Wednesday, June 30, 2010

Russian Spies - Tradecraft and Follow the Money

There are two documents that have been made public which consist of most of the "official" information about this week's Russian Spy cases. We reviewed the first of these documents, a deposition by FBI Special Agent Amit Kachhia-Patel, in our article Tuesday, on Anna Chapman and Mikhail Semenko. Wednesday morning we took an "Unofficial" look at the Four Russian Spy Couples (& Two Solo Acts) constructing bits of information about them from Internet-based records and the media.

In this post we'll be focusing on the longer deposition of FBI Special Agent Maria L. Ricci, who lays out the case against eight defendants before the Honorable James L. Cott, US Magistrate Judge, Southern District of New York.

Christopher R. Metsos
Richard Murphy
Cynthia Murphy
Donald Howard Heathfield
Tracey Lee Ann Foley
Michael Zottoli
Patricia Mills
Juan Lazaro
Vicky Pelaez

The charges are still primarily "Conspiracy to Act as Unregistered Agents of a Foreign Government", which is a violation of Title 18 USC Section 951.

The thirty-seven pages of the deposition got a bit confusing, so I found it helpful to draw some pictures, and try to figure out how many conspiracies were documented within.

The Group of Five Spies

This diagram focuses on the "Seattle Conspirators", Michael Zottoli and Patricia Mills, and the "Hoboken Conspirators", Richard Murphy and Cynthia Murphy.

Bags of Money and Exchanged Packages

Christopher R. Metsos seems to be the only one who is actually being called an SVR agent in these documents. Metsos works directly for the Russian government, and likely has a salary and a pension. The "Illegals", as the other eight co-conspirators are named, are citizens who work "unofficially" to gather intelligence and perform tasks at the direction of their handler. Metsos met Richard Murphy at least four times between February 2001 and April 2005. On March 31, 2002, Metsos brought a bag of money, likely $40,000, to the meeting, and Murphy left with the bag. By April 17, 2005, Metsos chose to give Murphy an ATM card with matching identification and a PIN rather than large sacks of cash.

Metsos is observed on video doing a "Brush-pass", where two travelers with identical bags exchange bags while bumping into each other, crossing each other, or sitting beside one another without speaking. One of these brush passes is the only link to Zottoli and Mills, but there is a long gap in between. On May 16, 2004, Metsos trades identical orange bags with "Russian Government Official #2" in a brush-pass on a stairwell at the Forest Hills Train Station on the Long Island Railroad. Metsos then proceeds to meet with Richard Murphy at the Sunnyside Restaurant. He passes Murphy the package, instructing him to take his cut and tell the guy he meets "Uncle Paul loves him". Two weeks later Zottoli and Mills fly from Seattle-Tacoma airport to Newark Airport, check in to the Manhattan Hotel, and on June 19, 2004 enter Central Park. Intercepted communications reveal they couldn't find one another, but the next day they do meet at a subway entrance near Columbus Circle. Zottoli leaves the meeting with a red museum gift shop bag he had not possessed before the meeting.

Two years later, Zottoli and Mills fly to JFK from SeaTac. This time they proceed to a location near the Forest Hills Train station, and dig up a package buried in 2004 on the day of the Brush-pass. They are observed filling several wallets and a money belt with money back at their hotel, where they are under video surveillance.

In 2009 a similar brush-pass is arranged at the North White Plains train station on the Harlem Line. Intercepted electronic messages gave the plan: where to meet in a "dead zone" on a certain stairwell, where Barnes and Noble bags would be exchanged. It is believed Murphy received $300K from Russian Government Official #3, and passed half of the money to Zottoli, along with a flash memory card.

Murphy and Zottoli were given a script for positive identification:
"Excuse me, did we meet in Bangkok in April last year?"
"I don't know about April, but I was in Thailand in May of that year."

The second half of the pass happened on a park bench in Fort Greene Park in Brooklyn. Electronic comms intercepted after the meeting reported "Meeting with M was successful. A passed to M the card and $150k."

Murphy met with other SVR agents to receive an Irish passport in the name of Doherty Eunan Gerard and money and tickets for travel. In January 2010 Murphy received instructions to purchase computer equipment and take it to the Moscow Center. He traveled to Europe with the laptop, and after returning met once more with Michael Zottoli at a coffee shop in Brooklyn and passed him the laptop, two memory sticks, and $9,000 cash, according to intercepted electronic records.

Electronic Tradecraft & Taskings

In addition to the typical "package exchange" tradecraft, there is significant evidence of sophisticated electronic tradecraft as well.

On July 27, 2005, the FBI conducted a search of the Hoboken, New Jersey residence of Richard & Cynthia Murphy. During the search, they uncovered a 27-character long password written on a piece of paper near the computer, beginning with "ctrl alt e".

The password turned out to be the key to unlocking a secret steganography program located among their disks. Also on the computer in their apartment, an address book was found indicating "hundreds of websites" where photos could be uploaded. According to court documents, these websites were reviewed and more than 100 images were discovered which actually contained text files hidden within the images.

Although I am familiar with the concept of steganography - hiding a text message inside the "noisy bits" of a graphic file - I was only aware of one "in the wild" story of steganography before this case. In fact, I frequently ask the question when various professionals mention steg if they have ever seen it "in the wild". Only one person so far has answered me in the affirmative with a credible story - Dorothy Denning of the Naval Postgraduate School, speaking at a cybercrime meeting at UNC Charlotte - with a case involving stolen credit cards hidden in graphical bullets on a website. This would be the second case of which I am aware. All of the other "scary stories" about steganography I have heard have proven to be unfounded.
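As an added illustration, not code from the original post or from the case files, the following Python sketch shows the simplest form of the technique described above, least-significant-bit (LSB) embedding of text in the "noisy bits" of an image, side by side with the classic chi-square pairs-of-values test (Westfeld and Pfitzmann) that an examiner can run to detect it. Everything in it is constructed: the "image" is a flat array of synthetic grayscale samples rather than a real picture file, the message and key are made up, and the XOR whitening stands in for the encryption real tools apply to the payload before embedding. It says nothing about how the SVR software actually worked.

```python
"""LSB steganography embed/extract plus a chi-square pairs-of-values check.

Constructed demo: the "image" is a flat array of 8-bit grayscale samples
produced by make_cover(); no real image file is read or written.
"""
import random
from typing import List


def make_cover(n: int = 8192, seed: int = 7) -> bytearray:
    """Synthetic cover image. Values are biased toward even numbers so the
    histogram pairs (2k, 2k+1) are unbalanced, as they usually are in real
    photographs; that imbalance is what the detector looks for."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = rng.randrange(256)
        if v % 2 == 1 and rng.random() < 0.6:
            v -= 1
        out.append(v)
    return out


def _keystream(key: str, n: int) -> bytes:
    # Whitening only: a stand-in for the encryption real tools apply so the
    # embedded bits look random. random.Random is NOT a cipher.
    rng = random.Random(key)
    return bytes(rng.randrange(256) for _ in range(n))


def _to_bits(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def _from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def embed_lsb(cover: bytes, message: bytes, key: str) -> bytearray:
    """Overwrite the LSB of consecutive samples with a 4-byte length header
    followed by the whitened message."""
    whitened = bytes(a ^ b for a, b in zip(message, _keystream(key, len(message))))
    bits = _to_bits(len(message).to_bytes(4, "big") + whitened)
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # keep 7 high bits, replace LSB
    return stego


def extract_lsb(stego: bytes, key: str) -> bytes:
    """Read the LSB plane back, parse the length header, un-whiten the body."""
    lsbs = [b & 1 for b in stego]
    length = int.from_bytes(_from_bits(lsbs[:32]), "big")
    body = _from_bits(lsbs[32:32 + 8 * length])
    return bytes(a ^ b for a, b in zip(body, _keystream(key, length)))


def chi_square_pov(pixels: bytes) -> float:
    """Pairs-of-values statistic: for each pair (2k, 2k+1), compare both counts
    with their mean. LSB embedding of random-looking bits pushes the two counts
    toward equality, so the statistic collapses on a stego image."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        expected = (a + b) / 2
        if expected > 0:
            stat += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
    return stat


def demo():
    """Embed a constructed message, recover it, and score cover vs. stego."""
    cover = make_cover()
    msg = b"CONSTRUCTED SAMPLE: meeting report, not a real intercept. " * 14
    key = "constructed-demo-key"
    stego = embed_lsb(cover, msg, key)
    recovered = extract_lsb(stego, key)
    return recovered == msg, chi_square_pov(cover), chi_square_pov(stego)


if __name__ == "__main__":
    ok, before, after = demo()
    print(f"round-trip ok: {ok}")
    print(f"chi-square cover: {before:.1f}   stego: {after:.1f}")
```

The detector works only because the payload occupies most of the samples and looks random; a short message buried in a large image, or one spread by a key-driven pseudo-random walk, leaves the statistic nearly unchanged, which is why examiners in practice lean on the artifacts the paragraph above actually describes: the tool itself, its password, and the address book of upload sites.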

Another piece of electronic tradecraft was the shortwave radio found in the February 17, 2006 Seattle search of Zottoli and Mills' apartment. In that case, a spiral-bound notebook of "radiograms", short coded groups of letters, was found written beside the shortwave. Several of the couples, including Boston and New Jersey, were observed to receive electronic messages referring to "RGs" or RadioGrams. In January 2009, a message to New Jersey read "Pls, make sure your radioequipment for RG rcptn is in order. We plan to send a couple of test Rgs." Pelaez and Lazaro were also overheard in surveillance discussing "receiving radio from over there."

Some of the decoded messages to the New Jersey conspirators gave specific taskings, or "infotasks". For example, in the spring of 2009 the SVR requested information prior to Obama's visit to Russia: any information on the US position with respect to a new Strategic Arms Limitation Treaty, Afghanistan, or Iran's nuclear program. Specific sub-cabinet officials were named from whom information should be sought. It wasn't necessarily classified information that was being sought - in one message of October 18, Moscow instructs "to send more info on current international affairs vital for R, highlighting US approach and providing us w. comments made by local expert (political, economic) scientist's community. Try to single out tidbits unknown publicly but revealed in private by sources close to State department, Government, major think tanks."

As I revealed in yesterday's blog story, Four Russian Spy Couples and Two Solo Acts, those arrested had many important contacts through well-chosen schools and carefully selected career options to put them near these types of people. As Richard Murphy was contemplating how to improve his collection, he was warned by Moscow Center to avoid directly seeking government jobs, because his legend was not strong enough to pass a full government level background check.

One "job well done" message was sent back to Cynthia Murphy after she shared some closely held information regarding the global gold market. SVR responded "Info on gold v. usefull, it was sent directly to Min of Finance, Min of Ec Devel."

Intercepts to and from Cynthia Murphy provide further insights. She was urged to strengthen relationships with classmates and professors who may be able to help with introductions or who may work with secret data. If she became aware of a potential information source, she was to pass the data to the SVR, who would instruct her to proceed ("the target is clean") or hold back ("the target is dirty"). She was given a "clean target" report about one of her financial firm's clients, who has since been revealed in the media to be Alan Patricof, a Hillary Clinton financier. Even "White House kitchen" gossip would make for interesting reports, and she was encouraged to try to get invitations from Patricof to events such as Democratic Party conventions.

Murphy was also tasked to seek out particular classmates who may apply for jobs with the CIA. (Murphy has an International Business Degree from NYU's Stern School of Business, and an MBA from Columbia.) After many years with the same firm, in 2010 Moscow Center began pushing for Murphy to consider a job with a lobbying firm that would increase her access to US government sources.

The Other Couples

Juan Lazaro and Vicky Pelaez don't seem to have any clear link, that I could see in the court record, with the other couples or with Metsos. The primary activities documented regarding these two are money movement. At least two South American money transfers occurred involving the receipt of funds from Russian government representatives. On January 14, 2000, Pelaez received funds while under video surveillance at a park in a South American country. A telephone intercept confirms that Pelaez told Lazaro that same day that "all went well." Lazaro would later meet "Russian Government Official #1" at the same park on August 25, 2007, with the exchange again being videotaped. Lazaro waited at a park bench with an open shopping bag at his feet. Official #1 placed a smaller plastic bag into Lazaro's shopping bag, and the two parted ways. When Lazaro returned home he paid $8,000 in taxes almost immediately.

On January 8, 2003, an intercept of the couple records that Lazaro is writing a report "in invisible" in a notebook, and that while Pelaez is in South America she will pass the book to contacts there. This is believed to be a reference to invisible ink. After one of Pelaez's trips she returns with "eight bags of ten" and the two are heard counting money on surveillance, determining they actually had $76,000. Other conversations recorded at their residence made it clear they were being paid to provide information. One exchange is shared in the deposition where their handlers are complaining that some facts do not indicate their source, and that this makes them worthless. Pelaez replies to her husband "Then why do they have you? If they don't care about the country, what do we have Intelligence Services for?" Most of the intercepts from this couple are from 2002 and 2003.

One of the only things that ties the Boston conspirators, Donald Howard Heathfield and Ann Foley, to the others is their common technology. As mentioned above, the New Jersey search warrant found secret steganography software, developed by the SVR, that was only accessible if a particular 27-character password was entered. The same software, also only accessible by entering a 27-character password, was found on the Boston couple's computer after a search of their home on July 29, 2006. In that same search, a number of deleted files were recovered from their computer, including files that were obviously the draft messages which had been embedded in image files and posted online for retrieval by the SVR. Aural communication intercepts of the couple at home also reveal that they were using the steganography, including one intercept shared in the deposition from March 7, 2010, where Foley and Heathfield are discussing whether they were allowed to place two messages in the same image.

In several of the intercepts, it is revealed that Donald (who is referred to as "Dv" by Moscow Center) has established contact with a former high-ranking US Government national security official whose name is provided. He also relays conversations about the capabilities and strategic planning for "small yield high penetration nuclear warheads" called bunker-busters. His infosources were given codenames such as "Farmer", "Parrot", and "Cat". Sometimes he was encouraged to proceed. Other times he was asked for more details about work position, background, habits, contacts, etc., in order to determine whether the target was worthwhile to pursue.

Foley is elsewhere provided with a fraudulent British passport, a flight itinerary, and an invitation from the Russian Chamber of Commerce to visit Moscow.

At this point, it is not obvious from the published documents how Pelaez and Lazaro can be linked to the others. One may speculate that the link is through common handlers on the official Russian side which cannot be disclosed publicly at this time.
