Did GRU Learn that Democrats Had Hired Christopher Steele When They Hacked DNC’s Email Server?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

According to Glenn Simpson’s SJC testimony, he hired Christopher Steele in May or June of 2016 to investigate Trump’s ties to Russia.

Q. And when did you engage Mr. Steele to conduct opposition research on Candidate Trump?

A. I don’t specifically recall, but it would have been in the — it would have been May or June of 2016.

Q. And why did you engage Mr. Steele in May or June of 2016?

Simpson is maddeningly vague (undoubtedly deliberately) on this point. In one place he suggests he hired Steele after DCLeaks was registered and amid a bunch of chatter about Democrats being hacked, which would put it after June 8 and probably after June 15.

Q. So at the time you first hired him had it been publicly reported that there had been a cyber intrusion into the Democratic National Convention computer system?

A. I don’t specifically remember. What I know was that there was chatter around Washington about hacking of the Democrats and Democratic think tanks and other things like that and there was a site that had sprung up called D.C. Leaks that seemed to suggest that somebody was up to something. I don’t think at the time at least that we were particularly focused on — well, I don’t specifically remember.

But in his more informative HPSCI testimony, he suggests he may have started talking to Steele about collecting intelligence on Trump in May.

MR. QUIGLEY: When exactly did he start working under contract?

MR. SIMPSON: My recollection is that, you know, we began talking about the — I don’t remember when we started talking about the engagement, but the work started in June, I believe.

MR. QUIGLEY: Okay.

MR. SIMPSON: Possibly late May, but –

Given one detail in Mueller’s GRU Indictment, that difference may be critical.

Recall that the DNC figured out they had been hacked in April, and brought in Perkins Coie (the same firm that would engage Fusion GPS) for help. The attorney helping them respond to the hack, Michael Sussmann, warned them not to use DNC email to discuss the hack, because it might alert hackers they were onto them.

The day before the White House Correspondents’ Association dinner in April, Ms. Dacey, the D.N.C.’s chief executive, was preparing for a night of parties when she got an urgent phone call.

With the new monitoring system in place, Mr. Tamene had examined administrative logs of the D.N.C.’s computer system and found something very suspicious: An unauthorized person, with administrator-level security status, had gained access to the D.N.C.’s computers.

“Not sure it is related to what the F.B.I. has been noticing,” said one internal D.N.C. email sent on April 29. “The D.N.C. may have been hacked in a serious way this week, with password theft, etc.”

No one knew just how bad the breach was — but it was clear that a lot more than a single filing cabinet worth of materials might have been taken. A secret committee was immediately created, including Ms. Dacey, Ms. Wasserman Schultz, Mr. Brown and Michael Sussmann, a former cybercrimes prosecutor at the Department of Justice who now works at Perkins Coie, the Washington law firm that handles D.N.C. political matters.

“Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

Mr. Sussmann instructed his clients not to use D.N.C. email because they had just one opportunity to lock the hackers out — an effort that could be foiled if the hackers knew that the D.N.C. was on to them.

“You only get one chance to raise the drawbridge,” Mr. Sussmann said. “If the adversaries know you are aware of their presence, they will take steps to burrow in, or erase the logs that show they were present.”

The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.

But it’s not clear whether Sussmann warned this small team of people against using DNC emails at all, or just those emails discussing the hack.

Previously, I had always guesstimated how long after DNC brought Crowdstrike in the emails ultimately shared with WikiLeaks got exfiltrated from this analysis, based on the last dates of stolen emails and DNC’s email deletion policies in place at the time. It was a damned good estimate — May 19 to May 25.

But according to the indictment, the theft of the DNC emails happened later: starting on May 25, not ending on it.

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

The indictment doesn’t describe the entire universe of emails stolen — whether GRU stole just the 9 email boxes shared with WikiLeaks, or whether they obtained far more.

But the later date — possibly reaching as late as June 1 — means it’s possible GRU stole emails involving top DNC officials, officials involved in opposition research activities (as both Guccifer 2.0 and the DNC itself said had been a focus), including the activity of hiring a former MI6 officer to chase down Trump’s illicit ties to Russians.

Don’t get me wrong. If the Russians did, in fact, learn about the Steele effort and manage to inject his known reporting chain with disinformation, there were plenty of other possible ways they might have learned of the project: the several people overlapping between Fusion GPS’ Prevezon team and its Trump team, Rinat Akhmetshin who learned of the dossier from a chatty NYT editor, or maybe a close Trump ally like Sergei Millian. The sad thing about this disinformation project is it was so widely disseminated, any HUMINT integrity could have easily been compromised early in the process.

But the timeline laid out in the GRU indictment adds one more, even earlier possible way: that Russia learned the Democrats were seeking HUMINT from Russians about Russia’s efforts to help Trump from the Democrats’ own emails.

The Info Ops Unit at GRU, Not the Technical Hacking Unit, Hacked the State Boards of Election Servers

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

Yesterday, there was a big to-do on Twitter about a story (which subsequently got pulled) claiming that vote totals got changed as part of the Russian attack on the 2016 election. I don’t care to engage the story — which I understand was very weak — directly. There are multiple ways for Russian efforts to have affected the outcome of the election, and the evidence increasingly supports a conclusion that that happened, without vote totals getting changed.

That said, given the focus on changing vote tallies, I want to note something about Mueller’s GRU hacker indictment that has gotten almost no attention. Twelve men were indicted, from two different units of GRU, Units 26165 and 74455. The indictment describes the activities of each department in a way that generally suggests a division of labor, with Unit 26165 carrying out core hacking activities and Unit 74455 carrying out information operations. Here’s what that breakdown looks like.

Unit 26165

Address: 20 Komsomolskiy Prospekt (this is the location spied on by the Dutch intelligence agency, AIVD).

Charged individuals:

  • Viktor Netyksho: Commands Unit 26165
    • Boris Antonov: “Head of Department” that oversees spear-phishing targeting
      • Dmitriy Badin: “Assistant Head of Department” conducting spear-phishing targeting
      • Ivan Yermakov: works for Antonov, uses identities Kate Milton, James McMorgans, Karen Millen. Hacked at least two email accounts the contents of which were released by DCLeaks. Helped hack the DNC email server, the contents of which were released through WikiLeaks.
      • Aleksey Lukashev: Senior Lieutenant in Antonov’s department. Uses identities Den Katenberg, Yuliana Martynova. Sent spear-phishing emails to Clinton campaign, including the one to John Podesta.
    • Sergey Morgachev: Lieutenant Colonel who oversaw department that developed and managed X-Agent.
      • Nikolay Kozachek: Lieutenant Captain. Used monikers including “kazak” and “blablabla1234565.” Developed, customized, and monitored X-Agent used to hack DCCC.
      • Pavel Yershov: Helped customize and test X-Agent before deployment against DCCC.
      • Artem Malyshev: Second Lieutenant in Morgachev’s department. Used handles “djangomagicdev” and “realblatr.” Monitored X-Agent implanted in DCCC and DNC servers.

Charged actions attributed to named defendants:

  • ¶21-22: Spear-phishing targets
  • ¶23-25: Hacking into DCCC
  • ¶29-30: Stealing DCCC and DNC documents
  • ¶33: Persistence in DCCC and DNC servers

Crimes charged to named defendants:

  • Count One: CFAA
  • Counts Two through Nine: Aggravated Identity Theft
  • Count Ten: Conspiracy to Launder Money

Unit 74455

Address: 22 Kirova Street, Khimki (the Tower)

Charged individuals:

  • Aleksandr Osadchuk: Colonel and commanding officer of 74455, which assisted in release of stolen documents through DCLeaks, Guccifer 2.0, and the publication of anti-Clinton propaganda on social media.
    • Aleksey Potemkin (!!): A supervisor in the department responsible for administration of computer infrastructure used to assist in the release of DCLeaks and Guccifer 2.0 documents.
    • Anatoliy Kovalev: officer assigned to 74455 involved in hacks of State Boards of Election.

Charged actions attributed to named defendants:

  • ¶38: Operating fictitious personas promoting DCLeaks
  • ¶71-78: Hacking into State Boards of Election (SBOEs) and VR Systems

Crimes charged to named defendants:

  • Count One: CFAA
  • Counts Two through Nine: Aggravated Identity Theft
  • Count Ten: Conspiracy to Launder Money
  • Count Eleven: Conspiracy to Commit an Offense against the US

Generally, the indictment describes Unit 26165 as being in charge of the technical hacking, including excruciating detail on what named officer played what role in phishing and malware deployment activities (probably thanks to the AIVD intelligence). The description of the information operations — running DC Leaks and Guccifer 2.0 and working with WikiLeaks — is less specific as to which officer did what, but the indictment clearly assigns those activities to Unit 74455. In any case, the indictment appears to suggest a division of labor, where Unit 26165 carries out the technical hacking and Unit 74455 carries out the information operations.

All 12 GRU officers are charged in Counts One through Ten.

Count Eleven, the ConFraudUs charge, is an outlier, however, in two ways. First, just Unit 74455 officers — Osadchuk and Kovalev — are charged in this operation. And aside from the indictment’s description that Potemkin (!!) runs the infrastructure for Unit 74455, just the description of the phish of the State Boards of Election and VR Systems includes specific details about which Unit 74455 officer was involved in activities attributed to that unit.

All of which is to say that, for some reason, what is described as an information operations unit — Unit 74455 — conducted the hack of election infrastructure, not the technical hacking unit that carried out the other phishes of Democratic targets.

Perhaps the division of labor between these two units is not so clear-cut as the indictment lays out. But if it is, then there may be an explanation why the information operations department would be hacking election infrastructure. Remember that in the days leading up to the election, Guccifer 2.0 — according to the indictment, a Unit 74455 operation — predicted the Democrats might “rig the elections.”

Hacks on SBOEs and election vendors would be an easy piece of evidence to point to in claiming that Democrats had stolen the election. That is, it could be that these hacks (which, given that Illinois was targeted most aggressively, weren’t going to alter the presidential election) may have been propaganda designed to undermine the Hillary win that never materialized.

Mind you, I still await the results of the investigation into whether there was a tie between the VR Systems hack and oddities in Durham County, NC on election day, something that would amount to voter suppression rather than altering vote tallies.

But it is at least possible that the attacks on our voting infrastructure were designed as propaganda, this time at least, rather than as an attempt to use the information obtained.

How to Charge Americans in Conspiracies with Russian Spies?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In general, Jack Goldsmith and I have long agreed about the problems with charging nation-state spies in the United States. So I read with great interest his post laying out “Uncomfortable Questions in the Wake of Russia Indictment 2.0 and Trump’s Press Conference With Putin.” Among other larger normative points, Goldsmith asks two questions. First, does indicting 12 GRU officers in the US expose our own nation-state hackers to be criminally prosecuted in other countries?

This is not a claim about the relative moral merits of the two countries’ cyber intrusions; it is simply a claim that each side unequivocally breaks the laws of the other in its cyber-espionage activities.

How will the United States respond when Russia and China and Iran start naming and indicting U.S. officials?  Maybe the United States thinks its concealment techniques are so good that the type of detailed attribution it made against the Russians is infeasible.  (The Shadow Brokers revealed the identities of specific NSA operators, so even if the National Security Agency is great at concealment as a matter of tradecraft that is no protection against an insider threat.)  Maybe Russia and China and Iran won’t bother indicting U.S. officials unless and until the indictments actually materialize into a trial, which they likely never will.  But what is the answer in principle?  And what is the U.S. policy (if any) that is being communicated to military and civilian operators who face this threat?  What is the U.S. government response to former NSA official Jake Williams, who worked in Tailored Access Operations and who presumably spoke for many others at NSA when he said that “charging military/gov hackers is dumb and WILL eventually hurt the US”?

Second, how would any focus on WikiLeaks expose journalists in the United States to risks of prosecution themselves?

There is a lot of anger against WikiLeaks and a lot of support for indicting Julian Assange and others related to WikiLeaks for their part in publishing the information stolen by the Russians.  If Mueller goes in this direction, he will need to be very careful not to indict Assange for something U.S. journalists do every day.  U.S. newspapers publish information stolen via digital means all the time.  They also openly solicit such information through SecureDrop portals.  Some will say that Assange and others at WikiLeaks can be prosecuted without threatening “real journalists” by charging a conspiracy to steal and share stolen information. I am not at all sure such an indictment wouldn’t apply to many American journalists who actively aid leakers of classified information.

I hope to come back to the second point. As a journalist who had a working relationship with someone she came to believe had a role in the attack, I have thought about and discussed the topic with most, if not all, the lawyers I consulted on my way to sitting down with the FBI.

For the moment, though, I want to focus on Goldsmith’s first point, one I’ve made in the past repeatedly. If we start indicting uniformed military intelligence officers — or even contractors, like the trolls at Internet Research Agency might be deemed — do we put the freedom of movement of people like Jake Williams at risk? Normally, I’d absolutely agree with Goldsmith and Williams.

But as someone who has already written extensively about the ConFraudUs backbone that Robert Mueller has built into his cases, I want to argue this is an exception.

As I’ve noted previously, while Rod Rosenstein emphasized that the Internet Research Agency indictment included no allegations that Americans knowingly conspired with Russians, it nevertheless did describe three Americans whose activities in response to being contacted by Russian trolls remain inconclusive.

Rod Rosenstein was quite clear: “There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity.” That said, there are three (presumed) Americans who, both the indictment and subsequent reporting make clear, are treated differently in the indictment than all the other Americans cited as innocent people duped by Russians: Campaign Official 1, Campaign Official 2, and Campaign Official 3. We know, from CNN’s coverage of Harry Miller’s role in building a cage to be used in a fake “jailed Hillary” stunt, that at least some other people described in the indictment were interviewed — in his case, for six hours! — by the FBI. But no one else is named using the convention to indicate those not indicted but perhaps more involved in the operation. Furthermore, the indictment doesn’t actually describe what action (if any) these three Trump campaign officials took after being contacted by trolls emailing under false names.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

Again, the DOJ convention of naming makes it clear these people have not been charged with anything. But we know from other Mueller indictments that those specifically named (which include the slew of Trump campaign officials named in the George Papadopoulos plea, KT McFarland and Jared Kushner in the Flynn plea, Kilimnik in the Van der Zwaan plea, and the various companies and foreign leaders that did Manafort’s bidding, including the Podesta Group and Mercury Public Affairs in his indictment) may be the next step in the investigation.

In the GRU indictment, non-US person WikiLeaks is given the equivalent treatment.

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

But the activities of other American citizens — most notably Roger Stone and Donald Trump — are discussed obliquely, even if they’re not referred to using the standard of someone still under investigation. Here’s the Roger Stone passage.

On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back. . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”

The Trump one, of course, pertains to the response GRU hackers appear to have made when he asked for Russia to find Hillary’s emails on July 27.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third‑party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy‐six email addresses at the domain for the Clinton Campaign.

Finally, there is yesterday’s Mariia Butina complaint, which charges her as an unregistered Russian spy and describes Aleksandr Torshin as her boss, but which also describes the extensive and seemingly willful cooperation with Paul Erickson and another American, as well as with the RNC and NRA. Here’s one of the Americans, for example, telling Butina that her Russian bosses should take the advice he had given her about which Americans she needed to meet.

If you were to sit down with your special friends and make a list of ALL the most important contacts you could find in America for a time when the political situation between the U.S. and Russia will change, you could NOT do better than the list that I just emailed you. NO one — certainly not the “official” Russian Federation public relations representative in New York — could build a better list.

[snip]

All that you friends need to know is that meetings with the names on MY list would not be possible without the unknown names in your “business card” notebook. Keep them focused on who you are NOW able to meet, NOT the people you have ALREADY met.

Particularly as someone whose communications (including, but not limited to, that text) stand a decent chance of being quoted in an indictment in the foreseeable future, let me be very clear: none of these people have been accused of any wrong-doing.

But they do suggest a universe of people who have attracted investigative scrutiny, both by Mueller and by NSD, as willing co-conspirators with Russian spies.

Granted, there are three different kinds of Russian spies included in these three documents:

  • Uniformed military intelligence officers working from Moscow
  • Civilian employees who might be considered intelligence contractors working from St. Petersburg (though with three reconnaissance trips to the US included)
  • Butina and Torshin, both of whom probably committed visa fraud to engage as unregistered spies in the US

We have a specific crime for the latter (and, probably, the reconnaissance trips to the US by IRA employees), and if any of the US persons and entities in Butina’s indictment are deemed to have willingly joined her conspiracy, they might easily be charged as well. Eventually, I’m certain, Mueller will move to start naming Americans (besides Paul Manafort and Rick Gates) in conspiracy indictments, including ones involving Russian spies operating from Russia (like Konstantin Kilimnik). It seems necessary to include the Russians in some charging documents, because otherwise you’ll never be able to lay out the willful participation of everyone, Russian and American, in the charging documents naming the Americans.

So while I generally agree with Goldsmith and Williams, in this case, where we’re clearly discussing a conspiracy between Russian spies — operating both from the US and from Russia (and other countries), wearing uniforms and civilian clothing — and Americans, it seems important to include them in charging documents somewhere.

Yesterday, Roger Stone Answered, then Backtracked, on a Question Mueller Has Already Posed to Trump

As I laid out last week, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Contrary to Trump’s squeals about the hack indictment yesterday, it’s utterly damning for him. It shows:

  • Russian hackers responded to his plea for more Hillary emails by targeting her office that same day
  • Trump’s lifelong political advisor, Roger Stone, was described directly communicating with a GRU-run persona
  • Stone’s own advisor on these matters, then Breitbart and current Sputnik journalist Lee Stranahan, asked for and obtained files from the same GRU-run persona
  • GRU stole Hillary’s analytics in September, the heart of the general election, and did … the indictment doesn’t say what GRU did with the data
  • The same GRU persona made available information helping some of Trump’s most vocal defenders in Congress, ones he has discussed pushback strategies with on Air Force One

Like my own testimony, because this investigation started in Pittsburgh, and only later got moved under Mueller sometime last fall (I know one key witness who was about to speak to prosecutors when I saw him in October), it minimally overlaps with Peter Strzok’s involvement in the case, if at all.

In this post, I want to look at the second bullet: Roger Stone.

Since Stone got described in an indictment of those who helped Trump win the election, he has (as is his habit) provided conflicting explanations, first suggesting it wasn’t him, then suggesting it couldn’t be him because he wasn’t “a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump,” as the indictment described.

My contact with the campaign in 2016 was Donald Trump. I was not in regular contact with campaign officials.

Only, this morning (as Ryan Goodman noted), Stone has changed his tune, admitting that he did talk to Trump campaign officials and probably is the person described in the indictment who said all the things he said in his DMs to Guccifer 2.0.

I certainly acknowledge that I was in touch with Trump campaign officials.

Here’s why Stone’s changing story about whether he only spoke with Trump or in fact spoke with other campaign officials matters. Among the questions (as interpreted by Jay Sekulow) that Mueller has already posed to Trump is this one:

What did you know about communication between Roger Stone, his associates, Julian Assange or Wikileaks?

Mueller wants to know how much of Stone’s discussions with election operation participants Trump knew about. And Stone’s first instinct when seeing himself mentioned in an indictment of those participants was to say he only spoke to Trump.

I guess it’s clear why he’s backtracking from that.

The Russian Hack

As I laid out last week, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Mueller’s team just announced the Russian hack indictment (and announced its transfer, as I predicted), naming 12 GRU officers for the hack of the Hillary campaign, the DNC, and the DCCC. This will be a working thread.

Rod Rosenstein, as he did with the Internet Research Agency, made clear there are no Americans named in this indictment (and that those who interacted with Guccifer 2.0 and DC Leaks did not know they were interacting with Russians). That said, here are some of the interesting nods in it.

Other known conspirators

The indictment names 12 officers — and (as conspiracy cases often do) — persons known and unknown to the Grand Jury.

Hillary’s campaign targeted more aggressively than previously reported

This is a detail I’ve known for quite some time: Hillary’s campaign actually faced far more persistent hacking threats than previously known. Of absolutely critical importance, the indictment makes it clear that GRU hackers spear-phished Hillary’s personal office on July 27, after Donald Trump asked Russia to find her emails.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

I know a key witness in that part of the hack has been waiting to share his story (he’s quite happy this is finally out), so expect far more details on the targeting of the Hillary campaign itself, rather than just the DNC and DCCC, in coming days.

Wikileaks

The indictment doesn’t name Wikileaks, but alleges that Guccifer 2.0 released additional stolen documents through a website maintained by “Organization 1.” There’s an entire section on communications between Guccifer 2.0 and Wikileaks (starting on page 17). Among other things it quotes Wikileaks as saying on July 6,

if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.

This makes it clear that WikiLeaks was not only working directly with Guccifer 2.0, but doing so in ways that would antagonize Bernie-supporting progressives.

Cryptocurrency

The computer infrastructure (including computers in the US) here was paid for by cryptocurrency, not via payments laundered through the embassy (one of several claims about funding made in the Steele dossier).

May through June 2016

The indictment names Ivan Sergeyevich Yermakov as the person who hacked into the DNC email server and stole the emails released via WikiLeaks. This hack date is critical to the timing of the narrative. The emails exfiltrated and provided to Wikileaks were stolen from May 25 through June 1.

Note, too, the indictment says hackers remained in the DNC computers through June.

Servers

The hackers used a server in AZ but then ran that through a server “overseas.” The hackers leased a DCCC computer in Illinois. The use of infrastructure within the US suggests much of the hot air around transfer times — one of the key attempts to debunk the hack — is just that, hot air.

Targeted information

The indictment gives the search terms for some of the targeted information. For example, on April 15, 2016, the conspirators searched for Hillary, Cruz, and Trump, as well as “Benghazi investigations.”

It describes a search on a server in Moscow for some of the terms used in the original Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about,” and “company’s competence” (referring to CrowdStrike).

Crowdstrike

The indictment describes Crowdstrike’s efforts to oust the hackers, but notes that a Linux-based version of X-Agent remained on DNC’s network until October 2016.

Analytics

I have been saying forever that the easiest way to steal the election would be to steal Hillary’s analytics. The indictment reveals that,

In or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service. These computers contained test applications related to the DNC’s analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or “snapshots,” of the DNC’s cloud-based systems using the cloud provider’s own technology.

The indictment is silent about what happened to this stolen analytics data.

Republicans

The indictment notes that DCLeaks also released emails of Republicans that were hacked in 2015 (though I think it actually included some that were more recent than that).

Alice Donovan

Alice Donovan pitched news articles to various outlets. It was also the name used for DC Leaks’ Facebook account. This name (and a few others in the indictment) connects the hack and leak with the wider disinformation campaign.

Requested Stolen Information

The indictment describes how a candidate for Congress asked for information. I think I know who this is, but need to check.

It describes Guccifer 2.0 providing documents to Aaron Nevins, which I have covered repeatedly.

And it describes a journalist who obtained Black Lives Matter documents. As his DMs make clear, this was then Breitbart and current Sputnik journalist Lee Stranahan.

Stranahan is the journalist who helped Roger Stone write the column claiming that Guccifer 2.0 was an American.

It describes Guccifer 2.0’s interactions with Roger Stone (see paragraph 44).

State and vendor servers

The language describing the efforts to hack state sites, starting on page 25, is very specific, down to the named GRU officer. It describes Kovalev stealing the information of 500,000 voters (this is probably from Illinois).

Note, the indictment describes Kovalev deleting information in response to an FBI alert on the hacks of the state server. It doesn’t say whether he did so in response to public reporting on it.

Timeline

February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphishes Podesta personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopoulos learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal email victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alice Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announce DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based server and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send reporter password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

January 12, 2017: Conspirators falsely claim the intrusions and release of stolen documents have “totally no relation to the Russian government”

Roger Stone and ConFraudUs

CNN’s David Gelles has an instructive tweet this morning showing how the rate at which Trump tweets about the Mueller “witch hunt” is accelerating.

Assuming this includes this morning’s two “witch hunt” tweets, Trump is on pace to use the phrase 28 times by the end of the month, though I bet he’ll continue to accelerate the use of it in the week remaining in the month.

The Mueller investigation is, I suspect, coming to a head.

I don’t claim I know how it will turn out. The president has an enormous amount of power and his flunkies in Congress promise they’re about to end Rod Rosenstein’s bend-don’t-break defense by impeaching him (though Rosenstein and Chris Wray have just thrown more documents out to slow the Republicans). It’s certainly possible that Trump will make a last ditch effort to undercut the Mueller investigation and that effort will be competently executed and none of the secondary fall-back defenses Mueller has put into place will work. For now, though, the Trump team seems intent on a delay and discredit strategy, which won’t stave off any imminent steps.

So we shall see whether Trump succeeds in undercutting the investigation. I keep thinking, “that’s why they play the game,” but this is no game.

There are a number of reasons I think Mueller’s investigation is coming to a head. But consider one detail. I’ve long explained that Mueller seems to be building a series of Conspiracy to Defraud the United States indictments that will ultimately incorporate the entire Russian operation (and may integrate the Trumpsters’ international self-dealing as well). As Mueller’s team has itself pointed out, for heavily regulated areas like elections, ConFraudUs indictments don’t need to prove intent for the underlying crimes. They just need to prove,

(1) two or more persons formed an agreement to defraud the United States;

(2) [each] defendant knowingly participated in the conspiracy with the intent to defraud the United States; and

(3) at least one overt act was committed in furtherance of the common scheme.

Let’s see how evidence Mueller has recently shown might apply in the case of Roger Stone, Trump’s lifelong political advisor. We already knew that Stone had communications that he did not immediately disclose with Guccifer 2.0 and Wikileaks. With both, Stone has contributed to and reinforced claims the entities were not Russian operations, though his conversion about the source of the Hillary emails was pretty sudden and curiously timed.

Now we know that in May, Stone had lunch with someone calling himself Henry Greenberg offering dirt on Hillary. His explanation — based only on the texts that Michael Caputo was asked about in a Mueller interview — is not that he didn’t entertain the offer, but that he didn’t take Greenberg up on the offer as made in late May because Greenberg was asking for big money.

Both clearly recognized Greenberg as a Russian, therefore a foreigner offering something of value during an election.

Bizarrely, in trying to rebut the import of this exchange publicly, Caputo and Stone are doing nothing more than working the public refs, claiming to assume this was an FBI sting. Mueller knows whether it was an FBI sting, and there’s virtually no way he’d be asking questions about it if it were (particularly if Stone really didn’t take the bait). In short, Stone has no justification for this he’s willing to offer publicly; instead, he’s just adopting the SpyGate narrative in an attempt to discredit the investigation. And that’s assuming there were no follow-ups or other damning texts that didn’t involve someone willing to leak them to the press.

And all that happened before Peter Smith came on the scene, someone who, unlike Donald Trump, was willing to spend money for such things, an operation Stone is suspected of being involved in but which he studiously avoids mentioning when trying to explain himself. Smith did obtain emails from people Matt Tait advised him might be part of a Russian operation, and when he couldn’t validate them, sent them on to Wikileaks.

Which is to say Stone repeatedly entertained offers from foreigners illegally offering dirt that would benefit the Trump campaign — Greenberg, Guccifer 2.0, possibly Peter Smith’s Dark Web hackers. He may even have exhibited a belief that Australian Julian Assange had and could release the latter dirt, possibly with the knowledge they came from Russians.

So we’ve got Stone meeting with other people, repeatedly agreeing to bypass US election law to obtain a benefit for Trump, evidence (notwithstanding Stone’s post-hoc attempts to deny a Russian connection with Guccifer 2.0 and Wikileaks) that Stone had the intent of obtaining that benefit, and tons of overt acts committed in furtherance of the scheme.

And all that’s without leaning on the other stuff Mueller found on Stone’s phone, which Stone is also trying to explain away by public conspiracies (in this case that the phone content was obtained with a FISA order rather than with a probable cause warrant obtained on March 9).

This is just one of the people Mueller has publicly focused on in recent days. We could lay out similar arguments for Michael Cohen, Paul Manafort, and Brad Parscale, at a minimum. Mueller had — and acted on — probable cause warrants covering five AT&T phones in March, all of which probably had close ties to Rick Gates. Assuming those targets are distributed proportionately with the US population, he’s likely to have obtained warrants for as many as 15 phones just in that go-around.

So if Roger Stone is any indication, the Mueller investigation may soon be moving into a new phase.

The Quid Pro Quo: a Putin Meeting and Election Assistance, in Exchange for Sanctions Relief (Part Two in a Series)

As I explained in Part One of this series, I think the Mueller questions leaked by the Trump people actually give a far better understanding of a damning structure to the Mueller investigation — one mapping out cultivation, a quid pro quo, and a cover-up — than the coverage has laid out. This post will lay out how, over the course of the election, the Russians and Trump appear to have danced towards a quid pro quo, involving a Putin meeting and election assistance in exchange for sanctions relief if Trump won (as noted, the Russians dangled real estate deals to entice Trump based on the assumption he wouldn’t win).

April 27, 2016: During the campaign, what did you know about Russian hacking, use of social media, or other acts aimed at the campaign?

Given the structure of George Papadopoulos’ plea, it’s highly likely Mueller knows that Papadopoulos passed on news that the Russians had thousands of Hillary emails they planned to release to help Trump to people in the campaign. Papadopoulos could have passed on that news to Stephen Miller and Corey Lewandowski as early as April 27. On the same day, Papadopoulos helped draft Trump’s first foreign policy speech, which Papadopoulos reportedly told Ivan Timofeev signaled a willingness to meet.

Between the time the GRU first exfiltrated DNC emails in April and the election, Trump invoked “emails” 21 times on Twitter (usually to refer to emails from Hillary’s server). The first of those times came on June 9, less than an hour after the Trump Tower meeting. The most famous of those came on July 27, when Trump addressed Russia directly.

Earlier in the day, Trump had called on Russia to release the emails not to the FBI, but to the press.

Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press.

The timing may reflect awareness among some in the campaign that the call to Russia was a step too far legally. (h/t TC for the addition)

That Trump’s email comments pertain mostly to Hillary’s home-based server doesn’t actually exonerate him. Right after the DNC release (and therefore the July 27 Trump tweet), GOP rat-fucker Peter Smith started reaching out to Russian hackers in hopes of finding hacked versions of those emails. His support documents named Steve Bannon, Kellyanne Conway, Sam Clovis, and Mike Flynn. If those people actually learned of the effort (there’s reason to believe Smith was just overselling the ties to the campaign), it’s possible that Trump learned about it as well.

As to social media, while it has gotten virtually no attention, the reference to three Florida-based Trump campaign officials in the Internet Research Agency indictment suggests further investigative interest in them.

[T]here are three (presumed) Americans who, both the indictment and subsequent reporting make clear, are treated differently in the indictment than all the other Americans cited as innocent people duped by Russians: Campaign Official 1, Campaign Official 2, and Campaign Official 3. We know, from CNN’s coverage of Harry Miller’s role in building a cage to be used in a fake “jailed Hillary” stunt, that at least some other people described in the indictment were interviewed — in his case, for six hours! — by the FBI. But no one else is named using the convention to indicate those not indicted but perhaps more involved in the operation. Furthermore, the indictment doesn’t actually describe what action (if any) these three Trump campaign officials took after being contacted by trolls emailing under false names.

So Mueller may be pursuing whether there was state-level coordination going on, and if so, how far up the campaign chain of command knowledge of that coordination extended.

May 31, 2016: What discussions did you have during the campaign regarding any meeting with Mr. Putin? Did you discuss it with others?

On June 16, 2015, the day Trump announced his campaign, the Agalarovs offered to serve as an intermediary between him and Putin.

Then, starting at least as early as March 31, 2016 (with Trump’s first foreign policy meeting), his aides started floating pitches for meetings with increasingly senior campaign officials that would hypothetically lead up to one between Trump and Putin.

Those include at least:

  • The George Papadopoulos thread, spanning from March 21 through August 15
  • The Carter Page thread, including his Moscow trip in July, and possibly continuing through his December Moscow trip
  • The NRA thread, focusing on the NRA meeting in Kentucky in May; NRA’s longer outreach includes Trump associates John Bolton and David Clarke

We know Trump was present and did not object when Papadopoulos pitched this in the May 31 meeting. Several of the other entrees went through Don Jr. Many of the offers got briefed at least as far as Jared Kushner and Paul Manafort. We don’t know how many of the other offers he learned about. We just know that years earlier he had joked about becoming Putin’s best friend, and over the course of the campaign, Russian intermediaries made repeated, persistent efforts to work towards a meeting between Trump and Putin, with a meeting between Agalarov representatives (who, again, had offered to serve as intermediaries with Putin when Trump kicked off the campaign) and the most senior people on the campaign happening just as Trump sealed up the nomination.

May 31, 2016: What discussions did you have during the campaign regarding Russian sanctions?

This is an open-ended question that might pose particular problems for Trump given the misleading statement claiming the June 9 meeting was about adoptions and not the Magnitsky sanctions. More interesting still are hints that Mueller sees a signaling going back and forth involving Papadopoulos; some of this may have involved signaling a willingness to provide sanctions relief.

Both Aras Agalarov and Natalia Veselnitskaya followed up after the election pushing for sanctions relief.

June 9, 2016: When did you become aware of the Trump Tower meeting?

Sam Nunberg has suggested Trump probably learned of the Trump Tower meeting before it happened. While he is unreliable on that point, the original June 3, 2016 email Rob Goldstone sent to Don Jr suggests reaching out to Trump’s assistant Rhona Graff.

I can also send this info to your father via Rhona, but it is ultra sensitive so wanted to send to you first.

Democrats suspect that between two calls Don Jr had with Emin Agalarov about the meeting on June 6, 2016, he called his dad.

Trump Jr.’s phone records show two calls to and from the same Russian number on June 6, 2016. The first call occurred at 4:04 pm on June 6, 2016 – just 21 minutes after Goldstone emailed Trump Jr. to say that Emin Agalarov was “on stage in Moscow but should be off within 20 minutes so I am sure can call. [emphasis added]” At 4:38 pm, Trump Jr emailed Goldstone, “Rob, thanks for the help.”

This documentary evidence indicates that a call likely took place between Trump Jr. and Emin Agalarov. During his interview, Trump Jr. confirmed that the Russian phone number belonged to Agalarov, though he claimed to not recall whether he actually spoke with him. Rather, despite one of the two calls reflecting a two-minute connection, Trump Jr. suggested that Agalarov may have left voice messages.

The phone records also show a “blocked” number at 4:27 pm, between the two calls to and from Emin Agalarov. Trump Jr. claimed he did not know who was associated with the blocked number. While the Committee has not pursued leads to determine who called Trump Jr. at this crucial time from a blocked number, Corey Lewandowski told the Committee that Mr. Trump’s “primary residence has a blocked [phone] line.”

Mueller, of course, almost certainly has the phone records the Democrats weren’t able to obtain.

Finally, Steve Bannon has stated that he’s certain Don Jr “walk[ed] these jumos up to his father’s office on the twenty-sixth floor” on the day of the meeting. There’s reason to believe Ike Kaveladze and Goldstone could have done so, including the new piece of evidence that “Kaveladze left [a meeting with Rinat Akhmetshin and Natalia Veselnitskaya] after a few minutes to take a call from Agalarov to discuss the meeting.”

The day after the meeting — and four days before Trump’s birthday — Agalarov sent Trump an expensive painting as a present.

The June 9 meeting is, as far as is public, the most important cornerstone in a presumed quid pro quo. Russians offered unnamed dirt, and Don Jr seemed to know what it entailed even before speaking to Emin Agalarov personally. Having offered dirt, four Russians — including two representatives of Trump’s long-time handler Aras Agalarov — laid out a pitch to end the Magnitsky sanctions. And less than a week later, a presumed Russian agent released the first dirt stolen from Hillary Clinton.

July 7, 2016: What knowledge did you have of any outreach by your campaign, including by Paul Manafort, to Russia about potential assistance to the campaign?

We don’t have many details on what Mueller knows about Manafort’s requests for help on the campaign. We do know he remained in close touch with Russians via someone the FBI believed was a Russian intelligence agent, Konstantin Kilimnik, through whom he remained in communications with Russian oligarch Oleg Deripaska. Deripaska is named in some court documents in a way that suggests his relationship with Manafort may be the still hidden third prong of investigation into Manafort approved by August 2, 2017.

Starting in April, Manafort and Kilimnik (whom Rick Gates and therefore presumably Manafort knew was a former GRU officer), exchanged a series of cryptic emails, suggesting that Manafort might be able to pay off the $20 million he owed Deripaska with certain actions on the campaign. In an email sent on July 7, Manafort offered to provide briefings on the campaign to Deripaska. On or around August 2, Manafort and Kilimnik met in person at the Grand Havana Club, in Kushner’s building at 666 5th Avenue. Both deny that anything about the campaign came up. Shortly after this meeting, one of Deripaska’s jets came to Newark, and Russian opposition figure Viktor Navalny has claimed to have proof the jet went from there to a meeting between Deripaska and Russian deputy prime minister Sergei Prikhodko.

An August 2017 report describes intercepts picking up “Russian operatives discussing their efforts to work with Manafort, … relay[ing] what they claimed were conversations with Manafort, encouraging help from the Russians.”

There’s one more area of potential assistance I find of interest. Since January, we’ve been getting hints that Oleg Deripaska has some tie to the Steele dossier, possibly through a lawyer he and Steele share. I’ve raised repeated concerns that the Russians learned about the dossier and found ways to feed Steele disinformation. If they did, the disinformation would have led Democrats to be complacent about the hacks that targeted them. And whether or not the dossier is disinformation (and whether or not Deripaska had a role in that, if true), Paul Manafort coached Reince Priebus on how to attack the dossier as a way to discredit the investigation into the campaign’s ties with Russia.

With regards to this Manafort question: remember that Rick Gates flipped on February 23, and the questions date to early March. So Gates may have proffered confirmation about these details. In any case, Mueller likely has learned far more about them two months after Gates flipped.

July 10-12, 2016: What involvement did you have concerning platform changes regarding arming Ukraine?

The Majority HPSCI Russia Report explains that the RNC platform was changed by staffers at the convention based off Trump’s public statements on sanctions.

[Rick] Dearborn generated a memorandum, dated August 1, 2016, outlining a detailed sequence of events that occurred between July 10 and 12, 2016. As part of that memo, J.D. Gordon created a timeline that noted candidate Trump’s policy statements–including at a March 31, 2016, national security meeting–served as the basis for the modification of [Diana] Denman’s amendments. Gordon’s timeline made it clear that the change was initiated by campaign staffers at the convention–not by Manafort or senior officials.

J.D. Gordon has not confirmed that he was asked about this, but he surely was. I would expect Mueller to have tested the timeline Gordon laid out in summer 2016 (when the platform change was a big political issue) against the testimony and communications records of everyone else involved.

Of course, by asking the question in this fashion, Mueller doesn’t reveal what he has already confirmed about the platform changes.

August 5, 2016: What did you know about communication between Roger Stone, his associates, Julian Assange or WikiLeaks?

After multiple public statements that the Russians were behind the hack-and-leak, on August 5, 2016 (after traveling from NY to LA to his home in FL), Roger Stone wrote a column claiming to believe that Guccifer 2.0 was a hacktivist with no ties to Russia. Stone’s purportedly changed beliefs about Guccifer 2.0 coincide with an August 4 claim he made in an email to Sam Nunberg that he had met with Julian Assange the night before. Stone’s claimed belief that Guccifer 2.0 is not Russian is key to his denials of any involvement or pre-knowledge of hack-and-leak events. It also kicked off an alternative story that others, up to and including Trump, have adopted to excuse their own embrace of the stolen emails. In other words, a key prong in the plausible deniability the Russians built into the hack-and-leak campaign came from long-time Trump associate Roger Stone, after a dramatic and unexplained change in beliefs (Lee Stranahan, who used to work for Breitbart and now works for Sputnik, has claimed some credit for the change, and given how lucid the August 5 column is, someone had to have helped Stone write it).

Ten days later, after Stone had called on Twitter to let him out of Twitter jail, Guccifer 2.0 and Stone started exchanging (fairly innocuous) DMs.

There are events both before and after that which suggest Stone — probably through more interesting go-betweens than Randy Credico — sought information on what dirt Assange and Wikileaks had, and what they planned to do with it and when.

Much has been made, especially in the DNC lawsuit, about Stone’s seeming prediction that “it would soon be Podesta’s time in the barrel.” Perhaps that’s true (and Stone’s explanation for the tweet is garbage), but any explanation of Stone’s supposed prediction needs to acknowledge that he more often predicted Wikileaks would release Clinton Foundation emails, not Podesta ones, that he got the timing somewhat wrong, and that he didn’t dwell on the Podesta emails at all once Wikileaks started releasing them (preferring, instead, to talk about Bill Clinton’s lady problems). Still, that may reflect Stone’s involvement in the Peter Smith operation, and efforts to get WikiLeaks to release purported Clinton Foundation emails passed on via hackers.

That Mueller is even asking this suggests (if the several grand jury witnesses in recent months dedicated to it don’t already) that Mueller has a pretty good idea that Stone’s communications were more extensive than his denials let on. That he thinks Stone may have shared that information with Trump is all the more interesting.

All of which is to say that the known answers to Mueller’s questions map out a quid pro quo set up during the election, in which Russians offered a Putin meeting and dirt on Hillary, with the expectation that Trump would lift the Magnitsky sanctions if he won (and would get a Trump Tower in Moscow if he lost). I suspect there are other pieces to the quid pro quo, dealing with Ukraine and Syria. But certainly the June 9 meeting set up an understanding: dirt in exchange for Magnitsky relief. The release of the Guccifer 2.0 emails may indicate the Trump camp provided some signal they had formally accepted the offer.

Update: Fixed syntax in last paragraph, h/t LT.

RESOURCES

These are some of the most useful resources in mapping these events.

Mueller questions as imagined by Jay Sekulow

CNN’s timeline of investigative events

Majority HPSCI Report

Minority HPSCI Report

Trump Twitter Archive

Jim Comey March 20, 2017 HPSCI testimony

Comey May 3, 2017 SJC testimony

Jim Comey June 8, 2017 SSCI testimony

Jim Comey written statement, June 8, 2017

Jim Comey memos

Sally Yates and James Clapper Senate Judiciary Committee testimony, May 8, 2017

NPR Timeline on Trump’s ties to Aras Agalarov

George Papadopoulos complaint

George Papadopoulos statement of the offense

Mike Flynn statement of the offense

Internet Research Agency indictment

Text of the Don Jr Trump Tower Meeting emails

Jared Kushner’s statement to Congress

Erik Prince HPSCI transcript

THE SERIES

Part One: The Mueller Questions Map Out Cultivation, a Quid Pro Quo, and a Cover-Up

Part Two: The Quid Pro Quo: a Putin Meeting and Election Assistance, in Exchange for Sanctions Relief

Part Three: The Quo: Policy and Real Estate Payoffs to Russia

Part Four: The Quest: Trump Learns of the Investigation

Part Five: Attempting a Cover-Up by Firing Comey

Part Six: Trump Exacerbates His Woes

Was Trump’s Birthday Present a Painting? Or Stolen Emails?

Donald Trump was born on June 14, 1946.

According to the Minority HPSCI Russian Report, the day after Trump’s spawn, spawn’s husband, and campaign manager met with a bunch of Russian envoys (including Aras Agalarov’s representative Ike Kaveladze), Agalarov sent the presidential candidate an expensive painting.

[O]n June 10, 2016, Aras Agalarov delivered to candidate Trump an expensive painting for the candidate’s birthday.

An email from Rob Goldstone identified it as a birthday gift.

Email from Rob Goldstone to Rhona Graff, Subject: Birthday gift for Mr. Trump, June 10, 2016

On June 14, 2016 — Donald Trump’s birthday — the Washington Post revealed that Hillary had been hacked by Russia.

According to Nakashima, she was first contacted about this story, “About a week before the story published online.”

On June 15, in what has always been presumed to be a rushed response to the WaPo story, Russian cut-out Guccifer 2.0 published a bunch of stolen documents, including Hillary’s (dated) oppo research on Trump.

On June 17, a Trump staffer sent an Agalarov staffer a Trump thank you note, one that did not (at least in the bit quoted in the Minority HPSCI report) describe what the gift in question was.

“There are few things better than receiving a sensational gift from someone you admire – and that’s what I’ve received from you. You made my birthday a truly special event by your thoughtfulness – not to mention your remarkable talent. I’m rarely at a loss for words, but right now I can only say how much I appreciate your friendship and to thank you for this fantastic gift. This is one birthday that I will always remember.”

Was the gift a painting? Or stolen emails?

Counterintelligence versus Criminal: George Papadopoulos

While I was playing in an undisclosed location in Europe, Chuck Ross wrote two stories based off access to people in the immediate vicinity of George Papadopoulos.

The first purports to answer whether Papadopoulos [thinks he] colluded with Russia. The second reports that someone with close ties to CIA and MI6 reached out to Papadopoulos after the US government learned of Papadopoulos’ comments to Alexander Downer about Hillary emails.

There’s a funny movement between the two. In the first, Ross feigns concern about how long it took the FBI to reach out to Papadopoulos after learning of his email conversation.

Papadopoulos was not interviewed by FBI agents until Jan. 27, 2017, nearly six months after the start of the investigation. That six month delay is puzzling to both congressional investigators and to Papadopoulos. He has wondered to associates why, if he was actually suspected of conspiring with the Russian government, the bureau would have waited so long to contact him.

He doesn’t mention, of course, that the FBI reached out to Papadopoulos just one week after the presidential transition period — which Papadopoulos played a role in — ended. That is, there was virtually no delay between the time Papadopoulos separated from Trump’s retinue and the FBI investigated. That doesn’t feed the poutrage about FBI’s investigation of politics, however, and so goes unmentioned.

Meanwhile, the second piece expresses shock that someone tied into Anglo-American intelligence reached out to Papadopoulos, Page, and one other Trump aide during the election.

Two months before the 2016 election, George Papadopoulos received a strange request for a meeting in London, one of several the young Trump adviser would be offered — and he would accept — during the presidential campaign.

The meeting request, which has not been reported until now, came from Stefan Halper, a foreign policy expert and Cambridge professor with connections to the CIA and its British counterpart, MI6.

Halper’s September 2016 outreach to Papadopoulos wasn’t his only contact with Trump campaign members. The 73-year-old professor, a veteran of three Republican administrations, met with two other campaign advisers, The Daily Caller News Foundation learned.

Papadopoulos questioned Halper’s motivation for contacting him, according to a source familiar with Papadopoulos’ thinking. That’s not just because of the randomness of the initial inquiry but because of questions Halper is said to have asked during their face-to-face meetings in London.

According to a source with knowledge of the meeting, Halper asked Papadopoulos: “George, you know about hacking the emails from Russia, right?”

While Ross focuses on the FBI investigation, which started as a counterintelligence investigation, he doesn’t mention the separate Task Force run out of CIA (or, for that matter, the Steele dossier, though given how shitty the dossier is on the hack-and-leak, I question whether that’s what this was).

In any case, there were several investigations, even within the US, and while law enforcement has certain squeamishness about engaging in politics, our foreign allies do not.

All that said, Ross provides details about Papadopoulos’ reported timeline and beliefs which are useful to understanding the events of 2016. Chief among those, he dates the meeting between Papadopoulos and Downer to May 10.

On around May 10, 2016, two weeks after the Mifsud meeting, Papadopoulos met with Downer at Kensington Gardens in London.

Ross also relays Papadopoulos’ reported belief that the emails floated by Joseph Mifsud were the deleted Clinton Foundation emails.

Papadopoulos has also said he believes that the emails in question were the 30,000-plus emails that Clinton deleted in Dec. 2014 before turning her State Department emails over to the agency. Clinton’s deleted records were a hot topic of debate during the 2016 presidential campaign, well before WikiLeaks began releasing emails that were stolen from the DNC and Clinton campaign.

This is entirely unsurprising (and useful for Papadopoulos to have out there). It means Papadopoulos doesn’t claim to have had more advance details about the stolen Hillary emails, and instead just assumed Mifsud (and his sources) were responding to the burning issue of the day, the Hillary investigation.

The confirmation that the Republicans had likely been fed, early on, an expectation that they might get those emails provides important insight on the later Peter Smith effort to get those emails, the reported outreach by people associated with the campaign to Guccifer 2.0 to get those emails, and Guccifer 2.0’s false claims to be leaking them. Papadopoulos likely confirmed to Mifsud that that’s what the Republicans thought of as valuable oppo research, and multiple later efforts focused on making Trump aides believe they would get them.

To understand just how much Ross’ sources were feeding an exonerating narrative, however, consider that he or they refused to say whether Papadopoulos passed on news of the emails to other campaign people.

Miller did not respond to the email, but it is unclear whether Papadopoulos told Miller, who currently works in the White House, or anyone else on the campaign about Mifsud’s comments about emails. TheDCNF’s sources did not say whether Papadopoulos told the campaign of Mifsud’s remarks.

Instead of the answer to the critical issue (to which we have good reason to suspect the answer, even if it hasn’t been confirmed), Ross passes on a non-denial denial of something Papadopoulos has never been accused of.

[S]ources familiar with Papadopoulos’ thinking say he has told associates he did not see, handle or disseminate Clinton emails.

Further, Ross claims there’s no evidence that meetings between Russia and the Trump campaign took place, in spite of the fact that Don Jr, Jared, and Trump’s campaign manager took a meeting 6 weeks after the emails-as-dirt got floated based on a promise they’d get dirt on Hillary.

There is no evidence that those meetings took place.

To back this no collusion claim, you’d have to prove both that none of the participants in the Trump Tower meeting had heard about Papadopoulos’ promise of emails (in spite of Don Jr’s reference to “if it’s what I think it is”), and that the Russians didn’t consider a meeting with the campaign manager a high level meeting.

George Papadopoulos does not, by himself, prove “collusion.” But neither does this transparent attempt to deny collusion by issuing a non-denial denial disprove it. Moreover, it was never going to be the case that one person — not even Paul Manafort, not even Michael Cohen, possibly not even Trump himself — would offer the Rosetta stone on what happened in 2016.

The Access Hollywood Search Doesn’t Mean Trump Coordinated with Assange

As I noted, yesterday several outlets reported that among the things included in the FBI warrant for Michael Cohen’s premises were communications between Trump, Cohen, and others (whom I suspect to include Steve Bannon and Marc Kasowitz) “regarding the infamous ‘Access Hollywood’” video.

FBI agents who raided the home, office and hotel of Donald Trump’s personal lawyer sought communications that Trump had with attorney Michael Cohen and others regarding the infamous “Access Hollywood” tape that captured Trump making lewd remarks about women a month before the election, according to sources familiar with the matter.

[snip]

The search warrant also sought communications between then-candidate Trump and his associates regarding efforts to prevent disclosure of the tape, according to one of the sources. In addition, investigators wanted records and communications concerning other potential negative information about the candidate that the campaign would have wanted to contain ahead of the election. The source said the warrant was not specific about what this additional information would be.

From that, people on both the right and the left have assumed, without presenting hard evidence, that this means there must be a tie to Russia. Most often, people assume this must mean Trump somehow managed the events of October 7, when the Intelligence Committee report blaming Russia for the DNC hack, the Access Hollywood video, and the first Podesta emails all came out in quick succession.

That’s certainly possible, but thus far there’s no reason to believe that’s the case.

Mueller and Rosenstein referred this

That’s true, first of all, because after consulting with Rod Rosenstein, Robert Mueller referred this to the Southern District of New York for execution and prosecution, rather than dealing with it himself. He did that surely knowing what a sieve for leaks SDNY is, and therefore knowing that doing so would undercut his remarkably silent teamwork thus far.

In spite of a lot of reporting on this raid this week, we don’t yet have a clear understanding of why the two chose to refer it (or, tangentially, why interim SDNY US Attorney Geoffrey Berman recused himself from this matter).

There are two options. The first is that Rosenstein believed hush payments and taxi medallion money laundering sufficiently attenuated from the Russian investigation that it should properly be referred. In which case, the fact that it was referred is itself reason to believe that Mueller — even while he had abundant evidence supporting the search warrant — has no reason to believe those releases were orchestrated with Wikileaks, and that they therefore have no direct interest to his investigation (though they may cough up one to three witnesses who will be more willing to cooperate when faced with their own fraud indictments). In which case, the Access Hollywood video would be just another example, like the Stormy Daniels and the Karen McDougal payoffs, of Trump’s efforts to bury embarrassing news, using whatever means necessary.

The other option is that Mueller does have evidence that Trump in some way managed the October 7 events, which would be one of the most inflammatory pieces of evidence we would have heard of so far, but that there was some other reason to refer the matter.

Michael Cohen wasn’t serving as an attorney for many of the reported documents

The really good reason to refer the warrant would be so that SDNY would serve as a natural clean team, sorting through seized items for privileged communications, only to hand them back to Mueller’s team in DC once they’ve sorted through them. It’s an idea Preet Bharara and Matt Miller, among others, have floated.

Before we conclude that SDNY is only serving as a clean team for Mueller’s team here, consider that coverage has vastly overstated the degree to which the items being searched will fall under attorney-client privilege.

The search also sought information on Cohen’s taxi medallions, a business in which he has had really corrupt partners, some Russian, with their own legal problems, and one that has reportedly left Cohen with some debt problems that make his purported personal payment to Stormy Daniels all the more sketchy.

In addition, as soon as Trump claimed to know nothing of the hush payment to Daniels last Friday, the government could credibly claim that either Cohen was not representing Trump when paying off Daniels, or was involved in fraud.

The NYT has reported that the raid also sought all communications between Cohen and National Enquirer’s top brass, communications that would in no way be privileged.

Even the reported communications about the Access Hollywood video may not be privileged. If they involved four people, then the only way they’d be covered by privilege is if they counted as campaign emails and Marc Kasowitz, not Cohen, was the attorney providing privileged advice in question. In that case, Cohen would have been playing the press contact role he often did during the campaign.

Still, just because Cohen was not playing the role of an attorney during most of the activities the FBI is interested in doesn’t mean the FBI won’t be really careful to make sure they don’t violate privilege, and I’m sure they’ll still use a taint team.

Mueller has already dealt with (at least) two sensitive attorney-client relationships in his investigation

Even on top of the eight members of the White House Counsel’s office who have spoken with the Special Counsel, Mueller’s team has dealt with (at least) two other sensitive attorney-client relationships.

The first was Melissa Laurenza, a lawyer for Paul Manafort whom he had write false declarations for FARA registry. Judge Amy Berman Jackson permitted Mueller’s team to ask her seven of eight proposed questions after proving Manafort had used her services to engage in fraud.

More recently, we’ve gotten hints — but only hints — of what must be extensive cooperation from Skadden Arps and its partner Greg Craig, describing how Manafort and Gates laundered money to pay the firm loads of money to write a report they hoped would exonerate Ukraine’s persecution of Yulia Tymoshenko. While the cooperation of Skadden itself was probably effusive in its voluntary nature (the firm seems determined to avoid the taint that Tony Podesta’s firm has acquired in this process), Mueller did subpoena Alex Van der Zwaan and it’s unclear what methods the FBI used to obtain some of the materials he tried to hide from prosecutors.

Neither of those exchanges involves a search warrant. But they do show that Mueller is willing to take on the tricky issue of attorney testimony first-hand. Using SDNY as a clean team still may be the easiest option in the Cohen case, but Mueller clearly isn’t shying away from managing all such issues in-house in other cases.

The other possible explanations for the Access Hollywood search and the October 7 timing

Which brings us finally to the other possibilities behind the Access Hollywood search.

It’s certainly possible that the coincidental release of all these things was coordination, entirely orchestrated by the Trump campaign. But there are a number of reasons — on top of the fact that Mueller isn’t keeping this search far tighter under his own control — I think that’s not the most likely explanation.

Consider this story, arguing that the real story of Access Hollywood isn’t that it leaked on October 7 — the piece notes that David Fahrenthold had only received it that day — but that it didn’t leak earlier in the process, when it might have led Trump to lose the primary.

It is just impossible to believe that the tape not coming out at the start of Trump’s campaign, when logic dictates that it would have blown Trump instantly out of the water (before he was in a position where Republicans had no choice other than to keep backing him against the evil Hillary Clinton), was anything but a highly unethical political decision by someone at NBC. The fact that no one has ever even gotten an answer from NBC about how this could have happened is equally unfathomable and yet, given the news media’s overall incompetence, kind of expected.

[snip]

It has always struck me as EXTREMELY odd that it was the Washington Post, not NBC, who first released the tape on Friday Oct. 7, 2016, barely beating NBC which, it should be noted, was clearly ready to go with it immediately after the Post did. I presumed that perhaps NBC wanted this to be the case because it might take some of the focus off why they had not released it during the primaries (and thus chose not to prematurely kill off the media’s Golden Goose which was Trump’s ratings-friendly campaign).

However, there is another aspect of the Post being the outlet which got the big scoop that has always struck me as potentially very significant. The Post’s reporter, David Fahrenthold, has said that he was only made aware of the tape, via an unnamed source, THAT day — which is a clear indication that whomever was trying to get the Post to release it had decided to do so in tremendous haste. After all, if the source had planned it sooner they would have made contact with Fahrenthold well before then because he might have been out of pocket that day.

[snip]

For instance, what if it was actually someone from the TRUMP team who leaked the tape. At first glance, this seems ludicrous because no one thought that Trump would be anything but greatly harmed by the tape (though he clearly was not). But what if someone in Trump World got wind that the tape was about to be released and decided that stepping all over the Russia news (which would normally have dominated the narrative for the remainder of the campaign) would at least create the least bad outcome for them?

I don’t agree that the tape was released when it was to distract from the Russia announcement that day. As I’ve long noted, in reality, the Access Hollywood video distracted from the Podesta emails, effectively burying the most damning release in the bunch, the excerpts of Hillary’s speeches that even Democrats had been demanding she release since the primary. And while the Trump team might claim they didn’t control the release of the Podesta emails directly — and Roger Stone’s predictions that Wikileaks would release Clinton Foundation rather than Podesta emails were dead wrong — the Trump team at least knew something was coming (indeed, Wikileaks had made that clear themselves). So there’s little reason they would stomp on what they had long welcomed with the Access Hollywood tape. As this post alludes, I also think the Trump team and Russians or Wikileaks may have been squabbling over whether Wikileaks would release possibly faked Clinton Foundation emails that week, only to scramble when Wikileaks refused to release whatever the Peter Smith effort had gotten dealt to them.

Like the Mediaite piece, I’m interested in the way that Steve Bannon had Clinton accusers all lined up to go that weekend (indeed, I noted how quickly Stone moved to that after having raised expectations for a Clinton Foundation release). But I also think there are some reasons to believe that attack was in the works for other reasons (though I agree it might reflect advance knowledge that the video might come out, or even that Stormy Daniels might come forward). Finally, I don’t think the release came from Trump because of all the reports of Republicans trying to convince Trump to step down (though it’s possible the GOP dropped the video in one last bid to get him to do so).

One alternative narrative, then, is that the real story about the Access Hollywood suppression goes back months or years earlier, as one of the things Trump managed to suppress throughout the campaign, but something happened internally to breach that agreement. And, separately, that either Assange by himself, with Russian help, or with Trump assistance, timed the Podesta emails to come out as the Russian attribution was coming out. That is, it could be that the real story remains that whoever orchestrated the Wikileaks release did so in an attempt to bury the Russian attribution, but that the coincidental release of the Access Hollywood video in turn buried the Podesta emails.

Finally, it’s possible that Democrats got ahold of the Access Hollywood video and they released it to (successfully) drown out the Podesta emails, which they (and the intelligence community) also would have known were coming, but by doing so, they also drowned out the all-important Russian attribution in the process.

The point is, we don’t know. And nothing we know thus far about the process leading to this warrant or about the suppression and release of either the video or the women’s stories suggests it all took place that week of October. Trump’s usual m.o. is about suppression, not timing.

That said, I’m curious if this raid will reveal details about one other item Trump probably tried to suppress: the nude Melania photos that NYPost released on July 31, 2016, just as campaign season got going in earnest.