Thursday, May 31, 2012

FLAME: Cyber-Espionage Revolutionised

The recent discovery of a computer virus has confirmed fears that the world has entered a new age of cyber espionage and sabotage.

Security experts discovered a highly complex computer virus, referred to as a super virus, in Iran and other states of the Middle East. They believe it was deployed at least five years ago to engage in espionage, and the prime targets so far have been energy facilities. There is purportedly evidence to suggest that the virus, named FLAME, may have been commissioned by or on behalf of the same nation or group of nations that commissioned the STUXNET worm responsible for attacking Iran’s nuclear programme in 2010.

It is the third cyber attack weapon targeting systems in the Middle East to be exposed in recent years. 

Iran has alleged that the West and Israel are orchestrating a secret war of sabotage using cyber warfare and targeted assassinations of its scientists as part of the dispute over its nuclear programme. The suspicion is that Israel’s crack Unit 8200 possibly developed this cyber espionage tool.

Stuxnet attacked Iran's nuclear programme in 2010, while a related programme, Duqu, named after the Star Wars villain, stole data. Unlike the Stuxnet virus, which attacked an Iranian enrichment facility, causing centrifuges to fail, Flame does not disrupt or terminate systems. Flame can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats. Experts describe it as a multitasking mole. It can wipe data off hard drives, but also be a tireless eavesdropper by activating audio systems to listen in on Skype calls or office chatter. It can also take screenshots, log keystrokes and, in one of its more novel functions, steal data from Bluetooth-enabled mobile phones.

Kaspersky Labs said the programme appeared to have been released five years ago and had infected machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
"If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about," Roel Schouwenberg, a Kaspersky security senior researcher, said. 

Professor Alan Woodward from the department of computing at the University of Surrey said the virus was extremely invasive. It could "vacuum up" information by copying keyboard strokes and the voices of people nearby. 

The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. Iran's output of uranium suffered a severe blow as a result of the Stuxnet activities. In fact, the Flame malware is much larger than Stuxnet and is protected by multiple layers of encryption.

Schouwenberg said there was evidence to suggest the code was commissioned by the same nation or nations that were behind Stuxnet and Duqu, hinting thereby that Israel and/or the United States were the brains behind the virus.

Iran's Computer Emergency Response Team said it was "a close relation" of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus which was believed to be the work of state intelligence. 

It said organisations had been given software to detect and remove the newly-discovered virus at the beginning of May. 

Crysys Lab, which analyses computer viruses at Budapest University, said the technical evidence for a link between Flame and Stuxnet or Duqu was inconclusive.

The newly-discovered virus does not spread itself automatically but only when hidden controllers allow it. 

Unprecedented layers of software allow Flame to penetrate remote computer networks undetected. 

The file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.
Components enable those behind it, who use a network of rapidly-shifting "command and control" servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes.

Eugene Kaspersky, the founder of Kaspersky Labs, noted that "it took us 6 months to analyse Stuxnet. [This] is 20 times more complicated". 

Once a machine is infected, additional modules can be added to the system, allowing the machine to undertake specific tracking projects.

Flame uses at least 80 different servers and domain names to relay its data back home, so it is extremely difficult to track usage and where the information is transferred.

As has been stated, none of the experts in the field is willing to state on record who could be behind this complex super virus. Speculation has been that either Israel or Israel in conjunction with the US could possibly have developed this deadly programme. Israel has the necessary expertise in developing tools of cyber espionage and cyber warfare. Unit 8200 (Unit Eight Two-hundred) (or shmone matayim in Hebrew), referred to earlier, is an Israeli Intelligence Corps unit responsible for collection of signal intelligence and code decryption. It is also known in military publications as the Central Collection Unit of the Intelligence Corps. This Unit is alleged to have developed the computer worm Stuxnet, which targeted the Iranian nuclear programme in 2010.

Israel is the master of cyber warfare. If Israel has been responsible for launching Flame using gaming code, then certainly Israel has revolutionized espionage by going high tech, obviating the necessity of sending in human agents. At this point of time one can only speculate as to how Israel might 'successfully' disable Iran’s nuclear enrichment program and its economy with greater dexterity than the bludgeon of more legislated 'tougher sanctions' or a conventional military strike. 

Cyber-snooping has indeed been revolutionised with the introduction of this new virus.

Friday, May 18, 2012

Eli Cohen – A Spy without Parallel

This post is in memory of Eli Cohen who was executed by Syrian authorities on 18th May 1965 in Damascus after being found guilty of spying for Israel. He was unlike any other spy in the annals of espionage – a spy without any parallel. This is his story.

Eliahu (Eli) ben Shaoul Cohen was born in Alexandria, Egypt in an orthodox Jewish family in 1924. His father had moved there from Aleppo in Syria in 1914. In January 1947, Cohen chose to enlist in the Egyptian army as an alternative to paying the prescribed sum all young Jews were supposed to pay, but was declared ineligible on grounds of questionable loyalty. Later that year, he left university and began studying at home after facing harassment by the Muslim Brotherhood. Though his parents and three brothers left for Israel in 1949, Cohen remained to finish a degree in electronics and to coordinate Jewish and Zionist activities. In 1951, in the aftermath of a military coup and anti-Zionist campaign, Cohen was arrested and interrogated over his Zionist activities. Cohen is alleged to have taken part in various Israeli covert operations in Egypt during the 1950s, though the Egyptian government could never verify and provide proof of his involvement in an Israeli operation to smuggle Egyptian Jews out of the country and resettle them in Israel.

Following the Suez Crisis, the Egyptian government stepped up persecution of Jews and expelled many of them. In December 1956, Cohen was forced to leave the country. With the assistance of the Jewish Agency, he migrated to Israel.

In 1957, Cohen was recruited by Israeli Military Intelligence. His work as a counterintelligence analyst bored him, and he attempted to join the Mossad. Cohen was offended when Mossad rejected him, and resigned from military counterintelligence. For the next two years, he worked as a filing clerk in a Tel Aviv insurance office. An introvert to the core, Cohen had very few friends. Most of his leisure time was spent mastering Arabic.

The Mossad recruited Cohen after Director-General Meir Amit, looking for a special agent to infiltrate the Syrian government, came across his name while looking through the agency's files of rejected candidates, after none of the current candidates seemed suitable for the job. For two weeks he was put under surveillance, and was judged suitable for recruitment and training. Cohen then underwent an intensive, six-month course at the Mossad training school, and his graduate report stated that he had all the qualities needed to become a katsa, or field agent.

Training and the making of a Spy

His training was rather unconventional. In 1960, armed with a false identity and a thick beard, Eli Cohen was introduced to one Sheikh Mohammed Salman as a student from the University of Jerusalem. Although Cohen knew quite a lot about the culture and the way of life of an Arab Moslem, Mossad wanted him to be trained to perfection so that he could act and react like a Moslem even under the greatest strain. He spent a few months with Sheikh Salman. Towards the end of 1960, Cohen began to learn a different trade.

On 1st March 1961, Eli Cohen boarded a Swiss Air flight from Zurich and flew to Buenos Aires. At the Argentinian capital, he passed off as a prosperous businessman who travelled first class. Cohen had become Kamel Amin Thaabet (commonly pronounced Saabet). His passport showed that he was a Syrian from Lebanon.  Buenos Aires has a large Syrian population. Cohen portrayed himself to be serious, generous, considerate and above all a devout Muslim and highly nationalistic. Thaabet gradually became a well-known and respectable member of the Syrian community in Buenos Aires.

Mossad had traversed half way round the globe to prepare a perfect “legend” for Cohen. Mossad had correctly assessed that Syrian intelligence would certainly check on Thaabet and therefore his cover was prepared with great care. Cohen’s new assumed identity was based on a real Kamel Amin Thaabet born in Lebanon of Syrian parents. The real Kamel Amin Thaabet had died long ago, but if he were alive he would have been of Cohen’s age.
The resurrected Kamel Amin Thaabet became a regular visitor to the parties and receptions hosted in the Syrian embassy in Buenos Aires. The military attaché in the Syrian Embassy, Major Amin Al-Hafiz was very impressed by Thaabet. Thaabet’s nationalist fervor and pro-Baathist views were respected by Al-Hafiz. As a result, the officer began to confide a great deal in him and urged him to shift to Damascus to serve the Baathist cause.

Syrian intelligence in the Argentinian capital carried out a thorough check on Thaabet. One day when he came home late, he discovered that his papers and photo albums had been tampered with. Israeli intelligence had taken a lot of pains to prepare ‘authentic’ papers, and the old photographs of the Thaabet family were perfect. Cohen had successfully passed the final test as Thaabet. He was now a trusted Syrian national. Mossad instructed Cohen to move to Damascus. Major Al-Hafiz was posted in the Syrian capital at the time when Cohen was instructed to make the move to Syria. Thaabet accordingly wrote to Al-Hafiz of his desire to serve the Baathist cause and his intention to shift to Damascus.
In December 1961, Cohen paid a quick visit to Munich and met his “control” from Tel Aviv. In a hotel room the katsa and his control discussed details of his mission in Damascus; they re-checked the business procedures, the codes and the radio discipline. At the same time a technical team from Mossad prepared Cohen’s luggage. A powerful transmitter was hidden in the false bottom of an electric mixer. A Minox micro-film camera was given the shape of an electric shaver; its cord, when detached, would serve as a long range antenna. Chemicals for making explosives were stored in toothpaste tubes and cans of shaving cream.

Mission - Damascus

On 1st January 1962, Thaabet was on his way to Damascus. On arrival in Damascus he became a temporary guest of Major Al-Hafiz. Within a span of a few days he settled himself on the fourth floor of a modern building in the prosperous Abu-Rummanah district, across from the Syrian Military High Command and close to the Indian Embassy.
Cohen alias Thaabet started an export business and was soon exporting Syrian antique furniture, backgammon tables, jewellery and objets d’art to European countries. He was often seen drinking Turkish coffee in the Hamidia market place discussing business and politics. At night, Thaabet was transformed into a deadly spy, passing information to Tel Aviv using the powerful transmitter set. The lengthy reports and microfilms were dispatched in the hollowed out antique furniture. With the help of highly placed contacts in government and friends, Thaabet visited military installations and was allowed to freely indulge in his hobby of photography even while visiting sensitive areas. His photographs of sensitive military installations proved extremely useful to Mossad and the Israeli Army during the 1967 Six-Day War. His most famous achievement was when he toured the Golan Heights, and collected intelligence on the Syrian fortifications there. Feigning sympathy for the soldiers being exposed to the sun, Cohen had trees planted at every position. The trees were used as targeting markers by the Israeli military during the 1967 War. Cohen made repeated visits to the southern frontier zone, providing photographs and sketches of Syrian positions. Cohen also learned of an important secret plan by Syria to create three successive lines of bunkers and mortars; the Israeli Army would otherwise have expected to encounter only a single line.

Capture and execution

How did Cohen get caught? There are conflicting versions as to what led to the unmasking of Thaabet. The Mossad blames the Indian Embassy in Damascus which, they say, inadvertently led to Cohen getting caught. In early ’65, the Indian Mission is alleged to have complained to the Syrians that it was experiencing disturbances in its transmissions to New Delhi. The Syrians suspected, and rightly so, an unauthorized radio transmission in the vicinity of the Indian Embassy. The Syrians pressed into service a sophisticated mobile detection unit imported from the Soviet Union to track down the source of the illegal transmission. Thaabet was unaware of this development and he carried on his daily transmission to Tel Aviv. After close surveillance for a few days, the Syrians caught Thaabet red-handed in a pre-dawn raid on 24th January 1965. After a trial before a military tribunal, he was found guilty of espionage and sentenced to death, without the possibility of an appeal. Israel staged an international campaign for clemency, hoping to persuade the Syrians not to execute him. Hoping to put international pressure on Syria to spare Cohen's life, the Israelis approached many governments to press for clemency, and even appealed to the Soviets to intercede. The Syrians were determined not to spare a spy, especially if he happened to be an Israeli. On 18th May 1965, Eli Cohen was publicly hanged in El Marga Square in Damascus.

Requests by Cohen's family for his remains to be returned to Israel have been repeatedly denied by the Syrian government. In August 2008 Monthir Maosily, the former bureau chief of the late Syrian leader Hafez al-Assad, said that Eli Cohen's burial site is unknown, claiming that the Syrians buried the executed Israeli spy three times, to stop the remains from being brought back to Israel via a special operation.

Mossad-Israel's Knuckle-Duster by H Jesse Kochar, Probe May 1981

Thursday, May 17, 2012

Countering Chinese Incursions - India's Options

The differing perceptions of the undemarcated and disputed boundary between India and China have resulted in Chinese troops ‘transgressing’ into the Indian side a whopping 505 times since January 2010.

The LAC is 4,057-km-long and traverses areas of Himalayan states, principally in Eastern Ladakh (J&K), parts of Uttarakhand, Sikkim and Arunachal Pradesh. Historically, there has never been a demarcated boundary. These are strategically vital portions which are contiguous with Tibet.

Explaining ‘transgressions’, officials said India and China do not agree on the LAC, hence soldiers on either side patrol up to the point they perceive as the LAC. Soldiers on both sides show a banner asking the other party to withdraw when the LAC is crossed. Despite the underlying tension, the process of withdrawing by both sides keeps a lid on the situation along the tense frontier between the two edgy neighbours. 

The matter of transgressions was raised recently in the Upper House of the Indian Parliament, the Rajya Sabha, and the Minister of State for Home Affairs Mullappally Ramachandran said, “There have been 228 reported cases of transgression in 2010, 213 in 2011 and 64 till April this year.” It was clarified, “There has been no intrusion along the India-China border. However, there are cases of transgression (by People’s Liberation Army, PLA) due to different perception of the LAC.” The word ‘intrusion’ is the official nomenclature to indicate a breach of the sanctity of the border and is different from transgression on the LAC, that too on sections which are disputed.

Similar figures have been recorded in the past. According to the Indian Defence Minister, A. K. Antony, the number of Chinese transgressions has generally been as per the established pattern during the last five years.

But one cannot overlook the fact that the People’s Liberation Army has been flexing its muscles through an aggressive border management policy in order to stake claim to the disputed areas in all the three sectors, viz. western (Ladakh), middle (Uttarakhand and Himachal Pradesh) and eastern (Sikkim and Arunachal Pradesh).

Incursions in the past

In 2011, PLA soldiers damaged a 200-metre long wind-breaker wall in the Yangtse area of Tawang in Arunachal Pradesh. India rebuilt the wall after lodging a strong protest with China. In September 2011, it was reported that two Chinese helicopters had entered Indian air space and landed one-and-a-half kilometres into Indian territory at Chumar in the Chingthan area of Tehsil Nyoma. The Chinese troops also attempted to dismantle Indian army bunkers which had lain unused for a long time. Similarly, in July 2009, Chinese troops had intruded about 1.5 kilometres into Indian territory near Mount Gya, recognized as the international border by both India and China, and painted boulders and rocks with red spray paint. (The 22,420 ft Mount Gya, also known as "fair princess of snow" by the Army, is located at the tri-junction of Ladakh in Jammu and Kashmir, Spiti in Himachal Pradesh, and Tibet).

Armed motorized as well as boat patrols by the PLA in the strategically-located Trig Heights and Pangong Tso lake in eastern Ladakh have also intensified since 2009. Similarly, the Chinese have stepped up claims along the 206-km border between Tibet and Sikkim, which India long considered "a settled matter", with the so-called 2.1 sq km "finger area" in the northernmost tip of the state remaining a specific matter of concern. (See the author’s post on the flare-up in the Finger Area.)

New Delhi hopes the new bilateral boundary coordination mechanism, which became operational two months ago after being inked during the 15th round of border talks between national security adviser Shivshankar Menon and his Chinese counterpart Dai Bingguo in January 2012, will help prevent border flare-ups between the two armies.

New Delhi also has been taking up specific incidents of transgression with the Chinese side through established mechanisms such as hotlines, flag meetings, border personnel meetings (BPM) and normal diplomatic channels. 

During the 4th India-China annual defence dialogue last December, India also told China that military patrols along the LAC should not be undertaken at night, nor should they "surprise each other". Moreover, laid-down standard operating procedures to cool down tempers should be followed in the event of face-offs between the two armies.

Despite the transgressions, peace is maintained along the LAC following an agreement thrashed out in April 2005. India and China have worked out what is called a ‘banner drill’, which helps keep tension under check.

Whenever either side perceives that a transgression has been made across the LAC, soldiers show a 10-feet-wide banner with a slogan painted across to each other. The banner primarily cites the 2005 agreement and says there is a need to back off from the present positions of patrolling. 

The above-mentioned measures and mechanisms set up pursuant to an agreement by both the countries, howsoever commendable, only provide for peace in the short-term. These measures and mechanisms have utility for a limited duration only. These measures cannot bring about a resolution of the border dispute. 

India needs to counter China

India must not disregard the fact that Tawang is considered to be part of China’s core interests. In fact China claims the entire state of Arunachal Pradesh, referring to it as Southern Tibet. And China will not compromise on its core interests. In order to achieve its objective and in furtherance of protecting its core interests, China set up a massive military infrastructure in Tibet with five airbases, an extensive rail network through which it can rapidly mobilize troops and over 58,000 kilometres of road. With such infrastructure in place, China started resorting to what is referred to as “cartographic intrusions” in a slow and steady manner. India, instead of meeting this challenge head-on has played down the issue by referring to the intrusions as transgressions which have occurred due to differing perceptions about where exactly the LAC lies.  

India cannot expect the boundary dispute to be resolved by peaceful means if it is not adequately backed up by military force. China has been keeping up the pressure on India by means of intrusions only due to the fact that India does not have the requisite military means to counter China along the LAC and in part to its submissive attitude in dealing with Beijing. India’s poor infrastructure along the border is one of the biggest impediments facing the armed forces, especially in a crisis situation. This author, in earlier posts, has emphasized on the development of infrastructure particularly in the North-East apart from augmenting the number of troops.

Force Augmentation

In response to China's growing military strength in Tibet, India has raised two new mountain divisions with 30,000 troops in the North-East as a counter-measure and to augment its mountain warfare capabilities. The two new mountain divisions, comprising 1,260 officers and 35,011 soldiers and raised at a cost of Rs 700 crore/ Rs 7 billion each, will be under the command of the Rangapahar-based 3 Corps in Nagaland with headquarters in Zakama (56 Div) and the Tezpur-based 4 Corps in Assam with headquarters in Missamari (71 Div) of the army's Kolkata-based Eastern Command. New Delhi has also sanctioned a new mountain strike corps, of an additional 40,000 soldiers, to be permanently located in bases in northeast India. The new mountain strike corps will control two divisions, trained and equipped for an attack into Tibet. The new strike corps will have its own mountain artillery, combat engineers, anti-aircraft guns and radio equipment. It would also be supported by Indian Air Force (IAF) fighters, operating from newly renovated bases in North-Eastern India. The sanctioning of a strike corps, therefore, signals a dramatic new assertiveness in New Delhi.

India has also deployed a Sukhoi SU-30 air superiority fighter jet squadron in Tezpur as one of the aerial offensive measures apart from upgrading airfields and helipads in the North-East. The Cabinet Committee on Security had approved the raising of the two new divisions in early 2008 and preparations for raising the offensive infantry formations began the same year.

Under the first phase, the two new divisions' headquarters, along with a brigade each, have come up, including the headquarters' support elements such as signals, provost, and intelligence units. 

The divisions have been armed with state-of-the-art technology such as heavy-lift helicopters capable of carrying 50 troops each; ultra light howitzers that can be slung under the helicopters for transportation; missile and cannon-armed helicopter gunships; utility helicopters and unmanned aerial vehicles (UAVs). 

The air assets, such as the helicopter gunships and attack helicopters, will provide the two divisions capabilities to carry out manoeuvres for countering the terrain impediments. According to an officer, the gunships and attack choppers were necessary for providing the two formations firepower in a mountain terrain, as the army would not be in a position to deploy tanks and armoured vehicles.

Notwithstanding the proposed force enhancement in the North-East, the intrusions have continued unabated. The 64 intrusions in 2012, apart from being disturbing, clearly indicate the true nature of Chinese intent and policy towards India in general and the boundary dispute in particular.

It is suggested that India adopt the following measures to enable it to manage the border with China in an effective manner as well as to settle the boundary dispute satisfactorily without succumbing to Chinese pressure tactics:

·     India needs to send an unequivocal message to China that Arunachal Pradesh is part of India’s core interests and incursions (or intrusions or transgressions, irrespective of the nomenclature used) must cease.
·     Improve infrastructure in the North-East (build all-weather roads and extend railway network in remote areas of the region)
·     India needs to expeditiously operationalise the two newly-raised mountain divisions as well as raise the new mountain strike corps in a compressed time frame. (The mountain strike corps is slated to be raised under the 12th Defence Plan 2012-2017).
·     The Indian Air Force must operationalise the new airbases in the North-East in order to enable rapid deployment of air assets in case of any conflict. (The former chief of the IAF had stated in June 2011 that Jorhat, Guwahati, Mohanbari, Bagdogra and Hashimara were being developed as air bases. It must be pointed out that the IAF has already based Sukhoi-30MKI fighters at airbases like Tezpur and Chabua. Eastern sector ALGs (advanced landing grounds) like Pasighat, Mechuka, Walong, Tuting, Ziro and Vijaynagar as well as several helipads in Arunachal Pradesh are also now being upgraded, much like western sector ALGs like Daulat Beg Oldi, Fukche and Nyama in eastern Ladakh).
·     Operationalise and deploy the new nuclear capable Agni – V. (This will effectively counter the DF-21 deployed in Delingha in Tibet)
·     India must strengthen its military ties with Vietnam and South-East Asian states like Singapore and increase its naval presence in the South China Sea. 

In conclusion, the Ministry of Defence and Home Affairs ought to concentrate on formulating policies to counter China effectively and strengthen the nation’s defences against Chinese incursions rather than keep count of the incursions like a statistician. The whole objective behind the qualitative and quantitative increase in force levels is not only to counter any possible Chinese adventure but also to enable India to negotiate settlement of the border issue from a position of strength rather than from a position of weakness.