WikiLeaks Cablegate: Indian Army left out of cybersecurity discussions
WikiLeaks Cablegate: Indian Army left out of cybersecurity discussions
India-related document from the leaked US embassy cables released by whistleblowing website WikiLeaks.

Reference ID: 09STATE67105

Created: 2009-06-29 16:04

Released: 2010-12-04 21:09

Classification: SECRET//NOFORN

Origin: Secretary of State

INFO LOG-00 MFA-00 EEB-00 AF-00 AID-00 A-00 CIAE-00

INL-00 DNI-00 DODE-00 DOTE-00 WHA-00 PERC-00 EAP-00

DHSE-00 EUR-00 OIGO-00 FAAE-00 FBIE-00 H-00 TEDE-00

INR-00 IO-00 L-00 MOFM-00 MOF-00 NEA-00 DCP-00

ISN-00 NSCE-00 OIG-00 PC-01 P-00 ISNE-00 DOHS-00

FMPC-00 SP-00 IRM-00 SSO-00 SS-00 DPM-00 USSS-00

NCTC-00 CBP-00 SCRS-00 DSCC-00 SCA-00 SAS-00 FA-00

SRAP-00 SGC-00 PESU-00 /001R

P 291659Z JUN 09

FM SECSTATE WASHDC

TO SECURITY OFFICER COLLECTIVE PRIORITY

AMEMBASSY TRIPOLI PRIORITY

INFO AMCONSUL CASABLANCA PRIORITY

XMT AMCONSUL JOHANNESBURG

AMCONSUL JOHANNESBURG

S E C R E T STATE 067105

NOFORN

E.O. 12958: DECL: MR

TAGS: ASEC

SUBJECT: DIPLOMATIC SECURITY DAILY

Classified By: Derived from Multiple Sources

SECRET//FGI//NOFORN

Declassify on: Source marked 25X1-human, Date of source: June

27, 2009

¶1. (U) Diplomatic Security Daily, June 27-29, 2009

¶2. (U) Iraq - Paragraphs 7-11

¶3. (U) Significant Events - Paragraphs 12-23

¶4. (U) Key Concerns - Paragraphs 24-43

¶5. (U) Cyber Threats - Paragraphs 44-57

¶6. (U) Suspicious Activity Incidents - Paragraphs 58-64

¶7. (U) Iraq

¶8. (S//NF) Alleged plans by various insurgent groups to

conduct attacks during anticipated U.S. military withdrawal

from urban areas: According to recent multiple source

reports, various insurgent groups and militias intend on

attacking multiple venues throughout Iraq in anticipation of

U.S. military forces withdrawal from urban areas. Specific

targets mentioned included the International Zone (IZ),

Victory Base Complex, joint security stations, and various

forward operating bases in Baghdad and in Maysan Province

(southern Iraq). Allegedly, insurgent groups also are

prepared to target key infrastructure, such as bridges and

major supply routes used by Coalition forces (CF) and Iraqi

Security Forces (ISF) convoys. According to one source, an

unidentified group had access to a large tank of chlorine, 16

V-8 rockets, and three torpedoes which were supposedly

recovered by the CF and ISF. The reports mentioned the

attacks would commence on or about July 1. The Government of

Iraq is anticipating the offensive and has placed ISF units

on alert and cancelled all leave effective June 28.

¶9. (S//NF) DS/TIA/ITA would like to note the series of

reports are consistent with other recent threat reporting

indicating the possibility of insurgent groups and militias

preparing to increase attacks in anticipation of troop

withdrawal from urban areas. It is possible that

extremist-affiliated groups would seek to target the IZ and

the Victory Base Complex, as the venues are symbolic of the

U.S. diplomatic and military presence in Iraq. It is also

plausible the groups may surmise that a large attack against

CF troops in these areas would be ideal, as it would serve as

propaganda for them, allowing them to take credit for driving

out "occupying forces."

¶10. (S//NF) DS/TIA/ITA would also highlight the allegation of

the existence of the weapons cache, as the materials could

possibly be used as components for improvised rocket-assisted

munitions or an improvised explosive device (IED). According

to the Multi-National Forces in Iraq Combined Intelligence

Operations Cell, the first documented chlorine attack

occurred in al-Anbar Province (western Iraq) on October 21,

2006, and the first documented chlorine vehicle-borne IED

(VBIED) in the Baghdad area occurred in Taji on February 20,

¶2007. Despite the claims by insurgent groups and militias of

chlorine-related attacks, their incident rates remain low and

inconsistent. While DS/TIA/ITA cannot corroborate the

veracity of the recent threat reporting, overall, there is

nothing to suggest that the intention to attack the U.S.

presence in Iraq will subside once a military troop

withdrawal is completed. (Appendix sources 1-7)

¶11. (SBU) Indirect fire (IDF) of unknown size was launched

against the IZ in Baghdad at 9:22 p.m. on June 24. The IDF

impacted in the river approximately 250 meters south of the

U.S. Embassy compound. No injuries or damages were reported.

(RSO TOC Baghdad Spot Report)

¶12. (U) Significant Events

¶13. (C) WHA Honduras - Honduran military forces arrested

President Manuel Zelaya June 28 according to orders issued by

the National Congress and the Supreme Court of Honduras.

Zelaya was taken to a local air force base and flown to Costa

Rica. Emergency Action Committee (EAC) Tegucigalpa

subsequently met to discuss the ramifications of the seizure

of the president by host-cost country military forces. The

RSO noted the general climate in the capital was calm;

however, a standfast order was issued, and additional

security measures were implemented. The Embassy released a

Warden Message regarding the actions against Zelaya and urged

AmCits to remain in the residences or hotels for the day.

¶14. (C) Later in the day, Congress officially named Roberto

Micheletti interim president. The U.S. Ambassador gave a

press conference outside the Embassy; he insisted that

President Zelaya was the only democratically elected

president of the country and urged that freedom of expression

and circulation be restored. He also demanded the release of

those government officials said to be in military custody.

The EAC reconvened to assess the situation. Protest activity

has centered around the presidential palace, some roads in

the capital were blocked, and there were some troops on the

street. However, traffic flow was reported normal in most of

the city. Authorized Departure for family members was

discussed, but not warranted at this time. Embassy personnel

were advised to remain in their homes for the rest of the day

and to limit their movements today, June 29. All Peace Corps

volunteers have been accounted for and are on standfast. Post

will be open today for emergency services only. The EAC will

continue monitoring events in-country and provide updated

information as available. (Tegucigalpa Spot Report; telcon;

Warden Message; Appendix sources 8-10)

¶15. (SBU) EUR Germany - A Local Guard Force (LGF) member of

U.S. Consulate General Frankfurt discovered two suspicious

cases with protruding wires June 26 while on foot patrol in

the clustered housing area. The guard notified his

supervisor, and the area and two nearby apartment buildings

were evacuated. Responding police requested canine and

Explosive Ordnance Disposal (EOD) support. After the EOD team

arrived, a local telecom technician, who had been working

nearby, arrived at the scene and claimed the unattended

cases; the technician had inadvertently left the cases. After

further investigation and corroboration with the technician,

police declare the area safe. (RSO Frankfurt Spot Report)

¶16. (SBU) AF Liberia - Two acts of vandalism were reported to

U.S. Embassy Monrovia on the night of June 27. One took place

at the residence of the chief of the DoD Office of Security

Cooperation, approximately 2.5 miles from Post, where

graffiti was spray painted on the perimeter wall stating,

"COL THE WAR HAS JUST BEGAN." The second incident occurred at

the facility of a USAID-funded project, approximately 1.5

miles from the Embassy, where the messages "INTERCON MUST

LEAVE NOW, TAKE INT" and "DANGER" were spray painted on the

compound wall. The RSO assesses these incidents are

consistent with the pattern of threats and intimidation used

by dismissed Embassy guards to obtain a favorable settlement

with their former employer through the Liberian Ministry of

Labor. (RSO Monrovia Spot Report)

¶17. (SBU) Mauritania - U.S. Embassy Nouakchott received a

credible threat June 27 regarding a kidnapping against an

American in the capital sometime during the night (NFI). The

RSO considers the information credible and made notifications

to staff to assure that all official Americans were accounted

for. All residential LGF posts were manned, and radio checks

were increased. Post also issued a Warden Message advising

AmCits in-country of the threat. Please see the Key Concerns

section for further information. (RSO Nouakchott Spot Report)

¶18. (C//NF) Mauritania - EAC Nouakchott met June 26 to

discuss developments surrounding the murder of an unofficial

American on June 23. Members were updated on the

investigative progress of local authorities. The EAC reviewed

the U.S. Embassy's tripwires for consideration of Authorized

Departure and/or drawdown and determined there was

insufficient information at this time to recommend either

action. EAC members were reminded of the importance of random

arrival arrivals at Post (effective June 25) along with other

augmented security measures.

¶19. (S//NF) The EAC reconvened June 28, and members were

introduced to FBI assets assigned to investigate the AmCit's

murder with host-country law enforcement personnel. Members

welcomed the team and support their efforts on the

investigation while in-country. Members also discussed the

credible kidnapping threat against an AmCit in-country and

reviewed the enhanced security measures already in place.

Post issued a Consular short message system alert to the

American community advising of the threat. The EAC will

continue to review all threat information as it becomes

available, while supporting the ongoing murder investigation,

and the EAC will reconvene as needed. (Appendix sources 11-12)

¶20. (SBU) Sudan Update - On June 24, verdicts were issued in

the trial of the five Sudanese men charged with the January

1, 2008, murder of U.S. Embassy Khartoum employees John

Granville and Abdelrahman Abbas. Four of the defendants were

found of guilty of intentional killing and sentenced to death

by hanging. The fifth defendant was found guilty on weapons

charges and sentenced to two years in prison, including

credit for time served since his January 2008 arrest.

(Khartoum 0790)

¶21. (SBU) The Gambia - EAC Banjul met June 23 for its monthly

meeting. It was determined that the recent activity in

Tehran, Iran, should not present any additional danger for

U.S. personnel or citizens in-country; however, the EAC

agreed U.S. Embassy staff must be more diligent in practicing

common-sense security measures. EAC members deemed Post's

current security posture is sufficient. (Banjul 0190)

¶22. (S//NF) NEA Yemen - EAC Sana'a met June 28 to discuss a

write-in threat concerning a VBIED attack against the U.S.

Embassy planned for today, June 29. The threat was traced to

Algeria, and, although such threats are considered relatively

common, Post officials are taking the threat seriously.

Members agreed that Post's current security upgrades were

sufficient to deter and, if need be, withstand an attack;

however, members deemed it would be prudent to request

additional security from the Republic of Yemen Government at

Post's perimeter, in light of the approaching July 4 holiday.

Please see the Key Concerns section for further details.

(Appendix source 13)

¶23. (C) SCA Bangladesh - U.S. Embassy Dhaka officials met

with the secretary of Home Affairs to discuss concerns over

an uptick in crimes directed against foreigners in Dhaka's

Diplomatic Enclave. The secretary stated the Government of

Bangladesh (GoB) had increased the police presence in the

enclave May 7, when threat letters were sent to several

diplomatic missions. Post officials will continue to monitor

the situation and keep pressure on the GoB to provide

adequate security to the U.S. Mission. (Appendix source 14)

¶24. (U) Key Concerns

¶25. (S//NF) AF Mauritania - AQIM threat to kidnap American

citizen: According to the Spanish National Intelligence

Service (CNI), an unidentified source for the CNI service

center stated al-Qa'ida in the Lands of the Islamic Maghreb

(AQIM) planned to kidnap an unidentified AmCit in Nouakchott

during the evening of June 27. According to the report's

context statement, a CNI official provided the information

during the course of a routine liaison meeting. There are no

additional details on this information, and the report's

originators are unable to assess the reliability of the

ultimate source(s) of the information. In addition, it is not

known what, if any, vetting or validation procedures the

Spanish service may use to evaluate its sources. In separate

reporting, AQIM, as of late June, had sent three unidentified

members to Mauritania from northern Mali to conduct

operations against government interests in Nouakchott and

Nouadhibou, according to the Mauritanian External

Intelligence Service. It was unknown, according to the

Mauritanian service, whether AQIM intended to attack

Mauritanian and/or foreign government facilities in those

cities. Separately, AQIM Tariq Ibn Ziyad battalion leader

'Abd al-Hamid (Abu Zaid), as of late June, had delayed an

order for four men to travel to Nouakchott to conduct

unspecified operations, according to the Mauritanian service.

DS/TIA/ITA notes the latest threat information follows last

week's killing of an American in Nouakchott and the possible

involvement of AQIM. (Appendix sources 15-16)

¶26. (S//NF) Nigeria - Extremists believed to be planning a

massive terrorist attack: (S//REL TO USA, FVEY) Tearline

states, "Unspecified extremist groups, suspected to be

operating in concert with Nigerian Shi'ites, Salafiya, or

Muhammad Yusuf's Nigerian Taliban are reportedly planning to

launch a massive surprise attack on some piece of critical

infrastructure or against high-profile targets within

Nigeria. Probable targets of this attack include top Nigerian

Government officials or security agents. Members of the

general public, who might be opposed to the attackers'

doctrines, were also believed to be possible targets. This

planned attack is reportedly aimed at sparking sectarian

clashes across Nigeria."

¶27. (S//NF) DS/TIA/ITA cannot immediately corroborate the

current threat with additional intelligence. While no

connection can be made between this threat and previous

reports, DS/TIA/ITA is concerned about recent activity

surrounding extremists associated with the Nigerian Taliban.

¶28. (S//NF) A well-trained veteran Chadian extremist,

Abu-Mahjin (Terrorist Identities Datamart Environment (TIDE)

number 24350378), who has limited ties to al-Qa'ida

associates, recently traveled to Nigeria. He may be planning

to conduct or facilitate a terrorist operation. Indeed,

tearline from May 1 claimed, "An Islamic extremist named

Abu-Muhjin has recently been in northeast Nigeria. It is

likely that he will be joined by other Islamic extremists in

the coming weeks." More recent tearline stated,

"Nigerian-based probable Chadian extremist Abu-Mahjin is keen

to obtain more funds in connection with some sort of

nefarious activity (possibly terrorism related) he is engaged

in. However, it is not clear when he will receive this

additional finance." Little more is known about Abu-Mahjin's

apparent efforts to organize a near-term operation.

¶29. (S//NF) Though neither the Nigerian Taliban nor its more

militant subset -- Tanzim al-Qa'ida group -- has ever

attacked Western interests, they have discussed targeting

foreign embassies in the past. In 2007, they reportedly

plotted to attack the U.S., British, and Israeli embassies in

Abuja, according to a single source that remains

unsubstantiated. (Appendix sources 17-19)

¶30. (C//NF) NEA Algeria/Yemen - Unsubstantiated threat

claiming suicide bombing against U.S. embassies: On June 26,

a write-in to a USG website provided a message involving an

unsubstantiated threat to U.S. embassies in Algiers, Algeria,

and Sana'a, Yemen. The message was posted in Arabic and

appeared to originate in Algeria. The writer warned of a "big

attack against your embassies in Algeria and Yaman by suicide

car on 29/06/2009" and claimed to be an agent of the Algerian

Intelligence Service. The writer provided an apparent

telephone number for confirming his information and warned,

"The second attack what you will see it is in Hassi Messaud

in Sahara by a big number of terrorists." The report's

originators note that they have no further information to

corroborate the information, and the source may have intended

to annoy, mislead, or disrupt rather than to provide

legitimate information. The originators further note that the

vast majority of such information is not true, but, since

volunteers have provided authentic leads on occasion, the

information is provided for evaluation purely due to its

threat content. (Appendix source 20)

¶31. (S//NF) Yemen - Al-Qa'ida possibly planning Embassy

attacks: (S//REL TO USA, FVEY) According to tearline

information, "Saudi authorities learned in late June that

al-Qa'ida may be planning an attack on Western and Middle

Eastern embassies in Yemen. There was no additional

information on the timing or exact location of the planned

attack."

¶32. (S//NF) DS/TIA/ITA notes this report is likely related to

recent information provided by a Yemeni security official in

late June regarding possible unspecified al-Qa'ida in the

Arabian Peninsula (AQAP) attacks against the embassies of the

U.S, Qatar, United Arab Emirates, Oman, Saudi Arabia, and

unnamed European nations in Sana'a. No further information

was provided on this general threat report.

¶33. (S//NF) DS/TIA/ITA also notes the continuing AQAP threat

to Western and host-nation interests both in Sana'a and

throughout Yemen. Previous AQAP attacks illustrate a

willingness and capability to target Western citizens and

diplomatic facilities, highlighted by the brazen attack

against U.S. Embassy Sana'a in mid-September 2008. The lack

of host-nation political will to combat AQAP contributes to

an extremely permissive operating environment for extremist

elements, suggesting threat reporting against U.S. and other

foreign interests in Yemen will continue in both the near and

medium term. (Appendix sources 21-22)

¶34. (S//NF) SCA Afghanistan - Threat to unspecified American

in Kandahar: As of late June, Kandahar Taliban members Sadiq,

Mullah Hamdullah, and Qari Yousef intended to kidnap an

unspecified American who travels from Kandahar Airfield to

work in Kandahar city to hold for ransom. The kidnappers

planned to use a local Afghan who the American trusted to

place a substance in his food to render him unconscious.

Hamdullah, a.k.a. Bari Alai, worked under the command of

Mullah Faizel who was currently in detention at Guantanamo

Bay.

¶35. (S//NF) While the Taliban operatives named in this report

are indeed active in and around Kandahar city to include

involvement in kidnapping plots, DS/TIA/ITA questions the

source's access to operational plans by the Taliban. In past

reporting, the source has reported primarily on Taliban

member atmospherics and movements in southern Afghanistan and

only occasionally on threats. DS/TIA/ITA assesses information

provided by the source regarding the January 2008 kidnapping

of an American non-governmental organization (NGO) worker to

be inaccurate.

¶36. (S//NF) That said, periodic reporting indicates

extremists remain keen to abduct another Westerner in

Kandahar city, possibly while traveling to/from Kandahar

Airfield. Tearline states, "Taliban insurgents reportedly

planned in late January to kidnap a U.S. national as he

traveled between Kandahar Airfield and Shur Andam Pass,

Kandahar Province." Reporting from November 2008 alleged the

Taliban planned to kidnap two foreign women possibly from

their residence in northeast Kandahar city or at the Rang

Rezano market they frequented.

¶37. (S//NF) Mullah Faizel (variants: Faisal, Fazilfazul; TIDE

number 72569) was being held at Guantanamo Bay as of early

April 2008. Mullah Hamdullah (possible TIDE number 75483) is

characterized in late-2008 sensitive reporting as a group

commander of a large number of Taliban in Helmand Province.

The same report noted Sadiq, the brother of the Taliban's

second-in-command Mullah Berader (TIDE number 76541), worked

at an unnamed U.S. NGO and was involved in planning an

unspecified kidnapping. (Appendix sources 23-30)

¶38. (S//FGI//NF) Pakistan - Militants may be planning to

abduct U.S. and UK citizens from NGOs and consulates;

dual-citizens in Peshawar: Tearline intelligence reports,

"Militants attached to Pakistan's Mumtaz Group may be

planning to kidnap U.S. and UK citizens working in NGOs and

consulates, as well as dual-citizen Pakistanis who are either

visiting or residing in Peshawar, as of June 26. Peshawar's

University Town could be the likely venue for such an

operation. Further, the following individuals who probably

reside in (the) Peshawar area could be supporters of the

Mumtaz Group: Fahim, son of Ihsanullah; Ayaz; Abdul Rehman

Khan (Awami National Party) and his son, Yunas Khan,

residents of Kafir Dheri, Peshawar; Garib Shah Badshah; and

Muazzam Badshah, son of Shah Badshah."

¶39. (S//FGI//NF) DS/TIA/ITA assesses the Mumtaz Group may be

a reference to operations linked to al-Qa'ida leader Hamza

al-Jawfi (a.k.a. Mumtaz; TIDE number 70390) who died in a

late-February explosion in North Waziristan. Mumtaz is an

oft-used alias by senior al-Qa'ida leaders that is arguably

inauspicious. The now-deceased Hamzah Rabi and Abu Khabab

al-Masri both used this alias as well. Worryingly, the other

operatives DS/TIA/ITA suspects belong to this group are

linked to ongoing, credible planning against Peshawar

cantonment as well as American personnel and convoys

belonging to U.S. Consulate Peshawar.

¶40. (S//FGI//NF) Although al-Jawfi is dead, it is possible

the operations referenced can be linked to al-Jawfi's former

courier and Imran (TIDE number 14399906), who collaborates

closely with Mohmand Agency-based Tehrik-e-Taliban Pakistan

(TTP) commander Hakimullah Mahsud. Early-April reporting from

Inter-Services Intelligence (ISI) links Imran -- described as

an Uzbeki militant responsible for the November 12, 2008,

murder of a USAID contractor and the August 26, 2008, ambush

of the principal officer's (PO's) vehicle in Peshawar -- to

TTP operative Faruq's ongoing planning for an attack on

Peshawar's cantonment using multiple suicide operatives.

Faruq is also likely involved in conducting al-Qa'ida-linked

operational surveillance against the PO of U.S. Consulate

Peshawar, a four-vehicle SUV protective convoy, and a vehicle

workshop also affiliated with Post. Of note, however, ISI

reported the capture of an individual named Imran in

mid-June; although, it cannot be confirmed if this is the

same Uzbeki Imran mentioned in earlier reporting. (Appendix

sources 31-38)

¶41. (S//FGI//NF) Pakistan - Threats against Punjab and

Islamabad: Reporting continues to circulate detailing ongoing

plans by Pakistani extremists to launch suicide operations in

Punjab Province and Islamabad. In Islamabad, threats specify

the targeting of embassies located in the F-6/2 sector,

police post Aabpara in Islamabad, the Imam Bargah in G-6/2,

Senator Tariq Azim, and Barri Imam Shrine. In Lahore and

greater Punjab Province, suicide operatives may seek to

strike against foreigners in crowded areas or the Barbar Data

Sahib Shrine. Although it remains unclear if these named

targets are an accurate reflection of extremists' operational

plans, it is of note late-June reporting also mentions the

cultivation and use of sympathetic madrassas and extremists

located in targeted cities to carry out future attacks.

¶42. (S//NF) As of late June, TTP reportedly tasked Abdul

Malik Mujahid to launch suicide attacks against unspecified

foreigners in crowded places in Punjab, with Mujahid

considering the use of sympathetic madrassas as shelter prior

to conducting an attack. Madrassas under consideration

included the Jami Ashrafia and Jamiat ul-Manzur ul-Islami in

Lahore. Separately, tearline from late June reports,

"Militant commander Khan Bahadur, son of Sher Bahadur, is the

local militant commander in the Watkai area. Bahadur

currently may be residing in Islamabad, while reorganizing

his group to operate in difference parts of Pakistan, as of

June 25." Although there is limited information regarding the

identity of Khan Bahadur (possible TIDE number 238258),

earlier sensitive intelligence suggests he has served as an

interlocutor in urban areas for Waziristan-based militants

since 2007. According to late-January 2008 tearline, "... A

Khan Bahadur (or Bhadur) in Lahore was involved in efforts to

arrange talks and perhaps a government announcement for a

cease-fire and helping coordinate a separate announcement

from the Mujahidin, hopefully by October 13...."

¶43. (S//FGI//NF) As underscored by the events during and

following the Lal Masjid (Red Mosque) confrontation in

Islamabad in July 2007, the continued existence of networks

in Islamabad that can organize and facilitate protests and

terrorist activity in the vicinity of the capital is indeed

troubling. Notably, a body of intelligence reporting

preceding the Lal Masjid confrontation suggests

Pakistan-based extremists viewed the brewing tension between

the madrassas and Islamabad one part of a larger

comprehensive effort to re-energize and expand their jihadi

operations from their strongholds in the tribal areas and

Northwest Frontier Province. Interestingly, reporting from

May 2007 citing a commander 10 corps lieutenant also noted 70

mosques in and around Islamabad would likely support

extremist activity associated with the now-infamous Lal

Masjid, which was also an unauthorized mosque. Of concern,

since 2008 attacks in Pakistan have repeatedly targeted

Westerners, coinciding with an unprecedented number of

attacks in both Lahore and Islamabad. (Appendix sources 39-47)

¶44. (U) Cyber Threats

¶45. (U) EUR CTAD comment: The latest version of the National

Security Strategy released by the UK Government includes a

public cyber security strategy. The report calls for the

establishment of two new offices with cyber security

responsibilities and approves the use of offensive operations

as a countermeasure to attacks against British systems. The

Office of Cyber Security, falling under the Cabinet Office,

will be the central body charged with coordinating with

industry and developing strategy. The Cyber Security

Operations Centre based at Government Communications

Headquarters, the UK's primary signals intelligence agency,

will be responsible for conducting offensive operations.

According to press reports, the UK Government has hired

several former hackers to staff the centre.

¶46. (S//NF) NEA CTAD comment: DoD reporting indicates as of

mid-May, several Persian-language hacker forums are sharing

information pertaining to a variety of hacking codes, tools,

and video tutorials. One of the more notable findings was a

PHP-based "simattacker code" -- a backdoor Trojan horse

program that allows for remote exploitation of an affected

system and can provide denial-of-service capabilities. This

particular malicious code is reportedly similar to a tool

used against Georgian systems in 2008 (NFI).

¶47. (SBU) EAP CTAD comment: According to South Korean press

reporting, the Republic of Korea's (RoK's) Defense Security

Command (DSC) has declared intrusion attempts against the

RoK's military computer networks have increased 20 percent in

2009, compared to those detected in 2008. The DSC further

stated that 89 percent of the attempts are unsophisticated

efforts to hack into servers and Internet homepages, whereas

the remaining 11 percent appear to be more advanced attempts

to obtain intelligence information. Of note, in an effort to

deal with the increasing cyber threat, the RoK's National

Intelligence Service has recommended President Lee Myung-bak

appoint an aide to assist with the country's cyber security

issues.

¶48. (S//NF) SCA CTAD comment: According to Defense

Intelligence Agency reporting, the Government of India (GoI)

continues efforts to advance its computer security programs

-- particularly in light of increased concerns over Chinese

computer network exploitation efforts -- but progress is

hampered by significant disagreements within its departments.

The key GoI organizations involved in developing and

implementing security policies are identified as the Ministry

of Telecommunications and the Research and Analysis Wing.

Although the Indian Army is primarily responsible for the

security of military networks, Indian officials acknowledge

Army representatives have been largely left out of

discussions. Additionally, some other key groups, such as the

National Technical Reconnaissance Organization and the Indian

Defense Intelligence Agency, have reportedly failed to offer

significant contributions. Private security companies are

also concerned that the lack of input from the private sector

may lead to unfair regulations regarding telecommunications

monitoring.

¶49. (SBU) Domestic CTAD comment: On June 22, Websense

Security Labs issued an alert after discovering the official

website of the Embassy of Ethiopia in Washington, DC, had

been subverted with obfuscated JavaScript code hidden in an

inline frame (IFrame) with the goal of infecting visitors to

the site with malicious software (malware). The code

redirected users to sites where malware, including Trojan

downloaders, were installed without explicit user action.

According to the alert, the site that hosted the malicious

JavaScript is currently down. On March 20, security company

Sophos discovered a similar IFrame infection on the same

website. At the time, researchers at Sophos noted it

resembled the attack on the Washington, DC, Embassy of

Azerbaijan website that occurred in early March. The

researchers also indicated the redirected sites had been used

by Russian cyber criminals in previous malware infections.

(Appendix sources 48-50)

¶50. (C) EAP China - Beijing TOPSEC founder indicates PRC

investment:

¶51. (S//NF) Key highlights:

o Founder of TOPSEC and iTrusChina notes PRC funding and

directive in media interview.

o TOPSEC is China's largest provider of information security

products and services.

o TOPSEC provides services and training for the PLA and has

recruited hackers in the past.

o Potential linkages of China's top companies with the PRC

illustrate the government's use of its "private sector" in

support of information warfare objectives.

¶52. (SBU) Source paragraph: "During an interview with

journalists from China News Network, chairman of both Beijing

TOPSEC and iTrusChina, He Weidong, spoke about the two

companies, to include investment and contract from the

Chinese Government (People's Republic of China (PRC)) ....

Tianrongxin's capital came from two parts. The Chinese

Government share one part of the investment, and the

management department (of Tianrongxin) share the other part.

He further stated that Tianrongxin was not really a company

but a research institute; in 1995, the company took contracts

from the government's research and development tasks."

¶53. (S//NF) CTAD comment: In November 1995, He Weidong

founded the security company Tianrongxin, a.k.a. Beijing

TOPSEC Network Security Technology Company, Ltd. TOPSEC is a

China Information Technology Security Center (CNITSEC)

enterprise and has grown to become China's largest provider

of information security products and services. TOPSEC is

credited with launching China's first indigenous firewall in

1996, as well as other information technology (IT) security

products to China's market, to include virtual private

networks, intrusion detection systems, filtering gateways,

and security auditing and management systems. Additionally,

in September 2000, Weidong founded the company

Tianweichengxin, a.k.a. iTrusChina, which became the first

experimental enterprise to develop business Public Key

Infrastructure/Certification Authority services approved by

China's Ministry of Industry and Information Technology.

¶54. (SBU) CTAD comment: During an interview with China News

Network, Weidong stated that half of TOPSEC's start-up

capital came from the PRC, with the other half coming from

the company's management department. Additionally, he pointed

out that TOPSEC began not as a company, but as a small

research institute that took contracts from the government's

research and development tasks (NFI). The turning point for

TOPSEC came in 1996 when the company won a significant

contract bid from the Chinese State Statistics Bureau. Since

winning the bid, TOPSEC maintained a 100-percent sales growth

in the following years. Weidong noted the company started out

with 30,000 RMB (approximately $4,400) in 1995, and by 2002,

had earnings of 3 billion RMB (approximately $440,000,000).

Interestingly, shareholders did not receive bonuses, as all

earnings went for future investment. Weidong also stated a

bank loan was never used.

¶55. (S//NF) CTAD comment: Of note, the CNITSEC is responsible

for overseeing the PRC's Information Technology (IT) security

certification program. It operates and maintains the National

Evaluation and Certification Scheme for IT security and

performs tests for information security products. In 2003,

the CNITSEC signed a Government Security Program (GSP)

international agreement with Microsoft that allowed select

companies such as TOPSEC access to Microsoft source code in

order to secure the Windows platform. XXXXXXXXXXXX

¶56. (S//NF) CTAD comment: Additionally, CNITSEC enterprises

has recruited Chinese hackers in support of nationally-funded

"network attack scientific research projects." From June 2002

to March 2003, TOPSEC employed a known Chinese hacker, Lin

Yong (a.k.a. Lion and owner of the Honker Union of China), as

senior security service engineer to manage security service

and training. Venus Tech, another CNITSEC enterprise privy to

the GSP, is also known to affiliate with XFocus, one of the

few Chinese hacker groups known to develop exploits to new

vulnerabilities in a short period of time, as evidenced in

the 2003 release of Blaster Worm (See CTAD Daily Read File

(DRF) April 4, 2008).

¶57. (S//NF) CTAD comment: While links between top Chinese

companies and the PRC are not uncommon, it illustrates the

PRC's use of its "private sector" in support of governmental

information warfare objectives, especially in its ability to

gather, process, and exploit information. As evidenced with

TOPSEC, there is a strong possibility the PRC is harvesting

the talents of its private sector in order to bolster

offensive and defensive computer network operations

capabilities. (Appendix sources 51-52)

¶58. (U) Suspicious Activity Incidents

¶59. (SBU) EUR Iceland - A man and a woman photographed in the

area north of U.S. Embassy Reykjavik June 25. They then

walked toward the backside of the Post, where they took

additional photographs before departing on foot. The man was

seen photographing in the neighborhood for an additional 3

hours. The Surveillance Detection Team found it unusual the

subjects photographed sites other than tourist attractions.

(SIMAS Event: Reykjavik-00257-2009)

¶60. (SBU) AF Guinea - Two young men were photographed U.S.

Embassy Conakry June 25. A gendarme stopped the pair and took

them to a nearby security booth where they were interviewed

by Post's foreign security national investigator. Their

photos of the Embassy were deleted, and the subjects were

released with a warning.

¶61. (SBU) Record Check/Investigation: Subject 1: Mamdou

Mouminatou Diallo. XXXXXXXXXXXX Labe, Guinea. Cell phone

number: XXXXXXXXXXXX Subject 2: Mamadou Diallo. XXXXXXXXXXXX

Koundara, Guinea. Cell phone number: XXXXXXXXXXXX (SIMAS

Event: Conakry-01492-2009)

¶62. (SBU) NEA Tunisia - A man sat at Marsaoul Caf in Tunis

focusing on the road leading to the U.S. Ambassador's

residence June 4. After 30 minutes, the subject got into his

car and departed the area. The man was previously seen at the

caf on May 15 for approximately 1 hour.

¶63. (SBU) RSO Action/Assessment: The caf is located at the

foot of the hill near the Ambassador's residence (the

residence is located at the end of the road, approximately

one-quarter to one-half mile away). This is the second time

the individual and vehicle were spotted. However, Tunisian

police do not share information concerning routine traffic

stops or suspicious persons questioned/seen near the Embassy

or Ambassador's residence. If the vehicle is seen again, the

RSO will attempt to retrieve information on the owner.

¶64. (SBU) Record Check/Investigation: Vehicle: Gray

Volkswagen; License plate: 8020TU97. (SIMAS Event:

Tunis-02054-2009)

SECRET//FGI//NOFORN

Full Appendix with sourcing available upon request.

CLINTON

(Reproduced from wikileaks.ch)

What's your reaction?

Comments

https://chuka-chuka.com/assets/images/user-avatar-s.jpg

0 comment

Write the first comment for this!