SPY NEWS: 2022 — Week 13

Summary of the espionage-related news stories for Week 13 (27 March-2 April) of 2022.

The Spy Collection
Apr 3, 2022

1. Boris Nemtsov Tailed by a Russian FSB Squad Prior to 2015 Murder

On Monday, March 28th, the Bellingcat Investigation Team published an analysis providing insights into how 3 officers of Russia’s Federal Security Service (FSB) conducted covert surveillance on Russian opposition leader Boris Nemtsov for months. The covert surveillance activity stopped one trip prior to his assassination by a group of Chechens in Moscow, Russia on February 27th, 2015. Quoting the article “Nemtsov was once the man many thought would succeed Boris Yeltsin until Vladimir Putin was appointed acting president in December 1999. He became a thorn in the Kremlin’s side over the subsequent decade. He advocated international sanctions against Russia’s political leadership. He opposed the annexation of Crimea and demanded an independent investigation into the downing of Malaysian flight MH17 over eastern Ukraine. In the years immediately preceding his death, Nemtsov was one of Putin’s fiercest critics — and among the most prominent.” The analysis also briefly covers the 2015 FSB covert surveillance of Nemtsov’s protégé Vladimir Kara-Murza, and his potential poisoning attempt.

2. Spy Collection: Cony Electronics X-18 Covert Listening Device

We published a 3.5-minute video presenting the X-18, an FM radio transmitter-covert listening device, produced by the Japanese Cony Electronics in the late 80s, early 90s. Those bugs were popular among private investigators of that era and were also used in cases of industrial espionage.

3. Azerbaijan’s State Security Agency Celebrates 103rd Anniversary

On Monday, March 28th, Azerbaijan’s security and intelligence agency celebrated its 103rd anniversary. The history of Azerbaijan’s intelligence and counter-intelligence agency goes back to March 28, 1919. The article says that on October 29, 2020 “local branches of the State Security Service were launched in Jabrayil, Zangilan, Fuzuli, Gubadli and Hadrut settlement of Khojavend region” and in December 2020 the new administrative building of Azerbaijan’s State Security Service’s Shusha regional headquarters opened.

4. New Spy Technologies at DSA 2022 Expo in Malaysia

On 28–31 March 2022 the 17th Defence Services Asia (DSA) exhibition took place at the Malaysia International Trade and Exhibition Centre (MITEC) in Kuala Lumpur, Malaysia. You can find the DSA 2022 brochures here. Some new intelligence-gathering technologies were presented there, such as Thales Group’s Air Surveillance and intelligence products, PROCITEC’s go2signals SIGINT/COMINT solutions, the first Malaysian UAV by DRB-HICOM Defence Technologies Sdn Bhd (DEFTECH), new radio electronics and intelligence hardware by Rohde & Schwarz, and more.

5. Ukrainian GUR Discloses Full Details of 620 FSB Covert Operatives in Europe

On Monday, the Chief Directorate of Intelligence of the Ministry of Defence of Ukraine (GUR MOU) publicly released full details of 620 covert operatives of Russia’s Federal Security Service (FSB) operating in European countries. The details include full name, date of birth, place of birth, passport number, date of issue, issuing authority, authority code, registration address, authority, previous address, special marks, signature, debts, tickets, credit trips, SIM cards, modems, vehicles, and more.

6. New Declassified CIA Documents from the Government Attic

This week, the Government Attic published some new CIA documents they obtained through FOIA. The first is the CIA Inspector General Investigations Closed during CY 2012–2013, a 9-page PDF document. The second is a set of three reports from 1963 and 1964 on the Extrasensory Perception and Human Radio, which are compiled into a 12-page PDF document.

7. Former Deputy Director of DIA Discusses US Intelligence Community Transformation

On March 27th, WUCF TV published a 28-minute long interview with Douglas H. Wise, former Deputy Director of the United States Defence Intelligence Agency (DIA), and nearly 30-year CIA Senior Intelligence Service veteran — Wise retired from the CIA in 2016. The title of the session was “Global Perspectives” and the interview focused on the US intelligence community’s transformation.

8. Russia Expels 3 Slovakian Diplomats from Moscow

Following week 11 (story #10), in which the Slovakian Information Service (SIS) disrupted a Russian espionage network and expelled 3 Russian intelligence officers operating under diplomatic cover from the Russian Embassy in Bratislava, on Monday Russia’s Ministry of Foreign Affairs announced the expulsion of 3 Slovakian diplomats from Slovakia’s Embassy in Moscow as “a retaliatory measure”. Note that tit-for-tat expulsions of covert intelligence officers/diplomats are a common strategy in foreign policy and, in the intelligence community, are sometimes referred to as “PNG wars”, with PNG standing for Persona Non Grata.

9. More Details on SVR Agent Arrested Last Week in Poland

Last week (story #25) Poland’s Internal Security Agency (ABW) arrested a man on espionage charges as a recruited agent of Russia’s Foreign Intelligence Service (SVR). This week it became known that the suspect is 57-year-old Tomasz L., who worked as an archivist at the archives of the Civil Registration Office in Warsaw, Poland and is accused of stealing personal information from the archives and transferring it to his SVR handler for the past 5 years.

10. SBU Disrupts 5 Russian Disinformation “Bot Farms” in Ukraine

On March 28th, Ukraine’s Security Service (SBU) announced that since the beginning of the war they have successfully disrupted 5 so-called “bot farms” in Ukraine. Those “farms” were digital and physical infrastructure used to create over 100,000 fake online accounts as well as to produce mass communications disseminating Russian Psychological Operations (PSYOP) content. The 5 mentioned were operated from the cities of Kharkiv, Cherkasy, Ternopil, Poltava, and Zakarpattia. In summary, SBU mentions the capture of more than 100 GSM gateways, nearly 10,000 SIM cards of various mobile operators, numerous laptops and computers, and accounting documents. Those were used to set up large numbers of fake accounts as well as to send unsolicited SMS messages related to Russian PSYOPs.

11. Pennsylvania National Guard First to Get Trained on the New TDEWS SIGINT System

According to Army Recognition, on March 13–17 eight Pennsylvania National Guard soldiers were the first to get trained on the new Tactical Dismounted Electronic Warfare (TDEWS) Signals Intelligence (SIGINT) system. The training took place at Fort Indiantown Gap, Pennsylvania, United States. The TDEWS is described as an “all-weather, tactical electronic warfare system providing force protection and situational awareness to commanders at any echelon” and following that, the 56th Stryker Brigade Combat Team (56th SBCT) “will be doing a rotation at the National Training Center at Fort Irwin, California, this summer.”

12. Former KGB Spy Shares Insights on Modern-Day Espionage

On Sunday, March 27th, former KGB officer Jack Barsky (born Albrecht Dittrich) gave a 6.5-minute interview on Fox News sharing his views on the ongoing conflict between Russia and Ukraine from the espionage perspective.

13. The 1949 HMS Amethyst Incident in the Chinese Civil War and a Do-It-Yourself One-Time-Pad (OTP)

The former GCHQ departmental historian, Tony Comer, published a blog post about a little-known cryptographic story of the British frigate HMS Amethyst, which was severely damaged as it “was sailing up the Yangtze from Shanghai to Nanking to provide support to the British Embassy to the Chinese Nationalist government which was temporarily based there.” For security purposes the ship’s crew destroyed all cryptographic material (as planned), but once required to communicate with CinC Far Eastern Station they had to find a way to do it in a secure manner. So, the “Chief Naval Signal Officer Far East (Cdr C R Williams RN) came up with a plan to create a One Time Pad (OTP) which would then be used to re-encipher message sent using the Government Telegraph Code, a copy of which was held by Amethyst but which was also known to be in the possession of the communists.”

14. Somalian NISA Opens New Office in Dhusamareb

Yasin Abdullahi Farey, Acting Director of Somalia’s National Intelligence and Security Agency (NISA), announced that, as of Monday, March 28, NISA has a new office in the city of Dhusamareb, the capital of Galmudug state in central Somalia. He added that “new NISA officers would be posted to the office to start working from the premises in Galmudug with immediate effect.”

15. Imagery Analysis of the Telephone Sets Used by Ukrainian President Volodymyr Zelenskyy

On March 28th, Electrospaces published an analysis based on the publicly available imagery of Ukrainian President Volodymyr Zelenskyy and the Ukrainian Presidential facilities. The article goes through the history and current state, and details the non-secure, secure, and TEMPEST equipment observed.

16. India’s Cyber Espionage Operation on Pakistani ISI Candidates

Cyber security firm InQuest Labs discovered and disclosed a new cyber espionage operation impersonating Pakistan’s Inter-Services Intelligence (ISI) with a lure document titled “Join Pakistan ISI: Eligibility, Different Posts, Training and Salary” which, if opened by the target, would infect them with a covert cyber espionage software implant. InQuest Labs attributed the operation to an actor dubbed “CONFUCIUS” who has been previously associated with the government of India.

17. South Sudan’s President Orders NSS to Disclose Intelligence on the 2013 and 2016 Civil War

On Tuesday, March 29, South Sudan’s President Salva Kiir Mayardit announced that he has ordered the country’s National Security Service (NSS) and a law firm known as BRL to publicly disclose classified intelligence products relating to the December 2013 and July 2016 civil wars to “help propel the country toward permanent peace.” According to Mayardit, NSS has intercepted communications showing the genesis of the civil war and noted that “those who may be implicated by the declassified information that is going to be released are guaranteed presidential pardon. So, there is no cause for alarm over this. All we are interested in is for the public to know the truth about the background of the conflict in our country.”

18. Podcast: AFIO- Former CIA Sr. Officer James Lawler on Iranian Nuclear Weapons

The Association of Former Intelligence Officers (AFIO) published a 23.5-minute long recording hosted by AFIO’s 17th President and 37-year Military Intelligence and CIA veteran James R. Hughes. The interview was about a new espionage novel titled “Living Lies: A Novel of the Iranian Nuclear Weapons Program” authored by James Lawler, a former senior CIA operations officer who served in relevant positions, including as Chief of the Counterproliferation Division’s Special Activities Unit. He served for 25 years, and from 1998 until his retirement in 2005 he was a member of CIA’s Senior Intelligence Service (SIS-3).

19. Ukraine Disrupts New Cyber Espionage Operation Targeting Government Agencies

The Computer Emergency Response Team of Ukraine (CERT-UA) published technical indicators of a new cyber espionage campaign targeting government agencies in Ukraine over email. The email subject was “Заборгованість по зарплаті” (Wage arrears) and it contained an attached lure document which, if opened, would covertly install variants of tailor-made cyber espionage software implants dubbed “GraphSteel” and “GrimPlant”. The campaign was attributed to a cyber actor dubbed “UAC-0056” who has been previously associated with Russian nation-state actors.

20. Mossad Spy Ashraf Marwan Was Not a Double Agent According to Senior Egyptian Intelligence Officer’s Testimony

According to Ofer Aderet of the Haaretz newspaper, a recent testimony of a senior Egyptian intelligence officer sheds light on the mystery of the Mossad agent Ashraf Marwan, who was accused of being a double agent (for MI6 and Mossad) before and during the Yom Kippur War (1973). According to the new information, Marwan was never a double agent, and Professor Uri Bar-Yosef, a Yom Kippur War scholar, said that “this testimony should put the case to rest once and for all.” Note that in 2007 Marwan died after falling from the balcony of his London house, and his wife has been openly accusing Mossad of his assassination. Even to this day, there are suspicions over the death of the Egyptian billionaire and former Mossad agent Ashraf Marwan.

21. ASD Doubles Size for Cyber Operations

On March 29, it was announced that the Australian Signals Directorate (ASD) “will receive almost $10 billion over the next decade as the federal government looks to boost the country’s offensive and defensive cyber security capabilities in the face of increasing threats.” As per IT News Australia, it is expected that ASD will “double in size” with around 1900 staff joining over the next decade and this funding is described as the “largest ever investment in Australia’s intelligence and cyber capabilities.” The released budget papers show that ASD “will receive $9.9 billion to 2030–31 as part of a new resilience, effects, defence, space, intelligence, cyber and enablers package (REDSPICE).”

22. Podcast: US Naval Institute — The Mother of Cryptology

On March 28th, the United States Naval Institute (USNI) published a new 37-minute long recording as part of the “Proceedings Podcast” titled “The Mother of Cryptology.” The hosts of the session are retired US Navy Captain and editor-in-chief of the USNI Proceedings magazine Bill Hamblet together with Eric Mills, editor-in-chief of the USNI Naval History magazine. The session was based on the article “The Mother of Cryptology” published in the Naval History magazine, April 2022 issue, Volume 3, Number 2. The session features the article’s author, Dr. Ann Todd, who served in the US Coast Guard, has been a contributing author and consultant for the National Geographic Society, and worked as a historian for the National Museum of the Marine Corps.

23. New Zealand’s First Maritime Spy Plane Under Construction

As announced, Boeing, in collaboration with Spirit AeroSystems (at the facilities of the latter in the US), started the construction of a Boeing P-8A Poseidon (formerly known as Multimission Maritime Aircraft). The aircraft will be equipped to allow the Royal New Zealand Air Force to conduct long-range Anti-Submarine Warfare (ASW), anti-surface warfare, as well as Intelligence-Surveillance-and-Reconnaissance (ISR) missions.

24. Ukraine Disrupts Cyber Espionage Operation Targeting Servicemen

At least since March 26th, a cyber espionage operation has been targeting Ukrainian servicemen via email, as disclosed by Ukraine’s CERT. The emails included a lure document impersonating information on Ukrainian forces’ casualties which, if opened, would covertly install a cyber espionage software implant dubbed “PseudoSteel”. According to CERT-UA, this is attributed with low confidence to a cyber actor dubbed “UAC-0010” who has been previously associated with Russian nation-state activities.

25. Podcast: 9 New Episodes by Former CIA Case Officer on Information Handling

Following last week’s (story #66) series on the same topic, former CIA case officer Andrew Bustamante published 9 new episodes. The first, a 19-minute long episode titled “The Reason Kids Perform Better Than Adults”, is about learning how to absorb large amounts of information effectively. The second one is a 12-minute episode titled “The Curious Case of Sharing Lies” and discusses misinformation. The third episode is 25.5 minutes long, titled “How to Decode News Headlines and Skip the Slant”, covering how to study news headlines to focus on the information that is relevant to you. The fourth episode is 22.5 minutes long, titled “The Dirty Truth About Polls The News Doesn’t Want to Admit”, in which he, together with his wife (also a former CIA case officer), covers how the human brain processes information and how you can use different methods when interpreting new information. The fifth episode is titled “5 German fears about Russian power”, is 41 minutes long, and is an interview of Bustamante hosted by German editor Kaner Etem. The sixth episode, titled “How to Stay Three Steps Ahead of the Next President”, is 14.5 minutes long and covers the topic of seeing through deception and linking the dots from publicly available information. The seventh one, 35 minutes long, is titled “How to Dissect a News Article to Tell if it’s Real News” and covers how to study news with analytic techniques. The eighth episode is 20 minutes long, titled “The Two Lies You Will Remember From This Day Forward”, and covers misinformation and disinformation. And lastly, the ninth episode is 26 minutes long, titled “Everyday Precision Without the Bullets”, continuing on the same subject of filtering information from news.

26. Nokia’s Russian Domestic Surveillance System Used by the FSB

As reported by the New York Times (NYT), the Finnish telecommunications company Nokia announced that it would stop its sales, denouncing the attack on Ukraine. According to the NYT, Nokia was used in Russia for the System for Operative Investigative Activities (SORM), which has been used by the Russian Federal Security Service (FSB) in numerous domestic investigations of individuals over the years. In summary, SORM is like the so-called Lawful Interception (LI) platforms that most countries require ISPs by law to operate so that they can conduct investigations. However, in the case of SORM, according to the NYT, it has been abused by the FSB in numerous cases.

27. Mike Pompeo on Mossad-CIA Relationship Then and Now

After being honoured with the “Crown of Israel” award, former US Secretary of State and former Director of the Central Intelligence Agency (DCI), Mike Pompeo stated that in his first week as DCI he flew to Israel “to meet with the best looking spy I’ve ever met, a fellow named Yossi Cohen, he was the director of Mossad.” He continued describing his first encounter with Cohen and how they became friends to a degree that “to this day, when something blows up in Tehran, [Yossi Cohen] calls me — we don’t say where, we just smile and hang up the phone, I tell that story not because of any personal pride but because it set the tone for the cooperation that extended all across the Trump administration, from diplomatic to intelligence to our departments of defense working together to deliver good outcomes for our two nations. When we did that, we made the Middle East far more secure and prosperous, and indeed we made the world more secure and prosperous” and closed by saying that “so much of the goodwill that we had done no longer exists. I pray that we’re able to bring that back again” as well as “This relationship matters. When we get it right it is magic.”

28. 3-part Post on Chinese Space Program — Run by State & Military

Jason Szeftel of The Space Review published a 3-part story detailing the history and current state of China’s space program, which is run by entities funded and/or controlled by the Chinese state, some of which are under the control of the Chinese People’s Liberation Army (PLA). Examples include the state-owned China Aerospace Science and Technology Corporation (CASC) and China Aerospace Science and Industry Corporation (CASIC), the PLA-funded China National Space Administration (CNSA), and more. Part 1 is “Red Heaven: China sets its sights on the stars”, followed by part 2 “Red Heaven: China sets its sights on the stars” and part 3 “Red Heaven: China sets its sights on the stars”. The series also briefly covers the intelligence components of China’s space program.

29. Podcast: From KGB Agent to US Informant

Spycraft 101 published a new 45-minute long episode titled “KGB Agent to US Informant”, presenting the story of Nikolai Khokhlov who was tasked “to arrange the targeted killing of Gregory Okolovich, a senior member of the National Alliance of Russian Solidarists.” As per the description “Khokhlov traveled to Frankfurt, West Germany along with two highly trained German agents who would carry out the killing at his direction. They had $55,000 in operational funds, real Austrian passports issued under fake names by a diehard communist agent in the Austrian government, and four silent firearms specifically fabricated by Laboratory Number 12 for this mission. But once Khokhlov arrived in Frankfurt, he put a secret plan of his own into action. A plan that shocked his superiors in Moscow and opened a new chapter in the Cold War. And a plan which cost Nikolai Khokhlov dearly.”

30. The Vietnamese Spy Who Spied for 3 Nation-States

Richard Collett of the Smithsonian Magazine published an article about a Vietnamese spy known under the alias Lai Tek, a career spy who worked for the French, British and Japanese intelligence services. The article talks about his little-known history in Southeast Asia during and after WWII.

31. Video: Former CIA GRS Operator’s Recent Story from Covert Counter-Terrorism Operation in North Africa

On March 29th, a former CIA Global Response Staff (GRS) operative from private security firm American Kinetix published a 23-minute long video sharing a recent story from a North African country (likely Mali based on the description). The story is about a covert operation targeting a jihadi sleeper cell living there after an unsuccessful assassination attempt by the terrorist group, specifically a particular agent of that cell working as a taxi driver.

32. Netherlands, Belgium, Czech Republic, Ireland and North Macedonia Expel Russian Spies from the Russian Embassies

Following last week’s series of expulsions of Russian intelligence officers working under diplomatic cover in various Embassies and Consulates, this week it was announced that the Netherlands expelled 17 Russian diplomats stating that “the current attitude of Russia in a broader sense makes the presence of these intelligence officers undesirable. The deportation is a measure taken in the context of national security.” Belgium followed along by expelling 21 Russian intelligence officers under diplomatic cover. Czech Republic expelled 1, Ireland expelled 4, and North Macedonia expelled 5. Later Ireland’s Garda stated that the 4 expelled diplomats were covert GRU intelligence officers.

33. First Espionage Case in Modern History of New Zealand — Pre-Trial Hearing of Soldier Accused of Espionage

For the first time in its modern history, New Zealand is having a pre-trial hearing on a military espionage case. The hearing took place at Court Martial at Linton Military Camp on Wednesday and was about a Linton-based 28-year-old soldier arrested in 2020 and facing 17 charges of espionage as well as being a member of a white supremacy group and recording the Christchurch mosque attack livestream. The soldier faces a maximum sentence of 14 years. There were no further details on his espionage activity.

34. Swiss FIS Reports Increase of Russian Espionage Activity

As reported by Switzerland’s Federal Intelligence Service (FIS), one third of the entire Russian diplomatic mission are intelligence professionals under diplomatic cover. FIS continued that recently they identified “aggressive espionage activity” most notably from Russia. Lastly, FIS “assured the public that it has been able to prevent attacks on companies in Switzerland in the past, citing the examples of when it thwarted an espionage attack in Canton Bern and against the World Anti-Doping Agency. In 2016, the FIS were instrumental in uncovering a Russian secret service unit, leading to their arrest by Dutch police.”

35. Podcast: The IRA, The Troubles & Intelligence

The International Spy Museum’s SpyCast published a new one-hour long episode featuring Cardiff University Lecturer Thomas Leahy together with Queen’s University, Belfast researcher Eleanor Leah Williams on the subject of the intelligence war during the IRA period, better known as “the Troubles.” The session covers: The Troubles through the lens of intelligence, some key intelligence players in the Northern Ireland conflict, how the IRA and the British Army adapted organisationally, and the role intelligence played in the end of the conflict.

36. Denmark Convicts Female MİT Spy to 6 Months in Prison and Assesses Deportation to Turkey

The court of Hillerød, Denmark decided that a 49-year-old woman who has lived in Denmark for the last 27 years was an agent of the Turkish National Intelligence Organisation (MİT). She was sentenced to 6 months in prison for violation of the “mild espionage clause” and her deportation to Turkey is being assessed. According to the reports, she was tasked to discover people of Turkish descent affiliated with the movement of Fethullah Gülen (FETÖ), which is classified as a terrorist organisation in Turkey. Danish counter-intelligence says that in August 2016 she sent an email to a police station in Ankara, Turkey with a list of 15 people living in Denmark who were, allegedly, associated with FETÖ.

37. Ukrainian CERT Discloses Cyber Espionage Operation Targeting Citizens and Domestic Organisations

On March 30th, CERT-UA disclosed technical indicators of a mass-distribution cyber espionage operation targeting Ukrainian citizens and domestic organisations via emails with the topic “New program for journal entry.” The email contains a lure document impersonating e-learning journals of the Ministry of Education and Science of Ukraine which, if opened, would covertly install a cyber espionage software implant known as “Mars Stealer”. CERT-UA attributes the operation to an actor dubbed “UAC-0041” without any clear statement on whether it is financially motivated (e.g. cyber crime) or nation-state driven.

38. US DoD 2023 Military Intelligence Program Budget Request and ODNI National Intelligence Program Budget Request

Along with the rest of the US government, on March 28th, the United States Department of Defence (DoD) publicly released the Military Intelligence Program (MIP) top line budget request for fiscal year 2023. The total is $26.6 billion. The Office of the Director of National Intelligence (ODNI) released the requested appropriations for the Fiscal Year 2023 National Intelligence Program (NIP) with a total amount of $67.1 billion.

39. Hungarian MFA Networks Compromised by Russian Intelligence

Panyi Szabolcs of Direkt36 published an investigative article about Russian intelligence’s successful cyber espionage on Hungary’s Ministry of Foreign Affairs (MFA) networks throughout 2021 and in early 2022. According to the report, the cyber espionage was conducted by Russia’s Federal Security Service (FSB) as well as Russia’s military intelligence (GRU). The full timeline of the infiltration, espionage, and Hungary’s counter-intelligence operation is detailed in the article.

40. Greek NIS Reopens 2005 Investigation of Greek-Egyptian Businessman Assassinated with His Family in Greece

According to Greek newspaper “Espresso News”, the National Intelligence Service (NIS) of Greece is reopening an assassination case from 2005 that has been opened 3 times since 2005 but still remains unsolved. On the evening of October 15th, 2005, Egyptian-Greek businessman and President of the Hellenic-Egyptian Chamber of Commerce, Michael Zoubatlis (66), his wife Kalliopi-Fani Zoubatli (59), and his son Nick Zoubatlis-Ramzi (40) were killed after someone cut the power in their house, and a man assassinated them using a 9mm pistol. Nick’s wife, Amen Hassan (45), was injured but survived the attack. The case reopened after NIS received an anonymous tip-off 2 months ago. The newspaper says that NIS is working closely with its Middle Eastern counterparts in this investigation. The former Police Chief of the local Police Department, Kostas Kiriakopoulos, who was the first on site after the assassination and was involved in the initial investigation, said that “it was a professional hitman. And the weapon, of course, was never found. It was the execution of a “contract killing” done with surgical precision, something reminding me of espionage cases or high-rank organised crime hits.”

41. Podcast: Authentic8 — How OSINT informs executive protection

Authentic8, a US vendor of low-attribution products for professional Open Source Intelligence (OSINT), published a new 13.5-minute long podcast episode titled “how OSINT informs executive protection” featuring Mike Baccio, a former US government intelligence professional and currently Global Security Strategist at Splunk, discussing how OSINT can help improve executive protection, such as planning for upcoming public protests, monitoring for threats posted on social media, and others.

42. German Covert Surveillance Vendor FinFisher Declares Insolvency While Investigation Still Ongoing

In 2019 the German government, following human rights organisations’ reports, opened an investigation against FinFisher, a Germany-based company producing and selling covert cyber intelligence solutions (mainly a multi-platform covert software implant named FinSpy) to government agencies. This Monday it was announced that the “Munich-based spyware company FinFisher declared insolvency last month.” The news story states that a spokesperson for the Munich Public Prosecutor’s Office commented that “Although the investigation is ongoing, FinFisher’s insolvency prevented the prosecutor’s office from seizing the alleged illegally obtained assets belonging to the spyware company because it doesn’t technically exist.” FinFisher did not respond to the news agencies.

43. Yemeni Armed Forces Report Shooting Down US-Made Spy Drone Operated by Saudi Arabia

On March 29, Yemeni Armed Forces spokesperson Brigadier General Yahya Sarea said that “the air defenses managed to shoot down a US-made spy plane of “Scan Eagle” type while carrying out hostile actions over al-Wadi district.” The event, reportedly, took place in Marib province and the Boeing Insitu ScanEagle UAV was operated by Saudi Arabian forces.

44. Finnish Supo Releases Annual Threat Report

On 29 March 2022 the Finnish Security and Intelligence Service (Supo) announced the release of its “Yearbook 2021” in 3 languages (English, Swedish and Finnish). The English version is a 15-page report split into the following sections: 1) High-quality intelligence is essential for foreign and security policymaking 2) The aim of refugee espionage is to control and silence 3) Managing data from critical functions is part of future security of supply 4) Terrorist threat assessment 5) The rise of the Taliban is providing living space for al-Qaeda in Afghanistan 6) Supo in figures in 2021 7) Simple explanations are usually wrong — mental health is not the only relevant factor when assessing the threat of terrorism 8) The tense security situation highlights the significance of counterintelligence 9) Online radicalisation changed the far right in Finland 10) Technology shapes societies — and Supo strives to anticipate its progress 11) Supo seeks enhanced interaction with security clearance vetting clients 12) People in Finland trust in Supo

45. French Justice Rejects Moroccan Government’s Complaint for False Espionage Accusations

Several French NGOs and media outlets reported in 2021 how Moroccan intelligence services used the covert surveillance software implant “Pegasus” (developed and sold by the Israeli NSO Group) to spy on journalists, dissidents, activists, foreign politicians and others. Morocco filed a complaint against those entities in France and on March 29th, the French justice system rejected Morocco’s claim declaring the defamation lawsuits as inadmissible, and now Morocco accuses French intelligence services of using those journalists for their information operations.

46. Pakistani Cyber Espionage Operation Targeting Indian Government

Cyber Threat Intelligence (CTI) analysts discovered a new cyber espionage operation targeting Indian government entities, and attributed it to an actor dubbed “APT36”, who has previously been associated with the government of Pakistan. The Pakistani cyber operators modified a mobile application that is “used extensively by military personnel or employees of the Indian government that need to access IT resources like email services or databases.” The application is named Kavach Authentication and provides One-Time-Pad (OTP) tokens. The cyber operators modified it to include a custom covert cyber espionage software implant and then tried to lure Indian officials into installing the modified mobile application which, if installed, would give the cyber operators full access to the target’s device.

47. Britain’s Head of GCHQ Comments on the Russia-Ukraine War

On March 31st, The Telegraph published a 2-minute long video from the first public comments of Britain’s GCHQ Director, Sir Jeremy Fleming, on the Russia-Ukraine war. Fleming highlights that “Putin’s advisers are afraid to tell him the truth” and also that Russia “overestimated the abilities of his military to secure a rapid victory.” The full transcript of the speech was also published on GCHQ’s official website. The speech took place at the Australian National University.

48. Slovakian MFA Expels 35 More Russian Diplomats

On March 31st, Slovakia’s Ministry of Foreign Affairs (MFA) announced the expulsion of 35 Russian diplomats from Russia’s Embassy in Bratislava. Note that in week 11 (story #10) Slovakian SIS uncovered a Russian espionage network and expelled 3 more Russian diplomats (intelligence officers under diplomatic cover) from the same embassy.

49. Trial of Alleged Australian Spy Begins in Beijing, China

On Thursday, March 31st, the trial of Chinese-Australian journalist, Cheng Lei, began in Beijing, China. Australian diplomats requested permission to attend the proceedings but it was denied. Lei was detained in 2020 while working for China’s state-owned China Global Television Network (CGTN). She was subsequently charged with espionage for using her profession as cover to obtain state secrets and transfer them to an overseas intelligence service (which one was not explicitly named). Both Lei and the Australian government deny the accusations and report a lack of transparency in the overall process. Now, after 19 months of detainment, her trial has started.

50. More Details from South Africa’s SSA and the US CIA on the 2007 Attempt to Break Into a Nuclear Research Facility in South Africa

On March 30th, Richard Jurgens of the Mail & Guardian published an investigative article about an incident that took place in November 2007 at a nuclear research station in Pelindaba, west of Pretoria, South Africa. A group of individuals attempted at least two times to break into the facility by disabling multiple security controls (CCTV, electric fence, anti-tampering magnetic sensors, etc.). The facility is run by the state-owned Nuclear Energy Corporation (NECSA) and has been linked with weapons research and development in the past. According to leaked CIA cables this was assessed as a terrorism case by the US Agency, but the South African government insisted it was an ordinary theft case. Eventually, 3 suspects were detained and one of them, a Malawian male, was immediately deported. Later, it became known that South Africa’s State Security Agency (SSA) briefed the CIA stating that there were suspicions of Chinese secret services involvement. NECSA subsequently fired some employees based on SSA’s classified report. The article then covers various SSA domestic corruption and politicisation issues, and closes by stating that one of the key technologies developed there was a modular Pebble-Bed-Reactor (PBR) nuclear reactor, and that just last year the Chinese government announced the completion and commissioning of a modular PBR for small and medium-sized power grids which, according to the Chinese officials, had been under research and development since 2012.

51. Overview of the 1993 US Army Espionage Case of Jeffery Gregory

On March 28th, Christopher Burgess, a CIA case officer veteran of 30+ years, published a short article summarising the story of US Army Staff Sergeant Jeffery Eugene Gregory, who later became known as a member of the “Clyde Conrad espionage network” selling NATO and US military secrets to Hungary and Czechoslovakia. He was arrested in 1993 and pleaded guilty in 1994. He was sentenced to 18 years in prison for participating in the spy ring and, eventually, he was released from prison in 2007.

52. Former Australian Spy Chief David Irvine Dies at 75

David Irvine, who had served as Director-General of the domestic Australian Security Intelligence Organisation (ASIO) in 2009–2014, and Director-General of the foreign-focused Australian Secret Intelligence Service (ASIS) in 2003–2009, died at the age of 75 on March 30th. In 2017 he was appointed Chair of the Foreign Investment Review Board (FIRB) and prior to that had a major career as an Australian diplomat, being stationed as the Australian High Commissioner in Papua New Guinea in 1996–1999, and as the Australian Ambassador to China in 2000–2003 before becoming the head of ASIS.

53. Trial of Alleged EU Spy Metin Gürcan in Turkey Began

In week 2 (story #3) it was reported that Turkish retired army officer, military analyst and one of the founders of the Democracy and Progress Party (DEVA), Metin Gürcan, was arrested on espionage charges related to selling military intelligence to Spain and Italy. This week the first hearing of the trial was held behind closed doors due to the sensitive topic of the case. Former Deputy Prime Minister Ali Babacan defended Gürcan saying that he had no access to classified information and all his analysis was based on open source information. If found guilty, he faces charges of up to life imprisonment.

54. Polish ABW Publishes its First Issue of Terrorism Studies Journal

On March 30th, the Polish Internal Security Agency (ABW) announced the publication of the first issue of the bi-annual “Terroryzm — studia, analizy, prewencja” (Terrorism: Studies, Analyses, Prevention). It is a 458-page intelligence product written in Polish.

55. Webinar: Bringing MOSA to Electronic Warfare Applications

On March 28th, Mercury Systems published a 14-minute long webinar titled “Bringing MOSA to Electronic Warfare Applications (Military Embedded Systems)” and covering how Electronic Warfare (EW) as well as Signals Intelligence (SIGINT) military systems need to adapt to more modular and open architectures, using the Sensor Open Systems Architecture (SOSA) as a base for the discussion, as well as US Department of Defence’s Modular Open System Architectures (MOSA) initiative. The session also includes an overview of how Mercury Systems’ products align with those initiatives.

56. FBI/DoJ Charge Chinese Agent as Operative for China’s Covert Operation “Fox Hunt” in the United States

On March 30th, the US Department of Justice (DoJ) made a public release, unsealing a criminal complaint for the prosecution of Sun Hoi Ying, aka Sun Haiying, 45, after an FBI counter-intelligence operation targeting China’s Operation Fox Hunt operatives. Operation Fox Hunt is described as a covert Chinese operation to “repress dissent and to forcibly repatriate so-called ‘fugitives’ — including citizens living legally in the United States — through the use of unsanctioned, unilateral and illegal practices.” The accusation is that Ying, from “at least February 2017 through February 2022, acted in the United States as an agent of the PRC government.” The suspect “engaged in a range of activities designed to pressure individuals in the United States to return to the PRC to face charges brought by the Chinese government” according to the FBI’s New York Office that led this investigation. His first suspicious activities started in October 2016 and included, under the direction of his handler, efforts to “pressure, threaten and collect personal information” on targets of Operation Fox Hunt. Note that in week 11 (story #31) the DoJ issued a press release on the disruption of a larger Chinese espionage network following an investigation by the FBI’s New York Office, part of the same Chinese covert operation.

57. Google TAG’s Report on Cyber Activity in Eastern Europe

Billy Leonard of Google’s Threat Analysis Group (TAG) published a summary of nation-state cyber activities they have recently detected and/or disrupted in relation to the Russia-Ukraine war. Those were the following three: 1) A cyber espionage operation by China’s PLA Strategic Support Force (SSF) targeting government and military entities in Ukraine, Russia, Kazakhstan, and Mongolia. 2) A cyber espionage campaign from a Russia-based actor “targeting several US based NGOs and think tanks, the military of a Balkans country, and a Ukraine based defense contractor” as well as, for the first time this actor targeted militaries “of multiple Eastern European countries, as well as a NATO Centre of Excellence.” 3) A cyber espionage operation by a unit of the Belarusian Ministry of Defence targeting Ukraine with a new technique for credential harvesting utilising compromised websites.

58. US NGA Announces Collaboration with NextGen for eMTI Service

The United States National Geospatial-Intelligence Agency (NGA) announced that they selected “NextGen Federal Systems to develop an Enhanced Moving Target Indicator (eMTI) data service. eMTI is deployed into production in the Amazon Web Services (AWS) Commercial Cloud Service (C2S) environment.” As per NGA’s GEOINT Basic Doctrine 1–0, MTI is defined as “Moving target indicator; category of data derived from pulsed-Doppler radar sent from sensor to user by Joint STARS, bypassing a processor as intermediary; a graphic display of moving target vectors highlighting the direction and velocity of the targets.”

59. Viasat Releases Summary of the Recent Cyber Attack and Researcher Reverse Engineers the Software Implant

In week 10 (story #80) it was disclosed that the satellite communications (SATCOM) companies Viasat and Eutelsat faced a large-scale cyber attack targeting mainly Ukraine, allegedly from the Russian intelligence services. In week 11 (story #59) the US government issued an alert to SATCOM companies, and this week, on March 30th, Viasat published a short article titled “KA-SAT Network cyber attack overview” describing what happened. Later a reverse engineer obtained an infected device, extracted the software implant and published his research. Sentinel Labs cyber security firm also released a technical analysis and dubbed the software implant the “AcidRain” wiper, since its intention was to wipe data to make the SATCOM modems inoperable. Quoting Sentinel Labs, this is the 7th data wiper software implant used against Ukraine for cyber attacks since the beginning of the conflict.

60. Chief of French DRM Dismissed Over Bad Intelligence of Russian Military Plans in Ukraine and AUKUS Pact

On March 31st it was announced that the Director of France’s Military Intelligence Agency (DRM), General Eric Vidaud, was dismissed after barely seven months of service in this position over “inadequate briefings” and a “lack of mastery of subjects.” The article says that French Army Chief of Staff, General Thierry Burkhard explained that “the Americans said that the Russians were going to attack, they were right. Our services thought instead that the cost of conquering Ukraine would have been monstrous and the Russians had other options” to bring down the government of Ukraine. BBC also comments that “his service came in for criticism when Australia scrapped a multi-billion dollar submarine contract with France in favour of a security pact with the US and UK.”

61. Russian FSB Detains Resident of Crimea on Espionage Charges

On Thursday, March 31st, Russia’s Federal Security Service (FSB) announced the detainment of a Russian resident of Crimea for collaborating with Ukraine’s Security Service (SBU), and attempting to escape arrest by moving to areas under the full control of Ukraine. No further information was released.

62. Video: Mother, Daughter, Sister, Spy — Women’s History Month

On Thursday, March 31st, the International Spy Museum published a video recording from October 2020 titled “Mother, Daughter, Sister, SPY | Women’s History Month” featuring several female intelligence professionals from the United States. Specifically, the virtual event was moderated by journalist Lori Stokes and featured Amy S. Hess who was Executive Assistant Director at the FBI (twice — First in the Science & Technology Branch and then in the Criminal, Cyber, Response and Services Branch), Lieutenant General Mary Legere who served as US Army’s Deputy Chief of Staff for Intelligence (G2) in 2012–2017, Dr. Jung H. Pak who served as Deputy National Intelligence Officer at the National Intelligence Council, Karen Schaefer who served as CIA Operations Officer including as Chief of Operations in the Directorate of Science & Technology, Deputy Associate Director of Military Affairs, Deputy Chief of Counterintelligence and other positions, and Debra Evans Smith with an over 30 year long career at the FBI’s counterintelligence division, including the investigation of former FBI Agent Robert P. Hanssen.

63. How Intelligence Services Use the Russia-Ukraine War to Conduct Cyber Espionage Operations

On March 31st, Check Point Research cyber security firm published an analysis with 3 examples of how intelligence agencies take advantage of the Russia-Ukraine war in their cyber espionage operations. The 3 examples are: 1) A nation-state actor from a Latin American country, dubbed as “El Machete” conducted a cyber espionage operation targeting financial and government entities in Nicaragua and Venezuela by sending a modified lure document “written and published by Alexander Khokholikov, the Russian Ambassador to Nicaragua that discussed the Russo-Ukrainian conflict from the perspective of the Kremlin” which if opened, would install a cyber espionage software implant. 2) Next, an actor associated with the intelligence agencies of Iran and dubbed as “Lyceum” targeted an Israeli energy company and another one in Saudi Arabia via emails pointing to lure documents about the war or links to news articles that were hosted on websites set up by the actor to covertly install cyber espionage software implants. 3) Finally, it was the Indian government cyber espionage operation targeting Pakistani military entities that was covered in week 11 (story #80).

64. Bulgaria SANS Internal Investigation for Russian Penetrations and Case Opened Against Two Senior SANS Officers

For the last few weeks (see week 9 story #32 and week 11 story #65) Bulgarian authorities have been dismantling Russian espionage networks in the country. This week it was announced that Bulgaria’s State Agency for National Security (SANS) is investigating some of its own employees for potential espionage activities in support of Russia. Bulgarian President, Rumen Radev, stated that “SANS has a strong immune system and is working actively to prevent any breakthrough in terms of espionage activities.” The Prime Minister of Bulgaria, Kiril Petkov, provided more details in his statement saying that “what we are investigating in many places is a large Russian diaspora in Bulgaria. SANS is investigating them. Some of my reports are about Russian agents who worked specifically against our mutual understanding of the Republic of North Macedonia. Russia’s interest has been focused on having no European future for the Western Balkans.” On Friday, April 1st, it was announced that two SANS senior officers (heads of two departments) have been removed from the Agency and are being investigated. SANS chairman, Plamen Tonchev, said that “Measures have been taken to prevent our employees from being allowed into the building. At the moment, they have been fired. I want to assure the public that SANS has an extremely well-established internal control mechanism and we do not hesitate to take action, including against our employees, no matter what it costs us. The goal is to be able to clear the Agency’s structures of elements that have no place in it. After the data collected by the Agency, we informed the Prosecutor’s Office on Wednesday afternoon. Based on our data, pre-trial proceedings were instituted yesterday and the necessary actions have been taken.”

65. Ukrainian SBU Publishes Summary of Counter-Intelligence Activities

On March 31st, Ukraine’s Security Service (SBU) published a short summary of 4 recent counter-intelligence operations. In the Luhansk region SBU opened a criminal case against a group creating and disseminating propaganda against Ukraine. In the city of Rivne SBU exposed a Russian spy gathering intelligence on the location of the Armed Forces of Ukraine. In Kiev SBU detained a Ukrainian national for promoting Russian actions over the internet and disseminating anti-Ukraine content online. Lastly, in the city of Vinnytsia SBU exposed a female Russian agent promoting the independence of Luhansk and Donetsk and the delivery of subversive actions against Ukraine on social media platforms.

66. Director of the CIA William Burns Tested Positive for COVID-19

Via a press release the US Central Intelligence Agency (CIA) announced on March 31st that CIA Director (DCI) William Burns tested positive for COVID-19. He is fully vaccinated and boosted against the virus and has experienced mild symptoms.

67. Ireland’s Garda Assesses Readiness for Counter-Espionage

Following the expulsion of Russian intelligence officers under diplomatic cover earlier this week (story #32), Garda Commissioner Drew Harris stated that the “Garda’s preparedness, and the level of resources available, for counter-espionage and State security investigations is under review in direct response to Russia’s invasion of Ukraine.” He continued that Garda has dual responsibilities acting as “a security service, as well as being a policing service” including resources dedicated to counter-intelligence operations. He concluded that “we are resourced to deal with the threats and if I feel the resources are insufficient then I have an open channel to my own Minister in terms of the resources or equipment or processes that we might need.”

68. Russian Sanctions Evasion Networks and Technology Companies

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a detailed article describing sanction evasion networks used by the Russian intelligence services to continue the funding of key government sectors in a covert manner. The article also revealed cyber attacks developed and executed by the State Research Centre of the Russian Federation (FGUP) Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM).

69. Interviews & Book: Dr. Kylie Moore-Gilbert — The Uncaged Sky

From September 2018 until November 2020, British-Australian Islamic Studies expert Dr. Kylie Moore-Gilbert was convicted and imprisoned in Iran on espionage charges based on IRGC counter-intelligence. Eventually, she was released in the 2020 “spy swap” in which Iran freed her in return for two Iranian operatives imprisoned in Thailand in relation to the 2012 Bangkok bombings aimed at assassinating Israeli diplomats. This week Moore-Gilbert released her book titled “The Uncaged Sky: My 804 Days in an Iranian Prison” and spoke at the Wheeler Centre, which published the 1-hour long interview, and to 60 Minutes Australia, which published a 25-minute long video.

70. New Chinese Cyber Espionage Capabilities and Campaign

On March 30th, Fortinet Threat Research cyber security firm published a technical analysis for a cyber espionage campaign using an opportunistic approach of scanning multiple online entities for vulnerable systems and automatically infiltrating them with a new advanced cyber espionage software implant Fortinet dubbed as “Fire Chili”. The activity has been attributed to an actor dubbed as “DEEP PANDA” who has been previously associated with the Chinese state.

71. DoJ Indicts NSA Cryptographer For Leaking Classified Material

On March 31st, the US Department of Justice (DoJ), after an investigation by the FBI’s Counterintelligence Division (CD), released the indictment against Mark Robert Unkenholz, 60, resident of Hanover, Maryland, who was subsequently arrested. According to the indictment, he “worked for an office within NSA that was responsible for NSA’s engagement with private industry” and in the period of February 2018 to June 2020 he sent 13 emails with National Defence Information (NDI) ranging in classifications from SECRET to TOP SECRET/SCI to a female (who once was authorised/had clearance) named in the indictment as R.F. The indictment highlights that “UNKENHOLZ was not authorized to send R.F. classified information or NDI using his PERSONAL EMAIL ADDRESS, nor was R.F. ever authorized to receive it at her COMPANY 1 EMAIL ADDRESS or COMPANY 2 EMAIL ADDRESS.” According to researcher Matt Blaze, he was an NSA cryptographer who, Blaze believes, was one of the inventors of the Clipper chip.

72. Media Reveal FSB PSYOP with Fake Video and Dissemination

As reported by Business Insider, a video showing a woman accusing Ukraine of war crimes in Mariupol was created by Russia’s Federal Security Service (FSB) and disseminated via FSB-affiliated news outlets. This was initially reported by the Russian media outlet Mediazona, which showed screenshots of what are allegedly emails from FSB’s Public Relations Centre sharing the video and asking news outlets to share it with a disclaimer to omit mentioning its source.

73. Podcast: Cold Space — History of SIGINT Using Satellites

On April 1st, 2022 the Electronic Warfare Podcast published a new 12-minute long episode focused on the Signals Intelligence (SIGINT) gathering satellite capabilities and their development throughout the Cold War era. The guest of the podcast is Dr. Dwayne Day, a well-known space historian and policy analyst.

74. Canadian CSIS Increased Attention to Ideological Domestic Extremism

Alex Boutilier of Global News published an article quoting documents from the Canadian Security Intelligence Service (CSIS) indicating that there has been a major shift from “closing its right-wing extremism desk in 2016 to spending almost as much time and resources tracking “ideological” domestic extremism as religious terrorist groups like Daesh and al-Qaeda in 2021.” CSIS uses the term Ideologically Motivated Violent Extremism (IMVE) and the article highlights how CSIS asks for more collection powers to combat this (and other) threats. The article quotes former CSIS analyst Stephanie Carvin saying that “there’s real, legitimate concern about the amount of online collection we want our national security services engaging in. There’s real concerns over privacy, freedom of speech. So we need to balance those concerns with the nature of the threat. And the best way to do that is through democratic legislation, not the security services trying to wing it, because they’ve had their knuckles rapped multiple times by the (Federal Court).”

75. New Cyber Espionage Campaign Targeting Russian Dissidents

Malwarebytes Labs cyber security firm published a technical analysis of a previously unknown cyber espionage operation targeting Russian “people that are against the Russian government” in Russia as well as Russian government entities. The operation is delivered via emails with lure documents that, if opened, would install a commercially available cyber espionage software implant named Cobalt Strike. The operation was first observed on March 23rd and it has not yet been attributed to a specific actor or exact motivation.

76. Overview of Ukrainian PSYOPs Targeting Russia and Belarus

Michael Weiss of the New Lines magazine published an article demonstrating some of the Ukrainian special services’ Psychological Operations (PSYOPs) observed via WhatsApp messages, radio broadcasts and other media targeting Russian and Belarusian forces in order to dissuade them.

77. Videos: SIGINT History: Clandestine Broadcasters & a Navy “Y” Intercept Station

The YouTube channel Ringway Manchester published two short videos this week related to Signals Intelligence (SIGINT) history. The first was an 11-minute long video titled “The Clandestine Broadcasters They Didn’t Want You To Hear” covering the history of some of the most well known 1980s clandestine radio stations. The second video, 6.5-minutes long, covers a secret Navy “Y” intercept station operated by a small group of women during WWII with the mission of Direction Finding (DF) and interception of enemy signals.

78. Spire Global Spy Satellites for RF and GPS Interference

Following HawkEye 360 (see week 10 story #6), this week Spire Global announced that in partnership with Slingshot Aerospace they are expanding their offerings to include Radio Frequency (RF) identification and GPS interference detection for military applications. This came after a $2 million 2021 contract of the US Space Force to develop a tool using proliferated Low Earth Orbit (pLEO) constellations to identify ground RF and GPS interference. For that contract Slingshot will develop the pLEO Data Exploitation and Enhanced Processing (DEEP) prototype in order to “automate manual data exploitation techniques to deliver intuitive, easily digestible data products at low latencies for military operations.” The role of Spire will be to supply “Slingshot Aerospace with GPS telemetry data” from their satellites since it uses “one of the world’s largest multi-purpose satellite constellations.”

79. Pakistani Cyber Espionage Operation Targeting IIT Hyderabad

A Cyber Threat Intelligence (CTI) researcher discovered and disclosed the technical indicators of an active cyber espionage operation targeting India’s Institute of Technology (IIT) in Hyderabad with a lure document impersonating an assignment on Social Studies. If the targets open the document, a custom cyber espionage software implant dubbed “Crimson RAT” will be covertly installed. The operation was attributed to an actor dubbed “TRANSPARENT TRIBE”, who has previously been associated with the government of Pakistan.

80. Germany Charges Reserve Army Officer as Russian Spy

On Friday, the Federal Prosecutor’s Office of Germany announced that Ralph G., a German Army reserve officer, has been charged with espionage related to transferring information to Russian intelligence services in the period of 2014–2020. The suspect was also a member of “several German business committees” due to his profession and according to the Prosecutor he has been “supplying information on the German military’s reserves, “civil defence”, the impact of sanctions levelled against Moscow in 2014, and the Nord Stream 2 gas pipeline project between Russia and Germany” as well as “personal data of high ranking members of the Bundeswehr and figures from the business world, including contact details.” The Prosecutor also notes that as part of his compensation the suspect also “received invitations to events organised by the Russian government agencies.”

81. NIA Received Threats of Prime Minister Assassination Plot and Launched Large Scale Operation

As it became known on Friday through controlled leaks, the Mumbai office of India’s National Investigation Agency (NIA), the country’s domestic intelligence agency, received a threat via email with details of an assassination plot targeting Prime Minister Narendra Modi. The plot was shared with multiple agencies and the media. NIA launched a country-wide investigation into the threats. The following part of the email was released to the public: “…I have met with some terrorists, they are going to help with rdx, I am happy that I have got bombs very easily and now I will blast everywhere… I have planned it, 20 sleeper cells will be activated and millions of people will be killed.”

82. Canada’s CSE Calls Out Russian Information Operations

Canada’s signals intelligence agency, the Communications Security Establishment (CSE), publicly stated that Russian intelligence services have been conducting Information Operations (IO), or as CSE called them “Russian-backed disinformation campaigns” to influence the public. CSE said that one claim confirmed as a fabricated IO is that “Ukraine was harvesting organs of fallen soldiers, women and children, and using mobile cremators to dispose of the evidence.” CSE continued that Russia has “created and amplified fake stories and narratives falsely claiming that only military targets were being attacked, and that civilian casualties in Ukraine were lower than what confirmed, verifiable reports have shown. Equally, we’ve seen Russia’s efforts to promote stories that falsely categorize Russian protesters and citizens opposed to the invasion as supporting neo-Nazis and genocide.”

83. Webinar: AUSA Presentation on Irregular Warfare

On March 31st, the Association of the US Army (AUSA) published the recording of a presentation by Seth G. Jones, PhD, Senior Vice President at the Centre for Strategic & International Studies (CSIS), former Director of the International Security and Defense Policy Centre at the RAND Corporation, with extensive career in the US Special Operations Command, and author of the book “Three Dangerous Men: Russia, China, Iran, and the Rise of Irregular Warfare.” The session was moderated by retired US Army Major General John G. Ferrari and covered the topic of irregular warfare, including the use of intelligence services and covert action, from Russia, China and Iran, with stronger focus on Russia and the recent developments in Ukraine.

84. Dutch Intelligence Agencies Granted More Spying Authorities

On Friday, with a new temporary law, the Dutch cabinet decided to grant more cyber espionage powers to the General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD). Note that in week 7 (story #49) and week 10 (story #5) there was a push in that direction by AIVD and MIVD. With the new law, the two intelligence agencies are allowed to perform “bulk inspection” to proactively identify threats, as well as to infiltrate systems if the target changes infrastructure without any additional authorisation (as it was before). The law, for now, was passed as temporary to combat the threats coming from Russia and China. The AIVD also published an announcement of the new authority on its official website.

85. USPS Covert Spying Program Overstepped its Authority

The Inspector General of the US Postal Service (USPS) found that “more than a quarter of analysts’ work on a covert program over two-plus years may not have had legal authorization.” The investigation of USPS’ Internet Covert Operations Program (iCOP) started last year at the request of the House Oversight and Reform Committee. On March 25th, 2022 the auditors stated that “certain proactive searches iCOP conducted using an open-source intelligence tool from February to April 2021 exceeded the Postal Inspection Service’s law enforcement authority. Furthermore, we could not corroborate whether other work analysts completed from October 2018 through June 2021 was legally authorized.” During 2020–2021 more than 15 iCOP produced reports had no postal nexus and less than 5 were election-related. The USPS agreed to “conduct a full review of the Analytics Team’s responsibilities, actions, and procedures to develop a process to ensure its work is authorized and intends to implement those changes by Sept. 30.”

86. Bellingcat Uses Data Breach Data to Uncover Russian Intelligence Services Personnel

On April 1st, Aric Toler of Bellingcat published an article detailing how a recent data breach of the Russian food delivery service Yandex Food could be used to uncover Russian intelligence personnel. In summary, the OSINT analyst searched for orders from known FSB, GRU and other intelligence agencies’ sites and identified the individuals that made those orders.

87. US Navy Selected REMUS 300 for Unmanned Spy Submarines

As published by Janes, the US Navy selected Huntington Ingalls Industries (HII) REMUS 300 Unmanned Underwater Vehicle (UUV) for its next-generation small UUV (SUUV) program. Janes’ article notes that “the selection follows the completion of a two-year rapid prototyping effort” and that this highlights “the production and testing of the REMUS 300 UUVs in its initial phase in 2023.”

88. Israel Identifies Intelligence Gap After Series of Attacks

On April 1st, Amos Harel published a story in Haaretz indicating that the recent attacks from Palestinian actors highlighted that the Israeli intelligence community’s focus has shifted over recent years due to the sustained hits to Al Qaeda and ISIS in Syria, Iraq and elsewhere. However, those recent incidents were a wake-up call for the Israeli intelligence community to boost its counter-terrorism efforts and resources.

89. Survey of Chinese Espionage in the United States Since 2000

The United States Centre for Strategic & International Studies (CSIS) published a survey of 160 publicly reported instances of Chinese espionage targeting the US since 2000. As CSIS states, “of the 160 incidents we found that 24% occurred between 2000–2009 and 76% occurred between 2010–2021.”

90. Podcast: Cold War Conversations — Shooting Down KAL007

On April 2nd, Cold War Conversations published a new 1.5-hour-long episode featuring Brian J. Morra, who was Chief of Intelligence Analysis for US Forces Japan at Yokota Air Base when, in September of 1983, a Korean airliner was shot down by a Soviet Union fighter jet, causing the death of 269 people. This is the main topic of the podcast, which draws on Morra’s book “The Able Archers”, itself based on his experiences during that time of the Cold War.

91. US General Electric Power Engineer Convicted for Attempting to Conduct Economic Espionage for China

The US Department of Justice (DoJ) convicted Dr. Xiaoqing Zheng, 59, of Niskayuna on “conspiracy to commit economic espionage” this Friday. Zheng was a sealing technology engineer at General Electric (GE) and after the investigation conducted by FBI’s Homeland Security Investigations (HSI) Buffalo Field Office it was discovered that he “conspired to steal trade secrets from his employer, GE, and transfer this information to his business partner in China, so they could enrich both themselves and companies receiving support from the PRC government.” Special Agent in charge, Janeen DiGuiseppi, of the FBI’s Albany Field Office said that “Dr. Zheng used his status as a trusted engineer with GE to conspire to commit economic espionage on behalf of the People’s Republic of China.” Sentencing is scheduled for August 2nd, 2022.

92. Bulgaria Expels Russian Diplomat on Espionage Accusations

Following the expulsion of 2 Russian spies under diplomatic cover in week 9 (story #32) and 10 more in week 11 (story #65), on Friday the Bulgarian Ministry of Foreign Affairs stated that another Russian diplomat is persona non grata over espionage accusations and has 72 hours to leave the country.

93. South Korean NIS Reports 99 Attempts of Industrial Espionage in the Last Five Years

On Saturday, April 2nd, the National Intelligence Service (NIS) of South Korea announced that they have thwarted 99 industrial espionage attempts over the last 5 years which would have cost companies about $18 billion if successful. From January 2017 to February 2022 there were 86 disrupted industrial espionage cases for the following: 19 attempts involving display devices, 17 related to semiconductor technology, 17 about electric and electronic products, 9 on automobile technology, 8 related to shipbuilding, 8 about information and communications systems, and 8 about machinery. The most common method was the recruitment of employees/insiders.

94. Podcast: The Art of Espionage and the Perfect Intelligence Operation

On April 1st, Matt Devost of OODALoop published a new 49-minute-long episode titled “The Art of Espionage and the Perfect Intelligence Operation”, featuring Jim Lawler, who served for 25 years as a CIA operations officer in various international posts and as Chief of the Counterproliferation Division’s Special Activities Unit, as well as a member of CIA’s Senior Intelligence Service (SIS-3) from 1998 until his retirement in 2005. J. Lawler is currently Senior Partner at MDO Group, which provides Human Intelligence (HUMINT) training to the Intelligence Community and the commercial sector focused on Weapons of Mass Destruction (WMD), Counter-Intelligence (CI), technical and cyber issues.

95. UAE Has Been Funding the Israeli NSO Group

It was announced that the Israeli NSO Group, which develops and sells cyber espionage solutions (mainly “Pegasus”) to governments and has been banned in the US since November 2021, has been receiving funding from the Emirate of Abu Dhabi, in the United Arab Emirates (UAE). According to the article, since 2019 the Crown Prince of Abu Dhabi, Mohamed bin Zayed Al Nahyan, through his Mubadala Capital Ventures has been investing in NSO Group.

96. Istanbul Has Been a Spy Hub for Years

On April 2nd, Kieron Monks of iNews published a story summarising the threats of espionage in Istanbul, Turkey as the Ukraine-Russia peace talks take place there. The article summarises several cases of covert action and espionage that have recently taken place in Istanbul and the threat that this poses to the negotiators.

97. EFF Analysis on Covert GPS Tracking Device Found on Supporter’s Car

The Electronic Frontier Foundation (EFF) published an article based on a covert GPS tracking device an EFF supporter discovered under her driver’s seat during a visit to a mechanic. It was an M-Labs “Apollo” and EFF did a full technical analysis of it in the article.

98. OSINT Analysis Targeting Russian Troops by InformNapalm

This week the International Volunteer Community (InformNapalm) published various OSINT analysis products from the Russia-Ukraine war. The first post used facial recognition to de-anonymise a member of the Russian Pacific Fleet. The second post used public photos of medals of fallen Russian soldiers to identify people and forces involved in certain battles. And the third post reviewed public photos from Mariupol to identify the Russian units that participated in the battle there.

99. OSINT-Discovered ELINT/SIGINT Flights

This is a brief summary of ELINT/SIGINT/ISR flights identified by aviation enthusiasts during this week:

  • 27MAR2022: Summary of at least 5 ISR flights from the US, France and Sweden near Ukraine. Source
  • 27MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE10) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine border. Source1 Source2
  • 27MAR2022: French Air Force Transall C-160G Gabriel (F216, callsign HOOPA21) flight over Romania. Source
  • 27MAR2022: 3 Turkish UAVs flying west of Aleppo, Syria. Source
  • 27MAR2022: Turkish Navy Bayraktar TB2 (reg. number N/A, callsign TCB801) flight across the Greece-Turkey sea border. Source
  • 27MAR2022: US Air Force Boeing RC-135W Rivet Joint (64–4139, callsign PYTHN57) flight over Iraq. Source
  • 27MAR2022: Turkish TAI Aksungur UAV (reg. number N/A, callsign CENAH01) flight from Elâzığ Airport and patrolling over the village of Çevirme, Turkey. Source
  • 27MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF645) flight from Malmen Airbase to Poland, near Ukraine and Belarus border. Source
  • 27MAR2022: US Navy P8 Poseidon (AE6854, callsign N/A) flight from Naval Air Station Keflavik, Iceland and heading to the North Sea. Source
  • 27MAR2022: US Navy Lockheed EP-3E Aries II Orion (16–0764, callsign PQ54) flight from Chania, Greece to Romania-Moldova border. Source
  • 27MAR2022: Skyborne Aviation Special Mission Diamond DA-42-MPP Guardian (G-SADB, GSADB) flight from Gloucestershire Airport to ISR South of Cardiff and back. Source
  • 27MAR2022: Diamond Executive Aviation (DEA) Beech 90 King Air (G-WKTS, WKT27) flight from Birmingham Airport, UK to North of Dublin, Ireland and back. Source
  • 28MAR2022: Summary of at least 13 ISR flights from the US, Sweden, and France near Ukraine. Source
  • 28MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) and (88–00325, callsign YANK02) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 28MAR2022: US Air Force Northrop Grumman E-8C J-STARS (95–0121, callsign REDEYE6) flight from Ramstein Air Base, Germany to Poland near the Ukraine border. Source
  • 28MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE10) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine border. Source
  • 28MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign HOMER11) flight from Souda Bay, Crete, Greece to Romania-Moldova border. Source
  • 28MAR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF645) flight from Malmen Airbase to Poland, near Ukraine and Belarus border. Source1 Source2
  • 28MAR2022: RAF Boeing RC-135W Rivet Joint (ZZ664, callsign RRR7232) flight from RAF Waddington to Poland and Romania near Ukraine’s border. Source
  • 28MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4138, callsign BIFF34) flight from Lincoln Air National Guard Base, Nebraska to Colombia-Venezuela border. Source
  • 28MAR2022: Royal Saudi Air Force (RSAF) Beechcraft King Air 350i (4106, callsign N/A) flight from Majors Airport, Greenville, TX to the L3 Harris Multi-Sensor Test Facility in Greenville and back. Source
  • 28MAR2022: US Air Force Boeing RC-135U Combat Sent (64–14849, JAKE31) flight from RAF Mildenhall to near Kaliningrad. Source1 Source2
  • 28MAR2022: Diamond Executive Aviation (DEA) Beech 90 King Air (G-WKTS, WKT22) flight from Birmingham Airport, UK to ISR over the Liscannor Bay, Ireland and back. Source
  • 28MAR2022: US Air Force RC-135W Rivet Joint (62–4130, callsign JAKE11) flight from RAF Mildenhall, UK to Poland-Ukraine border. Source
  • 29MAR2022: Summary of at least 5 ISR flights from the US and UK near Ukraine. Source
  • 29MAR2022: RAF Boeing RC-135W Rivet Joint (ZZ664, callsign RRR7231) flight from RAF Waddington to Poland and Romania near Ukraine’s border. Source
  • 29MAR2022: Hellenic Air Force IAI Heron Blk 1 UAV (0055D8, callsign N/A) flight from Skyros Air Base to over Zacharo, Greece. Source
  • 29MAR2022: US government General Atomics MQ-20 Avenger (N901PC, callsign SKYBORG1), General Atomics MQ-9 Reaper (N990DA, callsign UAV12), and unidentified UAV (158F73, SKYBORG3) flight from El Mirage Field Airport, CA. Source
  • 29MAR2022: Italian Air Force Gulfstream C-37B (MM62293, callsign PERSEO71) flight from Rome–Fiumicino International Airport, Italy to Romania-Moldova border. Source
  • 29MAR2022: US Navy Northrop Grumman MQ-4C Triton (168458, callsign SCORE47) flight from NAS Patuxent River, MD heading South. Source
  • 29MAR2022: Turkish TAI Aksungur UAV (4B829B, callsign CENAH01) flight from Elâzığ Airport to ISR over Ağrı Dağı Milli Parkı, Turkey. Source
  • 29MAR2022: US Navy Boeing P-8A Poseidon (AE6873, callsign N/A) flight near Philippines. Source
  • 29MAR2022: US Air Force Boeing WC-135W Constant Phoenix (61–2667, JAKE21) flight from RAF Mildenhall heading North. Source
  • 29MAR2022: NATO AGS RQ-4D Phoenix (MM-AV-SA0017, UAVGH000) flight from Naval Air Station Sigonella to the Black Sea and Romania, Poland near the Ukraine border. Source
  • 29MAR2022: Turkish Bayraktar TB2 (reg. number N/A, callsign BYKR01 and BYKR02) on test flight in the test site of Keşan, Turkey. Source1 Source2
  • 30MAR2022: Summary of at least 10 ISR flights from the US and France near Ukraine. Source
  • 30MAR2022: Turkish Bayraktar TB2 (reg. number N/A, callsign BYKR04 and BYKR01) on test flight in the test site of Keşan, Turkey. Source1 Source2
  • 30MAR2022: US Air Force Boeing RC-135U Combat Sent (64–14849, JAKE31) flight from RAF Mildenhall to near Kaliningrad. Source
  • 30MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4138, callsign RAFT38) from Lincoln Air National Guard Base, Nebraska to Colombia-Venezuela border. Source
  • 30MAR2022: US Air Force RC-135W Rivet Joint (62–4130, callsign JAKE11) flight from RAF Mildenhall, UK to Poland-Ukraine border. Source
  • 30MAR2022: Turkish Navy Leonardo P-72 ATR 72–600 TMPA (TCB753, callsign GUMUS83) flight from Cengiz Topel Naval Air Station to ISR over Artaki Bay, Sea of Marmara. Source
  • 30MAR2022: US Air Force RQ-4B Global Hawk (10–2045, callsign FORTE10) flight from Naval Air Station Sigonella to the Black Sea near the Ukraine border. Source
  • 30MAR2022: Azerbaijani Bayraktar TB2 (reg. number N/A, callsign TKTIKTB2) flight from Kyurdamir Air Base to nearby ISR mission. Source
  • 30MAR2022: French Air Force Transall C-160G Gabriel (F216, callsign HOOPA21) flight over Romania. Source
  • 30MAR2022: US Air Force Northrop Grumman E-8C J-STARS (95–0121, callsign REDEYE6) flight from Ramstein Air Base, Germany to Poland near the Ukraine border. Source
  • 30MAR2022: US Air Force Boeing RC-135V Rivet Joint (64–14843, callsign N/A) flight near Taiwan. Source
  • 30MAR2022: US Army Beech RC-12X Guardrail (91–00516, callsign YANK01) and (88–00325, callsign YANK02) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 30MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign HOMER31) flight from Souda Bay, Crete, Greece to Romania-Moldova border. Source
  • 30MAR2022: (Allegedly covert CIA) MBD Ventures (Prescott) Casa CN-235 Persuader (N506KM, callsign PSK603) flight to Mihail Kogălniceanu International Airport, Romania and then to Zvartnots International Airport, Armenia. Source
  • 31MAR2022: Summary of at least 7 ISR flights from the US near Ukraine. Source
  • 31MAR2022: US Navy P8 Poseidon (AE67AE, callsign N/A) flight from Naval Air Station Keflavik, Iceland and heading to the North Sea. Source
  • 31MAR2022: US Air Force RC-135V Rivet Joint (64–14844, callsign JAKE12) flight from RAF Mildenhall, UK to Poland-Ukraine border. Source1 Source2
  • 31MAR2022: Qatar Air Force Bayraktar TB2 (QA605, callsign N/A) flight from the Al-Shamal UAV base to ISR pattern over Al Kuwari. Source
  • 31MAR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign HOMER41) flight from Souda Bay, Crete, Greece to Romania-Moldova border. Source
  • 31MAR2022: US Air Force Boeing RC-135S Cobra Ball (61–2663, callsign MEMO63) flight from Kadena Air Base, Japan en route to the Japan Sea. Source
  • 31MAR2022: NATO AGS RQ-4D Phoenix (MM-AV-SA0017, UAVGH000) flight from Naval Air Station Sigonella to the Black Sea and Romania, Poland near the Ukraine border. Source
  • 31MAR2022: Israeli IAI Heron Machatz-1 UAV (738BE9, callsign N/A) flight from Tel Nof Airbase flying through Gefen, Israel. Source
  • 31MAR2022: Royal Australian Air Force Lockheed AP-3C Orion (A9–657, callsign STRIKER10) from RAAF Edinburgh, South Australia and transited to the Bass Strait exercise area between Victoria and Tasmania. Source
  • 31MAR2022: US Navy Boeing P-8A Poseidon (AE6793, callsign N/A) flight in East Mediterranean. Source
  • 31MAR2022: US Army Beech RC-12X Guardrail (88–00325, callsign YANK03) flight from Šiauliai Air Base in Lithuania, to the borders with Kaliningrad. Source
  • 01APR2022: US Air Force Boeing RC-135U Combat Sent (64–14849, JAKE31) flight from RAF Mildenhall to near Kaliningrad. Source1 Source2
  • 01APR2022: US Air Force Northrop Grumman E-8C J-STARS (95–0121, callsign REDEYE6) flight from Ramstein Air Base, Germany to Poland near the Ukraine border. Source
  • 01APR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF645) flight from Malmen Airbase to Poland, near Ukraine and Belarus border. Source
  • 01APR2022: NATO AEW&C Boeing E-3A Sentry (LX-N90450, callsign NATO11) flight from FOB Konya, Turkey to Romania and Poland, near the Ukrainian border. Source
  • 01APR2022: Italian Air Force Gulfstream C-37B (MM62293, callsign PERSEO71) flight from Rome–Fiumicino International Airport, Italy to Poland-Ukraine border. Source
  • 02APR2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102002, callsign SVF645) flight from Malmen Airbase to Poland, near Ukraine and Belarus border. Source
  • 02APR2022: US Air Force Boeing RC-135W Rivet Joint (62–4131, callsign HOMER61) flight from Souda Bay, Crete, Greece to Romania-Moldova border. Source
  • 02APR2022: 4 Turkish UAVs (unknown reg. numbers and callsigns) orbiting west of Aleppo, Syria. Source
  • 02APR2022: US Navy Lockheed EP-3E Aries II Orion (16–0764, callsign KL12) flight from Chania, Greece to Romania-Moldova border. Source
  • 02APR2022: Diamond Executive Aviation (DEA) Beech 90 King Air (G-WKTO, WKT33) on racetrack pattern over Newark on Trent, UK. Source
