Anonymous ID: d95377 Aug. 29, 2018, 8:10 a.m. No.2782975

The CIA falsely believed it was 'invincible' in China — here's how its spies were reportedly discovered and killed in one of the biggest blows to the agency

David Choi

Aug. 16, 2018, 4:27 AM

 

https://www.businessinsider.com/how-china-found-cia-spies-leak-2018-8

 

A new Foreign Policy report cites sources detailing how the communication system between the CIA's spies and handlers in China nearly a decade ago was compromised.

The vulnerability contributed to the deaths of at least 30 spies, the sources said.

This internet-based system, imported from operations in the Middle East, was apparently brought to China under the assumption that it could not be breached.

But, according to the report, the program actually had telltale links to the CIA that would have allowed China to work out what was going on.

 

A firewall used by the CIA to communicate with its spies in China compromised their identities and contributed to their executions by the Chinese government, several current and former intelligence officials told Foreign Policy magazine in a report published Wednesday.

 

In a two-year period starting in 2010, Chinese officials began accurately identifying spies working for the US.

 

Chinese authorities rounded up the suspects and executed or imprisoned them before their handlers were able to determine what was going on.

 

"You could tell the Chinese weren't guessing," one of the US officials said in the report. "The Ministry of State Security were always pulling in the right people."

 

"When things started going bad, they went bad fast."

 

US intelligence officials cited in the report are now placing the lion's share of the blame on what one official called a "f—– up" communications system used between spies and their handlers.

 

This internet-based system, brought over from operations in the Middle East, was taken to China under the assumption that it could not be breached and made the CIA "invincible," Foreign Policy reported.

 

"It migrated to countries with sophisticated counterintelligence operations, like China," an official said.

 

"The attitude was that we've got this, we're untouchable."

 

Intelligence officers and their sources were able to communicate with each other using ordinary laptops or desktop computers connected to the internet, marking a stark departure from some of the more traditional methods of covert communication.

 

More at Link!

Anonymous ID: d95377 Aug. 29, 2018, 8:14 a.m. No.2783006   >>3127

Former CIA Officer Charged With Spying For China

 

May 9, 20182:12 AM ET

 

https://www.npr.org/sections/thetwo-way/2018/05/09/609632477/former-cia-officer-charged-with-spying-for-china

 

An ex-CIA officer arrested in January at New York's John F. Kennedy airport has been charged with conspiracy to commit espionage on behalf of China years after FBI agents turned up notebooks containing classified information in a search of his hotel room.

 

Jerry Chun Shing Lee, 53, a naturalized U.S. citizen, had a top-secret clearance and worked as a field agent for the Central Intelligence Agency from 1994 until 2007. He was living in Hong Kong at the time of his arrest, and had apparently been the target of an FBI investigation since 2012, when agents searching a Honolulu hotel room discovered handwritten notes on "asset meeting, operational meeting locations, operational phone numbers, true names of assets, and covert facilities" pertaining to China, according to a court affidavit.

 

After leaving the CIA, Lee worked for Japan Tobacco International, formed his own company and later joined Christie's auction house in Hong Kong, The South China Morning Post reports.

 

It is not known why the FBI waited so long after uncovering the notebooks to arrest Lee; however, it is also not clear how frequently he traveled to the U.S., where his eventual arrest took place.

 

The charges on Tuesday also included two counts of unlawfully retaining documents related to U.S. national defense. He faces a maximum of life in prison.

 

"The allegations in this case are troubling," said Tracy Doherty-McCormick, acting U.S. attorney for the Eastern District of Virginia. "Conspiring with foreign agents poses a real and serious threat toward our national security."

 

Lee's attorney, Edward MacMahon, denies the charges: "Mr. Lee is not a Chinese spy," he said after his client's initial court appearance in February. "He is a loyal American who loves his country."

 

The New York Times has written that the information in Lee's notebooks is thought to have been used by Beijing to dismantle U.S. spy operations and identify informants inside China.

 

Two years before the FBI searched his hotel room, the CIA had begun "losing its informants in China" to the tune, eventually, of more than a dozen killed or imprisoned.

 

More at Link!

Anonymous ID: d95377 Aug. 29, 2018, 8:19 a.m. No.2783071   >>3086 >>3090 >>3169 >>3298 >>3565 >>3575 >>3585

Chinese company pledged $2 million to Clinton Foundation in 2013

 

https://www.cbsnews.com/news/chinese-company-pledged-2-million-to-clinton-foundation-in-2013/

 

A CBS News investigation has found that at least one foreign company with close ties to its government has been giving generously to the foundation run by Bill, Hillary and Chelsea Clinton.

 

Since its founding, the Clinton Foundation has invested millions each year for work in fighting AIDS and empowering women, but its recent uptick in donations from foreign governments has been raising questions about the potential influence on Hillary Clinton, as she gets ready to run for president.

 

The foundation has raised at least $42 million from foreign governments - and according to an analysis by CBS News - at least $170 million from foreign entities and individuals.

 

One donor, Rilin Enterprises, pledged $2 million in 2013 to the Clinton Foundation's endowment. The company is a privately held Chinese construction and trade conglomerate run by billionaire Wang Wenliang, who is also a delegate to the Chinese parliament. Public records show the firm has spent $1.4 million since 2012 lobbying Congress and the State Department. The firm owns a strategic port along the border with North Korea and was also one of the contractors that built the Chinese embassy in Washington.

 

That contract is a direct tie to the Chinese government, according to Jim Mann, who has written several books on China's relationship with the U.S.

 

With "embassy construction, one of the most important tasks is making sure that there are no bugs there," he said. "So you want to have the closest security and intelligence connections with and approval of the person or company that's going to build your embassy."

 

The Clinton Foundation largely stopped taking money from foreign governments when Hillary Clinton became secretary of state in 2009. It resumed the practice once she left in 2013, but never stopped taking money from foreign companies or individuals.

 

In a statement, the foundation said that should Hillary Clinton run for president "we will continue to ensure the Foundation's policies and practices regarding support from international partners are appropriate, just as we did when she served as Secretary of State."

Anonymous ID: d95377 Aug. 29, 2018, 8:20 a.m. No.2783090   >>3100 >>3565 >>3575 >>3585

>>2783071

 

(contd)

 

But since the foundation never stopped taking money from foreign companies and individuals, even if the foundation were to return to the policies and practices in place while she was secretary, the launch of a Clinton presidential bid wouldn't preclude an individual like Wang, with direct ties to the government, from contributing money. Further complicating Clinton's ties to her family foundation is that when she was secretary of state, the foundation had a built-in infrastructure, in the State Department and the White House, to vet donations from foreign entities. That mechanism hasn't traditionally existed within a presidential candidate's campaign structure.

 

The Rilin donation came at a time when the Clintons were aggressively raising money and when it was no secret she was readying a run for the White House. It underscores the types of questions the Clinton Foundation and Hillary Clinton's presidential campaign will have to answer as they reevaluate their policies.

 

"If the point is you are not going to take money from foreign governments, then his construction company is as close to not just the Chinese government, but its Ministry of State Security as they could possibly be," said Mann.

 


"Indirectly the Clinton Foundation has political influence, that's why people give to it," said Mann. "People give to the Clinton Foundation particularly because it is the Clintons and because they are prominent politicians in the United States."

 

A Rilin spokesperson said Wang "was asked to join the NPC [National People's Congress], a largely ceremonial body, as a delegate in 2013."

 

Wang has given tens of millions of dollars to other organizations, including New York University, where he's a member of its Board of Trustees. In a statement, the Rilin spokesperson said, "Mr. Wang has a long history of generous philanthropic giving to institutions of higher education and organizations that work on and promote global relations. The Clinton Foundation is one of the many organizations Mr. Wang has donated to."

 

Rilin, however, has a history of complaints since 2001 regarding its treatment of embassy construction workers. Documents obtained by CBS News show Rilin was cited in 2011 and 2013 by officials in Jersey City, New Jersey for housing workers in unsafe, crowded and unsanitary conditions. The company settled the 2011 violations for $6,066 and says all the charges related to the 2013 inspection were dismissed.

 

Among the Clinton Foundation foreign donors, there are also a number that have come under fire from US agencies. Barclays Capital has given at least $1 million to the foundation and last year, HSBC Holdings gave the foundation at least $500,000. Both British banks are under Justice Department investigations.

 

Asked about donations from foreign governments last week, Hillary Clinton defended the foundation's work, saying "I think that to people who want to support the foundation, know full well what it is we stand for and what we're working on."

Anonymous ID: d95377 Aug. 29, 2018, 8:21 a.m. No.2783100   >>3565 >>3575 >>3585

>>2783090

 

(contd)

 

Campaign finance laws prohibit foreign interests from investing in U.S. elections to prevent foreigners from buying political influence at home, but those rules don't apply to the Clinton Foundation. Bill Allison, senior policy analyst at the Sunlight Foundation, a campaign finance watchdog group, says the Clinton foundation is a unique non-profit that can't be separated from the US political system.

 

"If there is foreign money coming into the Clinton Foundation, it will raise the question of - is the president going to be doing favors for a foreign business, a foreign government, a foreign individual? And you just cannot have that in the American system of government, where the president is supposed to represent the American people," Allison said.

 

Clinton officials say that many major institutions - financial, media, industrial or otherwise - have been subject to investigation at some point. They said many of these organizations are capable of significant and positive impact and the investigations alone shouldn't preclude them from contributing to improving lives.

Anonymous ID: d95377 Aug. 29, 2018, 8:27 a.m. No.2783169

>>2783071

>One donor - Rilin Enterprises- pledged $2 million in 2013 to the Clinton Foundation's endowment. The company is a privately-held Chinese construction and trade conglomerate and run by billionaire Wang Wenliang, who is also a delegate to the Chinese parliament. Public records show the firm has spent $1.4 million since 2012, lobbying Congress and the State Department. The firm owns a strategic port along the border with North Korea and was also one of the contractors that built the Chinese embassy in Washington.

>

>That contract is a direct tie to the Chinese government, according to Jim Mann, who has written several books on China's relationship with the U.S.

>

>With "embassy construction, one of the most important tasks is making sure that there are no bugs there," he said. "So you want to have the closest security and intelligence connections with and approval of the person or company that's going to build your embassy."

>

Anonymous ID: d95377 Aug. 29, 2018, 8:31 a.m. No.2783222

EXCLUSIVE: ANOTHER '90s scandal returns to haunt the Clintons - billionaire accused of being front for Chinese Communist bid to influence Bill's 1996 election finally faces being questioned after years on the run

 

Ng Lap Seng, 68, was at center of illegal foreign donations scandal during Bill Clinton's presidency

The Macau-based billionaire funneled $1.2 million to Bill Clinton's campaign through an Arkansas Chinese restaurant owner

Congress demanded he be questioned as it investigated whether the Chinese Communist party was trying to influence the 1996 election

But Ng went on the run while the Chinese restaurant owner was jailed

Ng is now facing bribery charges in New York after an FBI probe into corruption of United Nations officials

House Oversight Committee tells Daily Mail Online it is seeking interview with him - and lobby group Citizens United says he should get immunity

Clinton campaign currently trying to highlight fears Vladimir Putin's Russia is influencing election in favor of Donald Trump

 

http://www.dailymail.co.uk/news/article-3713478/ANOTHER-90s-scandal-returns-haunt-Clintons-Chinese-billionaire-illegal-donations-Bill-s-election-campaign-faces-Congress-quiz-arrested-FBI-bribery.html

 

Ng, a Macau businessman with ties to the Chinese government, was accused of funneling over $1 million in illegal foreign donations to support Bill Clinton's reelection campaign in 1996.

Anonymous ID: d95377 Aug. 29, 2018, 8:42 a.m. No.2783349   >>3362 >>3363 >>3565 >>3575 >>3585

An End to “Smash-and-Grab” and a Move to More Targeted Approaches

 

December 20, 2017

Adam Kozy

Research & Threat Intel

 

https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/

 

In late October and early November, 2017, CrowdStrike® Falcon Intelligence™ observed People’s Republic of China (PRC)-based actors conducting espionage-driven targeted attacks against at least four Western think tanks and an additional two non-governmental organizations (NGOs). This marks a significant increase in China-based activity from months prior, as the majority of observed activity in Q3 was predominantly focused on Southeast and East Asia. The previous “smash-and-grab” type of cyber operations, which typically characterized a majority of pre-2016 PRC espionage cases, appear to have ceased in favor of much more targeted intrusions focused on specific outcomes.

 

Previous operations targeting think tanks resembled the digital equivalents of so-called smash-and-grab robberies: the attackers indiscriminately exfiltrated data, vacuuming up whatever information was available. However, in these most recent incidents, adversaries specifically targeted the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections.

 

The majority of these intrusions leveraged the China Chopper webshell and/or credential harvesting tools targeting the Microsoft Active Directory infrastructure such as Mimikatz to compromise credentials for lateral movement in victim networks. Typically, the adversary also retrieved second-stage tools from an external staging server. Actors often searched for very specific strings, such as “china”, “cyber”, “japan”, “korea”, “chinese” and “eager lion” — the latter is likely a reference to a multinational annual military exercise held in Jordan.

 

In at least two cases, adversaries were observed conducting email directory dumps for a full listing of departments within the victim organizations. Not only does this tactic help refine a list of targeted personnel within the organization, but access to a legitimate email server can provide a platform for conducting future spear-phishing operations. Nearly all the affected organizations likely maintain close ties to Western government officials. This makes them an attractive target for mounting further attacks against government-supporting sectors, since the intruders can masquerade as trusted sources when sending spear-phishing emails.

 

NOTICE IT SAYS EAGER LION. Didn't someone in the past decode IRON EAGLE to this???

 

let me continue

Anonymous ID: d95377 Aug. 29, 2018, 8:43 a.m. No.2783362   >>3565 >>3575 >>3585

>>2783349

 

PANDA vs. Falcon

 

An interesting case study was observed by both CrowdStrike Services and the Falcon OverWatch™ managed hunting team in late October 2017, when a China-based adversary attempted to compromise the web server of a think tank. The specific target appeared to be related to an ongoing military research project. As with many of the currently observed Chinese targeted intrusions, the adversary attempted to use China Chopper for reconnaissance and lateral movement after logging in via an account compromised by spear phishing. As is prevalent among CrowdStrike customers, webshell blocking was enabled in the Falcon platform, which prevented the actor from using the webshell to run any commands.

 

The operator attempted to access the server using the China Chopper shell for four days in a row, showing particular dedication to targeting this endpoint. The actor attempted several whoami requests during normal Beijing business hours. On the fourth day, after repeated failures, subsequent access attempts occurred at 11 p.m. Beijing time. This after-hours attempt was likely conducted by a different operator, or possibly someone called in to troubleshoot the webshell. After a quick series of tests, the activity ceased and no attempts were made over the weekend. Except for the 11 p.m. login, the observed activity suggests that the adversary is a professional outfit with normal operating hours and assigned tasks.

 

On the following Monday, the actors returned, logging into the same user account and attempting a different shell; however, this attempt was also quickly staunched by CrowdStrike Services. After being forced out again, the actor appeared to switch tactics and returned via the same account to conduct a SQL injection on the web server. When the attempt failed yet again, the user signed out and a separate host began conducting a low-volume DDoS attack on the think tank’s website.

 

This case is notable for several reasons. First, the adversary showed a high degree of persistence and dedication to compromising the target, over the course of a week. Also, they used a different shell, failed, and then attempted to conduct a SQL attack on the server. While this may not be unusual on its own, the short timeline in which it was carried out shows the adversary’s skill at adaptation. The multiple attempts to gain access also highlight the likely importance of the project and/or reveal that the adversary was under specific time constraints.

 

The final step of conducting a DDoS attack on the think tank’s site was unusual when viewed in the context of an espionage operation. The purpose of the attack is unclear, as it did not appear to benefit the espionage objective. Given the timing and subsequent failures at gaining access to what is presumably a high-value target, this DDoS attack could have been done out of frustration.

 

This is believed to be the first time CrowdStrike has observed a China-based adversary engaging in a disruptive attack against what was previously (and likely, still is) an espionage target as a follow-on to normal espionage activities.

Outlook

 

China’s renewed interest in targeting Western think tanks and NGOs is hardly surprising given President Xi Jinping’s call to improve China’s think tanks, a response to myriad new strategic problems facing China as it seeks greater influence as a global player. The targeting of these six organizations may signal a more widespread and active campaign to collect sensitive material and enable future operations. Individuals and enterprises that maintain relationships with Western think tanks and NGOs are advised to take appropriate precautions: system security review, additional user awareness training, and ensuring comprehensive endpoint visibility are critical to identifying and preventing threats from advanced adversaries. The increase in operational tempo by Chinese-associated intrusion actors that was observed during 2017 is covered in more detail in the upcoming CrowdStrike Global Threat Report 2017.

 

For more information on CrowdStrike Falcon Intelligence services, please visit https://www.crowdstrike.com/products/falcon-intelligence/.
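The two CrowdStrike posts quoted above (China Chopper webshells driven over HTTP, the repeated whoami requests during Beijing business hours, and the fallback to SQL injection against the same web server) describe activity that leaves traces in ordinary web-server access logs. The Python below is an added triage example, not code from CrowdStrike or from any of the quoted articles: it parses constructed Apache/nginx combined-format log lines and flags POST bursts to a single server-side script (how a one-line webshell is operated, since the command travels in the POST body and the log shows only the repeated POSTs), query strings that look like injection probes, and the share of each flagged client's requests that fall inside office hours in an assumed UTC+8 operator zone. The sample lines, the burst threshold, the injection regex and the time-zone offset are all assumptions for illustration, not signatures.

```python
"""Access-log triage for the behaviours described in the quoted CrowdStrike posts.

Added example, not CrowdStrike's code. Looks for three things in ordinary
Apache/nginx combined-format access logs:
  1. bursts of POSTs to one server-side script from one client, which is how a
     one-line webshell such as China Chopper is driven (commands travel in the
     POST body, so the log shows only the repeated POSTs);
  2. SQL-injection probes in query strings;
  3. what share of a client's requests fall inside office hours in an assumed
     operator time zone (the posts note activity in Beijing business hours).
The sample log lines, thresholds, regexes and the UTC+8 offset are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".aspx", ".ashx", ".asp", ".php", ".jsp")
SQLI_RE = re.compile(  # assumed probe patterns; tune for the real application
    r"(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*--|xp_cmdshell|sleep\(\d+\)|waitfor\s+delay)"
)
BEIJING = timezone(timedelta(hours=8))  # assumed operator zone: UTC+8, no DST


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def webshell_candidates(records, min_posts=3):
    """Return {(ip, path): count} for clients that POST repeatedly to one script.

    Heuristic, not proof: a webshell session is many small successful POSTs to
    a script path, with no Referer because nothing on the site links to it.
    """
    counts = Counter()
    for r in records:
        if (r["method"] == "POST" and r["path"].lower().endswith(SCRIPT_EXT)
                and r["status"] == 200 and r["ref"] in ("", "-")):
            counts[(r["ip"], r["path"])] += 1
    return {k: v for k, v in counts.items() if v >= min_posts}


def sqli_probes(records):
    """Return (ip, path, decoded query) for requests whose query string matches SQLI_RE."""
    hits = []
    for r in records:
        q = unquote_plus(r["query"])
        if q and SQLI_RE.search(q):
            hits.append((r["ip"], r["path"], q))
    return hits


def working_hours_share(records, ip, tz=BEIJING, start=9, end=18):
    """Fraction of one client's requests made Mon-Fri between start and end o'clock in tz."""
    stamps = [r["ts"].astimezone(tz) for r in records if r["ip"] == ip]
    if not stamps:
        return 0.0
    inside = sum(1 for t in stamps if t.weekday() < 5 and start <= t.hour < end)
    return inside / len(stamps)


def triage(log_text):
    """Run all three checks over raw log text; lines that do not parse are skipped."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    shells = webshell_candidates(records)
    return {
        "webshells": shells,
        "sqli": sqli_probes(records),
        "hours": {ip: working_hours_share(records, ip) for ip, _ in shells},
    }


# Constructed sample (not real traffic): one client drives a webshell during
# Beijing office hours and once at 23:05 Beijing time, then sends an injection
# probe; a second client is ordinary browser traffic for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2017:02:10:11 +0000] "POST /images/upload/cmd.aspx HTTP/1.1" 200 218 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Oct/2017:02:10:19 +0000] "POST /images/upload/cmd.aspx HTTP/1.1" 200 240 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Oct/2017:02:11:02 +0000] "POST /images/upload/cmd.aspx HTTP/1.1" 200 195 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Nov/2017:15:05:41 +0000] "POST /images/upload/cmd.aspx HTTP/1.1" 200 201 "-" "Mozilla/4.0"
203.0.113.7 - - [06/Nov/2017:03:20:05 +0000] "GET /research.aspx?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 1043 "-" "Mozilla/4.0"
198.51.100.23 - - [30/Oct/2017:14:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
198.51.100.23 - - [30/Oct/2017:14:00:03 +0000] "POST /contact.php HTTP/1.1" 200 310 "https://example.org/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
"""

if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(name, result)
```

On the sample, the webshell client is flagged with four POSTs to one script, its one GET is reported as an injection probe, and 4 of its 5 requests land inside 09:00-18:00 Beijing time on weekdays (the 23:05 request is the outlier, matching the after-hours attempt the post describes). The browser client is not flagged: its POST carries a Referer from the site itself. In a real deployment the Referer and User-Agent conditions are the first things an operator will vary, so treat the burst count as the primary signal and the rest as tie-breakers.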

Anonymous ID: d95377 Aug. 29, 2018, 8:45 a.m. No.2783386   >>3396 >>3565 >>3575 >>3585

The Latest on Chinese-affiliated Intrusions into Commercial Companies

 

October 19, 2015

Dmitri Alperovitch

Executive Viewpoint

 

https://www.crowdstrike.com/blog/the-latest-on-chinese-affiliated-intrusions-into-commercial-companies/

 

It has been nearly three weeks since the announcement on September 25th of the landmark Cyber agreement between the United States and China in which both nations agreed not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

 

On the day of the announcement, George Kurtz and I said that CrowdStrike will continue to leverage our CrowdStrike Falcon™ cloud-based endpoint technology, which is deployed across numerous Fortune 500 companies across many industry sectors, to monitor nation-state activities and to notify our customers of any attempted intrusions into their networks.

 

Today, we would like to give a public report of our observations. Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.

 

The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day – Saturday September 26th. We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement.

 

We are releasing below the timeline of intrusions into these commercial entities that we detected over the course of the last 30 days. It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement. The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures.

Anonymous ID: d95377 Aug. 29, 2018, 8:46 a.m. No.2783396   >>3565 >>3575 >>3585

>>2783386

 

We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including DEEP PANDA, which CrowdStrike has tracked for many years breaking into national-security targets of strategic importance to China, as well as commercial industries such as Agriculture, Chemical, Financial, Healthcare, Insurance, Legal, Technology and many others.

 

In addition to preventing these intrusions, the CrowdStrike Falcon platform also provided full visibility into every tool, command and technique used by the adversary. This allowed us to determine that the hackers saw no need to change their usual tradecraft or previously used infrastructure in an attempt to throw off their scent.

 

Many of the intrusions were done through Web server compromises, with SQL injection being the preferred vector of implanting China Chopper webshells which provide access to the internal networks of the victims. Since CrowdStrike Falcon uses an Indicator of Attack (IOA) behavioral engine, we instantly detected these actions and thwarted the adversary. In other cases, we’ve also detected and helped remediate the use of Derusbi and PlugX malware, preferred tools of a number of different Chinese actors.

 

So does this evidence of ongoing intrusions into the commercial sector from China indicate the failure of the U.S.-China cyber agreement? That depends on what is done about it and how long the current situation persists. As George Kurtz stated on the date of the agreement, “even under the best of circumstances, industry is left to wonder how quickly China’s bold intelligence gathering apparatus might be dismantled.” The fact that there is some time delay between agreement and execution is not entirely unexpected. But, we need to know the parameters for success, and whether the parties to the agreement discussed a timeframe for implementation or, instead, expected it to be immediate.

 

In the meantime, I personally remain encouraged by the Administration’s efforts to reduce the number and scope of Chinese intrusions and to have China draw a public distinction between national security-related espionage, which virtually every advanced nation engages in, and espionage done for commercial benefit, which the U.S. government and industry believe is unacceptable and must stop.

 

Call me an optimist, but I continue to have hope that meaningful progress can be made to turn the corner and establish norms of behavior for nation-states in cyberspace. In the meantime, CrowdStrike will remain vigilant and continue to protect our customers against breaches from all types of adversaries.

 

To learn more about how CrowdStrike Falcon platform can help your organization, please contact info@crowdstrike.com.

 

 

What is the deal with all these bear names??

 

Deep Panda

Cozy Bear

Fancy Bear

 

etc