SPY NEWS: 2022 — Week 11

Summary of the espionage-related news stories for Week 11 (13–19 March) of 2022.

The Spy Collection
Mar 20, 2022

1. Ukrainian SBU Publishes COMINT Content from Russian Forces

Throughout this week, Ukraine’s Security Service (SBU) has been publishing intercepted communications, allegedly from Russian forces. The first is from Kharkiv, reporting to “attack everyone” including civilians, but not children. The second is Russian troops complaining about not receiving the $2,000 salary promised. The third demonstrates looting of shops in the Sumy region. The fourth is from near Kherson, with Russian forces arriving unprepared and without prior knowledge of the operation. You can find more on the SBU’s official YouTube channel.

2. Spy Collection: NSA Foreign Satellite (FORNSAT) Exploitation

This week we published a 14-minute long video based on a slide deck leaked in March 2018 by The Intercept, originally obtained by Edward Snowden in 2013. The presentation talks about NSA’s S3312, the Foreign Satellite (FORNSAT) exploitation group, focusing mainly on Inmarsat products’ Signals Intelligence (SIGINT). S3312 was part of NSA’s Global Access Operations (GAO, designation: S33) when that slide deck was created.

3. Cyber Espionage Campaign Targeting Bangladesh

Lous Hur, CEO of the cyber threat intelligence firm Dark Tracer, disclosed the discovery of an active cyber espionage campaign targeting law enforcement agencies in Bangladesh by impersonating emails from the Pakistani government. The malicious email had the subject “List of Numbers to be verified” and contained a lure file with a cyber espionage software implant. The sample shown was sent to Bangladesh’s Rapid Action Battalion (RAB), an elite anti-crime and anti-terrorism unit of the Bangladesh Police. No attribution statement was made about who was behind this operation.

4. Russia Confirms Death of GRU Officer in Mariupol, Ukraine

On Monday, March 14th, according to the Evening Standard, Russia announced the death of two members of an elite paratrooper unit in Mariupol, Ukraine. One of them was Captain Alexey Glushchak, 31, from Tyumen in Siberia, who was serving in Russia’s military intelligence (GRU). The statement said “due to the strict secrecy of the military operation, the circumstances of the death of the Tyumen hero are not disclosed.” This marks the first publicly confirmed death of a GRU officer in Ukraine since the beginning of the conflict.

5. Podcast: Damascus Station

Former CIA intelligence analyst David McCloskey did a 1-hour long podcast at “The Crew Reviews” about his latest (spy novel) book titled “Damascus Station.” As per the description, General David Petraeus, former Director of the CIA, reviewed this book as “the best spy novel I have ever read.”

6. S. Korean NIS Warns of Kidnapping Threats in Nigeria and Haiti

On Monday, the Yonhap News Agency published a story quoting South Korea’s National Intelligence Service (NIS). According to it, NIS issued a warning to South Korean citizens for the continued “kidnapping risks in countries including Nigeria and Haiti.” The warning also stated that “South Koreans could face growing threats as international terrorist groups have expanded their power in politically and economically unstable parts of the Middle East and Africa and right-wing hate crimes against women and immigrants have been increasing in the United States and Europe.”

7. SBU Publishes Summary for Counter-Espionage Activities

On March 13th, Ukraine’s Security Service (SBU) published a summary of their counter-espionage activities for that day. Those included detaining a man in the Kharkiv region who was collecting and reporting “data on the location and routes of the Armed Forces, as well as the coordinates of infrastructure facilities, so that the occupiers could carry out missile and bomb strikes on them.” Secondly, a couple in Kharkiv was arrested for collaboration with Russian special services. The man was helping identify shelling locations, and the woman was propagating the idea of “руZZкого міра” (Russian World) on social media. In Odessa, SBU detained a Russian agent “collecting information about the defensive structures that the self-defense forces set up.” And in the Luhansk region SBU arrested a woman who “helped enemy troops bomb Severodonetsk.”

8. Iranian IRGC Hits, Alleged, Mossad Facilities in Iraqi Kurdistan

Reportedly, following an Israeli drone strike in the Iranian province of Kermanshah, the Iranian Islamic Revolutionary Guard Corps (IRGC) launched a retaliatory attack in the Mahidasht region of Erbil, Iraq (part of semi-autonomous Kurdistan). According to the IRGC, the targets were two Mossad compounds (acting as covert operations training facility and Mossad station respectively), with Al-Mayadeen television network stating that one was in Masif-Saladin, Erbil and it was “fully razed to the ground and a number of Israeli mercenaries were killed or injured.” Iraq’s Sabereen News reported that “two Mossad training centers were targeted by ballistic missiles in the early hours of Sunday.” On Friday, The Cradle published that “the official spokesman of the Patriotic Union of Kurdistan (PUK) party’s Erbil office, Azad Jolla, confirmed that the Israeli spy agency Mossad has long been active in the capital of the Iraqi Kurdistan Region (IKR)” and released a photo of the site after the Iranian missile attack.

9. Video: Debate with Former MI6 Officer Christopher Steele

The Oxford Union published a 46-minute long debate with Christopher Steele, former MI6 officer who worked with the British intelligence services for over two decades. Among others, he ran the Russia desk at the MI6 headquarters in London before co-founding a private intelligence firm.

10. Slovakia Uncovered Russian Agents and Expelled 3 Officers

The Slovak Defence Minister, Jaroslav Nad, confirmed that the National Criminal Agency (NAKA) received “key intelligence information, including clear evidence” for a Russian espionage network, after which three Russian diplomats (covert GRU officers) were expelled from the Russian Embassy in Bratislava. The initial reports state that four Slovakian nationals were also detained and two of them face espionage charges. On Tuesday, Denník N news agency published video content from a 2021 covert surveillance operation of the Slovakian Information Service (SIS) showing the Bratislava Russian Embassy’s Military Attaché, Colonel Sergei Solomasov, paying €1000 to Slovakian journalist Bohuš Garbár to promote certain news on the “Hlavné Správy” news website based on classified information provided by Bohuš M. This person, Bohuš M., is a former SIS counter-intelligence officer who was also detained. The third detainee is Slovakian Military Academy Colonel Pavel Bučka, arrested for providing classified information to his Russian handler since 2013. And the fourth is former assistant MP Jozef Mihalčina. The task of Mihalčina was to “obtain classified information” related to parliament material such as budgets, policy plans, personal information, etc.

11. New (fourth) Destructive/Wiper Cyber Attack Tool in Ukraine

The Research Labs of the cyber-security firm ESET announced the discovery of a new (fourth so far — along with HermeticWiper, IsaacWiper, and WhisperGate) destructive (data wiping) covert software implant targeting Ukraine. The newly discovered software implant was dubbed “CaddyWiper” and does not share similarities with the previously discovered ones. ESET detected it in Ukraine, “seen on a few dozen systems in a limited number of organizations.” Once executed, “CaddyWiper” covertly wipes/deletes data on the infected systems. No attribution statement was made at this stage. Later, Cisco’s Talos intelligence published a technical analysis of “CaddyWiper.”

12. Video: Former CIA SAC/GRS Operator on Preparing for Fallout

On Tuesday, March 15th, American Kinetix (AX) published a 30-minute long knowledge transfer video featuring a CIA veteran, with experience from CIA’s Special Activities Centre (SAC) and Global Response Staff (GRS). The video focuses on tips, tradecraft, and principles on how to prepare for fallout situations, including how to establish and operate an intelligence network.

13. US Nuclear Engineer and His Wife Were Trying to Sell Secrets to Brazilian Officials

Last month (see week 6 story #52, and week 7 story #11) US Navy Nuclear Engineer Jonathan Toebbe and his wife, Diana Toebbe, pled guilty to attempting to sell nuclear reactor secrets to an unnamed country. The FBI collaborated with that country to find incriminating evidence and arrest them for espionage. According to the New York Times (NYT), the unnamed nation-state was Brazil. The Brazilian officials quickly informed the FBI of Toebbe’s attempts to sell them military secrets and this is how the FBI counter-intelligence operation started. According to the NYT, the Brazilian government “wanted their cooperation to remain confidential which is why the identity was kept a secret.”

14. China Claims They Captured NSA’s NOPEN Cyber Espionage Tool

According to the Chinese state-controlled Global Times, the National Computer Emergency Response Team/Coordination Centre of China (CNCERT/CC) captured an advanced United States National Security Agency (NSA) custom software implant known as “NOPEN” which targeted Chinese entities. The first time (an earlier version of) “NOPEN” was leaked to the public was via The Shadow Brokers in 2016.

15. Podcast: An NSA Agent Abroad

On Tuesday, March 15th, Spycraft 101 published a new podcast, over 1 hour long, featuring Dr. Eric Haseltine, former Director of Research and Development at the US National Security Agency (NSA) and effectively the Chief Technical Officer (CTO) of the US Intelligence Community. The podcast focuses on NSA operations during the Cold War era.

16. UAE/Israeli Attempt for SIGINT Operation on Yemen’s Aden Net Telecommunications Provider

On March 15th, the Al-Sabah Al-Yemeni news agency published a story describing how the United Arab Emirates (UAE) and Israel used a UAE government support program in an attempt to clandestinely install Signals Intelligence (SIGINT) gathering equipment in Yemen’s “Aden Net” telecommunications provider. The story says that UAE and Israel used a program titled “Assistance to Expand the Aden Net Network” as a cover for the installation of the spying equipment, but Aden Net’s network engineers identified that among the hardware upgrades there were also some “spy devices that were being monitored and controlled remotely” which were manufactured by an Israeli company. Aden Net’s Director, Mansour Al-Yadi, refused to install the devices/continue with the program, and released the story to the public. The news story concludes that it “is noteworthy that the Israeli intelligence and through the Emirates established intelligence and espionage bases on the strategic island of Socotra, and is currently seeking to expand its spying circle to include the entire southern governorates by targeting communication networks and the Internet.”

17. Video: Polish Cyclometer — An Early Enigma Cracking Machine

The British National Museum of Computing (TNMOC) published a 1-hour long presentation by Jerry McCarthy about the methods and devices Polish signals intelligence officers used to break the encryption of the German Enigma-family cipher machines, focusing more on a code-breaking machine they created that is known as “Cyklometr” (Cyclometer).

18. Canada’s CSIS Warned the Space Agency of Zheng’s Actions

A new story released by Canada’s CBC sheds more light on the story of Wanping Zheng (61), a former aerospace engineer who used his status as a Canadian Space Agency (CSA) engineer to negotiate satellite station installation agreements with Iceland on behalf of an unnamed Chinese aerospace company. According to the report, the Canadian Security Intelligence Service (CSIS) had issued three official counter-intelligence warnings to CSA starting in 2015, followed by one in May of 2016, and lastly one in September of 2017. CSIS reports were vague warnings of potential abuse of his access to restricted programs and information, behavioural issues, etc. CSIS refused to provide more details to CSA, which led to CSA launching an internal investigation on Zheng in 2018. In September 2019 CSA had collected enough evidence, and went to the RCMP to report that Zheng was suspected of having “transmitted secret information to a third party.” Now Zheng is scheduled to appear in a Longueuil, Que. court next week.

19. Cyber Attacks Hit Israeli Government Entities Allegedly from Iran

As observed by multiple sources, on Monday evening several Israeli government websites went offline. Israel’s National Cyber Directorate (INCD) classified the cyber attack as a Distributed Denial of Service (DDoS) on two of the country’s telecommunications providers (Bezeq and Cellcom). Subsequently, INCD together with the Ministry of Defence made a statement that the country was in a “state of emergency.” According to the Jerusalem Post, this was a retaliatory attack for a sabotage operation in Iran (see story #23) and it was executed by a cyber actor dubbed “BLACK SHADOW” who is, reportedly, closely affiliated with the state of Iran.

20. NRO Publishes Information on NROL-85 and NROL-87 Missions

The United States National Reconnaissance Office (NRO) published a 2-minute long video on the NRO Launch mission 87 (NROL-87) that launched some classified spy satellite(s) from the Vandenberg Space Force Base (VSFB), California on February 2, 2022. This was followed by a Tweet announcing that no earlier than April 15, 2022 NRO’s next mission (NROL-85) will launch some new payloads from the VSFB.

21. Ukrainian SBU Disrupts Covert GSM Network Used by Russia

On March 15th, Ukraine’s Security Service (SBU) announced the detainment of an individual who was operating a covert cellular phone network inside Ukraine. In the released photos, GSM modems with dozens of SIM cards can be seen. According to SBU, the covert GSM network had a triple purpose. First, to send mass anonymous SMS messages to Ukrainians to surrender as part of Russia’s Psychological Operations (PSYOP). Secondly, to allow Russian and Ukrainian officials to communicate anonymously through it. And thirdly, to pass commands and instructions covertly to Russian groups inside Ukraine.

22. Podcast: War in Iraq From In-Country, and While Serving on NSC at the White House

The US Association of Former Intelligence Officers (AFIO) published a 35-minute long interview featuring Douglas Ollivant, Senior National Security Studies Fellow at New America (a think tank) as well as a Managing Partner at Mantid International. Previously, he was a Senior Counter-Insurgency (COIN) Advisor to Regional Command East, and Director for Iraq on the National Security Council (NSC) under the Bush and Obama administrations. He is interviewed by James R. Hughes, 17th President of AFIO and veteran of the US Military Intelligence, CIA’s Clandestine Service, and Associate Deputy Director of Operations (ADDO) at the National Security Agency (NSA).

23. Iranian IRGC Thwarts Israeli Sabotage at Fordow Nuclear Plant

According to the Iranian state television, Iran’s Islamic Revolutionary Guard Corps (IRGC) thwarted an Israeli sabotage operation at Iran’s Fordow Nuclear Plant, planned to be executed right before “Nowruz” (end of the Iranian year which corresponds to March 20th). According to an IRGC spokesperson, an Iranian national was recruited by Mossad, given a laptop with secure communications software, and paid in both cash and cryptocurrencies to conduct this mission. He then used a contact in an unnamed Hong Kong company to put him in touch with an Iranian nuclear plant employee working with the advanced third-generation Iranian centrifuges (codenamed IR-6) at the Fordow Nuclear Plant. The activity was disrupted by IRGC’s Intelligence Organisation who arrested the Mossad agent, but no further details were provided on the sabotage plot or details about the Mossad agent.

24. Two Alleged British-Iranian Spies Released from Iranian Prisons

According to The Guardian, two British-Iranian nationals who had been previously accused and convicted as spies by the Iranian authorities, were released. No statements were given on the justification behind their release. The first is Nazanin Zaghari-Ratcliffe who was arrested by Iran’s Islamic Revolutionary Guard Corps (IRGC) in March 2016. Iranian authorities stated that she was “running a number of projects and plans for anti-revolutionary Iranians based abroad” using her journalist profession as a cover, and that her expenses to travel and work in various countries were controlled by the British MI6. The second released British-Iranian national is Anoosheh Ashoori. He was arrested in August 2017 and sentenced to 12 years in prison on espionage charges as an agent of the Israeli Mossad. According to VOA News, “Britain confirmed that in recent days it had paid a $530 million debt owed to Iran for an unfulfilled order of tanks and other weapons, dating back more than 40 years” but the same article also states that “both Britain and Iran denied Wednesday’s prisoner release was related to the debt.”

25. Podcast: DIA — Catching Noriega

SpyScape published a new 41-minute long podcast titled “Catching Noriega: Panama Gen. Noriega is in hiding but the DIA’s Martha Duncan plans to flush him out with gossip and girl talk.” The episode features retired US Defense Intelligence Agency (DIA) officer Martha Duncan who, after the US invasion in Panama (1989), was tasked to track down Panama’s leader, General Manuel Noriega.

26. US CISA/FBI Warn of Russian Cyber Espionage Campaign on NGO

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cyber-security alert for a cyber espionage operation attributed to a Russian state-sponsored actor that has been active at least since May 2021. The operation exploited misconfigurations in Multi-Factor Authentication (MFA) solutions with the alert stating that they used “a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.” The alert gives more details on the objectives of the actor saying that they were aiming to obtain “access to cloud and email accounts for document exfiltration.”

27. Swedish Säpo Warns of Increased Russian Espionage Activity

On Wednesday, March 16th, the Sverige Radio interviewed Anna Sjöberg, Chief of Operations at the Swedish Security Service (Säpo), who stated that the public should be “prepared for a number of different influence attempts from Russia, including trying to recruit agents.” She continued that “there is a broad and in-depth threat that concerns everything from recruiting spies and conducting illegal intelligence activities in Sweden to stealing information through cyber operations.” She concluded that now “it is important to be extra vigilant.”

28. French Transall C-160 Plane Begins Its Farewell Tour — But the C-160 Spy Planes are Expected to Stay Until 2025

Last week (see last section) it was reported that a French Signals Intelligence (SIGINT) Transall C-160 Gabriel aircraft (F216, callsign HOOPA21) was flying over Romania. This week it was announced that after 59 years of service the French fleet of Transall C-160 will be decommissioned, and a specially painted C-160 aircraft will be passing over 24 French cities over the next 20 days as its farewell tour. Although the plan was to decommission all of the C-160s by the end of the month, the Ukraine crisis forced the French Air Force to delay that for the two SIGINT variants it has, called C-160G Gabriel. Those are, reportedly, to remain operational until 2025 when the first Dassault Falcon 8X SIGINT aircraft will arrive.

29. MSAB Released Promotional Videos for Frontline Solutions

MSAB is a Swedish company specialising in mobile digital forensics and used across law enforcement, military, and intelligence agencies for Cellular phone Exploitation (CELLEX) operations. This week MSAB published two new promotional videos. The first is a 3.5-minute long demonstration of the MSAB Kiosk, and the second one is a 4-minute long promotional video of the Frontline Solutions MSAB offers, using a crime scene investigation example.

30. Germany’s BSI and Italy’s NCA Urge for Kaspersky Antivirus Replacement Over Cyber Espionage Concerns

This week the German Federal Office for Information Security (BSI) and the Italian National Cybersecurity Agency (NCA) issued public statements urging their governments and companies to replace their existing Kaspersky Anti-Virus installations. The concern is that Kaspersky is a Russia-based company and considering the operational increase of Russian intelligence activity against EU entities, BSI and NCA are worried that Kaspersky “may either conduct offensive operations itself; be forced to attack target systems against its will; be spied upon, unknowingly, as a victim of a cyber operation; or be used as a vehicle for attacks against its own customers.”

31. US DoJ Disrupts Chinese Spy Network in New York

The US Department of Justice (DoJ) made a press release unsealing the criminal complaints for a recently completed counter-intelligence operation of the FBI which led to the arrest of five individuals operating in New York on behalf of China’s Ministry of State Security (MSS), its main intelligence agency, targeting Chinese dissidents. The five suspects are: 1) Qiming Lin (59), an MSS covert operative, who used harassment, covert surveillance, false accusations, and other means against people of Chinese descent not aligned with China’s foreign policy. 2) Shujun Wang (73), MSS agent, who helped establish a “pro-democracy organization in Queens that memorializes two former leaders of the Chinese Communist Party who promoted political and economic reforms within the PRC and were eventually forced from power.” He was using his position to identify people of interest, push Chinese government MSS objectives, and more. 3) Fan “Frank” Liu (62) was the President of a media company and, under Chinese government direction, he was discrediting and spying (electronically and physically) on pro-democracy Chinese nationals in the United States. 4) Matthew Ziburis (49), former correctional officer for the State of Florida and a bodyguard, collaborated with Liu to harass dissidents and install covert surveillance equipment to spy on them. Lastly, 5) Qiang “Jason” Sun (40), China-based employee of an international technology company, was paying and coordinating many of the activities of Liu and Ziburis. Note that the MSS handler of the espionage group, Sun Qiang, is still at large and wanted by the FBI.

32. 40th Security and Policing 2022 Event in the UK

Between 15–17 March 2022, the British Home Office’s Joint Security & Resilience Centre (JSaRC) hosted the 40th “Security & Policing” event at the Farnborough International Exhibition and Conference Centre. Among others, the event included over 300 exhibitors, many of which demonstrated new intelligence gathering technologies. For example, Kromek’s biological detection systems, Area’s interception systems, DataWalk’s Grash intelligence analysis platform, Esoteric’s counter-espionage services, Artemis’ covert surveillance equipment, Sensus Futuris’ facial recognition, Cellebrite’s cellular intelligence gathering solutions, and others.

33. US FCC Revokes Chinese Telecom Authorisation Over Espionage Concerns

On Wednesday, the United States Federal Communications Commission (FCC) voted to “revoke the authorization for Chinese telecom Pacific Networks and its wholly owned subsidiary ComNet to provide U.S. telecommunications services.” The decision was made to strengthen the United States national security, as noted by FCC Commissioner Geoffrey Starks. FCC said that both “Pacific Networks and ComNet are indirectly and ultimately owned and controlled by the Chinese government.”

34. Executed Ukrainian Negotiator Had Links to Russia’s FSB

In week 9 (story #85) it was reported that the Ukrainian Security Service (SBU) executed Denis Kireev, member of Ukraine’s negotiation team, and two others. News reports published this week say that he was shot in the head while in a Ukrainian government building due to resisting SBU arrest, and a later Ukrainian government post identified him as an official of Ukraine’s Main Directorate of Intelligence of the Ministry of Defence (HUR MOU). The two other (unnamed last week) individuals that were killed in the same incident were HUR MOU officers too. They were his bodyguard, Alexei Dolya, and one of his advisors, Valery Chibineev. According to retired Colonel Kazimir Baranovsky, all three were executed in an SBU safe house next to the Pechersk Court right after the negotiations with Russia, following a direct order of SBU’s Head, Ivan Bakanov. According to Colonel Baranovsky, the executed Kireev and his two associates had close ties with Ukrainian oligarch Rinat Akhmetov, whom President Volodymyr Zelensky had already accused of financing a plot to assassinate him, and allegedly Kireev helped in this. Intelligence expert Alexei Ilyashevich stated that this was an ordered political assassination due to direct links with Russia’s Federal Security Service (FSB). Kireev was very close to the Russia-affiliated Andrei Klyuyev, the head of the administration of former Ukrainian President Yanukovych, and he was suspected for a long time of being an FSB agent.

35. Afghanistan’s GID Detain TOLOnews Journalists

According to the Committee to Protect Journalists (CPJ), on Thursday March 17th, officers of the Taliban-controlled General Directorate of Intelligence (GID) detained TOLOnews presenter and journalist Bahram Aman, as well as the TOLOnews news manager Khapalwak Sapai, and the channel’s legal adviser at TOLOnews headquarters in District 10 of Kabul, Afghanistan. According to former news director Lotfullah Najafizada, everyone apart from Bahram Aman was later released. GID refused to comment on the case of B. Aman, who remains in custody with no official charges announced. According to CPJ, the Taliban use GID for “controlling news media and intimidating journalists.”

36. SANS Publishes Videos from the CTI Summit 2022

Throughout this week, the SANS institute has been publishing video recordings from its recent Cyber Threat Intelligence (CTI) Summit 2022. The talks cover a wide range of cyber espionage and cyber counter-intelligence activities by experts from both the private and the public sector.

37. US Olympian and Her Father Targeted by Chinese Intelligence

News published this week report that United States Olympic figure skater Alyssa Liu as well as her father, Arthur Liu (a former political refugee to the US), were contacted by the FBI’s counterintelligence in October 2021 for the investigation of the case reported earlier (story #31). According to Arthur Liu, “we believed Alyssa had a great chance of making the Olympic team and were really intimidated.” He also said that their case is described in the criminal complaints as “dissident 3” and “member of the family”, respectively.

38. Mobile Phone of Mossad Head’s Wife Compromised by Iran

As reported by Jonathan Lis of Haaretz, the mobile phone of the wife of Israel’s Mossad Chief, David Barnea, was compromised and data from it was leaked online in what Haaretz describes as an “apparent Iranian revenge” attack. The compromise was carried out by a group identifying themselves as “open hands” who released a video of the compromise in multiple languages, and since March 15th they have been leaking some of the exfiltrated files via Telegram, Twitter, TikTok and Instagram. This, alleged, Iranian cyber actor started this new campaign this week and describes it as “join us in a mysterious journey to the halls of the Mossad.” Haaretz highlights that only the mobile phone of Barnea’s wife was compromised, not his or any other Mossad secure communications device.

39. Norwegian Photographer Arrested in Greece on Espionage Charges

On March 17th, Thursday, it was announced that Norwegian photographer Knut Bry was arrested in the Greek island of Lesvos on espionage charges for, reportedly, photographing Coast Guard and Navy vessels in a restricted location. He was in Lesvos “working with a local nonprofit organization that helps migrants and refugees.” The report continues that “during a search in his home in the presence of a judicial representative, electronic archives with pictures were seized, and are now under examination.” The suspect was given 24 hours to prepare his testimony, which took place on Friday. His lawyer stated that he does not accept the allegations.

40. GRU Cyber Espionage Operation Targets Ukraine with QR Codes

On March 16th, the Computer Emergency Response Team of Ukraine (CERT-UA) published an alert for an ongoing cyber espionage operation attributed to an actor dubbed “APT28”, who has been previously associated with Russia’s GRU 85th Special Services Centre. The operation impersonated UKR.NET email notifications, containing QR codes and shortened links that, if clicked, would prompt the victim to submit their email credentials to a fake website that captures them. CERT-UA did not provide more details on who the targets of this cyber espionage campaign were.

41. Podcast: “So, I Design Board Games for the CIA...”

On Wednesday, March 15th, the SpyCast of the International Spy Museum published a new 1-hour long episode titled “So, I Design Board Games for the CIA…” and featuring former CIA intelligence analyst and board games designer, Volko Ruhnke, talking about his story and highlights from the CIA.

42. New US Law to Control Ex-Spies Working with Foreign Entities

In week 7 (story #2) Italy passed a law to limit former senior intelligence officials from working at foreign private companies for 3 years after they leave the agencies, and this week the United States passed a similar law. The US legislation “prohibits U.S. intelligence officials with knowledge of spycraft and national security secrets from selling their services to other countries for 30 months after retiring.”

43. Ukrainian Violinist Allegedly is a Russian GRU Agent

On Thursday, March 17th, Ukrainian journalist Andrei Tsaplienko reported a case which was disseminated by other Russian and Ukrainian media afterwards. According to Tsaplienko, the well known Ukrainian violinist Ilya Smetanin, who played in the Academic Chamber Orchestra of the Volyn Regional Philharmonic, Cantabile, turned out to be a Russian GRU agent. Ilya Smetanin was living in the city of Lutsk and according to the report on February 24th he was providing coordinates to guide the Russian missiles attacking Ukrainian Air Force’s Lutsk Air Base, located in the same city.

44. Blog Post for the History of Japanese Spy Masayoshi Nakajima

On Friday, March 18th, a Chinese user of NetEase using the handle “勇敢他” (brave him) published a blog post detailing the history of Japanese spy Masayoshi Nakajima, who had been successfully spying on China for 11 years (1956–1967) before getting arrested in Shanghai, China. He was recruited at the end of 1955, while working at the Tokyo Overseas Chinese Traders Association, by a man named Liu Tao who pretended to be a Taiwanese businessman but was a case officer of the Tokyo Station of the Intelligence Bureau of Taiwan’s Ministry of Defence. He was recruited and sent to China under the cover of being an interpreter. China’s Shanghai Shipping Public Security Bureau started an investigation on him, led by 23-year old Zhang Bingyi, but it took 11 years (June 1956-September 1967) and 100 total trips of Nakajima to China to arrest him. His task was to memorise and report back “navigation marks, dock depths, passenger ships entering and leaving the port, names and tonnages of cargo ships, and the number of warehouses” as well as “military intelligence, such as naval docks, warship type, quantity, serial number, tonnage size, firepower equipment, rules of entry and exit, and so on.” Eventually, he was arrested at the age of 55 and on April 20, 1973 he was sentenced to 20 years in prison for espionage.

45. New GRU “Cyclops” Cyber Attack Implant Targeting Asus Routers

In week 8 (story #34) the FIVE EYES revealed a cyber attack software implant dubbed “Cyclops”, which was created and operated by Russia’s military intelligence (GRU) Unit 74455, also known as GTsST (Main Centre for Special Technologies), to conduct Computer Network Attack (CNA) operations targeting, mainly, Ukrainian government and military entities. On March 17th, the cyber security firm Trend Micro published a technical analysis of a new variant of “Cyclops” targeting Asus routers that they detected.

46. Family of Convicted French Spy in Iran Calls for Paris to Do More

Following the release of the two convicted spies from Iran (story #24), the family of Benjamin Brière, 36, is reportedly asking the French government to make “the same amount of effort” as the British government for his release. As reported in week 3 (story #14) and week 4 (story #6), French national Benjamin Brière was sentenced to 8 years in prison for espionage with an additional 8 months for propaganda charges. He was arrested while using a drone to film an unnamed site at the Iran-Turkmenistan border.

47. FSB Reportedly Detains Russian National Guard General

As reported by investigative journalist and expert on Russian intelligence, Christo Grozev, General Roman Gavrilov, Chief of Russia’s National Guard, who faced significant losses in the war in Ukraine, was detained by the Federal Security Service’s (FSB) counter-intelligence department on March 17th. Previously, General Gavrilov was assigned to the Federal Protective Service (FSO), the agency responsible for the protection of the Russian President and other government officials. Grozev says that one of his sources said that General Gavrilov was detained over “leaks of military information that led to loss of life.” Note that in week 10 (story #77) two high-ranking FSB officials were also detained, and then put under house arrest by the FSB’s counter-intelligence department.

48. F-Secure Publishes February 2022 Threat Report

The Finnish cyber security firm F-Secure announced the publication of their 11-page February 2022 Threat Highlights Report. Among other things, the report discusses the nation-state cyber operations observed in the Ukraine-Russia conflict, the Chinese “Daxin” advanced software implant, and a short summary of other nation-state activities identified last month.

49. UK Government Acquires New Autonomous Spying Drones

Janes reported that, as part of the British Army’s Robotics & Autonomous Systems (RAS) project, the United Kingdom Defence Equipment & Support (DE&S) Future Capability Group (FCG) procured five Torch-X RAS systems for centrally managing autonomous platforms. Along with each of the Torch-X systems there will be six surveillance/intelligence gathering Unmanned Aircraft Systems (UAS) manufactured by the Israeli Easy Aerial, specifically the Falcon model. Janes states that FCG also acquired five AtlasNEST units manufactured by the Latvian Atlas Dynamics.

50. Ukrainian Military Centre Reports Capture of a Russian Torn-MDM Tactical SIGINT Mobile System

On March 17th, the Ukrainian Military Centre published an article demonstrating that the Ukrainian Armed Forces have captured a Russian mobile tactical Signals Intelligence (SIGINT) Torn-MDM system. The post states that the Torn-MDM is designed for “search, rapid analysis, and recording of signals in the range of 1.5–3000 MHz, as well as direction finding and location determination. It uses the triangulation method to find the source of signals located in a 70 km radius” and it continues that Torn-MDM’s “VHF range is up to 30 km, and the HF range is 70 km.”

51. Secret CIA SAC Paramilitary Operation in Ukraine

In week 4 (story #18) it was reported that the CIA was conducting a clandestine paramilitary operation in Ukraine to train local forces. This week, Zach Dorfman published a more detailed article on this CIA paramilitary operation. The program was run by the Ground Department of the CIA’s Special Activities Centre (SAC). The article says that “CIA paramilitaries taught their Ukrainian counterparts sniper techniques; how to operate U.S.-supplied Javelin anti-tank missiles and other equipment; how to evade digital tracking the Russians used to pinpoint the location of Ukrainian troops, which had left them vulnerable to attacks by artillery; how to use covert communications tools; and how to remain undetected in the war zone while also drawing out Russian and insurgent forces from their positions, among other skills.” The paramilitary CIA operation started after the 2014 annexation of Crimea by Russia. The article also discusses the challenges of operating covertly in Ukraine and how this program helped prepare Ukrainian paramilitary forces for the currently ongoing conflict.

52. Cellebrite CELLEX Platform Publishes New Video Content

Throughout this week the Israeli Cellular phone Exploitation (CELLEX) operations vendor Cellebrite published a series of new promotional videos. These were: “The Exodus Road and Cellebrite Partner to Prevent and Stop Human Trafficking”, “Cellebrite’s Digital Intelligence Platform Modernizes Investigations”, “Seattle PD: Strengthening the Path to Justice”, “Strengthen Your Path To Justice”, and finally “Seattle PD ICAC — Strengthen The Path to Justice.”

53. Former French Spy Claims There is a Plot to Assassinate Putin

The Daily Beast published an article quoting an anonymous retired French Directorate-General for External Security (DGSE) officer stating that assassinating Russian President Vladimir Putin is “on every intelligence agency’s design table.” He continued that they will need at least one person close to him and “it will be an expensive job, a fortune, in my experience, I’d wager an asset is already in place. There always is.” Poison is not considered a common method for Western countries but according to a person working in a Russian Ministry quoted in the article: “Putin in February allegedly sacked the some 1,000 people — from cooks to launderers to secretaries to bodyguards — who catered to his daily personal and professional needs, and replaced them with a new group of attendants.”

54. US Intelligence and Special Operations Hearing

On March 17th, the US House Armed Services Committee published the recording and relevant documents from the Subcommittee on Intelligence and Special Operations Hearing: Defence Intelligence Posture to Support the Warfighters and Policy Makers. This is the unclassified part of the session.

55. Cyber Espionage from LNR’s Intelligence Targeting Ukraine

On Thursday, March 17th, the Computer Emergency Response Team of Ukraine (CERT-UA) published an alert for a disrupted cyber espionage operation targeting state authorities in Ukraine via email. The emails had the subject “supply” and contained file attachments which, if opened, would lead to the installation of a software implant dubbed “SPECTR” in the alert. The operation is attributed to the intelligence service of the so-called Luhansk People’s Republic (LNR). The alert also notes that the infrastructure used in the operation has been physically located on “the technical site of the Luhansk provider vServerCo (AS58271) for many years.”

56. Turkish Government Cyber Espionage Operation

On Friday, March 18th, the RedDrip Team of the Chinese cyber security firm Qi An Xin disclosed technical indicators of an active cyber espionage operation attributed to an actor dubbed “PROMETHIUM”, who has been previously associated with the government of Turkey. No further details were released (such as targets, objectives, or otherwise).

57. Changes in US Military Intelligence and CIA Leadership

On March 14th, the Central Intelligence Agency (CIA) announced that La’Naia J. Jones has been appointed as CIA’s Chief Information Officer (CIO) and Director of the Information Technology Enterprise within the Directorate of Digital Innovation (DDI). On the 16th of March, it was announced that Major General Barbara G. Fast became the first female commander of the US Army Intelligence Centre and Fort Huachuca, AZ (USAIC & FH).

58. Catherine Perez-Shakdam Says She’s Not a Mossad Agent

Following last week’s reports (story #42) on French journalist Catherine Perez-Shakdam being a Mossad agent who infiltrated Iran, this week there were new developments, with Catherine Perez-Shakdam saying that she is not a Mossad agent and that the entire story was made up by Iranian state media.

59. CISA & FBI Issue Alert for SATCOM Cyber Threats

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert along with an advisory for strengthening cybersecurity of SATCOM network providers and customers. This came a week after the Eutelsat 9E SATCOM cyber attack targeting Ukraine and EU countries covered in week 10 (story #80).

60. Ukrainian MoD Uses Clearview AI for Facial Recognition

As reported by Reuters, the Ukrainian Ministry of Defence (MoD) started using facial recognition products of the American Clearview AI firm in the conflict with Russia. According to Reuters, facial recognition is used to “uncover Russian assailants, combat misinformation and identify the dead.” Clearview has collected over 2 billion images from Russian social media platforms with a total database of more than 10 billion photos which they correlate with videos/photos provided by Ukraine’s MoD to identify people.

61. Chinese MSS Operative in New York Tried to Lure Congress Candidate Into Sex Scandal

Following the arrest of the New York espionage network (story #31) earlier this week, it became known that one of the targets was retired US Army Major and political candidate for Congress, Xiong Yan. Apart from the surveillance and harassment, an intelligence officer from China’s Ministry of State Security (MSS) who was arrested, Qiming Lin, considered “staging a car crash” to stop Yan’s political career, and tried to lure him with a honeytrap into a sex scandal which could be subsequently used against him for a smear campaign.

62. FBI Announces the Creation of Unit Dedicated to Cryptocurrency Intelligence Analysis

The US Federal Bureau of Investigation (FBI) announced the creation of the Virtual Assets Unit (VAU). The VAU will employ experts in virtual currency (cryptocurrencies) who can support other FBI divisions and US agencies when dealing with cases involving virtual currencies. The motivation for this, according to the announcement, is that “virtual currency is used to facilitate nearly every type of online criminal activity, including ransomware attacks, child exploitation, and furthering the activities of hostile nation states.”

63. South Korean Cyber Espionage Targeting Macao Resorts

On March 17th, US cyber security and intelligence firm Trellix published a technical analysis of a new cyber espionage operation, running from November 2021 and throughout January 2022, targeting luxury hotels in Macao. As per Bleeping Computer’s report “Two of the hotel chains confirmed as targeted in this campaign are the Grand Coloane Resort and the Wynn Palace, both 5-star hotels. These hotels were planning to host international conferences on trade, investment, and the environment, so DarkHotel’s campaign was likely aiming to lay the foundation for future espionage.” The campaign has been attributed to an actor dubbed “DarkHotel”, who has been previously associated with the government of South Korea.

64. Video: Hayden Centre: Director’s View for Russia-Ukraine

The US think tank Hayden Centre for Intelligence, Policy, and International Security published a 1.5-hour long virtual meeting recording on the topic of the Russia-Ukraine conflict. The participants were: Retired General and former NSA and CIA Director Michael Hayden, 32-year CIA, ODNI and White House veteran Larry Pfeiffer, former CIA Director John Brennan, former CIA Deputy Director Michael Morell, retired Lieutenant General and DNI and DIA Director James Clapper, Mark Rozell who is a political scientist and chair in public policy at the Schar School of Policy and Government of George Mason University, and lastly, former Secretary of Defence, CIA Director, and White House Chief of Staff, Leon Panetta.

65. Bulgaria Expels 10 (more) Russian Diplomats From Sofia Embassy Likely Involved in Espionage

Following the week 9 (story #32) disruption of a Russian espionage network by Bulgaria’s State Agency for National Security (SANS) and the expulsion of two Russian GRU officers operating under diplomatic cover, on Friday, March 18th, Bulgaria expelled ten more Russian diplomats from the Russian Embassy in Sofia. This time the Bulgarian Ministry of Foreign Affairs stated only that they performed “activities deemed incompatible with their diplomatic status” without providing further details.

66. US Senator for Florida Warns 26 Florida Colleges of Chinese Espionage Activities

On Thursday, March 17th, US Senator for Florida Marco Rubio wrote “to the presidents of 26 research colleges and universities in his state, warning them to guard against espionage efforts by the Chinese Communist Party (CCP).” “The CCP quietly seeks to acquire cutting-edge U.S. technology and the knowledge that will give birth to the technology of the future,” the senator explained. “The CCP believes that access to such knowledge will accelerate the buildup of the People’s Liberation Army (PLA), the CCP’s armed wing, and propel China’s state-directed economy ahead of the United States and into the technological frontier where leadership of the global economy of the 21st century will be contested. For this reason, we cannot approach academic exchange with institutions or individuals from the PRC (People’s Republic of China) with stars in our eyes.”

67. New Cyber Espionage Operation with Fake Dictionary in Ukraine

In week 10 (story #66) a new cyber espionage campaign was identified targeting Ukrainian citizens by impersonating government state bodies with the objective of tricking them into installing a custom cyber espionage software implant. This week, the cyber security firm SentinelOne published a technical analysis of the same actor performing a new campaign delivering a tailor-made software implant to Ukrainian citizens. They identified that this actor has been running such operations as early as the beginning of December 2021, and continues to this day. The newly discovered operation involved a “Dictionary Translator” application which, if executed, covertly installed a tailor-made cyber espionage software implant.

68. Video: Pegasus Spyware Explained by The Security Lab

On March 16th, Amnesty International’s Security Lab published a 10.5-minute long video to describe the “Pegasus” software implant, developed and sold by the Israeli NSO Group firm. The video is based on their experiences investigating this topic and helping people placed under surveillance by various government agencies using “Pegasus” around the world.

69. Corporate Espionage in the US with JHL Biotech Spying on Genentech

The US Department of Justice (DoJ) announced the verdict of Racho Jordanov, the co-founder and former CEO of JHL Biotech, and Rose Lin, another of the company’s co-founders and former COO. Their company, JHL Biotech, Inc., a biopharmaceutical startup in Taiwan, used a variety of espionage techniques to steal trade secrets from their competitor Genentech. Their main methods of operation were recruiting Genentech employees, stealing confidential documents, using elicitation and other means, and then implementing similar or identical technologies and processes. As per DoJ, “Jordanov was sentenced to a term of imprisonment of twelve months and one day, to be followed by a term of supervised release of 36 months, a condition of which shall be to serve nine months in home confinement. Lin was sentenced to a term of imprisonment of twelve months and one day, to be followed by a term of supervised release of 36 months.”

70. US Navy Spy Plane Officer in Prison for Smuggling Pistols to China

According to the US Department of Justice, US Navy P-8 Poseidon Flight Officer Fan Yang has been sentenced to 4 years in prison for conspiring to violate firearms law and lying during a security clearance investigation. Fan Yang formed a relationship with Chinese citizen Ge Songtao and later recommended that Ge Songtao hire his wife (Yang Yang) as an employee of the Shanghai Breeze Technology Co. Ltd., a company importing US maritime equipment designed for law enforcement and military missions to China. Among other things, under Ge Songtao’s instructions in 2017 and 2018 Fan Yang “purchased two handguns for him, specifically a Sig Sauer 9mm pistol and a Glock 9mm pistol. Ge Songtao reimbursed the Yangs for both purchases and had the Sig Sauer pistol engraved with his initials — “G.S.T.” — and the phrase “Never Out of the Fight.” Each time he purchased a firearm, Fan Yang completed a Firearms Transactions Record (known as ATF Form-4473) on which he falsely represented that he was purchasing the firearm for himself, rather than for Ge Songtao.”

71. El Salvador “Legalised Spying” with “Pegasus”

According to Justicia En Las Américas, unlike other governments that are investigating and taking steps to control any illegal use of covert surveillance software implants like “Pegasus” (developed and sold by the Israeli NSO Group), El Salvador took a different approach. Despite there being 35 confirmed cases of Salvadoran government agencies using “Pegasus” to spy on journalists and activists, on February 1st, 2022 “just two weeks after it became known that in El Salvador they spy with Pegasus, the Legislative Assembly, dominated by the party of President Nayib Bukele, approved spying on citizens through «undercover digital agents.»” This new legislation has five reforms to allow law enforcement agencies to conduct “digital undercover operations.” The reforms highlight that “all digital documents, electronic messages, images, videos or other data stored, received or transmitted through digital channels or electronic devices will now be evidence for criminal proceedings” but do not mention what methods of collection/extraction of information are allowed.

72. Podcast: The First Woman to Graduate From French Commando school

On March 18th, Cold War Conversations published a new podcast episode of over one hour, along with a short blog post, featuring Maura McCormick who was “posted to Berlin as a Signals Intelligence voice interceptor (Russian). Her workplace was the Teufelsberg U.S. listening station, aka Field Station Berlin.” Among her various Cold War espionage stories, while in “West Berlin, Maura became the first woman to graduate from French Commando school.”

73. Latvia, Lithuania, and Estonia Expel Russian Diplomats Involved in Espionage Activities

On March 18th, three countries coordinated and expelled Russian diplomats for performing “activities that are contrary to their diplomatic status.” Latvia expelled three Russian diplomats, and at the same time, the Estonian Ministry of Foreign Affairs announced the expulsion of three Russian diplomats from the Russian Embassy in Tallinn who “actively undermined Estonia’s security and spread propaganda.” About one hour later, the Ministry of Foreign Affairs of Lithuania expelled four Russian diplomats for performing “activities incompatible with their diplomatic status.”

74. Morocco Demands from Amnesty International Evidence of Spying Activity Using “Pegasus”

On Friday, March 18th, a Moroccan spokesperson stated that Amnesty International’s story (see week 10 story #46) amounts to “arbitrary allegations” and demanded evidence linking the Moroccan authorities to the observed espionage activity. The spokesperson continued that the evidence must be provided “as soon as possible so that Morocco can take the necessary measures to defend the rights of its citizens.”

75. Polish Whistleblower Found Hanged in his Home in Belarus

Polish soldier and whistleblower Emil Chechko, born in 1996, was reportedly found hanged in his apartment in Minsk, Belarus, and an investigation into his death has been ordered. In December 2021 Chechko deserted his post in the Polish Army and requested political asylum in Belarus, where he revealed that Poland used inhumane methods on refugees, including orders for “systematically killing migrants from Middle Eastern and African countries.” According to reports, before his body was discovered he had messaged that “his life was in danger” and that he needed protection. According to “Minskaya Pravda” he was in the process of learning Russian to obtain a Russian passport. In an interview on Belarusian TV he stated that “during the ten days of my participation in the executions, from 200 to 700 people could be killed.”

76. Former Israeli Aman Officer Confirms Mossad Station in Kurdistan and Reveals IRGC Quds Force Plans for Iraq

Following Iran’s attack on Mossad facilities in Iraqi Kurdistan (story #8), journalist and retired officer of Israel’s military intelligence (Aman), Yoni Ben Menachem, published an article explaining that the IRGC’s Quds Force commander, General Esmail Qaani, arrived in Iraq on March 15th with a mission to “unite the country’s Shiite forces and form a government.” He then confirmed the existence of the Mossad facility, which was also key to the destruction of “several hundred Iranian UAVs of various types” last month. The existence of this facility, according to the author, passed the message to Iran that the Kurdish Democratic Party (KDP) is cooperating closely with Mossad. Iran bombed this facility to get the Iraqi Prime Minister, Mustafa Al-Kadhimi, on their side, using this as evidence of covert Mossad activities inside Iraq. Iranian intelligence is worried that Mossad stations in Kurdistan will allow covert operatives easier access for espionage and sabotage in Iran, Iraq and Syria. The IRGC Quds Force commander also highlighted that this facility was under the auspices of the CIA, which was denied by a senior official of the US government. The article also highlights that KDP founder and leader Masoud Barzani has always had a good relationship with Israel and that he “has secretly visited Israel several times and met with prime ministers and senior members of the defence establishment” over the years. The article closes by quoting a source well acquainted with Mossad in Kurdistan saying that “Iran’s attempt to drive a wedge between the two will fail, Israel’s alliance with the Kurds is stronger than the Iranian threats.”

77. Chinese Cyber Espionage Activities Targeting Ukraine

Google’s Threat Analysis Group (TAG) revealed that they notified the targets of ongoing cyber espionage activities targeting Ukrainian government organisations from an actor (codenamed MUSTANG PANDA) associated with China’s intelligence apparatus. Later, Intrusion Truth, an expert research group focused on exposing Chinese cyber operations wrote that “Mustang Panda now scrambling to help the CCP understand the war in Ukraine shows two things: 1) the CCP was naive to believe Russia’s word, and 2) MSS-backed APT31 couldn’t deliver the inside scoop when it hacked Russia.”

78. Yemeni Security Forces Disrupt Covert Saudi Cell in Sanaa

Based on news reports, the General Intelligence Presidency (GIP) of Saudi Arabia “established a network of several operatives, equipped it with various types of munitions and explosive devices” and tasked them to conduct subversive actions inside Yemen. The network was, reportedly, disrupted by Yemeni Security Forces who, among others, identified that the “cell was provided with three car bombs in the central province of Marib and tasked with striking vital facilities in Sanaa and elsewhere in Yemen.” For the vehicles that were modified as VBIEDs they “hired a number of transport truck drivers as a cover in order to carry the explosive laden vehicles to designated sites.”

79. New Details on the Cold War Canadian Ambassador Watkins Espionage Case

Dean Beeby of the Globe and Mail published a story about the Cold War case of Canada’s Ambassador in Russia, John Watkins, who died of a heart attack in 1964 while being interrogated by Canada’s RCMP as a suspected KGB agent. Documents obtained under the Access to Information Act show that the then Prime Minister of Canada, Lester Pearson, was involved in the case. Watkins was almost forced by Pearson to work in the Moscow Embassy and was later trapped by two high-ranking KGB officers posing as academics, who eventually, in 1956, started a blackmail operation against him when they photographed him in a Moscow hotel room with a male lover. Watkins informed the relevant parties in Canada but Pearson wanted to avoid this becoming public. The article closes by stating that the RCMP needs to accept responsibility for his death, and that “intelligence historian Wesley Wark suggests Mr. Pearson’s “nervous interest” in the Watkins case stemmed from an awareness that right-wing American figures viewed him as “implicated in red politics.” The new material also underlines “the depths to which homophobia influenced security witch hunts during the early decades of the Cold War,” Mr. Wark added.”

80. Military Cyber Espionage from India Targeting Pakistan

The “Shadow Chaser Group” of the GcowSec team disclosed technical indicators of an active cyber espionage operation from an actor dubbed “SideWinder”, who has been previously associated with the government of India. The operation impersonates the National Institute of Maritime Affairs (NIMA) of the Bahria University Islamabad, Pakistan with a lure document pretending to be an analysis of the Pakistani implications of the Russia-Ukraine conflict which, if opened, covertly installs a cyber espionage software implant associated with past operations of the same actor.

81. Logos Technologies: BlackKite Pattern of Life Scenario Demo

On March 16th, the American Logos Technologies published a 2.5-minute video demonstrating how their BlackKite Wide-Area Motion Imagery (WAMI) sensor can be used to identify the Pattern of Life (PoL) of multiple surveillance targets at the same time. This example was a scenario of a bomb-making terrorist cell. As per Logos Technologies, the “system can detect and track the movement of multiple high-value targets, day and night, over a large swath of territory. In addition, BlackKite can cue hi-definition spotter cameras to zoom in on targets. This allows the WAMI operator to not just identify targets but build a pattern-of-life analysis from their movement.”

82. SBU Detained Russian Agent in Odessa

On Saturday, March 19th, the Odessa Office of the Security Service of Ukraine (SBU) announced the detention of a man, along with supporting photographs. The man was recruited in May 2021 by local militant groups and, since the Russian attack started, he was given instructions by his handler to collect intelligence on “the number, location and movement of military equipment and units of the Ukrainian Armed Forces, the local defence and border security teams, their composition. In addition, he collected information about civilians helping and supporting the Ukrainian Armed Forces in the region.” To communicate that back to his handler, he was using a private Telegram channel. He currently faces espionage charges.

83. 10 Problems that Made UK Navy’s Encryption Exploitable in 1939

On March 19th, Tony Comer, former departmental historian at Britain’s GCHQ, published a blog post titled “Ten avoidable problems which made the Royal Navy’s encryption exploitable in 1939” which lists those ten issues along with their root cause.

84. New Maritime ViDAR Spy System for USMC’s Aerial Platforms

The US Department of Defence announced that Sentient Vision Systems was selected to provide maritime Visual Detection And Ranging (ViDAR) systems for the US Marine Corps (USMC) as part of the Foreign Comparative Test (FCT) Program. To quote the announcement, this ViDAR system “is an Artificial Intelligence (AI)-based system that uses an Electro-Optic or Infrared (EO/IR) sensor to detect and classify targets in the imagery stream that would be invisible to a human operator or to a conventional radar, or else very hard to spot, such as a human head-size object in the water or a stealthy watercraft. The ViDAR systems will be used for Intelligence, Surveillance and Reconnaissance (ISR) missions, integrated into a medium-altitude long range Unmanned Aerial System (UAS) operated by the USMC. It will be used to gather intelligence and enhance situational awareness during amphibious operations.”

85. OSINT-Discovered ELINT/SIGINT Flights

This is a brief summary of ELINT/SIGINT/ISR flights identified by aviation enthusiasts during this week:

  • 13MAR2022: Summary of at least 5 ISR flights from the US, Sweden and France near Ukraine and Belarus. Source
  • 13MAR2022: US Army Challenger 650 ARTEMIS (N488CR, callsign: BRIO68) from Mihail Kogălniceanu International Airport, Romania to the border of Belarus. Source
  • 13MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 13MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 13MAR2022: US Air Force RQ-4B Global Hawk (09–2039, callsign FORTE12) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine-Russia border. Source
  • 14MAR2022: Summary of at least 12 ISR flights from the US and Sweden near Ukraine and Belarus. Source
  • 14MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign HOOVR01) flight from the US to RAF Mildenhall, UK. Source
  • 14MAR2022: US Air Force RQ-4B Global Hawk (09–2039, callsign FORTE12) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine-Russia border. Source
  • 14MAR2022: US Army Challenger 650 ARTEMIS (N488CR, callsign: BRIO68) from Mihail Kogălniceanu International Airport, Romania to the border of Belarus. Source
  • 14MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 14MAR2022: US Air Force Northrop Grumman E-8C J-STARS (95–0121, callsign REDEYE6) flight from Ramstein Air Base, Germany to Poland near the Ukraine border. Source
  • 14MAR2022: US Air Force Boeing RC-135S Cobra Ball (61–2663, callsign BULK73) flight over the Sea of Japan. Source
  • 14MAR2022: Acrobat Ltd. Diamond DA-42 MPP Guardian (G-DOSC, callsign GDOSC) flight from Exeter Airport to ISR flight nearby, then Oxford Airport, and Bournemouth Airport, UK. Source
  • 14MAR2022: US Air Force RC-135W Rivet Joint (62–4130, callsign JAKE12) flight from RAF Mildenhall, UK to Romania-Moldova border. Source
  • 15MAR2022: Summary of at least 8 ISR flights from the US, UK, Germany and Sweden near Ukraine and Belarus. Source
  • 15MAR2022: US Army Challenger 650 ARTEMIS (N488CR, callsign: BRIO68) from Mihail Kogălniceanu International Airport, Romania to the border of Belarus. Source
  • 15MAR2022: RVL Aviation Ltd. Beech 200 Super King Air (G-RAFL, callsign REV99) flight from East Midlands Airport, UK to ISR flight over the Strait of Dover and back. Source
  • 15MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE11) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine-Russia border. Source
  • 15MAR2022: US Air Force RC-135W Rivet Joint (62–4130, callsign JAKE11) flight from RAF Mildenhall, UK to Romania-Moldova border. Source
  • 15MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 15MAR2022: Joint Special Forces Aviation Wing Beechcraft Super King Air 350 (ZZ417, callsign RRR7417) flight from Belfast International Airport, Ireland, to ISR over Yeovil and Jersey Airport, and back to Ireland. Source
  • 15MAR2022: RAF Boeing RC-135W Rivet Joint (ZZ664, callsign RRR7225) flight from RAF Waddington to Poland. Source1 Source2
  • 15MAR2022: US Air Force Boeing RC-135V Rivet Joint (64–14842, callsign N/A) flight from Kadena Air Base, Japan to the Philippine Sea. Source
  • 15MAR2022: US Air Force Lockheed EP-3E Orion (16–1410, callsign FE45) flight from Chania, Greece to Romania-Moldova border. Source
  • 16MAR2022: Summary of at least 12 ISR flights from Sweden, US, and UK near Ukraine. Source
  • 16MAR2022: Chinese military Shenyang J-6 (00CAC618, callsign N/A) flight from Yangtang Li Air Base. Source
  • 16MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE11) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine-Russia border. Source
  • 16MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 16MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 16MAR2022: US Air Force Northrop Grumman E-8C J-STARS (95–0121, callsign REDEYE6) flight from Ramstein Air Base, Germany to Poland near the Ukraine border. Source
  • 16MAR2022: US Air Force RC-135V Rivet Joint (64–14844, callsign JAKE12) flight from RAF Mildenhall, UK to Romania-Moldova border. Source
  • 17MAR2022: Summary of at least 12 ISR flights from Sweden, US, and UK near Ukraine. Source
  • 17MAR2022: US Air Force Boeing RC-135U Combat Sent (64–14849, callsign JAKE31) flight from RAF Mildenhall, UK to Romania-Moldova and Poland-Lithuania border. Source
  • 17MAR2022: US Air Force RC-135W Rivet Joint (62–4130, callsign JAKE11) flight from RAF Mildenhall, UK to Romania-Moldova border. Source
  • 17MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 17MAR2022: US Army Challenger 650 ARTEMIS (N488CR, callsign: BRIO68) from Mihail Kogălniceanu International Airport, Romania to the border of Belarus. Source
  • 17MAR2022: RAF Boeing RC-135W Rivet Joint (ZZ664, callsign RRR7227) flight from RAF Waddington to Poland. Source
  • 17MAR2022: US Air Force Lockheed EP-3E Orion (16–1410, callsign LK32) flight from Chania, Greece to Romania-Moldova border. Source
  • 17MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 17MAR2022: Taiwanese military Teng Yun 2 Cloud Rider (8991F9, callsign N/A) flight from Jiashan Air Base to the Philippine Sea and back. Source
  • 17MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) and (88–00325, callsign YANK02) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source1 Source2
  • 18MAR2022: Summary of at least 17 ISR flights from Sweden, US, and UK near Ukraine. Source
  • 18MAR2022: US Air Force Boeing RC-135U Combat Sent (64–14849, callsign JAKE31) flight from RAF Mildenhall, UK to Romania-Moldova and Poland-Lithuania border. Source
  • 18MAR2022: US Army Challenger 650 ARTEMIS (N488CR, callsign: BRIO68) from Mihail Kogălniceanu International Airport, Romania to the border of Belarus. Source
  • 18MAR2022: US Air Force RC-135WV Rivet Joint (64–14844, callsign JAKE12) flight from RAF Mildenhall, UK to Poland border. Source
  • 18MAR2022: US Air Force Northrop Grumman E-8C J-STARS (95–0121, callsign REDEYE6) flight from Ramstein Air Base, Germany to Poland near the Ukraine border. Source
  • 18MAR2022: US Air Force RC-135V Rivet Joint (64–14844, callsign JAKE11) flight from RAF Mildenhall, UK to Romania-Moldova border. Source
  • 18MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign HOOVR01) flight from RAF Mildenhall, UK to Chania, Greece. Source
  • 18MAR2022: US Navy P8 Poseidon (AE68A2, callsign N/A) flight over the North Sea. Source
  • 18MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) and (88–00325, callsign YANK02) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 18MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 18MAR2022: US Air Force Boeing RC-135S Cobra Ball (61–2663, callsign FOLK41) flight from Kadena Air Base, Japan. Source
  • 18MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign WARHK01) flight from RAF Mildenhall, UK to East Mediterranean. Source
  • 18MAR2022: RAF Boeing RC-135W Rivet Joint (ZZ664, callsign RRR7244) flight from RAF Waddington to Poland. Source
  • 18MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE11) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine-Russia border. Source
  • 19MAR2022: Summary of at least 5 ISR flights from Sweden, US and UK near Ukraine. Source
  • 19MAR2022: US Air Force Boeing RC-135V Rivet Joint (64–14842, callsign N/A) flight from Kadena Air Base, Japan to the Philippine Sea. Source
  • 19MAR2022: Turkish Bayraktar TB2 (001074, callsign TB2T251) on test flight at the company’s test facility in Keşan, Turkey. Source
  • 19MAR2022: US Air Force RC-135V Rivet Joint (64–14844, callsign JAKE11) flight from RAF Mildenhall, UK to Romania-Moldova border. Source
  • 19MAR2022: US Air Force Boeing RC-135V Rivet Joint (63–9792, callsign HOOVR01) flight from Chania, Greece to RAF Mildenhall, UK. Source
  • 19MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4139, callsign N/A) flight over the Persian Gulf. Source
  • 19MAR2022: Qatar Air Force Bayraktar TB2 (QA605, callsign N/A) flight from the Al-Shamal UAV base to ISR pattern over the coast. Source
  • 19MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF622) flight from Malmen Airbase to over the Gulf of Gdansk and Kaliningrad. Source
  • 19MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE11) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine-Russia border. Source
  • 19MAR2022: US Air Force Boeing RC-135V (63–9792, callsign FENIX01) flight from RAF Mildenhall heading North. Source

The Spy Collection

Weekly summaries of all published espionage-related news stories. For inquiries please use: info@spycollection.org