Mueller Juggles Plea Agreement Housekeeping

In the last two days, both Rick Gates’ and Paul Manafort’s plea deals have made news.

In Gates’ case, his lawyers have filed an unopposed motion to liberate him from his GPS device and curfew, arguing that the leverage of the plea deal itself is enough to keep him on the straight and narrow.

The plea agreement contains very serious consequences for Mr. Gates should he violate any of its terms or conditions. The advantages that attach to strict compliance with that agreement, and the extraordinary disincentives to violating that agreement, alone guarantee Mr. Gates’s appearance at any scheduled Court proceeding. Over a substantial period of time, now approaching one year, Mr. Gates has demonstrated his resolve to comply with all conditions of his release. Removing the GPS monitor and allowing Mr. Gates to travel within the Eastern District of Virginia and District of Columbia without restriction will surely not increase the risk of flight or make it less likely that Mr. Gates will appear in Court when required to do so.

The more interesting bit comes when, in a bid to talk up Gates’ cooperation, his attorneys reveal he’s been meeting with other prosecutors.

Both before the entry of the plea, and for many weeks thereafter, Mr. Gates, whenever requested, traveled to Washington, D.C., to appear at the Office of Special Counsel to be interviewed as part of his cooperation agreement. Those sessions have been numerous and they continue to this day.

[snip]

These meetings with the Office of Special Counsel continued during the weeks preceding the trial of co-defendant Paul Manafort in the United States District Court for the Eastern District of Virginia.

[snip]

Following that trial, Mr. Gates has continued to cooperate with the Special Counsel and with other federal investigators by attending current meetings at which he provides additional information. [my emphasis]

Rick Gates met in March and he met in July and he met in September, Thomas Green says. It’s the “other federal investigators” that’s of interest, as it suggests his cooperation extends beyond Mueller’s case in chief.

But that may not mean all that much. After all, Gates’ cooperation would be useful for the three cases Mueller referred to SDNY (involving Tony Podesta, Vin Weber, and Greg Craig), as well as for Stephen Calk, the Chicago banker who gave Manafort a loan in hopes of getting an appointment with the Trump Administration. Gates would surely also have information that might corroborate Sam Patten’s cooperation.

Still, it’s possible those “other federal investigators” include some of the “garden variety” Trump corruption I keep suggesting might also get spun off, such as the non-Russian Inauguration pay-to-play.

Meanwhile, in EDVA, TS Ellis is being TS Ellis. Yesterday, he filed an order saying that the parties in Manafort’s EDVA prosecution can’t just defer resolution of the ten hung counts against him until after Mueller is done with his cooperation. He scheduled a hearing for a week from Friday, on October 19, so the process of sentencing can begin. At that hearing, Ellis expects the parties to “address dismissal of the outstanding counts on which the jury deadlocked.”

Dismissing the charges may be no big deal. Manafort is on the hook for 210 – 262 months if he breaches his plea agreement in DC, before any state charges, and some of the charges that Ellis would dismiss could be charged in VA, aided by Manafort’s admission of guilt in them in the plea. As Popehat notes, cleaning up these charges is consistent with good docket management.

The push for the government to move forward on cooperation is more interesting as it may require the government to weigh in on the value of Manafort’s cooperation while he’s still discussing things with Mueller’s team. Of particular interest, any discussion on cooperation may reveal how much Manafort has cooperated against the President.

I’m also interested in timing. Manafort’s lawyers submitted their notice that they won’t challenge anything that happened in that trial right on schedule, on September 20. The government filed their response on September 26, just under the week they had under Ellis’ schedule. But Ellis took two weeks before he issued this hurry up and wait order, setting a hearing for October 19, at which any sentencing schedule is likely to be after Manafort’s next status hearing in DC.

In any case, it’s not clear that Ellis’ haste will help Manafort much. Even if Ellis is perturbed that Mueller used his courtroom to flip a witness against Trump, the PSR will show that Manafort is an admitted criminal in the DC charges, meaning his sentence should be harsher than it would be with any kind of cooperation assistance. And prosecutors can just defer any 5K statement, and instead account for cooperation with a Rule 35 motion submitted after the fact. In any case, the plea envisions concurrent sentencing, and if Manafort doesn’t cooperate willingly, he’ll face 10 years in the DC plea, which is longer than Ellis is likely to have sentenced him on anyway.

So it seems like Mueller can still retain the breathtaking upper hand they have with Manafort, and defer any public statement on cooperation until later.

Offering John Podesta Emails While Selling Deleted Hillary Emails

Back in April 2017, I noted something problematic with Democratic theories about the advance knowledge of Roger Stone — and by association, the Trump camp — of Russia’s hack and leak plans: Democrats have largely focused on Stone’s warning, on August 21, 2016, that “it would soon be the Podesta’s time in the barrel,” arguing it reflected foreknowledge of the October 2016 dump of John Podesta’s emails. Stone has said he was talking about blaming Tony Podesta for his corruption, and while that does appear to be a projection-focused defense of Paul Manafort as his own corruption posed problems for the Trump campaign, none of that explains how Stone implicated John in his brother’s sleaze.

That one comment aside, virtually every time Stone predicted a WikiLeaks October Surprise, he implied it would be Clinton Foundation documents or other ones she deleted from her home server, not Podesta emails. That is, while Stone appears to have known the general timing of the October dump, Stone didn’t predict the Podesta emails. He predicted emails deleted from Hillary’s home server, emails that never got published. Here’s how it looks in a timeline (partly lifted from this CNN timeline).

August 12, 2016: Roger Stone says, “I believe Julian Assange — who I think is a hero, fighting the police state — has all of the emails that Huma and Cheryl Mills, the two Clinton aides thought that they had erased. Now, if there’s nothing damning or problematic in those emails, I assure you the Clintonites wouldn’t have erased them and taken the public heat for doing so. When the case is I don’t think they are erased. I think Assange has them. I know he has them. And I believe he will expose the American people to this information you know in the next 90 days.”

August 15, 2016: Stone tells WorldNetDaily that, “’In the next series of emails Assange plans to release, I have reason to believe the Clinton Foundation scandals will surface to keep Bill and Hillary from returning to the White House,’ … The next batch, Stone said, include Clinton’s communications with State Department aides Cheryl Mills and Huma Abedin.”

August 26, 2016: Stone tells Breitbart Radio that “I’m almost confident Mr. Assange has virtually every one of the emails that the Clinton henchwomen, Huma Abedin and Cheryl Mills, thought that they had deleted, and I suspect that he’s going to drop them at strategic times in the run up to this race.”

August 29, 2016: Stone suggests Clinton Foundation information might lead to prison. “Perhaps he has the smoking gun that will make this handcuff time.”

September 16, 2016: Stone says that “a payload of new documents” that Wikileaks will drop “on a weekly basis fairly soon … will answer the question of exactly what was erased on that email server.”

September 18, 2016 and following: Stone asks Randy Credico to get from Assange any emails pertaining to disrupting a peace deal in Libya, making it clear he believes Assange has emails that WikiLeaks has not yet released.

In a Sept. 18, 2016, message, Mr. Stone urged an acquaintance who knew Mr. Assange to ask the WikiLeaks founder for emails related to Mrs. Clinton’s alleged role in disrupting a purported Libyan peace deal in 2011 when she was secretary of state, referring to her by her initials.

“Please ask Assange for any State or HRC e-mail from August 10 to August 30–particularly on August 20, 2011,” Mr. Stone wrote to Randy Credico, a New York radio personality who had interviewed Mr. Assange several weeks earlier. Mr. Stone, a longtime confidant of Donald Trump, had no formal role in his campaign at the time.

Mr. Credico initially responded to Mr. Stone that what he was requesting would be on WikiLeaks’ website if it existed, according to an email reviewed by the Journal. Mr. Stone, the emails show, replied: “Why do we assume WikiLeaks has released everything they have ???”

In another email, Mr. Credico then asked Mr. Stone to give him a “little bit of time,” saying he thought Mr. Assange might appear on his radio show the next day. A few hours later, Mr. Credico wrote: “That batch probably coming out in the next drop…I can’t ask them favors every other day .I asked one of his lawyers…they have major legal headaches riggt now..relax.”

As I further noted, when WikiLeaks started dumping Podesta emails in October (including excerpts of Hillary’s private speeches), Stone focused more on accusing Bill Clinton of rape, another projection-based defense of Donald Trump (especially in light of the Access Hollywood tape) than he focused on the Podesta emails.

In other words, Stone may not have exhibited foreknowledge of the Podesta dump. By all appearances, he seemed to expect that WikiLeaks would publish emails obtained via the Peter Smith efforts — efforts that involved soliciting Russian hackers for assistance. That actually makes Stone’s foreknowledge more damning, as it suggests he was part of the conspiracy to pay Russian hackers for emails they had purportedly already hacked from Hillary’s server and that he expected WikiLeaks would be an outlet for the emails, as opposed to just learning that Podesta’s emails had been hacked some months after they had been.

It was Guccifer 2.0, not Assange, who claimed anyone had Clinton server documents (including in a tweet responding to my observation he was falsely billing documents as Clinton Foundation ones).

And Guccifer 2.0 was (according to Politico, not WSJ) in the loop of this effort, so may have been trying to pressure WikiLeaks to publish sets of files already sent, as he had tried to do with DCCC files earlier in August.

[Chuck] Johnson said he and [Peter] Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

“The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

Two interesting issues of timing arise out of that, then.

First, to the extent that Stone’s tweets during the week of October 7 (the ones that exhibited foreknowledge of timing, if not content) predicted the timing of the next leak, they would seem to reflect an expectation that deleted emails were coming, not necessarily that Podesta ones were.

[O]n Saturday October 1 (or early morning on October 2 in GMT; the Twitter times in this post have been calculated off the unix time in the source code), Stone said that on Wednesday (October 5), Hillary Clinton is done.

Fewer of these timelines note that Wikileaks didn’t release anything that Wednesday. It did, however, call out Guccifer 2.0’s purported release of Clinton Foundation documents (though the documents were real, they were almost certainly mislabeled Democratic Party documents) on October 5. The fact that Guccifer 2.0 chose to mislabel those documents is worth further consideration, especially given public focus on the Foundation documents rather than other Democratic ones. I’ll come back to that.

Throughout the week — both before and after the Guccifer 2.0 release — Stone kept tweeting that he trusted the Wikileaks dump was still coming.

Monday, October 3:

Wednesday, October 5 (though this would have been middle of the night ET):

Thursday, October 6 (again, this would have been nighttime ET, after it was clear Wikileaks had not released on Wednesday):

But it also makes the October 11 email — which was shared with still unidentified recipients via foldering, not sent — reported by WSJ the other day all the more interesting. The email seems to suggest that on October 11, the “students” who were really pleased with email releases they had seen so far were talking about the Podesta emails.

“[A]n email in the ‘Robert Tyler’ [foldering] account [showing] Mr. Smith obtained $100,000 from at least four financiers as well as a $50,000 contribution from Mr. Smith himself.” The email was dated October 11, 2016 and has the subject line, “Wire Instructions—Clinton Email Reconnaissance Initiative.” It came from someone calling himself “ROB,” describing the funding as supporting “the Washington Scholarship Fund for the Russian students.” The email also notes, “The students are very pleased with the email releases they have seen, and are thrilled with their educational advancement opportunities.”

In a follow-up, WSJ confirmed the identities of three of the four alleged donors (they’re still trying to track down the real ID of the fourth).

He reached out to businessmen as financial backers, including Maine real-estate developer Michael Liberty, Florida-based investor John “Jack” Purcell and Chicago financier Patrick Haynes. They were named in an email reviewed by the Journal as among a group of people who pledged to contribute $100,000 to the effort, along with $50,000 of Mr. Smith’s own money.

If the Smith conspirators were referring to the Podesta emails stolen by GRU in the same breath as a funding solicitation for Clinton Foundation ones, it suggests that whoever Smith’s co-conspirators were, as late as October 11, they were referring to the Podesta emails in the same breath as the Clinton server ones they were still hunting for.

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Psy-Group Proposal: A Way to Measure the Value that Russian Hackers Provided the Trump Campaign

On April 15, 2016, Russian hackers searched in DCCC and DNC networks for information on (among other things) Ted Cruz and the Democrats’ field plan.

The Conspirators searched for and identified computers within the DCCC and DNC networks that stored information related to the 2016 U.S. presidential election. For example, on or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that included “hillary,” “cruz,” and “trump.” The Conspirators also copied select DCCC folders, including “Benghazi Investigations.” The Conspirators targeted computers containing information such as opposition research and field operation plans for the 2016 elections.

That’s an important detail with which to assess the recent NYT story that, in March, Rick Gates asked Israeli intelligence firm Psy-Group for a proposal on influence operations targeting both Ted Cruz and Hillary Clinton. As the NYT story notes, Gates wasn’t actually all that interested in the Psy-Group proposal and there’s no indication anyone in the Trump camp was either.

There is no evidence that the Trump campaign acted on the proposals, and Mr. Gates ultimately was uninterested in Psy-Group’s work, a person with knowledge of the discussions said, in part because other campaign aides were developing a social media strategy.

But he was interested in the services Psy-Group offered, including intelligence gathering and influence operations.

According to Mr. Birnbaum, Mr. Gates expressed interest during that meeting in using social media influence and manipulation as a campaign tool, most immediately to try to sway Republican delegates toward Mr. Trump.

“He was interested in finding the technology to achieve what they were looking for,” Mr. Birnbaum said in an interview. Through a lawyer, Mr. Gates declined to comment.

[snip]

The proposal to gather information about Mrs. Clinton and her aides has elements of traditional opposition research, but it also contains cryptic language that suggests using clandestine means to build “intelligence dossiers.” [I’ve switched the order of these passages]

So aside from context for the meeting Psy-Group owner Joel Zamel had with Don Jr (and any downstream arrangement the two had), it’s not clear what the report itself means for Mueller’s investigation, with regards to Psy-Group, particularly given claims that the group closely vetted their programs for legal compliance (though NYT was unable to learn whether Covington & Burling had given a green light for this campaign).

But the report that Gates was seeking proposals in March 2016 and the guts of the report are interesting for what they say about the mindset that Gates and Manafort brought to, first, the Convention and after that managing the entire campaign.

The materials Psy-Group provided in response to a Gates request provide at least three things that may be useful for a Mueller prosecution. First, they show that the Russian hackers were working on the same schedule that Gates and Manafort were, with initial data collection slotted for April.

The report also shows what kind of targets the Trump team knew would be resistant to messaging directly from Trump, and so should be targeted by unaffiliated online assets, including fictional avatars.

These groups — especially minority and swing voters — were precisely the groups that Russian trolls and Cambridge Analytica’s dark marketing targeted.

Likewise, Russian hackers may well have shared what amounted to intelligence dossiers with Trump.

Finally, the Psy-Group proposal also provides a dollar figure for the value of these kinds of services. That provides Mueller with a way to show the kind of financial benefit Trump received from both the Russian efforts and whatever efforts Cambridge Analytica gave to Trump for free (or coordinated on illegally): $3.31 million.

The above proposed activity will cost $3,210,000. This does not include the cost of media, which will be billed at cost + 20% management fee and pre-approved with the client in advance prior to committing and spending. We estimate media cost at around $100,000 at this point (mostly social / online media).

One charge we know (from Manafort’s warrant applications) that Mueller is considering is receiving a thing of value from a foreigner. This proposal measures what kind of value Trump’s campaign received from the Russians.

It may be that Psy-Group poses a risk to Trump’s people directly, perhaps as a way to understand Israel’s role as a cut-out for Russia, or as a way to prove that Don Jr lied under oath about his willingness to accept gifts from foreigners. But even without that, the Psy-Group proposal provides a real time measure of how Trump’s campaign under Manafort planned to run their campaign.


Alfa-Trump Redux: Full Spectrum Circumstance

The Trump Tower – Alfa Bank story is back!

Back in October 2016, Franklin Foer wrote about some metadata analysis showing that a marketing server paid for by Trump Organization was messaging with a server at Russia’s Alfa Bank. The story, as Foer presented it, was quickly challenged. I myself focused on a side angle to the story: that in addition to communications with Alfa Bank, the Trump marketing server was also communicating with Grand Rapids’ Spectrum Health, which (the original public pitch of the story suggested) might show a tie between the DeVos family — or maybe Erik Prince — and Trump. From the vantage of October 2016, that didn’t make sense, as the DeVoses (as distinct from Betsy’s brother Erik) were actually remarkably hesitant to support Trump until after the DNS lookups ended.

Dexter Filkins has now reexamined the story. It concludes — via a proliferating set of academics and cybersecurity experts departing from the norm in both those fields and insisting on hiding their identities — that there must be some kind of communication going on.

(Max and his colleagues did not see any D.N.S. evidence that the Trump Organization was attempting to access the server; they speculated that the organization was using a virtual private network, or V.P.N., a common security measure that obscures users’ digital footprints.)

If this was a communications mechanism, it appeared to have been relatively simple, suggesting that it had been set up spontaneously and refined over time. Because the Trump Organization did not have administrative control of the server, Paul and Leto theorized that any such system would have incorporated software that one of the parties was already using. “The likely scenario is not that the people using the server were incredibly sophisticated networking geniuses doing something obscure and special,” Max said. “The likely scenario is that they adapted a server and vender already available to them, which they felt was away from prying eyes.” Leto told me that he envisioned “something like a bulletin-board system.” Or it could have been an instant-messaging system that was part of software already in use on the server.

Kramer, of Listrak, insisted that his company’s servers were used exclusively for mass marketing. “We only do one thing here,” he told me. But Listrak’s services can be integrated with numerous Cendyn software packages, some of which allow instant messaging. One possibility is Metron, used to manage events at hotels. In fact, the Trump Organization’s October, 2016, statement, blaming the unusual traffic on a “banking customer” of Cendyn, suggested that the communications had gone through Metron, which supports both messaging and e-mail.

The parties might also have been using Webmail—e-mail that leaves few digital traces, other than D.N.S. lookups. Or, Paul and Leto said, they could have been communicating through software used to compose marketing e-mails. They might have used a method called foldering, in which messages are written but not sent; instead, they are saved in a drafts folder, where an accomplice who also has access to the account can read them. “This is a very common way for people to communicate with each other who don’t want to be detected,” Leto told me.

I hope to return to some of the moves Filkins makes in his story generally after I come home from this trip. But for now, I just want to look at how Filkins deals with the Spectrum Health tie, which Filkins focuses on even more than Foer. Here’s how he introduces the connection:

Only one other entity seemed to be reaching out to the Trump Organization’s domain with any frequency: Spectrum Health, of Grand Rapids, Michigan. Spectrum Health is closely linked to the DeVos family; Richard DeVos, Jr., is the chairman of the board, and one of its hospitals is named after his mother. His wife, Betsy DeVos, was appointed Secretary of Education by Donald Trump. Her brother, Erik Prince, is a Trump associate who has attracted the scrutiny of Robert Mueller, the special counsel investigating Trump’s ties to Russia. Mueller has been looking into Prince’s meeting, following the election, with a Russian official in the Seychelles, at which he reportedly discussed setting up a back channel between Trump and the Russian President, Vladimir Putin. (Prince maintains that the meeting was “incidental.”) In the summer of 2016, Max and the others weren’t aware of any of this. “We didn’t know who DeVos was,” Max said.

This is a remarkable paragraph, repeating a lot of the shitty link analysis that people always do when they try to explain the Spectrum tie. In it, a children’s hospital named after Dick DeVos’ mother is the smoking gun in an international spy plot. Then, having utterly ignored the status of the relationship between the DeVoses and Trump at the time of the DNS lookups, Filkins looks at what has happened since: the appointment of close Mike Pence ally and leading GOP education ideologue Betsy to be Education Secretary, and Erik Prince’s covert meeting with an entirely different — and far more suspect — bank, using means that are precisely the kinds of means you’d expect Erik Prince to use (and not using the network of a hospital that his brother-in-law chairs but doesn’t run, because why the fuck would a Navy Seal use more covert methods that Navy Seals know well instead of using a server with an easily subpoenaed footprint in the US??).

The paragraph misses some other details of note. For example, after Dick got on a commercial puddle jumper to fly to interview with Trump, he was appointed to the FAA Advisory Board, another position for which he is an obvious and arguably well-qualified pick. It also doesn’t note that Prince — who is a separate political entity from his sister and brother-in-law — was threatening anti-Trump Republicans both before and after the election, something that might support this theory except for all the other more obvious ways Prince accomplished such efforts.

Which is to say that, while the piece acknowledges that to conclude the Trump – Alfa Bank records are suspect, you also have to explain why the Spectrum ones would be, it does no reporting to discern why that would be the case.

Later in the piece, after trying to explain DNS lookups involving a third entity that had previously only been alluded to (and only alluded to because without explanation, it would have and did problematize past claims), Filkins strains further to suggest the ties between Spectrum and Trump have been proven by events that have taken place since.

In one tranche of data that he gave them, they noticed that a third entity, in addition to Alfa Bank and Spectrum Health, had been looking up the Trump domain: Heartland Payment Systems, a payments processor based in Princeton. Of the thirty-five hundred D.N.S. queries seen for the Trump domain, Heartland made only seventy-six—but no other visible entity made more than two. Heartland had a link to Alfa Bank, but a tenuous one. It had recently been acquired by Global Payments, which, in 2009, had paid seventy-five million dollars for United Card Services, Russia’s leading credit-card-processing company; two years later, United Card Services bought Alfa Bank’s credit-card-processing unit. (A spokesperson for Global Payments said that her company had never had any relationship with the Trump Organization or with Alfa Bank, and that its U.S. and Russia operations functioned entirely independently.)

Spectrum Health has a similarly indirect business tie to Alfa Bank. Richard DeVos’ father co-founded Amway, and his brother, Doug, has served as the company’s president since 2002. In 2014, Amway joined with Alfa Bank to create an “Alfa-Amway” loyalty-card program in Russia. But such connections are circumstantial at best; the DeVos family seems far more clearly linked to Trump than to Russia.

It’s this sentence — “the DeVos family seems far more clearly linked to Trump than to Russia” — that exemplifies this story, and its epistemology, for me. It treats the DeVos family — Dick, his wife Betsy Prince DeVos, his brother Doug, his charitable mother Helen, and his brother-in-law Erik Prince, to say nothing of the hospital administrators that actually run Spectrum — as a monolith they’re simply not, reads their current varied relationships with Trump back into a history where only Erik’s relationship resembled his current one, and then concludes that a link with Dick through Helen-Betsy-Erik is all you need to explain why these presumed conspirators would use a hospital rather than any of the many entities the DeVoses privately hold (and therefore more directly manage) or the Prince entities that already have built-in covert channels with a proven past ability to reach out to oligarchs discreetly.

I mean, I absolutely think there’s a place for more journalism on what Erik was doing during the election, his role as a cut-out to Trump, and how he has helped to discipline the Republican party since. Or, if you want to pursue some theory of nefarious plot explaining how the originally reluctant DeVoses came to become close Trump associates, you’d explore far more about Mike Pence’s obvious role in it all (to say nothing of Pence’s frequent meetings with the DeVoses since), something Jean Camp is well situated to do from Indiana.

But one thing any such journalism would show is that Prince has the ability to conduct covert communications via much more effective channels, and Betsy and Dick DeVos have the network to achieve their political goals via means that don’t require hijacking a hospital server they don’t directly control.

Meanwhile, the story doesn’t explore the tangential role of Alfa Bank, via Alex van der Zwaan, in the Skadden Arps part of the Paul Manafort story, and doesn’t explain that any focus on Alfa Bank prior to Trump’s inauguration might have distracted from the sanctioned Russian banks that, at least as far as is currently known, are the actual key players in the Trump Russia story. It also doesn’t explain that key events in any conspiracy between Trump and Russia were communicated via insecure Trump Organization hosted email, often (in Manafort’s case, for long after he had been indicted) backed up to the iCloud.

This Trump Tower – Alfa Bank story continues to spin journalists, not to mention academics and infosec experts, into uncharacteristic habits that don’t appear to be leading to any real clarity about the topic at hand.

Peter Smith Had a Penchant for Secrecy, But Whence Might Be More Interesting Than How

After a long period of press disinterest in the Peter Smith operation during election year, the WSJ has an important story reporting that “investigators” are (predictably) showing intense interest in the Republican rat-fucker’s efforts, which extended to working with presumed Russian hackers, to find Hillary’s deleted emails.

Before I address the headline claim of the story — about Smith’s secrecy — I’d like to lay out what the story actually describes.

Way at the end of the story, it provides evidence that casts doubt on the claim Smith killed himself last year — an on the record quote from retired Wall Street financier Charles Ortel, who had been involved in the anti-Clinton effort, describing correspondence with Smith in the days before he died laying out optimistic future plans.

As regards the Clinton email effort itself, the story says that the Smith effort “remain[s] of intense interest to federal investigators working for special counsel Robert Mueller’s office and on Capitol Hill,” suggesting it relies on both Hill sources and people who know what Mueller is up to (the latter of which, up to this point, has always been mediated through witnesses). In key places in the story, it conflates those two investigations, which doesn’t necessarily mean witnesses making claims about Mueller’s intensifying focus are wrong, but does show real sloppiness on the part of the reporting, which invites some skepticism about the significance of the conclusions offered (including the article’s focus on Mike Flynn’s role in Smith’s rat-fuck; click through to read that).

People familiar with the investigations described Mr. Smith’s activities as an area of expanding interest.

The article also relies on documents, which it describes to include emails and court records, including:

  • Court records involving Smith associate John Szobocsan’s efforts to get Smith’s estate to repay him for legal fees associated with three interviews with the Mueller team and an August grand jury appearance (which is pretty good evidence of Mueller’s focus, though not why).
  • Correspondence showing Smith asking associates to “folder,” writing drafts in a Gmail account under the fake name of Robert Tyler, that both the associates and Smith had access to.
  • “[A]n email in the ‘Robert Tyler’ [foldering] account [showing] Mr. Smith obtained $100,000 from at least four financiers as well as a $50,000 contribution from Mr. Smith himself.” The email was dated October 11, 2016 and has the subject line, “Wire Instructions—Clinton Email Reconnaissance Initiative.” It came from someone calling himself “ROB,” describing the funding as supporting “the Washington Scholarship Fund for the Russian students.” The email also notes, “The students are very pleased with the email releases they have seen, and are thrilled with their educational advancement opportunities.” The WSJ states that Ortel is not among the funders named in the email, which means they know who the other four funders are (if one or more were a source for the story, it might explain why WSJ is not revealing that really critical piece of news).

The WSJ really bolloxes describing the significance of the timing of this email as coming,

just days after WikiLeaks and the website DCLeaks began releasing emails damaging to Mrs. Clinton’s campaign and four days after the U.S. government publicly warned that Russia was attempting to interfere in the U.S. election

What it means is that it came just four days after the Podesta emails first started coming out, suggesting that the reference to Russian students is actually code for happiness about the emails already being released by the Russians.

For reasons I’ll return to, the suggestion that Smith and his fellow rat-fuckers appear to have been using code to discuss already released emails that were neither Clinton Foundation nor deleted emails is really interesting.

With all that in mind, here are Smith’s adopted methods of secrecy (beyond whatever funding methods are described in the email; Buzzfeed talked about different suspicious transactions here):

  • The apparent code used by an unidentified person, which appears to show conspirators speaking about stolen emails in the guise of a student fund in DC
  • Foldering — a method for which law enforcement has had effective countermeasures that have been widely publicized since the David Petraeus case, the use of which Smith committed to correspondence that got shared outside of the immediate conspirators
  • A burner phone or phone number: “one phone number that he used for sensitive matters”
  • Proton Mail or similar: “a commercially available encrypted email account”
  • Encryption not described to be anything beyond typical full disk encryption (but which could be PGP)

The code is interesting and perhaps intentionally damning. But fat lot of good either the code or the foldering does if the emails in question bear the smoking gun subject line, “Wire Instructions—Clinton Email Reconnaissance Initiative,” to say nothing of the correspondence that commits to writing that they’re using foldering. Indeed, using code in an email with an uncoded subject line is the opposite of good operational security; it serves instead as a blinking red light telling investigators where to look and that the code is code. “Bobby Three Sticks Read Me!!!”

As for the other things — basically the use of encryption and a burner that, given that it was discovered, wasn’t narrowly enough executed — they show an effort to use secrecy. But not a successful effort to do so.

Further, with regards to encryption, this Politico article from last year reveals Royal O’Brien (who, except for the context, might be a candidate to be the October 11 email described by WSJ) advising Smith about PGP, which suggests any non-commercial encryption may have been adopted after key parts of the conspiracy took place.

In an email chain from October obtained by Politico, Smith sought the advice of a tech-savvy business associate about concerns that WikiLeaks had been attacked by hackers. In the email, the associate, Royal O’Brien, a Jacksonville-based programmer Smith described as a dark web expert, advised Smith about the use of PGP keys for encryption and opined that anyone who launched an attack on WikiLeaks would likely face stiff blowback from the group’s web-savvy supporters.

All of this leads me to be more interested in where the methods adopted imperfectly by this 80 year old came from than that he did. An obvious candidate is Chuck Johnson, whose cooperation with the Smith rat-fuck is detailed in the Politico article, and whose businesses have all been shutting down in recent months, and whose defense attorney did not respond to a question from me last week about whether he still represents Johnson. Though Johnson, and his Nazi friend living in Ukraine, Weev, are better at operational security than what the WSJ describes here.

Someone got this old rat-fucker to use just enough secrecy to serve as signposts for the interesting bits.

I’m as interested in who provided that advice (and when) as I am in the identity of the four donors whom WSJ must know but isn’t sharing.

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Kavanaugh Confirmation Standards of Nonsense

Okay, in case you have not already guessed, Marcy is away, mostly, for a couple of days. Even a prolific presence like her is entitled to that. So, you get me for today. Sorry!

Now, because I have been a little involved in trying to figure what is the “real standard of proof” for people in the shoes of, say, Susan Collins and Jeff Flake, I have been a tad predisposed this morning. But let us for now go back to Blasey Ford, Kavanaugh, Collins, Flake, Grassley and the “standard of proof”.

An executive branch nomination is NOT a criminal trial. Any talk about “presumed innocent” and “beyond a reasonable doubt” is asinine and duplicitous. There is no set standard for a nomination consideration, much less one for the Supreme Court. Senators, especially those on the screening Senate Judiciary Committee, get to make their own individual assessments. In a perverse kind of way, it is like impeachment’s “high crimes and misdemeanors”, it is easy for people to argue, but the net result is that it is whatever strikes Congress as being applicable.

Frankly, I think the argument over what Susan Collins’ standard was is kind of silly and diversionary. Collins stated on the record:

“This is not a criminal trial, and I do not believe that claims such as these need to be proved beyond a reasonable doubt. Nevertheless, fairness would dictate that the claims at least should meet a threshold of more likely than not as our standard.”

This is bullshit. As David Graham, again, pointed out:

Citing the lack of corroboration of Ford’s account as well as lacunas in Ford’s own recollection, Collins said she did not believe the “more likely than not” standard had been met.

Although she did not use the phrase, the standard that Collins offers appears to be the same as “the preponderance of the evidence,” which is the burden of proof required in civil trials—as opposed to the beyond-a-reasonable-doubt standard in criminal cases. This is also the standard that many colleges now use in evaluating sexual-violence claims under Title IX. Obama-era guidance required schools to use a preponderance-of-evidence standard, though the Trump Education Department has granted schools greater leeway, instructing that “findings of fact and conclusions should be reached by applying either a preponderance of the evidence standard or a clear and convincing evidence standard.”

So, what is the relevant standard? As propounded earlier, there is no set one in these circumstances. It certainly is not “beyond a reasonable doubt” as is in criminal trials. Anybody using that language, including most of the geriatric white geezers in the SJC, is lying.

“Clear and convincing evidence”? Nope, there is no precedent for that either. Preponderance of the evidence/more likely than not? Again, there is scant authority to establish that as a relevant standard. Bottom line is Susan Collins manufactured her own “standard” and then cynically applied it, all without any legitimate basis. And, maybe, that is the kind of intellectual malleability these SJC determinations engender, but, if so, people like Collins, and the journalists that cover her charade, should acknowledge it.

So, what is the real “standard”? Again, there is none I can find. But if the course and scope of “background investigations” conducted by the FBI on behalf of an Article II Executive Branch request is any indication, it is far different than is being duplicitously portrayed by both the White House and Senate Judiciary Republicans.

Here is a specialist in clearance and background investigation issues, Brad Moss:

Um, not totally true. It happens for high level national security operatives working for the NSC and related White House components. Those individuals have to hold TS/SCI access and often times can be subject to invasive polygraph screenings.

Actual vetting, not that Kushner BS.

Here is another, Kel McClanahan, of National Security Counselors:

The White House can’t order @FBI to just rummage through a random person’s life. They can definitely AUTHORIZE FBI to rummage through a person’s life who has agreed to be subjected to a background investigation.

If this is true, it was McGahn & not Trump who was playing games…

Yes. Exactly. And, as Senators who were among the maybe 115 American citizens able to actually read the “FBI Investigation” work product, for Susan Collins and Jeff Flake to blithely sign off on the limited, restricted and choked off nonsense is beyond craven. It is straight up duplicitous. And the New York Times article is kind compared to the chicanery that was clearly afoot from Don McGahn, a close friend and Federalist Society gang member for decades with Brett Kavanaugh.

In short, it is NOT about the relative “standard of proof” used by Susan Collins. She used “more likely than not” standard (effectively a preponderance of evidence standard). When she said that was the standard, she was lying. It never has been, and never will be. That was manufactured bullshit.

People have also argued that the standard should have been “reasonable accusation” or “credible accusation”. And those are even lesser than the “preponderance/more likely than not” standard Collins artificially, self servingly and cynically utilized.

Is clearance on a Background Investigation warranted? Does anybody, including the high holy Brett Kavanaugh, have any god given right to have a clean BI and be elevated to the Supreme Court? Of course not (See Title 32 of the CFR), that is gibberish propounded by old white conservative and misogynistic demagogues, like Grassley, Hatch, Cornyn and Graham in the Senate Judiciary Committee. And it is pure rubbish.

And, so too is the manufactured “standard” Susan Collins magically announced in her drama queen dog and pony show yesterday that seemed to narcissistically go on forever.

The bottom line is that whether under Collins’ manufactured and elevated standard, or even lesser ones such as reasonable or credible allegations, Brett Kavanaugh was not fit for passage and subsequent confirmation.

As Mark J. Stern detailed in Slate, Susan Collins’ manifesto announced with all the drama of a royal wedding, was in incredible bad faith. Her “standard” was nonsense and nowhere close to any applicable standard. It was a joke.

But, even more so, under ANY standard Susan Collins could have cited, her “finding” thereunder was garbage. Even in criminal sex cases, not just occasionally, but often, the decisions of finders of fact (usually juries) come down to weighing the relative credibility of an accuser versus the accused. And, given the relentless series of outright lies Brett Kavanaugh stated under oath, there is no way that a sentient human could see his testimony as more credible than the measured, and admitting as to gaps, honesty of Dr. Christine Blasey Ford. And, again, credibility of witnesses is what criminal trials, much less matters with burdens lower than even civil litigation, as here, are decided by every day.

This is because there are usually zero other witnesses to such kidnapping, molestation and attempted rape cases as Dr. Christine Blasey Ford credibly alleged, but also because time and reticence of victims is often a factor. And, yet, cases are filed and determinations made on just such “he said/she said” allegations every day. The implications by Susan Collins, Chuck Grassley, the other wrinkled old entitled white men like Hatch in the SJC, not to mention their cynically hired criminal prosecutor, Rachel Mitchell, are complete baloney.

Somebody go ask Rachel Mitchell, and the sad old men that hired her before they fired her, how many times she has operated off of an accuser’s words. The answer will be a lie, because it happens all the time. And, yeah, that is enough to generate a full and meaningful “background investigation” despite the bullshit being proffered by the White House, Don McGahn and the SJC.

A Tale of Two GRU Indictments

Yesterday, DOJ indicted a bunch of GRU hackers again, in part for hacks in retaliation for anti-doping associations’ reports finding a state-run Russian effort to help its athletes cheat (though also including hacks of Westinghouse and the Organization for the Prohibition of Chemical Weapons (OPCW)).

As the DNC GRU indictment did, this indictment provides a snapshot of the division of labor in GRU, made easier by the capture of four of these guys, with all their hacking toys in the trunk of their rented car, in the Netherlands. I find a comparison of the two indictments — of some of the same people for similar activity spanning the same period of time — instructive for a number of reasons.

The team

Consider the team.

There are Aleksei Morenets and Evgenii Serebriakov, whom the indictment calls “on-site GRU hackers who traveled to foreign countries with other conspirators, in some instances using Russian government issued diplomatic passports to conduct on-site operations.” Serebriakov even has a title, “Deputy Head of Directorate,” which sounds like a pretty senior person to travel around sniffing WiFi networks.

There are the three men we met in the DNC indictment, Ivan Yermakov, Artem Malyshev, and Dmitriy Badin, all of whom work out of Moscow running hacks. Yermakov and Malyshev were closely involved in both hacks in 2016 (as demonstrated by the timeline below).

Finally, there are Oleg Sotnikov and Alexey Minin, who joined Morenets and Serebriakov as they tried to hack the Organization for the Prohibition of Chemical Weapons (OPCW) and tried to hack the Spiez Chemical laboratory that was analyzing the Novichok used to poison Sergei Skripal.

There are slightly different tactics than in the DNC hack. For example, GRU used a bunch of bit.ly links in this operation (though some of those are an earlier campaign against Westinghouse). And they sent out hackers to tap into targets’ WiFi networks directly, whereas none of the DNC hackers are alleged to have left Russia.

But there’s a ton of common activity, notably the spearphishing of targeted individuals and the use of their X-Agent hacking tool to exploit targeted machines.

Overlapping hack schedule

I’m also interested in the way the WADA hack, in particular, overlaps with the DNC one. I’ve got a timeline, below, of what the two indictments look like (I’ve excluded both the Westinghouse and OPCW hacks from this timeline to focus on the overlapping 2016 operations).

Yermakov and Malyshev are described by name doing specific tasks in the DNC hack through May 2016. By August, they have turned to hacking anti-doping targets. Yermakov, in particular, seems to play the same research role in both hacks.

Given the impact of these operations, it’s fairly remarkable that such a small team conducted both.

Common bitcoin habits and possibly even infrastructure

There are also paragraphs in the WADA indictment, particularly those pertaining to the use of bitcoin to fund the operation used to substantiate the money laundering charge, that appear to be lifted in their entirety from the DNC one (or perhaps both come from DOJ or Western PA US Attorney boilerplate — remember that the DNC hack was originally investigated in Western PA, so this language likely originates there).

These include:

  • 58/106: Describing how conspirators primarily used bitcoin to pay for infrastructure
  • 59/107: Describing how bitcoin works, with examples specific to each operation provided
  • 60/108: Describing how conspirators used dedicated email accounts to track bitcoin transactions
  • 61/109: Describing how conspirators used the same computers to conduct hacking operations and facilitate bitcoin payments
  • 62/110: Describing how conspirators also mined bitcoin and then used it to pay for servers, with examples specific to each operation
  • 64/111: Describing how conspirators used the same funding structure and sometimes the same pool of funds to pay for hacking infrastructure, with examples specific to each operation provided

The similarity of these two passages suggests two things. First, it suggests that the August 8, 2016 transaction in the WADA indictment may have been orchestrated from the gfade147 email noted in the DNC indictment. With both, the indictment notes that “One of these dedicated accounts … received hundreds of bitcoin payment requests from approximately 100 different email accounts,” with the DNC indictment including the gfade147 address. (Compare paragraph 60 in the DNC indictment with 108 in the WADA one.) That would suggest these two operations overlap even more than suspected.

That said, there’s one paragraph in the DNC indictment that doesn’t have an analogue in the WADA one, 63. It describes conspirators,

purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.

Given how loud much of these operations were, it raises questions about why some of the DNC hack (but not, at least by description, the WADA one) would require “heightened anonymity.”

Different treatment of InfoOps

I’m perhaps most interested in the different treatment of the InfoOps side of the operation. As I noted here, in general there seems to be a division of labor at GRU between the actual hackers, in Unit 26165, which is located at 20 Komsomolskiy Prospekt, and the information operations officers, in Unit 74455, which is located in the “Tower” at 22 Kirova Street, Khimki. Both units were involved in both operations.

Yet the WADA indictment does not name or charge any Unit 74455 officers, in spite of describing (in paragraphs 1 and 11) how the unit acquired and maintained online social media accounts and associated infrastructure (paragraph 76 describes that infrastructure to be “procured and managed, at least in part, by conspirators in GRU Unit 74455”). Five of the seven named defendants in the WADA indictment are in Unit 26165, with Oleg Sotnikov and Alexey Minin not identified by unit.

By comparison, three of the 11 officers charged in the DNC indictment belong to Unit 74455.

And the WADA campaign did have a significant media component, as explained in paragraphs 76-87. The indictment even complains (as did DOJ officials at the press conference announcing this indictment) about,

reporters press[ing] for and receiv[ing] promises of exclusivity in such reporting, with one such reporter attempting to make arrangements for a right of first refusal for articles on all future leaks and actively suggesting methods with which the conspiracy could search the stolen materials for documents of interest to that reporter (e.g., keywords of interest).

That said, the language in much of this discussion (see paragraphs 77 through 81) uses the passive voice — “were registered,” “were named,” “was posted,” “were released,” “were released,” “were released,” “were released” — showing less certainty about who was running that infrastructure.

That’s particularly interesting given that the government clearly had emails between the Fancy Bear personas and journalists.

One difference may be, in part, that in the DNC indictment, there are specific hacking (not InfoOps) actions attributed to two of the Unit 74455 officers: Aleksandr Osadchuk and Anatoliy Kovalev. Indeed, Kovalev seems to have been added on just for that charge, as he doesn’t appear in the introduction section at the beginning of the indictment.

Whereas Unit 74455’s role in the WADA indictment seems to be limited to running the InfoOps infrastructure.

Importance of WikiLeaks and sharing with Republicans

It’s not clear how much we can conclude from all that. But the different structure in the DNC indictment does allow it to foreground the role of a number of others, such as WikiLeaks and Roger Stone, that were a key part of the election operation, and, as I suggested, to drop in some or all of those others in a future conspiracy indictment.

Timeline

February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphishes Podesta personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopoulos learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alive Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announce DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based server and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send reporter password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 10-19: Morenets travels to Rio de Janeiro

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 2-9, 2016: Conspirators use multiple IP addresses to connect to or scan WADA’s network

August 2-4, 2016: Yermakov researches WADA and its ADAM database (which includes the drug test results of the world’s athletes) and USADA

August 3, 2016: Conspirators register wada.awa.org

August 5, 9, 2016: Yermakov researches Cisco firewalls; he and Malyshev send specific WADA employees spearphish

August 8, 2016: Conspirators register wada-arna.org and tas-cass.org

August 8, 2016: .012684 bitcoin transaction directed by dedicated email account

August 13-19, 2016: Morenets and Serebriakov travel to Rio, while Yermakov supports with research in Moscow

August 14-18, 2016: SQL attacks against USADA

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 19, 2016: Serebriakov compromises a specific anti-doping official and obtains credentials to access ADAM database

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 1, 2016: Domains fancybear.org and fancybear.net registered

September 6, 2016: Conspirators compromise credentials of USADA Board member while in Rio

September 7-14, 2016: Conspirators try, but fail, to use credentials stolen from USADA board member to access USADA systems

September 12, 2016: Data stolen from WADA and ADAMS first posted, initially focusing on US athletes

September 12, 2016 to January 17, 2018: Conspirators attempt to draw media attention to leaks via social media

September 18, 2016: Morenets and Serebriakov travel to Lausanne, staying in anti-doping hotels, to compromise hotel WiFi

September 19, 2016 to July 20, 2018: Conspirators attempt to draw media attention to leaks via email

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 6, 2016: Emails stolen from USADA first released

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

December 6, 2016 – January 2, 2017: Using IP frequently used by Malyshev, conspirators compromise FIFA’s anti-doping files

December 13, 2016: Data stolen from CCES released

January 19-24, 2017: Conspirators compromise computers of four IAAF officials

June 22, 2017: Data stolen from IAAF’s network released

July 5, 2017: Data stolen from IAAF’s network released

August 28, 2017: Data stolen from FIFA released

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Mueller’s Inquiry Expands and Contracts: The Rat-Fucking Is More Interesting than the Manafort Plea

There were two pieces of news today on the Mueller inquiry.

Most intriguing is the news that the FBI has told Republican operative Cheri Jacobus that their investigation of her hack and catfish in 2016 has been referred to Mueller. Click through for the full account of what happened to Jacobus after she exposed a Corey Lewandowski PAC to be coordinating with the campaign. The short version, though, is that the campaign first used deceit to try to collect information on what anti-Trump PACs were planning, later carried out a sustained campaign of abuse, and finally hacked her email when she prepared to reveal the catfishing scheme.

The FBI has been investigating ever since. But on September 10, the agents she had been working with let her know that their inquiry had grown beyond the hack itself and so had referred the case.

Jacobus has been in regular contact with FBI agents since the bureau opened an investigation into the hacking of her email after Jacobus filed a complaint around September 2016.

Following Trump’s election, Jacobus relayed additional incidents she considered suspicious to the agents investigating the hack.

Jacobus said she was also interviewed by FBI agents in the Southern District of New York for several hours in February 2017 and has had dozens of phone calls with the agents over the past two years. A lawyer who worked for Jacobus at the time, Jay Butterman, said he also attended the February 2017 meeting and had follow-up conversations with FBI agents.

In November 2017, the FBI asked Jacobus to turn over the remainder of her communications related to the catfishing scheme, some of which she had already submitted, according to an email reviewed by POLITICO.

On Sept. 10 of this year, an FBI agent wrote to Jacobus that he would be calling her, which is when, she said, the bureau informed her of the case’s referral to Mueller.

To answer a question many have posed, I don’t think any investigation into what I perceived as threats mirrors this. That’s in part because the technical threats were more oblique. But it’s also because the FBI really doesn’t want to talk to me, and so (with one exception) generally only followed up via my lawyer. The one instance I involved the cops may have been different, but if so, I never heard about it directly.

I’m more interested in the possibility that Jacobus’ treatment mirrors some of the stuff that Roger Stone was doing with his Stop the Steal campaign.

The possibility that Mueller’s interest in Stone (and Manafort) extends back to the primary is all the more interesting given how centrally some of Stone’s core skill-sets played out in the lead-up to the Convention. There were veiled threats of violence (and in the home of his dark money, actual violence), a smear story projecting on Cruz the infidelity more typical of Trump, and lots of money sloshing around.

It’s not entirely clear what crime that would implicate — besides potential campaign finance violations (particularly, given Trump’s repeated disavowals of any coordination between Stone and his old buddy Manafort).

And, given how rabidly Republican base voters support Trump, I could see why Republicans would let bygones be bygones. It’s not like the Republican party has ever before shown distaste for Stone’s rat-fucking. Plus, no one likes Ted Cruz, and he may not even survive his race against Beto O’Rourke. So, no, Republicans won’t be any more disposed against Stone if he is shown to have helped Trump cheat in the primary.

All that said, if Mueller indicts Stone in other crimes that Republicans would like to distance themselves from, any allegations about the primary may provide cover.

Indeed, the comparison is one a number of people made when I started focusing on Stone’s PACs.

With one caveat, I’d think these would probably be parallel efforts, with two different sets of dark money groups funding two different sets of dirty tricks, violating both campaign law and probably some other fraud statutes. I say that because Corey Lewandowski, who was behind the attack on Jacobus, and Roger Stone really don’t get along.

That said, the two parallel tracks likely show a tolerance among the principals who did get along with both Lewandowski and Stone (starting with Trump) for this kind of rat-fucking. And to the extent that some of the rat-fucking involved either intelligence obtained from Russians or coordinated voter suppression later in the campaign, then it’d have a solid Russian nexus.

The one caveat is this tweet from Jacobus, which reveals a text she received from a guy making explicit threats, which she clearly identifies as a Stone-related threat. (h/t TC)

So maybe Stone just took over all the rat-fucking after Jacobus busted Lewandowski’s PAC for illegal coordination?

Also remember that the illegal coordination between PACs and the campaign is likely one way that the campaign benefitted from Cambridge Analytica.

And that’s why I find the referral of the attack on Jacobus to be one of the most important details to provide insight into the Mueller investigation in some time.

I find the news that money laundering expert Kyle Freeny and National Security Division prosecutor Brandon Van Grack are moving back to their normal homes at DOJ less intriguing.

Kyle Freeny and Brandon Van Grack, two prosecutors who worked on Paul Manafort’s criminal cases, are ending their tenure working for special counsel Robert Mueller.

Van Grack left recently to return to his job in the National Security Division of the Justice Department, and Freeny will leave the office in mid-October to return to the Criminal Division.

The most obvious explanation for both moves is that the Paul Manafort and Mike Flynn plea deals have been sealed (CNN notes that Van Grack will continue to work on the Flynn sentencing, but has mostly moved back to NSD for now). Which would make the different timing — Van Grack has already left, apparently, whereas Freeny has a few more weeks of work — the most interesting part of the report. Perhaps Van Grack left as soon as Flynn got a sentencing date?

Though there is another possibility, particularly in Freeny’s case.

I’ve long said that it’s possible once Mueller puts together the conspiracy case, he may farm out the “garden variety” corruption to other parts of DOJ. One key part of that, for example, is the non-Russian inauguration pay-for-play. That might be the kind of thing Freeny would move with to another part of DOJ.

As for Van Grack, I don’t rule out a tidbit or two that he had touched being moved back under NSD, though if so, it’s not a part of the investigation that has any public sign yet.

Remember: We still haven’t seen what a good number of Mueller’s prosecutors have been up to for the last 15 months. Those are some of the prosecutors who remain quietly busy.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Kavanaugh’s Tell: “Revenge on Behalf of the Clintons,” Plural

There’s a part of Brett Kavanaugh’s bombastic statement Thursday that has stuck with me, because it reveals the foundational logic of his statement — indeed, his entire candidacy for a lifetime appointment on the Supreme Court.

After complaining about how the nomination has destroyed his family, he accuses a shady, largely fictional, mirror image of the Right Wing Noise Machine of seeking revenge.

This whole two-week effort has been a calculated and orchestrated political hit, fueled with apparent pent-up anger about President Trump and the 2016 election. Fear that has been unfairly stoked about my judicial record. Revenge on behalf of the Clintons and millions of dollars in money from outside left-wing opposition groups.

This is a circus. The consequences will extend long past my nomination. The consequences will be with us for decades. This grotesque and coordinated character assassination will dissuade competent and good people of all political persuasions, from serving our country.

The guy who insisted that–

I am strongly opposed to giving the President any ‘break’ in the questioning regarding the details of the Lewinsky relationship — unless before questioning on Monday, he either (i) resigns or (ii) confesses perjury and issues a public apology to [sexual assault cover-up expert Ken Starr].

That guy thinks the scrutiny of his own sexual past is just “revenge on behalf of the Clintons,” plural. Not just Hillary for — as he explicitly mentions — “President Trump and the 2016 election.” But also Bill Clinton, the man whom Kavanaugh demanded describe details of his use of sex toys and enjoyment of blowjobs under oath, and perhaps even Chelsea, the young girl who had to watch her parents be humiliated before the entire nation.

In spite of Kavanaugh’s suggestion that this imagined campaign would have consequences for decades, his admission that it might be revenge means it must be revenge for something. For something done to the Clintons. Hillary. And Bill.

For a guy who is unashamed about using stolen emails, the notion that he considers this revenge for Hillary is troubling enough. If this is revenge, it is revenge for Hillary being wronged during the 2016 election, and a big part of that wrong was using stolen emails. And Kavanaugh is no more embarrassed about using stolen emails than the guy who appointed him.

Kavanaugh suggests, in the same breath, that Hillary was wronged, but that denying him a seat on the Supreme Court, even for behavior that resembles that wrong, would be an outrage, even if his nomination was due entirely to the fact that she was wronged.

Brett Kavanaugh is not going to quit, no matter if his entire nomination is illegitimate because Hillary was wronged.

Perhaps more plausibly, Kavanaugh’s use of the plural, “Clintons,” suggests he thinks this is revenge for his own actions 20 years ago, his own demand that a man and his family be publicly humiliated.

But, again, if this is revenge, it suggests what happened to Clinton — the insistence that Bill confess under oath to Kavanaugh about cumming into Monica’s mouth — was itself wrong.

And once again, Brett Kavanaugh, the guy whose career was launched by demanding to hear the sordid details of sex under oath, does not care. Kavanaugh does not care that (as David Brock laid out early in this process) he himself “set a perjury trap for Clinton, laying the foundation for a crazed national political crisis and an unjust impeachment over a consensual affair.” He may recognize this as revenge and in so doing acknowledge that it is akin to the coordinated campaign he wrongly assumes is amassed against him, but he does not care that Democrats are (he imagines) adopting his own playbook.

You may defeat me in the final vote, but you’ll never get me to quit. Never.

In using that word “revenge” and imagining that Democrats are exacting revenge for both the Clinton impeachment and the use of corrupt means as a means of winning the 2016 election, Kavanaugh admits that he’s just getting a taste of the medicine he once administered. But his response to that is not to take a step back from the edge of the abyss that he himself created (and imagines himself to be standing on), with the recognition that he himself is not immune from his own tactics, but instead to complete the next logical step, the adoption of those same measures on the highest court of the land.

Never mind that imagining that credible questions about his past treatment of women are solely about the Clintons strips the agency of the millions of women trying to prevent abusers from again getting promoted in spite of it.

Kavanaugh, wrongly, thinks this is revenge for tactics he pioneered long ago. Having faced those tactics and discovered how painful they are, he has doubled down.

The DNC-Centric Focus of the HPSCI Investigation

Through the duration of the various Russia investigations, skeptics always harp on two questions pertaining to the Russian election year hacks — why the Democrats never turned over the DNC “server,” singular, to the FBI, allegedly leaving the FBI to rely on Crowdstrike’s work, and whether several sets of files released via Guccifer 2.0 showed signs of non-Russian origin. That is, skeptics look exclusively at the DNC, not the totality of the known Russian targeting.

Looking at the list of witnesses the House Intelligence Committee called (which the committee will release in the coming weeks) shows one reason why: that the most public and propagandist of all the Russia investigations focused on the DNC to the detriment of other known Democratic targets.

Here’s what the list of the HPSCI interviews looks like arranged by date (HPSCI will not be releasing the bracketed interviews).

  1. [Comey, Jim (May 2 and 4, 2017): Intel]
  2. [Rogers, Mike (May 4, 2017): Intel]
  3. [Brennan, John (May 23, 2017): Intel]
  4. Coats, Dan (June 22, 2017): Intel
  5. Farkas, Evelyn (June 26, 2017): Ukraine/RU DOD
  6. Podesta, John (June 27, 2017): Clinton Chair
  7. Caputo, Michael (July 14, 2017): RU tied Trump
  8. Clapper, James (July 17, 2017): Intel
  9. Kushner, Jared (July 25, 2017): June 9 etc
  10. Carlin, John (July 27, 2017): Early investigation
  11. Gordon, JD (July 26, 2017): Trump NatSec
  12. Brown, Andrew (August 30, 2017): DNC CTO
  13. Tamene, Yared (August 30, 2017): DNC tech contractor
  14. Rice, Susan (September 6, 2017): Obama response to hack/unmasking
  15. Stone, Roger (September 26, 2017): Trump associate
  16. Epshteyn, Boris (September 28, 2017): RU-tied Trump
  17. Tait, Matthew (October 6, 2017): Solicit hack
  18. Safron, Jonathan (October 12, 2017): Peter Smith
  19. Power, Samantha (October 13, 2017): Obama response to hack/unmasking
  20. Catan, Thomas (October 18, 2017): Fusion
  21. Fritsch, Peter (October 18, 2017): Fusion
  22. Lynch, Loretta (October 20, 2017): Investigation
  23. Parscale, Brad (October 24, 2017): Trump’s data
  24. Cohen, Michael (October 24, 2017): Trump lawyer
  25. Rhodes, Benjamin (October 25, 2017): Obama response to hack/unmasking
  26. McCord, Mary (November 1, 2017): Early investigation
  27. Kaveladze, Ike (November 2, 2017): June 9 meeting
  28. Yates, Sally (November 3, 2017): Early investigation
  29. Schiller, Keith (November 7, 2017): Trump bodyguard
  30. Akhmetshin, Rinat (November 13, 2017): June 9
  31. Samachornov, Anatoli (November 28, 2017): June 9
  32. Sessions, Jeff (November 30, 2017): Trump transition
  33. Podesta, John (December 4, 2017): Dossier
  34. Denman, Diana (December 5, 2017): RNC platform
  35. Henry, Shawn (December 5, 2017): Crowdstrike
  36. Trump, Jr. Donald (December 6, 2017): June 9
  37. Phares, Walid (December 8, 2017): Trump NatSec
  38. Clovis, Sam (December 12, 2017): Trump NatSec
  39. Goldfarb, Michael (December 12, 2017): Dossier
  40. Elias, Marc (December 13, 2017): Dossier
  41. Nix, Alexander (December 14, 2017): Cambridge Analytica
  42. Goldstone, Rob (December 18, 2017): June 9
  43. Sussmann, Michael (December 18, 2017): Hack and dossier
  44. McCabe, Andrew (December 19, 2017): Early investigation
  45. Kramer, David (December 19, 2017): Dossier
  46. Sater, Felix (December 20, 2017): RU connected Trump
  47. Gaeta, Mike (December 20, 2017): Dossier go-between
  48. Sullivan, Jake (December 21, 2017): Dossier
  49. [Rohrabacher, Dana (December 21, 2017): Russian compromise]
  50. [Wasserman Schultz, Debbie (December 21, 2017): dossier]
  51. Graff, Rhona (December 22, 2017): June 9
  52. Kramer, David (January 10, 2018): Dossier
  53. Bannon, Stephen (January 16, 2018): Trump official
  54. Lewandowski, Corey (January 17, 2018): Trump official
  55. Dearborn, Rick (January 17, 2018): Trump official
  56. Bannon, Stephen (February 15, 2018): Trump official
  57. Hicks, Hope (February 27, 2018): Trump official
  58. Lewandowski, Corey (March 8, 2018): Trump official

While John Podesta, one of the earliest spearphishing victims, was one of the earliest witnesses (and, as HPSCI shifted focus to the dossier, one of the last as well), the other hack witnesses, DNC CTO Andrew Brown and DNC IT contractor Yared Tamene, represent the DNC. Perhaps that’s because of the NYT’s big story on the hack, which was obviously misleading in real time and eight months old by the time of those interviews. While Perkins Coie lawyer and former DOJ cyber prosecutor Michael Sussmann would surely have real insight into the scope of all the Democratic targets, he was interviewed during HPSCI’s dossier obsession, not alongside Brown and Tamene.

All of which is to say that the HPSCI investigation of the hack was an investigation of the hack of the DNC, not of the full election year attack.

To get a sense of some of what that missed, consider the victims described in the GRU indictment (which leaves out some of the earlier Republican targets, such as Colin Powell). I’ve included relevant paragraph numbers to ID these victims.

  1. Spearphish victim 3, March 21, 2016 (Podesta)
  2. Spearphish victim 1 Clinton aide, March 25, 2016 (released via dcleaks)
  3. Spearphish victim 4 (DCCC Employee 1), April 12, 2016 ¶24
  4. Spearphish victim 5 (DCCC Employee), April 15, 2016
  5. Spearphish victim 6 (possibly DCCC Employee 2), April 18, 2016 ¶26
  6. Spearphish victim 7 (DNC target), May 10, 2016
  7. Spearphish victim 2 Clinton aide, June 2, 2016 (released via dcleaks)
  8. Spearphish victim 8 (not described), July 6, 2016
  9. Ten DCCC computers ¶24
  10. 33 DNC computers ¶26
  11. DNC Microsoft Exchange Server ¶29
  12. Act Blue ¶33
  13. Third party email provider used by Clinton’s office ¶22 (in response to July 27 Trump request)
  14. 76 email addresses at Clinton campaign ¶22 (in response to July 27 Trump request)
  15. DNC’s Amazon server ¶34
  16. Republican party websites ¶71
  17. Illinois State Board of Elections ¶72
  18. VR Systems ¶73
  19. County websites in GA, IA, and FL ¶75
  20. VR Systems clients in FL ¶76

Effectively, HPSCI (and most hack skeptics) focused exclusively on item 11, the DNC Microsoft Exchange server from which the emails sent to WikiLeaks were stolen.

Yet, at least as laid out by Mueller’s team, the election year hack started elsewhere — with Podesta, then the DCCC, and only after that the DNC. It continued to target Hillary through the year (though with less success than they had with the DNC). And some key things happened after that — such as the seeming response to Trump’s call for Russia to find more Hillary emails, the Info-Ops led targeting of election infrastructure in the summer and fall, and voter registration software. Not to mention some really intriguing research on Republican party websites. And this barely scratches the surface of the social media campaign, largely though not entirely carried out by a Putin-linked corporation.

HPSCI would get no insight on the overwhelming majority of the election year operation, then, by interviewing the witnesses they did. Of particular note, HPSCI would not review how the targeting and release of DCCC opposition research gave Republican congressmen a leg up over their Democratic opponents.

And while HPSCI did interview the available June 9 meeting witnesses, they refused to subpoena the information needed to really understand it. Nor did they interview all the witnesses or subpoena available information to understand the Stone operation and the Peter Smith outreach.

Without examining the other multiple threads via which Russia recruited Republicans, most notably via the NRA, HPSCI wouldn’t even get a sense of all the ways Russia was trying to make Republicans and their party infrastructure into the tools of a hostile foreign country. And there are other parts of the 2016 attack that not only don’t appear in these interviews, but which at least one key member on the committee was utterly clueless about well past the time the investigation finished.

The exception to the rule that HPSCI didn’t seek out information that might damn Republicans, of course, is the interview of Dana Rohrabacher, who (along with President Trump) proved reliably willing to entertain Russian outreach via all known channels. But that’s one of the interviews Republicans intend to keep buried because — according to an anonymous Daily Beast source — they don’t want Rohrabacher’s constituents to know how badly Russia has pwned him before November 6.

“The Republicans are trying to conceal from the voters their colleague Dana Rohrabacher’s Russia investigation testimony,” said a committee source familiar with the issue. “There were highly concerning contacts between Rohrabacher and Russians during the campaign that the public should hear about.”

By burying the Comey, Rogers, and Brennan transcripts, Republicans suppress further evidence of the degree to which Russia specifically targeted Hillary, and did so to help not just Trump, but the Republican party.

I’m sure there will be some fascinating material in these transcripts when they’re released. But even before the selective release, designed to hide any evidence gathered of how lopsided the targeting was, the scope of these interviews makes clear that the HPSCI investigation was designed to minimize, as much as possible, evidence showing how aggressively Russia worked to help Republicans.

As I laid out in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 
