SPY NEWS: 2022 — Week 14

Summary of the espionage-related news stories for Week 14 (3–9 April) of 2022.

The Spy Collection
Apr 10, 2022

1. Kazakhstan’s NSC Arrests Spy Plotting Subversive Actions

On April 3rd it was announced that Kazakhstan’s National Security Committee (NSC) arrested a foreign spy “planning an attack against the president of Kazakhstan and a number of high-level officials, as well as against members of the special services and security forces.” The statement said that the suspect confessed and that, during a search of his home, NSC’s counter-intelligence unit found a foreign-made firearm, drugs and large sums of cash. The arrest took place on March 25th in Nur-Sultan, the capital city of Kazakhstan. It is currently not publicly known which foreign intelligence service the suspect was working for. Iranian news published on April 6th claimed that this was an Israeli Mossad clandestine operation, and that they will soon be releasing evidence of that. Israel commented on the latter, describing it as baseless accusations.

2. Bulgaria Blames Russian Spies for Tensions with North Macedonia

Following last week’s expulsions and investigations in Bulgaria’s State Agency for National Security (SANS), this week Bulgarian Prime Minister Kiril Petkov stated that “Bulgaria’s difficulties with neighbour North Macedonia had been aggravated by Russian intelligence.” According to the announcements, Russian intelligence agencies used their penetrations in SANS to, among other things, sever the diplomatic relations between Bulgaria and North Macedonia. Prime Minister Kiril Petkov continued, saying that “it has been reported to me that Russian spies have worked specifically against relations between Bulgaria and North Macedonia. Someone is trying to wrongfully represent Bulgaria’s interests. Russia’s interest has always been to stop the Western Balkans from having a European future.”

3. SBU Summary of Counter-Intelligence Activities in Ukraine

On April 3rd, Ukraine’s Security Service (SBU) published a summary of recently completed counter-intelligence activities. In Kherson, SBU arrested a pro-Russia resident who helped Russian troops detain residents. In the city of Lviv, SBU detained a man who was recruited by Russian intelligence services and was collecting information on regional Ukrainian Armed Forces movements. Next, in Donetsk, a resident of Persotravnevogo was arrested for supplying Russian intelligence services with artillery coordinates, positions and movements of Ukrainian Armed Forces. He did so by forwarding them to a close relative living in Donetsk who, in turn, sent them to Russian intelligence. Finally, in Rivne an agent of Russia’s Federal Security Service (FSB) was sentenced to 13 years in prison for collecting and transferring intelligence related to the deployment of Ukrainian forces, and for the preparation of subversive actions in critical infrastructure. All of those were executed under the direct orders of his FSB handler.

4. NRO Announces NROL-85 Launch Patch and Information

On Sunday, April 3rd, the US National Reconnaissance Office (NRO) announced the new patch design for NRO’s Launch mission 85 (NROL-85). According to NRO’s official website, the NROL-85 launch is planned for April 15, 2022 from Vandenberg Space Force Base and will reuse the same SpaceX Falcon 9 rocket booster from NROL-87. A 6-page Press Kit was published for this launch. The spy satellites/payload of NROL-85 remains classified, but initial comments suggest the Intruder 13A and 13B satellites, part of the Naval Ocean Surveillance System (NOSS) designed for Signals Intelligence (SIGINT) and Electronic Intelligence (ELINT) gathering for the United States Navy.

5. GCSB Removes Domes and Antennae from Waihopai Station

On Monday, April 4th, New Zealand’s Government Communications Security Bureau (GCSB) Director-General Andrew Hampton announced that for the next 6 weeks a deconstruction project will take place at the Waihopai Station which includes “lifting off of the domes by crane, then the dismantling of the two steel antennae in sections.” As per the announcement, “in November the GCSB announced the decision to retire and remove the iconic radomes and dishes after almost 35 years of service. Changes in global telecommunications and information technology meant the interception of satellite communications from Waihopai had declined over the years to the point where dish use had become virtually obsolete. The radomes had also reached their structural end-of-life and would have required significant investment were they to remain operational.” The Waihopai Station will continue to operate and support GCSB’s SIGINT mission with more modern methods.

6. Podcast: Licensed to Kill: The Couple that Inspired James Bond

On April 3rd Spycraft 101 published a new 47-minute long episode titled “Licensed to Kill: The Couple that Inspired James Bond” and featuring Dr. Richard Wooldridge, founder and chief curator of the Combined Military Services Museum in the UK. This session is about two people who inspired Ian Fleming to write the James Bond spy novels while he was working at the British intelligence service: Peter Mason and his wife Prudence Mason, who served at MI6. During WWII Peter Mason was a member of the SOE and the SAS before getting assigned to a Baker team. His wife, Prudence Mason, was a WWII transport pilot who later joined MI6 and participated in several clandestine operations. Peter was a friend of and consultant to Ian Fleming, which inspired many of the James Bond stories and technical details.

7. Säpo Intensifies Counter-Intelligence Operations Targeting Russia

On Monday, April 4th, Daniel Stenling, the Head of Counter-Intelligence of the Swedish Security Service (Säpo), stated that Säpo’s counter-intelligence operations have intensified to prevent and disrupt Russian espionage networks operating in Sweden. Specifically, he highlighted the increased Russian attempts to recruit agents and noted that all three Russian intelligence agencies (SVR, FSB and GRU) are currently active in Sweden.

8. Germany and France Expel Russian Diplomats on Spying Accusations

On Monday it was announced that Germany expelled 40 Russian diplomats from the Russian Embassy in Berlin for “suspected links to spy agencies” and France followed along by expelling 35 Russian diplomats suspected of being involved in espionage activities.

9. New Cyber Espionage Campaign Targeting Mongolia

Cyber Threat Intelligence (CTI) researcher Jazi discovered and disclosed technical indicators of an active cyber espionage operation targeting entities in Mongolia by impersonating the national Confederation of Mongolian Trade Unions (CMTU) with a lure document pretending to be government legislation updates for salary increases. If a target opens this lure document, a custom cyber espionage software implant would be covertly installed. It is not known who is behind this operation but last week (story #57), Google’s Threat Analysis Group (TAG) discovered a different cyber espionage operation targeting Mongolia that was executed by China’s PLA Strategic Support Force (SSF).

10. Minister in the Presidency in South Africa Warns SSA Operatives for Stepping out of their Authority

Following the previous weeks’ revelations and escalations about corruption and politicisation in South Africa’s State Security Agency (SSA), this week Mondli Gungubele, Minister in the Presidency, publicly warned SSA operatives to act within the parameters of the law, and that “those caught on the wrong side of the law would be dealt with.”

11. French DGSE’s 40th Anniversary Celebration

On April 4th France’s foreign intelligence agency, the Directorate-General for External Security (DGSE), announced that on April 2nd the agency celebrated its 40th anniversary. DGSE was created on April 2nd, 1982 as a successor of the External Documentation and Counter-Espionage Service (SDECE) that existed from November 1944 to April 1982. The announcement mentions that 2022 is a special year since the Central Intelligence and Action Bureau (BCRA) also celebrated its 80th anniversary on January 17th. To celebrate this, DGSE published a comic book titled “QUI A CASSÉ ENIGMA?” (Who broke Enigma?)

12. Turkish MİT Kidnaps 3 Individuals from Afrin, Syria

On April 2nd, ANHA news agency published that the Turkish National Intelligence Organisation (MİT) conducted a paramilitary operation in Afrin, Syria and more specifically in the village Deir Sawan of the Shara district. The MİT operatives captured 3 individuals and it is not known why they were captured or where they are currently being held. The 3 individuals are: Aref Nabi Daoud (32), Hassan Naasan Barazi (23) and Ahmed Leyla.

13. Australia Deports Chinese Millionaire on Espionage Accusations

On April 4 Nick McKenzie of The Sydney Morning Herald newspaper published an article describing how the Australian Security Intelligence Service (ASIO) provided evidence to the Australian federal government that led to the deportation of Chinese millionaire property developer Zheng Jiefu. According to the article he was covertly operating on behalf of China’s Ministry of State Security (MSS), the main foreign intelligence agency of China. Zheng Jiefu was granted permanent residency in Australia in 1998 and had been involved in several espionage activities including a defamation covert operation targeting Miles Guo (Guo Wengui) in 2015 for his Whistleblowers’ Movement.

14. Lithuanian Intelligence Warns as Victory Day Approaches

May 9 is one of the largest national celebrations in Russia, the Victory Day, which celebrates the Soviet Union’s victory over Nazi Germany in WWII. The Lithuanian State Security Department (VSD) announced that “it cannot be ruled out that provocations or violent incidents may occur during these events.” Several former Soviet Union countries (including Lithuania) hold Victory Day events in their cities and, as the article says, “these events are usually attended by several hundred people. Some of them wear Saint George’s ribbons, symbols of the Soviet victory over Nazi Germany. However, the Lithuanian parliament is planning to outlaw it, since Saint George’s ribbons have also been used as signs of support for Russia’s war against Ukraine.” All of those increase the risk of civil unrest incidents.

15. Russian Cyber Espionage Operation Targeting EU Governments

Ukraine’s national CERT publicly disclosed technical indicators of a cyber espionage operation delivered via emails impersonating Ukraine’s Ministry of Defence requests for humanitarian and military assistance to foreign governments. The targets were the government of Latvia and other EU government agencies. If the targets opened the attached file they would get compromised by a custom made cyber espionage software implant. The operation has been attributed to an actor dubbed as “UAC-0010” who has been previously associated with Russian FSB’s 4th Section of the Service for Counter-Intelligence Operations (SCO) for the Department of the Russian Federation in the Republic of Crimea and the city of Sevastopol.

16. Podcast: True Spies — Pure Green Greed

On April 5th, SpyScape’s True Spies series published a new 45-minute long episode titled “Pure Green Greed” and featuring retired FBI Supervisory Special Agent John W. Whiteside III who from 1992 led the counter-intelligence case of NSA intelligence analyst Robert Lipka, 32 years after he sold classified NSA material to the Soviet KGB.

17. Crypto Museum: AU-018 VHF/UHF Receiver and AU-020 Bug

The Crypto Museum published a short article on a covert universal VHF/UHF bug receiver named AU-018. The article says that it was developed in the early 1990s by an unknown manufacturer and that it was compatible with a series of covert listening devices (bugs) listed in the article. A more detailed article was also posted for the AU-020 covert listening telephone FM device (bug).

18. Sweden Expels 3 Russian Diplomats on Espionage Accusations

In week 12 (story #95) Sweden’s State Security agency (Säpo) was skeptical over the expulsion of Russian intelligence officers under diplomatic cover, but this week Ann Linde, Sweden’s Foreign Minister, announced the expulsion of 3 Russian diplomats as a protest over, quoting, “that war crimes had been committed” in several cities in Ukraine, and because, regarding those 3 Russian diplomats, it “is absolutely clear that they are involved in illegal espionage activities in Sweden.”

19. Somalia’s NISA Disrupted Terrorist Plot to Assassinate the Country’s President and Prime Minister

Somalia’s National Intelligence and Security Agency (NISA) publicly stated that a cell of the terrorist group Al-Shabaab was plotting to assassinate President Mohamed Abdullahi Mohamed and Prime Minister Mohamed Hussein Roble. NISA highlighted that government officials were briefed on the plot and actions taken by NISA. On April 6th, the Somali President disputed NISA’s claims saying they are collaborating with Al-Shabaab. On April 7th an Al-Shabaab representative said this is a false statement and they never had any intention to assassinate any Somali government leaders.

20. Italy Expels 30 Russian Diplomats and Notes Western Coordinated Effort in the Expulsions

Italian Minister of Foreign Affairs Luigi Di Maio announced the expulsion of 30 Russian diplomats from Italy due to national security concerns, following several more EU and Western countries. However, Luigi Di Maio added that this was done after agreement with Italy’s European and NATO partners, making it the first public statement indicating a coordinated action among EU and NATO countries to expel Russian intelligence officers.

21. India Disrupts Two Covert Pakistani Actions on the Border

On April 3rd, India’s Army announced that the military foiled an infiltration attempt by Pakistani militants in the town of Naushera, Rajouri district. India’s White Knight Corps said they discovered a cache of arms and ammunition set up by this group, which was described as an “espionage cell.” The same day, a Pakistani boat was seized at the Harami Nala area in the town of Bhuj, Gujarat district. The boat was intercepted near Pillar №1160 on the maritime border by India’s Border Security Force (BSF). Later BSF said that “the boat had come for the purpose of espionage and entered the Indian border by mistake. This is also being investigated by the agencies.”

22. Jordanian Cases of Pegasus Espionage from 2019–2021

On Tuesday, April 5th, the Citizen Lab published a detailed analysis of newly identified espionage targets in Jordan using the “Pegasus” covert surveillance solution (developed and sold by the Israeli NSO Group). Citizen Lab identified that 4 “Jordanian human rights defenders, lawyers, and journalists were hacked with NSO Group’s Pegasus spyware between August 2019 and December 2021” and assessed that the operator behind it was Jordan’s intelligence services. This was then used by Human Rights organisations, such as Front Line Defenders, to demand that the Jordanian government and the international community take action against the entities behind the revealed espionage cases. In all cases, the targets received an SMS with a link that, when clicked, covertly installed the cyber espionage software implant Pegasus, giving the Pegasus operators full access to the device.

23. Denmark Expelled 15 Russian Diplomats on Espionage Accusations

Following Germany, France and Italy from earlier this week, on April 5th, Danish Foreign Minister Jeppe Kofod announced that “we have established that the 15 expelled intelligence officers have conducted spying on Danish soil.” The 15 intelligence officers under diplomatic cover were based in the Russian Embassy in Copenhagen and were given 14 days to leave the country. Kofod wanted to “send a clear signal that spying in Denmark is unacceptable.”

24. New Chinese Cyber Espionage Campaign Targeting Governments and NGOs in Multiple Countries

The Threat Hunter Team of cyber security firm Symantec published a threat analysis for a newly detected cyber espionage campaign that started in mid-2021 and was last seen active in February 2022. The campaign targeted “government-related institutions or NGOs, with some of these NGOs working in the fields of education and religion. There were also victims in the telecoms, legal, and pharmaceutical sectors” in various countries, including the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro, Italy as well as a target in Japan. The actor was exploiting a vulnerability in the VLC Media Player to execute their cyber espionage software implant. The objective was not assessed but the campaign was attributed to an actor dubbed as “APT10” who has been previously associated with China’s main intelligence agency, the Ministry of State Security (MSS), and more precisely, the Tianjin MSS Bureau.

25. Russian Film Director Regrets Declining to Work for the KGB

In a recent interview, Russian film director, screenwriter and producer Egor Konchalovsky said that at the age of 20, after a trip to France where he was studying, he was approached by the Soviet KGB in an attempt to recruit him. He said “I’m very sorry that I refused. If it were now, I would agree. And I would have gone to England already as an agent. And my life would be different! More interesting, cooler, double life, back and forth… That’s what had to be done.” He said they never attempted to reach out to him since then.

26. Pakistani Scandal Indicates Removal of ISI Chief Could be Related to Corruption and Politicisation Issues

According to the Times of Islamabad, a new audio/video recording surfaced indicating that in 2019 Pakistani Prime Minister Imran Khan removed Lieutenant General Asim Munir, the Director-General of Inter-Services Intelligence (ISI), Pakistan’s premier intelligence agency, after Munir disclosed a corruption case involving the Prime Minister’s wife, Bushra Bibi. The authenticity of the evidence is still being assessed.

27. Mossad Concluded that it Cannot Find Any Documents on the 1982 Lebanon Massacre Case

The Supreme Court of Israel requested the Israeli intelligence agency, Mossad, to investigate its archives and identify any documents “relating to ties between the agency and Lebanese Christian militias that carried out massacres at two Palestinian refugee camps in Lebanon in 1982” after a case opened by human rights advocates that are “seeking the disclosure of documents demonstrating Mossad’s links in the 1970s and 1980s to Lebanese Christian militias that committed the massacres at the Sabra and Chatila camps.” Mossad’s lawyer, Omri Epstein, said that Mossad was unable to find any such documents and Supreme Court President Esther Hayut replied that this claim is “strange.” Epstein said that even if such documents do exist “the way in which they are stored, as well as the capability to locate documents for such an inclusive request spanning eight years, is limited and difficult.”

28. Podcast: OSINT’s Crucial Role in CTI

On April 5th Authentic8, a US vendor of low-attribution products for professional Open Source Intelligence (OSINT), released a new 17.5-minute long episode featuring Adam Huenke, former USMC Special Operations Command intelligence analyst and currently OSINT training specialist at Authentic8, discussing how OSINT can support Cyber Threat Intelligence (CTI).

29. Romania and Slovenia Expel Russian Diplomats on Espionage Accusations

The Ministries of Foreign Affairs of Romania and Slovenia announced on Tuesday that they are expelling Russian diplomats as a protest and due to national security concerns. 10 Russian diplomats from the Russian Embassy in Bucharest, Romania were expelled and an unspecified number of Russian diplomats were expelled from the Russian Embassy in Ljubljana, Slovenia.

30. Ukraine Disrupts Cyber Espionage Operation Impersonating War Crimes Updates

CERT-UA disclosed technical details of a new cyber espionage operation targeting government agencies in Ukraine. The emails were impersonating updates on “war criminals of the Russian Federation” and, if opened, the attached file covertly installed a cyber espionage software implant. The operation was attributed to an actor dubbed “UAC-0010” who has been previously associated with Russian FSB’s 4th Section of the Service for Counter-Intelligence Operations (SCO) for the Department of the Russian Federation in the Republic of Crimea and the city of Sevastopol.

31. MSAB CELLEX Vendor Publishes 3 New Promotional Videos

The Swedish Cellular Exploitation (CELLEX) intelligence gathering/digital forensics vendor MSAB published 3 short promotional videos for new versions of their products. The “What’s new in XRY 10.1”, the “What’s new in XAMN 7.1”, the “What’s new in XEC 7.1” and the “Secure Digital Evidence From Any Crime Scene in Minutes Not Hours (SHORT)”.

32. Estonia Expels 14 Russian Diplomatic Mission Staff on Espionage Accusations and Closes Two Russian Consulates

On Tuesday, April 5th, the Estonian Ministry of Foreign Affairs announced that due to national security concerns and in protest of Russian actions in the war with Ukraine, 14 staff members of the Russian diplomatic mission, 7 of whom were diplomats, are persona non grata. Additionally, Estonia requested the closure of the Russian Consulate General in Narva and the Consular Office of the Russian Embassy in Tartu.

33. Latvia Expels 13 Russian Diplomats and Closes Two Russian Consulates

In the coordinated action of this week, Latvian Foreign Minister Edgars Rinkevics stated that Latvia is lowering the level of its diplomatic relations with Russia and expelling 13 Russian diplomats in protest of Russian military actions and due to national security concerns. Additionally, Latvia requested the immediate closure of the Russian Consulates General in Daugavpils and Liepaja.

34. Lithuania Expels Russian Ambassador and Closes Consulate in Klaipeda

On Monday, Lithuanian Ministry of Foreign Affairs requested the closure of the Russian Consulate in Klaipeda, downgraded its diplomatic relations with Russia, and forced the Russian ambassador to leave the country.

35. Reportedly French DGSE Officers Killed in Helicopter Crash in Ukraine

According to Russian media on April 3rd, about 20 km from the coast of Mariupol, Ukraine a helicopter was shot down as it was moving over the Sea of Azov. Russian media state that in the helicopter there were 2 officers of France’s foreign intelligence agency, the Directorate-General for External Security (DGSE). According to Avia Pro, the two suspected DGSE officers have stopped communicating and it is not clear if they are alive or dead. French Ministry of Defence denied the presence of French military in Ukraine and did not comment further on the helicopter crash.

36. Spain Expels 25 Russian Diplomats on Espionage Accusations

On April 5th, the Foreign Minister of Spain, José Manuel Albares stated that 25 Russian diplomats and staff from the Russian Embassy in Madrid are expelled in protest of Russian actions and because those 25 people “represent a threat to the interests and security of our country.”

37. Greek Court Hearings on Police Corruption Case Led by NIS

On Tuesday, the court hearings process opened for a high-profile case of corruption in the Greek government in the period of 2016–2018. The case involves 30 people, 16 of whom are former or active law enforcement officers, as well as some government officials (politicians). The suspects were working with organised crime groups to operate 350 illegal brothels, 250 illegal prostitution houses and 300 illegal gambling sites around Athens, Greece. The investigation was conducted by the Greek National Intelligence Service (NIS) and it includes 100 CDs of incriminating recordings from intercepted communications. During the last five years, 5 key suspects from this case have been assassinated, and none of the perpetrators has been arrested or identified yet.

38. Podcast: 4 New Episodes by Former CIA Case Officer on Information Handling

This week former CIA case officer Andrew Bustamante continued his podcast series on information handling with 4 new podcast episodes throughout the week. Those were: 16-minute long “What Librarians and CIA Agents Have in Common”, followed by 10-minute long “That Awkward Phase of High School and Presidential Elections”, the 17.5-minute long “The Missing Link in the info Chain”, the 18-minute long “The Anatomy of a Conspiracy”, and lastly the 17-minute long “How to Win the Perfect Mentor”.

39. Former Pakistani Spy Chief Says US Will Remember Prime Minister’s Allegations for Attempts to Overthrow Him

On April 6th, the former Director-General of Pakistan’s ISI (1990–1992), Lieutenant General Asad Durrani shared via a social media post that the current Pakistani Prime Minister, Imran Khan, had been stating that the US had tried to covertly overthrow him and this is something that the US will likely not forget and could impact the relations of the two nation-states.

40. Russian Journalist Charged as US Spy in Moscow

On April 4th Russian military reporter Ivan Safronov denied the treason charges as his trial was set to begin behind closed doors due to the sensitive nature of the evidence. Safronov was an officially accredited military journalist with access to Russian forces, Ministry of Defence events and people. In July 2020 the FSB arrested him on accusations of “disclosing secrets about Russian arms deliveries to the Middle East and Africa in 2017, while he was working for the Kommersant newspaper.” The charges state that he sold Russian military secrets to US intelligence. Currently he is facing charges of treason with a sentence of up to 20 years in prison if found guilty.

41. Australian Spy Chiefs Meet with Solomon Islands PM to Combat Chinese Threat in the Region

On April 6th, it was announced that the two top Australian spy chiefs, the Director-General of Australian Secret Intelligence Service (ASIS), Paul Symon and the Director-General of the Office of National Intelligence (ONI), Andrew Shearer, met with Manasseh Sogavare, the Prime Minister of Solomon Islands. The objective of the overt visit was to discuss Solomon Islands’ decision to “broadened security partnership with China and other countries” and align on the threats of China to the region. The article says that Solomon Islands are “willing to soften its position or abandon the deeply contentious agreement with China.”

42. Turkish Court Upholds Prison Sentences for Former TİB and TUBİTAK Executives Involved in High Profile Espionage Case

In 2018, 20 of the 28 suspects in a political and military espionage case were sentenced on espionage charges to between 10 and 44 years in prison. They were former executives of the Scientific and Technological Research Council of Turkey (TUBİTAK) and the now-closed Presidency of Telecommunication and Communication (TİB). On April 6th, the Supreme Court of Turkey decided to uphold the sentences. The ruling explains that the espionage activity was related to “crypto mobile phones developed by TUBİTAK in 2011 and made available to senior government officials in December 2012. It said those involved in the production of the phones shared their IMEI numbers and encryption keys with TİB personnel, allowing them to wiretap phone calls made by government officials. Among those whose phones were wiretapped were the then-prime minister and current President Recep Tayyip Erdoğan, National Intelligence Organization (MİT) Undersecretary Hakan Fidan, former head of the Constitutional Court Haşim Kılıç, former Chief of Staff Gen. Necdet Özel and several ministers.”

43. Poland Arrests Two Belarusians on Espionage Charges

Through an official statement Poland’s Regional Prosecutor’s Office in Poznan said on April 6th that two citizens of Belarus were arrested on espionage charges and face up to 10 years in prison. The two suspects were operating as agents of the Belarusian KGB for “among others, conducting reconnaissance of military and civilian facilities of critical importance for the defense of the Republic of Poland.”

44. Ukraine’s SBU Publishes Summary of Recently Completed Counter-Intelligence Operations

In an official update from Ukraine’s Security Service (SBU) from April 6th there were 3 new counter-intelligence cases reported. SBU detained an agent of Russian special services in the Dnipropetrovsk region for collecting “intelligence on location of strategically important objects of region and military units.” In the city of Sumy SBU exposed an agent of Russian special services who was the head of one of the city’s public organisations and was trying to pass lists of Ukrainian citizens to his handler. Lastly, in the region of Donetsk, SBU detained 2 informants of Russian special services who “collected data on the location and movements of Ukrainian troops.”

45. Norway Expels 3 Russian Diplomats due to Unwanted Activities

On April 6th Norwegian Foreign Minister Anniken Huitfeldt announced that 3 Russian diplomats from the Russian Embassy in Oslo are expelled due to the Russian actions in the war with Ukraine and “unwanted Russian activities in Norway.” No further details were provided.

46. Extradited Russian Spy in British Embassy Faces Charges in the UK

David Ballantyne Smith, 57, is a British national who was arrested by Germany’s counter-intelligence agency on August 10th, 2021 as a Russian spy and on Wednesday he was extradited to the UK. He was working as a guard in the British Embassy in Berlin, Germany and was, reportedly, operating as an agent of Russian intelligence agencies between October 2020 and August 2021. He’s now facing nine offences under the Official Secrets Act of the UK.

47. FBI Takes Over and Disrupts GRU Cyber Attack Infrastructure

On April 6th the US Department of Justice released the search warrants that the FBI used to disrupt a cyber attack infrastructure operated by Russia’s military intelligence (GRU) Unit 74455, also known as GTsST (Main Centre for Special Technologies), to conduct cyber attacks in Ukraine during the early days of the war (week 8 story #34). The FBI obtained physical access to the Command & Control (C2) servers, took them over, and used them to remove the GRU software implant (dubbed “Cyclops Blink”) from all the compromised devices as well as to collect intelligence on the GRU operators of the C2 systems. The covert FBI operation was conducted in March 2022.

48. Greece Expels 12 Russian Diplomats and Luxembourg Expels 1

On April 6th, it was announced that after an assessment by the Greek National Intelligence Service (NIS), 12 Russian diplomats were expelled, and shortly after that the Ministry of Foreign Affairs of Luxembourg announced the expulsion of a Russian diplomat “whose actions contradict the security interests of Luxembourg.”

49. Belgian ADIV Purchases Huawei Hardware Despite Warnings

Despite the cyber espionage risks highlighted by the European Union, Belgium’s military intelligence agency (ADIV) proceeded with purchasing new routers and servers from the Chinese firm Huawei. According to an anonymous ADIV official, the agency “is aware of the concerns, but they are not worried because the purchased hardware runs on American software, which limits the risk of espionage from China.”

50. Former SVR Non-Official Cover Officer Mikhail Vasenkov Dies at 79

On Wednesday Russia’s Foreign Intelligence Service (SVR) announced that Mikhail Vasenkov died at the age of 79. He was one of the non-official cover (illegal) SVR spies that had infiltrated the US and were dismantled in 2010 by the FBI in the “Illegals Program”, where Vasenkov was operating under the cover identity of Uruguay-born Juan Lazaro. In 2013 he moved to Peru with his Peruvian wife. According to SVR, he retired as Colonel from the SVR. He graduated from the Moscow Higher Combined Arms Command School in 1965, completed the 2-year training of the KGB Academy and completed the language training for Spanish and English. Since 1975 he had been operating globally as a non-official cover SVR officer collecting foreign political intelligence. In 1990 he was awarded the title of Hero of the Soviet Union as well as numerous medals from the SVR. In 2010 he was captured while operating undercover in the US after SVR Deputy Head of Directorate S, Aleksandr Poteyev, became a CIA agent and exposed him (among others).

51. Taiwan Passes Law for Up To 12 Years in Prison for Economic Espionage

Following Taiwan’s efforts to strengthen its counter-intelligence legislation against Chinese spies stealing trade secrets and other cases of economic espionage (week 7, story #44), this week it was announced that the new amendments to the National Security Act, which were approved on April 7th, state that a sentence of up to 12 years in prison can be given to agents of foreign intelligence services that attempt the “transfer of key core technologies to other countries, China, Hong Kong, Macau, overseas enemy forces, and their organizations, groups, and emissaries.” The new legislation defines “vital technologies” as “technology likely to harm Taiwan’s national security, business competitiveness or economic development, if it fell into enemy hands.”

52. Documentary: Hacked: Inside the US-China Cyberwar

On April 7th Al Jazeera English published a 25-minute long documentary titled “Hacked: Inside the US-China Cyberwar”, covering a few cyber espionage cases from China and the United States from the late 1990s to more recent years. Note that the documentary uses the term “cyberwar” to refer to cyber espionage (clandestine theft of secrets), and not to military-related destructive operations (which is the definition of cyber war).

53. Meta (Facebook) Publishes Q1 2022 Adversarial Threat Report

The Threat Disruption, Threat Intelligence for Influence Operations and Security Policy teams of Meta (formerly Facebook) published their First Quarter 2022 Adversarial Threat Report. It is a 27-page long intelligence report split into the following 6 sections: 1) Removing three cyber-espionage networks from Iran and Azerbaijan 2) Ukraine security update 3) Removing four networks for coordinated inauthentic behavior 4) Removing a mass reporting network in Russia 5) Removing a coordinated violating network in the Philippines, and 6) Removing inauthentic behavior.

54. Croatian Spy Chief Provides Insights Into US Intelligence for the Russia-Ukraine Conflict

On Tuesday Daniel Markić, the Director of Croatia’s Security and Intelligence Agency (SOA), participated in the panel “Security and International Relations” as part of the Croatian-American Forum (US-Croatia Forum) held in Zagreb, Croatia on the occasion of the 30th anniversary of Croatian-American relations. During this event he noted that “the possibility of Russia’s invasion had been discussed at the Munich Security Conference in February but that “no one expected this conflict” except the United States.” He continued by saying that “a US intelligence officer said not only that it would happen but also when it would happen. The US decided to use its intelligence community, its diplomacy and even the media, to make us all aware of that. For some of us, that was hard to believe, this proves the benefit of cooperation with the US.”

55. German BND Intercepted Russian Communications in Ukraine

According to Spiegel, the German Federal Intelligence Agency (BND) has been intercepting communications of Russian military forces in Ukraine. BND states that based on intercepted communications they have evidence that the killings in the city of Bucha, Ukraine were done by members of the Russian Private Military Contractor (PMC) Wagner Group and were known to Russian military officials.

56. New Staff Recruitment Campaign from Turkey’s MİT

According to Dosya Haber, the National Intelligence Organisation (MİT) of Turkey is looking to hire more people with a new recruitment campaign in Turkey. The motto of the campaign is “we are after you and we know you well” and it has openings for intelligence specialists, language specialists, protection and security officers and engineers. The candidates must be younger than 35 years old, have higher education and (apart from the language specialist position that is open for almost any language) they should be experts in at least one of the following foreign languages: English, French, German, Spanish, Italian and Dutch.

57. Video: Former FBI Agent Answers Body Language Questions

On April 6th, former FBI agent and supervisor Joe Navarro, who has worked in the FBI’s Counterintelligence Division (CD) and is a founding member of FBI’s Behavioural Analysis Program, answered Twitter questions on WIRED.

58. Ex-FSO Officer Arrested on Espionage Charges in Moscow

On Thursday, April 7th, it was announced that a former Federal Protective Service (FSO) officer was arrested in Moscow, Russia. The suspect’s first name is Andrei. He was arrested after a neighbour reported him due to unusual behaviour like wearing tactical gear, flying Ukrainian flags, etc. Russian law enforcement searched his apartment and found tactical equipment, knives, bulletproof vests, images with swastikas, and other items that were seized. The suspect had served as a contractor for 5 years with the FSO and was later recruited by a number of Russian state organisations relating to landowners databases. Currently he is facing charges of conducting espionage for Ukraine but no further information was disclosed.

59. South Korean NIS Warns of Increased Cyber Activity Against Cryptocurrency Exchanges

South Korea’s National Intelligence Service (NIS) publicly stated that they are monitoring and reporting cyber exploitation operations targeting South Korea’s cryptocurrency exchanges, giving several recent examples of such incidents. Most of the activity originates from the intelligence agencies of North Korea who see cryptocurrency theft as another way to boost their economy that is impacted by international sanctions.

60. Hamas Uses Online HUMINT to Compromise Military and Police Officers

Omer Benjakob of Haaretz published an article describing how Hamas, over the past 6 months, has been using online Human Intelligence (HUMINT) techniques in combination with traditional cyber espionage methods to compromise devices of Israeli police and military officials. The Hamas cyber operators are setting up fake social media profiles (mainly on Facebook and dating services like Tinder) of attractive women and then using online HUMINT methods to lure the Israeli officials into installing cyber espionage software implants disguised as messengers, photo attachments, and other files. The cyber security firm Cybereason published a technical analysis of the Hamas cyber operation that combines online HUMINT with cyber espionage.

61. Spy Way of Life: Dubai’s Iranian Club

On Friday, Intelligence Online published a new article on their series of “Spy Way of Life” where they are covering meeting grounds and sites that are frequently used by spies. This week’s selection was the Iranian Club, Dubai, a social club complex in the Oud Metha area of Dubai, United Arab Emirates. The club was created in 1990 by the Iranian government and is frequently used by Iranian spies. Quoting Weekly Blitz from March 2021, “the Iranian Club in Dubai is the main social club of Iranian expatriates in the country, which is also known as the key activity point of the Iranian intelligence.”

62. Chinese Cyber Operations Targeting India’s Power Grid

The American private intelligence firm Recorded Future published the analysis of a new cyber operation they detected targeting Indian power grid organisations over the past 18 months. The assessment states that “the objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations.”

63. Alleged ISI Espionage Ring Dismantled in Washington DC

On Thursday the FBI allegedly dismantled a Pakistani ISI espionage network and arrested two of its members. The suspects are Arian Taherzadeh, 40, and Haider Ali, 35, and four members of the US Secret Service have also been placed on administrative leave. In his confession, Haider Ali claimed that he was an ISI agent operating under his handler’s direction, but the investigation is still ongoing. Taherzadeh had recruited the four Secret Service agents and a DHS employee “with, among other things, rent-free apartments (with a total yearly rent of over $40,000 per apartment), iPhones, surveillance systems, a drone, a flat-screen television, a case for storing an assault rifle, a generator, and law enforcement paraphernalia.” However, all of those (apartments, cars, electronic devices, etc.) were rigged with covert surveillance equipment. Other covert surveillance equipment was also discovered by the FBI. To achieve that, the suspects were posing as US federal agents.

64. Austria Expels 4 Russian Diplomats on Espionage Accusations

Following the rest of the European countries, Austria announced that 4 Russian diplomats from the Russian Embassy of Salzburg will have to leave the country by April 12th. The spokesman didn’t provide justification apart from acting “incompatible with their diplomatic status” but open source reports claim it was related to espionage activity.

65. Tajikistan Disputes Claims of Kyrgyzstan Convicted Spy Having Disappeared

On April 7th the Ministry of Justice of Tajikistan announced that media from Kyrgyzstan have been disseminating fake news over the case of Artykov Saidahmed Ganievich who was arrested and convicted as a spy of Kyrgyzstan while operating covertly. The announcement says that Artykov serves his prison term in the Penal Colony YaS #3/1, has made no complaints, is verified to be healthy and is in constant contact with his close relatives (including visits) and, based on Kyrgyzstan’s request, he’s also regularly meeting with representatives of the Embassy of Kyrgyzstan.

66. Australia’s First Female Intelligence Agency Boss

On April 8th, Anthony Galloway of The Sydney Morning Herald published an article about Rachel Noble, who, after 20 years in the Australian intelligence community, was appointed in February 2020 to the position of Director-General of the Australian Signals Directorate (ASD), Australia’s premier SIGINT agency. That made her the first woman to hold this position.

67. US DoJ Sentences Chinese Spy to 2.5 Years in Prison

On Thursday, April 7th, the US Department of Justice (DoJ) released the public statement for the sentence of Xiang Haitao, 44, who pleaded guilty in January 2022 to conspiring to “steal a trade secret from The Climate Corporation, a subsidiary of Monsanto, an internationally based company doing business in St. Louis, Missouri, for the purpose of benefitting a foreign government, namely the People’s Republic of China (PRC).”

68. Podcast: SpyCast — ISIS Leader al-Mawla

On April 5th International Spy Museum’s SpyCast published a new 48-minute long podcast episode titled “ISIS Leader al-Mawla: Caliph. Scholar. Canary. Snitch.” and featuring Dr. Daniel Milton, Director of Research at the Combating Terrorism Centre at the United States Military Academy and an Associate Professor in the Department of Social Sciences. As the description says, the intelligence-related topics covered are “the ideological feud between Islamic State and Al Qaeda. Islamic State’s retreat from a quasi-state centered to a shadowy insurgency. Battlefield intelligence such as “exploitable material” and “interrogation reports”, and the role of the Combating Terrorism Center in analyzing this intelligence.”

69. MI5’s CPNI Warns of Online Recruitment/HUMINT Operations

Since 2007 the British MI5 has operated the Centre for the Protection of National Infrastructure (CPNI), and this week it launched a new threat intelligence campaign to inform national infrastructure entities that foreign intelligence agencies are creating fake social media profiles and using them to recruit spies in the UK via online Human Intelligence (HUMINT) techniques. This became increasingly popular during the earlier days of the pandemic when travel restrictions were stricter, but according to CPNI it continues to this day.

70. US Convicts Kansas University Professor for Hidden Chinese Ties

On Thursday, Feng “Franklin” Tao, 50, was convicted on three counts of wire fraud and “one count of false statements by a federal jury after purposefully hiding that he was employed by a government affiliated university in China.” Feng Tao was employed as Professor of Chemical Engineering at the University of Kansas and had also conducted “research under contracts between the U.S. government and the university.” Although the investigators did not find any clear evidence of espionage, they found that Tao was hiding his relations and financial transactions with the Fuzhou University, and he also lied, stating he was in Europe while he was working full-time at the Fuzhou University of China. He’s now facing up to 20 years in prison.

71. Canada’s CSE Receives Major Funding Boost for Cyber Protection

Canada’s premier SIGINT agency, the Communications Security Establishment (CSE), will be receiving almost a billion dollars over the next 5 years for improvements in offensive and defensive cyber capabilities. The House of Commons announced the funding of $875.2 million over five years, starting in the 2022/2023 fiscal year, and then $238.2 million annually “to address the rapidly evolving cyber threat landscape.”

72. Microsoft Disrupts GRU Cyber Operations in Ukraine

With an official press release on April 7, Microsoft announced that this week they identified and disrupted cyber operations from an actor they track as “STRONTIUM” and who is associated with Russia’s military intelligence (GRU). Microsoft obtained a court order allowing them to take over 7 domain names used by the GRU cyber operators and then redirect all the infected systems to Microsoft-controlled systems to help disinfect them. Microsoft highlights that GRU “was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information” and the targets included media organisations, government institutions and think tanks involved in foreign policy in the United States and European Union.

73. Video: Iranian-backed Group Leaks Alleged Mossad Covert Activities in Kazakhstan

On Friday, April 8th, the hacktivist group “open hands”, which has been accused by Israel of being an Iranian intelligence-backed entity, published a 6-minute long video allegedly showing covert Israeli activities in Kazakhstan including arms deals, expansion of military collaboration by creation of military bases, the establishment of organisations to extract and process rare earth ores in Kazakhstan until 2045, as well as support of US intelligence efforts to destabilise Kazakhstan (to indirectly impact Russia) which allowed Israel to increase its military activity in the country including defence systems sales. The article says that the assassination attempt (story #1) was part of this.

74. DSN — The New Domestic Intelligence Agency in Austria

On April 7th, Florian Flade published a detailed blog post in German about the issues the Austrian intelligence community was recently facing and how, since December 2021, the Federal Ministry of Interior has set up the new Directorate for State Security and Intelligence (DSN) as a replacement of the Federal Office for the Protection of the Constitution (BVT). The agency’s head is Omar Haijawi-Pirchner and DSN is responsible for domestic intelligence operations (e.g. counter-espionage, counter-terrorism, national security threats, etc.). Based on DSN’s website, its main focus since the beginning of the year has been combating hate crime and right-wing extremism, with the agency announcing on April 7th a nation-wide operation to combat those threats.

75. Finland Expels 2 Russian Diplomats

On Friday Finland’s Ministry of Foreign Affairs announced the expulsion of 2 Russian diplomats from the country without any detailed justification other than that it was in alignment with the EU’s decision for Russia’s actions in the war.

76. Russia Expels 2 Bulgarian and 45 Polish Diplomats from Moscow

In response to the ongoing “PNG war” the Russian Ministry of Foreign Affairs announced that 2 diplomats from the Bulgarian Embassy in Moscow were declared as Persona Non Grata, and 45 employees of the Polish Embassy and Consulate in Russia were also declared as PNG.

77. Dutch AIVD Places New Artwork on the Roof of its HQ

The Dutch General Intelligence and Security Service (AIVD) announced that a new artwork was placed on the roof of the AIVD headquarters building in Zoetermeer, Netherlands. The artwork is a statue designed by artist Anne de Vries and named “De Wachter” (The Watcher).

78. UK Announces New Spy Satellite Project Codenamed MINERVA

On April 4 the United Kingdom’s Defence Equipment & Support (DE&S) announced that under Project MINERVA Surrey Satellite Technology Ltd (SSTL) was awarded a £22 million contract to design and build spy satellites that will be launched in mid-2023. Project MINERVA is the foundation for the development of a network of British satellites for intelligence, surveillance and reconnaissance (ISR) missions.

79. FSB Detains Resident of Yalta for Conducting Cyber Operations

The Russian Federal Security Service (FSB), Office of Crimea and the city of Sevastopol, made a public statement about the detention of a male born in 1993, resident of Yalta, who supported SBU cyber operations by taking advantage of his employer’s infrastructure to target Russian entities. The suspect was a system administrator in a local company and used his privileged access to install software that allowed him to execute cyber operations under direct orders from his SBU handlers. From February 24th until March 10th he carried out cyber operations targeting websites of Russian media and financial organisations. He’s now facing up to 5 years in prison.

80. Germany’s Cold War Case of Using BND to Infiltrate Rival Party

Philip Oltermann from The Guardian published an article summarising an espionage case from the 1950s that is not widely known. In summary, Konrad Adenauer who was the first Chancellor of Germany covertly used the country’s Federal Intelligence Agency (BND) to infiltrate and spy on the rival parties which helped him remain in power.

81. Interview: Mike Howard, Former CIA and Microsoft CSO

On April 10th, the Association of Former Intelligence Officers (AFIO) published a new 48-minute long episode from their “Special Interviews for Members” series. The interview was hosted by AFIO’s 17th President and 37-year US intelligence community veteran, James R. Hughes together with Ralph Mariani, former CIA Operations Officer who had served with Mike Howard in Manila, Philippines. The special guest was of course Mike Howard, the former Chief Security Officer (CSO) of Microsoft (for 16 years) and prior to that, CIA Operations Officer for 22 years.

82. Chief of SVR Publishes Summary of the World Situation

On April 7th, Sergei Naryshkin, the Director of Russia’s Foreign Intelligence Service (SVR) published a summary of the world situation as seen by the SVR on the agency’s official website. It identifies the attack on Ukraine as a “moment of truth for the Russian world” that faces existential threats from “aggressive globalism embodied in American hegemony, NATO expansion, the policy of “liberal interventionism” and LGBT propaganda.” He notes that the conflict revealed something “much larger than the fate of the Kiev regime.” He said that US strategists are attempting to turn Ukraine “into a kind of Afghanistan” and putting a wide variety of controls (e.g. economic measures, blocking humanitarian support, etc.) using the “cancellation culture” mechanism to make Russia appear toxic. He quoted the Davos World Economic Forum of “by 2030 you will have nothing and you will be happy” for the middle class elimination, how EU countries are negatively impacted more than Russia due to lack of courage to oppose the United States, and that Asian, African and Latin American countries support Russia. He notes that “these goals were pursued in Yugoslavia, Afghanistan, Iraq, Libya, and Syria” and that Russia is challenging this by promoting a “multipolar world that never existed before and from which everyone, even our current adversaries, will benefit in the future.”

83. The 1996 Espionage Story of Lockheed Martin Engineer Charlton

30+ year CIA veteran Christopher Burgess published a summary of the espionage case of Lockheed Martin engineer John Douglas Charlton who, while retiring in 1989, stole the US Navy plans for the “Sea Shadow” experimental stealth ship and the “Project CAPTOR” for deep-water naval mines that release anti-submarine mines. Starting in 1993 J. Charlton tried to sell those military secrets to someone posing as a French spy. However, that someone was an undercover FBI Special Agent from the Counterintelligence Division (CD). In 1996 he was sentenced to 2 years in prison.

84. Closer Collaboration Between Turkish MİT and Kyrgyzstan’s UKMK

According to Intelligence Online, the case of Turkish-born Kyrgyz citizen Orhan Inandi who was kidnapped in 2021 by MİT operatives in the capital of Kyrgyzstan, Bishkek, and other recent developments reveal a closer collaboration between the Turkish MİT and Kyrgyzstan’s State Committee for National Security (UKMK) to support each other in covert operations. In the case of MİT, their main effort is to identify and repatriate any Turkish citizens that support or are affiliated with the Gülen movement (FETÖ) — which is classified as a terrorist organisation in Turkey. This was the case with Inandi where UKMK conducted part of this mission and together with MİT covertly captured Inandi, interrogated him and flew him back to Turkey.

85. Former Head of FSB Fifth Service’s DOI Moved to Prison

In week 10 (story #77) it was reported that FSB’s Head of the Department of Operational Information (DOI) of the Fifth Service (Operational Information and International Relations Service), General Sergey Beseda (responsible for the Ukraine intelligence operations), was placed on house arrest after concerns of leaking information to foreign intelligence agencies. This week it was announced that he was transferred to the Lefortovo prison (also known as KGB prison) in Moscow which is operated by the FSB’s counter-intelligence. His case is currently investigated by the Military Investigative Department of the Investigative Committee (GVSU SK).

86. Former Argentinian President’s Brother to Testify on AGI Case

Following week 8 (story #41) where former President of Argentina Mauricio Macri was accused of using the country’s Federal Intelligence Agency (AGI) for illegal espionage, this week it was disclosed that the former President’s brother, Mariano Macri, was called to testify as a witness for the illegal espionage case on April 11th.

87. Ecuadorian SENAIN After Swedish Cyber Security Expert

On Saturday, April 9th, news reported that Ecuador’s National Intelligence Secretariat (SENAIN) and law enforcement raided the office of Swedish cyber security expert Ola Bini. According to the Ecuadorian intelligence, Bini is a friend of WikiLeaks founder, Julian Assange, and is accused of attempting to conduct cyber espionage against the state oil company, Petroecuador.

88. Former CIA Senior Executive on Chinese Espionage in the US

On April 7th, Mark Kelton, former CIA Senior Executive with 34 years of service including as the CIA Deputy Director for Counterintelligence, wrote a short article on the threat of Chinese espionage to the United States.

The Spy Collection

Weekly summaries of all published espionage-related news stories. For inquiries please use: info@spycollection.org