The Russian Metadata in the Shadow Brokers Dump

When I first noted, back in April, that there was metadata in one of the Shadow Brokers dumps, I suggested two possible motives for the doxing of several NSA hackers. First (assuming Russia had a role in the operation), to retaliate against US indictments of Russian hackers, including several believed to be tied to the DNC hack.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

But leaving the metadata in the documents might also make the investigation more difficult.

[F]our days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

With that in mind, I want to look at a Brian Krebs piece that makes several uncharacteristic errors to get around to suggesting a Russian-American might have been the guy who leaked the files in question.

He sets out to read the metadata I noted (but did not analyze in detail, because why make the dox worse?) in April to identify who the engineer was that had NSA files discovered because he was running Kaspersky on his home machine.

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

He links to the WSJ and cites, but doesn’t link, this NYT story on the Kaspersky related breach.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

Then he turns to NYT’s magnum opus on Shadow Brokers to substantiate the claim the government has investigations into three NSA personnel, two of whom were related to TAO.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

[snip]

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

He then turns to the Shadow Brokers’ released metadata to — he claims — identify the two “unnamed” NSA employees and the contractor referenced in The Times’ reporting.

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting?

From there, he points to a guy that few of the reports analyzing the people identified in the metadata had discussed: a Russian! Krebs decides that because this guy is Russian he’s likely to run Kaspersky and so he must be the guy who lost these files.

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sildelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sildelnikov might be predisposed to using a Russian antivirus product.

Krebs further suggests Sidelnikov must be the culprit for losing his files in the Kaspersky incident because the guy who first pointed him to this metadata, a pentester named Mike Poor, said a database expert like Sidelnikov shouldn’t have access to operational files.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

There are numerous problems with Krebs’ analysis — which I pointed out this morning but which he blew off with a really snotty tweet.

First, the NYT story he cites but doesn’t link to notes specifically that the Kaspersky related breach is unrelated to the Shadow Brokers leak, something that I also pointed out was logically obvious given how long the NSA claimed Hal Martin was behind the Shadow Brokers leak after the government was known to be investigating the Kaspersky related guy.

It does not appear to be related to a devastating leak of N.S.A. hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online.

Krebs also misreads the magnum opus NYT story. The very paragraph he quotes from reads like this:

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

That is, there aren’t “two unnamed NSA employees and [a] contractor referenced in The Times’ reporting.” The paragraph he refers to names two of the targets: Hal Martin (the other TAO employee) and Reality Winner. Which leaves just the Kaspersky related guy.

Krebs seemed unaware of the WaPo versions of the story, which include this one where Ellen Nakashima (who was the first to identify this guy last year) described the engineer as a Vietnamese born US citizen. Not a Russian-American, a Vietnamese-American.

Mystery solved Scoob! All without even looking at the Shadow Brokers’ metadata. There’s one more part of the Krebs story which is weird: he takes Sidelnikov’s non-response, the same non-response he got from the known NSA guys doxed by Shadow Brokers, as somehow indicative of anything, even though, if Sidelnikov had been “arrested” as Krebs’ headline mistakenly suggests, you’d think his phone might not be working at all.

There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to.

But the reason I went through the trouble of pointing out the errors is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia”?

Update: After the Vietnamese-American’s guilty plea got announced, Krebs unpublished his doxing post.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

The Seychelles Meeting Inches Kushner Closer to Quid Pro Quo with Sanctioned Russian Money

The Intercept has an article that has gotten surprisingly little attention, particularly given the reports that Mike Flynn is prepping to flip on Trump and that the House Intelligence Committee will have Erik Prince testify in its investigation.

It reveals that the previously unknown identity of a Russian that Erik Prince met in the Seychelles in January is the CEO of the Russian Direct Investment Fund.

The identity of the Russian individual was not disclosed, but on January 11, a Turkish-owned Bombardier Global 5000 charter plane flew Kirill Dmitriev, CEO of the Russian Direct Investment Fund, to the Seychelles, flight records obtained by The Intercept show. Dmitriev’s plane was an unscheduled charter flight and flew to the island with two other Russian individuals, both women. The RDIF is a $10 billion sovereign wealth fund created by the Russian government in 2011.

[snip]

Although Prince repeatedly stated he couldn’t remember the Russian’s name — “We didn’t exchange cards” — a spokesperson for Frontier Services Group confirmed to The Intercept in September that Prince “crossed paths” with Dmitriev in the Seychelles.

The article goes on to note that the RDIF separated from its parent company Vnesheconombank in 2016 to evade sanctions.

While it is legal to do business with RDIF in certain circumstances, there are several nuanced restrictions that if ignored or overlooked can easily lead to a violation. The resulting uncertainty has created opportunities for companies and individuals to find loopholes to bypass sanctions.

Analysts say RDIF attempted to do this in 2016 when the fund distanced itself from its parent company, the Russian bank Vnesheconombank, or VEB, which is also subject to U.S. sanctions. Legislation signed by Putin in June 2016 enabled RDIF to transfer its management company, known as the RDIF Management Company LLC, to the Russian Federal Agency for State Property Management.

Sadly, the Intercept article doesn’t lay out the timeline this creates:

Early December: Flynn and Kushner meet with Sergei Kislyak

Later December: At the behest of Kislyak, Kushner meets with Vnesheconombank’s Sergey Gorkov

December: Mohammed bin Zayed holds undisclosed meeting in NY with Kushner and Steve Bannon

December 29: Flynn tells Kislyak Trump will ease sanctions

January 11: At behest of Mohammed bin Zayed, Erik Prince meets with Dmitriev

January 17: Anthony Scaramucci meets with RDIF in Davos

As We Face Our Current Emergency Let’s Not Forget How (and Who) Our Last One Contributed to This One

All over Twitter yesterday, people introduced this Michael Hayden tweet decrying Trump’s “assault on truth, a free press or the first amendment” by emphasizing that he served as CIA and NSA Director.

They seem to forget that, in the name of supporting expansive executive authority, Hayden lied to Congress, targeted Thomas Drake for his unclassified communications with the press about Hayden’s support for profiteering contractors, and attacked journalists who have covered the Snowden leaks.

Also on Twitter, Ben Wittes wrote a long thread, advocating that “Americans do not need to be actively contesting right now across traditional left-right divisions” so long as “Americans of good faith collectively band together to face a national emergency.”

In a thread that singles out the First Amendment (though not, predictably, the Fourth), Wittes imagines two main entities that might conduct investigations into Trump: law enforcement and “men and women of the bureaucracy who are courageous enough to come forward and assist,” though he follows quickly with a generalized profession that this non-partisan truce he has unilaterally declared also involves supporting the spooks.

Having declared a truce on “important foreign policy questions,” he then emphasizes we have to keep our promises abroad.

And also we have to keep promises about rights.

The two, together, have set off a debate about what our national emergency really is — where Trump came from.

Remarkably, I’ve seen few pointing back to this remarkable Adam Serwer piece on the whiteness that got Trump elected. As he lays out, Trump got elected because white voters cared more about restoring “traditional” race, sex, and class roles than about all the horrible things Trump espoused.

Trump’s great political insight was that Obama’s time in office inflicted a profound psychological wound upon many white Americans, one that he could remedy by adopting the false narrative that placed the first black president outside the bounds of American citizenship. He intuited that Obama’s presence in the White House decreased the value of what W. E. B. Du Bois described as the “psychological wage” of whiteness across all classes of white Americans, and that the path to their hearts lay in invoking a bygone past when this affront had not taken place, and could not take place.

That the legacy of the first black president could be erased by a birther, that the woman who could have been the first female president was foiled by a man who confessed to sexual assault on tape—these were not drawbacks to Trump’s candidacy, but central to understanding how he would wield power, and on whose behalf.

Americans act with the understanding that Trump’s nationalism promises to restore traditional boundaries of race, gender, and sexuality. The nature of that same nationalism is to deny its essence, the better to salve the conscience and spare the soul.

Serwer’s piece is absolutely required reading.

But his exposition largely focuses on the domestic aspect of white supremacy. This paragraph is one of the few that focuses on the last emergency people like Wittes and Hayden screamed un-self critically about, the never-ending war on terror.

In the meantime, more than a decade of war nationalism directed at jihadist groups has shaped Republican attitudes toward Muslims—from seeing them as potential Republican voters in the late 1990s to viewing them as internal enemies currently. War nationalism always turns itself inward, but in the past, wars ended. Anti-Irish violence fell following the service of Irish American soldiers in the Civil War; Germans were integrated back into the body politic after World War II; and the Italians, Jews, and eastern Europeans who were targeted by the early 20th century’s great immigration scare would find themselves part of a state-sponsored project of assimilation by the war’s end. But the War on Terror is without end, and so that national consolidation has never occurred. Again, Trump is a manifestation of this trend rather than its impetus, a manifestation that began to rise not long after Obama’s candidacy.

And there’s no mention of white supremacy’s foreign counterpart, American exceptionalism, which has long led (white male) Americans to believe America had somehow earned its wealth and prestige without, at the same time, hurting the well-being of others around the world, one which has made Trump’s instinct to demand capitulation from other countries so popular.

Both are, after all, about assuming the capitulation of brown people is the natural order we deserve, whether in our neighborhoods or on the other side of the world.

I raise all this because, in addition to the whiteness problem Serwer lays out, I do think the exceptionalism and expansive executive power that Hayden and Wittes have championed are part of what created this emergency as well. Those who created and sustained that last emergency — those who insisted we needed exceptional measures the last time, exceptional measures that gave Trump far more tools with which to violate norms and persecute enemies — want us to divorce this emergency from their own actions that contributed to it and may make it harder to recover from.

By all means, those who newly admit problems with expansive executive power are welcome to join those of us who’ve long been fighting it. But I’m not sure why everyone wants them to take the lead.

How Did Christopher Steele Collect Information after Sources (Allegedly) Dried Up?

Sorry to those who think I’m overly focused on the Christopher Steele dossier, but I’m reading Luke Harding’s book on the Russian investigation, which uses the dossier as a centerpiece. I may do a longer post about what his overall narrative does, but for now there’s a weird paragraph that conveniently is in this long excerpt I want to focus on.

After introducing the first report of the dossier (the one that features the pee tape and dated, non-email kompromat), Harding writes,

The memo was sensational. There would be others, 16 in all, sent to Fusion between June and early November 2016. At first, obtaining intelligence from Moscow went well. For around six months – during the first half of the year – Steele was able to make inquiries in Russia with relative ease. It got harder from late July, as Trump’s ties to Russia came under scrutiny. Finally, the lights went out. Amid a Kremlin cover-up, the sources went silent and information channels shut down.

There are several details that conflict with known facts and/or claimed (in some cases, sworn) ones.

First, Harding suggests there were 16 reports in all. I’m not sure whether he’s suggesting the final total of reports written between June and early November was 16 or whether he’s suggesting there were 16 additional reports in all, for a total of 17. Either way the number works out (there were 17 total reports, one of which was written after November). But that makes the November reference weird. There was no report written in early November. The last known report before the election was dated October 20, and then there wasn’t another one until that December 13 one.

  • 080: June 20, 2016
  • 086: July 26, 2015 (citing events in 2016)
  • 095: not dated
  • 94: July 19, 2016
  • 097: July 30, 2016
  • 100: August 5, 2016
  • 101: August 10, 2016
  • 102: August 10, 2016
  • 136: October 20, 2016
  • 105: August 22, 2016
  • 111: September 14, 2016
  • 112: September 14, 2016
  • 113: September 14, 2016
  • 130: October 12, 2016
  • 134: October 18, 2016
  • 135: October 19, 2016
  • 166: December 13, 2016

In any case, Harding gets the December date sort of correct later in the passage. Except he describes Glenn Simpson giving John McCain the report, dated December 13, before McCain called Jim Comey about it on December 8.

Less than 24 hours later, Kramer returned to Washington. Glenn Simpson then shared a copy of the dossier confidentially with McCain, along with a final Steele memo on the Russian hacking operation, written in December.

McCain believed it was impossible to verify Steele’s claims without a proper investigation. He made a call and arranged a meeting with Comey. Their encounter on 8 December 2016 lasted five minutes. Not much was said. McCain gave Comey the dossier.

I explain the significance of these December dates in this post.

Things are even weirder with the third sentence in this passage.

For around six months – during the first half of the year – Steele was able to make inquiries in Russia with relative ease.

According to the public narrative, Steele wasn’t working for Fusion until the Democrats asked for a Russian focus in June. And the first of his released reports relies on reporting from June. But Harding here suggests Steele was working on it for the six months before that! I pointed to circumstantial evidence that Fusion paid Steele on March 22, April 6, and May 25, in payments they don’t associate with Perkins Coie, in addition to the payments that were probably to him on July 13, August 2, September 1, October 5, and November 1.

Now check out the following sentences. Starting in “late July … the lights went out and … the sources went silent and information channels shut down.”

As the timeline above makes clear, the numbering in the dossier gets funky almost immediately, but the most likely reading suggests after that first, June 20 report, there are 4 reports from late July, and the remaining 12 reports all postdate late July. Report 100, the first post-July one, is sourced to “early August 2016” (and dated August 5).

Now, maybe the paragraph is just totally screwy. But if there’s any basis in fact to it, it suggests the public timeline is wrong (something which may be backed by the payments). More importantly, it suggests Steele’s extensive (albeit very indirect) network of sources stopped providing intelligence not long after he allegedly started his inquiry.

Did the Steele Dossier Lead the Democrats To Be Complacent after They Got Hacked?

I get asked, a lot, why I obsess over the Steele dossier. A lot of people believe that even if the dossier doesn’t pan out, it doesn’t matter because Mueller’s investigation doesn’t depend on it. I’d be more sympathetic to that view if people like Adam Schiff and John Podesta didn’t keep invoking the dossier in ways that make their legitimate concerns easy to discredit.

But I now believe the dossier may have done affirmative damage.

Consider the timeline.

Perkins Coie lawyer Marc Elias reportedly engaged Fusion for opposition research in April (their first payment was May 24).

April 26, Joseph Mifsud told George Papadopoulos that Russians said they had “dirt” on Hillary Clinton, in the form of emails.

April 29, the DNC discovered they had been hacked. Perkins Coie partner Michael Sussmann had a key role in their response.

“Not sure it is related to what the F.B.I. has been noticing,” said one internal D.N.C. email sent on April 29. “The D.N.C. may have been hacked in a serious way this week, with password theft, etc.”

No one knew just how bad the breach was — but it was clear that a lot more than a single filing cabinet worth of materials might have been taken. A secret committee was immediately created, including Ms. Dacey, Ms. Wasserman Schultz, Mr. Brown and Michael Sussmann, a former cybercrimes prosecutor at the Department of Justice who now works at Perkins Coie, the Washington law firm that handles D.N.C. political matters.

“Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

Sometime in May, Robert Johnston (who then worked at Crowdstrike) briefed the DNC on the hack. He told them how much data had been stolen, but he told them intelligence hackers generally don’t do anything with the stolen data.

When he briefed the DNC in that conference room, Johnston presented a report that basically said, “They’ve balled up data and stolen it.” But the political officials were hardly experienced in the world of intelligence. They were not just horrified but puzzled. “They’re looking at me,” Johnston recalled, “and they’re asking, ‘What are they going to do with the data that was taken?’”

Back then, no one knew. In addition to APT 29, another hacking group had launched malware into the DNC’s system. Called APT 28, it’s also associated with Russian intelligence. Andrei Soldatov, a Russian investigative journalist and security expert, said it’s not crystal clear which Russian spy service is behind each hacker group, but like many other cybersecurity investigators, he agreed that Russian intelligence carried out the attack.

So, Johnston said, “I start thinking back to all of these previous hacks by Russia and other adversaries like China. I think back to the Joint Chiefs hack. What did they do with this data? Nothing. They took the information for espionage purposes. They didn’t leak it to WikiLeaks.”

So, Johnston recalled, that’s what he told the DNC in May 2016: Such thefts have become the norm, and the hackers did not plan on doing anything with what they had purloined.

May 25 was likely the date on which the last emails shared with Wikileaks got exfiltrated.

On June 9, Natalia Veselnitskaya met with Don Jr, Jared Kushner, and Paul Manafort at Trump Tower. Both at a Prevezon court hearing that morning and after the Trump Tower meeting, she reportedly met with Fusion’s Glenn Simpson. Though there’s no sign of Baker Hostetler paying for any services anytime near that meeting. Sometime Fusion associate Rinat Akhmetshin accompanied Veselnitskaya to the meeting; it’s possible he was paid for work in June.

Sometime in “mid-June,” the Perkins Coie lawyer Sussmann and the DNC first met with the FBI about the hack. They asked the FBI to attribute the hack to Russia.

The D.N.C. executives and their lawyer had their first formal meeting with senior F.B.I. officials in mid-June, nine months after the bureau’s first call to the tech-support contractor. Among the early requests at that meeting, according to participants: that the federal government make a quick “attribution” formally blaming actors with ties to Russian government for the attack to make clear that it was not routine hacking but foreign espionage.

“You have a presidential election underway here and you know that the Russians have hacked into the D.N.C.,” Mr. Sussmann said, recalling the message to the F.B.I. “We need to tell the American public that. And soon.”

The FBI would not attribute the hack formally until the following year.

On June 14, the DNC placed a story with the WaPo, spinning the hack to minimize the damage done.

On June 15, Guccifer 2.0 started posting. In his first post, he proved a number of the statements Crowdstrike or Democrats made to the WaPo were wrong, including that:

  • The hackers took just two documents
  • Only Trump-related documents had been stolen
  • Hillary’s campaign had not been hacked
  • The DNC had responded quickly
  • No donor information had been stolen

Now, you’d think this (plus Julian Assange’s claim to have Hillary emails) would alert the Democrats that Johnston’s advice — that the Russians probably wouldn’t do anything with the data they stole — was wrong. Except that (as far as is publicly known) none of the documents Guccifer 2.0 leaked in that first batch were from the DNC.

Around this same time, Perkins Coie lawyer Marc Elias asked Fusion to focus on Trump’s Russian ties, which led to Christopher Steele’s involvement in the already started oppo effort.

On June 20, Perkins Coie would have learned from a Steele report that the dirt Russia had on Hillary consisted of “bugged conversations she had on various visits to Russia and intercepted phone calls rather than any embarrassing conduct.” It would also have learned that “the dossier however had not yet been made available abroad, including to TRUMP or his campaign team.”

On July 19, Perkins Coie would have learned from a Steele report that at a meeting with a Kremlin official named Diyevkin which Carter Page insists didn’t take place, Diyevkin “rais[ed] a dossier of ‘kompromat’ the Kremlin possessed on TRUMP’s Democratic presidential rival, Hillary CLINTON, and its possible release to the Republican’s campaign team.” At that point in time, the reference to kompromat would still be to intercepted messages, not email.

On July 22, Wikileaks released the first trove of DNC emails.

On July 26 — days after Russian-supplied emails were being released to the press — Perkins Coie would receive a Steele report (based on June reporting) that claimed FSB had the lead on hacking in Russia. And the report would claim — counter to a great deal of publicly known evidence — that “there had been only limited success in penetrating the ‘first tier’ foreign targets.” That is, even after the Russian hacked emails got released to the public, Steele would still be providing information to the Democrats suggesting there was no risk of emails getting released because Russians just weren’t that good at hacking.

It appears likely that the Democrats asked Fusion to focus on Russia because they believed they had been badly hacked by Russia.

Everything they learned (and would have learned, if the June reporting on cybersecurity had been produced in timely fashion) between the time they were hacked and when Wikileaks would start releasing massive amounts of emails would have told the Democrats that the Russians hadn’t really succeeded with their hacking, and any kompromat they had on Hillary was not emails, but instead dated intercepts. The Steele dossier would have led them to be complacent, rather than prepping for the onslaught of the emails.

We don’t know how Steele’s intelligence was used within the party. But if they had paid attention to it, it would have done affirmative damage, because it might have led them to continue to rely on Johnston’s opinion that the stolen emails weren’t coming out.

The Dumb Ass Poker Faces in the White House Just Admitted Their Investigation Coincides with Mike Flynn’s

In a big scoop yesterday, NYT reported that Mike Flynn has withdrawn from a joint cooperation agreement with the White House, leading many people to believe that he is moving towards cooperating with Robert Mueller.

Lawyers for Michael T. Flynn, President Trump’s former national security adviser, notified the president’s legal team in recent days that they could no longer discuss the special counsel’s investigation, according to four people involved in the case — an indication that Mr. Flynn is cooperating with prosecutors or negotiating a deal.

Mr. Flynn’s lawyers had been sharing information with Mr. Trump’s lawyers about the investigation by the special counsel, Robert S. Mueller III, who is examining whether anyone around Mr. Trump was involved in Russian efforts to undermine Hillary Clinton’s presidential campaign.

[snip]

[T]he notification led Mr. Trump’s lawyers to believe that Mr. Flynn — who, along with his son, is seen as having significant criminal exposure — has, at the least, begun discussions with Mr. Mueller about cooperating.

[snip]

Mr. Flynn is regarded as loyal to Mr. Trump, but he has in recent weeks expressed serious concerns to friends that prosecutors will bring charges against his son, Michael Flynn Jr., who served as his father’s chief of staff and was a part of several financial deals involving the elder Mr. Flynn that Mr. Mueller is scrutinizing.

The WaPo confirmed NYT’s scoop, adding the detail that Flynn’s lawyer told Trump’s lawyer on Wednesday evening.

The call from Flynn lawyer Robert Kelner to Trump attorney John Dowd came Wednesday evening and is a potentially ominous sign for Trump and his close associates.

Along with all the reports that Mueller was implicating Flynn, Jr in his dad’s corruption, this timing would also closely follow the hints that Reza Zarrab, whose release Flynn reportedly discussed brokering, is now cooperating with prosecutors. It’s unclear how much Zarrab would have learned in jail about efforts to free him, but it’s certainly possible that the knowledge that he is likely cooperating changed Flynn’s calculus as well. And there may be other reasons, still not public, why Flynn reversed his determination to fight prosecution rather than cooperate.

But there’s something really funny about the White House’s confirmation that Flynn pulled out of the joint defense agreement, along with their pathetic claims this doesn’t mean Trump is in trouble.

Jay Sekulow, an attorney for Trump, said, “This is not entirely unexpected.”

“No one should draw the conclusion that this means anything about General Flynn cooperating against the president,” he said, adding, “It’s important to remember that General Flynn received his security clearance under the previous administration.”

Confirming to the press that Flynn pulled out of the joint defense agreement involves confirming that the White House had a joint defense agreement with his lawyers. And that entails confirming that the President is being targeted in matters closely tied to Flynn’s own actions.

Thus far, the crimes Flynn is most publicly being accused of — largely relating to his unreported influence peddling, for both Turkey and Russia — don’t necessarily impact Trump. Given the details that have thus far been made public, those actions could just reflect his own greed, not any overt work with Trump to implement the policies he promised to the Turks he would deliver. Indeed, there’d be little need for Flynn’s lawyers to work with Trump’s if that were the only criminal charges he was facing.

But now several Trump lawyers are on the record saying they viewed themselves as targeted by the same investigation as Flynn is. Which means (unsurprisingly) Trump was probably in the loop on Flynn’s influence peddling. And which also means Flynn’s discussions with Sergei Kislyak about sanctions relief — and his lies about them to the FBI — directly implicate Trump. That’s the stuff that would justify a joint defense agreement, and that’s the stuff the White House just confirmed by confirming the no longer operative joint defense agreement.

In spite of all the claims that Trump isn’t being investigated, Trump’s lawyers have just admitted that they have been treating Flynn’s criminal exposure as related to the President’s own.

Does the Fusion Ledger Explain Why They’ve Pled the Fifth?

When the first two Fusion employees, Peter Fritsch and Thomas Catán, testified before the House Intelligence Committee on October 18, they pled the Fifth. I’ve been wondering since then what basis they had to do so — as have the House Intelligence Committee lawyers fighting with them to obtain bank records related to their Russian related activities last year and this. Indeed, HPSCI suggests the invocation of the Fifth suggests there may be relevant and important materials still to hand over.

It logically follows either that Plaintiff’s principals may have been perjuring themselves when they testified to a purportedly good-faith belief that their answers would tend to incriminate them, and/or that they are in possession of incriminating information of relevance to the Committee’s investigation that they have not yet disclosed.

In my last post, I noted that the House Intelligence Committee believes Fusion GPS, the intelligence firm behind the dossier, paid three or four journalists (actually, two or three journalists, plus someone who has served as a source for such information), and is trying to get records pertaining to other law firms and two businesses as well.

Looking at the exhibits Fusion submitted, however, at least suggests what they might be trying to hide.

The interesting exhibits are:

Here’s what, taken together, we learn about the 112 transactions HPSCI is trying to access but Fusion is trying to hide. The HPSCI filing describes them this way:

30 + 12 transactions associated with those who worked on the Steele or Prevezon projects

The filings make clear Fusion originally turned over 30 transactions. They are bolded in the ledger, which include:

  1. Transactions 5-11 (7 total) totaling $523,650.62 dated March 7, March 18, August 18, September 6, October 27, October 31, and October 31 (again) 2016 which are Baker Hostetler payments associated with Prevezon
  2. Transactions 46 (dated June 28), 48 (dated September 8), and 51 (dated November 2) paid to someone whose redacted name is of a length that it might be Rinat Akhmetshin (3 total transactions)
  3. Transactions 77-81 (5 total) dated July 13, August 2, September 1, October 5, November 1 paid to a Russian expert with a short name [see the HPSCI justification page 5]; this may be Steele
  4. Transactions 83-88 (5 total) which are payments to someone else dated August 16, October 5, November 1, November 2, January 5, 2017
  5. Transactions 89-95 (7 total) which are payments from Perkins Coie dated May 24, July 15, July 29, August 31, September 30, October 28, and December 28
  6. Transactions 96-98 (3 total) which are payments to someone with a relatively short name dated August 11, September 2, and October 5

There are also 12 other transactions associated with people involved in those original transactions. They include:

  • A credit (Transaction 40) totaling $20,000 paid to Baker Hostetler on December 13, 2016
  • 7 payments associated with the redacted name person in 2, above, dated March 11, March 22, August 23, October 4, November 1 (which is listed as the same Bates stamp as one disclosed already), December 27, 2016 and January 5, 2017
  • 3 payments paid to the Russian researcher with the short name in 3, above, dated March 22, April 6, and May 25
  • A credit dated May 11, 2016 from the redacted name in 4, above

Comments:

There are four items of particular interest, here (before you get into coincidental dates).

First, the Russian expert with the short name is probably Steele (unless bullet 4 is him). If so, Fusion turned over payment information tied to the DNC work, but not payment information for something else (three payments in March through May) before the DNC came in. That may be stuff associated with Beacon’s funding of the earlier Trump dossier. Or it may be something else.

Second, Perkins Coie’s payments seem to track when the Trump reports come out. Except there is one payment for $58,669.00 (a curiously even number) in late December, after the last and most inflammatory Russian related report comes out on December 13. Admittedly, by report number, there are 31 reports between the October 19 and December 13 report publicly released, but the October 28 Perkins Coie payment of $365,275.33, by far the largest, would seem to pay for that. This suggests it is likely that Perkins Coie continued to pay for the dossier even after Trump won, contrary to what these entities have said in sworn declarations elsewhere. Given reports of John Podesta meeting with Christopher Steele after the election, I think it quite possible that Democrats paid for that last report.

Third, there is no payment even remotely associated with Baker Hostetler around the time of the Trump Tower meeting. There’s a March 18 payment and an August 18 one. This, in spite of the fact that Fox reported that Natalia Veselnitskaya met with Fusion both before and after the June 9, 2016 Trump Tower meeting.

But there is a payment — which Fusion says is not related to Prevezon or DNC — to the person with the name of the length of Rinat Akhmetshin, on June 28. I asked in September who paid Akhmetshin to be at that Trump Tower meeting. Is that the June 28 payment? If so, who paid for him to be at that meeting?

19 transactions pertaining to 8 law firms

Then there are the payments pertaining to 8 law firms. The HPSCI justification says those are:

  1. Transactions 1-3 (3 total), dated March 11, March 23, and August 17
  2. Transaction 17, dated February 12
  3. Transaction 65, dated June 6
  4. Transaction 67, dated March 30
  5. Transaction 70-73 (4 total), dated June 10, July 6, September 28, 2016, and February 17, 2017
  6. Transaction 88, dated May 10
  7. Transactions 99-105 (7 total), dated June 10, July 29, August 31, October 13, November 29, December 15, January 11
  8. Transaction 106, dated September 13

We have no idea what these are, and Fusion may well be correct saying this is just investigative work for real cases. Mind you, HPSCI has said it has classified information to justify some of these requests (not necessarily limited to the law firms). So I think it is worth noting.

8 transactions probably associated with Beacon

The HPSCI filing (paragraph 26) makes it clear they’re trying to get the payment information associated with Beacon, which reportedly paid for the Republican side of the dossier. The only 8 transactions otherwise unaccounted for are 54-61, which suggests those are the Beacon transactions. The HPSCI justification backs this, as it says the committee seeks to investigate a public claim (as they note, Beacon has confirmed its role in paying for the dossier). Except that produces some really weird dates: March 31, June 7, July 12, September 30, October 17, November 30, 2016, and January 4, February 15, 2017.

Those dates don’t make sense at all (because we were led to believe the Republican sponsored research started earlier than February), and they go well beyond the time the Republicans were said to have stopped paying.

12 credits probably associated with a media outlet, possibly Yahoo

As noted, the HPSCI filing suggests there are payments from (not to) a media company, which might be Yahoo.

As Mr. Steele has acknowledged in other dossier-related litigation, in addition to sharing memos comprising the dossier with Mother Jones, in fall 2016 he met with at least five major media outlets at Fusion GPS’ direction. Those outlets included Yahoo News, which on September 23, 2016, reported purported meetings between Trump campaign advisor Carter Page and specified high-ranking Russian officials, attributed to a single “well-placed Western intelligence service.” Substantively similar allegations were contained in the dossier. Given Fusion GPS’ demonstrated pattern of dossier-related engagement with media outlets, the Requested Records include records from [line and a half redacted].

Those appear to be transactions 32-43, dated pretty much monthly: February 17, March 21, April 19, May 18, June 15, July 20, August 17, September 19, October 19, November 16, December 14, 2016 and January 8, 2017, though they clearly track the election and transition time frame.

Business A transactions

Then there are two businesses. Those appear to be Transactions 12-16, which are payments on June 9, June 23, October 16, November 14, 2016 and January 26, 2017, and Transactions 18-31, which are mostly monthly payments from February 2016 to February 2017, though with some odd bunching during summer 2016. Both Business A and B are likely lobbying firms — see the redaction in the filing:

Business A appears to work on Ukrainian issues, as a footnote justifying its inclusion describes Trump’s shift on Ukrainian policy.

The hacked documents would be in exchange for a Trump Administration policy that de-emphasizes Russia’s invasion of Ukraine and instead focuses on criticizing NATO countries for not paying their fair share – policies which, even as recently as the President’s meeting last week with Angela Merkel, have now presciently come to pass.”).

But that’s recent representation — “since January 2017.”

Business B transactions

Business B represents a variety of interests, but one of them is the kind of business that got mentioned in the Steele dossier as potentially colluding with Trump.

The “Steele Dossier” directly implicates [redacted] in potential collusion between the Trump campaign and Russia;

Both these businesses appear to have names that can be referred to as a short acronym.

Journalist (and other) transactions

There are three journalist transactions (besides those tied to Yahoo and Beacon):

  • Transactions 62-64, payments dated May 16, June 9, and September 6
  • Transactions 68-69, payments dated June 15 and August 26
  • Transactions 107-112, payments dated September 1, October 25, November 14, December 2, January 9, February 2

Then there is this:

  • Transaction 66, a payment dated December 12

This is not a payment to a journalist, per se, but to “individuals on [sic] have contributed to press stories on Russian issues relevant to its investigation.” This last payment, generally treated in the “journalist” category, appears to be tied to someone being quoted in the press, not writing their own work.

It’s interesting because this payment happens in the time period when the last, allegedly free report was being prepared.

Update, 12/12/17: The researcher with the short name may be Nellie Ohr, the wife of a DOJ official who was in the loop on the dossier.

In Defense of Subpoena for Fusion Bank Records, HPSCI Alleges Fusion Paid Journalists

The House Intelligence Committee continues to fight with Fusion GPS over records and testimony. Most specifically, they continue to fight over how many of Fusion’s bank records it should have to turn over. Yesterday, HPSCI submitted a filing that suggests a number of fairly inflammatory things about Fusion’s work, most notably that they may have paid up to four journalists and/or researchers besides Steele in conjunction with topics relating to Russia, if not the dossier.

HPSCI is currently asking for:

The context in the declaration from Scott Glabe suggests the following about these requests.

The 30 initial transactions would relate to Perkins Coie and BakerHostetler, as well as the payments to Steele’s firm, though a redaction elsewhere suggests there are 6 counterparties total that Fusion has already provided records on.

HPSCI is interested in the law firms because of the way Fusion’s true clients (the Democrats and Prevezon, for example) have had law firms pay Fusion to hide their role in the project. It wants to know if those 8 law firms served as cut-outs for other Russian related work.

It is interested in Business A because it might pertain in some way to “links between Russia and individuals associated with political campaigns or any other U.S. person,” particularly some policy matter at issue in the inquiry/reflected in the dossier. HPSCI is interested in Business B because it may pertain to collusion between Russia and the Trump campaign.

With regard to journalists or researchers, Fusion has apparently already provided records related to one journalist or researcher. HPSCI is seeking records pertaining to three more. Given the reference, below, which seems to suggest an earlier redacted reference to Mother Jones, I don’t rule out the earlier one being David Corn or someone else from Mother Jones, and MoJo has a specific effort associated with Russia coverage. The 8 transactions mentioned must pertain to payments from Beacon, which funded the early work on the dossier.

The 12 transactions appear to involve payments from Yahoo to Fusion, based on the following passage:

As Mr. Steele has acknowledged in other dossier-related litigation, in addition to sharing memos comprising the dossier with Mother Jones, in fall 2016 he met with at least five major media outlets at Fusion GPS’ direction. Those outlets included Yahoo News, which on September 23, 2016, reported purported meetings between Trump campaign advisor Carter Page and specified high-ranking Russian officials, attributed to a single “well-placed Western intelligence service.” Substantively similar allegations were contained in the dossier. Given Fusion GPS’ demonstrated pattern of dossier-related engagement with media outlets, the Requested Records include records from [line and a half redacted].

Mind you, I don’t understand why Yahoo would be paying Fusion if they were at the same time publishing its dirt. But the allegation is of particular interest given the way Michael Isikoff’s September story has been a central self-referential piece of “proof” dossier boosters always rely on to prove its value.

First, note that Sipher relies on “renowned investigative journalist” Michael Isikoff to validate some of these claims.

Renowned investigative journalist Michael Isikoff reported in September 2016 that U.S. intelligence sources confirmed that Page met with both Sechin and Divyekin during his July trip to Russia.

[snip]

A June 2017 Yahoo News article by Michael Isikoff described the Administration’s efforts to engage the State Department about lifting sanctions “almost as soon as they took office.”

Among the six journalists Steele admits he briefed on his dossier is someone from Yahoo.

The journalists initially briefed at the end of September 2016 by [Steele] and Fusion at Fusion’s instruction were from the New York Times, the Washington Post, Yahoo News, the New Yorker and CNN. [Steele] subsequently participated in further meetings at Fusion’s instruction with Fusion and the New York Times, the Washington Post and Yahoo News, which took place in mid-October 2016.

That the Yahoo journalist is Isikoff would be a cinch to guess. But we don’t have to guess, because Isikoff made it clear it was him in his first report after the dossier got leaked.

Another of Steele’s reports, first reported by Yahoo News last September, involved alleged meetings last July between then-Trump foreign policy adviser Carter Page and two high-level Russian operatives, including Igor Sechin — a longtime associate of Russian President Vladimir Putin who became the chief executive of Rosneft, the Russian energy giant.

In other words, Sipher is engaging in navel-gazing here, citing a report based on the Steele dossier, to say it confirms what was in the Steele dossier.

Fusion is claiming a First Amendment interest in keeping this all hidden. Me, I’m actually a bit interested in which journalists and researchers were getting and giving Fusion money.

Abbe Lowell’s “No Apparent Evidence” of Jared Kushner Involvement Defense

The other day I examined how Abbe Lowell’s non-responsive answer to Senate Judiciary Committee concerns about the disclosure of his client Jared Kushner revealed that the Intelligence Committees are conducting thoroughly inadequate investigations. He claimed the disclosures to SJC matched those to the ICs, yet he totally blew off the request for documents “about” people and topics of interest. That means the ICs didn’t get Jared’s documents pertaining to people and topics of interest — which is a pretty good way of hiding what Jared knew about Russian tampering.

[C]heck out Lowell’s more general excuse for not turning over such documents:

With respect to the substance of your letter, let me start with the so-called “Missing Documents.” They are not missing at all. As you will note, after I spoke to your staff, I wrote a cover letter with our production. In that letter, I wrote: “We believe that our prior production [to the intelligence committees] contains the most pertinent documents to your inquiry into the June 9, 2016 meeting at Trump Tower, and related matters, and undercut any notion that there was collusion (or even any extensive interaction) between Mr. Kushner and Russia concerning the 2016 election.” The documents provided to those committees fully responded to their requests. That was why we said we would provide those documents to you first to see if anything else was relevant or new, and try to determine whether those documents satisfy your inquiry as well.

This production, which doesn’t include any documents about designated topics (including the June 9 meeting), satisfied the intelligence committees. That means the intelligence committees could not have asked for “about” documents (which is particularly ironic given that they’re both trying to find a way to help NSA turn “about” 702 collection back on). Which in turn means the intelligence committees likely have huge gaps in their understanding of Jared’s awareness of the Russian discussions.

And in addition to all his other contemptuous non-answers to Feinstein’s letter, Lowell says Jared shouldn’t have to sit for an interview with SJC because he already sat for 6 hours with the other committees, the committees that didn’t ask for “about” documents and therefore don’t have a complete picture of Jared’s involvement.

It turns out Adam Schiff now agrees that they didn’t have the documents necessary to provide adequate preparation to question Jared.

Rep. Adam Schiff (D., Calif.), the top Democrat on the House Intelligence Committee, said in an interview that Mr. Kushner had been interviewed “prematurely,” when the committee was “not ready.”

“We didn’t have the advantage of documents that we would have wanted to ask [him] about,” he said.

A failure to obtain and review the documents necessary to understand Jared’s action seems to be a trend.

Which is why I’m so interested in this comment, from Lowell, about whether Jared — widely reported to have been a key player in convincing Trump to fire Comey —

At the Oval Office meeting on Monday, May 8, Trump described his draft termination letter to top aides who wandered in and out of the room, including then-Chief of Staff Reince Priebus, White House Counsel Donald McGahn and senior adviser Hope Hicks. Pence arrived late, after the meeting had begun. They were also joined by Miller and Trump’s son-in-law, Jared Kushner, both of whom had been with Trump over the weekend in Bedminster. Kushner supported the president’s decision.

— seems to have not heard of such a thing. (See also this post.)

Mr. Lowell said in an interview, “When the president made the decision to fire FBI Director Comey, Mr. Kushner supported it.” A White House attorney added that Mr. Kushner had “no meaningful role” in the decision: “There’s no apparent evidence of Jared’s involvement in any decision-making process having to do with Mr. Comey’s firing.”

“No apparent evidence” sounds like the line of a lawyer that’s not budging beyond what he has seen in document review. But if he has designed all his document review — even to the point of ignoring the instructions from Congress — to avoid turning over any communications that reflect Kushner’s thinking about events he wasn’t personally involved in, then he’s not going to have stumbled across the most pertinent documents.

Which is to say, there may well be a good deal of evidence. But it doesn’t seem like Lowell’s working very hard to find out if there is.

In any case, while you’re reading this, about Mueller’s interest in Jared’s contacts, even beyond those with Russian bankers, this post on Jared’s so-called peace plan is on point.

The Continued “Oh, Trump Will Just Pardon Them” Meme Is Stupid

I have constantly thought, and still think, that the fear of “pardons” from Trump is overblown.

First off, this thought is almost undoubtedly part of why Mueller has Michael Dreeben on his team. A point noted both here indirectly and numerous other places more directly.

Secondly, a pardon places any potential witness in the very untenable position of having to testify honestly (whether to a Grand Jury or trial jury) or face perjury charges. I really do not think most commentators have thought through this conundrum enough. The second Trump pardons, all 5th Amendment protections as to federal offenses are removed. That would be catnip for Bob Mueller.

Lastly, remember where Mueller started off. Obstruction of justice. Just because any particular act (like a pardon) is putatively “legal” does not mean it cannot be an element in a larger crime.

The brutal reality is far different than the “oh Trump will just pardon them” narrative. Trump cannot wave the magic pardon wand and make it all go away and stop affecting him. But, hey, surely Donald Trump is in better shape than John Dowd’s last huge political criminal defense case.