North Korean Cyber Operations

This brief includes remarks by James Clapper on cyber-deterrence and North Korea given while he was Director of National Intelligence, a significant report by Kaspersky Lab on North Korea-linked advanced persistent threat (APT) group Lazarus, a letter from Congress to Treasury Secretary Steven Mnuchin expressing concern over Lazarus cyber-operations targeting banks in 18 countries, an alert by the US Computer Emergency Response Team (US-CERT) on North Korean botnet activity, and a Congressional Research Service brief on North Korean capabilities in cyberspace.

Office of the Director of National Intelligence, Remarks as delivered by DNI James R. Clapper on "National Intelligence, North Korea, and the National Cyber Discussion" at the International Conference on Cyber Security. January 7 2015. Unclassified.

In this speech, Clapper uses an anecdote about a trip to North Korea to argue that a form of cyber deterrence would be appropriate for increasing the cost of North Korean cyber operations.

> https:// nsarchive2.gwu.edu/dc.html?doc=4115022-Office-of-the-Director-of-National-Intelligence

Kaspersky Lab, Lazarus Under the Hood, 2017. Not classified.

This report focuses on a group (Lazarus) whose cyber activities go back at least to 2009, and whose malware has been discovered in a number of serious cyber-attacks (including the 2014 intrusion into the Sony Pictures computer system in 2014 and a 2013 cyber espionage campaign in South Korea). It reports on the results of the lab's forensic investigations in two geographically dispersed banks.

> https:// nsarchive2.gwu.edu/dc.html?doc=3673007-Document-07-Kaspersky-Lab-Lazarus-Under-the-Hood

Robin L. Kelly and James A. Himes, U.S. Congress, Letter to Secretary Steven T. Mnuchin, April 6, 2017. Unclassified.

In this letter to the Secretary of the Treasury, two members of Congress note recent reports that the Lazarus group, a hacking operation linked to the North Korean regime, had targeted banks in 18 different countries. In addition to providing more information about North Korean hacking activities, the authors request a briefing on Treasury Department interaction with private sector organizations to counter such activities.

> https:// nsarchive2.gwu.edu/dc.html?doc=3673011-Document-11-Robin-L-Kelly-and-James-A-Himes-U-S

U.S. Computer Emergency Readiness Team, Alert (TA17-164A), HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure, June 13, 2017. Unclassified.

This alert - intended to help cyber defenders detect malicious cyber activity conducted by the North Korean government (designated HIDDEN COBRA) - contains indicators of compromise, malware descriptions, and network signatures.

> https:// nsarchive2.gwu.edu/dc.html?doc=3869009-U-S-Computer-Emergency-Readiness-Team-Alert-TA17

Congressional Research Service, North Korean Cyber Capabilities: In Brief, August 3, 2017. Unclassified.

This report surveys North Korea's cyber capabilities, offers potential motivations for North Korea's strategy, and examines four case studies.

> https:// nsarchive2.gwu.edu/dc.html?doc=3986441-Congressional-Research-Service-North-Korean

Usually every BND operation ends up, sooner or later, in DER SPIEGEL.

> http:// www.spiegel.de/international/world/us-secretary-of-state-seeks-to-redefine-us-foreign-policy-a-984346.html

"Several sources in the intelligence community have confirmed to SPIEGEL that a large part of these discussions, which ran over satellite uplinks, were listened in on by at least two intelligence services, including that of the Israelis. The Chinese and the Russians were also probably monitoring the calls. As a result, the Israelis often knew exactly what Kerry had discussed with the other side. Kerry knew the risk, but he wanted results – and the conversations were more important to him than his security people's concerns. Neither the Israelis nor the State Department would comment on the phone monitoring."

So 1) Spiegel says he has several sources in the intelligence community.

2) If Spiegel has no certain information on whether the Russians or Chinese are listening, it would have to be another service that has good signals intelligence.

Either Spiegel has sources in the Israeli service, or that was just the "several sources" Spiegel has at BND….

In the book DER NSA KOMPLEX, spiegel indeed says that they got the message on Merkel's phone from a source first, and not from Snowden. In its articles between NSA and germany, Spiegel says:

> http:// www.spiegel.de/international/germany/the-german-bnd-and-american-nsa-cooperate-more-closely-than-thought-a-975445.html

"SPIEGEL has seen from the archive of whistleblower Edward Snowden, when combined with SPIEGEL's own reporting, open up a much broader panorama."

The official nature of the cooperation between Germany and the US in Bad Aibling is documented in a contract, written two years prior to the NSA's official departure, drafted under the auspices of then-Chancellery Chief of Staff Frank-Walter Steinmeier, now Germany's foreign minister. The "Memorandum of Agreement," signed on April 28, 2002, is six pages long and marked Top Secret. It is not from Snowden's material.

And I still wonder where they get information like this:

> http:// www.spiegel.de/politik/ausland/russland-putins-propaganda-wird-dreister-und-funktioniert-a-984074.html

"the reality is: The Russian intercontinental missile SS-18 consists of parts where over 2/3 come from Ukraine. The turbines of the transport airplane AN-124 and the Russian army helicopters come from the Ukrainian city Saporischja and 90% of the machines from which Russia creates material for its army are bought from western countries."

Der Spiegel has the largest fact checking department of a newspaper worldwide, with over 50 full time fact checkers going over each article before it gets published.

In order to determine that 2/3 of the parts of an intercontinental missile comes from Ukraine, you need to know how much parts this rocket consists of and who delivers which parts. Similarly, in order to know how many percent of the machines that build Russian army gear come from the west you need to have detailed insight how these things are produced.

Military Times Crash Database

Military Times has published a searchable database that includes more than 7,500 individual records for military aviation mishap reports for the fiscal years 2011 through 2017. An analysis of the data shows that manned warplane accidents have spiked nearly 40 percent since 2013, the year the mandated budget cuts known as sequestration took effect. The data was obtained through multiple Freedom of Information requests and includes every Class A through Class C aviation mishap. The records can be searched by aircraft type, base, fiscal year and location.

> https:// www.militarytimes.com/news/your-military/2018/04/06/military-times-aviation-database/

Insights in Signals Intelligence, Communications Security and Top Level Telecommunications equipment.

> https:// electrospaces.blogspot.com/

Institution M: the German spy on trial for evading millions in tax

From negotiating with Hezbollah to tracing stolen toxic waste, Werner Mauss was one of Germany’s most prolific secret agents

In secret service circles, he was either known as “Institution M” or “The Man with Nine Fingers”, because of a missing digit on his left hand. Locals in his village thought he was called “Richard Nelson” but his bank clerk knew him as “Claus Möllner”. Politicians at the top of government simply referred to their top secret agent as “007”.

CIA declassifies more of "Zendebad, Shah!" – internal study of 1953 Iran coup

Dozens of formerly Secret passages released, but many operational details still withheld

Internal critique of tensions between CIA directorates sheds light on U.S. approach to covert activities

> https:// nsarchive.gwu.edu/briefing-book/iran/2018-02-12/cia-declassifies-more-zendebad-shah-internal-study-1953-iran-coup

New Findings on Clerical Involvement in the 1953 Coup in Iran

“Large Sums of Money” from U.S. Embassy Sent to “Influential People” in Tehran Prior to August 19, Declassified British Memo Alleges

Latest Declassification of Internal CIA History “The Battle for Iran” Adds More Detail to the Public Record

> https:// nsarchive.gwu.edu/briefing-book/iran/2018-03-07/new-findings-clerical-involvement-1953-coup-iran