SPY NEWS: 2024 — Week 38

Summary of the espionage-related news stories for Week 38 (September 15–21) of 2024.

1. Czech Republic/China: Czech Academics Face Dangerous Espionage Threat from China

RegTech Times reported on September 15th that “in a startling report, the Czech Security Information Service (BIS) has raised serious concerns about China’s growing espionage activities in the Czech Republic. One of the key tactics China is using involves exploiting professional networking platforms like LinkedIn. By creating fake profiles, Chinese intelligence operatives are reaching out to Czech academics and professionals, attempting to gather sensitive information and establish influence. According to BIS, Chinese agents often disguise themselves as employees of fictitious consulting or headhunting companies, most commonly appearing to be based in places like Singapore or Hong Kong. These agents then approach Czech professionals, typically through LinkedIn, with offers of financial rewards in exchange for research and reports. At first glance, these offers may appear to be legitimate opportunities, but they often serve as a gateway for Chinese intelligence to gain access to valuable, non-public information. The initial contact might seem harmless, but it can quickly escalate. Chinese operatives offer financial incentives for the creation of studies that align with China’s political goals. Once a relationship is established, the individuals targeted may find themselves slowly being pulled into deeper levels of cooperation, sometimes without even realizing the extent of the involvement. The information shared in these cases could pose a significant risk to the security and interests of the Czech Republic and the broader Euro-Atlantic region.”

2. Worldwide: Tradecraft Sunday: Episode 14: Cyber Espionage Using Browser Extensions

On September 15th we published this episode of Tradecraft Sunday. As per its description, “modern Signals Intelligence (SIGINT) collection relies heavily on the cyber domain. An over a decade old CNE (Computer Network Exploitation) technique is the use of web browser extensions/plug-ins, that’s the topic of this episode. We briefly cover how it works and present several real-world cyber espionage operations employing this method from 2014 all the way to this day. This video aims on providing a historical and educational perspective on this subject, and all the material mentioned are available in the references section below.”

3. Lebanon/Israel/Palestine: “Islamic Resistance” Targets Enemy’s Espionage Equipment at Ramia Outpost

NNA reported on September 15th that “the “Islamic Resistance” issued a communiqué this evening, in which it indicated that in support of the steadfast Palestinian people in the Gaza Strip, the Islamic Resistance fighters targeted at 5:15 pm today the enemy’s espionage equipment at the Ramia outpost with a guided missile that hit it directly, leading to its destruction.”

4. Thailand: Spy Agency Keeps Move Quiet Amid Revamp

Intelligence Online reported on September 16th that “Intelligence Online has learned that the Thai National Intelligence Agency will be relocating amid broader changes to revamp the service.” Intelligence Online also stated on X about this that “the National Intelligence Agency is preparing to move out of its long-standing headquarters in the Paruskavan Palace to a new building in Bangkok’s Phaya Thai district by the end of next year.”

5. Kazakhstan: President of Kazakhstan Dismisses Heads of Foreign Intelligence Service and Anti-Terrorism Service

Trend News Agency reported on September 16th that “Kazakh President Kassym-Jomart Tokayev has dismissed the director of the Foreign Intelligence Service and the head of the Anti-Terrorism Service, the presidential press service said, Trend reports. “Ruslan Temirgalievich Seisembayev has been dismissed from the post of deputy chairman of the National Security Committee of the Republic of Kazakhstan — head of the Anti-Terrorism Service. Askar Baimerdenovich Amerkhanov has been dismissed from the post of deputy chairman of the National Security Committee of the Republic of Kazakhstan — director of the Foreign Intelligence Service,” the statement said.”

6. Turkey/Kurdistan: PKK Accuses PUK Cadres of Spying for Turkey Amid Rising Tensions

BasNews reported on September 15th that “the Kurdistan Workers’ Party (PKK) has accused dozens of cadres from the Patriotic Union of Kurdistan (PUK) of espionage on behalf of Turkey, further intensifying tensions between the two Kurdish factions. Kamal Hama Reza, the director of the PKK’s Chatr company and head of the group’s media network in the Kurdistan Region, made the allegations during an interview with a Sulaymaniyah-based channel. Despite these claims, he emphasized that the PKK has no political disputes with the PUK. “I am sure there are dozens of lines within the PUK working for agencies engaged in spy networks, which may not only spy on us but also on the PUK itself,” Reza said. He also noted, “There is no doubt about it. The entire crew is local, and the information is provided to the Turkish MIT.” The PKK’s accusations come as the PUK has consistently denied involvement in actions targeting PKK officials and fighters, while accusing other factions of aiding Turkey. Ankara, which considers the PKK a “terrorist organization”, has repeatedly claimed that the PUK maintains strong ties with the PKK, facilitating their activities in Sulaymaniyah and surrounding areas. Ankara accuses the PUK of allowing the PKK to establish headquarters in Sulaymaniyah and providing military training for PKK members traveling from Syrian Kurdistan (Rojava) to the region, according to Turkey’s state-run Anadolu Agency.”

7. Spain/Venezuela/Czech Republic: Spain ‘Rejects’ Claim of Involvement in Plot to ‘Destabilise’ Venezuela

The Times of India reported on September 15th that “Spain rejects allegations by Venezuela that Madrid was involved in a plot to destabilise the government of the Latin American country, a foreign ministry source said Sunday. “Spain denies and categorically rejects any insinuation that it is involved in a political destabilisation operation in Venezuela,” the source told AFP after three Americans, two Spaniards and a Czech citizen were detained in Venezuela and accused of involvement in a plot against the government. The government “has confirmed” that the two Spanish detainees “are not part of” Spain’s CNI spy agency “or any other state body”, the source added. “Spain defends a democratic and peaceful solution to the situation in Venezuela,” the source said. Venezuela’s interior minister Diosdado Cabello said Saturday that the foreign nationals were being held on suspicion of planning an attack on President Nicolas Maduro and his government. He said two Spaniards were recently detained in Puerto Ayacucho in the southwest over the alleged plot linked to intelligence agencies in the United States and Spain as well as to Venezuelan opposition leader Maria Corina Machado.”

8. United States/United Kingdom/Germany/Canada/Australia/New Zealand/France/Belgium/Netherlands/China: In New York Case, Signs of a Familiar China Playbook

The New York Times published this article on September 16th stating that “a prominent lawyer in Britain, accused of trying to advance Beijing’s interests in Parliament. An aide to a far-right politician in Germany, suspected of passing information about the inner workings of the European Parliament to China. A politician in Canada, accused of receiving help from the Chinese Consulate organizing busloads of international students from China to vote for him in party elections. Even before Linda Sun, a former senior aide in the New York governor’s office, was charged this month with using her position to benefit the Chinese government, suspected cases of Chinese foreign meddling had been on the rise in Western democracies. Allegations of Chinese political interference have also surfaced in Australia, New Zealand, France, Belgium and the Netherlands in recent years. The clandestine activity usually follows a pattern, analysts said. China recruits members of Chinese diaspora communities to infiltrate halls of power, or to silence Chinese dissidents and other critics of Beijing. Covert Chinese operations abroad have long centered on seizing industrial secrets and technology in sensitive sectors such as the military, aviation or telecommunications, with the aim of trying to erode the United States’ edge. What Ms. Sun is accused of doing is part of a different side of Chinese intelligence work — one that is focused on influencing political discourse so that it leans more favorably toward China’s positions on contentious issues like the status of Taiwan, the self-governing island claimed by Beijing, or the repression of China’s ethnic Uyghur minority. Federal prosecutors said Ms. Sun, who served as a liaison to the Asian community, blocked Taiwanese officials from having access to the governor’s office and removed references to Taiwan and Uyghurs from state communications. In return, prosecutors say, she and her husband, Chris Hu, received millions of dollars in benefits. 
“These are classic tactics that we are seeing,” said Anne-Marie Brady, a political scientist at the University of Canterbury in Christchurch, New Zealand, who specializes in Chinese influence efforts, referring to the allegations against Ms. Sun. “China is very proactive at trying to make use of overseas Chinese communities and ethnic Chinese politicians and officials to get information and shape policy.”.”

9. United States: CIA Declassified Marathon — 2+ Hours Exposing the CIA’s Darkest Secret Missions

Real Stories published this documentary on September 15th. As per its description, “declassified CIA documents form the basis for dramatic re-enactments of some of the most clandestine military operations in U.S. history. The inside stories detail how the spy agency formulated and executed campaigns to address foreign enemies, including what really happened during the missions that inspired the films “Zero Dark Thirty” and “Argo.” The reconstructions are buffeted with comments by, among others, journalist Bob Woodward and CIA agent Michael Scheuer, who was in charge of finding Osama bin Laden.”

10. United States/Iran: Iranian Cyber Influence Operations — Targeting the 2024 US Election

Grey Dynamics published this article on September 15th. As per its introduction, “Iran has a history of cyber warfare operations and meddling in the US presidential election process. The first cyber-enabled interference operations were seen by the public in the 2016 US presidential election cycle. Since that time Iran played a more active role in election interference activities. The goals of influence operations can include spreading disinformation, stoking conflict over contentious debate topics, and even encouraging violence. The 2024 US presidential election cycle faces new challenges with adversaries employing new tools such as generative AI to make content harder to detect by average citizens, and networks of websites disguised as news organizations putting out divisive content. Key Judgment 1. Iran will likely continue to target high-level political figures from both the Republican and Democrat political parties. Key Judgment 2. Iranian Cyber influence operations are likely to increase earlier in the election cycle than in previous elections. Key Judgment 3. As the 2024 US presidential election cycle progresses, Iranian cyber influence operations will likely grow in volume and sophistication.”

11. United States: CIA Bicentennial Commemorative Constitution Edition (1987)

On September 16th we published this video. As per its description, “every year the Constitution Day (officially known as Constitution Day and Citizenship Day) in the United States of America takes place on September 17th. On that day in 1787 delegates to the Constitutional Convention signed the Constitution in Philadelphia. This episode is about a Central Intelligence Agency (CIA) printed copy of the Constitution of the United States of America from 1987, meaning exactly 200 years after its ratification. Thus, making it a bicentennial commemorative constitution, opening with some words from the then Director of Central Intelligence (DCI), William J. Casey. In the video we also present another perspective referencing a more recent printed copy from the US Intelligence Community.”

12. Ukraine/Russia: SBU Detained Russian Agent in Odesa

On September 16th Ukraine’s Security Service (SBU) announced that they “detained a Russian agent in Odesa who was spying on mobile air defence groups and the “Lyut” assault brigade. The Security Service detained an agent of the Russian intelligence services in Odesa. The attacker was preparing coordinates for a new series of missile and drone strikes on the city. The priority targets of the enemy were the temporary bases of units of the combined assault brigade of the National Police “Lyut”, which perform tasks on the southern front. Also, the occupiers planned to hit the locations of the deployment of mobile anti-aircraft fire groups. In order to obtain geolocations for the attacks, the Russian intelligence service remotely recruited a 63-year-old man from Odessa who agreed to cooperate in exchange for money. To carry out enemy tasks, he regularly went around the city, where under the guise of walks, he secretly photographed military assets. To transmit intelligence to the aggressor, the agent used e-mail. SBU officers documented the intelligence activity of the suspect step by step and arrested him “red handed” when he was conducting reconnaissance near a military facility. Additional measures were also taken to secure the bases of Ukrainian troops. During the search of the detainee’s apartment, a mobile phone and computer equipment with evidence of criminal activity were seized.”

13. Norway/China: The Potential for Espionage by Chinese Electric Cars Raises Concerns at NATO Member Norway’s Military Bases

TIVI reported on September 16th that “in Norway, Chinese cars at military bases are causing concern, report the Norwegian newspaper Teknisk Ukeblad and the Swedish Ny Teknik. Audun Jøsang, a professor of telecommunications technology at the University of Oslo, criticizes the country’s authorities for their naivety.”

14. United States: “Active Suppression of Witnesses”: CIA Lied About “Havana Syndrome,” Whistleblower Documents Reveal

Salon published this exclusive story on September 16th stating that “the CIA has consistently lied to the American public about anomalous health incidents (AHI) for the last several years and may be guilty of obstruction of justice, according to documents recently released by the U.S. government. Often referred to as “Havana Syndrome,” AHIs became widely known when American officials and their families living and working in the U.S. Embassy in Havana, Cuba, first reported symptoms which include balance and cognitive problems, insomnia and headaches. Salon reported in March 2023 that a then-newly obtained declassified report, prepared for the director of national intelligence by a panel of experts, appears to show conclusively that “Havana syndrome” — a cluster of unexplained symptoms experienced by diplomats and government personnel abroad — is not a naturally occurring health problem. The new information verifies the former report. A whistleblower filed a complaint last year with the Office of the Director of National Intelligence’s Inspector General. We obtained the information via a FOIA request and subsequent lawsuit brought by the James Madison Project and attorney Mark Zaid. “This whistleblower complaint represents the most significant and lawful disclosure of information that undermines the public posture of the Intelligence Community, and specifically the CIA, concerning AHIs,” Zaid said. “The information seen first-hand by this whistleblower directly contradicts the asserted conclusions that U.S. personnel, particularly within the IC, are not being attacked by a foreign power using some sort of directed energy. 
It asserts the existence of classified documents, which are specifically identified in the complaint, is being deliberately covered up, including being withheld from other investigating federal agencies.” Several members of Congress, when contacted, said they thought the “matter had been settled” and there “wasn’t anything to this,” prior to the release of the information. The information just released by the government, however, shows that Congress and the FBI were among the government institutions that were either lied to or had information withheld from them. “The IC Inspector General investigated this complaint and deemed it to constitute an ‘urgent concern’ and forwarded it to the House and Senate Intelligence Committees. In fact, the formal HPSCI investigation that was initiated earlier this year was, in large part, because of the information that was presented by this whistleblower and others connected to the evidence,” Zaid explained. “AHI victims are dedicated federal civil servants, military members and their families, and they deserve better than the treatment they have received for injuries sustained in the line of duty,” Zaid said. He represents more than two dozen current and former federal employees who have been recognized as AHI victims, as well as the whistleblower whose complaint was released.”

15. United States/Iran: The CIA Coup that Changed the Middle East Forever

Dr. Ahmed Zaidi published this video on September 15th. As per its description, “the CIA coup that changed the Middle East forever.”

16. Russia/Ukraine/Turkey/Moldova: “Buried Explosives Under a Flower, Threw the Components into the River.” Why the Girlfriend of a Fighter of the RDC Fighting in Ukraine was Accused of Treason

Media Zone reported on September 16th that “in September last year, Samara artist and eco-activist Irina Izmailova was detained on charges of manufacturing explosives. Initially, her family believed that the real reason for the persecution was that the girl had been in a relationship with Alexander Kudashev, an eco-activist who joined the ranks of the RDC, for several years and had visited him in Moldova. It later turned out that the case was based on her own testimony: in Chisinau, Irina met people who introduced themselves to her as Ukrainian agents, went to meet them in Istanbul and, on their instructions, tried to manufacture explosives. The girl explained to investigators that she later buried the substance she had manufactured in her yard. In June, 35-year-old Izmailova was charged with treason. Mediazona tells what is known about the case and what Gembird headphones and a polygraph test in an Istanbul apartment have to do with it.”

17. United States: Citizen S2 — Building an Intelligence Shop — A Primer

S2 Underground published this video on September 16th.

18. United States/Israel/Greece/Italy/British Virgin Islands/North Macedonia/Cyprus: Treasury Sanctions Enablers of the Intellexa Commercial Spyware Consortium

The US Department of the Treasury issued this press release on September 16th stating that “today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned five individuals and one entity associated with the Intellexa Consortium for their role in developing, operating, and distributing commercial spyware technology that presents a significant threat to the national security of the United States. These designations complement concerted U.S. government actions against commercial spyware vendors, including previous sanctions against individuals and entities associated with the Intellexa Consortium; the Department of Commerce’s addition of commercial spyware vendors to the Entity List; and the Department of State’s visa ban policy targeting those who misuse or profit from the misuse of commercial spyware, subsequently exercised on thirteen individuals.” The press release also stated that: “the Intellexa Consortium is a complex international web of decentralized companies that built and commercialized a comprehensive suite of highly invasive spyware products, primarily marketed under the brand-name “Predator.” The consortium was founded by Tal Jonathan Dilian (Dilian), an individual designated pursuant to E.O. 13694, as amended by E.O. 13757 (“E.O. 13694, as amended”). Predator spyware can be used to gain access to data stored and transmitted from the target’s device, such as a cellphone, through one-click and zero-click attacks that require no user interaction for the spyware to infect the device. Successful Predator spyware attacks can provide the spyware’s operators with access to sensitive information on the victim’s device, including photos, geolocation data, personal messages, and microphone records. As a part of the growing commercial spyware industry, the Intellexa Consortium maintains operations around the world, and its clients include state-sponsored actors and governments.
Past targets of the Intellexa Consortium’s spyware products include government officials, journalists, policy experts, and opposition politicians. Felix Bitzios (Bitzios) is the beneficial owner of an Intellexa Consortium company that was used to supply Predator spyware to a foreign government client. Bitzios also acted as the manager of Intellexa S.A., a company in the Intellexa Consortium that was designated pursuant to E.O. 13694, as amended. Andrea Nicola Constantino Hermes Gambazzi is the beneficial owner of Thalestris Limited and Intellexa Limited, members of the Intellexa Consortium that were designated pursuant to E.O. 13694, as amended. Thalestris Limited holds distribution rights to the Predator spyware, and is the parent company to Intellexa S.A. Thalestris Limited has been involved in processing transactions on behalf of other entities within the Intellexa Consortium. Merom Harpaz is a top executive of the Intellexa Consortium, and acted as a manager of Intellexa S.A. Panagiota Karaoli is the director of multiple Intellexa Consortium entities that are controlled by or are a subsidiary of Thalestris Limited. Artemis Artemiou (Artemiou) is the general manager and member of the board of Cytrox Holdings Zartkoruen Mukodo Reszvenytarsasag (Cytrox Holdings), a member of the Intellexa Consortium that was designated pursuant to E.O. 13694, as amended. Artemiou is also an employee of Intellexa S.A. Aliada Group Inc. (Aliada Group), a British Virgin Islands-based company and member of the Intellexa Consortium, has enabled tens of millions of dollars of transactions involving the network. The Aliada Group is directed by Dilian. The Aliada Group was associated with Intellexa S.A. and Intellexa Limited, and held shares in Cytrox Holdings. Felix Bitzios, Andrea Nicola Constantino Hermes Gambazzi, Merom Harpaz, Panagiota Karaoli, Artemis Artemiou, and the Aliada Group Inc. are being designated pursuant to E.O. 13694, as amended, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”

19. Ukraine/Russia: SBU Neutralised GRU Group of Two in Zaporizhzhia

On September 17th Ukraine’s SBU announced that they “neutralised an agent group of the military intelligence of the Russian Federation that spied on units of the Armed Forces of Ukraine in Zaporizhzhia. The perpetrators were preparing coordinates for Russian airstrikes on military and critical infrastructure facilities in the region. Among the priority targets of the enemy were air defense systems, deployment points of the Defence Forces and enterprises of the defence-industrial complex. The occupiers were also interested in the routes of transporting Ukrainian weapons and ammunition to the front line. According to the case file, two residents of Zaporozhye turned out to be agents of the Russian military intelligence. One of the detainees is an employee of the Zaporizhzhia Strategic Defence Plant. The woman gave information to the enemy about the location of workshops where military products are produced, and also reported on missile damage to the enterprise where she worked. Another SBU agent was caught red-handed when he was spying on units of the Armed Forces of Ukraine based in Zaporizhzhia. To collect data, the suspect not only went around the city, but also “in the dark” asked for the information he needed during everyday conversations with acquaintances. During the searches, mobile phones and computer equipment with evidence of working for the enemy were found in the persons involved.”

20. Turkey/Israel: Mossad Suspects Nabbed in Türkiye Face 45 Years in Jail for Espionage

Daily Sabah reported on September 16th that “a Turkish prosecutor is seeking a total of 45 years in prison for 20 suspects, who are charged with spying on Palestinian nationals and Hamas-linked people targeted by Israeli intelligence agency Mossad. The public prosecutor in Istanbul filed a lawsuit on Monday against some 20 suspects, 16 of whom are under arrest, on charges of committing “international espionage” and transferring intelligence on foreign nationals living in Türkiye to a Mossad unit of online operations. The prosecutor’s indictment said the defendants seized private information, including addresses and footage, of Palestinian citizens and people linked to Hamas, a Palestinian resistance group ruling the besieged Gaza Strip, in Türkiye on behalf of Mossad. The Israeli agency unit “utilized” the suspects for remotely obtaining sources, surveilling its targets, including taking photographs and videos, as well as other tactical jobs such as following, battery, robbery or kidnapping, according to the indictment. The suspects especially tried to discover places or addresses where people targeted by Israel gather or live in Türkiye, it said. “Therefore, it is possible the next steps could have been the execution or abduction of these individuals,” the prosecution said, adding that official phone records made it evident the suspects earned advantages and made money in exchange for their activities for Mossad. According to the indictment, the defendants were paid via direct money transfers, Western Union or in cryptocurrency, in exchange for the jobs they did for Israeli intelligence. A swathe of evidence in the indictment includes conversations the suspects made with phone numbers belonging to the Mossad unit, as well as footage on their phones and bank receipts. Mossad contacted the defendants through communication applications and job postings on social media platforms to seize information on its targets. 
The agency later used seven different phone numbers to contact the suspects without ever making any video or audio phone calls.”

21. United States: Washington’s Foreign Interference Flagging Headache

Intelligence Online reported on September 17th that “US intelligence’s new centre for detecting foreign interference is facing its first test. In the run-up to November’s presidential election, it must coordinate the analysis of such threats and make itself heard by the general public and decision-makers.” Intelligence Online also stated on X about this that “concern is growing in Washington about the new mechanism for combating foreign interference in the run-up to the 5 November election, in particular the capabilities of the Foreign Malign Influence Center (FMIC). The FMIC has been operational since 2022, three years after Congress called for it, and coordinates the intelligence community’s analyses of foreign interference, particularly around elections, and then alerts decision-makers and the public. While the FMIC is stepping up its activities, such as publishing reports and briefings for the press, its ability to make itself heard by decision-makers and the general public is being called into question. At issue are the resources of this newcomer to an already dense bureaucratic structure, but above all its particularly cumbersome procedure for notifying the general public, which is fuelling lawmakers’ doubts about its effectiveness.”

22. Belarus/United States/Japan: Belarus Claims AR Game ‘Pokémon GO’ Spied on its Military Assets

The Defense Post reported on September 16th that “Belarus’ defense ministry has claimed that the 2016 augmented reality (AR) mobile game Pokémon GO was used for espionage. The ministry’s department head of ideological work Alexander Ivanov shared his suspicions on the national talk show, Po Suschestvu, during a discussion about potential targets for spies. “Where do you think there were the most Pokémon at that time?” he asked before stating that the bulk of virtual Pokémon were present at the “territory of the 50th air base, where the runway is, where there is a lot of military aviation equipment.” Pokémon GO relies on GPS tracking as it invites users to turn on location and use their phone camera to search their physical surroundings and collect virtual pocket monsters. The mobile game was developed as a collaboration among Niantic Inc., Nintendo, and The Pokémon Company.”

23. Azerbaijan: Coordinated Efforts of Intelligence Agencies Crucial in Combating International Terrorism

Trend reported on September 17th that “coordinating the activities of intelligence agencies is crucial in the fight against international terrorism and broader security threats, the head of Azerbaijan’s State Security Service (SSS) Colonel General Ali Nagiyev said during his speech at the II Baku Security Forum, Trend reports. The head of the service highlighted that the timing of the current forum on the eve of COP29 was deliberate. “Terrorist attacks targeting transport lines for energy resources could lead to global economic and environmental disasters, underscoring the need for enhanced joint efforts and overall effectiveness,” he stated.”

24. Ukraine/Russia: SBU Detained 2 Saboteurs in Kyiv and Kramatorsk

On September 16th Ukraine’s SBU announced that they “detained two 16-year-old arsonists who were carrying out the order of the Russian Federation in Kyiv and Kramatorsk. The perpetrators “hunted” for SUVs of the Armed Forces, equipped for combat missions on the front line. First, those involved would find potential targets and coordinate them with their Russian handlers. Then they arrived at the parking places of military vehicles and set them on fire with gasoline and flammable mixtures. For a “report” to the occupiers, those involved filmed the fire on their phone cameras, hoping for “easy money.” However, none of the arsonists did not wait for the promised money from the Rashists. In Kyiv, a 16-year-old suspect who came from Cherkasy region to set fire to military vehicles in the capital was detained. For the “test” task, the young man had to burn an SUV that volunteers had purchased for one of the combat brigades of the Armed Forces of Ukraine fighting on the Eastern Front. Officers of the Security Service detained the intruder “on hot pursuit”. In Donetsk, a resident of Kramatorsk who also wanted to “make money” by setting fire to cars of the Defence Forces was detained. Immediately after the first attempt to destroy the Ukrainian soldier’s SUV, the Security Service detained the young man and seized incendiary devices from him.”

25. China/Fiji: China Suspected of Hacking Diplomatic Body for Pacific Islands Region

The Record reported on September 16th that “Chinese state-sponsored hackers are reportedly suspected of compromising the networks of the Pacific Islands Forum (PIF) Secretariat, a regional diplomatic body based in Fiji. The cyberattack was first reported by ABC News, which learned that Australia’s government had sent specialists to Suva, Fiji’s capital city, after discovering the PIF’s systems had been penetrated. At a press conference following the Australian news report, PIF Secretary General Baron Waqa — who administrates the forum on behalf of its 18 member states, including Australia, New Zealand and Fiji — confirmed “that there was indeed a cybersecurity incident here this year.” Waqa said the forensic report into the incident was still being finalized and as such the PIF could not confirm which threat actor was responsible, as reported by Radio Free Asia. China, which does not avow any intelligence gathering activities, dismissed ABC’s report. The disclosure of the incident follows controversy during this year’s PIF meeting — which Beijing contested with its largest ever delegation to the forum — over a reference to Taiwan in the communique, describing the independently governed island as a “developing partner.” Beijing strongly contests Taiwan’s independent governance — established following the Chinese civil war — and has repeatedly refused to discount achieving a reunification by military means. In his New Year’s message, Chinese President Xi Jinping repeated his assertion that Taiwan would “surely be reunified” with the mainland. According to ABC, the cyber breach occurred in February, months before the meeting took place, and was “extensive,” providing the attackers with information about PIF and its operations as well as communications between the secretariat and member states. Citing a Pacific island government source, ABC said PIF had quietly alerted member states to the breach but had not publicly disclosed the attack or attributed it to China.”

26. Greece/Turkey: Greek Authorities Warn of Turkish Mafia’s Espionage Risk

Kathimerini reported on September 16th that “a confidential report authored by Greek security authorities charting the activity of the Turkish mafia in Greece has issued a stern warning about the risk of its being used as a tool by secret services. The multi-page report coincides with the recent arrest of armed Turkish mobsters in Greece on two separate occasions within the space of three days. The authors of the report characterize the potential recruitment of criminal law offenders by espionage networks as an “escalating threat.” Among other things, the report notes that Greece risks becoming a sphere for settling scores between rival groups of organized crime in Turkey, as happened in the case of the six-person murder in September 2023 in Loutsa. However, it also stressed that Turkish criminal groups can be leveraged by “politically motivated actors and intelligence services to carry out covert operations, such as conducting hybrid operations.” Organized crime has historically served as a lucrative target for secret services worldwide. “This is an escalating threat,” says the report, stressing that Turkish criminal networks operating in the country can be “effectively instrumentalized by foreign state actors.” From the analysis of incidents in Greece involving the Turkish mafia since September 2023, common characteristics emerge regarding the methodology employed. For example, when entering Greece illegally, they claim to be members of the Kurdish PKK or supporters of the Gulen network, in order to apply for asylum. In some cases they state that they are facing trumped-up persecutions in Turkey. They lead a luxurious life using expensive vehicles, post their photos and videos on social networks, while for their accommodation they use properties rented through Airbnb — mainly in the center of Athens and East Attica — using fellow Turks residing in Greece, who have not concerned the prosecuting authorities, to complete the agreements. 
“They are looking for synergies with Turks living in Greece or other countries of the European Union or the Western Balkans,” the secret report said. As well as the fact that the presence of Turkish criminals in the country of Kurdish origin entails the risk of developing connections and contacts with people from the anarchist-anti-authoritarian space, who usually participate in solidarity initiatives for persecuted Kurds.”

27. Russia/Ukraine/United States/Europe: Leaked Files from Putin’s Troll Factory — How Russia Manipulated European Elections

VSquare published this story on September 16th. As per its introduction, “leaked internal documents from a Kremlin-controlled propaganda center reveal how a well-coordinated Russian campaign supported far-right parties in the European Parliament elections — and planted disinformation across social media platforms to undermine Ukraine. In a video resembling a movie trailer, the head of Russia’s secret propaganda project, Ilya Gambashidze, removes his sunglasses and sits behind a computer, wearing a camouflage-patterned hoodie with the words “Russian Ideological Troops” spelled out on his sleeve. Text flashes on the screen: “Narrative production, content creation, 300 media outlets, 20 think tanks…” The video, part of a leak from Russia’s IT organization Social Design Agency (SDA), appears to be aimed at partners interested in their information operations services. “Gambashidze is responsible for numerous projects in various countries,” a source connected to EU intelligence told us. The organization and Gambashidze are already sanctioned both in the EU and the U.S. Amid the ongoing full-scale war in Ukraine, the Russian presidential administration has emerged as a key client of SDA. Recently, the U.S. Department of Justice and FBI revealed that Russian officials, including Sergei Kiriyenko, the Russian presidential administration’s chief of staff and often referred to as Vladimir Putin’s right-hand man, have attended several project meetings with Gambashidze. (We exposed his role in supervising influence operations in our previous investigative series, KremlinLeaks). Sofia Zakharova, another staffer in Putin’s administration, is also a frequent participant in these meetings. “Between April 2022 and April 2023, Gambashidze took notes related to at least 20 Russian Presidential Administration meetings,” the U.S. affidavit claims, citing several documents that are now also available to VSquare. 
The leaked documents, comprising thousands of files from SDA servers, were obtained by Delfi Estonia, Süddeutsche Zeitung, NDR and WDR, who shared the data with international partners: De Standaard, NRC, Schemes, Shomrim, DR, Profil, Dossier Center, FRONTSTORY.PL and VSquare. The latest FBI files on Russian influence operations correspond with the data from the leak, and refer to the SDA as “a public relations company, specializing in election campaigns, with deep ties to the Russian government.” The leak reveals how the SDA operates as a center for psychological warfare. Its “army” consists not of soldiers, but of meme creators and internet trolls. According to internal records, the agency employs “ideologists”, eight “commentators,” and a “bot farm operator.” The scale of disinformation production is astonishing. A leaked report claims that in the first four months of 2024, the SDA’s bot army, dubbed the “Russian Digital Army,” generated 33.9 million comments. They also claim to have produced 39,899 “content units” on social media, including 4,641 videos and 2,516 memes and graphics.”

28. Turkey: Intelligence Academy Starts 1st Lessons with MIT Chief Kalın

Daily Sabah reported on September 16th that “Türkiye’s prestigious National Intelligence Academy, launched earlier this year, started its first lessons with a lecture by the head of the National Intelligence Agency (MIT) Ibrahim Kalın on Monday. Highlighting the importance of having a global voice in intelligence theory and methodology, Kalın said the academy’s mission aims to produce concepts in intelligence and create new literature. “We’re embarking on a new journey for our world and our country. In this journey, the National Intelligence Academy will bring together theory and practice, as well as conceptual thought and application, create our own set of concepts and widen our horizons,” the spymaster said. Its vision is summed up as “establishing a competent intelligence community in Türkiye that is receptive to global engagement in the current competitive landscape of the multipolar world.” He continued by adding that the academy aims to embed and develop the area of intelligence as a field of study, raise field experts in necessary fields, and pave the way for new areas of study. The academy will also be open to international students, and will also offer training to public institutions in some fields, according to Kalın. Referring to constantly evolving technologies, Kalın said the academy will train analysts in the fields of artificial intelligence and data analysis, cyber security, cryptology, satellite and space technologies. It will enroot a strategic mindset that will lead the way for changes and transformations by following global developments in the field of intelligence. “The work conducted in line with the Türkiye axis will contribute to our country and our academy acquiring new opportunities and skills in the spheres of intelligence and security,” Kalın said. The newly established academy will offer two postgraduate programs in Intelligence Work and Security Work.”

29. United States/Italy/Greece/Cyprus/Russia/Syria/United Kingdom: Monitoring Russian Fleet?

ItaMilRadar reported on September 17th that “this morning, an interesting mission was carried out by a US Navy Triton (reg. 169804 — c/s BLACKCAT5) drone that took off from Sigonella. The drone headed toward the eastern Mediterranean, executing a series of orbits along its route. The first orbit, which lasted about an hour, between 3 and 4 AM, took place southwest of Crete. It could, though this is speculative, be the location of the Russian submarine Novorossiysk, which is reportedly heading toward Syria. Another orbit occurred (both on the outbound and return journeys) south of Cyprus. It’s possible that Russian naval units are present in the area. In addition to the BLACKCAT mission, a surveillance mission by a Royal Air Force Boeing RC-135W (reg. ZZ666) was also observed. The aircraft first orbited off the coast of Syria, then moved over Iraq (likely near the Syrian border), before returning to the eastern Mediterranean, where it is currently operating (12:30 CEST). While part of this activity is routine, it appears more intense than usual, possibly in connection with Russian naval activity in the region, which may be related to the Okean-24 exercise.”

30. North Korea: An Offer You Can Refuse — UNC2970 Backdoor Deployment Using Trojanized PDF Reader

On September 17th Mandiant published this threat intelligence report. As per its introduction, “in June 2024, Mandiant Managed Defense identified a cyber espionage group suspected to have a North Korea nexus, tracked by Mandiant under UNC2970. Later that month, Mandiant discovered additional phishing lures masquerading as an energy company and as an entity in the aerospace industry to target victims in these verticals. UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets. UNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that is purported to contain the job description in PDF file format. The PDF file has been encrypted and can only be opened with the included trojanized version of SumatraPDF to ultimately deliver MISTPEN backdoor via BURNBOOK launcher. Mandiant observed UNC2970 modify the open source code of an older SumatraPDF version as part of this campaign. This is not a compromise of SumatraPDF, nor is there any inherent vulnerability in SumatraPDF. Upon discovery, Mandiant alerted SumatraPDF of this campaign for general awareness.”

31. Armenia/Russia: Russia Tried to Stage Coup in Armenia, Prosecutors Allege

Politico reported on September 18th that “Moscow paid and trained a ring of insurgents in a bid to overthrow Armenia’s pro-Western government earlier this year, prosecutors in the country have said, but local security forces disrupted the alleged plot. In a statement on Wednesday, the Investigative Committee of the Republic of Armenia said seven people would be charged with “preparing to usurp power … using violence and the threat of violence to take over the powers of government.” According to the officials, six Armenians were recruited to undergo three months of training in Russia and were paid monthly salaries of 220,000 rubles ($2,377) while learning how to use weaponry. They also reportedly underwent background checks and polygraph tests to determine their allegiances, before being transferred to “Arbat military base” in Rostov-on-Don, southern Russia. The Russian Ministry of Defense did not immediately respond to a request for comment.”

32. Iran/Israel/Turkey: Israeli Arrested over Iran Plot to Kill Netanyahu, Israeli Security Services Say

BBC reported on September 19th that “an Israeli citizen has been arrested on suspicion of being involved in a plot by Iran to assassinate Prime Minister Benjamin Netanyahu and other top officials, Israel’s security services say. Israeli police and domestic intelligence said the man was twice smuggled into Iran and received payment to carry out missions. In a joint statement, they said the suspect was a businessman who had lived in Turkey and had Turkish contacts who had helped get him into Iran. The announcement comes at a time of soaring tension between Iran and Israel, regional arch-enemies. The statement said the suspect, who was not identified, was arrested last month. It said his targets were the prime minister, the defence minister and the head of Israel’s internal security agency Shin Bet. It said that in April and May, the suspect twice travelled to Samandag in Turkey to meet a wealthy Iranian businessman called Eddie, and was helped by two Turkish citizens. The statement said Eddie had problems leaving Iran on both occasions, so the Israeli citizen was smuggled from Turkey into Iran instead. It said that the man met both Eddie and “an Iranian security operative” there. It said Eddie asked the Israeli to “carry out various security missions within Israel for the Iranian regime”. According to the statement, these included transferring money or a gun, photographing crowded places in Israel and sending them to “Iranian elements”, and threatening other Israeli citizens who had been recruited by Iran but had not completed their tasks. At the second rendezvous in Iran, Iranian intelligence agents are said to have asked the Israeli to carry out terrorist activities in Israel, including the assassination of Netanyahu, defence minister Yoav Gallant, or Shin Bet chief Ronen Bar. 
According to the investigation, it was also suggested assassinating former Prime Minister Naftali Bennett and other public figures, in revenge for the killing of Hamas leader Ismail Haniyeh in Iran in July 2024. Iran blamed Israel for that attack, which Israel neither confirmed nor denied involvement in. Investigators say the Israeli demanded an advance payment of $1m.”

33. Moldova/Russia: Moldova’s Ex-military Chief Charged with Treason over Alleged Espionage for Russia

The Kyiv Independent reported on September 19th that “Igor Gorgan, the former chief of staff of the Moldovan military, has been charged with treason, Radio Free Europe/Radio Liberty reported on Sept. 19, citing the country’s prosecutors. The Prosecutor’s Office for Combating Organized Crime and Special Cases said that Gorgan stands “accused in the case concerning alleged espionage on behalf of Russia.” The investigative outlet The Insider wrote in June that Gorgan had been an informant of the Russian military intelligence agency (GRU) for years. The Moldovan officer served as the chief of the General Staff between 2013 and 2016 and was reappointed to the position in 2019 under pro-Russian President Igor Dodon before losing the position again in 2021 at pro-Western President Maia Sandu’s request. Even after losing office, the general has been using his contacts in the Defense Ministry and has passed sensitive information on Moldova and Ukraine to Russia, The Insider wrote. This reportedly included intelligence on military aid routes from Romania to Ukraine and on the political situation in Moldova. While it is unclear when Gorgan’s alleged cooperation with GRU began, their mutual communication reportedly became particularly active in April 2022, that is, shortly after the start of the full-scale war in Ukraine. Following the media investigation, Moldovan authorities launched a criminal case regarding data transmission related to the national defense system. The prosecutors said the investigation into “the nature and content of the allegedly transmitted information” is ongoing. Gorgan has denied the accusations and called the media investigation fake.”

34. Taiwan/China: 23 Indicted for China Espionage, Including 8 Active Servicemen

Focus Taiwan reported on September 19th that “prosecutors have indicted 23 people, including eight active servicemen, for spying for China, the Tainan Branch of the Taiwan High Prosecutors Office announced on Wednesday. Tainan prosecutors launched an investigation into the case in April this year after the Political Warfare Bureau received a tip-off from a soldier in 2022, the branch told CNA. Forty-nine people were summoned for questioning, following four waves of searches in 29 locations. Cellphones, computers, nine pieces of confidential military information and one classified document were all seized. The alleged ringleaders, two brothers surnamed Hsu (許), and another accomplice identified as Sun (孫) were held incommunicado, the branch said. The eight servicemen, who allegedly spied around on military bases nationwide, were from three branches of the Armed Forces and the Coast Guard Administration. The highest-ranked officer served as an Army captain, prosecutors said. The Hsu brothers were found to have traveled various times to Macao and the Guangdong-Macao In-Depth Cooperation Zone in Zhuhai, Guangdong Province, where they were recruited in September 2021 by two Chinese businessmen tasked with collecting Taiwan-related military information, prosecutors said. From January 2022, the Hsu brothers succeeded in luring Sun and 12 other people, offering them compensation ranging from NT$2,000 (US$65)-NT$30,000 for each active serviceman they recruited. The two also sought to woo active servicemen who were in debt through pawnshops and online loan companies, encouraging them to steal military information or secretly photograph military bases. The Hsu brothers approached 21 active servicemen, with eight agreeing to obtain information and send intelligence to them and Sun, who would reproduce the information and send it to their Chinese associates. 
Prosecutors estimated that the Hsu brothers could have racked up as much as NT$3.97 million in illicit gains over the past two years. Sun, meanwhile, could have gained up to NT$266,400. Furthermore, the eight indicted active servicemen may have each earned between NT$10,000 and NT$193,736. They were all indicted on charges of contravening the Criminal Code of the Armed Forces and the Anti-Corruption Act.”

35. Ukraine/Russia: SBU Detained Two Russian Agents in Kyiv and Kupyansk

On September 19th Ukraine’s SBU announced that they “detained two more female collaborators who worked for the occupying administrations of the Rashists. One of the figures was the “deputy director of the lyceum of the LNR”, which the Rashists created on the basis of the captured school in temporarily occupied Luhansk. According to the investigation, the collaborator obliged the lyceum teachers to teach the history of Ukraine exclusively according to the “methodology” of the Russian Federation, in which the facts of the formation of our statehood were completely falsified. The collaborator also praised Putin and the full-scale invasion of Russia, which she regularly spoke about in front of the school community. In August of this year, the defendant arrived in Kyiv via EU countries to resolve social issues. She planned to stay hidden in the city for a while, and then return to Luhansk. SBU officers located her and detained her in a rented apartment. According to the investigation, the suspect is a 42-year-old resident of Luhansk region, who in 2014 went to cooperate with the enemy. Before being appointed to the “position”, she underwent “retraining courses” in Rostov-on-Don. Another collaborator was detained in the Kharkiv region. The accomplice of the aggressor turned out to be a 58-year-old resident of Kupyansk, who after the capture of the city joined the local occupation administration of the Russian Federation. There, she was appointed to a “position” where she drew up documentation for the maintenance of military barracks and occupation authorities of the Russian Federation.”

36. France: Former Spies Now the Hot Ticket for Top Administration Jobs

On September 18th Intelligence Online reported that “senior French civil servants who had spent even a short time in the country’s DGSE foreign intelligence agency used to be shunned by top politicians. But they have now become a coveted commodity in ministerial offices.”

37. Yemen/United States: Houthi Shot Down 7th US MQ-9 Reaper Spy Drone in Yemen (Aug. 2024)

On September 20th we published this video in our archived content/footage playlist. As per its description, “on August 4th, 2024 Houthi Forces (officially known as Ansar Allah) released this footage showing the interception of a United States General Atomics MQ-9 Reaper UAV conducting ISR mission using a surface-to-air missile. According to the last part of the video, it was shot down by anti-aircraft weapon in the Saada governorate of Yemen while conducting “espionage work” inside Yemen’s airspace. Reuters stated that “the attack would be the first to be claimed by the Houthis since Israel carried out a retaliatory airstrike against the group in the port of Hodeidah.” This is the seventh MQ-9 that Houthi have shot down since October 2023.”

38. United States: Geospatial Intelligence Agency Shakes Up Service Providers for Economic Surveillance

Intelligence Online reported on September 18th that “the recent award of the LUNO A contracts by the National Geospatial-Intelligence Agency, expected for months, has highlighted the role of a number of discreet players. At the same time, the agency is getting rid of three long-standing service providers.”

39. Ukraine/Russia: SBU Detained GRU Agent in Kharkiv

On September 19th Ukraine’s SBU announced that they “detained a traitor who pointed Russian anti-aircraft missiles at the defenders of Kharkiv region. The Security Service detained an agent of the Russian military intelligence in Kharkiv. The attacker was correcting Russian rocket-bomb attacks on the front-line city and nearby territories. The priority targets of the enemy were the points of temporary basing of the Ukrainian troops involved in hostilities in the Kharkiv direction. In order to direct guided aerial bombs and missile weapons to the locations of the Defence Forces, the Russian special service remotely recruited a 42-year-old unemployed man from the regional centre. The man came to the attention of the occupiers because of his pro-Kremlin posts in Telegram channels. There, a staff member of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (better known as GRU) approached him and offered cooperation. On the instructions of a Russian intelligence service agent, the agent regularly visited the city’s districts and secretly recorded the location of the Defence Forces. Then he marked the corresponding coordinates on Google Maps and sent a “report” to his Russian handler via messenger. SBU officers exposed the agent at the initial stage of his intelligence activity, which made it possible to secure the positions of Ukrainian troops in a timely manner. After documenting every step of the criminal actions of the person involved, he was detained in his own apartment. During the searches, a mobile phone was seized from the agent, which he used to photograph military objects and communicate with the Russian GRU.”

40. Israel/Lebanon: Shin Bet Says it Foiled Hezbollah Attempt to Kill Former Top Israeli Security Official

The Times of Israel reported on September 17th that “the Shin Bet foiled a recent attempt by Hezbollah to assassinate a former senior Israeli security official using a remotely detonated explosive device, the security agency announced on Tuesday. The attack was intended to have been carried out in the coming days, according to the Shin Bet. The agency said that the Hezbollah network behind the attempted attack was also responsible for a bombing in Tel Aviv last year. The Shin Bet said it uncovered a Claymore-style anti-personnel mine, known to be in possession of Hezbollah, which was intended to have been used to target the former official. The bomb had a remote detonation system, including a camera and a cellular connection, which would have allowed Hezbollah to activate it from Lebanon. The former official, who was not named, was notified by security officials of the incident. Further details were not immediately permitted for publication. The Shin Bet said that the bomb was nearly identical to one that exploded in Hayarkon Park on September 15, 2023, in an attempted attack that caused no injuries. Two suspects were detained over that bombing on a nearby highway. They were identified as Israeli citizens from the West Bank Palestinian town of al-Eizariya near Jerusalem, living intermittently in the Tel Aviv suburb of Jaffa.”

41. Ukraine/Russia: (attempted) Drone Strike in Yaroslavl Oil Refinery in Russia (Jan. 2024)

On September 18th we published this video in our archived content/footage playlist. As per its description, “coordinates: 57°32’50.9”N 39°47’25.6″E // 57.547467, 39.790441. According to Russian officials, this was the first sabotage attempt of Ukraine’s Security Service (SBU) to target this infrastructure. SBU operatives used 4 drones which were, according to Russian officials, disrupted using Electronic Warfare (EW) weapons before they hit their target(s). According to Yaroslavl region Governor, Mikhail Yevrayev, “the Electronic Warfare system (EW) of the Slavneft-Yanos oil refinery prevented a drone attack. Law enforcement agencies and intelligence services are working at the scene. There are no casualties, no fire.” Quoting The Moscow Times, “the strike attempt marks the first in the Yaroslavl region — which is located over 100 kilometers northeast of Moscow and 700 kilometers from the border with Ukraine — since Moscow invaded Ukraine nearly two years ago. Yevrayev said no one was injured in the drone incident and no infrastructure was damaged, adding that “law enforcement agencies and special services are working at the scene.”.”

42. France/Azerbaijan: Baku Hunts for DGSE Informers Amid Diplomatic Jousting with Paris

Intelligence Online reported on September 17th that “as the two countries engage in a new diplomatic spat, the pre-trial detention of a Frenchman accused by Baku of spying for Paris has been extended. An exiled Azerbaijani who claims to be an informer for a French spy agency has also been refused asylum in France.” They also stated on X about this that “the diplomatic tussle between France and Azerbaijan’s Foreign Ministries, followed by the prison sentence handed down to French artist Théo Clerc for graffiti in Baku, has brought the thorny issue of Martin Ryan back to the fore. Accused by Baku of associating with DGSE intelligence officers stationed in Azerbaijan, Ryan remains in custody pending trial. However, he may not have been the only source for the intelligence service. An Azerbaijani journalist claims to have cooperated with DGSE officers in Baku, whom he had not identified as such. He was spotted and arrested by the police and the Azerbaijan State Security Service (DTX).”

43. Ukraine/Russia: SBU Detained Three Saboteurs in Chernivtsi

On September 17th Ukraine’s SBU announced that they “detained three arsonists who tried to destroy the relay cabinets of Ukrzaliznytsia in Bukovyna. The Security Service and the National Police detained three henchmen of the Russian Federation in Chernivtsi. Extras were preparing a series of arsons at Ukrzaliznytsia facilities on the order of Russian intelligence services. According to the case file, two of the detainees are brothers. The third is their mutual acquaintance. The attackers were recruited by the Russian intelligence service through Telegram channels, where they were looking for “easy money”. At first, only the brothers engaged in subversive activities. At the beginning of September, a Russian handler came to them and gave them a “test” task: for a small reward, make seven provocative graffiti on different streets of Chernivtsi. After that, a representative of the Russian intelligence service offered a “more serious” job — to set fire to relay cabinets, which was supposed to disrupt railway traffic in the region. The perpetrators committed the first arson, and in the second — involved their acquaintance, an unemployed man from Chernivtsi. As evidenced by the proceedings, the three of them planned to carry out all subsequent arsons. However, the Security Service of Ukraine and the National Police prevented further arsons and arrested all three perpetrators “on hot pursuit.” During searches of their homes, mobile phones with evidence of subversive activities in favor of the Russian Federation were seized.”

44. China/United States/Taiwan: Chinese Botnet Infects 260,000 SOHO Routers, IP Cameras with Malware

Bleeping Computer reported on September 18th that “the FBI and cybersecurity researchers have disrupted a massive Chinese botnet called “Raptor Train” that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries. The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan. Over four years, Raptor Train has grown into a complex, multi-tiered network with an enterprise-grade control system for handling tens of servers and a large number of infected SOHO and consumer devices: routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers. Raptor Train started in May 2020 and appears to have remained under the radar until last year when it was discovered by researchers at Black Lotus Labs, the threat research and operations arm at Lumen Technologies, while investigating compromised routers. While the primary payload is a variant of the Mirai malware for distributed denial-of-service (DDoS) attacks, which the researchers call Nosedive, the botnet has not been seen deploying such attacks. In a report today, the researchers describe three tiers of activity within Raptor Train, each for specific operations, e.g. sending out tasks, managing exploitation or payload servers, and command and control (C2) systems.” The Record also reported that “the U.S. has accused a company listed on the Shanghai stock exchange of being directly involved in China’s state-sponsored hacking activities. Integrity Technology Group (Integrity Tech), also known as Yongxin Zhicheng, is a cybersecurity business named on Wednesday morning by FBI Director Christopher Wray as responsible for running a botnet associated with the hacking group tracked as Flax Typhoon. 
A joint cybersecurity advisory, published following Wray’s statements at the Aspen Cyber Summit, accused the company of compromising hundreds of thousands of internet of things (IoT) devices dating back to 2021 — with a MySQL database for controlling the botnet containing over 1.2 million records of compromised devices. According to the advisory, Integrity Tech’s botnet had infected more than 260,000 machines as of June. It was also seen to be using the same IP addresses to control its botnet that were being used in other incidents to access “operational infrastructure employed in computer intrusion activities against U.S. victims.” The FBI stated it had engaged with multiple of these victims and assessed that the compromises were consistent with the tactics, techniques and infrastructure associated with Flax Typhoon, a threat group previously observed conducting espionage on organizations in Taiwan.”

45. Israel/Lebanon: How Did Pagers Explode in Lebanon and Why was Hezbollah Using Them? Here’s What We Know

CNN reported on September 18th that “hundreds of pagers carried by Hezbollah members in Lebanon blew up nearly simultaneously on Tuesday in an unprecedented attack that surpasses a series of covert assassinations and cyber-attacks in the region over recent years in its scope and execution. The Iran-backed militant group said the wireless devices began to explode around 3:30 p.m. local time in a targeted Israeli attack on Hezbollah operatives. CNN learned that Israel was behind the attack, which was a joint operation between Israel’s intelligence service, the Mossad, and the Israeli military. The Lebanese government condemned the attack as “criminal Israeli aggression.” Israel’s military, which has engaged in tit-for-tat strikes with Hezbollah since the start of the war with Iran-backed Palestinian militant group Hamas in Gaza last year, has refused to comment publicly on the explosions. The pagers that exploded were new and had been purchased by Hezbollah in recent months, a Lebanese security source told CNN. A Taiwanese manufacturer said on Wednesday the pagers, which bore the company’s mark, had been made by a European distributor. The Lebanese source did not provide any information on the exact date the pagers were bought or their model. Experts say the explosions, unprecedented in their scale and nature, underscore Hezbollah’s vulnerability as its communication network was compromised to deadly effect.”

46. Israel/Lebanon: Hezbollah Device Blasts — How Did Pagers and Walkie-talkies Explode and What Do We Know About the Attacks?

The Guardian reported on September 19th that “in an unprecedented security breach, thousands of pagers belonging to members of Hezbollah detonated across Lebanon simultaneously, killing 12 people and wounding almost 3,000 others. Hospitals across Lebanon were overwhelmed with an influx of patients, and a field hospital was set up in the southern city of Tyre to accommodate the wounded. Hezbollah has blamed Israel and vowed to retaliate. Israel has declined to comment on the blasts, but they came just hours after the military announced it was broadening its aims in the war sparked by the Hamas attacks on 7 October to include its fight against Hezbollah along the border with Lebanon. It remains unclear how exactly such an audacious attack was carried out, but here is what we know so far. A small amount of explosives were planted inside a new batch of 5,000 pagers ordered by Hezbollah for its members, according to a senior Lebanese security source who spoke to the Reuters news agency. Israel’s intelligence services were responsible, the source said. “The Mossad injected a board inside of the device that has explosive material that receives a code. It’s very hard to detect it through any means. Even with any device or scanner,” the source said. The Mossad has not commented on the attack. Another security source told Reuters that up to 3g of explosives had been hidden in the new pagers and had gone “undetected” by Hezbollah for months. The source said 3,000 of the pagers had exploded when a coded message was sent to them, simultaneously activating the explosives. An American official who spoke anonymously to the New York Times made similar claims, adding that the devices had been tampered with before they reached Lebanon. Explosive material was reportedly hidden in each pager next to the battery, along with a switch that could remotely detonate the device. 
According to the New York Times, the pagers received a message at 3.30pm local time that appeared to have come from the group’s leadership. It was this message that is believed to have activated the explosives. Several videos being circulated of the explosions appear to show victims checking their pagers in the seconds before they exploded. The plot appeared to have been many months in the making, several sources told Reuters. Hezbollah ordered 5,000 pagers marketed by the Taiwan-based company Gold Apollo, according to the Lebanese official, and it was these new devices that exploded. Other sources told Reuters that these pagers had been brought into the country in the northern hemisphere spring. Analysts at the open-source intelligence group Bellingcat also identified the pagers as coming from Gold Apollo. A source close to Hezbollah told the AFP news agency that “the pagers that exploded concern a shipment recently imported by Hezbollah”, which appeared to have been “sabotaged at source”. A senior Lebanese source told Reuters the devices, identified as the AR-924 model, had been modified by Israel’s spy service “at the production level”. There is no suggestion that Taiwan-based Gold Apollo was aware its devices had been tampered with. The company’s founder, Hsu Ching-kuang, told reporters on Wednesday that the pagers used in the attack had not been manufactured by Gold Apollo but by BAC Consulting, a company based in Hungary that had the right to use the Taiwanese firm’s brand.”

47. Israel/Lebanon: Second Wave of Exploding Devices Raises Fears of Wider Israel-Lebanon Conflict

Reuters reported on September 19th that “hand-held radios used by armed group Hezbollah detonated on Wednesday across Lebanon’s south in the country’s deadliest day since cross-border fighting erupted between the militants and Israel nearly a year ago, stoking tensions after similar explosions of the group’s pagers the day before. Lebanon’s health ministry said 20 people were killed and more than 450 injured on Wednesday in Beirut’s suburbs and the Bekaa Valley, while the death toll from Tuesday’s explosions rose to 12, including two children, with nearly 3,000 injured. Israeli officials have not commented on the blasts, but security sources said Israel’s spy agency Mossad was responsible. One Hezbollah official said the episode was the biggest security breach in the group’s history.”

48. Russia/Ukraine: Kerch Resident Sentenced to 20 Years in Prison for Preparing Assassination Attempt on FSB Officer on Orders from Ukraine

Media Zone reported on September 19th that “the Southern District Military Court sentenced Kerch resident Artur Agasaryan to 20 years in prison in the case of an attempted murder of an FSB officer. This was reported by the court’s press service. The first three years of the sentence will be spent in prison, the rest of the term — in a maximum security penal colony. In addition to imprisonment, he was also fined 500 thousand rubles. The man was found guilty of treason, preparation for a terrorist act, acquisition of explosives and preparation for making a homemade explosive device from them. Along with Agasaryan, another man, Aleksey Vasyutin, was also convicted. He was sentenced to six years in a maximum security penal colony and a fine of 350 thousand rubles under the article on illegal acquisition of weapons. According to the investigation, from February 1 to April 16, 2023, employees of the Main Intelligence Directorate of the Ministry of Defence of Ukraine established contact with Agasaryan and attracted him to cooperation. In May of the same year, on instructions from the intelligence service, as Kommersant writes, the Crimean followed one of the local security officials, and then filmed and transmitted to Ukraine videos of freight trains and cargo, including weapons and military equipment. In the summer of 2023, as the prosecution claimed, Agasaryan received an assignment from the GUR: he was supposed to follow a local FSB officer, study his travel routes, and then assemble a bomb and attach it to the security officer’s car. The man was given a cache of components for making a bomb by the coordinators, but there were not enough of them. On June 26, 2023, Agasaryan bought the missing components together with his acquaintance Vasyutin, after which they were both detained and a criminal case was opened.”

49. United States: NSA — The Women of NSA: Codemakers and Codebreakers

On September 19th NSA published this podcast episode. As per its description, “they cracked the Enigma machine and defeated Nazi Germany. They helped us stay a step ahead of the Soviet Union’s spies. They led cybersecurity modernizations to keep us safe. And today, they’re leading NSA efforts to defend the nation. These are the women of NSA. Learn from a historian and a mathematician about the storied history of women’s contributions to the NSA mission and national security. From World War II through the Cold War to the present day, women have been critical contributors to NSA’s foreign signals intelligence and cybersecurity missions.”

50. Ukraine/Russia: SBU Announced 15 Year Prison Sentence for GRU Mole Detained in February 2023

On September 17th Ukraine’s SBU announced that “thanks to the evidence base of the Security Service, another Russian agent who operated in Kyiv received a real prison term. The attacker spied on the movement of Ukrainian weapons in the direction of the eastern and southern fronts. According to the investigation, the enemy accomplice turned out to be a 50-year-old local resident who worked for the military intelligence of the Russian Federation. To fulfil an enemy mission, he got a job at one of the capital’s factories, which fulfilled state defence orders. The traitor also monitored the consequences of the aggressor’s airstrikes on the territory of the region and “leaked” relevant information to the Russian handler. The counter-intelligence agents of the Security Service exposed the enemy accomplice in advance, documented his intelligence activity and detained him as a result of a special operation in Kyiv in early February 2023. According to SBU materials, the court sentenced him to 15 years in prison with confiscation of property. As the investigation established, the agent came to the attention of the occupiers through his acquaintances from Russia, with whom he maintained contact. In order to obtain information about the consequences of the enemy’s “arrivals”, the suspect traveled around the city and secretly photographed the damaged buildings of the capital with reference to the area. He forwarded the received intelligence by messenger to the Russian handler, who then “reported” to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (better known as GRU).”

51. United States: Dustin Carmack, the Meta Boss Who Wrote Project 2025’s Radical Intelligence Reform Plan

Intelligence Online reported on September 19th that “the new, controversial, right-wing political initiative to extend the authority of the US president includes plans to increase centralisation of intelligence powers in the hands of the Director of National Intelligence. This will be to the detriment of the CIA, deemed to be insufficiently loyal.” They also stated on X about this that “the intelligence component of Project 2025, the roadmap for a future Trump presidency, was designed by one of the most influential Republican experts on these issues, now employed by Facebook’s parent company, Meta. Dustin Carmack headed the office of the Director of National Intelligence (DNI), John Ratcliffe, during the turbulent final months of the Trump presidency. This experience, marked by an intense politicisation of intelligence, adds colour to the drastic reforms he calls for. The increased centralisation of intelligence, through strengthened management powers for the DNI, is part of the primary objective of Project 2025, which aims to extend presidential authority over the entire state apparatus. The DNI’s new remit would be to cover the whole spectrum of intelligence, including cyber and its military players. In areas such as strategic analysis and OSINT, this is to the detriment of the CIA’s influence. These reforms should also give the president and the DNI the means to purge the intelligence community of personnel deemed insufficiently loyal. This is to ensure that the agencies are able to rigorously implement the president’s agenda.”

52. Greece/Russia/Syria/Spain: Hellenic Heron Monitoring Novorossiysk?

On September 19th ItaMilRadar reported that “the image shows an aerial surveillance operation conducted by an asset of the Hellenic Coast Guard in the Mediterranean Sea, south of the island of Crete. The identified aircraft is an IAI Heron drone (reg. UC-02), an unmanned surveillance system used for maritime patrol and monitoring missions. Its flight path is highlighted in green, drawing various orbits and zigzag maneuvers in the area, indicating a targeted monitoring operation in that zone. At the center of the scene, surrounded by the drone’s maneuvers, is the probable position of a Russian submarine, the Novorossiysk, identified by pennant number B-261. The Novorossiysk is a Kilo-class submarine, en route to the Russian base in Tartus, Syria. The proximity between the Greek Coast Guard drone and the Russian submarine suggests a monitoring or tracking situation. The drone might be engaged in a patrol activity to observe the submarine’s movements, thus ensuring the security and control of Greek territorial waters but we don’t know if the presence of the drone is directly related to that of the submarine. The drone could also be operating in the area to combat illegal immigration. In the same zone, a Spanish Air Force CASA CN-235M-100 (reg. D.4–05) that took off from Souda is also operating. The island of Crete, visible at the top of the image, holds a strategic position in the Mediterranean. Souda Bay Naval Base, located in western Crete, is an important installation for NATO forces and could be one of the reasons for the increased surveillance activity.”

53. Spain: National Intelligence Centre — Spain’s Intelligence Service

Grey Dynamics published this article on September 19th with its introduction stating that “the National Intelligence Centre (in Spanish: Centro Nacional de Inteligencia or CNI), known colloquially as “La Casa” (The House), is Spain’s main foreign and domestic intelligence service. CNI was created in 2002 as the successor to the Centro Superior de Información de la Defensa (CESID), Spain’s prior intelligence agency. The CNI is integrated into the Ministry of Defence as a public body with functional autonomy. It has legal personhood and full capacity to act. CNI is also a “top advisor” to the Spanish Government in matters of national security and intelligence. The CNI collaborates with Spain’s other intelligence agencies, including the Armed Forces Intelligence Centre (military intelligence) and the Intelligence Center for Counter-Terrorism and Organized Crime or CITCO (Ministry of the Interior). It also collaborates with foreign intelligence counterparts to address transnational threats and contribute to global security efforts. This includes working with the EU Intelligence and Situation Centre (EU INTCEN). In this article, we analyse the history, functions, structure and key operations of the CNI.”

54. United States: CIA — How To Sound Like A Spy: Five Colloquialisms at CIA

CIA published this article on September 19th stating that “the spy world can be so… hmmm, how should we say it? Shadowy yet fascinating? Many have read up on the history of espionage or binge watched spy movies and shows. Some may even have tried to go incognito at imagined spy hangouts donning a trench coat and greeting others with a breezy, “How do you do, fellow spies?” But how can you tell if that mysterious acquaintance is the real deal? Well, if they refer to themselves as CIA “agents” instead of “officers,” you can rule them out right away. Digging deeper, real CIA officers use unique lingo that only those on the inside know. Read on to learn some everyday spy slang.”

55. Ukraine/Russia: SBU Detained FSB Agent in Pokrovsk

On September 18th Ukraine’s SBU announced that they “detained a traitor to whom the FSB promised 1 million rubles for the coordinates of the combat positions of the Armed Forces of Ukraine near Pokrovsk. The Security Service detained another FSB agent in Donetsk region. He was preparing a series of airstrikes by the Russian Federation against the locations of Ukrainian troops on one of the hottest areas of the front — Pokrovsky. According to the military counter-intelligence of the SBU, under the enemy’s sights were the support and command posts of one of the brigades of the Armed Forces, which maintains the defence in the area of the front-line city. In order to obtain the coordinates for fire damage, the occupiers remotely recruited a Ukrainian serviceman who serves in this same brigade. In exchange for cooperation, the FSB “guaranteed” its agent 1 million rubles. However, he never received the promised amount, because the topic of monetary “reward” was used exceptionally by the Russian intelligence service to recruit a traitor. Officers of the Security Service exposed the agent in advance and detained him when he was fixing the geolocation of the forward positions of the Armed Forces for the aggressor. At the place of detention, the suspect’s mobile phone was seized, which he used to communicate with his Russian supervisor — an operative of the FSB. His identity has already been established. In addition, during the investigation, it was additionally established that, on the instructions of a Russian intelligence service officer, the agent had to “merge” the organisational and staff structure of the FSB with the personnel of the Armed Forces brigade where he served. The occupiers hoped to use this information for new recruitment and to obtain intelligence about the defence of Pokrovsk.”

56. Israel/Palestine: Gaza War Sparks New Israeli Intelligence Influence Industry

Haaretz reported on September 17th that “since the outbreak of the war in Gaza, at least six new intelligence software systems designed for monitoring social media have been developed and deployed in Israel. Their role includes aiding the country’s public diplomacy efforts, fighting online antisemitism, identifying and thwarting foreign influence campaigns and even gathering crucial intelligence from online sources. Before Hamas’ October 7 attack, the relevant Israeli agencies, including both the military and key ministries, lacked the technology, knowledge and infrastructure for monitoring platforms like Instagram, TikTok and Telegram. Tracking such networks proved essential for intelligence and later for public diplomacy purposes, particularly given the scale of the death and devastation in Gaza. Despite substantial investment, Israel continues to struggle with this challenge, locally described as the social media intelligence failure. According to 10 sources who spoke with Haaretz, this is both a national failure and a difficult problem facing all Western countries. The sources, from both a military and a public diplomacy background, including people with experience in countering the problem, say the resources required for monitoring social media at scale are immense. Plus, it is nearly impossible to do so without active state assistance and active cooperation from the tech giants that created these platforms. While tracking inauthentic activity is a risky and expensive challenge, further muddled by technical obstacles put up by social media firms to prevent misuse of their platforms, the sources say creating fake accounts and deploying them en masse is relatively simple, allowing operators to hide behind a veil of anonymity. 
With millions of genuine users criticizing Israel amid the massive destruction and death in Gaza, the sources say the war proved how hostile groups can operate networks of fake accounts with little to no action from social media firms, which critics say are slow and selective in their takedowns of such operations. Recent developments in artificial intelligence have made it possible to quickly scale up such operations and artificially amplify “anti-Israel” discourse and wage influence campaigns.”

57. Iran: UNC1860 and the Temple of Oats — Iran’s Hidden Hand in Middle Eastern Networks

Mandiant published this intelligence report on September 19th. As per its executive summary, “UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. UNC1860’s tradecraft and targeting parallels with Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860. UNC1860 additionally maintains an arsenal of utilities and collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors includes a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group’s reverse engineering capabilities of Windows kernel components and detection evasion capabilities. 
These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.”

58. United States/Italy/Libya: Triton on Task

ItaMilRadar reported on September 20th that “this morning we’re tracking a mission carried out by a US Navy Northrop Grumman MQ-4C (reg. 169804, c/s BLACKCAT5). The drone followed a significant trajectory, taking off from NAS Sigonella and heading south, flying along the Sicilian Channel, passing west of Malta, and then heading toward the Libyan coast, near Tripoli and Benghazi. The route includes a series of turns and loops, typical of surveillance or patrol missions. The Northrop Grumman MQ-4C Triton is a high-altitude drone primarily designed for maritime reconnaissance missions, and its presence in this area highlights the strategic interest of the United States and NATO in monitoring the coasts of North Africa and the Eastern Mediterranean. This area is crucial for controlling migration flows, countering terrorism, and protecting energy resources. The presence of this drone may be related to maritime surveillance operations, monitoring naval activities, or preventing illegal trafficking in this geopolitically sensitive area. Libya, in particular, remains a critical point for regional stability, and reconnaissance missions like this are common to monitor suspicious activities or militia movements. Moreover, the fact that the aircraft departed from Sicily underscores the strategic importance of Italian military bases in the Mediterranean for NATO and U.S. operations.”

59. Ukraine/Russia: SBU Shared Details on GRU Agents from Kyiv and Lviv

On September 18th Ukraine’s SBU announced that “thanks to the evidence base collected by the Ukrainian intelligence service, several perpetrators face life imprisonment with confiscation of property. On the eve of May 9, those involved were preparing a series of large-scale explosions in construction hypermarkets and near cafes in Kyiv. According to the case materials, the agents received such a task from their Russian handler, Yuriy Syzov, a staff member of the Main Directorate of the General Staff of the Russian Armed Forces (better known as GRU). On his instructions, the agents arrived in Kyiv, where they installed explosive devices in three construction hypermarkets. Homemade explosives were disguised in tea packages and were to detonate in hypermarkets to cause maximum damage to the civilian population. At the same time, attackers were preparing another explosion near a popular cafe in the capital. For this, they planned to replace the car parked nearby. Counter-intelligence and SBU investigators worked to anticipate and prevent a series of terrorist attacks. As a result of a multi-stage special operation, the subversive activities of the entire intelligence-combat group GRU together with its Russian handler were documented step by step. The Security Service caught enemy agents red-handed when they were setting up explosive devices in a Kyiv hypermarket. Subsequently, the SBU detained two more members of the enemy group. They turned out to be smugglers who were transporting explosives from Russia for the perpetrators of terrorist attacks. It was established that the explosives suppliers were to ensure the “evacuation” of one of the bombers to the territory of the Russian Federation by order of the Russian military. It was planned to bring him to the border with Russia and provide detailed instructions on crossing it. 
In addition, as evidenced by the proceedings, Yuriy Syzov, an officer of the Russian Army, was also responsible for the sabotage that was to take place in Lviv Oblast in February 2024. Then the SBU once again acted in advance and prevented explosions at one of the defence enterprises.”

60. United States/Uzbekistan: The Star Broker of Computer Flaws Sold in Central Asia Moves to Miami

Intelligence Online reported on September 17th that “the Florida-based Zero Security Research Labs has been expanding into Central Asia, where one of its co-founders, Azizjon Mamashoev, had long been a prominent figure in the field.”

61. United States: Mike Benz – Inside the Censorship Industrial Complex

On September 19th Shawn Ryan Show published this podcast episode. As per its description, “Mike Benz is a former official with the U.S. Department of State, known for his work in international communications and digital freedom. He has played a significant role in advocating for internet freedom and the protection of online expression. Benz is the founder of the Foundation for Freedom Online, an organization dedicated to promoting free speech and digital rights around the world. His work focuses on countering authoritarian censorship and supporting the rights of individuals to access and share information freely. His background includes expertise in foreign affairs and digital policy, often emphasizing the importance of a free and open internet as a fundamental human right. Through his advocacy, Benz has sought to engage policymakers and the public on issues related to digital governance, censorship, and the implications of technology for democracy.”

62. Finland: Drone Crash at Yle HQ Investigated as Suspected Espionage, but was Likely Accidental

Yle reported on September 19th that “Finland’s National Bureau of Investigation (NBI) is working on a suspected case of espionage, due to an incident in July in which a drone entered restricted airspace at Yle’s headquarters in Helsinki. Authorities do not suspect the incident was intentional, because the drone pilot notified Yle about the collision. However, investigators have not yet interviewed the suspect. The airspace over Yle’s headquarters is restricted and using drones in such areas requires operators to obtain a special permit. Generally, consumer models of the remote-controlled devices are programmed to automatically avoid restricted areas, usually referred to as no-fly zones. The NBI suspects that the drone operator flew the device near Yle’s broadcast tower and then lost contact with it. When that happens, the agency explained, the drone automatically returns to the remote control device. However, the drone crashed and got stuck in the tower’s mast on its way back, according to the NBI. The device was retrieved by an employee of Digita, a telecommunications firm which works with Yle on antenna maintenance. Investigators examined the drone’s flight log and found that it had flown a few blocks away by the Mall of Tripla, then passed the Helsinki Police Department’s headquarters before heading towards Yle HQ. The incident is being investigated as a case of suspected espionage because it occurred in an area of critical infrastructure, according to the NBI. But authorities still think that, based on current information, the incident was an accident. Cases of suspected espionage are rare in Finland, with only a few such investigations opened in recent years. People convicted of espionage face prison sentences ranging from a minimum of one to a maximum of ten years.”

63. Lithuania/Belarus: Lithuanian Man Sentenced to 9 Years in Prison over Spying for Belarus

LRT reported on September 20th that “the Vilnius Regional Court on Friday found Lithuanian lawyer Mantas Danielius guilty of spying for Belarus and sentenced him to nine years in prison. Danielius, who was present at the hearing, called the case an attack on freedom of speech. Prosecutors have said that the pre-trial investigation into espionage was opened in late September 2022. According to the investigation, since January 2022, Danielius had been carrying out tasks for a Belarusian national cooperating with Belarusian intelligence, gathering and passing on information to her. It is believed that Danielius posed as a volunteer to gain access to Lithuania-based organisations bringing together the opposition to the Minsk regime and to communicate with individuals who fled Belarus after the August 2020 presidential election. Investigators say that Danielius visited the offices of Belarusian opposition groups and attended events, collecting and passing on information about their activities, ongoing projects, funding sources, and organisation members and their meetings. The Lithuanian citizen is accused of not only collecting and possibly sharing information about Belarusian opposition groups in Lithuania but also about the Kalinoŭski Regiment, a Belarusian unit fighting in Ukraine.”

64. France: Spy Way of Life — The Peninsula Paris, a Luxury Hotel Turned Spy Hub by Gaza and Ukraine Crisis

This week’s selection for Intelligence Online’s Spy Way of Life was the Peninsula hotel in France. As per the article, “when the new head of France’s foreign intelligence agency DGSE (Direction Générale de la Sécurité Extérieure), Nicolas Lerner, dived into the deep end of global intelligence intrigue, his surroundings could not have been more luxurious: barely a month after his appointment, he found himself on 28 January at the entrance of The Peninsula Paris on Avenue Kléber in the French capital’s chic 16th arrondissement. Once past the kitsch oriental statues, he made his way to the luxury hotel’s suites that have been reserved for the world’s finest intelligence officers, ever hard at work. CIA chief William Burns and his team have their own suite, requiring ever increasing security measures and countermeasures — everyone here has only a relative degree of trust for each other — as does his Mossad counterpart, David Barnea. Qatari Prime Minister Mohammed bin Abdulrahman al-Thani is playing at home as the hotel has belonged to his country since 2007. They are all there to negotiate a ceasefire in Gaza. The French intelligence chief’s presence had not been revealed until now, but, representing the talks’ host power, he had to come and greet his counterparts. Nine months on, they have yet to yield a result. Lerner did not, however, spend the night, which would cost at least €1,500.”

65. Ukraine/Russia: SBU Detained Armed Forces Member Who Became GRU Agent in Zaporizhzhia

On September 20th Ukraine’s SBU announced that they “detained a demobilised conscript of the Armed Forces of Ukraine who started working for the Russian military intelligence. The Security Service detained an agent of the Russian military intelligence in Zaporizhzhia. The intruder was spying on Ukrainian troops engaged in hostilities on the southern front. According to SBU counter-intelligence data, the enemy was most interested in the geolocations of command posts, ammunition depots, and fortified areas of the Defence Forces in the Zaporozhye region. The occupiers also wanted to know about the main routes of movement, the estimated number and names of combat equipment of the Armed Forces of Ukraine, which is heading to the front line. To obtain intelligence, the occupiers recruited a 22-year-old demobilised conscript who had previously served in one of the military garrisons of Ukraine. The young man came to the attention of the military intelligence of the Russian Federation through his parents, who live in the temporarily occupied part of the territory of the Zaporizhia region and cooperate with the Russian intelligence service. In May of this year, he retired to the reserve and settled in the regional centre. Later, a staff member of the 316th Intelligence Centre of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (better known as the GRU), based in Sevastopol, approached him remotely. The identity of the occupier has already been established by SBU officers. First, the enemy intelligence officer requested from his agent the coordinates of the combat units and logistics warehouses of the military unit in which the former soldier was serving. Then, on the instructions of the Russian military, the traitor began to go around the front-line city, where he secretly recorded the locations of the units of the Armed Forces of Ukraine and the bridges through which they move in the direction of the front line. 
The enemy planned to use the intelligence to prepare strikes against the Defence Forces using guided aerial bombs, kamikaze drones and heavy artillery. The Security Service worked ahead of time and arrested the agent “in the act” when he was conducting reconnaissance near a military facility. At the scene, a mobile phone was seized from the detainee, which he used to communicate with his Russian handler.”

66. Israel/Hungary/Bulgaria/Lebanon/Syria: Israel Didn’t Tamper with Hezbollah’s Exploding Pagers, it Made Them

The Times of Israel reported on September 19th that “a report Thursday alleged that a Hungarian firm that apparently supplied pagers used by Hezbollah was secretly set up by Israeli spies as part of a widescale operation that appeared to culminate this week when the devices exploded, killing several and maiming thousands of Hezbollah operatives and others in Lebanon and Syria. The New York Times claimed that rather than merely managing to tamper with the devices at some stage of their production or distribution, Israel actually “manufactured them as part of an elaborate ruse.” The report was the latest to seemingly pull the covers back on what is widely believed to have been a secret Israeli operation that burst into the open Tuesday as thousands of devices blew up in Hezbollah strongholds. Then on Wednesday, hundreds of walkie-talkies used by the group exploded as well, sowing fresh fears across Lebanon and underlining how much remains unknown about the apparent plot. Citing three unnamed intelligence officers with knowledge of the operation, The New York Times reported that BAC Consulting was part of a front set up by figures in Israeli intelligence. Two other shell companies were also created to help mask the link between BAC and the Israelis, according to the report. The company was listed in Hungary as a limited liability company in May 2022, though a website for BAC Consulting was officially registered almost two years earlier, in October 2020, according to internet domain records. As of April 2021, the company website offered political and business consulting, with the firm changing addresses and expanding its offerings at least three times by 2024, archival research by The Times of Israel showed. According to the New York Times, the company supplied other firms with pagers as well, though only the ones transferred to Hezbollah were fitted with batteries that contained explosive materiel known as PETN. 
The devices first began to reach Lebanon in 2022, according to the newspaper, with production ramping up as Hezbollah chief Hassan Nasrallah denounced the use of cellphones due to concerns they could be tracked by Israel. “The phone in your hands, in your wife’s hands, and in your children’s hands is the agent… Bury it. Put it in an iron box and lock it,” Nasrallah told supporters in February, the New York Times report noted, and it added: “Israeli intelligence officials saw an opportunity.” As Hezbollah increasingly relied on the explosive-laced devices, Israeli intelligence officers saw them as “buttons” that could be pressed at any time, setting off the explosions that rocked Lebanon Tuesday, according to the Times.” It also stated that “Bulgaria, meanwhile, said it would investigate a third company linked to the sale of the pagers. The DANS state security agency said in a statement that it was working with the interior ministry to probe the role of a company registered in Bulgaria, without naming it. Bulgarian media reports alleged that a Sofia-based company called Norta Global Ltd had facilitated the sale of the pagers. Reuters was not immediately able to confirm the link to Norta, and company officials did not immediately respond to requests for comment. A lawyer that registered the company at an apartment block in Sofia did not respond to Reuters questions. Israel has declined to comment on either the pager or the walkie-talkie explosions.”

67. United States/China/Cuba: Chinese Military Spy Base in Cuba Exposed

On September 20th Task & Purpose published this video. As per its description, “the Chinese Communist Party is operating a network of spy bases in Cuba just 90 miles off the coast of Florida. In July 2024 the Center for Strategic and International Studies published a report outlining how they are growing a network of signals intelligence bases here. Similar to how the United States military runs intelligence gathering operations in Taiwan right near China — it appears like China is trying to turn the turntables back around.”

68. Poland/Australia/United Arab Emirates/Italy: EDA Underwater Drones Undergo Final Tests, UXMachines Arms AUKUS Drones, SecurCube in Dubai

Intelligence Online reported on September 19th that “from SIGINT to GEOINT and OSINT and a dose of cyber, each week we report on events both big and small that matter in the community of technical intelligence providers.” Intelligence Online also stated on X about this that “Poland/EU runs final tests on underwater ISR project SABUVIS II. Australian UXMachines algorithms used on AUKUS drones. Italy’s SecurCube scouts for contracts in the UAE.”

69. Lebanon/Israel: Hezbollah Launches Missile Attacks on Israeli Espionage Bases

Mehr News Agency reported on September 20th that “in line with supporting the steadfast Palestinian nation in Gaza and helping its brave and honorable resistance, and in response to the attacks of the Israeli enemy on the villages and homes of southern Lebanon, Hezbollah forces on Friday targeted a military headquarters of the Zionist regime, the Resistance movement said in a statement. In another statement, Hezbollah said that it has attacked an Israeli espionage center in Mishar with Katyusha missiles. Hezbollah forces also targeted the Israeli enemy’s air observation and operation headquarters in Meron base with dozens of missiles. The Lebanese Resistance movement Hezbollah has been conducting regular attacks since early October last year against the Israeli regime’s military positions in retaliation for the occupying regime’s offensives against Gaza and southern Lebanon.”

70. United States/China/Russia: GOP Senator Joni Ernst Demands Data on Possible Chinese, Russian Infiltration of US Laboratories: ‘Prime Targets for Espionage’

New York Post reported on September 20th that “Republican Sen. Joni Ernst is sounding the alarm on “foreign adversaries,” including China and Russia, infiltrating US laboratories — after a recent congressional report revealed that thousands of foreign citizens were granted access to the research facilities last year. “National Laboratories are prime targets for espionage and theft by foreign adversaries,” the Iowa lawmaker wrote in a letter to Energy Secretary Jennifer Granholm on Wednesday. “For decades, the People’s Republic of China (PRC) has been actively recruiting scientists from National Labs to work on their own military programs and stealing our research using visiting students and scholars.” Ernst has demanded data from the Department of Energy about the access that Chinese, Russian and Iranian nationals have garnered to the department’s 17 national laboratories over recent years. She cited a report from the Senate Intelligence Committee that revealed “approximately 40,000 citizens of foreign countries, including more than 8,000 citizens from China and Russia, were granted access to the premises, information, or technology” of the labs in fiscal year 2023.”

71. Australia/China: Chinese Defector Exposes Beijing’s Secret Spy Network

60 Minutes Australia published this video on September 17th. As per its description, “he was a rising star of the Chinese diplomatic service, and Chen Yonglin was very good at his job — a job that included spying and informing on Chinese-Australians. But what the communists didn’t count on is that Chen had a conscience and a craving for freedom. He, his wife and young daughter decided to defect. And he has secrets — big secrets. 1,000 Chinese informers operating in our country, and even Government-sanctioned abductions. And that’s left our Government grappling with its own conscience. Is the life of one man more important than diplomatic peace and quiet?”

72. Finland/Russia: Finland’s Intelligence Service Says Russia May Blackmail the Country with Hostages

Ukrainska Pravda reported on September 21st that “the large prisoner swap between the West and Russia in early August could set a precedent that would encourage Russia to continue blackmailing Western countries using hostages, and this could also threaten Finland. Source: Petteri Lalu, Senior Analyst at the Finnish Security and Intelligence Service (SUPO), in a comment to Finnish news agency STT. Details: Lalu noted that Finns who are in Russia or travelling to it might become prisoners whom Moscow could use as hostages. Quote: “Russia is an authoritarian state that uses hostage diplomacy to release people important to it from prison. We have a recent example from early August. This is a real phenomenon, and the threat also concerns Finns in Russia.” More details: One of the prisoners in Finland who may be of interest to the Russians as part of a swap may be Vojislav Torden of the neo-Nazi group Rusich, who was detained at Helsinki airport in July 2023. Torden is under investigation by the Finnish Central Criminal Police on suspicion of war crimes committed in Ukraine in 2014–2015. “If Torden is as important to the Russian leadership as the people who were brought back to Russia in the August prisoner swap, then I, for one, see no reason why Russia should not use hostage diplomacy against Finland,” says Lalu.”

73. United Kingdom/Germany: The British Banker Turned Spy That Sabotaged the German Nuclear Programme

War Stories published this documentary on September 16th. As per its description, “at the outbreak of war in 1939, the British government hired banker Charles Jocelyn Hambro as part of their spy unit SOE. Hambro’s intelligence and quick thinking soon worked his way up the ranks. His crowning glory was the operation he devised to disrupt the German nuclear program in the early years of WW2.”

74. Ukraine/Russia: SBU Announced 16 Year Prison Term for FSB Agent Detained in March 2023

On September 20th Ukraine’s SBU announced that “a deserter who escaped from the battlefield and “drained” the positions of the Armed Forces near Bakhmut was sentenced to 16 years in prison. Thanks to the evidence base of the Security Service, another FSB agent who operated in Donetsk received a real prison term. The intruder was spying on the Ukrainian troops fighting near Bakhmut. SBU officers detained a Russian agent in March 2023. The extra was a 29-year-old former contractor of one of the military units of Ukraine, who on the first day of the full-scale war ran away from the place of service and hid in the front-line territory of the Donetsk region. Later, an FSB officer approached him remotely and offered cooperation in exchange for money. In order not to “light up” during the execution of enemy missions, the agent “in the dark” involved his acquaintance in collecting information about the places of temporary bases and the routes of movement of the Defence Forces. The enemy was most interested in the approximate coordinates of the firing positions of the barrel and reactive artillery of the Armed Forces of Ukraine, which kept under fire control the assault groups of the invaders attacking Bakhmut. The agent also sought out information about the consequences of enemy shelling on the territory of the district. To communicate with the Russian intelligence service, the person involved used an anonymous chat in a popular messenger. In addition to text messages, he transmitted information in the form of voice messages. During the arrest, the traitor was seized with 5 mobile phones and a laptop with evidence of intelligence and subversive activities in favour of the Russian Federation.”

75. Iran/United States: US Agency Plotted to Channel Government Funds into Anti-Iran Campaign after 2022 Riots

Press TV reported on September 20th that “a new report has revealed that the US National Endowment for Democracy (NED) privately plotted to direct government resources into an anti-Iran campaign established after 2022 foreign-backed riots. Citing leaked documents and emails, The Grayzone news website reported Thursday that the NED had tried to channel US State Department resources into the so-called Iran Freedom Coalition. The coalition, that is composed of pro-Western Iranian figures and warmongering US neoconservative operatives, represents a clear attempt to impose an “exiled leadership” over anti-Iran opposition, the report added. It further said that the initiative against the Islamic Republic was spearheaded by Carl Gershman, the longtime director of the NED, which is considered Washington’s regime-change arm or the CIA spy agency in disguise. “Regardless of the listed members’ level of participation, the composition of Gershman’s proposed Iran Freedom Coalition demonstrates how Iran’s self-proclaimed pro-democracy movement has become a plaything for the Bomb Iran lobby,” it said. “Among those handpicked by Gershman to lead the initiative was William Kristol, the neocon impresario who has led a decades-long lobbying campaign for a US military invasion of Iran. Also selected was Joshua Muravchik, a flamboyant supporter of Israel’s Likud Party who insists that ‘war with Iran is probably our best option.’” The report also said that the anti-Iran campaign’s Iranian members consist heavily of US government-sponsored cultural figures and staffers at interventionist Western think tanks like the Tony Blair Institute.”

76. Canada: Canadian National Security Q&A — September 2024

Andrew Kirsch published this video on September 21st. As per its description, “former Canadian Security Intelligence Service (CSIS) Intelligence Officer Andrew Kirsch speaks with former Surveillant Pat D about the role of surveillance officer, what it’s like to do the job and how it fits in to the National Security and Intelligence Community.”

77. Philippines/China: Philippine Senator Won’t Rule Out Ex-mayor Alice Guo is a Chinese Spy

Reuters reported on September 20th that “a Philippine senator leading an investigation into a former mayor’s alleged links to Chinese criminal syndicates said on Friday she would not rule out her possible involvement in espionage. Alice Guo, who ran for mayor of Bamban as a Filipino but is also known as Chinese national Guo Hua Ping, is facing criminal charges that include graft, stemming from accusations she abused her power to allow offshore gambling to flourish in her town. “I’m not yet prepared to conclude that she is not involved, or that the people associated with her are not involved in espionage,” Senator Risa Hontiveros told foreign correspondents. A senate committee headed by Hontiveros launched an investigation into Guo in May after a casino raid in Bamban in the province of Tarlac uncovered what law enforcers described as scams run from a facility on land that she partly owned. In earlier hearings, Hontiveros had asked Guo if she was an “asset” for China. Guo, who maintains she is a natural-born Philippine citizen, has denied she is a spy, as well as other accusations against her, calling them malicious. Her case has gripped the Philippines at a time of growing suspicion about China’s activities following an escalation of disputes in the South China Sea where the two nations have overlapping claims. China’s embassy in Manila and Guo’s lawyer did not immediately respond to requests for comment on the remarks by Hontiveros. A court postponed Guo’s scheduled arraignment on Friday while it decides on her plea to have the case dismissed. She arrived in court wearing a mask and ballistics helmet.”

78. United States/Russia/Mexico: Russia Uses Mexico as a Hub for Spying on the US

NBC News reported on September 21st that “Russian intelligence services are building up their presence in Mexico for spy operations targeting the United States, a return to Cold War tactics by an increasingly aggressive regime, according to U.S. officials and former intelligence officers. Russia has added dozens of personnel to its embassy staff in Mexico City in the past few years, even though Moscow has only limited trade ties with the country. U.S. officials say the trend is concerning and believe the extensive buildup is aimed at bolstering the Kremlin’s intelligence operations targeting the U.S., as well as its propaganda efforts aimed at undermining Washington and Ukraine. The Biden administration has raised the issue with the Mexican government, a U.S. official told NBC News. “Russia has really invested in Mexico in terms of seeking to extend their presence,” the official said. The Mexican Embassy and the Russian Embassy did not respond to a request for comment. CIA Director William Burns said earlier this month his agency and the U.S. government are “sharply focused” on Russia’s expanding footprint in Mexico, which he said was partly the result of Russian spies being expelled from foreign capitals after Moscow’s full-scale invasion of Ukraine. “Part of this is a function of the fact that so many Russian intelligence officers have been kicked out of Europe. … So they’re looking for places to go and looking for places in which they can operate,” Burns said in London this month when asked about suspected Russian spying out of Mexico. “But we’re very sharply focused on that.” Russia’s actions in Mexico reflect a more aggressive posture by its intelligence services across multiple fronts, as the Kremlin seeks to silence critics abroad, undermine support for Ukraine and weaken Western democracies, former intelligence officials said. 
That approach has included sabotage and attempted sabotage in Europe, assassination plots, relentless cyberattacks and large-scale global disinformation campaigns, according to U.S. and European officials.”

79. Ukraine: Government Bans Use of Telegram over Security Concerns

Vanguard reported on September 21st that “Ukraine has taken a decisive step to protect its national security by banning the use of the Telegram messaging app on official devices used by government officials, military personnel, and critical workers. The country’s National Security and Defence Council made this announcement after receiving evidence from Ukraine’s GUR military intelligence agency that Russian special services have the ability to spy on both messages and users through the platform. While the restrictions apply only to official devices and not personal phones, according to Andriy Kovalenko, head of the security council’s centre on countering disinformation, the move underscores the growing concerns about Telegram’s security during the ongoing war with Russia. Telegram, a popular messaging app widely used in both Ukraine and Russia, has served as a critical source of information since the Russian invasion in February 2022. However, Ukrainian security officials have repeatedly raised concerns about its potential use by Russian forces for espionage and disinformation. Founded by Russian-born Pavel Durov, Telegram has faced its own controversies. Durov, who left Russia in 2014 after refusing to comply with demands to shut down opposition communities on his social media platform VKontakte, was recently arrested in France in connection with an investigation into crimes related to child pornography, drug trafficking, and fraudulent transactions on Telegram. The National Security and Defence Council’s decision to ban Telegram on official devices is based on evidence presented by Kyrylo Budanov, head of Ukraine’s GUR military intelligence agency. Budanov revealed that Russian special services can access Telegram messages, including deleted ones, as well as users’ personal data. He emphasized that the decision is not about freedom of speech but rather a matter of national security. 
In response to the ban, Telegram issued a statement denying any involvement in data disclosure or message interception. The company asserted that it has never provided any messaging data to any country, including Russia, and that deleted messages are permanently deleted and technically impossible to recover. Telegram attributed any instances of “leaked messages” to compromised devices, such as those affected by malware.”
