Bamford’s Silence about How Maria Butina Got Thrown Back into Solitary

A number of people have asked me what I make of this piece from James Bamford, pitching the case against Maria Butina as a grave injustice, just after Paul Erickson (who may be the real intended beneficiary of this piece) was charged in the first of what is likely to be two indictments, and as the government extends her cooperation by two weeks.

There are parts that are worthwhile — such as his argument that because Butina didn’t return a bragging email from JD Gordon, it suggests she wasn’t trying to recruit him.

There are other parts I find weak.

Bamford oversells the degree to which the press sustained the serial honeypot angle — after all, some of us were debunking that claim back in September, when he appears to have been silent — without mentioning the fact that Butina first started proffering cooperation with prosecutors, presumably against Paul Erickson and George O’Neill, on September 26. The word “visa” doesn’t appear in the article’s discussion of Butina’s status as a grad student, leaving unrebutted the government’s claim that Butina chose to come to the US as a student because it provided travel privileges that served her influence operation. Bamford (who hasn’t covered the Mueller investigation) grossly overstates the significance of Mueller’s choice not to integrate Butina’s case into his own investigation. He also falsely treats all counterintelligence investigations into Russia as one ongoing investigation (see this post for my ongoing complaints about virtually everyone doing the same). He suggests that Butina will need to be traded for Paul Nicholas Whelan, when the government has already said she’ll be deported once she serves her sentence (which will likely be time served). He quotes Putin’s interest in Butina’s case, without noting that Russia has only shown the interest they showed in her in one other defendant, Yevgeniy Nikulin. And those are just a few of the details with which I take issue.

But these passages, in particular, strike me as problematic.

Since August 17, Butina has been housed at the Alexandria Detention Center, the same fortresslike building that holds Donald Trump’s former campaign manager, Paul Manafort. On November 10, she spent her 30th birthday in solitary confinement, in cell 2F02, a seven-by-ten-foot room with a steel door, cement bed, and two narrow windows, each three inches wide. She has been allowed outside for a total of 45 minutes. On December 13, Butina pleaded guilty to conspiracy to act as an unregistered agent of the Russian Federation. She faces a possible five-year sentence in federal prison.

[snip]

On November 23, 2018, Butina went to sleep on a blue mat atop the gray cement bed in her cell, her 81st day in solitary confinement. Hours later, in the middle of the night, she was awakened and marched to a new cell, 2E05, this one with a solid steel door and no food slot, preventing even the slightest communication. No reason was given, but her case had reached a critical point.

That’s true not just for the way Bamford obscures the timeline here — suggesting she was always in solitary — but because by obscuring that timeline, Bamford serves to hide that it was Bamford’s own communications with and about Butina that got her thrown back into solitary.

Butina’s lawyers laid out her protective custody status in a filing on November 27.

In addition to general population prisoners, the Alexandria detention center houses federal detainees awaiting trial before this court in “administrative segregation,” more commonly known as solitary confinement. This form of restrictive housing is not a disciplinary measure, but is purportedly used by corrections personnel to isolate inmates for their own protection or the safe operation of the facility.

[snip]

Between her commitment at the Correctional Treatment Facility in Washington, DC and then Alexandria detention center, Ms. Butina has been isolated in solitary confinement for approximately 67 days straight. Despite a subsequent release into general population that came at the undersigned’s repeated requests, correctional staff reinstated her total isolation on November 21, 2018 although no infraction nor occurrence justified the same.

The timeline they lay out makes it clear Butina was in protective custody from July 15 to around September 21, but then placed in the general population. The timeline is absolutely consistent with Butina agreeing to cooperate in order to get placed in general population (the motion to transport her was submitted September 21, so at the same time she was placed in the general population). The fact that the government uses solitary to coerce cooperation from prisoners deserves condemnation, and that definitely seems to have been at play here.

But even at a time she had active orders to be transported for cooperation (the court authorized a second request for transfer from late October through the time she pled guilty), Butina was placed back in solitary. The timeline her defense attorneys lay out, however, suggests that Bamford was incorrect in stating she was in solitary on her birthday on November 10. She wasn’t moved back to solitary until November 21.

On the afternoon of November 21, 2018, counsel received a never-before urgent phone call from a jailhouse counselor regarding Ms. Butina. The basis for that call was her return to solitary confinement. The undersigned called Chief Joseph Pankey and Captain Craig Davie in Alexandria in response. After conferring with them, however, it has become clear that the facility’s use of administrative segregation is a false pretext to mask an indefinite solitary confinement that is unjust and without cause.

Staff purported to base their decision to segregate on Ms. Butina referring a fellow inmate to her lawyers (that is, she gave her lawyers’ phone number to a fellow inmate), but staff did not find a disciplinary violation—major or minor. Chief Pankey and Captain Davie then resorted to the decision being “for her safety,” knowing that administrative segregation disallows an appeal internally.

As of the date of this filing, Ms. Butina has now been in solitary confinement for 22 hours a day for 6 consecutive days with no prospective release date. According to at least one deputy, the move to solitary confinement has also not been entered into the Alexandria detention center computer system, and Ms. Butina’s status is disclosed only by a piece of tape with handwriting attached to the guard stand.

And that’s important because of a detail that Bamford remains utterly silent about.

As laid out in a hearing transcript, around that time, the government recorded calls from Butina to “certain journalists” suggesting the journalist consult someone who had her lawyers’ first name.

DRISCOLL: The conflict raised by the government, I think the government does not think there’s been any violation of order by defense counsel, but due to circumstances regarding recorded calls that the government had of Ms. Butina and to certain journalists, the government raised the concern to us; and we wanted to raise it with the Court so that there would be no question when the plea is entered that the plea is knowing and voluntary, and we wanted to kind of preemptively, if necessary, get Ms. Butina separate counsel briefly to advise her on her rights, to make sure that she got her constitutional right to conflict-free advice.

[snip]

MR. KENERSON: The basic nature of the potential conflict is that this Court, I think, issued in an order back in September regarding Local Rule 57.7. The government has some jail calls from Ms. Butina in which she is talking to a reporter numerous times on those calls. She makes some references on those calls to individuals who could be — we don’t know that they’re defense counsel, but shares first name with defense counsel potentially acting as go-between at a certain point. That’s part one of the potential conflict. Part two is —

THE COURT: Wait. So, wait. Stop. Part one is a potential conflict. Do you see a conflict because you believe she’s acting at the behest of her attorneys or as a conduit for her attorneys to violate the Court’s order?

MR. KENERSON: It’s — someone viewing that in the light least favorable to defense counsel might be able to argue that this is some quantum of evidence that defense counsel possibly were engaged in assisting Ms. Butina in violating the Court’s order.

THE COURT: All right. But that goes to whether counsel, with the aid of his client, violated my — and I’ll use the colloquial term for it, my “gag order.” How does that go to — and maybe you’ll tell me; I cut you off. But how does that go to the voluntariness of her plea?

MR. KENERSON: So if there is an allegation that defense counsel assisting her somehow in violating the, again, to use the colloquial term the “gag order,” that would give defense counsel a reason to want to basically plead the case to avoid that potential violation from becoming public. And curry favor with the government.

Driscoll went on to explain why his client was talking to a journalist with whom she had a friendship that “predates all of this” in spite of her being subject to a gag order.

The circumstances, just so the Court’s aware, Ms. Butina has a friendship with a particular journalist that predates all of this. The journalist was working on a story about Ms. Butina prior to any of this coming up, prior to her Senate testimony, prior to her arrest, and had numerous on-the-record conversations with her prior to any of this happening. At the time the gag order was entered, I took the step of informing the journalist that, although he could continue to talk to Ms. Butina, he could not use any of their post gag-order conversations as the basis for any reporting, and the journalist has not, in any event, made any public statement or done any public reporting on the case to date.

Bamford’s own description of “a number of long lunches starting last March at a private club in downtown Washington, D.C.” makes it clear he is the journalist in question.

Judge Chutkan was none too impressed with Driscoll’s advice.

THE COURT: Well, putting aside the questionable advisability of having your client talk to a reporter while she is pending trial and there’s a gag order present — and I understand you told the reporter that they couldn’t make any public statements, but as a former criminal defense attorney myself, I find that curious strategy.

Now, to be clear: Bamford never did publish anything on Butina during the period when the gag was in place (Chutkan lifted the gag on December 21). Even if Bamford had published something during that period, so long as Bamford did respect Driscoll’s advice that their ongoing conversations should be off the record, there was nothing Bamford could publish that would directly reflect her own statements.

And there’s very good reason to question whether the government threw Butina back into solitary because Bamford was reporting on her treatment. That is, it’s not outside the realm of our criminal justice system that Butina was placed back in solitary because a reporter had been tracking her case since before the investigation became public.

Instead of laying out the case for that, however, Bamford instead hides his own role in the process.

To be honest, I think the story is better understood as one about Paul Erickson and not Maria Butina. This story won’t help her at sentencing — that’s going to be based on her cooperation, not what a journalist who has already antagonized the government says about her. But it may help to spin Erickson and George O’Neill’s interest, as well as that of the NRA.

The public record certainly sustains the case that the government used solitary to induce Butina to cooperate — presumably to cooperate against Erickson and O’Neill. That certainly merits attention.

But then the government also used solitary to cut off Butina’s communications with Bamford himself. If it’s this story the government was retaliating against, Bamford should say that, rather than obscuring it.

This is a story about America’s reprehensible use of solitary confinement. But it doesn’t explain a key part of that process here. Given that the story seems to most benefit Erickson, I find that silence remarkable.

Someone Has Already Been Charged for Most of the Actions the Steele Dossier Attributes to Michael Cohen

Because of a McClatchy story claiming two new details corroborating a Steele dossier claim that Michael Cohen had a meeting with people serving the interests of Putin’s Administration, people have gotten themselves into a tizzy again about what a smoking gun it would be if the allegations in the Steele dossier were proven true.

It’s an utterly bizarre tizzy, both because the allegations in the Steele dossier don’t match some more damning allegations Cohen has already pled guilty to, and because Mueller has already charged other people for some of the allegations about Cohen made in the dossier. In other words, the McClatchy story has people excited about the wrong allegations, rather than focusing on the damning things Cohen (and others) have already been charged with.

Indeed, most functional allegations made in the Steele dossier have already been publicly explained in either court filings or sworn testimony. That doesn’t rule out that Cohen had a role in some of them, however. Indeed, one detail from Cohen’s SDNY plea — that among the things Trump Organization reimbursed Cohen for in January 2017 was a $50,000 payment to a tech services company — actually could confirm a detail made in the dossier. But generally, Mueller and other entities have already explained away many of the allegations made against Cohen in the dossier.

I’ve put the substantive claims the Steele dossier made about Cohen below. I’ll take each and show public reporting that explains who did something attributed to Cohen in the dossier.

Cohen met with Russian Presidential Administration Legal Department officials

The central allegation involving Cohen is that he met with people from Putin’s Presidential Administration’s legal department or, in a later version, someone acting on their behalf.

By the time that allegedly happened in August or maybe September, however, Cohen had already established a paper trail with someone more central than some anonymous lawyers. Cohen’s Mueller plea describes Cohen receiving an email on January 20, 2016 from Dmitry Peskov’s personal assistant and shortly thereafter calling her. Somehow Mueller knows that the assistant “asked detailed questions and took notes.” The day after Cohen spoke with the personal assistant, someone from Putin’s office called Felix Sater.

Given that Cohen made reservations to travel to St. Petersburg (for a possible meeting directly with Putin) on June 9, then canceled those reservations on June 14 (after Russia’s role in the DNC hack was made public), those communications about a Trump Tower deal surely tie to the hack-and-leak operation.

It’s certainly possible that, later in the summer (or in the fall, during Cohen’s known trips to London), Cohen would attempt to reschedule that meeting, though the purpose was originally and probably would remain more central to a quid pro quo trading a Trump Tower and election assistance for sanctions relief and policy considerations. But having already exchanged easily collectable communications directly with Peskov’s office (whom the dossier calls “the main protagonist” in the operation), it’s not clear how helpful using Rossotrudnichestvo would be to hide the Trump role. Furthermore, there are other known cut-outs for related matters, including Steele dossier source Sergei Millian and the Agalarovs.

Cohen aimed to contain the Paul Manafort scandal

The three Cohen reports in October all claim that Cohen got involved to tamp down scandals connecting Trump to Russia. That’s not, at all, far-fetched. After all, Cohen was Trump’s fixer and he told a bunch of lies to Congress in an effort to hide Trump’s Moscow Project.

That said, a filing explaining why Mueller might have to mention the Trump campaign in Manafort’s aborted DC trial and a filing in Alex Van der Zwaan’s prosecution show that Manafort and Rick Gates themselves — with the direct involvement of Oleg Deripaska associate Konstantin Kilimnik — worked to contain this scandal.

As Mueller laid out in numerous ways, the Manafort-Gates-Kilimnik team went on a crime spree in the fall trying to cover up their past activities with Russian-backed oligarchs.

Indeed, that a claim that Cohen managed this pushback (and its timing) appeared in the dossier is particularly tantalizing for two reasons. First, one of the things Manafort reportedly lied about after agreeing to cooperate with Mueller pertained to a boat trip he took with Tom Barrack; Mueller seems to know that Kilimnik joined the two men. If that happened, then it would show that someone did indeed hold a meeting in August to contain the damage of Manafort’s burgeoning scandals, but that meeting would have been between a key Trump funder, Manafort himself, and someone suspected of ongoing ties with GRU, the agency that conducted the DNC hack.

More intriguing still, as I noted above, Kilimnik was Manafort’s go-between with Oleg Deripaska. That’s interesting because in 2016, Christopher Steele was attempting to convince DOJ’s Bruce Ohr that Deripaska could be a useful source on Russian organized crime. If Steele thought Deripaska would be a useful source for DOJ, he may well have been relying on Deripaska himself. If so, the report that Cohen (who in fact did have communications with Peskov!) was containing the damage of Manafort’s ties to Russian oligarchs might be an attempt to distract from the way that a Russian oligarch was actually working through his handler, Kilimnik, to minimize that damage himself.

Cohen aimed to contain the Carter Page scandal

It likewise seems unlikely that Cohen was the one to try to contain the Carter Page scandal. While he shouldn’t be relied on for anything, several claims in Page’s testimony to HPSCI provide an alternate explanation about who was containing the scandal tied to him.

Page denied ever speaking to Cohen.

But he did describe Keith Kellogg discussing the allegations with him. And he did describe Steve Bannon, both by himself and with the assistance of Trump’s election law firm, Jones Day, trying to minimize the Page scandal.

That’s consistent with a number of on-the-record claims from the campaign in the days following Page’s resignation in September. Which is to say, minimizing the Page scandal fell to the campaign itself.

The people who carried out the information operation had been paid by Russia and Trump

The three initial reports on Cohen came, in suspiciously quick succession, in October, after the number of reporters briefed on the Steele dossier started to expand.

The one other report implicating Cohen was the December 13 report, based on intelligence Steele claimed he obtained for “free.”

The report is most notable for the legal battle it caused. The allegations most clearly resemble what Adrian Chen had identified and attributed to the Internet Research Agency a year earlier, and there had been extensive reporting on it all through the campaign. But instead of blaming Internet Research Agency, the report blames all that on Webzilla. And Webzilla’s owner, Aleksei Gubarev, was sufficiently comfortable facing the prospect of discovery to sue BuzzFeed right away (though he lost his lawsuit a few weeks back).

There’s another reference in the report to a long debunked claim made by the Russians — that a Romanian hacker was involved, presumably an allusion to Guccifer 2.0’s half-hearted claim to be Romanian.

Still, much of that last report instead presented the most inflammatory claim in the entire dossier: that Trump’s campaign had helped pay for the information operation targeting Hillary.

On its face, that claim makes zero sense. The scenario as a whole assumes that the hack was done by independent hackers coerced to work for the FSB — perhaps people like Yevgeniy Nikulin, who had already been arrested in Prague by this point. As far as Mueller has shown publicly, however, the information operation was instead done by two entities: Russians in the employ of Putin crony Yevgeniy Prigozhin’s Internet Research Agency and officers in the employ of Russia’s military intelligence agency, GRU. In indictments of both conspirators, Mueller provided details about how the money was handled.

So we’ve already got explanations for how the information operation was funded: by Prigozhin and the Russian state, using a range of money laundering techniques to hide Russia’s role. We even have evidence that — contrary to the claim about information warriors’ loyalty to Sergei Ivanov — Prigozhin’s employees even sucked up to him in one of their dry runs getting Americans to perform IRL actions.

Cohen arranged deniable cash payments to hackers working in Europe against the Clinton campaign

As noted, the December report involving Cohen made the most incendiary claim of all: that the Trump organization planned to pay for some of the hackers that targeted Hillary.

In spite of the fact that Mueller has already explained how the two main groups of participants in the information operation got funded, this allegation gets more interesting given details laid out in Cohen’s SDNY plea. Several of his SDNY crimes, after all, involved making deniable payments, in that case to Stormy Daniels and Karen McDougal.

That shows Cohen’s modus operandi for paying off Trump’s illicit debts. Mind you, it shows that he didn’t use cash. He laundered the funds using more sophisticated money laundering. But it does show that Cohen was the guy who did that kind of thing.

Which makes this detail included — but not explained — in the same plea document intriguing.

Cohen paid some tech company $50,000 in connection with the campaign.

That’s not a whole lot of money, in any case. And if it went to pay off part of the information operation, it would have to have involved some part of the operation not yet publicly identified. Even the one known instance of Trump supporters reaching out to hackers in Europe — Peter Smith’s reported consultation of Weev — is known to have been paid for by other means (in that case, Smith’s own fundraising).

Still, it’s certainly possible that that $50,000 went to some still unidentified entity that played a role in the information operation that, for some reason, didn’t get paid for by Putin’s cronies or the Russian state.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.


18 October

Speaking separately to the same compatriot in mid-October 2016, a Kremlin insider with direct access to the leadership confirmed that a key role in the secret TRUMP campaign/Kremlin was being played by the Republican candidates personal lawyer Michael COHEN. [redacted line]

19 October

1. Speaking in confidence to a longstanding compatriot friend in mid-October 2016, a Kremlin insider highlighted the importance of Republican presidential candidate Donald TRUMP’s lawyer, Michael COHEN, in the ongoing secret liaison relationship between the New York tycoon’s campaign and the Russian leadership. COHEN’s role had grown following the departure of Paul MANNAFORT as campaign manager in August 2016. Prior to that MANNAFORT had led for the TRUMP side.

2. According to the Kremlin insider, COHEN now was heavily engaged in a cover up and damage limitation operation in the attempt to prevent the full details of relationship with Russia being exposed. In pursuit of this aim, COHEN had met secretly with several Russian Presidential Administration (PA) Legal Department officials in an EU country in August 2016. The immediate issues had been to contain further scandals involving MANNAFORT’s commercial and political role in Russia/Ukraine and to limit the damage arising from exposure of former TRUMP foreign policy advisor, Carter PAGE’s secret meetings with Russian leadership figures in Moscow the previous month. The overall objective had been to “to sweep it all under the carpet and make sure no connections could be fully established or proven”

3. Things had become even “hotter” since August on the TRUMP-Russia track. According to the Kremlin insider, this had meant that direct contact between the TRUMP team and Russia had been farmed out by the Kremlin to trusted agents of influence working in pro-government policy institutes like that of Law and Comparative Jurisprudence. COHEN however continued to lead for the TRUMP team.

[snip]

The Kremlin insider was unsure of the identities of the PA officials with whom COHEN met secretly in August, or the exact date/s and locations of the meeting/s. There were significant internal security barriers being erected in the PA as the TRUMP issue became more controversial and damaging. However s/he continued to try to obtain these.

20 October

1. Speaking to a compatriot and friend on 19 October 2016, a Kremlin insider provided further details of reported clandestine meeting/s between Republican presidential candidate, Donald lawyer Michael COHEN and Kremlin representatives in August 2016. Although the communication between them had to be cryptic for security reasons, the Kremlin insider clearly indicated to his/her friend that the reported contact/s took place in Prague, Czech Republic.

2. Continuing on this theme, the Kremlin insider highlighted the importance of the Russian parastatal organisation, Rossotrudnichestvo, in this contact between TRUMP campaign representative/s and Kremlin officials. Rossotrudnichestvo was being used as cover for this relationship and its office in Prague may well have been used to host the COHEN Russian Presidential Administration (PA) meeting/s. It was considered a “plausibly deniable” vehicle for this, whilst remaining entirely under Kremlin control.

3. The Kremlin insider went on to identify leading pro-PUTIN Duma figure, Konstantin KOSACHEV (Head of the Foreign Relations Committee) as an important figure in the TRUMP campaign-Kremlin liaison operation. KOSACHEV, also “plausibly deniable” being part of the Russian legislature rather than executive, had facilitated the contact in Prague and by implication, may have attended the meeting/s with COHEN there in August.

Company Comment

We reported previously, in our Company Intelligence Report 2016/135 of 19 October 2016 from the same source, that COHEN met officials from the PA Legal Department clandestinely in an EU country in August 2016. This was in order to clean up the mess left behind by western media revelations of TRUMP ex-campaign manager corrupt relationship with the former pro-Russian YANUKOVYCH regime in Ukraine and TRUMP foreign policy advisor, Carter secret meetings in Moscow with senior regime figures in July 2016. According to the Kremlin advisor, these meeting/s were originally scheduled for COHEN in Moscow but shifted to what was considered an operationally “soft” EU country when it was judged too compromising for him to travel to the Russian capital.

13 December

1. We reported previously (2016/135 and /136) on secret meeting/s held in Prague, Czech Republic in August 2016 between then Republican presidential candidate Donald TRUMP’s representative, Michael COHEN and his interlocutors from the Kremlin working under cover of Russian ‘NGO’ Rossotrudnichestvo.

2. [two lines redacted] provided further details of these meeting/s and associated anti- CLINTON/Democratic Party operations. COHEN had been accompanied to Prague by 3 colleagues and the timing of the visit was either in the last week of August or the first week of September. One of their main Russian interlocutors was Oleg SOLODUKHIN operating under Rossotrudnichestvo cover. According to [redacted] the agenda comprised questions on how deniable cash payments were to be made to hackers who had worked in Europe under Kremlin direction against the CLINTON campaign and various contingencies for covering up these operations and Moscow’s secret liaison with the TRUMP team more generally.

3. [redacted] reported that over the period March-September 2016 a company called XBT/Webzilla and its affiliates had been using botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct “altering operations” against the Democratic Party leadership. Entities linked to one Aleksei GUBAROV were involved and he and another hacking expert, both recruited under duress by the FSB, Seva KAPSUGOVICH, were significant players in this operation. In Prague, COHEN agreed contingency plans for various scenarios to protect the Operation, but in particular what was to be done in the event that Hillary CLINTON won the presidency. It was important in this event that all cash payments owed were made quickly and discreetly and that cyber and other operators were stood down/able to go effectively to ground to cover their traces. (We reported earlier that the involvement of political operatives Paul MANAFORT and Carter PAGE in the secret TRUMP-Kremlin liaison had been exposed in the media in the run-up to Prague and that damage limitation of these also was discussed by COHEN with the Kremlin representatives).

In terms of practical measures to be taken, it was agreed by the two sides in Prague to stand down various “Romanian hackers” (presumably based in their homeland or neighboring eastern Europe) and that other operatives should head for a bolt-hole in Plovdiv, Bulgaria where they should “lay low”. On payments, IVANOV’s associate said that the operatives involved had been paid by both TRUMP’s team and the Kremlin, though their orders and ultimately loyalty lay with IVANOV, as Head of the PA and thus ultimately responsible for the operation, and his designator successor/s after he was dismissed by president PUTIN in connection with the anti-CLINTON operation in mid August.

The Universe of Hacked and Leaked Emails from 2016: DNC Emails

When Mueller’s team released George Papadopoulos’ plea deal last year, I noted that the initial denials that Papadopoulos had advance warning of the emails the Russians were preparing to hack and leak did not account for the entire universe of emails known to have been stolen. A year and several Mueller indictments later, we still don’t have a complete understanding of what emails were being dealt when. Because that lack of understanding hinders understanding what Mueller might be doing with Roger Stone, I wanted to lay out what we know about four sets of emails. This series will include posts on the following:

  • DNC emails
  • Podesta emails
  • DCCC emails
  • Emails Hillary deleted from her server

The series won’t, however, account for two more sets of emails, anything APT 29 stole when hacking the White House and State Department in 2015, or anything released via the several FOIAs of the Hillary emails turned over to the State Department from her home server. It also won’t deal with the following:

  • Emails from two Hillary staffers who had their emails released via dcleaks
  • The emails of other people released by dcleaks, which includes Colin Powell, some Republican party officials (including some 2015 emails Peter Smith sent to the IL Republican party), and others with interests in Ukraine
  • A copy of the Democrats’ analytics program copied on AWS
  • The NGP/VAN file, which was not directly released by Guccifer 2.0, but is central to one of the skeptics’ theories about an alternative source other than Russia

DNC Emails

The “DNC emails” are generally thought of as the 44,000 emails WikiLeaks released on July 22, 2016. The GRU indictment describes the theft and conveyance of those emails this way:

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

[snip]

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc link1.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

On or about July 22, 2016, Organization 1 released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.

Raffi Khatchadourian (who has done as much work as anyone else on the known universe of emails) noted that by the time the July 14 exchange had happened, Julian Assange had already said he had emails and Guccifer 2.0 had already said he had shared them with WikiLeaks.

On June 12th, three days before the creation of Guccifer 2.0, Assange announced that he had a substantial trove of Clinton-related e-mails that were pending publication. Likewise, Guccifer 2.0 proclaimed, on its very first post on the WordPress site, “The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon.” Again and again, the G.R.U. officers tried to drive home this point—which, of course, was evidently the main point of creating the persona. “I sent a big part of docs to WikiLeaks,” Guccifer 2.0 told the editor of the Smoking Gun that same day. On June 17th, Guccifer 2.0 said in another e-mail, “I gave WikiLeaks the greater part of the files.” (For e-mail, the G.R.U. gave Guccifer 2.0 another fake identity: Stephan Orphan.)

In other words, both the G.R.U. and Assange appear to have confessed to the transmission and reception of a large trove of Clinton-related e-mails in mid-June, before Guccifer 2.0 was apparently created. The indictment does not address this. There is no way to say precisely what that trove was—if it was the Podesta archive given to WikiLeaks much earlier than is generally presumed, or the D.N.C. e-mails, or both, or something else. (There is also the possibility that both parties were not speaking truthfully.) But, if Assange did have the D.N.C. e-mails before Guccifer 2.0 was created, then the details in the indictment take on new meaning. Some version of the following may be true: it is mid-June, with the convention approaching, and Assange is about to release a bombshell, when he notices the sudden appearance of Guccifer 2.0, a “hacker” edging into his turf, inviting journalists to write in. So he writes in, asking for material that interests him. He has already gone through the D.N.C. e-mails and has recognized that the trove highlights conflict within the Democratic Party. He signals that he wants more on that specific issue. The G.R.U. is happy to comply, through its new cutout. Perhaps some of it overlaps with what the G.R.U. already provided, making Guccifer 2.0’s confessions literally accurate. Perhaps it is the same irrelevant dross that Guccifer 2.0 fed to others.

Last year, I visited Assange several times in the Ecuadorian Embassy in London. He often emphasized to me that the sourcing of his election publications was complex. I usually took this as a dodge. But the sourcing may indeed have been multilayered. There are many conceivable ways that G.R.U. officers could have provided e-mails to WikiLeaks before they created Guccifer 2.0. They could have used the WikiLeaks anonymous-submission system. They could have used a different fictitious online persona. They could have used a human intermediary. Last year, James Clapper told me, “It was done by a cutout, which of course afforded Assange plausible deniability.” In January, 2017, Clapper oversaw a formal intelligence assessment on Russian meddling. At the time, more than one news organization reported that a classified version of the assessment made clear that the intermediaries between the G.R.U. and WikiLeaks were already known. (Certainly, the intelligence community would also have been in possession of Guccifer 2.0’s Twitter D.M.s at that time, too.) One intelligence official, describing the report, indicated to Reuters last year that the e-mails relayed to WikiLeaks had followed a “circuitous route,” by a series of handoffs, on their journey from Moscow. Such a scenario seems to be at odds with the idea that Guccifer 2.0 merely sent WikiLeaks an encrypted link to download it all in one swoop.

An earlier Khatchadourian piece describes WikiLeaks experiencing some pressure to publish before the convention.

In early July, for example, Guccifer 2.0 told a Washington journalist that WikiLeaks was “playing for time.” There was no public evidence for this, but from the inside it was clear that WikiLeaks was overwhelmed. In addition to the D.N.C. archive, Assange had received e-mails from the leading political party in Turkey, which had recently experienced a coup, and he felt that he needed to rush them out. Meanwhile, a WikiLeaks team was scrambling to prepare the D.N.C. material. (A WikiLeaks staffer told me that they worked so fast that they lost track of some of the e-mails, which they quietly released later in the year.) On several occasions, and in different contexts, Assange admitted to me that he was pressed for time. “We were quite concerned about meeting the deadline,” he told me once, referring to the Democratic National Convention.

His original release date for the D.N.C. archive, he explained, was July 18th, the Monday before the Convention; his team missed the deadline by four days. “We were only ready Friday,” he said. “We had these hiccups that delayed us, and we were given a little more time—” He stopped, and then added, strangely, “to grow.”

Khatchadourian’s earlier mention of a July 18 deadline is quite interesting, given the response from WikiLeaks to a Guccifer 2.0 email, promising to publish that week, on the 18th.

Khatchadourian also describes WikiLeaks as doing significant work to verify the emails — more than they could have done in the time between July 14 and July 22.

Once they were in Assange’s hands, his overriding concern was to insure that they were genuine. “We had quite some difficulties to overcome, in terms of the technical aspects, and making sure we were comfortable with the forensics,” he recalled. As an Australian, he had only a vague grasp of the way the D.N.C. operated, which made deciphering the political significance of the e-mails difficult. “It’s like looking at a very complex Hieronymus Bosch painting from a distance,” he told me. “You have to get close and interact with it, then you start to get a feel.” Often, a first encounter with a WikiLeaks database submission can be overwhelming—as one former staffer told me, “My heart sinks a bit.”

To work on the material, Assange had to coördinate with operatives outside the building, and avoid surveillance inside it. “I have a lot of security issues in the Embassy,” he told me. “It’s not like you can be comfortable with your source material and read it.” He would not tell me how many people worked on the project, except that the number was small. “We’re all secret squirrels now,” he said.

All this raises questions about how much verification WikiLeaks did, and if instead this was a tale told to Khatchadourian, not to mention why they had confidence publishing them would not blow up on them.

Now, I have suggested that one possible second source of the emails — or at least one alternate explanation that Russia and WikiLeaks might claim that could provide GRU some plausible deniability — would be via the contents of email boxes stolen using passwords released just before the DNC hack from Yevgeniy Nikulin’s past hacks of LinkedIn and MySpace. Nikulin has utterly stalled his prosecution until February by refusing not only to cooperate with his defense (though he has had repeated contacts from Russian diplomatic officials), but also with a competency evaluation. So we won’t learn anything (and Nikulin won’t be coerced to cooperate) anytime soon as a result of his extradition to the US.

But, as part of an effort to track changes to WikiLeaks’ website and the DNC emails, Emma Best identified what at first appeared to be a change in one email but ultimately just revealed that the cache includes both the sent and received copies of some emails.

After pointing this out on Twitter and listing the 36 known instances, one user checked a copy of the DNC emails they had retrieved months before. They found what appeared to be a modification to the email – a missing piece of metadata that identified the internal IP address that sent the email. After several hours of searching and comparing five different caches of DNC emails, the difference was both confirmed and explained – WikiLeaks’ copy of the DNC emails comes from several accounts, which resulted in some duplicates in their cache. The internal message ID for the duplicates would be the same, but differences in metadata would appear based on whether the email was being sent or received, and in the case of the former what device and client was sending the emails. Since the x-originating-ip metadata which seemed to appear and then disappear is added by the server when it’s sent, it would naturally be missing from the sender’s copy of the email. This addresses the most alarming question regarding the DNC emails, but does nothing to address the rest.

There are reasons to believe that this means the email in question comes from the Microsoft Exchange server and not from someone’s own mailbox (Update: though I may be 100% wrong on this point). Which, if my speculation that WikiLeaks might invoke the Nikulin alternate theory is right, might still show Assange got the emails in one batch early on, but then published what he got via the delivery identified in the indictment and didn’t spend much time vetting that delivery.

Meanwhile, it’s crucial to note, as Khatchadourian does in his earlier piece, that emails Guccifer 2.0 claimed were DNC documents when he released them the day after the WaPo revealed the DNC had been hacked didn’t come from the DNC; those that have been identified came, instead, from John Podesta. It wasn’t until July 6 that the Guccifer 2.0 documents billed as DNC ones actually were.

But then, on July 6th, just before Guccifer 2.0 complained that WikiLeaks was “playing for time,” this pattern of behavior abruptly reversed itself. “I have a new bunch of docs from the DNC server for you,” the persona wrote on WordPress. The files were utterly lacking in news value, and had no connection to one another—except that every item was an attachment in the D.N.C. e-mails that WikiLeaks had. The shift had the appearance of a threat. If Russian intelligence officers were inclined to indicate impatience, this was a way to do it.

The notion that the Guccifer 2.0 persona may have — in addition to discrediting the WaPo article and providing a quick cover for the Russian attribution of the hack — served to pressure Assange to keep to some kind of July 18 deadline raises more stakes on that detail from the GRU indictment, but also may relate to the kind of signaling we saw elsewhere.

Update: I should have laid out some of the logic behind emails we’ve got. First, WikiLeaks has claimed that all the emails they have come from the “accounts” of seven identified people.

The leaks come from the accounts of seven key figures in the DNC: Communications Director Luis Miranda (10520 emails), National Finance Director Jordon Kaplan (3799 emails), Finance Chief of Staff Scott Comer (3095 emails), Finance Director of Data & Strategic Initiatives Daniel Parrish (1742 emails), Finance Director Allen Zachary (1611 emails), Senior Advisor Andrew Wright (938 emails) and Northern California Finance Director Robert (Erik) Stowe (751 emails).

Khatchadourian says they actually come from ten accounts.

The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.)

DNC automatically deleted emails after 30 days if they weren’t specifically saved (which is where this exfiltration estimate came from, which was off from the Mueller date by a week). Emails that precede the 30 day window (so April 19 or 25) or that weren’t part of one of the identified accounts may indicate another source.
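The two checks described above (duplicate copies that share a message ID but differ in metadata such as x-originating-ip, and messages dated before the 30-day retention window) can be run over any copy of a mail cache. The following is an added example, not code from this post or from anyone it cites; the sample messages, addresses, file names and the exfiltration date passed in are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample cache (file name -> raw message); not real DNC mail.
COMMON = (
    "Message-ID: <abc123@mail.example.org>\n"
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: Budget draft\n"
    "Date: Tue, 17 May 2016 10:15:00 -0400\n"
)
CACHE = {
    "sender_copy.eml": COMMON + "X-Mailer: ExampleClient 1.0\n\nBody.\n",
    "recipient_copy.eml": (
        "Received: from client.example.org (10.0.0.5) by mail.example.org;"
        " Tue, 17 May 2016 10:15:02 -0400\n"
        + COMMON + "X-Originating-IP: [10.0.0.5]\n\nBody.\n"
    ),
    "older.eml": (
        "Message-ID: <old999@mail.example.org>\n"
        "From: carol@example.org\n"
        "To: alice@example.org\n"
        "Subject: Saved thread\n"
        "Date: Fri, 1 Apr 2016 09:00:00 -0400\n\nBody.\n"
    ),
}
# Assumption: the analyst chooses which exfiltration date to test against.
EXFIL = datetime(2016, 5, 25, tzinfo=timezone.utc)


def headers_of(msg):
    """Map lowercased header name -> list of values (headers can repeat)."""
    out = defaultdict(list)
    for name, value in msg.items():
        out[name.lower()].append(" ".join(value.split()))  # unfold whitespace
    return dict(out)


def duplicate_groups(cache):
    """Return {message_id: [(file_name, message), ...]} for IDs seen twice or more."""
    groups = defaultdict(list)
    for name, raw in cache.items():
        msg = message_from_string(raw)
        mid = (msg.get("Message-ID") or "").strip()
        if mid:
            groups[mid].append((name, msg))
    return {mid: copies for mid, copies in groups.items() if len(copies) > 1}


def header_diff(a, b):
    """Header names that are missing from one copy or carry different values."""
    ha, hb = headers_of(a), headers_of(b)
    return sorted(k for k in set(ha) | set(hb) if ha.get(k) != hb.get(k))


def copy_kind(msg):
    """Heuristic from the explanation quoted above: the server adds
    X-Originating-IP on send, so the sender's own copy lacks it."""
    return "recipient-side copy" if msg.get("X-Originating-IP") else "sender-side copy"


def outside_retention(cache, exfil_date, retention_days=30):
    """File names whose Date precedes exfil_date minus the retention window."""
    cutoff = exfil_date - timedelta(days=retention_days)
    flagged = []
    for name, raw in cache.items():
        date_header = message_from_string(raw).get("Date", "")
        try:
            sent = parsedate_to_datetime(date_header)
        except (TypeError, ValueError):
            flagged.append(name)  # no usable Date header: review by hand
            continue
        if sent.tzinfo is None:  # treat a zone-less Date as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if sent < cutoff:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for mid, copies in duplicate_groups(CACHE).items():
        (name_a, a), (name_b, b) = copies[:2]
        print(mid, name_a, copy_kind(a), name_b, copy_kind(b), header_diff(a, b))
    print("outside retention window:", outside_retention(CACHE, EXFIL))
```

A message flagged by the retention check is a lead rather than a conclusion, since mail that was specifically saved survived past 30 days.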

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

How Yevgeniy Nikulin Might Play into the Mueller Investigation

For three reasons, Yevgeniy Nikulin, the Russian hacker alleged to be behind the massive LinkedIn and MySpace breaches, is in the news of late.

  • The report that Michael Cohen was tracked traveling from Germany to Czech Republic in 2016 has raised questions about whether both Cohen and Nikulin were in Prague at the same time, Mohammed Atta-like
  • Nikulin was suddenly extradited from Prague some weeks ago
  • His (Russian-provided) lawyer says he’ll entertain a plea deal

All of which provides a good opportunity to lay out what role he may have (or may be said to have) played in the DNC hack-and-leak.

The Michael Cohen in Prague story

The McClatchy report describing Robert Mueller receiving evidence of Cohen traveling from Germany to the Czech Republic at some unknown date in 2016 seems to derive from outside investigators who have shared information with Mueller, not from Mueller’s team itself (which is consistent with his locked down shop). As such, it falls far short of being a confirmation of a meeting, or even validation that Mueller has confirmed any intelligence shared with his investigators. Moreover, the report has little detail as to timing, either of the visit or when Mueller actually got this intelligence.

And while it took a bit of time (Cohen can be forgiven for the delay because he apparently has very urgent business hanging with his homies smoking cigars), he did deny this report, offering the same partial story he offered last year.

That said, given the claimed timing, any coincidental presence in Prague by both Cohen and Nikulin is unlikely. Cohen’s presence in Prague is said to have roughly aligned with that reported in the dossier, so August or September. According to the FBI’s arrest affidavit for Nikulin he passed from Belarus into Poland on October 1, 2016, and probably was still there when posting from Warsaw on October 3; Nikulin was arrested in Prague on October 5. So unless Cohen went to Prague during his known October 2016 trip to England (definitely a possibility, but inconsistent with the dossier reporting), then they would no more have met in Prague (or planned to) than Mohammed Atta and Iraq’s Ahmad Samir al-Ani did.

The sudden Nikulin extradition

That said, I do think the sudden Nikulin extradition, even as pro-Russian Czech President Milos Zeman fought with Czech Justice Minister Robert Pelikan over it — even to the point of threatening to replace him — is worth noting. That’s true, first of all, because it appears Paul Ryan — purportedly on vacation with his family, but making appearances with everyone but Zeman — had a hand in it.

During a visit to the Czech Republic, U.S. House Speaker Paul Ryan said on March 27 that “we have every reason to believe and expect that Mr. Nikulin will be extradited to America.”

“The United States has the case to prevail on having him extradited, whether it’s the severity of the crime, which is clearly on the side of U.S., or the timing of the request for the extradition,” he told reporters.

In an interview with RFE/RL in Prague on March 26, Ryan said that the “case for extraditing [Nikulin] to America versus Russia is extremely clear.”

Ryan, who met with Prime Minister Andrej Babis and other Czech officials during his visit, told RFE/RL that he would raise the issue in those talks.

“He did violate our laws, he did hack these companies…. So the extradition claim is very legitimate,” he said. “And I just expect that the Czech system will go through its process, and at the end of that process, I am hopeful and expecting that he’ll be extradited.”

Nikulin was extradited just days later, even as the decision looked like it would be reviewed.

Zeman has since made very bizarre comments criticizing Ryan for his involvement.

Zeman said he had a different view of the Nikulin case than Justice Minister Robert Pelikan (ANO), who had given consent to the extradition of this Russian citizen to the USA, but that he fully respected the minister’s right to decide on this matter.

Apart from the United States, Russia was seeking Nikulin’s extradition, too, based on a suspected online theft.

“When Donald Trump was elected American president, (U.S. House of Representatives Speaker Paul) Ryan wore a black tie. The same Mr Ryan arrived in the Czech Republic (last week). He publicly stated that he had arrived basically in order to get Mr Nikulin to the United States, in which he succeeded. Well, one of the versions is that Mr Nikulin may in some way serve as a tool of the internal American political fight – to which the black tie served as well,” Zeman said.

“I do not consider this a very good solution if Czechs were to meddle in the American political situation,” Zeman added.

Ryan, who appreciated the Czech government for the extradition of Nikulin, did not meet Zeman during his recent visit to Prague without citing the reasons.

It may be that Ryan was doing the bidding of Trump. Or, more likely, Ryan may have made the move in what appears to be fairly unified NATO response to the attempted Sergei Skripal assassination.

Nikulin’s Russian-provided lawyer makes it clear they will negotiate

That said, I find it very interesting that Nikulin’s lawyer, whom the Russians asked to get involved, is explicitly already talking about a plea deal.

The legal team for Yevgeniy Nikulin, the Russian hacker accused of stealing data from LinkedIn and other American tech firms, will explore a plea deal with the U.S. government, according to Nikulin’s lawyer, Arkady Bukh.

“The likelihood of a trial is not very high,” Bukh said. The U.S. District Court for the Northern District of California, where Nikulin’s trial would occur, “has over a 99 percent conviction rate. We are not throwing clients under the bus,” Bukh said.

[snip]

Bukh was first contacted by the Russian consulate and asked to help on the case. He was approved on Wednesday to act as a lawyer for Nikulin by the court. Although Bukh has been in regular and sustained contact with both Nikulin’s family and the Russian consulate, he had yet to speak with his client as of Wednesday night.

The Russian consulate has expressed concerns about Nikulin’s mental condition, and Bukh said he “appears to be depressed.”

Perhaps Bukh is taking this route because the Feds have Nikulin dead to rights and a plea is the most logical approach. Perhaps Russia has learned its lesson from Roman Seleznev, the son of a prominent Duma member, who has been shipped around to different jurisdictions to have additional onerous sentences added to his prison term; I’m fairly certain there are other sealed indictments against Nikulin besides the one he was charged under that DOJ could use similarly.

Or perhaps Russia has reason to want to bury any public airing of evidence regarding what Nikulin has done or could be said to have done.

How Nikulin might be involved in the 2016 operation

I’ve long suggested that Nikulin may have had a facilitating role in the 2016 operation. That’s because credentials from his LinkedIn hack were publicly sold for a ridiculously small amount just before May 18, 2016, rather inexplicably making them available outside the tight-knit group of Russians who had been using the stolen credentials up to that point.

Almost all of the people whose email boxes were sent to Wikileaks were affected by the LinkedIn (and/or MySpace) breach, meaning passwords and emails they had used became publicly available in the middle of the Russian operation. And those emails were exfiltrated in the days immediately following, probably May 19-25, the public release of those credentials.

In other words, it is possible that stolen credentials, and not GRU hacks, obtained the emails that were shared with WikiLeaks.

None of that is to say that Russia didn’t steal the emails shared with Wikileaks or arrange that handoff.

Rather, it’s to say that there is a counter-narrative that would provide convenient plausible deniability to both the Russians and Wikileaks that may or may not actually be how those emails were obtained, but also may be all wrapped up ready to offer as a narrative to undercut the claim that GRU itself handed off the emails.

Note, too, how that timing coincides with the public claims Konstantin Kozlovsky made last year, which I laid out here.

April 28, 2015: FSB accesses Lurk servers with Kaspersky’s help.

May 18, 2016: LinkedIn credentials allegedly stolen by Yevgeniy Nikulin made widely available.

May 18, 2016: Kozlovsky arrest.

May 19-25, 2016: DNC emails shared with WikiLeaks likely exfiltrated.

October 5, 2016: Yevgeniy Nikulin arrest in Prague.

October 20, 2016: Nikulin indictment.

November 1, 2016: Date of Kozlovsky confession.

December 5, 2016: Arrest, for treason, of FSB officers Dmitry Dokuchaev and Sergey Mikhailov.

February 28, 2017: Indictment (under seal) of FSB officers, including Dmitry Dokuchaev, Alexey Belan, and Karim Baratov for Yahoo hack.

March 15, 2017: Yahoo indictment unsealed.

August 14, 2017: Kozlovsky posts November 1 confession of hacking DNC on Facebook.

November 28, 2017: Karim Baratov (co-defendant of FSB handlers) plea agreement.

December 2, 2017: Kozlovsky’s claims posted on his Facebook page.

March 30, 2018: Extradition of Nikulin.

April 2, 2018: Report that Dokuchaev accepted a plea deal.

April 17, 2018: Scheduled court appearance for Nikulin.

With each new hacker delivered into US custody, something happens in Russia that may provide an alternate narrative.

And consider that in the wake of Nikulin’s extradition, Dmitry Dokuchaev and another of the people accused of treason in Russia have made a partial confession that will, like any Nikulin plea, serve to bury much of the claimed evidence against them.

Two of the four suspects in a Russian treason case, including a former agent in the FSB’s Information Security Center, have reportedly signed plea bargains where they confess to transferring data to foreign intelligence agencies. Three sources have confirmed to the magazine RBC that former FSB agent Dmitry Dokuchaev and entrepreneur Georgy Fomchenkov reached deals with prosecutors.

One of RBC’s sources says the two suspects claim to have shared information with foreign intelligence agencies “informally,” denying that there was anything criminal about the exchange. Dokuchaev and Fomchenkov say they were only trying to help punish cyber-criminals operating outside Russia and therefore outside their jurisdiction. Lawyers for the two suspects refused to comment on the story.

As a result of the plea bargains, the two men’s trials will be fast-tracked in a special procedure where the evidence collected against them isn’t reviewed. Dokuchaev and Fomchenkov will also face lighter sentences — no more than two-thirds of Russia’s maximum 20-year sentence for treason, says one of RBC’s sources.

The other two suspects in the treason case, former FSB Information Security Center agent Sergey Mikhailov and former Kaspersky Lab computer incidents investigations head Ruslan Stoyanov, have reportedly turned down plea bargains, insisting on their innocence.

All of which is to say that Nikulin offers at least a plausible counter-explanation for the DNC hack-and-leak, one that might shift blame for the operation to non-state actors rather than GRU, which is something Vladimir Putin has been doing since Nikulin’s extradition first became likely, even if he has changed his mind about whether such non-state Russians will be celebrated or demonized upon their roll-out.

Rolling out plea deals here and in Russia may be an effort to try to sell that counter-narrative, before Robert Mueller rolls out whatever he will about the hack-and-leak in coming days.

Update: A reader notes correctly that all the dossier’s reporting on Cohen, especially that describing a meeting in Prague, post-dates the Nikulin arrest. See this post for more on the timing of the Cohen reporting, piggy-backing off of PiNC’s analysis.

Putin Discovers He Needs to Indict Another Russian Hacker

Back when Russian hacker Yevgeniy Nikulin got arrested in Prague in association with US charges of hacking LinkedIn and Dropbox, Russia quickly delivered up its own, far more minor indictment of him to set off a battle over his extradition. Months later, Nikulin’s legal team publicized a claim that an FBI Agent had discussed a deal with him, related to the hack of the DNC — a claim that is not as nuts as it seems (because a number of the people hacked had passwords exposed in those breaches). Whatever the reason, Russia clearly would like to keep Nikulin out of US custody.

And not long after Russian hacker Alexander Vinnik got detained in Greece related to the Bitcoin-e charges, Russia dug up an indictment for him too. Russia has emphasized crypto-currencies of late, so it’s understandable why they’d want to keep a guy alleged to be an expert at using crypto-currencies to launder money out of US hands.

What’s a more interesting question is why Russia waited so long to manufacture a Russian indictment for Pyotr Levashov, the alleged culprit behind the Kelihos bot, who is currently facing extradition to the US from Spain. Levashov was detained in April, but Russia only claimed they wanted him, too, a few weeks ago, around the same time Levashov started claiming he had spied on behalf of Putin’s party.

Perhaps it’s harder to manufacture a Russian indictment on someone the state had had no problem with before. Perhaps Russia has just decided this ploy is working and has few downsides. Or perhaps other events — maybe the arrest of Marcus Hutchins in August or the extradition back to the UK of Daniel Kaye in September — have made Levashov’s exposure here in the US even more problematic for Russia.

But I find it really curious that it took five months after Levashov got arrested for the Russians to decide it’d be worth claiming they want to arrest him too.

Update: Spain has approved Levashov’s extradition to the US.

Did FBI Plan Russia’s Fire Sale in San Francisco for a Specific Reason?

You’ve no doubt seen pictures of the black smoke rising above Russia’s consulate yesterday, an apparently sour-smelling smoke on a day of record heat in San Francisco. A facility ordered to close in DC sported a more modest fire.

None of that’s surprising. When diplomatic facilities shut down, especially on short notice as happened here, they need to get rid of records, not least all the spying records. We did it in the MENA embassies closed in the face of attacks in 2012, including the facility in Benghazi. We burned documents in our embassy in Moscow in 1991. This is what diplomatic personnel, and spies operating under official cover, are trained to do.

It provides the same kind of spectacle that evicting Russians who’ve long inhabited suburban compounds did in December (and I confess to convincing EFF to send an intern to sniff the air to figure out what besides paper might be burning). That said, it is to be expected.

But I wonder whether there’s not something more to the way this was carried out. Eli Lake took a break from scolding violence he otherwise champions if used by those he disagrees with to do some actual reporting. He explained that in late July, in an effort to minimize Russia’s reaction to the sanctions Congress pushed through over Trump’s objections, a top State Department official offered Russia a deal: they could have their NY and MD compounds back so long as they promised to use them only for recreation and agreed to let authorities search the compounds. But those criminal searches were too much for Russia to agree to, which led State to revert to the normal processes.

U.S. officials tell me that Undersecretary of State Tom Shannon, a career foreign service official appointed during the Obama administration, made a last-minute effort to stop the Russians from retaliating against the new sanctions, a response to Russia’s election meddling that Trump reluctantly signed.

At the end of July, Shannon presented a “non-paper,” a proposal with no official diplomatic markings, to his Russian counterpart that offered the return of two diplomatic compounds President Barack Obama shuttered in December.

[snip]

Almost no one else in the government knew about Shannon’s efforts. Two U.S. officials who work closely on Russia told me that the FBI’s spy hunters in particular were furious when they found out Shannon had made the unofficial offer to return the compounds closed in December. Fiona Hill, the National Security Council’s senior director for European and Russian affairs, was also unaware of the offer, according to these officials.

Shannon’s non-paper was not a total giveaway. It included tougher terms for how the Russians could use their compounds, specifying they could only be used for recreational activities. It also explicitly gave U.S. authorities the right to enter the compounds if there was suspicion of criminal activity or espionage.

That apparently was too much for Moscow. They went ahead with the diplomatic expulsions anyway. This time when the Trump administration considered its response, it went through a more rigorous inter-agency process, according to U.S. officials who participated in it. The FBI in particular pressed for closing the consulate in San Francisco because it was a center for Russian espionage activities on the West Coast.

It’s this last bit I’m particularly interested in. The WaPo reported earlier this year something I had heard as well: the decisions on expulsions in December had reflected a last minute shift to include more people in San Francisco.

More broadly, the list of 35 names focused heavily on Russians known to have technical skills. Their names and bios were laid out on a dossier delivered to senior White House officials and Cabinet secretaries, although the list was modified at the last minute to reduce the number of expulsions from Russia’s U.N. mission in New York and add more names from its facilities in Washington and San Francisco.

And I’ve heard Russians pushed to have their Houston consulate shut down in lieu of the San Francisco one, to no avail.

It’s what came next that is really interesting. In both San Francisco and DC, apparently after the Russians had vacated their property (remember reports that the Russians may have gotten warning about their compounds in December), the US informed them that Russians in San Francisco and the facility in DC would be subject to search.

On August 31, the US authorities announced unprecedented restrictive measures against Russian diplomatic and consular missions in the US, requiring us to close, in a matter of two days, the consulate general in San Francisco, one of the largest Russian consulates in the US that provides visa, notary and other consular services to Russian and US nationals from across a number of densely populated states. Russia is also required to close without delay its Trade Representation in Washington, D.C. and its annex in New York. The US also tightened requirements regarding the mobility of Russian diplomats and official delegations.

This move is yet another blatant violation of international law, including the commitments undertaken by the US under the Vienna Conventions on Diplomatic and Consular Relations. It goes far beyond Washington’s previous initiatives, which included the expropriation by the Barack Obama administration in December 2016 of countryside retreats of the Russian Embassy and Permanent Mission to the UN, despite their immunity status.

Following the illegal seizure of high-value Russian state property, we are being pushed to sell them. On top of that, the latest demands announced by the US pose a direct threat to the security and safety of Russian citizens. The US secret services intend to conduct a search of the Consulate General in San Francisco on September 2, including the apartments of its staff who live in the building and have immunity. In this connection, they were ordered to leave the premises for a period of 10 to 12 hours with their families, including small children and even infants. This is an intrusion into a consular office and the residence of diplomatic workers, who are forced outside so as not to stand in the way of the FBI agents.

I believe the Russians are right here — the tit for tat evictions are normal, and so are the fires before vacating a compound. The searches of diplomatic property are likely not (never mind that FBI could get FISA warrants to search them in a cinch — that just wouldn’t permit them to do this so quickly and aggressively).

The last time Putin spoke of retaliation like this came shortly before the NotPetya worm, and raised in the context of kompromat by a power that collected kompromat on Trump and the Republicans, may well be backed by a real ability to deliver on the threat.

So I’m wondering if the FBI had more specific reasons to use the opportunity of Russia refusing our sweetheart deal to want to close this consulate and flush whatever and whoever is in it out into the open? That’s true, especially given the criminal hacking cases targeting Silicon Valley companies we’re trying out there (the Yahoo and the Nikulin one both may have tangential ties to the DNC hack).

Undoubtedly, this is all happening because FBI believes it will make Russian spying, particularly that targeting our tech industry, far more difficult. But I wonder if some specific goal made the difference to really taking a hard line?

Yevgeniy Nikulin Writes The Donald

Back in July, I noted that Vladimir Putin started waxing about independent hackers’ “art” as it looked more and more likely that Yevgeniy Nikulin, the guy DOJ has accused of hacking LinkedIn and MySpace, among others, would be extradited to the US. Nikulin also made some news by alleging that back in February, the FBI Agent who had interrogated him in Prague had asked him about the election hack.

Now Nikulin has gone one better, writing to President Trump with his claim that he was asked to perjure himself by claiming credit for the DNC hack. (h/t ME)

Obviously, this might just be a ploy to garner attention and give Russia some ammunition to bolster their (thus far reportedly losing) claim that they should get custody of Nikulin for a minor hack rather than the US for a number of very major ones. It is a good way to get attention, especially given the way Trump keeps raising doubts about who hacked the DNC.

But it is actually not crazy to think Nikulin had a role in the DNC hack. One fairly credible alternative theory for the source of the DNC emails dealt to WikiLeaks is that someone used easily cracked credentials from Nikulin’s alleged breaches to obtain the email boxes of about 9 people at the DNC. If that were the case, it would raise the stakes for the logic behind the hacks Nikulin is alleged to have committed and the timing of the more public release of the stolen credentials.

In which case Nikulin’s appeal to Trump (who of course has shown zero interest in the plight of unjust DOJ claims for anyone else, even American citizens, since being elected) would be far more interesting — a way for Trump to personally intervene to prevent potentially damning information from landing in the hands of American prosecutors.

It’s the kind of thing that might come up in hour long conversations on the sidelines of meetings between Putin and Trump.

On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. Most of the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down, or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But Trump and his oil-soaked sidekick instead agreed to make future hacking of the US easier.

The Compartments in WaPo’s Russian Hack Magnum Opus

The WaPo has an 8300 word opus on the Obama Administration’s response to Russian tampering in the election. The article definitely covers new ground on the Obama effort to respond while avoiding making things worse, particularly with regards to imposing sanctions in December. It also largely lays out much of the coverage the three bylined journalists (Greg Miller, Ellen Nakashima, and Adam Entous) have broken before, with new details. The overall message of the article, which has a number of particular viewpoints and silences, is this: Moscow is getting away with their attack.

“[B]ecause of the divergent ways Obama and Trump have handled the matter, Moscow appears unlikely to face proportionate consequences.”

The Immaculate Interception: CIA’s scoop

WaPo starts its story about how Russia got away with its election op with an exchange designed to make the non-response to the attack seem all the more senseless. It provides a dramatic description of a detail these very same reporters broke on December 9: Putin, who was personally directing this effort, was trying to elect Trump.

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

[snip]

The material was so sensitive that CIA Director John Brennan kept it out of the President’s Daily Brief, concerned that even that restricted report’s distribution was too broad. The CIA package came with instructions that it be returned immediately after it was read.

[snip]

In early August, Brennan alerted senior White House officials to the Putin intelligence, making a call to deputy national security adviser Avril Haines and pulling national security adviser Susan Rice aside after a meeting before briefing Obama along with Rice, Haines and McDonough in the Oval Office.

While the sharing of this information with just three aides adds to the drama, WaPo doesn’t consider something else about it. The inclusion of Rice and McDonough totally makes sense. But by including Avril Haines, Brennan was basically including his former Deputy Director who had moved onto the DNSA position, effectively putting two CIA people in a room with two White House people and the President. Significantly, Lisa Monaco — who had Brennan’s old job as White House Homeland Security Czar and who came from DOJ and FBI before that — was reportedly excluded from this initial briefing.

There are a number of other interesting details about all this. First, for thousands of words, the WaPo presents this intelligence as irreproachable, even while providing this unconvincing explanation of why, if it is so secret and solid, the CIA was willing to let WaPo put it on its front page.

For spy agencies, gaining insights into the intentions of foreign leaders is among the highest priorities. But Putin is a remarkably elusive target. A former KGB officer, he takes extreme precautions to guard against surveillance, rarely communicating by phone or computer, always running sensitive state business from deep within the confines of the Kremlin.

The Washington Post is withholding some details of the intelligence at the request of the U.S. government.

If this intelligence is so sensitive, why is even the timing of its collection being revealed here, much less its access to Putin?

That seemingly contradictory action is all the more curious given that not all agencies were as impressed with this intelligence as CIA was. It’s not until much, much later in its report that WaPo explains what remains true as recently as Admiral Rogers’ latest Congressional testimony: the NSA wasn’t and isn’t as convinced by CIA’s super secret intelligence as CIA was.

Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

By the time this detail is presented, the narrative is in place: Obama failed to respond adequately to the attack that CIA warned about back in August.

The depiction of this top-level compartment of just Brennan, Rice, McDonough, and Haines is interesting background, as well, for the depiction of the way McDonough undermined a State Department plan to institute a Special Commission before Donald Trump got started.

Supporters’ confidence was buoyed when McDonough signaled that he planned to “tabledrop” the proposal at the next NSC meeting, one that would be chaired by Obama. Kerry was overseas and participated by videoconference.

To some, the “tabledrop” term has a tactical connotation beyond the obvious. It is sometimes used as a means of securing approval of an idea by introducing it before opponents have a chance to form counterarguments.

“We thought this was a good sign,” a former State Department official said.

But as soon as McDonough introduced the proposal for a commission, he began criticizing it, arguing that it would be perceived as partisan and almost certainly blocked by Congress.

Obama then echoed McDonough’s critique, effectively killing any chance that a Russia commission would be formed.

Effectively, McDonough upended the table on those (which presumably includes the CIA) who wanted to preempt regular process.

Finally, even after these three WaPo journalists foreground their entire narrative with CIA’s super duper scoop (that NSA is still not 100% convinced is one), they don’t describe their own role in changing the tenor of the response on December 9 by reporting the first iteration of this story.

“By December, those of us working on this for a long time were demoralized,” said an administration official involved in the developing punitive options.

Then the tenor began to shift.

On Dec. 9, Obama ordered a comprehensive review by U.S. intelligence agencies of Russian interference in U.S. elections going back to 2008, with a plan to make some of the findings public.

The WaPo’s report of the CIA’s intelligence changed the tenor back in December, and this story about the absence of a response might change the tenor here.

Presenting the politics ahead of the intelligence

The WaPo’s foregrounding of Brennan’s August scoop is also important for the way they portray the parallel streams of the intelligence and political response. It portrays the Democrats’ political complaints about Republicans in this story, most notably the suggestion that Mitch McConnell refused to back a more public statement about the Russian operation when Democrats were pushing for one in September. That story, in part because of McConnell’s silence, has become accepted as true.

Except the WaPo’s own story provides ample evidence that the Democrats were trying to get ahead of the formal intelligence community with respect to attribution, both in the summer, when Clapper only alluded to Russian involvement.

Even after the late-July WikiLeaks dump, which came on the eve of the Democratic convention and led to the resignation of Rep. Debbie Wasserman Schultz (D-Fla.) as the DNC’s chairwoman, U.S. intelligence officials continued to express uncertainty about who was behind the hacks or why they were carried out.

At a public security conference in Aspen, Colo., in late July, Director of National Intelligence James R. Clapper Jr. noted that Russia had a long history of meddling in American elections but that U.S. spy agencies were not ready to “make the call on attribution” for what was happening in 2016.

And, more importantly, in the fall, when the public IC attribution came only after McConnell refused to join a more aggressive statement because the intelligence did not yet support it (WaPo makes no mention of it, but DHS’s public reporting from late September still attributed the threat to election infrastructure to “cybercriminals and criminal hackers”).

Senate Majority Leader Mitch McConnell (R-Ky.) went further, officials said, voicing skepticism that the underlying intelligence truly supported the White House’s claims. Through a spokeswoman, McConnell declined to comment, citing the secrecy of that meeting.

Key Democrats were stunned by the GOP response and exasperated that the White House seemed willing to let Republican opposition block any pre-election move.

On Sept. 22, two California Democrats — Sen. Dianne Feinstein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a statement making clear that they had learned from intelligence briefings that Russia was directing a campaign to undermine the election, but they stopped short of saying to what end.

A week later, McConnell and other congressional leaders issued a cautious statement that encouraged state election officials to ensure their networks were “secure from attack.” The release made no mention of Russia and emphasized that the lawmakers “would oppose any effort by the federal government” to encroach on the states’ authorities.

When U.S. spy agencies reached unanimous agreement in late September that the interference was a Russian operation directed by Putin, Obama directed spy chiefs to prepare a public statement summarizing the intelligence in broad strokes.

I’m all in favor of beating up McConnell, but there is no reason to demand members of Congress precede the IC with formal attribution for something like this. So until October 7, McConnell had cover (if not justification) for refusing to back a stronger statement.

And while the report describes Brennan’s efforts to brief members of Congress (and the reported reluctance of Republicans to meet with him), it doesn’t answer what remains a critical and open question: whether Brennan’s briefing for Harry Reid was different — and more inflammatory — than his briefing for Republicans, and whether that was partly designed to get Reid to serve as a proxy attacker on Jim Comey and the FBI.

Brennan moved swiftly to schedule private briefings with congressional leaders. But getting appointments with certain Republicans proved difficult, officials said, and it was not until after Labor Day that Brennan had reached all members of the “Gang of Eight” — the majority and minority leaders of both houses and the chairmen and ranking Democrats on the Senate and House intelligence committees.

Nor does this account explain another thing: why Brennan serially briefed the Gang of Eight, when past experience is to brief them in groups, if not all together.

In short, while the WaPo provides new details on the parallel intelligence and political tracks, it reinforces its own narrative while remaining silent on some details that are critical to that narrative.

The compartments

The foregrounding of CIA in all this also raises questions about a new and important detail about (what I assume to be the subsequently publicly revealed, though this is not made clear) Task Force investigating this operation: it lives at CIA, not FBI.

Brennan convened a secret task force at CIA headquarters composed of several dozen analysts and officers from the CIA, the NSA and the FBI.

The unit functioned as a sealed compartment, its work hidden from the rest of the intelligence community. Those brought in signed new non-disclosure agreements to be granted access to intelligence from all three participating agencies.

They worked exclusively for two groups of “customers,” officials said. The first was Obama and fewer than 14 senior officials in government. The second was a team of operations specialists at the CIA, NSA and FBI who took direction from the task force on where to aim their subsequent efforts to collect more intelligence on Russia.

Much later in the story, WaPo reveals how, in the wake of Obama calling for a report, analysts started looking back at their collected intelligence and learning new details.

Obama’s decision to order a comprehensive report on Moscow’s interference from U.S. spy agencies had prompted analysts to go back through their agencies’ files, scouring for previously overlooked clues.

The effort led to a flurry of new, disturbing reports — many of them presented in the President’s Daily Brief — about Russia’s subversion of the 2016 race. The emerging picture enabled policymakers to begin seeing the Russian campaign in broader terms, as a comprehensive plot sweeping in its scope.

It’s worth asking: did the close hold of the original Task Force, a hold that appears to have been set by Brennan, contribute to the belated discovery of these details revealing a broader campaign?

The surveillance driven sanctions

I’m most interested in the description of how the Obama Admin chose whom to impose sanctions on, though it includes this bizarre claim.

But the package of measures approved by Obama, and the process by which they were selected and implemented, were more complex than initially understood.

The expulsions and compound seizures were originally devised as ways to retaliate against Moscow not for election interference but for an escalating campaign of harassment of American diplomats and intelligence operatives. U.S. officials often endured hostile treatment, but the episodes had become increasingly menacing and violent.

Several of the details WaPo presents as misunderstood (including that the sanctions were retaliation for treatment of diplomats) were either explicit in the sanction package or easily gleaned at the time.

One of those easily gleaned details is that the sanctions on GRU and FSB were mostly symbolic. WaPo uses the symbolic nature of the attack on those who perpetrated the attack as a way to air complaints that these sanctions were not as onerous as those in response to Ukraine.

“I don’t think any of us thought of sanctions as being a primary way of expressing our disapproval” for the election interference, said a senior administration official involved in the decision. “Going after their intelligence services was not about economic impact. It was symbolic.”

More than any other measure, that decision has become a source of regret to senior administration officials directly involved in the Russia debate. The outcome has left the impression that Obama saw Russia’s military meddling in Ukraine as more deserving of severe punishment than its subversion of a U.S. presidential race.

“What is the greater threat to our system of government?” said a former high-ranking administration official, noting that Obama and his advisers knew from projections formulated by the Treasury Department that the impact of the election-related economic sanctions would be “minimal.”

Three things that might play into the mostly symbolic targeting of FSB, especially, are not mentioned. First, WaPo makes no mention of the suspected intelligence sources who’ve been killed since the election, most credibly Oleg Erovinkin, as well as a slew of other suspect and less obviously connected deaths. It doesn’t mention the four men Russia charged with treason in early December. And it doesn’t mention DOJ’s indictment of the Yahoo hackers, including one of the FSB officers, Dmitry Dokuchaev, that Russia charged with treason (not to mention the inclusion within the indictment of intercepts between FSB officers). There’s a lot more spy vs. spy activity going on here that likely relates far more to retaliation or limits on US ability to retaliate, all of which may be more important in the medium term than financial sanctions.

Given the Yahoo and other indictments working through San Francisco (including that of Yevgeniy Nikulin, who claims FBI offered him a plea deal involving admitting he hacked the DNC), I’m particularly interested in the shift in sanctions from NY to San Francisco, where Nikulin and Dokuchaev’s victims are located.

The FBI was also responsible for generating the list of Russian operatives working under diplomatic cover to expel, drawn from a roster the bureau maintains of suspected Russian intelligence agents in the United States.

[snip]

The roster of expelled spies included several operatives who were suspected of playing a role in Russia’s election interference from within the United States, officials said. They declined to elaborate.

More broadly, the list of 35 names focused heavily on Russians known to have technical skills. Their names and bios were laid out on a dossier delivered to senior White House officials and Cabinet secretaries, although the list was modified at the last minute to reduce the number of expulsions from Russia’s U.N. mission in New York and add more names from its facilities in Washington and San Francisco.

And the WaPo’s reports confirm what was also obvious: the two compounds got shut down (and were a priority) because of all the spying they were doing.

The FBI had long lobbied to close two Russian compounds in the United States — one in Maryland and another in New York — on the grounds that both were used for espionage and placed an enormous surveillance burden on the bureau.

[snip]

Rice pointed to the FBI’s McCabe and said: “You guys have been begging to do this for years. Now is your chance.”

The administration gave Russia 24 hours to evacuate the sites, and FBI agents watched as fleets of trucks loaded with cargo passed through the compounds’ gates.

Finally, given Congress’ bipartisan fearmongering about Kaspersky Lab, I’m most interested that at one point Treasury wanted to include them in sanctions.

Treasury Department officials devised plans that would hit entire sectors of Russia’s economy. One preliminary suggestion called for targeting technology companies including Kaspersky Lab, the Moscow-based cybersecurity firm. But skeptics worried that the harm could spill into Europe and pointed out that U.S. companies used Kaspersky systems and software.

In spite of all the fearmongering, no one has presented proof that Kaspersky is working for Russia (there are even things, which I won’t go into for the moment, that suggest the opposite). But we’re moving close to de facto sanctions against Kaspersky anyway, even in spite of the fact (or perhaps because) they’re providing better intelligence on WannaCry than half the witnesses called as witnesses to Congress. But discrediting Kaspersky undercuts one of the only security firms in the world who, in addition to commenting on Russian hacking, will unpack America’s own hacking. You sanction Kaspersky, and you expand the asymmetry with which security firms selectively scrutinize just Russian hacking, rather than all nation-state hacking.

The looming cyberattack and the silence about Shadow Brokers

Which brings me to the last section of the article, where, over 8000 words in, the WaPo issues a threat against Russia in the form of a looming cyberattack Obama approved before he left.

WaPo’s early description of this suggests the attack was and is still in planning stages and relies on Donald Trump to execute.

Obama also approved a previously undisclosed covert measure that authorized planting cyber weapons in Russia’s infrastructure, the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It would be up to President Trump to decide whether to use the capability.

But if readers make it all the way through the very long article, they’ll learn that’s not the case. The finding has already been signed, the implants are already being placed (implants which would most likely be discovered by Kaspersky), and for Trump to stop it, he would have to countermand Obama’s finding.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

Whatever else this article is designed to do, I think, it is designed to be a threat to Putin, from long gone Obama officials.

Given the discussion of a looming cyberattack on Russia, it’s all the more remarkable WaPo breathed not one word about Shadow Brokers, which is most likely to be a drawn-out cyberattack by Russian affiliates on NSA. Even ignoring the Shadow Brokers-derived global ransomware attack in WannaCry, Shadow Brokers has ratcheted up the severity of its releases, including doxing NSA’s spies and hacks of the global finance system. It has very explicitly fostered tensions between the NSA and private sector partners (as well as the reputational costs on those private sector partners). And it has threatened to leak still worse, including NSA exploits against current Microsoft products and details of NSA’s spying on hostile nuclear programs.

The WaPo is talking about a big cyberattack, but an entity that most likely has close ties to Russia has been conducting one, all in plain sight. I suggested back in December that Shadow Brokers was essentially holding NSA hostage in part as a way to constrain US intelligence retaliation against Russia. Given ensuing events, I’m more convinced that is, at least partly, true.

But in this grand narrative of CIA’s early warning and Obama’s inadequate response, details like that remain unsaid.

Putin Starts Talking about Hackers’ Art in Advance of Yevgeniy Nikulin Extradition

Yesterday, Vladimir Putin shifted from the public denials he has made about Russia’s role in the hack of the DNC. Whereas even just days ago, he had denied any involvement, yesterday he suggested Russian hackers might on their own decide to hack Russia’s adversaries out of patriotism.

Asked about suspicions that Russia might try to interfere in the coming elections in Germany, Mr. Putin raised the possibility of attacks on foreign votes by what he portrayed as free-spirited Russian patriots. Hackers, he said, “are like artists” who choose their targets depending how they feel “when they wake up in the morning.” Any such attacks, he added, could not alter the result of elections in Europe, America or elsewhere.

Artists, he said, paint if they wake up feeling in good spirits while hackers respond if “they wake up and read that something is going on in interstate relations” that prompts them to take action. “If they are patriotically minded, they start making their contributions — which are right, from their point of view — to the fight against those who say bad things about Russia,” Mr. Putin added, apparently referring to Hillary Clinton.

Putin’s change, to the extent it is one, may reflect recent events in Prague, where Russian hacker Yevgeniy Nikulin had a hearing on America’s extradition request. As the Guardian describes, the Czechs seem fairly close to approving Nikulin’s extradition to the US.

A 17-page affidavit by [FBI Agent Jeffrey] Miller, seen by the Guardian, outlines the evidence against Nikulin to the Czech court. The affidavit lists some of the aliases Nikulin is alleged to have used, including Chinabig01, Eugene, Uarebeenhacked, John Pattison and itBlackHat.

According to Miller’s affidavit, the FBI evidence is based on “witness interviews including confidential sources, ISP records, court-authorised electronic interceptions, and other sources”. Some of the electronic intercepts were emails from the Gmail account of Alexei Belan, a hacker on the FBI wanted list for allegedly conspiring with Russian FSB agents to perpetrate a huge hack on Yahoo in 2014. Belan is on the FBI’s cyber top 10 most wanted list. None of the raw evidence was provided to the court.

The affidavit relates solely to the hacking of LinkedIn, Dropbox and Formspring in 2012, and does not mention any election hacking.

However, Nikulin wrote in a letter from prison that Miller had interrogated him in Prague on 7 February and raised the election hacking. Excerpts of the letter were provided to the Guardian by Nikulin’s lawyers, but there is no way of substantiating the claims he made.

Nikulin claimed Miller demanded he admit to hacking the DNC servers as part of what the FBI is said to have claimed was a nefarious plot ultimately ordered by Trump, and promised him good treatment in the US if he cooperated. Nikulin wrote that he rejected the offer.

While the focus on the Russian hack has always centered on an alleged phish, in fact the mailboxes sent to Wikileaks better match up with credentials made available via the theft Nikulin is alleged to have carried out; the passwords of most of the people would have been available in barely encrypted format. And the mention of Alexei Belan might tie the Yahoo hack to the DNC hack as well.

Nikulin has been telegraphing his claim the US offered him a cooperation agreement for some time. It doesn’t sound legit — after all, the FBI would be as interested in implicating Russia as Trump. But it may be the best way for him to communicate with the Russian government, including Putin, about what kind of story he might proffer to the FBI.

If so, Putin appears to have gotten the message.