Posts

The Silent Cast of Characters in the Very Noisy Recent Mueller Moves

A fuck-ton has happened in the Mueller investigation already this month. Amid the noisy pleas and indictments, we’ve seen indications of hidden cooperation from a range of people, cooperation that may point to where Mueller’s next steps are.

Here, arranged by the date of the development, are hints at who either was or soon is likely to be talking to Mueller’s team.

February 1: In a proffer to Mueller’s team, Rick Gates lied about a March 19, 2013 meeting with Paul Manafort, Vin Weber, and Dana Rohrabacher.

Rohrabacher’s statement in response to the guilty plea is inconsistent with the version laid out in the plea, suggesting he’s not the means by which Mueller’s team learned it was a lie.

After the guilty plea on Friday, a spokesman for Rohrabacher, who has sought better relations with Russia, said: “As the congressman has acknowledged before, the meeting was a dinner with two longtime acquaintances –- Manafort and Weber –- from back in his White House and early congressional days.”

“The three reminisced and talked mostly about politics,” the spokesman said. “The subject of Ukraine came up in passing. It is no secret that Manafort represented Viktor Yanukovych’s interests, but as chairman of the relevant European subcommittee, the congressman has listened to all points of view on Ukraine.”

This suggests someone else provided the version of the meeting the government included in the plea. While it’s possible the other version came from Gates’ former lawyers, it’s more likely the version came from someone else. Vin Weber is the most likely source of that information.

Back in August 2016, as news of the secret ledger was breaking,Weber suggested he may have been misled by Manafort, both as to the purpose of his lobbying and regarding the need to register as a foreign agent for Ukraine. If he felt that way in August 2016, I imagine he came to feel that even more strongly as Manafort’s legal woes intensified.

February 9: Returning a call from John Kelly but speaking to Don McGahn, Rod Rosenstein spoke of “important new information” about Jared Kushner that will delay his clearance.

Given all the evidence that suggests Jared faces very significant exposure in this investigation, this new information could be any number of things. But two possibilities are likely. First, it might reflect Jared’s January 3 disclosure of additional business interests in yet another update to his SF-86, or his family’s increasing debt over the last year.

More likely, it reflects things the government has learned from Mike Flynn (who has an incentive to burn Jared, given that the President’s son-in-law was asked for and didn’t provide exonerating information tied to Flynn’s own lies to the FBI). Indeed, that seems to be one theory of those who reported on this phone call.

Kushner’s actions during the transition have been referenced in the guilty plea of former Trump national security adviser Michael Flynn, who admitted he lied to the FBI about contacts with then-Russian Ambassador Sergey Kislyak. Prosecutors said Flynn was acting in consultation with a senior Trump transition official, whom people familiar with the matter have identified as Kushner.

All that said, there are two more possibilities. Given that she appears to have lied to the Senate Foreign Relations Committee in her confirmation process, KT McFarland would be an obvious follow-up interview after the Mike Flynn plea; she asked Trump to withdraw her nomination to be Ambassador to Singapore on February 3. And February 9 might be (though probably isn’t, quite) late enough to catch the first sessions of Steve Bannon’s 20 hours of interviews with Mueller, and Bannon has long had it in for Jared.

February 14: Alex Van der Zwaan got caught and pled guilty to lying about communications he had with Rick Gates, Konstantin Kilimnik, and Greg Craig in September 2016. On top of whatever he had to say to prosecutors between his second interview on December 1 and his plea on February 14, both Craig and Skadden Arps have surely provided a great deal of cooperation before and since September 2016. (As I was finishing this, NYT posted this story that details some, but not all, of that cooperation.)

February 16: As I noted in my post on the Internet Research Agency indictment, Rod Rosenstein was quite clear: “There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity.” That said, there are three (presumed) Americans who, both the indictment and subsequent reporting make clear, are treated differently in the indictment than all the other Americans cited as innocent people duped by Russians: Campaign Official 1, Campaign Official 2, and Campaign Official 3. We know, from CNN’s coverage of Harry Miller’s role in building a cage to be used in a fake “jailed Hillary” stunt, that at least some other people described in the indictment were interviewed — in his case, for six hours! — by the FBI. But no one else is named using the convention to indicate those not indicted but perhaps more involved in the operation. Furthermore, the indictment doesn’t actually describe what action (if any) these three Trump campaign officials took after being contacted by trolls emailing under false names.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

Again, the DOJ convention of naming makes it clear these people have not been charged with anything. But we know from other Mueller indictments that those specifically named (which include the slew of Trump campaign officials named in the George Papadopoulos plea, KT McFarland and Jared Kushner in the Flynn plea, Kilimnik in the Van der Zwaan plea, and the various companies and foreign leaders that did Manafort’s bidding, including the Podesta Group and Mercury Public Affairs in his indictment) may be the next step in the investigation. As a reminder: Florida Republicans are those who most tangibly can be shown to have benefitted from Russia’s hack-and-leak, given that Guccifer 2.0 leaked a slew of Democratic targeting data for the state. (In perhaps related news, this week Tom Rooney became the third Florida Republican member of Congress to announce his retirement this cycle, which is all the more interesting given that he’s been involved in the HPSCI investigation into Russian tampering.)

February 23: Manafort’s superseding indictment (a version of which was originally filed February 16) added the description of the Hapsburg Group for former European officials who lobbied at the direction (to some degree via cut-outs) of Manafort.

MANAFORT explained in an “EYES ONLY” memorandum created in or about June 2012 that the purpose of the “SUPER VIP” effort would be to “assemble a small group of high-level European highly influencial [sic] champions and politically credible friends who can act informally and without any visible relationship with the Government of Ukraine.” The group was managed by a former European Chancellor, Foreign Politician A, in coordination with MANAFORT.

It may be that the government only recently obtained this document (meaning it was not among the 590,000 pages of documents obtained and turned over to Manafort in discovery thus far). But it’s likely this also reflects further testimony. Former Austrian Chancellor Alfred Gusenbauer denied he is Foreign Politician A to BBC, though that may be a non-denial denial tied to his claim he wasn’t directed by Manafort and only met him a few times (this Austrian story suggests only he doesn’t remember what American or English firm paid him). NYT reported that Gusenbauer’s lobbying during the relevant time period was registered under Mercury Public Affairs. This is another piece of evidence suggesting the group — and Vin Weber personally — has been cooperating since the original indictment.

Note, I assume that Mercury/Weber’s cooperation has been mirrored by Tony Podesta’s.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

What Did Mueller Achieve with the Internet Research Agency Indictment?

Back during Nunes Week, Trey Gowdy described the importance of Robert Mueller’s investigation by stating that we were only seeing half of what he was doing. The other half of his work, Gowdy said, was the counterintelligence side, the investigation into what Russia did to the US in 2016.

Friday, Rod Rosenstein rolled out the first glimpse of the other half of that investigation, an indictment of 13 Russians tied to the Internet Research Agency, the Russian troll factory. The indictment accuses IRA of 8 crimes: criminal conspiracy to defraud the United States, conspiracy to commit wire fraud and bank fraud, and five counts of aggravated identity theft.

In the wake of that indictment, the court unsealed a February 7  plea agreement with Californian Richard Pinedo, for identity theft (basically, selling bank account numbers; the information doesn’t identify the users who purchased the bank account numbers as IRA personnel who used them to set up “American” identities, but that is clearly what happened).

The 13 Russians charged in the IRA indictment — which include Yevgeniy Prigozhin, the close Putin associate who owns the company, those in charge of the operation (which was not limited to US targeting), down to a few of the analysts who did the troll work — will never be extradited to the US, though the most senior among them will surely be sanctioned. Nor will Putin in any way retaliate against them — they were doing work he approved of! Further, by criminalizing “information warfare” (as the Russians admitted they were engaged in, and as we do too, under the same name) we risk our own information warriors being indicted in other countries.

So what purpose did the indictment serve? Here are some thoughts:

Creating a paper trail

Rosenstein and Chris Wray have both said they believe investigators should speak through indictments and other official documents, not through Comeyesque press conferences. Here we have an indictment that serves as a record of what Mueller’s team has found.

We would probably have gotten it in any case, as Jeff Sessions’ DOJ has emphasized bringing more cybersecurity related indictments.

But that we did get it addresses one of the questions we’ve gotten about the Mueller investigation: whether we’ll get to read a report of what he has found.

To the extent that something is indictable, even if that indictment would name Russians or others located overseas, I guess we should expect more of the same.

Establishing bipartisan credibility for the larger investigation

The reason I keep pointing to Gowdy’s statements in support of the investigation in the last several weeks is because his actions seem to reflect one of the most partisan Republicans reacting soberly to an attack on the country, rather than just one party.

And while the details of the indictment — most notably that the trolls affirmatively supported Bernie Sanders as well as Trump — have resurfaced the old primary recriminations, for the most part, the indictment has provided a way for people from both parties to agree to the reality of the attack. Trump said Mueller did a good job with the indictment (admittedly, he may be currying favor). Trump’s National Security Advisor HR McMaster responded to the indictment by declaring the evidence that Russia interfered in the election “incontrovertible.” This indictment offers a way for even self-interested Republicans to start acknowledging the reality of what happened.

The indictment also gave Rod Rosenstein an opportunity to own this investigation with a press conference announcing it. None of the prosecutors tied to the case appeared (since I track these things, know that Jeannie Rhee, Rush Atkinson, and Ryan Dickey are on the docket), just Rosenstein. Hopefully, tying him to this non-offensive indictment will make it harder to fire Rosenstein, and thereby further protect Mueller.

Reiterating the crime of conspiracy to defraud the United States

The most interesting of the three crimes charged in the IRA indictment is the first, the conspiracy to defraud the United States. The indictment describes the conspiracy this way:

U.S. law bans foreign nationals from making certain expenditures or financial disbursements for the purpose of influencing federal elections. U.S. law also bars agents of any foreign entity from engaging in political activities within the United States without first registering with the Attorney General. And U.S. law requires certain foreign nationals seeking entry to the United States to obtain a visa by providing truthful and accurate information to the government.

Effectively, Mueller is saying that it’s not illegal, per se, to engage in political trolling (AKA information warfare), but it is if you don’t but are legally obliged to register before you do so. That’s an important distinction, because much of what these trolls did is accepted behavior in American politics — all sides did this in 2016, including people employed by campaigns and others expressing their own political opinions. Trolling (AKA information warfare) only becomes illegal when you don’t carry out the required transparency or reporting before you do so.

The charge of a conspiracy to defraud the United States has a very important parallel elsewhere in this investigation, in the first charge in the Paul Manafort and Rick Gates indictment. The indictment explains,

It is illegal to act as an agent of a foreign principal engaged in certain United States influence activities without registering the affiliation. Specifically, a person who engages in lobbying or public relations work in the United States (hereafter collectively referred to as lobbying) for a foreign principal such as the Government of Ukraine or the Party of Regions is required to provide a detailed written registration statement to the United States Department of Justice. The filing, made under oath, must disclose the name of the foreign principal, the financial payments to the lobbyist, and the measures undertaken for the foreign principal, among other information. A person required to make such a filing must further make in all lobbying material a “conspicuous statement” that the materials are distributed on behalf of the foreign principal, among other things. The filing thus permits public awareness and evaluation of the activities of a lobbyist who acts as an agent of a foreign power or foreign political party in the United States.

The Manafort indictment then argues that by hiding that the lobbying work they were doing was on behalf of Ukraine’s Party of Regions they, “knowingly and intentionally conspired to defraud the United States by impeding impairing, obstructing, and defeating the lawful governmental functions of a government agency, namely the Department of Justice and the Department of the Treasury.” I’ll have more to say about this parallel in coming days, but suffice it to say that Mueller is alleging that Manafort is the mirror image of the troll farm, engaging in politics while hiding on whose behalf he’s doing it (he was arguably doing the same in Ukraine). [Update: see this post for more on how this might work.]

In both cases, the indictments substantiate the conspiracy by naming a variety of crimes, like money laundering and identity theft.

I suspect we’ll be seeing more of this structure going forward (and suspect it’s something the numerous appellate specialists on Mueller’s team have been spending a lot of time thinking about).

Laying out how Americans might be involved with or without “colluding”

Much has been made of Rosenstein’s line, “There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity.” I don’t read too much into that. Rather, I think Rosenstein included it because the indictment does explicitly and implicitly describe actions many Americans and possible Americans took that were part of this conspiracy. That includes:

Illegal compensated acvitities

  • Richard Pinedo: Selling Russian trolls (and others) bank account numbers they can use to conduct identity fraud
  • Unknown persons: Providing social security numbers and fake US drivers licenses of Americans
  • Unknown persons: Selling stolen credit card information

Presumptively legal compensated activities

  • Unknown Americans: Renting servers in the US to run VPNs to hide their foreign location
  • Yahoo, Gmail, Paypal: Providing email and PayPal accounts the Russians used as the basis for social media accounts
  • Twitter, Instagram, Facebook: Providing those social media accounts
  • Twitter, Instagram, Facebook: Selling advertisements on social media
  • Unknown Trump associates: Paying for IRA rally expenses
  • Paid providers: Building a cage, acquiring a costume, and posing as Hillary in prison stunt at a FL event
  • Unknown US person: Providing posters for a Support Hillary, Save American Muslims rally
  • Unknown American: Holding a sign in front of the White House on May 29, 2016

Uncompensated activities

  • Unknown Americans: Interacting with Aleksandra Krylova and Anna Bogacheva when they traveled to the US sometime between June 4 and June 26, 2014 to conduct reconnaissance and another co-conspirator that November
  • Members of the media: Accepting tips and promoting IRA events
  • A member of a real TX-based Tea Party organization: Advising the conspirators to focus on the purple states “like Colorado, Virginia & Florida”
  • Unwitting members, volunteers, and supporters of the Trump Campaign involved in local community outreach, as well as grassroots groups that supported then-candidate Trump: Distributing IRA materials through existing channels of those groups
  • Administrators of large social media groups focused on U.S. politics: Promoting IRA events
  • Trump volunteer: Providing signs for the March for Trump event and otherwise recruiting for it
  • A Florida-based political activist identified as the “Chair for the Trump Campaign” in a particular Florida county: Advising on more locations and logistics for the Florida Trump event
  • Campaign Officials 1, 2, and 3: discussing the Florida events

Later the indictment describes a database of 100 real US persons whom the trolls treated as recruiting targets, complete with profiling.

On or about August 24, 2016, Defendants and their co-conspirators updated an internal ORGANIZATION list of over 100 real U.S. persons contacted through ORGANIZATION-controlled false U.S. persona accounts and tracked to monitor recruitment efforts and requests. The list included contact information for the U.S. persons, a summary of their political views, and activities they had been asked to perform by Defendants and their co-conspirators.

Here’s the important thing about all this. While Pinedo pled guilty and faces 12-18 months even with his cooperation agreement (and even there, while the information makes it clear he knew he was dealing with foreigners, his lawyer has made it clear he didn’t know who or what he was dealing with), there are only two other known illegal roles in this conspiracy, and there’s no reason those roles would have had to be carried out by Americans. Perhaps Mueller has others cooperating, perhaps those other criminals are unknown. But as for the rest, they are (as Rosenstein made clear) not guilty of any kind of conspiracy with Russia.

DOJ just rolled out an indictment in which probably 20 Americans can recognize themselves (many of whom were likely interviewed), about as many as all the Trump officials named in one or another plea agreement so far. Yet, as far as Mueller knows, none of these people did anything but conduct business or engage in sincerely held politics. They almost certainly had far less reason to be suspicious of the trolls they were being used by than Facebook and Twitter. Those actions have been tainted now through no fault of their own.

Which is something to remember: I’ve seen Hillary supporters, in the same breath, criticize Bernie or Jill Stein supporters because their preferred candidate was treated favorably by the trolls, yet in the same breath suggesting the black and Muslim activists targeted are innocent victims.

Obviously, Hillary and her supporters are victims. But everyone is, even the Trump volunteers. Because to the extent they had honestly held beliefs, the Russian operation tainted those beliefs, it diminished the weight of their honestly held beliefs. They were used by Russian trolls, most of them without the same profit motive that led Facebook and Twitter to allow themselves to be used. And we should remember that.

Hinting at what the US has

There are, however, a few tactical things this indictment does, starting with hinting at what other evidence the US has. This indictment was relatively easy, in that Adrian Chen (in a June 2015 article that still gets too little attention), Facebook and (to a lesser extent) other social media outlets, the Daily Beast, and SSCI generally have already laid out what IRA did. The indictment slaps some criminal charges on fraudulent behavior that enabled it, and without showing much about any additional evidence Mueller collected, you’ve got a showy indictment.

There are two hints, however, of the additional evidence used (which, given that the named conspirators will never face trial, will never need to be disclosed or explained). First, in a passage about how IRA started to cover their tracks after Mueller started focusing on this activity, there’s the reference to Irina Kaverzina.

On or about September 13, 2017, KAVERZINA wrote in an email to a family member: “We had a slight crisis here at work: the FBI busted our activity (not a joke). So, I got preoccupied with covering tracks together with the colleagues.”

Kaverzina was just a low-level troll and this may be nothing more than Section 702 collected email off GMail or Yahoo, or it may be a more formal intercept. But Mueller obtained communications from at least one of the indictees. Emails from more senior people, such as Prigozhin or his more senior managers (or the IT guys buying server space in the US) would be more interesting.

Plus, Mueller likely obtained cooperation from one IRA employee, the unnamed person who traveled to Atlanta in November 2014 for reconnaissance. Had that person not cooperated, he or she would have been named in the indictment.

Nevertheless establishing the political stakes

I said above that none of the hundred-plus Americans who were unknowingly used by trolls should be considered anything but victims. Their chosen political views, loathsome or not, have now been tainted, and not because of anything they’ve done except perhaps show too much trust or credulity.

But there are hints that Mueller is using this indictment to set up a more important point.

For example, the indictment (perhaps because of Mueller’s mandate) focuses on political activities supporting or opposing one or another 2016 candidate. Even where topics (immigration, Muslim religion, race) are not necessarily tied to the election, they’re presented here as such. Unless Facebook’s public reports are wrong, this is a very different emphasis than what Facebook has said the IRA focused on. Which is to say that Mueller’s team are focusing on a subset of the known IRA trolling, the subset that involves the 2016 contest between Trump and Hillary.

And there are several events, in particular, that may one day serve as details in a larger conspiracy. Most interesting, for the timing and location, are the twin anti-Hillary and pro-Trump events in NYC in June and July 2016.

In or around June and July 2016, Defendants and their co-conspirators used the Facebook group “Being Patriotic,” the Twitter account @March_for_Trump, and other ORGANIZATION accounts to organize two political rallies in New York. The first rally was called “March for Trump” and held on June 25, 2016. The second rally was called “Down with Hillary” and held on July 23, 2016.

a. In or around June through July 2016, Defendants and their co-conspirators purchased advertisements on Facebook to promote the “March for Trump” and “Down with Hillary” rallies.

b. Defendants and their co-conspirators used false U.S. personas to send individualized messages to real U.S. persons to request that they participate in and help organize the rally. To assist their efforts, Defendants and their co-conspirators, through false U.S. personas, offered money to certain U.S. persons to cover rally expenses.

c. On or about June 5, 2016, Defendants and their co-conspirators, while posing as a U.S. grassroots activist, used the account @March_for_Trump to contact a volunteer for the Trump Campaign in New York. The volunteer agreed to provide signs for the “March for Trump” rally.

[snip]

On or about July 23, 2016, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send out press releases to over thirty media outlets promoting the “Down With Hillary” rally at Trump Tower in New York City.

The description of a IRA-organized event at Trump Tower the day after WikiLeaks dropped the DNC emails, in particular, suggests the possibility of a great deal of coordination, coordination with people in the US.

Similarly, the extended descriptions of events in Florida may also take on added relevance in the future, particularly coming as they did in tandem with Guccifer 2.0’s release of DCCC data targeting FL. (And this, in turn, should focus even more attention on the FL congressmen like Matt Gaetz and Ron DeSantis who’re leading the pushback on Mueller’s investigation.)

Using the term “co-conspirator” 119 times

Perhaps most interesting, given the tiny nods to what other intelligence Mueller might have, are the 119 uses of the word “co-conspirators.” Almost all of these uses seem to necessarily mean unnamed IRA employees working from the same St. Petersburg location described as trolling. Several times the co-conspirators are clearly described as located in Russia. So it may be that all references to co-conspirators here are just a way to refer to the 70 other people involved in this operation at IRA. But that’s not necessarily the case.

Other uses of “co-conspirator” involve wider knowledge, perhaps an outsider’s knowledge of a go-between role Prigozhin might have had.

But others are things that might have involved a stateside co-conspirator, such as the mention of co-conspirators helping to set up the May 29, 2016 Prigozhin birthday tribute in front of the White House, co-conspirators tracking US social media use, co-conspirators engaged in identity theft, co-conspirators promoting claims of voter fraud, co-conspirators destroying data. Several of those things (such as tracking US social media use or claiming Hillary was going to steal the election) are things we know Trump associates were also doing. Others might be facilitated by someone stateside. So those uses of the term could be people not employed by IRA.

Which is to say, this indictment might be (probably is) intended to address just the activities of those employed by IRA. But that’s not necessarily the case.

Update: added the public indictment part.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Why Did Trump Tweet an “In the Ball Park” Accurate Number for Hillary’s Total Staffers on June 9, 2016?

In this post, I showed how the George Papadopoulos filings suggest there was a signaling process that went on during 2016, as he and other staffers sent public signals to the Russians that may have suggested further commitment to a deal of some kind. In this post, I laid out a bunch of circumstantial evidence suggesting that the current, public story about the June 9, 2016 meeting is just a limited hangout, one that hides more damning details about what happened after Natalia Veselnitskaya and Rinat Akhmetshin left the meeting. I also examined the first Guccifer 2.0 documents and noted that, in addition to responding to and debunking the June 14 WaPo story, they might serve well to lay out (arguably, to oversell) the breadth of what the Russians had stolen.

With those details in mind, I want to return to a detail many others have already noted, Donald Trump’s tweet, just 40 minutes after the Trump Tower meeting started, referencing Hillary emails (albeit the ones she deleted off her server, not the still secret stolen ones).

Given that George Papadopoulos seemed to treat other public statements from the campaign (most notably Trump’s April 27 foreign policy speech) as signals to the Russians the campaign was prepared to take the next step, could this tweet be the same? A response, seemingly from the candidate himself, accepting a deal presented in the meeting?

The tweet may have involved one or another of the campaign’s data guys

Mind you, as Pseudonymous in NC noted, the tweet was done on an iPhone — this is the period from before Trump had switched to iPhones — meaning someone else, perhaps either Brad Parscale or Dan Scavino, tweeted it. PINC lays out reasons either one of Trump’s data guys might be of particular interest:

Per the Bloomberg pre-election “bunker” story, Parscale was one of the few with credentials to the boss’s account. Pre-written tweets during events like the debates went through the web client, but my guess is that Scavino and Parscale represent most of the ‘Twitter for iPhone’ tweets in 2016 and early 2017. Some of them are RTing Scavino’s personal account, and Caddy Dan is that kinda guy. Parscale has consistently used an iPhone, including the June 8th photo from the Tower.

Remember that Feinstein is interested in Scavino’s contacts with, er, VKontakte, and that’s before considering Parscale’s data op. Pretty much everything tweeted out during 2016 that relates to the specifics of hacked emails is sent from an iPhone.

And the intermediary for the VK connection was Goldstone, going back to January 2016. It’s interesting that neither Scavino nor Parscale have apparently been called in for chats with investigators, or if they have, we haven’t heard about it.

[snip]

What I’m thinking is that if there was indeed an after-meeting about “dirt in the form of emails”, Scavino or Parscale may have been brought into the room. And Goldstone had been put in touch with Scavino earlier that year.

This story revealing Goldstone’s communications about his role in brokering the VK contact doesn’t support the possibility that one of the data guys was brought into the room. Rather, Goldstone’s emails suggest he discussed the idea with Don Jr and Paul Manafort, presumably on June 9, but that Scavino was not included in the meeting, even though he had been looped in during earlier discussions about it.

The newly disclosed emails show that Goldstone was in contact with the campaign about two weeks after visiting Trump Tower.

“I’m following up on an email [from] a while back of something I had mentioned to Don and Paul Manafort during a meeting recently,” Goldstone wrote to Scavino on June 29. Goldstone wrote that his client, Emin Agalarov, and a “contact” at VK wanted to create a “Vote Trump 2016” promotion.

“At the time, Paul had said he would welcome it, and so I had the VK folks mock up a basic sample page, which I am resending for your approval now,” Goldstone wrote. “It would merely require Mr. Trump to drop in a short message to Russian-American voters or a generic message, depending on your choice, and the page can be up and running very quickly.”

In any case, the discussion about VK is yet another detail that makes it pretty likely Goldstone, at least, arrived early or stayed after Natalia Veselnitskaya and Rinat Akhmetshin left (in the WaPo story on this, Scott Balber denies VK came up at any meeting Ike Kaveladze attended).

One other possibility for who sent that Tweet, though: It would not be surprising if Don Jr had access to Pop’s account. At least recently, he has alternated between an iPhone and the web client to send his own tweets, so it’s possible any tweets he sent on Dad’s behalf would also be from an iPhone.

Where’s Trump get that number, 823? And why’d he use it?

But I’m at least as interested in why Trump (or rather, Scavino or Parscale or Don Jr) used the number “823” in the tweet. In the aftermath of the John Sipher interview Jeremy Scahill did, Sipher suggested to me might be some kind of signal, a code; he’s the pro–maybe he’s right.

But I was wondering whether it might, instead, reflect real-time knowledge of the Hillary campaign’s finances and resources. That is, I wondered whether that number might have, itself, reflected the sharing of some kind of data that could verify the Russians had compromised Hillary’s campaign (or at least researched it substantively enough to know more than the Trump camp did). The public use of the number, then, might serve as a signal that that message, and the inside data, had been received.

While the specific number is difficult to check, I’ve been told the 823 number would have been at least “in the ball park” of the real number of Hillary’s campaign staffers on June 9, 2016.

Politico’s analysis of the Hillary campaign’s May 20 FEC filing showed Hillary had 732 staffers at the time of the report. The day after the June 9 meeting, Philip Bump did a story comparing Hillary and Trump’s staffing (a slew of such stories in the weeks after the June 9 meeting was one reason Corey Lewandowski got replaced as campaign manager), referencing the tweet. But his analysis reflected the month’s long lag in FEC filings. Without doing cleanup (to figure out who got paid that frequently, whether anyone got paid monthly rather than bi-monthly), Clinton’s FEC filings seem to show 587 individual payroll disbursements at her headquarters on June 15, 2016.

I talked to a couple of people on the campaign who remember thinking about the tweet, and its use of the 823 number, in real time. Someone who was working on responding to such issues told me he thought, when the tweet came out, that it might have been just a guess (though now thinks it might come from misreading a report). But another Hillary staffer described taking note of the specific number in real time. That person did about 10 minutes of follow-up at the time, checking real-time FEC filings, and concluded that it might be an accurate number. Between headquarters staff, working (policy) teams, advance, and field staff, the person believes the 823 number could very well represent a close to real number of staffers Hillary had “working” on her campaign.

Of course, none of this would mean the number came from the Russians. Such estimates are done by (competent) political campaigns all the time. So it could have come from Trump’s data people — the same people who could have tweeted the tweet in Trump’s name — itself.

That said, in none of the other Trump tweets using the 30,000 or the 33,000 email number does he include a similarly specific detail — the closest comparison is one invocation of Chelsea’s wedding. Note, too, just one other of those tweets also came from an iPhone — the equally suspicious one on July 27, 2016 asking Russia to release those emails (though one of the others came from the web client).

One more point on the number: That night, at 8:22PM ET, someone on Reddit’s The_Donald thread posted, “Hillary has a staggering 823 staffers on her campaign; Donald Trump  has over 142,000.” Best as I understand it, the comment was almost immediately removed by moderators. I find that worth noting.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The June 9 Trump Tower Limited Hangout

I did two podcasts this week where I elaborated on my theory that the current story we have about the June 9, 2016 Trump Tower meeting is just a limited hangout, a partial story that I suspect serves to hide a later, more damning part of the meeting:

I first started suspecting that the current story — that Natalia Veselnitskaya pitched a request for Magnitsky sanctions relief in exchange for … almost no dirt on Hillary — was a limited hangout as I tracked Scott Balber’s repeated heavy-handed attempts to craft a story that could explain the known emails and documents.

I want to lay out my evolving, more developed theory here.

For weeks, Russians had been offering emails in exchange for meetings

The Trump campaign first learned about “dirt” on Hillary in the form of thousands of emails on April 26. The day after learning of those emails, George Papadopoulos sent two emails to Trump campaign staffers, that may have reflected a discussion of an early quid pro quo: some meetings — meant to lead to one between Trump and Putin — in exchange for emails.

To Stephen Miller, Papadopoulos wrote, “Have some interesting messages coming in from Moscow about a trip when the time is right.” To Corey Lewandowski, it appears he asked for a phone call “to discuss Russia’s interest in hosting Mr. Trump. Have been receiving a lot of calls over the last month about Putin wanting to host him and the  team  when the time is right.”

That same day, he sent his Russian handler, Ivan Timofeev, an email saying that the first major Trump foreign policy speech he helped author was a “signal to meet.” The speech spoke, in part, about making a great deal with Russia.

I believe an easing of tensions, and improved relations with Russia from a position of strength only is possible, absolutely possible. Common sense says this cycle, this horrible cycle of hostility must end and ideally will end soon. Good for both countries.

Some say the Russians won’t be reasonable. I intend to find out. If we can’t make a deal under my administration, a deal that’s great — not good, great — for America, but also good for Russia, then we will quickly walk from the table. It’s as simple as that. We’re going to find out.

Over the course of the next month, Papadopoulos sent a Timofeev invitation for a meeting  to move towards setting up a Putin-Trump meeting via email to Lewandowski (on May 4), to Sam Clovis (on May 5, after which they spoke by phone), and to Paul Manafort (on May 21), with additional back and forth in between.

Who is the Crown Prosecutor?

Around that time in late May, Natalia Veselnitskaya met with long-time Trump associate Aras Agalarov and mentioned her efforts to help Denis Katsyv in his legal fight with Bill Browder (note, elsewhere Veselnitskaya claimed she normally keeps her clients’ business compartmented, but claims not to have done so in this case) and to lobby against the Magnitsky sanctions. That’s where, according to Veselnitskaya, the idea of connecting her with Don Jr first came about, though she doesn’t remember who came up with the idea.

Around the end of May 2016, during a conversation with a good acquaintance of mine, being my client, Aras Agalarov on a topic that was not related to the United States, I shared the story faced when defending another client, Denis Katsyv, about how terribly misled the US Congress had been by the tax defrauder William Browder, convicted in Russia, who, through his lobbyists and his close-minded rank-and-file Congress staffers, succeeded in adopting the Act in the name of a person whom Browder practically hardly ever knew.

I considered it my duty to inform the Congress people about it and asked Mr. Agalarov if there was any possibility of helping me or my colleagues to do this. I do not remember who of us was struck by the idea that maybe his son could talk about this with Donald Trump, Jr., who, although a businessman, was sure to have some acquaintances among Congress people. After my conversation with Mr. Agalarov, I prepared a reference in case it would be necessary to hand over the request – to support the hearings in the Subcommittee in the US House Committee on Foreign Affairs as to the Magnitsky’s and Browder’s story, scheduled for mid-June.

The timing of this meeting is important. We know that the date on the document alleged to be the “dirt” handed to Don Jr — one that she claims she prepared “in case it would be necessary to hand over” is May 31. Either this meeting happened before May 31 (which is when Veselnitskaya described it to have taken place), or the document was instead drawn up exclusively for lobbying purposes (which would be unsurprising, but would be inconsistent with the testimony that uses the talking points to prove the meeting was only about Magnitsky sanctions). Elsewhere she gets sketchy about the date of the document, and produced as it was by Agalarov lawyer Scott Balber, we can’t be sure about the forensics of the document.

The reason the date is important, however, is that, in pitching the Trump Tower meeting on June 3, Rob Goldstone told Don Jr that Emin Agalarov’s father met with “the Crown Prosecutor” that morning.

Emin just called and asked me to contact you with something very interesting.

The Crown prosecutor of Russia met with his father Aras this morning and in their meeting offered to provide the Trump campaign with some official documents and information that would incriminate Hillary and her dealings with Russia and would be very useful to your father.

This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump – helped along by Aras and Emin. [my emphasis]

Admittedly, any discrepancy on dates might be due to the game of telephone going on — Aras to Emin to Goldstone. But if the meeting in question really did happen on June 3, then it significantly increases the likelihood that “Crown Prosecutor” is not at all a reference to Veselnitskaya (who claims to have met with Agalarov earlier), as has been claimed, but is to someone else, dealing a different kind of dirt.

Spoiler alert: I suspect it is not a reference to her.

In his version of this story, Goldstone says he only played this broker role reluctantly.

“I remember specifically saying to Emin, you know, we probably shouldn’t get involved in this. It’s politics, it’s Hillary Clinton and Donald Trump. Neither of us have any experience in this world. It’s not our forte. I deal with music. You’re a singer and a businessman.”

Don Jr seems to have shown no such reluctance. He emailed back 17 minutes later saying, “if it’s what you say I love it especially later in the summer.” He says that, in spite of the claim he made in his testimony that, “I had no additional information to validate what Rob was saying, I did not quite know what to make of his email.” Whatever Don Jr expected it to include on June 3, he may have gotten a clearer sense of what it was on June 6, when he spoke to Emin in a phone call set up in about an hour’s time, just as Emin got off the stage.

In fact, Don Jr had three “very short” phone calls in this period, but he’s getting forgetful in his old age and so doesn’t remember what transpired on them.

My phone records show three very short phone calls between Emin and me between June 6th and 7th. I do not recall speaking to Emin. It is possible that we left each other voice mail messages. I simply do not remember.

Veselnitskaya did not get her visa to come to the US until June 6. That’s the day when Goldstone, referencing Don Jr’s earlier instructions on timing, followed-up about a meeting.

Let me know when you are free to talk with Emin by phone about this Hillary info.

Ike Kaveladze’s still unexplained late inclusion in the meeting

Goldstone was still finalizing the meeting time on June 8 at 10:34 AM. But sometime, presumably after the time on June 7 at 6:14PM, when Don Jr told Goldstone that Paul Manafort and Jared Kushner would also attend, fellow Agalarov employee Ike Kaveladze got invited, though without Veselnitskaya ever learning why. At some unidentified time, Kaveladze called an associate of Goldstone’s and learned that the meeting would be about discussing “dirt” on Hillary Clinton — the same word Papadopoulos’ handlers had used.

Scott Balber, Kaveladze’s attorney, told The Daily Beast that before Kaveladze headed from Los Angeles to New York for the meeting, he saw an email noting that Kushner, Manafort, and Trump Jr. would all be involved. He thought it would be odd for them to attend the meeting, so he called Beniaminov before heading to New York. Both Beniaminov and Kaveladze have worked with the Agalarov’s real estate development company, the Crocus Group.

Balber said that Beniaminov told Kaveladze that he heard Rob Goldstone— Emin Agalarov’s music manager—discuss “dirt” on Hillary Clinton. It’s never become completely clear what kind of “dirt” the Russians were talking about.

Having learned of a meeting dealing dirt that included Don Jr, Kushner, and Manafort, Kaveladze got on a plane and flew to NYC.

According to Veselnitskaya’s very sketchy account, she got an email finalizing the meeting when she arrived in NYC on June 8 — an email that was also CC’ed to Kaveladze. She and Kaveladze spoke by phone sometime that day, and met sometime before the meeting.

With those present at the meeting, Samochernov, Kaveladze, and Akhmetshin, I spoke about the meeting on the day it was to be held, possibly, I mentioned it the day I arrived in New York when speaking with Kaveladze by phone, but I do not have exact information about it.

[snip]

We got acquainted first by phone when I was in Moscow. I met him personally first on June 9 shortly before the meeting.

[snip]

We had a phone call and met at a café, I do not remember where and at what café. I told him briefly what I knew about the Browder case, about the Ziffs and their possible support when lobbying his interests in the United States.

Like Don Jr’s memory of his phone calls with Emin, Veselnitskaya claims to have forgotten what got said in that phone call with Kaveladze.

Competing versions of the meeting

Which brings us to June 9.

We don’t know what Kaveladze’s schedule was. We do know that on the morning of June 9 — before lunch, which is when Veselnitskaya said Akhmetshin first got involved — Veselnitskaya asked Goldstone if she could bring Akhmetshin, whom she claimed had just “arrived that day in New York for an evening performance of Russian theatre stars.” Goldstone responded a half hour later, “Please bring them with you and meet Ike for your meeting at 4PM today.” (The copy of the email publicly released does not include the CC to Kaveladze that Veselnitskaya said was included.)

As I laid out in this post, Veselnitskaya says she arrived at the meeting with her translator, Kaveladze, and Akhmetshin, was met by Goldstone there, and brought to a board room where Don Jr and Manafort were already present.

I came to the meeting with Anatoly Samochornov, a translator, Irakly Kaveladze, a lawyer of my client who helped to arrange for the meeting, Rinat Akhmetshin, my colleague who was working with me on the Prevezon case. We were met by a big, stout man who introduced himself as Rob and escorted us on the elevator to the boardroom. I saw two men in the boardroom – one of them introduced himself as Donald Trump Jr., while the other did not introduce himself. Another young man entered the boardroom a little later and left it shortly afterwards. I found out much later that the two unidentified gentlemen were P. Manafort and J. Kushner.

According to Veselnitskaya, Kaveladze was introduced — to the extent he was — as “Ike.” Remember that he attended the 2013 dinner celebrating the Agalarov-brokered deal to bring Miss Universe to Moscow, meaning at least some in the Trump camp should know him.

Veselnitskaya’s account seems to line up with Jared Kushner’s, which basically has him arriving late, staying for about 10 minutes of Veselnitskaya’s discussion of adoptions (though he seems to be claiming not to be present for any discussion of Magnitsky sanctions), then asked his assistant to give him an excuse to leave.

I arrived at the meeting a little late. When I got there, the person who has since been identified as a Russian attorney was talking about the issue of a ban on U.S. adoptions of Russian children. I had no idea why that topic was being raised and quickly determined that my time was not well-spent at this meeting. Reviewing emails recently confirmed my memory that the meeting was a waste of our time and that, in looking for a polite way to leave and get back to my work, I actually emailed an assistant from the meeting after I had been there for ten or so minutes and wrote “Can u pls call me on my cell? Need excuse to get out of meeting.” I had not met the attorney before the meeting nor spoken with her since. I thought nothing more of this short meeting until it came to my attention recently. I did not read or recall this email exchange before it was shown to me by my lawyers when reviewing documents for submission to the committees. No part of the meeting I attended included anything about the campaign, there was no follow up to the meeting that I am aware of, I do not recall how many people were there (or their names), and I have no knowledge of any documents being offered or accepted.

Jared claims not to know who was at the meeting, which is somewhat credible given that he arrived after introductions.

For some reason, Goldstone holds out the claim this meeting started by talking about Democratic campaign donations then moved to sanctions.

Goldstone tells me that he only half-listened to the presentation from Natalia Veselnitskaya, the Russian lawyer, as he checked emails on his phone. But he insists, as Trump Jr has done, that the meeting ended awkwardly after she switched tack from discussing Democratic funding to US sanctions legislation and Moscow’s retaliatory policy that restricts Americans from adopting Russian children. “It was vague, generic nonsense,” Goldstone says.

[snip]

“Within minutes of starting, Jared said to her, ‘Could you just get to the point? I’m not sure I’m following what you’re saying,’ ” Goldstone says.

It was then that she started talking in detail about the provisions of the Magnitsky legislation and adoptions, he says. “I believe that she practised a classic bait-and-switch. She got in there on one pretext and really wanted to discuss something else.”

Don Jr’s memory of the meeting is somewhat different. Not only doesn’t he remember Akhmetshin’s presence at all, but he remembers Manafort arriving after the visitors were already in the conference room (mind you, I don’t consider this a significant discrepancy). And he definitely remembers adoptions being discussed at the same time as the sanctions.

As I recall, at or around 4 pm, Rob Goldstone came up to our offices and entered our conference room with a lawyer who I now know to be Natalia Veselnitskaya. Joining them was a translator and a man who was introduced to me as Irakli Kaveladze. After a few minutes, Jared and Paul joined. While numerous press outlets have reported that there were a total of eight people present at the meeting, I only recall seven. Because Rob was able to bring the entire group up by only giving his name to the security guard in the lobby, I had no advance warning regarding who or how many people would be attending. There is no attendance log to refer back to and I did not take notes.

After perfunctory greetings, the lawyer began telling the group very generally something about individuals connected to Russia supporting or funding Democratic Presidential Candidate Hillary Clinton or the Democratic National Committee. It was quite difficult for me to understand what she was saying or why. Given our busy schedules, we politely asked if she could be more specific and provide more clarity about her objective for the meeting. At that point, Ms. Veselnitskaya pivoted and began talking about the adoption of Russian children by U.S. citizens and something called the Magnitsky Act.

Until that day, I had never heard of the Magnitsky Act and had no familiarity with this issue. It was clear to me that her real purpose in asking for the meeting all along was to discuss Russian adoptions and the Magnitsky Act. At this point, Jared excused himself from the meeting to take a phone call.

Despite some minor differences in choreography, thus far the differences in the stories are not that substantial.

That changes, though, in the descriptions of how the meeting ended.

Don Jr claims he said that Trump was a private citizen so could do nothing to help.

I proceeded to quickly and politely end the meeting by telling Ms. Veselnitskaya that because my father was a private citizen there did not seem to be any point to having this discussion.

Goldstone claims something similar — that Don Jr told Veselnitskaya she should talk to Obama’s Administration, not the future Trump one.

“Don Jr ended it by telling her that she should be addressing her concerns to the Obama administration, because they were the ones in power.”

But in an an interview with Bloomberg that Veselnitskaya disavowed in her statement to SJC, she said that Don Jr suggested he would reconsider the sanctions “if we came to power.”

“Looking ahead, if we come to power, we can return to this issue and think what to do about it,’’ Trump Jr. said of the 2012 law, she recalled. “I understand our side may have messed up, but it’ll take a long time to get to the bottom of it,” he added, according to her.

The extra details in the contemporaneous record as interpreted by Glenn Simpson

As far as we know, there’s only one contemporaneous record of this meeting: the notes that Manafort — whom Veselnitskaya claimed “closed his eyes and fell asleep” during the 20 minute meeting — took on his phone. Glenn Simpson was asked to comment on Manafort’s notes in his Senate testimony. Some of what he describes confirms these public accounts: the early reference to Browder, the other reference to Juliana Glover, the reference to adoptions.

MR. DAVIS: These are the meeting notes from 3 the June 9th meeting at Trump Tower. These are Mr. Manafort’s notes or they’re contemporaneous.

BY THE WITNESS:

A. I could tell — obviously you know who Bill Browder is. Cyprus Offshore, Bill Browder’s structure, you know, investment — Hermitage Capital, his hedge fund, set up numerous companies in Cyprus to engage in inward investment into Russia, which is a common structure, both partially for tax reasons but also to have entities outside of Russia, you know, managing specific investments. I can only tell you I assume that’s what that references. I don’t know what the 133 million —

[snip]

A. I can skip down a couple. So “Value in Cyprus as inter,” I don’t know what that means. “Illici,” I don’t know what that means. “Active sponsors of RNC,” I don’t know what that means. “Browder hired Joanna Glover” is a mistaken reference to Juliana Glover, who was Dick Cheney’s press secretary during the Iraq war and associated with another foreign policy controversy. “Russian adoptions by American families” I assume is a reference to the adoption issue.

While Simpson doesn’t recognize the reference, in addition to the passing reference to Cyprus shell companies, the notes allegedly used for the meeting explain the 133 million reference.

In the period of late 1999 to 2004, two companies – Speedwagon Investments 1 and 2, registered in New York, and owned by the said U.S. investors, acting through three Cypriot companies, Giggs Enterprises Limited, Zhoda Limited, Peninsular Heights Limited illegally acquired more than 133 million Gazprom shares in the amount exceeding $80 million in the name of the Russian companies Kameya, Lor, Excalibur, Sterling Investments.

But there seems to be more extensive reference to Cyprus (the laundering of money through which, of course, Manafort is himself an expert; it features centrally in his indictment).

And none of the accounts of the meeting seem to explain Manafort’s half-written “illicit,” nor does “Active sponsors of RNC” appear anywhere.

So there appear to be two things in Manafort’s notes that aren’t explained by the several accounts of the meeting: RNC support (elsewhere attributed to the reference to Ziff brothers’ political donations, something which Manafort might independently know) and, most intriguingly, “illicit” (as well, as perhaps, the more central focus on Cyprus than reflected in the talking points).

Who left the conference room when?

This brings me to the question of who left the conference room when.

According to the LAT, Mueller’s team seems newly interested in an exchange between Ivanka, Veselnitskaya, and Akhmetshin, which attests to Ivanka’s awareness — whatever her spouse’s and brother’s ignorance — of Akhmetshin’s presence.

Investigators also are exploring the involvement of the president’s daughter, Ivanka Trump, who did not attend the half-hour sit-down on June 9, 2016, but briefly spoke with two of the participants, a Russian lawyer and a Russian-born Washington lobbyist. Details of the encounter were not previously known.

It occurred at the Trump Tower elevator as the Russian lawyer, Natalia Veselnitskaya, and the lobbyist, Rinat Akhmetshin, were leaving the building and consisted of pleasantries, a person familiar with the episode said. But Mueller’s investigators want to know every contact the two visitors had with Trump’s family members and inner circle.

But it also may suggest that, after arriving with the two Russians, Ike Kaveladze may have stayed on for a bit afterwards.

Which may be backed by another detail in the various accounts of the meeting. Both Don Jr …

She thanked us for our time and everyone left the conference room. As we walked out, I recall Rob coming over to me to apologize.

And Goldstone claim that the music promoter apologized for the meeting at the end.

As he emerged from the meeting, Goldstone says that he told Trump Jr he was “deeply embarrassed” that it had been an apparent waste of time.

If Goldstone “apologized” for the meeting, as he and Don Jr claim, it suggests Goldstone, at least, stayed behind long enough to say something that would otherwise be rude to say in front of Veselnitskaya. Don Jr’s claim of an apology might provide convenient excuse.

Perhaps most curious among the first-hand accounts is Goldstone’s claim that he thought the 20-30 minute meeting was “dragging on.”

He had not even planned to attend, but was encouraged to stay by Trump Jr. His biggest concern, he says, was that if the meeting dragged on, he would be caught in the notorious Lincoln Tunnel traffic on his journey home.

But her emails

At 4:40 PM, 40 minutes after the meeting started, Trump tweeted what would become one of the most famous exchanges of the campaign, his retort to Hillary Clinton’s taunt that he should delete his Twitter account with this response,

Did you say “dirt” in the form of Hillary emails?

Six days after that meeting, Guccifer 2.0 released the first of the documents stolen by hacking Democratic targets (though note, none of these are known to have come from the DNC, which is the only hack the WaPo reported on the day before; while some have been traced to Podesta’s emails, the others remain unaccounted for).

While I have argued that the specific content in that dump can be explained, in significant part, as an effort to respond to and rebut the claims CrowdStrike and the Democrats made to the WaPo, some of the documents would be particularly valuable in selling the Trump team on the value of any “dirt” on offer. That includes the oppo research on Trump himself (though that was definitely also a response to the WaPo), but also what purports to be a secret policy document stolen from Hillary’s Secretary of State computer, and a document on Hillary’s election plans. Significantly, all three of these documents were among the ones with the altered metadata, in part bearing the signature of Felix Edmundovich Dzerzhinsky.

In short, that first post from Guccifer 2.0 would not only refute the confident claims the Democrats made to the WaPo, but it would provide the Trump camp with a sense of the scope of documents on offer. Within that first week, Guccifer 2.0 would even offer what claimed to be a (heh) “dossier” on Hillary Clinton. (Given my concerns that Russians learned of the Steele dossier and filled it with disinformation, I find it rather interesting that Guccifer 2.0 first advertised this dossier on the same day, June 20, that Steele submitted the first report in his dossier.)

Eerie

If, in fact, there was a second part of this meeting, it seems to be the high level meeting that George Papadopoulos had been working on setting up for weeks, meetings discussed in the context of offering dirt in the form of emails. The Russians laid out a quo — relief of the Magnitsky sanctions — and a week later, provided the first installments of the quid — oppo research from Hillary Clinton.

That would more readily explain why, on June 14, Goldstone would forward this account of the DNC hack to Emin and Ike (but not the other attendees) declaring the DNC hack to be eerie in the wake of what transpired at the meeting.

In one email dated June 14, 2016, Goldstone forwarded a CNN story on Russia’s hacking of DNC emails to his client, Russian pop star Emin Agalarov, and Ike Kaveladze, a Russian who attended the meeting along with Trump Jr., Trump’s son-in-law Jared Kushner and Manafort, describing the news as “eerily weird” given what they had discussed at Trump Tower five days earlier.

And that, I suspect, is the real story that Scott Balber has been working so hard to obscure.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Simpson Transcript: The Dossier as Predicate

I’m working towards a big post (or a series of small ones) on the Glenn Simpson transcript. I address some of my impressions in this Real News Network video with Aaron Maté from the other day.

Before I do that larger post, however, I want to address something Maté asked me about: whether the Simpson transcript — in which he says that Christopher Steele learned from the FBI about (what independent reporting confirms) the Papadopoulos tip from the Australians — supports or refutes the sharply contested arguments about whether the Steele dossier started the counterintelligence investigation or served as a key source for a FISA warrant against either Carter Page or Paul Manafort. Skeptics of the report that the investigation actually arose from the George Papadopoulos tip have argued that the latest PR effort around the dossier is an attempt to paper over the dossier as the true source of either the investigation or the FISA orders.

As I noted on RNN, the dossier doesn’t actually help the anti-Trump narrative as much as people have made out. Simpson testified that Steele decided to reach out to the FBI towards the end of June or beginning of July (after only the first dossier report had been done), and the conversation actually happened the first week of July (a questioner later refers to it as occurring July 5).

Q. And do you recall when you — when you and Mr. Steele decided kind of that he could or should take this to the FBI, approximately the time frame of that?

A. I believe it was sometime around the turn of the month. It would have been in late June or at latest early July. That’s my recollection.

[snip]

Q. Do you have any knowledge of when that first conversation actually then took place?

A. Over the last several months that this has become a public controversy I’ve learned the general date and I believe it was if first week of July, but I don’t believe he told me — if he told me the time, I don’t remember when he told me.

Simpson later admits his certainty about these dates comes from Fusion’s response to speculation and other reporting.

Q. And that information about that time, that first week of July, where does that come from?

A. It comes from news accounts of these events and conversations between Chris and I and some of my — presumably my business partners too. Generally speaking, we have, as you know, not been eager to discuss any of this in public and there’s been a lot of speculation and guessing and stories, many of which are wrong. So when an incorrect story comes out we would, you know, talk about it. So, you know, in the course of those kinds of things I generally obtained a sense of when things occurred that I might otherwise not be able to provide you.

Regardless of how accurate or not this report, it means that Steele spoke with the FBI weeks before the Australian tip is supposed to have come in, which was after Wikileaks started dumping the emails on July 22 (though as I noted with Maté, there are aspects of that story that are sketchy as well). The reference to Steele learning about what he now believes was the Papadopoulos tip reflects feedback from mid to late September, when the FBI told him his story had been corroborated by a human source, not from that first FBI meeting.

Essentially what he told me was they had other intelligence about this matter from an internal Trump campaign source and that — that they — my understanding was that they believed Chris at this point — that they believed Chris’s information might be credible because they had other intelligence that indicated the same thing and one of those pieces of intelligence was a human source from inside the Trump organization.

Later in the transcript Simpson responds in a way that suggests Steele was reading the FBI response rather than learning actual details of the tip; certainly he might have been able to corroborate it back in London.

Q. And did Mr. Steele tell you that the FBI had relayed this information to him?

A. He didn’t specifically say that.

Q. I’m going to have you take a look at one of the filings —

MR. FOSTER: I thought you said earlier that he did say the FBI told him.

MR. SIMPSON: I think I was saying we did not have the detailed conversations where he would debrief me on his discussions with the FBI. He would say very generic things like I saw them, they asked me a lot of questions, sounds like they have another source or they have another source. He wouldn’t put words in their mouth.

In other words, the record shows that (unless the public story about the Australian tip is really inaccurate) the pee tape report came in first, and then the Oz tip did.

That said, both of these tips came in before late July, which is when Jim Comey testified the CI investigation started.

Which is where this predicate debate has always gone wrong. It imagines that the FBI opened an investigation into one and only one thing. In addition to those two things, there were the actual hack and the Guccifer 2.0 persona — already perceived to be a Russian operation before the first Steele report came in — along with clear indications Wikileaks was involved with it. There was Carter Page’s publicly reported trip and speech in Russia, and the beginnings of the reawakening Paul Manafort scandal. And there were the concerns raised about the change in the GOP platform (though I think that got more press than the evidence justified).

So there were a whole bunch of things leading up to the opening of the investigation. And there’s no reason to believe just one predicated the investigation.

Similarly, the case on the FISA orders is mixed (though this is an area, in particular, where the FBI would have an incentive to release partial stories). One of the first reports on Carter Page’s FISA order dates it to late summer, when the Trump campaign was distancing itself from him. But later reporting said he had been tapped even before he joined the campaign, in conjunction with his earlier recruitment by Russian spies.

Manafort, too, was reportedly targeted under FISA because of his earlier dalliances with Russia. In his case, the wiretap had lapsed, but was restarted after new details of his corruption forced him off the campaign in August.

As I’ll write in my larger post on the Simpson transcript, I don’t think all this means the tie between the dossier and the FBI investigation is above reproach. But it does seem clear that, even if the dossier is one thing that justified the investigation, it was neither the earliest thing nor the only thing.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

NYT Does Not Have the Smoking Gun on Trump Campaign Email Knowledge

The NYT had a complex story today, reporting three things:

  1. The counterintelligence investigation into the Trump campaign followed from a drunken conversation George Papadopoulos had in May 2016 with Aussie Ambassador to the UK, Alexander Downer
  2. Papadopoulos was more influential than Trump’s team has made out
  3. Papadopoulos pitched an April 2016 Trump foreign policy speech as a signal to Russia that Trump would be willing to meet

It’s the first detail that has attracted all the attention. NYT reported it this way:

During a night of heavy drinking at an upscale London bar in May 2016, George Papadopoulos, a young foreign policy adviser to the Trump campaign, made a startling revelation to Australia’s top diplomat in Britain: Russia had political dirt on Hillary Clinton.

About three weeks earlier, Mr. Papadopoulos had been told that Moscow had thousands of emails that would embarrass Mrs. Clinton, apparently stolen in an effort to try to damage her campaign.

Exactly how much Mr. Papadopoulos said that night at the Kensington Wine Rooms with the Australian, Alexander Downer, is unclear. But two months later, when leaked Democratic emails began appearing online, Australian officials passed the information about Mr. Papadopoulos to their American counterparts, according to four current and former American and foreign officials with direct knowledge of the Australians’ role.

[snip]

Not long after, however, he opened up to Mr. Downer, the Australian diplomat, about his contacts with the Russians. It is unclear whether Mr. Downer was fishing for that information that night in May 2016. The meeting at the bar came about because of a series of connections, beginning with an Israeli Embassy official who introduced Mr. Papadopoulos to another Australian diplomat in London.

It is also not clear why, after getting the information in May, the Australian government waited two months to pass it to the F.B.I. In a statement, the Australian Embassy in Washington declined to provide details about the meeting or confirm that it occurred.

NYT’s story does pose a good question: why the Australians didn’t tell the US about this conversation until July, after Wikileaks started releasing DNC emails.

But the few GOPers who have responded to this news raise another question: did the Aussies even know what emails Papadopoulos was talking about?

As I noted in October, we actually don’t know what emails Joseph Misfud was talking about when he told Papadopoulos the Russians had dirt on Hillary. Trumpsters are now suggesting these emails might be those Guccifer 1.0 stole from Hillary, but they could be a range of other emails.

This story would be far more damning if the NYT knew for sure that the emails were ones freshly stolen from DNC, John Podesta, or the Hillary campaign itself, but they don’t.

The uncertainty about what emails Papadopoulos learned about — and revealed to Downer — might explain why the Aussies didn’t tell the US right away. If the Australians didn’t know what emails the Russians had, it might explain their lack of urgency. If the emails were known Guccifer 1.0 emails, it wouldn’t be news. But it doesn’t explain why the Aussies didn’t tell the US in June, when Guccifer 2.0 started releasing documents, but instead waited until their own citizen, Julian Assange, started releasing some on July 22.

All this could be a lot more easily explained if we knew the one detail the NYT admits it didn’t confirm: whether and when Papadopoulos told the campaign that the Russians had emails (and whether he knew which emails the Russians had).

In late April, at a London hotel, Mr. Mifsud told Mr. Papadopoulos that he had just learned from high-level Russian officials in Moscow that the Russians had “dirt” on Mrs. Clinton in the form of “thousands of emails,” according to court documents. Although Russian hackers had been mining data from the Democratic National Committee’s computers for months, that information was not yet public. Even the committee itself did not know.

Whether Mr. Papadopoulos shared that information with anyone else in the campaign is one of many unanswered questions. He was mostly in contact with the campaign over emails. The day after Mr. Mifsud’s revelation about the hacked emails, he told Mr. [Stephen] Miller in an email only that he had “interesting messages coming in from Moscow” about a possible trip. The emails obtained by The Times show no evidence that Mr. Papadopoulos discussed the stolen messages with the campaign.

NYT makes clear Papadopoulos (who was, after all, remote and traveling a lot) primarily communicated via emails. But the emails they obtained (but didn’t share) don’t include any evidence of him telling the campaign about the emails (much less which ones they were).

Which brings us to a point I made in November: when the FBI arrested Papadopoulos in July, they believed he lied to hide whether he told the campaign about the emails, but they de-emphasized that detail in the October plea deal.

[T]he description of the false statements makes the import of them far more clear (import that the Special Counsel seems to want to obscure for now). Papadopoulos lied about the circumstances of his conversations with Mifsud — the FBI appears to have believed when they arrested him in July — as part of a story to explain why, after having heard about dirt in the form of thousands of emails from Hillary, he didn’t tell anyone else on the campaign about them. Laid out like this, it’s clear Papadopoulos was trying to hide both when he learned about the emails (just three days before the DNC did, as it turns out, not much earlier as he seems to have suggested in January), but also how important he took those emails to be (which in his false story, he tied to to a false story about how credible he found Mifsud to be).

FBI found those lies to be significant enough to arrest him over because they obscured whether he had told anyone on the campaign that the Russians had dirt in the form of Hillary emails.

To be sure, nothing in any of the documents released so far answer the questions that Papadopoulos surely spent two months explaining to the FBI: whether he told the campaign (almost certainly yes, or he wouldn’t have lied in the first place) and when (with the big import being on whether that information trickled up to Paul Manafort and Jared Kushner before they attended a meeting on June 9, 2016 in hopes of obtaining such dirt).

I’m sure that’s intentional. You gotta keep everyone else guessing about what Mueller knows.

The NYT’s sources are described as “four current and former American and foreign officials with direct knowledge of the Australians’ role,” though this statement — and a past willingness on behalf of Papadopoulos’ fiancée to provide details and emails — suggests that people close to Papadopoulos cooperated as well: ” Papadopoulos’s lawyers declined to provide a statement.”

The point being, we still don’t have the most important detail of this story: whether Papadopoulos told the campaign about the emails, but more importantly, what the emails were.

Thus far, everyone seems intent on withholding that detail.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Chuck Johnson’s Narrowed Scope of What a Russian Is Excludes Known Conspirators in Operation

Michael Tracey has a story that purports to show that the Senate Intelligence Committee, in negotiating voluntary cooperation with Chuck Johnson, is criminalizing being Russian.

The Senate committee probing alleged Russian interference in the U.S. political system has deemed anyone “of Russian nationality or Russian descent” relevant to its investigation, according to a document obtained by TYT.

[snip]

On July 27, 2017, Charles C. Johnson, a controversial right-wing media figure, received a letter from Sens. Burr and Warner requesting that he voluntarily provide materials in his possession that are “relevant” to the committee’s investigation. Relevant materials, the letter went on, would include any records of interactions Johnson had with “Russian persons” who were involved in some capacity in the 2016 U.S. elections.

The committee further requested materials related to “Russian persons” who were involved in some capacity in “activities that related in any way to the political election process in the U.S.” Materials may include “documents, emails, text messages, direct messages, calendar appointments, memoranda, [and] notes,” the letter outlined.

Doss’s statement was in response to a request made by Robert Barnes, an attorney for Johnson, for clarification as to the SSCI’s definition of a “Russian person.”

How the committee expects subjects to go about ascertaining whether a person is of “Russian descent” is unclear. “It does indicate that the committee is throwing a rather broad net,” Jonathan Turley, a professor of law at George Washington University, said. “It is exceptionally broad.” In terms of constitutionality, Turley speculated that “most courts would view that as potentially too broad, but not unlawful.”

Johnson played a key role in several known parts of the election operation. In addition to brokering Dana Rohrabacher’s meeting with Julian Assange, all designed to provide some alternative explanation for the DNC hack, Johnson worked with Peter Smith and Weev to try to find the deleted emails from Hillary’s server.

Johnson said he and Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

“The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

Tracey’s claims are based on this email (and, clearly, cooperation with Johnson).

Except Tracey (and so presumably Johnson) appear to be misrepresenting what is going on.

When SSCI originally asked for Johnson’s cooperation in July, they asked him to provide communications “with Russian persons, or representatives of Russian government, business, or media interest” relating to the 2016 election and any hack related to it.

And while Tracey calls the December follow-up a “clarification,” Doss clearly considers it a “narrowing” of that July description. So the description Tracey finds so outrageous — people of Russian nationality or descent — appears to be a subset of what might be included in the original request.

Moreover, the narrowing might be really detrimental to SSCI’s ability to learn what Johnson was up to when he was seeking out Russian hackers who might have Hillary’s server. Consider just the examples of Karim Baratov or Ike Kaveladze. Both are likely suspects for involvement in the events of 2016. Baratov — the hacker who recently pled guilty to compromising selected Google and Yandex accounts for FSB — is a Canadian citizen born in Kazakhstan. Kaveladze — who works for Aras Agalarov, has past ties to money laundering, and attended the June 9, 2016 meeting — is an American citizen born in Georgia. Neither is ethnically Russian. So if Johnson had any hypothetical interactions with them, he could cabin off those interactions based on this narrowed definition of what counts as a Russian.

To say nothing of Johnson’s interactions with Assange, who is Australian, yet whose ties to Russia are unclear. Effectively, even if Johnson knew that Assange had coordinated with Russia last year, he wouldn’t have to turn over his communications with him, because he’s not himself Russian.

According to Tracey’s piece, Johnson says he won’t cooperate regardless, in spite of his lawyer’s efforts to narrow the scope of any cooperation.

But I find it interesting that his lawyer attempted to narrow any testimony in a fashion that might hide important parts of Johnson’s actions.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.

[snip]

it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.

[snip]

[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

Word Type of error Correct analogue
“ustanavlivat” omitted sign at the end, verb tense error “ustanovit'” or “ustanoviti”
“poluchit” omitted sign at the end “poluchit'” or “poluchiti”
“pereslat” omitted sign at the end “pereslat'” or “pereslati”
“derzhat” omitted sign at the end “derzhat'” or “derzhati”
“vykhodit” omitted sign at the end, verb tense error “vyiti”

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect”were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.

[snip]

Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

Transliterated Russian words used in AS Translated from Russian
Podgotovkaskotiny Preparation of farm animals
geigeigei3raza Hey, hey, hey 3 times
chainik Dummy (a stupid person)
chainikaddress Dummy’s address
poishemdatu Let’s search for data
poiskvpro Searching in ‘pro’
vyzov_chainika Calling the dummy (a stupid person)
daiadreschainika Get address of the dummy
runskotina Execute farm animals
babaLEna Old woman Lena

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

01 private function put_dummy_args(param1:*) : *
02 {
03 return chainik.call.apply(null,param1);
04 }
05 private function vyzov_chainika() : *
06 {
07 return chainik.call(null);
08 }

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while, the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Two (Three) Possibilities on the “WikiLeaks” Archive Story

Don Jr’s testimony to Congress yesterday has brought out several new details on the evidence he was provided. In this post I want to look at the report that someone sent key Trump figures a link to a Wikileaks archive and an encryption key.

Candidate Donald Trump, his son Donald Trump Jr. and others in the Trump Organization received an email in September 2016 offering a decryption key and website address for hacked WikiLeaks documents, according to an email provided to congressional investigators.

The September 14 email was sent during the final stretch of the 2016 presidential race.

CNN originally reported the email was released September 4 — 10 days earlier — based on accounts from two sources who had seen the email. The new details appear to show that the sender was relying on publicly available information. The new information indicates that the communication is less significant than CNN initially reported.

After this story was published, The Washington Post obtained a copy of the email Friday afternoon and reported that the email urged Trump and his campaign to download archives that WikiLeaks had made public a day earlier. The story suggested that the individual may simply have been trying to flag the campaign to already public documents.

CNN has now obtained a copy of the email, which lists September 14 as the date sent and contains a decryption key that matches what WikiLeaks had tweeted out the day before.

First, note there’s no explanation in the story why these are described as Wikileaks emails, aside from the fact that Julian Assange has on occasion posted archives with a key. Indeed, it sounds like this archive is more closely related to the DC Leaks side of the house, given the reference to Colin Powell emails in the larger story. So absent a more fulsome explanation of what makes these WikiLeaks documents, I wouldn’t necessarily bet that these documents are related to Wikileaks.

Second, one possible explanation for this archive is that it’s the same one that is the center of the skeptics’ theory. They focus on an archive called NGP/VAN (but which is not NGP/VAN), which was curated on September 1. In public form, the archive was pointed to by Guccifer 2.0 on September 12, but never posted on his site.

the files were posted during a speech given in London by another hacker as a proxy for G2.0 on that day. The Forensicator relies on a copy posted by NatSecGeek. And while on Twitter G2.0 pointed to the speech the day before it was given, he never actually pointed back to the data on his WordPress site.

It’s true that the “speech” that was read for G2.0 relied on and posted a link to these files at the conference.

This scheme shows how NGP VAN is incorporated in the DNC infrastructure. It’s for detailed examination, if you are interested. And here are a couple of NGP VAN’s documents from their network. If you r interested in their internal documents, you can have them via the link on the screen. The password is usual. It’s also on the screen. You may also ask the conference producers for them later.

But at the very least, it seems any analysis of these forensics needs to account for the hand-off and proxy involved.

The timing of this would suggest that (if this is the same archive) three days after the archive was curated but over a week before it was posted publicly, top campaign officials got a link.

But there is another possibility, a detail I’ve often alluded to but never laid out publicly. There is or was a grand jury investigation into some script kiddies that tried to hijack Guccifer 2.0’s password or ID or something like that. It is or was in Philadelphia, based on the location of an archive involved. As I understand it the thought was that this effort was unrelated to the chief Russian info op, but was a lead the FBI had to chase down. I’ve been waiting to see if that grand jury investigation was ever going to show up publicly, and it’s one possible explanation for this email.

Update: I should make clear, I lay out three possibilities here:

  1. These are actually DC Leaks emails, not WikiLeaks ones; this is consistent with what recipients of those emails say about timing.
  2. This is the NGP/VAN archive released in mid-September, associated with Guccifer 2.0.
  3. This is an effort from the unknown skiddies being investigated in Philly.

Update: By description, WaPo makes it clear that this was an email sending the Trumps to this material, though using a different link and password.

That means it is, in fact, the NGP/VAN materials at the heart of the skeptics’ counterarguments about Guccifer being Russian (number 2, above), being sent under an apparently Anglo name (albeit with a few errors; making number 3 possible), but branded as Guccifer 2.0 materials, not WikiLeaks materials (sort of, 1).

In other words, the emails are much more interesting for all these other related theories than for the fact that the Trump folks received it, apparently unsolicited.

Update: I’ve subbed in the corrected language from CNN confirming that this was a September 14 email.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On Metadata and Manipulation: the First Guccifer 2.0 Documents

In the AP’s (very worthwhile) coverage of the data it obtained from Secureworks it reveals at least the fifth piece of deception pertaining to the first documents released by Guccifer 2.0 on June 15, 2016. It revealed that Guccifer 2.0 added the word “confidential” (possibly as both the watermark shown on the front page and in the footer) to this document.

But there were signs of dishonesty from the start. The first document Guccifer 2.0 published on June 15 came not from the DNC as advertised but from Podesta’s inbox, according to a former DNC official who spoke on condition of anonymity because he was not authorized to speak to the press.

The official said the word “CONFIDENTIAL” was not in the original document.

Guccifer 2.0 had airbrushed it to catch reporters’ attention.

Here’s that watermark, which would have made reporters obtaining the document to ascribe it more value than it had.

On top of that change, we know that Guccifer 2.0 deliberately used the name Felix Edmundovich, invoking Iron Felix, the founder of the KGB (though another document invoked Che Guevaro in the same way) in the metadata of the document.

This analysis and this analysis compellingly shows, in my opinion, that the other Russian metadata in the documents was also deliberately placed there.

Finally, I believe that the addition of Warren Flood as author was also deliberate.

In addition, Guccifer 2.0 released these documents as DNC documents when in fact they are either Podesta documents or have not yet been sourced.

Now, Guccifer 2.0 in fact didn’t hide some of these alterations. Some were identified the same day the documents were released. But at the time they were interpreted as OpSec failures, rather than intentional deception. To this day, skeptics try to argue that the intentional deception of the rest of the metadata is somehow different than the tribute to Iron Felix (which is a mirror to the assumption in the early days that the Iron Felix was deliberate but the other Russian metadata was not, which I criticized here), without explaining why that would be the case.

In this post, I talked about how some of the other deception — pitching these Podesta (and other) documents as DNC documents — would have been a way to taunt the DNC and Crowdstrike for their false claims downplaying the hack. (Note, in the post, I ask why Guccifer 2.0 harped on VAN so much; the AP piece reveals that VAN officials and those working on voter registration were targeted, which suggests maybe the Russians did get VAN data and we simply don’t know about it.)

So contrary to the belief of some commentators, it has long been known that Guccifer 2.0 altered these documents. But I don’t think there has been a full accounting of all the ways that it worked (it’s not even clear we know the full extent of the deception).

For now, I’m going to leave these multiple layers of deception laid out (I’d add, that whatever cutout led Julian Assange to believe — or at least to claim — the documents were sourced to Americans is another layer of deception, a different kind of metadata.)

There were multiple layers of deception built into these first documents, alternately taunting the Democrats who would have known them to be deception, the analysts who mistook them as mistakes, and the press who took them to indicate real value. I suspect there are at least two more layers of deception here.

But it’s worth noting that no one was immune from this deception, and it’s likely there are still a few layers that we’re missing here.

Update: As Thomas Rid notes on Twitter, one of the first five documents Guccifer 2.0 released is a version of one that Guccifer 1.0 had released.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.