SPY NEWS: 2022 — Week 48

Summary of the espionage-related news stories for Week 48 (27 November-3 December) of 2022.

The Spy Collection
Dec 4, 2022

1. Latvian VDD Investigates “TV Rain” Support to Russian Forces

In an official announcement, the Latvian State Security Service (VDD) counter-intelligence stated that “on December 2 this year, the State Security Service (VDD) has opened an investigation in connection with the statements made in the news program of the television channel “TV Rain” registered in Latvia, which raises suspicions about the assistance provided by this television channel to the soldiers of the Russian occupation forces.”

2. United States: Madison County Resident Indicted for Violating U.S. Sanctions Against Iran

On November 29th the FBI Counterintelligence Division (CD) together with the US Department of Justice stated that “an indictment was unsealed today charging Ray Hunt, 69, of Madison County, with federal offenses related to an illegal scheme to export U.S.-origin goods to Iran. The 15-count indictment charges the defendant with conspiracy to defraud the United States, sanctions violations, smuggling goods from the United States, and submitting false or misleading export information. According to the indictment, since at least November 2017, the defendant conspired to export U.S.-origin parts used in the oil and gas industry, including control valves and oil tubing, through his Alabama-based company, Vega Tools LLC, to customers in Iran. The defendant transshipped the goods to Iran through Turkey and the UAE to evade U.S. sanctions. Hunt was arrested and made his initial court appearance earlier today. If convicted, Hunt faces a maximum penalty of up to 20 years in prison and up to a $1 million fine for violating U.S. trade sanctions against Iran. In addition, he faces up to five years for the conspiracy charge, 10 years for the smuggling offense, and up to five years for the false information offense. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.” The indictment is available here.

3. Australia’s ASIO: National Terrorism Threat Level

On November 28th the Australian Security Intelligence Organisation (ASIO) released this video. As per its description, “Australia’s general terrorism threat level is POSSIBLE. While Australia remains a potential terrorist target, there are fewer extremists with the intention to conduct an attack onshore. A transcript of the Director-General’s statement is available on the ASIO website.”

4. Artamonov Released the Names of British Intelligence Officers Involved in the Attack on the Crimean Bridge

On December 3rd the RIAFAN reported that “British intelligence MI-6 participated in the preparation of terrorist attacks on the Nord Stream gas pipelines and was involved in undermining the Crimean bridge. This was stated by military expert Alexander Artamonov. He said that he already knew the names and surnames of those officers who had a hand in the incidents. Artamonov said that an officer of the British Army Intelligence Corps, Nigel Donnelly, as well as a British officer, Hugh Ward, were involved in the terrorist attack on the Crimean Bridge. The latter was just developing a plan for the destruction of a strategic facility. The expert also noted that, according to his information, Officer Donnelly is currently in Lithuania.”

5. The EU Has a Spy Problem — Here’s Why It’s So Difficult to Catch Them

Politico published this article on December 1st stating that “Brussels, as nearly everyone knows, is packed with spies. They’re hovering at the bar at the think tank networking event. They’re raising their hand in the press room at European Union briefings. They’re listening in — if a 2019 warning to staff from the European External Action Service is to be believed — at the bars and restaurants near the European Commission’s headquarters. That the walls have ears has long been a fact of Brussels life. But the fight against espionage is receiving renewed attention as the EU’s spy-catchers redouble their efforts in the face of Russian hostility, Chinese spying and the return of Great Power geopolitics. The trouble, for those charged with addressing the problem, is just how much can be done about it. And the answer, for now, seems to be: not enough. To start with, nobody really knows just how many spies are operating in the EU capital. When Belgian security officials are pressed to provide a number they joke that, if anybody can find out, they’d be delighted to know. The United States and Australia require people working for foreign interests to register, providing at least a glimpse of attempts to influence the political process. Belgium does not. Then there’s the number of targets — and the potential for cover stories — the city’s international postings provide. Brussels hosts not just the EU institutions and NATO but also around 100 other international organizations and 300 foreign diplomatic missions. Together, these employ about 26,000 registered diplomats, according to the Belgian foreign affairs ministry — each one a possible spy. For a spook, a diplomatic passport is the ultimate cover. Not only is rubbing shoulders with top officials and unearthing information part of the job description, but diplomats are also protected from prosecution under the Vienna Convention. 
Belgian security officials estimate that, in some embassies, between 10 and 20 percent of the diplomats are intelligence officers. Jobs in academia or think tanks — places where people are paid to obtain and analyze information — are also attractive covers.”

6. Researcher Accused of Spying for China Granted Bail in Canada

On November 28th Reuters reported that “a researcher charged with espionage in Canada for allegedly trying to steal trade secrets to benefit China was granted bail on Monday by a Canadian judge, according to representatives for both the defense and prosecutors. Yuesheng Wang, 35, who worked as a battery materials researcher for Hydro-Quebec — Canada’s largest electricity producer — was arrested earlier this month and is facing four charges, including fraud, for obtaining trade secrets, and breach of trust by public officers. Wang’s attorney Gary Martin said he was satisfied with the judge’s decision to grant his client bail. “We still have a lot of work to do,” he said. Wang worked for a Hydro-Quebec research unit devoted to developing battery materials that has teamed up with others in the industry including the U.S. Army Research Laboratory. He was fired this month after about six years at the provincially-owned firm and allegedly committed the crimes between January 2018 and October 2022. Hydro-Quebec and the Public Prosecution Service of Canada both declined comment. A spokeswoman for prosecutors said Wang would next appear in court on Dec. 13.”

7. Podcast: Team House: CIA Covert Ops from Afghanistan to Sudan — Milt Bearden

The Team House released a new podcast episode on December 3rd. As per its description, “a 30-year veteran of the CIA, Milton Bearden masterminded and ran the CIA’s covert operations in Afghanistan. He was station chief in Pakistan, Germany, Sudan, and head of Soviet Division at CIA HQ, and trained the Afghan freedom fighters who overthrew the Soviets — many of whom, like Osama bin Laden, have now turned against the United States. He received the Donovan Award and the Distinguished Intelligence Medal, the CIA’s highest honor. Bearden was born in Oklahoma and spent his childhood in Washington State, where his father worked on the Manhattan Project. He lives in Reston, Virginia.”

8. Ukrainian SBU Detained 2 Russian Agents in Slovyansk

On November 28th the Ukrainian Security Service (SBU) announced that they “neutralised the enemy agents who were pointing Russian missiles at schools in Slovyansk. The Security Service detained two more Russian agents during counter-subversive measures in the front-line areas of Donetsk region. The perpetrators gathered intelligence about the locations and routes of movement of units of the Defence Forces in the region. In addition, they gave the aggressor the locations of social facilities, including general educational institutions in Slovyansk. The occupiers planned to use the received information to launch targeted missile strikes on the Ukrainian city. However, the SBU employees worked ahead of time and detained both Russian agents trying to pass intelligence to the occupiers. According to the investigation, the enemy accomplices turned out to be two local residents who worked for the “People’s Militia DNR” under the control of the Russian intelligence services. Communication was maintained through anonymous messengers, and a specially created chatbot was used to transmit classified data. It was there that the attackers posted information about the movement of military equipment of the Armed Forces, as well as the geolocation of Ukrainian schools. They supplemented their “reports” with photographs and a detailed description of the surrounding area. For cover, one of the informants named his account with a female name. During the searches of the places of residence of both criminals, law enforcement officers found mobile phones and laptops with evidence of subversive activities.”

9. Indian Cyber Espionage Operation Targeting Pakistan Navy War College

On December 1st the RedDrip Team discovered and disclosed technical indicators of a cyber espionage operation attributed to an actor dubbed SIDEWINDER, previously associated with India. The operation involved a lure document impersonating the “Guidelines for Journal — 2023” of the Pakistan Navy War College (PNWC). If opened, the document covertly installed a custom cyber espionage software implant.

10. Bahrain: From Royal Guard to Israeli Cyber, Sheikh Nasser Emerges as Strategist of Bahrain’s Ambitions

On December 2nd Intelligence Online reported that “King Hamad bin Isa Al Khalifa’s favourite son, Prince Nasser bin Hamad Al Khalifa, is playing out a plan carefully crafted by his father. In his tussle for position within Bahrain’s security apparatus with his half brother, the Crown Prince Salman bin Hamad Al Khalifa, Sheikh Nasser has been gaining sovereign responsibilities in Manama.”

11. Rise in Iranian Assassination, Kidnapping Plots Alarms Western Officials

The Washington Post reported on December 1st that “the tempo of the plots has dramatically increased in the past two years, and they are among the most ambitious and far-reaching in recent memory, according to the officials and documents. Iran’s actions have led to diplomatic expulsions and warnings to potential targets from governments. “The general feeling I got was they were beginning to take this issue seriously,” said Seyed Emami, who recalled that one of the Canadian officers asked him to place his phone in a bag designed to block electromagnetic waves, so their conversation could not be surveilled. “They realize if people are being threatened on their own land, it’s a whole different story.””

12. Google TAG Bulletin — Q4 2022

On December 1st Google’s Threat Analysis Group (TAG) published their Q4 2022 bulletin covering six cases they responded to related to coordinated influence operations linked to Brazil, Russia, and China.

13. Russian Covert Action in Northern Europe: A 6-month Outlook

On November 29th Grey Dynamics published this article saying that “since the suspected sabotage on the Nord Stream 1 & 2 pipelines on September 26th, there are indications of increased suspected Russian covert action in Northern Europe. Europe is facing a severe energy deficit following Russia’s invasion of Ukraine. Norway is now the leading gas supplier in the region as gas supplies from Russia to Europe are cut. Following the Russian strategy of energy warfare, a raised threat level is prevalent. The presence of Russian assets in Europe is a well-known phenomenon, as are covert operations and plausible deniability. After Vladimir Putin’s call for partial mobilisation on September 21st, many Russian men left the country, entering Europe. There are indications of a correlation between Russian migration and suspected covert operations targeting critical energy infrastructure in Northern Europe. However, the intent of recent activities is still being determined.”

14. Bombardier Defence to Begin Modification Package for PEGASUS Project

The Business Jet Interiors reported on December 1st that “a Global 6000 has arrived in Wichita, Kansas, marking the next phase of Bombardier Defense’s contract to support Lufthansa Technik’s participation in the Hensoldt-led PEGASUS programme for the German armed forces. Bombardier Defense will perform major structural modifications to accommodate the Kalætron Integral signal intelligence (SIGINT) system developed by Hensoldt, which collects and analyses military signals from radar and radio systems. The integration of this system will subsequently be performed at Lufthansa Technik’s special-mission aircraft competence centre in Hamburg, Germany. Bombardier has previously delivered three Global 6000 jets to Lufthansa Technik since the aircraft was selected for the programme in 2020. This milestone marks the first major work package for a European customer performed at Bombardier Defense’s US headquarters in Wichita since the company unveiled the site’s new mission in April 2022. Bombardier Defense will now be transitioning to the aircraft modification phase after its engineering team developed precise and mission-specific designed solutions. Bombardier Defense will then perform testing and required certification of the modified aircraft. As part of this programme, Lufthansa Technik will perform and support systems integration for Hensoldt, in addition to engineering and modification work contracted to Bombardier Defense.”

15. Crypto Museum: Project IKAR — US Bugs Discovered by the Soviets

Following week 39 story #21, this week the Netherlands-based Crypto Museum added a new entry to their website. As per its introduction, “Project IKAR (Icarus) was a secret investigation by the Soviet Union (USSR), carried out between 1969 and 1978, in which covert listening devices of the US Central Intelligence Agency (CIA) were discovered, analysed and documented. The file was secretly shared with the security services in other Warsaw Pact countries including Poland. It was publicly revealed in September 2022 by Zach Dorfman in an article on The Brush Pass, with scans of the original photographic evidence. It is likely that the file was compiled by the KGB — the main intelligence service of the USSR. The file, which was discovered in the archives of the Polish Ministry of the Interior, contains 23 pages with full-colour images of a wide variety of covert surveillance devices (bugs) that were found in the buildings and even in the vehicles of the Soviet mission in Washington (USA).”

16. Israel Beefs Up Protection of Its Senior Spies, As Proxy War with Iran Intensifies

Intel News reported on November 28th that “Israeli authorities have stepped up measures to protect its senior intelligence and security figures, over concerns they may be targeted by agents of the Iranian state, according to news reports. The news comes amidst widespread concerns that the ongoing shadow conflict between Israel and Iran is escalating in the shadow of the Russo-Ukrainian war. On Thursday, Israel’s state-owned broadcaster and news agency, Kan, reported that the government of Israel had implemented additional security measures to protect current and former members of its security and intelligence agencies. The report added that the measures are focused largely on current and former members of Israel’s foreign intelligence agency, the Mossad, as well as those associated with Israel’s intelligence and security apparatus that are living abroad. The report comes amidst concerns among security observers that a clandestine war between Israel and Iran is growing in intensity. To a notable extent, this growth is being fueled by the ongoing Russo-Ukrainian conflict. Iran’s supply of cheap and reliable attack drones appears to be enabling Moscow to subvert and outright destroy Ukraine’s national infrastructure. In what seems like a direct response to Iran’s actions, Israel war materiel is now flowing into Ukraine, reportedly through a NATO country.”

17. Canada: CSIS Under Fire from Canadian Parliament After Stand-off Between Trudeau and Xi Jinping

Intelligence Online reported on November 30th that “as relations between the two countries become increasingly tense, the federal intelligence service has been ordered to account for its efforts to counter supposed Chinese interference in Canadian affairs.”

18. Catalan Spyware Victims Demand Justice

On November 29th EU Observer reported that “victims of the widening spyware scandal in Spain are demanding justice and reparations, following revelations that journalists, lawyers, civil society and politicians had been targeted. “We are seeking reparations and a clear commitment of the Spanish state to stop such practices against political dissidents,” Elisenda Paluzie told MEPs on Tuesday (29 November). Paluzie, a prominent Catalan economist and academic, had been targeted by Pegasus, an Israeli-made spyware that can take full control over a person’s mobile phone. Paluzie said the attacks happened on the first day of internal elections to the Catalan National Assembly, an independence organisation. Those elections were held on June 10, 2020. “The attacks were designed to trigger an impulse reaction to click the links,” she said. Citizen Lab, a Canadian laboratory based out of the University of Toronto, said the attack masqueraded as a Twitter update from a Catalan newspaper. Paluzie is among the 65 known people targeted by spyware in Spain.”

19. Netherlands: AIVD: Other Countries Are Increasingly Threatening Dutch Security

On November 28th the Dutch General Intelligence and Security Service (AIVD) announced that “other countries such as Russia and China increasingly threaten national security in different ways. This is partly due to far-reaching international developments that cause instability. The most striking and worrying development is, of course, the war in Ukraine, which touches on several national security interests. This is the conclusion of the heads of the General Intelligence and Security Service (AIVD), the Military Intelligence and Security Service (MIVD) and the National Coordinator for Security and Counterterrorism (NCTV). They do so in the second joint State Actors Threat Assessment (DBSA 2). According to them, the territorial security of the EU, NATO and the Netherlands is under increasing pressure. In addition, interference from other countries continues to threaten the social and political stability of the Netherlands. The Netherlands is also increasingly confronted with threats to economic security. This threat has existed for a long time, but has become even greater in recent years.” The announcement includes the supporting threat assessment documents.

20. Webinar: Intelligence Preparation of the Battlespace

On December 2nd the S2 Underground released a new 14-minute long video. As per its description it covers: 1) Introduction, 2) Define the Operational Environment, 3) Describe Battlefield Effects, 4) Evaluate the Threat, 5) Determine Threat COAs, 6) A Continuous Process, 7) Quick and Dirty IPB, and 8) Closing Thoughts.

21. Ukrainian SBU Detained Russian Agent Passing Intelligence for Air Defence Through Russian “Journalists”

Ukraine’s SBU announced on November 28th that they “detained an agent who was passing intelligence on air defence to the enemy through Russian “journalists”. Cyber specialists of the Security Service exposed another enemy agent in Odessa. He collected information about the deployment locations of units of the Armed Forces of Ukraine in the southern region and Kyiv. First of all, he tried to identify the locations of command centres and air defence systems of the Ukrainian troops. The received information was transmitted through a “liaison”. He turned out to be a representative of the pro-Kremlin information agency “Bel.ru”, which is located in the Belgorod region of Russia, recruited by the FSB. For communication and transmission of classified information, a previously developed anonymous Telegram channel was used. The enemy planned to use the received information to prepare targeted missile strikes on Ukrainian military facilities. During a special operation in Odessa, employees of the Security Service detained a Russian agent trying to transmit information to the Russian Federation. According to the investigation, the enemy’s accomplice turned out to be a local resident whom the FSB engaged in tacit cooperation after a full-scale invasion. He received the “offer” to cooperate with the occupiers through banned social networks, where he repeatedly expressed support for armed aggression against Ukraine. During searches of the perpetrator’s residence, law enforcement officers seized mobile phones from which he communicated with the Russian intelligence services. Communist symbols and propaganda materials in support of the Communist Party of the Russian Federation, banned in Ukraine, were also found in his apartment.”

22. Turkish MIT Assassinates PKK/YPG Member in Syria

On December 2nd the AA reported that “through a National Intelligence Organisation (MIT) operation, the so-called Tel Tamir province brigade chief of the terrorist organisation PKK / YPG, Muhammed Nasır, code-named Kemal Pir, was neutralised in Syria. According to the information obtained from the intelligence sources, it was determined that the terrorist, who is considered to know the border line of the Peace Spring region very well as he is from the people of the region, is an expert in missiles and took an active role in the making of sabotage plans. It was determined that the terrorist played an important role in the actions against the Peace Spring region. The terrorist, who participated in sabotage actions with his subordinates, was included in the target list by the MIT. MIT neutralised the terrorist in an operation in Syria.”

23. South Korea Ex-Spy Chief Arrested Over Sea Border Shooting

Bloomberg reported on December 3rd that “a South Korean court approved the arrest of a former security chief accused of covering up the death of a fisheries official by North Korean soldiers near a nautical border, Yonhap reported. The Seoul Central District Court ordered Suh Hoon, former director of the National Security Office, to surrender to authorities over the incident that took place in 2020, the report said. It cited the court saying there is a possibility Suh would destroy evidence based on the gravity of allegations, his social status and relations with those involved. The 47-year-old fisheries official was fatally shot before being set on fire in what was the first killing of a South Korean civilian by North Korea’s military in about a decade. The fisheries official went missing in September 2020 from his boat near Yeonpyeong Island, about 10 kilometers (6 miles) south of the nautical border known as Northern Limit Line. Authorities under former President Moon Jae-in’s administration said he may have tried to defect but was treated harshly by the North Koreans because they believed he could have been a carrier of the coronavirus.”

24. Podcast: Janes World of Intelligence: Using OSINT to Understand Geoeconomic Statecraft

On November 28th Janes World of Intelligence released a new podcast episode. As per its description, “in this episode we speak to Claire Chu, Senior Chinese Analyst at Janes Group to discuss economic statecraft as a valuable element of your OSINT toolbox and how open source intelligence on state sponsored commercial activity can support their national interests.”

25. Serbia Appoints Pro-Russian Politician as New Spy Chief

EuroNews reported on December 2nd that “Serbia’s government on Thursday appointed a pro-Russian politician as the country’s new spy chief. Aleksandar Vulin, who formerly served as the Balkan state’s interior minister and held the defence ministry portfolio prior to that, will become the new director of BIA, Serbia’s intelligence agency, the government said in a statement. Vulin is deemed “Moscow’s man” within the Serbian leadership. As interior minister, he visited Moscow in August, a rare visit by a European state official that underlined Belgrade’s decision to distance itself from the West’s actions against Russia over its invasion of Ukraine. He subsequently told Russian Foreign Minister Sergey Lavrov that “Serbia is the only state in Europe that didn’t introduce sanctions and was not part of the anti-Russian hysteria.” Serbia, which is formally seeking European Union membership, has for years been drifting away from its EU-aligned trajectory and has been leaning towards traditional Slavic ally Russia, as well as China. Vulin himself said Serbia should discard its EU membership goal and instead turn to Moscow. He advocates the creation of a “Serbian World” — mirroring the “Russian World” — uniting Serbs under one flag led by Serbian President Aleksandar Vucic. He has also frequently pilloried Serbia’s neighbouring states and their leaders, and has been barred from entering Croatia, an EU member state. Vulin’s appointment to such a sensitive intelligence post has subsequently outraged the country’s pro-Western opposition and is seen as another snub to the West.” BIA also issued a press statement on this.

26. Investigation on British Secret Operations Targeting Julian Assange

Throughout this week the Declassified UK published three investigative articles in relation to secret operations targeting Julian Assange of WikiLeaks. Those were: 1) UK Government Deployed 15 Staff on Secret Operation to Seize Julian Assange, 2) Four British Ministries Refuse to Say If They’ve Discussed Assange with U.S., and 3) Minister ‘Misled Parliament’ on Foreign Office Role in Secret Assange Operation.

27. Russia: SVR: Warsaw is Speeding Up Preparations for the Annexation of Ukrainian Lands

On November 30th the Foreign Intelligence Service (SVR) of Russia issued an announcement saying that “the Polish leadership aims to act proactively and persistently out of fear that senior NATO partners will try to negotiate with Moscow in the coming winter months, defying the interests of not only Ukrainians, but also Poles. Meanwhile, Warsaw is confident that they deserved generous compensation for the military assistance provided to Kyiv, the provision of shelter for numerous Ukrainian migrants, and, finally, the recent missile attack on Polish territory, which Warsaw silently “swallowed” at the instigation of the United States and leading European countries. Acting proactively, Polish President Andrzej Duda instructed the intelligence services to prepare an official justification for Polish claims to Western Ukraine in a short time. The starting point in ongoing archival research is the Volyn massacre of 1943. This tragic episode, according to Polish experts, “irrefutably proves” the involvement of the Organisation of Ukrainian Nationalists — Ukrainian Insurgent Army in the genocide of the Polish people. Warsaw is sure that the information available in the state archives is enough to put forward weighty restitution demands to Kyiv. The Polish administration aims to give this step the appearance of an “initiative from below.” To do this, the number of plaintiffs is supposed to include the descendants of people who suffered from Ukrainian nationalists living in Poland. In addition, the editors of the leading Polish media have been tasked with starting to warm up the public in the country on the subject of “the need to collect Polish lands.” In order to ensure the legitimacy of the planned territorial acquisitions, the Polish leadership decided to use the successful Russian experience of returning ancestral territories by holding referendums on them.
As a “trial ball”, the Polish intelligence services “leaked” to the Ukrainian media information about the alleged preparation of a plebiscite in the Lvov region of Ukraine on the topic of joining Poland.”

28. Podcast: SpyCast: “The FBI & Cyber” — with Cyber Division Chief Bryan Vorndran

Following last week’s part 1/2, on November 29th the International Spy Museum’s SpyCast podcast published the second, and last, episode of this series. The intelligence topics covered in this are: 1) The evolution of the FBI and cyber, 2) Weakening cyber adversaries, 3) Motivations behind creating and distributing malware, and 4) How to keep your information safe from cyber attacks.

29. United States: CIA Names First Chief Wellbeing Officer

Through an official announcement on November 28th, the US Central Intelligence Agency (CIA) stated that “Director William J. Burns welcomed Dr. Jennifer Posa during a swearing-in ceremony last month to serve as CIA’s first-ever Chief Wellbeing Officer. Dr. Posa will use her extensive private sector experience in wellbeing and organizational health expertise to expand CIA’s efforts to support its workforce’s health and wellbeing. Dr. Posa will strengthen CIA’s strategy to promote officers’ wellbeing, a key priority for CIA’s leaders, especially given the burdens placed on CIA’s workforce in the two decades following 9/11 and the recent pandemic. The Agency’s holistic approach seeks to care for the workforce, both domestically and abroad, empowering officers to thrive while increasing resilience. “Building a healthy and resilient workforce is one of my most profound responsibilities. It is absolutely critical to our success as an Agency,” said Director Burns who added, “That’s why I’m delighted that Dr. Posa has joined our team and will bring her unique set of experiences and skills to this crucial role.” Dr. Posa and a growing team of health and wellness professionals will oversee initiatives such as expanding opportunities for employees to practice health and wellbeing activities during the work day; providing additional mental health resources to officers and their family members; increasing access to childcare subsidies; and identifying additional flexible work options for officers.”

30. Private Sector Reaches Out to Russia’s Future Cryptography Centre

On December 1st Intelligence Online reported that “the new national cryptography centre planned for 2024 is now to be finished before the end of the year. To meet the altered deadline, the intelligence services have stepped in and are calling on their go-to providers.”

31. Moscow’s Mule: How Russia Rewrote a Narcotics Case to Get its Spy Back

On November 28th Bellingcat published a new investigative article starting by stating that “a series of indictment documents and information from Russia’s data markets show that Moscow’s pretext for recalling a spy behind bars in Brazil appears not only implausible, but impossible, Bellingcat can reveal. When the blond 36–year old man carrying a Brazilian passport in the name of Victor Muller Ferreira landed at São Paulo airport in April 2022, he was immediately taken away by Brazilian security service officers. He tried to argue that he was, in fact, just as Brazilian as they, and that he could not comprehend why the Dutch authorities had told the Brazilians that he was in fact Sergey Cherkasov, a deep-cover spy of Russia’s GRU foreign military intelligence agency who had attempted to infiltrate the International Criminal Court at the Hague as an intern. As Bellingcat reported at the time, his cover story was full of holes. Brazil’s Federal Court quickly sent him off to jail for fifteen years after he was convicted on charges of fraudulently obtaining and abusing Brazilian identity documents. But now Moscow wants him back. Shortly after his conviction, Cherkasov’s story took an unexpected direction. In July 2022, Russian investigative bodies approached Brazilian authorities requesting the extradition of the jailed Russian, who they admitted was Sergey Cherkasov. However Russian authorities claimed Cherkasov was not a deep-cover GRU spy but a hardened criminal on the run from Russian justice, who ran a heroin smuggling ring in Russia in the early 2010s.”

32. SIGNAL Journal — Issue December 2022

This week the December 2022 issue of SIGNAL was published. It includes articles such as “Protecting Operations in the Indo-Pacific”, “Are Iran’s Drone Capabilities a Threat?” and “Enabling Operations With Cross-Domain Transfer and Access”.

33. Podcast: Spycraft 101: An Activist Escaping Panama with Kimberly Muse

Spycraft 101 published a new podcast episode on November 28th with its description saying that “this week, Justin speaks with Kimberly Muse, daughter of Kurt Muse. Kim grew up in Panama, where her father became the leader of a group of activists in protesting against General Manuel Noriega via radio transmissions. Their work caught the attention of the CIA, and they even received support from the agency for their efforts. In spring of 1989, Kurt was suddenly arrested at Panama City Airport as he was returning from a trip to the United States. His family and cohorts fled to the US, but Kurt was imprisoned at Carcel Modelo for nine months until a tactical Delta Force mission, Operation Acid Gambit, came to the rescue. Kurt later wrote a best selling memoir of his activism and rescue.”

34. United States CIA Podcast: The Greatest Museum You’ll Never See

On November 30th the CIA released a new episode of their “Langley Files” series. As per its description, “a top secret mission to the bottom of the Pacific Ocean. A legendary CIA officer who postponed retirement to lead the Agency’s response to 9/11. An entire building turned into a listening post. Where can you find artifacts from these chapters of hidden history and many more? The museum at the heart of CIA Headquarters. Since this museum is not open to the general public, in this episode of The Langley Files, Dee and Walter catch up with the museum’s director and deputy director for a behind the scenes tour … podcast-style.”

35. Greece: The Woman-Mastermind in EYP’s Espionage Scandal

On November 28th Greek media revealed that “the role of the 50 police officers under her command is crucial, as they all returned to the Hellenic Police as soon as the surveillance scandal broke. The key person in the wiretapping scandal is, according to information from Documento, the former head of the Intelligence Collection and Analysis Directorate and 2nd Deputy Director of Terrorism and Organised Crime of the Ministry of Defence, Evangelia Georgakopoulou. This is a Hellenic Police officer who in the past has served in critical positions in the police. “Vangelitsa”, as she is called in EYP, who “is mastermind” in the service, is said to be the person who signed the controversial agreements. In addition to her, the 50 police officers who were transferred by the Hellenic Police to EYP during the Mitsotakis administration, shortly after the prime minister himself assumed responsibility for EYP, have a key role in the wiretapping scandal, who in recent months have gradually returned to the Hellenic Police. The role of “Vangelitsa” in the wiretapping has been reported for months not only by Documento but also by newspapers such as “Vima” and “Nea”. However, to this day she does not seem to have been examined by the prosecutors, just as the police officers who were under her orders have not been examined either, since although the information says that she has already been summoned, she has repeatedly pleaded illness in order not to appear as a witness. She had used the same excuse in order not to attend a hearing by the ADAE. The investigation has already been delayed by the prosecuting authorities, while the range of crimes they are investigating has not been opened.”

36. United States: FBI Arrest 25 Years Ago Today Shows the Same China Targeting U.S. Aerospace Technology

The Clearance Jobs published this article on December 3rd saying that “the multiyear investigation into the activities of Yen Men Kao reached a culmination on December 3, 1993, when he was arrested by the FBI. In a somewhat bizarre turn of events, as seen through the prism of 2022, Kao was never prosecuted. Instead, those in charge of that decision opted to pursue a different path and filed a complaint for his visa status. An immigration judge, just three weeks after his arrest, declared him to be in violation of his visa and deported him, allowing him, at his request, to be deported to Hong Kong instead of China, as he apparently feared he would be punished by China’s security and intelligence community.”

37. Security Authorities of the LNR Detained an Agent of the SBU Who Transmitted Military Data

The LUG-Info reported on November 29th that “the security authorities of the LPR have detained an agent of the Security Service of Ukraine (SBU), who since August 2021 has been collecting and transmitting military information to the Ukrainian intelligence services about the deployment and movement of military equipment of the Russian Armed Forces and units of the People’s Militia. The LIC was informed about this by a source in the security bodies of the Republic. “LNR security officials detained a citizen of Ukraine born in 1959, who, since August 2021, maintained confidential relations with a foreign intelligence officer — detective of the Main Department for Combating Corruption and Organised Crime of the SBU Directorate in Donetsk and Luhansk regions Dinnik (Revenko) Andrey Vadimovich”, the message says. The source notes that the detainee “acted deliberately to the detriment of the security of the Lugansk People’s Republic.” A criminal case has been initiated against this person on suspicion of committing a crime under Article 276 of the Criminal Code of the Russian Federation “Espionage”.”

38. Iran Executes Four People for Spying for Israel

On December 1st Islam Today reported that “in Iran, a court has sentenced four people to death on charges of espionage for Israel and “subversive activities” in the republic. According to the Iranian news agency Mehr, under the leadership of Israeli intelligence, the group was engaged in the destruction of private and state property and kidnapping. The members of the group were arrested with the assistance of the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. The entire group, consisting of four men, was sentenced to death. Earlier it was reported that the Iranian courts began to impose death sentences on protesters that have been ongoing in the country since mid-September after the death of 22-year-old Mahsa Amini. The girl was arrested by the vice police for “wrong wearing the hijab” and taken to the police station. Subsequently, she was taken from there to the hospital, where she died without regaining consciousness. The authorities said that she had a heart attack, but the public is sure that she was beaten.”

39. Spy Way of Life: The Cosmos Club in Washington, DC

This week’s selection for Intelligence Online’s Spy Way of Life was the Cosmos Club, located in Washington, DC, United States. It’s described as “Washington’s private Cosmos Club: where CIA officials socialised and conducted confidential business” and the article says that “declassified CIA files reveal the agency luminaries who mingled at the Cosmos Club, which was a spy refuge for decades.”

40. Google TAG: New Details on Commercial Spyware Vendor Variston

On November 30th Google TAG released this article stating that “Threat Analysis Group (TAG) has been tracking the activities of commercial spyware vendors for years, using our research to improve the safety and security of Google’s products and share intelligence with our industry peers. TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents. Google and TAG are committed to disrupting these threats, protecting users, and raising awareness of the risks posed by the growing commercial spyware industry. Continuing this work, today, we’re sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions. Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022. While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild. TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files. To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up-to-date.”

41. United States: CIA Venture Capital Arm Partners with Ex-Googler’s Startup to “Safeguard the Internet”

The Intercept reported on December 2nd that “Trust Lab was founded by a team of well-credentialed Big Tech alumni who came together in 2021 with a mission: Make online content moderation more transparent, accountable, and trustworthy. A year later, the company announced a “strategic partnership” with the CIA’s venture capital firm. Trust Lab’s basic pitch is simple: Globe-spanning internet platforms like Facebook and YouTube so thoroughly and consistently botch their content moderation efforts that decisions about what speech to delete ought to be turned over to completely independent outside firms — firms like Trust Lab. In a June 2021 blog post, Trust Lab co-founder Tom Siegel described content moderation as “the Big Problem that Big Tech cannot solve.” The contention that Trust Lab can solve the unsolvable appears to have caught the attention of In-Q-Tel, a venture capital firm tasked with securing technology for the CIA’s thorniest challenges, not those of the global internet. The quiet October 29 announcement of the partnership is light on details, stating that Trust Lab and In-Q-Tel — which invests in and collaborates with firms it believes will advance the mission of the CIA — will work on “a long-term project that will help identify harmful content and actors in order to safeguard the internet.” Key terms like “harmful” and “safeguard” are unexplained, but the press release goes on to say that the company will work toward “pinpointing many types of online harmful content, including toxicity and misinformation.” Though Trust Lab’s stated mission is sympathetic and grounded in reality — online content moderation is genuinely broken — it’s difficult to imagine how aligning the startup with the CIA is compatible with Siegel’s goal of bringing greater transparency and integrity to internet governance. What would it mean, for instance, to incubate counter-misinformation technology for an agency with a vast history of perpetuating misinformation? 
Placing the company within the CIA’s tech pipeline also raises questions about Trust Lab’s view of who or what might be “harmful” online, a nebulous concept that will no doubt mean something very different to the U.S. intelligence community than it means elsewhere in the internet-using world.”

42. Podcast: International Intrigue: COP27, Iranian Drones, Turkey, DPRK, DRC & Chinese Espionage

On November 27th the International Intrigue published this podcast episode. As per its description, “the 26 November 2022 Episode of Intrigue, Explained where two former Australian diplomats break down the big international relations stories of the week in a light, accessible format.” Among others, they cover the topic of “Iranian Drones downed in Ukraine were found to consist almost entirely of components from US, German, Chinese and Israeli firms the majority of which violate the sanctions against the Iranian Regime” as well as that “Canadian police arrested a man on charges of spying for the Chinese Government.”

43. Is The UK Being Infiltrated By Putin’s Spies? One Former MI6 Agent Warns So

On November 27th the Republic World reported that “a former agent of the United Kingdom’s Secret Intelligence Service has warned of rogue operatives in the country that could terminate enemies at the behest of Russia. According to The Sun, erstwhile MI-6 agent Julian Richards said that Britain’s intelligence agencies ‘don’t know’ the exact number of sleeper agents spying for Moscow in the UK. It is believed that Russian President Vladimir Putin’s key espionage tactic is to send spies into countries as regular civilians in order to gather valuable intel and erode the West out of its critical secrets. The threat of spies has the UK wrapped around its fingers, with multiple former CIA and MI6 agents warning civilians to stay vigilant due to the surge of infiltration by Putin’s spies.”

44. Russia: FSB Announces Neutralising Terrorist Plots in the Zaporizhzhia Region

On November 28th the Russian Federal Security Service (FSB) issued a press statement saying that they “prevented the preparation of a series of terrorist attacks in places of mass gathering of citizens on the territory of the Zaporizhzhia region. In the city of Melitopol, three citizens of Ukraine were detained on their way to the place of laying an explosive device in one of the city’s markets. Two of them, previously convicted of serious crimes on the territory of Ukraine, confessed that they acted on the instructions of the Ukrainian intelligence services in order to intimidate the civilian population of the Zaporizhzhia region. Components of an improvised explosive device based on plastic explosives and electric detonators were confiscated in the car of the detainees, two pistols with ammunition, a grenade with a fuse were found in the apartments. The perpetrators were taken to Moscow, where the investigating authorities initiated criminal cases against them for preparing terrorist attacks and illegal trafficking in firearms, ammunition, explosives and explosive devices. The identity of those detained in the interests of the investigation was not disclosed.”

45. The Seal of the NSA’s Research Directorate

On November 29th Electrospaces published a Twitter thread explaining the National Security Agency’s (NSA) Research Directorate seal, its origin, and their facilities.

46. Ukrainian SBU Detained Russian Agent in Zaporizhzhia

On November 29th Ukraine’s SBU announced that they “detained a Russian agent who was “adjusting” rockets for repeated strikes on the Zaporizhzhia infrastructure. The attacker was correcting the aimed missile strikes of the Russian Federation on the critical infrastructure of the region. First of all, he “directed” Russian weapons at energy facilities and other structures of life support systems. It was established that after the Russian airstrikes, he went to the area to record the consequences of the “hits” and transfer relevant data to the enemy. “Curated” information was needed by the occupiers for further shelling of the city. In addition, he covertly collected intelligence about the places of temporary bases and the movement of Ukrainian military equipment in the territory of the regional centre. He transmitted the collected intelligence to the aggressor through social networks, including the Telegram channel of the traitor and Kremlin propagandist Rogov. It was there that he approvingly commented on racist “posts”, called for support for the aggressor country, and disclosed classified information about Ukrainian sites in the form of “marked” digital maps. As a result of investigative and operational actions, the Security Service employees located and detained the agent. According to the investigation, the detainee is an employee of one of the Ukrainian defence factories. At the beginning of the full-scale invasion, he was recruited by the Russian intelligence services to carry out reconnaissance and subversive activities in the south of Ukraine. He came to the attention of the occupiers because of his pro-Russian “activity” in social networks, where he was offered confidential cooperation. For this, money and a “position” were “guaranteed” in the event of the capture of the region. During searches of the person’s residence, law enforcement officers found a mobile phone and computer equipment with evidence of hidden correspondence with the Russian “handler”.”

47. The Swedens. How A Married Couple Arrested in Sweden Turned Out to Be Linked to Military Intelligence and the Skripal Poisoners

Following week 47 story #1, the Russian Insider reported on November 27th that “this week a Russian couple was arrested in Stockholm. Sergei Skvortsov and Elena Kulkova have lived in Sweden for many years and did not arouse any suspicions among neighbours and acquaintances. As The Insider and Bellingcat found out, Skvortsov did an active business with a well-known GRU operative, who was once expelled from France for espionage, and a Belgian entrepreneur who was sanctioned for selling American military technology to China. Also, according to The Insider and Bellingcat, shortly before leaving for Sweden, Skvortsov and Kulkova received an apartment on Zorge Street at the same address where Denis Sergeev, one of the Skripal poisoners, lived. Other high-ranking GRU operatives were often there as well. With all this, Kulkova’s daughter turned out to be a cohabitant of the former head of the Swedish military intelligence department.”

48. Geospatial Intelligence Experts Get Organised in UAE

Intelligence Online reported on November 30th that “Western New Space is making a big push into the UAE, attracted by the rise of geospatial intelligence in the region, despite uncertainty over how many of the growing number of sovereign projects will come to fruition.”

49. Germany: Iran Responsible for Attacks on Synagogues?

The Tagesschau published an exclusive story on December 1st saying that “investigators suspect the Iranian Revolutionary Guards and a German-Iranian from the rocker milieu were behind the attacks on synagogues in North Rhine-Westphalia. The ARD political magazine Kontraste learned this from security circles. After several attacks on synagogues in North Rhine-Westphalia, the Attorney General will take over the investigation — although it is still unclear when exactly this will happen. A spokeswoman could neither give the exact time nor the specific reason for taking over the investigation. According to information from Kontraste, the German-Iranian Ramin Y. is said to be the focus of the investigation. He apparently defected to Iran in September 2021. The investigators see a connection between the shots at the old synagogue in Essen, the unsuccessful arson attack on the synagogue in Bochum and the instigation of an arson attack on the synagogue in Dortmund in mid-November. “We’re talking about state terrorism here,” an investigator told Kontraste.”

50. Russia: In Tula, They Are Considering A Case of Espionage Against A Citizen of Ukraine

News Tula reported on November 29th that “the Tula Regional Court is considering a criminal case against a citizen of Ukraine, who is accused under the article “Espionage”. The detention of a man was reported in August last year. It was reported that the man, on the instructions of Ukrainian intelligence, was looking for employees of Russian defence enterprises from among the secret carriers. He needed to collect intelligence about promising developments in the field of small arms. The defendant faces up to 20 years in prison. The first hearing in the case took place on November 29.”

51. Putin’s Spy Chief Says He Discussed Ukraine with CIA Director

Following week 46 story #24, Reuters reported on November 30th that “Russian foreign intelligence chief Sergei Naryshkin said in an interview published on Wednesday that he discussed nuclear issues and Ukraine in a meeting earlier this month with United States Central Intelligence Agency Director William Burns. The two men met in Turkey on Nov. 14 in the highest-level face-to-face contact between the two sides since Russia invaded Ukraine in February. Russia has not previously commented on what was discussed, saying the subject matter was sensitive. Washington has said Burns delivered a warning about the consequences of any Russian use of nuclear weapons. Elizabeth Rood, chargé d’affaires at the U.S. embassy in Moscow, told Russia’s RIA news agency this week that Burns “did not negotiate anything and he did not discuss a settlement of the conflict in Ukraine”. Naryshkin told RIA: “For my part, I confirm Ms Rood’s statement. Additionally, I can note that the most frequently used words at this meeting were ‘strategic stability’, ‘nuclear security’, ‘Ukraine’ and ‘Kyiv regime’.” He also confirmed Rood’s comments that the two countries had a channel to manage risks and that if there was a need for another such conversation, it could happen.”

52. Flight of the Predator: Jet Linked to Israeli Spyware Tycoon Brings Surveillance Tech From EU to Notorious Sudanese Militia

Haaretz published this investigative article on November 30th stating that “a cross-continental investigation uncovered a network of firms connected to Tal Dilian, ex-commander of a top secret Israeli intel unit, who has bought up an array of sophisticated surveillance technology and established an EU foothold in Greece and Cyprus.” It continues that “on a dusty May morning in Khartoum an executive jet taxied to a halt under the blistering sun. Two jeeps with tinted windows stood ready to meet it from one of the most notorious and feared militias in the world, the Rapid Support Forces. The sleek white Cessna flew in from Cyprus and remained on the ground in Sudan’s capital for just 45 minutes, long enough to draw a disturbing line of connection between the ferocious contest for power in Sudan and a spyware scandal roiling Greece. Details of the Cessna’s arrival, its passengers and cargo were meant to remain secret — logged in an inaccessible location, foregoing the usual procedures. The secrecy was a testament to the power of Mohamed Hamdan Dagalo, known as Hemedti, Sudan’s richest man and the owner of a private army that is the heir to the murderous legacy of the Janjaweed, infamous for their crimes against humanity in Sudan’s troubled Western region, Darfur. According to three independent sources, the cargo was high-end surveillance technology, made in the European Union, with the potential to tip the balance of power in Sudan thanks to its capacity to turn smartphones into audio-visual informants on their owners. When news of its arrival reached Hemedti’s rivals the equipment was seen as so dangerous that an RSF commander speaking on condition of anonymity said it was smuggled out of Khartoum to the militia’s stronghold in Darfur to prevent its seizure by the army.”

53. New Zealand’s Terror Threat Level Drops from ‘Medium’ to ‘Low’

According to STUFF from November 30th, “New Zealand’s terrorism threat level has been dropped from “medium” to “low”, meaning a terror attack is now deemed “a realistic possibility” instead of “feasible and could well occur”. Security Intelligence Service (SIS) director-general Rebecca Kitteridge announced the change on Wednesday after an annual review of the threat level by national security agencies. “While the lowered threat level is a positive sign, the lowering of the threat level does not mean there is no threat,” Kitteridge said in a statement. “An attack remains a realistic possibility and individuals of concern are still being investigated by the New Zealand Security Intelligence Service.” It was the first change to the terror threat level since April 2019, when the threat risk was raised to medium in the wake of the Christchurch mosque terror attacks the month prior. Australia similarly lowered its terror threat level earlier this week, from “probable” to “possible”. “There will be no decrease in the effort made by NZSIS to detect and investigate violent extremism,” Kitteridge said.”

54. Cyber Espionage Operation Targeting the Government of Pakistan

On November 28th cyber threat intelligence researcher Souiten discovered and disclosed technical indicators of a cyber espionage operation targeting the government of Pakistan. The operation used a lure document titled “Prime Minister’s visit to Türkiye” which, if opened, covertly installed a custom cyber espionage software implant. The actor behind the operation is currently unknown.

55. Documentary: Space: A New Battlefield

The ARTE TV published this documentary on November 27th. As per its description, “are we on the brink of a space war? Power play, espionage, harassment — tensions between space-faring nations are growing and the arms race is in full swing. This documentary provides a deep insight into the geostrategic challenges of military spaceflight.”

56. Spain: All Questions and No Answers, as Spanish Spy Chief Stays Mute on Pegasus Hacking Scandal

On November 29th EuroNews reported that “Spain’s spy chief failed to answer any of the questions posed to her by MEPs related to the Spanish spyware scandal, as the expectations for revelations were dampened. The presence of Esperanza Casteleiro at a hearing in the European Parliament on Tuesday was initially seen as the big news of the day. But it was followed by huge disappointment after she limited herself to explaining in detail the legal framework in which the Spanish secret services operate, failing to answer any of the 28 questions raised by lawmakers. Everything in this context is basically secret, according to intelligence services chief Casteleiro, who spoke via videolink from Madrid. Saskia Bricmont, a Belgian MEP from the Greens, told Euronews that she was particularly worried for her colleagues that have been under surveillance. “Amongst them are, for instance, colleagues from the European Parliament, which immunity protects them in the context of their mandate. And so spying on MEPs is illegal. We didn’t get really answers on these elements,” she told Euronews. “So, this morning during the hearing, what we call for is the justice to do its work in full independency on the one hand. On the other hand, we also call on the governments to share more information with the enquiry committee because they’re all using the national security argument.” In Spain there are two separate cases. One is the surveillance of Prime Minister Pedro Sanchez and two Spanish ministers by a third country — which some attribute to Morocco — and on the other hand, there is the case of at least 65 Catalan pro-independence leaders, among them some MEPs, that were also infected by the Pegasus spyware. But Spanish MEP Jordi Cañas has defended the head of Spanish Secret Services for maintaining her silence.”

57. Up to 15% of Drivers in Ukraine Unknowingly “Spy” for Russia by Using Russian Apps

The Inform Napalm released this article on December 2nd stating that “in Ukraine, despite sweeping bans, it is still possible to install and use Russian navigation applications like 2-GIS, Yandex Maps and Navigator by using a VPN. We have reasonable grounds to believe that these applications are controlled by the government of the aggressor country, and that through these applications, the Russian government receives online information about the situation on Ukrainian roads, passage of military equipment, and even entrances and exits to any building.”

58. British FARA Returns to National Security Bill

Intelligence Online published this article on December 2nd saying that “on the insistence of MPs, the British government has substantially amended its National Security Bill, where it has reintroduced a foreign agents register. But it was also allowed to introduce new measures, which now have the opposition’s support. Initially designated as “countering state threats legislation”, Britain’s National Security Bill (NSB), which is on its way to the House of Lords, has been substantially modified since its second reading on 6 June. Intelligence Online had previously reported on the tense discussions that took place between the new minister of state for security Tom Tugendhat and the NSB parliamentary committee. The main change to the NSB is the introduction of a Foreign Influence Registration Scheme (FIRS) along the lines of the US Foreign Agents Registration Act (FARA). A central measure in the initial project, it was abandoned by the government and then reintroduced on the insistence of MPs, particularly on the opposition benches. Yvette Cooper, the shadow home secretary, described the lack of a foreign agents register as a “gaping hole” in the bill. Julian Lewis, chair of the Intelligence and Security Committee (ISC), shared her conclusions. The government eventually agreed to reintroduce it, and sought advice from the Australian government, which established its own Foreign influence transparency scheme (FITS) in 2020 to tackle foreign — mostly Chinese — interference. Members of the ISC and some Labour MPs are still concerned about the way the FIRS articles were drafted due to the complexity of the measures and concerns that there are loopholes in the system. For instance, unlike the US’s FARA, lawyers working for a foreign government would be exempt from registering.”

59. Netherlands: The Ministers of the Interior and Kingdom Relations and Defence are Sending a Temporary Cyber Operations Act to the House of Representatives

On December 2nd the Dutch AIVD issued this press release stating that “today, Ministers Hanke Bruins Slot (BZK) and Kajsa Ollongren (Defence) sent the proposal for the temporary cyber operations act to the House of Representatives. With this temporary law, the AIVD and MIVD can use their powers faster and more effectively against the increased cyber threat from countries that commit cyber attacks against the Netherlands. The Netherlands and its allies are increasingly faced with digital attacks from countries with an offensive cyber strategy, such as Russia and China. This concerns, for example, attempts to steal sensitive information or sabotage vital infrastructure. Disruption or failure of this can lead to serious social disruption and economic damage. The cyber threat is increasing and these actors can act faster and more advanced and are increasingly able to hide. The aim is to give the services a better view of this increasing cyber threat by ensuring that existing powers can be used more quickly and effectively against this threat. For example, dynamic monitoring makes it possible to monitor an ongoing investigation where an attacker moves to a new server or device without having to stop the operation to resubmit a consent request. Because attackers switch servers or devices constantly in the cyber domain, which means that it is very difficult to track attackers properly under current regulations. The bill ensures a better connection of testing and supervision to the current dynamics of cyber attacks in practice. For a number of powers, the time of review shifts from prior to the operation by the Review Committee on Deployment Powers (TIB), to during and afterwards by the Supervisory Committee of the Intelligence and Security Services (CTIVD). The CTIVD is hereby given the authority to immediately stop an operation and to decide that the data acquired in this way will be destroyed. This keeps supervision up to standard. 
In this way, there is a better connection with the dynamic nature of this ever-increasing (unprecedented) cyber threat.”

60. Ukrainian SBU Detains 2 Russian Collaborators in Kherson

On November 30th Ukraine’s SBU announced that they “detained two collaborators from the former “Ministry of the Russian Federation” in Kherson region, who kidnapped Ukrainians to death camps. The Security Service exposed two more accomplices of the enemy as a result of stabilisation measures in liberated Kherson. During the capture of the city, they voluntarily joined the “main department of the Ministry of the Interior of the Kherson region” created by the occupiers. After an “interview” with representatives of the FSB, one of the attackers was appointed an “investigator” and tasked with participating in the suppression of the resistance movement in the occupied part of the region. Victims were subjected to psychological pressure, violence and threats of physical violence. Through terror and repression, the Rashists tried to spread the Kremlin regime in the temporarily captured territory of southern Ukraine. Another collaborator was appointed “police patrolman” as part of the occupation body. While in this “position”, he directly participated in the persecution and illegal detention of Ukrainian citizens. After the liberation of Kherson, the collaborators tried to hide in the territory of the city. However, they did not succeed. Officers of the Security Service established the location and detained the intruders.”

61. Podcast: Spycraft 101: A Secret US Intel Organisation: Mysteries of The Pond with Dr. Mark Stout

Spycraft 101 published this podcast episode on November 27th. As per its description, “founded by an Army officer named John Grombach, the Pond was part of the War Department during World War II, then transitioned into a private organization during the post-war period. They offered their services via contract to the CIA and FBI, and continued operating into the mid-1950s. Grombach wrote in his memoirs published in 1980 that Petiot was known to his organization. Virtually nothing was known of the Pond’s activities until historian Mark Stout published an article he’d researched in 2004. Since then more information has gradually come to light about the Pond’s global reach, their operational successes and failures, and their ultimate downfall. For episode 44 of the Spycraft 101 podcast, I spoke with Dr. Stout on his findings after more than 21 years of research and writing about the Pond.”

62. Cyber Espionage in South Korea — Who’s Swimming in South Korean Waters? Meet ScarCruft’s Dolphin

Private cyber threat intelligence firm ESET released this technical analysis on November 30th. As per its overview, “ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services — specifically Google Drive — for C&C communication. During our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes. In this blogpost, we provide a technical analysis of the Dolphin backdoor and explain its connection to previously documented ScarCruft activity. We will present our findings about this new addition to ScarCruft’s toolset at the AVAR 2022 conference.” As per the report, “it primarily focuses on South Korea, but other Asian countries also have been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea.”

63. Pegasus Spyware Inquiry Targeted by Disinformation Campaign, Say Experts

The Guardian reported on November 28th that “victims of spyware and a group of security experts have privately warned that a European parliament investigatory committee risks being thrown off course by an alleged “disinformation campaign”. The warning, contained in a letter to MEPs signed by the victims, academics and some of the world’s most renowned surveillance experts, followed news last week that two individuals accused of trying to discredit widely accepted evidence in spyware cases in Spain had been invited to appear before the committee investigating abuse of hacking software. “The invitation to these individuals would impede the committee’s goal of fact-finding and accountability and will discourage victims from testifying before the committee in the future,” the letter said. It was signed by two people who have previously been targeted multiple times by governments using Pegasus: Carine Kanimba, the daughter of Paul Rusesabagina, who is in prison in Rwanda, and the Hungarian journalist Szabolcs Panyi. Other signatories included Access Now, the Electronic Frontier Foundation, Red en Defensa de los Derechos Digitales, and the Human Rights Foundation. One MEP said it appeared that Spain’s “national interest” was influencing the committee’s inquiry. The invitation to one of the individuals — José Javier Olivas, a political scientist from Spain’s Universidad Nacional de Educación a Distancia — was rescinded but the other, to Gregorio Martín from the University of Valencia, was not and he is expected to appear before the parliamentary panel on Tuesday. At the centre of the controversy lies the European parliament’s committee investigating the use of Pegasus, a powerful surveillance tool used by governments around the world. 
Pegasus is made and licensed by NSO Group, an Israeli company that was blacklisted by the Biden administration last year, after the US said it had evidence that foreign governments had used its spyware to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers.”

64. Video: The Debrief: Behind the Museum — CIA In The Sky

On November 30th the United States CIA published this new video with its description stating that “behind the Museum is giving you a closer look at one of the newly unveiled exhibit cases. The “CIA in the Sky” exhibit houses incredible artifacts from CIA’s pioneering overhead photo reconnaissance missions, which were essential to filling intelligence gaps and helped bring an end to the Cold War.”

65. Turkish Cyber Provider Pavo Group Goes Door Knocking in UAE

Intelligence Online reported on December 2nd that “Pavo Group, chaired by Alper Ozbilen, wants to stretch its horizons beyond its home turf. It is working on new interception and big data tools, and has made contact with the UAE’s main defence conglomerates.”

66. Russia: American Whelan, Serving Time for Espionage, is Undergoing Planned Treatment

Russia Today reported on December 2nd that “RIA Novosti writes about this with reference to the chairman of the Public Monitoring Commission of Mordovia, Alexei Tyurkin. Whelan’s diagnosis is not specified. On November 29, Russian Deputy Foreign Minister Sergei Ryabkov said that a prisoner exchange between Russia and the United States would send a positive signal to bilateral relations. The White House noted that Washington and Moscow continue to negotiate on the exchange of prisoners and the United States is seeking the speedy release of its citizens Brittney Griner and Paul Whelan.”

67. The United States Must Go to War Against China’s Spies

On November 27th the National Interest released this article stating that “the Biden administration should not treat Chinese espionage as an afterthought in a long list of grievances with Beijing. In late October, U.S. prosecutors charged thirteen Chinese agents for conducting illegal operations in the United States. Unfortunately, only two of the suspects are in custody. The other eleven remain free to continue their espionage and intimidation operations against American victims from the same place they usually operate — China. These cases illustrate how far behind U.S. law enforcement is in its fight to defend America from assaults by the Chinese Communist Party (CCP). While indictments against Chinese agents are becoming more common, the perpetrators are rarely brought to justice. The October charges resulted from three separate cases. Seven defendants were charged in connection with a scheme to force a Chinese national residing in the United States to return to China to face prosecution under Operation Fox Hunt. In a separate case, two China-based intelligence officers were charged for attempting to solicit information from a U.S. government employee to obstruct the criminal prosecution of a Chinese firm understood to be Huawei. In a third case, four Chinese nationals were charged for operating a long-running campaign to recruit Americans to act as Chinese agents. Cases like these would be effective if the objective were simply to keep Chinese spies out of the United States. Indeed, the arrest warrants all but ensure these defendants will never step foot on American soil. But that doesn’t stop them from victimizing Americans, as most of their activity is carried out remotely from China. Spies in Chinese cities routinely target American citizens through social media. They also send them “consulting” proposals via email, which they cushion in legitimate-sounding business contracts. 
Sometimes they even invite their attempted recruits on all-expense-paid trips to China, where they wine and dine and entice them to provide information and services that benefit Beijing.”

68. Getting to the Bottom of Hungary’s Russian Spying Problem

The Balkan Insight reported on November 30th that “in late November, at a Ukrainian-Hungarian border crossing checkpoint, Ukrainian special forces armed with machine guns and rifles arrested a suspected Russian agent just as he was trying to cross the state border. The man was a former employee of the Ministry of Internal Affairs of Ukraine, who, according to the Ukrainian security agency SBU’s statement, “collected classified information about the leadership and staff of the law enforcement agencies of Ukraine. The man planned to personally transfer the data to the Russian Embassy in Budapest on a flash drive”. The stolen data was partly personal information on SBU and GUR (military intelligence) officers, leaders of the Azov movement, and on military personnel of the 72nd mechanized brigade of the Armed Forces of Ukraine. The other part of the data was sensitive military information on Ukrainian army bases, arsenals, warehouses and their locations. Ukrainian Telegram channels posting video footage of the arrest mostly focused on an unconfirmed but understandably newsworthy detail: that the Russian agent had allegedly hidden the USB drive in his anus. However, the most interesting information of the SBU’s statement was about the role of Hungary and the Russian embassy in Budapest, which was apparently considered by the protagonists as a safe place for arranging such meetings. The pro-Kremlin attitude of Viktor Orban’s government — even after the invasion of Ukraine — is well documented. Most recently, together with a colleague of mine at Direkt36, we investigated the Hungarian government’s response to the war and motivations behind the policy to maintain a close relationship with the Kremlin. What we found is that through Hungary’s dependency on Russian fossil fuels, Moscow has essentially taken the Orban government hostage.”

69. Podcast: Inside CIA Contracting with a Navy SEAL Shawn Ryan

On November 29th Anthony Pompliano released a new podcast episode. As per its description, “Shawn Ryan is a former Navy SEAL, CIA Contractor & current host of the “Shawn Ryan Show” podcast. In this conversation, we discuss his military career, his time as a contractor, lessons learned from the military that he applies to the business world, his positive experience using psychedelics, and what he’s learned from hosting his own podcast.”

70. No French DGSE Paramilitary Forces Died in Ukraine

As reporter Georges Malbrunot stated on December 3rd, “‘none of the Action Service members has died since their deployment to Ukraine at the end of February,’ said a French intelligence source. Rumors of the disappearance of 2 members of the SA of the DGSE had circulated. About 50 have been in Ukraine since the start of the Russian invasion. With the military support given by France to Ukraine, the intelligence apparatus has been expanded in recent months, with the dispatch of other members of other French services.”

71. United States FBI Alerted Notorious Spy for Russia to Another Working for Cuba

According to this article by the Washington Post from November 30th, “in late 2000, the FBI was closing in on a suspected spy for Cuba working inside the Defense Intelligence Agency. Undercover operatives would soon begin trailing Ana Montes, the agency’s top military and political analyst on Cuba, by car and on foot. They filmed her making calls on pay phones, even though she carried a cellphone in her purse. They intercepted Montes’s mail and inspected the trash outside her apartment in Washington. Montes had been spying nearly 17 years for Cuba, passing along so much classified information about DIA personnel, as well as on eavesdropping technology covertly installed on the island, that she essentially compromised every method the United States used to surveil the Castro regime, according to current and former U.S. intelligence officials. That makes Montes one of the most damaging spies of her time, they said. Opening an investigation against a decorated intelligence officer, who colleagues heralded as the “Queen of Cuba,” was painstaking and high-stakes. And almost as soon as it began, the FBI nearly shot itself in the foot.”

72. Espionage group using USB devices to hack targets in Southeast Asia

The Record reported on November 29th that “USB devices are being used to hack targets in Southeast Asia, according to a new report by cybersecurity firm Mandiant. The use of USB devices as an initial access vector is unusual as they require some form of physical access — even if it is provided by an unwitting employee — to the target device. Earlier this year the FBI warned that cybercriminals were sending malicious USB devices to American companies via the U.S. Postal Service with the aim of getting victims to plug them in and unwittingly compromise their networks. The new campaign in Southeast Asia potentially began as far back as September 2021, according to a post on the Mandiant Managed Defence blog, published on Monday. Mandiant is now a part of Google Cloud. The hackers behind it are concentrating on targets in the Philippines. The researchers assess the group has a China nexus, although it did not formally attribute the cyber espionage operation to a specific state-sponsored group. Operations conducted by the threat actor, followed as UNC4191, “have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ [Asia Pacific Japan],” the researchers said. “However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines,” it added. After the initial infection via the USB devices, the hackers use legitimately signed binaries to side-load malware onto the target computers.”

73. Podcast: Spycraft 101: Finding Che: Clandestine Ops in the Congo with Jim Hawes

On December 3rd Spycraft 101 published a new podcast episode with its description stating that “American covert operators became involved in conflict in the Congo in the mid-1960s when Simba rebels made great strides in their fight against the Congolese government. Armed and supported by the Soviet and Cuban governments, the Republic of the Congo became another proxy battleground between the Cold War superpowers. The enormous Lake Tanganyika, a natural border between the Congo and Tanzania, was a major logistical route for arms and equipment headed to the Simbas. To counter this threat, the CIA sent Jim Hawes, fresh out of the Navy after service in Vietnam as a SEAL. Hawes assembled a freshwater navy called the Force Naval Congolaise, using locally purchased watercraft augmented by the two Swift Boats. The crews were mercenaries from Mike Hoare’s commando forces and anti-Castro Cuban exiles recruited mostly from South Florida. These men were already veterans of the Bay of Pigs invasion, and had crewed these very same Swift Boats in attacks on the Cuban coastline and shipping as part of Operation Mongoose. Now they volunteered to fight halfway around the world against a very different enemy. Only the enemy wasn’t so different after all. Because Ernesto “Che” Guevara and some of his most dedicated Marxist followers had come to the Congo as well, in support of the Simba rebellion. Now, the exiles overheard Cuban-accented Spanish on the radio waves and homed in on boats loaded down with arms and ammunition crossing Lake Tanganyika under the cover of night.”

74. When Journalists Are The Target of High-Tech Espionage

Boston Globe reported on December 2nd that “if you have a smartphone or use Facebook, Google, or Alexa, you have probably long resigned yourself to the idea that technology is steadily eroding your privacy. Tech companies have a near-perfect profile of our habits and tastes. They know what we like, where we click, how we shop. Yet I have held onto the idea, perhaps very naively, that we still maintain a certain degree of online anonymity. Now, a chilling new case that involves journalists and a pernicious type of spyware has me rethinking the notion. Fifteen members of El Faro, a digital news outlet based in El Salvador, recently filed a lawsuit in a US federal court in California against the NSO Group, an Israeli-based company that makes the spyware Pegasus. The lawsuit alleges that Pegasus was used to hack dozens of times into the smartphones of several El Faro journalists — one of whom is a US citizen. The plaintiffs allege that the NSO Group, which has already been taken to court by Apple and WhatsApp in the United States for cybersurveillance in high-profile lawsuits that are pending, violated a federal law that bans gaining access to devices without authorization. The El Faro complaint alleges that some of the wrongdoing occurred in the United States, where some of the apps in the hacked devices (like WhatsApp and Facebook) have servers.”

75. William Donovan Award Presented to George Tenet

As the OSS Society announced on December 3rd, “presentation of the 2022 William J. Donovan Award® to The Hon. George Tenet by Dr. Mike Vickers.” Here is the complete video of the ceremony.

76. Three New Videos on Secret Radio Facilities and Capabilities

This week Ringway Manchester published three new videos related to nation-state signal capabilities, some related to espionage activities. Those were: 1) How Radio Detectives Solved One Of Short Waves Biggest Mysteries!, 2) Russian Woodpecker — The Radio Signal That Wreaked Havoc Around The World, and 3) Firedrake — The Mega Jammer That Wipes Out Radio Stations For Millions.

77. Greece: New Leak Says that EYP was Spying on the Leadership of the Armed Forces

Following this week’s story #35, on December 3rd it was reported in Greek media that “the leadership of the armed forces and other officials were allegedly under surveillance by EYP according to a new publication by the Documento newspaper. In Documento, which will be released tomorrow, Sunday, December 4, it is stated that in addition to the Predator spyware, the National Intelligence Service (EYP), by order of Prime Minister Kyriakos Mitsotakis, had under surveillance service officials and top national actors. As mentioned, in addition to the leaders of National Defence General Staff and Hellenic Army General Staff, the former Director of the General Directorate of Supplies Th. Lagios was also on the wiretapping list!” The editor of Documento stated on Twitter that “if you remember, the EYP Prosecutor of the Public Prosecutor’s Office, Mrs. Vlachou, had told the Institutions Committee of the Parliament, that she would even monitor the President of Greece. I’m afraid she meant it. EYP has turned into the 60s KYP and is spying on the “internal enemy” of Mitsotakis.”

The Spy Collection

Weekly summaries of all published espionage-related news stories. For inquiries please use: info@spycollection.org