By Adam Carter --- May 6, 2019
On April 18, 2019, a redacted version of Robert Mueller's report on "RussiaGate" related activities was released to the public.
This article focuses on Volume I Part III titled "Russian Hacking & Dumping Operations" and provides details of the errors made, critical omissions, lack of conclusive evidence and reliance on assumptions and speculation.
We will also look at problems relating to attribution methods used, countervailing evidence that has clearly been disregarded and other problems that are likely to have affected the quality of the investigation and the report.
The Mueller Report: Context & Contradiction
We start with a read-through of this section of the report, highlighting missing context, contradictions and errors.
Page 36
[To minimize repetition, we'll deal with statements made in this introduction where the basis is explained or details are provided on other pages ahead.]
Page 36
While the Netyksho indictment does provide details of intrusions and infrastructure used, it's still unclear how the infrastructure has been attributed back to individuals in the GRU and no conclusive evidence has been presented to support that in the indictment or the report.
Page 37
Some of the claims relating to state boards of elections are contradicted by the Department of Homeland Security; we'll return to this where it's covered in more detail later in the report.
Page 37
Whatever sources the GRU did their "learning" from, they seem to have been outdated: many of the phishing emails bounced because they were addressed to individuals who were not involved in Clinton's 2016 campaign and who no longer had mailboxes on the relevant domains (they were involved in earlier campaigns in previous years).
Page 39
In the Netyksho indictment it is stated that the "middle-servers" are overseas:
So, what was the point in having a US-based AMS Panel if you're using overseas servers as proxies?
This seems to be a needlessly noisy setup that somewhat defeats the purpose of having a US-based server for the AMS panel.
This setup makes the assets allegedly used by GRU officers subject to US laws, subject to Internet monitoring by US intelligence agencies and prone to being physically seized.
With the GRU using middle-servers, as alleged, there would have been absolutely no reason to have the AMS panel hosted on a server within the US and every reason to have it hosted elsewhere.
It almost seems like they wanted to get caught!
Page 40
We are told the GRU obtained files from the DNC network on April 22, 2016, (this is a little different to the Netyksho indictment that states the files were archived on April 22, 2016 and extracted later):
The problem with this is that it suggests the GRU had their implant on the DNC network earlier than what the available evidence supports.
The malware samples provided by CrowdStrike show that the earliest compile date of Fancy Bear malware reportedly discovered at the DNC was April 25, 2016.
Perhaps they didn't discover all the malware until later? (Though, with their flagship product installed across the network, one would think they'd have detected all the malware present by the time they reported on discoveries).
Regarding the stolen opposition research, we've only seen the document as an attachment to one of Podesta's emails and a deliberately tainted version of the same document released by Guccifer 2.0.
The implication that this was stolen from the DNC is questionable due to this.
Going further, the story surrounding this changed in November 2017 when the Associated Press published a story titled "How Russians hacked the Democrats’ emails" in which they cite an anonymous former DNC official who asserts that Guccifer 2.0’s first document (the Trump opposition report) did not originate in the DNC as initially reported.
Another interesting point relating to this is the "HRC_pass.zip" archive released by Guccifer 2.0 on June 21, 2016 (which also provided another US central timezone indication), which contained files with last modification dates of April 26, 2016. While this fits within the above timeframe, the transfer of the files individually, the apparent transfer speeds involved and the presence of FAT-like 2-second rounding artifacts (noted elsewhere in Guccifer 2.0's releases) when the files came from an NTFS system (and the ZIP implementation was not the cause) do not correlate well with what the report outlines.
In spite of its name ("HRC_pass.zip") this archive appears to contain files that can be sourced to the DNC. Out of 200 files, only one showed up as an attachment (in the Podesta emails).
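One way to run the kind of rounding check mentioned above, as an added example that is not code from this article or from the analyses it cites; the archives it examines are constructed in memory. A ZIP entry's basic DOS timestamp always has 2-second resolution, so the check only uses the optional NTFS extra field (header 0x000a), which stores 100 ns FILETIME values. The function names and sample times are assumptions made for illustration.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS FILETIME counts 100 ns intervals


def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks using integer maths."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def ntfs_extra(ticks):
    """Build a ZIP NTFS extra field (0x000a) holding mtime/atime/ctime."""
    attr = struct.pack("<HHQQQ", 0x0001, 24, ticks, ticks, ticks)
    return struct.pack("<HHI", 0x000A, 4 + len(attr), 0) + attr


def ntfs_mtime(extra):
    """Return the FILETIME mtime from an entry's extra data, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if header_id != 0x000A:
            continue
        apos = 4  # skip the 4 reserved bytes
        while apos + 4 <= len(body):
            tag, asize = struct.unpack_from("<HH", body, apos)
            if tag == 0x0001 and apos + 12 <= len(body):
                return struct.unpack_from("<Q", body, apos + 4)[0]
            apos += 4 + asize
    return None


def rounding_report(zip_bytes):
    """Summarise how the high-resolution mtimes in a ZIP are rounded."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
    times = [t for t in (ntfs_mtime(e.extra) for e in entries) if t is not None]
    # Files copied together can share a timestamp, so count distinct values.
    distinct = set(times)
    sub_second = sum(1 for t in distinct if t % TICKS_PER_SECOND)
    whole_even = sum(1 for t in distinct if t % (2 * TICKS_PER_SECOND) == 0)
    fat_like = bool(distinct) and whole_even == len(distinct)
    return {
        "entries": len(entries),
        "with_ntfs_time": len(times),   # entries that can be evaluated at all
        "distinct_times": len(distinct),
        "sub_second": sub_second,       # values with a fractional second
        "whole_even": whole_even,       # values on an exact even second
        "fat_like": fat_like,
        # Chance of seeing only even seconds if the source had merely
        # truncated to whole seconds (each value is even with p = 1/2).
        "chance_if_whole_seconds": 0.5 ** len(distinct) if fat_like else None,
    }


def build_zip(mtimes, plain_entries=0):
    """Create a constructed ZIP whose entries carry the given NTFS mtimes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, dt in enumerate(mtimes):
            info = zipfile.ZipInfo(f"doc{i}.txt", date_time=dt.timetuple()[:6])
            info.extra = ntfs_extra(to_filetime(dt))
            zf.writestr(info, b"constructed sample")
        for i in range(plain_entries):  # entries with DOS time only
            plain = zipfile.ZipInfo(f"plain{i}.txt", date_time=(2016, 4, 26, 12, 0, 0))
            zf.writestr(plain, b"constructed sample")
    return buf.getvalue()


def sample_time(second, micro=0):
    """Constructed timestamp; the date is arbitrary sample data."""
    return datetime(2016, 4, 26, 12, 30, second, micro, tzinfo=timezone.utc)


# Constructed archives: one with FAT-like times, one with native NTFS times.
FAT_LIKE_ZIP = build_zip(
    [sample_time(2), sample_time(14), sample_time(36), sample_time(58), sample_time(58)],
    plain_entries=1,
)
NATIVE_ZIP = build_zip(
    [sample_time(2), sample_time(15), sample_time(36, 123456), sample_time(41, 500)]
)

if __name__ == "__main__":
    for name, data in (("fat-like", FAT_LIKE_ZIP), ("native", NATIVE_ZIP)):
        print(name, rounding_report(data))
```

Entries that carry only the DOS timestamp are counted but not evaluated, since their 2-second granularity comes from the ZIP format itself rather than from the source file system.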
Regarding the May 25 - June 1 timeframe cited, this seems to exclude the date on which approximately 70% of the DNC's emails published on WikiLeaks' website were acquired (May 23, 2016).
What makes this interesting is that this is apparently being evaluated on evidence that was very likely to have been provided by CrowdStrike:
Page 40
How did Crowdstrike's evidence not inform the FBI and Special Counsel of the real initial acquisition date of WikiLeaks' DNC emails?
Was the May 23, 2016 activity not recorded?
Going back to the Netyksho indictment, we have also been told that Yermakov was searching for Powershell commands between the May 25 - June 1st period:
However, we know 70% of the DNC emails published by WikiLeaks had already been acquired prior to that time, before Yermakov had allegedly researched how to access and manage the Exchange server.
Page 41
We can tell from the use of "appear" here that the Special Counsel does not have conclusive evidence to demonstrate this.
Page 41
While the overlap between reported phishing victims and the output of DCLeaks cannot be denied, it is still unclear how bitcoin pools or leased infrastructure have been definitively tied back to any GRU officers or the GRU itself.
This isn't to say that there isn't evidence of it (I would assume there is some evidence or intelligence that supports the premise to some degree, at the very least) but we have no idea what that could be and there is no explanation of how associations to individual GRU officers were made (perhaps to protect HUMINT but this still leaves us completely in the dark as to how attributions were made).
We know already that things are assumed by the Special Counsel on the basis of circumstantial evidence, so there is good reason to question whether the attributions made are based on conclusive evidence.
Page 42
This is the first point at which to recall Assange's announcement on 12 June that WikiLeaks was working on a release of "emails related to Hillary Clinton" - two days before the DNC goes public about being hacked by Russians, and three days before the appearance of Guccifer 2.0.
It's also approximately one month before Mueller says Guccifer 2.0 first successfully sent anything to WikiLeaks.
Whoever was controlling the Guccifer 2.0 persona went out of their way to be perceived as Russian and made specious claims about having already sent WikiLeaks documents, even claiming that WikiLeaks would release them soon (all before Mueller records any initial contact between the parties).
While WikiLeaks did mention this via their Twitter feed on June 16, 2016, they were clearly skeptical of his claims to be a hacker and although they cite his claim about sending material to WikiLeaks, they don't confirm it:
It also seems a little odd that the GRU would do searches for already translated phrases (using Google translate to get English translations would be more understandable) and if it's Guccifer 2.0 doing it why did he not use the VPN he used for his other activities throughout the same day?
Why does the Mueller report not report on the IP address of the Moscow-based server from which searches occurred? It wouldn't really expose sources and methods to disclose it and it's unclear how it was determined to have been used and managed by a unit of the GRU. (Citation #146 references the Netyksho indictment, however, that fails to provide evidence or explanation of this too.)
Also, Guccifer 2.0 did not attribute the hack to a Romanian hacker in his first blog post, he didn't mention nationality until a week later (after he'd already gone out of his way to leave Russian breadcrumbs behind).
Page 43
The version of the opposition research document Guccifer 2.0 released was built using a prepared "Russian-tainted" template document.
The template was made by taking an attachment from one of John Podesta's emails (a document originally authored by Warren Flood in 2008), stripping out the content, adding in Russian language stylesheet entries, altering "Confidential Draft" in the background of the document to "Confidential", altering the footer and then stripping out the body content.
The body content of a Trump Opposition research document (originally authored by Lauren Dillon) that was attached to another of Podesta's emails was then copied into the template document.
The document was saved (with a Russian author name), its body content cleared and this was then re-used to produce two further "Russia-tainted" documents.
It was no accident that led to the documents being tainted in the way that they were and it looks like Guccifer 2.0's version of the Trump opposition research didn't really come from the DNC.
Page 43
The email sent to The Smoking Gun revealed that Guccifer 2.0 appeared to be operating from somewhere in the central (US) time zone. It is one of several inexplicable examples of US timezone indications from Guccifer 2.0.
Page 43
It should be noted that the data referenced above was also unrelated to the general election and didn't have any noticeable impact on it (the 2.5Gb of data Guccifer 2.0 provided to Aaron Nevins was unlikely to have hurt the Clinton campaign or affect the outcome of the general election).
In the states that the data related to, general election results didn't flip between the time of the publication of the documents and the election:
Page 43
Interesting to note that Guccifer 2.0 lied about DCLeaks being a "sub project" of WikiLeaks.
Page 44
The only material Mueller alleges that WikiLeaks confirmed receipt of was a "1gb or so" archive, for which access instructions were communicated in an attached message (none-too-discreetly titled "wk dnc link1.txt.gpg") sent by Guccifer 2 via unencrypted email.
It is an assumption that this was an archive of DNC emails (it could have contained other files Guccifer 2.0 subsequently released elsewhere).
We don't even know for sure whether WikiLeaks released what had been sent to them by either entity.
Even if, theoretically, the archive contained the emails, it couldn't have been the whole collection because the whole collection, when compressed, exceeds 2Gb of data.
This, of course, doesn't rule out the possibility of it being a portion of the overall collection but what the persona had sent to WikiLeaks could also easily have been other material relating to the DNC that we know Guccifer 2.0 later released or shared with other parties.
Page 45
This is the second point at which to recall Assange's 12 June TV announcement of upcoming "emails related to Hillary Clinton", coming two days before Guccifer 2.0's colleagues at DCLeaks reach out to WikiLeaks via unencrypted means on 14 June 2016 to offer "sensitive information" on Clinton.
Then, seven days after Guccifer 2 had already claimed to have sent material to WikiLeaks and stated that they'd soon release it (which made it sound as though he'd had confirmation back), we see that WikiLeaks reaches out to Guccifer 2.0 and suggests he sends material to them (as though there's never been any prior contact or provision of materials previously discussed).
Page 45
How is it "clear" that both the DNC and Podesta documents were transferred from the GRU to WikiLeaks when there is only around a gigabyte of data acknowledged as received (and we don't even know what that data is) and little is known about the rest (and the report just speculates at possibilities)?
Page 46
We aren't provided the full dialogue between WikiLeaks and Guccifer 2.0. Instead we have just a few words selected from the communication that could easily be out of context. The Netyksho indictment did exactly the same thing. Neither the indictment nor the report provide the full DM conversation in context.
(It certainly wouldn't harm HUMINT resources or expose methods if this evidence was released in full context.)
Would the GRU really engage in internal communications (eg GRU Guccifer 2.0 to GRU DCLeaks) via Twitter DMs? Maybe, but it seems insanely sloppy with regards to operational security of a clandestine organization communicating between its own staff.
The statement that concludes on the following page (see below) also seems a little bizarre. Would WikiLeaks really ask Guccifer 2.0 to DM DCLeaks to pass on such a message on their behalf?
Why doesn't Mueller provide the comms evidence of WikiLeaks asking Guccifer 2.0 for assistance in contacting DCLeaks?
As written, we are expected to take the words of Guccifer 2.0 (stating that the media organisation wished to talk to DCLeaks) at face value.
The problem with this is that we are talking about a persona who lied publicly about when he first sent material to WikiLeaks (claiming to have done so already on the day he appeared), lied about the relationship between WikiLeaks and DCLeaks and who had gone to a great deal of trouble to leave false Russian fingerprints in his work output.
Page 47
It was actually the last-modification date, not the creation date that was recorded as 19 September, 2016.
This wasn't necessarily the creation date and is only indicative of the last recorded write/copy operation (unless last modification date is preserved when copying but there's no way to determine that based on the available evidence).
The gap between email file timestamps and attachment timestamps may simply be explained by WikiLeaks extracting the attachments from the EML files at a later stage. With the DNC emails we observed last-modifications dates as far back as May 23, 2016 but the attachments had last-modification dates that were much later (eg. July 21, 2016).
The wording is also worth noting: "Based on information about Assange's computer and its possible operating system" [emphasis mine] does not sound like it's based on reliable and factual information; it sounds like it is based on assessment/estimation. This also seems to rely on an assumption that the only person handling files for WikiLeaks is Assange.
How have the Special Counsel cited WikiLeaks metadata for evidence where it's suited them yet, somehow, have managed to miss the May 23, 2016 date on which the DNC emails were initially being collected?
Going further, the report, based on speculation, suggests that the GRU staged releases in July (for DNC emails) and September (for Podesta emails). However, going off the same logic as the Special Counsel, with last-modification dates indicating when the email files are "staged", the evidence would theoretically point to the DNC emails being "staged" in May 2016.
It doesn't seem so reliable when the rule is applied multilaterally.
Of course, if both assumptions about staging dates are true, then we're left wondering what Julian Assange could have been talking about on June 12, 2016 when mentioning having emails relating to Hillary Clinton.
The speculation in the final paragraph of the above section also shows us that the Special Counsel lacks certainty on sources.
Page 48
Really, this correlation of dates (March 21, 2016 and the reported phishing incident relating to March 19, 2016) is one of the best arguments for saying that emails published by WikiLeaks were acquired through phishing or hacking incidents reported.
However, this merely suggests the method of acquisition, it says nothing of how the material got to WikiLeaks. We can make assumptions, but that's all we can do because the available evidence is circumstantial rather than conclusive.
Page 48
Far from "discredit[ing] WikiLeaks' claims about the source of the material it posted", the file transfer evidence doesn't conclusively demonstrate that WikiLeaks published anything sent to it by Guccifer 2.0 or DCLeaks.
Although there are hints that what was sent by Guccifer 2.0 related to the DNC, we don't know if this contained DNC emails or the other DNC related content he later released and shared with others.
"The statements about Seth Rich implied falsely that he had been the source of the stolen DNC emails" is itself a false statement. The reason Assange gave for offering a reward for information leading to the conviction of Seth Rich's killers was "Our sources take risks and they become concerned when they see things occurring like that [the death of DNC worker Seth Rich]... We have to understand how high the stakes are in the United States" (source).
This implies WikiLeaks is offering the reward for info about Seth Rich at the behest of its actual source/s.
Page 49
By the time Trump had made the statements cited above, it was already assumed that Hillary had been hacked by the Russians, so Trump saying he hoped the Russians would find the emails seems more likely to have been in reference to what he assumed was already in their possession.
Finding those 30,000 emails also wouldn't be achieved through hacking at that point in time as the emails had already been deleted by Hillary Clinton's IT consultants in March 2015.
Page 50
What is being described here is, to a considerable extent, just common exploit scanning on web services, scanning that will almost certainly have come from other nodes based in other nations too.
These scans are typically done via compromised machines, often with machines that are in nations completely separate to the nationality of those running the scanning effort.
The Department of Homeland Security threw cold water on this a long time ago.
DHS would not characterize these efforts as attacks, only “simple scanning ... which occurs all the time”.
Page 51
There was no alteration of ballots or results at all anywhere as of a testimony by DHS Secretary Jeh Johnson on June 21 2017 nor since that time, according to Brian Krebs, to the date of a hearing on November 27, 2017.
The remaining pages in this section of the report include a lot of redactions and mostly cover the actions of individuals in the US in relation to communications they had with or in relation to WikiLeaks. As this article is about the technical claims made in relation to hacking and so much is redacted, we'll only look at those really relevant to this.
Page 52
By the time Assange made the announcement referenced above, the Hillary Clinton emails obtained through FOIA had already been published by WikiLeaks.
Considering what WikiLeaks subsequently published, it would seem that Assange was making a reference to at least one of the upcoming leaks.
At this time, there was no record of contact between WikiLeaks and either of the parties alleged to be the GRU.
Page 58
Regarding the timing of the leaks and the Access Hollywood tape, it's important to note that journalist Stefania Maurizi, who had worked with WikiLeaks on the Podesta leaks, has stated publicly that she knew of WikiLeaks' intention to publish on that date on the evening prior to it.
WikiLeaks stated the "timing conspiracy theory" was the other way round: "The [Access Hollywood] tape was moved forward to the day of our release, which WikiLeaks had been teasing" and was "well-documented".
[The remaining pages in this section have little relevance to the technical aspects of this section of the report and/or acquisition of materials that this article is intended to cover.]
Circumstantial Evidence & Understandable Assumptions
While the above does show numerous issues with the report, it's important not to fall into the trap of outright dismissing as false anything for which evidence is lacking or assuming there is no evidence at all to support assertions.
However, without knowing what evidence exists we're left to make assumptions about whether it's conclusive or circumstantial; we don't know if the source of evidence is dependable, and it's clear in the report that the Special Counsel has relied on assumptions and made numerous statements on the basis of presuppositions.
There is also a considerable amount of circumstantial evidence that, although it doesn't conclusively prove what the report tries to convince us of, it does at least raise questions about relationships between different entities, especially with regards to any overlaps in resources and infrastructure used.
For example, based on the cited evidence, it is perfectly understandable that people will assume Guccifer 2.0 provided DNC emails to WikiLeaks and will also assume that WikiLeaks published whatever it was that Guccifer 2.0 had sent them (especially with Mueller presenting that conversation in the form of a couple of words devoid of all context).
The apparent overlap between a VPN service used by Guccifer 2.0 and by DCLeaks does suggest the two could be associated beyond Guccifer 2.0 just being a source of leaks for them.
Also, DCLeaks publishing some DNC emails that later appeared in the DNC email collection (though not necessarily from the same mailboxes) also suggests that DCLeaks and WikiLeaks could have had access to some of the same material and/or sources.
The same is true for Guccifer 2.0 releasing Podesta and DNC email attachments before WikiLeaks released both collections. Unless given good reason to consider any ulterior motive, the implied explanation, on the surface, seems to be that it was this persona that was a source for those emails. If nothing else, that's how it appears based on the little information typically made available to us by the mainstream press.
However, despite all of this, we still have not seen conclusive evidence showing that either of the entities was really controlled by the GRU and, when the countervailing evidence (which seems to have been completely ignored by the Special Counsel's investigation) is considered, there is reason to give consideration to Guccifer 2.0's efforts to not just associate himself with WikiLeaks and DCLeaks but also to associate third parties with each other through false claims.
The Mystery Of The May 23, 2016 Omission
One of the most notable omissions is the date on which emails from several mailboxes (including Luis Miranda's) were originally collected.
We know, from analysis of metadata of files hosted by WikiLeaks that this was May 23, 2016.
Not only is this prior to the May 25, 2016 - June 1, 2016 timeframe given for the DNC's exchange server being hacked, this activity is unmentioned throughout the entire report.
How has this failed to come to the surface when it should have been apparent in evidence CrowdStrike provided to the FBI and also apparent based on the WikiLeaks metadata? How is it the Special Counsel can cite some of the metadata in relation to WikiLeaks releases yet somehow manage to miss this?
Countervailing Evidence
What the Special Counsel's investigation also seems to have completely disregarded is the volume of countervailing evidence that has been discovered by several independent researchers in relation to the Guccifer 2.0 persona.
It's worth considering what evidence the Special Counsel has brought to the surface and comparing it with the evidence that has come to the surface as a result of discoveries being made by independent researchers over the past two years and the differences between the two sets of evidence (especially with regards to falsifiability and verifiability of evidence).
Some excellent examples are covered in the following articles:
- Guccifer 2.0 NGP/VAN Metadata Analysis
- Guccifer 2.0's First Five Documents: The Process
- Did Guccifer 2.0 Plant His Russian Fingerprints
- More Evidence that Guccifer 2 Planted His Russian Breadcrumbs
- Guccifer 2.0's US Time Zone Indicators
- Guccifer 2.0's Russian Breadcrumbs
- Guccifer 2 Returns to the East Coast
- When USB’s Fly: Recent Research Supports Forensicator’s Controversial Theory
- Data From Twitter And WordPress Is Giving Intelligence Committees The Opportunity To Gain Insights Into The Real "Guccifer 2.0"
- Guccifer 2.0 CF Files Metadata Analysis
- Timezone of Guccifer 2 cf.7z
- Guccifer 2.0 Email Time Zone
- A Closer Look At Guccifer 2.0's DNC Email Attachments
- Guccifer 2's West Coast Fingerprint
- Media Mishaps: Early Guccifer 2 Coverage
- Russia & WikiLeaks: The Case of The Gilded Guccifer
- Guccifer 2.0: A Two Tier Masquerade
- Fancy Frauds, Bogus Bears & Malware Mimicry?
- Sorting The WikiLeaks DNC Emails
- Email Dates In The WikiLeaks DNC Archive
- Mueller’s Latest Indictment Contradicts Evidence In The Public Domain
Reliability Of Attribution Methods
Skip Folden (who introduced me to VIPS members and has been a good friend ever since) recently shared with me his assessment of problems with the current attribution methods being relied on by the Special Counsel and others.
It covered several important points and was far more concise than anything I would have written, so, with his permission, I'm publishing his comments on this topic:
No basis whatsoever
APT28, aka Fancy Bear, Sofacy, Strontium, Pawn Storm, Sednit, etc., and APT29, aka Cozy Bear, Cozy Duke, Monkeys, CozyCar, The Dukes, etc., are used as ‘proof’ of Russia ‘hacking’ by Russian Intelligence agencies GRU and FSB respectively.
There is no basis whatsoever to attribute the use of known intrusion elements to Russia, not even if they were once reverse routed to Russia, which claim has never been made by NSA or any other of our IC.
On June 15, 2016 Dmitri Alperovitch himself, in an Atlantic Council article, gave only “medium-level of confidence that Fancy Bear is GRU” and “low-level of confidence that Cozy Bear is FSB.” These assessments, from the main source himself, that either APT is Russian intelligence, averages 37%-38% [(50 + 25) / 2].
Exclusivity
None of the technical indicators, e.g., intrusion tools (such as X-Agent, X-Tunnel), facilities, tactics, techniques, or procedures, etc., of the 28 and 29 APTs can be uniquely attributed to Russia, even if one or more had ever been trace routed to Russia. Once an element of a set of intrusion tools is used in the public domain it can be reverse-engineered and used by other groups which precludes the assumption of exclusivity in future use. The proof that any of these tools have never been reverse engineered and used by others is left to the student - or prosecutor.
Using targets
Also, targets have been used as basis for attributing intrusions to Russia, and that is pure nonsense. Both many state and non-state players have deep interests in the same targets and have the technical expertise to launch intrusions. In Grizzly Steppe, page 2, second paragraph, beginning with, “Both groups have historically targeted ...,” is there anything in that paragraph which can be claimed as unique to Russia or which excludes all other major state players in the world or any of the non-state organizations? No.
Key Logger Consideration
On the subject of naming specific GRU officers initiating specific actions on GRU Russian facilities on certain dates / times, other than via implanted ID chips under the finger tips of these named GRU officers, the logical assumption would be by installed key logger capabilities, physical or malware, on one or more GRU Russian computers.
The GRU is a highly advanced Russian intelligence unit. It would be very surprising were the GRU open to any method used to install key logger capabilities. It would be even more surprising, if not beyond comprehension that the GRU did not scan all systems upon start-up and in real time, including key logger protection and anomalies of performance degradation and data transmissions.
Foreign intelligence source
Other option would be via a foreign intelligence unit source with local GRU access. Any such would be quite anti-Russian and be another nail in the coffin of any chain of evidence / custody validity at Russian site.
Chain Of Custody - Without An Anchor There Is No Chain
Another big problem with the whole RussiaGate investigation is the reliance on a private firm, hired by the DNC, to be the source of evidence.
As I don't have a good understanding of US law and processes surrounding evidence collection and handling, I will, again, defer to something that my aforementioned contact shared:
Chain of Evidence / Custody at US end, i.e., DNC and related computing facilities
Summary: There is no US end Chain of Evidence / Custody
The anchor of any chain of evidence custody is the on-site crime scene investigation of a jurisdictional law enforcement agency and neutral jurisdictional forensic team which investigate, discover, identify where possible, log, mark, package, seal, or takes images there of, of all identified elements of potential evidence as discovered at the scene of a crime by the authorized teams. The chain of this anchor is then the careful, documented movement of each element of captured evidence from crime scene to court.
In the case of the alleged series of intrusions into the DNC computing facilities, there is no anchor to any chain of evidence / custody.
There has been no claim that any jurisdictional law enforcement agency was allowed access to the DNC computing facilities. The FBI was denied access to DNC facilities, thereby supposedly denying the FBI the ability to conduct any on-site investigation of the alleged crime scene for discovery or collection of evidence.
Nor did the FBI exercise its authority to investigate the crime scene of a purported federal crime. Since when does the FBI need permission to investigate an alleged crime site where it is claimed a foreign government’s intelligence attacked political files in order to interfere in a US presidential election?
Instead, the FBI accepted images of purported crime scene evidence from a contractor hired by and, therefore, working for the DNC. On July 05, 2017 a Crowdstrike statement said that they had provided “... forensic images of the DNC system to the FBI.” It was not stated when these images were provided. Crowdstrike was working for the DNC as a contractor at the time.
This scenario is analogous to an employee of a crime scene owner telling law enforcement, “Trust me; I have examined the crime scene for you and here’s what I’ve found. It’s not necessary for you to see the crime scene.”
Crowdstrike cannot be accepted as a neutral forensic organization. It was working for and being paid by the DNC. It is neither a law enforcement agency nor a federal forensic organization. Further Crowdstrike has serious conflicts of interest when it comes to any investigation of Russia.
Crowdstrike co-founder and Director of Technology, Dmitri Alperovitch, is a Nonresident Senior Fellow, Cyber Statecraft Initiative, of the Atlantic Council. Alperovitch has made it clear of his dislike of the government of Putin, and The Atlantic Council can not be considered neutral to Russia, receiving funding from many very staunch and outspoken enemies of Russia.
Summary: Not only was no federal jurisdictional law enforcement agency allowed to investigate the alleged crime scene, but the organization which allegedly collected and provided the ‘evidence’ was not neutral by being employed by the owner of the alleged crime scene, but seriously compromised by strong anti-Russian links.
This issue of this substitute for an anchor then leads us to our next problem: an apparent conflict of interest from the investigation's outset.
Conflict of Interest Inherent In The Investigation?
Would it seem like a conflict of interest if the person in charge of an investigation were friends with a witness and source of critical evidence relied upon by that investigation?
This is effectively the situation we have with the Special Counsel investigation because Robert Mueller and CrowdStrike's CSO (and President) Shawn Henry are former colleagues and friends.
Their history at the FBI is well known and their continued association after Henry had left the agency (having dinner together at an executive retreat) has been noted.
If nothing else, it's understandable for people to feel that the Special Counsel would have struggled to be truly impartial due to such relationships.
Conclusion
The Special Counsel seems to have been impervious to critical pieces of countervailing evidence (some of which demonstrates that Guccifer 2.0 deliberately manufactured Russian breadcrumbs) and they have failed to accurately account for the acquisition of WikiLeaks' DNC emails (missing the date on which approximately 70% of them were collected), which is, in itself, a stunning failure for a supposedly thorough investigation costing US taxpayers tens of millions of dollars.
There should have been a proper, thorough, independent and impartial investigation into the Guccifer 2.0 persona. The Special Counsel certainly hasn't done that job and, in retrospect, looks to have been ill-equipped (and perhaps somewhat reluctant) to do so from the outset.
http://g-2.space/muellerreport/
This article may be republished/reproduced in part or in full on condition that content above is unaltered and that the author is credited (or, alternatively, that a link to the full article is included).
Cyberwarrior! Robert Johnson, one time employee of Crowdstrike, now with his own cyberwarrior! company, was pushing Russia, Russia, Russia on MSNBC just a few days ago.
https://www.msnbc.com/ali-velshi/watch/dnc-investigator-on-russian-meddling-it-s-the-new-normal-1499992643539
In the broadcast he states 1) there were months of planning (presumably by the Russians), 2) the GRU personnel were “specifically assigned” and 3) “Instructions were to do nothing else but….”
One really does wonder just how he came to these conclusions.
It seems to me that there not only wasn't a "chain of custody" of the evidence but that he's just another link in the chain to whoever is the anchor of this disinformation campaign. The Democratic Party organizations, to include Hillary's campaign, spent almost a billion USD on a losing campaign. I have to wonder who were major recipients of any of that money and just what it would buy.
"Since when does the FBI need permission to investigate an alleged crime site where it is claimed a foreign government’s intelligence attacked political files in order to interfere in a US presidential election?"
A great question to ask that nice grandmother who met grandpa Clinton on the tarmac in Phoenix. Or her subordinate, FBI director Comey; or her boss, the guy defeated by Putin, Barack Obama.
Posted by: Fred | 10 May 2019 at 02:01 PM
Adam Carter’s critique of sections of Mueller’s report suffers from too strong a focus on CrowdStrike’s work as an attribution source. While CrowdStrike did provide the bulk of the forensic data of the target network, the IC and Mueller’s team made use of much more effective methods of attribution than just those digital forensics. It was clear from the indictment of the GRU 12, that the IC had much of the GRU hackers’ activities and infrastructure under surveillance. The story of the Dutch penetration of the FSB hackers illustrates a similar capability. This is a capability, at least to this level, not available to CrowdStrike. Bill Binney acknowledges the NSA’s capability to do a large part of this surveillance while admitting such evidence has not been made available to the public. Unfortunately, Bill Binney, Larry Johnson and others rely on NSA’s refusal to release such data as proof that such data does not exist and, therefore, Russia could not have hacked the DNC. I doubt that data will ever be made public. Frankly, I’m surprised so much was released in the GRU 12 indictment.
I was present at the birth of another aspect of this digital surveillance capability. We did what amounted to HUMINT operations on the internet, targeting both foreign nongovernment and government hackers. Coupled with NSA capabilities, this became an effective means to determine attribution and even plans and intentions. It worked and that’s all I say about that. It was far more effective than relying on forensic examination, even the long term forensic examination used by CrowdStrike and others to assert attribution.
Given that full accounts of major hacks of any government or major private systems have ever been released, my guess is that it will be years before more of the IC data regarding the DNC, GRU and Wikileaks is released, if at all. Too bad. I’m confident researchers like Adam Carter and Stephen McIntyre would do a bang up and honest job of getting to the full truth if they had access to that data.
Posted by: The Twisted Genius | 10 May 2019 at 09:27 PM
As more evidence is being uncovered like the Kathy Kavalec contemporaneous notes & email to FBI on her meeting with Steele, it is getting more & more apparent that there was a program to entrap and smear Trump as a Putin stooge by top officials in the Obama administration, directly interfering in a presidential election.
Mueller was conflicted right from the very beginning. The fact that Strzok, Page & Weissmann were on his initial staff points to that conflict. Considering the inherent bias it should be instructive that they could not find any evidence and had to conclude that the Trump campaign did not collude with agents of the Russian government.
Posted by: blue peacock | 11 May 2019 at 02:05 AM
TTG
Is it possible that the GRU may have hacked the DNC and used social media to sow discord but it didn't amount to a hill of beans considering the $1+billion spent by the Hillary campaign and the $100 million spent by the Trump campaign just on Facebook? Is it also possible that top officials in the Obama administration did interfere in the election campaign by attempting to entrap and then smearing Trump and his campaign?
Posted by: Jack | 11 May 2019 at 03:34 PM
You really do not understand the difference between evidence submitted to a court and intelligence. If we were talking strictly intelligence findings then you would be correct in stating that the full proof was being withheld in order to not disclose sources and methods. Once that information, however, is introduced as "EVIDENCE" in a judicial proceeding, you can no longer hide behind the normal protections accorded classified information. The failure to produce actual evidence and the Government's reliance on the CrowdStrike bullshit is prima facie evidence that the Russian hacking is a lie.
But Bill and I do not rely on that absence of evidence as the primary reason to dismiss the false claim of hacking. The actual forensic evidence from Guccifer 2.0 documents blows the Mueller case out of the water.
Posted by: Larry Johnson | 11 May 2019 at 04:58 PM
It is very possible that I am completely out of my depth here, but is it also possible that this sentence needs a "never": "Given that full accounts of major hacks of any government or major private systems have ever been released. . . "?
Posted by: Haralambos | 11 May 2019 at 05:19 PM
Jack, all that's possible. As to the effectiveness of the Russian social media campaign, I offer the Congressional testimony of the Facebook GC from November 2017, "We estimate that roughly 29 million people were served content in their News Feeds directly from the IRA's 80,000 posts over the two years. Posts from these Pages were also shared, liked, and followed by people on Facebook, and, as a result, three times more people may have been exposed to a story that originated from the Russian operation. Our best estimate is that approximately 126 million people may have been served content from a Page associated with the IRA at some point during the two-year period." That effort cost near nothing. What did the Clinton campaign spend its 1+ billion dollars on? Ineffective yard signs, campaign buttons and TV ads? The Clinton campaign's inability to grasp more effective marketing techniques is not Russia's fault. That's all on Clinton's people. Even with that, whether the Russian IO was effective or not was immaterial to the legitimacy of the 2016 election. It was a legitimate election with no votes illegally changed. Neither side seems to be willing to accept this fact.
The DOJ investigation of the FBI should offer more insight into whether there was attempted entrapment and smearing of Trump and his people. Perhaps this investigation will also shed light on the effect of Trump's denial of any Russian contacts and refusal to report Russian approaches on the normally suspicious and paranoid LE and IC. There was a time when our CI had suspicions of my Russian connections. Of course my refusing to tell a roomful of FBI lawyers what I did with viruses I created years ago didn't help matters. That lot has no sense of humor.
Posted by: The Twisted Genius | 11 May 2019 at 06:49 PM
Fred, Johnson was the lead CrowdStrike investigator of the DNC hack. Before that he was a DOD "cyberwarrior" fighting a very aggressive FSB penetration of DOS and DOD systems when he was still on active duty. Real time Intelligence from the Dutch AIVD was key to his ability to finally defeat that penetration.
I also believe there were months of planning and preparation prior to the Russian operation. I learned from individuals close to Putin that tactics, techniques and support structure for such operations were being actively developed prior to 2010 for such things.
Posted by: The Twisted Genius | 11 May 2019 at 07:23 PM
Having been tormented by the CI creeps for things that the NCA sent me to do, I can only share your feelings about them.
Posted by: turcopolier | 11 May 2019 at 07:43 PM
Yes, I meant they have never been released.
Posted by: The Twisted Genius | 11 May 2019 at 08:17 PM
TTG,
Yes, a contractor for the DNC, he had access to the evidence and the FBI did not. Kind of like former intelligence official Mr. Steele was a contractor for Fusion GPS, source of the evidence leading to the FISA warrants, which led to spying on the Trump campaign. That was our government not the Russians.
Posted by: Fred | 11 May 2019 at 08:49 PM
Larry, release of some intelligence information does not automatically require all such intelligence must be released. Even in an indictment, a prosecutor never releases all his evidence. Some of the indictment evidence may even be made deliberately vague. You're still relying on the fact that not all evidence is available to you and me as proof that evidence doesn't exist. That's just silly, as is your effort to attribute all such evidence only to CrowdStrike. You don't seriously think CrowdStrike identified GRU personnel do you?
I do agree that the analysis of Guccifer 2.0 documents is fairly solid and good work, but the conclusions you make from that analysis are desperately far reaching and off center. Even some of your fellow VIPS members find your conclusions troubling. The forensic data does not prove a local transfer to a thumb drive. OTOH, I have not seen any analysis (or alternate explanation) of the evidence concerning Guccifer 2.0 in the indictment of the GRU 12 or the Mueller report.
Posted by: The Twisted Genius | 11 May 2019 at 09:03 PM
More bullshit from you. The VIPS members who protested lack the technical background. They are not qualified to comment. You are wrong and future developments will prove that. Stop digging.
Posted by: Larry Johnson | 11 May 2019 at 11:34 PM
Dude,
You have never been involved in a criminal case that has used intel information. I have. I know what I'm talking about. You are offering up uninformed opinion. My first case was Pan Am 103. It is real simple. If the prosecutors are using actual intelligence for their allegations they will be forced to reveal it. That intel DOES NOT EXIST. If it did, they would have been able to track the packets back to the source. That did not happen. Please put aside your bias and deal with the facts.
Posted by: Larry Johnson | 11 May 2019 at 11:38 PM
TTG
80,000 posts on Facebook over a 2 year election campaign is rather small. Just for some perspective there are 500,000 new posts every minute and 300 million photo uploads every day on Facebook. How many posts do you think the Trump campaign who spent a $100 million on Facebook made in contrast?
IMO, the Russian influence on the 2016 presidential election is substantially over-stated. Of course the establishment of both parties and the media who were all in on the losing side needed a scapegoat rather than make a painful after-action analysis of the zeitgeist that enabled a candidate like Trump to defeat both the Bush & Clinton dynasties. No, that would require intellectual honesty. Unfortunately they're all so far down the rabbit hole of their own groupthink & propaganda that they can't see out of it.
Posted by: blue peacock | 12 May 2019 at 01:12 AM
The problem I have is that if, as TTG strongly suggests, the NSA and associated organisations were privy to Russian intentions and actions, why didn’t they blow the whistle early, protect the DNC, warn the Trump campaign and nip this whole Russian project in the bud?
Posted by: walrus | 12 May 2019 at 06:29 AM
Because the Obama administration felt its own spying on domestic political opponents was both necessary and more effective.
Posted by: Fred | 12 May 2019 at 10:22 AM
"How many posts do you think the Trump campaign who spent a $100 million on Facebook made in contrast?"
That's a good question. I did some quick calculations on what that money would buy on Facebook. It would pay for 10 ads to reach 37 million people. That's comparable to IRA's reaching 28 million directly and 126 million eventually. Compare that to the just under 139 million who voted in 2016. The IRA conducted a substantial operation.
Posted by: The Twisted Genius | 12 May 2019 at 10:24 AM
" Ineffective yard signs, campaign buttons and TV ads? "
That is quite disingenuous when that information is readily available.
https://www.opensecrets.org/pres16/expenditures?id=N00000019
You'll notice that GMMB, recipient of $205 million from the Clinton campaign, doesn't advertise that success. And a whole lot of potential Clinton Administration employees lost a 4-8 year opportunity for involvement in setting government policy, starting lucrative government careers and all the potential civilian opportunities that come with a political victory. By all means don't discuss that complete failure in leadership, it had to be somebody's fault, Trump couldn't win on his own.
https://gmmb.com/political-campaigns
"The DOJ investigation of the FBI should offer more insight into whether there was attempted entrapment and smearing of Trump and his people."
You mean charge career FBI/DOJ employees for criminal conduct? I agree.
".... refusal to report Russian approaches..."
Just what the hell is the legal requirement for that? Did Senator Feinstein report on Chinese contacts, especially after her career staffer was caught spying for China?
https://nypost.com/2018/08/08/dianne-feinstein-was-an-easy-mark-for-chinas-spy/
Of course we should forget about Huma Abedin, Congressman Weiner, the laptop, the emails and the destruction of evidence because the head of the FBI said they were not significant. That would be James Comey. By all means let's talk about Trump not reporting conmen trying to get money out of him contacts with 'Russians'.
https://www.judicialwatch.org/press-room/press-releases/judicial-watch-fbi-documents-detail-weiner-laptop-clinton-email-find-just-before-the-2016-election/
Posted by: Fred | 12 May 2019 at 10:41 AM
Walrus, remember that the FBI first warned the DNC of a Russian penetration in September 2015. Both the FBI and the DNC dropped the ball until it was too late. That was the same group that assaulted the JCS and DOS systems and not the GRU attackers that created such havoc in 2016. Both the DNC and the Trump campaign were warned of the potential hacking threat. Both the FBI and the DNC were taken by surprise when the material stolen was publicly released the way it was. IMO given the repeated pattern of disclosure of proprietary information by Wikileaks and others, that possibility should have been anticipated as a possibility. Unfortunately, such hacktivism has been traditionally viewed more as a nuisance than a national security threat. The ability to "weaponize" social media was also downplayed by most of the IC. There was only a small minority who tried to sound the alarm about the growing capability and intentions of Russia in this field. The bureaucrats prevailed.
Systems get penetrated and information gets stolen all the time in spite of the surveillance capabilities of the NSA and others. I watched a group of hackers take down a major ISP in real time and couldn't do anything to stop it. The Dutch AIVD allowed Johnson and others to defeat the FSB penetration of the JCS and DOS in 2014, but they did not prevent the attack. The DNC, like all other private organizations, is under near constant cyber attack. The FBI, beyond issuing warnings, can't step in until invited. Perhaps as CYBERCOM matures, a reliable capability to proactively keep the attackers' heads down will be developed and employed.
Posted by: The Twisted Genius | 12 May 2019 at 11:05 AM
The numbers of 36 million and 126 million were never anything more than high-end guesstimates, based on all IRA activity over several years and with most of the postings not political in content. The real takeaway number is that IRA activity represented merely four ten-thousandths of a single percentage point (0.0004) of total news feed activity. The term for that is "statistically insignificant". It is absurd to consider this as "substantial", "massive", or any of the other adjectives.
Posted by: jjc | 12 May 2019 at 01:40 PM
If your math is correct, then it would seem the IRA has a very good business opportunity. I recall they spent less than a $1 million. Google CEO in testimony to Congress said that Russian expenditure on his platform was less than $5,000.
Listening to Brad Parscale's interview on the 2016 election the ads on Facebook were only one part of how they used Facebook. I believe they also generated substantial ordinary posts like where rallies were being held and images from those rallies which were then liked and forwarded by many Trump supporters. Trump himself generates probably 5 tweets a day which I'm sure gets cross-posted to FB.
I unfortunately don't share your conviction that the Russian social media activities moved the influence needle in our 2016 election.
Posted by: blue peacock | 13 May 2019 at 12:32 PM
BP, you grasp the concept perfectly. The bulk of what the IRA did cost nothing, just setting up bogus accounts and releasing content through those accounts. Use more accounts and bot accounts to assist in spreading that content. It's an extension of guerrilla advertising currently in vogue in the marketing industry. The purchasing of ads was a small part of the campaign. Couple that with the ideas and techniques discussed by Parscale, who I think is one smart SOB, and you really have something going. Trump's tweets also cost nothing and are brilliant in execution coupled with his party rallies, far more effective than paid political ads.
I respect your view on the effectiveness of the Russian campaign. I don't think there is a way to measure it after the fact. I've always thought such an influence operation could only work on the edges of trends already in place.
Posted by: The Twisted Genius | 13 May 2019 at 08:05 PM