Posts

The Theory of Prosecution You Love for Julian Assange May Look Different When Applied to Jason Leopold

The WaPo confirmed something Seamus Hughes disclosed last night: Sometime before August 22, EDVA had filed a sealed complaint (not indictment) against Julian Assange.

WikiLeaks founder Julian Assange has been charged under seal, prosecutors inadvertently revealed in a recently unsealed court filing — a development that could significantly advance the probe into Russian interference in the 2016 election and have major implications for those who publish government secrets.

The disclosure came in a filing in a case unrelated to Assange. Assistant U.S. Attorney Kellen S. Dwyer, urging a judge to keep the matter sealed, wrote that “due to the sophistication of the defendant and the publicity surrounding the case, no other procedure is likely to keep confidential the fact that Assange has been charged.” Later, Dwyer wrote the charges would “need to remain sealed until Assange is arrested.”

Dwyer is also assigned to the WikiLeaks case. People familiar with the matter said what Dwyer was disclosing was true, but unintentional.

The confirmation closely follows a WSJ story describing increased confidence that the US will succeed in extraditing Assange for trial.

The confirmation that Assange has been charged has set off a frenzy, both among Assange supporters who claim this proves their years of claims he was indicted back in 2011 and insisting that charging him now would amount to criminalizing journalism, and among so-called liberals attacking Assange lawyer Barry Pollack’s scolding of DOJ for breaking their own rules.

I’ve long been on record saying that I think most older theories of charging Assange would be very dangerous for journalism. More recently, though, I’ve noted that Assange’s actions with respect to Vault 7, which had original venue in EDVA where the Assange complaint was filed (accused leaker Joshua Schulte waived venue in his prosecution), go well beyond journalism. That said, I worry DOJ may have embraced a revised theory on Assange’s exposure that would have dire implications for other journalists, most urgently for Jason Leopold.

There are, roughly, four theories DOJ might use to charge Assange:

  • Receiving and publishing stolen information is illegal
  • Conspiring to release stolen information for maximal damage is illegal
  • Soliciting the theft of protected information is illegal
  • Using stolen weapons to extort the US government is illegal

Receiving and publishing stolen information is illegal

The first, theory is the one that Obama’s DOJ rejected, based on the recognition that it would expose NYT journalists to prosecution as well. I suspect the Trump Administration will have the same reservations with such a prosecution.

Conspiring to release stolen information for maximal damage is illegal

The second imagines that Assange would be charged for behavior noted in the GRU indictment — WikiLeaks’ solicitation, from someone using the persona of Guccifer 2.0, of material such that it would be maximally damaging to Hillary Clinton.

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc link1.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

Significantly, WikiLeaks (but not Roger Stone) was referred to in the way an unidicted co-conspirator normally is, not named, but described in such a way to make its identity clear.

This is a closer call. There is a Supreme Court precedent protecting journalists who publish stolen newsworthy information. But it’s one already being challenged in civil suits in ways that have elicited a lot of debate. Prosecuting a journalist for trying to do maximal damage actually would criminalize a great deal of political journalism, starting but not limited to Fox. Note that when the founders write the First Amendment, the norm was political journalism, not the so-called objective journalism we have now, so they certainly didn’t expect press protections to be limited to those trying to be fair to both sides.

Such a charge may depend on the degree to which the government can prove foreknowledge of the larger agreement with the Russians to damage Hillary, as well as the illegal procurement of information after WikiLeaks expressed an interest in information damaging Hillary.

Mueller might have evidence to support this (though there’s also evidence that WikiLeaks refused to publish a number of things co-conspirators leaked to them, including but not limited to the DCCC documents). The point is, we don’t know what the fact pattern on such a prosecution would look like, and how it would distinguish the actions from protected politically engaged journalism.

Soliciting the theft of protected information is illegal

Then there’s the scenario that Emma Best just hit on yesterday: that DOJ would prosecute Assange for soliciting hacks of specific targets. Best points to Assange’s close coordination with hackers going back to at least 2011 (ironically, but in a legally meaningless way, with FBI’s mole Sabu).

This is, in my opinion, a possible way DOJ would charge Assange that would be very dangerous. I’m particularly worried because of the way the DOJ charged Natalie Mayflower Edwards for leaking Suspicious Activity Reports to Jason Leopold. Edwards was charged with two crimes: Unauthorized Disclosure of Suspicious Activity Reports and Conspiracy to Make Unauthorized Disclosures of Suspicious Activity Reports (using the same Conspiracy charge that Mueller has been focused on).

In addition to describing BuzzFeed stories relying on SARs that Edwards saved to a flash drive by October 18, 2017 and then January 8, 2018, it describes a (probably Signal) conversation from September 2018 where Leopold — described in the manner used to describe unindicted co-conspirators — directed Edwards to conduct certain searches for material that ended up in an October story on Prevezon, a story published the day before Edwards was charged.

As noted above, the October 2018 Article regarded, among other things, Prevezon and the Investment Company. As recently as September 2018, EDWARDS and Reporter-1 engaged in the following conversation, via the Encrypted Application, in relevant part:

EDWARDS: I am not getting any hits on [the CEO of the Investment Company] do you have any idea what the association is if I had more information i could search in different areas

Reporter-1: If not on his name it would be [the Investment Company]. That’s the only other one [The CEO] is associated with Prevezon Well not associated His company is [the Investment Company]

Based upon my training and experience, my participation in the investigation, and my conversations with other law enforcement agents familiar with the investigation, I believe that in the above conversation, EDWARDS was explaining that she had performed searches of FinCEN records relating to Prevezon, at Reporter-l’s request, in order to supply SAR information for the October 2018 Article.

Edwards still has not been indicted, two weeks after her arraignment. That suggests it’s possible the government is trying to persuade her to plead and testify against Leopold in that conspiracy, thereby waiving indictment. The argument, in that case, would be that Leopold went beyond accepting stolen protected information, to soliciting the theft of the information.

This is the model a lot of people are embracing for an Assange prosecution, and it’s something that a lot of journalists not named Jason Leopold also do (arguably, it’s similar but probably more active than what James Rosen got dubbed a co-conspirator in the Stephen Jin-Woo Kim case).

Charging Leopold in a bunch of leaks pertaining to Russian targets would be a nice way (for DOJ, not for journalism) to limit any claim that just Assange was being targeted under such a theory. Indeed, it would placate Trump and would endanger efforts to report on what Mueller and Congress have been doing. Furthermore, it would be consistent with the aggressive approach to journalists reflected in the prosecution of James Wolfe for a bunch of leaks pertaining to Carter Page, which involved subpoenaing years of Ali Watkins’ call records.

In short, pursuing Leopold for a conspiracy to leak charge would be consistent with — and for DOJ, tactically advantageous — the theory under which most people want Assange charged.

Using stolen weapons to extort the US government is illegal

Finally, there’s the fourth possibility, and one I think is highly likely: charging Assange for his serial efforts to extort a pardon from the US government by threatening to release the Vault 7 (and ultimately, a single Vault 8 live malware) files.

This post shows how, starting in January 2017, Assange (and Oleg Deripaska) representative Adam Waldman was reaching out to top DOJ officials trying to negotiate a deal and using the release of the Vault 7 documents as leverage.

This post shows how, the second time Assange tweeted Don Jr asking for an Ambassadorship, he included a threatening reference to Vault 8, WikiLeaks’ name for the actual malware stolen and leaked from CIA, the first file from which Assange had released days earlier.

[B]ack in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017 of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year followed by a more formal one on May 10, 2018 that remains in place.

Notably, Ecuador may have warned Assange back then to stop releasing America’s malware from their Embassy; those warnings have laid the groundwork for the rigid gag rules recently imposed on Assange on risk of losing asylum.

Immediately after this exchange, accused Vault 7/8 leaker Joshua Schulte had some Tor accesses which led to him losing bail. They didn’t, however, lead BOP to take away his multiple devices (!?!?!). Which means that when they raided his jail cell on or around October 1, they found a bunch of devices and his activity from 13 email and social media accounts. Importantly, DOJ claims they also obtained video evidence of Schulte continuing his efforts to leak classified information.

The announcement of that raid, and the additional charges against Schulte, coincided with a period of increased silence from WikiLeaks, broken only by last night’s response to the confirmation Assange had been charged.

I think it possible and journalistically safe to go after Assange for releasing stolen weapons to extort a criminal pardon. But most of the other theories of prosecuting Assange would also pose real risks for other journalists that those rooting for an Assange prosecution appreciate and rely on.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Could Roger Stone Be Charged in a CFAA Conspiracy?

I just did an extended rant on Twitter about Jonathan Chait’s latest attempt to pretend to be covering the Russian investigation. Basically, though, I was making the same point I made in this post: Mueller is not going to charge Roger Stone just for talking to WikiLeaks — or even having advance knowledge about what WikiLeaks planned to do. So to try to understand what Mueller is after, you need more than a Chait-like titillation that Stone exchanged some DMs with Guccifer 2.0 or, much later, WikiLeaks.

In response to that, a number of people suggested that Mueller might charge Stone for conspiracy to hack (under the Computer Fraud and Abuse Act) after the fact.

You don’t charge people for entering into a conspiracy after the crimes have been committed.

In fact, in one of Roger Stone’s denials, to Chuck Todd earlier this year, he tried to make this point — that he can’t be held responsible for any hacking because the hacking happened before he started interacting with the purported hacker, Guccifer 2.0.

Todd: Why did you reach out to Guccifer? Why did you reach out to Wikileaks?

Stone: First of all, my direct messages with Guccifer 2.0, if that’s who it really is, come six weeks, almost six weeks after the DNC emails had been published by Wikileaks. So in order to collude in their hacking, which I had nothing whatsoever to do with, one would have needed a time machine.

And (at least based on what we know) I believe that’s true, with respect to the March 19, 2016 hack of John Podesta and the May 25, 2016 exfiltration of the DNC emails. Nothing we know suggests Stone was part of a conspiracy with the Russians that early (though I don’t rule it out, particularly given his recruitment of Paul Manafort around the same time as the Podesta hack). Nothing we know says Stone can be shown to have entered into a conspiracy with Russia before the hack of Podesta or the DNC.

But it is not the case that no hacking occurred after Trump and his allies are suspected of entering into a conspiracy. Mueller provided a really remarkable example in the GRU indictment, showing that after Trump asked the Russians for Hillary’s emails, they launched a new wave of attacks on targets close to Hillary.

The Conspirators spearphished individuals affiliated with the Clinton Campaign throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

There’s another example in the indictment, involving Stone, which is more subtle.

The indictment summarizes key parts of Stone’s conversation with Guccifer 2.0, describing him as someone who “was in regular contact with senior members of the presidential campaign of Donald J. Trump.” It describes how Guccifer 2.0 asked Stone if he could be of assistance, then asked him what he thought of a turnout model earlier released to and highlighted by Aaron Nevins (whom the indictment describes as a “a then-registered state lobbyist and online source of political news”). As the indictment describes, Stone said that that turnout model was “pretty standard.”

The Conspirators, posing as Guccifer 2.0, also communicated with U.S. persons about the release of stolen documents. On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”

It looked like this:

Sometime in September — the indictment is coy about whether it happened before or after September 9 — Russian hackers accessed the DNC’s analytics on an AWS server and made a copy, thereby stealing it.

In or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service. These computers contained test applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the DNC’s cloud-based systems using the cloud provider’s own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC.

Accessing the Democratic analytics program updated daily — even if, as I’ve been told happened, the Democrats discovered and shut down this effort before Russians could obtain more valuable trend data — would presumably be far more valuable than leaking a targeting document dating to February 9. It would be far more damning, too, if that theft came after a close associate of the candidate (and the recently departed campaign manager) had poo-pooed the dated targeting data as standard fare, suggesting Trump’s team wanted something more valuable.

We don’t know what happened to that analytics data after Russia stole it. But the GRU indictment does show not only that Stone was interacting with Guccifer 2.0 before that theft in September, but that he may have even provided feedback about similar information before the theft of more valuable, timely turnout information.

That probably still doesn’t get you to a CFAA conspiracy by itself (which is a different matter than a ConFraudUS conspiracy based off accepting a thing of value from a foreigner, for which there’s more solid evidence). But the two events taken in tandem suggest Russian hackers may have been responding to feedback from both the candidate and his longtime political advisor Roger Stone. The question, then, is what kind of agreement that responsiveness took part in.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

On the Roger Stone Investigation: Talking to Guccifer 2.0 or WikiLeaks Is Not a Crime

Before I get further in my series on the known universe of hacked and leaked emails from 2016, I want to explain something about Roger Stone, especially given this WaPo story that provides interesting details but claims Mueller is pursuing them in hopes of answering this question:

Did longtime Trump adviser Roger Stone — or any other associate of the president — have advance knowledge of WikiLeaks’ plans to release hacked Democratic emails in 2016?

While I don’t claim to understand much more than the rest of the world about what the Mueller probe is doing, I say with a fair degree of certainty that Mueller has not had three prosecutors chasing leads on Roger Stone since February because he wants to know if Stone had advance knowledge of WikiLeaks’ plans on releasing emails. Knowing that WikiLeaks planned on releasing emails is not a crime.

Indeed, Assange at times (most notably on June 12) telegraphed what he was up to. There were WikiLeaks volunteers and some journalists who knew what WikiLeaks was up to. None of that, by itself, is a crime.

With that in mind, consider the following:

It matters what emails Stone claimed to know would be released

At the risk of spoiling my series, let me explain the significance of it. While knowing that WikiLeaks would release emails is not by itself a crime, advance knowledge becomes more interesting based on what Stone might have done with that knowledge. Here’s why:

  • DNC emails: Mueller has presumably tracked whether and to whom George Papadopoulos shared advance knowledge of the tip he got on April 26 that the Russians would release emails to help Trump. That’s important because if he can show meeting participants knew those emails had been offered, then June 9 meeting becomes an overt act in a conspiracy. While there’s no public allegation Stone knew that WikiLeaks would be releasing Hillary emails before Julian Assange stated that publicly on June 12 (after the Trump Tower meeting and therefore at most a response to the meeting), if Stone knew that WikiLeaks would be part of the delivery method it adds to evidence of a conspiracy.
  • Podesta emails: The Democrats’ focus on Stone has always been on his seeming advance knowledge that WikiLeaks would release the Podesta emails, though the public case that he did is in no way definitive. Even assuming he did learn in advance, there are multiple channels via which Stone might have learned the Podesta emails were coming (just as an example, Democrats have necessarily always been obfuscating about how much they knew). But any presumed advance knowledge is still only a crime if Stone in some way coordinated with it or encouraged ongoing hacking.
  • Deleted Hillary emails: While the evidence that Roger Stone knew that WikiLeaks would release Podesta’s emails is inconclusive, the evidence that he “knew” WikiLeaks had Hillary’s deleted emails is not. Stone made that claim over and over. It’s actually not public whether and when WikiLeaks obtained files purporting to be Hillary’s deleted emails, though we should assume they got at least some sets of purported emails via the Peter Smith effort. If Stone had involvement in that effort, it might be criminal (because operatives were soliciting stolen emails from criminal hackers, not just making use of what got released), though Stone says he was unaware of it.
  • DCCC emails: The DCCC files, which offered more operational data about downstream campaigns, might raise other problems under criminal law. That’s because the data offered was generally more operational than the DNC and Podesta emails offered, meaning operatives could use the stolen data to tweak their campaign efforts. And Guccifer 2.0 was sharing that data specifically with operatives, providing something of value to campaigns. Guccifer 2.0 tried to do the same with Stone. The text messages between Stone and Guccifer 2.0 show the persona trying to get Stone interested in some of the DCCC files pertaining to FL. But at least on those DMs, Stone demurred. That said, if Stone received and operationalized DCCC data in some of his rat-fucking, then it might raise criminal issues.

It matters from whom Stone learned (if he did) of WikiLeaks’ plans

A big part of Mueller’s focus seems to be on testing Stone’s public claims that his go-between with WikiLeaks was Randy Credico, who had ties to Assange but was not conspiring to help Trump win via those channels.

There are other possible go-betweens that would be of greater interest. For example, the public discussion of Stone’s potential advance knowledge seems to have forgotten the suspected role of Nigel Farage, with whom Stone dined at the RNC and later met at Trump’s inauguration. That would be of heightened interest, particularly given the way Stone suggested the vote had been rigged against Brexit and Trump when in reality Russians were rigging the vote for both.

It matters whether Stone lied about the whom or the what

Stone’s testimony to the House, in which he offered explanations about any advance knowledge and his Podesta comment, was sworn. If Mueller can show he lied in his sworn testimony, that is certainly technically a crime (indeed, Sam Patten got referred to Mueller based on on his false statements to the Senate Intelligence Committee). But it’s unlikely Mueller would charge, much less investigate, Stone for 8 months solely to prove whether he lied to Congress.

But if Stone did lie — claiming he learned of WikiLeaks’ plans from Credico when in fact he learned from someone also conspiring with the Russians — then those lies would lay out the import of Stone’s role, in what he was hypothetically trying to cover up.

Stone’s flip-flop on blaming the Russians at the moment he claimed to have knowledge of WikiLeaks’ plans is of likely interest

There’s a data point that seems very important in the Roger Stone story. On or around August 3, the very same day Stone told Sam Nunberg that he had dined with Julian Assange, Stone flip-flopped on his public statements about whether Russia had hacked Hillary or some 400 pound hacker in a basement had. During that period, he went from NY (where he met with Trump) to LA to coordinate with his dark money allies, then went home to Florida to write a column that became the first entry in Stone’s effort to obfuscate the Russian role in the hack. That flip-flop occurred just before Stone started making public claims about what WikiLeaks had.

I suspect that flip-flop is a real point of interest, and as such may involve some other kind of coordination that the press has no public visibility on (particularly given that his claimed meeting with Assange happened while he was meeting with his dark money people).

Mueller may have had probable cause Roger Stone broke the law by March

In the wake of Michael Caputo’s testimony, Roger Stone briefly claimed that he must have been targeted under FISA, apparently based on the fact that Mueller had (possibly encrypted) texts he didn’t provide himself showing that he and Caputo had had contact with a presumed Russian dangle they had hidden in prior sworn testimony. A more likely explanation is that Stone’s was one of the at-least five phones Mueller got a warrant for on March 9, in the wake of Rick Gates’ cooperation. But if that’s the case, then it means that Mueller already had shown probable cause Stone had committed some crime by the time he got this phone.

Mueller is scrutinizing Stone for more than just knowledge of WikiLeaks

Even the public reporting on Mueller’s investigative actions make it clear that he is scrutinizing Stone for more than just a hypothetical knowledge of, much less coordination with, WikiLeaks. He seems to have interest in the two incarnations of Stone’s Stop the Steal dark money group, which worked to intimidate Cruz supporters around the RNC and worked to suppress Democratic voters in the fall. There’s reason to suspect that the ways in which Stone and his people sloshed that money around did not follow campaign finance rules (in which case Don McGahn might have played a role). Certainly, Andrew Miller seems to worry that his own role in that sloshing might lead to criminal exposure. But Jerome Corsi has also suggested that Stone might have pitched some legally suspect actions to him, and those would constitute rat-fuckery, not campaign finance violations in the service of rat-fuckery.

Now, those other potential crimes might just be the gravy that Mueller has repeatedly used, charging people with unrelated crimes (like Mike Flynn’s Turkish influence peddling or Michael Cohen’s Stormy Daniel payoffs) to get their cooperation in the case in chief. Or they might be something that more closely ties to conspiracy with Russians.

The larger point, however, is that isolated details from Stone-friendly witnesses (and from Stone himself) may not be the most reliable way to understand where Mueller is going with his investigation of Stone. Certainly not witnesses who say Mueller has spent 8 months scrutinizing whether Stone lied about his foreknowledge of WikiLeaks’ actions.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Universe of Hacked and Leaked Emails from 2016: DNC Emails

When Mueller’s team released George Papadopoulos’ plea deal last year, I noted that the initial denials that Papadopoulos had advance warning of the emails the Russians were preparing to hack and leak did not account for the entire universe of emails known to have been stolen. A year and several Mueller indictments later, we still don’t have a complete understanding of what emails were being dealt when. Because that lack of understanding hinders understanding what Mueller might be doing with Roger Stone, I wanted to lay out what we know about four sets of emails. This series will include posts on the following:

  • DNC emails
  • Podesta emails
  • DCCC emails
  • Emails Hillary deleted from her server

The series won’t, however, account for two more sets of emails, anything APT 29 stole when hacking the White House and State Department in 2015, or anything released via the several FOIAs of the Hillary emails turned over to the State Department from her home server. It also won’t deal with the following:

  • Emails from two Hillary staffers who had their emails released via dcleaks
  • The emails of other people released by dcleaks, which includes Colin Powell, some Republican party officials (including some 2015 emails Peter Smith sent to the IL Republican party), and others with interests in Ukraine
  • A copy of the Democrats’ analytics program copied on AWS
  • The NGP/VAN file, which was not directly released by Guccifer 2.0, but is central to one of the skeptics’ theories about an alternative source other than Russia

DNC Emails

The “DNC emails” are generally thought of as the 44,000 emails WikiLeaks released on July 22, 2016. The GRU indictment describes the theft and conveyance of those emails this way:

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

[snip]

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc link1.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

On or about July 22, 2016, Organization 1 released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.

Raffi Khatchadourian (who has done as much work as anyone else on the known universe of emails) noted that by the time the July 14 exchange had happened, Julian Assange had already said he had emails and Guccifer 2.0 had already said he had shared them with WikiLeaks.

On June 12th, three days before the creation of Guccifer 2.0, Assange announced that he had a substantial trove of Clinton-related e-mails that were pending publication. Likewise, Guccifer 2.0 proclaimed, on its very first post on the WordPress site, “The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon.” Again and again, the G.R.U. officers tried to drive home this point—which, of course, was evidently the main point of creating the persona. “I sent a big part of docs to WikiLeaks,” Guccifer 2.0 told the editor of the Smoking Gun that same day. On June 17th, Guccifer 2.0 said in another e-mail, “I gave WikiLeaks the greater part of the files.” (For e-mail, the G.R.U. gave Guccifer 2.0 another fake identity: Stephan Orphan.)

In other words, both the G.R.U. and Assange appear to have confessed to the transmission and reception of a large trove of Clinton-related e-mails in mid-June, before Guccifer 2.0 was apparently created. The indictment does not address this. There is no way to say precisely what that trove was—if it was the Podesta archive given to WikiLeaks much earlier than is generally presumed, or the D.N.C. e-mails, or both, or something else. (There is also the possibility that both parties were not speaking truthfully.) But, if Assange did have the D.N.C. e-mails before Guccifer 2.0 was created, then the details in the indictment take on new meaning. Some version of the following may be true: it is mid-June, with the convention approaching, and Assange is about to release a bombshell, when he notices the sudden appearance of Guccifer 2.0, a “hacker” edging into his turf, inviting journalists to write in. So he writes in, asking for material that interests him. He has already gone through the D.N.C. e-mails and has recognized that the trove highlights conflict within the Democratic Party. He signals that he wants more on that specific issue. The G.R.U. is happy to comply, through its new cutout. Perhaps some of it overlaps with what the G.R.U. already provided, making Guccifer 2.0’s confessions literally accurate. Perhaps it is the same irrelevant dross that Guccifer 2.0 fed to others.

Last year, I visited Assange several times in the Ecuadorian Embassy in London. He often emphasized to me that the sourcing of his election publications was complex. I usually took this as a dodge. But the sourcing may indeed have been multilayered. There are many conceivable ways that G.R.U. officers could have provided e-mails to WikiLeaks before they created Guccifer 2.0. They could have used the WikiLeaks anonymous-submission system. They could have used a different fictitious online persona. They could have used a human intermediary. Last year, James Clapper told me, “It was done by a cutout, which of course afforded Assange plausible deniability.” In January, 2017, Clapper oversaw a formal intelligence assessment on Russian meddling. At the time, more than one news organization reported that a classified version of the assessment made clear that the intermediaries between the G.R.U. and WikiLeaks were already known. (Certainly, the intelligence community would also have been in possession of Guccifer 2.0’s Twitter D.M.s at that time, too.) One intelligence official, describing the report, indicated to Reuters last year that the e-mails relayed to WikiLeaks had followed a “circuitous route,” by a series of handoffs, on their journey from Moscow. Such a scenario seems to be at odds with the idea that Guccifer 2.0 merely sent WikiLeaks an encrypted link to download it all in one swoop.

An earlier Khatchadourian piece describes WikiLeaks experiencing some pressure to publish before the convention.

In early July, for example, Guccifer 2.0 told a Washington journalist that WikiLeaks was “playing for time.” There was no public evidence for this, but from the inside it was clear that WikiLeaks was overwhelmed. In addition to the D.N.C. archive, Assange had received e-mails from the leading political party in Turkey, which had recently experienced a coup, and he felt that he needed to rush them out. Meanwhile, a WikiLeaks team was scrambling to prepare the D.N.C. material. (A WikiLeaks staffer told me that they worked so fast that they lost track of some of the e-mails, which they quietly released later in the year.) On several occasions, and in different contexts, Assange admitted to me that he was pressed for time. “We were quite concerned about meeting the deadline,” he told me once, referring to the Democratic National Convention.

His original release date for the D.N.C. archive, he explained, was July 18th, the Monday before the Convention; his team missed the deadline by four days. “We were only ready Friday,” he said. “We had these hiccups that delayed us, and we were given a little more time—” He stopped, and then added, strangely, “to grow.”

Khatchadourian’s earlier mention of a July 18 deadline is quite interesting, given the response from WikiLeaks to a Guccifer 2.0 email, promising to publish that week, on the 18th.

Khatchadourian also describes WikiLeaks as doing significant work to verify the emails — more than they could have done in the time between July 14 and July 22.

Once they were in Assange’s hands, his overriding concern was to insure that they were genuine. “We had quite some difficulties to overcome, in terms of the technical aspects, and making sure we were comfortable with the forensics,” he recalled. As an Australian, he had only a vague grasp of the way the D.N.C. operated, which made deciphering the political significance of the e-mails difficult. “It’s like looking at a very complex Hieronymus Bosch painting from a distance,” he told me. “You have to get close and interact with it, then you start to get a feel.” Often, a first encounter with a WikiLeaks database submission can be overwhelming—as one former staffer told me, “My heart sinks a bit.”

To work on the material, Assange had to coördinate with operatives outside the building, and avoid surveillance inside it. “I have a lot of security issues in the Embassy,” he told me. “It’s not like you can be comfortable with your source material and read it.” He would not tell me how many people worked on the project, except that the number was small. “We’re all secret squirrels now,” he said.

All this raises questions about how much verification WikiLeaks did, and if instead this was a tale told to Khatchadourian, not to mention why they had confidence publishing them would not blow up on them.

Now, I have suggested that one possible second source of the emails — or at least one alternate explanation that Russia and WikiLeaks might claim that could provide GRU some plausible deniability — would be via the contents of email boxes stolen using passwords released just before the DNC hack from Yevgeniy Nikulin’s past hacks of Linked-In and MySpace. Nikulin has utterly stalled his prosecution until February by refusing not only to cooperate with his defense (though he has had repeated contacts from Russian diplomatic officials), but also with a competency evaluation. So we won’t learn anything (and Nikulin won’t be coerced to cooperate) anytime soon as a result of his extradition to the US.

But, as part of an effort to track changes to WikiLeaks’ website and the DNC emails, Emma Best identified what at first appeared to be a change in one email but ultimately just revealed that the cache includes both the sent and received copies of some emails.

After pointing this out on Twitter and listing the 36 known instances, one user checked a copy of the DNC emails they had retrieved months before. They found what appeared to be a modification to the email – a missing piece of metadata that identified the internal IP address that sent the email. After several hours of searching and comparing five different caches of DNC emails, the difference was both confirmed and explained – WikiLeaks’ copy of the DNC emails comes from several accounts, which resulted in some duplicates in their cache. The internal message ID for the duplicates would be the same, but differences in metadata would appear based on whether the email was being sent or received, and in the case of the former what device and client was sending the emails. Since the x-originating-ip metadata which seemed to appear and then disappear is added by the server when it’s sent, it would naturally be missing from the sender’s copy of the email. This addresses the most alarming question regarding the DNC emails, but does nothing to address the rest.

There are reasons to believe that this means the email in question comes from the Microsoft Exchange server and not from someone’s own mailbox (Update: though I may be 100% wrong on this point). Which, if my speculation that WikiLeaks might invoke the Nikulin alternate theory, might still show Assange got the emails in one batch early on, but then published what he got via the delivery identified in the indictment and didn’t spend much time vetting that delivery.

Meanwhile, it’s crucial to note, as Khatchadourian does in his earlier piece, that emails Guccifer 2.0 claimed were DNC documents when he released them the day after the WaPo revealed the DNC had been hacked didn’t come from the DNC; those that have been identified came, instead, from John Podesta. It wasn’t until July 6 that the Guccifer 2.0 documents billed as DNC ones actually were.

But then, on July 6th, just before Guccifer 2.0 complained that WikiLeaks was “playing for time,” this pattern of behavior abruptly reversed itself. “I have a new bunch of docs from the DNC server for you,” the persona wrote on WordPress. The files were utterly lacking in news value, and had no connection to one another—except that every item was an attachment in the D.N.C. e-mails that WikiLeaks had. The shift had the appearance of a threat. If Russian intelligence officers were inclined to indicate impatience, this was a way to do it.

The notion that the Guccifer 2.0 persona may have — in addition to discrediting the WaPo article and providing a quick cover for the Russian attribution of the hack — served to pressure Assange to keep to some kind of July 18 deadline raises more stakes on that detail from the GRU indictment, but also may relate to the kind of signaling we saw elsewhere.

Update: I should have laid out some of the logic behind emails we’ve got. First, WikiLeaks has claimed that all the emails they have come from the “accounts” of seven identified people.

The leaks come from the accounts of seven key figures in the DNC: Communications Director Luis Miranda (10520 emails), National Finance Director Jordon Kaplan (3799 emails), Finance Chief of Staff Scott Comer (3095 emails), Finanace Director of Data & Strategic Initiatives Daniel Parrish (1742 emails), Finance Director Allen Zachary (1611 emails), Senior Advisor Andrew Wright (938 emails) and Northern California Finance Director Robert (Erik) Stowe (751 emails).

Khatchadourian says they actually come from ten accounts.

The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.)

DNC automatically deleted emails after 30 days if they weren’t specifically saved (which is where this exfiltration estimate came from, which was off from the Mueller date by a week). Emails that precede the 30 day window (so April 19 or 25) or that weren’t part of one of the identified accounts may indicate another source.

As I disclosed July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Guccifer 2.0 Cleaned Up His “Collusion” Three Months after the Fact

I discovered something curious when I was working on a timeline recently.

Most posts on the Guccifer 2.0 site appear to have been modified only in the immediate timeframe after publishing (though, significantly, the first post was modified after the some of the first documents were recorded as being tweaked). But one post was modified, very slightly, months after it was posted.

That’s the Guccifer FAQ post. When it was first published on June 30, 2016 and as late as September 27 of that year, a paragraph on Hillary in the post read this way:

As for me, I see great differences between Hillary Clinton and Donald Trump. Hillary seems so much false to me, she got all her money from political activities and lobbying, she is a slave of moguls, she is bought and sold. She never had to work hard and never risked everything she had. Her words don’t meet her actions. And her collision with the DNC turned the primaries into farce. [my emphasis]

On October 2, 2016, that paragraph was corrected to read like this:

As for me, I see great differences between Hillary Clinton and Donald Trump. Hillary seems so much false to me, she got all her money from political activities and lobbying, she is a slave of moguls, she is bought and sold. She never had to work hard and never risked everything she had. Her words don’t meet her actions. And her collusion with the DNC turned the primaries into farce. [my emphasis]

That is, over three months after the post was originally posted, someone went back in and changed “collision” into the word that has taken on such loaded meaning since, “collusion.” Probably, “collusion” was the word intended from the start; perhaps either a keyboard fat-finger (on an English language keyboard, with the “u” and the “i” adjacent) or an autocorrect produced “collision” instead. While the paragraph and the post are rife with the linguistic inaccuracies — such as the use of “mogul” in the same paragraph — seen in other Guccifer 2.0 posts, in context “collusion” is the word that makes sense.

To be clear: I’m not making a big deal about any likely explanations for the incorrect word in the first place, nor am I making a big deal that that word — “collusion” — is the one thing that someone cared enough about to correct months later. “Collusion” is not a word Guccifer 2.0 used elsewhere, not even in posts where it might have been easy to do so. I’m not ascribing any grand significance to this change. I just find it curious.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Offering John Podesta Emails While Selling Deleted Hillary Emails

Back in April 2017, I noted something problematic with Democratic theories about the advance knowledge of Roger Stone — and by association, the Trump camp — of Russia’s hack and leak plans: Democrats have largely focused on Stone’s warning, on August 21, 2016, that “it would soon be the Podesta’s time in the barrel,” arguing it reflected foreknowledge of the October 2016 dump of John Podesta’s emails. Stone has said he was talking about blaming Tony Podesta for his corruption, and while that does appear to be a projection-focused defense of Paul Manafort as his own corruption posed problems for the Trump campaign, none of that explains how Stone implicated John in his brother’s sleaze.

That one comment aside, virtually every time Stone predicted a WikiLeaks October Surprise, he implied it would be Clinton Foundation documents or other ones she deleted from her home server, not Podesta emails. That is, while Stone appears to have known the general timing of the October dump, Stone didn’t predict the Podesta emails. He predicted emails deleted from Hillary’s home server, emails that never got published. Here’s how it looks in a timeline (partly lifted from this CNN timeline).

August 12, 2016: Roger Stone says, “I believe Julian Assange — who I think is a hero, fighting the police state — has all of the emails that Huma and Cheryl Mills, the two Clinton aides thought that they had erased. Now, if there’s nothing damning or problematic in those emails, I assure you the Clintonites wouldn’t have erased them and taken the public heat for doing so. When the case is I don’t think they are erased. I think Assange has them. I know he has them. And I believe he will expose the American people to this information you know in the next 90 days.”

August 15, 2016: Stone tells WorldNetDaily that, “’In the next series of emails Assange plans to release, I have reason to believe the Clinton Foundation scandals will surface to keep Bill and Hillary from returning to the White House,’ … The next batch, Stone said, include Clinton’s communications with State Department aides Cheryl Mills and Huma Abedin.”

August 26, 2016: Stone tells Breitbart Radio that “I’m almost confident Mr. Assange has virtually every one of the emails that the Clinton henchwomen, Huma Abedin and Cheryl Mills, thought that they had deleted, and I suspect that he’s going to drop them at strategic times in the run up to this race.”

August 29, 2016: Stone suggests Clinton Foundation information might lead to prison. “Perhaps he has the smoking gun that will make this handcuff time.”

September 16, 2016: Stone says that “a payload of new documents” that Wikileaks will drop “on a weekly basis fairly soon … will answer the question of exactly what was erased on that email server.”

September 18, 2016 and following: Stone asks Randy Credico to get from Assange any emails pertaining to disrupting a peace deal in Libya, making it clear he believes Assange has emails that WikiLeaks has not yet released.

In a Sept. 18, 2016, message, Mr. Stone urged an acquaintance who knew Mr. Assange to ask the WikiLeaks founder for emails related to Mrs. Clinton’s alleged role in disrupting a purported Libyan peace deal in 2011 when she was secretary of state, referring to her by her initials.

“Please ask Assange for any State or HRC e-mail from August 10 to August 30–particularly on August 20, 2011,” Mr. Stone wrote to Randy Credico, a New York radio personality who had interviewed Mr. Assange several weeks earlier. Mr. Stone, a longtime confidant of Donald Trump, had no formal role in his campaign at the time.

Mr. Credico initially responded to Mr. Stone that what he was requesting would be on WikiLeaks’ website if it existed, according to an email reviewed by the Journal. Mr. Stone, the emails show, replied: “Why do we assume WikiLeaks has released everything they have ???”

In another email, Mr. Credico then asked Mr. Stone to give him a “little bit of time,” saying he thought Mr. Assange might appear on his radio show the next day. A few hours later, Mr. Credico wrote: “That batch probably coming out in the next drop…I can’t ask them favors every other day .I asked one of his lawyers…they have major legal headaches riggt now..relax.”

As I further noted, when WikiLeaks started dumping Podesta emails in October (including excerpts of Hillary’s private speeches), Stone focused more on accusing Bill Clinton of rape, another projection-based defense of Donald Trump (especially in light of the Access Hollywood tape) than he focused on the Podesta emails.

In other words, Stone may not have exhibited foreknowledge of the Podesta dump. By all appearances, he seemed to expect that WikiLeaks would publish emails obtained via the Peter Smith efforts — efforts that involved soliciting Russian hackers for assistance. That actually makes Stone’s foreknowledge more damning, as it suggests he was part of the conspiracy to pay Russian hackers for emails they had purportedly already hacked from Hillary’s server and that he expected WikiLeaks would be an outlet for the emails, as opposed to just learning that Podesta’s emails had been hacked some months after they had been.

It was Guccifer 2.0, not Assange, who claimed anyone had Clinton server documents (including in a tweet responding to my observation he was falsely billing documents as Clinton Foundation ones).

And Guccifer 2.0 was (according to Politico, not WSJ) in the loop of this effort, so may have been trying to pressure WikiLeaks to publish sets of files already sent, as he had tried to do with DCCC files earlier in August.

[Chuck] Johnson said he and [Peter] Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

“The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

Two interesting issues of timing arise out of that, then.

First, to the extent that Stone’s tweets during the week of October 7 (the ones that exhibited foreknowledge of timing, if not content) predicted the timing of the next leak, they would seem to reflect an expectation that deleted emails were coming, not necessarily that Podesta ones were.

[O]n Saturday October 1 (or early morning on October 2 in GMT; the Twitter times in this post have been calculated off the unix time in the source code), Stone said that on Wednesday (October 5), Hillary Clinton is done.

Fewer of these timelines note that Wikileaks didn’t release anything that Wednesday. It did, however, call out Guccifer 2.0’s purported release of Clinton Foundation documents (though the documents were real, they were almost certainly mislabeled Democratic Party documents) on October 5. The fact that Guccifer 2.0 chose to mislabel those documents is worth further consideration, especially given public focus on the Foundation documents rather than other Democratic ones. I’ll come back to that.

Throughout the week — both before and after the Guccifer 2.0 release — Stone kept tweeting that he trusted the Wikileaks dump was still coming.

Monday, October 3:

Wednesday, October 5 (though this would have been middle of the night ET):

Thursday, October 6 (again, this would have been nighttime ET, after it was clear Wikileaks had not released on Wednesday):

But it also makes the October 11 email — which was shared with still unidentified recipients via foldering, not sent — reported by WSJ the other day all the more interesting. The email seems to suggest that on October 11, the “students” who were really pleased with email releases they had seen so far were talking about the Podesta emails.

“[A]n email in the ‘Robert Tyler’ [foldering] account [showing] Mr. Smith obtained $100,000 from at least four financiers as well as a $50,000 contribution from Mr. Smith himself.” The email was dated October 11, 2016 and has the subject line, “Wire Instructions—Clinton Email Reconnaissance Initiative.” It came from someone calling himself “ROB,” describing the funding as supporting “the Washington Scholarship Fund for the Russian students.” The email also notes, “The students are very pleased with the email releases they have seen, and are thrilled with their educational advancement opportunities.”

In a follow-up, WSJ confirmed the identities of three of the four alleged donors (they’re still trying to track down the real ID of the fourth).

He reached out to businessmen as financial backers, including Maine real-estate developer Michael Liberty, Florida-based investor John “Jack” Purcell and Chicago financier Patrick Haynes. They were named in an email reviewed by the Journal as among a group of people who pledged to contribute $100,000 to the effort, along with $50,000 of Mr. Smith’s own money.

If the Smith conspirators were referring to the Podesta emails stolen by GRU in the same breath as a funding solicitation for Clinton Foundation ones, it suggests that whoever Smith’s co-conspirators were, as late as October 11, they were referring to the Podesta emails in the same breath as the Clinton server ones they were still hunting for.

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

A Tale of Two GRU Indictments

Yesterday, DOJ indicted a bunch of GRU hackers again, in part for hacks in retaliation for anti-doping associations’ reports finding a state-run Russian effort to help its athletes cheat (though also including hacks of Westinghouse and the Organization for the Prohibition of Chemical Weapons (OPCW)).

As the DNC GRU indictment did, this indictment provides a snapshot of the division of labor in GRU, made easier by the capture of four of these guys, with all their hacking toys in the trunk of their rented car, in the Netherlands. I find a comparison of the two indictments — of some of the same people for similar activity spanning the same period of time — instructive for a number of reasons.

The team

Consider the team.

There are Aleksei Morenets and Evgenii Serebriakov, whom the indictment calls “on-site GRU hackers who traveled to foreign countries with other conspirators, in some instances using Russian government issued diplomatic passports to conduct on-site operations.” Serebriakov even has a title, “Deputy Head of Directorate,” which sounds like a pretty senior person to travel around sniffing WiFi networks.

There are the three men we met in the DNC indictment, Ivan Yermakov, Artem Malyshev, and Dmitriy Badin, all of whom work  out of Moscow running hacks. Yermakov and Malyshev were closely involved in both hacks in 2016 (as demonstrated by the timeline below).

Finally, there are Oleg Sotnikov and Alexey Minin, who joined Morenets and Serebriakov as they tried to hack the Organization for the Prohibition of Chemical Weapons (OPCW) and tried to hack the Spiez Chemical laboratory that was analyzing the Novichok used to poison Sergei Skripal.

There are slightly different tactics than in the DNC hack. For example, GRU used a bunch of bit.ly links in this operation (though some of those are an earlier campaign against Westinghouse). And they sent out hackers to tap into targets’ WiFi networks directly, whereas none of the DNC hackers are alleged to have left Russia.

But there’s a ton of common activity, notably the spearphishing of targeted individuals and the use of their X-Agent hacking tool to exploit targeted machines.

Overlapping hack schedule

I’m also interested in the way the WADA hack, in particular, overlaps with the DNC one. I’ve got a timeline, below, of the two indictments look like (I’ve excluded both the Westinghouse and OPCW hacks from this timeline to focus on the overlapping 2016 operations).

Yermakov and Malyshev are described by name doing specific tasks in the DNC hack though May 2016. By August, they have turned to hacking anti-doping targets. Yermakov, in particular, seems to play the same research role in both hacks.

Given the impact of these operations, it’s fairly remarkable that such a small team conducted both.

Common bitcoin habits and possibly even infrastructure

There are also paragraphs in the WADA indictment, particularly those pertaining to the use of bitcoin to fund the operation used to substantiate the money laundering charge, that appear to be lifted in their entirety from the DNC one (or perhaps both come from DOJ or Western PA US Attorney boilerplate — remember that the DNC hack was originally investigated in Western PA, so this language likely originates there).

These include:

  •  58/106: Describing how conspirators primarily used bitcoin to pay for infrastructure
  • 59/107: Describing how bitcoin works, with examples specific to each operation provided
  • 60/108: Describing how conspirators used dedicated email accounts to track bitcoin transactions
  • 61/109: Describing how conspirators used the same computers to conduct hacking operations and facilitate bitcoin payments
  • 62/110: Describing how conspirators also mined bitcoin and then used it to pay for servers, with examples specific to each operation
  • 64/111: Describing how conspirators used the same funding structure and sometimes the same pool of funds to pay for hacking infrastructure, with examples specific to each operation provided

The similarity of these two passages suggests two things. First, it suggests that the August 8, 2016 transaction in the WADA indictment may have been orchestrated from the gfade147 email noted in the DNC indictment. With both, the indictment notes that “One of these dedicated accounts … received hundreds of bitcoin payment requests from approximately 100 different email accounts,” with the DNC indictment including the gfade147 address. (Compare paragraphs 60 in the DNC indictment with 108 in the WADA one.)  That would suggest these two operations overlap even more than suspect.

That said, there’s one paragraph in the DNC indictment that doesn’t have an analogue in the WADA one, 63. It describes conspirators,

purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.

Given how loud much of these operations were, it raises questions about why some of the DNC hack (but not, at least by description) the WADA one would require “heightened anonymity.”

Different treatment of InfoOps

I’m perhaps most interested in the different treatment of the InfoOps side of the operation. As I noted here, in general there seems to be a division of labor at GRU between the actual hackers, in Unit 26165, which is located at  20 Komsomolskiy Prospekt, and the information operations officers, in Unit 74455, which is located in the “Tower” at 22 Kirova Street, Khimki. Both units were involved in both operations.

Yet the WADA indictment does not name or charge any Unit 74455 officers, in spite of describing (in paragraphs 1 and 11) how the unit acquired and maintained online social media accounts and associated infrastructure (paragraph 76 describes that infrastructure to be “procured and managed, at least in part, by conspirators in GRU Unit 74455”). Five of the seven named defendants in the WADA indictment are in Unit 26165, with Oleg Sotnikov and Alexey Minin not identified by unit.

By comparison, three of the 11 officers charged in the DNC indictment belong to Unit 744555.

And the WADA campaign did have a significant media component, as explained in paragraphs 76-87. The indictment even complains (as did DOJ officials as the press conference announcing this indictment) about,

reporters press[ing] for and receiv[ing] promises of exclusivity in such reporting, with one such reporter attempting to make arrangements for a right of first refusal for articles on all future leaks and actively suggesting methods with whicch the conspiracy could search the stolen materials for documents of interest to that reporter (e.g., keywords of interest).

That said, the language in much of this discussion (see paragraphs 77 through 81) uses the passive voice — “were registered,” “were named,” “was posted,” “were released,” “were released,” “were released,” “were released” — showing less certainty about who was running that infrastructure.

That’s particularly interesting given that the government clearly had emails between the Fancy Bear personas and journalists.

One difference may be, in part, that in the DNC indictment, there are specific hacking (not InfoOps) actions attributed to two of the Unit 74455 officers: Aleksandr Osadchuk and Anatoliy Kovalev. Indeed, Kovalev seems to have been added on just for that charge, as he doesn’t appear in the introduction section at the beginning of the indictment.

Whereas Unit 74455’s role in the WADA indictment seems to be limited to running the InfoOps infrastructure.

Importance of WikiLeaks and sharing with Republicans

It’s not clear how much we can conclude form all that. But the different structure in the DNC indictment does allow it to foreground the role of a number of others, such as WikiLeaks and Roger Stone and — as I suggested drop in some or all of  those others in a future conspiracy indictment — that were a key part of the election operation.

Timeline

February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphish Podesta personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopolous learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alive Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announces DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based sever and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send report password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 10-19: Morenets travels to Rio de Janeiro

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 2-9, 2016: Conspirators use multiple IP addresses to connect to or scan WADA’s network

August 2-4, 2016: Yermakov researches WADA and its ADAM database (which includes the drug test results of the world’s athletes) and USADA

August 3, 2016: Conspirators register wada.awa.org

August 5, 9, 2016: Yermakov researches Cisco firewalls, he and Malyshev send specific WADA employees spearfish

August 8, 2016: Conspirators register wada-arna.org and tas-cass.org

August 8, 2016: .012684 bitcoin transaction directed by dedicated email account

August 13-19, 2016: Morenets and Serebriakov travel to Rio, while Yermakov supports with research in Moscow

August 14-18, 2016: SQL attacks against USADA

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 19, 2016: Serebriakov compromises a specific anti-doping official and obtains credentials to access ADAM database

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 1, 2016: Domains fancybear.org and fancybear.net registered

September 6, 2016: Conspirators compromise credentials of USADA Board member while in Rio

September 7-14, 2016: Conspirators try, but fail, to use credentials stolen from USADA board member to access USADA systems

September 12, 2016: Data stolen from WADA and ADAMS first posted, initially focusing on US athletes

September 12, 2016 to January 17, 2018: Conspirators attempt to draw media attention to leaks via social media

September 18, 2016: Morenets and Serebriakov travel to Lausanne, staying in anti-doping hotels, to compromise hotel WiFi

September 19, 2016 to July 20, 2018: Conspirators attempt to draw media attention to leaks via email

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 6, 2016: Emails stolen from USADA first released

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

December 6, 2016 – January 2, 2017: Using IP frequently used by Malyshev, conspirators compromise FIFA’s anti-doping files

December 13, 2016: Data stolen from CCES released

January 19-24, 2017: Conspirators compromise computers of four IAAF officials

June 22, 2017: Data stolen from IAAF’s network released

July 5, 2017: Data stolen from IAAF’s network released

August 28, 2017: Data stolen from FIFA released

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The DNC-Centric Focus of the HPSCI Investigation

Through the duration of the various Russia investigations, skeptics always harp on two questions pertaining to the Russian election year hacks — why the Democrats never turned over the DNC “server,” singular, to the FBI, allegedly leaving the FBI to rely on Crowdstrike’s work, and whether several sets of files released via Guccifer 2.0 showed signs of non-Russian origin. That is, skeptics look exclusively at the DNC, not the totality of the known Russian targeting.

Looking at the list of witnesses the House Intelligence Committee called (which the committee will release in the coming weeks) shows one reason why: that the most public and propagandist of all the Russia investigations focused on the DNC to the detriment of other known Democratic targets.

Here’s what the list of the HPSCI interviews looks like arranged by date (HPSCI will not be releasing the bolded interviews).

  1. [Comey, Jim (May 2 and 4, 2017): Intel]
  2. [Rogers, Mike (May 4, 2017): Intel]
  3. [Brennan, John (May 23, 2017): Intel]
  4. Coats, Dan (June 22, 2017): Intel
  5. Farkas, Evelyn (June 26, 2017): Ukraine/RU DOD
  6. Podesta, John (June 27, 2017): Clinton Chair
  7. Caputo, Michael (July 14, 2017): RU tied Trump
  8. Clapper, James (July 17, 2017): Intel
  9. Kushner, Jared (July 25, 2017): June 9 etc
  10. Carlin, John (July 27, 2017): Early investigation
  11. Gordon, JD (July 26, 2017): Trump NatSec
  12. Brown, Andrew (August 30, 2017): DNC CTO
  13. Tamene, Yared (August 30, 2017): DNC tech contractor
  14. Rice, Susan (September 6, 2017): Obama response to hack/unmasking
  15. Stone, Roger (September 26, 2017): Trump associate
  16. Epshteyn, Boris (September 28, 2017): RU-tied Trump
  17. Tait, Matthew (October 6, 2017): Solicit hack
  18. Safron, Jonathan (October 12, 2017): Peter Smith
  19. Power, Samantha (October 13, 2017): Obama response to hack/unmasking
  20. Catan, Thomas (October 18, 2017): Fusion
  21. Fritsch, Peter (October 18, 2017): Fusion
  22. Lynch, Loretta (October 20, 2017): Investigation
  23. Parscale, Brad (October 24, 2017): Trump’s data
  24. Cohen, Michael (October 24, 2017): Trump lawyer
  25. Rhodes, Benjamin (October 25, 2017): Obama response to hack/unmasking
  26. McCord, Mary (November 1, 2017): Early investigation
  27. Kaveladze, Ike (November 2, 2017): June 9 meeting
  28. Yates, Sally (November 3, 2017): Early investigation
  29. Schiller, Keith (November 7, 2017): Trump bodyguard
  30. Akhmetshin, Rinat (November 13, 2017): June 9
  31. Samachornov, Anatoli (November 28, 2017): June 9
  32. Sessions, Jeff (November 30, 2017): Trump transition
  33. Podesta, John (December 4, 2017): Dossier
  34. Denman, Diana (December 5, 2017): RNC platform
  35. Henry, Shawn (December 5, 2017): Crowdstrike
  36. Trump, Jr. Donald (December 6, 2017): June 9
  37. Phares, Walid (December 8, 2017): Trump NatSec
  38. Clovis, Sam (December 12, 2017): Trump NatSec
  39. Goldfarb, Michael (December 12, 2017): Dossier
  40. Elias, Marc (December 13, 2017): Dossier
  41. Nix, Alexander (December 14, 2017): Cambridge Analytica
  42. Goldstone, Rob (December 18, 2017): June 9
  43. Sussmann, Michael (December 18, 2017): Hack and dossier
  44. McCabe, Andrew (December 19, 2017): Early investigation
  45. Kramer, David (December 19, 2017): Dossier
  46. Sater, Felix (December 20, 2017): RU connected Trump
  47. Gaeta, Mike (December 20, 2017): Dossier go-between
  48. Sullivan, Jake (December 21, 2017): Dossier
  49. [Rohrabacher, Dana (December 21, 2017): Russian compromise]
  50. [Wasserman Schultz, Debbie (December 21, 2017): dossier]
  51. Graff, Rhona (December 22, 2017): June 9
  52. Kramer, David (January 10, 2018): Dossier
  53. Bannon, Stephen (January 16, 2018): Trump official
  54. Lewandowski, Corey (January 17, 2018): Trump official
  55. Dearborn, Rick (January 17, 2018): Trump official
  56. Bannon, Stephen (February 15, 2018): Trump official
  57. Hicks, Hope (February 27, 2018): Trump official
  58. Lewandowski, Corey (March 8, 2018): Trump official

While John Podesta, one of the earliest spearphishing victims, was one of  the earliest witnesses (and, as HPSCI shifted focus to the dossier, one of the last as well), the other hack witnesses, DNC CTO Andrew Brown and DNC IT contractor Yared Tamene, represent the DNC. Perhaps that’s because of the NYT’s big story on the hack, which was obviously misleading in real time and eight months old by the time of those interviews. While Perkins Coie lawyer and former DOJ cyber prosecutor Michael Sussmann would surely have real insight into the scope of all the Democratic targets, he was interviewed during HPSCI’s dossier obsession, not alongside Brown and Tamene.

All of which is to say that the HPSCI investigation of the hack was an investigation of the hack of the DNC, not of the full election year attack.

To get a sense of some of what that missed, consider the victims described in the GRU indictment (which leaves out some of the earlier Republican targets, such as Colin Powell). I’ve included relevant paragraph numbers to ID these victims.

  1. Spearphish victim 3, March 21, 2016 (Podesta)
  2. Spearphish victim 1 Clinton aide, March 25, 2016 (released via dcleaks)
  3. Spearphish victim 4 (DCCC Employee 1), April 12, 2016 ¶24
  4. Spearphish victim 5 (DCCC Employee), April 15, 2016
  5. Spearphish victim 6 (possibly DCCC Employee 2), April 18, 2016 ¶26
  6. Spearphish victim 7 (DNC target), May 10, 2016
  7. Spearphish victim 2 Clinton aide, June 2, 2016 (released via dcleaks)
  8. Spearphish victim 8 (not described), July 6, 2016
  9. Ten DCCC computers ¶24
  10. 33 DNC computers ¶26
  11. DNC Microsoft Exchange Server ¶29
  12. Act Blue ¶33
  13. Third party email provider used by Clinton’s office ¶22 (in response to July 27 Trump request)
  14. 76 email addresses at Clinton campaign ¶22 (in response to July 27 Trump request)
  15. DNC’s Amazon server ¶34
  16. Republican party websites ¶71
  17. Illinois State Board of Elections ¶72
  18. VR Systems ¶73
  19. County websites in GA, IA, and FL ¶75
  20. VR Systems clients in FL ¶76

Effectively, HPSCI (and most hack skeptics) focused exclusively on item 11, the DNC Microsoft Exchange server from which the emails sent to WikiLeaks were stolen.

Yet, at least as laid out by Mueller’s team, the election year hack started elsewhere — with Podesta, then the DCCC, and only after that the DNC. It continued to target Hillary through the year (though with less success than they had with the DNC). And some key things happened after that — such as the seeming response to Trump’s call for Russia to find more Hillary emails, the Info-Ops led targeting of election infrastructure in the summer and fall, and voter registration software. Not to mention some really intriguing research on Republican party websites. And this barely scratches on the social media campaign, largely though not entirely carried out by a Putin-linked corporation.

HPSCI would get no insight on the overwhelming majority of the election year operation, then, by interviewing the witnesses they did. Of particular note, HPSCI would not review how the targeting and release of DCCC opposition research gave Republican congressmen a leg up over their Democratic opponents.

And while HPSCI did interview the available June 9 meeting witnesses, they refused to subpoena the information needed to really understand it. Nor did they interview all the witnesses or subpoena available information to understand the Stone operation and the Peter Smith outreach.

Without examining the other multiple threads via which Russia recruited Republicans, most notably via the NRA, HPSCI wouldn’t even get a sense of all the ways Russia was trying to make Republicans and their party infrastructure into the tools of a hostile foreign country. And there are other parts of the 2016 attack that not only don’t appear in these interviews, but which at least one key member on the committee was utterly clueless about well past the time the investigation finished.

The exception to the rule that HPSCI didn’t seek out information that might damn Republicans, of course, is the interview of Dana Rohrabacher, who (along with President Trump) proved reliably willing to entertain Russian outreach via all known channnels. But that’s one of the interviews Republicans intend to keep buried because — according to an anonymous Daily Beast source — they don’t want Rohrabacher’s constituents to know how badly Russia has pwned him before November 6.

“The Republicans are trying to conceal from the voters their colleague Dana Rohrabacher’s Russia investigation testimony,” said a committee source familiar with the issue. “There were highly concerning contacts between Rohrabacher and Russians during the campaign that the public should hear about.”

By burying the Comey, Rogers, and Brennan transcripts, Republicans suppress further evidence of the degree to which Russia specifically targeted Hillary, and did so to help not just Trump, but the Republican party.

I’m sure there will be some fascinating material in these transcripts when they’re released. But even before the selective release, designed to hide any evidence gathered of how lopsided the targeting was, the scope of these interviews makes clear that the HPSCI investigation was designed to minimize, as much as possible, evidence showing how aggressively Russia worked to help Republicans.

As I laid out in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Mueller Investigation: What Happens on September 7?

I hesitate to write this post, partly because I think it’s a good idea to dismiss every single thing that Rudy Giuliani says, and partly because we’ve all learned that it is sheer folly to pretend anyone can anticipate what Mueller will do, much less when.

Nevertheless, I wanted to address questions about what might happen in the next two weeks, as we approach the 60-day mark before midterm elections.

Rudy G is wrong about everything

The aforementioned Rudy G, who has been saying that Mueller has to shut down his entire investigation (or even finish up and go home) on September 1 on account of DOJ’s policy against overt investigative action close to an election.

As I said, the policy only prohibits overt acts, and only 60 days before the election. Mueller might argue that it’s entirely irrelevant, given that none of his known targets (save, perhaps, Dana Rohrabacher) are on the ballot. But enough credible journalists have suggested that DOJ is taking this deadline seriously with respect to Trump’s associates (including Michael Cohen in SDNY, where DOJ actually leaks), that it’s probably correct he’ll avoid overt acts in the 60 days before the November 6 election.

But that timeline starts on September 7, not September 1.

Paul Manafort’s stall

One thing we know will dominate the press in that pre-election period is Manafort’s DC trial, scheduled to start on September 17.

Unless he flips.

While I still don’t think he will flip, he is stalling in both his trials. In EDVA, he asked for and got a 30-day deadline to move for an acquittal or mistrial. He may have done so to provide extra time to consider the complaints raised by one juror that others were deliberating before they should have, which Manafort had asked for a mistrial over. If that’s right, juror Paula Duncan’s comments, describing the one holdout and explaining that even she, a Trump supporter, found the case a slam dunk, may persuade Manafort that challenging this trial won’t bring about any other result and may mean he gets convicted on the remaining 10 counts.

In any case, however, by getting 30 days to decide, Manafort moved the deadline from (by my math) September 3 to September 21, when he’s scheduled to be deep into the DC case (and therefore too busy to submit such a motion). It did, however, move the decision date past that September 7 date.

Speaking of the DC case, after getting an extension on the pre-trial statement in that case, Manafort basically punted on many of the substantive issues, effectively saying he’ll provide the required input later.

He may not be flipping, but he’s not prepared to start this trial.

Is it Roger Stone’s time in the barrel?

The big question, for me, is whether Mueller has finished his six month effort to put together a Roger Stone indictment.

Tantalizingly, back on August 10, Mueller scheduled Randy Credico to explain to the grand jury how Stone threatened him about his testimony. That appearance is for September 7. Given how far out Mueller scheduled this, I wondered at the time whether Credico was being slated to put the finishing touches on a Stone indictment.

What might prevent Mueller from finalizing Stone’s indictment, however, is Stone associate Andrew Miller, from whom Mueller has been trying to get testimony since May 9. Miller is challenging his grand jury subpoena; he’s due to submit his opening brief in his appeal on September 7. That might mean that Mueller has to wait. But two filings (District, Circuit), the docket in his subpoena challenge, and this CNN report may suggest they can move forward without first getting Miller’s testimony.

Both the Circuit document and CNN provide more details about a May 9 interview with two FBI Agents, with no attorney present (no offense to Miller, but what the fuck kind of self-described libertarian, much less one in Roger Stone’s immediate orbit, agrees to an FBI interview without a lawyer present)?

Mr. Miller was first interviewed by two agents of the Federal Bureau of Investigation who visited him unannounced on or about May 9, 2018, in Saint Louis, MO, where he resides. He was cooperative, answering all their questions for approximately two hours, and at the conclusion of the interview, was handed a subpoena to produce documents and testify as a witness before the grand jury.

CNN describes that’s what poses a perjury concern for Miller with regards to his testimony before the grand jury because of that original interview.

Miller’s case is complicated by the fact that he initially cooperated with the special counsel’s investigation. When FBI agents first approached him in May, he spoke with them at his home in St. Louis for two hours without an attorney.

[snip]

Dearn said in an interview that she was just being “carefully paranoid” and protecting her client from accidentally committing perjury if he testifies and contradicts something he told investigators back in May without a lawyer present.

As the District filing seems to suggest, Miller got not one but two subpoenas (???), just one of which called for document production:

Mr. Miller was served with two subpoenas dated June 5, 2018, both requiring his appearance before the Grand Jury on June 8, but only one of which required that he search and bring with him the documents described in the Attachment to one of the subpoenas. See Exhibits 1 and 2. After a filing a motion to quash on grounds not raised herein, this Court issued a Minute Order on June 18 requiring Mr. Miller’s appearance before the Grand Jury on June 29 and to produce the documents requested as limited by agreement of the parties by June 25.

Miller turned over 100MB of documents on June 25, but shortly thereafter, Mueller prosecutor Aaron Zelinsky asked for more.

Mr. Miller has since complied with that part of the order producing voluminous documents in a file that is 100MB in size to government counsel on Monday, June 25. In her cover email to government counsel, Aaron Zelinsky, Miller’s counsel stated in pertinent part: “Mr. Miller does not waive and hereby preserves all rights he has to object to the subpoena requiring his appearance before the Grand Jury this Friday…and from any continuing duty or obligation to supply additional documents subject to the subpoena.” See Exhibit 6. Nevertheless, Mr. Zelinsky recently informed counsel that he is not satisfied with this production and is unreasonably requesting additional documents from Mr. Miller.

CNN reported that those documents pertained to WikiLeaks and Guccifer 2.0.

After a protracted back and forth between Dearn and Mueller’s team, Miller handed over a tranche of documents. In turn, the government had agreed to limit its search to certain terms such as Stone, WikiLeaks, Julian Assange, Guccifer 2.0, DCLeaks and the Democratic National Committee, according to court filings and interview with attorneys.

So at the very least, Mueller has 100MB of documents that relate to Wikileaks and Guccifer 2.0 (which raises real questions about how Miller can say he knows nothing about the topic), and 2 hours of testimony that Miller may not want to tell the grand jury now that he has lawyers who might help him avoid doing so.

Meanwhile, there are some filings from the end of his District Court docket.

The Circuit document mostly explains what filings 33, 34, 35, and 37 are (though doesn’t explain why Mueller refused to stipulate that Miller be held in contempt): they’re the process by which he was held in contempt and therefore legally positioned to appeal.

6. Because Mr. Miller desired to appeal the order denying his motion, ensuing discussions with Special Counsel to stipulate that Mr. Miller be held in contempt for not appearing on the upcoming appearance before the grand jury on August 10, 2018, and to stay the contempt pending appeal did not succeed.

7. Consequently, two days before his appearance, on the evening of August 8, 2018, counsel emailed government counsel and Judge Howell’s clerk (and on the following morning of August 9, hand-filed with the clerk’s office), a Motion By Witness Andrew Miller To Be Held In Civil Contempt For Refusing To Testify Before The Grand Jury And To Stay Such Order To Permit Him To Appeal It To The U.S. Court Of Appeals For The District Of Columbia Circuit and citing authorities for granting a stay of contempt. ECF No. 33. The government served and a response on the evening of August 9 ( ECF. No. 35) and Mr. Miller served a reply early morning on August 10. ECF No. 37.

8. On August 10, undersigned counsel for Mr. Miller met government counsel at 9:00 a.m. as previously agreed to at the entrance to the grand jury offices, and was advised by government counsel that a motion to show cause was filed shortly before 9:00 a.m. ECF No. 34.

9. Approximately two hours later, the court held the show cause hearing, with the Mr. Miller and local counsel appearing telephonically from Saint Louis, MO.

10. The court granted Mr. Miller’s and the government’s request that he be held in contempt and stayed the order if the notice of appeal were filed by 9:00 a.m. August 14, 2018. ECF No. 36.

That doesn’t explain what Document 38 is, to which Miller didn’t respond, and in response to which Beryl Howell issued an order.

CNN’s description of Miller’s attorney’s concern seems to split his testimony into two topics: Guccifer and Wikileaks, and Stone’s PACs. Miller’s only worried about legal jeopardy in the latter of those two. (For some details on what the legal exposure might pertain to, see this post.)

[Alicia] Dearn was adamant that Miller not be forced to testify to the grand jury about one topic in specific: Stone. She asked that her client be granted immunity, “otherwise he’s going to have to take the Fifth Amendment,” she said in a court hearing in June.

Aaron Zelinsky, one of Mueller’s prosecutors, noted Miller’s lawyer was making two seemingly contradictory arguments: “On the one hand, that the witness knows nothing, has nothing to hide, and has participated in no illegal activity. On the other hand, that there is a Fifth Amendment concern there.”

In the hearing, Dearn said she was concerned Miller would be asked about his finances and transactions related to political action committees he worked on with Stone.

Miller “had absolutely no communication with anybody from Russia or with Guccifer or WikiLeaks,” Dearn said in an interview.

By process of elimination, the only thing she believes her client could get caught up on are questions about his financial entanglements with Stone and his super PAC.

The Circuit document concedes that Miller may be the subject — but not target — of this grand jury investigation.

12. Lest there be any misunderstanding, Mr. Miller was not a “target of grand jury subpoenas” (Concord Mot. at 1), but rather a fact witness or at most a subject of the grand jury; nor was he a “recalcitrant witness.” Id. at 13. As the foregoing background demonstrates, Mr. Miller has been a cooperative witness in this proceeding.

It would be really weird if Miller really did get two subpoenas, and that’s not consistent with the Circuit document. So it may be there were two topics or crimes described in the subpoena: conspiring with Russia, and running a corrupt PAC. And if Miller’s only personally legally exposed in the latter of those, then it’s possible Mueller would treat these differently.

So it’s possible Mueller got what they need to move forward on the main conspiracy case against Stone, while it has to wait on Miller’s own involvement in Stone’s corrupt PACs until after the DC Circuit reviews things.

Other September deadlines

The September 7 timing is interesting for two other reasons. First, that’s also the day that George Papadopoulos — whose plea deal covers his lies and obstuction but not any conspiracy case — is due to be sentenced.

Just 10 days later Mike Flynn (whose plea deal was also limited to his lies) has a status report due, just a 24-day extension off his previous one. That timing suggests he’s about done with his cooperation. Perhaps that shortened time frame is only due to his team’s push to get him back earning money to pay for his lawyers again. Perhaps there’s some other explanation.

Timeline

August 24: Revised deadline for Manafort pre-trial statement — Manafort punted on many issues.

August 28: Hearing in DC Manafort case.

September 3: Current deadline for motions in EDVA Manafort trial

September 4: Brett Kavanaugh confirmation hearings scheduled to begin (projected to last 3-4 days)

September 7: Randy Credico scheduled to testify before grand jury; George Papadopoulos scheduled for sentencing; Andrew Miller brief due before DC Circuit; 60 days before November 6 mid-terms

September 17: DC Manafort trial starts, status report due in Mike Flynn case

September 21: Requested deadline for motions in EDVA Manafort trial

September 28: Government brief due in DC Circuit appeal of Andrew Miller subpoena

October 9: Miller reply due in DC Circuit

November 6: Mid-term election

November 10: Status report due in Rick Gates case

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Andy McCarthy’s Misconception

I was struck, in reading Andy McCarthy’s review of the Michael Cohen and Paul Manafort guilty outcomes last week (in which he measures Trump via a vastly different standard than he once measured Bill Clinton), by this erroneous claim:

The Trump camp continues to stress that Manafort’s case had nothing to do with the original rationale for Mueller’s investigation, “collusion with Russia.” But as we’ve pointed out any number of times, Mueller took over a counterintelligence investigation of Russia’s interference in the 2016 election. Possible Trump-campaign collusion with Russia was just one thread in the larger probe.

The claim that the Trump-campaign “collusion” was just one thread of what Mueller originally took over is false, but utterly critical for McCarthy’s sustained belief that Mueller has not found evidence of a conspiracy between Trump and Russia. While it is true that when Comey confirmed the investigation, he did not specify the structure of the investigation,
I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government’s efforts to interfere in the 2016 presidential election and that includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia’s efforts. As with any counterintelligence investigation, this will also include an assessment of whether any crimes were committed.
When Rod Rosenstein appointed Mueller, he described Mueller’s scope to include,
  • any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and
  • any matters that arose or may arise directly from the investigation; and
  • any other matters within the scope of 28 C.F.R. § 600.4(a)

Why McCarthy made this error is clear: he uses the existence of and Mueller’s indictments in a broader counterintelligence investigation to sustain his belief that Mueller doesn’t have a “collusion” case against Trump or his associates.

At this point, it does not appear that Mueller has a collusion case against Trump associates. His indictments involving Russian hacking and troll farms do not suggest complicity by the Trump campaign. I also find it hard to believe Mueller sees Manafort as the key to making a case on Trump when Mueller has had Gates — Manafort’s partner — as a cooperator for six months. You have to figure Gates knows whatever Manafort knows about collusion. Yet, since Gates began cooperating with the special counsel, Mueller has filed the charges against Russians that do not implicate Trump, and has transferred those cases to other Justice Department components.

When it comes to the president, I believe the special counsel’s focus is obstruction, not collusion. When it comes to Manafort, I believe the special counsel’s focus is Russia — specifically, Manafort’s longtime connections to Kremlin-connected operatives. Mueller may well be interested in what Manafort can add to his inquiry into the June 2016 Trump Tower meeting (arranged by Donald Trump Jr. in futile hopes of obtaining campaign dirt from Russia on Hillary Clinton). That, however, is not the more serious “collusion” allegation that triggered the Trump thread of the investigation — cyberespionage conspiracy (i.e., Russian hacking of Democratic party emails).

That is, because Mueller indicted trolls and GRU hackers and then spun those prosecutions off to other teams (in the GRU case, back to one of the teams that originally investigated it), it is proof, in McCarthy’s mind, that Mueller isn’t targeting Trump and his associates for conspiring with Russia.

The actual background of the Mueller investigation suggests precisely the opposite. As I noted when Lawfare made precisely the same error in a post on the GRU indictment,

Friday’s indictment is, rather, the result of investigations conducted primarily in San Francisco and Pittsburgh. At the time Comey confirmed the counterintelligence investigation into Trump’s camp and at the time Comey got fired for not shutting the Trump counterintelligence investigation down, those San Francisco and Pittsburgh investigations were totally separate. Those two investigations almost certainly had little if any involvement from Peter Strzok (indeed, they involved a bunch of FBI cyber agents, a division of FBI that Strzok never tired of mocking in his texts to Lisa Page). The DOJ press release from Friday states that explicitly.

This case was investigated with the help of the FBI’s cyber teams in Pittsburgh, Philadelphia and San Francisco and the National Security Division.

Those two investigations (plus the separate one noted in Philadelphia that started later, as I understand it from what a lawyer who represented a witness in that investigation described to me) got moved under the Mueller umbrella sometime in or just before November, and now the GRU officer part of the investigation will be moved back to Pittsburgh where it started, to languish forever like some other nation-state hacker indictments investigated by Western District of Pennsylvania.

Given that both public reporting (starting in February 2017 and extending into November 2017) and Mueller team changes (not to mention my own reporting about the Philadelphia grand jury’s activity in the second half of May 2017 and my own knowledge about where I interviewed and where my interview materials subsequently got moved to) support this narrative, McCarthy (and the Lawfare crowd) might ask why Mueller decided to integrate the cybersecurity parts of the investigation, only to spin the Russian defendants back to other teams once they were indicted?

We can begin to get an answer from the two indictments that — Andy wants to believe — are themselves evidence that Mueller doesn’t have evidence on Trump’s associates but actually are. The Internet Research Agency indictment actually describes three Florida-based Trump campaign officials inconclusively, as if they were either still under investigation or at some legal risk.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

And while the GRU indictment (on top of key clauses being misread by virtually everyone who has read it) doesn’t use the same convention to describe Roger Stone’s communications with Guccifer 2.0…

On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who wasin regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”

It pointed to Russia’s response to Donald Trump’s request that they hack Hillary without referring to him one way or another.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a thirdparty provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

What Mueller has done with both of the counterintelligence indictments that McCarthy takes solace in is lay out the Russian side of a conspiracy (and both are charged as conspiracies) with very clear spots into which American co-conspirators may be dropped when Mueller is prepared to do so. (I laid this out at more length in this post.)

Importantly, the fact that some of this investigation started out in other parts of DOJ but then got moved under Mueller make it clear that something came up in the investigation that Mueller and Rosenstein believed required they be moved under Special Counsel when they weren’t there, originally.

Let’s put it this way: Mueller didn’t subsume investigations located elsewhere at DOJ because the Special Counsel needed to be the one to indict a bunch of Russians. He did it to set up the conspiracies that would — that will — later be occupied by Russians and Americans.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.