Posts

Why Accuracy about Wikileaks Matters

Let me preface this post by saying that I’m perfectly willing to accept that Julian Assange is a narcissist, accused rapist, destructive hypocrite serving as a willful tool of Russia. I’m also happy to concede that his role in publishing the DNC and Podesta emails may have played a significant part in getting Donald Trump elected (though I think it’s down the list behind Comey and Hillary’s own (in)actions). Please loathe Julian Assange–that is your right.

But please, also, try to be accurate about him and Wikileaks.

There have been two funny claims about Wikileaks since the leak of hacked emails from Emmanuel Macron associates was announced on 4Chan on Friday. First, analysis of how the hashtag #MacronLeaks spread emphasized that Wikileaks got more pickup than right wing propagandist Jack Posobiec or the other right wing promoters of it.

The most important surge came when WikiLeaks began tweeting the hashtag. The tweet itself was cautious, pointing out that the leak “could be a 4chan practical joke,” but it was retweeted over 2,000 times, compared with over 600 times for Posobiec.

Yet people have taken that to suggest that everyone who shared Wikileaks’ links to the materials were themselves promoting the emails positively. That is, they ignored the extent to which people share Wikileaks tweets critically, which itself added to the buzz about the dump. The surge in attention, in other words, was in part critical attention to what Wikileaks was doing with respect to the leak.

More troubling, still, outlets including NPR claimed that Wikileaks posted the documents (it has since issued a correction).

Finally, there are absurd pieces like this which, after babbling that, “Macron, by contrast, is favored by those who want … a France looking to the future rather than clinging to the fearful and fictional nostalgia promulgated by Le Pen,” states,

Literally at the 11th hour, before the blackout would silence it, the Macron campaign issued a statement saying it had been hacked and many of the documents that were dumped on the American 4Chan site and re-posted by Wikileaks were fakes.

On top of being poorly edited — Macron’s statement said nothing at all about who dumped the documents — the claims as to both 4Chan and Wikileaks are not technically correct. The documents weren’t dumped on 4Chan, a post on 4Chan included a link to a Pastebin with them. More importantly, Wikileaks didn’t “re-post” them, though it did post magnet links to them.

The importance of the distinction becomes evident just two paragraphs later when the article notes that some of the tweets in which Wikileaks linked to the documents described the vetting process it was undertaking.

Meanwhile, Wikileaks jumped on the document dump, but didn’t seem to be familiar with the material in it. Responding to the Macron statement that some of the items were bogus, Wikileaks tweeted, “We have not yet discovered fakes in #MacronLeaks & we are very skeptical that the Macron campaign is faster than us.”

Curiously, the article doesn’t link to WL’s first tweet, posted less than an hour after the 4Chan post, which said it could be a 4Chan practical joke.

In any case, contrary to what some idiotic readings of this article claim — that Macron succeeded in fooling Wikileaks — in fact, Macron has not succeeded, at least not yet, because Wikileaks has not posted the documents on its own site (Wikileaks could yet claim it had determined the documents to be real only to have Macron present proof they weren’t). Indeed, while Wikileaks expressed skepticism from the start, one thing that really raised questions for Wikileaks was that Macron so quickly claimed to have determined some were fake.

Plus, it’s not actually clear that Macron did fool the hackers who passed them onto the 4Chan source. Here’s the full description from Mounir Mahjoubi, the head of Macron’s digital team, on what their counteroffensive looked like.

“We also do counteroffensive against them,” says Mahjoubi.

[snip]

“We believe that they didn’t break through. We are sure of it,” said Mahjoubi. “But the only way to be ready is to train the people. Because what happened during the Hillary Clinton campaign is that one man, the most powerful, [campaign chairman] John Podesta, logged on to his [fake] page.”

To keep the entire Macron campaign aware of such dangers, Mahjoubi said, “Every week we send to the team screen captures of all the phishing addresses we have found during the week.” But that’s just the first phase of the response. Then the Macron team starts filling in the forms on the fake sites: “You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.”

If Mahjoubi was being honest about his certainty the hackers didn’t succeed, then the campaign would have no reason or means to feed disinformation. And the details offered here appear to be about disinformation in response to phishing probes — that is, disinformation about metadata — not disinformation about content.

But now, between the Daily Beast’s gloating and the sharing of it with even less factual gloating, coupled with Macron’s quick declaration that the dump included fake documents, raises real (but potentially unjustified!) questions about whether the campaign added the Cyrillic metadata that got so much attention. Not only has Wikileaks’ vetting process not (yet) been exposed as a fraud, but the reporting may create even more distrust and uncertainty than there was. [Note, I posted a tweet to that effect that I have deleted now that I’m convinced there’s no evidence Macron faked any documents.]

Moreover, even if it is the case that GRU hacked Macron and Wikileaks would have happily published the emails if they passed its vetting process (which are both likely true), Wikileaks didn’t get and post the documents, which itself is worth noting and understanding.

In other words, some inaccuracies — and the rush to gloat against Wikileaks — may actually have been counterproductive to the truth and even the ability to understand what happened.

And this is not the only time. The other most celebrated case where inaccurate accusations against Wikileaks may have been counterproductive was last summer when something akin to what happened with the Macron leak did. Wikileaks posted a link to Michael Best’s archived copy of the AKP Turkish emails that doxed a bunch of Turkish women. A number of people — principally Zeynep Tufekci — blamed Wikileaks, not Best, for making the emails available, and in so doing (and like the Macron dump) brought attention to precisely what she was rightly furious about — the exposure of people to privacy violations and worse. Best argues that had Tufekci spoken to him directly rather than writing a piece drawing attention to the problem, some of the harm might have been avoided.

But I also think the stink surrounding Wikileaks distracted focus from the story behind the curious provenance of that leak. Here’s how Motherboard described it.

Here’s what happened:

First, Phineas Fisher, the hacker notorious for breaching surveillance companies Hacking Team and FinFisher, penetrated a network of the AKP, Turkey’s ruling party, according to their own statement. The hacker was sharing data with others in Rojava and Bakur, Turkey; there was apparently a bit of miscommunication, and someone sent a large file containing around half of akparti.org.tr’s emails to WikiLeaks.

WikiLeaks then published these emails on July 19, and as some pointed out, the emails didn’t actually seem to contain much public interest material.

Then Phineas Fisher dumped more files themselves. Thomas White, a UK-based activist also known as The Cthulhu, also dumped a mirror of the data, including the contentious databases of personal info. This is where Best, who uploaded a copy to the Internet Archive, comes in.

Best said he didn’t check the contents of the data beforehand in part because the files had already been released.

“I was archiving public information,” he said. “Given the volume, the source, the language barrier and the fact that it was being publicly circulated already, I basically took it on faith and archived a copy of it.”

Without laying out all the details here, I think there are some interesting issues about this hack-and-leak that might have gotten more scrutiny if the focus weren’t Wikileaks. But instead, the focus was entirely on what Wikileaks did (or actually, on blaming Wikileaks for what Best did), rather than how the hack-and-leak really happened.

I get that people have the need, emotionally, to attack Assange, and I have no problem with that. But when emotion disrupts any effort to understand what is really going on, it may make it more difficult to combat the larger problem (or, as lefties embrace coverage of the Bradley Foundation based on hacked documents and more mass hack-and-leak reporting gets journalism awards, to set norms for what might be legitimate and illegitimate hack-and-leaks).

If you hate Assange, your best approach may be to ignore him. But barring that, there really is a case for aspiring to factual accuracy even for Wikileaks.

Update: Fixed description of what WL actually linked to — h/t ErrataRob.

Update: This article provides more detail on the hack and Macron’s attempts to counter the hackers.

“Il y a des dossiers qui ont été ajoutés à ces archives. Des dossiers dont on ne sait pas à quoi ils correspondent. Qui ne sont pas des dossiers d’emails, par exemple. Ensuite, il y a des faux emails qui ont été ajoutés, qui ont été complétés. Il y a aussi des informations que nous-même on avait envoyées en contre-représailles des tentatives de phishing !”, a expliqué Mounir Mahjoubi.

So some of the added documents (which, incidentally, are the ones that show Cyrillic metadata) are from someplace unknown, not the five hacked email boxes. There are fake emails, described has “having been completed,” which may mean (this is a guess) the hackers sent emails that were sitting in draft; if so there might be fake emails that nevertheless come with authenticating DKIM codes. The description of what the campaign did — counter-attacks to phishing attempts — is still not clear as to whether it is metadata (faked emails) or content, but still seems most likely to be metadata.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The FSB Purge: Two Narratives

I first mentioned the arrest of a Kaspersky researcher for treason last week.  Since then, more of the American press has been focusing on it, often simply assuming that what are now reported to be up to six arrests must have some tie to the Russian hack of the DNC and other election-related targets.

One way or another, the arrests—according to the Russian media accounts—are linked to the country’s hacking of the US election.

Such assumptions don’t even engage with some of the most obvious questions, such as what all these FSB-related arrests would have to do with the hack-and-leak of DNC and Podesta emails allegedly done by Russia’s military intelligence GRU.

Obviously, the timing of the arrests would suggest there might be a connection, but the presumption has been downright sloppy. So in an effort to unpack this story, I’m going to lay out some of the known claimed details

Some of the better English language sources on the arrests are stories in Bloomberg, Guardian, FT, NYT, and Forbes (as well as the Brian Krebs story quoted in detail below).

Committing crimes pre-dating 2012

When news of Stoyanov’s arrest was made public, Kaspersky released a statement saying the activity pre-dated his employment at the security firm, so before 2013. That would seem to rule out involvement in the DNC hack.

Exposing King Servers as key infrastructure in Russian hacks

A more public explanation behind the purge is that Stoyanov and Mikhailov served as sources for the FBI on the investigation into the probes of the state election sites.

On August 18, the FBI released a flash about two probes of US state election websites. Among the details, it released an IP address, 5.149.249.172, associated with the probe. “The FBI received information of an additional IP address, 5.149.249.172, which was detected in the July 2016 compromise of a state’s Board of Election Web site.” Why you would need two human sources for this information, I’m not sure, but the implication in this narrative is that it came from the Russians.

On September 2, ThreatConnect released a report analyzing the IP address, tying it to other suspected Russian hacks.

However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spearphishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi. As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.

At the time, the guy who owns King Servers, which hosts that IP, Vladimir Fomenko, played dumb, claiming that the entities tied to the election website hacks owed him money and that the FBI had never contacted him but that he’d be happy to provide information.

More recently, Brian Krebs pulled up some of his old reporting to note that Fomenko has long-established ties to spam businessman Pavel Vrublevsky, including with these servers. Vrublevsky has been trying to implicate Mikhaylov and Stoyanov in leaking Russian investigative details to people in the west for years.

Multiple Russian media outlets covering the treason case mention that King-Servers and its owner Fomenko rented the servers from a Dutch company controlled by Vrublevsky.

Both Fomenko and Vrublevsky deny this, but the accusations got me looking more deeply through my huge cache of leaked ChronoPay emails for any mention of Mikhaylov or Stoyanov — the cybercrime investigators arrested in Russia last week and charged with treason. I also looked because in phone interviews in 2011 Vrublevsky told me he suspected both men were responsible for leaking his company’s emails to me, to the FBI, and to Kimberly Zenz, a senior threat analyst who works for the security firm iDefense (now owned by Verisign).

In that conversation, Vrublevsky said he was convinced that Mikhaylov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies and to Zenz. Vrublevsky told me then that if ever he could prove for certain Mikhaylov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”

Krebs’ story would date Stoyanov’s actions to before his ties with Kaspersky, which would explain that part. But it would also suggest this might be product of a long-standing feud — or that the long-standing feud provides cover for a fight for power within the FSB.

One thing that’s interesting about all this is that, for some time, the US intelligence community did not attribute the probes of voter registration databases to Russian intelligence. A September 20 DHS alert attributed it to criminal hackers seeking identity theft data. The October 7 ODNI/DHS statement affirmatively declined to attribute it. It was not until the January 6, 2017 report on the hacks that the IC first blamed Russian intelligence (without specifying whether it was FSB or GRU) for the probes.

So if the FSB purge pertains to revealing details about the voter database probes to US intelligence, the first US public acknowledgment of that intelligence came after most people allegedly involved in exposing the tie had been arrested (though people like former Russian Ambassador Michael McFaul were yapping about such things in public statements, and the WaPo had gotten soft leaks about it). That is, in spite of complaints that US reporting might have set off this molehunt, for the registration databases, the molehunt preceded the IC’s affirmative (public) use of the data.

Hack-and-leaking top Russians

The other major allegation against the Russians is that they were involved with a hacking group Shaltai Boltai (which translates as Humpty Dumpty from Alice in Wonderland). The group has blackmailed and/or exposed the emails of a number of top Russian leaders, including Prime Minister Dmitry Medvedev and his deputy Arkady Dvorkovich.

Reports claim that Anikeev started the group years earlier, and the FSB either tried to infiltrate it, but then got swept up, or always had ties to it. Ultimately, though, the implication is that FSB was working both sides, using an Anonymous-modeled hacking group to acquire materials on powerful Russians even while, perhaps, using such hackers for Russian ends.

In mid-to-late October, the group released the emails of Vladislav Surkov, the architect of Putin’s Ukrainian policy. There wasn’t much revealed, though it did make it clear planning for Russia’s Ukrainian intervention went back some time. The understanding behind this narrative is that releasing these emails got too close to Putin, which led to the crack-down on the group.

Even when the emails got released, there was no public discussion of the possibility that this was US retaliation against Russia — not even after NBC published a really dick-wagging story on October 14 promising CIA retaliation. That’s the public story, anyway, which was really weird, given that exposing Putin’s plotting in Ukraine would be a really logical retaliation for the DNC hack (even if American exceptionalists like to pretend we would never do a hack and dump). The private story is different, but any private opinions I’ve heard don’t describe who might have conducted such a hack.

It’s also not entirely clear the timing works out. But it’s not clear we’ve got all those details yet.

I’m still working through these issues — and warnings from Russian observers that both of these narratives may just be convenient front stories for something else and/or for pure power consolidation are well taken.

What has also gone unmentioned is that at a time when Russia and the US would be staring each other down on a “cyber” battlefield, Putin just apparently took out a number of the key players in that field. No one has mentioned that, but even if these guys were working both sides in a manner that brought value to Putin, having them removed may leave holes in Russia’s cyber offense for the near future.

Update: This FT piece, based off an interview with what is alleged to be the last remaining Shaltai Boltai member at large, would seem to confirm that that explains the arrests (it explains the SB got FSB handlers in early 2016). Though I’d ask why someone would return from Thailand to apply for asylum in Estonia if Putin were after them.

Known arrestees

Colonel Sergey Mikhailov, deputy head of the Information Security Center at the FSB

Major Dmitry Dokuchaev (AKA Forb), also with ISC

Ruslan Stoyanov, now with Kaspersky but with earlier with cybercrime investigation firm Indryk and before that Ministry of Interior’s Cyber Crime Unit

Journalist Vladimir Anikeev, believed to have been in Ukraine and alleged to have led the hack ofVladislav Surkov

Known dates

August 18: FBI flash identifying new King Servers-related IP address used in probes of election related sites

September 2: ThreatConnect report implicating King Servers

September 5: Obama and Putin discuss hacks at G-20

September 20: DHS alert attributes voter registration probes to criminal hackers in search of PII

September 27: King Servers owner Vladimir Fomenko claims FBI hasn’t contacted him

October 7: ODNI/DHS statement on Russian hacking declines to attribute voter database hacks to Russian state

October 14: CIA preparing possible cyber response on Russia

October 23-25: Hackers release emails of Vladislav Surkov, exposing Putin’s Ukrainian plans

October 31: Obama contacts Putin on red cyber phone for first time

November 9: Anikeev reportedly detained, begins cooperating

November 26: Anonymous White House statement affirms integrity of election

December 4: Arrests of Mikhailov and Stoyanov

December 9: CIA-based leaks (based off recent human intelligence) claim DNC hack designed to get Trump elected

December 13: Last date on (partial) dossier implicating Trump

January 6, 2017: In declassified Russian Hack Report, US Intelligence Community for the first time attributes probes of voter websites to Russian intelligence (not specifying FSB or GRU): “Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards.”

January 11: Partial anti-Trump dossier published by BuzzFeed; Christopher Steele flees his home

January 23: GCHQ head Robert Hannigan quits to spend more time with his family

January 25: Kommersant announces arrests

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.