Before John Durham’s Originator-1, There Was a Claimed BGP Hijack

In this post, I described that “Phil,” the guy I went to the FBI about because I suspected he had a role in the Guccifer 2.0 persona, had a role in the Alfa Bank story. As noted, Phil’s provable role in pushing the Alfa Bank story in October 2016 was minor and would have no effect on the false statement charge — for an alleged lie told in September 2016 — against Michael Sussmann. But because of Durham’s sweeping materiality claims, it might have an impact on discovery.

It has to do with the theory that Alfa Bank has about the DNS anomalies, a theory that Durham seems to share: that the data was faked.

As Alfa laid out in its now abandoned John Doe lawsuits, it claims that the anomalous DNS traffic that Michael Sussmann shared with the FBI in September 2016 was faked. The bank appears to believe not just that the data was faked, but that April Lorenzen is involved in some way. For example, it describes that Tea Leaves and “two accomplices” were sources for Franklin Foer (though elsewhere, the lawsuit claims that Tea Leaves was pointed to the data by the unknown John Doe defendants).

Durham seems even more sure that Lorenzen is the culprit. For example, he always refers to the data as “purported.” He refers to Lorenzen as “Originator-1” rather than “Data Scientist-1” or “Tea Leaves,” insinuating she fabricated the data. And when Sussmann asked for all evidence indicating that Durham had bullied witnesses, Durham provided emails involving Lorenzen’s lawyers.

Alfa Bank might be excused for imagining that Lorenzen is the primary culprit to have fabricated the data. According to Krypt3ia, when Alfa asked him for his communications, he only had one email, with a different journalist, to share. They quite clearly don’t understand that someone else was involved in publicizing these claims.

Durham doesn’t have the same excuse.

That’s because DOJ – of which Durham remains a part – knows at least some of the details about “Phil” that I laid out in my last post. Because they would have checked Twitter to vet some of my most basic claims, they almost certainly obtained the Twitter DMs (or at least the metadata) showing that Phil brokered the tie between Krypt3ia and the NYT.

To be clear: I have no evidence that Phil altered the DNS records. I’m agnostic about what caused the anomaly (though am convinced that the experts involved believe the anomaly is real, even if they offer varying explanations for the cause). But Durham has made the source of the anomaly an issue to bolster his claims about materiality. And, as Sussmann noted in a recent filing, “Much as the Special Counsel may now wish to ignore the allegations in the Indictment, he is bound by them.” So, it seems, Durham’s on the hook for telling Sussmann if DOJ knows of anyone else involved in pushing the Alfa Bank story who could be a possible culprit for fabricating the data, especially if that person was known to have clandestinely signed a comment, “Guccifer 2.0.”

Phil probably faked a BGP hijack

The fact that Phil alerted the NYT to the Russian proxy of Lorenzen’s data matters not just because he had, months earlier, claimed to work for an FSB-led company and, even before that, claimed to have been coerced by Russian intelligence at an overseas meeting before the known DNC operation started.

It also matters because (I believe) Phil faked an Internet routing record in the same month the Alfa/Trump/Spectrum anomalies started.

In May 2016, Phil shared what he claimed was a traceroute of a request to my site, an Internet routing record that is different than but related to the DNS records at the heart of the Alfa Bank story. The screencap he sent me purported to show that a request to my site had been routed through (to the best of my memory) some L3 routers in Chicago, to Australia, back to those L3 switches, to my site. Phil was claiming to show me proof that someone had diverted requests to my site overseas along the way – what is known as a BGP hijack. Phil showed this to me in the wake and context of a DDOS attack that had brought my site down for days, an attack which led me to rebuild my site, change hosts, and add Cloudflare DDOS protection.

May 2016, the month Phil showed me what I believe to be a faked traceroute, is the same month the anomalous traffic involving Alfa Bank, Spectrum Health, and a Trump-related server started.

Phil used that traceroute to claim that the US intelligence community was diverting and spying on traffic to my website.

The claim made no sense. The only thing that diverting my traffic would get spies is access to my readers’ metadata, which would be readily accessible via easier means, including with a subpoena to my host provider. Aside from a bunch of drafts that I’ve decided didn’t merit publication, there’s no non-public content on my site. I was not competent (and did not ask others) to assess the validity of the screencap itself, but I considered it unreliable because it didn’t show the query or originating IP address behind the record, which would be needed to test its provenance.

I don’t have that original traceroute (I replaced my phone not long after he sent it). But in June 2016 he shared a reverse DNS look-up related to my site that wasn’t altered but in which Phil invoked the earlier one.

I corrected him in this case – this IP address was readily explainable; it was Cloudflare (which Phil surely knew). But Phil nevertheless repeated his earlier claim that “they” were hijacking my traffic.
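As an added example (not code from the original post), this is the kind of triage an analyst can run on a traceroute offered as evidence that traffic to a site was diverted. It assumes the record is available as Linux `traceroute` text rather than a screencap, that the originating IP is supplied separately (traceroute output does not carry it, which is the gap noted above), and that the site sits behind Cloudflare, whose published IPv4 prefixes explain the final hops. The hostnames, addresses and captures are constructed; the Cloudflare prefix list is a snapshot of the published one and may be out of date.

```python
"""Triage a traceroute offered as evidence that traffic to a site was diverted.

Added example, not code from the original post. Assumes Linux traceroute text,
an originating IP supplied by the analyst, and a site fronted by Cloudflare.
"""
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 prefixes (https://www.cloudflare.com/ips-v4).
# Assumed current when written; refresh from the published list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
# RFC 1918, loopback and link-local: hops here belong to the querier's own network.
LOCAL_V4 = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(rf"^traceroute to (\S+) \(({IPV4})\)")
HOP_RE = re.compile(rf"^\s*(\d+)\s+(?:\S+\s+\(({IPV4})\)|({IPV4})|\*)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")
LATENCY_JUMP_MS = 150.0  # assumed threshold for an implausible hop-to-hop RTT increase


def classify(ip):
    """Label an address as local, cloudflare, or other (transit or unknown)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_V4):
        return "local"
    if any(addr in net for net in CLOUDFLARE_V4):
        return "cloudflare"
    return "other"


def parse_traceroute(text):
    """Return (target_ip or None, hops); each hop is (number, ip or None, first RTT or None)."""
    target_ip, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target_ip = m.group(2)
            continue
        m = HOP_RE.match(line)
        if m:
            rtt = RTT_RE.search(line)
            hops.append((int(m.group(1)), m.group(2) or m.group(3),
                         float(rtt.group(1)) if rtt else None))
    return target_ip, hops


def triage(text, source_ip=None):
    """Decide whether a traceroute can be checked at all and whether its path is explainable."""
    target_ip, hops = parse_traceroute(text)
    findings, detours, jumps = [], [], []
    if source_ip is None:
        findings.append("no originating IP supplied; provenance cannot be tested")
    if target_ip is None:
        findings.append("no target line; cannot tell what was queried")
    reached_edge, prev_rtt = False, None
    for n, ip, rtt in hops:
        kind = classify(ip) if ip else "timeout"
        if kind == "cloudflare":
            reached_edge = True
        elif kind == "other" and reached_edge:
            detours.append((n, ip))  # left the CDN edge and came back: not a normal path
        if rtt is not None and prev_rtt is not None and rtt - prev_rtt > LATENCY_JUMP_MS:
            jumps.append((n, rtt - prev_rtt))
        if rtt is not None:
            prev_rtt = rtt
    if target_ip and classify(target_ip) == "cloudflare":
        findings.append("target is a Cloudflare edge address; Cloudflare hops are expected")
    if source_ip is None or target_ip is None:
        verdict = "unverifiable"
    elif detours:
        verdict = "anomalous"
    else:
        verdict = "explainable"
    return {"verdict": verdict, "findings": findings, "detours": detours, "latency_jumps": jumps}


# Constructed sample captures (documentation-range transit addresses, not real routes).
NORMAL_CAPTURE = """\
traceroute to example-site.invalid (104.16.123.96), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  1.1 ms  1.0 ms  1.0 ms
 2  203.0.113.9 (203.0.113.9)  12.0 ms  12.1 ms  12.3 ms
 3  * * *
 4  172.64.150.1 (172.64.150.1)  20.0 ms  20.2 ms  20.1 ms
 5  104.16.123.96 (104.16.123.96)  21.0 ms  21.1 ms  21.0 ms
"""
CLAIMED_DIVERSION = """\
traceroute to example-site.invalid (104.16.123.96), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  1.1 ms  1.0 ms  1.0 ms
 2  203.0.113.9 (203.0.113.9)  12.0 ms  12.1 ms  12.3 ms
 3  172.64.150.1 (172.64.150.1)  20.0 ms  20.2 ms  20.1 ms
 4  198.51.100.77 (198.51.100.77)  310.0 ms  311.0 ms  309.0 ms
 5  172.64.150.1 (172.64.150.1)  330.0 ms  331.0 ms  330.0 ms
 6  104.16.123.96 (104.16.123.96)  331.0 ms  331.2 ms  331.1 ms
"""

if __name__ == "__main__":
    for label, cap in (("normal", NORMAL_CAPTURE), ("claimed diversion", CLAIMED_DIVERSION)):
        print(label, triage(cap, source_ip="198.51.100.5"))
    print("screencap-style, no source IP:", triage(CLAIMED_DIVERSION)["verdict"])
```

An "anomalous" verdict is a reason to check further against independent routing data, not a finding of a hijack; an "unverifiable" verdict is the situation described above, where a record that lacks the query and originating address cannot be tested at all.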

When I said that Phil had been tracking how requests to my site worked for some time before he left a comment signed [email protected] in July 2016, this weeks-long exchange is what I was referring to. He had, effectively, been watching as I added Cloudflare protection to my site.

These screencaps show that Phil, who months later would play a role in pushing the Alfa Bank story, was using DNS records — real and possibly faked — as a prop in a false story.

Phil tracked DOD contracts closely

That’s not the only detail that DOJ may know about that Durham should consider before insinuating that Lorenzen is the most likely culprit if this data was fabricated. DOJ may know that Phil tracked DOD contracts very closely. That’s important because it explains how Phil could have learned researchers would be looking closely at DNS records.

For years, I’ve believed that the Alfa-Trump-Spectrum Health effort was disinformation, because so much of what came out that year was and because I viewed the Spectrum Health stuff to be such a reach. My belief it might be disinformation only grew stronger when I discovered the focus on Spectrum Health, with its link to Erik Prince’s sister’s spouse, came just after Prince had asked Roger Stone about his efforts to reach out to WikiLeaks.

Certainly, Putin exploited the allegations afterwards to his advantage. He used them to push Alfa Bank’s Petr Aven to take a primary role in reaching out to Trump during the transition, at least as recounted in the Mueller Report.

According to Aven, at his Q4 2016 one-on-one meeting with Putin,[981] Putin raised the prospect that the United States would impose additional sanctions on Russian interests, including sanctions against Aven and/or Alfa-Bank.[982] Putin suggested that Aven needed to take steps to protect himself and Alfa-Bank.[983]

[981] At the time of his Q4 2016 meeting with Putin, Aven was generally aware of the press coverage about Russian interference in the U.S. election. According to Aven, he did not discuss that topic with Putin at any point, and Putin did not mention the rationale behind the threat of new sanctions

Aven even used Richard Burt, one of the people scrutinized by the Fusion and DNS research, to reach out to Trump, effectively pursuing precisely the back channel between Alfa and Trump that Fusion suspected months earlier.

The relevant part of Aven’s interview is redacted, so it’s not clear whether Aven mentioned that Alfa Bank had been a key focus of the interference allegations. But that’s the presumptive subtext: along with the Steele dossier, the DNS anomaly – both of which, in several lawsuits since, Aven or Alfa have claimed were “gravely damaging” – raised suspicions about Alfa Bank and made it more likely the bank would be sanctioned than had been the case previously.

And before the bank did get sanctioned last month, Alfa was using the DNS anomaly to conduct a lawfare campaign to learn how the US uses DNS tracking to thwart hacks (one wonders if Putin ordered that campaign, like he personally ordered Aven to reach out to Trump). That campaign even got a bunch of frothy right-wingers to decry efforts to prevent and detect nation-state hacks on the US. So at the very least, Russia has exploited the Alfa-Trump allegations to great benefit, one measure of whether something could be deliberate disinformation.

But as I’ve talked to people who’ve tried to figure out what the anomaly was – including experts who believed it did reflect real communication as well as some who didn’t – they always explained that seeding disinformation in such a fashion would be useless. That’s because you couldn’t ensure that any disinformation you planted would be seen. That is, unlike the Steele dossier, which was being collected by an Oleg Deripaska associate and shared with the press (and for which there’s far more evidence Russia used it to plant disinformation), you could never expect the disinformation to be noisy enough to attract the desired attention.

In the years since the original story, how researchers who found the anomalous data obtained the DNS data has driven a lot of the hostility behind it. The researchers have tried to hide where they got the data for proprietary and cybersecurity reasons. John Durham has alleged there was some legal impropriety behind using it, even when used (as the researchers understood they were doing) to research ongoing nation-state hacks. And Alfa Bank was using lawfare to try to find out as much about the means by which this DNS traffic was observed by cybersecurity experts as possible. The full story of how the researchers accessed the data has yet to be reported, but as I understand it, there’s more complexity to the question than initially made out or than has made it into Durham’s court filings. That complexity would make it even harder to anticipate where DNS researchers were looking. So, multiple experts told me, it would be crazy to imagine anyone would have thought to seed disinformation in DNS records expecting it’d get picked up via those collection points in 2016, because no one would have expected anyone was observing all those collection points.

If a Fancy Bear shits in the DNS woods but there’s no one there to see it, did it really happen?

But there was, in fact, a way to anticipate it might get seen.

As the Sussmann indictment vaguely alluded to and this NYT story laid out in detail, researchers found the DNS anomalies in the context of preparing a bid for a DARPA research contract.

The involvement of the researchers traces back to the spring of 2016. DARPA, the Pentagon’s research funding agency, wanted to commission data scientists to develop the use of so-called DNS logs, records of when servers have prepared to communicate with other servers over the internet, as a tool for hacking investigations.

DARPA identified Georgia Tech as a potential recipient of funding and encouraged researchers there to develop examples. Mr. Antonakakis and Mr. Dagon reached out to Mr. Joffe to gain access to Neustar’s repository of DNS logs, people familiar with the matter said, and began sifting them.

Separately, when the news broke in June 2016 that Russia had hacked the Democratic National Committee’s servers, Mr. Dagon and Ms. Lorenzen began talking at a conference about whether such data might uncover other election-related hacking.

The DOD bidding process provided public notice that DARPA was asking researchers to explore multiple ways, including DNS traffic, to attribute persistent hacking campaigns in real time.

The initial DARPA RFP was posted on April 22, 2016, ten days before the anomalous traffic started but well after the Russian hacking campaign had launched (documents FOIAed by the frothers reveal that the project was under discussion for months before that). This RFP provided a way for anyone who tracked DOD contracts closely to know that people would be looking and the announcement itself included DNS records and network infrastructure among its desired measurements. Depending on the means by which DARPA communicated about the contract, it might also provide a way to find out who would be looking and how and where they would be looking, though as I understand it, the team at Georgia Tech would have been an obvious choice in any case.

Phil tracked DOD contracts very closely. In September 2016, for example, he sent me a text alerting me to a new Dataminr contract just 66 minutes after I published a post about the company (I later wrote up the contract).

Phil also told me, verbally, he was checking what contracts DOD had with one of the US tech companies for which a back door was exposed in summer 2016. He claimed he was doing so to see how badly the government had fucked itself with its failure to disclose the vulnerability. By memory (though I am not certain), I believe it was Juniper Networks, in the wake of the Shadow Brokers release of an NSA exploit targeting the company.

And even on top of Phil’s efforts to convince me that the DNC hack wasn’t done by APT 28, DOJ has other evidence that Phil tracked APT attribution efforts closely, even using official government resources to do so. So it would be unsurprising if he had taken an interest in a contract on APT attribution in real time.

Durham may have access to some or all of this

Durham insinuates the DNS records are faked and he appears to want to blame Lorenzen for faking them. But he may be ignoring evidence in DOJ’s possession that someone else who, I’ve now confirmed, played at least a minor role in pushing the Alfa Bank story was using Internet routing records, possibly faked, to support a false story in May 2016.

To be sure: while I know the investigation into Phil continued at least the better part of a year after my FBI interview about him, any feedback I’ve gotten about that investigation has been deliberately vague. So aside from the obvious things – like the Twitter records that would show Phil’s DMs with Krypt3ia and Nicole Perloth – I can’t be sure what is in DOJ’s possession.

I don’t even know whether the 302 from my FBI interview would mention Phil’s pitch of the Alfa Bank story to me. It was on a list of the things I had intended to describe in that interview. But I didn’t work from the list in the interview itself and I have no affirmative memory of having mentioned it. If I did, it would have amounted to me saying little more than, “he also was pushing the Alfa Bank story.”

That said, unless the FBI agents were epically incompetent, my 302 should mention Alfa Bank, because I’m absolutely certain I raised this post and its emphasis on the inclusion of Alfa Bank in an alarming April 2017 BGP hijack.

And in fact, there’s a way Durham could have found out about Phil’s role in the Alfa Bank story independent of my FBI interview. Of just two people in the US government with whom I shared some of the Alfa Bank-related texts I exchanged with Phil (both were Republicans), one was centrally involved in the investigations that fed into the Durham investigation. If this stuff matters, Durham should ask why several of his key source investigations didn’t focus on it.

Durham should know that Phil had a role in the Alfa Bank story.

And given his insinuations in the indictment that Lorenzen fabricated DNS data in May 2016, making the insinuation part of his materiality claims, Durham may be obligated to tell Michael Sussmann that DOJ already knows of someone who was pushing the Alfa Bank story who used DNS data to tell a false story in May and June 2016.

John Durham’s Top Prosecutor, Andrew DeFilippis, Allegedly Miffed that DARPA Investigated Guccifer 2.0

Vladimir Putin’s invasion of Ukraine and the sanctions imposed as a result have led lawyers in the US to drop the now-sanctioned Alfa Bank and its owners, leading to the dismissal of the John Doe, BuzzFeed, and Fusion GPS lawsuits filed by Alfa Bank or its owners. That has, for now, brought an end to a sustained Russian effort to use lawfare to discover “U.S. cybersecurity methods and means” (as some of Alfa’s targets described the effort).

But the dismissal of the Alfa Bank suits hasn’t halted the effort to expose US cybersecurity efforts in the guise of pursuing right wing conspiracy theories. Both Federalist Faceplant Margot Cleveland and “online sleuths” goaded, in part, by Sergei Millian have picked up where Alfa Bank left off. In recent days, for example, documents obtained via a Federalist FOIA to Georgia Tech exposed the members of a cybersecurity sharing group, including a bunch at Three-Letter Agencies, which has little news value but plenty of intelligence value to America’s adversaries (these names were released even while someone — either Georgia Tech or the Federalist — chose to redact the contact information for Durham’s investigators, some of which is otherwise public).

Even while doing her part to make America less safe (raising the perennial question of who funds the Federalist), Cleveland has continued to do astounding work misrepresenting Durham’s investigation. From the same FOIA release, she published a document in which research scientist Manos Antonakakis described that chief Durham AUSA Andrew DeFilippis insinuated to him that it was abusive for DARPA to try to discover the network behind the Guccifer 2.0 persona.

Finally, I will leave you with an anecdote and a thought. During one of my interviews with the Special Counsel prosecutor, I was asked point blank by Mr. DeFilippis, “Do you believe that DARPA should be instructing you to investigate the origins of a hacker (Guccifer_2.0) that hacked a political entity (DNC)?” Let that sink for a moment, folks. Someone hacked a political party (DNC, in this case), in the middle of an election year (2016), and the lead investigator of DoJ’s special counsel would question whether US researchers working for DARPA should conduct investigations in this matter is “acceptable”! While I was tempted to say back to him “What if this hacker hacked GOP? Would you want me to investigate him then?”, I kept my cool and I told him that this is a question for DARPA’s director, and not for me to answer.

Assuming this is an accurate description, this is a shocking anecdote, a betrayal of US national security.

It suggests that Durham’s lead prosecutor doesn’t believe the government should throw its most innovative research at a hostile nation-state attack while that nation-state is attempting to influence an election. Sadly, though, it’s not surprising.

It is consistent with things we’ve seen from Durham’s team throughout. It’s consistent with Durham’s treatment of a loose tie between an indirect and unwitting Steele dossier source and the Hillary campaign as a bigger threat than multiple ties to Russian intelligence (or Dmitry Peskov’s office, which knew that Michael Cohen and Donald Trump were lying about the former’s secret communications with Peskov’s office). It is consistent with Durham’s more recent suggestion that the victim of such a nation-state attack must wait until after an election to report a tip that might implicate her opponent.

I almost feel like DeFilippis will eventually say Hillary should have just laid back and enjoyed being hacked in 2016.

DeFilippis, and Durham generally, have consistently treated Hillary as a far graver threat than Russia, even now, even as Russia conducts a barbaric invasion of a peaceful democracy.

But Antonakakis’ anecdote is all the more troubling because it suggests that DeFilippis seems to misunderstand what happened with the DARPA contract in question in 2016. The Enhanced Attribution RFP’s description of the hacking campaigns it was targeting — “multiple concurrent independent malicious cyber campaigns, each involving several operators” — pretty obviously aims to tackle Advanced Persistent Threats, of which APT 28 and 29 (both of which targeted the DNC) were among the most pressing in 2016. DARPA presumably didn’t ask Antonakakis to focus on Guccifer 2.0 — a persona which didn’t exist when the contract was put up for bid in April 2016, much less in the months earlier when it was originally conceived. Rather, by description, they were asking bidders to look at APTs, and looking at APT 28 would have happened to include looking at Guccifer 2.0, the DNC hack, and a number of hacks elsewhere in the US and the world. The reason DARPA would ask Georgia Tech to look at APT 28 is because APT 28 was hacking a lot of targets in the time period, all of which provided learning sets for a researcher like Antonakakis. DeFilippis, then, seems miffed that the APT that DARPA wanted to combat happened to be one of two that targeted Hillary.

That’s a choice Russia made, not DARPA.

While I think Cleveland did serious damage with some of her releases, I’m glad she released this document because it provides a way for Michael Sussmann to make DeFilippis’ troubling views on national security a central issue at trial, something that normally is difficult to do.

It also provided Cleveland another opportunity to faceplant in spectacular trademark Federalist fashion. Cleveland used this document to rile up the frothers by suggesting this is proof that Durham is investigating the DNC attribution.

Exclusive: Special Counsel’s Office Is Investigating The 2016 DNC Server Hack

The U.S. Department of Defense tasked the same Georgia Tech researcher embroiled in the Alfa Bank hoax with investigating the “origins” of the Democratic National Committee hacker, according to an email first obtained by The Federalist on Wednesday. That email also indicates the special counsel’s office is investigating the investigation into the DNC hack and that prosecutors harbor concerns about the DOD’s decision to involve the Georgia Tech researcher in its probe.

[snip]

The public storyline until now had been that CrowdStrike, the cybersecurity firm Sussmann hired in April 2016, had concluded Russians had hacked the DNC server, and that the FBI, which never examined the server, concurred in that conclusion. Intelligence agencies and former Special Counsel Robert Mueller likewise concluded that Russian agents were behind the DNC hack, but with little public details provided.

It now appears that DARPA had some role in that assessment, or rather Antonakakis did on behalf of DARPA, which leads to a whole host of other questions, including whether DARPA had access to the DNC server and data and, if so, from whom did the DOD’s research arm get that access? Was it Sussmann?

There’s no reason to believe this and every reason to believe that — as I said — DeFilippis is pissed that DARPA prioritized their research on a target that was badly affecting national security (and not just in US, but also in allied countries) in 2016, one that happened to attempt to help Trump get elected.

But look how many errors Faceplant’s Cleveland made in the process:

Cleveland repeats the Single Server Fallacy, imagining that the DNC, DCCC, and Hillary had just one server between them to be hacked and all the servers that got hacked were in the possession of one of those victims. That’s, of course, ridiculous. The server that GRU hacked to get John Podesta’s emails belonged to Google. The server that GRU hacked to get Hillary’s analytics belonged to AWS. There was a staging server in AZ; I have been told that the FBI seized at least one US-based server that did not belong to the DNC (that server is why the frothy right’s focus on what Shawn Henry testified to HPSCI is so painfully ignorant — because it ignores that the FBI had access to servers that Henry did not that did show exfiltration).

Cleveland apparently doesn’t know that FBI knew who was hacking the DNC when they warned them starting in September 2015 they were being hacked. The FBI’s awareness of that not only explains why APT 29 and 28 would have been included in DARPA’s targets for EA, but proves that the government was tracking these hacking groups above and beyond the attack on Hillary. This was never just a reaction to the election year hack.

Cleveland claims Mueller’s attribution of the DNC hack to the GRU provided “little public details,” when in fact the Mueller Report showed 29 sources other than CrowdStrike, including:

  • Gmail
  • Linked-In
  • Microsoft
  • Facebook
  • Twitter
  • WordPress
  • ActBlue
  • AWS
  • AOL
  • Smartech Corporation
  • URL shortening service
  • Bitcoin exchanges
  • VPN services

According to Mueller’s report, all these sources also corroborated the GRU attribution. And Mueller’s list doesn’t include a number of other known entities that corroborated the attribution, including NSA and Dutch intelligence, which couldn’t be named in a public DOJ document. Mueller’s list doesn’t include Georgia Tech either, but it wouldn’t need to, because there was so much other evidence.

The Mueller Report described obtaining almost 500 warrants, but the released list — from which FBI’s Cyber Division successfully withheld those pertaining to the GRU investigation — only includes around 370-400 warrants (based on 156 pages of warrants with roughly three per page), suggesting there may be 100 warrants tied to the GRU attribution alone.

By the time Antonakakis started looking at the DNC hack as part of EA, multiple entities, including several Infosec contractors, non-US intelligence services, and non-governmental entities like tech giants (including at least three of the ones on Mueller’s list), had plenty of evidence that the Guccifer 2.0 campaign was run by APT 28. Including Guccifer 2.0 as part of the research set would simply be part of the existing targeting of a dangerous APT.

But apparently neither DeFilippis nor Cleveland understands that 2016 was part of an ongoing identified threat to US national security.

One thing Putin did in 2016 was to use disinformation to train the frothy right to favor Russia more than fellow Americans from the opposing party. Even as Russia attacks Ukraine, that still seems to be true.

The Odd Projection by the Steele Dossier’s Claimed Alfa Bank Source

Way back in March 2017, I noted that there was a clear feedback loop behind the Steele dossier. As part of that post, I noted how weird the single report on Alfa Bank in the dossier was. Rather than writing damning information about Trump — which was the entire point of the dossier — it instead described the relationship between Putin and a guy named Oleg Govorun, who the dossier claimed worked for Alfa in the 1990s (that date was wrong but not the affiliation).

Consider report 112, dated September 14. It pertains to “Kremlin-Alpha Group Cooperation.” It doesn’t have much point in a dossier aiming to hurt Trump. None of his associates nor the Russian DNC hack are mentioned. It does suggest that Alfa Group had a “bag carrier … to deliver large amounts of illicit cash to” Putin when he was Deputy Mayor of St. Petersburg, though describes the current relationship as “both carrot and stick,” relying in part on kompromat pertaining to Putin’s activities while Deputy Mayor. It makes no allegations of current bribery, though says mutual leverage helps Putin “do his political bidding.”

As I said, there’s no point to have that Alfa Bank passage in a dossier on Trump. But it does serve, in its disclosure, to add a data point (albeit not a very interesting one) to the Alfa Server story that (we now know) FBI was already reviewing but which hadn’t been pitched to the press yet. In Corn’s piece, he mentions the Alfa Bank story but not the report on Putin’s ties to it. It may be in there because someone — perhaps already in possession of the Alfa Bank allegations — asked Steele to lay out more about Alfa’s ties with Putin.

Here’s one reason that’s interesting, though. Even aside from all the other reasons the Alfa story is dodgy, it was deliberately packaged for press consumption. Rather than the at least 19 servers that Trump’s spam email was pinging, it revealed just two: Alfa Bank and Spectrum Health (the latter of which got spun, anachronistically, as a DeVos organization that thus had to be tight with Trump). Which is to say, the Alfa story was dodgy and packaged by yet unknown people.

Even though the report didn’t say anything really damning about current Alfa bank personnel, the oligarchs who own the bank have nevertheless engaged in protracted lawfare that seems set on ruining those behind the dossier. As part of the lawsuit against Fusion GPS, the Alfa oligarchs recently submitted declarations from the presumed sources of Igor Danchenko, Steele’s primary subsource. (And yes, two of these declarations claim to be Subsource 4, in both English and Russian.)

Subsource 1: Sergey Vladimirovich Abyshev

Subsource 2: Ivan Mikhailovich Vorontsov

Subsource 3: Olga Aleksandrovna Galkina

Subsource 4: Alexey Sergeyevich Dundich

Subsource 4: Ivan Ivanovich Kurilla

Subsource 5: Lyudmila Nikolayevna Podobedova

With the exception of Galkina, all of these purported subsources state that they have not read the dossier except for the Alfa Bank report, and then assert that they were not a source for the dossier. For example, this is how Dundich disclaimed being a source for the dossier as a whole, which he is sure is low-quality, while admitting he only read one report from it.

I am aware of the Steele Dossier (“Dossier”), but I have never read it save for Company Intelligence Report 112 (“CIR 112”).

[snip]

In contrast to what Mr. Danchenko told U.S. authorities, I was not a “source” of information for the Dossier. I never gave Mr. Danchenko (or anyone else) any information associated with the contents of the Dossier, including CIR 112, Mr. Fridman, Mr. Aven, Mr. Khan, or Alfa. I believe that Mr. Danchenko framed me as Sub-Source 4 to add credibility to his low-quality work, which is not based on real information or in-depth analysis.

Even Galkina, who stated that she had read the dossier when it was published by BuzzFeed, issues a non-denial denial, stating only that when she traveled to the US in 2016 she and Danchenko did not discuss anything about the dossier (the FBI interviewed her in August 2017, which she doesn’t mention here, and she does travel to the States, so she’d be at risk of prosecution if she said anything conflicting with her prior statements or material known to have been obtained from her via FISA 702).

Mr. Danchenko and I met once in 2016. In connection with my job at Servers.com, I traveled to the United States in the spring of 2016 to participate in the Game Developers Conference event and investigate the prospects of running a public relations campaign for the company in the United States. I asked Mr. Danchenko to assist those efforts, and he introduced me to a third party, Charles Dolan, whom he thought could help. Mr. Danchenko and I did not discuss anything related to the Dossier or its contents during this meeting.

But she doesn’t describe her communications with Danchenko via phone and text, which is how Danchenko said he got some of the most important stories sourced to her. And a later denial in her declaration seems to be a (poorly translated) denial limited to providing information specific to the Alfa Bank materials, not a denial of providing other information in it.

I did not provide Mr. Danchenko (or anyone else) with any information mentioned in the Dossier and that was connected to Mr. Fridman, Mr. Aven, Mr. Khan, or Alfa. I believe that Mr. Danchenko identified me as Sub-Source 3 to create more authoritativeness for his work.

In short, none of these declarations amounts to a denial of having provided Danchenko the information that appears in the dossier: the other declarants say they have read only the Alfa Bank report, and the one person who has actually read the dossier, Galkina, doesn’t deny that she provided information (that said, her information was some of the most likely to be deliberate disinformation).

These declarations, then, don’t do what a filing attempting to use them to force Danchenko to sit for a deposition claims they do: make general denials of being a source for the dossier.

Even more importantly, Mr. Danchenko’s claimed sub-sources have now denied, under penalty of perjury, providing Mr. Danchenko with information related to the contents of the dossier generally or with respect to CIR 112 and Plaintiffs specifically.7

Galkina’s the only one who’d be able to make such a denial, and she doesn’t do so in her declaration.

But I find Abyshev’s denials of interest for other reasons. He admits that he and Vorontsov met with Danchenko on June 15, 2016 and claims that Danchenko got very drunk (earlier he claimed that Danchenko had a drinking problem for a year or two after the compilation of the dossier).

I met with Mr. Danchenko once in 2016, the year that, as I understand, the Dossier was prepared. On June 15, 2016, Mr. Danchenko, Ivan Vorontsov, and I met in Moscow. I recall that Mr. Danchenko appeared very intoxicated and was not able to maintain a conversation. During the meeting, I spoke with Mr. Vorontsov about investments and finance. I do not recall any conversation related to the contents of the Dossier, including allegations related to CIR 112, Mr. Fridman, Mr. Aven, Mr. Khan, or Alfa. This was my last meeting with Mr. Danchenko.

He further admits that Danchenko raised Alfa on a phone call with him at some time that year, but claims he told Danchenko the subject was inappropriate and that he should go find the answers to the questions himself.

On one occasion, during a phone call in 2016, Mr. Danchenko asked me how close Mr. Fridman is to President Putin and whether Mr. Fridman had met with President Putin in 2016. I did not respond to Mr. Danchenko’s questions. Instead, I made it clear that the questions were inappropriate and that Mr. Danchenko should seek out answers to them himself.

This denial comes on top of Abyshev’s more general denial about being a source for the report in question.

Contrary to what Mr. Danchenko told U.S. authorities, I was not a “source” of the Dossier. I never provided Mr. Danchenko (or anyone else) with any information related to the contents of the Dossier, including CIR 112, Mr. Fridman, Mr. Aven, Mr. Khan, or Alfa.

On this point, Abyshev’s denial is the only one that is really pertinent, because he’s the only one that Danchenko mentioned in his FBI interview in conjunction with this report (the FBI interviewed Danchenko two more times after this, but those interviews must not be helpful for Trump, because Republicans have never demanded those reports be declassified).

While Danchenko seems to suggest that Source 1, Abyshev, was involved in this story, he doesn’t actually say that. Instead, he explained that he had been working on this story for ten years and that Source 1 had provided him other information on corruption unrelated to Alfa.

That’s interesting, not least because Vorontsov actually said that if you wanted information about the oligarchs running Alfa, you’d look outside of Russia (probably London).

I do not believe that Mr. Danchenko asked anyone inside Russia about Mr. Fridman, Mr. Aven, or Mr. Khan. If Mr. Danchenko were interested in those individuals, he would have sought information from people living outside Russia who would have greater knowledge of Mr. Fridman, Mr. Aven, and Mr. Khan.

In Vorontsov’s opinion, this is the part of the dossier for which Danchenko wouldn’t need a source in Russia.

Here’s where things get interesting. Like everyone save Galkina, Abyshev says the only part of the dossier he read was the Alfa Bank report.

I am aware of the so-called Steele Dossier (“Dossier”), but I have never read it save for the Russian translation of Company Intelligence Report 112 (“CIR 112”), which raises various allegations about Mikhail Fridman, Petr Aven, German Khan, and Alfa.

Despite not having read the dossier, however, Abyshev claims that Danchenko’s job was to substantiate stories his clients want him to tell.

My understanding of Mr. Danchenko’s information-gathering process is that he first receives a story from his clients that he then must substantiate in any manner possible

This actually conflicts with Danchenko’s FBI interview, at least part of which Abyshev claims to have read, in which Danchenko says he tried to find information on Paul Manafort but failed to find much.

More interesting still, Abyshev offers up this explanation for what Danchenko was doing.

I infer from my interactions with Mr. Danchenko, from that 2016 telephone conversation, and from the content of what was ultimately published in CIR 112, that Mr. Danchenko had a working theory regarding the relationship between Alfa and its shareholders on the one hand, and President Putin on the other, and that Mr. Danchenko was fishing for information that would fit that preconceived narrative.

I believe it is likely that someone ensured that CIR 112 was included in the Dossier in an effort to persuade U.S. authorities to sanction Mr. Fridman, Mr. Aven, Mr. Khan, and Alfa.

I find that interesting, first because decades-old allegations of corruption would not substantiate a sanctions designation; Abyshev’s claim makes no sense given the content that ended up in the report.

More interesting still is how closely Abyshev’s claims match Petr Aven’s testimony to Mueller’s team about how Putin pressured him to try to set up a back channel with Trump’s team during the transition by warning that Alfa would be sanctioned in the aftermath of the 2016 election.

Aven told the Office that he is one of approximately 50 wealthy Russian businessmen who regularly meet with Putin in the Kremlin; these 50 men are often referred to as “oligarchs.”977 Aven told the Office that he met on a quarterly basis with Putin, including in the fourth quarter (Q4) of 2016, shortly after the U.S. presidential election.978 Aven said that he took these meetings seriously and understood that any suggestions or critiques that Putin made during these meetings were implicit directives, and that there would be consequences for Aven if he did not follow through.979 As was typical, the 2016 Q4 meeting with Putin was preceded by a preparatory meeting with Putin’s chief of staff, Anton Vaino.980

According to Aven, at his Q4 2016 one-on-one meeting with Putin,981 Putin raised the prospect that the United States would impose additional sanctions on Russian interests, including sanctions against Aven and/or Alfa-Bank.982 Putin suggested that Aven needed to take steps to protect himself and Alfa-Bank.983 Aven also testified that Putin spoke of the difficulty faced by the Russian government in getting in touch with the incoming Trump Administration.984 According to Aven, Putin indicated that he did not know with whom formally to speak and generally did not know the people around the President-Elect.985

Aven [grand jury redaction] told Putin he would take steps to protect himself and the Alfa-Bank shareholders from potential sanctions, and one of those steps would be to try to reach out to the incoming Administration to establish a line of communication.986

[snip]

In December 2016, weeks after the one-on-one meeting with Putin described in Volume I, Section IV.B.1.b, supra, Petr Aven attended what he described as a separate “all-hands” oligarch meeting between Putin and Russia’s most prominent businessmen. 1167 As in Aven’s one-on-one meeting, a main topic of discussion at the oligarch meeting in December 2016 was the prospect of forthcoming U.S. economic sanctions. 1168

After the December 2016 all-hands meeting, Aven tried to establish a connection to the Trump team. Aven instructed Richard Burt to make contact with the incoming Trump Administration. Burt was on the board of directors for LetterOne (L1), another company headed by Aven, and had done work for Alfa-Bank. 1169 Burt had previously served as U.S. ambassador to Germany and Assistant Secretary of State for European and Canadian Affairs, and one of his primary roles with Alfa-Bank and L1 was to facilitate introductions to business contacts in the United States and other Western countries. 1170

I’ve always believed the Trump Tower server story to be an elaborate disinformation effort, which had the added benefit of drawing attention to Erik Prince but not the things that Prince was doing that were key to the Russian operation (his communications about which were done via garden-variety encrypted apps). I likewise always believed that Aven’s testimony might explain why Russia would craft such disinformation: not only to distract from the things that Prince and others really were doing, but to present a way to recruit Alfa’s oligarchs more centrally into Russia’s efforts to push back on sanctions, as oligarchs who weren’t as western-focused had long been.

Here, a filing in a lawsuit attempting to take maximal advantage of whatever success Russia had feeding an old nemesis of theirs disinformation as part of the larger 2016 operation makes the same argument that (according to Aven’s own testimony) Putin made to Aven, only insinuating that the argument would have come from Danchenko, not from a Russian disinformation source.

In addition to being Danchenko’s source on the pee tape (at that meeting where Abyshev says Danchenko was badly drunk), Abyshev is also someone Danchenko understood to have close ties to Russian intelligence, and who appears to have known of Danchenko’s tie to Steele.

The Ohr 302 Exemptions

As I noted yesterday, the FD-302s of FBI’s conversations with Bruce Ohr released to Judicial Watch the other day are unremarkable. The scope of Judicial Watch’s request left out the time periods — before Ohr was handed off to another FBI Agent after the election, and after Mueller was hired — that would be the most interesting. But what we do see shows that FBI first reached out to Ohr in an effort to assess the Steele dossier production, and Ohr was able and willing to chase down answers for the FBI that go to issues of credibility. Later, Steele reached out to Ohr in a panic about what would happen as Congress scrutinized his work more closely; in what we see, those conversations were not inappropriate (which is not to say I’m sympathetic to Steele’s concerns, given how he publicized his work). Though given Ohr’s notes, they may have been later in the year; at a minimum, they show how aggressively Steele was trying to prepare a public story that ended up being quite partial.

In my opinion, the FOIA exemptions are the most interesting aspect to the 302s. We can learn a bit from the things DOJ chose (or felt obligated) to protect. Here’s a short guide to FOIA exemptions and here’s DOJ’s more thorough one.

The less interesting redactions are for the following purposes:

  • b7C/b6: Protects privacy, used here to protect everything from Steele’s name to other sources
  • b7D: Protects confidential sources (both Steele and his sub-sources would get some protection)
  • b7E: Protects law enforcement techniques, including the bureaucracy of writing up 302s

Exemption b3 protects information protected by another statute, often the National Security Act. For example, that’s one of the exemptions (along with the privacy and law enforcement technique exemptions) used to protect boring bureaucratic details about the case file. But it’s interesting in one instance.

The discussions, starting on PDF 14, of how Steele was panicking about one of his sources are protected for privacy (b6/b7C), source (b7D), and statutory (b3) reasons (as well as, sometimes, law enforcement technique).

That’s interesting, because FBI is not saying this person’s identity is classified. Nor is it saying that this person is credibly at risk of being killed, which would be a b7F (which is what they’d use to protect our own recruited agents). But they are according Steele’s source some kind of statutory protection.

Exemption b1 protects classified information. In these discussions about someone who used to work as an intelligence officer for an ally and who continues to collect HUMINT, it’s a measure of what DOJ or other agencies consider genuinely classified (which doesn’t always line up with the initial or FOIA-review classification marks on the paragraphs). For example, a paragraph describing how Ohr first met Steele — which appears in unredacted form in Ohr’s congressional testimony as follows — is protected by both a b3 and a b1 exemption, presumably to protect references to MI6.

I believe I met Chris Steele for the first time around 2007. That was an official meeting. At that time, he was still employed by the British Government. I went to London to talk with British Government officials about Russian organized crime and what they were doing to look at the threat, and the FBI office at the U.S. Embassy in London set up a meeting. That was with Chris Steele. And there were other members of different British Government agencies there. And we met and had a discussion. And afterwards, I believe the agent and I spoke with Chris Steele further over lunch.

A more interesting redaction appears on PDF 8, in a series of paragraphs where the Agent was asking Ohr about his personal knowledge of certain aspects of Steele’s work, such as whether he had witnessed Steele’s meetings with Jon Winer. One of those paragraphs is redacted, in part for b3 and b1 reasons, and classified Secret. Whatever that protects, it’s a reminder that Ohr and Steele had real discussions about organized crime in the past.

By far the most interesting exemptions, however, are what FBI has chosen to protect because of ongoing investigations, exemption b7A, starting with what they have not protected: these conversations, generally.

The frothy right believes that Bruce Ohr should go to prison because he shared information about suspected Russian crimes with other experts in the subject. Ohr’s role in the dossier has presumably been under scrutiny for some time as part of DOJ IG’s investigation into the basis for Carter Page’s FISA application. In addition, Christopher Steele and Glenn Simpson have both been referred to DOJ for suspected lies to Congress, the latter more credibly than the former. With one significant possible exception, there’s nothing in these 302s that has been protected for either of those reasons. Ohr’s earlier and later conversations with Steele would be more pertinent to those inquiries (and there’s reason to believe the later ones are being treated as such), but some of these 302s would clearly be too. But FBI has determined they can release these files. That’s interesting, especially, because of the history of this FOIA:

  • August 6, 2018: Initial Judicial Watch FOIA
  • September 10, 2018: JW sues
  • March 15, 2019: DOJ tells JW the files are being withheld in full
  • March 22, 2019: Conclusion of Mueller investigation
  • April 1, 2019: Status report states that FBI is evaluating impact of conclusion of that investigation on FOIA
  • May 8, 2019: DOJ still considering whether FBI can release the files
  • July 25, 2019: DOJ decides it can release the files in part

As recently as August 5, DOJ said it was “still engaged in internal discussions about the redactions necessary to release the requested records to the public.” In other words, a very recent review of these files has determined that files showing how FBI handled the mid-term discussions between Christopher Steele and Bruce Ohr may be released to the public.

The big possible exception pertains to details of the original conversation on Trump and Russia with Steele.

Steele’s initial conversation

The paragraph describing what Steele first told Ohr back on July 30, 2016 is redacted for b1, b3, and b7A reasons.

The redactions in this passage include the entirety of Steele’s explanation for the “over a barrel” comment, which is interesting because other agencies have released these details (which may name the people boasting they had kompromat on Trump). The paragraph also redacts part of the discussion of Deripaska preparing to bring details on Paul Manafort’s “theft” from him to US authorities. That may be for privacy reasons, but — assuming the order is the same in the interview and the notes, and it seems Ohr was reading verbatim — both are redacted for ongoing investigation reasons in Ohr’s notes released in December.

That Page, as seems to be the case, was not redacted as part of an ongoing investigation in either of these suggests the early Ohr conversation is not one being scrutinized by DOJ IG on the FISA application (especially given that the notes were released in December, well before the IG had come close to finishing, as has been reported).

Note that Ohr turned over to the Agent notes from both during and after the meeting with Steele. Only the notes from during the meeting were released in December, meaning the notes he wrote after the meeting must be among the 6 pages of Ohr’s notes withheld in that December release, in part to protect an ongoing investigation (that could be consistent both with the known DOJ IG investigation into the origins of the investigation and with an investigation into those two allegations).

One other thing in that first interview pertains, per the redaction, to an ongoing investigation: a discussion of a post-Ukrainian invasion meeting involving Ohr, Steele, and oligarchs (possibly, though not definitely, Russian).

The description seems to match a meeting Steele is known to have set up with Deripaska (though that meeting was in 2015).

Oleg Deripaska

The treatment of one known Deripaska reference and of this reference to cultivating oligarchs as sources (earlier in 2016, Steele had been trying to get DOJ to use Deripaska as a source) is particularly interesting given that what appear to be additional Deripaska references are also redacted to protect an ongoing investigation.

A significant chunk of the 302 memorializing the February 6, 2017 interview protects an ongoing investigation.

There are good reasons to think this is a reference to Deripaska. Steele worked for Deripaska lawyer Paul Hauser, and Deripaska was interviewed in September 2016. Deripaska would be directly implicated in the election (Deripaska himself was sanctioned in April 2018).

This may reflect a conversation directly with Hauser, though, as the Steele reference in this interview was covered entirely in a WhatsApp chat. Given the redaction, it’s also possible that Ohr took notes, which would be among the 6 pages not turned over because of an ongoing investigation.

And while less definitive, this passage from the February 14 interview, referring to which lawyers Steele was working for, could also be the Hauser work.

Given the withholdings on Ohr’s note from the meeting, the ongoing investigation does pertain to Steele’s client.

If it is Deripaska, it would suggest that Steele was financially dependent on his Deripaska work, as the other client mentioned, Bilfinger, wasn’t paying him (which he complained about to Ohr).

[Note, this note also has what looks like a reference to “Snowden report,” which makes absolutely no sense to me, so I assume I’m misreading it.] Update: This is likely a reference to the report, from the day before, that Russia was offering Snowden to Trump.

It has long been troubling that Steele had an ongoing relationship with Deripaska during the time he worked on the dossier. It’s clear that Deripaska used Steele to misinform DOJ that he was upping the pressure on Manafort, hiding that Manafort was instead making a desperate — and somewhat successful bid — to get back on Deripaska’s payroll.

A good deal of the ongoing investigation redactions in these Ohr 302s suggest DOJ continues to be interested in all that, as well.

Alfa Bank

The other ongoing investigation redactions are far more surprising, as they suggest (though this is far less definitive than the Deripaska tie) that DOJ may continue to investigate … something pertaining to the Alfa Bank allegations.

The initial reference to Alfa Bank, from the November 22, 2016 interview and discussing his September 2016 meeting with Glenn Simpson, is not protected as part of an ongoing investigation — though what appears to be a continuation of a discussion of it is treated as classified.

But a follow-up reference to Alfa Bank does seem to be redacted as part of an ongoing investigation. These two paragraphs from the December 12, 2016 interview of Ohr, at PDF 11, have just one exemption explanation between them, including the b7A ongoing investigation one.

It’s certainly possible that the second paragraph is unrelated, and that’s what pertains to the ongoing investigation. But treating them as the same FOIA exemptions suggests they’re related.

In the same interview, Ohr explained that when he asked Simpson if he was concerned about his personal safety, Simpson,

mentioned that someone called and asked him to find out where all of the Alfa Bank stories were coming from. Simpson did not state this was a threat from the Russians, but that was the impression made upon OHR based upon the timing of the comment and using that story as a response to OHR’s question.

This seems to suggest more than one Alfa Bank story.

Also note two things. First, when the NYT first got the story of Jared Kushner’s “back channel” meeting with Sergey Gorkov, they had it as a meeting with Alfa Bank (though they misspelled it the same way Steele’s dossier did). That meeting would take place on December 13, four days after Simpson raised whatever crazy tip he got.

Kushner agreed to meet with Gorkov. 1151 The one-on-one meeting took place the next day, December 13, 2016, at the Colony Capital building in Manhattan, where Kushner had previously scheduled meetings. 1152

Also, during this period, Petr Aven was trying to reach out to Trump’s people on direct orders from Putin.

In December 2016, weeks after the one-on-one meeting with Putin described in Volume I, Section IV.B.1.b, supra, Petr Aven attended what he described as a separate “all-hands” oligarch meeting between Putin and Russia’s most prominent businessmen. 1167 As in Aven’s one-on-one meeting, a main topic of discussion at the oligarch meeting in December 2016 was the prospect of forthcoming U.S. economic sanctions. 1168

After the December 2016 all-hands meeting, Aven tried to establish a connection to the Trump team. Aven instructed Richard Burt to make contact with the incoming Trump Administration

It’s highly unlikely that Simpson got wind of any of those things; we would have heard about it. I raise these other instances not because I think Simpson had them, but because it’s clear Mueller chased these Alfa leads much further than we otherwise knew, and the leads themselves still seem not to have amounted to anything (even while showing that Putin leveraged the threat of election-related sanctions on the one bank that was legally acceptable in the west at the time, Alfa, to get its oligarch to join his efforts to cultivate Trump).

These Alfa allegations all still seem to be fluff. But even so, the redactions in the second reference may suggest there’s something here of continued interest to the FBI.

Update: I’ve taken out Bill Priestap’s name, as that was incorrect reporting when this came out.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.