Did GRU Learn that Democrats Had Hired Christopher Steele When They Hacked DNC’s Email Server?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

According to Glenn Simpson’s SJC testimony, he hired Christopher Steele in May or June of 2016 to investigate Trump’s ties to Russia.

Q. And when did you engage Mr. Steele to conduct opposition research on Candidate Trump?

A. I don’t specifically recall, but it would have been in the — it would have been May or June of 2016.

Q. And why did you engage Mr. Steele in May or June of 2016?

Simpson is maddeningly vague (undoubtedly deliberately) on this point. In one place he suggests he hired Steele after DCLeaks was registered and amid a bunch of chatter about Democrats being hacked, which would put it after June 8 and probably after June 15.

Q. So at the time you first hired him had it been publicly reported that there had been a cyber intrusion into the Democratic National Convention computer system?

A. I don’t specifically remember. What I know was that there was chatter around Washington about hacking of the Democrats and Democratic think tanks and other things like that and there was a site that had sprung up called D.C. Leaks that seemed to suggest that somebody was up to something. I don’t think at the time at least that we were particularly focused on — well, I don’t specifically remember.

But in his more informative HPSCI testimony, he suggests he may have started talking to Steele about collecting intelligence on Trump in May.

MR. QUIGLEY: When exactly did he start working under contract?

MR. SIMPSON: My recollection is that, you know, we began talking about the — I don’t remember when we started talking about the engagement, but the work started in June, I believe.


MR. SIMPSON: Possibly late May, but –

Given one detail in Mueller’s GRU Indictment, that difference may be critical.

Recall that the DNC figured out they had been hacked in April, and brought in Perkins Coie (the same firm that would engage Fusion GPS) for help. The attorney helping them respond to the hack, Michael Sussmann, warned them not to use DNC email to discuss the hack, because it might alert hackers they were onto them.

The day before the White House Correspondents’ Association dinner in April, Ms. Dacey, the D.N.C.’s chief executive, was preparing for a night of parties when she got an urgent phone call.

With the new monitoring system in place, Mr. Tamene had examined administrative logs of the D.N.C.’s computer system and found something very suspicious: An unauthorized person, with administrator-level security status, had gained access to the D.N.C.’s computers.

“Not sure it is related to what the F.B.I. has been noticing,” said one internal D.N.C. email sent on April 29. “The D.N.C. may have been hacked in a serious way this week, with password theft, etc.”

No one knew just how bad the breach was — but it was clear that a lot more than a single filing cabinet worth of materials might have been taken. A secret committee was immediately created, including Ms. Dacey, Ms. Wasserman Schultz, Mr. Brown and Michael Sussmann, a former cybercrimes prosecutor at the Department of Justice who now works at Perkins Coie, the Washington law firm that handles D.N.C. political matters.

“Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

Mr. Sussmann instructed his clients not to use D.N.C. email because they had just one opportunity to lock the hackers out — an effort that could be foiled if the hackers knew that the D.N.C. was on to them.

“You only get one chance to raise the drawbridge,” Mr. Sussmann said. “If the adversaries know you are aware of their presence, they will take steps to burrow in, or erase the logs that show they were present.”

The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.

But it’s not clear whether Sussmann warned this small team of people against using DNC emails at all, or just those emails discussing the hack.

Previously, I had always guesstimated, based on the last dates of the stolen emails and the DNC’s email deletion policies in place at the time, how long after the DNC brought CrowdStrike in the emails ultimately shared with WikiLeaks were exfiltrated. It was a damned good estimate — May 19 to May 25.

But according to the indictment, the theft of the DNC emails happened later: starting on May 25, not ending on it.

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

The indictment doesn’t describe the entire universe of emails stolen — whether GRU stole just the 9 email boxes shared with WikiLeaks, or whether they obtained far more.

But the later date — possibly reaching as late as June 1 — means it’s possible GRU stole emails of top DNC officials and of officials involved in opposition research activities (as both Guccifer 2.0 and the DNC itself said had been a focus), including emails about the hiring of a former MI6 officer to chase down Trump’s illicit ties to Russians.

Don’t get me wrong. If the Russians did, in fact, learn about the Steele effort and manage to inject his known reporting chain with disinformation, there were plenty of other possible ways they might have learned of the project: the several people overlapping between Fusion GPS’ Prevezon team and its Trump team, Rinat Akhmetshin, who learned of the dossier from a chatty NYT editor, or maybe a close Trump ally like Sergei Millian. The sad thing about this disinformation project is that it was so widely disseminated that any HUMINT integrity could easily have been compromised early in the process.

But the timeline laid out in the GRU indictment adds one more, even earlier possible way: that Russia learned the Democrats were seeking HUMINT from Russians about Russia’s efforts to help Trump from the Democrats’ own emails.

28 replies
    • Alan says:

      They were warned not to use their own email–if they used hosted email with 2 factor authentication (such as gmail), then it might be secure.

  1. Geoff says:

    The problem, as far as I know with the DNC, really wasn’t that they used email, but rather, when Podesta forwarded a suspicious gmail phish, his administrator told him it was OK. He then went and revealed his own login info. You pretty much should never fall for that. He shouldn’t even have been clueless enough to forward it, but rather should have just deleted it. The problem with email is mostly that people don’t know how to use it safely.

    • Bob Conyers says:

      I’d modify that point a bit – if most people don’t know how to use email, then admins, designers and programmers should also work harder to make it safer.

      Admins complain when people use simple passwords and don’t change them enough, and don’t follow proper security procedures. But admins tend not to take into account the overwhelming number of accounts people have, with wildly different rules and requirements, and I can feel pity for Tony Podesta, who probably had five times as many accounts to keep track of as I do.

    • bmaz says:

      So, wait, you are saying that the real problem is on the DNC, and NOT the malicious adversary state actors doing the criminal hack? Really? THAT is where you are?

    • Bob Conyers says:

      They’re impersonating anti-Trump groups, which suggests they’re working on a strategy of discrediting Democratic victories in the midterms. I’m sure part of their strategy is also spreading chaos, but I will bet it’s tied to Trump’s recent claims that the Russians are against him and Democrats are the actual colluders.

  2. cat herder says:

    Why would Fusion GPS’s work, started in late 2015, have only been of interest to the GRU after Steele was brought on in mid-2016? Are we still assuming none of the Republican-primary challengers (whoever was employing Fusion in the first phase from late ’15 to early ’16) were as easily hackable as the DNC? And wouldn’t GRU want to know who was poking around no matter who Fusion was doing the work for?

    • Avattoir says:

      Because Fusion GPS’ work to the point where it hired Steele primarily if not entirely was comprised of its usual vacuuming in of just public sources, something about as innocuous as what any of us does in spending time surfing the internet?

      Also, you’ve got Fusion GPS working on its Trump file around somewhere in the peak of 2015. I’ve thought for some time that the Free Beacon didn’t first engage Fusion until sometime early in 2016. Happy to be shown otherwise, so long as otherwise is accurate and true.

    • emptywheel says:

      Not all of it was RU focused in the early days (more generally organized crime). Plus it was not yet employing a former spook to chase down RU sources. Finally, Hillary was ultimately the real target here.

      • cat herder says:

        My gut says that if DT was a Russian asset (even if DT hisself didn’t realize that at the time) and somebody halfway competent was doing oppo research on him the Russians would want to keep an eye on it, even if the focus wasn’t specifically related – yet – to Russian elements. But, as Charlie Pierce says, the Gut is a moron.

  3. Charles says:

    Another possibility: the Russians hacked the Republican clients who had hired Steele. Or one of those clients, wanting to protect the Republican nominee, informed Trump or the Russians of Steele’s work so the Russians could taint it.

    I actually think that Russian hacks are a less likely conduit, because Simpson would have anonymized Steele’s identity in reporting. So, sure, someone high up might have known that an MI-6 agent was the source. Given Steele’s history, that detail alone would have pretty much pinned down his identity. But, if so, one would think something referencing Steele or oppo might have shown up in the e-mails that have been released. Maybe it has and I just haven’t seen it.

    It does seem likely to me that Republicans would have wanted to warn Trump about oppo research. So, just based on cui bono, that’s the completely speculative pathway I would put my money on.

    • Trip says:

      Supposedly, the original client was Jeb Bush. No way in hell he would tip Trump off, unless it was a diehard Republican on his staff who was in the know.

      • Avattoir says:

        That’s also my understanding. Except I thought the original customer WAS named: the owner of the Free Beacon, acting as a blind for JEB.

      • Charles says:

        This has been disputed, so you may well be right. For example, The Telegraph reported:

        The British Broadcasting Corporation (BBC) reported that Steele was initially hired by Jeb Bush, one of Trump’s 16 opponents in the 2016 Republican primary.

        But then, other sources claim that Jeb denied it. And in Glenn Simpson’s testimony, he said:

        “Q. And when did you engage Mr. Steele to conduct opposition research on Candidate Trump?
        A. I don’t specifically recall, but it would have been in the — it would have been May or June of 2016.”

        By early May, Trump was the presumptive nominee. Steele could have been hired by a Republican in a Hail Mary attempt to destroy Trump ahead of the convention.

        But Simpson refused to answer whether any of his clients knew about Steele. So, I do see a bit of a loophole on the question of whether any Republican knew about Steele. But your point is well-taken, and at present one can say that we know of no evidence that would lead us to believe that a Republican blew Steele’s cover. Neither do we have evidence that I know of that it came through hacks.

      • SpaceLifeForm says:

        Chris Singer started the mess, and somehow Mark Elias kept the ball rolling when Singer wanted to wash his hands.

  4. Andy says:

    What assertion(s) in the Steele dossier have been disproven and therefore could be attributed to GRU disinformation? I don’t doubt there is a strong possibility that there could have been disinformation, but I am not aware of any having been identified.

  5. earlofhuntingdon says:

    I wish the MSM would grow up a little:

    Trump Wants Kelly to Stay At least Until 2020!

    That does not mean, as today’s headlines would have it, that Kelly will stay until 2020. What it means is that Trump today found it useful to make that statement.

    Has the MSM not learned by now that Trump does not keep promises, that that’s not a promise, only a statement of current intent, that Trump frequently changes his mind, sometimes hourly, and that he might change his mind about Kelly at any time? Please.

  6. Willis Warren says:

    I think the reason Mueller hasn’t come public with what he knows is that he doesn’t know how far back the conspiracy goes. He’s probably got collusion proven, just doesn’t know how long the Russkies were grooming tRUmp. I imagine Manafort probably has an idea. So, if Manafort doesn’t flip, he may just release the collusion dogs. Just a working theory, and would appreciate anyone disproving it if it’s wrong.
