Posts

What Was the Relationship Between FSB and GRU in the DNC Hack, Redux?

I want to return to last week’s House Intelligence Hearing on Russia (because that fecker Devin Nunes canceled my birthday hearing with James Clapper and John Brennan today), to revisit a question I’ve asked a number of times (in most detail here): what was the relationship between Russia’s FSB and GRU intelligence services in the DNC hack?

The public narrative (laid out in this post) goes like this: Sometime in summer 2015, APT (Advanced Persistent Threat) 29 (associated with FSB, Russia’s top intelligence agency) hacked the DNC along with 1,000 other targets and because DNC ignored FBI’s repeated warnings, remained in their network unnoticed. Then, in March 2016, APT 28 (generally though not universally associated with GRU, Russia’s military intelligence) hacked DNC and John Podesta. According to the public story, GRU oversaw the release (via DC Leaks and Guccifer 2.0) and leaking (to Wikileaks via as-yet unidentified cut-outs) of the stolen documents.

Under the public story, then, FSB did the same kind of thing the US does (for example, with Enrique Peña Nieto in 2012), collecting intelligence on a political campaign, whereas GRU did something new (though under FBI-directed Sabu, we did something similar to Bashar al-Assad in 2012), leaking documents to Wikileaks.

Obama’s sanctions to retaliate for the hack primarily focused on GRU, but did target FSB as well, though without sanctioning any FSB officers by name. And in its initial report on the Russian hack, the government folded the activity of the two separate groups, previously dubbed Cozy Bear and Fancy Bear, under the single label “Grizzly Steppe,” making any detailed discussion of how they worked together more confusing. As I noted, however, the report may have offered more detail about what APT 29 did than what APT 28 did.

Last week’s hearing might have been an opportunity to clarify this relationship had both sides not been interested in partisan posturing. Will Hurd even asked questions that might have elicited more details on how this worked, but Admiral Mike Rogers refused to discuss even the most basic details of the hacks.

HURD: Thank you, Chairman.

And gentlemen, thank you all for being here. And thank you for your continued service to your country. I’ve learned recently the value of sitting in one place for a long period of time and listening and today I’m has added to that understanding and I’m going to try to ask questions that y’all can answer in this format and are within your areas of expertise. And Director Rogers, my first question to you — the exploit that was used by the Russians to penetrate the DNC, was it sophisticated? Was it a zero day exploit? A zero day being some type of — for those that are watching, an exploit that has never been used before?

ROGERS: In an open unclassified forum, I am not going to talk about Russian tactics, techniques or procedures about how they executed their hacks.

HURD: If members of the DNC had not — let me rephrase this, can we talk about spear phishing?

ROGERS: Sure, in general terms, yes sir.

HURD: Spear phishing is when somebody sends an email and they — somebody clicks on something in that email…

ROGERS: Right, the user of things (inaudible) they’re receiving an email either of interest or from a legitimate user, they open it up and they’ll often click if you will on a link — an attachment.

HURD: Was that type of tactic used in the…

ROGERS: Again, I’m not in an unclassified forum just not going to be…

The refusal to discuss the most basic details of this hack — even after the government listed 31 reports describing APT 28 and 29 (and distinguishing between the two) in its updated report on the hacks — is weird, particularly given the level of detail DOJ released on the FSB-related hack of Yahoo. Given that the tactics themselves are not secret (and have been confirmed by FBI, regardless of what information NSA provided), it seems possible that the government is being so skittish about these details because they don’t actually match what we publicly know. Indeed, at least one detail I’ve learned about the documents Guccifer 2.0 leaked undermines the neat GRU-FSB narrative.

Comey did confirm something I’ve been told about the GRU side of the hack: they wanted to be found (whereas the FSB side of the hack had remained undiscovered for months, even in spite of FBI’s repeated efforts to warn DNC).

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

There is mounting evidence that Guccifer 2.0 went to great lengths to implicate Russia in the hack. Confirmation that GRU also went out of its way to make noise during the DNC hack suggests that the second intrusion wanted to be discovered, both inside the DNC network and outside of it.

I have previously pointed to a conflict between what Crowdstrike claimed in its report on the DNC hack and what the FBI told FireEye. Crowdstrike basically said the two hacking groups didn’t coordinate at all (which Crowdstrike took as proof of sophistication). Whereas FireEye said they did coordinate (which it took as proof of sophistication and uniqueness of this hack). I understand the truth is closer to the latter. APT 28 largely operated on its own, but at times, when it hit a wall of sorts, it got help from APT 29 (though there may have been some back and forth before APT 29 did share).

All of which brings me to two questions Elise Stefanik asked. First, she asked — casually raising it because it had “been in the news recently” — whether the FSB was collecting intelligence in its hack of Yahoo.

STEFANIK: Thank you. Taking a further step back of what’s been in the news recently, and I’m referring to the Yahoo! hack, the Yahoo! data breach, last week the Department of Justice announced that it was charging hackers with ties to the FSB in the 2014 Yahoo! data breach. Was this hack done to your knowledge for intelligence purposes?

COMEY: I can’t say in this forum.

STEFANIK: Press reporting indicates that the Yahoo! hack targeted journalists, dissidents and government officials. Do you know what the FSB did with the information they obtained?

COMEY: Same answer.

Again, in spite of the great deal of detail in the indictment, Comey refused to answer these obvious questions.

The question is all the more interesting given that the indictment alleges that Alexsey Belan (who was sanctioned along with GRU in December) had access to Yahoo’s network until December 2016, well after these hacks. More interestingly, Belan was “minting” Yahoo account cookies at least as late as May 20, 2016. That’s significant, because one of the first things that led DNC to be convinced Russia was hacking it was when Ali Chalupa, who was then collecting opposition research on Paul Manafort from anti-Russian entities in Ukraine, kept having her Yahoo account hacked in early May. With the ability to mint cookies, the FSB could have accessed her account without going through a password login, and so without generating a Yahoo notice. Chalupa has recently gone public about some, though not all, of the other frightening things that happened to her last summer (she was sharing them privately at the time). So at a time when the FSB could have accomplished its goals unobtrusively, hackers within the DNC network, Guccifer 2.0 outside of it, and stalkers in the DC area were all alerting Chalupa, at least, to their presence.
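Why a minted cookie is quiet in a way a password login is not, as an added example that is not part of the original post and says nothing about Yahoo’s actual implementation: the toy below assumes a generic HMAC-signed session cookie, a hypothetical server-side key (SERVER_KEY), a one-entry password table and a “new sign-in” notifier that only the password path calls. All of those are constructed for the example. It shows that whoever holds the signing key can mint a cookie for any account, that the cookie passes the same check a legitimate one does, and that no notification is produced, while a cookie altered without the key is rejected and expiry is still enforced.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side signing key and password table, constructed for this example.
SERVER_KEY = b"example-session-cookie-signing-key"
PASSWORDS = {"victim": "correct horse battery staple"}

# Events the hypothetical "new sign-in" mailer would send to the account owner.
NOTIFICATIONS = []


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 tag over the cookie payload, keyed with the server secret."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def mint_cookie(user: str, issued_at: int, ttl: int = 3600) -> str:
    """Build a signed session cookie. Needs the signing key, never the user's password."""
    claims = {"sub": user, "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def login(user: str, password: str, now: int) -> Optional[str]:
    """Password path: the only place a sign-in notification is generated."""
    if PASSWORDS.get(user) != password:
        return None
    NOTIFICATIONS.append(("new-signin", user, now))
    return mint_cookie(user, now)


def verify_cookie(cookie: str, now: int) -> Optional[str]:
    """Return the subject if MAC and expiry check out. Nothing is logged or mailed here."""
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # missing separator or bad base64
        return None
    # Check the tag before parsing anything from the payload.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)  # payload is now known to be server-minted
    if claims["exp"] < now:
        return None
    return claims["sub"]


def cookie_demo(now: int = 1_463_700_000) -> dict:
    """Constructed walk-through; returns the observations worth checking."""
    NOTIFICATIONS.clear()
    legit = login("victim", "correct horse battery staple", now)
    notices_after_login = len(NOTIFICATIONS)

    # Attacker holding SERVER_KEY mints a cookie directly: same access, no notice.
    forged = mint_cookie("victim", now)
    forged_user = verify_cookie(forged, now)
    notices_after_forge = len(NOTIFICATIONS)

    # Attacker without the key: splicing a valid tag onto altered claims fails the MAC.
    _, sig = forged.split(".", 1)
    altered = base64.urlsafe_b64encode(b'{"exp": 9999999999, "sub": "admin"}').decode()
    spliced_user = verify_cookie(altered + "." + sig, now)

    return {
        "legit_user": verify_cookie(legit, now),
        "notices_after_login": notices_after_login,
        "forged_user": forged_user,
        "notices_after_forge": notices_after_forge,
        "spliced_user": spliced_user,
        "expired_user": verify_cookie(forged, now + 7200),
    }


if __name__ == "__main__":
    print(cookie_demo())
```

The point for defenders is that a sign-in notification keyed to the password path tells the account owner nothing about sessions created any other way. If the signing key (or whatever tool mints cookies) is compromised, the only places that can notice are the cookie-validation path itself, for instance by tracking issued session identifiers server-side and alerting on a session that was never recorded as issued, or by rotating the key so every minted cookie dies at once.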

While it seems increasingly likely the FSB officers indicted for the Yahoo hack (one of whom has been charged with treason in Russia) were operating at least partly on their own, it’s worth noting that overlapping Russian entities had three different ways to access DNC targets.

Note, Dianne Feinstein is the one other person I’m aware of who is fully briefed on the DNC hack and who has mentioned the Yahoo indictment. Like Comey, she was non-committal about whether the Yahoo hack related to the DNC hack.

Today’s charges against hackers and Russian spies for the theft of more than 500 million Yahoo user accounts is the latest evidence of a troubling trend: Russia’s sustained use of cyber warfare for both intelligence gathering and financial crimes. The indictment shows that Russia used these cyberattacks to target U.S. and Russian government officials, Russian journalists and employees of cybersecurity, financial services and commercial entities.

There seems to be a concerted effort to obscure whether the Yahoo hack had any role in the hack of the DNC or other political targets.

Finally, Stefanik asked Comey a question I had myself.

STEFANIK: OK, I understand that. How — how did the administration determine who to sanction as part of the election hacking? How — how familiar with that decision process and how is that determination made?

COMEY: I don’t know. I’m not familiar with the decision process. The FBI is a factual input but I don’t recall and I don’t have any personal knowledge of how the decisions are made about who to sanction.

One place you might go to understand the relationship between GRU and FSB would be to Obama’s sanctions, which described the intelligence targets this way.

  • The Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU) is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes.
  • The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.

[snip]

  • Sanctioned individuals include Igor Valentinovich Korobov, the current Chief of the GRU; Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU; Igor Olegovich Kostyukov, a First Deputy Chief of the GRU; and Vladimir Stepanovich Alexseyev, also a First Deputy Chief of the GRU.

Remember, by the time Obama released these sanctions, several FSB officers, including Dmitry Dokuchaev (who was named in the Yahoo indictment) had been detained for treason for over three weeks. But the officers named in the sanctions, unlike the private companies and individual hackers, are unlikely to be directly affected by the sanctions.

The sanctions also obscured whether Belan was sanctioned for any role in the DNC hack.

  • Aleksey Alekseyevich Belan engaged in the significant malicious cyber-enabled misappropriation of personal identifiers for private financial gain.  Belan compromised the computer networks of at least three major United States-based e-commerce companies.

Again, all of this suggests that the intelligence community has reason to want to obscure how these various parts fit together, even while publicizing the details of the Yahoo indictment.

Which suggests a big part of the story is about how the public story deviates from the real story the IC is so intent on hiding.

The Temporal Feint in Adam Schiff’s Neat Narrative

I did four — count them! four! — interviews on the Russian hearing yesterday. And one thing I realized over the course of the interviews is that people were far more impressed with Adam Schiff’s opening speech than they should have been.

I want to look closely at this passage which — if it were accurate — would be a tight little presentation of quid pro quo tied to the change of platform at the July 18-21, 2016 RNC. But it’s not. I’ve bolded the two claims that are most problematic, though the presentation as a whole is misleading.

In early July, Carter Page, someone candidate Trump identified as one of his national security advisors, travels to Moscow on a trip approved by the Trump campaign. While in Moscow, he gives a speech critical of the United States and other western countries for what he believes is a hypocritical focus on democratization and efforts to fight corruption.

According to Christopher Steele, a former British intelligence officer who is reportedly held in high regard by U.S. Intelligence, Russian sources tell him that Page has also had a secret meeting with Igor Sechin (SEH-CHIN), CEO of Russian gas giant Rosneft. Sechin is reported to be a former KGB agent and close friend of Putin’s. According to Steele’s Russian sources, Page is offered brokerage fees by Sechin on a deal involving a 19 percent share of the company. According to Reuters, the sale of a 19.5 percent share in Rosneft later takes place, with unknown purchasers and unknown brokerage fees.

Also, according to Steele’s Russian sources, the Trump campaign is offered documents damaging to Hillary Clinton, which the Russians would publish through an outlet that gives them deniability, like Wikileaks. The hacked documents would be in exchange for a Trump Administration policy that de-emphasizes Russia’s invasion of Ukraine and instead focuses on criticizing NATO countries for not paying their fair share – policies which, even as recently as the President’s meeting last week with Angela Merkel, have now presciently come to pass.

In the middle of July, Paul Manafort, the Trump campaign manager and someone who was long on the payroll of Pro-Russian Ukrainian interests, attends the Republican Party convention. Carter Page, back from Moscow, also attends the convention. According to Steele, it was Manafort who chose Page to serve as a go-between for the Trump campaign and Russian interests. Ambassador Kislyak, who presides over a Russian embassy in which diplomatic personnel would later be expelled as likely spies, also attends the Republican Party convention and meets with Carter Page and additional Trump Advisors JD Gordon and Walid Phares. It was JD Gordon who approved Page’s trip to Moscow. Ambassador Kislyak also meets with Trump campaign national security chair and now Attorney General Jeff Sessions. Sessions would later deny meeting with Russian officials during his Senate confirmation hearing.

Just prior to the convention, the Republican Party platform is changed, removing a section that supports the provision of “lethal defensive weapons” to Ukraine, an action that would be contrary to Russian interests. Manafort categorically denies involvement by the Trump campaign in altering the platform. But the Republican Party delegate who offered the language in support of providing defensive weapons to Ukraine states that it was removed at the insistence of the Trump campaign. Later, JD Gordon admits opposing the inclusion of the provision at the time it was being debated and prior to its being removed.

Later in July, and after the convention, the first stolen emails detrimental to Hillary Clinton appear on Wikileaks. A hacker who goes by the moniker Guccifer 2.0 claims responsibility for hacking the DNC and giving the documents to Wikileaks. But leading private cyber security firms including CrowdStrike, Mandiant, and ThreatConnect review the evidence of the hack and conclude with high certainty that it was the work of APT28 and APT29, who were known to be Russian intelligence services. The U.S. Intelligence community also later confirms that the documents were in fact stolen by Russian intelligence and Guccifer 2.0 acted as a front. [emphasis on most problematic claims mine]

What Schiff tries to do here is suggest that the Russians offered Trump kompromat on Hillary, Trump’s team changed the GOP platform, and then in response the Russians started releasing the DNC emails through Wikileaks.

Later in the hearing, several Republicans disputed the nature of the change in the platform. Both in and outside of the hearing, Republicans have noted that the changed platform matched the policy in place by the Obama Administration at the time: to help Ukraine, but stop short of arming them. All that said, the story on this has clearly changed. The change in the platform clearly shows the influence of Russophiles moving the party away from its hawkish stance, but it’s not enough, in my opinion, to sustain the claims of quid pro quo. [Update: One of the outside the hearing arguments that the platform was not weakened is this Byron York piece b linked, which argues the platform actually got more anti-Russian.]

The bigger problem with Schiff’s neat narrative is the way it obscures the timeline of events, putting the release of DNC emails after the change in platform. That is true with regards to the Wikileaks release, but not the Guccifer 2 release, which preceded the platform change. Moreover, the references in Steele’s dossier Schiff invokes are not so clear cut — the dossier alleges Russia offered kompromat on Hillary unrelated to the stolen emails before any discussion of the Wikileaks emails. I’ve put what Schiff’s timeline would look like if it were not aiming to play up the quid pro quo of the RNC below (note this timeline doesn’t include all Steele reports, just those specifically on point; see also this site for a comprehensive Guccifer related timeline). It shows several things:

  • The changes to the platform preceded the meetings with Sergey Kislyak. Indeed, the first public report on the change in platform even preceded the Kislyak meetings by a day.
  • The stolen documents began to be released well before the platform got changed.
  • The early Steele report on discussions of sharing a dossier of kompromat on Hillary pertains to a dossier dating back decades (even though these reports all post-date the first Guccifer releases, so could have included a discussion of hacked materials). The first explicit reference to the DNC hack comes after Wikileaks started releasing documents (and earlier reports which ought to include such references don’t).
  • The later Steele report tying the Wikileaks release to a change in policy came after the policy had already changed and documents had already been released.
  • The alleged quid pro quo tied to the early July Carter Page meeting was for the lifting of sanctions, not the shift on NATO and Ukraine; the Steele dossier describes the latter as the quid pro quo in exchange for the Wikileaks release only after the emails start coming out from Wikileaks.

Also note: the report that first ties Wikileaks (but not Guccifer) to a quid pro quo is one of the reports that made me raise questions about the provenance of the report as we received it.

This is not lethal for the argument that the Trump campaign delivered on a quid pro quo. For example, if there was extensive coordination, Trump could have changed his policy in March after learning that the Russian military intelligence hack — the one allegedly designed to collect documents to leak — had started. Or perhaps the Guccifer leaks were a down-payment on the full batch. But there’s no evidence of either.

In any case, the narrative, as laid out by Adam Schiff, doesn’t hold together on several points. Trump’s team has not yet delivered on the quid pro quo allegedly tied to the Rosneft brokerage fees that were paid to someone (it’s not public whom) in December — that is, the lifting of sanctions. As laid out here, the descriptions of an offer of a dossier of information on Hillary prior to the Republican platform pertained to stuff going back decades, not explicitly to Wikileaks; the shift of discussion to Wikileaks only came after the emails had already appeared and any Ukraine related policy changes had already been made.

There’s plenty of smoke surrounding Trump and his associates. It doesn’t require fudging the timeline in order to make it appear like a full quid pro quo (and given Jim Comey’s reliance on “coordination” rather than “collusion” in Monday’s discussion, it’s not even clear such quid pro quo would be necessary for a conspiracy charge). Adam Schiff can and should be more careful about this evidence in future public hearings.

Update: Given how remarkably late the references to the stolen emails are in the dossier, I’m linking this post showing how later entries included a feedback loop.


March 19: John Podesta phished (DNC compromise generally understood to date to same time period).

March 31: Trump reportedly embraces pro-Russian stance in foreign policy meeting with advisors.

April 19th: DCLeaks.com registered.

June 8th: DCLeaks.com posts leaks (from post dates).

June 13th: First archived record of DCLeaks posts.

June 15: Crowdstrike report names Russia in DNC hack, first Guccifer 2.0 releases via TSG and Gawker.

June 18: Guccifer releases at WordPress site.

June 20: Steele report presents obviously conflicting information on exchanging intelligence with Trump. A senior Russian Foreign Ministry figure said “the Kremlin had been feeding TRUMP and his team valuable intelligence on his opponents, including … Hillary CLINTON, for several years.” A former top level intelligence officer still active in the Kremlin stated that the Kremlin had been collating a dossier on Hillary, “for many years, dating back to her husband Bill’s presidency, and comprised mainly eavesdropped conversations of various sorts. … Some of the conversations were from bugged comments CLINTON had made on her various trips to Russia and focused on things she had said which contradicted her current position on various issues.” A senior Kremlin official, however, said that the dossier “had not as yet been made available abroad, including to TRUMP or his campaign team.”

July 7-8: Carter Page in Moscow. Allegedly (per later Steele dossier reports) he is offered brokerage fees for the sale of a stake in Rosneft in exchange for ending sanctions on Russia.

July 11-12: Platform drafted.

July 18-21: RNC.

July 18: First report of changes to platform.

July 19: Sergey Kislyak meets numerous Trump associates after a Heritage sponsored Jeff Sessions talk.

July 19: Steele report provides first details of Carter Page meeting in Russia during which Divyekin raises “a dossier of ‘kompromat’ the Kremlin possessed on TRUMP’s Democratic presidential rival, Hillary CLINTON, and its possible release to the Republican’s campaign team.” In context (especially because the same report also warns Trump of kompromat Russia holds on him), this seems to be the dossier going back years also mentioned in the June 20 report, not Wikileaks emails. Certainly no explicit mention of Wikileaks or the hack appears in the report, even though the report is based off July reporting that post-date the first Guccifer 2.0 leaks.

July 22: Wikileaks starts releasing DNC emails.

July 26: Steele report describing conversations from June describes Russian hacking efforts in terms already publicly known to be false. For example, the report claims FSB had not yet had success penetrating American or other “first tier” targets. FSB had success hacking American targets the previous year, including the DNC. This report includes no discussion of the DNC hack or Wikileaks.

Undated July, probably because of report number between July 26 and 30: A report sourced to an “ethnic Russian close associate of Republican US presidential candidate Donald TRUMP” includes the first reference to the DNC hack and WikiLeaks:

[T]he Russian regime had been behind the recent leak of embarrassing e-mail messages, emanating from the Democratic National Committee (DNC) to the Wikileaks platform. The reason for using WikiLeaks was “plausible deniability” and the operation had been conducted with the full knowledge and support of TRUMP and senior members of his campaign team. In return the TRUMP team had agreed to sideline Russian intervention in Ukraine as a campaign issue and to raise US/NATO defence commitments in the Baltics and Eastern Europe to deflect attention away from Ukraine, a priority for PUTIN who needed to cauterise the subject.

July 30: A Russian emigre close to Trump describes concern in the campaign about the DNC email fallout. This report mentions that the Kremlin “had more intelligence on CLINTON and her campaign but he did not know the details or when or if it would be released.” In context, it is unclear whether this refers to stolen documents, though the reference to the campaign suggests that is likely.

August 5: Steele report describes Russian interference as a botched operation, discusses wishful thinking of Trump withdrawing.

August 10: Steele report discusses the “impact and results of Kremlin intervention in the US presidential election to date” claiming Russia’s role in the DNC hack was “technically deniable.” This report conflicts in some ways with the August 5 report, specifically with regards to the perceived success of the operation.

September 14: Steele report referencing kompromat on Hillary clearly in context of further emails.

October 18: More detailed Steele report account of Carter Page meeting, including date. It asserts that “although PAGE had not stated it explicitly to SECHIN, he had clearly implied that in terms of his comment on TRUMP’s intention to lift Russian sanctions if elected president, he was speaking with the Republican candidate’s authority.”

October 19: More Steele report accounting of Michael Cohen’s August attempts to clean up after Manafort and Page.

The Tripartite (At Least) Structure of the Russian Hack Investigation

As I mentioned in this post, on Saturday, Reuters offered the most comprehensive description of the structure of the FBI investigation into the DNC hack. As it describes there are “at least” three distinct probes into the DNC hack: one led by counterintelligence agents based in DC, one in Pittsburgh targeted at the hack of the DNC itself, and one in San Francisco targeted at the Guccifer 2 persona.

That structure is interesting for a number of reasons, not least that, in recent years, FBI has assigned cyber investigative teams to geographical offices that have developed certain expertise. I’m most interested that FBI has split the Guccifer 2 side of the investigation off from the hack of the DNC.

DC: The Counterintelligence investigation

Let’s start with the DC investigation. Contrary to what you may think, a good deal of the attention on Trump’s close advisors stems from behavior that barely involves the DNC hack, if at all, but instead focuses on larger discussions of quid pro quo. Here’s what has been publicly alleged, mostly in the Trump dossier. Reminder, these are only allegations! 

Paul Manafort, using Carter Page as a go between, conducts on-going quid pro quo about attacks on Hillary in exchange for distracting from Ukraine issues. (PDF 8)

Carter Page conducts a meeting with Rosneft CEO (and US sanction target) Igor Sechin in Moscow. The two discuss a quid pro quo tying brokerage fees on the sale of a 19% stake in Rosneft to the lifting of sanctions. (PDF 9, 30) On the same visit, Page meets top Kremlin official Divyekin, who explains to Page what kind of compromising information they had on both Trump and Hillary. (PDF 9)

A Kremlin figure describes Russian efforts to reach out to some in the US, including Jill Stein, Mike Flynn, and Carter Page. (PDF 15)

At a meeting in August, Yanukovych admits to Putin that he had paid off Manafort, but had covered it up. According to Steele’s sources, Putin doubts how well Yanukovych had covered his tracks. (PDF 20-21)

Trump lawyer Michael Cohen meets with Russian Presidential Administration figures, including Oleg Solodukhin, operating under the cover of the Rossotrudnichestvo organization, in Prague in August. According to two pre-election reports, this meeting was to clean up fall-out of prior contacts with Manafort (here described exclusively in terms of his involvement in Ukraine) and Page (described as the quid pro quo on sanctions). (PDF 18, 31-32) According to a post-election report, the meeting also discusses payments and cover-up of Europe-based hackers, who would be paid by both the Russians and Trump. (PDF 34-35) The role of Cohen — whose wife is Russian and whose father-in-law is a key Russian developer — as liaison to Russia is key. Note, information likely indicating intelligence sourcing is redacted in two of these reports. (PDF 30, 34)

The one other Trump figure mentioned in allegations of Russian ties, Roger Stone, is not mentioned in the dossier, though his role has exclusively been described as a potential knowing go-between with Wikileaks. (The error I mentioned I made in the OTM interview was in forgetting Cohen, whose role is central, and instead mentioning Stone.)

In other words, while allegations of involvement with Russia do touch on the DNC hack, for both Manafort and Page, the evidence focuses more on old-fashioned influence peddling. The evidence against Flynn in the dossier is exclusively that of cultivation.

Only Cohen, though, is strongly and repeatedly alleged in the dossier to have had a role in both the influence peddling and arranging — and paying! — for the DNC hack (though a weak allegation against Manafort is made in an early report).

Yesterday, NYT reported that Cohen tried to pitch a crazy “peace” deal for Ukraine to Mike Flynn not long before the latter was caught on an intercept with Russia’s Ambassador.

A week before Michael T. Flynn resigned as national security adviser, a sealed proposal was hand-delivered to his office, outlining a way for President Trump to lift sanctions against Russia.

Mr. Flynn is gone, having been caught lying about his own discussion of sanctions with the Russian ambassador. But the proposal, a peace plan for Ukraine and Russia, remains, along with those pushing it: Michael D. Cohen, the president’s personal lawyer, who delivered the document; Felix H. Sater, a business associate who helped Mr. Trump scout deals in Russia; and a Ukrainian lawmaker [named Andrii Artemenko].

Note that Sater, who has mobbed-up business ties with Trump that the latter has denied, also allegedly has worked for the CIA.

All of this is a way of saying that several of Trump’s advisors — especially Cohen — have been alleged to have dodgy ties to Russia, but much if not most of that pertains to influence peddling tied to Ukraine and sanctions imposed in retaliation for Russian involvement in Ukraine. So even beyond the different technical and security requirements of the investigation (not to mention any sensitivity involving the CIA), such an investigation sensibly would reside in FBI’s CI world. Thus the DC investigation.

Pittsburgh: The DNC hackers

As Reuters describes it, the Pittsburgh inquiry is examining who hacked the DNC (curiously, it makes no mention of John Podesta or any other hack target).

The FBI’s Pittsburgh field office, which runs many cyber security investigations, is trying to identify the people behind breaches of the Democratic National Committee’s computer systems, the officials said. Those breaches, in 2015 and the first half of 2016, exposed the internal communications of party officials as the Democratic nominating convention got underway and helped undermine support for Hillary Clinton.

The Pittsburgh case has progressed furthest, but Justice Department officials in Washington believe there is not enough clear evidence yet for an indictment, two of the sources said.

It’s not just that Pittsburgh conducts a lot of cyber security investigations — though it has been involved in some key multinational cybercrime investigations (and perhaps as importantly, infrastructure take-downs). In addition to international partnerships in those investigations, it partners closely with Carnegie Mellon’s CERT, which is best known for developing an attack on Tor the FBI uses (the legal follow-up to 2014’s Operation Onymous, which exposed it, went through SDNY in Manhattan, though that would have been before FBI started assigning investigations by geography).

Pittsburgh is also where the most discussed indictment of a nation-state hacking group — that of Chinese People’s Liberation Army hackers, mostly for spying on negotiations — came through (most of the victim companies were there too, but that was probably because they could all serve as victims without compromising national security). I will be interested to see whether the FBI assigned this investigation to Pittsburgh before or after Crowdstrike declared the DNC hack a state-sponsored hack.

San Francisco: Guccifer 2

Finally, there is the investigation into Guccifer 2, the persona who claimed to have hacked the DNC, who took credit for handing the documents to WikiLeaks, and who allegedly had ties to DC Leaks. Here’s how Reuters describes this part of the investigation:

Meanwhile the bureau’s San Francisco office is trying to identify the people who called themselves “Guccifer 2” and posted emails stolen from Clinton campaign manager John Podesta’s account, the sources said. Those emails contained details about fundraising by the Clinton Foundation and other topics.

The language here is really curious. The strongest case that Russia’s GRU hacked a Democratic target involves Podesta. And Guccifer didn’t post any Podesta emails. Guccifer claimed to have posted Clinton Foundation documents, though the documents appeared to be DCCC documents, my comment on which elicited an unsolicited response from Guccifer.

Reuters is actually not the first outlet to report that San Francisco was investigating Guccifer. I believe credit for that goes to Ellen Nakashima’s report, the day before Obama imposed sanctions, on how the US might retaliate.

Criminal indictments of Russians might become an option, officials said, but the FBI has so far not gathered enough evidence that could be introduced in a criminal case. At one point, federal prosecutors and FBI agents in San Francisco considered indicting Guccifer 2.0, a nickname for a person or people believed to be affiliated with the Russian influence operation and whose true identity was unknown.

In December, at least, it appears the FBI did not know Guccifer’s identity though they still believed it to be tied to Russia. Nevertheless that part of the investigation had already been spun out to San Francisco, the other side of the country from the Pittsburgh hack investigation.

Now, there have always been reasons to doubt the interpretation that Russian metadata invoking Felix Dzerzhinsky was proof that Guccifer was Russian, rather than disinformation casting blame on Russia. Here are two more recent pieces making that argument. And in Guccifer’s most recent posting — posted on January 12 but fairly obviously written and posted in advance — the persona used proper English. Nevertheless, that’s presumably not why this part of the investigation got spun off.

There are several other possibilities explaining why the Guccifer investigation is in San Francisco. That office, too, does a ton of cyber investigations, but virtually all of those involve Bay Area companies targeted as victims. So it’s possible the San Francisco office is leading the investigation because of some tie with an area company. Guccifer posted on WordPress, which is headquartered in San Francisco, so that could explain it. It’s also possible FBI believes there is a tie between Guccifer and Shadow Brokers. The latter persona is not mentioned by Reuters, but they are surely also being investigated, perhaps even separately from the Hal Martin investigation in Maryland. If that’s the case, the victim American firewall companies exposed in the first release are all headquartered in Silicon Valley (though they were initially victimized by NSA’s TAO hackers, unless the companies knew NSA was using those back doors).

There are two other interesting cases that might suggest why the Guccifer part of the investigation is out in San Francisco. First, the corrupt government agents who stole Bitcoin while they were investigating Silk Road were investigated and tried out there. I’ve always suspected that was done to make it harder for Ross Ulbricht to access information on that investigation in discovery (if that was the intent, it worked like a charm!). I’m not suggesting there’s anything like that going on here, but I can imagine reasons why the FBI might want to firewall some parts of this investigation from others.

Finally, note that Yevgeniy Aleksandrovich Nikulin, the credential theft hacker arrested in Prague in October, was investigated out of San Francisco, explicitly because his alleged victims are also located in the Bay Area. There have always been hints that that arrest might tie into the Russian investigation (not least because Nikulin is Russian), but this would seem to suggest there’s a tangential tie to it. So perhaps by the time FBI split up this investigation that theory had been developed.

Update: Laura Rozen reminds me via Twitter that Russia’s San Francisco Consulate was one of the locales from which diplomats were expelled.

A final comment. As interesting as it is that this investigation has split into three, I find it just as interesting that EDVA is not involved in it, which is where most international hacking investigations take place. I’ve got no explanation for why that might be, but it is as interesting a question as why the Guccifer investigation got sent out to San Francisco.

One thing is clear, though: For some reason, FBI thought it best to split two parts of what has been widely believed to have been a single operation — the hacking and (some of) the leaking — and conduct them completely across the country from each other.

On the DNC-FBI Spat Over the DNC Server

The Ukrainian Ministry of Defense issued a statement in response to the media coverage following the CrowdStrike claim that malware in an artillery app had a role in massive casualties among Ukraine’s howitzer units. The Google translation (note, it has not yet been translated into English, which itself may say something about intended audience) of it reads,

In connection with the emergence in some media reports which stated that the alleged “80% howitzer D-30 Armed Forces of Ukraine removed through scrapping Russian Ukrainian hackers software gunners,” Land Forces Command of the Armed Forces of Ukraine informs that the said information is incorrect.

According Command Missile Forces and Artillery Land Forces of Ukraine, artillery weapons lost during the time of ATO times smaller than the above and are not associated with the specified cause. Currently, troops Missile Forces and Artillery Army Forces of Ukraine fully combat-ready, staffed and able to fulfill the missions.

Ministry of Defence of Ukraine asks journalists to publish only verified information received from the competent official sources. Spreading false information leads to increased social tension in society and undermines public confidence in the Armed Forces of Ukraine.

Understand what this is: it is in no way a denial that malware infected the artillery app (though it’s also, given that it comes from a country at war with Russia that wants people to stop using this to implicate Russia, not confirmation the malware is Russian). Rather, it is a correction for local journalists to an avowedly pro-Russian source used by Crowdstrike claiming that Ukraine faced 80% losses. And it is a statement that artillery losses from the period in question are due to something else (perhaps the drones that Crowdstrike admitted were involved in the fighting).

Mostly, it’s a complaint that Crowdstrike’s speculative report made Ukraine look bad. As I’ve noted, Crowdstrike released the report, which was meant to explain why its previously “medium” confidence that GRU had hacked the DNC was now “high,” before it had spoken to the app developer (or, as this statement makes clear, to Ukraine’s MOD).

I raise all that as background to the spat Buzzfeed’s Ali Watkins reported on yesterday between the DNC and FBI. In the morning, she reported the DNC claim that the FBI had inexplicably never, itself, accessed the DNC servers.

Six months after the FBI first said it was investigating the hack of the Democratic National Committee’s computer network, the bureau has still not requested access to the hacked servers, a DNC spokesman said. No US government entity has run an independent forensic analysis on the system, one US intelligence official told BuzzFeed News.

“The DNC had several meetings with representatives of the FBI’s Cyber Division and its Washington (DC) Field Office, the Department of Justice’s National Security Division, and U.S. Attorney’s Offices, and it responded to a variety of requests for cooperation, but the FBI never requested access to the DNC’s computer servers,” Eric Walker, the DNC’s deputy communications director, told BuzzFeed News in an email.

Over the course of the day, many people explained that that’s fairly normal. Crowdstrike would have imaged the server, which would provide FBI what it needed.

But the snipe to Watkins was not the first time DNC has presented their case in a light that makes FBI look as bad as possible — they did that with the NYT, too. And so it was inevitable that the FBI would eventually push back, as they did later in the day with Watkins.

“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated. This left the FBI no choice but to rely upon a third party for information,” a senior law enforcement official told BuzzFeed News in a statement. “These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”

Which promptly led the same DNC that originally leaked a claim making the FBI look bad to bitch about “haters.”

A DNC source familiar with the investigation tried to downplay that report on Thursday, hours before the FBI statement was issued. The fact that the FBI didn’t have direct access to the servers was not “significant,” the source said.

“I just don’t think that that’s really material or an important thing,” the source continued. “They had what they needed. There are always haters out here.”

In general, I think people are right that you can learn what you need to about a typical breach from an imaged server and the server logs. Indeed, the FBI rebuttal here doesn’t even address whether they needed to get the server. Rather, they just said that there was a delay in their access to the data, not that they didn’t eventually get the data they needed.

And it’s true that there was a delay.

FBI gave the DNC the information they needed to start responding to the FSB hack in September 2015, but the FBI wasn’t brought in formally until maybe June 2016. That doesn’t necessarily excuse that they didn’t escalate sooner (the FBI may have had other reasons not to and I expect we may one day learn that the FBI contacted people beyond just the contractor IT guy), but it does mean that the FBI repeatedly tried to help and the DNC did not accept that help until months later.

Underlying all this is surely the distrust that stems from a political party believing the FBI was conducting a witch hunt of its principal (they’d be proven right a month after the breach became public), though the FBI agents investigating the DNC hack were surely different from the ones investigating Hillary’s server. There may have even been other reasons the DNC didn’t want the FBI nosing around their servers.

Still, we now know they did not ever access DNC’s servers themselves.

And I think in this case they should have, for two reasons.

The Hill story covering this bickering includes this quote from a former FBI agent describing one reason why.

“In nine out of 10 cases, we don’t need access, we don’t ask for access, we don’t get access. That’s the normal [procedure],” Leo Taddeo, a former special agent in charge of the cyber division of the FBI’s New York office, told The Hill.

“It’s extraordinarily rare for the FBI to get access to the victim’s infrastructure because we could mess it up,” he added. “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Asking for direct access to a server wouldn’t be necessary, Taddeo said, “unless there was a reason to think the victim was going to alter the evidence in some way.”

You don’t need access to the server itself unless you’ve got reason to believe the victim altered the evidence. From the very first, you had an entity, Guccifer 2.0, challenging the attribution Crowdstrike made on the server. Abundant analysis has proven that Guccifer is a liar, but Chinese and Iranians and Americans lie just as often as Russians do.

Plus, months after the hack, people started claiming that the source for the files that got to Wikileaks came from an insider. Which, if true (I don’t think it is, but nevertheless it is a competing theory, one that given the animosity within the Democratic party last year is not impossible), would mean that the victim might have altered the evidence.

There’s another reason why the FBI should have double checked the forensics, if they hadn’t already: because (we learned six months after the fact) Crowdstrike only ever had medium confidence that GRU had hacked the DNC based on the forensics they examined.

While CrowdStrike, which was hired by the DNC to investigate the intrusions and whose findings are described in a new report, had always suspected that one of the two hacker groups that struck the DNC was the GRU, Russia’s military intelligence agency, it had only medium confidence.

Now, said CrowdStrike co-founder Dmitri Alperovitch, “we have high confidence” it was a unit of the GRU. CrowdStrike had dubbed that unit “Fancy Bear.”

And Crowdstrike only came to have high confidence in that attribution by writing a paper that multiple Ukrainian sources (not exactly Russian shills) have now pushed back on. That is, nothing in the original forensics changed, as far as we know; external evidence, of whatever quality, led to a change in confidence.

Which means the forensics themselves are not a slam dunk.

I’m beginning to see a hole in all the other security firms’ validation of Crowdstrike’s original attribution, which I hope to return to (though not before next week). In any case, it’d be useful for FBI to have really vetted this work, given that we’ve turned this into an international incident.

So, yeah, the FBI never obtained the DNC server full of political information the government really shouldn’t possess, particularly not an agency perceived to be really hostile to that political party.

But maybe, in this case, they should have.