Jude Shao 1998

“Jude is a very honest person, and he was very clever when he was a boy. He had a strong sense of self-confidence, and he became very ambitious,” said Shao’s older sister, Jingli Shao, 48, an eye doctor who coordinates his legal defense campaign. As a teenager, she raised Shao when their parents and two older brothers were banished to the countryside during the chaos of the Cultural Revolution in the early 1970s.

The sibling bond runs deep, especially after their father died in June 2002 at the age of 72. “If Jude is released I hope he can travel between the U.S. and China,” said Jingli Shao. “He’s a U.S. citizen, but his home and family are in Shanghai.”

Asked about his father in his jailhouse interview, Shao’s voice cracked. “That’s the background that shaped my attitude about many things,” he said.

Shao fought bitterly with prison officials for the privilege to wear plain clothes, not prison garb, when he made a deathbed visit—in irons—shortly before his father died, said cellmate Ohmert.

After becoming an American citizen in 1997, Shao was imprisoned in China’s Qingpu Prison on tax fraud charges from 1998 to 2008.

Shao, 54, came to the United States in 1986 to study educational technology at Rhode Island College. He later earned a master’s degree at Stanford and began splitting his time between San Francisco and Shanghai, where he ran a company exporting U.S. medical imaging equipment to China. He became a naturalized U.S. citizen in 1997.

He was among the first class of expatriates to try their hand at business in China, as the country’s economy began to take off after years of strict central control. His business grew quickly until Shanghai officials came knocking at his door. Shao told tax auditors they could see the books, but after that he locked the door and refused to cooperate or pay a $50,000 bribe, he says.

His refusal, he says, landed him in more trouble with the authorities. They accused him of tax evasion and detained him at the Shanghai airport when he arrived on a flight from the United States.

Shao’s staff called the U.S. Consulate when he didn’t show up to work.

“Because I’m not white, I’m Chinese just like them, they didn’t know they were holding an American citizen,” Shao said. “By that time it was too late. They were playing hardball.”

Shao, 45, had about five years left on a 16-year sentence for tax evasion and fraud — allegations that his supporters say were false.

For years, Shao’s former classmates from the Stanford Graduate School of Business led a campaign seeking his freedom, and many members of Congress and the Bush administration pressed the Chinese government to release him.

Under China’s legal system, Shao had been eligible for parole since 2006 but had been denied, with no public explanation given. But Wednesday — a day after U.S. Secretary of State Condoleezza Rice concluded a visit to Beijing during which human rights were discussed — Shao walked out of Qingpu Prison, on the outskirts of Shanghai.

Several China specialists quoted by the LA Times noted that, with the Olympics a month away, Beijing was eager to buff up its image, which recently had been tarnished by deadly riots in Tibet and other incidents in which Chinese lawyers, journalists and human rights activists had been silenced.

Others detained

XIE (CHARLIE) CHUNREN, 56
HOME: Somerset, N.J.
ARRESTED: May 2005
STATUS: Released September 2005

Quit computer job to found natural products exporter. Sold $3 million of U.S.-made vitamins and supplements to China. Arrested at Chengdu airport on suspicion of spying for Taiwan, despite having no business or political ties there. Claims he was interrogated over three months, sometimes for 12 hours a day. Released after pressure from State Department, but he lost most Chinese contracts due to press accounts of alleged spying.

FONG FUMING, 70
HOME: West Orange, N.J.
ARRESTED: February 2001
STATUS: Released October 2003

Worked as a consultant for foreign power companies in China. Arrested on business trip to Beijing, accused of paying $245,000 in bribes for secret documents. Disputed charges and claimed he was extorted by a local official. Held 20 months without a trial, according to Human Rights Watch. Eventually sentenced to five years in prison. Released three and a half years early after exhibiting “repentant behavior.”


Paul Tatum, Russia and a Hotel

Paul Tatum was born in 1955 in Edmond, Oklahoma. He graduated from Edmond Memorial High School.

When he was an undergraduate at Oklahoma State University, he persuaded friends to pool the money to send him on a “semester at sea” aboard a sort of sailing classroom. He tasted travel, and commerce too: On the streets of Tunis, he earned a quick 300% profit and a few thousand dollars selling cigarettes bought from the captain of his ship.

Tatum dropped out of college after his junior year and made what was, for a young person, a clever but genuinely odd career move: He borrowed $10,000 and donated it to the Republican National Committee. A donation that size made a person a “Republican Eagle” and guaranteed a certain amount of access. Tatum, perceiving a route to prominence, plunged into GOP fundraising in Oklahoma.

Tatum first came to Russia in 1985 at the age of 29 when he was with an American trade delegation.

By the time he was 30, Tatum had already made big money in oil and real estate and lost a million dollars when Oklahoma City’s Penn Square Bank collapsed in 1983.

In 1987, Tatum set up a business center for foreign firms in Moscow. He and several other American businessmen founded Americom International Corporation.

Two important associates in Americom were H.R. “Bob” Haldeman, President Nixon’s former chief of staff, and Bernie Rome, whom Tatum had met while working as a fundraiser for the Republican Party. They helped Tatum get an ‘in’ with all the important people in Russia and enabled him to set up and expand his business without too many difficulties.

Tatum saw that even the best of the Moscow hotels were poorly lit, shabbily carpeted monoliths with plenty of bars but no place to find a good meal or a dependable telephone. His idea was to create oases where foreign businessmen could feel at home.

Paul Tatum

Tatum formed a company called Americom Business Centers in 1989, and H.R. “Bob” Haldeman, Nixon’s former chief of staff, out of jail and dabbling in hotels, hooked up Americom with Apollo Acquisitions, a tiny holding company in Florida that was publicly traded, had cash to invest, and was looking for a good idea. Apollo and Americom merged.

That same year, Tatum found his property: a gray, half-finished monstrosity on Moscow’s Berezhkovskaya Embankment, facing east toward the Moscow River. It was owned by Intourist, the Soviet tourism monolith, which wanted to erect a hotel that could earn hard–that is, foreign–currency.

Tatum started talking to big U.S. hotel chains and found that Radisson Hotels International was itching to establish a beachhead in the Soviet Union, then a closed market.

By 1990, Tatum’s company, the RedAmer Partnership, had joined up with Radisson Hotel Corporation and signed a contract with Goskom Intourist (and later the Moscow City Government) to build an American hotel combined with a business center, to be called the Intourist Redamer Hotel and Business Center (later renamed the Radisson Slavyanskaya Hotel). A year later, in June 1991, the hotel opened its doors. Together, they would turn a half-finished Intourist hotel a mile west of the Kremlin into a Western-style luxury hotel and office center. Intourist got a 50% share of the business, Radisson 10% and Tatum’s company, Americom Business Centers, 40%.

The hotel was a moneymaker. Bill Clinton, Al Gore, Warren Christopher, and their armies of security men swarmed over the hotel during summits with Yeltsin; Sharon Stone sashayed across its polished marble floors; the NBC and Reuters Moscow news bureaus anchored the high-hat tenant list. In the hotel’s European restaurants, expatriates clinked imported beers and ate sirloins, grateful to escape the slog of daily life in Russia, if only for a few hours.

The four-star, 430-room Radisson-Slavjanskaya became a center for Moscow’s foreign community, offering business services, a press club, restaurants, a bank, swanky shops and an English-language movie house complete with popcorn.

The hotel–and Tatum–played host to many of Moscow’s most famous and well-heeled visitors, from businessmen and tourists to entertainers and diplomats.

Tatum, accompanied by pretty women, became a fixture of Moscow’s party scene. In 1992, a Russian magazine listed the sandy-haired American as one of the city’s most eligible bachelors.

President Yeltsin in 1993 handed Moscow mayor Yuri Luzhkov exclusive control over privatization of property and businesses within the city limits, in effect a monopoly on one of Europe’s most lucrative real estate markets. So Tatum had a new Russian partner once again: the Moscow City Property Committee, which overnight rose up as the most potent agency in town, a smoothly running profit center with a percentage cut in nearly every Russian and foreign business setting up shop. The Property Committee eventually settled on a dapper Chechen businessman, Umar Dzhabrailov, to represent its interest in the Radisson Slavyanskaya.

By 1994, the partnership Tatum had put together was unraveling.

Tatum and the Radisson Corp. were squabbling about finances. Radisson was flexing its muscles. It provided stopgap funding during the venture’s cash crunch, and it claimed that in return it was owed a larger stake in the RadAmer partnership. Tatum sued Radisson, and that same day, Radisson sued him back. John Norlander, then president of Radisson Hotels International, says, “We wanted to manage a hotel and … to expand globally. He wanted the same thing, we thought, and to manage the business center for fees.” But the headstrong Tatum hated ceding as much as a hint of control, even when his financial straits called for compromise. Radisson and Americom began to clash over everything, swapping accusations of bad management and shoddy bookkeeping.

Radisson had enough of Tatum. At the end of 1994, the company asked a U.S. court to release it from “the rotting corpse of the partnership” with Tatum’s Americom. The request was granted.

Tatum walked into the hotel one day in June 1994, and armed guards in double-breasted suits blocked his way. On orders of the hotel’s Russian general director, he was not to be allowed inside.

Tatum fought back.

He held a news conference in the hotel parking lot to denounce his Russian partners. A week-and-a-half later, accompanied by a dozen bodyguards and wearing a light-blue bulletproof vest, he bulled his way back into the hotel.

In January 1995 problems arose over the General Director of the American partnership. The American hadn’t received his Russian visa and wasn’t going to receive one either. The loss of the General Director was a big blow for Tatum, because that position would now be taken over by someone from the Russian partnership. Umar Dzhabrailov was named General Director. Dzhabrailov was a Chechen with heavy connections within the Moscow City Government, and he used those connections to get the position. But those weren’t his only connections: several law enforcement agencies, including the F.B.I. and Interpol, list Dzhabrailov as a member of Chechen organized crime. A report in the Russian press went even further, calling Dzhabrailov a “known contract killer and one of a handful of Chechen mafia bosses operating in Moscow.” Dzhabrailov doesn’t deny his ties to organized crime but says they are “only social.” With Dzhabrailov as General Director, things took a turn for the worse for Paul Tatum.

Paul Tatum didn’t realize it right away, but the Russian partnership had made ousting him its priority, by any means possible. While Tatum went about his business, the Russian side showed its teeth. On St Valentine’s Day 1995 one of Tatum’s bodyguards was found beaten and stabbed in the chest with a pen knife. The bodyguard also carried a message from his attackers: “Tell Paul it’s high time he left for home.” Most businessmen would have gotten the message and left town immediately, but not Paul Tatum. Tatum had grown fond of the Moscow nightlife, the clubs, the women. He had enough money and liked to spend it, and some even say he started acting like a mobster, throwing around cash and surrounding himself with gorgeous women. Meanwhile the cold war for control of the hotel and business center continued. Tatum increased his bodyguard detail and, after the attack on his bodyguard, took extra security measures: he now had his bodyguards watch empty rooms so no one could plant bombs in them. He also decided to fight Dzhabrailov in the media, calling him a “genuine Mafioso” who “has threatened he can kill me at any time.” The fight had turned ugly and was now spilling from the boardrooms onto the public scene.

Umar Dzhabrailov (right) attends a concert with TV personality Ksenia Sobchak in Moscow in February 2012.

After months of warring between Tatum and Dzhabrailov, in February 1996 it looked like there would be a solution to Tatum’s problems. The solution was to bribe Dzhabrailov and the Moscow City Government. If Tatum paid the sum of $1 million to a certain person, all his troubles would end: $500,000 would go to the Moscow City Government and the other $500,000 to Dzhabrailov, so that he would resign or step down as General Director. Instead of paying, Tatum decided to take the matter to court. He sued the Russian partners for $35 million in additional payments and damages. In the media Tatum remained as defiant as ever, saying “They will have to shoot me to get rid of me.” Things were heating up and Tatum was bracing himself for the hit. He had now said goodbye to the fast nightlife of Moscow, preferring to stay in his hotel in suites 850 and 852. Tatum was told repeatedly by U.S. embassy officials to leave Russia; he replied in USA Today: “I feel like I’m fighting a one-man battle. They’d rather pay than stand up and fight.” On September 30, 1996 Tatum went even further, publishing a full-page ad in a Moscow paper directed at Moscow mayor Yuri Luzhkov:

“Yuri M. Luzhkov: I must tell you that not one person here in Russia or abroad is fooled. All know of the dangerous activities. I implore you to show the world your resolve and commitment to become the catalyst to solve these grave problems-peacefully, efficiently, with fairness and justice for the investor and for the legal agreements under which their original activities were created. The world now awaits this signal. This is your choice and your crossroads. Where do you stand, Yuri M. Luzhkov? In the shadows or the bright sunlight?”

Tatum knew murder was a corporate strategy in Moscow. He knew 200 Russian business executives had been killed in Mafia-style hits in the city in the last year.

Vladislav Listyev, the popular television journalist, was shot dead outside his apartment in a crime linked to control of the lucrative TV advertising market. Ivan Kivelidi, chairman of the Russian Business Round Table, was killed by nerve toxin, applied, it was said, to his telephone receiver. The year 1995 produced roughly 560 recorded contract killings. Police solved just 60; of them, two-thirds were found to have been committed by the victims’ bodyguards.

The Russian business community was decimated. “I take a look around this room,” says Oleg Kiselev, the new president of the Russian Business Round Table, “and I see about a dozen empty seats. All my friends.”

The deliberate, gangland-style killing remained a Russian affair, however. When Western businessmen were threatened, they generally fled. A few, though, like Tatum, clung to the peculiarly American belief that Russia would bend to the inevitability of progress, free markets, the rule of law, and the force of their will.

The Russian share of the partnership kept changing hands. The Soviet Intourist Agency gave way to a Russian agency when the Soviet Union broke up. Then the Russian agency was replaced by the Moscow City Property Committee.

In the process, Tatum maintained, organized crime figures muscled their way in.

Tatum claimed the Russians were trying to push their foreign partners out so they could take over the hotel. The Russians said Tatum kept sloppy books and didn’t pay his debts.

It wasn’t unusual for the early Soviet joint ventures to collapse in acrimony. In most cases, the foreigners fled or found a way to settle quietly.

With millions of dollars at stake, Tatum refused to do either.

That April, Tatum decided to pitch what he hoped would be a decisive battle, filing a $35 million lawsuit against the Moscow City Property Committee for discriminating against foreign investors. The case would be heard in Stockholm at an international arbitration court, which increasingly had been sought out by embittered Westerners seeking an escape route from deteriorating joint ventures. But Tatum needed $150,000 to pay court costs. So he took out full-page ads in Moscow newspapers offering to sell investors “Freedom bonds,” promissory notes that would pay back a 100% return in six months, when he expected to be flush with court-awarded winnings. The bonds were to mature on April 2, 1997, his 42nd birthday.

But by 1996, the Radisson had become a model of how severely such ventures could go wrong. The Russian stake had changed hands three times and was being administered by a charming young Chechen whom Tatum suspected of having ties to the mob. Western lenders, fearful of Moscow’s deteriorating business climate, had turned down Tatum’s loan applications. Tatum had appealed to the public for funds to pursue his lawsuit, hoping other Western businessmen would, in effect, invest in his $35 million damages claim.

So when a call came late on a Sunday afternoon in November 1996 from someone with information–or offering to help finance his case, was it?–Tatum leaped to the phone. After a rapid conversation in English, he grabbed his coat and headed with two bodyguards for the dingy metro station a stone’s throw from the Radisson. Tatum’s Russian partners long before had taken away his cream-colored Mercedes. Lately the metro was the safest means for him to get around anyway, and certainly the cheapest. Bankers and other important people “got killed in cars,” he reminded anyone who would listen.

On November 3, 1996, around 5:00 PM, Paul Tatum left his hotel and headed towards the Kievskaya metro station, where he had arranged to meet someone. The American and his two bodyguards started down the wide, worn steps to the subway. Behind them stood a figure carrying a large plastic bag. Concealed inside was a Kalashnikov assault rifle.

The businessman, Paul E. Tatum, 41, a native of Edmond, Okla., and a former fund-raiser for the Oklahoma Republican Party, was killed near the entrance to the Kievsky metro station in downtown Moscow, a police spokesman said. The station is located near the Radisson-Slavyanskaya hotel, where Mr. Tatum had his office.

When Tatum arrived there with his bodyguards, the person he was supposed to meet wasn’t there. Instead a man walked up towards Tatum and shot him eleven times from five meters away with an AK-47. Tatum’s bodyguards did nothing to protect their boss; the killer dropped his weapon and fled the scene unharmed. The bodyguards rushed their wounded boss to the hospital, but to no avail: Paul Tatum died shortly after his arrival.

Tatum’s killer took considerable care even with the date, according to Alexander Fefelov, a former KGB agent with his own security firm and an adviser to the American Chamber of Commerce security subcommittee. Sunday evening, November 3, was the perfect time for murder. Because of a holiday the following Wednesday, many people were stretching the weekend into five days. Thomas Pickering, the longtime American ambassador in Moscow, had recently left his post; an interim ambassador was on duty. The U.S. embassy would close Tuesday to observe Election Day back home.

The 5.45 mm Kalashnikov assault rifle was fired so expertly as to rule out a nonprofessional. Five of the 12 bullets entered at the neck, indicating the killer knew Tatum might be wearing his bulletproof vest. Whoever fired was well trained in preventing the weapon’s powerful kick from spraying passersby. Both of Tatum’s bodyguards were unharmed.

The shooter threw down the rifle, serial numbers filed off, and leaped into a white Zhiguli sedan, perhaps the most common make in Moscow. The same day the car was found ten minutes from the scene on Rostovskaya Embankment, unlocked and empty. A week before, police said, the owner had sold it for $5,000 cash at an outdoor market to a man who did not give his name.

On January 27, 1997, the Stockholm tribunal handed down its judgment–in favor of the Russian partners’ claims that Americom had diverted funds to offshore bank accounts and failed to keep proper accounting records. Americom’s management contract to run the retail shops and business center was to be “terminated,” and Americom was to pay $2.6 million in damages to the Russian partners.

Shortly after the news of Tatum’s death, Dzhabrailov and the Moscow City Government took undisputed control of the Radisson Slavyanskaya Hotel and business center. He denied any role in the Tatum murder but did say: “What goes around, comes around.” Dzhabrailov also saw to it that a planned memorial service at the hotel was nixed, as was Tatum’s wish to be buried at the prestigious Novodevichy Cemetery. Tatum was eventually cremated and interred in Moscow’s Novodevichy Cemetery. “Paul never learned it was their country,” said Tatum’s Americom associate Bernie Rome. “He was like a bull in a china shop. He didn’t understand you have to play by Russian rules. It’s all very sad.”

Dzhabrailov represented his native Chechnya region in Russia’s upper parliament house in 2004-09. He was a deputy chairman of the chamber’s International Relations Committee and a member of Russia’s delegation to the Parliamentary Assembly of the Council of Europe.

Dzhabrailov’s name became widely known amid a dispute over ownership of the Radisson Slavyanskaya hotel in Moscow. His partner in the project, American businessman Paul Tatum, was shot dead near the hotel in November 1996, months after he had publicly accused Dzhabrailov of planning to kill him.

Dzhabrailov ran for president in 2000, receiving about 80,000 votes in the election that handed President Vladimir Putin his first term.

He is the founder of Avanti, a lobby group that says its mission is the promotion of “patriotic business.”

Some of the contract killings leading up to, and including, Paul Tatum’s:

November 3, 1996: Paul Tatum, U.S. businessman who co-owned one of Moscow’s most prestigious hotels, is shot dead with a submachine gun at Moscow subway underpass. Tatum was involved in long-running dispute with Russian partners over control of hotel.
June 13, 1996: Vladimir Oberderfer, a regional representative of nationalist presidential candidate Vladimir Zhirinovsky is shot dead in the Siberian mining city Novokuznetsk. Novokuznetsk police said the likely motive lay in Oberderfer’s activities as an owner of a trading business, rather than politics.
June 13, 1996: Viktor Mosalov, mayor of Zhukovsky in Moscow Oblast, is shot three times in the head. Local police ruled out a political motive and said local officials are ”more economic than political leaders.”
June 6, 1996: Valery Shantsev, candidate for the post of deputy mayor of Moscow, was seriously wounded when a bomb exploded as he was leaving his apartment building.

Moscow police secure a murder scene (epa file photo)

November 28, 1995: State Duma Deputy Sergei Markidonov of the Stability faction, is shot in the head during a campaign trip to Petrovsk-Zabaikalsky in Chita Oblast.

October 17, 1995: Mosstroibank President Mikhail Zhuravlyov is killed in Moscow.
August 5, 1995: Russian Business Roundtable head and Rosbiznesbank Chairman Ivan Kivelidi is poisoned to death. Kivelidi had been openly critical of Russian police for failing to protect businesspeople or investigate their murders, especially in the wake of the July 21 killing of banker Oleg Kantor.
July 20, 1995: Yugorsky bank Chairman Oleg Kantor is killed by being repeatedly stabbed at his country house outside of Moscow. Yugorsky bank was heavily involved in the oil and gas sectors.
April 1995: Sergei Kushnaryov, a founding member of Russia’s Agrarian Party, is stabbed to death in a suspected contract killing.
March 1995: Alla Gnezdilova, a judge, is murdered in Birobidzhan, the capital of Russia’s far eastern Jewish Autonomous Region, in an apparent contract killing.
March 1, 1995: Russian Public Television head Vladislav Listyev is shot in the heart by an unknown gunman outside his Moscow home. The attack is linked to opponents of an advertising ban he had proposed for the television channel.
November 5, 1994: State Duma Deputy Valentin Martemyanov of the Communist Party, dies of wounds suffered during a vicious beating in Moscow several days earlier. The killing is never explained.
October 17, 1994: Investigative journalist Dmitry Kholodov, who specialized in corruption in the Defense Ministry, is killed when a briefcase he picked up at a Moscow train station after an anonymous tip blows up in his office.
April 26, 1994: State Duma Deputy Andrei Aizderdis of the New Regional Policy faction, is shot to death with a hunting rifle outside his Moscow home.
February 2, 1994: State Duma Deputy Sergei Skorochkin of Vladimir Zhirinovsky’s Liberal Democratic Party is killed in Moscow, his body handcuffed to railway tracks.


Taipei: First Commercial Bank ATM heists

On July 9 and 10 of 2016, the ATM network of the First Commercial Bank in Taiwan was hit by a well-coordinated hack that took control of the system, forcing selected ATM machines to spew cash out to waiting bagmen. The criminals made off with over NT$83 million (US$2.5 million) in a single weekend, making this one of the biggest robberies ever in Taiwan.

“This is the first time that an international team of ATM thieves has committed a crime in Taiwan,” the head of the police’s Criminal Investigation Division, Lee Wen-chang, told the media.

As 2016 waned and investigators continued to pore over the available data, a report by the international cybersecurity investigations firm Group-IB linked the hack and heist of First Bank to an international syndicate likely based in Russia or Eastern Europe. The gang has been code-named “Cobalt” because of its use of a publicly available penetration-testing tool, Cobalt Strike, to gain access to banks’ networks and thereby to their ATMs.

The group has used this approach to pull off coordinated attacks enabling it to rob millions of US dollars beginning in June 2016. Cobalt is linked to attacks on ATM networks mostly in Europe but also in Asia. Besides Taiwan, the other countries affected have included Britain, Estonia, Malaysia, the Netherlands, Poland, Russia, Spain, and Thailand.

The group that orchestrated the theft of over $2 million from cash machines at Taiwan’s First Commercial Bank in July was also behind an ATM hacking spree in more than a dozen European nations last year, according to cyber security firm Group-IB.

The methods that the so-called Cobalt group used in Europe matched those used in Taiwan, Group-IB said in its latest client report.

Two of the money mules, later identified as Berezovsky and Berkman, wore hats and antipollution masks as they loitered at the machine for a moment. Then, as the astonished couple in line behind them later told the police, the ATM started disgorging cash without either man touching it. The men shoved the bills into a satchel and brushed past them. As the Russians drove off in a black sedan, the couple spotted something on the ground: one of the men had dropped his bank card.

By the time detectives traced Berezovsky and Berkman to the nearby Grand Hyatt the next day, the Russians had already jetted off to Moscow by way of Hong Kong. And they were just two of 15 “money mules” who’d hit 41 ATMs at 22 branches of First Commercial over that stormy weekend, the cops learned, taking 83 million New Taiwan dollars (NT$), or about $2.6 million. Hackers, investigators discovered, had forced the machines to spit out cash.

The Carbanak gang had struck again.

Before WannaCry, before the Sony Pictures hack, and before the breaches that opened up Equifax and Yahoo!, there was a nasty bit of malware known as Carbanak. Unlike those spectacular attacks, this malware wasn’t created by people interested in paralyzing institutions for ransom, publishing embarrassing emails, or taking personal data. The Carbanak guys just wanted loot, and lots of it.

Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that’s become the stuff of legend in the digital underworld.

Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses. “Carbanak is the first time we saw such novel methods used to penetrate big financial institutions and their networks,” says James Chappell, co-founder and chief innovation officer of Digital Shadows Ltd., a London intelligence firm that works with the Bank of England and other lending institutions. “It’s the breadth of the attacks, that’s what’s truly different about this one.”

Three Eastern European men were arrested in Taiwan in July 2016 on suspicion of collecting cash stolen from ATMs owned by First Commercial Bank, a unit of First Financial Holding Co Ltd.

Attorneys for the three defendants in an ongoing trial in Taipei told Reuters their clients were not familiar with Cobalt.

The men – identified in court documents as Peregudovs Andrejs of Latvia, Colibaba Mihail of Romania and Pencov Nicolae of Moldova – were among a total of 22 individuals, all foreign nationals, that Taiwanese authorities suspect of taking part in the theft, where most of the money was subsequently recovered.

The suspects used malware dubbed “ATM spitter” in the First Commercial Bank attacks, as well as in similar hacks in countries including Armenia, Belarus, Britain, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia and Spain, Group-IB said in a report to its customers that Reuters reviewed.

Group-IB first detailed the European spree in a report published in November, identifying the hackers as the Cobalt group.

The firm linked Cobalt to the Taiwan heist in its report last week.

Investigators in Taiwan told Reuters they were not aware of any links between Cobalt and the hackers behind the First Commercial Bank heist.

“What we can say is the people behind this hacking were very good,” a Taiwanese investigator familiar with the case told Reuters, on condition of anonymity because the investigator was not authorized to speak with media.

The defendants, who maintain their innocence, said in a court hearing on Wednesday that they were not members of any international crime organization. Taipei prosecutors have said they suspect First Commercial Bank’s network was breached at a London branch office.

One of the suspected ringleaders of an ATM heist nearly two years ago has been arrested in Spain, the Criminal Investigation Bureau (CIB) said in a statement on Monday.

The investigation into the theft of more than NT$83 million (US$2.85 million at the current exchange rate) from state-run First Commercial Bank ATMs has lasted nearly 20 months and involved the joint efforts of Taiwanese authorities, the Spanish national police, the European Cybercrime Centre and private cybersecurity companies, the bureau said.

Identified only as Denys, the Russian is believed to be one of the leaders of a cybercrime syndicate called “Cobalt,” which is suspected of targeting banks, e-payment systems and financial institutions around the world using malware, known as Cobalt Strike, since 2016, the bureau said.

The group has allegedly infiltrated more than 100 financial institutions in 40 nations and stolen about 1 billion euros (US$1.2 billion).

A total of 22 suspects from six countries were involved in the high-profile theft in Taiwan from July 9 to July 11, 2016.

Nineteen of the suspects fled the nation and were placed on a wanted list.

Members of the international ring allegedly withdrew money from 51 First Commercial Bank ATMs in Taipei, New Taipei City and Taichung after using malware to hack into the bank’s computer system.

Authorities were alerted to the hack when members of the public in Taipei reported seeing two men collecting cash from an ATM in the middle of the night.

Police were able to track down and arrest three men — one who was allegedly indirectly involved in the heist and two who were allegedly in Taiwan to recover the money and transfer it out of the nation.

About NT$5.79 million of the stolen cash is still unaccounted for.


NotPetya cyber-attacks


In 2017, delivery company FedEx said a recent cyber-attack had cost its TNT division about $300m (£221m).

The company was one of several to have its computer systems severely disrupted by the NotPetya ransomware outbreak in June.

Other international companies have also taken sizeable financial hits as a result of the malware.

Shipping company Maersk announced in August that it had costed its damage at “up to $300m”.

And consumer goods company Reckitt Benckiser warned the attack was likely to have cost it £110m.

For the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has killed more than 10,000 Ukrainians and displaced millions more. The conflict has also seen Ukraine become a scorched-earth testing ground for Russian cyberwar tactics. In 2015 and 2016, while the Kremlin-linked hackers known as Fancy Bear were busy breaking into the US Democratic National Committee’s servers, another group of agents known as Sandworm was hacking into dozens of Ukrainian governmental organizations and companies. They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data. The attacks followed a sadistic seasonal cadence. In the winters of both years, the saboteurs capped off their destructive sprees by causing widespread power outages—the first confirmed blackouts induced by hackers.

But those attacks still weren’t Sandworm’s grand finale. In the spring of 2017, unbeknownst to anyone at Linkos Group, Russian military hackers hijacked the company’s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have M.E.Doc installed. Then, in June 2017, the saboteurs used that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.

The result was more than $10 billion in total damages, according to a White House assessment confirmed to WIRED by former Homeland Security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official. Bossert and US intelligence agencies also confirmed in February that Russia’s military—the prime suspect in any cyberwar attack targeting Ukraine—was responsible for launching the malicious code. (The Russian foreign ministry declined to answer repeated requests for comment.)

White House press secretary Sarah Sanders, meanwhile, described NotPetya as “the most destructive and costly cyberattack in history.”

“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyberattack that will be met with international consequences,” Sanders said.

The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately. “To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach at Cisco’s Talos division, one of the first security companies to reverse engineer and analyze NotPetya. “By the second you saw it, your data center was already gone.”

NotPetya was propelled by two powerful hacker exploits working in tandem: One was a penetration tool known as EternalBlue, created by the US National Security Agency but leaked in a disastrous breach of the agency’s ultrasecret files earlier in 2017. EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely run their own code on any unpatched machine.

NotPetya’s architects combined that digital skeleton key with an older invention known as Mimikatz, created as a proof of concept by French security researcher Benjamin Delpy in 2011. Delpy had originally released Mimikatz to demonstrate that Windows left users’ passwords lingering in computers’ memory. Once hackers gained initial access to a computer, Mimikatz could pull those passwords out of RAM and use them to hack into other machines accessible with the same credentials. On networks with multiuser computers, it could even allow an automated attack to hopscotch from one machine to the next.

Before NotPetya’s launch, Microsoft had released a patch for its EternalBlue vulnerability. But EternalBlue and Mimikatz together nonetheless made a virulent combination. “You can infect computers that aren’t patched, and then you can grab the passwords from those computers to infect other computers that are patched,” Delpy says.

NotPetya took its name from its resemblance to the ransomware Petya, a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. But NotPetya’s ransom messages were only a ruse: The malware’s goal was purely destructive. It irreversibly encrypted computers’ master boot records, the deep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that victims tried to make was futile. No key even existed to reorder the scrambled noise of their computer’s contents.


The NSA security leak

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s arsenal is still being replaced, curtailing operations. Morale has plunged, and experienced specialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the N.S.A.’s leaked tools.

EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers. Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.

The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.

At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker’s toolbox—much like the password extraction tool Mimikatz. But EternalBlue’s widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers, including those in Russia’s Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.

New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”

And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.

“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors,” says Vikram Thakur, technical director of Symantec’s security response. “To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three.”

It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.


Cryptocurrency Osaka Japan Hacked

Another cryptocurrency heist has shaken Japan. This time, 6.7 billion yen ($60 million USD) worth of company and user funds have vanished from Japanese cryptocurrency exchange platform Zaif.

Tech Bureau Corp, the Osaka-based company that operates Zaif, estimates the heist occurred on September 14, 2018, between 5 p.m. and 7 p.m. local time. The exchange detected the breach on September 17, 2018, and reported the event to authorities the following day.

Of the stolen money, the hacker siphoned 4.5 billion yen (about $40 million USD) from user accounts and 2.2 billion yen (just under $19.5 million USD) from the company’s own assets. The three virtual currencies stolen include bitcoin, monacoin and bitcoin cash. Of those, $37.8 million were bitcoin funds (5,966 BTC).

Tech Bureau Corp will be able to tell the exact number of bitcoin cash and monacoin stolen once it gets its servers back up. All the cryptocurrency was taken from a server managing its hot wallet. A hot wallet refers to a wallet that remains online for immediate transactions. In contrast, a cold wallet represents more secure, long-term storage that is kept offline.

Early this year, Tokyo-based Coincheck saw a loss of $530 million worth of NEM tokens. That hack represented one of the largest financial losses since the introduction of bitcoin. Coincheck has since been acquired by Monex.

Since April 2017, Japan has required all of its crypto exchanges to be licensed. Both Coincheck and Tech Bureau Corp were founded in 2014, before the new laws went into effect. Coincheck was not fully licensed at the time it was hacked, but Tech Bureau Corp is a registered exchange.


The New York State Attorney General’s office has ratcheted up its war of words against cryptocurrency exchanges, warning consumers of the myriad of risks they face in depositing money on these platforms.

Crypto Exchanges at Risk of Manipulation
In a lengthy report on the “Virtual Markets Integrity Initiative,” New York’s Attorney General argues that online cryptocurrency exchanges are vulnerable to manipulation, fraud and other types of abuse. Consumers of these platforms therefore “face significant risks” from hackers and the exchange operators themselves, some of which have been known to exploit “deceptive and predatory practices, market manipulation, and insider abuses.”

“[V]irtual asset trading platforms now in operation have not registered under state or federal securities or commodities laws,” the report says. “Nor have they implemented common standards for security, internal controls, market surveillance protocols, disclosures, or other investor and consumer protections. Accordingly, customers of virtual asset trading platforms face significant risks.”

The report, which examines ten cryptocurrency exchanges operating in the U.S. and internationally, concludes a six-month investigation that was initiated by New York Attorney General Eric T. Schneiderman. Back in April, Schneiderman sent letters to 13 exchanges requesting information on their operations and internal controls.

Several Exchanges in the Hot Seat
At least four cryptocurrency exchanges were outed by the Attorney General’s office as being most problematic and possibly operating illegally in the state of New York. Not coincidentally, these exchanges refused to participate in the Attorney General’s request for information.

The report reads:

“Customers should be aware that the platforms that refused to participate in the OAG’s Initiative (Binance, Gate.io, Huobi, and Kraken) may not disclose all order types offered to certain traders, some of which could preference those traders at the expense of others, and that the trading performance of other customers on those venues could be negatively affected as a result.”

June 2011: Bitcoin user loses $500,000 in bitcoin to hackers
In early 2011, Bitcoin had been a tight-knit community of hobbyists. Mining bitcoins was easier back then: people could generate thousands of bitcoins using a conventional home PC.

That’s what allinvain, a user on the Bitcoin Talk forums, claimed to have done, amassing a fortune of 25,000 bitcoins. Bitcoins were worth pennies in 2010, but, by early June 2011, the price of bitcoins had soared to $20, making his bitcoins worth around $500,000.

Then, on June 13, disaster struck for allinvain. “I just woke up to see a very large chunk of my Bitcoin balance gone,” he wrote. Allinvain believed that someone had hacked into his PC and stolen the bitcoins from his hard drive, transferring them to an account controlled by the hackers.

If those coins had not been stolen—and he’d held on to them until today—they would be worth around $250 million.

August 2011: Wallet service MyBitcoins disappears from the Web
Bitcoin wallet services offer to store bitcoins on users’ behalf. These were initially portrayed as a convenience to the customer, but many of them turned out to be either insecurely run or outright frauds (it can be hard to tell, since the frauds tend to claim they were hacked).

One wallet service that was popular in Bitcoin’s early days, for example, was called MyBitcoin. In August 2011, the company disappeared from the Web, claiming the site was hacked.

This and similar experiences have made the Bitcoin community suspicious of online wallet services. With no real regulation, there’s no way for users to verify that a wallet service is reliable.

An exception to this is client-side Web wallets like the one offered by Blockchain.info. In these services, customer data is only stored in encrypted form on the server. Data is encrypted on the client side with a customer-provided password. That approach makes users less vulnerable than traditional wallet services where the service provider has direct control of the bitcoins.

March 2012: Hacked Web host leads to stolen bitcoins
Hackers exploited a vulnerability in the shared online web host Linode to steal at least 46,703 bitcoins—then worth more than $200,000—from several Linode users. That included more than 43,000 bitcoins stolen from Bitcoinica, an early Bitcoin exchange.

Bitcoinica suffered a second hack in May 2012 that cost the company another 18,000 bitcoins. It was then taken offline for a security audit. Bitcoinica didn’t survive these incidents. In August 2012, the site was sued by several users seeking the return of $460,000 in deposits.

One lesson of the Linode debacle is that Bitcoin-related businesses have to be extremely careful when operating on shared hosting providers. Bitcoins are secured by encryption keys. If any third party—either other customers or rogue employees—has access to customer data, they will be able to read the encryption keys and use them to transfer bitcoins away from their owners.

August 2012: Bitcoin Ponzi scheme is shut down
The Bitcoin Savings and Trust was a classic Ponzi scheme. Customers were lured in with a promise of high returns—seven percent per week—and new customers’ deposits were used to pay profits to previous customers.

The scheme shut down in August 2012, and a year later the government indicted organizer Trendon Shavers. The government accused him of raising more than 700,000 bitcoins from gullible customers. In 2014, a judge ordered Shavers to repay victims more than $40 million. The judge found the scheme had cost victims 265,678 bitcoins.

September 2012: More exchanges get hacked, shut down
In September 2012, a Bitcoin exchange called Bitfloor suffered a catastrophic attack. Attackers stole 24,000 bitcoins, then worth around $250,000. Bitfloor didn’t have $250,000 in reserves, so the theft effectively made Bitfloor insolvent.

Bitfloor resumed operations a few weeks later, hoping to earn enough in fees to repay earlier customers. But the effort was unsuccessful; Bitfloor closed its doors for good in April 2013, leaving frustrated users in its wake.

February 2014: Hackers bring down the world’s then-largest exchange
The Bitcoin world’s biggest financial fiasco was the collapse of Mt. Gox—then the world’s leading Bitcoin exchange—in 2014. Operated by French-born CEO Mark Karpelès from a headquarters in Japan, Mt. Gox was the main way people bought and sold Bitcoins from its foundation in 2010 until February 2014. Then Mt. Gox announced that 850,000 bitcoins had gone missing—likely stolen by hackers, the company said.

At early 2014 prices, those bitcoins were worth around $450 million. Today, they’d be worth $8.5 billion.

In July, US law enforcement officials announced they had arrested a suspect in the massive theft. A Russian man named Alexander Vinnik was the owner and operator of a competing Bitcoin exchange called BTC-e. The feds allege that he knowingly accepted stolen bitcoins from Mt. Gox and laundered them through his own bitcoin exchange.

The collapse of Mt. Gox left no shortage of angry customers. Ironically, the continued appreciation of Bitcoin’s value means that the bankrupt company could eventually be able to repay its debts in full—with piles of money left over. Mt. Gox’s assets and liabilities were frozen while the company worked through the bankruptcy process. The liabilities were frozen in terms of Japanese yen, while the company’s remaining bitcoins have ballooned in value—from around $400 each at the time of the bankruptcy to around $11,000 today.

Obviously, Mt. Gox’s former creditors believe they should be repaid in appreciated bitcoins, but Japanese law might not be on their side.

January 2015: Bitstamp exchange is hacked
In January 2015, the popular Bitcoin exchange Bitstamp reported that it had lost around 19,000 bitcoins, then worth about $5 million. The exchange survived the attack and remains a leading Bitcoin exchange today.

August 2016: Another exchange loses 120,000 bitcoins to hackers
In August 2016, the Bitcoin exchange Bitfinex announced that hackers had stolen $77 million worth of bitcoins. The company foisted these costs on to users, forcing them to take a 36-percent reduction in the value of their deposits.

Bitfinex is still around, but there are big questions about the company’s credibility. As the New York Times puts it, Bitfinex is an “opaque operation that provides no information on its website about where it is or who operates the company.”


Cameroon’s civil war

Cameroon’s governance and security problems have historically attracted little outside attention. But this seems likely to change, for two reasons. The first is the growing political crisis in the Central African nation’s English-speaking region. The second is a presidential election scheduled for October 2018.

Roughly 20% of the country’s population of 24.6 million people are Anglophone. The majority are Francophone. The unfair domination of French-speaking politicians in government has long been the source of conflict.

For a year and a half, the Cameroonian military has been accused of beating and arresting people suspected of being separatists, torching homes and killing unarmed protesters.

Activists in the country’s Anglophone western regions are protesting their forced assimilation into the dominant Francophone society. They argue that this process violates their minority rights, which are protected under agreements that date back to the 1960s. Anglophone political representation and involvement at many levels of society has dwindled since the Federal Republic of Cameroon became the United Republic of Cameroon in 1972. There are growing calls for the Anglophone region to secede from Cameroon.

After World War I, the territory was divided between France and the United Kingdom as League of Nations mandates. In 1960, the French-administered part of Cameroon became independent as the Republic of Cameroun. In 1961, the southern part of British Cameroons federated with it to form the Federal Republic of Cameroon. The federation was abandoned when the country was renamed the United Republic of Cameroon in 1972, and it was renamed again as the Republic of Cameroon in 1984.

It began in 2016 with demonstrations by English-speaking lawyers, students and teachers.
Protests against marginalisation by the French-speaking majority were met with a crackdown.
Activists were arrested, and several protesters shot by security forces.
Separatist demands for an independent state grew, resulting in increasing violence.
Some symbolically proclaimed the independence of a new state called “Ambazonia”.
Some 160,000 people have fled their homes in Cameroon, the UN says.
More than 20,000 have fled to Nigeria.
Journalists are being denied access to conflict zones.

On 12 June 2018, Amnesty International issued a report documenting human rights violations in Cameroon. The International Crisis Group says that at least 120 civilians and 43 members of security forces have been killed in the most recent waves of violence.



Trump Resignation Playbook

As the net around Cohen tightens, with the Russian $500,000 and years of texts from Trump to him, one possible scenario is that Trump resigns before impeachment. Pence would take over.

Impeachment proceedings would probably play out, but they could also stop.

A year later, Pence pardons Trump as Ford did Nixon. September 2018 could be the month.

