SPY NEWS: 2023 — Week 20

Summary of the espionage-related news stories for Week 20 (May 14–20) of 2023.

The Spy Collection
May 21, 2023

1. China Sentences 78-year-old U.S. Citizen to Life on Spy Charges

Nikkei Asia reported on May 15th that “China sentenced a 78-year-old United States citizen to life in prison Monday on spying charges. John Shing-Wan Leung, who holds permanent residency in Hong Kong, was detained April 15, 2021, by the counterintelligence agency in the southeastern city of Suzhou. The city’s intermediate court announced Leung’s sentence in a brief statement on its social media site but gave no details of the charges. Such investigations and trials are held behind closed doors and little or no information is made public. Relations between Washington and Beijing have hit a historical low amid disputes over trade, technology, human rights and China’s increasingly aggressive approach toward its territorial claims. The sentencing comes as U.S. President Joe Biden is traveling to Hiroshima, Japan, for the Group of Seven major industrial nations summit, followed by a visit to Papua New Guinea, a Pacific island nation in a region where China has sought to increase its economic, military and diplomatic influence. While the Suzhou court offered no indication of a tie to overall China-U.S. relations, spying charges are highly selective and evidence backing them up is not released. That is standard practice among most countries, who wish to secure their personal connections, networks and access to information. However, China’s authoritarian political system and the ruling Communist Party’s absolute control over legal matters, civil society and freedom of information forestalls demands for further information, as well as court appeals.”

2. South Africa: Former Spy Boss Billy Masetlha has Died, Aged 68

News 24 reported on May 14th that “former National Intelligence Agency (NIA) director-general Billy Masetlha has died. Masetlha, who was serving as South Africa’s ambassador to Algeria, died on Sunday. He was 68. International Relations and Cooperation Minister Naledi Pandor said the country had lost an experienced and dependable representative who was a firm believer in the goals of Pan-Africanism. “We send our deepest condolences to the family and friends of Ambassador Masetlha,” added Pandor, confirming Masetlha had died after a long illness. Masetlha had served the government in various capacities over the years, including as NIA director-general. He left the agency in 2006 after former president Thabo Mbeki fired him after he was accused of spying on behalf of former president Jacob Zuma. Mbeki had stated Masetlha’s firing was because of a trust deficit.”

3. Ukrainian SBU Detained Russian Agent in Mykolaiv

Ukraine’s Security Service (SBU) announced that they “exposed an enemy informer who “directed” a Russian missile at a residential high-rise in Mykolaiv. The Security Service exposed another adjuster of Russian air attacks on the civilian infrastructure of Ukraine. It was under his guidance that the occupiers launched a rocket attack on a residential high-rise building in Mykolaiv in the fall of 2022. As a result of enemy fire, 8 civilians, including a minor child, died. According to the investigation, the attacker turned out to be a local resident who was recruited by the Russian intelligence service in August of last year. He came to the attention of the invaders due to his pro-Kremlin activity in one of the Telegram channels, where he regularly posted his anti-Ukrainian comments. Posing as a taxi driver, he traveled around the territory of the regional centre and recorded the locations and movements of the Defence Forces in the region. The intruder also tried to gain the trust of his passengers and asked them for information about possible movements of Ukrainian military equipment. In addition, he gave the occupiers the coordinates of civil infrastructure facilities located near residential buildings. For each completed task, the enemy informer received up to 5 thousand hryvnias. The money was transferred to his own bank card. During the search of his place of residence, a mobile phone was found, which he used to communicate with the aggressor.”

4. Spy Collection: Raytheon Multi-INT Special Mission ISTAR-K Spy Plane (2019)

On May 15th we published this video. As per its description, “in October 2019, Raytheon Technologies published this promotional video for their latest Intelligence, Surveillance, and Reconnaissance (ISR) overhead capability enabling multiple intelligence disciplines (Multi-INT) with a single platform. This was demonstrated as a Special Mission Aircraft, available (at the time) for national defence mission profiles. Raytheon called this the ISTAR-K (Intelligence Surveillance Target Acquisition and Reconnaissance-Korea) since it was developed together with Korea Air to meet the requirements of the Republic of Korea (RoK)’s military and government agencies. According to Raytheon, they were the first company to deploy an international ISTAR-type aircraft through the United Kingdom’s Sentinel programme. The Sentinel aircraft and ground stations operated by the Royal Air Force’s (RAF) 5th and 54th Squadrons have been in use since 2007.”

5. India: 3 Detained in Odisha for Sharing SIM Cards, OTPs with Pakistan’s Spy Agency

NDTV reported on May 15th that “the Special Task Force (STF) of Odisha police on Sunday apprehended three people for fraudulently procuring huge numbers of SIM cards and sharing one-time passwords (OTP) with Pakistani Intelligence Operatives (PIO) and ISI agents in Pakistan as well as in India, officials said. “They were fraudulently procuring huge numbers of SIMs in other’s names and selling the OTPs to various clients including some PIO and ISI agents in Pakistan and India. In return, they would be paid by some Pakistani agents based in India. They were also in touch with a female PIO agent who was arrested last year in an Official Secrets Act and Honey-Trap case in Rajasthan,” Odisha STF said in a statement. “Based on the intelligence input Odisha STF apprehended three accused persons from Nayagarh and Jajpur District and they have been identified as Pathanisamant Lenka, (35) works as ITI Teacher, Saroj Kumar Nayak, (26) and Soumya Pattanaik, (19)” STF said. During raids, various incriminating materials such as 19 mobile phones, 47 pre-activated SIM Cards, 61 ATM cards, 23 SIM covers and laptops were seized from their possession. These OTPs were then used to create various accounts and channels on social media like Whatsapp, Telegram, Facebook and Instagram and also on online shopping sites like Amazon and Flipkart. These are also used in opening email accounts. People will think that these accounts are owned by an Indian but actually operated from Pakistan. These social media platforms will be used for various kinds of Anti-India activities like Spying, communication with terrorists, radicalization, running anti-India propaganda, fuelling anti-India/ divisive sentiments on social media, sextortion, Honey-trapping etc. As these accounts are registered and linked to Indian mobile numbers people find it trustworthy.”

6. Canada: Mendicino Concedes There Could be New ‘Chinese Police Stations’ in Canada, Insists RCMP will Shut Them Down

CTV News reported on May 14th that “Public Safety Minister Marco Mendicino concedes there may be new so-called “Chinese police stations” in Canada after saying last month they’d all been shut down, but he insists the RCMP will close any new sites if they do exist. The Spanish human rights organization Safeguard Defenders said last fall it had identified more than 100 of these alleged Chinese overseas police stations, including several in Canada. The group says these stations serve to spy on Chinese dissidents in Canada and abroad and collect information about opponents to the regime in Beijing, under the guise of providing resources to Chinese people living abroad. China has denied that the stations engage in any foreign interference. “I am confident that the RCMP have taken concrete action to disrupt any foreign interference in relationship to those so-called police stations, and that if new police stations are popping up and so on, that they will continue to take decisive action going forward,” Mendicino told CTV’s Question Period host Vassy Kapelos in an interview airing Sunday. There were reports earlier this month that two Montreal-area community groups, under investigation for allegedly hosting so-called police stations, were still operating normally. The Canadian Press reported that the two groups in question — Service a la Famille Chinoise du Grand Montreal, based in the city’s Chinatown district, and Centre Sino-Quebec de la Rive-Sud, in the Montreal suburb of Brossard, Que. — said the RCMP had taken no action against them.
The Canadian Press has also reported that Mendicino told a parliamentary committee last month “the RCMP have taken decisive action to shut down the so-called police stations.” In response to questions about the timeline of which stations were closed when, and whether any were still in existence, Mendicino told Kapelos he was “obviously very clear” at committee that the federal police force had “taken, in the past tense, decisive action.” “That doesn’t mean that there can’t be new foreign interference activities,” Mendicino said. “Our expectation is that if those activities manifest, if there is foreign interference, that yes, the RCMP will take decisive action as they have in the past.” He added it is his job to ensure the RCMP has all and resources needed to do its work, but that the RCMP is operationally independent from the government.”

7. London’s Web of Secret Government Communications

Following last week’s story #26, on May 14th Ringway Manchester published a follow-up episode on RF communication antennas installed in embassies based in London, UK. The episode covers: 1) Russian Embassy in Kensington Palace Gardens; 2) Embassy of Iraq in South Kensington; 3) Embassy of Bulgaria in South Kensington; 4) Former Embassy of Algeria in Holland Park; 5) Embassy of Japan in Piccadilly; 6) Embassy of Poland in Portland Place; 7) Bangladesh High Commission in Kensington; 8) Embassy of Jordan in Upper Phillimore Gardens; 9) Embassy of Sudan in Cleveland Row.

8. Ukrainian SBU Detained 2 Russian Informants in Kharkiv

On May 15th Ukraine’s SBU announced that they “detained two Russian informants in the Kharkiv region who were looking for information about the counter-offensive of the Armed Forces of the Russian Federation for the enemy. The perpetrators turned out to be acquaintances of a man and a woman from Vovchansk, who secretly gathered information about the locations and movements of the Defence Forces in the border area. They also recorded the consequences of Russian rocket and artillery shelling of the region. The received information was passed on to a relative who lives in the Russian Federation. Intelligence was needed by the occupiers for planning and preparing repeated airstrikes on Ukrainian sites. SBU officers located and detained both attackers while they were carrying out a hostile mission. During the searches, mobile phones were found in the detainees’ possession, which they used to correspond with the aggressor.”

9. Israel: Netanyahu Gives Shin Bet Edge Over Own Security Staff

Intelligence Online reported on May 15th that “the Israeli prime minister no longer seems in control of far-right minister Itamar Ben-Gvir’s conduct, and has decided to distance him from the Israeli Defense Force’s new military operation in the Gaza Strip. That has meant overriding Israel’s traditional decision-making process.”

10. Wagner Chief Offered to Give Russian Troop Locations to Ukraine, Leak Says

On May 14th The Washington Post published this story saying that “in late January, with his mercenary forces dying by the thousands in a fight for the ruined city of Bakhmut, Wagner Group owner Yevgeniy Prigozhin made Ukraine an extraordinary offer. Prigozhin said that if Ukraine’s commanders withdrew their soldiers from the area around Bakhmut, he would give Kyiv information on Russian troop positions, which Ukraine could use to attack them. Prigozhin conveyed the proposal to his contacts in Ukraine’s military intelligence directorate, with whom he has maintained secret communications during the course of the war, according to previously unreported U.S. intelligence documents leaked on the group-chat platform Discord. Prigozhin has publicly feuded with Russian military commanders, who he furiously claims have failed to equip and resupply his forces, which have provided vital support to Moscow’s war effort. But he is also an ally of Russian President Vladimir Putin, who might well regard Prigozhin’s offer to trade the lives of Wagner fighters for Russian soldiers as a treasonous betrayal. The leaked document does not make clear which Russian troop positions Prigozhin offered to disclose. Two Ukrainian officials confirmed that Prigozhin has spoken several times to the Ukrainian intelligence directorate, known as HUR. One official said that Prigozhin extended the offer regarding Bakhmut more than once, but that Kyiv rejected it because officials don’t trust Prigozhin and thought his proposals could have been disingenuous. A U.S. official also cautioned that there are similar doubts in Washington about Prigozhin’s intentions. The Ukrainian and U.S. officials spoke on the condition of anonymity to discuss sensitive information.”

11. Chinese Hacker Group Stealing Information from Korean Companies

The ASEC reported on May 15th that “recently, there have been frequent cases of attacks targeting vulnerable servers that are accessible externally, such as SQL servers or IIS web servers. The team has confirmed two affected companies in this case. One being a company for semiconductors, and the other being a smart manufacturing company which utilizes artificial intelligence. It is assumed that the threat group that carried out the hacking attack is a Chinese hacker group like Xiaoqiying and Dalbit, as a Chinese text file containing instructions on how to use the hacking tool was found.”

12. Belarusian Balloon Flew to Poland

Censor.Net reported on May 13th that “in the airspace of Poland, a balloon that flew in from the territory of Belarus was recorded. This was reported by the Ministry of Defence of Poland, Censor.NET reports. “The Air Operations Centre recorded the appearance in the airspace of Poland of an object that arrived from Belarus. This is probably a surveillance balloon. Radar contact was lost in the vicinity of Ripin,” the message says. The Ministry of Defence noted that the operational commander decided to send another territorial defence force to search for the balloon. So far the item has not been found.”

13. French Military Intelligence Hires CAE to Cover ISR Missions Before Archange

Intelligence Online reported on May 15th that “as they wait for project Archange to be operational, the French armed forces have turned to their long-standing provider CAE Aviation to provide a temporary airborne SIGINT solution.”

14. Australia: Labor Accuses Coalition of Playing Politics Over Changes to Secretive Intelligence Committee

The Guardian reported on May 14th that “the Albanese government has accused the Coalition of playing politics with national security, amid a political brawl over changes that could see crossbenchers join the secretive bipartisan intelligence committee. There is speculation that the independent MP Andrew Wilkie could be in contention to be appointed to the committee — which only has major party members — but the government has not confirmed any potential choices. Positions on the parliamentary joint committee on intelligence and security (PJCIS) are coveted because it regularly receives top-secret briefings from Asio and other agencies. It also has input into major national security legislation. The Coalition has slammed a government plan to increase the number of members on the committee from 11 to 13. It said it was “concerned that these proposed changes will allow the government to add at least another one or possibly two members from the crossbench as part of a grubby back-room political deal between the government and members of the crossbench”. The Coalition also said the changes could theoretically allow the government to give itself an overwhelming majority on the committee. Andrew Wallace, the deputy chair of the PJCIS and a Speaker under the Morrison government, said the opposition was concerned that the proposed changes were “a result of internal politics within the government”. But a spokesperson for the attorney general, Mark Dreyfus, said the change was “simply about expanding the number of people on the committee to make it easier to manage its workload”. The spokesperson said the prime minister “already has the power to nominate any member of the parliament as member of the committee” and it was up to the houses of parliament to appoint those members. “The Coalition has broken the historic and important tradition of bipartisanship on the PJCIS,” the spokesperson said.”

15. New Videos by Former United States CIA Officer Jason Hanson

Throughout this week former US Central Intelligence Agency (CIA) officer Jason Hanson published the following videos: 1) Should You Carry Concealed Around Kids? | Protecting Your Children and Ensuring Safety, 2) An ATF Agent Told Me to Lie and Here’s What I Did…, 3) Here’s What My 3-year-old Son Said About Self-defense…, 4) How This Slapshot Drill Unlocks Your Inner Fighter.

16. Ukraine’s SBU Detained Blogger for Leaking Sensitive Information on Social Media

On May 15th Ukraine’s Security Service (SBU) announced that “a TikToker who “poured” the locations of the Defence Forces in Cherkasy Oblast to the social network faces imprisonment. Cyber specialists of the Security Service have exposed a blogger in the Cherkasy Oblast who illegally disseminated information about the movement of the Defence Forces in the region. It was established that he personally took photos and videos of the movement of a convoy of Ukrainian military equipment with ammunition. Then he placed the received media files on his own page in the TikTok social network with geolocation data. Within minutes, this video was picked up by Russian propaganda outlets, including pro-Kremlin Telegram channels with a total audience of over 100,000 subscribers. In addition, more than half a million users have viewed this content on the TikToker’s personal page. SBU officers located the blogger and stopped his illegal activities. He explained his criminal actions by the desire to “increase” the audience. During the search of the suspect’s residence, a mobile phone was found, which he used to record the movement of Ukrainian troops and subsequently “publish” the recorded video.”

17. United States: Virginia Man Accused of Attacking Congressional Staffers with Baseball Bat Once Sued CIA, Sought $29M

The WFIN reported on May 15th that “the man accused of beating two staffers of U.S. Rep. Gerry Connolly, D-Va., on Monday with a baseball bat sued the Central Intelligence Agency (CIA) last year. Xuan Kha Tran Pham, 49, a Fairfax resident, claimed the spy agency tortured and imprisoned him, according to a May 2022 complaint. “The C.I.A. has been guilty of wrongfully imprisoning me in a lower perspective based on physics called the book world since 1995,” court documents read. He added the CIA tortured him since 1998 “from the fourth dimension.” Pham has been charged with one count each of aggravated malicious wounding and malicious wounding in Monday’s attack. The U.S. Capitol Police said Pham entered Connolly’s district office and assaulted two staffers with a metal baseball bat. The staffers sustained non-life threatening injuries. Connolly was not in the office at the time of the alleged assault. Investigators have not determined a motive for the attack, the USCP said. In his lawsuit, Pham said he wanted to be returned “to normal condition by a digital technology” and compensated for his alleged suffering in the amount of $29 million. The United States Capitol Police and Congress, over the past few years, have beefed up security for congressional and district offices and allocated additional funds to provide security at the homes and offices of lawmakers.”

18. India: RAW is Running a Big Operation by Entering Pakistan! Anti-India Terrorists are Being Eliminated Selectively

On May 15th News In France reported that “former Major of Pakistan has claimed that Indian intelligence agency RAW is operating in Lahore. According to Farooq, RAW has strengthened its roots in Pakistan. At a time when Pakistan’s army is fighting with its own people. At the same time, the spies of India have killed Pakistan by entering the house. This claim is being discussed fiercely in Pakistan. Retired Major of Pakistani Army Adil Farooq Raja has made a big claim. Former Major of Pakistan has claimed that Indian intelligence agency RAW is operating in Lahore. According to Farooq, RAW has strengthened its roots in Pakistan. Adil Farooq said that the way RAW is operating inside Pakistan is directly the failure of ISI Chief Nadeem Anjum and Army Chief Asim Munir. This retired army officer has also claimed that the current situation in Pakistan. Indian intelligence agency RAW is getting stronger in this. Along with this, former Major of Pakistan has made a big claim that Khalistani terrorist Paramjit Singh was killed in the past, it was an operation of RAW. By the way, such questions were raised earlier as well that who is killing the terrorists in Pakistan selectively. No one knows where India’s most wanted terrorist is hiding in Pakistan and now suddenly the news of his death started coming. In no time, Imtiaz Alam alias Bashir Ahmed Peer, one of India’s most wanted terrorists, dies in Rawalpindi, Pakistan. Then on February 26, unknown people killed Syed Khalid Raza, former commander of Pakistan-based terrorist organization Al Badr. In February itself, the news of the killing of another Kashmiri terrorist came in Pakistan. The name of this terrorist was told as Khalid Raja.”

19. CIA Launches Video to Recruit Russian Spies

CNN reported on May 15th that “the Central Intelligence Agency has launched a new effort to capitalize on what US intelligence officials believe is an “unprecedented” opportunity to convince Russians disaffected by the war in Ukraine and life in Russia to share their secrets, posting a slickly produced, cinematic recruitment video online on Monday. The push includes a new CIA channel on Telegram, the social media network that is a highly popular source of unfiltered news in Russia. The CIA first posted the video on Telegram, which ends with instructions on how to get in touch with the CIA anonymously and securely. The video is also being posted to its other social media platforms, including YouTube, Twitter, Instagram and Facebook. CIA officials involved in the project said that Russia’s invasion of Ukraine has created a historic opening “to have Russians come to us and deliver information the United States needs.” It also comes after a previous recruitment drive following the launch of the invasion that the officials said has been successful, with “contact coming in.” The message, one official said, that they hope Russians who work in sensitive fields with access to valuable information now hear is: “We understand you, maybe better than you think.” “We wanted to convey to Russians in their own language we know what they’re going through,” added the official, who spoke on the condition of anonymity to discuss the sensitive project. The official insisted the video is “absolutely not” meant to be incendiary or fuel unrest among the broader population — where Russian President Vladimir Putin still enjoys a high level of support — but rather targets individuals who may be on the fence, and “demystifies” the process of contacting the CIA. It does not mention Putin or even the war in Ukraine, in part because it would be “redundant,” but also because they argue it draws on “timeless” themes that have long convinced disaffected Russians to reach out to the CIA.
“Ukraine is top of mind but that’s more or less a symptom of something larger,” one of the officials said. “There are always individuals in Russia who identify with what we have to say here.”” Here you can watch the newly released video.

20. India: DRDO Espionage Case: Indian Air Force Employee Under Scrutiny, Kurulkar’s Custody Extended

On May 15th Pune Pulse reported that “the Court proceedings of Defence Research and Development Organisation (DRDO) espionage case, today revealed that an employee of the Indian Air Force (IAF) was also in contact with the Pakistani intelligence Operative (PIO). Today, after completion of the police custody period, DRDO scientist Pradeep Kurulkar was produced before court. Nikhil Shende, an IAF employee joined the IAF through the sports quota. He is stationed in Bengaluru and hails from Nagpur. His name was revealed during the investigation conducted by the Maharashtra police’s Anti-Terrorism Squad (ATS). The team was searching for individuals potentially targeted by the same person who trapped Kurulkar. During the argument of extension of custody, it was revealed that an alleged IAF employee’s involvement which has resulted into a departmental inquiry. While the scrutiny intensifies, Kurulkar remains in custody after being arrested by the Maharashtra police’s Anti-Terrorism Squad (ATS) on charges of sharing classified information with a Pakistani agent. The IAF employee was also contacted by using the same IP address which was used to connect with DRDO scientists. Shende’s statement has been registered by Pune Court under CrPC Section 164. The involvement of an IAF officer introduces a new aspect to the ongoing investigation, raising further questions about the extent of the espionage network. During a recent court hearing, the prosecution requested an extension of Kurulkar’s custody. Prosecution stressed the need for further interrogation in the case. In response, the defense argued that all relevant devices had already been confiscated and that Kurulkar had been cooperating fully with the authorities. Considering these arguments, the court granted an additional day of police custody for Kurulkar. 
The allegations against Kurulkar revolve around his communication with an agent referred to as a Pakistan Intelligence Operative through WhatsApp and video calls, hinting at a potential honeytrap operation. After his arrest, Kurulkar was charged under the applicable sections of the Official Secrets Act.”

21. Podcast: Deep State Radio: How Intelligence Pros See the Future of the War in Ukraine

The Deep State Radio released a new podcast episode on May 15th. As per its description, “on this, the inaugural episode of DSR’s new weekly Spy Show podcast with Marc Polymeropoulos, Marc and co-host David Rothkopf are joined by one of the most respected officers in the CIA’s recent history, Paul Kolbe. Together they discuss what to make of the recent criticisms of Vladimir Putin from within his own ranks, the likely consequences of potential instability in Belarus, and what is working for the US and our allies on the intel front in this complex and consequential war. Join us for perspectives and insights you won’t find anywhere else.”

22. Stealthy MerDoor Malware Uncovered After Five Years of Attacks

On May 15th Bleeping Computer reported that “a new APT hacking group dubbed Lancefly uses a custom ‘Merdoor’ backdoor malware to target government, aviation, and telecommunication organizations in South and Southeast Asia. The Symantec Threat Labs revealed today that Lancefly has been deploying the stealthy Merdoor backdoor in highly targeted attacks since 2018 to establish persistence, execute commands, and perform keylogging on corporate networks. “Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018,” reveals the new Symantec report. “Symantec researchers observed it being used in some activity in 2020 and 2021, as well as this more recent campaign, which continued into the first quarter of 2023. The motivation behind both these campaigns is believed to be intelligence gathering.” Lancefly is believed to focus on cyber-espionage, aiming to collect intelligence from its victims’ networks over extensive periods.”

23. Bahrain: Sheikh Nasser Launches Defence Telecoms Project to Expand Influence Over Bahraini Intelligence

Intelligence Online reported on May 16th that “Bahrain’s Crown Prince Salman has oversight of the kingdom’s intelligence services, but his younger brother Sheikh Nasser is attempting to grab more power with a key defence telecoms project.”

24. Podcast: SpyCast: “70th Anniversary of James Bond, Special” — with Alexis Albion on 007 (Part 1 of 2)

On May 16th the International Spy Museum’s SpyCast released a new episode. As per its description, “on April 13th, 1953, Ian Fleming published the first James Bond novel, Casino Royale. He would go on to publish a new book in the Bond series annually, culminating in 12 novels and 2 short-story collections. Now, 70 years later, the franchise has grown to include 25 movies featuring 6 different actors portraying James Bond. Put simply, the James Bond franchise has left an indelible mark on our world. While perhaps not the most accurate representation of spies and intelligence, Bond has shaped the way people think about espionage. This week on SpyCast, curators Andrew and Alexis join forces to put the past 70 years of Bond into historical perspective. To help frame their conversation, our collections team brought out a fantastic selection of Bond artifacts for Andrew and Alexis to interact with during the recording of this episode. And… A Bond artifact in the collection that Andrew and Alexis did not talk about in this episode is Jaws’ Teeth. Jaws, played by Richard Kiel in The Spy Who Loved Me and Moonraker, is one of the most memorable Bond villains — Even though he only has one spoken line in the entire franchise. Can you quote the line?”

25. Chinese Cyber Espionage: Analysing Custom Router Implant

The private cyber security firm Check Point Research published this technical analysis on May 16th. As per its introduction, “over the past few months, Check Point Research has closely monitored a series of targeted attacks aimed at European foreign affairs entities. These campaigns have been linked to a Chinese state-sponsored APT group we track as Camaro Dragon, which shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda. Our comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named “Horse Shell” that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks. The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware. This blog post will delve into the intricate details of analyzing the “Horse Shell” router implant. We will share our insights into the implant’s functionality and compare it to other router implants associated with Chinese state-sponsored groups. By examining this implant, we hope to shed light on the techniques and tactics utilized by the Camaro Dragon APT group and provide a better understanding of how threat actors utilize malicious firmware implants in network devices in their attacks.”

26. United States: Ex-Intel Boss Stole Top Secret Documents for at Least a Decade, Air Force Says

The Daily Beast reported on May 15th that “a retired U.S. Air Force intelligence officer who admitted earlier this year to keeping hundreds of highly classified government documents at his Florida home had been pilfering confidential material for at least 10 years, according to military records reviewed by The Daily Beast. Long before Lt. Col. Robert Birchum pleaded guilty in federal court to one felony count of unlawful retention of national defense information, he received a searing USAF letter of reprimand describing the conduct for which he would later be charged as “disgraceful,” “inexcusable,” “irresponsible,” and “despicable.” The letter, which is dated Jan. 5, 2018 and signed by Brig. Gen. Darren V. James, provides new insight into the details of Birchum’s alarming hoard, dating back to a posting the Eagle Pass, Texas native assumed about 12 years after joining the service in 1986. The documents Birchum “wrongfully took” were not only from the Department of Defense, but from “other agencies in the Intelligence Community (IC) as well,” the letter states. Although the materials mishandled by Birchum, 54, date back some 25 years, prosecutors said in a sentencing memo filed Friday that “the government cannot identify precisely when the Defendant removed these classified documents from his secure workplaces.” However, according to the filing, “it is likely that he did so over the course of more than a decade.” In the reprimand letter, which was attached to the sentencing memo, James wrote, “In 1998 as a First Lieutenant assigned to Beale AFB, you were responsible for collection of time sensitive U-2 derived intelligence and you also represented 12th Air Force in U-2 mission planning issues at joint AF and other IC exercises. The classified information found at your home included U-2 data that was developed during this time frame. 
You had no authority to possess these documents, and you additionally failed to safeguard these materials.” The U-2 spy plane is used for high-altitude reconnaissance, and was developed jointly by the Air Force and the CIA. In addition, investigators with the Air Force Office of Special Investigations (AFOSI) found materials developed in 2000, while Birchum, then a captain, oversaw “near real time U-2 derived imagery and signals intelligence collection, exploitation, and dissemination,” the letter goes on. There were also secrets from Birchum’s 2001 to 2003 stint as Chief of Air Force Intelligence, Surveillance and Reconnaissance (ISR) Readiness that AFOSI found in his home, as well as classified ISR documents from 2003–2004, when Birchum was assigned to the Pentagon, according to the letter.”

27. Romania: Israeli IMSI-catcher Specialist PicSix Struggles to Establish Itself in Bucharest

On May 16th Intelligence Online reported that “Israeli IMSI-catcher specialist PicSix is engaged in an intense legal battle with Romanian equipment distributor Cellphone Group Impex, after its performance on a contract from the National Anti-Corruption Directorate exposed the limits of its equipment.”

28. Russia: Kremlin Says Its Spies Are Watching as CIA Urges Russians to Get in Touch

Following this week’s story #19, on May 16th Reuters reported that “the Kremlin said on Tuesday its agencies were tracking Western spy activity after the U.S. Central Intelligence Agency published a video encouraging Russians to make contact via a secure internet channel. The short video in Russian was accompanied by a text saying the agency wanted to hear from military officers, intelligence specialists, diplomats, scientists and people with information about Russia’s economy and its leadership. “Contact us. Perhaps the people around you don’t want to hear the truth. We want to,” the text said. Published nearly 15 months into Moscow’s war with Ukraine, the video invites Russians to take a colossal risk. President Vladimir Putin has warned his compatriots to be on their guard against traitors, and parliament last month voted to increase the penalty for state treason from 20 years to life in prison.”

29. Canadian Lawmaker Speaks Out on Being Targeted by China

Politico reported on May 16th that “the Canadian member of Parliament allegedly targeted by a Chinese diplomat in a foreign meddling scheme said his story illustrates how the country’s national security system is malfunctioning. Conservative MP Michael Chong said the fact he learned about his case through a newspaper leak of classified intelligence is a “symptom of a national security and intelligence system that is not working” and that intelligence is not being shared properly with legislators. And he said Prime Minister Justin Trudeau is to blame for not moving to fix the broken machinery of government — processes, protocols and the way institutions are set up — sooner. “The last several weeks have been a trying time for me and my family,” Chong told a parliamentary hearing, but added his case is only one among an unquantifiable number of Canadians who have “suffered in silence” under threat from foreign governments. Chong told his story to Canadian legislators at the procedure and House affairs committee Tuesday evening and laid out how he and his extended family in Hong Kong suddenly found themselves in the crosshairs of a foreign government aiming to influence the country’s domestic politics. He said it was “shocking” to learn there was a diplomat on Canadian soil that “put a target” on the backs of him and his family.”

30. North Korean Leader Inspects Military Spy Satellite

On May 17th the Yonhap News Agency reported that “North Korean leader Kim Jong-un inspected the country’s first military reconnaissance satellite and gave the green light for its “future action plan,” Pyongyang’s state media said Wednesday. Kim made the on-site inspection to the Non-permanent Satellite Launch Preparatory Committee a day earlier to check the overall status of the spy satellite ready to be mounted, according to the Korean Central News Agency (KCNA). “After acquainting himself in detail with the work of the committee, he inspected the military reconnaissance satellite №1 which is ready for loading after undergoing the final general assembly check and space environment test,” it said. Kim stressed that “the more desperately the U.S. imperialists and South Korean puppet villains” escalate their confrontational moves against the North, “the more fairly, squarely and offensively” it will exercise its just right to self-defence to deter them. He then “approved the future action plan of the preparatory committee,” it added.”

31. Webinar: The Kneeling Man: My Father’s Life as a Black Spy with author Leta McCollough Seletzky

On May 17th the International Spy Museum published this video recording. As per its description, “in the famous photograph of the assassination of Dr. Martin Luther King Jr. on the balcony of Memphis’s Lorraine Motel, one man kneeled down beside King, trying to staunch the blood from his fatal head wound with a borrowed towel. The kneeling man was a member of the Invaders, an activist group that was in talks with King in the days leading up to the murder. But he also had another identity: an undercover Memphis police officer reporting on the activities of this group, which was thought to be possibly dangerous and potentially violent. Leta McCollough Seletzky is the kneeling man’s daughter. Her book, “The Kneeling Man: My Father’s Life as a Black Spy Who Witnessed the Assassination of Martin Luther King Jr.” powerfully shares her quest to learn the truth about her father, Marrell McCollough.”

32. Qatar: Western Partners Pull Away from Dahra in Wake of Espionage Scandal

Intelligence Online reported on May 17th that “Dahra Global’s defence partners and the companies it distributes are trying to distance themselves from the Omani defence reseller. It has been accused of being used by Israeli intelligence to garner information on a top secret programme in Qatar, revealed at the time by Intelligence Online.”

33. United States Justice Department Announces Five Cases as Part of Recently Launched Disruptive Technology Strike Force

On May 16th the US Department of Justice announced “criminal charges in five cases and four arrests from five different U.S. Attorney’s offices in connection with the recently launched multi-agency Disruptive Technology Strike Force. The Disruptive Technology Strike Force is co-led by the Departments of Justice and Commerce to counter efforts by hostile nation-states to illicitly acquire sensitive U.S. technology to advance their authoritarian regimes and facilitate human rights abuses. The Strike Force’s work has led to the unsealing of charges against multiple defendants in five cases accused of crimes including export violations, smuggling and theft of trade secrets. Two of these cases involve the disruption of alleged procurement networks created to help the Russian military and intelligence services obtain sensitive technology in violation of U.S. laws. In the Eastern District of New York, a Greek national was arrested on May 9 for federal crimes in connection with allegedly acquiring more than 10 different types of sensitive technologies on behalf of the Russian government and serving as a procurement agent for two Russian Specially Designated Nationals (SDNs) operating on behalf of Russia’s intelligence services. In the District of Arizona, two Russian nationals were arrested for their involvement in a procurement scheme to supply multiple Russian commercial airline companies — which were subject to bans from engaging in certain type of commercial transactions — with export-controlled parts and components, including braking technology. Two of the other cases announced today charge former software engineers with stealing software and hardware source code from U.S. tech companies in order to market it to Chinese competitors.
In the Central District of California, a senior software engineer was arrested on May 5 for theft of trade secrets for allegedly stealing source code used in metrology software which is used in “smart” automotive manufacturing equipment. The defendant then allegedly marketed the stolen technology to multiple Chinese companies. In the Northern District of California, a citizen of the People’s Republic of China (PRC) and former Apple engineer is accused of allegedly stealing thousands of documents containing the source code for software and hardware pertaining to Apple’s autonomous vehicle technology. This defendant fled to China and is believed to be working for a PRC-based autonomous vehicle competitor. The fifth and final case involves a Chinese procurement network established to provide Iran with materials used in weapons of mass destruction (WMDs) and ballistic missiles. In the Southern District of New York, a PRC national is charged with allegedly participating in a scheme to use his employer to conduct transactions with a U.S. financial institution for the benefit of a purported Iranian entity, as part of an effort to provide isostatic graphite, a material used in the production of WMDs, to Iran.”

34. Russia’s FSB Sent Ex-Islamic State Fighters to Infiltrate Ukraine, Turkey, U.S.

The Moscow Times reported on May 16th that “Russia’s Federal Security Service (FSB) has recruited former Islamic State fighters to infiltrate Ukraine, Turkey and the United States, the independent Meduza news website reported Tuesday, citing four recruited fighters. The outlet said an unnamed source close to the FSB confirmed regular but largely unsuccessful attempts to penetrate Ukraine’s military circles. Meduza interviewed a former Russian Islamic State fighter who had served a four-year prison sentence out of a maximum of 20 years in exchange for agreeing to work for the FSB in Ukraine. The fighter, Baurzhan Kultanov, said the FSB ended up sending him to Turkey in the spring of 2022, where he said he was ordered to gather information about underground efforts to send fighters to Ukraine. In Ukraine, the FSB reportedly targeted the head of a volunteer battalion fighting on the side of Ukraine since 2014 that has Crimean Tatars and Chechens in its ranks. “You’re our eyes and ears there, but you’re not the only one,” Kultanov recalled the FSB recruiters as saying to him. “It would be nice to make you a double and even triple agent so that other special services would want to recruit you,” they continued. “You don’t have to invent anything…You’re really a terrorist and a Muslim who did time here. Just tell them you don’t like Russia and the FSB and want to help. They’ll take you in with open arms,” Kultanov recalled the officer, Alexander Gushin, as saying. Ukraine said in January 2023 that it had exposed more than 600 Russian agents. Kultanov is currently jailed in Turkey on charges of violating immigration rules. Meduza said he had asked for political asylum on claims that he would be jailed and killed if deported to Russia. Meduza cited another ex-ISIS fighter who had allegedly fought alongside Kultanov in Syria, identified as Karim from Russia’s republic of Dagestan, as saying that Russia’s recruitment efforts in Ukraine are an open secret. 
“That’s why no one trusts each other” among the Russian Muslim diaspora, Karim was quoted as saying. U.S. authorities have detained around 50 Russians suspected of being FSB agents at the U.S.-Mexico border since Russia invaded Ukraine in February 2022, Meduza cited terrorism researcher Vera Mironova as saying.”

35. Kenya Gets a New Intelligence Chief

On May 17th Chimp Reports stated that “Kenya’s President William Ruto has nominated Noordin Haji as the next Director General of the National Intelligence Service. If considered by Parliament, Haji will succeed Philip Kameru, who is due for retirement. Kameru has been at the helm of the intelligence agency since September 2014. President Ruto described his performance at NIS as outstanding, having helped the country confront terrorism, transnational crimes, and “major threats to our security”. Haji takes over at a time when Kenya is dealing with international terrorism. The country faces terror threats from neighbouring and domestic political upheavals.”

36. Serbia: Aleksandar Vulin Shuns Media Spotlight Behind BIA Walls

Intelligence Online reported on May 19th that “since taking over the Serbian civil intelligence agency Bezbednosno-Informativna Agencija last December, the former interior minister has been keeping a low profile. So far, no new scandals have tainted the professional provocateur’s time at the helm, much to his detractors’ surprise, and the agency has continued to operate out of the limelight.”

37. Podcast: Shawn Ryan Show: Former CIA Analyst Buck Sexton

On May 17th the Shawn Ryan Show published a new podcast episode. As per its description, “Buck Sexton is a former CIA analyst and currently an American radio host, author, and conservative co-host of The Clay Travis and Buck Sexton Show. This episode covers a lot of ground. We get into Buck’s former life as a CIA analyst and how that informs his public works. We discuss the expiration of Title 42 and what that means for the border crisis and asylum seekers. Buck explains how the modern mass media has developed over time and where disinformation collides with the free press. Shawn and Buck touch on the education system and the future of AI. From the Twitter Files to the Epstein case–we tackle these current events head on.”

38. Ukrainian SBU Detains Nurse Acting as FSB Agent

On May 17th Ukraine’s Security Service (SBU) announced that they “detained a nurse who worked for the FSB and “leaked” personal data of Ukrainian defenders to the enemy. The Security Service detained another Russian agent as a result of counter-subversive measures in liberated Kherson. She turned out to be a nurse from one of the local hospitals, who during the occupation of the regional centre was recruited by a case officer of the FSB. According to his instructions, after the liberation of Kherson, she remained in the city and continued to work in a medical facility to carry out intelligence and subversive activities against Ukraine. In the future, the perpetrator collected for the aggressor the identification data of Ukrainian defenders who were being treated in a medical institution. She also spied on the bases of the Defence Forces stationed in the territory of the regional centre. In addition, the Russian agent recorded the consequences of the enemy’s missile and artillery shelling of Kherson and transmitted the relevant “reports” to the FSB via messenger. Intelligence was needed by the occupiers to adjust repeated fire strikes on the city. As the investigators established, the woman came to the attention of the Russian intelligence services because of her public support for the invaders in one of the anti-Ukrainian groups in Telegram. During the search of the suspect’s place of residence, a mobile phone was found, which she used to communicate with the aggressor.”

39. U.S., Russian Spy Agencies Publish Rival Ads Encouraging Would-be Informants

IntelNews reported on May 18th that “rival online campaigns by American and Russian intelligence agencies are encouraging each other’s citizens to contact them, share information and possibly even defect. At least three ads have been on social media, with the Federal Bureau of Investigation (FBI) issuing the earliest one in February of this year. The Central Intelligence Agency (CIA) and its Russian counterpart, the Foreign Intelligence Service (SVR), are now believed to have published similar ads. The FBI ad initially appeared on Twitter, directing users to the website of the Bureau’s Washington Field Office. There, a text in Cyrillic urges Russian nationals to “change [their] future” by contacting the FBI. The CIA followed suit on Monday of this week by posting a video on its new channel on Telegraph, a popular social media platform among young Russians. The CIA video portrays frustrated Russian government employees morally torn by the Kremlin’s policies. It concludes with them contacting the CIA through a secure online connection. A narrator’s voice states, “my family will live with dignity thanks to my actions”. Viewers are then assured that their safety is the CIA’s highest priority, should they choose to do the same.”

40. Spy Way of Life: United Arab Emirates: Zuma Abu Dhabi, Mohammed bin Zayed’s Favourite Izakaya for Fine-tuning Deals Over Fine Dining

This week’s selection for Intelligence Online’s Spy Way of Life was the Zuma Restaurant in Abu Dhabi, United Arab Emirates. As per the article, “this week, Intelligence Online explores Zuma restaurant in Abu Dhabi, where princes and spymasters, and their foreign guests, discuss and make deals over tasty Japanese finger food.”

41. Iraqi Cleric Accuses Mossad of Assassinating Imam Ali, 1,300 years ago

On May 17th i24 News stated that “a prominent cleric in Iraq came under fire last week after he claimed that Israel orchestrated the assassination of Shiite Islam’s first Imam — over 1,300 years ago. In a recorded lecture, the pro-Iranian Shiite cleric repeatedly blamed “the Jews” for killing Ali Ibn Abi Talib. Ali was in fact assassinated, by another Muslim working for a political rival in 661 CE. His son, Hassan, who succeeded his father, was then assassinated nine years later — cementing the schism between the Muslim faithful. Since Shiites venerate Ali and his son as the rightful successors to their Prophet Mohammad, the death of the two Imam caliphs led to the current division between Sunni and Shiite Islam. But Iraqi cleric Qais al-Khazali has come up with a new theory: The deaths of Ali and Hassan were at the hands of “the Jews,” in particular, the Israeli intelligence service Mossad. First for Ali’s death, and then for the deaths of Hassan and his brother Hussein.”

42. India: Defense Journalist Arrested on Suspicion of Espionage

Nova News reported on May 18th that “defense journalist Vivek Raghuvanshi and former Navy commander Ashish Pathak, currently an employee of a private company, were arrested in India by the Central Bureau of Investigation (CBI) for alleged espionage. A spokesman for the investigative agency made it known to the press. The arrests were made yesterday under Section 3 of the Official Secrets Act and Section 120-B of the Penal Code. The investigation started from a complaint filed in September by the New Delhi police and transferred to the CBI in December. The agency carried out 15 searches and seized 48 electronic devices. Raghuvanshi, contributor to the site “Defense News”, is suspected of having collected and shared with foreign intelligence agencies classified military information, including related to procurement by the military and projects of the Defense Research and Development Organization (DRDO). No details about Pathak were disclosed. Sightline Media Group, US publisher of “Defense News” and “Military Times”, specifying that it is an independent company, condemned the arrest and asked for “the immediate release of the freelance reporter”. “Vivek has been writing about the Indian defense industry for Sightline publications for more than three decades and has proven himself as a journalist of integrity and of the highest ethical standards. Vivek is deeply respected by his colleagues and readers in the defense industry, who know they can rely on accurate and fair reporting,” wrote the group’s editor-in-chief, Mike Gruss. “Sightline executives have seen no evidence to support these allegations and reject attacks on press freedom,” Gruss added. Eileen O’Reilly, president of the longstanding Washington-based National Press Club, and Gil Klein, president of its affiliated National Press Club Journalism Institute, also issued a statement in support of Raghuvanshi, expressing “disappointment” at the arrest.
“The allegations against him of collaborating with a foreign intelligence service are completely at odds with his consolidated professional profile. Vivek has a solid reputation and the respect of his colleagues. We hope that his release and the dropping of these charges will proceed quickly and that Vivek will be allowed to resume his reporting for Sightline Media,” a statement read.”

43. Russian FSB Detained Ukrainian National for Espionage

On May 16th Russia’s Federal Security Service (FSB) announced that it, “in the course of the operational search activities, uncovered and stopped the espionage activities of a 25-year-old citizen of Ukraine. On the instructions of foreign intelligence services, the suspect passed on information regarding sites, military equipment, fortifications and combat positions of the Russian Federation Armed Forces. As a result of the conducted search operations, technical equipment was seized, in which geospatial information was found that revealed the deployment and activities of the Vostok group of troops of the Russian Armed Forces, which took part in a special military operation on the territory of the Kiev region of Ukraine. The transfer of said information to representatives of a foreign state was used against the security of the Russian Federation.”

44. Italian Cyber Companies Benefit from Israeli Export Restrictions

Intelligence Online reported on May 19th that “with Israel’s cyber operators in difficulty because of restrictions on export licences, Italian cyber intelligence companies like RCS Lab and Negg are becoming increasingly busy on the international market.”

45. North Korea Defectors Prompted to Flee by Strict COVID Controls, South Korea Spy Agency Says

Reuters reported on May 19th that “defectors who fled North Korea early this month decided to do so because of the country’s strict COVID-19 controls, South Korea’s spy agency said on Friday. The group of North Koreans, nearly 10 people, crossed the border by ship on the night of May 6, crossing the Northern Limit Line in the Yellow Sea, news agency Yonhap reported. “The defectors testified that they used to watch South Korean TV and admired South Korean society. Then social controls became tougher due to COVID and they grew tired of the North Korean regime,” the National Intelligence Service (NIS) told Reuters, confirming the Yonhap report.”

46. Somali Government Says It Seized Military Shipments Bound for Al-Shabab

The Delhi Times reported on May 19th that “Somalia’s National Intelligence Agency (NISA) said Thursday that it had seized two illicit shipments of military hardware and explosive materials that were apparently bound for the al-Shabab militant group. At a news conference in Mogadishu, Somalia’s State Minister of Defense Mohamed Ali Haga said the agency found the arms at Mogadishu’s port and airport. “At the port of Mogadishu, NISA personnel discovered a shipment of military hardware and explosive materials concealed within containers posing as authorized business imports,” Haga said. “Our forces have [also] seized military equipment at Mogadishu’s Aden Ade International Airport.” A statement from NISA said an investigation relating to the illicit shipments led to the arrest of 10 individuals associated with a smuggling network. “Our agency has been following the activities of these individuals in Somalia and outside Somalia,” Haga said. “It has been following their involvement in this smuggling network. Fortunately, all of them are in custody, and none has escaped.” Neither Haga nor NISA gave further details on the components of the seized shipments, where they were from, or the identities of those involved.” Photos of the event are available on NISA’s Twitter account.

47. After Moura Report, Malian Government Accuses UN of ‘Espionage’

On May 19th The Africa Report shared that “in a statement issued on 13 May, the Malian transitional authorities announced the opening of a judicial investigation into “attacks upon the external security of the state […] and military conspiracy.” A Malian governmental response was expected. One day after the publication of the UN report on the Moura massacre, Colonel Abdoulaye Maïga appeared on national television to read a statement accusing the UN of a “military plot”. The UN had reported at least 500 dead in an operation by the Malian army and its Russian Wagner group supporters in Moura at the end of March 2022.”

48. Russians Arrest Former US Employee, Charged with Espionage

The Irish Sun reported on May 19th that “the US State Department said it “strongly condemns” the reported arrest of a former employee of the US mission in Russia, identified as Robert Shonov. The allegations that Shonov illegally collaborated with foreigners is “wholly without merit,” it added. This week, a report by Russian state news agency TASS said that Russian national Shonov was detained in the far eastern city of Vladivostok, but is being held in Moscow’s Lefortovo prison, usually reserved for serious crimes, such as those charged with espionage. In a statement this week, State Department spokesperson Matthew Miller said Shonov was employed by the US Consulate-General in Vladivostok for more than 25 years until Russia ordered the termination of the US mission’s local staff in 2021. At the time of his arrest, Shonov was employed by a company contracted to provide services to the US embassy in Moscow, Miller added, stressing that this arrangement complied with Russia’s laws and regulations. “His being targeted under the ‘confidential cooperation’ statute highlights the Russian Federation’s blatant use of increasingly repressive laws against its own citizens,” Miller said. Meanwhile, TASS reported a law enforcement agency as stating that “after interrogation,” Shonov was charged and could face up to eight years in prison.”

49. Ukrainian SBU Announces Life Sentence for Russian Agent in Lviv Region

Following 2022 week 18 story #18, on May 17th the SBU announced that “a traitor who “directed” Russian missiles at railway bridges and factories in Lviv Region was sentenced to life imprisonment. The Security Service has gathered indisputable evidence on another Russian agent who gave the Russian Federation the locations of the Defence Forces and strategic enterprises in western Ukraine. The aggressor used his intelligence to adjust repeated missile strikes on key transport arteries and industrial facilities in the region. Counter-intelligence officers of the SBU detained the attacker in May of last year as a result of a multi-stage special operation in the Lviv region. According to the materials of the Ukrainian intelligence service, the court sentenced the enemy henchman to the highest degree of punishment — life imprisonment with confiscation of property. According to the investigation, the convict is a resident of the regional centre, who was recruited by the Russian intelligence service after the start of the full-scale invasion. The enemy came into the field of view due to his destructive activity on pro-Kremlin Telegram channels, including “Solovyev Live” (Соловьев Live) and “Kadyrov 95” (Кадыров 95). To fulfil the tasks of the aggressor, their henchman personally toured the territory of the region and recorded the locations of military facilities and critical infrastructure. In addition, the Russian agent monitored the consequences of enemy air attacks in the region and sent relevant “reports” to the occupiers, in which they noted the technical condition of Ukrainian facilities. He used messengers to communicate with the aggressor. During the search of the attacker’s residence, a mobile phone was found, which he used for reconnaissance and subversive activities in favour of the Russian Federation.”

50. United States: NUVIEW and Array Labs in Race to Launch LiDAR Satellite Constellations

Intelligence Online reported on May 18th that “the US startup NUVIEW wants to carve out a niche for itself in the market of laser imaging satellites. Its main competitor operating in this new frontier of geospatial intelligence is the more established American tech firm Array Labs.”

51. Russian Intelligence Officer’s Suspicious Purchases in Norwegian Company Raise Espionage Concerns

On May 19th BNN reported that “in a surprising turn of events, a Russian intelligence officer’s series of purchases from a small Norwegian company, Instrumentcompaniet, have raised concerns of espionage. The man, who presented himself as a regular customer, made several specific requests for underwater measuring instruments and monitoring equipment. He was well-dressed, spoke fluent English, and often visited the office, leaving only an email for communication. What struck the employees as unusual were his preferences for cash payments and his avoidance of leaving a mobile number. Although cash payments were considered common for Russians, the management insisted on invoicing him for advance payment. The man’s purchases included equipment for measuring material thickness underwater, water quality instruments, a gas meter, an oxygen meter for underwater use, and even an adhesion meter. However, it was his specific interest in subsea cable detection equipment, particularly from the company Tinsley, that sparked concerns. This interest coincided with an incident involving a cut internet cable between Norway and Svalbard. The employees couldn’t help but wonder if the man’s requests were related to detecting such cables. As tensions escalated with the war in Ukraine, the Norwegian company began to question the nature of the man’s purchases. The explosion of the Nord Stream 1 and 2 gas pipelines in the Baltic Sea, whose perpetrators remain unknown, further deepened their suspicions. The Russian intelligence officer, who held diplomatic status and had connections to the Russian embassy, came under scrutiny. A tip from Instrumentcompaniet prompted the involvement of PST (Norwegian Police Security Service), leading to a meeting with the Russian diplomats and further investigation.”

52. Cyber Espionage: CloudWizard APT: The Bad Magic Story Goes On

Kaspersky Labs published this technical analysis on May 19th stating that “in March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. Since the release of our report about CommonMagic, we have been looking for additional clues that would allow us to learn more about this actor. As we expected, we have been able to gain a deeper insight into the “bad magic” story. While looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. What was most interesting about it is that its victims were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. Targets included individuals, as well as diplomatic and research organizations. The newly discovered campaign involved using a modular framework we dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging and more. Over the years, the infosec community has discovered multiple APTs operating in the Russo-Ukrainian conflict region — Gamaredon, CloudAtlas, BlackEnergy and many others. Some of these APTs have long been forgotten in the past — such as Prikormka (Operation Groundbait), discovered by ESET in 2016. While there have been no updates about Prikormka or Operation Groundbait for a few years now, we discovered multiple similarities between the malware used in that campaign, CommonMagic and CloudWizard. Upon further investigation, we found that CloudWizard has a rich and interesting history that we decided to dig into.”

53. Ukraine’s SBU Detained GRU Agent in Chernivtsi

Ukraine’s SBU announced on May 19th that they “detained a Russian agent in Chernivtsi who was spying on units of the Armed Forces, the Security Service and border guards. The intruder collected intelligence for the occupiers about the locations of the Defence Forces and critical infrastructure facilities in the eastern and western regions of Ukraine. First of all, the enemy was interested in the locations of the units of the SBU and the State Border Service, as well as the exact coordinates of key bridges and electrical substations in Kharkiv Oblast and Bukovyna. SBU officers detained a Russian agent in Chernivtsi during his covert photo-fixation of a military site. According to the investigation, the accomplice of the aggressor turned out to be a local resident who moved to Kharkiv in 2021 and worked as an internet configuration technician. After the start of the full-scale invasion, he began actively spreading pro-Kremlin narratives on his own page on the banned Odnoklassniki social network. Thus, in February of this year, the man came into the field of view of Russian military intelligence. Later, he was approached remotely by a case officer of the GRU, who offered tacit cooperation in favor of the aggressor country. While in Kharkiv, the enemy agent carried out the instructions of his Russian “handler” to collect data on the location of roadblocks and fortifications in the city. In addition, he gave geo-locations of local energy facilities to the occupiers. Soon the suspect received a new task — to return to Chernivtsi under the guise of visiting relatives. Although in fact the purpose of the “trip” was to spy on the regional SBU department, the border detachment and the local military commissariat. The attacker also focused on transport bridges in the region — their coordinates and security system.”

54. Malicious Emails Aimed at Taiwan Have Spiked in 2023

The Record reported on May 18th that “government employees and a variety of companies in Taiwan have been the targets of a wave of malicious emails this year amid rising concerns about China’s plans for its island neighbor. Researchers at cybersecurity firm Trellix said they have observed a significant rise in extortion emails aimed at Taiwan government officials, with a 30-fold increase year-on-year in the number of malicious emails in January. Joseph Tal, senior vice president of Trellix Advanced Research Center, said in the report that over the past few years his team has noticed that geopolitical conflicts “are one of the main drivers for cyberattacks on a variety of industries and institutions.” In recent months, an already tense atmosphere around Taiwan has worsened, with senior Chinese officials increasingly making forceful statements about Taiwan’s future. Foreign Affairs Ministry Spokesman Wang Wenbin said last month that “Taiwan’s return to China… is an important part of the post-war international order.” The “real status quo of the Taiwan question is that both sides of the Taiwan Strait belong to one and the same China,” he added. “Taiwan is part of China.” Amid this rhetoric, Trellix observed phishing attacks bearing the hallmarks of state-sponsored groups. They saw the number of malicious emails during one three-day stretch in April increase to over four times the usual amount. The campaigns targeted government agencies as well as IT, manufacturing and logistics industries, and typically deployed PlugX, a malware employed by Chinese state-backed groups since 2012.”

55. USMC Receives First Extended-range General Atomics MQ-9

Janes reported on May 18th that “the US Marine Corps (USMC) has taken receipt of its first two extended-range General Atomics Aeronautical Systems (GA-ASI) MQ-9s. The two newbuild aircraft will be operated by Marine Unmanned Aerial Vehicle Squadron 3 (VMU-3) from Marine Corps Air Station (MCAS) Kaneohe Bay, Hawaii. “These aircraft will be based out of Hawaii, fulfilling an immediate need for a long-range, long-endurance, land-based [large-size] UAS [unmanned aircraft system] to conduct persistent maritime domain awareness and data relay in the Indo-Pacific Command area of responsibility,” the USMC told Janes. “The MQ-9A has proven to be a reliable platform with a proven track record in operations and procurement by the United States Air Force (USAF).” The USMC expects to take delivery of four more MQ-9s in fiscal year (FY) 2024, the service told Janes.”

56. Ukraine’s SBU Detained FSB Agent in Zaporizhzhia

On May 18th Ukraine’s SBU announced that they “detained a Russian agent in Zaporizhzhia who was spying on the positions of the Marines of the Ukrainian Armed Forces. The perpetrator turned out to be a former tax police official who was fired in 2011 for corruption. At the beginning of March of this year, he was remotely recruited by an FSB case officer to collect intelligence on the bases of the Defence Forces in the region. The enemy was most interested in the coordinates of the combat positions of the marine units of the Ukrainian Armed Forces in the Melitopol direction. In addition, the aggressor wanted to receive from his agent the exact geolocations of railway bridges and energy facilities in the region. To collect information, he went around the area under the guise of a taxi driver and made video recordings with the help of a hidden recorder and a mobile phone. For each completed task, he was “guaranteed” a monetary “reward” in the amount of 2 to 5 thousand UAH. For the purpose of the conspiracy, the suspect offered to transfer money to his son’s bank card. Also, the Russian intelligence service promised the traitor a leading “position” in the occupation administration in the event of the capture of the regional centre. SBU officers detained the intruder while he was carrying out an enemy mission. According to the investigation, he came to the attention of the FSB due to anti-Ukrainian activity in the banned social networks Vkontakte and Odnoklassniki. Further communication with the aggressor took place in messengers. During the search of the detainee’s place of residence, a mobile phone was found, which he used to correspond with the Russian intelligence service.”

57. Turkish Intelligence Eliminates PKK ‘Accountant’ in Syria

On May 17th the Daily Sabah reported that “a member of the PKK terrorist group in charge of “financial affairs,” Tuba Karakoç, was “neutralized” in Syria by the National Intelligence Organization (MIT), security sources told Turkish media outlets Wednesday. The term is used to describe terrorists killed or captured in counterterrorism operations by Turkish security forces. Karakoç, also known by her codenames “Zin Kobani,” “Cudi Egid” and “Sorxwin,” joined the terrorist group in 2013, participating in the terrorist group’s activities in Türkiye, Iraq and Syria. She was last serving as an “accountant” of the group in Ain al-Arab, also known as Kobani. Ain al-Arab has been under the growing control of the PKK’s Syria wing since the civil war erupted in Türkiye’s southern neighbor. Ankara earlier announced its intention to launch counterterrorism operations into the region to clear out PKK/YPG threats to Turkish soil.”

58. United States: Chinese National Charged for Conspiring to Provide Materials for the Production of Ballistic Missiles to Iran in Violation of U.S. Sanctions

The FBI Counterintelligence Division announced on May 16th that “Xiangjiang Qiao, an Employee of a Chinese Company Sanctioned for Its Role in the Proliferation of Weapons of Mass Destruction, Conspired to Provide Isostatic Graphite, a Material Used in the Production of Intercontinental Ballistic Missiles, to Iran. Damian Williams, the United States Attorney for the Southern District of New York, Matthew G. Olsen, the Assistant Attorney General for National Security, Michael J. Driscoll, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), and Matthew S. Axelrod, Assistant Secretary for Export Enforcement of the Commerce Department, announced the unsealing of an Indictment charging XIANGJIANG QIAO, a/k/a “Joe Hansen,” with sanctions evasion, money laundering, and bank fraud offenses based on QIAO’s alleged participation in a scheme to use a sanctioned Chinese company to provide materials used in the production of weapons of mass destruction (“WMDs”) to Iran, in exchange for payments made through the U.S. financial system. QIAO is at large in China.”

59. United States: FBI Misused Surveillance Tool on Jan. 6 Suspects, BLM Arrestees and Others

On May 19th The Washington Post reported that “the FBI has misused a powerful digital surveillance tool more than 278,000 times, including against crime victims, Jan. 6 riot suspects, people arrested at protests after the police killing of George Floyd in 2020 and — in one case — 19,000 donors to a congressional candidate, according to a newly unsealed court document. The FBI says it has already fixed the problems, which it blamed on a misunderstanding between its employees and Justice Department lawyers about how to properly use a vast database named for the legal statute that created it, Section 702 of the Foreign Intelligence Surveillance Act (FISA). But the failures to use the Section 702 database correctly when collecting information about U.S. citizens and others may make it harder for the agency to marshal support in Congress to renew the law, which is due to expire at the end of this year. It may also create additional head winds for the FBI, which has been under attack for years by former president Donald Trump and his political supporters. House lawmakers aligned with Trump held a hearing this week trying to show that the nation’s premier law enforcement agency is biased against conservatives. The Foreign Intelligence Surveillance Court, which oversees Section 702, has pressured the FBI, writing in the April 2022 opinion that was unsealed Friday that if the agency doesn’t perform better, the court will crack down and order its own changes to FBI surveillance practices. The Section 702 database is a vast trove of electronic communications and other information that can be searched by the National Security Agency and the FBI. The FBI is authorized to search the database only when agents have reason to believe that such a search will produce information relevant to foreign intelligence purposes, or evidence of crimes.”

60. Video: Eight Declassified Secrets of the CIA

On May 19th “The Mystery Reporter” published this YouTube video. The 8 examples covered are: 1) Operation PAPERCLIP, 2) Project MK-ULTRA, 3) Operation NORTHWOODS, 4) Congress for Cultural Freedom (CCF), 5) Operation GLADIO, 6) Iran-Contra Affair, 7) Operation MOCKINGBIRD, 8) Stargate Project.

61. Russia: Putin Relieves Senior Russian Diplomat Oleg Syromolotov of His Post Due to Retirement

TASS reported on May 19th that “Russian President Vladimir Putin has relieved Oleg Syromolotov of his post as Russian Deputy Foreign Minister for Counterterrorism, according to the relevant decree published on Friday. “[I hereby decree] that Oleg Vladimirovich Syromolotov be relieved of his post as Russian Deputy Foreign Minister for Counterterrorism,” the text of the presidential decree reads. It takes effect as of the day it was signed. Syromolotov turns 70 on Friday. According to a law signed in 2022 by Putin, this is the upper retirement age for certain categories of civil servants. Syromolotov was born on May 19, 1953 in the then-Latvian Soviet Socialist Republic. In 1976, he graduated from the Riga Institute of Civil Aviation Engineers. In 1979–1998, he held operational and executive positions in state security bodies. In 2000–2004, Syromolotov was deputy director of the Russian Federal Security Service (FSB) and head of the FSB counterintelligence department. From 2004 to 2015, he served as head of the FSB Counterintelligence Service. On March 19, 2015, he was appointed Russian Deputy Foreign Minister for Counterterrorism. He holds the rank of army general.”

62. Decoding China’s Counter-Espionage Crackdown

The Diplomat published this article on May 20th saying that ““we must better balance development and security,” said Xi Jinping at this year’s National People’s Congress, shortly after being reappointed as China’s president. These words reflect Xi’s preference for putting political and national security ahead of economic growth, an approach that appears to be gathering pace at the start of his third term in power. In the weeks following Xi’s speech, Beijing has launched a broad attack on suspected espionage activities. Targets have included an executive of Japanese drugmaker Astellas, who was arrested in March on spying charges, and veteran columnist Dong Yuyu, who was indicted in April for espionage. This month, U.S. citizen and Hong Kong resident John Shing-Wan Leung was sentenced to life in prison for spying. Meanwhile, the China offices of several U.S.-headquartered consulting firms have been raided on national security grounds. They include due diligence provider Mintz Group, which reportedly had five employees detained in March, and “expert network” consultancy Capvision, where employees were alleged to have helped leak state secrets. Concurrent to this crackdown, Beijing has announced revisions to its counter-espionage law. From July, China will prohibit “collaborating with spy organizations and their agents,” and seek to protect any information related to “national security and interests.” Amid today’s fraught geopolitical climate, it is unsurprising that China is rebalancing its security and economic priorities, like the United States and other governments have done. But China’s counter-espionage drive has come just as the country is trying to revive its COVID-battered economy. Upon becoming premier, Li Qiang sought to reassure the world that China remains committed to opening up and creating a “first-class business environment.” Beijing has also said that it still supports the development and growth of the consulting industry. 
But such claims have rung hollow against the backdrop of raids and arrests, prompting some companies to exit the market. What’s more, many of the charges uncovered against Capvision and others appear not to be recent cases but date back several years. So why has Beijing chosen this moment to go public with its counter-espionage concerns? And how does it square with attempts to bolster business confidence in China?”

63. United States: A Counterintelligence Nightmare: Air Force Command Received Multiple Warnings Before Accused Pentagon Leaker’s Arrest

Following week 15 stories #8 and #50, on May 19th The Debrief published this story stating that “court documents filed by Federal prosecutors this week revealed that Air Force superiors had received multiple warnings regarding the mishandling of classified information by Air National Guardsman Jack Teixeira, the 21-year-old accused of leaking top-secret Pentagon documents online, before his arrest in April. The documents shed light on several instances in which senior non-commissioned officers caught Teixeira acting suspiciously and potentially posing a counterintelligence threat. In each instance, Air Force superiors admonished Teixeira for his handling of classified information. However, he was able to continue having access to highly sensitive materials. Prosecutors also shared copies of comments allegedly made by Teixeira to his friends on Discords, bragging about defying orders related to the sharing of classified information. “‘Breaking a ton of UD regs’ (a reference to ‘unauthorized disclosure,” Teixeira reportedly wrote on December 6, 2022. “Idgaf [I don’t give a fuck] what they say I can or can’t share,” Teixeira added. Prosecutors argue Teixeira’s behavior demonstrates a “willful disregard” for the law and justifies his continued custody. Teixeira, an Airman 1st class with the 102nd Intelligence Wing at Otis Air National Guard Base in Massachusetts, joined the service in 2019 as a cyber transport systems journeyman, responsible for global military communications systems.”

64. Video: I Rang a Secret Government Numbers Station

On May 19th Ringway Manchester published this new YouTube video covering the story of MI6’s “Lincolnshire Poacher” numbers station, which was originally based in the UK and later in Cyprus. The video goes through how the station remained operational as a secret phone number for MI6 officers and agents in the Middle East, even after its numbers station broadcasts stopped. The number was +44 1252 230607 and the video covers details about it, including recordings of calls to it.

65. US Forces Korea Reconnaissance Aircraft ‘Guardrail’ Flies Over the Korean Peninsula

VOA Korea reported on May 19th that “it has been confirmed that a USFK reconnaissance aircraft flew over South Korea on the 19th, Korean Peninsula time. According to the Twitter account ‘Rivet Joint’, which tracks the location information of military aircraft, the USFK reconnaissance aircraft RC-12X ‘Guardrail’ was shown flying in an east-west direction over South Korea. Guardrail is a reconnaissance aircraft that intercepts various communications and signals, and plays a role in early detection of signs of North Korea’s missile provocation. Prior to this, the US Air Force’s ‘RC-135S’ Cobra Ball reconnaissance aircraft sortied over South Korea for two consecutive days on the 14th and 15th, and started reconnaissance flights against North Korea.”

66. Ukraine: Spy Chief Reveals Ukraine Has Been Assassinating Russian Pro-war Propagandists Far from the Frontlines

Business Insider reported on May 20th that “a Ukrainian spy chief revealed that Kyiv has been assassinating Russian pro-war propagandists far behind enemy lines — and they’ve had the help of some Russian citizens to complete their sabotage missions. In a series of interviews reported on by The Times, Major-General Kyrylo Budanov — the head of Ukraine’s military intelligence service — said his agents have been targeting, locating, and killing Kremlin-backed propagandists who’ve cheered on Russia’s invasion. “We’ve already successfully targeted quite a few people,” Budanov said, The Times reported. “There have been well-publicized cases everyone knows about, thanks to the media coverage.” Though Budanov didn’t cite specific names of people targeted in the alleged killings, several high-profile explosions have killed Russian citizens within Putin’s borders. The latest incident involved Russian writer and ultranationalist Zachar Prilepin, who broke both his legs in a car bombing earlier this month. According to BBC News, the bomb was placed under the passenger seat and detonated remotely, killing his friend Alexander Shubin. Prilepin had been driving the car. Investigators accused Russian citizen Alexander Permyakov of working with Ukrainian intelligence to assassinate Prilepin, BBC said. Vladlen Tatarsky, a military blogger, was also killed in a St. Petersburg cafe explosion in April. The bomb was reportedly stuffed into a statue allegedly gifted to Tatarsky by a woman at an event honoring him. Video footage posted online showed Tatarsky receiving the statue moments before the cafe blew up. In another interview, Budanov alleged that “a minority of Russians” are cooperating with Ukraine’s reconnaissance, The Times reported. Recent attacks, such as a cargo train derailment similar to recent freight train derailments, have been enacted by “almost 100 percent citizens of the Russian Federation,” he said.”

67. Video: United States: Jerry Dunleavy on the Durham Report

On May 20th C-SPAN published this video recording. As per its description, “Washington Examiner’s Jerry Dunleavy discussed Special Counsel John Durham’s report on the conduct of intelligence agencies during the 2016 presidential election.”

68. New Details Uncovered for Chinese MSS Cyber Actors

Throughout this week the investigative group Intrusion Truth published a series of details about entities and individuals associated with cyber espionage activities of China’s Ministry of State Security (MSS). The articles released are: 1) What’s Cracking at the Kerui Cracking Academy?, 2) The Illustrious Graduates of Wuhan Kerui, 3) All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company, 4) Trouble in Paradise, 5) Introducing Cheng Feng, 6) MiSSing links.

69. United States: Massachusetts Man Indicted for Acting as an Illegal Agent of the People’s Republic of China

The FBI Counterintelligence Division announced on May 15th that “a Massachusetts man was arrested on May 9 for allegedly acting as an agent of the People’s Republic of China (PRC) without providing notification to the U.S. Attorney General. Litang Liang, 63, of Brighton, was indicted on one count of acting as an agent of a foreign government without providing notification to the U.S. Attorney General and one count of conspiracy to act as an agent of a foreign government without providing notification to the U.S. Attorney General. “We will not tolerate the PRC’s efforts to interfere with public discourse and threaten civic participation in the United States,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This case demonstrates, once again, the lengths that the PRC government, including its Ministry of Public Security, will go to target people in the U.S. who exercise their rights to speak out against the PRC.” “The Department of Justice will protect these individual rights and protect our country against those who seek to unlawfully act on behalf of foreign governments while within our borders,” said U.S. Attorney Rachael S. Rollins for the District of Massachusetts. “We allege that Mr. Liang engaged in a series of acts on behalf of the PRC government including providing information on Boston-area residents, organizations and dissidents to PRC government officials — potentially placing people at risk here in Massachusetts and abroad. Attempts to repress constitutionally protected rights here in the United States will never be tolerated. Anyone who infringes upon those rights on American soil will be identified and held to account.” “The United States requires agents of foreign countries to register with our government, and for good reason — in such cases, those agents often act against the interests of the United States,” said Assistant Director Suzanne Turner of the FBI Counterintelligence Division. 
“The FBI is not going to stand by and allow undeclared agents of the People’s Republic of China to operate in our country unchecked. We will continue to steadfastly enforce the law of the land, uncovering these efforts and holding accountable all those who work with foreign governments to violate our laws.” According to the charging documents, from in or around 2018 through at least 2022, Liang acted within the United States as an agent of the PRC government by allegedly providing PRC government officials with information on Boston-area individuals and organizations; organizing a counter-protest against pro-democracy dissidents; providing photographs of and information about dissidents to PRC government officials; and providing the names of potential recruits to the PRC’s Ministry of Public Security. At no point did Liang notify the U.S. Attorney General that he was acting as a PRC government agent.”

70. Russia: A Resident of Birobidzhan was Arrested on Suspicion of Spying for the SBU

On May 18th REN TV reported that “a resident of Birobidzhan was arrested for collecting information in favour of the Security Service of Ukraine. This was reported on May 18 in the press service of the FSB in the Jewish Autonomous Region. According to investigators, representatives of the SBU promised the man a financial reward for obtaining the information they needed. In return, the suspect collected data on the activities of the Russian army in the special operation zone and searched for those who would be ready to commit sabotage on the territory of the Russian Federation at the behest of the SBU. “A criminal case has been initiated against the suspect under Article 275.1 of the Criminal Code of the Russian Federation (cooperation on a confidential basis with a foreign state, international or foreign organisation). At the request of the investigation, a measure of restraint in the form of arrest was chosen for him,” RIA Novosti quotes the FSB department for the Jewish Autonomous Region.”

71. New Indian Cyber Espionage Operation Uncovered

On May 19th the RedDrip Team discovered and disclosed technical indicators of a new cyber espionage operation attributed to an actor dubbed DONOT, previously associated with the government of India. The operation involved a lure RTF document titled “List of Invitees.doc” which, if opened, covertly installed a cyber espionage software implant.

72. United States: Homeland Security Uses AI Tool to Analyse Social Media of U.S. Citizens and Refugees

Vice’s Motherboard published this story on May 17th stating that “Customs and Border Protection (CBP) is using an invasive, AI-powered monitoring tool to screen travelers, including U.S. citizens, refugees, and people seeking asylum, which can in some cases link their social media posts to their Social Security number and location data, according to an internal CBP document obtained by Motherboard. The news provides much more detail on how CBP deploys a tool sold widely across the U.S. government. Called Babel X, the system lets a user input a piece of information about a target — their name, email address, or telephone number — and receive a bevy of data in return, according to the document. Results can include their social media posts, linked IP address, employment history, and unique advertising identifiers associated with their mobile phone. The monitoring can apply to U.S. persons, including citizens and permanent residents, as well as refugees and asylum seekers, according to the document. “This document provides important new information, and it raises a number of questions about what specific purposes CBP is using social media monitoring for and how that monitoring is conducted in practice,” Patrick Toomey, deputy project director of the National Security Project at the American Civil Liberties Union (ACLU), told Motherboard in an email after reviewing the document.”

73. Electrospaces: New Details About the Pentagon Leak

On May 18th Electrospaces published this article. As per its introduction, “last month it became clear that junior airman Jack Teixeira had posted highly classified military intelligence information on a Discord server, which became known as the Discord or Pentagon Leak. Here I will discuss some additional details from the documents filed by the public prosecutor on April 26 and May 17, which provide some more insight into Teixeira’s training, clearance and working environment.”

74. United States: Inland Empire Man Arrested for Allegedly Stealing Sensitive Software From His U.S. Employers to Build a Competing Business in China

On May 16th the FBI Counterintelligence Division announced that “an Inland Empire man has been arrested on a criminal complaint alleging he stole sensitive technologies from his Southern California-based employers and used them to market his own competing company to businesses in the People’s Republic of China (PRC). Liming Li, 64, of Rancho Cucamonga, is charged with theft of trade secrets. Li was arrested at Ontario International Airport on May 6 after arriving on a flight from Taiwan. Since his arrest, Li has been in federal custody, and he has a detention hearing scheduled for May 22. “Li stole thousands of files of sensitive technology that did not belong to him and used it to help foreign companies build competing technology — technology that could be used in the manufacture of nuclear submarines and military aircraft,” said United States Attorney Martin Estrada. “Protecting our nation’s national security is paramount, and my office will aggressively investigate and prosecute those who misappropriate sensitive intellectual property to the benefit of foreign actors.” “The FBI Los Angeles Field Office takes the protection of our national security and critical technology extremely seriously,” said FBI Assistant Director in Charge Donald Alway. “Foreign adversaries, including the Chinese government, actively seek to erode American competitiveness in the global economy, diminish trust in fair market competition, and use stolen knowledge to increase their military modernization capabilities. Stealing proprietary information not only affects U.S. businesses, but, over time destabilizes American economic security. The FBI is dedicated to countering efforts of those seeking to illegally acquire sensitive information.” The case against Li was brought under the auspices of the Disruptive Technology Strike Force, which is co-led by the Departments of Justice and Commerce. 
The Strike Force seeks to counter efforts by hostile nation-states to illicitly acquire sensitive U.S. technology to advance their authoritarian regimes and facilitate human rights abuses. The case against Li is one of five announced this morning at a news conference at the Department of Justice where officials detailed cases against defendants accused of crimes that include export violations, smuggling and theft of trade secrets. According to an affidavit filed with the complaint filed in Los Angeles, from 1996 to November 2019, Li worked in various engineering, management and software development roles for two companies in Southern California. The companies are identified in court documents as “Company #1” and “Company #2.” These software programs are related to high precision measurement studies interpretation and point cloud technology, which often are used in making 3D models. They can be used in various sensitive manufacturing contexts, including manufacturing parts for nuclear submarines and military aircraft, and are subject to United States export controls for national security, nuclear nonproliferation and anti-terrorism reasons. As a result of its military application, federal law mandates that this software cannot be exported to the PRC without a license from the Department of Commerce. Li worked for Company #1 from 1996 to 2018 and then worked at Company #2 from 2018 until November 2019. Shortly before beginning his employment with the Company #2, Li and his wife established their own business, JSL Innovations, which was based out of their Rancho Cucamonga home. After Company #2 terminated Li, company security discovered that Li was using his company-issued laptop to attempt to download files from Company #2’s root directory onto his personal external hard drive, according to the complaint affidavit. 
Company security searched Li’s company-issued laptop and found a folder labeled “ChinaGovernment.” That folder allegedly contained numerous documents showing Li’s efforts to participate in the PRC’s Thousand Talents Program and to use JSL Innovations to provide services and technology to PRC business and government entities related to the export-controlled and trade secret technology that Li took from his former employers in Southern California. In March 2020, Li entered into an agreement with a PRC-based manufacturing company to serve as its chief technology officer. Li’s agreement with this employer required him to spend at least six months per year in the PRC.”

75. New North Korean Cyber Espionage Operation Targeting S. Korea

On May 15th cyber threat researcher Jazi discovered and disclosed technical indicators of a new cyber espionage operation attributed to an actor dubbed KIMSUKY, previously associated with North Korea. The operation involved a lure CHM document titled “북한인권단체 활동의 어려움과 활성화 방안” (Difficulties in activities of North Korean human rights organisations and measures to vitalise them) which, if opened, covertly installed a cyber espionage software implant.

76. Russia: The FSB Showed a Video with a Detained Ukrainian Woman Who Was Traveling from Tbilisi to Crimea to Visit Her Sick Father and Became a Defendant in an Espionage Case

Following week 18 story #65, on May 16th Mediazone reported that “the FSB showed a video of a 25-year-old Ukrainian woman detained in a case of espionage and taken to the Lefortovsky District Court of Moscow for a preventive measure. The video was published by RBC and RIA Novosti. According to RIA Novosti, the detainee collected data on Russian military installations and equipment of the Vostok group (Восток). Probably, we are talking about the Crimean Tatar woman and citizen of Ukraine Lenya Umerova (Ление Умерова) — she looks like the detainee in the video. On May 5, the Lefortovsky District Court of Moscow sent Umerova to a pre-trial detention center on a case of espionage (Article 276 of the Criminal Code). There are no other recent arrest warrants under this article on the court’s website.”

77. Commuting to CIA… in a Canoe

On May 19th the US Central Intelligence Agency (CIA) published this article. As per its introduction, “James Bond drove an Aston Martin. Jack Ryan rode a bicycle. At CIA, our officers discovered a new way to commute to work every day: by canoe. In the early 1960s, a few clever CIA officers decided to bypass the maddening, clogged bridges of pre-beltway D.C. and instead began traveling to the Agency by boat, crossing the Potomac River from Maryland into Virginia. They became known as “the CIA Canoe Pool.” Soon, more officers joined this unique voyage to Langley, and it continued for over 20 years.”

78. Russia: The Lefortovo Court of Moscow Received a Petition to Arrest the Fifth Person Suspected of Treason in a Month

Mediazone reported on May 16th that “the Lefortovsky District Court of Moscow registered a petition from the investigation to arrest Babkin A. E. (Бабкин А. Е.) in the case of treason (Article 275 of the Criminal Code). Mediazona found such information in the database of Moscow courts. The materials about the arrest were received today, the date of consideration has not yet been set. Over the past month, the Lefortovo court arrested four defendants in cases under the article on treason. This is Plyske Yu. V. (Плыске Ю. В.), Rasulov R. N. (Расулов Р. Н.), Boyko E. Yu. (Бойко Е. Ю.) and Dovgan A. S. (Довгань А. С.). The materials on such cases are classified, so it is impossible to find out any details of the prosecution. At the end of April, Vladimir Putin approved amendments that increased the maximum sentence under the article on treason — now, instead of 20 years in prison, the courts will be able to appoint defendants terms up to life imprisonment.”

79. 10 Years After Snowden: Some Things Are Better, Some We’re Still Fighting For

On May 19th the Electronic Frontier Foundation (EFF) published this article. As per its introduction, “on May 20, 2013, a young government contractor with an EFF sticker on his laptop disembarked a plane in Hong Kong carrying with him evidence confirming, among other things, that the United States government had been conducting mass surveillance on a global scale. What came next were weeks of disclosures — and official declassifications — as Edward Snowden worked with some of the world’s top news organizations to reveal critical facts about the National Security Agency vacuuming up people’s online communications, internet activity, and phone records, both inside and outside the U.S. Groups like EFF had been fighting since long before 2013 to reveal and stop the dangerous mass surveillance conducted within the heart of the secretive national security apparatus. But after that summer, Snowden’s revelations acted like a flood light, allowing everyone to better see and understand what happens inside the black box of government surveillance of millions of innocent people in the U.S. and around the world. The tremendous amount of evidence slowed, if not stopped, the disingenuous denials that the government had made both publicly and privately in response to our allegations. The actual documentary evidence also helped us to better pinpoint our demands, our questions, and our legal tools. Now, ten years after those pivotal revelations, what has changed? Some things are undoubtedly better – under the intense scrutiny of public attention, some of the National Security Agency’s most egregiously illegal programs and authorities have shuttered or been forced to end. The Intelligence Community has started affirmatively releasing at least some important information, although EFF and others have still had to fight some long Freedom of Information Act (FOIA) battles.
Outside of government, companies and organizations have worked to close many of the security holes that the NSA abused, most prominently by encrypting the web. But it’s not enough — not even close. There’s still much work to be done to rein in our overzealous national security state, break political gridlock, and end the extreme secrecy that insulates some of the government’s most invasive tactics.”

80. Mobile Communications Association Takes Action Against Swiss IT Experts

Following last week’s story #37, SPIEGEL reported on May 18th that “the international association of mobile communications companies, GSMA, has responded to research by SPIEGEL and its partners on the Swiss IT entrepreneur Andreas Fink. The association advises its members to cut the IT experts’ technical access to the cell phone network. People familiar with the events confirmed this to SPIEGEL. This involves so-called global title addresses, via which network operators and companies handle their technical exchange. If you don’t own or rent a Global Title, you can’t send or receive signals on the network. Now the GSMA has announced internally that it “considers it appropriate for global titles associated with Fink to be terminated.” Large telephone companies such as Deutsche Telekom or Telefonica, as well as many smaller network operators and service providers, are organized within the association. The association cannot intervene in the network itself, but it collects tips and information that associated companies then use as a guide. Earlier this week, the association also organised a meeting in which a Luxembourg IT expert informed about Andreas Fink’s activities.”

81. The Underground History of Russia’s Most Ingenious Hacker Group

On May 20th WIRED published this article. As per its introduction, “ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers is — the adversary they can’t help but grudgingly admire and obsessively study — and most won’t name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China’s APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won’t even point to Russia’s notorious Sandworm hacker group, despite the military unit’s unprecedented blackout cyberattacks against power grids or destructive self-replicating code. Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla. Last week, the US Justice Department and the FBI announced that they had dismantled an operation by Turla — also known by names like Venomous Bear and Waterbug — that had infected computers in more than 50 countries with a piece of malware known as Snake, which the US agencies described as the “premiere espionage tool” of Russia’s FSB intelligence agency. By infiltrating Turla’s network of hacked machines and sending the malware a command to delete itself, the US government dealt a serious setback to Turla’s global spying campaigns. But in its announcement — and in court documents filed to carry out the operation — the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB’s Center 16 group in Ryazan, outside Moscow. It also hinted at Turla’s incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla’s Snake malware had been in use for nearly 20 years. 
In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla — or at least a kind of proto-Turla that would become the group we know today — that carried out the first-ever cyberspying operation by an intelligence agency targeting the US, a multiyear hacking campaign known as Moonlight Maze. Given that history, the group will absolutely be back, says Rid, even after the FBI’s latest disruption of its toolkit. “Turla is really the quintessential APT,” says Rid, using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Its tooling is very sophisticated, it’s stealthy, and it’s persistent. A quarter-century speaks for itself. Really, it’s adversary number one.””


The Spy Collection

Weekly summaries of all published espionage-related news stories. For inquiries please use: info@spycollection.org