MalwareTech’s Case Gets Complex
Today, prosecutor Michael Chmelar and Marcus Hutchins’ lawyers, Marcia Hofmann and Brian Klein, had a phone meeting with judge Nancy Johnson.
Hutchins’ lawyers got the judge to agree to further loosen his bail terms (putting him on a curfew rather than house arrest, it appears). But, after agreeing willingly to most requests last week, the government is now objecting to the change, asking for a stay and reconsideration. Recall, too, that AUSA Michael Chmelar had tacitly agreed to have Hutchins taken off GPS monitoring. We will likely see the substance of their complaint in a motion in the coming days.
The other thing that happened — again, as I reported would happen here — the case got deemed complex, meaning the trial can be delayed without a violation of the Speedy Trial Act. The minutes describe the judge’s approval of the motion for these reasons.
Based on the information presented here, the nature of the charges, the nature and amount of the discovery, the fact that discovery is coming from multiple sources and the fact that some of the information may need independent testing/review, the court will designate this matter COMPLEX.
The most interesting detail here is that independent testing may be required. Probably — especially given researchers are already raising doubts — Hutchins’ lawyers are going to get outside experts to check the government claims that the code sold in Kronos came from Hutchins.
Another detail from the minutes is that Hutchins’ lawyers object to the redaction of the indictment.
The Government gives background of this case and notes that defendant Hutchins is the only party to appear thus far.
[snip]
The defense notes that it objects to the redaction of the Indictment.
The WI courthouse already accidentally revealed the name of Hutchins’ co-defendant, Tran.
In spite of some effort, no one I’ve seen has identified a likely (and sufficiently interesting) co-defendant whose last name is Tran — or a connection between that name and VinnyK, the name currently associated with selling the malware. Presumably, if the co-defendant’s aliases were unsealed, it would be easier for researchers to understand what Hutchins has been accused of, and who he has been accused of conspiring with.
As for the discovery, some of that was provided in the minutes. As I noted, the government turned over Hutchins’ custodial interview (curiously, the minutes don’t specify that they were with the FBI) and the recordings of two calls.
The government will be following its open file policy. To date, the defendant has provided the defense with the following:
– 1 CD with post arrest statements
– CD with 2 audio recordings from the county jail in Nevada. (The government is awaiting a written transcript from the FBI.)
Here’s what’s left to discovery, with my comments interspersed.
In addition, there are:
– 150 pages of Jabber chats between the defendant and an individual (somewhat redacted).
Were these encrypted or group chats? If the former, via what means did FBI decrypt them? Did someone hand them over to the FBI?
– Business records from Apple, Google and Yahoo.
These would be accessible via Section 702 (though, given the lack of a FISA notice, would likely have been backstopped via subpoena if they were collected via 702).
– Statements (350 pages) to the defendant from another internet forum which were seized by the government in another District.
The government provides no details on what the location (US or overseas) of this forum is — and they describe it as statements to Hutchins rather than statements by him. But their existence shows that another District had enough interest in some conversations Hutchins happened to be involved in that they collected — via whatever means — this forum.
– 3-4 samples of malware
At a minimum, the government needs 3 pieces of malware: Kronos before Hutchins allegedly updated it, Kronos after he did, and the version of Kronos that got sold. Apparently, the government hasn’t decided how many versions they’ll give the defense. And all that still leaves the question of victims; to prove that anything Hutchins did affected any Americans they might need more malware.
In part for that reason, I suspect independent researchers will continue to look for their own publicly available samples.
– A search warrant executed on a third party which may contain some privileged information.
As with the other forum, this suggests the FBI or some other agency was interested enough in another case — or a corporation — such that some kind of privilege might apply. This could, in fact, be a victim.
All of that is what led the defense to request (after the government already said it would do the same, having initially said this wouldn’t be a complex case) that this should be deemed complex, in part so Hutchins’ team can have a couple of months to review what they’re looking at.
The parties agree that the case should be designated as complex. Information is still being obtained from multiple sources. The issues are complex[.] The defendant requests 45-60 days in which to review the discovery. The government notes that it is in agreement with the request.
So it’s a complex case and it’ll drag on until such time as the government gets more coercive to get whatever it is they’re after or they drop the case.
Huh, that is not all that much information so as to demand a complex designation. Is there voluminous wiretap info not listed in the post? Some other reason?
My guess is it due to third party.
Because they used the word ‘may’, it could be that the info has not been reviewed completely yet, or possibly the warrant had not yet been served at the time of the motion. It may be that Marcus told the FBI(?) about an entity that they should check out.
“A search warrant executed on a third party which may contain some privileged information.”
[The ‘privileged information’ is the interesting part. It could be a target that has already been backdoored by IC. If so, then you have the ‘sources and methods’ issue, which the government would not want to accidently expose thru discovery. That scenario would definitely make the case ‘complex’ in my book]
[Note that giving defense 45-60 days to review also buys some time for government. This will drag on for quite some time]
Eh, maybe, but if so, that was not noted in a way that makes any sense to me. I’d have to read a transcript to tell (assuming their are not unaccounted for affidavits as to need for complex status too). So far, though, I don’t see it based on the “amount of discovery”.
That said, if the defense agrees, fine, then everybody is happy. I would have thought the defense would want to press it along quickly though.
s/the defendant has provided the defense/the prosecution has provided the defense/
Or gooverment instead of prosecution.
Do not recall the wording, but it certainly was not defendant providing to defense.
Sheesh. What you posted Marcy is absolutely correct. I misread it yesterday.
Makes no sense.
So how did Marcus come into possesion of the CDs? Hint: he did not. No way.
Maybe legal team by now. Doubtful.
One with post arrest statements.
One with 2 recordings from jail.
Makes absolutely no sense. Especially since they are waiting for a transcription from FBI.
And Marcus himself wants to know about it.
This makes no sense.
Why would FBI or other government give defendant CDs so soon?
Makes no sense.
Does government realize they screwed up?
Is this some kind of Chewbacca Defense?
An out so government can save face?
This just not make sense.
Pretty clearly that was supposed to read government has provided defense.
Agree. But that is what is in the legal doc.
It makes no sense.
If it actually did happen, I would never ‘autorun’ those CDs.
They would have to be forenisically reviewed in a throw-away machine, never to be used again.
I would want in-depth audio analysis, and full transcript from at minimum of three trusted and experienced court reporters, not working for private companies.
Then, I would very carefully compare those independent transcripts to what the govrrnment will say was alegedly provided by FBI (the one they say is not availble yet).
Related, but not obvious. Marcy, you know my theory. Must read between the articles. One could call it ‘complex’.
First is APT related, second is defense against an APT.
https://amp.ibtimes.co.uk/russian-hackers-caught-using-hijacked-pdf-files-infiltrate-g20-task-force-1635691
https://www.google.com/amp/www.csoonline.com/article/3219848/vulnerabilities/show-the-proof-or-cut-it-out-with-the-kaspersky-lab-russia-rumors.amp.html
OT: Humpty Dumpty
This may be why US TLAs dissing Kaspersky.
Ties to Yahoo too.
FSB Agents Arrested for Giving CIA Information About Russian Hackers
https://www.bleepingcomputer.com/news/security/fsb-agents-arrested-for-giving-cia-information-about-russian-hackers/
Nancy Koppe or Nancy Johnson?
Third party in Texas?
The facts as ascribed by the judge do not seem to support a complex designation. Here is the text from the Speedy Trial Act (STA):
“Whether the case is so unusual or so complex, due to the number of defendants, the nature of the prosecution, or the existence of novel questions of fact or law, that it is unreasonable to expect adequate preparation for pretrial proceedings or for the trial itself within the time limits established by this section.”
So the STA lists three reasons to delay the trial. (1) The existence of novel questions of law. Not applicable here. (2) the number of defendants. Again, not applicable here. and (3) The nature of the prosecution. That doesn’t seem to be a good fit either. What is so complex about prosecuting a hacker?
“nature of the charges, the nature and amount of the discovery, the fact that discovery is coming from multiple sources and the fact that some of the information may need independent testing/review, the court will designate this matter COMPLEX.”
So the government asks and the court delivers. Because there is nothing inherent in anything the court lists that makes the trial complex.
OT: (re marcy tweet): why do foreign hackers use Gmail?
Because all the others suck more.
(I’m getting your snark now ;-) )
I’ve defended a number of cases – not a large number, but in each instance the case itself had a ‘large’ volume of government disclosure – where the government provided us with preliminary materials short of and pending (saying or implying pending, at least) transcription, including investigators’ notes, audio files, av files, picture portfolios, and surveillance summaries.
Sometimes it appears – sometimes it’s just blatant – that such ‘early incomplete’ disclosure has been tendered as a hook towards an early plea or a cooperation arrangement. In at least 2 instances we caught concurrent indications that left the smell that the government’s pleading was itself the hook, and, as emptywheel suggested could be so here, those 2 prosecution cases ended with what amounted to abandonment.
It’s not at all that this sort of ‘early’ disclosure makes no sense. Sometimes it makes all the sense there is to the case.
Memo to MWT LT:
If you have received the alleged CDs,
consider your LAN pwned if you loaded them into a computer CD/DVD drive.
If so, you now have three more projects.
1. All if your LAN is suspect, and should be rebuilt from scratch with new hardware all at once. Rebuild can not be peicemeal. All existing hardware should be considered compromised. Any off-LAN (USB drives) that have been used since that point in time should be considered compromised.
2. Cloud storage should be considered compromised too.
3. A deep dive forensics investigation of any electronic media received from government should be SOP at this point. I would have a sound-proof, light-proof faraday cage lab. No internet. All mains power highly filtered (better yet, go thru ac/dc conversions with batteries). Bring in audio and rf experts. Multiple. All involved in the lab should expect their equipment could become compromised and never to later be used on the internet. It should stay in the lab as long as needed.
Talk about ‘makes no sense’ …