
Nothing Happens in a Vacuum: Diplomatic Scuffles and Academic Speeches in Moscow

In front of a brick building one pre-dawn summer morning, a security guard tackled a man as he walked toward the entrance after exiting a cab. The security guard slammed the man onto the building’s concrete steps, choking him as he restrained him. The man managed to open the door and gain partial entry into the foyer without the use of his hands while the guard continued to choke him.

The guard was Russian.

The man was an American.

The building was the U.S. Embassy in Moscow.

The two-man scuffle happened June 6, 2016, exactly one month before Trump campaign foreign policy adviser Carter Page would view the UEFA Euro 2016 Portugal vs. Wales semi-final match at a Morgan Stanley-hosted event in Moscow.

On June 26, WaPo’s Josh Rogin wrote about increasing harassment of U.S. diplomats across Europe by Russia. Episodes included breaking into diplomats’ homes and stalking diplomats’ children. Norm Eisen, U.S. ambassador to the Czech Republic from 2011 to 2014, called this harassment “gray war.”

On June 29, Rogin wrote about the June 6 scuffle; the American was not identified by name or by employment. He may have been a diplomat or a spy under diplomatic cover; different sources gave different possible explanations.

But the guard who beat up the American was an FSB employee. The American’s shoulder was broken; the severity of his injuries required a flight out of Russia for urgent medical care.

On June 30, Foreign Ministry Spokesperson Maria Zakharova issued a statement* claiming that WaPo, the U.S. State Department and ‘special services’ had spread false information about the June 6 event. According to Zakharova, the FSB guard acted because the American didn’t show his ID; further, the “police officer on duty was attacked,” as can be seen in surveillance video.

On July 7, Josh Rogin wrote that Congress had begun to investigate the June 6 event, concerned that the FSB guard’s actions violated the Vienna Convention on diplomatic relations. The Obama administration had refused comment, though State Department spokesman John Kirby said the Russians’ statements were “inaccurate” while administration officials quietly briefed members of Congress about the episode.

This same day Carter Page gave a speech at the New Economic School in Moscow, the day after he attended the UEFA semi-final viewing party, meeting Rosneft’s Director of Investor Relations Andrey Baranov, Gazprom Investproekt’s CEO Oleg Nagovitsyn, Russia’s Deputy Prime Minister Arkady Dvorkovich, and members of the Duma. A video of Page’s speech was uploaded that day to YouTube by a think tank.

On July 8, RT (Russia Today) published on YouTube a tightly edited excerpt from the surveillance camera video which captured the June 6 scuffle. The FSB guard clearly had the upper hand from the moment he slammed the unnamed diplomat onto the concrete.

This same day Carter Page gave a commencement speech at the New Economic School; it, too, was captured on video and uploaded to YouTube, though not until months later.

How odd that it took a little over a month for RT to acquire the video and upload it to their YouTube channel.

How odd that RT never asked Carter Page, a foreign policy adviser, what he might recommend to Trump to prevent future “gray war” events like the June 6 scuffle.

How odd that the Republican members of Congress who were so concerned about these “gray war” episodes are now inert about the sanctions placed on Russia, with little concern for the effect on NATO.

“The problem is there have been no consequences for Russia,” said Rep. Mike Turner (R-Ohio), who serves as president of the NATO Parliamentary Assembly. “The administration continues to pursue a false narrative that Russia can be our partner. They clearly don’t want to be our partner, they’ve identified us as an adversary, and we need to prepare for that type of relationship.”

What changed since June 2016 besides the presidency?

* Open with caution; link is to a Russian government site.


What Was the Relationship Between FSB and GRU in the DNC Hack, Redux?

I want to return to last week’s House Intelligence Hearing on Russia (because that fecker Devin Nunes canceled my birthday hearing with James Clapper and John Brennan today), to revisit a question I’ve asked a number of times (in most detail here): what was the relationship between Russia’s FSB and GRU intelligence services in the DNC hack?

The public narrative (laid out in this post) goes like this: Sometime in summer 2015, APT (Advanced Persistent Threat) 29 (associated with FSB, Russia’s top intelligence agency) hacked the DNC along with 1,000 other targets and, because DNC ignored FBI’s repeated warnings, remained in its network unnoticed. Then, in March 2016, APT 28 (generally though not universally associated with GRU, Russia’s military intelligence) hacked the DNC and John Podesta. According to the public story, GRU oversaw the release (via DC Leaks and Guccifer 2.0) and leaking (to Wikileaks via as-yet unidentified cut-outs) of the stolen documents.

Under the public story, then, FSB did the same kind of thing the US does (for example, with Enrique Peña Nieto in 2012), collecting intelligence on a political campaign, whereas GRU did something new (though under FBI-directed Sabu, we did something similar to Bashar al-Assad in 2012), leaking documents to Wikileaks.

Obama’s sanctions to retaliate for the hack primarily focused on GRU, but did target FSB as well, though without sanctioning any FSB officers by name. And in its initial report on the Russian hack, the government conflated the two separate groups, renaming attack tools previously dubbed Cozy and Fancy Bear the “Grizzly Steppe,” making any detailed discussion of how they worked together more confusing. As I noted, however, the report may have offered more detail about what APT 29 did than what APT 28 did.

Last week’s hearing might have been an opportunity to clarify this relationship had both sides not been interested in partisan posturing. Will Hurd even asked questions that might have elicited more details on how this worked, but Admiral Mike Rogers refused to discuss even the most basic details of the hacks.

HURD: Thank you, Chairman.

And gentlemen, thank you all for being here. And thank you for your continued service to your country. I’ve learned recently the value of sitting in one place for a long period of time and listening, and today has added to that understanding, and I’m going to try to ask questions that y’all can answer in this format and are within your areas of expertise. And Director Rogers, my first question to you — the exploit that was used by the Russians to penetrate the DNC, was it sophisticated? Was it a zero day exploit? A zero day being some type of — for those that are watching, an exploit that has never been used before?

ROGERS: In an open unclassified forum, I am not going to talk about Russian tactics, techniques or procedures about how they executed their hacks.

HURD: If members of the DNC had not — let me rephrase this, can we talk about spear phishing?

ROGERS: Sure, in general terms, yes sir.

HURD: Spear phishing is when somebody sends an email and they — somebody clicks on something in that email…

ROGERS: Right, the user of things (inaudible) they’re receiving an email either of interest or from a legitimate user, they open it up and they’ll often click if you will on a link — an attachment.

HURD: Was that type of tactic used in the…

ROGERS: Again, I’m not in an unclassified forum just not going to be…

The refusal to discuss the most basic details of this hack — even after the government listed 31 reports describing APT 28 and 29 (and distinguishing between the two) in its updated report on the hacks — is weird, particularly given the level of detail DOJ released on the FSB-related hack of Yahoo. Given that the tactics themselves are not secret (and have been confirmed by FBI, regardless of what information NSA provided), it seems possible that the government is being so skittish about these details because they don’t actually match what we publicly know. Indeed, at least one detail I’ve learned about the documents Guccifer 2.0 leaked undermines the neat GRU-FSB narrative.

Comey did confirm something I’ve been told about the GRU side of the hack: they wanted to be found (whereas the FSB side of the hack had remained undiscovered for months, even in spite of FBI’s repeated efforts to warn DNC).

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

There is mounting evidence that Guccifer 2.0 went to great lengths to implicate Russia in the hack. Confirmation that GRU also went out of its way to make noise during the DNC hack may suggest that, both within and outside of the DNC, those behind the second hack wanted to be discovered.

I have previously pointed to a conflict between what Crowdstrike claimed in its report on the DNC hack and what the FBI told FireEye. Crowdstrike basically said the two hacking groups didn’t coordinate at all (which Crowdstrike took as proof of sophistication). Whereas FireEye said they did coordinate (which it took as proof of sophistication and uniqueness of this hack). I understand the truth is closer to the latter. APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29 (though there may have been some back and forth before APT 29 did share).

All of which brings me to two questions Elise Stefanik asked. First, she asked — casually raising it because it had “been in the news recently” — whether the FSB was collecting intelligence in its hack of Yahoo.

STEFANIK: Thank you. Taking a further step back of what’s been in the news recently, and I’m referring to the Yahoo! hack, the Yahoo! data breach, last week the Department of Justice announced that it was charging hackers with ties to the FSB in the 2014 Yahoo! data breach. Was this hack done to your knowledge for intelligence purposes?

COMEY: I can’t say in this forum.

STEFANIK: Press reporting indicates that the Yahoo! hack targeted journalists, dissidents and government officials. Do you know what the FSB did with the information they obtained?

COMEY: Same answer.

Again, in spite of the great deal of detail in the indictment, Comey refused to answer these obvious questions.

The question is all the more interesting given that the indictment alleges that Alexsey Belan (who was sanctioned along with GRU in December) had access to Yahoo’s network until December 2016, well after these hacks. More interestingly, Belan was “minting” Yahoo account credentials (forged session cookies) at least as late as May 20, 2016. That’s significant, because one of the first things that led the DNC to become convinced Russia was hacking it was that Ali Chalupa, who was then collecting opposition research on Paul Manafort from anti-Russian entities in Ukraine, kept having her Yahoo account hacked in early May. With the ability to mint cookies, the FSB could have accessed her account without generating a Yahoo notice, since a forged cookie is presented as an already-authenticated session rather than as a new login. Chalupa has recently gone public about some, though not all, of the other frightening things that happened to her last summer (she was sharing them privately at the time). So at a time when the FSB could have accomplished its goals unobtrusively, hackers within the DNC network, Guccifer 2.0 outside of it, and stalkers in the DC area were all alerting Chalupa, at least, to their presence.
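To make concrete why a minted cookie generates no sign-in notice, here is an added example (not code from the original post, and not Yahoo’s actual cookie format or account tooling, which the post does not describe). It models a generic web service whose session cookie is an HMAC over the user name and an expiry, keyed with a server-side secret. A password login emits a “new sign-in” notice; a cookie check does not, so an attacker who has stolen the signing secret can forge a cookie for any account and read it silently. The hardened variant keeps a server-side record of issued sessions and rotates the key, which is what defeats minting. The user names, secret and timestamps are constructed for illustration.

```python
"""Forged ("minted") session cookies and why they leave no login notice.

Added example. The service, secret, user names and timestamps are
constructed; nothing here is Yahoo's real cookie scheme.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed server-side signing key; stealing it is the attacker's precondition.
SERVER_SECRET = b"constructed-example-secret-not-real"


def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


class Service:
    """Toy account service: password logins emit a notice, cookie checks do not."""

    def __init__(self, secret: bytes, passwords: Dict[str, str]):
        self.secret = secret
        self.passwords = passwords
        self.notices: List[str] = []  # "new sign-in" alerts that would be mailed to users

    def mint_cookie(self, user: str, expires: int) -> str:
        payload = f"{user}|{expires}"
        return f"{payload}|{_mac(self.secret, payload)}"

    def login(self, user: str, password: str, now: int) -> Optional[str]:
        if self.passwords.get(user) != password:
            return None
        self.notices.append(f"new sign-in for {user}")  # only the login path alerts
        return self.mint_cookie(user, now + 3600)

    def session_user(self, cookie: str, now: int) -> Optional[str]:
        """Stateless check: any cookie with a valid MAC and unexpired time is trusted."""
        try:
            user, expires, tag = cookie.rsplit("|", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, _mac(self.secret, f"{user}|{expires}")):
            return None
        return user if int(expires) >= now else None


def forge_cookie(stolen_secret: bytes, victim: str, expires: int) -> str:
    """Attacker side: with the signing secret, mint a cookie for any account."""
    payload = f"{victim}|{expires}"
    return f"{payload}|{_mac(stolen_secret, payload)}"


def demo_forgery() -> dict:
    """The forged cookie is accepted as the victim and no notice is generated."""
    svc = Service(SERVER_SECRET, {"victim": "correct horse"})
    now = 1_463_700_000  # constructed timestamp (May 2016)
    before = len(svc.notices)
    forged = forge_cookie(SERVER_SECRET, "victim", now + 30 * 86400)  # long-lived
    return {
        "accepted_as": svc.session_user(forged, now),
        "notices_added": len(svc.notices) - before,
    }


class HardenedService(Service):
    """Records every issued session server-side. A cookie that was never issued
    through login is rejected even if its MAC verifies, and rotating the secret
    invalidates everything minted under the old one."""

    def __init__(self, secret: bytes, passwords: Dict[str, str]):
        super().__init__(secret, passwords)
        self.issued: Set[str] = set()

    def login(self, user: str, password: str, now: int) -> Optional[str]:
        cookie = super().login(user, password, now)
        if cookie is not None:
            self.issued.add(cookie)
        return cookie

    def session_user(self, cookie: str, now: int) -> Optional[str]:
        if cookie not in self.issued:
            return None
        return super().session_user(cookie, now)

    def rotate_secret(self, new_secret: bytes) -> None:
        self.secret = new_secret
        self.issued.clear()  # forces every user back through the (alerting) login path


def demo_hardened() -> dict:
    """Legitimate session works, forged one fails, rotation kills old sessions."""
    svc = HardenedService(SERVER_SECRET, {"victim": "correct horse"})
    now = 1_463_700_000
    legit = svc.login("victim", "correct horse", now)
    forged = forge_cookie(SERVER_SECRET, "victim", now + 30 * 86400)
    result = {
        "legit_ok": svc.session_user(legit, now) == "victim",
        "forged_ok": svc.session_user(forged, now) == "victim",
    }
    svc.rotate_secret(b"constructed-rotated-secret")
    result["legit_after_rotation"] = svc.session_user(legit, now) == "victim"
    return result


if __name__ == "__main__":
    print(demo_forgery())
    print(demo_hardened())
```

The point for investigators is the one the post makes: against a stateless cookie scheme, the victim sees no new-device mail, no password-change prompt and no failed-login spike, so the only place the access shows up is in server-side request logs keyed to the account, which is why the indictment’s detail about when minting occurred matters.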

While it seems increasingly likely the FSB officers indicted for the Yahoo hack (one of whom has been charged with treason in Russia) were operating at least partly on their own, it’s worth noting that overlapping Russian entities had three different ways to access DNC targets.

Note, Dianne Feinstein is the one other person I’m aware of who is fully briefed on the DNC hack and who has mentioned the Yahoo indictment. Like Comey, she was non-committal about whether the Yahoo hack related to the DNC hack.

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts are the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

There seems to be a concerted effort to obscure whether the Yahoo hack had any role in the hack of the DNC or other political targets.

Finally, Stefanik asked Comey a question I had myself.

STEFANIK: OK, I understand that. How — how did the administration determine who to sanction as part of the election hacking? How — how familiar with that decision process and how is that determination made?

COMEY: I don’t know. I’m not familiar with the decision process. The FBI is a factual input but I don’t recall and I don’t have any personal knowledge of how the decisions are made about who to sanction.

One place you might go to understand the relationship between GRU and FSB would be to Obama’s sanctions, which described the intelligence targets this way.

  • The Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU) is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.
  • The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.

[snip]

  • Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

Remember, by the time Obama released these sanctions, several FSB officers, including Dmitry Dokuchaev (who was named in the Yahoo indictment) had been detained for treason for over three weeks. But the officers named in the sanctions, unlike the private companies and individual hackers, are unlikely to be directly affected by the sanctions.

The sanctions also obscured whether Belan was sanctioned for any role in the DNC hack.

  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Again, all of this suggests that the intelligence community has reason to want to obscure how these various parts fit together, even while publicizing the details of the Yahoo indictment.

Which suggests a big part of the story is about how the public story deviates from the real story the IC is so intent on hiding.

Sanctioning GRU … and FSB

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU, the Main Intelligence Directorate, and FSB, the Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data provided by FireEye to War on the Rocks much later in the year suggested that the DNC hack was the only time both showed up in the same systems, which FireEye took to mean the opposite of what Crowdstrike had: a particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offer only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented — the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.

The FBI’s Improving Cooperation with FSB

There were a number of questions about security threats to the Sochi Olympics at the Global Threat hearing the other day. One of them provided Jim Comey the opportunity to say this:

National Counterterrorism Center Director Matthew Olsen: So we’re very focused on the problem of terrorism in the run-up to the Olympics. I would add that I traveled to Sochi last December and met with Russian security officials. They understand the threat; they are very focused on this and devoting substantial resources. The biggest issue, from my perspective, is not the games themselves, the venues themselves; there is extensive security at those locations — the sites of the events. The greater threat is to softer targets in the greater Sochi area and in the outskirts, beyond Sochi, where there is a substantial potential for a terrorist attack.

Dianne Feinstein: Thank you very much. Mr. Comey, would you tell us what you can about cooperation between Russia and your organization?

FBI Director Jim Comey: Certainly, Senator. The cooperation between the FSB and the FBI in particular has been steadily improving over the last year. We’ve had exchanges at all levels, particularly in connection with Sochi, including me directly to my counterpart at FSB, and I think that we have a good level of cooperation there. It can always improve; we’re looking for ways to improve it, as are they, but this, as Director Olsen said, remains a big focus of the FBI. [my emphasis]

In the middle of a hearing at which James Clapper railed against Edward Snowden, claiming that counterintelligence threats — by which he largely meant Snowden — presented the second biggest threat to the country, the FBI Director stated that cooperation between his agency and the Russian spy agency has been improving for the last year (I’m guessing he means it has been improving since the Boston attack, because relations were quite chilly before that).

Snowden’s the second biggest threat to this country, and yet our relations with Russia, and specifically with Russia’s spy agency, have been steadily improving over the entire period Snowden has had asylum in Russia.

I don’t pretend to know precisely what that means.

At a minimum, it poses real questions about the unsubstantiated and whispered claims that Snowden has provided Russia great intelligence on NSA’s activities. After all, if Russia was busy exploiting Snowden’s secrets, it presumably would present challenges for this budding new cooperation between the FSB and those investigating Snowden’s leaks.

(The Global Threats report actually raises the case of Jeffrey Paul Delisle, a Canadian intelligence officer who gave Russia Five Eyes secrets for five years, as proof the Russians are soliciting more spies as part of their cyberwar efforts.)

There is, of course, another (remote) possibility: that we worked out a deal with Russia, whereby they’d give Snowden asylum and report back what he had taken. I have no reason to believe Snowden has shared secrets (though I don’t doubt Putin will take whatever he can get his hands on), and the thought that Russia would agree to tell us what Snowden got is far-fetched. Still, Putin’s enough of a statist he might do it (and might misinform us along the way). Far-fetched as it is, if that were the case it’d give the US several things: the security of knowing Snowden was in the hands of security forces who would prevent any non-state or weaker state from getting to him and who were also limiting what he could say publicly; some clue about what Snowden had taken; and a political situation which would help US efforts to propagandize against Snowden.

Alternately, one of the things the FBI has learned as it has worked more closely with the FSB is that Snowden hasn’t shared any secrets with Russia (perhaps, as many have suggested, Russia got enough from Delisle that they would rather use Snowden solely to discomfit us).

I don’t know what it means. But I do find it rather implausible that the FBI would continue to expand cooperation with the FSB even as it extracted NSA’s family jewels from Snowden. Yet that’s the story Snowden’s biggest detractors would like you to believe.