On the Timing of the Nghia Hoang Pho Plea

Last Friday, the guy responsible for getting a bunch of NSA hacking tools stolen from his home computer, 67-year old Nghia Hoang Pho, pled guilty to willful retention of classified information. His plea hearing was held in secret; according to the NYT which broke the story, “one courtroom official described the charges against Mr. Pho as ‘super-sealed’ before the hearing.”

According to the information supporting his guilty plea, Pho had been bringing NSA files home for 5 years, from 2010 to 2015.

I want to note something about the timing of the plea. The actual plea deal is dated October 11. It states that “if this offer has not been accepted by October 25, 2017, it will be deemed withdrawn.” The information itself was actually signed on November 29. Friday, the actual plea, was December 1.

So while there’s not a substantial cooperation component in the plea deal, certainly a substantial amount of time took place in that window, enough time to cooperate.

And consider the news coverage that has happened during that period. The initial plea offer was made in the week following a big media blitz of stories blaming Pho (and through him Kaspersky) for the Russian theft of NSA tools. In the interim period between the offer and the acceptance of the plea deal, Kaspersky confirmed both verbally and then in a full incident report that his AV had found the files in question, while noting that a third party hacker had compromised Pho’s machine during the period he had TAO’s tools on it.

In other words, after at least an 18 month investigation, Pho finally signed a plea agreement as the media started blaming him for the compromise of these tools.

During much of that period, Harold Martin was in custody and under investigation for a similar crime: bringing a bunch of TAO tools home and putting them on his computer. Only, unlike Pho, Martin got slammed with a 20-count indictment, laying a range of files, and not just files from NSA. Indeed, the Pho plea notes,

This Office and the Defendant agree that the Defendant’s conduct could have been charged as multiple counts. This Office and the Defendant further agree that had the Defendant been convicted of additional counts, … those counts would not group with the count of conviction, and the final offense level would have increased by 5 levels.

That is, the government implicity threatened Pho to treat him as Martin had been, with a separate charge tied to the individual files he took.

Since April, Martin’s docket has featured continuation after continuation that might reflect cooperation with the government.

All this leads me to believe that these two investigations may have worked in tandem. Whereas the government originally insinuated Martin had provided the files that Shadow Brokers started leaking in August 2016, the Martin cooperation may have led the government to understand the Pho compromise differently. That is, it’s possible that Pho was the source for Shadow Brokers’ tools (or rather, that both men were), but the government didn’t come to understand that until Martin started cooperating.

It’s not clear whether, between the two of them, it would account for all the files that Shadow Brokers had (nor is it clear that Shadow Brokers ever had all the files made available by one or the other of them by loading them onto their home machine). For example, it’s not clear either would have had the San Antonio files at the center of the Second Source theory.

Whatever the details, the timing of the Nghia Hoang Pho plea may suggest that the government only belatedly came to understand how, by loading a bunch of TAO tools running on his Kaspersky-running computer, made the tools available to a third party hack. Certainly, that would explain why Kaspersky has a better understanding of the timing of all this than the government does.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing probably 3 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

Putting together these posts has been a remarkable experience to see where we’ve been and the breadth of what we’ve covered, on top of mainstays like surveillance. I’m really proud of the work I’ve done, and proud of the community we’ve maintained over the years.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2016

Why Doesn’t Dianne Feinstein Want to Prevent Murders Like those Robert Dear Committed?

I’ve written a lot about how the focus on Islamic terrorism, based on a claim it’s foreign, creates gross inequalities for Muslims in this country, and does nothing to address some of our most dangerous mass killers (as the Stephen Paddock massacre in Las Vegas makes all too clear). This post is one of that series. It focuses on how the ill-advised efforts to use the No Fly List to create a list of those who couldn’t own guns would be discriminatory and wouldn’t add much to safety.

“Only Facts Matter:” Jim Comey Is Not the Master Bureaucrat of Integrity His PR Sells Him As

From the periods when Jim Comey was universally revered as a boy scout through those when Democrats blamed him for giving us Trump (through the time Democrats predictably flip flopped on that point), I have consistently pointed to a more complicated story, particularly with regards to surveillance and torture. I think the lesson of Comey isn’t so much he’s a bad person — it’s that he’s human, and no human fits into the Manichean world of good guys and bad guys that he viewed justice through.

NSA and CIA Hacked Enrique Peña Nieto before the 2012 Election

As Americans came to grips with the fact that Russia had hacked Democrats to influence last year’s election, many people forgot that the US does the same. And it’s not even just in the bad old days of Allen Dulles. The Snowden documents revealed that NSA and CIA hacked Enrique Peña Nieto in the weeks before he was elected in 2012. The big difference is we don’t know what our spooks did with that information.

Why Is HPSCI’s Snowden Report So Inexcusably Shitty?

In 2016, HPSCI released its Devin Nunes-led investigation into Edward Snowden’s leaks. It was shitty. Really shitty.

Now that the HPSCI investigation into the Russian hack (which has not been subjected to the same limitations as the Snowden investigation was) has proven to be such a shit show, people should go back and review how shitty this review was (including its reliance on Mike Flynn’s inflammatory claims). There absolutely should have been a review of Snowden’s leaks. But this was worse than useless.

Look Closer to Home: Russian Propaganda Depends on the American Structure of Social Media

As people began to look at the role of fake news in the election, I noted that we can’t separate the propaganda that supported Trump from the concentrated platforms that that propaganda exploited. A year later, that’s a big part of what the Intelligence Committees have concluded.

The Evidence to Prove the Russian Hack

In this post I did a comprehensive review of what we knew last December about the proof Russia was behind the tampering in last year’s election.

Obama’s Response to Russia’s Hack: An Emphasis on America’s More Generalized Vulnerability

Last year, in a speech on the hack, Obama focused more on America’s vulnerability that made it possible for Russia to do so much damage than he did on attacking Putin. I think it’s a really important point, one I’ve returned to a lot in the last year.

The Shadow Brokers: “A Nice Little NSA You’ve Got Here; It’d Be a Shame If…”

In December, I did a review of all the posts Shadow Brokers had done and suggested he was engaged in a kind of hostage taking, threatening to dump more NSA tools unless the government met his demands. I was particularly interested in whether such threats were meant to prevent the US from taking more aggressive measures to retaliate against Russia for the hack.

2017

On “Fake News”

After getting into a bunch of Twitter wars over whether we’re at a unique moment with Fake News, I did this post, which I’ve often returned to.

How Hal Martin Stole 75% of NSA’s Hacking Tools: NSA Failed to Implement Required Security Fixes for Three Years after Snowden

The government apparently is still struggling to figure out how its hacking tools (both NSA and CIA) got stolen. I noted back in January that an IG report from 2016 showed that in the three years after Snowden, the IC hadn’t completed really basic things to make itself more safe from such theft.

The Doxing of Equation Group Hackers Raises Questions about the Legal Role of Nation-State Hackers

One thing Shadow Brokers did that Snowden and WikiLeaks, with its Vault 7 releases, have not is to reveal the identities of NSA’s own hackers. Like DOJ’s prosecution of nation-state hackers, I think this may pose problems for the US’ own hackers.

Reasons Why Dems Have Been Fucking Stupid on the Steele Dossier: a Long Essay

I believe Democrats have been ill-advised to focus their Russia energy on the Steele dossier, not least because there has been so much more useful reporting on the Russia hack that the Steele dossier only makes their case more vulnerable to attack. In any case, I continue to post this link, because I continue to have to explain the dossier’s problems.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing 4 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

Putting together these posts has been a remarkable experience to see where we’ve been and the breadth of what we’ve covered, on top of mainstays like surveillance. I’m really proud of the work I’ve done, and proud of the community we’ve maintained over the years.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2013

What a Targeted Killing in the US Would Look Like

Amid now-abandoned discussions about using the FISA court to review targeted killing, I pointed out that a targeted killing in the US would look just like the October 28, 2009 killing of Imam Luqman Abdullah.

Article II or AUMF? “A High Level Official” (AKA John Brennan) Says CIA Can Murder You

When the second memo (as opposed to the first 7-page version) used to authorize the killing of Anwar al-Awlaki, it became clear that OLC never really decided whether the killing was done under Article II or the AUMF. That’s important because if it’s the latter, it suggests the President can order anyone killed.

John Brennan Sworn in as CIA Director Using Constitution Lacking Bill of Rights

I know in the Trump era we’re supposed to forget that John Brennan sponsored a whole lot of drone killing and surveillance. But I spent a good deal of the Obama Administration pointing that out. Including by pointing out that the Constitution he swore to protect and defend didn’t have the First, Fourth, Fifth, and Sixth amendment in it.

2014

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

I actually think it’s unreasonable to expect the government’s dragnets to prevent all attacks. But over and over (including with 9/11), NSA gets a pass when we do reviews of why an attack was missed. This post lays out how that happened in the Boston Marathon case. A follow-up continued that analysis.

A Guide to John Rizzo’s Lies, For Lazy Journalists

Former CIA General Counsel John Rizzo lies, a lot. But that doesn’t seem to lead journalists to treat his claims skeptically, nor did it prevent them from taking his memoir as a statement of fact. In this post I summarized all the lies he told in the first 10 pages of it.

Obama to Release OLC Memo after Only 24 Congressional Requests from 31 Members of Congress

Over the year and a half when one after another member of Congress asked for the OLC memos that authorized the drone execution of Anwar al-Awlaki, I tracked all those requests. This was the last post, summarizing all of them.

The West’s Ideological Vacuum

With the rise of Trump and the success of Russia intervening in US and European politics, I’ve been talking about how the failures of US neoliberal ideology created a vacuum to allow those things to happen. But I’ve been talking about the failures of our ideology for longer than that, here in a post on ISIS.

KSM Had the CIA Believing in Black Muslim Convert Jihadist Arsonists in Montana for 3 Months

There weren’t a huge number of huge surprises in the SSCI Torture Report for me (indeed, its scope left out some details about the involvement of the White House I had previously covered). But it did include a lot of details that really illustrate the stupidity of the torture program. None was more pathetic than the revelation that KSM had the CIA convinced that he was recruiting black Muslim converts to use arson in Montana.

2015

The Jeffrey Sterling Trial: Merlin Meets Curveball

A big part of the Jeffrey Sterling trial was CIA theater, with far more rigorous protection for 10 year old sources and methods than given to 4 year old Presidential Daily Briefs in the Scooter Libby trial. Both sides seemed aware that the theater was part of an attempt, in part, to help the CIA gets its reputation back after the Iraq War debacle. Except that the actual evidence presented at trial showed CIA was up to the same old tricks. That didn’t help Sterling at all. But neither did it help CIA as much as government prosecutors claimed.

The Real Story Behind 2014 Indictment of Chinese Hackers: Ben Rhodes Moves the IP Theft Goal Posts

I’ve written a lot about the first indictment of nation-state hackers — People’s Liberation Army hackers who compromised some mostly Pittsburgh located entities, including the US Steel Workers. Contrary to virtually all the reporting on the indictment, the indictment pertained to things we nation-state hack for too: predominantly, spying on negotiations. The sole exception involves the theft of some nuclear technology from Westinghouse that might have otherwise been dealt to China as part of a technology transfer arrangement.

Obama’s Terrorism Cancer Speech, Carter’s Malaise Speech

In response to a horrible Obama speech capitulating to Republican demands he treat the San Bernardino attack specially, as Islamic terrorism, I compared the speech to Jimmy Carter’s malaise speech. Along the way, I noted that Carter signed the finding to train the mujahadeen at almost the exactly moment he gave the malaise speech. The trajectory of America has never been the same since.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing probably 3 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

Putting together these posts has been a remarkable experience to see where we’ve been and the breadth of what we’ve covered, on top of mainstays like surveillance. I’m really proud of the work I’ve done, and proud of the community we’ve maintained over the years.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

 

2011

DOJ Points to David Passaro’s Trial as Proof We Investigate Torture, But It Actually Proves John Yoo Should Be Tried

I’v written a lot about the David Passaro case — the only one associated with the CIA (he was a contractor training Afghans) to be prosecuted for abuse. This post summarizes a lot of the problems with his case and its use to claim that the US ever held itself responsible for torture.

One Year After Collateral Murder Release, DOD’s Networks Are Still Glaring Security Problem

I’ve done a ton of posts on how the government complains about leaks even while it fails to close gaping security holes in its networks. This was one of the first. A day later I noted that DOD wasn’t aspiring to fix these problems until 2013; as it would turn out, Edward Snowden managed to download NSA’s crown jewels before they would fix them.

The Drone War on Westphalia

For Independence Day in 2011, I wrote a post arguing that the damage the use of drones will do to sovereignty will pose a real problem, particularly with regard to the consent of the governed. In a follow-up I argued against invoking “national security” to defend policies that weaken the nation.

Pakistani Bounty Claims: Adnan Farhan Abd Al Latif and TD-314/00684-02

In the first of a bunch of posts on Adnan Farhan abd al Latif, I showed that the intelligence report on which his detention relied — which Judge Henry Kennedy had originally deemed unreliable — probably was used to detain a bunch of people turned over with bounties.

49% of Michigan’s African Americans to Lose Their Right to Self-Governance

As the country started focusing on MI’s disastrous policy of  emergency managers, I was the first to note the moment when half of Michigan’s African Americans lost their right to local self-governance.

2012

Why Has the Government Story about Who Ordered the UndieBomber to Attack the US Changed?

As part of an effort to justify drone-killing Anwar al-Awlaki, the government publicly blamed him for all of Umar Farouk Abdulmutallab’s attack on the US, blame which should have been shared with others in AQAP. This was the first post where I made that clear.

“The Gloves Come Off” Memorandum of Notification

I discovered that language the government was trying to keep classified in the ACLU torture FOIA was not (as ACLU mistakenly believed) a description about waterboarding, but instead an admission that torture was authorized by the September 17, 2001 Memorandum of Notification that authorized a bunch of other programs. This was a key post in a series of posts on the MON.

US Climate Inaction: Blame Dick Cheney

I believe the US invaded Iraq as part of a Cheney-backed decision to double down on our petroleum-based hegemonic position in the world, in the apparent belief that we can clean up the damage from climate change at some later time. Even our shift to fracking is more about power than the environment. Given how catastrophic the Iraq war was, and given everything that has occurred since — not least our singular abstention from the Paris Accord — I think it a particularly ironic choice.

Lanny Breuer Covers Up Material Support for Terrorism

I wrote a ton about Obama’s failure to prosecute the banks that blew up the world’s economy. One of the most important ones was the post where I laid out Lanny Breuer’s efforts to hide the fact that HSBC had materially supported al Qaeda. Of course, it got no more than a hand slap even as Pete Seda was in prison for closely related actions (Seda’s case ultimately blew up).

Other Key Post Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Thin Indictment against Behzad Mesri

I have long cautioned against DOJ’s increasingly frequent practice of indicting hackers from other states as some kind of nation-state escalation. Once we normalize that practice, our own nation-state hackers risk a whole lot of new challenges in retaliation.

But at least for the prior cases, DOJ has shown evidence the substantiate its claims. When, in 2014, DOJ indicted some People’s Liberation Army hackers for spying on the negotiations (and, in just one case, stealing IP) from US entities including the Steelworkers, the indictment described the subject lines of phishing emails, the dates malware was implanted, the file names, the computer hostnames, and the command and control domain names used.

When, in 2016, DOJ indicted some Iranians for DDOS attacks on some banks, the described what roles each hacker played, though, they did not substantiate the claim that the hacking groups, Mersad, “performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.”

The indictment against two FSB officers and two criminal hackers for pwning Yahoo earlier this year was remarkably detailed, going so far as describing communications between the two FSB officers. It provided a screenshot of the cookie manager used to access a Yahoo engineer’s account. It described a long list of victims both within and outside Russia. It listed the dates on which the hackers had shared passwords of victims and provided the transfer details for payments.

It is admittedly possible DOJ provided so many details because the two FSB officers had already been arrested for treason by the time of the indictment.

When, later this year, DOJ indicted Yu Pingan, who reportedly had a role in the OPM hack but who was indicted in conjunction with some compromises of defense contractors, it described the actual dates of compromise, named the exploit, tied Yu and his co-conspirators to domain names used in the hacks, listed those domain IPs, and then used intercepted communications to tie him to his co-conspirators.

Of course, with both Yu (who was picked up while he visited the US for a conference) and Yahoo defendant Karim Baratov who has since been extradited from Canada and appears to be cooperating), there will be an actual prosecution, which explains why DOJ included so much more detail.

But the indictment against Behzad Mesri, an Iranian DOJ today accused of hacking HBO, includes very little meaningful detail.

The indictment foregrounds, in the first paragraph, claims about Mesri’s past ties to the Iranian state, though it never substantiates that claim.

MESRI as a self-proclaimed expert in computer hacking techniques, and had worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.

The actual details proving Mesri’s role in the the attack are far less detailed. While it provides the general timeline of the compromise (May through July), it doesn’t show evidence it knows which accounts got compromised (though it does list the shows that got stolen). It also doesn’t tie Mesri to the pseudonym, Mr. Smith, publicly used by the hackers who released HBO’s files.

Significantly, the most detailed part of the indictment, which describes the extortion, repeatedly describes messages sent from an anonymous email, without tying those emails to Mesri beyond an introductory paragraph alleging he sent them. It asserts Mesri sent emails publicizing his acts — and includes the graphic he included, which made a nice graphic for mainstream reports of the indictment — but doesn’t provide much detail of that, either.

None of that’s to say DOJ doesn’t have the evidence to support this indictment. It just says they seem to have no reason to present it. And why should they? Given that Mesri is almost certainly not going to be extradited, this case will never go to trial.

The thin details here support the reporting from WaPo that DOJ has been pushing prosecutors to unseal indictments in cases against Iranians to support bringing more pressure on the regime.

[T]he HBO case is one of several that senior officials would like to unseal in coming weeks. The push to announce Iran-related cases has caused internal alarm, according to people familiar with the discussions, with some law enforcement officials fearing that senior Justice Department officials want to reveal the cases because the Trump administration wants Congress to impose new sanctions on Iran.

A series of criminal cases could increase pressure on lawmakers to act, these people said.

Asked about that report, [Acting SDNY US Attorney Joon] Kim did not give a direct answer, saying he decided to unseal the charges in the HBO hacking case before the story published. He did acknowledge the short amount of time it took to unseal the charges was unusual for such a case but said that was because of the FBI’s exemplary investigative work.

It may be great investigative work. Perhaps, too, DOJ is just trying to hide any sources and methods that will never need to be disclosed in a trial. But treating this indictment any differently than any other one, particularly than ones that DOJ knows will have to face adversarial challenge, threatens to politicize claims that already carry the potential for international backlash.

By all means, let’s pursue international hackers, and where they have real current ties to their state, lay out that tie. But don’t turn hacking indictments into spectacle to serve larger political whims, because it will diminish the value of other DOJ claims on hacking.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Kaspersky’s Carrot-and-Stick TAO Compromise Incident Report

Last week, Kaspersky released its investigation into the reported collection of NSA hacking tools off an employee’s computer. Kim Zetter did an excellent story on it, so read that for analysis of what the report said.

The short version, though, is that Kaspersky identified a computer in the Baltimore, MD area that was sending a whole slew of alerts in response to a silent signature for Equation Group software from September to November 2014 — a year earlier than the leaked reports about the incident claimed the compromise had happened. Kaspersky pulled in an archive including those signatures as well as some associated files in the normal course of collecting analysis (and, according to Zetter, did not pull other archives of malware also associated with the machine). Kaspersky IDed it as irregular, and — so they’re claiming — the analyst who found it told Eugene Kaspersky (referred to throughout in the third person “CEO” here), who told told the analyst to destroy the source code and related documents immediately. The report claims Kaspersky subsequently instituted a policy mandating such destruction going forward.

As Zetter notes, the timing of events gets awfully murky about when the file got destroyed and the new destruction policy was instituted.

The company didn’t respond to questions about when precisely it instituted this policy, nor did it provide a written copy of the distributed policy before publication of this article.

Meanwhile, during the same period this machine was sending out all the Equation Group alerts, someone hacked it.

It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time,

The report explains this compromise at length, providing (in addition to the precise time), the C&C server URL, a list of 121 other virus signatures found on the machine during the period the Equation Group signatures were alerting. It also links to Kaspersky’s analysis of the backdoor in question, which was developed by Russian criminal hackers.

“It looks like a huge disaster the way it happened with running all this malware on his machine. It’s almost unbelievable,” [Zetter quotes Kaspersky’s director of the company’s Global Research and Analysis Team Costin Raiu].

Thus far, consider what this report does: it makes it clear that Kaspersky has far more detail about the compromise than the anonymous sources leaking to the press are willing to share (all the time with Eugene Kaspersky inviting them to provide more details). It elaborates on the story it had already shared about who the likely culprit was to have stolen and used the files. And it suggests (though I’m not sure I believe it), that it’s entirely the fault of the hacker who turned off Kaspersky’s AV in order to run a pirated copy of Windows Office.

That’s the carrot. Here, Kaspersky is saying, we’ve figured out who stole those files your idiot developer loaded onto his malware-riddled computer. Go get them. Free incident response, three years after the fact!

But it’s the stick I’m just as interested in.

First, as part of its explanation of the process Kaspersky used to hone in on the incident, the report includes a list of hits and false positives on NSA signatures just from September 2014 — effectively providing a list of (dated) malware signatures. While the report notes many of these alerts are false positives, Kaspersky is nevertheless saying, here’s a list of all the victims of your spying we identified for just one month out of the 40 months we just analyzed. Presumably, the hits after September 2014 would have come to include far more true victims.

Then, the report provides a list of all the Equation Group signatures found on the TAO engineers’ computer, providing a snapshot of what one person might work on, a snapshot that would provide useful for those trying to understand NSA’s work patterns.

Even while it provides lists of signatures that will provide others some insight into NSA activity, the report makes a grand show of concern for privacy, redacting the name of the archive as [undisclosed] and including a discussion about how it could have — but chose not to — include the complete file paths of the archive.

Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.

Mind you, FSB is the “higher legal authority” in Russia for such things.

Then, in the guise of claiming how little information Kaspersky has on the individual behind all this, the report makes it clear it retains his IP, from which they could reconstitute his identity.

Q3 – Who was this person?

A3 – Because our software anonymizes certain aspects of users’ information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.

In short, along with providing a detailed description of what likely happened — the hacker got pwned by someone else — Kaspersky lays out all the information on NSA’s hacking activities that it could, if it so chose, make public: who NSA hacked when, who the developer in question is, and more details on how the NSA develops its tools.

But (in the interest of privacy, you understand?) Kaspersky’s not going to do that unless some higher authority forces it to.

Of course, Kaspersky’s collection of all that data on NSA’s hacking is undoubtedly one of the reasons the NSA would prefer it not exist.

A carrot, and a stick.

At the end of her piece, Zetter quotes Rob Joyce laying out the more modest attack on Kaspersky (this stuff shouldn’t be run on sensitive government computers, which it shouldn’t), even while admitting that other AV products have the same privileged access to collect such information on users.

Asked about Kaspersky’s discovery of multiple malware samples on the NSA worker’s home computer, Rob Joyce, the Trump administration’s top cybersecurity adviser who was head of the NSA’s elite hacking division when the TAO worker took the NSA files home and put them on his work computer, declined to respond to Kaspersky’s findings but reiterated the government’s contention that Kaspersky software should be banned from government computers.

“Kaspersky as an entity is a rootkit you run on a computer,” he told Motherboard, using the technical term for stealth and persistent malware that has privileged access to all files on a machine.

He acknowledged that software made by other antivirus companies has the same potential for misuse Kaspersky has but said, Kaspersky is “a Russian company subjected to FSB control and law, and the US government is not comfortable accepting that risk on our networks.”

We shall see if this report serves to halt all the (inaccurate at least with respect to timing, if this report is to be believed) leaks to the press or even the other attacks on Kaspersky.

All that said, there are two parts of this story that still don’t make sense.

First, I share Zetter’s apparent skepticism about the timing of the decision to destroy the source code, which the report describes this way:

Upon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named “[undisclosed].7z” was removed from storage. Based on description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold; We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [note this typo] consumed even to produce detection signatures based on descriptions.

This concern was later translated into a policy for all malware analysts which are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage.

The key sentence — “it was later discovered … the archive file … was removed” — is a master use of the passive voice. And unlike all the other things for which the report offers affirmative data, the data offered here is the absence of data. “It appears” that the archive is no longer in storage, without any details about when it got removed. The report is also silent about whether any of these events — the removal and claimed destruction and the institution of a new policy to destroy such things going forward — were a response to the Duqu 2 hack discovering such files, as well as the one silent signature integrating the word “secret” described elsewhere in the report, on Kaspersky’s servers.

Then there’s the implausibility of an NSA developer 1) running Kaspersky then 2) turning it off 3) to load a bunch of malware onto his computer in the guise of loading a pirated copy of Office 4) only to have a bunch of other malware infect the computer in the same window of time, finally 5) turning the Kaspersky back on to discover what happened after the fact.

Really? I mean, maybe this guy is that dumb, or maybe there’s another explanation for these forensic details.

In any case, the entire report is a cheeky chess move. I eagerly wait to see if the US’ anonymous leakers respond.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Implicit Threat in Julian Assange’s Ambassador Tweet

The other day, I suggested the Twitter Direct Messages between Wikileaks and Don Jr were underwhelming, in that some of the more damning things we might have expected did not show up in those DMs. Since then, several things have become clear. First, there were some time zone inaccuracies behind the timestamps on one of the most inflammatory claims (that Trump immediately tweeted in response to an October 12 DM from Assange; it probably was 75 minutes). And the password Wikileaks shared with Don Jr had been made available to journalists and may have been passed on by Chuck Johnson, who was currying favor with Assange at the time; that minimizes the possibility that such sharing could be deemed a CFAA or other kind of technical violation though puts Johnson more centrally in this picture.

I didn’t say explicitly enough in that post and I should have, though, that I was speaking about Don Jr, not about Wikileaks.

Wikileaks’ contributions do show the organization (and Assange in particular, in those DMs we know involved him) to be self-interested and rabidly anti-Clinton If you haven’t known the latter fact to be true since Hillary did some pretty crazy things in 2010, then you’re new to this rodeo. That said, the tweets did elicit some righteous betrayal from Barrett Brown, which I totally respect given the price he has paid for the claimed idealism of Wikileaks (see also this story).

It’s worth remembering, as Emma Best notes, because they’ve been under unrelenting surveillance since 2010, “WikiLeaks *knew* the DMs were being monitored in real time. It was inevitable that this would leak. Simply calling this dumb misses the point and ignores the tradecraft at play.” Assange, from the refusal of inside information to the demand for an Ambassadorship, was staging a show, and we should remember that.

That said, I’m far more interested in Assange’s subsequent response to the disclosure of the emails, specifically this tweet. In the full DMs released by Don Jr (I think Wikileaks can fairly claim Atlantic took out some context — Atlantic came close to and I think should have just replicated the content of all the DMs, though Brown disagrees), this was the comment Assange made on December 16 asking to be Ambassador.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

On Tuesday, Assange posted an ostensible follow-up to that one, renewing his offer to serve as Ambassador.

Note, Assange had originally misspelled Don Jr’s twitter handle, so deleted and reposted it.

This has been taking as trolling, with Assange’s notion that he’d open a hotel in DC, as the Trumps have, with “luxury immunity suites” for whistleblowers.

But even that’s not trolling. It’s a public renewal, more explicit this time, of Assange’s request for a pardon from Trump Sr, though here he drops the “offer” of the claims laundered through Dana Rohrabacher that the emails Assange published to help Trump get elected came from an insider and not Russia. Assange wants the fuck out of his embassy closet, and he’s willing to say that explicitly, now, in a public tweet (as Best noted, making this request visible for all).

Remember, Rohrabacher was always clear that someone (or someones, but Chuck Johnson is clearly one of those people) had made clear that Trump wanted this information. Was Don Jr in on that loop?

It’s the rest of the tweet that got less attention. First, Assange’s promise of “a turbo-charged flow of intel about the latest CIA plots to undermine democracy,” a remarkable reference coming as it does in the wake of Mike Pompeo’s consideration of an alternative narrative for how Wikileaks got emails (as I noted, scheduled even as John Kelly thwarted Rohrabacher’s attempts to meet with Trump directly), not to mention Trump’s screed at John Brennan and others over the weekend.

Assange is agreeing with Trump, even if no one else is, even as the two of them both seek to push an alternative narrative that doesn’t have the Russians orchestrating Assange’s actions for Trump’s benefit, that the CIA is undermining Trump’s presidency.

It’s the hashtag, though, that most observers missed: Vault 8.

Vault 8 is the name Wikileaks has given for its release — started just Friday — of actual source code for CIA’s hacking tools, after long releasing “just” the development notes and manuals for the same tools. I noted then both the way Wikileaks was picking up Shadow Brokers’ narrative about Kaspersky, but also the multiple references to Wikileaks having the same set of NSA files as Shadow Brokers had.

I noted last December that with the December 14 Shadow Brokers release of new NSA tools (just days before Assange joked about being ambassador), the persona seemed to be engaging in extortion: “Nice little NSA here, it’d be shame if anything would happen to it.” Since that time, Shadow Brokers made good on the threat, leading to global cyberattacks. What Assange seems to be doing is similar: no longer a quid pro quo for safety in DC, but now a threat, using CIA, and tools released in CIA’s name, as hostage.

Assange is not offering to release secrets about CIA, but instead weapons leaked or stolen from them. Sure, to the extent the Vault 7 releases haven’t already, that’ll allow others to attribute CIA attacks. But it’ll also devastate the agency and badly undermine US power.

That appears to be where Assange’s request for immunity has gotten.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Mueller Has Enough Prosecutors to Continue Walking and Chewing Gum While We’ve Been Watching Manafort

NBC has a clickbait story reporting that Robert Mueller has enough evidence to indict Michael Flynn that — by describing that Mueller is still interviewing witnesses about Flynn’s lobbying — undermines its headline.

Mueller is applying renewed pressure on Flynn following his indictment of Trump campaign chairman Paul Manafort, three sources familiar with the investigation told NBC News.

The investigators are speaking to multiple witnesses in coming days to gain more information surrounding Flynn’s lobbying work, including whether he laundered money or lied to federal agents about his overseas contacts, according to three sources familiar with the investigation.

Remember: on high profile investigations like this, interested parties sometimes try to force a prosecutor’s hand by leaking stuff like this (we should also expect people to leak to the press to create pressure for pardons), and in this case the leaking is exacerbated because of the multiple congressional investigations.

Moreover, there’s good reason to doubt the notion that Mueller is moving from target to target sequentially, which some have interpreted the description of Mueller “renewing” pressure on Flynn to suggest. Remember: Mueller has 15 prosecutors, every one of whom is capable of leading this kind of investigation themselves. And there’s at least a hint that Mueller has separate teams working on separate parts of the investigation.

Consider this detail from the motion to unseal the Manafort docket. The motion specifically asked for the whole thing to be unsealed except for this redaction at the top of the indictment itself.

[T]he government respectfully moves for an order unsealing the docket, with the exception of the original indictment, which contains, at the top, administrative information relating to the Special Counsel’s Office.

There are a lot of things that the redaction might hide. One of those is some kind of marking that indicates the organization of the investigation, one which would disclose investigative strategy if it were disclosed now, but would be really useful for historians if it were unsealed after whatever happens happens.

Couple that with the fact that there is no overlap between the prosecutors appearing thus far in the Manafort docket, who are:

  • Andrew Weismann
  • Greg Andres
  • Kyle Freeny

Adam Jed, an appellate specialist, has appeared with these lawyers in grand jury appearances.

And the prosecutors appearing in the Papadopoulos docket, who are:

  • Jeannie Rhee
  • Andrew Goldstein
  • Aaron Zelinsky

It would make sense that the teams would be focused on different parts of the investigation. After all, Mueller has drawn on a fair range of expertise, which I laid out here (see this article for Carrie Johnson’s description of where these folks are on loan from); if I were to do this over, I’d add a special category for money laundering:

  1. Mob specialists: Andrew Weissman and [Lisa Page *] are mob prosecutors.
  2. Fraud specialists: Weissman and Rush Atkinson are also fraud prosecutors.
  3. Corporate crime specialists: Weissman also led the Enron Task force. One of Dreeben’s key SCOTUS wins pertained to corporate crime. Jeannie Rhee has also worked on white collar defense. [Kyle Freeny, who was the last attorney to join the team, is a money laundering expert.]
  4. Public corruption specialists: Mueller hired someone with Watergate experience, James Quarles. And Andrew Goldstein got good press in SDNY for prosecuting corrupt politicians (even if Sheldon Silver’s prosecution has since been overturned).
  5. International experts: Zainab Ahmad, who worked terrorism cases in EDNY, which has some of the most expansive precedents for charging foreigners flown into JFK (including Russia’s darling Viktor Bout), knows how to bring foreigners to the US and successfully prosecute them in this country. Aaron Zelinsky has also worked in international law. Elizabeth Prelogar did a Fulbright in Russia and reportedly speaks it fluently. And, as noted, [Greg] Andres has worked on foreign bribery
  6. Cyber and spying lawyers: Brandon Van Grack is the guy who had been leading the investigation into Mike Flynn; he’s got a range of National Security experience. Aaron Zebley, Mueller’s former chief of staff at FBI, also has that kind of NSD experience.
  7. Appellate specialists: With Michael Dreeben, Mueller already has someone on the team who can win any appellate challenges; Adam Jed and Elizabeth Prelogar are also appellate specialists. Mueller’s hires also include former clerks for a number of SCOTUS justices, which always helps out if things get that far.

In other words, the team that has thus far been involved in the Manafort prosecution have experience prosecuting corporate crime and money laundering, as well as flipping people. The team that has thus far handled Papadopoulos includes Goldstein, a top public corruption prosecutor (who curiously would have had visibility into Manafort related prosecutions in SDNY), Zelinsky, who has both mob and international law expertise, and Jeannie Rhee whose relevant experience includes time in Congress, prosecuting national security related conspiracies, and cybersecurity investigations. The experience of the latter team, in particular, suggests where they might be headed, probably including people in or recently in government, but Rhee’s ties to leaks and cybersecurity might suggest the emails are a bigger part of that investigation than most people have noticed.

Notably absent from these two teams is Brandon Van Grack, who started the prosecution of Mike Flynn and presumably has remained focused on that. So there’s no reason to believe Van Grack would have to renew pressure, aside from pointing to the example of Manafort to prove the seriousness of this investigation, because he probably has just kept up the pressure as we’ve been distracted.

Also of note: we’re still not seeing all the mob and international expertise on Mueller’s team.

All of which is to say we’ve only seen the involvement of at most 7 out of the 15 lawyers on Mueller’s team. I’m sure the remaining 8 haven’t been sitting idle while we’ve all been focusing on Manafort and Papadopoulos.

Update: Because it’s related, I’ll remind that in Papadopoulos’ plea deal, Zelinsky said they wanted to sustain the prohibition on FOIA because,

in the process of his ongoing efforts to cooperate, the Government has shared substantial information with the Defendant that has provided a road map of sorts, to information that might be sought on FOIA. And it will chill the Government’s ability to continue to have the Defendant cooperate if the information that’s being provided by the Defendant and the continued efforts to jog his memory are then used to create a road map to the ongoing investigation.

Update: When this post was first posted I accidentally swapped Weissman for Goldstein in one reference. My apologies.

*Update: As Peredonov notes below, Page left the SCO after I wrote the underlying post. I’ve marked it in the quote and adjusted numbers accordingly.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

We Have No Idea What Emails the Papadopoulos Plea Refer To

In response to yesterday’s server hiccups and in anticipation that Mueller is nowhere near done, we expanded our server capacity overnight. If you think you’ll rely on emptywheel reporting on the Mueller probe, please consider a donation to support the site

As I’ve noted, the George Papadopoulos plea information, reveals that Papadopoulos learned that Russia had “dirt” consisting of “thousands of emails of Clinton” three days before the DNC learned they had been hacked.

And it makes it clear that on April 26 — three days before the DNC figured out Russia had hacked them — Papadopoulos’ handler told him Moscow had dirt on clinton.

The Professor told defendant PAPADOPOULOS that on that trip he (the Professor) learned that the Russians had obtained “dirt” on then-candidate Clinton. The Professor told defendant PAPADOPOULOS, as PAPADOPOULOS later described to the FBI, that “They [the Russians] have dirt on her”; “the Russians had emails of Clinton”; “they have thousands of emails.”

After learning the Russians had emails on Clinton even before Clinton learned it, Papadopoulos “continued to correspond with Campaign officials,” including his Senior Policy Advisor and a High-Ranking Campaign Official.

From this detail, I’ve seen endless amount of shite premised on what these emails were.

For example, Julian Assange tweeted something bizarre about the emails being the emails released mostly in response to a Jason Leopold FOIA. I thought he was trying to pretend he had no inside information from the Russians?

Others are tying the emails to the registration of the DC Leaks website, which had occurred by this point, but which also released more emails pertaining to Ukraine than Democrats.

Others are suggesting that because no one ever found the emails Hillary deleted from her server, the claim must not be correct because there were no emails of Hillary out there.

Others are tying the comment to Podesta’s emails (he was first hacked on March 19). Or they’re claiming incorrectly that the Papadopoulos report must be wrong because the DNC emails were the ones released early on, not the Podesta ones (in fact, the source for about half the earliest released Guccifer 2.0 “DNC” emails appears to be the Podesta emails, and for most of the rest has not be identified).

Others are pointing out — I’m not sure why — that Russia hacked some Republicans.

All of this suggests that people have this mistaken belief that the general public knows the universe of emails that have been hacked, and that all the hacked emails have been released.

Most annoyingly, most people who know better are saying that Russia started hacking the Democrats in spring 2016. But as the Intelligence Committee Assessment lays out, “In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.” And the ICA was always deliberately coy about who else the earlier wave of hacking, by APT 29 associated with FSB, may have hacked (I assure you its targets were prominent), to say nothing of the later APT 28 attribution known to be associated with released emails.

And as I was bitching about this, I was reminded by a Kaspersky researcher that APT 29 had spent the previous year hacking the White House and State Department.

All of which is to say, without more evidence (which Mueller has chosen not to give us yet) we cannot conclude anything about Papadopoulos learning, in April, that Russians were talking about having dirt against Hillary with regards to which emails were on offer; we can only conclude that a person in the campaign learned (and probably shared that knowledge, though Mueller is deliberately withholding that detail too) very early on that Russians were offering up emails as campaign dirt.

Update: In related news, the AP got ahold of a list of APT 28’s targets (though doesn’t emphasize, as it should, that these targets may not have been successfully breached).

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Shorter Kaspersky: Our Home AV Found NSA’s Lost Tools Six Months Before NSA Did

Kaspersky has what it calls a preliminary investigation into the allegations that it obtained NSA tools by taking them from an NSA hacker who loaded them onto his home computer. It follows by just a few days and directly refutes the silly accusations made by Rick Ledgett the other day in Lawfare, most notably that Kaspersky found the tools by searching on “TS/SCI,” much less the “proprietary” Ledgett claimed. I assume the word “preliminary” here means, “Okay, you’ve made your public accusation, now Imma badly discredit you, but I’m holding other details back for your next accusation.”

Instead of finding the hacking tools in early 2015, Kaspersky says, they found the GrayFish tool back on September 11, 2014, probably six months before the anonymous government sources have been saying it was discovered.

And they found it with their home AV.

  • The incident where the new Equation samples were detected used our line of products for home users, with KSN enabled and automatic sample submission of new and unknown malware turned on.
  • The first detection of Equation malware in this incident was on September 11 2014. The following sample was detected:
    • 44006165AABF2C39063A419BC73D790D
    • mpdkg32.dll
    • Verdict: HEUR:Trojan.Win32.GrayFish.gen

After that, what Kaspersky describes as “the user” disabled the AV and downloaded a pirated Microsoft copy onto his computer, which created a backdoor that could have been used by anyone.

  • After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware.

Once that backdoor was loaded, “the user” scanned the computer and found other Equation Group tools.

What Kaspersky is not saying is that this probably wasn’t the TAO hacker, but probably was someone pretending to be the user (perhaps using NSA’s own tools?!), who stole a slew of files then.

Two other points: Kaspersky claims to have called the cops — or probably the FBI, which would have been the appropriate authority, and he claims to call the cops whenever they find malware in the US.

  • Some of these infections have been observed in the USA.
  • As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA.

It’s possible that Kaspersky did inform the FBI, and that FBI routinely gets such notice, but that FBI routinely ignores such notice because they don’t care if NSA is hacking people in the US (which given what we know, is at least sometimes, and would have been during this period, Americans approved for 705(b) surveillance that doesn’t get turned off as is legally required when they return to the US).

In other words, it’s possible that FBI learned about this, but ignored it because they ignore NSA’s illegal hacking the US. Only this time it wasn’t NSA’s illegal hacking, but NSA’s incompetence, which in turn led an NSA hacker to get hacked by … someone else.

Finally, there’s this bit, which is the least credible thing in this announcement. The Kaspersky statement says Eugene himself was informed of the discovery, and ordered the tool (in a kind of one-man Vulnerabilities Equities Process) to be destroyed.

  • After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

I don’t so much doubt that Eugene ordered the malware to be destroyed. Once Kaspersky finished its analysis of the tool, they would have no use for it, and it would add to risk for Kaspersky itself. I just find it remarkable that he would have made the personal decision to destroy this malware at some point after its discovery, but not have raised it until now.

Unless, of course, he was just waiting for someone like Rick Ledgett to go on the sort of record.

Though note how Kaspersky gets conspicuously silent about the timing of that part of the story.

One final point: this new timeline doesn’t explain how Israel (possibly with the involvement of the US) would have found this tool by hacking Kaspersky (unless the decision to destroy the tool came after Kaspersky discovered the hack). But it does suggest the Duqu chicken was chasing the TAO hacker egg, and not vice versa as anonymous sources have been claiming.

That is, the scenario laid out by this timeline (which of course, with the notable exceptions of the Duqu hack and the destruction date for GrayFish, comes with dates and file names and so at least looks more credible than Rick Ledgett’s farcical “proprietary” claims) is that Kaspersky found the file, reported it as an infection to the cops, which likely told NSA about it, leading to the attack on Kaspersky to go try to retrieve it or discover how much else they obtained. That is, Duqu didn’t hack Kaspersky and then find the file. They hacked Kaspersky to find the file that some dopey TAO hacker had made available by running Kaspersky home AV on his computer.

Update: Changed “probable” involvement of US in Duqu hack to “possible.”

Update: Changed “stolen” in title to “lost.”

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.