    Buro Jansen & Janssen, just content!
    Jansen & Janssen is a research bureau that critically monitors the police, the justice system, the intelligence services and government in the Netherlands and the EU. A civil-rights collective that has been publishing for 40 years, since 1984, on the expansion of repressive legislation, public-private partnerships, security in the broadest sense, powers, government action and other affairs of state.
    Court tries couple in suburban spy thriller

    A spectacular trial has begun at a Stuttgart court involving a German-based couple accused of spying on NATO and the EU for decades on Russia’s behalf. Neighbors say they knew something was fishy.

    It reads like a John le Carré novel: “dead mail boxes,” secret radio signals, encrypted messages hidden in plain sight on the Internet.

    According to accusations, a married couple has been spying in Germany for more than 20 years – first at the behest of the Soviet Union and thereafter for its post-Soviet incarnation, the Russian Foreign Intelligence Service.

    On Tuesday (15.01.2013) the trial against 54-year-old Andreas Anschlag and his 48-year-old wife, Heidrun, opened up in Stuttgart. Federal prosecutors accused them of “secret agent activity” and of “forgery of documents.”

    The former KGB building is today’s Foreign Intelligence headquarters

    As to whether those are the real names of the accused, however, there is reason to doubt. In an interview with DW, the couple’s defense lawyer, Horst-Dieter Pötschke, did not deny that “Anschlag” might not be the true surname of the suspected agent pair. He also responded evasively to questions about the accusations themselves. What the Munich lawyer did say, however, is that the potential ten-year sentence is nothing short of excessive.

    In cases of espionage, Pötschke is on familiar ground. In the 70s and 80s he defended former agents who had fled the Soviet KGB or the East German state security apparatus, the Stasi. One of his most well-known cases involved Günter Guillaume, a speaker for former German Chancellor Willy Brandt who also turned out to be an East German spy. When Guillaume’s true identity was revealed in 1974, Chancellor Brandt resigned.

    A discreet life

    The history of the purported agent couple begins at a time when the Soviet Union still existed and the Cold War was still cold. According to accusations, Andreas Anschlag traveled to West Germany in 1988 with the help of a forged Austrian passport. His wife did the same in 1990. Both were supposed to have been born in South America. The two settled in Aachen, close to the western border with Belgium, where Mr. Anschlag studied mechanical engineering.

    With the birth of a daughter their German disguise was complete. The couple moved to a popular neighborhood of Meckenheim, a small town of 24,000 inhabitants close to the former West German capital of Bonn. There they lived discreetly. Neighbors describe them as friendly, if a bit distant.

    The house in Michelbach in which the accused “Anschlag” couple lived

    “They didn’t have much contact with others,” a neighbor said. “I never saw the husband, even though we lived close to each other.”

    NATO documents for Moscow

    For their informant, the couple managed to recruit a Dutch diplomat, says the German Attorney General. The diplomat, in turn, is supposed to have provided dozens of secret documents from NATO and the EU. Among the topics covered within those documents were issues relating to Russia.

    The files were delivered via “dead mail boxes,” according to official charges, to the Russian Foreign Intelligence Service in Moscow. The couple apparently received further commands through an agent radio network and sent their own messages via satellite and through an internet video platform.

    When they were arrested in October 2011, the German news magazine Der Spiegel reported that the woman was sitting in front of a shortwave receiver, writing down secret messages. At that point the pair was living in a house in Michelbach, a small community in the German state of Hesse.

    “Suddenly we had this spy thriller taking place right outside our window – it was better than the movies,” one of the neighbors told DW.

    The husband was arrested on the same day 200 kilometers (120 miles) away in the town of Balingen. For days thereafter, German criminal officers – with the help of special electronic devices – searched the house and the foundation of the supposed “agent couple.”

    A post-judgment exchange?

    How can it be that the Russian agents could work in Germany for so many years without their cover being blown? A neighbor in Michelbach claims to have recognized the pair’s eastern European accent. The story about the “Austrian” couple’s Latin American origins appeared suspicious, some now say, as did a few of the pair’s habits. “The wife usually went into the backyard to make telephone calls, even in winter,” a woman said.

    The entrance to the Upper Regional Court in Stuttgart, where the trial is taking place

    Date 14.01.2013
    Author Mikhail Bushuev / rg, cd
    Editor Gabriel Borrud

    Find this story at 14 January 2013

    © 2012 Deutsche Welle

    Germany Tries Couple on Spy Charges

    The two accused spies, their faces not shown due to a court order, appearing in a German courtroom Tuesday.

    Germany put a married couple thought to be in their mid-40s on trial this week on suspicion that they spied for Russia for more than two decades under the cover of being an ordinary middle-class family.

    The case of Andreas and Heidrun Anschlag, names believed to be aliases, is likely to add pressure to Berlin’s troubled relations with Moscow for as long as the trial runs, which is until June.

    The court in the southwestern city of Stuttgart is planning to hold 31 hearings over five months, according to a schedule on the court’s website.

    Prosecutors say the pair collected sensitive information from NATO and the European Union for Russia’s Foreign Intelligence Service while posing as Austrian nationals with Latin American heritage.

    Their names and passports are thought to be fake, but the judge said at the initial hearing Tuesday that she would continue to address them as Herr and Frau Anschlag “to make communication easier,” local media outlets reported.

    The couple, who face up to a decade in prison if convicted, denied guilt but declined to make any further statements. The hearing continued Thursday with the questioning of a federal police investigator, court spokesman Stefan Schüler said by e-mail.

    The case has been linked to the “deep cover” sleeper agents uncovered in the U.S. in 2010. According to a report by German weekly Der Spiegel, the Anschlags’ October 2011 arrest was made possible when the FBI passed on information from Alexander Poteyev, a Foreign Intelligence Service colonel who reportedly acted as a U.S. mole.

    Poteyev, who ostensibly betrayed the spy ring even as he ran it, fled Moscow just days before the FBI rolled up the operation on June 27, 2010. In 2011, a Moscow military court sentenced him in absentia to 25 years in prison on charges of treason and desertion.

    Analysts have speculated about why the Anschlags’ case went to court while the U.S. spy ring was whisked off to Russia within weeks in a Cold War-style spy swap.

    German media reported last year that Berlin had decided to press charges after the Kremlin failed to react to a German offer for a spy swap.

    18 January 2013 | Issue 5049
    By Nikolaus von Twickel

    Find this story at 18 January 2013

    © Copyright 1992-2013. The Moscow Times

    Intelligence chiefs and special forces plot Sahara mission

    Action against al-Qa’ida in North Africa could last decades, PM warns

    The West faces a decades-long battle to defeat al-Qa’ida in North Africa, David Cameron warned today, as he signalled a dramatic shift in the UK’s fight against terrorism.

    The heads of MI5, MI6, GCHQ and the Chief of the Defence Staff will gather on Tuesday to begin planning Britain’s response to the burgeoning terror threat from Saharan Africa.

    Britain will offer money, military co-operation and security training to African states to head off the advance of Islamist radicalism.

    Special forces are understood to be preparing to hunt down the jihadist leader behind the siege and hostage killings in Algeria, Mokhtar Belmokhtar.

    Britain will use its chairmanship of the G8 to focus militarily and diplomatically on the Sahara region, following the hostage crisis which claimed the lives of up to six Britons. One Middle East expert likened the long-term impact of the atrocity in Algeria to the 9/11 attacks.

    Following the end of the four-day stand-off at the BP gas plant at In Amenas, Algerian forces discovered 25 more bodies and took five militants alive. The death toll had previously been put at 23 hostages and 32 captors.

    Three Britons have been confirmed among the dead and another three are feared to have been killed during the siege, which ended with a shoot-out on Saturday. Tonight 46-year-old Paul Thomas Morgan was the first British victim to be named by the Foreign and Commonwealth Office.

    Kenneth Whiteside, an engineer from Glenrothes in Fife, and Garry Barlow, a BP systems supervisor from Merseyside, are also understood to be among the dead. Another UK resident was also believed to have been killed.

    Twenty-two other British nationals have arrived home, many with chilling stories of how they evaded capture by jihadists belonging to an al-Qa’ida splinter group styling themselves Those Who Sign In Blood.

    Alan Wright, from Aberdeenshire, told of how he hid in an office for 24 hours before joining Algerian workers who cut their way through a perimeter fence and fled.

    Mr Cameron will update MPs on the attack today and hold a meeting of Whitehall’s emergency Cobra committee to consider the implications of the attack.

    French forces – with support from Britain – are attempting to oust insurgents from northern Mali, amid fears that neighbouring countries including Niger and Mauritania could fall under their influence.

    As the French Defence Minister, Jean-Yves Le Drian, described the hostage-taking as an “act of war”, Belmokhtar was reported to be “ready to negotiate” in return for an end to the action in Mali.

    Last night Mauritanian news website Sahara Media said Belmokhtar had claimed responsibility in the name of al Qa’ida for the hostage-taking in a video. He had said: “We in al Qa’ida announce this blessed operation. We are ready to negotiate with the West and the Algerian government provided they stop their bombing of Mali’s Muslims. We had around 40 jihadists, most of them from Muslim countries and some even from the West.”

    A BP spokesman would not comment on reports in Algeria that Belmokhtar’s men had infiltrated the gas plant as drivers, cooks and guards working on short-term contracts.

    Mr Cameron spelt out the scale of the challenge posed by al-Qa’ida-affiliated groups operating in the region. “It will require a response that is about years, even decades, rather than months,” he said. “And it requires a response that is painstaking, that is tough but also intelligent, but above all has an absolutely iron resolve. And that is what we will deliver over these coming years.

    “What we face is an extremist, Islamist, al-Qa’ida-linked terrorist group. Just as we had to deal with that in Pakistan and in Afghanistan, so the world needs to come together to deal with this threat in North Africa… We need to work with others to defeat the terrorists and to close down the ungoverned spaces where they thrive with all the means that we have.”

    The Government has not ruled out giving extra help to the French-led operation in Mali.

    However, Whitehall sources said the terrorist threat in the region would ultimately be best tackled by diplomatic means. Britain is to beef up its presence in nations where the UK historically had a limited presence and to liaise more closely with Paris over the challenges faced by the traditionally Francophone area.

    Abdelasiem el-Difraoui, an al-Qa’ida expert with the Berlin Institute for Media and Communications Studies, told a French newspaper that for France the hostage-taking would be “a huge bang as strong as September 11”.

    The French Government distanced itself from suggestions among other nations caught up in the hostage crisis that Algeria’s response was “heavy-handed”.

    President François Hollande said: “When so many hostages have been taken and when the terrorists are ready to murder them in cold blood, I think the Algerian approach was the best one.”

    Britons in the desert

    Garry Barlow: Semtex was strapped to his chest

    Garry Barlow, 49, was a systems supervisor for BP Exploration Algeria, Statoil and Sonatrach JV. He lived in the Mossley Hill area of Liverpool with his wife Lorraine, and sons Scott, 17, and Paul, 15.

    He had been working in In Amenas since October 2011, and had worked previously for Addax Petroleum and Shell EP on the west coast of Central Africa.

    He was captured with some of his colleagues including 29-year-old project services contracts administrator Mark Grant, who is believed to have survived the ordeal.

    Initial reports suggested Mr Barlow was safe and well and was being repatriated by the Foreign Office, but he is now thought to have died as Algerian troops tried to regain control of the compound.

    The last his wife heard from him was a message in which he said: “I’m sitting here at my desk with Semtex strapped to my chest. The local army have already tried and failed to storm the plant and they’ve said that if that happens again they are going to kill us all.”

    Paul Morgan: Former soldier died fighting

    The first British victim of the Algerian hostage crisis was described last night as a “true gentleman” who “loved life and lived it to the full”.

    Paul Morgan, 46, from Liverpool, a former soldier with the French Foreign Legion, reportedly “went down fighting” when the bus he was travelling in was attacked by the kidnappers last Wednesday.

    His mother Marianne and partner Emma Steele, 36, paid tribute to him: “Paul died doing the job he loved. We are so proud of him and so proud of what he achieved in his life. He will be truly missed.”

    Kenneth Whiteside: Shot as army stormed compound

    Kenneth Whiteside had been living in Johannesburg with his wife and two daughters but was originally from Glenrothes in Fife.

    An Algerian colleague at the plant is said to have witnessed the BP project services manager “being shot” by his captors as commandos stormed the compound.

    The 59-year-old was educated at Auchmuty High School and studied engineering at Glenrothes Technical College between 1970 and 1974.

    Friends posted tribute messages on his Facebook account on Saturday. Steward Goodwin in South Africa wrote: “How will we understand this? My heartfelt condolences go to the family and friends who are trying to come to terms with this senseless murder.”

    Billy Hunter wrote: “We’ll always remember him and his bagpipes.” “It’s hard to understand such senseless waste of life,” added Joe McMahon.

    Nigel Morris, John Lichfield
    Monday, 21 January 2013

    Find this story at 21 January 2013

    © independent.co.uk

    U.S. Weighs Base for Spy Drones in North Africa

    WASHINGTON — The United States military is preparing to establish a drone base in northwest Africa so that it can increase surveillance missions on the local affiliate of Al Qaeda and other Islamist extremist groups that American and other Western officials say pose a growing menace to the region.

    For now, officials say they envision flying only unarmed surveillance drones from the base, though they have not ruled out conducting missile strikes at some point if the threat worsens.

    The move is an indication of the priority Africa has become in American antiterrorism efforts. The United States military has a limited presence in Africa, with only one permanent base, in the country of Djibouti, more than 3,000 miles from Mali, where French and Malian troops are now battling Qaeda-backed fighters who control the northern part of Mali.

    A new drone base in northwest Africa would join a constellation of small airstrips in recent years on the continent, including in Ethiopia, for surveillance missions flown by drones or turboprop planes designed to look like civilian aircraft.

    If the base is approved, the most likely location for it would be in Niger, a largely desert nation on the eastern border of Mali. The American military’s Africa Command, or Africom, is also discussing options for the base with other countries in the region, including Burkina Faso, officials said.

    The immediate impetus for a drone base in the region is to provide surveillance assistance to the French-led operation in Mali. “This is directly related to the Mali mission, but it could also give Africom a more enduring presence for I.S.R.,” one American military official said Sunday, referring to intelligence, surveillance and reconnaissance.

    A handful of unarmed Predator drones would carry out surveillance missions in the region and fill a desperate need for more detailed information on a range of regional threats, including militants in Mali and the unabated flow of fighters and weapons from Libya. American military commanders and intelligence analysts complain that such information has been sorely lacking.

    The Africa Command’s plan still needs approval from the Pentagon and eventually from the White House, as well as from officials in Niger. American military officials said that they were still working out some details, and that no final decision had been made. But in Niger on Monday, the two countries reached a status-of-forces agreement that clears the way for greater American military involvement in the country and provides legal protection to American troops there, including any who might deploy to a new drone base.

    The plan could face resistance from some in the White House who are wary of committing any additional American forces to a fight against a poorly understood web of extremist groups in North Africa.

    If approved, the base could ultimately have as many as 300 United States military and contractor personnel, but it would probably begin with far fewer people than that, military officials said.

    Some Africa specialists expressed concern that setting up a drone base in Niger or in a neighboring country, even if only to fly surveillance missions, could alienate local people who may associate the distinctive aircraft with deadly attacks in Pakistan, Somalia and Yemen.

    Officials from Niger did not respond to e-mails over the weekend about the plan, but its president, Mahamadou Issoufou, has expressed a willingness to establish what he called in a recent interview “a long-term strategic relationship with the U.S.”

    “What’s happening in northern Mali is a big concern for us because what’s happening in northern Mali can also happen to us,” Mr. Issoufou said in an interview at the presidential palace in Niamey, Niger’s capital, on Jan. 10, the day before French troops swept into Mali to blunt the militant advance.

    Gen. Carter F. Ham, the head of the Africa Command, who visited Niger this month to discuss expanding the country’s security cooperation with the United States, declined to comment on the proposed drone base, saying in an e-mail that the subject was “too operational for me to confirm or deny.”

    Discussions about the drone base come at a time when the French operation in Mali and a militant attack on a remote gas field in the Algerian desert that left at least 37 foreign hostages, including 3 Americans, dead have thrown a spotlight on Al Qaeda’s franchise in the region, Al Qaeda in the Islamic Maghreb, and forced Western governments and their allies in the region to accelerate efforts to combat it.

    Senator Dianne Feinstein, a California Democrat who is chairwoman of the Intelligence Committee, said on CBS’s “Face the Nation” on Sunday that in the wake of Osama bin Laden’s death and the turmoil of the Arab Spring, there was “an effort to establish a beachhead for terrorism, a joining together of terrorist organizations.”

    According to current and former American government officials, as well as classified government cables made public by the group WikiLeaks, the surveillance missions flown by American turboprop planes in northern Mali have had only a limited effect.

    Flown mainly from Ouagadougou, the capital of Burkina Faso, the missions have faced stiff challenges as militant leaders have taken greater precautions in using electronic communications and have taken more care not to disclose delicate information that could be monitored, like their precise locations.

    General Ham said in an interview on his visit to Niger that it had been difficult for American intelligence agencies to collect consistent, reliable intelligence about what was going on in northern Mali, as well as in other largely ungoverned parts of the sub-Saharan region.

    “It’s tough to penetrate,” he said. “It’s tough to get access for platforms that can collect. It’s an extraordinarily tough environment for human intelligence, not just ours but the neighboring countries as well.”

    January 28, 2013
    By ERIC SCHMITT

    Find this story at 28 January 2013

    © 2013 The New York Times Company

    UN official calls on British government to investigate undercover police scandal

    Maina Kiai says he is ‘deeply concerned’ about use of officers such as Mark Kennedy to infiltrate non-violent groups

    Mark Kennedy, an undercover police officer who infiltrated a group of environmental protesters. Photograph: Philipp Ebeling

    A senior United Nations official has called on the British government to launch a judge-led public inquiry into the “shocking” case of Mark Kennedy and other undercover police officers who have been infiltrating protest groups.

    Maina Kiai, a UN special rapporteur, said the scandal involving undercover police cultivating intimate sexual relationships with political activists over long periods of time had been as damaging as the phone-hacking controversy that prompted the Leveson inquiry.

    He said he was “deeply concerned” about the UK’s use of undercover police officers in non-violent groups exercising their democratic rights to protest.

    “The case of Mark Kennedy and other undercover officers is shocking as the groups in question were not engaged in criminal activities,” Kiai told a central London news conference. “The duration of this infiltration, and the resultant trauma and suspicion it has caused, are unacceptable in a democracy.

    “It is a clear violation of basic rights protected under the Human Rights Act, and more generally under international law, such as the right to privacy.”

    He added: “This is not a James-Bond-type movie issue. I think it is unacceptable that the state can pay somebody who will use women, and be part of their lives and then just devastate them and leave them. That’s unbelievable.”

    Kiai is the latest senior figure to call for a full investigation into the controversy since the Guardian began revealing details of the spy operation two years ago. The undercover policing controversy will be raised in parliament next month during a special hearing hosted by the home affairs select committee.

    Undercover police have been living double lives for several years among protest groups, sometimes even residing with female activists and spending weeks abroad with them on holiday. At the end of their deployment, the police spies vanish without a trace.

    The surveillance operation, which has continued to plant long-term spies in protest groups despite recent controversies, comes under the remit of an initiative to combat what police call domestic extremism. Many of the targets of the operation have turned out to be law-abiding anti-capitalist campaigners or protesters against global warming.

    In at least three cases, relationships between police and the women they were spying on have resulted in the birth of children.

    The UN rapporteur’s preliminary report follows a 10-day fact-finding mission to London, Belfast and Edinburgh. Kiai met campaigners, senior police, civil servants and the home secretary, Theresa May. He said she told him a full inquiry into undercover policing was “not something on the agenda”.

    However, Kiai, who has responsibility in the UN for the rights to freedom of peaceful assembly, said he believed the case of Kennedy and others had left a “trail of victims and survivors in its wake” who deserved answers.

    Eleven women and one man are bringing a high court legal action for the emotional trauma suffered as a result of “deeply personal” relationships they formed with men who turned out to be police officers.

    A judge ruled last week that some of their claims should be heard by the Investigatory Powers Tribunal, an obscure body that usually deals with complaints against MI5 and MI6.

    Mr Justice Tugendhat cited the fictional case of James Bond to argue that when parliament introduced legislation allowing covert police to have personal relationships with targets, they must have assumed they may have sexual encounters.

    Rejecting the idea that it could be a “James Bond movie issue”, Kiai said: “I therefore call on the authorities to undertake a judge-led public inquiry into the Mark Kennedy matter, and other related cases, with a view to giving voice to victims, especially women, who were deliberately deceived by their own government, and paving the way for reparations.”

    The government has so far resisted calls for a judge-led inquiry, instead choosing to back a host of other separate reviews into the conduct of Kennedy and related issues.

    Paul Lewis and Rob Evans
    The Guardian, Wednesday 23 January 2013 16.49 GMT

    Find this story at 23 January 2013

    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    Women who had relationships with police spies win partial legal victory

    Judge rules half of the women’s cases can be heard in open court but half must be first heard by secret tribunal

    The judge said that claims against two police officers – Mark Kennedy (pictured above) and a second spy who posed as Mark Jacobs – should first be heard by the Investigatory Powers Tribunal. Photograph: Philipp Ebeling

    Ten women who say they were deceived into having sexual relationships with undercover police officers have won only a partial victory in their fight to have their case heard in the high court.

    Mr Justice Tugendhat said the lawsuit alleged “the gravest interference” with the fundamental rights of women who had long-term relationships with police officers sent to spy on their political groups. The judge rejected an attempt by the Metropolitan police to have the whole case struck out of the court.

    However, in a mixed ruling, the judge said that half the cases in the legal action should first be heard by a secretive tribunal that usually deals with complaints against MI5.

    The case relates to a joint lawsuit brought by 10 women and one man who claim they suffered emotional trauma after forming “deeply personal” relationships with the police spies.

    In his ruling, Tugendhat acknowledged that the allegations made by the women were “very serious”. He added that the case appeared to be unprecedented. “No action against the police alleging sexual abuse of the kind in question in these actions has been brought before the courts in the past, so far as I have been made aware.”

    The judge drew a comparison with James Bond, the fictional member of the intelligence service who “used relationships with women to obtain information, or access to persons or property”.

    Although Ian Fleming, the writer of the Bond series, did not dwell on “psychological harm he might have done to the women concerned”, the judge said fictional accounts such as these point to how “intelligence and police services have for many years deployed both men and women officers to form personal relationships of an intimate sexual nature”.

    Lawyers for the Met had attempted to have all 11 cases struck out of the court, arguing they constituted an abuse of process and should instead be heard by the Investigatory Powers Tribunal (IPT), a little-known complaints body.

    However, they achieved only a partial victory.

    In his ruling, the judge said that claims against two police officers – Mark Kennedy and a second spy who posed as Mark Jacobs – should first be heard by the IPT. Both of these officers were deployed after 2000, and some of the claims allege their activities constituted a breach of the Human Rights Act, which came into force in October that year.

    However, the judge said that other claims for damages under common law, including torts of misfeasance in public office, deceit, assault and negligence, should be heard by the high court.

    He temporarily stayed high court proceedings pending the conclusion of cases at the IPT. The special tribunal was introduced in 2000 to examine complaints from the public about unjustified state surveillance within what it calls “a necessary ring of secrecy”. Complainants do not see the evidence put forward by the state and have no automatic right to an oral hearing. Neither can they appeal its decision.

    Lawyers for some of the women described the decision to send half of the cases to the tribunal as an “outrage”.

    Harriet Wistrich, of Birnberg Peirce, said: “We brought this case because we want to see an end to sexual and psychological abuse of campaigners for social justice and others by undercover police officers. We are outraged that the high court has allowed the police to use the IPT to preserve the secrecy of their abusive and manipulative operations in order to prevent public scrutiny and challenge.”

    Rob Evans and Paul Lewis
    guardian.co.uk, Thursday 17 January 2013 14.01 GMT

    Find this story at 17 January 2013

    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    Did US spies hack French government computers using Facebook?

    A sophisticated computer virus discovered at the center of the French government’s secure computer network was planted there by the United States, according to unnamed sources inside France’s intelligence community. Paris-based magazine L’Express, France’s version of Time magazine, says in its current issue that the alleged American cyberattack took place shortly before last April’s Presidential elections in France. It resulted in the infection of the entire computer system in the Palais de l’Élysée, which is the official residence of the President of France. The French magazine cites unnamed sources inside the French Network and Information Security Agency (ANSSI), which is responsible for cybersecurity throughout France. The sources claim that the snooping virus allowed its handlers to gain access to the computers of most senior French Presidential aides and advisers during the final weeks of the administration of French President Nicolas Sarkozy, including his Chief of Staff, Xavier Musca.

    The article claims that the virus used a source code nearly identical to that of Flame, a super-sophisticated version of Stuxnet, the virus unleashed a few years ago against the computer infrastructure of the Iranian nuclear energy program. Many cybersecurity analysts believe that the US and Israel were instrumental in designing both Stuxnet and Flame.

    IntelNews understands that the alleged virus was initially directed at employees of the Palais de l’Élysée through Facebook. The targets were allegedly befriended by fake Facebook profile accounts handled by the team that operated the virus. The targets were then sent phishing emails that contained links to phony copies of the login page for the Palais de l’Élysée intranet website. Through that bogus website the hackers acquired username and password data of several Palais de l’Élysée staffers, which they subsequently used to gain access to the Presidential Palace’s computer system.

    Assuming that the virus planted on the Palais de l’Élysée intranet was similar to Flame in method and scope, it can be inferred that its handlers were able to spy on conversations taking place at the Palais using the infected computers’ audiovisual peripherals, as well as log keystrokes and acquire screen shots at regular intervals. The collected data was then routed through a host of different servers on five continents before reaching the hackers.

    November 22, 2012 by Joseph Fitsanakis

    By JOSEPH FITSANAKIS | intelNews.org |

    Find this story at 22 November 2012

    Cyberwar: how the Americans hacked the Élysée

    EXCLUSIVE. In May, Nicolas Sarkozy’s team was the victim of a highly sophisticated computer espionage operation. L’Express’s sources agree: the blow came from… the American friend. Revelations about an attack that is part of a planet-wide battle.

    CYBERWAR – The intruders who broke into the Élysée’s computer networks last May stole secret notes and strategic plans from the computers of close advisers to Nicolas Sarkozy.

    It is one of the most audacious heists ever carried out against the French state. Last May, a few days before the second round of the presidential election, hackers managed to break into the Élysée’s computer networks. Revealed by the regional daily Le Télégramme, the intrusion was then carefully hushed up by the Château. An omerta that, until now, had not been broken. No information had leaked out about the nature of the attackers, or even about the damage suffered. Yet the affair is serious, all the more so because it would constitute an unprecedented cyberattack between allied countries.

    L’Express can reveal that the intruders not only managed to penetrate the very heart of French political power, but that they were able to search the computers of Nicolas Sarkozy’s close advisers. Secret notes were recovered from hard drives, as well as strategic plans. Real professional work, worthy of the latest James Bond film, Skyfall. And, as so often in this type of attack, human negligence was at the root of the disaster.
    The computer of the Élysée’s secretary general looted

    It all started on Facebook. The attackers first identified, on the social network, the profiles of people working at the presidential palace. Posing as friends, they then invited them, by e-mail, to log in to the Château’s intranet. Except that the link led to a fake web page – a replica of the Élysée’s. The victims saw nothing amiss; and when a message appeared on screen asking for their username and password, they supplied them in good faith. A technique well known to hackers, which gave them the digital keys to stroll undisturbed into the holy of holies.

    Once inside, the hackers installed spyware that spread from one computer to the next. Highly elaborate, this “worm” infected only a few machines. And not just any machines: those of the government’s most influential advisers… and of the secretary general, Xavier Musca. Nicolas Sarkozy himself escaped it, and for good reason: he did not have a PC. Unfortunately for the attackers, the malicious code left fingerprints. “Like puppets worked by invisible strings, the infected machines communicate with their master to take their orders,” explains an expert, Olivier Caleff, head of security at Cert-Devoteam, a computer security company. “When you try to follow those strings back across the Internet, you often end up at servers located abroad.”

    That is the painstaking work the French investigators carried out. The attack’s degree of sophistication was such that the suspects were, from the outset, limited to a handful of countries. As proof, the state’s cyber fire brigade, the Agence nationale de la sécurité des systèmes d’information (Anssi), took several days to restore the Élysée’s network. Finding the origin of the offensive is difficult. Attackers often cover their tracks by routing through third countries. So many hops, across servers on five continents, make this Ariadne’s thread very hard to follow, even for the state’s “cyber-detectives” mobilised for the occasion. But, according to information gathered by L’Express from several sources, their conclusions, based on a body of circumstantial evidence, converge on France’s oldest ally: the United States.
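    As an added example, not code from the article, from Anssi or from any party named in it: a Python detection sketch for the two observable stages of the chain just described, a credential POST to a look-alike copy of the intranet login page, and infected machines beaconing at near-constant intervals to one external server. The intranet hostname and the proxy log lines are constructed assumptions, since the article names neither.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Hypothetical legitimate intranet host; the article gives no hostname.
LEGIT_INTRANET_HOST = "intranet.elysee.example"
INTERNAL_SUFFIX = ".elysee.example"

# Constructed proxy log lines (not from the article): time client method url status
SAMPLE_LOG = """\
2012-05-02T09:14:02 10.0.1.23 GET http://intranet.elysee.example/login 200
2012-05-02T09:16:45 10.0.1.23 POST http://intranet.e1ysee-login.example/login 302
2012-05-02T09:16:46 10.0.1.23 GET http://intranet.elysee.example/ 200
2012-05-03T10:00:00 10.0.1.23 GET http://cdn-update.example.net/ping 200
2012-05-03T10:05:00 10.0.1.23 GET http://cdn-update.example.net/ping 200
2012-05-03T10:07:13 10.0.1.23 GET http://news.example.org/article 200
2012-05-03T10:10:01 10.0.1.23 GET http://cdn-update.example.net/ping 200
2012-05-03T10:15:00 10.0.1.23 GET http://cdn-update.example.net/ping 200
2012-05-03T10:20:00 10.0.1.23 GET http://cdn-update.example.net/ping 200
2012-05-03T11:02:00 10.0.1.40 POST http://mail.example.org/send 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3})$"
)

# Digit-for-letter substitutions commonly used in look-alike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def parse_log(text: str) -> List[dict]:
    """Parse the constructed proxy lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["host"] = row["host"].lower()
        rows.append(row)
    return rows


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_intranet(host: str, legit: str = LEGIT_INTRANET_HOST) -> bool:
    """True if host imitates the intranet's brand label but is not the real host."""
    if host == legit or host.endswith(INTERNAL_SUFFIX):
        return False
    brand = legit.split(".")[1]          # "elysee": the label a replica page copies
    norm = host.translate(HOMOGLYPHS)    # undo digit-for-letter substitutions
    return any(levenshtein(label, brand) <= 1
               for label in re.split(r"[.-]", norm) if label)


def detect_credential_phish(rows: List[dict]) -> List[Tuple[str, str]]:
    """Stage 1: a form POST from an internal client to a look-alike login host."""
    return [(r["client"], r["host"]) for r in rows
            if r["method"] == "POST" and looks_like_intranet(r["host"])]


def detect_beacons(rows: List[dict], min_hits: int = 4,
                   tolerance: float = 0.05) -> List[Tuple[str, str, float]]:
    """Stage 2: one client contacting one external host at near-constant
    intervals, the 'puppet on invisible strings' pattern the expert describes.
    Returns (client, host, median period in seconds) for each such series."""
    series: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in rows:
        if not r["host"].endswith(INTERNAL_SUFFIX):
            series[(r["client"], r["host"])].append(r["ts"])
    beacons = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()                    # log order is not guaranteed
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period > 0 and all(abs(g - period) <= tolerance * period for g in gaps):
            beacons.append((client, host, period))
    return beacons


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("credential phish:", detect_credential_phish(rows))
    print("beacons:", detect_beacons(rows))
```

On real proxy data the beacon rule needs a jitter allowance and an allow-list for legitimate pollers (update checks, monitoring), which is what the tolerance and the internal-suffix exclusion stand in for here.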
    The virus bears its author’s signature

    The malicious code used displays, in fact, the same functionality as an extremely powerful computer worm, dubbed Flame, identified at the end of May by a large Russian antivirus company, Kaspersky. “Highly refined, it can collect the files on a machine, take screenshots and even switch on a PC’s microphone to record conversations,” explains Vitaly Kamluk, a specialist on the subject at that vendor. “Its design required a great deal of money and human resources that only a large country is able to mobilise.” Or even two: according to the English-language press, the worm was reportedly created by an American-Israeli team, since it was initially meant to target countries in the Middle East (Iran, Egypt). Another piece of incriminating evidence: like a painter recognisable by his brushstroke, a virus bears the marks of its author’s know-how. Janet Napolitano, the Obama administration’s Secretary of Homeland Security, neither confirmed nor denied our information.

    Contacted on the subject, neither Anssi nor the Élysée wished to comment. One question remains. Why would an ally of France launch such an operation? “You can be on very good terms with a ‘friendly country’ and want, at the same time, to make sure of its unfailing support, especially in a period of political transition,” notes someone close to the case, on condition of anonymity. Not to mention that the Élysée plays a key role in the signing of major contracts with foreign countries, particularly in the Middle East. “That was even truer in Nicolas Sarkozy’s day,” recalls Nicolas Arpagian, scientific director of the digital security programme at the Institut national des hautes études de la sécurité et de la justice.

    A snapshot of cyberattacks in progress…

    HoneyMap produced by the Honeynet Project

    If one must be spied on, it is no doubt better to be spied on by an ally… “We have major partners with whom we collaborate and maintain relationships of trust, and others with whom we do not share the same values,” notes Rear Admiral Arnaud Coustillière, head of the military side of French cyberdefence. Even so, the Obama administration’s attitude raises many questions.
    Towards attacks “worse than 9/11”?

    In a draft of the defence white paper currently being written, the authors raised Washington’s ambiguities. “Faced with the difficulty of using legal channels, [the United States] increasingly resorts to clandestine action, which can raise a question of democratic control.”

    Ironically, on 14 November the US Congress published a damning report on the “most threatening actor in cyberspace”, namely… China. Leon Panetta, the Secretary of Defense, even declared recently that, through their digital power, “certain countries” would already be capable of causing a “cyber-Pearl Harbor”: “It would be worse than 9/11! Attackers could derail a passenger train or a convoy of dangerous chemicals. Or contaminate the water systems of major cities or shut down a large part of the power grid.” All while hiding behind computer screens thousands of kilometres away…
    In the virtual world, anything goes

    Leon Panetta knows what he is talking about. Uncle Sam has already used these means. That was in 2010, during Operation “Olympic Games”, launched jointly with Israel against Iran. Their Stuxnet software is said to have damaged a large number of the centrifuges Tehran uses to enrich uranium. Spectacular as it was, that operation should not make us forget that other nations work in the shadows. In the greatest secrecy, many countries, democratic or not, are sharpening their digital weapons. Secret forces are being formed; mercenaries sell their services to the highest bidders. Without faith or law. The Web is not a battlefield like any other. Forget codes of honour, international conventions or alliances. Anything goes. And it is better to have the means to fight. In cyberspace, no one will hear you scream.

    To be convinced of it, one need only visit NATO headquarters in Brussels. Every night, at around 1 a.m., it is the same ritual, explains one of the organisation’s European security officials. “On a map, on the screen, you see dozens of lights come on in China,” he explains. “Those are the hackers who, in the morning, launch attacks when they arrive at work. And, in the evening, they go out when they go home.” The same observation comes from someone close to the NSA, the US intelligence agency: “Sometimes we record a marked drop in intrusion attempts on our sites,” he says. “Invariably, it corresponds to public holidays in China.” But the image of a “super-agency” where armies of hackers work in batteries to steal the West’s secrets does not reflect reality. According to the same agent, “their offensive capability is much less centralised than one might imagine. Many regions have set up their own apparatus, which depends on the local political bureau. And it is not unusual for these factions to fight among themselves.”
    Cost of an attack: a few hundred thousand euros

    A hacker, who wishes to remain anonymous, also thinks the “yellow cyber-peril” is somewhat overestimated. “I have had the chance to watch the Chinese at work; they are not the sharpest,” he says. “Their techniques are fairly rudimentary compared with those of the Americans or the Israelis…”

    REUTERS/Minoru Iwasaki/Pool

    “Questions of food security, energy and cybersecurity are becoming more acute”
    Hu Jintao, general secretary of the Chinese Communist Party, November 2012.

    Each country has its own particularities. In Russia, the attack apparatus is opaque. Many Western intelligence specialists suspect the existence of a triangular relationship between the state, the mafia and certain IT consulting firms said to be the Kremlin’s armed wing. “Have you ever seen a hacker in Russia get into trouble with the police?” asks Garry Kasparov, former world chess champion and today one of President Putin’s opponents. “No, because everyone knows who is pulling the levers, in the shadows…”

    Contrary to what one might think, the Europeans are not lagging behind. France, surprisingly, has a digital strike force. But on the world chessboard one also finds states that are technically less advanced, such as Iran and North Korea. There is, in fact, no need to invest in costly infrastructure. A computer, an Internet connection and a few hundred thousand euros are enough to mount an attack. Because on the Web, as in real war, all sorts of weapons are on the market. You just have to knock on the right doors. Instead of a Kalashnikov, you will walk away with malicious software (malware, in the jargon) that will let you take control of an enemy system. The first motivation: “Doing business!”

    “It is a matter of domination. Control the information and you control everything,” sums up Jonathan Brossard. This renowned French hacker now works with international groups.

    His job consists of breaking into computer systems to expose their flaws – and to find countermeasures. For him, the risks of a cyber conflict are real, but they mask another, far more powerful motivation: “Doing business! Being able to fry a power grid is fine, but the real stake is above all winning market share.” Knowing a competitor’s bid in detail, during a major call for tenders, gives a decisive advantage. Some companies have perished for neglecting it. Hackers – Chinese, it seems – plundered the secrets of the Canadian telecoms giant Nortel for nearly ten years, to the point of driving it into bankruptcy. Such examples abound.

    And France is, unfortunately, not spared. The large CAC 40 companies are even said to be among the most vulnerable in Europe. On this new invisible battlefield, one does not count the dead but the points of GDP lost. And, behind them, no doubt jobs by the thousands.
    Virus battles

    STUXNET
    Discovered: June 2010.
    Target: this software destroyed thousands of nuclear centrifuges in Iran.
    Suspected origin: Operation “Olympic Games”, conducted by the United States and Israel.

    DUQU
    Discovered: September 2011.
    Target: linked to Stuxnet, this computer worm was used to spy on the Iranian nuclear programme.
    Suspected origin: United States and Israel.

    MAHDI
    Discovered: February 2012.
    Target: able to record keystrokes and the photos and texts on a computer, Mahdi was found in Iran, Afghanistan and Israel.
    Suspected origin: unknown.

    WIPER
    Discovered: April 2012.
    Target: this virus wipes the data from the hard drives of infected computers. It hit Iranian oil companies.
    Suspected origin: unknown.

    FLAME
    Discovered: May 2012.
    Target: this highly sophisticated software is said to have spied on several countries since 2007, including Iran, Syria, Sudan and Saudi Arabia.
    Suspected origin: an operation by the United States and Israel.

    GAUSS
    Discovered: June 2012.
    Target: able to spy on financial transactions and e-mail messages, this virus spread in Lebanon, Israel and Palestine.
    Suspected origin: unknown.

    SHAMOON
    Discovered: August 2012.
    Target: the computers of the Saudi oil companies Aramco and RasGas in Qatar were attacked by this virus.
    Claimed origin: a hacker group called “Cutting Sword of Justice”, possibly of Iranian origin.

    The reaction of the United States embassy in Paris

    We categorically refute the allegations by unidentified sources, published in an article in L’Express, according to which the government of the United States of America took part in a cyberattack against the French government. France is one of our best allies. Our cooperation is remarkable in the fields of intelligence, law enforcement and cyberdefence. It has never been better and remains essential to carrying out our common fight against the extremist threat.
    Mitchell Moss, spokesman for the United States embassy in Paris

    REUTERS/Larry Downing

    “The cyber threat is one of the most serious challenges we face as a nation”
    Barack Obama, President of the United States, May 2009.

    REUTERS/Neil Hall

    “We will devote a budget of more than half a billion pounds [626 million euros] to cybersecurity”
    David Cameron, British Prime Minister, October 2010.

    REUTERS/Thomas Peter

    “Cyber attacks are as dangerous as conventional warfare”
    Angela Merkel, German Chancellor, April 2011.

    By Charles Haquet and Emmanuel Paquette (L’Express) – published 20/11/2012 at 15:31

    Find this story at 20 November 2012

    © Groupe Express-Roularta

    Fascinating profile of the Soviet KGB’s little-known tech wizard

    It is often suggested by intelligence researchers that one major difference between Western and Soviet modes of espionage during the Cold War was their degree of reliance on technology. It is generally accepted that Western espionage was far more dependent on technical innovation than its Soviet equivalent. While this observation may be accurate, it should not be taken to imply that the KGB, GRU, and other Soviet intelligence agencies neglected technical means of intelligence collection. In a recent interview with top-selling Russian newspaper Komsomolskaya Pravda, Russian intelligence historian Gennady Sokolov discusses the case of Vadim Fedorovich Goncharov. Colonel Goncharov was the KGB’s equivalent of ‘Q’, head of the fictional research and development division of Britain’s MI6 in the James Bond films. A veteran of the Battle of Stalingrad, Goncharov eventually rose to the post of chief scientific and technical consultant of KGB’s 5th Special Department, later renamed Operations and Technology Directorate. According to Sokolov, Goncharov’s numerous areas of expertise included cryptology, communications interception and optics. While working in the KGB’s research laboratories, Goncharov came up with the idea of employing the principles behind the theremin, an early electronic musical instrument invented by Soviet physicist Léon Theremin in 1928, in wireless audio surveillance. According to Sokolov, the appropriation of the theremin by the KGB under Goncharov’s leadership “changed the world of intelligence”.

    Renamed “passive bug” by the Soviets, a modified version of Theremin’s invention allowed the KGB to do away with wires and hidden microphones, using instead tiny coils and metal plates surreptitiously hidden in a target room or area. Such contraptions acted as sensors that picked up the vibrations in the air during conversations and transmitted them to a beam (receiver) placed nearby, usually in an adjoined room or vehicle. One such device was planted by the KGB inside the large wooden replica of the Great Seal of the United States given by the Soviets to US Ambassador to the USSR, Averell Harriman, as a present in February 1945. By hanging the decorative artifact in his embassy office in Moscow, the Ambassador enabled the KGB to listen in to his private conversations, as well as those of his successors, including Walter Bedell Smith (later Director of Central Intelligence), Alan G. Kirk, and George F. Kennan, for nearly eight years. The bug was discovered by the US in 1952 and exposed to the world during a conference at the United Nations (see photo).

    Sokolov says that Goncharov also used the “passive bug” in several Moscow hotels frequented by Western visiting dignitaries, such as the Hotel National and the Hotel Soviet. Targets of “passive bug” operations included Indonesian President Sukarno, British Prime Minister Harold Wilson and German Chancellor Konrad Adenauer, whose conversations Goncharov allegedly managed to bug even though the West German leader chose to spend most of his trip to the USSR inside a luxury train compartment provided by the West German government. The Russian intelligence historian also claims that the theremin-based bug was used to eavesdrop on the conversations of Princess Margaret, sister of Queen Elizabeth II of the United Kingdom. The KGB allegedly bugged Margaret’s cigarette lighter, cigarette case and ashtrays, and was able to listen in to the Princess’ “drunken sprees” during her trips around Western Europe, collecting “dirt on the British Royal House”.

    December 24, 2012 by intelNews

    By JOSEPH FITSANAKIS | intelNews.org |

    Find this story at 24 December 2012

    We bugged Princess Margaret’s ashtrays, admit KGB

    KGB homed in on Princess during visit to Copenhagen in 1964
    Bugging devices attached to ashtrays and lighters to listen in on ‘scandalous gossip’
    Spies set up failed ‘honey trap’ for former Prime Minister Harold Wilson

    Soviet spies have admitted using bugging devices on the Royal Family and former British Prime Minister Harold Wilson.

    Secret agents from the KGB targeted Princess Margaret in the 1960s, attaching listening aids to her lighter, cigarette case, ashtrays and telephones.

    According to the Sunday Express, they homed in on the Princess during a trip to Copenhagen, Denmark in 1964.

    Lord Snowdon and Princess Margaret get ready to board a plane in September 1964 ahead of their visit to Copenhagen. Russian spies have admitted bugging the Princess on the trip

    Until now, Russia has always denied the covert operation, which took place in a hotel, but has now admitted compiling a dossier on the Princess’s love affair with Robin Douglas-Home and further relationships with Roddy Llewellyn, Colin Tennant and Dominic Ewes, a painter who later committed suicide.

    Spies passed photos, tape recordings and ‘most interesting, even scandalous’ gossip involving senior royal figures.

    It is also said agents tried to get information from Margaret’s therapist, Kay Kiernan, who also treated the Queen.

    Intelligence on Prince Philip was gathered via society osteopath and artist Stephen Ward, who later killed himself at the height of the Profumo affair.

    But spies failed in a sting operation on then future leader Harold Wilson, setting up a ‘honey trap’ for him in a Moscow hotel.

    Princess Margaret (second from right and then left) was targeted by KGB spies on her visit to Copenhagen in 1964. Bugging devices were planted in her lighter, cigarette case, ashtrays and telephones

    A new book will detail the KGB spies’ attempts at bugging the Royal Family. Pictured, the Kremlin, in Moscow

    Female agents posing as prostitutes patrolled the hotel overlooking the Kremlin, with a camera planted in a chandelier in his bedroom.

    But when the film was developed, Wilson’s face was disguised.

    Colonel Vadim Goncharov, who has since died, was the KGB chief in charge of the snooping operations, and he was ordered by bosses to go on television to deny the claims, fearing they would cast a shadow over the Queen’s first and only visit to Russia in 1994.

    By Daily Mail Reporter

    PUBLISHED: 11:01 GMT, 23 December 2012 | UPDATED: 17:05 GMT, 23 December 2012

    Find this story at 23 December 2012

    © Associated Newspapers Ltd

    USSR ‘used civilian planes to spy’

    Defence Secretary John Nott warned Mrs Thatcher that the USSR was using civilian aircraft to carry out spying missions in the UK

    The Soviet Union used civil airliners to conduct secret Cold War spying missions over Britain, according to newly published Government files.

    Some aircraft would switch off their transponders, which alert air traffic controllers to their position, before veering off their approved flight paths to carry out aerial intelligence-gathering missions over sensitive targets, papers released by the National Archives under the 30-year rule show.

    In a memorandum marked SECRET UK US EYES ONLY, Defence Secretary John Nott informed prime minister Margaret Thatcher in December 1981 that the RAF was monitoring the hundreds of monthly flights through UK airspace by Warsaw Pact airliners.

    “One incident of particular interest took place on 9th November, when an Aeroflot IL62 made an unauthorized and unannounced descent from 35,000 ft to 10,000 ft just below cloud level, to fly over RAF Boulmer, a radar station currently being modernised. It subsequently climbed back to 37,000 ft,” he wrote.

    “During this manoeuvre its Secondary Surveillance Radar which automatically broadcasts the aircraft’s height was switched off, though it was on before and after the incident. It must, therefore, be assumed that it was switched off intentionally to conceal a deliberate and premeditated manoeuvre.

    “Our investigations have now revealed it was the same aircraft which overflew the USN base at Groton when the first Trident submarine was being launched. You will recall that as a result of this incident the President banned Aeroflot flights over the USA for a short period.”

    But that was not the only example of bad behaviour by enemy spies that year. In August 1981 the Second Secretary at the USSR embassy VN Lazin became the first Soviet diplomat for a decade to be expelled for “activities incompatible with his status”.

    The Foreign Office informed No 10 that Lazin, actually the senior member of the scientific and technical intelligence section of the KGB in London, was arrested during a “clandestine meeting” with a Portuguese national.

    “He developed his relationship with the Portuguese national over several months and sought to obtain technical and scientific information in the UK from him and to use him as an agent with the possibility of eventually placing him in a Nato post,” the Foreign Office noted.

    The Soviets responded in traditional fashion with the tit-for-tat expulsion of the British cultural attache in the Moscow embassy. More was to follow six months later in February 1982 when MI5 decided to call time on the espionage career of another Soviet, Vadim Fedorovich Zadneprovskiy, a member of the Soviet trade delegation who for the previous five years had operated as a KGB agent-runner. His recruits included a British businessman who was given the codename COURT USHER.

    Updated: 28 December 2012 11:48 | By pa.press.net

    Find this story at 28 December 2012

    © 2013 Microsoft

    KGB Used Aeroflot Jets as Spy Planes, U.K. Files Show

    Soviet spies used civilian planes to snoop on British and American military installations during the 1980s, newly released U.K. documents show.

    Britain’s Royal Air Force “established that some of these aircraft deviated from their flight-plan routes in circumstances which would lead us to assume that they were gathering intelligence,” the then defense secretary, John Nott, wrote in a memo to Prime Minister Margaret Thatcher that’s among government files from 1982 published today after being kept confidential for the prescribed 30 years.

    The papers from the National Archives in London give an insight into both the extent of Soviet espionage and the U.K. government’s awareness of it. One agent from the KGB, the Soviet security agency, was identified on arrival in 1977 and followed for five years, subject to a series of British intelligence operations before finally being expelled.

    Relations between Thatcher’s government and the Soviet Union were tense at the time, despite attempts by diplomats to persuade her to take a conciliatory line. More than once in her files she rejects a course of action proposed in a memo, referring to the 1979 Soviet invasion of Afghanistan as the reason.

    As Communist Party general secretary Leonid Brezhnev approached his 75th birthday at the end of 1981, Foreign Secretary Peter Carrington said it would be “churlish” of her not to send congratulations.

    “Afghanistan?” Thatcher wrote in the margins of the memo suggesting this. “I really don’t think we should send a message.” She underlined “don’t.”
    ‘Unannounced Descent’

    Nott wrote to Thatcher about the KGB’s use of Aeroflot planes over Britain after the Royal Air Force decided to look at the activities of “the thousand or so Warsaw Pact airliners which fly over the U.K. each month.”

    In “one incident of particular interest,” the defense secretary wrote, an Ilyushin IL62 from the Soviet airline “made an unauthorized and unannounced descent from 35,000 feet to 10,000 feet, just below cloud level, to fly over RAF Boulmer, a radar station currently being modernized” in northeast England.

    The plane turned off its automatic broadcast of its height during the maneuver, after which it returned to its previous altitude and began transmitting again.

    The RAF subsequently established the same plane performed a similar operation over the U.S. Navy base at Groton, Connecticut, when the first Trident submarine was being launched.
    Trade Official

    The KGB was also using more traditional methods. In February 1982, the Security Service, the British internal security agency popularly known as MI5, asked for permission to expel a Russian trade official, Vadim Fedorovich Zadneprovskiy, after he “engaged in unacceptable intelligence-gathering activities.” According to the MI5 report, he had been identified as a KGB agent on his arrival in 1977 and followed.

    MI5 used his inquiries about British counter-surveillance techniques to establish gaps in the KGB’s knowledge, with “some success.” The security service watched as he ran a British businessman, whom they codenamed “Court Usher,” as an agent, even using him to deliver equipment “in a thoroughly clandestine manner.” After concluding it wouldn’t be able to recruit Zadneprovskiy, MI5 demanded he be thrown out.

    It wasn’t just professional spies trying to get in on the act. As the Falklands War raged, and the government wrestled with the question of how to keep French-built Exocet anti-ship missiles out of Argentine hands, Attorney General Michael Havers sent Thatcher a handwritten note suggesting a way to intercept a shipment.
    ‘Bond Movie’

    Acknowledging his idea “may be thought to be more appropriate to a James Bond movie,” Havers said the Secret Intelligence Service, MI6, should try to insert its own person as loadmaster on any flight used to carry missiles to Argentina.

    “If this can be agreed, the loadmaster has total control over the flight and, therefore, could redirect the aircraft in transit to (for example) Bermuda,” he wrote. “This will cost money (this is an expensive dirty business) but could, in my view, be cheap at the price.”

    Havers may not have been aware at the time that MI6 was already running operations to precisely that end. Nott’s diary recalls, without giving details, how the agency both prevented Argentina buying missiles available on the open market and disabled missiles it thought could fall into Argentine hands.

    The U.S., while leading attempts to broker a cease-fire between Argentina and the U.K., provided information from spies as part of its support to Britain in the conflict.
    ‘Magnificent Support’

    By Robert Hutton and Thomas Penny – Dec 27, 2012

    Find this story at 27 December 2012

    © 2013 BLOOMBERG L.P. ALL RIGHTS RESERVED.

    Canadian diplomats spied on Cuba for CIA in aftermath of missile crisis: envoy

    In a little-known chapter of the Cold War, Canadian diplomats spied for the U.S. Central Intelligence Agency in Cuba in the aftermath of the 1962 missile crisis – and for years afterward.

    A major part of that story is told in a forthcoming memoir by retired Canadian envoy John Graham. Mr. Graham was one of a series of Canadian diplomats recruited to spy for the CIA in Havana. The missions went on for at least seven years, during the 1960s.

    “We didn’t have a military attaché in the Canadian embassy,” explained Mr. Graham, who worked under the cover of Political Officer. “And to send one at the time might have raised questions. So it was decided to make our purpose less visible.”

    Mr. Graham said he worked as a spy for two years, between 1962 and 1964. His mandate was to visit Soviet bases, identify weapons and electronic equipment and monitor troop movements.

    The espionage missions began after President John Kennedy asked Prime Minister Lester Pearson – at their May, 1963, summit in Hyannis Port, Mass. – whether Canada would abet American intelligence-gathering efforts in Cuba.

    As a result of the crisis, which brought the superpowers to the brink of nuclear war, the Soviets had agreed to withdraw nuclear missiles from Cuban territory, in exchange for Washington’s pledge to remove its own missile batteries from Turkey and Italy.

    To monitor Russian compliance, the United States needed to supplement data gleaned from almost daily U-2 reconnaissance flights. It had few assets on the ground. Its networks of Cuban agents had been progressively rolled up by Castro’s efficient counterintelligence service. And having severed diplomatic relations with Cuba in 1961, it had no embassy of its own through which to infiltrate American spies.

    Soon after the summit meeting, Ottawa sent diplomat George Cowley to Havana.

    Now deceased, Mr. Cowley, who had served in the Canadian embassy in Japan and sold encyclopedias in Africa, spent about two months in Havana in the late spring of 1963.

    He was followed by Mr. Graham, seconded from his post as chargé d’affaires in the Dominican Republic.

    His formal training, he told The Globe and Mail, was minimal – a few days at CIA headquarters in Langley, Va. At the end of it, an agency officer offered him a farewell gift – a sophisticated camera with an assortment of telephoto lenses.

    He declined the present, arguing that if he were ever caught with it, he’d surely be arrested.

    “But how will we know what the Soviet military convoys are carrying?” a CIA officer asked him. “We need precision. Configuration is essential for recognition.”

    “I’ll draw you pictures,” Mr. Graham said. “It was a bit like the character in Graham Greene’s Our Man in Havana, but that’s what I did.”

    In the Greene novel, an inept salesman, recruited to spy for Britain, sends illustrations of vacuum cleaner parts to his handler, calling them drawings of a military installation.

    Mr. Graham’s sketches, however, were the real thing. To get them to Canada, he flew to Mexico City – the only regional air connection – and deposited the drawings at the Canadian embassy. From there, they were dispatched by diplomatic courier to Ottawa. Copies were subsequently sent to the CIA and, Mr. Graham later heard, to the Kennedy White House.

    His written reports, sent by ciphered telegram to the Canadian embassy in Washington and then to Ottawa, contained details of electronic arrays in use at Soviet bases. “That information,” he said, “could tell an expert what weapons systems they had.”

    Although Moscow had removed its nuclear arsenal by the time Mr. Graham arrived, it maintained a significant military presence. Russian soldiers typically dressed in civilian clothes, usually in plaid sport shirts, khaki pants and running shoes.

    To fit in, Mr. Graham adopted the same ensemble – purchased at a Zellers store in Ottawa. Although many missions involved early morning surveillance of naval facilities, he was never followed. He was stopped only once by the police, roaming through a secure section of a communications building. He pretended to be a bumbling tourist and was let go.

    On several occasions, Mr. Graham conducted joint reconnaissance with an agent of another Western country that he declines to identify. “He was brilliant and altogether remarkable. At parties, he composed Monty-Python-like lyrics to pet and lingerie commercials, accompanying himself on the piano.”

    To relieve the stress of their missions, they would stop for seaside picnics on the way home. “Mr. X would pull out two crystal goblets and a Thermos of premixed martinis. I supplied the olives.”

    Canadian officials, he said, went to extraordinary lengths to protect his identity as an agent. He stamped his sketches with the words, “For Canadian Eyes Only, Confidential.” But in Ottawa they were given an additional security designation – “Secret, Ottawa Only, Protect Source,” a classification he had never seen, before or since.

    In 1964, Mr. Graham was promoted within the embassy and replaced in his espionage work by Alan McLaine.

    In fact, he said, Canada’s role as CIA surrogate in Cuba continued for several years, even under the government of Pierre Trudeau, who had developed a personal friendship with Cuban leader Fidel Castro.

    MICHAEL POSNER

    OTTAWA — The Globe and Mail

    Published Monday, Oct. 15 2012, 9:56 PM EDT

    Last updated Tuesday, Oct. 16 2012, 5:02 AM EDT

    Find this story at 15 October 2012

    © Copyright 2013 The Globe and Mail Inc. All Rights Reserved.

    The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

    During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

    Kaspersky Lab’s researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

    The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.

    Some key findings from our investigation:
    The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations.
    To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true “mothership” command and control server.
    The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
    Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.
    We have observed the use of at least three different exploits for previously known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). The earliest known attacks used the exploit for MS Excel and took place in 2010 and 2011, while attacks targeting the MS Word vulnerabilities appeared in the summer of 2012.

    The exploits from the documents used in spear phishing were created by other attackers and employed during different cyber attacks against Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed is the executable which was embedded in the document; the attackers replaced it with their own code.

    Sample fake image used in one of the Rocra spear phishing attacks.
    During lateral movement in a victim’s network, the attackers deploy a module to actively scan the local area network, find hosts vulnerable to MS08-067 (the vulnerability exploited by Conficker) or accessible with admin credentials from its own password database. Another module used collected information to infect remote hosts in the same network.
    Based on registration data of the C&C servers and numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins. The attackers and the executables they developed were unknown until recently and have never been linked to any other targeted cyber attacks. Notably, one of the commands in the Trojan dropper switches the codepage of an infected machine to 1251 before installation. This is required to address files and directories that contain Cyrillic characters in their names.
    Rocra FAQ:

    What is Rocra? Where does the name come from? Was Operation Rocra targeting any specific industries, organizations or geographical regions?

    Rocra (short for “Red October”) is a targeted attack campaign that has been going on for at least five years. It has infected hundreds of victims around the world in eight main categories:
    Government
    Diplomatic / embassies
    Research institutions
    Trade and commerce
    Nuclear / energy research
    Oil and gas companies
    Aerospace
    Military

    It is quite possible there are other targeted sectors which haven’t been discovered yet or have been attacked in the past.

    How and when was it discovered?

    We have come by the Rocra attacks in October 2012, at the request of one of our partners. By analysing the attack, the spear phishing and malware modules, we understood the scale of this campaign and started dissecting it in depth.

    Who provided you with the samples?

    Our partner who originally pointed us to this malware prefers to remain anonymous.

    How many infected computers have been identified by Kaspersky Lab? How many victims are there? What is the estimated size of Operation Red October on a global scale?

    During the past months, we’ve counted several hundreds of infections worldwide – all of them in top locations such as government networks and diplomatic institutions. The infections we’ve identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg.

    Based on our Kaspersky Security Network (KSN), here’s a list of the countries with the most infections (only those with more than 5 victims):

    Country                     Infections
    RUSSIAN FEDERATION          35
    KAZAKHSTAN                  21
    AZERBAIJAN                  15
    BELGIUM                     15
    INDIA                       14
    AFGHANISTAN                 10
    ARMENIA                     10
    IRAN, ISLAMIC REPUBLIC OF    7
    TURKMENISTAN                 7
    UKRAINE                      6
    UNITED STATES                6
    VIET NAM                     6
    BELARUS                      5
    GREECE                       5
    ITALY                        5
    MOROCCO                      5
    PAKISTAN                     5
    SWITZERLAND                  5
    UGANDA                       5
    UNITED ARAB EMIRATES         5

    For the sinkhole statistics see below.

    Who is behind/responsible for this operation? Is this a nation-state sponsored attack?

    The information we have collected so far does not appear to point towards any specific location, however, two important factors stand out:
    The exploits appear to have been created by Chinese hackers.
    The Rocra malware modules have been created by Russian-speaking operatives.

    Currently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.

    Are there any interesting texts in the malware that can suggest who the attackers are?

    Several Rocra modules contain interesting typos and mis-spellings:

    network_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”
    imapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”
    mapi_client: “Default Messanger”, “BUFEER IS FULL”
    msoffice_plugin: “my_encode my_dencode”
    winmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”
    PswSuperMailRu: “——-PROGA START—–”, “——-PROGA END—–”

    The word “PROGA” used in here might refer to transliteration of Russian slang “ПРОГА”, which literally means an application or a program among Russian-speaking software engineers.

    In particular, the word “Zakladka” in Russian can mean:
    “bookmark”
    (more likely) a slang term meaning “undeclared functionality”, i.e. in software or hardware. However, it may also mean a microphone embedded in a brick of the embassy building.

    The C++ class that holds the C&C configuration parameters is called “MPTraitor” and the corresponding configuration section in the resources is called “conn_a”. Some examples include:

    conn_a.D_CONN
    conn_a.J_CONN
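As an added example (not Kaspersky's code), a scanner that looks for the misspelled strings and configuration section names listed above, in both narrow and UTF-16LE encodings as Windows binaries carry them, and only flags a file when several of them co-occur; the sample image bytes are constructed.

```python
from typing import Dict, List

# Module name -> strings Kaspersky reported in that module (from the FAQ above).
# The dash runs around "PROGA START"/"PROGA END" are left out, so only the
# stable core of those two strings is matched.
ROCRA_STRINGS: Dict[str, List[str]] = {
    "network_scanner": ["SUCCESSED", "Error_massage", "natrive_os", "natrive_lan"],
    "imapispool": ["UNLNOWN_PC_NAME", "WinMain: error CreateThred stop"],
    "mapi_client": ["Default Messanger", "BUFEER IS FULL"],
    "msoffice_plugin": ["my_encode my_dencode"],
    "winmobile": ["Zakladka injected", "Cannot inject zakladka, Error: %u"],
    "PswSuperMailRu": ["PROGA START", "PROGA END"],
    # Resource section names of the C&C configuration, per the FAQ.
    "config": ["conn_a.D_CONN", "conn_a.J_CONN"],
}


def _encodings(s: str) -> List[bytes]:
    """Windows binaries carry both narrow (ASCII) and wide (UTF-16LE) strings."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def scan_for_rocra_strings(data: bytes) -> Dict[str, List[str]]:
    """Return {module: [matched strings]} for every reported string found in data."""
    hits: Dict[str, List[str]] = {}
    for module, strings in ROCRA_STRINGS.items():
        found = [s for s in strings if any(enc in data for enc in _encodings(s))]
        if found:
            hits[module] = found
    return hits


def is_suspicious(hits: Dict[str, List[str]], min_strings: int = 2) -> bool:
    """A single typo such as "SUCCESSED" is weak evidence on its own; require
    several reported strings before raising an alert."""
    return sum(len(v) for v in hits.values()) >= min_strings


# Constructed sample: filler bytes with two narrow strings, one wide string and a
# configuration section name embedded, standing in for a module image on disk.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"natrive_os\x00natrive_lan\x00"
    + "BUFEER IS FULL".encode("utf-16-le") + b"\x00" * 8
    + b"conn_a.D_CONN\x00"
)

if __name__ == "__main__":
    hits = scan_for_rocra_strings(SAMPLE_IMAGE)
    for module, found in hits.items():
        print(f"{module}: {found}")
    print("suspicious:", is_suspicious(hits))
```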

    What kind of information is being hijacked from infected machines?

    Information stolen from infected systems includes documents with extensions:

    txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
    cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
    aciddsk, acidpvr, acidppr, acidssa.
    In particular, the “acid*” extensions appear to refer to the classified software “Acid Cryptofiler”, which is used by several entities such as the European Union and/or NATO.

    What is the purpose/objective of this operation? What were the attackers looking for by conducting this sustained cyber-espionage campaign for so many years?

    The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high profile victims although it’s unknown how the information was used.

    It is possible that the information was sold on the black market, or used directly.

    What are the infection mechanisms for the malware? Does it have self-propagating (worm) capabilities? How does it work? Do the attackers have a customized attack platform?

    The main malware body acts as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.

    In general, the Rocra framework is designed for executing “tasks” that are provided by its C&C servers. Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.

    Several tasks, however, need to be constantly present in the system, e.g. waiting for an iPhone or Nokia mobile to connect. These tasks are provided as PE EXE files and are installed on the infected machine.
    Examples of “persistent” tasks
    Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built in file system parser
    Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
    Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
    Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
    Record all the keystrokes, make screenshots
    Execute additional encrypted modules according to a pre-defined schedule
    Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials
    Examples of “one-time” tasks
    Collect general software and hardware environment information
    Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
    Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
    Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
    Extract saved passwords for Web sites, FTP servers, mail and IM accounts
    Extract Windows account hashes, most likely for offline cracking
    Extract Outlook account information
    Determine the external IP address of the infected machine
    Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
    Write and/or execute arbitrary code provided within the task
    Perform a network scan, dump configuration data from Cisco devices if available
    Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
    Replicate via network using previously obtained administrative credentials

    The Rocra framework was designed by the attackers from scratch and hasn’t been used in any other operations.

    Was the malware limited to only workstations or did it have additional capabilities, such as a mobile malware component?

    Several mobile modules exist, which are designed to steal data from several types of devices:
    Windows Mobile
    iPhone
    Nokia

    These modules are installed in the system and wait for mobile devices to be connected to the victim’s machine. When a connection is detected, the modules start collecting data from the mobile phones.

    How many variants, modules or malicious files were identified during the overall duration of Operation Red October?

    During our investigation, we’ve uncovered over 1000 modules belonging to 30 different module categories. These were created from 2007 onwards, with the most recent compiled on 8 Jan 2013.

    Here’s a list of known modules and categories:

    Were initial attacks launched at select “high-profile” victims or were they launched in series of larger (wave) attacks at organizations/victims?

    All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.

    Later, there is a high degree of interaction between the attackers and the victim – the operation is driven by the kind of configuration the victim has, which type of documents they use, installed software, native language and so on. Compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more “personal” and finely tuned to the victims.

    Is Rocra related in any way to the Duqu, Flame and Gauss malware?

    Simply put, we could not find any connections between Rocra and the Flame / Tilded platforms.

    How does Operation Rocra compare to similar campaigns such as Aurora and Night Dragon? Any notable similarities or differences?

    Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated. During our investigation we’ve uncovered over 1000 unique files, belonging to about 30 different module categories. Generally speaking, the Aurora and Night Dragon campaigns used relatively simple malware to steal confidential information.

    With Rocra, the attackers managed to stay in the game for over 5 years and evade detection of most antivirus products while continuing to exfiltrate what must be hundreds of Terabytes by now.

    How many Command & Control servers are there? Did Kaspersky Lab conduct any forensic analysis on them?

    During our investigation, we uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany.

    Here’s an overview of Rocra’s command and control infrastructure, as we believe it looks based on our investigations:

    More detailed information about the Command and Control servers will be revealed at a later date.

    Did you sinkhole any of the Command & Control servers?

    We were able to sinkhole six of the over 60 domains used by the various versions of the malware. During the monitoring period (2 Nov 2012 – 10 Jan 2013), we registered over 55,000 connections to the sinkhole. The number of different IPs connecting to the sinkhole was 250.

    In terms of the country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most IPs being from Switzerland. Kazakhstan and Greece follow next.

    Sinkhole statistics – 2 Nov 2012 – 10 Jan 2013
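As an added example (not Kaspersky's code), the kind of aggregation behind the sinkhole figures above: parse a constructed sinkhole access log, keep only connections inside the monitoring window, skip malformed lines, and count connections, distinct source IPs and the distribution of those IPs by country. The IP-to-country map stands in for a GeoIP lookup and the request path is a placeholder, not the real C&C URL.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sinkhole access log: timestamp, source IP, request.  IPs come from
# documentation ranges; one line is deliberately malformed and one falls outside
# the monitoring window.
SINKHOLE_LOG = """\
2012-11-02T08:01:12Z 203.0.113.7 GET /PLACEHOLDER_PATH
2012-11-02T08:03:40Z 203.0.113.7 GET /PLACEHOLDER_PATH
2012-11-02T09:10:05Z 198.51.100.22 GET /PLACEHOLDER_PATH
2012-11-03T11:20:31Z 192.0.2.15 GET /PLACEHOLDER_PATH
2012-11-03T11:21:00Z 203.0.113.9 GET /PLACEHOLDER_PATH
this line is garbage and must be skipped
2012-11-04T12:00:00Z 198.51.100.22 GET /PLACEHOLDER_PATH
2012-11-04T13:00:00Z 192.0.2.200 GET /PLACEHOLDER_PATH
2012-12-20T07:45:10Z 203.0.113.11 GET /PLACEHOLDER_PATH
2013-01-11T00:00:01Z 203.0.113.7 GET /PLACEHOLDER_PATH
"""

# Stand-in for a GeoIP lookup: constructed IP -> ISO country code.
GEO: Dict[str, str] = {
    "203.0.113.7": "CH", "203.0.113.9": "CH", "203.0.113.11": "CH",
    "198.51.100.22": "KZ", "192.0.2.200": "KZ",
    "192.0.2.15": "GR",
}

# Monitoring window from the write-up: 2 Nov 2012 - 10 Jan 2013, inclusive.
WINDOW_START = datetime(2012, 11, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 1, 10, 23, 59, 59, tzinfo=timezone.utc)


def parse_sinkhole_log(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, source ip) per well-formed line; malformed lines are skipped."""
    entries: List[Tuple[datetime, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # not a timestamp: garbage line
        entries.append((ts.replace(tzinfo=timezone.utc), parts[1]))
    return entries


def summarize_sinkhole(entries: List[Tuple[datetime, str]], geo: Dict[str, str],
                       start: datetime = WINDOW_START,
                       end: datetime = WINDOW_END) -> Dict[str, object]:
    """Connections, distinct IPs and per-country IP counts inside [start, end]."""
    in_window = [(ts, ip) for ts, ip in entries if start <= ts <= end]
    ips = {ip for _, ip in in_window}
    # Count distinct IPs per country, not raw connections, so a chatty single
    # victim does not dominate the ranking.
    by_country = Counter(geo.get(ip, "??") for ip in ips)
    return {
        "connections": len(in_window),
        "distinct_ips": len(ips),
        "countries": len(by_country),
        "ips_by_country": by_country.most_common(),
    }


if __name__ == "__main__":
    summary = summarize_sinkhole(parse_sinkhole_log(SINKHOLE_LOG), GEO)
    for key, value in summary.items():
        print(f"{key}: {value}")
```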

    Is Kaspersky Lab working with any governmental organizations, Computer Emergency Response Teams (CERTs), law enforcement agencies or security companies as part of the investigation and disinfection efforts?

    Kaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures.

    Kaspersky Lab would like to express their thanks to: US-CERT, the Romanian CERT and the Belarusian CERT for their assistance with the investigation.

    If you are a CERT and would like more information about infections in your country, please contact us at theflame@kaspersky.com.

    Here’s a link to the full paper (part 1) about our Red October research. During the next days, we’ll be publishing Part 2, which contains a detailed technical analysis of all the known modules. Please stay tuned.

    A list of MD5s of known documents used in the Red October attacks:

    GReAT
    Kaspersky Lab Expert
    Posted January 14, 13:00 GMT

    Find this story at 14 January 2013

    And “Red October” Diplomatic Cyber Attacks Investigation

    Attack by the “Red October” Espionage Program

    Anti-virus experts have discovered a sophisticated espionage virus on computers, above all in Russia and Central Asia. Files and e-mails were stolen on a large scale. The targets included governments, embassies, research institutions, the military and the energy industry.

    Moscow – Security experts have discovered a large-scale espionage attack on diplomatic missions, government organizations and research institutes in Eastern Europe and Central Asia. The experts of the Russian security software firm Kaspersky report that the espionage programs searched systematically, undetected for more than five years, for highly sensitive documents with confidential, often geopolitically relevant content on the computers and in the networks of the affected organizations. Because the spyware remained undetected for so long, the Kaspersky experts christened it “Red October” (Rocra for short) – after the silent submarine in Tom Clancy’s thriller.

    According to the report, the attackers use highly specialized malware. The Russian experts are impressed by the infrastructure used: the complexity of the Rocra software could rival Flame, they write. When it was discovered at the beginning of 2012, the high-tech pest Flame was considered one of the most complex threats ever found.

    Rocra’s components spied on various platforms: PCs, iPhones, Nokia and Windows Mobile smartphones, as well as business hardware from the US company Cisco.

    The Kaspersky experts observed command servers at 60 different server locations, many of them in Russia and Germany. But Rocra has nothing to do with the virus family around Flame, Gauss and Duqu, whose targets are mainly in Iran and the Middle East, the Kaspersky researchers believe. They had been unable to find any connections; Rocra was much more “personalized” than Flame, Duqu and Gauss.

    Who is affected?

    Kaspersky writes that it has discovered “several hundred” infected computers worldwide. Those affected are above all computers and networks in government offices, diplomatic missions, research institutes, the nuclear sector, the oil and gas industry, aerospace companies and the military.

    Kaspersky has also analyzed over several months in which countries its own software finds traces of Rocra infections. This produced the following ranking of infections by location of the affected systems (the number of infected systems is given in parentheses):

    Russia (35)
    Kazakhstan (21)
    Azerbaijan (15)
    Belgium (15)
    India (14)
    Afghanistan (10)
    Armenia (10)
    Iran (7)
    Turkmenistan (7)

    Also affected, according to the report, are five or six computers or networks each in Ukraine, the USA, Vietnam, Belarus, Greece, Italy, Morocco, Pakistan, Switzerland, Uganda and the United Arab Emirates.

    What were the perpetrators looking for?

    According to Kaspersky, files were copied from the infected computers on a large scale. The description sounds more like a broad reconnaissance than like targeted attacks. The perpetrators searched for text files, spreadsheets and keys for the cryptography programs PGP and GnuPG. E-mails were also copied, and connected drives and smartphones were read out.

    File extensions that Rocra looked for also point, according to Kaspersky, to a particular interest in files associated with the encryption program Acid Cryptofiler used by the EU and NATO. The file extension xia could be a reference to the German encryption software Chiasmus.

    How was the attack discovered?

    Kaspersky says it was alerted to the attack by a business partner who wishes to remain anonymous. The analysis of the discovered malware then put the researchers on the trail of further victims. With a kind of trap, a so-called sinkhole, Kaspersky finally identified six of the 60 control servers from which the infected computers receive commands.

    How did the attackers proceed?

    The attacks were apparently tailored precisely to the respective victims. The attackers sent documents by e-mail that appeared to be of interest to the victims. As an example, Kaspersky presents the screenshot of an advertisement for a used diplomatic vehicle. Later infection e-mails were apparently tailored on the basis of data stolen earlier. The documents were combined with malicious code that exploited already known security holes, namely in Microsoft Word and Excel.

    As soon as the recipient opened such an attachment, a Trojan was smuggled onto the computer, which in turn downloaded further malicious code from a huge library. The hijacked computers were then controlled by a cascade of 60 so-called command-and-control servers (C&C). These were chained one behind the other in such a way that it was impossible to identify the actual source of the control commands, according to Kaspersky.

    The espionage tools that were downloaded are varied and sophisticated. Over a thousand software modules were found, fulfilling 34 different functions. Some modules explored the infected network, copied the browsing history of the installed browser or checked which drives were connected. Others specialized in password theft, or in copying all e-mail traffic or entire directories from the infected computer at once. Other modules specialized in reading out connected USB drives, some even in recovering deleted data on such drives.

    Rocra can also take over, or at least read out, mobile phones connected to infected computers, the contact list for example. Almost as a matter of course, the attackers also installed backdoors on the infected computers and phones in order to execute further commands or download software later. Finally, Rocra transmits the files it finds, packed and encrypted, over the Internet to control servers.

    Who could be behind it?

    According to Kaspersky, the malware contains clues pointing to developers from at least two different nations. The exploits, i.e. the parts of the malicious code that exploit specific security holes, “appear to have been developed by Chinese hackers”, the authors of the report write. They had also been used in the past in cyber attacks against Tibetan activists and targets in the energy and military sectors in Asia. Such exploits could also have been bought on the black market. The malware code itself, however, appears to come from “Russian-speaking” developers.

    For example, the Russian term “Zakladka” appeared in the program code. It can mean foundation stone or stand for something “embedded”. But the term could also mean “bookmark” or simply “unspecified function”. It could also refer to a “microphone hidden in the wall of an embassy”, the Kaspersky report says.

    14 January 2013, 18:37

    By Konrad Lischka and Christian Stöcker

    Find this story at 14 January 2013

    © SPIEGEL ONLINE 2013
