  • Buro Jansen & Janssen, just content!
    Jansen & Janssen is a research bureau that critically follows the police, judiciary, intelligence services and government in the Netherlands and the EU. A civil-rights collective that has published for 40 years, since 1984, on the expansion of repressive legislation, public-private partnerships, security in the broadest sense, powers, government action and other affairs of state.
    Buro Jansen & Janssen, Postbus 10591, 1001EN Amsterdam, 020-6123202, 06-34339533, signal +31684065516, info@burojansen.nl (pgp)
    Support Buro Jansen & Janssen. Become a donor: NL43 ASNB 0856 9868 52 or NL56 INGB 0000 6039 04 in the name of Stichting Res Publica, Postbus 11556, 1001 GN Amsterdam.
  • The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

    During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

    Kaspersky Lab’s researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

    The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.

    Some key findings from our investigation:
    The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled into a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true “mothership” command-and-control server.
    The attackers created a multi-functional framework that can be quickly extended with new intelligence-gathering features. The system is resistant to C&C server takeover and allows the attackers to recover access to infected machines using alternative communication channels.
    Besides traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP servers; and siphoning files from local network FTP servers.
    We have observed the use of at least three different exploits for previously known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). The earliest known attacks used the exploit for MS Excel and took place in 2010 and 2011, while attacks targeting the MS Word vulnerabilities appeared in the summer of 2012.

    The exploits from the documents used in spear phishing were created by other attackers and employed during different cyber attacks against Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed is the executable which was embedded in the document; the attackers replaced it with their own code.

    Sample fake image used in one of the Rocra spear phishing attacks.
    During lateral movement in a victim’s network, the attackers deploy a module that actively scans the local area network for hosts vulnerable to MS08-067 (the vulnerability exploited by Conficker) or accessible with admin credentials from its own password database. Another module uses the collected information to infect remote hosts in the same network.
    Based on registration data of the C&C servers and numerous artifacts left in the malware’s executables, we strongly believe that the attackers have Russian-speaking origins. The attackers and the executables they developed were unknown until recently and have never been linked to any other targeted cyber attacks. Notably, one of the commands in the Trojan dropper switches the codepage of an infected machine to 1251 before installation. This is required to address files and directories that contain Cyrillic characters in their names.
    Rocra FAQ:

    What is Rocra? Where does the name come from? Was Operation Rocra targeting any specific industries, organizations or geographical regions?

    Rocra (short for “Red October”) is a targeted attack campaign that has been going on for at least five years. It has infected hundreds of victims around the world in eight main categories:
    Government
    Diplomatic / embassies
    Research institutions
    Trade and commerce
    Nuclear / energy research
    Oil and gas companies
    Aerospace
    Military

    It is quite possible there are other targeted sectors which haven’t been discovered yet or have been attacked in the past.

    How and when was it discovered?

    We came across the Rocra attacks in October 2012, at the request of one of our partners. By analysing the attack, the spear phishing and the malware modules, we understood the scale of this campaign and started dissecting it in depth.

    Who provided you with the samples?

    Our partner who originally pointed us to this malware prefers to remain anonymous.

    How many infected computers have been identified by Kaspersky Lab? How many victims are there? What is the estimated size of Operation Red October on a global scale?

    During the past months, we’ve counted several hundred infections worldwide – all of them in top locations such as government networks and diplomatic institutions. The infections we’ve identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg.

    Based on our Kaspersky Security Network (KSN) here’s a list of countries with most infections (only for those with more than 5 victims):

    Country                      Infections
    RUSSIAN FEDERATION           35
    KAZAKHSTAN                   21
    AZERBAIJAN                   15
    BELGIUM                      15
    INDIA                        14
    AFGHANISTAN                  10
    ARMENIA                      10
    IRAN, ISLAMIC REPUBLIC OF     7
    TURKMENISTAN                  7
    UKRAINE                       6
    UNITED STATES                 6
    VIET NAM                      6
    BELARUS                       5
    GREECE                        5
    ITALY                         5
    MOROCCO                       5
    PAKISTAN                      5
    SWITZERLAND                   5
    UGANDA                        5
    UNITED ARAB EMIRATES          5

    For the sinkhole statistics see below.

    Who is behind/responsible for this operation? Is this a nation-state sponsored attack?

    The information we have collected so far does not appear to point towards any specific location; however, two important factors stand out:
    The exploits appear to have been created by Chinese hackers.
    The Rocra malware modules have been created by Russian-speaking operatives.

    Currently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can, of course, be anywhere.

    Are there any interesting texts in the malware that can suggest who the attackers are?

    Several Rocra modules contain interesting typos and misspellings:

    network_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”
    imapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”
    mapi_client: “Default Messanger”, “BUFEER IS FULL”
    msoffice_plugin: “my_encode my_dencode”
    winmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”
    PswSuperMailRu: “-------PROGA START-----”, “-------PROGA END-----”

    The word “PROGA” used in here might refer to transliteration of Russian slang “ПРОГА”, which literally means an application or a program among Russian-speaking software engineers.

    In particular, the word “Zakladka” in Russian can mean:
    “bookmark”
    (more likely) a slang term meaning “undeclared functionality”, i.e. in software or hardware. However, it may also mean a microphone embedded in a brick of the embassy building.

    The C++ class that holds the C&C configuration parameters is called “MPTraitor” and the corresponding configuration section in the resources is called “conn_a”. Some examples include:

    conn_a.D_CONN
    conn_a.J_CONN
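    As an added illustration (not code from the Kaspersky post), the following Python scanner looks for the module strings quoted above inside a binary blob, checking both 8-bit and UTF-16LE encodings because Windows executables store strings either way; the byte buffer it scans is constructed, not a real sample.

```python
"""Look for the Rocra module strings quoted in the FAQ inside a binary blob.

Added example; the byte buffer scanned below is constructed, not a real sample.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Strings quoted in the FAQ, grouped by the module they were reported in.
ROCRA_STRINGS: Dict[str, List[str]] = {
    "network_scanner": ["SUCCESSED", "Error_massage", "natrive_os", "natrive_lan"],
    "imapispool": ["UNLNOWN_PC_NAME", "WinMain: error CreateThred stop"],
    "mapi_client": ["Default Messanger", "BUFEER IS FULL"],
    "msoffice_plugin": ["my_encode my_dencode"],
    "winmobile": ["Zakladka injected", "Cannot inject zakladka, Error: %u"],
    "PswSuperMailRu": ["PROGA START", "PROGA END"],
    "cc_config": ["MPTraitor", "conn_a.D_CONN", "conn_a.J_CONN"],
}

# Windows binaries store strings either as 8-bit or as UTF-16LE "wide" strings,
# so an ASCII-only search would miss the wide ones.
ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def scan_buffer(data: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Return {module: [(string, encoding), ...]} for every quoted string present."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for module, needles in ROCRA_STRINGS.items():
        for needle in needles:
            for label, codec in ENCODINGS:
                if needle.encode(codec) in data:
                    hits[module].append((needle, label))
    return dict(hits)


def score(hits: Dict[str, List[Tuple[str, str]]]) -> int:
    """Number of (string, encoding) matches found across all modules."""
    return sum(len(v) for v in hits.values())


# Constructed buffer: NUL padding around three of the strings, one of them wide.
SAMPLE = (b"\x00" * 16 + b"natrive_os\x00" + b"\x00" * 8
          + "WinMain: error CreateThred stop".encode("utf-16-le")
          + b"\x00" * 16 + b"conn_a.D_CONN\x00" + b"\x00" * 8)

if __name__ == "__main__":
    found = scan_buffer(SAMPLE)
    for module, matches in found.items():
        print(module, matches)
    print("score:", score(found))
```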

    What kind of information is being hijacked from infected machines?

    Information stolen from infected systems includes documents with extensions:

    txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
    cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
    aciddsk, acidpvr, acidppr, acidssa.
    In particular, the “acid*” extensions appear to refer to the classified software “Acid Cryptofiler”, which is used by several entities such as the European Union and/or NATO.

    What is the purpose/objective of this operation? What were the attackers looking for by conducting this sustained cyber-espionage campaign for so many years?

    The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high profile victims although it’s unknown how the information was used.

    It is possible that the information was sold on the black market, or used directly.

    What are the infection mechanisms for the malware? Does it have self-propagating (worm) capabilities? How does it work? Do the attackers have a customized attack platform?

    The main malware body acts as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.

    In general, the Rocra framework is designed for executing “tasks” that are provided by its C&C servers. Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.

    Several tasks however need to be constantly present in the system, e.g. waiting for an iPhone or Nokia mobile to connect. These tasks are provided as PE EXE files and are installed on the infected machine.
    Examples of “persistent” tasks
    Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
    Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
    Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
    Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
    Record all the keystrokes, make screenshots
    Execute additional encrypted modules according to a pre-defined schedule
    Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials
    Examples of “one-time” tasks
    Collect general software and hardware environment information
    Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
    Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
    Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
    Extract saved passwords for Web sites, FTP servers, mail and IM accounts
    Extract Windows account hashes, most likely for offline cracking
    Extract Outlook account information
    Determine the external IP address of the infected machine
    Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
    Write and/or execute arbitrary code provided within the task
    Perform a network scan, dump configuration data from Cisco devices if available
    Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
    Replicate via network using previously obtained administrative credentials

    The Rocra framework was designed by the attackers from scratch and hasn’t been used in any other operations.

    Was the malware limited to only workstations or did it have additional capabilities, such as a mobile malware component?

    Several mobile modules exist, which are designed to steal data from several types of devices:
    Windows Mobile
    iPhone
    Nokia

    These modules are installed in the system and wait for mobile devices to be connected to the victim’s machine. When a connection is detected, the modules start collecting data from the mobile phones.

    How many variants, modules or malicious files were identified during the overall duration of Operation Red October?

    During our investigation, we’ve uncovered over 1000 modules belonging to 30 different module categories. These were created from 2007 onwards, with the most recent compiled on 8 January 2013.

    Here’s a list of known modules and categories:

    Were initial attacks launched at select “high-profile” victims or were they launched in series of larger (wave) attacks at organizations/victims?

    All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.

    Later, there is a high degree of interaction between the attackers and the victim – the operation is driven by the victim’s configuration, the type of documents they use, installed software, native language and so on. Compared to Flame and Gauss, which are highly automated cyber-espionage campaigns, Rocra is a lot more “personal” and finely tuned to its victims.

    Is Rocra related in any way to the Duqu, Flame and Gauss malware?

    Simply put, we could not find any connections between Rocra and the Flame / Tilded platforms.

    How does Operation Rocra compare to similar campaigns such as Aurora and Night Dragon? Any notable similarities or differences?

    Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated. During our investigation we’ve uncovered over 1000 unique files, belonging to about 30 different module categories. Generally speaking, the Aurora and Night Dragon campaigns used relatively simple malware to steal confidential information.

    With Rocra, the attackers managed to stay in the game for over 5 years and evade detection by most antivirus products while continuing to exfiltrate what must be hundreds of terabytes by now.

    How many Command & Control servers are there? Did Kaspersky Lab conduct any forensic analysis on them?

    During our investigation, we uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany.

    Here’s an overview of Rocra’s command and control infrastructure, as we believe it looks from our investigations:

    More detailed information about the Command and Control servers will be revealed at a later date.

    Did you sinkhole any of the Command & Control servers?

    We were able to sinkhole six of the over 60 domains used by the various versions of the malware. During the monitoring period (2 Nov 2012 – 10 Jan 2013), we registered over 55,000 connections to the sinkhole. The number of different IPs connecting to the sinkhole was 250.

    From the point of view of country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most IPs being in Switzerland. Kazakhstan and Greece follow next.
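    An added example, not from the original post, of how sinkhole connection logs are reduced to the three figures quoted above (connections, distinct IPs, countries) and to per-IP check-in intervals. The log lines, the request path and the IP-to-country table are constructed stand-ins (a real deployment would use a GeoIP database).

```python
"""Summarise sinkhole connection logs: connections vs distinct IPs vs countries.

Added example; the log lines and the IP-to-country table are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sinkhole log: "<ISO timestamp> <client IP> <method> <path>".
SINKHOLE_LOG = """\
2012-11-02T08:01:13Z 203.0.113.10 GET /constructed/beacon
2012-11-02T08:31:13Z 203.0.113.10 GET /constructed/beacon
2012-11-02T09:01:13Z 203.0.113.10 GET /constructed/beacon
2012-11-02T08:05:44Z 203.0.113.11 GET /constructed/beacon
2012-11-03T12:00:00Z 198.51.100.7 GET /constructed/beacon
2012-11-03T12:30:00Z 198.51.100.7 GET /constructed/beacon
2012-11-04T07:45:09Z 192.0.2.33 GET /constructed/beacon
this line is malformed and must be skipped
"""

# Constructed stand-in for a GeoIP lookup (documentation address ranges only).
GEO: Dict[str, str] = {
    "203.0.113.10": "CH", "203.0.113.11": "CH",
    "198.51.100.7": "KZ", "192.0.2.33": "GR",
}


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, ip), or None for lines that do not match the format."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1]


def summarize(log_text: str, geo: Dict[str, str]) -> dict:
    """Group check-ins by source IP and derive the headline sinkhole figures."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip = parsed
            per_ip[ip].append(ts)
    # Count countries by distinct IP, not by connection: one chatty host
    # must not make its country look like the largest victim population.
    countries = Counter(geo.get(ip, "??") for ip in per_ip)
    return {
        "connections": sum(len(v) for v in per_ip.values()),
        "unique_ips": len(per_ip),
        "countries": countries,
        "per_ip": per_ip,
    }


def beacon_intervals(per_ip: Dict[str, List[datetime]], ip: str) -> List[int]:
    """Seconds between consecutive check-ins from one IP; regular gaps suggest scheduled beaconing."""
    times = sorted(per_ip.get(ip, []))
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    s = summarize(SINKHOLE_LOG, GEO)
    print("connections:", s["connections"], "unique IPs:", s["unique_ips"])
    print("countries by distinct IP:", s["countries"].most_common())
    print("intervals for 203.0.113.10:", beacon_intervals(s["per_ip"], "203.0.113.10"))
```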

    Sinkhole statistics – 2 Nov 2012 – 10 Jan 2013

    Is Kaspersky Lab working with any governmental organizations, Computer Emergency Response Teams (CERTs), law enforcement agencies or security companies as part of the investigation and disinfection efforts?

    Kaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures.

    Kaspersky Lab would like to express their thanks to: US-CERT, the Romanian CERT and the Belarusian CERT for their assistance with the investigation.

    If you are a CERT and would like more information about infections in your country, please contact us at theflame@kaspersky.com.

    Here’s a link to the full paper (part 1) about our Red October research. During the next days, we’ll be publishing Part 2, which contains a detailed technical analysis of all the known modules. Please stay tuned.

    A list of MD5s of known documents used in the Red October attacks:

    GReAT
    Kaspersky Lab Expert
    Posted January 14, 13:00 GMT

    Find this story at 14 January 2013

    And “Red October” Diplomatic Cyber Attacks Investigation

    Attack by “Red October” spyware

    Anti-virus experts have discovered a sophisticated espionage virus on computers, primarily in Russia and Central Asia. Files and e-mails were stolen on a large scale. Targets included governments, embassies, research institutions, the military and the energy industry.

    Moscow. Security experts have discovered a large-scale espionage attack on diplomatic missions, government organizations and research institutes in Eastern Europe and Central Asia. Experts at the Russian security software firm Kaspersky report that the spyware went undetected for more than five years while systematically searching the computers and networks of the affected organizations for highly sensitive documents with confidential, often geopolitically relevant, contents. Because the spyware remained undetected for so long, the Kaspersky experts named it “Red October” (Rocra for short), after the silent submarine in Tom Clancy’s thriller.

    According to the report, the attackers use highly specialized malware. The Russian experts are impressed by the infrastructure used: the complexity of the Rocra software could rival Flame, they write. When it was discovered in early 2012, the high-tech Flame malware was considered one of the most complex threats ever found.

    Rocra’s components spied on various platforms: PCs, iPhones, Nokia and Windows Mobile smartphones, as well as business hardware from the US company Cisco.

    The Kaspersky experts observed command servers at 60 different server locations, many of them in Russia and Germany. However, the Kaspersky researchers believe Rocra has nothing to do with the virus family around Flame, Gauss and Duqu, whose targets are mainly in Iran and the Middle East. They say they could find no connections, and that Rocra is far more “personalized” than Flame, Duqu and Gauss.

    Who is affected?

    Kaspersky writes that it has discovered “several hundred” infected computers worldwide. Those affected are mainly computers and networks in government agencies, diplomatic missions, research institutes, the nuclear sector, the oil and gas industry, aerospace companies and the military.

    Kaspersky also analyzed over several months in which countries its own software finds traces of Rocra infections. This produced the following ranking of infections by location of the affected systems (the number of infected systems is given in brackets):

    Russia (35)
    Kazakhstan (21)
    Azerbaijan (15)
    Belgium (15)
    India (14)
    Afghanistan (10)
    Armenia (10)
    Iran (7)
    Turkmenistan (7)

    Also affected, according to the report, are five or six computers or networks each in Ukraine, the USA, Vietnam, Belarus, Greece, Italy, Morocco, Pakistan, Switzerland, Uganda and the United Arab Emirates.

    What were the perpetrators looking for?

    According to Kaspersky, files were copied from the infected computers on a large scale. The description sounds more like broad reconnaissance than targeted attacks. The perpetrators searched for text files, spreadsheets, and keys for the cryptography programs PGP and GnuPG. E-mails were also copied, and connected drives and smartphones were read out.

    File extensions that Rocra looked for also point, according to Kaspersky, to a particular interest in files associated with the Acid Cryptofiler encryption program used by the EU and NATO. The file extension xia could be a reference to the German encryption software Chiasmus.

    How was the attack discovered?

    Kaspersky says it was alerted to the attack by a business partner who wishes to remain anonymous. Analysis of the discovered malware then put the researchers on the trail of further victims. Using a kind of trap, a so-called sinkhole, Kaspersky finally identified six of the 60 control servers from which the infected computers receive commands.

    How did the attackers proceed?

    The attacks were evidently tailored precisely to the respective victims. The attackers sent documents by e-mail that appeared to be of interest to the victims. As an example, Kaspersky presents a screenshot of an advertisement for a used diplomatic vehicle. Later infection e-mails were apparently crafted precisely on the basis of data stolen earlier. The documents were combined with malicious code that exploited already known security vulnerabilities, specifically in Microsoft Word and Excel.

    As soon as the recipient opened such an attachment, a Trojan was smuggled onto the computer, which in turn downloaded further malicious code from an enormous library. The hijacked computers were then controlled by a cascade of 60 so-called command-and-control servers (C&C). According to Kaspersky, these are chained together in such a way that it is impossible to identify the actual source of the control commands.

    The espionage tools that were downloaded are diverse and sophisticated. More than a thousand software modules were found, fulfilling 34 different functions. Some modules reconnoitred the infected network, copied the browsing history of the installed browser or checked which drives were connected. Others specialized in password theft, or in copying entire e-mail traffic or whole directories from the infected computer. Other modules specialized in reading connected USB drives, some even in recovering deleted data on such drives.

    Rocra can also take over, or at least read out, mobile phones connected to infected computers, the contact list for example. Almost as a matter of course, the attackers also installed backdoors on the infected computers and phones in order to execute further commands or download software later. Rocra finally transmits the files it finds, packed and encrypted, over the Internet to control servers.

    Who could be behind it?

    According to Kaspersky, the malware contains indications of developers from at least two different nations. The exploits, i.e. the parts of the malicious code that exploit specific security vulnerabilities, “appear to have been developed by Chinese hackers”, the report’s authors write. They say these had previously been used in cyber attacks against Tibetan activists and targets in the energy and military sectors in Asia. Such exploits could also have been bought on the black market. The malware code itself, however, appears to come from “Russian-speaking” developers.

    For example, the Russian term “Zakladka” appeared in the program code. It can mean foundation stone or stand for something “embedded”. But the term could also mean “bookmark” or simply “undefined function”. It could also refer to a “microphone hidden in the wall of an embassy”, the Kaspersky report says.

    14 January 2013, 18:37

    By Konrad Lischka and Christian Stöcker

    Find this story at 14 January 2013

    © SPIEGEL ONLINE 2013

    ‘Red October’ cyber-attack found by Russian researchers

    A major cyber-attack that may have been stealing confidential documents since 2007 has been discovered by Russian researchers.

    Kaspersky Labs told the BBC the malware targeted government institutions such as embassies, nuclear research centres and oil and gas institutes.

    It was designed to steal encrypted files – and was even able to recover files that had been deleted.

    One expert described the attack find as “very significant”.

    “It appears to be trying to suck up all the usual things – word documents, PDFs, all the things you’d expect,” said Prof Alan Woodward, from the University of Surrey.

    “But a couple of the file extensions it’s going after are very specific encrypted files.”

    In a statement, Kaspersky Labs said: “The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.

    “The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.”
    ‘Carefully selected’

    In an interview with the BBC, the company’s chief malware researcher Vitaly Kamluk said victims had been carefully selected.

    “It was discovered in October last year,” Mr Kamluk said.

    “We initiated our checks and quite quickly understood that this is a massive cyber-attack campaign.

    “There was a quite limited set of targets that were affected – they were carefully selected. They seem to be related to some high-profile organisations.”

    Red October – which is named after a Russian submarine featured in the Tom Clancy novel The Hunt For Red October – bears many similarities with Flame, a cyber-attack discovered last year.

    Like Flame, Red October is made up of several distinct modules, each with a set objective or function.

    “There is a special module for recovering deleted files from USB sticks,” Mr Kamluk said.

    “It monitors when a USB stick is plugged in, and it will try to undelete files. We haven’t seen anything like that in a malware before.”

    Also unique to Red October was its ability to hide on a machine as if deleted, said Prof Woodward.

    “If it’s discovered, it hides.

    “When everyone thinks the coast is clear, you just send an email and ‘boof’ it’s back and active again.”
    Cracked encryption

    Other modules were designed to target files encrypted using a system known as Cryptofiler – an encryption standard that used to be in widespread use by intelligence agencies but is now less common.

    Prof Woodward explained that while Cryptofiler is no longer used for extremely sensitive documents, it is still used by the likes of Nato for protecting privacy and other information that could be valuable to hackers.

    Red October’s targeting of Cryptofiler files could suggest its encryption methods had been “cracked” by the attackers.

    Like most malware attacks, there are clues as to its origin – however security experts warn that any calling cards found within the attack’s code could in fact be an attempt to throw investigators off the real scent.

    Kaspersky’s Mr Kamluk said the code was littered with broken, Russian-influenced English.

    “We’ve seen use of the word ‘proga’ – a slang word common among Russians which means program or application. It’s not used in any other language as far as we know.”

    But Prof Woodward added: “In the sneaky old world of espionage, it could be a false flag exercise. You can’t take those things at face value.”

    Kaspersky’s research indicated there were 55,000 connection targets within 250 different IP addresses. In simpler terms, this means that large numbers of computers were infected in single locations – possibly government buildings or facilities.

    A 100-page report into the malware is to be published later this week, the company said.

    14 January 2013 Last updated at 13:26 GMT
    By Dave Lee
    Technology reporter, BBC News

    Find this story at 14 January 2013

BBC © 2013 The BBC is not responsible for the content of external sites.

    The hunt for Red October: The astonishing hacking ring that has infiltrated over 1,000 high level government computers around the world

    Researchers say the cyber attack has been in operation since 2007 – and is still running
    Operation described as ‘massive’ and has stolen ‘several terabytes’ of data
Security firm which discovered the attacks claims there is ‘strong technical evidence the attackers have Russian-speaking origins’ – but says a private firm or rogue nation could be behind the network.
    Targets included diplomatic and governmental agencies of various countries across the world, research institutions, energy and nuclear groups, and trade and aerospace firms

    A major cyber-attack that has been stealing information from high level government computers around the world since 2007 has been discovered.

    Kaspersky Labs, which made the discovery, said in addition to diplomatic and governmental agencies of various countries across the world, Red October also targeted research institutions, energy and nuclear groups, and trade and aerospace targets.

    The firm even said the malware was used to infiltrate smartphones of government workers to electronically steal information.

    The full extent of the Red October operation is revealed in this infographic, showing how it has hit countries across the globe

    WHAT HAS BEEN STOLEN?

    The main objective of the attackers was to gather sensitive documents from the compromised organisations.

    This included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.

Overall, Kaspersky said over 7 terabytes, or 7,000GB, of data has been stolen.

    The primary focus of the campaign was targeting countries in eastern Europe.

    ‘Former USSR Republics and countries in Central Asia were targeted, although victims can be found everywhere, including Western Europe and North America’, said Kaspersky Lab, an antivirus software firm which made the discovery.

‘The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.’

    Red October, which has been active since at least 2007, appears to collect files encrypted with software used by several entities from the European Union to Nato.

    Kaspersky said Red October also infected smartphones, including iPhones, Windows Mobile and Nokia handsets.

    It is believed to be still operating, although since the research was published, the attackers are believed to have started dismantling the system to protect their identities.

    ‘The project started in October 2012, we received a suspicious executable from a partner,’ Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab told MailOnline.

    ‘We checked and began to understand what we had was quite massive – we found 1,000 different files in a few weeks, each of them a personalised email.’

    Mr Kamluk said the attacks were highly customised.

    ‘There are a very limited number of machines, around 1,000 around the world, but every target is carefully selected.’

    ‘We extracted language used and found Broken English was used, with Russian words thrown in, such as Proga, commonly used among Russian programmers.

    ‘However, we are not pointing fingers at Russia – just that Russian language has been spotted.

    ‘It could be any organisation or country behind this, it could be nation states or a private business or criminal group.

    HOW RED OCTOBER WORKS

    One of the fake emails used to infect computers

    Red October is a malware attack.

    Initially the malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the various applications.

    Intended targets received personalised correspondence based on gathered intelligence on individual people (an example is on the right).

These attacks comprised two major stages:

    Initial infection: Right after the victim opens the malicious document on a vulnerable system, the embedded malicious code initiates the setup of the main Red October software on the machine.

    This handles further communication with the master servers run by the hackers, and can survive the computer being restarted.

    Spying: Next, the system receives a number of additional spy modules from the hacker’s server, including modules to handle infection of smartphones – the team said iPhones, Windows phones and Nokia handsets were seen on the network.

The specific modules are customised for each mobile depending on the information the hackers wanted.

    The main purpose of the spying modules is to steal information.

    All gathered information is packed, encrypted and only then transferred to the Red October command servers.

Other modules were designed to target files encrypted using a system known as Cryptofiler – an encryption standard that used to be in widespread use by intelligence agencies but is now less common.

    The campaign, identified as ‘Rocra’, short for ‘Red October’, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware.

    Kaspersky’s research indicated there were 55,000 connection targets within 250 different IP addresses.

    Most infection connections were found coming from Switzerland, followed by Kazakhstan and Greece.

‘There is sensitive geopolitical information being stolen, which is very valuable,’ said Mr Kamluk.

Kaspersky estimates there were 20-30 developers working full time on this, and all were ‘very experienced programmers’.

    By Mark Prigg

    PUBLISHED: 14:39 GMT, 16 January 2013 | UPDATED: 14:56 GMT, 16 January 2013

Find this story at 16 January 2013
    © Associated Newspapers Ltd

    Former U.S. Navy Officer Detained for Attempting to Spy for Russia

    Hoffman, 39, is set to remain in custody until a detention hearing on Tuesday.

    A former U.S. Navy officer has been detained for attempting to hand over secret information on tracking U.S. submarines to Russian intelligence.

    CNN reported Thursday that submarine specialist Robert Patrick Hoffman II was detained Thursday morning in Virginia Beach, Virginia, while trying to pass classified information to CIA operatives posing as Russian agents.

    07 December 2012
    The Moscow Times

    Find this story at 6 December 2012

    © Copyright 2013. The Moscow Times. All rights reserved.

    Former Navy Sailor Charged with Attempted Espionage

    A former Navy sailor has been arrested and charged with attempting to pass classified information about U.S. submarines to Russian spies.

    Robert Patrick Hoffman II was arrested by agents from the FBI and the Naval Criminal Investigative Service (NCIS) this morning at his home in Virginia Beach.

    According to the indictment returned by a federal grand jury in Norfolk, Va., Hoffman served in the Navy for 22 years and achieved the rank of petty officer first class. Hoffman worked as a cryptological technician where he had access to classified information about codes and signals intelligence. Hoffman, who served as a submarine warfare specialist, retired from active duty on Nov. 1, 2011.

    The indictment alleges that on Oct. 21, 2012 Hoffman attempted to pass information “relating to the national defense of the United States, including information classified as SECRET that revealed and pertained to methods to track U.S. submarines, including the technology and procedures required.”

    Hoffman believed he was meeting with representatives from the Russian government but in actuality they were undercover FBI agents.

    “The indictment does not allege that the Russian Federation committed any offense under U.S. laws in this case,” the Justice Department noted in the press release announcing the case.

    Dec 6, 2012 4:43pm

    Find this story at 6 December 2012

    Copyright © 2013 ABC News

    FBI: Retired sailor faces spy charges

    A retired cryptologic technician allegedly attempted to deliver sub-tracking secrets to the Russians, but ended up caught in an FBI sting instead.

    A federal grand jury charged retired Cryptologic Technician 1st Class (SS) Robert Patrick Hoffman II on Wednesday with attempted espionage, according to an FBI release. The former sailor earned a top secret security clearance while in the Navy, according to the release, and allegedly offered secret information to the Russians in October.

    The “Russians” were actually part of an undercover FBI operation, according to the release. Hoffman, 39, was arrested Thursday morning “without incident” and is scheduled to be in federal court in Norfolk, Va., on Thursday afternoon.

    He retired Oct. 31, 2011, about a year before his alleged espionage.

    By Kevin Lilley – Staff writer
    Posted : Thursday Dec 6, 2012 13:52:16 EST

    Find this story at 6 December 2012

    All content © 2013, Gannett Government Media Corporation

    Canadian spy’s guilty plea closes lid on serious breach

    A CANADIAN spy who compromised Australian intelligence information has pleaded guilty to espionage, having reportedly sold secrets to Russia for $3000 a month.

    Canadian naval officer Jeffrey Paul Delisle’s guilty plea in Nova Scotia’s supreme court on Wednesday has ensured that the Canadian, United States and Australian governments will not be embarrassed by a jury trial that would have revealed details of one of the worst Western security breaches since the end of the Cold War.

    Delisle’s sale of top-secret intelligence to Russian agents was the subject of high-level consultation between the Australian and Canadian governments last January and was discussed at a secret international conference of Western security agencies at Queenstown, New Zealand, in February.

    Fairfax Media reported in July that Australian security sources had privately acknowledged the massive security breach compromised Western intelligence information and capabilities.

    The Australian Security Intelligence Organisation was also briefed on the case through liaison with the Canadian Security Intelligence Service.

    Sub-Lieutenant Delisle worked at the Royal Canadian Navy’s Trinity intelligence and communications centre at Halifax, Nova Scotia. A naval intelligence and security analyst, he had access to a top-secret computer network code-named Stone Ghost that connects the defence intelligence agencies of the US, Britain, Canada, Australia and New Zealand.

    Australian security sources say much of the information Delisle sold was top-secret signals intelligence collected by the five agencies.

    Delisle’s guilty plea means that few details of the espionage case have or will be made public.

    However, newly released information from Delisle’s bail hearing in January has revealed that facing chronic financial difficulties, he began a four-year espionage career by walking into the Russian Embassy in Ottawa in 2007. Wearing civilian clothes, Delisle displayed his Canadian military identification badge and asked to meet someone from GRU, the Russian military intelligence service.

    October 12, 2012
    Philip Dorling

    Find this story at 12 October 2012

    Copyright © 2013 Fairfax Media

    Royal Navy submariner admits meeting ‘Russian spies’

    Petty officer gathered secret coding programs and met two people he thought were Russian agents, court hears

    Edward Devenney admitted discussing information relating to the movement of nuclear submarines. Photograph: Gaz Armes/ MoD Crown Copyright/PA

    A Royal Navy submariner was caught trying to sell secrets to Russia in a sting operation led by the security services, the Guardian understands.

    Edward Devenney, 30, pleaded guilty on Tuesday to collecting secret coding programs used by the British and attempting to pass the classified information on to Moscow.

    Devenney, who is formerly from Northern Ireland, was a submariner on HMS Vigilant, a Trident nuclear submarine, when he decided to pass on secrets to the “enemy”, it is understood. The submarine – one of four that make up the UK’s nuclear deterrent – is normally based at Faslane in Scotland but had been refuelling at Devonport dock in Plymouth when Devenney’s activities raised the suspicions of his senior officers.

    Devenney’s motivation, it is believed, was unhappiness with his situation and a degree of anger towards his employers after being passed over for promotion, rather than an issue of ideology or money.

    A prolific tweeter, his behaviour raised the suspicions of his senior officers and over a period of months an undercover operation was carried out.

    This led to Devenney contacting two people he believed were from the Russian secret service and discussing information relating to the movement of nuclear submarines with them. However, he was in fact talking to British agents.

    Devenney was arrested and charged under the Official Secrets Act. He appeared at the Old Bailey in London and pleaded guilty to gathering details of encryption programs in breach of the act.

    The charge related to collecting information for a purpose prejudicial to the safety of the state between 18 November 2011 and 7 March 2012. The information was described in court as “crypto material” – or codes used to encrypt secret information – which could be useful to an enemy.

    Devenney also admitted a charge of misconduct in a public office in relation to a meeting with two people he believed were from the Russian secret service. He admitted meeting the two individuals and discussing the movement of nuclear submarines with them. He denied a further count of communicating information to another person. The Crown Prosecution Service would not pursue this charge, the court heard.

    Sandra Laville, crime correspondent
    guardian.co.uk, Tuesday 13 November 2012 13.15 GMT

    Find this story at 13 November 2012
    © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

    Eight years for submariner who took secret photos in ‘disgusting’ betrayal

Threat: Edward Devenney took photographs on board HMS Vigilant

    A Royal Navy petty officer was jailed for eight years today after taking mobile phone pictures in the top-secret communications room of a nuclear submarine and planning to pass information to the Russians.

Edward Devenney secretly photographed canisters holding code systems used throughout Britain’s armed forces, which are normally locked in a safe.

    Such a security breach could have jeopardised any chance of British submarines operating undetected by the enemy, the Old Bailey heard. Navy chiefs still do not know how he was able to open the safe and take the photos undetected.

    Mr Justice Saunders told him: “You were prepared to betray your country and your colleagues. It needs to be understood by those who may be tempted to pass on secrets that long sentences will follow even unsuccessful attempts.”

Devenney rang the Russian embassy 11 times and later made contact with two men called Dimitri and Vladimir he believed to be enemy agents. He told them he was disillusioned with the Navy saying: “I’m just a bit p***** off with them. I know it’s petty but I just want to hurt them.”

    Paul Cheston

    12 December 2012

    Find this story at 12 December 2012

    © 2012 Evening Standard Limited

    Nuclear submariner tried to pass secrets to Russians to ‘hurt’ Royal Navy

    A disillusioned Royal Navy submariner betrayed his country by trying to pass nuclear sub secrets to Russian agents because he wanted to “hurt” the Navy.

    Petty Officer Edward Devenney was jailed for eight years yesterday for breaching the official secrets act after being caught in an elaborate MI5 sting operation.

    He spent three months in contact with men who he thought were two Russian spies but were actually British agents, the Old Bailey heard.

    He continued with his plan, done in revenge for not being promoted, despite having suspicions and even told one: “Your accent sounds remarkably fake, like British intelligence”.

    A communications engineer, he offered highly sensitive details of the movements of nuclear submarines and of a previous secret operation.

He also photographed top secret code information that could have caused “substantial damage to the security of the UK”.

The case last night also raised questions over Royal Navy security because Devenney had been able to access the code material from a locked safe.

    He was also allowed to remain in his sensitive post despite having problems with drink and depression after being charged with rape, for which he was later acquitted, and had been warned he would be sacked after showing signs of erratic behaviour such as going absent without leave.

    Passing sentence, Mr Justice Saunders said: “This is a very serious case. The defendant was prepared to betray his country and his colleagues.”

    Devenney, 30, from County Tyrone, had been a “blue-eyed boy” with a promising future in the Royal Navy, which he had served loyally for more than ten years, the court heard.

    Lord Carlile QC, defending, said his career went “awry” in 2010 after he was charged with alleged rape, for which he was acquitted.

    He began drinking excessively and became depressed and the following year asked to be removed from a promotion training course for 12 months.

    However, he later decided he had been treated badly by the Navy and wanted to “hurt” them, Mark Dennis, prosecuting, said.

In November last year he began calling the Russian embassy in London, including 11 calls on one day shortly after a 12-hour binge drinking session.

    At the time he was stationed on the nuclear submarine HMS Vigilant, which was in Plymouth undergoing a refit.

    The following month he was contacted by a man called “Dima” who claimed to be from the Russian embassy.

    A week later another man called Vladimir called claiming to be a colleague of Dima.

    A series of phone calls and text messages were exchanged in which Devenney said he was “****** off” with the Royal Navy and that they could “help each other”.

    In January, it was arranged he would meet Vladimir at the British Museum in London and the pair then met Dima in a nearby hotel room.

During the secretly filmed meeting, Devenney offered details of a previous secret operation by HMS Trafalgar, a hunter-killer submarine, and various movement dates of two nuclear submarines.

    Such advance notice could allow an enemy state time to set up equipment to record the sub’s unique signature information which would have meant it could have been tracked anywhere in the world, the court heard.

    Two days after first contacting the Russian embassy, Devenney also managed to get into a locked safe on board HMS Vigilant and take three photographs of part of a secret code for encrypted information.

    The pictures were placed on his laptop but he never passed them on or even mentioned them during his later meeting with the “Russians”.

    Devenney pleaded guilty to breaching the Official Secrets Act by gathering classified information and misconduct by meeting the supposed spies.

    The judge said he was passing a deterrent sentence because “those who serve their country loyally must know that those who don’t will receive proper punishment.”

    By Tom Whitehead, Security Editor

    5:15PM GMT 12 Dec 2012

    Find this story at 12 December 2012

    © Copyright of Telegraph Media Group Limited 2013

    MI5 arrests Royal Navy petty officer for trying to spy for Russia

A member of the British Royal Navy has been arrested in a counterintelligence sting operation, after trying to sell top-secret government documents to people he believed were Russian operatives. Petty Officer Edward Devenney, who has been in the Royal Navy for over a decade, was arrested earlier this week while meeting with two MI5 officers posing as Russian spies. Originally from Northern Ireland, Devenney, 29, appears to have been motivated by disgruntlement against the Navy, after his planned promotion to commissioned officer was halted due to financial austerity measures imposed on the military by the British government. According to the court indictment, Devenney contacted an unnamed “embassy of a foreign country” in London, offering to provide classified information in exchange for money. It is unknown at this point how exactly MI5, the British government’s foremost counterintelligence organization, became privy to the content of Devenney’s communication with officials at the unidentified embassy. What is known is that, after several messages were exchanged between the parties, Devenney arranged to meet two people he believed were Russian government employees. In reality, the two individuals were MI5 officers, who were able to film the clandestine meeting. Devenney was apparently arrested on the spot, having first announced that he wished to “hurt the Navy” because his promotion to a commissioned officer had been “binned” by the British government. He also shared with them classified information, which British government prosecutors say he collected meticulously between November 19, 2011, and March 7 of this year. The information consisted of cryptological material, including encryption codes for British naval communications, operational details about the now decommissioned submarine HMS Trafalgar, as well as “the comings and goings of two nuclear submarines”.

November 15, 2012 by Joseph Fitsanakis

    By JOSEPH FITSANAKIS | intelNews.org |

    Find this story at 15 December 2012

Defence Ministry tried to buy off ex-spy

The Ministry of Defence offered five hundred thousand euros in hush money to ex-agent I.A. (42) of the military intelligence service MIVD. On secret tape recordings – in the possession of De Telegraaf – Marc Gazenbeek, director of legal affairs at the Ministry of Defence, can clearly be heard offering the ’incredibly nice’ sum of money, as he himself puts it.

In return, the ex-agent must drop all legal proceedings against the Ministries of Defence and of Foreign Affairs. State advocate (landsadvocaat) Eric Daalder and I.A.’s lawyer Michael Ruperti were also present at the negotiations between the ex-agent and Defence.

by Bart Olmer and Charles Sanders

Fri 18 Jan 2013, 05:30

Find this story at 18 January 2013

    © 1996-2013 TMG Online Media B.V., Amsterdam.

One Man, Three Lives: The Munich Olympics and the CIA’s New Informant

    Willi Voss started as a petty criminal in Germany’s industrial Ruhr Valley. Before long, though, he found himself helping the PLO, even playing a minor role in the 1972 Munich Olympics attack. He went on to become a valuable CIA informant, and has now written a book about his life in the shadows. By SPIEGEL Staff

    In the summer of 1975, Willi Voss was left with few alternatives: prison, suicide or betrayal. He chose betrayal. After all, he had just been betrayed by the two men whom he had trusted, and whose struggle had forced him to lead a clandestine existence.

    It was Palestinian leader Yasser Arafat’s closest advisers who had used him and jeopardized his life: Abu Daoud, the mastermind behind the terror attack on Israeli athletes at the 1972 Summer Olympics in Munich, and Abu Iyad, head of the PLO intelligence service Razd.

    Voss, a petty criminal from West Germany’s industrial Ruhr region, in cahoots with Palestinian leaders who were feared around the world? It took a number of coincidences and twists of fate in Voss’ life before he found himself in such a position, but here he was on a mission for the Palestinians — in a Mercedes-Benz, traveling from Beirut to Belgrade, together with his girlfriend Ellen, so it would all look like a vacation trip.

    His job was to deliver the car, Iyad and Daoud had said. But they had neglected to mention that the Mercedes contained automatic weapons, a sniper rifle and explosives, which were hidden in a secret compartment and consisted of a number of packages, each weighing 20 kilos (44 pounds) — complete with fully assembled detonators made of mercury fulminate, a highly unstable substance. If Voss had gotten into an accident or hit a deep pothole, he, the car and his girlfriend would have been blown to pieces.

    Voss only found out about his dangerous cargo when Romanian customs officials tore the vehicle apart. The only thing that saved the 31-year-old and his companion from ending up behind bars was the fact that the PLO maintained excellent ties with the Romanian regime. Romanian officials placed the two Germans in a car driven by a couple of pensioners from the Rhineland region, who were on their way back home to Germany after a vacation. Voss and his girlfriend hopped out in Belgrade. This was the end of the road for them — and, as Voss recalls today, the day when they had to make a fateful decision: prison, suicide or betrayal?

    Becoming a Defector

    Prison: In Germany there was a warrant for Voss’ arrest. A few years earlier, he had been taken into custody during a raid at the Munich home of a former SS officer who was in league with neo-Nazis. Investigators had secured weapons and explosives from the PLO along with plans for terror attacks and hostage-taking missions in Cologne and Vienna.

    Suicide: Voss and his companion spent three days and nights in a tawdry hotel in Belgrade, where they continuously debated whether they should put an end to their lives. But they decided against this option as well.

    That left only betrayal. Voss and his girlfriend went to the American embassy, demanded to speak to a diplomat and made the statements that would add yet another twist to his already eventful life: “I am an officer of Fatah. This is my wife. I’m in a position to make an interesting offer to your intelligence agency.”

    Voss became a defector. He went from being an accomplice of Palestinian terrorists to a member of the US intelligence agency — from a handmaiden of terror to a CIA spy. As if his first life were not eventful enough, Voss opted for a second life: as a CIA spook with the codename “Ganymede,” named after the kidnapped lover of Zeus, the father of the gods in Greek mythology.

    His career as an undercover agent took him from Milan and Madrid back to Beirut and the headquarters of the PLO intelligence service. “Ganymede” provided information and documents that helped thwart attacks in the Middle East and Europe. Duane Clarridge, the legendary and infamous founder of the CIA Counterterrorist Center, even gave him the mission of catching top terrorist Carlos, “The Jackal.”

    Today, as he sits in a Berlin café and talks about his life, the gray-haired man clad in a black leather jacket appears at times bitingly ironic, at times shy and prone to depression — making it all the more difficult to reconcile him with the daredevil who lived through this lunacy.

    ‘Naked Fury’

    Voss, who was called Pohl until he adopted the name of his first wife, often says: “That’s exactly how it was, but nobody believes it anyway” — as if he himself had trouble tying together all the loose ends of his life to create a coherent biography. He is 68 years old and wants to get one thing straight: He has never been a neo-Nazi, he insists. “I was a stray dog — one that had been kicked so often that it wanted to bite back, no matter how,” says Voss. “If I had met Andreas Baader at the time,” he contends, “I would have presumably ended up with the Red Army Faction.”

    It’s a statement that only becomes plausible when one considers the other formative experiences of his life. He recounts that his childhood was marred by violence, sexual abuse and other humiliations. “As a child, I constantly faced situations in which I was completely powerless,” says Voss, “and that triggered a naked fury, utter shame and the feeling that I was the most worthless thing in the world.”

As a teenager, he sought to escape this world by joining a clique of young rowdies whose dares included stealing mopeds for joy rides. That got him a year in juvenile detention.

    This could have led to a small, or even substantial, career as a criminal in the industrial Ruhr region. But in 1960, Voss met Udo Albrecht in prison, who later became a major figurehead in the German neo-Nazi scene. Albrecht fascinated his fellow prisoners with his dream of using mini submarines to smuggle in diamonds from the beaches of southwest Africa.

    Yes, he actually believed this nonsense at the time, admits Voss. Politics didn’t come into the picture until later on, he says, when the two jailbirds met in another prison in 1968. This time Voss was doing time for breaking and entering. “Albrecht talked and acted then like an unabashed Nazi,” says Voss. But he says that this did nothing to diminish his friendship with the self-proclaimed leader of the “People’s Liberation Front of Germany.”

    Hooking Up with the Palestinians

    Voss’ connection with the PLO began when he helped smuggle his buddy Albrecht out of prison in a container. The neo-Nazi slipped away to Jordan, where he hooked up with the Palestinians. When Daoud, the architect of the Munich massacre, asked him if he knew a reliable man in Germany, Albrecht recommended his prison pal from the Ruhr region.

Voss made himself useful. In Dortmund he purchased a number of Mercedes sedans for Daoud — and he established contact with a passport forger in his circle of acquaintances. Today, Voss believes that he was even involved in the preparations for the Munich attack. For a number of weeks, he says, he drove the leader of Black September, a terrorist group with ties to the PLO, “all across Germany, where he met with Palestinians in various cities.”

    The Palestinians used him to handle other jobs, as well: “I was to hold a press conference in Vienna, in which I would comment on a mission that I would only find out about once it was successfully completed,” as the PLO chief of intelligence Iyad had told him. When Voss saw the images on TV, he realized that the “mission” was the massacre at the 1972 Summer Olympics. Instead of securing the release of hundreds of Palestinian prisoners, as the hostage-takers had demanded, it ended in a bloodbath: Nine Israeli hostages, five Palestinian terrorists and one German policeman died.

    Six weeks later, Voss was arrested in Germany. He had machine guns and hand grenades that stemmed from the same source as the weapons used by the Palestinian hostage-takers in Munich. This marked the beginning of wild negotiations initiated by Voss’ lawyer Wilhelm Schöttler, who sent a letter with a “classified” offer to Federal Minister for Special Affairs Egon Bahr.

    The offer was simple: Release Voss to allow for negotiations with Black September. The objective was to prevent further attacks on German soil. Today, it is known that high-ranking officials at the Foreign Ministry met with the lawyer, who was considered a right-wing radical, and discussed an ongoing series of demands until March 1974, when then-Interior Minister Hans-Dietrich Genscher decided to end the negotiations.

Looking for Carlos

Six days later, a court in Munich handed Voss a relatively mild prison sentence of 26 months for contravening the War Weapons Control Act.

    In December of 1974, his sentence was suspended despite the fact that he was still under investigation on suspicion of being a member of Black September. In Feb. 1975, he slipped out of Germany and headed back to Beirut, where he was soon serving the Palestinian cause again — right up until that big turning point in his life when he drove a car packed with weapons and explosives to the Romanian border in the summer of 1975.

    Even today, one can sense the enormous respect that CIA veterans still have for their former German agent. “I’ve often wondered if he made it,” says Terrence Douglas, “although we are trained to keep our distance and to forget everything after the job is done and move on.”

    Douglas, codename “Gordon,” was Voss’ commanding officer at the CIA. He has a very high opinion of his operative “Ganymede”: “Willi was a very cool guy. He was creative and a bit crazy — we spent a very, very intense time together.”

    It takes a healthy dose of courage to secretly photograph documents at the PLO intelligence service headquarters. “Ganymede” foiled attacks in Sweden and Israel, identified terror cells in diverse countries and supplied information on collaborations between the neo-Nazi Albrecht and his accomplices with Arafat’s Fatah. And, as if all that were not enough, Voss lived next door to top terrorist Abu Nidal.

    Surprisingly, though, the CIA agents stationed in Belgrade and Zagreb whom Voss first met were not particularly thrilled with the young German. “They thought he was too boring,” says Douglas with a laugh. “But they had no clue. They didn’t know about the Black September list of people to be released with the hostage-taking at the Saudi Arabian embassy in Sudan in March 1973.”

    Refusing to Tell the Truth

    Members of the terror organization had also sought the release of a German during their operation in Sudan: Willi Voss. “That was his reference,” says Douglas. “That’s the reason why we were excited by him.”

    The CIA made sure that Voss no longer had to fear being arrested in Germany. “It was clear to him that he couldn’t continue with his previous lifestyle,” says Douglas. “He wanted to survive and someday be able to settle again undisturbed in Germany,” he recalls. “After all, he had a wife, and she had a 10-year-old kid. It was a package deal, I took care of them.”

    “As always in such situations, we informed the CIA office in Bonn, and they arranged everything with the BND or the BKA, depending on the situation,” says spymaster Clarridge, referring to Germany’s foreign intelligence agency and domestic criminal investigation agency respectively. Only a few weeks after the first meeting, the German arrest warrant had been rescinded.

    Today, German authorities still refuse to tell the truth about these events. In the wake of revelations published in a June 2012 SPIEGEL article on the Munich massacre, Bavarian state parliamentarians Susanna Tausendfreund and Sepp Dürr of the Green Party demanded that the state government reveal “what documents from what Bavarian government agencies responsible at the time (exist) … on Willi Voss.”

    In late August 2012, the Bavarian Interior Ministry responded — and it had a surprise. Ministry officials said that Voss had submitted a plea for clemency, which had received a positive response. “The content of this plea for clemency,” they noted, however, was “classified.” This is demonstrably false. Voss has never submitted a plea for clemency.

    On the Terrace of an Athens Hotel

    In any case, the deal certainly paid off for the Americans: Voss didn’t disappoint them, even at risk of life and limb. In the fall of 1975, the Christian Phalange militia in Lebanon held him captive because they thought he was what he pretended to be — a German member of Black September.

    For weeks, Voss endured torture and mock executions without blowing his cover. For the CIA, this was a recommendation for an even riskier job. When Voss was released, he was told to hunt down Carlos, “The Jackal,” who, as a terror mercenary employed by Libyan revolutionary leader Moammar Gadhafi, had stormed OPEC headquarters in Vienna, and was committing murders for Palestinian terror groups.

    Voss traveled to Athens. On the terrace of a hotel with a view of the Acropolis, not only Douglas, but also Clarridge — who had specially flown in from Washington — were waiting to meet the daring German operative. In his memoirs, Clarridge described the meeting as follows: “Just hours before I had left headquarters at Langley on this trip, a very senior clandestine service officer asked to see me alone in his office on the seventh floor. He could be excruciatingly elliptical when he desired — and this was such an occasion. Referring to my meeting with this agent in Athens, he hinted that if the agent could set up Carlos to be taken by a security service, it would be a boon for mankind and worth a bonus. I recall ten thousand dollars being mentioned. If Carlos were killed in the process, so be it. I acknowledged that I understood and left for Athens.”

    Voss’ job was to find out where the Jackal was staying. But “Ganymede” lost his nerve this time. “Abu Daoud had told me that Carlos had a place in Damascus, not far from his own apartment,” Voss recalls today. “If something had happened to him, the people at the PLO intelligence service would have automatically suspected me. I found that too risky.”

    ‘CIA Beats Nazi’

    In retrospect, his CIA contact Douglas was extremely happy about this decision. On December 6, 2012, after meeting with SPIEGEL, he sent an e-mail to his former agent: “I was delighted to hear that you are ageing gracefully — the alternative would have been unthinkable for me. … Let me say, I hold you in deep respect for your courage, quickness, wry humor, dedication and trustworthiness.” Douglas had written a book before he found out that Voss had survived his adventurous life. It’s a novel about a “plot in the Middle East” entitled: “Ganymede”.

    Voss is also writing books; his third life. He specializes in crime thrillers and screenplays, having completed some 30 works since the late 1970s. But the author has never dared to tackle the most thrilling material of all — his complete life story.

    Now, he’s telling the story for the first time. The German title of his book is “UnterGrund” (“Under Ground”) and, according to the preface, readers should not expect “a written confession seeking forgiveness.” Instead, he notes that “this is an account of events that, for security reasons, I thought I would have to keep secret forever.” Voss intends to save his honor and provide an explanation for his actions. In order to report on the 1972 Munich massacre, last spring SPIEGEL had applied for the release of classified files and written two articles mentioning Voss’ role in the attack. Afterwards, at least in the author’s eyes, his reputation was in tatters.

    BY KARIN ASSMANN, FELIX BOHR, GUNTHER LATSCH and KLAUS WIEGREFE

    01/02/2013 06:07 PM

    Find this story at 2 January 2013

    © SPIEGEL ONLINE 2013

    Revealed: German neo-Nazi who helped Palestinians was CIA agent

    A German far-right militant, whose animosity against Jews led him to help Palestinians kill Israeli athletes in the 1972 Munich massacre, says he was later recruited by the United States Central Intelligence Agency. Willi Pohl, also known as Willi Voss, 68, was arrested by German authorities a few weeks after the Palestinian terrorist group Black September stormed the Olympic village in Munich and took hostage 11 Israeli athletes. All of them were eventually killed by their captors during a botched escape attempt at the nearby Fürstenfeldbruck airport. Voss, who was a known neo-Nazi activist at the time, was charged with possession of weapons and providing logistical support to the Black September militants.

    However, after his sentence was suspended, Voss managed to secretly emigrate to Beirut, Lebanon, where he was recruited as an agent of Jihaz el-Razd, the intelligence service of Fatah, the main group in the Palestine Liberation Organization. But in 1975, while on a PLO mission in Belgrade, Yugoslavia, he decided to switch sides. He made the decision after discovering that the car he and his girlfriend were transporting on behalf of the PLO from Beirut to Belgrade contained weapons and highly unstable explosives. He says that the PLO had apparently failed to mention the existence of the hidden items when they asked him to transport the car to Europe. According to Voss’ new book, which has just been published in Germany under the title UnterGrund (Underground), the guns and explosives were discovered by customs officers in Romania (then Rumania); but because at that time the communist country was an ally of the PLO, Voss and his girlfriend were allowed to travel to Belgrade, minus the car and the weapons. Once in the Yugoslav capital, they made the decision to walk into the US embassy, identify themselves as agents of the Jihaz el-Razd and offer their services to Washington.

    In an interview with the German newsmagazine Der Spiegel, published this week, Voss claims he was recruited by the CIA and given the operational codename GANYMEDE. The interview in Der Spiegel includes confirmation of Voss’ CIA role by his intelligence handler, CIA officer Terrence Douglas. Douglas says he instructed Voss to return to the service of the PLO and Black September, which was a separate group, and provide the US with information about the activities of leading Palestinian militants from various factions, including Abu Daoud, Abu Nidal, and Abu Jihad, who led the Jihaz el-Razd.

    January 4, 2013 by intelNews

    By JOSEPH FITSANAKIS | intelNews.org |

    Find this story at 4 January 2013
