Government Won’t Be Able to Hide Its Informant in MalwareTech Case

While Paul Manafort was busy getting charged with 32 new charges (more on that tomorrow), I was in Milwaukee at a motion hearing in MalwareTech (Marcus Hutchins’) case.

Hutchins was asking for five things from the government:

  1. More information on his surveillance in Vegas, partly to challenge the claim he wasn’t drunk or exhausted when he waived Miranda rights, partly to understand whether he really understood how Miranda works in the US, and partly for probably unstated other reasons
  2. Information on Tran, his co-defendant, who remains at large in some other country, that he would have gotten if Tran were in custody facing the same charges with Hutchins
  3. More information on “Randy,” the informant who provided chat logs and a copy of the Kronos malware while trying to proffer his way out of his own cyber-crimes
  4. The instructions provided to the grand jury, to see if the importance of intentionality to the charges was properly emphasized
  5. Both the MLAT request used to get information on Tran and the search warrant used to search Randy’s home

Here are my pieces on the motion, the government’s response, and Hutchins’ reply.

At Thursday’s hearing, Judge Nancy Johnson made the following decisions:

  1. Based on the government’s representation that it had no more information on surveillance of Hutchins, she denied that motion barring any further evidence that it exists (though she did make the prosecution check again to make sure there weren’t text messages between Agents)
  2. Based on the government’s representation that there was nothing Hutchins would get about Tran were he in custody that he hasn’t already gotten, she denied that without prejudice
  3. Required the government to provide “Randy’s” identity 30 days before trial
  4. Took the request for grand jury instructions under advisement
  5. Denied the request for the search warrant for “Randy’s” house, but asked for more briefing on other cases pertaining to MLAT requests

While the discussion about materials pertaining to Tran were uninteresting, my comments about the other requests follow:

What surveillance happens in Vegas stays in Vegas

Much of this discussion pertained to clarifications that the defense wasn’t looking for the FBI Agents’ lunch place recommendations, though Hutchins’ lawyer Brian Klein said he’d take them if he got them. Klein admitted, however, that they want the surveillance materials, in part, because they think the government intentionally waited to arrest Hutchins until after he had been partying with other hackers for a week. “[W]e have our reasons to believe they arrested him at very end of Vegas trip, there was maybe a very pointed reason to believe they chose to wait until the end.” Note, I’m not sure they’re after (just) the exhaustion of DefCon, or even the government’s desire to hold off on a real rebellion if they had arrested Hutchins just as everyone was arriving to Las Vegas. 

The government claims it only has active surveillance from July 26, and August 2, as he headed for the airport. Prosecutor Michael Chmelar described the July 26 date as Hutchins’ arrival, though I think that’s incorrect as I noted here.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

Chmelar also seemed to describe a discussion about “certain preparations put in place if he did travel to the US,” which is curious given that Hutchins was publicly talking about his trip to Vegas for some time, and given the apparently weird start date of the surveillance. Chmelar also described, for the first time, a 302 on his unrecorded comments on the way to the detention facility. Chmelar made it clear that they want to force Hutchins to take the stand if he’s going to challenge his Miranda warning.

One more comment about this: Black Hat and DefCon are among the most spooked up conventions going. There would have been tons of law enforcement types wandering around unassociated with Hutchins, specifically. Would he get any surveillance from those guys?

FBI finally dug through its AlphaBay loot to find materials supporting a six month old arrest

Hutchins’ co-defendant, Tran, allegedly sold the Kronos malware at issue on AlphaBay. FBI, working with international partners (and probably using the Tor exception), took AlphaBay down on July 20, even before Hutchins’ arrest, and immediately started using those materials to prosecute crimes that, unlike Hutchins’ alleged crime, have actual American victims.

Out of the “several hundred” investigations cited by Phirippidis, other publicly known active US prosecutions arising out of AlphaBay sales involve clear American victims and perpetrators: a person in California suspected of paying an Israeli teenagerto phone and email bomb threats to Jewish Community Centers around the country;a group that fulfilled over 78,000 marijuana orders over the last two yearsmaking them largest vendor on AlphaBay; a transaction that led to the fentanyl overdose death of an 18-year old girl in Oregon; another transaction that led to a fentanyl overdose death, this time of a 24-year old Orlando woman; a fentanyl vendor suspected of making over $120,000 in profits who is tied to a non-lethal overdose; an investigation out of Atlanta into a still unidentified American who worked for AlphaBay. Other, earlier prosecutions, include the sales of heroin,fentanyl, and marijuana laid out in the indictment of AlphaBay’s head, Alexandre Cazes.

In Chmelar’s explanation that the government really doesn’t have any materials on Tran, he revealed what he (incorrectly) thought had been revealed in the government response: an unencrypted copy of AlphaBay material pertaining to the Kronos sale “just became available,” and they have put in a request for the material. “If anything is produced in that request,” Chmelar said he’d turn it over.

Again, the lackadaisical approach to establishing evidence of the sale of Kronos as compared to other AlphaBay prosecutions suggests the sale of Kronos really wasn’t that big of a priority.

As Klein noted, the government had spent three pages of their response arguing that Hutchins couldn’t have any material pertaining to Tran; at the hearing Chmelar represented nothing existed. Based on that representation, Johnson denied any further discovery.

“Randy” is not just a tipster

Michael Chmelar is a well-spoken guy. But he stumbled a lot, umming and uhing, during his discussion of “Randy,” the government informant who reportedly had chats with Hutchins about Kronos.

He received Kronos from Mr. Hutchins, before he was acting as a government , um um source, we’ve produced the malware that was received. As Mr. [Benjamin] Proctor and I noted, if we determine that uh this individual would be called as a witness, we would disclose him as district court requires.

The government really, really wants to hide certain details about “Randy” (and as Chmelar admitted, the 302 in which he proffered up Hutchins and others includes pages and pages of redacted details of “Randy’s” own crimes.

As Johnson pointed out, even if the government uses Hutchins’ own statements to admit “Randy’s” testimony, Hutchins’s team can decide to call “Randy” themselves.

In any case, while she said “Randy” wasn’t fully a transactional witness, he is closer to that than to the tipster the government is claiming. So while the defense won’t get his identity, yet, they will before trial.

The government seems to have dropped its enthusiasm for a superseding indictment

Hutchins wants the instructions given to the grand jury because two of the charges don’t include the necessary language about the required intentionality. Chmelar used one of the charges, where in parallel ones in the indictment the intentionality language is correct, to suggest this was just a scrivener’s error — something he could disappear away with a stipulation — to suggest both were. But Klein argued “These are not just little nits or typos, it goes to mens rea, [Hutchins’] alleged mental state.”

There was also an interesting subtext about whether the grand jury instructions exist. Chmelar claimed that normally he doesn’t instruct the grand jury. Klein noted the government had claimed, ‘We’re not required to instruct them.’ “Well, they did.” And it seems that Chmelar did, indeed, admit that the jury had gotten instructions on this point (I’d have to look at the transcript to make sure).

Ultimately, Johnson said she’d take the request under advisement and do more research on what constituted a compelling need to obtain grand jury instructions, but wouldn’t rule until the defense submitted their challenges to the indictment.  

But what was just as interesting about this discussion is that, whereas previously there had been discussion about the government obtaining a superseding indictment (perhaps to lard on charges that might be easier to defend), Chmelar seemed unenthused about doing so here.

The government continues to insist documents sent to other countries are internal documents

Because privacy rights are not transitive in the United States (meaning, the Fourth Amendment only protects the privacy of the person whose premise is being searched, not those who might be implicated by the search), Hutchins is not going to get the search warrant for “Randy’s” house that led to chat logs involving Kronos to be discovered.

But the question of whether he’ll get the MLAT request to whatever foreign country had information on his co-defendant, Tran (but may not be arresting him), is still a matter Johnson is weighing. The government at first argued that they didn’t have to turn over the request because it was written by lawyers, not law enforcement officers. In the hearing, Chmelar defended withholding the request because the request, which was sent to a foreign country, was an internal document.

Both sides will submit more caselaw on when and whether such requests get turned over (and the open file discovery here may make turning it over more likely).

FBI Decided Four Months after They Arrested MalwareTech that He Told Them He Hadn’t Been Drinking before the Arrest

Marcus Hutchins’ (AKA MalwareTech) defense team has replied to the government’s response to their motion to compel discovery; they are seeking evidence pertaining to his arrest and about the people (his co-defendant, Tran, and an informant, “Randy”) on whom Hutchins was incidentally collected. Here’s my post on the original defense motion, and the one on the government response showing that this case is all about incidental collection.

FBI’s discussions about what to do about a drunken MalwareTech

As I laid out, the defense claims that Hutchins was intoxicated and exhausted when he was arrested awaiting a transatlantic flight after a week of partying at hacker conferences in Las Vegas. The government claims they asked Hutchins if he had been drinking, and (they claim) he said no.

This latest filing shows that the FBI was concerned about just that. FBI Agents had an email discussion the day Hutchins was arrested discussing what they should do if he was drinking.

That production included one e-mail, dated August 2, 2017 (the day of Mr. Hutchins’ arrest), discussing what the agents should do if Mr. Hutchins started drinking at the airport (the plan: “pull him out of terminal”). This shows the agents’ contemporaneous awareness of, and concern about, the possibility of Mr. Hutchins being impaired. There surely might be other communications, including e-mails and text messages on agents’ phones, touching on the voluntariness of Mr. Hutchins’ supposed proper waiver of his Miranda rights, as well as the voluntariness of the resulting statement.

The government claims that the Agents asked Hutchins if he had been drinking as part of their interview (only part of which was recorded). Except they didn’t memorialize that contemporaneously. They wrote it up into a 302 “over four months after the arrest” — so sometime after December 2.

The government makes much of the fact that Mr. Hutchins was asked by FBI agents if he had been drinking. But even if the FBI 302 (which was written over four months after the arrest) is accurate, it does not mention exhaustion or other possible forms of intoxication (it only mentions drinking).

Consider how this looks, given another detail from the defense reply: that the FBI didn’t turn over that 302 (or the email showing the FBI was concerned that Hutchins might be drinking) until the day they submitted their response on January 19.

The government’s response neglects to mention that these records that the government references as being disclosed “recently” were produced to the defense earlier on the same day the response was filed.

Incorporating the details provided in this status report produces this timeline:

November 21: Defense and prosecution lawyers try to resolve these issues including questions about whether Hutchins was intoxicated, and conclude they weren’t going to be able to resolve them.

[C]ounsel for the government and counsel for Mr. Hutchins participated in a conference call in an attempt to resolve open issues related those discovery requests. Despite our best efforts, we have been unable to resolve those issues.

After December 2: FBI creates 302 memorializing claim that they asked Hutchins whether he had been drinking.

December 7: Hutchins’ lawyers tell the government they’re going to file a motion compelling this discovery.

[C]ounsel for Mr. Hutchins informed the government they intend to file a motion for an order that compels the government to produce certain materials to the defense.

January 5: Defense files motion to compel.

January 19: Government turns over 302 claiming they asked if Hutchins had been drinking when they arrested him and response to motion to compel.

In spite of the fact that FBI itself was worried on the day they arrested him about whether Hutchins would be sober enough for an interrogation, they never got around to claiming that they had made sure he was until after some time, potentially months, of discussions about that question and after they had decided they couldn’t get the defense to stop asking for it.

I’d say that’s pretty sketchy.

Government didn’t get around to surveilling Hutchins until July 26

In my post on the government response, I wondered why there would be a surveillance report from July 26, but not one from when Hutchins first arrived in Las Vegas on July 21.

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The defense reply explains it: for whatever reason, Agents in Wisconsin didn’t get around to asking Las Vegas FBI to start surveillance on Hutchins until July 26.

Since the agents started surveillance on July 26, 2017 and it ran through August 2, 2017, it is inconceivable that the agents actively surveilling him exchanged nothing but a single e-mail right before Mr. Hutchins’ arrest.1

1 The only other e-mail disclosed by the government appears to have been sent from an FBI agent in Milwaukee on July 26, 2017, and requests FBI Las Vegas assistance to conduct surveillance of Mr. Hutchins.

For some reason, the FBI either didn’t realize the guy they had just indicted on July 11 was coming to the US until well after he got here in spite of the fact that 1) he had been to Black Hat the year before 2) he was talking about coming again on Twitter 3) he tracked his flight into the country on Twitter, or they didn’t decide they were going to arrest him until after he had been here for a while.

So arresting Hutchins was so urgent they had to do it before he left the country (to avoid extradition), even if he had been drinking (and interviewing him while he was still confused and without counsel was such a priority they couldn’t let him just catch up on his sleep in jail).

But not so urgent they had prepared enough for his well-advertised arrival in the weeks before he arrived to have Las Vegas’ FBI ready to surveil him.

The Government Built Its Criminal Case against MalwareTech Off Incidental Collection

The government has responded to MalwareTech’s (Marcus Hutchins) demand for more evidence by refusing everything. Along the way, they reveal that the bulk of the case against Hutchins arises from him being incidentally collected off two other criminal suspects, Tran (his co-defendant) and Randy (an informant who provided testimony against him in conjunction with his own criminal exposure).

Twenty-somethings claiming they’re not drunk occifer

As for rebuttals of the points made in his demand, the government has two rebuttals as to the substance of Hutchins’ argument, versus the law. First, they claim that Hutchins told the FBI he wasn’t drunk when they arrested him, contrary to the claim made to support a demand for materials on the surveillance of him leading up to his arrest.

Before the interview started, Hutchins told agents that he was not under the influence of alcohol.

Apparently they made a separate 302 (of unknown date) to memorialize their claim he told them he wasn’t drunk.

In addition to those materials, the government recently disclosed an additional FBI 302 report memorializing the defendant’s statement that he was not under the influence of alcohol at the time of his arrest,

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The government’s “intentional” fuckups may lead to superseding indictments

The government seems to cede Hutchins’ suggestion that it flubbed the language on “intention” versus “knowledge” on at least one and maybe a second charge against him.

Hutchins claims that the indictment is defective because Count Two of the indictment states that the defendant acted “knowingly” instead of “intentionally.” 3 Likewise, despite the fact that Count Six charges an attempt, Hutchins argues Count Six fails to allege that defendant “intentionally” attempted to cause damage to a protected computer.4 This, however is not an allegation of “error in the grand jury proceedings” under Rule 12(b)(3)(A)(v). It is an allegation of a defect in the indictment under Rule 12(b)(3)(B)(v). Thus, if Hutchins truly believes Counts Two and Six are facially defective, he can file a motion dismiss those counts under Rule 12(b)(3)(B)(v).

3 Count Two appears to contain a drafting error because Counts Three and Four, which also allege violations of 18 U.S.C. § 2512, state that the defendant acted “intentionally” rather than “knowingly.” This further undermines Hutchins’ speculation that the grand jury was erroneously instructed.

4 According to Seventh Circuit jury instructions, an attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” Therefore, because Count Six is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” would be unnecessary and redundant.

But they generously offer to fix that problem in a superseding indictment.

The government has already explained to the defense that it will likely seek a superseding indictment in this case. That superseding indictment would address any possible drafting errors noted by the defense.

Given that elsewhere they say the informant, Randy, who provided information against Hutchins, discussed “involvement in creating the Kronos banking Trojan, among other criminal conduct” [my emphasis] with him in online chats, they seem to be suggesting that if the defense makes too big a deal about this they’ll add charges against Hutchins.

Incidentally collected defendants get nothing

Perhaps most interesting, this filing demonstrates the degree to which Hutchins’ prosecution stems from his incidental collection in investigative efforts targeting Tran and Randy. In fact, precisely because he was incidentally collected and not personally targeted, the government claims it doesn’t have to provide affidavits that might explain how — and more importantly, why — they decided to arrest Hutchins.

For example, the government argues Hutchins can’t have the MLAT requests, which are used to ask other countries to provide information for a criminal prosecution. In this case, MLATs obtained  information on Tran, the guy who sold the Kronos malware Hutchins is alleged to have helped write. The government refuses to hand these over, in part, because they don’t get signed by FBI Agents, but instead get signed by lawyers.

Here, the defendant relies on Rule 16(a)(1)(E)(i) in seeking disclosure of MLATs and search warrant applications. But that Rule is inapplicable. With regard to MLATs, they are not signed or attested to by law enforcement agents. Instead, they are signed by an attorney representing the United States. Information received in response to an MLAT that is subject to disclosure under Rule 16 has been, and will continue to be, turned over to the defense in this case. Indeed, the defendant acknowledges that he has received materials responsive to an MLAT request. Doc. #44 at 17. The MLAT request itself, however, is not subject to production. In fact, MLAT requests (rather than the responsive materials) are explicitly excluded from production under Rule 16(a)(2).

Moreover, because the MLAT was targeted at Hutchins’ co-defendant, and not him, he doesn’t get it.

Moreover, the MLAT request submitted in this case related to Hutchins’s codefendant and not Hutchins. As noted above, the government has disclosed materials received in response to the MLAT, but the MLAT itself is not subject to production under Rule 16, Giglio, Brady, or § 3500.

There is one still undisclosed search warrant affidavit in the case. But because that was used to incriminate Randy, the informant, Hutchins won’t get that either.

With regard to search warrant materials, the government has explained to Hutchins that no search warrants were executed that focused on Hutchins’ activities. There was a search warrant executed in an unrelated case that revealed statements made by Hutchins to CS-1, and those statements were turned over in discovery under Rule 16. But, there is no authority supporting the production of that search warrant affidavit or other documents relating to that warrant. The warrant was executed at a residence in the United States and did not involve Hutchins’ property or privacy interests. The affidavit is not subject to disclosure under 18 U.S.C. § 3500 because it was made in connection with an unrelated investigation. Given the separation between this case and the other investigation, the government does not believe at this time that the affiant’s statements in the affidavit supporting that warrant “relate to the subject matter of the testimony” to be presented in this case. 18 U.S.C. § 3500.

The government seems pretty lackadaisical towards Hutchins’ co-defendant

The government’s unwillingness to turn over information on the other alleged criminals in this case is particularly interesting given how uninterested they seem in him. The filing reveals that someone working undercover for the FBI did have discussions with Tran about Kronos (again, this is malware that had no significant US victims in the form Hutchins is alleged to have been involved in it), and they collected postings on it off the Darkode forum.

In support of this request, Hutchins asserts that such items “must be material to preparing Mr. Hutchins’ defense” because the indictment alleges a conspiracy; that “the government may be withholding information that could exculpate Mr. Hutchins”; and that he has a right to “locate the codefendant.” Doc. #44 at 8-9. Because the government has disclosed information relating to the codefendant, and there is no authority supporting the defendant’s request for additional information, his motion to compel the production of this information should be denied.

Of note, Hutchins’ codefendant has not yet been arrested in connection with this case. And, the government has disclosed certain information relating to the codefendant to Hutchins. This includes (1) the codefendant’s name; (2) materials responsive to an MLAT request that included a redacted copy of the codefendant’s passport; (3) undercover chats between the codefendant and the FBI related to the marketing, sale, and distribution of Kronos; and (4) various Internet postings related to Kronos that are attributable to one of the aliases used by the codefendant, including on the now shuttered Darkode forum.

But the government hasn’t obtained any information about the other things Tran was selling on dark markets.

Hutchins’ speculation that “the government must be withholding substantial additional information in its possession,” including information that may show the codefendant acted independently of Hutchins, is not supported. Doc. #44 at 8. While it might be true that the codefendant was involved in criminal activity in addition to distributing Kronos with Hutchins, the government is not suppressing that information. It simply does not possess such information. If additional records in the government’s possession are identified and deemed material, the government will provide those records to the defendant.1

That suggests he’s not really the target here.

More interesting still, the government claims it hasn’t yet identified any records from its AlphaBay seizure pertaining this malware they claim is so important they’ve arrested the guy who stopped the WannaCry malware attack.

1 In his motion, Hutchins states that “the government likely has records of the codefendant’s activities on AlphaBay.” Doc. #44 at 9. The government is still pursing information from the AlphaBay marketplace, but it has not yet located any materials subject to disclosure.

It seems virtually impossible that they wouldn’t find information in the seized servers,  if it was, at all, a priority. Which seems to suggest the opposite — not finding anything — may be a priority.

By providing evidence that suggests the government simply isn’t all that interested in Tran (if, as his name suggests, he’s Vietnamese, he may be beyond any extradition treaty), the government dismisses the possibility that Hutchins or his friends could find Tran (not an unreasonable possibility, because that’s how hackers roll).

[Hutchins] told agents that he knew his codefendant only by various online aliases; his dealings with his codefendant were all online; and he has never met his codefendant in person or even seen a photograph of the codefendant. It therefore makes no sense for Hutchins to claim that, if provided the requested “materials and communications,” he will be able to locate the fugitive codefendant and obtain exculpatory information from that individual.

But along the way, this prevents Hutchins from arguing that this case is all trumped up to go after him, for some reason.

Hiding Randy and the carding charges he’s working off

More interesting, still, the government is going to some lengths to hide Randy, the informant they call CS-1 who provided information on Hutchins.

The list of what they have provided in discovery provides some outline of how they got to Randy.

In reality, the government has produced the following materials related to CS-1: (1) A redacted proffer letter between the government and CS-1; (2) undercover chats between a government cooperator and CS-1 regarding the sale of stolen credit card numbers; (3) chats between CS-1 and Hutchins regarding Hutchins’ involvement in creating the Kronos banking Trojan, among other criminal conduct; and (4) a redacted FBI 302 report (which Hutchins refers to in his motion) memorializing a FBI interview of CS-1 regarding Hutchins and others.

It seems that a third part (the “government cooperator,” who himself may be an informant working off criminal charges) provided the FBI chats showing discussions with Randy of carding activity. This led to the FBI to go after Randy. He, in turn, made a proffer to the government offering to cooperate, presumably in exchange for leniency in his own case. That led to an interview with the FBI where Randy provided information on Hutchins “and others.”

Note that the government doesn’t tell us when all this happened?

The government argues that Randy is a mere tipster who wasn’t (yet) being controlled by the FBI at the time, and so they won’t have to let Hutchins question Randy about these underlying circumstances unless they put Randy on the stand, even though they concede he might (as someone working off his own criminal exposure) might actually be a transactional witness.

CS-1’s position in this case is more of a like a “mere tipster” than a transactional confidential informant. Hutchins sent a copy of the Kronos malware to CS-1 in 2015, but CS-1 was not acting as an agent for the government at that time. If the government called CS-1 as a witness at trial, his/her primary role would be to testify about the third-party admissions Hutchins made during chats with CS-1. Even if the Court found CS-1 acted more like a transactional witness, that finding does not automatically justify disclosure of CS-1’s identity. United States v. McDowell, 687 F.3d 904, 911 (7th Cir. 2012). The defendant would still need to establish that knowing CS-1’s identity is “relevant and helpful to his defense or is essential to a fair determination of a cause,” Wilburn, 581 F.3d at 623. Here, his request for disclosure of CS-1’s identity is based on speculation, which is insufficient. See Valles, 41 F.3d at 358 (“The confidential informant privilege ‘will not yield to permit a mere fishing expedition, nor upon bare speculation that the information may possibly prove useful.’” (quoting Dole, 870 F.2d at 373)).

The government argues that Hutchins is only speculating that learning who Randy is would be material to his defense, and uses that to argue that they don’t have to reveal Randy’s name so Hutchins can test whether it’s material to his defense.

The government generously agrees to give Hutchins Randy’s real name if they call him to testify, but then boast that Hutchins’ jail phone calls mitigate the need to put Randy on the stand.

Nonetheless, the government agrees to disclose CS-1’s identity to the defense if it determines that CS-1 will be a testifying witness at trial.2

2 To be sure, it might not be necessary to call CS-1 as a witness at trial because the defendant was shown the chats he had with CS-1 during his post-arrest interview and the defendant admitted that he was one of the parties in those conversations. Later, the defendant made phone call from jail in which he described the chats as “undeniable.” Therefore, the admissions Mr. Hutchins made to CS-1 are admissible non-hearsay statements, which Mr. Hutchins previously identified as accurate.

There are a slew of reasons Randy’s identity is of particular interest. Not least, that unknown entities engaged in serial credit card fraud to try to disrupt Hutchins’ defense fundraisers. As I’ve suggested, that means that entities engaged in probable criminal credit card fraud made a concerted effort to thwart Hutchins’ ability to mount the most robust defense.

Is the FBI even investigating who disrupted Hutchins’ defense fundraising efforts? Would they do so if it would hurt their case?

All of which leaves the distinct impression that the government isn’t all that interested in the two suspected criminals implicated in the case against him, but are very interested in ratcheting up the pressure on Hutchins himself.

And because they got to Hutchins via incidental collection — and not direct targeting — they might succeed in doing so.


The Government’s MalwareTech Case Goes (Further) To Shit

MalwareTech’s lawyers just submitted a motion to compel discovery in his case. It makes it clear his case is going to shit — and that’s only the stuff that is public.

DOJ is hiding what drunken MalwareTech understood about un-common law

First, the motion reveals that even though the FBI recorded its interview with Marcus Hutchins at the Las Vegas airport, where Hutchins allegedly admitted to creating the Kronos malware (though in actuality Hutchins only admitted to creating that code), they somehow forgot to record (or even write down) the Miranda warning part.

After Mr. Hutchins was taken into custody, two law enforcement agents interviewed him at the airport. The memorandum of that interview generically states: “After being advised of the identity of the interviewing Agents, the nature of the interview and being advised of his rights, HUTCHINS provided the following information . . .” A lengthy portion of Mr. Hutchins’ interview with the agents was audio recorded. Importantly, however, the agents did not record the part of the interview in which they purportedly advised of him of his Miranda rights, answered any questions he might have had, and had him sign a Miranda waiver form.

This is important for several reasons. First, Hutchins is a foreign kid. And while I presume he has seen Miranda warnings a jillion times on the TV, those warnings are different in the US than they are in the UK, contrary to whatever else we might share as common law.

Mr. Hutchins is a citizen of the United Kingdom, where a defendant’s post-arrest rights are very different than in the United States.4 The United Kingdom’s version of Miranda contains no mention of the right to counsel, and if a defendant does not talk, it may later be used against him under certain circumstances.5 Because of this, any government communications in advance of Mr. Hutchins’ arrest and regarding how to advise him of his rights under Miranda are important to demonstrate that Mr. Hutchins would not have understood any purported Miranda warnings and that he was coerced to waive his rights.

4 United Kingdom law requires the following caution being given upon arrest (though minor wording deviations are allowed): “You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in Court. Anything you do say may be given in evidence.”

So the specific wording of the warning he got would be especially important to understand whether he was told how things are different here in the former colonies, where you’re always told you can have a lawyer.

Also Hutchins was drunk and — because he’d been at DefCon and Black Hat all week — exhausted. But the defense can’t show that because the government isn’t turning over any of the surveillance materials from the week the FBI was surely following Hutchins in Las Vegas.

The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest.

The government doesn’t want you to know co-defendant Tran is just a convenient excuse to arrest MalwareTech

Next, the government is withholding both information about Hutchins’ co-defendant, and the MLAT request the government used to get that information. The co-defendant’s last name is Tran, but the government has been hiding that since it accidentally published the name when Hutchins’ docket went live. Tran has not yet been arrested, but apparently there was evidence relating to him in a country that would respond to an American MLAT request. The government hasn’t turned it over.

[T]he government may be withholding information that could exculpate Mr. Hutchins. For example, any material showing that the codefendant operated independently of Mr. Hutchins’ alleged conduct would tend to demonstrate that they did not conspire to commit computer fraud and abuse (Count 1). The indictment itself supports that notion: it alleges that the codefendant advertised and sold the Kronos malware independently of Mr. Hutchins. (Indictment at 3 ¶ 4(e)-(f).) Moreover, the indictment alleges that the malware was advertised on the AlphaBay market forum, which the Department of Justice seized and shut down on July 20, 2017 in cooperation with a number of foreign authorities.8 In connection with that case, the government likely has records of the co-defendant’s activities on AlphaBay that it has not produced (e.g., records obtained through MLAT requests).

They also haven’t turned over the MLAT application itself, which would explain why some country has turned over evidence on Tran, but not Tran himself.

To date, the government has produced materials responsive to a single MLAT request, and has declined to produce the MLAT request itself. The MLAT request, however, surely contains information regarding the government’s theory of the case and may have been signed by an agent who will testify at trial. MLAT requests vary from country to country, but they can be quite similar to search warrants, since they are often used to obtain documents.

DOJ won’t tell you which ham sandwiches the grand jury intended knowed to indict

Hutchins’ lawyers then ask for the grand jury instructions because the indictment as charged doesn’t get the mens rea necessary for the underlying charges. Basically, two of the charges against Hutchins were laid out as if the only thing needed for a crime was to knowingly do something, as opposed to intentionaly do it.

The defense needs the legal instructions for an anticipated motion to dismiss the indictment. One ground for that motion is that at least two of the charged counts are defective on their face, failing to include the appropriate mens rea. Since the two counts deviate materially from the required and heightened mental states set forth in the operative statutes, this demonstrates likely irregularities in how the grand jury was instructed on the law.


Count 6 suffers from a similar defect. It charges that the defendants:

[K]nowingly caused the transmission of a program, information and command and as a result of such conduct, attempted to cause damage without authorization, to 10 or more protected computers during a 1-year period. In violation of Title 18, United States Code, Sections 1030(a)(5)(A), (c)(4)(B)(i) and (ii), (c)(4)A(i)(VI), 1030(b), and 2.

(Indictment at 8 (emphasis added).)

But 1030(a)(5)(A) states it is illegal to:

[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.] (Emphasis added.)

Likewise, the Seventh Circuit Pattern Jury Instructions state the elements of the offense are:

1. The defendant knowingly caused the transmission of a [program; information; code; command]; and

2. By doing so, the defendant intentionally caused damage to a protected computer without authorization. (Emphasis added.)

The plain text of 1030(a)(5)(A) and the Pattern Jury Instructions leave no doubt that Count 6, as it is pleaded, does not include the requisite “intentional” mens rea for causing damage without authorization, again failing to allege an essential element of the offense.

Effectively, they’re arguing that the government has charged Hutchins for knowingly done something when they had to charge him for intentionally doing something. Which, given that his code was probably used without his knowledge, is going to present difficulties. And so Hutschins’ team is going to attack the indictment itself.

Considering that Counts 2 and 6 misstate the required mental states specified in the statutes, there is a high likelihood the government did not properly instruct the grand jury on the law, and the grand jury returned a legally defective indictment, as a result of improper legal instructions.

What about “Randy”?

But the thing that intrigues me the most about this case is that some guy the government is naming “Randy” — because they don’t want to actually reveal anything about this dude — is a key witness against Hutchins. 

The defense expects “Randy” to testify at trial because he is alleged to have had extensive online chats with Mr. Hutchins around the time of the purported crimes in which Mr. Hutchins discussed his purported criminal activity. Any communications and materials relating to “Randy” are therefore material to defense preparations.

The defense argues that the government is treating Randy like a tipster rather than a witness as a way to hide who he is. This is worth citing at length (also note Marcia Hofmann and Brian Klein added local lawyer Daniel Stiller, who — I presume — is Seventh Circuit citing with great abandon).

The informant privilege does not permit the government to conceal a witness when, as here, disclosure “is relevant and helpful” to a defendant’s defense “or is essential to a fair determination of a cause.” United States v. McDowell, 687 F.3d 904, 911 (7th Cir. 2012) (quoting Roviaro v. United States, 353 U.S. 53, 60-61 (1957)). Indeed, the Seventh Circuit’s treatment of the privilege indicates that its reach is typically limited to background sources of information, as in a tipster who furnishes details that commence an investigation resulting in a prosecution premised on the fruits of the investigation, not the details of the background tip.

A mere tipster, according to the Seventh Circuit, is “someone whose only role was to provide the police with the relevant information that served as the foundation to obtaining a search warrant.” Id. Tipsters differ from what the Seventh Circuit terms “transactional witnesses,” who are individuals “who participated in the crime charged . . . or witnessed the event in question.” Id. For tipsters, “the rationale for the privilege is strong and the case for overriding it is generally weak.” Id. In contrast, “the case for overriding the privilege and requiring disclosure tends to be stronger” for transactional witnesses. Id.

Here, the government’s refusal to disclose even the identity of “Randy’s” attorney is apparently the result of miscategorizing an important witness as a mere tipster. “Randy” is a cooperating witness, one whose provision of information to law enforcement was facilitated by consideration—proffer immunity, at the least—from the government. This circumstance alone weighs against continuing confidentiality because “Randy” surely knows his cooperation will be revealed.

The government won’t even give the defense the name of this dude’s lawyer so the lawyer can tell them his client doesn’t want to talk to them.

Me? I’m guessing if the government were required to put “Randy” on the stand they’d contemplate dismissing the charges against Hutchins immediately. I’m guessing the government now realizes “Randy” took them for a ride — perhaps an enormous one. And given how easy it is to reconstitute chat logs — but here, it’s not even clear “Randy” has the chat logs, but just claimed to have been a part of them, in an effort to incriminate him — I’m guessing this part of the case against Hutchins won’t hold up.

It’d probably be a good time for the government to dismiss the charges against Hutchins and give him an H1B for his troubles so he can surf off the last 6 months of stress. But that’s not how the government works, when they realize they really stepped in a load of poo.

Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.


it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.


[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

Word Type of error Correct analogue
“ustanavlivat” omitted sign at the end, verb tense error “ustanovit'” or “ustanoviti”
“poluchit” omitted sign at the end “poluchit'” or “poluchiti”
“pereslat” omitted sign at the end “pereslat'” or “pereslati”
“derzhat” omitted sign at the end “derzhat'” or “derzhati”
“vykhodit” omitted sign at the end, verb tense error “vyiti”

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect”were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.


Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

Transliterated Russian words used in AS Translated from Russian
Podgotovkaskotiny Preparation of farm animals
geigeigei3raza Hey, hey, hey 3 times
chainik Dummy (a stupid person)
chainikaddress Dummy’s address
poishemdatu Let’s search for data
poiskvpro Searching in ‘pro’
vyzov_chainika Calling the dummy (a stupid person)
daiadreschainika Get address of the dummy
runskotina Execute farm animals
babaLEna Old woman Lena

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

01 private function put_dummy_args(param1:*) : *
02 {
03 return,param1);
04 }
05 private function vyzov_chainika() : *
06 {
07 return;
08 }

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while, the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

The Bankrupt Attribution of WannaCry

I’ve been puzzling through this briefing, purportedly attributing the WannaCry hack to North Korea, which followed last night’s Axis of CyberEvil op-ed (here’s the text). The presser was … perhaps even more puzzling than the Axis of CyberEvil op-ed.

Unlike the op-ed, Homeland Security Czar Tom Bossert provided hints about how the government came to attribute this attack.

Bossert makes much of the fact that the Five Eyes plus Japan all agree on this.

We do so with evidence, and we do so with partners.

Other governments and private companies agree.  The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.

He also points to the Microsoft and (unnamed — because it’d be downright awkward to name Kaspersky in the same briefing where you attack them as a cybersecurity target) security consultant attributions from months ago.

Commercial partners have also acted.  Microsoft traced the attack to cyber affiliates of the North Korean government, and others in the security community have contributed their analysis.

Here are the specific things he says about how the US, independent of Microsoft and villains like Kaspersky, made an attribution.

What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.  We had to examine a lot.  And we had to put it together in a way that allowed us to make a confident attribution.


[I]t’s a little tradecraft, to get to your second question.  It’s hard to find that smoking gun, but what we’ve done here is combined a series of behaviors.  We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks.  And so you have to apply some gumshoe work here, not just some code analysis.

Nevertheless, Bossert alludes to people launching this attack from “keyboards all over the world,” but says because these “intermediaries … had carried out those types of attacks on behalf of the North Korean government in the past,” they were confident in the attribution.

People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea.  And so that’s one of the challenges behind cyber attribution.


[T]here were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past.  And that was one of the tradecraft routines that allowed us to reach that conclusion.

Taking credit for stuff the private sector did

In his prewritten statement, Bossert provides on explanation for the timing of all this. One of the reasons the US is attributing the WannaCry attack now — aside from the need to gin up war with North Korea — is that Facebook and Microsoft, “acting on their own initiative last week,” took action last week against North Korean targets.

We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers.  Microsoft acted before the attack in ways that spared many U.S. targets.

Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe.  They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.

Yet even while acknowledging that Microsoft and Facebook are busy keeping the US safe, he demands that the private sector … keep us safe.

We call today — I call today, and the President calls today, on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors the ability to launch reckless and disruptive cyber acts.

Golly how do you think the US avoided damage from the attack based on US tools so well?

Then Bossert invites Assistant Secretary for Cybersecurity and Communications at DHS Jeanette Manfra to explain not how the US attributed this attack (the ostensible point of this presser), but how the US magically avoided getting slammed — by an attack based on US tools — as badly as other countries did.

By midafternoon, I had all of the major Internet service providers either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States.  We partnered with the Department of Health and Human Services to reach out to hospitals across the country to offer assistance.  We engaged with federal CIOs across our government to ensure that our systems were not vulnerable.  I asked for assistance from our partners in the IT and cybersecurity industry.  And by 9:00 p.m. that night, I had over 30 companies represented on calls, many of whom offered us analytical assistance throughout the weekend.

By working closely with these companies and the FBI throughout that night, we were able to issue a technical alert, publicly, that would assist defenders with defeating this malware.  We stayed on alert all weekend but were largely able to escape the impacts here in this country that other countries experienced.

Managing to avoid getting slammed by an attack that the US had far more warning of (because it would have recognized and had 96 days to prepare) is proof, Manfra argues, of our preparation to respond to attacks we didn’t write the exploit for.

[T]he WannaCry attack demonstrated our national capability to effectively operate and respond.

Ix-Nay on the AdowBrokers-Shay

Which brings us to the dramatic climax of this entire presser, where Tom Bossert plays dumb about the fact that his this attack exploited an NSA exploit. In his first attempt to deflect this question, Bossert tried to distinguish between vulnerabilities and the exploits NSA wrote for them.

Q    Had they not been able to take advantage of the vulnerabilities that got published in the Shadow Brokers website, do you think that would have made a significant difference in their ability to carry out the attack?

MR. BOSSERT:  Yeah.  So I think what Dave is alluding to here is that vulnerabilities exist in software.  They’re not — almost never designed on purpose.  Software producers are making a product, and they’re selling it for a purpose.

Pretending a vulnerability is the same thing as an exploit, Bossert pointed to the (more visible but still largely the same) Vulnerabilities Exploit Process Trump has instituted.

When we find vulnerabilities, the United States government, we generally identify them and tell the companies so they can patch them.

In this particular case, I’m fairly proud of that process, so I’d like to elaborate.  Under this President’s leadership and under the leadership of Rob Joyce, who’s serving as my deputy now and the cybersecurity coordinator, we have led the most transparent Vulnerabilities Equities Process in the world.

Hey, by the way, why isn’t Rob Joyce at this presser so the person in government best able to protect against cyber attacks can answer questions?

Oh, never mind–let’s continue with this VEP thing.

And what that means is the United States government finds vulnerabilities in software, routinely, and then, at a rate of almost 90 percent, reveals those.  They could be useful tools for us to then exploit for our own national security benefit.  But instead, what we choose to do is share those back with the companies so that they can patch and increase the collective defense of the country.  It’s not fair for us to keep those exploits while people sit vulnerable to those totalitarian regimes that are going to bring harm to them.

So, in this particular case, I’m proud of the VEP program.  And I’d go one step deeper for you:  Those vulnerabilities that we do keep, we keep for very specific purposes so that we can increase our national security.  And we use them for very specific purposes only tailored to our perceived threats.  I think that they’re used very carefully.  They need to be protected in such a way that we don’t leak them out and so that bad people can get them.  That has happened, unfortunately, in the past.

Hell! Let’s go for broke. Let’s turn the risk that someone can steal our toys and set off a global worm into the promise that we’ll warn people they’ve been hacked.

But one level even deeper.  When we do use those vulnerabilities to develop exploits for the purpose of national security for the classified work that we do, we sometimes find evidence of bad behavior.  Sometimes it allows us to attribute bad actions.  Other times it allows us to privately call — and we’re doing this on a regular basis, and we’re doing it better and in a more routine fashion as this administration advances — we’re able to call targets that aren’t subject to big rollouts.  We’re able to call companies, and we’re able to say to them, “We believe that you’ve been hacked.  You need to take immediate action.”  It works well; we need to get better at doing that.  And I think that allows us to save a lot of time and money.

We’re not yet broke yet, though! When Bossert again gets asked whether WannaCry was based off a US tool, he tried to argue the only tool involved was the final WannaCry one, not than the underlying NSA exploit.

Q    So you talked about the 90 percent of times when you guys share information back with companies rather than exploit those vulnerabilities.  Was this one of the 10 percent that you guys had held onto?

MR. BOSSERT:  So I think there’s a case to be made for the tool that was used here being cobbled together from a number of different sources.  But the vulnerability that was exploited — the exploit developed by the culpable party here — is the tool, the bad tool.

This soon descends into full-on Sergeant Schultz.

I don’t know what they got and where they got it, but they certainly had a number of things cobbled together in a pretty complicated, intentional tool meant to cause harm that they didn’t entirely create themselves.

MalwareTech took a risk doing what he always does [er, did, before the US government kidnapped him] with malware?

Then there’s weird bit — one of those Bossert moments (like when he said WannaCry was spread by phishing) that makes me think he doesn’t know what he’s talking about. When asked if this North Korean attribution changed the government’s intent to prosecute MalwareTech (Marcus Hutchins), Bossert dodged that tricksy question (the answer is, yes, the prosecution is still on track to go to trial next year) but then claimed that Hutchins “took a risk” doing something he has repeatedly said he always does when responding to malware.

I can’t comment on the ongoing criminal prosecution or judicial proceedings there.  But I will note that, to some degree, we got lucky.  In a lot of ways, in the United States we were well-prepared.  So it wasn’t luck — it was preparation, it was partnership with private companies, and so forth.  But we also had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it.  He took a risk, it worked, and it caused a lot of benefit.  So we’ll give him that.  Next time, we’re not going to get so lucky.

After dodging the issue of why the government is prosecuting the guy whose “luck” Bossert acknowledges saved the world, he has the gall to say — in the very next breath!! — we need to do the kind of information sharing that Hutchins’ prosecution disincents.

So what we’re calling on here today is an increased partnership, an increased rapidity in routine speed of sharing information so that we can prevent patient zero from being patient 150.

Whatever you do, don’t follow the lack of money

All that was bad enough. But then things really went off the rail when a journalist asked about what one of the poorest countries on earth — a country with a severe exchangeable currency shortage — did with the money obtained in this ransomware attack.

Q    Tom, the purpose of ransomware is to raise money.  So do you have a sense now of exactly how much money the North Koreans raised as a result of this?  And do you have any idea what they did with the money?  Did it go to fund the nuclear program?  Did it go just to the regime for its own benefit?  Or where did that money go?

MR. BOSSERT:  Yeah, it’s interesting.  There’s two conundrums here.  First, we don’t really know how much money they raised, but they didn’t seem to architect it in the way that a smart ransomware architect would do.  They didn’t want to get a lot of money out of this.  If they did, they would have opened computers if you paid.  Once word got out that paying didn’t unlock your computer, the payment stopped.

And so I think that, in this case, this was a reckless attack and it was meant to cause havoc and destruction.  The money was an ancillary side benefit.  I don’t think they got a lot of it.

Wow. A couple things here. First, of one of the poorest countries in the world, Bossert said with a straight face: “They didn’t want to get a lot of money out of this.”

He has to do that, because he has just said that, “They’ve got some smart programmers.” So he has to treat the attack, as implemented, as the attack that the perpetrators wanted. That apparently doesn’t mean he feels bound to offer some explanation for why North Korea would forgo the money that their smart programmers could have earned. Because he never offers that, without which you have zero credible attribution.

Still nuttier, at one level it cannot be true that “we don’t know how much money they raised.” Later in his presser he claims, “cryptocurrency might be difficult to track” and suggests the government only learned about how little they were making because, “targets seem to have reported to us, by and large, that they mostly didn’t pay. … So we were able to track the behavior of the targets in that case.”

Um. No. It was very public! We watched WannaCry’s perps collect $144,000 via the @Actual_ransom account, and we watched the account be cashed out in the immediate wake of the aforementioned MalwareTech arrest (as Hutchins noted, making it look like he had absconded with his Bitcoin rather than gotten arrested by the FBI).  That, too, is a detail that Bossert would have needed to address for this to be a marginally credible press conference.

But wait! There’s more! We also know that as soon as WannaCry’s perps publicly cashed out, Shapeshift blacklisted all its known accounts, making it impossible for WannaCry to launder the money, and adding still more transparency to the process. Which means Bossert should know well the answer to the question “how much did North Korea (or whatever perp) make off this?” is, zero. None. Because their money got cut off in the laundering process. (For some reason, Bossert gave Shapeshift zero credit here, which raises further questions I might return to at a later date.) Either attribution includes details about this process or … it’s not credible.

Bossert’s backflips to pretend Trump isn’t treating North Korea differently than Russia

Now, all this is before you get into the gymnastics Bossert performed to pretend that Trump isn’t treating North Korea — against whom this attribution will serve as justification for war — differently than Russia. After being asked about it, Bossert claimed,

President Trump not only continued the national emergency for cybersecurity, but he did so himself and sanctioned the Russians involved in the hacks of last year.

His effort to conflate last year’s hack-related sanctions with the sanctions imposed by Congress but not fully implemented looked really pathetic.

Q    Have all the sanctions been implemented?

MR. BOSSERT:  This was — yeah, this was the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.  President Trump continued that national emergency, pursuant to the International Emergency Economic Powers Act, to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Pivoting to one of the most important private companies

Immediately after which, perhaps in an act of desperation, Bossert pivoted to Kaspersky, one of the most important security firms in unpacking WannaCry and therefore utterly central to any claim the answer to cyberattacks is to share between the private and public sector. Bossert said this to defend the claim that the Trump administration is taking Russian threats seriously.

Now, look, in addition, if that’s not making people comfortable, this year we acted to remove Kaspersky from all of our federal networks.  We did so because having a company that can report back information to the Russian government constituted a risk unacceptable to our federal networks.

And then — in the same press conference where Bossert hailed cooperation, including with private security firms like Kaspersky, he boasted about how “in the spirit of cooperation” the US has gotten “providers, sellers, retail stores” to ban one of the firms that was critical in analyzing and minimizing the WannaCry impact.

In the spirit of cooperation, which is the second pillar of our strategy — accountability being one, cooperation being the second — we’ve had providers, sellers, retail stores follow suit.  And we’ve had other private companies and other foreign governments also follow suit with that action.

In case you’re counting, he has boasted about cooperation in the same breath as speaking of both MalwareTech and Kaspersky.

Whatever. From this we’re supposed to conclude we should go to war against North Korea and their non-NK keyboarders the world over and  that the way to defend ourselves against them is to simultaneously demand “cooperation” even while treating two of the most important entities who minimized the threat of WannaCry as outlaws.

Tom Bossert Brings You … Axis of CyberEvil!

I was struck, when reviewing the NYT article on the KT McFarland email, how central Homeland Security Czar Tom Bossert was to the discussion of asking Russia not blow off Obama’s Russia sanctions.

“Key will be Russia’s response over the next few days,” Ms. McFarland wrote in an email to another transition official, Thomas P. Bossert, now the president’s homeland security adviser.


Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.


Mr. Bossert replied by urging all the top advisers to “defend election legitimacy now.”


Obama administration officials were expecting a “bellicose” response to the expulsions and sanctions, according to the email exchange between Ms. McFarland and Mr. Bossert. Lisa Monaco, Mr. Obama’s homeland security adviser, had told Mr. Bossert that “the Russians have already responded with strong threats, promising to retaliate,” according to the emails.

There Tom Bossert was, with a bunch of political hacks, undercutting the then-President as part of an effort to “defend election legitimacy now.”

Which is one of the reasons I find Bossert’s attribution of WannaCry to North Korea — in a ridiculously shitty op-ed — so sketchy now, as Trump needs a distraction and contemplates an insane plan to pick a war with North Korea.

The guy who — well after it was broadly known to be wrong — officially claimed WannaCry was spread by phishing is now offering this as his evidence that North Korea is the culprit:

We do not make this allegation lightly. It is based on evidence.

A representative of the government whose tools created this attack, said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

Much of the op-ed is a campaign ad falsely claiming a big break with the Obama Administration.

Change has started at the White House. President Trump has made his expectations clear. He has ordered the modernization of government information-technology to enhance the security of the systems we run on behalf of the American people. He continued sanctions on Russian hackers and directed the most transparent and effective government effort in the world to find and share vulnerabilities in important software. We share almost all the vulnerabilities we find with developers, allowing them to create patches. Even the American Civil Liberties Union praised him for that. He has asked that we improve our efforts to share intrusion evidence with hacking targets, from individual Americans to big businesses. And there is more to come.

A number of the specific items Bossert pointed to to claim action are notable for the shoddy evidence underlying them, starting with the Behzad Mesri case and continuing to Kaspersky — which has consistently had more information on the compromises we blame it for than the US government.

When we must, the U.S. will act alone to impose costs and consequences for cyber malfeasance. This year, the Trump administration ordered the removal of all Kaspersky software from government systems. A company that could bring data back to Russia represents an unacceptable risk on federal networks. Major companies and retailers followed suit. We brought charges against Iranian hackers who hacked several U.S. companies, including HBO. If those hackers travel, we will arrest them and bring them to justice. We also indicted Russian hackers and a Canadian acting in concert with them. A few weeks ago, we charged three Chinese nationals for hacking, theft of trade secrets and identity theft. There will almost certainly be more indictments to come.

The Yahoo case, which is backed by impressive evidence, was based on evidence gathered under Obama, from whose Administration Bossert claims to have made a break.

And this kind of bullshit — in an op-ed allegedly focused on North Korea — is worthy of David Frum playing on a TRS-80.

Going forward, we must call out bad behavior, including that of the corrupt regime in Tehran.

Especially ending as it does with a thinly disguised call for war.

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

I mean, maybe dirt poor North Korea really did build malware designed not to make money. But this is not the op-ed to credibly make that argument.

Photo: Andy Brunner via unsplash

10 Years of emptywheel: Many Happy Rabbit Holes

Wow, it’s been ten years! Time sure flies when you’re having fun — and yes, some of us have a rather perverse sense of amusement, editors, contributors, and readers alike.

I’ve always enjoyed falling into yawning ‘rabbit holes’ begging for investigation. It’s often as frustrating as chasing an actual zippy white rabbit, the target evading capture. But following the trail, finding new leads, seeing the prey so far and so near — it can be exhilarating. Or it can be incredibly exasperating. No two investigative searches are ever the same, and emptywheel has offered some intense and heady chases over its ten years here.

Unlike the rest of my fellows here at emptywheel, I don’t have a Top 10 favorite posts. I do have three things which I am happy I had a chance to post here — my four-part series for The Angry Left, the timeline on Flint’s Water Crisis, and the post I wrote this past spring on WannaCry.

~ 3 ~

The Angry Left series was originally posted at Firedoglake but it needed to be revisited; it needs revisiting again even now as we work toward a revitalization of civics during resistance. Many new political groups have emerged, operating in parallel with the existing political parties. Their members need institutional knowledge from past organizing efforts to avoid making the mistakes of the past to become a more effective political force.

~ 2 ~

Flint’s Water Crisis timeline isn’t complete and remains a work in progress; there are a number of pieces still needed, and much of them come from this site’s community members who offered them in comments (I’m looking at you, harpie, especially — thank you). But even in its current condition, the timeline demands answers: what city and state officials were involved in the key decision on the night before the cutover, when Detroit’s water system made a last-ditch offer by email with a rate cheaper than the new Karegnondi pipeline’s water? Why was a pipeline to Saginaw, ~30 miles north, never suggested or evaluated, instead of the ~60-mile-long Karegnondi? How many Flint-originated cases of Legionnaires’ disease actually affected the state of Michigan besides the 12 known deaths in 2014-2015?

A new question emerged recently: why does Michigan’s attorney general Bill Schuette think he stands a chance as a gubernatorial candidate after failing to hold Governor Rick Snyder and his office accountable for the poisoning of an entire city, let alone failing to protect their interests before the poisoning began? Why has the state failed residential property owners in Flint after their property values crashed thanks to Snyder’s crappy governance?

The timeline was personal, too; my oldest adult child lived in Flint during the first two years of the water crisis, suffering a number of unusual health problems after the city’s water supply was cut over to the Flint River. We don’t know if or when health risks from exposure will end, for my eldest or the hundreds of children and their families who lived and continue to live in Flint.

~ 1 ~

This WannaCry post still haunts me; there are open questions which beg for answers, threats still hanging over head — this is one of the rabbits which has slipped away yet teases me to this day.

~ 0 ~

What do you think was the best of this ten years of emptywheel? Share your favorites in comments; we’d love to hear what you’ve found most interesting, educational, worthwhile.

And if you can afford it, please chip in to help keep the work you enjoy at emptywheel as independent as it has been this last ten years. We don’t take advertising dollars; this is a labor of love for our team of contributors. But bandwidth, server space, software maintenance and development cost money, and the more important our work is, the more likely it is to need more bandwidth and additional security to keep our work online, uninterrupted.

Thank you for making this ten years so worthwhile. We hope we’ll continue to see you in comments into the future at emptywheel.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Companies Victimized by Repurposed NSA Tools Don’t Share Those Details with Government

Reporting on an appearance by acting DHS undersecretary for the National Protection and Programs Directorate Christopher Krebs, CyberScoop explains that the government only heard from six victims of the WannaCry and NotPetya ransomware outbreaks (two known major victims are Maersk shipping, which had to shut down multiple terminals in the US, and the US law firm DLA Piper).

Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents came from an absence of reports from businesses who were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.

The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.

Collecting data from victim organizations was important, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses

The rest of the story explains that private companies are generally reluctant to share details of being a ransomware victim (particularly if a company pays the ransom, there are even legal reasons for that).

But it doesn’t consider another factor. If a cop left his gun lying around and some nutjob stole the gun and killed a kid with it, how likely is that family going to trust the cop in question, who indirectly enabled the murder?

The same problem exists here. Having proven unable to protect its own powerful tools (this is more a factor in WannaCry than NotPetya, though it took some time before people understood that the latter didn’t rely primarily on the NSA’s exploit), the government as a whole may be deemed less trustworthy on efforts to respond to the attack.

Whether that was the intent or just a handy side benefit for the perpetrators of WannaCry (and of Shadow Brokers, who released the exploit) remains unclear. But the effect is clear: attacking people with NSA tools may undermine the credibility of the government, and in the process, its ability to respond to attacks.

EO 12333 Sharing Will Likely Expose Security Researchers Even More Via Back Door Searches

At Motherboard, I have piece arguing that the best way to try to understand the Marcus Hutchins (MalwareTech) case is not from what we see in his indictment for authoring code that appears in a piece of Kronos malware sold in 2015. Instead, we should consider why Hutchins would look different to the FBI in 2016 (when the government didn’t arrest him while he was in Las Vegas) and 2017 (when they did). In 2016, he’d look like a bit player in a minor dark market purchase made in 2015. In 2017, he might look like a guy who had his finger on the WannaCry malware, but also whose purported product, Kronos, had been incorporated into a really powerful bot he had long closely tracked, Kelihos.

Hutchins’ name shows up in chats obtained in an investigation in some other district. Just one alias for Hutchins—his widely known “MalwareTech”—is mentioned in the indictment. None of the four or more aliases Hutchins may have used, mostly while still a minor, was included in the indictment, as those aliases likely would have been if the case in chief relied upon evidence under that alias.

Presuming the government’s collection of both sets of chat logs predates the WannaCry outbreak, if the FBI searched on Hutchins after he sinkholed the ransomware, both sets of chat logs would come up. Indeed, so would any other chat logs or—for example—email communications collected under Section 702 from providers like Yahoo, Google, and Apple, business records from which are included in the discovery to be provided in Hutchins’ case in FBI’s possession at that time. Indeed, such data would come up even if they showed no evidence of guilt on the part of Hutchins, but which might interest or alarm FBI investigators.

There is another known investigation that might elicit real concern (or interest) at the FBI if Hutchins’s name showed up in its internal Google search: the investigation into the Kelihos botnet, for which the government obtained a Rule 41 hacking warrant in Alaska on April 10 and announced the indictment of Russian Pyotr Levashov in Connecticut on April 21. Eleven lines describing the investigation in the affidavit for the hacking warrant remain redacted. In both its announcement of his arrest and in the complaint against Levashov for operating the Kelihos botnet, the government describes the Kelihos botnet loading “a malicious Word document designed to infect the computer with the Kronos banking Trojan.”

Hutchins has tracked the Kelihos botnet for years—he even attributes his job to that effort. Before his arrest and for a period that extended after Levashov’s arrest, Hutchins ran a Kelihos tracker, though it has gone dead since his arrest. In other words, the government believes a later version of the malware it accuses Hutchins of having a hand in writing was, up until the months before the WannaCry outbreak—being deployed by a botnet he closely tracked.

There are a number of other online discussions Hutchins might have participated in that would come up in an FBI search (again, even putting aside more dated activity from when he was a teenager). Notably, the attack on two separate fundraisers for his legal defense by credit card fraudsters suggests that corner of the criminal world doesn’t want Hutchins to mount an aggressive defense.

All of which is to say that the FBI is seeing a picture of Hutchins that is vastly different than the public is seeing from either just the indictment and known facts about Kronos, or even open source investigations into Hutchins’ past activity online.

To understand why Hutchins was arrested in 2017 but not in 2016, I argue, you need to understand what a back door search conducted on him in May would look like in connection with the WannaCry malware, not what the Kronos malware looks like as a risk to the US (it’s not a big one).

I also note, however, that in addition to the things FBI admitted they searched on during their FBI Google searches — Customs and Border Protection data, foreign intelligence reports, FBI’s own case files, and FISA data (both traditional and 702) — there’s something new in that pot: data collected under EO 12333 shared under January’s new sharing procedures.

That data is likely to expose a lot more security researchers for behavior that looks incriminating. That’s because FBI is almost certainly prioritizing asking NSA to share criminal hacker forums — where security researchers may interact with people they’re trying to defend against in ways that can look suspicious if reviewed out of context. That’s true, first of all, because many of those forums (and other dark web sites) are overseas, and so are more accessible to NSA collection. The crimes those forums facilitate definitely impact US victims. But criminal hacking data — as distinct from hacking data tied to a group that the government has argued is sponsored by a nation-state — is also less available via Section 702 collection, which as far as we know still limits cybersecurity collection to the Foreign Government certificate.

If I were the FBI I would have used the new rules to obtain vast swaths of data sitting in NSA’s coffers to facilitate cybersecurity investigations.

So among the NSA-collected data we should expect FBI newly obtained in raw form in January is that from criminal hacking forums. Indeed, new dark web collection may have facilitated FBI’s rather impressive global bust of several dark web marketing sites this year. (The sharing also means FBI will no longer have to go the same lengths to launder such data it obtains targeting kiddie porn, which it appears to have done in the PlayPen case.)

As I think is clear, such data will be invaluable for FBI as it continues to fight online crime that operates internationally. But because back door searches happen out of context, at a time when the FBI may not really understand what it is looking at, it also risks exposing security researchers in new ways to FBI’s scrutiny.