Wikileaks Permadrip: “Other Vault 7 Documents”

WikiLeaks has released the second in what they promise to be many further releases of CIA hacking tools it calls Vault 7. This release, which it dubs Dark Matter, consists of just 12 documents, which means (if WikiLkeak’s past claims about how big this leak is are true) the releases could go on forever.

As Motherboard lays out, the tools that got released are old — they date from 2008 to 2013.

While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who’s been studying Apple computers for years.

Judging from the documents, Vilaca told Motherboard in an online chat, it “looks like CIA were very early adopters of attacks on EFI.”

“It looks like CIA is very interested in Mac/iOS targets, which makes sense since high value targets like to use [those],” Vilaca told me. “Also interesting the lag between their tools and public research. Of course there’s always unpublished research but cool to see them ahead.”

But — because I’m as interested in how Wikileaks is releasing these tools as I am in what it is releasing — it appears that WL may be sitting on more recent documents related to compromising Apple products. WL’s press release describes other Vault 7 documents, plural, that refer to more recent versions of a tool designed to attack MacBook Airs. But it includes just one of those more recent documents in this dump.

While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

That seems to suggest that there are other, more current Apple tools in WikiLeaks’ possession besides the one developmental document linked. If so it raises the same questions I raised here: is it doing so as a pose of responsible release, withholding the active exploits until Apple can fix them? Or is it withholding the best tools for its own purposes, potentially its own or others’ use? Or, given this account, perhaps Wikileaks is playing a game of chicken with the CIA, seeing whether CIA will self-disclose the newer, still unreleased exploits before Wikileaks posts them. Thus far, neither side is being forthcoming with affected tech companies, if public reports are to be believed.

In either case, I’m just as interested in what Wikileaks is doing with the files it is sitting on as I am the dated ones that have been released.

Update: In his presser the other day, Julian Assange did provide a list of tech companies he had reached out to.

In his March 23 press conference, Assange offered the following timeline relating to WikiLeaks’ communications with technology firms:

  • March 12: WikiLeaks reached out to Apple, Google, Microsoft and Mozilla.

  • March 12: Mozilla replied to WikiLeaks, agreeing to its terms. The aforementioned Cisco engineer also reached out.

  • March 13: Google “acknowledged receipt of our initial approach but didn’t address the terms,” Assange said.

  • March 15: MikroTek contacted WikiLeaks; it makes a controller that’s widely used in VoIP equipment.

  • March 17: Mozilla replied, asked for more files.

  • March 18: WikiLeaks told Mozilla it’s looking for the information.

  • March 20: First contact from Microsoft “not agreeing to the standard terms, but pointing to their standard procedures,” Assange said, including providing a PGP email key. Google also replied the same day, pointing to their standard procedures, and including a PGP email key.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Temporal Feint in Adam Schiff’s Neat Narrative

I did four — count them! four! — interviews on the Russian hearing yesterday. And one thing I realized over the course of the interviews is that people were far more impressed with Adam Schiff’s opening speech than they should have been.

I want to look closely at this passage which — if it were accurate — would be a tight little presentation of quid pro quo tied to the change of platform at the July 18-21, 2016 RNC. But it’s not. I’ve bolded the two claims that are most problematic, though the presentation as a whole is misleading.

In early July, Carter Page, someone candidate Trump identified as one of his national security advisors, travels to Moscow on a trip approved by the Trump campaign. While in Moscow, he gives a speech critical of the United States and other western countries for what he believes is a hypocritical focus on democratization and efforts to fight corruption.

According to Christopher Steele, a former British intelligence officer who is reportedly held in high regard by U.S. Intelligence, Russian sources tell him that Page has also had a secret meeting with Igor Sechin (SEH-CHIN), CEO of Russian gas giant Rosneft. Sechin is reported to be a former KGB agent and close friend of Putin’s. According to Steele’s Russian sources, Page is offered brokerage fees by Sechin on a deal involving a 19 percent share of the company. According to Reuters, the sale of a 19.5 percent share in Rosneft later takes place, with unknown purchasers and unknown brokerage fees.

Also, according to Steele’s Russian sources, the Trump campaign is offered documents damaging to Hillary Clinton, which the Russians would publish through an outlet that gives them deniability, like Wikileaks. The hacked documents would be in exchange for a Trump Administration policy that de-emphasizes Russia’s invasion of Ukraine and instead focuses on criticizing NATO countries for not paying their fare share – policies which, even as recently as the President’s meeting last week with Angela Merkel, have now presciently come to pass.

In the middle of July, Paul Manafort, the Trump campaign manager and someone who was long on the payroll of Pro-Russian Ukrainian interests, attends the Republican Party convention. Carter Page, back from Moscow, also attends the convention. According to Steele, it was Manafort who chose Page to serve as a go-between for the Trump campaign and Russian interests. Ambassador Kislyak, who presides over a Russian embassy in which diplomatic personnel would later be expelled as likely spies, also attends the Republican Party convention and meets with Carter Page and additional Trump Advisors JD Gordon and Walid Phares. It was JD Gordon who approved Page’s trip to Moscow. Ambassador Kislyak also meets with Trump campaign national security chair and now Attorney General Jeff Sessions. Sessions would later deny meeting with Russian officials during his Senate confirmation hearing.

Just prior to the convention, the Republican Party platform is changed, removing a section that supports the provision of “lethal defensive weapons” to Ukraine, an action that would be contrary to Russian interests. Manafort categorically denies involvement by the Trump campaign in altering the platform. But the Republican Party delegate who offered the language in support of providing defensive weapons to Ukraine states that it was removed at the insistence of the Trump campaign. Later, JD Gordon admits opposing the inclusion of the provision at the time it was being debated and prior to its being removed.

Later in July, and after the convention, the first stolen emails detrimental to Hillary Clinton appear on Wikileaks. A hacker who goes by the moniker Guccifer 2.0 claims responsibility for hacking the DNC and giving the documents to Wikileaks. But leading private cyber security firms including CrowdStrike, Mandiant, and ThreatConnect review the evidence of the hack and conclude with high certainty that it was the work of APT28 and APT29, who were known to be Russian intelligence services. The U.S. Intelligence community also later confirms that the documents were in fact stolen by Russian intelligence and Guccifer 2.0 acted as a front. [emphasis on most problematic claims mine]

What Schiff tries to do here is suggest that the Russians offered Trump kompromat on Hillary, Trump’s team changed the GOP platform, and then in response the Russians started releasing the DNC emails through Wikileaks.

Later in the hearing, several Republicans disputed the nature of the change in the platform. Both in and outside of the hearing, Republicans have noted that the changed platform matched the policy in place by the Obama Administration at the time: to help Ukraine, but stop short of arming them. All that said, the story on this has clearly changed. The change in the platform clearly shows the influence of Russophiles moving the party away from its hawkish stance, but it’s not enough, in my opinion, to sustain the claims of quid pro quo. [Update: One of the outside the hearing arguments that the platform was not weakened is this Byron York piece b linked, which argues the platform actually got more anti-Russian.]

The bigger problem with Schiff’s neat narrative is the way it obscures the timeline of events, putting the release of DNC emails after the change in platform. That is true with regards to the Wikileaks release, but not the Guccifer 2 release, which preceded the platform change.  Moreover, the references in Steele’s dossier Schiff invokes are not so clear cut — the dossier alleges Russia offered kompromat on Hillary unrelated to the stolen emails before any discussion of the Wikileaks emails. I’ve put what Schiff’s timeline would look like if it were not aiming to play up the quid pro quo of the RNC below (note this timeline doesn’t include all Steele reports, just those specifically on point; see also this site for a comprehensive Guccifer related timeline). It shows several things:

  • The changes to the platform preceded the meetings with Sergey Kislyak. Indeed, the first public report on the change in platform even preceded the Kislyak meetings by a day.
  • The stolen documents began to be released well before the platform got changed.
  • The early Steele report on discussions of sharing a dossier of kompromat on Hillary pertains to a dossier dating back decades (even though these reports all post-date the first Guccifer releases, so could have included a discussion of hacked materials). The first explicit reference to the DNC hack comes after Wikileaks started releasing documents (and earlier reports which ought to include such references don’t).
  • The later Steele report tying the Wikileaks release to a change in policy came after the policy had already changed and documents had already been released.
  • The alleged quid pro quo tied to the early July Carter Page meeting was for the lifting of sanctions, not the shift on NATO and Ukraine; the Steele dossier describes the latter as the quid pro quo in exchange for the Wikileaks release only after the emails start coming out from Wikileaks.

Also note: the report that first ties Wikileaks (but not Guccifer) to a quid pro quo is one of the reports that made me raise questions about the provenance of the report as we received it.

This is not lethal for the argument that the Trump campaign delivered on a quid pro quo. For example, if there was extensive coordination, Trump could have changed his policy in March after learning that the Russian military intelligence hack — the one allegedly designed to collect documents to leak — had started. Or perhaps the Guccifer leaks were a down-payment on the full batch. But there’s no evidence of either.

In any case, the narrative, as laid out by Adam Schiff, doesn’t hold together on several points. Trump’s team has not yet delivered on the quid pro quo allegedly tied to the Rosneft brokerage fees that were paid to someone (it’s not public whom) in December — that is, the lifting of sanctions. As laid out here, the descriptions of an offer of a dossier of information on Hillary prior to the Republican platform pertained to stuff going back decades, not explicitly to Wikileaks; the shift of discussion to Wikileaks only came after the emails had already appeared and any Ukraine related policy changes had already been made.

There’s plenty of smoke surrounding Trump and his associates. It doesn’t require fudging the timeline in order to make it appear like a full quid pro quo (and given Jim Comey’s reliance on “coordination” rather than “collusion” in Monday’s discussion, it’s not even clear such quid pro quo would be necessary for a conspiracy charge). Adam Schiff can and should be more careful about this evidence in future public hearings.

Update: Given how remarkably late the references to the stolen emails are in the dossier, I’m linking this post showing how later entries included a feedback loop.


March 19: John Podesta phished (DNC compromise generally understood to date to same time period).

March 31: Trump reportedly embraces pro-Russian stance in foreign policy meeting with advisors.

April 19th: DCLeaks.com registered.

June 8th: DCLeaks.com posts leaks (from post dates).

June 13th: First archived record of DCLeaks posts.

June 15: Crowdstrike report names Russia in DNC hack, first Guccifer 2.0 releases via TSG and Gawker.

June 18: Guccifer releases at WordPress site.

June 20: Steele report presents obviously conflicting information on exchanging intelligence with Trump. A senior Russian Foreign Ministry figure said “the Kremlin had been feeding TRUMP and his team valuable intelligence on his opponents, including … Hillary CLINTON, for several years.” A former top level intelligence officer still active in the Kremlin stated that the Kremlin had been collating a dossier on Hillary, “for many years, dating back to her husband Bill’s presidency, and comprised mainly eavesdropped conversations of various sorts. … Some of the conversations were from bugged comments CLINTON had made on her various trips to Russia and focused on things she had said which contradicted her current position on various issues.” A senior Kremlin official, however, said that the dossier “had not as yet been made available abroad, including to TRUMP or his campaign team.”

July 7-8: Carter Page in Moscow. Allegedly (per later Steele dossier reports) he is offered brokerage fees for the sale of a stake in Rosneft in exchange for ending sanctions on Russia.

July 11-12: Platform drafted.

July 18-21: RNC.

July 18: First report of changes to platform.

July 19: Sergey Kislyak meets numerous Trump associates after a Heritage sponsored Jeff Sessions talk.

July 19: Steele report provides first details of Carter Page meeting in Russia during which Divyekin raises “a dossier of ‘kompromat’ the Kremlin possessed on TRUMP’s Democratic presidential rival, Hillary CLINTON, and its possible release to the Republican’s campaign team.” In context (especially because the same report also warns Trump of kompromat Russia holds on him), this seems to be the dossier going back years also mentioned in the June 20 report, not Wikileaks emails. Certainly no explicit mention of Wikileaks or the hack appears in the report, even though the report is based off July reporting that post-date the first Guccifer 2.0 leaks.

July 22: Wikileaks starts releasing DNC emails.

July 26: Steele report describing conversations from June describes Russian hacking efforts in terms already publicly known to be false. For example, the report claims FSB had not yet had success penetrating American or other “first tier” targets. FSB had success hacking American targets the previous year, including the DNC. This report includes no discussion of the DNC hack or Wikileaks.

Undated July, probably because of report number between July 26 and 30: An “ethnic Russian close associate of Republican US presidential candidate Donald TRUMP” includes the first reference to the DNC hack and WikiLeaks:

[T]he Russian regime had been behind the recent leak of embarrassing e-mail messages, emanating from the Democratic National Committee (DNC) to the Wikileaks platform. The reason for using WikiLeaks was “plausible deniability” and the operation had been conducted with the full knowledge and support of TRUMP and senior members of his campaign team. In return the TRUMP team had agreed to sideline Russian intervention in Ukraine as a campaign issue and to raise US/NATO defence commitments in the Baltics and Eastern Europe to deflect attention away from Ukraine, a priority for PUTIN who needed to cauterise the subject.

July 30: A Russian emigre close to Trump describes concern in the campaign about the DNC email fallout. This report mentions that the Kremlin “had more intelligence on CLINTON and her campaign but he did not know the details or when or if it would be released.” In context, it is unclear whether this refers to stolen documents, though the reference to the campaign suggests that is likely.

August 5: Steele report describes Russian interference as a botched operation, discusses wishful thinking of Trump withdrawing.

August 10: Steele report discusses the “impact and results of Kremlin intervention in the US presidential election to date” claiming Russia’s role in the DNC hack was “technically deniable.” This report conflicts in some ways with the August 5 report, specifically with regards to the perceived success of the operation.

September 14: Steele report referencing kompromat on Hillary clearly in context of further emails.

October 18: More detailed Steele report account of Carter Page meeting, including date. It asserts that “although PAGE had not stated it explicitly to SECHIN, he had clearly implied that in terms of his comment on TRUMP’s intention to lift Russian sanctions if elected president, he was speaking with the Republican candidate’s authority.”

October 19: More Steele report accounting of Michael Cohen’s August attempts to clean up after Manafort and Page.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Password: [email protected]

Remember how infosec people made fun of John Podesta when they learned his iCloud password — which got exposed in the Wikileaks dump of his stolen emails — was Runner4567? 4Chan used the password to hack a bunch of Podesta’s accounts.

Among the pages that got exposed in this week’s Wikileaks dumps of CIA’s hacking tools was a page of Operational Support Branch passwords. For some time the page showed the root password for the network they used for development purposes.

These passwords, as well as one (“password”) for another part of their server, were available on the network site as well.

Throughout the period of updates, it included a meme joking about setting your password to Incorrect.

At the beginning of January 2015, it included the passwords for two unclassified laptops used by the department, one of which was the very guessable [email protected]

OSB unclass laptop #1 password (tag 2005K676, Dell service tag: 7731Y32): “OSBDemoLap9W53!” (Without quotes)

OSB unclass laptop #2 password (tag 2005K677, Dell service tag: CN81Y32): “[email protected]” (no quotes, first chracter is a zero)

Remember, Assange has claimed that CIA treated its exploits as unclassified so they could be spread outside of CIA facilities.

A discussion ensued about what a bad security practice this was.

2015-01-30 14:30 [User #14588054]:

Am I the only one who looked at this page and thought, “I wonder if security would have a heart attack if they saw this.”?

2015-01-30 14:50 [User #7995631]:

Its locked down to the OSB group… idk if that helps.

2015-01-30 15:10 [User #14588054]:

I noticed, but I still cringed when I first saw the page.

I have no idea whether these passwords exacerbated CIA’s exposure. The early 2015 discussion happened well before — at least as we currently understand it — the compromise that led to Wikileaks’ obtaining the files. The laptops themselves were unclassified, and would only be a problem if someone got physical custody of them. Though shared devices like laptops were one of the things for which CIA had a multi-factor authentication problem up until at least August of 2016.

But if we’re going to make fun of John Podesta for password hygiene exposed in a Wikileaks dump, we ought to at least acknowledge that CIA’s hackers, people who spent their days exploiting hygiene sloppiness like this, had (simple) passwords lying around on a server that — as it turns out — was nowhere near as secure as it needed to be.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

No More Secrets: Vault 7

Several days after Shadow Brokers first announced an auction of a bunch of NSA tools last August, Wikileaks announced it had its own “pristine” copy of the files, which it would soon release.

Wikileaks never did release that archive.

On January 7-8, Shadow Brokers got testy with Wikileaks, suggesting that Wikileaks had grown power hungry.

Shadow Brokers threw in several hashtags, two of which could be throw-offs or cultural references to a range of things (though as always with pop culture references, help me out if I’m missing something obvious). The third — “no more secrets” — in context invokes Sneakers, a movie full of devious US intelligence agencies, double dealing Russians, and the dilemma of what you do when you’ve got the power that comes from the ability to hack anything.

Moments later, Shadow Brokers called out Wikileaks, invoking (in the language of this season’s South Park) Wikileaks’ promise to release the file.

Of course, within a week, Shadow Brokers had reneged on a promise of sorts. Less than an hour before calling out Wikileaks for growing power hungry, Shadow Brokers suggested it would sell a range of Windows exploits. Four days later, it instead released a limited (and dated) subset of Windows files — ones curiously implicating Kaspersky Labs. All the “bullshit political talk,” SB wrote in a final message, was just marketing.

Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention.

And with that, the entity called Shadow Brokers checked out, still claiming to be in possession of a range of (dated) NSA hacking exploits.

Less than a month later (and over a month before Monday’s release), Wikileaks started the prep for the Vault 7 release of CIA’s hacking tools. (Given the month of lead hype and persistent attention throughout, I’m not sure why any claimed rapid and “overwhelming” response to the release should be attributed to Russian bots.)

Having been called out for sitting on the Shadow Brokers’ files (if, indeed, Wikileaks actually had them), Wikileaks this time gave the appearance of being forthcoming, claiming “the largest ever publication of confidential documents on the [CIA].”

Except …

While Wikileaks released a great deal of information about CIA’s hacking, it didn’t release the code itself, or the IP addresses that would reveal targets or command and control servers.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.

Now, perhaps Wikileaks really is doing all this out of a sense of responsibility. More likely, it is designed to create a buzz for more disclosure that WL can use to shift responsibility for further disclosure. Yesterday, Wikileaks even did a silly Twitter poll designed to get thousands to endorse further leaks.

In reality, whether for their own PR reasons or because it reflects the truth, tech companies have been issued statements reassuring users that some of the flaws identified in the Wikileaks dump have already been fixed (and in fact, for some of them, that was already reflected in the Wikileaks documents).

Thus far, however, Wikileaks is sitting on a substantial quantity of recent CIA exploits and may be sitting on a significant quantity of dated NSA exploits. Mind you, the CIA seems to know (belatedly) precisely what Wikileaks has; while NSA has a list of the exploits Shadow Brokers was purportedly trying to sell, it’s not clear whether NSA knew exactly what was in that dump. But CIA and NSA can’t exactly tell the rest of the world what might be coming at them in the form of repurposed leaked hacking tools.

There has been a lot of conversation — most lacking nuance — about what it means that CIA uses code from other hackers’ exploits (including Shamoon, the Iranian exploit that has recently been updated and deployed against European targets). There has been less discussion about what it means that Wikileaks and Shadow Brokers and whatever go-betweens were involved in those leaks might be involved have been sitting on US intelligence community exploits.

That seems like a worthwhile question.

Update: as his delayed presser on this release, Assange stated that he would work with tech companies to neutralize the exploits, then release them.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

CIA Did Not Have Multi-Factor Authentication Controls for All Users as Recently as August 2016

I know I keep harping on the disclosures about the intelligence community’s security practices disclosed in the House Intelligence Report on Edward Snowden. But they go some way to explain why people keep walking out of spy agencies with those agencies’ hacking tools.

Over three years after the Snowden leaks, multiple Intelligence Inspector General Reports show, agencies still hadn’t plugged holes identified in response to Snowden’s leaks. When the CIA did an audit mandated by 2015’s CISA bill, for example, it revealed that “CIA has not yet implemented multi-factor authentication controls such as a physical token for general or privileged users of the Agency’s enterprise or mission systems.”

As I understand it, this had something to do with multi-factor use on devices used by multiple persons. So it may not have been as bad as this sounds (and — again, as I understand it, the problem has since been fixed).

Nevertheless, the CIA is whining about how evil Wikileaks is for publishing documents that (per Wikileaks, anyway) CIA stored with inadequate protection.

The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.

Sorry. I mean, Americans can be pissed that its premier intelligence agency got pwned.

But Americans should also be pissed that CIA is storing powerful weapons in a way such that they can easily be leaked. We wouldn’t excuse this with CIA’s anthrax stash. We should not give the Agency a pass here.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Wikileaks Dumps CIA’s Hacking Tools

Today, Wikileaks released a big chunk of documents pertaining to CIA’s hacking tools.

People will — and already have — treated this as yet another Russian effort to use Wikileaks as a cutout to release documents it wants out there. And that may well be the case. It would follow closely on the release, by Shadow Brokers, of a small subset of what were billed as NSA hacking tools (more on that in a bit).

Wikileaks attributes the files to two sources. First, it suggests a “US government hacker and contractor … provided WikiLeaks with portions of the archive.”

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In an apparent reference to this source, Wikileaks explains,

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

It also notes that developers may steal tools without a trace (though speaks of this in terms of proliferation, not this leak).

Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them.

But Wikileaks also suggests that, because the CIA doesn’t classify its attack tools, it leaves them more vulnerable to theft.

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the ‘battlefield’ of cyber ‘war’.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Wikileaks is trying to appear more responsible than it was with recent leaks, which doxed private individuals. It explains that it has anonymized names. (It very helpfully replaces those names with numbers, which leaves enough specificity such that over 30 CIA hackers will know Wikileaks has detailed information on them, down to their favorite memes.) And it has withheld the actual exploits, until such time — it claims — that further consensus can be developed on how such weapons should be analyzed. In addition, Wikileaks has withheld targets.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in “Vault 7” part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Several comments about this: First, whether for reasonable or unreasonable purpose, withholding such details (for now) is responsible. It prevents Wikileaks’ release from expanding the use of these tools. Wikileaks’ password for some of these files is, “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds,” suggesting the motive.

Of course, by revealing that these tools exist, but not releasing them, Wikileaks could (hypothetically) itself use them. Wikileaks doesn’t explain how it obtained upcoming parts of this release, but it’s possible that someone used CIA’s tools against itself.

In addition, by not revealing CIA’s targets, Wikileaks both explicitly and implicitly prevents CIA (and the US generally) to offer the excuse they always offer for their surveillance tools: that they’re chasing terrorists — though of course, this is just a matter of agency vocabulary.

Among the list of possible targets of the collection are ‘Asset’, ‘Liason [sic] Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals.

We will no doubt have further debate about whether Wikileaks was responsible or not with this dump. But consider: various contractors (and to a much lesser degree, the US intelligence community) have been releasing details about Russian hacking for months. That is deemed to be in the common interest, because it permits targets to prevent being hacked by a state actor.

Any hacking CIA does comes on top of the simplified spying the US can do thanks to the presence of most tech companies in the US.

So why should CIA hacking be treated any differently than FSB or GRU hacking, at least by the non-American part of the world?

This leak may well be what Wikileaks claims it to be — a concerned insider exposing the CIA’s excesses. Or perhaps it’s part of a larger Russian op. (Those two things could even both be true.) But as we talk about cybersecurity, we would do well to remember that all nation-state hackers pose a threat to the digital commons.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Updates from the Russian Front

I’m working on a post on the fight over Congressional investigations into the Russian hack, but for the moment I wanted to point to two other pieces of news.

Buzzfeed gets sued

First, BuzzFeed is getting sued.

One of the people named in the partial Trump dossier published by BuzzFeed last month, Aleksej Gubarev, has sued for defamation to himself and his companies, which include the hosting company Webzilla. Gubarev also sued Christopher Steele in the UK. In an interview with CNN, Gubarev described the injury suffered as a result of the publication of the unredacted dossier.

The lawsuit criticizes BuzzFeed for publishing the memos, alleging that “BuzzFeed itself admitted it had no idea what — if anything — in the dossier was truthful.”

Indeed, when the news website published the memos on January 10, it justified “publishing the full document so that Americans can make up their own minds about allegations about the president-elect that have circulated at the highest levels of the US government.”

The lawsuit notes that the BuzzFeed story has been viewed almost six million times, and the news site has written eight follow-up articles that all link back to the unsubstantiated dossier.

Before he filed the lawsuit, Gubarev spoke to CNNMoney about the damage he had already experienced from the leaked dossier.

“I’m really damaged by this story. This is why I’m ready to spend money and go to court about this,” he told CNNMoney in mid-January.

“I have a multimillion dollar business. Why do I need these connections with hackers?” he said, speaking by phone from the Mediterranean island of Cyprus where he lives. “It’s absolutely not true, and I can go to the court and say this.”

In his interview with CNNMoney, Gubarev said that three of XBT’s European bank partners froze the company’s $5 million credit line because of reports about the memos. Gubarev declined to provide CNNMoney proof of those frozen credit lines.

After the suit got filed, Buzzfeed redacted Gubaev’s names from the still-published dossier and apologized.

I’m interested in this development for several reasons. First, Donald Trump has repeatedly suggested that he might have sued Steele had the former British spy not gone into hiding. Furthermore, this feels a bit like Peter Thiel. So I wonder whether Gubarev has been advanced as a proxy to go after Buzzfeed.

Also, as noted, the (now-redacted) reference to Gubarev appears in the last entry of the partial dossier Buzzfeed published. As I explained, that last entry is significant because it post-dates any known sharing of the dossier on the part of Steele. That, plus some other aspects of the dossier as released, might have raised more caution in Buzzfeed about provenance before publication. If this suit goes forward, Gubarev would have an opportunity to probe these areas.

Wikileaks didn’t release all DNC emails

Then there’s this story, that reveals numerous DNC staffers and reporters have identified emails of theirs that didn’t get released by WikiLeaks. While multiple people quoted in the story suggest the emails may have been curated to take out worthwhile context, they also admit that there was nothing “explosive” that was excluded.

The question of whether the emails were curated in some way, to appear as damaging as possible to the Democratic Party, has long been whispered about among campaign staffers.

“There was the fact that they were released in drips and drabs, and then, the fact that entire parts of an email chain were missing, which would have given a bit of context to the discussion, but a lot of us weren’t about to say, ‘Hey, you missed some emails!’” said one Democratic Party campaign staffer, who, like others, asked for anonymity to discuss the data breach while investigations continue.

“I think it is unknown that these emails were not just dumped, there was curation happening here,” said another campaign staffer, who also requested anonymity in exchange for discussing the emails. “I would find part of an email chain, but not other parts. At times, the parts missing were the parts that would have given context to the whole discussion.”

Still, he said, among the missing emails was nothing “explosive, or holy shit… a lot of it was mundane stuff or stuff that flushed out and gave context.”

The implication in the story is that WikiLeaks curated the emails (and Assange did not answer Buzzfeed’s query about the missing files).

“The idea that Wikileaks and Julian Assange is about some kind of high minded transparency is totally completely full of shit,” said one former Democratic campaign staffer. “What they wanted was to create the maximum amount of political pain.”

There is precedent for a time when Wikileaks did not publish the entire set of a known dataset — in 2012, when Wikileaks’ version of the Syria files did not include a letter from a Syrian bank to a Russian one reflecting 2 billion Euro in deposits.

[T]he Syria Files should still contain the central bank’s emails from Oct. 26, 2011, concerning its €2 billion and bank account in Moscow: For one, WikiLeaks has published several emails received by the same account ([email protected]) from that day. Secondly, the court records leaked to the Daily Dot reveal the Moscow bank’s emails were, in fact, part of the larger backup file containing numerous emails currently found on the WikiLeaks site. One such email, discussed in depth by RevoluSec members more than nine months before the WikiLeaks release, details the transfer of €5 million from a bank in Frankfurt, Germany, to a European central bank in Austria, the recipient of the email being Central Bank of Syria.

When asked about the missing file, a WikiLeaks spox responded aggressively.

In response to a request for comment, WikiLeaks said the preceding account “is speculation and it is false.” The spokesperson continued: “The release includes many emails referencing Syrian-Russian relations. As a matter of long standing policy we do not comment on claimed sources. It is disappointing to see Daily Dot pushing the Hillary Clinton campaign’s neo-McCarthyist conspiracy theories about critical media.” (WikiLeaks threatened to retaliate against the reporters if they pursued the story: “Go right ahead,” they said, “but you can be sure we will return the favour one day.”)

[snip]

Asked about the possibility it could be duped, WikiLeaks responded flatly: “All Syria files obtained by WikiLeaks have been published and are authentic.”

In both cases, of course, it is possible that WikiLeaks didn’t get all of the documents.

Indeed, perhaps the most interesting detail in this new report — one noted without considering the implications of it — is that at least some staffers at DNC had emails set to delete after 30 days.

Many of the Democratic Party campaign staffers who spoke to BuzzFeed News said it was hard to tell exactly how many messages were missing, since their emails were set to automatically delete every 30 days.

The emails go back to early 2015. Yet GRU — the Russian intelligence service attributed with stealing these emails — didn’t break in until March 2016. The emails would have been backed up (or perhaps not all staffers did have their emails set to delate). But the detail may suggest other things about how the emails obtained by Wikileaks were stolen.

Remember: when the emails were first released, FBI was unsure whether the emails hacked by GRU were the same ones released by Wikileaks.

Trump eyes Poland

Finally, to the actual Russian front. According to this review of Trump’s foreign policy so far, his aides have been seeking information on an alleged incursion by Poland into Belarus, a close Russian ally.

According to one U.S. official, national security aides have sought information about Polish incursions in Belarus, an eyebrow-raising request because little evidence of such activities appears to exist. Poland is among the Eastern European nations worried about Trump’s friendlier tone on Russia.

That suggests the aides in question are getting some wacky ideas from … somewhere.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

On Wikileaks and Chelsea Manning’s Commutation

Today, President Obama commuted Chelsea Manning’s sentence, effective May 17. May she have the fortitude to withstand five more months of prison.

Among the many responses to the commutation, many people are pointing to a tweet Julian Assange wrote in September, promising to agree to US prison if Manning got clemency.

Assange made a very similar comment more recently, on January 12.

To Assange’s credit, he has long called for clemency for Manning; and whatever you think of Assange, his anger against Hillary was in significant part motivated by Clinton’s response to the Manning leaks. Manning might have been able to cooperate against Assange for a lesser sentence, but there was nothing Assange did that was not, also, what the NYT has done.

Indeed, the oddity of Assange’s original tweet is that, as far as has been made public, he has never been charged, not even for aiding Edward Snowden as a fugitive.

Nevertheless, since the comments, Assange’s European lawyer said he stands by his earlier comment (though she points out the US has not asked for extradition).

But I’d like to point to a third tweet, which might explain why Assange would be so willing to be extradited now.

The day after Assange repeated his promise to undergo extradition, just as the uproar over the Trump dossier led Christopher Steele to go into hiding has been roiling, Assange also tweeted a comment at least pretending he thought he might be murdered.

Sure, Assange is paranoid. But while Assange has been hiding behind purportedly American IDed cutouts, claiming plausible deniability that he got the DNC emails from the Russians, he surely knows, now, those people were cut-outs. The Russians, Trump, and any American cutouts that Assange could ID would badly like him to sustain that plausible deniability.

And the Russians have a way of silencing people like that, even in fairly protected places in London.

So while Assange could just be blowing smoke, Assange may well be considering his options, coming to the US on a plea deal versus dealing with Putin’s goons.

All of which might make such deals more attractive.

Update: Here’s Assange’s latest on this.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Lefties Learn to Love Leaks Again

Throughout the presidential campaign, observers have noted with irony that many on the right discovered a new-found love for WikiLeaks. Some of the same people who had earlier decried leaks, even called Chelsea Manning a traitor, were lapping up what Julian Assange was dealing on a daily basis.

There was a similar, though less marked, shift on the left. While many on the left had criticized — or at least cautioned about — WikiLeaks from the start, once Assange started targeting their presidential candidate, such leaks became an unprecedented, unparalleled assault on decency, which no one seemed to say when similar leaks targeted Bashar al-Assad.

Which is why I was so amused by the reception of this story yesterday.

After revealing that Donald Trump’s Secretary of State nominee “was the long-time director of a US-Russian oil firm based in the tax haven of the Bahamas, leaked documents show” in the first paragraph, the article admits, in the fourth paragraph that,

Though there is nothing untoward about this directorship, it has not been reported before and is likely to raise fresh questions over Tillerson’s relationship with Russia ahead of a potentially stormy confirmation hearing by the US senate foreign relations committee. Exxon said on Sunday that Tillerson was no longer a director after becoming the company’s CEO in 2006.

The people sharing it on Twitter didn’t seem to notice that (nor did the people RTing my ironic tweet about leaks seem to notice). Effectively, the headline “leaks reveal details I have sensationalized” served its purpose, with few people reading far enough to the caveats that admit this is fairly standard international business practice (indeed, it’s how Trump’s businesses work too). This is a more sober assessment of the import of the document detailing Tillerson’s ties with the Exxon subsidiary doing business in Russia.

This Guardian article worked just like all the articles about DNC and Podesta emails worked, even with — especially with — the people decrying the press for the way it irresponsibly sensationalized those leaks.

The response to this Tillerson document is all the more remarkable given the source of this leak. The Guardian reveals it came from an anonymous source for Süddeutsche Zeitung, which in turn shared the document with the Guardian and the International Consortium of Investigative Journalists.

The leaked 2001 document comes from the corporate registry in the Bahamas. It was one of 1.3m files given to the Germany newspaper Süddeutsche Zeitung by an anonymous source.

[snip]

The documents from the Bahamas corporate registry were shared by Süddeutsche Zeitung with the Guardian and the International Consortium of Investigative Journalists in Washington DC.

That is, this document implicating Vladimir Putin’s buddy Rex Tillerson came via the very same channel that the Panama Papers had, which Putin claimed, back in the time Russia was rifling around the DNC server, was a US intelligence community effort to discredit him and his kleptocratic cronies, largely because that was the initial focus of the US-NGO based consortium that managed the documents adopted, a focus replicated at outlets participating.

See this column for a worthwhile argument that Putin hacked the US as retaliation for the Panama Papers, which makes worthwhile points but would only work chronologically if Putin had advance notice of the Panama Papers (because John Podesta got hacked on March 19, before the first releases from the Panama Papers on April 3).

There really has been a remarkable lack of curiosity about where these files came from. That’s all the more striking in this case, given that the document (barely) implicating Tillerson comes from the Bahamas, where the US at least was collecting every single phone call made.

That’s all the more true given the almost non-existent focus on the Bahamas leaks before — from what I can tell just one story has been done on this stash, though the documents are available in the ICIJ database. Indeed, if the source for the leaks was the same, it would seem to point to an outside hacker rather than an inside leaker. That doesn’t mean the leak was done just to hurt Tillerson. The leak, which became public on September 21, precedes the election of Trump, much less the naming of Tillerson. But it deserves at least some notice.

For what it’s worth, I think it quite possible the US has been involved in such leaks — particularly given how few Americans get named in them. But I don’t think the Panama Papers, which implicated plenty of American friends and even the Saudis, actually did target Putin.

Still, people are going to start believing Putin’s claims that this effort is primarily targeted at him if documents conveniently appear from the leak as if on command.

I am highly interested in who handed off documents allegedly stolen by Russia’s GRU to Wikileaks. But I’m also interested in who the source enabling asymmetric corruption claims, as if on demand, is.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Evidence to Prove the Russian Hack

In this post, I’m going to lay out the evidence needed to fully explain the Russian hack. I think it will help to explain some of the timing around the story that the CIA believes Russia hacked the DNC to help win Trump win the election, as well as what is new in Friday’s story. I will do rolling updates on this and eventually turn it into a set of pages on Russia’s hacking.

As I see it, intelligence on all the following are necessary to substantiate some of the claims about Russia tampering in this year’s election.

  1. FSB-related hackers hacked the DNC
  2. GRU-related hackers hacked the DNC
  3. Russian state actors hacked John Podesta’s emails
  4. Russian state actors hacked related targets, including Colin Powell and some Republican sites
  5. Russian state actors hacked the RNC
  6. Russian state actors released information from DNC and DCCC via Guccifer 2
  7. Russian state actors released information via DC Leaks
  8. Russian state actors or someone acting on its behest passed information to Wikileaks
  9. The motive explaining why Wikileaks released the DNC and Podesta emails
  10. Russian state actors probed voter registration databases
  11. Russian state actors used bots and fake stories to make information more damaging and magnify its effects
  12. The level at which all Russian state actors’ actions were directed and approved
  13. The motive behind the actions of Russian state actors
  14. The degree to which Russia’s efforts were successful and/or primary in leading to Hillary’s defeat

I explain all of these in more detail below. For what it’s worth, I think there was strong publicly available information to prove 3, 4, 7, 11. I think there is weaker though still substantial information to support 2. It has always been the case that the evidence is weakest at point 6 and 8.

At a minimum, to blame Russia for tampering with the election, you need high degree of confidence that GRU hacked the DNC (item 2), and shared those documents via some means with Wikileaks (item 8). What is new about Friday’s story is that, after months of not knowing how the hacked documents got from Russian hackers to Wikileaks, CIA now appears to know that people close to the Russian government transferred the documents (item 8). In addition, CIA now appears confident that all this happened to help Trump win the presidency (item 13).

1) FSB-related hackers hacked the DNC

The original report from Crowdstrike on the DNC hack actually said two separate Russian-linked entities hacked the DNC: one tied to the FSB, which it calls “Cozy Bear” or APT 29, and one tied to GRU, which it calls “Fancy Bear” or APT 28. Crowdstrike says Cozy Bear was also responsible for hacks of unclassified networks at the White House, State Department, and US Joint Chiefs of Staff.

I’m not going to assess the strength of the FSB evidence here. As I’ll lay out, the necessary hack to attribute to the Russians is the GRU one, because that’s the one believed to be the source of the DNC and Podesta emails. The FSB one is important to keep in mind, as it suggests part of the Russian government may have been hacking US sites solely for intelligence collection, something our own intelligence agencies believe is firmly within acceptable norms of spying. In the months leading up to the 2012 election, for example, CIA and NSA hacked the messaging accounts of a bunch of Enrique Peña Nieto associates, pretty nearly the equivalent of the Podesta hack, though we don’t know what they did with that intelligence. The other reason to keep the FSB hack in mind is because, to the extent FSB hacked other sites, they also may be deemed part of normal spying.

2) GRU-related hackers hacked the DNC

As noted, Crowdstrike reported that GRU also hacked the DNC. As it explains, GRU does this by sending someone something that looks like an email password update, but which instead is a fake site designed to get someone to hand over their password. The reason this claim is strong is because people at the DNC say this happened to them.

Note that there are people who raise questions of whether this method is legitimately tied to GRU and/or that the method couldn’t be stolen and replicated. I will deal with those questions at length elsewhere. But for the purposes of this post, I will accept that this method is a clear sign of GRU involvement. There are also reports that deal with GRU hacking that note high confidence GRU hacked other entities, but less direct evidence they hacked the DNC.

Finally, there is the real possibility that other people hacked the DNC, in addition to FSB and GRU. That possibility is heightened because a DNC staffer was hacked via what may have been another method, and because DNC emails show a lot of password changes off services for which DNC staffers had had their accounts exposed in other hacks.

All of which is a way of saying, there is some confidence that DNC got hacked at least twice, with those two revealed efforts being done by hackers with ties to the Russian state.

3) Russian state actors (GRU) hacked John Podesta’s emails

Again, assuming that the fake Gmail phish is GRU’s handiwork, there is probably the best evidence that GRU hacked John Podesta and therefore that Russia, via some means, supplied Wikileaks, because we have a copy of the actual email used to hack him. The Smoking Gun has an accessible story describing how all this works. So in the case of Podesta, we know he got a malicious phish email, we know that someone clicked the link in the email, and we know that emails from precisely that time period were among the documents shared with Wikileaks. We just have no idea how they got there.

4) Russian state actors hacked related targets, including some other Democratic staffers, Colin Powell and some Republican sites

That same Gmail phish was used with victims — including at a minimum William Rinehart and Colin Powell — that got exposed in a site called DC Leaks. We can have the same high degree of confidence that GRU conducted this hack as we do with Podesta. As I note below, that’s more interesting for what it tells us about motive than anything else.

5) Russian state actors hacked the RNC

The allegation that Russia also hacked the RNC, but didn’t leak those documents — which the CIA seems to rely on in part to argue that Russia must have wanted to elect Trump — has been floating around for some time. I’ll return to what we know of this. RNC spox Sean Spicer is denying it, though so did Hillary’s people at one point deny that they had been hacked.

There are several points about this. First, hackers presumed to be GRU did hack and release emails from Colin Powell and an Republican-related server. The Powell emails (including some that weren’t picked up in the press), in particular, were detrimental to both candidates. The Republican ones were, like a great deal of the Democratic ones, utterly meaningless from a news standpoint.

So I don’t find this argument persuasive in its current form. But the details on it are still sketchy precisely because we don’t know about that hack.

6) Russian state actors released information from DNC and DCCC via Guccifer 2

Some entity going by the name Guccifer 2 started a website in the wake of the announcement that the DNC got hacked. The site is a crucial part of this assessment, both because it released DNC and DCCC documents directly (though sometimes misattributing what it was releasing) and because Guccifer 2 stated clearly that he had shared the DNC documents with Wikileaks. The claim has always been that Guccifer 2 was just a front for Russia — a way for them to adopt plausible deniability about the DNC hack.

That may be the case (and obvious falsehoods in Guccifer’s statements make it clear deception was part of the point), but there was always less conclusive (and sometimes downright contradictory) evidence to support this argument (this post summarizes what it claims are good arguments that Guccifer 2 was a front for Russia; on the most part I disagree and hope to return to it in the future). Moreover, this step has been one that past reporting said the FBI couldn’t confirm. Then there are other oddities about Guccifer’s behavior, such as his “appearance” at a security conference in London, or the way his own production seemed to fizzle as Wikileaks started releasing the Podesta emails. Those details of Guccifer’s behavior are, in my opinion, worth probing for a sense of how all this was orchestrated.

Yesterday’s story seems to suggest that the spooks have finally figured out this step, though we don’t have any idea what it entails.

7) Russian state actors released information via DC Leaks

Well before many people realized that DC Leaks existed, I suspected that it was a Russian operation. That’s because two of its main targets — SACEUR Philip Breedlove and George Soros — are targets Russia would obviously hit to retaliate for what it treats as a US-backed coup in Ukraine.

DC Leaks is also where the publicly released (and boring) GOP emails got released.

Perhaps most importantly, that’s where the Colin Powell emails got released (this post covers some of those stories). That’s significant because Powell’s emails were derogatory towards both candidates (though he ultimately endorsed Hillary).

It’s interesting for its haphazard targeting (if someone wants to pay me $$ I would do an assessment of all that’s there, because some just don’t make any clear sense from a Russian perspective, and some of the people most actively discussing the Russian hacks have clearly not even read all of it), but also because a number of the victims have been affirmatively tied to the GRU phishing methods.

So DC Leaks is where you get obvious Russian targets and Russian methods all packaged together. But of the documents it released, the Powell emails were the most interesting for electoral purposes, and they didn’t target Hillary as asymmetrically as the Wikileaks released documents did.

8) Russian state actors or someone acting on its behest passed information to Wikileaks

The basis for arguing that all these hacks were meant to affect the election is that they were released via Wikileaks. That is what was supposed to be new, beyond just spying (though we have almost certainly hacked documents and leaked them, most probably in the Syria Leaks case, but I suspect also in some others).

And as noted, how Wikileaks got two separate sets of emails has always been the big question. With the DNC emails, Guccifer 2 clearly said he had given them to WL, but the Guccifer 2 ties to Russia was relatively weak. And with the Podesta emails, I’m not aware of any known interim step between the GRU hack and Wikileaks.

A late July report said the FBI was still trying to determine how Russia got the emails to Wikileaks or even if they were the same emails.

The FBI is still investigating the DNC hack. The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

An even earlier report suggested that the IC wasn’t certain the files had been passed electronically.

And the joint DHS/ODNI statement largely attributed its confidence that Russia was involved in the the leaking (lumping Guccifer 2, DC Leaks, and Wikileaks all together) not because it had high confidence in that per se (a term of art saying, effectively, “we have seen the evidence”), but instead because leaking such files is consistent with what Russia has done elsewhere.

The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.

Importantly, that statement came out on October 7, so well after the September briefing at which CIA claimed to have further proof of all this.

Now, Julian Assange has repeatedly denied that Russia was his source. Craig Murray asserted, after having meeting with Assange, that the source is not the Russian state or a proxy. Wikileaks’ tweet in the wake of yesterday’s announcement — concluding that an inquiry directed at Russia in this election cycle is targeted at Wikileaks — suggests some doubt. Also, immediately after the election, Sergei Markov, in a statement deemed to be consistent with Putin’s views, suggested that “maybe we helped a bit with WikiLeaks,” even while denying Russia carried out the hacks.

That’s what’s new in yesterday’s story. It stated that “individuals with connections to the Russian government” handed the documents to Wikileaks.

Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials. Those officials described the individuals as actors known to the intelligence community and part of a wider Russian operation to boost Trump and hurt Clinton’s chances.

[snip]

[I]ntelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said. Those actors, according to the official, were “one step” removed from the Russian government, rather than government employees. Moscow has in the past used middlemen to participate in sensitive intelligence operations so it has plausible deniability.

I suspect we’ll hear more leaked about these individuals in the coming days; obviously, the IC says it doesn’t have evidence of the Russian government ordering these people to share the documents with Wikileaks.

Nevertheless, the IC now has what it didn’t have in July: a clear idea of who gave Wikileaks the emails.

9) The motive explaining why Wikileaks released the DNC and Podesta emails

There has been a lot of focus on why Wikileaks did what it did, which notably includes timing the DNC documents to hit for maximum impact before the Democratic Convention and timing the Podesta emails to be a steady release leading up to the election.

I don’t rule out Russian involvement with all of that, but it is entirely unnecessary in this case. Wikileaks has long proven an ability to hype its releases as much as possible. More importantly, Assange has reason to have a personal gripe against Hillary, going back to State’s response to the cable release in 2010 and the subsequent prosecution of Chelsea Manning.

In other words, absent really good evidence to the contrary, I assume that Russia’s interests and Wikileaks’ coincided perfectly for this operation.

10) Russian state actors probed voter registration databases

Back in October, a slew of stories reported that “Russians” had breached voter related databases in a number of states. The evidence actually showed that hackers using a IP tied to Russia had done these hacks. Even if the hackers were Russian (about which there was no evidence in the first reports), there was also no evidence the hackers were tied to the Russian state. Furthermore, as I understand it, these hacks used a variety of methods, some or all of which aren’t known to be GRU related. A September DHS bulletin suggested these hacks were committed by cybercriminals (in the past, identity thieves have gone after voter registration lists). And the October 7 DHS/ODNI statement affirmatively said the government was not attributing the probes to the Russians.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.

In late November, an anonymous White House statement said there was no increased malicious hacking aimed at the electoral process, though remains agnostic about whether Russia ever planned on such a thing.

The Federal government did not observe any increased level of malicious cyber activity aimed at disrupting our electoral process on election day. As we have noted before, we remained confident in the overall integrity of electoral infrastructure, a confidence that was borne out on election day. As a result, we believe our elections were free and fair from a cybersecurity perspective.

That said, since we do not know if the Russians had planned any malicious cyber activity for election day, we don’t know if they were deterred from further activity by the various warnings the U.S. government conveyed.

Absent further evidence, this suggests that reports about Russian trying to tamper with the actual election infrastructure were at most suspicions and possibly just a result of shoddy reporting conflating Russian IP with Russian people with Russian state.

11) Russian state actors used bots and fake stories to make information more damaging and magnify its effects

Russia has used bots and fake stories in the past to distort or magnify compromising information. There is definitely evidence some pro-Trump bots were based out of Russia. RT and Sputnik ran with inflammatory stories. Samantha Bee famously did an interview with some Russians who were spreading fake news. But there were also people spreading fake news from elsewhere, including Macedonia and Surburban LA. A somewhat spooky guy even sent out fake news in an attempt to discredit Wikileaks.

As I have argued, the real culprit in this economy of clickbait driven outrage is closer to home, in the algorithms that Silicon Valley companies use that are exploited by a whole range of people. So while Russian directed efforts may have magnified inflammatory stories, that was not a necessary part of any intervention in the election, because it was happening elsewhere.

12) The level at which all Russian state actors’ actions were directed and approved

The DHS/ODNI statement said clearly that “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.” But the WaPo story suggests they still don’t have proof of Russia directing even the go-between who gave WL the cables, much less the go-between directing how Wikileaks released these documents.

Mind you, this would be among the most sensitive information, if the NSA did have proof, because it would be collection targeted at Putin and his top advisors.

13) The motive behind the actions of Russian state actors

The motive behind all of this has varied. The joint DHS/ODNI statement said it was “These thefts and disclosures are intended to interfere with the US election process.” It didn’t provide a model for what that meant though.

Interim reporting — including the White House’s anonymous post-election statement — had suggested that spooks believed Russia was doing it to discredit American democracy.

The Kremlin probably expected that publicity surrounding the disclosures that followed the Russian Government-directed compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations, would raise questions about the integrity of the election process that could have undermined the legitimacy of the President-elect.

At one level, that made a lot of sense — the biggest reason to release the DNC and Podesta emails, it seems to me, was to confirm the beliefs a lot of people already had about how power works. I think one of the biggest mistakes of journalists who have political backgrounds was to avoid discussing how the sausage of politics gets made, because this material looks worse if you’ve never worked in a system where power is about winning support. All that said, there’s nothing in the emails (especially given the constant release of FOIAed emails) that uniquely exposed American democracy as corrupt.

All of which is to say that this explanation never made any sense to me; it was mostly advanced by people who live far away from people who already distrust US election systems, who ignored polls showing there was already a lot of distrust.

Which brings us to the other thing that is new in the WaPo story: the assertion that CIA now believes this was all intended to elect Trump, not just make us distrust elections.

The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter.

[snip]

“It is the assessment of the intelligence community that Russia’s goal here was to favor one candidate over the other, to help Trump get elected,” said a senior U.S. official briefed on an intelligence presentation made to U.S. senators. “That’s the consensus view.”

For what it’s worth, there’s still some ambiguity in this. Did Putin really want Trump? Or did he want Hillary to be beat up and weak for an expected victory? Did he, like Assange, want to retaliate for specific things he perceived Hillary to have done, in both Libya, Syria, and Ukraine? That’s unclear.

14) The degree to which Russia’s efforts were successful and/or primary in leading to Hillary’s defeat

Finally, there’s the question that may explain Obama’s reticence about this issue, particularly in the anonymous post-election statement from the White House, which stated that the “election results … accurately reflect the will of the American people.” It’s not clear that Putin’s intervention, whatever it was, had anywhere near the effect as (for example) Jim Comey’s letters and Bret Baier’s false report that Hillary would be indicted shortly. There are a lot of other factors (including Hillary’s decision to ignore Jake Sullivan’s lonely advice to pay some attention to the Rust Belt).

And, as I’ve noted repeatedly, it is no way the case that Vladimir Putin had to teach Donald Trump about kompromat, the leaking of compromising information for political gain. Close Trump associates, including Roger Stone (who, by the way, may have had conversations with Julian Assange), have been rat-fucking US elections since the time Putin was in law school.

But because of the way this has rolled out (and particularly given the cabinet picks Trump has already made), it will remain a focus going forward, perhaps to the detriment of other issues that need attention.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.