
Of Spies and Casinos


Many have forgotten the case of Russian spies arrested in the U.S.

Not the ten from the Illegals Program sleeper cell spy ring rounded up in 2010, whose integration into the U.S. formed the backbone of the cable drama, The Americans.

No, the ones in New York City who attempted to recruit college students and collect economic intelligence.

Three in total were arrested a year ago January — Evgeny Buryakov, Igor Sporyshev and Victor Podobnyy — the latter two shipped out as they were here under diplomatic visas while the first was prosecuted and jailed.

The story is rather interesting though it didn’t garner much attention outside New York. The spies were tasked with not only recruiting but gathering intelligence in the financial sector about market destabilization and the status of development and investment in alternative energy.

Buryakov, who was not under diplomatic protection, wasn’t the sharpest pencil in the box. He was a little put out at having a less than glamorous gig, and he was rather imprudent. He was recorded easily, and his words used as evidence against him.

One interesting bit was thinly fleshed out in the USDOJ’s complaint.

Buryakov toured casinos in Atlantic City.

But which casinos?

In July 2014, a confidential contact working on behalf of the FBI, “posed as the representative of a wealthy investor looking to work with Bank-1 [the Russian bank for which Buryakov posed as an employee] to develop casinos in Russia,” and approached Buryakov about casino development in Russia. A tour of Atlantic City casinos was taken in August.

Combing through the complaint looking for the colleges from which they attempted to recruit revealed no mention of Trump University.

But the casinos visited aren’t clear. The Trump Plaza (closed September 2014) or the Trump Taj Mahal (closed October 2016) can’t be ruled out as sites visited by Buryakov — the Plaza closed only a few weeks later.

The skepticism with which they viewed the casino gambit was amusing (excerpt from complaint, p. 23-24):

It was a trap, just as suspected; did the confidential source not give off the right vibe, or were the Russians skeptical of any investment in casinos developed in Russia? Trump, after all, didn’t get his Trump Towers Moscow off the ground even after his 2013 trip for the Miss World Pageant. Did the skepticism worry the FBI that they might lose their targets? Or did the FBI finally have enough of toying with these guys and decide it was time to drop the hammer? Was there some other trigger which forced the FBI to wrap up this investigation?

A few other points worth noting:

• “Others known and unknown” were also involved in spying or supporting spies but were not included in the warrant according to the complaint (ex: CC-1 and CC-2 in complaint). Who were they and where are they now? Has the FBI continued to watch them? Were any of them among the Russians who were escorted out of the U.S. after former president Obama announced new sanctions this past December?

• “And then Putin even tried to justify that they weren’t even tasked to work, they were sleeper cells in case of martial law,” Victor Podobnyy remarked in a conversation about the Illegals Program sleeper cells. What did he mean by, “in case of martial law”? Is this a continuing concern with regard to any remaining undetected sleeper cells?

• A “leading Russian state-owned news organization” was mentioned in the complaint, “used for intelligence gathering purposes.” Which news outlet was this? How did this news organization figure into advanced methods used by this operation? It would be interesting to know if this was RT (formerly Russia Today) given Michael Flynn’s and Jill Stein’s attendance at an RT event in December 2015.

• The spies used an office in Manhattan for conveying information to their superiors. How was this done apart from phone calls; what technology and networks if any were involved?

There’s an important bit about aeronautics, but I’ll tackle that in another post. It’s important enough to be broken out on its own.

Oh, one last thing about this case: timing.

— On January 21, 2016 the UK’s public inquest announced its final conclusions into the PO-210 poisoning death of Alexander Litvinenko, attributing the murder to orders from the top of Russia’s FSB — including Vladimir Putin.

— The next day, January 22, the UK froze the assets of the escaped henchmen accused of the poisoning while seeking their extradition.

— A sealed complaint and a request for warrants were filed in the Southern District of New York for the three Russian spies on January 23, 2016.

— The arrests of the spies were reported publicly on January 26, 2016.

These events on either side of the Atlantic didn’t happen in a vacuum. The casino tour and the hand-off of government documents happened nearly six months before the complaint and warrants were filed and issued. But the Litvinenko inquest conclusion and the arrests happened within a couple of days — mere hours apart.

It shouldn’t be surprising to find coordinated retaliation occurred against both the UK and the US.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

Democrats Demand DOJ Release the Information that Has Christopher Steele Hiding for His Life

I have to say, the Democrats are beginning to convince me Russia’s involvement in the DNC hack is just one hoax.

Don’t get me wrong. I believe there is plenty of evidence — in public and stuff I’ve been told by people close to the hack — that the Russians did hack the DNC and John Podesta and share those documents with Wikileaks.

But given the bozo way the Democrats are trying to politicize it, I can only conclude the Democrats think this is less serious than I have believed and than Democrats claim. That’s because they’re now demanding that FBI give them the very same information that — we’ve been told by public reporting — led former MI6 officer Christopher Steele to hide for his life.

This morning, David Corn wrote a piece complaining about “the mysterious disappearance of the biggest scandal in Washington.”

After reviewing some of the facts in this case (and asserting without proof that Putin’s interference in the election “achieved its objectives,” which is only partly backed by declassified intelligence reports on the hack) and giving an incomplete list of the congressional committees that have announced investigations into the hack, Corn gave this inventory of what he claims to be the lack of outcry over the hack.

Yet these behind-closed-doors inquiries have generated minimum media notice, and, overall, there has not been much outcry.

Certainly, every once in a while, a Democratic legislator or one of the few Republican officials who have bothered to express any disgust at the Moscow meddling (namely Sens. John McCain, Lindsey Graham, and Marco Rubio) will pipe up. House Democratic leader Nancy Pelosi days ago called on the FBI to investigate Trump’s “financial, personal and political connections to Russia” to determine “the relationship between Putin, whom he admires, and Donald Trump.” Sen. Chris Murphy (D-Conn.), responding to Trump’s comparison of the United States to Putin’s repressive regime, said on CNN, “What is this strange relationship between Putin and Trump? And is there something that the Russians have on him that is causing him to say these really bizarre things on an almost daily basis?” A few weeks ago, Graham told me he wanted an investigation of how the FBI has handled intelligence it supposedly has gathered on ties between Trump insiders and Russia. And last month, Sen. Ron Wyden (D-Ore.) pushed FBI Director James Comey at a public hearing to release this information. Yet there has been no drumbeat of sound bites, tweets, or headlines. In recent days, the story has gone mostly dark.

The funniest detail in this is how Corn describes Chris Murphy’s response to the exchange that took up the entire weekend of news — Trump’s nonplussed response when Bill O’Reilly called Putin a killer.

O’Reilly: Do you respect Putin?

Trump: I do respect him but —

O’Reilly: Do you? Why?

Trump: Well, I respect a lot of people but that doesn’t mean I’m going to get along with him. He’s a leader of his country. I say it’s better to get along with Russia than not. And if Russia helps us in the fight against ISIS, which is a major fight, and Islamic terrorism all over the world — that’s a good thing. Will I get along with him? I have no idea.

O’Reilly: But he’s a killer though. Putin’s a killer.

Trump: There are a lot of killers. We’ve got a lot of killers. What do you think — our country’s so innocent. You think our country’s so innocent?

O’Reilly: I don’t know of any government leaders that are killers.

Trump: Well — take a look at what we’ve done too. We made a lot of mistakes. I’ve been against the war in Iraq from the beginning.

O’Reilly: But mistakes are different than —

Trump: A lot of mistakes, but a lot of people were killed. A lot of killers around, believe me.

This was a Super Bowl interview, for fuck’s sake, and both before and after the interview, political pundits on both sides of the aisle were up in arms about Trump’s affinity for Putin’s murderous ways! Google counts more than 70,000 articles on the exchange.

But to Corn, that translated into only one comment from Murphy.

From there, Corn goes on to complain that the White House press briefings — which have been a noted shitshow inhabited by people like Infowars — have only featured direct questions about the investigation twice, and that the questions about Trump’s call to Putin weren’t about the investigation (as opposed to, say, Trump’s ignorant comments about the START treaty, which could get us all killed).

The crazier thing is that, best as I can tell, Mother Jones — the media outlet that David Corn has a bit of influence over — seems to have ignored the indictment of Hal Martin yesterday, the arrest on treason charges of two FSB officers, allegedly for sharing information with the US intelligence community, or even today’s Senate Foreign Relations Committee hearing on our relations with Russia. Among other things, today’s hearing discussed the hack, Trump’s comments about Putin the killer, weaponization of information, sanctions, Trump’s lukewarm support for NATO. It also included multiple Democratic calls for a bipartisan investigation and assurances from Chairman Corker and Ranking Member Cardin that that would happen.

So effectively, David Corn should be complaining about his own outlet, which isn’t covering the things relating to the hack others of us are covering.

No matter. Corn made his sort of ridiculous call, that call got liked or RTed over 3,000 times, and as if magically in response, Jerry Nadler introduced a resolution of inquiry, calling on the Administration to (in part) release any document that relates or refers to “any criminal or counterintelligence investigation targeting President Donald J. Trump, National Security Advisor Michael Flynn, Paul Manafort, Carter Page, Roger Stone, or any employee of the Executive Office of the President.”

As I’ve already noted, two FSB officers recently got arrested on treason charges, an event many people fear came in response to details revealed about this investigation and if so would badly undermine any investigation. People equally wonder whether the curious death of former FSB General Oleg Erovinkin relates to the leaked Steele dossier that Corn himself played a central role in magnifying, which would represent another lost intelligence source. And, of course, there are the reports that the former MI6 officer that compiled the dossier, Christopher Steele, on which these allegations rest fled from his home out of fear for his life because of the way it got publicized.

Either Putin is a ruthless thug or he’s not. Either Steele had reason to flee because the dossier is true or he didn’t. Either this thuggery is serious or it’s just a political stunt.

I really do believe it is the former (though I have real questions about the provenance of the dossier, questions which Corn could but has not helped to provide clarity on). Which is why I’m absolutely mystified that Democrats are demanding every document pertaining to any counterintelligence investigation into it, the kind of exposure which — recent history may already show — is totally counterproductive to actually pursuing that investigation.

As I’ll write shortly, I do deeply suspect the Senate Intelligence Committee investigation (especially) is designed to be counterproductive. The Hal Martin indictment yesterday seems to suggest FBI doesn’t have the evidence to figure out who Shadow Brokers is, or even whether it has ties to the DNC hack (as much evidence suggests it does). But I also think political stunts like this don’t help things.

But maybe that’s not the point?

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

One Day After Senior Intelligence Official Leaks Details of “Red Phone” Call, Russia Cuts Back Communications with the US

Yesterday, I expressed alarm that someone identified as a “senior intelligence official” not only leaked to NBC that President Obama had used the crisis “Red Phone” with Russia for the first time in his presidency (at least in a cyber context), but characterized the communication as muddled.

A month later, the U.S. used the vestige of an old Cold War communications system — the so-called “Red Phone” that connects Moscow to Washington — to reinforce Obama’s September warning that the U.S. would consider any interference on Election Day a grave matter.

This time Obama used the phrase “armed conflict.”

[snip]

A senior intelligence official told NBC News the message ultimately sent to the Russians was “muddled” — with no bright line laid down and no clear warning given about the consequences. The Russian response, said the official, was non-committal.

But it alarms me that someone decided it was a good idea to go leak criticisms of a Red Phone exchange. It would seem that such an instrument depends on some foundation of trust that, no matter how bad things have gotten, two leaders of nuclear armed states can speak frankly and directly.

Without that conversation being broadcast to the entire world via leaks.

Today, Reuters released a bizarre report — really signals within signals — claiming that most channels of dialogue are frozen.

The Kremlin said on Wednesday it did not expect the incoming U.S. administration to reject NATO enlargement overnight and that almost all communications channels between Russia and the United States were frozen, the RIA news agency reported.

“Almost every level of dialogue with the United States is frozen. We don’t communicate with one another, or (if we do) we do so minimally,” Peskov said.

I say it’s bizarre because it’s not a firsthand report. It reports that RIA reported that Peskov said this in an interview with the Mir TV station. So it lacks context.

Moreover, it appears to be false, given that John Kerry spoke with Sergei Lavrov yesterday (with whom he seems to have a pretty good relationship).

MR KIRBY: Well, as you know, we weren’t a party to the talks, but Secretary Kerry did speak today to both Foreign Minister Lavrov and Foreign Minister Cavusoglu, who were there. And they provided the Secretary a sense of how the discussions went.

Nevertheless, this may be a kind of signaling.

It’s precisely the kind of possibility that I worried about when I noted the leak.


Now the Spooks Are Leaking Criticism of Obama’s Sole Use of the “Red Phone”

NBC, which seems to be sharing the role of spook leak central with WaPo, has upped the ante on previous leaks. Last night, it revealed that on October 31, Obama used the “Red Phone” (which is in reality an email system) designed to avert disasters with Russia for the first time in his Administration to warn Vladimir Putin not to fuck with our election process.

A month later, the U.S. used the vestige of an old Cold War communications system — the so-called “Red Phone” that connects Moscow to Washington — to reinforce Obama’s September warning that the U.S. would consider any interference on Election Day a grave matter.

This time Obama used the phrase “armed conflict.”

The reason we’re getting this leak seems fairly clear. Not only are Democrats peeved that Obama didn’t manage to recall or suppress documents already leaked to WikiLeaks, but one “senior intelligence official” is angry that Obama laid down no bright line.

A senior intelligence official told NBC News the message ultimately sent to the Russians was “muddled” — with no bright line laid down and no clear warning given about the consequences. The Russian response, said the official, was non-committal.

I’m pretty favorable to leaks (though not their use to preempt deliberative assessment of intelligence). They serve an important check on government, even on the President.

But it alarms me that someone decided it was a good idea to go leak criticisms of a Red Phone exchange. It would seem that such an instrument depends on some foundation of trust that, no matter how bad things have gotten, two leaders of nuclear armed states can speak frankly and directly.

Without that conversation being broadcast to the entire world via leaks.

It would seem such a leak might lead Putin to take such exchanges less seriously in the future knowing that the spooks reviewing the exchange don’t take the gravity of it all that seriously.

Ah well. Good thing these spooks are so successfully combatting the inappropriate leak of information by leaking more information.


16 Words: “The British government has learned that Vladimir Putin recently sought significant quantities of votes for Trump”

This morning, I managed to remind the NYT in the NYT of its role in spreading leaks that led us to war in Iraq. I did so not to defend Donald Trump, but to point out how the flood of leaks leading up to the Iraq War is similar to the one we’ve had in the last week, insisting that Putin hacked Hillary specifically to get Trump elected. Here’s the comparison, which you’re familiar with from my posts in the last week.

Trump is not quite right when he claims that, “These are the same people that said Saddam Hussein had weapons of mass destruction.” Neither the entire intelligence community nor even everyone at the C.I.A. was wrong about the Iraq intelligence. Rather, leaks like the ones we’re seeing now ensured elected officials didn’t hear from the skeptics who got it right.

That time, as members of Congress were demanding the Bush administration show its case for war, anonymous officials told this newspaper that aluminum tubes purchased by Iraq could only be used for nuclear enrichment. By the time Congress got a report, a month later, saying that might not be the case most members never read it; they had already been convinced that the case for war was a “slam dunk.”

This time, just hours after the White House revealed President Obama had ordered a (belated) review by the entire intelligence community of how hacks have tainted our democracy, the C.I.A.’s incendiary conclusion got leaked to the press: First, anonymous leaks said Russia had hacked Democrats not just to cause chaos, but specifically to get Trump elected. Last Wednesday the leaks went further: Putin himself oversaw the operation to put Trump in the White House. On Friday, another C.I.A. leak came out minutes before Obama started a news conference where he said, “I want to make sure … I give the intelligence community the chance to gather all the information.”

The point of my post is not — as numerous people who refute it without reading it suggest — to argue Russia didn’t hack Hillary. While I have lingering questions, I think that likely.

Rather, it is to ask why the CIA is so invested in the narrative that Putin specifically intervened to get Trump elected, rather than the more obvious explanation, which is that he intervened to retaliate for real and imagined CIA-led covert operations targeted at Russian interests?


In Latest Russian Plot, WikiLeaks Reveals Hillary Opposes ISDS

Among the emails released as part of the Podesta leaks yesterday, WikiLeaks released this one showing that, almost a year before she was making the same argument in debates with Bernie Sanders, Hillary was opposed to the Investor State Dispute Settlement mechanism that is part of the Trans Pacific Partnership. (h/t Matt Stoller) ISDS is the means by which corporations have used trade agreements to operate above the domestic laws of party countries (if you haven’t already, read this three-part series from BuzzFeed to learn about the more exotic ways businesses are profiting off of ISDS).

The email also appears to echo her later public concern that she had changed her mind on TPP because of KORUS.

After our last talk with HRC, we revised our letter to oppose ISDS and include her caution about South Korea.

Sure, other Podesta emails show Hillary supporting a broad region of free trade (and labor) in the Americas. But this more recent email confirms that the views she expressed in debate were more than just an attempt to counter Bernie’s anti-trade platform.

Whether or not this is newsworthy enough to justify the WL dump, it is noteworthy in light of NYT’s rather bizarre article from some weeks back suggesting that WL always sides with Putin’s goals. As I noted, the article made a really strained effort to claim that WL exposed TPP materials because it served Putin’s interests. Now, here, WL is releasing information that makes Hillary look better on precisely that issue.

That doesn’t advance the presumed narrative of helping Trump defeat Hillary!

Then, as I noted yesterday, in spite of all the huff and puff from Kurt Eichenwald, the release of a Sid Blumenthal email used by Trump is another case where the WL release, as released, doesn’t feed the presumed goals of Putin.

Which brings me to this Shane Harris piece, which describes four different NatSec sources revealing there’s still a good deal of debate about WL’s ties to Russia.

Military and intelligence officials are convinced that WikiLeaks is an ongoing threat to U.S. national security and privacy owing to its leaks of classified documents and emails. But its precise relationship with Russia has been a subject of internal debate. Some do see the group as being in cahoots with the Kremlin. But others find that WikiLeaks is acting mainly as the beneficiary of stolen documents, not unlike a journalistic organization.

There are some funny aspects to this story. Nothing in it considers the significant evidence that WL is (and has reason to be) affirmatively anti-Hillary, which means its interests may align with Russia, even if it doesn’t take orders from Russia.

It also suggests that if the spooks can prove some tie between WL and Russia, they can spy on it as an agent of foreign power.

But those facts don’t mean WikiLeaks isn’t acting at Russia’s behest. And that’s not a trivial matter. If the United States were to determine that WikiLeaks is an agent of a foreign power, as defined in U.S. law, it could allow intelligence and law enforcement agencies to spy on the group—as they do on the Russian government. The U.S. can also bring criminal charges against foreign agents.

WL has been intimately involved in two separate leaking-as-espionage cases in the US, Chelsea Manning and Edward Snowden. The government has repeatedly told courts that it has National Security/Criminal investigations, plural, into WikiLeaks, and when pressed for details about how and whether the government is collecting on supporters and readers of WikiLeaks, the government has in part hidden those details under a b3 FOIA exemption, meaning a statute prevents disclosing it, while extraordinarily refusing to reveal what statute that is. We certainly know that FBI has used multiple informants to spy on WL and used a variety of collection methods against Jacob Appelbaum, including (according to Appelbaum) physical tails.

So there’s not only no doubt that the US government believes it can spy on WikiLeaks (which is, after all, headed by a foreigner and not a US organization), but that it already does, and has been doing for at least six years.

Perhaps Harris’ sources really mean they’ve never found a way to indict Julian Assange before, but if they can claim he’s working for Putin, then maybe they’ll overcome past problems of indicting him because it would criminalize journalism. If that’s the case, it may be shading analysis of WL, because the government would badly like a reason to shut down WL (as the comments about the direct threat to the US in the story back up).

As I’ve said before, the role of WL in this and prior leak events is a pretty complex one, one that if approached too rashly (or too sloppily) could have ramifications for other publishers. While a lot of people are rushing to collapse this (in spite of what sounds like a continuing absence of directly incriminating evidence) into a nation-state conflict, things like this TPP email suggest it’s not that simple.


Argument: The DNC Hack Attribution Was A Response to Brick and Mortar Events

Last week, ODNI and DHS released a statement widely viewed as attributing the hack and leak of DNC and other Democratic materials to Russia. The statement was actually a bit more nuanced than that:

Assertion 1: Russia compromised DNC and other political organizations

The statement starts with a comment that is spook speak for “we’ve proven this.”

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

Mind you, this is the bit the IC has been confident of all along: they found hackers at the DNC and the hackers have all the attributes of two different Russian hacking groups.

Assertion 2: The leaking is consistent with stuff Russia has done elsewhere

The next move is the most interesting, in my opinion. The IC strongly suggests the leaking of those hacked files is Russia, but doesn’t use the same spook speak confidence language.

The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.

Here, the IC is not saying “we are confident Russia then handed all these files to WikiLeaks, as well as created two cover identities through which to leak them.” Instead, they are saying Russia has done similar things before and has the motivation to do so here. As they have for months, the spooks still appear not to have the same level of proof tying the hacking to the leaking that would allow them to say “we are confident” for this assertion, at least not that they’re willing to admit, which I find incredibly interesting.

Assertion 3: Russia is trying to interfere with the election

Having stated very confidently Russia did the hack and less confidently that it did the leak, the statement brings the nugget language: basically accusing Putin of masterminding the whole thing.

These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.

For my purposes here, I’m not interested in testing the truth of this statement — though I am a bit interested in how “influencing public opinion” is deemed to be “interfering with the US election,” because it’s something many people don’t seem to have thought through (nor have they thought through how it differs from the US’ own information operations or PR involvement of other foreign powers in our elections).

Especially given this bit:

Assertion 4: Hackers operating through a Russian server hacked some state election websites, but that may not be the Russian state

The statement goes out of its way to note that the Russian-attributed activity most directly connected to the election, the voter rolls, may not actually be the Russian state, but instead just servers operated by a Russian company.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.

Remember, identity thieves have in the past stolen far more voter registration records for identity theft. It’s certainly possible that’s what went on here. More importantly, the IC appears to have nothing from collection on Russia they’re willing to share to claim that this hacking is part of Putin’s mastermind plot.

The rest of the statement goes on to talk about the ways (which I’ve talked about as well) that our localized system of elections makes it really hard to hack an election (though that also makes it really easy to botch an election or even to tamper with elections by disenfranchising select voters, which is what people should be far more concerned about, given that we know such efforts are effective and ongoing).

The IC has long known this but chose to release this statement now

The reason I’ve broken this out into four parts — 1) we know Russia hacked the DNC, 2) the leaks of hacked material are consistent with stuff Russia has done in the past, 3) Putin is in charge, 4) Russia may not have hacked the state websites — is to call attention to the fact that the IC has been leaking assertions 1, 2, and 4 for months. The stated (leaked) reason to hold off on a formal attribution was the uncertain status of assertion 2: the IC doesn’t yet know how the files got from the DNC hackers into Julian Assange’s hands.

But the IC chose to release this statement without growing any more certain about assertion 2 and without solving assertion 4.

In my opinion, that means the IC released this statement to get to assertion 3. Putin is trying to “interfere” in our election by “influencing public opinion.”

The release timing is more about kinetic events elsewhere than it is about IC certainty

So why release this statement now, when the IC doesn’t seem to have gotten any more certain about assertion 2 or 4?

At the end of what I think is an overly pessimistic piece on America’s inability to deter hacking, Jack Goldsmith considers the possibility that undeterred cyberattacks may be a response to brick and mortar conflict.

Without robust defenses or effective deterrence, the United States can expect many more, and more harmful, cyber intrusions by adversaries who are asymmetrically empowered by the rise of digital networks. There is no end to the ways that they might spy in, steal from, or disrupt U.S. networks, public and private. That sounds bad, but the implications are worse. Asymmetric offensive cyber operations by our adversaries can be an effective response to every element of U.S. foreign and military power. For all we know the Russian DNC hack is a response to sanctions for Ukraine and an attempt to win leverage in Syria. Imagine the United States wanted to do more—via sanctions, or through military operations, or in cyber—to slow Russian operations in Eastern Europe or Syria. The Russians could easily respond via cyber, where it appears to have an asymmetrical advantage. Indeed, the relatively tepid USG response to Russian aggression in Eastern Europe and Syria may be a result of USG worries about the implications of the DNC hack. In other words, the Russians may already be using cyber to deter the United States from seemingly unrelated foreign policy actions it might otherwise take.

Aside from his totally inappropriate use of “asymmetric” here — there’s no lack of potential symmetry between the cyber capabilities of the US and Russia, just an emphasis of one tool over another — I agree with this passage. Indeed, I’ve been saying for a long time that the most obvious explanation for why Putin would do all this so blatantly is because in his view the US carried out a coup in Ukraine and is attempting regime change in Syria to choke Russia strategically.

And as Goldsmith argues, the US’ weak spot is its vulnerability to cyber attacks, absolutely. That weakness is made worse, too, by continued US insistence on retaining access to all potential offensive tools, even though they can be most dangerous against US targets if they ever, say, show up in an online sale (Goldsmith was curiously silent about the Shadow Brokers release here).

I suspect China, in particular, has done the same kind of mapping we have with Treasure Map, with a focus on having cyberattacks ready to launch that would neutralize us if we ever got into a hot war.

But Goldsmith doesn’t consider the possibility that things may also work in the reverse way.

The US released this statement at a time when it was also making a big diplomatic push against Russia — proposing a ceasefire at the UN it knew Russia would veto, after having failed to negotiate a ceasefire with Russia directly because it asked for things (a no fly zone, basically) that Russia has neither the interest nor the legal necessity to agree to, because Russia is in Syria at the behest of the still-recognized government of the state, we’re not. As it happens, the US is ratcheting up this effort at a time when our Saudi allies’ activities in Yemen make it hard to make a principled stance against Russia, because we’re implicated in Yemen in the same way Russia is in Syria.

More importantly, things are getting very very hot, with Russia moving missiles to Kaliningrad and threatening retaliation for any strikes on Syrian controlled territory.

So I would suggest the timing of this announcement — basically confirming the same certainty and uncertainty the IC has had for months, then using it to accuse Putin of trying to intervene directly in our country — is actually our response to more concrete events elsewhere, not the reverse (though there admittedly may be some chicken-and-egg stuff here, in that we may have held off on attribution in hope we could negotiate directly with Russia).

That is, both sides seem intent on ratcheting up the conflict between Russia and the US, and blaming Putin for interfering in our elections is one tool to do that.

If I’m right, the statement may have nothing to do with deterrence. Rather, it may have everything to do with escalation of other conflicts, providing a reason to pitch Russia’s strategic moves elsewhere as a direct threat to the US. I’m not saying Russia isn’t a dangerous adversary. I’m saying that the release of this statement will do nothing to prevent more hacks, but it will provide cause to claim the increasingly hot conflict with Russia directly threatens the US.

The Two Intelligence Agency Theory of Handing Trump the Election

There has been a lot written about Russian intelligence agencies allegedly hacking the DNC server and — by leaking it — attempting to influence the election. Some observers have, based on that assumption, called the hack an act of war.

I’m agnostic on whether Russian intelligence did one or both of the hacks, in part for reasons I’m still working through. I’m even more skeptical of some of the claims made about Russia’s motivations in launching this attack to put Trump in the presidency (which is not to say Trump wouldn’t be horrible for a whole slew of other reasons); on that topic, see this Josh Marshall piece and a fact-checking of it. And I’m frankly amused that, after the hacker(s) used several other outlets for publicity and to release documents, their cooperation with WikiLeaks (which irresponsibly released credit card and social security information on Democratic donors, but which almost certainly had its donors investigated by DOJ with the heavy involvement of Clinton after WikiLeaks published the State cables) is itself taken as a sign of Russian involvement. Does Russia also run The Hill, the last outlet used by the DNC hacker(s)?

In short, there are a whole bunch of claims being made, all serving a narrative that Putin is playing in our elections, with little scrutiny of how you get from one level (what have been described as two separate hacks) to another (to Guccifer 2, to help Putin) to another (with the help of Wikileaks). It’s like the Rosetta stone of Cold War 2.0 paranoia. All may be true, but the case is thus far still fragile.

This post, from Thomas Rid, is the most sober analysis of the claim that Russian hackers hacked the DNC. Even still, there are some logical problems with the analysis (that are sadly typical of the underlying cybersecurity consultants). Take these two passages, for example.

The DNC knew that this wild claim would have to be backed up by solid evidence. A Post story wouldn’t provide enough detail, so CrowdStrike had prepared a technical report to go online later that morning. The security firm carefully outlined some of the allegedly “superb” tradecraft of both intrusions: the Russian software implants were stealthy, they could sense locally-installed virus scanners and other defenses, the tools were customizable through encrypted configuration files, they were persistent, and the intruders used an elaborate command-and-control infrastructure. So the security firm claimed to have outed two intelligence operations.

[snip]

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

They argue (based in part on CrowdStrike’s claims of expertise) both that the hacker(s) were really sophisticated and that they deliberately adopted a Russian name but accidentally left Russian metadata in the files. Particularly with regard to the Russian metadata, you don’t both adopt a notable Russian spook’s ID while engaging in a false flag and then “accidentally” leave metadata in the files, although the second paragraph here pertains to Guccifer 2 and not the hackers CrowdStrike identified.

If Guccifer were a true false flag, he might well be pretending to be Russian to hide his real identity.

Add to that this post (from June), which notes some confirmation bias in the way that FireEye first attributed APT 28 (which CrowdStrike believes to be GRU, Russia’s military intelligence).

I chose to look at Fancy Bear (APT28 in FireEye’s ecosystem). The most comprehensive report on that threat actor was written by FireEye and released last October, 2014 so I started with that. To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

“APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.

And even if you took the underlying report as definitive, APT 28 was primarily focused on military targets, which by itself ought to raise questions about why they’d go after the DNC.

To make the argument based on targets that APT 28 is GRU you need to do even more adjusting of motivation (though more recent APT 28 attributed attacks are more similar to this one).

But one reason I find the Rid piece sober and useful is it emphasizes something that has been ignored by much of the inflamed reporting. First, even CrowdStrike claims that DNC was hacked twice, by two different Russian entities, which did not appear to be coordinating during the hack. From the CrowdStrike report:

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

And, as Rid points out, the proof that Guccifer is tied to Russia (it would be to GRU or APT 28 if the tie were real, so the less persistent of the two apparently unrelated hacks) is even less clear, though there still is a lot of circumstantial evidence.

The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely. Intelligence operatives and cybersecurity professionals long knew that such false flags were becoming more common. One noteworthy example was the sabotage of France’s TV5 Monde station on 9/10 April 2015, initially claimed by the mysterious “CyberCaliphate,” a group allegedly linked to ISIS. Then, in June, the French authorities suspected the same infamous APT 28 group behind the TV5 Monde breach, in preparation since January of that year. But the DNC deception is the most detailed and most significant case study so far. The technical details are as remarkable as its strategic context.

[snip]

Other features are also suspicious. One is timing, as ThreatConnect, another security company, has pointed out in a useful analysis: various timestamps indicate that the Guccifer-branded leaking operation was prompted by the DNC’s initial publicity, with preparation starting around 24 hours after CrowdStrike’s report came out. Both APT 28 and Guccifer were using French infrastructure for communications. ThreatConnect then pointed out that both the self-proclaimed hacker’s technical statements on the use of 0-day exploits as well as the alleged timeline of the DNC breach are most likely false. Another odd circumstantial finding: sock-puppet social media accounts may have been created specifically to amplify and extend Guccifer’s reach, as UK intelligence startup Ripjar told me.

Perhaps most curiously, the Guccifer 2.0 account, from the beginning, was not simply claiming to have breached the DNC network—but claiming that two Russian actors actually were not on the DNC network at the same time. It is common to find multiple intruders in tempting yet badly defended networks. Nevertheless the Guccifer 2.0 account claimed confidently, and with no supporting evidence, that the breach was simply a “lone hacker”—a phrasing that seems designed to deflect blame from Russia. Guccifer 2.0’s availability to the journalists was also surprising, and something new altogether.

The combative yet error-prone handling of the Guccifer account is in line with the GRU’s aggressive and risk-taking organizational culture and a wartime mindset prevalent in the Russian intelligence community. Russia’s agencies see themselves as instruments of direct action, working in support of a fragile Russia under siege by the West, especially the United States.

Now, again, I’m not saying the Russians didn’t do this hack, nor am I dismissing the idea that they’d prefer Trump to Hillary. By far the most interesting piece of this is the way those with the documents — both the hackers and Wikileaks — held documents until a really awkward time for some awkward disclosures, with what may be worse to come.

But discussions that want to make the case should explain several things: Which of the two agencies alleged to have hacked DNC are behind the operation — or are they both, even though they weren’t, at least according to the report that everyone is relying on without question, apparently cooperating? How certain can they be that the GRU is Guccifer, and if Guccifer is supposed to be a false flag why was it so incompetently done? What explains Guccifer’s sort of bizarre strategy along the way, encompassing both Wikileaks (an obvious one) and The Hill?

Again, I absolutely don’t put this kind of thing beyond Putin. Russia has used hacking to influence the outcomes of elections and the exercise of authority in various countries in the past, and the only things new here are that 1) we wouldn’t already be playing the other side and 2) we’re big and can fight back. But the story, thus far, is more complex than is being laid out.

Update: Here’s an amusing debunking of a lot of the metadata analyses.

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was Cyrillic for Felix Dzerzhinsky (Феликс Эдмундович) Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

Dr._Strangelove

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to its quite OBVIOUSLY being Mother Russia’s exclusive secret services.

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!
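Both the Rid excerpt above (Russian language settings, a Cyrillic user name, Cyrillic hyperlink error text) and the quoted metadata review that follows it hinge on the same few fields inside a Word file. The following is an added example, not code from this blog, from Rid, from CrowdStrike, or from the quoted reviewer, showing where those fields live in the OOXML package (docProps/core.xml for the author and last-modified-by values, w:lang run tags and w:t text in word/document.xml) and how a reviewer would pull them out and list locale indicators. The sample document is constructed in memory; the Russian-locale error string is used purely as an illustration of the kind of localized text the excerpt describes. Because every field is plain text inside a zip archive with no signature or integrity check, the same code reports nothing at all for a copy whose fields were simply typed in as something else, which is the weakness both quoted passages point at.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for Word core properties and the document body.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W_LANG = f"{{{NS['w']}}}lang"
W_T = f"{{{NS['w']}}}t"
W_VAL = f"{{{NS['w']}}}val"

# Any character in the Cyrillic block; a locale hint, nothing more.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_sample_docx(creator, last_modified_by, lang, body_text):
    """Construct a minimal .docx in memory containing only the two parts inspected below.

    This is a constructed sample for illustration, not a real leaked document.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r>'
        f'<w:rPr><w:lang w:val="{lang}"/></w:rPr>'
        f"<w:t>{body_text}</w:t>"
        "</w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Read author fields, run language tags and body text from a .docx byte string."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    langs = sorted({el.get(W_VAL) for el in doc.iter(W_LANG) if el.get(W_VAL)})
    return {
        "creator": core.findtext("dc:creator", default="", namespaces=NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", default="", namespaces=NS),
        "languages": langs,
        "text": "".join(t.text or "" for t in doc.iter(W_T)),
    }


def locale_indicators(meta):
    """List the locale signals a reviewer would note. Each is a hint, not attribution."""
    found = []
    for field in ("creator", "last_modified_by"):
        if CYRILLIC.search(meta[field]):
            found.append(f"{field} contains Cyrillic: {meta[field]!r}")
    for lang in meta["languages"]:
        if lang.lower().startswith("ru"):
            found.append(f"run language tag {lang}")
    if CYRILLIC.search(meta["text"]):
        found.append("Cyrillic in body text (e.g. a localized hyperlink error string)")
    return found


if __name__ == "__main__":
    # Constructed sample mirroring the indicators described in the excerpt.
    sample = build_sample_docx(
        "Феликс Эдмундович",
        "Феликс Эдмундович",
        "ru-RU",
        "Ошибка! Недопустимый объект гиперссылки.",  # illustrative Russian-locale error text
    )
    for line in locale_indicators(extract_metadata(sample)):
        print(line)
```

Running the file prints the four indicators for the constructed sample; the same functions return an empty list for a document whose core properties and language tags were saved with a neutral locale, so the check is only as trustworthy as the person who last saved the file.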

If US Won’t Share Intelligence with Those Hosting Snowden, Why Are We Engaged with Russia on ISIL?

Glenn Greenwald reports that, when he asked German Vice Chancellor Sigmar Gabriel why he doesn’t offer asylum to Edward Snowden, Gabriel revealed the US had threatened to cut Germany off from intelligence sharing if they did.

German Vice Chancellor Sigmar Gabriel (above) said this week in Homburg that the U.S. Government threatened to cease sharing intelligence with Germany if Berlin offered asylum to NSA whistleblower Edward Snowden or otherwise arranged for him to travel to that country. “They told us they would stop notifying us of plots and other intelligence matters,” Gabriel said.

The Vice Chancellor delivered a speech in which he praised the journalists who worked on the Snowden archive, and then lamented the fact that Snowden was forced to seek refuge in “Vladimir Putin’s autocratic Russia” because no other nation was willing and able to protect him from threats of imprisonment by the U.S. Government (I was present at the event to receive an award). That prompted an audience member to interrupt his speech and yell out: “why don’t you bring him to Germany, then?”

[snip]

Afterward, however, when I pressed the Vice Chancellor (who is also head of the Social Democratic Party, as well as the country’s Economy and Energy Minister) as to why the German government could not and would not offer Snowden asylum – which, under international law, negates the asylee’s status as a fugitive – he told me that the U.S. Government had aggressively threatened the Germans that if they did so, they would be “cut off” from all intelligence sharing. That would mean, if the threat were carried out, that the Americans would literally allow the German population to remain vulnerable to a brewing attack discovered by the Americans by withholding that information from their government.

Which is odd, because CIA Director John Brennan just implied — in a speech that was largely about information sharing — that the US continues to engage with Russia on terrorism issues, even though it hosts Snowden.

QUESTION: James Sitrick, Baker & McKenzie. You spent a considerable amount of your opening remarks talking about the importance of liaison relationships. Charlie alluded to this in one of his references to you, on the adage—the old adage has it that the enemy of your enemy is your friend. Are we in any way quietly, diplomatically, indirectly, liaisoning with Mr. Soleimani and his group and his people in Iraq?

BRENNAN: I am not engaging with Mr. Qasem Soleimani, who is the head of the Quds Force of Iran. So no, I am not.

I am engaged, though, with a lot of different partners, some of close, allied countries as well as some that would be considered adversaries, engaged with the Russians on issues related to terrorism.

We did a great job working with the Russians on Sochi. They were very supportive on Boston Marathon. We’re also looking at the threat that ISIL poses both to the United States as well as to Russia.

So I try to take advantage of all the different partners that are out there, because there is a strong alignment on some issues—on proliferation as well as on terrorism and others as well.

Admittedly, the timing on Snowden’s asylum in Russia is pretty remarkable, coming as it did after Sochi and two months after the Marathon attack, launched by brothers with ties to Chechnya. In fact, in Dzhokhar’s trial, we just learned that Tamerlan sent $900 back to Chechnya in the weeks before the attack. Thus, at the time Putin granted Snowden his first year of asylum, the US needed Russian cooperation more urgently than Russia needed America’s (and Putin was carefully managing that relationship).

Still, by tying cooperation with Russia to ISIL, Brennan implied it is ongoing (not least because the government was not as engaged against ISIL as it might have been until a year after Snowden arrived in Russia).

At least if we’re to believe Gabriel, the US threatened to cut off a close ally if it hosted Snowden, but it continues to share intelligence with one of our major adversaries on matters of common interest.

Is JP Morgan Crying Cyberwolf about Russia? Or Is Mike Rogers?

There was a weird spate of reporting on the cyberthreat to banks last week. Normally, security firms (and occasionally really good tech journalists) report under their own name on such attacks — after all, they have businesses to run! But not the story — first reported by Bloomberg Wednesday evening — that Russia had attacked JP Morgan. At first, these reports appeared to be coming from FBI — given that the FBI investigation served as the lede of the story.

Russian hackers attacked the U.S. financial system in mid-August, infiltrating and stealing data from JPMorgan Chase & Co. (JPM) and at least one other bank, an incident the FBI is investigating as a possible retaliation for government-sponsored sanctions, according to two people familiar with the probe.

The attack resulted in the loss of gigabytes of sensitive data, said the people, who asked not to be identified because the probe is still preliminary.

But over the course of the story — and two more sources introduced with no description beyond that they had been briefed on the probe — the FBI officially gave no comment.

The sophistication of the attack and technical indicators extracted from the banks’ computers provide some evidence of a government link. Still, the trail is muddy enough that investigators are considering the possibility that it’s cyber criminals from Russia or elsewhere in Eastern Europe. Other federal agencies, including the National Security Agency, are now aiding the investigation, a third person familiar with the probe said.

[snip]

J. Peter Donald, an FBI spokesman in New York, declined to comment.

[snip]

In at least one of the attacks, the hackers grabbed sensitive data from the files of bank employees, including executives, according to a fourth person briefed on the probe, who, like the other individuals with knowledge of the matter, declined to divulge the name of victims other than JPMorgan. Some data related to customers may also have been accessed, the person said.

The NYT’s version of the story, published later on Wednesday, also cited a bunch of people described only as “briefed on the continuing investigation.”

A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes.

The hackers infiltrated the networks of the banks, siphoning off gigabytes of data, including checking and savings account information, in what security experts described as a sophisticated cyberattack.

The motivation and origin of the attacks are not yet clear, according to investigators. The F.B.I. is involved in the investigation, and in the past few weeks a number of security firms have been brought in to conduct forensic studies of the penetrated computer networks.

[snip]

According to two other people briefed on the matter, hackers infiltrated the computer networks of some banks and stole checking and savings account information from clients.
