Pan Flu and War

Influenza pandemics occur when a novel animal flu virus acquires the ability to infect humans and they, in turn, transmit it to other humans. The 1918-19 Spanish flu epidemic (which despite the name may have originated in the American Midwest) killed 50 million to 100 million around the globe. Accounts at the time described people falling ill in the morning and dying that night.

The first confirmed outbreak occurred at Camp Funston, Fort Riley, Kansas, an American military facility that at the time was training American troops during World War I.

The first recorded victim was a mess cook, Private Albert Mitchell, who was diagnosed with a new strain of flu on March 11, 1918.


Oftentimes the patient would develop dark spots on their cheeks.

The lungs filled with a thick fluid.

As the fluid filled the lungs, the body parts that could not get oxygen began to turn blue. Many Spanish flu victims suffocated.



  • First Waves: Spring / Summer 1918
  • Peak of epidemic: mid September to early November 1918
  • Later Waves: Winter-Spring 1919, Fall-Winter 1920



  • 675,000 estimated deaths in the US due to influenza
  • 25% of population infected
  • 50 million to 100 million dead in the world
  • Highest mortality among 20-40 age group

After the lethal second wave struck in late 1918, new cases dropped abruptly – almost to nothing after the peak in the second wave.

In Philadelphia, for example, 4,597 people died in the week ending 16 October, but by 11 November, influenza had almost disappeared from the city.



There are many theories as to why it stopped: the virus mutated to a less lethal strain, better care, better hygiene.

1958-59 – The Asian flu of 1958 and 1959 had a global death toll as high as 2 million, an estimated 70,000 of those in the US alone.

Although the 2009 pandemic of influenza A H1N1 ended up being relatively mild—killing about one in 10,000 people who came down with it—it still claimed more than 14,000 lives across the globe.

2001 – Stolen anthrax kills seven. Long Island’s Brookhaven National Laboratory, University of Michigan and Louisiana State University were doing research on live anthrax.

2008 – Lab workers at different sites accidentally jabbed themselves with needles contaminated by anthrax or West Nile virus. An air-cleaning system meant to filter dangerous microbes out of a lab failed, but no one knew because the alarms had been turned off. A batch of West Nile virus, improperly packed in dry ice, burst open at a Federal Express shipping center. Mice infected with bubonic plague or Q fever went missing. And workers exposed to Q fever, brucellosis or tuberculosis did not realize it until they either became ill or blood tests detected the exposure.

2011 – Ron Fouchier, also of Erasmus Medical Center, and his team “mutated the hell out of H5N1” and looked at how readily it would bind with cells in the respiratory tract. What they found is that with as few as five single mutations it gained the ability to latch onto cells in the nasal and tracheal passageways, which, Fouchier added as understated emphasis, “seemed to be very bad news.”

The variety that they had created, however, when tested in ferrets (the best animal model for influenza research) still did not transmit very easily just through close contact. It wasn’t until “someone finally convinced me to do something really, really stupid,” Fouchier said, that they observed the deadly H5N1 become a viable aerosol virus. In the derided experiment, they let the virus itself evolve to gain that killer capacity. To do that, they put the mutated virus in the nose of one ferret; after that ferret got sick, they put infected material from the first ferret into the nose of a second. After repeating this 10 times, H5N1 became as easily transmissible as the seasonal flu.

The lesson from these admittedly high-risk experiments is that “the H5N1 virus can become airborne,” Fouchier concluded—and that “re-assortment with mammalian viruses is not needed” for it to evolve to spread through the air. And each of these mutations has already been observed in animals. “The mutations are out there, but they have not gotten together yet,” Osterhaus said.

2014 – “Influenza virus genome consists not of a single DNA or RNA molecule as many other viruses do, but of eight individual segments resembling in some sense the chromosomes of the human genome. Every segment is a separate RNA molecule.” If different strains co-infect a single cell, their genomes may exchange these segments in a process called reassortment. This may lead to emergence of a novel genome consisting, for instance, of three segments obtained from one viral genome and five segments from another.

2014 – In the UK, High-security laboratories that handle lethal viruses and bacteria have reported more than 100 accidents or near-misses to safety regulators in the past five years, official reports have disclosed. One error led to live anthrax being sent from a government facility to unsuspecting labs across the UK, a mistake that exposed other scientists to the disease. Another caused the failure of an air handling system that helped contain foot and mouth disease at a large animal lab.

2014 – Vials of smallpox and other infectious agents were discovered in a government laboratory on the campus of the National Institutes of Health after being stored and apparently forgotten about 50 years ago.

2015 – The Department of Defense discovered that one of its labs had inadvertently sent live anthrax to almost 200 other labs worldwide over 12 years.

2016 – One avian influenza strain, H7N9, is causing widespread infection in Chinese poultry and occasionally infecting humans. During the 2016-17 flu season, 759 Chinese who had been in contact with infected poultry were stricken; 281 of them died.

So the flu can be weaponized.


Would the future soldier have to wear this?

The budget for disease analysis and science is at a record high. The USA has over 200 labs handling and researching pathogens and viruses. Errors in handling are more prevalent.

Now flash to 2020.

The flu has the ability to mutate easily.  Try to imagine a pandemic that infects 30% of your neighbors and kills 60% of those it infects. That means 18% of the population would die from the flu. Nobody can predict how many more would die from the collapse of society—from riots, perhaps, from other diseases (with hospitals unable to function and medicines unattainable), or from shortages of food, energy, or potable water.

Airplanes and ships are a source vehicle for flu transmission. Little to no screening for infected passengers is done on these modes of transport. Location will likely prove a key factor in how quickly the virus is blocked, and how many people lose their lives first. People densely packed into megacities are like kindling for an outbreak of any disease.

War would be impacted as the quarantines of the 1918 flu would re-emerge. A 30% flu infection rate in the military means the ground war is nonexistent. Planes with healthy pilots would be used. Ships cannot escape the flu due to their confinement. Rockets and bombs do not capture cities. War becomes a stalemate option.

Then the purposeful use of the flu as a weapon is a concern. One vial in a local well can infect many, as easily as a misting of the virus on a hot summer day at a local festival. Handling these viruses has been a problem.

It will take a complete rethink of several issues.




Food Terrorism

Munir Mohammed began buying chemicals for a homemade pressure cooker bomb and offered himself as a “lone wolf” attacker to an IS commander communicating with him over Facebook.


He also investigated making poison while working at a supermarket ready-meals factory.

The Islamic State group used prisoners as “human guinea pigs,” carrying out chemical weapons experiments in order to plan for attacks against the West, documents found in Mosul have revealed. The papers detailing the tests, which led to the agonizing deaths of prisoners, were discovered at Mosul University in January when it was recaptured by Iraqi special forces.

Prisoners had their food and water contaminated by the sprinkling of chemicals found in easily accessible pesticides. The U.S. and Britain now fear that the same methods could be used on a larger scale to contaminate food supplies in the West.

In one of the experiments detailed, a man was gradually poisoned with thallium sulfate, a colorless, tasteless toxin made famous by the Agatha Christie mystery, The Pale Horse. ISIS described it as an “ideal lethal poison” and its test subject, having been given it over a period of 10 days, suffered nausea, fever, swelling of his stomach and brain and eventually an excruciating death.

The Department of Homeland Security has issued a warning raising concern about the vulnerability of the U.S. food and beverage supply chains.

“While we have not seen any specific, credible terrorist threats against Homeland food production and distribution infrastructure, we cannot rule out the possibility of inspired violent extremists or disgruntled insiders attempting to adulterate or poison food and beverages,” DHS said, according to a roll call bulletin for police, fire/EMS and security personnel issued on May 27, 2017.

According to the alert, “a South African farmworker in early 2017 added 20 liters of gramoxone — a dipyridinium-based herbicide — to a milk storage tank. While the contamination was detected prior to distribution, the level of gramoxone was likely sufficient to have killed or sickened at least hundreds of people.”

In another case, a Nigerian man allegedly introduced an unknown poison into the food at a restaurant in Ogoja, Nigeria, in late March 2017, killing two and sickening 40 others. Closer to home, an offshoot of Greek environmental terrorist groups, Combative Anarchy/Informal Anarchist Federation, “threatened to poison food and beverages made by Nestle, Unilever, Delta Foods, and a named U.S. business in late 2016, leading to mass recalls,” said the bulletin.

In 2010, a plot was uncovered that is said to involve the use of two poisons – ricin and cyanide – slipped into salad bars and buffets. Of particular concern: The plotters are believed to be tied to the same terror group that attempted to blow up cargo planes over the east coast in October, al Qaeda in the Arabian Peninsula.




London lawsuit accuses oligarch Kolomoisky of stealing over $500 million

After a former business partner called in hundreds of millions of dollars in loans, a new lawsuit alleges that billionaire oligarch Ihor Kolomoisky begged the creditor not to “beat a man who is down.”

The lawsuit — filed in London by Ukrainian businessman Vadim Shulman and exclusively obtained by the Kyiv Post — accuses Kolomoisky and his partner, Gennadiy Bogolyubov, of stealing more than $500 million from the Kryvyi Rih-born multimillionaire, who made his fortune in the 1990s by moving coal from Donetsk Oblast to factories in Dnipro.

Shulman is demanding repayment from Kolomoisky and Bogolyubov, claiming that they used a 15-year friendship to defraud him in business deals from Russia’s Altai Mountains to Warren, Ohio.

The lawsuit details a trail of self-dealing and lawlessness that extends from the late 1990s to 2016, featuring cameos from ex-Prime Minister and Batkivschyna Party leader Yulia Tymoshenko, Russian oligarch Roman Abramovich, and Vladimir Putin friend Viktor Medvedchuk.

The case, filed in May 2017, offers an inside look at Kolomoisky’s shady “Privat” group of companies and factories. It also provides more detail over how PrivatBank was used as a piggy bank for its owners, and often as a stand-in for Kolomoisky’s own bank account.

The Ukrainian government nationalized the bank in December 2016, pumping $5.5 billion in taxpayer dollars to cover up a gaping hole in the lender’s balance sheet created by a decades-long campaign of embezzlement by the former owners.

Representatives of Kolomoisky and Bogolyubov did not reply to requests for comment. Kolomoisky has denied the allegations in the past.

Who is Vadim Shulman?

The story begins with Shulman’s Soviet career as a coal miner in Krivyi Rih. Thanks to a connection to a top local official, Shulman became responsible for supplying coal from Donetsk Oblast to Dnipro in the early 1990s.

The 58-year-old businessman met Kolomoisky in 1999 through Dmitry Mishalov, a Dnipro-based businessman often associated with Privat.

Vadim Shulman, 57, broke with Ihor Kolomoisky over hundreds of millions of dollars in debts.

From there, Shulman and Kolomoisky invested into joint ventures across Ukraine and around the world, including the Petrovsky Metallurgical Plant in Dnipro and an Ohio steel mill. The pair also formed a friendship that saw them and their families “holiday together every summer and winter.”

Shulman, though claiming huge debts from Kolomoisky and Bogolyubov, has moved most of his business activities out of Ukraine and into the United States in recent years. He owns a San Diego-based company called Pathway Genomics, which develops mobile apps that support genetic testing.

Shulman recently took out a $12.5 million mortgage to buy a $25 million beachside mansion in Malibu, while the Paradise Papers show him dropping $35 million on a brand new private jet in 2012. Documents showed that intermediaries referred to the Krivyi Rih native as “high risk.”

Privat indiscretions

The lawsuit alleges that Kolomoisky began to defraud Shulman from the start of their business relationship: the 2000 sale of the Yuzhny mineral enrichment plant in Krivyi Rih and the Petrovsky steel factory in Dnipro.

At an April 2000 meeting at Shulman’s home in Israel, the lawsuit alleges, Tymoshenko stand-in Alexander Gravets sold a roughly 25 percent stake in the Krivyi Rih factory to both Shulman and Russian-Ukrainian oligarch Vadim Novinsky, allegedly defrauding both at the time that Tymoshenko was in office as deputy prime minister for fuel and energy.

A Tymoshenko spokeswoman declined to comment, while a Medvedchuk spokesman said the political figure would only discuss business issues with the tax authorities.

Novinsky agreed to split the shares with Shulman and Kolomoisky. The lawsuit claims that Kolomoisky then brought in Putin associate Medvedchuk as an intermediary to hold shares in the factory, along with the brothers Igor and Grigory Surkis.

At the same time, the Dnipro clan of oligarchs were struggling to manage three central Ukrainian coking plants: Dneprodzerzhinsk, Bagleykoks and Dneprkoks.

Shulman would manage the coke plants and provide technical staff to Kolomoisky and Bogolyubov to run the Petrovsky steel factory and Krivyi Rih enrichment plants.

Shulman alleges that from 2000 to 2007, he failed to receive his shares of the profits from his stakes in these factories, and that Kolomoisky repeatedly misstated the amount he owned in the factories.

PrivatBank worked as a cash cow to keep the factories running during this time, the lawsuit alleges.

In one episode, the Petrovsky steel mill did not have cash to pay for coke it had received from Privat’s three coking plants.

To “solve” the problem, Kolomoisky allegedly moved cash earmarked for the coke payments into PrivatBank. Shulman, in charge of operating the coke plants, then made a $100 million loan available in exchange for “loans from PrivatBank which were used for the benefit of the Coke Plants,” the case says.

Money, problems

Privat’s control over part of Ukraine’s steelmaking supply chain led to a round of negotiations with Roman Abramovich in 2007.

Abramovich, a billionaire with ties to the Kremlin, offered to buy out Kolomoisky’s stakes in his Ukrainian factories for “$1.06 billion in cash” and 10 percent ownership in Evraz Group SA, one of Abramovich’s companies.

Shulman argues that Kolomoisky essentially ignored Shulman’s stake in the companies being sold to Abramovich during the deal.

After a byzantine set of cash transfers involving PrivatBank’s Cyprus branch and one of Abramovich’s offshores, Shulman claims he was left with $284 million less than he was owed for the sale, taking into account changes in share value over time.

The Evraz deal didn’t push Shulman to break with Kolomoisky. Shulman himself had owed Kolomoisky money at the time, including a $100 million sum related to an unspecified “business investment.”

Rather, it was an investigation into an Ohio steel plant that the two bought in 2001 which led to the split. Along with Bogolyubov, they acquired Warren Steel in Warren, Ohio as part of a plan to gut the plant of its machinery for use in Ukraine.

Shulman claims that in 2012, he launched an internal investigation into whether his co-owners in the plant were dumping their debts onto his ownership stake, and found that $30 million which he had entrusted to Kolomoisky to invest in the firm had disappeared.

The 57-year old, who had spent years apparently trying to collect on various debts owed to him by Kolomoisky and Bogolyubov, started filing lawsuits in the U.S. and the British Virgin Islands.

By summer 2016, Kolomoisky was starting to feel pressure from the impending nationalization of PrivatBank. The oligarch tried to delay, imploring Shulman not to “beat a man who is down” and repeatedly saying he would pay in installments every few months.

But at a spring 2016 meeting in Monaco’s Hotel de Paris, Bogolyubov allegedly suggested to Shulman they wouldn’t pay.

“Just business,” the lawsuit quotes Bogolyubov as saying. “Not personal.”


Romania in Chaos

Romania’s prime minister resigned Monday after his party withdrew its support for him amid a power struggle with the party chairman. Liviu Dragnea rules over the party but is barred from political office because of a criminal conviction.

The ruling left-wing Social Democratic Party revoked its backing of Prime Minister Mihai Tudose after a meeting lasting more than five hours.

Tudose, 50, said he was quitting after a little more than six months in office “with my head high” and would clear out his office immediately.

Tudose told reporters after the party vote: “I did not want to break the party. They named me, they removed me. I take responsibility for my deeds and I do not regret anything in my actions (as premier).”

The party has been riven by a power struggle which also claimed his predecessor, Sorin Grindeanu, in June.

Romania's prime minister designate Viorica Dancila in Bucharest, Romania, January 16, 2018

European lawmaker Viorica Dancila has been named as Prime Minister-designate in Romania, making her the country’s third head of government in a year and its first female premier.

President Klaus Iohannis announced the appointment which still has to be approved by parliament.

It had been widely thought Iohannis might veto the Social Democrats’ (PSD) pick to replace Mihai Tudose, who quit after falling out with powerful party leader Liviu Dragnea.

Dragnea is one of a number of ruling coalition members facing trial on graft charges, while the president has become an outspoken critic of the PSD’s record on combating corruption. Dragnea denies any wrongdoing.

Iohannis, however, said it was clear that the Social Democrats have a majority in parliament and that after weighing up the arguments he decided to give them another chance and has named their proposal as premier.

Mrs Dancila has 10 days to name her cabinet ministers and faces a formal approval vote in parliament on January 29.


Iran on the edge?

Six days of demonstrations — which have left at least 20 people dead — showed no signs of easing as the anger from the streets found new targets. What began as frustration over Iran’s sluggish economy has broadened to include open defiance of Iran’s Islamic leadership itself.

Ayatollah Ali Khamenei, the Iranian supreme leader, blamed “enemies” of Iran on Tuesday for protests that have left more than 20 people dead, in his first comments since the unrest started last week.

Nine people, including a child, died overnight in violence in central Iran, state media say.

The protests are the largest since the disputed 2009 presidential election. That time the security forces cracked down hard, and they have threatened to do so again.

“In recent days, enemies of Iran used different tools including cash, weapons, politics and intelligence services to create troubles for the Islamic Republic,” Iran’s supreme leader was quoted as saying in a post on his official website.

The regime has started shutting down social media platforms like Telegram that Iranians use to organize these protests. President Hassan Rouhani — remember when he was everybody’s favorite “moderate”? — is warning demonstrators about destroying public property.

Ahmad Alamolhoda, the leader of Friday prayers in Mashhad and a hard-line cleric close to the supreme leader, is accused of encouraging his supporters to protest against President Hassan Rouhani, a political opponent.

Similarities between the current protests and the 2009 uprising are quite limited. While the current demonstrations started outside of Tehran—in Mashhad and Qom—and quickly spread to other cities, their size remains relatively small compared to what the world observed after Iran’s fraudulent 2009 elections.

The 2009-10 protests were suppressed through the use of excessive force and widespread atrocities committed by the Islamic Revolutionary Guard Corps (IRGC) and the paramilitary Basij. The Green movement was symbolized by Neda Agha-Soltan, a young woman who was shot dead in broad daylight and whose last moments were captured by cameras and broadcast the world over.

In the first few days after that election, more than one million people protested in the streets of Tehran. Though quite ferocious, the current protests have rarely numbered more than a few thousand in any specific locality.

The protests in 2009 also had very specific goals—at least initially. They were prompted by accusations of fraud in the presidential election, and the protestors were demanding the votes be recounted. The protests also had strong leadership from then-presidential candidates Mir Hossein Mousavi and Mehdi Karroubi, who gave the movement much-needed organization.

The current protests appear much more sporadic, with no clear leadership and with objectives that have shifted over the course of the past four days. According to witnesses I’ve spoken to, the protests were initiated in Mashhad by religious hardliners who sought to take advantage of the population’s legitimate economic grievances to score points against the Hassan Rouhani government, which they consider too moderate.

Many young Iranians are frustrated by limits on reformers, including President Hassan Rouhani, to push for greater social freedoms and political openness in a country where the ruling clerics still hold all the cards. Working-class Iranians and others, meanwhile, are increasingly unhappy with a stagnant economy despite the lifting of international sanctions under the nuclear accord with world powers.


Russia releases Ruthenium

On Oct. 9, regional authorities in the Chelyabinsk region, home of the plant, issued a statement saying that the Russian state nuclear corporation, Rosatom, had regularly tested the air and that “the radiation background in the region is within norms.”

“From October 25 to October 1, excess beta activity was recorded in radioactive aerosol samples and precipitations in the southern Urals. In radioactive aerosol samples from Argayash and Novogorny observation points, the radioisotope Ru-106 (368.2 days of decay time),” says the Roshydromet Department’s report.

The highest concentration was registered at the station in Argayash, a village in the Chelyabinsk region in the southern Urals, which had ‘extremely high pollution’ of Ru-106, exceeding natural background pollution by 986 times, the service said.

While the source of the pollution remains unclear, the highest concentration was registered at the station in Argayash, a village in the Chelyabinsk region in the southern Urals, which had 'extremely high pollution' of Ru-106.

Ruthenium 106, which is obtained from spent fuel, is used mostly in medicine. It is considered not particularly dangerous because of its short half-life, 373 days, and harmless at the low concentrations that have turned up in Europe.

Ruthenium-106 is a radioactive, naturally non-existent isotope of the element ruthenium. It is produced by the fission of uranium-235 in nuclear power plants, but also in the reprocessing of nuclear fuel rods. Because ruthenium-106 releases both beta and gamma radiation upon decay, it is considered toxic and carcinogenic when ingested at higher concentrations.


Argayash is about 20 miles from Mayak, a facility that reprocesses spent nuclear fuel. The plant facility issued a denial on Tuesday. “The contamination of the atmosphere with ruthenium-106 isotope registered by Rosgidromet is not linked to the activity of Mayak,” a statement said.


Russian hit list

It wasn’t just Hillary Clinton’s emails they went after.

The hackers who disrupted the U.S. presidential election last year had ambitions that stretched across the globe, targeting the emails of Ukrainian officers, Russian opposition figures, U.S. defense contractors and thousands of others of interest to the Kremlin, according to a previously unpublished digital hit list obtained by The Associated Press.

The list provides the most detailed forensic evidence yet of the close alignment between the hackers and the Russian government, exposing an operation that went back years and tried to break into the inboxes of 4,700 Gmail users — from the pope’s representative in Kiev to the punk band Pussy Riot in Moscow. The targets were spread among 116 countries.

About 19,000 lines of data, recently shared by cybersecurity firm Secureworks, show that Fancy Bear — the hacking group blamed by U.S. intelligence agencies for disrupting last year’s presidential election — tried to break into more than 4,700 Gmail inboxes in at least 116 countries between March 2015 and May 2016.

It’s effectively a hit list — one that experts say points to the Kremlin.

“There is only one country whose interests this list would serve,” said Keir Giles, the director of the Conflict Studies Research Center in Cambridge, England, and one of five experts who reviewed the AP’s findings.

“Regardless of the inevitable denials from Moscow, it is the only explanation that makes sense,” he said.

Russian officials have described claims that they orchestrated the hacking as “ludicrous” and “verging on fantasy.” On Wednesday, Russian Deputy Foreign Minister Sergei Ryabkov said there was “not a single piece of evidence” to back the allegations.

But the Fancy Bear targets identified by the AP tell a different story. In more than 100 interviews, many blamed Moscow for the hacking.

“We have no doubts about who is behind these attacks,” said Artem Torchinskiy, a Navalny lieutenant who was targeted by Fancy Bear in 2015. “I am sure these are hackers controlled by Russian secret services.”

The largest groups of targets were in the United States, Ukraine, Russia, Georgia and Syria. The hackers tried to compromise employees of major U.S. defense contractors and attempted to steal the emails of then-Secretary of State John Kerry and former U.S. Army Gen. Wesley Clark. Also on the list were more than 130 Democrats and members of Clinton’s inner circle, including campaign chairman John Podesta, whose correspondence was leaked in the closing days of the presidential race.

Focus on Russia and former Soviet states

Most of the targeted accounts are linked to intelligence gathering or information control within Russia or former Soviet states. The majority of the activity appears to focus on Russia’s military involvement in eastern Ukraine; for example, the email address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister. Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organizations, and regional advocacy groups in Russia.

Other targets worldwide

Analysis of targeted individuals outside of Russia and the former Soviet states revealed that they work in a wide range of industry verticals (see Figure 6). The groups can be divided into two broad categories:

  • Authors, journalists, NGOs, and political activists (36%)
  • Government personnel, military personnel, government supply chain, and aerospace researchers (64%)


TG-4127 likely targeted the groups in the first category because they criticized Russia. The groups in the second category may have information useful to the Russian government.

Figure 6. TG-4127 targeting outside of Russia and former Soviet states. (Source: SecureWorks)

Authors and journalists

More than half (53%) of the targeted authors and journalists are Russia or Ukraine subject matter experts (see Figure 7). It is likely that the Russian state has an interest in how it is portrayed in the media. U.S.-based military spouses who wrote online content about the military and military families were also targeted. The threat actors may have been attempting to learn about broader military issues in the U.S., or gain operational insight into the military activity of the target’s spouse.

Figure 7. Subject matter expertise of authors and journalists targeted by TG-4127. (Source: SecureWorks)

Government supply chain

CTU researchers identified individuals who were likely targeted due to their position within the supply chain of organizations of interest to TG-4127 (e.g., defense and government networks). Figure 8 shows the distribution by category. The targets included a systems engineer working on a military simulation tool, a consultant specializing in unmanned aerial systems, an IT security consultant working for NATO, and a director of federal sales for the security arm of a multinational technology company. The threat actors likely aimed to exploit the individuals’ access to and knowledge of government clients’ information.

Figure 8. Categories of supply chain targets. (Source: SecureWorks)

Government / military personnel

TG-4127 likely targeted current and former military and government personnel for potential operational insight gained from access to their personal communications. Most of the activity focused on individuals based in the U.S. or working in NATO-linked roles (see Figure 9).

Figure 9. Nation or organization of government/military targets. (Source: SecureWorks)

TG-4127 targeted high-profile Syrian rebel leaders, including a leader of the Syrian National Coalition. Russian forces have supported Syrian President Bashar al-Assad’s regime since September 2015, so it is likely the threat actors are seeking to gain intelligence on rebel forces to assist Russian and Assad regime military operations.

Success of the phishing campaign

CTU researchers analyzed 4,396 phishing URLs sent to 1,881 Google Accounts between March and September, 2015. More than half (59%) of the URLs were accessed, suggesting that the recipients at least opened the phishing page. From the available data, it is not possible to determine how many of those Google Accounts were compromised. Most of the targeted accounts received multiple phishing attempts, which may indicate that previous attempts had been unsuccessful. However, 35% of accounts that accessed the malicious link were not subject to additional attempts, possibly indicating that the compromise was successful.

Of the accounts targeted once, CTU researchers determined that 60% of the recipients clicked the malicious Bitly. Of the accounts that were targeted more than once, 57% of the recipients clicked the malicious link in the repeated attempts. These results likely encourage threat actors to make additional attempts if the initial phishing email is unsuccessful.
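The measurements described above can be reproduced by a defender over their own phishing telemetry. The following is an added example, not code or data from Secureworks or the original post: the records are constructed, and the field layout and the definition of "no additional attempts" (the first accessed link is also the last one sent to that account) are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample, one row per phishing URL sent to an account:
# (account, date the URL was sent, whether the short link was accessed).
SAMPLE_EVENTS = [
    ("a@example.com", date(2015, 3, 10), True),
    ("b@example.com", date(2015, 3, 11), False),
    ("b@example.com", date(2015, 4, 2), False),
    ("b@example.com", date(2015, 5, 20), True),
    ("c@example.com", date(2015, 3, 12), True),
    ("c@example.com", date(2015, 6, 1), False),
    ("d@example.com", date(2015, 7, 7), False),
    ("e@example.com", date(2015, 8, 15), True),
    ("e@example.com", date(2015, 8, 30), True),
]


def _ratio(part, whole):
    """Return part/whole, or 0.0 when there is nothing to divide by."""
    return part / whole if whole else 0.0


def summarize(events):
    """Compute per-URL and per-account access metrics for a phishing campaign."""
    by_account = defaultdict(list)
    for account, sent, accessed in events:
        by_account[account].append((sent, accessed))

    single_total = single_clicked = 0
    repeat_total = repeat_clicked = 0
    accessed_accounts = 0
    review_first = []  # accessed a link and then saw no further attempts

    for account, attempts in by_account.items():
        attempts.sort()  # chronological order
        flags = [accessed for _, accessed in attempts]

        if len(flags) == 1:
            single_total += 1
            single_clicked += flags[0]
        else:
            repeat_total += 1
            # "Clicked in the repeated attempts": any attempt after the first.
            repeat_clicked += any(flags[1:])

        if any(flags):
            accessed_accounts += 1
            first_access = flags.index(True)
            # Assumption: attempts stopping right after the first access is the
            # signal the text calls "possibly indicating" a successful compromise.
            if first_access == len(flags) - 1:
                review_first.append(account)

    return {
        "urls_total": len(events),
        "urls_accessed": sum(1 for _, _, accessed in events if accessed),
        "single_click_rate": _ratio(single_clicked, single_total),
        "repeat_click_rate": _ratio(repeat_clicked, repeat_total),
        "quiet_after_click_rate": _ratio(len(review_first), accessed_accounts),
        "review_first": sorted(review_first),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Accounts in `review_first` are the ones to prioritize for credential resets and mailbox access-log review, since an access followed by silence is consistent with a harvested password.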
