• Buro Jansen & Janssen, simply content!
    Jansen & Janssen is a research bureau that critically monitors the police, the judiciary, the intelligence services and government in the Netherlands and the EU. A civil-rights collective that for 40 years, since 1984, has published on the expansion of repressive legislation, public-private cooperation, security in the broadest sense, powers, government action and other matters of state.

  • The letter I received about alleged police hacking shows how at risk we all are

    From nieuwsblog.burojansen.nl

    The whistleblower lists damning claims of spying on innocent individuals by a secretive Scotland Yard unit. It’s now vital that we hold the police to account
    ‘When the police act with impunity all of our private lives are put at risk’

    As the only Green party peer I receive a lot of post to my office in the House of Lords. Rarely, though, do I open letters like the one that has been revealed. The anonymous writer alleged that there was a secretive unit within Scotland Yard that has used hackers to illegally access the emails of campaigners and journalists. It included a list of 10 people and the passwords to their email accounts.

    As soon as I read the first sentence of the letter, I knew the content would be astonishing – and when some aspects of the letter were corroborated by lawyers and those on the list – I was convinced that we owed it to this brave whistleblower to hold the police to account.

    The list of allegations is lengthy. It includes illegal hacking of emails, using an Indian-based operation to do the dirty work, shredding documents and using sex as a tool of infiltration. And these revelations matter to all of us. None of us knows whether the police organised for our emails to be hacked, but all of us know the wide range of personal information that our emails contain. It might be medical conditions, family arguments, love lives or a whole range of drug- or alcohol-related misdemeanours.

    When the police act with impunity, all of our private lives are put at risk. Whether you’re involved in a local campaign against library closures, a concerned citizen worried about air pollution or someone working for a charity – who’s to say that officers won’t be spying on the emails you send? The police put me on the domestic extremism database during the decade when I was on the Metropolitan Police Authority signing off their budgets and working closely with officers on the ground to fight crimes such as road crime and illegal trafficking. If someone in my position – no criminal record and on semi-friendly terms with the Met commissioner – can end up on the database, then you can too.

    The truth is that without the bravery and professionalism of two serving police officers who have blown the whistle on state snooping I would know nothing about my files, and those of other campaigners, being shredded by the Domestic Extremism Unit. We would have had no suspicion that those files had been shredded to cover up the illegal hacking of personal and work e-mails by the police.

    Please don’t fall for the old establishment lie that the problem is a few rotten apples. This alleged criminality is the result of a deliberate government policy of using the police and security services to suppress dissent and protest in order to protect company profits and the status quo. Such an approach inevitably leads to police officers overstepping the mark as they feel emboldened by those at the top levels of government and an immunity from prosecution provided by senior officers keen to please the people who decide their budgets.

    The police don’t always act as neutral agents of the law. We know that the Thatcher government’s determination to break the miners’ strike led to the Orgreave confrontation in 1984. There are still allegations about the links between the police and those running blacklisting databases that led to hundreds of construction workers being condemned to unemployment and poverty.

    And don’t mistake this for a partisan attack on Conservative politicians. Theresa May has forced through the draconian Investigatory Powers Act, but the Labour party too has been timid at best in opposing this snoopers’ charter. Indeed it was the Blair government that left a legacy of draconian public order laws, and which broadly defined the anti-terrorism legislation upon which an edifice of modern surveillance powers has been constructed.

    Many are unaware that joining an anti-fracking group, or going on a demonstration, could get you labelled a domestic extremist, photographed, questioned and followed for months or even years – without ever having been convicted of a crime.

    It’s only by speaking out against these intrusions that we are able to challenge this rotten culture of impunity. After all, it was David Cameron who gave us the Hillsborough inquiry and Theresa May who set up the Pitchford inquiry into undercover officers. Politicians don’t always do things for good reasons, but they do respond to public pressure.

    Change is possible, but in the meantime, we should be doing everything we can to make it hard for the police to spy on us. Use encryption, two-step email security and other precautions suggested by organisations such as Liberty. Don’t stop saying what you think, or working to make the world a better place, but do assume that the police will be working to protect the companies, banks or energy companies that you want to challenge.

    It isn’t how things should be, but the evidence shows that is the way things are.

    A campaign to get the police out of the lives of environmentalists and social justice campaigners is a good start, but it will fail unless it reaches out – starting by working with those in the Muslim community intimidated by Prevent.

    Above all, we must convince the middle ground of society that everyone will be safer if the security services focused on what we all want them to do – stopping terrorists and serious criminals. This is not unreasonable, and the starting point is a change to the legislation so that it narrows the definition of terrorism to exclude the nonviolent, noisy and rebellious.

    Wednesday 22 March 2017 15.23 GMT Last modified on Wednesday 22 March 2017 17.29 GMT
    Jenny Jones
    Find this story at 22 March 2017

    © 2017 Guardian News and Media Limited

    Police Scotland confirms secret G8 file on notorious undercover police unit

    POLICE Scotland has confirmed that a secret file was created on the activities of a disgraced undercover unit at the G8 summit at Gleneagles.

    The “intelligence briefings” on the National Public Order Intelligence Unit, whose officers had sex with the protestors they spied on, will now be examined by a watchdog as part of its covert policing probe. Police Scotland said they would not comment on the contents of the file.

    Two Met-based units – the Special Demonstration Squad and the NPOIU – were set up to keep tabs on so-called subversives and domestic extremists.

    A key strategy was to embed undercover officers in campaign groups, which included anti-racism organisations, and report back to handlers.

    However, some of the tactics deployed by officers in the units, such as using the identities of dead babies and deceiving women into long-term sexual relationships before vanishing, have since been exposed.

    The Pitchford Inquiry, set up by Theresa May when she was Home Secretary, is examining undercover policing going back decades.

    Although the judicial-led investigation does not apply to Scotland, NPOIU activity took place north of the border in the run up to the G8 summit in Scotland in 2005.

    Mark “Stone” was a driver for campaigners at the G8, but was unmasked as undercover officer Mark Kennedy.

    He later said in an interview: “My superior officer told me on more than one occasion, particularly during the G8 protests in Scotland in 2005, that information I was providing was going directly to Tony Blair’s desk.”

    Ahead of the G8, the then Scottish Executive issued a Ministerial Certificate blocking the release of information connected with the summit. The blackout applied to all Scottish public authorities, including police forces, health bodies and the Government.

    However, it can be revealed that the SNP Government quietly revoked the certificate in 2010, a decision that could result in information on the summit being released.

    After being asked by this newspaper for the titles of all files produced by on the G8 in 2005, Police Scotland confirmed the names of 1168 files.

    Forty-four were created by the former Fife Constabulary, whose patch included the Gleneagles hotel, while 1124 files were produced by Lothian and Borders police.

    Many of the files are on routine policing matters, but one document is described as “intelligence briefings” on the “National Public Order Intelligence Unit”.

    Other files include “stop the war coalition – regulatory board” and “indymedia”, which was a left-wing website at the time.

    There was also correspondence with the security services on the “Senior Leadership Development Programme”, a funding request for a “special branch operation” in May 2005 and over a dozen files on the peaceful Make Poverty History march.

    After the UK Government refused to extend the Pitchford Inquiry to Scotland, Her Majesty’s Inspectorate of Constabulary in Scotland launched its own review of undercover policing.

    A spokesperson for HMICS said: “As outlined in our terms of reference HMICS will examine the scale and extent of undercover police operations in Scotland conducted by the SDS and the NPOIU. As part of our scrutiny, we will review the authorisations for undercover deployments during the G8 Summit in Scotland in July 2005. HMICS are currently engaged in this process with the full cooperation of Police Scotland. With specific regard to the intelligence file, HMICS will examine this file for any information that may inform our review process.”

    Donal O’Driscoll, a core participant in the Pitchford Inquiry who was spied on in Scotland, said: “We have long argued that both the SDS and the NPOIU were active in Scotland, particularly around the 2005 G8. The existence of this file strengthens our case that there needs to be a full inquiry into the activities of spy cops in Scotland – and renders the exclusion of Scotland from the Pitchford Inquiry even more inexplicable.

    “We continue to have no confidence in the HMICS review. Nevertheless, I’d expect them to at least make the effort to examine this and related briefings as part of the bare minimum they need to do. Not least because it is now beyond dispute there were multiple undercover police from the NPOIU and foreign police forces present at the G8 protests. However, only a full public inquiry can get to the truth as to what the police and the state had planned and co-ordinated when they interfered in legitimate democratic protest.”

    A Police Scotland spokesperson said: “Police Scotland does not routinely comment on covert policing or intelligence. We will not offer any comment on the contents of any specific files. Any inquiries relating to the NPOIU should be directed to the Met Police. Police Scotland will also fully and openly co-operate with the review of undercover policing to be carried out by HMICS.”

    / Paul Hutcheon, Investigations Editor / @paulhutcheon

    Find this story at 25 March 2017
    © Copyright 2017 Herald & Times Group

    Donald Trump’s Muslim Laptop Ban Could Be a Protectionist Scheme

    THE DEPARTMENT OF Homeland Security announced an unprecedented new restriction on travelers from 10 airports in eight Muslim-majority countries on Tuesday.

    The DHS restriction states “that all personal electronic devices larger than a cell phone or smart phone be placed in checked baggage at 10 airports where flights are departing for the United States.”

    It’s a Muslim laptop ban.

    The 10 airports are in Jordan, Egypt, Turkey, Saudi Arabia, Kuwait, Morocco, Qatar, and the United Arab Emirates.

    American-based airlines do not fly directly to the United States from these airports, so these restrictions will not apply to them. The impact of this move will instead fall on nine airlines, including Gulf-based carriers that U.S. airlines have been asking President Trump to punish since the day after his election.

    The U.S. carriers have long complained that Gulf carriers such as Emirates, Etihad Airways, and Qatar Airways are unfairly subsidized by their national governments.

    Executives at Delta Airlines, United Airlines, and American Airlines met with Trump in early February. The day before the meeting, a group representing these American airlines, called the Partnership for Open & Fair Skies, distributed a slick video using Trump’s own words to argue against the subsidies.

    With this new travel impediment, Trump may be throwing these executives a bone. The new restrictions appear to be targeting airports that serve as flight “hubs” for these airlines — such as Dubai International, which is the hub of Emirates. Airlines use these hub airports to transfer passengers between flights, delivering significant savings.

    California Democratic Rep. Adam Schiff, who is the ranking member of the House Intelligence Committee, quickly rose to the defense of Trump’s DHS on Tuesday, calling the restrictions both “necessary and proportional to the threat”:

    Ranking House Intel Dem Schiff backs new electronics ban on US-bound flights from 8 Muslim-maj countries – critics say measure is arbitrary pic.twitter.com/3zPwehf2ZW

    — Jessica Schulberg (@jessicaschulb) March 21, 2017

    In 2015, Schiff was one of 262 Members of the House who signed a letter protesting subsidies for the Gulf airlines. The letter is featured on the website of the Partnership for Open & Fair Skies.

    Whatever the motivation, the security justifications are unclear at best. The Guardian interviewed a number of top technologists about the new policy on Tuesday, and they were puzzled. “If you assume the attacker is interested in turning a laptop into a bomb, it would work just as well in the cargo hold,” Nicholas Weaver, who is a researcher at the International Computer Science Institute, told the paper.

    “From a technological perspective, nothing has changed between the last dozen years and today. That is, there are no new technological breakthroughs that make this threat any more serious today,” Bruce Schneier, a top technologist at the Berkman Klein Center for Internet & Society at Harvard University, told the Guardian. “And there is certainly nothing technological that would limit this newfound threat to a handful of Middle Eastern airlines.”

    The United Kingdom enacted similar restrictions hours after the United States, but with two puzzling differences. The U.K. ban includes 14 airlines, including six based in the U.K. And it does not include airports in Qatar or the UAE — which are the epicenter of the subsidies dispute. Canada is reportedly weighing its own restrictions.

    For its part, Emirates responded by inviting customers to sample its in-flight entertainment in lieu of tablets and laptops — by repurposing an old advertisement featuring Jennifer Aniston:

    Let us entertain you. pic.twitter.com/FKqayqUdQ7

    — Emirates airline (@emirates) March 21, 2017

    Zaid Jilani
    March 21 2017, 7:51 p.m.
    Find this story at 21 March 2017

    Copyright https://theintercept.com/

    The Many Mysteries of the Muslim Laptop Ban

    A new Homeland Security rule will ban electronics on flights from airports in Muslim-majority countries. Is this protectionism or prudence? Well, it’s complicated.

    Travelers from eight different Muslim-majority nations will no longer be allowed to carry laptops, tablets, or certain other electronic devices with them in the cabin on flights inbound to the U.S., according to new rules that take effect on Tuesday. The U.K. was quick to announce that it would follow suit with a Muslim laptop ban of its own.

    Officials at the U.S. Department of Homeland Security and Transportation Security Administration say that the new rules reflect a potential threat of terrorists smuggling explosive devices on board planes using portable electronic devices—iPads, Kindles, and the like. The DHS guidance cites a 2016 attempted airliner downing in Somalia as one recent incident that could be linked to a laptop bomb. The U.S. rules affect 10 last-point-of-departure airports—some of them the busiest hubs in the Middle East—from Saudi Arabia to Istanbul to the UAE.

    Behind the order, though, lies a long history of conflict between America’s big three carriers—Delta, United, and American—and their peers in the Gulf. Critics spied an ulterior motive behind the Trump administration’s new rule: a protectionist measure for U.S. carriers promised by President Donald Trump.

    Henry Farrell and Abraham Newman floated this notion in the Washington Post, suggesting that the financial security of United, American, and Delta might be behind the new counterterrorism measures. The U.S. airlines have grumbled for years that their counterparts from the Gulf—specifically Emirates, Etihad Airways, and Qatar Airways—benefit unfairly from government subsidies. Those carriers have recently expanded their service to U.S. cities such as Chicago and Washington, D.C. (as any Washington Wizards fan can tell you, since Etihad is a major advertiser in the Verizon Center).

    Back in February, the chief executives of United, American, and Delta sent a letter to U.S. Secretary of State Rex Tillerson complaining about the “massive subsidization of three state-owned Gulf carriers … and the significant harm this subsidized competition is causing to U.S. airlines and U.S. jobs.” In a meeting with the executives shortly thereafter, Trump promised “phenomenal” tax relief, broad deregulation, and other forms of support to the industry.

    It’s not yet clear whether this laptop travel ban applies exclusively to all inbound flights from Muslim-majority airports or just those from Gulf carriers. If the latter, that would be a boon to U.S. operators. International business-class travelers—and there are a lot of them circulating between the U.S. and the Middle East—are bound to prefer flights that allow them to work on the plane. During a 14-hour nonstop haul from Dubai to Dulles, passengers are likely to appreciate all the electronic conveniences and entertainment they can carry.

    But a one-sided ban would also be a plain violation of trade rules. Global airline carriers have been duking it out over national subsidies for years. In September, the World Trade Organization ruled that the European Union had been illegally propping up Airbus to the tune of $22 billion, a decision that the Washington Post described as “the most expensive dispute in international history.”

    The Financial Times reports that the rule applies only to non-U.S. carriers: Saudi Arabian Airlines, Royal Jordanian Airlines, Emirates, Etihad Airways, Qatar Airways, Kuwait Airways, Turkish Airlines, EgyptAir, and Royal Air Maroc. Several of these state-owned airlines have indeed enjoyed massive subsidies from their governments. But there’s nothing in the guidance released by Homeland Security that specifies those carriers or otherwise exempts U.S. domestic airlines from the electronics ban. DHS is specific only about the 10 affected airports.

    According to CNN, domestic carriers are not affected by the ruling because they do not operate any direct flights to the U.S. from those airports. A travel engine search corroborates and complicates that explanation. Delta runs flights from Cairo to Washington, D.C., that are operated by Air France, for example. British Airways operates American Airlines flights from Istanbul to New York. Both Delta and United operate inbound flights by other carriers—Lufthansa, KLM, and so on—from the restricted airports.

    Homeland Security has not responded to a request for clarification. Across the pond, an electronics ban is even more complicated, since Qatar Airways has increased its ownership stake in the parent company for British Airways to 20 percent after Brexit. A U.K. electronics ban in the Gulf would bite the hand that feeds British Airways.

    These bans may be motivated by urgent and legitimate national security concerns. Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence and a Democrat, says that the electronics ban is justified. There is a debate to be had even if the threat is real, though. The tradeoff between travel security and convenience is an enormous drag on productivity (not to mention a cost for airports and airlines). The new rules may sidestep that debate. If an electronics ban applies solely to Gulf carriers, exempting domestic airlines, then it’s pretty plainly a protectionist measure, of the kind that Trump has explicitly promised to deliver for U.S. airlines.

    The risk, of course, is that Gulf states could respond in kind—meaning that no one gets to binge on Netflix on international flights. Trade battles have a way of escalating quickly. After the European Union restricted hormone-treated beef from America in 1999, the Clinton administration retaliated with a 100 percent tariff on Roquefort from France. The Bush administration escalated the conflict—totally arbitrarily!—with a 300 percent duty on Roquefort in 2003. The ensuing cheese war lasted nearly through the Obama administration.

    Depriving Americans of imported fromage is one thing; taking screens away from their toddlers could represent a whole other degree of inconvenience. Whether or not the Trump administration is pushing protectionist trade policies under the guise of national security, it seems likely that international flights are going to feel a whole hell of a lot longer.

    KRISTON CAPPS @kristoncapps Mar 21, 2017

    Find this story at 21 March 2017

    Copyright 2017 The Atlantic Monthly Group.

    Were the hackers who broke into the DNC’s email really Russian?

    The question of whether political operative Roger Stone helped Russian hackers break into the email of Democratic politicians, to some people, invites another: Who says the hackers were Russian?

    The FBI does, and so do several U.S. intelligence agencies, as they’ve declared repeatedly over the past five months. But among private-sector computer security companies, not everybody thinks the case is proven.

    “I have no problem blaming Russia for what they do, which is a lot,” said Jeffrey Carr of the international cybersecurity company Taia Global Inc. “I just don’t want to blame them for things we don’t know that they did. It may turn out that they’re guilty, but we are very short on evidence here.”

    As Carr notes, the FBI never examined the servers that were hacked at the Democratic National Committee. Instead, the DNC used the private computer security company CrowdStrike to detect and repair the penetrations.

    “All the forensic work on those servers was done by CrowdStrike, and everyone else is relying on information they provided,” said Carr. “And CrowdStrike was the one to declare this the work of the Russians.”

    The CrowdStrike argument relies heavily on the fact that remnants of a piece of malware known as AGENT-X were found in the DNC computers. AGENT-X collects and transmits hacked files to rogue computers.

    “AGENT-X has been around for ages and ages, and its use has always been attributed to the Russian government, a theory that’s known in the industry as ‘exclusive use,’” Carr said. “The problem with exclusive use is that it’s completely false. Unlike a bomb or an artillery shell, malware doesn’t detonate on impact and destroy itself.

    “You can recover it, reverse-engineer it, and reuse it. The U.S. government learned a lesson about that when it created the Stuxnet computer worm to destroy Iran’s nuclear program. Stuxnet survived and now other people have it.”

    Carr said he is aware of at least two working copies of AGENT-X outside Russian hands. One is in the possession of a group of Ukrainian hackers he has spoken with, and the other is with an American cybersecurity company. “And if an American security company has it, you can be certain other people do, too,” he said.

    There’s growing doubt in the computer security industry about CrowdStrike’s theories about AGENT-X and Russian hackers, Carr said, including some critical responses to a CrowdStrike report on Russian use of the malware to disable Ukrainian artillery.

    “This is a close-knit community and criticizing a member to the outside world is kind of like talking out of turn,” Carr said. “I’ve been repeatedly criticized for speaking out in public about whether the hacking was really done by the Russians. But this has to be made public, has to be addressed, and has to be acknowledged by the House and Senate Intelligence Committees.”

    MARCH 24, 2017 7:00 AM
    BY GLENN GARVIN

    Find this story at 24 March 2017
    Copyright http://www.miamiherald.com/

    Did the Russians Really Hack the DNC?

    Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

    How substantial is the evidence backing these assertions?

    Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

    On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government.” Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1]

    Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

    Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

    The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2]

    In another example, when SentinelOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3]

    Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4]

    Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6]

    FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7]

    But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8]
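
    The working-hours statistic discussed above reduces to arithmetic over one 32-bit header field. The following added example (not from the article or from FireEye's report) parses the COFF TimeDateStamp from constructed PE header stubs and scores the same set against every UTC offset; the 08:00 to 18:00 Monday to Friday window, the sample timestamps and all function names are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed sample input: only the header bytes the parser reads."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: offset of the PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def read_pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return stamp


def working_hours_share(stamps, utc_offset, start=8, end=18):
    """Fraction of stamps that fall Mon-Fri, start <= hour < end, at utc_offset."""
    tz = timezone(timedelta(hours=utc_offset))
    hits = 0
    for stamp in stamps:
        local = datetime.fromtimestamp(stamp, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Score every candidate UTC offset; best share first, ties by offset."""
    scored = [(working_hours_share(stamps, k), k) for k in offsets]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


# Constructed sample set: (day of March 2014, hour, minute) in UTC.
# 3 March 2014 is a Monday; 8 March is a Saturday.
SAMPLE_UTC = [
    (3, 6, 15), (3, 9, 40), (4, 7, 5), (4, 12, 30), (5, 5, 50),
    (5, 13, 20), (6, 8, 0), (6, 14, 45), (7, 10, 10), (8, 19, 30),
]
IMAGES = [
    build_pe_stub(int(datetime(2014, 3, d, h, m, tzinfo=timezone.utc).timestamp()))
    for d, h, m in SAMPLE_UTC
]
STAMPS = [read_pe_timestamp(image) for image in IMAGES]

# The same constructed set as it would read if the header field had been
# written from a clock running seven hours behind: nothing else differs.
RESTAMPED = [stamp - 7 * 3600 for stamp in STAMPS]


if __name__ == "__main__":
    for label, stamps in (("as read", STAMPS), ("restamped", RESTAMPED)):
        top = rank_offsets(stamps)[:3]
        print(label, [(f"UTC{k:+d}", f"{share:.0%}") for share, k in top])
```

    On this constructed set the neighbouring offsets score almost as well as the best one, and a constant shift in the header field moves the apparent location by the same number of time zones. The figure describes the field's contents, and says nothing on its own about who wrote them.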

    “If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

    James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which to determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10]

    Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

    This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

    At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

    APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

    Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

    One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

    “Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

    In answer to critics, the Department of Homeland Security and the FBI issued a joint analysis report, which presented “technical details regarding the tools and infrastructure used” by Russian intelligence services “to compromise and exploit networks” associated with the U.S. election, U.S. government, political, and private sector entities. The report code-named these activities “Grizzly Steppe.” [19]

    For a document that purports to offer strong evidence on behalf of U.S. government allegations of Russian culpability, it is striking how weak and sloppy the content is. Included in the report is a list of every threat group ever said to be associated with the Russian government, most of which are unrelated to the DNC hack. It appears that various governmental organizations were asked to send a list of Russian threats, and then an official lacking IT background compiled that information for the report, and the result is a mishmash of threat groups, software, and techniques. “PowerShell backdoor,” for instance, is a method used by many hackers, and in no way describes a Russian operation.

    Indeed, one must take the list on faith, because nowhere in the document is any evidence provided to back up the claim of a Russian connection. Indeed, as the majority of items on the list are unrelated to the DNC hack, one wonders what the point is. But it bears repeating: even where software can be traced to Russian origination, it does not necessarily indicate exclusive usage. Jeffrey Carr explains: “Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.” Carr quotes security firm ESET in regard to the Sednit group, one of the items on the report’s list, and which is another name for APT28: “As security researchers, what we call ‘the Sednit group’ is merely a set of software and the related infrastructure, which we can hardly correlate with any specific organization.” Carr points out that X-Agent software, which is said to have been utilized in the DNC hack, was easily obtained by ESET for analysis. “If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” [20]

    The salient impression given by the government’s report is how devoid of evidence it is. For that matter, the majority of the content is taken up by what security specialist John Hinderaker describes as “pedestrian advice to IT professionals about computer security.” As for the report’s indicators of compromise (IoC), Hinderaker characterizes these as “tools that are freely available and IP addresses that are used by hackers around the world.” [21]

    In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses it identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed “quite substantially.” Wordfence notes that not only is the software “commonly available,” but also that it would be reasonable to expect “Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.” To put it plainly, Wordfence concludes that the malware sample “has no apparent relationship with Russian intelligence.” [23]

    Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24]

    If one also takes into account the IP addresses that not only point to current Tor exits, but also those that once belonged to Tor exit nodes, then these comprise 42 percent of the government’s list. [25] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26]

    Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]

    The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28]

    Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29]
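
    The Wordfence and Graham critiques above amount to a triage step a defender can run before loading any published IP list into detection tooling. The following is an added example, not code from the article or from any of the analysts it cites; every address is a constructed value from the RFC 5737 documentation ranges, and the Tor and shared-service sets stand in for lists a defender would load from exit-node archives and provider-published ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator list (documentation addresses only).
IOC_LIST = [
    "192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.8",
    "198.51.100.9", "203.0.113.5", "203.0.113.77", "192.0.2.200",
    "not-an-ip",
]
# Constructed reference sets (assumptions, see lead-in).
TOR_EXITS_CURRENT = {"192.0.2.10"}
TOR_EXITS_HISTORICAL = {"192.0.2.11", "198.51.100.7"}
SHARED_SERVICE_NETS = {
    "webmail provider": ipaddress.ip_network("203.0.113.0/24"),
}
# Constructed outbound connections seen from one workstation.
OBSERVED_DESTINATIONS = ["203.0.113.5", "198.51.100.8", "192.0.2.99"]


def classify(ip_text):
    """Label one indicator by the kind of infrastructure it sits on."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    if str(ip) in TOR_EXITS_CURRENT:
        return "tor-exit-current"
    if str(ip) in TOR_EXITS_HISTORICAL:
        return "tor-exit-historical"
    for name, net in SHARED_SERVICE_NETS.items():
        if ip in net:
            return "shared-service:" + name
    return "unclassified"


def triage(iocs):
    """Group the whole indicator list by label."""
    buckets = defaultdict(list)
    for raw in iocs:
        buckets[classify(raw)].append(raw)
    return buckets


def shared_infrastructure_share(buckets):
    """Fraction of valid indicators that point at infrastructure used by
    many unrelated parties (Tor exits, large shared services)."""
    valid = sum(len(v) for k, v in buckets.items() if k != "invalid")
    shared = sum(len(v) for k, v in buckets.items()
                 if k not in ("invalid", "unclassified"))
    return shared / valid if valid else 0.0


def review_hits(observed, iocs):
    """Match observed destinations against the list and attach a verdict:
    a hit on shared infrastructure says little about who is behind it."""
    listed = set()
    for raw in iocs:
        if classify(raw) != "invalid":
            listed.add(str(ipaddress.ip_address(raw.strip())))
    results = []
    for dest in observed:
        if dest in listed:
            label = classify(dest)
            verdict = "investigate" if label == "unclassified" else "low confidence"
            results.append((dest, label, verdict))
    return results


if __name__ == "__main__":
    buckets = triage(IOC_LIST)
    for label, members in sorted(buckets.items()):
        print(f"{label:32} {len(members)}")
    print(f"shared infrastructure: {shared_infrastructure_share(buckets):.1%}")
    for hit in review_hits(OBSERVED_DESTINATIONS, IOC_LIST):
        print(hit)
```

    A match on an address labelled as a Tor exit or a shared service is the situation Graham describes with his own browser traffic: the connection is real, but it does not distinguish an intrusion from ordinary use.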

    Among the government’s list of Russian actors are Energetic Bear and Crouching Yeti, two names for the same threat group. In its analysis, Kaspersky Lab found that most of the group’s victims “fall into the industrial/machinery building sector,” and it is “not currently possible to determine the country of origin.” Although listed in the government’s report, it is not suggested that the group played a part in the DNC hack. But it does serve as an example of the uncertainty surrounding government claims about Russian hacking operations in general. [30]

    CosmicDuke is one of the software packages listed as tied to Russia. SecureList, however, finds that unlike the software’s predecessor, CosmicDuke targets those who traffic in “controlled substances, such as steroids and hormones.” One possibility is that CosmicDuke is used by law enforcement agencies, while another possibility “is that it’s simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.” In either case, whether or not the software is utilized by the Russian government, there is a broader base for its use. [31]

    The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

    In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election. [34]

    The report would be laughable, were it not for the fact that it is being played up for propaganda effect, bypassing logic and appealing directly to unexamined emotion. The 2016 election should have been a wake-up call for the Democratic Party. Instead, predictably enough, no self-examination has taken place, as the party doubles down on the neoliberal policies that have impoverished tens of millions, and backs military interventions that have sown so much death and chaos. Instead of thoughtful analysis, the party is lashing out and blaming Russia for its loss to an opponent that even a merely weak candidate would have beaten handily.

    Mainstream media start with the premise that the Russian government was responsible, despite a lack of convincing evidence. They then leap to the fallacious conclusion that because Russia hacked the DNC, only it could have leaked the documents.

    So, did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: “I know who the source is… It’s from a Washington insider. It’s not from Russia.” [36]

    There are too many inconsistencies and holes in the official story. In all likelihood, there were multiple intrusions into DNC servers, not all of which have been identified. The public ought to be wary of quick claims of attribution. It requires a long and involved process to arrive at a plausible identification, and in many cases the source can never be determined. As Jeffrey Carr explains, “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.” [37]

    Russia-bashing is in full swing, and there does not appear to be any letup in sight. We are plunging headlong into a new Cold War, riding on a wave of propaganda-induced hysteria. The self-serving claims fueling this campaign need to be challenged every step of the way. Surrendering to evidence-free emotional appeals would only serve those who arrogantly advocate confrontation and geopolitical domination.

    Notes.

    [1] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike blog, June 15, 2016.

    [2] Josh Pitts, “Repurposing OnionDuke: A Single Case Study Around Reusing Nation-state Malware,” Black Hat, July 21, 2015.

    [3] Udi Shamir, “The Case of Gyges, the Invisible Malware,” SentinelOne, July 2014.

    [4] Mark McArdle, “‘Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

    [5] “The Usual Suspects: Faith-Based Attribution and its Effects on the Security Community,” October 21, 2016.

    [6] Jeffrey Carr, “The DNC Breach and the Hijacking of Common Sense,” June 20, 2016.

    [7] “APT28: A Window into Russia’s Cyber Espionage Operations?” FireEye, October 27, 2014.

    [8] Mark McArdle, “‘Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

    [9] Patrick Howell O’Neill, “Obama’s Former Cybersecurity Advisor Says Only ‘Idiots’ Want to Hack Russia Back for DNC Breach,” The Daily Dot, July 29, 2016.

    [10] James Scott, Sr., “It’s the Russians! … or is it? Cold War Rhetoric in the Digital Age,” ICIT, December 13, 2016.

    [11] Sam Biddle and Gabrielle Bluestone, “This Looks like the DNC’s Hacked Trump Oppo File,” Gawker, June 15, 2016.

    Dan Goodin, “‘Guccifer’ Leak of DNC Trump Research Has a Russian’s Fingerprints on It,” Ars Technica, June 16, 2016.

    [12] Pat Belcher, “Tunnel of Gov: DNC Hack and the Russian XTunnel,” Invincea, July 28, 2016.

    [13] Seth Bromberger, “DNS as a Covert Channel within Protected Networks,” National Electric Sector Cyber Security Organization, January 25, 2011.

    [14] Thomas Rid, “All Signs Point to Russia Being Behind the DNC Hack,” Motherboard, July 25, 2016.

    [15] https://www.threatminer.org/host.php?q=45.32.129.185

    [16] https://www.threatminer.org/host.php?q=176.31.112.10

    [17] https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-APPR/detailed-analysis.aspx

    https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-062518-5557-99

    [18] Paul, “Security Pros Pan US Government Report on Russian Hacking,” The Security Ledger, December 30, 2016.

    [19] “Grizzly Steppe – Russian Malicious Cyber Activity,” JAR-16-20296, National Cybersecurity & Communications Integration Center, Federal Bureau of Investigation, December 29, 2016.

    [20] Jeffrey Carr, “FBI/DHS Joint Analysis Report: A Fatally Flawed Effort,” Jeffrey Carr/Medium, December 30, 2016.

    [21] John Hinderaker, “Is ‘Grizzly Steppe’ Really a Russian Operation?” Powerline, December 31, 2016.

    [22] https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296A.csv

    [23] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

    [24] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

    [25] Micah Lee, “The U.S. Government Thinks Thousands of Russian Hackers May be Reading my Blog. They Aren’t,” The Intercept, January 4, 2017.

    [26] Jerry Gamblin, “Grizzly Steppe: Here’s My IP and Hash Analysis,” A New Domain, January 2, 2017.

    [27] Robert Graham, “Dear Obama, from Infosec,” Errata Security, January 3, 2017.

    [28] Robert Graham, “Some Notes on IoCs,” Errata Security, December 29, 2016.

    [29] Robert M. Lee, “Critiques of the DHS/FBI’s Grizzly Steppe Report,” Robert M. Lee blog, December 30, 2016.

    [30] “Energetic Bear – Crouching Yeti,” Kaspersky Lab Global Research and Analysis Team, July 31, 2014.

    [31] “Miniduke is back: Nemesis Gemina and the Botgen Studio,” Securelist, July 3, 2014.

    [32] Ali Watkins, “The FBI Never Asked for Access to Hacked Computer Servers,” Buzzfeed, January 4, 2017.

    [33] “James Comey: DNC Denied FBI Direct Access to Servers During Russia Hacking Probe,” Washington Times, January 10, 2017.

    [34] “Assessing Russian Activities and Intentions in Recent US Elections,” Office of the Director of National Intelligence, January 6, 2017.

    [35] “Quelle für Enthüllungen im Bundestag Vermutet,” Frankfurter Allgemeine Zeitung, December 17, 2016.

    [36] RT broadcast, January 7, 2017. https://www.youtube.com/watch?v=w3DvaVrRweY

    [37] Jeffrey Carr, “Faith-based Attribution,” Jeffrey Carr/Medium, July 10, 2016.

    Gregory Elich is on the Board of Directors of the Jasenovac Research Institute and the Advisory Board of the Korea Policy Institute. He is a member of the Solidarity Committee for Democracy and Peace in Korea, a columnist for Voice of the People, and one of the co-authors of Killing Democracy: CIA and Pentagon Operations in the Post-Soviet Period, published in the Russian language. He is also a member of the Task Force to Stop THAAD in Korea and Militarism in Asia and the Pacific. His website is https://gregoryelich.org

    JANUARY 13, 2017
    by GREGORY ELICH

    Find this story at 13 January 2017
    Copyright © CounterPunch

    HERE’S THE PUBLIC EVIDENCE RUSSIA HACKED THE DNC — IT’S NOT ENOUGH

    From nieuwsblog.burojansen.nl

    THERE ARE SOME good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy.

    There’s a lot of evidence from the attack on the table, mostly detailing how the hack was perpetrated, and possibly the language of the perpetrators. It certainly remains plausible that Russians hacked the DNC, and remains possible that Russia itself ordered it. But the refrain of Russian attribution has been repeated so regularly and so emphatically that it’s become easy to forget that no one has ever truly proven the claim. There is strong evidence indicating that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers. There’s even evidence that the attackers are the same group that’s been spotted attacking other targets in the past. But again: No one has actually proven that group is the Russian government (or works for it). This remains the enormous inductive leap that’s not been reckoned with, and Americans deserve better.

    We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, which contracted its services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime. If we’re going to blame the Russian government for disrupting our presidential election — easily construed as an act of war — we need to be damn sure of every single shred of evidence. Guesswork and assumption could be disastrous.

    The gist of the Case Against Russia goes like this: The person or people who infiltrated the DNC’s email system and the account of John Podesta left behind clues of varying technical specificity indicating they have some connection to Russia, or at least speak Russian. Guccifer 2.0, the entity that originally distributed hacked materials from the Democratic party, is a deeply suspicious figure who has made statements and decisions that indicate some Russian connection. The website DCLeaks, which began publishing a great number of DNC emails, has some apparent ties to Guccifer and possibly Russia. And then there’s WikiLeaks, which after a long, sad slide into paranoia, conspiracy theorizing, and general internet toxicity has made no attempt to mask its affection for Vladimir Putin and its crazed contempt for Hillary Clinton. (Julian Assange has been stuck indoors for a very, very long time.) If you look at all of this and sort of squint, it looks quite strong indeed, an insurmountable heap of circumstantial evidence too great in volume to dismiss as just circumstantial or mere coincidence.

    But look more closely at the above and you can’t help but notice all of the qualifying words: Possibly, appears, connects, indicates. It’s impossible (or at least dishonest) to present the evidence for Russian responsibility for hacking the Democrats without using language like this. The question, then, is this: Do we want to make major foreign policy decisions with a belligerent nuclear power based on suggestions alone, no matter how strong?

    What We Know

    So far, all of the evidence pointing to Russia’s involvement in the Democratic hacks (DNC, DCCC, Podesta, et al.) comes from either private security firms (like CrowdStrike or FireEye) who sell cyber-defense services to other companies, or independent researchers, some with university affiliations and serious credentials, and some who are basically just Guys on Twitter. Although some of these private firms had proprietary access to DNC computers or files from them, much of the evidence has been drawn from publicly available data like the hacked emails and documents.

    Some of the malware found on DNC computers is believed to be the same as that used by two hacking groups believed to be Russian intelligence units, codenamed APT (Advanced Persistent Threat) 28/Fancy Bear and APT 29/Cozy Bear by industry researchers who track them.

    The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with APT 28/Fancy Bear.
    Malware found on the DNC computers was programmed to communicate with an IP address associated with APT 28/Fancy Bear.
    Metadata in a file leaked by “Guccifer 2.0” shows it was modified by a user called, in Cyrillic, “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained Cyrillic metadata indicating it had been edited on a document with Russian language settings.
    Peculiarities in a conversation with “Guccifer 2.0” that Motherboard published in June suggest he is not Romanian, as he originally claimed.
    The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees.
    Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider.
    A bit.ly link believed to have been used by APT 28/Fancy Bear in the past was also used against Podesta.

    Why That Isn’t Enough

    Viewed as a whole, the above evidence looks strong, and maybe even damning. But view each piece on its own, and it’s hard to feel impressed.

    For one, a lot of the so-called evidence above is no such thing. CrowdStrike, whose claims of Russian responsibility are perhaps most influential throughout the media, says APT 28/Fancy Bear “is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.” But this isn’t a Russian technique any more than using a computer is a Russian technique — misspelled domains are a cornerstone of phishing attacks all over the world. Is Yandex — the Russian equivalent of Google — some sort of giveaway? Anyone who claimed a hacker must be a CIA agent because they used a Gmail account would be laughed off the internet. We must also acknowledge that just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works for the Russian government — it just makes him a liar.

    Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:

    Their tradecraft is superb, operational security second to none and the extensive usage of “living-off-the-land” techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and “access management” tradecraft — both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.

    Compare that description to CrowdStrike’s claim it was able to finger APT 28 and 29, described above as digital spies par excellence, because they were so incredibly sloppy. Would a group whose “tradecraft is superb” with “operational security second to none” really leave behind the name of a Soviet spy chief imprinted on a document it sent to American journalists? Would these groups really be dumb enough to leave Cyrillic comments on these documents? Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught precisely because they didn’t make sure not to use IP addresses they’d been associated with before? It’s very hard to buy the argument that the Democrats were hacked by one of the most sophisticated, diabolical foreign intelligence services in history, and that we know this because they screwed up over and over again.

    But how do we even know these oddly named groups are Russian? CrowdStrike co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based threat actor” whose modus operandi “closely mirrors the strategic interests of the Russian government” and “may indicate affiliation [Russia’s] Main Intelligence Department or GRU, Russia’s premier military intelligence service.” Security firm SecureWorks issued a report blaming Russia with “moderate confidence.” What constitutes moderate confidence? SecureWorks said it adopted the “grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments. … Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” All of this amounts to a very educated guess, at best.

    Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin is speculative, a fact that’s been completely erased from this year’s discourse. In its 2014 reveal of the group, the high-profile security firm FireEye couldn’t even blame Russia without a question mark in the headline: “APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post itself is remarkably similar to arguments about the DNC hack: technical but still largely speculative, presenting evidence the company “[believes] indicate a government sponsor based in Moscow.” Believe! Indicate! We should know already this is no smoking gun. FireEye’s argument that the malware used by APT 28 is connected to the Russian government is based on the belief that its “developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities.”

    As security researcher Jeffrey Carr pointed out in June, FireEye’s 2014 report on APT 28 is questionable from the start:

    To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

    “APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

    That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.

    The notion that APT 28 has a narrow focus on American political targets is undermined in another SecureWorks paper, which shows that the hackers have a wide variety of interests: 10 percent of their targets are NGOs, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are “government supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s targets are “government personnel” of any nationality — hardly the focused agenda described by CrowdStrike.

    Truly, the argument that “Guccifer 2.0” is a Kremlin agent or that GRU breached John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit of the Russian government, a fact that has never been proven beyond any reasonable doubt. According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, all we can truly conclude is that some email accounts at the DNC et al. appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.

    Security researcher Claudio Guarnieri put it this way:

    [Private security firms] can’t produce anything conclusive. What they produce is speculative attribution that is pretty common to make in the threat research field. I do that same speculative attribution myself, but it is just circumstantial. At the very best it can only prove that the actor that perpetrated the attack is very likely located in Russia. As for government involvement, it can only speculate that it is plausible because of context and political motivations, as well as technical connections with previous (or following attacks) that appear to be perpetrated by the same group and that corroborate the analysis that it is a Russian state-sponsored actor (for example, hacking of institutions of other countries Russia has some geopolitical interests in).

    Finally, one can’t be reminded enough that all of this evidence comes from private companies with a direct financial interest in making the internet seem as scary as possible, just as Lysol depends on making you believe your kitchen is crawling with E. Coli.

    What Does the Government Know?

    In October, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement blaming the Russian government for hacking the DNC. In it, they state their attribution plainly:

    The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

    What’s missing is any evidence at all. If this federal confidence is based on evidence that’s being withheld from the public for any reason, that’s one thing — secrecy is their game. But if the U.S. Intelligence Community is asking the American electorate to believe them, to accept as true their claim that our most important civic institution was compromised by a longtime geopolitical nemesis, we need them to show us why.

    The same goes for the CIA, which is now squaring off directly against Trump, claiming (through leaks to the Washington Post and New York Times) that the Russian government conducted the hacks for the express purpose of helping defeat Clinton. Days later, Senator John McCain agreed with the assessment, deeming it “another form of warfare.” Again, it’s completely possible (and probable, really) that the CIA possesses hard evidence that could establish Russian attribution — it’s their job to have such evidence, and often to keep it secret.

    But what we’re presented with isn’t just the idea that these hacks happened, and that someone is responsible, and, well, I guess it’s just a shame. Our lawmakers and intelligence agencies are asking us to react to an attack that is almost military in nature — this is, we’re being told, “warfare.” When a foreign government conducts (or supports) an act of warfare against another country, it’s entirely possible that there will be an equal response. What we’re looking at now is the distinct possibility that the United States will consider military retaliation (digital or otherwise) against Russia, based on nothing but private sector consultants and secret intelligence agency notes. If you care about the country enough to be angry at the prospect of election-meddling, you should be terrified of the prospect of military tensions with Russia based on hidden evidence. You need not look too far back in recent history to find an example of when wrongly blaming a foreign government for sponsoring an attack on the U.S. has tremendously backfired.

    We Need the Real Evidence, Right Now

    It must be stated plainly: The U.S. intelligence community must make its evidence against Russia public if they want us to believe their claims. The integrity of our presidential elections is vital to the country’s survival; blind trust in the CIA is not. A governmental disclosure like this is also not entirely without precedent: In 2014, the Department of Justice produced a 56-page indictment detailing their exact evidence against a team of Chinese hackers working for the People’s Liberation Army, accused of stealing American trade secrets; each member was accused by name. The 2014 trade secret theft was a crime of much lower magnitude than election meddling, but what the DOJ furnished is what we should demand today from our country’s spies.

    If the CIA does show its hand, we should demand to see the evidence that matters (which, according to Edward Snowden, the government probably has, if it exists). I asked Jeffrey Carr what he would consider undeniable evidence of Russian governmental involvement: “Captured communications between a Russian government employee and the hackers,” adding that attribution “should solely be handled by government agencies because they have the legal authorization to do what it takes to get hard evidence.”

    Claudio Guarnieri concurred:

    All in all, technical circumstantial attribution is acceptable only so far as it is to explain an attack. It most definitely isn’t for the political repercussions that we’re observing now. For that, only documental evidence that is verifiable or intercepts of Russian officials would be convincing enough, I suspect.

    Given that the U.S. routinely attempts to intercept the communications of heads of state around the world, it’s not impossible that the CIA or the NSA has exactly this kind of proof. Granted, these intelligence agencies will be loath to reveal any evidence that could compromise the method they used to gather it. But in times of extraordinary risk, with two enormous military powers placed in direct conflict over national sovereignty, we need an extraordinary disclosure. The stakes are simply too high to take anyone’s word for it.

    Sam Biddle
    December 14 2016, 5:30 p.m.

    Find this story at 14 December 2016

    Copyright https://theintercept.com/

    Al Arabiya investigates: Who really killed Hezbollah’s Mustafa Badreddine?

    From nieuwsblog.burojansen.nl

    On May 13, 2016, Lebanese people were surprised when Hezbollah’s leading man Hassan Nasrallah was seen mourning the death of his most senior militia commander Mustafa Badreddine.

    No sooner had the news of Badreddine’s demise in Syria broken than the Lebanese media adopted the story perpetuated by Hezbollah on the circumstances surrounding his death. Still, a few days later, questions began to arise about the credibility of Hezbollah’s version of events.

    After investigations into the story, evidence proved that Badreddine did not die fighting in the battlefields of Syria as claimed, but rather, the Hezbollah militia commander was assassinated. And the person responsible for his assassination was none other than his revered leader and friend, Hassan Nasrallah.

    Events leading up to May 12
    In 2013, Hezbollah was summoned to fight in Syria and Nasrallah commissioned Badreddine to lead the factions there alongside Iran’s Qassem Soleimani who led Quds Force, a branch of Iran’s Revolutionary Guard Corps (IRGC).

    Soleimani ignored Badreddine’s great experience and aspired to lead the entire battle all by himself. While Badreddine took one risk after the other in the battlefields, leading his soldiers to victories and assuming full responsibility for the losses, he discovered that Soleimani was favoring the lives of the revolutionary guards over those of Hezbollah. The former asked the latter to lead his soldiers himself and take full responsibility over his army.

    Both Hassan Nasrallah and Qassem Soleimani are said to have had a hand in Mustafa Badreddine’s mysterious death.

    While Badreddine was fighting with his army in Syria, he was tried in absentia at the International Tribunal in the case of the assassination of Rafiq Hariri, former Prime Minister of Lebanon, in 2005. Nasrallah had been under huge pressure from Soleimani, who requested the removal of Badreddine from the battlefield. Consequently, it appears that he had schemed to get rid of the commander.

    The question then arises: What really happened on the evening of May 12, 2016? How did Soleimani and Nasrallah arrange the assassination of Mustafa Badreddine? And what really happened near the Damascus International Airport on the night of May 12-13, 2016?

    Aftermath
    On May 14, 2016, less than two days after the operation, Al-Akhbar newspaper published the results of the investigation. Badreddine was reported to have arrived at the international airport and was reportedly accompanied to the meeting by three other people, but was the only one who was killed.

    Initial reporting by Al-Mayadeen blamed Israel for the fatal attack, claiming that an Israeli Air Force (IAF) strike successfully targeted Badreddine’s position. But that article was later erased.

    The cause of his death was assumed to be a vacuum bomb, while the nearest fighter group was 12 km away from the Damascus airport, which places it in the range of the artillery. Yet, these groups usually used unguided shells for their operations.

    However, no gunpowder residue was found at the scene.

    Nicholas Blanford, a nonresident senior fellow with the Middle East Peace and Security Initiative, recently wrote an analysis on that point.

    “The one claim of responsibility from the rebels came from the Jaysh al-Sunna group which said it had killed Badreddine in Khan Touman in southern Aleppo province. If that were true, why would Hezbollah hide it and make up a story about “takfiris” killing Badreddine much further south in the Damascus airport area?” Blanford asked.

    “Also it is unclear what weapon system would be in the hands of rebel groups in the vicinity of Damascus airport that could account for the “large explosion” that Hezbollah said on Friday killed Badreddine. Diplomatic sources in Beirut confirmed that there really was a powerful blast near Damascus airport on Thursday (May 12) even if its origin remains unknown,” Blanford added.

    One airport employee recounted the events of the night, saying airport employees were being barred from entering their workplace as the operation was taking place.

    “As I was approaching to go to work, I saw a lot of people crowding near the airport. At approximately 10 PM that night we suddenly heard a loud bang and what sounded like fire from three rifles,” the airport employee told Al Arabiya.

    “We tried approaching the scene to see what was going on but we were stopped by Hezbollah fighters telling us we weren’t allowed to enter. They did not even allow Syrian senior army officers or the Syrian police to enter the airport,” he said.

    Images show the reported site hours before Mustafa Badreddine was killed compared to the same site pictured a day later. (Al Arabiya)

    Al Arabiya also obtained images of the site where Mustafa Badreddine was killed which revealed aerial views of the exact scene on May 12 and May 14, both photos showing the site unscathed.

    On the same day, the Shiite cleric Abbas Hoteit declared to the south Lebanon website Janoubia that “Badreddine was killed by two treacherous bullets”.

    Evidence and eyewitness accounts suggested that four people met at the security building near the Damascus airport that night, one of them being Badreddine himself. The identity of the second person was discovered immediately after the operation on Twitter when a number of people reported they saw Soleimani leaving the site minutes before the operation. The third person was Badreddine’s bodyguard, who could not save his commander’s life.

    According to eyewitnesses, the fourth person identified was Ibrahim Hussein Jezzini, a person who Badreddine reportedly trusted the most.

    Badreddine’s death was seen as a victory for those affected by his involvement in attacks dating back to the 1980s, reportedly including the deadly suicide truck bombing attack that left over 200 US soldiers dead in Beirut in 1983 as well as the bombings targeting the French and US embassies in Kuwait the same year.

    Al Arabiya News Channel, Wednesday, 8 March 2017
    Find this story at 8 March 2017

    Copyright http://english.alarabiya.net

    Israel’s Army Chief: Hezbollah Commander Mustafa Badreddine Killed by His Own Men

    From nieuwsblog.burojansen.nl

    Killing of Mustafa Amine Badreddine last year shows the ‘depth of the internal crisis within Hezbollah,’ Gadi Eisenkot says.

    Lt. Gen. Gadi Eisenkot said reports that Mustafa Amine Badreddine was killed by Hezbollah officers are in accordance with “intelligence we have.” The incident “indicates the depth of the internal crisis within Hezbollah,” and “the extent of the cruelty, complexity and tension between Hezbollah and its patron Iran.”
    He added that despite Hezbollah’s fighting in Syria providing it with cumulative operational experience, it remains in crisis. “It is an internal crisis over what they are fighting for, an economic crisis and a leadership crisis,” he asserted. Eisenkot was speaking at an academic conference in Netanya.
    Badreddine, one of Hezbollah’s highest ranking military commanders, was killed in Syria in May last year. Initial reports attributed the attack to a covert Israeli operation, but signs suggested otherwise.
    Badreddine was said to have assumed the position of his brother-in-law, Hezbollah commander Imad Moughniyeh, who died in a 2008 assassination in Damascus also attributed to Israel. However, some dispute his official status as the group’s military leader, saying he was only in charge of its operations in Syria, as Hezbollah has never publicly named a successor for Moughniyeh, whose son Jihad was also killed in Syria in an attack said to be Israel’s doing.

    A U.S. Department of the Treasury statement detailing sanctions against Badreddine had said he was assessed to be responsible for the group’s military operations in Syria since 2011, and he had accompanied Hezbollah leader Sayyed Hassan Nasrallah during strategic coordination meetings with Assad in Damascus.

    Eisenkot also hinted at the Israeli army’s recent operational activity, which has generated tension with the Russian regime. He said, “Despite six years of war in Syria, we are managing to maintain a quiet border, and to prevent the growth in power of those who need not be strengthened with advanced weaponry.” He added that the civil war in Syria involves not only risks but also “many opportunities for regional and international cooperation.”
    In his remarks, Eisenkot also stressed Iran’s influence on Hezbollah and Hamas. “Iran is waging before us another campaign, a proxy war, and it is present both in Lebanon and in Syria with thousands of Shi’ite militiamen, as well as in Gaza,” he said. The chief of staff contended that the “primary challenge” for the Israel Defense Forces is Hezbollah, which operates both in Lebanon and in Syria.
    Mossad chief Yossi Cohen, however, said Iran poses Israel’s foremost threat. Iran did not give up its nuclear ambitions, and it is trying to influence and shape the Middle East, said Cohen, also at the conference.
    “As long as the Ayatollah regime exists, Iran will be the primary challenge for the security establishment, with or without the nuclear deal,” he asserted.

    Gili Cohen Mar 22, 2017 12:44 PM

    Find this story at 22 March 2017
    © Haaretz Daily Newspaper Ltd

    TOP HEZBOLLAH COMMANDER MUSTAFA BADREDDINE ASSASSINATED BY OWN GROUP: ISRAELI MILITARY

    From nieuwsblog.burojansen.nl

    Israel’s military chief said Tuesday that a top Hezbollah commander who died last year was assassinated by members of his own group, the Iran-backed Lebanese Shiite militia.

    Mustafa Badreddine died near the Syrian capital, Damascus, in May 2016, and Hezbollah said that Syrian rebel shelling caused his death.

    But recent Arab media reports have alleged that Hezbollah wanted rid of Badreddine because of a difference in opinion on how to wage the military campaign in support of President Bashar al-Assad in Syria. Hezbollah has deployed thousands of troops to the war-torn country to boost the Syrian dictator’s ranks.

    Lieutenant-General Gadi Eisenkot, chief of the Israeli armed forces, said that Israeli intelligence had corroborated reports of Hezbollah assassinating one of its own commanders, but did not elaborate on the circumstances.

    “According to [media] reports, he was killed by his superiors, which points to the extent of the cruelty, complexity and tension between Hezbollah and its patron, Iran,” he said during a conference speech in the central Israeli city of Netanya, Israeli newspaper Haaretz reported. “These reports corresponded with the information we have and with our assessment.”

    He continued: “It is an internal crisis over what they are fighting for, an economic crisis and a leadership crisis.”

    Hezbollah spokesman Mohammed Afif told Reuters the Israeli remarks were “lies that do not deserve comment.”

    Both the U.S. and Israel believed 55-year-old Badreddine to be Hezbollah’s military commander in Syria. His brother-in-law Imad Mughniyeh was Hezbollah’s military commander until he was assassinated in a 2008 bomb blast in Damascus, which reports suggested was the work of both Israel’s Mossad and America’s CIA agencies. Israel as a rule does comment on its foreign operations.

    The Lebanese militia fought a one-month war with Israel, its primary enemy, in 2006. It centered on the southern Lebanese border with northern Israel, and the Golan Heights, a contested territory that Israel captured from Syria in the 1967 Six-Day War.

    Iran, whose leadership routinely calls for Israel’s destruction, continues to support Hezbollah financially and militarily. Israel continues to conduct strikes against Hezbollah in Syria and Lebanon to prevent Iranian arms transfers to the group.

    BY JACK MOORE ON 3/21/17 AT 1:51 PM

    Find this story at 21 March 2017

    Copyright http://www.newsweek.com/

    2 Lebanese, 2 Nepalese and 1 Palestinian Held for Spying for Israel

    From nieuwsblog.burojansen.nl

    The General Directorate of General Security announced Wednesday that it has arrested two Lebanese men, two Nepalese women and a Palestinian man on charges of “spying for Israeli embassies abroad.”

    “During interrogation, the detainees confessed to the charges, admitting that they had called phone numbers belonging to the Israeli enemy’s embassies in Turkey, Jordan, Britain and Nepal with the aim of spying and passing on information,” a General Security statement said.

    The investigations revealed that the two aforementioned Nepalese women were actively recruiting Nepalese domestic workers in Lebanon with the aim of spying for Israel.

    “They gave them the phone number of the Israeli embassy in Nepal so that they pass on information about their employers to the Mossad Israeli intelligence agency,” the statement added.

    “Following interrogation, they were referred to the relevant judicial authorities on charges of collaborating with the Israeli enemy and efforts are underway to arrest the rest of the culprits,” General Security said.

    by Naharnet Newsdesk 25 January 2017, 16:04

    Find this story at 25 January 2017

    Naharnet © 2017

    Leading Hezbollah commander and key Israel target killed in Syria (2016)

    From nieuwsblog.burojansen.nl

    Hezbollah has confirmed its military commander, Mustafa Badreddine, was killed in Syria this week in what it described as a “major explosion” at Damascus airport.

    Media reports in Lebanon and Israel quickly suggested the blast had been caused by an Israeli airstrike, a suggestion to which Hezbollah gave weight, announcing it was investigating whether a “missile or artillery strike” had been responsible.

    Badreddine was the most senior member of the organisation to have been killed since the death of his predecessor and brother-in-law, Imad Mughniyeh, who was assassinated by a joint Mossad/CIA operation in the Syrian capital in February 2008.

    There was no immediate reaction from the Israeli government, which has authorised at least eight air strikes against targets inside Syria since the start of the civil war five years ago. Most had targeted anti-aircraft systems that Israeli officials claimed were being moved to Lebanon, where they could pose a threat against its air force.

    Mustafa Amine Badreddine, in an undated handout picture released at the Special Tribunal for Lebanon website.

    Announcing Badreddine’s death, Hezbollah said: “He said months ago that he would not return from Syria except as a martyr or carrying the flag of victory. He is the great jihadi leader Mustafa Badreddine, and he has returned today a martyr.”

    The statement added: “The information gleaned from the initial investigation is that a major explosion targeted one of our centres near Damascus International airport, which led to the martyrdom of Sayyid Zul Fikar [his nom de guerre] and the injuries of others.

    “The investigation will work to determine the nature of the explosion and its causes, whether it was due to an air or missile or artillery strike, and we will announce the results of the investigation soon.”

    Nicknamed Zul Fikar, after the sword of Imam Ali, the Prophet Muhammad’s cousin and one of the most revered figures in Shia Islam, Badreddine was born in 1961 in the southern Beirut suburb of Ghobeiry, and rose to greater prominence after Mughniyeh’s assassination.

    He was sentenced to death in Kuwait in the 1980s over a plot to blow up the American and French embassies there during the Iran-Iraq war, but later escaped after Saddam Hussein’s army invaded the oil-rich emirate and threw open its prisons.

    Hezbollah said he had been involved in nearly all the group’s operations since its inception in the early 1980s. Most had targeted Israel, which occupied southern Lebanon from 1982 to 2000. However, Badreddine had also been accused of leading a cell that was allegedly responsible for the assassination of former Lebanese prime minister Rafiq Hariri on the Beirut waterfront in February 2005.

    He was indicted in 2011 by the special tribunal for Lebanon, an international court established in the Hague, in connection with the massive 2005 bombing, which led Syrian leader Bashar al-Assad to withdraw his forces from Lebanon in the face of a civic uprising.

    Badreddine and four other alleged members of Hezbollah remain on trial in absentia at the Hague. Prosecutors have offered one of the few publicly available glimpses of the shadowy Hezbollah operative, describing him as the “apex” of the cell that allegedly killed Hariri, and a figure akin to an “untraceable ghost” who assumed multiple identities.

    He was known to have studied at a Lebanese university and to have maintained an apartment in the Lebanese seaside area of Jounieh. He was also active in the south Beirut suburb of Dahiyeh, where he was last seen early last year at a wake for Jihad Mughniyeh, the son of Imad Mughniyeh, who was also killed by an Israeli airstrike.

    While holding senior positions throughout his career, Badreddine was most known for his role in leading Hezbollah’s large contingent in Syria, which it sent to defend the interest of the Assad regime as his grip on power weakened in 2012. Hezbollah has since lost an estimated 900 members in fighting across Syria, where along with Iran, it has taken the lead in directing numerous battles.

    Israel has refused to comment on airstrikes it has previously launched inside Syria. However, unnamed officials have said the strikes had targeted anti-aircraft systems that were allegedly being transferred to Hezbollah. It had also targeted a Hezbollah leader, Samir Kuntar, who had been jailed inside Israel for more than 30 years until his release in 2008.

    Despite Israeli protests, Russia has recently proceeded with a long-delayed sale to Iran of the advanced S-300 weapons system, which can shoot down most modern fighter jets. Israeli officials have said they would prioritise tracking the whereabouts of the systems, the position of which in southern Lebanon would pose a potent threat to their air force.

    The US treasury department sanctioned Badreddine in 2012 for his activities in support of the government of Assad in Syria, along with the group’s leader, Hassan Nasrallah, and its head of external operations, Talal Hamiyah.

    Hezbollah said it would hold funeral services on Friday in honour of Badreddine. In south Beirut, posters of Badreddine, whose image had rarely been published, were being hung from overpasses and lamp-posts.

    Tens of thousands of mourners are expected to pay their respects at a shrine site for Hezbollah dead, which includes the graves of Imad and Jihad Mughniyah. Nasrallah is also expected to make a public statement – his second within a week.

    Martin Chulov and Kareem Shaheen in Beirut
    Friday 13 May 2016 04.00 BST First published on Friday 13 May 2016 03.32 BST

    Find this story at 13 May 2016

    © 2017 Guardian News and Media Limited

    Mustafa Badreddine: the Hezbollah leader who left no footprints (2016)

    From nieuwsblog.burojansen.nl

    Elias Saab. Sami Issa. Safi Badr. Zul Fikar. All were aliases of Hezbollah’s secretive military commander, Mustafa Amine Badreddine, described in court records as an “untraceable ghost”.

    Few details are known about Badreddine, who was killed this week in a mysterious explosion at a Hezbollah base near Damascus airport. This despite him being one of the most prominent figures in the party and the brother-in-law of the notorious Imad Mughniyeh, who he succeeded as military commander after the latter was killed in a 2008 joint CIA-Mossad operation in the Syrian capital.

    Born in the southern Beirut suburb of Ghobeiry on 6 April 1961, Badreddine had a pronounced limp, believed to have been sustained while he fought alongside pro-Palestinian and pan-Arabist militias during the Israeli invasion of Lebanon in 1982.

    His nom de guerre was Sayyed Zul Fikar: Sayyed indicating a claimed descent from the prophet Muhammad; Zul Fikar being the name of the legendary forked sword of Imam Ali, the prophet’s cousin and one of the most revered figures in Shia Islam.

    Badreddine was arrested and sentenced to death in Kuwait in 1983 over his suspected involvement in a string of coordinated bombings in the tiny Gulf emirate that also targeted the US and French embassies. They were believed to be retribution for Kuwait and the west’s support for Iraq in its war with Iran.

    The sentence, which had to be formally approved by the emir, was never carried out, perhaps as a consequence of a series of attacks and plane hijackings demanding the release of the Kuwait attackers, and which allegedly involved Mughniyeh. It was also never carried out because when the Iraqi dictator Saddam Hussein invaded Kuwait in August 1990, he threw open the doors of the country’s prisons, allowing Badreddine to escape.

    This is where the trail disappears. It only emerges again in 2011, when UN prosecutors investigating a 2005 Beirut bombing that killed Lebanon’s prime minister, Rafik Hariri, indicted Badreddine. They alleged he was the coordinator of a sophisticated network that tracked and ultimately assassinated the popular billionaire.

    Court records from the special tribunal for Lebanon have offered a rare glimpse into the life of Badreddine, who was charged with conspiring to commit a terrorist act, carrying out a terrorist act by means of an explosive device, and intentional homicide.

    Badreddine studied political science at the Lebanese American University from 2002-04. He drove a Mercedes Benz, owned the Samino jewellery shop in Beirut, and an apartment in Jounieh, a coastal town north of the capital known for its active nightlife, where he supposedly entertained friends.

    His phone’s contact list, prosecutors alleged, included the numbers of college friends and business associates, Hezbollah officials and bodyguards, family members as well as supposed girlfriends.

    Badreddine became military commander in 2008 after his brother-in-law was killed by a bomb placed in the headrest of his car. Mughniyeh had been the architect of Hezbollah’s guerrilla defence in Lebanon during the 2006 war with Israel and was implicated in the 1990s bombing of a synagogue in Argentina.

    There are almost no images available of Badreddine. Two that were made available by the tribunal were dated, one showing him as a teenager and the other apparently from his days in Kuwait, showing a handsome young man with curly hair and a moustache, dressed in a tie-less suit. On Friday Hezbollah’s media department circulated a photo of the commander smiling in military fatigues and sporting a short grey beard and spectacles.

    Badreddine left few personal records. Investigators for the UN trial say they found no driving licences or passports, no property formally owned by him, no record of him ever having left Lebanon, no bank accounts, and no photos from around the time of Hariri’s assassination. In the opening sessions of his trial in absentia in The Hague, prosecutors said he “passes as an unrecognisable and untraceable ghost throughout Lebanon, leaving no footprint as he passes”.

    Hezbollah vehemently denies the allegations and does not recognise the tribunal.

    In recent years, Badreddine was mostly known for his role in leading Hezbollah’s contingent in Syria, where the paramilitary group has been instrumental in ensuring the continued survival of the Assad government, alongside its patron, Iran, where an estimated 900 of the party’s fighters have died, including Jihad Mughniyeh, Imad’s son.

    Badreddine was sanctioned by the US Treasury Department over his role in Syria in 2012.

    An Israeli investigative journalist who is writing a history of the Mossad said the strike that killed Jihad Mughniyeh near the Golan Heights last year was actually aimed at Badreddine.

    Kareem Shaheen in Beirut
    Friday 13 May 2016 10.02 BST Last modified on Friday 27 May 2016 07.25 BST

    Find this story at 13 May 2016

    © 2017 Guardian News and Media Limited

    Mystery of Missing Lebanese Cleric Deepens (2015)

    From nieuwsblog.burojansen.nl

    BEIRUT, Lebanon — When the youngest son of the former Libyan leader, Col. Muammar el-Qaddafi, was arrested in Lebanon last week in connection with the unsolved disappearance of Moussa al-Sadr, an exalted Lebanese Shiite cleric who vanished while visiting Libya in 1978, speculation sprouted about new information concerning one of the biggest whodunits in the treacherous politics of the Middle East.

    On Monday, the mystery deepened with news that the son, Hannibal Qaddafi, may have been forcibly — and illegally — brought to Lebanon against his will in a plot involving the son of a colleague of Mr. Sadr’s, Sheikh Mohammad Yacoub, who disappeared along with Mr. Sadr and a third companion in Libya nearly four decades ago.

    Lebanese officials said that Sheikh Yacoub’s son, Hassan Yacoub, a former member of Parliament, had been formally placed under arrest on suspicion that he had helped orchestrate the abduction of Hannibal Qaddafi from Damascus, Syria, in the days preceding Mr. Qaddafi’s arrest here. The officials and a lawyer for Mr. Qaddafi said he had been living in Syria, granted asylum by the Syrian government in the aftermath of Colonel Qaddafi’s violent fall from power in October 2011.

    Even with the arrest of Mr. Yacoub, Hannibal Qaddafi remains under arrest in Lebanon, accused by an investigative magistrate of not providing all information he may know about the disappearance of Mr. Sadr, Sheikh Yacoub and Abbas Badreddine, a journalist, while they were visiting Libya at Colonel Qaddafi’s invitation in August 1978. It is unclear what information Hannibal Qaddafi, 40, could possibly share, since he was a small boy at the time.

    The disappearance of Mr. Sadr and his colleagues in Libya remains a potent mystery in Lebanon, where Mr. Sadr is revered as a hero to poor Shiites from the tumultuous days of the 1970s, when Lebanon was convulsed by civil war, a spillover of the Israeli-Palestinian conflict and other problems. The disappearance has been the subject of numerous criminal inquiries. Colonel Qaddafi, a notoriously erratic and unpredictable dictator, insisted that he had nothing to do with it and that the Lebanese visitors vanished after having flown to Italy.

    Many Lebanese say they believe that three Qaddafi aides, disguised as the Lebanese visitors, flew to Italy with their luggage to create a false narrative about where they had last been seen.

    Mr. Qaddafi’s lawyer, Boshra Khalil, said in a telephone interview that her client had been beaten and thrown into a car trunk when kidnapped from Syria by people she described as bodyguards of Mr. Yacoub.

    The Lebanese news media have widely reported that Mr. Qaddafi had been brought to Lebanon in Mr. Yacoub’s car. His abductors forced Mr. Qaddafi to read a statement broadcast on Lebanese television on Dec. 10, in which he said that they were disciples of Mr. Sadr and that their cause was just. They turned him over to Lebanon’s Internal Security Forces the next day, and he was placed under formal arrest on Dec. 14.

    Ms. Khalil said she expected him to be released soon. “He is not guilty, and he was 3 years old when Imam Sadr went missing,” she said. “He knows nothing about the case.”

    Hwaida Saad reported from Beirut, and Rick Gladstone from New York.

    By HWAIDA SAAD and RICK GLADSTONE, DEC. 21, 2015

    Find this story at 21 December 2015

    © 2017 The New York Times Company

    Beirut, Also the Site of Deadly Attacks, Feels Forgotten (2015)

    From nieuwsblog.burojansen.nl

    The relatives of one of the victims of the twin suicide attacks in Beirut mourned during a funeral procession in the city’s Burj al-Barajneh neighborhood. Credit Wael Hamzeh/European Pressphoto Agency

    BEIRUT, Lebanon — Ali Awad, 14, was chopping vegetables when the first bomb struck. Adel Tormous, who would die tackling the second bomber, was sitting at a nearby coffee stand. Khodr Alaa Deen, a registered nurse, was on his way to work his night shift at the teaching hospital of the American University at Beirut, in Lebanon.

    All three lost their lives in a double suicide attack in Beirut on Thursday, along with 40 others, and much like the scores who died a day later in Paris, they were killed at random, in a bustling urban area, while going about their normal evening business.

    Around the crime scenes in south Beirut and central Paris alike, a sense of shock and sadness lingered into the weekend, with cafes and markets quieter than usual. The consecutive rampages, both claimed by the Islamic State, inspired feelings of shared, even global vulnerability — especially in Lebanon, where many expressed shock that such chaos had reached France, a country they regarded as far safer than their own.

    But for some in Beirut, that solidarity was mixed with anguish over the fact that just one of the stricken cities — Paris — received a global outpouring of sympathy akin to the one lavished on the United States after the 9/11 attacks.

    Monuments around the world lit up in the colors of the French flag; presidential speeches touted the need to defend “shared values;” Facebook offered users a one-click option to overlay their profile pictures with the French tricolor, a service not offered for the Lebanese flag. On Friday the social media giant even activated Safety Check, a feature usually reserved for natural disasters that lets people alert loved ones that they are unhurt; they had not activated it the day before for Beirut.

    The site of Thursday’s twin suicide bombings in the Burj al-Barajneh neighborhood of Beirut, Lebanon. Credit Bilal Hussein/Associated Press

    “When my people died, no country bothered to light up its landmarks in the colors of their flag,” Elie Fares, a Lebanese doctor, wrote on his blog. “When my people died, they did not send the world into mourning. Their death was but an irrelevant fleck along the international news cycle, something that happens in those parts of the world.”

    The implication, numerous Lebanese commentators complained, was that Arab lives mattered less. Either that, or that their country — relatively calm despite the war next door — was perceived as a place where carnage is the norm, an undifferentiated corner of a basket-case region.

    In fact, while Beirut was once synonymous with violence, when it went through a grinding civil war a generation ago, this was the deadliest suicide bombing to hit the city since that conflict ended in 1990. Lebanon has weathered waves of political assassinations, street skirmishes and wars; Israeli airstrikes leveled whole apartment blocks in 2006. But it had been a year of relative calm.

    (A reminder of the muddled perceptions came last week, when Jeb Bush, the Republican presidential candidate, declared that “if you’re a Christian, increasingly in Lebanon, or Iraq or Syria, you’re gonna be beheaded.” That was news to Lebanon’s Christians, who hold significant political power.)

    The disparity in reactions highlighted a sense in the region of being left alone to bear the brunt of Syria’s deadly four-year war, which has sent more than four million refugees fleeing, mostly to neighboring countries like Lebanon. For the Lebanese, the government has been little help, plagued as it is with gridlock and corruption that have engendered electricity and water shortages and, most recently, a collapse of garbage collection. Many in the region — both supporters and opponents of the Syrian government — say they have long warned the international powers that, if left unaddressed, the conflict would eventually spill into the West.

    To be sure, the attacks meant different things in Paris and Beirut. Paris saw it as a bolt from the blue, the worst attack in the city in decades, while to Beirut the bombing was the fulfillment of a never entirely absent fear that another outbreak of violence may come.

    Lebanon seemed to have recovered over the past year and a half from a series of bombings claimed by Sunni militant groups as revenge for the intervention by Hezbollah, the Lebanon-based Shiite militia, in the Syrian civil war to provide critical support for the Syrian government.

    Some blamed news coverage for the perception that Beirut is still an active war zone. They cited headlines — including, briefly, a Times one that was soon changed to be more precise — that refer to the predominantly Shiite neighborhood where the bombing took place as a “stronghold” of the militia and political party Hezbollah.

    That is hard to dispute in the political sense — Hezbollah controls security in the neighborhood and is highly popular there, along with the allied Amal party. But the phrase also risks portraying a busy civilian, residential and commercial district as a justifiable military target.

    Meanwhile, Syrians fretted that the brunt of reaction to both attacks would fall on them. There are a million Syrians in Lebanon, a country of four million; some have become desperate enough to contemplate joining the accelerating flow of those taking smugglers’ boats to Europe.

    But now, the attacks could rally political pressure in Europe to stop admitting them. When evidence emerged that at least one of the Paris attackers may have posed as an asylum seeker to reach Europe, some opponents of the migration quickly used that to argue for closing the doors.

    That drew sharp reactions from Syrians, who said refugees were fleeing to Europe precisely to escape indiscriminate violence.

    “This is the sort of terrorism that Syrian refugees have been fleeing by the millions,” declared Faisal Alazem, a spokesman for the Syrian Canadian Council.

    The compassion gap is even more evident when it comes to the situation in Syria itself, where death tolls comparable to the 129 so far in the Paris attacks are far from rare and, during the worst periods, were virtually daily occurrences.

    “Imagine if what happened in Paris last night would happen there on a daily basis for five years,” said Nour Kabbach, who fled the heavy bombardment of her home city of Aleppo, Syria, several years ago and now works in humanitarian aid in Beirut.

    “Now imagine all that happening without global sympathy for innocent lost lives, with no special media updates by the minute, and without the support of every world leader condemning the violence,” she wrote on Facebook. Finally, she said, ask yourself what it would be like to have to explain to your child why an attack in “another pretty city like yours” got worldwide attention and your own did not.

    Back in southern Beirut over the weekend, as the government announced the arrest of seven Syrians and two Lebanese in connection with the attack, the street where the bombings took place was strewn with lettuce and parsley from pushcarts overturned in the blast. Men washed blood from sidewalks. A shop’s inventory of shoes — from small children’s slippers to women’s clogs — was scattered across the pavement. Several funeral processions were massing, ready to march to cemeteries.

    Residents mourned Ali Awad, 14, passing around his picture in a scouting uniform. He had run out to see what had happened after the first blast, and was caught in the second, relatives said.

    Nearby, Abdullah Jawad stood staring glumly into a shop. His friend, the owner, had died there, just after Mr. Jawad had painted the place.

    “The government can’t protect us,” he said. “They can’t even pick up the trash from the streets.”

    As for Facebook, it declared that the high level of social media activity around the Paris attacks had inspired the company to activate Safety Check for the first time for an emergency other than a natural disaster, and that a policy of when to do so was still developing.

    “There has to be a first time for trying something new, even in complex and sensitive times, and for us that was Paris,” wrote Alex Schultz, the company’s vice president for growth, adding that Safety Check is less useful in continuing wars and epidemics because, without a clear end point, “it’s impossible to know when someone is truly ‘safe.’”

    Hwaida Saad contributed reporting.
    By ANNE BARNARD, NOV. 15, 2015

    Find this story at 15 November 2015

    © 2017 The New York Times Company
