FireEye Report: Russian-Linked Influence Campaign Leveraging Compromised Websites, Including Legitimate News Websites, to Publish Fabricated Anti-NATO Content

On July 29, U.S. cybersecurity firm FireEye issued a report by Mandiant Threat Intelligence that identifies a particular influence campaign, aligned with Russian security interests, that consists of several information operations that have leveraged website compromises and fabricated content and “have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.”

FireEye labeled this campaign, which has been operating since at least March 2017, as “Ghostwriter” because of “its use of inauthentic personas posing as locals, journalists, and analysts within the target countries to post articles and op-eds referencing the fabrications as source material to a core set of third-party websites that publish user-generated content.”

In particular, the report notes that “[m]ultiple Ghostwriter operations appear to have leveraged compromised websites, predominantly those of news outlets, to post fabricated news articles or documentation.”  Although there were some cases in which only the purported victim entity (e.g., a government agency) publicly claimed to have been compromised, in many cases FireEye “also located archived copies of Ghostwriter articles posted to the suspected compromised sites.”

Public reporting suggested “that in at least some of these cases, the fabricated articles were published using the sites’ content management systems (CMS) after obtaining user credentials.”  In addition, “it appears that rather than creating new CMS entries, the actors may have replaced existing legitimate articles on the sites with the fabrications.”

For example, in September 2019, a local Lithuanian news site “was reportedly compromised, and a false article published claiming that German soldiers had desecrated a Jewish Cemetery in Kaunas.”  FireEye “independently observed an archived version of that article having been posted to the site.”

Such falsified content, in turn, has been referenced as source material in articles and op-eds written by “inauthentic personas” – at least 14, by FireEye’s count – who pose “as locals, journalists, and analysts within those countries.” These articles and op-eds, which are “primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, . . . as well as to suspected Ghostwriter-affiliated blogs.”

The report concluded that Ghostwriter “leverages traditional cyber threat activity and information operations tactics to promote narratives intended to chip away at NATO’s cohesion and undermine local support for the organization in Lithuania, Latvia, and Poland.”  While these operations so far have been targeting audiences in only those three countries, FireEye cautioned

that the same tactics employed in the Ghostwriter campaign can be readily repurposed and used against other target geographies. Given the established history of cyber threat and information operations tactics regularly migrating from targeting Eastern Europe to targeting Western Europe and the U.S., this campaign may warrant special attention, especially as elections near.

Note: This report should be of substantial concern to information-security teams in legitimate news organizations, not only in Eastern Europe but in Western Europe and North America.  Chief Information Security Officers in such news organizations should promptly bring the report to the attention of senior leadership, and increase their teams’ cyber surveillance for indications that this or other Russian-affiliated campaigns are seeking to compromise their sites and post fabricated news content.

Owners of “Iconic” South Philadelphia Cheesesteak Restaurant Indicted for Tax Evasion and Tax Fraud

On July 24, the U.S. Department of Justice announced the unsealing of an indictment that charged the owners of an “iconic” and popular South Philadelphia cheesesteak restaurant, Tony Luke’s, with conspiracy to defraud the IRS, tax evasion, and aiding and assisting in filing false tax returns.  From 2006 through 2016, Anthony Lucidonio Sr., and his son, Nicholas Lucidonio, allegedly hid from the Internal Revenue Service (IRS) more than $8 million in receipts, “by depositing only a portion of Tony Luke’s receipts into business bank accounts and filing with the IRS false business and personal tax returns that substantially understated their income.”

According to the indictment, the Lucidonios allegedly also committed employment tax fraud, by paying employees a portion of their wages and salaries “on the books” for some hours that they worked, but then paying substantial additional wages for the remaining hours that employees worked “off the books” in cash, without withholding and paying to the IRS the required employment taxes.  From 2014 through 2015, the Lucidonios “also allegedly filed false quarterly employment tax returns with the IRS substantially understating wages paid and taxes due.”

In addition, “after a dispute over franchising rights arose between the Lucidonios and another individual in 2015,” the Lucidonios, “concerned that their tax fraud scheme would be revealed, amended prior year tax returns to increase reported sales, but then falsely offset the increased income by inflating expenses.”  The Philadelphia Inquirer reported that the unnamed other individual was “Tony Luke Jr., the prominent face of the brand,” who “was fired from the family business in 2015 in a dispute over franchising rights and royalties from the Tony Luke’s brand.”

Note: On its face, this case appears to be a relatively simple example of alleged tax fraud and tax evasion by two individuals in a business that is largely cash-based.  But corporate compliance officers should take note of it as an example of how any type of noncompliance in any business, if not promptly identified and addressed, can spiral into even more severe and extensive noncompliance – with correspondingly severe consequences.

European Council Appoints 22 Prosecutors to European Public Prosecutor’s Office

On July 27, the European Council announced the appointment of 22 prosecutors to the European Public Prosecutor’s Office (EPPO).  According to the Council, the EPPO, which is scheduled to start operations in Luxembourg at the end of 2020,

will be an independent body of the EU responsible for investigating, prosecuting and bringing to judgment crimes against the financial interests of the Union (e.g. fraud, corruption, cross-border VAT fraud above 10 million euros). In that respect the EPPO shall undertake investigations, and carry out acts of prosecution and exercise the functions of prosecutor in the competent courts of the member states.

Each of the 22 prosecutors was appointed by the Council after reviewing nominations by the 22 European Union (EU) Member States participating in the EPPO.  The only EU Member States not participating in the EPPO are Hungary, Poland, Ireland, Sweden, and Denmark.

The prosecutors are appointed for a non-renewable term of six years, although the Council may decide to extend the mandate for a maximum of three years at the end of that six-year period.  As part of the transitional process for the EPPO, European prosecutors from one-third of the participating states, as “determined by drawing lots,” will have only a three-year non-renewable mandate.

Note: This is the first significant public development in the formation of the EPPO since the Council’s approval of Laura Codruţa Kövesi in 2019 as the first European chief prosecutor.  It provides some indication of the progress that the EPPO is making toward the commencement of operations by the end of the year.

Although the EPPO was initially contemplated to have 118 full-time positions, as well as up to 90 positions transferred from the European Anti-Fraud Office (OLAF) in Brussels, Kövesi reportedly is still negotiating the size of her staff and budget with the European Commission.  The state of those negotiations is unknown, as some European Parliament members last week were dissatisfied with the EU’s €1.07 trillion draft budget and voiced concern about protecting both the budget and the rule of law.  There seems little doubt, in any event, that the EPPO will open as planned, adding a new and potentially significant prosecutive force to combat corruption and fraud across Europe.

Commonwealth Edison Enters into Bribery-Related Deferred Prosecution Agreement with Justice Department, Will Pay $200 Million Criminal Fine

On July 17, the U.S. Attorney’s Office for the Northern District of Illinois announced that Commonwealth Edison (ComEd), the largest electric utility in Illinois, had entered into a deferred prosecution agreement (DPA) with the U.S. Attorney’s Office “to resolve a federal criminal investigation into a years-long bribery scheme.”  With regard to the DPA, which requires ComEd to pay a $200 million criminal fine, ComEd admitted that “it arranged jobs, vendor subcontracts, and monetary payments associated with those jobs and subcontracts, for various associates of a high-level elected official for the state of Illinois, to influence and reward the official’s efforts to assist ComEd with respect to legislation concerning ComEd and its business.”

As part of the resolution, the U.S. Attorney’s Office filed a one-count information, charging ComEd with bribery concerning programs receiving federal funds.  Under the terms of the DPA, it will seek to dismiss the information after three years “if ComEd abides by certain conditions, including continuing to cooperate with ongoing investigations of individuals or other entities related to the conduct described in the bribery charge.”

Both the information and the Statement of Facts in the case identify the “high-level elected official” as “Public Official A.”  Without naming him, they further state that Public Official A “is the Speaker of the Illinois House of Representatives.”  The Speaker, Michael Madigan, also serves as the boss of the Illinois Democratic Party.

According to the U.S. Attorney’s Office, ComEd admitted that its efforts to influence and reward Madigan

began in or around 2011 and continued through in or around 2019.  During that time, the Illinois General Assembly considered bills and passed legislation that had a substantial impact on ComEd’s operations and profitability, including legislation that affected the regulatory process used to determine the electricity rates ComEd charged its customers.

Madigan allegedly “controlled what measures were called for a vote in the Illinois House of Representatives and exerted substantial influence over fellow lawmakers concerning legislation affecting ComEd.”  ComEd admitted that it arranged for jobs and vendor subcontracts for Madigan’s political allies and workers “even in instances where those people performed little or no work that they were purportedly hired by ComEd to perform.”

ComEd also admitted that it undertook other efforts to influence and reward Madigan, including by appointing an individual to ComEd’s Board of Directors at Madigan’s request; retaining a particular law firm at Madigan’s request; and “accepting into the company’s internship program a certain amount of students who resided in the Chicago ward where [Madigan] was associated.”

The U.S. Attorney’s Office credited ComEd with having provided “substantial cooperation with the federal investigations.”  It noted that under the DPA ComEd “will continue to provide such cooperation until all investigations and prosecutions arising out of the charged conduct are concluded.”  ComEd also agreed to enhance its compliance program and provide annual reports to the government regarding remediation and implementation of its compliance measures.

The DPA is subject to approval by the U.S. District Court in Chicago at a future date.

Note: While the investigation into Madigan is still ongoing, corporate ABC compliance officers should take note of this resolution, as it demonstrates the risks to companies that fail to maintain the effectiveness of their ABC compliance programs when addressing state and local corruption.  For that reason, they should use the DPA and the specific compliance obligations therein to benchmark their ABC programs.

Indivior Announces $600 Million Civil and Criminal Resolution on Suboxone Marketing

On July 24, two announcements by the U.S. Department of Justice and United Kingdom-based pharmaceuticals company Indivior stated that Indivior had reached an agreement with the U.S. Department of Justice, the Federal Trade Commission (FTC), and state attorneys general to resolve pending criminal and civil cases and an FTC investigation into alleged fraudulent marketing of the Indivior drug Suboxone.

Under the terms of the agreement, according to the Justice Department, wholly-owned Indivior subsidiary Indivior Solutions pleaded guilty today to a one-count felony criminal information charging false statements relating to health care matters.  In connection with its guilty plea, Indivior Solutions admitted to making false statements to promote the film version of Suboxone to the Massachusetts Medicaid program (MassHealth) relating to the safety of Suboxone Film around children.  The resolution includes a criminal fine, forfeiture, and restitution totaling $289 million.

Indivior will pay a total of $600 million over a seven-year period to the Department, the FTC, and state attorneys general.  The Department stated that in addition to the financial provisions, the agreement

includes novel provisions that:

    • Require Indivior Inc. to disband its Suboxone sales force and not reinstate it;
    • Require Indivior Inc.’s CEO to personally certify, under penalty of perjury, on an annual basis that during the prior year (a) Indivior was in compliance with the Food Drug and Cosmetic Act and did not commit health care fraud or (b) list all non-compliant activity and the steps taken by Indivior to remedy these acts;
    • Prohibit Indivior Inc. from using data obtained from surveys of health care providers for marketing, sales, and promotional purposes;
    • Require Indivior Inc. to remove health care providers from their promotional programs who are at a high risk of inappropriate prescribing; and
    • Make Indivior subject to contempt sanctions by the court and reinstatement of the dismissed charges if it violates the agreement.

With regard to Indivior Solutions’s guilty plea, federal District Judge James P. Jones accepted the plea, but deferred acceptance of the plea agreement until after the preparation of a presentence report. Sentencing in that case is scheduled for October 20, 2020.  As for its 2019 indictment, Indivior reported that under the terms of the agreement, the Justice Department will move to dismiss all charges in that case.

In addition to the criminal and civil resolutions, the Department stated that

Indivior executed a five-year Corporate Integrity Agreement (CIA) with the Department of Health and Human Services Office of Inspector General (HHS-OIG).  The CIA requires that Indivior implement numerous accountability and auditing provisions.  On an annual basis, top executives and the Board of Directors must certify about compliance, Indivior must conduct annual risk assessments and other monitoring, and an independent review organization will conduct multi-faceted audits.

Indivior stated that as a consequence of the CIA, Indivior Solutions will be excluded from participating in government health programs, but that the exclusion “will not affect Indivior PLC or its other subsidiaries.”

Note:  This resolution is noteworthy for three reasons.  First, it appears to be the culmination of the Department’s and the FTC’s investigations relating to fraudulent marketing of Suboxone by Indivior and Indivior’s former parent, Reckitt Benckiser Group.  In 2019, Indivior was indicted on charges of fraudulently marketing Suboxone, and Reckitt agreed to its own resolution of $1.4 billion with the Department, the FTC, and various states.  In addition, just last month Indivior’s Chief Executive Officer, Shaun Thaxter, pleaded guilty to one misdemeanor count of violating the Federal Food, Drug, and Cosmetic Act by causing the distribution of misbranded Suboxone in interstate commerce.

Second, Indivior should count itself lucky that it reached the resolution it did.  At the time of its indictment last year, the company’s response went beyond simply declaring that it would contest the indictment vigorously, and declared that the Department’s action was

wholly unsupported by either the facts or the law. Key allegations made by the Justice Department are contradicted by the government’s own scientific agencies, they are almost exclusively based on years-old events from before Indivior became an independent company in 2014, and they are wrong. The department has apparently decided it would rather pursue self-serving headlines on a matter of national significance than achieve an appropriate resolution . . . .

Every company that finds itself under indictment is entitled, of course, to state publicly that it contests the charges.  It is never a good idea, however, to make categorical statements at the start of a criminal case that are contradicted by the company’s own subsequent actions and decisions.  Considering what Indivior stood to lose if it were convicted of the charges in the indictment – which included forfeiture of (1) a monetary judgment of not less than $3 billion, (2) seven Indivior-related business entities (including Indivior Solutions), (3) certain specified Indivior-related bank accounts, and (4) certain specified trademarks and patents – a $600 million resolution and debarring of Indivior Solutions is an onerous but bearable outcome for the company.

Third, the total resolution with the Department, the FTC, and states relating to the marketing of Suboxone is more than $2 billion.  That amount, according to the Department, is “the largest-ever resolution in a case brought by the Department of Justice involving an opioid drug.”

For those reasons, pharma Chief Compliance Officers should brief senior management in their firms about the Indivior resolution, including the novel compliance provisions, and include appropriate details from that resolution in future compliance training.