SPY NEWS: 2022 — Week 2

Summary of the espionage-related news stories for Week 2 (8–16 January) of 2022.

The Spy Collection
Feb 1, 2022

1. Taiwan’s National Communications Commission Discovers Hidden Censorship Capabilities on Xiaomi Smartphones

On January 8th, the National Communications Commission (NCC) of Taipei, Taiwan announced the discovery of built-in applications in the Xiaomi Mi 10T 5G smartphone that censor content (such as politically sensitive keywords and certain websites) in compliance with the Chinese Communist Party (CCP). NCC also stated that, unlike other phones, the 10T devices do not allow users to turn off the tracking functions.

2. NGA Researches Hybrid Way of Working for Those With and Without Security Clearances

On January 10, Lauren C. Williams of Defense One published an article on how the U.S. National Geospatial Agency (NGA) is planning to modernise its way of working, as well as its St. Louis campus, to enable a hybrid way of working for employees with and without security clearances in 2022.

3. Former Military Analyst and Politician Faces Espionage Charges in Turkey

Turkish former military analyst and one of the founders of the Democracy and Progress Party (DEVA), Metin Gürcan, was arrested and faces espionage charges for allegedly providing military intelligence (relating to Turkish operations in Libya, Iraq, PKK, drones, the S-400, and others) to Spain and Italy. He currently faces 15–20 years in prison.

4. Danish Intelligence Chief Arrested Over Suspected Leaks of Classified Intelligence to Journalists

The Danish DR news agency released a story on January 10th describing how Lars Findsen, the Chief of the Danish Defence Intelligence Service (DDIS) and former Chief of the Security and Intelligence Service (PET), allegedly leaked classified intelligence products to journalists. Those leaks led to a counter-intelligence operation by PET, which eventually led to the detainment of L. Findsen and other intelligence officers involved in the leaks.

5. At Least Half of Russia’s Diplomats in Belgium Were Spies

On January 10, Andrew Rettman of the EU Observer published a story demonstrating that at least half of Russia’s diplomats in Belgium were intelligence officers. The published research aimed at identifying the specific Russian intelligence officers that were operating under diplomatic cover in the NATO headquarters in Belgium.

6. Former Head of Kazakhstan’s Intelligence Agency Arrested for Treason

According to Joseph Fitsanakis’ analysis published on January 10th, Karim Masimov, ex-Intelligence Chief, former Prime Minister (twice), and past Director of Kazakhstan’s National Security Committee (NSC), was dismissed from his position and, soon after that, arrested by the Agency he was previously leading for alleged acts of treason.

7. NGA Supports Influence Operation Against Russian Wagner in Africa

Based on Intelligence Online reporting published on January 10th, the U.S. National Geospatial Agency (NGA) utilises its TEARLINE program to support an influence operation against the involvement of Russia’s Private Military Contractor (PMC) Wagner in the Central African Republic (CAR) region. The program aims to use NGA’s satellite (and other) capabilities to demonstrate the negative impact of Wagner’s operations in CAR.

8. Latvia’s VDD/MIDD Detained Two Persons Associated with Russian GRU

The Public Broadcasting of Latvia (LSM) released a news article on January 11th describing how the country’s State Security Service (VDD) and Military Intelligence and Security Service (MIDD) collaborated in a counter-intelligence operation that resulted in detaining two individuals associated with Russia’s military intelligence (GRU). According to LSM, the detained persons were tasked to collect and report “capabilities, procedures, plans and training of the National Armed Forces, procurement of the defense system, as well as activities of NATO extended presence forces in the territory of Latvia.”

9. El Salvador Journalists Under Government Surveillance Using NSO Group’s Pegasus Software Implant

Citizen Lab released a forensic analysis named “Project Torogoz” confirming 35 cases of Salvadoran journalists who were under government surveillance through the Pegasus software implant, which was covertly installed on their mobile devices. Pegasus is developed and sold by the Israeli NSO Group. Although all of the intelligence collection targeting those journalists occurred between July 2020 and November 2021, Citizen Lab proves that El Salvador has been a Pegasus customer since at least November 2019.

10. Sweden Created New Intelligence Agency to Combat Information Operations

Sweden announced the creation of the Psychological Defence Agency (MPF), which aims to combat foreign Information Operations (IO). Its mission statement defines it as “identifying, analysing and responding to inappropriate influences and other misleading information directed at Sweden or Swedish interests.”

11. U.S. CISA Issued an Alert for Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

On January 11th, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued the alert AA22-011A created by the joint Cyber Security Advisory (CSA) to warn critical infrastructure operators of commonly seen Tactics, Techniques, and Procedures (TTPs) employed by Russian state-sponsored cyber operatives who are actively targeting the U.S. critical infrastructure sector.

12. CIA Announces Their 75th Anniversary

On January 12th, the CIA announced via its official Twitter account its 75th anniversary (1947–2022), which will include the sharing of stories of the Agency throughout the year.

13. U.S. CYBERCOM Attributes Cyber-Espionage Activity to Iran’s MOIS

The U.S. Cyber Command’s Cyber National Mission Force made a public announcement on January 12th officially attributing cyber-espionage activities associated with a nation-state actor dubbed “MUDDYWATER” by the cyber-security industry to the Iranian Ministry of Intelligence and Security (MOIS).

14. Belgian Interfederal Olympic Committee Warns Travellers to Beijing Olympics of Espionage Threat

The Belgian Olympic and Interfederal Committee (BOIC) issued a recommendation to the teams of athletes that will be travelling to China for the 2022 Olympic Games in Beijing to avoid travelling with their personal electronic devices (e.g. laptops, smartphones) for fear of close-access cyber-espionage operations conducted by the Chinese intelligence community.

15. MI5 Warns U.K. Parliament of Penetration by Chinese Agent

On January 13th, Gordon Corera & Jennifer Scott of BBC reported that Britain’s MI5 (also known as the Security Service) warned Members of Parliament that a Chinese agent has infiltrated the Parliament in order to interfere in the United Kingdom’s politics. The report explicitly names Christine Ching Kui Lee, who has, reportedly, been operating on behalf of the Chinese Communist Party (CCP) and influencing British politics via donations, funding, and other activities.

16. DPRK Stole Almost $400 Million in Cryptocurrencies in 2021

The Chainalysis Team published a report on January 13th demonstrating how North Korea (DPRK) used a variety of cyber-enabled operations with its intelligence apparatus to siphon funds to the country, mainly through cryptocurrencies. There was a 40% growth of such activity from 2020 to 2021, leading to a total of around $400 million worth of digital assets.

17. Ukraine’s SBU Upgrades its Technical Capabilities

The Security Service of Ukraine (SBU) is receiving funds and expertise from the U.S. to upgrade its intelligence capabilities. This leads to investing more in domestic intelligence resources like the recently announced contract of the SBU with the Ukrainian Lawful Interception (LI) vendor Altair-775, as well as the drop of SBU’s contracts with the Israeli Ultra Global and Rayzone that used to provide similar products and services to the SBU.

18. CIA is Conducting a Covert Operation to Train Ukrainian Paramilitary Forces in the U.S.

On January 13th, Zach Dorfman published on Yahoo! News an in-depth investigation of an ongoing CIA paramilitary operation which started in 2015 under the Ground Branch of the Special Activities Center (SAC) of the Agency. The operation involves secretly flying select members of Ukrainian special operations forces and other intelligence personnel to an undisclosed location in the Southern part of the United States, then training them in a wide variety of paramilitary and espionage skills. The purpose is, reportedly, to assist the CIA in local operations such as intelligence collection activities.

19. Several Ukrainian Government Websites Compromised and Defaced

As reported by Bill Toulas of Bleeping Computer on January 14th, at least 15 websites belonging to various public sector entities of Ukraine were compromised, defaced to display anti-Ukrainian messages, or temporarily taken down. Although some media reports indicate a cyber attack operation from Russian operators, there is currently no official or reputable evidence to support this.

20. Israel’s Shin Bet Reportedly Disrupted an Iranian Spy Network Recruiting Women

According to public reports, Israel’s internal security agency, Shin Bet, completed a counter-intelligence operation which resulted in the arrest of five Jewish women of Iranian descent who were recruited by an Iranian intelligence officer via Facebook and operated for several years using WhatsApp as their main communications channel. They were getting paid by the Iranian handler to provide photos of sensitive locations, infiltrate communities of interest, and carry out other intelligence collection activities.

21. Russia’s FSB Arrests REvil Ransomware Group Members

On January 14th, Russia’s Federal Security Service (FSB) conducted 25 raids in Moscow, St. Petersburg, Leningrad, and Lipetsk regions and arrested more than 12 members of one of the largest ransomware operator groups, known as REvil.

22. Turkish Intelligence Agency (MİT) Launches its First SIGINT/ELINT Ship

Ragip Soylu of the Middle East Eye (MEE) reported on January 14th that Turkey’s National Intelligence Organisation (MİT) is launching its first intelligence-gathering (SIGINT/ELINT) ship. The 99-metre long ship was designed and built by the Turkish government-owned company STM, and is designated as TCG Ufuk (A-591).

23. Microsoft Discovered a Previously Unknown Destructive Malware Targeting Ukrainian Organizations

Microsoft Threat Intelligence Center (MSTIC) identified and reported a previously unknown destructive malware targeting Ukraine-based victims, which first appeared on January 13th. The malware pretends to be ransomware, but it is designed to only wipe data. MSTIC refrained from making any attribution statements beyond that it’s a new malware associated with a nation-state actor.

24. Greek Intelligence Agency Leaked Cables Reveal Operations Targeting Anti-Vaccination Movements and Migrant Groups

An article written by journalist Dimitris Terzis and published by EfSyn on 14 January 2022 reveals classified National Intelligence Service (NIS) cables related to operational activities of the internal security branch of NIS. Those included the tracking and identification of people participating in anti-vaccination gatherings and events, the monitoring of migrant activities, such as reporting on specific people expressing certain opinions on the topic, and other similar internal security operations.

25. Security Researcher Identified Cyber-Espionage Operation Targeting the Renewable Energy Industry

On January 16th, cyber-security researcher William Thomas published a technical analysis of an active cyber-espionage operation targeting the renewable energy industry for intelligence gathering purposes. Based on his analysis and Google Threat Analysis Group (TAG) tactical intelligence, the activity cannot be accurately attributed, but it has some hallmarks of past Russian military intelligence (GRU) activity.

26. OSINT-Discovered ELINT/SIGINT Flights

This is a brief summary of ELINT/SIGINT flights identified by aviation enthusiasts during this week:

  • 08JAN2022: U.S. Air Force Boeing RC-135V (63-9792, callsign OLIVE56) flight from RAF Mildenhall to Crete, Greece.
  • 10JAN2022: U.S. Navy Lockheed EP-3E ARIES II (157316, callsign BATMN30) flight over South Korea.
  • 10JAN2022: U.S. Air Force Boeing RC-135W Rivet Joint (62-4134, callsign JAKE11) flight across Belarus borders in Poland, Lithuania, and Latvia.
  • 11JAN2022: Swedish Air Force Gulfstream IV SP S102B Korpen (102003, callsign SVF623) flight over the Gulf of Gdansk and Kaliningrad.
  • 12JAN2022: U.S. Navy EP-3E Orion (16-1410, callsign MN806) flight over the Persian Gulf.
  • 12JAN2022: U.S. Air Force Boeing RC-135W Rivet Joint (62-4138, callsign N/A) flight over South Korea.
  • 12JAN2022: U.S. Air Force Boeing RC-135W Rivet Joint (62-4134, callsign JAKE11) flight from RAF Mildenhall, UK to Kaliningrad.
  • 13JAN2022: U.S. Navy EP-3E Orion (16-1410, callsign MN806) flight over the Persian Gulf.
  • 13JAN2022: U.S. Air Force Boeing RC-135W Rivet Joint (62-4126, callsign SKIM45) flight over the Caribbean Sea and the Colombian/Venezuelan borders.
  • 13JAN2022: RAF Boeing RC-135W Rivet Joint (ZZ665, callsign RRR7204) flight from RAF Waddington to Ukraine (borders with Russia and Black Sea).
  • 14JAN2022: U.S. Air Force Boeing RC-135W Rivet Joint (62-4135, callsign N/A) air refuelling over South China Sea, close to Taiwan.
  • 14JAN2022: U.S. Army Challenger 650 ARTEMIS (N/A reg. number, callsign: CL60) flight over the Black Sea-Ukrainian/Russian borders.

The Spy Collection

Weekly summaries of all published espionage-related news stories. For inquiries please use: info@spycollection.org