
Done Cookin’: Putin’s Chef Moves to Belarus [UPDATE-1]

[NB: check the byline, thanks. Updates will appear at the bottom of this post. /~Rayne]

If you have a bead on what transpired in Russia from Friday through Saturday, you’re ahead of most folks.

I’ll let VOA’s Steve Herman give a tick-tock:

1:14 p.m. ET / 8:14 p.m. Moscow —

1:16 p.m. ET / 8:16 p.m. Moscow —

1:29 p.m. ET / 8:29 p.m. Moscow —

What the hell happened?

There’s a bit more in the audio:

Dmitri
Prigozhin says it’s over:

“They were going to dismantle PMC Wagner. We came out on 23 June to the March of Justice. In a day, we walked to nearly 200km away from Moscow. In this time, we did not spill a single drop of blood of our fighters. Now, the moment has come when blood may spill. That’s why, understanding the responsibility for spilling Russian blood on one of the sides, we are turning back our convoys and going back to field camps according to the plan.”

Audio: https://t.me/concordgroup_official/1303
1:31 PM · Jun 24, 2023

The recent order for mercenaries to sign a contract with Russia’s defense ministry does appear to be a trigger. It would be tantamount to disbanding Wagner group since its personnel would be directly subordinate to Russia’s Defense Ministry and not Prigozhin and Wagner leadership.

Many, MANY people are still scratching their heads about Belarus’s president Alexander Lukashenko acting as a peace broker.

For my part I thought Lukashenko had flown out of Belarus late last night Belarus time according to reports in social media. Indeed, The New Voice of Ukraine reported he’d left just after midnight and arrived in Turkey at 5:15 a.m. local time after taking a wide detour:

According to the map, the plane tried to bypass Russia’s Krasnodar and Stavropol Krais, flew over the Caspian Sea and then reached the Turkish resort via Georgia.

That’s nearly twice as long as necessary to get to Turkey, which one might do if concerned about missile launchers in or near eastern Ukraine/western Russia.

Why Lukashenko, who appears to be a rather inert figure save for Putin’s puppetmastery, especially since he’d been rumored to be quite sick for weeks?

At 2:20 p.m. ET the advisor to the Minister of Internal Affairs of Ukraine tweeted —

Anton Gerashchenko

Former supporter of Prigozhin about alleged agreement between Prigozhin and Russian authorities:

“Now it’s finally allowed to say the three things he’s been promised. 1. Shoigu’s resignation. 2. Amnesty for “musicians” [Wagner mercenaries]. 3. The possibility to return to Africa. I’m sure that in reality he signed his own death sentence. And Wagner PMC as well, of course.”

In general, many “Wagner war correspondents” are extremely disappointed with the situation.

Some publicly resign. And curse Prigozhin.

2:20 PM · Jun 24, 2023

To be fair, let’s acknowledge before Prigozhin’s feint over the last day either Putin and/or Shoigu wanted to seize control of Wagner group personnel directly to augment what’s left of Russia’s armed forces.

But Prigozhin signing his own death warrant? Hmm — who’d execute it?

In the course of sorting through all the feeds and news articles related to the last 24 hours in Ukraine and Russia, I ran across several social media reports regarding the parties to the negotiations with Prigozhin. They contained a tidbit which at the time the deal was reported didn’t seem important.

Now I realize it may have been critical to understanding why Prigozhin traded away what looked like his leverage by stopping the march to Moscow and reversing Wagner personnel’s direction back to Rostov and the front.

In these reports it was noted Lukashenko was not the actual negotiator but that the other participant was key to the process — Tula’s governor Aleksey Dyumin. Lukashenko may instead have been a guarantor of the deal while Dyumin, a former member of FSB, GRU, presidential guard, and deputy defense minister, handled the negotiations.

Tula Oblast is a province located in Russia’s Central Federal District; its capital city, Tula, is located about 140 miles/224 km south of Moscow.

The M4 highway on which Wagner group personnel convoy worked its way toward Moscow runs right through the heart of Tula Oblast.

One could see why Tula’s governor might have a vested interest in negotiating a de-escalation of tensions since the convoy might begin to run into conflict in the middle of the oblast.

But if negotiations were between Lukashenko, Dyumin, and Prigozhin, why was Lukashenko given top billing with Dyumin’s role rarely mentioned in media?

This article in Meduza from last autumn, focusing on the relationship between Prigozhin and Chechnya’s Ramzan Kadyrov, also spells out their connections to Dyumin:

Meduza’s sources also say that Kadyrov’s and Prigozhin’s criticisms of the army are silently supported by “a group of ambitious young FSO-men” — that is, Putin’s former security officers, the Governor of Tula Alexey Dyumin and the former head of the Yaroslavl region, Dmitry Mironov, who is now an assistant to the President. According to sources close to the President’s Office, Mironov and Dyumin often talk and meet in person. Sources in the Yaroslavl and Tula regions confirm this information.

A source in Tula’s regional administration points out that, even before the war, Evgeny Prigozhin collaborated with the local government – for example, by bringing political consultants to manage elections. The Insider (a media project deemed a “foreign agent” and “undesirable” in Russia) has also written about Dyumin’s connection to Prigozhin.

According to two sources close to the President’s Office, Ramzan Kadyrov got to know both Dyumin and Prigozhin when they were still Putin’s bodyguards. Apparently, Kadyrov was friendly with both of them – and even called Dyumin his “elder brother.”

“FSO men” — members of the Federal Protective Service which includes Putin’s guards. What an interesting common link.

Lukashenko is also connected to Dyumin economically; Belarus and Tula Oblast have swapped commodities since a deal last autumn. It’s possible this is a means to get around sanctions on Russia though it’s not clear from financial reporting.

But Lukashenko has another relationship which hasn’t surfaced in all of today’s reporting. Belarus has been useful to Wagner group:

The last weeks of the 2020 presidential election campaign in Belarus brought an unexpected development: on July 29th, Belarusian authorities arrested 33 Russian citizens who allegedly belonged to the Wagner Group. While Belarusian President Aleksandr Lukashenko used the story of the arrested Wagner operatives for his election campaign, accusing them of planning to interfere with the elections, independent sources revealed that, in fact, the Wagner Group has been using Belarus regularly as a transit country to various operational theaters; thus their presence on Belarusian territory was by no means extraordinary.

Wagner uses Belarus to move to its other operations and programs while it also proved useful as a scapegoat — or willing partner — in the 2020 election.

One of the sources which mentioned Dyumin was the real negotiator also said he was the likely next Russian Defense Minister.

Which means that Dyumin may have had a vested interest in looking useful to Putin, making sure the negotiations included the removal of Sergei Shoigu as Defense Minister, and that Prigozhin would get something out of this show of force demanding Shoigu’s ouster.

Was all of this just theater by a handful of buddies who had shared histories in order to shift one of them into Defense Minister — the guy who’d likely award contracts to mercenaries?

~ ~ ~

One other critical point to keep in mind about Russian private military companies (PMCs) like Wagner: they don’t technically exist in Russia. They’re not licensed in any way; the government looks the other way allowing weasel words to justify companies having their own security. They’re meant to be a means to do off-the-books work so they aren’t in public or government records.

By being off-the-books, Putin can opt for maximum plausible deniability while keeping head count and subsequent losses out of the public eye, undocumented by Russian Ministry of Defense in casualty reports.

Between this fact and the Defense Ministry’s move to consolidate head count between regular armed forces and PMCs, Putin and/or Russian military’s top brass can hide the mounting Russian casualties in Putin’s misbegotten war on Ukraine.

Prigozhin didn’t spell this out directly, but he did point out that he felt Wagner was going to be broken up. He made this seizure of his PMC public if not on the books, and he punctuated it with the march, ensuring the head count Wagner committed to this statement was in the public’s consciousness.

Which brings up another point: responsible as he was for the Internet Research Agency troll farm which has screwed with the U.S. through online influence operations since 2013, Prigozhin knows how to influence perception and public opinion even with this march on Moscow.

How much of the march was an influence operation?

How much of the subsequent negotiations and the response of other key players was an influence operation?

Who was the intended target of the operation(s), if that’s what Wagner group’s weekend’s march toward Moscow was?

What was the ultimate intent of the operation(s), assuming that’s what this was, apart from the concessions revealed to the public?

~ ~ ~

It will be quite some time before all the details fall into place to explain what really happened.

Ukrainians may be amused by some of it, may have taken advantage of the situation by pressing east along the front during the confusion, but Russian missiles continued to fall on Ukraine. Three died when Kyiv was hit though Ukraine’s air defenses managed to deter 80% of the attempted strikes.

The U.S. intelligence community, though, had information suggesting Prigozhin could attempt a coup two weeks ago.

At least one news report suggested this possibility the last week of May.

Let’s hope Ukraine had been informed and will continue to be informed about another potential coup. With Putin’s grip on power proven weak by Prigozhin, it’s more likely there will be more marches toward Moscow ahead, increasing confusion in Russia about its leadership, and improved opportunities to seize more of eastern Ukraine and Crimea.

~ ~ ~

UPDATE-1 — 11:45 A.M. 26-JUN-2023 —

Kevin Rothrock, managing editor at Meduza (English), reported Prigozhin uploaded an audio recording which was more than 11 minutes long some time before 10:30 a.m. ET/5:30 p.m. Moscow time. Rothrock has published both a Russian and an English transcript though both are AI generated.

This is the English transcript:

Today I opened the press service and received thousands of questions about the events. In order to avoid misunderstandings, I want to answer the main of these questions. First. What were the prerequisites for Masha Justice on 06/23/23? PMC “Wagner” is perhaps the most experienced and combat-ready unit in Russia, and possibly in the world. motivated, charged fighters who performed a huge number of tasks in the interests of the Russian Federation and always only in the interests of the Russian Federation, in Africa, in the Arab countries and around the world. Recently, this unit has achieved good results in Ukraine, having completed the most serious tasks.

As a result of the intrigues of ill-conceived decisions, this unit was supposed to cease to exist on July 1, 23. A council of commanders gathered, which brought all the information to the fighters. No one agreed to sign a contract with the Ministry of Defense, since everyone knows very well from the current situation of their experience during the NWO that this will lead to a complete loss of combat capability. Experienced fighters, experienced commanders will simply be smeared and will actually go to the meat, where they will not be able to use their combat potential and combat experience. Those fighters who decided that they were ready to move to the Ministry of Defense did. But this is the minimum amount, calculated by a percentage or two. All the arguments that were in order to keep the Wagner PMC safe and sound were used.

But none were implemented. in an attempt to enter into any other structure where we can really be useful. We were categorically against what they want to do. At the same time, the decision to transfer to the Ministry of Defense and understanding our attitude to close the Wagner PMC was made at the most inopportune moments. Nevertheless, we put the equipment on the grass, collected everything that was needed, made an inventory and were going, if the decision was not made, to leave on June 30 in a column to Rostov and publicly hand over the equipment near the headquarters of the NWO. Despite the fact that we did not show any aggression, we were attacked by missiles and immediately after that the helicopters worked. About 33 fighters of PMC “Wagner” were killed. Some were injured.

This prompted the Council of Commanders to immediately decide that we should move out immediately. I made a statement in which I said that we are not going to detect aggression in any way. But if we are hit, we will take it as an attempt to destroy and give an answer. During the entire march, which lasted 24 hours, one of the columns went to Rostov, the other in the direction of Moscow. During the day we covered 780 kilometers. Not a single soldier on earth was killed. We regret that we were forced to strike at air assets, but these assets were dropping bombs and delivering missile strikes. During the day we covered 780 kilometers, short of 200 small kilometers to Moscow. During this time, all military facilities that were along the road were blocked and neutralized. Nobody died, I repeat once again, from those who were on the ground. And this was our task. Among the fighters of the Wagner PMC, several people were wounded and two dead, who joined us, military personnel and the Ministry of Defense, of their own free will. None of the fighters of PMC “Wagner” was forced to this campaign, and everyone knew his ultimate goal.

The purpose of the campaign was to prevent the destruction of the PMC “Wagner” and to bring to justice those persons who, through their unprofessional actions, made a huge number of mistakes during the SVO. It was demanded by the public. All the servicemen who saw us during the march supported us. We did not reach about 200 kilometers to Moscow, having covered 780 kilometers in one and the other direction. We stopped at the moment when the first assault detachment, which had approached 200 kilometers from Moscow, deployed its artillery, reconnoitered the area, and it was obvious that at that moment a lot of blood would be shed. Therefore, we felt that the demonstration of what we were going to do, it is sufficient. And our decision to turn around was two major factors.

The first factor is that we did not want to shed Russian blood. The second factor is that we went to demonstrate our protest, and not to overthrow the government in the country. At this time, Alexander Grigoryevich Lukashenko extended his hand and offered to find solutions for the further work of Wagner PMC in legal jurisdiction. The columns turned back and went to the field camps. I want to point out that our march of justice showed a lot of the things that we talked about earlier. Serious security problems throughout the country. We blocked all the military units of the airfield that were in our way. In 24 hours, we covered the distance that corresponds to the distance from the launch site of Russian troops on February 24, 22 to Kyiv and from the same point to Uzhgorod.

Therefore, if the action on February 24, 22, at the time of the start of the special operation, was carried out by a unit in terms of the level of training, in terms of the level of moral composure and readiness to perform tasks, like the Wagner PMC, then perhaps the special operation would last a day. It is clear that there were other problems, but we showed the level of organization that the Russian army should correspond to. And when on June 23-24 we walked past Russian cities, civilians met us with the flags of Russia and with the emblems and flags of the Wagner PMC. They were all happy when we came and when we passed by. Many of them still write words of support, and some are disappointed that we stopped, because in the march of justice, in addition to our struggle for existence, they saw support for the fight against bureaucracy and other ailments that exist in our country today.

These are the main questions that I can answer in order to exclude rumors both in Russian social networks and the media and in foreign networks. So, we started our march because of justice. On the way, on the ground, we did not kill a single soldier. In a day, only 200 kilometers did not reach Moscow, they entered and completely took control of the city of Rostov. The civilians were glad to see us. We showed a master class on how February 24, 22 should look like. We did not have the goal of overthrowing the existing regime and the legally elected government, which has been said many times. We turned around in order not to shed the blood of Russian soldiers.

There’s a lot of fuzziness in this with regards to the terms of the Ministry of Defense’s subsumption of private military companies’ personnel (and possibly assets?).

Also a lot of fuzziness in this regarding the agreement Prigozhin negotiated to end his march to Moscow.

Up to now there have been weasel words with regard to the number of Russian armed forces killed/not killed. This transcript offers more specificity though I haven’t seen much information about the aircraft shooting on Wagner personnel during the march.

Assuming this is a legitimate audio recording and not an AI-generated fake from which an AI-generated transcript has been produced, there may be a dig at Shoigu and the Russian military industrial complex with the bit about bureaucracy. Shoigu is not a soldier by training and experience but a bureaucrat.

Another dig likely aimed at Putin: the reception of Wagner group by Russian citizens. Putin gets highly-produced crowds, not spontaneous pop-ups.

Watch this video pulled together by RFE/RL showing Prigozhin and Wagner personnel leaving Rostov-on-Don late Saturday night/early Sunday morning. That’s in part what Prigozhin made reference to in his audio.

It’s also the real, lingering threat to Putin. The video looks much more like an extremely popular politician leaving a campaign event.

There have been wisecracks made about Russia’s army being the second most powerful army in Russia and the third most powerful in Ukraine, implying Wagner group had more clout than Russia’s armed forces.

Once Wagner has left Russia, Belarus may have a more powerful army than Russia. Food for thought.

GRU Adopted the Identity of Two UK Journalists to Phish the OPCW

Yesterday, the government rolled out another indictment against GRU. DOJ earlier indicted those involved in the 2016 election operation and those behind the WADA hack; one person, Anatoliy Kovalev, was named in both yesterday’s indictment and the election one, and a second unit of the GRU was named in the earlier indictments along with Unit 74455, on which this focuses.

Down the road I’ll circle back to some of the similarities and differences between these three indictments (I compared the earlier two here). For now, I want to look at how the hackers spearphished people at the Organisation for the Prohibition of Chemical Weapons (OPCW) and Defence Science and Technology Laboratory, which runs Porton Down, after the two organizations attributed the Sergey Skripal attack to GRU.

They spoofed actual journalists:

66. On or about April 5, 2018, KOVALEV created an email account with a username that mimicked the name of a German national weekly newspaper. Shortly after creating the account, KOVALEV sent spearphishing emails regarding the “Incident in Salisbury,” purporting to be from a German journalist, to approximately 60 official DSTL email addresses. The next day, KOVALEV used the above-described Email Service to send emails, with malware attached, that appeared to be from a legitimate DSTL email address.

67. Also on or about April 6, 2018, the Conspirators conducted three related spearphishing campaigns that targeted the OPCW and U.K. agencies involved in the investigation of the poisoning.

a. On or about April 6, 2018, the Conspirators used an operational account, which was created on or about April 5, 2018, and had a username mimicking the name of a U.K. journalist working for a U.K. media entity, to send approximately 20 spearphishing emails with the email subject line “Salisbury Spy Poisoning Investigation” to official OPCW email addresses. In the emails, the Conspirators purported to have information to share regarding the poisoning.

b. After the Conspirators received an email from OPCW directing them to instead share their information with certain U.K. authorities at three particular email addresses, the Conspirators used the same operational account to send spearphishing emails to those three email addresses.

c. Also on or about April 6, 2018, the Conspirators created another operational account, with a username mimicking the name of another U.K. journalist at the same U.K. media entity, and shortly thereafter sent approximately 19 spearphishing emails with the subject line “Salisbury Spy Poisoning Investigation” to official OPCW email addresses. In the emails, the Conspirators again purported to have information to share regarding the poisoning.

They provide no hints about who the journalists were (though I have some guesses), but obviously they would have pretended to be people with close ties and significant trust in the national security community. Effectively, then, they were banking on the trust NatSec officials would have in familiar journalists.

The tactic is particularly interesting given the way GRU has targeted journalists in phishing attempts in recent years, preferring the kind of NatSec friendly ones that might be useful for such a phish.

The indictment provides no other information about whether the GRU succeeded in this hack, and if so, what they did with it, leaving out any details obtained when the Netherlands caught the field hackers in the act later that year.

It’s as if this passage in the indictment exists solely to make public this tactic and signal that Kovalev (the one person also involved in the 2016 operation) was part of it.

Running Thread of emptywheel’s Running Threads on the SSCI Report

I’ve been doing running Twitter threads on each chapter of the SSCI Russia Report. It has gotten too unwieldy for Twitter, so I’ll collect all those threads here:

Here are the posts I’ve written so far:

Photo: Pavan Trikutam via Unsplash

Three Things: Bounties, Bounties, Bounce [UPDATE-1]

[NB: Update at bottom of post. /~Rayne]

There won’t be a quiz but there’s an action item at the end.

It’ll be more effort than Trump put into protecting our troops in Afghanistan.

You’ll want to brush up on the NYT report from Friday, Russia Secretly Offered Afghan Militants Bounties to Kill U.S. Troops, Intelligence Says.

Washington Post confirmed the story: Russian operation targeted coalition troops in Afghanistan, intelligence finds

As did the Wall Street Journal: Russian Spy Unit Paid Taliban to Attack Americans, U.S. Intelligence Says

~ 3 ~

Remember last year when Rep. Adam Schiff said he believed acting Director of National Intelligence Joseph Maguire was withholding from Congress an urgent whistleblower complaint in order to protect Trump?

We built a crowdsourced timeline to guess what the whistleblower’s subject matter might be. We didn’t see the Ukraine quid pro quo but we still compiled a bodacious chronology of foreign policy events.

I’m betting the bit about John Bolton’s exit in that timeline may be revisited in the near future.

But there was one topic we didn’t give a lot of attention which might be worth looking at again, like right now — the peace agreement negotiations in Afghanistan.

(Commenters added more material in comments not added to the original timeline — I think we were learning it was Ukraine and not Afghanistan or Iran which was the subject of the whistleblower’s complaint.)

Now that NYT’s report that Russia offered secret bounties on U.S. service members has been validated by the Washington Post and the Wall Street Journal, we need to look at the Afghanistan timeline — this time with more content from 2019 and up-to-date 2020 material.

28-AUG-2019 — Russia offered to oversee an agreement between the U.S. and Afghanistan; negotiations were in their ninth round when the Russian Foreign Ministry suggested it could be “a guarantor in the agreement” if the two sides wished.

01/02-SEP-2019 — US Special Rep. for Afghanistan Zalmay Khalilzad met with Afghan president Ashraf Ghani in Kabul where the Taliban, Afghan government and the U.S. had “reached an agreement in principle” toward an eventual “total and permanent cease-fire.”

03-SEP-2019 — Russian media outlet Tass reported that Russian Deputy Foreign Minister said the U.S. and Taliban “insist that Russia must be present in one capacity or another at the possible signing of the agreements that the parties are working on now.”

05-SEP-2019 — Suicide blast in Kabul killed Army Sgt. 1st Class Elis A. Barreto Ortiz, 34, from Morovis, Puerto Rico.

06-SEP-2019 — Afghan President Ashraf Ghani postponed a trip to the U.S.

07-SEP-2019 — Over several tweets Saturday evening, Trump canceled the meeting with Ghani at Camp David.

Unclear whether Trump realized he might have been meeting over the anniversary of 9/11 on a peace agreement with both Afghanistan’s government and the Taliban.

07-SEP-2019 — Via Julia Davis (commenter Eureka):

Prof. Michael McFaul tweeted, “What? TASS has these details but USG has not released them? This is very strange. And why does Russia need to be present at signing? Were they fighting Taliban and Al Qaeda in Afghanistan and I just missed that?”

09-SEP-2019 — CNN broke story of a CIA asset extracted from Russia in 2017; followed by NYT on the 9th (and then NBC’s Ken Dilanian appears at the asset’s house…)

09-SEP-2019 — Trump asked for Bolton’s resignation and tweeted about it the next morning.

10-SEP-2019 — “They’re dead. They’re dead. As far as I’m concerned, they’re dead,” Trump told the media about the peace talks with Afghanistan.

13-SEP-2019 — Taliban showed up in Moscow almost immediately after the Camp David meeting fell apart (commenter OldTulsaDude).

15-SEP-2019 — Small arms fire in central Wardak province killed Army Sgt. 1st Class Jeremy W. Griffin, 40.

20-NOV-2019 — Army Chief Warrant Officer 2 Kirk Fuchigami Jr., 25, and Army Chief Warrant Officer 2 David C. Knadle, 33, died in a helicopter crash in eastern Logar province. The Taliban claimed responsibility for the crash; Trump visited Dover AFB on Nov. 21 when the soldiers’ bodies were returned.

11-DEC-2019 — Unknown number of U.S. personnel were injured during a large bombing of Bagram Airfield.

23-DEC-2019 — Sgt. 1st Class Michael J. Goble, 33, was killed in a roadside bombing in northern Kunduz province.

31-DEC-2019 — A total of 22 service members were killed in Afghanistan in 2019. It’s not clear how many U.S. contractors may have been killed because the military doesn’t track them.

11-JAN-2020 — Two U.S. service members were killed by a roadside bomb in Afghanistan’s southern Kandahar province. Taliban claimed responsibility.

17-JAN-2020 — The Taliban offered a proposal to reduce violence and restart peace negotiations.

27-JAN-2020 — Two U.S. Air Force crew members were killed when an E-11A Battlefield Airborne Communications Node aircraft crashed. Taliban claimed responsibility for shooting the plane down.

08-FEB-2020 — Sgt. Javier Jaguar Gutierrez, 28; and Sgt. Antonio Rey Rodriguez, 28 were killed and six other service members were injured in an insider attack in Nangarhar province.

09-FEB-2020 — WaPo reported:

On Sunday, Suhail Shaheen, the Taliban spokesman in Qatar, where talks have been held, said Khalilzad met with Taliban representatives and Qatar’s foreign minister to discuss “some important issues on the results of the negotiations and the next moves,” according to a statement posted to Twitter.

20-FEB-2020 — Trump replaced Joseph Maguire as Acting Director of National Intelligence; Richard Grenell was named Maguire’s replacement.

21-FEB-2020 — U.S.-led coalition, Afghan forces, and the Taliban militia began a seven-day “reduction in violence” ahead of anticipated agreement.

28-FEB-2020 — Trump nominated John Ratcliffe as Director of National Intelligence.

29-FEB-2020 — U.S. and Taliban sign agreement addressing counterterrorism and the withdrawal of U.S. and international troops from Afghanistan.

03-MAR-2020 — Trump spoke by phone with Mullah Abdul Ghani Baradar, a Taliban leader and co-founder stationed in the Taliban’s Qatar offices.

23-MAR-2020 — After meeting Afghan President Ashraf Ghani and his main rival, Abdullah Abdullah in Afghanistan, Secretary of State Mike Pompeo said the U.S. would cut $1 billion in aid in 2020 and threatened to cut another $1 billion in 2021 because Ghani and Abdullah had not formed a unity government. Pompeo then met with the Taliban’s chief negotiator at Al Udeid Air Base, Doha, Qatar where he asked the Taliban to continue to adhere to the February agreement.

??-MAR-2020 — Administration learned that Russia offered secret bounties on U.S. troops.

The officials said administration leaders learned of reported bounties in recent months from U.S. intelligence agencies, prompting a series of internal discussions, including a large interagency meeting in late March. According to one person familiar with the matter, the responses discussed at that meeting included sending a diplomatic communication to relay disapproval and authorizing new sanctions.

30-MAR-2020 — Trump phone call with Putin.

03-APR-2020 — Trump fired Inspector General of the Intelligence Community Michael Atkinson, claiming he “no longer” had confidence in Atkinson. Atkinson was then on leave until the effective date of his termination 03-MAY-2020. As IG he notified Congress of the whistleblower’s report regarding the Ukraine quid pro quo, going around Joseph Maguire to do so.

07-APR-2020 — The Taliban pulled out of talks with the Afghan government after discussions over the unrealized prisoner exchange cratered. Under the February agreement, prisoners were to be exchanged at the end of March; the exchange was called off on March 30.

07-APR-2020 — Trump fired Acting Inspector General of the Department of Defense Glenn Fine; Fine had also been named Chair of the Pandemic Response Accountability Committee on 30-MAR. Fine’s termination made him ineligible to continue as chair of that committee.

09-APR-2020 — Trump phone call with Putin.

10-APR-2020 — Trump phone call with Putin (unclear if call was before/after Gen. Miller’s meeting).

10-APR-2020 — Gen. Austin Miller met with Taliban leaders in Qatar:

… The meeting between Gen. Austin “Scott” Miller and Taliban leaders came as both sides accuse each other of ramping up violence since signing a peace deal on Feb. 29, which could see all international troops withdraw from Afghanistan in 14 months.

The meeting, which focused on curbing violence, was part of a military channel established in the U.S.-Taliban deal, the U.S. military’s press office in Kabul told Stars and Stripes.

Taliban spokesman Suhail Shaheen said night raids and other operations in noncombat areas were discussed at the meeting, and Taliban officials “called for a halt to such attacks.” …

12-APR-2020 — Trump phone call with Putin.

25-APR-2020 — Trump made a joint statement with Putin observing the 75th anniversary of Elbe Day.

07-MAY-2020 — US Special Representative for Afghanistan Zalmay Khalilzad met members of the Taliban in Qatar along with the Special Envoy of Qatari Foreign Ministry for Counterterrorism and Mediation in Conflict Resolution, Mutlaq Al-Qahtani. They discussed the prisoner exchange and intra-Afghan talks.

07-MAY-2020 — Trump phone call with Putin; topics were COVID-19, arms control including Russia and China, and the oil market.

26-MAY-2020 — John Ratcliffe approved by the Senate and sworn in as DNI.

30-MAY-2020 — Trump delays G7 meeting and invites Russia:

01-JUN-2020 — Trump phone call with Putin; delayed G7 meeting and oil market stabilization discussed.

08-JUN-2020 — Trump orders permanent draw down of 25% of U.S. troops stationed in Germany; he did not consult with NATO before this order.

Is there a pattern here (or more)? Was the violence juiced up to pressure the U.S. — specifically public opinion? What the heck did Russia’s Foreign Minister mean by a “guarantor” based on what we know today? How did Qatar become a player in the negotiations?

Did Trump really do nothing at all to protect our troops except talk with Putin and do some butt-kissing with a joint statement and an invitation to the G7 while undercutting Germany and NATO?

The Congressional Research Service policy brief on Afghanistan is worth a read to fill in some gaps. This paragraph is particularly important:

Afghan government representatives were not participants in U.S.-Taliban talks, leading some observers to conclude that the United States would prioritize a military withdrawal over a complex political settlement that preserves some of the social, political, and humanitarian gains made since 2001. The U.S.-Taliban agreement envisioned intra-Afghan talks beginning on March 10, 2020, but talks were held up for months by a number of complications. The most significant obstacles were an extended political crisis among Afghan political leaders over the contested 2019 Afghan presidential election and a disputed prisoner exchange between the Taliban and Afghan government. President Ghani and his 2019 election opponent Abdullah Abdullah signed an agreement ending their dispute in May 2020, and as of June 2020, the number of prisoners released by both sides appears to be reaching the level at which talks might begin, though the Afghan government may resist releasing high-profile prisoners that the Taliban demand as a condition of beginning negotiations.

~ 2 ~

It wasn’t just U.S. intelligence that learned U.S. troops were the target of Russia’s secret bounties.

EU intelligence confirmed it had learned that Russia targeted both U.S. and UK troops, offering cash on British targets, too.

UK security officials also validate the report, attributing the work in Afghanistan to Russia’s GRU.

Why hasn’t Britain’s PM Boris Johnson or the Foreign Minister Dominic Raab said anything publicly about this?

Has the Johnson government done anything at all to communicate its displeasure with Russia? Has it taken any punitive action like sanctions?

Because there’s nothing obvious in UK or other international media to this effect as of 3:00 a.m. ET.

~ 1 ~

You’re going to read and hear a lot of folks talking about treason. We don’t encourage that word’s use because it has a specific legal meaning related to traditional warfare; a formal declaration of war establishing a defined enemy is necessary to accuse someone of providing aid and comfort to that enemy.

18 U.S. Code § 2381. Treason

Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason and shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.

(June 25, 1948, ch. 645, 62 Stat. 807; Pub. L. 103–322, title XXXIII, § 330016(2)(J), Sept. 13, 1994, 108 Stat. 2148.)

We’re not in a formally declared state of war with Russia; they are not a defined enemy.

But this Russian secret bounties business may fall under another umbrella. U.S. troops are deployed to Afghanistan under the Authorization for Use of Military Force of 2001:

Section 2 – Authorization For Use of United States Armed Forces

(a) IN GENERAL- That the President is authorized to use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored such organizations or persons, in order to prevent any future acts of international terrorism against the United States by such nations, organizations or persons.
(b) War Powers Resolution Requirements-
(1) SPECIFIC STATUTORY AUTHORIZATION- Consistent with section 8(a)(1) of the War Powers Resolution, the Congress declares that this section is intended to constitute specific statutory authorization within the meaning of section 5(b) of the War Powers Resolution.
(2) APPLICABILITY OF OTHER REQUIREMENTS- Nothing in this resolution supersedes any requirement of the War Powers Resolution.

The brushstroke with regard to future acts of international terrorism against the United States is and has been interpreted broadly.

Bounce this around a bit: does the definition of terrorism include repeated attacks on U.S. service members and contractors deployed under the AUMF 2001?

Does failing to take reasonable affirmative effort to protect these targets constitute aiding those who attack U.S. service members and contractors deployed under the AUMF 2001?

Is there, if not 18 USC 2381 – Treason, another section of 18 U.S. Code Chapter 115 — Treason, Sedition, and Subversive Activities which may more accurately describe the dereliction of duty by members of this administration by failing to protect U.S. troops?

~ 0 ~

And now for the action item…

Guess who else hasn’t uttered a peep about the Russian secret bounties on our troops?

Senate Majority Leader Mitch McConnell.

House Ranking Member Kevin McCarthy.

None of the +20 GOP senators up for re-election have uttered a peep, nor have the couple who are retiring.

Here’s your action item:

— If you have a GOP senator(s), call their office and ask for a statement from the senator about the Russian bounties. Where do they stand? What action will the senator take?

— Share the results of your call here in the comments.

Congressional switchboard number is (202) 224-3121. Or you can look up their local office number at https://www.senate.gov/senators/contact.

For everybody else: call your representative and senators to demand hearings with testimony from the former acting Director of National Intelligence Rick Grenell and the current Director of National Intelligence John Ratcliffe about the presidential briefing that did/did not happen with regard to these Russian bounties.

 

Let’s stay on topic in this thread — this is plenty to chew on.

UPDATE — 29-JUN-2020 10:00 A.M. ET —

Several new line items have been added to this timeline. If you pulled a copy since publication you’ll want to get a new one.

The Washington Post published an article last evening, Russian bounties to Taliban-linked militants resulted in deaths of U.S. troops, according to intelligence assessments.

It’s clear from reading it that many people knew about this intelligence, that there was a concerted effort to address it though the action ultimately taken was none.

Rather like the pandemic response, about which Trump had been warned in adequate time and then did nothing for six or more weeks, followed by a lot of bullshit and bluster.

Congress had better get to the bottom of this because this is a gross dereliction of duty on the part of the executive branch.

How the Concord Management Prosecution Fell Apart

The frothy right and anti-Trump left both politicized DOJ’s decision to dismiss the single count of conspiracy charged against Concord Management and Concord Catering in the Russian troll indictment that Mueller’s team obtained on February 16, 2018. The right — including the President — and the alt-Left are falsely claiming the prosecution against all the trolls fell apart and suggesting this undermines the claims Russia tampered in the 2016 election.

The mainstream left speculated, without any apparent basis, that Bill Barr deliberately undermined the prosecution by classifying some of the evidence needed to prove the case.

The politicization of the outcome is unfortunate, because the outcome raises important policy questions about DOJ’s recent efforts to name-and-shame nation-state activities in cyberspace.

The IRA indictment intersects with a number of important policy discussions

The decision to indict the Internet Research Agency, its owner Yevgeniy Prigozhin, two of the shell companies he used to fund Internet Research Agency (Concord Management and Concord Catering, the defendants against which charges were dropped), and twelve of the employees involved in his troll operations intersects with three policy approaches adopted in bipartisan fashion in recent years:

  • The use of indictments and criminal complaints to publicly attribute and expose the methods of nation-state hackers and the vehicles (including shell companies) they use.
  • A recent focus on Foreign Agents Registration Act compliance and prosecutions in an attempt to crack down on undisclosed foreign influence peddling.
  • An expansive view of US jurisdiction, facilitated by, but not limited to, the role of the US banking system in global commerce.

There is — or should be — more debate about all of these policies. Some of the prosecutions the US has pursued (one that particularly rankles Russia is of their Erik Prince equivalent, Viktor Bout, who was caught in a DEA sting selling weapons to FARC) would instill outrage if other countries tried them with US citizens. Given the way Trump has squandered soft power, that is increasingly likely. While DOJ has obtained some guilty pleas in FARA cases (most notably from Paul Manafort, but Mike Flynn also included his FARA violations with Turkey in his Statement of the Offense), the FARA prosecutions of Greg Craig (which ended in acquittal) and Flynn’s partner Bijan Kian (which ended in a guilty verdict that Judge Anthony Trenga overturned) have thus far faced difficulties. Perhaps most problematic of all, the US has indicted official members of foreign state intelligence services for activities (hacking), though arguably not targets (private sector technology), that official members of our own military and intelligence services also engage in. That’s what indictments (in 2014 for hacks targeting a bunch of victims, most of them in Pittsburgh and this year for hacking Equifax) against members of China’s People’s Liberation Army and Russia’s military intelligence GRU (both the July 2018 indictment for the hack-and-leak targeting the 2016 election and an October 2018 one for targeting anti-doping organizations) amount to. Those indictments have raised real concerns about our intelligence officers being similarly targeted or arrested without notice when they travel overseas.

The IRA indictment is different because, while Prigozhin runs numerous mercenary activities (including his Wagner paramilitary operation) that coordinate closely with the Russian state, his employees work for him, not the Russian state. But the Yahoo indictment from 2017 included both FSB officers and criminal hackers and a number of the hackers DOJ has otherwise indicted at times work for the Russian government. So even that is not unprecedented.

The indictment did serve an important messaging function. It laid out the stakes of the larger Russian investigation in ways that should have been nonpartisan (and largely were, until Concord made an appearance in the courts and started trolling the legal system). It asserted that IRA’s efforts to thwart our electoral and campaign finance functions amounted to a fraud against the United States. And it explained how the IRA effort succeeded in getting Americans to unwittingly assist the Russian effort. The latter two issues, however, may be central to the issues that undid the prosecution.

Make no mistake: the IRA indictment pushed new boundaries on FARA in ways that may raise concerns and are probably significant to the decision to drop charges against Concord. It did so at a time when DOJ’s newfound focus on FARA was not yet well-established, meaning DOJ might have done it differently with the benefit of the lessons learned since early 2018. Here’s a shorter and a longer version of an argument from Joshua Fattal on this interpretation of FARA. Though I think he misses something about DOJ’s argument that became clear (or, arguably, changed) last fall, that DOJ is not just arguing that the trolls themselves are unregistered foreign agents, but that they tricked innocent Americans into being agents. And DOJ surely assumed it would likely never prosecute any of those charged, unless one of the human targets foolishly decided to vacation in Prague or Spain or any other country with extradition treaties with the US. So the indictment was a calculated risk, a risk that may not have paid off.

But that’s why it’s worth understanding the decision to drop the prosecution based off the record, rather than presumptions about DOJ and the Russia investigation.

Just the funding side of the conspiracy to defraud indictment got dropped

The first step to understanding why DOJ dropped the charges is to understand what the two Concord entities were charged with. The indictment as a whole charged eight counts:

  • Conspiracy to defraud the United States for preventing DOJ and FEC from policing our campaign finance and election system (and State for issuing visas)
  • Conspiracy to commit wire fraud and bank fraud by using stolen identities to open financial accounts with which to evade PayPal’s security
  • Six counts of aggravated identity theft for stealing the identities of Americans used in the wire and bank fraud

The wire and bank fraud charges remain untouched by DOJ’s decision. If any of those defendants shows up in court, DOJ remains fully prepared to hold them accountable for stealing Americans’ identities to thwart PayPal’s security protocols so as to fool Americans into doing Russia’s work. Such an identity theft prosecution would not rely on the aggressive FARA theory the Concord charge does.

Even still, most of the conspiracy to defraud (ConFraudUS) charge remains.

The two Concord entities were only named in the ConFraudUS charge. The overt acts involving Concord entail funding the entire operation and hiding those payments by laundering them through fourteen different affiliates and calling the payments “software support.”

3. Beginning as early as 2014, Defendant ORGANIZATION began operations to interfere with the U.S. political system, including the 2016 U.S. presidential election. Defendant ORGANIZATION received funding for its operations from Defendant YEVGENIY VIKTOROVICH PRIGOZHIN and companies he controlled, including Defendants CONCORD MANAGEMENT AND CONSULTING LLC and CONCORD CATERING (collectively “CONCORD”). Defendants CONCORD and PRIGOZHIN spent significant funds to further the ORGANIZATION’s operations and to pay the remaining Defendants, along with other uncharged ORGANIZATION employees, salaries and bonuses for their work at the ORGANIZATION.

[snip]

11. Defendants CONCORD MANAGEMENT AND CONSULTING LLC (Конкорд Менеджмент и Консалтинг) and CONCORD CATERING are related Russian entities with various Russian government contracts. CONCORD was the ORGANIZATION’s primary source of funding for its interference operations. CONCORD controlled funding, recommended personnel, and oversaw ORGANIZATION activities through reporting and interaction with ORGANIZATION management.

a. CONCORD funded the ORGANIZATION as part of a larger CONCORD-funded interference operation that it referred to as “Project Lakhta.” Project Lakhta had multiple components, some involving domestic audiences within the Russian Federation and others targeting foreign audiences in various countries, including the United States.

b. By in or around September 2016, the ORGANIZATION’s monthly budget for Project Lakhta submitted to CONCORD exceeded 73 million Russian rubles (over 1,250,000 U.S. dollars), including approximately one million rubles in bonus payments.

c. To conceal its involvement, CONCORD labeled the monies paid to the ORGANIZATION for Project Lakhta as payments related to software support and development. To further conceal the source of funds, CONCORD distributed monies to the ORGANIZATION through approximately fourteen bank accounts held in the names of CONCORD affiliates, including Glavnaya Liniya LLC, Merkuriy LLC, Obshchepit LLC, Potentsial LLC, RSP LLC, ASP LLC, MTTs LLC, Kompleksservis LLC, SPb Kulinariya LLC, Almira LLC, Pishchevik LLC, Galant LLC, Rayteks LLC, and Standart LLC.

Concord was likely included because it tied Prigozhin into the conspiracy, and through him, Vladimir Putin. That tie has been cause for confusion and outright disinformation during the course of the prosecution, as during pretrial motions there were two legal fights over whether DOJ could or needed to say that the Russian state had a role in the operation. Since doing so was never necessary to legally prove the charges, DOJ didn’t fight that issue, which led certain useful idiots to declare, falsely, that DOJ had disclaimed any tie, which is either an absurd misunderstanding of how trials work and/or an outright bad faith representation of the abundant public evidence about the ties between Prigozhin and Putin.

By including Concord, the government asserted that it had proof not just that IRA’s use of fake identities had prevented DOJ and the FEC from policing electoral transparency, but also that Putin’s go-to guy in the private sector had used a series of shell companies to fund that effort.

By dropping the charges against the shell companies, that link is partly broken, but the overall ConFraudUS charge (and the charge against Prigozhin) remains, and all but one of the defendants are now biological persons who, if they mounted a defense, would also face criminal penalties that might make prosecution worth it. (I believe the Internet Research Agency has folded as a legal institution, so it would not be able to replay this farce.)

Going to legal war with a shell company

As noted, the indictment included two shell companies — Concord Management and Concord Catering — among the defendants in a period when Russia has increasingly pursued lawfare to try to discredit our judicial system. That’s precisely what happened: Prigozhin hired lawyers who relished trolling the courts to try to make DOJ regret it had charged the case.

As ceded above, DOJ surely didn’t expect that anyone would affirmatively show up to defend against this prosecution. That doesn’t mean they didn’t have the evidence to prove the crimes — both the first level one that bots hid their identities to evade electoral protections, and the second level conspiracy that Prigozhin funded all that through some shell companies. But it likely means DOJ didn’t account for the difficulties of going to legal war against a shell company.

One of the two explanations the government offered for dropping the prosecution admits that the costs of trying a shell company have come to outweigh any judicial benefits.

When defense counsel first appeared on behalf of Concord, counsel stated that they were “authorized” to appear and “to make representations on behalf” of Concord, and that Concord was fully subjecting itself to the Court’s jurisdiction. 5/9/18 Tr. 5 (ECF No. 9). Though skeptical of Concord’s (but not counsel’s) asserted commitments at the initial appearance, the government has proceeded in good faith—expending the resources of the Department of Justice and other government agencies; incurring the costs of disclosing sensitive non-public information in discovery that has gone to Russia; and, importantly, causing the Court to expend significant resources in resolving dozens of often-complex motions and otherwise ensuring that the litigation has proceeded fairly and efficiently. Throughout, the government’s intent has been to prosecute this matter consistent with the interests of justice. As this case has proceeded, however, it has become increasingly apparent to the government that Concord seeks to selectively enjoy the benefits of the American criminal process without subjecting itself to the concomitant obligations.

From the start, there were ongoing disputes about whether the shell company Concord Management was really showing up to defend against this conspiracy charge. On May 5, 2018, DOJ filed a motion aimed at resolving the uncertainty over whether Concord had been properly served with a summons, since, “Acceptance of service is ordinarily an indispensable precondition providing assurance that a defendant will submit to the jurisdiction of the court, obey its orders, and comply with any judgment.” Concord’s lawyers responded by complaining that DOJ was stalling on extensive discovery requests Concord made immediately.

Next, an extended and recurrent fight over a protective order for discovery broke out. Prigozhin was personally charged in the indictment along with his shell company. The government tried to prevent defense attorneys from sharing discovery deemed “sensitive” with officers of Concord (Prigozhin formally made himself an officer just before this effort started) who were also defendants without prior approval or at least a requirement that such access take place in the United States, accompanied by a defense attorney. That fight evolved to include a dispute about whether “sensitive” discovery was limited to just Personally Identifiable Information or included law enforcement sensitive information, too (unsurprisingly, Concord said it only wanted the latter and even demanded that DOJ sift out the former). The two sides established a protective order at the start. But in December, after the government had delivered 4 million documents, of which it deemed 3.2 million “sensitive,” Concord renewed their demand that Prigozhin have access to discovery. They trollishly argued that only Prigozhin could determine whether the proper translation of the phrase “Putin’s chef” meant he was the guy who cooked for Putin or actually Putin’s boss. At this point, the US started filing sealed motions opposing the discovery effort, but did not yet resort to the Classified Information Procedures Act, meaning they still seemed to believe they could prove this case with unclassified, albeit sensitive, evidence.

Shortly thereafter, DOJ revealed that nothing had changed to alter the terms of the original protective order, and in the interim, some of the non-sensitive discovery (that is, the stuff that could be shared with Prigozhin) had been altered and used in a disinformation campaign.

The subsequent investigation has revealed that certain non-sensitive discovery materials in the defense’s possession appear to have been altered and disseminated as part of a disinformation campaign aimed (apparently) at discrediting ongoing investigations into Russian interference in the U.S. political system. These facts establish a use of the non-sensitive discovery in this case in a manner inconsistent with the terms of the protective order and demonstrate the risks of permitting sensitive discovery to reside outside the confines of the United States.

With a biological defendant, such a stunt might have gotten the defendant thrown in jail (and arguably, this is one of two moments when Judge Dabney Friedrich should have considered a more forceful response to defiance of her authority). Here, though, the prosecution just chugged along.

Perhaps the best proof that Prigozhin was using Concord’s defense as an intelligence-collecting effort came when, late last year, Concord demanded all the underlying materials behind the decision by Treasury’s Office of Foreign Assets Control to sanction Prigozhin and his companies. As Friedrich noted in her short notation denying the request, OFAC’s decision to sanction Prigozhin had nothing to do with the criminal charges against Concord. Nevertheless, Prigozhin used the indictment of his shell companies in an attempt to obtain classified information on the decision leading to sanctions being imposed on him.

Prigozhin’s goal of using his defense as a means of learning the US government’s sources and methods was clear from the first discovery request. That — and his unwavering efforts to continue the trolling operations — likely significantly influenced the later classification determination that contributed to DOJ dropping the case.

The government intended to try this case with unclassified information

That’s the other cited reason the government dismissed this case: because a classification determination made some of the evidence collected during the investigation unavailable as unclassified information.

[A]s described in greater detail in the classified addendum to this motion, a classification determination bearing on the evidence the government properly gathered during the investigation, limits the unclassified proof now available to the government at trial. That forces the prosecutors to choose between a materially weaker case and the compromise of classified material.

At the beginning of this case, the government said that all its evidence was unclassified, but that much of it was sensitive, either for law enforcement reasons or the privacy of victims in the case.

As described further in the government’s ex parte affidavit, the discovery in this case contains unclassified but sensitive information that remains relevant to ongoing national security investigations and efforts to protect the integrity of future U.S. elections. At a high level, the sensitive-but-unclassified discovery in this case includes information describing the government’s investigative steps taken to identify foreign parties responsible for interfering in U.S. elections; the techniques used by foreign parties to mask their true identities while conducting operations online; the relationships of charged and uncharged parties to other uncharged foreign entities and governments; the government’s evidence-collection capabilities related to online conduct; and the identities of cooperating individuals and, or companies. Discovery in this case contains sensitive information about investigative techniques and cooperating witnesses that goes well beyond the information that will be disclosed at trial.

Nevertheless, after the very long and serial dispute about how information could be shared with the defendant noted above (especially Prigozhin, as an officer of Concord), later in the process, something either became classified or the government decided they needed to present evidence they hadn’t originally planned on needing.

This is one way, Barr critics suggest, that the Attorney General may have sabotaged the prosecution: by deeming information prosecutors had planned to rely on classified, and therefore making key evidence inaccessible for use at trial.

That’s certainly possible! I don’t rule out any kind of maliciousness on Barr’s part. But I think the available record suggests that the government made a good faith classification decision, possibly in December 2019 or January 2020, that ended up posing new difficulties for proving the case at trial. One possibility is that, in the process of applying a very novel interpretation of FARA to this prosecution, the types of evidence the government needed to rely on may have changed. It’s also possible that Prigozhin’s continued trolling efforts — and maybe even evidence that his trolling operations had integrated lessons learned from discovery to evade detection — made sharing heretofore sensitive unclassified information far more damaging to US national security (raising its classification level).

As discussed below, the record also suggests that the government tried to access some evidence via other means, by subpoenaing it from Concord. But Concord’s ability to defy subpoenas without punishment (which gets back to trying to prosecute a shell company) prevented that approach.

The fight over what criminalizes a troll conspiring to fool DOJ (and FEC)

Over the course of the prosecution, the theory of the ConFraudUS conspiracy either got more detailed (and thereby required more specific kinds of evidence to prove) or changed. That may have contributed to changing evidentiary requirements.

Even as the dispute about whether Concord was really present in the court fighting these charges continued, Concord’s lawyers challenged the very novel application of FARA by attacking the conspiracy charge against it. This is precisely what you’d expect any good defense attorney to do, and our judicial system guarantees any defendant, even obnoxious Russian trolls who refuse to actually show up in court, a vigorous defense, which is one of the risks of indicting foreign corporate persons.

To be clear: the way Concord challenged the conspiracy charge was often frivolous (particularly in the way that Concord’s Reed Smith lawyers, led by Eric Dubelier, argued it). The government can charge a conspiracy under 18 USC § 371 without proving that the defendant violated the underlying crimes the implementation of which the conspiracy thwarted (as Friedrich agreed in one of the rulings on Concord’s efforts). And on one of the charged overt acts — the conspiracy to hide the real purpose of two reconnaissance trips to the US on visa applications — Concord offered only a half-hearted defense; at trial DOJ would likely have easily proven that when IRA employees came to the US in advance of the operation, they lied about the purpose of their travel to get a visa.

That said, while Concord never succeeded in getting the charges against it dismissed, it forced DOJ to clarify (and possibly even alter) its theory of the crime.

That started as part of a motion to dismiss the indictment based on a variety of claims about the application of FARA to conspiracy, arguing in part that DOJ had to allege that Concord willfully failed to comply with FECA and FARA. The government argued that that’s not how a ConFraudUS charge works — that the defendants don’t have to be shown to be guilty of the underlying crimes. Concord replied by claiming that its poor trolls had no knowledge of the government functions that their secrecy thwarted. Friedrich posed two questions about how this worked.

Should the Court assume for purposes of this motion that neither Concord nor its coconspirators had any legal duty to report expenditures or to register as a foreign agent?

Specifically, should the Court assume for purposes of this motion that neither Concord nor its co-conspirators knowingly or unknowingly violated any provision, civil or criminal, of FECA or FARA by failing to report expenditures or by failing to register as a foreign agent?

The government responded by arguing that whether or not the Russian trolls had a legal duty to register, their deception meant that regulatory agencies were still thwarted.

As the government argued in its opposition and at the motions hearing, the Court need not decide whether the defendants had a legal duty to file reports with the FEC or to register under FARA because “the impairment or obstruction of a governmental function contemplated by section 371’s ban on conspiracies to defraud need not involve the violation of a separate statute.” United States v. Rosengarten, 857 F.2d 76, 78 (2d Cir. 1988); Dkt. No. 56, at 9-13. Moreover, the indictment alleges numerous coordinated, structured, and organized acts of deception in addition to the failure to report under FECA or to register under FARA, including the use of false social media accounts, Dkt. No. 1 ¶¶ 32-34, 36, the creation and use of U.S.-based virtual computer infrastructure to “mask[] the Russian origin and control” of those false online identities, id. ¶¶ 5, 39, and the use of email accounts under false names, id. ¶ 40. The indictment alleges that a purpose of these manifold acts of deception was to frustrate the lawful government functions of the United States. Id. ¶ 9; see also id. ¶ 5 (alleging that U.S.-based computer infrastructure was used “to avoid detection by U.S. regulators and law enforcement”); id. ¶ 58 (alleging later obstructive acts that reflect knowledge of U.S. regulation of conspirators’ conduct). Those allegations are sufficient to support the charge of conspiracy to defraud the United States regardless of whether the defendants agreed to engage in conduct that violated FECA or FARA because the “defraud clause does not depend on allegations of other offenses.”

Friedrich ruled against the trolls, but in doing so stated strongly that the government had conceded that they had to have been acting to impair lawful government functions, though not which specific relevant laws were at issue.

Although the § 371 conspiracy alleged does not require willfulness, the parties’ disagreement may be narrower than it first appears. The government concedes that § 371 requires the specific intent to carry out the unlawful object of the agreement—in this case, the obstruction of lawful government functions. Gov’t’s Opp’n at 16 (“Because Concord is charged with conspiring to defraud the United States, . . . the requisite mental state is the intent of impairing, obstructing, or defeating the lawful function of any department of government through deception.” (internal quotation marks omitted)). Further, the government agrees that to form the intent to impair or obstruct a government function, one must first be aware of that function. See Hr’g Tr. at 40 (“[Y]ou can’t act with an intent to impair a lawful government function if you don’t know about the lawful government function.”). Thus, Concord is correct—and the government does not dispute—that the government “must, at a minimum, show that Concord knew what ‘lawful governmental functions’ it was allegedly impeding or obstructing.” Def.’s Mot. to Dismiss at 22; Def.’s Reply at 5. Here, as alleged in the indictment, the government must show that Concord knew that it was impairing the “lawful functions” of the FEC, DOJ, or DOS “in administering federal requirements for disclosure of foreign involvement in certain domestic activities.” Indictment ¶ 9. But Concord goes too far in asserting that the Special Counsel must also show that Concord knew with specificity “how the relevant laws described those functions.” Def.’s Mot. to Dismiss at 22; Def.’s Reply at 5. A general knowledge that U.S. agencies are tasked with collecting the kinds of information the defendants agreed to withhold and conceal would suffice.

Then Concord shifted its efforts with a demand for a Bill of Particulars. The demand itself — and the government’s opposition — included a demand for information about co-conspirators and VPNs, yet another attempt to get intelligence rather than discovery. But Friedrich granted the motion with respect to the application of FECA and FARA.

In other words, it will be difficult for the government to establish that the defendants intended to use deceptive tactics to conceal their Russian identities and affiliations from the United States if the defendants had no duty to disclose that information to the United States in the first place. For that reason, the specific laws—and underlying conduct—that triggered such a duty are critical for Concord to know well in advance of trial so it can prepare its defense.

The indictment alleges that the defendants agreed to a course of conduct that would violate FECA’s and FARA’s disclosure requirements, see Indictment ¶¶ 7, 25–26, 48, 51, and provides specific examples of the kinds of expenditures and activities that required disclosure, see id. ¶¶ 48– 57. Concord, 347 F. Supp. 3d at 50. But the indictment does not cite the specific statutory and regulatory disclosure requirements that the defendants violated. Nor does it clearly identify which expenditures and activities violated which disclosure requirements. Accordingly, the Court will order the government to:

  • Identify any statutory or regulatory disclosure requirements whose administration the defendants allegedly conspired to impair, along with supporting citations to the U.S. Code, Code of Federal Regulations, or comparable authority.
  • With respect to FECA, identify each category of expenditures that the government intends to establish required disclosure to the FEC. See, e.g., Indictment ¶ 48 (alleging that the defendants or their co-conspirators “produce[d], purchase[d], and post[ed] advertisements on U.S. social media and other online sites expressly advocating for the election of then-candidate Trump or expressly opposing Clinton”) (emphasis added)). The government must also identify for each category of expenditures which disclosure provisions the defendants or their co-conspirators allegedly violated.
  • With respect to FARA, identify each category of activities that the government intends to establish triggered a duty to register as a foreign agent under FARA. See, e.g., id. ¶ 48 (same); id. ¶ 51 (alleging that the defendants or their co-conspirators “organized and coordinated political rallies in the United States” (emphasis added)). The government must also identify for each category of activities which disclosure provisions the defendants or their co-conspirators allegedly violated.

In a supplemental motion for a bill of particulars, Concord asked which defendants were obliged to file with DOJ and FEC.

That came to a head last fall. In a September 16, 2019 hearing, both sides and Friedrich discussed at length precisely what the legal theory behind the conspiracy was. On Friedrich’s order, the government provided Concord a list of people (whose names were redacted) that,

the defendants conspired to cause some or all of the following individuals or organizations to act as agents of a foreign principal while concealing from those individuals that they were acting as agents of a foreign principal [who should register under FARA].

That is, whether or not this was the original theory of the case, by last fall the government made it clear that it wasn’t (just) Prigozhin or his trolls who needed to register; rather, it was (also) the Americans who were duped into acting and spending money on their behalf. But because they didn’t know they were working on behalf of a foreign principal, they did not register.

Meanwhile, in a motion for clarification, the government argued that it had always intended to include foreigners spending money in the indictment. Friedrich held that that had not actually been included in the original indictment.

These two issues — the claim that duped Americans would have had to register if they knew they were working with a foreign agent, and the need to strengthen the assertion about foreign campaign expenditures — forced the government to go back and supersede the original indictment.

DOJ obtains a superseding indictment with more specific (and potentially new) theories of the case

On November 8, 2019, the government obtained a superseding indictment to include language about foreign donations that Friedrich had ruled was not in the original indictment and language covering the duped Americans who had unknowingly acted as agents of Russian trolls.

New language in the superseding indictment provided more detail of reporting requirements.

¶1 U.S. law also requires reporting of certain election-related expenditures to the Federal Election Commission.

[snip]

U.S. also imposes an ongoing requirement for such foreign agents to register with the Attorney General.

The paragraph explaining the means of the ConFraudUS added detail about what FEC, DOJ, and State functions the trolls’ deceit had thwarted.

¶7 In order to carry out their activities to interfere in the U.S. political and electoral processes without detection of their Russian affiliation, Defendants conspired to obstruct through fraud and deceit lawful functions of the United States government in monitoring, regulating, and enforcing laws concerning foreign influence on and involvement in U.S. elections and the U.S. political system. These functions include (a) the enforcement of the statutory prohibition on certain election-related expenditures by foreign nationals; (b) the enforcement of the statutory requirements for filing reports in connection with certain election-related expenditures; (c) the enforcement of the statutory ban on acting as an unregistered agent of a foreign principal in the United States; (d) the enforcement of the statutory requirements for registration as an agent of a foreign principal (e) the enforcement of the requirement that foreign national seeking entry into the United States provide truthful and accurate information to the government. The defendants conspired to do so by obtaining visas through false and fraudulent statements, camouflaging their activities by foreign nationals as being conducted by U.S. persons, making unlawful expenditures and failing to report expenditures in connection with the 2016 U.S. presidential election, and failing to register as foreign agents carrying out political activities within the United States, and by causing others to take these actions.

These allegations were repeated in ¶9 in the section laying out the ConFraudUS count.

The superseding indictment added a section describing what FEC and DOJ do.

¶25 One of the lawful functions of the Federal Election Commission is to monitor and enforce this prohibition. FECA also requires that individuals or entities who make certain independent expenditures in federal elections report those expenditures to the Federal Election Commission. Another lawful government function of the Federal Election Commission is to monitor and enforce this reporting requirement.

[snip]

¶26 The U.S. Department of Justice enforces the Foreign Agent Registration Act (“FARA”), which makes it illegal to act in the United States as an “agent of a foreign principal,” as defined at Title 22, United States Code, Section 661(c), without following certain registration, reporting, and disclosure requirements established by the Act. Under FARA, the term “foreign principal” includes foreign non-government individuals and entities. FARA requires, among other things, that persons subject to its requirements submit periodic registration statements containing truthful information about their activities and income earned from them. One of the lawful government functions of the Department of Justice is to monitor and enforce this registration, reporting, and disclosure regime.

In perhaps the most interesting addition, the superseding indictment also added language to include the actions of unwitting Americans.

¶48 …and caused unwitting persons to produce, purchase, and post advertisements on U.S. social media and other online sites expressly advocating for the election of then-candidate Trump or expressly opposing Clinton. Defendants and their co-conspirators did not report these expenditures to the Federal Election Commission, or register as foreign agents with the U.S. Department of Justice, nor did any of the unwitting persons they caused to engage in such activities.

The superseding indictment repeated this “unwitting” language in ¶51.

This superseding indictment is significant for two reasons, given the dismissal of the count against the two Concord defendants. First, the possibly changed theory of the conspiracy may have changed what evidence the government needed to prove the crime. For example, it may be that DOJ has evidence of IRA employees acknowledging, for the period of this indictment, that spending money on these activities was illegal, whether or not they knew they had to report such expenditures. It may be that DOJ has evidence of communications between the trolls and actual Americans they otherwise wouldn’t have had to rely on. It may be that DOJ has evidence about the regulatory knowledge of those same Americans about their own reporting obligations. Some of this evidence might well be classified.

Just as importantly, if Bill Barr wanted to jettison this prosecution, he could have done so last November by refusing to permit the superseding indictment. That likely would have undermined the case just as surely (and might have led Friedrich to dismiss it herself), and would have been far better for Trump’s messaging. Moreover, from that point in time, it would have been clear that trial might introduce evidence of how three Trump campaign officials coordinated (unknowingly) with the Russian trolls, something bound to embarrass Trump even if it posed no legal hazard. If Barr had wanted to undermine the prosecution to benefit Trump, November would have been the optimal time to do that, not February and March.

While it’s not clear whether this superseding indictment changed certain evidentiary challenges or not, three key strands of activity that seem to have resulted in the dismissal started only after the superseding: an effort to authenticate digital evidence on social media activity, an effort to subpoena some of that same evidence, and the CIPA process to try to substitute for classified information.

The government goes to some lengths to try to pre-approve normally routine evidence

The last of those efforts, chronologically, may hint at some of the evidentiary issues that led DOJ to drop the case.

In a motion submitted on February 17, the government sought to admit a great deal of the social media and related forensic data in the case. In many trials, this kind of evidence is stipulated into evidence, but here, Concord had been making it clear it would challenge the evidence at trial. So the government submitted a motion in limine to try to make sure it could get that evidence admitted in advance.

Among the issues raised in the motion was how the government planned to authenticate the IP addresses that tied the IRA trolls to specific Facebook and Twitter accounts and other members of the conspiracy (Prigozhin, Concord, and the interim shell companies) to each other. The government redacted significant sections of the filing describing how it intended to authenticate these ties (see, for example, the redaction on page 8, which by reference must discuss subscriber information and IP addresses, and footnote 7 on page 9, the redaction pertaining to how they were going to authenticate emails on page 16, the very long redaction on how they would authenticate emails between IRA and Concord starting on page 17, and the very long redaction on how they were going to authenticate Prigozhin to the IRA starting on page 21).

Concord got special permission to write an overly long 56-page response. Some of it makes it clear they’re undermining the government’s efforts to assert just that, for example on IP addresses.

IP addresses, subscriber information, and cookie data are not self-authenticating. The first link in the government’s authentication argument is that IP addresses,6 subscriber information, and cookie data are self-authenticating business records under Rules 803(6) and 902(11). But the cases the government cites are easily distinguishable and undercut its argument.

6 The IP addresses do not link an account to a specific location or fixed address. For example, for the Russian IP addresses the government indicates that they were somewhere within the city of St. Petersburg, Russia.

[snip]

It should come as no surprise then, given the lack of reliability and untrustworthiness in social media evidence such as that the government seeks to introduce, that the case law forecloses the government’s facile effort at authentication of content here. Unlike Browne, Lewisbey, and the other cases cited above, the government has offered no social media accounts bearing the name of any alleged conspirator and no pictures appearing to be a conspirator adorning such page.7 Nor has the government pointed to a single witness who can testify that she saw a conspirator sign up for the various social media accounts or send an email, or who can describe patterns of consistency across the various digital communications to indicate they come from the same source.

7 The government has indicated to Concord that it intends to introduce at trial Fed. R. Evid. 1006 summaries of IP address records, apparently to create the link between the social media accounts and IRA that is not addressed in the motion. See Ex. B, Jan. 6, 2020 letter. Despite repeated requests from undersigned counsel, the government has identified the 40 social media accounts for it intends to summarize but has not provided the summaries or indicated when it will do so.

Some of this is obviously bullshit, particularly given the government’s contention, elsewhere, that Concord (or IRA, if it was a typo) had dedicated IP addresses. Mostly, though, it appears to have been an attempt to put sand in the wheels of normal criminal prosecution by challenging stuff that is normally routine. That doesn’t mean it’s improper, from a defense standpoint. But given how often DOJ’s nation-state indictments rely on such forensic evidence, it’s a warning about potential pitfalls to them.

The government resorts to CIPA

Even while the government had originally set out to prove this case using only unclassified information, late in the process, it decided it needed to use the Classified Information Procedures Act. That process is where one would look for any evidence that Barr sabotaged the prosecution by classifying necessary evidence (though normally the approval for CIPA could come from Assistant Attorney General for National Security Division John Demers, who is not the hack that Barr is).

In October 2019, Friedrich had imposed a deadline for CIPA if the government were going to use it, of January 20, 2020.

On December 17, the government asked for a two week delay, “to ensure appropriate coordination within the Executive Branch that must occur prior to the filing of the motion,” a request Friedrich denied (even though Concord did not oppose it). This was likely when the classification determination referenced in the motion to withdraw was debated, given that such determinations would dictate what prosecutors had to do via CIPA.

On January 10, 2020, the government filed its first motion under CIPA Section 4, asking to substitute classified information for discovery and use at trial. According to the docket, Friedrich discussed CIPA issues at a hearing on January 24. Then on January 29 and February 10, she posted classified orders to the court security officer, presumably as part of the CIPA discussion.

On February 13, the government asked for and obtained a one-day extension to file a follow-up CIPA filing, from February 17 to February 18, “to complete necessary consultation within the Executive Branch regarding the filing and to ensure proper supervisory review.” If Barr intervened on classification issues, that’s almost certainly when he did, because this happened days after Barr intervened on February 11 in Roger Stone’s sentencing and after Jonathan Kravis, who had been one of the lead prosecutors in this case as well, quit in protest over Barr’s Stone intervention. At the very least, in the wake of that fiasco, Timothy Shea made damn sure he ran his decision by Barr. But the phrase, “consultation within the Executive Branch,” certainly entertains consultation with whatever agency owned the classified information prosecutors were deciding whether they could declassify (and parallels the language used in the earlier request for a filing extension). And Adam Jed, who had been part of the Mueller team, was added to the team not long before this and remained on it through the dismissal, suggesting nothing akin to what happened with Stone happened here.

The government submitted its CIPA filing on the new deadline of February 18, and Friedrich issued an order the next day. The government then filed another CIPA filing on February 20, and Friedrich issued another order on February 28.

Under CIPA, if a judge rules that evidence cannot be substituted, the government can either choose not to use that evidence in trial or drop the prosecution. It’s likely that Friedrich ruled that, if the government wanted to use the evidence in question, they had to disclose it to Concord, including Prigozhin, and at trial. In other words, that decision — and the two earlier consultations (from December to early January, and then again in mid-February) within the Executive Branch — are likely where classification issues helped sink the prosecution.

It’s certainly possible Bill Barr had a key role in that. But there’s no explicit evidence of it. And there’s abundant reason to believe that Prigozhin’s extensive efforts to use the prosecution as an intelligence-gathering exercise both for ongoing disinformation efforts and to optimize ongoing trolling efforts were a more important consideration. Barr may be an asshole, but there’s no evidence in the public record to think that in this case, Prigozhin wasn’t the key asshole behind a decision.

DOJ attempts to treat Concord as a legit party to the court’s authority

Even before that CIPA process started playing out, beginning on December 3, the government pursued an ultimately unsuccessful effort to subpoena Concord. This may have been an attempt to obtain via other means evidence that either had been obtained using means that DOJ had since decided to classify or the routine authentication of which Concord planned to challenge.

DOJ asked to subpoena a number of things that would provide details of how Concord and Prigozhin personally interacted with the trolls. Among other requests, the government asked to subpoena Concord for the IP addresses it used during the period of the indictment (precisely the kind of evidence that Concord would later challenge).

3. Documents sufficient to identify any Internet Protocol address used by Concord Management and Consulting LLC from January 1, 2014 to February 1, 2018.

Concord responded with a load of absolute bullshit about why, under Russian law, Concord could not comply with a subpoena. Judge Friedrich granted some of the government’s request (including for IP addresses), but directed the government to more narrowly tailor its other subpoena requests.

On December 20, the government renewed its request for other materials, providing some evidence of why it was sure Concord had responsive materials. Concord quickly objected again, again wailing mightily. In its reply, the government reminded Friedrich that she had the ability to order Concord to comply with the subpoena — and indeed, had gotten Concord’s assurances it would comply with orders of the court when it first decided to defend against the charges. It even included a declaration from an expert on Russian law, Paul Stephan, debunking many of the claims Concord had made about Russian law. Concord wailed, again. On January 24, Friedrich approved the 3 categories of the subpoena she had already approved. On January 29, the government tried again, narrowing the request even to — in one example — specific days.

Calendar entries reflecting meetings between Prigozhin and “Misha Lakhta” on or about January 27, 2016, February 1, 2016, February 2, 2016, February 14, 2016, February 23, 2016, February 29, 2016, May 22, 2016, May 23, 2016, May 28, 2016, May 29, 2016, June 7, 2016, June 27, 2016, July 1, 2016, September 22, 2016, October 5, 2016, October 23, 2016, October 30, 2016, November 6, 2016, November 13, 2016, November 26, 2016, December 3, 2016, December 5, 2016, December 29, 2016, January 19, 2017, and February 1, 2017.

Vast swaths of the motion (and five exhibits) explaining why the government was sure that Concord had the requested records are sealed. Concord responded, wailing less, but providing a helpful geography lesson to offer some alternative explanation for the moniker “Lakhta,” which the government has long claimed was the global term for Prigozhin’s information war against the US and other countries.

But the government fails to inform the Court that “Lakhta” actually means a multitude of other things, including: Lake Lakhta, a lake in the St. Petersburg area, and Lakhta Center, the tallest building in Europe, which is located in an area within St. Petersburg called the Lakhta-Olgino Municipal Okrug.

On February 7, Friedrich largely granted the government’s subpoena request, approving subpoenas to get communications involving Prigozhin and alleged co-conspirators, as well as records of payments and emails discussing them. That same day and again on February 21, Concord claimed that it had communicated with the government with regards to the subpoenas, though what it had provided, it would soon be clear, was non-responsive.

On February 27, the government moved to show cause for why Concord should not be held in contempt for blowing off the subpoenas, including the request for IP addresses and the entirety of the second subpoena (for meetings involving Prigozhin and records of payments to IRA). Concord wailed in response. The government responded by summarizing Concord’s response:

Concord’s 18-page pleading can be distilled to three material points: Concord’s attorneys will not make any representations about compliance; Concord will not otherwise make any representations about compliance; and Concord will not comply with a court order to send a representative to answer for its production. The Court should therefore enter a contempt order and impose an appropriate sanction to compel compliance.

Friedrich issued an order that subpoena really does mean subpoena, demanding some kind of representation from Concord explaining its compliance. In response, Prigozhin sent a declaration partly stating that his businesses had deleted all available records, partly disclaiming an ability to comply because he had played games with corporate structure.

With respect to category one in the February 10, 2020 trial subpoena, Concord never had any calendar entries for me during the period before I became General Director, and I became General Director after February 1, 2018, so no searches were able to be performed in Concord’s documents. Concord did not and does not have access to the previous General Director’s telephone from which the prosecution claims to have obtained photographs of calendars and other documents, so Concord is unable to confirm the origin of such photographs.

He claimed to be unable to comply with the request for IP addresses because his contractors “cannot” provide them.

In order to comply with category three in the trial subpoena dated January 24, 2020, in Concord’s records I found contracts between Concord and Severen-Telecom JSC and Unitel LLC, the two internet service providers with which Concord contracted between January 1, 2014 and February 1, 2018. Because these contracts do not identify the internet protocol (“IP”) addresses used by Concord during that period, on January 7, 2020 I sent letters on behalf of Concord to Severen-Telecom JSC and Unitel LLC transmitting copies of these contracts and requesting that the companies advise as to which IP addresses were provided to or used by Concord during that period. Copies of these letters and English translations, as well as the attached contracts, are attached as Exhibits 2 and 3. Severen-Telecom JSC responded in writing that the requested information cannot be provided. A copy of Severen-Telecom JSC’s letter and an English translation are attached as Exhibit 2. Unitel LLC responded that information regarding IP addresses cannot be provided. A copy of Unitel LLC’s letter and an English translation of is attached as Exhibit 3. Accordingly, Concord does not have any documents that could be provided in response to category three (3) of the January 24, 2020 subpoena.

The government responded by pointing out how bogus Prigozhin’s declaration was, not least his insistence that any oligarch like him would really be the person in charge of his companies’ record-keeping. It also described evidence — which is redacted — that Concord had an in-house IT provider at the time (though it notes that “as the Court knows, it appears that Concord [sic; this is probably IRA] registered and maintained multiple dedicated IP addresses during the relevant time period”). It further noted that the date on which Prigozhin claimed his company started destroying records after 3 months perfectly coincided to cover the start date of this subpoena. In short, it provided fairly compelling evidence that Prigozhin, after agreeing that his company would be subject to the authority of the court when it first filed an appearance in the case, was trolling the court from the safety of Russia.

On March 5, Judge Friedrich nevertheless allowed that bullshit response in her court and declined to hold Concord in contempt. Eleven days later, the government moved to dismiss the case.

The government files the motion to dismiss before the evidentiary dispute finishes but after the subpoena and CIPA fail

On March 16 — 17 days after what appears to be the final CIPA order and 11 days after Friedrich declined to hold Concord or Prigozhin in contempt, and one day before the government was due to file a follow-up to its motion in limine to authenticate normally routine evidence in the case — the government moved to dismiss the case.

While it’s unclear what evidence was deemed to be classified late in the prosecution (likely in December), it seems fairly clear that it affected (and possibly was a source or method used to collect) key forensic proof in the case. It’s also unclear whether an honest response to the government’s trial subpoenas would have replaced that evidence.

What is clear, however, is that there is sufficient explanation in the public record to support the government’s explanation — that Prigozhin was using the prosecution to reap benefits of obtaining information about US government efforts to thwart his activities without risking anything himself. And whether or not the government would be able to prove its case with the classification and CIPA decisions reflected in the docket, the trial itself would shift more evidence into the category of information that would get shared with Prigozhin.

None of that disproves that Barr sabotaged the case. But it does provide sufficient evidence to explain why DOJ dismissed the case, without assuming that Barr sabotaged it.

Other cases of interest

As noted above, not only do the identity theft related charges remain, but so does the ConFraudUS case for all the biological defendants, including Prigozhin. It may be that, given the opportunity to imprison Prigozhin in the highly unlikely event that he ever showed up in the US for trial, the classification trade-offs would be very different.

But there are three other legal issues of interest, given this outcome.

First, there’s one more unsurprising detail about the superseding indictment: It also included an end-date, January 2018. That’s not surprising because adding later activities probably would have presented all sorts of problems given how advanced the trial was last November. But it’s also significant because it means double jeopardy would not attach for later activities. So the government could, if the calculus on classification ever changed, simply charge all the things Prigozhin and his trolls have been doing since January 2018 in an indictment charged under its revised theory.

That’s particularly significant given that, in September 2018, prosecutors in EDVA charged Prigozhin’s accountant, Elena Alekseevna Khusyaynova. Even at the time, I imagined it might be a vehicle to move the IRA prosecution if anything happened to it in DC. Unsurprisingly, given that she’s the accountant at the center of all this, the Khusyaynova complaint focused more closely on the money laundering part of the prosecution. Plus, that complaint incorporated evidence of Prigozhin’s trolls reveling in their own indictment, providing easy proof of knowledge of the legal claims DOJ made that didn’t exist for the earlier indictment. None of that would change the calculus around classified evidence (indeed, some of the overt acts described in the Khusyaynova complaint seem like the kind of evidence that Prigozhin would have turned over had he complied with the Concord subpoena). So there is another vehicle for such a prosecution, if DOJ wanted to pursue it.

Finally, Prigozhin has not succeeded with all his attempts to wage lawfare in support of his disinformation efforts. In January, he lost his bid to force Facebook to reinstate his fake news site, Federal Agency of News, based off an argument that because Facebook worked so closely with the government, it cannot exercise its own discretion on its private site. As I laid out here, the suit intersected with both the IRA indictment and Khusyaynova complaint, and engaged in similar kinds of corporate laundry and trollish bullshit. The decision was a no-brainer based on Section 230 grounds, giving providers immunity when they boot entities from their services. But the decision also confirms what is already evident: when it comes to shell companies in the business of trolling, thus far whack-a-mole removals have worked more consistently than seemingly symbolic prosecution.

DOJ may well revisit how it charged this to try to attach a FARA liability onto online disinformation. But ultimately the biological humans, not the corporation shells or the bots, need to be targeted.

NSA Is Probably Withholding Details of the Alleged Burisma Hack from Congress

Over the weekend, Adam Schiff and other impeachment managers started alleging that the NSA is withholding information about Ukraine from the Intelligence Committees and impeachment team.

“And I’ll say something even more concerning to me, and that is the intelligence community is beginning to withhold documents from Congress on the issue of Ukraine,” Schiff said. “The NSA, in particular, is withholding what are potentially relevant documents to our oversight responsibilities on Ukraine, but also withholding documents potentially relevant that the senators might want to see during the trial.”

Schiff added: “There are signs that the CIA may be on the same tragic course. We are counting on the intelligence community not only to speak truth to power, but to resist pressure from the administration to withhold information from Congress because the administration fears that they incriminate them.”

An Intelligence Committee official later said, “Both the NSA and CIA initially pledged cooperation, and it appears now that the White House has interceded before production of documents could begin.”

Schiff had dropped the claim, at times, in his presentation to the Senate and to the press.

But in his stem-winding close last night, he mentioned the alleged Burisma hack in a way that strongly suggests that’s what NSA is withholding.

Now we just saw last week a report that Russia tried to hack, or maybe did hack, Burisma. Okay. I don’t know if they got in. I’m trying to find out. My colleagues on the Intel Committee, House and Senate, we’re trying to find out, did the Russians get in? What are the Russian plans and intentions? Well, let’s say they got in. And let’s say they start dumping documents to interfere in the next election. Let’s say they start dumping some real things they hacked from Burisma, let’s say they start dumping some fake things they didn’t hack from Burisma, but they want you to believe they did. Let’s say they start blatantly interfering in our election again, to help Donald Trump. Can you have the least bit of confidence that Donald Trump will stand up to them and protect the national interest over his own personal interest? You know you can’t.

Schiff’s speech was a planned show-stopper, the climax, thus far, of the impeachment trial. It is highly unlikely Schiff included this mention, with the detail that he and both the Intelligence Committees are trying to figure out whether Burisma really got hacked, without very good reason.

But it also goes to the power of information war.

When NYT first reported that GRU had hacked Burisma, I had two thoughts.

The hackers fooled some of them into handing over their login credentials, and managed to get inside one of Burisma’s servers, Area 1 said.

“The attacks were successful,” said Oren Falkowitz, a co-founder of Area 1, who previously served at the National Security Agency. Mr. Falkowitz’s firm maintains a network of sensors on web servers around the globe — many known to be used by state-sponsored hackers — which gives the firm a front-row seat to phishing attacks, and allows them to block attacks on their customers.

“The timing of the Russian campaign mirrors the G.R.U. hacks we saw in 2016 against the D.N.C. and John Podesta,” the Clinton campaign chairman, Mr. Falkowitz said. “Once again, they are stealing email credentials, in what we can only assume is a repeat of Russian interference in the last election.”

[snip]

To steal employees’ credentials, the G.R.U. hackers directed Burisma to their fake login pages. Area 1 was able to trace the look-alike sites through a combination of internet service providers frequently used by G.R.U.’s hackers, rare web traffic patterns, and techniques that have been used in previous attacks against a slew of other victims, including the 2016 hack of the D.N.C. and a more recent Russian hack of the World Anti-Doping Agency.

“The Burisma hack is a cookie-cutter G.R.U. campaign,” Mr. Falkowitz said. “Russian hackers, as sophisticated as they are, also tend to be lazy. They use what works. And in this, they were successful.”

First, this attribution is not (yet) as strong as even the first attribution that GRU had hacked the DNC, to say nothing of the 30 non-government sources for that attribution since laid out in the GRU indictment and the Mueller Report. There’s good reason to remain cautious about this attribution until we get more than one not very well established contractor attributing the hack.

But to some degree, it doesn’t matter whether GRU hacked Burisma and whether they took documents with plans to leak them during the election. Indeed, disinformation may explain why this was an easily identifiable hack, whether done by GRU or someone else. Because the news that someone appearing to be GRU targeted Burisma in early November — when it was clear Trump would be impeached for extorting Volodymyr Zelensky to get dirt on Burisma — serves a clear purpose. It adds evidence that Trump is owned by Russia and, after the Senate doesn’t vote to remove him, will demonstrate that Republicans don’t much give a damn that he is owned by Russia.

To be clear: There’s abundant evidence that Russia does have leverage over Trump, and more is likely to be forthcoming.

But that’s far more valuable, for Russia, if that’s public and if the Republicans in the Senate sanction it.

And that may explain why NSA is withholding the information, if indeed that’s what they’re withholding. In the same way that the FBI went to great lengths to withhold a letter they believed to be disinformation suggesting that Loretta Lynch would fix the Hillary investigation, information that appears to add to the already abundant case that Russia is in the tank for Trump. Given the stakes, that doesn’t justify it. But at this point, GRU wouldn’t need to hack Burisma for any point — the hack itself, in the middle of the impeachment investigation, is enough to lay a marker on Donald J. Trump.

He belongs to the GRU, the hack says, whether or not he does anything affirmatively to confirm that claim. But if the NSA is withholding that detail, it would seem to confirm the point.

Two Details That Many Are Missing in/about the Stone Indictment

I’ve been traveling most of the day to get out of the Midwest before the snow and record low temperatures show up, and will be buried for three days working on things that have nothing to do with any investigation Mueller has been involved in since 2013.

But I do want to add two details to the parlor game going on about whether or not the Roger Stone indictment is the tip of a conspiracy-burg or evidence there’s no there there. Joyce White Vance argues that Mueller charged Stone the way he did to hide the rest of the conspiracy prosecution.

Why didn’t Mueller charge Stone with conspiracy? The rules in federal cases require that prosecutors provide defendants with broad discovery. By indicting Stone on a fairly narrow set of charges, Mueller limits what has to be disclosed & can protect ongoing investigation.

Randall Eliason offers a respectable version of the argument that the indictment suggests there won’t be a conspiracy case.

There have always been at least two possible end games for the Mueller investigation. He could uncover evidence of a widespread criminal conspiracy between the Trump campaign and Russians to influence the election. Or he could conclude that the campaign’s numerous documented interactions with Russians seeking to help Trump win were not criminal, but people close to Trump lied to cover up those interactions because revealing them would have been politically devastating.

Stone’s indictment falls into the coverup category. Mueller may have evidence of the broader conspiracy, and more charges may well be coming. But every case like Stone’s, or those against former campaign manager Paul Manafort, that is filed without charging a conspiracy with the Russians makes it seem more likely that criminal charges brought by the special counsel will end up being primarily about the coverups.

Andy McCarthy offers a less respectable version of the same.

Neither Eliason nor McCarthy accounts for one of the only new details in the indictment, showing that an unidentified Steve Bannon associate congratulated Stone on October 7.

On or about October 7, 2016, Organization 1 released the first set of emails stolen from the Clinton Campaign chairman. Shortly after Organization 1’s release, an associate of the high-ranking Trump Campaign official sent a text message to STONE that read “well done.” In subsequent conversations with senior Trump Campaign officials, STONE claimed credit for having correctly predicted the October 7, 2016 release.

This detail shows that the Trump campaign at least believed that Stone succeeded in getting WikiLeaks to drop the John Podesta emails to distract attention from the Access Hollywood video, which in turn is consistent with a claim Jerome Corsi made about Stone having advance knowledge of the Access Hollywood video and that he and Stone succeeded in timing the email release.

Corsi wrote in his forthcoming 57,000-word book that he told Zelinsky that Stone told him in advance that the “Access Hollywood” tape would be released.

He wrote that “although I could not remember exactly when Roger told me, or the precise substance of the discussion, I remembered Roger told me before the Washington Post went to press with the Billy Bush tape that the tape was coming and that it would be a bombshell.”

Corsi said he had three phone calls with Stone in the hours before the release of the tape.

“I know nothing about that, either does Jerry Corsi,” Stone told TheDCNF. When asked why Corsi might be motivated to make a false claim, Stone said: “He’s saying this because the prosecutors induced him to say it.”

Corsi also wrote that Zelinsky revealed that prosecutors had evidence of an email exchange between he and Stone “in which Stone expressed pleasure that Assange had released the Podesta emails as instructed.”

Corsi said he replied that he and Stone “should be given credit” for the release.

While Stone disputes Corsi’s claim and Corsi feigns forgetfulness about precisely what happened, by including a communication showing Stone getting credit for the timing, Mueller is suggesting that Corsi is right — and that he has credible, corroborating evidence to prove it.

That’s more coordination — between Corsi and Stone, but more importantly between some go-between and WikiLeaks — than would be the case if Stone’s indictment were all Mueller had. It would put Stone and Corsi in a conspiracy with WikiLeaks and their go-between(s).

Then there’s this detail from the motion to seal Stone’s indictment that no one has yet offered a full explanation for (indeed, most of the reports that noted that Amy Berman Jackson had been assigned the case didn’t explain this detail at all).

Someone — and it would almost certainly have to be the prosecutors (including one, DC US Attorney’s office prosecutor Jonathan Kravis, who is on the Internet Research Agency case) — told the court that Stone’s namby pamby “process crime” is related to the big conspiracy case involving WikiLeaks with a bunch of Russian hackers. (I’ve updated my running docket of Mueller and potentially related cases to reflect Stone’s indictment.) And while it’s true that Stone is described in the GRU indictment, he is not named in a way that the court would identify that by itself. WikiLeaks shows up in both, but there’s no need to tie WikiLeaks cases together unless some defendant is going to show up to face prosecution (and WikiLeaks does not take any of the overt acts described in the Stone indictment).

I don’t pretend to understand how this happened or what it all means. But there’s nothing about the Stone obstruction prosecution that would overlap with the evidence in the GRU indictment. And, as charged, the GRU indictment won’t be prosecuted at all until Julian Assange or someone else involved in it ends up in DC to face charges.

By all means, continue the parlor game. But at least explain how those two details fit into your theory of nothing-“berder” or grand conspiracy.

Update: By popular demand, I’m including the definition of a “related case” under DC’s local rules.

A related case for the purpose of this Rule means as follows:

(1) Criminal cases are deemed related when

(i) a superseding indictment has been filed, or

(ii) more than one indictment is filed or pending against the same defendant or defendants, or

(iii) prosecution against different defendants arises from a common wiretap, search warrant, or activities which are a part of the same alleged criminal event or transaction. A case is considered pending until a defendant has been sentenced.

Certainly, WikiLeaks is named as a co-conspirator in both. But it is not yet a defendant. Though both cases may rely on a wiretap targeting Wikileaks. Or perhaps Stone’s search warrant included his conversations with Guccifer 2.0, and so the other indictment.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

A Tale of Two GRU Indictments

Yesterday, DOJ indicted a bunch of GRU hackers again, in part for hacks in retaliation for anti-doping associations’ reports finding a state-run Russian effort to help its athletes cheat (though also including hacks of Westinghouse and the Organization for the Prohibition of Chemical Weapons (OPCW)).

As the DNC GRU indictment did, this indictment provides a snapshot of the division of labor in GRU, made easier by the capture of four of these guys, with all their hacking toys in the trunk of their rented car, in the Netherlands. I find a comparison of the two indictments — of some of the same people for similar activity spanning the same period of time — instructive for a number of reasons.

The team

Consider the team.

There are Aleksei Morenets and Evgenii Serebriakov, whom the indictment calls “on-site GRU hackers who traveled to foreign countries with other conspirators, in some instances using Russian government issued diplomatic passports to conduct on-site operations.” Serebriakov even has a title, “Deputy Head of Directorate,” which sounds like a pretty senior person to travel around sniffing WiFi networks.

There are the three men we met in the DNC indictment, Ivan Yermakov, Artem Malyshev, and Dmitriy Badin, all of whom work out of Moscow running hacks. Yermakov and Malyshev were closely involved in both hacks in 2016 (as demonstrated by the timeline below).

Finally, there are Oleg Sotnikov and Alexey Minin, who joined Morenets and Serebriakov as they tried to hack the Organization for the Prohibition of Chemical Weapons (OPCW) and tried to hack the Spiez Chemical laboratory that was analyzing the Novichok used to poison Sergei Skripal.

There are slightly different tactics than in the DNC hack. For example, GRU used a bunch of bit.ly links in this operation (though some of those are an earlier campaign against Westinghouse). And they sent out hackers to tap into targets’ WiFi networks directly, whereas none of the DNC hackers are alleged to have left Russia.

But there’s a ton of common activity, notably the spearphishing of targeted individuals and the use of their X-Agent hacking tool to exploit targeted machines.

Overlapping hack schedule

I’m also interested in the way the WADA hack, in particular, overlaps with the DNC one. I’ve got a timeline, below, of what the two indictments look like (I’ve excluded both the Westinghouse and OPCW hacks from this timeline to focus on the overlapping 2016 operations).

Yermakov and Malyshev are described by name doing specific tasks in the DNC hack through May 2016. By August, they have turned to hacking anti-doping targets. Yermakov, in particular, seems to play the same research role in both hacks.

Given the impact of these operations, it’s fairly remarkable that such a small team conducted both.

Common bitcoin habits and possibly even infrastructure

There are also paragraphs in the WADA indictment, particularly those pertaining to the use of bitcoin to fund the operation used to substantiate the money laundering charge, that appear to be lifted in their entirety from the DNC one (or perhaps both come from DOJ or Western PA US Attorney boilerplate — remember that the DNC hack was originally investigated in Western PA, so this language likely originates there).

These include:

  • 58/106: Describing how conspirators primarily used bitcoin to pay for infrastructure
  • 59/107: Describing how bitcoin works, with examples specific to each operation provided
  • 60/108: Describing how conspirators used dedicated email accounts to track bitcoin transactions
  • 61/109: Describing how conspirators used the same computers to conduct hacking operations and facilitate bitcoin payments
  • 62/110: Describing how conspirators also mined bitcoin and then used it to pay for servers, with examples specific to each operation
  • 64/111: Describing how conspirators used the same funding structure and sometimes the same pool of funds to pay for hacking infrastructure, with examples specific to each operation provided

The similarity of these two passages suggests two things. First, it suggests that the August 8, 2016 transaction in the WADA indictment may have been orchestrated from the gfade147 email noted in the DNC indictment. With both, the indictment notes that “One of these dedicated accounts … received hundreds of bitcoin payment requests from approximately 100 different email accounts,” with the DNC indictment including the gfade147 address. (Compare paragraph 60 in the DNC indictment with 108 in the WADA one.) That would suggest these two operations overlap even more than suspected.

That said, there’s one paragraph in the DNC indictment that doesn’t have an analogue in the WADA one, 63. It describes conspirators,

purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.

Given how loud much of these operations were, it raises questions about why some of the DNC hack (but not, at least by description, the WADA one) would require “heightened anonymity.”

Different treatment of InfoOps

I’m perhaps most interested in the different treatment of the InfoOps side of the operation. As I noted here, in general there seems to be a division of labor at GRU between the actual hackers, in Unit 26165, which is located at 20 Komsomolskiy Prospekt, and the information operations officers, in Unit 74455, which is located in the “Tower” at 22 Kirova Street, Khimki. Both units were involved in both operations.

Yet the WADA indictment does not name or charge any Unit 74455 officers, in spite of describing (in paragraphs 1 and 11) how the unit acquired and maintained online social media accounts and associated infrastructure (paragraph 76 describes that infrastructure to be “procured and managed, at least in part, by conspirators in GRU Unit 74455”). Five of the seven named defendants in the WADA indictment are in Unit 26165, with Oleg Sotnikov and Alexey Minin not identified by unit.

By comparison, three of the 11 officers charged in the DNC indictment belong to Unit 74455.

And the WADA campaign did have a significant media component, as explained in paragraphs 76-87. The indictment even complains (as did DOJ officials at the press conference announcing this indictment) about,

reporters press[ing] for and receiv[ing] promises of exclusivity in such reporting, with one such reporter attempting to make arrangements for a right of first refusal for articles on all future leaks and actively suggesting methods with which the conspiracy could search the stolen materials for documents of interest to that reporter (e.g., keywords of interest).

That said, the language in much of this discussion (see paragraphs 77 through 81) uses the passive voice — “were registered,” “were named,” “was posted,” “were released,” “were released,” “were released,” “were released” — showing less certainty about who was running that infrastructure.

That’s particularly interesting given that the government clearly had emails between the Fancy Bear personas and journalists.

One difference may be, in part, that in the DNC indictment, there are specific hacking (not InfoOps) actions attributed to two of the Unit 74455 officers: Aleksandr Osadchuk and Anatoliy Kovalev. Indeed, Kovalev seems to have been added on just for that charge, as he doesn’t appear in the introduction section at the beginning of the indictment.

Whereas Unit 74455’s role in the WADA indictment seems to be limited to running the InfoOps infrastructure.

Importance of WikiLeaks and sharing with Republicans

It’s not clear how much we can conclude from all that. But the different structure in the DNC indictment does allow it to foreground the role of a number of others, such as WikiLeaks and Roger Stone, that were a key part of the election operation and, as I suggested, allows DOJ to drop some or all of those others into a future conspiracy indictment.

Timeline

February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphishes Podesta’s personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopoulos learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alice Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announce DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based server and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send reporter password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 10-19: Morenets travels to Rio de Janeiro

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 2-9, 2016: Conspirators use multiple IP addresses to connect to or scan WADA’s network

August 2-4, 2016: Yermakov researches WADA and its ADAM database (which includes the drug test results of the world’s athletes) and USADA

August 3, 2016: Conspirators register wada.awa.org

August 5, 9, 2016: Yermakov researches Cisco firewalls, he and Malyshev send specific WADA employees spearphish

August 8, 2016: Conspirators register wada-arna.org and tas-cass.org

August 8, 2016: .012684 bitcoin transaction directed by dedicated email account

August 13-19, 2016: Morenets and Serebriakov travel to Rio, while Yermakov supports with research in Moscow

August 14-18, 2016: SQL attacks against USADA

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 19, 2016: Serebriakov compromises a specific anti-doping official and obtains credentials to access ADAM database

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 1, 2016: Domains fancybear.org and fancybear.net registered

September 6, 2016: Conspirators compromise credentials of USADA Board member while in Rio

September 7-14, 2016: Conspirators try, but fail, to use credentials stolen from USADA board member to access USADA systems

September 12, 2016: Data stolen from WADA and ADAMS first posted, initially focusing on US athletes

September 12, 2016 to January 17, 2018: Conspirators attempt to draw media attention to leaks via social media

September 18, 2016: Morenets and Serebriakov travel to Lausanne, staying in anti-doping hotels, to compromise hotel WiFi

September 19, 2016 to July 20, 2018: Conspirators attempt to draw media attention to leaks via email

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 6, 2016: Emails stolen from USADA first released

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

December 6, 2016 – January 2, 2017: Using IP frequently used by Malyshev, conspirators compromise FIFA’s anti-doping files

December 13, 2016: Data stolen from CCES released

January 19-24, 2017: Conspirators compromise computers of four IAAF officials

June 22, 2017: Data stolen from IAAF’s network released

July 5, 2017: Data stolen from IAAF’s network released

August 28, 2017: Data stolen from FIFA released

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Three Things: Russia and China Spying, Kavanope

[NB: Yes, it’s Rayne, not Marcy. Check the byline.]

Huge news earlier today related to spying. Really big. MASSIVE.

And a MASSIVE cover-up pawned off on the feeble-minded as a ‘complete investigation‘ into Dr. Ford’s and Deborah Ramirez’s accusations against Brett Kavanaugh.

~ 3 ~

Bloomberg published an epic piece of investigative journalism this morning about China’s spying on U.S. businesses by way of tiny chips embedded in server motherboards. The photos in the story are just as important as the must-read story itself as they crystallize a challenge for U.S. intelligence and tech communities. Like this pic:

That tiny pale obelisk to the right of the penny represents one of the malicious chips found in affected Supermicro brand motherboards shipped to the U.S. market — nearly as small as the numbers in the date on the coin. Imagine looking for something this puny before a machine is turned on and begins to launch its operating system. Imagine trying to find it when it is sandwiched inside the board itself, embedded in the fiberglass on top of which components are cemented.

The chip could undermine encryption and passwords, making any system open to those who know about its presence. According to Bloomberg reporters Jordan Robertson and Michael Riley, the chips found their way into motherboards used by Apple and Amazon.

Information security folks are scrambling right now because this report rocks their assumptions about the supply chain and their overall infosec worldview. Quite a few doubt this Bloomberg report, their skepticism heightened by the carefully worded denials offered by affected and relevant parties Apple, Amazon, Supermicro, and China. Apple provided an itemization of what it believed Bloomberg Businessweek got wrong along with its denial.

I’ll have more on this in a future post. Yes, indeedy.

~ 2 ~

A cooperative, organized response by Britain, The Netherlands, U.S., and Canada today included the indictment of seven Russians by the U.S. for conspiracy, conspiracy to commit wire fraud, wire fraud, aggravated identity theft, and conspiracy to launder money. The Russians have been identified as members of a GRU team organized out of a facility in Moscow, working on hacking and a disinformation influence campaign focused on anti-doping entities and non-Russian Olympic athletic competitors.

Note the underlined bit in this excerpt from the indictment (pdf) — the last indictment I copied with similar wording was that of Evgeny Buryakov and his two comrades, the three spies based in New York City who worked with “Male-1”, now known to be Carter Page. Who are the known and unknown? Persons who have flipped or co-conspirators yet to be named?

The UK released a statement as did the Canadians, and the Netherlands issued a joint statement with the UK about the entirety of spying for which this GRU team is believed to be responsible, including an attempt to breach the Organisation for the Prohibition of Chemical Weapons’ (OPCW) facility analyzing the Novichok nerve agent used to poison the Skripals in the UK as well as chemicals used against Syrians.

Cryptocurrency news outlets report concerns that this indictment reveals the extent of USDOJ’s ability to trace cryptocurrency.

An interesting coincidence took place overnight as well — Russian Deputy Attorney General Saak Karapetyan died last night when an unauthorized helicopter flight crashed northeast of Moscow. Karapetyan had been linked this past January to Natalia Veselnitskaya and an attempt to recruit Switzerland’s top investigator as a double agent. But Karapetyan had also been involved in Russia’s response to the poisoning of Alexander Litvinenko and the aftermath of the Skripals’ poisoning in the UK.

What remarkable timing.

One might wonder if this accident had anything to do with the unusual release of GRU personnel details by the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice during their joint statement today.

By comparing the released identity documents, passports, automobile registrations and the address provided when cars were rented, the identities of a total of 305 GRU agents may have been identified by bellingcat and The Insider including the four out of the seven men wanted by the U.S. for the anti-doping hacking as well as attempted breach of OPCW.

The identity of the four GRU agents accused of targeting the OPCW was cinched by a taxi receipt in one agent’s pocket from a location on the road next to the GRU’s facility in Russia. Four agents also had consecutive passport numbers.

What remarkably bad opsec.

~ 1 ~

As for the impending vote on Brett Kavanaugh:

– Senator Heidi Heitkamp is voting her conscience — NO on Kavanaugh.
– Senator Joe Manchin is now the lone Dem holdout; he says he’s still listening but hasn’t seen anything incriminating from Kavanaugh’s adulthood. (Gee, I wonder why.)
– Senator Bob Menendez didn’t mince words. He said “It’s a bullshit investigation.” (He should know what a thorough investigation looks like).

And the beer-loving former Yale frat boy had an op-ed published in the Wall Street Journal which pleads with us to lose all intelligence and believe that he is really very neutral. I am not even going to link to that POS which has re-enraged women all over the country.

GTFO.

Continue calling your senators to thank them for a NO vote on Kavanaugh so that they aren’t hearing right-wing demands alone. Congressional switchboard: (202) 224-3121

~ 0 ~

This is an open thread. Sic ’em.

Andy McCarthy’s Misconception

I was struck, in reading Andy McCarthy’s review of the Michael Cohen and Paul Manafort guilty outcomes last week (in which he measures Trump via a vastly different standard than he once measured Bill Clinton), by this erroneous claim:

The Trump camp continues to stress that Manafort’s case had nothing to do with the original rationale for Mueller’s investigation, “collusion with Russia.” But as we’ve pointed out any number of times, Mueller took over a counterintelligence investigation of Russia’s interference in the 2016 election. Possible Trump-campaign collusion with Russia was just one thread in the larger probe.

The claim that the Trump-campaign “collusion” was just one thread of what Mueller originally took over is false, but utterly critical for McCarthy’s sustained belief that Mueller has not found evidence of a conspiracy between Trump and Russia. While it is true that when Comey confirmed the investigation, he did not specify the structure of the investigation,

I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts. As with any counterintelligence investigation, this will also include an assessment of whether any crimes were committed.

When Rod Rosenstein appointed Mueller, he described Mueller’s scope to include,

  • any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and
  • any matters that arose or may arise directly from the investigation; and
  • any other matters within the scope of 28 C.F.R. § 600.4(a)

Why McCarthy made this error is clear: he uses the existence of, and Mueller’s indictments in, a broader counterintelligence investigation to sustain his belief that Mueller doesn’t have a “collusion” case against Trump or his associates.

At this point, it does not appear that Mueller has a collusion case against Trump associates. His indictments involving Russian hacking and troll farms do not suggest complicity by the Trump campaign. I also find it hard to believe Mueller sees Manafort as the key to making a case on Trump when Mueller has had Gates — Manafort’s partner — as a cooperator for six months. You have to figure Gates knows whatever Manafort knows about collusion. Yet, since Gates began cooperating with the special counsel, Mueller has filed the charges against Russians that do not implicate Trump, and has transferred those cases to other Justice Department components.

When it comes to the president, I believe the special counsel’s focus is obstruction, not collusion. When it comes to Manafort, I believe the special counsel’s focus is Russia — specifically, Manafort’s longtime connections to Kremlin-connected operatives. Mueller may well be interested in what Manafort can add to his inquiry into the June 2016 Trump Tower meeting (arranged by Donald Trump Jr. in futile hopes of obtaining campaign dirt from Russia on Hillary Clinton). That, however, is not the more serious “collusion” allegation that triggered the Trump thread of the investigation — cyberespionage conspiracy (i.e., Russian hacking of Democratic party emails).

That is, because Mueller indicted trolls and GRU hackers and then spun those prosecutions off to other teams (in the GRU case, back to one of the teams that originally investigated it), it is proof, in McCarthy’s mind, that Mueller isn’t targeting Trump and his associates for conspiring with Russia.

The actual background of the Mueller investigation suggests precisely the opposite. As I noted when Lawfare made precisely the same error in a post on the GRU indictment,

Friday’s indictment is, rather, the result of investigations conducted primarily in San Francisco and Pittsburgh. At the time Comey confirmed the counterintelligence investigation into Trump’s camp and at the time Comey got fired for not shutting the Trump counterintelligence investigation down, those San Francisco and Pittsburgh investigations were totally separate. Those two investigations almost certainly had little if any involvement from Peter Strzok (indeed, they involved a bunch of FBI cyber agents, a division of FBI that Strzok never tired of mocking in his texts to Lisa Page). The DOJ press release from Friday states that explicitly.

This case was investigated with the help of the FBI’s cyber teams in Pittsburgh, Philadelphia and San Francisco and the National Security Division.

Those two investigations (plus the separate one noted in Philadelphia that started later, as I understand it from what a lawyer who represented a witness in that investigation described to me) got moved under the Mueller umbrella sometime in or just before November, and now the GRU officer part of the investigation will be moved back to Pittsburgh where it started, to languish forever like some other nation-state hacker indictments investigated by Western District of Pennsylvania.

Given that both public reporting (starting in February 2017 and extending into November 2017) and Mueller team changes (not to mention my own reporting about the Philadelphia grand jury’s activity in the second half of May 2017 and my own knowledge about where I interviewed and where my interview materials subsequently got moved to) support this narrative, McCarthy (and the Lawfare crowd) might ask why Mueller decided to integrate the cybersecurity parts of the investigation, only to spin the Russian defendants back to other teams once they were indicted?

We can begin to get an answer from the two indictments that — Andy wants to believe — are themselves evidence that Mueller doesn’t have evidence on Trump’s associates but actually are. The Internet Research Agency indictment actually describes three Florida-based Trump campaign officials inconclusively, as if they were either still under investigation or at some legal risk.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

And while the GRU indictment (on top of key clauses being misread by virtually everyone who has read it) doesn’t use the same convention to describe Roger Stone’s communications with Guccifer 2.0…

On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”

It pointed to Russia’s response to Donald Trump’s request that they hack Hillary without referring to him one way or another.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

What Mueller has done with both of the counterintelligence indictments that McCarthy takes solace in is lay out the Russian side of a conspiracy (and both are charged as conspiracies) with very clear spots into which American co-conspirators may be dropped when Mueller is prepared to do so. (I laid this out at more length in this post.)

Importantly, the fact that some of this investigation started out in other parts of DOJ but then got moved under Mueller makes it clear that something came up in the investigation that Mueller and Rosenstein believed required they be moved under Special Counsel when they weren’t there, originally.

Let’s put it this way: Mueller didn’t subsume investigations located elsewhere at DOJ because the Special Counsel needed to be the one to indict a bunch of Russians. He did it to set up the conspiracies that would — that will — later be occupied by Russians and Americans.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.