FBI Decided Four Months after They Arrested MalwareTech that He Told Them He Hadn’t Been Drinking before the Arrest

Marcus Hutchins’ (AKA MalwareTech) defense team has replied to the government’s response to their motion to compel discovery; they are seeking evidence pertaining to his arrest and about the people (his co-defendant, Tran, and an informant, “Randy”) on whom Hutchins was incidentally collected. Here’s my post on the original defense motion, and the one on the government response showing that this case is all about incidental collection.

FBI’s discussions about what to do about a drunken MalwareTech

As I laid out, the defense claims that Hutchins was intoxicated and exhausted when he was arrested awaiting a transatlantic flight after a week of partying at hacker conferences in Las Vegas. The government claims they asked Hutchins if he had been drinking, and (they claim) he said no.

This latest filing shows that the FBI was concerned about just that. FBI Agents had an email discussion the day Hutchins was arrested discussing what they should do if he was drinking.

That production included one e-mail, dated August 2, 2017 (the day of Mr. Hutchins’ arrest), discussing what the agents should do if Mr. Hutchins started drinking at the airport (the plan: “pull him out of terminal”). This shows the agents’ contemporaneous awareness of, and concern about, the possibility of Mr. Hutchins being impaired. There surely might be other communications, including e-mails and text messages on agents’ phones, touching on the voluntariness of Mr. Hutchins’ supposed proper waiver of his Miranda rights, as well as the voluntariness of the resulting statement.

The government claims that the Agents asked Hutchins if he had been drinking as part of their interview (only part of which was recorded). Except they didn’t memorialize that contemporaneously. They wrote it up into a 302 “over four months after the arrest” — so sometime after December 2.

The government makes much of the fact that Mr. Hutchins was asked by FBI agents if he had been drinking. But even if the FBI 302 (which was written over four months after the arrest) is accurate, it does not mention exhaustion or other possible forms of intoxication (it only mentions drinking).

Consider how this looks, given another detail from the defense reply: that the FBI didn’t turn over that 302 (or the email showing the FBI was concerned that Hutchins might be drinking) until the day they submitted their response on January 19.

The government’s response neglects to mention that these records that the government references as being disclosed “recently” were produced to the defense earlier on the same day the response was filed.

Incorporating the details provided in this status report produces this timeline:

November 21: Defense and prosecution lawyers try to resolve these issues including questions about whether Hutchins was intoxicated, and conclude they weren’t going to be able to resolve them.

[C]ounsel for the government and counsel for Mr. Hutchins participated in a conference call in an attempt to resolve open issues related those discovery requests. Despite our best efforts, we have been unable to resolve those issues.

After December 2: FBI creates 302 memorializing claim that they asked Hutchins whether he had been drinking.

December 7: Hutchins’ lawyers tell the government they’re going to file a motion compelling this discovery.

[C]ounsel for Mr. Hutchins informed the government they intend to file a motion for an order that compels the government to produce certain materials to the defense.

January 5: Defense files motion to compel.

January 19: Government turns over 302 claiming they asked if Hutchins had been drinking when they arrested him and response to motion to compel.

In spite of the fact that FBI itself was worried on the day they arrested him about whether Hutchins would be sober enough for an interrogation, they never got around to claiming that they had made sure he was until after some time, potentially months, of discussions about that question and after they had decided they couldn’t get the defense to stop asking for it.

I’d say that’s pretty sketchy.

Government didn’t get around to surveilling Hutchins until July 26

In my post on the government response, I wondered why there would be a surveillance report from July 26, but not one from when Hutchins first arrived in Las Vegas on July 21.

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The defense reply explains it: for whatever reason, Agents in Wisconsin didn’t get around to asking Las Vegas FBI to start surveillance on Hutchins until July 26.

Since the agents started surveillance on July 26, 2017 and it ran through August 2, 2017, it is inconceivable that the agents actively surveilling him exchanged nothing but a single e-mail right before Mr. Hutchins’ arrest.1

1 The only other e-mail disclosed by the government appears to have been sent from an FBI agent in Milwaukee on July 26, 2017, and requests FBI Las Vegas assistance to conduct surveillance of Mr. Hutchins.

For some reason, the FBI either didn’t realize the guy they had just indicted on July 11 was coming to the US until well after he got here in spite of the fact that 1) he had been to Black Hat the year before 2) he was talking about coming again on Twitter 3) he tracked his flight into the country on Twitter, or they didn’t decide they were going to arrest him until after he had been here for a while.

So arresting Hutchins was so urgent they had to do it before he left the country (to avoid extradition), even if he had been drinking (and interviewing him while he was still confused and without counsel was such a priority they couldn’t let him just catch up on his sleep in jail).

But not so urgent they had prepared enough for his well-advertised arrival in the weeks before he arrived to have Las Vegas’ FBI ready to surveil him.

The Government Built Its Criminal Case against MalwareTech Off Incidental Collection

The government has responded to MalwareTech’s (Marcus Hutchins) demand for more evidence by refusing everything. Along the way, they reveal that the bulk of the case against Hutchins arises from him being incidentally collected off two other criminal suspects, Tran (his co-defendant) and Randy (an informant who provided testimony against him in conjunction with his own criminal exposure).

Twenty-somethings claiming they’re not drunk occifer

As for rebuttals of the points made in his demand, the government has two rebuttals as to the substance of Hutchins’ argument, versus the law. First, they claim that Hutchins told the FBI he wasn’t drunk when they arrested him, contrary to the claim made to support a demand for materials on the surveillance of him leading up to his arrest.

Before the interview started, Hutchins told agents that he was not under the influence of alcohol.

Apparently they made a separate 302 (of unknown date) to memorialize their claim he told them he wasn’t drunk.

In addition to those materials, the government recently disclosed an additional FBI 302 report memorializing the defendant’s statement that he was not under the influence of alcohol at the time of his arrest,

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The government’s “intentional” fuckups may lead to superseding indictments

The government seems to cede Hutchins’ suggestion that it flubbed the language on “intention” versus “knowledge” on at least one and maybe a second charge against him.

Hutchins claims that the indictment is defective because Count Two of the indictment states that the defendant acted “knowingly” instead of “intentionally.” 3 Likewise, despite the fact that Count Six charges an attempt, Hutchins argues Count Six fails to allege that defendant “intentionally” attempted to cause damage to a protected computer.4 This, however is not an allegation of “error in the grand jury proceedings” under Rule 12(b)(3)(A)(v). It is an allegation of a defect in the indictment under Rule 12(b)(3)(B)(v). Thus, if Hutchins truly believes Counts Two and Six are facially defective, he can file a motion dismiss those counts under Rule 12(b)(3)(B)(v).

3 Count Two appears to contain a drafting error because Counts Three and Four, which also allege violations of 18 U.S.C. § 2512, state that the defendant acted “intentionally” rather than “knowingly.” This further undermines Hutchins’ speculation that the grand jury was erroneously instructed.

4 According to Seventh Circuit jury instructions, an attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” Therefore, because Count Six is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” would be unnecessary and redundant.

But they generously offer to fix that problem in a superseding indictment.

The government has already explained to the defense that it will likely seek a superseding indictment in this case. That superseding indictment would address any possible drafting errors noted by the defense.

Given that elsewhere they say the informant, Randy, who provided information against Hutchins, discussed “involvement in creating the Kronos banking Trojan, among other criminal conduct” [my emphasis] with him in online chats, they seem to be suggesting that if the defense makes too big a deal about this they’ll add charges against Hutchins.

Incidentally collected defendants get nothing

Perhaps most interesting, this filing demonstrates the degree to which Hutchins’ prosecution stems from his incidental collection in investigative efforts targeting Tran and Randy. In fact, precisely because he was incidentally collected and not personally targeted, the government claims it doesn’t have to provide affidavits that might explain how — and more importantly, why — they decided to arrest Hutchins.

For example, the government argues Hutchins can’t have the MLAT requests, which are used to ask other countries to provide information for a criminal prosecution. In this case, MLATs obtained  information on Tran, the guy who sold the Kronos malware Hutchins is alleged to have helped write. The government refuses to hand these over, in part, because they don’t get signed by FBI Agents, but instead get signed by lawyers.

Here, the defendant relies on Rule 16(a)(1)(E)(i) in seeking disclosure of MLATs and search warrant applications. But that Rule is inapplicable. With regard to MLATs, they are not signed or attested to by law enforcement agents. Instead, they are signed by an attorney representing the United States. Information received in response to an MLAT that is subject to disclosure under Rule 16 has been, and will continue to be, turned over to the defense in this case. Indeed, the defendant acknowledges that he has received materials responsive to an MLAT request. Doc. #44 at 17. The MLAT request itself, however, is not subject to production. In fact, MLAT requests (rather than the responsive materials) are explicitly excluded from production under Rule 16(a)(2).

Moreover, because the MLAT was targeted at Hutchins’ co-defendant, and not him, he doesn’t get it.

Moreover, the MLAT request submitted in this case related to Hutchins’s codefendant and not Hutchins. As noted above, the government has disclosed materials received in response to the MLAT, but the MLAT itself is not subject to production under Rule 16, Giglio, Brady, or § 3500.

There is one still undisclosed search warrant affidavit in the case. But because that was used to incriminate Randy, the informant, Hutchins won’t get that either.

With regard to search warrant materials, the government has explained to Hutchins that no search warrants were executed that focused on Hutchins’ activities. There was a search warrant executed in an unrelated case that revealed statements made by Hutchins to CS-1, and those statements were turned over in discovery under Rule 16. But, there is no authority supporting the production of that search warrant affidavit or other documents relating to that warrant. The warrant was executed at a residence in the United States and did not involve Hutchins’ property or privacy interests. The affidavit is not subject to disclosure under 18 U.S.C. § 3500 because it was made in connection with an unrelated investigation. Given the separation between this case and the other investigation, the government does not believe at this time that the affiant’s statements in the affidavit supporting that warrant “relate to the subject matter of the testimony” to be presented in this case. 18 U.S.C. § 3500.

The government seems pretty lackadaisical towards Hutchins’ co-defendant

The government’s unwillingness to turn over information on the other alleged criminals in this case is particularly interesting given how uninterested they seem in him. The filing reveals that someone working undercover for the FBI did have discussions with Tran about Kronos (again, this is malware that had no significant US victims in the form Hutchins is alleged to have been involved in it), and they collected postings on it off the Darkode forum.

In support of this request, Hutchins asserts that such items “must be material to preparing Mr. Hutchins’ defense” because the indictment alleges a conspiracy; that “the government may be withholding information that could exculpate Mr. Hutchins”; and that he has a right to “locate the codefendant.” Doc. #44 at 8-9. Because the government has disclosed information relating to the codefendant, and there is no authority supporting the defendant’s request for additional information, his motion to compel the production of this information should be denied.

Of note, Hutchins’ codefendant has not yet been arrested in connection with this case. And, the government has disclosed certain information relating to the codefendant to Hutchins. This includes (1) the codefendant’s name; (2) materials responsive to an MLAT request that included a redacted copy of the codefendant’s passport; (3) undercover chats between the codefendant and the FBI related to the marketing, sale, and distribution of Kronos; and (4) various Internet postings related to Kronos that are attributable to one of the aliases used by the codefendant, including on the now shuttered Darkode forum.

But the government hasn’t obtained any information about the other things Tran was selling on dark markets.

Hutchins’ speculation that “the government must be withholding substantial additional information in its possession,” including information that may show the codefendant acted independently of Hutchins, is not supported. Doc. #44 at 8. While it might be true that the codefendant was involved in criminal activity in addition to distributing Kronos with Hutchins, the government is not suppressing that information. It simply does not possess such information. If additional records in the government’s possession are identified and deemed material, the government will provide those records to the defendant.1

That suggests he’s not really the target here.

More interesting still, the government claims it hasn’t yet identified any records from its AlphaBay seizure pertaining this malware they claim is so important they’ve arrested the guy who stopped the WannaCry malware attack.

1 In his motion, Hutchins states that “the government likely has records of the codefendant’s activities on AlphaBay.” Doc. #44 at 9. The government is still pursing information from the AlphaBay marketplace, but it has not yet located any materials subject to disclosure.

It seems virtually impossible that they wouldn’t find information in the seized servers,  if it was, at all, a priority. Which seems to suggest the opposite — not finding anything — may be a priority.

By providing evidence that suggests the government simply isn’t all that interested in Tran (if, as his name suggests, he’s Vietnamese, he may be beyond any extradition treaty), the government dismisses the possibility that Hutchins or his friends could find Tran (not an unreasonable possibility, because that’s how hackers roll).

[Hutchins] told agents that he knew his codefendant only by various online aliases; his dealings with his codefendant were all online; and he has never met his codefendant in person or even seen a photograph of the codefendant. It therefore makes no sense for Hutchins to claim that, if provided the requested “materials and communications,” he will be able to locate the fugitive codefendant and obtain exculpatory information from that individual.

But along the way, this prevents Hutchins from arguing that this case is all trumped up to go after him, for some reason.

Hiding Randy and the carding charges he’s working off

More interesting, still, the government is going to some lengths to hide Randy, the informant they call CS-1 who provided information on Hutchins.

The list of what they have provided in discovery provides some outline of how they got to Randy.

In reality, the government has produced the following materials related to CS-1: (1) A redacted proffer letter between the government and CS-1; (2) undercover chats between a government cooperator and CS-1 regarding the sale of stolen credit card numbers; (3) chats between CS-1 and Hutchins regarding Hutchins’ involvement in creating the Kronos banking Trojan, among other criminal conduct; and (4) a redacted FBI 302 report (which Hutchins refers to in his motion) memorializing a FBI interview of CS-1 regarding Hutchins and others.

It seems that a third part (the “government cooperator,” who himself may be an informant working off criminal charges) provided the FBI chats showing discussions with Randy of carding activity. This led to the FBI to go after Randy. He, in turn, made a proffer to the government offering to cooperate, presumably in exchange for leniency in his own case. That led to an interview with the FBI where Randy provided information on Hutchins “and others.”

Note that the government doesn’t tell us when all this happened?

The government argues that Randy is a mere tipster who wasn’t (yet) being controlled by the FBI at the time, and so they won’t have to let Hutchins question Randy about these underlying circumstances unless they put Randy on the stand, even though they concede he might (as someone working off his own criminal exposure) might actually be a transactional witness.

CS-1’s position in this case is more of a like a “mere tipster” than a transactional confidential informant. Hutchins sent a copy of the Kronos malware to CS-1 in 2015, but CS-1 was not acting as an agent for the government at that time. If the government called CS-1 as a witness at trial, his/her primary role would be to testify about the third-party admissions Hutchins made during chats with CS-1. Even if the Court found CS-1 acted more like a transactional witness, that finding does not automatically justify disclosure of CS-1’s identity. United States v. McDowell, 687 F.3d 904, 911 (7th Cir. 2012). The defendant would still need to establish that knowing CS-1’s identity is “relevant and helpful to his defense or is essential to a fair determination of a cause,” Wilburn, 581 F.3d at 623. Here, his request for disclosure of CS-1’s identity is based on speculation, which is insufficient. See Valles, 41 F.3d at 358 (“The confidential informant privilege ‘will not yield to permit a mere fishing expedition, nor upon bare speculation that the information may possibly prove useful.’” (quoting Dole, 870 F.2d at 373)).

The government argues that Hutchins is only speculating that learning who Randy is would be material to his defense, and uses that to argue that they don’t have to reveal Randy’s name so Hutchins can test whether it’s material to his defense.

The government generously agrees to give Hutchins Randy’s real name if they call him to testify, but then boast that Hutchins’ jail phone calls mitigate the need to put Randy on the stand.

Nonetheless, the government agrees to disclose CS-1’s identity to the defense if it determines that CS-1 will be a testifying witness at trial.2

2 To be sure, it might not be necessary to call CS-1 as a witness at trial because the defendant was shown the chats he had with CS-1 during his post-arrest interview and the defendant admitted that he was one of the parties in those conversations. Later, the defendant made phone call from jail in which he described the chats as “undeniable.” Therefore, the admissions Mr. Hutchins made to CS-1 are admissible non-hearsay statements, which Mr. Hutchins previously identified as accurate.

There are a slew of reasons Randy’s identity is of particular interest. Not least, that unknown entities engaged in serial credit card fraud to try to disrupt Hutchins’ defense fundraisers. As I’ve suggested, that means that entities engaged in probable criminal credit card fraud made a concerted effort to thwart Hutchins’ ability to mount the most robust defense.

Is the FBI even investigating who disrupted Hutchins’ defense fundraising efforts? Would they do so if it would hurt their case?

All of which leaves the distinct impression that the government isn’t all that interested in the two suspected criminals implicated in the case against him, but are very interested in ratcheting up the pressure on Hutchins himself.

And because they got to Hutchins via incidental collection — and not direct targeting — they might succeed in doing so.

 

Let the Pro-Oprah Resistance Beware: Scam in Progress?

A majority of Americans are really frustrated right now but they shouldn’t let their guard down at the first sign of hope. Tapping someone’s anger is an easy way for scammers and other hostile agents to get access to personal information and in some cases, money.

One likely example of opportunism is the National Committee to Draft Oprah Winfrey for President of the United States 2020. There have been emails sent to folks soliciting their support to recruit Oprah Winfrey to run for president in 2020 — except the entity sending the emails looks like vaporware.

There’s a simple yet attractive website with a countdown clock to Election Day 2020 and a sign up form as well as a donate button, along with a means to share the website across social media.

A press release announcing this effort is published as a separate page at the website, too.

Except that the press release — unlike authentic press releases — gives zero information about the organization except for an email address.

The website itself has no About Us, no Directors or Founders or Managers or Team page. There’s no information about a nonprofit or other political entity behind this, only an organization name, a claim to copyright, and the two pages — Home and Press Release.

And absolutely no Privacy Policy or Terms of Use provided, nor is the page set up for Hyper Text Transfer Protocol Secure (HTTPS) protocol (for this reason I am not providing a link to the site).

The website’s domain registration is masked, only showing DomainsByProxy as the registrar. Do a WhoIs lookup on the Democratic Party’s domain for comparison; you’ll find the domain isn’t masked at all and both a physical address as well as contact information are readily available.

The worst part of this is the repeated use of a quote by Winfrey’s long-time partner, Stedman Graham, as a justification for this ‘movement’. Yet nowhere on the site does Graham appear as a founder, director, manager, team member, or even an endorser.

If one of these emails should show up in my inbox, I’m going to treat it as a spearphishing attempt and mark it spam. Because I haven’t received and looked at one of these emails, I can’t rule out these emails are, in fact, phishing attempts of some kind.

The website itself should be treated with suspicion; without more evidence of a legitimate organization behind it, it’s merely a pretty address harvesting tool and an opportunity for a scam artist to pick up some easy liberal cash.

How easily could an outfit like Cambridge Analytica match up these harvested addresses against Facebook and voters’ records, to identify which voters to suppress with Oprah-flavored micro-targeted messaging via social media? It’d be worth a pretty penny to an opponent (and their sponsors) facing stiff headwinds in 2020.

If there is a real movement which is serious about recruiting Oprah, for goodness sake show up at local Democratic Party meetings and learn how to do this correctly. Don’t let Oprah get turned unknowingly and without her consent into another Russian tool to fragment the party by drafting her from outside the party.

P.S. Hey Tom Perez and Keith Ellison — perhaps a little tighter control on domains.democrat addresses is worth your time, to prevent Democratic Party supporters? Didn’t the DNC learn anything from the past two years about cybersecurity?

[Image on home page via National Committee to Draft Oprah Winfrey for President of the United States 2020, published here under Fair Use.]

The Government’s MalwareTech Case Goes (Further) To Shit

MalwareTech’s lawyers just submitted a motion to compel discovery in his case. It makes it clear his case is going to shit — and that’s only the stuff that is public.

DOJ is hiding what drunken MalwareTech understood about un-common law

First, the motion reveals that even though the FBI recorded its interview with Marcus Hutchins at the Las Vegas airport, where Hutchins allegedly admitted to creating the Kronos malware (though in actuality Hutchins only admitted to creating that code), they somehow forgot to record (or even write down) the Miranda warning part.

After Mr. Hutchins was taken into custody, two law enforcement agents interviewed him at the airport. The memorandum of that interview generically states: “After being advised of the identity of the interviewing Agents, the nature of the interview and being advised of his rights, HUTCHINS provided the following information . . .” A lengthy portion of Mr. Hutchins’ interview with the agents was audio recorded. Importantly, however, the agents did not record the part of the interview in which they purportedly advised of him of his Miranda rights, answered any questions he might have had, and had him sign a Miranda waiver form.

This is important for several reasons. First, Hutchins is a foreign kid. And while I presume he has seen Miranda warnings a jillion times on the TV, those warnings are different in the US than they are in the UK, contrary to whatever else we might share as common law.

Mr. Hutchins is a citizen of the United Kingdom, where a defendant’s post-arrest rights are very different than in the United States.4 The United Kingdom’s version of Miranda contains no mention of the right to counsel, and if a defendant does not talk, it may later be used against him under certain circumstances.5 Because of this, any government communications in advance of Mr. Hutchins’ arrest and regarding how to advise him of his rights under Miranda are important to demonstrate that Mr. Hutchins would not have understood any purported Miranda warnings and that he was coerced to waive his rights.

4 United Kingdom law requires the following caution being given upon arrest (though minor wording deviations are allowed): “You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in Court. Anything you do say may be given in evidence.”

So the specific wording of the warning he got would be especially important to understand whether he was told how things are different here in the former colonies, where you’re always told you can have a lawyer.

Also Hutchins was drunk and — because he’d been at DefCon and Black Hat all week — exhausted. But the defense can’t show that because the government isn’t turning over any of the surveillance materials from the week the FBI was surely following Hutchins in Las Vegas.

The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest.

The government doesn’t want you to know co-defendant Tran is just a convenient excuse to arrest MalwareTech

Next, the government is withholding both information about Hutchins’ co-defendant, and the MLAT request the government used to get that information. The co-defendant’s last name is Tran, but the government has been hiding that since it accidentally published the name when Hutchins’ docket went live. Tran has not yet been arrested, but apparently there was evidence relating to him in a country that would respond to an American MLAT request. The government hasn’t turned it over.

[T]he government may be withholding information that could exculpate Mr. Hutchins. For example, any material showing that the codefendant operated independently of Mr. Hutchins’ alleged conduct would tend to demonstrate that they did not conspire to commit computer fraud and abuse (Count 1). The indictment itself supports that notion: it alleges that the codefendant advertised and sold the Kronos malware independently of Mr. Hutchins. (Indictment at 3 ¶ 4(e)-(f).) Moreover, the indictment alleges that the malware was advertised on the AlphaBay market forum, which the Department of Justice seized and shut down on July 20, 2017 in cooperation with a number of foreign authorities.8 In connection with that case, the government likely has records of the co-defendant’s activities on AlphaBay that it has not produced (e.g., records obtained through MLAT requests).

They also haven’t turned over the MLAT application itself, which would explain why some country has turned over evidence on Tran, but not Tran himself.

To date, the government has produced materials responsive to a single MLAT request, and has declined to produce the MLAT request itself. The MLAT request, however, surely contains information regarding the government’s theory of the case and may have been signed by an agent who will testify at trial. MLAT requests vary from country to country, but they can be quite similar to search warrants, since they are often used to obtain documents.

DOJ won’t tell you which ham sandwiches the grand jury intended knowed to indict

Hutchins’ lawyers then ask for the grand jury instructions because the indictment as charged doesn’t get the mens rea necessary for the underlying charges. Basically, two of the charges against Hutchins were laid out as if the only thing needed for a crime was to knowingly do something, as opposed to intentionaly do it.

The defense needs the legal instructions for an anticipated motion to dismiss the indictment. One ground for that motion is that at least two of the charged counts are defective on their face, failing to include the appropriate mens rea. Since the two counts deviate materially from the required and heightened mental states set forth in the operative statutes, this demonstrates likely irregularities in how the grand jury was instructed on the law.

[snip]

Count 6 suffers from a similar defect. It charges that the defendants:

[K]nowingly caused the transmission of a program, information and command and as a result of such conduct, attempted to cause damage without authorization, to 10 or more protected computers during a 1-year period. In violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (ii), (c)(4)A(i)(VI), 1030(b), and 2.

(Indictment at 8 (emphasis added).)

But 1030(a)(5)(A) states it is illegal to:

[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.] (Emphasis added.)

Likewise, the Seventh Circuit Pattern Jury Instructions state the elements of the offense are:

1. The defendant knowingly caused the transmission of a [program; information; code; command]; and

2. By doing so, the defendant intentionally caused damage to a protected computer without authorization. (Emphasis added.)

The plain text of 1030(a)(5)(A) and the Pattern Jury Instructions leave no doubt that Count 6, as it is pleaded, does not include the requisite “intentional” mens rea for causing damage without authorization, again failing to allege an essential element of the offense.

Effectively, they’re arguing that the government has charged Hutchins for knowingly done something when they had to charge him for intentionally doing something. Which, given that his code was probably used without his knowledge, is going to present difficulties. And so Hutschins’ team is going to attack the indictment itself.

Considering that Counts 2 and 6 misstate the required mental states specified in the statutes, there is a high likelihood the government did not properly instruct the grand jury on the law, and the grand jury returned a legally defective indictment, as a result of improper legal instructions.

What about “Randy”?

But the thing that intrigues me the most about this case is that some guy the government is naming “Randy” — because they don’t want to actually reveal anything about this dude — is a key witness against Hutchins. 

The defense expects “Randy” to testify at trial because he is alleged to have had extensive online chats with Mr. Hutchins around the time of the purported crimes in which Mr. Hutchins discussed his purported criminal activity. Any communications and materials relating to “Randy” are therefore material to defense preparations.

The defense argues that the government is treating Randy like a tipster rather than a witness as a way to hide who he is. This is worth citing at length (also note Marcia Hofmann and Brian Klein added local lawyer Daniel Stiller, who — I presume — is Seventh Circuit citing with great abandon).

The informant privilege does not permit the government to conceal a witness when, as here, disclosure “is relevant and helpful” to a defendant’s defense “or is essential to a fair determination of a cause.” United States v. McDowell, 687 F.3d 904, 911 (7th Cir. 2012) (quoting Roviaro v. United States, 353 U.S. 53, 60-61 (1957)). Indeed, the Seventh Circuit’s treatment of the privilege indicates that its reach is typically limited to background sources of information, as in a tipster who furnishes details that commence an investigation resulting in a prosecution premised on the fruits of the investigation, not the details of the background tip.

A mere tipster, according to the Seventh Circuit, is “someone whose only role was to provide the police with the relevant information that served as the foundation to obtaining a search warrant.” Id. Tipsters differ from what the Seventh Circuit terms “transactional witnesses,” who are individuals “who participated in the crime charged . . . or witnessed the event in question.” Id. For tipsters, “the rationale for the privilege is strong and the case for overriding it is generally weak.” Id. In contrast, “the case for overriding the privilege and requiring disclosure tends to be stronger” for transactional witnesses. Id.

Here, the government’s refusal to disclose even the identity of “Randy’s” attorney is apparently the result of miscategorizing an important witness as a mere tipster. “Randy” is a cooperating witness, one whose provision of information to law enforcement was facilitated by consideration—proffer immunity, at the least—from the government. This circumstance alone weighs against continuing confidentiality because “Randy” surely knows his cooperation will be revealed.

The government won’t even give the defense the name of this dude’s lawyer so the lawyer can tell them his client doesn’t want to talk to them.

Me? I’m guessing if the government were required to put “Randy” on the stand they’d contemplate dismissing the charges against Hutchins immediately. I’m guessing the government now realizes “Randy” took them for a ride — perhaps an enormous one. And given how easy it is to reconstitute chat logs — but here, it’s not even clear “Randy” has the chat logs, but just claimed to have been a part of them, in an effort to incriminate him — I’m guessing this part of the case against Hutchins won’t hold up.

It’d probably be a good time for the government to dismiss the charges against Hutchins and give him an H1B for his troubles so he can surf off the last 6 months of stress. But that’s not how the government works, when they realize they really stepped in a load of poo.

Why I Left The Intercept: The Surveillance Story They Let Go Untold for 15 Months

The Intercept has a long, must-read story from James Risen about the government’s targeting of him for his reporting on the war on terror. It’s self-serving in many ways — there are parts of his telling of the Wen Ho Lee, the Valerie Plame, and the Jeffrey Sterling stories he leaves out, which I may return to. But it provides a critical narrative of DOJ’s pursuit of him. He describes how DOJ tracked even his financial transactions with his kids (which I wrote about here).

The government eventually disclosed that they had not subpoenaed my phone records, but had subpoenaed the records of people with whom I was in contact. The government obtained my credit reports, along with my credit card and bank records, and hotel and flight records from my travel. They also monitored my financial transactions with my children, including cash I wired to one of my sons while he was studying in Europe.

He also reveals that DOJ sent him a letter suggesting he might be a subject of the investigation into Stellar Wind.

But in August 2007, I found out that the government hadn’t forgotten about me. Penny called to tell me that a FedEx envelope had arrived from the Justice Department. It was a letter saying the DOJ was conducting a criminal investigation into “the unauthorized disclosure of classified information” in “State of War.” The letter was apparently sent to satisfy the requirements of the Justice Department’s internal guidelines that lay out how prosecutors should proceed before issuing subpoenas to journalists to testify in criminal cases.

[snip]

When my lawyers called the Justice Department about the letter I had received, prosecutors refused to assure them that I was not a “subject” of their investigation. That was bad news. If I were considered a “subject,” rather than simply a witness, it meant the government hadn’t ruled out prosecuting me for publishing classified information or other alleged offenses.

But a key part of the story lays out the NYT’s refusals to report Risen’s Merlin story and its reluctance — until Risen threatened to scoop him with his book — to publish the Stellar Wind one.

Glenn Greenwald is rightly touting the piece, suggesting that the NYT was corrupt for acceding to the government’s wishes to hold the Stellar Wind story. But in doing so he suggests The Intercept would never do the same.

That’s not correct.

One of two reasons I left The Intercept is because John Cook did not want to publish a story I had written — it was drafted in the content management system — about how the government uses Section 702 to track cyberattacks. Given that The Intercept thinks such stories are newsworthy, I’m breaking my silence now to explain why I left The Intercept.

I was recruited to work with First Look before it was publicly announced. The initial discussions pertained to a full time job, with a generous salary. But along the way — after Glenn and Jeremy Scahill had already gotten a number of other people hired and as Pierre Omidyar started hearing from friends that the effort was out of control — the outlet decided that they were going to go in a different direction. They’d have journalists — Glenn and Jeremy counted as that. And they’d have bloggers, who would get paid less.

At that point, the discussion of hiring me turned into a discussion of a temporary part time hire. I should have balked at that point. What distinguishes my reporting from other journalists — that I’m document rather than source-focused (though by no means exclusively), to say nothing of the fact that I was the only journalist who had read both the released Snowden documents and the official government releases — should have been an asset to The Intercept. But I wanted to work on the Snowden documents, and so I agreed to those terms.

There were a lot of other reasons why, at that chaotic time, working at The Intercept was a pain in the ass. But nevertheless I set out to write stories I knew the Snowden documents would support. The most important one, I believed, was to document how the government was using upstream Section 702 for cybersecurity — something it had admitted in its very first releases, but something that it tried to hide as time went on. With Ryan Gallagher’s help, I soon had the proof of that.

The initial hook I wanted to use for the story was how, in testimony to PCLOB, government officials misleadingly suggested it only used upstream to collect on things like email addresses.

Bob Litt:

We then target selectors such as telephone numbers or email addresses that will produce foreign intelligence falling within the scope of the certifications.

[snip]

It is targeted collection based on selectors such as telephone numbers or email addresses where there’s reason to believe that the selector is relevant to a foreign intelligence purpose.

[snip]

It is also however selector-based, i.e. based on particular phone numbers or emails, things like phone numbers or emails.

Raj De:

Selectors are things like phone numbers and email addresses.

[snip]

A term like selector is just an operational term to refer to something like an email or phone number, directive being the legal process by which that’s effectuated, and tasking being the sort of internal government term for how you start the collection on a particular selector.

[snip]

So all collection under 702 is based on specific selectors, things like phone numbers or email addresses.

Brad Wiegmann:

A selector would typically be an email account or a phone number that you are targeting.

[snip]

So that’s when we say selector it’s really an arcane term that people wouldn’t understand, but it’s really phone numbers, email addresses, things like that.

[snip]

So putting those cases aside, in cases where we just kind of get it wrong, we think the email account or the phone is located overseas but it turns out that that’s wrong, or it turns out that we think it’s a non-U.S. person but it is a  U.S. person, we do review every single one to see if that’s the case.

That PCLOB’s witnesses so carefully obscured the fact that 702 is used to collect cybersecurity and other IP-based or other code collection is important for several reasons. First, because collection on a chat room or an encryption key, rather than an email thread, has very different First Amendment implications than collecting on the email of a target. But particularly within the cybersecurity function, identifying foreignness is going to be far more difficult to do because cyberattacks virtually by definition obscure their location, and you risk collecting on victims (whether they are hijacked websites or emails, or actual theft victims) as well as the perpetrator.

Moreover, the distinction was particularly critical because most of the privacy community did not know — many still don’t — how NSA interpreted the word “facility,” and therefore was missing this entire privacy-impacting aspect of the program (though Jameel Jaffer did raise the collection on IP addresses in the hearing).

I had, before writing up the piece, done the same kind of iterative work (one, two, three) I always do; the last of these would have been a worthy story for The Intercept, and did get covered elsewhere. That meant I had put in close to 25 hours working on the hearing before I did other work tied to the story at The Intercept.

I wrote up the story and started talking to John Cook, who had only recently been brought in, about publishing it. He told me that the use of 702 with cyber sounded like a good application (it is!), so why would we want to expose it. I laid out why it would be questionably legal under the 2011 John Bates opinion, but in any case would have very different privacy implications than the terrorism function that the government liked to harp on.

In the end, Cook softened his stance against spiking the story. He told me to keep reporting on it. But in the same conversation, I told him I was no longer willing to work in a part time capacity for the outlet, because it meant The Intercept benefitted from the iterative work that was as much a part of my method as meetings with sources that reveal no big scoop. I told him I was no longer willing to work for The Intercept for free.

Cook’s response to that was to exclude me from the first meeting at which all Intercept reporters would be meeting. The two things together — the refusal to pay me for work and expertise that would be critical to Intercept stories, as well as the reluctance to report what was an important surveillance story, not to mention Cook’s apparent opinion I was not a worthy journalist — are why I left.

And so, in addition to losing the person who could report on both the substance and the policy of the spying that was so central to the Snowden archives, the story didn’t get told until 15 months later, by two journalists with whom I had previously discussed 702’s cybersecurity function specifically with regards to the Snowden archive. In the interim period, the government got approval for the Tor exception (which I remain the only reporter to have covered), an application that might have been scrutinized more closely had the privacy community been discussing the privacy implications of collecting location-obscured data in the interim.

As recently as November, The Intercept asked me questions about how 702 is actually implemented because I am, after all, the expert.

So by all means, read The Intercept’s story about how the NYT refused to report on certain stories. But know that The Intercept has not always been above such things itself. In 2014 it was reluctant to publish a story the NYT thought was newsworthy by the time they got around to publishing it 15 months later.

Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.

[snip]

it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.

[snip]

[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

Word Type of error Correct analogue
“ustanavlivat” omitted sign at the end, verb tense error “ustanovit'” or “ustanoviti”
“poluchit” omitted sign at the end “poluchit'” or “poluchiti”
“pereslat” omitted sign at the end “pereslat'” or “pereslati”
“derzhat” omitted sign at the end “derzhat'” or “derzhati”
“vykhodit” omitted sign at the end, verb tense error “vyiti”

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect”were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.

[snip]

Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

Transliterated Russian words used in AS Translated from Russian
Podgotovkaskotiny Preparation of farm animals
geigeigei3raza Hey, hey, hey 3 times
chainik Dummy (a stupid person)
chainikaddress Dummy’s address
poishemdatu Let’s search for data
poiskvpro Searching in ‘pro’
vyzov_chainika Calling the dummy (a stupid person)
daiadreschainika Get address of the dummy
runskotina Execute farm animals
babaLEna Old woman Lena

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

01 private function put_dummy_args(param1:*) : *
02 {
03 return chainik.call.apply(null,param1);
04 }
05 private function vyzov_chainika() : *
06 {
07 return chainik.call(null);
08 }

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while, the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

The Bankrupt Attribution of WannaCry

I’ve been puzzling through this briefing, purportedly attributing the WannaCry hack to North Korea, which followed last night’s Axis of CyberEvil op-ed (here’s the text). The presser was … perhaps even more puzzling than the Axis of CyberEvil op-ed.

Unlike the op-ed, Homeland Security Czar Tom Bossert provided hints about how the government came to attribute this attack.

Bossert makes much of the fact that the Five Eyes plus Japan all agree on this.

We do so with evidence, and we do so with partners.

Other governments and private companies agree.  The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.

He also points to the Microsoft and (unnamed — because it’d be downright awkward to name Kaspersky in the same briefing where you attack them as a cybersecurity target) security consultant attributions from months ago.

Commercial partners have also acted.  Microsoft traced the attack to cyber affiliates of the North Korean government, and others in the security community have contributed their analysis.

Here are the specific things he says about how the US, independent of Microsoft and villains like Kaspersky, made an attribution.

What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.  We had to examine a lot.  And we had to put it together in a way that allowed us to make a confident attribution.

[snip]

[I]t’s a little tradecraft, to get to your second question.  It’s hard to find that smoking gun, but what we’ve done here is combined a series of behaviors.  We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks.  And so you have to apply some gumshoe work here, not just some code analysis.

Nevertheless, Bossert alludes to people launching this attack from “keyboards all over the world,” but says because these “intermediaries … had carried out those types of attacks on behalf of the North Korean government in the past,” they were confident in the attribution.

People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea.  And so that’s one of the challenges behind cyber attribution.

[snip]

[T]here were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past.  And that was one of the tradecraft routines that allowed us to reach that conclusion.

Taking credit for stuff the private sector did

In his prewritten statement, Bossert provides on explanation for the timing of all this. One of the reasons the US is attributing the WannaCry attack now — aside from the need to gin up war with North Korea — is that Facebook and Microsoft, “acting on their own initiative last week,” took action last week against North Korean targets.

We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers.  Microsoft acted before the attack in ways that spared many U.S. targets.

Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe.  They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.

Yet even while acknowledging that Microsoft and Facebook are busy keeping the US safe, he demands that the private sector … keep us safe.

We call today — I call today, and the President calls today, on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors the ability to launch reckless and disruptive cyber acts.

Golly how do you think the US avoided damage from the attack based on US tools so well?

Then Bossert invites Assistant Secretary for Cybersecurity and Communications at DHS Jeanette Manfra to explain not how the US attributed this attack (the ostensible point of this presser), but how the US magically avoided getting slammed — by an attack based on US tools — as badly as other countries did.

By midafternoon, I had all of the major Internet service providers either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States.  We partnered with the Department of Health and Human Services to reach out to hospitals across the country to offer assistance.  We engaged with federal CIOs across our government to ensure that our systems were not vulnerable.  I asked for assistance from our partners in the IT and cybersecurity industry.  And by 9:00 p.m. that night, I had over 30 companies represented on calls, many of whom offered us analytical assistance throughout the weekend.

By working closely with these companies and the FBI throughout that night, we were able to issue a technical alert, publicly, that would assist defenders with defeating this malware.  We stayed on alert all weekend but were largely able to escape the impacts here in this country that other countries experienced.

Managing to avoid getting slammed by an attack that the US had far more warning of (because it would have recognized and had 96 days to prepare) is proof, Manfra argues, of our preparation to respond to attacks we didn’t write the exploit for.

[T]he WannaCry attack demonstrated our national capability to effectively operate and respond.

Ix-Nay on the AdowBrokers-Shay

Which brings us to the dramatic climax of this entire presser, where Tom Bossert plays dumb about the fact that his this attack exploited an NSA exploit. In his first attempt to deflect this question, Bossert tried to distinguish between vulnerabilities and the exploits NSA wrote for them.

Q    Had they not been able to take advantage of the vulnerabilities that got published in the Shadow Brokers website, do you think that would have made a significant difference in their ability to carry out the attack?

MR. BOSSERT:  Yeah.  So I think what Dave is alluding to here is that vulnerabilities exist in software.  They’re not — almost never designed on purpose.  Software producers are making a product, and they’re selling it for a purpose.

Pretending a vulnerability is the same thing as an exploit, Bossert pointed to the (more visible but still largely the same) Vulnerabilities Exploit Process Trump has instituted.

When we find vulnerabilities, the United States government, we generally identify them and tell the companies so they can patch them.

In this particular case, I’m fairly proud of that process, so I’d like to elaborate.  Under this President’s leadership and under the leadership of Rob Joyce, who’s serving as my deputy now and the cybersecurity coordinator, we have led the most transparent Vulnerabilities Equities Process in the world.

Hey, by the way, why isn’t Rob Joyce at this presser so the person in government best able to protect against cyber attacks can answer questions?

Oh, never mind–let’s continue with this VEP thing.

And what that means is the United States government finds vulnerabilities in software, routinely, and then, at a rate of almost 90 percent, reveals those.  They could be useful tools for us to then exploit for our own national security benefit.  But instead, what we choose to do is share those back with the companies so that they can patch and increase the collective defense of the country.  It’s not fair for us to keep those exploits while people sit vulnerable to those totalitarian regimes that are going to bring harm to them.

So, in this particular case, I’m proud of the VEP program.  And I’d go one step deeper for you:  Those vulnerabilities that we do keep, we keep for very specific purposes so that we can increase our national security.  And we use them for very specific purposes only tailored to our perceived threats.  I think that they’re used very carefully.  They need to be protected in such a way that we don’t leak them out and so that bad people can get them.  That has happened, unfortunately, in the past.

Hell! Let’s go for broke. Let’s turn the risk that someone can steal our toys and set off a global worm into the promise that we’ll warn people they’ve been hacked.

But one level even deeper.  When we do use those vulnerabilities to develop exploits for the purpose of national security for the classified work that we do, we sometimes find evidence of bad behavior.  Sometimes it allows us to attribute bad actions.  Other times it allows us to privately call — and we’re doing this on a regular basis, and we’re doing it better and in a more routine fashion as this administration advances — we’re able to call targets that aren’t subject to big rollouts.  We’re able to call companies, and we’re able to say to them, “We believe that you’ve been hacked.  You need to take immediate action.”  It works well; we need to get better at doing that.  And I think that allows us to save a lot of time and money.

We’re not yet broke yet, though! When Bossert again gets asked whether WannaCry was based off a US tool, he tried to argue the only tool involved was the final WannaCry one, not than the underlying NSA exploit.

Q    So you talked about the 90 percent of times when you guys share information back with companies rather than exploit those vulnerabilities.  Was this one of the 10 percent that you guys had held onto?

MR. BOSSERT:  So I think there’s a case to be made for the tool that was used here being cobbled together from a number of different sources.  But the vulnerability that was exploited — the exploit developed by the culpable party here — is the tool, the bad tool.

This soon descends into full-on Sergeant Schultz.

I don’t know what they got and where they got it, but they certainly had a number of things cobbled together in a pretty complicated, intentional tool meant to cause harm that they didn’t entirely create themselves.

MalwareTech took a risk doing what he always does [er, did, before the US government kidnapped him] with malware?

Then there’s weird bit — one of those Bossert moments (like when he said WannaCry was spread by phishing) that makes me think he doesn’t know what he’s talking about. When asked if this North Korean attribution changed the government’s intent to prosecute MalwareTech (Marcus Hutchins), Bossert dodged that tricksy question (the answer is, yes, the prosecution is still on track to go to trial next year) but then claimed that Hutchins “took a risk” doing something he has repeatedly said he always does when responding to malware.

I can’t comment on the ongoing criminal prosecution or judicial proceedings there.  But I will note that, to some degree, we got lucky.  In a lot of ways, in the United States we were well-prepared.  So it wasn’t luck — it was preparation, it was partnership with private companies, and so forth.  But we also had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it.  He took a risk, it worked, and it caused a lot of benefit.  So we’ll give him that.  Next time, we’re not going to get so lucky.

After dodging the issue of why the government is prosecuting the guy whose “luck” Bossert acknowledges saved the world, he has the gall to say — in the very next breath!! — we need to do the kind of information sharing that Hutchins’ prosecution disincents.

So what we’re calling on here today is an increased partnership, an increased rapidity in routine speed of sharing information so that we can prevent patient zero from being patient 150.

Whatever you do, don’t follow the lack of money

All that was bad enough. But then things really went off the rail when a journalist asked about what one of the poorest countries on earth — a country with a severe exchangeable currency shortage — did with the money obtained in this ransomware attack.

Q    Tom, the purpose of ransomware is to raise money.  So do you have a sense now of exactly how much money the North Koreans raised as a result of this?  And do you have any idea what they did with the money?  Did it go to fund the nuclear program?  Did it go just to the regime for its own benefit?  Or where did that money go?

MR. BOSSERT:  Yeah, it’s interesting.  There’s two conundrums here.  First, we don’t really know how much money they raised, but they didn’t seem to architect it in the way that a smart ransomware architect would do.  They didn’t want to get a lot of money out of this.  If they did, they would have opened computers if you paid.  Once word got out that paying didn’t unlock your computer, the payment stopped.

And so I think that, in this case, this was a reckless attack and it was meant to cause havoc and destruction.  The money was an ancillary side benefit.  I don’t think they got a lot of it.

Wow. A couple things here. First, of one of the poorest countries in the world, Bossert said with a straight face: “They didn’t want to get a lot of money out of this.”

He has to do that, because he has just said that, “They’ve got some smart programmers.” So he has to treat the attack, as implemented, as the attack that the perpetrators wanted. That apparently doesn’t mean he feels bound to offer some explanation for why North Korea would forgo the money that their smart programmers could have earned. Because he never offers that, without which you have zero credible attribution.

Still nuttier, at one level it cannot be true that “we don’t know how much money they raised.” Later in his presser he claims, “cryptocurrency might be difficult to track” and suggests the government only learned about how little they were making because, “targets seem to have reported to us, by and large, that they mostly didn’t pay. … So we were able to track the behavior of the targets in that case.”

Um. No. It was very public! We watched WannaCry’s perps collect $144,000 via the @Actual_ransom account, and we watched the account be cashed out in the immediate wake of the aforementioned MalwareTech arrest (as Hutchins noted, making it look like he had absconded with his Bitcoin rather than gotten arrested by the FBI).  That, too, is a detail that Bossert would have needed to address for this to be a marginally credible press conference.

But wait! There’s more! We also know that as soon as WannaCry’s perps publicly cashed out, Shapeshift blacklisted all its known accounts, making it impossible for WannaCry to launder the money, and adding still more transparency to the process. Which means Bossert should know well the answer to the question “how much did North Korea (or whatever perp) make off this?” is, zero. None. Because their money got cut off in the laundering process. (For some reason, Bossert gave Shapeshift zero credit here, which raises further questions I might return to at a later date.) Either attribution includes details about this process or … it’s not credible.

Bossert’s backflips to pretend Trump isn’t treating North Korea differently than Russia

Now, all this is before you get into the gymnastics Bossert performed to pretend that Trump isn’t treating North Korea — against whom this attribution will serve as justification for war — differently than Russia. After being asked about it, Bossert claimed,

President Trump not only continued the national emergency for cybersecurity, but he did so himself and sanctioned the Russians involved in the hacks of last year.

His effort to conflate last year’s hack-related sanctions with the sanctions imposed by Congress but not fully implemented looked really pathetic.

Q    Have all the sanctions been implemented?

MR. BOSSERT:  This was — yeah, this was the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.  President Trump continued that national emergency, pursuant to the International Emergency Economic Powers Act, to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Pivoting to one of the most important private companies

Immediately after which, perhaps in an act of desperation, Bossert pivoted to Kaspersky, one of the most important security firms in unpacking WannaCry and therefore utterly central to any claim the answer to cyberattacks is to share between the private and public sector. Bossert said this to defend the claim that the Trump administration is taking Russian threats seriously.

Now, look, in addition, if that’s not making people comfortable, this year we acted to remove Kaspersky from all of our federal networks.  We did so because having a company that can report back information to the Russian government constituted a risk unacceptable to our federal networks.

And then — in the same press conference where Bossert hailed cooperation, including with private security firms like Kaspersky, he boasted about how “in the spirit of cooperation” the US has gotten “providers, sellers, retail stores” to ban one of the firms that was critical in analyzing and minimizing the WannaCry impact.

In the spirit of cooperation, which is the second pillar of our strategy — accountability being one, cooperation being the second — we’ve had providers, sellers, retail stores follow suit.  And we’ve had other private companies and other foreign governments also follow suit with that action.

In case you’re counting, he has boasted about cooperation in the same breath as speaking of both MalwareTech and Kaspersky.

Whatever. From this we’re supposed to conclude we should go to war against North Korea and their non-NK keyboarders the world over and  that the way to defend ourselves against them is to simultaneously demand “cooperation” even while treating two of the most important entities who minimized the threat of WannaCry as outlaws.

Tom Bossert Brings You … Axis of CyberEvil!

I was struck, when reviewing the NYT article on the KT McFarland email, how central Homeland Security Czar Tom Bossert was to the discussion of asking Russia not blow off Obama’s Russia sanctions.

“Key will be Russia’s response over the next few days,” Ms. McFarland wrote in an email to another transition official, Thomas P. Bossert, now the president’s homeland security adviser.

[snip]

Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.

[snip]

Mr. Bossert replied by urging all the top advisers to “defend election legitimacy now.”

[snip]

Obama administration officials were expecting a “bellicose” response to the expulsions and sanctions, according to the email exchange between Ms. McFarland and Mr. Bossert. Lisa Monaco, Mr. Obama’s homeland security adviser, had told Mr. Bossert that “the Russians have already responded with strong threats, promising to retaliate,” according to the emails.

There Tom Bossert was, with a bunch of political hacks, undercutting the then-President as part of an effort to “defend election legitimacy now.”

Which is one of the reasons I find Bossert’s attribution of WannaCry to North Korea — in a ridiculously shitty op-ed — so sketchy now, as Trump needs a distraction and contemplates an insane plan to pick a war with North Korea.

The guy who — well after it was broadly known to be wrong — officially claimed WannaCry was spread by phishing is now offering this as his evidence that North Korea is the culprit:

We do not make this allegation lightly. It is based on evidence.

A representative of the government whose tools created this attack, said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

Much of the op-ed is a campaign ad falsely claiming a big break with the Obama Administration.

Change has started at the White House. President Trump has made his expectations clear. He has ordered the modernization of government information-technology to enhance the security of the systems we run on behalf of the American people. He continued sanctions on Russian hackers and directed the most transparent and effective government effort in the world to find and share vulnerabilities in important software. We share almost all the vulnerabilities we find with developers, allowing them to create patches. Even the American Civil Liberties Union praised him for that. He has asked that we improve our efforts to share intrusion evidence with hacking targets, from individual Americans to big businesses. And there is more to come.

A number of the specific items Bossert pointed to to claim action are notable for the shoddy evidence underlying them, starting with the Behzad Mesri case and continuing to Kaspersky — which has consistently had more information on the compromises we blame it for than the US government.

When we must, the U.S. will act alone to impose costs and consequences for cyber malfeasance. This year, the Trump administration ordered the removal of all Kaspersky software from government systems. A company that could bring data back to Russia represents an unacceptable risk on federal networks. Major companies and retailers followed suit. We brought charges against Iranian hackers who hacked several U.S. companies, including HBO. If those hackers travel, we will arrest them and bring them to justice. We also indicted Russian hackers and a Canadian acting in concert with them. A few weeks ago, we charged three Chinese nationals for hacking, theft of trade secrets and identity theft. There will almost certainly be more indictments to come.

The Yahoo case, which is backed by impressive evidence, was based on evidence gathered under Obama, from whose Administration Bossert claims to have made a break.

And this kind of bullshit — in an op-ed allegedly focused on North Korea — is worthy of David Frum playing on a TRS-80.

Going forward, we must call out bad behavior, including that of the corrupt regime in Tehran.

Especially ending as it does with a thinly disguised call for war.

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

I mean, maybe dirt poor North Korea really did build malware designed not to make money. But this is not the op-ed to credibly make that argument.

Why Is Russia Finally Letting (Dubious) Details of Its Involvement in DNC Hack Out?

In recent days there have been a number of stories in Russia implicating the FSB (note, not GRU) in issues related to the DNC hack. First, there was this article from The Bell, claiming that the four Russian treason defendants (two of whom were FSB officers) are being prosecuted because they provided inside information to the US about GRU’s involvement in the DNC hack.

But it is impossible to identify which specific cyber group or groups were responsible for last year’s Democratic National Committee hack based on technical traces alone, four cyber experts polled by The Bell confirmed. To prove specifically that the GRU was involved, U.S. investigators would have needed inside sources — preferably with access to confidential state matters, one source explained. Mikhailov had that access.

Relations between intelligence agencies working on the cyber front were strained, one of Mikhailov’s acquaintances said. The FSB and GRU compete for funding and Mikhailov felt the FSB carried out cyber tasks more professionally than the GRU, according to one of his acquaintances.

He used to say that “the GRU breaks into servers in a brazen, clumsy, and brutish manner and it interfered with his own work”, the acquaintance said. Moreover “the GRU’s hackers didn’t even try to cover their tracks”.

The report said that Sergei Mikhailov — who was named (but not charged) the Yahoo hack case — shared information on Russian hackers who wouldn’t work with the FSB with western law enforcement agencies though a cut-out named Kimberly Zenz.

Mikhailov had been working closely with Western intelligence agencies since 2010. Report written for Vrublevsky said that Mikhailov had leaked sensitive information “on Russian cyber-criminals, who had refused to cooperate with him, to a U.S. citizen”. More specifically, Mikhailov reportedly handed the U.S. citizen — a woman — information on Russian state-sponsored hacker attacks against Estonia and Georgia in 2007 and 2008.

Burykh says he found that Mikhailov gave the information to Stoyanov, who then passed it on to  Kimberly Zenz  of the U.S. company iDefense Intelligence. From there, it went to the U.S. Department of Defense.

Then there’s this story, reporting that a hacker tied to the Lurk group, Konstantin Kozlovsky, hacked the DNC on behalf of the FSB.

Then there’s this, from Novaya Gazeta, laying out the news.

NG questions — as I do — why this is all coming out now. Of particular interest, it notes that Kozlovsky’s claims were posted in August, but for some reason the hashtags that would have alerted people to the posted claim were not triggering, meaning the information only got noticed (at least in Russia) now.

Interestingly, the first materials on this page were posted back in August of this year. And despite the fact that sensational publications were accompanied by tags # CIB, # FSB, # Dokoutchaev, # Mikhailov # Stoyanov, # hackers, # Kaspersky, the existence of a personal page Kozlovsky in Facebook for some reason became known only in early December.

Here’s the timeline we’re currently being presented with (I’ve made some additions):

April 28, 2015: FSB accesses Lurk servers with Kaspersky’s help.

May 18, 2016: Kozlovsky arrest.

May 19-25, 2016: DNC emails shared with WikiLeaks likely exfiltrated.

November 1, 2016: Date of Kozlovsky confession.

December 5, 2016: Arrest, for treason, of FSB officers.

August 14, 2017: Kozlovsky posts November 1 confession of hacking DNC on Facebook.

November 28, 2017: Karim Baratov (co-defendant of FSB handlers) plea agreement.

December 2, 2017: Kozlovsky’s claims posted on his Facebook page.

Of particular note, the emails exfiltrated from the DNC and shared with WikiLeaks were probably not exfiltrated until the days immediately after Kozlovsky’s arrest.

As NG notes, this all may well be true (though I wonder why Russia is now letting claims it was involved in the DNC hack go public, after claiming it was uninvolved for so long). But the reason it is coming out now is at least as interesting that it is coming out.

Update: I originally said that Mikhailov was charged in the Yahoo hack. He was described in it, but not charged.

Three Months After Problematic John Sipher Post, Just Security Makes Clear It Let Known Errors Sit for Two Months

This post was first published on September 6, the same day John Sipher’s post was published. Because of something that happened today, December 10, I’m reposting it in its entirety, along with the two updates that make it clear when Just Security corrected one of the egregious errors I pointed out on September 6 two months later, around November 4, they didn’t credit me. In other words, they let a significant error sit for two months (and presumably haven’t even reviewed all the other problems I point out here, in spite of an extended conversation Ryan Goodman and I had about this post on September 6). Given the lefties are still making some of the same errors (notably, when Rachel Maddow hid how badly the Steele dossier was on the hack-and-leak by not mentioning the Guccifer 2.0 publications), the continued errors are telling. 

If I were to write this post now, it’d show a bunch more problems. But I believe the analysis from September stands up.


I generally find former CIA officer John Sipher’s work rigorous and interesting, if not always persuasive. Which is why I find the shoddiness of this post — arguing, just as Republicans in Congress and litigious Russians start to uncover information about the Christopher Steele dossier, that the dossier is not garbage  — so telling.

I don’t think the Steele dossier is garbage.

But neither do I think it supports the claim that it predicted a lot of information we’ve found since, something Sipher goes to great pains to argue. And there are far more problems with the dossier and its production than Sipher, who claims to be offering his wisdom about how to interpret raw intelligence, lets on. So the dossier isn’t garbage (though the story behind its production may well be). But Sipher’s post is. And given that it appears to be such a desperate — and frankly, unnecessary — attempt to reclaim the credibility of the dossier, it raises questions about why he feels the need.

Making and claiming accuracy for a narrative out of raw intelligence

Sipher’s project appears to be taking what he admits is raw intelligence and providing a narrative that he says we should continue to use to understand Trump’s Russian ties.

Close to the beginning of his piece, Sipher emphasizes that the dossier is not a finished intelligence report, but raw intelligence; he blames the media for not understanding the difference.

I spent almost thirty years producing what CIA calls “raw reporting” from human agents.  At heart, this is what Orbis did.  They were not producing finished analysis, but were passing on to a client distilled reporting that they had obtained in response to specific questions.  The difference is crucial, for it is the one that American journalists routinely fail to understand.

[snip]

Mr. Steele’s product is not a report delivered with a bow at the end of an investigation.  Instead, it is a series of contemporaneous raw reports that do not have the benefit of hindsight.

Sipher explains that you need analysts to make sense of these raw reports.

The onus for sorting out the veracity and for putting the reporting in context against other reporting – which may confirm or deny the new report – rests with the intelligence community’s professional analytic cadre.

He then steps into that role, an old clandestine services guy doing the work of the analysts. The result, he says, is a narrative he says we should still use — even in the wake of eight months of aggressive reporting since the dossier came out — in trying to understand what went on with the election.

As a result, they offer an overarching framework for what might have happened based on individuals on the Russian side who claimed to have insight into Moscow’s goals and operational tactics.  Until we have another more credible narrative, we should do all we can to examine closely and confirm or dispute the reports.

[snip]

Looking at new information through the framework outlined in the Steele document is not a bad place to start.

How to read a dossier

One thing Sipher aspires to do — something that would have been enormously helpful back in January — is explain how an intelligence professional converts those raw intelligence reports into a coherent report. He describes the first thing you do is source validation.

In the intelligence world, we always begin with source validation, focusing on what intelligence professionals call “the chain of acquisition.”  In this case we would look for detailed information on (in this order) Orbis, Steele, his means of collection (e.g., who was working for him in collecting information), his sources, their sub-sources (witting or unwitting), and the actual people, organizations and issues being reported on.

He goes to great lengths to explain how credible Steele is, noting even that he “was the President of the Cambridge Union at university.” I don’t dispute that Steele is, by all accounts, an accomplished intelligence pro.

But Sipher unwisely invests a great deal of weight into the fact that the FBI sought to work with Steele.

The fact that the FBI reportedly sought to work with him and to pay him to develop additional information on the sources suggest that at least some of them were worth taking seriously.  At the very least, the FBI will be able to validate the credibility of the sources, and therefore better judge the information.  As one recently retired senior intelligence officer with deep experience in espionage investigations quipped, “I assign more credence to the Steele report knowing that the FBI paid him for his research.  From my experience, there is nobody more miserly than the FBI.  If they were willing to pay Mr. Steele, they must have seen something of real value.”

This is flat-out dumb for two reasons. First, it is one of the things the GOP has used to discredit the dossier and prosecution — complaining (rightly) that the FBI was using a document designed as opposition research, possibly even to apply for a FISA warrant. If the FBI did that, I’m troubled by it.

More importantly, the actual facts about whether FBI did pay Steele are very much in dispute, with three different versions in the public record and Chuck Grassley claiming the FBI has been giving conflicting details about what happened (it’s likely that FBI paid Steele’s travel to the US but not for the dossier itself).

WaPo reported that Steele had reached a verbal agreement that the FBI would pay him to continue his investigation of Russia’s involvement with Trump after still unnamed Democrats stopped paying him after the election. CNN then reported that FBI actually had paid Steele for his expenses. Finally, NBC reported Steele backed out of the deal before it was finalized.

If the FBI planned to pay Steele, but got cold feet after Steele briefed David Corn for a piece that made explicit reference to the dossier, it suggests FBI may have decided the dossier was too clearly partisan for its continued use. In any case, citing a “recently retired senior intelligence officer” claiming the FBI did pay Steele should either be accompanied by a “BREAKING, confirming the detail no one else has been able to!” tag, or should include a caveat that the record doesn’t affirmatively support that claim.

After vouching for Steele (again, I don’t dispute Steele’s credentials), Sipher lays out the other things that need to happen to properly vet raw intelligence, which he claims we can’t do.

The biggest problem with confirming the details of the Steele “dossier” is obvious: we do not know his sources, other than via the short descriptions in the reports.  In CIA’s clandestine service, we spent by far the bulk of our work finding, recruiting and validating sources.  Before we would ever consider disseminating an intelligence report, we would move heaven and earth to understand the access, reliability, trustworthiness, motivation and dependability of our source.  We believe it is critical to validate the source before we can validate the reliability of the source’s information.  How does the source know about what he/she is reporting?  How did the source get the information?  Who are his/her sub-sources?  What do we know about the sub-sources?  Why is the source sharing the information?  Is the source a serious person who has taken appropriate measures to protect their efforts?

The thing is, we actually know answers to two of these questions. First, Steele’s sources shared the information (at least in part) because they were paid. [Update, 11/15: According to CNN, Glenn Simpson testified that Steele did not pay his sources. That somewhat conflicts with suggestions made by Mike Morell, who said Steele paid intermediaries who paid his sources, but Simpson’s testimony may simply be a cute legal parse.] That’s totally normal for spying, of course, but if Sipher aspires to explain to us how to assess the dossier, he needs to admit that money changes hands and that’s just the way things are done (again, that’s all the more important given that it’s one of the bases the GOP is using to discredit the report).

More importantly, Sipher should note that Steele worked one step removed — from London, rather than from Moscow — than an intelligence officer otherwise might. The reports may still be great, but that additional step introduces more uncertainty into the validation. It’s all the more important that Sipher address these two issues, because they’re the ones the GOP has been and will continue to use to discredit the dossier.

Ultimately, though, in his section on vetting the document, Sipher doesn’t deal with some key questions about the dossier. Way at the end of his piece, he questions whether we’re looking at the entire dossier.

We also don’t know if the 35 pages leaked by BuzzFeed is the entirety of the dossier.  I suspect not.

He doesn’t raise two other key questions about the provenance of the dossier we’ve been given, some of which I laid out when the dossier came out when I also noted that the numbering of the dossier by itself makes it clear it’s not the complete dossier. Importantly: is the copy of the dossier leaked to BuzzFeed an unaltered copy of what Steele delivered to Fusion, in spite of the weird textual artifacts in it? And how and why did the dossier get leaked to BuzzFeed, which Steele has told us was not one of the six outlets that he briefed on its contents.

Finally, Sipher includes the obligation to “openly acknowledge the gaps in understanding” outside of the section on vetting, which is telling given that he notes only a few of the obvious gaps in this dossier.

Sipher claims the dossier predicted what wasn’t known

So there are a lot of aspects of vetting Sipher doesn’t do, whether or not he has the ability to. But having done the vetting of checking Steele’s college extracurricular record, he declares the dossier has proven to be “stunningly accurate.”

Did any of the activities reported happen as predicted?

To a large extent, yes.

The most obvious occurrence that could not have been known to Orbis in June 2016, but shines bright in retrospect is the fact that Russia undertook a coordinated and massive effort to disrupt the 2016 U.S. election to help Donald Trump, as the U.S. intelligence community itself later concluded.  Well before any public knowledge of these events, the Orbis report identified multiple elements of the Russian operation including a cyber campaign, leaked documents related to Hillary Clinton, and meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents.  Mr. Steele could not have known that the Russians stole information on Hillary Clinton, or that they were considering means to weaponize them in the U.S. election, all of which turned out to be stunningly accurate.

Now as I said above, I don’t believe the dossier is junk. But this defense of the dossier, specifically as formulated here, is junk. Central to Sipher’s proof that Steele’s dossier bears out are these claims:

  • Russia undertook a coordinated and massive effort to disrupt the 2016 U.S. election to help Donald Trump
  • The Orbis report identified multiple elements of the Russian operation including
    • A cyber campaign
    • Leaked documents related to Hillary Clinton
    • Meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents

As I’ll show, these claims are, with limited exceptions, not actually what the dossier shows. Far later into the dossier, the reason Sipher frames it this way is clear. He’s taking validation from recent details about the June 9, 2016 meeting.

Of course, to determine if collusion occurred as alleged in the dossier, we would have to know if the Trump campaign continued to meet with Russian representatives subsequent to the June meeting.

The Steele dossier was way behind contemporary reporting on the hack-and-leak campaign

I consider the dossier strongest in its reports on early ties between Trump associates and Russians, as I’ll lay out below. But one area where it is — I believe this is the technical term — a shit-show is the section claiming the report predicted Russia’s hacking campaign.

Here’s how Sipher substantiates that claim.

By late fall 2016, the Orbis team reported that a Russian-supported company had been “using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against the Democratic Party leadership.” Hackers recruited by the FSB under duress were involved in the operations. According to the report, Carter Page insisted that payments be made quickly and discreetly, and that cyber operators should go to ground and cover their tracks.

[snip]

Consider, in addition, the Orbis report saying that Russia was utilizing hackers to influence voters and referring to payments to “hackers who had worked in Europe under Kremlin direction against the Clinton campaign.” A January 2017 Stanford study found that “fabricated stories favoring Donald Trump were shared a total of 30 million times, nearly quadruple the number of pro-Hillary Clinton shares leading up to the election.”  Also, in November, researchers at Oxford University published a report based on analysis of 19.4 million Twitter posts from early November prior to the election.  The report found that an “automated army of pro-Trump chatbots overwhelmed Clinton bots five to one in the days leading up to the presidential election.”  In March 2017, former FBI agent Clint Watts told Congress about websites involved in the Russian disinformation campaign “some of which mysteriously operate from Eastern Europe and are curiously led by pro-Russian editors of unknown financing.”

The Orbis report also refers specifically to the aim of the Russian influence campaign “to swing supporters of Bernie Sanders away from Hillary Clinton and across to Trump,” based on information given to Steele in early August 2016. It was not until March 2017, however, that former director of the National Security Agency, retired Gen. Keith Alexander in Senate testimony said of the Russian influence campaign, “what they were trying to do is to drive a wedge within the Democratic Party between the Clinton group and the Sanders group.”

Here’s what the dossier actually shows about both kompromat on Hillary and hacking.

June 20: In the first report, issued 6 days after the DNC announced it had been hacked by Russia, and 5 days after Guccifer 2.0 said he had sent stolen documents to WikiLeaks, the dossier spoke of kompromat on Hillary, clearly described as years old wiretaps from when she was visiting Russia. While the report conflicts internally, one part of it said it had not been distributed abroad. As I note in this post, if true, that would mean the documents Natalia Veselnitsaka shared with Trump folks on June 9 was not the kompromat in question.

July 19: After Guccifer 2.0 had released 7 posts, most with documents, and after extended reporting concluding that he was a Russian front, the second report discussed kompromat — still seemingly meaning that dated FSB dossier — as if it were prospective.

July 26: Four days after WikiLeaks released DNC emails first promised in mid-June, Steele submitted a report claiming that Russian state hackers had had “only limited success in penetrating the ‘first tier’ of foreign targets. These comprised western (especially G7 and NATO) governments, security and intelligence services and central banks, and the IFIs.” There had been public reports of FSB-associated APT 29’s hacking of such targets since at least July 2015, and public reporting on their campaigns that should have been identified when DNC did a Google search in response to FBI’s warnings in September 2015. It’s stunning anyone involved in intelligence would claim Russia hadn’t had some success penetrating those first tier targets.

Report 095: An undated report, probably dating sometime between July 26 and July 30, did state that a Trump associate admitted Russia was behind WikiLeaks release of emails, something that had been widely understood for well over a month.

July 30: A few weeks before WikiLeaks reportedly got the second tranche of (Podesta) emails, a report states that Russia is worried that the email hacking operation is spiraling out of control so “it is unlikely that these [operations] would be ratcheted up.”

August 5: A report says Dmitry Peskov, who is reportedly in charge of the campaign, is “scared shitless” about being scapegoated for it.

August 10: Just days before WikiLeaks purportedly got the Podesta tranche of emails, a report says Sergei Ivanov said “Russians would not risk their position for the time being with new leaked material, even to a third party like WikiLeaks.”

August 10: Months after a contentious primary and over two weeks after Debbie Wasserman Schultz’s resignation during the convention (purportedly because of DNC’s preference for Hillary), a report cites an ethnic Russian associate of Russian US presidential candidate Donald TRUMP campaign insider, not a Russian, saying the email leaks were designed to “swing supporters of Bernie SANDERS and away from Hillary CLINTON and across to TRUMP.” It attributes that plan to Carter Page, but does not claim any Russian government involvement in that strategy. Nor would it take a genius for anyone involved in American politics to pursue such a strategy.

August 22: A report on Manafort’s “demise” doesn’t mention emails or any kompromat.

September 14: Three months after Guccifer 2.0 first appeared, the dossier for the first time treated the Russians’ kompromat as the emails, stating that more might be released in late September. That might coincide with Craig Murray’s reported contact with a go-between (Murray has been very clear he did not ferry the emails themselves though he did have some contact in late September).

October 12: A week after the Podesta emails first started appearing, a report states that “a stream of further hacked CLINTON materials already had been injected by the Kremlin into compliant media outlets like Wikileaks, which remained at least “plausibly deniable”, so the stream of these would continue through October and up to the election, something Julian Assange had made pretty clear. See this report for more.

October 18, 19, 19: Three reports produced in quick succession describe Michael Cohen’s role in covering up the Trump-Russia mess, without making any explicit (unredacted) mention of emails. See this post on that timing.

December 13: A virgin birth report produced as the US intelligence community scrambled to put together the case against Russia for the first time ties Cohen to the emails in unredacted form).

What the timeline of the hacking allegations in the Steele dossier (and therefore also “predictions” about leaked documents) reveal is not that his sources predicted the hack-and-leak campaign, but on the contrary, he and his sources were unbelievably behind in their understanding of Russian hacking and the campaign generally (or his Russian sources were planting outright disinformation). Someone wanting to learn about the campaign would be better off simply hanging out on Twitter or reading the many security reports issued on the hack in real time.

Perhaps Sipher wants to cover this over when he claims that, “The Russian effort was aggressive over the summer months, but seemed to back off and go into cover-up mode following the Access Hollywood revelations and the Obama Administration’s acknowledgement of Russian interference in the fall, realizing they might have gone too far and possibly benefitted Ms. Clinton.” Sure, that’s sort of (though not entirely) what the dossier described. But the reality is that WikiLeaks was dropping new Podesta emails every day, Guccifer 2.0 was parroting Russian (and Republican) themes about a rigged election, and Obama was making the first ever cyber “red phone” call to Moscow because of Russia’s continued probes of the election infrastructure (part of the Russian effort about which both the dossier and Sipher’s post are silent).

The quotes Sipher uses to defend his claim are even worse. The first passage includes two clear errors. The report in question was actually the December 13 one, not “late fall 2016” one. And the Trump associate who agreed (in the alleged August meeting in Prague, anticipating that Hillary might win) to making quick payments to hackers was Michael Cohen, not Carter Page. [Update, 12/10/17: Just Security has fixed this error.] Many things suggest this particular report should be read with great skepticism, not least that it post-dated both the disclosure of the existence of the dossier and the election, and that this intelligence was offered up to Steele, not solicited, and was offered for free.

Next, Sipher again cites the December 13 report to claim Steele predicted something reported in a November Oxford University report (and anyway widely reported by BuzzFeed for months), which seems to require either a time machine or an explanation for why Steele didn’t report that earlier. He attributes a quote sourced to a Trump insider as indicating Russian strategy, which that report doesn’t support. And if you need Keith Alexander to suss out the logic of Democratic infighting that had been clear for six months, then you’re in real trouble!

Sipher would have been better off citing the undated Report 095 (which is another report about which there should be provenance questions), which relies on the same ethnic Russian Trump insider as the August 10 report, which claims agents/facilitators within the Democratic Party and Russian émigré hackers working in the United States — a claim that is incendiary but (short of proof that the Al-Awan brothers or Seth Rich really were involved) — one that has not been substantiated.

In short, the evidence in the dossier simply doesn’t support the claim it predicted two of the three things Sipher claims it does, at least not yet.

The dossier is stronger in sketchy contacts with Russians

The dossier is stronger with respect to some, but not all Trump associates. But even there, Sipher’s defense demonstrates uneven analytic work.

First, note that Sipher relies on “renowned investigative journalist” Michael Isikoff to validate some of these claims.

Renowned investigative journalist Michael Isikoff reported in September 2016 that U.S. intelligence sources confirmed that Page met with both Sechin and Divyekin during his July trip to Russia.

[snip]

A June 2017 Yahoo News article by Michael Isikoff described the Administration’s efforts to engage the State Department about lifting sanctions “almost as soon as they took office.”

Among the six journalists Steele admits he briefed on his dossier is someone from Yahoo.

The journalists initially briefed at the end of September 2016 by [Steele] and Fusion at Fusion’s instruction were from the New York Times, the Washington Post, Yahoo News, the New Yorker and CNN. [Steele] subsequently participated in further meetings at Fusion’s instruction with Fusion and the New York Times, the Washington Post and Yahoo News, which took place in mid-October 2016.

That the Yahoo journalist is Isikoff would be a cinch to guess. But we don’t have to guess, because Isikoff made it clear it was him in his first report after the dossier got leaked.

Another of Steele’s reports, first reported by Yahoo News last September, involved alleged meetings last July between then-Trump foreign policy adviser Carter Page and two high-level Russian operatives, including Igor Sechin — a longtime associate of Russian President Vladimir Putin who became the chief executive of Rosneft, the Russian energy giant.

In other words, Sipher is engaging in navel-gazing here, citing a report based on the Steele dossier, to say it confirms what was in the Steele dossier.

Sipher similarly cites a NYT article that was among the most criticized for the way it interprets “senior Russian intelligence officials” loosely to include anyone who might be suspect of being a spook.

We have also subsequently learned of Trump’s long-standing interest in, and experience with Russia and Russians.  A February 2017 New York Times article reported that phone records and intercepted calls show that members of Trump’s campaign and other Trump associates had repeated contacts with senior Russian officials in the year before the election.  The New York Times article was also corroborated by CNN and Reuters independent reports.

The two reports he claims corroborate the NYT one fall far short of the NYT claim about talks with Russian intelligence officials — a distinction that is critical given what Sipher claims about Sergey Kislyak, which I note below.

Carter Page

Sipher cites the Carter Page FISA order as proof that some of these claims have held up.

What’s more, the Justice Department obtained a wiretap in summer 2016 on Page after satisfying a court that there was sufficient evidence to show Page was operating as a Russian agent.

But more recent reporting, by journalists Sipher elsewhere cites approvingly, reveals that Page had actually been under a FISA order as early as 2014.

Page had been the subject of a secret intelligence surveillance warrant since 2014, earlier than had been previously reported, US officials briefed on the probe told CNN.

Paul Manafort

I have no complaint with Sipher’s claims about Manafort — except to the extent he suggests Manafort’s Ukrainian corruption wasn’t know long before the election. Sipher does, however, repeat a common myth about Manafort’s influence on the GOP platform.

The quid pro quo as alleged in the dossier was for the Trump team to “sideline” the Ukrainian issue in the campaign.  We learned subsequently the Trump platform committee changed only a single plank in the 60-page Republican platform prior to the Republican convention.  Of the hundreds of Republican positions and proposals, they altered only the single sentence that called for maintaining or increasing sanctions against Russia, increasing aid for Ukraine and “providing lethal defensive weapons” to the Ukrainian military.  The Trump team changed the wording to the more benign, “appropriate assistance.”

Republicans have credibly challenged this claim about the platform. Bob Dole is credited with making the platform far harsher on China in the service of his Taiwanese clients. And Trump’s team also put in language endorsing the revival of Glass-Steagall, with support from Manafort and/or Carl Icahn.

Michael Cohen

Sipher’s discussion of Trump lawyer Michael Cohen is the weirdest of all, not least because the Cohen reports are the most incendiary but also because they were written at a time when Steele had already pitched the dossier to the media (making it far more likely the ensuing reports were the result of disinformation). Here’s how Sipher claims the Steele dossier reports have been validated.

We do not have any reporting that implicates Michael Cohen in meetings with Russians as outlined in the dossier.  However, recent revelations indicate his long-standing relationships with key Russian and Ukrainian interlocutors, and highlight his role in a previously hidden effort to build a Trump tower in Moscow. During the campaign, those efforts included email exchanges with Trump associate Felix Sater explicitly referring to getting Putin’s circle involved and helping Trump get elected.

Go look at that “recent revelations” link. It goes to this Josh Marshall post which describes its own sourcing this way:

TPM Reader BR flagged my attention to this 2007 article in The New York Post.

[snip]

Because two years ago, in February 2015, New York real estate trade sheet The Real Deal reported that Cohen purchased a $58 million rental building on the Upper East Side.

This is not recent reporting!! Again, this is stuff that was publicly known before the election.

More importantly, given Cohen’s rebuttal to the dossier, Marshall supports a claim that Cohen has ties to Ukraine, not Russia. The dossier, however, claims Cohen has ties to the latter, as Cohen mockingly notes.

Felix Sater

Then there are the Trump associates who are now known to have been central to any ties between Trump and the Russians that the Steele dossier didn’t cite — as least not as subjects (all could well be sources, which raises other questions). The first is Felix Sater, whom Sipher discusses three times in suggesting that the dossier accurately predicts Cohen’s involvement in the Russian negotiations.

To take one example, the first report says that Kremlin spokesman Dmitry Peskov was responsible for Russia’s compromising materials on Hillary Clinton, and now we have reports that Michael Cohen had contacted Peskov directly in January 2016 seeking help with a Trump business deal in Moscow (after Cohen received the email from Trump business associate Felix Sater saying “Our boy can become president of the USA and we can engineer it. I will get all of Putins team to buy in on this.”).

[snip]

Following the inauguration, Cohen was involved, again with Felix Sater, to engage in back-channel negotiations seeking a means to lift sanctions via a semi-developed Russian-Ukrainian plan (which also included the hand delivery of derogatory information on Ukrainian leaders) also fits with Orbis reporting related to Cohen.

Given that Sater’s publicly known links between mobbed up Russians and Trump go back a decade, why isn’t he mentioned in the dossier? And why does the dossier seemingly contradict these claims about an active Trump Tower deal?

Aras Agalarov and Rinat Akhmetshin

There are far more significant silences about two other Trump associates, Aras Agalarov and Rinat Akhmetshin.

To be fair, the dossier isn’t entirely silent about the former, noting in at one place that Agalarov would be the guy to go to to learn about dirt on Trump in Petersburg (elsewhere he could be a source).

Far, far more damning is the dossier’s silence (again, at least as a subject rather than source) about Akhmetshin. That’s long been one of the GOP complaints about the dossier — that Akhmetshin was closely involved with Fusion GPS on Magnitsky work in parallel with the Trump dossier, which (if Akhmetshin really is still tied to Russian intelligence) would provide an easy feedback loop to the Russians. The dossier’s silence on someone well known to Fusion GPS is all the more damning given the way that Sipher points to the June 9 meeting (which the dossier didn’t report, either) as proof that the dossier has been vindicated.

It was also apparently news to investigators when the New York Times in July 2017 published Don Jr’s emails arranging for the receipt of information held by the Russians about Hillary Clinton. How could Steele and Orbis know in June 2016 that the Russians were working actively to elect Donald Trump and damage Hillary Clinton?

[snip]

To take another example, the third Orbis report says that Trump campaign manager Paul Manafort was managing the connection with the Kremlin, and we now know that he was present at the June 9 2016 meeting with Donald Trump, Jr., Russian lawyer Natalia Veselnitskaya and Rinat Akhmetshin, who has reportedly boasted of his ties to ties and experience in Soviet intelligence and counterintelligence.  According to a recent New York Times story, “Akhmetshin told journalists that he was a longtime acquaintance of Paul J. Manafort.”

There’s no allegation that investigations didn’t know about June 2016 plan to hurt Hillary (indeed, the Guccifer 2.0 stuff that Sipher ignores was public to all). Rather they didn’t know — but neither did Fusion, who has an established relationship with Akhmetshin — about the meeting involving Akhmetshin. If you’re going to claim the June 9 meeting proves anything, it’s that the dossier as currently known has a big hole right in Fusion’s client/researcher list.

Sergey Kislyak

Which brings me — finally! — to Sipher’s weird treatment of Sergey Kislyak. Sipher argues (correctly) that Trump associates’ failure to report details of their contacts with Russians may support a conspiracy claim.

 Of course, the failure of the Trump team to report details that later leaked out and fit the narrative may make the Steele allegations appear more prescient than they otherwise might.  At the same time, the hesitancy to be honest about contacts with Russia is consistent with allegations of a conspiracy.

Of course, Trump’s folks have failed to report details of that June 9 meeting as well as meetings with Sergey Kislyak. Having now invested his vindication story on that June 9 meeting, he argues that reports about Kislyak (on which the NYT article he cites approvingly probably rely) are misguided; we need to look to that June 9 meeting intead.

It should be noted in this context, that the much-reported meetings with Ambassador Kislyak do not seem to be tied to the conspiracy. He is not an intelligence officer, and would be in the position to offer advice on politics, personalities and political culture in the United States, but would not be asked to engage in espionage activity.  It is likewise notable that Ambassador Kislyak receives only a passing reference in the Steele dossier and only having to do with his internal advice on the political fallout in the U.S. in reaction to the Russian campaign.

Of course, to determine if collusion occurred as alleged in the dossier, we would have to know if the Trump campaign continued to meet with Russian representatives subsequent to the June meeting.

This seems utterly bizarre. We know what happened after June 9, in part: Per Jared Kushner (who also is not mentioned in the dossier or Sipher’s column), immediately after the election Kislyak started moving towards meeting about Syria (not Ukraine). But in the process, Kushner may have asked for a back channel and at Kislyak’s urging, Kushner took a meeting with the head of a sanctioned bank potentially to talk about investments in his family’s debt-ridden empire. And all that is the lead-up to the Mike Flynn calls with Kislyak about sanctions relief which provide some of the proof that Trump was willing to deliver the quo that the dossier claims got offered for quids.

That latter story — of the meetings Kushner and Flynn did in the wake of the election and events that may have taken place since — is every bit as coherent a narrative as the Steele dossier or the entirely new narratives tied to the June 9 meeting (which Sipher claims are actually the Steele narrative).

Of course, neither is yet evidence of collusion. And that’s, frankly, what we as citizens should be after.

A narrative offered up by an intelligence contractor who was always trying to catch up to the central part of the story — the hack-and-leak — is not what we should be striving for. That’s why this dossier is probably mostly irrelevant to the Mueller probe, no matter how the GOP would like to insinuate the opposite. If there was collusion (or rather, coordination on all this stuff between the campaign and Russia), we should expect evidence of it. The Steele dossier, as I have noted, left out one of the key potential proofs of that, in spite of having ties with someone who attended the meeting.

All that said, it would be useful for someone responsible to respond to GOP criticisms and, where invented (such as with the claim that Steele paying sources diminishes its value), demonstrate that. It would be useful for someone to explain what we should take from the dossier.

Sipher didn’t do that, though. Indeed, his post largely suffers from the same bad analysis he accuses the media of.

Update: In the original I got the date of the final report incorrect. That has been corrected.

Update, 12/10/17: I didn’t realize it, but Just Security updated Sipher’s post to include this language, which it explains with an editor’s note saying “Editor’s note: This article was update to provide additional analysis on Carter Page.” Compare this with this. Here’s the language.

Admittedly, Isikoff’s reporting may have relied on Steele himself for that information. Isikoff, however, also reported that U.S. intelligence officials were confident enough in the information received about Page’s meeting Russian officials to brief senior members of Congress on it. There are also other indicia that are also consistent with the Orbis report but only developed or discovered later. In early December 2016, Page returned to Moscow where he said he had “the opportunity to meet with an executive from” Sechin’s state oil company. In April 2017, Page confirmed that he met with and passed documents to a Russian intelligence officer in 2013. Court documents include an intercept in April 2013 of conversations between the Russians discussing their effort to recruit Page as “as an intelligence source.” A Russian intelligence officer said of Page: “He got hooked on Gazprom … I don’t know, but it’s obvious that he wants to earn lots of money … For now his enthusiasm works for me. I also promised him a lot … You promise a favor for a favor. You get the documents from him and tell him to go fuck himself.” In late December 2016, Sechin’s chief of staff, Oleg Erovinkin “who may have been a source for ex-British spy Christopher Steele’s Trump dossier,” according to multiple reports, was found dead in the back of his car in Moscow.

But this passage introduces new errors for Sipher’s post!

First, here’s the language (in an article Just Security never links) Sipher relies on to justify using Isikoff’s Steele-based reporting to claim Steele had been proven correct.

After one of those briefings, Senate minority leader Harry Reid wrote FBI Director James Comey, citing reports of meetings between a Trump adviser (a reference to Page) and “high ranking sanctioned individuals” in Moscow over the summer as evidence of “significant and disturbing ties” between the Trump campaign and the Kremlin that needed to be investigated by the bureau.

Some of those briefed were “taken aback” when they learned about Page’s contacts in Moscow, viewing them as a possible back channel to the Russians that could undercut U.S. foreign policy, said a congressional source familiar with the briefings but who asked for anonymity due to the sensitivity of the subject. The source added that U.S. officials in the briefings indicated that intelligence reports about the adviser’s talks with senior Russian officials close to President Vladimir Putin were being “actively monitored and investigated.”

A senior U.S. law enforcement official did not dispute that characterization when asked for comment by Yahoo News. “It’s on our radar screen,” said the official about Page’s contacts with Russian officials. “It’s being looked at.”

It is true that “U.S. intelligence officials were confident enough in the information received about Page’s meeting Russian officials to brief senior members of Congress on it,” and that Harry Reid was leaking from the Steele dossier just like Isikoff was. But the “senior US law enforcement officer” does not back the identities of those Page met with, just that “it’s being looked at.”

That’s important for the way that Page’s meetings with people other than Igor Sechin have been used to claim the dossier has borne out. Not-A = A. Which is what Sipher does here, by pointing to Page saying he met with Rosneft but not Sechin. “Page says he was not referring to Sechin in his remarks,” the linked AP story says (as does Page’s congressional testimony).

Then Sipher points to language unsealed in a court filing in January 2015 that Page admitted — after reporting on it — was him. That Page was wrapped up in an earlier Russian spy prosecution is another of those things one might ask why Steele didn’t know, particularly given that the filing and the case was already public.

But the citation also exacerbates the problems with Sipher’s reliance on Page’s FISA wiretap as proof the Steele dossier proved out. As I noted above, later reports stated Page had been under FISA wiretap “since 2014, earlier than had been previously reported, US officials briefed on the probe told CNN.” That means it wasn’t the meetings in Russia, per se, that elicited the interest, but (at least) the earlier interactions with Russian spies.

Finally, Sipher points to the death of Oleg Erovinkin, something I’ve pointed to myself (and which would only be “Carter Page” analysis if Page actually had met with Sechin). Since Sipher updated this post, however, Luke Harding wrote (on page 101),

Steele was adamant that Erovinkin wasn’t his source and “not one of ours.”

As a person close to Steele put it to me: “Sometimes people just die.”

I’m not sure I find Harding entirely reliable elsewhere, and I can see why Steele would deny working with Erovinkin if the leak of his work had gotten the man killed. But if you buy Harding, then Erovinkin no longer proves the value of the Steele dossier either.

Update, 12/10: According to the Wayback Machine this change was made between October 25 and November 6. Ryan Goodman explained that he didn’t give me a hat-tip for this correction because he’s not sure whether he corrected because of me because a Daily Caller reporter also weighed in.

It is true that Chuck Ross (with whom I discuss the dossier regularly) tweeted that Sipher’s Isikoff reference was self-confirming on November 4, shortly before the change was made.

Ryan and I had a conversation about the errors in this piece on September 6, when the post first came out, both on Twitter then–late that evening–on DM. I included a link to my post and he said he was going to read it.

I guess Ryan is now confessing he never read this post, and let notice of egregious errors sit unreviewed for two months, because he didn’t like my tone.

 

image_print