The Parts of the Mueller Report withheld from Roger Stone Show the Centrality of His WikiLeaks Activities to Trump’s Obstruction

Along with denying most of Roger Stone’s frivolous challenges to his prosecution, Amy Berman Jackson also partly granted his motion to get some of the redacted Mueller Report. As she laid out, she permitted the government to withhold grand jury information, sources and methods, stuff that would harm the reputation of others, and prosecutorial deliberations.

But the Court was of the view that the Report of the Special Counsel should receive separate consideration since a great deal of deliberative material within the Report had already been released to the public.

[snip]

Having considered the defendant’s motion, the government’s response and supplemental submissions, and the Report itself, the Court has determined that the defense should have the limited access he requested to some, but not all, of the redacted material.32 Insofar as defendant’s motion to compel seeks any material that was redacted from the public report on the basis that its release would infringe upon the personal privacy of third parties or cause them reputational harm; pursuant to Federal Rule of Criminal Procedure 6(e); or on the basis of national security or law enforcement concerns, including information that if revealed, could potentially compromise sensitive information gathering sources, methods, or techniques or harm ongoing intelligence or law enforcement activities, the Court will deny the motion.33 With respect to material that was withheld solely on the basis that its release could affect the ongoing prosecution of this case, the Court has concluded that the material to be specified in the order issued with this opinion should be provided to counsel for the defendant subject to the terms and conditions of the Protective Order in this case.

As she described, the government “submit[ed] unredacted portions of the Report that relate to defendant ‘and/or “the dissemination of hacked materials.”’” Then she and the government conducted a sealed discussion about what could be released to Stone. In addition to her opinion, she submitted an order describing which specific pages must now be released to Stone.

We can compare what the government identified as fitting her order — this includes anything that fits the order, whether redacted or not — with what she has ordered released to Stone (note, the government either did not include Appendix D, showing referrals, or ABJ didn’t mention it, because in addition to an unredacted reference to Stone, there are referrals that the FOIA copies show to be related to Stone; nor did it include questions to Trump).

ABJ has not ordered the government to turn over anything pertaining to how GRU got stolen documents to WikiLeaks. This is precisely the kind of thing Stone is trying to get with his demands for CrowdStrike reports; after ABJ pointed out that if they really wanted the reports they would have tried subpoenaing CrowdStrike, they are now launching an attempt to do that. That ABJ has not ordered the government to turn this material over does not bode well for Stone’s plans to make this trial about the hack-and-leak rather than his lies. I would not be surprised if Stone made a second effort to get this information.

She has permitted the government to withhold all the prosecutorial decisions covered by her order except the one pertaining to Stone’s own lies. In addition, she let the government withhold one line about how they hadn’t determined whether or not Stone and Corsi had managed to optimize the release of the Podesta emails in October (though she did give Stone the more detailed discussion of that).

But ABJ has not included any of the references in the main part of Volume II in her order (presumably to protect Trump’s reputation!). That Volume includes three references to Trump and the campaign’s enthusiasm for or attempts to optimize the WikiLeaks releases through Stone, the reference to Richard Burr leaking news of the targets of the investigation (including Stone) to the White House before Jim Comey got fired, and three instances describing Trump floating pardons to Stone or otherwise encouraging him to remain silent.

It also includes the page on which this passage appears:

After Flynn was forced to resign, the press raised questions about why the President waited more than two weeks after the DOJ notification to remove Flynn and whether the President had known about Flynn’s contacts with Kislyak before the DOJ notification.244 The press also continued to raise questions about connections between Russia and the President’s campaign.245 On February 15, 2017, the President told reporters, “General Flynn is a wonderful man. I think he’s been treated very, very unfairly by the media.”246 On February 16, 2017, the President held a press conference and said that he removed Flynn because Flynn “didn’t tell the Vice President of the United States the facts, and then he didn’t remember. And that just wasn’t acceptable to me.” 247 The President said he did not direct Flynn to discuss sanctions with Kislyak, but “it certainly would have been okay with me if he did. I would have directed him to do it if I thought he wasn’t doing it. I didn’t direct him, but I would have directed him because that’s his job.”248 In listing the reasons for terminating Flynn, the President did not say that Flynn had lied to him.249 The President also denied having any connection to Russia, stating, “I have nothing to do with Russia. I told you, I have no deals there. I have no anything.”250 The President also said he “had nothing to do with” WikiLeaks’s publication of information hacked from the Clinton campaign.251 [my emphasis]

Clearly, it was included for Trump’s public denials — at the moment he fired Flynn in an attempt to stop the Russian investigation — of having anything to do with WikiLeaks’ publication of materials stolen from Hillary’s campaign. It is, on its face, a reference to the publication of the stolen emails, and as such qualifies under ABJ’s order. At that level, it is unremarkable.

But the government is treating it not as Trump making empty denials, but instead as Trump making a claim specifically disavowing any involvement in WikiLeaks’ publication of stolen emails. Mueller’s team put the claim right next to a claim we know to be false, a claim designed to hide his Trump Tower deals. And it put all that amid a discussion of why he first did not, and then did, fire Mike Flynn.

Now consider something else: While it doesn’t appear in the Mueller Report at all, one thing Flynn told prosecutors was that after WikiLeaks started dumping John Podesta’s emails, he took part in conversations during which the campaign discussed reaching out to WikiLeaks.

The defendant also provided useful information concerning discussions within the campaign about WikiLeaks’ release of emails. WikiLeaks is an important subject of the SCO’s investigation because a Russian intelligence service used WikiLeaks to release emails the intelligence service stole during the 2016 presidential campaign. On July 22, 2016, WikiLeaks released emails stolen from the Democratic National Committee. Beginning on October 7, 2016, WikiLeaks released emails stolen from John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign. The defendant relayed to the government statements made in 2016 by senior campaign officials about WikiLeaks to which only a select few people were privy. For example, the defendant recalled conversations with senior campaign officials after the release of the Podesta emails, during which the prospect of reaching out to WikiLeaks was discussed.

There’s nothing in the public record that suggests Flynn knew of Trump’s efforts, during the campaign, to build a Trump Tower. But he did know about Trump’s efforts to optimize WikiLeaks’ releases of stolen emails. And Trump would have known that when he considered the impact of Flynn’s ties to Russia being investigated by the FBI.

And the treatment of that reference as a real denial — as Trump evincing guilt even as he fired Flynn — sure makes the Flynn firing more interesting.

Roger Stone Lawyer Bruce Rogow Concedes His CrowdStrike Ploy Was Just That

Most of the reporting on Roger Stone’s status hearing yesterday has focused on whether Judge Amy Berman Jackson would hold Stone in contempt for violating her gag. She did find he had violated her gag, but responded only by prohibiting him from using Twitter, Facebook, or Instagram — an outcome consistent with what I laid out here. Shortly after the hearing ended, Stone’s spouse, Nydia, posted a picture of the two of them on Instagram, though within the terms permitted by ABJ’s gag.

I’m more interested, however, in the exchanges covering Stone’s Fourth Amendment challenge to all the warrants against him and his demand to obtain full copies of the CrowdStrike reports (including descriptions of what new defenses CrowdStrike implemented) provided to the Democrats and shared with the FBI, a pair of motions that Stone successfully used to inflame conspiracies among the frothy right and the denialist left.

It was always clear this was about disinformation. After all, the very same lawyers had argued for the very same client that Russia did do the hack in the DNC lawsuit.

Predictably, ABJ was clearly having none of the Fourth Amendment challenge. She repeatedly challenged Stone’s motion by undermining his false claim, noting that the FBI relied on the US Intelligence Committee’s attribution of the DNC hack to Russia and not — as Stone had claimed and the useful idiots responding to his motion had repeated unquestioningly — the CrowdStrike reports. Aaron Zelinsky sounded like a DFH blogger when he described the effort as an attempt, “to backdoor a debunked conspiracy theory.”

A more telling moment came when ABJ got Bruce Rogow to concede that Stone’s team had not acted as if they really needed the CrowdStrike reports, as they had claimed to inflame their useful idiots.

The government had represented they didn’t have the full reports (as noted, in the reports the Democrats shared with the FBI, they redacted the information describing what they did to harden their networks).

At the direction of the DNC and DCCC’s legal counsel, CrowdStrike prepared three draft reports.1 Copies of these reports were subsequently produced voluntarily to the government by counsel for the DNC and DCCC.2 At the time of the voluntary production, counsel for the DNC told the government that the redacted material concerned steps taken to remediate the attack and to harden the DNC and DCCC systems against future attack. According to counsel, no redacted information concerned the attribution of the attack to Russian actors. The government has also provided defense counsel the opportunity to review additional reports obtained from CrowdStrike related to the hack.

[snip]

As the government has advised the defendant in a letter following the defendant’s filing, the government does not possess the material the defendant seeks; the material was provided to the government by counsel for the DNC with the remediation information redacted. However, the government has provided defense counsel the opportunity to review additional unredacted CrowdStrike reports it possesses, and defense counsel has done so.3

1 Although the reports produced to the defendant are marked “draft,” counsel for the DNC and DCCC informed the government that they are the last version of the report produced.

2 The defendant describes the reports as “heavily redacted documents,” Doc. 103, at 1. One report is thirty-one pages; only five lines in the executive summary are redacted. Another runs sixty-two pages, and redactions appear on twelve pages. The last report is fifty-four pages, and redactions appear on ten pages.

3 These materials are likewise not covered by Brady, but the government produced them for defense counsel review in an abundance of caution.

As ABJ noted, given the representation that the government doesn’t have full unredacted reports, asking for them from the government is pointless, something Rogow conceded. The way to get the full reports, ABJ noted, would be to subpoena them from the Democrats or CrowdStrike itself.

And Stone’s lawyer admitted they hadn’t done that.

This is tantamount to a confession that Stone never really needed the documents in the first place, but instead only wanted to use them to stake a false claim about them in the press.

And given the large number of people who repeated the claim credulously, that effort succeeded.

Update: After issuing a minute order yesterday, ABJ issued a written one today, making it clear that Stone can’t just move to Gab or have Nydia post for him to get around the gag.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

A New Form of Victim Blaming: Demanding that Rat-Fucker Roger Stone Get to Learn the Defensive Measures DNC Implemented in 2016

Roger Stone’s ongoing effort to float hoaxes rather than mount a credible defense has gotten the left and right denialists into a tizzy about CrowdStrike again. But this time it’s not just an effort to raise doubts about whether Russia hacked the DNC, but an effort to suggest that Democrats can only obtain law enforcement help in response to being hacked if they’re willing to share their own network defenses with the FBI, and do so while their candidate is under active investigation by the FBI.

As I noted back in May, Stone demanded unredacted CrowdStrike reports in the guise of challenging warrants based off a claim that Russia didn’t actually hack the DNC. In the latter motion, Stone claimed to have received three redacted CrowdStrike reports (though as is typical of the sloppy work his lawyers do, they can’t even get that citation correct).

CrowdStrike’s three draft reports are dated [sic] August 8 and August 24, 2016. The Mueller Report states Unit 26165 officers also hacked into a DNC account hosted on a cloud-computing service on September 20, 2016, thereby illustrating the government’s reliance on CrowdStrike even though the DNC suffered another attack under CrowdStrike’s watch. (See Mueller Report at 49-50). [my emphasis]

The government’s response to the Fourth Amendment challenge notes that the fourteen warrant affidavits for hacking (Computer Fraud and Abuse Act) violations don’t rely on Russian attribution to establish probable cause, but instead point to Stone’s, WikiLeaks’, Guccifer 2.0’s, and Jerome Corsi’s communications to establish that a hack was committed and Stone’s facilities likely had evidence about it.

In brief, each of these affidavits (at a minimum) states that Stone communicated with the Twitter account Guccifer 2.0 about hacked materials Guccifer had posted. Each affidavit states that on June 15, 2016, Guccifer 2.0 publicly claimed responsibility for the hack of the computer systems of the Democratic National Committee (“DNC”). Each affidavit states that Organization 1 published materials stolen from the DNC in the hack. Each affidavit describes Stone’s communications (including his own public statements about them) with Guccifer 2.0, Organization 1, and the head of Organization 1. Each affidavit submits that, based on those communications, there was probable cause to believe that evidence related to the DNC hack would be found in the specified location.

[snip]

On the contrary, the 1030 warrant affidavits contain detailed descriptions of Stone’s communications with Guccifer 2.0, Organization 1, and the head of Organization 1, and, in some cases, detailed descriptions of witness tampering and false statements. See, e.g., Doc 109, Ex. 10 at ¶¶ 35-40 (discussing Stone’s communications with Organization 1 and the head of organization 1), Ex. 11 at ¶ 24 (discussing private Twitter message between Stone and Guccifer 2.0); Ex. 18 at ¶¶ 64-77 (relating to Stone’s conversations with Person 2).

[snip]

The various showings of probable cause in the 1030 warrant affidavits did not depend on the identity of the hacker, but rather were based on evidence showing that Stone communicated with a Twitter account that publicly claimed responsibility for the DNC hack, and that Stone communicated with the very organization that was disseminating materials from the DNC computers in the months after the hack. This evidence established probable cause that searches of the target locations would yield evidence of a violation of 18 U.S.C. § 1030, regardless of whether the Russian state was involved.

If Judge Amy Berman Jackson agrees that those warrant affidavits establish probable cause independent of any attribution, then the entire question of CrowdStrike reports is moot.

Yet the government still had to explain why the CrowdStrike demand was frivolous. In the response to the CrowdStrike demand, then, the government noted that these reports are unrelated to the false statements charges Stone is facing.

The defendant is not charged with conspiring to hack the DNC or DCCC. Cf. Netyksho, Doc. 1. The defendant is charged with making false statements to Congress regarding his interactions with Organization 1 and the Trump Campaign and intimidating a witness to cover up his criminal acts. Any information regarding what remediation steps CrowdStrike took to remove the Russian threat from the system and strengthen the DNC and DCCC computer systems against subsequent attacks is not relevant to these charges. And, in any case, the government does not need to prove at the defendant’s trial that the Russians hacked the DNC in order to prove the defendant made false statements, tampered with a witness, and obstructed justice into a congressional investigation regarding election interference.

But along with that, the government also provides some details about how it came into possession of the CrowdStrike reports — which basically amounts to the Democrats sharing them with the FBI when they informed the FBI of a crime. The government explains that the redacted materials don’t actually pertain to evidence about the hack, but instead pertain to what CrowdStrike did — while their client was trying to win a presidential election, remember, and while the party’s presidential candidate was being investigated by the FBI — to protect the Democrats against further hacking. The government also demonstrates that Stone exaggerates when he claims these are “heavily” redacted.

At the direction of the DNC and DCCC’s legal counsel, CrowdStrike prepared three draft reports.1 Copies of these reports were subsequently produced voluntarily to the government by counsel for the DNC and DCCC.2 At the time of the voluntary production, counsel for the DNC told the government that the redacted material concerned steps taken to remediate the attack and to harden the DNC and DCCC systems against future attack. According to counsel, no redacted information concerned the attribution of the attack to Russian actors. The government has also provided defense counsel the opportunity to review additional reports obtained from CrowdStrike related to the hack.

[snip]

As the government has advised the defendant in a letter following the defendant’s filing, the government does not possess the material the defendant seeks; the material was provided to the government by counsel for the DNC with the remediation information redacted. However, the government has provided defense counsel the opportunity to review additional unredacted CrowdStrike reports it possesses, and defense counsel has done so.3

1 Although the reports produced to the defendant are marked “draft,” counsel for the DNC and DCCC informed the government that they are the last version of the report produced.

2 The defendant describes the reports as “heavily redacted documents,” Doc. 103, at 1. One report is thirty-one pages; only five lines in the executive summary are redacted. Another runs sixty-two pages, and redactions appear on twelve pages. The last report is fifty-four pages, and redactions appear on ten pages.

3 These materials are likewise not covered by Brady, but the government produced them for defense counsel review in an abundance of caution.

This makes it clear that, on top of being totally irrelevant to the probable cause consideration of the warrants for Stone’s communications, Stone is basically arguing that as part of asking the FBI to investigate a crime targeting them — at a time when the FBI was actively investigating Hillary!!! — the Democrats should have had to share the new network security measures installed in response to the crime. This amounts to demanding that a crime victim who might also be under FBI investigation hand the FBI an investigative benefit — the equivalent of handing over their passwords — just to report the crime.

But what Stone has done is worse. He has demanded that he — modern America’s greatest rat-fucker, and someone against whom the FBI was able to show probable cause for hacking crimes — be informed of the opposing party’s defenses against being hacked for no good reason at all.

And a bunch of chumps are magnifying Stone’s demand, as if it has credibility, because they’re still clinging to some kind of hope that Russia didn’t hack the DNC.

Below, I’ve put a list of all the obvious investigative sources cited in the GRU indictment (cited by paragraph number) and the Mueller Report (cited as MR and page number) aside from CrowdStrike reports on the server activity and the witness reports of Democratic employees (hoaxsters often assume that no one in the Democratic Party conducted their own investigation, which is false). This is a fairly conservative list, and primarily consists of stuff the FBI would obtain from subpoenas for third party records. There are twenty-nine sources of information totally independent of CrowdStrike, and those sources include Google, Facebook, Microsoft, and AWS — all of which have global visibility and conduct their own tracking of GRU’s hacking for their own security purposes, plus Twitter and WordPress (the latter of which also has superb security resources). The list also includes a server in AZ that I assume the FBI seized; it does not include a server in TX that I’ve also been told got seized in the FBI’s investigation.

And that’s just the unclassified stuff.

The notion that the attribution of the DNC hack to the GRU relies on CrowdStrike reports or FBI possession of the alleged single DNC server has always been nonsense. But that nonsense is now being wielded to demand that victims of a crime turn over to their political adversaries — and not just any adversary but an epic rat-fucker — details of what they did to make sure they would not be victimized in the next election. As Rayne explained in May, this is not just an attempt to obfuscate what happened in 2016; it’s an attempt to continue to damage the Democrats going forward.

And left and right wing denialists are playing along like chumps.

Update: I should have noted something that is obvious to anyone who follows cybersecurity but which hoaxsters pretend not to know: CrowdStrike gave the FBI forensic images of the servers and other affected hardware and software. That is the norm for computer investigations.

  1. URL-shortening service (WADA hack used bit.ly) [Indictment ¶21a]
  2. Gmail, including accounts of victims [Indictment ¶21b, MR 37]; accounts used by GRU [MR 47]; and their own security
  3. LinkedIn [Indictment ¶21c]
  4. Probe of DNC’s IP address
  5. Search on open source info on DNC [MR 37]
  6. AZ server — FBI with direct access, possible seizure [Indictment ¶24c, ¶58, MR 39]
  7. Malaysian server [Indictment ¶25, MR 39]
  8. Other redacted servers [MR 39]
  9. Microsoft [MR 41]
  10. Romanian domain registration site [Indictment ¶¶33b, 35, 58]
  11. ActBlue [Indictment ¶33b]
  12. AWS [personal reporting, ¶34, MR 49]
  13. Smartech Corporation [¶37, MR 42]
  14. Facebook [¶38, MR 42]
  15. Twitter [¶¶39, 44, MR 44]
  16. WordPress [¶¶42-43, 46]
  17. BTC exchanges [¶63]
  18. VPN purchase [¶45a]
  19. gfade147 email account [¶60]
  20. US payment processor [¶62]
  21. Forensic images of DNC servers and traffic logs [MR 40]
  22. Stolen document forensics [MR 47]
  23. Aaron Nevins [MR 43]
  24. AOL [MR 43]
  25. Online archives [MR 46]
  26. Ecuadorian Embassy network [MR 46]
  27. [email protected] email [MR 46]
  28. WikiLeaks email [MR 47]
  29. Clinton personal office domain [MR 49]

In a Shoddy Attempt to Inflate the Single Server Fallacy, Roger Stone Suggests Communicating with Guccifer 2.0 Would Be Criminal

In a frivolous pair of motions, Roger Stone is going after CrowdStrike’s analysis of the Russian hack. In the first, he demands full unredacted copies of CrowdStrike’s reports on the hacks. He bases that demand on a claim the CrowdStrike reports are material to a motion to suppress the warrants against him because — he claims, falsely — the government relied exclusively on the CrowdStrike reports to decide Russia had hacked Democratic targets, so if the reports are faulty, then so are the warrants.

The entire stunt is based off what appears to be an inaccurate claim — that this government response to some other frivolous motions claimed they didn’t have to prove that Russia hacked Democratic targets.

The Government stated in its Opposition to Stone’s Motion to Dismiss (Dkt # 99) that it will not be required to prove that the Russians hacked either the Democratic National Committee (“DNC”) or Democratic Congressional Campaign Committee (“DCCC”) from outside their physical premises or that the Russians were responsible for delivering the data to WikiLeaks.

Maybe he’s thinking of another government response to his motions that notes they don’t have to prove an underlying crime to prove obstruction, but the one he cites (without paragraph citation) doesn’t make that claim. I mean, it is true that the government doesn’t have to prove the underlying crime, but that is a different issue from having to prove what physical premises the Russians hacked the DNC from.

In his demand for the CrowdStrike servers, Stone at least claims he’s making the demand to distinguish his case from all the other Trump flunkies prosecuted for lying to Congress and mount a materiality challenge to his false statements prosecution.

As to selective prosecution, if the Russian state did not hack the DNC, DCCC, or Podesta’s servers, then Roger Stone was prosecuted for obstructing a congressional investigation into an unproven Russian state hacking conspiracy, while others similarly situated were not. Lastly, if the Russian state did not hack the servers or did not transfer the data to WikiLeaks, the exculpatory evidence regarding materiality, a factual issue for the jury, is amplified.

But in his Fourth Amendment challenge, Stone suggested that if Russia didn’t hack the Democrats and hand the documents to WikiLeaks, then speaking to WikiLeaks and Guccifer 2.0 would not be a crime.

If these premises are not the foundation for probable cause, Roger Stone communicating with a Twitter user named “Guccifer 2.0” or speaking with WikiLeaks, would not constitute criminal activity.

Hmm.

Speaking to WikiLeaks and Guccifer 2.0 would only be a crime if Stone engaged in a conspiracy with them, and a good bit of the redacted language on prosecutorial decisions in the Mueller Report probably says the First Amendment otherwise protects such speech. That said, the claim that talking to them would be a crime is interesting given some of the crimes for which the government showed probable cause in his warrant affidavits.

The search warrant applications however, allege that the FBI was investigating various crimes at different times, such as Stone for accessory after the fact, misprision of a felony, conspiracy, false statements, unauthorized access of a protected computer, obstruction of justice, witness tampering, wire fraud, attempt and conspiracy to commit wire fraud, and foreign contributions ban. The uncharged conduct particularly relied upon the assumptions the Russian state is responsible for hacking the DNC, DCCC,1 and even (although not as clear) Hillary Clinton campaign manager, John Podesta.

Stone is not, here, claiming that the government didn’t show a lot of evidence he engaged in these crimes (and remember, the government has told Andrew Miller that they’re likely to supersede Stone’s current indictment after they get Miller’s grand jury testimony, the content of which they know from an FBI interview last year). Rather, he’s claiming that these hacking-related crimes would only be illegal if the Russians did the hacking. (I really look forward to the government response to this, because some of these crimes would be crimes based on Julian Assange’s foreign status, not GRU’s, and wire fraud is a crime all by itself.)

Perhaps most interesting is the way Stone’s lawyers dismiss the Mueller Report (and the GRU indictment’s) focus on DCCC and Podesta documents. A footnote even suggests falsely that the Mueller Report said the DCCC documents did not get released.

WikiLeaks never released the DCCC documents. The Mueller report suggests the hack of the DCCC only provided additional keys to access the DNC servers.

At one point — perhaps a critical one — Stone uses the fact that the GRU hacked the DNC’s AWS server after Stone dismissed the value of the DCCC oppo research Guccifer 2.0 discussed with Stone in early September 2016 to suggest CrowdStrike was not competent.

CrowdStrike’s three draft reports are dated [sic] August 8 and August 24, 2016. The Mueller Report states Unit 26165 officers also hacked into a DNC account hosted on a cloud-computing service on September 20, 2016, thereby illustrating the government’s reliance on CrowdStrike even though the DNC suffered another attack under CrowdStrike’s watch.

Of course, CrowdStrike had little ability to protect AWS’ servers.

Ultimately, this is an attempt to misrepresent the Mueller Report and GRU indictment to shift the focus away from the Podesta and DCCC documents — where Stone’s greater criminal exposure might lie — and onto the Single Server Fallacy about the DNC server, which is irrelevant to those other documents.

And along the way, Stone lays out a good number of impressive crimes he was and may still be at risk for, and admits the government believed his actions are closely enough tied to the hacks to get redacted copies of the CrowdStrike reports in discovery. He also concedes (incorrectly) that simply speaking to WikiLeaks and Guccifer 2.0 may be a crime.

Fun with Dr. Corsi’s “Forensics”!

By far the most ridiculous part of Jerome Corsi’s book is where he spends an entire chapter pretending that he figured out on his own that WikiLeaks had John Podesta’s emails rather than being told that by someone whose identity he’s trying to avoid sharing with Mueller’s team.

The chapter is one of three in the book that he presents as having been written in real time, effectively as diary entries. Corsi presents it as the fevered narrative he wrote on November 18, 2018, after a night of nightmares, at a time when Mueller’s team was cracking down on him for his continued lies but before he refused the plea deal.

Last night, I was plagued by nightmares that caused me to sleep very poorly.

His change in voice is followed with an even more direct address to readers, which he returns to as an interjection in the middle of his crazed explanation.

I am going to write this chapter to explain to you, the reader, how I used my basic intuitive skills as a reporter to figure out in August 2016 that Assange had Podesta’s emails, that Assange planned to start making the Podesta file public in October 2016, and that Assange would release the emails in a serial, day-by-day fashion, right up to election day.

[snip]

Now, I know this is tedious and will tax many readers, so I’ve decided here to take a break. You have to understand what I am going through is a roller-coaster. Sometimes I feel like everything is normal and that the federal government will understand that I am a reporter and should be protected by the First Amendment. Then, I realize that the next ring of the doorbell could be the FBI seeking to handcuff me and arrest me in full view of my family.

Resuming after a much-needed break, we need only a few more dates to complete the analysis.

The chapter consists of three things, none of which even remotely presents a case for how he could have concluded WikiLeaks was sitting on John Podesta’s emails:

  • An argument that claims he simply reasoned it all out, without proof
  • A chronology that makes no sense given the July and August 2016 emails he’s trying to explain away
  • Other crap theories designed to undermine Mueller’s argument about Russian involvement, most of which post-date the date when Corsi claims to have figured out the Podesta emails were coming

Corsi’s “argument”

Corsi’s main argument is this:

Clearly, I reasoned there had to have been Podesta emails on that server that would have discussed the Clinton/DNC plot to deny Bernie Sanders the Democratic Party presidential nomination in 2016. Where were these Podesta emails, I wondered?

[snip]

I felt certain that if Assange had Podesta’s emails he would wait to drop them in October 2016, capturing the chance to stage the 2016 “October Surprise,” a term that had been in vogue in U.S. presidential politics since 1980 when Jimmy Carter lost re-election to Ronald Reagan, largely because the Reagan camp finessed Ayatollah Khomeini to postpone the release of the hostages from the American embassy in Tehran until after that year’s November election. I also figured that Assange would release the Podesta emails in drip-drip fashion, serially, over a number of days, stretching right up to the Election Day. In presidential politics, the news cycle speeds up, such that what might take a month or a week to play out in a normal news cycle might take only a day or two in the heightened intensity of a presidential news cycle—especially a presidential news cycle in October, right at Election Day is nearing.

In spite of his claims, elsewhere, to have done forensic analysis that told him John Podesta’s emails were coming, ultimately his argument boils down to this: he figured out that Podesta’s emails (which he purportedly hadn’t read) would be the most damning possible thing and therefore WikiLeaks must have and intend to release them in a serial release because it made sense.

Corsi’s chronology

From there, Corsi proceeds to spin out the following bullshit about how he came to that conclusion:

  • Starting in February 2016, a woman named LH whose ex-husband was a former top NSA figure told him [why?] incorrect things about how the Democrats organize their servers. This information seems to be inflected by the flap over VAN space the previous December, but Corsi doesn’t mention that. This information is wrong in many of the ways later skeptics of the Russian hack would be wrong, but Corsi claims he had that wrong understanding well in advance of the crowd.
  • When Assange announced on June 12 that he had upcoming Hillary leaks, Corsi was “alerted to the possibility Assange had obtained emails from the DNC email server,” which he took to mean VAN.
  • When the WaPo reported on the DNC hack on June 14, 2016, Corsi took Democrats’ (false) reassurances about financial data to be true, matched it to his incorrect claimed understanding of how the Democrats organized their data, and assumed VAN had been hacked (this is the day before Guccifer 2.0 would claim he got in through VAN, remember). Corsi also claims to have noted from the WaPo story that Perkins Coie and Crowdstrike were involved, the latter of which he tied to Google’s Eric Schmidt (who was helping Dems on tech), which together he used to suggest that in real time he believed the Democrats had “manufactured” evidence to pin the hack on the Russians. Again, Corsi is suggesting he got to the conspiracy theories it took the rest of Republicans a year to get to, but in real time.
  • Corsi incorrectly read the Crowdstrike white paper (on which the WaPo story was obviously based and which Ellen Nakashima had had for about a week, and which includes an update written in response to the appearance of Guccifer 2.0) as a response to Guccifer 2.0’s post on June 15 and — in spite of the WaPo report that Cozy Bear had been “monitoring DNC’s email and chat communications” — concluded that the hackers had not taken email.
  • After the DNC emails were released, Corsi had what he claims was his big insight: that these emails largely came from DNC’s Comms Director and their finance staffers, which meant Podesta’s (and DWS’, which he logically should but did not, pursue) had to be what was left. Mind you, the former point is something WikiLeaks made clear on its website:

On July 22, 2016, Wikileaks began releasing over two days a total of 44,053 emails and 17,761 email attachments from key figures in the DNC. What I noticed immediately was that the largest number of emails by far came from DNC Communications Director Luis Miranda (10,520 emails), who had approximately three-times the emails released for the next highest on the list, National Finance Director Jordon Kaplan (3,799 emails) and Finance Chief of Staff Scott Corner (3,095 emails). What I noticed immediately was that emails from Debbie Wasserman Schultz and John Podesta were missing. Yet, by analyzing the addresses in the emails, it was clear the “From,” “To,” and or “CC” listings indicate the email was sent by or to an addressee using the DNC email server, identified as @dnc.org.

  • In his narrative of how he “figured out” there must be Podesta emails, he relies not on the July 25 NBC story he cites earlier in his book, quoting Assange saying there was “no proof” the emails came from Russia (and suggesting his set were a different one than the ones analyzed by cybersecurity experts), but a CNN story he dates to July 26 but which got updated early morning July 27, citing Assange saying, “Perhaps one day the source or sources will step forward and that might be an interesting moment some people may have egg on their faces. But to exclude certain actors is to make it easier to find out who our sources are;” Corsi also cites a July 27 NYMag story citing the CNN one. Corsi claims that as he was listening to this interview, he realized that Assange had Podesta emails “lifted from the DNC server,” which would be incorrect even if it were true, given that Podesta’s emails were from his Gmail account.

Listening to this interview on CNN, all the pieces fit in place for me. Assange had Podesta emails that were also lifted from the DNC server and these were the emails he was holding to drop later in the campaign.

  • Corsi describes “the last piece of the puzzle” to be Seth Rich’s death on July 10, 2016, which occurred before Assange’s post-DNC-release interviews, in one of which Assange suggested his sources were still alive to “step forward,” and then points to Assange’s offer of a reward for information leading to a conviction on August 9. This happened after he had already suggested to Stone that Podesta’s emails were coming.

None of this explains how Corsi would not have decided that Clinton Foundation emails were what was missing, which is what Stone believed when he instructed Corsi to reach out to Ted Malloch on July 25, the day before the Assange interviews Corsi says led him to conclude WikiLeaks instead had Podesta’s emails. And much of it assumes that a unified hack occurred (otherwise it would be impossible to decide what was coming from what had already been released), an assumption he claims not to believe in much of the rest of his crap.

Corsi’s crap

In addition to that chronology, though, Corsi throws in a bunch of crap meant to discredit the evidence laid out in the Mueller GRU indictment. Much of this evidence post-dates the moment he claims he figured out that WikiLeaks had Podesta’s emails, which makes it irrelevant to his theory; nevertheless, Corsi throws it out there.

  • Corsi takes the Guccifer 2.0 leak of DCCC files to Aaron Nevins — which didn’t happen until over a month after he told Stone that WikiLeaks had Podesta emails — to be “proof” not just that Guccifer 2.0 only hacked DNC files, which he again asserts incorrectly came from VAN, but also that Guccifer 2.0 had not hacked emails.
  • Corsi claims that Guccifer 2.0 “never bragged that he hacked the DNC email server that contained the Podesta emails,” even though Guccifer 2.0 did brag that WikiLeaks had published documents he gave them after the DNC leak.
  • Corsi claims that Guccifer 2.0 published donor lists and voter analysis at DCLeaks, which is generally inaccurate (indeed, some Podesta files came out via DCLeaks!), but also admits a tie between Guccifer 2.0 and DCLeaks that would either rely on contemporary reporting that asserted a tie, the GRU indictment, or some personal knowledge not otherwise explained.
  • Corsi claims that, unlike Marcel Lazar, “Guccifer 2.0 has never been positively identified let alone arrested,” without explaining how he’s sure that the 12 GRU officers Mueller indicted don’t amount to positively identifying the people running Guccifer 2.0. Indeed, rather than addressing that indictment, Corsi instead tries to rebut the Intelligence Community Assessment’s “high confidence” attribution of Guccifer 2.0 to GRU, which he claims “relies on ‘tradecraft’ that relies on circumstantial evidence at best, presuming a hacker leaves a signature.” In the ICA, that discussion appears in a section that also notes that “Some analytic judgments are based directly on collected information,” as the Mueller indictment makes clear the GRU one was.
  • Corsi claims the Vault 7 release suggesting the CIA has a tool to falsely attribute its own hacks “undermined” the IC’s attribution of Cozy Bear and Fancy Bear, without realizing that’s a different issue from whether the CIA, NSA, and FBI can correctly attribute the hack (though if the Russians obtained those files in the weeks after Joshua Schulte allegedly stole them in 2016, it would have made it harder for CIA to chase down the Russians).
  • Corsi initially argues, providing no evidence except that he’s sure the DNC emails come from the DNC email server and not NGP-VAN or Hillary’s private server, that, “While the DNC email server could have been hacked by an outside agent, what is equally plausible is that the emails could have been stolen by someone on the inside of the DNC, perhaps an employee with their own @dnc.org email address.” He then feeds the Seth Rich conspiracy.
  • Corsi uses what he claims to have learned about serialization in a college course covering Dickens (but details of which, regarding the history of Dickens’ serialization, he gets entirely wrong) to explain how he knew the Podesta emails would come out in a serialized release.
  • Corsi dismisses the possibility the Russians used a cut-out with this garble:

The attempt to distinguish is disingenuous, suggesting the Russians may have been responsible for the hack, turning the information to a third party, not the Russians or a state actor, who handed WikiLeaks the emails and thus became “the source.”

  • Corsi cites the Nation’s August 9, 2017 version of the Bill Binney theory purportedly proving that a set of files purporting to be from the DNC — which were never released by WikiLeaks — were copied inside the US and also noting that the Russian metadata in the first Guccifer 2.0 documents was placed there intentionally. As I noted at the time, the two theories actually don’t — at all — disprove the claim that Russia hacked the DNC. But they’re even worse for Corsi’s claims, because (even though the set of files were called NGP/VAN) they undermine his false claim about the Democrats’ servers and they acknowledge that the files he said disproved that Guccifer 2.0 had Podesta files actually were Podesta files.

These things are utterly irrelevant to the soundness of Corsi’s own claim to have been able to guess that the Podesta emails were coming and — as I note — a number of them sharply contradict what he claims to believe.

Corsi’s mistaken notion of his role in proving “collusion”

But the crap does serve Corsi’s larger point, which is to undermine what he imagines Mueller’s theory of “collusion” to be.

Mueller & Company had decided the Trump campaign somehow encouraged Russia to steal the DNC emails and give them to Assange, so WikiLeaks could publish them. Then to establish “Russian collusion” with the Trump campaign, Mueller was out to connect his own dots. The Mueller prosecutors had been charged with the mission to grill me until I would “give up” my source to Assange. I was their critical “missing link.” If Rhee, Zelinsky, and Goldstein only got me to confess, Mueller figured he could connect the dots from Roger Stone to me to Assange, and from Assange back again to me, and from me to Roger Stone, who would feed the information to Steve Bannon, then chairing the Trump campaign.

The final dots, the Mueller prosecutors assumed, would connect Bannon to Trump and the “Russian collusion” chain of communication would be complete. The only problem was that I did not have a source connecting me to Assange, so Mueller’s chain-link narrative does not connect.

While I actually think it possible that Corsi’s shenanigans may have harmed the neatness of Mueller’s case against Stone, perhaps even leading Mueller to charge Stone only with the obstruction charges rather than in a larger conspiracy, it doesn’t affect the understanding with which Mueller seems to be approaching the Don Jr side of any conspiracy, in which Trump’s son accepted a meeting offering dirt, thinking the family might make $300 million off it, and promised policy considerations that — even before he was sworn into office — his father took steps to pay off.

That conspiracy remains, even if Mueller can’t show that at the same time, Trump was maximizing the advantage of the WikiLeaks releases via his old political advisor Roger Stone.

But who knows? Perhaps Mueller may one day prove that, too?

One other thing that’s worth noting, however: As I laid out above, Corsi doesn’t just attempt to explain how he came to guess that WikiLeaks would release John Podesta’s emails. In the guise of doing that, he lays out what amounts to the Greatest Hits of the Denialist Conspiracies, throwing every possible claim mobilized to undermine the conclusion that Russia hacked the Democrats out there, even the ones that undermine Corsi’s own claimed beliefs.

And, as Corsi himself notes, Mueller has Corsi’s Google searches.

Truthfully, I was astounded because it seemed as if the FBI had studied me down to knowing the key strokes that I had used on my computer to do Google searches for articles. I realized my Google file would have much information about my locations and my Internet searches, but the way Zelinsky drilled down on how I wrote this article was shocking.

Repeatedly Zelinsky had warned me that I had no idea how truly extensive the Special Counselor’s investigation had been. Now, I imagined an army of FBI computer specialists at Quantico mapping out my every electronic communication in 2016, including my emails, my cellphone calls, and my use of the laptop and the Internet to conduct my research and write my various articles and memos.

They actually know whether he read this stuff (notably, the NBC, CNN, and NYMag articles he cites from late July 2016) in real time or only after the fact. They know when Corsi downloaded a bunch of other things (including the Guccifer 2.0 releases), and they know whether he read the GRU indictment. The FBI has also likely obtained what he was doing in November, 2018, as he was writing this stuff.

So it may be that when Corsi’s book comes out in hard cover on March 12, Mueller’s team will already have put together the forensic evidence to prove that Corsi’s claims about how he came by his own forensic analysis — and the rest of these conspiracies — are absolute bullshit. It is, admittedly, frightening how much the government can obtain about our contemporaneous thinking.

But it would be an ironic and just outcome for Corsi if Mueller’s best demonstration about the power of FBI’s forensic analysis comes not in the GRU indictment Corsi so studiously avoided mentioning in the entire book attempting to discredit it, but in proving Corsi’s own claims about forensics to be utterly false.

Corsi’s Timeline

March 16, 2016: WikiLeaks indexes FOIAed Hillary emails

June 12, 2016: Assange announces he has more information on Hillary

In that interview, Assange disclosed that WikiLeaks has “upcoming leaks in relation to Hillary Clinton,” though Assange distinguished the Hillary Clinton emails WikiLeaks possessed pending publication came from a different source than the emails from Hillary’s private email server. This alerted me to the possibility Assange had obtained emails from the DNC email server.

June 14, 2016: WaPo announces the DNC hack

June 15, 2016: Crowdstrike publicly releases white paper on DNC hack and Guccifer 2.0 first posts

July 10, 2016: Seth Rich’s murder

July 22, 2016: WikiLeaks releases the DNC emails

July 25, 2016: Stone emails Corsi asking him to Get to Assange to “get the pending WikiLeaks emails;” Corsi forwards the email to Ted Malloch

July 26, 2016: Assange tells CNN a lot more material is coming and refuses to exclude Russia as a source because “to exclude certain actors is to make it easier to find out who our sources are”

July 28, 2016: Corsi and his wife leave for Italy

July 31, 2016: Stone emails Corsi to “call me MON” instructing him to get Malloch to see Assange

August 2, 2016: Corsi emails Stone,

Word is friend in embassy plans 2 more dumps. One shortly after I’m back. 2nd in Oct. Impact planned to be very damaging.… Time to let more than Podesta to be exposed as in bed w enemy if they are not ready to drop HRC. That appears to be the game hackers are now about. Would not hurt to start suggesting HRC old, memory bad, has stroke — neither he nor she well. I expect that much of next dump focus, setting stage for Foundation debacle.

August 9, 2016: WikiLeaks offers $20,000 reward for information leading to conviction for murder of Seth Rich

August 12, 2016: Corsi returns from Italy

March 7, 2017: WikiLeaks starts to release Vault 7 documents, including an Umbrage file showing that CIA uses disinformation to hide which attacks it launches

May 25, 2017: WSJ reports on Aaron Nevins files that Guccifer 2.0 noted in real time; Corsi deems this (in a Murdoch paper) to be part of the anti-Stone narrative

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The DNC-Centric Focus of the HPSCI Investigation

Through the duration of the various Russia investigations, skeptics always harp on two questions pertaining to the Russian election year hacks — why the Democrats never turned over the DNC “server,” singular, to the FBI, allegedly leaving the FBI to rely on Crowdstrike’s work, and whether several sets of files released via Guccifer 2.0 showed signs of non-Russian origin. That is, skeptics look exclusively at the DNC, not the totality of the known Russian targeting.

Looking at the list of witnesses the House Intelligence Committee called (which the committee will release in the coming weeks) shows one reason why: that the most public and propagandist of all the Russia investigations focused on the DNC to the detriment of other known Democratic targets.

Here’s what the list of the HPSCI interviews looks like arranged by date (HPSCI will not be releasing the bolded interviews).

  1. [Comey, Jim (May 2 and 4, 2017): Intel]
  2. [Rogers, Mike (May 4, 2017): Intel]
  3. [Brennan, John (May 23, 2017): Intel]
  4. Coats, Dan (June 22, 2017): Intel
  5. Farkas, Evelyn (June 26, 2017): Ukraine/RU DOD
  6. Podesta, John (June 27, 2017): Clinton Chair
  7. Caputo, Michael (July 14, 2017): RU tied Trump
  8. Clapper, James (July 17, 2017): Intel
  9. Kushner, Jared (July 25, 2017): June 9 etc
  10. Carlin, John (July 27, 2017): Early investigation
  11. Gordon, JD (July 26, 2017): Trump NatSec
  12. Brown, Andrew (August 30, 2017): DNC CTO
  13. Tamene, Yared (August 30, 2017): DNC tech contractor
  14. Rice, Susan (September 6, 2017): Obama response to hack/unmasking
  15. Stone, Roger (September 26, 2017): Trump associate
  16. Epshteyn, Boris (September 28, 2017): RU-tied Trump
  17. Tait, Matthew (October 6, 2017): Solicit hack
  18. Safron, Jonathan (October 12, 2017): Peter Smith
  19. Power, Samantha (October 13, 2017): Obama response to hack/unmasking
  20. Catan, Thomas (October 18, 2017): Fusion
  21. Fritsch, Peter (October 18, 2017): Fusion
  22. Lynch, Loretta (October 20, 2017): Investigation
  23. Parscale, Brad (October 24, 2017): Trump’s data
  24. Cohen, Michael (October 24, 2017): Trump lawyer
  25. Rhodes, Benjamin (October 25, 2017): Obama response to hack/unmasking
  26. McCord, Mary (November 1, 2017): Early investigation
  27. Kaveladze, Ike (November 2, 2017): June 9 meeting
  28. Yates, Sally (November 3, 2017): Early investigation
  29. Schiller, Keith (November 7, 2017): Trump bodyguard
  30. Akhmetshin, Rinat (November 13, 2017): June 9
  31. Samochornov, Anatoli (November 28, 2017): June 9
  32. Sessions, Jeff (November 30, 2017): Trump transition
  33. Podesta, John (December 4, 2017): Dossier
  34. Denman, Diana (December 5, 2017): RNC platform
  35. Henry, Shawn (December 5, 2017): Crowdstrike
  36. Trump, Jr. Donald (December 6, 2017): June 9
  37. Phares, Walid (December 8, 2017): Trump NatSec
  38. Clovis, Sam (December 12, 2017): Trump NatSec
  39. Goldfarb, Michael (December 12, 2017): Dossier
  40. Elias, Marc (December 13, 2017): Dossier
  41. Nix, Alexander (December 14, 2017): Cambridge Analytica
  42. Goldstone, Rob (December 18, 2017): June 9
  43. Sussmann, Michael (December 18, 2017): Hack and dossier
  44. McCabe, Andrew (December 19, 2017): Early investigation
  45. Kramer, David (December 19, 2017): Dossier
  46. Sater, Felix (December 20, 2017): RU connected Trump
  47. Gaeta, Mike (December 20, 2017): Dossier go-between
  48. Sullivan, Jake (December 21, 2017): Dossier
  49. [Rohrabacher, Dana (December 21, 2017): Russian compromise]
  50. [Wasserman Schultz, Debbie (December 21, 2017): dossier]
  51. Graff, Rhona (December 22, 2017): June 9
  52. Kramer, David (January 10, 2018): Dossier
  53. Bannon, Stephen (January 16, 2018): Trump official
  54. Lewandowski, Corey (January 17, 2018): Trump official
  55. Dearborn, Rick (January 17, 2018): Trump official
  56. Bannon, Stephen (February 15, 2018): Trump official
  57. Hicks, Hope (February 27, 2018): Trump official
  58. Lewandowski, Corey (March 8, 2018): Trump official

While John Podesta, one of the earliest spearphishing victims, was one of the earliest witnesses (and, as HPSCI shifted focus to the dossier, one of the last as well), the other hack witnesses, DNC CTO Andrew Brown and DNC IT contractor Yared Tamene, represent the DNC. Perhaps that’s because of the NYT’s big story on the hack, which was obviously misleading in real time and eight months old by the time of those interviews. While Perkins Coie lawyer and former DOJ cyber prosecutor Michael Sussmann would surely have real insight into the scope of all the Democratic targets, he was interviewed during HPSCI’s dossier obsession, not alongside Brown and Tamene.

All of which is to say that the HPSCI investigation of the hack was an investigation of the hack of the DNC, not of the full election year attack.

To get a sense of some of what that missed, consider the victims described in the GRU indictment (which leaves out some of the earlier Republican targets, such as Colin Powell). I’ve included relevant paragraph numbers to ID these victims.

  1. Spearphish victim 3, March 21, 2016 (Podesta)
  2. Spearphish victim 1 Clinton aide, March 25, 2016 (released via dcleaks)
  3. Spearphish victim 4 (DCCC Employee 1), April 12, 2016 ¶24
  4. Spearphish victim 5 (DCCC Employee), April 15, 2016
  5. Spearphish victim 6 (possibly DCCC Employee 2), April 18, 2016 ¶26
  6. Spearphish victim 7 (DNC target), May 10, 2016
  7. Spearphish victim 2 Clinton aide, June 2, 2016 (released via dcleaks)
  8. Spearphish victim 8 (not described), July 6, 2016
  9. Ten DCCC computers ¶24
  10. 33 DNC computers ¶26
  11. DNC Microsoft Exchange Server ¶29
  12. Act Blue ¶33
  13. Third party email provider used by Clinton’s office ¶22 (in response to July 27 Trump request)
  14. 76 email addresses at Clinton campaign ¶22 (in response to July 27 Trump request)
  15. DNC’s Amazon server ¶34
  16. Republican party websites ¶71
  17. Illinois State Board of Elections ¶72
  18. VR Systems ¶73
  19. County websites in GA, IA, and FL ¶75
  20. VR Systems clients in FL ¶76

Effectively, HPSCI (and most hack skeptics) focused exclusively on item 11, the DNC Microsoft Exchange server from which the emails sent to WikiLeaks were stolen.

Yet, at least as laid out by Mueller’s team, the election year hack started elsewhere — with Podesta, then the DCCC, and only after that the DNC. It continued to target Hillary through the year (though with less success than they had with the DNC). And some key things happened after that — such as the seeming response to Trump’s call for Russia to find more Hillary emails, the Info-Ops-led targeting of election infrastructure in the summer and fall, and voter registration software. Not to mention some really intriguing research on Republican party websites. And this barely scratches the surface of the social media campaign, largely though not entirely carried out by a Putin-linked corporation.

HPSCI would get no insight on the overwhelming majority of the election year operation, then, by interviewing the witnesses they did. Of particular note, HPSCI would not review how the targeting and release of DCCC opposition research gave Republican congressmen a leg up over their Democratic opponents.

And while HPSCI did interview the available June 9 meeting witnesses, they refused to subpoena the information needed to really understand it. Nor did they interview all the witnesses or subpoena available information to understand the Stone operation and the Peter Smith outreach.

Without examining the other multiple threads via which Russia recruited Republicans, most notably via the NRA, HPSCI wouldn’t even get a sense of all the ways Russia was trying to make Republicans and their party infrastructure into the tools of a hostile foreign country. And there are other parts of the 2016 attack that not only don’t appear in these interviews, but which at least one key member on the committee was utterly clueless about well past the time the investigation finished.

The exception to the rule that HPSCI didn’t seek out information that might damn Republicans, of course, is the interview of Dana Rohrabacher, who (along with President Trump) proved reliably willing to entertain Russian outreach via all known channels. But that’s one of the interviews Republicans intend to keep buried because — according to an anonymous Daily Beast source — they don’t want Rohrabacher’s constituents to know how badly Russia has pwned him before November 6.

“The Republicans are trying to conceal from the voters their colleague Dana Rohrabacher’s Russia investigation testimony,” said a committee source familiar with the issue. “There were highly concerning contacts between Rohrabacher and Russians during the campaign that the public should hear about.”

By burying the Comey, Rogers, and Brennan transcripts, Republicans suppress further evidence of the degree to which Russia specifically targeted Hillary, and did so to help not just Trump, but the Republican party.

I’m sure there will be some fascinating material in these transcripts when they’re released. But even before the selective release, designed to hide any evidence gathered of how lopsided the targeting was, the scope of these interviews makes clear that the HPSCI investigation was designed to minimize, as much as possible, evidence showing how aggressively Russia worked to help Republicans.

As I laid out in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Did GRU Learn that Democrats Had Hired Christopher Steele When They Hacked DNC’s Email Server?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

According to Glenn Simpson’s SJC testimony, he hired Christopher Steele in May or June of 2016 to investigate Trump’s ties to Russia.

Q. And when did you engage Mr. Steele to conduct opposition research on Candidate Trump?

A. I don’t specifically recall, but it would have been in the — it would have been May or June of 2016.

Q. And why did you engage Mr. Steele in May or June of 2016?

Simpson is maddeningly vague (undoubtedly deliberately) on this point. In one place he suggests he hired Steele after DCLeaks was registered and amid a bunch of chatter about Democrats being hacked, which would put it after June 8 and probably after June 15.

Q. So at the time you first hired him had it been publicly reported that there had been a cyber intrusion into the Democratic National Convention computer system?

A. I don’t specifically remember. What I know was that there was chatter around Washington about hacking of the Democrats and Democratic think tanks and other things like that and there was a site that had sprung up called D.C. Leaks that seemed to suggest that somebody was up to something. I don’t think at the time at least that we were particularly focused on — well, I don’t specifically remember.

But in his more informative HPSCI testimony, he suggests he may have started talking to Steele about collecting intelligence on Trump in May.

MR. QUIGLEY: When exactly did he start working under contract?

MR. SIMPSON: My recollection is that, you know, we began talking about the — I don’t remember when we started talking about the engagement, but the work started in June, I believe.

MR. QUIGLEY: Okay.

MR. SIMPSON: Possibly late May, but –

Given one detail in Mueller’s GRU Indictment, that difference may be critical.

Recall that the DNC figured out they had been hacked in April, and brought in Perkins Coie (the same firm that would engage Fusion GPS) for help. The attorney helping them respond to the hack, Michael Sussmann, warned them not to use DNC email to discuss the hack, because it might alert hackers they were onto them.

The day before the White House Correspondents’ Association dinner in April, Ms. Dacey, the D.N.C.’s chief executive, was preparing for a night of parties when she got an urgent phone call.

With the new monitoring system in place, Mr. Tamene had examined administrative logs of the D.N.C.’s computer system and found something very suspicious: An unauthorized person, with administrator-level security status, had gained access to the D.N.C.’s computers.

“Not sure it is related to what the F.B.I. has been noticing,” said one internal D.N.C. email sent on April 29. “The D.N.C. may have been hacked in a serious way this week, with password theft, etc.”

No one knew just how bad the breach was — but it was clear that a lot more than a single filing cabinet worth of materials might have been taken. A secret committee was immediately created, including Ms. Dacey, Ms. Wasserman Schultz, Mr. Brown and Michael Sussmann, a former cybercrimes prosecutor at the Department of Justice who now works at Perkins Coie, the Washington law firm that handles D.N.C. political matters.

“Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

Mr. Sussmann instructed his clients not to use D.N.C. email because they had just one opportunity to lock the hackers out — an effort that could be foiled if the hackers knew that the D.N.C. was on to them.

“You only get one chance to raise the drawbridge,” Mr. Sussmann said. “If the adversaries know you are aware of their presence, they will take steps to burrow in, or erase the logs that show they were present.”

The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.

But it’s not clear whether Sussmann warned this small team of people against using DNC emails at all, or just those emails discussing the hack.

Previously, I had always guesstimated from this analysis how long after the DNC brought Crowdstrike in the emails ultimately shared with WikiLeaks got exfiltrated, based on the last dates of the stolen emails and the DNC’s email deletion policies in place at the time. It was a damned good estimate — May 19 to May 25.

But according to the indictment, the theft of the DNC emails happened later: starting on May 25, not ending on it.

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

The indictment doesn’t describe the entire universe of emails stolen — whether GRU stole just the 9 email boxes shared with WikiLeaks, or whether they obtained far more.

But the later date — possibly reaching as late as June 1 — means it’s possible GRU stole emails involving top DNC officials, officials involved in opposition research activities (as both Guccifer 2.0 and the DNC itself said had been a focus), including the activity of hiring a former MI6 officer to chase down Trump’s illicit ties to Russians.

Don’t get me wrong. If the Russians did, in fact, learn about the Steele effort and manage to inject his known reporting chain with disinformation, there were plenty of other possible ways they might have learned of the project: the several people overlapping between Fusion GPS’ Prevezon team and its Trump team, Rinat Akhmetshin who learned of the dossier from a chatty NYT editor, or maybe a close Trump ally like Sergei Millian. The sad thing about this disinformation project is it was so widely disseminated, any HUMINT integrity could have easily been compromised early in the process.

But the timeline laid out in the GRU indictment adds one more, even earlier possible way: that Russia learned the Democrats were seeking HUMINT from Russians about Russia’s efforts to help Trump from the Democrats’ own emails.

On the DNC-FBI Spat Over the DNC Server

The Ukrainian Ministry of Defense issued a statement in response to the media coverage following the CrowdStrike claim that malware in an artillery app had a role in massive casualties among Ukraine’s howitzer units. The Google translation (note, it has not yet been translated into English, which itself may say something about intended audience) of it reads,

In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect.

According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.

Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.

Understand what this is: it is in no way a denial that malware infected the artillery app (though it’s also, given that it comes from a country at war with Russia that wants people to stop using this to implicate Russia, not confirmation the malware is Russian). Rather, it is a correction for local journalists to an avowedly pro-Russian source used by Crowdstrike claiming that Ukraine faced 80% losses. And it is a statement that artillery losses from the period in question are due to something else (perhaps the drones that Crowdstrike admitted were involved in the fighting).

Mostly, it’s a complaint that Crowdstrike’s speculative report made Ukraine look bad. As I’ve noted, the report was released before Crowdstrike had spoken to the app developer (and as this statement makes clear, to Ukraine’s MOD), to explain why its previously “medium” confidence that GRU had hacked the DNC was now “high.”

I raise all that as background to the spat Buzzfeed’s Ali Watkins reported on yesterday between the DNC and FBI. In the morning, she reported the DNC claim that the FBI had inexplicably never, itself, accessed the DNC servers.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

Over the course of the day, many people explained that that’s fairly normal. Crowdstrike would have imaged the server, which would provide FBI what it needed.

But the snipe to Watkins was not the first time DNC has presented their case in a light that makes FBI look as bad as possible — they did that with the NYT, too. And so it was inevitable that the FBI would eventually push back, as they did later in the day with Watkins.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

Which promptly led the same DNC that originally leaked a claim making the FBI look bad to bitch about “haters.”

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

In general, I think people are right that you can learn what you need to about a typical breach from an imaged server and the server logs. Indeed, the FBI rebuttal here doesn’t even address whether they needed to get the server. Rather, they just said that there was a delay in their access to the data, not that they didn’t eventually get the data they needed.

And it’s true that there was a delay.

FBI gave the DNC the information they needed to start responding to the FSB hack in September 2015, but the FBI wasn’t brought in formally until maybe June 2016. That doesn’t necessarily excuse that they didn’t escalate sooner (the FBI may have had other reasons not to and I expect we may one day learn that the FBI contacted people beyond just the contractor IT guy), but it does mean that the FBI repeatedly tried to help and the DNC did not accept that help until months later.

Underlying all this is surely the distrust that stems from a political party believing the FBI was conducting a witch hunt of its principal (they’d be proven right a month after the breach became public), though the FBI agents investigating the DNC hack were surely different than the ones investigating Hillary’s server. There may have even been other reasons the DNC didn’t want the FBI nosing around their servers.

Still, we now know they did not ever access DNC’s servers themselves.

And I think in this case they should have, for two reasons.

The Hill story covering this bickering includes this quote from a former FBI agent describing one reason why.

“In nine out of 10 cases, we don’t need access, we don’t ask for access, we don’t get access. That’s the normal [procedure],” Leo Taddeo, a former special agent in charge of the cyber division of the FBI’s New York office, told The Hill.

“It’s extraordinarily rare for the FBI to get access to the victim’s infrastructure because we could mess it up,” he added. “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Asking for direct access to a server wouldn’t be necessary, Taddeo said, “unless there was a reason to think the victim was going to alter the evidence in some way.”

You don’t need access to the server itself unless you’ve got reason to believe the victim altered the evidence. From the very first, you had an entity, Guccifer 2.0, challenging the attribution Crowdstrike made on the server. Abundant analysis has proven that Guccifer is a liar, but Chinese and Iranians and Americans lie just as often as Russians do.

Plus, months after the hack, people started claiming that the source for the files that got to Wikileaks came from an insider. Which, if true (I don’t think it is, but nevertheless it is a competing theory, one that given the animosity within the Democratic party last year is not impossible), would mean that the victim might have altered the evidence.

There’s another reason why the FBI should have double checked the forensics, if they hadn’t already: because (we learned six months after the fact) Crowdstrike only ever had medium confidence that GRU had hacked the DNC based on the forensics they examined.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

And Crowdstrike only came to have high confidence in that attribution by writing a paper that multiple Ukrainian sources (not exactly Russian shills) have now pushed back on. That is, nothing in the original forensics changed, as far as we know; external evidence, of whatever quality, led to a change in confidence.

Which means the forensics itself is not a slam dunk.

I’m beginning to see a hole in all the other security firms’ validation of Crowdstrike’s original attribution, which I hope to return to (though not before next week). In any case, it’d be useful for FBI to have really vetted this work, given that we’ve turned this into an international incident.

So, yeah, the FBI never obtained the DNC server full of political information the government really shouldn’t possess, particularly not an agency perceived to be really hostile to that political party.

But maybe, in this case, they should have.

Sanctioning GRU … and FSB

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU — Main Intelligence, and FSB — Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data provided by FireEye to War on the Rocks much later in the year suggested that the DNC hack was the only time both showed up in the same server, which FireEye took to mean the opposite of what Crowdstrike had concluded: a particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offer only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented — the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.

CrowdStrike’s Own Announcement Makes It Clear It Doesn’t Have Proof of Ongoing Chinese Economic Cyberattacks

Many many many outlets are reporting that China has continued conducting economic espionage even after Xi Jinping agreed to stop doing it. They base that claim on this post from CrowdStrike, a big cybersecurity contractor that spends a lot of time feeding the press scary stories about hacking.

Here’s the proof they offer:

Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.

[snip]

In addition to preventing these intrusions, the CrowdStrike Falcon platform also provided full visibility into every tool, command and technique used by the adversary. This allowed us to determine that the hackers saw no need to change their usual tradecraft or previously used infrastructure in an attempt to throw off their scent.

They include a timeline showing 9 attempted intrusions into Tech Sector companies, and 2 into Pharma companies since Xi and President Obama signed the hacking agreement.

Now, even assuming that CrowdStrike has accurately labeled these Chinese government hackers (CrowdStrike’s CTO was less confident in an interview with Motherboard) this still is not proof that China has violated the agreement.

After all, the key part of the agreement is on how stolen information gets used — whether it gets used to benefit individual companies or even entire sectors (the latter of which we do in our own spying, but never mind). If CrowdStrike prevented any data from being stolen, then it is impossible to assert that it was being stolen to benefit market actors without more evidence that the hackers were tasked by a market actor. Even the indictment everyone points to as proof that China engages in economic espionage did not allege that the People’s Liberation Army had shared the data involved in the single economic espionage charge with private sector companies, and given that the data in question pertained to nuclear technology, it’s not something that is proven just because it was stolen in the context of an ongoing relationship with the victim (even if that is a logical presumption to make).

The same is true here. When China hacked Google to spy on dissidents, that was clearly national security spying. When the US hacked Huawei to figure out how to backdoor its equipment, that was clearly national security spying. When the US used Microsoft and Siemens products to carry out Stuxnet, the tech companies were merely enabling targets. There are too many reasons to hack tech sector companies for solidly national security purposes to claim, just based on the sector itself, that it was done for economic espionage.

You can’t even point to the 2 Pharma intrusions to make the claim. A list of sites the State Department identified as critical infrastructure from a leaked 2009 cable includes over 25 pharmaceutical sites (including animal Pharma), many of them related to vaccines. If we’re treating pharmaceutical supply and research facilities as critical infrastructure, with the presumed consequent defensive surveillance of those sites, it is tough to argue the Chinese can’t consider our pharmaceutical companies making key drugs to be critical targets. Both can be argued to stem from the same public health concerns.

I’m not saying it’s impossible or even unlikely that these intrusions were attempted economic espionage. I’m saying that this isn’t evidence of it, and that the reporting repeating this claim has been far too credulous.

But that also points to one of the inherent problems with this deal (one pointed to by many people at the time). When last he testified on the subject, Jim Clapper didn’t even claim to have fully attributed the OPM hack. The same attribution and use problems exist here. China may steal data on an important new drug, but that’s not going to be enough to prove they stole it for commercial gain until they release their own copycat of the drug in several years and use it to undercut the US company’s product, and even then that may require a lot more data — collected by spying! — from inside the market companies themselves (in part because China engages in many other means of stealing data which aren’t the subject of a special agreement, which will make even the copycat instance hard to prove came from an intrusion).

China knew that, too, when it signed the agreement. It will take more than evidence of 11 attempted intrusions to prove that China is violating the agreement.