How a Russian Dangle about Shadow Brokers Started Dictating NSA’s Twitter Feed

As you may know, we’ve been fostering dogs. Our current dog, June Bug (pictured above), is a terrorist. She’s really smart. She creates diversions so she can try to steal our food. We can only get her to play with dog toys if we “trick” her, by hiding them in boxes that she first destroys. But today, she got outfoxed (heh) by a squirrel. We were walking south towards a bush and a big oak and she saw the squirrel under the bush. While we were walking past the oak, the squirrel bolted up the oak so high that June Bug (who at least is better at understanding a third dimension than McCaffrey the Millennial Lab was) couldn’t see her. June Bug kept looking under the bush until finally she turned to the oak but by then the squirrel was well beyond her vision up in the oak.

This story, reported in both the Intercept and the NYT, on the CIA and NSA’s efforts to reach out to Russia to get Shadow Brokers tools feels like that exchange. Reading the two in tandem, it’s clear that the Russians learned the CIA and NSA were trying to buy back the tools released by Shadow Brokers, and used the channel the US set up with a Russian “businessman” to provide likely disinformation about Trump’s ties to Russia instead. NYT describes obtaining,

Russian produced unverified and possibly fabricated information involving Mr. Trump and others, including bank records, emails and purported Russian intelligence data.

[snip]

All are purported to be Russian intelligence reports, and each focuses on associates of Mr. Trump. Carter Page, the former campaign adviser who has been the focus of F.B.I. investigators, features in one; Robert and Rebekah Mercer, the billionaire Republican donors, in another.

The Intercept said the government even obtained an FBI report that had been purloined.

Recently, the Russians have been seeking to provide documents said to be related to Trump officials and Russian meddling in the 2016 campaign, including some purloined FBI reports and banking records.

It’s equally clear that, as things soured, the source reached out to James Risen to make sure the story would come out with the spin that the CIA had cut off the exchange because it didn’t want to receive dirt on Trump. Note, the NYT story doesn’t include the agency split.

What’s perhaps most embarrassing about the story is that the NSA tweeted out pre-arranged tweets at least ten times (the Intercept describes which tweets they were) as a signal that the American businessman intermediary was really working on behalf of the US government. The last that Risen lists is one pertaining to Section 702 on December 13.

Effectively, Russia was yanking NSA’s chain, and possibly tracking communication pathways from the American intermediary through NSA to the Twitter feed.

The incident is interesting for several reasons. First, it may corroborate the “second source” theory I posited back in September (which I was pretty sure was in the neighborhood in any case given some curious attention the post got). It seems to confirm that the spooks at least came to believe that Russia was behind the Shadow Brokers and Vault 7 compromises (though Russia doesn’t appear to have shared any legitimate non-public files, so it’s not necessarily proven).

Trump is now using this effort at disinformation the same way he has used the Steele dossier: in a bid to claim his own innocence.

I’m perhaps most interested in the timing of this. The government seemed to treat the Nghia Hoang Pho plea in early December as its explanation for how the Shadow Brokers files got stolen. If that’s true, it should know what Russia or whoever else took (or they could at least ask Kaspersky nicely, which seems to have a pretty good idea of what was there). It wouldn’t need to chase this intermediary for two more months.

And yet they did.

The Timing of Mark Warner’s PseudoScandal Texts

By now, you’ve heard about Fox News’ scoop that Mark Warner made efforts last year to obtain testimony from two key figures in the Senate Intelligence Committee investigation into Russia’s involvement in the 2016 election via DC fixer Adam Waldman: Christopher Steele and Oleg Deripaska. (In my opinion, the news buried at the bottom of the story that Deripaska agreed to provide testimony if he could get immunity, but did not get it, is far more interesting than the rest of this, but I’m not a Fox News editor.)

“We have so much to discuss u need to be careful but we can help our country,” Warner texted the lobbyist, Adam Waldman, on March 22, 2017.

“I’m in,” Waldman, whose firm has ties to Hillary Clinton, texted back to Warner.

The story also includes this paragraph, which also has gotten less attention.

Warner began texting with Waldman in February 2017 about the possibility of helping to broker a deal with the Justice Department to get the WikiLeaks founder Julian Assange to the United States to potentially face criminal charges. That went nowhere, though a Warner aide told Fox News that the senator shared his previously undisclosed private conversations about WikiLeaks with the FBI.

Interestingly, the Fox story relies on texts that Warner and Richard Burr jointly requested in June (targeting Waldman’s phone, not Warner’s, apparently), and then turned over to the committee in October. I look forward to seeing how the notoriously anti-leak Burr deals with the apparent leak of committee sensitive materials to the right wing press.

Even while the story links to texts from SSCI, it comes a week after a woman duped the famously paranoid Julian Assange into exchanging texts with her fake Sean Hannity account promising news on Mark Warner.

[Dell] Gilliam, a technical writer from Texas, was bored with the flu when she created @SeanHannity__ early Saturday morning. The Fox News host’s real account was temporarily deleted after cryptically tweeting the phrase “Form Submission 1649 | #Hannity” on Friday night. Twitter said the account had been “briefly compromised,” according to a statement provided to The Daily Beast, and was back up on Sunday morning.

[snip]

Just minutes after @SeanHannity disappeared, several accounts quickly sprung up posing as the real Hannity, shouting from Twitter exile. None were as successful as Gilliam’s @SeanHannity__ account, which has since amassed over 24,000 followers.

Gilliam then used her newfound prominence to direct message Assange as Hannity within hours.

“I can’t believe this is happening. I mean… I can. It’s crazy. Nothing can be put past people,” Gilliam, posing as Hannity, wrote to Assange. “I’m exhausted from the whole night. What about you, though? You doing ok?”

“I’m happy as long as there is a fight!” Assange responded.

Gilliam reassured Assange that she, or Hannity, was also “definitely up for a fight” and set up a call for 9:30 a.m. Eastern, about six hours later.

“You can send me messages on other channels,” said Assange, the second reference to “other channels” he made since their conversation began.

“Have some news about Warner.”

With that in mind, I want to look at the timing of some security issues last year.

While the texts turned over to Congress date to February 14, the conversation pertaining to Steele started around March 22. That puts it not long after news of a massive hack involving T-Mobile, first reported March 16.

An unusual amount of highly suspicious cellphone activity in the Washington, D.C., region is fueling concerns that a rogue entity is surveying the communications of numerous individuals, likely including U.S. government officials and foreign diplomats, according to documents viewed by the Washington Free Beacon and conversations with security insiders.

A large spike in suspicious activity on a major U.S. cellular carrier has raised red flags in the Department of Homeland Security and prompted concerns that cellphones in the region are being tracked. Such activity could allow pernicious actors to clone devices and other mobile equipment used by civilians and government insiders, according to information obtained by the Free Beacon.

It remains unclear who is behind the attacks, but the sophistication and amount of time indicates it could be a foreign nation, sources said.

I would hope to hell that former cell company mogul and current Ranking Member on the Senate Intelligence Committee running an important counterintelligence investigation Mark Warner would be aware of the security problems with mobile phones. But what do I know? [Update: Not much. Looking more closely it looks like he was using Signal.] In the last several months we’ve learned that FBI’s investigators discuss the even more sensitive aspects of the more important side of counterintelligence investigation on SMS texts on their Samsung cell phones.

¯\_(ツ)_/¯

But who knows what Waldman (who apparently chats a lot with spies, mobbed up Russian oligarchs, and — as Mike Pompeo deemed Wikileaks — non-state hostile intelligence services) knows about cell phone security?

In any case, the day before that was reported publicly, Ron Wyden and Ted Lieu sent a letter to John Kelly (who, as a reminder, in spite of or because he ran DHS for a while, had his own cell phone compromised), stating in part,

We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.

[snip]

What resources has DHS allocated to identifying and addressing SS7-related threats? Are these resources sufficient to protect U.S. government officials and the private sector.

If the government started considering such issues in March, they might have gotten around to discovering what kinds of problems were created by the T-Mobile hack in June, when Warner and Burr moved to get the texts for SSCI.

In any case, at around that point in time, APT 28 (one of the entities blamed for hacking the DNC the previous year) started a phishing campaign targeting the Senate’s email server.

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.

Reporting at the time suggested this was an effort in advance of the 2018 election (which aside from minimizing the damage Russia might do in the interim, ignores the fact that staffers are ostensibly prohibited from using Senate resources for election related activities). But it always seemed to me it would more profitably target policy.

Or, maybe the only reasonable work Congress is doing to investigate the Russians?

Whether there’s a connection between these two compromises last year or not, and Julian Assange, and this Mark Warner story, it’s clear that DC remains ill-prepared to address the counterintelligence problems they’re faced with.

Why Call Alice Donovan a Troll?

The WaPo and CounterPunch have the story of Alice Donovan, a pseudonymous persona the FBI suspected (it’s not clear starting when) of being part of a Russian influence operation. The WaPo makes it clear sources told them about the investigation (though without clearly revealing when FBI identified Donovan or when they learned about the investigation) and leaked the report behind this story (or perhaps it is all one report).

The FBI was tracking Donovan as part of a months-long counterintelligence operation code-named “NorthernNight.” Internal bureau reports described her as a pseudonymous foot soldier in an army of Kremlin-led trolls seeking to undermine America’s democratic institutions.

[snip]

The events surrounding the FBI’s NorthernNight investigation follow a pattern that repeated for years as the Russian threat was building: U.S. intelligence and law enforcement agencies saw some warning signs of Russian meddling in Europe and later in the United States but never fully grasped the breadth of the Kremlin’s ambitions.

CP first learned about it when Adam Entous called about the leaked intelligence report on her.

We received a call on Thursday morning, November 30, from Adam Entous, a national security reporter at the Washington Post. Entous said that he had a weird question to ask about one of our contributors. What did we know about Alice Donovan? It was indeed an odd question. The name was only faintly familiar. Entous said that he was asking because he’d been leaked an FBI document alleging that “Alice Donovan” was a fictitious identity with some relationship to Russia. He described the FBI document as stating that “Donovan” began pitching stories to websites in early 2016. The document cites an article titled “Cyberwarfare: Challenge of Tomorrow.”

And CP reveals they first came to believe that Donovan was fake (and not just a serial plagiarist) when a NYT story listed Donovan’s account among those that Facebook had shut down as fake.

This long story focused on dozens of phony Facebook accounts which the Times claims pushed pro-Russian messages during the election. Buried in the 28th paragraph of the story was the name “Alice Donovan.” Donovan’s Facebook page, the Times said, “pointed to documents from Mr. Soros’s Open Society Foundations that she said showed its pro-American tilt and — in rather formal language for Facebook — describe eventual means and plans of supporting opposition movements, groups or individuals in various countries.’” According to the Times, Facebook had deactivated the Donovan account after it failed a verification protocol.

CP ends by noting that for the entirety of the period when FBI was investigating this pseudonymous persona, they never informed CP.

If the FBI was so worried about the risks posed by Alice Donovan’s false persona, they could have tipped off some of the media outlets she was corresponding with. But in this case they refrained for nearly two years. Perhaps they concluded that Donovan was the hapless and ineffectual persona she appears to be. More likely, they wanted to continue tracking her. But they couldn’t do that without also snooping on American journalists and that represents an icy intrusion on the First Amendment. For a free press to function, journalists need to be free to communicate with whomever they want, without fear that their exchanges are being monitored by federal agencies. A free press needs to be free to make mistakes and learn from them. We did.

It’s an interesting example — and given my prior focus on Facebook’s intelligence apparatus (one reiterated by the revelation that Facebook has been taking down NK infrastructure of its own accord) — one that raises questions about whether FBI identified this persona or FB did.

But I’m wondering why both WaPo and CP are calling the Donovan persona a troll. While it sounds like Donovan’s election related interventions were trollish about Hillary, some of what she published at CP and other outlets clearly supported Russian policy objectives (that CP might legitimately agree with) or — as CP notes — mirrored mainstream reporting on Clinton’s emails.

Donovan served not just to poison debate, as trolls do.

So I’m wondering why people are using that term. I’m wondering, in part, why we should distinguish Donovan’s authorship (or plagiarism) of articles from leaks from foreign intelligence services, which news articles have long relied on, whether Israeli, Saudi, or Russian sources (remember, for example, how presumed Yemeni or Saudi sources have repeatedly revealed details of US or UK double agents). A number of people in DC have laughed with me about the way that Rinat Akhmetshin — a central figure in the June 9, 2016 Trump Tower meeting and as such suspected of doing Russian intelligence bidding — has long regaled mainstream journalists as a source. And I’ve suggested that Scott Balber — an American lawyer working for a Russian oligarch — may be fostering a cover story for the same meeting.

So why is one kind of intelligence disinformation called journalism and another called trolling?

Why Is Russia Finally Letting (Dubious) Details of Its Involvement in DNC Hack Out?

In recent days there have been a number of stories in Russia implicating the FSB (note, not GRU) in issues related to the DNC hack. First, there was this article from The Bell, claiming that the four Russian treason defendants (two of whom were FSB officers) are being prosecuted because they provided inside information to the US about GRU’s involvement in the DNC hack.

But it is impossible to identify which specific cyber group or groups were responsible for last year’s Democratic National Committee hack based on technical traces alone, four cyber experts polled by The Bell confirmed. To prove specifically that the GRU was involved, U.S. investigators would have needed inside sources — preferably with access to confidential state matters, one source explained. Mikhailov had that access.

Relations between intelligence agencies working on the cyber front were strained, one of Mikhailov’s acquaintances said. The FSB and GRU compete for funding and Mikhailov felt the FSB carried out cyber tasks more professionally than the GRU, according to one of his acquaintances.

He used to say that “the GRU breaks into servers in a brazen, clumsy, and brutish manner and it interfered with his own work”, the acquaintance said. Moreover “the GRU’s hackers didn’t even try to cover their tracks”.

The report said that Sergei Mikhailov — who was named (but not charged) in the Yahoo hack case — shared information on Russian hackers who wouldn’t work with the FSB with western law enforcement agencies through a cut-out named Kimberly Zenz.

Mikhailov had been working closely with Western intelligence agencies since 2010. Report written for Vrublevsky said that Mikhailov had leaked sensitive information “on Russian cyber-criminals, who had refused to cooperate with him, to a U.S. citizen”. More specifically, Mikhailov reportedly handed the U.S. citizen — a woman — information on Russian state-sponsored hacker attacks against Estonia and Georgia in 2007 and 2008.

Burykh says he found that Mikhailov gave the information to Stoyanov, who then passed it on to Kimberly Zenz of the U.S. company iDefense Intelligence. From there, it went to the U.S. Department of Defense.

Then there’s this story, reporting that a hacker tied to the Lurk group, Konstantin Kozlovsky, hacked the DNC on behalf of the FSB.

Then there’s this, from Novaya Gazeta, laying out the news.

NG questions — as I do — why this is all coming out now. Of particular interest, it notes that Kozlovsky’s claims were posted in August, but for some reason the hashtags that would have alerted people to the posted claim were not triggering, meaning the information only got noticed (at least in Russia) now.

Interestingly, the first materials on this page were posted back in August of this year. And despite the fact that sensational publications were accompanied by tags # CIB, # FSB, # Dokoutchaev, # Mikhailov # Stoyanov, # hackers, # Kaspersky, the existence of a personal page Kozlovsky in Facebook for some reason became known only in early December.

Here’s the timeline we’re currently being presented with (I’ve made some additions):

April 28, 2015: FSB accesses Lurk servers with Kaspersky’s help.

May 18, 2016: Kozlovsky arrest.

May 19-25, 2016: DNC emails shared with WikiLeaks likely exfiltrated.

November 1, 2016: Date of Kozlovsky confession.

December 5, 2016: Arrest, for treason, of FSB officers.

August 14, 2017: Kozlovsky posts November 1 confession of hacking DNC on Facebook.

November 28, 2017: Karim Baratov (co-defendant of FSB handlers) plea agreement.

December 2, 2017: Kozlovsky’s claims posted on his Facebook page.

Of particular note, the emails exfiltrated from the DNC and shared with WikiLeaks were probably not exfiltrated until the days immediately after Kozlovsky’s arrest.

As NG notes, this all may well be true (though I wonder why Russia is now letting claims it was involved in the DNC hack go public, after claiming it was uninvolved for so long). But the reason it is coming out now is at least as interesting as that it is coming out.

Update: I originally said that Mikhailov was charged in the Yahoo hack. He was described in it, but not charged.

Three Months After Problematic John Sipher Post, Just Security Makes Clear It Let Known Errors Sit for Two Months

This post was first published on September 6, the same day John Sipher’s post was published. Because of something that happened today, December 10, I’m reposting it in its entirety, along with the two updates that make it clear that when Just Security corrected one of the egregious errors I pointed out on September 6 two months later, around November 4, they didn’t credit me. In other words, they let a significant error sit for two months (and presumably haven’t even reviewed all the other problems I point out here, in spite of an extended conversation Ryan Goodman and I had about this post on September 6). Given the lefties are still making some of the same errors (notably, when Rachel Maddow hid how bad the Steele dossier was on the hack-and-leak by not mentioning the Guccifer 2.0 publications), the continued errors are telling.

If I were to write this post now, it’d show a bunch more problems. But I believe the analysis from September stands up.


I generally find former CIA officer John Sipher’s work rigorous and interesting, if not always persuasive. Which is why I find the shoddiness of this post — arguing, just as Republicans in Congress and litigious Russians start to uncover information about the Christopher Steele dossier, that the dossier is not garbage — so telling.

I don’t think the Steele dossier is garbage.

But neither do I think it supports the claim that it predicted a lot of information we’ve found since, something Sipher goes to great pains to argue. And there are far more problems with the dossier and its production than Sipher, who claims to be offering his wisdom about how to interpret raw intelligence, lets on. So the dossier isn’t garbage (though the story behind its production may well be). But Sipher’s post is. And given that it appears to be such a desperate — and frankly, unnecessary — attempt to reclaim the credibility of the dossier, it raises questions about why he feels the need.

Making and claiming accuracy for a narrative out of raw intelligence

Sipher’s project appears to be taking what he admits is raw intelligence and providing a narrative that he says we should continue to use to understand Trump’s Russian ties.

Close to the beginning of his piece, Sipher emphasizes that the dossier is not a finished intelligence report, but raw intelligence; he blames the media for not understanding the difference.

I spent almost thirty years producing what CIA calls “raw reporting” from human agents.  At heart, this is what Orbis did.  They were not producing finished analysis, but were passing on to a client distilled reporting that they had obtained in response to specific questions.  The difference is crucial, for it is the one that American journalists routinely fail to understand.

[snip]

Mr. Steele’s product is not a report delivered with a bow at the end of an investigation.  Instead, it is a series of contemporaneous raw reports that do not have the benefit of hindsight.

Sipher explains that you need analysts to make sense of these raw reports.

The onus for sorting out the veracity and for putting the reporting in context against other reporting – which may confirm or deny the new report – rests with the intelligence community’s professional analytic cadre.

He then steps into that role, an old clandestine services guy doing the work of the analysts. The result is a narrative he says we should still use — even in the wake of eight months of aggressive reporting since the dossier came out — in trying to understand what went on with the election.

As a result, they offer an overarching framework for what might have happened based on individuals on the Russian side who claimed to have insight into Moscow’s goals and operational tactics.  Until we have another more credible narrative, we should do all we can to examine closely and confirm or dispute the reports.

[snip]

Looking at new information through the framework outlined in the Steele document is not a bad place to start.

How to read a dossier

One thing Sipher aspires to do — something that would have been enormously helpful back in January — is explain how an intelligence professional converts those raw intelligence reports into a coherent report. He says the first thing you do is source validation.

In the intelligence world, we always begin with source validation, focusing on what intelligence professionals call “the chain of acquisition.”  In this case we would look for detailed information on (in this order) Orbis, Steele, his means of collection (e.g., who was working for him in collecting information), his sources, their sub-sources (witting or unwitting), and the actual people, organizations and issues being reported on.

He goes to great lengths to explain how credible Steele is, noting even that he “was the President of the Cambridge Union at university.” I don’t dispute that Steele is, by all accounts, an accomplished intelligence pro.

But Sipher unwisely invests a great deal of weight into the fact that the FBI sought to work with Steele.

The fact that the FBI reportedly sought to work with him and to pay him to develop additional information on the sources suggest that at least some of them were worth taking seriously.  At the very least, the FBI will be able to validate the credibility of the sources, and therefore better judge the information.  As one recently retired senior intelligence officer with deep experience in espionage investigations quipped, “I assign more credence to the Steele report knowing that the FBI paid him for his research.  From my experience, there is nobody more miserly than the FBI.  If they were willing to pay Mr. Steele, they must have seen something of real value.”

This is flat-out dumb for two reasons. First, it is one of the things the GOP has used to discredit the dossier and prosecution — complaining (rightly) that the FBI was using a document designed as opposition research, possibly even to apply for a FISA warrant. If the FBI did that, I’m troubled by it.

More importantly, the actual facts about whether FBI did pay Steele are very much in dispute, with three different versions in the public record and Chuck Grassley claiming the FBI has been giving conflicting details about what happened (it’s likely that FBI paid Steele’s travel to the US but not for the dossier itself).

WaPo reported that Steele had reached a verbal agreement that the FBI would pay him to continue his investigation of Russia’s involvement with Trump after still unnamed Democrats stopped paying him after the election. CNN then reported that FBI actually had paid Steele for his expenses. Finally, NBC reported Steele backed out of the deal before it was finalized.

If the FBI planned to pay Steele, but got cold feet after Steele briefed David Corn for a piece that made explicit reference to the dossier, it suggests FBI may have decided the dossier was too clearly partisan for its continued use. In any case, citing a “recently retired senior intelligence officer” claiming the FBI did pay Steele should either be accompanied by a “BREAKING, confirming the detail no one else has been able to!” tag, or should include a caveat that the record doesn’t affirmatively support that claim.

After vouching for Steele (again, I don’t dispute Steele’s credentials), Sipher lays out the other things that need to happen to properly vet raw intelligence, which he claims we can’t do.

The biggest problem with confirming the details of the Steele “dossier” is obvious: we do not know his sources, other than via the short descriptions in the reports.  In CIA’s clandestine service, we spent by far the bulk of our work finding, recruiting and validating sources.  Before we would ever consider disseminating an intelligence report, we would move heaven and earth to understand the access, reliability, trustworthiness, motivation and dependability of our source.  We believe it is critical to validate the source before we can validate the reliability of the source’s information.  How does the source know about what he/she is reporting?  How did the source get the information?  Who are his/her sub-sources?  What do we know about the sub-sources?  Why is the source sharing the information?  Is the source a serious person who has taken appropriate measures to protect their efforts?

The thing is, we actually know answers to two of these questions. First, Steele’s sources shared the information (at least in part) because they were paid. [Update, 11/15: According to CNN, Glenn Simpson testified that Steele did not pay his sources. That somewhat conflicts with suggestions made by Mike Morell, who said Steele paid intermediaries who paid his sources, but Simpson’s testimony may simply be a cute legal parse.] That’s totally normal for spying, of course, but if Sipher aspires to explain to us how to assess the dossier, he needs to admit that money changes hands and that’s just the way things are done (again, that’s all the more important given that it’s one of the bases the GOP is using to discredit the report).

More importantly, Sipher should note that Steele worked one step removed — from London, rather than from Moscow — than an intelligence officer otherwise might. The reports may still be great, but that additional step introduces more uncertainty into the validation. It’s all the more important that Sipher address these two issues, because they’re the ones the GOP has been using and will continue to use to discredit the dossier.

Ultimately, though, in his section on vetting the document, Sipher doesn’t deal with some key questions about the dossier. Way at the end of his piece, he questions whether we’re looking at the entire dossier.

We also don’t know if the 35 pages leaked by BuzzFeed is the entirety of the dossier.  I suspect not.

He doesn’t raise two other key questions about the provenance of the dossier we’ve been given, some of which I laid out when the dossier came out, when I also noted that the numbering of the dossier by itself makes it clear it’s not the complete dossier. Importantly: is the copy of the dossier leaked to BuzzFeed an unaltered copy of what Steele delivered to Fusion, in spite of the weird textual artifacts in it? And how and why did the dossier get leaked to BuzzFeed, which Steele has told us was not one of the six outlets that he briefed on its contents?

Finally, Sipher includes the obligation to “openly acknowledge the gaps in understanding” outside of the section on vetting, which is telling given that he notes only a few of the obvious gaps in this dossier.

Sipher claims the dossier predicted what wasn’t known

So there are a lot of aspects of vetting Sipher doesn’t do, whether or not he has the ability to. But having done the vetting of checking Steele’s college extracurricular record, he declares the dossier has proven to be “stunningly accurate.”

Did any of the activities reported happen as predicted?

To a large extent, yes.

The most obvious occurrence that could not have been known to Orbis in June 2016, but shines bright in retrospect is the fact that Russia undertook a coordinated and massive effort to disrupt the 2016 U.S. election to help Donald Trump, as the U.S. intelligence community itself later concluded.  Well before any public knowledge of these events, the Orbis report identified multiple elements of the Russian operation including a cyber campaign, leaked documents related to Hillary Clinton, and meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents.  Mr. Steele could not have known that the Russians stole information on Hillary Clinton, or that they were considering means to weaponize them in the U.S. election, all of which turned out to be stunningly accurate.

Now as I said above, I don’t believe the dossier is junk. But this defense of the dossier, specifically as formulated here, is junk. Central to Sipher’s proof that Steele’s dossier bears out are these claims:

  • Russia undertook a coordinated and massive effort to disrupt the 2016 U.S. election to help Donald Trump
  • The Orbis report identified multiple elements of the Russian operation including
    • A cyber campaign
    • Leaked documents related to Hillary Clinton
    • Meetings with Paul Manafort and other Trump affiliates to discuss the receipt of stolen documents

As I’ll show, these claims are, with limited exceptions, not actually what the dossier shows. Far later into the dossier, the reason Sipher frames it this way is clear. He’s taking validation from recent details about the June 9, 2016 meeting.

Of course, to determine if collusion occurred as alleged in the dossier, we would have to know if the Trump campaign continued to meet with Russian representatives subsequent to the June meeting.

The Steele dossier was way behind contemporary reporting on the hack-and-leak campaign

I consider the dossier strongest in its reports on early ties between Trump associates and Russians, as I’ll lay out below. But one area where it is — I believe this is the technical term — a shit-show is the section claiming the report predicted Russia’s hacking campaign.

Here’s how Sipher substantiates that claim.

By late fall 2016, the Orbis team reported that a Russian-supported company had been “using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against the Democratic Party leadership.” Hackers recruited by the FSB under duress were involved in the operations. According to the report, Carter Page insisted that payments be made quickly and discreetly, and that cyber operators should go to ground and cover their tracks.

[snip]

Consider, in addition, the Orbis report saying that Russia was utilizing hackers to influence voters and referring to payments to “hackers who had worked in Europe under Kremlin direction against the Clinton campaign.” A January 2017 Stanford study found that “fabricated stories favoring Donald Trump were shared a total of 30 million times, nearly quadruple the number of pro-Hillary Clinton shares leading up to the election.”  Also, in November, researchers at Oxford University published a report based on analysis of 19.4 million Twitter posts from early November prior to the election.  The report found that an “automated army of pro-Trump chatbots overwhelmed Clinton bots five to one in the days leading up to the presidential election.”  In March 2017, former FBI agent Clint Watts told Congress about websites involved in the Russian disinformation campaign “some of which mysteriously operate from Eastern Europe and are curiously led by pro-Russian editors of unknown financing.”

The Orbis report also refers specifically to the aim of the Russian influence campaign “to swing supporters of Bernie Sanders away from Hillary Clinton and across to Trump,” based on information given to Steele in early August 2016. It was not until March 2017, however, that former director of the National Security Agency, retired Gen. Keith Alexander in Senate testimony said of the Russian influence campaign, “what they were trying to do is to drive a wedge within the Democratic Party between the Clinton group and the Sanders group.”

Here’s what the dossier actually shows about both kompromat on Hillary and hacking.

June 20: In the first report, issued 6 days after the DNC announced it had been hacked by Russia, and 5 days after Guccifer 2.0 said he had sent stolen documents to WikiLeaks, the dossier spoke of kompromat on Hillary, clearly described as years old wiretaps from when she was visiting Russia. While the report conflicts internally, one part of it said it had not been distributed abroad. As I note in this post, if true, that would mean the documents Natalia Veselnitskaya shared with Trump folks on June 9 were not the kompromat in question.

July 19: After Guccifer 2.0 had released 7 posts, most with documents, and after extended reporting concluding that he was a Russian front, the second report discussed kompromat — still seemingly meaning that dated FSB dossier — as if it were prospective.

July 26: Four days after WikiLeaks released DNC emails first promised in mid-June, Steele submitted a report claiming that Russian state hackers had had “only limited success in penetrating the ‘first tier’ of foreign targets. These comprised western (especially G7 and NATO) governments, security and intelligence services and central banks, and the IFIs.” There had been public reports of FSB-associated APT 29’s hacking of such targets since at least July 2015, and public reporting on their campaigns that should have been identified when DNC did a Google search in response to FBI’s warnings in September 2015. It’s stunning anyone involved in intelligence would claim Russia hadn’t had some success penetrating those first tier targets.

Report 095: An undated report, probably dating sometime between July 26 and July 30, did state that a Trump associate admitted Russia was behind WikiLeaks release of emails, something that had been widely understood for well over a month.

July 30: A few weeks before WikiLeaks reportedly got the second tranche of (Podesta) emails, a report states that Russia is worried that the email hacking operation is spiraling out of control so “it is unlikely that these [operations] would be ratcheted up.”

August 5: A report says Dmitry Peskov, who is reportedly in charge of the campaign, is “scared shitless” about being scapegoated for it.

August 10: Just days before WikiLeaks purportedly got the Podesta tranche of emails, a report says Sergei Ivanov said “Russians would not risk their position for the time being with new leaked material, even to a third party like WikiLeaks.”

August 10: Months after a contentious primary and over two weeks after Debbie Wasserman Schultz’s resignation during the convention (purportedly because of DNC’s preference for Hillary), a report cites an ethnic Russian associate of Russian US presidential candidate Donald TRUMP campaign insider, not a Russian, saying the email leaks were designed to “swing supporters of Bernie SANDERS and away from Hillary CLINTON and across to TRUMP.” It attributes that plan to Carter Page, but does not claim any Russian government involvement in that strategy. Nor would it take a genius for anyone involved in American politics to pursue such a strategy.

August 22: A report on Manafort’s “demise” doesn’t mention emails or any kompromat.

September 14: Three months after Guccifer 2.0 first appeared, the dossier for the first time treated the Russians’ kompromat as the emails, stating that more might be released in late September. That might coincide with Craig Murray’s reported contact with a go-between (Murray has been very clear he did not ferry the emails themselves though he did have some contact in late September).

October 12: A week after the Podesta emails first started appearing, a report states that “a stream of further hacked CLINTON materials already had been injected by the Kremlin into compliant media outlets like Wikileaks, which remained at least ‘plausibly deniable’, so the stream of these would continue through October and up to the election,” something Julian Assange had made pretty clear. See this report for more.

October 18, 19, 19: Three reports produced in quick succession describe Michael Cohen’s role in covering up the Trump-Russia mess, without making any explicit (unredacted) mention of emails. See this post on that timing.

December 13: A virgin birth report produced as the US intelligence community scrambled to put together the case against Russia for the first time ties Cohen to the emails (in unredacted form).

What the timeline of the hacking allegations in the Steele dossier (and therefore also “predictions” about leaked documents) reveals is not that his sources predicted the hack-and-leak campaign, but on the contrary, that he and his sources were unbelievably behind in their understanding of Russian hacking and the campaign generally (or his Russian sources were planting outright disinformation). Someone wanting to learn about the campaign would be better off simply hanging out on Twitter or reading the many security reports issued on the hack in real time.

Perhaps Sipher wants to cover this over when he claims that, “The Russian effort was aggressive over the summer months, but seemed to back off and go into cover-up mode following the Access Hollywood revelations and the Obama Administration’s acknowledgement of Russian interference in the fall, realizing they might have gone too far and possibly benefitted Ms. Clinton.” Sure, that’s sort of (though not entirely) what the dossier described. But the reality is that WikiLeaks was dropping new Podesta emails every day, Guccifer 2.0 was parroting Russian (and Republican) themes about a rigged election, and Obama was making the first ever cyber “red phone” call to Moscow because of Russia’s continued probes of the election infrastructure (part of the Russian effort about which both the dossier and Sipher’s post are silent).

The quotes Sipher uses to defend his claim are even worse. The first passage includes two clear errors. The report in question was actually the December 13 one, not a “late fall 2016” one. And the Trump associate who agreed (in the alleged August meeting in Prague, anticipating that Hillary might win) to making quick payments to hackers was Michael Cohen, not Carter Page. [Update, 12/10/17: Just Security has fixed this error.] Many things suggest this particular report should be read with great skepticism, not least that it post-dated both the disclosure of the existence of the dossier and the election, and that this intelligence was offered up to Steele, not solicited, and was offered for free.

Next, Sipher again cites the December 13 report to claim Steele predicted something reported in a November Oxford University report (and anyway widely reported by BuzzFeed for months), which seems to require either a time machine or an explanation for why Steele didn’t report that earlier. He attributes a quote sourced to a Trump insider as indicating Russian strategy, which that report doesn’t support. And if you need Keith Alexander to suss out the logic of Democratic infighting that had been clear for six months, then you’re in real trouble!

Sipher would have been better off citing the undated Report 095 (which is another report about which there should be provenance questions), which relies on the same ethnic Russian Trump insider as the August 10 report, and which claims agents/facilitators within the Democratic Party and Russian émigré hackers working in the United States, a claim that is incendiary but (short of proof that the Al-Awan brothers or Seth Rich really were involved) one that has not been substantiated.

In short, the evidence in the dossier simply doesn’t support the claim it predicted two of the three things Sipher claims it does, at least not yet.

The dossier is stronger in sketchy contacts with Russians

The dossier is stronger with respect to some, but not all Trump associates. But even there, Sipher’s defense demonstrates uneven analytic work.

First, note that Sipher relies on “renowned investigative journalist” Michael Isikoff to validate some of these claims.

Renowned investigative journalist Michael Isikoff reported in September 2016 that U.S. intelligence sources confirmed that Page met with both Sechin and Divyekin during his July trip to Russia.

[snip]

A June 2017 Yahoo News article by Michael Isikoff described the Administration’s efforts to engage the State Department about lifting sanctions “almost as soon as they took office.”

Among the six journalists Steele admits he briefed on his dossier is someone from Yahoo.

The journalists initially briefed at the end of September 2016 by [Steele] and Fusion at Fusion’s instruction were from the New York Times, the Washington Post, Yahoo News, the New Yorker and CNN. [Steele] subsequently participated in further meetings at Fusion’s instruction with Fusion and the New York Times, the Washington Post and Yahoo News, which took place in mid-October 2016.

That the Yahoo journalist is Isikoff would be a cinch to guess. But we don’t have to guess, because Isikoff made it clear it was him in his first report after the dossier got leaked.

Another of Steele’s reports, first reported by Yahoo News last September, involved alleged meetings last July between then-Trump foreign policy adviser Carter Page and two high-level Russian operatives, including Igor Sechin — a longtime associate of Russian President Vladimir Putin who became the chief executive of Rosneft, the Russian energy giant.

In other words, Sipher is engaging in navel-gazing here, citing a report based on the Steele dossier, to say it confirms what was in the Steele dossier.

Sipher similarly cites a NYT article that was among the most criticized for the way it interprets “senior Russian intelligence officials” loosely to include anyone who might be suspected of being a spook.

We have also subsequently learned of Trump’s long-standing interest in, and experience with Russia and Russians.  A February 2017 New York Times article reported that phone records and intercepted calls show that members of Trump’s campaign and other Trump associates had repeated contacts with senior Russian officials in the year before the election.  The New York Times article was also corroborated by CNN and Reuters independent reports.

The two reports he claims corroborate the NYT one fall far short of the NYT claim about talks with Russian intelligence officials — a distinction that is critical given what Sipher claims about Sergey Kislyak, which I note below.

Carter Page

Sipher cites the Carter Page FISA order as proof that some of these claims have held up.

What’s more, the Justice Department obtained a wiretap in summer 2016 on Page after satisfying a court that there was sufficient evidence to show Page was operating as a Russian agent.

But more recent reporting, by journalists Sipher elsewhere cites approvingly, reveals that Page had actually been under a FISA order as early as 2014.

Page had been the subject of a secret intelligence surveillance warrant since 2014, earlier than had been previously reported, US officials briefed on the probe told CNN.

Paul Manafort

I have no complaint with Sipher’s claims about Manafort — except to the extent he suggests Manafort’s Ukrainian corruption wasn’t known long before the election. Sipher does, however, repeat a common myth about Manafort’s influence on the GOP platform.

The quid pro quo as alleged in the dossier was for the Trump team to “sideline” the Ukrainian issue in the campaign.  We learned subsequently the Trump platform committee changed only a single plank in the 60-page Republican platform prior to the Republican convention.  Of the hundreds of Republican positions and proposals, they altered only the single sentence that called for maintaining or increasing sanctions against Russia, increasing aid for Ukraine and “providing lethal defensive weapons” to the Ukrainian military.  The Trump team changed the wording to the more benign, “appropriate assistance.”

Republicans have credibly challenged this claim about the platform. Bob Dole is credited with making the platform far harsher on China in the service of his Taiwanese clients. And Trump’s team also put in language endorsing the revival of Glass-Steagall, with support from Manafort and/or Carl Icahn.

Michael Cohen

Sipher’s discussion of Trump lawyer Michael Cohen is the weirdest of all, not least because the Cohen reports are the most incendiary but also because they were written at a time when Steele had already pitched the dossier to the media (making it far more likely the ensuing reports were the result of disinformation). Here’s how Sipher claims the Steele dossier reports have been validated.

We do not have any reporting that implicates Michael Cohen in meetings with Russians as outlined in the dossier.  However, recent revelations indicate his long-standing relationships with key Russian and Ukrainian interlocutors, and highlight his role in a previously hidden effort to build a Trump tower in Moscow. During the campaign, those efforts included email exchanges with Trump associate Felix Sater explicitly referring to getting Putin’s circle involved and helping Trump get elected.

Go look at that “recent revelations” link. It goes to this Josh Marshall post which describes its own sourcing this way:

TPM Reader BR flagged my attention to this 2007 article in The New York Post.

[snip]

Because two years ago, in February 2015, New York real estate trade sheet The Real Deal reported that Cohen purchased a $58 million rental building on the Upper East Side.

This is not recent reporting!! Again, this is stuff that was publicly known before the election.

More importantly, given Cohen’s rebuttal to the dossier, Marshall supports a claim that Cohen has ties to Ukraine, not Russia. The dossier, however, claims Cohen has ties to the latter, as Cohen mockingly notes.

Felix Sater

Then there are the Trump associates who are now known to have been central to any ties between Trump and the Russians that the Steele dossier didn’t cite — at least not as subjects (all could well be sources, which raises other questions). The first is Felix Sater, whom Sipher discusses three times in suggesting that the dossier accurately predicts Cohen’s involvement in the Russian negotiations.

To take one example, the first report says that Kremlin spokesman Dmitry Peskov was responsible for Russia’s compromising materials on Hillary Clinton, and now we have reports that Michael Cohen had contacted Peskov directly in January 2016 seeking help with a Trump business deal in Moscow (after Cohen received the email from Trump business associate Felix Sater saying “Our boy can become president of the USA and we can engineer it. I will get all of Putins team to buy in on this.”).

[snip]

Following the inauguration, Cohen was involved, again with Felix Sater, to engage in back-channel negotiations seeking a means to lift sanctions via a semi-developed Russian-Ukrainian plan (which also included the hand delivery of derogatory information on Ukrainian leaders) also fits with Orbis reporting related to Cohen.

Given that Sater’s publicly known links between mobbed up Russians and Trump go back a decade, why isn’t he mentioned in the dossier? And why does the dossier seemingly contradict these claims about an active Trump Tower deal?

Aras Agalarov and Rinat Akhmetshin

There are far more significant silences about two other Trump associates, Aras Agalarov and Rinat Akhmetshin.

To be fair, the dossier isn’t entirely silent about the former, noting in one place that Agalarov would be the guy to go to to learn about dirt on Trump in Petersburg (elsewhere he could be a source).

Far, far more damning is the dossier’s silence (again, at least as a subject rather than source) about Akhmetshin. That’s long been one of the GOP complaints about the dossier — that Akhmetshin was closely involved with Fusion GPS on Magnitsky work in parallel with the Trump dossier, which (if Akhmetshin really is still tied to Russian intelligence) would provide an easy feedback loop to the Russians. The dossier’s silence on someone well known to Fusion GPS is all the more damning given the way that Sipher points to the June 9 meeting (which the dossier didn’t report, either) as proof that the dossier has been vindicated.

It was also apparently news to investigators when the New York Times in July 2017 published Don Jr’s emails arranging for the receipt of information held by the Russians about Hillary Clinton. How could Steele and Orbis know in June 2016 that the Russians were working actively to elect Donald Trump and damage Hillary Clinton?

[snip]

To take another example, the third Orbis report says that Trump campaign manager Paul Manafort was managing the connection with the Kremlin, and we now know that he was present at the June 9 2016 meeting with Donald Trump, Jr., Russian lawyer Natalia Veselnitskaya and Rinat Akhmetshin, who has reportedly boasted of his ties to and experience in Soviet intelligence and counterintelligence.  According to a recent New York Times story, “Akhmetshin told journalists that he was a longtime acquaintance of Paul J. Manafort.”

There’s no allegation that investigators didn’t know about the June 2016 plan to hurt Hillary (indeed, the Guccifer 2.0 stuff that Sipher ignores was public to all). Rather they didn’t know — but neither did Fusion, who has an established relationship with Akhmetshin — about the meeting involving Akhmetshin. If you’re going to claim the June 9 meeting proves anything, it’s that the dossier as currently known has a big hole right in Fusion’s client/researcher list.

Sergey Kislyak

Which brings me — finally! — to Sipher’s weird treatment of Sergey Kislyak. Sipher argues (correctly) that Trump associates’ failure to report details of their contacts with Russians may support a conspiracy claim.

 Of course, the failure of the Trump team to report details that later leaked out and fit the narrative may make the Steele allegations appear more prescient than they otherwise might.  At the same time, the hesitancy to be honest about contacts with Russia is consistent with allegations of a conspiracy.

Of course, Trump’s folks have failed to report details of that June 9 meeting as well as meetings with Sergey Kislyak. Having now invested his vindication story in that June 9 meeting, Sipher argues that reports about Kislyak (on which the NYT article he cites approvingly probably relies) are misguided; we need to look to that June 9 meeting instead.

It should be noted in this context, that the much-reported meetings with Ambassador Kislyak do not seem to be tied to the conspiracy. He is not an intelligence officer, and would be in the position to offer advice on politics, personalities and political culture in the United States, but would not be asked to engage in espionage activity.  It is likewise notable that Ambassador Kislyak receives only a passing reference in the Steele dossier and only having to do with his internal advice on the political fallout in the U.S. in reaction to the Russian campaign.

Of course, to determine if collusion occurred as alleged in the dossier, we would have to know if the Trump campaign continued to meet with Russian representatives subsequent to the June meeting.

This seems utterly bizarre. We know what happened after June 9, in part: Per Jared Kushner (who also is not mentioned in the dossier or Sipher’s column), immediately after the election Kislyak started moving towards meeting about Syria (not Ukraine). But in the process, Kushner may have asked for a back channel and at Kislyak’s urging, Kushner took a meeting with the head of a sanctioned bank potentially to talk about investments in his family’s debt-ridden empire. And all that is the lead-up to the Mike Flynn calls with Kislyak about sanctions relief which provide some of the proof that Trump was willing to deliver the quo that the dossier claims got offered for quids.

That latter story — of the meetings Kushner and Flynn did in the wake of the election and events that may have taken place since — is every bit as coherent a narrative as the Steele dossier or the entirely new narratives tied to the June 9 meeting (which Sipher claims are actually the Steele narrative).

Of course, neither is yet evidence of collusion. And that’s, frankly, what we as citizens should be after.

A narrative offered up by an intelligence contractor who was always trying to catch up to the central part of the story — the hack-and-leak — is not what we should be striving for. That’s why this dossier is probably mostly irrelevant to the Mueller probe, no matter how the GOP would like to insinuate the opposite. If there was collusion (or rather, coordination on all this stuff between the campaign and Russia), we should expect evidence of it. The Steele dossier, as I have noted, left out one of the key potential proofs of that, in spite of having ties with someone who attended the meeting.

All that said, it would be useful for someone responsible to respond to GOP criticisms and, where invented (such as with the claim that Steele paying sources diminishes its value), demonstrate that. It would be useful for someone to explain what we should take from the dossier.

Sipher didn’t do that, though. Indeed, his post largely suffers from the same bad analysis he accuses the media of.

Update: In the original I got the date of the final report incorrect. That has been corrected.

Update, 12/10/17: I didn’t realize it, but Just Security updated Sipher’s post to include this language, which it explains with an editor’s note saying “Editor’s note: This article was updated to provide additional analysis on Carter Page.” Compare this with this. Here’s the language.

Admittedly, Isikoff’s reporting may have relied on Steele himself for that information. Isikoff, however, also reported that U.S. intelligence officials were confident enough in the information received about Page’s meeting Russian officials to brief senior members of Congress on it. There are also other indicia that are also consistent with the Orbis report but only developed or discovered later. In early December 2016, Page returned to Moscow where he said he had “the opportunity to meet with an executive from” Sechin’s state oil company. In April 2017, Page confirmed that he met with and passed documents to a Russian intelligence officer in 2013. Court documents include an intercept in April 2013 of conversations between the Russians discussing their effort to recruit Page as “as an intelligence source.” A Russian intelligence officer said of Page: “He got hooked on Gazprom … I don’t know, but it’s obvious that he wants to earn lots of money … For now his enthusiasm works for me. I also promised him a lot … You promise a favor for a favor. You get the documents from him and tell him to go fuck himself.” In late December 2016, Sechin’s chief of staff, Oleg Erovinkin “who may have been a source for ex-British spy Christopher Steele’s Trump dossier,” according to multiple reports, was found dead in the back of his car in Moscow.

But this passage introduces new errors for Sipher’s post!

First, here’s the language (in an article Just Security never links) Sipher relies on to justify using Isikoff’s Steele-based reporting to claim Steele had been proven correct.

After one of those briefings, Senate minority leader Harry Reid wrote FBI Director James Comey, citing reports of meetings between a Trump adviser (a reference to Page) and “high ranking sanctioned individuals” in Moscow over the summer as evidence of “significant and disturbing ties” between the Trump campaign and the Kremlin that needed to be investigated by the bureau.

Some of those briefed were “taken aback” when they learned about Page’s contacts in Moscow, viewing them as a possible back channel to the Russians that could undercut U.S. foreign policy, said a congressional source familiar with the briefings but who asked for anonymity due to the sensitivity of the subject. The source added that U.S. officials in the briefings indicated that intelligence reports about the adviser’s talks with senior Russian officials close to President Vladimir Putin were being “actively monitored and investigated.”

A senior U.S. law enforcement official did not dispute that characterization when asked for comment by Yahoo News. “It’s on our radar screen,” said the official about Page’s contacts with Russian officials. “It’s being looked at.”

It is true that “U.S. intelligence officials were confident enough in the information received about Page’s meeting Russian officials to brief senior members of Congress on it,” and that Harry Reid was leaking from the Steele dossier just like Isikoff was. But the “senior US law enforcement officer” does not back the identities of those Page met with, just that “it’s being looked at.”

That’s important for the way that Page’s meetings with people other than Igor Sechin have been used to claim the dossier has been borne out. Not-A = A. Which is what Sipher does here, by pointing to Page saying he met with Rosneft but not Sechin. “Page says he was not referring to Sechin in his remarks,” the linked AP story says (as does Page’s congressional testimony).

Then Sipher points to language unsealed in a court filing in January 2015 that Page admitted — after reporting on it — was him. That Page was wrapped up in an earlier Russian spy prosecution is another of those things one might ask why Steele didn’t know, particularly given that the filing and the case were already public.

But the citation also exacerbates the problems with Sipher’s reliance on Page’s FISA wiretap as proof the Steele dossier proved out. As I noted above, later reports stated Page had been under FISA wiretap “since 2014, earlier than had been previously reported, US officials briefed on the probe told CNN.” That means it wasn’t the meetings in Russia, per se, that elicited the interest, but (at least) the earlier interactions with Russian spies.

Finally, Sipher points to the death of Oleg Erovinkin, something I’ve pointed to myself (and which would only be “Carter Page” analysis if Page actually had met with Sechin). Since Sipher updated this post, however, Luke Harding wrote (on page 101),

Steele was adamant that Erovinkin wasn’t his source and “not one of ours.”

As a person close to Steele put it to me: “Sometimes people just die.”

I’m not sure I find Harding entirely reliable elsewhere, and I can see why Steele would deny working with Erovinkin if the leak of his work had gotten the man killed. But if you buy Harding, then Erovinkin no longer proves the value of the Steele dossier either.

Update, 12/10: According to the Wayback Machine this change was made between October 25 and November 6. Ryan Goodman explained that he didn’t give me a hat-tip for this correction because he’s not sure whether he corrected it because of me, because a Daily Caller reporter also weighed in.

It is true that Chuck Ross (with whom I discuss the dossier regularly) tweeted that Sipher’s Isikoff reference was self-confirming on November 4, shortly before the change was made.

Ryan and I had a conversation about the errors in this piece on September 6, when the post first came out, both on Twitter then–late that evening–on DM. I included a link to my post and he said he was going to read it.

I guess Ryan is now confessing he never read this post, and let notice of egregious errors sit unreviewed for two months, because he didn’t like my tone.

 

Abbe Lowell Reveals the Complete Inadequacy of the Intelligence Committee Russian Investigations

As noted, the press has been focused on the Senate Judiciary Committee’s revelation that Jared Kushner failed to turn over several documents known to exist, which has led to more details about efforts by Aleksander Torshin to meet with people associated with the campaign.

Here are the things identified to be missing from Jared’s production to SJC.

In addition, there are several documents that are known to exist but were not included in your production. For example, other parties have produced September 2016 email communications to Mr. Kushner concerning WikiLeaks, which Mr. Kushner then forwarded to another campaign official. Such documents should have been produced in response to the third request but were not. Likewise, other parties have produced documents concerning a “Russian backdoor overture and dinner invite” which Mr. Kushner also forwarded. And still others have produced communications with Sergei Millian, copied to Mr. Kushner.

In response to the Feinstein letter revealing these details, Jared’s lawyer, the very capable Abbe Lowell, wrote back, scolding Feinstein (though the letter is also addressed to Chuck Grassley) for releasing her letter to the press. But in fact, Lowell’s letter is not responsive to four of the items laid out in Feinstein’s letter. And the way in which Lowell doesn’t respond reveals the complete inadequacy of the Intelligence Committee Russian investigations.

The four things (I noticed that) Lowell doesn’t address are:

  • A request for a copy of Jared’s own copy of his SF-86 applications
  • A privilege log
  • Call records pertaining to some of the requests
  • Communications “about” certain individuals

A request for a copy of Jared’s own copy of his SF-86 applications

Feinstein’s letter notes that Jared should have a copy of his SF-86 applications and asks for them.

However, if Mr. Kushner or his counsel retained copies of the forms, you should produce them. The SF-86 instructions explicitly advise the applicant to “retain a copy of the completed form for your records.” Moreover, with regard to your claim that the documents are confidential, while the Privacy Act limits the government’s authority to release the information provided to it, there is no restriction on your client’s ability to provide that information to Congress.

Lowell simply notes that SJC is pursuing this, and scoffs that Jared’s serially incomplete SF-86 forms might be relevant to the inquiry.

I explained to your staff that documents concerning the SF-86 are deemed government personnel records, and I know the Committee is pursuing these (again with whatever relevance they could possibly have to any real inquiry) from the proper channels.

A privilege log

Feinstein also asked that Jared work with the White House so he could release “certain documents” that might implicate executive privilege, with an eye towards providing a privilege log.

You also raised concerns that certain documents might implicate the President’s Executive Privilege and declined to produce those documents. We ask that you work with White House counsel to resolve any questions of privilege so that you can produce the documents that have been requested or provide a privilege log that describes the documents over which the President is asserting executive privilege.

While Lowell addresses documents that post-date the inauguration, he makes no comment about executive privilege at all.

Call records pertaining to some of the requests

Feinstein’s letter also notes that Jared included no phone records pertaining to some of the requests (she doesn’t say which ones).

You also have not produced any phone records that we presume exist and would relate to Mr. Kushner’s communications regarding several requests.

Lowell does not address that request at all.

Communications “about” certain individuals

Finally, and most interesting to me, even before Feinstein listed the known documents that Jared had failed to turn over, she noted that he had failed to search for communications about certain things.

For example, you limited your production in response to our second request in a manner that eliminates communications about the individuals identified in that request.[1] If, as you suggest, Mr. Kushner was unaware of, for example, any attempts at Russian interference in the 2016 presidential election, then presumably there would be few communications concerning many of the persons identified in our second request, and the corresponding burden of searching would be small.

[1] The Committee requested “[a]ll communications to, form, or copied to you relating to” certain individuals, but you stated that you “found no communications in which these individuals also appear in the to, from, or copy to lines of the communications.”

In fact, the three missing documents all might be considered such “about” communications, as they consist of forwarded emails adding further commentary.

Here’s where Lowell’s response gets really interesting. As with the request for call records, he doesn’t address the failure to search on communications “about” people at all. He doesn’t mention that he has failed to search for documents in the manner directed by the committee.

But for each of the missing documents, he explains why they wouldn’t be relevant in such a way that completely dodges the fact that, as communications “about” the persons in question, they definitely are.

A communication in which he was a copied recipient and was not about Russia contacts by him (or apparently by anyone else) was not responsive to any request about Mr. Kushner’s own contacts.

[snip]

The “Millian” email between Mr. Millian and a reporter, in which Mr. Millian is actually conferring with Michael Cohen and confirming that Mr. Millian has no relationship with the President, is also not one about contacts that Mr. Kushner, or really anyone, had that would be responsive to any relevant request.

[snip]

[of the Torshin email] Again, this was not any contact, call or meeting in which Mr. Kushner was involved.

[snip]

You can see there would be no reason for us not to provide such a clear expression that Mr. Kushner had no contacts with, nor was in collusion with, nor was pursuing any such relationship with Russia except that it was not responsive.

So not only does he offer disingenuous explanations for each of the missing documents — one after another he explains that these emails don’t involve any contact between Jared and the designated person — but he completely ignores that under the terms of the request, they were obviously responsive.

Of course, the only reason SJC learned of these emails is because the other participants in the email chains turned them over. But there are undoubtedly other emails or documents that are “about” these and presumably other requested individuals that others wouldn’t have been party to. And by ignoring the request for “about” documents, Lowell is basically completely blowing off providing those other documents, which would likely be even more interesting.

Just as an example, Jared could very well have had 100 other discussions “about” Wikileaks or Julian Assange with some unknown person, and Lowell’s incomplete search would have hidden it.

Now check out Lowell’s more general excuse for not turning over such documents:

With respect to the substance of your letter, let me start with the so-called “Missing Documents.” They are not missing at all. As you will note, after I spoke to your staff, I wrote a cover letter with our production. In that letter, I wrote: “We believe that our prior production [to the intelligence committees] contains the most pertinent documents to your inquiry into the June 9, 2016 meeting at Trump Tower, and related matters, and undercut any notion that there was collusion (or even any extensive interaction) between Mr. Kushner and Russia concerning the 2016 election.” The documents provided to those committees fully responded to their requests. That was why we said we would provide those documents to you first to see if anything else was relevant or new, and try to determine whether those documents satisfy your inquiry as well.

This production, which doesn’t include any documents about designated topics (including the June 9 meeting), satisfied the intelligence committees. That means the intelligence committees could not have asked for “about” documents (which is particularly ironic given that they’re both trying to find a way to help NSA turn “about” 702 collection back on). Which in turn means the intelligence committees likely have huge gaps in their understanding of Jared’s awareness of the Russian discussions.

And in addition to all his other contemptuous non-answers to Feinstein’s letter, Lowell says Jared shouldn’t have to sit for an interview with SJC because he already sat for 6 hours with the other committees, the committees that didn’t ask for “about” documents and therefore don’t have a complete picture of Jared’s involvement.

This is the scam that’s been going on for almost a year (which is probably why Michael Cohen has been dodging an interview with SJC too).

While his letter is otherwise totally unhelpful, it’s nice of Lowell to so clearly make evident the inadequacies of the other congressional investigations.

Update: Perhaps Mueller is facing the same problem, because he just subpoenaed the Trump campaign for more documents, by keyword.

The subpoena, which requested documents and emails from the listed campaign officials that reference a set of Russia-related keywords, marked Mr. Mueller’s first official order for information from the campaign, according to the person. The subpoena didn’t compel any officials to testify before Mr. Mueller’s grand jury, the person said.

The subpoena caught the campaign by surprise, the person said. The campaign had previously been voluntarily complying with the special counsel’s requests for information, and had been sharing with Mr. Mueller’s team the documents it provided to congressional committees as part of their probes of Russian interference into the 2016 presidential election.

The Implicit Threat in Julian Assange’s Ambassador Tweet

The other day, I suggested the Twitter Direct Messages between Wikileaks and Don Jr were underwhelming, in that some of the more damning things we might have expected did not show up in those DMs. Since then, several things have become clear. First, there were some time zone inaccuracies behind the timestamps on one of the most inflammatory claims (that Trump immediately tweeted in response to an October 12 DM from Assange; it probably was 75 minutes). And the password Wikileaks shared with Don Jr had been made available to journalists and may have been passed on by Chuck Johnson, who was currying favor with Assange at the time; that minimizes the possibility that such sharing could be deemed a CFAA or other kind of technical violation though puts Johnson more centrally in this picture.

I didn’t say explicitly enough in that post and I should have, though, that I was speaking about Don Jr, not about Wikileaks.

Wikileaks’ contributions do show the organization (and Assange in particular, in those DMs we know involved him) to be self-interested and rabidly anti-Clinton. If you haven’t known the latter fact to be true since Hillary did some pretty crazy things in 2010, then you’re new to this rodeo. That said, the tweets did elicit some righteous betrayal from Barrett Brown, which I totally respect given the price he has paid for the claimed idealism of Wikileaks (see also this story).

It’s worth remembering, as Emma Best notes, because they’ve been under unrelenting surveillance since 2010, “WikiLeaks *knew* the DMs were being monitored in real time. It was inevitable that this would leak. Simply calling this dumb misses the point and ignores the tradecraft at play.” Assange, from the refusal of inside information to the demand for an Ambassadorship, was staging a show, and we should remember that.

That said, I’m far more interested in Assange’s subsequent response to the disclosure of the emails, specifically this tweet. In the full DMs released by Don Jr (I think Wikileaks can fairly claim Atlantic took out some context — Atlantic came close to and I think should have just replicated the content of all the DMs, though Brown disagrees), this was the comment Assange made on December 16 asking to be Ambassador.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

On Tuesday, Assange posted an ostensible follow-up to that one, renewing his offer to serve as Ambassador.

Note, Assange had originally misspelled Don Jr’s twitter handle, so deleted and reposted it.

This has been taken as trolling, with Assange’s notion that he’d open a hotel in DC, as the Trumps have, with “luxury immunity suites” for whistleblowers.

But even that’s not trolling. It’s a public renewal, more explicit this time, of Assange’s request for a pardon from Trump Sr, though here he drops the “offer” of the claims laundered through Dana Rohrabacher that the emails Assange published to help Trump get elected came from an insider and not Russia. Assange wants the fuck out of his embassy closet, and he’s willing to say that explicitly, now, in a public tweet (as Best noted, making this request visible for all).

Remember, Rohrabacher was always clear that someone (or someones, but Chuck Johnson is clearly one of those people) had made clear that Trump wanted this information. Was Don Jr in on that loop?

It’s the rest of the tweet that got less attention. First, Assange’s promise of “a turbo-charged flow of intel about the latest CIA plots to undermine democracy,” a remarkable reference coming as it does in the wake of Mike Pompeo’s consideration of an alternative narrative for how Wikileaks got emails (as I noted, scheduled even as John Kelly thwarted Rohrabacher’s attempts to meet with Trump directly), not to mention Trump’s screed at John Brennan and others over the weekend.

Assange is agreeing with Trump, even if no one else is, even as the two of them both seek to push an alternative narrative that doesn’t have the Russians orchestrating Assange’s actions for Trump’s benefit, that the CIA is undermining Trump’s presidency.

It’s the hashtag, though, that most observers missed: Vault 8.

Vault 8 is the name Wikileaks has given for its release — started just Friday — of actual source code for CIA’s hacking tools, after long releasing “just” the development notes and manuals for the same tools. I noted then both the way Wikileaks was picking up Shadow Brokers’ narrative about Kaspersky, but also the multiple references to Wikileaks having the same set of NSA files as Shadow Brokers had.

I noted last December that with the December 14 Shadow Brokers release of new NSA tools (just days before Assange joked about being ambassador), the persona seemed to be engaging in extortion: “Nice little NSA here, it’d be shame if anything would happen to it.” Since that time, Shadow Brokers made good on the threat, leading to global cyberattacks. What Assange seems to be doing is similar: no longer a quid pro quo for safety in DC, but now a threat, using CIA, and tools released in CIA’s name, as hostage.

Assange is not offering to release secrets about CIA, but instead weapons leaked or stolen from them. Sure, to the extent the Vault 7 releases haven’t already, that’ll allow others to attribute CIA attacks. But it’ll also devastate the agency and badly undermine US power.

That appears to be where Assange’s request for immunity has gotten.

At Some Point Trump’s Denials Are about Criminal Defense, Not Just Denial

After hanging out with Vladimir Putin informally in Da Nang, Donald Trump again said he believes Putin’s denials that he interfered with the election.

“He said he didn’t meddle. He said he didn’t meddle. I asked him again. You can only ask so many times,” Trump told reporters aboard Air Force One as he flew from Da Nang to Hanoi in Vietnam. Trump spoke to Putin three times on the sidelines of summit here, where the Russia meddling issue arose.

“Every time he sees me, he says, ‘I didn’t do that,'” Trump said. “And I believe, I really believe, that when he tells me that, he means it.”

“I think he is very insulted by it,” Trump added.

This has the chattering class horrified, again, about what this does for the intelligence community.

That’s all true, but I think this is about more than Trump preferring the analysis of an old KGB spy.

As this NYT story released last night makes clear, the Mueller investigation is closing in on Trump’s close aides, including Stephen Miller and (as I’ll point out later) Jeff Sessions. I have reason to believe something will be announced in the very near future that will blow the investigation wide open, in ways that may directly implicate the President.

But, as I’ve said repeatedly, the Russian operation built in multiple levels of deniability, not just the WikiLeaks cut-out. So it may be that whatever actions personally implicate Trump involve enough deniability he will be able to claim — or try to — that he didn’t know the actions he took involved working directly with the Russians.

In other words, at some point these repeated public claims aren’t about trusting Putin over his intelligence community. They’re about mounting a criminal defense.

About the Timing of the Binney Meeting

The Intercept is reporting that, on Trump’s orders, Mike Pompeo met with Bill Binney on October 24 to understand his theory arguing that the DNC hack was in fact a leak.

In an interview with The Intercept, Binney said Pompeo told him that President Donald Trump had urged the CIA director to meet with Binney to discuss his assessment that the DNC data theft was an inside job. During their hour-long meeting at CIA headquarters, Pompeo said Trump told him that if Pompeo “want[ed] to know the facts, he should talk to me,” Binney said.

[snip]

Binney said that Pompeo asked whether he would be willing to meet with NSA and FBI officials to further discuss his analysis of the DNC data theft. Binney agreed and said Pompeo said he would contact him when he had arranged the meetings.

I’ve got a few comments about this.

First, I’m particularly intrigued by the timing. On Twitter, Jim Sciutto said Trump had been pushing for Pompeo to meet with Binney for several weeks.

Pompeo took the meeting at the urging of President Trump over weeks. Pompeo told Binney: “The president told me I should talk to you”

I’ve been told the meeting was set up by October 14, which means Trump has been pushing for this meeting for over a month. That dates it to around the same time as reports that Chief of Staff John Kelly was preventing Dana Rohrabacher from meeting Trump to pass on Julian Assange’s claims explaining how the emails he received didn’t come from Russia, though that scheme went back further, to mid-August.

Effectively, though, that means Trump has been trying to find some way to magnify theories that argue culprits besides Russia did the hack. The guy who begged Russia to hack Hillary’s emails in the middle of last summer is looking for some alternative narrative to push, and it’s not clear whether he cares what that narrative is.

Though, as I noted in my post on these theories, now that we know the files Guccifer 2.0 leaked were from Podesta and as-yet unidentified sources, it makes all the arguments focusing on Guccifer beside the point (and disrupts Craig Murray’s claims).

On top of a lot of other implications of this, it shifts the entire debate about whether Guccifer 2.0 was WikiLeaks’ source, which has always focused on whether the documents leaked on July 22 came from Guccifer 2.0. Regardless of what you might conclude about that, it shifts the question to whether the Podesta emails WikiLeaks posted came from Guccifer 2.0, because those are the ones where there’s clear overlap. Russia’s role in hacking Podesta has always been easier to show than its role in hacking the DNC.

It also shifts the focus away from whether FBI obtained enough details from the DNC server via the forensic image it received from Crowdstrike to adequately assess the culprit. Both the DNC and Hillary (as well as the DCCC) servers are important. Though those that squawk about this always seem to miss that FBI, via FireEye, disagreed with Crowdstrike on a key point: the degree to which the two separate sets of hackers coordinated in targeted servers; I’ve been told by someone with independent knowledge that the FBI read is the correct one, so FBI certainly did their own assessment of the forensics and may have obtained more accurate results than Crowdstrike (I’ve noted elsewhere that public IC statements make it clear that not all public reports on the Russian hacks are correct).

In other words, given that the files that Guccifer 2.0 first leaked actually preempted WikiLeaks’ release of those files by four months, what you’d need to show about the DNC file leaks is something entirely different than what has been shown.

Binney and the other skeptics aren’t even arguing the right issue anymore.

Moreover, there’s a newly public detail that may moot two key strands of the argument. Last week the WSJ (here’s the Reuters version) reported that DOJ is thinking of charging 6 Russian officials in the hack of the DNC. I get it. People are skeptical that the FBI has any better data than the NSA (though I know others, outside of the FBI, believe they’ve pinpointed hackers by name). But as part of that story, they described the four districts where the investigation into the hack (as distinct from Mueller’s investigation into the election tampering) lives.

The U.S. Justice Department has gathered enough evidence to charge six members of the Russian government in the hacking of Democratic National Committee computers before the 2016 U.S. presidential election, the Wall Street Journal reported on Thursday, citing people familiar with the investigation.

Federal agents and prosecutors in Washington, Philadelphia, Pittsburgh and San Francisco have been cooperating on the DNC investigation and prosecutors could bring the case to court next year, it said.

[snip]

The hacking investigation, conducted by cybersecurity experts, predates the appointment in May of federal special counsel Robert Mueller to oversee the probe of alleged Russian meddling in the 2016 election and possible collusion with President Donald Trump’s campaign.

Mueller and the Justice Department agreed to allow the technical cyber investigation to continue under the original team of agents and prosecutors, the Journal said.

I’m not sure the report is 100% accurate; for example, I know of a non-political witness in the election-related hack being interviewed by Mueller’s people.

But it includes a little-noticed detail that I know to be accurate — and important to rebut the claim that the copying speed claimed by Forensicator requires a conclusion incompatible with Russia carrying out the hack. Part of the investigation is in Philadelphia.

When Reuters first reported a tripartite structure of the investigation in February, it included San Francisco (the Guccifer 2.0 investigation), Pittsburgh (the Russian side, probably focused on known APTs), and DC (the counterintelligence side — though that would significantly be Mueller’s investigation).

Philadelphia was not included. I only know a bit about the Philadelphia side of the investigation, but I do know that part of the investigation is located there because of a server in the district. So one way or another, we know that the FBI is conducting an investigation in an Eastern city as part of the hacking investigation based on the use of a server in the district. That doesn’t necessarily mean they’re investigating Russians. But it means even if you account for a server in the eastern time zone, you still have FBI preparing to charge Russians for the hack.

Which brings us to the last line of the Intercept article.

Binney said that since their meeting, he has not heard from Pompeo about scheduling follow-up meetings with the NSA and FBI.

Granted, it has only been two weeks. But in that time, not even Pompeo’s prodding has made the FBI (more likely) or the NSA (which still has bad blood with Binney) remotely curious about these theories.

On Metadata and Manipulation: the First Guccifer 2.0 Documents

In its (very worthwhile) coverage of the data it obtained from Secureworks, the AP reveals at least the fifth piece of deception pertaining to the first documents released by Guccifer 2.0 on June 15, 2016. It revealed that Guccifer 2.0 added the word “confidential” (possibly as both the watermark shown on the front page and in the footer) to this document.

But there were signs of dishonesty from the start. The first document Guccifer 2.0 published on June 15 came not from the DNC as advertised but from Podesta’s inbox, according to a former DNC official who spoke on condition of anonymity because he was not authorized to speak to the press.

The official said the word “CONFIDENTIAL” was not in the original document.

Guccifer 2.0 had airbrushed it to catch reporters’ attention.

Here’s that watermark, which would have led reporters obtaining the document to ascribe it more value than it had.

On top of that change, we know that Guccifer 2.0 deliberately used the name Felix Edmundovich, invoking Iron Felix, the founder of the KGB (though another document invoked Che Guevara in the same way) in the metadata of the document.

This analysis and this analysis compellingly show, in my opinion, that the other Russian metadata in the documents was also deliberately placed there.

Finally, I believe that the addition of Warren Flood as author was also deliberate.

In addition, Guccifer 2.0 released these documents as DNC documents when in fact they are either Podesta documents or have not yet been sourced.

Now, Guccifer 2.0 in fact didn’t hide some of these alterations. Some were identified the same day the documents were released. But at the time they were interpreted as OpSec failures, rather than intentional deception. To this day, skeptics try to argue that the intentional deception of the rest of the metadata is somehow different than the tribute to Iron Felix (which is a mirror to the assumption in the early days that the Iron Felix was deliberate but the other Russian metadata was not, which I criticized here), without explaining why that would be the case.

In this post, I talked about how some of the other deception — pitching these Podesta (and other) documents as DNC documents — would have been a way to taunt the DNC and Crowdstrike for their false claims downplaying the hack. (Note, in the post, I ask why Guccifer 2.0 harped on VAN so much; the AP piece reveals that VAN officials and those working on voter registration were targeted, which suggests maybe the Russians did get VAN data and we simply don’t know about it.)

So contrary to the belief of some commentators, it has long been known that Guccifer 2.0 altered these documents. But I don’t think there has been a full accounting of all the ways that it worked (it’s not even clear we know the full extent of the deception).

For now, I’m going to leave these multiple layers of deception laid out (I’d add that whatever cutout led Julian Assange to believe, or at least to claim, the documents were sourced to Americans is another layer of deception, a different kind of metadata).

There were multiple layers of deception built into these first documents, alternately taunting the Democrats who would have known them to be deception, the analysts who mistook them as mistakes, and the press who took them to indicate real value. I suspect there are at least two more layers of deception here.

But it’s worth noting that no one was immune from this deception, and it’s likely there are still a few layers that we’re missing here.

Update: As Thomas Rid notes on Twitter, one of the first five documents Guccifer 2.0 released is a version of one that Guccifer 1.0 had released.
