Andy McCarthy’s Misconception

I was struck, in reading Andy McCarthy’s review of the Michael Cohen and Paul Manafort guilty outcomes last week (in which he measures Trump via a vastly different standard than he once measured Bill Clinton), by this erroneous claim:

The Trump camp continues to stress that Manafort’s case had nothing to do with the original rationale for Mueller’s investigation, “collusion with Russia.” But as we’ve pointed out any number of times, Mueller took over a counterintelligence investigation of Russia’s interference in the 2016 election. Possible Trump-campaign collusion with Russia was just one thread in the larger probe.

The claim that the Trump-campaign “collusion” was just one thread of what Mueller originally took over is false, but utterly critical for McCarthy’s sustained belief that Mueller has not found evidence of a conspiracy between Trump and Russia. While it is true that when Comey confirmed the investigation, he did not specify the structure of the investigation,
I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts. As with any counterintelligence investigation, this will also include an assessment of whether any crimes were committed.
When Rod Rosenstein appointed Mueller, he described Mueller’s scope to include,
  • any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and
  • any matters that arose or may arise directly from the investigation; and
  • any other matters within the scope of 28 C.F.R. § 600.4(a)

Why McCarthy made this error is clear: he uses the existence of and Mueller’s indictments in a broader counterintelligence investigation to sustain his belief that Mueller doesn’t have a “collusion” case against Trump or his associates.

At this point, it does not appear that Mueller has a collusion case against Trump associates. His indictments involving Russian hacking and troll farms do not suggest complicity by the Trump campaign. I also find it hard to believe Mueller sees Manafort as the key to making a case on Trump when Mueller has had Gates — Manafort’s partner — as a cooperator for six months. You have to figure Gates knows whatever Manafort knows about collusion. Yet, since Gates began cooperating with the special counsel, Mueller has filed the charges against Russians that do not implicate Trump, and has transferred those cases to other Justice Department components.

When it comes to the president, I believe the special counsel’s focus is obstruction, not collusion. When it comes to Manafort, I believe the special counsel’s focus is Russia — specifically, Manafort’s longtime connections to Kremlin-connected operatives. Mueller may well be interested in what Manafort can add to his inquiry into the June 2016 Trump Tower meeting (arranged by Donald Trump Jr. in futile hopes of obtaining campaign dirt from Russia on Hillary Clinton). That, however, is not the more serious “collusion” allegation that triggered the Trump thread of the investigation — cyberespionage conspiracy (i.e., Russian hacking of Democratic party emails).

That is, because Mueller indicted trolls and GRU hackers and then spun those prosecutions off to other teams (in the GRU case, back to one of the teams that originally investigated it), it is proof, in McCarthy’s mind, that Mueller isn’t targeting Trump and his associates for conspiring with Russia.

The actual background of the Mueller investigation suggests precisely the opposite. As I noted when Lawfare made precisely the same error in a post on the GRU indictment,

Friday’s indictment is, rather, the result of investigations conducted primarily in San Francisco and Pittsburgh. At the time Comey confirmed the counterintelligence investigation into Trump’s camp and at the time Comey got fired for not shutting the Trump counterintelligence investigation down, those San Francisco and Pittsburgh investigations were totally separate. Those two investigations almost certainly had little if any involvement from Peter Strzok (indeed, they involved a bunch of FBI cyber agents, a division of FBI that Strzok never tired of mocking in his texts to Lisa Page). The DOJ press release from Friday states that explicitly.

This case was investigated with the help of the FBI’s cyber teams in Pittsburgh, Philadelphia and San Francisco and the National Security Division.

Those two investigations (plus the separate one noted in Philadelphia that started later, as I understand it from what a lawyer who represented a witness in that investigation described to me) got moved under the Mueller umbrella sometime in or just before November, and now the GRU officer part of the investigation will be moved back to Pittsburgh where it started, to languish forever like some other nation-state hacker indictments investigated by Western District of Pennsylvania.

Given that both public reporting (starting in February 2017 and extending into November 2017) and Mueller team changes (not to mention my own reporting about the Philadelphia grand jury’s activity in the second half of May 2017 and my own knowledge about where I interviewed and where my interview materials subsequently got moved to) support this narrative, McCarthy (and the Lawfare crowd) might ask why Mueller decided to integrate the cybersecurity parts of the investigation, only to spin the Russian defendants back to other teams once they were indicted?

We can begin to get an answer from the two indictments that — Andy wants to believe — are themselves evidence that Mueller doesn’t have evidence on Trump’s associates but actually are. The Internet Research Agency indictment actually describes three Florida-based Trump campaign officials inconclusively, as if they were either still under investigation or at some legal risk.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected]l.com, to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

And while the GRU indictment (on top of key clauses being misread by virtually everyone who has read it) doesn’t use the same convention to describe Roger Stone’s communications with Guccifer 2.0…

On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who wasin regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”

It pointed to Russia’s response to Donald Trump’s request that they hack Hillary without referring to him one way or another.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a thirdparty provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

What Mueller has done with both of the counterintelligence indictments that McCarthy takes solace in is lay out the Russian side of a conspiracy (and both are charged as conspiracies) with very clear spots into which American co-conspirators may be dropped when Mueller is prepared to do so. (I laid this out at more length in this post.)

Importantly, the fact that some of this investigation started out in other parts of DOJ but then got moved under Mueller make it clear that something came up in the investigation that Mueller and Rosenstein believed required they be moved under Special Counsel when they weren’t there, originally.

Let’s put it this way: Mueller didn’t subsume investigations located elsewhere at DOJ because the Special Counsel needed to be the one to indict a bunch of Russians. He did it to set up the conspiracies that would — that will — later be occupied by Russians and Americans.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Reality Gets A Harsh Sentence

With Update Below!

As many of you may already know, this morning was the sentencing for Reality Winner. She was sentenced to 63 months of incarceration and three years of supervised release upon completion of her term. The supervised release term is rather standard. She will be housed at the Federal Medical Center, Carswell in Fort Worth, Texas. The stated reason was because she is bulimic, but it seems more like a nod to her, and her family, who requested a Texas posting so they would be near. There is no pecuniary fine. I have not seen the official sentencing order yet, but have little to no doubt she will be credited with the time served in pre-trial detention since her arrest on June 3, 2017; i.e. nearly 15 months. So, assuming that, she should be released in about 4 years.

Okay, that is the hard nuts and bolts of Ms. Winner’s sentencing. If you want some more background, please see our old friend Kevin Gosztola at Shadowproof, who has been covering all the Reality Winner court appearances.

All that said, let me address a couple of things. First, the sentence was not unexpected, indeed it was stipulated to in the plea agreement Ms. Winner both signed and allocuted to in open court. While the court technically “could” have deviated downward, there was little to no chance it would given the plea language. Anybody shocked by today’s sentencing has not been paying attention.

Secondly, the government did not “block” Winner’s defenses. I had a discussion on this point with a good friend, Will Bunch, who has admirably written extensively on, and in favor of, Reality. Sadly, the law here is what it is, and not what Will and I would like it to be. Winner’s attorneys filed every motion they could, both to try to win and to protect the record. But those motions were never going to work, they never do, and they did not here.

Jeffrey Sterling also tried all of that. It did not work then, for him, either. Sterling got 42 months in prison. It is hard to compare disparate cases, but in the long run, I personally have a hard time seeing why Reality Winner was worse or more damaging than Jeff Sterling, and yet she got 1.5 times as much incarceration as Sterling. Different DOJ’s, different times and the Trump Administration was already on the record as head hunting for leakers when Winner fell into their lap. So, I guess it is not shocking. They were looking to make an example and there she was.

Now to the after show doings. The United States Attorney for the Southern District of Florida, Bobby L. Christine (never trust a man with two first names), cravenly issued a pompous press release on the sentencing. This is just a taste of the Christine hyperbolic:

The document Winner compromised did, in fact, contain TOP SECRET information about the sources and methods used to acquire the intelligence described in the report. That means it revealed how U.S. Intelligence Agencies obtained information. U.S. Government subject matter experts have determined that Winner’s willful, purposeful disclosure caused exceptionally grave damage to U.S. national security. That harm included, but was not limited to, impairing the ability of the United States to acquire foreign intelligence information similar to the information the defendant disclosed. This was, by no means, a victimless crime.

What’s more, Winner’s exceptionally damaging disclosure was not a spontaneous, unplanned event, but was the calculated culmination of a series of acts. She researched whether it was possible to insert a thumb drive into a Top Secret computer without being detected, and then inserted a thumb drive, WHICH THE GOVERNMENT NEVER RECOVERED, into a Top Secret computer. She researched job opportunities that would provide her access to classified information. At the same time, she searched for information about anti-secrecy organizations, and she celebrated claimed compromises in U.S. classified information.

Note the Trump like raging capital letters? Ooof. It was an unnecessary and prickish public release by somebody that had won and driven the vanquished into the ground. And while Bobby L. Christine took all the glory, he did not do diddly squat himself, the matter was handled by a team of career AUSA’s that he did not even have the common courtesy to mention. Very Trump like.

Okay, so why did Ms. Winner end up here? There are a lot of reasons. First off, while Winner would have pretty clearly been discovered anyway, she disclosed her material to The Intercept, which was far from the only cause of her discovery, but did her no favors either. And the Government, especially the NSA, hates, with a capital H, The Intercept. But again, Reality’s discovery was inevitable even despite that, but it is a factor.

Secondly, the Government has thought all along that she had more material than what The Intercept and Matt Cole received and published. In its sentencing memorandum, the government addressed other areas of concern as to Winner including: her insertion of flash drive into a TS/SCI NSA computer at Fort Meade; her Internet history (which other filings make clear included details on Anonymous, Vault 7, Hal Martin, Assange, and Snowden); her download of Tor; her seeking out employment at Pluribus; and her screenshots of secure drop information.

These bases were generally also why she was detained without bail. That does not make it right, and it is, and remains true, that there is far too much secrecy and cheap classification in the face of the American public’s interest. This is a textbook example of just that. But Reality Winner tried to be a whistleblower and fell into the lurch where there are no such protections for the acts she did. She paid an overly, and draconian, price for what she did because the Trump Administration needed a head on a pike. They got hers. And this morning’s sentencing was the ugly culmination of that.

UPDATE: alright, Trevor Timm at The Intercept, has posted an interesting coda to the Reality Winner goings on today.

WHEN THE INTERCEPT first published the top-secret document, reporters and editors went to the government — as they do every time The Intercept publishes classified documents — to hear the NSA’s views about any information that might truly harm national security. After listening to the agency’s arguments, and out of an abundance of caution, The Intercept redacted a few pieces of information from the document before publishing it.

A key phrase that the government wanted withheld was the specific name of the Russian unit identified in the document. The government was particularly insistent on that point. Since it wasn’t vital to the story that the unit’s name be revealed, nor was it clear — at least at the time — that revealing the unit’s name was in the public interest, The Intercept agreed to withhold it.

But in the indictment of alleged Russian military intelligence operatives that Mueller’s office released last month, the Justice Department revealed the same name: GRU unit 74455. (The unit is also known as the Main Center for Special Technology or GTsST.) The indictment went on to reveal information almost identical to that contained in the document Winner admits to disclosing:

In or around June 2016, KOVALEV and his co-conspirators researched domains used by U.S. state boards of elections, secretaries of state, and other election-related entities for website vulnerabilities. KOVALEV and his co-conspirators also searched for state political party email addresses, including filtered queries for email addresses listed on state Republican Party websites.

In or around July 2016, KOVALEV and his co-conspirators hacked the website of a state board of elections (“SBOE 1”) and stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers

In or around August 2016, KOVALEV and his co-conspirators hacked into the computers of a U.S. vendor (“Vendor 1”) that supplied software used to verify voter registration information for the 2016 U.S. elections. KOVALEV and his co-conspirators used some of the same infrastructure to hack into Vendor 1 that they had used to hack into SBOE 1.

The Justice Department is trying to have it both ways: It’s OK for Mueller to publicly release this information in an attempt to prosecute alleged Russian hackers because it’s in the public interest. But at the exact same time, the government is also claiming that a document including very similar information causes grave harm to national security when disclosed to the public by someone else.

There is a lot more there at Trevor’s post. Without doubling the size of this post, I would like to second the expert opinions submitted by Bill Leonard that Trevor Timm describes and have been long a staple here. There literally is no greater expert on classification than Bill Leonard. That said, it is like the discussion in the main original post. The fight is against archaic, authoritarian and totalitarian laws and legal precedent. Until those are changed, there is reality, and then there is the regrettable case of Reality Winner.

GRU’s Alice Donovan Persona Warned of a WannaCry-Like Event a Year before It Happened

As I disclosed last month, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In this post, I suggested that The Shadow Brokers persona served as a stick to the carrots Vladimir Putin dangled in front of Donald Trump. When Donald Trump took an action — bombing Syria to punish Bashar al-Assad — that violated what I believe to be one of the key payoffs in the election quid pro quo, Shadow Brokers first bitched mightily, then released a bunch of powerful NSA tools that would soon lead to the WannaCry global malware attack.

It turns out GRU warned of that kind of attack a year before it happened.

One of the tidbits dropped into a very tidbit-filled GRU indictment is that GRU ran the Alice Donovan propaganda persona.

On or about June 8, 2016, and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.”

That tidbit has led to some follow-up on the Donovan figure, including this typically great DFRLab piece arguing that Russia had two parallel streams of troll campaigns, the Internet Research Agency one focused on the election, and the GRU one focused on foreign policy.

Donovan was first exposed in December of last year after WaPo reported on and CounterPunch did a review of “her” work after then WaPo reporter Adam Entous contacted CP after learning the FBI believed “she” had some tie to Russia.

We received a call on Thursday morning, November 30, from Adam Entous, a national security reporter at the Washington Post. Entous said that he had a weird question to ask about one of our contributors. What did we know about Alice Donovan? It was indeed an odd question. The name was only faintly familiar. Entous said that he was asking because he’d been leaked an FBI document alleging that “Alice Donovan” was a fictitious identity with some relationship to Russia. He described the FBI document as stating that “Donovan” began pitching stories to websites in early 2016. The document cites an article titled “Cyberwarfare: Challenge of Tomorrow.”

As both pieces emphasize, the first article that Donovan pitched — and “she” pitched it to multiple outlets — pertained to cyberattacks, specifically to ransomware attacks on hospitals.

The article was first published in Veterans Today on April 26, 2016. That’s the same day that Joseph Mifsud first told George Papadopoulos Russia had emails — emails hacked by Donovan’s operators — they planned to leak to help defeat Hillary Clinton.

CounterPunch published the cybersecurity article on April 29. That’s the day the DNC first figured out that GRU (and FSB’s APT 29) had hacked them.

Those dates may well be coincidences (though they make it clear the Donovan persona paralleled the hack-and-leak campaign). I’m less sure about the third publication of the article, in Mint Press, on August 17, 2016, just four days after Shadow Brokers went live. So just days after Shadow Brokers had called out, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!” an article was republished with the penultimate paragraph accusing the US of planning to shut down Iran’s power grid.

Moreover, the U.S. has been designing crippling cyber attack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the U.S. was prepared to shut down the country’s power grid and communications networks.

The basis for that accusation was actually this article, but “Donovan” took out the reference (bolded below) to GRU’s attack on Ukraine’s power grid in the original.

Today such ransomware attacks are largely the work of criminal actors looking for a quick payoff, but the underlying techniques are already part of military planning for state-sponsored cyberwarfare. Russia showcased the civilian targeting of modern hybrid operations in its attack on Ukraine’s power grid, which included software designed to physically destroy computer equipment. Even the US has been designing crippling cyberattack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the US was prepared to shut down the country’s power grid and communications networks.

Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think. [my emphasis]

And “Donovan” adds in this sentence (from elsewhere in the Forbes article).

Government itself, including its most senior intelligence and national security officials are no better off when a single phishing email can redirect their home phone service and personal email accounts.

When this article was first published, the memory was still fresh of the Crackas with Attitude hack, where self-described teenagers managed to hack John Brennan and James Clapper and forward the latter’s communications (among the men serving prison sentences for this attack are two adult Americans, Andrew Otto Boggs and Justin Liverman).

Most of the rest of the article uses the threat of malware attacks on hospitals to illustrate the vulnerability of civilian infrastructure to cyberattack. It cites a Kaspersky proof of concept (recall that Shadow Brokers included a long play with Kaspersky). It cites an FBI agent attributing much of this hacking to Eastern Europe.

Stangl said the hackers, most of them from Eastern Europe, have increasingly targeted businesses, which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.

And the “Donovan” article explains at length — stealing from this article — why hospitals are especially vulnerable to malware attacks.

Such attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets. On average hospitals spent about 2 percent on IT, and security might be 10 percent of that. Compare that percentage to the security spending by financial institutions: for example, Fidelity spends 35 percent of its budget on IT.

Moreover, medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades.

“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise. Also, many hospital computer systems are outdated, bulky and in dire need of upgrades or newer software, he said. But such institutions often don’t have — or don’t want to spend — the money to make sweeping changes.

While it’s still unclear which computer WannaCry first infected in May 2017, Britain’s National Health Service was easily the most famous victim, with about a third of the system being shut down. Not long after WannaCry, NotPetya similarly spanned the globe in wiperware designed to appear as ransomware (though the latter’s use of NSA tools was mostly just show). While the US and UK have publicly attributed WannaCry to North Korea (I’m not convinced), NotPetya was pretty clearly done by entities close to GRU.

And a year before those global pseudo-ransomware worms were launched, repeated just days after Shadow Brokers started releasing NSA’s own tools, GRU stole language to warn of “a nation burrow[ing] its way deeply into the industrial and commercial networks of another state and deploy[ing] ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think.”

(h/t TC for the heads up on this file and a number of the insights in this piece)

Update: MB noted that the “added” sentence actually also comes from the original Forbes article (it links to an earlier column that notes the Crackas tie explicitly).

The MalwareTech Case Resets to Zero: A Dialogue Wherein the Government Repeats “YouTube” Over and Over

Yesterday, the government responded to Marcus Hutchins (MalwareTech)’s renewed challenges, submitted two weeks ago, to the superseding indictment the government used to replace its previous crappy-ass indictment and thereby set the motions process almost back to zero. Here’s my abbreviated summary of what Hutchins argues in the renewed motions, with the government response.

1) Motion for a Bill of Particulars with respect to CFAA charges

Hutchins: Name the 10 or more protected computers I allegedly damaged and the damage I did, because recording and exfiltrating data is not damaging a computer. Also, name the computers I allegedly tried to access without authorization.

Government: We’re going to revert to the outdated definition of malware the Seventh Circuit has already rejected to claim it is damage. Also, we’re going to pretend we used the word intent where you keep nagging us for not doing so.

2) Challenge to Seventh Count (CFAA)

Hutchins: You’ve rewritten the CFAA language, “[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.],” but not included the intentionality language.

Government: Correct! We’ve simply replaced the word “intentionally” with “attempted,” so it’s all good.

[A]n attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” (emphasis added) Because Count Seven is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” (which Hutchins believes to be necessary) would be unnecessary and redundant. See United States v. Rutherford, 54 F.3d 370, 373 (7th Cir. 1995) (stating attempts are intentional acts; and under common law, “an attempt includes the specific intent to commit an unlawful act”).

emptywheel: There are some cases where the government succeeded in convicting people of CFAA without the charged person causing the damage himself, but I’d have to look closer to see if this will fly under Seventh Circuit precedents.

3) Motion to dismiss the whole damn indictment

Hutchins: There was no damage in the damage charges, no wiretapping device in the wiretapping charges, nor did Marcus advertise any such device, and laying out how MalwareTech writes blog posts analyzing malware does not mean he advertised a wiretapping device.

The superseding indictment states that Mr. Hutchins “hacked control panels” associated with a so-called competing malware called Phase Bot and wrote a blog post about it. (First Superseding Indictment ¶ 4(h).) It does not appear that this allegation alone is the basis of any count, as Mr. Hutchins would presumably be charged with a direct—rather than inchoate—violation of § 1030(a)(2)(C) if that were the case. To the extent it is a basis for any count, however, the defense notes that analyzing malware is, in fact, what Mr. Hutchins does professionally. In total, Mr. Hutchins wrote a total of three lengthy blog posts to educate the public about Phase Bot’s structure and functionality. These blog posts were based on Mr. Hutchins’ analysis of Phase Bot installed on his own computers. Any attempt to punish or interfere with Mr. Hutchins’ lawful security research and publishing activities would, of course, violate his First Amendment rights.

Government: We’re going to define malware however we damn well please, even if we have to use a British dictionary rather than the American one the Seventh Circuit uses to throw a Brit in the pokey. Hell, we’re willing to play word games with four different reference books if we need to! But if you use a dictionary to argue the law means what the law says, then you’re cheating.

Therefore, the Court should resist Hutchins’s attempt to limit the scope of sections 2511 and 2512 based on a definition found in one online dictionary; or because “malware” or “spyware” or “software” is not specifically listed in the definition of “electronic, mechanical, or other device.” The reference to “any device or apparatus” is written broadly in order to capture changes in technology.

Also, because Hutchins’ co-conspirator showed a video of malware operating on a computer and both talked about malware operating on a computer in forums, that turns the malware into a device! Presto!

4) Motion to dismiss wiretapping because Congress never intended to charge foreigners with wiretapping and none of the rest of this happened in the United States

Hutchins: “A foreign defendant like Mr. Hutchins is not subject to the jurisdiction of the United States merely because someone else posted a video on the Internet.” And “to the extent that Mr. Hutchins and Individual B interacted while Individual B was purportedly in the United States, that circumstance cannot, as the first superseding indictment tries to do, subject Mr. Hutchins’ alleged dealings with Individual A to domestic prosecution.”

Government: So what if Congress didn’t intend wiretapping to apply extraterritorially? There’s a YouTube! Also, you’re being hypertechnical by arguing Congress’ intent in passing a law. Besides, that was so long ago!

[B]ecause the conduct charged in Counts Two and Three occurred in the U.S. there is no extraterritorial application of U.S. law to foreign conduct. This is true even if Hutchins and Individual A were abroad when the conduct occurred in the U.S.

Also, there’s a YouTube!

emptywheel: One interesting aspect of the government’s desperate attempt to claim the actions of two people outside of the US took place in the US is that the malware in question was sold on location obscuring sites, Darkode and AlphaBay. That doesn’t change that an officer in Easter (as the government calls it at least twice) District of WI bought the malware in WI. But it will do interesting things to the government’s claim that Hutchins and VinnyK “directed” such sales at the US. It all seems to come down to the YouTube.

5) Motion to compel the identity of Randy

Hutchins: In order to shore up your dodgy indictment, you’ve made Randy into an uncharged co-conspirator. Now you really have to give us his ID.

Government: Sure, sure, we’ve included Randy in overt acts to get around the fact that Randy, but not you, intended to steal data so we can argue you’re guilty. But that doesn’t change his role in the investigation. You’re just using a local rule against us. Plus, you were mean to Sabu once on Twitter so obviously you just want to call for reprisal against Randy.

emptywheel: As far as I know MalwareTech has not called for reprisal against me for cooperating with the government against a cybercriminal. Maybe he’s just opposed to cybercriminals blaming others for their own crimes, as Randy appears to have done?


More seriously, I’m going to pull out two more things.

First, here’s some language from the government response in 4 that pretty much sums up their argument.

Second, Hutchins misunderstands the nature of the charges in Count One and Seven and the government’s burden at trial. Conspiracy punishes an illegal agreement. United States v. Read, 658 F.2d 1225, 1240 (7th Cir. 1981) (describing liability for a conspiracy and mail fraud). And it is well established that under conspiracy law, the object of the conspiracy does not need to be achieved for liability to attach. United States v. Donner, 497 F.2d 184, 190 (7th Cir. 1974). Therefore, the government only needs to prove Hutchins conspired to damage computers, not the actual damage he intended.

The same is true for Count Seven. An attempt is a substantial step towards completing the crime with the intent to complete the crime. United States v. Sanchez, 615 F.3d 836, 843-44 (7th Cir. 2010). As with Count One, the government does not have a burden to prove damage; only an attempt to damage.

What the government has done has charged crimes that permit Hutchins to be held liable for criminal acts his co-conspirator maybe possibly intended, even though it’s not clear he had the same intent as his co-conspirator, even if neither had the intent to facilitate wiretapping or damage to computers (depending on what dictionary you use). I make light above, but this is a very powerful aspect of US law, and it shouldn’t be dismissed outright.

Finally, the only place either side addresses false statements (one of the two new charges that’s not just smearing old charges more thinly and using the part of CFAA they should have charged under in the first place, the other being wire fraud) is in argument 4. Hutchins says that because everything else is bunk there are not false statements that can be charged.

If the Court grants this motion as to Counts One Through Eight and Ten, it should also dismiss Count Nine. That count charges a violation of 18 U.S.C. § 1001 and flows from an allegedly false statement Mr. Hutchins made to law enforcement during a post-arrest interrogation focusing on the conduct charged in the broader indictment. Section 1001 is violated only when a false statement is made about a “matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States.” 18 U.S.C. § 1001(a). This motion asserts a lack of domestic jurisdiction over the alleged offenses such that any false statement made by Mr. Hutchins about those offenses is not subject to prosecution under § 1001.

The government (predictably) doesn’t agree. It says jurisdiction doesn’t matter, what matters is that the FBI was investigating.

In this case, the FBI was conducting a criminal investigation which falls within the meaning of “any matter” as used in 18 U.S.C. § 1001. United States v. Rogers, 466 U.S. 475, 476-484 (1984); see also 28 U.S.C. § 533; 28 C.F.R. § 0.85. Additionally, the term “jurisdiction” as used in section 1001 “merely differentiates the official, authorized functions of an agency or department from matters peripheral to the business of that body.” United States v. Rogers, 466 U.S. 475, 476- 484 (1984). Therefore, even if all the other counts of the superseding indictment were dismissed, Count Nine would survive. Hutchins’s motion should therefore be denied.

I fear this argument might well work: that because the FBI was investigating something mostly in a poorly executed attempt to strand Hutchins here so they could make him inform on others, he can be charged with false statements. That’s crazy. But that’s also the way false statements may work.

All of which is to say, a great deal of the government’s argument boils down to, “YouTube! Try this dictionary! YouTube! Or maybe this dictionary! YouTube!” But that doesn’t mean it won’t all work.

Hybrid or Ambiguous, Asymmetric Warfare is Here to Stay

[As always, check the byline — this is Rayne with another minority report.]

After the hacking of the U.S. Office of Personnel Management, I wrote in early 2013 about asymmetric warfare. At the time I was puzzled by Americans’ surprise at such an extensive breach of a government asset by China.

We were warned in 1999 by the PRC in a white paper, Unrestricted Warfare, written by two Chinese military officers. They told us what they perceived about U.S.’ defense stance and where they were likely to press given their perception of our weaknesses and strengths.

Our own military processed this warning; it was incorporated into a number of military white papers. The U.S. intelligence community likewise digested the same white paper and military assessments of the same.

And yet the U.S. was not ready for an asymmetric attack.

More disturbingly, we were warned in 2013 — possibly earlier — that Russia was adopting asymmetric warfare. Valery Gerasimov, Chief of the General Staff of the Armed Forces of Russia, wrote a paper discussing the application of “hybrid warfare” or “ambiguous warfare,” partially exemplified in Russia’s 2014 annexation of Crimea.

Our Defense Department analyzed Gerasimov’s Doctrine, as it is now known. The CNA, a nonprofit research and analysis organization working for DOD, published a paper defining “ambiguous warfare” (pdf):

“Ambiguous warfare” is a term that has no proper definition and has been used within U.S. government circles since at least the 1980s. Generally speaking, the term applies in situations in which a state or non-state belligerent actor deploys troops and proxies in a deceptive and confusing manner—with the intent of achieving political and military effects while obscuring the belligerent’s direct participation. Russia’s actions in Crimea and Ukraine clearly align with this concept, though numerous participants pointed out that it is not a new concept for Russia.

CNA even applied a term used by the U.S. to describe Russia’s military action in Crimea — and yet the U.S. was not ready for an asymmetric attack.

The earlier paper PRC paper, Unrestricted Warfare, elaborated,

War in the age of technological integration and globalization has eliminated the right of weapons to label war and, with regard to the new starting point, has realigned the relationship of weapons to war, while the appearance of weapons of new concepts, and particularly new concepts of weapons, has gradually blurred the face of war. Does a single “hacker” attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? Did CNN’s broadcast of an exposed corpse of a U.S. soldier in the streets of Mogadishu shake the determination of the Americans to act as the world’s policeman, thereby altering the world’s strategic situation? And should an assessment of wartime actions look at the means or the results? Obviously, proceeding with the traditional definition of war in mind, there is no longer any way to answer the above questions. When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits, in short: unrestricted warfare.

If this name becomes established, this kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere. It means that all weapons and technology can be superimposed at will, it means that all the boundaries lying between the two worlds of war and non-war, of military and non-military, will be totally destroyed, and it also means that many of the current principles of combat will be modified, and even that the rules of war may need to be rewritten.

In spite of this warning, the U.S. has not been adequately prepared for asymmetric warfare.

More importantly, the U.S. has not grasped what is meant that “all the boundaries lying between the worlds of war and non-war” no longer exist.

We are in a permanent state of non-war warfare.

And we were warned.

If the CNA’s paper is any indication, the U.S. has been blinded by the lens of traditional warfare. This is an unintended conclusion we can take away from this paper: we are smack in the middle of a debris field in which our entire democratic system has been rattled hard and our president and his dominant political party in thrall to at least one other country’s leader, without a single traditional combat weapon aimed and fired at our military. Yet the paper on “Russia’s ‘Ambiguous Warfare'” looked at the possible effect such war would have on traditional defense, making only the barest effort to include information warfare. The shoot-down over Ukraine of Malaysian Airline flight MH-17 carrying EU citizens offers an example — there is little mention in this paper of Russian and separatists’ efforts to mask the source of the shooting using information warfare, thereby managing to avoid an official invocation of NATO Article 5.

Perhaps the scale of our traditional defense spending and the commitment to sustaining this spending driven by both states’ economies and by corporatocracy locked us into an unwieldy and obstructive mindset unable to respond quickly to new threats. But PRC warned us in 1999 — we have no excuses save for a lack of imagination at national scale, combined with a detrimental perception of American exceptionalism.

If there is something we can still use in this permanent state of non-war warfare, it is one of the oldest lessons of warfare, transcending place, culture, and tradition:

All warfare is based on deception. … Keep him under strain and wear him down. When he is united, divide him. Attack where he is unprepared; sally out when he does not expect you. … 

— Sun Tzu, The Art of War

What were we not expecting? For what were we not prepared? What form may the next ambiguous attack assume, and are we ready to defend ourselves?

More importantly, what does an effective, ambiguous offense look like?

As the Summit Arrives, Keep in Mind that Putin Manages Trump with Carrots and Sticks

As I laid out last week, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In my post revealing that I went to the FBI with information about someone who played a significant role in Russia’s attack on US elections, I revealed that the person sent me a text less than 15 hours after polls closed indicating Trump had ordered Mike Flynn to start working on Syrian issues.

Both Jared Kushner’s public statement and Mike Flynn’s anonymous confidant’s comments corroborate that Trump focused on Syria immediately after the election. I have taken from that that conceding to Russian plans to leave Bashar al-Assad in place is one of the payoffs Trump owed Putin for help winning the election.

For that reason, I want to look at the Shadow Brokers Don’t Forget Your  Base post, posted on April 9, 2017, just three days after Trump retaliated against Syria for a chemical weapons attack on civilians. It was the first post after Shadow Brokers had announced he was going away on January 12 (which, I now realize, was the day after the Seychelles meeting set up a back channel with Russia through Erik Prince). It preceded by days the Lost in Translation post, which released powerful NSA hacking tools that would lead directly to the WannaCry malware attack in May. And while the Don’t Forget Your Base post did release files, it was mostly about messaging.

That messaging included a bunch of things. Among other things (such as that Trump shouldn’t have fired Steve Bannon and should refocus on his racist domestic policies), the post argues that Trump should just own up to Russia helping Trump win the election.

Your Supporters:

  • Don’t care what is written in the NYT, Washington Post, or any newspaper, so just ignore it.
  • Don’t care if you swapped wives with Mr Putin, double down on it, “Putin is not just my firend he is my BFF”.
  • Don’t care if the election was hacked or rigged, celebrate it “so what if I did, what are you going to do about it”.

It talks about what the people who got Trump elected expect.

The peoples whose voted for you, voted against the Republican Party, the party that tried to destroying your character in the primaries. The peoples who voted for you, voted against the Democrat Party, the party that hates, mocks, and laughs at you. Without the support of the peoples who voted for you, what do you think will be happening to your Presidency? Without the support of the people who voted for you, do you think you’ll be still making America great again?

It claims that embracing Russian foreign policy will make America great.

TheShadowBrokers isn’t not fans of Russia or Putin but “The enemy of my enemy is my friend.” We recognize Americans’ having more in common with Russians than Chinese or Globalist or Socialist. Russia and Putin are nationalist and enemies of the Globalist, examples: NATO encroachment and Ukraine conflict. Therefore Russia and Putin are being best allies until the common enemies are defeated and America is great again.

And it argues (in a thoroughly muddled description of what happened) that Trump shouldn’t have bombed Syria.

Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

Good Evidence:

#1 — Goldman Sach (TheGlobalists) and Military Industrial Intelligence Complex (MIIC) cabinet
#2 — Backtracked on Obamacare
#3 — Attacked the Freedom Causcus (TheMovement)
#4 — Removed Bannon from the NSC
#5 — Increased U.S. involvement in a foreign war (Syria Strike)

[snip]

Because from theshadowbrokers seat is looking really bad. If you made deal(s) be telling the peoples about them, peoples is appreciating transparency. But what kind of deal can be resulting in chemical weapons used in Syria, Mr. Bannon’s removal from the NSC, US military strike on Syria, and successful vote for SCOTUS without change rules?

[snip]

Mr Trump, we getting it. You having special empathy for father whose daughter is killed. We know this is root cause for anti-illegal immigrant policy. Illegal immigrant shoot man’s daughter in San Francisco. Now is Syrian man daughter killed by chemical gas. We agree its needless tragedy. But tragedies happening everyday and wars endangers all the children not just Syrian.

There is, admittedly, a lot going on here, even ignoring that it sounds like a batshit insane rant.

But is also that case that Shadow Brokers had gone away in the transition period. And then shortly after Trump bombed Syria, he came back, and very quickly released tools he had threatened to release during the transition period. The release of those tools did significant damage to the NSA (and its relations with Microsoft and other US tech companies) and led directly to one of the most damaging malware attacks in history.

It is my opinion that Russia manages Trump with both carrots — in the form of election year assistance and promises of graft — and sticks — in this case, in the form of grave damage to US security and to innocent people around the world.

And Trump is poised to head into a meeting with Vladimir Putin on Monday — showing no embarrassment about the proof laid out yesterday that without Putin, Trump wouldn’t have won the election — to discuss (among other things) a deal on Syria.

Meanwhile, Trump’s own Director of National Intelligence, Dan Coats, says the lights are blinking red like they were in advance of 9/11.

Director of National Intelligence Dan Coats raised the alarm on growing cyberattack threats against the United States, saying the situation is at a “critical point” and coming out forcefully against Russia.

“The warning signs are there. The system is blinking. It is why I believe we are at a critical point,” Coats said, addressing the Hudson Institute in Washington, DC, on Friday.

“Today, the digital infrastructure that serves this country is literally under attack,” he said.
Coats compared the “warning signs” to those the United States faced ahead of the September 11 terrorist attacks.

Rather than doing the things to prepare for an attack, Trump has virtually stood down, firing his very competent cyber czar and providing no order to take more assertive steps to prepare for an attack.

This is why I came forward two weeks ago to talk about how quickly someone involved in the election attack learned of Trump’s policy shift on Syria. I believe Trump is cornered — has allowed himself to be cornered. And in spite of everything, Trump is prepared to go alone into a meeting on Monday with Vladimir Putin — the guy wielding both carrots and sticks against Trump — and make a deal.

Everyone is worried that Putin might release a pee tape. I think what Putin holds over Trump may be far more serious. And if something happens, know that there’s good reason to believe Trump brought it on the country himself, willingly.

The Tea Leaves on Mueller’s Hand Off

As part of writing this post, I confirmed for the first time that the prosecutor I spoke with regarding the Russian attack is not and never has been part of the Mueller team (among other things, I think that means Peter Strzok never got within a mile of my testimony, which is why I asked). But a prosecutor who was involved in discussions setting up my interview is, and the Special Counsel’s Office certainly seemed to recognize my interview as part of the investigation when I alerted them I was going to publish that text. Given that the FBI agents I spoke with didn’t know what topics I cover for a living (and seemed to get wiser about the person we were discussing over two breaks), my guess is that DOJ assigned a team segmented off from the investigation to ensure that no one accidentally dropped hints about the investigation. That’s all just a wildarseguess, though. DOJ has gone to great lengths to ensure I don’t learn anything from the process, as is proper.

Having that tiny glimpse into how DOJ used a prosecutor uninvolved in the case in chief to talk to me about what may have become part of the case in chief is background to explain why I doubt some of the conclusions made in this piece, reporting that Mueller has divvied up tasks to career prosecutors from elsewhere in DOJ.

As Mueller pursues his probe, he’s making more use of career prosecutors from the offices of U.S. attorneys and from Justice Department headquarters, as well as FBI agents — a sign that he may be laying the groundwork to hand off parts of his investigation eventually, several current and former U.S. officials said.

Mueller and his team of 17 federal prosecutors are coping with a higher-then-expected volume of court challenges that has added complexity in recent months, but there’s no political appetite at this time to increase the size of his staff, the officials said.

[snip]

Investigators in New York; Alexandria, Virginia; Pittsburgh and elsewhere have been tapped to supplement the work of Mueller’s team, the officials said. Mueller has already handed off one major investigation — into Trump’s personal lawyer, Michael Cohen — to the Southern District of New York.

The only thing that is clearly new in this paragraph is that Mueller has involved prosecutors in Pittsburgh. As the paragraph itself notes, [part of] the investigation into Michael Cohen got handed off to SDNY. But that’s because it involves conduct — a hush money payment that Cohen arranged from Manhattan and taxi medallion fraud — that don’t clearly relate to Russian election interference. Other reports suggest that conduct more closely tied to the election, such as Cohen’s involvement in inauguration graft, remains in Mueller’s hands.

Similarly, we know of at least one EDVA prosecutor involved in Mueller’s investigation. Uzo Asonye got moved onto the team to placate TS Ellis. He will presumably present a good part of the trial that starts later this month, freeing up another member of that team to focus on the DC side of Manafort’s corruption. But that move was driven, in significant part, from Ellis’ direction.

With Michael Cohen and Paul Manafort, there’s plenty of corruption to spread across multiple districts! Heck, Manafort’s former son-in-law is cooperating against him based off a case in LA, and Dmitri Firtash, who is under indictment in Chicago, is one of four oligarchs explicitly named in Manafort’s search warrant.

And, frankly, I’m offended by this passage.

Mueller indicted 13 Russian individuals and three entities in February on charges of violating criminal laws with the intent to interfere with the U.S. election through the manipulation of social media.

None of the targets are in the U.S., but one of them, the Internet Research Agency, has forced Mueller into another legal fight in federal court. The two sides have been sparring most recently over how to protect sensitive investigative materials from disclosure. Mueller has enlisted prosecutors with the U.S. Attorney’s office in Washington to handle the case.

I’m offended not just because the passage is factually false: the entity mounting a defense is Concord Management, not Internet Research Agency. But because one should never label a defendant mounting a defense as “forc[ing the prosecutor] into another legal fight.” Yes, Concord’s defense is trollish lawfare aiming to discover intelligence. But that is the risk of using indictments to lay out nation-state information operations.

Also, as I suggested in this post and this post, commentators have made far too much of the technical requirements of the Concord case. The government will use no classified data in the trial, if the trial ever really happens. Which suggests the case will be a glorified call records case, showing that the people running certain accounts were operating from certain IP addresses. That’s not to minimize the import of call records in proving crimes. But it’s just not the most technically difficult case to prove.

Which brings us back to Pittsburgh. In fact, Pittsburgh has already been involved in this case — back when the investigation of the hack of the DNC lived there, as many nation-state hacking cases do. Now, it is definitely true that the hack investigation had, at some point, been moved under Mueller; I know of a witness to the hack who was interviewed at Mueller’s office. But if Mueller’s team of 17 were focused more closely on the “collusion” case, I could imagine them moving the hack case back to where it started.

If that’s actually what happened, it would amount to a hand off, of sorts. But it may not be all that momentous a development. Rather, it might reflect Mueller’s (and Rod Rosenstein’s) continued efforts to keep the matters he will prosecute (as distinct from investigate) closely related to the “collusion” case. That seems like a sound decision both form a resourcing perspective, but it’s a good way to rebut claims that he’s a runaway prosecutor.

What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling — that Hutchins will learn of the informant, Randy’s, identity at least a month before trial, if not before, as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served for punishing a guy because he achieved renewed notice by doing something good?

Two Days after Julian Assange Threatened Don Jr, Accused Vault 7 Leaker Joshua Schulte Took to Tor

Monday, the government rolled out a superseding indictment for former NSA and CIA hacker Joshua Schulte, accusing him (obliquely) of leaking the CIA’s hacking tools that became the Vault 7 release from Wikileaks. The filings in his docket (as would the search warrants his series of defense attorneys would have seen) make it clear that the investigation into him, launched just days after the first CIA release, was always about the CIA leak. But when the government took his computer last spring, they found thousands of child porn pictures dating back to 2009. It took the government over three months and a sexual assault indictment in VA to convince a judge to revoke his bail last December, and then another six months to solidify the leaking charges they had been investigating him from the start.

But the case appears to have taken a key turn on November 16, 2017, when he did something — it’s not clear what — on the Tor network. While there are several things that might explain why he chose to put his release at risk by accessing Tor that day, it’s notable that it occurred two days after Julian Assange tweeted publicly to Donald Trump Jr that he’d still be happy to be Australian Ambassador to the US, implicitly threatening to release more CIA hacking tools.

Schulte was, from days after the initial Vault 7 release, apparently the prime suspect to be the leaker. As such, the government was always interested in what Schulte was doing on Tor. In response to a warrant to Google served in March 2017, the government found him searching, on May 8, 2016, for how to set up a Tor bridge (Schulte has been justifiably mocked for truly abysmal OpSec, and Googling how to set up a bridge is one example). That was right in the middle of the time he was deleting logs from his CIA computer to hide what he was doing on it.

When he was granted bail, he was prohibited from accessing computers. But because the government had arrested him on child porn charges and remained coy (in spite of serial hold-ups with his attorneys regarding clearance to see the small number of classified files the government found on his computer) about the Vault 7 interest, the discussions of how skilled he was with a computer remained fairly oblique. But in their finally successful motion to revoke Schulte’s bail, the government revealed that Schulte had not only accessed his email (via his roommate, Schulte’s lawyer would later claim), but had accessed Tor five times in the previous month, on November 16, 17, 26, and 30, and on December 5, 2017, which appears to be when the government nudged Virginia to get NYPD to arrest him on a sexual assault charge tied to raping a passed out acquaintance at his home in VA in 2015.

Perhaps the most obvious explanation for why Schulte accessed Tor starting on November 16, 2017, is that he was trying to learn about the assault charges filed in VA the day before.

But there is a more interesting explanation.

As you recall, back in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017 of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year followed by a more formal one on May 10, 2018 that remains in place.

There’s a reason I think those Tor accesses may actually be tied to Assange’s implicit threat. In January of this year, when his then lawyer Jacob Kaplan made a bid to renew bail, he offered an excuse for those Tor accesses. He claimed Schulte was using Tor to research the diaries on his experience in the criminal justice system.

In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

Someone posted those diaries to a Facebook account titled “John Galt’s Defense Fund” on April 20, 2018 (in addition to being an accused rapist and child porn fan, Schulte’s public postings show him to be an anti-Obama racist and an Ayn Rand worshiping libertarian).

Yesterday, Wikileaks linked those diaries, which strikes me as an attempt to corroborate the alibi Schulte has offered for his access to Tor last November.

The government seems to have let Schulte remain free for much of 2017, perhaps in search of evidence to implicate him in the Vault 7 release. Whether it was a response to a second indictment or to Assange’s implicit threats to Don Jr, Schulte’s use of Tor last year (and, surely, the testimony of the roommate he was using as a go-between) may have been one of the keys to getting the proof the government had been searching for since March 2017.

Whatever it is, both Wikileaks and Schulte would like you to believe he did nothing more nefarious than research due process websites when he put his bail at risk by accessing Tor last year. I find that a dubious claim.


2009: IRC discussions of child porn

2011 and 2012: Google searches for child porn

April 2015: Rapes a woman (possibly partner) who is passed out and takes pictures of it

March to June 2016: Schulte deleting logs of access to CIA computer

May 8, 2016: Schulte Googles how to set up a Tor bridge

November 2016: Leaves CIA, moves to NY, works for Bloomberg

December 16, 2016: Assange DM to Don Jr about becoming Ambassador

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

February 4, 2017: Wikileaks starts prepping Vault 7

March 7, 2017: Wikileaks starts releasing Vault 7

March 13, 2017: Google search warrant

March 20, 2017: Search (including of cell phone, from which passwords to his desktop obtained)

June 2017: Interview

August 17, 2017: Dana Rohrabacher tries to broker deal for Assange with Trump

August 23, 2017: Arrest affidavit

August 24, 2017: Arraignment

THE COURT: Well, it sounds like, based on the interview, that he knew what the government was looking at.

MR. LAROCHE: That wasn’t the basis of the interview, your Honor.

 

MR. KOSS: I think it was either two or three [interviews]. I think it was three occasions. I was there on all three, including one of which where we handed over the telephone and unblocked the password to the phone, which they did not have, and gave that to them. And as I said, I have been in constant contact with the three assistant U.S. attorneys working on this matter literally on a weekly basis for the last 4, 5, 6 months. And any time Mr. Schulte even thought about traveling, I provided them an itinerary. I cleared it with them first and made sure it was okay. On any occasion that they said they might want him close so that he could speak to them, I cancelled the travel and rescheduled it so that we would be available if they needed him at any given time.

October 2, 2017: Bail hearing

MR. LAROCHE: Well, I believe there still is a danger because it’s not just computers, your Honor, but electronic devices are all over society and easy to procure and this type of defendant having the type of knowledge he has does in terms of accessing things — so he has expertise and not only just generally computers but using things such as wiping tools that would allow him to access certain website and leave no trace of it. Those can be done from not just a computer but from other electronic devices.

But the child pornography itself is located on the defendant’s desktop computer. They can be accessed irrespective of those servers. So if all the government had was this desktop computer, we could recover the child pornography. So I think this idea that numerous people had access to the serves and potentially could have put it there, is simply a red herring. This was on the defendant’s desktop computer. And the location where it was found, this sub-folder within several layers of encryption, there were other personal information of the defendant in that area. There was his bank accounts. I think there was even a resume for the defendant where he was storing this information. And the passwords that were used to get into that location, those passwords were the same passwords the defendant used to access his bank account, to access various other accounts that are related to him. So this idea that he shared them with other people, the government just strongly disagrees.

October 11, 2017: Schulte lawyer Spiro withdraws

October 24, 2017: At Trump’s request Bill Binney meets with Mike Pompeo to offer alternate theory of the DNC hack

November 8, 2017: Status hearing

SMITH: I believe the government has told us that there’s more data in this case than in any other like case that they have prosecuted.

MR. STANSBURY: Let me just clarify that part first. We proposed this just in an abundance of caution given the defendant’s former employer and the fact that — and I meant to flag this before. I apologize now for not. There’s a small body of documents that were found in the defendant’s residence that were taken from his former employer that might implicate some classified issues. We have been in the process of having those reviewed and I think we’re going to be in a position to produce those in the next probably few days. But we wanted to just make sure that we were acting out of an abundance of caution in case any SEPA [sic] issues come about in the case. I don’t expect them too at this point but we wanted to do that out of an abundance of caution.

November 9, 2017: Wikileaks publishes Vault 8 exploit

November 14, 2017: Assange posts Vault 8 Ambassador follow-up

November 14, 2017: Arrest warrant in VA

November 15, 2017: Charged in Loudon County for sexual assault

November 16, 2017: Use of Tor

November 17, 2017: Use of Tor

November 26, 2017: Use of Tor

November 29, 2017: Abundance of caution, attorney should obtain clearance

November 30, 2017: Use of Tor

December 5, 2017: Use of Tor, Smith withdraws

December 7, 2017: NYPD arrests on VA warrant for sexual assault

December 12, 2017: Move for detention, including description of email and Tor access

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network. TOR networks enable anonymous communications over the Internet and could be used to download or view child pornography without detection. Indeed, the defendant has a history of using TOR networks. The defendant’s Google searches obtained in this investigation show that on May 8, 2016, the defendant conducted multiple searches related to the use of TOR to anonymously transfer encrypted data on the Internet. In particular, the defendant had searched for “setup for relay,” “test bridge relay,” and “tor relay vs bridge.” Each of these searches returned information regarding the use of interconnected computers on TOR to convey information, or the use of a computer to serve as the gateway (or bridge) into the TOR network.

December 14, 2017: US custody in NY

MR. KAPLAN: Well, your Honor, we’ve obtained the discovery given to prior counsel, and I’ve started to go through that. In addition, there was one other issue which I believe was raised at our prior conference, which was a security clearance for counsel to go through some of the national security evidence that might be present in the case.

While most of the national security stuff does not involve the charges, the actual charges against Mr. Schulte, the basis for the search warrants in this case involve national security.

So I’m starting the process with their office to hopefully get clearance to go through some of the information on that with an eye towards possibly a Franks motion going forward. So I would ask for more time just to get that rolling.

January 8, 2018: Bail appeal hearing

MR. KAPLAN: Judge, on the last court date, when we left, the idea was that we had consented to detention with the understanding that Mr. Schulte would be sent down to Virginia to face charges based on a Virginia warrant. None of that happened. Virginia never came to get him. Virginia just didn’t do anything in this case. But before I address the bail issues, I think it’s important that this Court hear the full story of how we actually get here. At one of the previous court appearances, I believe it was the November 8th date, this Court asked why the defense attorney in this case would need security clearance. And the answer that was given by one of the prosecutors, I believe, was that there was some top secret government information that was found in Mr. Schulte’s apartment, and that out of an abundance of caution it would be prudent that the defense attorney get clearance. But I don’t think that’s entirely accurate.

While the current indictment charges Mr. Schulte with child pornography, this case comes out of a much broader perspective. In March of 2017, there was the WikiLeaks leak, where 8,000 CIA documents were leaked on the Internet. The FBI believed that Mr. Schulte was involved in that leak. As part of their investigation, they obtained numerous search warrants for Mr. Schulte’s phone, for his computers, and other items, in order to establish the connection between Mr. Schulte and the WikiLeaks leak.

As we will discuss later in motion practice, we believe that many of the facts relied on to get the search warrants were just flat inaccurate and not true, and part of our belief is because later on, in the third or fourth search warrant applications, they said some of the facts that we mentioned earlier were not accurate. So we will address this in a Franks motion going forward, but what I think is important for the Court is, in April or May of 2017, the government had full access to his computers and his phone, and they found the child pornography in this case, but what they didn’t find was any connection to the WikiLeaks investigation. Since that point, from May going forward, although they later argued he was a danger to the community, they let him out; they let him travel. There was no concern at all. That changed when they arrested him in August on the child pornography case.

[snip]

The second basis that the government had in its letter for detaining Mr. Schulte was the usage of computers. In the government’s letter, they note how, if you search the IP address for Mr. Schulte’s apartment, they found numerous log-ons to his Gmail account, in clear violation of this court’s order. But what the government’s letter doesn’t mention is that Mr. Schulte had a roommate, his cousin, Shane Presnall, and this roommate, who the government and pretrial services knew about, was allowed to have a computer.

And more than that, based on numerous conversations, at least two conversations between pretrial services, John Moscato, Josh Schulte and Shane Presnall, it was Shane’s understanding that pretrial services allowed him to check Mr. Schulte’s e-mail and to do searches for him on the Internet, with the idea that Josh Schulte himself would not have access to the computer.

And the government gave 14 pages of log-on information to establish this point. And, Judge, we have gone through all 14 pages, and every single access and log-in corresponds to a time that Shane Presnall is in the apartment. His computer has facial recognition, it has an alphanumeric code, and there is no point when Josh Schulte is left himself with the computer without Shane being there, and that was their understanding.

LAROCHE: And part of that investigation is analyzing whether and to what extent TOR was used in transmitting classified information. So the fact that the defendant is now, while on pretrial release, using TOR from his apartment, when he was explicitly told not to use the Internet, is extremely troubling and suggests that he did willfully violate his bail conditions.

 

KAPLAN: In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

 

LAROCHE: Because there is a classified document that is located on the defendant’s computer, it is extremely difficult, and we have determined not possible, to remove that document forensically and still provide an accurate copy of the desktop computer to the defendant.

So in those circumstances, defense counsel is going to require a top secret clearance in order to view these materials. It’s my understanding that that process is ongoing, and we have asked them to expedite it. As soon as the defendant’s application is in, we believe he will get an interim classification to review this material within approximately two to three weeks. Unfortunately, that hasn’t occurred yet. So the defendant still does not have access to that particular aspect of discovery. So we are working through that as quickly as we can.

January 17, 2018: Bail appeal denied

March 15, 2018: Sabrina Shroff appointed

March 28, 2018: Initial ban of Internet access and visitors for Assange

April 20, 2018: Schulte’s diaries (ostensibly the purpose of using Tor) posted

May 10, 2018: Ecuador bans visitors for Assange

May 16, 18, 2018: Documents placed in vault

May 16, 2018: Schulte Facebook site starts legal defense fund

June 18, 2018: Schulte superseding indictment

June 19, 2018: Wikileaks posts links to diary

The New Cyber Sanctions

Even as Trump was working hard to get Russia admitted back into the G-7, Treasury was preparing new cyber sanctions against a number of “Russian” entities. This appears to be an effort to apply sanctions for activities exploiting routers and other network infrastructure (activities that the US and its partners engage in too) that US-CERT released a warning about in April.

One of the designated entities in controlled by and has provided material and technological support to Russia’s Federal Security Service (FSB), while two others have provided the FSB with material and technological support.  OFAC is also designating several entities and individuals for being owned or controlled by, or acting for or on behalf of, the three entities that have enabled the FSB.

[snip]

Examples of Russia’s malign and destabilizing cyber activities include the destructive NotPetya cyber-attack; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; and global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyber-attacks.  Today’s action also targets the Russian government’s underwater capabilities.  Russia has been active in tracking undersea communication cables, which carry the bulk of the world’s telecommunications data.

I’ve included the entire list of sanction targets below.

On paper, at least, it looks like Treasury is sanctioning:

  • An entity, Divetechnoservices, that helps Russia tap into submarine cables along with three of its employees (another thing our spooks do, but one the US and especially UK have been increasingly worried about from Russia); the Treasury release notes that Divetechnoservices got the contract for a FSB submersible craft way back in 2011
  • An entity, Kvant Scientific Research Institute, that has been a research institute for FSB since August 2015 and, since April 2017, the prime contractor on an FSB project
  • An entity, Digital Security, that as of 2015 worked on a project that would expand Russia’s offensive cyber capabilities; the sanctions also include two companies the release claims are Digital Security subsidiaries, both which have US and Israeli locations

All of these were sanctioned under E.O. 13694, which, as amended, included attacks on election processes; given the dates, they might be implicated in the election year hacks, or might just be deemed a threat to national security. Just Kvant was also sanctioned under CAATSA, which is the more general sanctions program forced onto Trump by Congress. I’ve also put the language for the two of those below.

And, as Lorenzo F-B notes, the heads of two of the sanctioned alleged subsidiaries of Digital Security, ERPScan and Embedi, say they have nothing to do with the company.

But one of the security companies named in the new sanctions, ERPScan, denied having anything to do with the Russian government in an email to Motherboard.

“The only issue is that I and some of my peers were born in Russia, oh, cmon, I’m sorry but I can’t change it,” ERPScan’s founder Alexander Polyakov told me. “We don’t have any ties to Russian government.”

ERPScan is mostly known for its product that hunts for vulnerabilities in companies’ systems provided by SAP, a popular German enterprise software maker. Cyber Defense Magazine gave ERPScan an award this year for “best product” in its artificial intelligence and machine learning category.

[snip]

Polyakov, however, claimed that as of 2014, ERPScan is a “private company registered in the Netherlands” and that it has no connections “with other companies listed in this document.”

[snip]

“The news came to us as an unpleasant surprize. We never worked for Russian government, but indeed we have some former Russian researchers in our Research Team (some of them are former employees of Digital Security),” Alex Kruglov, Embedi’s head of marketing, told Motherboard in an email. “It is the only reason we can figure out to be added to a sanctions list.”

And they’re both legit cybersecurity companies, which at the very least raises questions (as the Kaspersky targeting did) about whether this is just infosec protectionism. If these protestations are correct, however, it renews real questions about the accuracy of sanction claims made under Treasury Secretary Steve Mnuchin.

The first indication that Mnuchin’s Treasury Department was offering bullshit to fulfill Congress’ demand for sanctions came when Treasury released a list of Russian oligarchs in January that was basically just the Forbes list of richest Russians, including a number that oppose Putin.

President Trump’s Treasury Department releaseda list of prominent Russian political figures and business leaders who have prospered while Vladimir Putin has led Russia.

The list features 210 people, including politicians such as Prime Minister Medvedev and Minister of Defense Sergey Shoygu. Also on the list are 96 “oligarchs.” Within hours of the list’s posting , media organizations began pointing out the similarity between the 96 billionaires listed and the Russians that appear on Forbes’ 2017 list of the World’s Billionaires.

Forbes went through the lists and confirmed that indeed the Treasury Department’s list is an exact replica of the Russians on the 2017 billionaires list.

For a bit, I thought the list released in March, which added a few new GRU officers, might have reflected new knowledge about GRU officers involved in the targeting of the DNC. Except it turned out those officers were just people readily identifiable off public GRU records. Treasury basically could have gotten them from a spook phone book.

Treasury did better with non-cyber Ukraine-related sanctions in April. It actually named several figures — most obviously Oleg Deripaska and Alexander Torshin — suspected of having played key roles in the election interference. Since then, Deripaska and his aluminum company Rusal have pursued financial games to shield Rusal from sanctions. He’s doing this with the help of Mercury Public Affairs — the Vin Weber lobbying group that shows up in a lot of Manafort’s indictments — and former Trump aide Brian Lanza, who now works there. So it’s not clear whether Deripaska will be significantly impacted.

With that history in mind, it’s worth asking whether Treasury simply can’t do cyber sanctions well, both because it’s hard to distinguish infosec from hacking (it would be equally difficult to do so for any of a number of contractors with close ties to FBI, the analogue of the companies that got sanctioned yesterday), and perhaps because Treasury doesn’t have good intelligence on who is hacking for Russia. Or perhaps Mnuchin is just obstinate.

But thus far, the history of Treasury’s selections on Russian related cyber sanctions leaves quite a bit to be desired.


Today’s action includes the designation of five Russian entities and three Russian individuals pursuant to E.O. 13694, as amended, as well as a concurrent designation pursuant to Section 224 of CAATSA.

Digital Security was designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  As of 2015, Digital Security worked on a project that would increase Russia’s offensive cyber capabilities for the Russian Intelligence Services, to include the FSB.

ERPScan was designated pursuant to E.O. 13694, as amended, for being owned or controlled by Digital Security.  As of August 2016, ERPScan was a subsidiary of Digital Security.

Embedi was designated pursuant to E.O. 13694, as amended.  As of May 2017, Embedi was owned or controlled by Digital Security.

Kvant Scientific Research Institute (Kvant) was designated pursuant to E.O. 13694, as amended, and Section 224 of CAATSA for being owned or controlled by the FSB.  In August 2010, the Russian government issued a decree that identified Kvant as a federal state unitary enterprise that would be supervised by the FSB.

Kvant was also designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  As of August 2015, Kvant was a research institute with extensive ties to the FSB.  Furthermore, as of April 2017, Kvant was the prime contractor on a project for which the FSB was the end user.

Divetechnoservices was designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  Since 2007, Divetechnoservices has procured a variety of underwater equipment and diving systems for Russian government agencies, to include the FSB.  Further, in 2011, Divetechnoservices was awarded a contract to procure a submersible craft valued at $1.5 million for the FSB.

Aleksandr Lvovich Tribun (Tribun) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of December 2017, Tribun was Divetechnoservices’ General Director.

Oleg Sergeyevich Chirikov (Chirikov) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of March 2018, Chirikov was Divetechnoservices’ Program Manager.

Vladimir Yakovlevich Kaganskiy (Kaganskiy) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of December 2017, Kaganskiy was Divetechnoservices’ owner.  Previously, Kaganskiy also served as Divetechnoservices’ General Director.


EO 13694 as amended

E.O. 13694 authorized the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.  The authority has been amended to also allow for the imposition of sanctions on individuals and entities determined to be responsible for tampering, altering, or causing the misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

CAATSA Section 224

IN GENERAL.—On and after the date that is 60 days after the date of the enactment of this Act, the President shall— (1) impose the sanctions described in subsection (b) with respect to any person that the President determines— (A) knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or (B) is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly, a person described in subparagraph (A);

[snip]

SIGNIFICANT ACTIVITIES UNDERMINING CYBERSECURITY DEFINED.—In this section, the term ‘‘significant activities undermining cybersecurity’’ includes— (1) significant efforts— (A) to deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or (B) to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of— (i) conducting influence operations; or (ii) causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain; (2) significant destructive malware attacks; and (3) significant denial of service activities.


image_print