Don Jr Provides Proof Obama Didn’t “Tapp” Trump

As you’ve no doubt heard, the NYT reported out the details of the meeting between Don Jr, Jared Kushner, Paul Manafort, and Natalia Veselnitskaya. It not only makes clear that Veselnitskaya was introduced as an agent of the Russian government, but that Rob Goldstone, who set up the meeting, presented it as part of Russia’s efforts to help Trump. (And yes, for those asking in this thread, I do consider this the kind of evidence that rises to the level of collusion which was not present in the first round of this story.)

The documents “would incriminate Hillary and her dealings with Russia and would be very useful to your father,” read the email, written by a trusted intermediary, who added, “This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump.”

If the future president’s elder son was surprised or disturbed by the provenance of the promised material — or the notion that it was part of a continuing effort by the Russian government to aid his father’s campaign — he gave no indication.

He replied within minutes: “If it’s what you say I love it especially later in the summer.”

Four days later, after a flurry of emails, the intermediary wrote back, proposing a meeting in New York on Thursday with a “Russian government attorney.”

In an attempt to beat the NYT’s reporting (and because he is painfully stupid), Don Jr posted the emails in question. The email metadata makes it clear that the meeting involved Russia and Hillary — and included Jared and Manafort. (I’m stealing Matt Tait’s screencaps, which are here.)

Matt Tait annotated the most damning line, making it clear this was an effort on the part of Russia — which Don Jr presumably already knew about — to help Trump.

This one line, once and for all, proves that the NSA under President Obama did not “tapp” Trump and his associates. That’s because in the IC report on the Russia hack (and as recently as Admiral Mike Rogers’ most recent appearance before Congress), NSA only had moderate confidence in the conclusion that Putin affirmatively supported Trump.

Had the NSA collected this email, they would have had high confidence Putin was affirmatively helping Trump. (This is a point Tait also made not long after I made it.) But Rogers has said there was something about the source of the prior intelligence supporting this point that led NSA to adopt a more conservative stance than FBI and CIA.

So, yeah, the dumbass son not only incriminated himself, but he did away with one of the few talking points the GOP had left.


Be Careful How You Define Collusion: On the Veselnitskaya Bombshell and the Steele Dossier

See update, below, which provides evidence that was not present when I wrote this post. 

The NYT has a new bombshell showing that Don Jr. was willing to meet with someone to get Russian dirt on Hillary. It is damning. But Democrats should be very careful about calling it collusion, yet.

On Saturday, the NYT reported that Don Jr, Paul Manafort, and Jared Kushner met on June 9 with Natalia Veselnitskaya, a Russian lawyer who has worked to overturn the Magnitsky sanctions. In Don Jr’s first response to the NYT, he admitted to the meeting, but said it focused primarily on adoptions (which means it focused on the sanctions).

Then, yesterday, NYT reported that Don Jr took the meeting because he was promised Russia-related dirt on Hillary. With that new detail, Don Jr changed his story, admitting that’s why he took the meeting, though he claimed that the information Veselnitskaya offered “made no sense.”

In a statement on Sunday, Donald Trump Jr. said he had met with the Russian lawyer at the request of an acquaintance. “After pleasantries were exchanged,” he said, “the woman stated that she had information that individuals connected to Russia were funding the Democratic National Committee and supporting Ms. Clinton. Her statements were vague, ambiguous and made no sense. No details or supporting information was provided or even offered. It quickly became clear that she had no meaningful information.”

He said she then turned the conversation to adoption of Russian children and the Magnitsky Act, an American law that blacklists suspected Russian human rights abusers. The law so enraged President Vladimir V. Putin of Russia that he retaliated by halting American adoptions of Russian children.

“It became clear to me that this was the true agenda all along and that the claims of potentially helpful information were a pretext for the meeting,” Mr. Trump said.

WaPo revealed that the meeting was set up by music publicist Rob Goldstone, and hints that he may have done so at the behest of Emin Agalarov (which Goldstone has since confirmed).

He did not name the acquaintance, but in an interview Sunday, Rob Goldstone, a music publicist who is friendly with Trump Jr., told The Washington Post that he had arranged the meeting at the request of a Russian client and had attended it along with Veselnitskaya.

Goldstone has been active with the Miss Universe pageant and works as a manager for Emin Agalarov, a Russian pop star whose father is a wealthy Moscow developer who sponsored the pageant in the Russian capital in 2013.

This news is damning for several reasons. Kushner failed to disclose it at first in his clearance application, and Don Jr didn’t reveal it in past interviews about meeting with Russians. Everyone tried to hide this at first.

But thus far, it is not evidence of collusion, contrary to what a lot of people are saying.

That’s true, most obviously, because we only have the implicit offer of a quid pro quo: dirt on Hillary — the source of which is unknown — in exchange for sanctions relief. We don’t (yet) have evidence that Don Jr and his co-conspirators acted on that quid pro quo.

But it’s also true because if that’s the standard for collusion, then Hillary’s campaign is in trouble for doing the same.

Remember: A supporter of Hillary Clinton paid an opposition research firm, Fusion GPS, to hire a British spy who in turn paid money to Russians — including people even closer to the Kremlin than Veselnitskaya — for Russia-related dirt on Don Jr’s dad.

Yes, the Clinton campaign was full of adults, and so kept their Russian-paying oppo research far better removed from the key players on the campaign than Trump’s campaign, which was run by incompetents. But if obtaining dirt from Russians — even paying Russians to obtain dirt — is collusion, then a whole bunch of people colluded with Russians (and a bunch of other foreign entities, I’m sure), including whatever Republican originally paid Fusion for dirt on Trump.

Breaking: Our political process is sleazy as fuck (but then, so are most of our politicians).

The claim that merely meeting with Veselnitskaya is collusion is all the more dangerous given that it invokes some weird details about the Fusion dossier. Most importantly, as Trump’s lawyer’s spox has pointed out (incoherently, at first), like whatever Clinton supporter retained the oppo research firm, Veselnitskaya also employed Fusion. An update to NYT’s Friday story laid some of this out, in the form of Mark Corallo’s more clever than you actually might think suggestion that the Democrats might have paid Fusion to set up this meeting.

In an interview, Mr. [Mark] Corallo explained that Ms. Veselnitskaya, in her anti-Magnitsky campaign, employs a private investigator whose firm, Fusion GPS, produced an intelligence dossier that contained unproven allegations against the president. In a statement, the firm said, “Fusion GPS learned about this meeting from news reports and had no prior knowledge of it. Any claim that Fusion GPS arranged or facilitated this meeting in any way is false.”

[snip]

One of Ms. Veselnitskaya’s clients is Denis Katsyv, the Russian owner of a Cyprus-based investment company called Prevezon Holdings. He is the son of Petr Katsyv, the vice president of the state-owned Russian Railways and a former deputy governor of the Moscow region. In a civil forfeiture case prosecuted by Mr. Bharara’s office, the Justice Department alleged that Prevezon had helped launder money tied to a $230 million corruption scheme exposed by Mr. Magnitsky by parking it in New York real estate and bank accounts. As a result, the government froze $14 million of its assets. Prevezon recently settled the case for $6 million without admitting wrongdoing.

[snip]

Besides the private investigator whose firm produced the Trump dossier, the lobbying team included Rinat Akhmetshin, an émigré to the United States who once served as a Soviet military officer and who has been called a Russian political gun for hire.

Republicans have already pointed to Akhmetshin’s work with Fusion as a way to discredit the Steele dossier. Now they are (or at least were, before the really damning bits came out) using it to attempt to discredit the most damning detail about Trump’s ties to Russians.

But there is one other interesting detail.

The first report (that we have) reflecting Christopher Steele’s work (and also the first report that some unknown Democrat paid for after earlier oppo research had been paid for by some Republican) is dated June 20.

The report, dated 11 days after the Veselnitskaya meeting, states that the Kremlin has a dossier on Clinton, but that it has not as yet been distributed abroad.

That claim is seemingly contradicted by the claims of Source A (a senior Russian Foreign Ministry figure) and Source D. Indeed, Source D appears to have claimed, in June, that dirt from Russia was helpful.

Ultimately, though, the memo seems to credit Source B, “a former top level Russian intelligence officer” and Source G, a senior Kremlin official, who said the dossier, attributed here to the FSB, had not yet been shared with Trump or anyone else in America.

Consider: First, Akhmetshin himself qualifies as a former intelligence officer (though it’s not clear how senior he was). He might have reason to deny that intelligence he tried to pass was the intelligence in question. And he’d likely be right, given that the Clinton dossier was purportedly an FSB, not a GRU, product. But it’s even possible that he didn’t want Hillary to know that he or a colleague was dealing dirt, however bad.

Nevertheless, the senior-most Russian quoted in the dossier compiled for Hillary Clinton claimed — and Steele appears to have believed — that Russia’s dirt on Hillary Clinton had not yet been released.

Which doesn’t really help the treatment of this as a scandal.

Don’t get me wrong. I suspect there is more to this story. But I also note that Democrats should be really careful not to get too far ahead of this one, for fear of where it will lead.

Update: NYT’s latest provides evidence that gets you far closer to collusion than the previous evidence.

Mr. Goldstone’s message, as described to The New York Times by the three people, indicates that the Russian government was the source of the potentially damaging information. It does not elaborate on the wider effort by Moscow to help the Trump campaign. There is no evidence to suggest that the promised damaging information was related to Russian government computer hacking that led to the release of thousands of Democratic National Committee emails.


James Clapper Updated Rules on Congressional Notice the Day before He Retired

On his very last full day in office on January 19, in the middle of an investigation that included then Senator Jeff Sessions’ discussions with the Russian Ambassador, James Clapper updated the rules on dissemination of the identities of members or staffers of Congress in intelligence reports.

One minor change to the previous procedures involved adding the Director of National Intelligence to the list of people whose requests to identify a member of Congress (MoC) in a report don’t have to go through the same approval process as other people (which, in any case, involves approval by the DNI).

Here’s what that provision looked like in 2013.

As I suggested after Clapper most recently testified, his answers about unmasking the identity of a member of Congress or a Trump associate logically suggest he may have unmasked the identity of Jeff Sessions (though this process would involve someone else sharing the name of a member of Congress with Clapper, not Clapper unmasking the name).

LINDSEY GRAHAM: You made a request for unmasking on a Trump associate and maybe a member of Congress? Is that right, Mr. Clapper?

CLAPPER: Yes.

As I noted, the DNI is the person who has to approve the most sensitive requests. So by adding himself, Clapper only closed a loop, giving himself (or his successor) permission to ask for and receive information he himself had the authority to ask and receive in any case.

But I find the timing of the change interesting.


On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. Most of the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down, or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But instead, Trump and his oil-soaked sidekick agreed to make future hacking of the US easier.


Maddow’s Forgery and Mistaken Timing

Much of Rachel Maddow’s reporting on the Russian scandal has been overly drawn out and breathless. But you should watch this piece (which is not only overly drawn out and breathless, but doesn’t emphasize the most important point).

Rachel describes how, on June 7, her tip line received a smoking gun document, appearing to be a Top Secret NSA document, laying out collusion between a Trump campaign official she doesn’t name (I’m going to wildarseguess, for a lot of reasons, it is Mike Flynn) and the Russians who hacked the election. She describes multiple reasons her team determined the document to be a fake: some misspellings, a declassification date that is wrong, some spacing weirdness, and that the campaign official is actually named, rather than masked as US Citizen 1.

But she also describes how the printer dots and a seeming crease on the document appear to replicate those that appear in the document Reality Winner is alleged to have provided to the Intercept.

Which is interesting, because as she shows about 14 minutes in (but doesn’t emphasize enough), the document sent to her tip line appears to have been created between the time Reality Winner went to jail and the time the Intercept published the document (unless I missed it, she doesn’t say precisely when they got the document, just that it was the same week as the Intercept published it. Update: Corrected above). The creation date appears to be three and a half hours before the publication date at the Intercept. [Update: but not the creation date for the document, see below.]

Rachel surmises, correctly, I think, that the person sent the document both to discredit her own reporting (in much the same way reliance on fake documents discredited Dan Rather’s reporting of George Bush’s real Air National Guard scandal) as well as to discredit the notion that the Trump campaign, and the person named in particular, colluded with the Russians. This was an attempt to undercut potentially real news with deliberately faked news, fed through a selected outlet.

That would mean one of two things. Either the person who created the document faked the metadata (or created the document from Alaska or someplace west of there). Or the person received a copy of the very same document, including the crease, either from Reality Winner or from the Intercept or one of their sources, and then used it as a template to create a fake NSA document (or had visibility into the FBI’s investigation about this document). If it’s the latter, then the number of people who might be involved is rather small.

I’ve suggested there are reasons to wonder whether Winner was directed towards this document. I’d say there are more questions now about whether that’s the case.

Update: as PaulMD notes on Twitter, the document Rachel received actually has the very same creation time as the document the Intercept uploaded.

Update: Glenn Greenwald is pretty pissed about Rachel’s insinuations.

Update: Changed the title given the mistaken timing in the Rachel story.


In Mistaking Surveillance for Sabotage, NYT Fearmongers Nukes Again

Last night, the NYT had an alarming story reporting that suspected Russian spies were compromising engineers who work at nuclear power plants across the United States. Amber! the story screamed.

Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.

Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The joint report was released on June 28. It was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the severity of the threat.

After screaming “Amber,” the story went on to scream “bears!”

The origins of the hackers are not known. But the report indicated that an “advanced persistent threat” actor was responsible, which is the language security specialists often use to describe hackers backed by governments.

The two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.

Ultimately, the story worked its way up to invoke StuxNet, an attack on the actual enrichment processes of a nuclear facility.

In 2008, an attack called Stuxnet that was designed by the United States and Israel to hit Iran’s main nuclear enrichment facility, demonstrated how computer attacks could disrupt and destroy physical infrastructure.

The government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control, or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.

In retrospect, [former chairman of the Federal Energy Regulatory Commission] Mr. Wellinghoff said that attack should have foreshadowed the threats the United States would face on its own infrastructure.

And yet, in the fourth paragraph of the story, NYT admitted it’s not really clear what the penetrations involved. With that admission, the story also revealed that the computer networks in question were not the control systems that manage the plants.

The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.

Still further down, the report admitted that this involved phishing and watering hole attacks on engineers, not attacks on control systems.

In most cases, the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.

[snip]

Hackers wrote highly targeted email messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.

[snip]

In some cases, the hackers also compromised legitimate websites that they knew their victims frequented — something security specialists call a watering hole attack.

That is, even while screaming “Amber Russian bear OMIGOSH StuxNet!!” the article admitted that this is not StuxNet. This amounts to spies, quite possibly Russian, “hunting SysAdmins,” just like the United States does (of course, the US and its buddy Israel also assassinate nuclear engineers, which for all its known assassinations, Russia is not known to have done).

That distinction is utterly critical to make, no matter how much you want to fearmonger with readers who don’t understand the distinction.

There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.

This is spying, what our own cyber doctrine calls “Cyber Collection.”

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. (C/NF)

That doesn’t mean Russian spying on how our nuclear facilities work is without risk. It does carry the risk that they are collecting the information so they can one day sabotage our facilities.

But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with StuxNet, because doing so is likely to lead to very dangerous escalation.

And it’s not just me saying that. Robert M. Lee, who works on cyber defense for the energy industry and who recently authored a report on Crash Override, Russia’s grid-targeting sabotage tradecraft (and as such would have been an obvious person to cite in this article) had this to say:

So while the threat to nuclear from cyber is a real concern because of impact it’s very improbable and “what about Stuxnet” is a high bar

Or said more simply: phishing emails are lightyears removed from “what about Stuxnet” arguments. It’s simply otherworldly in comparison.

There’s one more, very real reason why the NYT should have been far more responsible in clarifying that this is collection, not sabotage. Among the things Shadow Brokers, with its presumed ties to Russia, has been threatening to expose is “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.” If the NYT starts inflating the threat from cyber collection on nuclear facilities, it could very easily lead to counter-inflation, with dangerous consequences for the US and its ability to monitor our adversaries.

There is very real reason to be concerned that Russia — or some other entity — is collecting information on how our nuclear and other power facilities work. But, as Lee notes, conflating that with StuxNet is “otherworldly.”


Revisiting Obama on the Weakness of American Democracy

It has become fashionable, of late, for pundits to say President Obama failed to respond accordingly to the Russian hack last year. As I showed in this analysis of WaPo’s 8300 word opus making that argument, such claims tend to give the views of the CIA and Democrats most emphasis, obscuring the degree to which even within the Intelligence Community there was less certainty than narrative reconstructions make out. They also tend to ignore some key events — like assassinations and indictments of Russian hackers — in claiming nothing has happened, effectively pretending that sanctions are the necessary and exclusive possible response. Significantly, they also tend to ignore ongoing developments, most notably the Shadow Brokers leaks and the global ransomware launched using it, that may constrain our possible responses for the moment.

In other words, the narrative condemning Obama inaction ignores a lot.

Such analyses also miss another important point, something Obama pointed out in his December speech on the Russian hack. It’s a point I’ve been thinking a lot about recently, especially today.

To the extent the Russian hack was effective, Obama argued, it’s because our own politics have made us vulnerable.

Our vulnerability to Russia or any other foreign power is directly related to how divided, partisan, dysfunctional our political process is. That’s the thing that makes us vulnerable.

If fake news that’s being released by some foreign government is almost identical to reports that are being issued through partisan news venues, then it’s not surprising that that foreign propaganda will have a greater effect, because it doesn’t seem that far-fetched compared to some of the other stuff that folks are hearing from domestic propagandists.

To the extent that our political dialogue is such where everything is under suspicion, everybody is corrupt and everybody is doing things for partisan reasons, and all of our institutions are full of malevolent actors — if that’s the storyline that’s being put out there by whatever party is out of power, then when a foreign government introduces that same argument with facts that are made up, voters who have been listening to that stuff for years, who have been getting that stuff every day from talk radio or other venues, they’re going to believe it.

So if we want to really reduce foreign influence on our elections, then we better think about how to make sure that our political process, our political dialogue is stronger than it’s been.

I’m unsympathetic to Obama’s complaints that people distrust our institutions. His DOJ, after all, failed to prosecute torturers, illegal wiretappers, and most of all, the banksters that crashed our economy. The distrust of our institutions, including the press that got us into the Iraq War, has been earned.

We need to start thinking about what they would need to do to earn trust anew.

But Obama is right about why the hack succeeded, to the extent it did. Almost everything Russia did — create fake scandals, try to tamper with the ability to vote — the Republicans (and occasionally, Democrats too) have been doing for decades. In fact, we now know that a long-time GOP ratfucker, Peter W Smith, was even trolling hacker forums looking for someone who might have hacked Hillary’s private server. So whatever the Russians did, they largely just joined the predictable and persistent GOP wave doing precisely the same.

And for decades, we have tolerated that — explicit voter suppression, fake scandals, cheating to win — from the GOP.

As I said last week, when Democrats were responding to Kris Kobach’s latest attempt to suppress the vote, it’s time for all patriotic Americans to establish and commit to a standard for our democracy, one that doesn’t tolerate the same tactics a foreign government would use to its advantage.

We’re stuck with the Republicans for at least two more years, and they’re determined to do as much damage to our democracy as it takes to avoid paying any price for the crap they’re currently pulling, so it may be longer than that. But we need to think of this as being about restoring our democracy, not just beating the other team.

Happy Fourth of July. May we find a way to keep the Republic.


What Would a Digital Sanctions Regime Relying on Malware Look Like?

A day ago, the second ransomware based on NSA tools leaked by Shadow Brokers hit. The attack was focused on Ukraine, in large part because “patient zero” appears to be a tax software update for a Ukrainian company, M.E.Doc. But global giants including Maersk and Merck were also affected. Russian oil giant Rosneft was affected too, though there are conflicting claims about how badly it was disabled.

A day in, folks still can’t get a grasp on this attack, even down to the name (it started as Petya until security folks determined it’s not the ransomware of the same name, leading to the use of NotPetya).

While using far more attack vectors (and more toys from Shadow Brokers), this attack bears two similarities with last month’s WannaCry attack: the ransom requested $300 to decrypt locked data, and the ransom function was never really designed to work properly.

There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction.

  • The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel was obviously a wrong decision in terms of business.
  • The lack of automation in the payment & key retrieval process makes it really difficult for the attacking party to honor their end of the promise.
  • There is a total lack of usability in the payment confirmation: the user has to manually type an extremely long, mixed case “personal installation key” + “wallet”, which is prone to typos.

Update 6/28 06.00 GMT+3

The email address that was used by the threat actors to get payment confirmations has been suspended by Posteo. This means that all payments made overnight will be unable to get validated, and therefore will surely not receive the decryption key. Not that we have ever advised otherwise, but if you’re planning to pay the ransom, stop now. You’ll lose your data anyway, but you’ll contribute in funding the development of new malware. Even so, there have been 15 payments made after the suspension of the e-mail address. The wallet now totals 3.64053686 BTC out of 40 payments, with a net worth of $US 9,000.

Indeed, Matt Suiche argues the attack is better thought of as a wiper attack, designed to destroy rather than lock data, than a ransomware attack.

It will take some time to understand what the attack really is, particularly given the degree to which it appears to masquerade as things it’s not. But for the moment, I want to consider how a similar attack might be used as a counter to sanctions regimes. As far as we currently know, this attack made doing business with Ukraine a very expensive business proposition, just as doing business with, say, some oligarchs in Russia is made costly for those subject to US sanctions because they have to bank in the US. The attack served as a self-executing investigative method to identify just who had business tax dealings in Ukraine, and imposed an immediate cost. So whether or not that’s what this is, such an attack could be used to counteract sanctions imposed by the international banking community.

Again, I’m just spitballing.

But some dates are of interest.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Microsoft dates the attack to June 27 at 10:30 GMT.

We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.

Today, June 28, is a public holiday in Ukraine, making it more difficult to deal with the attack.

Again, I’m not saying that’s what NotPetya is. I am saying that if you wanted to design a counter to financial sanctions using malware, NotPetya is close to what it’d look like.


In Defense of [Gulp] Mike Pompeo

Let me say at the outset that I think Mike Pompeo is a totally inappropriate choice for CIA. I believe he is inclined to torture and engage in illegal surveillance. I believe he is among a long line of overly politicized Republicans appointed to this position. I believe he plans to criminalize journalism, if not my own journalism, specifically. And I believe it likely he’s hiding requests from Trump to downplay the Russian investigation.

But I’m uncomfortable with critiques of him about this interview with Hugh Hewitt.

To be clear: I’m appalled that a CIA Director would choose someone so nakedly partisan for his first exclusive interview. I don’t approve of the interview, generally.

But people are suggesting that this passage shows Pompeo denying known facts about the Russian investigation.

HUGH HEWITT, MSNBC HOST: Today, I bring to you my conversation with the Director of the Central Intelligence Agency, Mike Pompeo. This is his first interview with a news network since taking the job. I sat down with the former congressman, West Point and Harvard Law graduate at CIA headquarters in Langley. I started by asking him about Russia’s meddling in last year’s election, and what the administration is doing to stop it from happening again.

(BEGIN VIDEO CLIP)

MIKE POMPEO, DIRECTOR, CIA: I can’t talk about the details of the intelligence, but we have, the intelligence community has said, that this election was meddled with by the Russians in a way that is frankly not particularly original. They’ve been doing this for an awfully long time. And we are decades into the Russians trying to undermine American democracy. So in some ways, there’s no news, but it certainly puts a heightened emphasis on our ability to figure out how to stop them.

HEWITT: The news was actually that Putin personally directed. Do you think the Russian President did that?

POMPEO: I can’t confirm the intelligence related to that.

Perhaps this is semantics, but Hewitt used a different word than the Intelligence Community Assessment that everyone complaining is pointing to. Hewitt used “directed,” suggesting (to me, anyway) a hands-on involvement. The ICA described Putin’s involvement as “ordering” the operation, suggesting (again, to me) a delegation of direction.

We assess with high confidence that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election, the consistent goals of which were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. When it appeared to Moscow that Secretary Clinton was likely to win the election, the Russian influence campaign then focused on undermining her expected presidency.

We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence.

Add in a tolerance — by virtually all those complaining — for intelligence officials to defer public comments by refusing to stray from existing public comments. Indeed, even where Pompeo all but confirms something Hewitt raises — that the US and Russia continue to cooperate on counterterrorism issues — he engages in the tired charade of pretending not to confirm the confirmation.

POMPEO: I don’t talk about the liaison partners that I speak with. But it is important that we continue to work in places where we can on intelligence matters to keep Americans safe. Counterterrorism is a perfect example. Americans fly on Russian planes, Russians fly on American planes, to the extent we can keep planes in the sky. All of those counterterrorism issues and places they overlap, where there are terrorists in Kazakhstan or Russia or other places where the Russians might have information, I certainly expect they’ll share that with us. And by the same token, if we can help keep Russians or American interests in Russia alive by providing them with information, it’s the right thing to do.

So I took, and take, Pompeo’s refusal to confirm the intelligence related “to that” as a refusal to go beyond the ICA. Sure, perhaps Hewitt’s question was orchestrated. Perhaps this is Pompeo’s way of acceding to Trump’s request to downplay the Putin role in the election operation.

But you can’t pick and choose among public deferrals of answers. If John Brennan could get away with this kind of obfuscation (and he did, including with these journalists in particular), then similar obfuscation should not suddenly become an object of suspicion.

The point is no CIA director should get away with this kind of parsing. But what Pompeo has done here is more of the same kind of parsing that all CIA Directors, forever and ever, have engaged in, with the indulgence of their favored press outlets.

That’s not acceptable. But those who’ve permitted such indulgences in the past are in no position to demand more transparency from other CIA Directors.

By all means let’s criticize Pompeo for helping Trump to downplay the Russian investigation. But let’s apply the same standards we have applied to past CIA Directors, especially if we’re among those who’ve gotten privileged access in the past.


Are Trump’s Associates Forgoing Lawyers because They Expect Pardons?

One of the numerous topics over which Attorney General Jeff Sessions invoked non-executive executive privilege when he testified earlier this month was whether the Trump Administration has started discussing pardoning those who might be criminally exposed for their ties with Russia.

WARNER: To your knowledge, have any Department of Justice officials been involved with conversations about any possibility of presidential pardons about any of the individuals involved with the Russia investigation?

SESSIONS: Mr. Chairman, I’m not able to comment on conversations with high officials within the White House. That would be a violation of the communications rule that I have to —

WARNER: Just so I can understand, is the basis of that unwilling to answer based on executive privilege?

SESSIONS: It’s a long-standing policy of the Department of Justice not to comment on conversations that the Attorney General had with the President of the United States for confidential reasons that rounded in the coequal branch.

WARNER: Just so I understand, is that mean you claim executive privilege?

SESSIONS: I’m not claiming executive privilege because that’s the president’s power and I have no power there.

WARNER: What about conversations with other Department of Justice or White House officials about potential pardons? Not the president, sir.

SESSIONS: Without in any way suggesting I had any conversations concerning pardons, totally apart from that, there are privileges of communication within the Department of Justice that we share, all of us do. We have a right to have full and robust debate within the Department of Justice and encourage people to speak up and argue cases on different sides. Those arguments are not — historically we have seen they shouldn’t be revealed.

WARNER: I hope you agree since you recused yourself that if the president or others would pardon someone during the midst of this investigation while our investigation or Mr. Mueller’s investigation, that would be problematic.

After I watched this testimony I predicted Trump would pardon someone — probably Mike Flynn — within three months of the day I made the prediction (which was roughly June 14).

I said that, in part, because of Sessions’ sheer arrogance when he was providing obviously false answers (most especially to Kamala Harris). Sessions had the giddy look of someone who knew he’d get away with whatever he was pulling, even beyond the kind of a look you’d expect from a southern white man talking to a woman of color.

But I also say that because some of the people most exposed in this affair have had at least initial conversations with the FBI without a lawyer. That’s true of Mike Flynn in his first interview with the FBI at the White House. (Flynn has since retained Robert Kelner.)

WHITEHOUSE: Do you know where that interview took place or under what circumstances?

YATES: I believe it took place at the White House.

WHITEHOUSE: The Flynn interview?

YATES: Yes.

WHITEHOUSE: OK. Do you know if Flynn was represented by counsel at the time?

YATES: I don’t believe he was.

And — according to a new WaPo story — that’s true of the 10 hours of questioning that Carter Page underwent in March.

Over a series of five meetings in March, totaling about 10 hours of questioning, Page repeatedly denied wrongdoing when asked about allegations that he may have acted as a kind of go-between for Russia and the Trump campaign, according to a person familiar with Page’s account.

The interviews with the FBI are the most extensive known questioning of a potential suspect in the probe of possible Russian connections to associates of President Trump. The questioning of Page came more than a month before the Russian investigation was put under the direction of Special Counsel Robert S. Mueller III.

Page confirmed Monday that the interviews occurred, calling them “extensive discussions.” He declined to say if he’s spoken to investigators since the March interviews.

[snip]

Because it is against the law for an individual to lie to FBI agents about a material issue under investigation, many lawyers recommend their clients not sit for interviews with the bureau without a lawyer present. Page said he spoke without a lawyer and wasn’t concerned about the risks because he told the truth.

Now, it may be that after getting these men to incriminate themselves, the FBI encouraged them to lawyer up so they could be flipped. Certainly, Sheldon Whitehouse appears to believe Flynn has done just that.

Still, the kind of arrogance that would lead men as exposed as they are to forgo a lawyer makes me wonder whether they’ve already been promised pardons.

Update: Meanwhile, the most likely Trump associate to get a pardon, father of his grandchildren Jared Kushner, just hired Abbe Lowell, while still retaining Jamie Gorelick.
