Stephen Miller’s and Trump’s Gross Re-Politicization of DOJ

There was some legitimate concern about inappropriate machination of the Department of Justice when Trump named and confirmed Jeff Sessions as his Attorney General. Typical of the discussion was this by Isaac Arnsdorf at Politico:

Donald Trump suggested on the campaign trail that he could use the Justice Department to fulfill his political agenda, taunting Hillary Clinton by threatening to throw her in jail over her email scandal.

Now, Sen. Jeff Sessions, Trump’s pick for attorney general, will have to decide whether to follow his predecessors by vowing to not let politics drive the DOJ’s decision-making.

That was one level of concern, and a serious one. Today we find that concern was not close to being deep enough as to how the Trump White House would try to run Justice as merely a lever of its extreme politics.

But, via the New York Daily News, comes a little-noticed and truly frightening report of just how renegade and ridiculous the “fine tuned machine” of the Trump White House is determined to be in politicizing the DOJ. In an article captioned “Stephen Miller called Brooklyn U.S. Attorney at home and told him how to defend travel ban in court”, comes the stunning news that:

In the chaotic hours after President Trump signed on a Friday afternoon the sloppily written executive order meant to fulfill his Muslim ban campaign promise, Stephen Miller called the home of Robert Capers to dictate to the U.S. Attorney for the Eastern District how he should defend that order at a Saturday emergency federal court hearing.

That’s according to a federal law enforcement official with knowledge of the call, which happened as Department of Justice attorneys cancelled plans, found babysitters and rushed back to their Brooklyn office to try and find out what exactly it was they were defending and who was being affected by it — how many people were already being held in America, how many were being barred from arriving here and the exact status of each person.

The full article at the NYDN is mandatory reading, but let that sink in for a second. 31-year-old Stephen Miller, a wet-behind-the-ears extreme right-wing ideologue with white nationalist leanings and NO, repeat NO legal training, much less a law degree, called up a United States Attorney – at home! – to “dictate” how the DOJ would operate in an emergency litigation situation in a United States District Court.

Stunning is too weak of a response. Shocking is insufficient. It is actually hard to know what the proper words for this are.

I asked Matthew A. Miller, former OPA head under the Obama DOJ, for a thought on the implications of Stephen Miller’s hubris in this instance. His reply was:

The last time a White House started dictating demands to U.S. attorneys, the sitting Attorney General had to resign in disgrace. This raises yet another in a series of questions about whether the Sessions Justice Department will be independent from the Trump White House.

Exactly. I would have said “unprecedented” above along with “stunning” and “shocking”, but for what occurred during a period of the Bush/Cheney regime when the interaction with and control of the DOJ from the White House was extreme. And, ultimately, it was exposed as beyond unacceptable and inappropriate by more reasoned minds and authorities. And that was, I might add, substantially due to the Fourth Estate of the press, which Trump blithely and ignorantly describes as “enemies of the American people”.

Yes, it is really that important of a moment now with Stephen Miller (note: NO relation to Matthew A. Miller) and the extreme hubris and lack of institutional awareness, competence or control, and obvious disdain for any, by the Trump Administration.

Back in 2007 Senator Sheldon Whitehouse created, and displayed at a Senate hearing, a stunning graphic displaying the shocking difference between the communication between the Clinton White House and DOJ and the ridiculous political input that the Bush/Cheney White House had into DOJ.

From the grossly inappropriate statements of President Donald Trump as to how “he” will direct prosecutions of political enemies and other criminal and military defendants, leakers and others, to the literally insane conduct of Stephen Miller here, it is time to remember Senator Whitehouse’s chart.

It is also time to wonder if Sheldon Whitehouse and other members of the Senate Judiciary Committee have the cojones to take the fight for the Constitution and the integrity of the justice system once again to a renegade White House. And the Trump White House has quickly made the Bush/Cheney White House look better in the rear view mirror, as truly craven as they were.

And, yes, the situation is exactly that dire if you recall the same Stephen Miller, being sent out and directed to all the Sunday political shows to declare and mandate that:

“…our opponents, the media and the whole world will soon see as we begin to take further actions, that the powers of the president to protect our country are very substantial and will not be questioned.”

This is straight up an Article II Branch declaration of pure tyranny by Stephen Miller and Trump. This is a serious problem, and this is an Administration making good on its promise and determination in that regard.

Super Bowl 2017 Trash Talk

Here we are at the end of another NFL season. And the biggest sports day of the year. As you can see in the title, I have given up on the league’s insistence on Roman numeral designators. We are not in Rome, and they make my head hurt after a while. We are past that while.

The Falcons and the Patriots in Houston. It has, from all appearances, been a fantastic week in Houston; the city has really shined. I am not surprised; Houston has been an under-appreciated gem as to municipal government competence and civic activity for quite a while now. And a great town for a wide diversity of excellent food!

A couple of news and notes: Matt Ryan was named the NFL MVP last night, beating out Tom Brady by far more than he should have, but still a fair choice. On a local note, Larry Fitzgerald was made the co-recipient of the Man of the Year Award with Eli Manning. Spidey Fitz is incredible, both here in Phoenix and back in his original home of Minnesota. Well deserved. Also, Kurt Warner was named to the Hall of Fame. Any man that can get both the Cardinals and Rams to the Super Bowl absolutely belongs in the Hall of Fame. Here is a complete list of all the NFL honors announced last night.

As to the game itself, it is quite clear that the politicization from the abject racism and bigotry of Trump, and especially his Muslim ban, is going to spill into the spotlight. Given the publicity platform of an event like the Super Bowl, that is not surprising, but it is stunning as to how much it seems to be so this year. Things are not normal in the US anymore, even if the old “normal” had its warts.

But today’s game is being broadcast by the right wing bastion of Rupert Murdoch’s FOX network. And they are, predictably, censoring the paid advertising content they will show. The video at the top was a 90-second spot that Lumber 84 was willing to pay full freight for, at a rate that bills out at about $5 million per 30 seconds. Would FOX take that money from Lumber 84 for one of the most beautifully produced ads you will ever see? Nope, too “controversial” for the assholes at Fox. Guess they figured their nutjob boy Trump might be watching. Selective censorship.

Interestingly, FOX apparently will air a similarly themed ad from Anheuser Busch, an advertising juggernaut that they cannot risk pissing off. That ad is to the right. Why is it less objectionable than the Lumber 84 spot? Basically because Busch has real ad buying power and Lumber 84 does not. The AB ad is great too, but the complete craven hypocrisy of FOX is on full display here. Can’t have too much advertising space that might upset Dear Leader Donald! I mean, shit, he might lash out in an incoherent tweet!

Alright, to the game. As always, the actual football has been micro-analyzed endlessly for the last two weeks, so I do not have a ton of analysis to add. The focus seems to have been more slanted to the two teams’ offensive capabilities. I will say, I think that is wrong. Both offenses are relatively healthy and potent (except Falcons’ star center Alex Mack will play with a small fracture in his fibula). A decent team matchup rundown from the AP is here.

Instead, I think, as it turns out is usually the case, defense will decide the winner. The Pats have a deceptively decent defense, and, as also is usually the case, they have really gelled down the stretch. The game’s outcome will be decided by how well New England’s defense plays. I have no idea who will win, but I hope it is the Patriots so that the odious Roger Goodell has to hand the trophy to Bob Kraft and Tom Brady.

That is it folks. Eat some food, drink some beer and spirits, and have a ball.

The Three Most Believed Fake News Stories of the Election (Tested by Stanford) Favored Hillary

In a piece repeating erroneous BuzzFeed reporting, the Atlantic expresses concern that the left is now sharing fake news stories just like the right shared them during the election.

If progressives are looking to be shocked, terrified, or incensed, they have plenty of options. Yet in the past two weeks, many have turned to a different avenue: They have shared “fake news,” online stories that look like real journalism but are full of fables and falsehoods. It’s a funny reversal of the situation from November. In the weeks after the election, the press chastised conservative Facebook users for sharing stories that had nothing to do with reality. Hundreds of thousands of people shared stories asserting incorrectly that President Obama had banned the pledge of allegiance in public schools, that Pope Francis had endorsed Donald Trump, and that Trump had dispatched his personal plane to save 200 starving marines.

The phenomenon seemed to confirm theorists’ worst fears about the internet. Given the choice, democratic citizens will not seek out news that challenges their beliefs; instead, they will opt for content that confirms their suspicions. A BuzzFeed News investigation found that more people shared these fake stories than shared real news in the three months before the election. A follow-up survey suggested that most Americans believed fake news after seeing it on Facebook. When held to the laissez faire editorial standards of Facebook, the market of ideas fails.

As I laid out, BuzzFeed’s claim that most Americans believe fake news was not what BuzzFeed’s poll actually showed; rather, it showed that those who remember fake stories believe them, but that works out to be a small fraction of the people who see the story. And this piece is one of many that points out some methodological problems with BuzzFeed’s count of fake news sharing.

The Atlantic then goes on to cite stuff (like the @AltNatParSer and @RoguePOTUSStaff) that is not verified but might be true, but which is in any case critiqued as the left’s new habit of fake news.

All that said, the Atlantic is right that the left can be sucked in by not-true news — but that was true during the election, too. Consider this Stanford study that, generally, found that fake news wasn’t as impactful as often claimed.

We estimate that in order for fake news to have changed the election result, the average fake story would need to have f ≈ 0.0073, making it about as persuasive as 36 television campaign ads.

Buried deep inside the story is a detail one or two people have noted, but not mentioned prominently. Among the fake news stories studied by the authors (which were limited to stories debunked at places like Snopes, which is a significant limit to the study), two stories favorable to Hillary were the most believed.

Blue here is the percentage of the US adult population that believed a story and red is “not sure.” Whether you aggregate those two categories or take only those who affirmatively say they believed something, this story — claiming Congressman Jeff Denham helped broker Trump’s deal for the Trump Hotel in DC — and this story — repeating Kurt Eichenwald’s claim that he had proof WikiLeaks doctored emails — led all the fake stories Stanford tested, with close to 30% definitely believing both (see my post on that story). This story claiming Clinton paid Beyonce for a campaign appearance was the most-believed anti-Hillary story, which came after a third Hillary-friendly story claiming Trump was going to deport Lin-Manuel Miranda (note, as also shown in other studies, the fake news stories weren’t recalled or believed at the same rates as the true ones, though in the aggregate, the Denham story rivaled “small true” stories).

Note, the Stanford study did not test this story, which also claimed Wikileaks had doctored emails. It appeared on the same Clinton site three days earlier, and was itself based off a fake news story created by a Hillary supporter (with some spooky ties) and magnified by Malcolm Nance and Joy Reid. Those two stories likely reinforced each other.

I’m interested in both of these stories — in part, because the realities of Trump’s corruption and his ties to Russia are both bad enough without Democratic operatives inventing stories about them. But obviously, I’m particularly interested in the latter, in part because, even in spite of the real evidence implicating Russia in the hack of the DNC, Democrats tend to believe anything involving Russia without evidence.

That’s ironic, given that the risk of fake news is supposed to stem from Putin poisoning our airwaves.

Update: I’ve added “three” to the title because a number of people said it would make it more clear. Thanks to those who suggested it.

The Problems with Pompeo: A Willingness to Use Information on Americans Russia Hacked and Shared with Trump

On Friday, the Senate confirmed the first two of President Trump’s nominees: Generals Mattis and Kelly to run DOD and DHS, respectively. But it did not confirm the third nominee slotted for that day, Mike Pompeo. In part because the nomination was not dealt with in regular fashion in the Senate Intelligence Committee (which did not vote out his nomination), Ron Wyden managed to force Mitch McConnell to hold 6 hours of debate tomorrow on his nomination.

Wyden has suggested we need to have more debate because Pompeo hasn’t answered all the questions posed to him. And it is true that Wyden has concerns about the following issues. But perhaps most of all, Wyden’s questions suggest he is concerned that the Trump administration will use information the Russians hacked against Americans.

In follow-up questions posed to Pompeo, Wyden expressed concern about Pompeo’s:

  • Enthusiasm for using bulk collections of “lifestyle” information on Americans
  • Willingness to have the CIA engage in activities the Ambassador or other Chief of Mission disagrees with
  • Squirminess about when the CIA can kill a US person
  • Dodginess on classifying torture information that reveals illegal, embarrassing, competitive, or otherwise unclassified information

But as I said, Wyden’s chief concern appears to be that Pompeo will use information the Russians have or will give the Trump administration against Americans.

Enthusiasm for using bulk collections of “lifestyle” information on Americans

A big point of concern for Wyden and Martin Heinrich throughout Pompeo’s confirmation process is this op-ed he wrote at the beginning of last year. Based in part on the fact that the intelligence community didn’t find Tashfeen Malik’s anti-American statements on non-public social media, and in part on the demonstrably false claim that the IC didn’t find the Garland attackers beforehand (in reality, the FBI was cheering them on), Pompeo argued we need to collect still more data. “Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database,” he wrote.

Pompeo has dodged questions about precisely what “lifestyle” information he wants to collect — though it surely includes Twitter’s firehose of data from Dataminr. Sadly, he repeatedly pointed to executive orders in his answers, and the new EO 12333 sharing rules permit the access of “public” information, which can include information from data brokers (though Pompeo claims ignorance of what he might want to use). So while Wyden is concerned that Pompeo will start dragnetting Americans, sadly he has been enabled to do so by one of the last things Obama did.

Willingness to have the CIA engage in activities the Ambassador or other Chief of Mission disagrees with

Another concern Wyden raised pertains to disagreements between the Chief of Mission (the top diplomat in a country) and the CIA Station Chief. This has been an issue in the past at least as it pertains to drone strikes in Pakistan and the torture program, where the Ambassador was either not informed or not properly consulted on CIA activities within a country.

When asked a yes or no question whether he would permit CIA to conduct activities even while an outstanding disagreement remained, Pompeo refused to answer, stating instead that he would seek an expeditious decision from the President. Effectively, he suggested if he were losing a disagreement with State, he’d get Trump to override State.

Squirminess about when the CIA can kill a US person

Wyden, who has long sought guidelines on when the US can kill an American citizen, returned to pre-hearing questions on this topic. After citing the Drone Rule Book requirement that DOJ be involved before taking action against a US person, he asked whether Pompeo agreed with the requirement. Pompeo basically said the US “must consider an American citizen’s constitutional rights prior to targeting him” and “CIA attorneys frequently consult with” DOJ (though he left open the possibility of relying on less formal analysis). Ultimately, Pompeo dodged laying out any additional checks he’d follow before killing an American.

Dodginess on classifying torture information that reveals illegal, embarrassing, competitive, or otherwise unclassified information

Wyden asked Pompeo if he disagreed with the prohibitions on classifying information to “(1) conceal violations of law, inefficiency, or administrative error; (2) prevent embarrassment to a person, organization, or agency; (3) restrain competition; or (4) prevent or delay the release of information that does not require protection in the interest of national security,” prohibitions that existed in Clinton’s, George W. Bush’s, and Obama’s EOs on classified information. Pompeo said he did not. However, immediately in that context, Wyden asked about the Torture Report, and Pompeo dodged all questions about declassifying the torture report.

Willingness to use information obtained by Russians hacking Americans

But as I said, Wyden’s persistent concerns in his post-hearing questions pertained to whether and how Pompeo would be willing to cooperate with the Russians. Raising a Pompeo hearing comment that if a foreign partner gave the CIA information on US persons “independently,” “it may be appropriate of CIA to collect [that] information in bulk,” Wyden raised Trump’s encouragement of Russian hacking and asked what circumstances would make foreign collection so improper that CIA should not receive such information. Pompeo responded, “information obtained through such egregious conduct may be appropriate for the CIA to use or disseminate.”

Wyden then listed out a bunch of conditions, such as information coming from an adversary, to disrupt US democracy, information implicating First Amendment protected political activity, or information affecting thousands or millions of Americans. “The listed conditions could all be relevant,” Pompeo responded, remaining non-committal.

Wyden raised a Pompeo comment suggesting rules for accessing US person communications under EO 12333 and asked if that was true of information known to include significant US person information. Pompeo said he would consult experts and AGG guidelines (which, arguably, are this flexible).

Wyden raised Pompeo’s promise to expand intelligence cooperation with state and non-state partners, and asked specifically whether this included Russia, and if so how Pompeo planned on dealing with the counterintelligence risks of doing so. Pompeo said he was not referring to “any specific partners,” said, “CIA already has a strong counterintelligence program,” and said anything he did would comply with law and standard practices and be noticed to Congress.

Wyden then asked if “it is legal or appropriate for the White House to obtain from a foreign partner…information that includes the communications of U.S. persons” and if he learned that they were doing so, whether he would inform Congress of it. Pompeo responded “I am not aware of a DCIA role in supervising White House activities or providing legal counsel to the White House on its activities,” apparently committing only to informing Congress of CIA’s own activities.

In short, there are a lot of reasons to be worried about Pompeo as Director of CIA. But Wyden seems most worried that CIA (and the White House) will use information Russia gives them against American citizens.

Brennan Makes Even Crazier Plausible Deniability Claims about Trump Dossier

As I have laid out, the intelligence community has been making some odd claims about the Trump dossier. First, James Clapper claimed that the IC was the last to learn of the dossier, in spite of the fact that IC member FBI was getting the reports at least by August and probably earlier. Then, Sunday, John Brennan claimed the IC couldn’t be held responsible for leaking the dossier (though without denying that the IC had leaked it), because the dossier had already been out there; except the dossier — released with a report that post-dates all known public versions of the dossier — therefore post-dates what “was already out there.”

Brennan’s back with yet another claim, this in response to Trump’s insinuation that Brennan might have leaked it: Brennan claimed he has never read the dossier.

“Was I a leaker of this? No,” Mr. Brennan said Monday in an interview at CIA headquarters, days before he ends a career that has spanned more than three decades and that took him from entry-level recruit to head of the nation’s most storied spy service.

“First of all, this is not intelligence community information,” Mr. Brennan said. He noted that the dossier had been circulating “many months” and that he first heard about it from inquiring reporters last fall. To date, he hasn’t read the document and gave it no particular credence, he said.

“I would have no interest in trying to give that dossier any additional airtime,” Mr. Brennan said.

I mean, sure, you’re conducting one of the most sensitive briefings of recent history. The briefers here are all principals — along with Brennan and Clapper, Admiral Mike Rogers and Jim Comey. And you don’t even read the stuff that goes into it? You don’t review the underlying dossier that, you claim, you’re briefing just so Trump knows what the Russians have on him?

That may well be true. But if it is, it suggests a very deliberately cultivated plausible deniability, one that the decision to have Comey brief the dossier to Trump by himself only adds to. Most charitably, Brennan cultivated such deniability only to ensure he can claim that the CIA is not engaging in domestic politics (and that may well be enough).

But along with the pointedly false claims about what the IC knew when, the claim raises questions about why CIA would go so far out of its way to be able to claim they didn’t know.

The Significance of the December 13 Trump Dossier Report

John Brennan and Donald Trump are in a fight.

In his press conference last week, Trump called out the intelligence community for “allowing … information that turned out to be so false and fake” out, likening the leak to something that would happen in Nazi Germany.

I think it was disgraceful, disgraceful that the intelligence agencies allowed any information that turned out to be so false and fake out. I think it’s a disgrace. And I say that and I say that.

And that’s something that Nazi Germany would have done and did do. It’s a disgrace. That information that was false and fake and never happened got released to the public, as far as BuzzFeed, which is a failing pile of garbage, writing it, I think they’re going to suffer the consequences.

Over the weekend, Brennan went on Fox News to scold Trump for the Nazi analogy. At that appearance, he said this about the release of the dossier.

I think as the Director of National Intelligence said in his statement, this is information that’s been out there, circulating, for many months. So it’s not a question of the intelligence community leaking or releasing this information. It was already out there.

[snip]

There is no basis for Mr. Trump to point fingers at the intelligence community for leaking information that was already available publicly.

In response to Brennan’s appearance (and his suggestion Trump didn’t know what the fuck he was doing in Syria and Russia), Trump insinuated that Brennan may have leaked the dossier.

Let’s unpack this. Because while I have no idea who leaked the document (though I highly doubt Brennan would have done so personally), the intelligence community’s claims are really suspect.

As I noted last week, the James Clapper statement rather bizarrely claimed the IC was the last to know about the document. The dossier, according to Clapper, was “widely circulated in recent months among the media, members of Congress and Congressional staff even before the IC became aware of it.”

That (as some people have pointed out) cannot be true.

The stories about what Christopher Steele did when have been evolving. But David Corn’s description, based off a conversation that occurred before the IC started making public claims, strongly suggests that Steele started sharing documents with the FBI “soon” after “the end of June.”

By the end of June, he was sending reports of what he was finding to the American firm.

The former spy said he soon decided the information he was receiving was “sufficiently serious” for him to forward it to contacts he had at the FBI. He did this, he said, without permission from the American firm that had hired him. “This was an extraordinary situation,” he remarked.

Some other reports, based off claims made after the Clapper statement, put this date later — maybe August — even while the implication has always been that the FBI request for a FISA warrant in June stems from these reports.

Even if that information sharing dates to August, however, it would mean the FBI — a member of the IC — had regular updates from the dossier at least by then, if not by June. Sure, you might claim that FBI investigative teams are not part of the IC, but given that this would be a counterintelligence investigation, that’d be a laughable claim.

In other words, even assuming the claims about where the dossier came from and who paid for it are true, the IC was not the last to know, but one of the first.

There are two other dates of note that go into the claim the dossier was widely circulated before it got briefed to Trump this month. We know that the IC briefed the Gang of Eight on this dossier in October. Shortly thereafter, Corn received a copy of the dossier and wrote about it (though he has not revealed who gave it to him). Then in December, John McCain got a copy from Sir Andrew Wood. According to a Guardian article published around 9AM on the same day as the Clapper statement, McCain had not only received the dossier, but handed it over — yet another copy — to the FBI on December 9.

Senator John McCain, who was informed about the existence of the documents separately by an intermediary from a western allied state, dispatched an emissary overseas to meet the source and then decided to present the material to Comey in a one-on-one meeting on 9 December, according to a source aware of the meeting. The documents, which were first reported on last year by Mother Jones, are also in the hands of officials in the White House.

McCain, in a statement released midday on the day of the Clapper statement, is more vague about the hand-off date, describing it only as “late last year.”

I’m working on the specific times, but it is significant that the Guardian article with the exact date came out in the morning on January 11, the vague McCain statement came out mid-day sometime, and Clapper’s statement came out that evening.

That’s significant because some people assume that McCain is the one who released the dossier — the dossier he received on December 9.

If that date is correct, the dossier couldn’t have come from McCain, because the last report in the dossier is dated four days later, December 13.

Very significantly, this last report, which talks about the Russian cover-up of the hack, alleges “the operatives involved had been paid by both TRUMP’s team and the Kremlin.” This is, in my opinion, one of the most incendiary claims in the entire dossier — that Trump not only encouraged Russia’s campaign, but paid operatives involved in it.

Just as significantly, the date completely undermines the substance of Brennan’s defense. When he says, “this is information that’s been out there, circulating, for many months. … It was already out there. … There is no basis for Mr. Trump to point fingers at the intelligence community for leaking information that was already available publicly,” he’s wrong. The full set of information released to BuzzFeed — including the allegation Trump paid for this operation — actually hasn’t been out there, because it post-dates all known circulation of the document.

Also remember that journalists have suggested they got copies of the dossier that redacted all the sources. This one didn’t. At least one likely source named in the report has died in curious circumstances since the release of the report.

I really have no idea where the dossier got leaked from — that is one reason I’m so interested in artifacts in the document that may raise questions about the provenance of the released dossier. I also wouldn’t, at this point, be surprised if Trump were getting his own stream of intelligence, possibly even from Russia, about where and how it got released.

But thus far, the IC’s claims about the dossier are even more dodgy than Trump’s, which is saying something.

The Trump Dossier Alleges DNC Insiders Were Involved in Anti-Clinton Operation

I still have questions about the provenance of the Trump dossier, particularly with respect to how we’ve received it. While this article has been touted as answering a lot of questions, it actually creates new ones (plus, it would seem to violate the D Notice that formally prohibits talking about Christopher Steele and his role).

But I did want to point to a passage in the dossier that seems critically important, if it can be deemed true. (Note, Cannonfire has an OCRed version of the dossier here.) According to a July report from Steele, there were DNC insiders involved in the operation.

Agreed exchange of information established in both directions. team using moles within DNC and hackers in the US as well as outside in Russia. PUTIN motivated by fear and hatred of Hillary CLINTON. Russians receiving intel from team on Russian oligarchs and their families in US

[snip]

2. Inter alia, Source E, acknowledged that the Russian regime had been behind the recent leak of embarrassing e-mail messages, emanating from the Democratic National Committee (DNC), to the WikiLeaks platform. The reason for using WikiLeaks was “plausible deniability” and the operation had been conducted with the full knowledge and support of TRUMP and senior members of his campaign team. In return the TRUMP team had agreed to sideline Russian intervention in Ukraine as a campaign issue and to raise defence commitments in the Baltics and Eastern Europe to deflect attention away from Ukraine, a priority for PUTIN who needed to cauterise the subject.

3. In the wider context campaign/Kremlin co-operation, Source E claimed that the intelligence network being used against CLINTON comprised three elements. Firstly there were agents/facilitators within the Democratic Party structure itself; secondly Russian emigre and associated offensive cyber operators based in the US [note: corrected OCR error] and thirdly, state-sponsored cyber operatives working in Russia. All three elements had played an important role to date. On the mechanism for rewarding relevant assets based in the US, and effecting a two-way flow of intelligence and other useful information, Source E claimed that Russian diplomatic staff in key cities such as New York, Washington DC and Miami were using the emigre ‘pension’ distribution system as cover. The operation therefore depended on key people in the US Russian emigre community for its success. Tens of thousands of dollars were involved. [my emphasis]

The claim there were “moles” within the DNC would be perfectly consistent with something Julian Assange has long claimed: that he got the documents from a disgruntled DNC insider.

The Declassified Russian Hack Report

The Intelligence Community’s report on Russia’s tampering in the election is here.

What we see of it is uneven. I think the report is strongest on Russia’s motive for tampering with the election, even if the report doesn’t provide evidence. I think there are many weaknesses in the report’s discussion of media. That raises concerns that the material on the actual hack — which we don’t get in any detail at all — is as weak as the media section.

This will be a working thread.

The first 5 pages are front-matter and fluff, which means this is less than a 10 page report, plus a media annex which is problematic.

Scope

Here’s how the report describes the scope of the assessment.

It covers the motivation and scope of Moscow’s intentions regarding US elections and Moscow’s use of cyber tools and media campaigns to influence US public opinion. The assessment focuses on activities aimed at the 2016 US presidential election and draws on our understanding of previous Russian influence operations. When we use the term “we” it refers to an assessment by all three agencies.

I checked with ODNI, and the classified report has the exact same conclusions as this one, suggesting the scope is the same. That seems to be a significant problem to me. At a minimum, it should address whether Shadow Brokers was part of the same campaign. But there are other, less obvious things that would need to be included that would not be under this scope, things that I believe should be considered in the process of drawing conclusions.

The scope also includes this, which Director Clapper had already noted in yesterday’s hearing.

We did not make an assessment of the impact that Russian activities had on the outcome of the 2016 election. The US Intelligence Community is charged with monitoring and assessing the intentions, capabilities, and actions of foreign actors; it does not analyze US political processes or US public opinion.

It’s a bit of a cop-out, but a fair one: our nation’s spooks should not be delving into electoral outcomes (aside from the way the FBI’s Jim Comey was the most important player in this election after Hillary).

Sourcing

I’m fascinated by the entirety of the sourcing section. First, it doesn’t even say that it is relying on private contractor reports, which it surely is.

Many of the key judgments in this assessment rely on a body of reporting from multiple sources that are consistent with our understanding of Russian behavior.

Then there’s this section that pretends the government doesn’t have Putin and his associates lit up like Christmas trees.

Insights into Russian efforts—including specific cyber operations—and Russian views of key US players derive from multiple corroborating sources. Some of our judgments about Kremlin preferences and intent are drawn from the behavior of Kremlin loyal political figures, state media, and pro-Kremlin social media actors, all of whom the Kremlin either directly uses to convey messages or who are answerable to the Kremlin.

On top of all the other problems with the media section, this use of media is tautological: a statement that because Russia has propaganda all its propaganda must be a clear representation of Russia’s views.

The Russian leadership invests significant resources in both foreign and domestic propaganda and places a premium on transmitting what it views as consistent, self-reinforcing narratives regarding its desires and redlines, whether on Ukraine, Syria, or relations with the United States.

Key Judgements

While it is nowhere near this bad elsewhere, check out how the IC conceives of Russia’s efforts in terms of US exceptionalism, the “US-led liberal democratic order.”

Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations. [my emphasis]

I mean, Putin also wants to disrupt US backing of Saudi/Qatari regime change in Syria, and US backing for Neo-Nazis in Ukraine. But the IC pitches US hegemony as exclusively ponies and daisies.

Contrary to what you might read at other outlets, the assessment of Russia’s motive describes Putin’s animosity towards Clinton before it addresses his fondness for Trump.

Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments.

In fact, the judgment that Putin affirmatively wanted Trump is broken out largely because the NSA has less confidence in this than the CIA and FBI.

We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence.

That’s especially interesting given the reference to what we know to be, in part, intercepts showing Putin and his buddies celebrating.

Further information has come to light since Election Day that, when combined with Russian behavior since early November 2016, increases our confidence in our assessments of Russian motivations and goals.

That says that the folks who spend the most time reading SIGINT are the least convinced the SIGINT supports the case that Putin was hoping to get Trump elected.

Here’s the key finding on the hack: that GRU not only hacked the targets but used the cut-outs to get the information to the outlets to publish.

We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.

We know the classified report describes the cut-outs that got the documents to Assange.

The one new disclosure in this document is that the IC now assesses the probes of state-related election outlets to be Russian, which they had never before done.

Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards. DHS assesses that the types of systems Russian actors targeted or compromised were not involved in vote tallying.

I’ll come back to this point.

I noted in my deep dive on the sanctions package that the sanctions apply to those who tamper in our allies’ elections. This finding — that Russia wants to do more of this — is why the EO was written that way.

We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes.

Russia’s influence campaign

In addition to restating the top-line motives, the section describing why Putin ordered this operation (and it does say that, explicitly) lays out a few of the motives that the IC hasn’t been as ready to leak to the press. It describes Putin’s retaliation for the Panama Papers and the Olympic doping scandal this way:

Putin publicly pointed to the Panama Papers disclosure and the Olympic doping scandal as US-directed efforts to defame Russia, suggesting he sought to use disclosures to discredit the image of the United States and cast it as hypocritical.

Note how the passage does not deny that the US was behind Panama Papers (for which there is no public evidence) and the doping scandal (which would fit more squarely in the way the US wields its power). I assume the most compartmented version of this report explains whether we did have a role in Panama Papers.

The report also admits that Putin did this to retaliate for what protests he believes Clinton incited in Russia.

Putin most likely wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for inciting mass protests against his regime in late 2011 and early 2012, and because he holds a grudge for comments he almost certainly saw as disparaging him.

Again, this passage is remarkably non-committal about whether the US did incite those protests.

The timing on the description of how Russia came to love the Donald is interesting — beginning in June.

Beginning in June, Putin’s public comments about the US presidential race avoided directly praising President-elect Trump,

In its description of Putin’s desire to force an international ISIL coalition, the report doesn’t address a number of things, most notably the reasons why we don’t have an international coalition now. Again, this is a bullet point that I’m sure the most classified report has far more detail on.

Moscow also saw the election of President-elect Trump as a way to achieve an international counterterrorism coalition against the Islamic State in Iraq and the Levant (ISIL).

Likewise, I wonder whether there’s backup to this discussion of Putin’s comfort in working with people who have business ties to Russia.

Putin has had many positive experiences working with Western political leaders whose business interests made them more disposed to deal with Russia, such as former Italian Prime Minister Silvio Berlusconi and former German Chancellor Gerhard Schroeder.

How much did CIA lay out what Trump’s business interests in Russia are?

The section on the actual hack is interesting. It starts by saying “Russian intelligence” got into the DNC in July 2015, which would refer to the FSB hack. Here’s how it talks about the GRU hack(s).

The General Staff Main Intelligence Directorate (GRU) probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.

So:

  • The report admits that they don’t know when GRU started this. This is interesting for a slew of reasons, not least that it shows some uncertainty in the forensics.
  • Note how it refers to “Democratic party officials and political figures,” but never Podesta by name. It also doesn’t name Colin Powell, though the follow-up language must include him too.
  • Here, unlike in the JAR, the report says GRU exfiltrated a lot of data.

I’m not terrifically impressed by their paragraph on Guccifer 2.0, which is a problem, because this is one of the weakest parts of their argument.

Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.

I’ll come back to this. I just think it’s weak in a number of places.

The DC Leaks passage is stronger.

Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June.

Here’s the passage on WikiLeaks.

We assess with high confidence that the GRU relayed material it acquired from the DNC and senior Democratic officials to WikiLeaks. Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity. Disclosures through WikiLeaks did not contain any evident forgeries.

The passage doesn’t talk about cut-outs, but earlier leaks make it clear that’s how it happened. I think the sentence “Moscow most likely chose WL” is either bullshit or not very smart.

Others have complained that this passage confirms there were no “obvious forgeries.” The passage as a whole undermines some claims IC affiliates were saying in real time. So behind this paragraph, there’s a whole lot of real-time assessments that were revisited. Indeed, several paragraphs later, the report makes the claim that forgeries are the MO for GRU.

Such efforts have included releasing or altering personal data, defacing websites, or releasing emails.

I’m going to come back to the passage on WL and RT.

Note, the report includes the WADA hacking, even though the scope of this is supposed to be the election.

Again, I’m going to come back to the section on the info ops. I think it is weak, in part because it doesn’t seem to distinguish genuinely held belief from outright propaganda. But this passage really gets to the core of the problem with it.

RT’s coverage of Secretary Clinton throughout the US presidential campaign was consistently negative and focused on her leaked e-mails and accused her of corruption, poor physical and mental health, and ties to Islamic extremism. Some Russian officials echoed Russian lines for the influence campaign that Secretary Clinton’s election could lead to a war between the United States and Russia.

After all, you could say the same about most mainstream US outlets (some of which were ahead of RT on Hillary’s health). There is almost nothing in the RT section that couldn’t be said by a lot of US based outlets, some of which got bigger play. So how do you prove something is propaganda if it is doing what everyone else is doing? Moreover, much of what the passage points to depends on social media, and therefore algorithms built in Silicon Valley. Are they not a part of this propaganda? Also note, there’s no discussion of Sputnik here, which was if anything more obvious in its opposition to Hillary. Why?

There’s a long section from 2012 that deals with RT. I’ll return to it when I return to the media section. It’s really bad, though.

The report says it’s not going to weigh in on whether Russia’s efforts affected the election. But it does, here.

We assess the Russian intelligence services would have seen their election influence campaign as at least a qualified success because of their perceived ability to impact public discussion.


Thom Tillis Reminds James Clapper that the US Tampers in Elections, Too

Several times in today’s hearing on foreign cyberattacks on the US, James Clapper explained why he never favored big retaliation for China’s hack of OPM: because he considers it the kind of espionage we engage in too. “People who live in glass houses shouldn’t throw rocks.”

When North Carolina Republican Thom Tillis got his turn, he addressed Clapper’s comment, pointing out that on election-tampering, as with espionage, the US lives in a big glass house.

The glass house comment is something that I think is very important. There’s been research done by a professor up at Carnegie Mulligan that um Mellon that estimated that the United States has been involved in one way or another in 81 different elections since World War II. That doesn’t include coups or regime changes. Tangible evidence where we’ve tried to affect an outcome to our purpose. Russia’s done it some 36 times. In fact, when Russia apparently was trying to influence our election, we had the Israelis accusing us of trying to influence their election.

So I’m not here to talk about that. But I am here to say we live in a big glass house and there are a lot of rocks to throw and I think that that’s consistent with what you said on other matters.

With regards to comparative numbers on US and Russian intervention in elections, Tillis is discussing research published by Dov Levin last year (see WaPo version), who found that either the US or Russia intervened in 11.3% of all elections since World War II, with the US — indeed — intervening far more often (and more broadly) than Russia.

Overall, 117 partisan electoral interventions were made by the US and the USSR/Russia between 1 January 1946 and 31 December 2000. Eighty-one (or 69%) of these interventions were done by the US while the other 36 cases (or 31%) were conducted by the USSR/Russia. To put this number in the proper perspective, during the same period 937 competitive national-level executive elections, or plausible targets for an electoral intervention, were conducted within independent countries. Accordingly, 11.3% of these elections, or about one of every nine competitive elections since the end of the Second World War, have been the targets of an electoral intervention.

With regards to tampering in the Israeli election, Tillis is probably referring to State Department support for an NGO that worked to oust Bibi Netanyahu.

Curiously, Tillis made no mention of his own state party’s rather spectacular tampering to suppress the votes of African Americans, though perhaps his local experience explains why he presents all this data about American hypocrisy on election tampering as a reality about elections rather than a cautionary tale to be avoided.

Still, even if he’s trying to whitewash Russia’s involvement to help Trump get elected, he does have a point: the US has done this to a lot of other countries.

As Chilean-American Ariel Dorfman put it in an op-ed last year, America’s own election-tampering doesn’t make Russia’s this year’s right, but it should elicit a determination that the US will never again do unto others what we have just had done to us.

The United States cannot in good faith decry what has been done to its decent citizens until it is ready to face what it did so often to the equally decent citizens of other nations. And it must firmly resolve never to engage in such imperious activities again.

If ever there was a time for America to look at itself in the mirror, if ever there was a time of reckoning and accountability, it is now.

By all means, let’s pursue Russia for its intervention in this year’s election. But let’s, at the same time, engage in some accountability for what the US has itself done.

Russia Hacked the DNC. But What, Specifically, Did GRU Do?

I’m working on a series of posts to point out existing holes in the claim that Russia hacked the DNC. None of them mean I am yet convinced it is someone besides Russia. But there are holes in the story that no one wants to acknowledge. And those who want to argue the case is solid would do well to at least answer them. In this one, I want to point to a curious piece of evidence in a necessary part of the evidence: how GRU is alleged to have hacked the DNC.

You need to separate attribution of FSB’s hack of the DNC from GRU’s hack of the DNC

One thing a lot of people don’t realize about the Russian hack attribution is there’s some slippage in the argument.

There are two groups in question: APT 29, which has been publicly associated with FSB, and APT 28, which has been publicly associated with GRU. As I laid out here, those two groups must be kept separate, because the story is that these two groups did different things: FSB hung around DNC’s servers for months and stole a lot of information, but never leaked it. That’s the kind of stuff intelligence services do all the time, including our own. Our government has no reason to make a case against that — which is unwanted but nevertheless normal espionage — because they do it too, such as when, in 2012, they stole communications between then Mexican presidential candidate Enrique Peña Nieto and his closest allies.

GRU, by contrast, was believed to have been in DNC’s servers briefly — and John Podesta’s Gmail account even more briefly — but to have, in that time, stolen the documents that ultimately made their way to Wikileaks. That’s the action that was deemed newly beyond the pale (even if the US has probably had documents leaked to Wikileaks itself).

In a sense, then, only the APT 28 attribution matters, because that’s the entity that is believed to have been involved in hacking and leaking; that’s the entity believed to have done things that might have affected the outcome of the election.

But people have long either intentionally or unknowingly conflated the two, claiming that “Russia” hacked the DNC. If FSB hacked the DNC, the claim is true, but that doesn’t prove that Russia is behind the tampering in the election, because unless you prove that GRU is APT 28, then the stuff you’re bugged about hasn’t been properly attributed.

I’ve come to distrust the claims of anyone who has paid close attention to this that doesn’t assiduously maintain the distinction between the APT 29 and APT 28 hacks.

The Administration’s creation of Grizzly Steppe conflates APT 29 and APT 28 more than ever before

So, reports on this hack should scrupulously avoid conflating the APT 29 hack and the APT 28 hack. But Obama’s response last month did the opposite. Whereas every infosec outfit treats APT 28 (which CrowdStrike calls Fancy Bear) and APT 29 (which CrowdStrike calls Cozy Bear) as distinct entities (regardless of how confident they are that one or the other are Russian intelligence), and even though within the reports the Administration retained this distinction, the materials released by the Obama Administration invented an entirely new entity: Grizzly Steppe.

Get it? This entity is not a soft and cuddly Cozy Bear or an entirely distinct suave Fancy Bear anymore. Put the two together and you get a Grizzly Bear!

RAWRRRRRRR!

Aside from just the fact that the Administration did this (which would permit them to say, correctly, that Russia hacked the DNC even if they were less certain about GRU, though I don’t think they are), there are two other interesting aspects of this conflation in their package of sanctions.

First, as I noted here, the Administration sanctioned FSB as well as GRU. That’s weird because our intelligence community believes what FSB did is solidly within the norms of intelligence gathering. It’s possible the IC has some evidence that FSB did something to facilitate this operation that is not yet public. But the only explanation the sanctioning document offers is that, “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

The other notable thing about the Obama package is the differential language the Joint Analysis Report uses to describe the APT 29 and APT 28 hacks, which I pointed out here.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

I admit I may be over-reading these differences. But there is a difference in the certitude with which this report speaks of the APT 29 hack and the APT 28 hack. Regarding the former, the report describes how APT 29 stole the documents: it “exfiltrated email from several accounts through encrypted connections back through operational infrastructure.” And whereas the report affirmatively says APT 28 “was able to gain access and steal content,” it seems far less sure about how much data it stole, saying the hack “likely [led] to the exfiltration of information from multiple senior party members.” Maybe that means it’s likely APT 28 stole documents from more than one person; maybe that means it is likely they exfiltrated documents period. But remember, matching precisely what documents GRU stole to those Wikileaks released was one of the things the FBI was still working on a month and a half after the DNC hack.

The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

That’s just one of several pieces of evidence suggesting they don’t have (or at least didn’t have at the time) clear forensics on this.

One more note about the JAR report: It makes no mention of Podesta. Again, we should not draw any conclusions from that, as they may have just chosen to focus on the DNC (which people often forget is a distinct entity from Hillary’s campaign). But, as I hope to show in a follow-up post, the IC may have either less information — or perhaps even some sheepishness — about the Podesta leak, which is remarkable because that’s the actual hack for which there is the best evidence tying it to APT 28.

The Administration materials endorse some, but not all, of what infosec companies have published

Which brings me to a point I’ve made before but deserves more focus. In the introduction to the JAR, the Administration has this to say about the great work infosec companies have done about this hack.

A great deal of analysis and forensic information related to Russian government activity has been published by a wide range of security companies. The U.S. Government can confirm that the Russian government, including Russia’s civilian and military intelligence services, conducted many of the activities generally described by a number of these security companies.

It confirms that Russia’s intelligence services have indeed done “many of the activities” described by “a number of these security companies.” That’s not a confirmation that Russia’s spooks have done all the things alleged by all the security companies. Indeed, it seems to suggest that the infosec reports are wrong on some (perhaps very minor) points. We just don’t know which ones those are.

What were FSB and GRU doing hacking the same target anyway?

Which brings me to an important side discussion, one for which everyone has an answer but about which there is no agreement.

While FSB and GRU have been portrayed as adversarial intelligence agencies (perhaps in the way that FBI and CIA don’t always get along, sometimes to spectacular effect), it’s not actually normal for them to be hacking the same target. The original CrowdStrike report on the hack noted that the two groups of hackers appeared not to be coordinating as they rooted around DNC’s servers.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

It explains this away by the competition between the agencies. Still: note that according to CrowdStrike, there were two groups of Russians sniffing through the DNC servers that appeared unaware of each other’s presence.

A competing infosec company, Fire Eye, has come up with a completely different explanation for the presence of FSB and GRU in the same servers. It deems that proof of superior coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

Frankly, I’m agnostic about what the answer to this question might be, and find either one plausible. Or, it’s possible we should pay more attention to how unusual it is to have FSB and GRU digging in the same holes and think about whether it might, instead, tell us something else about who did this hack. But it is a datapoint that any theory of the hack should at least acknowledge and try to explain. Most don’t.

Why is GRU using open source tools?

All of which is my long-winded explanation for why I went back and re-read specifically what CrowdStrike said about APT 28 (at a time, we now know but didn’t then, CrowdStrike only had “medium” confidence that the APT 28 hackers of DNC were GRU). It made me realize why the stakes on the APT 28 tool X-Agent — which is not the only tool associated with APT 28 — are so high.

FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:

rundll32.exe "C:\Windows\twain_64.dll"

In addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections to NAT-ed environments, was used to also execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic analysis measures, such as periodic event log clearing (via wevtutil cl System and wevtutil cl Security commands) and resetting timestamps of files.

So after a longer section describing APT 29’s tools (which we now know, but which was not known then, were the less important part of the hack), Crowdstrike describes APT 28’s use of X-Agent and X-Tunnel (the latter of which I may come back to), but then also explains that these hackers deployed the APT 28 tools via an open source tool available on GitHub.

I’m no tech wizard, but this detail seems to beg some explanation, as it is awfully curious to have GRU resorting to an outdated open source tool to hack an American political party.
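For readers on the defensive side, here is what the two CrowdStrike details quoted above (a DLL run bare through rundll32, and event logs wiped with wevtutil cl) look like as detection logic run over a handful of process-creation records. This is an added example, not code from the post, CrowdStrike or any vendor; the record format, field names, hostnames and timestamps are assumptions constructed for the demo.

```python
"""
Detection logic for the two APT 28 behaviours CrowdStrike describes above,
run over constructed Sysmon-style process-creation records. Added example;
not code from the post, CrowdStrike, or any vendor. Field names, hostnames
and timestamps are assumptions made for the demo.
"""
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories from which rundll32 normally loads system DLLs. A DLL sitting
# directly in C:\Windows (as twain_64.dll does in the quote) is not one of them.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# wevtutil verbs that erase a log; "cl" is the short form quoted on the page.
LOG_CLEAR_VERBS = {"cl", "clear-log"}

# Constructed sample records, one JSON object per line, modelled loosely on
# Sysmon Event ID 1 (process create). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"ts": "2016-04-20T10:01:02Z", "host": "ws01", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe \"C:\\Windows\\twain_64.dll\""}
{"ts": "2016-04-20T10:01:03Z", "host": "ws01", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"}
{"ts": "2016-04-20T10:05:44Z", "host": "ws01", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl System"}
{"ts": "2016-04-20T10:05:45Z", "host": "ws01", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"}
{"ts": "2016-04-20T10:07:00Z", "host": "ws02", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil qe Security /c:5"}
"""


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_rundll32(args):
    """Flag rundll32 invocations that look unlike routine system use.

    Routine use names a system DLL plus an export (shell32.dll,Control_RunDLL).
    The quoted APT 28 command names a DLL by full path, outside System32, with
    no export at all, so rundll32 simply runs the DLL's entry point.
    """
    if len(args) < 2:
        return None
    dll, has_export, _entry = args[1].partition(",")
    reasons = []
    if not has_export:
        reasons.append("no export entry point named")
    parent = PureWindowsPath(dll).parent
    if str(parent) != "." and str(parent).lower() not in TRUSTED_DLL_DIRS:
        reasons.append(f"DLL loaded from {parent}")
    return "; ".join(reasons) if reasons else None


def check_wevtutil(args):
    """Flag wevtutil invocations that clear a log (the anti-forensic step)."""
    if len(args) < 2 or args[1].lower() not in LOG_CLEAR_VERBS:
        return None
    target = args[2] if len(args) > 2 else "<unspecified>"
    return f"event log cleared: {target}"


# Dispatch on the executable's basename rather than on the command line, so
# "wevtutil" and "wevtutil.exe" are handled identically.
RULES = {"rundll32.exe": check_rundll32, "wevtutil.exe": check_wevtutil}


def analyse(log_text):
    """Return one finding per matching record: (ts, host, image name, detail)."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        image = PureWindowsPath(rec["image"]).name.lower()
        rule = RULES.get(image)
        if rule is None:
            continue
        detail = rule(split_cmdline(rec["cmdline"]))
        if detail:
            findings.append((rec["ts"], rec["host"], image, detail))
    return findings


def hosts_clearing_logs(findings):
    """Hosts that cleared more than one log, mapped to the logs cleared."""
    cleared = defaultdict(list)
    for _ts, host, image, detail in findings:
        if image == "wevtutil.exe":
            cleared[host].append(detail.split(": ", 1)[1])
    return {h: logs for h, logs in cleared.items() if len(logs) > 1}


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for hit in hits:
        print(*hit, sep=" | ")
    print("hosts that wiped several logs:", hosts_clearing_logs(hits))
```

On the sample records the routine rundll32 Control Panel call and the read-only wevtutil query pass, while the bare twain_64.dll load and the two log wipes on ws01 are reported; clearing logs also leaves Security event 1102 behind, so the same host grouping can be fed from that event where command lines are not collected.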

None of this is definitive. None of it changes my inclination that Russia probably is behind the APT 28 hack of the DNC (and, even more convincingly, behind the hack of John Podesta). But these are some details that deserve more attention amid the claims that all the case against GRU (as distinct from Russia) is rock solid.