Some Issues of Timing Revealed by Manafort’s Filings

New disclosure statement: As you all know, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

On Tuesday, Mueller’s team gave Paul Manafort the contents of Rick Gates’ electronic devices for the first time. Yesterday, after receiving another large dump of evidence, Manafort moved to delay his July 25 trial, a motion the Mueller team objected to.

Those are just a few of the details revealed by a slew of filings submitted in Manafort’s EDVA case yesterday. Those filings include:

  1. The government’s opposition to a motion Manafort submitted in June trying to keep all mention of the Trump campaign, the DC case against him, and the fact he got thrown in jail in the DC case from being introduced in his EDVA trial
  2. A motion to move his trial from Alexandria to Roanoke based on some crazy claims but ultimately boiling down to Manafort’s belief that if he is tried by a jury of his sleazy political influence peddling peers, he’s more likely to go to prison
  3. A supplement to Manafort’s bid to get a hearing on leaks, which includes January and February discovery request letters and two electronic communications describing a meeting between the FBI and the AP from April 2017; all of those exhibits are worth reading but I won’t deal with them here
  4. A motion to delay his trial until sometime after the DC one

It’s the first and the fourth items that I’m interested in here.

emptywheel’s Continuing Obsession with Paul Manafort’s 404(b) Notice

Folks seem to pretty much understand my continuing obsession with Paul Manafort’s iPod habit (or rather, his efforts to deem the seizure of his eight iPods improper). Perhaps less obviously interesting is my continuing obsession with the 404(b) notices in his two cases, which are the way lawyers fight over whether evidence of related crimes can be admitted in trial. In Manafort’s case, I think this fight may reveal something about how Mueller sees the various pieces of the puzzle fitting together.

As I previously noted, the government fought to delay disclosure of 404(b) in the DC case until June 15. When they did submit the 404(b) notice in that case, the government said they want to include evidence of three other crimes, two of which happen to be New York State crimes (the apartment in question is a Trump Tower one) that might be charged in the state.

Here’s the 404(b) motion. Mueller wants to introduce three things:

  • Evidence that one reason that Manafort and others arranged for [Skadden Arps] to be retained for the de minimis sum of approximately $12,000—even though they knew at the time that Law Firm A proposed a budget of at least $4 million—was to avoid certain limitations imposed by Ukrainian public procurement law.
  • Evidence that Manafort was treating a NYC apartment as a business property with the IRS but as a personal dwelling with a lender.
  • Evidence that Manafort structured intra-Cypriot funds to hide income.

Two of those, of course, involve crimes in NY state.

In the EDVA case, I had suspected that the government asked TS Ellis to issue a discovery order to make it clear they wouldn’t provide 404(b) notice in this case until a week before trial — I got the date wrong but I think it’d be July 18 — but can move to avoid any pretrial notice.

So maybe that’s what Mueller’s trying to get Manafort to agree to. The EDVA standard order he’s trying to get him to use would require 404(b) notice by July 17, but permits the government to request avoiding such pretrial notice.

It is further ORDERED that, no later than seven calendar days before trial, the government shall provide notice to the defendant, in accordance with FED. R. EVID. 404(b), of the general nature of any evidence of other crimes, wrongs, or acts of defendant which it intends to introduce at trial, except that, upon motion of the government and for good cause shown, the court may excuse such pretrial notice.

Yesterday’s opposition to Manafort’s bid to limit what it can say about the Trump campaign and the DC case confirms I was (at least partly) correct — the government wanted a discovery order so they can avoid telling Manafort what they want to raise at trial.

The defendant’s request to preclude evidence relating to the District of Columbia case is a premature effort to preclude evidence under Rule 404(b). See Doc. 93 at 5 n.1 (“[T]his motion is being filed in the event that the Special Counsel seeks at trial to introduce evidence or advance arguments concerning ‘other act’ evidence.”). The standard practice in the Eastern District of Virginia, as referenced in the Government’s proposed discovery order (Doc. 83 at 7), is that the government provide notice of Rule 404(b) evidence it intends to introduce at trial seven days before trial. Although the defendant has not responded to the Government’s Motion for Entry of Discovery Order, the government intends to follow the District’s standard practice with respect to Rule 404(b) notice. It nevertheless bears noting that contrary to the defendant’s characterization, there is substantial overlap between the evidence in District of Columbia case and the one before this Court. The Superseding Indictment in the District of Columbia alleges tax fraud that overlaps with the substantive tax charges in the Eastern District of Virginia.

In other words, in a filing arguing that the government should be able to bring in details about both the Trump campaign (because some of the loans he’s being tried for he only obtained by getting the banker a position on the Trump campaign) and about Gates’ guilty plea in DC (but not about the crimes that Manafort allegedly committed while on bail that got him thrown in prison), Mueller’s team makes it clear they intend to wait to tell Manafort what other crimes they might mention at the EDVA trial until July 18.

In any case, this opposition motion would seem to limit how much Mueller can mention about the collusion case in chief to a description of that loan. So it’s probably just that Mueller has some other activity, akin to the NY-based crime they plan to introduce in the DC case, perhaps some criminal activity that can be charged in VA, that they plan to introduce at trial. In any case, they’re not going to release it for another 10 days or so.

The big discovery dump

Sometime after 6:28 yesterday, Manafort submitted his motion to delay his trial to sometime after his other one. Now, as Josh Gerstein noted in response to my pestering him to review Manafort’s “rocket docket” strategy of splitting this trial from his DC one, Manafort lawyer Kevin Downing always wanted to do the DC one first.

Manafort attorney Kevin Downing requested the Virginia case be set for sometime in November, after the Washington trial. Downing told Ellis the defense needs time to assemble legal motions in both cases and to prepare for the back-to-back trials.

“This is a massive indictment,” the defense attorney said. “We were envisioning a trial in this case in November, following the case in D.C.”

So effectively, what Manafort did was wait until the very last minute, and then ask for what they wanted in the first place, this trial to go second. To justify the delay, his lawyers are citing the difficulties posed by him being in jail (which is a fair reason, but one most similarly situated defendants don’t get concessions for).

But I’m interested in the depiction of the latest discovery received that they also use to make the request.

Indeed, in terms of discovery, defense counsel has continued to receive voluminous amounts from the Special Counsel up-to-the-moment. Thus far, there have been twenty-three (23) discovery productions, the most recent of which was produced to the defense at 6:28 p.m. today, July 6, 2018 (i.e., the same date that this motion for a continuance is being filed)—a mere 19 days before the scheduled trial in this case. The Special Counsel’s production today appears to contain approximately 50,000 pages of new documents. Indeed, this is despite the Special Counsel’s representations earlier this year that discovery was complete, or nearly complete.4 In fact, since May the defense has received seven discovery productions which include at least 140,000 pages of material. The Special Counsel’s next most-recent disclosure—coming on July 3, 2018 (a mere 22 days prior to the scheduled trial)—includes data obtained from the primary cooperating witness’s personal electronic devices and will require extensive review and analysis. (This is the same witness who resolved his case in the District of Columbia in February of this year.) Moreover, defense counsel’s review of the discovery produced to date has been unusually time-consuming because discovery relevant to this case has often been co-mingled with discovery that appears relevant solely to the D.C. Case. As the Court observed at the recent motions hearing, this is primarily a documents case, and defense counsel require additional time to thoroughly review and analyze with their client the voluminous documents produced by the Special Counsel. It is critically important for the defense to have sufficient time to review the discovery with Mr. Manafort because he understands many of the relevant documents (and their context) better than anyone else.

4 See, e.g., Doc. 20 (filed Feb. 28, 2018) at 7 (“[W]e believe that almost all of the relevant discovery in this matter in our possession has already been produced in the course of the District of Columbia prosecution.”); see also D.C. Case, Doc. 146 (filed Jan. 12, 2018) at 1 (“As of the date of this filing, the government has completed a substantial portion of the discovery in this case.”).

Now, I await Mueller’s response to this, as I suspect Manafort is obscuring that, to the extent it pertains to this trial, this recent discovery has more to do with Mueller’s obligations to give Manafort discovery on incriminating evidence against people who will be witnesses at the trial. He’s also obscuring how discovery happened in this case, which started coming 20 days after he was indicted in DC in October and for which the most pertinent materials were identified as “hot.” The full context of the document he cites in that footnote reads,

In addition, we believe that almost all of the relevant discovery in this matter in our possession has already been produced in the course of the District of Columbia prosecution. The government made its first production on November 17, 2017, which included: (1) foreign bank account records for the accounts in Cyprus and Saint Vincent & the Grenadines; (2) domestic financial records; and (3) documents from Manafort’s tax preparer that were identified by the government as particularly relevant. In ensuing ten productions, the government has produced a range of emails, financial documents and other records, as well as materials obtained from a number of different devices and media. 4 As of February 28, 2018, the government had made eleven separate discovery productions to the defendant. In addition, the government also has produced for the defendant documents that it identified as “hot.”

So Manafort had 7 months to review the most important discovery in this case working from home confinement. Manafort is also, surely, obscuring how much of this discovery pertains to the DC case (which is still two months away), not this EDVA one.

These motions were due on Friday in any case, and as Gerstein pointed out, Downing always wanted to do this trial after the DC one, so it’s unlikely this request for a continuance is a response to the discovery he got last week. And the late filing might be best explained by a late edit to incorporate yesterday’s production in the motion. The motion for a continuance is far, far better drafted than the goofy venue change one.

But I do find it interesting that Mueller is just now showing Manafort what he found in Rick Gates’ electronic devices. I wonder if, in doing so, he expected Manafort to rethink his willingness to run interference for Donald Trump? If so, then the request for a continuance would be rather interesting.


Roger Stone and ConFraudUs

CNN’s David Gelles has an instructive tweet this morning showing how the rate at which Trump tweets about the Mueller “witch hunt” is accelerating.

Assuming this includes this morning’s two “witch hunt” tweets, Trump is on pace to use the phrase 28 times by the end of the month, though I bet he’ll continue to accelerate the use of it in the week remaining in the month.

The Mueller investigation is, I suspect, coming to a head.

I don’t claim I know how it will turn out. The president has an enormous amount of power and his flunkies in Congress promise they’re about to end Rod Rosenstein’s bend-don’t-break defense by impeaching him (though Rosenstein and Chris Wray have just thrown more documents out to slow the Republicans). It’s certainly possible that Trump will make a last ditch effort to undercut the Mueller investigation and that effort will be competently executed and none of the secondary fall-back defenses Mueller has put into place will work. For now, though, the Trump team seems intent on a delay and discredit strategy, which won’t stave off any imminent steps.

So we shall see whether Trump succeeds in undercutting the investigation. I keep thinking, “that’s why they play the game,” but this is no game.

There are a number of reasons I think Mueller’s investigation is coming to a head. But consider one detail. I’ve long explained that Mueller seems to be building a series of Conspiracy to Defraud the United States indictments that will ultimately incorporate the entire Russian operation (and may integrate the Trumpsters’ international self-dealing as well). As Mueller’s team has itself pointed out, for heavily regulated areas like elections, ConFraudUs indictments don’t need to prove intent for the underlying crimes. They just need to prove,

(1) two or more persons formed an agreement to defraud the United States;

(2) [each] defendant knowingly participated in the conspiracy with the intent to defraud the United States; and

(3) at least one overt act was committed in furtherance of the common scheme.

Let’s see how evidence Mueller has recently shown might apply in the case of Roger Stone, Trump’s lifelong political advisor. We already knew that Stone had communications that he did not immediately disclose with Guccifer 2.0 and Wikileaks. With both, Stone has contributed to and reinforced claims the entities were not Russian operations, though his conversion about the source of the Hillary emails was pretty sudden and curiously timed.

Now we know that in May, Stone had lunch with someone calling himself Henry Greenberg offering dirt on Hillary. His explanation — based only on the texts that Michael Caputo was asked about in a Mueller interview — is not that he didn’t entertain the offer, but that he didn’t take Greenberg up on the offer as made in late May because Greenberg was asking for big money.

Both clearly recognized Greenberg as a Russian, therefore a foreigner offering something of value during an election.

Bizarrely, in trying to rebut the import of this exchange publicly, Caputo and Stone are doing nothing more than working the public refs, claiming to assume this was an FBI sting. Mueller knows whether it was an FBI sting, and there’s virtually no way he’d be asking questions about it if it were (particularly if Stone really didn’t take the bait). In short, Stone has no justification for this he’s willing to offer publicly; instead, he’s just adopting the SpyGate narrative in an attempt to discredit the investigation. And that’s assuming there were no follow-ups or other damning texts that didn’t involve someone willing to leak them to the press.

And all that happened before Peter Smith came on the scene, someone who, unlike Donald Trump, was willing to spend money for such things, an operation Stone is suspected of being involved in but which he studiously avoids mentioning when trying to explain himself. Smith did obtain emails from people Matt Tait advised him might be part of a Russian operation, and when he couldn’t validate them, sent them on to Wikileaks.

Which is to say Stone repeatedly entertained offers from foreigners illegally offering dirt that would benefit the Trump campaign — Greenberg, Guccifer 2.0, possibly Peter Smith’s Dark Web hackers. He may even have exhibited a belief that Australian Julian Assange had and could release the latter dirt, possibly with the knowledge they came from Russians.

So we’ve got Stone meeting with other people, repeatedly agreeing to bypass US election law to obtain a benefit for Trump, evidence (notwithstanding Stone’s post-hoc attempts to deny a Russian connection with Guccifer 2.0 and Wikileaks) that Stone had the intent of obtaining that benefit, and tons of overt acts committed in furtherance of the scheme.

And all that’s without leaning on the other stuff Mueller found on Stone’s phone, which Stone is also trying to explain away by public conspiracies (in this case that the phone content was obtained with a FISA order rather than with a probable cause warrant obtained on March 9).

This is just one of the people Mueller has publicly focused on in recent days. We could lay out similar arguments for Michael Cohen, Paul Manafort, and Brad Parscale, at a minimum. Mueller had — and acted on — probable cause warrants covering five AT&T phones in March, all of which probably had close ties to Rick Gates. Assuming those targets are distributed proportionately with the US population, he’s likely to have obtained warrants for as many as 15 phones just in that go-around.

So if Roger Stone is any indication, the Mueller investigation may soon be moving into a new phase.


What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling — that Hutchins will learn of the informant, Randy’s, identity at least a month before trial, if not before, as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgeable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — over what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served by punishing a guy because he achieved renewed notice by doing something good?


Two Days after Julian Assange Threatened Don Jr, Accused Vault 7 Leaker Joshua Schulte Took to Tor

Monday, the government rolled out a superseding indictment for former NSA and CIA hacker Joshua Schulte, accusing him (obliquely) of leaking the CIA’s hacking tools that became the Vault 7 release from Wikileaks. The filings in his docket (as would the search warrants his series of defense attorneys would have seen) make it clear that the investigation into him, launched just days after the first CIA release, was always about the CIA leak. But when the government took his computer last spring, they found thousands of child porn pictures dating back to 2009. It took the government over three months and a sexual assault indictment in VA to convince a judge to revoke his bail last December, and then another six months to solidify the leaking charges they had been investigating him for from the start.

But the case appears to have taken a key turn on November 16, 2017, when he did something — it’s not clear what — on the Tor network. While there are several things that might explain why he chose to put his release at risk by accessing Tor that day, it’s notable that it occurred two days after Julian Assange tweeted publicly to Donald Trump Jr that he’d still be happy to be Australian Ambassador to the US, implicitly threatening to release more CIA hacking tools.

Schulte was, from days after the initial Vault 7 release, apparently the prime suspect to be the leaker. As such, the government was always interested in what Schulte was doing on Tor. In response to a warrant to Google served in March 2017, the government found him searching, on May 8, 2016, for how to set up a Tor bridge (Schulte has been justifiably mocked for truly abysmal OpSec, and Googling how to set up a bridge is one example). That was right in the middle of the time he was deleting logs from his CIA computer to hide what he was doing on it.

When he was granted bail, he was prohibited from accessing computers. But because the government had arrested him on child porn charges and remained coy (in spite of serial hold-ups with his attorneys regarding clearance to see the small number of classified files the government found on his computer) about the Vault 7 interest, the discussions of how skilled he was with a computer remained fairly oblique. But in their finally successful motion to revoke Schulte’s bail, the government revealed that Schulte had not only accessed his email (via his roommate, Schulte’s lawyer would later claim), but had accessed Tor five times in the previous month, on November 16, 17, 26, and 30, and on December 5, 2017, which appears to be when the government nudged Virginia to get NYPD to arrest him on a sexual assault charge tied to raping a passed-out acquaintance at his home in VA in 2015.

Perhaps the most obvious explanation for why Schulte accessed Tor starting on November 16, 2017, is that he was trying to learn about the assault charges filed in VA the day before.

But there is a more interesting explanation.

As you recall, back in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017, of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries’ politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year, followed by a more formal one on May 10, 2018 that remains in place.

There’s a reason I think those Tor accesses may actually be tied to Assange’s implicit threat. In January of this year, when his then-lawyer Jacob Kaplan made a bid to renew bail, he offered an excuse for those Tor accesses. He claimed Schulte was using Tor to research the diaries on his experience in the criminal justice system.

In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

Someone posted those diaries to a Facebook account titled “John Galt’s Defense Fund” on April 20, 2018 (in addition to being an accused rapist and child porn fan, Schulte’s public postings show him to be an anti-Obama racist and an Ayn Rand-worshipping libertarian).

Yesterday, Wikileaks linked those diaries, which strikes me as an attempt to corroborate the alibi Schulte has offered for his access to Tor last November.

The government seems to have let Schulte remain free for much of 2017, perhaps in search of evidence to implicate him in the Vault 7 release. Whether it was a response to a second indictment or to Assange’s implicit threats to Don Jr, Schulte’s use of Tor last year (and, surely, the testimony of the roommate he was using as a go-between) may have been one of the keys to getting the proof the government had been searching for since March 2017.

Whatever it is, both Wikileaks and Schulte would like you to believe he did nothing more nefarious than research due process websites when he put his bail at risk by accessing Tor last year. I find that a dubious claim.


2009: IRC discussions of child porn

2011 and 2012: Google searches for child porn

April 2015: Rapes a woman (possibly partner) who is passed out and takes pictures of it

March to June 2016: Schulte deleting logs of access to CIA computer

May 8, 2016: Schulte Googles how to set up a Tor bridge

November 2016: Leaves CIA, moves to NY, works for Bloomberg

December 16, 2016: Assange DM to Don Jr about becoming Ambassador

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

February 4, 2017: Wikileaks starts prepping Vault 7

March 7, 2017: Wikileaks starts releasing Vault 7

March 13, 2017: Google search warrant

March 20, 2017: Search (including of cell phone, from which passwords to his desktop obtained)

June 2017: Interview

August 17, 2017: Dana Rohrabacher tries to broker deal for Assange with Trump

August 23, 2017: Arrest affidavit

August 24, 2017: Arraignment

THE COURT: Well, it sounds like, based on the interview, that he knew what the government was looking at.

MR. LAROCHE: That wasn’t the basis of the interview, your Honor.


MR. KOSS: I think it was either two or three [interviews]. I think it was three occasions. I was there on all three, including one of which where we handed over the telephone and unblocked the password to the phone, which they did not have, and gave that to them. And as I said, I have been in constant contact with the three assistant U.S. attorneys working on this matter literally on a weekly basis for the last 4, 5, 6 months. And any time Mr. Schulte even thought about traveling, I provided them an itinerary. I cleared it with them first and made sure it was okay. On any occasion that they said they might want him close so that he could speak to them, I cancelled the travel and rescheduled it so that we would be available if they needed him at any given time.

September 13, 2017: Bail hearing

MR. LAROCHE: Well, I believe there still is a danger because it’s not just computers, your Honor, but electronic devices are all over society and easy to procure and this type of defendant having the type of knowledge he has does in terms of accessing things — so he has expertise and not only just generally computers but using things such as wiping tools that would allow him to access certain website and leave no trace of it. Those can be done from not just a computer but from other electronic devices.

But the child pornography itself is located on the defendant’s desktop computer. They can be accessed irrespective of those servers. So if all the government had was this desktop computer, we could recover the child pornography. So I think this idea that numerous people had access to the serves and potentially could have put it there, is simply a red herring. This was on the defendant’s desktop computer. And the location where it was found, this sub-folder within several layers of encryption, there were other personal information of the defendant in that area. There was his bank accounts. I think there was even a resume for the defendant where he was storing this information. And the passwords that were used to get into that location, those passwords were the same passwords the defendant used to access his bank account, to access various other accounts that are related to him. So this idea that he shared them with other people, the government just strongly disagrees.

October 11, 2017: Schulte lawyer Spiro withdraws

October 24, 2017: At Trump’s request Bill Binney meets with Mike Pompeo to offer alternate theory of the DNC hack

November 8, 2017: Status hearing

SMITH: I believe the government has told us that there’s more data in this case than in any other like case that they have prosecuted.

MR. STANSBURY: Let me just clarify that part first. We proposed this just in an abundance of caution given the defendant’s former employer and the fact that — and I meant to flag this before. I apologize now for not. There’s a small body of documents that were found in the defendant’s residence that were taken from his former employer that might implicate some classified issues. We have been in the process of having those reviewed and I think we’re going to be in a position to produce those in the next probably few days. But we wanted to just make sure that we were acting out of an abundance of caution in case any SEPA [sic] issues come about in the case. I don’t expect them too at this point but we wanted to do that out of an abundance of caution.

November 9, 2017: Wikileaks publishes Vault 8 exploit

November 14, 2017: Assange posts Vault 8 Ambassador follow-up

November 14, 2017: Arrest warrant in VA

November 15, 2017: Charged in Loudoun County for sexual assault

November 16, 2017: Use of Tor

November 17, 2017: Use of Tor

November 26, 2017: Use of Tor

November 29, 2017: Abundance of caution, attorney should obtain clearance

November 30, 2017: Use of Tor

December 5, 2017: Use of Tor, Smith withdraws

December 7, 2017: NYPD arrests on VA warrant for sexual assault

December 12, 2017: Move for detention, including description of email and Tor access

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network. TOR networks enable anonymous communications over the Internet and could be used to download or view child pornography without detection. Indeed, the defendant has a history of using TOR networks. The defendant’s Google searches obtained in this investigation show that on May 8, 2016, the defendant conducted multiple searches related to the use of TOR to anonymously transfer encrypted data on the Internet. In particular, the defendant had searched for “setup for relay,” “test bridge relay,” and “tor relay vs bridge.” Each of these searches returned information regarding the use of interconnected computers on TOR to convey information, or the use of a computer to serve as the gateway (or bridge) into the TOR network.

December 14, 2017: US custody in NY

MR. KAPLAN: Well, your Honor, we’ve obtained the discovery given to prior counsel, and I’ve started to go through that. In addition, there was one other issue which I believe was raised at our prior conference, which was a security clearance for counsel to go through some of the national security evidence that might be present in the case.

While most of the national security stuff does not involve the charges, the actual charges against Mr. Schulte, the basis for the search warrants in this case involve national security.

So I’m starting the process with their office to hopefully get clearance to go through some of the information on that with an eye towards possibly a Franks motion going forward. So I would ask for more time just to get that rolling.

January 8, 2018: Bail appeal hearing

MR. KAPLAN: Judge, on the last court date, when we left, the idea was that we had consented to detention with the understanding that Mr. Schulte would be sent down to Virginia to face charges based on a Virginia warrant. None of that happened. Virginia never came to get him. Virginia just didn’t do anything in this case. But before I address the bail issues, I think it’s important that this Court hear the full story of how we actually get here. At one of the previous court appearances, I believe it was the November 8th date, this Court asked why the defense attorney in this case would need security clearance. And the answer that was given by one of the prosecutors, I believe, was that there was some top secret government information that was found in Mr. Schulte’s apartment, and that out of an abundance of caution it would be prudent that the defense attorney get clearance. But I don’t think that’s entirely accurate.

While the current indictment charges Mr. Schulte with child pornography, this case comes out of a much broader perspective. In March of 2017, there was the WikiLeaks leak, where 8,000 CIA documents were leaked on the Internet. The FBI believed that Mr. Schulte was involved in that leak. As part of their investigation, they obtained numerous search warrants for Mr. Schulte’s phone, for his computers, and other items, in order to establish the connection between Mr. Schulte and the WikiLeaks leak.

As we will discuss later in motion practice, we believe that many of the facts relied on to get the search warrants were just flat inaccurate and not true, and part of our belief is because later on, in the third or fourth search warrant applications, they said some of the facts that we mentioned earlier were not accurate. So we will address this in a Franks motion going forward, but what I think is important for the Court is, in April or May of 2017, the government had full access to his computers and his phone, and they found the child pornography in this case, but what they didn’t find was any connection to the WikiLeaks investigation. Since that point, from May going forward, although they later argued he was a danger to the community, they let him out; they let him travel. There was no concern at all. That changed when they arrested him in August on the child pornography case.

[snip]

The second basis that the government had in its letter for detaining Mr. Schulte was the usage of computers. In the government’s letter, they note how, if you search the IP address for Mr. Schulte’s apartment, they found numerous log-ons to his Gmail account, in clear violation of this court’s order. But what the government’s letter doesn’t mention is that Mr. Schulte had a roommate, his cousin, Shane Presnall, and this roommate, who the government and pretrial services knew about, was allowed to have a computer.

And more than that, based on numerous conversations, at least two conversations between pretrial services, John Moscato, Josh Schulte and Shane Presnall, it was Shane’s understanding that pretrial services allowed him to check Mr. Schulte’s e-mail and to do searches for him on the Internet, with the idea that Josh Schulte himself would not have access to the computer.

And the government gave 14 pages of log-on information to establish this point. And, Judge, we have gone through all 14 pages, and every single access and log-in corresponds to a time that Shane Presnall is in the apartment. His computer has facial recognition, it has an alphanumeric code, and there is no point when Josh Schulte is left himself with the computer without Shane being there, and that was their understanding.

LAROCHE: And part of that investigation is analyzing whether and to what extent TOR was used in transmitting classified information. So the fact that the defendant is now, while on pretrial release, using TOR from his apartment, when he was explicitly told not to use the Internet, is extremely troubling and suggests that he did willfully violate his bail conditions.


KAPLAN: In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.


LAROCHE: Because there is a classified document that is located on the defendant’s computer, it is extremely difficult, and we have determined not possible, to remove that document forensically and still provide an accurate copy of the desktop computer to the defendant.

So in those circumstances, defense counsel is going to require a top secret clearance in order to view these materials. It’s my understanding that that process is ongoing, and we have asked them to expedite it. As soon as the defendant’s application is in, we believe he will get an interim classification to review this material within approximately two to three weeks. Unfortunately, that hasn’t occurred yet. So the defendant still does not have access to that particular aspect of discovery. So we are working through that as quickly as we can.

January 17, 2018: Bail appeal denied

March 15, 2018: Sabrina Shroff appointed

March 28, 2018: Initial ban of Internet access and visitors for Assange

April 20, 2018: Schulte’s diaries (ostensibly the purpose of using Tor) posted

May 10, 2018: Ecuador bans visitors for Assange

May 16, 18, 2018: Documents placed in vault

May 16, 2018: Schulte Facebook site starts legal defense fund

June 18, 2018: Schulte superseding indictment

June 19, 2018: Wikileaks posts links to diary


Why Was George Papadopoulos Bitching about the UK While Working on His Presentencing Report?

The government and the lawyers for George Papadopoulos have a joint status report due on Friday. That means the lawyers are all, surely, in communication right now. Probably, Papadopoulos has already seen a draft if not the final of his presentencing report, which among other things, will talk about whether he met the terms of his plea deal. The plea deal, unlike virtually all the others we know Mueller’s team to have signed, included a list of people Papadopoulos was not permitted to contact.

That’s why I find this tweet from Papadopoulos, which TCleveland4Real caught on Twitter, to be so interesting.

TCleveland4Real noted two more things: first, this seems to be an allusion to “perfidious Albion,” the notion that the UK will sell you out in international diplomacy and spying. Perfidious Albion has also been used, repeatedly, to discuss Brexit. And shortly after TCleveland4Real noted it, Papadopoulos deleted the Tweet.

Perhaps this is all utterly unrelated to the filings that will determine whether Papadopoulos does prison time this week. But I sure do wonder whether this curse about Great Britain pertained to what he’s looking at, or even if this tweet was meant as some kind of signal to others.

Update: Here’s the release conditions language he would have violated if he compared notes with others about talking to Stefan Halper.

And he was directed not to have any contact, direct or indirect, with individuals relating to the campaign or to any of the conduct set forth in the complaint. The Government provided a list of those individuals to the Defendant and defense counsel.

Arguably, even Simona asking for a pardon constitutes indirect communication with an individual relating to the campaign, given that only Trump could be the audience for that.

Update, 9/1/18: I realize that Papadopoulos couldn’t have been reviewing his PSR. That only got done on August 1. So something else made him realize he was screwed.


Who Taught Trump about Weaponized Migration?

Amid the ongoing family separation crisis, I want to look back at something that raised a few eyebrows among the more generalized nausea at Trump’s behavior at the G-7. The WSJ reported this comment Trump made to Shinzo Abe in the context of the horror it elicited from European leaders, along with a related comment he made to Emmanuel Macron.

At one point, Mr. Trump brought up migration as a big problem for Europe and then told Mr. Abe, “Shinzo, you don’t have this problem, but I can send you 25 million Mexicans and you’ll be out of office very soon,” according to the senior EU official who was in the room. A sense of irritation with Mr. Trump could be felt, “but everyone tried to be rational and calm,” the person said.

The EU official said at another point, in a discussion over Iran and terrorism, Mr. Trump verbally jabbed at Mr. Macron, “You must know about this, Emmanuel, because all the terrorists are in Paris,” the senior official said.

What Trump is talking about when he suggests he could send 25 million Mexicans to Japan is weaponized migration, as envisioned here, the deliberate creation of migration influxes to take out a political leader. In spite of the salience of racism in our politics, it’s not a common concept here. But in Europe, where migration from a destabilized Northern Africa and Middle East poses (as I heard a few MEPs say just before the election in 2016) the single biggest threat to the EU project, it’s a very real concern. For some time, the political cost of her human rights approach to migration has been the key weakness Angela Merkel’s opponents exploit. And in the days since the G-7, the topic of migration has threatened, for the second time this year, to collapse Merkel’s governing coalition.

For some time, there have been signs that the migration from (especially) Syria had been weaponized in two ways: first, by the seeming release of waves of migration that in their intensity would overwhelm Europe’s ability to respond. And more importantly, by the inclusion of terrorists, including returning European Arabs, among the waves of migrations. Most notably, four of the men who attacked the Stade de France on November 13, 2015 came in with a wave of other migrants. While Europeans respond more rationally to terrorist attacks than Americans do, by tying this one to migration, it made the waves of migrants in Europe far more politically toxic than they would otherwise be.

And while it was clear that the migration from Libya and Syria was being orchestrated for maximum damage, at the time (and still) it wasn’t clear who was behind it. Turkey (as the host of many of the Syrian refugees), Saudi Arabia (which maximized the instability of Syria to support ousting Assad), and Syria itself were all possibilities. In February 25, 2016 testimony viewed as particularly inflammatory, then NATO Commander Philip Breedlove placed the blame squarely on Russia and Syria.

To the South from the Levant through North Africa, Europe faces a complicated mix of mass migration spurred by state instability and state collapse.

And masking the movement of criminals, terrorists and foreign fighters. Within this mix, Daesh — ISIL or Daesh, as I called them, is spreading like a cancer, taking advantage of paths of least resistance, threatening European nations and our own with terrorist attacks. Its brutality is driving millions to flee from Syria and Iraq, creating an almost unprecedented humanitarian challenge.

Russia’s enter into the fight in Syria has wildly exacerbated the problem, changing the dynamic in the air and on the ground. Despite public pronounces (sic) to the contrary, Russia (inaudible) has done little to counter Daesh but a great deal to bolster the Assad regime and its allies. Together, Russia and the Assad regime are deliberately weaponizing migration from Syria. In an attempt to overwhelm European structures and break European resolve.

Around the time Breedlove gave this testimony, GRU hackers would hack Breedlove as a key focus of the DC Leaks campaign that paralleled — but should in my opinion be considered a separate campaign from — the hack and leak of the DNC.

So Trump’s comment, while addressed to Abe, was instead intended for the benefit of Macron and, even more specifically, Merkel, and subsequent events have only borne out the salience of the comment.

I want to know who prepped the fantastically unprepared Trump to deliver this line. Trump knows virtually no policy well enough to deliver a zinger like this, and yet he knew how best to deliver a line to exploit the real vulnerabilities of all the European members of the G-7. And while, from the comments kicking off his campaign by inventing rapist immigrants from Mexico, Trump is perhaps at his best when he’s mobilizing racism, this comment had a more sophisticated vector than his usual bombast. Further, Trump’s public comments are, so often, just a regurgitation of the last person he engaged closely with. Which makes me acutely interested in who has both the access and the ability to direct his interests such that he managed this line.

There are certainly candidates in his orbit. Obviously, Stephen Miller is all too happy to politicize immigration. But in truth, it’s not clear (though the jury may still be out) that he’s any good at it. The Muslim ban has serially backfired (though we’ll see what SCOTUS says in a few hours), and unified centrists and even conservative supporters of America’s wonderful diversity against Trump in the early days of his regime. The family separation policy, thus far, has provided Democrats an effective way to humanize Trump’s vicious policies, and the White House’s failure to manage the messaging of Miller’s hostage-taking has only made things worse. The other key policy effort to politicize immigration, Jeff Sessions’ focus on MS-13, has largely been a laughable dud, both because those who actually comment on the policy recognize that MS-13 is an American phenomenon, and because MS-13 has never done anything as spectacular as ISIS and Al Qaeda with which to generate visceral fear or even much press attention on the policy.

Steve Bannon, who has hob-nobbed with the European far right and is far more sophisticated than Miller, is another likely source for Trump’s remarkably sophisticated understanding of weaponized migration.

I think neither John Bolton nor John Kelly would be the culprit, the former because he’s a different kind of asshole than the racists Miller and Bannon, the latter because his racism has always lagged Trump’s and he seems to have lost much of the control he has over Trump in recent days. Mike Pompeo is also a racist, and a savvy one at that, but I’m not sure even he is cynical enough to prep this line from Trump.

Whoever it was, that line is not just horrifying on its face, but horrifying because whoever explained how weaponized migration works when wielded by competent actors seems to have privileged access to Trump right now.

Update: I first posted this at 8:27. At , Trump tweeted this:


James Wolfe: The Distinction Between FBI’s Investigation of Leaking Classified versus Non-Public Information

There’s something about the James Wolfe case that has stuck with me. For an article published after Wolfe’s indictment was released, Ali Watkins’ lawyer, Mark MacDougall, tempered his concern about Watkins’ call records being seized by suggesting that the scope of charges might somehow legitimate it.

Watkins’ attorney, Mark MacDougall, had described the seizure as “disconcerting.”

“Whether it was really necessary here will depend on the nature of the investigation and the scope of any charges,” MacDougall said in a statement.

While MacDougall has gone silent since then, this comment suggested there might be a reasonable premise for DOJ to seize all of Watkins’ call records for her entire journalistic career, which is fairly shocking. These days, the FBI obtains all of someone’s call records as much to identify all the devices she uses, so it can check that activity, as to identify specific calls made. There’s nothing revealed by the indictment that would justify that, and a lot (notably, the evidence they had ready access to Wolfe’s phone content) that suggests it wasn’t justified.

With that in mind, I want to look at some details about the known timeline of the investigation:

March 2017: Exec Branch provides SSCI “the Classified Document,” which includes both Secret and Top Secret information, with details pertaining to Page classified as Secret.

March 2, 2017: James Comey briefs HPSCI on counterintelligence investigations, with a briefing to SSCI at almost the same time.

March 17, 2017: 82 text messages between Wolfe and Watkins.

April 3, 2017: Watkins confirms that Carter Page is Male-1.

April 11, 2017: WaPo reports FBI obtained FISA order on Carter Page.

June 2017: End date of five communications with Reporter #1 via Wolfe’s SSCI email.

June 2017: Using pretext of serving as a source, CBP agent Jeffrey Rambo grills Watkins about her travel with Wolfe.

October 2017: Wolfe offers up to be anonymous source for Reporter #4 on Signal.

October 16, 2017: Wolfe Signals Reporter #3 about Page’s subpoena.

October 17, 2017: NBC reports Carter Page subpoena.

October 24, 2017: Wolfe informs Reporter #3 of timing of Page’s testimony.

October 30, 2017: FBI informs James Wolfe of investigation.

November 15, 2017: 90 days before DOJ informs Ali Watkins they’ve seized her call records.

December 14, 2017: FBI approaches Watkins about Wolfe.

Prior to December 15, 2017 interview: Wolfe writes text message to Watkins about his support for her career.

December 15, 2017: FBI interviews Wolfe.

February 13, 2018: DOJ informs Watkins they’ve seized her call records.

June 6, 2018: Senate votes to make official records available to DOJ.

That the Chairman and Vice Chairman of the Senate Select Committee on Intelligence, acting jointly, are authorized to provide to the United States Department of Justice copies of Committee records sought in connection with a pending investigation arising out of allegations of the unauthorized disclosure of information, except concerning matters for which a privilege should be asserted.

June 7, 2018: Grand jury indicts Wolfe.

June 7, 2018: Richard Burr and Mark Warner release a statement:

We are troubled to hear of the charges filed against a former member of the Committee staff. While the charges do not appear to include anything related to the mishandling of classified information, the Committee takes this matter extremely seriously. We were made aware of the investigation late last year, and have fully cooperated with the Federal Bureau of Investigation and the Department of Justice since then. Working through Senate Legal Counsel, and as noted in a Senate Resolution, the Committee has made certain official records available to the Justice Department.

June 13, 2018: Wolfe arraigned in DC. His lawyers move to prohibit claims he leaked classified information.

The indictment is quite clear: the investigation leading to Wolfe’s indictment started as an investigation into “multiple unauthorized disclosures of classified information” to the press. It’s clear from Burr and Warner’s statement that they were a bit surprised that the “charges do not appear to include anything related to the mishandling of classified information.” The indictment doesn’t charge Wolfe with leaking classified information.

And while the timeline laid out in the indictment suggests that the document provided to SSCI in March 2017 led to Watkins confirming that Page was Male-1 in the Victor Podobnyy complaint, the complaint itself is probably not classified. Nor would it, with its reference to Page only as Male-1 (the same designation used in this indictment!), be enough on its own to ID Page as the guy Podobnyy was trying to recruit.

As I suggested in this post, for all the focus on Watkins, the indictment actually seemed to prioritize Reporter #1, including on the questionnaire the FBI gave Wolfe when they interviewed him in December. It first asked whether Wolfe had had any contact with the reporters behind that still unidentified story, then asked a question that his relationship with Watkins would clearly refute, which agents contextualized even further by asking specific questions about details they had already confirmed about that relationship, including the international travel Rambo had identified as early as June. Then, after asking a question that would clearly pertain to Wolfe’s undeniable relationship with Watkins, the questionnaire asked whether he had given classified or unclassified documents to any of the journalists he might have admitted to contacting in Question 10, covering the basis for that Podobnyy story.

c. During the interview, FBI agents showed WOLFE a copy of a news article authored by three reporters, including REPORTER #1, about an individual (referred to herein as “MALE-1”), that contained classified information that had been provided to the SSCI by the Executive Branch for official purposes.

d. Question 9 of the Investigative Questionnaire asked “Have you had any contact with” any of those three reporters. As to each reporter, WOLFE stated and checked “No.”

e. Question 10 of the Investigative Questionnaire asked, “Besides [the three named reporters], do you currently have or had any contact with any other reporters (professional, official, personal)?” Before answering this question, WOLFE stated orally to the FBI agents that although he had no official or professional contact with reporters, he saw reporters every day, and so to “feel comfortable” he would check “Yes.” He did so, and initialed this answer.

f. Question 10 of the Investigative Questionnaire further asked, “If yes, who and describe the relationship (professional, official, personal).” In the space provided, WOLFE hand wrote “Official – No” and “Professional – No.” WOLFE then orally volunteered that he certainly did not talk to reporters about anything SSCI-related. FBI agents orally asked WOLFE if he had traveled internationally with any reporter, gone to a baseball game or to the movies with a reporter, or had weekly or regular electronic communication with a reporter. To each question WOLFE verbally responded “No.” WOLFE then wrote “Personal – No” on the Investigative Questionnaire.

g. Question 11 of the Investigative Questionnaire asked, “If yes to question ten, did you discuss or disclose any official U.S. government information or documents whether classified or unclassified which is the property of the U.S. government without express authorization from the owner of the information?” WOLFE stated and checked “No” and initialed this answer.

Now consider the vote to release official SSCI documents to DOJ, which DOJ appears to have needed before they presented the indictment to the grand jury the next day, but which DOJ knew enough about to already be prepped to indict. That is, DOJ surely already knew what those records showed; what the vote did was permit DOJ to use the records in a prosecution. There are surely records pertaining to the SSCI SCIF that DOJ wanted, including the specific treatment of the Classified Document delivered to SSCI in March 2017.

On or about March 17, 2017, the Classified Document was transported to the SSCI. As Director of Security, WOLFE received, maintained, and managed the Classified Document on behalf of the SSCI.

It’s also possible (though unlikely) that SSCI, and not the Executive Branch, counts as custodian of Wolfe’s Non-Disclosure Agreements.

But the only actual SSCI record described in the indictment is the email account he used to communicate with Reporter #1, as well as emails that Page sent to the committee to complain about leaks.

For example, between in or around December 2015 and in or around June 2017, WOLFE and REPORTER #1 communicated at least five times using his SSCI email account.

[snip]

26. On or about October 18, 2017, MALE-1 sent an email to the SSCI, complaining that the news organization had published REPORTER #3’s news article of the previous day, reporting that he had been subpoenaed.

27. On or about October 24, 2017, at 7:00 a.m., WOLFE informed REPORTER #3, using Signal, that MALE-1 would testify in closed hearing before the SSCI “this week.” At 9:58 a.m., REPORTER #3 sent an email to MALE-1, asking him to confirm that he would be “paying a visit to Senate Intelligence staffers this week.” At 9:23 p.m., MALE-1 sent an email to the SSCI, forwarding the email he had received from REPORTER #3, and complaining that the details of his appearance had been leaked to the press.

So it’s possible that, having had SSCI’s cooperation since the time FBI was interviewing Wolfe, DOJ only needed to ensure it could access these email records. It’s possible that DOJ believes convicting Wolfe of false statements charges, and avoiding the hassle of exposing classified information at a trial charging that he leaked classified information, is sufficient punishment.

Or it’s possible that this indictment is just the next step in an investigative process that aims to get confirmation — public or tacit, the latter obtained via a guilty plea with cooperation — regarding the source for that other, still unidentified story that incorporated classified information. I also think FBI may be particularly interested that Wolfe was approaching journalists offering to be a source, as he did in October with Reporter #4, and not vice-versa.


Ty Cobb’s Claim about White House Counsel Recusal Can Only Be Narrowly True

Politico has a story that has generated favorable press for White House Counsel Don McGahn. He had his entire office recuse from the Russia investigation, it claims, basing the claim on public comments by Ty Cobb.

White House Counsel Don McGahn recused his entire staff last summer from working on the Russia investigation because many of his office’s lawyers played significant roles in key episodes at the center of the probe, former White House attorney Ty Cobb said on Wednesday.

McGahn made the decision to halt his staff’s interactions with Special Counsel Robert Mueller because many of his own attorneys “had been significant participants” surrounding the firings of national security adviser Michael Flynn and FBI Director James Comey, Cobb said.

[snip]

While it’s been widely known that McGahn handed over day-to-day responsibilities to Cobb when he started working in the White House last July, neither of the Trump lawyers had ever specified that the entire White House legal office had been recused from the Russia probe in its entirety.

The story explains something I’ve long been struck by — the claim in a John Dowd document from January that eight members of the White House Counsel underwent voluntary interviews with Mueller’s team.

Over 20 White House personnel (not including Campaign team members) voluntarily gave interviews; including 8 people from the White House Counsel’s Office.

Two-fifths of those Mueller interviewed by January were personnel from the White House Counsel’s Office?!?!

Perhaps it’s better to say that this new Ty Cobb story is best explained by that factoid: The White House Counsel’s office was a subject of real scrutiny for Mueller.

After all, public reporting makes it clear that Ty Cobb did not take over all Russian investigation matters, at least not immediately. He was hired by July 14. As late as mid-September, he was publicly bitching about tensions with McGahn and making it clear McGahn was withholding probably responsive documents.

The debate in Mr. Trump’s West Wing has pitted Donald F. McGahn II, the White House counsel, against Ty Cobb, a lawyer brought in to manage the response to the investigation. Mr. Cobb has argued for turning over as many of the emails and documents requested by the special counsel as possible in hopes of quickly ending the investigation — or at least its focus on Mr. Trump.

Mr. McGahn supports cooperation, but has expressed worry about setting a precedent that would weaken the White House long after Mr. Trump’s tenure is over. He is described as particularly concerned about whether the president will invoke executive or attorney-client privilege to limit how forthcoming Mr. McGahn could be if he himself is interviewed by the special counsel as requested.

The friction escalated in recent days after Mr. Cobb was overheard by a reporter for The New York Times discussing the dispute during a lunchtime conversation at a popular Washington steakhouse. Mr. Cobb was heard talking about a White House lawyer he deemed “a McGahn spy” and saying Mr. McGahn had “a couple documents locked in a safe” that he seemed to suggest he wanted access to.

[snip]

Complicating the situation is that Mr. McGahn himself is a likely witness. Mr. Mueller wants to interview him about Mr. Comey’s dismissal and the White House’s handling of questions about a June 2016 meeting between Donald Trump Jr. and a Russian lawyer said to be offering incriminating information about Hillary Clinton.

Mr. McGahn is willing to meet with investigators and answer questions, but his lawyer, Bill Burck, has asked Mr. Cobb to tell him whether the president wants to assert either attorney-client or executive privilege, according to lawyers close to the case. Mr. McGahn could face legal jeopardy or lose his law license should he run afoul of rules governing which communications he can divulge. He did not respond to requests for comment.

Unless NYT’s reporting — and Cobb’s public blabbing — was entirely wrong, Cobb can only mean that McGahn recused later (or sometime just before the Fall Equinox last year, so technically still summer). It’s possible this incident precipitated McGahn’s recusal — not to mention made Mueller even more interested in interviewing him. More likely, the discovery that McGahn could be interviewed — including about his transparently bad defense of the Mike Flynn firing — led Trump to decide that White House Counsel staffers had to be totally recused from matters that pertained to his legal exposure (though if that’s true, I wonder what Emmet Flood is doing).

Alternately, it’s possible that McGahn recognized that his continued exposure to Trump’s obstruction in conjunction with the Russia investigation exposed him to legal jeopardy. If that’s the case, his recusal wasn’t about ethics, it was about self-preservation.

Update: LemonSlayer noted on Twitter that there’s a much later indication of what the purported recusal McGahn adopted actually amounts to: collaborating with the Devin Nunes effort.

Nunes, meanwhile, has purposefully not been talking to Trump, to avoid accusations that he is providing sensitive information to the president, according to these people. Instead, Nunes has been relaying the status of his battle with the Justice Department to White House Counsel Donald McGahn.


Mueller to Yevgeniy Prigozhin: Sure You Can Have Discovery … If You Come to the United States to Get It

This Concord Management filing, from Mueller’s team, is attracting a lot of attention because Mueller predictably asked for a protective order and said Russians are still engaging in information operations (so are we!!). Since we covered the certainty that there’d be a protective order in this case over a month ago, I’m going to focus on some other interesting tidbits about this filing.

As a reminder, Concord Management is a company owned by close Putin ally Yevgeniy Prigozhin. Concord is accused in the Internet Research Agency indictment of funding the troll operation.

Defendants CONCORD MANAGEMENT AND CONSULTING LLC (Конкорд Менеджмент и Консалтинг) and CONCORD CATERING are related Russian entities with various Russian government contracts. CONCORD was the ORGANIZATION’s primary source of funding for its interference operations. CONCORD controlled funding, recommended personnel, and oversaw ORGANIZATION activities through reporting and interaction with ORGANIZATION management.

[snip]

To conceal its involvement, CONCORD labeled the monies paid to the ORGANIZATION for Project Lakhta as payments related to software support and development. To further conceal the source of funds, CONCORD distributed monies to the ORGANIZATION through approximately fourteen bank accounts held in the names of CONCORD affiliates, including Glavnaya Liniya LLC, Merkuriy LLC, Obshchepit LLC, Potentsial LLC, RSP LLC, ASP LLC, MTTs LLC, Kompleksservis LLC, SPb Kulinariya LLC, Almira LLC, Pishchevik LLC, Galant LLC, Rayteks LLC, and Standart LLC.

The indictment accuses Prigozhin of supervising the operation closely enough to have been saluted by troll operations in the US.

PRIGOZHIN approved and supported the ORGANIZATION’s operations, and Defendants and their co-conspirators were aware of PRIGOZHIN’s role.

For example, on or about May 29, 2016, Defendants and their co-conspirators, through an ORGANIZATION-controlled social media account, arranged for a real U.S. person to stand in front of the White House in the District of Columbia under false pretenses to hold a sign that read “Happy 55th Birthday Dear Boss.” Defendants and their co-conspirators informed the real U.S. person that the sign was for someone who “is a leader here and our boss . . . our funder.” PRIGOZHIN’s Russian passport identifies his date of birth as June 1, 1961.

When Concord moved to defend itself, it presented the possibility that it and Prigozhin would obtain discovery, and via Prigozhin, everyone else in Russia who was part of this operation, up to and including Putin. Indeed, the Mueller filing makes it quite clear that is the intent of the defense attorneys. They explicitly asked to share information with co-defendants that serve as officers of Concord, which can only mean they want to share information with Prigozhin.

In its initial proposed protective order, the government proposed a complete prohibition on sharing discovery with any co-defendant charged in this criminal case, whether individual or organizational. Defense counsel proposed that they be permitted to share discovery with a codefendant if that co-defendant is an officer or employee of Concord Management. To the government’s knowledge, the only charged defendant in this category is Yevgeniy Viktorovich Prigozhin, who was charged individually for conspiring to defraud the United States, in violation of 18 U.S.C. § 371.

So this dispute over the protective order is an effort to continue with the prosecution, while ensuring that Russia doesn’t obtain important information on the investigation into the operation by doing so.

Before I get into how Mueller’s team proposes to resolve the dispute, it’s worth reviewing the data in question, because that’s actually one of the most interesting parts of this filing. Apparently, the discovery in this case contains no classified information, meaning the government either used none in its investigation of the social media trolling or parallel constructed whatever it did use.

As described further in the government’s ex parte affidavit, the discovery in this case contains unclassified but sensitive information that remains relevant to ongoing national security investigations and efforts to protect the integrity of future U.S. elections. [my emphasis]

Later, the filing makes it clear that much of the evidence in the case came from US providers — surely Facebook and Twitter and others.

The evidence includes data related to hundreds of social media accounts, as well as evidence obtained from email providers, internet service providers, financial institutions, and other sources. Additionally, the need to produce much of the data in its original format (formats that include, for example, Excel and HTML files) makes it infeasible to make certain redactions without compromising expeditious review of the data.

These two details confirm a point I made in March: this indictment really doesn’t rely on information as secret as many reporters claimed. It relies on stuff you get from social media providers.

And contrary to what NBC says about the heavy reliance, in the Internet Research Agency indictment, “on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS),” it really wasn’t all that sophisticated from a cybersecurity standpoint. Especially not once you consider the interesting forensics on it (aside from IDing the IRA’s VPNs) would have come from Facebook and Twitter.

That detail — that much of this indictment comes from the social media providers that Russia exploited in 2016 — is important background to this passage (this is the one that has gotten all the press), which asserts that Russia continues to do what Prigozhin’s trolls did in 2016.

Public or unauthorized disclosure of this case’s discovery would result in the release of information that would assist foreign intelligence services, particularly those of the Russian Federation, and other foreign actors in future operations against the United States. First, the substance of the government’s evidence identifies uncharged individuals and entities that the government believes are continuing to engage in interference operations like those charged in the present indictment. Second, information within this case’s discovery identifies sources, methods, and techniques used to identify the foreign actors behind these interference operations, and disclosure of such information will allow foreign actors to learn of these techniques and adjust their conduct, thus undermining ongoing and future national security investigations.

And that, in turn, explains much of the logic for the larger protective order request: the government is trying to prevent Prigozhin and through him Putin from learning what the US is doing to counter its information operations.

The government’s description of what it considers “sensitive” information that it wants to require a special review before sharing with foreign nationals reveals it is also trying to prevent Prigozhin and others from learning about the status of the investigation and its targets.

a. Witness statements provided pursuant to 18 U.S.C. § 3500;

b. Information that could lead to the identification of potential witnesses, including civilian, foreign and domestic law enforcement witnesses and cooperating witnesses;

c. Information related to ongoing investigations, including information that could identify the targets of such investigations; and

d. Information related to sensitive law enforcement or intelligence collection techniques.

Finally, the government is trying to hide what it knows about relationships between parties involved in this operation and “other uncharged foreign entities and governments.”

At a high level, the sensitive-but-unclassified discovery in this case includes information describing the government’s investigative steps taken to identify foreign parties responsible for interfering in U.S. elections; the techniques used by foreign parties to mask their true identities while conducting operations online; the relationships of charged and uncharged parties to other uncharged foreign entities and governments; the government’s evidence-collection capabilities related to online conduct; and the identities of cooperating individuals and, or companies. Discovery in this case contains sensitive information about investigative techniques and cooperating witnesses that goes well beyond the information that will be disclosed at trial. [my emphasis]

So one thing the government wants to protect is what it knows about the relationship between Prigozhin and Putin, and the Russian government’s involvement in this trolling operation more generally.

And to do that, the government is demanding the ability to prohibit Concord’s lawyers from sharing information with Prigozhin (or any other defendant) without prior court review.

Notwithstanding the previous categories of authorized persons, no co-defendant charged in this criminal case, whether individual or organizational, shall be deemed an authorized person for purposes of discovery until the co-defendant appears before this Court. Defense counsel shall not disclose or discuss the material or their contents to any co-defendant charged in this criminal case, whether individual or organizational, until the co-defendant appears before this Court unless otherwise directed by this Court. If defense counsel, after reviewing discovery in this matter, believes it necessary to seek to disclose or discuss any material with a co-defendant who has not appeared before this Court, counsel must first seek permission from this Court and a modification of this Order.

Perhaps more interesting, it is demanding that Concord’s lawyers keep anything deemed sensitive in the US, reviewed only at Reed Smith’s US offices and air-gapped from the Internet (never viewed or stored on an Internet-connected device).

Neither defense counsel nor any person authorized by this Court is permitted at any time to inspect or review Sensitive materials outside of the U.S. offices of Reed Smith LLP, without prior permission from of this Court. Defense counsel or a designated and identified employee of Reed Smith LLP must accompany any person at all times while he or she is reviewing Sensitive materials at U.S. offices of Reed Smith LLP, unless otherwise authorized by this Court.

[snip]

Sensitive materials shall not be viewed or stored on any device that is connected to or accessible from the Internet.

Sensitive materials may under no circumstances be transported or transmitted outside the United States.

The logic here is nifty: even if they lose on the ability to protect all materials from Prigozhin, they’ve already succeeded in requiring that he come to the US if he wants to read it. At which point, he’d be met by authorities at customs and promptly put in custody.

On one point I was mistaken. I thought there would be classified discovery of some sort, which would require the use of Classified Information Procedures Act (CIPA) procedures. It will apparently never get to that. The government will either win on this protective order, which will largely moot much of the logic for Concord to contest the case, or it will lose, which will likely lead it to dismiss the indictment against Concord.

Update: Fixed protective for protection, h/t mw.


The New Cyber Sanctions

Even as Trump was working hard to get Russia admitted back into the G-7, Treasury was preparing new cyber sanctions against a number of “Russian” entities. This appears to be an effort to apply sanctions for the exploitation of routers and other network infrastructure devices that US-CERT released a warning about in April (activity the US and its partners engage in too).

One of the designated entities is controlled by and has provided material and technological support to Russia’s Federal Security Service (FSB), while two others have provided the FSB with material and technological support.  OFAC is also designating several entities and individuals for being owned or controlled by, or acting for or on behalf of, the three entities that have enabled the FSB.

[snip]

Examples of Russia’s malign and destabilizing cyber activities include the destructive NotPetya cyber-attack; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; and global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyber-attacks.  Today’s action also targets the Russian government’s underwater capabilities.  Russia has been active in tracking undersea communication cables, which carry the bulk of the world’s telecommunications data.

I’ve included the entire list of sanction targets below.

On paper, at least, it looks like Treasury is sanctioning:

  • An entity, Divetechnoservices, that helps Russia tap submarine cables (another thing our spooks do, but one the US and especially the UK have been increasingly worried about from Russia), along with three of its employees; the Treasury release notes that Divetechnoservices got the contract for an FSB submersible craft way back in 2011
  • An entity, Kvant Scientific Research Institute, that has been a research institute for the FSB since August 2015 and, since April 2017, the prime contractor on an FSB project
  • An entity, Digital Security, that as of 2015 worked on a project that would expand Russia’s offensive cyber capabilities; the sanctions also include two companies the release claims are Digital Security subsidiaries, both of which have US and Israeli locations

All of these were sanctioned under E.O. 13694, which, as amended, covers interference with election processes; given the dates, they might be implicated in the election year hacks, or might just be deemed a threat to national security. Only Kvant was also sanctioned under Section 224 of CAATSA, the more general sanctions program forced onto Trump by Congress. I’ve also put the language for both of those authorities below.

And, as Lorenzo F-B notes, the heads of two of the sanctioned alleged subsidiaries of Digital Security, ERPScan and Embedi, say they have nothing to do with the company.

But one of the security companies named in the new sanctions, ERPScan, denied having anything to do with the Russian government in an email to Motherboard.

“The only issue is that I and some of my peers were born in Russia, oh, cmon, I’m sorry but I can’t change it,” ERPScan’s founder Alexander Polyakov told me. “We don’t have any ties to Russian government.”

ERPScan is mostly known for its product that hunts for vulnerabilities in companies’ systems provided by SAP, a popular German enterprise software maker. Cyber Defense Magazine gave ERPScan an award this year for “best product” in its artificial intelligence and machine learning category.

[snip]

Polyakov, however, claimed that as of 2014, ERPScan is a “private company registered in the Netherlands” and that it has no connections “with other companies listed in this document.”

[snip]

“The news came to us as an unpleasant surprise. We never worked for Russian government, but indeed we have some former Russian researchers in our Research Team (some of them are former employees of Digital Security),” Alex Kruglov, Embedi’s head of marketing, told Motherboard in an email. “It is the only reason we can figure out to be added to a sanctions list.”

And they’re both legit cybersecurity companies, which at the very least raises questions (as the Kaspersky targeting did) about whether this is just infosec protectionism. If these protestations are correct, however, it renews real questions about the accuracy of sanction claims made under Treasury Secretary Steve Mnuchin.

The first indication that Mnuchin’s Treasury Department was offering bullshit to fulfill Congress’ demand for sanctions came when Treasury released a list of Russian oligarchs in January that was basically just the Forbes list of richest Russians, including a number that oppose Putin.

President Trump’s Treasury Department released a list of prominent Russian political figures and business leaders who have prospered while Vladimir Putin has led Russia.

The list features 210 people, including politicians such as Prime Minister Medvedev and Minister of Defense Sergey Shoygu. Also on the list are 96 “oligarchs.” Within hours of the list’s posting, media organizations began pointing out the similarity between the 96 billionaires listed and the Russians that appear on Forbes’ 2017 list of the World’s Billionaires.

Forbes went through the lists and confirmed that indeed the Treasury Department’s list is an exact replica of the Russians on the 2017 billionaires list.

For a bit, I thought the list released in March, which added a few new GRU officers, might have reflected new knowledge about GRU officers involved in the targeting of the DNC. Except it turned out those officers were just people readily identifiable off public GRU records. Treasury basically could have gotten them from a spook phone book.

Treasury did better with non-cyber Ukraine-related sanctions in April. It actually named several figures — most obviously Oleg Deripaska and Alexander Torshin — suspected of having played key roles in the election interference. Since then, Deripaska and his aluminum company Rusal have pursued financial games to shield Rusal from sanctions. He’s doing this with the help of Mercury Public Affairs — the Vin Weber lobbying group that shows up in a lot of Manafort’s indictments — and former Trump aide Brian Lanza, who now works there. So it’s not clear whether Deripaska will be significantly impacted.

With that history in mind, it’s worth asking whether Treasury simply can’t do cyber sanctions well, both because it’s hard to distinguish infosec from hacking (it would be equally difficult to do so for any of a number of contractors with close ties to FBI, the analogue of the companies that got sanctioned yesterday), and perhaps because Treasury doesn’t have good intelligence on who is hacking for Russia. Or perhaps Mnuchin is just obstinate.

But thus far, the history of Treasury’s selections for Russia-related cyber sanctions leaves quite a bit to be desired.


Today’s action includes the designation of five Russian entities and three Russian individuals pursuant to E.O. 13694, as amended, as well as a concurrent designation pursuant to Section 224 of CAATSA.

Digital Security was designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  As of 2015, Digital Security worked on a project that would increase Russia’s offensive cyber capabilities for the Russian Intelligence Services, to include the FSB.

ERPScan was designated pursuant to E.O. 13694, as amended, for being owned or controlled by Digital Security.  As of August 2016, ERPScan was a subsidiary of Digital Security.

Embedi was designated pursuant to E.O. 13694, as amended.  As of May 2017, Embedi was owned or controlled by Digital Security.

Kvant Scientific Research Institute (Kvant) was designated pursuant to E.O. 13694, as amended, and Section 224 of CAATSA for being owned or controlled by the FSB.  In August 2010, the Russian government issued a decree that identified Kvant as a federal state unitary enterprise that would be supervised by the FSB.

Kvant was also designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  As of August 2015, Kvant was a research institute with extensive ties to the FSB.  Furthermore, as of April 2017, Kvant was the prime contractor on a project for which the FSB was the end user.

Divetechnoservices was designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  Since 2007, Divetechnoservices has procured a variety of underwater equipment and diving systems for Russian government agencies, to include the FSB.  Further, in 2011, Divetechnoservices was awarded a contract to procure a submersible craft valued at $1.5 million for the FSB.

Aleksandr Lvovich Tribun (Tribun) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of December 2017, Tribun was Divetechnoservices’ General Director.

Oleg Sergeyevich Chirikov (Chirikov) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of March 2018, Chirikov was Divetechnoservices’ Program Manager.

Vladimir Yakovlevich Kaganskiy (Kaganskiy) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of December 2017, Kaganskiy was Divetechnoservices’ owner.  Previously, Kaganskiy also served as Divetechnoservices’ General Director.


EO 13694 as amended

E.O. 13694 authorized the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.  The authority has been amended to also allow for the imposition of sanctions on individuals and entities determined to be responsible for tampering, altering, or causing the misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

CAATSA Section 224

IN GENERAL.—On and after the date that is 60 days after the date of the enactment of this Act, the President shall— (1) impose the sanctions described in subsection (b) with respect to any person that the President determines— (A) knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or (B) is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly, a person described in subparagraph (A);

[snip]

SIGNIFICANT ACTIVITIES UNDERMINING CYBERSECURITY DEFINED.—In this section, the term ‘‘significant activities undermining cybersecurity’’ includes— (1) significant efforts— (A) to deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or (B) to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of— (i) conducting influence operations; or (ii) causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain; (2) significant destructive malware attacks; and (3) significant denial of service activities.

