Sri Lanka Bombing Aftermath

The devastating Easter Sunday bombings in Sri Lanka were locally planned and executed, without direct guidance from the Islamic State militant group, investigators said.

1. St. Anthony’s Shrine: A suicide blast went off at this Roman Catholic church in Kochchikade, Colombo, around 8:45 a.m. Witnesses described scenes of terror and carnage. “It was a river of blood,” said N. A. Sumanapala, a shopkeeper who works near the church. “Ash was falling like snow.”

2. Shangri-La Hotel: A suicide blast hit the Table One Restaurant, which was serving Easter brunch, on the hotel’s third floor just before 9 a.m. Another suicide bomb was detonated in a hotel corridor.

3. Kingsbury Hotel: A suicide bomb shattered windows and walls.

4. Cinnamon Grand Hotel: The hotel had been blown up before, in 1984, when it was called the Hotel Lanka Oberoi.

5. Dematagoda housing complex: At around 2:45 p.m., a few hours after the initial wave of bombings, a suspect who was being questioned by the police in a Colombo suburb detonated a suicide bomb, killing three officers, according to officials. Explosives were found inside, and three suspects were arrested.

6. Tropical Inn: A blast occurred later, at around 2 p.m., at this small hotel near the national zoo in Dehiwala, a suburb of Colombo.

In the days leading up to Easter Sunday’s devastating suicide bombings that killed at least 250 people in Sri Lanka, the country’s security agencies had been closely watching a secretive cell of the national Thowheeth Jama’ath,  a little-known radical Islamist organization that security officials in Sri Lanka now say carried out the attacks and may have received help from abroad. They knew the group was dangerous. They had collected intelligence on the whereabouts of its leaders in the April 11 security memo, which warned of Catholic church bombings. They had been warned even earlier by India that the group, also known by the spelling National Thowheed Jama’ath, was plotting church attacks. They knew as far back as January that radical Islamists possibly tied to the group had stockpiled weapons and detonators. And within hours of when three churches and three hotels were bombed, Sri Lankan security services swooped down on at least 24 suspects — by Tuesday the number had grown to 40 — suggesting that officials also knew exactly where the group had been operating. Why the security agencies failed to act aggressively on the information before the bombings is now an enormous question. It has been further complicated by a feud between the president and prime minister, which left the prime minister, Ranil Wickremesinghe, ignorant of the information the security agencies possessed — leading to bitter recriminations that have created a new government crisis.

Two Sri Lankan Muslim extremists learned how to build the explosive devices that killed more than 250 people in churches and hotels by studying Islamic State designs on the internet and conducting trial-and-error tests, including one that cost a bomb maker several fingers last year, people involved in the probe said.

Raids on a supposed bomb workshop and an Islamic State hide-out left at least 15 dead and brought the total arrests so far to more than 70. Around midnight, explosions and a gun battle erupted at a house in the east as security forces closed in. The military said on Saturday morning that 15 people had been killed there, including four suicide bombers who detonated their explosives.

Given Sri Lanka’s nearly thirty-year civil war, which ended only a decade ago with the defeat of the Tamil Tigers (Liberation Tigers of Tamil Eelam, or LTTE), government intelligence, security, and law enforcement officers were likely focused on monitoring the country’s Tamil population and preventing a resurgence or resurrection of the Tigers. Far less attention would have been focused on Sri Lanka’s small Muslim community. This inattention could have created the opportunity for a local group—perhaps with external encouragement or support—to emerge from obscurity and perpetrate such horrifically lethal attacks.


X-Agent and X-Tunnel Malware


The Mueller Report, released today, contains some new information. We were fascinated by this comment. Why did the computer anti-virus miss these two pieces of malware?

Agent-X is a proxy server.

In order to run automatically when Windows starts up the Trojan creates
a hidden folder named sr64 under the current user’s Application Data
folder and copies itself to a randomly-named file in this folder. The
Trojan then creates the following registry entry:


Agent-X drops and loads a library file named sr32.dll in the same
hidden folder. This library file has stealth functionality which hides
the Trojan’s files and registry entries.

Agent-X runs an HTTP proxy and a SOCKS proxy, allowing a remote
attacker to route web or general-purpose traffic through the infected

Every 10 minutes the Trojan reports its presence and optionally attempts
to download an updated version of itself. Both the port numbers for the
proxy servers and the URLs for reporting and updating are stored in an
encrypted block of data at the end of the Trojan’s executable file.

The Trojan also creates the following registry entries for its own use:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\btidnt
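The description above gives a defender several concrete host artifacts to hunt for: a hidden folder named sr64 under the user’s Application Data directory holding a randomly named executable, a stealth library sr32.dll loaded from that folder, a configuration value named btidnt under the Internet Settings key, and a check-in to the same remote host every 10 minutes. The following is an added example, not code from the page or from any vendor, that runs those checks over Sysmon-style endpoint events. The event records, file names (kqz83.exe), user name and destination address are constructed; the field names mimic Sysmon event IDs 3, 7, 11 and 13 but the logic is generic.

```python
"""Hunt for the persistence and beaconing artifacts described above in
Sysmon-style endpoint events.  Added example with constructed events."""
import re
import statistics
from collections import defaultdict

# Indicators taken from the description quoted on the page.
HIDDEN_DIR = re.compile(r"\\appdata\\(?:roaming|local)\\sr64\\", re.I)
STEALTH_DLL = re.compile(r"\\sr64\\sr32\.dll$", re.I)
REG_VALUE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\internet settings\\btidnt$",
    re.I)
BEACON_SECS = 600   # "every 10 minutes the Trojan reports its presence"
BEACON_TOL = 0.10   # assumption: tolerate 10% jitter around that interval


def check_event(ev):
    """Return a finding for one event, or None if it matches no indicator."""
    eid = ev["EventID"]
    if eid == 11 and HIDDEN_DIR.search(ev.get("TargetFilename", "")):
        return f"file dropped in hidden sr64 folder: {ev['TargetFilename']}"
    if eid == 7 and STEALTH_DLL.search(ev.get("ImageLoaded", "")):
        return f"stealth library loaded: {ev['ImageLoaded']} by {ev['Image']}"
    if eid == 13 and REG_VALUE.search(ev.get("TargetObject", "")):
        return f"trojan config value written: {ev['TargetObject']}"
    return None


def find_beacons(events, period=BEACON_SECS, tol=BEACON_TOL, min_hits=4):
    """Group outbound connections (EventID 3) by (process, destination) and
    flag pairs whose inter-connection gaps cluster around `period` seconds."""
    series = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 3:
            series[(ev["Image"], ev["DestinationIp"])].append(ev["UtcTime"])
    beacons = []
    for (image, dst), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if abs(med - period) <= period * tol:
            beacons.append((image, dst, round(med)))
    return beacons


def hunt(events):
    """Combine per-event indicator hits with the beacon analysis."""
    findings = [f for f in (check_event(ev) for ev in events) if f]
    for image, dst, gap in find_beacons(events):
        findings.append(f"periodic beacon every ~{gap}s from {image} to {dst}")
    return findings


# Constructed sample: one infected profile plus benign activity.
APPDATA = r"C:\Users\alice\AppData\Roaming"
TROJAN = APPDATA + r"\sr64\kqz83.exe"          # random file name, constructed
C2 = "203.0.113.7"                             # documentation address, constructed
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": TROJAN, "TargetFilename": TROJAN},
    {"EventID": 7, "Image": TROJAN, "ImageLoaded": APPDATA + r"\sr64\sr32.dll"},
    {"EventID": 13, "Image": TROJAN, "TargetObject":
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\btidnt"},
    {"EventID": 11, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetFilename": APPDATA + r"\Notepad++\config.xml"},
    {"EventID": 13, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "TargetObject": r"HKCU\Software\Google\Chrome\BLBeacon\version"},
] + [
    {"EventID": 3, "Image": TROJAN, "DestinationIp": C2, "UtcTime": t}
    for t in (0, 601, 1199, 1800, 2402)        # ~10-minute check-ins
] + [
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "DestinationIp": "198.51.100.5", "UtcTime": t}
    for t in (0, 37, 5000)                      # irregular browsing
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The beacon check is the part that survives a renamed folder or registry value: the description says the port numbers and URLs live in an encrypted block appended to the executable, so string and path indicators are easy for a new build to change, whereas a fixed 10-minute check-in interval shows up in connection telemetry regardless of what the file is called.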

X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.

Lieutenant Captain Nikolay Kozacheck (who used the hacker monikers “kazak” and “blablabla1234465”) was the primary developer and maintainer of X-Agent, according to the Mueller indictment, and he was assisted by another officer, Pavel Yershov, in preparing it for deployment. Once X-Agent was implanted on the DNC and DCCC networks, Second Lieutenant Artem Malyshev (AKA “djangomagicdev” and “realblatr”) monitored the implants through the command and control network configured for the task.

The XTunnel malware that was used by the Russian actor Fancy Bear to penetrate the Democratic National Committee (DNC) network was specifically designed to work against this target, Invincea researchers say.

The attack was carried out in April this year, but was the second time a Russian threat actor targeted DNC, after another group going by the name of Cozy Bear managed to penetrate the network in the summer of 2015. The incidents were analyzed by Crowdstrike, after DNC employees started receiving alerts from Yahoo regarding their potential account compromises.

The researchers discovered that the Fancy Bear threat actor used the XTunnel malware for compromise purposes. After taking a closer look at the malware, Invincea discovered that the malware didn’t cluster with other known threats and says that it was likely a “purpose-built original piece of code” meant to target the DNC network specifically.

As it turns out, the XTunnel tool has several capabilities that allowed it to easily compromise the targeted network, including VPN-style capabilities and the use of encryption (it exchanges SSH keys, uses private encryption keys, compresses and decompresses data, etc.). The malware also supports access to locally stored passwords, and can access the LDAP server, researchers discovered.

What’s more, the threat is modular, meaning that it can download additional files when needed, and can also probe the network for open ports, PING hosts, and send and receive emails. The malware has many other capabilities, some of which are shared by legitimate programs, Invincea reveals.

Some of the most important functions of the tool, however, include the ability “to hook into system drivers, access the local LDAP server, access local passwords, use SSH, OpenSSL, search and replace local files, and of course be able to maintain a persistent connection to a pre-specified IP address, even if the host is behind a NATed firewall,” Invincea’s Pat Belcher explains.

As if these abilities weren’t enough, the threat was also found to be able to monitor keyboard and mouse movements, and even to access webcams and USB drives. “That is a lot of capabilities packed into a file that is less than 2 MB in size,” Belcher notes.

Another interesting aspect of XTunnel is that its code isn’t obfuscated, as most modern malware employs this technique to make analysis challenging. This piece of malware contains strings of code that appear to be transparently showing exactly what the binary is intended to do, “as if it were originally developed to be an open source tool to provide encrypted tunnel access to internet hosts,” the security researcher says.

The researchers also discovered that the hackers used a very old but reliable network module –associated with softphone and VoIP applications over a decade ago – to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT). Thus, the DNC didn’t have many options when it came to detecting the malware’s network activity, except to catch it “port knocking” on the inside of the firewall.

However, the security company notes that, since many organizations run a firewall configuration where inside hosts are allowed outbound without restrictions, this type of activity would have been almost impossible to detect if only logs were used. Even with restricted outbound access, XTunnel could have used ICMP or UDP protocols to connect to the Russian command and control server, Invincea says.

Invincea released a report on this malware, but steered clear of any “Russian attribution” statements. Their report focuses on X-Tunnel, the malware used to steal the data from the DNC servers.

The company’s malware expert, Pat Belcher, says that this is a one-of-a-kind malware variant that appears to be custom-built and used only in limited, targeted attacks, not sharing any similarities with other malware families.

The malware has many capabilities that would allow it to be used as a RAT, a remote access trojan, but it appears that its role was to help the crooks steal data from compromised systems.

RAT features discovered inside X-Tunnel’s measly 2MB file include the ability to open SSH connections, encrypt traffic using SSL, access LDAP servers, read/write from the Windows console, compress/decompress data, steal passwords, download/upload files, capture mouse movements, use proxies, modify Windows services, and many more.

Nevertheless, the vast majority of the features found by Invincea’s analysis show a tool designed for data exfiltration above all.

X-Tunnel is based on an open-source network tunneling protocol

Belcher claims that the name X-Tunnel, given to this tool, is not a coincidence. The malware seems to be a rough modification of the XTunnel PortMap open source project by Xten, a Chinese company.

This application was developed on XTunnel, a protocol used in the early days of softphones and VoIP communications, and was used to open connections from firewalled networks to IPs on the outside of the network without having to request system administrators to open special ports.

The XTunnel protocol would probe the firewall on its own, searching for open ports, and use the first port it found to open a connection.
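The two passages above describe the same behaviour from two sides: Invincea’s point that a permissive outbound policy leaves only “port knocking” on the inside of the firewall as a clue (with ICMP or UDP as a fallback), and the protocol description of a client that walks outbound ports until one gets through and then holds that connection. Below is an added example, not code from the page, Invincea or Xten, that looks for exactly that pattern in firewall flow records: an inside host attempting several distinct ports on one external address within a short window and then keeping a long-lived session on one of them, plus any allowed ICMP or non-DNS/NTP UDP egress from an internal host. The log format, thresholds (5 ports, 5 minutes, 900-second session), address ranges and all flow lines are constructed.

```python
"""Egress-side detection for the probe-then-tunnel behaviour described
above.  Added example; the flow records and thresholds are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these ranges are the organisation's internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
# Assumption: UDP to these ports is expected infrastructure traffic.
UDP_ALLOWLIST = {53, 123}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line):
    """Parse one constructed flow record:
    '<iso-time> <proto> <src> <dst> <dport> <allow|deny> <duration-seconds>'"""
    ts, proto, src, dst, dport, action, dur = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "proto": proto, "src": src, "dst": dst, "dport": int(dport),
            "action": action, "dur": int(dur)}


def detect(lines, probe_ports=5, window=timedelta(minutes=5), long_session=900):
    """Return alert strings for probe-then-tunnel sequences and for ICMP/UDP
    egress from internal hosts to external addresses."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    by_pair = defaultdict(list)
    alerts = []
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                       # only internal -> external egress
        if f["action"] == "allow" and (
                f["proto"] == "icmp" or
                (f["proto"] == "udp" and f["dport"] not in UDP_ALLOWLIST)):
            alerts.append(f"non-TCP egress: {f['proto']} {f['src']} -> {f['dst']}")
        by_pair[(f["src"], f["dst"])].append(f)
    for (src, dst), pair_flows in by_pair.items():
        tcp = [f for f in pair_flows if f["proto"] == "tcp"]
        for i, f in enumerate(tcp):
            if f["action"] != "allow" or f["dur"] < long_session:
                continue
            # Distinct ports this host tried on the same address just before
            # the long-lived session, whatever the firewall's verdict was.
            tried = {g["dport"] for g in tcp[:i] if f["ts"] - g["ts"] <= window}
            if len(tried) >= probe_ports:
                alerts.append(f"probe-then-tunnel: {src} tried {len(tried)} ports "
                              f"on {dst}, then held {f['dport']}/tcp for {f['dur']}s")
            break                          # one alert per host pair is enough
    return alerts


# Constructed flows: 10.1.2.3 probes an external address, 10.1.2.4 browses.
SAMPLE_FLOWS = [
    "2016-04-18T09:00:01Z tcp 10.1.2.3 203.0.113.10 21 deny 0",
    "2016-04-18T09:00:02Z tcp 10.1.2.3 203.0.113.10 22 deny 0",
    "2016-04-18T09:00:03Z tcp 10.1.2.3 203.0.113.10 25 deny 0",
    "2016-04-18T09:00:04Z tcp 10.1.2.3 203.0.113.10 80 allow 1",
    "2016-04-18T09:00:05Z tcp 10.1.2.3 203.0.113.10 110 deny 0",
    "2016-04-18T09:00:06Z tcp 10.1.2.3 203.0.113.10 143 deny 0",
    "2016-04-18T09:00:08Z tcp 10.1.2.3 203.0.113.10 443 allow 3600",
    "2016-04-18T09:00:20Z icmp 10.1.2.3 203.0.113.10 0 allow 0",
    "2016-04-18T09:00:25Z udp 10.1.2.3 203.0.113.10 4444 allow 0",
    "2016-04-18T09:01:00Z tcp 10.1.2.4 198.51.100.20 443 allow 120",
    "2016-04-18T09:01:30Z tcp 10.1.2.4 198.51.100.20 80 allow 5",
    "2016-04-18T09:02:00Z udp 10.1.2.4 10.0.0.53 53 allow 0",
    "2016-04-18T09:02:10Z udp 10.1.2.4 203.0.113.99 123 allow 0",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The probe count deliberately ignores whether each attempt was allowed or denied: under the permissive policy Invincea describes, the probes are short allowed sessions that never complete a handshake, while under a default-deny egress policy they appear as denies followed by one allowed port. Either way the tell is several distinct ports to one external address immediately before a long-lived session, which is why a tightened egress policy helps detection even when it cannot block everything.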

Development of the protocol stopped when Xten was acquired by another company, which closed-sourced the project, taking it out of the hands of the open-source community.

“The Fancy Bear threat actors used, by today’s standards, a very old, but still reliable network module used for softphone and video and VoIP capabilities to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT),” Belcher explains.

“Previous reports from Crowdstrike and others note that the XTunnel tool was used to maintain network connectivity. Whether the XTunnel tool was used for additional purposes as its capabilities suggest is unknown, but it had the potential to support a full range of additional activity,” Belcher also added, reconfirming X-Tunnel’s additional RAT features.

A theory of the malware’s possible infection vector stems from a trojan named Komplex, which was found in September 2016 to be infecting Macs through a combination of emails sent to specific targets (aka spear phishing) and containing a PDF attachment that held the malicious code that would lead to infecting the system upon opening the PDF.

While this is a common vector for infection for many trojans, it is nonetheless important for users to practice safe internet habits and not open or preview emails from unknown senders, and under no circumstances should you ever open an attachment that is sent to you from someone you don’t know.

Install software only from authorized developers

While computers are understandably used to make our lives easier, the software that runs on them interacts with a lot of potentially sensitive data and can be targeted by threat actors or even be designed by them. To minimize this risk, Apple has implemented several technologies throughout the years, such as Gatekeeper and System Integrity Protection (SIP), that serve to allow authorized software developers with verified signatures the right to have their apps installed on macOS and to prevent malware from running by protecting system directories from unauthorized modification by rogue applications.

These technologies come turned on by default, but can be manually disabled by administrators. Given the threats posed by malware introduced as trojans, setting Gatekeeper to allow software installs from the App Store and identified developers is a safe bet. Safer still, allowing only software that comes from the App Store is the best protection.

Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers

In 2016 and 2017, 25 Americans, including CIA agents, who worked in the U.S. Embassy in Cuba suffered serious brain injuries causing impaired vision and memory loss among other persistent symptoms. Now, we’ve learned that at least 15 American officials in China suffered unexplained brain trauma soon after.

The American military itself sought to develop microwave arms that could invisibly beam painfully loud booms and even spoken words into people’s heads. The aims were to disable attackers and wage psychological warfare.

Now, doctors and scientists say such unconventional weapons may have caused the baffling symptoms and ailments that, starting in late 2016, hit more than three dozen American diplomats and family members in Cuba and China. The Cuban incidents resulted in a diplomatic rupture between Havana and Washington.

In China, 60 Minutes found similar issues.

Catherine Werner: I woke up in the middle of the night. I could feel this sound in my head. Um, it was intense pressure on both of my temples. At the same time, I heard this low humming sound, and it was oscillating. And I remember looking around for where this sound was coming from, because it was painful.

Scott Pelley: When did you first notice that you weren’t feeling well?

Catherine Werner: October of 2017, I started to get hives all over my body. Really bad hives. I woke up with headaches every day. Um, I started to feel tired. The simplest things would just make me very, very tired.

Scott Pelley: Were these symptoms growing worse over time?

Catherine Werner: They were. Yes. My symptoms would get so bad that I would throw up, or I would wake up with nosebleeds.

She says even her dogs were throwing up blood. Werner assumed her illness was connected to China’s toxic smog. She didn’t know it at the time but her symptoms were the same that American officials in Havana had suffered since 2016. The U.S. Embassy there is all but closed as a result.

Catherine Werner became so ill, her mother traveled from the U.S. to live with her.

Catherine Werner: She spent almost three months with me. During that time she also got very ill. Um, and she and I shared the same symptoms.

Scott Pelley: What sort of symptoms did your mother have?

Catherine Werner: Headaches and um, ringing in our ears. Um, we also started to both um, have difficulty recalling words.

After reporting her experiences, Werner was medically evacuated to the U.S. for treatment. U.S. agencies are investigating, but Mark Lenzi has a theory.

Mark Lenzi: This was a directed standoff attack against my apartment.

Scott Pelley: It was a weapon?

Mark Lenzi: Oh, of course it was a weapon.

Scott Pelley: An energy weapon–

Mark Lenzi: Absolutely.

Scott Pelley: What sort of energy is this that we’re talking about?

Mark Lenzi: I believe it’s RF, radio frequency energy, in the microwave range.

A clue that supports that theory was revealed by the National Security Agency in 2014. This NSA statement describes such a weapon as a “high-powered microwave system weapon that may have the ability to weaken, intimidate, or kill an enemy over time without leaving evidence.” The statement goes on to say “…this weapon is designed to bathe a target’s living quarters in microwaves.” The NSA disclosed this in a worker’s compensation case filed by former NSA employee Mike Beck.

In her paper, scheduled to be published September 15 in Neural Computation, Golomb compared rates of described symptoms among diplomats with a published 2012 study of symptoms reported by people affected by electromagnetic radiation in Japan. By and large, she said the cited symptoms — headache, cognitive problems, sleep issues, irritability, nervousness or anxiety, dizziness and tinnitus (ringing in the ears) — occurred at strikingly similar rates.

Some diplomats reported hearing loss. That symptom was not assessed in both studies so rates could not be compared, but Golomb said it is widely reported in both conditions. She also noted that previous brain imaging research in persons affected by RF/EMR “showed evidence of traumatic brain injury, paralleling reports in diplomats.”


Monica Witt Iran Spy

Ms. Witt was born in El Paso on 8 April 1979. Her family moved to Florida when she was quite young.

She enlisted in the Air Force and entered active duty about eight months after her 18th birthday, in 1997, just after the death of her mother. Slender, with straight brown hair, she was quickly assigned to the crew of an RC-135 spy plane — a jet packed with reconnaissance equipment. She served as an airborne cryptologic linguist and later became a special agent with the Air Force Office of Special Investigations.

She first deployed to the Middle East in 2002, when she was sent to Saudi Arabia.

Eventually Witt was drawn into the all-consuming “war on terror”, posted to Thumrait air base in Oman and Irbil in Iraq, according to a posting on an Iraq veterans’ website. The experience seems to have been the key to her disillusion.

Other missions followed: to Diego Garcia, a British atoll in the Indian Ocean of immense strategic value to Western militaries, and to Greece. In 2005, she served an almost six-month deployment to Iraq at a time of growing sectarian violence and insurgent attacks. The next year, she began a roughly seven-month tour in Qatar.

She last served with the 2nd Field Investigations Squadron, Joint Base Andrews in Maryland, the Air Force said in the Military Times story. A spokesperson for the US Air Force told the BBC she was discharged in June 2008 with the rank of Technical Sergeant.

In June 2008, she earned a bachelor’s degree from the University of Maryland University College, and later worked for two national security contractors. Eventually, she entered graduate school at George Washington, an academic proving ground for aspiring diplomats and researchers near the State Department’s headquarters.

“After viewing so much corruption and the damage we were doing both to Iraq/Afghanistan and to the perception of the US, I decided I needed to do as much as I could to help rectify the situation.”

However, after leaving the air force she stayed in the defence industry. She worked for five months as an intelligence analyst for the contractor Booz Allen Hamilton and then more than two years at another Virginia-based contractor, Chenega Federal Systems, where she said on her resume that she had “supervised, controlled, and coordinated the execution of highly sensitive counterintelligence operations against foreign intelligence services worldwide”.

George Washington University’s International Affairs Review published two articles by Ms Witt in 2012. She criticised the US for calling on Iran’s neighbours to sever relations with Tehran. “In enacting a policy of severe sanctions against Iran, the US should address the potential affects (sic) on other countries and not inadvertently alienate friends by making them choose between Iran and the US” wrote Ms Witt.

According to her online CV, she lived and worked within countries including Iraq, Qatar, Jordan, Turkey, the UAE, Tajikistan and Iran.

More than a year before she allegedly defected, U.S. Air Force counterintelligence officer Monica Witt attended a film conference in Iran – an event that U.S. officials and former intelligence officers said was likely a recruiting ground for Iranian spy masters.

“It’s an intelligence targeting platform for the Iranian security apparatus,” former longtime CIA case officer Darrell M. Blocker said of such conferences. “It’s not sold as an intel thing, but of course the [U.S.] intelligence community is aware of them.”

An indictment unsealed against Witt Wednesday alleges that in February 2012 she traveled to Iran for a conference called “Hollywoodism” put on by an organization known as New Horizon. On its website, the organization bills itself as a Tehran-based non-governmental organization (NGO) that hosts conferences that cover topics including “Iranophobia,” “Zionist Lobby” and “US State hostility towards Afro-Americans.”

Witt converted to Islam in a televised ceremony in 2012 on her first trip to Tehran, at the same time as a more high-profile convert, Sean Stone, the son of US film director Oliver Stone.

Witt’s change in allegiance became clearer after a series of contacts with an unnamed Iranian from 2012 to 2013, investigators said. Witt allegedly provided her personal biography and job history and, before taking a flight from Dubai to Tehran, emailed her contact, “I’m signing off and heading out! Coming home,” closing with a smile emoji.

Ms. Witt defected in 2013 and became a spy for the Iranian security service. It was the climax of a radicalization that was rooted in Ms. Witt’s military service and that accelerated while she was in graduate school. The F.B.I., around the time Ms. Witt earned her graduate degree, alerted her that Iran’s intelligence service had its eye on her.

She told an Iranian contact that she was “endeavoring to put the training I received to good use instead of evil,” according to prosecutors.

In the weeks after defecting, she also conducted several Facebook searches of her former colleagues, and is alleged to have exposed one agent’s true identity, “thereby risking the life of this individual”.

Former intelligence officials familiar with the case described the damage to national security as severe, in part because she is suspected of revealing the names of double agents run by the United States, and the American authorities have struggled to conclude exactly why she turned on her country.

Jude Shao 1998

“Jude is a very honest person, and he was very clever when he was a boy. He had a strong sense of self-confidence, and he became very ambitious,” said Shao’s older sister, Jingli Shao, 48, an eye doctor who coordinates his legal defense campaign. As a teenager, she raised Shao when their parents and two older brothers were banished to the countryside during the chaos of the Cultural Revolution in the early 1970s.

The fraternal bonds run deep, especially after their father died in June 2002 at the age of 72. “If Jude is released I hope he can travel between the U.S. and China,” said Jingli Shao. “He’s a U.S. citizen, but his home and family are in Shanghai.”

Asked about his father in his jailhouse interview, Shao’s voice cracked. “That’s the background that shaped my attitude about many things,” he said.

Shao fought bitterly with prison officials for the privilege to wear plain clothes, not prison garb, when he made a deathbed visit—in irons—shortly before his father died, said cellmate Ohmert.

After becoming an American citizen in 1997, Shao was imprisoned in China’s Qing Pu Prison on tax fraud charges from 1998 to 2008.

Shao, 54, came to the United States in 1986 to study educational technology at Rhode Island College. He later earned a master’s degree at Stanford and began splitting his time between San Francisco and Shanghai, where he ran a company exporting U.S. medical imaging equipment to China. He became a naturalized U.S. citizen in 1997.

He was among the first class of expatriates to try their hand at business in China, as the country’s economy began to take off after years of strict central control. His business grew quickly until Shanghai officials came knocking at his door. Shao told tax auditors they could see the books, but after that he locked the door and refused to cooperate or pay a $50,000 bribe, he says.

His refusal, he says, landed him in more trouble with the authorities. They accused him of tax evasion and detained him at the Shanghai airport when he arrived on a flight from the United States.

Shao’s staff called the U.S. Consulate when he didn’t show up to work.

“Because I’m not white, I’m Chinese just like them, they didn’t know they were holding an American citizen,” Shao said. “By that time it was too late. They were playing hardball.”

Shao, 45, had about five years left on a 16-year sentence for tax evasion and fraud — allegations that his supporters say were false.

For years, Shao’s former classmates from the Stanford Graduate School of Business led a campaign seeking his freedom, and many members of Congress and the Bush administration pressed the Chinese government to release him.

Under China’s legal system, Shao had been eligible for parole since 2006 but had been denied, with no public explanation given. But Wednesday — a day after U.S. Secretary of State Condoleezza Rice concluded a visit to Beijing during which human rights were discussed — Shao walked out of Qingpu Prison, on the outskirts of Shanghai.

Shao’s release came a day after Secretary of State Condoleezza Rice concluded her visit to Beijing, and the LA Times reports several China specialists who noted, with the Olympics next month, Beijing was eager to buff up its image, which recently had been tarnished by deadly riots in Tibet and other incidents in which Chinese lawyers, journalists and human rights activists had been silenced.

Others detained

HOME: Somerset, N.J.
ARRESTED: May 2005
STATUS: Released September 2005

Quit computer job to found natural products exporter. Sold $3 million of U.S.-made vitamins and supplements to China. Arrested at Chengdu airport on suspicion of spying for Taiwan, despite having no business or political ties there. Claims he was interrogated over three months, sometimes for 12 hours a day. Released after pressure from State Department, but he lost most Chinese contracts due to press accounts of alleged spying.

HOME: West Orange, N.J.
ARRESTED: February 2001
STATUS: Released October 2003

Worked as a consultant for foreign power companies in China. Arrested on business trip to Beijing, accused of paying $245,000 in bribes for secret documents. Disputed charges and claimed he was extorted by a local official. Held 20 months without a trial, according to Human Rights Watch. Eventually sentenced to five years in prison. Released three and a half years early after exhibiting “repentant behavior.”


Paul Tatum Russia and a Hotel

Paul Tatum was born in 1955 in Edmond, Oklahoma. He graduated from Edmond Memorial High School.

When he was an undergraduate at Oklahoma State University, he persuaded friends to pool the money to send him on a “semester at sea” aboard a sort of sailing classroom. He tasted travel, and commerce too: On the streets of Tunis, he earned a quick 300% profit and a few thousand dollars selling cigarettes bought from the captain of his ship.

Tatum dropped out of college after his junior year and made what was, for a young person, a clever but genuinely odd career move: He borrowed $10,000 and donated it to the Republican National Committee. A donation that size made a person a “Republican Eagle” and guaranteed a certain amount of access. Tatum, perceiving a route to prominence, plunged into GOP fundraising in Oklahoma.

Tatum first came to Russia in 1985 at the age of 29 when he was with an American trade delegation.

By the time he was 30, Tatum had already made big money in oil and real estate and lost a million dollars when Oklahoma City’s Penn Square Bank collapsed in 1983.

In 1987, Tatum set up a business center for foreign firms in Moscow. He and several other American businessmen founded Americom International Corporation.

Two important associates in Americom were H.R. “Bob” Haldeman and Bernie Rome, two former members of President Nixon’s staff. Tatum came into contact with them while he was working as a fundraiser for the Republican Party. They helped Tatum get an ‘in’ with all the important people in Russia and enabled him to set up and expand his business without too many difficulties.

Tatum saw that even the best of the Moscow hotels were poorly lit, shabbily carpeted monoliths with plenty of bars but no place to find a good meal or a dependable telephone. His idea was to create oases where foreign businessmen could feel at home.


Paul Tatum

Tatum formed a company called Americom Business Centers in 1989, and H.R. “Bob” Haldeman, Nixon’s former chief of staff, out of jail and dabbling in hotels, hooked up Americom with Apollo Acquisitions, a tiny holding company in Florida that was publicly traded, had cash to invest, and was looking for a good idea. Apollo and Americom merged.

That same year, Tatum found his property: a gray, half-finished monstrosity on Moscow’s Berezhkovskaya Embankment, facing east toward the Moscow River. It was owned by Intourist, the Soviet tourism monolith, which wanted to erect a hotel that could earn hard–that is, foreign–currency.

Tatum started talking to big U.S. hotel chains and found that Radisson Hotels International was itching to establish a beachhead in the Soviet Union, then a closed market.

By 1990, Tatum’s company RedAmer Partnership joined up with Radisson Hotel Corporation and signed a contract with Goskom Intourist and later the Moscow City Government that agreed to construct an American hotel combined with a business center that would go by the name Intourist Redamer Hotel and Business Center (later changed to Radisson Slavyanskaya Hotel). A year later, in June of 1991, the hotel opened its doors. Together, they would turn a half-finished Intourist hotel a mile west of the Kremlin into a Western-style luxury hotel and office center. Intourist got a 50% share of the business, Radisson 10% and Tatum’s company, Americom Business Centers, 40%.

The hotel was a moneymaker. Bill Clinton, Al Gore, Warren Christopher, and their armies of security men swarmed over the hotel during summits with Yeltsin; Sharon Stone sashayed across its polished marble floors; the NBC and Reuters Moscow news bureaus anchored the high-hat tenant list. In the hotel’s European restaurants, expatriates clinked imported beers and ate sirloins, grateful to escape the slog of daily life in Russia, if only for a few hours.

The four-star, 430-room Radisson-Slavjanskaya became a center for Moscow’s foreign community, offering business services, a press club, restaurants, a bank, swanky shops and an English-language movie house complete with popcorn.

The hotel–and Tatum–played host to many of Moscow’s most famous and well-heeled visitors, from businessmen and tourists to entertainers and diplomats.

Tatum, accompanied by pretty women, became a fixture of Moscow’s party scene. In 1992, a Russian magazine listed the sandy-haired American as one of the city’s most eligible bachelors.

President Yeltsin in 1993 handed Moscow mayor Yuri Luzhkov exclusive control over privatization of property and businesses within the city limits, in effect a monopoly on one of Europe’s most lucrative real estate markets. So Tatum had a new Russian partner once again: the Moscow City Property Committee, which overnight rose up as the most potent agency in town, a smoothly running profit center with a percentage cut in nearly every Russian and foreign business setting up shop. The Property Committee eventually settled on a dapper Chechen businessman, Umar Dzhabrailov, to represent its interest in the Radisson Slavyanskaya.

By 1994, the partnership Tatum had put together was unraveling.

Tatum and the Radisson Corp. were squabbling about finances. Radisson was flexing its muscles. It provided stopgap funding during the venture’s cash crunch, and it claimed that in return it was owed a larger stake in the RadAmer partnership. Tatum sued Radisson, and that same day, Radisson sued him back. John Norlander, then president of Radisson Hotels International, says, “We wanted to manage a hotel and … to expand globally. He wanted the same thing, we thought, and to manage the business center for fees.” But the headstrong Tatum hated ceding as much as a hint of control, even when his financial straits called for compromise. Radisson and Americom began to clash over everything, swapping accusations of bad management and shoddy bookkeeping.

Radisson had enough of Tatum. At the end of 1994, the company asked a U.S. court to release it from “the rotting corpse of the partnership” with Tatum’s Americom. The request was granted.

Tatum walked into the hotel one day in June 1994, and armed guards in double-breasted suits blocked his way. On orders of the hotel’s Russian general director, he was not to be allowed inside.

Tatum fought back.

He held a news conference in the hotel parking lot to denounce his Russian partners. A week-and-a-half later, accompanied by a dozen bodyguards and wearing a light-blue bulletproof vest, he bulled his way back into the hotel.

In January 1995 problems arose with the General Director of the American partnership. The American had not received his Russian visa and was not going to receive one either. The loss of the General Director was a big blow for Tatum, because that position would now be taken over by someone from the Russian partnership. Umar Dzhabrailov was named General Director. Dzhabrailov was a Chechen with heavy connections within the Moscow City Government, and he used those connections to get the position. But those were not the only connections Umar Dzhabrailov had: several law enforcement agencies, including the F.B.I. and Interpol, listed Dzhabrailov as a member of Chechen organized crime. A report in the Russian press went even further, calling Dzhabrailov a “known contract killer and one of a handful of Chechen mafia bosses operating in Moscow.” Dzhabrailov does not deny his ties to organized crime but says they are “only social”. With Dzhabrailov as General Director, things took a turn for the worse for Paul Tatum.

Paul Tatum did not realize it right away, but the Russian partnership had made ousting him its priority, by any means possible. While Tatum went about his business, the Russian side showed its teeth. On St. Valentine’s Day 1995 one of Tatum’s bodyguards was found beaten and stabbed in the chest with a pen knife. The bodyguard also carried a message from his attackers: “Tell Paul it’s high time he left for home.” Most businessmen would have gotten the message and left town immediately, but not Paul Tatum. Tatum had grown fond of the Moscow nightlife, the clubs, the women. He had enough money and liked to spend it, and some even say he started acting like a mobster, throwing around cash and surrounding himself with gorgeous women. Meanwhile the cold war for control of the hotel and business center continued. Tatum had increased the number of his bodyguards, and after the attack on one of them he took extra security measures: he now always had bodyguards watch empty rooms so no one could plant bombs in them. He also decided to fight Dzhabrailov in the media, calling him a “genuine Mafioso” who “has threatened he can kill me at any time.” The fight had turned ugly and was now spilling from the boardrooms onto the public scene.

Umar Dzhabrailov (right) attends a concert with TV personality Ksenia Sobchak in Moscow in February 2012.

After months of warring between Tatum and Dzhabrailov, in February 1996 it looked like there would be a solution to Tatum’s problems. The solution was to bribe Dzhabrailov and the Moscow City Government: if Tatum paid the sum of $1 million to a certain person, all his troubles would end. $500,000 would go to the Moscow City Government and the other $500,000 to Dzhabrailov, so that he would resign or step down as General Director. But instead of paying, Tatum decided to take the matter to court. He sued the Russian partners for $35 million in additional payments and damages. In the media Tatum remained as defiant as ever, saying, “They will have to shoot me to get rid of me.” Things were heating up, and Tatum was bracing himself for the hit. He had now said goodbye to the fast nightlife of Moscow, preferring to stay in his hotel in suites 850 and 852. Tatum was told repeatedly by U.S. embassy officials to leave Russia; he replied in USA Today: “I feel like I’m fighting a one-man battle. They’d rather pay than stand up and fight.” On September 30, 1996 Tatum went even further and published a full-page ad in a Moscow paper addressed to Moscow mayor Yuri Luzhkov:

“Yuri M. Luzhkov: I must tell you that not one person here in Russia or abroad is fooled. All know of the dangerous activities. I implore you to show the world your resolve and commitment to become the catalyst to solve these grave problems-peacefully, efficiently, with fairness and justice for the investor and for the legal agreements under which their original activities were created. The world now awaits this signal. This is your choice and your crossroads. Where do you stand, Yuri M. Luzhkov? In the shadows or the bright sunlight?”

Tatum knew murder was a corporate strategy in Moscow. He knew 200 Russian business executives had been killed in Mafia-style hits in the city in the last year.

Vladislav Listyev, the popular television journalist, was shot dead outside his apartment in a crime linked to control of the lucrative TV advertising market. Ivan Kivelidi, chairman of the Russian Business Round Table, was killed by nerve toxin, applied, it was said, to his telephone receiver. The year 1995 produced roughly 560 recorded contract killings. Police solved just 60; of them, two-thirds were found to have been committed by the victims’ bodyguards.

The Russian business community was decimated. “I take a look around this room,” says Oleg Kiselev, the new president of the Russian Business Round Table, “and I see about a dozen empty seats. All my friends.”

The deliberate, gangland-style killing remained a Russian affair, however. When Western businessmen were threatened, they generally fled. A few, though, like Tatum, clung to the peculiarly American belief that Russia would bend to the inevitability of progress, free markets, the rule of law, and the force of their will.

The Russian share of the partnership kept changing hands. The Soviet Intourist Agency gave way to a Russian agency when the Soviet Union broke up. Then the Russian agency was replaced by the Moscow City Property Committee.

In the process, Tatum maintained, organized crime figures muscled their way in.

Tatum claimed the Russians were trying to push their foreign partners out so they could take over the hotel. The Russians said Tatum kept sloppy books and didn’t pay his debts.

It wasn’t unusual for the early Soviet joint ventures to collapse in acrimony. In most cases, the foreigners fled or found a way to settle quietly.

With millions of dollars at stake, Tatum refused to do either.

That April, Tatum decided to pitch what he hoped would be a decisive battle, filing a $35 million lawsuit against the Moscow City Property Committee for discriminating against foreign investors. The case would be heard in Stockholm at an international arbitration court, which increasingly had been sought out by embittered Westerners seeking an escape route from deteriorating joint ventures. But Tatum needed $150,000 to pay court costs. So he took out full-page ads in Moscow newspapers offering to sell investors “Freedom bonds,” promissory notes that would pay back a 100% return in six months, when he expected to be flush with court-awarded winnings. The bonds were to mature on April 2, 1997, his 42nd birthday.

But by 1996, the Radisson had become a model of how severely such ventures could go wrong. The Russian stake had changed hands three times and was being administered by a charming young Chechen whom Tatum suspected of having ties to the mob. Western lenders, fearful of Moscow’s deteriorating business climate, had turned down Tatum’s loan applications. Tatum had appealed to the public for funds to pursue his lawsuit, hoping other Western businessmen would, in effect, invest in his $35 million damages claim.

So when a call came late on a Sunday afternoon last November from someone with information–or offering to help finance his case, was it?–Tatum leaped to the phone. After a rapid conversation in English, he grabbed his coat and headed with two bodyguards for the dingy metro station a stone’s throw from the Radisson. Tatum’s Russian partners long before had taken away his cream-colored Mercedes. Lately the metro was the safest means for him to get around anyway, and certainly the cheapest. Bankers and other important people “got killed in cars,” he reminded anyone who would listen.

On November 3, 1996, around 5:00 p.m., Paul Tatum left his hotel and headed towards the Kievskaya metro station, where he had arranged to meet someone. The American and his two bodyguards started down the wide, worn steps to the subway. Behind them stood a figure carrying a large plastic bag. Concealed inside was a Kalashnikov assault rifle.

The businessman, Paul E. Tatum, 39, a native of Edmond, Okla., and a former fund-raiser for the Oklahoma Republican Party, was killed near the entrance to the Kievsky metro station in downtown Moscow, a police spokesman said. The station is located near the Radisson-Slavyanskaya hotel, where Mr. Tatum had his office.

When Tatum arrived there with his bodyguards, the person he was supposed to meet was not there. Instead a man walked up towards Tatum and shot him eleven times from five meters’ distance with an AK-47. Tatum’s bodyguards did nothing to protect their boss; the killer dropped his weapon and fled the scene unharmed. The bodyguards rushed their wounded boss to the hospital, but to no avail: Paul Tatum died shortly after his arrival.

Tatum’s killer took considerable care even with the date, according to Alexander Fefelov, a former KGB agent with his own security firm and an adviser to the American Chamber of Commerce security subcommittee. Sunday evening, November 3, was the perfect time for murder. Because of an upcoming midweek Wednesday holiday, many people were stretching the weekend into five days. Thomas Pickering, the longtime American ambassador in Moscow, had recently left his post; an interim ambassador was on duty. The U.S. embassy would close Tuesday to observe Election Day back home.

The 5.45-caliber Kalashnikov assault rifle was fired so expertly as to rule out a nonprofessional. Five of the 12 bullets entered at the neck, indicating the killer knew Tatum might be wearing his bulletproof vest. Whoever fired was well trained in preventing the weapon’s powerful kick from spraying passersby. Both Tatum’s bodyguards were unharmed.

The shooter threw down the rifle, serial numbers filed off, and leaped into a white Zhiguli sedan, perhaps the most common make in Moscow. The same day the car was found ten minutes from the scene on Rostovskaya Embankment, unlocked and empty. A week before, police said, the owner had sold it for $5,000 cash at an outdoor market to a man who did not give his name.

On January 27, the Stockholm tribunal handed down its judgment–in favor of the Russian partners’ claims that Americom had diverted funds to offshore bank accounts and failed to keep proper accounting records. Americom’s management contract to run the retail shops and business center is to be “terminated,” and Americom to pay $2.6 million in damages to the Russian partners.

Shortly after the news of Tatum’s death, Dzhabrailov and the Moscow City Government took undisputed control of the Radisson Slavyanskaya Hotel and business center. He denied any role in the Tatum murder but did say: “What goes around, comes around.” Dzhabrailov also saw to it that a planned memorial service at the hotel was nixed, as was Tatum’s wish to be buried at the prestigious Novodevichy Cemetery. Tatum was eventually cremated and interred in the Moscow Novodevichy cemetery. “Paul never learned it was their country,” said Tatum’s Americom associate Bernie Rome. “He was like a bull in a china shop. He didn’t understand you have to play by Russian rules. It’s all very sad.”

Dzhabrailov represented his native Chechnya region in Russia’s upper parliament house in 2004-09. He was a deputy chairman of the chamber’s International Relations Committee and a member of Russia’s delegation to the Parliamentary Assembly of the Council of Europe.

Dzhabrailov’s name became widely known amid a dispute over ownership of the Radisson Slavyanskaya hotel in Moscow. His partner in the project, American businessman Paul Tatum, was shot dead near the hotel in November 1996, months after he had publicly accused Dzhabrailov of planning to kill him.

Dzhabrailov ran for president in 2000, receiving about 80,000 votes in the election that handed President Vladimir Putin his first term.

He is the founder of Avanti, a lobby group that says its mission is the promotion of “patriotic business.”

Paul Tatum’s murder, and some of the murders before it:

November 3, 1996: Paul Tatum, U.S. businessman who co-owned one of Moscow’s most prestigious hotels, is shot dead with a submachine gun at Moscow subway underpass. Tatum was involved in long-running dispute with Russian partners over control of hotel.
June 13, 1996: Vladimir Oberderfer, a regional representative of nationalist presidential candidate Vladimir Zhirinovsky is shot dead in the Siberian mining city Novokuznetsk. Novokuznetsk police said the likely motive lay in Oberderfer’s activities as an owner of a trading business, rather than politics.
June 13, 1996: Viktor Mosalov, mayor of Zhukovsky in Moscow Oblast, is shot three times in the head. Local police ruled out a political motive and said local officials are ”more economic than political leaders.”
June 6, 1996: Valery Shantsev, candidate for the post of deputy mayor of Moscow, was seriously wounded when a bomb exploded as he was leaving his apartment building.

Moscow police secure a murder scene (epa file photo)

November 28, 1995: State Duma Deputy Sergei Markidonov of the Stability faction, is shot in the head during a campaign trip to Petrovsk-Zabaikalsky in Chita Oblast.

October 17, 1995: Mosstroibank President Mikhail Zhuravlyov is killed in Moscow.
August 5, 1995: Russian Business Roundtable head and Rosbiznesbank Chairman Ivan Kivelidi is poisoned to death. Kivelidi had been openly critical of Russian police for failing to protect businesspeople or investigate their murders, especially in the wake of the July 21 killing of banker Oleg Kantor.
July 20, 1995: Yugorsky bank Chairman Oleg Kantor is killed by being repeatedly stabbed at his country house outside of Moscow. Yugorsky bank was heavily involved in the oil and gas sectors.
April 1995: Sergei Kushnaryov, a founding member of Russia’s Agrarian Party, is stabbed to death in a suspected contract killing.
March 1995: Alla Gnezdilova, a judge, is murdered in Birobidzhan, the capital of Russia’s far eastern Jewish Autonomous Region, in an apparent contract killing.
March 1, 1995: Russian Public Television head Vladislav Listyev is shot in the heart by an unknown gunman outside his Moscow home. The attack is linked to opponents of an advertising ban he had proposed for the television channel.
November 5, 1994: State Duma Deputy Valentin Martemyanov of the Communist Party, dies of wounds suffered during a vicious beating in Moscow several days earlier. The killing is never explained.
April 26, 1994: State Duma Deputy Andrei Aizderdis of the New Regional Policy faction, is shot to death with a hunting rifle outside his Moscow home.
February 2, 1994: State Duma Deputy Sergei Skorochkin of Vladimir Zhirinovsky’s Liberal Democratic Party is killed in Moscow, his body hand-cuffed to railway tracks.
October 17, 1994: Investigative journalist Dmitry Kholodov, who specialized on corruption in the Defense Ministry, is killed when a briefcase he picked up at a Moscow train station after an anonymous tip blows up in his office.


Taipei Commercial Bank ATM heists

On July 9 and 10 of 2016, the ATM network of the First Commercial Bank in Taiwan was hit by a well-coordinated hack that took control of the system, forcing selected ATM machines to spew cash out to waiting bagmen. The criminals made off with over NT$83 million (US$2.5 million) in a single weekend, making this one of the biggest robberies ever in Taiwan.

“This is the first time that an international team of ATM thieves has committed a crime in Taiwan,” the head of the police’s Criminal Investigation Division, Lee Wen-chang, told the media.

As 2016 waned and investigators continued to pore over the available data, a report by international cybersecurity investigations firm Group-IB linked the hack and heist of First Bank to an international syndicate likely based in Russia or East Europe. The gang has been code-named “Cobalt” based on its use of a publicly available security testing tool, Cobalt Strike, to gain access to banks’ networks and thereby to its ATM machines.

The group has used this approach to pull off coordinated attacks enabling it to rob millions of US dollars beginning last June. Cobalt is linked to attacks on ATM networks mostly in Europe but also in Asia. Besides Taiwan, the other countries affected have included Britain, Estonia, Malaysia, the Netherlands, Poland, Russia, Spain, and Thailand.

The group that orchestrated the theft of over $2 million from cash machines at Taiwan’s First Commercial Bank in July was also behind an ATM hacking spree in more than a dozen European nations last year, according to cyber security firm Group-IB.

The methods that the so-called Cobalt group used in Europe matched those used in Taiwan, Group-IB said in its latest client report.

Wearing hats and antipollution masks, the two Russians loitered at the machine for a moment. Then, as the astonished couple in line behind them later told the police, the ATM started disgorging cash without either man touching it. The men shoved the bills into a satchel and brushed past them. As the Russians drove off in a black sedan, the couple spotted something on the ground: one of the guys had dropped his bank card.

By the time detectives traced Berezovsky and Berkman to the nearby Grand Hyatt the next day, the Russians had already jetted off to Moscow by way of Hong Kong. And they were just two of 15 “money mules” who’d hit 41 ATMs at 22 branches of First Commercial over that stormy weekend, the cops learned, taking 83 million New Taiwan dollars (NT$), or about $2.6 million. Hackers, investigators discovered, had forced the machines to spit out cash.

The Carbanak gang had struck again.

Before WannaCry, before the Sony Pictures hack, and before the breaches that opened up Equifax and Yahoo!, there was a nasty bit of malware known as Carbanak. Unlike those spectacular attacks, this malware wasn’t created by people interested in paralyzing institutions for ransom, publishing embarrassing emails, or taking personal data. The Carbanak guys just wanted loot, and lots of it.

Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that’s become the stuff of legend in the digital underworld.

Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses. “Carbanak is the first time we saw such novel methods used to penetrate big financial institutions and their networks,” says James Chappell, co-founder and chief innovation officer of Digital Shadows Ltd., a London intelligence firm that works with the Bank of England and other lending institutions. “It’s the breadth of the attacks, that’s what’s truly different about this one.”

Three Eastern European men were arrested in Taiwan in July on suspicion of collecting cash stolen from ATMs owned by First Commercial Bank, a unit of First Financial Holding Co Ltd.

Attorneys for the three defendants in an ongoing trial in Taipei told Reuters their clients were not familiar with Cobalt.

The men – identified in court documents as Peregudovs Andrejs of Latvia, Colibaba Mihail of Romania and Pencov Nicolae of Moldova – were among a total of 22 individuals, all foreign nationals, that Taiwanese authorities suspect of taking part in the theft; most of the money was subsequently recovered.

The suspects used malware dubbed “ATM spitter” in the First Commercial Bank attacks, as well as similar hacks in countries including Armenia, Belarus, Britain, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia and Spain, Group-IB said in a report to its customers that Reuters reviewed on Thursday.

Group-IB first detailed the European spree in a report published in November, identifying the hackers as the Cobalt group.

The firm linked Cobalt to the Taiwan heist in its report last week.

Investigators in Taiwan told Reuters they were not aware of any links between Cobalt and the hackers behind the First Commercial Bank heist.

“What we can say is the people behind this hacking were very good,” a Taiwanese investigator familiar with the case told Reuters, on condition of anonymity because the investigator was not authorized to speak with media.

The defendants, who maintain their innocence, said in a court hearing on Wednesday that they were not members of any international crime organization. Taipei prosecutors have said they suspect First Commercial Bank’s network was breached at a London branch office.

One of the suspected ringleaders of an ATM heist nearly two years ago has been arrested in Spain, the Criminal Investigation Bureau (CIB) said in a statement on Monday.

The investigation into the theft of more than NT$83 million (US$2.85 million at the current exchange rate) from state-run First Commercial Bank ATMs has lasted nearly 20 months and involved the joint efforts of Taiwanese authorities, the Spanish national police, the European Cybercrime Centre and private cybersecurity companies, the bureau said.

Identified only as Denys, the Russian is believed to be one of the leaders of a cybercrime syndicate called “Cobalt,” which is suspected of targeting banks, e-payment systems and financial institutions around the world using malware, known as Cobalt Strike, since 2016, the bureau said.

The group has allegedly infiltrated more than 100 financial institutions in 40 nations and stolen about 1 billion euros (US$1.2 billion).

A total of 22 suspects from six countries were involved in the high-profile theft in Taiwan from July 9 to July 11, 2016.

Nineteen of the suspects fled the nation and were placed on a wanted list.

Members of the international ring allegedly withdrew money from 51 First Commercial Bank ATMs in Taipei, New Taipei City and Taichung after using malware to hack into the bank’s computer system.

Authorities were alerted to the hack when members of the public in Taipei reported seeing two men collecting cash from an ATM in the middle of the night.

Police were able to track down and arrest three men — one who was allegedly indirectly involved in the heist and two who were allegedly in Taiwan to recover the money and transfer it out of the nation.

About NT$5.79 million of the stolen cash is still unaccounted for.
