Buro Jansen & Janssen, simply content!
    Jansen & Janssen is a research bureau that critically follows the police, the justice system, the intelligence services and the government in the Netherlands and the EU. It is a civil-rights collective that has been publishing for 40 years, since 1984, on the expansion of repressive legislation, public-private cooperation, security in the broadest sense, state powers, government conduct and other affairs of state.
    Buro Jansen & Janssen, Postbus 10591, 1001EN Amsterdam, 020-6123202, 06-34339533, signal +31684065516, info@burojansen.nl (pgp)
    Support Buro Jansen & Janssen. Become a donor: NL43 ASNB 0856 9868 52 or NL56 INGB 0000 6039 04 in the name of Stichting Res Publica, Postbus 11556, 1001 GN Amsterdam.
    Speculations mount over PM’s wiretapping

    Fingers continue to be pointed as speculation grows in Ankara over who is responsible for wiretapping the prime minister

    Speculation has been mounting over who was behind the eavesdropping on Prime Minister Recep Tayyip Erdoğan after he made public on Dec. 21 that wiretapping devices had been found in his home office.

    Erdoğan then suggested it was actors within the deep state behind the wiretapping, but fell short of further elaborating on who the deep-state members were exactly. Days later on Dec. 25 Erdoğan offered to close the “bugs issue,” but noted one more bug had been found at his residence.
    “Deep state” is a term widely used in Turkey to describe clandestine collaboration between high-level state security forces and criminal organizations.

    Some critics pointed to the Fethullah Gülen movement for eavesdropping on the premier, recalling conflict between the government and the Gülen movement that surfaced when National Intelligence Organization (MİT) chief Hakan Fidan was called to testify as part of the Kurdistan Communities Union (KCK) probe.

    The Gülen movement is an influential moderate-Islamist movement led by Fethullah Gülen, who now resides in the United States. The movement has been accused by critics of manipulating Turkey’s judicial and security apparatus. The Gülen movement has generally lent support to the ruling Justice and Development Party (AKP) since its foundation in 2001.

    However, an apparent conflict between the ruling party and the movement surfaced earlier this year when a specially-authorized prosecutor in Istanbul called MİT head Fidan to testify about secret talks with the PKK on Feb. 7.

    A special law was hastily adopted to prevent Fidan from testifying. In June, Erdoğan accused the specially-authorized courts of “going too far.” “He was instructed by me. If you want to take someone [to prosecute], then take me,” Erdoğan had said.

    In July, specially-authorized courts were abolished despite objection from newspapers close to the Gülen movement.

    Journalist Ahmet Şık underlined in the daily BirGün on Dec. 25 that Erdoğan’s suspicion that he was being wiretapped was not new: he had held it since February, when Fidan was called to testify by prosecutors at a time when he was in the hospital.

    Two separate bugging devices were found at Erdoğan’s office in his house. These devices are currently being examined by the MİT, according to reports.

    Suspicions that Erdoğan was being wiretapped were voiced by the opposition when Erdoğan’s security chief and all of his bodyguards were changed in September. After Erdoğan’s office at Parliament was renovated from top to bottom in October, main opposition Republican People’s Party (CHP) deputy chair Gürsel Tekin issued a Parliamentary question to Erdoğan on Dec. 3. “The renovation of the prime minister’s office coincides with the replacement of his bodyguards. This move raises suspicion whether the prime minister was eavesdropped on,” Tekin said.

    Nationalist Movement Party (MHP) secretary-general İsmet Büyükataman, for his part, asked yesterday if the MİT knew who secretly listened to Erdoğan. “Does the MİT know who eavesdropped on Erdoğan? Have they taken the necessary precautions? Is the Republic of Turkey so helpless that it is unable to find who put those bugs in the prime minister’s office?” Büyükataman said in a statement.

    December/27/2012 ANKARA – Hürriyet Daily News

    Find this story at 27 December 2012

    © http://www.hurriyetdailynews.com

    Mysterious clandestine group behind Turkish wiretap case

    Early last January, two concealed audio surveillance devices were found at the Ankara headquarters of Turkey’s Republican People’s Party (CHP). Officials and supporters of the center-left party, which is currently Turkey’s main opposition political force, were shocked by the discovery, and an investigation was launched to uncover the culprits.

    In a surprising move, Turkish police raided late last week the home of a prominent union official, and discovered documents that are said to directly link the CHP wiretaps with Ergenekon, a shadowy ultranationalist network with strong links to the Turkish armed forces. The documents were reportedly discovered at the home of Mustafa Özbek, chairperson of the Türk Metal workers’ union, who is already in prison awaiting trial on criminal conspiracy charges. They appear to disclose that the Ergenekon group set up a clandestine network of safe houses in Turkish capital Ankara, as well as in the occupied Turkish Republic of Northern Cyprus, for the sole purpose of wiretapping the communications of targeted individuals and organizations. The safe houses were reportedly equipped with wiretapping systems purchased in Israel, some of which were portable and were thus moved to various cities and towns in Turkey, in accordance with Ergenekon mission directives.

    Ergenekon is a clandestine ultra-nationalist organization with secularist and anti-Western objectives. Its membership, which is reportedly drawn primarily from Turkey’s military and security establishments, is involved in both criminal and political activities aiming to preserve the political power of Turkey’s armed forces, while subverting the rise of Islamism and keeping Turkey out of the European Union. The existence of this mysterious organization was revealed in 2001 by Tuncay Güney, an operative of Turkey’s National Intelligence Organization (MİT), who was arrested for petty fraud.

    Rumors about the group resurfaced in 2007, when police in Istanbul’s Ümraniye neighborhood discovered a safe house containing dozens of hand grenades. The discovery sparked a broad juridical investigation into Ergenekon’s activities, which has so far revealed that the shadow network has carried out several targeted assassinations aimed at toppling Turkey’s pro-Islamic government “by creating chaos and mayhem”. Among those individuals listed as targets in Ergenekon’s recent wiretap conspiracy are officials and maintenance staff at CHP’s headquarters, as well as several leftist politicians and union officials.

    March 10, 2009 by intelNews
    Tuncay Güney
    By IAN ALLEN | intelNews.org |

    Find this story at 10 March 2009

    Bradley Manning denied chance to make whistleblower defence

    Judge rules that Manning will not be allowed to present evidence about his motives for the leak – a key plank of his defence

    Colonel Denise Lind ruled that general issues of motive were not relevant to the trial stage of the court martial. Photograph: Patrick Semansky/AP

    Bradley Manning, the US soldier accused of being behind the largest leak of state secrets in America’s history, has been denied the chance to make a whistleblower defence in his upcoming court martial in which he faces possible life in military custody with no chance of parole.

    The judge presiding over Manning’s prosecution by the US government for allegedly transmitting confidential material to WikiLeaks ruled in a pre-trial hearing that Manning will largely be barred from presenting evidence about his motives in leaking the documents and videos. In an earlier hearing, Manning’s lead defence lawyer, David Coombs, had argued that his motive was key to proving that he had no intention to harm US interests or to pass information to the enemy.

    The judge, Colonel Denise Lind, ruled that general issues of motive were not relevant to the trial stage of the court martial, and must be held back until Manning either entered a plea or was found guilty, at which point it could be used in mitigation to lessen the sentence. The ruling is a blow to the defence as it will make it harder for the soldier’s legal team to argue he was acting as a whistleblower and not as someone who knowingly damaged US interests at a time of war.

    “This is another effort to attack the whistleblower defence,” said Nathan Fuller, a spokesman for the Bradley Manning support network, after the hearing.

    The judge also blocked the defence from presenting evidence designed to show that WikiLeaks caused little or no damage to US national security. Coombs has devoted considerable time and energy trying to extract from US government agencies their official assessments of the impact of WikiLeaks around the world, only to find that he is now prevented from using any of the information he has obtained.

    The 25-year-old intelligence analyst faces 22 charges relating to the leaking of hundreds of thousands of classified diplomatic cables, war logs from the Afghan and Iraq wars, and videos of US military actions. The most serious charge, “aiding the enemy”, which carries the life sentence, accuses him of arranging for state secrets to be published via WikiLeaks on the internet knowing that al-Qaida would have access to it.

    Ed Pilkington in New York
    guardian.co.uk, Thursday 17 January 2013 18.22 GMT

    Find this story at 17 January 2013

    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    UN official calls on British government to investigate undercover police scandal

    Maina Kiai says he is ‘deeply concerned’ about use of officers such as Mark Kennedy to infiltrate non-violent groups

    Mark Kennedy, an undercover police officer who infiltrated a group of environmental protesters. Photograph: Philipp Ebeling

    A senior United Nations official has called on the British government to launch a judge-led public inquiry into the “shocking” case of Mark Kennedy and other undercover police officers who have been infiltrating protest groups.

    Maina Kiai, a UN special rapporteur, said the scandal involving undercover police cultivating intimate sexual relationships with political activists over long periods of time had been as damaging as the phone-hacking controversy that prompted the Leveson inquiry.

    He said he was “deeply concerned” about the UK’s use of undercover police officers in non-violent groups exercising their democratic rights to protest.

    “The case of Mark Kennedy and other undercover officers is shocking as the groups in question were not engaged in criminal activities,” Kiai told a central London news conference. “The duration of this infiltration, and the resultant trauma and suspicion it has caused, are unacceptable in a democracy.

    “It is a clear violation of basic rights protected under the Human Rights Act, and more generally under international law, such as the right to privacy.”

    He added: “This is not a James-Bond-type movie issue. I think it is unacceptable that the state can pay somebody who will use women, and be part of their lives and then just devastate them and leave them. That’s unbelievable.”

    Kiai is the latest senior figure to call for a full investigation into the controversy since the Guardian began revealing details of the spy operation two years ago. The undercover policing controversy will be raised in parliament next month during a special hearing hosted by the home affairs select committee.

    Undercover police have been living double lives for several years among protest groups, sometimes even residing with female activists and spending weeks abroad with them on holiday. At the end of their deployment, the police spies vanish without a trace.

    The surveillance operation, which has continued to plant long-term spies in protest groups despite recent controversies, comes under the remit of an initiative to combat what police call domestic extremism. Many of the targets of the operation have turned out to be law-abiding anti-capitalist campaigners or protesters against global warming.

    In at least three cases, relationships between police and the women they were spying on have resulted in the birth of children.

    The UN rapporteur’s preliminary report follows a 10-day fact-finding mission to London, Belfast and Edinburgh. Kiai met campaigners, senior police, civil servants and the home secretary, Theresa May. He said she told him a full inquiry into undercover policing was “not something on the agenda”.

    However, Kiai, who has responsibility in the UN for the rights to freedom of peaceful assembly, said he believed the case of Kennedy and others had left a “trail of victims and survivors in its wake” who deserved answers.

    Eleven women and one man are bringing a high court legal action for the emotional trauma suffered as a result of “deeply personal” relationships they formed with men who turned out to be police officers.

    A judge ruled last week that some of their claims should be heard by the Investigatory Powers Tribunal, an obscure body that usually deals with complaints against MI5 and MI6.

    Mr Justice Tugendhat cited the fictional case of James Bond to argue that when parliament introduced legislation allowing covert police to have personal relationships with targets, they must have assumed they may have sexual encounters.

    Rejecting the idea that it could be a “James Bond movie issue”, Kiai said: “I therefore call on the authorities to undertake a judge-led public inquiry into the Mark Kennedy matter, and other related cases, with a view to giving voice to victims, especially women, who were deliberately deceived by their own government, and paving the way for reparations.”

    The government has so far resisted calls for a judge-led inquiry, instead choosing to back a host of other separate reviews into the conduct of Kennedy and related issues.

    Paul Lewis and Rob Evans
    The Guardian, Wednesday 23 January 2013 16.49 GMT

    Find this story at 23 January 2013

    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    Women who had relationships with police spies win partial legal victory

    Judge rules half of the women’s cases can be heard in open court but half must be first heard by secret tribunal

    The judge said that claims against two police officers – Mark Kennedy (pictured above) and a second spy who posed as Mark Jacobs – should first be heard by the Investigatory Powers Tribunal. Photograph: Philipp Ebeling

    Ten women who say they were deceived into having sexual relationships with undercover police officers have won only a partial victory in their fight to have their case heard in the high court.

    Mr Justice Tugendhat said the lawsuit alleged “the gravest interference” with the fundamental rights of women who had long-term relationships with police officers sent to spy on their political groups. The judge rejected an attempt by the Metropolitan police to have the whole case struck out of the court.

    However, in a mixed ruling, the judge said that half the cases in the legal action should first be heard by a secretive tribunal that usually deals with complaints against MI5.

    The case relates to a joint lawsuit brought by 10 women and one man who claim they suffered emotional trauma after forming “deeply personal” relationships with the police spies.

    In his ruling, Tugendhat acknowledged that the allegations made by the women were “very serious”. He added that the case appeared to be unprecedented. “No action against the police alleging sexual abuse of the kind in question in these actions has been brought before the courts in the past, so far as I have been made aware.”

    The judge drew a comparison with James Bond, the fictional member of the intelligence service who “used relationships with women to obtain information, or access to persons or property”.

    Although Ian Fleming, the writer of the Bond series, did not dwell on “psychological harm he might have done to the women concerned”, the judge said fictional accounts such as these point to how “intelligence and police services have for many years deployed both men and women officers to form personal relationships of an intimate sexual nature”.

    Lawyers for the Met had attempted to have all 11 cases struck out of the court, arguing they constituted an abuse of process and should instead be heard by the Investigatory Powers Tribunal (IPT), a little-known complaints body.

    However, they achieved only a partial victory.

    In his ruling, the judge said that claims against two police officers – Mark Kennedy and a second spy who posed as Mark Jacobs – should first be heard by the IPT. Both of these officers were deployed after 2000, and some of the claims allege their activities constituted a breach of the Human Rights Act, which came into force in October that year.

    However, the judge said that other claims for damages under common law, including torts of misfeasance in public office, deceit, assault and negligence, should be heard by the high court.

    He temporarily stayed high court proceedings pending the conclusion of cases at the IPT. The special tribunal was introduced in 2000 to examine complaints from the public about unjustified state surveillance within what it calls “a necessary ring of secrecy”. Complainants do not see the evidence put forward by the state and have no automatic right to an oral hearing. Neither can they appeal its decision.

    Lawyers for some of the women described the decision to send half of the cases to the tribunal as an “outrage”.

    Harriet Wistrich, of Birnberg Peirce, said: “We brought this case because we want to see an end to sexual and psychological abuse of campaigners for social justice and others by undercover police officers. We are outraged that the high court has allowed the police to use the IPT to preserve the secrecy of their abusive and manipulative operations in order to prevent public scrutiny and challenge.”

    Rob Evans and Paul Lewis
    guardian.co.uk, Thursday 17 January 2013 14.01 GMT

    Find this story at 17 January 2013

    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    Did US spies hack French government computers using Facebook?

    A sophisticated computer virus discovered at the center of the French government’s secure computer network was planted there by the United States, according to unnamed sources inside France’s intelligence community. Paris-based magazine L’Express, France’s version of Time magazine, says in its current issue that the alleged American cyberattack took place shortly before last April’s Presidential elections in France. It resulted in the infection of the entire computer system in the Palais de l’Élysée, which is the official residence of the President of France. The French magazine cites unnamed sources inside the French Network and Information Security Agency (ANSSI), which is responsible for cybersecurity throughout France. The sources claim that the snooping virus allowed its handlers to gain access to the computers of most senior French Presidential aides and advisers during the final weeks of the administration of French President Nicolas Sarkozy, including his Chief of Staff, Xavier Musca.

    The article claims that the virus used a source code nearly identical to that of Flame, a super-sophisticated version of Stuxnet, the virus unleashed a few years ago against the computer infrastructure of the Iranian nuclear energy program. Many cybersecurity analysts believe that the US and Israel were instrumental in designing both Stuxnet and Flame.

    IntelNews understands that the alleged virus was initially directed at employees of the Palais de l’Élysée through Facebook. The targets were allegedly befriended by fake Facebook profile accounts handled by the team that operated the virus. The targets were then sent phishing emails that contained links to phony copies of the login page for the Palais de l’Élysée intranet website. Through that bogus website the hackers acquired username and password data of several Palais de l’Élysée staffers, which they subsequently used to gain access to the Presidential Palace’s computer system.

    Assuming that the virus planted on the Palais de l’Élysée intranet was similar to Flame in method and scope, it can be inferred that its handlers were able to spy on conversations taking place at the Palais using the infected computers’ audiovisual peripherals, as well as log keystrokes and acquire screen shots at regular intervals. The collected data was then routed through a host of different servers on five continents before reaching the hackers.

    November 22, 2012 by Joseph Fitsanakis

    By JOSEPH FITSANAKIS | intelNews.org |

    Find this story at 22 November 2012

    Cyberwar: how the Americans hacked the Élysée

    EXCLUSIVE. In May, Nicolas Sarkozy’s team was the victim of a highly sophisticated computer espionage operation. L’Express’s sources agree: the blow came from… the American friend. Revelations about an attack that is part of a planet-wide battle.

    CYBERWAR – The intruders who broke into the Élysée’s computer networks last May stole secret memos and strategic plans from the computers of Nicolas Sarkozy’s close advisers.
    Photo credit: DR

    It is one of the most audacious heists ever carried out against the French state. Last May, a few days before the second round of the presidential election, hackers managed to break into the Élysée’s computer networks. Revealed by the regional daily Le Télégramme, the intrusion was then carefully hushed up by the Château. An omertà that, until now, had not been broken. No information had leaked about the nature of the attackers, or even about the damage suffered. Yet the affair is serious, all the more so because it would constitute an unprecedented cyberattack between allied countries.

    L’Express can reveal that the intruders not only managed to penetrate the very heart of French political power, but that they were able to search the computers of Nicolas Sarkozy’s close advisers. Secret memos were recovered from hard drives, as well as strategic plans. Real professional work, worthy of the latest James Bond, Skyfall. And, as is often the case in this type of attack, human negligence was at the root of the disaster.
    The computer of the Élysée’s secretary general looted

    It all began on Facebook. The attackers first identified, on the social network, the profiles of people working at the presidential palace. Posing as friends, they then invited them, by e-mail, to log on to the Château’s intranet. Except that the link led to a fake web page: a replica of the Élysée’s. The victims did not notice a thing; and when a message appeared on screen asking for their username and password, they supplied them in good faith. A technique well known to hackers, which allowed them to recover the digital keys to let themselves, undisturbed, into the holy of holies.

    Once inside, the hackers installed spyware that spread from one computer to the next. Highly elaborate, this “worm” infected only a few machines. And not just any machines: those of the government’s most influential advisers… and of the secretary general, Xavier Musca. Nicolas Sarkozy himself escaped it, for a good reason: he did not own a PC. Unfortunately for the attackers, the malicious code left fingerprints. “Like puppets moved by invisible strings, the infected machines communicate with their master to take their orders,” explains an expert, Olivier Caleff, head of security at Cert-Devoteam, an IT security company. “When you try to follow those strings back across the Internet, you often end up at servers located abroad.”

    That is the painstaking work the French investigators carried out. The degree of sophistication of the attack was such that the suspects were, from the outset, limited to a handful of countries. As proof, the state’s cyber fire brigade, the Agence nationale de la sécurité des systèmes d’information (Anssi), took several days to restore the Élysée’s network. Finding the origin of the offensive is difficult. Attackers often cover their tracks by going through third countries. So many bounces, through servers on five continents, make this Ariadne’s thread very hard to follow, even for the state “cyberdetectives” mobilized for the occasion. But, according to information gathered by L’Express from several sources, their conclusions, based on a body of circumstantial evidence, converge on France’s oldest ally: the United States.
    The virus bears its author’s signature

    The malicious code used displays, in fact, the same functionality as an extremely powerful computer worm, named Flame, identified at the end of May by a large Russian antivirus company, Kaspersky. “Very sophisticated, it can collect the files on a machine, take screenshots and even activate a PC’s microphone to record conversations,” explains Vitaly Kamluk, a specialist on the subject at that vendor. “Its design required a great deal of money and human resources that only a large country is able to mobilize.” Or even two: according to the Anglo-American press, the worm is said to have been created by an American-Israeli team, since it was initially meant to target Middle Eastern countries (Iran, Egypt). Another incriminating element: like a painter recognizable by his brushstroke, a virus bears the marks of its author’s know-how. Janet Napolitano, the Obama administration’s Secretary of Homeland Security, neither confirmed nor denied our information.

    Contacted on the subject, neither Anssi nor the Élysée wished to comment. One question remains. Why would an ally of France launch such an operation? “You can be on very good terms with a ‘friendly country’ and want, at the same time, to make sure of its unwavering support, especially during a period of political transition,” notes someone close to the case, speaking on condition of anonymity. Not to mention that the Élysée plays a key role in the signing of major contracts with foreign countries, notably in the Middle East. “That was even more true in Nicolas Sarkozy’s day,” recalls Nicolas Arpagian, scientific director of the digital security program at the Institut national des hautes études de la sécurité et de la justice.

    A snapshot of cyberattacks in progress…

    HoneyMap produced by the Honeynet Project

    If one has to be spied on, it is no doubt better to be spied on by an ally… “We have major partners with whom we collaborate and maintain relationships of trust, and others with whom we do not share the same values,” recalls Rear Admiral Arnaud Coustillière, head of the military side of French cyberdefense. Still, the Obama administration’s attitude raises many questions.
    Toward attacks “worse than September 11”?

    In one version of the defense white paper, currently being drafted, the authors raised Washington’s ambiguities. “Faced with the difficulty of using legal channels, [the United States] increasingly resorts to clandestine action, which may raise a question of democratic control.”

    Ironically, the US Congress has just published, on November 14, a damning report on the “most threatening actor in cyberspace”, namely… China. Leon Panetta, Secretary of Defense, even recently declared that, through their digital power, “certain countries” would already be capable of causing a “cyber Pearl Harbor”: “It would be worse than September 11! Attackers could derail a passenger train or a convoy of dangerous chemicals. Or contaminate the water systems of major cities or shut down a large part of the power grid.” All while hiding behind computer screens thousands of kilometers away…
    In the virtual world, anything goes

    Leon Panetta knows what he is talking about. Uncle Sam has already used these means. It was in 2010, during operation “Olympic Games”, launched jointly with Israel against Iran. Their Stuxnet software is said to have damaged a large number of the centrifuges used by Tehran to enrich uranium. Spectacular as it was, this operation should not make one forget that other nations are working in the shadows. In the greatest secrecy, many countries, democratic or not, are honing their digital weapons. Secret forces are being formed; mercenaries sell their services to the highest bidders. Without faith or law. The Web is not a battlefield like any other. Forget codes of honor, international conventions or alliances. Anything goes. And it is better to have the means to fight. In cyberspace, no one will hear you scream.

    To be convinced of this, one need only visit NATO headquarters in Brussels. Every night, around 1 a.m., it is the same ritual, explains one of the organization’s European security officials. “On a map, on the screen, you see dozens of lights come on in China,” he explains. “Those are the hackers who, in the morning, launch attacks when they get to work. And, in the evening, the lights go out when they go home.” The same observation comes from someone close to the NSA, the US intelligence agency: “Sometimes we record a marked drop in intrusion attempts on our sites,” he testifies. “Invariably, it corresponds to public holidays in China.” But the image of a “super-agency” where armies of hackers work in batteries to steal the West’s secrets does not reflect reality. According to the same agent, “their offensive capability is much less centralized than one might imagine. Many regions have set up their own apparatus, which depends on the local political bureau. And it is not uncommon for these factions to fight each other.”
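    The NATO and NSA observations quoted above (activity switching on around 1 a.m. Brussels time and dropping on Chinese public holidays) describe a standard attribution heuristic: project event timestamps into candidate time zones and see which one makes the activity look like an ordinary working day. The following is an added example with constructed timestamps, not code from the article or from any organization it quotes; the 08:00 to 18:00 working window and the sample data are assumptions.

```python
"""Time-of-day profiling of intrusion attempts as a crude attribution aid.

Given UTC timestamps of blocked intrusion attempts from one source network,
shift them into each candidate UTC offset and measure how many land inside
a local working day. The offset that fits best hints at the operators'
time zone. Added example with constructed data; the working window is an
assumption.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: 22 events on a single (Monday) date, chosen so that the
# bulk of them form a working day when viewed from UTC+8, with two stragglers
# in the late evening. None of this is data from the article.
_CONSTRUCTED_HOURS_UTC = (
    [0] * 1 + [1] * 2 + [2] * 3 + [3] * 3 + [4] * 2
    + [5] * 1 + [6] * 2 + [7] * 3 + [8] * 2 + [9] * 1   # 08:00-17:59 at UTC+8
    + [14] * 1 + [15] * 1                                # 22:00 and 23:00 at UTC+8
)
SAMPLE_EVENTS_UTC = [
    datetime(2012, 11, 12, hour, 17, tzinfo=timezone.utc)
    for hour in _CONSTRUCTED_HOURS_UTC
]

# Assumed local working window, [WORK_START, WORK_END) in local hours.
WORK_START, WORK_END = 8, 18


def local_hour_histogram(events_utc, utc_offset_hours):
    """Count events per local hour after shifting them by the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(event.astimezone(tz).hour for event in events_utc)


def working_hours_fraction(events_utc, utc_offset_hours,
                           start=WORK_START, end=WORK_END):
    """Fraction of events whose local hour falls inside [start, end)."""
    if not events_utc:
        return 0.0
    hist = local_hour_histogram(events_utc, utc_offset_hours)
    inside = sum(n for hour, n in hist.items() if start <= hour < end)
    return inside / len(events_utc)


def best_fit_offset(events_utc, candidates=range(-12, 15)):
    """Return (offset, fraction) for the offset that best resembles a working day.

    Ties go to the smaller offset; neighbouring offsets often score almost as
    well, so inspect the ranking rather than trusting a single winner.
    """
    scored = [(working_hours_fraction(events_utc, off), off) for off in candidates]
    frac, off = max(scored, key=lambda pair: (pair[0], -pair[1]))
    return off, frac


def ranked_offsets(events_utc, top=3, candidates=range(-12, 15)):
    """The `top` best-fitting offsets with their working-hours fractions."""
    scored = [(working_fraction, off)
              for off in candidates
              if (working_fraction := working_hours_fraction(events_utc, off)) >= 0]
    scored.sort(key=lambda pair: (-pair[0], pair[1]))
    return [(off, frac) for frac, off in scored[:top]]


if __name__ == "__main__":
    offset, fraction = best_fit_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fitting offset UTC{offset:+d}: {fraction:.0%} of events in working hours")
    for hour, count in sorted(local_hour_histogram(SAMPLE_EVENTS_UTC, offset).items()):
        print(f"{hour:02d}:00 {'#' * count}")
    print("runner-up offsets:", ranked_offsets(SAMPLE_EVENTS_UTC))
```

    Timing is weak evidence on its own: operators can schedule their activity, relay through other countries, or simply work unusual hours, so the best-fit offset is one indicator to weigh against infrastructure, tooling and the other clues the article mentions.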
    Coût d’une attaque : quelques centaines de milliers d’euros

    Un hacker, qui souhaite rester anonyme, pense, lui aussi, que l’on surestime un peu le “cyberpéril jaune”. “J’ai eu l’occasion de voir travailler les Chinois, ce ne sont pas les plus affûtés, dit-il. Leurs techniques sont assez rudimentaires par rapport à celles des Américains ou des Israéliens…”

    REUTERS/Minoru Iwasaki/Pool

    “Les questions de sécurité alimentaire, d’énergie et de cybersécurité deviennent plus aiguës”
    Hu Jintao, secrétaire général du Parti communiste chinois, novembre 2012.

    A chaque pays sa spécificité. En Russie, le dispositif d’attaque est opaque. De nombreux spécialistes occidentaux du renseignement soupçonnent l’existence d’une relation triangulaire entre l’Etat, la mafia et certaines sociétés de conseil informatique qui seraient le bras armé du Kremlin. “Avez-vous déjà vu, en Russie, un hacker avoir des problèmes avec la police ? questionne Garry Kasparov, ancien champion du monde d’échecs, aujourd’hui l’un des opposants au président Poutine. Non, parce que l’on sait qui se trouve aux manettes, dans l’ombre…”

Contrary to what one might think, the Europeans are not lagging behind. France, surprisingly, has a digital strike force. But the global chessboard also holds states that are less advanced technically, such as Iran and North Korea. There is, in fact, no need to invest in costly infrastructure. A computer, an Internet connection and a few hundred thousand euros are enough to mount an attack. Because on the Web, as in real war, all sorts of weapons are for sale on the market; you only have to knock on the right doors. Instead of a Kalashnikov, you leave with a piece of malicious software (malware, in the jargon) that lets you take control of an enemy system.
The first motivation: "Doing business!"

"It is a question of domination. Whoever controls information controls everything," sums up Jonathan Brossard. This renowned French hacker now works for international groups.

His job consists of breaking into computer systems to expose their flaws, and of finding countermeasures. For him, the risk of a cyber-conflict is real, but it masks another, far more powerful motivation: "Doing business! Being able to fry a power grid is nice, but the real stake is above all winning market share." Knowing a competitor's bid in detail during a major tender gives a decisive advantage. Some companies have perished for neglecting this. Hackers, apparently Chinese, plundered the secrets of the Canadian telecoms giant Nortel for nearly ten years, to the point of driving it into bankruptcy. Such examples abound.

And France, unfortunately, is not spared. The large CAC 40 companies are even said to be among the most vulnerable in Europe. On this new, invisible battlefield, the losses are counted not in the dead but in points of GDP. And behind them, no doubt, jobs by the thousand.
Virus battles

STUXNET
Discovered: June 2010.
Target: this software destroyed thousands of nuclear centrifuges in Iran.
Suspected origin: Operation "Olympic Games", run by the United States and Israel.

DUQU
Discovered: September 2011.
Target: related to Stuxnet, this malware was used to spy on the Iranian nuclear program.
Suspected origin: United States and Israel.

MAHDI
Discovered: February 2012.
Target: able to log keystrokes and capture the images and text on a computer, Mahdi was found in Iran, Afghanistan and Israel.
Suspected origin: unknown.

WIPER
Discovered: April 2012.
Target: this virus erases the data on the hard disks of infected computers. It hit Iranian oil companies.
Suspected origin: unknown.

FLAME
Discovered: May 2012.
Target: this highly sophisticated software is believed to have spied on several countries since 2007, including Iran, Syria, Sudan and Saudi Arabia.
Suspected origin: a United States and Israel operation.

GAUSS
Discovered: June 2012.
Target: able to spy on financial transactions and e-mail, this virus spread in Lebanon, Israel and Palestine.
Suspected origin: unknown.

SHAMOON
Discovered: August 2012.
Target: the computers of Saudi oil company Aramco and of RasGas in Qatar were attacked by this virus.
Claimed origin: a hacker group calling itself "Cutting Sword of Justice", possibly Iranian.

The reaction of the United States Embassy in Paris

We categorically refute the allegations from unidentified sources, published in an article in L'Express, according to which the government of the United States of America took part in a cyberattack against the French government. France is one of our best allies. Our cooperation is remarkable in the fields of intelligence, law enforcement and cyber-defense. It has never been better and remains essential to carrying out our common fight against the extremist threat.
Mitchell Moss, spokesman for the United States Embassy in Paris


"The cyber threat is one of the most serious challenges we face as a nation"
Barack Obama, President of the United States, May 2009.


"We will devote a budget of more than half a billion pounds [626 million euros] to cybersecurity"
David Cameron, British Prime Minister, October 2010.


"Cyber attacks are as dangerous as conventional warfare"
Angela Merkel, German Chancellor, April 2011.

By Charles Haquet and Emmanuel Paquette (L'Express), published 20/11/2012 at 15:31

    Find this story at 20 November 2012

    © Groupe Express-Roularta

Unjustified refusal of circus in Almelo. Almelo wrongly fears demonstrations by animal rights activists

Circus Belly-Wien has lodged an objection in Almelo against the refusal of its performance permit for 2012. In TC/Tubantia we read why Almelo did not want to issue a performance permit to Circus Belly-Wien: the municipality fears a disturbance of public order through brawls with animal rights activists.

The demonstrations by animal rights activists and the brawls with them cited by the municipality of Almelo took place mainly in 2009. At that time an AIVD infiltrator using the alias "Paul Kraaijer" organized weekly demonstrations at Circus Belly-Wien with a single aim: mapping the animal rights activists operating in the Netherlands. During the demonstrations, activists were photographed and filmed by the KLPD officers present. These actions by the AIVD and the police ultimately led to the arrest of several well-known animal rights activists, including the "Vegan Streaker". The same AIVD infiltrator brought Circus Belly-Wien into disrepute. Since 2011 there has not been a single demonstration against circus animals. Nor have there been any brawls since 2011, not at Circus Belly-Wien either. Owing to staff changes, the "biggest brawler" is also no longer with the circus.

Almelo, 18 January 2013

    Find this story at 18 January 2013

    © http://www.klassiekcircus.nl/

Circus committee sees AIVD plot against circus Belly Wien

ALMELO – The municipality of Almelo wrongly refused circus Belly Wien, says the Commissie Klassiek Circus. The AIVD and the police are said to have started a smear campaign against the circus.

The committee sets out that conspiracy theory on its own website. Almelo refuses Belly Wien because the municipality fears disturbances. That fear is based on demonstrations by animal rights activists and on brawls elsewhere.

Posted: 21 January 2013
Last update: 21 January, 12:18

    Find this story at 21 January 2013

    Copyright © 2012 Wegener Media

    Fascinating profile of the Soviet KGB’s little-known tech wizard

    It is often suggested by intelligence researchers that one major difference between Western and Soviet modes of espionage during the Cold War was their degree of reliance on technology. It is generally accepted that Western espionage was far more dependent on technical innovation than its Soviet equivalent. While this observation may be accurate, it should not be taken to imply that the KGB, GRU, and other Soviet intelligence agencies neglected technical means of intelligence collection. In a recent interview with top-selling Russian newspaper Komsomolskaya Pravda, Russian intelligence historian Gennady Sokolov discusses the case of Vadim Fedorovich Goncharov. Colonel Goncharov was the KGB’s equivalent of ‘Q’, head of the fictional research and development division of Britain’s MI6 in the James Bond films. A veteran of the Battle of Stalingrad, Goncharov eventually rose to the post of chief scientific and technical consultant of KGB’s 5th Special Department, later renamed Operations and Technology Directorate. According to Sokolov, Goncharov’s numerous areas of expertise included cryptology, communications interception and optics. While working in the KGB’s research laboratories, Goncharov came up with the idea of employing the principles behind the theremin, an early electronic musical instrument invented by Soviet physicist Léon Theremin in 1928, in wireless audio surveillance. According to Sokolov, the appropriation of the theremin by the KGB under Goncharov’s leadership “changed the world of intelligence”.

Renamed the "passive bug" by the Soviets, a modified version of Theremin's invention allowed the KGB to do away with wires, batteries and hidden microphones, using instead tiny coils and metal plates surreptitiously hidden in a target room or area. Such contraptions acted as sensors that picked up the sound vibrations of conversations and modulated a radio beam aimed at them from outside, so that a receiver placed nearby, usually in an adjoining room or vehicle, could recover the audio. One such device was planted by the KGB inside the large wooden replica of the Great Seal of the United States given by the Soviets to US Ambassador to the USSR, Averell Harriman, as a present in February 1945. By hanging the decorative artifact in his embassy office in Moscow, the Ambassador enabled the KGB to listen in on his private conversations, as well as those of his successors, including Walter Bedell Smith (later Director of Central Intelligence), Alan G. Kirk, and George F. Kennan, for nearly eight years. The bug was discovered by the US in 1952 and exposed to the world during a conference at the United Nations.

    Sokolov says that Goncharov also used the “passive bug” in several Moscow hotels frequented by Western visiting dignitaries, such as the Hotel National and the Hotel Soviet. Targets of “passive bug” operations included Indonesian President Sukarno, British Prime Minister Harold Wilson and German Chancellor Konrad Adenauer, whose conversations Goncharov allegedly managed to bug even though the West German leader chose to spend most of his trip to the USSR inside a luxury train compartment provided by the West German government. The Russian intelligence historian also claims that the theremin-based bug was used to eavesdrop on the conversations of Princess Margaret, sister of Queen Elizabeth II of the United Kingdom. The KGB allegedly bugged Margaret’s cigarette lighter, cigarette case and ashtrays, and was able to listen in to the Princess’ “drunken sprees” during her trips around Western Europe, collecting “dirt on the British Royal House”.

    December 24, 2012 by intelNews 5 Comments

    By JOSEPH FITSANAKIS | intelNews.org |

    Find this story at 24 December 2012

    We bugged Princess Margaret’s ashtrays, admit KGB

    KGB homed in on Princess during visit to Copenhagen in 1964
    Bugging devices attached to ashtrays and lighters to listen in on ‘scandalous gossip’
    Spies set up failed ‘honey trap’ for former Prime Minister Harold Wilson

    Soviet spies have admitted using bugging devices on the Royal Family and former British Prime Minister Harold Wilson.

    Secret agents from the KGB targeted Princess Margaret in the 1960s, attaching listening aids to her lighter, cigarette case, ashtrays and telephones.

    According to the Sunday Express, they homed in on the Princess during a trip to Copenhagen, Denmark in 1964.

    Lord Snowdon And Princess Margaret get ready to board a plane in September 1964 ahead of their visit to Copenhagen. Russian spies have admitted bugging the Princess on the trip

Until now, Russia has always denied the covert operation, which took place in a hotel, but has now admitted compiling a dossier on the Princess's love affair with Robin Douglas-Home and further relationships with Roddy Llewellyn, Colin Tennant and Dominic Elwes, a painter who later committed suicide.

    Spies passed photos, tape recordings and ‘most interesting, even scandalous’ gossip involving senior royal figures.

    It is also said agents tried to get information from Margaret’s therapist, Kay Kiernan, who also treated the Queen.

Intelligence on Prince Philip was gathered via society osteopath and artist Stephen Ward, who later killed himself at the height of the Profumo affair.

    But spies failed in a sting operation on then future leader Harold Wilson, setting up a ‘honey trap’ for him in a Moscow hotel.

    Princess Margaret (second from right and then left) was targeted by KGB spies on her visit to Copenhagen in 1964. Bugging devices were planted in her lighter, cigarette case, ashtrays and telephones

    A new book will detail the KGB spies’ attempts at bugging the Royal Family. Pictured, the Kremlin, in Moscow

    Female agents posing as prostitutes patrolled the hotel overlooking the Kremlin, with a camera planted in a chandelier in his bedroom.

    But when the film was developed, Wilson’s face was disguised.

    Colonel Vadim Goncharov, who has since died, was the KGB chief in charge of the snooping operations, and he was ordered by bosses to go on television to deny the claims, fearing they would cast a shadow over the Queen’s first and only visit to Russia in 1994.

    By Daily Mail Reporter

    PUBLISHED: 11:01 GMT, 23 December 2012 | UPDATED: 17:05 GMT, 23 December 2012

    Find this story at 23 December 2012

    © Associated Newspapers Ltd

    USSR ‘used civilian planes to spy’

    Defence Secretary John Nott warned Mrs Thatcher that the USSR was using civilian aircraft to carry out spying missions in the UK

    The Soviet Union used civil airliners to conduct secret Cold War spying missions over Britain, according to newly published Government files.

Some aircraft would switch off the transponders that report their position and altitude to air traffic controllers, then veer off their approved flight paths to carry out aerial intelligence-gathering over sensitive targets, papers released by the National Archives under the 30-year rule show.

    In a memorandum marked SECRET UK US EYES ONLY, Defence Secretary John Nott informed prime minister Margaret Thatcher in December 1981 that the RAF was monitoring the hundreds of monthly flights through UK airspace by Warsaw Pact airliners.

    “One incident of particular interest took place on 9th November, when an Aeroflot IL62 made an unauthorized and unannounced descent from 35,000 ft to 10,000 ft just below cloud level, to fly over RAF Boulmer, a radar station currently being modernised. It subsequently climbed back to 37,000 ft,” he wrote.

    “During this manoeuvre its Secondary Surveillance Radar which automatically broadcasts the aircraft’s height was switched off, though it was on before and after the incident. It must, therefore, be assumed that it was switched off intentionally to conceal a deliberate and premeditated manoeuvre.

    “Our investigations have now revealed it was the same aircraft which over flew the USN base at Groton when the first Trident submarine was being launched. You will recall that as a result of this incident the President banned Aeroflot flights over the USA for a short period.”

    But that was not the only example of bad behaviour by enemy spies that year. In August 1981 the Second Secretary at the USSR embassy VN Lazin became the first Soviet diplomat for a decade to be expelled for “activities incompatible with his status”.

    The Foreign Office informed No 10 that Lazin, actually the senior member of the scientific and technical intelligence section of the KGB in London, was arrested during a “clandestine meeting” with a Portuguese national.

    “He developed his relationship with the Portuguese national over several months and sought to obtain technical and scientific information in the UK from him and to use him as an agent with the possibility of eventually placing him in a Nato post,” the Foreign Office noted.

The Soviets responded in traditional fashion with the tit-for-tat expulsion of the British cultural attaché at the Moscow embassy. More was to follow six months later, in February 1982, when MI5 decided to call time on the espionage career of another Soviet, Vadim Fedorovich Zadneprovskiy, a member of the Soviet trade delegation who for the previous five years had operated as a KGB agent-runner. His recruits included a British businessman who was given the codename COURT USHER.

    Updated: 28 December 2012 11:48 | By pa.press.net

    Find this story at 28 December 2012

    © 2013 Microsoft

    KGB Used Aeroflot Jets as Spy Planes, U.K. Files Show

    Soviet spies used civilian planes to snoop on British and American military installations during the 1980s, newly released U.K. documents show.

    Britain’s Royal Air Force “established that some of these aircraft deviated from their flight-plan routes in circumstances which would lead us to assume that they were gathering intelligence,” the then defense secretary, John Nott, wrote in a memo to Prime Minister Margaret Thatcher that’s among government files from 1982 published today after being kept confidential for the prescribed 30 years.

    The papers from the National Archives in London give an insight into both the extent of Soviet espionage and the U.K. government’s awareness of it. One agent from the KGB, the Soviet security agency, was identified on arrival in 1977 and followed for five years, subject to a series of British intelligence operations before finally being expelled.

    Relations between Thatcher’s government and the Soviet Union were tense at the time, despite attempts by diplomats to persuade her to take a conciliatory line. More than once in her files she rejects a course of action proposed in a memo, referring to the 1979 Soviet invasion of Afghanistan as the reason.

    As Communist Party general secretary Leonid Brezhnev approached his 75th birthday at the end of 1981, Foreign Secretary Peter Carrington said it would be “churlish” of her not to send congratulations.

    “Afghanistan?” Thatcher wrote in the margins of the memo suggesting this. “I really don’t think we should send a message.” She underlined “don’t.”
    ‘Unannounced Descent’

    Nott wrote to Thatcher about the KGB’s use of Aeroflot planes over Britain after the Royal Air Force decided to look at the activities of “the thousand or so Warsaw Pact airliners which fly over the U.K. each month.”

    In “one incident of particular interest,” the defense secretary wrote, an Ilyushin IL62 from the Soviet airline “made an unauthorized and unannounced descent from 35,000 feet to 10,000 feet, just below cloud level, to fly over RAF Boulmer, a radar station currently being modernized” in northeast England.

    The plane turned off its automatic broadcast of its height during the maneuver, after which it returned to its previous altitude and began transmitting again.

    The RAF subsequently established the same plane performed a similar operation over the U.S. Navy base at Groton, Connecticut, when the first Trident submarine was being launched.
    Trade Official

    The KGB was also using more traditional methods. In February 1982, the Security Service, the British internal security agency popularly known as MI5, asked for permission to expel a Russian trade official, Vadim Fedorovich Zadneprovskiy, after he “engaged in unacceptable intelligence-gathering activities.” According to the MI5 report, he had been identified as a KGB agent on his arrival in 1977 and followed.

    MI5 used his inquiries about British counter-surveillance techniques to establish gaps in the KGB’s knowledge, with “some success.” The security service watched as he ran a British businessman, whom they codenamed “Court Usher,” as an agent, even using him to deliver equipment “in a thoroughly clandestine manner.” After concluding it wouldn’t be able to recruit Zadneprovskiy, MI5 demanded he be thrown out.

    It wasn’t just professional spies trying to get in on the act. As the Falklands War raged, and the government wrestled with the question of how to keep French-built Exocet anti-ship missiles out of Argentine hands, Attorney General Michael Havers sent Thatcher a handwritten note suggesting a way to intercept a shipment.
    ‘Bond Movie’

    Acknowledging his idea “may be thought to be more appropriate to a James Bond movie,” Havers said the Secret Intelligence Service, MI6, should try to insert its own person as loadmaster on any flight used to carry missiles to Argentina.

    “If this can be agreed, the loadmaster has total control over the flight and, therefore, could redirect the aircraft in transit to (for example) Bermuda,” he wrote. “This will cost money (this is an expensive dirty business) but could, in my view, be cheap at the price.”

    Havers may not have been aware at the time that MI6 was already running operations to precisely that end. Nott’s diary recalls, without giving details, how the agency both prevented Argentina buying missiles available on the open market and disabled missiles it thought could fall into Argentine hands.

    The U.S., while leading attempts to broker a cease-fire between Argentina and the U.K., provided information from spies as part of its support to Britain in the conflict.
    ‘Magnificent Support’

    By Robert Hutton and Thomas Penny – Dec 27, 2012

    Find this story at 27 December 2012

    ®2013 BLOOMBERG L.P. ALL RIGHTS RESERVED.

    Canadian diplomats spied on Cuba for CIA in aftermath of missile crisis: envoy

    In a little-known chapter of the Cold War, Canadian diplomats spied for the U.S. Central Intelligence Agency in Cuba in the aftermath of the 1962 missile crisis – and for years afterward.

    A major part of that story is told in a forthcoming memoir by retired Canadian envoy John Graham. Mr. Graham was one of a series of Canadian diplomats recruited to spy for the CIA in Havana. The missions went on for at least seven years, during the 1960s.

    “We didn’t have a military attaché in the Canadian embassy,” explained Mr. Graham, who worked under the cover of Political Officer. “And to send one at the time might have raised questions. So it was decided to make our purpose less visible.”

    Mr. Graham said he worked as a spy for two years, between 1962 and 1964. His mandate was to visit Soviet bases, identify weapons and electronic equipment and monitor troop movements.

    The espionage missions began after President John Kennedy asked Prime Minister Lester Pearson – at their May, 1963, summit in Hyannis Port, Mass. – whether Canada would abet American intelligence-gathering efforts in Cuba.

    As a result of the crisis, which brought the superpowers to the brink of nuclear war, the Soviets had agreed to withdraw nuclear missiles from Cuban territory, in exchange for Washington’s pledge to remove its own missile batteries from Turkey and Italy.

    To monitor Russian compliance, the United States needed to supplement data gleaned from almost daily U-2 reconnaissance flights. It had few assets on the ground. Its networks of Cuban agents had been progressively rolled up by Castro’s efficient counterintelligence service. And having severed diplomatic relations with Cuba in 1961, it had no embassy of its own through which to infiltrate American spies.

    Soon after the summit meeting, Ottawa sent diplomat George Cowley to Havana.

    Now deceased, Mr. Cowley, who had served in the Canadian embassy in Japan and sold encyclopedias in Africa, spent about two months in Havana in the late spring of 1963.

    He was followed by Mr. Graham, seconded from his post as chargé d’affaires in the Dominican Republic.

    His formal training, he told The Globe and Mail, was minimal – a few days at CIA headquarters in Langley, Va. At the end of it, an agency officer offered him a farewell gift – a sophisticated camera with an assortment of telephoto lenses.

    He declined the present, arguing that if he were ever caught with it, he’d surely be arrested.

    “But how will we know what the Soviet military convoys are carrying?” a CIA officer asked him. “We need precision. Configuration is essential for recognition.”

    “I’ll draw you pictures,” Mr. Graham said. “It was a bit like the character in Graham Greene’s Our Man in Havana, but that’s what I did.”

    In the Greene novel, an inept salesman, recruited to spy for Britain, sends illustrations of vacuum cleaner parts to his handler, calling them drawings of a military installation.

    Mr. Graham’s sketches, however, were the real thing. To get them to Canada, he flew to Mexico City – the only regional air connection – and deposited the drawings at the Canadian embassy. From there, they were dispatched by diplomatic courier to Ottawa. Copies were subsequently sent to the CIA and, Mr. Graham later heard, to the Kennedy White House.

    His written reports, sent by ciphered telegram to the Canadian embassy in Washington and then to Ottawa, contained details of electronic arrays in use at Soviet bases. “That information,” he said, “could tell an expert what weapons systems they had.”

    Although Moscow had removed its nuclear arsenal by the time Mr. Graham arrived, it maintained a significant military presence. Russian soldiers typically dressed in civilian clothes, usually in plaid sport shirts, khaki pants and running shoes.

    To fit in, Mr. Graham adopted the same ensemble – purchased at a Zellers store in Ottawa. Although many missions involved early morning surveillance of naval facilities, he was never followed. He was stopped only once by the police, roaming through a secure section of a communications building. He pretended to be a bumbling tourist and was let go.

    On several occasions, Mr. Graham conducted joint reconnaissance with an agent of another Western country that he declines to identify. “He was brilliant and altogether remarkable. At parties, he composed Monty-Python-like lyrics to pet and lingerie commercials, accompanying himself on the piano.”

    To relieve the stress of their missions, they would stop for seaside picnics on the way home. “Mr. X would pull out two crystal goblets and a Thermos of premixed martinis. I supplied the olives.”

    Canadian officials, he said, went to extraordinary lengths to protect his identity as an agent. He stamped his sketches with the words, “For Canadian Eyes Only, Confidential.” But in Ottawa they were given an additional security designation – “Secret, Ottawa Only, Protect Source,” a classification he had never seen, before or since.

    In 1964, Mr. Graham was promoted within the embassy and replaced in his espionage work by Alan McLaine.

    In fact, he said, Canada’s role as CIA surrogate in Cuba continued for several years, even under the government of Pierre Trudeau, who had developed a personal friendship with Cuban leader Fidel Castro.

    MICHAEL POSNER

    OTTAWA — The Globe and Mail

    Published Monday, Oct. 15 2012, 9:56 PM EDT

    Last updated Tuesday, Oct. 16 2012, 5:02 AM EDT

    Find this story at 15 October 2012

    © Copyright 2013 The Globe and Mail Inc. All Rights Reserved.

    The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

    During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

    Kaspersky Lab’s researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

    The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.
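The paragraph above dates the campaign partly from "PE timestamps from collected executables". The field meant is the COFF file header's TimeDateStamp, which the linker writes at build time. The following is an added example, not Kaspersky's code and not derived from any Rocra sample: it builds a constructed minimal PE image as a fixture, reads the stamp back, and takes the oldest plausible value across a batch. The fixture bytes, the collection date and the plausibility rule (non-zero, not in the future) are this example's own assumptions; the stamp is trivially forgeable, so it is corroborating evidence, never proof on its own.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(time_date_stamp: int) -> bytes:
    """Constructed test fixture: the smallest byte layout pe_timestamp() accepts.

    IMAGE_DOS_HEADER (64 bytes, 'MZ', e_lfanew at 0x3C) + 'PE\\0\\0' + IMAGE_FILE_HEADER.
    Not a runnable executable and not a real malware sample.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, time_date_stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # Skip the 4-byte signature; TimeDateStamp is the third field of the file header.
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return stamp


def stamp_to_iso(stamp: int) -> str:
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def plausible(stamp: int, collected_at: int) -> bool:
    """Assumed sanity rule: the linker writes this field, so it can be forged;
    zero and future values are discarded outright."""
    return 0 < stamp <= collected_at


def earliest_build(samples, collected_at: int):
    """Oldest plausible build time across a set of collected executables, or None."""
    stamps = []
    for blob in samples:
        try:
            stamp = pe_timestamp(blob)
        except ValueError:
            continue                                  # not a PE file: skip, do not abort the batch
        if plausible(stamp, collected_at):
            stamps.append(stamp)
    return min(stamps) if stamps else None


if __name__ == "__main__":
    # Constructed fixtures: a May 2007 stamp, a 2011 stamp and a zeroed stamp.
    fixtures = [build_minimal_pe(1179187200), build_minimal_pe(1300000000), build_minimal_pe(0)]
    oldest = earliest_build(fixtures, collected_at=1349000000)   # assumed collection date, Sept 2012
    print("earliest plausible build:", stamp_to_iso(oldest))
```

On real samples the same stamp should be cross-checked against the timestamps in the debug directory, the export table and any embedded certificate, and against the C&C domain registration dates the report mentions; one agreeing source is a hint, several are a timeline.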

    Some key findings from our investigation:
The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled into a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true "mothership" command-and-control server.
    The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
    Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.
    We have observed the use of at least three different exploits for previously known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). The earliest known attacks used the exploit for MS Excel and took place in 2010 and 2011, while attacks targeting the MS Word vulnerabilities appeared in the summer of 2012.

    The exploits from the documents used in spear phishing were created by other attackers and employed during different cyber attacks against Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed is the executable which was embedded in the document; the attackers replaced it with their own code.

    Sample fake image used in one of the Rocra spear phishing attacks.
    During lateral movement in a victim’s network, the attackers deploy a module to actively scan the local area network, find hosts vulnerable for MS08-067 (the vulnerability exploited by Conficker) or accessible with admin credentials from its own password database. Another module used collected information to infect remote hosts in the same network.
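The two findings above describe the same footprint from the defender's side: one infected host trying a harvested credential (or an MS08-067 probe on TCP/445) against many neighbours in a short time. The following is an added example, not Kaspersky's code and not part of the report: a sliding-window fan-out detector run over a constructed authentication log. The log lines, the network, the account names and the thresholds (5 hosts in 5 minutes) are invented for illustration; the detector is written generically, so keyed on source address alone over firewall records of destination port 445 it flags the MS08-067 scan module the same way.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of host authentication events (not real Rocra telemetry):
# "<UTC timestamp> <source ip> <target ip> <account> <outcome>".
# The first block mimics a harvested service account being tried against six
# hosts in under half a minute; the rest is an ordinary user's working day.
SAMPLE_LOG = """\
2012-10-03T02:14:05Z 10.0.1.5 10.0.1.7 svc_backup success
2012-10-03T02:14:09Z 10.0.1.5 10.0.1.8 svc_backup success
2012-10-03T02:14:12Z 10.0.1.5 10.0.1.9 svc_backup failure
2012-10-03T02:14:15Z 10.0.1.5 10.0.1.10 svc_backup success
2012-10-03T02:14:21Z 10.0.1.5 10.0.1.11 svc_backup success
2012-10-03T02:14:30Z 10.0.1.5 10.0.1.12 svc_backup success
2012-10-03T08:02:00Z 10.0.2.40 10.0.1.20 jsmith success
2012-10-03T09:15:00Z 10.0.2.40 10.0.1.21 jsmith success
2012-10-03T17:40:00Z 10.0.2.40 10.0.1.20 jsmith success
"""


def parse_log(text: str):
    """Parse the constructed format into (timestamp, src, dst, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, account, outcome))
    return events


def fan_out(records, window: timedelta, min_targets: int):
    """Generic fan-out detector.

    records: iterable of (timestamp, actor, target). For each actor, slide a time
    window over its records sorted by time and report the widest set of distinct
    targets reached inside one window, if it meets min_targets.
    """
    by_actor = defaultdict(list)
    for ts, actor, target in records:
        by_actor[actor].append((ts, target))

    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        best = None
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:     # drop records older than the window
                lo += 1
            targets = {t for _, t in hits[lo:hi + 1]}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {"actor": actor, "targets": len(targets),
                        "start": hits[lo][0].isoformat(), "end": hits[hi][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


def find_credential_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """One account from one source against many hosts in a short window.

    Failed attempts are kept on purpose: a credential that no longer works
    still reveals where the attacker tried to use it.
    """
    records = [(ts, (src, account), dst) for ts, src, dst, account, _outcome in events]
    return [dict(a, src=a["actor"][0], account=a["actor"][1])
            for a in fan_out(records, window, min_hosts)]


if __name__ == "__main__":
    for alert in find_credential_sweeps(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are the tuning knobs: backup agents and vulnerability scanners legitimately touch many hosts with one account, so in practice the detector is paired with an allow-list of such sources rather than a lower bar.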
Based on registration data of the C&C servers and numerous artifacts left in the malware's executables, we strongly believe that the attackers have Russian-speaking origins. The current attackers and the executables they developed were unknown until recently, and they have never been related to any other targeted cyber attacks. Notably, one of the commands in the Trojan dropper switches the codepage of an infected machine to 1251 before installation. This is required to address files and directories that contain Cyrillic characters in their names.
    Rocra FAQ:

    What is Rocra? Where does the name come from? Was Operation Rocra targeting any specific industries, organizations or geographical regions?

    Rocra (short for “Red October”) is a targeted attack campaign that has been going on for at least five years. It has infected hundreds of victims around the world in eight main categories:
    Government
    Diplomatic / embassies
    Research institutions
    Trade and commerce
    Nuclear / energy research
    Oil and gas companies
    Aerospace
    Military

    It is quite possible there are other targeted sectors which haven’t been discovered yet or have been attacked in the past.

    How and when was it discovered?

    We have come by the Rocra attacks in October 2012, at the request of one of our partners. By analysing the attack, the spear phishing and malware modules, we understood the scale of this campaign and started dissecting it in depth.

    Who provided you with the samples?

    Our partner who originally pointed us to this malware prefers to remain anonymous.

    How many infected computers have been identified by Kaspersky Lab? How many victims are there? What is the estimated size of Operation Red October on a global scale?

    During the past months, we’ve counted several hundreds of infections worldwide – all of them in top locations such as government networks and diplomatic institutions. The infections we’ve identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg.

    Based on our Kaspersky Security Network (KSN) here’s a list of countries with most infections (only for those with more than 5 victims):

    Country Infections
    RUSSIAN FEDERATION 35
    KAZAKHSTAN 21
    AZERBAIJAN 15
    BELGIUM 15
    INDIA 14
    AFGHANISTAN 10
    ARMENIA 10
    IRAN, ISLAMIC REPUBLIC OF 7
    TURKMENISTAN 7
    UKRAINE 6
    UNITED STATES 6
    VIET NAM 6
    BELARUS 5
    GREECE 5
    ITALY 5
    MOROCCO 5
    PAKISTAN 5
    SWITZERLAND 5
    UGANDA 5
    UNITED ARAB EMIRATES 5

    For the sinkhole statistics see below.

    Who is behind/responsible for this operation? Is this a nation-state sponsored attack?

    The information we have collected so far does not appear to point towards any specific location; however, two important factors stand out:
    The exploits appear to have been created by Chinese hackers.
    The Rocra malware modules have been created by Russian-speaking operatives.

    Currently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.

    Are there any interesting texts in the malware that can suggest who the attackers are?

    Several Rocra modules contain interesting typos and mis-spellings:

    network_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”
    imapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”
    mapi_client: “Default Messanger”, “BUFEER IS FULL”
    msoffice_plugin: “my_encode my_dencode”
    winmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”
    PswSuperMailRu: “——-PROGA START—–”, “——-PROGA END—–”

    The word “PROGA” used here might be a transliteration of the Russian slang “ПРОГА”, which literally means an application or a program among Russian-speaking software engineers.

    In particular, the word “Zakladka” in Russian can mean:
    “bookmark”
    (more likely) a slang term meaning “undeclared functionality”, i.e. in software or hardware. However, it may also mean a microphone embedded in a brick of the embassy building.
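The mis-spelled strings listed above are exactly the kind of artifact a defender can turn into a file-content signature. The following Python scanner is an added example (it is not Kaspersky's code and not part of the original post): it searches a byte blob for the listed strings in both ASCII and UTF-16LE form, reports offsets, and only declares a module "matched" when more than one distinct string from that module is present, so a single ordinary word cannot trigger it. The sample blob is constructed for the demo and is not a real Rocra sample.

```python
from typing import Dict, List, Tuple

# Mis-spelled strings reported in the Rocra modules, as listed above, grouped by the
# module they were seen in. They are used here as plain substring signatures.
ROCRA_STRINGS: Dict[str, List[bytes]] = {
    "network_scanner": [b"SUCCESSED", b"Error_massage", b"natrive_os", b"natrive_lan"],
    "imapispool": [b"UNLNOWN_PC_NAME", b"WinMain: error CreateThred stop"],
    "mapi_client": [b"Default Messanger", b"BUFEER IS FULL"],
    "msoffice_plugin": [b"my_encode my_dencode"],
    "winmobile": [b"Zakladka injected", b"Cannot inject zakladka"],
    "PswSuperMailRu": [b"PROGA START", b"PROGA END"],
}


def _needles(sig: bytes) -> List[bytes]:
    # Windows binaries often store user-facing text as UTF-16LE, so search both forms.
    return [sig, sig.decode("ascii").encode("utf-16-le")]


def scan_blob(data: bytes) -> List[Tuple[str, bytes, int]]:
    """Return (module, signature, offset) for every occurrence of a signature in data."""
    hits: List[Tuple[str, bytes, int]] = []
    for module, sigs in ROCRA_STRINGS.items():
        for sig in sigs:
            for needle in _needles(sig):
                start = 0
                while True:
                    idx = data.find(needle, start)
                    if idx < 0:
                        break
                    hits.append((module, sig, idx))
                    start = idx + 1
    return sorted(hits, key=lambda h: h[2])


def modules_matched(data: bytes, min_distinct: int = 2) -> List[str]:
    """Modules for which at least min_distinct different signatures occur in data.

    Requiring more than one distinct string keeps a single common word from
    flagging unrelated files."""
    per_module: Dict[str, set] = {}
    for module, sig, _ in scan_blob(data):
        per_module.setdefault(module, set()).add(sig)
    return sorted(m for m, sigs in per_module.items() if len(sigs) >= min_distinct)


# Constructed sample (not a real Rocra binary): two network_scanner strings in
# ASCII followed by one mapi_client string stored as UTF-16LE.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"SUCCESSED\x00"
    + b"natrive_lan\x00"
    + "Default Messanger".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for module, sig, off in scan_blob(SAMPLE_BLOB):
        print(f"{off:6d} {module:16s} {sig!r}")
    print("modules:", modules_matched(SAMPLE_BLOB))
```

Run against a directory of suspect files by reading each one as bytes and passing it to `modules_matched`; the offsets from `scan_blob` are useful when confirming a hit in a hex editor.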

    The C++ class that holds the C&C configuration parameters is called “MPTraitor” and the corresponding configuration section in the resources is called “conn_a”. Some examples include:

    conn_a.D_CONN
    conn_a.J_CONN
    conn_a.D_CONN
    conn_a.J_CONN

    What kind of information is being hijacked from infected machines?

    Information stolen from infected systems includes documents with extensions:

    txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
    cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
    aciddsk, acidpvr, acidppr, acidssa.
    In particular, the “acid*” extensions appear to refer to the classified software “Acid Cryptofiler”, which is used by several entities such as the European Union and/or NATO.

    What is the purpose/objective of this operation? What were the attackers looking for by conducting this sustained cyber-espionage campaign for so many years?

    The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high profile victims although it’s unknown how the information was used.

    It is possible that the information was sold on the black market, or used directly.

    What are the infection mechanisms for the malware? Does it have self-propagating (worm) capabilities? How does it work? Do the attackers have a customized attack platform?

    The main malware body acts as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.

    In general, the Rocra framework is designed for executing “tasks” that are provided by its C&C servers. Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.

    Several tasks, however, need to be constantly present in the system, e.g. waiting for an iPhone or Nokia mobile to connect. These tasks are provided as PE EXE files and are installed on the infected machine.

    Examples of “persistent” tasks
    Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built in file system parser
    Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
    Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
    Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
    Record all the keystrokes, make screenshots
    Execute additional encrypted modules according to a pre-defined schedule
    Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

    Examples of “one-time” tasks
    Collect general software and hardware environment information
    Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
    Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
    Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
    Extract saved passwords for Web sites, FTP servers, mail and IM accounts
    Extract Windows account hashes, most likely for offline cracking
    Extract Outlook account information
    Determine the external IP address of the infected machine
    Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
    Write and/or execute arbitrary code provided within the task
    Perform a network scan, dump configuration data from Cisco devices if available
    Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
    Replicate via network using previously obtained administrative credentials

    The Rocra framework was designed by the attackers from scratch and hasn’t been used in any other operations.

    Was the malware limited to only workstations or did it have additional capabilities, such as a mobile malware component?

    Several mobile modules exist, which are designed to steal data from several types of devices:
    Windows Mobile
    iPhone
    Nokia

    These modules are installed in the system and wait for mobile devices to be connected to the victim’s machine. When a connection is detected, the modules start collecting data from the mobile phones.

    How many variants, modules or malicious files were identified during the overall duration of Operation Red October?

    During our investigation, we’ve uncovered over 1000 modules belonging to 30 different module categories. These were created from 2007 onwards, with the most recent being compiled on 8th Jan 2013.

    Here’s a list of known modules and categories:

    Were initial attacks launched at select “high-profile” victims or were they launched in series of larger (wave) attacks at organizations/victims?

    All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.

    Afterwards, there is a high degree of interaction between the attackers and the victim – the operation is driven by the kind of configuration the victim has, which type of documents they use, installed software, native language and so on. Compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more “personal” and finely tuned for the victims.

    Is Rocra related in any way to the Duqu, Flame and Gauss malware?

    Simply put, we could not find any connections between Rocra and the Flame / Tilded platforms.

    How does Operation Rocra compare to similar campaigns such as Aurora and Night Dragon? Any notable similarities or differences?

    Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated. During our investigation we’ve uncovered over 1000 unique files, belonging to about 30 different module categories. Generally speaking, the Aurora and Night Dragon campaigns used relatively simple malware to steal confidential information.

    With Rocra, the attackers managed to stay in the game for over 5 years and evade detection by most antivirus products while continuing to exfiltrate what must be hundreds of terabytes by now.

    How many Command & Control servers are there? Did Kaspersky Lab conduct any forensic analysis on them?

    During our investigation, we uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany.

    Here’s an overview of Rocra’s command and control infrastructure, as we believe it looks from our investigations:

    More detailed information about the Command and Control servers will be revealed at a later date.

    Did you sinkhole any of the Command & Control servers?

    We were able to sinkhole six of the over 60 domains used by the various versions of the malware. During the monitoring period (2 Nov 2012 – 10 Jan 2013), we registered over 55,000 connections to the sinkhole. The number of different IPs connecting to the sinkhole was 250.

    In terms of the country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most of the IPs being from Switzerland. Kazakhstan and Greece follow next.

    Sinkhole statistics – 2 Nov 2012 – 10 Jan 2013
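Sinkhole figures like the ones quoted above (connection count, distinct IPs, countries) are derived from the sinkhole's access log. The script below is an added example, not Kaspersky's code: it parses constructed log lines (RFC 5737 documentation addresses, not real victim IPs), skips malformed lines, and summarises connections, unique clients and per-country counts. The prefix-to-country table is an assumption standing in for a real GeoIP database, and counting countries per distinct IP rather than per connection is a design choice made here.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sinkhole log (not real sinkhole data): UTC time, client IP and the
# sinkholed hostname the client asked for. The last line is deliberately malformed.
SAMPLE_SINKHOLE_LOG = """\
2012-11-02T08:14:03Z 192.0.2.10 sinkholed-domain-1.example
2012-11-02T08:14:09Z 192.0.2.10 sinkholed-domain-1.example
2012-11-02T09:02:51Z 198.51.100.7 sinkholed-domain-2.example
2012-11-03T11:20:00Z 203.0.113.5 sinkholed-domain-1.example
2012-11-03T11:21:17Z 203.0.113.5 sinkholed-domain-1.example
2012-11-04T15:00:42Z 192.0.2.44 sinkholed-domain-3.example
this line is malformed and must be skipped
2012-11-05T10:00:00Z not-an-ip sinkholed-domain-1.example
"""

# Assumed prefix-to-country mapping; a real deployment would query a GeoIP database.
GEO_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "CH",
    ipaddress.ip_network("198.51.100.0/24"): "KZ",
    ipaddress.ip_network("203.0.113.0/24"): "GR",
}


class Hit(NamedTuple):
    when: str
    ip: str
    host: str


def parse_sinkhole_log(text: str) -> List[Hit]:
    """Parse 'time ip host' lines; silently drop lines that do not fit the format."""
    hits: List[Hit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        when, ip, host = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        hits.append(Hit(when, ip, host))
    return hits


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"


def summarize(hits: List[Hit]) -> Dict[str, object]:
    """Totals in the same shape as the figures quoted in the text."""
    unique_ips = {h.ip for h in hits}
    by_country = Counter(country_of(ip) for ip in unique_ips)   # one vote per client IP
    by_host = Counter(h.host for h in hits)                       # which domain was hit
    return {
        "connections": len(hits),
        "unique_ips": len(unique_ips),
        "countries": len(by_country),
        "by_country": dict(by_country),
        "by_host": dict(by_host),
    }


if __name__ == "__main__":
    stats = summarize(parse_sinkhole_log(SAMPLE_SINKHOLE_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
```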

    Is Kaspersky Lab working with any governmental organizations, Computer Emergency Response Teams (CERTs), law enforcement agencies or security companies as part of the investigation and disinfection efforts?

    Kaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies, is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures.

    Kaspersky Lab would like to express its thanks to US-CERT, the Romanian CERT and the Belarusian CERT for their assistance with the investigation.

    If you are a CERT and would like more information about infections in your country, please contact us at theflame@kaspersky.com.

    Here’s a link to the full paper (part 1) about our Red October research. During the next days, we’ll be publishing Part 2, which contains a detailed technical analysis of all the known modules. Please stay tuned.

    A list of MD5s of known documents used in the Red October attacks:
    114ed0e5298149fc69f6e41566e3717a
    1f86299628bed519718478739b0e4b0c
    2672fbba23bf4f5e139b10cacc837e9f
    350c170870e42dce1715a188ca20d73b
    396d9e339c1fd2e787d885a688d5c646
    3ded9a0dd566215f04e05340ccf20e0c
    44e70bce66cdac5dc06d5c0d6780ba45
    4bfa449f1a351210d3c5b03ac2bd18b1
    4ce5fd18b1d3f551a098bb26d8347ffb
    4daa2e7d3ac1a5c6b81a92f4a9ac21f1
    50bd553568422cf547539dd1f49dd80d
    51edea56c1e83bcbc9f873168e2370af
    5d1121eac9021b5b01570fb58e7d4622
    5ecec03853616e13475ac20a0ef987b6
    5f9b7a70ca665a54f8879a6a16f6adde
    639760784b3e26c1fe619e5df7d0f674
    65d277af039004146061ff01bb757a8f
    6b23732895daaad4bd6eae1d0b0fef08
    731c68d2335e60107df2f5af18b9f4c9
    7e5d9b496306b558ba04e5a4c5638f9f
    82e518fb3a6749903c8dc17287cebbf8
    85baebed3d22fa63ce91ffafcd7cc991
    91ebc2b587a14ec914dd74f4cfb8dd0f
    93d0222c8c7b57d38931cfd712523c67
    9950a027191c4930909ca23608d464cc
    9b55887b3e0c7f1e41d1abdc32667a93
    9f470a4b0f9827d0d3ae463f44b227db
    a7330ce1b0f89ac157e335da825b22c7
    b9238737d22a059ff8da903fbc69c352
    c78253aefcb35f94acc63585d7bfb176
    fc3c874bdaedf731439bbe28fc2e6bbe
    bb2f6240402f765a9d0d650b79cd2560
    bd05475a538c996cd6cafe72f3a98fae
    c42627a677e0a6244b84aa977fbea15d
    cb51ef3e541e060f0c56ac10adef37c3
    ceac9d75b8920323477e8a4acdae2803
    cee7bd726bc57e601c85203c5767293c
    d71a9d26d4bb3b0ed189c79cd24d179a
    d98378db4016404ac558f9733e906b2b
    dc4a977eaa2b62ad7785b46b40c61281
    dc8f0d4ecda437c3f870cd17d010a3f6
    de56229f497bf51274280ef84277ea54
    ec98640c401e296a76ab7f213164ef8c
    f0357f969fbaf798095b43c9e7a0cfa7
    f16785fc3650490604ab635303e61de2
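A hash list like the one above is only useful if it is actually checked against files. The following Python tool is an added example (not Kaspersky's code and not part of the original post) that streams MD5 over candidate documents under a directory and reports any whose digest is on the list. Only a subset of the page's hashes is embedded here; the suffix filter and the `demo()` files are constructed for the example. Since these are document lures, a match on a mail archive or download folder is the signal a responder wants.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Union

# Subset of the MD5s listed above (each value is taken from the list on the page);
# a real deployment would load the complete list from a file.
ROCRA_DOCUMENT_MD5S = frozenset({
    "114ed0e5298149fc69f6e41566e3717a",
    "1f86299628bed519718478739b0e4b0c",
    "2672fbba23bf4f5e139b10cacc837e9f",
    "350c170870e42dce1715a188ca20d73b",
    "396d9e339c1fd2e787d885a688d5c646",
    "f16785fc3650490604ab635303e61de2",
})

# Assumed set of lure document types to hash; narrows the scan to what matters here.
SCAN_SUFFIXES = {".doc", ".docx", ".xls", ".rtf", ".pdf"}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large documents never have to fit in memory at once."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_rocra_document(digest: str) -> bool:
    """Case-insensitive lookup so hashes pasted from reports in upper case still match."""
    return digest.strip().lower() in ROCRA_DOCUMENT_MD5S


def match_digests(digests: Dict[str, str]) -> List[str]:
    """Given name -> MD5 (e.g. from a mail gateway log), return the names on the list."""
    return sorted(name for name, d in digests.items() if is_known_rocra_document(d))


def scan_directory(root: Union[str, Path]) -> Dict[str, str]:
    """Hash every candidate document under root; return path -> MD5 for IoC matches."""
    matches: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            digest = md5_of_file(p)
            if is_known_rocra_document(digest):
                matches[str(p)] = digest
    return matches


def demo() -> Dict[str, str]:
    """Write two constructed, benign files to a temp dir and scan them (expect no hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "report.doc").write_bytes(b"abc")
        (Path(tmp) / "notes.txt").write_bytes(b"")
        return scan_directory(tmp)


if __name__ == "__main__":
    print("matches in demo directory:", demo())
```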

    GReAT
    Kaspersky Lab Expert
    Posted January 14, 13:00 GMT

    Find this story at 14 January 2013

    And “Red October” Diplomatic Cyber Attacks Investigation
