Chinese government hackers suspected of moonlighting for profit

FILE PHOTO: An attendee looks on during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker/File Photo

By Joseph Menn, Jack Stubbs and Christopher Bing

LAS VEGAS (Reuters) – One of the most effective teams of Chinese government-backed hackers is also conducting financially-motivated side operations, cybersecurity researchers said on Wednesday.

U.S. firm FireEye said members of the group it called Advanced Persistent Threat 41 (APT41) penetrated and spied on global tech, communications and healthcare providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.

The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world’s most advanced hackers increasingly pose a threat to consumers and companies not traditionally targeted by state-backed espionage campaigns.

“APT41 is unique among the China-Nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye Senior Vice President Sandra Joyce.

Officials in China did not immediately respond to Reuters request for comment. Beijing has repeatedly denied Western accusations of conducting widespread cyber espionage.

FireEye said the APT 41 group used some of the same tools as another group it has previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.

Current and former Western intelligence officials told Reuters Chinese hacking groups were known to pursue commercial crimes alongside their state-backed operations.

FireEye, which sells cybersecurity software and services, said one member of APT41 advertised as a hacker for hire in 2009 and listed hours of availability outside of the normal workday, circumstantial evidence of moonlighting.

The group has used spear-phishing, or trick emails designed to elicit login information. But it has also deployed root kits, which are relatively rare and give hard-to-detect control over computers. In all, the group has used nearly 150 unique pieces of malware, FireEye said.

The most technically impressive feats included tainting millions of copies of a utility called CCleaner, now owned by security company Avast. Only a small number of specially selected, high-value computers were fully compromised, making detection of the hack more difficult.

Avast said that it had worked with security researchers and law enforcement to stop the attack and that no damage was detected. The company did not have any immediate further comment on Wednesday.

In March, Kaspersky found the group hijacked Asus’ software update process to reach more than 1 million computers, again targeting a much smaller number of end-users. Asus said the next day it had issued a fix for the attack, which affected “a small number of devices.”

“We have evidence that at least one telecom company may have been the intended target during the Asus compromise, which is consistent with APT41’s espionage targeting over the past two years,” said FireEye spokesman Dan Wire.

But FireEye and Slovakia-based cybersecurity company ESET said the gaming compromises aligned with financial motives more than national espionage. Among other things, the group won access to a game’s production environment and generated tens of millions of dollars’ worth of virtual currency, FireEye said.

(Reporting by Joseph Menn, Jack Stubbs and Chris Bing; Editing by Greg Mitchell and Nick Zieminski)

U.S. charges WikiLeaks founder Julian Assange with espionage

FILE PHOTO: WikiLeaks founder Julian Assange leaves Southwark Crown Court after being sentenced in London, Britain, May 1, 2019. REUTERS/Henry Nicholls/File Photo

By Sarah N. Lynch and Mark Hosenball

WASHINGTON (Reuters) – The U.S. Justice Department unveiled 17 new criminal charges against WikiLeaks founder Julian Assange on Thursday, saying he unlawfully published the names of classified sources and conspired with and assisted ex-Army intelligence analyst Chelsea Manning in obtaining access to classified information.

The superseding indictment comes a little more than a month after the Justice Department unsealed a narrower criminal case against Assange.

Assange was initially charged with conspiring with Manning to gain access to a government computer as part of a 2010 leak by WikiLeaks of hundreds of thousands of U.S. military reports about the wars in Afghanistan and Iraq.

He now faces a total of 18 criminal counts and could face many decades in prison if convicted.

“These unprecedented charges demonstrate the gravity of the threat the criminal prosecution of Julian Assange poses to all journalists in their endeavor to inform the public about actions that have been taken by the U.S. government,” said Barry Pollack, an American attorney for Assange.

The Justice Department said that not only did Assange aid and encourage Manning with the theft of classified materials, but he jeopardized the lives of human sources that included Afghans, Iraqis, journalists, religious leaders, human rights advocates and political dissidents from repressive regimes by publishing their identities.

Law enforcement officials said on Thursday that the State Department had pleaded with Assange not to reveal the identities of such sources, but Wikileaks ignored the warning.

Manning was arrested in May 2010 and convicted by court-martial in 2013 of espionage in connection with the 2010 Wikileaks disclosures.

President Barack Obama reduced Manning’s sentence to 7 years from 35 years, but she is now in jail after repeatedly refusing to testify before a grand jury investigating Assange.

Wikileaks describes itself as specializing in the publication of “censored or otherwise restricted official materials involving war, spying and corruption.”

Assange is now fighting extradition to the United States, after Ecuador in April revoked his seven-year asylum in the country’s London embassy. He was arrested that day, April 11, by British police as he left the embassy.

He is now serving a 50-week sentence in a London jail for skipping bail when he fled to the Ecuadorean embassy in 2012.

The decision to charge Assange with espionage crimes is notable and unusual. Most cases involving the theft of classified information have targeted government employees, like Manning, and not the people who publish the information itself.

In the wake of Assange’s arrest, prosecutors in Sweden re-opened a criminal investigation into allegations that Assange sexually assaulted a woman during a visit to Sweden.

Swedish authorities recently indicated they may send British authorities a fresh request for Assange’s extradition.

The decision regarding which country should have its chance to prosecute him first is now in the hands of Home Secretary Sajid Javid, Britain’s interior security minister.

The Justice Department’s quick turnaround with the filing of a more substantial indictment against Assange is not surprising.

Under extradition rules, the United States had only a 60-day window from the date of Assange’s arrest in London to add more charges. After that, foreign governments do not generally accept superseding charges.

(Reporting by Sarah N. Lynch and Mark Hosenball; Editing by Leslie Adler and Phil Berlowitz)

Russia extends detention of ex-U.S. Marine accused of spying

Former U.S. marine Paul Whelan who is being held on suspicion of spying talks with his lawyers Vladimir Zherebenkov and Olga Kralova, as he stands in the courtroom cage after a ruling regarding extension of his detention, in Moscow, Russia, February 22, 2019. REUTERS/Shamil Zhumatov

By Tom Balmforth and Alexander Reshetnikov

MOSCOW (Reuters) – A Russian court on Friday ruled that Paul Whelan, a former U.S. Marine accused of spying, should be held in a pre-trial detention facility for a further three months to give investigators more time to look into his case.

Whelan, who holds U.S., British, Canadian and Irish passports, was detained in a Moscow hotel room on Dec. 28 and accused of espionage, a charge he denies. If found guilty, he could be imprisoned for up to 20 years.

The case has put further strain on already poor U.S.-Russia relations as has that of another detained American, private equity chief Michael Calvey.

Russia’s Federal Security Service detained Whelan after an acquaintance handed him a flash drive containing classified information. Whelan’s lawyer says his client was misled.

Whelan had met the same person in the town of Sergiev Possad in May last year where they visited the town’s monastery and other tourist sites, the lawyer, Vladimir Zherebenkov, told reporters on Friday.

When Whelan returned to Russia again in December to attend a wedding, the same acquaintance unexpectedly turned up and gave him a flash drive containing what Whelan thought were photographs of the earlier trip, the lawyer said.

“Paul and I consider this was a provocation and a crime by his acquaintance,” said Zherebenkov, saying Whelan had known the man, whom he did not name, for several years.

Whelan on Friday appeared in court in a cage and looked downcast when he spoke briefly to reporters before masked security officials cut him off.

“I could do with care packages, food, things like that, letters from home,” Whelan said.

The court on Friday said Whelan would be held in pre-trial detention until May 28, extending an earlier ruling to keep him in custody until Feb. 28.

The U.S. embassy in Moscow said a consular official had visited Whelan in custody on Thursday.

It said, however, that it was unable to provide further information as Whelan had not been allowed by investigators to sign a privacy act waiver (PAW) that would legally allow the U.S. government to release information about the case.

“In every other instance, we have been able to obtain a signed PAW, but in Mr. Whelan’s case, the Investigative Committee is not allowing this to happen. Why is this case any different?” embassy spokeswoman Andrea Kalan wrote on Twitter.

(Additional reporting by Maria Tsvetkova and Maxim Rodionov; editing by Andrew Osborn)

Ex-U.S. marine held in Russia for spying was misled, says lawyer

Former U.S. marine Paul Whelan, who was detained by Russia's FSB security service on suspicion of spying, looks out of a defendants' cage before a court hearing in Moscow, Russia January 22, 2019. REUTERS/Maxim Shemetov

By Andrew Osborn and Tom Balmforth

MOSCOW (Reuters) – The lawyer for a former U.S. Marine accused of spying by Russia said on Tuesday that his client had been misled before his arrest and believed that a thumb drive handed to him in a hotel room had contained holiday snaps rather than secret information.

Russia’s Federal Security Service detained Paul Whelan, who holds U.S., British, Canadian and Irish passports, in a Moscow hotel room on Dec. 28.

Whelan appeared in a Moscow court on Tuesday, where a judge rejected a release on bail. If found guilty of espionage, he could be jailed for up to 20 years.

Whelan, who denies the charges, was detained after receiving a thumb drive containing a list of all the employees of a secret Russian state agency, the Russian online news portal Rosbalt.ru reported this month.

Rosbalt cited an unnamed Russian intelligence source as saying that Whelan had been spying for 10 years, using the internet to identify targets from whom he could obtain information and that the list he was caught with had long been of interest to U.S. spies.

Russian Foreign Minister Sergei Lavrov appeared to support that version of events, later telling reporters Whelan had been “caught red-handed” carrying out “specific illegal actions” in his hotel room.

But Vladimir Zherebenkov, Whelan’s lawyer, said on Tuesday that his client had accepted the information unknowingly.

“Paul was actually meant to receive information from an individual that was not classified,” Zherebenkov told reporters.

“These were cultural things, a trip to a cathedral, Paul’s holiday … photographs. But as it turned out, it (the thumb drive) contained classified information.”

The lawyer said Whelan had not been able to see what was on the thumb drive because he had been detained before he had a chance to do so.

Wearing a blue shirt and dark trousers, he looked calm but somber as he stood inside a glass cage in the courtroom.

The hearing was closed to reporters, but his lawyer said afterward that Whelan had made a 15-minute speech rejecting the allegations against him in detail.

The lawyer declined to clarify if Whelan had known the individual who handed him the information.

He said Whelan had been experiencing some minor health problems in custody and was receiving treatment.

Whelan’s family have said he is innocent and was in Moscow to attend a wedding.

(Additional reporting by Katya Golubkova; Writing by Andrew Osborn; Editing by Christian Lowe and Kevin Liffey)

Retired U.S. Marine held in Russia for spying is innocent: family

Paul Whelan, a U.S. citizen detained in Russia for suspected spying, appears in a photo provided by the Whelan family on January 1, 2019. Courtesy Whelan Family/Handout via REUTERS

By Gabrielle T’trault-Farber and Barbara Goldberg

MOSCOW/NEW YORK (Reuters) – A retired U.S. Marine who has been detained by Russia for alleged spying was visiting Moscow for the wedding of a former fellow marine and is innocent of the espionage charges against him, his family said.

Paul Whelan had been staying with the wedding party at Moscow’s Metropol hotel when he went missing, his brother, David, said.

“His innocence is undoubted and we trust that his rights will be respected,” Whelan’s family said in a statement released on Twitter on Tuesday.

Russia’s FSB state security service said Whelan had been detained on Friday, but it gave no details of his alleged espionage activities. Espionage can carry a prison sentence of between 10 and 20 years under Russian law.

A U.S. State Department representative said Russia had notified it that a U.S. citizen had been detained and it expected Moscow to allow consular access to him.

“Russia’s obligations under the Vienna Convention require them to provide consular access. We have requested this access and expect Russian authorities to provide it,” the representative said, without providing details of the American’s identity or the reasons behind his detention.

David Whelan told CNN that his brother, who had served in Iraq, has been to Russia many times in the past for both work and personal trips, and had been serving as a tour guide for some of the wedding guests. He apparently disappeared on Friday and his friends filed a missing persons report in Moscow, his brother said.

David Whelan told the news channel that the family was relieved at first when they heard he was in custody.

“It’s knowing that he’s not dead, it weirdly really helps,” he said.

He declined to comment on his brother’s work status at the time of his arrest and whether his brother lived in Novi, Michigan, as address records indicate.

BorgWarner, a Michigan-based automotive parts supplier, said Whelan is the “company’s director, global security. He is responsible for overseeing security at our facilities in Auburn Hills, Michigan and at other company locations around the world.”

BUTINA CASE

Daniel Hoffman, a former CIA Moscow station chief, said it was “possible, even likely” that Russian President Vladimir Putin had ordered Whelan’s arrest to set up an exchange for Maria Butina, a Russian citizen who pleaded guilty on Dec. 13 to acting as an agent tasked with influencing U.S. conservative groups.

Russia says Butina was forced to make a false confession about being a Russian agent.

Putin’s aim was “to make us feel some pain and his family to feel some pain. That’s their (Moscow’s) pressure point,” Hoffman told Reuters.

“Putin knows there will be a lot of public square pressure to get this guy out,” he said.

Putin told U.S. President Donald Trump in a letter on Sunday that Moscow was ready for dialogue on a “wide-ranging agenda,” the Kremlin said following a series of failed attempts to hold a new summit.

At the end of November, Trump abruptly canceled a planned meeting with Putin on the sidelines of a G20 summit in Argentina, citing tensions about Russian forces opening fire on Ukrainian navy boats and then seizing them.

Trump’s relations with Putin have been under a microscope as a result of U.S. Special Counsel Robert Mueller’s investigation into alleged Russian meddling in the 2016 U.S. election and possible collusion with the Trump campaign.

Moscow has denied intervening in the election and Trump has branded Mueller’s probe as a witch hunt.

Russia’s relations with the United States plummeted when Moscow annexed the Crimean peninsula from Ukraine in 2014, and Washington and Western allies have imposed a broad range of sanctions on Russian officials, companies and banks.

(Reporting by Barbara Goldberg in New YorkAdditional reporting by Jonathan Landay in Washington and Rich McKay in Atlanta, Editing by Bill Tarrant, Paul Simao, Richard Balmforth)

U.S., allies to condemn China for economic espionage, charge hackers: source

FILE PHOTO: U.S. President Donald Trump takes part in a welcoming ceremony with China's President Xi Jinping at the Great Hall of the People in Beijing, China, November 9, 2017. REUTERS/Damir Sagolj/File Photo

WASHINGTON (Reuters) – The United States and about a dozen allies are expected on Thursday to condemn China for efforts to steal other countries’ trade secrets and technologies and to compromise government computers, according to a person familiar with the matter.

Australia, Britain, Canada, Japan, the Netherlands, New Zealand and Sweden are expected to be involved in the U.S. effort, according to the source, who spoke on condition of anonymity.

The U.S. Justice Department also is expected later on Thursday to unveil criminal charges against hackers affiliated with China’s main intelligence service for an alleged cyber-spying campaign targeting U.S. and other countries’ networks, according to the source.

The Washington Post first reported the coming action on Thursday.

The suspected hackers are expected to be charged with spying on some of the world’s largest companies by hacking into technology firms to which they outsource email, storage and other computing tasks. The attacks began as early as 2017.

Cloudhopper is considered a major cyber threat by private-sector cybersecurity researchers and government investigators because of the scale of the intrusions.

Over the past several years, as companies around the globe have sought to cut down information technology spending, they have increasingly relied on outside contractors to store and transfer their data.

When a managed service provider is hacked, it can unintentionally provide attackers access to secondary victims who are customers of that company and have their computer systems connected to them, according to experts.

The timing of the action may further escalate tensions between Washington and Beijing after the arrest of Meng Wanzhou, the chief financial officer of Chinese telecommunications giant Huawei Technologies, in Canada at the request of the United States.

The action also comes just weeks after the United States and China agreed to talks aimed at resolving an ongoing trade dispute that threatens global economic growth.

(Reporting by Diane Bartz, Lisa Lambert and Susan Heavey; Editing by Will Dunham)

France accuses Russia of spying on military from space

French Defence minister Florence Parly and her Finnish counterpart Jussi Niinisto (not pictured) during a joint news conference in Helsinki, Finland, August 23, 2018. Lehtikuva/Vesa Moilanen/via REUTERS

TOULOUSE, France (Reuters) – Russia attempted to intercept transmissions from a Franco-Italian satellite used by both nations’ armies for secure communications, French Defence Minister Florence Parly said on Friday, describing the move as an “act of espionage”.

In a speech outlining France’s space policy for the coming years, Parly said the Russian satellite Louch-Olymp had approached the Athena-Fidus satellite in 2017.

Parly said it came so close “that anyone would have thought it was attempting to intercept our communications.” She added: “Attempting to listen to your neighbors is not only unfriendly, it’s an act of espionage.

The minister’s remarks come a week after President Emmanuel Macron urged the European Union to modernize its post-Cold War ties with Moscow despite tensions with the West, including over allegations of meddling in foreign elections.

Built by Thales Alenia Space, the satellite provides secure communications to the French and Italian armed forces and emergency services.

Parly described the Russian efforts as a “little Star Wars” and said measures were taken immediately to prevent sensitive communications being compromised. The Louch-Olymp had since targeted other satellites, she added.

“We are in danger. Our communications, our military exercises, our daily lives are in danger if we do not react,” Parly said, emphasizing that Paris would complete a strategic space defense plan by the end of the year.

U.S. President Donald Trump’s administration in August announced an ambitious plan to usher in a new “Space Force” as the sixth branch of the U.S. military by 2020.

It would be responsible for a range of space-based U.S. military capabilities, which include everything from satellites enabling the Global Positioning System (GPS) to sensors that help track missile launches.

“I have heard many people mock the announcement of the creation of an American Space Force. I am not one of them… all I see is an extremely powerful sign, a sign of future confrontations,” Parly said.

(Editing by Johanna Decorse; writing by John Irish; editing by Richard Lough)

Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group Plc  and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)

Lesser-known North Korea cyber-spy group goes international: report

Binary code is seen on a screen against a North Korean flag in this illustration photo November 1, 2017. REUTERS/Thomas White/Illustration

By Eric Auchard

FRANKFURT (Reuters) – A North Korean cyber espionage group previously known only for targeting South Korea’s government and private sector deepened its sophistication and hit further afield including in Japan and the Middle East in 2017, security researchers said on Tuesday.

Cyber attacks linked by experts to North Korea have targeted aerospace, telecommunications and financial companies in recent years, disrupting networks and businesses around the world. North Korea rejects accusations it has been involved in hacking.

U.S. cyber security firm FireEye said the state-connected Reaper hacking organization, which it dubbed APT37, had previously operated in the shadows of Lazarus Group, a better-known North Korean spying and cybercrime group widely blamed for the 2014 Sony Pictures and 2017 global WannaCry attacks.

APT37 had spied on South Korean targets since at least 2012 but has been observed to have expanded its scope and sophistication to hit targets in Japan, Vietnam and the Middle East only in the last year, FireEye said in a report.

The reappraisal came after researchers found that the spy group showed itself capable of rapidly exploiting multiple “zero-day” bugs – previously unknown software glitches that leave security firms no time to defend against attacks, John Hultquist, FireEye’s director of intelligence analysis said.

“Our concern is that their (international) brief may be expanding, along with their sophistication,” Hultquist said.

“We believe this is a big thing”.

APT37 has focused on covert intelligence gathering for North Korea, rather than destructive attacks or financial cyber crime, as Lazarus Group and other similar hacking groups have been shown to engage in order to raise funds for the regime, it said.

The group appears to be connected to attack groups previously described as ScarCruft by security researchers at Kaspersky and Group123 by Cisco’s Talos unit, FireEye said.

“We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artefacts and targeting that aligns with North Korean state interests,” the security report said.

From 2014 until 2017, APT37 concentrated mainly on South Korean government, military, defense industrial organizations and the media sector, as well as targeting North Korean defectors and human rights groups, the report said.

Since last year, its focus has expanded to include an organization in Japan associated with the United Nations missions on human rights and sanctions against the regime and the director of a Vietnamese trade and transport firm.

Its spy targets included a Middle Eastern financial company as well as an unnamed mobile network operator, which FireEye said had provided mobile phone service in North Korea until business dealings with the government fell apart.

FireEye declined to name the firm involved, but Egypt’s Orascom <OTMT.CA> provided 3G phone service in the country via a joint venture from 2002 to 2015, until the North Korean regime seized control of the venture, according to media reports.

Asked for comment, a spokeswoman for Orascom said she had no immediate knowledge of the matter and was looking into it.

(Reporting by Eric Auchard, and Nadine Awadalla in Cairo, Editing by William Maclean)

Germany tells Turkey not to spy on Turks living on its soil

Turkish voters living in Germany wait to cast their ballots on the constitutional referendum at the Turkish consulate in Berlin, Germany, March 27, 2017. REUTERS/Fabrizio Bensch

By Madeline Chambers

BERLIN (Reuters) – Germany will not tolerate foreign espionage on its territory, the interior minister said on Tuesday, in a robust response to media reports that Turkish secret services were spying on supporters of the Gulen movement in Germany.

Fethullah Gulen, a U.S-based Muslim cleric with a large following in Turkey, is accused by Ankara of orchestrating a failed military coup last July. Ankara has purged state institutions, schools and universities and the media of tens of thousands of suspected supporters of the cleric.

The media reports of Turkish espionage in Germany have deepened a rift between the NATO allies in the run-up to a referendum next month in Turkey that proposes to significantly expand the powers of President Tayyip Erdogan.

The Sueddeutsche Zeitung newspaper and two broadcasters reported that Turkey’s National Intelligence Agency had given Germany’s foreign intelligence service a list of names of hundreds of supposed Gulen supporters living in Germany.

Interior Minster Thomas de Maiziere, speaking in Passau in southern Germany, said he was not surprised by the report and added that the lists would be looked at individually.

“We have told Turkey several times that such (activity) is not acceptable,” he said. “Regardless of what you think of the Gulen movement, German law applies here and citizens who live here won’t be spied on by foreign states,” he said.

The reports said the list included the names of more than 300 people and more than 200 associations, schools and other institutions and a German investigation indicated some of the photos may have been taken secretly.

WARNING

The northern state of Lower Saxony even said it was warning suspected Gulen movement supporters about possible reprisals if they traveled to their homeland.

“I think that is a justified and necessary measure to be able to warn people,” said state interior minister Boris Pistorius. “The intensity and ruthlessness being (used) on people living on foreign soil is remarkable.”

Concerns about Turkish spying are not confined to Germany.

Swedish public service radio broadcaster SR reported that Turkey’s ruling AK Party was putting pressure, via the Union of European Turkish Democrats, on Swedish Gulen supporters to supply information about fellow Gulen supporters in the country.

Germany is already investigating possible spying by Turkish imams in Germany.. A spokesman for the chief federal prosecutor’s office said that probe continued.

German politicians, including Chancellor Angela Merkel, are angry about Erdogan’s repeated comparisons of their country to Nazi Germany in response to cancellations of planned campaign events targeting the Turkish diaspora in Germany. Germany says the cancellations were prompted by security concerns.

The speaker of the Bundestag lower house of parliament said in a speech late on Monday that Turkey was turning into an authoritarian system and that its president was effectively staging a coup against his own country.

Norbert Lammert, a member of Merkel’s conservatives, said the referendum was about “transforming an undoubtedly fragile but democratic system into an authoritarian system – and this second coup attempt may well be successful”.

(Reporting by Madeline Chambers, Reuters TV, Andrea Shalal, Hans-Edzard Busemann and Daniel Dixon in Stockholm; Writing by Madeline Chambers; Editing by Gareth Jones)