Posts

How the Concord Management Prosecution Fell Apart

The frothy right and anti-Trump left both politicized DOJ’s decision to dismiss the single count of conspiracy charged against Concord Management and Concord Catering in the Russian troll indictment that Mueller’s team obtained on February 16, 2018. The right — including the President — and the alt-Left are falsely claiming the prosecution against all the trolls fell apart and suggesting this undermines the claims Russia tampered in the 2016 election.

The mainstream left speculated, without any apparent basis, that Bill Barr deliberately undermined the prosecution by classifying some of the evidence needed to prove the case.

The politicization of the outcome is unfortunate, because the outcome raises important policy questions about DOJ’s recent efforts to name-and-shame nation-state activities in cyberspace.

The IRA indictment intersects with a number of important policy discussions

The decision to indict the Internet Research Agency, its owner Yevgeniy Prigozhin, two of the shell companies he used to fund Internet Research Agency (Concord Management and Concord Catering, the defendants against which charges were dropped), and twelve of the employees involved in his troll operations intersects with three policy approaches adopted in bipartisan fashion in recent years:

  • The use of indictments and criminal complaints to publicly attribute and expose the methods of nation-state hackers and the vehicles (including shell companies) they use.
  • A recent focus on Foreign Agents Registration Act compliance and prosecutions in an attempt to crack down on undisclosed foreign influence peddling.
  • An expansive view of US jurisdiction, facilitated but not limited to the role of the US banking system in global commerce.

There is — or should be — more debate about all of these policies. Some of the prosecutions the US has pursued (one that particularly rankles Russia is of their Erik Prince equivalent, Viktor Bout, who was caught in a DEA sting selling weapons to FARC) would instill outrage if other countries tried them with US citizens. Given the way Trump has squandered soft power, that is increasingly likely. While DOJ has obtained some guilty pleas in FARA cases (most notably from Paul Manafort, but Mike Flynn also included his FARA violations with Turkey in his Statement of the Offense), the FARA prosecutions of Greg Craig (which ended in acquittal) and Flynn’s partner Bijan Kian (which ended in a guilty verdict that Judge Anthony Trenga overturned) have thus far faced difficulties. Perhaps most problematic of all, the US has indicted official members of foreign state intelligence services for activities (hacking), though arguably not targets (private sector technology), that official members of our own military and intelligence services also hack. That’s what indictments (in 2014 for hacks targeting a bunch of victims, most of them in Pittsburgh and this year for hacking Equifax) against members of China’s People’s Liberation Army and Russia’s military intelligence GRU (both the July 2018 indictment for the hack-and-leak targeting the 2016 election and an October 2018 one for targeting anti-doping organizations) amount to. Those indictments have raised real concerns about our intelligence officers being similarly targeted or arrested without notice when they travel overseas.

The IRA indictment is different because, while Prigozhin runs numerous mercenary activities (including his Wagner paramilitary operation) that coordinate closely with the Russian state, his employees work for him, not the Russian state. But the Yahoo indictment from 2017 included both FSB officers and criminal hackers and a number of the hackers DOJ has otherwise indicted at times work for the Russian government. So even that is not unprecedented.

The indictment did serve an important messaging function. It laid out the stakes of the larger Russian investigation in ways that should have been nonpartisan (and largely were, until Concord made an appearance in the courts and started trolling the legal system). It asserted that IRA’s efforts to thwart our electoral and campaign finance functions amounted to a fraud against the United States. And it explained how the IRA effort succeeded in getting Americans to unwittingly assist the Russian effort. The latter two issues, however, may be central to the issues that undid the prosecution.

Make no mistake: the IRA indictment pushed new boundaries on FARA in ways that may raise concerns and are probably significant to the decision to drop charges against Concord. It did so at a time when DOJ’s newfound focus on FARA was not yet well-established, meaning DOJ might have done it differently with the benefit of the lessons learned since early 2018. Here’s a shorter and a longer version of an argument from Joshua Fattal on this interpretation of FARA. Though I think he misses something about DOJ’s argument that became clear (or, arguably, changed) last fall, that DOJ is not just arguing that the trolls themselves are unregistered foreign agents, but that they tricked innocent Americans into being agents. And DOJ surely assumed it would likely never prosecute any of those charged, unless one of the human targets foolishly decided to vacation in Prague or Spain or any other country with extradition treaties with the US. So the indictment was a calculated risk, a risk that may not have paid off.

But that’s why it’s worth understanding the decision to drop the prosecution based off the record, rather than presumptions about DOJ and the Russia investigation.

Just the funding side of the conspiracy to defraud indictment got dropped

The first step to understanding why DOJ dropped the charges is to understand what the two Concord entities were charged with. The indictment as a whole charged eight counts:

  • Conspiracy to defraud the United States for preventing DOJ and FEC from policing our campaign finance and election system (and State for issuing visas)
  • Conspiracy to commit wire fraud and bank fraud by using stolen identities to open financial accounts with which to evade PayPal’s security
  • Six counts of aggravated identity theft for stealing the identities of Americans used in the wire and bank fraud

The wire and bank fraud charges remain untouched by DOJ’s decision. If any of those defendants shows up in court, DOJ remains fully prepared to hold them accountable for stealing Americans’ identities to thwart PayPal’s security protocols so as to fool Americans into doing Russia’s work. Such an identity theft prosecution would not rely on the aggressive FARA theory the Concord charge does.

Even still, most of the conspiracy to defraud (ConFraudUS) charge remains.

The two Concord entities were only named in the ConFraudUS charge. The overt acts involving Concord entail funding the entire operation and hiding those payments by laundering them through fourteen different affiliates and calling the payments “software support.”

3. Beginning as early as 2014, Defendant ORGANIZATION began operations to interfere with the U.S. political system, including the 2016 U.S. presidential election. Defendant ORGANIZATION received funding for its operations from Defendant YEVGENIY VIKTOROVICH PRIGOZHIN and companies he controlled, including Defendants CONCORD MANAGEMENT AND CONSULTING LLC and CONCORD CATERING (collectively “CONCORD”). Defendants CONCORD and PRIGOZHIN spent significant funds to further the ORGANIZATION’s operations and to pay the remaining Defendants, along with other uncharged ORGANIZATION employees, salaries and bonuses for their work at the ORGANIZATION.

[snip]

11. Defendants CONCORD MANAGEMENT AND CONSULTING LLC (Конкорд Менеджмент и Консалтинг) and CONCORD CATERING are related Russian entities with various Russian government contracts. CONCORD was the ORGANIZATION’s primary source of funding for its interference operations. CONCORD controlled funding, recommended personnel, and oversaw ORGANIZATION activities through reporting and interaction with ORGANIZATION management.

a. CONCORD funded the ORGANIZATION as part of a larger CONCORD-funded interference operation that it referred to as “Project Lakhta.” Project Lakhta had multiple components, some involving domestic audiences within the Russian Federation and others targeting foreign audiences in various countries, including the United States.

b. By in or around September 2016, the ORGANIZATION’s monthly budget for Project Lakhta submitted to CONCORD exceeded 73 million Russian rubles (over 1,250,000 U.S. dollars), including approximately one million rubles in bonus payments.

c. To conceal its involvement, CONCORD labeled the monies paid to the ORGANIZATION for Project Lakhta as payments related to software support and development. To further conceal the source of funds, CONCORD distributed monies to the ORGANIZATION through approximately fourteen bank accounts held in the names of CONCORD affiliates, including Glavnaya Liniya LLC, Merkuriy LLC, Obshchepit LLC, Potentsial LLC, RSP LLC, ASP LLC, MTTs LLC, Kompleksservis LLC, SPb Kulinariya LLC, Almira LLC, Pishchevik LLC, Galant LLC, Rayteks LLC, and Standart LLC.

Concord was likely included because it tied Prigozhin into the conspiracy, and through him, Vladimir Putin. That tie has been cause for confusion and outright disinformation during the course of the prosecution, as during pretrial motions there were two legal fights over whether DOJ could or needed to say that the Russian state had a role in the operation. Since doing so was never necessary to legally prove the charges, DOJ didn’t fight that issue, which led certain useful idiots to declare, falsely, that DOJ had disclaimed any tie, which is either absurd misunderstanding of how trials work and/or an outright bad faith representation of the abundant public evidence about the ties between Prigozhin and Putin.

By including Concord, the government asserted that it had proof not just that IRA’s use of fake identities had prevented DOJ and the FEC from policing electoral transparency, but also that Putin’s go-to guy in the private sector had used a series of shell companies to fund that effort.

By dropping the charges against the shell companies, that link is partly broken, but the overall ConFraudUS charge (and the charge against Prigozhin) remains, and all but one of the defendants are now biological persons who, if they mounted a defense, would also face criminal penalties that might make prosecution worth it. (I believe the Internet Research Agency has folded as a legal institution, so it would not be able to replay this farce.)

Going to legal war with a shell company

As noted, the indictment included two shell companies — Concord Management and Concord Catering — among the defendants in a period when Russia has increasingly pursued lawfare to try to discredit our judicial system. That’s precisely what happened: Prigozhin hired lawyers who relished trolling the courts to try to make DOJ regret it had charged the case.

As ceded above, DOJ surely didn’t expect that anyone would affirmatively show up to defend against this prosecution. That doesn’t mean they didn’t have the evidence to prove the crimes — both the first level one that bots hid their identities to evade electoral protections, and the second level conspiracy that Prigozhin funded all that through some shell companies. But it likely means DOJ didn’t account for the difficulties of going to legal war against a shell company.

One of the two explanations the government offered for dropping the prosecution admits that the costs of  trying a shell company have come to outweigh any judicial benefits.

When defense counsel first appeared on behalf of Concord, counsel stated that they were “authorized” to appear and “to make representations on behalf” of Concord, and that Concord was fully subjecting itself to the Court’s jurisdiction. 5/9/18 Tr. 5 (ECF No. 9). Though skeptical of Concord’s (but not counsel’s) asserted commitments at the initial appearance, the government has proceeded in good faith—expending the resources of the Department of Justice and other government agencies; incurring the costs of disclosing sensitive non-public information in discovery that has gone to Russia; and, importantly, causing the Court to expend significant resources in resolving dozens of often-complex motions and otherwise ensuring that the litigation has proceeded fairly and efficiently. Throughout, the government’s intent has been to prosecute this matter consistent with the interests of justice. As this case has proceeded, however, it has become increasingly apparent to the government that Concord seeks to selectively enjoy the benefits of the American criminal process without subjecting itself to the concomitant obligations.

From the start, there were ongoing disputes about whether the shell company Concord Management was really showing up to defend against this conspiracy charge. On May 5, 2018, DOJ filed a motion aiming to make sure that — given the uncertainty that Concord had been properly served with a summons, since, “Acceptance of service is ordinarily an indispensable precondition providing assurance that a defendant will submit to the jurisdiction of the court, obey its orders, and comply with any judgment.” Concord’s lawyers responded by complaining that DOJ was stalling on extensive discovery requests Concord made immediately.

Next, an extended and recurrent fight over a protective order for discovery broke out. Prigozhin was personally charged in the indictment along with his shell company. The government tried to prevent defense attorneys from sharing discovery deemed “sensitive” with officers of Concord (Prighozhin formally made himself an officer just before this effort started) who were also defendants without prior approval or at least a requirement such access to take place in the United States, accompanied by a defense attorney lawyer. That fight evolved to include a dispute about whether “sensitive” discovery was limited to just Personally Identifiable Information or included law enforcement sensitive information, too (unsurprisingly, Concord said it only wanted the latter and even demanded that DOJ sift out the former). The two sides established a protective order at start. But in December, after the government had delivered 4 million documents, of which it deemed 3.2 million “sensitive,” Concord renewed their demand that Prighozhin have access to discovery. They trollishly argued that only Prigozhin could determine whether the proper translation of the phrase “Putin’s chef” meant he was the guy who cooked for Putin or actually Putin’s boss. At this point, the US started filing sealed motions opposing the discovery effort, but did not yet resort to the Classified Information Procedures Act, meaning they still seemed to believe they could prove this case with unclassified, albeit sensitive, evidence.

Shortly thereafter, DOJ revealed that nothing had changed to alter the terms of the original protective order, and in the interim, some of the non-sensitive discovery (that is, the stuff that could be shared with Prigozhn) had been altered and used in a disinformation campaign.

The subsequent investigation has revealed that certain non-sensitive discovery materials in the defense’s possession appear to have been altered and disseminated as part of a disinformation campaign aimed (apparently) at discrediting ongoing investigations into Russian interference in the U.S. political system. These facts establish a use of the non-sensitive discovery in this case in a manner inconsistent with the terms of the protective order and demonstrate the risks of permitting sensitive discovery to reside outside the confines of the United States.

With a biological defendant, such a stunt might have gotten the defendant thrown in jail (and arguably, this is one of two moments when Judge Dabney Friedrich should have considered a more forceful response to defiance of her authority). Here, though, the prosecution just chugged along.

Perhaps the best proof that Prigozhin was using Concord’s defense as an intelligence-collecting effort came when, late last year, Concord demanded all the underlying materials behind Treasury’s Office of Foreign Assets Control decision to sanction Prigozhin and his companies. As Friedrich noted in her short notation denying the request, OFAC’s decision to sanction Prigozhin had nothing to do with the criminal charges against Concord. Nevertheless, Prigozhin used the indictment of his shell companies in an attempt to obtain classified information on the decision leading to sanctions being imposed on him.

Prigozhin’s goal of using his defense as a means of learning the US government’s sources and methods was clear from the first discovery request. That — and his unwavering efforts to continue the trolling operations — likely significantly influenced the later classification determination that contributed to DOJ dropping the case.

The government intended to try this case with unclassified information

That’s the other cited reason the government dismissed this case: because a classification determination made some of the evidence collected during the investigation unavailable as unclassified information.

[A]s described in greater detail in the classified addendum to this motion, a classification determination bearing on the evidence the government properly gathered during the investigation, limits the unclassified proof now available to the government at trial. That forces the prosecutors to choose between a materially weaker case and the compromise of classified material.

At the beginning of this case, the government said that all its evidence was unclassified, but that much of it was sensitive, either for law enforcement reasons or the privacy of victims in the case.

As described further in the government’s ex parte affidavit, the discovery in this case contains unclassified but sensitive information that remains relevant to ongoing national security investigations and efforts to protect the integrity of future U.S. elections. At a high level, the sensitive-but-unclassified discovery in this case includes information describing the government’s investigative steps taken to identify foreign parties responsible for interfering in U.S. elections; the techniques used by foreign parties to mask their true identities while conducting operations online; the relationships of charged and uncharged parties to other uncharged foreign entities and governments; the government’s evidence-collection capabilities related to online conduct; and the identities of cooperating individuals and, or companies. Discovery in this case contains sensitive information about investigative techniques and cooperating witnesses that goes well beyond the information that will be disclosed at trial.

Nevertheless, after the very long and serial dispute about how information could be shared with the defendant noted above (especially Prigozhin, as an officer of Concord), later in the process, something either became classified or the government decided they needed to present evidence they hadn’t originally planned on needing.

This is one way, Barr critics suggest, that the Attorney General may have sabotaged the prosecution: by deeming information prosecutors had planned to rely on classified, and therefore making key evidence inaccessible for use at trial.

That’s certainly possible! I don’t rule out any kind of maliciousness on Barr’s part. But I think the available record suggests that the government made a good faith classification decision, possibly in December 2019 or January 2020, that ended up posing new difficulties for proving the case at trial. One possibility is that, in the process of applying a very novel interpretation of FARA to this prosecution, the types of evidence the government needed to rely on may have changed. It’s also possible that Prigozhin’s continued trolling efforts — and maybe even evidence that his trolling operations had integrated lessons learned from discovery to evade detection — made sharing heretofore sensitive unclassified information far more damaging to US national security (raising its classification level).

As discussed below, the record also suggests that the government tried to access some evidence via other means, by subpoenaing it from Concord. But Concord’s ability to defy subpoenas without punishment (which gets back to trying to prosecute a shell company) prevented that approach.

The fight over what criminalizes a troll conspiring to fool DOJ (and FEC)

Over the course of the prosecution, the theory of the ConFraudUS conspiracy either got more detailed (and thereby required more specific kinds of evidence to prove) or changed. That may have contributed to changing evidentiary requirements.

Even as the dispute about whether Concord was really present in the court fighting these charges, Concord’s lawyers challenged the very novel application of FARA by attacking the conspiracy charge against it. This is precisely what you’d expect any good defense attorney to do, and our judicial system guarantees any defendant, even obnoxious Russian trolls who refuse to actually show up in court, a vigorous defense, which is one of the risks of indicting foreign corporate persons.

To be clear: the way Concord challenged the conspiracy charge was often frivolous (particularly in the way that Concord’s Reed Smith lawyers, led by Eric Dubelier, argued it). The government can charge a conspiracy under 18 USC § 371 without proving that the defendant violated the underlying crimes the implementation of which the conspiracy thwarted (as Friedrich agreed in one of the rulings on Concord’s efforts). And on one of the charged overt acts — the conspiracy to hide the real purpose of two reconnaissance trips to the US on visa applications — Concord offered only a half-hearted defense; at trial DOJ would likely have easily proven that when IRA employees came to the US in advance of the operation, they lied about the purpose of their travel to get a visa.

That said, while Concord never succeeded in getting the charges against it dismissed, it forced DOJ to clarify (and possibly even alter) its theory of the crime.

That started as part of a motion to dismiss the indictment based on a variety of claims about the application of FARA to conspiracy, arguing in part that DOJ had to allege that Concord willfully failed to comply with FECA and FARA. The government argued that that’s not how a ConFraudUS charge works — that the defendants don’t have to be shown to be guilty of the underlying crimes. Concord replied by claiming that its poor trolls had no knowledge of the government functions that their secrecy thwarted. Friedrich posed two questions about how this worked.

Should the Court assume for purposes of this motion that neither Concord nor its coconspirators had any legal duty to report expenditures or to register as a foreign agent?

Specifically, should the Court assume for purposes of this motion that neither Concord nor its co-conspirators knowingly or unknowingly violated any provision, civil or criminal, of FECA or FARA by failing to report expenditures or by failing to register as a foreign agent?

The government responded by arguing that whether or not the Russian trolls had a legal duty to register, their deception meant that regulatory agencies were still thwarted.

As the government argued in its opposition and at the motions hearing, the Court need not decide whether the defendants had a legal duty to file reports with the FEC or to register under FARA because “the impairment or obstruction of a governmental function contemplated by section 371’s ban on conspiracies to defraud need not involve the violation of a separate statute.” United States v. Rosengarten, 857 F.2d 76, 78 (2d Cir. 1988); Dkt. No. 56, at 9-13. Moreover, the indictment alleges numerous coordinated, structured, and organized acts of deception in addition to the failure to report under FECA or to register under FARA, including the use of false social media accounts, Dkt. No. 1 ¶¶ 32-34, 36, the creation and use of U.S.- based virtual computer infrastructure to “mask[] the Russian origin and control” of those false online identities, id. ¶¶ 5, 39, and the use of email accounts under false names, id. ¶ 40. The indictment alleges that a purpose of these manifold acts of deception was to frustrate the lawful government functions of the United States. Id. ¶ 9; see also id. ¶ 5 (alleging that U.S.-based computer infrastructure was used “to avoid detection by U.S. regulators and law enforcement”); id. ¶ 58 (alleging later obstructive acts that reflect knowledge of U.S. regulation of conspirators’ conduct). Those allegations are sufficient to support the charge of conspiracy to defraud the United States regardless of whether the defendants agreed to engage in conduct that violated FECA or FARA because the “defraud clause does not depend on allegations of other offenses.”

Friedrich ruled against the trolls, except in doing so stated strongly that the government had conceded that they had to have been acting to impair lawful government functions, though not which specific relevant laws were at issue.

Although the § 371 conspiracy alleged does not require willfulness, the parties’ disagreement may be narrower than it first appears. The government concedes that § 371 requires the specific intent to carry out the unlawful object of the agreement—in this case, the obstruction of lawful government functions. Gov’t’s Opp’n at 16 (“Because Concord is charged with conspiring to defraud the United States, . . . the requisite mental state is the intent of impairing, obstructing, or defeating the lawful function of any department of government through deception.” (internal quotation marks omitted)). Further, the government agrees that to form the intent to impair or obstruct a government function, one must first be aware of that function. See Hr’g Tr. at 40 (“[Y]ou can’t act with an intent to impair a lawful government function if you don’t know about the lawful government function.”). Thus, Concord is correct—and the government does not dispute—that the government “must, at a minimum, show that Concord knew what ‘lawful governmental functions’ it was allegedly impeding or obstructing.” Def.’s Mot. to Dismiss at 22; Def.’s Reply at 5. Here, as alleged in the indictment, the government must show that Concord knew that it was impairing the “lawful functions” of the FEC, DOJ, or DOS “in administering federal requirements for disclosure of foreign involvement in certain domestic activities.” Indictment ¶ 9. But Concord goes too far in asserting that the Special Counsel must also show that Concord knew with specificity “how the relevant laws described those functions.” Def.’s Mot. to Dismiss at 22; Def.’s Reply at 5. A general knowledge that U.S. agencies are tasked with collecting the kinds of information the defendants agreed to withhold and conceal would suffice.

Then Concord shifted its efforts with a demand for a Bill of Particulars. The demand itself — and the government’s opposition — included a demand for information about co-conspirators and VPNs, yet another attempt to get intelligence rather than discovery. But Friedrich granted the motion with respect to the application of FECA and FARA.

In other words, it will be difficult for the government to establish that the defendants intended to use deceptive tactics to conceal their Russian identities and affiliations from the United States if the defendants had no duty to disclose that information to the United States in the first place. For that reason, the specific laws—and underlying conduct—that triggered such a duty are critical for Concord to know well in advance of trial so it can prepare its defense.

The indictment alleges that the defendants agreed to a course of conduct that would violate FECA’s and FARA’s disclosure requirements, see Indictment ¶¶ 7, 25–26, 48, 51, and provides specific examples of the kinds of expenditures and activities that required disclosure, see id. ¶¶ 48– 57. Concord, 347 F. Supp. 3d at 50. But the indictment does not cite the specific statutory and regulatory disclosure requirements that the defendants violated. Nor does it clearly identify which expenditures and activities violated which disclosure requirements. Accordingly, the Court will order the government to:

  • Identify any statutory or regulatory disclosure requirements whose administration the defendants allegedly conspired to impair, along with supporting citations to the U.S. Code, Code of Federal Regulations, or comparable authority.
  • With respect to FECA, identify each category of expenditures that the government intends to establish required disclosure to the FEC. See, e.g., Indictment ¶ 48 (alleging that the defendants or their co-conspirators “produce[d], purchase[d], and post[ed] advertisements on U.S. social media and other online sites expressly advocating for the election of then-candidate Trump or expressly opposing Clinton”) (emphasis added)). The government must also identify for each category of expenditures which disclosure provisions the defendants or their co-conspirators allegedly violated.
  • With respect to FARA, identify each category of activities that the government intends to establish triggered a duty to register as a foreign agent under FARA. See, e.g., id. ¶ 48 (same); id. ¶ 51 (alleging that the defendants or their coconspirators “organized and coordinated political rallies in the United States” (emphasis added)). The government must also identify for each category of activities which disclosure provisions the defendants or their co-conspirators allegedly violated.

In a supplemental motion for a bill of particulars, Concord asked which defendants were obliged to file with DOJ and FEC.

That came to a head last fall. In a September 16, 2019 hearing, both sides and Friedrich discussed at length precisely what the legal theory behind the conspiracy was. On Friedrich’s order, the government provided Concord a list of people (whose names were redacted) that,

the defendants conspired to cause some or all of the following individuals or organizations to act as agents of a foreign principal while concealing from those individuals that they were acting as agents of a foreign principal [who should register under FARA].

That is, whether or not this was the original theory of the case, by last fall the government made it clear that it wasn’t (just) Prigozhin or his trolls who needed to register; rather, it was (also) the Americans who were duped into acting and spending money on their behalf. But because they didn’t know they were working on behalf of a foreign principal, they did not register.

Meanwhile, in a motion for clarification, the government argued that it had always intended to include foreigners spending money in the indictment. Friedrich held that that had not actually been included in the original indictment.

These two issues — the claim that duped Americans would have had to register if they knew they were working with a foreign agent, and the need to strengthen the assertion about foreign campaign expenditures — forced the government to go back and supersede the original indictment.

DOJ obtains a superseding indictment with more specific (and potentially new) theories of the case

On November 8, 2019, the government obtained a superseding indictment to include language about foreign donations that Friedrich had ruled was not in the original indictment and language covering the duped Americans who had unknowingly acted as agents of Russian trolls.

New language in the superseding indictment provided more detail of reporting requirements.

¶1 U.S. law also requires reporting of certain election-related expenditures to the Federal Election Commission.

[snip]

U.S. also imposes an ongoing requirement for such foreign agents to register with the Attorney General.

The paragraph explaining the means of the ConFraudUS added detail about what FEC, DOJ, and State functions the trolls’ deceit had thwarted.

¶7 In order to carry out their activities to interfere in the U.S. political and electoral processes without detection of their Russian affiliation, Defendants conspired to obstruct through fraud and deceit lawful functions of the United States government in monitoring, regulating, and enforcing laws concerning foreign influence on and involvement in U.S. elections and the U.S. political system. These functions include (a) the enforcement of the statutory prohibition on certain election-related expenditures by foreign nationals; (b) the enforcement of the statutory requirements for filing reports in connection with certain election-related expenditures; (c) the enforcement of the statutory ban on acting as an unregistered agent of a foreign principal in the United States; (d) the enforcement of the statutory requirements for registration as an agent of a foreign principal (e) the enforcement of the requirement that foreign national seeking entry into the United States provide truthful and accurate information to the government. The defendants conspired to do so by obtaining visas through false and fraudulent statements, camouflaging their activities by foreign nationals as being conducted by U.S. persons, making unlawful expenditures and failing to report expenditures in connection with the 2016 U.S. presidential election, and failing to register as foreign agents carrying out political activities within the United States, and by causing others to take these actions.

These allegations were repeated in ¶9 in the section laying out the ConFraudUs count.

The superseding indictment added a section describing what FEC and DOJ do.

¶25 One of the lawful functions of the Federal Election Commission is to monitor and enforce this prohibition. FECA also requires that individuals or entities who make certain independent expenditures in federal elections report those expenditures to the Federal Election Commission. Another lawful government function of the Federal Election Commission is to monitor and enforce this reporting requirement.

[snip]

¶26 The U.S. Department of Justice enforces the Foreign Agent Registration Act (“FARA”), which makes it illegal to act in the United States as an “agent of a foreign principal,” as defined at Title 22, United States Code, Section 661(c), without following certain registration, reporting, and disclosure requirements established by the Act. Under FARA, the term “foreign principal” includes foreign non-government individuals and entities. FARA requires, among other things, that persons subject to its requirements submit periodic registration statements containing truthful information about their activities and income earned from them. One of the lawful government functions of the Department of Justice is to monitor and enforce this registration, reporting, and disclosure regime.

In perhaps the most interesting addition, the superseding indictment also added language to include the actions of unwitting Americans.

¶48 …and caused unwitting persons to produce, purchase, and post advertisements on U.S. social media and other online sites expressly advocating for the election of then-candidate Trump or expressly opposing Clinton. Defendants and their co-conspirators did not report these expenditures to the Federal Election Commission, or register as foreign agents with the U.S. Department of Justice, nor did any of the unwitting persons they caused to engage in such activities.

The superseding indictment repeated this “unwitting” language in ¶51.

This superseding indictment is significant for two reasons, given the dismissal of the count against the two Concord defendants. First, the possibly changed theory of the conspiracy may have changed what evidence the government needed to prove the crime. For example, it may be that DOJ has evidence of IRA employees acknowledging, for the period of this indictment, that spending money on these activities was illegal, whether or not they knew they had to report such expenditures. It may be that DOJ has evidence of communications between the trolls and actual Americans they otherwise wouldn’t have had to rely on. It may be that DOJ has evidence about the regulatory knowledge of those same Americans about their own reporting obligations. Some of this evidence might well be classified.

Just as importantly, if Bill Barr wanted to jettison this prosecution, he could have done so last November by refusing to permit the superseding indictment. That likely would have undermined the case just as surely (and might have led Friedrich to dismiss it herself), and would have been far better for Trump’s messaging. Moreover, from that point in time, it would have been clear that trial might introduce evidence of how three Trump campaign officials coordinated (unknowingly) with the Russian trolls, something bound to embarrass Trump even if it posed no legal hazard. If Barr had wanted to undermine the prosecution to benefit Trump, November would have been the optimal time to do that, not February and March.

While it’s not clear whether this superseding indictment changed certain evidentiary challenges or not, three key strands of activity that seem to have resulted in the dismissal started only after the superseding: an effort to authenticate digital evidence on social media activity, an effort to subpoena some of that same evidence, and the CIPA process to try to substitute for classified information.

The government goes to some lengths to try to pre-approve normally routine evidence

The last of those efforts, chronologically, may hint at some of the evidentiary issues that led DOJ to drop the case.

In a motion submitted on February 17, the government sought to admit a great deal of the social media and related forensic data in the case. In many trials, this kind of evidence is stipulated into evidence, but here, Concord had been making it clear it would challenge the evidence at trial. So the government submitted a motion in limine to try to make sure it could get that evidence admitted in advance.

Among the issues raised in the motion was how the government planned to authenticate the IP addresses that tied the IRA trolls to specific Facebook and Twitter accounts and other members of the conspiracy (Prigozhin, Concord, and the interim shell companies) to each other. The government redacted significant sections of the filing describing how it intended to authenticate these ties (see, for example, the redaction on page 8, which by reference must discuss subscriber information and IP addresses, and footnote 7 on page 9, the redaction pertaining to how they were going to authenticate emails on page 16, the very long redaction on how they would authenticate emails between IRA and Concord starting on page 17, and the very long redaction on how they were going to authenticate Prigozhin to the IRA starting on page 21).

Concord got special permission to write an overly long 56-page response. Some of it makes it clear they’re undermining the government’s efforts to assert just that, for example on IP addresses.

IP addresses, subscriber information, and cookie data are not self-authenticating. The first link in the government’s authentication argument is that IP addresses,6 subscriber information, and cookie data are self-authenticating business records under Rules 803(6) and 902(11). But the cases the government cites are easily distinguishable and undercut its argument.

6 The IP addresses do not link an account to a specific location or fixed address. For example, for the Russian IP addresses the government indicates that they were somewhere within the city of St. Petersburg, Russia.

[snip]

It should come as no surprise then, given the lack of reliability and untrustworthiness in social media evidence such as that the government seeks to introduce, that the case law forecloses the government’s facile effort at authentication of content here. Unlike Browne, Lewisbey, and the other cases cited above, the government has offered no social media accounts bearing the name of any alleged conspirator and no pictures appearing to be a conspirator adorning such page.7 Nor has the government pointed to a single witness who can testify that she saw a conspirator sign up for the various social media accounts or send an email, or who can describe patterns of consistency across the various digital communications to indicate they come from the same source.

7 The government has indicated to Concord that it intends to introduce at trial Fed. R. Evid. 1006 summaries of IP address records, apparently to create the link between the social media accounts and IRA that is not addressed in the motion. See Ex. B, Jan. 6, 2020 letter. Despite repeated requests from undersigned counsel, the government has identified the 40 social media accounts for it intends to summarize but has not provided the summaries or indicated when it will do so.

Some of this is obviously bullshit, particularly given the government’s contention, elsewhere, that Concord (or IRA, if it was a typo) had dedicated IP addresses. Mostly, though, it appears to have been an attempt to put sand in the wheels of normal criminal prosecution by challenging stuff that is normally routine. That doesn’t mean it’s improper, from a defense standpoint. But given how often DOJ’s nation-state indictments rely on such forensic evidence, it’s a warning about potential pitfalls to them.

The government resorts to CIPA

Even while the government had originally set out to prove this case using only unclassified information, late in the process, it decided it needed to use the Classified Information Procedures Act. That process is where one would look for any evidence that Barr sabotaged the prosecution by classifying necessary evidence (though normally the approval for CIPA could come from Assistant Attorney General for National Security Division John Demers, who is not the hack that Barr is).

In October 2019, Friedrich had imposed a deadline for CIPA if the government were going to use it, of January 20, 2020.

On December 17, the government asked for a two week delay, “to ensure appropriate coordination within the Executive Branch that must occur prior to the filing of the motion,” a request Friedrich denied (even though Concord did not oppose it). This was likely when the classification determination referenced in the motion to withdraw was debated, given that such determinations would dictate what prosecutors had to do via CIPA.

On January 10, 2020, the government filed its first motion under CIPA Section 4, asking to substitute classified information for discovery and use at trial. According to the docket, Friedrich discussed CIPA issues at a hearing on January 24. Then on January 29 and February 10, she posted classified orders to the court security officer, presumably as part of the CIPA discussion.

On February 13, the government asked for and obtained a one-day extension to file a follow-up CIPA filing, from February 17 to February 18, “to complete necessary consultation within the Executive Branch regarding the filing and to ensure proper supervisory review.” If Barr intervened on classification issues, that’s almost certainly when he did, because this happened days after Barr intervened on February 11 in Roger Stone’s sentencing and after Jonathan Kravis, who had been one of the lead prosecutors in this case as well, quit in protest over Barr’s Stone intervention. At the very least, in the wake of that fiasco, Timothy Shea made damn sure he ran his decision by Barr. But the phrase, “consultation within the Executive Branch,” certainly entertains consultation with whatever agency owned the classified information prosecutors were deciding whether they could declassify (and parallels the language used in the earlier request for a filing extension). And Adam Jed, who had been part of the Mueller team, was added to the team not long before this and remained on it through the dismissal, suggesting nothing akin to what happened with Stone happened here.

The government submitted its CIPA filing on the new deadline of February 18, Friedrich issued an order the next day, the government filed another CIPA filing on February 20, Friedrich issued another order on February 28.

Under CIPA, if a judge rules that evidence cannot be substituted, the government can either choose not to use that evidence in trial or drop the prosecution. It’s likely that Friedrich ruled that, if the government wanted to use the evidence in question, they had to disclose it to Concord, including Prigozhin, and at trial. In other words, that decision — and the two earlier consultations (from December to early January, and then again in mid-February) within the Executive Branch — are likely where classification issues helped sink the prosecution.

It’s certainly possible Bill Barr had a key role in that. But there’s no explicit evidence of it. And there’s abundant reason to believe that Prigozhin’s extensive efforts to use the prosecution as an intelligence-gathering exercise both for ongoing disinformation efforts and to optimize ongoing trolling efforts was a more important consideration. Barr may be an asshole, but there’s no evidence in the public record to think that in this case, Prigozhin wasn’t the key asshole behind a decision.

DOJ attempts to treat Concord as a legit party to the court’s authority

Even before that CIPA process started playing out, beginning on December 3, the government pursued an ultimately unsuccessful effort to subpoena Concord. This may have been an attempt to obtain via other means evidence that either had been obtained using means that DOJ had since decided to classify or the routine authentication of which Concord planned to challenge.

DOJ asked to subpoena a number of things that would provide details of how Concord and Prigozhin personally interacted with the trolls. Among other requests, the government asked to subpoena Concord for the IP addresses it used during the period of the indictment (precisely the kind of evidence that Concord would later challenge).

3. Documents sufficient to identify any Internet Protocol address used by Concord Management and Consulting LLC from January 1, 2014 to February 1, 2018.

Concord responded with a load of absolute bullshit about why, under Russian law, Concord could not comply with a subpoena. Judge Friedrich granted the some of the government’s request (including for IP addresses), but directed the government to more narrowly tailor its other subpoena requests.

On December 20, the government renewed its request for other materials, providing some evidence of why it was sure Concord had responsive materials. Concord quickly objected again, again wailing mightily. In its reply, the government reminded Friedrich that she had the ability to order Concord to comply with the subpoena — and indeed, had gotten Concord’s assurances it would comply with orders of the court when it first decided to defend against the charges. It even included a declaration from an expert on Russian law, Paul Stephan, debunking many of the claims Concord had made about Russian law. Concord wailed, again. On January 24, Friedrich approved the 3 categories of the subpoena she had already approved. On January 29, the government tried again, narrowing the request even to — in one example — specific days.

Calendar entries reflecting meetings between Prigozhin and “Misha Lakhta” on or about January 27, 2016, February 1, 2016, February 2, 2016, February 14, 2016, February 23, 2016, February 29, 2016, May 22, 2016, May 23, 2016, May 28, 2016, May 29, 2016, June 7, 2016, June 27, 2016, July 1, 2016, September 22, 2016, October 5, 2016, October 23, 2016, October 30, 2016, November 6, 2016, November 13, 2016, November 26, 2016, December 3, 2016, December 5, 2016, December 29, 2016, January 19, 2017, and February 1, 2017.

Vast swaths of the motion (and five exhibits) explaining why the government was sure that Concord had the requested records are sealed. Concord responded, wailing less, but providing a helpful geography lesson to offer some alternative explanation for the moniker “Lakhta,” which the government has long claimed was the global term for Prigozhin’s information war against the US and other countries.

But the government fails to inform the Court that “Lakhta” actually means a multitude of other things, including: Lake Lakhta, a lake in the St. Petersburg area, and Lakhta Center, the tallest building in Europe, which is located in an area within St. Petersburg called the Lakhta-Olgino Municipal Okrug.

On February 7, Friedrich largely granted the government’s subpoena request, approving subpoenas to get communications involving Prigozhin and alleged co-conspirators, as well as records of payments and emails discussing them.  That same day and again on February 21, Concord claimed that it had communicated with the government with regards to the subpoenas, but what would soon be clear was non-responsive.

On February 27, the government moved to show cause for why Concord should not be held in contempt for blowing off the subpoenas, including the request for IP addresses and the entirety of the second subpoena (for meetings involving Prigozhin and records of payments to IRA). Concord wailed in response. The government responded by summarizing Concord’s response:

Concord’s 18-page pleading can be distilled to three material points: Concord’s attorneys will not make any representations about compliance; Concord will not otherwise make any representations about compliance; and Concord will not comply with a court order to send a representative to answer for its production. The Court should therefore enter a contempt order and impose an appropriate sanction to compel compliance.

Friedrich issued an order that subpoena really does mean subpoena, demanding some kind of representation from Concord explaining its compliance.  In response, Prigozhin sent a declaration partly stating that his businesses had deleted all available records, partly disclaiming an ability to comply because he had played games with corporate structure.

With respect to category one in the February 10, 2020 trial subpoena, Concord never had any calendar entries for me during the period before I became General Director, and I became General Director after February 1, 2018, so no searches were able to be performed in Concord’s documents. Concord did not and does not have access to the previous General Director’s telephone from which the prosecution claims to have obtained photographs of calendars and other documents, so Concord is unable to confirm the origin of such photographs.

He claimed to be unable to comply with the request for IP addresses because his contractors “cannot” provide them.

In order to comply with category three in the trial subpoena dated January 24, 2020, in Concord’s records I found contracts between Concord and Severen-Telecom JSC and Unitel LLC, the two internet service providers with which Concord contracted between January 1, 2014 and February 1, 2018. Because these contracts do not identify the internet protocol (“IP”) addresses used by Concord during that period, on January 7, 2020 I sent letters on behalf of Concord to Severen-Telecom JSC and Unitel LLC transmitting copies of these contracts and requesting that the companies advise as to which IP addresses were provided to or used by Concord during that period. Copies of these letters and English translations, as well as the attached contracts, are attached as Exhibits 2 and 3. Severen-Telecom JSC responded in writing that the requested information cannot be provided. A copy of Severen-Telecom JSC’s letter and an English translation are attached as Exhibit 2. Unitel LLC responded that information regarding IP addresses cannot be provided. A copy of Unitel LLC’s letter and an English translation of is attached as Exhibit 3. Accordingly, Concord does not have any documents that could be provided in response to category three (3) of the January 24, 2020 subpoena.

The government responded by pointing out how bogus Prigozhin’s declaration was, not least his insistence that any oligarch like him would really be the person in charge of his companies’ record-keeping. It also described evidence — which is redacted — that Concord had an in-house IT provider at the time (though notes that “as the Court knows, it appears that Concord [sic; this is probably IRA] registered and maintained multiple dedicated IP addresses during the relevant time period”). It further noted that the date that Prigozhin claimed his company started destroying records after 3 months perfectly coincided to cover the start date of this subpoena. In short, it provided fairly compelling evidence that Prigozhin, after agreeing that his company would be subject to the authority of the court when it first filed an appearance in the case, was trolling the court from the safety of Russia.

On March 5, Judge Friedrich nevertheless allowed that bullshit response in her court and declined to hold Concord in contempt. Eleven days later, the government moved to dismiss the case.

The government files the motion to dismiss before the evidentiary dispute finishes but after the subpoena and CIPA fail

On March 16 — 17 days after what appears to be the final CIPA order and 11 days after Friedrich declined to hold Concord or Prigozhin in contempt, and one day before the government was due to file a follow-up to its motion in limine to authenticate normally routine evidence in the case — the government moved to dismiss the case.

While it’s unclear what evidence was deemed to be classified late in the prosecution (likely in December), it seems fairly clear that it affected (and possibly was a source or method used to collect) key forensic proof in the case. It’s also unclear whether an honest response to the government’s trial subpoenas would have replaced that evidence.

What is clear, however, is that there is sufficient explanation in the public record to support the government’s explanation — that Prigozhin was using the prosecution to reap benefits of obtaining information about US government efforts to thwart his activities without risking anything himself. And whether or not the government would be able to prove its case with the classification and CIPA decisions reflected in the docket, the trial itself would shift more evidence into the category of information that would get shared with Prigozhin.

None of that disproves that Barr sabotaged the case. But it does provide sufficient evidence to explain why DOJ dismissed the case, without assuming that Barr sabotaged it.

Other cases of interest

As noted above, not only do the identity theft related charges remain, but so does the ConFraudUS case for all the biological defendants, including Prigozhin. It may be that, given the opportunity to imprison Prigozhin in the highly unlikely event that he ever showed up in the US for trial, the classification trade-offs would be very different.

But there are three other legal issues of interest, given this outcome.

First, there’s one more unsurprising detail about the superseding indictment: It also included an end-date, January 2018. That’s not surprising because adding later activities probably would presented all sorts of problems given how advanced the trial was last November. But it’s also significant because it means double jeopardy would not attach for later activities. So the government could, if the calculus on classification ever changed, simply charge all the things Prigozhin and his trolls have been doing since January 2018 in an indictment charged under its revised theory.

That’s particularly significant given that, in September 2018, prosecutors in EDVA charged Prigozhin’s accountant, Elena Alekseevna Khusyaynova. Even at the time, I imagined it might be a vehicle to move the IRA prosecution if anything happened to it in DC. Unsurprisingly, given that she’s the accountant at the center of all this, the Khusyaynova complaint focused more closely on the money laundering part of the prosecution. Plus, that complaint incorporated evidence of Prigozhin’s trolls reveling in their own indictment, providing easy proof of knowledge of the legal claims DOJ made that didn’t exist for the earlier indictment. None of that would change the calculus around classified evidence (indeed, some of the overt acts described in the Khusyaynova complaint seem like the kind of evidence that Prigozhin would have turned over had he complied with the Concord subpoena. So there is another vehicle for such a prosecution, if DOJ wanted to pursue it.

Finally, Prigozhin has not succeeded with all his attempts to wage lawfare in support of his disinformation efforts. In January, he lost his bid to force Facebook to reinstate his fake news site, Federal Agency of News, based off an argument that because Facebook worked so closely with the government, it cannot exercise its own discretion on its private site. As I laid out here, the suit intersected with both the IRA indictment and Khusyaynova complaint, and engaged in similar kinds of corporate laundry and trollish bullshit. The decision was a no-brainer decision based on Section 230 grounds, giving providers immunity when they boot entities from their services. But the decision also confirms what is already evident: when it comes to shell companies in the business of trolling, thus far whack-a-mole removals have worked more consistently than seemingly symbolic prosecution.

DOJ may well revisit how it charged this to try to attach a FARA liability onto online disinformation. But ultimately the biological humans, not the corporation shells or the bots, need to be targeted.

NSA Is Probably Withholding Details of the Alleged Burisma Hack from Congress

Over the weekend, Adam Schiff and other impeachment managers started alleging that the NSA is withholding information about Ukraine from the Intelligence Committees and impeachment team.

“And I’ll say something even more concerning to me, and that is the intelligence community is beginning to withhold documents from Congress on the issue of Ukraine,” Schiff said. “The NSA, in particular, is withholding what are potentially relevant documents to our oversight responsibilities on Ukraine, but also withholding documents potentially relevant that the senators might want to see during the trial.”

Schiff added: “There are signs that the CIA may be on the same tragic course. We are counting on the intelligence community not only to speak truth to power, but to resist pressure from the administration to withhold information from Congress because the administration fears that they incriminate them.”

An Intelligence Committee official later said, “Both the NSA and CIA initially pledged cooperation, and it appears now that the White House has interceded before production of documents could begin.”

Schiff had dropped the claim, at times, in his presentation to the Senate and to the press.

But in his stem-winding close last night, he mentioned the alleged Burisma hack in a way that strongly suggests that’s what NSA is withholding.

Now we just saw last week a report that Russia tried to hack, or maybe did hack, Burisma. Okay. I don’t know if they got in. I’m trying to find out. My colleagues on the Intel Committee, House and Senate, we’re trying to find out, did the Russians get in? What are the Russian plans and intentions? Well, let’s say they got in. And let’s say they start dumping documents to interfere in the next election. Let’s say they start dumping some real things they hacked from Burisma, let’s say they start dumping some fake things they didn’t hack from Burisma, but they want you to believe they did. Let’s say they start blatantly interfering in our election again, to help Donald Trump. Can you have the least bit of confidence that Donald Trump will stand up to them and protect the national interest over his own personal interest? You know you can’t.

Schiff’s speech was a planned show-stopper, climax, thus far, of the impeachment trial. It is highly unlikely Schiff included this mention, with the detail that he and both the Intelligence Committees are trying to figure out whether Burisma really got hacked, without very good reason.

But it also goes to the power of information war.

When NYT first reported that GRU had hacked Burisma, I had two thoughts.

The hackers fooled some of them into handing over their login credentials, and managed to get inside one of Burisma’s servers, Area 1 said.

“The attacks were successful,” said Oren Falkowitz, a co-founder of Area 1, who previously served at the National Security Agency. Mr. Falkowitz’s firm maintains a network of sensors on web servers around the globe — many known to be used by state-sponsored hackers — which gives the firm a front-row seat to phishing attacks, and allows them to block attacks on their customers.

“The timing of the Russian campaign mirrors the G.R.U. hacks we saw in 2016 against the D.N.C. and John Podesta,” the Clinton campaign chairman, Mr. Falkowitz said. “Once again, they are stealing email credentials, in what we can only assume is a repeat of Russian interference in the last election.”

[snip]

To steal employees’ credentials, the G.R.U. hackers directed Burisma to their fake login pages. Area 1 was able to trace the look-alike sites through a combination of internet service providers frequently used by G.R.U.’s hackers, rare web traffic patterns, and techniques that have been used in previous attacks against a slew of other victims, including the 2016 hack of the D.N.C. and a more recent Russian hack of the World Anti-Doping Agency.

“The Burisma hack is a cookie-cutter G.R.U. campaign,” Mr. Falkowitz said. “Russian hackers, as sophisticated as they are, also tend to be lazy. They use what works. And in this, they were successful.”

First, this attribution is not (yet) as strong as even the first attribution that GRU had hacked the DNC, to say nothing of the 30 non-government sources for that attribution since laid out in the GRU indictment and the Mueller Report. There’s good reason to remain cautious about this attribution until we get more than one not very well established contractor attributing the hack.

But to some degree, it doesn’t matter whether GRU hacked Burisma and whether they took documents with plans to leak them during the election. Indeed, disinformation may explain why this was an easily identifiable hack, whether done by GRU or someone else. Because the news that someone appearing to be GRU targeted Burisma in early November — when it was clear Trump would be impeached for extorting Volodymyr Zelensky to get dirt on Burisma — serves a clear purpose. It adds evidence that Trump is owned by Russia and, after the Senate doesn’t vote to remove him, will demonstration that Republicans don’t much give a damn that he is owned by Russia.

To be clear: There’s abundant evidence that Russia does have leverage over Trump, and more is likely to be forthcoming.

But that’s far more valuable, for Russia, if that’s public and if the Republicans in the Senate sanction it.

And that may explain why NSA is withholding the information, if indeed that’s what they’re withholding. In the same way that the FBI went to great lengths to withhold a letter they believed to be disinformation suggesting that Loretta Lynch would fix the Hillary investigation, information that appears to add to the already abundant case that Russia is in the tank for Trump. Given the stakes, that doesn’t justify it. But at this point, GRU wouldn’t need to hack Burisma for any point — the hack itself, in the middle of the impeachment investigation, is enough to lay a marker on Donald J. Trump.

He belongs to the GRU, the hack says, whether or not he does anything affirmatively to confirm that claim. But if the NSA is withholding that detail, it would seem to confirm the point.

Two Details That Many Are Missing in/about the Stone Indictment

I’ve been traveling most of the day to get out of the Midwest before the snow and record low temperatures show up, and will be buried for three days working on things that have nothing to do with any investigation Mueller has been involved in since 2013.

But I do want to add two details to the parlor game going on about whether or not the Roger Stone indictment is the tip of a conspiracy-burg or evidence there’s no there there. Joyce White Vance argues that Mueller charged Stone the way he did to hide the rest of the conspiracy prosecution.

Why didn’t Mueller charge Stone with conspiracy? The rules in federal cases require that prosecutors provide defendants with broad discovery. By indicting Stone on a fairly narrow set of charges, Mueller limits what has to be disclosed & can protect ongoing investigation.

Randall Eliason offers a respectable version of the argument that the indictment suggests there won’t be a conspiracy case.

There have always been at least two possible end games for the Mueller investigation. He could uncover evidence of a widespread criminal conspiracy between the Trump campaign and Russians to influence the election. Or he could conclude that the campaign’s numerous documented interactions with Russians seeking to help Trump win were not criminal, but people close to Trump lied to cover up those interactions because revealing them would have been politically devastating.

Stone’s indictment falls into the coverup category. Mueller may have evidence of the broader conspiracy, and more charges may well be coming. But every case like Stone’s, or those against former campaign manager Paul Manafort, that is filed without charging a conspiracy with the Russians makes it seem more likely that criminal charges brought by the special counsel will end up being primarily about the coverups.

Andy McCarthy offers a less respectable version of the same.

Neither Eliason nor McCarthy account for one of the only new details in the indictment, showing that an unidentified Steve Bannon associate congratulated Stone on October 7.

On or about October 7, 2016, Organization 1 released the first set of emails stolen from the Clinton Campaign chairman. Shortly after Organization 1’s release, an associate of the high-ranking Trump Campaign official sent a text message to STONE that read “well done.” In subsequent conversations with senior Trump Campaign officials, STONE claimed credit for having correctly predicted the October 7, 2016 release.

This detail shows that the Trump campaign at least believed that Stone succeeded in getting WikiLeaks to drop the John Podesta emails to distract attention from the Access Hollywood video, which in turn is consistent with a claim Jerome Corsi made about Stone having advance knowledge of the Access Hollywood video and that he and Stone succeeded in timing the email release.

 Corsi wrote in his forthcoming 57,000-word book that he told Zelinsky that Stone told him in advance that the “Access Hollywood” tape would be released.

He wrote that “although I could not remember exactly when Roger told me, or the precise substance of the discussion, I remembered Roger told me before the Washington Post went to press with the Billy Bush tape that the tape was coming and that it would be a bombshell.”

Corsi said he had three phone calls with Stone in the hours before the release of the tape.

“I know nothing about that, either does Jerry Corsi,” Stone told TheDCNF. When asked why Corsi might be motivated to make a false claim, Stone said: “He’s saying this because the prosecutors induced him to say it.”

Corsi also wrote that Zelinsky revealed that prosecutors had evidence of an email exchange between he and Stone “in which Stone expressed pleasure that Assange had released the Podesta emails as instructed.”

Corsi said he replied that he and Stone “should be given credit” for the release.

While Stone disputes Corsi’s claim and Corsi feigns forgetfulness about precisely what happened, by including a communication showing Stone getting credit for the timing, Mueller is suggesting that Corsi is right — and that he has credible, corroborating evidence to prove it.

That’s more coordination — between Corsi and Stone, but more importantly between some go-between and WikiLeaks — than would be the case if Stone’s indictment were all Mueller had. It would put Stone and Corsi in a conspiracy with WikiLeaks and their go-between(s).

Then there’s this detail from the motion to seal Stone’s indictment that no one has yet offered a full explanation for (indeed, most of the reports that noted that Amy Berman Jackson had been assigned the case didn’t explain this detail at all).

Someone — and it would almost certainly have to be the prosecutors (including one who, DC US Attorney’s office prosecutor Jonathan Kravis, is on the internet Research Agency case),  — told the court that Stone’s namby pamby “process crime” is related to the big conspiracy case involving WIkiLeaks with a bunch of Russian hackers. (I’ve updated my running docket of Mueller and potentially related cases to reflect Stone’s indictment.) And while it’s true that Stone is described in the GRU indictment, he is not named in a way that the court would identify that by themselves. WikiLeaks shows up in both, but there’s no need to tie WikiLeaks cases together unless some defendant is going to show up to face prosecution (and WikiLeaks is does not take any of the overt acts described in the Stone indictment).

I don’t pretend to understand how this happened or what it all means. But there’s nothing about the Stone obstruction prosecution that would overlap with the evidence in the GRU indictment. And, as charged, the GRU indictment won’t be prosecuted at all until Julian Assange or someone else involved in it ends up in DC to face charges.

By all means, continue the parlor game. But at least explain how those two details fit into your theory of nothing-“berder” or grand conspiracy.

Update: By popular demand, I’m including the definition of a “related case” under DC’s local rules.

A related case for the purpose of this Rule means as follows:

(1) Criminal cases are deemed related when

(i) a superseding indictment has been filed, or

(ii) more than one indictment is filed or pending against the same defendant or defendants, or

(iii) prosecution against different defendants arises from a common wiretap, search warrant, or activities which are a part of the same alleged criminal event or transaction. A case is considered pending until a defendant has been sentenced.

Certainly, WikiLeaks is named as a co-conspirator in both. But it is not yet a defendant. Though both cases may rely on a wiretap targeting Wikileaks. Or perhaps Stone’s search warrant included his conversations with Guccifer 2.0, and so the other indictment.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

A Tale of Two GRU Indictments

Yesterday, DOJ indicted a bunch of GRU hackers again, in part for hacks in retaliation for anti-doping associations’ reports finding a state-run Russian effort to help its athletes cheat (though also including hacks of Westinghouse and the Organization for the Prohibition of Chemical Weapons (OPCW)).

As the DNC GRU indictment did, this indictment provides a snapshot of the division of labor in GRU, made easier by the capture of four of these guys, with all their hacking toys in the trunk of their rented car, in the Netherlands. I find a comparison of the two indictments — of some of the same people for similar activity spanning the same period of time — instructive for a number of reasons.

The team

Consider the team.

There are Aleksei Morenets and Evgenii Serebriakov, whom the indictment calls “on-site GRU hackers who traveled to foreign countries with other conspirators, in some instances using Russian government issued diplomatic passports to conduct on-site operations.” Serebriakov even has a title, “Deputy Head of Directorate,” which sounds like a pretty senior person to travel around sniffing WiFi networks.

There are the three men we met in the DNC indictment, Ivan Yermakov, Artem Malyshev, and Dmitriy Badin, all of whom work  out of Moscow running hacks. Yermakov and Malyshev were closely involved in both hacks in 2016 (as demonstrated by the timeline below).

Finally, there are Oleg Sotnikov and Alexey Minin, who joined Morenets and Serebriakov as they tried to hack the Organization for the Prohibition of Chemical Weapons (OPCW) and tried to hack the Spiez Chemical laboratory that was analyzing the Novichok used to poison Sergei Skripal.

There are slightly different tactics than in the DNC hack. For example, GRU used a bunch of bit.ly links in this operation (though some of those are an earlier campaign against Westinghouse). And they sent out hackers to tap into targets’ WiFi networks directly, whereas none of the DNC hackers are alleged to have left Russia.

But there’s a ton of common activity, notably the spearphishing of targeted individuals and the use of their X-Agent hacking tool to exploit targeted machines.

Overlapping hack schedule

I’m also interested in the way the WADA hack, in particular, overlaps with the DNC one. I’ve got a timeline, below, of the two indictments look like (I’ve excluded both the Westinghouse and OPCW hacks from this timeline to focus on the overlapping 2016 operations).

Yermakov and Malyshev are described by name doing specific tasks in the DNC hack though May 2016. By August, they have turned to hacking anti-doping targets. Yermakov, in particular, seems to play the same research role in both hacks.

Given the impact of these operations, it’s fairly remarkable that such a small team conducted both.

Common bitcoin habits and possibly even infrastructure

There are also paragraphs in the WADA indictment, particularly those pertaining to the use of bitcoin to fund the operation used to substantiate the money laundering charge, that appear to be lifted in their entirety from the DNC one (or perhaps both come from DOJ or Western PA US Attorney boilerplate — remember that the DNC hack was originally investigated in Western PA, so this language likely originates there).

These include:

  •  58/106: Describing how conspirators primarily used bitcoin to pay for infrastructure
  • 59/107: Describing how bitcoin works, with examples specific to each operation provided
  • 60/108: Describing how conspirators used dedicated email accounts to track bitcoin transactions
  • 61/109: Describing how conspirators used the same computers to conduct hacking operations and facilitate bitcoin payments
  • 62/110: Describing how conspirators also mined bitcoin and then used it to pay for servers, with examples specific to each operation
  • 64/111: Describing how conspirators used the same funding structure and sometimes the same pool of funds to pay for hacking infrastructure, with examples specific to each operation provided

The similarity of these two passages suggests two things. First, it suggests that the August 8, 2016 transaction in the WADA indictment may have been orchestrated from the gfade147 email noted in the DNC indictment. With both, the indictment notes that “One of these dedicated accounts … received hundreds of bitcoin payment requests from approximately 100 different email accounts,” with the DNC indictment including the gfade147 address. (Compare paragraphs 60 in the DNC indictment with 108 in the WADA one.)  That would suggest these two operations overlap even more than suspect.

That said, there’s one paragraph in the DNC indictment that doesn’t have an analogue in the WADA one, 63. It describes conspirators,

purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.

Given how loud much of these operations were, it raises questions about why some of the DNC hack (but not, at least by description) the WADA one would require “heightened anonymity.”

Different treatment of InfoOps

I’m perhaps most interested in the different treatment of the InfoOps side of the operation. As I noted here, in general there seems to be a division of labor at GRU between the actual hackers, in Unit 26165, which is located at  20 Komsomolskiy Prospekt, and the information operations officers, in Unit 74455, which is located in the “Tower” at 22 Kirova Street, Khimki. Both units were involved in both operations.

Yet the WADA indictment does not name or charge any Unit 74455 officers, in spite of describing (in paragraphs 1 and 11) how the unit acquired and maintained online social media accounts and associated infrastructure (paragraph 76 describes that infrastructure to be “procured and managed, at least in part, by conspirators in GRU Unit 74455”). Five of the seven named defendants in the WADA indictment are in Unit 26165, with Oleg Sotnikov and Alexey Minin not identified by unit.

By comparison, three of the 11 officers charged in the DNC indictment belong to Unit 744555.

And the WADA campaign did have a significant media component, as explained in paragraphs 76-87. The indictment even complains (as did DOJ officials as the press conference announcing this indictment) about,

reporters press[ing] for and receiv[ing] promises of exclusivity in such reporting, with one such reporter attempting to make arrangements for a right of first refusal for articles on all future leaks and actively suggesting methods with whicch the conspiracy could search the stolen materials for documents of interest to that reporter (e.g., keywords of interest).

That said, the language in much of this discussion (see paragraphs 77 through 81) uses the passive voice — “were registered,” “were named,” “was posted,” “were released,” “were released,” “were released,” “were released” — showing less certainty about who was running that infrastructure.

That’s particularly interesting given that the government clearly had emails between the Fancy Bear personas and journalists.

One difference may be, in part, that in the DNC indictment, there are specific hacking (not InfoOps) actions attributed to two of the Unit 74455 officers: Aleksandr Osadchuk and Anatoliy Kovalev. Indeed, Kovalev seems to have been added on just for that charge, as he doesn’t appear in the introduction section at the beginning of the indictment.

Whereas Unit 74455’s role in the WADA indictment seems to be limited to running the InfoOps infrastructure.

Importance of WikiLeaks and sharing with Republicans

It’s not clear how much we can conclude form all that. But the different structure in the DNC indictment does allow it to foreground the role of a number of others, such as WikiLeaks and Roger Stone and — as I suggested drop in some or all of  those others in a future conspiracy indictment — that were a key part of the election operation.

Timeline

February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphish Podesta personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopolous learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alive Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announces DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based sever and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send report password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 10-19: Morenets travels to Rio de Janeiro

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 2-9, 2016: Conspirators use multiple IP addresses to connect to or scan WADA’s network

August 2-4, 2016: Yermakov researches WADA and its ADAM database (which includes the drug test results of the world’s athletes) and USADA

August 3, 2016: Conspirators register wada.awa.org

August 5, 9, 2016: Yermakov researches Cisco firewalls, he and Malyshev send specific WADA employees spearfish

August 8, 2016: Conspirators register wada-arna.org and tas-cass.org

August 8, 2016: .012684 bitcoin transaction directed by dedicated email account

August 13-19, 2016: Morenets and Serebriakov travel to Rio, while Yermakov supports with research in Moscow

August 14-18, 2016: SQL attacks against USADA

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 19, 2016: Serebriakov compromises a specific anti-doping official and obtains credentials to access ADAM database

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 1, 2016: Domains fancybear.org and fancybear.net registered

September 6, 2016: Conspirators compromise credentials of USADA Board member while in Rio

September 7-14, 2016: Conspirators try, but fail, to use credentials stolen from USADA board member to access USADA systems

September 12, 2016: Data stolen from WADA and ADAMS first posted, initially focusing on US athletes

September 12, 2016 to January 17, 2018: Conspirators attempt to draw media attention to leaks via social media

September 18, 2016: Morenets and Serebriakov travel to Lausanne, staying in anti-doping hotels, to compromise hotel WiFi

September 19, 2016 to July 20, 2018: Conspirators attempt to draw media attention to leaks via email

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 6, 2016: Emails stolen from USADA first released

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

December 6, 2016 – January 2, 2017: Using IP frequently used by Malyshev, conspirators compromise FIFA’s anti-doping files

December 13, 2016: Data stolen from CCES released

January 19-24, 2017: Conspirators compromise computers of four IAAF officials

June 22, 2017: Data stolen from IAAF’s network released

July 5, 2017: Data stolen from IAAF’s network released

August 28, 2017: Data stolen from FIFA released

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Three Things: Russia and China Spying, Kavanope

[NB: Yes, it’s Rayne, not Marcy. Check the byline.]

Huge news earlier today related to spying. Really big. MASSIVE.

And a MASSIVE cover-up pawned off on the feeble-minded as a ‘complete investigation‘ into Dr. Ford’s and Deborah Ramirez’s accusations against Brett Kavanaugh.

~ 3 ~

Bloomberg published an epic piece of investigative journalism this morning about China’s spying on U.S. businesses by way of tiny chips embedded in server motherboards. The photos in the story are just as important as the must-read story itself as they crystallize a challenge for U.S. intelligence and tech communities. Like this pic:

That tiny pale obelisk to the right of the penny represents one of the malicious chips found in affected Supermicro brand motherboards shipped to the U.S. market — nearly as small as the numbers in the date on the coin. Imagine looking for something this puny before a machine is turned on and begins to launch its operating system. Imagine trying to find it when it is sandwiched inside the board itself, embedded in the fiberglass on top of which components are cemented.

The chip could undermine encryption and passwords, making any system open to those who know about its presence. According to Bloomberg reporters  Jordan Robertson and Michael Riley, the chips found their way into motherboards used by Apple and Amazon.

Information security folks are scrambling right now because this report rocks their assumptions about the supply chain and their overall infosec worldview. Quite a few doubt this Bloomberg report, their skepticism heightened by the carefully worded denials offered by affected and relevant parties Apple, Amazon, Supermicro, and China. Apple provided an itemization of what it believed Bloomberg Businessweek got wrong along with its denial.

I’ll have more on this in a future post. Yes, indeedy.

~ 2 ~

A cooperative, organized response by Britain, The Netherlands, U.S., and Canada today included the indictment of seven Russians by the U.S. for conspiracy, conspiracy to commit wire fraud, wire fraud, aggravated identity theft, and conspiracy to launder money. The Russians have been identified as members of a GRU team organized out of a facility in Moscow, working on hacking and a disinformation influence campaign focused on anti-doping entities and non-Russian Olympic athletic competitors.

Note the underlined bit in this excerpt from the indictment (pdf) — the last indictment I copied with similar wording was that of Evgeny Buryakov and his two comrades, the three spies based in New York City who worked with “Male-1”, now known to be Carter Page. Who are the known and unknown? Persons who have flipped or co-conspirators yet to be named?

The UK released a statement as did the Canadians, and Netherlands issued a joint statement with the UK about the entirety of spying for which this GRU team is believed to be responsible, including an attempt to breach the Organisation for the Prohibition of Chemical Weapons’ (OPCW) facility analyzing the Novichok nerve agent used to poison the Skripals in the UK as well as chemicals used against Syrians.

Cryptocurrency news outlets report concerns that this indictment reveals the extent of USDOJ’s ability to trace cryptocurrency.

An interesting coincidence took place overnight as well — Russian Deputy Attorney General Saak Karapetyan died last night when an unauthorized helicopter flight crashed northeast of Moscow. Karapetyan had been linked this past January to Natalia Veselnitskaya and an attempt to recruit Switzerland’s top investigator as double-agents. But Karapetyan had also been involved in Russia’s response to the poisoning of Alexander Litvinenko and the aftermath of the Skripals’ poisoning in the UK.

What remarkable timing.

One might wonder if this accident had anything to do with the unusual release of GRU personnel details by the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice during their joint statement today.

By comparing the released identity documents, passports, automobile registrations and the address provided when cars were rented, the identities of a total 305 GRU agents may have been identified by bellingcat and The Insider including the four out of the seven men wanted by the U.S. for the anti-doping hackingas well as attempted breach of OPCW.

The identity of the four GRU agents accused of targeting the OPCW was cinched by a taxi receipt in one agent’s pocket from a location on the road next to the GRU’s facility in Russia. Four agents also had consecutive passport numbers.

What remarkably bad opsec.

~ 1 ~

As for the impending vote on Brett Kavanaugh:

– Senator Heidi Heitkamp is voting her conscience — NO on Kavanaugh.
– Senator Joe Manchin is now the lone Dem holdout; he says he’s still listening but hasn’t seen anything incriminating from Kavanaugh’s adulthood. (Gee, I wonder why.)
– Senator Bob Menendez didn’t mince words. He said “It’s a bullshit investigation.” (He should know what a thorough investigation looks like).

And the beer-loving former Yale frat boy had an op-ed published in the Wall Street Journal which pleads with us to lose all intelligence and believe that he is really very neutral. I am not even going to link to that POS which has re-enraged women all over the country.

GTFO.

Continue calling your senators to thank them for a NO vote on Kavanaugh so that they aren’t hearing right-wing demands alone. Congressional switchboard: (202) 224-3121

~ 0 ~

This is an open thread. Sic ’em.

Andy McCarthy’s Misconception

I was struck, in reading Andy McCarthy’s review of the Michael Cohen and Paul Manafort guilty outcomes last week (in which he measures Trump via a vastly different standard than he once measured Bill Clinton), by this erroneous claim:

The Trump camp continues to stress that Manafort’s case had nothing to do with the original rationale for Mueller’s investigation, “collusion with Russia.” But as we’ve pointed out any number of times, Mueller took over a counterintelligence investigation of Russia’s interference in the 2016 election. Possible Trump-campaign collusion with Russia was just one thread in the larger probe.

The claim that the Trump-campaign “collusion” was just one thread of what Mueller originally took over is false, but utterly critical for McCarthy’s sustained belief that Mueller has not found evidence of a conspiracy between Trump and Russia. While it is true that when Comey confirmed the investigation, he did not specify the structure of the investigation,
I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts. As with any counterintelligence investigation, this will also include an assessment of whether any crimes were committed.
When Rod Rosenstein appointed Mueller, he described Mueller’s scope to include,
  • any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and
  • any matters that arose or may arise directly from the investigation; and
  • any other matters within the scope of 28 C.F.R. § 600.4(a)

Why McCarthy made this error is clear: he uses the existence of and Mueller’s indictments in a broader counterintelligence investigation to sustain his belief that Mueller doesn’t have a “collusion” case against Trump or his associates.

At this point, it does not appear that Mueller has a collusion case against Trump associates. His indictments involving Russian hacking and troll farms do not suggest complicity by the Trump campaign. I also find it hard to believe Mueller sees Manafort as the key to making a case on Trump when Mueller has had Gates — Manafort’s partner — as a cooperator for six months. You have to figure Gates knows whatever Manafort knows about collusion. Yet, since Gates began cooperating with the special counsel, Mueller has filed the charges against Russians that do not implicate Trump, and has transferred those cases to other Justice Department components.

When it comes to the president, I believe the special counsel’s focus is obstruction, not collusion. When it comes to Manafort, I believe the special counsel’s focus is Russia — specifically, Manafort’s longtime connections to Kremlin-connected operatives. Mueller may well be interested in what Manafort can add to his inquiry into the June 2016 Trump Tower meeting (arranged by Donald Trump Jr. in futile hopes of obtaining campaign dirt from Russia on Hillary Clinton). That, however, is not the more serious “collusion” allegation that triggered the Trump thread of the investigation — cyberespionage conspiracy (i.e., Russian hacking of Democratic party emails).

That is, because Mueller indicted trolls and GRU hackers and then spun those prosecutions off to other teams (in the GRU case, back to one of the teams that originally investigated it), it is proof, in McCarthy’s mind, that Mueller isn’t targeting Trump and his associates for conspiring with Russia.

The actual background of the Mueller investigation suggests precisely the opposite. As I noted when Lawfare made precisely the same error in a post on the GRU indictment,

Friday’s indictment is, rather, the result of investigations conducted primarily in San Francisco and Pittsburgh. At the time Comey confirmed the counterintelligence investigation into Trump’s camp and at the time Comey got fired for not shutting the Trump counterintelligence investigation down, those San Francisco and Pittsburgh investigations were totally separate. Those two investigations almost certainly had little if any involvement from Peter Strzok (indeed, they involved a bunch of FBI cyber agents, a division of FBI that Strzok never tired of mocking in his texts to Lisa Page). The DOJ press release from Friday states that explicitly.

This case was investigated with the help of the FBI’s cyber teams in Pittsburgh, Philadelphia and San Francisco and the National Security Division.

Those two investigations (plus the separate one noted in Philadelphia that started later, as I understand it from what a lawyer who represented a witness in that investigation described to me) got moved under the Mueller umbrella sometime in or just before November, and now the GRU officer part of the investigation will be moved back to Pittsburgh where it started, to languish forever like some other nation-state hacker indictments investigated by Western District of Pennsylvania.

Given that both public reporting (starting in February 2017 and extending into November 2017) and Mueller team changes (not to mention my own reporting about the Philadelphia grand jury’s activity in the second half of May 2017 and my own knowledge about where I interviewed and where my interview materials subsequently got moved to) support this narrative, McCarthy (and the Lawfare crowd) might ask why Mueller decided to integrate the cybersecurity parts of the investigation, only to spin the Russian defendants back to other teams once they were indicted?

We can begin to get an answer from the two indictments that — Andy wants to believe — are themselves evidence that Mueller doesn’t have evidence on Trump’s associates but actually are. The Internet Research Agency indictment actually describes three Florida-based Trump campaign officials inconclusively, as if they were either still under investigation or at some legal risk.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

And while the GRU indictment (on top of key clauses being misread by virtually everyone who has read it) doesn’t use the same convention to describe Roger Stone’s communications with Guccifer 2.0…

On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who wasin regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”

It pointed to Russia’s response to Donald Trump’s request that they hack Hillary without referring to him one way or another.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a thirdparty provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

What Mueller has done with both of the counterintelligence indictments that McCarthy takes solace in is lay out the Russian side of a conspiracy (and both are charged as conspiracies) with very clear spots into which American co-conspirators may be dropped when Mueller is prepared to do so. (I laid this out at more length in this post.)

Importantly, the fact that some of this investigation started out in other parts of DOJ but then got moved under Mueller make it clear that something came up in the investigation that Mueller and Rosenstein believed required they be moved under Special Counsel when they weren’t there, originally.

Let’s put it this way: Mueller didn’t subsume investigations located elsewhere at DOJ because the Special Counsel needed to be the one to indict a bunch of Russians. He did it to set up the conspiracies that would — that will — later be occupied by Russians and Americans.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Info Ops Unit at GRU, Not the Technical Hacking Unit, Hacked the State Boards of Election Servers

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

Yesterday, there was a big to-do on Twitter about a story (which subsequently got pulled) claiming that vote totals got changed as part of the Russian attack on the 2016 election. I don’t care to engage the story — which I understand was very weak — directly. There are multiple ways for Russian efforts to have affected the outcome of the election, and the evidence increasingly supports a conclusion that that happened, without vote totals getting changed.

That said, given the focus on changing vote tallies, I want to note something about Mueller’s GRU hacker indictment that has gotten almost no attention. Twelve men were indicted, from two different units of GRU, Units 26165 and 74455. The indictment describes the activities of each department in a way that generally suggests a division of labor, with Unit 26165 carrying out core hacking activities and Unit 74455 carrying out information operations. Here’s what that breakdown looks like.

Unit 26165

Address: 20 Komsomolskiy Prospekt (this is the location spied on by the Dutch intelligence agency, AIVD).

Charged individuals:

  • Viktor Netyksho: Commands Unit 26165
    • Boris Antonov: “Head of Department” that oversees spear-phishing targeting
      • Dmitriy Badin: “Assistant Head of Department” conducting spear-phishing targeting
      • Ivan Yermakov: works for Antonov, uses identities Kate Milton, Kames McMorgans, Karen Millen. Hacked at least two email accounts the contents of which were released by DCLeaks. Helped hack DNC emails server released through WikiLeaks.
      • Aleksey Lukashev: Senior Lieutenant in Antonov’s department. Uses identities Den Katenberg, Yuliana Martynova. Sent spear-phishing emails to Clinton campaign, including the one to John Podesta.
    • Sergey Morgachev: Lieutenant Colonel who oversaw department that developed and managed X-Agent.
      • Nikolay Kozachek: Lieutenant Captain. Used monikers including “kazak” and “blablabla1234565.” Developed, customized, and monitored X-Agent used to hack DCCC.
      • Pavel Yershov: Helped customize and text X-Agent before deployment against DCCC.
      • Artem Malyshev: Second Lieutenant in Morgachev’s department. Used handles “djangomagicdev” and “realblatr.” Monitored X-Agent implanted in DCCC and DNC servers.

Charged actions attributed to named defendants:

  • ¶21-22: Spear-phishing targets
  • ¶23-25: Hacking into DCCC
  • ¶29-30: Stealing DCCC and DNC documents
  • ¶33: Persistence in DCCC and DNC servers

Crimes charged to named defendants:

  • Count One: CFAA
  • Counts Two through Nine: Aggravated Identity Theft
  • Count Ten: Conspiracy to Launder Money

Unit 74455

Address: 22 Korva Streett, Khimki (the Tower)

Charged individuals:

  • Aleksandr Osadchuk: Colonel and commanding officer of 74455, which assisted in release of stolen documents through DCLeaks, Guccifer 2.0, and the publication of anti-Clinton propaganda on social media.
    • Aleksey Potemkin (!!): A supervisor in department responsible for administration of computer infrastructure used to assist in release in DCLeaks and Guccifer 2.0 documents.
    • Anatoliy Kovalev: officer assigned to 74455 involved in hacks of State Boards of Election.

Charged actions attributed to named defendants:

  • ¶38: Operating fictitious personas promoting DCLeaks
  • ¶71-78: Hacking into State Boards of Election (SBOEs) and VR Systems

Crimes charged to named defendants:

  • Count One: CFAA
  • Counts Two through Nine: Aggravated Identity Theft
  • Count Ten: Conspiracy to Launder Money
  • Count Eleven: Conspiracy to Commit an Offense against the US

Generally, the indictment describes Unit 26165 as being in charge of the technical hacking, including excruciating detail on what named officer played what role in phishing and malware deployment activities (probably thanks to the AIVD intelligence). The description of the information operations — running DC Leaks and Guccifer 2.0 and working with WikiLeaks — is less specific as to which officer did what, but the indictment clearly assigns those activities to Unit 74455. In any case, the indictment appears to suggest a division of labor, where Unit 26165 carries out the technical hacking and Unit 74455 carries out the information operations.

All 12 GRU officers are charged in Counts One through Ten.

Count Eleven, the ConFraudUs charge, is an outlier, however, in two ways. First, just Unit 74455 officers — Osadchuk and Kovalev — are charged in this operation. And aside from the indictment’s description that Potemkin (!!) runs the infrastructure for Unit 74455, just the description of the phish of the State Boards of Election and VR Systems includes specific details about which Unit 74455 officer was involved in activities attributed to that unit.

All of which is to say that, for some reason, what is described as an information operations unit — Unit 74455 — conducted the hack of election infrastructure, not the technical hacking unit that carried out the other phishes of Democratic targets.

Perhaps the division of labor between these two units is not so clearcut as the indictment lays out. But if it is, then there may be an explanation why the information operations department would be hacking election infrastructure. Remember that in the days leading up to the election, Guccifer 2.0 — according to the indictment, a Unit 74455 operation — predicted the Democrats might “rig the elections.”

Hacks on SBOEs and election vendors would be an easy piece of evidence to point to to claim that Democrats had stolen the election. That is, it could be that these hacks (which, given that Illinois was targeted most aggressively, weren’t going to alter the presidential election) may have been propaganda designed to undermine the Hillary win that never materialized.

Mind you, I still await the results of the investigation into whether there was a tie between the VR Systems hack and oddities in Durham County, NC on election day, something that would amount to voter suppression rather than altering vote tallies.

But it is at least possible that the attacks on our voting infrastructure were designed as propaganda, this time at least, rather than as an attempt to use the information obtained.

What Was the Relationship Between FSB and GRU in the DNC Hack, Redux?

I want to return to last week’s House Intelligence Hearing on Russia (because that fecker Devin Nunes canceled my birthday hearing with James Clapper and John Brennan today), to revisit a question I’ve asked a number of times (in most detail here): what was the relationship between Russia’s FSB and GRU intelligence services in the DNC hack?

The public narrative (laid out in this post) goes like this: Sometime in summer 2015, APT (Advanced Persistent Threat) 29 (associated with FSB, Russia’s top intelligence agency) hacked the DNC along with 1,000 other targets and because DNC ignored FBI’s repeated warnings, remained in their network unnoticed. Then, in March 2016, APT 28 (generally though not universally associated with GRU, Russia’s military intelligence) hacked DNC and John Podesta. According to the public story, GRU oversaw the release (via DC Leaks and Guccifer 2.0) and leaking (to Wikileaks via as-yet unidentified cut-outs) of the stolen documents.

Under the public story, then, FSB did the same kind of thing the US does (for example, with Enrique Peña Nieto in 2012), collecting intelligence on a political campaign, whereas GRU did something new (though under FBI-directed Sabu, we did something similar to Bashar al-Assad in 2012), leaking documents to Wikileaks.

Obama’s sanctions to retaliate for the hack primarily focused on GRU, but did target FSB as well, though without sanctioning any FSB officers by name. And in its initial report on the Russian hack, the government conflated the two separate groups, renaming attack tools previously dubbed Cozy and Fancy Bear the “Grizzly Steppe,” making any detailed discussion of how they worked together more confusing. As I noted, however, the report may have offered more detail about what APT 29 did than what APT 28 did.

Last week’s hearing might have been an opportunity to clarify this relationship had both sides not been interested in partisan posturing. Will Hurd even asked questions that might have elicited more details on how this worked, but Admiral Mike Rogers refused to discuss even the most basic details  of the hacks.

HURD: Thank you, Chairman.

And gentlemen, thank you all for being here. And thank you for your continued service to your country. I’ve learned recently the value of sitting in one place for a long period of time and listening and today I’m has added to that understanding and I’m going to try to ask questions that y’all can answer in this format and are within your areas of expertise. And Director Rogers, my first question to you — the exploit that was used by the Russian’s to penetrate the DNC, was it sophisticated? Was it a zero day exploit? A zero day being some type of — for those that are watching, an exploit that has never been used before?

ROGERS: In an open unclassified forum, I am not going to talk about Russian tactics, techniques or procedures about how they executed their hacks.

HURD: If members of the DNC had not — let me rephrase this, can we talk about spear fishing?

ROGERS: Sure, in general terms, yes sir.

HURD: Spear fishing is when somebody sends an email and they — somebody clicks on something in that email…

ROGERS: Right, the user of things (inaudible) they’re receiving an email either of interest or from a legitimate user, they open it up and they’ll often click if you will on a link — an attachment.

HURD: Was that type of tactic used in the…

ROGERS: Again, I’m not in an unclassified forum just not going to be…

The refusal to discuss the most basic details of this hack — even after the government listed 31 reports describing APT 28 and 29 (and distinguishing between the two) in its updated report on the hacks — is weird, particularly given the level of detail DOJ released on the FSB-related hack of Yahoo. Given that the tactics themselves are not secret (and have been confirmed by FBI, regardless of what information NSA provided), it seems possible that the government is being so skittish about these details because they don’t actually match what we publicly know. Indeed, at least one detail I’ve learned about the documents Guccifer 2.0 leaked undermines the neat GRU-FSB narrative.

Comey did confirm something I’ve been told about the GRU side of the hack: they wanted to be found (whereas the FSB side of the hack had remained undiscovered for months, even in spite of FBI’s repeated efforts to warn DNC).

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

There is mounting evidence that Guccifer 2.0 went to great lengths to implicate Russia in the hack. Confirmation GRU also went out of its way to make noise during the DNC hack may suggest both within and outside of the DNC the second hack wanted to be discovered.

I have previously pointed to a conflict between what Crowdstrike claimed in its report on the DNC hack and what the FBI told FireEye. Crowdstrike basically said the two hacking groups didn’t coordinate at all (which Crowdstrike took as proof of sophistication). Whereas FireEye said they did coordinate (which it took as proof of sophistication and uniqueness of this hack). I understand the truth is closer to the latter. APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29 (though there may have been some back and forth before APT 29 did share).

All of which brings me to two questions Elise Stefanik asked. First, she asked — casually raising it because it had “been in the news recently” — whether the FSB was collecting intelligence in its hack of Yahoo.

STEFANIK: Thank you. Taking a further step back of what’s been in the news recently, and I’m referring to the Yahoo! hack, the Yahoo! data breech, last week the Department of Justice announced that it was charging hackers with ties to the FSB in the 2014 Yahoo! data breech. Was this hack done to your knowledge for intelligence purposes?

COMEY: I can’t say in this forum.

STEFANIK: Press reporting indicates that Yahoo! hacked targeted journalists, dissidence and government officials. Do you know what the FSB did with the information they obtained?

COMEY: Same answer.

Again, in spite of the great deal of detail in the indictment, Comey refused to answer these obvious questions.

The question is all the more interesting given that the indictment alleges that Alexsey Belan (who was sanctioned along with GRU in December) had access to Yahoo’s network until December 2016, well after these hacks. More interestingly, Belan was “minting” Yahoo account credentials at least as late as May 20, 2016. That’s significant, because one of the first things that led DNC to be convinced Russia was hacking it was when Ali Chalupa, who was then collecting opposition research on Paul Manafort from anti-Russian entities in Ukraine, kept having her Yahoo account hacked in early May. With the ability to mint cookies, the FSB could have accessed her account without generating a Yahoo notice. Chalupa has recently gone public about some, though not all, of the other frightening things that happened to her last summer (she was sharing them privately at the time). So at a time when the FSB could have accomplished its goals unobtrusively, hackers within the DNC network, Guccifer 2.0 outside of it, and stalkers in the DC area were all alerting Chalupa, at least, to their presence.

While it seems increasingly likely the FSB officers indicted for the Yahoo hack (one of whom has been charged with treason in Russia) were operating at least partly on their own, it’s worth noting that overlapping Russian entities had three different ways to access DNC targets.

Note, Dianne Feinstein is the one other person I’m aware of who is fully briefed on the DNC hack and who has mentioned the Yahoo indictment. Like Comey, she was non-committal about whether the Yahoo hack related to the DNC hack.

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

There seems to be a concerted effort to obscure whether the Yahoo hack had any role in the hack of the DNC or other political targets.

Finally, Stefanik asked Comey a question I had myself.

STEFANIK: OK, I understand that. How — how did the administration determine who to sanction as part of the election hacking? How — how familiar with that decision process and how is that determination made?

COMEY: I don’t know. I’m not familiar with the decision process. The FBI is a factual input but I don’t recall and I don’t have any personal knowledge of how the decisions are made about who to sanction.

One place you might go to understand the relationship between GRU and FSB would be to Obama’s sanctions, which described the intelligence targets this way.

  • The Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU) is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.
  • The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.

[snip]

  • Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

Remember, by the time Obama released these sanctions, several FSB officers, including Dmitry Dokuchaev (who was named in the Yahoo indictment) had been detained for treason for over three weeks. But the officers named in the sanctions, unlike the private companies and individual hackers, are unlikely to be directly affected by the sanctions.

The sanctions also obscured whether Belan was sanctioned for any role in the DNC hack.

  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Again, all of this suggests that the intelligence community has reason to want to obscure how these various parts fit together, even while publicizing the details of the Yahoo indictment.

Which suggests a big part of the story is about how the public story deviates from the real story the IC is so intent on hiding.

Sanctioning GRU … and FSB

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU — Main Intelligence, and FSB –Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data provided by FireEye to War on the Rocks much later in the year suggested that the DNC hack was the only time both showed up in a server, which it took to mean the opposite of what Crowdstrike had, particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offers only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented — the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.