The Tripartite (At Least) Structure of the Russian Hack Investigation

As I mentioned in this post, on Saturday, Reuters offered the most comprehensive description of the structure of the FBI investigation into the DNC hack. As it describes, there are “at least” three distinct probes into the DNC hack: one led by counterintelligence agents based in DC, one in Pittsburgh targeted at the hack of the DNC itself, and one in San Francisco targeted at the Guccifer 2 persona.

That structure is interesting for a number of reasons, not least that, in recent years, the FBI has assigned cyber investigative teams to geographical offices that have developed particular expertise. I’m most interested that the FBI has split the Guccifer 2 side of the investigation off from the hack of the DNC.

DC: The Counterintelligence investigation

Let’s start with the DC investigation. Contrary to what you may think, a good deal of the attention on Trump’s close advisors stems from behavior that barely involves the DNC hack, if at all, but instead focuses on larger discussions of quid pro quo. Here’s what has been publicly alleged, mostly in the Trump dossier. Reminder, these are only allegations! 

Paul Manafort, using Carter Page as a go-between, conducts an on-going quid pro quo about attacks on Hillary in exchange for distracting from Ukraine issues. (PDF 8)

Carter Page conducts a meeting with Rosneft CEO (and US sanction target) Igor Sechin in Moscow. The two discuss a quid pro quo tying a 19% transfer of Rosneft to Page in exchange for the lifting of sanctions. (PDF 9, 30) On the same visit, Page meets top Kremlin official Diyevkin, who explains to Page what kind of compromising information they had on both Trump and Hillary. (PDF 9)

A Kremlin figure describes Russian efforts to reach out to some in the US, including Jill Stein, Mike Flynn, and Carter Page. (PDF 15)

At a meeting in August, Yanukovych admits to Putin that he had paid off Manafort, but had covered it up. According to Steele’s sources, Putin doubts how well Yanukovych had covered his tracks. (PDF 20-21)

Trump lawyer Michael Cohen meets with Russian Presidential Administration figures, including Oleg Solodukhin, operating under the cover of the Rossotrudnichestvo organization, in Prague in August. According to two pre-election reports, this meeting was to clean up fall-out of prior contacts with Manafort (here described exclusively in terms of his involvement in Ukraine) and Page (described as the quid pro quo on sanctions). (PDF 18, 31-32) According to a post-election report, the meeting also discusses payments and cover-up of Europe-based hackers, who would be paid by both the Russians and Trump. (PDF 34-35) The role of Cohen — whose wife is Russian and whose father-in-law is a key Russian developer — as liaison to Russia is key. Note, information likely indicating intelligence sourcing is redacted in two of these reports. (PDF 30, 34)

The one other Trump figure mentioned in allegations of Russian ties, Roger Stone, is not mentioned in the dossier, though his role has exclusively been described as a potential knowing go-between with WikiLeaks. (The error I mentioned I made in my OTM interview was in forgetting Cohen, whose role is central, and instead mentioning Stone.)

In other words, while allegations of involvement with Russia do touch on the DNC hack, for both Manafort and Page, the evidence focuses more on old-fashioned influence peddling. The evidence against Flynn in the dossier is exclusively that of cultivation.

Only Cohen, though, is strongly and repeatedly alleged in the dossier to have had a role in both the influence peddling and arranging — and paying! — for the DNC hack (though a weak allegation against Manafort is made in an early report).

Yesterday, NYT reported that Cohen tried to pitch a crazy “peace” deal for Ukraine to Mike Flynn not long before the latter was caught on an intercept with Russia’s Ambassador.

A week before Michael T. Flynn resigned as national security adviser, a sealed proposal was hand-delivered to his office, outlining a way for President Trump to lift sanctions against Russia.

Mr. Flynn is gone, having been caught lying about his own discussion of sanctions with the Russian ambassador. But the proposal, a peace plan for Ukraine and Russia, remains, along with those pushing it: Michael D. Cohen, the president’s personal lawyer, who delivered the document; Felix H. Sater, a business associate who helped Mr. Trump scout deals in Russia; and a Ukrainian lawmaker [named Andrii Artemenko].

Note that Sater, who has mobbed-up business ties with Trump that the latter has denied, also allegedly has worked for the CIA.

All of this is a way of saying that several of Trump’s advisors — especially Cohen — have been alleged to have dodgy ties to Russia, but much if not most of that pertains to influence peddling tied to Ukraine and to sanctions imposed in retaliation for Russian involvement in Ukraine. So even beyond the different technical and security requirements of the investigation (not to mention any sensitivity involving the CIA), such an investigation sensibly would reside in the FBI’s CI world. Thus the DC investigation.

Pittsburgh: The DNC hackers

As Reuters describes it, the Pittsburgh inquiry is examining who hacked the DNC (curiously, it makes no mention of John Podesta or any other hack target).

The FBI’s Pittsburgh field office, which runs many cyber security investigations, is trying to identify the people behind breaches of the Democratic National Committee’s computer systems, the officials said. Those breaches, in 2015 and the first half of 2016, exposed the internal communications of party officials as the Democratic nominating convention got underway and helped undermine support for Hillary Clinton.

The Pittsburgh case has progressed furthest, but Justice Department officials in Washington believe there is not enough clear evidence yet for an indictment, two of the sources said.

It’s not just that Pittsburgh conducts a lot of cyber security investigations — though it has been involved in some key multinational cybercrime investigations (and, perhaps as importantly, infrastructure take-downs). In addition to international partnerships in those investigations, it partners closely with Carnegie Mellon’s CERT, which is best known for developing an attack on Tor that the FBI uses (the legal follow-up to 2014’s Operation Onymous, which exposed it, went through SDNY in Manhattan, though that would have been before the FBI started assigning investigations by geography).

Pittsburgh is also where the most discussed indictment of a nation-state hacking group — that of Chinese People’s Liberation Army hackers, mostly for spying on negotiations — came through (most of the victim companies were there too, but that was probably because they could all serve as victims without compromising national security). I will be interested to see whether the FBI assigned this investigation to Pittsburgh before or after CrowdStrike declared the DNC hack a state-sponsored hack.

San Francisco: Guccifer 2

Finally, there is the investigation into Guccifer 2, the persona who claimed to have hacked the DNC, who took credit for handing the documents to WikiLeaks, and who allegedly had ties to DC Leaks. Here’s how Reuters describes this part of the investigation:

Meanwhile the bureau’s San Francisco office is trying to identify the people who called themselves “Guccifer 2” and posted emails stolen from Clinton campaign manager John Podesta’s account, the sources said. Those emails contained details about fundraising by the Clinton Foundation and other topics.

The language here is really curious. The strongest case that Russia’s GRU hacked a Democratic target involves Podesta. And Guccifer didn’t post any Podesta emails. Guccifer claimed to have posted Clinton Foundation documents, though the documents appeared to be DCCC documents, my comment on which elicited an unsolicited response from Guccifer.

Reuters is actually not the first outlet to report that San Francisco was investigating Guccifer. I believe credit for that goes to Ellen Nakashima’s report, the day before Obama imposed sanctions, on how the US might retaliate.

Criminal indictments of Russians might become an option, officials said, but the FBI has so far not gathered enough evidence that could be introduced in a criminal case. At one point, federal prosecutors and FBI agents in San Francisco considered indicting Guccifer 2.0, a nickname for a person or people believed to be affiliated with the Russian influence operation and whose true identity was unknown.

In December, at least, it appears the FBI did not know Guccifer’s identity, though they still believed it to be tied to Russia. Nevertheless, that part of the investigation had already been spun out to San Francisco, on the other side of the country from the Pittsburgh hack investigation.

Now, there have always been reasons to doubt the interpretation that Russian metadata invoking Felix Dzerzhinsky was proof that Guccifer was Russian, rather than disinformation casting blame on Russia. Here are two more recent pieces making that argument. And in Guccifer’s most recent posting — posted on January 12 but fairly obviously written and posted in advance — the persona used proper English. Nevertheless, that’s presumably not why this part of the investigation got spun off.
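The metadata point above rests on something worth seeing concretely: the author and last-modified-by fields of an Office document are plain text strings in the file’s docProps/core.xml, unsigned and editable by anyone who can open a zip. The following Python is an added illustration, not code from the original post or from any investigation described here; it builds a constructed minimal .docx-style container, reads those two fields back the way a triage script would, and then rewrites them without touching any other part. The author strings and file layout are constructed sample values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces used in docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
ET.register_namespace("cp", NS["cp"])
ET.register_namespace("dc", NS["dc"])


def build_core_xml(creator: str, modified_by: str) -> bytes:
    """Serialize a core.xml part carrying only the two attribution fields."""
    root = ET.Element(f"{{{NS['cp']}}}coreProperties")
    ET.SubElement(root, f"{{{NS['dc']}}}creator").text = creator
    ET.SubElement(root, f"{{{NS['cp']}}}lastModifiedBy").text = modified_by
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def build_minimal_docx(creator: str, modified_by: str) -> bytes:
    """Constructed sample: a zip holding only docProps/core.xml.

    A real .docx has many more parts; only the metadata part matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", build_core_xml(creator, modified_by))
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Read the creator / lastModifiedBy fields an analyst would record as a lead."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", default="", namespaces=NS),
    }


def rewrite_core_properties(docx_bytes: bytes, creator: str, modified_by: str) -> bytes:
    """Copy every part unchanged except core.xml, which gets new field values.

    This is the whole reason the fields are a lead rather than proof: nothing
    in the container binds them to whoever actually produced the content."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == "docProps/core.xml":
                dst.writestr(item.filename, build_core_xml(creator, modified_by))
            else:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


if __name__ == "__main__":
    original = build_minimal_docx("Constructed Author", "Constructed Author")
    print("original:", read_core_properties(original))
    # Constructed value echoing the name the post mentions; any string works.
    relabeled = rewrite_core_properties(original, "Felix Dzerzhinsky", "Felix Dzerzhinsky")
    print("relabeled:", read_core_properties(relabeled))
```

Because the fields survive a rewrite with no integrity signal, a triage workflow should log them alongside stronger artifacts (revision history, embedded fonts and template paths, timestamps across the whole set of files) rather than treat a single name string as attribution.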

There are several other possibilities explaining why the Guccifer investigation is in San Francisco. That office, too, does a ton of cyber investigations, but virtually all of those involve Bay Area companies targeted as victims. So it’s possible the San Francisco office is leading the investigation because of some tie with an area company. Guccifer posted on WordPress, which is headquartered in San Francisco, so that could explain it. It’s also possible FBI believes there is a tie between Guccifer and Shadow Brokers. The latter persona is not mentioned by Reuters, but they are surely also being investigated, perhaps even separately from the Hal Martin investigation in Maryland. If that’s the case, the victim American firewall companies exposed in the first release are all headquartered in Silicon Valley (though they were initially victimized by NSA’s TAO hackers, unless the companies knew NSA was using those back doors).

There are two other interesting cases that might suggest why the Guccifer part of the investigation is out in San Francisco. First, the corrupt government agents who stole Bitcoin while they were investigating Silk Road were investigated and tried out there. I’ve always suspected that was done to make it harder for Ross Ulbricht to access information on that investigation in discovery (if that was the intent, it worked like a charm!). I’m not suggesting there’s anything like that going on here, but I can imagine reasons why the FBI might want to firewall some parts of this investigation from others.

Finally, note that Yevgeniy Aleksandrovich Nikulin, the credential-theft hacker arrested in Prague in October, was investigated out of San Francisco, explicitly because his alleged victims are also located in the Bay Area. There have always been hints that that arrest might tie into the Russian investigation (not least because Nikulin is Russian), but this would seem to suggest there’s a tangential tie to it. So perhaps by the time the FBI split up this investigation that theory had been developed.

Update: Laura Rozen reminds me via Twitter that Russia’s San Francisco Consulate was one of the locales from which diplomats were expelled.

A final comment. As interesting as it is that this investigation has split into three, I find it just as interesting that EDVA is not involved in it, which is where most international hacking investigations take place. I’ve got no explanation for why that might be, but it is as interesting a question as why the Guccifer investigation got sent out to San Francisco.

One thing is clear, though: for some reason, the FBI thought it best to split two parts of what has widely been believed to be the same operation — the hacking and (some of) the leaking — and conduct them completely across the country from each other.

22 replies
  1. SpaceLifeForm says:

    s/FBI hack/DNC hack/

    Unless you know there is something else going on.  Who knows who has hacked whom at this point?

    It is all Mad Magazine (Spy vs Spy).
    • emptywheel says:

      A lot of what he claims is WAY beyond what his evidence backs. I’d stay the fuck away from him, frankly, unless you just want fantasy.

  2. Maybevryan says:


    Is a subtext here that you wonder whether the FBI fears one of those offices has been compromised, so they’ve walled off parts of the investigation?

    • emptywheel says:

      It’s possible. I definitely think there are big CI concerns about the investigation. But I’m not positing that.

  3. Coach says:

    Adam Khan, John Schindler, Scott Dworkin, Louise Mensch and a few others are turning over the same Rubik’s Cube of Trump’s adult life and see slightly different ways to Russia. The evidence, such as it is, is similar and largely based on public documents, except for that of Schindler, who seems to pull some things out of his own experience. In this regard, Twitter is a step ahead of the media. However, given the plethora of documentation on Trump’s business dealings, the IC must have had enough on him long ago to take him down or at a minimum set him straight. Why didn’t they?

  4. emptywheel says:

    Folks; Just because there are public documents (Khan, Dworkin, Mensch) doesn’t mean the people reading them are logical or even sane. Please be cautious in reading their interpretations, especially given that at least some of these people are propagandists.

    The Russian stuff is real. No need to engage in conspiracy theories.

    • klynn says:

      Agreed. However, it is worth investigating the propagandists from the standpoint of determining their MO. It gives insight into the actual evidence pieces that are out there only as long as you are able to recognize the propagandist distortions. Tracking vranyo is sometimes helpful in shedding light. The challenge is determining the crazies from the actual propagandists.

  5. harpie says:

    Hi Marcy,
    [Reply button isn’t working for me right now]
    OK. Sorry about bringing it here.
    I AM feeling pretty desperate. :-{, so it’s possible I’m more susceptible to fantasy than usual.

    • emptywheel says:

      I’d recommend you focus on issues that affect Americans directly, for which there is as much evidence, and evidence collected with more certainty. Like Trump’s AMERICAN fraud. And that of his appointees.

  6. Coach says:

    Skepticism should always be our guide and thus my question remains; given all the documentation coming to light, why, or better yet, how did Trump slip through “deep state” (IC) vetting to become a candidate in the first place? I find it hard to believe his lurid past was overlooked and not taken seriously. Have we underestimated the depth of his support within the oligarchy (the deep media, if you will)? It seems unusual to impose this kind of hard and fast psycho-social stress on an already skittish people.

    • emptywheel says:

      I think the NatSec world vastly overestimates its judgment, and in its judgment there was no way Hillary would lose. I also think it was blind to the degree that her role in past NatSec adventures actually hurt her with a good number of voters.

  7. maybe ryan says:


    I can understand that LM may have loads of flaky things, or sinister things, going on. I didn’t know who she was nor even that she was the author when I clicked a link in comments here and was led to her weirdly-named conspiracy blog.

    But I tried to delve into some of what she wrote, and there is actually more evidence, not less, than what she has written. For instance, there are even more, and more unusual, literary quotes in the supposed letter of the 15 year old to Anthony Weiner. So what? you may say. But I find it surprising that a young woman, a girl, really, would profess that when she walked into her freshman English teacher’s room, she knew they would get along because there were posters of her favorite author – Martin Amis. Amis’s following may well extend beyond the 50 year old Englishmen that my caricature would allow him. But the idea that the girl had already become a huge fan of Martin Amis before entering high school seems pretty out there to me, and provides a bit more credence to LM’s idea this was a catfish – undertaken by someone with the literary tastes of an older, conservative, perhaps male reader. It’s also an odd choice for a high school English professor. I can see him liking Amis, maybe even teaching it, but it strikes me as an unlikely author to find a poster of in an American high school. As to Camus, I can more believe that a precocious, nearly high school aged kid had read Camus. Even so, it’s tempting to think that an older, Breitbart-y catfisher would be the one citing the author of the Stranger, with its plot about murdering an Arab.

    Still, such speculation doesn’t get us very far, I admit.

    The girl also describes herself as having the ‘moral backbone of an éclair.’ A very odd description in 2016 – eclairs aren’t even really a thing these days. It turns out to be a quote describing Pres. McKinley. There was a minor contretemps in the mid-80s when future veep Cheney and his wife suggested it wasn’t really Teddy Roosevelt who coined the putdown. Again, it seems more like something an adult immersed in conservative politics would have come up with, rather than a 15-year old convulsed by the emotions of her sexting relationship with an older man.

    Still not much to go on. As others have replied to LM, just because you weren’t a precocious girl with the tastes and preoccupations of a blasé middle-aged man, doesn’t mean such girls don’t exist.

    So we come to the tweets. LM found a photo that links the woman who wrote the initial Weiner article for the Daily Mail to another woman who seems to have a background of political subterfuge, and a close relationship with a man who was involved in undercover political work for the FBI.

    So far, so what? She also found that this second woman has been fundraising for the “Crackas with Attitude” hackers.

    Here’s where it gets interesting to me – with evidence that I don’t believe LM noticed. The photo linking the Weiner journalist to the woman with connections to the hackers has a reply-tweet from someone with no visible link to any political occupation. His Twitter follows suggest he is a big fan of Trump, but he is not a big political tweeter or anything. Just occasional Trump trash talk. He’s a bit of a galoot – misspellings, etc. He tweets overwhelmingly about North Carolina weather!

    But he is a Twitter follower of Cassandra Fairbanks. All his other political follows are more standard Fox News/Breitbart stuff. Fairbanks fits in to a degree, but she’s so much lower on any conceivable totem pole than everyone else. She stands out on his list of follows. Still, that’s not saying very much.

    But he has two surprising tweets. On election night, he tweets a one-word message to Fairbanks. “Wow!”

    Something longer would seem like trying to bask in the shared glow of a victory by tweeting someone you don’t know, who was a larger participant. But “Wow” seemed like a tweet to someone he knew, sharing their surprise that a long-shot bet came through.

    Anyway, his other surprising tweet – to the photo of Goodman and Fairbanks, he replies “how much did he pay yall :)”

    It’s the smiley that got me. This isn’t criticism. It’s not “you sold your soul.” This is about the same as “wow.” It’s a shared bit of wonder. As if the longer sentiment were “Can’t believe you managed to pull something like that off. How much did he pay yall :)” (He didn’t write that first sentence. I’m just saying that’s roughly the sentiment I think he was expressing.)

    Could be completely nothing. But I certainly gulped when I read “how much did he pay yall :)”

    So I see significant evidence for LM’s theory that Fairbanks was paid for services by Trump, that the payment wasn’t just for being a prominent former Sanders supporter who tried to sway those voters to Trump, but rather, the payment was for something closely related to her friendship with Goodman; and that it was something significant. I.e., a normal salary for working for someone wouldn’t have covered the value of what was done, hence, “how much did he pay yall :)”

    And if you follow me so far, that there is evidence for some larger partnership between Goodman and Fairbanks, then Fairbanks’ attempt to fundraise for Crackas with Attitude and her surprising Twitter friendship with a North Carolina weather-watcher may suggest a link to the ‘North Carolina girl’ who was really someone else, catfishing Weiner in order to expose data, data which was already planted on Weiner’s laptop by Nikulin, if you believe LM. … this all suddenly seemed a lot more plausible.

    The McKinley put-down, the Amis attachment and the North Carolina weather fan who occasionally tweets meaningfully to Fairbanks … none of these is in LM’s work, which many people still find pretty interesting. These are all tidbits I noticed while following her links.

    For that matter, though I hadn’t thought of it till just now, if you believe that a significant factor in the election of Trump was someone taking a slice out of Anthony Weiner, then I might even surmise that a lone tweeter with little to suggest he had any political role at all might actually have been involved. At least, if his twitter handle is, as this guy’s was, Bobbitt, a name that will forever be linked to wieners getting sliced.

    Again, could be nothing. But it’s enough to keep me thinking about LM’s theories, daft, flaky and wildly conservative though she may be.

    • greengiant says:

      You should use image capture, and/both. Tweets are disappearing. Another note, spear phishing is not limited to links in emails. They can buy directed ads with embedded links, embed in links and photos from any social network spam such as linkedin, pinterest, twitter, and blog pages themselves. The goal may range from click revenue, big data network analysis, to actual hacking. People are faking/editing photos, videos, news stories, and now “creating” news. If it is too good to be true, then it is, (too good to be true), Milo’s tape, the 19.5 percent Rosneft offering payoff in the dossier, the NYTimes reported Ukrainian gambit, (lease the Crimea? WTF). Already one website was taken temporarily off line merely on the allegation of libel by a Canadian court.

    • emptywheel says:

      I honestly don’t dismiss that some of these data points are of interest. But LM and others are WAY too simple and don’t really understand the tech they’re talking about. Nikulin is not going to be the one who hacked Weiner, for example, but I think it quite likely passwords he obtained were used by others to hack some of the people involved.

  8. maybe ryan says:

    Nikulin’s indictment says he stole password info and “damaged computers” by transmitting a program, information, code and command. Is all that just describing a SQL injection to get the password info? Or something similar?
    I took LM to be insinuating that he had somehow injected the Formspring app itself with a trojan. But admittedly, she writes like she spent time in a fortune cookie factory, so I can well believe she doesn’t actually understand what she’s writing about.

    • emptywheel says:

      On computer cases the govt often alleges damage when they mean code. And yes, her fortune cookie understanding of computers is one of many reasons why Mensch doesn’t make any sense.
