Arrested contractor may have worked for NSA’s elite cyber spy unit

A United States federal contractor, who remains in detention following his arrest last summer for stealing classified documents, may have worked for an elite cyber espionage unit of the National Security Agency. The man was identified by The New York Times last week as Harold Thomas Martin III, a 51-year-old employee of Booz Allen Hamilton, one of the largest federal contractors in the US. The paper said that, prior to joining Booz Allen Hamilton, Martin served as a US Navy officer for over a decade, where he specialized in cyber security and acquired a top secret clearance. But last August, agents of the Federal Bureau of Investigation raided Martin’s house in Maryland and arrested him on charges of stealing government property and illegally removing classified material.

Media reports suggest that the FBI discovered significant quantities of classified information, some of it dating back to 2006, on a variety of electronic devices that Martin had stored —though apparently not hidden— in his house and car. Another interesting aspect of the case is that there is no proof at this point that Martin actually shared the classified information with a third party. There is some speculation that he may be behind a disclosure of a collection of NSA hacking tools, which were leaked in August of this year by a previously unknown group calling itself “the Shadow Brokers”. But some speculate that Martin may have taken the classified material home so he could write his dissertation for the PhD he is currently undertaking at the University of Maryland’s Information Systems program.

A few days ago, The Daily Beast quoted an unnamed former colleague of Martin who said that the NSA contractor was a member of one of the agency’s elite cyber spy units. The existence of the secretive unit, which is known as the NSA’s Office of Tailored Access Operations, was revealed in June 2013 by veteran NSA watcher Matthew M. Aid. Writing in Foreign Policy, Aid cited “a number of highly confidential sources” in alleging that the NSA maintained a substantial “hacker army” tasked with conducting offensive cyber espionage against foreign targets. More information on NSA’s TAO was provided in January 2014 by German newsmagazine Der Spiegel. If The Daily Beast’s allegations about Martin are accurate, they would explain why anonymous government sources told The Washington Post last week that some of the documents Martin took home “could be expected to cause exceptionally grave damage to the national security of the United States”. The case also highlights the constant tension between security and the privatization of intelligence, which was also a major parameter in the case of Edward Snowden, another Booz Allen Hamilton contractor who defected to Russia in 2013.

Meanwhile, Martin remains in detention. If he is convicted, he will face up to 11 years behind bars.

Author: Joseph Fitsanakis | Date: 10 October 2016

France’s ex-cyber spy chief speaks candidly about hacking operations

The former director of France’s cyber spy agency has spoken candidly about the recent activities and current state of French cyber espionage, admitting for the first time that France engages in offensive cyber operations. Between 2006 and 2013, Bernard Barbier was director of the technical division of the General Directorate for External Security, France’s external intelligence agency, which is commonly known as DGSE. During his tenure at DGSE, the organization’s technical division witnessed unprecedented financial and administrative growth. Today it is said to employ over 2500 people, nearly half of DGSE’s total personnel.

Earlier this month, Barbier was interviewed on stage during a symposium held by the CentraleSupélec, a top French engineering university based in Paris. He spoke with surprising candor about France’s cyber espionage operations. In the first part of his interview, which can be watched on YouTube, he recounted the history of what he described as “France’s cyber army”. He said that France began to build “teams of hackers” in 1992. Around that time, the DGSE purchased an American-built Cray supercomputer, said Barbier, and soon discovered that it could use the machine’s immense computing power to break passwords. More recently, said the former cyber spy chief, the DGSE has been trying to “catch up” with its American and British counterparts, the National Security Agency and the Government Communications Headquarters, by increasing its annual budget to over half a billion and hiring hundreds of young hackers. Many of these new employees have little to no university education, said Barbier, and are instead self-taught, having started hacking in their teenage years.

Like most governments, France will not officially admit to conducting offensive cyber operations using computer hacking and other techniques. But Barbier said during his interview that France was behind an offensive cyber operation that targeted Iran in 2009. He added that the DGSE has also directed cyber operations against Canada, Ivory Coast, Algeria, Norway, as well as its European Union partners Spain and Greece. He also complained that French government executives do not understand the importance of cyber operations and are not aiming high enough when it comes to planning, direction and hiring. The DGSE’s technical division still needs between 200 and 300 more staff members, Barbier argued in his interview.

Author: Joseph Fitsanakis | Date: 16 September 2016

Russian hackers accessed Obama’s email correspondence

Computer hackers believed to be connected to the Russian government were able to access emails belonging to the president of the United States, according to American officials briefed about the ensuing investigation. The cyberattack on the White House was announced by American government officials in October of last year, soon after it was discovered by security experts. But The New York Times said on Saturday that the hacking was far more intrusive than had been publicly acknowledged and that the information breach resulting from it was “worrisome”. The paper said that the individuals behind the cyberattack were “presumed to be linked to the Russian government, if not working for it”. It also quoted one unnamed senior US official, who said that the group that perpetrated the hacking was “one of the most sophisticated actors we’ve seen”.

Little concrete information has emerged on the hacking, but it appears to have started with attempts to compromise computers at the US Department of State. As CNN reported earlier this month, the hackers essentially managed to take control of the State Department’s declassified computer network and exploit it for several months. In most American government departments, senior officials operate at least two computers in their offices. One is connected to the government’s secure network used for classified communications; the other is used to communicate unclassified information to the outside world. In theory, those two systems are supposed to be separate. However, it is common knowledge that the publicly linked computers often contain sensitive or even classified information. It is this unclassified part of the network that the alleged Russian hackers were able to access, in both the State Department and the White House.

According to The Times, by gaining access to the email accounts of senior US government officials, the hackers were able to read unclassified emails sent or received by, among others, President Barack Obama. The US president’s own unclassified account does not appear to have been breached, said the paper, nor were the hackers able to access the highly classified server that carries the president’s mobile telephone traffic. Nevertheless, the operation to remove monitoring files placed in US government servers by the hackers continues to this day, and some believe that the presence of the intruders has yet to be fully eradicated from the system. The Times contacted the US National Security Council about the issue, but was told by its spokeswoman, Bernadette Meehan, that the Council would “decline to comment”. The White House also declined to provide further information on the incident and the ensuing investigation.

News you may have missed #891

By IAN ALLEN |
►►Sophisticated malware found in 10 countries ‘came from Lebanon’. An Israel-based computer security firm has discovered a computer spying campaign that it said “likely” originated with a government agency or political group in Lebanon, underscoring how far the capability for sophisticated computer espionage is spreading beyond the world’s top powers. Researchers ruled out any financial motive for the effort that targeted telecommunications and networking companies, military contractors, media organizations and other institutions in Lebanon, Israel, Turkey and seven other countries. The campaign dates back at least three years and allegedly deploys hand-crafted software with some of the hallmarks of state-sponsored computer espionage.
►►Canada’s spy watchdog struggles to keep tabs on agencies. The Security Intelligence Review Committee (SIRC), which monitors Canada’s intelligence agencies, said continued vacancies on its board, the inability to investigate spy operations with other agencies, and delays in intelligence agencies providing required information are “key risks” to its mandate. As a result, SIRC said it can review only a “small number” of intelligence operations each year.
►►Analysis: After Snowden, NSA faces recruitment challenge. This year, the NSA needs to find 1,600 recruits. Hundreds of them must come from highly specialized fields like computer science and mathematics. So far the agency has been successful. But with its popularity down, and pay from wealthy Silicon Valley companies way up, agency officials concede that recruitment is a worry.

After China, Russia may ban some Apple products, fearing espionage

By JOSEPH FITSANAKIS |
Parliamentarians in Russia are preparing a bill that would prevent lawmakers from using several Apple products, including iPhones and iPads, due to fears that they are susceptible to penetration by foreign intelligence agencies. A group of lawmakers in the State Duma, the lower house of the Federal Assembly of Russia, have drafted the bill, which argues that State Duma deputies with access to confidential or classified government information should be banned from using iPhones and iPads, among other Apple products. One deputy, Dmitry Gorovtsov, from the center-left Just Russia party, said parliamentarians should simply “switch to simple mobile phones”, preferably produced by Russian manufacturers, and should use them “only for phone calls”. Last month, the Russian Ministry of Defense stepped in to deny media reports that it was about to ban Apple products. The denial came in response to a leading article in the mass-circulation daily Izvestia, which cited an unnamed Defense Ministry employee as saying that the Russian armed forces were about to ban the use of iPhones by all servicemen. The article claimed the move was designed to stop “information leaks”. But a Russian Ministry of Defense spokesman, Major General Igor Konashenkov, told a press conference that the Russian armed forces had no plans to ban “the mobile devices of a certain manufacturer”. The news from Russia comes just months after authorities in China announced the removal of some Apple products from a government procurement list, reportedly because of fears that they were susceptible to electronic espionage by the United States. As intelNews reported at the time, nearly a dozen Apple products were removed from the Chinese government list; they included the iPad and iPad Mini, as well as MacBook Air and MacBook Pro products —though interestingly the inventory of removed items did not include Apple smartphone products.
The Russian State Duma initiative to ban some Apple products has already been approved by a security-related committee and has now been forwarded to the Duma Council. The latter will consider the bill for approval, before sending it to a plenary session on the floor of the Duma for discussion. The process is expected to take up to two weeks.

Malware targeting ex-Soviet states has Russian hallmarks

By IAN ALLEN |
A piece of malicious software that has infiltrated the computer systems of dozens of embassies belonging to former Eastern Bloc nations “has all the hallmarks of a nation-state” cyberespionage operation, according to researchers. Security firm Symantec said last week that the malware appears to be specifically targeting embassies of former communist nations located in China and Jordan, as well as in locations across Western Europe. In a report published on its website, Symantec said “only a nation state” was likely to have the funds and technical resources to create malware of such complexity. Additionally, the malware seems to be designed “to go after explicit government networks that are not easy to find”, according to Symantec senior security researcher Vikram Thakur. The infiltration appears to occur in two stages. In the first stage, a computer is infected with a reconnaissance program, known as Wipbot. The initial infection usually occurs through a directed phishing attack or via a compromised website. Wipbot then conducts an initial exploration of the infected system, collecting vital information about its identity, structure and contents. It proceeds to compromise the system only if its Internet address matches the specific address it is looking for. If a match is confirmed, Wipbot invites a second program into the compromised system, whose task is to expropriate data and exfiltrate it in batches that are camouflaged as Internet browser requests. Symantec researchers say that the technical similarities between the two programs are sufficient to justify the view that they were designed and developed by programmers working for the same government agency. Thakur said the structure of the malware is particularly creative: it uses Wipbot as an initial reconnaissance tool and delivers the exfiltration program only if it judges that the compromised system is of high enough interest.
The Symantec report adds that the malware in question is part of a four-year-long series of cyberespionage attacks that have systematically targeted government facilities belonging to former Communist Bloc states. In May of 2012, a similar malware was found to have infiltrated over 60 different computer systems belonging to a former Soviet Republic, including the office of the Prime Minister. A closely linked attack targeted another former communist state’s embassy in Paris, France, as well as its foreign and internal affairs ministries. The Symantec research points out that many of the malicious program’s core components were compiled in the UTC+4 time zone, which includes Russian cities such as Moscow and St. Petersburg.

China stops using some Apple products, fearing US espionage

By JOSEPH FITSANAKIS | intelNews.org
Authorities in China have removed Apple products from a government procurement list because of fears that they are susceptible to electronic espionage by the United States. Citing “government officials familiar with the matter”, Bloomberg News said on Wednesday that 10 Apple products have been removed from the list, including the iPad and iPad Mini, as well as MacBook Air and MacBook Pro products —though interestingly the inventory of removed items does not include Apple smartphone products. The procurement list is produced several times a year by China’s Ministry of Finance and the National Commission for Development and Reform. It specifies the types of products that can be purchased with public funds by all central departments of the Communist Party of China, as well as by all state and local government ministries. The surprise removal of Apple products from the list follows a report aired by Beijing’s state-owned China Central Television in July, which claimed that security weaknesses in Apple software could cause the theft of sensitive state secrets. Apple vigorously rejected the claims made in the television report. The action by the Chinese government is the latest move in a tit-for-tat cyberespionage war between Washington and Beijing, which began in 2013, when American defector Edward Snowden began leaking US intelligence secrets. In June of that year, it was revealed that the US National Security Agency (NSA) had been engaged in protracted offensive cyberespionage operations against China for nearly 15 years. Almost a year later, the US Department of Justice charged a group of Chinese military officers with stealing American trade secrets through cyberespionage. Apple is not the first American technology firm to be hit with removals of its products from the Chinese government’s procurement list.