Posts

Hours before Trump Pardoned Flynn, “Phil” Weighed in a Pardon

Update: This was not Phil. It was someone testing Phil’s identity. I’m removing the post (though I’m sure it’s archived).

Some Details of Mueller’s GRU Indictment You Probably Missed

When the Mueller team wrote the GRU indictment, they were hiding that Roger Stone might one day be included in it.

Last week,  DOJ unsealed language making it clear that, when Mueller closed up shop in March 2019, they were still investigating whether Roger Stone was part of a conspiracy with Russia’s GRU to hack-and-leak documents stolen from the Democrats in 2016.

The Office determined that it could not pursue a Section 1030 conspiracy charge against Stone for some of the same legal reasons. The most fundamental hurdles, though, are factual ones.1279 As explained in Volume I, Section III.D.1, supra, Corsi’s accounts of his interactions with Stone on October 7, 2016 are not fully consistent or corroborated. Even if they were, neither Corsi’s testimony nor other evidence currently available to the Office is sufficient to prove beyond a reasonable doubt that Stone knew or believed that the computer intrusions were ongoing at the time he ostensibly encouraged or coordinated the publication of the Podesta emails. Stone’s actions would thus be consistent with (among other things) a belief that he was aiding in the dissemination of the fruits of an already completed hacking operation perpetrated by a third party, which would be a level of knowledge insufficient to establish conspiracy liability. See State v. Phillips, 82 S.E.2d 762, 766 (N.C. 1954) (“In the very nature of things, persons cannot retroactively conspire to commit a previously consummated crime.”) (quoted in Model Penal Code and Commentaries § 5.03, at 442 (1985)).

1279 Some of the factual uncertainties are the subject of ongoing investigations that have been referred by this Office to the D.C. U.S. Attorney’s Office.

That means, eight months after they charged a bunch of GRU officers for the hack-and-leak, DOJ still hadn’t decided whether Stone had criminally participated in that very same conspiracy.

That raises questions about why they obtained the indictment before deciding whether to include Stone in it.

In his book, Andrew Weissmann provides an explanation for the timing of it.

A problem arose, however, when it came to the timing of this indictment. Having secured the Intelligence Community’s and Justice Department’s go-ahead, Jeannie aimed to have the indictment completed by July 2018. However, Team M’s first case against Manafort was scheduled to go to trial in Virginia in mid-July and, with Manafort showing little sign of wanting to plead, much less cooperate, with our office, we had few doubts that the trial would go forward. If we brought Team R’s indictment just before the trial, the judge in the Manafort case would go bonkers, justifiably concerned that such an indictment from the Special Counsel’s Office could generate adverse pretrial publicity, even if it didn’t relate directly to the Manafort charges.

But we couldn’t afford to wait to bring the hacking indictment until after both of Manafort’s trials concluded—the trial in Virginia was slated to start in July and the trial in Washington in early September. By then, we would be running up on the midterms, and we would not announce any new charges that close to the election (consistent with Department policy). But waiting until mid-November would be intolerable to Mueller. I told Jeannie I thought we could safely defend ourselves from any objections from the Virginia judge if she brought her case at least two weeks before the start of our July trial—that, I hoped, would give us a reasonable buffer.

Jeannie said she could manage that, then quickly noted that the new timetable created yet another problem: Two weeks before our trial, the president was scheduled to be in Helsinki, where he would be meeting privately with Vladimir Putin. Our indictment would require alerting the State Department, given their diplomatic concerns in preparing for and running a summit, as the indictment would accuse the Russians explicitly of election interference. That was standard operating procedure, but there was also the real perception issue that the indictment could look like a commentary on Trump’s decision to meet alone with Putin, which we did not intend.

We brought the dilemma to Mueller. He suggested we determine whether the White House would take issue with our proceeding just before the president’s trip—would it pose any diplomatic issues? The answer we got back was no: The administration would not object to the timing. I suspect the White House Counsel’s Office did not want to be perceived as dictating to us how or when to bring our indictment, or as hiding evidence of Russian election interference. In retrospect, a less generous interpretation of their blessing to move forward was that they knew dropping the indictment just before the trip would provide Trump and Putin an opportunity to jointly deny the attack on a global stage—that they were playing us, as Barr would later on. [my emphasis]

The indictment was ready in July. If it wasn’t announced then and if both Manafort trials went forward, then prohibitions on pre-election indictments would kick in, meaning the indictment wouldn’t be released in mid-November. That would have been “intolerable” for Mueller’s purposes. Weissmann doesn’t note that mid-November would also be after the election, meaning that the indictment might not get released before a hypothetical post-election Mueller firing and so might not get released at all. That may be what intolerable means.

Other possible factors on the GRU indictment timing

One thing that almost certainly played a factor in DOJ obtaining the indictment before they decided whether to include Stone in it, however, was Andrew Miller’s appeal.

Stone’s former aide Andrew Miller was interviewed for two hours at his home on May 9, 2018; this is almost certainly the 302 from the interview. Assuming that is his 302, Miller was asked about his relationship with Stone, Stone’s relationship with Trump, a bunch of Stone’s right wing nut-job friends, and someone whom Miller knew under a different name. Nothing in the unredacted passages of the interview reflects Miller’s role coordinating Stone’s schedule at the RNC, even though that was the focus of a follow-up subpoena after Miller testified to the grand jury. At the end of the interview, Miller agreed to appear voluntarily for a follow-up and grand jury testimony.

But then Stone learned about the interview.

We know that from the description of a pen register Mueller obtained on Stone a week later, described in affidavits. The PRTT showed that Miller had called Stone twice in the days after his interview with the FBI. On May 11, 2018, Miller lawyered up and his new lawyer, Alicia Dearn, told Mueller that Miller would no longer appear voluntarily (remember that Stone had offered to get a lawyer who would help Randy Credico refuse to testify).

This timeline lays out the early part of Miller’s subpoena challenge.

Miller emailed Stone over a hundred times over the month after his FBI interview. Miller did schedule a grand jury appearance, but then blew it off. Mueller started moving to hold Miller in contempt on June 11. In the days between then and a hearing on the subpoena, Miller and Stone exchanged five more emails. Then, in late June, Miller added another lawyer, Paul Kamenar (whom Stone would add to his team after his sentencing, presumably to allow Kamenar to access the evidence against him under the protective order). Kamenar made it clear he would appeal Miller’s subpoena.

In other words, in late June, the Mueller team learned that they would have to wait a while to get Miller before the grand jury (it ultimately took until the moment Mueller closed up shop on May 29, 2019). All the back and forth also would have made it clear how damaging Stone believed Miller’s testimony against him to be. When Mueller obtained a second warrant for Stone’s emails in early August 2018, the team would have gotten the content of those emails to learn precisely what Stone had to say to Miller about his testimony.

So Miller’s challenge to his subpoena meant that Mueller’s team would not obtain testimony that — it seems clear — they knew went to the heart of whether Stone was conspiring with Russia until well after the midterm election.

If my concerns that “Phil” had a role in the Guccifer 2.0 operation were correct, there’s a chance my big mouth had a role in the timing, too. Starting on June 28, I started considering revealing that I had gone to the FBI in what would eventually become this post. Contrary to the invented rants of people like Glenn Greenwald and Eli Lake, even a year into an investigation into what I had shared with the FBI, long after the time they would have been able to dismiss my concerns if they had no merit, prosecutors did not blow me off.

My interaction with Mueller’s press person in advance of going forward extended over five days. I emailed the press person on June 28 and said I wanted to run something by him. He blew it off for a day (there was a Manafort hearing), then on Friday I wrote again saying I run my decision by my lawyer, and was still planning on going forward. He still blew it off. The next day, I suggested he go check with a particular prosecutor; while the prosecutor hadn’t been in my interview, he was involved in setting it up. The press guy called back within an hour, far more interested in the discussion, and chatty about the fact that I live(d) in Michigan. He asked me to explain the threats I believed I had gotten after I went to the FBI. He asked me generally what I wanted to say. I noted that I believed if people guessed why I had gone to the FBI, they would guess the Shadow Brokers side of it, since TSB had dedicated its last words to a tribute to me, but probably not the Guccifer 2.0 side.

He told me “some people” needed to discuss it. Early on Monday July 1, we spoke again first thing in the morning. He asked me to describe more specifically what I would say. I described the select parts of my post that I suspected would be most sensitive, and read the text that I planned to publish. He said some people needed to discuss it and I would hear by the end of the day. At the end of the workday, he apologized for a further delay. After some more back-and-forth, he told me, around 10PM, that my post would not damage the investigation. The Special Counsel’s Office took no view on whether it was a stupid idea or not (it probably was, not least because one can never understand the moving parts in an investigation like this).

I posted the next day, part of a mostly-failed attempt to get Republicans to care about the non-partisan sides of this investigation. That was 11 days before the actual indictment.

I didn’t know then and frankly I still can’t rule out whether, over those two days, when “some people” discussed my plans, they reached a final conclusion that my concerns about an American who might have a role in the Guccifer 2.0 operation were either baseless or could not be proven.

But the aftermath shows they were still investigating Stone’s ties to Guccifer 2.0, whether not I was right about an American involved in it. Later in July, after the GRU indictment was released, prosecutors would obtain a warrant on several of Stone’s Google accounts in an attempt to determine whether he was the person looking up dcleaks and Guccifer 2.0 before the sites went live. A month and a half later, they would get two warrants, two minutes apart, one for Stone’s cell site location, and another for a Guccifer 2.0 email account, possibly an attempt to co-locate Stone and someone using the Guccifer account. That was the beginning of the period when Mueller’s team would start gagging warrant applications to hide the scope of the investigation from Stone.

For several months after releasing an indictment that made it appear as if all the answers about the hack-and-leak were answered, then, Mueller’s team took a number of steps that aimed to understand any tie between Stone and Guccifer 2.0. Even sixteen months after the GRU indictment, the Guccifer 2.0 persona ended up being an unstated focus of Stone’s trial — a trial about his lies to hide his true go-between with WikiLeaks — too.

Whatever the reason for the timing of the GRU indictment, given the confirmation that Mueller’s team was still investigating whether Stone had foreknowledge of ongoing GRU hacks that would merit including him in the hack-and-leak conspiracy when they closed up shop in March 2019, it’s worth revisiting the GRU indictment. At the time Mueller’s team wrote it, they knew at a minimum they were killing time to get Miller’s testimony, and subsequent steps they took show they they continued to pursue a prong of the investigation pertaining to Guccifer 2.0 that they planned to hide from Stone. So it’s worth seeing how they wrote the indictment to allow for the possibility of later including Stone in it, without telegraphing that that was a still open part of the investigation.

The Stone investigation parallels several of the counts charged in Mueller’s GRU indictment

The indictment charges 12 GRU officers for several intersecting conspiracies: Conspiracy against the US by hacking to interfere in the 2016 election (incorporating various CFAA charges and 18 USC §371), conspiracy to commit wire fraud for using false domain names (18 USC §3559(g)(1)), aggravated identity theft for stealing the credentials of victims (18 USC 1028A(a)(1)), conspiracy to launder money for using bitcoin to hide who was funding the hacking infrastructure (18 USC §1956(h)), and conspiracy against the US for tampering with election infrastructure (18 USC §371). In addition there’s an abetting charge (18 USC §2). Those charges are similar to, but do not exactly line up with, the other GRU indictment obtained in 2018, for hacking international doping agencies, which I’ll call the WADA indictment. The WADA indictment includes hacking, wire fraud, money laundering conspiracies, along with identity theft, as well. But it doesn’t include the abetting charge. And as described below, it deals with the leaking part of the operation differently.

DOJ used the abetting charge in Julian Assange’s indictments, a way to try to hold him accountable for the theft of documents by Chelsea Manning. Given the mention of Company 1, WikiLeaks, in the indictment, that may be why the abetting charge is there.

But the charges in the Mueller GRU indictment also parallel those for which the office was investigating Stone: he was investigated for CFAA charges from the start (that first affidavit focused exclusively on Guccifer 2.0), 371 was added in the next affidavit, aiding and abetting a conspiracy was added in the third affidavit, and wire fraud was added in March 2018 (the campaign finance charges that would be declined in the Mueller Report were added in November 2017). While the wire fraud investigation might be tied to Stone’s own disinformation on social media, the rest all stems from the charges eventually filed against the GRU in July 2018. Those same charges remained in Stone’s affidavits through 2018 (though did not appear in the early 2019 warrants used to search his houses and devices).

Mueller charged Unit 74455 officers for “assisting” in the DNC leak, without describing whom they assisted

Given the overlap on charges between those for which Mueller investigated Stone and those that appeared in the indictment, the treatment of the information operation in the GRU indictment — particularly when compared with the WADA indictment — is of particular interest. In both cases, the indictment described the InfoOps side to be conducted by Russian military intelligence GRU Unit 74455, as distinct from Unit 26165, which did most (but not all, in the case of the election operation) of the hacking.

In the WADA indictment, none of the personnel involved in the hack-and-leak at Unit 74455 are named or charged. Instead the indictment explains that, “these [Fancy Bears Hack Team social media accounts] were acquired and maintained by GRU Unit 74455.” Later, the indictment describes these accounts as being “managed, at least in part, by conspirators in GRU 74455,” notably allowing for the possibility that someone else may have been involved as well. The actions associated with that infrastructure are generally described in the passive voice: “were registered,” “were released” (several times). For other actions, the personas were the subject of the action: “”@fancybears and @fancybearHT Twitter accounts sent direct messages…”

The Mueller indictment, however, names three Unit 74455 officers: It charges Aleksandr Osadchuk and Anatoliy Kovalev in the hack of the election infrastructure (Kovalev got charged in the recent GRU indictment covering the Seoul Olympics and NotPetya, as well).

And it charges Osadchuk and the improbably named Aleksey Potemkin in the hack-and-leak conspiracy. The Mueller indictment describes that those two Unit 74455 officers set up the infrastructure for the leaking part of the operation. Significantly, it describes that these officers “assisted” in the release of the stolen documents.

Unit 74455 assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU.

[snip]

Infrastructure and social media accounts administered by POTEMKIN’s department were used, among other things, to assist in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas.

The indictment doesn’t describe whom these officers assisted in releasing the documents.

Unlike the WADA indictment, the Mueller indictment also includes specific details proving that GRU did control the social media infrastructure. It describes how the conspirators used the same cryptocurrency account to register “dcleaks.com” as they used in the spear-phishing operation, and the same email used to register the server was also used in the spear-phishing effort.

The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

[snip]

For example, between on or about March 14, 2016 and April 28, 2016, the Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.

(Note, this is some of the evidence collected via subpoenas to tech companies that the denialists ignore when they claim that CrowdStrike was the only entity to attribute the effort to Russia.)

The Mueller indictment describes how Potemkin controlled the computers used to launch the dcleaks Facebook account.

On or about June 8, 2016, and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.” In addition to the DCLeaks Facebook page, the Conspirators used other social media accounts in the names of fictitious U.S. persons such as “Jason Scott” and “Richard Gingrey” to promote the DCLeaks website. The Conspirators accessed these accounts from computers managed by POTEMKIN and his co-conspirators.

Finally, there’s the most compelling evidence, that some conspirators logged into a Unit 74455-controlled server in Moscow hours before the initial Guccifer 2.0 post went up and searched for the phrases that would be used in the first post.

On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including:

Search Term(s)

“some hundred sheets”

“some hundreds of sheets”

dcleaks

illuminati

широко известный перевод [widely known translation]

“worldwide known”

“think twice about”

“company’s competence”

Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its first post on a blog site created through WordPress. Titled “DNC’s servers hacked by a lone hacker,” the post used numerous English words and phrases that the Conspirators had searched for earlier that day (bolded below):

Worldwide known cyber security company [Company 1] announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups.

I’m very pleased the company appreciated my skills so highly))) [. . .]

Here are just a few docs from many thousands I extracted when hacking into DNC’s network. [. . .]

Some hundred sheets! This’s a serious case, isn’t it? [. . .] I guess [Company 1] customers should think twice about company’s competence.

F[***] the Illuminati and their conspiracies!!!!!!!!! F[***] [Company 1]!!!!!!!!! [emphasis original]

Remember: in the weeks after DOJ released this indictment, Mueller’s team took steps to try to obtain proof of whether Roger Stone was the person in Florida searching on Guccifer’s moniker on June 15, 2016, before the initial post was published. If Stone did learn about this effort in advance, it would suggest he learned about Guccifer 2.0 operation around the same time as someone was searching on these phrases in a GRU server located in Moscow. It would mean Stone learned about the upcoming Guccifer post in the same timeframe as these GRU officers were reviewing it.

It’s not really clear what was going on here. The assumption has always been that GRU officers were looking for translations into English from a post they drafted in Russian, even though the quotation marks suggests the Russian officers were searching on English phrases.

The one exception to that seems to confirm that. Those conducting these searches appear to have searched on a Russian phrase, a phrase they would have easily understood.

широко известный перевод

Moreover, it would take a shitty-ass translation application to come up with the stilted English used in the post. Plus, “illuminati,” at least, is an easily recognized cognate, even for someone (me!) whose Russian is surely worse than the English of any one of these Russian intelligence officers.

Still, proof of this  activity — obtained via undescribed means — clearly ties the Guccifer operation to the GRU. It’s just not clear what to make of it. And the possibility that there’s an American component to the Guccifer 2.0 operation — whether “Phil” or someone else — one that may have alerted Stone to what was going on, provides explanations other than straight up translation. Indeed, it may be that GRU officers were approving the content that someone else wrote, originally in English. Which might also explain why Stone may have known about it in advance.

Whatever else, the GRU indictment only claims that these GRU officers “assisted” this effort. It doesn’t claim they wrote this post.

The Stone-adjacent Guccifer 2.0 activity

One other detail of Mueller’s GRU indictment of interest pertains to which Stone-adjacent activity it chose to highlight.

Stone had first made his DMs with Guccifer 2.0 public himself, in March 2017. They were covered in his House Intelligence Committee testimony. But when Mueller included them in the GRU indictment, Stone first denied, and then sort of conceded the reference to them might be him.  His initial denial was an attempt to deny he had spoken with people in the campaign other than Trump himself, even though he had released the communications himself over a year earlier.

Remember — Mueller was still weighing whether Stone was criminally involved in this conspiracy when Stone issued the initial denial!

But that’s not the most interesting detail of the part of the indictment that lays out with whom Guccifer 2.0 shared stolen documents (even ignoring one or two tidbits I’m still working on).

Mueller’s GRU indictment included — along with the reference to the Roger Stone DMs they still hadn’t determined whether reflected part of a criminal conspiracy or not — the Lee Stranahan exchange with Guccifer 2.0 that ended in Stranahan, a Breitbart employee who would later move to Sputnik, obtaining early copies of a document purportedly about Black Lives Matter.

On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, sent a reporter stolen documents pertaining to the Black Lives Matter movement. The reporter responded by discussing when to release the documents and offering to write an article about their release.

These Stranahan exchanges are really worth attention, not just for the way they prove that Stone-adjacent people got early releases on request (which, lots of evidence suggests, also happened with Stone with respect to the Podesta files pertaining to Joule Holdings), but also for the way Guccifer 2.0 ignored Stranahan’s claim in early August 2016 to have convinced Stone that Guccifer 2.0 was not Russian.

Note what this indictment didn’t mention, though: Guccifer 2.0’s outreach to Alex Jones (about whom, unlike Stranahan, the FBI questioned Andrew Miller).

As I’ve pointed out, in the SSCI Report, there’s a long section on Jones that remains almost entirely redacted. Citing to five pages of a report the title of which is also redacted, the four paragraphs appear between the discussions of Guccifer 2.0’s outreach to then-InfoWars affiliate Roger Stone and Guccifer 2.0 and dcleaks’ communication with each other.

According to Thomas Rid’s book, Active Measures, both dcleaks and Guccifer 2.0 tried to reach out to Jones on October 18, 2016.

On October 18, for example, as the election campaign was white hot and during the daily onslaught of Podesta leaks, both GRU fronts attempted to reach out to Alex Jones, a then-prominent conspiracy theorist who ran a far-right media organization called Infowars. The fronts contacted two reporters at Infowars, offered exclusive material, and asked to be put in touch with the boss directly. One of the reporters was Mikael Thalen, who then covered computer security. First it was DCleaks that contacted Thalen. Then, the following day, Guccifer 2.0 contacted him in a similar fashion. Thalen, however, saw through the ruse and was determined not to “become a pawn” of the Russian disinformation operation; after all, he worked at Infowars. So Thalen waited until his boss was live on a show and distracted, then proceeded to impersonate Jones vis-à-vis the Russian intelligence fronts.23

“Hey, Alex here. What can I do for you?” the faux Alex Jones privately messaged to the faux Guccifer 2.0 on Twitter, later on October 18.

“hi,” the Guccifer 2.0 account responded, “how r u?”

“Good. Just in between breaks on the show,” said the Jones account. “did u see my last twit about taxes?”

Thalen, pretending to be Jones, said he didn’t, and kept responses short. The officers manning the Guccifer 2.0 account, meanwhile, displayed how bad they were at media outreach work, and consequently how much value Julian Assange added to their campaign. “do u remember story about manafort?” they asked Jones in butchered English, referring to Paul Manafort, Donald Trump’s former campaign manager. But Thalen no longer responded. “dems prepared to attack him earlier. I found out it from the docs. is it interesting for u?”24

Rid describes just one of two outreaches to Jones (through his IC sources, he may know of the report the SSCI relies on). But a key detail is that this outreach used as entrée some stolen documents from May 2016 showing that the Democrats were doing basic campaign research on Trump’s financials. It then purports to offer “Alex Jones” information on early Democratic attacks on Paul Manafort’s substantial Ukrainian graft, possibly part of the larger GRU effort to claim that Ukraine had planned an election year attack on Trump.

That is, unlike Stranahan’s request for advance documents, this discussion intended for “Alex Jones,” ties directly to Stone’s efforts to optimize the Podesta release. And it’s something that some entity prevented SSCI from publishing.

It’s also something Mueller’s team left out of an indictment aiming to lay out the hack-and-leak case before they might get fired, but in such a way as to hide the then-current state of the investigation from Roger Stone.

There were actually a number of Stone-adjacent associates in contact with GRU’s personas. And as recently as just a few months ago, the government wanted to hide the nature of those ties.

“Show Me the Metadata:” A Forensic Tie Between Shadow Brokers and Guccifer 2.0

On October 16, 2017, some of the last words the persona Shadow Brokers (TSB) ever wrote hailed my journalism.

TSB special shouts outs to Marcy “EmptyWheel” Wheeler, is being what true journalist and journalism is looking like thepeoples!

TheShadowBrokers, brokers of shadows.

As I noted at the time, I really didn’t need or appreciate the shout-out. I wrote a serious post analyzing that TSB post, but mostly I was trying to tell TSB to fuck off and leave me alone.

That was months after I told the FBI that I thought that someone I knew, whom I will refer by the pseudonym “Phil,” might be the voice of TSB, and less than a week after I got a Psycho-themed threat I deemed worthy of calling the cops.

As I laid out here, I told the FBI that months before Phil had left a comment on my site on July 28, 2016, signed [email protected], he had done some paranoid things starting on June 14, 2016, including making multiple references to ties he claimed to have with Russia. He then attended a Trump rally on August 13, 2016, taking pictures he would later suggest were really sensitive.

In addition to my suspicions about Guccifer 2.0, I also told the FBI that I suspected Phil was part of the operation that had been dumping NSA exploits and other records on the Internet starting in August 2016.

Unlike with Guccifer 2.0, Phil never signed a comment at the site under the name TSB — though on September 21, 2017, someone left a comment asking for my opinion about the ways the government was pursuing TSB.

‘Merican

September 21, 2017 at 1:58 am

Is what you say easier get FISA than Criminal warrant or FISA keep secret from rest of government, but Criminal warrant maybe not? FBI is not intelligence agency is law enforcement agency why have access FISA? You write many articles about the shadow brokers, what you think FISA or Criminal for the shadow brokers? You thinking anyone in US government is looking for the shadow brokers? US government not even say name “name that shall never be spoken”. What is best way discover national security letter sent to your service provider? …asking for a friend!

I thought Phil might be TSB, in part, because Phil had said almost identical things to me in private that TSB said publicly months later. There were other things in TSB’s writing that resonated with stuff I knew about Phil. And while Phil and I never (as far as I recall) talked about TSB, at least once he did say some other things that went a long way to convincing me he could be TSB; I thought he was seeking my approval for what TSB was doing, approval I was unwilling to give.

There are, however, public exchanges between the persona TSB and me, in addition to that shout out in what turned out to be TSB’s swan song.

For example, after I wrote a post on January 5, 2017 wondering why the government hadn’t included TSB in any of its discussions of election year hacking, TSB tweeted to me, complaining that I had described TSB as “bitching” about the coverage, rather than calling it “trolling.” (Note, the language in these screen caps reflects the language used by the people who first archived these tweets, so don’t go nuts about the Russian.)

TSB then RTed my article, suggesting other outlets were complicit for not asking the same questions.

The first tweet, at least, didn’t adopt the fake Borat voice that TSB used to mask a very fluent English, though I think there were some other tweets TSB sent that day where that may be true as well. In neither of these tweets did TSB mock me for misspelling “Whither” (the post’s title originally spelled it “Wither”); that’s a bit odd, because TSB rarely passed up any opportunity to be an asshole on Twitter.

Then, on July 18, 2018, after I had revealed I had shared information with the FBI, someone started a Twitter account under the name LexingtonAl that ultimately claimed to be — and was largely viewed as, by those who followed it — TSB (the persona deleted most tweets in February 2019, but many are saved here). Starting in December 2018, Lex and I had several exchanges about what TSB had actually done. 

Here’s my side of one from that month where I pointed out a problem with Lex’s claim that TSB consisted of just three contractors who leaked the files to reveal US complicity with tech companies to other Americans. The claim didn’t accord with having sent the files to WikiLeaks (as both WikiLeaks and TSB claimed in real time).

At the time, Lex went on an anti-Semitic rant about things he hated. Assuming that Lex is TSB (as he claimed), I got demoted from being TSB’s favorite journalist to third on the list of things Lex hated.

Note: when I interacted with Phil, he was never anti-Semitic (though he was a raging asshole when angry), but Lex was clearly even more disturbed than Phil was in the period when I interacted with him.

Then, in January, Lex bitched (again, in anti-Semitic terms) about a post I had done noting that, given Twitter’s poor security at the time, the Twitter DMs that Hal Martin allegedly sent Kaspersky might have served to frame him.

The post had noted that the early TSB posts — including a number sent after Martin was arrested — had relied on similar cultural allusions as the DMs sent from Martin’s Twitter account. Shortly thereafter the FBI arrested Martin in a guns-wagging raid on his home in Maryland. Per this Kim Zetter story, the Tweets had mentioned the 2016 version of Jason Bourne and Inception. I reiterated that on Twitter.

It was a factual observation supported by the content of the earlier TSB posts, not a comment about any spookiness behind the release of the files.

I asked why TSB was so defensive about having those cultural allusions called out.

Lex responded with another anti-Semitic rant.

I responded,

Finally, in February 2019, Lex invoked me — including that I had “had a breakdown and outed her source” — sort of out of the blue in the middle of what might be called his claimed doctrine behind the leaks.

I noted that if his claimed doctrinal explanation were true, then TSB would have done a victory lap (and stopped dropping files) when Microsoft President Brad Smith started advocating for a Digital Geneva Convention in February 2017, which would have brought about an end to the practice that, Lex claimed, was his reason for dumping the files.

Not only didn’t TSB mention that in real time (instead choosing to exacerbate the tensions between the US and Microsoft), but TSB kept dropping files for six months after that.

Lex responded with another attack.

I have far less evidence that I could share to prove that TSB or Lex are Phil. But little noticed in the midst of TSB’s widely-discussed obsession with Jake Williams, a former NSA hacker whom TSB probably tried to frame as the source of the files, TSB also had an obsession with me — and certainly took notice when I revealed that I had gone to the FBI.

All that said, virtually all of these communications post-dated the time when I went to the FBI.

I went to the FBI in the wake of the WannaCry attack. The attack, reportedly a North Korean effort to make use of the tools dropped by TSB that went haywire, ended up causing a global worm attack that shut down hospitals and caused hundreds of billions of dollars in damage. When I have alluded to the ongoing damage I was trying to prevent, that’s what I mean: the indiscriminate release of NSA exploits to the public which, in that case, literally shut down hospitals on the other side of the world. 

There’s no defense for that.

While I had been trying to find some way to share my concerns long before that, I may never have met directly with the FBI about any of my suspicions except for another detail: I learned that there was a forensic tie between the Guccifer 2.0 and TSB personas. While, at the time, I had moderate confidence about both my belief that Phil had a role in the Guccifer operation and moderate confidence that he was TSB, when I learned there was a forensic tie between the two of them, it increased my confidence in both. 

A strong caveat is in order: the forensic tie isn’t decisive; it could be insignificant, or untrue.

The forensic tie is that someone logged into one of the Guccifer 2.0 accounts — I think the WordPress account — using the same IP address as someone who logged into the early staging sites — either Pastebin or GitHub — for the TSB operation.

If someone using the same IP address accessed both sites — probably using a VPN — it could mean either that the same person was involved, or whoever staged these things was doing little to cover their tracks and outsiders were accessing their infrastructure. One of the people who told me about this forensic tie interpreted it as a deliberate attempt to tie the two operations together, sort of yanking the government’s chain.

I learned of this forensic tie from multiple people, all of whom are credible. That said, I can’t rule out that they learned it from the same person. No one has reported on this in the years since these operations, even though I’ve tried to get better sourced journalists to go chase it down. Indeed, I recently learned that a top outside expert on issues related to TSB did not know this forensic detail.

The FBI had to chase down a lot of weird forensic shit pertaining to these influence operations, because that’s how this kind of operation works. I have noted in the past, for example, that some script kiddies tried to hijack an early Guccifer 2.0 email account; that was investigated by a Philadelphia grand jury in spring of 2017. So this forensic tidbit could be similarly unrelated to the people behind the operation.

So I don’t want to oversell this forensic tie. I do want to encourage others to try to chase it down. 

But it was something that significantly influenced my understanding of all this in 2017, when files released by TSB had just caused the worst damage of any cyber attack in history, to date.

When I mentioned the forensic tie during my FBI interview, the lead agent responded that they couldn’t confirm or deny anything during the interview. I wasn’t there to get confirmation.

Still, if it’s true — given what we’ve learned since about the Guccifer 2.0 operation — it is hugely significant.

TSB started staging its release — per this really helpful SwitHak timeline — on July 25, the same day Trump directed people to get Roger Stone to chase down the next WikiLeaks releases. The first files were encrypted on August 1, after Stone had already pitched Paul Manafort on a way to “save Trump’s ass.” TSB loaded the NSA files on GitHub just after Stone published a piece suggesting that Guccifer 2.0, and not Russia, had hacked the DNC. TSB went live overnight on August 12-13, not long after Guccifer 2.0 publicly tweeted to Stone, “Thanks that u believe in the real #Guccifer2.” WikiLeaks publicized the effort on August 15, after some private back and forth between Guccifer 2.0 and Stone, including Guccifer 2.0’s question, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” And, per the SSCI analysis and my own, WikiLeaks helped to boost TSB the same day Jerome Corsi may have started giving Roger Stone advance information about the content of the John Podesta emails that wouldn’t be dropped for another two months (SSCI appears not to have considered, much less concluded, that Guccifer 2.0 might be Stone’s source).

If the forensic tie between Guccifer 2.0 and TSB is real, it means that during precisely the same period when Roger Stone was desperately trying to optimize the release of the John Podesta files to save his buddies Paul Manafort and Donald Trump, related actor TSB was beginning a year-long effort to burn the NSA to the ground.

The WikiLeaks Conspiracy: The Government Prepares to Argue WikiLeaks Has Always Been an Organized Crime Syndicate

Last June, I ran into some folks who remain very close to Julian Assange. One of them scheduled dinner with me solely to scold me for writing honestly about the things that WikiLeaks had done in the past three years rather than focusing exclusively on the EDVA Espionage indictment charging Assange for things he did almost a decade ago.

The person complained that my factual reporting on 2016 election and — especially — the Vault 7 leak (I think this was the offending post) would undercut whatever unanimity there was among journalists (unanimity that I joined) that the existing charges against Assange were a dangerous precedent for actual journalists. Reporting true details about shitty things Assange had done in recent years on my humble little blog, it was claimed, would dangerously and singlehandedly undercut Assange’s defense.

No, I did not much appreciate the irony of being criticized for accurate reporting by someone purportedly defending journalism.

But I also thought the concerted effort to suppress what Assange had done recently, while perhaps necessary to generate the statements of support from journalists that were forthcoming, was short-sighted, because it misrepresents what Assange is actually facing. The grand jury in EDVA remains (as far as we know) active. The government specifically said, in June, that it needed Chelsea Manning’s testimony for subjects or charges not yet charged and said such charges were not time barred (as would be true of any ongoing conspiracy).

As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019).

Since then, Jeremy Hammond has joined Manning in believing he can wait out whatever EDVA has in store.

Most of all, Joshua Schulte’s prosecution for the Vault 7 leak — a leak almost no WikiLeaks supporters I know will offer an enthusiastic defense of — kept chugging along. In recent weeks, Schulte has submitted a number of questionable filings claiming the dog ate his homework so he can’t be prepared in time for his trial:

  • The attorney appointed after defense attorneys said they needed one more attorney to prep for trial in time said he couldn’t prep for trial in time, but can’t talk about why not until he’s done with a week-long vacation
  • The government’s (admittedly long) motion in limine repeating details the government disclosed several times before took the defense by surprise
  • The defense can’t make a constitutional challenge to CIPA generally until the judge rules on CIPA specifically (this is the one arguably reasonable request)
  • The defense had no idea the government wasn’t claiming Schulte downloaded a terabyte of data onto a thumb drive that can’t hold that terabyte even though the government told the defense that a year ago and then again in November

But as of now, Schulte’s trial is due to start on January 13, a month and a half before Assange’s first substantive extradition hearing starting on February 25.

And at that trial, the government is preparing to argue that Schulte intended to harm the United States when he leaked these files to WikiLeaks, a stronger level of mens rea than needed to prove guilt under the Espionage Act (normally the government aims to prove someone should have known it could cause harm, relying on their Non-Disclosure Agreements to establish that), and one the government has, in other places, described as the difference between being a leaker and a spy.

To make that argument, the government is preparing to situate Schulte’s leaks in the context of prior WikiLeaks releases, in a move that looks conspicuously like the kind of ongoing conspiracy indictment one might expect to come out of the WikiLeaks grand jury, one that builds off some aspects of the existing Assange indictment.

In a motion opposing Schulte’s effort to disqualify Paul Rosenzweig as an expert witness (see this post for background), the government lays out some of the things it plans to have Rosenzweig explain to the jury. Some of this is dangerous criminalization of security, most notably tying WikiLeaks’ endorsement of Tor and Tails to Schulte’s own use of it.

But some of it fleshes out the scope the government laid out when it first requested to call Rosenzweig.

The Government recognizes the need to avoid undue prejudice, and will therefore limit Mr. Rosenzweig’s testimony to prior WikiLeaks leaks that have a direct relationship with particular aspects of the conduct relevant to this case, for example by linking specific harms caused by WikiLeaks in the past to Schulte’s own statements of his intent to cause similar harms to the United States or conduct. Those leaks include (i) the 2010 disclosure of documents provided to WikiLeaks illegally by Chelsea Manning; (ii) the 2010 disclosure of U.S. diplomatic cables; (iii) the 2012 disclosure of files stolen from the intelligence firm Stratfor; and (iv) the 2016 disclosure of emails stolen from a server operated by the Democratic National Committee.

For example, it will tie WikiLeaks’ failure to redact the identities of US sources in Chelsea Manning’s leaks — something charged in counts 15 through 17 of Assange’s indictment — to Schulte’s behavior. It sounds like Rosenzweig will explain something I’ve alluded to: WikiLeaks apparently left the names of some of Schulte’s colleagues unredacted, which given WikiLeaks’ big show of redacting the files could only have been intentional and would have required coordination with Schulte to do.

Mr. Rosenzweig will testify that WikiLeaks does not typically redact the information that it publicly discloses (even when that information may reveal confidential sources). The Government will introduce evidence, however, that the Classified Information was purportedly redacted when posted online. Mr. Rosenzweig’s testimony will help the jury understand the significance of WikiLeaks’ unique claim to have redacted the Classified Information, including, for example, the period of delay between when Schulte disclosed the Classified Information to WikiLeaks (in or about the spring of 2016) and when WikiLeaks first announced that it would begin to disclose the Classified Information (in or about the spring of 2017). [my emphasis]

One reason Assange made a show of redacting the identities was because he was attempting to extort a pardon at the time, so he had to appear willing to negotiate with DOJ. But it seems likely Rosenzweig will explain that that was just a show and that even as WikiLeaks was making that show it was also ensuring that other CIA SysAdmins might be targeted by foreign governments.

Likewise, Rosenzweig will tie the embarrassment caused by Manning’s releases to Schulte’s own intent to cause damage with his self-described Information War against the US.

The Government intends to introduce evidence (including his statements) of Schulte’s knowledge of Manning’s leak and the need for the U.S. government to maintain secrecy over certain information. Furthermore, the Government also plans to introduce evidence of how Schulte, from the Metropolitan Correctional Center (the “MCC”), declared an “information war” against the United States, pursuant to which he intended to publicly disclose classified information and misinformation, including through WikiLeaks (such as the Fake FBI Document), for the purpose of destroying the United States’ “diplomatic relationships,” and encouraged other U.S. government employees to disclose confidential information to WikiLeaks. Mr. Rosenzweig will explain to the jury generally information other leakers have transmitted to WikiLeaks that the organization published and how foreign governments reacted negatively to WikiLeaks’ disclosure of that information—leading, for example, to the highly-publicized resignation of the U.S. Ambassador to Mexico.

Effectively, the government will argue that if you want to conduct an Information War on the US, you choose to leak to WikiLeaks and ensure it will be as damaging as possible. Whatever the circumstances of Manning’s leaks, this uses Schulte’s stated desire to damage the US to retroactively taint what WikiLeaks has claimed in the past was mere journalistic exposure of wrong-doing. That doesn’t necessarily change the First Amendment danger in charging Assange. But it surely attempts to undercut WikiLeaks’ brand as a journalistic entity.

Most interestingly, the government will point to a claim Schulte made to a journalist while writing from jail (one that is plausible given some of his past public postings, but if true, is an unfathomable indictment of CIA’s vetting process) that he once belonged to Anonymous. Rosenzweig will tie this to Anonymous’ decisions to leak the Stratfor cables to WikiLeaks in 2012.

As described in the Government Motions in Limine, in encrypted communications from one of the Contraband Cellphones, Schulte (posing as a third person) stated that he had previously been a member of Anonymous, a group of online hacker activists. Mr. Rosenzweig will testify about how, in 2012, Anonymous and WikiLeaks worked together to release information from a private U.S. intelligence firm.

Of course, Anonymous didn’t just leak the Stratfor cables to WikiLeaks. They also shared files stolen during the Arab Spring and the Syria files. The latter leak provides one of the earliest indicators where the process by which WikiLeaks obtained files may have involvement of Russia, because somehow a file that would have been very damning for Russia never got published. But both would make the story the US wants to tell more complex (though still potentially consistent).

In any case, the focus on Stratfor may explain why the government is holding Jeremy Hammond in contempt to try to get him to testify in the EDVA grand jury, particularly if the government has reason to believe that Schulte was part of that hack.

Finally, the government will use Rosenzweig to explain how, in the wake of the DNC leak and at a time he was in a huff at his CIA bosses again, Schulte did … something in August 2016.

The Government intends to introduce evidence that Schulte transmitted the Classified Information to WikiLeaks in the spring of 2016, that WikiLeaks did not begin to disclose the Classified Information until March 2017, that Schulte was angry with CIA management in August 2016 over a performance review he received, that Schulte’s protective order against Employee-1 was vacated in August 2016, and that, around that same time (i.e., in August 2016), Schulte began to conduct extensive research online about WikiLeaks. The Government intends to offer evidence relating to those searches, including the specific queries Schulte conducted. Schulte has argued in his writings that his August 2016 research was related to WikiLeaks’ August 2016 disclosure of information stolen from a Democratic National Committee server (the “DNC Leak”). Mr. Rosenzweig will testify about the DNC Leak, including the type of information that WikiLeaks actually disclosed in connection with that leak, which will demonstrate why Schulte’s WikiLeaksrelated searches include queries that had nothing to do with the DNC Leak

Side note: Part of the media blitz Assange did in the wake of the DNC leaks included a claim to Chuck Todd that if WikiLeaks ever received information from US intelligence, they would publish it.

Well, it’s a meta story. If you’re asking would we accept information from U.S. intelligence that we had verified to be completely accurate, and would we publish that, and would we protect our sources in U.S. intelligence, the answer is yes, of course we would.

No one else would have, but Schulte would presumably have recognized this as a nod to him, reassurance provided on heavily watched TV that WikiLeaks was progressing towards releasing the files Schulte had leaked. Which is why the likelihood that Schulte also stole a single file reflecting CIA collecting information on who might win the 2012 French presidential election, which WikiLeaks subsequently falsely portrayed as proof that CIA had infiltrated political parties in France rather than asked well-placed sources for readily available information, is of particular interest.

The government, however, is going to point to other Google searches by Schulte from August 2016 that lump Edward Snowden and Shadow Brokers in with WikiLeaks.

For example, in addition to searching for information about WikiLeaks and Julian Assange, its primary leader, Schulte also conducted searches using the search terms “narcissist snowden,” “wikileaks code,” “wikileaks 2017,” “shadow brokers,” and “shadow broker’s auction bitcoin.” “Snowden” was presumably a reference to Edward Snowden, the former NSA contractor who disclosed information about a purported NSA surveillance program, and “Shadow Brokers” was a reference to a group of hackers who disclosed online computer code that they purportedly obtained from the NSA, beginning in or about August 2016.

I have long wondered whether Vault 7 was not a free-standing leak but instead part of the Shadow Brokers operation.  This seems to suggest the government knows they are. If that’s right, it would suggest that in the period when the government was trying to figure out precisely what Russia had done in 2016, both the NSA and CIA’s ability to spy on Russia (and other countries) would have been been deliberately burnt to the ground. And if Schulte knowingly participated in that — in an effort to ensure that the US would struggle to even learn what Russia had done in 2016 — it would explain why they’re planning on arguing he is more of a spy than a leaker.

Which would, in turn, explain why they took the first steps towards arresting Assange as FBI started putting together the evidence needed to charge Schulte on these leaks in 2017.

Let me be clear: I’m not saying I’m sure they’ll fill all these details in a superseding Assange indictment (though the government said it could not provide Assange the underlying evidence even for the 2010 charges until around Christmas — at which point Schulte will have gone through the CIPA process of declassifying classified information for use in his defense, and they could add charges at least until the February 25 hearing). It may still be that the government won’t want to get into the level of classified detail they’d need to to flesh out that case, particularly if they can’t coerce Manning and Hammond to cooperate.

I’m also not making a normative judgment that this eliminates the very real problems with the way Assange is charged now. Without seeing the government’s case, it’s too soon to tell.

What I’m trying to do is lay out what the government seems to be preparing to argue about WikiLeaks in the Schulte case. No doubt this will get me invited for another stern scolding at dinner, but it’s time to stop pretending Assange is being prosecuted for the understanding of WikiLeaks that existed in 2010. By all means, people can and will still defend Assange for taking on an imperialist America. For much of the world (though presumably not among any Five Eyes governments, including Assange’s home country), that still makes him an important dissident taking on a superpower. There is some merit to that stance, but it also requires arguing that superpowers shouldn’t have democratic elections.

But the government is preparing to argue that, after helping Russia tamper in America’s election, WikiLeaks deliberately burned some of CIA’s collection abilities to the ground, making it harder for the US to figure out how Russia did so. The government is preparing to argue that such actions are consistent with what WikiLeaks has been up to since 2010.

I’ve been expecting we might see an indictment alleging WikiLeaks and its associates were and remain engaged in an ongoing conspiracy (a possibility that, if Manning and Hammond’s lawyers haven’t warned them about, they are being utterly negligent, because the government could well argue that obstructing this investigation by refusing to provide immunized testimony is an overt act furthering the conspiracy).

The citations the government has used to justify Rosenzweig’s testimony are heavily focused on terrorism and mob cases (United States v. Farhane and United States v. Mustafa, which are al Qaeda cases; United States v. El Gammal, which is an ISIL one, and United States v. Rahimi, the self-radicalized Chelsea bomber; United States v. Lombardozzi and United States v. Locascio which are Gambino cases, United States v. Amuso, a Lucchese case), including one RICO case. That’s undoubtedly why Schulte’s lawyers really want Rosenzweig’s testimony excluded, to avoid having WikiLeaks treated like an organized crime syndicate.

But if the government is preparing to claim that WikiLeaks worked with Schulte not only to obtain files it tried to use to extort a pardon but then released them in a way that would hurt America’s efforts to respond to Russia’s 2016 operation, that’s a pretty compelling analogy.

Update: After comments from Stefania Maurizi, I’ve rephrased how I described what happened with the Syria Files. I want to be clear the statement in the post was not based on what I’ve been told by reliable sources about the process by which those files got shared with WikiLeaks.

As I disclosed last year, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Hal Martin Sentencing Leaves All Questions Unanswered

Hal Martin was sentenced Friday. He received the nine years agreed upon as part of his plea agreement. But — as the many reports of his sentencing emphasize — closure on this case still doesn’t offer closure on the Shadow Brokers case. Of course the sentencing hasn’t solved the Shadow Brokers case, which has been true since Martin was charged in 2018 but was recently reiterated by AP.

But it also hasn’t provided much clarity on some of the other issues about this case. For example, his lawyer Jim Wyda seems to have confirmed that the cryptic DMs sent to some Kaspersky researchers in advance of the original Shadow Brokers release were his, denying that Martin intended the “Shelf life, three weeks,” DM to be an offer to sell the NSA’s exploits that would be offered for sale less than an hour later. [Note: this sentencing was difficult to cover remotely because the filings weren’t released in PACER, so I’m particularly grateful for other’s coverage, especiall this excellent CyberScoop story on it.]

Jim Wyda, Martin’s public defender, said Friday there was no indication Martin intended for any transaction to take place by that tweet.

I had noted that, given the lack of 2FA at the time of the DMs, hacking Martin’s Twitter account to send the DMs would have been child’s play, something an account claiming to be Shadow Brokers responded to fairly aggressively.

The government, however, offered no comment on those DMs. In response to Judge Richard Bennett’s reminder that the Tweets had been the subject of a Martin challenge to the warrants searching his house, prosecutor Zachary Myers refused to comment, even though classification wouldn’t prevent comment.

Bennett reminded U.S. attorneys of the tweet and the timeline on Friday in court. Assistant U.S. Attorney Zachary Myers said the U.S. government would not be commenting further than noting that the timeline is, indeed, in the facts of the case.

Then there’s the question of whether Martin was a hoarder or a thief. His attorneys insisted his collection of documents was an expression of mental health issues. But the government pointed to how organized it all was (which is hard to square with the descriptions of the chaos of his house from the time of the arrest).

“This is not a case of hoarding, this is stealing,” Myers said Friday at a federal court house in Baltimore. The stolen information “was not in a disorganized manner,” he said, adding what the government found was “logical” and “repetitive.”

Bennett noted Friday he had concerns about the case regarding whether Martin’s alleged hoarding problem, noting that for someone who is a hoarder, he seemed well organized.

Martin’s wife described to CBS how he had recognized his illness before his arrest, but was afraid that if he sought treatment, he would lose clearance and his job.

Mental illness may explain why parts of Martin’s statement expressing remorse make no sense. WaPo:

Martin spoke for about 20 minutes, his voice calm, soft and sometimes difficult to hear as he read nearly verbatim from a letter he’d written earlier this month to the judge.

He made clear that what he’d done was wrong.

“The manner and method of my approach was unorthodox, unconventional, uncanny,” he wrote. “But also unauthorized, illegal and just plain wrong. One step beyond black. Please do not copy this. It is not the easy or correct path. I took shortcuts, went backwards, sideways and around things, crossing major borders and boundaries. It is not good, it’s very, very BAD.”

NYT:

He stood in a striped jersey labeled “Inmate” and read for nearly 30 minutes a rambling statement apologizing to family, friends and his former colleagues at the N.S.A.

“I have been called a walking encyclopedia,” he said, describing himself at another point as “an intellectually curious adventurer.” His words were often cryptic, at one point addressed to “that cool dude in a loose mood” and at another citing the N.S.A. motto, “They serve in silence.”

All that said, one of the most telling details from coverage of yesterday’s sentencing is in the the government’s press release on the sentencing. It emphasizes the resources diverted to investigating Martin’s activities, which sure makes it sound like they don’t think he’s the culprit behind the Shadow Brokers leak.

In court documents and at today’s sentencing hearing, the government noted that crimes such as Martin’s not only create a risk of unauthorized disclosure of, or access to, highly classified information, but often require the government to treat the stolen material as compromised, resulting in the government having to take remedial actions including changing or abandoning national security programs.  In addition, Martin’s criminal conduct caused the government to expend substantial investigative and analytical resources.  The diversion of those resources resulted in significant costs.

Bennett believes the nine year sentence will serve as deterrent for other intelligence personnel. But it’s not clear whether those are the people who need to be deterred.

Twitter Only Had SMS 2FA When Hal Martin’s Twitter Account DMed Kaspersky

In a post late last month, I suggested that the genesis of FBI’s interest in Hal Martin may have stemmed from a panicked misunderstanding of DMs Martin sent.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Kim Zetter provides the back story — or at least part of one. The FBI didn’t find the DMs on their own. Amazingly, Kaspersky Lab, which the government has spent much of the last four years demonizing, alerted NSA to them.

As Zetter describes, the DMs were cryptic, seemingly breaking in mid-conversation. The second set of DMs referenced the closing scenes of both the 2016 version of Jason Bourne and Inception.

The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

The first message sent on Aug. 13, 2016, asked for him to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn’t indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant for a limited time.

The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.

[snip]

The sender’s Twitter handle was not familiar to the Kaspersky recipient, and the account had only 104 followers. But the profile picture showed a silhouette illustration of a man sitting in a chair, his back to the viewer, and a CD-ROM with the word TAO2 on it, using the acronym of the NSA’s Tailored Access Operations. The larger background picture on the profile page showed various guns and military vehicles in silhouette.

The Kaspersky researcher asked the sender, in a reply message, if he had an email address and PGP encryption key they could use to communicate. But instead of responding, the sender blocked the researcher’s account.

Two days later, the same account sent three private messages to a different Kaspersky researcher.

“Still considering it..,” the first message said. When the researcher asked, “What are you considering?” the sender replied: “Understanding of what we are all fighting for … and that goes beyond you and me. Same dilemma as last 10 min of latest Bourne.” Four minutes later he sent the final message: “Actually, this is probably more accurate” and included a link to a YouTube video showing the finale of the film “Inception.”

As it is, it’s an important story. As Zetter lays out, it makes it clear the NSA didn’t — couldn’t — find Martin on its own, and the government kept beating up Kaspersky even after they helped find Martin.

But, especially given the allusions to the two movies, I wonder whether these DMs actually came from Martin at all. There’s good reason to wonder whether they actually come from Shadow Brokers directly.

Certainly, that’d be technically doable, even though court filings suggest Martin had far better operational security than your average target. It would take another 16 months before Twitter offered Authenticator 2 factor authorization. For anyone with the profile of Shadow Brokers, it would be child’s play to break SMS 2FA, assuming Martin used it.

Moreover, the message of the two allusions fits solidly within both the practice of cultural allusions as well as the themes employed by Shadow Brokers made over the course of the operation, allusions that have gotten far too little notice.

Finally, that Kaspersky would get DMs from someone hijacking Martin’s account would be consistent with other parts of the operation. From start to finish, Shadow Brokers used Kaspersky as a foil, just like it used Jake Williams. With Kaspersky, Shadow Brokers repeatedly provided reason to think that the security company had a role in the leak. In both cases, the government clearly chased the chum Shadow Brokers threw out, hunting innocent people as suspects, rather than looking more closely at what the evidence really suggested. And (as Zetter lays out), Martin would be a second case where Kaspersky was implicated in the identification of such chum, the other being Nghia Pho (the example of whom might explain why the government responded to Kaspersky’s help in 2016 with such suspicion).

Mind you, there’s nothing in the public record — not Martin’s letter asking for fully rendered versions of his social media so he could prove the context, and not Richard Bennett’s opinion ruling the warrants based off Kaspersky’s tip were reasonable, even if the premise behind them proved wrong — that suggests Martin is contesting that he sent those DMs. That said, virtually the entire case is sealed, so we wouldn’t know (and the government really wouldn’t want us to know if it were the case).

As Zetter also lays out, Martin had a BDSM profile that might have elicited attention from hostile entities looking for such chum.

A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners. The anonymous ad, on a site for people interested in bondage and sado-masochism, included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and “technical advisor and investigator on offensive cyber issues.” The LinkedIn profile didn’t mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.

And when Kaspersky’s researchers responded to Martin’s DM, he blocked their accounts, suggesting he treated the communications unfavorably (or, if someone had taken over the account, they wanted to limit any back-and-forth, though Martin would presumably have noted that).

After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

Martin’s attorneys claim he has a mental illness that leads him to horde things, which is the excuse they give for his theft of so many government files. That’s different than suggesting he’d send strangers out-of-context DMs that, at the very least, might make him lose his clearance.

So I’d like to suggest it’s possible that Martin didn’t send those DMs.

It Is False and Defamatory to Accuse WikiLeaks of a Bunch of Things that Aren’t the Key Allegations against It

WikiLeaks decided it was a good idea to release a long list of claims about Julian Assange and WikiLeaks that it considers defamatory. Emma Best obtained and liberated the list. Given that the list clearly attempts (unsuccessfully in some places, and hilariously in other places where they deem matters of opinion defamatory) to be factually correct, I’m interested in the way WikiLeaks uses the list to try to deny a bunch of things that might end up in a US criminal indictment.

The US is only angry with Assange because Ecuador has lots of debt

Pretty far down the list, WikiLeaks denies being gagged for claims made about Sergey Skripal in such a way as to falsely suggest the only concerns the US had over Assange came to do with debt pressure.

It is false and defamatory to suggest that Ecuador isolated and gagged Mr. Assange due to his comments on Sergei Skripal [in fact, he was isolated over his refusal to delete a factually accurate tweet about the arrest of the president of Catalonia by Spain in Germany, along with U.S. debt pressure on Ecuador. The president of Ecuador Lenin Moreno admitted that these two countries were the issue, see https://defend.wikileaks.org/about-julian/].

It’s nonsensical to claim that Assange was gagged just because of debt pressure, but it’s a good way to hide how the timing of his gag correlated with actions he took to piss of the US government, including by releasing a live CIA malware file.

The US charged Assange for actions it already decided not to charge him for, on which statutes of limitation have expired

The rest of the list is sprinkled with efforts to spin the US government’s legal interest in Assange. There’s an extended series of items that attempt to claim, as WikiLeaks has since DOJ accidentally revealed the existence of a recently filed complaint against Assange, that the charges instead relate to long-past publications (like Cablegate).

It is false and defamatory to deny that Julian Assange has been formally investigated since 2010 and charged by the U.S. federal government over his publishing work [it is defamatory because such a claim falsely imputes that Mr. Assange’s asylum is a sham and that he is a liar, see https://defend.wikileaks.org/].

It is false and defamatory to suggest that such U.S. charges have not been confirmed [in fact, they have, most recently by Associated Press (AP) and the Washington Post in November 2018].
– It is false and defamatory to suggest that the U.S. government denies the existence of such charges.
– It is false and defamatory to suggest that Julian Assange is not wanted for extradition by the U.S. government [in fact, public records from the Department of Justice show that the U.S. government says it had been intentionally concealing its charges against Mr. Assange from the public specifically to decrease his ability to “avoid arrest and extradition”].
– It is false and defamatory to suggest that the U.S. government has not publicly confirmed that it has an active grand jury, or pending or prospective proceedings, against Julian Assange or WikiLeaks, each year since 2010.

These claims are all true. WikiLeaks has been under investigation since well before 2010. There are charges that the US would like to extradite Assange for.

But all the public evidence suggests those charges relate to WikiLeaks’ recent actions, almost certainly involving Vault 7 and probably involving Russia’s election year operation.

Julian Assange is not a hacker, which is different from being someone who solicits or assists in hacks

WikiLeaks makes repeated claims that might appear to deny that the organization has solicited or assisted in hacks. The list denies that the DNC (which doesn’t have all the evidence Mueller does) has accused Assange of soliciting hacks of the DNC or Podesta. (Everywhere, this list is silent about the DCCC and other election year targets).

It is false and defamatory to suggest that the Democratic National Committee has claimed that Julian Assange directed, conspired, or colluded to hack the Democratic National Committee or John Podesta [in fact, the DNC makes no such claim: https://www.courthousenews.com/wp-content/uploads/2018/12/WikiLeaksDNC.pdf].

It denies that France has claimed that the MacronLeaks came from Russia (which again stops short of saying that the MacronLeaks came from Russia).

It is false and defamatory to suggest that the French government found that “MacronLeaks” were hacked by Russia [in fact, the head of the French cyber-security agency, ANSSI, said that they did not have evidence connecting the hack with Russia, see https://wikileaks.org/macron-emails/].

It denies that Assange has hacked the state of Ecuador (but not the Embassy of Ecuador or other states, including the US or Iceland).

It is false and defamatory to suggest that Julian Assange has ever hacked the state of Ecuador.

And it denies that Assange is, himself, a hacker.

It is false and defamatory to suggest that Julian Assange is a “hacker”.

All of these hacking denials stop well short of denying that WikiLeaks has solicited hacks before, including by publicizing a “most wanted” list that Russian hackers might respond to.

Mueller described WikiLeaks as an unindicted co-conspirator but that doesn’t mean Mueller has any interest in the organization

Close to the top of the list, WikiLeaks makes two claims to suggest the organization and Assange are not targets in the Mueller investigation.

It is false and defamatory to suggest that WikiLeaks or Julian Assange has ever been contacted by the Mueller investigation.

It is false and defamatory to suggest that there is any evidence that the U.S. charges against Julian Assange relate to the Mueller investigation.

This is misdirection hiding a great deal of evidence that WikiLeaks is a target in the Mueller investigation. The list is silent, for example, on whether Congressional investigators have contacted Assange, whether Assange ultimately did accept SSCI’s renewed request last summer to meet with Assange, and whether Assange demanded immunity to travel to the US to respond to such inquiries.

Nor does WikiLeaks deny having been described — in a fashion usually reserved for unindicted co-conspirators — in a Mueller indictment.

WikiLeaks doesn’t deny that WikiLeaks denied Russians were its source for 2016 materials

WikiLeaks twice denies, in very similar language, that it suggested that Seth Rich was its source for the DNC emails.

It is false and defamatory to suggest that WikiLeaks or Julian Assange claimed that any person or entity was their source for WikiLeaks’ 2016 U.S. election publications [it is defamatory because Julian Assange’s professional reputation is substantially based on source protection].

[snip]

It is false and defamatory to suggest that WikiLeaks or Julian Assange has ever stated or suggested that any particular person was their source for any publication, including Seth Rich.

A good lawyer would be able to sustain a claim that Assange had indeed “suggested” that Rich was his source, though it would make an interesting legal battle.

But when WikiLeaks denies feeding Seth Rich conspiracies, it does so only by denying the most extreme conspiracy, that the Democrats had Rich killed.

It is false and defamatory to suggest that WikiLeaks or Julian Assange has ever published, uttered or tried to promote alleged conspiracy theories claiming “John Podesta engaged in satanic rituals”, the “Democratic Party had Seth Rich Killed”, “Clinton wore earpieces to the 2016 US election debates”, on “Clinton’s health” or “Clinton kidnapping children”.

All of this, of course, dodges the way that WikiLeaks repeatedly tried to claim that Russia was not its ultimate source for the 2016 files.

Should we take the silence on this point as an admission?

Marcy Wheeler is false and defamatory

Finally, there are four claims relating to Vault 7, three of which pertain to my coverage of the way WikiLeaks attempted to leverage the Vault 7 releases in conversations with the Trump Administration. WikiLeaks denies that the two times Assange suggested to the President’s spawn that he should be made an ambassador to the US constituted an effort by WikiLeaks to get Trump to appoint Assange ambassador (note, this is also a denial that Assange tried to serve in another diplomatic role, which is different than being Ambassador).

It is false and defamatory to suggest that WikiLeaks tried to have the Trump administration appoint Julian Assange as an ambassador or to have any other person or state appoint him as an ambassador.

I find it notable that this claim departs from the form used in many of these denials, speaking for both Assange and WikiLeaks.

Then the list twice denies that Assange suggested he wouldn’t release the Vault 7 files if the Trump Administration provided him immunity.

It is false and defamatory to suggest that Julian Assange has ever extorted the United States government.

It is false and defamatory to suggest that Julian Assange has ever proposed that he not publish, censor or delay a publication in exchange for any thing.

Assange would and will claim that the discussions with Adam Waldman where just this arrangement was floated are protected by Attorney-Client privilege. But Waldman may have said enough to people at DOJ to refute this denial regardless.

Finally, WikiLeaks insisted it has never retracted any of the bullshit claims it made about its Vault 7 files.

It is false and defamatory to suggest that any of WikiLeaks’ claims about its 2017 CIA leak, Vault 7, “were later retracted”.

Given that one of the claims directly parroted the bullshit claims Shadow Brokers was making, a claim it made in a release that will probably be part of the charges against it, this non-retraction doesn’t necessarily help it much.

Note that one other thing WikiLeaks is silent about here are its public statements about Joshua Schulte, whose attempts to continue leaking from jail the FBI got on video. I find that interesting both for WikiLeaks’ attempt to corroborate Schulte’s thin excuse for using Tor after he was charged, and for its relative silence about whether he would be a whistleblower if he were its source for CIA’s hacking tools.

Update: WikiLeaks has released a revised version that takes out, among other things, the Ambassador claim, the Seth Rich claims, and also a denial that it is close to Russia.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Hal Martin Manages to Obtain a Better Legal Outcome than Reality Winner, But It Likely Doesn’t Matter

I’d like to comment on what I understand happened in a Hal Martin order issued earlier this month. In it, Judge Richard Bennett denied two requests from Martin to throw out the warrants for the search of his house and cell site tracking on his location, but granted an effort to throw out his FBI interrogation conducted the day they raided his house.

Hal Martin did not tweet to Shadow Brokers

The filing has received a bit of attention because of a redaction that reveals how the government focused on Martin so quickly: a Tweet (apparently a DM) he had sent hours before the Shadow Brokers files were first dropped on August 13, 2016.

The passage has been taken to suggest that Martin DMed with Shadow Brokers before he published any files.

That’s impossible, for two reasons.

First, it is inconsistent with Shadow Brokers’ known timeline. Shadow Brokers didn’t set up a Twitter account until after the first batch of files were initially posted. And both the Martin warrant — dated August 25 — and the search — which took place the afternoon of August 27 — preceded the next dump from Shadow Brokers on August 28.

But it’s also impossible for how Bennett ruled.

While the underlying motion remains sealed (like virtually everything else in this case), Martin was arguing the warrant used to obtain his Twitter content and later search his house was totally unreasonable under the Fourth Amendment. It’s clear from a letter Martin sent the judge asking for his social media accounts as they actually appeared that he believes the FBI read the content of his Tweet out of context. And the judge actually considered the argument that the search was unreasonable to have merit, and in ruling that the FBI did have substantial basis for the search warrant, conceded that in another context the Tweet would not appear to be so damning.

Significantly, the Fourth Amendment exclusionary rule does not bar the admission of evidence obtained by officers acting in reasonable reliance on a search warrant issued by a magistrate later,found to be invalid. United States v. Leon, 468 U.S. 897,913-14 (1984). The evidence will be suppressed only if (1) the issuing judge was misled by information that the affiant knew or should have known was false, (2) the judge “wholly abandoned” her neutral role, (3) the affidavit was “so lacking in indicia of probable cause as to render official belief in its existence entirely unreasonable,” or (4) the warrant is so facially deficient that no reasonable officer could presume it to be valid. !d. at 923 (citations omitted).

[snip]

In this case, there was a substantial basis for the Magistrate’s fInding of probable cause to issue the search warrant for information associated with the Defendant’s Twitter account. See Upton, 466 U.S. at 728. The affIdavit provides that the Defendant’s Twitter messages [redacted] in which he requested a meeting [redacted] and stated “shelf life, three weeks” – were sent just hours before what was purported to be stolen government property was advertised and posted on multiple online content-sharing sites, including Twitter. (ECF No. 140-1 ~~ 14-23.) Further, and signifIcantly,the affIant averred that the Defendant was a former government contractor who had accessto the information that appeared to be what was purported to be stolen government property that was publicly posted on the Internet. (Id. ~~ 25-27.) Thus, although the Defendant’s Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant’s messages provide a substantial basis for the Magistrate’s conclusion that there was a “fair probability” that evidence of the crime of Theft of Government Property, in violation of 18 U.S.c. ~ 641, would be found in information associated with the Defendant’s Twitter account. See Gates, 462 U.S. at 238.

You would never see language like this if Martin really were tweeting with Shadow Brokers, particularly not given the timeline (as it would suggest that he knew of Shadow Brokers before he ever posted). The warrant would, in that case, not be a close call at all. Indeed, the language is inconsistent with Martin’s interlocutor having anything to do with Shadow Brokers.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Hal Martin got a similar FBI interrogation to Reality Winner’s thrown out

The sheer extent of FBI’s panic is probably what made Martin’s effort to get his FBI interrogation thrown out more successful than Reality Winner’s effort.

Their interrogations were similar. Ten FBI Agents came to Winner’s house, whereas nine SWAT team members, plus eight other FBI Agents, and a few Maryland State Troopers came to Martin’s. In both cases, the FBI segregated the NSA contractors in their home while Agents conducted a search. In Winner’s case, they also segregated her from her pets. In Martin’s case, they segregated him from his partner, Deborah Shaw, and when they did finally let him talk to her, they told Martin “you can’t touch her or any of that stuff.” When the NSA contractors wanted to get something from another part of their home, the FBI accompanied them.

Aside from the even greater number of FBI Agents and that Martin had a partner to be separated from, the biggest difference in Martin’s case is that that they set off a flash-bang device to disorient Martin, and the FBI originally put him face down on the ground and handcuffed him. Those factors, Bennett judged, meant it was reasonable for Martin to believe he was under arrest, and therefore the FBI should have given him a Miranda warning.

That is, on the afternoon of the interrogation, approximately 17-20 law enforcement officers swarmed the Defendant’s property. The Defendant was initially approached by nine armed SWAT agents, handcuffed, and forced to lay on the ground. During the four-hour interrogation, the Defendant was isolated from his partner, his freedom of movement was significantly restricted, and he was confronted with incriminating evidence discovered on his property. In this police dominated environment, a reasonable person in the Defendant’s position would have believed he was not free to leave, notwithstanding the agents’ statements to the contrary.

So unlike Winner, Martin will have his interrogation (in which he admitted to taking files home from his job as a contractor and explained how he did so) thrown out.

But it probably won’t matter.

As a reminder, the FBI charged Martin with taking home 20 highly classified files in February 2017, but they included no allegation that he (willfully) served as a source for Shadow Brokers. It’s possible they know he was an inadvertent source for Shadow Brokers (unlike Nghia Pho, who was likely also a source for Shadow Brokers, they charged Martin for 20 files, larding on the legal exposure; they charged Pho with taking home just one file, while getting him to admit that he could have been charged for each individually). But an earlier opinion in this case ruled that the government only has to prove that by taking hordes of files from of his employers that included National Defense Information, he knowingly possessed the ones he got charged for.

In any case, Martin has already been in jail for 28 months, almost half the amount of time that Pho will serve for doing the same thing, and his trial is not due to start on June 17, a full 34 months after he was arrested. As with Winner, the delay stems from the Classified Information Protection Act process, which ensures that — once the government successfully argues that the secrets in your head make it impossible to release you on bail for fear a foreign intelligence agency will steal those secrets — you serve the equivalent of a sentence before the government even has to prove your guilt.

Again, it may be that Martin unwittingly served as a source for Shadow Brokers. But if he didn’t, then the heavy hand they’re taking with him appears to stem from sheer embarrassment at fucking up with the initial panicked pursuit of him.

Update: Corrected the post to reflect that the search actually preceded the August 28 dump.

In media res: the FBI’s WannaCry Attribution

I’ve been working through the complaint charging Park Jin Hyok with a slew of hacking attributed to the Lazarus group associated with North Korea. Reading it closely has led me to be even less convinced about the government’s attribution of the May 2017 WannaCry outbreak to North Korea. It’s going to take me a series of posts (and some chats with actual experts on this topic) to explain why. But for now, I want to point to a really suspect move the complaint makes.

The FBI’s proof that Park and Lazarus and North Korea did WannaCry consists, speaking very broadly, of proof that the first generation of the WannaCry malware shared some key elements with other attacks attributed to Lazarus, and then an argument that the subsequent two generations of WannaCry were done by the same people as the first one. While the argument consists of a range of evidence and this post vastly oversimplifies what the FBI presents, three key moves in it are:

  • The earlier generations of WannaCry are not known to be publicly available
  • Subjects using a known Lazarus IP address were researching how to exploit the Microsoft vulnerability in the weeks before the attack
  • Both WannaCry versions 1 and 2 cashed out Bitcoin in a similar way (which the complaint doesn’t describe)

For now, I’m just interested in that middle point, which the complaint describes this way:

221. On March 14, 2017, Microsoft released a patch for a Server Message Block (SMB) vulnerability that was identified as CVE-2017-0144 on its website, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Microsoft attempted to remedy the vulnerability by releasing patches to versions of Microsoft Windows operating systems that Microsoft supported at the time. Patches were not initially released for older versions of Windows that were no longer supported, such as Windows XP and Windows 8.

222. The next month, on April 15, 2017, an exploit that targeted the CVE-2017-0144 vulnerability (herein the “CVE-2017-0144 exploit”) was publicly released by a group calling itself the “Shadow Brokers.”

223. On April 18, 2017 and April 21, 2017, a senior security analyst at private cyber security company RiskSense, Inc. (“RiskSense”) posted research on that exploit on his website: https://zerosum0x0.blogspot.com.

224. On May 9, 2017, RiskSense released code on the website github.com with the stated purpose of allowing legal “white hat” penetration testers to test the CVE-2017-0144 exploit on unpatched systems. Essentially, RiskSense posted source code that its employees had reverse-engineered for the CVE-2017-0144 exploit, which cyber security researchers could then use to test vulnerabilities in client computer systems. I know based on my training and experience that penetration testers regularly seek to exploit vulnerabilities with their customers’ consent as a proof-of-concept to demonstrate how hackers could illegally access their customers’ systems.

225. On May 12, 2017, a ransomware attack called “WannaCry” (later identified as “WannaCry Version 2,” as discussed below) began affecting computers around the globe.

[snip]

242. Records that I have obtained show that the subjects of this investigation were monitoring the release of the CVE-2017-0144 exploit and the efforts by cyber researchers to develop the source code that was later packaged into WannaCry Version 2:

a. On numerous days between March 23 and May 12, 2017, a subject using North Korean IP Address #6 visited technet.microsoft.com, the general domain where Microsoft hosted specific webpages that provide information about Microsoft products, including information on Windows vulnerabilities (including CVE-2017-0144), although the exact URL or whether the information on this particular CVE was being accessed is not known.

b. On April 23, April 26, May 10, May 11, and May 12, 2017, a subject using North Korean IP Address #6 visited the blog website zerosum0x0.blogspot.com, where, on April 18, 2017 and 21, 2017, a RiskSense researcher had posted information about research into the CVE-2017-0144 exploit and progress on reverse-engineering the exploit; RiskSense subsequently released the exploit code on GitHub.com.

According to the in media res story told by the FBI, the following is the chronology:

March 14: Microsoft drops a vulnerability seemingly out of the blue without publicly calling attention to it

Starting on March 23: Someone using known Lazarus IP address #6 tracks Microsoft’s vulnerabilities reports (note, the FBI doesn’t mention whether this was typical behavior or unique for this period)

April 15: Shadow Brokers releases the Eternal Blue exploit

April 18 and 23: RiskSense releases a reverse engineered version of Eternal Blue

Starting on April 23 and leading up to May 12: Someone using that same known Lazarus IP #6 makes a series of visits to the RiskSense site that released an exploit reverse engineered off the Shadow Brokers release

May 12: A version of WannaCry spreads across the world using the RiskSense exploit

Of course, that’s not how things really happened. FBI neglects to mention that on January 8, Shadow Brokers offered to auction off files that NSA knew included the SMB exploit that Microsoft issued a patch for on March 14.

Along with that important gap in the narrative, the FBI Agent who wrote the affidavit behind this complaint, Nathan Shields, is awfully coy in describing Shadow Brokers simply as “a group calling itself the ‘Shadow Brokers.'” While the complaint remained sealed for three months, by June 8, 2018, when the affidavit was written, the FBI assuredly knew far more about Shadow Brokers than that it was a group with a spooky name.

As public proof, DOJ signed a plea agreement with Nghia Pho on November 29 of last year. Pho was reportedly the guy from whose home computer some of these same files were stolen. While the publicly released plea has no cooperation agreement, the plea included a sealed supplement, which given the repeated delays in sentencing, likely did include a cooperation agreement.

Pho is due to be sentenced next Tuesday. The sentencing memos in the case remain sealed, but it’s clear from the docket entry for Pho’s that he’s making a bid to be treated in the same way that David Petraeus and John Deutsch were — that is, to get a misdemeanor treatment and probation for bringing code word documents home to store in an unlocked desk drawer — which would be truly remarkable treatment for a guy who allegedly made NSA’s hacking tools available for theft.

And while it’s possible that FBI Agent Shields doesn’t know anything more about what the government knows about Shadow Brokers than that it has a spooky name, some of the folks who quoted in the dog-and-pony reveal of this complaint on September 6, not least Assistant Attorney General John Demers, do know whatever else the government knows about Shadow Brokers.

Including that the announcement of the sale of Eternal Blue on January 8 makes the searches on Microsoft’s site before the exploit was actually released on April 15 one of the most interesting details in this chronology. There are lots of possible explanations for the fact that someone was (as the FBI’s timeline suggests) searching Microsoft’s website for a vulnerability before the import of it became publicly known.

But when you add the January 8 Shadow Brokers post to the timeline, it makes culprits other than North Korea far more likely than the FBI affidavit makes out.

GRU’s Alice Donovan Persona Warned of a WannaCry-Like Event a Year before It Happened

As I disclosed last month, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In this post, I suggested that The Shadow Brokers persona served as a stick to the carrots Vladimir Putin dangled in front of Donald Trump. When Donald Trump took an action — bombing Syria to punish Bashar al-Assad — that violated what I believe to be one of the key payoffs in the election quid pro quo, Shadow Brokers first bitched mightily, then released a bunch of powerful NSA tools that would soon lead to the WannaCry global malware attack.

It turns out GRU warned of that kind of attack a year before it happened.

One of the tidbits dropped into a very tidbit-filled GRU indictment is that GRU ran the Alice Donovan propaganda persona.

On or about June 8, 2016, and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.”

That tidbit has led to some follow-up on the Donovan figure, including this typically great DFRLab piece arguing that Russia had two parallel streams of troll campaigns, the Internet Research Agency one focused on the election, and the GRU one focused on foreign policy.

Donovan was first exposed in December of last year after WaPo reported on and CounterPunch did a review of “her” work after then WaPo reporter Adam Entous contacted CP after learning the FBI believed “she” had some tie to Russia.

We received a call on Thursday morning, November 30, from Adam Entous, a national security reporter at the Washington Post. Entous said that he had a weird question to ask about one of our contributors. What did we know about Alice Donovan? It was indeed an odd question. The name was only faintly familiar. Entous said that he was asking because he’d been leaked an FBI document alleging that “Alice Donovan” was a fictitious identity with some relationship to Russia. He described the FBI document as stating that “Donovan” began pitching stories to websites in early 2016. The document cites an article titled “Cyberwarfare: Challenge of Tomorrow.”

As both pieces emphasize, the first article that Donovan pitched — and “she” pitched it to multiple outlets — pertained to cyberattacks, specifically to ransomware attacks on hospitals.

The article was first published in Veterans Today on April 26, 2016. That’s the same day that Joseph Mifsud first told George Papadopoulos Russia had emails — emails hacked by Donovan’s operators — they planned to leak to help defeat Hillary Clinton.

CounterPunch published the cybersecurity article on April 29. That’s the day the DNC first figured out that GRU (and FSB’s APT 29) had hacked them.

Those dates may well be coincidences (though they make it clear the Donovan persona paralleled the hack-and-leak campaign). I’m less sure about the third publication of the article, in Mint Press, on August 17, 2016, just four days after Shadow Brokers went live. So just days after Shadow Brokers had called out, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!” an article was republished with the penultimate paragraph accusing the US of planning to shut down Iran’s power grid.

Moreover, the U.S. has been designing crippling cyber attack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the U.S. was prepared to shut down the country’s power grid and communications networks.

The basis for that accusation was actually this article, but “Donovan” took out the reference (bolded below) to GRU’s attack on Ukraine’s power grid in the original.

Today such ransomware attacks are largely the work of criminal actors looking for a quick payoff, but the underlying techniques are already part of military planning for state-sponsored cyberwarfare. Russia showcased the civilian targeting of modern hybrid operations in its attack on Ukraine’s power grid, which included software designed to physically destroy computer equipment. Even the US has been designing crippling cyberattack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the US was prepared to shut down the country’s power grid and communications networks.

Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think. [my emphasis]

And “Donovan” adds in this sentence (from elsewhere in the Forbes article).

Government itself, including its most senior intelligence and national security officials are no better off when a single phishing email can redirect their home phone service and personal email accounts.

When this article was first published, the memory was still fresh of the Crackas with Attitude hack, where self-described teenagers managed to hack John Brennan and James Clapper and forward the latter’s communications (among the men serving prison sentences for this attack are two adult Americans, Andrew Otto Boggs and Justin Liverman).

Most of the rest of the article uses the threat of malware attacks on hospitals to illustrate the vulnerability of civilian infrastructure to cyberattack. It cites a Kaspersky proof of concept (recall that Shadow Brokers included a long play with Kaspersky). It cites an FBI agent attributing much of this hacking to Eastern Europe.

Stangl said the hackers, most of them from Eastern Europe, have increasingly targeted businesses, which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.

And the “Donovan” article explains at length — stealing from this article — why hospitals are especially vulnerable to malware attacks.

Such attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets. On average hospitals spent about 2 percent on IT, and security might be 10 percent of that. Compare that percentage to the security spending by financial institutions: for example, Fidelity spends 35 percent of its budget on IT.

Moreover, medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades.

“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise. Also, many hospital computer systems are outdated, bulky and in dire need of upgrades or newer software, he said. But such institutions often don’t have — or don’t want to spend — the money to make sweeping changes.

While it’s still unclear which computer WannaCry first infected in May 2017, Britain’s National Health Service was easily the most famous victim, with about a third of the system being shut down. Not long after WannaCry, NotPetya similarly spanned the globe in wiperware designed to appear as ransomware (though the latter’s use of NSA tools was mostly just show). While the US and UK have publicly attributed WannaCry to North Korea (I’m not convinced), NotPetya was pretty clearly done by entities close to GRU.

And a year before those global pseudo-ransomware worms were launched, repeated just days after Shadow Brokers started releasing NSA’s own tools, GRU stole language to warn of “a nation burrow[ing] its way deeply into the industrial and commercial networks of another state and deploy[ing] ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think.”

(h/t TC for the heads up on this file and a number of the insights in this piece)

Update: MB noted that the “added” sentence actually also comes from the original Forbes article (it links to an earlier column that notes the Crackas tie explicitly).