Unwinding a Multithreaded Beast

This is more than the usual caveat asking readers to note the byline on this post. I’m not the expert at this site on the investigations by Special Counsel’s Office or any other law enforcement body — for that see Marcy’s or bmaz’s posts and comments.

However I spend a lot of time on information technology, which is how I ended up reading a report on internet-mediated information warfare.

Last year the Senate Select Committee on Intelligence held a hearing about Foreign Influence on Social Media. One of the commissioned and invited research organizations was New Knowledge (NK), a cybersecurity/information integrity consultancy. NK’s director of research delivered prepared remarks and a whitepaper providing an overview of Russia’s influence operations and information warfare program.

The paper is a peppy read; it will little surprise those who have followed the Trump-Russia investigation and the role social media played in the 2016 election. But there are still bits which are intriguing — more so months after the paper was first delivered, in light of long-time ratfucker Roger Stone’s indictment this past week.

Note these two excerpts from the report:

Stone’s indictment contains no link to last year’s indictment of the Russian Internet Research Agency personnel. The IRA charges don’t overlap with Stone’s at all (count numbers from the indictments in parentheses).

Stone:
(1) Obstruction of Proceeding
(2-6) False Statements
(7) Witness Tampering

IRA:
(1) Conspiracy (to gain unauthorized access, hack and steal information)
(1) Wire Fraud Conspiracy
(3-7) Wire Fraud
(8,9) Aggravated Identity Theft
(10) Conspiracy to Commit Money Laundering

But Stone’s indictment reveals an interesting overlap of threads between Stone’s efforts on behalf of the Trump campaign and the information warfare operation the IRA conducted in 2016.

Why was the IRA propelling content to fluff Assange’s credibility in the days before the release of the hacked emails Stone was trying to manage? This is a rather odd service to offer as a tenth anniversary gift to a so-called journalism outlet which should be able to point to its achievements on its own.

The IRA wasn’t alone in its Assange cred-fluffing. What a coincidence the UK tabloid DailyMail also touted Assange’s ability to affect Clinton’s campaign with a release of hacked emails — and at nearly the same time the IRA was pumping up Assange’s image.

How odd this DailyMail piece was pegged to Wikileaks’ anniversary, but the headline on the article and subhead treat the anniversary as an afterthought compared to the hacked emails and their effect on the Clinton campaign.

It doesn’t look like social media alone manipulated public perception, or that manipulation was confined to U.S. media.

Perhaps these two threads — the IRA’s influence operation/information warfare and Stone’s hacked email ratfucking — weren’t directed by a common entity. The public may not know depending on the course of SCO’s criminal and counterintelligence investigations and what information is released. But they certainly sewed toward the same outcome.

Three Things: Russia and China Spying, Kavanope

[NB: Yes, it’s Rayne, not Marcy. Check the byline.]

Huge news earlier today related to spying. Really big. MASSIVE.

And a MASSIVE cover-up pawned off on the feeble-minded as a ‘complete investigation’ into Dr. Ford’s and Deborah Ramirez’s accusations against Brett Kavanaugh.

~ 3 ~

Bloomberg published an epic piece of investigative journalism this morning about China’s spying on U.S. businesses by way of tiny chips embedded in server motherboards. The photos in the story are just as important as the must-read story itself as they crystallize a challenge for U.S. intelligence and tech communities. Like this pic:

That tiny pale obelisk to the right of the penny represents one of the malicious chips found in affected Supermicro brand motherboards shipped to the U.S. market — nearly as small as the numbers in the date on the coin. Imagine looking for something this puny before a machine is turned on and begins to launch its operating system. Imagine trying to find it when it is sandwiched inside the board itself, embedded in the fiberglass on top of which components are cemented.

The chip could undermine encryption and passwords, making any system open to those who know about its presence. According to Bloomberg reporters Jordan Robertson and Michael Riley, the chips found their way into motherboards used by Apple and Amazon.

Information security folks are scrambling right now because this report rocks their assumptions about the supply chain and their overall infosec worldview. Quite a few doubt this Bloomberg report, their skepticism heightened by the carefully worded denials offered by affected and relevant parties Apple, Amazon, Supermicro, and China. Apple provided an itemization of what it believed Bloomberg Businessweek got wrong along with its denial.

I’ll have more on this in a future post. Yes, indeedy.

~ 2 ~

A cooperative, organized response by Britain, The Netherlands, U.S., and Canada today included the indictment of seven Russians by the U.S. for conspiracy, conspiracy to commit wire fraud, wire fraud, aggravated identity theft, and conspiracy to launder money. The Russians have been identified as members of a GRU team organized out of a facility in Moscow, working on hacking and a disinformation influence campaign focused on anti-doping entities and non-Russian Olympic athletic competitors.

Note the underlined bit in this excerpt from the indictment (pdf) — the last indictment I copied with similar wording was that of Evgeny Buryakov and his two comrades, the three spies based in New York City who worked with “Male-1”, now known to be Carter Page. Who are the known and unknown? Persons who have flipped or co-conspirators yet to be named?

The UK released a statement as did the Canadians, and Netherlands issued a joint statement with the UK about the entirety of spying for which this GRU team is believed to be responsible, including an attempt to breach the Organisation for the Prohibition of Chemical Weapons’ (OPCW) facility analyzing the Novichok nerve agent used to poison the Skripals in the UK as well as chemicals used against Syrians.

Cryptocurrency news outlets report concerns that this indictment reveals the extent of USDOJ’s ability to trace cryptocurrency.

An interesting coincidence took place overnight as well — Russian Deputy Attorney General Saak Karapetyan died last night when an unauthorized helicopter flight crashed northeast of Moscow. Karapetyan had been linked this past January to Natalia Veselnitskaya and an attempt to recruit Switzerland’s top investigator as double-agents. But Karapetyan had also been involved in Russia’s response to the poisoning of Alexander Litvinenko and the aftermath of the Skripals’ poisoning in the UK.

What remarkable timing.

One might wonder if this accident had anything to do with the unusual release of GRU personnel details by the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice during their joint statement today.

By comparing the released identity documents, passports, automobile registrations and the addresses provided when cars were rented, a total of 305 GRU agents may have been identified by bellingcat and The Insider, including four of the seven men wanted by the U.S. for the anti-doping hacking as well as the attempted breach of OPCW.

The identity of the four GRU agents accused of targeting the OPCW was cinched by a taxi receipt in one agent’s pocket from a location on the road next to the GRU’s facility in Russia. Four agents also had consecutive passport numbers.

What remarkably bad opsec.

~ 1 ~

As for the impending vote on Brett Kavanaugh:

– Senator Heidi Heitkamp is voting her conscience — NO on Kavanaugh.
– Senator Joe Manchin is now the lone Dem holdout; he says he’s still listening but hasn’t seen anything incriminating from Kavanaugh’s adulthood. (Gee, I wonder why.)
– Senator Bob Menendez didn’t mince words. He said “It’s a bullshit investigation.” (He should know what a thorough investigation looks like).

And the beer-loving former Yale frat boy had an op-ed published in the Wall Street Journal which pleads with us to lose all intelligence and believe that he is really very neutral. I am not even going to link to that POS which has re-enraged women all over the country.

GTFO.

Continue calling your senators to thank them for a NO vote on Kavanaugh so that they aren’t hearing right-wing demands alone. Congressional switchboard: (202) 224-3121

~ 0 ~

This is an open thread. Sic ’em.

Three Things: Still Active Measures

[Note the byline. This post contains some speculative content. / ~Rayne]

Whether counter-arguments or conspiracy theories, it’s interesting how certain narratives are pushed when tensions rise. But are they really theories or conditioning? And if conditioning, could other media infrastructure changes create more successful conditioning?

~ 3 ~

In an interview with Fox News post-Helsinki summit, Vladimir Putin made a point of blaming the Democratic Party for “manipulations of their party.”

…“The idea was about hacking an email account of a Democratic candidate. Was it some rigging of facts? Was it some forgery of facts? That’s the important thing that I am trying to — point that I’m trying to make. Was this — any false information planted? No. It wasn’t.”

The hackers, he said, entered “a certain email account and there was information about manipulations conducted within the Democratic Party to incline the process in favor of one candidate.” …

Have to give Putin props for sticking with a game plan — increase friction within the American left and fragment Democratic Party support to the benefit of Trump and the Republican Party at the polls and ultimately Putin himself if sanctions are lifted. Christopher Steele indicated in the Trump-Russia dossier that the Kremlin was using active measures to this effect in 2016 to widen the divide between Sanders and Clinton supporters; apparently left-splitting active measures continue.

But this is only part of an attack on the Democratic Party; another narrative undermines both the DNC and the FBI by questioning the investigation into the DNC’s hacking. Why didn’t the FBI take possession of the server itself rather than settle for an image of the system? A key technical reason is that any RAM-resident malware used by hackers will disappear into the ether if the machine is turned off; other digital footprints found only in memory would likewise disappear. “The server” isn’t one machine with a single hard drive, either, but 140 devices — some of which were cloud-based. Not exactly something the FBI can power down and take back to a forensic lab with ease, especially during the hottest part of a campaign season.

But these points are never effectively made as a counter narrative, though some have tried with explainers, and certainly not featured in broadcast or cable news programs. The doubt is left to hang in the public’s consciousness, conditioning them to question FBI’s competence and the validity of their investigative work.

If Putin is still using active measures to divide Democratic Party voters, is it possible this narrative about the hacked DNC server is also an ongoing active measure? What if the active measure isn’t meant to undermine the FBI by questioning its actions? What if instead the lingering doubt is intended to shape future investigations into hacked materials which may also rely on server images rather than physical possession of the hardware? What if this active measure is pre-crime, intended to tamper with future evidence collection?

~ 2 ~

I’d begun drafting this post more than a week ago, but came to a halt when FCC chair Ajit Pai did something surprisingly uncorrupt by putting the brakes on the Sinclair-Tribune merger.

Sinclair Broadcast Group is a propaganda outlet masquerading as a broadcast media company. The mandatory airing of Boris Epsteyn’s program across all Sinclair stations offers evidence of Sinclair’s true raison d’être; Epsteyn is a Russian-born former GOP political strategist who has been responsible for messaging in both the McCain-Palin campaign and the Trump administration, including the egregious 2017 Holocaust Remembrance Day statement which omitted any mention of Jews. The mandatory statement Sinclair management forced its TV stations to air earlier this year about “fake news” is yet another. The forced ubiquity and uniformity of messaging is a new element at Sinclair, which already had a history of right-wing messaging including the attempt to run a Kerry-bashing political movie to “swiftboat” the candidate just before the 2004 elections.

Sinclair and Tribune Media announced a proposed acquisition deal last May. If approved, the completed acquisition would give Sinclair access to 72% of U.S. homes — an insanely large percentage of the local broadcast TV market effectively creating a monopoly. There was bipartisan Congressional pushback about this deal because of this perceived potential monopoly.

FCC’s Ajit Pai wanted to relax regulations covering UHF stations — they would be counted as less than a full VHF station and therefore appear to reduce ownership of marketshare. Democrats protested this move as it offered Sinclair unfavorable advantage when evaluating stations it would acquire or be forced to sell during its Tribune acquisition.

Fortunately, Pai had “serious concerns” about the Sinclair-Tribune deal:

We have no idea to which administrative judge this deal may be handed, let alone their sentiments on media consolidation. We don’t know if this judge might be Trump-friendly and rule in favor of Sinclair, taking this horror off Ajit Pai’s back — which might be the real reason Pai punted after his egregious handling of net neutrality and the pummeling he’s received for it, including the hacking of the FCC’s comments leading up to his decision to end Obama-era net neutrality regulations and subsequent “misleading” statements to the media about the hack. New York State is currently investigating misuse of NY residents’ identities in the hack; one might wonder if Pai is worried about any personal exposure arising from this investigation.

BUT WAIT…the reason I started this post began not in New York but in the UK, after reading that Remain turnout may have been suppressed by news reports about “travel chaos,” bad weather, and long lines at the polls. Had the traditional media played a role in shaping turnout with its reporting?

I went looking for similar reports in the U.S. — and yes, news reports of long lines may have discouraged hundreds of thousands of voters in Florida in 2012. This wasn’t the only location with such reports in the U.S. during the last three general elections; minority voters are also far more likely to experience these waits than voters in majority white areas.

Probabilistic reports about a candidate’s win/loss may also suppress turnout, according to a Pew Research study.

Think about low-income voters who can’t afford cable TV or broadband internet, or live in a rural location where cable TV and broadband internet isn’t available. What news source are they likely to rely upon for news about candidates and voting, especially local polling places?

Hello, local broadcast network television station.

Imagine how voter turnout could be manipulated with reports of long lines and not-quite-accurate probabilistic reports about candidates and initiatives.

Imagine how a nationwide vote could be manipulated by a mandatory company-wide series of reports across a system of broadcast TV stations accessing 72% of U.S. homes.

How else might a media company with monopolistic access to American households condition the public’s response to issues?

~ 1 ~

There was all kinds of hullabaloo about the intersection of retiring Justice Anthony Kennedy, his son Justin, and Justin’s employment at Deutsche Bank at the same time DB extended financing to Donald Trump. It looks bad on the face of it.

And of course one prominent defense-cum-fact-check portrays Justin’s relationship to DB’s loans to Trump as merely administrative:

The extent to which Kennedy worked with Trump on this loan, or possibly on other Deutsche Bank matters, is unclear. “In that role, as the trader, he would have no contact with Trump … unless Eric [Schwartz] was trying to get Justin in front of Trump for schmoozing reasons,” Offit said, adding that he had recently spoken with former colleagues at the bank about Kennedy’s work.

Seems odd there has been little note made of Jared Kushner’s relationship with LNR Partners LLC — a company which Manta says has only 17 employees — and its subsidiary LNR Property which financed the Kushner 666 Fifth Avenue property in 2012. There was a report in Medium and another on DailyKos but little note made in mainstream news media.

I’m sure it’s just a coincidence that along with his business partner, Justin Kennedy was named 26th on the 50 Most Important People in Commercial Real Estate Finance in 2013 by the Commercial Observer — a publication of Observer Media, then owned by Jared Kushner.

I wonder what Justin’s rank was on this list while he worked at Deutsche Bank (also with current business partner Toby Cobb).

How odd this deal and the relationship wasn’t defended. I guess it’s just coincidence all the amphibians and reptiles know each other well in the swamp.

~ 0 ~

Let’s not forget:

587 Puerto Rican homes still don’t have electricity.

All asylum seeking families haven’t been reunited. Children may still be in danger due to poor care and lack of adequate tracking. As of yesterday only 364 children of more than 2500 torn from their families were reunited.

Treat this as an open thread.

The Gaping Holes in the SSCI Voting Security Report: Vendors and Mitch McConnell

The Senate Intelligence Committee released a 6-page report, titled “Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations,” on how to secure elections last night.

While it is carefully hedged (noting that states may have missed forensic evidence and new evidence may become available), it confirms that “cyber actors affiliated with the Russian Government” conducted the operation and that no “vote tallies were manipulated or [] voter registration information was deleted or modified.” It says the intrusions were “part of a larger campaign to prepare to undermine confidence in the voting process,” but in its admission that, “the Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action,” doesn’t explain that the reason Russia would have decided against action was because Trump won.

The report is laudable for the care with which it describes the various levels of intrusion: scan, malicious access attempts, and successful access attempts. As it concludes, in a small number of states (which must be six or fewer), hackers could have changed registration data, but could not have changed vote totals.

In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.

Among its recommendations, the report suggests that,

Election experts, security officials, cybersecurity experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.

This would avoid shitty NBC reporting that falsely leads voters to believe over 20 states were successfully hacked.

Ultimately, though, this report offers weak suggestions, using the word “should” 18 times, never once calling on Congress to fulfill some of its recommendations (such as providing resources to states), and simply suggesting that the Executive warn of consequences for further attacks.

U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.

Predictably (especially coming from a Chair whose own reelection in 2016 is due, in part, to his party’s abuse of North Carolina’s administration of elections), the report affirms the importance of states remaining in charge.

States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

I guess Richard Burr would like the Federal government to give his colleagues more money to disenfranchise brown people.

But it’s not just in its weak suggestions that the report falls short. There are two significant silences that discredit the report as a whole: Mitch McConnell, and vendors.

For example, in a long section discussing laying out why DHS’ warnings in 2016 were insufficient, the report complains that the October 7, 2016 statement was not adequate warning.

DHS’s notifications in the summer of 2016 and the public statement by DHS and the ODNI in October 2016 were not sufficient warning.

The report remains utterly silent about Mitch McConnell’s refusal to back a more forceful statement (and, as I’ve noted, Burr and fellow Trump advisor Devin Nunes himself never joined any statement about the attacks).

In other words, while this report talks about gaps and is happy to blame DHS, it doesn’t consider the past and proposed role of top members of Congress.

The other big gap in this report has to do with the vendors on which our election system relies. To be sure, the report does, twice, acknowledge the importance of private sector companies in counting our vote, first when it describes vendors as enticing targets that might need to be bound by more than voluntary guidelines.

Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target for malicious cyber actors. State, local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for Security, abiding by those guidelines is currently voluntary.

As a solution, it said that state and local officials should perform risk assessments for election infrastructure vendors, not that they should do so themselves (or be held to any mandated standards).

Perform risk assessments for any current or potential third-party vendors to ensure they are meeting the necessary cyber security standards in protecting their election systems.

Not all states and almost no local officials are going to have the ability to do this risk assessment, and there’s no reason why it should be done over and over again across the country.

That’s particularly true given the fact that the election vendor market has gotten increasingly concentrated (a vulnerability the report acknowledges but offers no remedy for).

Voting systems across the United States are outdated, and many do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation. In addition, the number of vendors selling machines is shrinking, raising concerns about supply chain vulnerability.

The report also suggests that DHS educate vendors.

DHS should work with vendors to educate them about the potential vulnerabilities of both voting machines and the supply chains.

But in a report that acknowledges the key role played by vendors in administering our elections, the report remains silent about Russian efforts to compromise them in 2016. Indeed, in its accounting of how many states were affected, the report admits its numbers don’t include vendors.

In addition, the numbers do not include any potential attacks on third-party vendors.

And yet — thanks in large part to Reality Winner — we know Russia did target vendors. Not only did they target them, but they appear to have succeeded, and succeeded in a way that may have affected the vote in North Carolina, Burr’s state.

In short, the report leaves a key aspect of known Russian efforts to target the vote completely unexamined, and it doesn’t consider the many ways that compromising vendors, by means beyond cyberattacks, might affect the vote.

Perhaps the report is silent about vendors precisely because of Winner’s pending case, to avoid publicly mentioning in unclassified form the attacks described in the document she is accused of leaking. Or perhaps the committee just did an inadequate job of reviewing what happened in 2016.

Whichever it is, it’s unacceptable.

The Daily Beast Guccifer Scoop and Those GRU Officers Sanctioned Last Week

The Daily Beast has a story reporting (in addition to the already reported news that the DNC hack got moved under Robert Mueller) that the person behind the Guccifer 2.0 persona “slipped up” once and failed to use the VPN hiding his location in the GRU headquarters in Moscow.

[O]n one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation.

The US identified which particular officer was behind the Guccifer persona.

Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.
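The kind of check that surfaces a lapse like the one described above is routine on the defender’s side: a service provider or investigator reviewing an account’s login history looks for a source address that falls outside the ranges the account has always arrived from. The following is an added example, not code from the post or from The Daily Beast’s reporting; the log lines use RFC 5737 documentation addresses, the account name `persona_x`, the timestamps and the “known VPN range” are all constructed for illustration, and the `infer_baseline` heuristic (treat any /24 seen at least twice as normal) is an assumption rather than any real investigator’s method.

```python
import ipaddress
from collections import Counter

# Constructed sample log: "timestamp account source_ip" (RFC 5737 documentation addresses).
# Three logins arrive from the usual exit range; one does not.
SAMPLE_LOG = """\
2016-06-15T10:02:11Z persona_x 198.51.100.10
2016-06-15T11:45:03Z persona_x 198.51.100.22
2016-06-16T09:12:47Z persona_x 192.0.2.77
2016-06-17T08:30:00Z persona_x 198.51.100.10
2016-06-17T09:00:00Z other_user 203.0.113.5
"""

# Constructed assumption: the exit range the account's VPN provider normally uses.
KNOWN_VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse 'timestamp account ip' lines into (timestamp, account, ip_address) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole sweep
        ts, account, ip = parts
        events.append((ts, account, ipaddress.ip_address(ip)))
    return events


def infer_baseline(events, account, prefix=24, min_count=2):
    """Networks (aggregated to /prefix) the account has used at least min_count times.

    Hypothetical heuristic: repeated networks are treated as the account's normal exits,
    so a one-off address from elsewhere stands out even without a list of VPN ranges.
    """
    nets = Counter(
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        for _, acct, ip in events
        if acct == account
    )
    return [net for net, n in nets.items() if n >= min_count]


def find_outliers(events, account, known_ranges=None):
    """Return events for `account` whose source IP lies outside the expected ranges.

    If known_ranges is None, the baseline is inferred from the account's own history.
    """
    ranges = known_ranges if known_ranges is not None else infer_baseline(events, account)
    return [
        (ts, acct, str(ip))
        for ts, acct, ip in events
        if acct == account and not any(ip in net for net in ranges)
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, acct, ip in find_outliers(events, "persona_x", KNOWN_VPN_RANGES):
        print(f"{ts} {acct} logged in from {ip}, outside the expected VPN ranges")
```

Both paths (an explicit list of VPN ranges, or a baseline inferred from the account’s own history) flag the same single event here; in practice the inferred baseline is what an analyst falls back on when the provider’s exit ranges are not known in advance, and a stricter prefix or higher `min_count` trades false positives for missed outliers.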

And then, according to TDB, the Guccifer persona was handed off to a more experienced GRU officer, with better English skills.

Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.

TDB’s sources did not reveal the name of the officer identified from the VPN “slip up.”

The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.

But we may already know the name or names of the GRU officers involved. As I noted last week, Treasury added two names to the list of GRU officers sanctioned in conjunction with the DNC hack: Sergei Afanasyev and Grigoriy Viktorovich Molchanov. Both would actually be (very) experienced officers — they are 55 and 62. And both include very interesting “as of” dates identifying the last point when our intelligence officials identified their positions: February 2017 and April 2016, respectively.

The latter is of particular interest, as it came during the period when Guccifer 2.0 was setting up his infrastructure. But the government doesn’t know a ton about this guy — they know his birth year, but not his birth date, and possibly not even his passport information.

In any case, last week, the government revealed two new people it blames (and therefore sanctioned) for the DNC hack.

As TDB notes, the revelation that the government has tied Guccifer 2.0 to a known GRU officer is utterly damning for Roger Stone, who has admitted talking to him. But they don’t lay out how squirrelly Stone was in early March when trying to deny he was in trouble for his dalliances with Guccifer 2.0 and Wikileaks, which I laid out here.

In his response he does the following:

  • Raises doubts that he was actually talking to Guccifer 2.0 (even though Guccifer 2.0’s only identity was virtual, so Stone’s online interactions with any entity running the Guccifer Twitter account would by definition be communication with Guccifer 2.0)
  • Repeats his earlier doubts that Guccifer 2.0 is a Russian operative
  • Emphasizes that he couldn’t have been involved in any hack of the DNC Guccifer 2.0 had done because he first spoke to him six weeks after the email release (in reality, he was speaking to him three weeks after the Wikileaks release)
  • Admits he once believed Guccifer 2.0 did the hack but (pointing to the Bill Binney analysis, and giving it a slightly different focus than he had in September) claims he no longer believes that
  • Invents something about a WaPo report that’s not true, thereby shifting the focus to receiving documents (as opposed to, say, information)
  • Denies he received documents from anyone but not that he saw documents (other than the Wikileaks ones) before they were released

This denial stops well short of explaining why he reached out to Guccifer. And it does nothing to change the record — one backed by his own writing — that Stone reached out because he believed Guccifer, whoever he might be, had hacked the DNC.

At the time Stone reached out to Guccifer (as I pointed out, he misrepresented the timing of this somewhat in his testimony), he believed Guccifer had violated the law by hacking the DNC.

He never does explain to Todd why he did reach out.

Guccifer 2.0 never comes back in the remainder of the interview.

Just weeks ago, when his buddy Sam Nunberg was giving (potentially immunized) testimony to the grand jury, Stone was really really squirrelly about whether his conversations with Guccifer 2.0 put him at legal jeopardy. The confirmation of the GRU tie may provide one reason why he’s so squirrelly.

Update: As Kaspersky’s Aleks Gostev notes, Treasury should know far more on Sergei Afanasyev. RT publicly described him as Deputy Chief of GRU in April 2016. And Molchanov is, at least now, head of GRU’s academy.

The New Russian Hack Sanctions

The Treasury Department issued new Russian sanctions today, partly fulfilling the congressionally-mandated requirement it do so, but also adding to the retaliatory sanctions President Obama imposed in December 2016. Effectively, this applies the Countering America’s Adversaries Through Sanctions Act of 2017 (CAATSA) sanctions ordered by Congress to the Russian spooks (but not the private hackers) Obama sanctioned, and applies the Obama EO-based sanctions to the Russians and companies listed in the Internet Research Agency indictment.

The breadth of accused activities

Given the limited number of people actually newly sanctioned (and the symbolic nature of sanctions imposed on people who are unlikely to travel to or have money in the US), this may be just Steve Mnuchin’s effort to buy time for the Administration; the Treasury press release even includes a promise for more CAATSA sanctions at a later date.

“The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure,” said Treasury Secretary Steven T. Mnuchin. “These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia. Treasury intends to impose additional CAATSA sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the U.S. financial system.”

That said, the press release for the sanctions is rather interesting in the breadth of activities these sanctions are said to be retaliation for. It includes the election hack, the NotPetya attack recently attributed to GRU (the rough equivalent to DIA) by the UK and US, and ongoing attacks on American critical infrastructure. (DHS and FBI issued a report on the latter.)

Today’s action counters Russia’s continuing destabilizing activities, ranging from interference in the 2016 U.S. election to conducting destructive cyber-attacks, including the NotPetya attack, a cyber-attack attributed to the Russian military on February 15, 2018 in statements released by the White House and the British Government. This cyber-attack was the most destructive and costly cyber-attack in history. The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. Additionally, several hospitals in the United States were unable to create electronic records for more than a week.

Since at least March 2016, Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Indicators of compromise, and technical details on the tactics, techniques, and procedures, are provided in the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.

The move happens to come as the White House issued a formal statement joining European allies in pinning the attempted assassination of former GRU officer Sergei Skripal on Russia, and as Trump endorsed that view in statements to the press.

FSB not SVR sanctions

In addition to not resanctioning the private individuals named in December 2016, today’s sanctions are interesting in that they continue to blame FSB (a more thuggish equivalent of FBI) alongside GRU for the hack. I described why the inclusion of FSB was interesting here.

But it’s interesting for another reason: recent reporting. Both Dutch reporting on how the Netherlands’ intelligence service caught Russian hackers in real time and a recent David Sanger article have instead credited SVR (the rough equivalent of CIA) with the hack. The head of SVR is already sanctioned, but it would seem that if the most up-to-date intelligence says SVR did the hack, SVR officers might be included here.

Two new GRU sanctionees — of the age they might have overlapped with Skripal

The sanctions also add two new GRU officers described only as senior GRU officers.

AFANASYEV, Sergei (a.k.a. AFANASYEV, Sergey), Russia; DOB 16 May 1963; Gender Male (individual) [CAATSA – RUSSIA] (Linked To: MAIN INTELLIGENCE DIRECTORATE).

MOLCHANOV, Grigoriy Viktorovich; DOB 01 Jan 1956 to 31 Dec 1956; citizen Russia; Gender Male (individual) [CAATSA – RUSSIA] (Linked To: MAIN INTELLIGENCE DIRECTORATE).

At roughly 55 and 62, these guys may have overlapped with Skripal (as would the others, whom the US obviously has more information on).

The last known dates

Perhaps most interesting, however, the Treasury press release description of the targeted GRU officers includes fascinating “as of” dates that would seem to indicate the last time it’s willing to admit we’ve gotten intelligence on these people.

Korobov came to the US in late January (and he’s a public figure that our own intelligence services would coordinate with), so it’s unsurprising his information is the most up-to-date, to that same time.

But we apparently have (or admit to having) more recent data, dating to last February, on one of the people newly added to this list, Afanasyev, than on the First Deputies originally sanctioned. That precedes the NotPetya activity being sanctioned here.

Most interesting is Molchanov. We not only don’t have passport information for him (though that’s not definitive, as none of the IRA people have passports listed, and we must have passport numbers for the ones that traveled to the US), but we don’t even have a solid date of birth. The “as of” date for him, April 2016, comes before the DNC hack was public, but around the time George Papadopoulos was learning about it. It also comes from before the sanctions in December 2016. Clearly, we’ve learned something about him since then that has won him significantly more focus, even if we don’t know when to send his birthday greetings.

These two new additions are both pretty old to be doing any hacking themselves (indeed, they’re contemporaries of all the top brass). But their addition may suggest we’ve learned more about how GRU’s hacking operates.

Why Has Putin Changed His Mind about Whether Russians Who Hacked the US Are Patriots Or Others?

Now, with even more performed disdain! As you’ve no doubt heard, Megyn Kelly came out from wherever NBC has been hiding her to do another interview with Vladimir Putin. Over and over, Putin effectively said he doesn’t give a fuck if some Russians interfered in the US election, but that this was not a state effort.

His most noted denial suggested that even if Russians did tamper in the US election, they might not be real Russians: they might be Ukrainians, Tatars, or Jews.

“So what if they’re Russians?” Putin said of the people named in last month’s indictment. “There are 146 million Russians. So what? … I don’t care. I couldn’t care less. … They do not represent the interests of the Russian state.”

Putin even suggested that Jews or other ethnic groups had been involved in the meddling.

“Maybe they’re not even Russians,” he said. “Maybe they’re Ukrainians, Tatars, Jews, just with Russian citizenship. Even that needs to be checked. Maybe they have dual citizenship. Or maybe a green card. Maybe it was the Americans who paid them for this work. How do you know? I don’t know.”

Most of the coverage of this exchange is shocked that Putin made such an anti-semitic (and otherwise bigoted) comment.

But I’m more interested why he did so.

When I last commented on what I saw as a shift from outright denial to admission that Russian hackers might have been involved, Putin was describing the offending Russians as patriots.

Putin raised the possibility of attacks on foreign votes by what he portrayed as free-spirited Russian patriots. Hackers, he said, “are like artists” who choose their targets depending how they feel “when they wake up in the morning.” Any such attacks, he added, could not alter the result of elections in Europe, America or elsewhere.

Artists, he said, paint if they wake up feeling in good spirits while hackers respond if “they wake up and read that something is going on in interstate relations” that prompts them to take action. “If they are patriotically minded, they start making their contributions — which are right, from their point of view — to the fight against those who say bad things about Russia,” Mr. Putin added, apparently referring to Hillary Clinton.

Here, he’s suggesting any freelancing Russian offenders are the opposite, the kind of internal others that Putin has increasingly demonized as part of his formula to stay in power (curiously, however, he didn’t suggest they might be gay). He’s responding to the first accusations of Russian tampering, the Internet Research Agency indictment, by suggesting that any Russian that took part must be other than Russian. He does this even while he mocks the possibility Russia might extradite any of the accused, based on Russia’s standard refusal to extradite “Russians.”

So any Russians accused of tampering in the US election are labeled, post hoc and preemptively (assuming Robert Mueller is on his way to indicting Russians for the hack, as well), Russians for legal purposes, but not-Russian for cultural ones, for the political expediency of having natural scapegoats.

Why is he doing this, and who is his audience?

That he suspects he will need to scapegoat any Russian accused in the operation suggests something about it will be unpleasant and will need deniability in a way it might not have last June.

But is he playing to American prejudices in blaming Jews (and Ukrainians and Tatars, which wouldn’t trigger even the most bigoted Americans)? That might make sense given that this interview was with an American network (unlike the June comments, which were for St. Petersburg journalists).

Or is he playing to Russian prejudices (which makes more sense, given the targets)? It would mean Putin’s open disdain for Kelly is a performance for his domestic audience, as well.

Most interestingly, if he is prepping scapegoats for his domestic audience, does he think the Russian response to any upcoming exposure at the hands of Mueller will be negative in a way he once believed it’d be positive? That would surprise me … but it is the most logical explanation given how he is pre-emptively demonizing what he once claimed would be patriotic.

Roger Stone’s Rat-Eating Swiss Cheese Denials

Back when Roger Stone leaked his September testimony to HPSCI, I noted that it misrepresented the key allegations against him, meaning he never denied the important parts.

I’m even more interested in how he depicts what he claims are the three allegations made against him.

Members of this Committee have made three basic assertions against me which must be rebutted here today. The charge that I knew in advance about, and predicted, the hacking of the Clinton campaign chairman John Podesta’s email, that I had advanced knowledge of the source or actual content of the WikiLeaks disclosures regarding Hillary Clinton or that, my now public exchange with a persona that our intelligence agencies claim, but cannot prove, is a Russian asset, is anything but innocuous and are entirely false.

In point of fact, this tripartite accusation is actually a misstatement of the allegations against him (though in his rebuttal of them, he is helped immensely by the sloppiness of public statements made by Democrats, especially those on the panel, which I’ve criticized myself). Generally, the accusation is more direct: that in conversing with both Julian Assange (through a cut-out) and Guccifer 2.0, Stone was facilitating or in some way helping the Trump campaign maximally exploit the Russian releases that were coming.

The same is true of his interview with Chuck Todd yesterday.

I’m most interested in the way Stone addresses his direct exchange with Guccifer 2.0, then restricts the rest of his denials to Wikileaks. When Todd asks Stone why he reached out to both Guccifer and Wikileaks, Stone focuses his attention on the former.

Todd: Why did you reach out to Guccifer? Why did you reach out to Wikileaks?

Stone: First of all, my direct messages with Guccifer 2.0, if that’s who it really is, come six weeks, almost six weeks after the DNC emails had been published by Wikileaks. So in order to collude in their hacking, which I had nothing whatsoever to do with, one would have needed a time machine. Secondarily, I wrote a very long piece, you can find it still at the Stone Cold Truth. I doubt that Guccifer is, indeed, a Russian operative. I also once believed that he had hacked the DNC. I don’t believe that anymore either. I believe it was an inside job and the preponderance of evidence points to a load to a thumb drive or some other portable device and the device is coming out the back door. But, Chuck, ten days ago, the Washington Post reported, based on the Democratic minority, that the Russians had sent documents to me for review. I never received any documents from the Russians or anybody representing them. I never had any contact with any

Todd: Did you receive any documents and you didn’t know it was a Russian?

Stone: I never received any documents from anyone purporting to be a Russian or otherwise, and I never saw the Wikileaks documents in advance.

In his response he does the following:

  • Raises doubts that he was actually talking to Guccifer 2.0 (even though Guccifer 2.0’s only identity was virtual, so Stone’s online interactions with any entity running the Guccifer Twitter account would by definition be communication with Guccifer 2.0)
  • Repeats his earlier doubts that Guccifer 2.0 is a Russian operative
  • Emphasizes that he couldn’t have been involved in any hack of the DNC Guccifer 2.0 had done because he first spoke to him six weeks after the email release (in reality, he was speaking to him three weeks after the Wikileaks release)
  • Admits he once believed Guccifer 2.0 did the hack but (pointing to the Bill Binney analysis, and giving it a slightly different focus than he had in September) claims he no longer believes that
  • Invents something about a WaPo report that’s not true, thereby shifting the focus to receiving documents (as opposed to, say, information)
  • Denies he received documents from anyone but not that he saw documents (other than the Wikileaks ones) before they were released

This denial stops well short of explaining why he reached out to Guccifer. And it does nothing to change the record — one backed by his own writing — that Stone reached out because he believed Guccifer, whoever he might be, had hacked the DNC.

At the time Stone reached out to Guccifer (as I pointed out, he misrepresented the timing of this somewhat in his testimony), he believed Guccifer had violated the law by hacking the DNC.

He never does explain to Todd why he did reach out.

Guccifer 2.0 never comes back in the remainder of the interview. The first time Todd asks Stone if there had been “collusion” with the Russians, Stone answers it generally, insisting Trump needed no help to beat Hillary.

Todd: You have made the case here that there was no collusion here that you’re aware of. Would it have been wrong to collude with a foreign adversary to undermine Hillary Clinton’s campaign?

Stone: Well, there’s no evidence that this happened, you’re asking me to answer a hypothetical question. It seems to me that Mr. Steele was colluding with the Russians.

Todd: Let me ask you this. Do you think it’s fair game to get incriminating evidence from a foreign government about your political opponent?

Stone: But that didn’t happen, Chuck, so I’m not going to answer a hypothetical question. It was unnecessary. The idea that Donald Trump needed help from the Russians to beat Hillary Clinton it’s an excuse, a canard, a fairy tale. I don’t believe it ever happened.

The next time — when Stone first labels then backs way the fuck off labeling conspiring with the Russians as treason — Stone then focuses on how such conspiring would only be treason if you believed that Assange was a Russian agent.

Stone: Chuck I’ve been accused of being a dirty trickster. There’s one trick that’s not in my bag. That’s treason. I have no knowledge or involvement with Russians–

Todd: And you believe

Stone: And I have no knowledge of anybody else who does.

Todd: Let me establish something. You believe, if unbeknownst to you, there is somebody on the Trump campaign who worked with the Russians on these email releases, that’s a treasonous act?

Stone: No, actually, I don’t think so because for it to be a treasonous act, Assange would have to be provably a Russian asset, and Wikileaks would have to be a Russian front and I do not believe that’s the case.

Todd: Let me back you up there. You think it’s possible Wikileaks and the Trump campaign coordinated the release?

Stone: I didn’t say that at all. I have no knowledge of that and I make no such claim.

Todd: No, I understand that. You just issued that hypothetical. So what you’re saying is had that occurred you don’t believe that’s, you don’t believe, you don’t believe that that’s against the law?

Stone: This is all based on a premise that Wikileaks is a Russian front and Assange is a Russian agent. As I said I reject that. On the other hand I have no knowledge that that happened. It certainly did not happen in my case. That isn’t something I was involved in.

When asked whether it would be illegal to work with Wikileaks (Stone’s contacts with Guccifer at a time he believed Guccifer to have hacked the DNC go unmentioned) Stone again focuses on whether Wikileaks was Russian, not on the conspiracy to hack and leak documents.

This focus on Wikileaks instead of Guccifer 2.0 carries over to the statement Stone issued to ABC:

I never received anything whatsoever from WikiLeaks regarding the source, content or timing of their disclosures regarding Hillary Clinton, the DNC or Podesta. I never received any material from them at all. I never received any material from any source that constituted the material ultimately published by WikiLeaks. I never discussed the WikiLeaks disclosures regarding Hillary Clinton or the DNC with candidate or President Donald Trump before during or after the election. I don’t know what Donald Trump knew about the WikiLeaks disclosures regarding Hillary or the DNC if anything and who he learned it from if anyone.

No one, including Sam Nunberg, is in possession of any evidence to the contrary because such evidence does not exist … This will be an impossible case to bring because the allegation that I knew about the WikiLeaks disclosures beyond what Assange himself had said in interviews and tweets or that I had and shared this material with anyone in the Trump campaign or anyone else is categorically false. Assange himself has said and written that I never predicted anything that he had not already stated in public.

There’s very good reason Stone would want to focus on Wikileaks rather than Guccifer.

Even by his own dodgy explanation, at the time he reached out to Guccifer, he believed that Guccifer had hacked the DNC. While it’s true that the public record shows Stone stopping short of accepting documents from Guccifer (all this ignores Stone’s reported involvement in a Guccifer-suggested Peter Smith effort to obtain Hillary’s Clinton Foundation emails), Stone’s interest in coordinating with the hack-and-leak is clear.

And it seems Sam Nunberg may fear that his past testimony and communications with Stone would document that interest. If he knows Stone did have non-public communications with Guccifer, but didn’t believe Guccifer to be Russian, it would also explain why Nunberg said he thought Putin was too smart to collude with Trump, but that his testimony might hurt Stone.

Adding one more point to this: early in the interview, Stone goes to some lengths to say that he proved he had actually separated from the Trump campaign by contemporaneously showing two reporters his resignation letter. This is akin to something Carter Page did in his HPSCI testimony. But given how many of those conspiring with Russia on the Trump campaign (Carter Page — especially after his departure, George Papadopoulos, and Paul Manafort) didn’t have formal roles, it’s not clear that letter would be definitive. Indeed, it might be the opposite, one of a group of people who arranged plausible deniability by getting or staying off the campaign payroll.

Update: Fixed my misrepresentation of Stone’s claim about the six week delay, and fact-checked it to note it was only three weeks.

Reality Winner Seeks to Use Trump’s Denials of Russian Hacking in Her Defense

Last week, Reality Winner had a hearing on her bid to get her interview with the FBI thrown out because they didn’t issue her a Miranda warning (Kevin Gosztola covered and discussed it on Democracy Now). Given the precedents on Miranda, I think that bid is unlikely to succeed.

But there is a tack her defense is taking that, as far as I’ve seen, has gotten no notice, one that is far more interesting. Winner is seeking to use Trump’s comments denying that the Russians hacked the election to argue the document she is accused of leaking to The Intercept isn’t actually National Defense Information, the standard the government has to prove to secure an Espionage conviction.

In her discovery requests, Winner asked for three (entirely redacted) categories of documents “reflecting statements made by high-ranking governmental officials regarding information contained in the document,” all of which were denied (see PDF 87).

A discovery appeal submitted in January (but only released on February 13) makes clear that Winner’s defense attorneys are going to argue that the intelligence in the report she is accused of leaking cannot be National Defense Information because the President’s statements would be taken to suggest the intelligence is not true.

However, high-ranking government officials, including the President of the United States, have made statements undermining and/or contradicting that contention. That is of great import because, if the information in the Document is inaccurate (as the President and other high-ranking officials have said), it cannot be NDI. While the defense may seek to capture some of this information in the public domain, it cannot capture statements made privately by these high-ranking officials.

Bill Leonard, the former head of the federal classification authority, ISOO, who has served as expert witness on two other cases involving Espionage charges, laid out the logic of the argument this way (PDF 102-3):

[T]here are governmental actors, including high-level governmental actors (such as the President of the United States), that have made conflicting and/or contradicting statements in comparison to the Government’s position here. In other words, these high-level governmental officials have made statements undermining the veracity of the information contained in the Document, which would impact whether the Document actually contains “national defense information” because, if inaccurate, the Government’s contention that its disclosure could harm the national security of the United States would be severely undermined. Indeed, the President is the highest level of authority in our classification system and has virtually unrestricted access to information in our intelligence system. He is, therefore, in the best position to know the particulars of any piece of intelligence, including its sensitivity and its veracity. Consequently, records reflecting statements made by high-ranking governmental officials, including and in particular, the President of the United States, relating to the information contained in the Document (including statements contradicting the truth or veracity of the information at issue) are highly relevant and are critical to the determination of whether or not it is closely held and/or whether or not its disclosure would potentially damage the national security.

There are a number of other challenges the government is facing with this case (not least that — as I’ve pointed out — similar information has been leaked to the press without any apparent prosecution arising from it).

But Trump’s self-interested denials are the most interesting. After all, he cannot admit that Russia affected the election, because he has staked so much on the claim that that will lessen his legitimacy (not to mention any risk such an admission exposes him to in the Mueller investigation). As Leonard notes, the entire classification system is built on presidential authority, and if he says something isn’t true, it will seriously undermine any claim a prosecutor can make at trial that Winner leaked true National Defense Information.

Effectively, some prosecutor will be in a position of having to point out what we all know, that the President is a liar. Given Trump’s propensity towards rage-induced firings, I imagine the government would like to avoid this pickle.

NBC’s Broken Story about Mueller Charging the DNC Hackers

NBC has a BROKEN story reporting that Robert Mueller is contemplating charges against the people who carried out the hack of the DNC (and other targets) in 2016.

Special Counsel Robert Mueller is assembling a case for criminal charges against Russians who carried out the hacking and leaking of private information designed to hurt Democrats in the 2016 election, multiple current and former government officials familiar with the matter tell NBC News.

Much like the indictment Mueller filed last month charging a different group of Russians in a social media trolling and illegal-ad-buying scheme, the possible new charges are expected to rely heavily on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS), several of the officials say.

Mueller’s consideration of charges accusing Russians in the hacking case has not been reported previously. Sources say he has long had sufficient evidence to make a case, but strategic issues could dictate the timing. Potential charges include violations of statutes on conspiracy, election law as well as the Computer Fraud and Abuse Act. One U.S. official briefed on the matter said the charges are not imminent, but other knowledgeable sources said they are expected in the next few weeks or months. It’s also possible Mueller opts not to move forward because of concerns about exposing intelligence or other reasons — or that he files the indictment under seal, so the public doesn’t see it initially.

As they have frequently of late, they misunderstand the story they’re telling. They misunderstand this sentence, entirely.

Mueller’s consideration of charges accusing Russians in the hacking case has not been reported previously.

It’s not news, at all, that DOJ was considering charges against those who carried out the hack. Nor is it news that DOJ had enough evidence to charge people in it.

Here’s what WSJ reported on those two topics in November, almost exactly four months ago.

The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.

Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.

[snip]

The pinpointing of particular Russian military and intelligence hackers highlights the exhaustive nature of the government’s probe. It also suggests the eagerness of some federal prosecutors and Federal Bureau of Investigation agents to file charges against those responsible, even if the result is naming the alleged perpetrators publicly and making it difficult for them to travel, rather than incarcerating them. Arresting Russian operatives is highly unlikely, people familiar with the probe said.

So: not news that DOJ had pinpointed Russians responsible, not news they were planning on charges “next year” last year, which would mean, “this year” this year.

What is news is that this reporting from the WSJ report is no longer operative.

Federal prosecutors and federal agents working in Washington, Pittsburgh, San Francisco and Philadelphia have been collaborating on the DNC investigation. The inquiry is being conducted separately from Special Counsel Robert Mueller’s investigation of alleged Russian meddling in the 2016 election and any possible collusion by President Donald Trump’s associates.

[snip]

The Justice Department and FBI investigation into the DNC hack had been under way for nearly a year, by prosecutors and agents with cyber expertise, before Mr. Mueller was appointed in May. Rather than take over the relatively technical cyber investigation, Mr. Mueller and the Justice Department agreed that it would be better for the original prosecutors and agents to retain that aspect of the case, the people familiar with the Justice Department-FBI probe said. [my emphasis]

Mind you, we’ve since learned that Ryan Dickey got added to Mueller’s team … oh, in November. And contrary to what NBC says about the heavy reliance, in the Internet Research Agency indictment, “on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS),” it really wasn’t all that sophisticated from a cybersecurity standpoint. Especially not once you consider the interesting forensics on it (aside from IDing the IRA’s VPNs) would have come from Facebook and Twitter.

You don’t need Dickey’s talents for the IRA indictment. You need him for something that is technical.

I’ll leave it for you to consider what it means that Mueller subsumed this part of the investigation even as WSJ was reporting he wasn’t going to do that. I’ll leave you to consider, too, what it means that they brought in a prosecutor with the ability to try these things.

But understand that the news here is not that DOJ is contemplating indicting the people behind the DNC hack. WSJ already scooped that story. It’s that Mueller, not prosecutors in Pittsburgh, San Francisco and Philadelphia, is going to charge it.
