated Press, 06 MAR 2012)

(U) A Maryland teenager accused of helping a terror cell based in Ireland will plead guilty to a US terrorism charge, according to court papers. Mohammad Hassan Khalid became a rare juvenile suspect held in FBI custody after his arrest last summer, when he was a 17-year-old high school student in Ellicott City, Maryland. Khalid had met a Pennsylvania woman who called herself Jihad Jane in an online chat room when he was 15 and had agreed to help her seek money and recruits to wage a Muslim holy war in Europe and South Asia, authorities said. The woman, Colleen LaRose, admitted last March that she had plotted to kill a Swedish artist who had offended Muslims. LaRose, 48, faces a sentence of life in prison. She is not just a homegrown terrorist but a rare female one.

(U) Khalid was arrested in July. He first appeared in open court in October, after he turned 18 and was indicted on a charge of aiding terrorism. He has pleaded not guilty to the charge, which carries a maximum 15-year prison sentence. A defense lawyer declined to comment on the scheduled April 2 change-of-plea hearing. He previously said that he believes LaRose helped the FBI build its case against his client. Khalid and his family are legal immigrants from Pakistan. He could be deported if convicted.

(U) Teachers at Mount Hebron High School said they remember Khalid, a 2011 graduate, for his strong work ethic. Khalid had been offered a full scholarship to prestigious Johns Hopkins University. But in a secret life online, he pledged to forward money to LaRose for her to pass on to the jihadists, or holy warriors, and hid a passport she sent him, authorities said. LaRose, of Pennsburg, was being watched by the FBI after posting online videos in which she vowed to kill or die for the jihadist cause. She moved to Ireland in late 2009 but returned voluntarily to surrender to US authorities.

(U) Khalid was indicted along with Ali Charaf Damache, an Irish citizen from Algeria who married another American woman, Jamie Paulin-Ramirez, of Colorado, after she moved to Waterford, Ireland, to meet him. Paulin-Ramirez, 33, pleaded guilty last year to providing material support to terrorists, the charge now facing Khalid. The US women were sought for their Western looks and passports, authorities have said. No sentencing date has been set for either. Damache, known as Black Flag, was charged in the Khalid indictment but has not been extradited. According to prosecutors, he sought recruits to train with the group known as al-Qaida in the Islamic Maghreb. The group is an al-Qaida offshoot that has focused its efforts inside Algeria and has never attempted an attack on the United States.

(U) Damache was taken into Irish custody on a threat-related charge in March 2010, when police in Waterford detained him, Paulin-Ramirez and five others as they investigated the plot against the artist. It's unclear if he's still in custody. Damache is charged in the United States with conspiracy to aid terrorists and attempted identity theft to facilitate international terrorism. He does not have a lawyer listed in court records. There is no evidence from court documents that LaRose ever made it to Sweden to kill artist Lars Vilks, although prosecutors have said she followed his activities online. His 2007 depiction of the Prophet Muhammad as a dog prompted threats on his life. Vilks called the murder plot "rather low-tech," adding he was glad LaRose never pulled it off.

(U) Philadelphia Man Charged with Aiding Islamic Terror Group (The Philadelphia Inquirer, 15 MAR 2012)

(U) A Philadelphia man was arrested in March by the Philadelphia FBI Joint Terrorism Task Force, the Justice Department said. Bakhtiyor Jumaev, 45, of Port Richmond, was charged with helping to fund the Islamic Jihad Union. Charges were filed in Colorado by the US Attorney, which is handling the case. The IJU is a terrorist organization which splintered from the Islamic Movement of Uzbekistan in the early 2000s. It has conducted attacks and bombings in Uzbekistan and against Coalition forces in Afghanistan and attempted attacks in Germany. If convicted, Jumaev faces 15 years and a $250,000 fine.

(U) The FBI said they had been investigating Jumaev and an associate, Jamshid Muhtorov, since 2010. Muhtorov was arrested in January on similar charges at Chicago's O'Hare International Airport while attempting to leave the country. He was allegedly carrying $2,800 in cash at the time, authorities said. Court papers said Jumaev and Muhtorov pledged financial backing for the IJU and Jumaev sent $300 to Muhtorov on March 15, 2011 that was specifically intended for the IJU.


(U) Jumaev, in a series of eight YouTube videos, is seen espousing support for terrorists and an IJU cofounder, according to federal authorities. The IJU first conducted attacks in April 2004, targeting a popular bazaar and police at several roadway checkpoints, killing 47, according to court documents. The IJU also claimed responsibility for attacks targeting Coalition forces in Afghanistan in 2008, including a March 2008 suicide attack against a US military post.

(U) Iran Diplomats Cased NYC Landmarks, Police Official Says (Bloomberg, 21 MAR 2012)

(U) Iranian diplomats may have carried out "hostile reconnaissance" of sites in New York as many as six times, a warning sign that the city might be targeted for terrorist attack, according to a police official. The incidents occurred between 2002 and 2010 and involved videotaping or photographing landmarks, rail service and bridges, said Mitchell Silber, director of the city police department's intelligence analysis unit, in testimony before a US House panel. Hezbollah, a militant group allied with Iran that has been designated a terrorist organization by the US State Department, also has ties to the New York region, he said. "The city remains the most likely venue for global tensions with Iran to spill over onto American soil," Silber told the House Homeland Security Committee.

(U) Tensions with Iran have increased over the country's unwillingness to scale back its nuclear program. In February, Homeland Security Secretary Janet Napolitano said she was concerned that Hezbollah would attempt a terrorist attack on American soil and that she had been in touch with US Jewish groups. Napolitano said she wasn't aware of any specific threats to the groups or other US targets.

(U) Operatives in United States

(U) Government officials estimate "hundreds" of Iranian and Hezbollah operatives are in the United States, said Representative Peter King, a Republican from New York who is the homeland security panel's chairman. "We have a duty to prepare for the worst," he said. Representative Bennie Thompson of Mississippi, the panel's senior Democrat, complained that Obama administration officials weren't among the witnesses at the hearing. "I am concerned about whether the testimony we received will be based on current information," said Thompson. "We should not engage in a public discussion that creates fear and delivers misinformation."

(U) Economic Sanctions

(U) The United States and Europe have tightened economic sanctions on Iran since a Nov. 8 United Nations atomic inspectors' report raised questions about Iran's nuclear program. The sanctions are meant to pressure Iran's leaders to abandon weapons-related work and head off a potential conflict in the Persian Gulf region that holds more than half the world's oil reserves. The Iranian surveillance has been going on for years, Silber said. In February 2010, federal air marshals found four people who said they worked for the Islamic Republic of Iran Broadcasting Co. videotaping and photographing the Wall Street heliport, he said. One person held a camera at waist level, focusing on the structure and not the helicopters in the air, he said. Several members of the Iranian delegation to the United Nations in 2008 were seen taking pictures of the Metropolitan Transportation Authority train tracks inside Grand Central Station, Silber said. In the early to mid-2000s, police interviewed people with ties to the Iranian government who were taking pictures and videotaping infrastructure, he said.

(U) Terror Plots

Police have been examining recent terrorist plots in India, Georgia, Azerbaijan and Thailand that may be connected to Iran, Silber said. An alleged Iranian plot last year to assassinate the Saudi Arabian ambassador to the United States shows that Iran doesn't fear conducting American operations, said the director of the Stein Program on Counterterrorism and Intelligence at the Washington Institute for Near East Policy in Washington. "America and its allies are already involved in a shadow war with Iran," he said.

(U) Hezbollah's presence in the New York region has been uncovered in investigations, Silber said. Twenty-six people, including a former Brooklyn resident, were indicted in 2009 for conspiring to provide material support to Hezbollah by obtaining weapons, and raising money through the sale of fraudulent passports and other schemes, Silber said. Past cases have shown that Hezbollah operatives, whose primary purpose was to raise money and provide supplies to the group, can have a "potential lethal nature," said a former assistant director of the Federal Bureau of Investigation. Intelligence officials have told the committee's staff that "Hezbollah is the group most capable of flipping its nationwide network of criminal fund-raising cells into an operational terror force capable of great violence," King said.

(U) Authorities Probing Possible Terrorist Links to People Taking Photos Of NYC Landmarks (The Associated Press, 22 MAR 2012)

(U) Are these camera-toting people harmless tourists? Or potential terrorists? Authorities have interviewed at least 13 people since 2005 with ties to Iran's government who were seen taking pictures of New York City landmarks, a senior New York Police Department official said in March. Police consider these instances to be pre-operational surveillance, bolstering their concerns that Iran or its proxy terrorist group could be prepared to strike inside the United States, if provoked by escalating tensions between the two countries.

(U) Mitchell Silber, the NYPD's director of intelligence analysis, told Congress that New York's international significance as a terror target and its large Jewish population make the city a likely place for Iran and Hezbollah to strike. Silber testified before the House Homeland Security Committee about the potential threat. Much of what Silber said echoed his previous statements on the potential threat, but he offered new details about past activities in New York. In May 2005, Silber said, tips led the NYPD to six people on a sight-seeing cruise who were taking pictures and movies of city landmarks like the Brooklyn Bridge. In September 2008, police interviewed three people taking pictures of railroad tracks. And in September 2010, federal air marshals saw four people taking pictures and videos at a New York heliport. Interviews with law enforcement revealed that all were associated with the Iranian government, but they were ultimately released and never charged, Silber said.

(U) US officials long have worried that Iran would use Hezbollah to carry out attacks inside the United States. And Iran was previously accused in a disrupted plot to assassinate the Saudi ambassador to the United States here last year, a plan interpreted in the US intelligence community as a clear message that Iran is not afraid to carry out an attack inside this country. In January, James Clapper, the top US intelligence official, said some Iranian officials are probably "more willing to conduct an attack in the United States in response to real or perceived US actions that threaten the regime." But government officials have said there are no known or specific threats indicating Iranian plans to attack inside the United States.


(U) Azerbaijan Arrests 22 Suspected of Plotting US, Israel Embassy Attacks on Iran's Behalf (AFP, 14 MAR 2012)

(U) Azerbaijan arrested 22 people on suspicion of plotting attacks on the US and Israeli embassies in Baku on behalf of neighboring Iran, the national security ministry announced in March. "Twenty-two citizens of Azerbaijan have been arrested by the national security ministry for cooperating with the Iranian Sepah," its statement said, referring to the elite Iranian Revolutionary Guards. "On orders of the Sepah they were to commit terrorist acts against the US, Israeli and other Western states' embassies and the embassies' employees," it said.

(U) The ministry said that the suspects were recruited from 1999 onwards and trained in the use of weapons and spy techniques at military camps in Iran to enable them to gather information on foreign embassies, organizations and companies in Azerbaijan and stage attacks. "Firearms, cartridges, explosives and espionage equipment were found during the arrest," the statement said, without specifying when or how the arrests were made.

(U) The arrests come just days after Iran announced it was confident that neighboring Azerbaijan would not allow attacking forces to pass through its territory, Iran's President Mahmoud Ahmadinejad said in March, according to the official IRNA news agency. Ahmadinejad told visiting Azerbaijan Defense Minister Gen. Safar Abiyev, "We are sure that no problem will take place against Iran from (the land of) our friend and brother, Azerbaijan." Earlier, Abiyev told reporters Azerbaijan will not act against "great Iran" or allow an attack using its territory. This came after he met his Iranian counterpart, Gen. Ahmad Vahidi. Ahmadinejad said, "Joint enemies of the two countries seek to stop improvement of relations between Tehran and Baku," Azerbaijan's capital. He did not elaborate.

(U) On February 29, Israel signed a $1.6 billion deal to sell drones, anti-aircraft and missile defense systems to Azerbaijan, bringing Israeli technology to the border of archenemy Iran. In reaction, Iran summoned the Azeri envoy, seeking clarifications about the sale. In March, Abiyev indirectly defended the deal. "Azerbaijan must improve its army, and for this purpose it is obliged to purchase weapons and equipment," he said. Vahidi announced Iran's readiness to provide the Azeri army with Iranian military products. "We are ready to offer any support that can lead to self-sufficiency of army of Azerbaijan," Vahidi said. He said both countries should avoid any action that could damage security and tranquility in the region.

(U) Iran has expressed concern over alleged Israeli intelligence activity in the oil-rich Caucasian state. Israel has hinted at an attack on Iran's nuclear facilities, charging Iran is trying to make nuclear weapons. Iran denies the charge, saying its nuclear activities are aimed at peaceful purposes like power generation and cancer treatment.

(U) Analyst Comment: Given the increase in US-Iranian tensions over their nuclear development program and support for terrorism, it is important that law enforcement, government and private sector critical infrastructure entities in Florida are aware of the indicators of pre-operational planning and surveillance, as the plot in Azerbaijan demonstrates Iran's commitment to plan and conduct overseas attacks.

(U) Former US Army Soldier Indicted for Attempting to Provide Material Support to Al-Shabaab; Defendant Arrested in Kenya While En Route to Somalia (US Department of Justice Press Release, 07 MAR 2012)

(U) A federal grand jury returned an indictment in March charging Craig Benedict Baxam, age 24, of Laurel, Maryland, with attempting to provide material support to Al-Shabaab, a foreign terrorist organization. "The indictment alleges that Craig Baxam intended to travel to Somalia and join the terrorist organization Al-Shabaab," said a US Attorney. "Mr. Baxam was arrested in Kenya before he reached Somalia, and there is no allegation that anyone assisted him." According to the indictment, Baxam served in the US Army from 2007 through July 2011.

(U) The indictment alleges that sometime after July 2011, while living in Maryland, Baxam decided to travel to Somalia to join and fight for Al-Shabaab, which Baxam knew to be a designated foreign terrorist organization. According to court documents, Al-Shabaab is a militia group that uses intimidation and violence to undermine Somalia's Transitional Federal Government (TFG). In February 2008, the US Department of State designated Al-Shabaab, aka Harakat Shabaab al-Mujahidin, aka The Youth, as a foreign terrorist organization, stating that Al-Shabaab has committed or poses a significant risk of committing acts of terrorism that threaten the security of the United States. The indictment alleges that Baxam cashed out his retirement savings, purchased a plane ticket to Kenya and traveled in Kenya toward its northern border with Somalia, all in his effort to join and fight for Al-Shabaab. On December 23, 2011, Kenyan Anti-Terrorism police arrested Baxam near Mombasa, Kenya, for attempting to travel to Somalia to join Al-Shabaab.

(U) Baxam faces a maximum sentence of 15 years in prison followed by three years of supervised release. No court appearance has been scheduled. Baxam has been detained since his arrest on a criminal complaint on Friday, January 6, 2012, upon his return to Maryland after traveling to Africa. The United States Attorney praised the FBI's Maryland and New York Joint Terrorism Task Forces for their work in the investigation and recognized the Department of Justice Counterterrorism Section and US Attorney's Office for the Southern District of New York for their assistance in the investigation.

(U) This bulletin has been prepared by the Tampa Division of the FBI.

(U) If you are a security officer, foreign sales representative, or employee of a business or company in Florida, you may receive unsolicited, suspicious emails from a foreign company or individual asking specific and detailed questions about your products, or inquiring about starting a joint-venture or other commercial relationship. Your company or agency may also host foreign visitors or delegations that ask specific questions about, or seek access to, technology or information outside the scope of their visit. If you have incidents like these to report, please contact FBI Strategic Partnership Coordinator, Patrick Laflin at 813-253-1029. Please note, cleared defense contractors are required under the NISPOM to submit suspicious contact reports to their Defense Security Service (DSS) representative.

PRESENTATIONS AND OUTREACH

The CI Strategic Partnership Newsletter is a product of the FBI’s Counterintelligence Program Coordination Section which plays a key role in protecting our sensitive technologies from our adversaries.


The Challenge: to protect United States sensitive information, technologies and thereby competitiveness in an age of globalization.

Our Solution: to foster communication and build awareness through partnerships with key public and private entities, by educating, and enabling our partners to identify what is at counterintelligence risk and how to protect it. We call it “knowing your domain”— identifying the research, information and technologies that are targeted by our adversaries, and establishing an ongoing dialog and information exchange with partners, the goal of which is to change behaviors and reduce opportunities that benefit the opposition’s efforts.

The United States is a world leader in innovation. Consider the breakthrough research and development that’s taking place on the nation’s campuses and in research facilities—often on behalf of the government. Sensitive research, much of which occurs in the unclassified realm, is the key to our nation’s global advantage, both economically and militarily.

The Counterintelligence (CI) Program Coordination Section is responsible for determining and safeguarding those technologies which, if compromised, would result in catastrophic losses to national security. Through our partnerships with businesses, academia, and US Government agencies, the FBI and its counterintelligence community partners are able to identify and effectively protect projects of great importance to the U.S. Government. This provides the first line of defense inside facilities where research and development occurs and where intelligence services are focused.

The FBI’s outreach efforts continue to evolve. This newsletter is one way we hope to expand our outreach to the elements of our “CI Domain.” We continue to contact businesses and organizations with which we have not yet made personal contact. In support of its Counterintelligence Domain/Strategic Partnership Program, the Federal Bureau of Investigation hosts an annual Research and Technology Protection (RTP) Conference for Facility Security Officers and RTP Professionals. Unclassified presentations address specific country threats to your technology, industrial and economic espionage, counterintelligence threat issues, and computer intrusion/cyber threat matters. The annual RTP Conference is offered in two locations during the year: Orlando and Clearwater.

The FBI's Domain/Strategic Partnership Program seeks to interface with private industry, high tech companies, research institutes, any stakeholder and/or contractor that design, develop, produce, and distribute critical information and technologies. Our job is to establish contact with these "Domain entities" in our territory, and assist them to better understand the foreign intelligence threat, and improve their ability to institute protective mechanisms. In addition to hosting an annual Research Technology Protection (RTP) Conference for security professionals, we also provide security awareness threat briefings to our defense contractor partners, high tech companies and research institutes. To schedule CI, cyber, security, education, training and awareness briefings, contact the Tampa Domain/SPC. You may also be interested in scheduling a presentation of the FBI video “BETRAYED” followed by Q&A.

“Betrayed” represents a scenario where an FBI Intelligence Analyst is slowly but steadily compromised by a series of steps that ultimately fully compromise him into working on behalf of a foreign intelligence service. The video clearly demonstrates the traits and activities demonstrated by individuals who are involved in stealing classified information (or even proprietary information and trade secrets). The video also shows the passivity of co-workers who have clearly seen demonstrations of suspicious activity by the Intelligence Analyst, and how their failure to report the suspicious activity exacerbates the situation.

The Tampa Field Office Counterintelligence Strategic Partnership Program Coordinator: James “Pat” Laflin ([email protected]) 813.253.1029

Federal Bureau of Investigation

5525 West Gray Street Tampa, FL 33609 Phone: 813.253.1000
