Facebook Claims Just .1% of Election Related Sharing Was Information Operations

/2 Comments/in , , , /by

In a fascinating report on the use of the social media platform for Information Operations released yesterday, Facebook make a startling claim. Less than .1% of what got shared during the election was shared by accounts set up to engage in malicious propaganda.

Concurrently, a separate set of malicious actors engaged in false amplification using inauthentic Facebook accounts to push narratives and themes that reinforced or expanded on some of the topics exposed from stolen data. Facebook conducted research into overall civic engagement during this time on the platform, and determined that the reach of the content shared by false amplifiers was marginal compared to the overall volume of civic content shared during the US election.12

In short, while we acknowledge the ongoing challenge of monitoring and guarding against information operations, the reach of known operations during the US election of 2016 was statistically very small compared to overall engagement on political issues.

12 To estimate magnitude, we compiled a cross functional team of engineers, analysts, and data scientists to examine posts that were classified as related to civic engagement between September and December 2016. We compared that data with data derived from the behavior of accounts we believe to be related to Information Operations. The reach of the content spread by these accounts was less than one-tenth of a percent of the total reach of civic content on Facebook.

That may seem  like a totally bogus number — and it may well be! But to assess it, understand what they’re measuring.

That’s one of the laudable aspects of the report: it tries to break down the various parts of the process, distinguishing things like “disinformation” — inaccurate information spread intentionally — from “misinformation” — inaccurate information spread without malicious intent.

Information (or Influence) Operations – Actions taken by governments or organized non-state actors to distort domestic or foreign political sentiment, most frequently to achieve a strategic and/or geopolitical outcome. These operations can use a combination of methods, such as false news, disinformation, or networks of fake accounts (false amplifiers) aimed at manipulating public opinion.

False News– News articles that purport to be factual, but which contain intentional misstatements of fact with the intention to arouse passions, attract viewership, or deceive.

False Amplifiers – Coordinated activity by inauthentic accounts with the intent of manipulating political discussion (e.g., by discouraging specific parties from participating in discussion, or amplifying sensationalistic voices over others).

Disinformation – Inaccurate or manipulated information/content that is spread intentionally. This can include false news, or it can involve more subtle methods, such as false flag operations, feeding inaccurate quotes or stories to innocent intermediaries, or knowingly amplifying biased or misleading information. Disinformation is distinct from misinformation, which is the inadvertent or unintentional spread of inaccurate information without malicious intent.

Having thus defined those terms, Facebook distinguishes further between false news sent with malicious intent from that sent for other purposes — such as to make money. In this passage, Facebook also acknowledges the important detail for it: false news doesn’t work without amplification.

Intent: The purveyors of false news can be motivated by financial incentives, individual political motivations, attracting clicks, or all the above. False news can be shared with or without malicious intent. Information operations, however, are primarily motivated by political objectives and not financial benefit.

Medium: False news is primarily a phenomenon related to online news stories that purport to come from legitimate outlets. Information operations, however, often involve the broader information ecosystem, including old and new media.

Amplification: On its own, false news exists in a vacuum. With deliberately coordinated amplification through social networks, however, it can transform into information operations

So the stat above — the amazingly low .1% — is just a measure of the amplification of stories by Facebook accounts created for the purpose of maliciously amplifying certain fake stories; it doesn’t count the amplification of fake stories by people who believe them or who aren’t formally engaged in an information operation. Indeed, the report notes that after an entity amplifies something falsely, “organic proliferation of the messaging and data through authentic peer groups and networks [is] inevitable.” The .1% doesn’t count Trump’s amplification of stories (or of his followers).

Furthermore, the passage states it is measuring accounts that “reinforced or expanded on some of the topics exposed from stolen data,” which would seem to limit which fake stories it tracked, including things like PizzaGate (which derived in part from a Podesta email) but not the fake claim that the Pope endorsed Trump (though later on the report says it identifies false amplifiers by behavior, not by content).

The entire claim raises questions about how Facebook identifies which are the false amplifiers and which are the accounts “authentically” sharing false news. In a passage boasting of how it has already suspended 30,000 fake accounts in the context of the French election, the report includes an image that suggests part of what it does to identify the fake accounts is identifying clusters of like activity.

But in the US election section, the report includes a coy passage stating that it cannot definitively attribute who sponsored the false amplification, even while it states that its data does not contradict the Intelligence Community’s attribution of the effort to Russian intelligence.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

That presents the possibility (one that is quite likely) that Facebook has far more specific forensic data on the .1% of accounts it deems malicious amplifiers that it coyly suggests it knows to be Russian intelligence. Note, too, that the report is quite clear that this is human-driven activity, not bot-driven.

So the .1% may be a self-serving number, based on a definition drawn so narrowly as to be able to claim that Russian spies spreading propaganda make up only a tiny percentage of activity within what it portrays as the greater vibrant civic world of Facebook.

Alternately, it’s a statement of just how powerful Facebook’s network effect is, such that a very small group of Russian spies working on Facebook can have an outsized influence.

 

Turns Out Alaskans Won’t Get to See Russian Hacker Pyotr Levashov from Their Windows

/4 Comments/in , /by

Earlier this month, DOJ got some good press by releasing the first known Rule 41 nationwide hacking warrant. It targeted Pyotr Levashov, who ran a big botnet infecting tons of Americans’ computers. He was arrested on April 9 in Barcelona and DOJ shut down the botnet.

The good press continued when EFF lauded the way the Rule 41 hacking warrant was handled. I’m not aware that anyone has reviewed the Pen Register application that went along with the warrant, about which I have more concerns, but having EFF’s blessing goes some way to rolling out a new authority without controversy.

Last week, DOJ announced the indictment, last Thursday, of Levashov. Whereas the Rule 41 warrant was submitted in Alaska, the indictment (and much of the investigation) was done in New Haven. Levashov was charged with eight different counts. Of note, the indictment includes two conspiracy-related charges against Levashov without naming any co-conspirators.

What I find interesting about all this is that there’s a still sealed complaint, dated March 24, against Levashov in the New Haven docket, with its own affidavit.

So I’m wondering why the Rule 41 action was taken in Alaska whereas the prosecution (assuming Levashov is extradited) appears slotted for New Haven.

The Alaska affidavit makes abundant reference to the investigative activities in New Haven. It describes that New Haven FBI Agents tested the Kelihos malware, identified how Kelihos harvested credentials, and tracked how Kelihos installed WinPCAP to intercept traffic.

It also includes a footnote describing other cases against Levashov.

I am also aware that an indictment was filed in 2007 in the Eastern District of Michigan for conspiracy to commit electronic mail fraud, mail fraud, and wire fraud in violation of 18 U.S.C. $$ 371, 1037(a)(2)-(a)(B), 1037(b)(2)(C), 1341, and 1343 and several substantive counts of violating 18 U.S.C. $$ 1037(a)(2), 1037(b)(2)(C), and Section 2. That indictment remains pending. I am also aware that a criminal complaint fi1ed in the U.S. District Court for the District of Columbia, which in 2009 charged LEVASHOV in his true name with two substantive counts of violating 18 U.S.C. $$ 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(a)(5)(A)(i) and 1030(a)(5XBXV), as well as one count of conspiracy to commit these offenses in violation of 18 U.S.C. $ 371. These charges resulted from LEVASHOV’s operating the Storm Botnet from January 2007 until September 22,2008. That botnet, like that which is the subject of this prosecution, sent spam to facilitate pump and dump schemes and the purchase of grey market pharmaceuticals. Because the government was unable to apprehend and detain LEVASHOV, it dismissed the complaint in 2014.

But it doesn’t mention the complaint, which had already been filed, in CT — unless that’s what the almost paragraph long redaction in the affidavit was.

One possible explanation for the jurisdictional oddity is just that DOJ could. To test their new authorities, perhaps, they chose to obtain a warrant in a totally different jurisdiction from the one they were prosecuting in, just to lay out the precedent of doing so. And as noted, it’s possible the big redacted passage in the AK affidavit explains all this.

I’d feel better about that if the FBI affidavit submitted in AK hadn’t (possibly) hidden the already existing complaint in CT, though.

I’ve got a question into DOJ and will update if they provide an explanation. But for now, know that Alaska won’t get to host a high profile hacking trial after all.

Upated, fixed DOJ announce date h/t EG.

The Virgin Birth of the Most Inflammatory Trump Dossier Claims

/3 Comments/in /by

In a response to Alexsej Gubarev’s British libel lawsuit, Christopher Steele has submitted a defense making certain claims about the dossier on Trump he reportedly did for Trump’s opponents. (Washington Times published the filing along with this story.) The defense provides some limited information on the dossier, while remaining entirely silent about known details.

The defense provides further explanation of how Steele came to share the dossier with John McCain. Sir Andrew Wood is an Associate of Steele’s firm, which is how he knew about the dossier. At an undated meeting between Wood and John McCain and his associate David Kramer, Wood told the Americans about the dossier. That piqued McCain’s interest, so Kramer met with Steele in Surrey on November 28. After Kramer returned to DC, he arranged to get a hard copy of the dossier for McCain, and requested that “any further intelligence gathered by the Defendants about alleged Russian interference in the US Presidential election” be provided to him on behalf of McCain.

Steele denies he shared the dossier with journalists

Of critical importance, to substantiate a claim that he wasn’t spreading the document all over creation, Steele states,

The Defendants did not, however, provide any of the pre-election memoranda to media organizations or journalists. Nor did they authorize anyone to do so. Nor did they provide the confidential December memorandum to media organizations or journalists. Nor did they authorize anyone to do so.

[snip]

[Steele] gave off the record briefings to a small number of journalists about the pre-election memoranda in late summer/autumn 2016.

I find the claim rather suspicious.

The changing (BBC) story about how it got (shown) the Steele dossier

Steele’s claim that he wasn’t sharing the dossier itself is dubious for several reasons. For example, the defense makes no mention of Steele sharing the dossier with the FBI, in spite of multiple reports of him doing so.

More damning, one of the reporters with whom the dossier was shared before the election, BBC’s Paul Wood, has changed a published story about receiving the dossier on two occasions. The original story appeared like this.

Sometime between the original publication and 14:06 GMT, the paragraph claiming the American oppo research company, Fusion, disseminated the document was removed from the story.

Then, by 15:32 GMT — roughly 20 minutes after I did a post noting the first change — that passage was again changed, this time to suggest the pages were shown, but not given, to journalists.

I’ve been told second-hand that actual pages were given, not shown, to at least one journalist, suggesting the middle story may be the accurate one. Moreover, the actual dossier would have had to have been shared for James Clapper’s claim that the dossier “was widely circulated … among the media, members of Congress and Congressional staff ” to be true.

Steele’s free report based off unsolicited intelligence

All that pertains to the dossier, generally, though. It’s actually irrelevant to the lawsuit, since Gubarev is suing over claims made in the last report, dated December 13 (see this post for why that date is important).

Here’s what Steele claims about that last report.

The Defendants continued to receive unsolicited intelligence on the matters covered by the pre-election memoranda after the US Presidential election and the conclusion of the assignment for Fusion.

After receiving some such intelligence [Steele] prepared the confidential December memorandum, … on his own initiative on or around 13 December 2016.

[snip]

Accordingly, [Steele] provided a copy of the December memorandum to:

a. A senior UK government national security official acting in his official capacity, on a confidential basis in hard copy form; and

b. Fusion, by enciphered email with an instruction to Fusion to provide a hard copy to Sen. McCain via Mr Kramer.

Nowhere in this defense does Steele specify when he gave McCain the dossier, aside from sometime after November 28. Presumably it was on or before December 9, when McCain reportedly handed the dossier over to the FBI (though McCain was a bit sketchier about when he got and handed on the dossier and — very significantly — doesn’t describe doing so twice).

Steele does confirm he also shared the dossier with “a senior UK government national security official,” which is another way the US intelligence community might have gotten the dossier they shared with Trump before BuzzFeed leaked it, contrary to their utterly ridiculous claims to have been the last to know of it.

In any case, the timeline suggests that, after sources started leaking aggressively about Putin affirmatively trying to elect Trump on December 9 (even as Obama called for a review of the intelligence), Steele all of a sudden got new intelligence (or, less plausibly, decided to write down the intelligence he had before he sent McCain the dossier but hadn’t written up).

Multiple reports have said that Steele was working for free in that period. Apparently, too, the sources that Steele had been paying up to this point decided they would provide unsolicited intelligence.

Did they get paid, either?

The virgin birth of the most inflammatory claims

And this is all very interesting because — as I have noted before — this last brief includes three far more inflammatory claims than Steele had ever provided before.

First, as part of the claims Gubarev is suing over, Steele claimed he had been told that in addition to using botnets to “transmit viruses, plant bugs, and steal data,” (which sounds nothing like what allegedly actually happened in the hack), XBT also conducted “altering operations,” a suggestion that Russia was tampering with data rather than just stealing it.

Second, whereas earlier reporting on Michael Cohen’s role had been more vague, this report described him discussing “deniable cash payments to the hackers who had worked in Europe under Kremlin direction against the CLINTON campaign.” That is, the dossier made far stronger claims that Trump’s team had discussed the hack itself, rather than making quid pro quo deals to alter US policy.

Finally, and most importantly, Steele’s “unsolicited” intelligence claimed that Trump had paid the hackers.

On payments, IVANOV’s associate said that the operatives involved had been paid by both TRUMP’s team and the Kremlin, though their orders and ultimate loyalty lay with IVANOV.

This is the report that wraps up all the allegations in a neat little bow, setting up the impeachment of Trump, and it came unsolicited after the spooks were upping the pressure on McCain.

Right wing outlets are (rightly) making much of the fact that Steele claimed the intelligence “needed to be analysed and further investigated/verified.” But I’m just as struck by the rather neat claim that by far the most inflammatory intelligence in the dossier came in the days after Democrats and the IC started ratcheting up pressure on Trump, and that it came unsolicited.

Update: This post has been updated for clarity.

Update: David Corn’s account of interacting with Steele is inconsistent on the point of whether he got the dossier. At first he says he was able to “review” the memos.

I also was able to review the memos the former spy had written, and I quoted a few key portions in my article.

But by the end of the paragraph, he says the reason he didn’t publish the dossier is not because he didn’t have it, but because it would have revealed some of Steele’s sources (as it eventually did).

I also didn’t post the memos, as BuzzFeed did this week, because the documents contained information about the former spy’s sources that could place these people at risk.

And technically, Corn’s description of how Steele directed him to treat the information is not “off the record” (though I can still remember the moment during the Scooter Libby trial when, after one after another top journalist provided a different definition of the term on the stand, journalists in the media room — Corn was there — acknowledged that everyone has a different definition of the term). In his article, Corn says he was simply told not to ID Steele’s nationality or MI6 but suggests he was permitted to quote the dossier, which he did.

For my story in October, I spoke with the former spy who wrote these memos, under the condition that I not name him or reveal his nationality or the spy service where he had worked for nearly two decades, mostly on Russian matters.

Update: It’s worth comparing Steele’s claims with those made in this Vanity Fair feature on the dossier. Of particular note, VF makes no mention of Wood being an associate of Steele’s firm, and instead suggests he may have been sent to the conference in question to contact McCain.

It was at some point in this busy weekend that Senator John McCain and David J. Kramer, a former State Department official whose bailiwick was Russia and who now toils at Arizona State University’s Washington-based McCain Institute for International Leadership, found themselves huddling with Sir Andrew Wood, a former British ambassador to Russia.

Sir Andrew, 77, had served in Moscow for five years starting in 1995, a no-holds-barred time when Putin was aggressively consolidating power. And in London Station, the M.I.6 puppeteer pulling all the clandestine strings was Christopher Steele. Sir Andrew knew Steele well and liked what he knew. And the former diplomat, who always had a few tough words to say about Putin, had heard the rumors about Steele’s memo.

Had Sir Andrew arrived in Halifax on his own covert mission? Was it just an accident that his conversation with Senator McCain happened to meander its way to the findings in Steele’s memos? Or are there no accidents in international intrigue? Sir Andrew offered no comment to Vanity Fair. He did, however, tell the Independent newspaper, “The issue of Donald Trump and Russia was very much in the news and it was natural to talk about it.

Note, this account would put Kramer in Surrey meeting Steele around December 5, which would mean Steele’s most inflammatory intelligence came in (“unsolicited,” he claimed) during a period of 11 days. It also says that Kramer brought the dossier back with him, undermining Steele’s claims that Fusion had been in the loop. VF also suggests there may have been more to the dossier Steele handed Kramer; Steele goes so far out of his way in his defense to claim he did no reports in November that I suspect he did report in November (perhaps directly for FBI?).

NSA’s Spying on Le Pen Is Probably Working Better than GRU’s Spying on Macron

/9 Comments/in , /by

In advance of this report on APT 28 (the hacking group presumed to be tied to Russia’s military intelligence, GRU, blamed for the DNC hack-and-leak), Trend Micro got a lot of publicity for its report that APT 28 had targeted Emmanuel Macron, who just won the most votes in France’s presidential election and will face a run-off against Marine Le Pen in a few weeks.

At least according to Macron’s campaign, the attempts to phish his campaign were unsuccessful.

Mounir Mahjoubi, digital director of Mr. Macron’s campaign, confirmed the attempted hacking, saying that several staffers had received emails leading to the fake websites. The phishing emails were quickly identified and blocked, and it was unlikely others went undetected, Mr. Mahjoubi said.

“We can’t be 100% sure,” he said, “but as soon as we saw the intrusion attempts, we took measures to block access.”

The timing of all this is all rather interesting. Back in early February, France’s Le Canard Enchaîné exclusively reported that France’s security officials worried that Macron would be hacked, a vague report that was picked up really broadly without confirmation. Shortly thereafter, Macron claimed that his campaign had been the target of thousands of attacks from entities within Russia’s border, including a DDOS attack that took down his website for nine minutes. According to the sole mention of Macron in the Trend Micro report, the OneDrive-based phish targeting Macron took place a month later, on March 15.

These hacking attempts accompanied a great deal of fake news (and leaked gossip) targeting Macron. But at least if Macron’s own campaign is to believed, APT 28 never succeeded in its attempt to hack the favorite to be France’s next president, and so presumably has not yet succeeded in stealing emails that Russia might use to attack Macron during the run-off.

Which gives the hype about APT 28’s attempted hack a really curious character. It is treated as if Russia is the only state actor that might be spying on French presidential candidates.

Does anyone honestly believe that the United States is not spying on Le Pen, for example, given that the CIA and NSA have a history of spying on candidates with whom the US is even friendlier than Le Pen? Indeed, earlier this year, WikiLeaks published a tasking order for CIA to collect HUMINT and open source intelligence on all the parties in the 2012 French election, though without any cyber element specified. In 2010, the incumbent Pakistan People’s Party was included in NSA’s foreign government Section 702 certificate by name. And in 2012, CIA and NSA partnered to target Enrique Peña Nieto and nine of his closest associates in the weeks leading up to his victory. With both the PPP and EPN, these were nominally political parties friendly to US interests.

By comparison, it would seem that targeting Le Pen, at a time when the intelligence community has a very public concern about collusion between Russia and populist parties in Europe to destabilize Europe, would be a no-brainer.

And here’s what else gets left out of the coverage of GRU’s attempts to spy on Macron: how much easier a job the NSA might have than GRU, even ignoring NSA’s greater capabilities.

Many (though not all) of the phishing attempts detailed in the Trend Micro report pretend to be the email log-ins for US-based email providers: with virtually all the most detailed attention on Yahoo, Gmail, and Microsoft. The attempted Macron targeting exploited his campaign’s use of OneDrive. That means all the entities GRU targeted with phishes pretending to be US providers are available to NSA via Section 702, or PRISM.

In other words, to collect on the very same targets that GRU is targeting via phishing attacks that users continue to be better informed about (and that Macron claims to have withstood entirely), the NSA could just add LePen’s email address to the list over 93,000 targets being targeted under Section 702 (as they presumably did with PPP in 2010). And unlike a phishing campaign, which can be made more difficult with the use of two factor authentication, Le Pen would have no defense against collection targeting her or her campaign’s PRISM provider accounts, beyond encrypting everything that resided in an American-owned cloud (and even there, there would be a great deal of interesting metadata available). If she or key aides uses any of the major American tech providers, stealing their emails would be as easy as providing a foreign intelligence justification (one that would be bolstered by her close ties with Russia) and tracking to make sure her accounts are detasked when she comes to the US to visit Trump Tower.

All that’s on top of any more sophisticated targeting of Le Pen akin to what CIA and NSA did against EPN.

And therein lies the rub, the reason you shouldn’t be saying, “So what? We should spy on that fascist Le Pen, she’s a menace to civilization” (though I agree she is).

The NSA’s spying on Marine Le Pen is likely having more success than GRU’s spying on Emmanuel Macron. But is there any reason to believe — particularly given CIA’s targeting of all French parties in 2012 and given Trump’s stated preference for Le Pen — to think that NSA is not also targeting Macron, targeting his OneDrive in a way that would be immune from whatever defenses he is using against phishing attacks?

Here’s where folks will say, “but we don’t leak stolen communications,” in spite of some evidence that we have in the past, albeit perhaps not in a democratic election. (On that note, this Politico story exposing Mike Flynn’s ties, via his Turkish lobbying client, to Russia, relies on a WikiLeaks-released email, which is a notable instance where evidence made available by WikiLeaks may help those investigating Russia’s influence on the Trump administration.). Of course, GRU can only leak what it can steal, and Macron believes that GRU hasn’t succeeded in stealing anything.

Furthermore, we have no visibility what US policymakers in the past have done with intelligence collected on political parties. We certainly have no current limits on what Trump can do with it, aside from limits on the dissemination of that actual raw emails. We’ve always given the President great discretion on such issues, in the name of ensuring a unified foreign policy. And there are plenty of ways Trump’s administration could intervene to help Le Pen beyond just leaking any derogatory information on Macron.

All this is not to say that GRU’s reported continued attempts to hack democratic targets is not a concern (indeed, I’m at least as worried that FSB is conducting similar intelligence collection without the same easily identifiable tracks).

But it is to say that, particularly in the era where Donald Trump sets this country’s foreign policy, we need to be a lot more mindful of NSA’s own far more considerable ability to steal information on democratic candidates.

How to Spy on Carter Page

/2 Comments/in , , /by

I have no personal knowledge of the circumstances surrounding the alleged wiretapping of Carter Page, aside from what WaPo and NYT have reported. But, in part because the release of the new, annual FISC report has created a lot of confusion, I wanted to talk about the legal authorities that might have been involved, as a way of demonstrating (my understanding, anyway, of) how FISA works.

FISC did not (necessarily) reject more individual orders last year

First, let’s talk about what the FISC report is. It is a new report, mandated by the USA Freedom Act. As the report itself notes, because it is new (a report covering the period after passage of USAF), it can’t be compared with past years. More importantly, because the FISA Court uses a different (and generally more informative) reporting approach, you cannot — as both privacy groups and journalists erroneously have — compare these numbers with the DOJ report that has been submitted for years (or even the I Con the Record report that ODNI has released since the Snowden leaks); that’s effectively an apples to grapefruit comparison. Those reports should be out this week, which (unless the executive changes its reporting method) will tell us how last year compared with previous years.

But comparing last year’s report to the report from the post-USAF part of 2015 doesn’t sustain a claim that last year had record rejections. If we were to annualize last year’s report (covering June to December 2015) showing 5 rejected 1805/1824 orders (those are the individual orders often called “traditional FISA”) across roughly 7 months, it is actually more (.71 rejected orders a month or .58% of all individual content applications) than the 8 rejected 1805/1824 orders last year (.67 rejected orders a month or .53% of all individual content applications). In 2016, the FISC also rejected an 1861 order (better known as Section 215), but we shouldn’t make too much of that either given that that authority changed significantly near the end of 2015, plus we don’t have this counting methodology for previous years (as an example, 2009 almost surely would have at least one partial rejection of an entire bulk order, when Reggie Walton refused production of Sprint records in the summertime).

Which is a long-winded way of saying we should not assume that the number of traditional content order rejections reflects the reports that FBI applied for orders on four Trump associates but got rejected (or maybe only got one approved for Page). As far as we can tell from this report, 2016 had a similar number of what FISC qualifies as rejections as 2015.

The non-approval of Section 702 certificates has no bearing on any Russian-related spying, which means Page would be subject to back door searches

Nor should my observation — that the FISC did not approve any certifications for 1881a (better known as Section 702, which covers both upstream and PRISM) reflect on any Carter Page surveillance. Given past practice when issues delayed approvals of certifications, it is all but certain FISC just extended the existing certifications approved in 2015 until the matters that resulted in an at least 2 month delay were resolved.

Moreover, the fact that the number of certificates (which is probably four) is redacted doesn’t mean anything either: it was redacted last year as well. That number would be interesting because it would permit us to track any expansions in the application of FISA 702 to new uses (perhaps to cover cybersecurity, or transnational crime, for example). But the number of certificates pertains to the number of people targeted only insofar as any additional certificates represent one more purpose to use Section 702 on.

In any case, Snowden documents, among other things, show that a “foreign government” certificate has long been among the existing certificates. So we should assume that the NSA has collected the conversations of known or suspected Russian spies located overseas conducted on PRISM providers; we should also assume that as a counterintelligence issue implicating domestic issues, these intercepts are routinely shared in raw form with FBI. Therefore, unless last year’s delay involved FBI’s back door searches, we should assume that when the FBI started focusing on Carter Page again last spring or summer, they would have routinely searched on his known email addresses and phone numbers in a federated search and found any PRISM communications collected. In the same back door search, they would have also found any conversations Page had with Russians targeted domestically, such as Sergey Kislyak.

The import of the breakdown between 1805 and 1824

Perhaps the most important granular detail in this report — one that has significant import for Carter Page — is the way the report breaks down authorizations for 1805 and 1824.

1805 covers electronic surveillance — so the intercept of data in motion. It might be used to collect phone calls and other telephony communication, as well as (perhaps?) email communication collected via upstream collection (that is, non-PRISM Internet communication that is not encrypted); it may well also cover prospective PRISM and other stored communication collection. 1824 covers “physical search,” which when it was instituted probably covered primarily the search of physical premises, like a house or storage unit. But it now also covers the search of stored communication, such as someone’s Gmail or Dropbox accounts. In addition, a physical search FISA order covers the search of hard drives on electronic devices.

As we can see for the first time with these reports, most individual orders cover both 1805 and 1824 (92% last year, 88% in 2015), but some will do just one or another. (I wonder if FBI sometimes gets one kind of order to acquire evidence to get the other kind?)

As filings in the Keith Gartenlaub case make clear, “physical search” conducted under a FISA order can be far more expansive than the already overly expansive searches of devices under a Article III warrant. Using a FISA 1824 order, FBI Agents snuck into Gartenlaub’s house and imaged the hard drives from a number of his devices, ostensibly looking for proof he was spying on Boeing for China. They found no evidence to support that. They did, however, find some 9-year old child pornography files, which the government then “refound” under a criminal search warrant and used to prosecute him. Among the things Gartenlaub is challenging on appeal is the breadth of that original FISA search.

Consider how this would work with Carter Page. The NYT story on the Page order makes it clear that FBI waited until Page had left the Trump campaign before it requested an order covering him.

The Foreign Intelligence Surveillance Court issued the warrant, the official said, after investigators determined that Mr. Page was no longer part of the Trump campaign, which began distancing itself from him in early August.

I suspect this is a very self-serving description on the part of FBI sources, particularly given reports that FISC refused orders on others. But regardless of whether FISC or the FBI was the entity showing discretion, let’s just assume that someone was distinguishing any communications Page may have had while he was formally tied to the campaign from those he had after — or before.

This is a critical distinction for stored communications because (as the Gartenlaub case makes clear) a search of a hard drive can provide evidence of completely unrelated crime that occurred nine years in the past; in Gartenlaub’s case, they reportedly used it to try to get him to spy on China and they likely would do the equivalent for Page if they found anything. For Page, a search of his devices or stored emails in September 2016 would include emails from during his service on Trump’s campaign, as well as emails between the time Page was interviewed by FBI on suspicion of being recruited by Victor Podobnyy and the time he started on the campaign, as well as communications going back well before that. So if FISC (or, more generously, the FBI) were trying to exclude materials from during the campaign, that might involve restrictions built into the request or the final order

The report covering 2016 for the first time distinguishes between orders FISC modifies (FISC interprets this term more broadly than DOJ has in its reports) and orders FISC partly denies. FISC will modify an order to, among other things,

(1) impos[e] a new reporting requirement or modifying one proposed by the government;

(2)  chang[e] the description or specification of a targeted person, of a facility to be subjected to electronic surveillance or of property to be searched;

(3)  modify[] the minimization procedures proposed by the government; or

(4)  shorten[] the duration of some or all of the authorities requested

Using Page as an example, if the FISC were permitting FBI to obtain communications from before the time Page joined the campaign but not during it, it might modify an order to require additional minimization procedures to ensure that none of those campaign communications were viewed by the FBI.

The FISC report explains that the court will partly deny orders and “by approving some targets, some facilities, places, premises, property or specific selection terms, and/or some forms of collection, but not others.” Again, using Page as an example, if the court wanted to really protect the election related communications, it might permit a search of Page’s homes and offices under 1824, but not his hard drives, making any historic searches impossible.

There’s still no public explanation of how Section 704/Section 705b work, which would impact Page

Finally, the surveillance of Carter Page implicates an issue that has been widely discussed during and since passage of the FISA Amendments Act in 2008, but not in a way that fully supports a democratic debate: how NSA spies on Americans overseas.

Obviously, the FBI would want to spy on Page both while he was in the US, but especially when he was traveling abroad, most notably on his frequent trips to Russia.

The FISA Amendments Act for the first time required the NSA to obtain FISC approval before doing that. As I explain in this post, for years, public debate has claimed that was done under Section 703 (1881b in this report). But abundant evidence shows it is all done under 704 (1881c in this report). The biggest difference between the two, according to an internal NSA document, is the government doesn’t explain its methods in the latter case. With someone who would be spied on both in the US and overseas, that spying would be done under 705b (conducted under 1881d section b), which permits the AG to approve of spying overseas (effectively, 704 authority) for those already approved under a traditional order.

This matters in the context of spying on Carter Page for two reasons. First, as noted government doesn’t share details about how it spies overseas with the court. And some of the techniques we know NSA to use — such as XKeyscore searches drawing on bulk overseas collection — would seem to present additional privacy concerns on top of the domestic authorities. If the FBI (or more likely, the FISC) is going to try to bracket off any communications that occur during the period Page was associated with the campaign, that would have to be done for overseas surveillance as well, most critically, for Page’s July trip to Russia.

This report shows that 704, like the domestic authorities, also gets modified sometimes, so it may be that FISC did just that — permitted NSA to collect information covering that July meeting, but imposed some minimization procedures to protect the campaign.

But it’s unclear whether the court would have an opportunity to do so for 705b, which derives from Attorney General authorization, not court authorization. I assume that’s why 1881d was not included in this reporting requirement, but it seems adding 705b reporting to Title VII reauthorization this year would be a fairly minor change, but one that might reveal how often the government uses more powerful overseas spying techniques on Americans. It’s unclear to me, for example, whether any modifications or partial approvals the FISC made on a joint 1805/1824 order covering Page would translate into a 705b order, particularly if the modifications in question included additional reporting to the FISC.

Carter Page might one day be the first American to get review of his FISA dossier

All of which is why, no matter what you think of Carter Page’s alleged role in influencing the Trump campaign to favor Russia, I hope he one day gets to review his FISA dossier.

No criminal defendant has ever gotten a review of the FISA materials behind the spying, in spite of clear Congressional intent, when the law was passed in 1978, to allow that in certain cases. Because of the publicity surrounding this case, and the almost unprecedented leaking about FISA orders, Page stands a better chance than anyone else of getting such review (particularly if, as competing stories from CNN and Business Insider claim, the dossier formed a key, potentially uncorroborated part of the case against him). Whatever else happens with this case, I think Page should get that review.

Thoughts on the NYT Comey Blockbuster

/15 Comments/in , , /by

The NYT has a big piece on Jim Comey’s involvement in the election you should definitely read. Rather than share my thoughts in a tweet storm I thought I’d share here so we can all gab about it.

Consensus coming closer to Jim Comey being self-righteous

As long time readers know, I think Jim Comey is self-righteous. He creates a heroic self-image that is often overblown (as it was regarding the post hospital hero events). So I was happy to see this paragraph — and observations matching it — through out the story.

Mr. Comey made those decisions with the supreme self-confidence of a former prosecutor who, in a distinguished career, has cultivated a reputation for what supporters see as fierce independence, and detractors view as media-savvy arrogance.

Comey deserves all the criticism he has gotten for his statements about the Hillary investigation. But we’re stuck with Comey for now; he’s one of the few checks against Trump’s arbitrary rule (and Comey is enough of a media hound to be able to create the space to conduct the investigation into Trump).

But one way or another I’m happy people are beginning to understand Comey not as the hospital hero, nor as a partisan, but as someone who doesn’t (or didn’t?) assess his own actions with a fair measure.

The secret David Margolis meeting

One of two really interesting new details in this story is that, when Comey was trying to decide what to do, he consulted with David Margolis, who has long been treated as the conscience of DOJ by DOJers. (See this bmaz post for more background on Margolis.)

Mr. Comey sought advice from someone he has trusted for many years. He dispatched his deputy to meet with David Margolis, who had served at the Justice Department since the Johnson administration and who, at 76, was dubbed the Yoda of the department.

What exactly was said is not known. Mr. Margolis died of heart problems a few months later. But some time after that meeting, Mr. Comey began talking to his advisers about announcing the end of the Clinton investigation himself, according to a former official.

This meeting (and the description of how they staged Margolis’ funeral so the DOJ people criticizing Comey wouldn’t have to share a stage with him) plays a weird role in the story, as if just the mention of the meeting serves to exonerate Comey’s terrible decision to announce the end of the Hillary investigation.

But what the story doesn’t note is that Comey was effectively consulting with the person who for years always intervened to make sure DOJ’s lawyers don’t get held accountable for their misconduct (most notably, he did this for John Yoo). Now, I’m not sure whether as FBI Director Comey’s behavior might have been reviewed by the Office of Professional Responsibility; as it happens DOJ IG is doing so. But it is not ethical to have the guy who, later on, would bless your actions, bless them before the fact. It’s like getting pre-approval to break the rules.

Loretta Lynch should have recused

One of the details others find most interesting is that the FBI acted as they did, in part, because a Democratic operative suggested in an email that Loretta Lynch would ensure nothing came of the investigation.

During Russia’s hacking campaign against the United States, intelligence agencies could peer, at times, into Russian networks and see what had been taken. Early last year, F.B.I. agents received a batch of hacked documents, and one caught their attention.

The document, which has been described as both a memo and an email, was written by a Democratic operative who expressed confidence that Ms. Lynch would keep the Clinton investigation from going too far, according to several former officials familiar with the document.

Read one way, it was standard Washington political chatter. Read another way, it suggested that a political operative might have insight into Ms. Lynch’s thinking.

Normally, when the F.B.I. recommends closing a case, the Justice Department agrees and nobody says anything. The consensus in both places was that the typical procedure would not suffice in this instance, but who would be the spokesman?

The document complicated that calculation, according to officials. If Ms. Lynch announced that the case was closed, and Russia leaked the document, Mr. Comey believed it would raise doubts about the independence of the investigation.

I’ve got a slew of hacking related questions about this document — starting with why it hasn’t, as far as I know, been leaked. The described timing as “early last year” suggests that it may have been hacked in the FSB phase of the hacking. But the document would have solidified the narrative the Russians were reportedly fostering about Hillary.

The article doesn’t pursue those questions, but it notes that in response to finding it, Comey did not ask Lynch to recuse. He should have. You recuse whether or not there’s basis for recusal but because of appearances as well. Moreover, so much awfulness could have been avoided had she recused. This was one of the big own goals of this whole mess.

CIA Directors should not meet with just one Gang of Eight member

The second detail I find most interesting in this story is that John Brennan privately briefed Harry Reid about his concerns about the Russians.

John O. Brennan, the C.I.A. director, was so concerned about the Russian threat that he gave an unusual private briefing in the late summer to Harry Reid, then the Senate Democratic leader.

Top congressional officials had already received briefings on Russia’s meddling, but the one for Mr. Reid appears to have gone further. In a public letter to Mr. Comey several weeks later, Mr. Reid said that “it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government — a foreign interest openly hostile to the United States.”

While I’m generally sympathetic to Democrats’ complaints that DOJ should have either remained silent about both investigations or revealed both of them, it was stupid for Brennan to give this private briefing (and I hope he gets grilled about it by HPSCI when he testifies in a few weeks). In addition to the things Reid said publicly about the investigation, it’s fairly clear he and his staffers were also behind some of the key leaks here (and, as CNN reported yesterday, leaks about the investigation actually led targets of it to alter their behavior). For reasons beyond what appears in this story, I think it likely Reid served as a cut-out for Brennan.

And that’s simply not appropriate. There may well have been reasons to avoid briefing Richard Burr (who was advising Trump). But spooks should not be sharing information with just one party. CIA did so during its torture cover-up in ways that are particularly troubling and I find this — while not as bad — equally problematic.

Two missing details: the leaks and the delayed notice to Congress

While this is already a comprehensive story (though its telling of October 7 omits key details), there are two parts that seem critical that are missing: the flood of leaks from FBI and the decision to delay notifying the Gang of Four of the CI investigation.

This week, CNN reported that the FBI was “clarifying” an earlier policy fostering more contact between FBI employees with the media in response to leaks about the Trump campaign. (Click through to read about the TV series coming out focusing on FBI heroism that the FBI exercised editorial control over!!!)

The FBI is overhauling its media policy, restricting contacts between the news media and its employees amid controversy over alleged leaks, bureau officials told CNN.

The new media policy was rolled out this week at a conference in Washington attended by FBI special agents in charge of its 56 field offices, according to officials who attended.
Media access to top officials at the FBI became more common in recent years under FBI Director James Comey, part of a transparency effort he said was aiming at demystifying the FBI and helping the public understand its mission. But the new policy appears to curtail that access.
An official familiar with the development of the new policy described it as largely a “clarification” intended to reinforce existing rules on who is authorized to talk to reporters, not a step back from Comey’s transparency initiatives.

Not only should this policy have been put in place before people leaked details of FISA orders, but it should have been put in place in early 2016, when it was clear FBI Agents were leaking details of the Hillary investigation to try to force their supervisors to expand its scope to include the Clinton Foundation.

Instead, the possibility that FBI Agents would leak was one of the reasons why Comey did what he did. The correct thing, instead of making unprecedented public statements as he did, would have been to shut down the leaking.

Additionally, according to Comey’s testimony, FBI actually delayed notifying at least the heads of the Intelligence Committees  until fairly recently. The NYT acknowledges that this detail was hidden. But I’d love to understand how this departure from normal briefing affected all the other decisions (particularly in light of the the Brennan meeting).

In any case, read the whole thing. It’s very frustrating. But it also lays out a series of things that Comey — and other Obama officials — should have done differently.

The Think Tank Story Actually Suggests the Think Tank Wasn’t That Important

/3 Comments/in , , /by

Reuters has what at first seemed to be an important story, based on three current and four former US officials (a descriptor which can include members of Congress or their staffers) noting that a think tank close to Putin laid out a plan to influence the US election in two separate reports last year. But in fact, the story actually may undermine some of its own claims.

Before I describe the reports, consider two inconsistent claims made in the story. First, the article claims that these two reports were central to the Obama Administration’s conclusions on Russian interference.

The documents were central to the Obama administration’s conclusion that Russia mounted a “fake news” campaign and launched cyber attacks against Democratic Party groups and Clinton’s campaign, the current and former officials said.

These officials — seven of them!! — suggest there’s a tie between these two reports and the total conclusion, the fake news and the hacking.

But then later in the story, half the officials state that the reports never once mentioned the hacks. They explain that detail away by saying that the two parts of the campaign — the hacking and the propaganda — reinforced each other because RT and Sputnik do what RT and Sputnik allegedly do anyway, make the most of opportunities to cause the US discomfort.

Neither of the Russian institute documents mentioned the release of hacked Democratic Party emails to interfere with the U.S. election, according to four of the officials. The officials said the hacking was a covert intelligence operation run separately out of the Kremlin.

The overt propaganda and covert hacking efforts reinforced each other, according to the officials. Both Russia Today and Sputnik heavily promoted the release of the hacked Democratic Party emails, which often contained embarrassing details.

Again, before we get into the reports themselves, note that the sources here appear to have oversold this story. Or the Obama Administration thinking on this is … problematic. Because there’s no way two reports on propaganda — of the sort American think tanks and the CIA develop for elections and adversaries all over the world, even if the CIA doesn’t run state media outlets like Russia does to implement them — that don’t mention the hack should be presented as proof of (or proof against) the whole kit and kaboodle, the hack-and-leak plus propaganda. Either these reports weren’t central to the plan, or the propaganda effort had nothing to do with the hacking one. In other words, these documents should in no way lead Obama (or us) to conclude anything about the hacking.

That’s all the more true when you consider the description of these reports.

[The seven sources] described two confidential documents from the think tank as providing the framework and rationale for what U.S. intelligence agencies have concluded was an intensive effort by Russia to interfere with the Nov. 8 election. U.S. intelligence officials acquired the documents, which were prepared by the Moscow-based Russian Institute for Strategic Studies [en.riss.ru/], after the election.

The institute is run by retired senior Russian foreign intelligence officials appointed by Putin’s office.

The first Russian institute document was a strategy paper written last June that circulated at the highest levels of the Russian government but was not addressed to any specific individuals.

It recommended the Kremlin launch a propaganda campaign on social media and Russian state-backed global news outlets to encourage U.S. voters to elect a president who would take a softer line toward Russia than the administration of then-President Barack Obama, the seven officials said.

A second institute document, drafted in October and distributed in the same way, warned that Democratic presidential candidate Hillary Clinton was likely to win the election. For that reason, it argued, it was better for Russia to end its pro-Trump propaganda and instead intensify its messaging about voter fraud to undermine the U.S. electoral system’s legitimacy and damage Clinton’s reputation in an effort to undermine her presidency, the seven officials said.

The first report was done in June (no date specified). Per the description, it didn’t even take an anti-Hillary stance, but instead an anti-Obama stance, which translates into anti-Hillary but not as strongly as it could, given Hillary’s specific actions that have infuriated Putin. The second was done in October (again, no date specified) and by description adopted a stance Republicans in this country have adopted towards elections for decades, to delegitimize elections your preferred candidate loses.

The dates are more important (and I find the non-disclosure of the actual dates to be telling, whether that decision was made by the seven sources or by Reuters, as the dates would provide another detail that would allow us to assess the credibility of this story).

Let’s review the timeline of the hack-and-leak narrative. APT 29, associated with FSB, hacked the DNC during summer 2015, and stayed there, quietly. Then, according to the existing narrative, as part of the kind of operation we’ve seen many times, in mid-March 2016 APT 28, associated with GRU also hacked the DNC, as well as John Podesta. DC Leaks, which is supposed to be part of the same operation, registered its domain on April 19. As Thomas Rid pointed out yesterday, FireEye believes the same people tried to register “electionleaks” a week earlier, on April 12. A persona calling himself Guccifer 2.0 appeared on June 15 and started leaking documents currently (and not entirely correctly, I believe) attributed to the DNC hack, immediately after the WaPo and Crowdstrike revealed the hack and attributed it to Russia. Which is to say the first think tank document (which again, is described as anti-Obama, not anti-Hillary) post-dated the beginning of what is considered the hack-and-leak campaign by three months and the beginning of the set-up to leak stolen documents by two. If the report is dated after June 15, it post-dated the first Guccifer 2.0 leaks, yet made no mention of their possible exploitation as part of the propaganda campaign (there are still unexplained problems with claims about the Guccifer persona, but I will bracket them here).

Then there’s the second report, from some unrevealed date in October. Again, it’s crucially important whether the report was done before or after October 7, when even outside observers learned there was going to be a second batch of leaks because Wikileaks started releasing the Podesta emails. Nevertheless, anyone following closely would have known (at least from Roger Stone) more might be coming, and insiders in both the Democratic Party and the Kremlin knew there were more documents that could be released. But this second report once again made no mention of hacked documents, not the ones that had leaked in the summer, and not the ones that were already or were about to be leaked.

That’s some pretty remarkable disinterest in available propaganda material that everyone following closely knew about. Though it’s worth noting that the Podesta emails didn’t support the “illegitimate election” narrative being pushed by the think tank in October as well as the DNC emails that were already public and available for propaganda purposes.

Taking just the think tank documents as evidence, which is what the seven sources behind this story do in advancing them as proof, you would conclude that there was actually not a strong tie between the hack-and-leak campaign and the propaganda one, because even after the entire world knew about the former, those strategizing the latter didn’t accommodate for the former.

All of which is to say that if we’re to believe these think tank documents provided “the framework and rationale” for the Russian election operation story, then we should conclude the dominant narrative is incorrect, that there actually was no intention of coordinating the hack-and-leak part of the operation with the propaganda part, or even that the hack-and-leak wasn’t part of that grand framework. Alternately, we might conclude that these think tank documents represent what tangential people with close ties to Putin thought smart advice, but which aren’t actually proof of Putin’s intent except insofar as sycophants reflect the perceived intent of those they’re serving.

Later the article does provide an explanation that sustains the current narrative of a coordinated hack-and-leak and propaganda campaign. Even before the first strategy document that purportedly provided the rationale and framework for the campaign, Reuters’ sources reveal, the Kremlin had already instructed media outlets to favor Trump.

Four of the officials said the approach outlined in the June strategy paper was a broadening of an effort the Putin administration launched in March 2016. That month the Kremlin instructed state-backed media outlets, including international platforms Russia Today and Sputnik news agency, to start producing positive reports on Trump’s quest for the U.S. presidency, the officials said.

That order, coming from the Kremlin itself which therefore might accommodate for what Reuters’ sources call a covert campaign even though by all reports, starting in March, the second wave of hacking stopped all effort at maintaining persistent secrecy from its targets, certainly could reflect coordination between the propaganda and the hack-and-leak parts of the campaign. It would suggest the Kremlin moved its propaganda arms at the same time APT 28 set out to ostentatiously collect what APT 29 had already been secretly collecting, documents that could provide material for the propaganda.

If so (and I have no problem interpreting it as such), then it suggests that the think tank documents should not be considered all that informative, as they appear to ignore stuff even Americans were commenting heavily on. Indeed, the story provides more evidence to suggest they weren’t that key in directing the campaign. In the US, at least, think tanks often recommend policies that coincide with (blatantly obvious) policies already chosen; it’s a good way to appear to influence policy even while chasing it. But that doesn’t mean we or anyone else should take it as definitive proof of anything.

One more comment. As stunning as it is to learn of Russian think tank documents that made no mention of the hack-and-leak campaign, or even the documents that became available as a result, months after the leaking started, it’s worth reminding that the Trump dossier, for whatever juicy evidence it presents about Trump associates potentially colluding with Russians, also doesn’t reflect any prospective knowledge of the hack-and-leak campaign (though it certainly discusses its implementation after the fact). In fact, its retrospective reports suggest that in mid-September, the consensus was that the hack-and-leak campaign was backfiring, with advisors suggesting they didn’t need to release more documents to make Hillary look “weak and stupid.” And when, five days after the Podesta emails first started coming out, the dossier reported on the emails being released, it suggested a great deal of anger within the Kremlin both that the emails hadn’t done more besides create backlash and that Trump was such a divisive figure.

The two data points, taken together, might support a close hold on the hack-and-leak effort (in spite of the obviousness with which it was carried out). But it’s worth noting that in spite of rampant leaking and some vague allegations of more, we have yet to see or learn of a data point that predicted the hack-and-leak campaign, not even via intelligence agencies that knew about the earlier APT 29 hack for nine months.

One final note. I’ve long mocked the intelligence community for calling the combined efforts of APT 28 and 29, along with the propaganda effort, “Grizzly Steppe” for the way it dissolves all distinction between the various parts of the program. This is an example of why I think it unwise: because it clouds people’s ability to assess and try to address flaws in the individual parts of the campaign which may be quite important.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Doxing of Equation Group Hackers Raises Questions about the Legal Role of Nation-State Hackers

/6 Comments/in , /by

Update: I should have caveated this post much more strongly. I did not confirm the names and IDs released in the dump are NSA’s hackers. It could be Shadow Brokers added names to cast blame on someone else. So throughout, take this as suspected doxing, with the possibility that it is, instead, disinformation. 

In 2014, DOJ indicted five members of China’s People Liberation Army, largely for things America’s own hackers do themselves. Contrary to what you’ve read in other reporting, the overwhelming majority of what those hackers got indicted for was the theft of information on international negotiations, something the US asks its NSA (and military industrial contractor) hackers to do all the time. The one exception to that — the theft of information on nuclear reactors from Westinghouse within the context of a technology transfer agreement — was at least a borderline case of a government stealing private information for the benefit of its private companies, but even there, DOJ did not lay out which private Chinese company received the benefit.

A month ago, DOJ indicted two Russian FSB officers and two criminal hackers (one, Alexey Belan, who was already on FBI’s most wanted list) that also worked for the Russian government. Rather bizarrely, DOJ deemed the theft of Yahoo tools that could be used to collect on Yahoo customers “economic espionage,” even though it’s the kind of thing NSA’s hackers do all the time (and notably did do against Chinese telecom Huawei). The move threatens to undermine the rationalization the US always uses to distinguish its global dragnet from the oppressive spying of others: we don’t engage in economic espionage, US officials always like to claim. Only, according to DOJ’s current definition, we do.

On Friday, along with details about previously unknown, very powerful Microsoft vulnerabilities and details on the 2013 hacking of the SWIFT financial transfer messaging system, ShadowBrokers doxed a number of NSA hackers (I won’t describe how or who it did so — that’s easy enough to find yourself). Significantly, it exposed the name of several of the guys who personally hacked EastNets SWIFT service bureau, targeting (among other things) Kuwait’s Fund for Arab Economic Development and the Palestinian al Quds bank. They also conducted reconnaissance on at least one Belgian-based EastNets employee. These are guys who — assuming they moved on from NSA into the private sector — would travel internationally as part of their job, even aside from any vacations they take overseas.

In other words, ShadowBrokers did something the Snowden releases and even WikiLeaks’ Vault 7 releases have avoided: revealing the people behind America’s state-sponsored hacking.

Significantly, in the context of the SWIFT hack, it did so in an attack where the victims (particularly our ally Kuwait and an apparent European) might have the means and the motive to demand justice. It did so for targets that the US has other, legal access to, via the Terrorist Finance Tracking Program negotiated with the EU and administered by Europol. And it did so for a target that has subsequently been hacked by people who might be ordinary criminals or might be North Korea, using access points (though not the sophisticated techniques) that NSA demonstrated the efficacy of targeting years earlier and which had already been exposed in 2013. Much of the reporting on the SWIFT hack has claimed — based on no apparent evidence and without mentioning the existing, legal TFTP framework — that these hacks were about tracking terrorism finance. But thus far, there’s no reason to believe that’s all that the NSA was doing, particularly with targets like the Kuwait development fund.

Remember, too, that in 2013, just two months after NSA continued to own the infrastructure for a major SWIFT service bureau, the President’s Review Group advised that governments should not use their offensive cyber capabilities to manipulate financial systems.

Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;

[snip]

[G]overnments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

No one has ever explained where the PRG came up with the crazy notion that governments might tamper with the world’s financial system. But since that time, our own spooks continue to raise concerns that it might happen to us, Keith Alexander — the head of NSA for the entire 5-year period we know it to have been pawning SWIFT — is making a killing off of such fears, and the G-20 recently called for establishing norms to prevent it.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

While that’s certainly a compelling argument, there may be another motive that could explain it.

In a little noticed statement released between its last two file dumps, Shadow Brokers did a post explaining (and not for the first time) that what gets called its “broken” English is instead operational security (along with more claims about what it’s trying to do). As part of that statement, Shadow Brokers claims it writes (though the tense here may be suspect) documents for the federal government and remains in this country.

The ShadowBrokers is writing TRADOC, Position Pieces, White Papers, Wiki pages, etc for USG. If theshadowbrokers be using own voices, theshadowbrokers be writing peoples from prison or dead. TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue.

On the same day and, I believe though am still trying to confirm the timing, before that post, Shadow Brokers had reacted to a Forbes piece asking whether it was about to be unmasked (quoting Snowden), bragging that “9 months still living in homeland USA USA USA our country theshadowbrokers not run, theshadowbrokers stay and fight.” Shadow Brokers then started attacking Jake Williams for having a big mouth for writing this post, claiming to expose him as a former Equation Group member, specifically invoking OddJob (the other file released on Friday that doxed NSA hackers, though not Williams), and raising the “gravity” of talking to Q Group, NSA’s counterintelligence group.

trying so hard so helping out…you having big mouth for former member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing members but had make exception for big mouth, keep talking shit your next

Which is to say that, four days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

Which is not to say such a motivation, if true, is mutually exclusive of Russia retaliating for having its own hackers exposed.

All of which brings me back to the question of norms. Even as the US has been discussing other norms about hacking in recent years, I’ve seen next to no discussion about how state hackers — and remember, this post discusses NSA hackers, including uniformed members of the Armed Services, government contractors, spies, and criminal hackers working for a state (a practice we do too, though in a different form than what Russia does) — fit into international law and norms about immunities granted to individuals acting on behalf of the state. The US seems to have been proceeding half-blindly, giving belated consideration to how the precedents it sets with its offensive hacking might affect the state, without considering how it is exposing the individuals it relies on to conduct that hacking.

If nothing else, Shadow Brokers’ doxing of NSA’s own hackers needs to change that. Because these folks have just been directly exposed to the kind of international pursuit that the US aggressively conducts against Russians and others.

Because of international legal protections, our uniformed service members can kill for the US without it exposing them to legal ramifications for the rest of their lives. The folks running our spying and justice operations, however, apparently haven’t thought about what it means that they’re setting norms that deprive our state-sponsored hackers of the same protection.

Update: I forgot to mention the most absurd example of us indicting foreign hackers: when, last year, DOJ indicted 7 Iranians for DDOS attacks. In addition to the Jack Goldsmith post linked in that post, which talks about the absurdity of it,  Dave Aitel and Jake Williams talked about how it might expose people like them to international retaliation.

Dana Boente Still Has a Job and Why That’s of Interest for WikiLeaks

/in , /by

WaPo has a weird story reporting, erroneously, that Donald Trump has no US Attorneys.

Attorney General Jeff Sessions is making aggressive law enforcement a top priority, directing his federal prosecutors across the country to crack down on illegal immigrants and “use every tool” they have to go after violent criminals and drug traffickers.

But the attorney general does not have a single U.S. attorney in place to lead his tough-on-crime efforts across the country. Last month, Sessions abruptly told the dozens of remaining Obama administration U.S. attorneys to submit their resignations immediately — and none of them, or the 47 who had already left, have been replaced.

“We really need to work hard at that,” Sessions said when asked Tuesday about the vacancies as he opened a meeting with federal law enforcement officials. The 93 unfilled U.S. attorney positions are among the hundreds of critical Trump administration jobs that remain open.

While it is true that Trump had Sessions ask for the remaining 93 US Attorneys’ resignations, he subsequently announced he was keeping Rod Rosenstein (who contrary to WaPo’s claim that he “served as U.S. attorney for Maryland” is still there, and who will become Deputy Attorney General as soon as he’s confirmed in the next few weeks) and Dana Boente (who is US Attorney for EDVA but also acting AG for the Russia investigation).

Both Boente and Rosenstein made press announcements today; the guys whose custody they announced probably would prefer if they weren’t on the job.

I guess the WaPo wanted to suck up to Jeff Sessions and so didn’t consider the possibility that we’re better off with 91 US Attorney vacancies than 91 racist hacks like Sessions, pushing through his regressive policies.

Anyway, since we’ve established that Boente still has a job and in fact oversees the Russia investigation, I thought I’d point out something I was considering during last week’s threats from CIA Director Mike Pompeo against WikiLeaks.

During Pompeo’s comments at CSIS last week, he said,

Julian Assange and his kind are not the slightest bit interested in improving civil liberties or enhancing personal freedom. They have pretended that America’s First Amendment freedoms shield them from justice. They may have believed that, but they are wrong.

[snip]

[W]e have to recognize that we can no longer allow Assange and his colleagues the latitude to use free speech values against us. To give them the space to crush us with misappropriated secrets is a perversion of what our great Constitution stands for. It ends now.

As some people observed, Pompeo’s comments are inconsistent with the practice of Obama’s DOJ, particularly under Holder. While Holder would have happily prosecuted Julian Assange for his role in release of files leaked by Chelsea Manning, he realized that if he did, he’d be criminalizing stuff that the press does.

Pompeo, at least, seems to disagree.

And the reason why Boente’s continued tenure as Eastern District US Attorney — and his role overseeing the Russian investigation — is that he has also been overseeing the ongoing investigation into Wikileaks since 2013.

Consider the fact that Assange’s actions of late may be more incriminating than those involving Manning (even assuming Assange can credibly claim he has no way of knowing whether Russia is responsible for the DNC hack, Assange’s comments about both the DNC and the Vault 7 leak suggest more coordination than in the past). Then add in the fact that Boente, for the next few weeks anyway, might be able to claim to be both US Attorney and Acting AG on any role by WikiLeaks in the publication of the DNC emails. And it raises the possibility that Boente would use this window to indict Assange.

I think that’s unlikely. Moreover, while an indictment would give the US reason to pressure Ecuador even more to boot Assange, it’s not clear they would. But it’s possible.

Ruslan Stoyanov and Two Degrees of Separation from Protected Criminal Hackers

/3 Comments/in , /by

Ruslan Stoyanov, the former head of cyber investigations at Kaspersky and now in prison fighting accusations of treason, got some press yesterday when letters he sent to his lawyers got released by a Russian TV station, Dozhd. Moscow Times covered Stoyanov’s accusation that Russia exchanges intelligence related hacking for impunity for foreign cybercrimes.

“The essence of the deal is that the state gets access to the technologies and information of ‘cyberthieves,’ in exchange for allowing them to steal abroad with impunity,” Stoyanov said, claiming that this agreement has lead to “a new crime wave” perpetuated by “patriotic thieves.”

Stoyanov also warned that hackers are liable to turn their attention back to Russia, once their “patriotic fervor” wears off.

Dozhd’s coverage is here, which makes one additional focus of Stoyanov’s letters clear: Stoyanov pits the dangers to Russia of formerly protected hackers engaging in crimes within Russia against his own value to Russia in taking down the Lurk hackers last year. As Stoyanov’s report from last year claims, Lurk’s members managed to steal over 3 billion rubles before they were arrested with the help of Kaspersky.

It’s a nice play to the public, Stoyanov’s attempt to challenge Russia’s accusations of treason by pointing out that protected criminal hackers pose a greater threat to Russia.

But there’s a problem with it (though one of which Stoyanov may be unaware).

Stoyanov’s arrest for treason has been tied to that of FSB officers Sergei Mikhailov and Dmitry Dokuchaev. The best public (and, I believe, partial) explanation for their arrest so far is that the arrest arose, in part, out of an old grudge from spammer Pavel Vrublevsky, who believed Mikhailov and Stoyanov shared information on his operations with the FBI.

But that explanation pre-dates the unsealing of the indictment against four people — including Dokuchaev — for the hack of Yahoo from 2014 to 2016. In the indictment’s description of Dokuchayev and in some of its description of the alleged hacks, it describes an FSB officer 3 who, because he is described as “supervisory,” is likely Mikhailov (which, as I suggested in my original post on this, raises interesting questions about why he wasn’t also charged).

DMITRY ALEKSANDROVICH DOKUCHAEV, also known as “Patrick Nagel,” was a Russian national and resident. DOKUCHAEV was an FSB officer assigned to Second Division ofFSB Center 18, also known as the FSB Center for Information Security. He was an associate ofFSB officer IGOR SUSHCHIN; another, supervisory FSB officer known to the Grand Jury (“FSB Officer 3”), who was the senior FSB official assigned to Center 18; and other FSB officers known and unknown.

[snip]

From at least in or around December 2015 until May 2016, the conspirators sought access to accounts ofthe former Minister ofEconomic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”). DOKUCHAEV, SUSHCHIN, and BELAN worked with FSB Officer 3 to access_Victims A and B’s accounts by minting cookies and to share information obtained from those accounts. In one instance, on or about December 18, 2015, FSB Officer 3 provided SUSHCHIN with information regarding a company controlled by Victims A and B. On or about December 21, 2015, DOKUCHAEV sent a cookie for Victim B’s account to SUSHCHIN, who then later that day sent DOKUCHAEV a report on Victims A and B. On or about May 20, 2016, BELAN minted a cookie for the same Victim B account.

And the rest of the indictment describes how Dokuchaev, in particular, worked closely with prominent criminal hacker Alexsey Belan to access Yahoo. The indictment even describes how they helped Belan avoid legal troubles in Russia.

One of the criminal hackers, BELAN, has been the subject of an Interpol “Red Notice” and listed as one of the Federal Bureau ofInvestigation’s (“FBI”) “Most Wanted” hackers since 2012. BELAN resides in Russia, within the FSB’ s jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him. They also provided him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.

That is, Dokuchaev and, at least by presumed extension, Mikhailov, are allegedly involved in precisely the thing Stoyanov is trying to distinguish himself against, protecting prominent hackers so as to use their skills for FSB’s goals.

But then, there are also the reasons to ask whether all that Dokuchaev, at least, was doing was official FSB business. On top of targeting a Russian email provider (which is probably Yandex) via unofficial means, Dokuchaev used a number of tools, such as Yahoo and Paypal, that would be readily accessible to American authorities, but inaccessible to Russian authorities. Which, if he was spying against Russian authorities themselves, might explain why Russia would arrest Dokuchaev for treason.

Along with Stoyanov.

As I said, there’s no reason to assume Stoyanov knows that Dokuchaev just got credibly accused of using Belan to help hack Yahoo. The Yahoo indictment likely got minimal attention in Russia to begin with, and it’s not clear how much access to the media Stoyanov has in prison in any case.

But while his accusation against Russian authorities served its presumed purpose of making a media splash, both in Russia and internationally, given that he was accused of treason along with a guy who does just what he’s claiming, it’s not clear how much it helps his case (except perhaps to distinguish himself from those he got charged with).

image_print