Posts

Fun with Dr. Corsi’s “Forensics”!

By far the most ridiculous part of Jerome Corsi’s book is where he spends an entire chapter pretending that he figured out on his own that WikiLeaks had John Podesta’s emails rather than being told that by someone whose identity he’s trying to avoid sharing with Mueller’s team.

The chapter is one of three in the book that he presents as having been written in real time, effectively as diary entries. Corsi presents it as the fevered narrative he writes on November 18, 2018, at a time when Mueller’s team was cracking down on him for his continued lies but before he refused the plea deal, after a night of nightmares.

Last night, I was plagued by nightmares that caused me to sleep very poorly.

His change in voice is followed with an even more direct address to readers, which he returns to as an interjection in the middle of his crazed explanation.

I am going to write this chapter to explain to you, the reader, how I used my basic intuitive skills as a reporter to figure out in August 2016 that Assange had Podesta’s emails, that Assange planned to start making the Podesta file public in October 2016, and that Assange would release the emails in a serial, day-by-day fashion, right up to election day.

[snip]

Now, I know this is tedious and will tax many readers, so I’ve decided here to take a break. You have to understand what I am going through is a roller-coaster. Sometimes I feel like everything is normal and that the federal government will understand that I am a reporter and should be protected by the First Amendment. Then, I realize that the next ring of the doorbell could be the FBI seeking to handcuff me and arrest me in full view of my family.

Resuming after a much-needed break, we need only a few more dates to complete the analysis.

The chapter consists of three things, none of which even remotely presents a case for how he could have concluded WikiLeaks was sitting on John Podesta’s emails:

  • An argument that claims he simply reasoned it all out, without proof
  • A chronology that makes no sense given the July and August 2016 emails he’s trying to explain away
  • Other crap theories designed to undermine Mueller’s argument about Russian involvement, most of which post-date the date when Corsi claims to have figured out the Podesta emails were coming

Corsi’s “argument”

Corsi’s main argument is this:

Clearly, I reasoned there had to have been Podesta emails on that server that would have discussed the Clinton/DNC plot to deny Bernie Sanders the Democratic Party presidential nomination in 2016. Where were these Podesta emails, I wondered?

[snip]

I felt certain that if Assange had Podesta’s emails he would wait to drop them in October 2016, capturing the chance to stage the 2016 “October Surprise,” a term that had been in vogue in U.S. presidential politics since 1980 when Jimmy Carter lost re-election to Ronald Reagan, largely because the Reagan camp finessed Ayatollah Khomeini to postpone the release of the hostages from the American embassy in Tehran until after that year’s November election. I also figured that Assange would release the Podesta emails in drip-drip fashion, serially, over a number of days, stretching right up to the Election Day. In presidential politics, the news cycle speeds up, such that what might take a month or a week to play out in a normal news cycle might take only a day or two in the heightened intensity of a presidential news cycle—especially a presidential news cycle in October, right at Election Day is nearing.

In spite of his claims, elsewhere, to have done forensic analysis that told him John Podesta’s emails were coming, ultimately his argument boils down to this: he figured out that Podesta’s emails (which he purportedly hadn’t read) would be the most damning possible thing and therefore WikiLeaks must have and intend to release them in a serial release because it made sense.

Corsi’s chronology

From there, Corsi proceeds to spin out the following bullshit about how he came to that conclusion:

  • Starting in February 2016, a woman named LH whose ex-husband was a former top NSA figure told him [why?] incorrect things about how the Democrats organize their servers. This information seems to be inflected by the flap over VAN space the previous December, but Corsi doesn’t mention that. This information is wrong in many of the ways later skeptics of the Russian hack would be wrong, but Corsi claims he had that wrong understanding well in advance of the crowd.
  • When Assange announced on June 12 that he had upcoming Hillary leaks, Corsi was “alerted to the possibility Assange had obtained emails from the DNC email server,” which he took to mean VAN.
  • When the WaPo reported on the DNC hack on June 14, 2016, Corsi took Democrats’ (false) reassurances about financial data to be true, matched it to his incorrect claimed understanding of how the Democrats organized their data, and assumed VAN had been hacked (this is the day before Guccifer 2.0 would claim he got in through VAN, remember). Corsi also claims to have noted from the WaPo story that Perkins Coie and Crowdstrike were involved, the latter of which he tied to Google’s Eric Schmidt (who was helping Dems on tech), which together he used to suggest that in real time he believed the Democrats had “manufactured” evidence to pin the hack on the Russians. Again, Corsi is suggesting he got to the conspiracy theories it took the rest of Republicans a year to get to, but in real time.
  • Corsi incorrectly read the Crowdstrike white paper (on which the WaPo story was obviously based and which Ellen Nakashima had had for about a week, and which includes an update written in response to the appearance of Guccifer 2.0) as a response to Guccifer 2.0’s post on June 15 and — in spite of the WaPo report that Cozy Bear had been “monitoring DNC’s email and chat communications” — concluded that the hackers had not taken email.
  • After the DNC emails were released, Corsi had what he claims was his big insight: that these emails largely came from DNC’s Comms Director and their finance staffers, which meant Podesta’s (and DWS’, which he logically should but did not, pursue) had to be what was left. Mind you, the former point is something WikiLeaks made clear on its website:

On July 22, 2016, Wikileaks began releasing over two days a total of 44,053 emails and17,761 email attachments from key figures in the DNC. What I noticed immediately was that the largest number of emails by far came from DNC Communications Director Luis Miranda (10,520 emails), who had approximately three-times the emails released for the next highest on the list, National Finance Director Jordon Kaplan (3,799 emails) and Finance Chief of Staff Scott Corner (3,095 emails). What I noticed immediately was that emails from Debbie Wasserman Schultz and John Podesta were missing. Yet, by analyzing the addresses in the emails, it was clear the “From,” “To,” and or “CC” listings indicate the email was sent by or to an addressee using the DNC email server, identified as @dnc.org.

  • In his narrative of how he “figured out” there must be Podesta emails, he relies not on the July 25 NBC story he cites earlier in his book, quoting Assange saying there was “no proof” the emails came from Russia (and suggesting his set were a different one than the ones analyzed by cybersecurity experts), but a CNN story he dates to July 26 but which got updated early morning July 27, citing Assange saying, “Perhaps one day the source or sources will step forward and that might be an interesting moment some people may have egg on their faces. But to exclude certain actors is to make it easier to find out who our sources are;” Corsi also cites a July 27 NYMag story citing the CNN one. Corsi claims that as he was listening to this interview, he realized that Assange had Podesta emails “lifted from the DNC server,” which would be incorrect even if it were true, given that Podesta’s emails were from his Gmail account.

Listening to this interview on CNN, all the pieces fit in place for me. Assange had Podesta emails that were also lifted from the DNC server and these were the emails he was holding to drop later in the campaign.

  • Corsi describes “the last piece of the puzzle” to be Seth Rich’s death on July 10, 2016, but which occurred before Assange’s post DNC release interviews, in one of which Assange suggested his sources were still alive to “step forward,” then points to Assange’s offer of a reward for information leading to a conviction on August 9. This happened after he had already suggested to Stone that Podesta’s emails were coming.

None of this explains how Corsi would not have decided that Clinton Foundation emails were what was missing, which is what Stone believed when he instructed Corsi to reach out to Ted Malloch on July 25, the day before the Assange interviews Corsi says led him to conclude WikiLeaks instead had Podesta’s emails. And much of it assumes that a unified hack occurred (otherwise it would be impossible to decide what was coming from what had already been released), an assumption he claims not to believe in much of the rest of his crap.

Corsi’s crap

In addition to that chronology, though, Corsi throws in a bunch of crap meant to discredit the evidence laid out in the Mueller GRU indictment. Much of this evidence post-dates the moment he claims he figured out that WikiLeaks had Podesta’s emails, which makes it irrelevant to his theory, nevertheless Corsi throws it out there.

  • Corsi takes the Guccifer 2.0 leak of DCCC files to Aaron Nevins — which didn’t happen until over a month after he told Stone that WikiLeaks had Podesta emails — to be “proof” not just that Guccifer 2.0 only hacked DNC files, which he again asserts incorrectly came from VAN, but also that Guccifer 2.0 had not hacked emails.
  • Corsi claims that Guccifer 2.0 “never bragged that he hacked the DNC email server that contained the Podesta emails,” even though Guccifer 2.0 did brag that WikiLeaks had published documents he gave them after the DNC leak.
  • Corsi claims that Guccifer 2.0 published donor lists and voter analysis at DCLeaks, which is generally inaccurate (indeed, some Podesta files came out via DCLeaks!), but also admits a tie between Guccifer 2.0 and DCLeaks that would either rely on contemporary reporting that asserted a tie, the GRU indictment, or some personal knowledge not otherwise explained.
  • Corsi claims that, unlike Marcel Lazar, “Guccifer 2.0 has never been positively identified let alone arrested,” without explaining how he’s sure that the 12 GRU officers Mueller indicted don’t amount to positively identifying the people running Guccifer 2.0. Indeed, rather than addressing that indictment, Corsi instead tries to rebut the Intelligence Community Assessment’s “high confidence” attribution of Guccifer 2.0 to GRU, which he claims relies on ‘tradecraft’ that relies on circumstantial evidence at best, presuming a hacker leaves a signature.” In the ICA, that discussion appears in a section that also notes that “Some analytic judgments are based directly on collected information,” as the Mueller indictment makes clear the GRU one was.
  • Corsi claims the Vault 7 release suggesting the CIA has a tool to falsely attribute its own hacks “undermined” the IC’s attribution of Cozy Bear and Fancy Bear, without realizing that’s a different issue from whether the CIA, NSA, and FBI can correctly attribute the hack (though if the Russians obtained those files in the weeks after Joshua Schulte allegedly stole them in 2016, it would have made it harder for CIA to chase down the Russians).
  • Corsi initially argues, providing no evidence except that he’s sure the DNC emails come from the DNC email server and not NGP-VAN or Hillary’s private server, that, “While the DNC email server could have been hacked by an outside agent, what is equally plausible is that the emails could have been stolen by someone on the inside of the DNC, perhaps an employee with their own @dnc.org email address.” He then feeds the Seth Rich conspiracy.
  • Corsi uses what he claims to have learned about serialization in a college course covering Dickens (but details of which, regarding the history of Dickens’ serialization, he gets entirely wrong) to explain how he knew the Podesta emails would come out in a serialized release.
  • Corsi dismisses the possibility the Russians used a cut-out with this garble:

The attempt to distinguish is disingenuous, suggesting the Russians may have been responsible for the hack, turning the information to a third party, not the Russians or a state actor, who handed WikiLeaks the emails and thus became “the source.”

  • Corsi cites the Nation’s August 9, 2017 version of the Bill Binney theory purportedly proving that a set of files purporting to be from the DNC — which were never released by WikiLeaks — were copied inside the US and also noting that the Russian metadata in the first Guccifer 2.0 documents was placed there intentionally. As I noted at the time, the two theories actually don’t — at all — disprove the claim that Russia hacked the DNC. But they’re even worse for Corsi’s claims, because (even though the set of files were called NGP/VAN) they undermine his false claim about the Democrats’ servers and they acknowledge that the files he said disproved that Guccifer 2.0 had Podesta files actually were Podesta files.

These things are utterly irrelevant to the soundness of Corsi’s own claim to have been able to guess that the Podesta emails were coming and — as I note — a number of them sharply contradict what he claims to believe.

Corsi’s mistaken notion of his role in proving “collusion”

But the crap does serve Corsi’s larger point, which is to undermine what he imagines Mueller’s theory of “collusion” to be.

Mueller & Company had decided the Trump campaign somehow encouraged Russia to steal the DNC emails and give them to Assange, so WikiLeaks could publish them. Then to establish “Russian collusion” with the Trump campaign, Mueller was out to connect his own dots. The Mueller prosecutors had been charged with the mission to grill me until

I would “give up” my source to Assange. I was their critical “missing link.” If Rhee, Zelinsky, and Goldstein only got me to confess, Mueller figured he could connect the dots from Roger Stone to me to Assange, and from Assange back again to me, and from me to Roger Stone, who would feed the information to Steve Bannon, then chairing the Trump campaign.

The final dots, the Mueller prosecutors assumed, would connect Bannon to Trump and the “Russian collusion” chain of communication would be complete. The only problem was that I did not have a source connecting me to Assange, so Mueller’s chain-link narrative does not connect.

While I actually think it possible that Corsi’s shenanigans may have harmed the neatness of Mueller’s case against Stone, perhaps even leading Mueller to charge Stone only with the obstruction charges rather than in a larger conspiracy, it doesn’t affect the understanding with which Mueller seems to be approaching the Don Jr side of any conspiracy, in which Trump’s son accepted a meeting offering dirt, thinking the family might make $300 million off it, and promised policy considerations that — even before he was sworn into office — his father took steps to pay off.

That conspiracy remains, even if Mueller can’t show that at the same time, Trump was maximizing the advantage of the WikiLeaks releases via his old political advisor Roger Stone.

But who knows? Perhaps Mueller may one day prove that, too?

One other thing that’s worth noting, however: As I laid out above, Corsi doesn’t just attempt to explain how he came to guess that WikiLeaks would release John Podesta’s emails. In the guise of doing that, he lays out what amounts to the Greatest Hits of the Denialist Conspiracies, throwing every possible claim mobilized to undermine the conclusion that Russia hacked the Democrats out there, even the ones that undermine Corsi’s own claimed beliefs.

And, as Corsi himself notes, Mueller has Corsi’s Google searches.

Truthfully, I was astounded because it seemed as if the FBI had studied me down to knowing the key strokes that I had used on my computer to do Google searches for articles. I realized my Google file would have much information about my locations and my Internet searches, but the way Zelinsky drilled down on how I wrote this article was shocking.

Repeatedly Zelinsky had warned me that I had no idea how truly extensive the Special Counselor’s investigation had been. Now, I imagined an army of FBI computer specialists at Quantico mapping out my every electronic communication in 2016, including my emails, my cellphone calls, and my use of the laptop and the Internet to conduct my research and write my various articles and memos.

They actually know whether he read this stuff (notably, the NBC, CNN, and NYMag articles he cites from late July 2016) in real time or only after the fact. They know when Corsi downloaded a bunch of other things (including the Guccifer 2.0 releases), and they know whether he read the GRU indictment. The FBI has also likely obtained what he was doing in November, 2018, as he was writing this stuff.

So it may be that when Corsi’s book comes out in hard cover on March 12, Mueller’s team will  already have put together the forensic evidence to prove that Corsi’s claims about how he came by his own forensic analysis — and the rest of these conspiracies — are absolute bullshit. It is, admittedly, frightening how much the government can obtain about our contemporaneous thinking.

But it would be an ironic and just outcome for Corsi if Mueller’s best demonstration about the power of FBI’s forensic analysis comes not in the GRU indictment Corsi so studiously avoided mentioning in the entire book attempting to discredit it, but in proving Corsi’s own claims about forensics to be utterly false.

Corsi’s Timeline

March 16, 2016: WikiLeaks indexes FOIAed Hillary emails

June 12, 2016: Assange announces he has more information on Hillary

In that interview, Assange disclosed that WikiLeaks has “upcoming leaks in relation to Hillary Clinton,” though Assange distinguished the Hillary Clinton emails WikiLeaks possessed pending publication came from a different source than the emails from Hillary’s private email server. This alerted me to the possibility Assange had obtained emails from the DNC email server.

June 14, 2016: WaPo announces the DNC hack

June 15, 2016: Crowdstrike publicly releases white paper on DNC hack and Guccifer 2.0 first posts

July 10, 2016: Seth Rich’s murder

July 22, 2016: WikiLeaks releases the DNC emails

July 25, 2016: Stone emails Corsi asking him to Get to Assange to “get the pending WikiLeaks emails;” Corsi forwards the email to Ted Malloch

July 26, 2016: Assange tells CNN a lot more material is coming and refuses to exclude Russia as a source because “to exclude certain actors is to make it easier to find out who our sources are”

July 28, 2016: Corsi and his wife leave for Italy

July 31, 2016: Stone emails Corsi to “call me MON” instructing him to get Malloch to see Assange

August 2, 2016: Corsi emails Stone,

Word is friend in embassy plans 2 more dumps. One shortly after I’m back. 2nd in Oct. Impact planned to be very damaging.… Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke — neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle.

August 9, 2016: WikiLeaks offers $20,000 reward for information leading to conviction for murder of Seth Rich

August 12, 2016: Corsi returns from Italy

March 7, 2017: WikiLeaks starts to release Vault 7 documents, including an Umbrage file showing that CIA uses disinformation to hide which attacks it launches

May 25, 2017: WSJ reports on Aaron Nevins files that Guccifer 2.0 noted in real time; Corsi deems this (in a Murdoch paper) to be part of the anti-Stone narrative

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The DNC-Centric Focus of the HPSCI Investigation

Through the duration of the various Russia investigations, skeptics always harp on two questions pertaining to the Russian election year hacks — why the Democrats never turned over the DNC “server,” singular, to the FBI, allegedly leaving the FBI to rely on Crowdstrike’s work, and whether several sets of files released via Guccifer 2.0 showed signs of non-Russian origin. That is, skeptics look exclusively at the DNC, not the totality of the known Russian targeting.

Looking at the list of witnesses the House Intelligence Committee called (which the committee will release in the coming weeks) shows one reason why: that the most public and propagandist of all the Russia investigations focused on the DNC to the detriment of other known Democratic targets.

Here’s what the list of the HPSCI interviews looks like arranged by date (HPSCI will not be releasing the bolded interviews).

  1. [Comey, Jim (May 2 and 4, 2017): Intel]
  2. [Rogers, Mike (May 4, 2017): Intel]
  3. [Brennan, John (May 23, 2017): Intel]
  4. Coats, Dan (June 22, 2017): Intel
  5. Farkas, Evelyn (June 26, 2017): Ukraine/RU DOD
  6. Podesta, John (June 27, 2017): Clinton Chair
  7. Caputo, Michael (July 14, 2017): RU tied Trump
  8. Clapper, James (July 17, 2017): Intel
  9. Kushner, Jared (July 25, 2017): June 9 etc
  10. Carlin, John (July 27, 2017): Early investigation
  11. Gordon, JD (July 26, 2017): Trump NatSec
  12. Brown, Andrew (August 30, 2017): DNC CTO
  13. Tamene, Yared (August 30, 2017): DNC tech contractor
  14. Rice, Susan (September 6, 2017): Obama response to hack/unmasking
  15. Stone, Roger (September 26, 2017): Trump associate
  16. Epshteyn, Boris (September 28, 2017): RU-tied Trump
  17. Tait, Matthew (October 6, 2017): Solicit hack
  18. Safron, Jonathan (October 12, 2017): Peter Smith
  19. Power, Samantha (October 13, 2017): Obama response to hack/unmasking
  20. Catan, Thomas (October 18, 2017): Fusion
  21. Fritsch, Peter (October 18, 2017): Fusion
  22. Lynch, Loretta (October 20, 2017): Investigation
  23. Parscale, Brad (October 24, 2017): Trump’s data
  24. Cohen, Michael (October 24, 2017): Trump lawyer
  25. Rhodes, Benjamin (October 25, 2017): Obama response to hack/unmasking
  26. McCord, Mary (November 1, 2017): Early investigation
  27. Kaveladze, Ike (November 2, 2017): June 9 meeting
  28. Yates, Sally (November 3, 2017): Early investigation
  29. Schiller, Keith (November 7, 2017): Trump bodyguard
  30. Akhmetshin, Rinat (November 13, 2017): June 9
  31. Samachornov, Anatoli (November 28, 2017): June 9
  32. Sessions, Jeff (November 30, 2017): Trump transition
  33. Podesta, John (December 4, 2017): Dossier
  34. Denman, Diana (December 5, 2017): RNC platform
  35. Henry, Shawn (December 5, 2017): Crowdstrike
  36. Trump, Jr. Donald (December 6, 2017): June 9
  37. Phares, Walid (December 8, 2017): Trump NatSec
  38. Clovis, Sam (December 12, 2017): Trump NatSec
  39. Goldfarb, Michael (December 12, 2017): Dossier
  40. Elias, Marc (December 13, 2017): Dossier
  41. Nix, Alexander (December 14, 2017): Cambridge Analytica
  42. Goldstone, Rob (December 18, 2017): June 9
  43. Sussmann, Michael (December 18, 2017): Hack and dossier
  44. McCabe, Andrew (December 19, 2017): Early investigation
  45. Kramer, David (December 19, 2017): Dossier
  46. Sater, Felix (December 20, 2017): RU connected Trump
  47. Gaeta, Mike (December 20, 2017): Dossier go-between
  48. Sullivan, Jake (December 21, 2017): Dossier
  49. [Rohrabacher, Dana (December 21, 2017): Russian compromise]
  50. [Wasserman Schultz, Debbie (December 21, 2017): dossier]
  51. Graff, Rhona (December 22, 2017): June 9
  52. Kramer, David (January 10, 2018): Dossier
  53. Bannon, Stephen (January 16, 2018): Trump official
  54. Lewandowski, Corey (January 17, 2018): Trump official
  55. Dearborn, Rick (January 17, 2018): Trump official
  56. Bannon, Stephen (February 15, 2018): Trump official
  57. Hicks, Hope (February 27, 2018): Trump official
  58. Lewandowski, Corey (March 8, 2018): Trump official

While John Podesta, one of the earliest spearphishing victims, was one of  the earliest witnesses (and, as HPSCI shifted focus to the dossier, one of the last as well), the other hack witnesses, DNC CTO Andrew Brown and DNC IT contractor Yared Tamene, represent the DNC. Perhaps that’s because of the NYT’s big story on the hack, which was obviously misleading in real time and eight months old by the time of those interviews. While Perkins Coie lawyer and former DOJ cyber prosecutor Michael Sussmann would surely have real insight into the scope of all the Democratic targets, he was interviewed during HPSCI’s dossier obsession, not alongside Brown and Tamene.

All of which is to say that the HPSCI investigation of the hack was an investigation of the hack of the DNC, not of the full election year attack.

To get a sense of some of what that missed, consider the victims described in the GRU indictment (which leaves out some of the earlier Republican targets, such as Colin Powell). I’ve included relevant paragraph numbers to ID these victims.

  1. Spearphish victim 3, March 21, 2016 (Podesta)
  2. Spearphish victim 1 Clinton aide, March 25, 2016 (released via dcleaks)
  3. Spearphish victim 4 (DCCC Employee 1), April 12, 2016 ¶24
  4. Spearphish victim 5 (DCCC Employee), April 15, 2016
  5. Spearphish victim 6 (possibly DCCC Employee 2), April 18, 2016 ¶26
  6. Spearphish victim 7 (DNC target), May 10, 2016
  7. Spearphish victim 2 Clinton aide, June 2, 2016 (released via dcleaks)
  8. Spearphish victim 8 (not described), July 6, 2016
  9. Ten DCCC computers ¶24
  10. 33 DNC computers ¶26
  11. DNC Microsoft Exchange Server ¶29
  12. Act Blue ¶33
  13. Third party email provider used by Clinton’s office ¶22 (in response to July 27 Trump request)
  14. 76 email addresses at Clinton campaign ¶22 (in response to July 27 Trump request)
  15. DNC’s Amazon server ¶34
  16. Republican party websites ¶71
  17. Illinois State Board of Elections ¶72
  18. VR Systems ¶73
  19. County websites in GA, IA, and FL ¶75
  20. VR Systems clients in FL ¶76

Effectively, HPSCI (and most hack skeptics) focused exclusively on item 11, the DNC Microsoft Exchange server from which the emails sent to WikiLeaks were stolen.

Yet, at least as laid out by Mueller’s team, the election year hack started elsewhere — with Podesta, then the DCCC, and only after that the DNC. It continued to target Hillary through the year (though with less success than they had with the DNC). And some key things happened after that — such as the seeming response to Trump’s call for Russia to find more Hillary emails, the Info-Ops led targeting of election infrastructure in the summer and fall, and voter registration software. Not to mention some really intriguing research on Republican party websites. And this barely scratches on the social media campaign, largely though not entirely carried out by a Putin-linked corporation.

HPSCI would get no insight on the overwhelming majority of the election year operation, then, by interviewing the witnesses they did. Of particular note, HPSCI would not review how the targeting and release of DCCC opposition research gave Republican congressmen a leg up over their Democratic opponents.

And while HPSCI did interview the available June 9 meeting witnesses, they refused to subpoena the information needed to really understand it. Nor did they interview all the witnesses or subpoena available information to understand the Stone operation and the Peter Smith outreach.

Without examining the other multiple threads via which Russia recruited Republicans, most notably via the NRA, HPSCI wouldn’t even get a sense of all the ways Russia was trying to make Republicans and their party infrastructure into the tools of a hostile foreign country. And there are other parts of the 2016 attack that not only don’t appear in these interviews, but which at least one key member on the committee was utterly clueless about well past the time the investigation finished.

The exception to the rule that HPSCI didn’t seek out information that might damn Republicans, of course, is the interview of Dana Rohrabacher, who (along with President Trump) proved reliably willing to entertain Russian outreach via all known channnels. But that’s one of the interviews Republicans intend to keep buried because — according to an anonymous Daily Beast source — they don’t want Rohrabacher’s constituents to know how badly Russia has pwned him before November 6.

“The Republicans are trying to conceal from the voters their colleague Dana Rohrabacher’s Russia investigation testimony,” said a committee source familiar with the issue. “There were highly concerning contacts between Rohrabacher and Russians during the campaign that the public should hear about.”

By burying the Comey, Rogers, and Brennan transcripts, Republicans suppress further evidence of the degree to which Russia specifically targeted Hillary, and did so to help not just Trump, but the Republican party.

I’m sure there will be some fascinating material in these transcripts when they’re released. But even before the selective release, designed to hide any evidence gathered of how lopsided the targeting was, the scope of these interviews makes clear that the HPSCI investigation was designed to minimize, as much as possible, evidence showing how aggressively Russia worked to help Republicans.

As I laid out in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Did GRU Learn that Democrats Had Hired Christopher Steele When They Hacked DNC’s Email Server?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

According to Glenn Simpson’s SJC testimony, he hired Christopher Steele in May or June of 2016 to investigate Trump’s ties to Russia.

Q. And when did you engage Mr. Steele to conduct opposition research on Candidate Trump?

A. I don’t specifically recall, but it would 10 have been in the — it would have been May or June  of 2016.

Q. And why did you engage Mr. Steele in May or June of 2016?

Simpson is maddeningly vague (undoubtedly deliberately) on this point. In one place he suggests he hired Steele after DCLeaks was registered and amid a bunch of chatter about Democrats being hacked, which would put it after June 8 and probably after June 15.

Q. So at the time you first hired him had it been publicly reported that there had been a cyber intrusion into the Democratic National Convention computer system?

A. I don’t specifically remember. What I know was that there was chatter around Washington about hacking of the Democrats and Democratic think tanks and other things like that and there was a site that had sprung up called D.C. Leaks that seemed to suggest that somebody was up to something. I don’t think at the time at least that we were particularly focused on — well, I don’t specifically remember.

But in his more informative HPSCI testimony, he suggests he may have started talking to Steele about collecting intelligence on Trump in May.

MR. QUIGLEY: When exactly did he start working under contract?

MR. SIMPSON: My recollection is that, you know, we began talking about the — I don’t remember when we started talking about the engagement, but the work started in June, I believe.

MR. QUIGLEY: Okay.

MR. SIMPSON: Possibly late May, but –

Given one detail in Mueller’s GRU Indictment, that difference may be critical.

Recall that the DNC figured out they had been hacked in April, and brought in Perkins Coie (the same firm that would engage Fusion GPS) for help. The attorney helping them respond to the hack, Michael Sussmann, warned them not to use DNC email to discuss the hack, because it might alert hackers they were onto them.

The day before the White House Correspondents’ Association dinner in April, Ms. Dacey, the D.N.C.’s chief executive, was preparing for a night of parties when she got an urgent phone call.

With the new monitoring system in place, Mr. Tamene had examined administrative logs of the D.N.C.’s computer system and found something very suspicious: An unauthorized person, with administrator-level security status, had gained access to the D.N.C.’s computers.

“Not sure it is related to what the F.B.I. has been noticing,” said one internal D.N.C. email sent on April 29. “The D.N.C. may have been hacked in a serious way this week, with password theft, etc.”

No one knew just how bad the breach was — but it was clear that a lot more than a single filing cabinet worth of materials might have been taken. A secret committee was immediately created, including Ms. Dacey, Ms. Wasserman Schultz, Mr. Brown and Michael Sussmann, a former cybercrimes prosecutor at the Department of Justice who now works at Perkins Coie, the Washington law firm that handles D.N.C. political matters.

“Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

Mr. Sussmann instructed his clients not to use D.N.C. email because they had just one opportunity to lock the hackers out — an effort that could be foiled if the hackers knew that the D.N.C. was on to them.

“You only get one chance to raise the drawbridge,” Mr. Sussmann said. “If the adversaries know you are aware of their presence, they will take steps to burrow in, or erase the logs that show they were present.”

The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.

But it’s not clear whether Sussmann warned this small team of people against using DNC emails at all, or just those emails discussing the hack.

Previously, I had always guesstimated how long after DNC brought Crowdstrike in the emails ultimately shared with WikiLeaks got exfiltrated from this analysis, based of the last dates of stolen emails and DNC’s email deletion policies in place at the time. It was a damned good estimate — May 19 to May 25.

But according to the indictment, the theft of the DNC emails happened later: starting on May 25, not ending on it.

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

The indictment doesn’t describe the entire universe of emails stolen — whether GRU stole just the 9 email boxes shared with WikiLeaks, or whether they obtained far more.

But the later date — possibly reaching as late as June 1 — means it’s possible GRU stole emails involving top DNC officials, officials involved in opposition research activities (as both Guccifer 2.0 and the DNC itself said had been a focus), including the activity of hiring a former MI6 officer to chase down Trump’s illicit ties to Russians.

Don’t get me wrong. If the Russians did, in fact, learn about the Steele effort and manage to inject his known reporting chain with disinformation, there were plenty of other possible ways they might have learned of the project: the several people overlapping between Fusion GPS’ Prevezon team and its Trump team, Rinat Akhmetshin who learned of the dossier from a chatty NYT editor, or maybe a close Trump ally like Sergei Millian. The sad thing about this disinformation project is it was so widely disseminated, any HUMINT integrity could have easily been compromised early in the process.

But the timeline laid out in the GRU indictment adds one more, even earlier possible way: that Russia learned the Democrats were seeking HUMINT from Russians about Russia’s efforts to help Trump from the Democrats’ own emails.

On the DNC-FBI Spat Over the DNC Server

The Ukrainian Ministry of Defense issued a statement in response to the media coverage following the CrowdStrike claim that malware in an artillery app had a role in massive casualties among Ukraine’s howitzer units. The Google translation (note, it has not yet been translated into English, which itself may say something about intended audience) of it reads,

In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect .

According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.

Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.

Understand what this is: it is in no way a denial that malware infected the artillery app (though it’s also, given that it comes from a country at war with Russia that wants people to stop using this to implicate Russia, not confirmation the malware is Russian). Rather, it is a correction for local journalists to an avowedly pro-Russian source used by Crowdstrike claiming that Ukraine faced 80% losses. And it is a statement that artillery losses from the period in question are due to something else (perhaps the drones that Crowdstrike admitted were involved in the fighting).

Mostly, it’s a complaint that Crowdstrike’s speculative report made Ukraine look bad. As I’ve noted, the report was released before Crowdstrike had spoken to the app developer (and as this statement makes clear, to Ukraine’s MOD), to explain why its previously “medium” confidence that GRU had hacked the DNC was now “high.”

I raise all that as background to the spat Buzzfeed’s Ali Watkins reported on yesterday between the DNC and FBI. In the morning, she reported the DNC claim that the FBI had inexplicably never, itself, accessed the DNC servers.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

Over the course of the day, many people explained that that’s fairly normal. Crowdstrike would have imaged the server, which would provide FBI what it needed.

But the snipe to Watkins was not the first time DNC has presented their case in a light that makes FBI look as bad as possible — they did that with the NYT, too. And so it was inevitable that the FBI would eventually push back, as they did later in the day with Watkins.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

Which promptly led the same DNC that originally leaked a claim making the FBI look bad to bitch about “haters.”

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

In general, I think people are right that you can learn what you need to about a typical breach from an imaged server and the server logs. Indeed, the FBI rebuttal here doesn’t even address whether they needed to get the server. Rather, they just said that there was a delay in their access to the data, not that they didn’t eventually get the data they needed.

And it’s true that there was a delay.

FBI gave the DNC the information they needed to start responding to the FSB hack in September 2015, but the FBI wasn’t brought in formally until maybe June 2016. That doesn’t necessarily excuse that they didn’t escalate sooner (the FBI may have had other reasons not to and I expect we may one day learn that the FBI contacted people beyond just the contractor IT guy), but it does mean that the FBI repeatedly tried to help and the DNC did not accept that help until months later.

Underlying all this is surely the distrust that stems from a political party believing the FBI was conducting a witch hunt of its principal (they’d be proven right a month after the breach became public), though the FBI agents investigating the DNC hack were surely different than the ones investigating Hillary’s server. There may have even been other reasons the DNC didn’t want the FBI nosing around their servers.

Still, we now know they did not ever access DNC’s servers themselves.

And I think in this case they should have, for two reasons.

The Hill story covering this bickering includes this quote from a former FBI agent describing one reason why.

“In nine out of 10 cases, we don’t need access, we don’t ask for access, we don’t get access. That’s the normal [procedure],” Leo Taddeo, a former special agent in charge of the cyber division of the FBI’s New York office, told The Hill.

“It’s extraordinarily rare for the FBI to get access to the victim’s infrastructure because we could mess it up,” he added. “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Asking for direct access to a server wouldn’t be necessary, Taddeo said, “unless there was a reason to think the victim was going to alter the evidence in some way.”

You don’t need access to the server itself unless you’ve got reason to believe the victim altered the evidence. From the very first, you had an entity, Guccifer 2.0, challenging the attribution Crowdstrike made on the server. Abundant analysis has proven that Guccifer is a liar, but Chinese and Iranians and Americans lie just as often as Russians do.

Plus, months after the hack, people started claiming that the source for the files that got to Wikileaks came from an insider. Which, if true (I don’t think it is, but nevertheless it is a competing theory, one that given the animosity within the Democratic party last year is not impossible), would mean that the victim might have altered the evidence.

There’s another reason why the FBI should have double checked the forensics, if they hadn’t already: because (we learned six months after the fact) Crowdstrike only ever had medium confidence that GRU had hacked the DNC based on the forensics they examined.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

And Crowdstrike only came to have high confidence in that attribution by writing a paper that multiple Ukrainian sources (not exactly Russian shills) have now pushed back on. That is, nothing in the original forensics changed, as far as we know; external evidence, of whatever quality, led to a change in confidence.

Which means the forensics itself is not a slam dunk.

I’m beginning to see a hole in all the other security firms’ validation of Crowdstrike’s original attribution, which I hope to return to (though not before next week). In any case, it’d be useful for FBI to have really vetted this work, given that we’ve turned this into an international incident.

So, yeah, the FBI never obtained the DNC server full of political information the government really shouldn’t possess, particularly not an agency perceived to be really hostile to that political party.

But maybe, in this case, they should have.

Sanctioning GRU … and FSB

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU — Main Intelligence, and FSB –Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data provided by FireEye to War on the Rocks much later in the year suggested that the DNC hack was the only time both showed up in a server, which it took to mean the opposite of what Crowdstrike had, particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offers only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented — the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.

CloudStrike’s Own Announcement Makes It Clear It Doesn’t Have Proof of Ongoing Chinese Economic Cyberattacks

Many many many outlets are reporting that China has continued conducting economic espionage even after Xi Jinping agreed to stop doing it. They base that claim on this post from CloudStrike, a big cybersecurity contractor that spends a lot of time feeding the press scary stories about hacking.

Here’s the proof they offer:

Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.

[snip]

In addition to preventing these intrusions, the CrowdStrike Falcon platform also provided full visibility into every tool, command and technique used by the adversary. This allowed us to determine that the hackers saw no need to change their usual tradecraft or previously used infrastructure in an attempt to throw off their scent.

The include a timeline showing 9 attempted intrusions into Tech Sector companies, and 2 into Pharma companies since Xi and President Obama signed the hacking agreement.

Now, even assuming that CrowdStrike has accurately labeled these Chinese government hackers (CrowdStrike’s CTO was less confident in an interview with Motherboard) this still is not proof that China has violated the agreement.

After all, the key part of the agreement is on how stolen information gets used — whether it gets used to benefit individual companies or even entire sectors (the latter of which we do in our own spying, but never mind). If CrowdStrike prevented any data from being stolen, then it is impossible to assert that it was being stolen to benefit market actors without more evidence that the hackers were tasked by a market actor. Even the indictment everyone points to as proof that China engages in economic espionage did not allege that the People Liberation’s Army had shared the data involved in the single economic espionage charge with private sector companies, and given that the data in question pertained to nuclear technology ,it’s not something that is proven just because it was stolen in the context of an ongoing relationship with the victim (even if that is a logical presumption to make).

The same is true here. When China hacked Google to spy on dissidents, that was clearly national security spying. When the US hacked Huawei to figure out how to backdoor its equipment, that was clearly national security spying.When the US used Microsoft and Siemens products to carry out StuxNet, the tech companies were merely enabling targets. There are too many reasons to hack tech sector companies for solidly national security purposes to claim, just based on the sector itself, that it was done for economic espionage.

You can’t even point to the 2 Pharma intrusions to make the claim. A list of sites the State Department identified as critical infrastructure from a leaked 2009 cable includes over 25 pharmaceutical sites (including animal Pharma), many of them related to vaccines. If we’re treating pharmaceutical supply and research facilities as critical infrastructure, with the presumed consequent defensive surveillance of those sites, it is tough to argue the Chinese can’t consider our pharmaceutical companies making key drugs to be critical targets. Both can be argued to stem from the same public health concerns.

I’m not saying it’s impossible or even unlikely that these intrusions were attempted economic espionage. I’m saying that this isn’t evidence of it, and that the reporting repeating this claim has been far too credulous.

But that also points to one of the inherent problems with this deal (one pointed to by many people at the time). When last he testified on the subject, Jim Clapper didn’t even claim to have fully attributed the OPM hack. The same attribution and use problems exist here. China may steal data on an important new drug, but that’s not going to be enough to prove they stole it for commercial gain until they release their own copycat of the drug in several years and use it to undercut the US company’s product, and even then that may require a lot more data — collected by spying! — from inside the market companies themselves (in part because China engages in many other means of stealing data which aren’t the subject of a special agreement, which will make even the copycat instance hard to prove came from an intrusion).

China knew that, too, when it signed the agreement. It will take more than evidence of 11 attempted intrusions to prove that China is violating the agreement.