Former WikiLeaks Task Force Member Charles McGonigal Didn’t Take Credit for the Josh Schulte Investigation

There’s something about the second Josh Schulte trial I’ve always meant to go back and lay out. It pertains to what I think of as Schulte’s “Guccifer Gotcha.”

Throughout the trial, Schulte, who was representing himself, often got caught up in proving — right there in the courtroom — that he was the smartest guy in the room. That often (particularly with prosecutors’ technical expert and a former supervisor) led Schulte to get entirely distracted from proving his innocence. He focused on proving he was smart, rather than not guilty.

A particularly revealing instance came with Richard Evanchec who, as a member of New York Field Office’s Counterintelligence Squad 6 that focused on insider threats, was one of the lead FBI agents on the Schulte investigation.

On direct, Evanchec had described how, before August 2016, Schulte had only done three searches — ever — on WikiLeaks, but he did 39 searches between August 2016 and January 2017, when WikiLeaks announced Vault 7. (This exhibit is from Schulte’s first, 2020 trial; because the exchange below describes the August 16 search as the first one, I believe the one from his 2020 trial may not have included the Snowden search.)

Schulte started his cross on this topic by asserting that Evanchec had “made [a] grave mistake” in calculating Schulte’s Google searches.

[Reminder: these transcripts were paid for by Wau Holland foundation, which has close ties to WikiLeaks.]

Q. Additionally, sir, did you realize that you made the grave mistake in calculating the Google searches during this time period?

A. I don’t.

Q. You don’t recall that.

A. No.

[snip]

Q. Did you not realize, sir, that 80 percent of the searches you claim that I conducted for WikiLeaks were not actually searches at all?

A. I don’t know that, sir, again.

Q. Sir, are you familiar with the service Google offers called Google News?

A. I am not. I don’t use Google regularly or gmail regularly so I don’t know what that is.

Schulte then walked Evanchec through how a Google News search and a related page visit search show up differently in the logs, demonstrating the concept with some activity from early morning UTC time on August 17, 2016 on Schulte’s Google account.

Q. Did you know that Google makes a special log in its search history when you are using Google News?

A. I don’t. I am not aware of that.

[snip]

Q. OK. Entry no. 12954.

A. Your question, sir?

Q. Can you read just the date that this search is conducted?

A. Appears to be August 17 of 2016 at 2:45:07 UTC.

Q. Can you read what the search is?

A. Searched for pgoapi.exceptions.notloggedinexception. Then there is: (https://www.Google.com/?Q=pgoapi.exceptions.notloggedinexception).

Q. OK. And then the search after it, Google has it, produces it in the opposite direction so the one after that. Can you read that?

A. You are referring to line 12953?

Q. Yes. I’m sorry. Thank you.

A. Tease [sic] OK. Again August 17, 2016, 2:35:27 https://www.google.com/search?Q=WikiLeaks&TBM=NWS).

Schulte then got Evanchec to admit that the FBI agent didn’t consult with any FBI experts on Google before he did his chart of Google searches.

Q. So you basically, just as a novice, opened up this document and just based on no experience, you just picked out lines; correct?

A. No.

Q. No. You did more?

A. Yes. I queried for every time this history set searched for and then included the search terms. That’s what I culminated in my summary.

Q. OK, but you didn’t run that by any of the technical experts at the FBI, did you?

A. Not that I recall.

Q. And you said you didn’t reach out to Google or anyone with expertise, correct?

In his close, Schulte claimed that the exchange showed that all the Google searches he did between August 2016 and January 2017 were based off a Google news alert, and what drove the number of searches was the degree to which WikiLeaks was in the news because of the DNC hack-and-leak.

Mr. Lockard then brings up the Google searches for WikiLeaks, but of course, as Agent Evanchec testified, there were multiple news events that occurred in the summer of 2016. WikiLeaks dumped the Clinton emails. Really? Come on. Everyone was reading that news — Guccifer 2.0. The Shadow brokers released data, and even WikiLeaks claimed to have that code.

No doubt Schulte did demonstrate clearly to Evanchec that he didn’t look closely at the logs of these searches and that he — Schulte — knew more about Google searches than one of the agents who had led the investigation into him did.

He was the smartest guy in the room.

But in the particular search in question — one that would have been before midnight on August 16, 2016 on the East Coast — what Schulte appears to have shown is that among all the Google news alerts reporting on a flood of news about WikiLeaks, one of the only alerts that he clicked through was one reporting WikiLeaks’ claim to have a tie to ShadowBrokers.

WikiLeaks on Monday announced plans to release a collection of “cyber weapons” purportedly used by the National Security Agency following claims that hackers have breached a division of the NSA said to deal in electronic espionage.

“We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course,” WikiLeaks said through its official Twitter account Monday.

Individuals calling themselves the “Shadow Broker” claimed earlier in the week to have successfully compromised Equation Group — allegedly a hacking arm of the NSA — and offered to publicly release the pilfered contents in exchange for millions of dollars in bitcoins.

At a threshold level, Schulte’s gotcha doesn’t show what he claimed it did. It showed that among the flood of news about WikiLeaks — almost all focused on the DNC hack-and-leak — he clicked through on stories about an upcoming code release. “Everyone was reading that news — Guccifer 2.0,” Schulte said. But he wasn’t. He clicked on one Guccifer story. He was sifting past the Guccifer news and reading other stuff. Schulte caught Evanchec misreading the Google logs, but then went on to misrepresent the significance of what they showed, which is that amid a flood of news about the DNC hack-and-leak, he was mostly interested in other stuff.

More importantly, once you realize that Evanchec hadn’t looked closely at the logs of these Google searches, something about his first demonstrative — showing just these three searches before August 2016 — becomes evident.

July 29, 2010: Searched for “WikiLeaks”

  • Visited Wikileaks.org webiste [sic]

July 30, 2010: Searched for “WikiLeaks ‘Bastards’”

  • Visited website titled “WikiLeaks Plans to Post CIA Chiefs Hacked Emails” on The Hill

July 6, 2016: Searched for “WikiLeaks Clinton Emails”

  • Visited website titled “WikiLeaks Dismantling of DNC Is Clear Attack By Putin on Clinton” on The Observer

For at least two of these searches, the date in Evanchec’s demonstrative cannot reflect the actual date of the search.

The story, “WikiLeaks Dismantling of DNC Is Clear Attack By Putin on Clinton” — one of the first ones concluding from the DNC hack that Putin was involved — was not posted until July 25, 2016, yet Evanchec’s demonstrative says the search happened weeks earlier.

The story, “WikiLeaks Plans to Post CIA Chiefs Hacked Emails,” describing the Crackas With Attitude hacks of top intelligence community figures in advance of the 2016 operation, dates to October 21, 2015. Evanchec described Google records that say the search happened five years before the article was posted.

Neither of those searches could possibly have been done on the date in Evanchec’s demonstrative, which Schulte — in spite of his obsession with being the smartest guy in the room — undoubtedly knew but didn’t point out at trial.

Schulte got his gotcha. It didn’t help him secure acquittal (or even another hung jury). And it got me, at least, to look more closely at what it proves, which is that at least two of the manual searches Schulte did, searches that sought out very select stories, seemed to obscure the date of the search.
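The transcript exchange and the demonstrative above turn on two checks a practitioner would run over a search-history export before building a summary chart: a “Searched for” entry whose URL carries tbm=nws is a Google News tab search, not an ordinary web search, and a logged page visit cannot predate the publication of the page it points to. The following is an added example, not code from the original post or from any party to the trial. The rows in SAMPLE_LOG are constructed to mirror the quoted entries (including the transcript’s upper-case Q= and TBM= rendering), the hostnames in the visit URLs are placeholders, and the publication dates in PUBLISHED are the ones stated above.

```python
"""Classify Google search-history entries and flag visits that predate the page's publication.

Added example. The log rows are constructed; the article titles and publication
dates are the ones discussed in the post, the URLs are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Entry:
    ts: datetime
    action: str   # "search", "news_search" or "visit"
    text: str     # query string for searches, page title for visits
    url: str


def parse_entry(ts_str: str, description: str, url: str) -> Entry:
    """A 'Searched for' line is a web search unless its URL carries tbm=nws (the
    Google News tab); a 'Visited' line is a page visit. Query keys are lower-cased
    because the transcript renders them as Q= and TBM=."""
    ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if description.startswith("Searched for "):
        params = {k.lower(): v for k, v in parse_qs(urlparse(url).query).items()}
        is_news = params.get("tbm", [""])[0].lower() == "nws"
        return Entry(ts, "news_search" if is_news else "search",
                     description[len("Searched for "):], url)
    if description.startswith("Visited "):
        return Entry(ts, "visit", description[len("Visited "):], url)
    raise ValueError(f"unrecognized history entry: {description!r}")


def parse_log(rows):
    return [parse_entry(*row) for row in rows]


def count_by_action(entries, keyword=None):
    """Count entries per action type, optionally restricted to those whose query
    or title contains `keyword` (case-insensitive). This is the tally an agent
    would need before claiming 'N searches for X'."""
    counts = {"search": 0, "news_search": 0, "visit": 0}
    for e in entries:
        if keyword is None or keyword.lower() in e.text.lower():
            counts[e.action] += 1
    return counts


def impossible_visits(entries, published):
    """Return visits whose logged timestamp precedes the known publication date of
    the page they point to; such a timestamp cannot be the date of the visit."""
    return [e for e in entries
            if e.action == "visit"
            and e.text in published
            and e.ts < published[e.text]]


# Constructed rows modeled on the entries quoted in the post (hostnames are placeholders).
SAMPLE_LOG = [
    ("2010-07-30 00:00:00", "Searched for WikiLeaks 'Bastards'",
     "https://www.google.com/search?q=WikiLeaks+%27Bastards%27"),
    ("2010-07-30 00:00:05", "Visited WikiLeaks Plans to Post CIA Chiefs Hacked Emails",
     "https://news.example/hill-story"),
    ("2016-07-06 00:00:00", "Searched for WikiLeaks Clinton Emails",
     "https://www.google.com/search?q=WikiLeaks+Clinton+Emails"),
    ("2016-07-06 00:00:05", "Visited WikiLeaks Dismantling of DNC Is Clear Attack By Putin on Clinton",
     "https://news.example/observer-story"),
    ("2016-08-17 02:35:27", "Searched for WikiLeaks",
     "https://www.google.com/search?Q=WikiLeaks&TBM=NWS"),
    ("2016-08-17 02:45:07", "Searched for pgoapi.exceptions.notloggedinexception",
     "https://www.google.com/?Q=pgoapi.exceptions.notloggedinexception"),
]

# Publication dates as stated in the post.
PUBLISHED = {
    "WikiLeaks Plans to Post CIA Chiefs Hacked Emails":
        datetime(2015, 10, 21, tzinfo=timezone.utc),
    "WikiLeaks Dismantling of DNC Is Clear Attack By Putin on Clinton":
        datetime(2016, 7, 25, tzinfo=timezone.utc),
}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("all:", count_by_action(entries))
    print("wikileaks:", count_by_action(entries, "wikileaks"))
    for e in impossible_visits(entries, PUBLISHED):
        print(f"visit logged {e.ts:%Y-%m-%d} predates publication "
              f"{PUBLISHED[e.text]:%Y-%m-%d}: {e.text}")
```

Two points follow from running it on the constructed rows: the News-tab search is counted separately from web searches, so a summary that lumps them together overstates deliberate searching; and both demonstrative visits are flagged because their logged dates fall before the articles existed, which is the anomaly the post says went unexamined at trial.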

As I said, I’ve been meaning to post this ever since it happened at trial.

I’m revisiting it, though, because of something remarkable about Charles McGonigal’s sentencing memo. Unsurprisingly, his attorney, former Bill Barr flunkie Seth DuCharme, lays out a bunch of the important FBI investigations that McGonigal was a part of over his 22-year FBI career to describe what service he has done for US security: TWA Flight 800, the 1997 investigation into attempted subway bombers Gazi Ibrahim Abu Mezer and Lafi Khalil, the investigation into the 1998 bombings of US embassies in Africa, the 9/11 attack, the 2002 abduction of a Wooster County, OH girl, the Sandy Berger investigation, the RICO investigation of Huawei Technologies Co.

The government, in their own sentencing memo, includes a footnote suggesting that McGonigal is fluffing his role in at least one of these investigations.

The law enforcement and counterintelligence agents who reviewed McGonigal’s cited exploits noted that he often claims credit for operations in which his personal involvement was less significant than the operation itself. For example, in both his classified and unclassified submissions, McGonigal may describe a significant investigation where he—along with many other officials—was simply somewhere in a lengthy chain of command. (See PSR ¶ 82). Thus, to the extent this Court is inclined to parse McGonigal’s career achievements, the Government respectfully submits that it should limit its analysis to the specific actions that McGonigal personally took. See United States v. Canova, 412 F.3d 331, 358-59 (2d Cir. 2005) (Guidelines departure for exceptional public service warranted where defendant served as volunteer firefighter “sustaining injuries in the line of duty three times,” “entering a burning building to rescue a three-year-old,” “participated in the successful delivery of three babies,” and administered CPR to persons in distress both while volunteering as a firefighter and as a civilian).

One example where McGonigal claimed credit for being in a lengthy chain of command must be the Huawei investigation, one that Seth DuCharme would also have worked on in the period when he and McGonigal overlapped in NY, from 2016 until 2018. The 2020 press release that DuCharme links to about that investigation, from over a year after McGonigal retired, includes two paragraphs of recognition, including units far afield from counterintelligence.

But one investigation included in McGonigal’s sentencing memo where he did have more involvement is the original WikiLeaks Task Force.

Mr. McGonigal later led the FBI’s WikiLeaks Task Force investigating the release of over 200,000 classified documents to the WikiLeaks website—the largest in U.S. history—ultimately resulting in the 20-count conviction of Chelsea Manning for espionage and related charges.

Charles McGonigal did have a significant role in the first criminal investigation of WikiLeaks, one conducted five years before his retirement.

And that’s why it’s weird that McGonigal doesn’t describe that, in the 18 months before he retired, including in the period between May 2017, when he received a report describing Oleg Deripaska’s ties to GRU, and the period, starting in March 2018, when McGonigal first started interacting with Deripaska’s deputy, Yevgeny Fokin, whom McGonigal allegedly identified as a Russian intelligence officer and claimed to want to recruit, a unit McGonigal supervised solved a WikiLeaks compromise even more damaging and complex than Chelsea Manning’s had been four years before.

Charles McGonigal doesn’t claim credit for the arrest of Josh Schulte and charges filed, over two years after the compromise, for the Vault 7 attack, something in which his team had a more central role than in the Huawei case, something that was every bit as important to national security.

By that point, WikiLeaks had ties to Russia not just through Israel Shamir but also — at least through a shared lawyer — with Oleg Deripaska. That shared lawyer almost negotiated immunity for Assange in exchange for holding off on the Vault 7 leaks.

Now, I’m not at all suggesting that McGonigal was responsible for that fucked up Google analysis, which Schulte would mock five years later. There would have been several levels of management between McGonigal and that analysis. Evanchec simply didn’t look closely enough at the Google metadata, and so didn’t see that those searches were even more interesting than he understood.

But what McGonigal would have known, when he was meeting Deripaska personally in 2019, was that the FBI hadn’t discovered that Schulte had somehow obscured when he did his search on WikiLeaks’ role in embarrassing CIA Director John Brennan and Director of National Intelligence James Clapper in 2015, in advance of the 2016 election attack, and that he had likewise obscured the date when he searched on Putin’s role in the DNC hack-and-leak. The FBI didn’t even know that in 2022, by the second trial.

McGonigal may also have known what someone associated with WikiLeaks told me, in 2019, that the FBI had learned about Schulte: that he had somehow attempted to reach out to Russia.

To be clear: None of this is charged. There’s no evidence that McGonigal shared details he learned as NYFO’s counterintelligence head about the WikiLeaks investigation, to say nothing of NYFO’s investigation of oligarchs like Deripaska. McGonigal’s case has been treated as a public corruption case, not an espionage case. So it may be that SDNY has confidence that McGonigal didn’t do anything like that.

But this risk — the possibility that McGonigal could have shared investigative information with Deripaska — doesn’t show up in SDNY’s sentencing memo. SDNY makes no mention of how obscene it is that DuCharme wants his client to get probation when any witnesses implicated in the investigations McGonigal oversaw would never know whether he had shared that information with Deripaska.

That includes me: As I have written, in August 2018, the month before McGonigal retired, someone using one of the ProtonMail accounts Schulte and his cellmate used reached out to me. I have no idea why they did that. But I’d love to know. I’d also love to know whether McGonigal learned of it and shared it.

It makes sense that McGonigal doesn’t emphasize what SDNY did in their own sentencing memo: That McGonigal went from supervising investigations into Deripaska to working for him, allegedly knowing full well he had ties to Russian intelligence. But the tie between WikiLeaks and Deripaska is more obscure, and so he could have bragged that twice in his career he led substantial investigations into WikiLeaks. Schulte’s third trial, for Child Sexual Abuse Material, even happened after Judge Jennifer Rearden became a judge in October 2022.

McGonigal could have bragged that twice in his career, in 2014 and in 2018, teams he oversaw solved critical WikiLeaks compromises. He only claimed credit for the first of those.

Update: Corrected Fokin’s first name.

“That’s How … You End Up as a Defendant in a Court Room:” Some Days in the Life of a Named-and-Shamed Former GRU Hacker, Ivan Ermakov

In early 2018, Ivan [Y]Ermakov,* one of the hackers alleged to have stolen John Podesta’s emails two years earlier, was living it up.

For his April 10 birthday that year, he went on a stunning heli-ski trip with his future co-conspirator, Vladislav Klyushin (Ermakov is on the left in this picture, Klyushin, on the right and in the Featured Image picture).

In summer 2018, they were enjoying the Sochi World Cup together, too.

Just days after this trip to Sochi, however, on July 13, 2018, Robert Mueller would indict Ermakov, along with eleven of his former GRU colleagues, for hacking the DNC, DCCC, Hillary Clinton, election vendors, and registration websites, as well as orchestrating the release of the stolen files.

By the time of that first indictment against him — the first of three known indictments against the Russian hacker so far — Ermakov had already made one of the fatal slip-ups that would form part of the proof against Klyushin at trial, this time for a hack-and-trade scam. On May 9, 2018, Ermakov received three updates from his Apple iTunes account to the IP address 119.204.194.11. Just four minutes later, someone using that IP address downloaded an SEC filing using credentials stolen from a Donnelley Financial employee named Julie Soma. That download occurred hours before the report would be publicly filed with the SEC, one of dozens of such thefts of SEC filings that formed the basis of the hacking and securities fraud charges against the men.

So months before Mueller’s indictment alerted Ermakov that the FBI had discovered who he was and that they believed he was one of the hackers behind the 2016 hack, he had already left proof in US-based servers that would tie him to a follow-up crime, the hack-and-insider trading conspiracy for which Klyushin was convicted in February.
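The slip-up described above is a textbook log-correlation join: an event that is firmly attributed to a person (an app-store update delivered to an account he controls) and a suspect event (a download with stolen credentials) share a source IP within a few minutes. The following is an added example of that technique, not code from the original post or from the prosecution. Only the date and the IP address come from the trial testimony as reported here; the timestamps, account names, usernames and file paths are constructed placeholders.

```python
"""Correlate an attributed device log with a victim access log on (IP, time window).

Added example. Records are constructed; only the 2018-05-09 date and the IP
119.204.194.11 are taken from the post's description of the trial evidence.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Events that attribute an IP to a known account (constructed; modeled on app-store
# update deliveries). "attributed-account" is a placeholder, not a real account.
ATTRIBUTED_LOG = [
    {"ts": "2018-05-09 13:01:10", "ip": "119.204.194.11", "account": "attributed-account"},
    {"ts": "2018-05-09 13:01:12", "ip": "119.204.194.11", "account": "attributed-account"},
    {"ts": "2018-05-09 13:01:15", "ip": "119.204.194.11", "account": "attributed-account"},
    {"ts": "2018-05-09 20:15:00", "ip": "203.0.113.7",    "account": "attributed-account"},
]

# Victim-side access log (constructed; the username and paths are placeholders).
SUSPECT_LOG = [
    {"ts": "2018-05-09 13:05:30", "ip": "119.204.194.11", "user": "victim.employee",
     "path": "/filings/draft-10Q.pdf"},
    {"ts": "2018-05-09 22:40:00", "ip": "198.51.100.9",   "user": "victim.employee",
     "path": "/filings/draft-8K.pdf"},
]


def correlate(attributed, suspect, window_minutes=10, shared_ips=frozenset()):
    """For each suspect record, find the latest attributed event from the same IP
    that occurred at or before it and within `window_minutes`. IPs listed in
    `shared_ips` (carrier-grade NAT, VPN exits, corporate proxies) are skipped
    because a shared address cannot attribute activity to one person."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for rec in attributed:
        if rec["ip"] not in shared_ips:
            by_ip[rec["ip"]].append(parse_ts(rec["ts"]))

    hits = []
    for rec in suspect:
        if rec["ip"] in shared_ips:
            continue
        t = parse_ts(rec["ts"])
        candidates = [a for a in by_ip.get(rec["ip"], []) if timedelta(0) <= t - a <= window]
        if candidates:
            nearest = max(candidates)          # closest preceding attributed event
            hits.append({
                "ip": rec["ip"],
                "attributed_at": nearest,
                "suspect_at": t,
                "gap": t - nearest,
                "record": rec,
            })
    return hits


if __name__ == "__main__":
    for h in correlate(ATTRIBUTED_LOG, SUSPECT_LOG):
        print(f"{h['ip']}: attributed {h['attributed_at']:%H:%M:%S} -> "
              f"suspect {h['suspect_at']:%H:%M:%S} ({h['gap']} later) "
              f"{h['record']['user']} {h['record']['path']}")
```

On the constructed records this yields exactly one hit, the 13:05:30 download four minutes and fifteen seconds after the last attributed event from the same address; the second download comes from an IP with no attributed activity and is not matched. The window and the shared-IP exclusion are where such a correlation is strongest or weakest: a four-minute gap from a residential address is persuasive, the same gap behind a NAT serving thousands of subscribers is not.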

Klyushin has challenged the verdict, largely based on a technical challenge to the venue of the charges in Massachusetts.

Per trial testimony, Ermakov left those tell-tale forensic tracks four months before Klyushin would first get involved in the hack-and-trade scheme, in August 2018. The scheme was doomed from the start — at least, it would be doomed if any of the identified co-conspirators traveled to a jurisdiction that would extradite to the US, as Klyushin did in March 2021.

In fact, there’s something curious about that.

One thing submitted as evidence at trial was a picture of a May 22, 2017 Reuters article reporting the US sentence for Ukrainian hacker Vadym Iermolovych, one of ten people prosecuted for a hack-and-trade conspiracy similar to the one for which Klyushin was convicted.

According to the FBI agent who introduced the exhibit, the picture itself was taken in August 2018. Someone printed out the article and packaged it up in a plastic folder over a year after the fact. That suggests Klyushin was in discussion with a very well-connected friend about the possibility of such charges in the same month that Klyushin first got involved in the scheme.

The possibility of prosecution hung over the conspiracy from the start.

Thanks to Klyushin’s promiscuous storage of damning evidence in his iCloud account, from which many of the pictures and chats in this post were obtained by the FBI, the Klyushin case offers an unprecedented public glimpse into the effect that US indictments against nation-state hackers like Ermakov might have on one of the target’s lives. In Ermakov’s case, it didn’t stop him from hacking US targets. Indeed, it’s possible that others used the indictments to pressure Ermakov to use his hacking skills for them.

Since 2014, DOJ has been indicting nation-state hackers in what have always been assumed to be name-and-shame documents, indictments that would never lead to trial. Indeed, that’s what the two earlier indictments of Ermakov have always been assumed to be: a public accusation that would never lead to Ermakov’s imprisonment. The wisdom of indicting nation-state hackers has never been obvious. Yevgeniy Prigozhin’s exploitation of his own name-and-shame indictment has revealed the potential perils of the policy. And Russian denialists brush off the July 2018 indictment charging Ermakov and others with the election year hack (as Matt Taibbi did in his recent congressional testimony), arguing that since the indictment will never be tested at trial, it could be mere government propaganda.

At least in the case of the 2016 Russian operation, the indictment has done little to persuade denialists, who simply refuse to read about the many places where the hackers left evidence.

In a follow-up, I’ll show how DOJ proved their case against Klyushin using the same kind of evidence they used in the earlier indictments against Ermakov and his colleagues, largely metadata and content obtained from US-based and a few foreign servers. DOJ may never get a chance to prove the first two indictments against Ermakov, but using the same investigative techniques, they did prove the case against Ermakov’s co-conspirator, Klyushin.

This case, where a sealed complaint ultimately led to the trial of one co-conspirator of a hacker previously charged, also provides a glimpse of what happened after one nation-state hacker got name-and-shamed in the US.

It’s not clear from the trial record when Ermakov left the GRU or who his formal employer was before he joined Klyushin’s M-13, an information services company with ties to Putin’s office that offered, among its services, pen testing.

The FBI found a contact card for Igor Sladkov, with whom Ermakov may have started the hack-and-trade scheme at least as early as October 2017, in Ermakov’s own iCloud account, one of the only interesting pieces of evidence they found there. It was dated November 16, 2016, just over a week after Donald Trump got elected with Ermakov’s help. Sladkov — whose iCloud OpSec was just as shoddy as Klyushin’s — had a bunch of photos of Ermakov in his iCloud account, including the hacker’s passport, a 2016 picture of Ermakov sitting before an enormous plate of some animal flesh, and a picture from Ermakov’s 2018 ski trip, as well as a picture of Klyushin’s yacht that Ermakov had shared.

Before trial, Klyushin’s team argued that Ermakov never worked for Klyushin’s company, bolstering the claim with a chat from May 2019 in which Ermakov bitched about his job to Klyushin and a certificate from the Russian tax service claiming that [Y]Ermakov never worked at M-13.

But days after that chat, per another pre-trial filing, Ermakov spoke longingly of being able to travel like Klyushin could. Klyushin responded that he would get Ermakov new identity papers so the two could travel to Europe together, but not — Klyushin conceded — London or America. Klyushin seemingly used that discussion as background to press Ermakov to get back to work, with the implication being he should get back to the hack-and-trade scheme.

That is, Ermakov appears to have included Klyushin in the hack-and-trade scheme while still working for someone else. And Klyushin seems to have used his promise to help Ermakov mitigate the risks created by those earlier indictments to pressure Ermakov to keep hacking. If that’s right, the vulnerability created by the earlier indictments gave Klyushin leverage to get Ermakov to keep hacking.

But Ermakov did eventually join M-13, at least informally. The government introduced at trial an M-13 employee list reflecting Ermakov’s participation in a specific project. And they submitted a picture, from December 2019, showing Ermakov with an M-13 sticker, within days of the time when a staging server similar to the one used in the 2016 hack of the Democrats was set up.

Klyushin may have even incorporated Sladkov into M-13. The FBI found a proposal for a data analysis service, dated September 4, 2019, which M-13 would introduce on October 28, 2020, as well as encrypted communications from an M-13 chat application, in Sladkov’s iCloud account.

Klyushin fought hard to exclude one of the most telling pieces of evidence that the hacking scheme came to be tied to M-13 — the four Porsches that, Klyushin bragged to an investor, he had bought for himself, Ermakov, and one other co-conspirator with the proceeds of the insider trading.

But this currency — expensive gifts — seems to have been at least part of the way Ermakov was compensated for his role in the scheme.

Ermakov did not engage in any trading himself. Instead, two men in St. Petersburg, two associated with M-13 (including Klyushin himself), and three clients of M-13, profited off documents [Y]Ermakov seems to have stolen.

But in addition to the Porsche, on August 17, 2020, ten days before the delivery of the Porsches, Ermakov took possession of a Moscow house worth millions, the loan agreement for which Klyushin reportedly ripped up. Months earlier, Klyushin had tied paying for the house with continued hacking — which, Klyushin joked, amounted to just turning on the computer and thinking about making money.

Ermakov was effectively printing money for Klyushin, and his reward was that house.

In September 2020, the hack-and-trade scheme would be shut down for good.

Throughout the time it was going, however, those co-conspirators knew of the indictment against Ermakov. Sladkov downloaded Ermakov’s wanted poster from the FBI website on October 5, 2018, just a day after Ermakov was charged in the 2016 hack-and-leak of anti-doping agencies while Ermakov was still a GRU officer.

And on October 4, 2020, Klyushin took a screencap of Ermakov’s wanted poster from the FBI website.

By the time Klyushin took this screencap, the victim filing agencies had finally shut down Ermakov’s access to the site, after eight months of trying. Perhaps Klyushin was contemplating what that would mean or how it had happened? According to trial evidence, DOJ didn’t identify the hack-and-trade scheme by tracking what Ermakov was doing. Rather, the investigation started when the SEC started tracking some large-scale trading by a bunch of Russians together, then asked the filing agencies if they had been hacked. At least according to the public record, the involvement of Ermakov was disclosed only after working backwards from the forensic evidence. But in October 2020, Klyushin may have considered the risks of entering into a hack-and-trade scheme with a hacker whose habits were already known within the FBI.

By then it was too late. Indeed, Ermakov had already warned his boss about his shoddy OpSec. On July 18, 2019, Klyushin asked Ermakov and the other M-13 co-conspirator Nikolai Rumiantcev how the hack-and-trade was going. He included pictures of two of the M-13 investors. In response, Ermakov warned his boss that that kind of OpSec is the kind of thing that would land him as a defendant in a courtroom.

Q. Okay, thank you. And now can we move to 3980, please. And this date is?

A. This is July 18 of 2019.

Q. Would you begin with 3980.

A. “Vladislav Klyushin: So what did we earn today?”

Q. And then there’s an attachment?

A. Correct.

Q. And then he says what?

A. Ermakov responds: “About 350 and another 350 in the mind. Sasha the most among the rest.” Klyushin: “Our comrades are wondering.”

MR. FRANK: Could we stop right there, and I realize it’s hard, Ms. Lewis, because we’re in the Excel, but could you please display Exhibits 52 and Exhibit 50.

Q. Those are the attachments, Special Agent. Have you had an opportunity to review those?

A. Yes.

Q. Who’s depicted in Exhibits 52 and 50?

A. On the left, 52 is Sergey Uryadov. On the right is Boris Varshavksiy in Exhibit 50.

MR. FRANK: I offer 52 and 50. (Exhibits 50 and 52 received in evidence.)

Q. Okay. So those are the two attachments Mr. Klyushin has just transmitted in the chat?

A. Yes.

Q. Can we go back to the chat and pick up where we left off. So Mr. Klyushin says, “What did we earn today? Our comrades are wondering.” Could you continue, please, at 3987.

A. After sending those pictures we just looked at, Ermakov replies: “Vlad, you are exposing our organization. This is bad.” Nikolai Rumiantcev: “Vlad, stop sending to Threema.” Klyushin replies, “So sorry.” Ermakov: “And that’s how they get you and you end up as a defendant in a courtroom.”

Q. How does Mr. Klyushin respond?

A. Klyushin responds, “Removed. Open a chat with us already.” Ermakov: “Go ahead and create. It was a bad move now.” Klyushin: “Sorry. Did a dumb thing.” Rumiantcev: “I suggest to recreate the chat with the deletion of attachments in Threema, or switch to ours if ready.” Klyushin: “I will delete this one on my end.”

Klyushin did delete this chat. Rumiantcev left it in his iCloud account, where the FBI found it.

At the time, the men appear to have been shifting their trading discussions to the encrypted M-13 chat application found in all their iCloud accounts, finally taking measures to cover their tracks going forward, over eighteen months into the hack-and-trade conspiracy. Going forward, those working with Ermakov might not exhibit the kind of abysmal OpSec that produced abundant trial evidence against his co-conspirator. Maybe they learned their lesson, and they’ll be able to exploit Ermakov’s skill more safely going forward.

It remains to be seen whether the prosecution of Klyushin, with his ties to even higher-ranking Russians, does more than hold him accountable for millions in fraudulent trades. But that may have little effect on the life of John Podesta’s suspected hacker.

* The government has used two different transliterations for [Y]Ermakov’s last name. In 2018, they used the one that aids in pronunciation. In 2021, they used the direct transliteration from the Cyrillic. Because evidence submitted at Klyushin’s trial uses the initials “IE” to refer to Ermakov, I’ll adopt that spelling here.

The Collective Response to Russia’s Ukraine Invasion

Yesterday, the government rolled out two hacking indictments from last year as part of its effort to use legal documents to expose Russian spying operations. While the indictments are important speaking documents, I realized from the response that the subset of journalists who focus primarily on cybersecurity were unaware that this effort was part of a larger effort to demonstrate Russia’s spying that DOJ (and, surely, other agencies of the IC) have been pursuing since the Russian invasion.

So I wanted to start collecting all instances here as a way to see the entire package of what DOJ is doing. I’ll try to keep this up-to-date.

February 22, 2022: Treasury sanctions Russian banks

Individual targets include Denis Aleksandrovich Bortnikov, Petr Mikhailovich Fradkov, Vladimir Sergeevich Kiriyenko.

(press release)

February 24, 2022: Treasury sanctions Russian banks

Targets include Sberbank, VTB, Gazprom, Rostelecom, Alfa Bank, Sergei Sergeevich Ivanov, Andrey Patrushev, Ivan Sechin (the latter sons of key oligarchs).

(press release)

February 25, 2022: Treasury sanctions Putin and Sergei Lavrov

(press release)

February 28, 2022: Treasury sanctions Kirill Dmitriev

Targets include Dmitriev and RDIF.

(press release)

US expels 12 Russian diplomats at UN.

March 3, 2022: Treasury sanctions key Putin cronies

Targets include Alisher Burhanovich Usmanov, Nikolay Petrovich Tokarev, Yevgeniy Prigozhin and their families.

(press release)

March 3, 2022: US v. Jack Hanick

November 4, 2021 sealed indictment against a former Fox employee who helped sanctioned oligarch Konstantin Malofeyev set up some media outlets to push Russian propaganda. Hanick was arrested in the UK on February 3, 2022 and is being extradited. (press release; my post)

SDNY 21-cr-676

March 7, 2022: US v. Elena Branson

March 7, 2022 complaint against the one-time chair of the Russian Community Council of the USA. Branson attempted to set up meetings with Trump. (press release; my post)

SDNY 22-mj-2178

March 11, 2022: Treasury sanctions Oligarchs

Targets include Dmitri Peskov and his family, Viktor Feliksovich Vekselberg, and the VTB board.

(press release)

March 14, 2022: US v. Andrey Muraviev

September 17, 2020 indictment against the funder for Lev Parnas’ cannabis donations, Andrey Muraviev. The S2 indictment is otherwise identical to the S1 indictment obtained the same day, though with Muraviev identified. (press release; my post)

SDNY 19-cr-725

March 17, 2022: Treasury creates task force to target Oligarchs

(press release)

March 18, 2022: Baltic states expel diplomats

Baltic states expel 10 diplomats.

March 24, 2022: Treasury sanctions targeting industrial base

Sanctions targeting military industrial complex, Duma members, Herman Oskarovich Gref.

(press release)

March 24, 2022: US v. Evgeny Viktorovich Gladkikh

June 29, 2021 indictment against Evgeny Gladkikh for Triton hacking operations targeting refineries and other energy facilities.

(press release)

DC 21-cr-442

March 24, 2022: US v. Pavel Aleksandrovich Akulov

August 26, 2021 indictment against three FSB officers working as part of the Dragonfly or Berserk Bear hacking group for targeting ICS.

(press release)

KS 21-cr-20047

March 29, 2022: Europeans expel diplomats

Ireland expels 4 “diplomats.”

Lithuania expels

March 31, 2022: Treasury focuses on sanctions-evasion network

Treasury adds sanctions against companies used to evade sanctions, four key Russian tech companies, and the leadership of the organization for which Gladkikh works, TsNIIKhM: its General Director, Sergei Alekseevich Bobkov, and its Deputy General Director, Konstantin Vasilyevich Malevanyy.

April 4, 2022: FBI and Spanish authorities freeze Viktor Vekselberg’s yacht, Tango

FBI and Spanish authorities freeze Viktor Vekselberg’s yacht, Tango, for sanction violations and money laundering efforts to evade those sanctions.

Also Germany expels 40 “diplomats” and France expels 35.

April 5: Dmitry Pavlov and Hydra Market

DOJ charged Dmitry Pavlov and, with German assistance, shut down the Hydra Market, to which he leased a server.

(press release)

April 6: Semion Mogilevich, Konstantin Malofeyev, additional sanctions on Sberbank, Alfa Bank, and Putin, Medvedev, and Lavrov's families, Cyclops Blink

Department of State offers a $5 million reward for information leading to Semion Mogilevich’s arrest.

FBI wanted poster

DOJ charged Konstantin Malofeyev with charges mirroring those against Jack Hanick.

(press release)

The White House added sanctions on Sberbank and Alfa Bank, added new restrictions on US investments in Russia, and added family members of Putin, Medvedev, and Lavrov.

(press release)

DOJ rolled out the shut-down, in March, of the Cyclops Blink botnet run by Sandworm.

March 18 warrant

March 23 warrant

(press release)

April 14: Aleksandr Mikhaylovich Babakov

(press release)

Indictment

April 20: Malofeyev’s network

Treasury sanctions Malofeyev’s family, sanctions-evasion, and influence networks

(press release)

April 26: Sandworm

State offers a $10 million reward for information on six GRU hackers involved in the Sandworm NotPetya attack.

(press release)

May 5: Pursuant to a US warrant, Fiji seizes Oligarch Suleiman Kerimov’s yacht

Fiji seized the $300 million yacht pursuant to a US warrant.

(press release)

September 30: Treasury sanctions a ton of Duma and Federation members

These sanctions were prepared as a response to Russia’s claim to have annexed additional parts of Ukraine.

Poor Donald Trump Got Dumped

h/t rocksunderwater (public domain)

Poor Donald Trump.

He’s been having a terrible, horrible, no good, very bad day, every day for about the last six weeks. He lost the election, then in his battle to overturn things in court he lost and lost and lost and lost some more, each time more bigly than the last. But the worst day, the most terrible horrible no good very bad day of them all, had to be last Sunday, when the Russian electronic spying operation that used SolarWinds software to hack into highly sensitive government and corporate networks became public.

There has been a lot written about the potential damage of the SolarWinds mess, both in terms of national security and corporate secrets, most of which is speculation. But there is one bit of enormous damage that is obvious, not at all speculative, but is getting no attention at all from anyone.

Along with the rest of the world, Donald Trump just learned that he got dumped by Vladimir Putin.

We almost made it up where they are
But losing your love
Brought me down hard
Now I’m just hanging, just getting by
Where expectations aren’t that high, but

Here on cloud 8
A lotta nothing’s going on
I’m just drifting day to day
Out here on my own
While up on cloud 9
I hear ’em party all the time
They don’t hear my heart break
Down here on cloud 8

Poor Donald. He just learned that Putin has been doing stuff behind his back, all while Putin has been telling him that he’s Putin’s BFF. It’s been almost a week, and poor Donald still can’t come to grips with it.

He’s tweeted about getting the COVID-19 vaccines out (“Yay Me!”) He’s tweeted about the “fact” that he actually won the election and condemned everyone who has failed to have his back (Brian Kemp, he’s looking at you). He’s tweeted about bizarre public health theories (“masks and lockdowns don’t work!”). He’s tweeted about vetoing the defense bill in order to defend 19th century traitors. He’s tweeted about Senator-to-be Tommy Tuberville, on whom he’s pinning his hopes of overturning the election when the electoral college vote gets to Congress. He’s tweeted against Mitch McConnell for arguing against this. But despite this flood of tweets, the one thing he can’t bear to tweet about is being dumped.

And it’s not just that he got dumped. It’s that Putin cheated on him.

He cheated on Trump for months, privately whispering sweet nothings in his ear in their special phone calls, while working behind Trump’s back. Worst of all, in Trump’s mind the hack tells Trump that Putin believed that Trump would lose, and Putin needed to take advantage of Trump’s blindness while he could.

And it’s not just that Putin cheated on him and didn’t believe in him. It’s that everyone knows that Putin cheated on him

Angela Merkel knows. Boris Johnson knows. Emmanuel Macron knows. Justin Trudeau knows. Xi Jinping knows. Kim Jong Un knows. Jacinda Ardern knows. Even Andrés Manuel López Obrador knows about it, and Trump is sure that everyone in Mexico is laughing at him. Even the nobodies who rule those shithole countries know, and they’re laughing too. Putin made him look like a fool in front of everyone in the whole cafeteria world, and they’re all laughing at him.

And it’s not just that Putin made him look like a fool. It’s that there’s not a damn thing that Trump can do about it.

Everyone knows that Trump has been played, bigly. Trump can’t run a PR operation to deflect things. He can’t deny that it ever happened. He can’t say that he dumped Putin and not the other way around. He can’t pretend it doesn’t hurt. And he can’t keep everyone in the whole damn world from talking about it, and from laughing about him behind his back.

While up on cloud 9
I hear ’em party all the time
They don’t hear my heart break
Down here on cloud 8
They don’t hear my heart break
Down here on cloud 8

And before you think this is all a good laugh, and that Trump got what’s been coming to him, I’ve got two words for you: John Hinckley. Something tells me that Trump does not take well to being dumped, being cheated on, and being held up before the world as a fool.

And that scares me.

“These Actions Have Targeted Not Only against Russia, But Also Against the President Elect”

Given the news that Donald Trump is considering pardoning Edward Snowden, there has been a lot of discussion about why Trump would do this.

It’s actually not a deviation from past actions. Just seven days after the election, Trump’s rat-fucker started working on a pardon for Julian Assange, something that Trump offered a very circumscribed answer to Mueller about. He continued to entertain such proposals, and even ordered then CIA Director Mike Pompeo to consider a theory purporting to undermine the Russian attribution of the hack, one understood to be tied to an Assange pardon.

And on March 15, 2017, Trump shared information with Tucker Carlson that would have tipped off Joshua Schulte that the FBI considered him the culprit behind the Vault 7 leaks. While Trump shared that information hours before the FBI searched Schulte’s residence and seized his passports (including a diplomatic passport he never returned to CIA), there’s no evidence that information was made public before the FBI confronted Schulte that night. Had it, though, Trump’s comments might have led Schulte to accelerate a trip to Mexico he already had scheduled. John Solomon would even go on to blame Jim Comey for not pardoning Assange in advance of the Vault 7 releases.

So Trump has repeatedly undermined the prosecution of people who released large amounts of intelligence community secrets. Snowden would just be part of a pattern.

There’s some complaint that Trump opponents — including Adam Schiff — have suggested Trump would do this (dramatically altering his prior stance) because of Putin.

In fact, Russia has deliberately encouraged Trump to believe Russia and Trump were on the same side, opposed to the US intelligence community, since weeks before he was even inaugurated.

When, on December 31, 2016, Sergey Kislyak called Mike Flynn to tell him that his intervention to undermine sanctions on Russia for interfering in the 2016 election had succeeded in persuading Putin to take no action, Kislyak told Flynn that Russia considered the sanctions — for a hostile attack on this country!!! — to be an attack targeting not just Russia, but Trump himself.

KISLYAK: Uh, you know I have a small message to pass to you from Moscow and uh, probably you have heard about the decision taken by Moscow about action and counter-action.

FLYNN: yeah, yeah well I appreciate it, you know, on our phone call the other day, you know, I, I, appreciate the steps that uh your president has taken. I think that it is was wise.

KISLYAK: I, I just wanted to tell you that our conversation was also taken into account in Moscow and …

FLYNN: Good

KISLYAK: Your proposal that we need to act with cold heads~ uh, is exactly what is uh, invested in the decision.

FLYNN: Good

KISLYAK: And I just wanted to tell you that we found that these actions have targeted not only against Russia, but also against the president elect.

FLYNN: yeah, yeah.

“Yeah, yeah,” Trump’s weak-kneed National Security Advisor with 30 years intelligence experience said in reply.

We don’t need to speculate about whether Russia has encouraged Trump to view Russia as an ally against a hostile American Intelligence Community. We have proof. And even Mike Flynn, with a victim complex only a fraction as Yuge as Trump’s own, simply nodded along.

I mean, if Trump does pardon Snowden, by all means he should accept it — it likely would save his life.

But if you believe Trump is considering this out of any belief in whistleblowing or transparency — or even opposition to the surveillance that has ratcheted up and gotten less accountable under his Administration — you’re simply deceiving yourself.

And, yes, there is concrete evidence that Russia has cultivated Trump’s antagonism against the IC, well before Trump’s own actions led the FBI to investigate him personally, so much that he might pardon Snowden to harm them.

George Papadopoulos Tied the Utility of Russian Dirt to the Campaign’s Plan to Use Dirt to Win

Judicial Watch has once again liberated documents from DOJ that undermine their narrative about the Russian investigation (and, in this case, provides yet another reason to question the fidelity of the DOJ IG Report on Carter Page).

The DOJ IG Report provides a description of the tip Australia provided to State, which got passed on to the FBI. The most complete description of that (pages 51 to 52) introduces a block quote describing the tip by explaining the Australian tip “stated, in part, that Papadopoulos”

suggested the Trump team had received some kind of suggestion from Russia that it could assist this process with the anonymous release of information during the campaign that would be damaging to Mrs. Clinton (and President Obama). It was unclear whether he or the Russians were referring to material acquired publicly of [sic] through other means. It was also unclear how Mr. Trump’s team reacted to the offer. We note the Trump team’s reaction could, in the end, have little bearing of what Russia decides to do, with or without Mr. Trump’s cooperation.

The IG Report never quotes what the other part of the memo is, but it does quote a long excerpt from a Bill Priestap transcript describing that Papadopoulos expressed confidence (in April!) that Trump would win, in part because of how much dirt the campaign had on Hillary.

In fact, the information we received indicated that Papadopoulos told the [FFG] he felt confident Mr. Trump would win the election, and Papadopoulos commented that the Clintons had a lot of baggage and that the Trump team had plenty of material to use in its campaign.

Priestap understood that the campaign planned to win by using the dirt it had on Hillary Clinton.

Judicial Watch just liberated the FBI document memorializing the tip. It too redacts that other part of what Australia passed on (bizarrely, under source and law enforcement exemptions, not privacy, which seem like easily challenged exemptions).

But laid out like this (particularly given the length of the redaction as compared to Priestap’s description), it makes the context more clear.

Papadopoulos said Trump would win because they had dirt on Hillary and then suggested Russia could “assist this process” — that is, using dirt to win the election — by anonymously releasing information damaging to Hillary.

The “this process” hidden behind the redaction is “using dirt to win the election.” Nothing else in the tip could serve as the antecedent, because that description does not and could not appear anywhere else.

It is, perhaps, a subtle thing. But in context as the FBI received it, Papadopoulos tied Russia anonymously dropping dirt on Hillary to the centrality of dirt on Hillary in the Trump campaign’s plan to win. It is true that the tip does not describe Papadopoulos confirming that the campaign would use the Russian dirt or had entered into a relationship to do so.

But particularly given the way Roger Stone claimed WikiLeaks was going to release Clinton Foundation documents while he was boasting of ties to WikiLeaks — that is, the dirt Trump had treated as the Holy Grail all along — the way Papadopoulos tied anonymously released damaging information from Russia to the utility of using dirt to win the election explains the FBI reaction.

Papadopoulos didn’t just raise Russia offering dirt to help win. He raised it in the context of the Trump plan to win by using dirt.

The Kinds and Significance of Russian Interference — 2016 and 2020

Trump’s meltdown last week — in which he purged top staffers at the Director of National Intelligence after a briefing on Russian interference in the 2020 election, followed by National Security Advisor Robert O’Brien making shit up on Meet the Press — has created a firestorm about Russian interference in the 2020 election. That firestorm, however, has spun free of what ways Russia interfered in 2016 and what effect it had.

Five ways Russia interfered in 2016

First, remember that there were at least five ways Russia interfered in 2016:

  • Stealing information then releasing it in a way that treats it as dirt
  • Creating on-going security challenges for Hillary
  • Using trolls to magnify divisions and feed disinformation
  • Tampering with the voting infrastructure
  • Influence peddling and/or attempting to recruit Trump aides for policy benefits

Stealing information then releasing it in a way that treats it as dirt

The most obvious way Russia interfered in 2016 was by hacking the DNC, DCCC, and John Podesta (it also hacked some Republicans it did not like). It released both the DNC and Podesta data in such a way as to exaggerate any derogatory information in the releases, successfully distracting the press for much of the campaign and focusing attention on Hillary rather than Trump. It released DCCC information that was of some use for Republican candidates.

Roger Stone took steps — not all of which are public yet — to optimize this effort. In the wake of Stone’s efforts, he moved to pay off one participant in this effort by trying to get a pardon for Julian Assange.

Creating on-going security challenges for Hillary

In addition to creating a messaging problem, the hack-and-leak campaign created ongoing security challenges for Hillary. Someone who played a key role in InfoSec on the campaign has described the Russian effort as a series of waves of attacks. The GRU indictment describes one of those waves — the efforts to hack Hillary’s personal server — which came in seeming response to Trump’s “Russia are you listening” comment. An attack that is often forgotten, and from a data perspective was likely one of the most dangerous, involved a month-long effort to obtain Hillary’s analytics from the campaign’s AWS server.

Whatever happened with this data, the persistence of these attacks created additional problems for Hillary, as her staff had to spend time playing whack-a-mole with Russian hackers rather than optimizing their campaign efforts.

Using trolls to magnify divisions and feed disinformation

Putin’s “chef,” Yevgeniy Prigozhin, also had staffers from his troll factory in St. Petersburg shift an ongoing campaign that attempted to sow division in the US to adopt a specific campaign focus, pushing Trump and attacking Hillary. Importantly, Prigozhin’s US-based troll effort was part of a larger multinational effort. And it was in no way the only disinformation and trolling entity involved in the election. Both parties did some of this, other countries did some, and mercenaries trying to exploit social media algorithms for profit did some as well.

Tampering with the voting infrastructure

Russia also tampered with US voting infrastructure. In 2016, this consisted of probing most states and accessing voter rolls in at least two, though there’s no evidence that Russian hackers made any changes. In addition, Russian hackers targeted a vendor that provided polling books, with uncertain results. The most substantive evidence of possible success affecting the vote in 2016 involved failures of polling books in Durham County, NC, which created a real slowdown in voting in one of the state’s most Democratic areas.

In recent days, there have been reports of a ransomware attack hitting Palm Beach County in September 2016, but it is unclear whether this was part of the Russian effort.

Because there’s no certainty whether the Russian hack of VR Systems was behind the Durham County problems, there’s no proof that any of these efforts affected the outcome. But they point to the easiest way to use hacking to do so: by making it harder for voters in particular areas to vote and harder for specific localities to count the vote.

Some of what Russia did in 2016 — such as probes of a particularly conservative county in FL — may have been part of Russia’s effort to discredit the outcome. They didn’t fully deploy this effort because Trump won.

Influence peddling and/or attempting to recruit Trump aides for policy benefits

Finally, Russia accompanied its other efforts with various kinds of influence peddling targeting Trump’s aides. It was not the only country that did so: Saudi Arabia, Egypt, Turkey, UAE, and Israel were some of the others. Foreign countries were similarly trying to target Hillary’s campaign — and the UAE effort, at least, targeted both campaigns at once, through George Nader.

Importantly, however, these efforts intersected with Russia’s other efforts to interfere in the election in ways that tied specific policy outcomes to Russia’s interference:

  • An unrealistically lucrative Trump Tower deal involved a former GRU officer and sanctioned banks
  • At a meeting convened to offer Trump dirt about Hillary, Don Jr agreed in principle to revisit ending Magnitsky sanctions if Trump won
  • George Papadopoulos pitched ending sanctions to Joseph Mifsud, who had alerted him that Russia had emails they intended to drop to help Trump
  • Paul Manafort had a meeting that tied winning the Rust Belt, carving up Ukraine, and getting paid personally together; the meeting took place against the background of sharing internal polling data throughout the campaign

As I’ll note in a follow-up, information coming out in FOIAed 302s makes it clear that Mike Flynn’s effort to undercut Obama’s December 2016 sanctions was more systematic than the Mueller Report concludes. So not only did Russia make it clear it wanted sanctions relief, Trump moved to give it to them even before he took office (and his Administration found a way to exempt Oleg Deripaska from some of these sanctions).

Manafort continued to pursue efforts to carve up Ukraine until he went to jail. In addition, Trump continues to take actions that undercut Ukraine’s efforts to fight Russia and corruption. Neither of these have been tied to a specific quid pro quo (though the investigation into Manafort’s actions, especially, remained inconclusive at the time of the Mueller Report).

So while none of these was charged as a quid pro quo or a conspiracy (and the reasons why they weren’t vary; Manafort lied about what he was doing, and why, whereas Mueller couldn’t prove Don Jr had the mens rea of entering into a quid pro quo), Russia tied certain policy outcomes to its interference.

Trump’s narcissism and legal exposure exacerbated the effects

The Russian attack was more effective than it otherwise would have been for two reasons. First, because he’s a narcissist and because Russia built in plausible deniability, Trump refused to admit that Russia did try to help him. Indeed, he clings more and more to Russian disinformation about what happened, leading the IC to refuse to brief him on the threat, leading to last week’s meltdown.

In addition, rather than let the FBI investigate the people who had entered into discussions of a quid pro quo, Trump obstructed the investigation. Trump has spent years now attacking the rule of law and the institutions of government rather than admit what DOJ IG found (there was reason to open the investigation) or what DOJ found (there was reason to prosecute six of his aides for lying about what happened).

The Russian effort was just one of the reasons Hillary lost

It’s also important to remember that Russia’s interference was just one of the many things that contributed to Hillary’s loss.

Other aspects were probably more important. For example, Republican voter suppression, particularly in Wisconsin and North Carolina, was far more important than any effect the VR Systems hack may have had in Durham County. Jim Comey’s public statements about the email investigation had at least as much effect as the Russian hack-and-leak campaign did on press focus. Hillary made some boneheaded choices — like barely campaigning in WI and MI; while I had worried that she made those choices because Russia tampered with her analytics (with the AWS hack), that doesn’t seem to have happened. Disinformation sent by the Trump campaign and associates was more significant than Russian disinformation. It didn’t help that the Obama Administration announced a sharp spike in ObamaCare prices right before the election.

The response matters

As noted, Trump’s narcissism dramatically increased the effect of the Russian efforts in 2016, because he has always refused to admit it happened.

Compare that to Bernie’s response to learning that Russia was trying to help his campaign, which accepted that it was happening and rejected the help.

“I don’t care, frankly, who [Russian President Vladimir] Putin wants to be president,” Sanders said in a statement. “My message to Putin is clear: Stay out of American elections, and as president I will make sure that you do.

“In 2016, Russia used Internet propaganda to sow division in our country, and my understanding is that they are doing it again in 2020. Some of the ugly stuff on the Internet attributed to our campaign may well not be coming from real supporters.”

This was not perfect — Bernie could have revealed this briefing himself weeks ago, Bernie blamed the WaPo for reporting it when it seems like the story was seeded by O’Brien. But it was very good, in that it highlighted the point of Russian interference — sowing divisions — and it reaffirmed the import of Americans selecting who wins. Plus, contrary to Trump, there’s no reason to believe Bernie would pursue policies that specifically advantaged Russia.

Other factors remain more important than Russian interference

There’s very serious reason to be concerned that Russia will hack the outcome of 2020. After all, it would need only to affect the outcome in a small number of precincts to tip the result, and the prospect of power outages or ransomware doing so at the last minute has grown since 2016.

That said, as with 2016, there are far more urgent concerns, and those concerns are entirely American.

Republicans continue to seek out new ways to suppress the vote, including by throwing large swaths of voters off the rolls without adequate vetting. There are real concerns about voting machines, particularly in Georgia (and there are credible concerns about the reliability of GA’s tally in past elections). Republicans have continued to make polling locations less accessible in Democratic precincts than in Republican ones.

Facebook refuses to police the accuracy of political ads, and Trump has flooded Facebook with disinformation.

And Bloomberg’s efforts this year — which include a good deal of trolling and disinformation — are unprecedented in recent memory. His ad spending has undercut the ability to weigh candidates. And his personnel spending is increasing the costs for other candidates.

Russian efforts to sway the vote are real. Denying them — as some of Bernie’s supporters are doing in ways that hurt the candidate — does not help. But, assuming DHS continues to work with localities to ensure the integrity of voting infrastructure, neither does overplaying them. Between now and November there’s far more reason to be concerned about American-funded disinformation and American money distorting our democratic process.

Cloud Computing and the Single Server

[NB: Check the byline, thanks. /~Rayne]

I’ve been meaning to write about this for a while. Push came to shove with Marcy’s post this past week on Roger Stone and the Russian hack of the DNC’s emails as well as her post on Rick Gates’ status update which intersects with Roger Stone’s case.

First, an abbreviated primer about cloud computing. You’ve likely heard the term before even if you’re not an information technology professional because many of the services you use on the internet rely on cloud computing.

Blogging, for example, wouldn’t have taken off and become popular if it weren’t for the concept of software and content storage hosted somewhere in a data center. The first blogging application I used required users to download the application and then transfer their blogpost using FTP (file transfer protocol) to a server. What a nuisance. Once platforms like Blogger provided a user application accessible by a browser as well as the blog application and hosting on a remote server, blogging exploded. This is just one example of cloud computing made commonplace.

Email is another example of cloud computing you probably don’t even think about, though some users still do use a local email client application like Microsoft’s proprietary application Outlook or Mozilla’s open source application Thunderbird. Even these client applications at a user’s fingertips rely on files received, sent, managed, and stored by software in a data center.

I won’t get into more technical terms like network attached storage or storage area network or other more challenging topics like virtualization. What the average American needs to know is that a lot of the computing they come in contact with every day isn’t done on desktop or laptop computers, or even on servers located in a small business’s office.

A massive amount of computing and the related storage operates and resides in the cloud — a cutesy name for a remotely located data center.

This is a data center:

Located in Council Bluffs, Iowa, this is one of Google’s many data centers. In this photo you can see racks of servers and all the infrastructure supporting the servers, though some of it isn’t readily visible to the untrained eye.

This is another data center:

This is an Amazon data center, possibly one supporting Amazon Web Services (AWS), one of the biggest cloud service providers. Many of the sites you visit on the internet every day purchase their hosting and other services from AWS. Some companies ‘rent’ hosting space for their email service from AWS.

Here’s a snapshot of a technician working in a Google data center:

Beneath those white tiles making up the ‘floor’ are miles and miles of network cables and wiring for power as well as ventilation systems. More cables, wires, and ventilation run overhead.

Note the red bubble I’ve added to the photo: that’s a single blade-type server inserted into a rack. It’s hard to say how much computing power and storage that one blade might have had on it because that information would have been (and remains) proprietary, built to the operator’s own specifications, which change with technology’s improvements.

These blades are swapped out on a regular maintenance cycle, too, their load shifted to other blades as they are taken down and replaced with a new blade.

Now ask yourself which of these servers in this or some other data center might have hosted John Podesta’s emails, or those of 300 other people linked to the Clinton campaign and the Democratic Party targeted by Russia in the same March 2016 bulk phishing attack?

Not a single one of them — probably many of them.

And the data and applications may not stay in one server, one rack, one site alone. It could be spread all over depending on what’s most efficient and available at any time, and the architecture of failover redundancy.

~ ~ ~
Some enterprises may not rely on software-as-a-service (SaaS), like email, hosted in a massive data center cloud. They might instead operate their own email server farm. Depending on the size of the organization, this can be a server that looks not unlike a desktop computer, or it can be a server farm in a small data center.

(The Fortune 100 company for which I once worked had multiple data centers located globally, as well as smaller server clusters located on site for specialized needs, e.g. a cluster collecting real-time telemetry from customers. Their very specific needs as well as the realistic possibility that smaller businesses could be spun off required more flexibility than purchasing hosted services could provide at the time.)

And some enterprises may rely on a mix of cloud-based SaaS and self-maintained and -hosted applications.

In 2016 the DNC used Microsoft Exchange Server software for its email across different servers. Like the much larger Google-hosted Gmail service, users accessed their mail through browsers or client applications on their devices. The diagrams reflecting these two different email systems aren’t very different.

This is a representation of Google’s Gmail:

[source: MakeInJava(.)com]

This is a representation of Microsoft Exchange Server:

Users, through client/browser applications, access their email on a remote server via the internet. Same-same in general terms, except for scale and location.

If you’ve been following along with the Trump-Russia investigation, you know that there’s been considerable whining on the part of the pro-Trump faction about the DNC’s email server. They question why a victim of a hack would not have turned over their server to the FBI for forensic investigation and instead went to a well-known cybersecurity firm, CrowdStrike, to stop the hack, remove whatever invasive tools had been used, and determine the entity/ies behind the hack.

A number of articles have been written explaining the hacking scenario and laying out a timeline. A couple pieces in particular noted that turning over the server to the FBI would have been disruptive — see Kevin Poulsen in The Daily Beast last July, quoting former FBI cybercrime agent James Harris:

“In most cases you don’t even ask, you just assume you’re going to make forensic copies…For example when the Google breach happened back in 2009, agents were sent out with express instructions that you image what they allow you to image, because they’re the victim, you don’t have a search warrant, and you don’t want to disrupt their business.”

Poulsen also quantified the affected computing equipment as “140 servers, most of them cloud-based” meaning some email and other communications services may have been hosted outside the DNC’s site. It would make sense to use contracted cloud computing based on the ability to serve widespread locations and scale up as the election season crunched on.

But what’s disturbing about the demands for the server — implying the DNC’s email was located on a single computer within DNC’s physical control — is not just ignorance about cloud computing and how it works.

It’s that demands for the DNC to turn over their single server went all the way to the top of the Republican Party when Trump himself complained — from Helsinki, under Putin’s watchful eye — about the DNC’s server:

“You have groups that are wondering why the FBI never took the server. Why didn’t they take the server? Where is the server, I want to know, and what is the server saying?”

And the rest of the right-wing Trumpist ecosphere picked up the refrain and maintains it to this day.

Except none of them are demanding Google turn over the original Gmail servers through which John Podesta was hacked and hundreds of contacts phished.

And none of the demands are expressly about AWS servers used to host some of DNC’s email, communications, and data.

The demands are focused on some indeterminate yet singular server belonging to or used by the DNC.

~ ~ ~
The DNC had to shut down their affected equipment and remove it from their network in order to clean out the intrusion; some of their equipment had to be stripped down to “bare metal,” meaning all software and data on affected systems were removed before they were rebuilt or replaced. 180 desktops and laptops had to be replaced — a measure which in enterprise settings is highly disruptive.

Imagine, too, how sensitive DNC staff were going forward about sharing materials freely within their organization, not knowing whether someone might slip and fall prey to spearphishing. There must have been communications and impromptu retraining about information security after the hack was discovered and the network remediated.

All of this done smack in the middle of the 2016 election season — the most important days of the entire four-year-long election cycle — leading into the Democratic Party’s convention.

(This remediation still wasn’t enough because the Russians remained in the machines into October 2016.)

If the right-wing monkey horde cares only about the DNC’s “the server” and not the Google Gmail servers accessed in March 2016 or the AWS servers accessed April through October 2016, this should tell you their true aim: It’s to disrupt and shut down the DNC again.

The interference with the 2016 election wasn’t just Russian-aided disinformation attacking Hillary Clinton and allies, or Russian hacks stealing emails and other files in order to leak them through Wikileaks.

The interference included forcing the DNC to shut down and/or reroute parts of its operation:

(excerpt, p. 22, DNC lawsuit against Russian Federation, GRU, et al)

And the attack continues unabated, going into the 2020 general election season as long as the right-wing Trumpists continue to demand the DNC turn over the server.

There is no one server. The DNC shouldn’t slow or halt its operations to accommodate opponents’ and suspects’ bad faith.

~ ~ ~
As for Trump’s complaint from Helsinki: he knows diddly-squat about technology. It’s not surprising his comments reflected this.

But he made these comments in Helsinki, after meeting with Putin. Was he repeating part of what he had been told, that Russia didn’t hack the server? Was he not only parroting Putin’s denial but attempting to obstruct justice by interfering in the investigation by insisting the server needed to be physically seized for forensic inspection?

~ ~ ~
With regard to Roger Stone’s claims about Crowdstrike, his complaints aren’t just a means to distract and redirect from his personal exposure. They provide another means to disrupt the DNC’s normal business going forward.

The demands are also a means to verify what exactly the Special Counsel’s Office and Crowdstrike found in order to determine what will be more effective next time.

The interference continues under our noses.

This is an open thread.

What if Julian Assange Flipped?

I’ve said this before, I’ll say it again: I hope to hell Chelsea Manning’s advisors are cognizant of the ways her attempts to avoid testifying against Julian Assange may put her in unforeseen legal jeopardy.

I’m thinking of that anew given my consideration of what I consider to be a distant, but real, possibility: that the US government would offer Assange a plea deal on the current charge he faces in exchange for testimony in a range of other issues. The idea is crazy, but perhaps not as crazy as it sounds.

As I laid out in this post, it seems the US government has been carefully orchestrating the Assange arrest since Ecuador first applied for diplomatic status for him in 2017 in an attempt to exfiltrate him, possibly to Russia. They’re now on the clock, with (depending on which expert you ask) just 44 more days to lard on the additional charges multiple outlets have reported are coming. Meanwhile, he’s being held at Belmarsh, with conflicting stories about what kind of visitors he’s been permitted — though the UN Special Rapporteur for Privacy did visit him this week. Though I’ve asked some top experts, it’s not entirely clear whether, if he were being interrogated right now, that’d be under UK law or US law; the former has fewer protections against self-incrimination for people being detained.

One passage of the Mueller Report may provide an explanation for why his prosecutors didn’t obtain Julian Assange’s testimony.

The Office limited its pursuit of other witnesses and information—such as information known to attorneys or individuals claiming to be members of the media—in light of internal Department of Justice policies. See, e.g., Justice Manual §§ 9-13.400, 13.410.

Assange would fall squarely within DOJ policy covering people who are subjects or targets of an investigation for activities related to their news-gathering activities.

Member of the news media as subject or target. In matters in which a member of the Department determines that a member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the member of the Department requesting Attorney General authorization to use a subpoena, 2703(d) order, or 3123 order to obtain from a third party the communications records or business records of a member of the news media shall provide all facts necessary to a determination by the Attorney General regarding both whether the member of the news media is a subject or target of the investigation and whether to authorize the use of such subpoena or court order. 28 C.F.R. 50.10(c)(5)(i). If the Attorney General determines that the member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the Attorney General’s determination should take into account the principles reflected in 28 C.F.R. 50.10(a), but need not take into account the considerations identified in 28 C.F.R. 50.10(c)(5)(ii) – (viii). Id. Members of the Department must consult with the PSEU regarding whether a member of the news media is a subject or target of an investigation related to an offense committed in the course of, or arising out of, newsgathering activities.

The EDVA case appears to have gotten over this policy (perhaps by distinguishing the assistance on cracking a password from newsgathering activities); but it’s not clear Mueller did (especially given the discussion of First Amendment considerations in passages relating to WikiLeaks). In any case, this calculus may change given that he’s in British, not US custody.

And there has been very little reporting on what’s going on with him — or with US investigations into him.

There are a number of investigations the government would love to get his testimony on, including:

Testimony against Joshua Schulte

Schulte is the accused Vault 7 leaker. WikiLeaks has been far less circumspect about the possibility he’s their source than with other leakers (while also engaging in far less of an effort to lay the case that he’s a whistleblower). Plus, the government has video evidence of Schulte attempting to leak classified information.

But thus far, Schulte’s prosecution has been slowed by CIA’s reluctance to share the classified information Schulte needs to defend himself. Plus, the FBI apparently bolloxed up the initial search warrants for Schulte (in what I suspect was a sloppy effort at parallel construction), which Schulte has been trying to win the ability to speak publicly about for over a year; he recently appealed a decision denying him a request to exempt those initial warrants from his protective order.

To the extent that Assange and Schulte (if he is really the Vault 7 source) communicated — and there’s good reason to believe WikiLeaks did communicate in advance of this publication — then Assange might be able to provide testimony that would get beyond the classification problems.

Testimony about the response to his pardon requests (including Roger Stone’s role in it)

I also believe that DOJ continues to investigate the long effort — an effort that includes Roger Stone, whom prosecutors say is still under investigation — in brokering a pardon for Assange, possibly in part for Assange providing disinformation about where the Democratic documents came from. Consider that, as recently as November, Mueller was trying to learn whether Trump had discussed pardoning Assange before his inauguration, a question about which Trump was especially contemptuous, even given his overall contempt for responding to questions.

Then there’s a subtle point I find really interesting. When the Mueller Report lays out all the times Don Jr magnified Russian trolls, it noted that the failson’s fondness for Russian propaganda continued after the election.

96 See, e.g., @DonaldJTrumpJr 10/26/16 Tweet (“RT @TEN_GOP: BREAKING Thousands of names changed on voter rolls in Indiana. Police investigating #VoterFraud. #DrainTheSwamp.”); @DonaldJTrumpJr 11/2/16 Tweet (“RT @TEN_GOP: BREAKING: #VoterFraud by counting tens of thousands of ineligible mail in Hillary votes being reported in Broward County, Florida.”); @DonaldJTrumpJr 11/8/16 Tweet (“RT @TEN_GOP: This vet passed away last month before he could vote for Trump. Here he is in his #MAGA hat. #voted #ElectionDay.”). Trump Jr. retweeted additional @TEN_GOP content subsequent to the election.

[snip]

103 @DonaldJTrumpJr 11/7/16 Tweet (“RT @Pamela jetonc13. Detroit residents speak out against the failed policies of Obama, Hillary & democrats . . . . “) [my emphasis]

The page-long section (page 60) that lays out Don Jr’s innocuous pre-election interactions (which is how I described them when they were first published) does not, similarly, note the President’s son’s more damning interactions with WikiLeaks that took place after the election, where Assange once privately

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

And then publicly asked for an Ambassadorship that would amount to a pardon.

Given the thoroughness of the report, I find the silence about these exchanges to be notable.

Admittedly, one aspect of the pardon campaign implicates Assange far more than (at least given the public details) it does Trump: his seeming attempt at extortion using the CIA’s hacking tools. But that doesn’t mean the government wouldn’t like his testimony about the larger effort, and I have reason to suspect that is something they were pursuing via other channels as well.

WikiLeaks’ ongoing interactions with Russia

Finally, I’m sure the US government would be willing to give Assange some consideration if he offered to describe his interactions with Russia over the years. The most public aspect of that was the WikiLeaks effort to get Snowden safely out of Hong Kong, which ended unexpectedly in Russia. But there are also credible allegations WikiLeaks engaged in some catch-and-kill of damning documents, most publicly with an incriminating document from the Syria Files. Emma Best looks more closely at that incident in a longer profile of a Russian hacker, Maksym Igor Popov, who seemed to shift loyalties back and forth from the US to Russia even while cultivating Anonymous.

Simultaneously, Sabu, who had been boasting about an alleged breach of Iranian systems, pivoted to the then-pending Syria files. “We owned central syrian bank and got all their emails,” he told Popov. There were “a lot of scandals” in those emails. In the 2012 exchange, Popov is told about an alleged email revealing that Syria had secretly sent Russia billions of Euros. Sabu appears to confuse the amount, which was 2 billion, with an amount from a similar transfer involving an Austrian bank. Reporting by The Daily Dot implies that the two emails were often discussed in the same conversation, while also revealing that the email Sabu was describing to the alleged Russian contractor was omitted from WikiLeaks’ eventual release.

WikiLeaks responded to the reporting by claiming that they “either never had the data or [that it was] in some strange MIME format so it isn’t indexed,” and that the reporting was an attack on WikiLeaks that was meant “to help HRC.”

Popov was impressed by Sabu’s description of the Syria emails, though he briefly confused them with another, unspecified cache that Sabu hinted Popov helped release. “If you want real access to the emails, I can [give it to you],” Sabu offered. Popov responded ecstatically, saying he could use it to create disinformation and fabricate conspiracies. Undaunted by Popov’s intended use for the emails, Sabu said he’d “try to set it all up soon.”

This exchange occurred several months after WikiLeaks received the first batch of the Syria files and several weeks after WikiLeaks gave the LulzSec hackers private access to a search engine to help parse the Stratfor emails which the group had also provided to WikiLeaks.

19:16 <Sabu> though we did very well on syria.. we owned central syrian bank and got all their emails
19:16 <LoD> and Nepalese hack
19:16 <Sabu> a lot of scandals ... like syria sending russia 5 billion euros before civil unrest and when russia sent warsip to trait of whateves its called
19:16 <LoD> Ive actually checked it RESPECT syria gave me some things to mastermind my next operations those email accounts were of much help to improve our strategy
19:17 <LoD> i give you thumbs up
19:17 <Sabu> well we didn't realease it yet ... that was another small hack you released. if you want real access to emails I can ive you
19:17 <LoD> really?
19:17 <LoD> can you?
19:17 <LoD> man I WILL BE in DEBT
19:17 <LoD> I can utilize it in my release
19:18 <LoD> to create a conspiracy
19:18 <Sabu> ya I'll try to set it all up soon

If Popov acquired early access to the Syria files, it would have been the score of a lifetime, giving him an exclusive early inside look at corporations and governments. However, as any later logs of discussions between Popov and Sabu aren’t part of the leaked file, it’s unclear if Popov actually received early access to the Syria files.

Already by this time period in 2011, some former Anons were expressing concern that their operations were being facilitated by Russian infrastructure.

Some followers came to believe that the leaders sought only personal aggrandisement or were effectively in cahoots with the organised criminals who may have raided Sony’s credit-card hoard after Anonymous knocked down the door. Even stalwarts such as Housh are unhappy that much of Anonymous’s infrastructure is now housed on computers used by Russian criminals. “It’s not like the Russians wanted us to get HBGary, but I want to know personally why they are doing this,” he says of the chat hosts. “Where is the money coming from?”

To be sure: a tie with Anonymous is different than a tie directly with WikiLeaks, even if Anonymous was serving as one of WikiLeaks’ important source streams at the time. Further, Best notes that there’s no evidence in available files that Popov interacted directly with WikiLeaks — nor would there be, given the scope of the publicly available chat logs.

But, particularly given the allegations that Assange fed the Seth Rich hoax as part of an effort to deny that he knew he had gotten the Democratic files from Russia, I’m sure the US government would love to know from him about any ties between WikiLeaks and Russia.

Offering Assange a plea deal might be one way to close the book on WikiLeaks without the political controversy of a trial.

The question, of course, is whether Assange would take one. Admittedly, it’s highly unlikely.

Still, as noted, he repeatedly claimed he’d love to tell all if he could avoid prison altogether. But even in a best case scenario, he’s looking at a long extradition fight from Belmarsh in conditions that are reportedly pretty shitty. A plea deal might be one way to limit how much more time in custody he faces.

Which could bode poorly for people like Chelsea Manning, making significant sacrifices to protect Assange.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Bamford’s Silence about How Maria Butina Got Thrown Back into Solitary

A number of people have asked me what I make of this piece from James Bamford, pitching the case against Maria Butina as a grave injustice, just after Paul Erickson (who may be the real intended beneficiary of this piece) was charged in the first of what is likely to be two indictments, and as the government extends her cooperation by two weeks.

There are parts that are worthwhile — such as his argument that because Butina didn’t return a bragging email from JD Gordon, it suggests she wasn’t trying to recruit him.

There are other parts I find weak.

Bamford oversells the degree to which the press sustained the serial honeypot angle — after all, some of us were debunking that claim back in September, when he appears to have been silent — without mentioning the fact that Butina first started proffering cooperation with prosecutors, presumably against Paul Erickson and George O’Neill, on September 26. The word “visa” doesn’t appear in the article’s discussion of Butina’s status as a grad student, leaving unrebutted the government’s claim that Butina chose to come to the US as a student because it provided travel privileges that served her influence operation. Bamford (who hasn’t covered the Mueller investigation) grossly overstates the significance of Mueller’s choice not to integrate Butina’s case into his own investigation. He also falsely treats all counterintelligence investigations into Russia as one ongoing investigation (see this post for my ongoing complaints about virtually everyone doing the same). He suggests that Butina will need to be traded for Paul Nicholas Whelan, when the government has already said she’ll be deported once she serves her sentence (which will likely be time served). He quotes Putin’s interest in Butina’s case, without noting that Russia has only shown the interest they showed in her in one other defendant, Yevgeniy Nikulin. And those are just a few of the details with which I take issue.

But these passages, in particular, strike me as problematic.

Since August 17, Butina has been housed at the Alexandria Detention Center, the same fortresslike building that holds Donald Trump’s former campaign manager, Paul Manafort. On November 10, she spent her 30th birthday in solitary confinement, in cell 2F02, a seven-by-ten-foot room with a steel door, cement bed, and two narrow windows, each three inches wide. She has been allowed outside for a total of 45 minutes. On December 13, Butina pleaded guilty to conspiracy to act as an unregistered agent of the Russian Federation. She faces a possible five-year sentence in federal prison.

[snip]

On November 23, 2018, Butina went to sleep on a blue mat atop the gray cement bed in her cell, her 81st day in solitary confinement. Hours later, in the middle of the night, she was awakened and marched to a new cell, 2E05, this one with a solid steel door and no food slot, preventing even the slightest communication. No reason was given, but her case had reached a critical point.

That’s true not just for the way Bamford obscures the timeline here — suggesting she was always in solitary — but because by obscuring that timeline, Bamford serves to hide that it was Bamford’s own communications with and about Butina that got her thrown back into solitary.

Butina’s lawyers laid out her protective custody status in a filing on November 27.

In addition to general population prisoners, the Alexandria detention center houses federal detainees awaiting trial before this court in “administrative segregation,” more commonly known as solitary confinement. This form of restrictive housing is not a disciplinary measure, but is purportedly used by corrections personnel to isolate inmates for their own protection or the safe operation of the facility.

[snip]

Between her commitment at the Correctional Treatment Facility in Washington, DC and then Alexandria detention center, Ms. Butina has been isolated in solitary confinement for approximately 67 days straight. Despite a subsequent release into general population that came at the undersigned’s repeated requests, correctional staff reinstated her total isolation on November 21, 2018 although no infraction nor occurrence justified the same.

The timeline they lay out makes it clear Butina was in protective custody from July 15 to around September 21, but then placed in the general population. The timeline is absolutely consistent with Butina agreeing to cooperate in order to get placed in general population (the motion to transport her was submitted September 21, so at the same time she was placed in the general population). The fact that the government uses solitary to coerce cooperation from prisoners deserves condemnation, and that definitely seems to have been at play here.

But even at a time she had active orders to be transported for cooperation (the court authorized a second request for transfer from late October through the time she pled guilty), Butina was placed back in solitary. The timeline her defense attorneys lay out, however, suggests that Bamford was incorrect in stating she was in solitary on her birthday on November 10. She wasn’t moved back to solitary until November 21.

On the afternoon of November 21, 2018, counsel received a never-before urgent phone call from a jailhouse counselor regarding Ms. Butina. The basis for that call was her return to solitary confinement. The undersigned called Chief Joseph Pankey and Captain Craig Davie in Alexandria in response. After conferring with them, however, it has become clear that the facility’s use of administrative segregation is a false pretext to mask an indefinite solitary confinement that is unjust and without cause.

Staff purported to base their decision to segregate on Ms. Butina referring a fellow inmate to her lawyers (that is, she gave her lawyers’ phone number to a fellow inmate), but staff did not find a disciplinary violation—major or minor. Chief Pankey and Captain Davie then resorted to the decision being “for her safety,” knowing that administrative segregation disallows an appeal internally.

As of the date of this filing, Ms. Butina has now been in solitary confinement for 22 hours a day for 6 consecutive days with no prospective release date. According to at least one deputy, the move to solitary confinement has also not been entered into the Alexandria detention center computer system, and Ms. Butina’s status is disclosed only by a piece of tape with handwriting attached to the guard stand.

And that’s important because of a detail that Bamford remains utterly silent about.

As laid out in a hearing transcript, around that time, the government recorded calls from Butina to “certain journalists” suggesting the journalist consult someone who had her lawyers’ first name.

DRISCOLL: The conflict raised by the government, I think the government does not think there’s been any violation of order by defense counsel, but due to circumstances regarding recorded calls that the government had of Ms. Butina and to certain journalists, the government raised the concern to us; and we wanted to raise it with the Court so that there would be no question when the plea is entered that the plea is knowing and voluntary, and we wanted to kind of preemptively, if necessary, get Ms. Butina separate counsel briefly to advise her on her rights, to make sure that she got her constitutional right to conflict-free advice.

[snip]

MR. KENERSON: The basic nature of the potential conflict is that this Court, I think, issued in an order back in September regarding Local Rule 57.7. The government has some jail calls from Ms. Butina in which she is talking to a reporter numerous times on those calls. She makes some references on those calls to individuals who could be — we don’t know that they’re defense counsel, but shares first name with defense counsel potentially acting as go-between at a certain point. That’s part one of the potential conflict. Part two is —

THE COURT: Wait. So, wait. Stop. Part one is a potential conflict. Do you see a conflict because you believe she’s acting at the behest of her attorneys or as a conduit for her attorneys to violate the Court’s order?

MR. KENERSON: It’s — someone viewing that in the light least favorable to defense counsel might be able to argue that this is some quantum of evidence that defense counsel possibly were engaged in assisting Ms. Butina in violating the Court’s order.

THE COURT: All right. But that goes to whether counsel, with the aid of his client, violated my — and I’ll use the colloquial term for it, my “gag order.” How does that go to — and maybe you’ll tell me; I cut you off. But how does that go to the voluntariness of her plea?

MR. KENERSON: So if there is an allegation that defense counsel assisting her somehow in violating the, again, to use the colloquial term the “gag order,” that would give defense counsel a reason to want to basically plead the case to avoid that potential violation from becoming public. And curry favor with the government.

Driscoll went on to explain why his client was talking to a journalist with whom she had a friendship that “predates all of this” in spite of her being subject to a gag order.

The circumstances, just so the Court’s aware, Ms. Butina has a friendship with a particular journalist that predates all of this. The journalist was working on a story about Ms. Butina prior to any of this coming up, prior to her Senate testimony, prior to her arrest, and had numerous on-the-record conversations with her prior to any of this happening. At the time the gag order was entered, I took the step of informing the journalist that, although he could continue to talk to Ms. Butina, he could not use any of their post gag-order conversations as the basis for any reporting, and the journalist has not, in any event, made any public statement or done any public reporting on the case to date.

Bamford’s own description of “a number of long lunches starting last March at a private club in downtown Washington, D.C.” make it clear he is the journalist in question.

Judge Chutkan was none too impressed with Driscoll’s advice.

THE COURT: Well, putting aside the questionable advisability of having your client talk to a reporter while she is pending trial and there’s a gag order present — and I understand you told the reporter that they couldn’t make any public statements, but as a former criminal defense attorney myself, I find that curious strategy.

Now, to be clear: Bamford never did publish anything on Butina during the period when the gag was in place (Chutkan lifted the gag on December 21). Even if Bamford had published something during that period, so long as Bamford did respect Driscoll’s advice that their ongoing conversations should be off the record, there was nothing Bamford could publish that would directly reflect her own statements.

And there’s very good reason to question whether the government threw Butina back into solitary because Bamford was reporting on her treatment. That is, it’s not outside the realm of our criminal justice system that Butina was placed back in solitary because a reporter had been tracking her case since before the investigation became public.

Instead of laying out the case for that, however, Bamford instead hides his own role in the process.

To be honest, I think the story is better understood as one about Paul Erickson and not Maria Butina. This story won’t help her at sentencing — that’s going to be based on her cooperation, not what a journalist who has already antagonized the government says about her. But it may help to spin Erickson and George O’Neill’s interest, as well as that of the NRA.

The public record certainly sustains the case that the government used solitary to induce Butina to cooperate — presumably to cooperate against Erickson and O’Neill. That certainly merits attention.

But then the government also used solitary to cut off Butina’s communications with Bamford himself. If it’s this story the government was retaliating against, Bamford should say that, rather than obscuring it.

This is a story about America’s reprehensible use of solitary confinement. But it doesn’t explain a key part of that process here. Given that the story seems to most benefit Erickson, I find that silence remarkable.
