Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #965 Are We Going to Have a Third World War?

This broadcast was recorded in one, 60-minute segment.

Introduction: Recent developments are suggestive of the ominous possibility of an imminent Third World War. We present some new information and recap and further analyze stories covered in previous programs in order to underscore and highlight the potential devastation of these events.

As the furor (“fuehrer”?) surrounding the potentially lethal political hoax known as “Russia-gate” gains momentum, it should be noted that the point man for the Trump business interests in their dealings with Russia is Felix Sater. A Russian-born immigrant, Sater is a professional criminal and a convicted felon with historical links to the Mafia. Beyond that, and more importantly, Sater is an FBI informant and a CIA contract agent:

  • “. . . . There is every indication that the extraordinarily lenient treatment resulted from Sater playing a get-out-of-jail free card. Shortly before his secret guilty plea, Sater became a freelance operative of the Central Intelligence Agency. One of his fellow stock swindlers, Salvatore Lauria, wrote a book about it. The Scorpion and the Frog is described on its cover as ‘the true story of one man’s fraudulent rise and fall in the Wall Street of the nineties.’ According to Lauria–and the court files that have been unsealed–Sater helped the CIA buy small missiles before they got to terrorists. He also provided other purported national security services for a reported fee of $300,000. Stories abound as to what else Sater may or may not have done in the arena of national security. . . .”
  •  Sater was active on behalf of the Trumps in the fall of 2015: “. . . . Sater worked on a plan for a Trump Tower in Moscow as recently as the fall of 2015, but he said that had come to a halt because of Trump’s presidential campaign. . . .”
  • Sater was initiating contact between the Russians and “Team Trump” in January of this year: “ . . . . Nevertheless, in late January, Sater and a Ukrainian lawmaker reportedly met with Trump’s personal lawyer, Michael Cohen, at a New York hotel. According to the Times, they discussed a plan that involved the U.S. lifting sanctions against Russia, and Cohen said he hand-delivered the plan in a sealed envelope to then-national security advisor Michael Flynn. Cohen later denied delivering the envelope to anyone in the White House, according to the Washington Post. . . .”

A stunning development concerns extreme reticence on the part of the U.S. intelligence community:

The Office of the Director of National Intelligence had an “interesting” response to a Freedom of Information Act lawsuit demanding the release of the classified report given to President Obama back in January purporting to show the Russian government was behind the hacks. According to the ODNI, the requested document would present a risk to human intelligence sources by revealing the comparative weight given to human vs technical evidence, risking US sources and methods. But the ODNI went further, suggesting that even releasing a fully redacted document would present similar risks!

It is NOT easy to see the ODNI’s reluctance to release even a fully-redacted copy of the report as anything but disingenuous. In the context of potentially devastating deterioration of Russian/U.S. relations over Syria, Ukraine, and the Russian “election-hacking” uproar, the ODNI’s behavior cannot be anything but disquieting:

” . . . . The intelligence official argued that a redacted version of the original report would allow a trained eye to assess ‘comparative weight’ of human intelligence and signals intelligence reporting included in the compendium. Release of some of the information the privacy-focused organization wants made public ‘could prove fatal to U.S. human intelligence sources,’ [Deputy Director of National Intelligence for Intelligence Integration Edward] Gistaro warned.

Gistaro also appears to argue that even if officials blacked out the whole report, highly classified information would be at risk.

‘I agree with the [National Intelligence Council] that a heavily or even fully redacted version of the classified report can not be publicly released without jeopardizing national security information properly classified as SECRET or TOP SECRET,’ he wrote. . . . ‘The ODNI should release the complete report to EPIC so that the public and the Congress can understand the full extent of the Russian interference with the 2016 Presidential election,’ EPIC’s Marc Rotenberg told POLITICO Tuesday. ‘It is already clear that government secrecy is frustrating meaningful oversight. The FBI, for example, will not even identify the states that were targeted by Russia.’ . . . “

With the high-profile hacks being attributed–almost certainly falsely–to Russia, there are ominous developments taking place that may well lead to a Third World War. During the closing days of his Presidency, Obama authorized the planting of cyber weapons on Russian computer networks. Obama did this after talking with Putin on the Hot Line, established to prevent a Third World War. Putin denied interfering in the U.S. election.

The conclusion that Russia hacked the U.S. election on Putin’s orders appears to have been based on a CIA source in the Kremlin. Even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion and it took intelligence from another nation (not named) to provide the final intelligence tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it.

That ally’s intelligence is described as “the most critical technical intelligence on Russia,” however the NSA still wasn’t convinced based on what sounds like a lack of confidence in that source. Thus, it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

Of paramount significance is the fact that IF, on Putin’s orders (and we are to believe such) Russia continued to hack U.S. computer systems to influence the election, Putin would have to have gone utterly mad. Those hacks would have precluded any rapprochement between Russia and the United States under a President Trump. There is no indication that Putin went off the deep end.

Also auguring a possible Third World War are two developments in Syria. Seymour Hersh published an article in Die Welt revealing that, not only was the April 4 alleged Sarin attack NOT a chemical weapons attack but there was widespread knowledge of this in American military and intelligence circles.

What did the intelligence community know about the attack? The Russian and Syrian air forces had informed the US in advance of the airstrike that they had intelligence that top-level leaders of Ahrar al-Sham and Jabhat al-Nusra were meeting in that building, and they informed the US of the attack plan in advance and that it was on a “high-value” target. The attack also involved the unusual use of a guided bomb and Syria’s top pilots. ” . . . . Russian and Syrian intelligence officials, who coordinate operations closely with the American command posts, made it clear that the planned strike on Khan Sheikhoun was special because of the high-value target. ‘It was a red-hot change. The mission was out of the ordinary – scrub the sked,’ the senior adviser told me. ‘Every operations officer in the region’ – in the Army, Marine Corps, Air Force, CIA and NSA – ‘had to know there was something going on. The Russians gave the Syrian Air Force a guided bomb and that was a rarity. They’re skimpy with their guided bombs and rarely share them with the Syrian Air Force. And the Syrians assigned their best pilot to the mission, with the best wingman.’ The advance intelligence on the target, as supplied by the Russians, was given the highest possible score inside the American community. . . .”

Following the attack, US intelligence concluded that there was no sarin gas attack; Assad wouldn’t have been that politically suicidal: ” . . . ‘This was not a chemical weapons strike,’ the adviser said. ‘That’s a fairy tale. . . .”

The symptoms of chemical poisoning following the bombing were likely due to a mixture of chlorine, fertilizers, and other chemicals stored in the building targeted by the Syrian air force, a mixture created by secondary explosions from the initial bombing: ” . . . . A Bomb Damage Assessment (BDA) by the U.S. military later determined that the heat and force of the 500-pound Syrian bomb triggered a series of secondary explosions that could have generated a huge toxic cloud that began to spread over the town, formed by the release of the fertilizers, disinfectants and other goods stored in the basement, its effect magnified by the dense morning air, which trapped the fumes close to the ground. . . .”

The behavior of the Trump administration was not only in direct conflict with intelligence on the attack, but reinforced propaganda by some of the Al-Qaeda-linked jihadists the West has been using as proxy warriors in Syria and elsewhere:  ” . . . . The Salafists and jihadists got everything they wanted out of their hyped-up Syrian nerve gas ploy,’ the senior adviser to the U.S. intelligence community told me, referring to the flare up of tensions between Syria, Russia and America. ‘The issue is, what if there’s another false flag sarin attack credited to hated Syria? Trump has upped the ante and painted himself into a corner with his decision to bomb. And do not think these guys are not planning the next faked attack. Trump will have no choice but to bomb again, and harder. He’s incapable of saying he made a mistake.’ . . .”

Program Highlights Include: 

  • Review of a Trump administration warning of another supposed, impending “Syrian chemical weapons strike”–a warning that has since been retracted.
  • Discussion of brilliant Nazi hacker Andrew Auernheimer’s orchestration of an “Alt-right” online intimidation campaign against CNN employees. Auernheimer is currently residing in Ukraine. One of the ominous possibilities concerns the activation/manipulation of the NSA cyber-weapons installed on Russian computer networks by a third party.
  • Review of the observations by a German professor–opposed to Nazism/Hitler–who described the essence of what it was like, subjectively, to live through the rise of Hitler. His observation is presented in the context of the ODNI’s decision not to release even a fully-redacted version of the intelligence report on “Russian meddling” in the U.S. election. ” . . . . What happened here was the gradual habituation of the people, little by little, to being governed by surprise, to receiving decisions deliberated in secret, to believing that the situation was so complicated that the government had to act on information which the people could not understand because of national security, so dangerous that even if the people could understand it, it could not be released because of national security. . . .”

1. The Office of the Director of National Intelligence had an “interesting” response to a Freedom of Information Act lawsuit demanding the release of the classified report given to President Obama back in January purporting to show the Russian government was behind the hacks. According to the ODNI, the requested document would present a risk to human intelligence sources by revealing the comparative weight given to human vs technical evidence, risking US sources and methods. But the ODNI went further, suggesting that even releasing a fully redacted document would present similar risks!

“Feds Won’t Release Redacted Intelligence Report on Russian Election Meddling” by Josh Gerstein; Politico; 06/27/2017

The Trump administration is refusing to release a redacted version of a key report President Barack Obama received in January on alleged Russian interference in the 2016 presidential election, court filings show.

Then-Director of National Intelligence James Clapper made public an unclassified version of that report, but the Electronic Privacy Information Center brought a Freedom of Information Act lawsuit demanding a copy of the classified report given to Obama at the same time. EPIC said the unclassified version omitted “critical technical evidence” that could help the public assess U.S. intelligence agencies’ claims that Russia did make efforts to affect the outcome of the 2016 race.

However, a top official in the Office of the Director of National Intelligence said in a court declaration filed Monday that releasing the original report with classified information blacked out would be a field day for foreign intelligence operatives, including the very Russians the report accuses of undertaking the interference.

“Release of a redacted report would be of particular assistance to Russian intelligence, which, armed with both the declassified report and a redacted copy of the classified report, would be able to discern the volume of intelligence the U.S. currently possesses with respect to Russian attempts to influence the 2016 election,” Deputy Director of National Intelligence for Intelligence Integration Edward Gistaro wrote.

“This would reveal the maturity of the U.S. intelligence efforts and expose information about the [intelligence community’s] capabilities (including sources and methods) that could reasonably be expected to cause serious or exceptionally grave danger to U.S. national security.”

The intelligence official argued that a redacted version of the original report would allow a trained eye to assess “comparative weight” of human intelligence and signals intelligence reporting included in the compendium. Release of some of the information the privacy-focused organization wants made public “could prove fatal to U.S. human intelligence sources,” [Deputy Director of National Intelligence for Intelligence Integration Edward] Gistaro warned.

Gistaro also appears to argue that even if officials blacked out the whole report, highly classified information would be at risk.

“I agree with the [National Intelligence Council] that a heavily or even fully redacted version of the classified report can not be publicly released without jeopardizing national security information properly classified as SECRET or TOP SECRET,” he wrote.

EPIC sought the information in January, just days after officials released the public version of the report. The group filed suit in federal court in Washington in February after failing to get any records from ODNI.

“The ODNI should release the complete report to EPIC so that the public and the Congress can understand the full extent of the Russian interference with the 2016 Presidential election,” EPIC’s Marc Rotenberg told POLITICO Tuesday. “It is already clear that government secrecy is frustrating meaningful oversight. The FBI, for example, will not even identify the states that were targeted by Russia.”

Rotenberg said his group is pursuing two other related FOIA suits: one seeking records about the FBI’s response to the alleged Russian meddling and another seeking Trump’s tax records from the IRS.

2. The ODNI’s response to the Freedom of Information Act Suit brings to mind an observation by a German professor who was opposed to Nazism and survived to relate what it was like subjectively to live through the rise of Hitler: “. . . . What happened here was the gradual habituation of the people, little by little, to being governed by surprise, to receiving decisions deliberated in secret, to believing that the situation was so complicated that the government had to act on information which the people could not understand because of national security, so dangerous that even if the people could understand it, it could not be released because of national security. . . .”

They Thought they Were Free: The Germans 1933-1945; by Milton Mayer; copyright 1955 [SC]; University of Chicago Press; ISBN 0-226-51190-1; pp. 166-167.

. . . . What happened here was the gradual habituation of the people, little by little, to being governed by surprise, to receiving decisions deliberated in secret, to believing that the situation was so complicated that the government had to act on information which the people could not understand because of national security, so dangerous that even if the people could understand it, it could not be released because of national security. . . . This separation of government from people, this widening of the gap, took place so gradually and so insensibly, each step disguised (perhaps not even intentionally) as a temporary emergency measure or associated with true patriotic allegiance or with real social purposes. . . . so occupied the people that they did not see the slow motion underneath, of the whole process of the Government growing remoter and remoter . . . .

3a. It sounds like the conclusion that Russia hacked the U.S. election on Putin’s orders was based on a CIA source in the Kremlin. Even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion and it took intelligence from another nation (not named) to provide the final intelligence tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it. That ally’s intelligence is described as “the most critical technical intelligence on Russia,” however the NSA still wasn’t convinced based on what sounds like a lack of confidence in that source. Thus, it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

” . . . .Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race. . . .”

We are told that a CIA deep Russian government source is the primary source of the ‘Putin ordered it’ conclusion. Well, at least that’s better than the bad joke technical evidence that’s been provided thus far. But even that source’s claims apparently weren’t enough to convince other parts of the intelligence community. It took the intelligence from the unnamed ally to do that:

” . . . . But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence. . . .

“. . . . The most difficult measure to evaluate is one that Obama alluded to in only the most oblique fashion when announcing the U.S. response.

“We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” he said in a statement released by the White House.

He was referring, in part, to a cyber operation that was designed to be detected by Moscow but not cause significant damage, officials said. The operation, which entailed implanting computer code in sensitive computer systems that Russia was bound to find, served only as a reminder to Moscow of the United States’ cyber reach.

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

Obama declined to comment for this article, but a spokesman issued a statement: ‘This situation was taken extremely seriously, as is evident by President Obama raising this issue directly with President Putin; 17 intelligence agencies issuing an extraordinary public statement; our homeland security officials working relentlessly to bolster the cyber defenses of voting infrastructure around the country; the President directing a comprehensive intelligence review, and ultimately issuing a robust response including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and ejecting 35 Russian diplomats from the country.’

The cyber operation is still in its early stages and involves deploying ‘implants’ in Russian networks deemed ‘important to the adversary and that would cause them pain and discomfort if they were disrupted,’ a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race. [” . . . developed by the NSA”–Well, at least we can be sure that the NSA’s operations are secure, invulnerable to penetration and/or manipulation by outside interests (!)–D.E.]

Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain. . . .”

Keep in mind that such a response from the US would be entirely predictable if the Russian government really did order this hack attack. Russia would be at a heightened risk for years or decades to come if Putin really did order this attack. There’s no reason to assume that the Russian government wouldn’t be well aware of this consequence. So if Putin really did order this hack he would have to have gone insane. That’s how stupid this attack was if Putin actually ordered it. But according to a CIA spy in the Kremlin, along with a questionable foreign ally, that’s exactly what Putin did. Because he apparently went insane and preemptively launched a cyberwar knowing full well how devastating the long-term consequences could be. Because he really, really, really hates Hillary. That’s the narrative we’re being given.

And now, any future attacks on US elections or the US electrical grid that can somehow be pinned on the Russians are going to trigger some sort of painful wave of retaliatory cyberbombs. Which, of course, will likely trigger a wave of counter-retaliatory cyberbombs in the US. And a full-scale cyberwar will be born and we’ll just have to hope it stays in the cyber domain. That’s where we are now based on a CIA spy in the Kremlin and an unnamed foreign intelligence agency.

“Obama’s secret struggle to punish Russia for Putin’s election assault” by Greg Miller, Ellen Nakashima and Adam Entous; The Washington Post; 06/23/2017

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

The material was so sensitive that CIA Director John Brennan kept it out of the President’s Daily Brief, concerned that even that restricted report’s distribution was too broad. The CIA package came with instructions that it be returned immediately after it was read. To guard against leaks, subsequent meetings in the Situation Room followed the same protocols as planning sessions for the Osama bin Laden raid.

It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

Over that five-month interval, the Obama administration secretly debated dozens of options for deterring or punishing Russia, including cyberattacks on Russian infrastructure, the release of CIA-gathered material that might embarrass Putin and sanctions that officials said could “crater” the Russian economy.

But in the end, in late December, Obama approved a modest package combining measures that had been drawn up to punish Russia for other issues — expulsions of 35 diplomats and the closure of two Russian compounds — with economic sanctions so narrowly targeted that even those who helped design them describe their impact as largely symbolic.

Obama also approved a previously undisclosed covert measure that authorized planting cyber weapons in Russia’s infrastructure, the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It would be up to President Trump to decide whether to use the capability.

In political terms, Russia’s interference was the crime of the century, an unprecedented and largely successful destabilizing attack on American democracy. It was a case that took almost no time to solve, traced to the Kremlin through cyber-forensics and intelligence on Putin’s involvement. And yet, because of the divergent ways Obama and Trump have handled the matter, Moscow appears unlikely to face proportionate consequences.

Those closest to Obama defend the administration’s response to Russia’s meddling. They note that by August it was too late to prevent the transfer to WikiLeaks and other groups of the troves of emails that would spill out in the ensuing months. They believe that a series of warnings — including one that Obama delivered to Putin in September — prompted Moscow to abandon any plans of further aggression, such as sabotage of U.S. voting systems.

Denis McDonough, who served as Obama’s chief of staff, said that the administration regarded Russia’s interference as an attack on the “heart of our system.”

“We set out from a first-order principle that required us to defend the integrity of the vote,” McDonough said in an interview. “Importantly, we did that. It’s also important to establish what happened and what they attempted to do so as to ensure that we take the steps necessary to stop it from happening again.”

But other administration officials look back on the Russia period with remorse.

“It is the hardest thing about my entire time in government to defend,” said a former senior Obama administration official involved in White House deliberations on Russia. “I feel like we sort of choked.”

This account of the Obama administration’s response to Russia’s interference is based on interviews with more than three dozen current and former U.S. officials in senior positions in government, including at the White House, the State, Defense and Homeland Security departments, and U.S. intelligence services. Most agreed to speak only on the condition of anonymity, citing the sensitivity of the issue.

The White House, the CIA, the FBI, the National Security Agency and the Office of the Director of National Intelligence declined to comment.

‘Deeply concerned’

The CIA breakthrough came at a stage of the presidential campaign when Trump had secured the GOP nomination but was still regarded as a distant long shot. Clinton held comfortable leads in major polls, and Obama expected that he would be transferring power to someone who had served in his Cabinet.

The intelligence on Putin was extraordinary on multiple levels, including as a feat of espionage.

For spy agencies, gaining insights into the intentions of foreign leaders is among the highest priorities. But Putin is a remarkably elusive target. A former KGB officer, he takes extreme precautions to guard against surveillance, rarely communicating by phone or computer, always running sensitive state business from deep within the confines of the Kremlin.

The Washington Post is withholding some details of the intelligence at the request of the U.S. government.

In early August, Brennan alerted senior White House officials to the Putin intelligence, making a call to deputy national security adviser Avril Haines and pulling national security adviser Susan E. Rice aside after a meeting before briefing Obama along with Rice, Haines and McDonough in the Oval Office.

Officials described the president’s reaction as grave. Obama “was deeply concerned and wanted as much information as fast as possible,” a former official said. “He wanted the entire intelligence community all over this.”

Concerns about Russian interference had gathered throughout the summer.

Russia experts had begun to see a troubling pattern of propaganda in which fictitious news stories, assumed to be generated by Moscow, proliferated across social-media platforms.

Officials at the State Department and FBI became alarmed by an unusual spike in requests from Russia for temporary visas for officials with technical skills seeking permission to enter the United States for short-term assignments at Russian facilities. At the FBI’s behest, the State Department delayed approving the visas until after the election.

Meanwhile, the FBI was tracking a flurry of hacking activity against U.S. political parties, think tanks and other targets. Russia had gained entry to DNC systems in the summer of 2015 and spring of 2016, but the breaches did not become public until they were disclosed in a June 2016 report by The Post.

Even after the late-July WikiLeaks dump, which came on the eve of the Democratic convention and led to the resignation of Rep. Debbie Wasserman Schultz (D-Fla.) as the DNC’s chairwoman, U.S. intelligence officials continued to express uncertainty about who was behind the hacks or why they were carried out.

At a public security conference in Aspen, Colo., in late July, Director of National Intelligence James R. Clapper Jr. noted that Russia had a long history of meddling in American elections but that U.S. spy agencies were not ready to “make the call on attribution” for what was happening in 2016.

“We don’t know enough … to ascribe motivation,” Clapper said. “Was this just to stir up trouble or was this ultimately to try to influence an election?”

Brennan convened a secret task force at CIA headquarters composed of several dozen analysts and officers from the CIA, the NSA and the FBI.

The unit functioned as a sealed compartment, its work hidden from the rest of the intelligence community. Those brought in signed new non-disclosure agreements to be granted access to intelligence from all three participating agencies.

They worked exclusively for two groups of “customers,” officials said. The first was Obama and fewer than 14 senior officials in government. The second was a team of operations specialists at the CIA, NSA and FBI who took direction from the task force on where to aim their subsequent efforts to collect more intelligence on Russia.

Don’t make things worse

The secrecy extended into the White House.

Rice, Haines and White House homeland-security adviser Lisa Monaco convened meetings in the Situation Room to weigh the mounting evidence of Russian interference and generate options for how to respond. At first, only four senior security officials were allowed to attend: Brennan, Clapper, Attorney General Loretta E. Lynch and FBI Director James B. Comey. Aides ordinarily allowed entry as “plus-ones” were barred.

Gradually, the circle widened to include Vice President Biden and others. Agendas sent to Cabinet secretaries — including John F. Kerry at the State Department and Ashton B. Carter at the Pentagon — arrived in envelopes that subordinates were not supposed to open. Sometimes the agendas were withheld until participants had taken their seats in the Situation Room.

Throughout his presidency, Obama’s approach to national security challenges was deliberate and cautious. He came into office seeking to end wars in Iraq and Afghanistan. He was loath to act without support from allies overseas and firm political footing at home. He was drawn only reluctantly into foreign crises, such as the civil war in Syria, that presented no clear exit for the United States.

Obama’s approach often seemed reducible to a single imperative: Don’t make things worse. As brazen as the Russian attacks on the election seemed, Obama and his top advisers feared that things could get far worse.

They were concerned that any pre-election response could provoke an escalation from Putin. Moscow’s meddling to that point was seen as deeply concerning but unlikely to materially affect the outcome of the election. Far more worrisome to the Obama team was the prospect of a cyber-assault on voting systems before and on Election Day.

They also worried that any action they took would be perceived as political interference in an already volatile campaign. By August, Trump was predicting that the election would be rigged. Obama officials feared providing fuel to such claims, playing into Russia’s efforts to discredit the outcome and potentially contaminating the expected Clinton triumph.

Before departing for an August vacation to Martha’s Vineyard, Obama instructed aides to pursue ways to deter Moscow and proceed along three main paths: Get a high-confidence assessment from U.S. intelligence agencies on Russia’s role and intent; shore up any vulnerabilities in state-run election systems; and seek bipartisan support from congressional leaders for a statement condemning Moscow and urging states to accept federal help.

The administration encountered obstacles at every turn.

Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

Brennan moved swiftly to schedule private briefings with congressional leaders. But getting appointments with certain Republicans proved difficult, officials said, and it was not until after Labor Day that Brennan had reached all members of the “Gang of Eight” — the majority and minority leaders of both houses and the chairmen and ranking Democrats on the Senate and House intelligence committees.

Jeh Johnson, the homeland-security secretary, was responsible for finding out whether the government could quickly shore up the security of the nation’s archaic patchwork of voting systems. He floated the idea of designating state mechanisms “critical infrastructure,” a label that would have entitled states to receive priority in federal cybersecurity assistance, putting them on a par with U.S. defense contractors and financial networks.

On Aug. 15, Johnson arranged a conference call with dozens of state officials, hoping to enlist their support. He ran into a wall of resistance.

The reaction “ranged from neutral to negative,” Johnson said in congressional testimony Wednesday.

Brian Kemp, the Republican secretary of state of Georgia, used the call to denounce Johnson’s proposal as an assault on state rights. “I think it was a politically calculated move by the previous administration,” Kemp said in a recent interview, adding that he remains unconvinced that Russia waged a campaign to disrupt the 2016 race. “I don’t necessarily believe that,” he said.

Stung by the reaction, the White House turned to Congress for help, hoping that a bipartisan appeal to states would be more effective.

In early September, Johnson, Comey and Monaco arrived on Capitol Hill in a caravan of black SUVs for a meeting with 12 key members of Congress, including the leadership of both parties.

The meeting devolved into a partisan squabble.

“The Dems were, ‘Hey, we have to tell the public,’” recalled one participant. But Republicans resisted, arguing that to warn the public that the election was under attack would further Russia’s aim of sapping confidence in the system.

Senate Majority Leader Mitch McConnell (R-Ky.) went further, officials said, voicing skepticism that the underlying intelligence truly supported the White House’s claims. Through a spokeswoman, McConnell declined to comment, citing the secrecy of that meeting.

Key Democrats were stunned by the GOP response and exasperated that the White House seemed willing to let Republican opposition block any pre-election move.

On Sept. 22, two California Democrats — Sen. Dianne Feinstein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a statement making clear that they had learned from intelligence briefings that Russia was directing a campaign to undermine the election, but they stopped short of saying to what end.

A week later, McConnell and other congressional leaders issued a cautious statement that encouraged state election officials to ensure their networks were “secure from attack.” The release made no mention of Russia and emphasized that the lawmakers “would oppose any effort by the federal government” to encroach on the states’ authorities.

When U.S. spy agencies reached unanimous agreement in late September that the interference was a Russian operation directed by Putin, Obama directed spy chiefs to prepare a public statement summarizing the intelligence in broad strokes.

With Obama still determined to avoid any appearance of politics, the statement would not carry his signature.

On Oct. 7, the administration offered its first public comment on Russia’s “active measures,” in a three-paragraph statement issued by Johnson and Clapper. Comey had initially agreed to attach his name, as well, officials said, but changed his mind at the last minute, saying that it was too close to the election for the bureau to be involved.

“The U.S. intelligence community is confident that the Russian government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations,” the statement said. “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

Early drafts accused Putin by name, but the reference was removed out of concern that it might endanger intelligence sources and methods.

The statement was issued around 3:30 p.m., timed for maximum media coverage. Instead, it was quickly drowned out. At 4 p.m., The Post published a story about crude comments Trump had made about women that were captured on an “Access Hollywood” tape. Half an hour later, WikiLeaks published its first batch of emails stolen from Clinton campaign chairman John Podesta.

‘Ample time’ after election

The Situation Room is actually a complex of secure spaces in the basement level of the West Wing. A video feed from the main room courses through some National Security Council offices, allowing senior aides sitting at their desks to see — but not hear — when meetings are underway.

As the Russia-related sessions with Cabinet members began in August, the video feed was shut off. The last time that had happened on a sustained basis, officials said, was in the spring of 2011 during the run-up to the U.S. Special Operations raid on bin Laden’s compound in Pakistan.

The blacked-out screens were seen as an ominous sign among lower-level White House officials who were largely kept in the dark about the Russia deliberations even as they were tasked with generating options for retaliation against Moscow.

Much of that work was led by the Cyber Response Group, an NSC unit with representatives from the CIA, NSA, State Department and Pentagon.

The early options they discussed were ambitious. They looked at sectorwide economic sanctions and cyberattacks that would take Russian networks temporarily offline. One official informally suggested — though never formally proposed — moving a U.S. naval carrier group into the Baltic Sea as a symbol of resolve.

What those lower-level officials did not know was that the principals and their deputies had by late September all but ruled out any pre-election retaliation against Moscow. They feared that any action would be seen as political and that Putin, motivated by a seething resentment of Clinton, was prepared to go beyond fake news and email dumps.

The FBI had detected suspected Russian attempts to penetrate election systems in 21 states, and at least one senior White House official assumed that Moscow would try all 50, officials said. Some officials believed the attempts were meant to be detected to unnerve the Americans. The patchwork nature of the United States’ 3,000 or so voting jurisdictions would make it hard for Russia to swing the outcome, but Moscow could still sow chaos.

“We turned to other scenarios” the Russians might attempt, said Michael Daniel, who was cybersecurity coordinator at the White House, “such as disrupting the voter rolls, deleting every 10th voter [from registries] or flipping two digits in everybody’s address.”

The White House also worried that they had not yet seen the worst of Russia’s campaign. WikiLeaks and DCLeaks, a website set up in June 2016 by hackers believed to be Russian operatives, already had troves of emails. But U.S. officials feared that Russia had more explosive material or was willing to fabricate it.

“Our primary interest in August, September and October was to prevent them from doing the max they could do,” said a senior administration official. “We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures.”

The assumption that Clinton would win contributed to the lack of urgency.

Instead, the administration issued a series of warnings.

Brennan delivered the first on Aug. 4 in a blunt phone call with Alexander Bortnikov, the director of the FSB, Russia’s powerful security service.

A month later, Obama confronted Putin directly during a meeting of world leaders in Hangzhou, China. Accompanied only by interpreters, Obama told Putin that “we knew what he was doing and [he] better stop or else,” according to a senior aide who subsequently spoke with Obama. Putin responded by demanding proof and accusing the United States of interfering in Russia’s internal affairs.

In a subsequent news conference, Obama alluded to the exchange and issued a veiled threat. “We’re moving into a new era here where a number of countries have significant capacities,” he said. “Frankly, we’ve got more capacity than anybody both offensively and defensively.”

There were at least two other warnings.

On Oct. 7, the day that the Clapper-Johnson statement was released, Rice summoned Russian Ambassador Sergey Kislyak to the White House and handed him a message to relay to Putin.

Then, on Oct. 31, the administration delivered a final pre-election message via a secure channel to Moscow originally created to avert a nuclear exchange. The message noted that the United States had detected malicious activity, originating from servers in Russia, targeting U.S. election systems and warned that meddling would be regarded as unacceptable interference. Russia confirmed the next day that it had received the message but replied only after the election through the same channel, denying the accusation.

As Election Day approached, proponents of taking action against Russia made final, futile appeals to Obama’s top aides: McDonough, Rice and Haines. Because their offices were part of a suite of spaces in the West Wing, securing their support on any national security issue came to be known as “moving the suite.”

One of the last to try before the election was Kerry. Often perceived as reluctant to confront Russia, in part to preserve his attempts to negotiate a Syria peace deal, Kerry was at critical moments one of the leading hawks.

In October, Kerry’s top aides had produced an “action memo” that included a package of retaliatory measures including economic sanctions. Knowing the White House was not willing to act before the election, the plan called for the measures to be announced almost immediately after votes had been securely cast and counted.

Kerry signed the memo and urged the White House to convene a principals meeting to discuss the plan, officials said. “The response was basically, ‘Not now,’” one official said.

Election Day arrived without penalty for Moscow.

A U.S. cyber-weapon

The most difficult measure to evaluate is one that Obama alluded to in only the most oblique fashion when announcing the U.S. response.

“We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” he said in a statement released by the White House.

He was referring, in part, to a cyber operation that was designed to be detected by Moscow but not cause significant damage, officials said. The operation, which entailed implanting computer code in sensitive computer systems that Russia was bound to find, served only as a reminder to Moscow of the United States’ cyber reach.

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

Obama declined to comment for this article, but a spokesman issued a statement: “This situation was taken extremely seriously, as is evident by President Obama raising this issue directly with President Putin; 17 intelligence agencies issuing an extraordinary public statement; our homeland security officials working relentlessly to bolster the cyber defenses of voting infrastructure around the country; the President directing a comprehensive intelligence review, and ultimately issuing a robust response including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and ejecting 35 Russian diplomats from the country.”

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of a retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

3b. The person on the Daily Stormer calling for white supremacists to threaten to kill the family members of CNN employees as part of growing right-wing hysteria over CNN and “fake news” is Andrew “the weev” Auernheimer aka “weev”–a guest at Glenn Greenwald and Laura Poitras’ party celebrating their receipt of the Polk Award.

Currently residing in Ukraine, Auernheimer exemplifies the brilliant, altogether capable cyber-fascists who might be in a position to exploit the NSA technology placed on Russian computer networks.

Never lose sight of the fact that the New Cold War, much of it “cyber” in nature, was begun with “Eddie the Friendly Spook” Snowden–the Peach Fuzz Fascist–journeying to Russia, courtesy of WikiLeaks. This, AFTER he journeyed to Hong Kong with apposite assistance from Jacob Appelbaum of the CIA.

“Daily Stormer Troll Army Threatens CNN Staffers Over Reddit User Behind Trump/CNN GIF” by Keegan Hankes; Southern Poverty Law Center; 07/05/2017

Andrew Auernheimer, the notorious hacker and Internet troll known as ‘Weev,’ rallied the neo-Nazi Daily Stormer’s troll army for its latest campaign this morning, claiming that CNN was blackmailing a “teen shitposter.”

The events leading to this online call to arms began Sunday morning, when President Trump tweeted a gif created by Reddit user HanAssholeSolo depicting a scene from Wrestlemania XXIII in which Trump body slams and pummels WWE promoter Vince McMahon. In the gif, the CNN logo is superimposed over McMahon’s face.

Auernheimer heralded the tweet as “easily the greatest tweet in the history of Twitter.”

After scouring HanAssholeSolo’s Reddit account, which contained scores of racist and xenophobic postings, CNN’s KFile was able to track down the user’s Facebook page and contact him.

Fearing public embarrassment and his safety, HanAssholeSolo published a lengthy apology on the Reddit group r/theDonald, asking that CNN not publish his identity. (The apology has since been removed.)

CNN obliged, on the condition that HanAssholeSolo remove his offending posts and cease his trolling, but that didn’t stop the self-proclaimed “real media” at the Daily Stormer from issuing an ultimatum to every staffer at CNN.

“Just like CNN tracked down this child and used media exposure as a bludgeon against him for posting (truthful and funny) things that they don’t like, we are going to begin tracking down their families as a bludgeon against them for publishing (seditiously fraudulent) things that we don’t like,” wrote Auernheimer. “CNN, this is your one singular chance to walk back this behavior of public blackmail. You have one week to fix this.”

Auernheimer’s list of demands includes the public firing of the KFile team, a denouncement of their alleged threats, a $50,000 college scholarship for HanAssholeSolo, and a public assurance that “he and his family will never be harmed by your organization.”

The only problem: HanAssholeSolo is an adult, according to CNN.

“We are going to track down your parents. We are going to track down your siblings. We are going to track down your spouses. We are going to track down your children. Because hey, that’s what you guys get to do, right? We’re going to see how you like it when our reporters are hunting down your children,” continued Auernheimer.

Auernheimer instructed CNN employees that do not want to be doxed to quit within the week and denounce the organization’s alleged blackmail.

“We didn’t make these rules – you did – and now we’re going to force you to play by them. Hope you enjoy what is coming, you filthy rat kike bastards. Kill yourselves, kike news fakers. You deserve every single bit of what you are about to get,” concluded Auernheimer.

The call to “kill the lying mass of shit that is CNN” posted to 4chan’s politically incorrect forum, /pol/.

Within hours, personal information for multiple CNN staffers and their family members — alongside images and gifs of individuals with CNN superimposed over their faces being shot in the head — appeared in the comments of the posting.

The incident is a rare moment of unity for the far-right with members of r/theDonald, 4chan, the Daily Stormer, and the alt-lite banding together to attack CNN.

The 4chan message board /pol/, which is dedicated to politically incorrect discussion, dubbed the campaign “Operation:Autism Storm” and posted a four part plan of attack that includes banding together with other far right sites, going after CNN’s advertisers, discrediting everyone at CNN, and forming a legal strategy for HanAssholeSolo should he later be doxed.

At least nine separate hashtags trended across far-right accounts Tuesday evening – including #cnnblackmail, #cnndoxing, and #fraudnewscnn – as the controversy erupted.

….

4. Seymour Hersh has a piece in Die Welt about the intelligence that went into the Trump administration’s decision to launch a cruise missile strike against a Syrian airbase following the alleged sarin gas attack on the city of Khan Sheikhoun in Idlib.

What did the intelligence community know about the attack? The Russian and Syrian air forces had informed the US in advance of that airstrike that they had intelligence that top-level leaders of Ahrar al-Sham and Jabhat al-Nusra were meeting in that building, and they informed the US of the attack plan in advance of the attack and that it was on a “high-value” target. The attack involved the unusual use of a guided bomb and Syria’s top pilots. Following the attack, US intelligence concluded that there was no sarin gas attack, that Assad wouldn’t have been that politically suicidal, and that the symptoms of chemical poisoning following the bombing were likely due to a mixture of chlorine, fertilizers, and other chemicals stored in the building targeted by the Syrian air force, released by secondary explosions from the initial bombing.

Key portions of Hersh’s story:

“. . . . The Syrian target at Khan Sheikhoun, as shared with the Americans at Doha, was depicted as a two-story cinder-block building in the northern part of town. Russian intelligence, which is shared when necessary with Syria and the U.S. as part of their joint fight against jihadist groups, had established that a high-level meeting of jihadist leaders was to take place in the building, including representatives of Ahrar al-Sham and the al-Qaida-affiliated group formerly known as Jabhat al-Nusra. The two groups had recently joined forces, and controlled the town and surrounding area. Russian intelligence depicted the cinder-block building as a command and control center that housed a grocery and other commercial premises on its ground floor with other essential shops nearby, including a fabric shop and an electronics store.

‘The rebels control the population by controlling the distribution of goods that people need to live – food, water, cooking oil, propane gas, fertilizers for growing their crops, and insecticides to protect the crops,’ a senior adviser to the American intelligence community, who has served in senior positions in the Defense Department and Central Intelligence Agency, told me. The basement was used as storage for rockets, weapons and ammunition, as well as products that could be distributed for free to the community, among them medicines and chlorine-based decontaminants for cleansing the bodies of the dead before burial. The meeting place – a regional headquarters – was on the floor above. ‘It was an established meeting place,’ the senior adviser said. ‘A long-time facility that would have had security, weapons, communications, files and a map center.’ The Russians were intent on confirming their intelligence and deployed a drone for days above the site to monitor communications and develop what is known in the intelligence community as a POL – a pattern of life. The goal was to take note of those going in and out of the building, and to track weapons being moved back and forth, including rockets and ammunition.

Russian and Syrian intelligence officials, who coordinate operations closely with the American command posts, made it clear that the planned strike on Khan Sheikhoun was special because of the high-value target. ‘It was a red-hot change. The mission was out of the ordinary – scrub the sked,’ the senior adviser told me. ‘Every operations officer in the region’ – in the Army, Marine Corps, Air Force, CIA and NSA – ‘had to know there was something going on. The Russians gave the Syrian Air Force a guided bomb and that was a rarity. They’re skimpy with their guided bombs and rarely share them with the Syrian Air Force. And the Syrians assigned their best pilot to the mission, with the best wingman.’ The advance intelligence on the target, as supplied by the Russians, was given the highest possible score inside the American community.

The Execute Order governing U.S. military operations in theater, which was issued by the Chairman of the Joint Chiefs of Staff, provides instructions that demarcate the relationship between the American and Russian forces operating in Syria. “It’s like an ops order – ‘Here’s what you are authorized to do,’” the adviser said. “We do not share operational control with the Russians. We don’t do combined operations with them, or activities directly in support of one of their operations. But coordination is permitted. We keep each other apprised of what’s happening and within this package is the mutual exchange of intelligence. If we get a hot tip that could help the Russians do their mission, that’s coordination; and the Russians do the same for us. When we get a hot tip about a command and control facility,” the adviser added, referring to the target in Khan Sheikhoun, “we do what we can to help them act on it.” “This was not a chemical weapons strike,” the adviser said. “That’s a fairy tale. If so, everyone involved in transferring, loading and arming the weapon – you’ve got to make it appear like a regular 500-pound conventional bomb – would be wearing Hazmat protective clothing in case of a leak. There would be very little chance of survival without such gear. Military grade sarin includes additives designed to increase toxicity and lethality. Every batch that comes out is maximized for death. That is why it is made. It is odorless and invisible and death can come within a minute. No cloud. Why produce a weapon that people can run away from?”

The target was struck at 6:55 a.m. on April 4, just before midnight in Washington. A Bomb Damage Assessment (BDA) by the U.S. military later determined that the heat and force of the 500-pound Syrian bomb triggered a series of secondary explosions that could have generated a huge toxic cloud that began to spread over the town, formed by the release of the fertilizers, disinfectants and other goods stored in the basement, its effect magnified by the dense morning air, which trapped the fumes close to the ground. According to intelligence estimates, the senior adviser said, the strike itself killed up to four jihadist leaders, and an unknown number of drivers and security aides. There is no confirmed count of the number of civilians killed by the poisonous gases that were released by the secondary explosions, although opposition activists reported that there were more than 80 dead, and outlets such as CNN have put the figure as high as 92. A team from Médecins Sans Frontières, treating victims from Khan Sheikhoun at a clinic 60 miles to the north, reported that “eight patients showed symptoms – including constricted pupils, muscle spasms and involuntary defecation – which are consistent with exposure to a neurotoxic agent such as sarin gas or similar compounds.” MSF also visited other hospitals that had received victims and found that patients there “smelled of bleach, suggesting that they had been exposed to chlorine.” In other words, evidence suggested that there was more than one chemical responsible for the symptoms observed, which would not have been the case if the Syrian Air Force – as opposition activists insisted – had dropped a sarin bomb, which has no percussive or ignition power to trigger secondary explosions. The range of symptoms is, however, consistent with the release of a mixture of chemicals, including chlorine and the organophosphates used in many fertilizers, which can cause neurotoxic effects similar to those of sarin. . . .

. . . . The crisis slid into the background by the end of April, as Russia, Syria and the United States remained focused on annihilating ISIS and the militias of al-Qaida. Some of those who had worked through the crisis, however, were left with lingering concerns. ‘The Salafists and jihadists got everything they wanted out of their hyped-up Syrian nerve gas ploy,’ the senior adviser to the U.S. intelligence community told me, referring to the flare up of tensions between Syria, Russia and America. ‘The issue is, what if there’s another false flag sarin attack credited to hated Syria? Trump has upped the ante and painted himself into a corner with his decision to bomb. And do not think these guys are not planning the next faked attack. Trump will have no choice but to bomb again, and harder. He’s incapable of saying he made a mistake.’ . . .”

“Trump’s Red Line” by Seymour M. Hersh; Welt.de; 06/25/2017

On April 6, United States President Donald Trump authorized an early morning Tomahawk missile strike on Shayrat Air Base in central Syria in retaliation for what he said was a deadly nerve agent attack carried out by the Syrian government two days earlier in the rebel-held town of Khan Sheikhoun. Trump issued the order despite having been warned by the U.S. intelligence community that it had found no evidence that the Syrians had used a chemical weapon.

The available intelligence made clear that the Syrians had targeted a jihadist meeting site on April 4 using a Russian-supplied guided bomb equipped with conventional explosives. Details of the attack, including information on its so-called high-value targets, had been provided by the Russians days in advance to American and allied military officials in Doha, whose mission is to coordinate all U.S., allied, Syrian and Russian Air Force operations in the region.

Some American military and intelligence officials were especially distressed by the president’s determination to ignore the evidence. “None of this makes any sense,” one officer told colleagues upon learning of the decision to bomb. “We KNOW that there was no chemical attack … the Russians are furious. Claiming we have the real intel and know the truth … I guess it didn’t matter whether we elected Clinton or Trump.”

Within hours of the April 4 bombing, the world’s media was saturated with photographs and videos from Khan Sheikhoun. Pictures of dead and dying victims, allegedly suffering from the symptoms of nerve gas poisoning, were uploaded to social media by local activists, including the White Helmets, a first responder group known for its close association with the Syrian opposition.

The provenance of the photos was not clear and no international observers have yet inspected the site, but the immediate popular assumption worldwide was that this was a deliberate use of the nerve agent sarin, authorized by President Bashar Assad of Syria. Trump endorsed that assumption by issuing a statement within hours of the attack, describing Assad’s “heinous actions” as being a consequence of the Obama administration’s “weakness and irresolution” in addressing what he said was Syria’s past use of chemical weapons.

To the dismay of many senior members of his national security team, Trump could not be swayed over the next 48 hours of intense briefings and decision-making. In a series of interviews, I learned of the total disconnect between the president and many of his military advisers and intelligence officials, as well as officers on the ground in the region who had an entirely different understanding of the nature of Syria’s attack on Khan Sheikhoun. I was provided with evidence of that disconnect, in the form of transcripts of real-time communications, immediately following the Syrian attack on April 4. In an important pre-strike process known as deconfliction, U.S. and Russian officers routinely supply one another with advance details of planned flight paths and target coordinates, to ensure that there is no risk of collision or accidental encounter (the Russians speak on behalf of the Syrian military). This information is supplied daily to the American AWACS surveillance planes that monitor the flights once airborne. Deconfliction’s success and importance can be measured by the fact that there has yet to be one collision, or even a near miss, among the high-powered supersonic American, Allied, Russian and Syrian fighter bombers.

Russian and Syrian Air Force officers gave details of the carefully planned flight path to and from Khan Sheikhoun on April 4 directly, in English, to the deconfliction monitors aboard the AWACS plane, which was on patrol near the Turkish border, 60 miles or more to the north.

The Syrian target at Khan Sheikhoun, as shared with the Americans at Doha, was depicted as a two-story cinder-block building in the northern part of town. Russian intelligence, which is shared when necessary with Syria and the U.S. as part of their joint fight against jihadist groups, had established that a high-level meeting of jihadist leaders was to take place in the building, including representatives of Ahrar al-Sham and the al-Qaida-affiliated group formerly known as Jabhat al-Nusra. The two groups had recently joined forces, and controlled the town and surrounding area. Russian intelligence depicted the cinder-block building as a command and control center that housed a grocery and other commercial premises on its ground floor with other essential shops nearby, including a fabric shop and an electronics store.

“The rebels control the population by controlling the distribution of goods that people need to live – food, water, cooking oil, propane gas, fertilizers for growing their crops, and insecticides to protect the crops,” a senior adviser to the American intelligence community, who has served in senior positions in the Defense Department and Central Intelligence Agency, told me. The basement was used as storage for rockets, weapons and ammunition, as well as products that could be distributed for free to the community, among them medicines and chlorine-based decontaminants for cleansing the bodies of the dead before burial. The meeting place – a regional headquarters – was on the floor above. “It was an established meeting place,” the senior adviser said. “A long-time facility that would have had security, weapons, communications, files and a map center.” The Russians were intent on confirming their intelligence and deployed a drone for days above the site to monitor communications and develop what is known in the intelligence community as a POL – a pattern of life. The goal was to take note of those going in and out of the building, and to track weapons being moved back and forth, including rockets and ammunition.

One reason for the Russian message to Washington about the intended target was to ensure that any CIA asset or informant who had managed to work his way into the jihadist leadership was forewarned not to attend the meeting. I was told that the Russians passed the warning directly to the CIA. “They were playing the game right,” the senior adviser said. The Russian guidance noted that the jihadist meeting was coming at a time of acute pressure for the insurgents: Presumably Jabhat al-Nusra and Ahrar al-Sham were desperately seeking a path forward in the new political climate. In the last few days of March, Trump and two of his key national security aides – Secretary of State Rex Tillerson and UN Ambassador Nikki Haley – had made statements acknowledging that, as the New York Times put it, the White House “has abandoned the goal” of pressuring Assad “to leave power, marking a sharp departure from the Middle East policy that guided the Obama administration for more than five years.” White House Press Secretary Sean Spicer told a press briefing on March 31 that “there is a political reality that we have to accept,” implying that Assad was there to stay.

Russian and Syrian intelligence officials, who coordinate operations closely with the American command posts, made it clear that the planned strike on Khan Sheikhoun was special because of the high-value target. “It was a red-hot change. The mission was out of the ordinary – scrub the sked,” the senior adviser told me. “Every operations officer in the region” – in the Army, Marine Corps, Air Force, CIA and NSA – “had to know there was something going on. The Russians gave the Syrian Air Force a guided bomb and that was a rarity. They’re skimpy with their guided bombs and rarely share them with the Syrian Air Force. And the Syrians assigned their best pilot to the mission, with the best wingman.” The advance intelligence on the target, as supplied by the Russians, was given the highest possible score inside the American community.

The Execute Order governing U.S. military operations in theater, which was issued by the Chairman of the Joint Chiefs of Staff, provides instructions that demarcate the relationship between the American and Russian forces operating in Syria. “It’s like an ops order – ‘Here’s what you are authorized to do,’” the adviser said. “We do not share operational control with the Russians. We don’t do combined operations with them, or activities directly in support of one of their operations. But coordination is permitted. We keep each other apprised of what’s happening and within this package is the mutual exchange of intelligence. If we get a hot tip that could help the Russians do their mission, that’s coordination; and the Russians do the same for us. When we get a hot tip about a command and control facility,” the adviser added, referring to the target in Khan Sheikhoun, “we do what we can to help them act on it.” “This was not a chemical weapons strike,” the adviser said. “That’s a fairy tale. If so, everyone involved in transferring, loading and arming the weapon – you’ve got to make it appear like a regular 500-pound conventional bomb – would be wearing Hazmat protective clothing in case of a leak. There would be very little chance of survival without such gear. Military grade sarin includes additives designed to increase toxicity and lethality. Every batch that comes out is maximized for death. That is why it is made. It is odorless and invisible and death can come within a minute. No cloud. Why produce a weapon that people can run away from?”

The target was struck at 6:55 a.m. on April 4, just before midnight in Washington. A Bomb Damage Assessment (BDA) by the U.S. military later determined that the heat and force of the 500-pound Syrian bomb triggered a series of secondary explosions that could have generated a huge toxic cloud that began to spread over the town, formed by the release of the fertilizers, disinfectants and other goods stored in the basement, its effect magnified by the dense morning air, which trapped the fumes close to the ground. According to intelligence estimates, the senior adviser said, the strike itself killed up to four jihadist leaders, and an unknown number of drivers and security aides. There is no confirmed count of the number of civilians killed by the poisonous gases that were released by the secondary explosions, although opposition activists reported that there were more than 80 dead, and outlets such as CNN have put the figure as high as 92. A team from Médecins Sans Frontières, treating victims from Khan Sheikhoun at a clinic 60 miles to the north, reported that “eight patients showed symptoms – including constricted pupils, muscle spasms and involuntary defecation – which are consistent with exposure to a neurotoxic agent such as sarin gas or similar compounds.” MSF also visited other hospitals that had received victims and found that patients there “smelled of bleach, suggesting that they had been exposed to chlorine.” In other words, evidence suggested that there was more than one chemical responsible for the symptoms observed, which would not have been the case if the Syrian Air Force – as opposition activists insisted – had dropped a sarin bomb, which has no percussive or ignition power to trigger secondary explosions. The range of symptoms is, however, consistent with the release of a mixture of chemicals, including chlorine and the organophosphates used in many fertilizers, which can cause neurotoxic effects similar to those of sarin.

The internet swung into action within hours, and gruesome photographs of the victims flooded television networks and YouTube. U.S. intelligence was tasked with establishing what had happened. Among the pieces of information received was an intercept of Syrian communications collected before the attack by an allied nation. The intercept, which had a particularly strong effect on some of Trump’s aides, did not mention nerve gas or sarin, but it did quote a Syrian general discussing a “special” weapon and the need for a highly skilled pilot to man the attack plane. The reference, as those in the American intelligence community understood, and many of the inexperienced aides and family members close to Trump may not have, was to a Russian-supplied bomb with its built-in guidance system. “If you’ve already decided it was a gas attack, you will then inevitably read the talk about a special weapon as involving a sarin bomb,” the adviser said. “Did the Syrians plan the attack on Khan Sheikhoun? Absolutely. Do we have intercepts to prove it? Absolutely. Did they plan to use sarin? No. But the president did not say: ‘We have a problem and let’s look into it.’ He wanted to bomb the shit out of Syria.”

At the UN the next day, Ambassador Haley created a media sensation when she displayed photographs of the dead and accused Russia of being complicit. “How many more children have to die before Russia cares?” she asked. NBC News, in a typical report that day, quoted American officials as confirming that nerve gas had been used and Haley tied the attack directly to Syrian President Assad. “We know that yesterday’s attack was a new low even for the barbaric Assad regime,” she said. There was irony in America’s rush to blame Syria and criticize Russia for its support of Syria’s denial of any use of gas in Khan Sheikhoun, as Ambassador Haley and others in Washington did. “What doesn’t occur to most Americans” the adviser said, “is if there had been a Syrian nerve gas attack authorized by Bashar, the Russians would be 10 times as upset as anyone in the West. Russia’s strategy against ISIS, which involves getting American cooperation, would have been destroyed and Bashar would be responsible for pissing off Russia, with unknown consequences for him. Bashar would do that? When he’s on the verge of winning the war? Are you kidding me?”

Trump, a constant watcher of television news, said, while King Abdullah of Jordan was sitting next to him in the Oval Office, that what had happened was “horrible, horrible” and a “terrible affront to humanity.” Asked if his administration would change its policy toward the Assad government, he said: “You will see.” He gave a hint of the response to come at the subsequent news conference with King Abdullah: “When you kill innocent children, innocent babies – babies, little babies – with a chemical gas that is so lethal … that crosses many, many lines, beyond a red line . … That attack on children yesterday had a big impact on me. Big impact … It’s very, very possible … that my attitude toward Syria and Assad has changed very much.”

Within hours of viewing the photos, the adviser said, Trump instructed the national defense apparatus to plan for retaliation against Syria. “He did this before he talked to anybody about it. The planners then asked the CIA and DIA if there was any evidence that Syria had sarin stored at a nearby airport or somewhere in the area. Their military had to have it somewhere in the area in order to bomb with it.” “The answer was, ‘We have no evidence that Syria had sarin or used it,’” the adviser said. “The CIA also told them that there was no residual delivery for sarin at Sheyrat [the airfield from which the Syrian SU-24 bombers had taken off on April 4] and Assad had no motive to commit political suicide.” Everyone involved, except perhaps the president, also understood that a highly skilled United Nations team had spent more than a year in the aftermath of an alleged sarin attack in 2013 by Syria, removing what was said to be all chemical weapons from a dozen Syrian chemical weapons depots.

At this point, the adviser said, the president’s national security planners were more than a little rattled: “No one knew the provenance of the photographs. We didn’t know who the children were or how they got hurt. Sarin actually is very easy to detect because it penetrates paint, and all one would have to do is get a paint sample. We knew there was a cloud and we knew it hurt people. But you cannot jump from there to certainty that Assad had hidden sarin from the UN because he wanted to use it in Khan Sheikhoun.” The intelligence made clear that a Syrian Air Force SU-24 fighter bomber had used a conventional weapon to hit its target: There had been no chemical warhead. And yet it was impossible for the experts to persuade the president of this once he had made up his mind. “The president saw the photographs of poisoned little girls and said it was an Assad atrocity,” the senior adviser said. “It’s typical of human nature. You jump to the conclusion you want. Intelligence analysts do not argue with a president. They’re not going to tell the president, ‘if you interpret the data this way, I quit.’”

The national security advisers understood their dilemma: Trump wanted to respond to the affront to humanity committed by Syria and he did not want to be dissuaded. They were dealing with a man they considered to be not unkind and not stupid, but his limitations when it came to national security decisions were severe. “Everyone close to him knows his proclivity for acting precipitously when he does not know the facts,” the adviser said. “He doesn’t read anything and has no real historical knowledge. He wants verbal briefings and photographs. He’s a risk-taker. He can accept the consequences of a bad decision in the business world; he will just lose money. But in our world, lives will be lost and there will be long-term damage to our national security if he guesses wrong. He was told we did not have evidence of Syrian involvement and yet Trump says: ‘Do it.”’

On April 6, Trump convened a meeting of national security officials at his Mar-a-Lago resort in Florida. The meeting was not to decide what to do, but how best to do it – or, as some wanted, how to do the least and keep Trump happy. “The boss knew before the meeting that they didn’t have the intelligence, but that was not the issue,” the adviser said. “The meeting was about, ‘Here’s what I’m going to do,’ and then he gets the options.”

The available intelligence was not relevant. The most experienced man at the table was Secretary of Defense James Mattis, a retired Marine Corps general who had the president’s respect and understood, perhaps, how quickly that could evaporate. Mike Pompeo, the CIA director whose agency had consistently reported that it had no evidence of a Syrian chemical bomb, was not present. Secretary of State Tillerson was admired on the inside for his willingness to work long hours and his avid reading of diplomatic cables and reports, but he knew little about waging war and the management of a bombing raid. Those present were in a bind, the adviser said. “The president was emotionally energized by the disaster and he wanted options.” He got four of them, in order of extremity. Option one was to do nothing. All involved, the adviser said, understood that was a non-starter. Option two was a slap on the wrist: to bomb an airfield in Syria, but only after alerting the Russians and, through them, the Syrians, to avoid too many casualties. A few of the planners called this the “gorilla option”: America would glower and beat its chest to provoke fear and demonstrate resolve, but cause little significant damage. The third option was to adopt the strike package that had been presented to Obama in 2013, and which he ultimately chose not to pursue. The plan called for the massive bombing of the main Syrian airfields and command and control centers using B1 and B52 aircraft launched from their bases in the U.S. Option four was “decapitation”: to remove Assad by bombing his palace in Damascus, as well as his command and control network and all of the underground bunkers he could possibly retreat to in a crisis.

“Trump ruled out option one off the bat,” the senior adviser said, and the assassination of Assad was never considered. “But he said, in essence: ‘You’re the military and I want military action.’” The president was also initially opposed to the idea of giving the Russians advance warning before the strike, but reluctantly accepted it. “We gave him the Goldilocks option – not too hot, not too cold, but just right.” The discussion had its bizarre moments. Tillerson wondered at the Mar-a-Lago meeting why the president could not simply call in the B52 bombers and pulverize the air base. He was told that B52s were very vulnerable to surface-to-air missiles (SAMs) in the area and using such planes would require suppression fire that could kill some Russian defenders. “What is that?” Tillerson asked. Well, sir, he was told, that means we would have to destroy the upgraded SAM sites along the B52 flight path, and those are manned by Russians, and we possibly would be confronted with a much more difficult situation. “The lesson here was: Thank God for the military men at the meeting,” the adviser said. “They did the best they could when confronted with a decision that had already been made.”

Fifty-nine Tomahawk missiles were fired from two U.S. Navy destroyers on duty in the Mediterranean, the Ross and the Porter, at Shayrat Air Base near the government-controlled city of Homs. The strike was as successful as hoped, in terms of doing minimal damage. The missiles have a light payload – roughly 220 pounds of HBX, the military’s modern version of TNT. The airfield’s gasoline storage tanks, a primary target, were pulverized, the senior adviser said, triggering a huge fire and clouds of smoke that interfered with the guidance system of following missiles. As many as 24 missiles missed their targets and only a few of the Tomahawks actually penetrated into hangars, destroying nine Syrian aircraft, many fewer than claimed by the Trump administration. I was told that none of the nine was operational: such damaged aircraft are what the Air Force calls hangar queens. “They were sacrificial lambs,” the senior adviser said. Most of the important personnel and operational fighter planes had been flown to nearby bases hours before the raid began. The two runways and parking places for aircraft, which had also been targeted, were repaired and back in operation within eight hours or so. All in all, it was little more than an expensive fireworks display.

“It was a totally Trump show from beginning to end,” the senior adviser said. “A few of the president’s senior national security advisers viewed the mission as a minimized bad presidential decision, and one that they had an obligation to carry out. But I don’t think our national security people are going to allow themselves to be hustled into a bad decision again. If Trump had gone for option three, there might have been some immediate resignations.”

After the meeting, with the Tomahawks on their way, Trump spoke to the nation from Mar-a-Lago, and accused Assad of using nerve gas to choke out “the lives of helpless men, women and children. It was a slow and brutal death for so many … No child of God should ever suffer such horror.” The next few days were his most successful as president. America rallied around its commander in chief, as it always does in times of war. Trump, who had campaigned as someone who advocated making peace with Assad, was bombing Syria 11 weeks after taking office, and was hailed for doing so by Republicans, Democrats and the media alike. One prominent TV anchorman, Brian Williams of MSNBC, used the word “beautiful” to describe the images of the Tomahawks being launched at sea. Speaking on CNN, Fareed Zakaria said: “I think Donald Trump became president of the United States.” A review of the top 100 American newspapers showed that 39 of them published editorials supporting the bombing in its aftermath, including the New York Times, Washington Post and Wall Street Journal.

Five days later, the Trump administration gathered the national media for a background briefing on the Syrian operation that was conducted by a senior White House official who was not to be identified. The gist of the briefing was that Russia’s heated and persistent denial of any sarin use in the Khan Sheikhoun bombing was a lie because President Trump had said sarin had been used. That assertion, which was not challenged or disputed by any of the reporters present, became the basis for a series of further criticisms:

– The continued lying by the Trump administration about Syria’s use of sarin led to widespread belief in the American media and public that Russia had chosen to be involved in a corrupt disinformation and cover-up campaign on the part of Syria.

– Russia’s military forces had been co-located with Syria’s at the Shayrat airfield (as they are throughout Syria), raising the possibility that Russia had advance notice of Syria’s determination to use sarin at Khan Sheikhoun and did nothing to stop it.

– Syria’s use of sarin and Russia’s defense of that use strongly suggested that Syria withheld stocks of the nerve agent from the UN disarmament team that spent much of 2014 inspecting and removing all declared chemical warfare agents from 12 Syrian chemical weapons depots, pursuant to the agreement worked out by the Obama administration and Russia after Syria’s alleged, but still unproven, use of sarin the year before against a rebel redoubt in a suburb of Damascus.

The briefer, to his credit, was careful to use the words “think,” “suggest” and “believe” at least 10 times during the 30-minute event. But he also said that his briefing was based on data that had been declassified by “our colleagues in the intelligence community.” What the briefer did not say, and may not have known, was that much of the classified information in the community made the point that Syria had not used sarin in the April 4 bombing attack.

The crisis slid into the background by the end of April, as Russia, Syria and the United States remained focused on annihilating ISIS and the militias of al-Qaida. Some of those who had worked through the crisis, however, were left with lingering concerns. “The Salafists and jihadists got everything they wanted out of their hyped-up Syrian nerve gas ploy,” the senior adviser to the U.S. intelligence community told me, referring to the flare up of tensions between Syria, Russia and America. “The issue is, what if there’s another false flag sarin attack credited to hated Syria? Trump has upped the ante and painted himself into a corner with his decision to bomb. And do not think these guys are not planning the next faked attack. Trump will have no choice but to bomb again, and harder. He’s incapable of saying he made a mistake.”

5.  The White House issued an ominous message indicating it has evidence that Assad’s forces were planning a chemical attack and that, if that happens, the consequences will be severe and Russia and Iran will be held responsible:

“White House says Syria’s Assad preparing another chemical attack, warns of ‘heavy’ penalty” by Abby Phillip and Dan Lamothe; The Washington Post; 06/26/2017

The White House issued an ominous warning to Syrian President Bashar al-Assad on Monday night, pledging that his regime would pay a “heavy price” if it carried out another chemical attack this year.

In a statement, White House press secretary Sean Spicer said that the United States had detected evidence of preparations for a chemical attack, similar to the preparations that occurred before an attack in April.

“The United States has identified potential preparations for another chemical weapons attack by the Assad regime that would likely result in the mass murder of civilians, including innocent children,” Spicer said in the statement. “The activities are similar to preparations the regime made before its April 4, 2017 chemical weapons attack.

“As we have previously stated, the United States is in Syria to eliminate the Islamic State of Iraq and Syria,” he continued. “If, however, Mr. Assad conducts another mass murder attack using chemical weapons, he and his military will pay a heavy price.”

Following the April attack, President Trump ordered an air strike against the Assad-controlled air field where the attack was believed to have been carried out.

At the time, Trump said that Assad’s use of chemical weapons against innocent women and children made action inevitable.

“When you kill innocent children, innocent babies, babies, little babies, with a chemical gas that is so lethal — people were shocked to hear what gas it was,” Trump said after the attack. “That crosses many, many lines, beyond a red line, many, many lines.”

Following Spicer’s statement on Monday night, Nikki Haley, the U.S. Ambassador to the United Nations said Assad and its allies would be squarely blamed if such an attack occurred.

“Any further attacks done to the people of Syria will be blamed on Assad, but also on Russia & Iran who support him killing his own people,” Haley wrote.

Any further attacks done to the people of Syria will be blamed on Assad, but also on Russia & Iran who support him killing his own people. — Nikki Haley (@nikkihaley) June 27, 2017

The U.S. military maintains a variety of weapons in the region that could be used in the event of another strike, including manned and unmanned aircraft in several Middle Eastern countries. But the most likely scenario is probably a strike using naval assets, which can be launched with fewer diplomatic issues than using bases in allied countries such as Turkey or the United Arab Emirates.

The Navy launched Tomahawk missiles at a Syrian military airfield April 6 in response to a previous alleged chemical weapons attack, using two guided-missile destroyers in the eastern Mediterranean Sea, the USS Ross and USS Porter, to do so.

A point of contention for the Pentagon after the last strike was the Syrian regime’s alleged use of a nerve agent, like sarin. It is far deadlier than some other chemicals that U.S. military and intelligence officials say that the regime has used, such as chlorine.

6. Critical to the understanding of the spinning of “Russia-gate” are the actions of Felix Sater.

“Inside Trump’s Russia Connections: The Felon and The Pop Star” by Chase Peterson-Withorn; Forbes; 3/28/2017.

“ . . . . Nevertheless, in late January, Sater and a Ukrainian lawmaker reportedly met with Trump’s personal lawyer, Michael Cohen, at a New York hotel. According to the Times, they discussed a plan that involved the U.S. lifting sanctions against Russia, and Cohen said he hand-delivered the plan in a sealed envelope to then-national security advisor Michael Flynn. Cohen later denied delivering the envelope to anyone in the White House, according to the Washington Post. . . .”

7.  Sater was “walking point” for the Trump business interests in their attempts at building in Moscow in the fall of 2015.

“How the Miss Universe Pageant Led to Trump’s Son Meeting with a Russian Lawyer” by Steve Eder and Megan Twohey [The New York Times]; The Seattle Times; 7/10/2017.

“ . . . . Sater worked on a plan for a Trump Tower in Moscow as recently as the fall of 2015, but he said that had come to a halt because of Trump’s presidential campaign. . . .”

8. Another interesting, close associate of Donald Trump was Felix Sater, who changed the spelling of his name, adding an extra “T” to avoid being recognized on internet searches. Reviewing information from FTR #936:

The Making of Donald Trump by David Cay Johnston; Melville House [HC]; copyright 2016 by David Cay Johnston; ISBN 978-1-61219-632-9. p. 162.

 . . . ‘Satter’s’ name appears with just one ‘T’ in a host of places. There’s the deed to his home for example. It is also spelled with only one ‘T’ on New York State court papers from his 1991 felony conviction for stabbing a man in the face with the stem of a margarita glass. The name Sater with one ‘T’ also appears on federal court papers in a $40 million organized crime stock swindle he confessed to in 1998, a scheme that benefited him as well as the Genovese and Gambino crime families. The stock swindle involved fake stock brokerage firms using high-pressure tactics to get naive people to buy worthless shares from Sater and his mob friends. . . . 

9. Trump’s close associate Felix was able to escape serious legal retribution by going to work for the CIA.

The Making of Donald Trump by David Cay Johnston; Melville House [HC]; copyright 2016 by David Cay Johnston; ISBN 978-1-61219-632-9. p. 165.

. . . . There is every indication that the extraordinarily lenient treatment resulted from Sater playing a get-out-of-jail free card. Shortly before his secret guilty plea, Sater became a freelance operative of the Central Intelligence Agency. One of his fellow stock swindlers, Salvatore Lauria, wrote a book about it. The Scorpion and the Frog is described on its cover as ‘the true story of one man’s fraudulent rise and fall in the Wall Street of the nineties.’ According to Lauria–and the court files that have been unsealed–Sater helped the CIA buy small missiles before they got to terrorists. He also provided other purported national security services for a reported fee of $300,000. Stories abound as to what else Sater may or may not have done in the arena of national security. . . . 

 

Discussion

16 comments for “FTR #965 Are We Going to Have a Third World War?”

  1. Check out the person that appears to be emerging as the White House’s internal scapegoat for all the turmoil in recent days as a new cloud of paranoia envelops the White House staff amidst one report after another based on multiple anonymous White House sources: Reince Priebus. Yep, according to a recent report in the Washington Post, the Trump kids are convinced that Reince Priebus is one of the sources of all these embarrassing reports and their message to Trump is that Priebus has to go. It’s an interesting development. In part because Priebus, as one of the primary White House figures who comes from the traditional GOP ‘establishment’, really would be one of the primary suspects of any attempts to undermine the Trump administration but only if the rest of the GOP establishment gives him those orders. So you have to wonder if the Trump kids’ lobbying to get their dad to dump Priebus reflects a growing concern that the GOP establishment is getting ready to dump Trump:

    The Washington Post

    ‘Category 5 hurricane’: White House under siege by Trump Jr.’s Russia revelations

    By Philip Rucker and Ashley Parker
    July 12, 2017 at 6:42 AM

    The White House has been thrust into chaos after days of ever-worsening revelations about a meeting between Donald Trump Jr. and a lawyer characterized as representing the Russian government, as the president fumes against his enemies and senior aides circle one another with suspicion, according to top White House officials and outside advisers.

    President Trump — who has been hidden from public view since returning last weekend from a divisive international summit — is enraged that the Russia cloud still hangs over his presidency and is exasperated that his eldest son and namesake has become engulfed by it, said people who have spoken with him this week.

    The disclosure that Trump Jr. met with a Russian attorney, believing he would receive incriminating information about Hillary Clinton as part of the Kremlin’s effort to boost his father’s candidacy, has set back the administration’s faltering agenda and rattled the senior leadership team.

    On Wednesday, in his first Twitter posts since the email disclosures, Trump defended his son as “open, transparent and innocent” and repeated past claims that his administration is the subject of a “witch hunt” fueled by leakers.

    “My son Donald did a good job last night,” Trump wrote, referring to his son’s appearance on Fox News. “He was open, transparent and innocent. This is the greatest Witch Hunt in political history. Sad!”

    Trump also took aim at anonymous leaks from “sources” — even though Trump Jr. gave a step-by-step email chronology of the plans for the meeting with the Russian lawyer in 2016.

    Even supporters of Trump Jr. who believe he faces no legal repercussions privately acknowledged Tuesday that the story is a public relations disaster — for him as well as for the White House. One outside ally called it a “Category 5 hurricane,” while an outside adviser said a CNN graphic charting connections between the Trump team and Russians resembled the plot of the fictional Netflix series “House of Cards.”

    Vice President Pence sought to distance himself from the controversy, with his spokesman noting that Trump Jr.’s meeting occurred before Pence joined the ticket.

    Inside a White House in which infighting often seems like a core cultural value, three straight days of revelations in the New York Times about Trump Jr. have inspired a new round of accusations and recriminations, with advisers privately speculating about who inside the Trump orbit may be leaking damaging information about the president’s son.

    This portrait of the Trump White House under siege is based on interviews Tuesday with more than a dozen West Wing officials, outside advisers, and friends and associates of the president and his family, many of whom spoke on the condition of anonymity to be candid.

    The makeup of Trump’s inner circle is the subject of internal debate, as ever. Ivanka Trump, the president’s daughter and senior adviser; Jared Kushner, her husband and another senior adviser; and first lady Melania Trump have been privately pressing the president to shake up his team — most specifically by replacing Reince Priebus as the White House chief of staff, according to two senior White House officials and one ally close to the White House.

    The three family members are especially concerned about the steady stream of unauthorized leaks to journalists that have plagued the administration over the nearly six months that President Trump has been in office, from sensitive national security information to embarrassing details about the inner workings of the White House, the officials said.

    Stephanie Grisham, the first lady’s communications director, said: “Of course, the first lady is concerned about leaks from her husband’s administration, as all Americans should be. And while she does offer advice and perspectives on many things, Mrs. Trump does not weigh in on West Wing staff.”

    Lindsay Walters, a deputy White House press secretary, disputed reports about Priebus’s standing. “These sources have been consistently wrong about Reince, and they’re still wrong today,” she said.

    After this story first published, Josh Raffel, a White House spokesman, said in a statement on behalf of Kushner and Ivanka Trump: “Jared and Ivanka are focused on working with Reince and the team to advance the President’s agenda and not on pushing for staff changes.”

    Trump recently publicly praised Priebus’s work ethic, and the chief of staff’s allies note that Priebus has done as good a job as can be expected under the unique circumstances of this administration. Defenders of Priebus have long said they expect him to make it to a year in the position, and Trump is said to be hesitant to fire him or any other senior staffer amid the escalating Russia investigation led by special counsel Robert S. Mueller III.

    Pence found out about Trump Jr.’s meeting with the Russian attorney Friday evening in advance of the first Times story, said one person familiar with the discussions. Both Pence and his team view the Russia coverage as a distraction, and are working to keep the vice president clear of it and focused on Trump’s policy goals — such as health care, the subject of his scheduled visit to Kentucky on Wednesday.

    “The vice president is working every day to advance the president’s agenda, which is what the American people sent us here to do. The vice president was not aware of the meeting,” Pence’s press secretary, Marc Lotter, said in a statement. “He is not focused on stories about the campaign, particularly stories about the time before he joined the ticket.”

    On Capitol Hill — where Senate Majority Leader Mitch McConnell (R-Ky.) announced Tuesday that he is delaying his chamber’s August recess by two weeks — Republican senators were becoming increasingly frustrated with the White House, which they blame for Congress’s inability to pass any major legislation.

    A growing number of senators believe that the widening Russia probe — as well as the Trump-fueled tumult that seems to dominate nearly every news cycle — have stalled their legislative agenda, leaving them nothing to offer their constituents by way of achievements when they head home over the break.

    ———-

    “‘Category 5 hurricane’: White House under siege by Trump Jr.’s Russia revelations” by Philip Rucker and Ashley Parker; The Washington Post; 07/12/2017

    “The makeup of Trump’s inner circle is the subject of internal debate, as ever. Ivanka Trump, the president’s daughter and senior adviser; Jared Kushner, her husband and another senior adviser; and first lady Melania Trump have been privately pressing the president to shake up his team — most specifically by replacing Reince Priebus as the White House chief of staff, according to two senior White House officials and one ally close to the White House.”

    Melania is on the anti-Priebus bandwagon too? Ouch. But such fears and frustrations aren’t exactly outlandish given Priebus’s status as a key GOP establishment ‘outside’ inside the White House. After all, if there were other staffers the Trumps can’t trust Priebus would have been the person in charge of hiring them as the Chief of Staff. And if the broader GOP ‘establishment’ and its billionaire backers decide that Trump is becoming an obstacle to the fruition of their agenda and needs to be taken down, someone like Priebus would be very well positioned to help make that happen. It’s one of those situations where paranoia is pretty appropriate.

    So while there were plenty of denials about this intra-White House conflict, it’s hard to take those denials seriously given the wave of anonymously sourced stories coming out of the White House. Especially given the reports that Congressional GOPers are blaming Trump for their own inability to pass any meaningful legislation, instead of blaming themselves for crafting legislation so horrible and unpopular that even GOPers can’t support it. If the GOP ‘establishment’ is going to scapegoat Trump, counter-scapegoating Priebus kind of makes sense:


    On Capitol Hill — where Senate Majority Leader Mitch McConnell (R-Ky.) announced Tuesday that he is delaying his chamber’s August recess by two weeks — Republican senators were becoming increasingly frustrated with the White House, which they blame for Congress’s inability to pass any major legislation.

    A growing number of senators believe that the widening Russia probe — as well as the Trump-fueled tumult that seems to dominate nearly every news cycle — have stalled their legislative agenda, leaving them nothing to offer their constituents by way of achievements when they head home over the break.

    Might Priebus finally be on his way out the door? This isn’t the first time there have been reports of the Trump White House infighting without any eventual departures. But that lack of departures doesn’t mean those previous fights were resolved, so as the tensions and paranoia in the White House continue to grow, along with the anonymous insider leaks, we probably shouldn’t be super shocked if Priebus is either shown the door or runs for the exits himself.

    At the same time, given the incredibly bad optics the Trump administration is now facing following the disclosure of the meeting with the Russian lawyer – and the growing possibility that Trump is going to basically get convicted of colluding with Russia in the court of public opinion – and given the frustrations of the rest of the GOP – not to mention the GOP oligarchs – over the inability of Trump and the GOP on selling their agenda to the public, perhaps we shouldn’t be super shocked if Priebus’s time in the White House outlasts Trump. Especially now that Trump says he just learned about the June 9th, 2016 meeting days ago on the same day a GOP Senator reveals that the Senate Intelligence committee learned about this meeting back in April from Jared Kushner:

    Talking Points Memo
    Livewire

    GOP Senator: Intel Committee Knew In April That Kushner Met Russian Lawyer

    By Esme Cribb
    Published July 12, 2017 6:43 pm

    Sen. James Lankford (R-OK), a member of the Senate Intelligence Committee, on Wednesday said the panel knew about Jared Kushner’s attendance of a June 2016 meeting with a Kremlin-connected lawyer as early as April.

    “This meeting was known because it was turned in in the background checks in April, actually, for Jared Kushner,” Lankford said on CNN. “So it was a known meeting at that point. Getting the emails and getting the details of that meeting was not known.”

    President Donald Trump on Wednesday told Reuters he “didn’t know” about his eldest son Donald Trump Jr.’s meeting with Russian lawyer Natalia Veselnitskaya “until a couple of days ago.”

    ———-

    “GOP Senator: Intel Committee Knew In April That Kushner Met Russian Lawyer” by Esme Cribb; Talking Points Memo; 07/12/2017

    ““This meeting was known because it was turned in in the background checks in April, actually, for Jared Kushner,” Lankford said on CNN. “So it was a known meeting at that point. Getting the emails and getting the details of that meeting was not known.””

    The June 9th meeting was known to the Senate Intelligence Committee since April, with Kushner being the source. And yet Donald Trump just came out and said he learned about this meeting “a couple of days ago”:


    President Donald Trump on Wednesday told Reuters he “didn’t know” about his eldest son Donald Trump Jr.’s meeting with Russian lawyer Natalia Veselnitskaya “until a couple of days ago.”

    We’re basically one revelation away from getting to the point where Trump is caught in a lie. And sure, he’s caught in lies all the time, but this would be a pretty big one. And while that June 9th meeting with the Russian lawyer doesn’t at all prove that the Trump team and Russian government were colluding to execute and disseminate the hacked Democratic emails, legally proving that case doesn’t really matter if the whole situation ends up making Trump simply look really, really guilty to the American public. And really, really sleazy.

    So in addition to questions over whether or not pushing Reince Priebus out of the White House and doing a major staff overhaul is going to be one of the survival tactics the Trump team uses to try to circle the wagons and prevent insider leaks, those questions are paired with growing questions over how much more patience the GOP ‘establishment’ is going to have for Trump in general while the GOP policy agenda continues to fizzle. Because if the broader GOP establishment decides it’s time for Trump to resign it sure doesn’t look like it’s going to be very difficult for that ‘establishment’ to whip up any one of a number of potential Trump mega-scandals to force such a resignation. And someone like Reince Priebus is in just the right position to facilitate such an operation.

    Just because you’re paranoid doesn’t mean they aren’t out to get you. Especially when the paranoia has been going on uninterrupted for months as the situation deteriorates and now everyone seems out to get everyone. That’s definitely an appropriate time for collective paranoia. Yuuuuuge paranoia.

    And since starting a war or creating some other massive disaster to distract from the administration’s woes is one of the default tools in the Trump team’s toolbox as their situation gets more and more desperate, everyone else should probably be a little paranoid too.

    Posted by Pterrafractyl | July 12, 2017, 11:19 pm
  2. Well, now we know how Peter W. Smith – the long-time financier of right-wing opposition research who talked about his efforts to put together a team that allegedly included Trump officials and was dedicated to finding hacked copies of Hillary Clinton’s emails – ended up dying just 10 days after he gave his interviews: Smith appears to have committed suicide due to health issues:

    The Chicago Tribune

    Peter W. Smith, GOP operative who sought Clinton’s emails from Russian hackers, committed suicide, records show

    Katherine Skiba, David Heinzmann and Todd Lighty
    July 13, 2017, 5:34 PM

    A Republican donor and operative from Chicago’s North Shore who said he had tried to obtain Hillary Clinton’s missing emails from Russian hackers killed himself in a Minnesota hotel room days after talking to The Wall Street Journal about his efforts, public records show.

    In a room at a Rochester hotel used almost exclusively by Mayo Clinic patients and relatives, Peter W. Smith, 81, left a carefully prepared file of documents, which includes a statement police called a suicide note in which he said he was in ill health and a life insurance policy was expiring.

    Days earlier, the financier from suburban Lake Forest gave an interview to the Journal about his quest, and it published stories about his efforts beginning in late June. The Journal also reported it had seen emails written by Smith showing his team considered retired Lt. Gen. Michael Flynn, then a top adviser to Republican Donald Trump’s campaign, as an ally. Flynn briefly was President Trump’s national security adviser and resigned after it was determined he had failed to disclose contacts with Russia.

    At the time, the newspaper reported Smith’s May 14 death came about 10 days after he granted the interview. Mystery shrouded how and where he had died, but the lead reporter on the stories said on a podcast he had no reason to believe the death was the result of foul play and that Smith likely had died of natural causes.

    However, the Chicago Tribune obtained a Minnesota state death record filed in Olmsted County that says Smith committed suicide in a hotel near the Mayo Clinic at 1:17 p.m. on Sunday, May 14. He was found with a bag over his head with a source of helium attached. A medical examiner’s report gives the same account, without specifying the time, and a report from Rochester police further details his suicide.

    In the note recovered by police, Smith apologized to authorities and said that “NO FOUL PLAY WHATSOEVER” was involved in his death. He wrote that he was taking his own life because of a “RECENT BAD TURN IN HEALTH SINCE JANUARY, 2017” and timing related “TO LIFE INSURANCE OF $5 MILLION EXPIRING.”

    One of Smith’s former employees told the Tribune he thought the elderly man had gone to the famed clinic to be treated for a heart condition. Mayo spokeswoman Ginger Plumbo said Thursday she could not confirm Smith had been a patient, citing medical privacy laws.

    The Journal stories said it was on Labor Day weekend in 2016 that Smith had assembled a team to acquire emails the team theorized might have been stolen from the private server Clinton had used while secretary of state. Smith’s focus was the more than 30,000 emails Clinton said she deleted because they related to personal matters. A huge cache of other Clinton emails were made public.

    Smith told the Journal he believed the missing emails might have been obtained by Russian hackers. He also said he thought the correspondence related to Clinton’s official duties. He told the Journal he worked independently and was not part of the Trump campaign. He also told the Journal he and his team found five groups of hackers — two of them Russian groups — who claimed to have Clinton’s missing emails.

    Smith had a history of doing opposition research, the formal term for unflattering information that political operatives dig up about rival candidates.

    For years, Democratic President Bill Clinton was Smith’s target. The wealthy businessman had a hand in exposing the “Troopergate” allegations about Bill Clinton’s sex life. And he discussed financing a probe of a 1969 trip Bill Clinton had taken while in college to the Soviet Union, according to Salon magazine.

    Investigations into any possible links between the Russian government and people associated with Trump’s presidential campaign now are underway in Congress and by former FBI chief Robert Mueller. He is acting as a special counsel for the Department of Justice. Mueller spokesman Peter Carr declined to comment on the Journal’s stories on Smith or his death. Washington attorney Robert Kelner, who represents Flynn, had no comment on Thursday.

    Smith’s death occurred at the Aspen Suites in Rochester, records show. They list the cause of death as “asphyxiation due to displacement of oxygen in confined space with helium.”

    Rochester Police Chief Roger Peterson on Wednesday called his manner of death “unusual,” but a funeral home worker said he’d seen it before.

    An employee with Rochester Cremation Services, the funeral home that responded to the hotel, said he helped remove Smith’s body from his room and recalled seeing a tank.

    The employee, who spoke on the condition he not be identified because of the sensitive nature of Smith’s death, described the tank as being similar in size to a propane tank on a gas grill. He did not recall seeing a bag that Smith would have placed over his head. He said the coroner and police were there and that he “didn’t do a lot of looking around.”

    “When I got there and saw the tank, I thought, ‘I’ve seen this before,’ and was able to put two and two together,” the employee said.

    An autopsy was conducted, according to the death record. The Southern Minnesota Regional Medical Examiner’s Office declined a Tribune request for the autopsy report and released limited information about Smith’s death.

    The Final Exit Network, a Florida-based nonprofit, provides information and support to people who suffer from a terminal illness and want to kill themselves.

    Fran Schindler, a volunteer with the group, noted that the best-selling book Final Exit, written by Derek Humphry in 1991 and revised several times since, explains in detail the helium gas method.

    “Many people obtain that information from his book,” Schindler said. “It’s a method that has been around for many years and is well known.”

    A private family memorial was planned, the obituary said. Friends posted online tributes to Smith after his death. One was from his former employee, Jonathan Safron, 26, who lives in Chicago’s Loop and worked for Smith for about two years.

    Safron, in an interview, said he was working for a tutoring firm when Smith became his client. His job entailed teaching Smith how to use a MacBook, Safron said. At the time Smith was living in a condominium atop the Four Seasons Hotel Chicago. Safron said Smith later employed him at Corporate Venture Alliances, a private investment firm that Smith ran, first out of the same condo and later from an office in the Hancock Building.

    Safron, who said he had a low-level job with the Illinois Republican Party in 2014, said he had no knowledge of Smith’s bid to find hackers who could locate emails missing from Clinton’s service as secretary of state. In his online tribute to his former employer, he called Smith the “best boss I could ever ask for … a mentor, friend and model human being.”

    Safron said he worked part-time for Smith, putting in about 15 hours a week. But the two grew close, often having lunch together at a favorite Smith spot: the Oak Tree Restaurant & Bakery Chicago on North Michigan Ave. He called Smith a serious man who was “upbeat,” “cosmopolitan” and “larger than life.” He was aware Smith was in declining health, saying the older man sometimes had difficulty breathing and told work colleagues he had heart problems. Weeks before he took his life, he had become fatigued walking down about four or five flights of stairs during a Hancock Building fire drill and later emailed Safron saying he was “dizzy,” he said.

    ———-

    “Peter W. Smith, GOP operative who sought Clinton’s emails from Russian hackers, committed suicide, records show” by Katherine Skiba, David Heinzmann and Todd Lighty; The Chicago Tribune; 07/13/2017

    “However, the Chicago Tribune obtained a Minnesota state death record filed in Olmsted County that says Smith committed suicide in a hotel near the Mayo Clinic at 1:17 p.m. on Sunday, May 14. He was found with a bag over his head with a source of helium attached. A medical examiner’s report gives the same account, without specifying the time, and a report from Rochester police further details his suicide.”

    Despite the blockbuster nature of the interviews Smith gave, the fact that he was 81 years old precluded any sort of mysteriousness about the guy’s death just days after giving those interviews to the Wall Street Journal. Death happens. And to Smith’s credit, that was one hell of a parting shot, although given the explosive nature of his story it’s still unclear who he was aiming for with that parting shot.

    Fortunately, Politico just put out an article with some highly significant information about Smith’s operation that gives us a hint about why Smith chose to give the interview at that point in time. The article is about the ‘Alt-Right’ network Smith’s operation teamed up with in their quest to find Hillary’s emails. Specifically, Charles C. Johnson, the far-right troll who runs the GotNews website and one of his partners. But that’s not all. Smith also reportedly reached out to “Guccifer 2.0”, the hacker persona who represents the public face of whoever did the DNC hacks, and Guccifer told Smith to contact a “White nationalist hacker in Ukraine”, which is almost certainly a reference to Andrew “the weev” Auernheimer who already is suspected of carrying out the “Macron hacks” and trying to make it look like Russia did it.

    Not only that, but Johnson explicitly told Smith to contact Auernheimer too. Johnson also notes how he actually worked with Auernheimer in the past and talks about how there’s a hidden network of right-wing opposition researchers that he’s in contact with and he let them know about Smith’s efforts. Don’t forget that one of the reasons Auernheimer is suspected of the Macron hacks is due to the fact that the hacked documents first showed up anonymously on 4chan and people started leaving comments like “Weev… you’re doing the lord’s work”. So that’s a pretty big revelation.

    Of course, this is all based on the accounts of people like Charles Johnson, so it has to be taken with a grain of salt. But as we’ve seen with the recent highly self-incriminating email dump by Donald Trump, Jr., as the investigations into the 2016 hackings unfolded there might be situations where the key players decide to get ahead of the news by spilling what they know. Especially if they think the news is about to come out anyway from a different source. And that brings us to the clue left in the Politico article about why Smith may have chosen to give that interview when he did. First, note the comments from Jonathan Safron, Smith’s young assistant, in the above article where Safron states how he knew nothing about Smith’s attempts to track down Hillary’s emails:


    Safron, who said he had a low-level job with the Illinois Republican Party in 2014, said he had no knowledge of Smith’s bid to find hackers who could locate emails missing from Clinton’s service as secretary of state. In his online tribute to his former employer, he called Smith the “best boss I could ever ask for … a mentor, friend and model human being.”

    Well, Safron is interviewed in the Politico article as well. And in that article Safron talks about how he wasn’t involved in Smith’s efforts but he was copied on the emails. And it was Safron’s discovery that Shane Harris, the Wall Street Journal journalist who did the interview with Smith, was viewing Safron’s LinkedIn profile (you can see who views your profile on LinkedIn, which seems like a horrible feature, but oh well). It was after Safron told Smith about this that Smith granted Harris the interview, suggesting that Smith was willing to talk simply to get ahead of a huge story that he was at the center of and suspected a journalist was now discovering.

    As we can see, it’s a pretty important article in terms of understanding what Smith, and potentially the Trump team, was up to and why Smith may have decided to grant the interview in the first place. And it’s a YUUUGE article if it’s true that “Guccifer 2.0” AND directed Smith towards “the weev”:

    Politico

    GOP Researcher Who Sought Clinton Emails Had Alt-Right Help

    Peter Smith’s quixotic effort to obtain Hillary Clinton’s deleted emails from Russian hackers got a boost from a pro-Trump activist with White House ties.

    By Ben Schreckinger

    July 11, 2017

    The saga of Peter Smith’s quest to obtain 33,000 emails deleted by Hillary Clinton—an effort now at the center of intrigue swirling around the Donald Trump campaign’s ties to Russia—keeps getting weirder.

    In his Hail Mary bid to tip the election to Trump, the Republican private equity executive enlisted two controversial alt-right activists to help him understand the workings of the internet and make contacts in Trump’s orbit, according to interviews with those involved and emails obtained by Politico.

    The activists, the journalist-turned-entrepreneur Charles Johnson and his former business partner Pax Dickinson, agreed to help Smith’s quixotic mission, which failed to track down copies of Clinton’s emails. Johnson is a polarizing figure who was banned from Twitter in 2015 after promoting an effort to “take out” a Black Lives Matter activist but maintains ties to White House officials. Smith also reached out to “Guccifer 2.0”—an alias the U.S. intelligence community has linked to Russian state hackers—and was advised to seek the help of a white nationalist hacker who lives in Ukraine.

    Smith’s doomed effort, which brought him into contact with hackers he believed were tied to the Kremlin and was first reported last month by the Wall Street Journal, has emerged as a topic of intense interest as investigators probe ties between the Trump campaign and Russia. Understanding Smith’s relationships could hold the key to the question of whether or not Trump’s campaign colluded with the Kremlin: Federal investigators are probing an apparent attempt by Russian government hackers to obtain the deleted emails and provide them to former national security adviser Michael Flynn through a third party, the Journal also reported. The paper was unable to identify the Russians’ intended intermediary but suggested it may have been Smith, who had boasted of his ties to Flynn.

    The new details of Smith’s operation, which were shared with Politico Magazine by Johnson and others, paint a picture of a determined but ill-equipped activist casting about far and wide in a frantic but ultimately futile quest to get ahold of Clinton’s deleted emails and publish them ahead of Election Day. As the ailing octogenarian was dealing with sophisticated hackers and navigating the darkest corners of the internet, for instance, he was being tutored in the use of basic computer technology.

    The details also illustrate the daunting task before investigators should they seek to examine the wide-ranging cast of colorful contacts Smith enlisted in his effort and the sometimes blurry lines between Trump’s lean, unorthodox campaign and the outside activists working to help it.

    In a recruiting document used for the effort, Smith—who died in May at age 81—listed the names of several senior Trump aides, including Flynn, former Breitbart chairman Steve Bannon, Kellyanne Conway and campaign chairman Sam Clovis, the Journal reported.

    Jonathan Safron, a former assistant to Smith in Chicago, said that Smith also spoke to him of knowing Clovis, who was a well-known conservative activist in nearby Iowa before becoming co-chairman of Trump’s campaign, and that he had seen Smith email Clovis about matters unrelated to Clinton’s emails. Safron said he does not know whether Clovis, who did not respond to requests for comment, ever replied.

    ***

    Smith, a former chairman of the College Republicans, had been pursuing freelance political adventures for years. In the 1990s, he was a chief promoter of stories damaging to Bill Clinton, working in the same small circle as Conway’s husband, George, to air allegations of sexual misconduct against the then-president, according to a 1999 Newsweek article.

    Johnson, a former Breitbart reporter, said he first encountered the Chicagoan around 2013 when the two collaborated on opposition research about Barack Obama.

    In the fall of 2015, Smith promoted Illinois Rep. Peter Roskam’s ambitions to succeed John Boehner as speaker of the House, and Johnson helped to sideline one of Roskam’s potential rivals for the position, Majority Leader Kevin McCarthy.

    Ironically, some of Smith’s emails related to the speaker’s race were released in a dump by D.C. Leaks, an outlet that, according to cybersecurity experts, was established to publish emails stolen by Russian hackers. In one leaked email from October 8, 2015, Smith wrote to Illinois’ Republican National Committeeman Rich Porter that he had just discussed the speaker’s race with Breitbart reporter Matt Boyle, now the outlet’s Washington bureau chief.

    In another leaked email, Smith forwarded a link to a story from GotNews, a website founded by Johnson, accusing McCarthy of carrying on an affair with North Carolina Rep. Renee Ellmers. The leak also includes an email in which Johnson provided Smith with Boyle’s contact information. Boyle and others at Breitbart aggressively covered the alleged affair, and McCarthy withdrew from the speaker’s race. (Boyle referred questions to Breitbart spokesman Chad Wilkinson, who declined to comment. Porter—who worked with Smith and George Conway to promote Clinton sex scandals back in the ’90s—did not respond to requests for comment.)

    Johnson said he and Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

    Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

    “The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

    Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

    At the same time Johnson was working with Smith, he was promoting other initiatives aimed at electing Trump. In October, Johnson’s crowdfunding website, WeSearchr, raised $10,000 to send Kathy Shelton—an Arkansas woman who was raped in 1975 by a man who was represented at trial by a young Hillary Clinton—to the second presidential debate in St. Louis. In the hours before the debate, Trump hosted a news conference with Shelton and women who had accused Bill Clinton of sexual assault, and at the debate Trump’s campaign attempted to seat the women in the section reserved for the candidate’s family.

    Safron, who worked as an assistant to Smith at the time, said that Johnson—who met with Smith in Chicago before Smith died—had been seeking investment capital from Smith for WeSearchr. Johnson said he discussed an investment with Smith but that he “didn’t need or want his capital.”

    Smith also reached out to Matt Tait, a cybersecurity expert and former UK intelligence official, who served as a source for the Journal’s reporting. Tait recounted his conversations with the Republican activist in a recent blog post for the legal affairs website Lawfare, writing that Smith wanted help vetting a “dark web” contact who claimed to be in possession of Clinton’s missing emails. According to Tait, Smith seemed unconcerned about the possibility that by helping publish such emails, he could be aiding a Russian intelligence operation. Tait declined to comment for this article, saying he has recently been contacted “by a number of congressional and other investigators.”

    In an email chain from October obtained by Politico, Smith sought the advice of a tech-savvy business associate about concerns that WikiLeaks had been attacked by hackers. In the email, the associate, Royal O’Brien, a Jacksonville-based programmer Smith described as a dark web expert, advised Smith about the use of PGP keys for encryption and opined that anyone who launched an attack on WikiLeaks would likely face stiff blowback from the group’s web-savvy supporters.

    According to the Journal, Smith had been advising hacking groups claiming to have Clinton’s emails to turn them over to WikiLeaks. The next month, Smith asserted on his personal blog that “WikiLeaks has reported that they received the Clinton emails nine months ago, but have not released them. These emails were widely available.” It is not clear what led Smith to assert that WikiLeaks possessed the missing emails.

    “WikiLeaks does not keep newsworthy information from the public,” said a representative of the group in response to a question about Smith’s assertion. “Publication timing is influenced by workload, research, presentation and verification requirements as well as intensity of public interest.” The group declined to say whether it had contact with Smith, citing a policy of not disclosing its sources.

    O’Brien confirmed that Smith sought his advice on technical matters from time to time, including on the feasibility of obtaining Clinton’s deleted emails. “I told him that if they have access to the original hardware, anything is accessible,” O’Brien recounted. “That’s basic forensics.”

    Also copied on the October email chain is Dickinson, an alt-right activist who was Johnson’s partner at WeSearchr until the pair had a falling out this May. Dickinson said he participated in Smith’s efforts to obtain Clinton’s emails but declined to discuss the matter further, citing a distaste for reporters and “fake news.” Instead, Dickinson, who lost his job as the chief technology officer at Business Insider in 2013 over offensive social media posts and recently launched an alt-right crowd-funding platform called Counter.Fund that is governed by a “High Council” and a “House of Lords,” said he intended to share his story with the conspiracy theorist Alex Jones.

    ***

    At the same time Smith was learning to navigate the deepest reaches of the web, he was also struggling to overcome failing health and to master more rudimentary technology.

    Safron, who graduated from college in 2013 and has also done work for the Illinois Republican Party, said he had been hired by Smith through a tutoring service in 2015 for help using computers. Safron said he taught Smith, who had trouble typing, to use dictation software, and that he helped the aging executive make connections on the professional networking website LinkedIn. Safron said that he was not actively involved in Smith’s election-related efforts, though he was copied on emails related to those efforts.

    Johnson, O’Brien and Safron all said they have not heard from government investigators about the matter.

    Safron said that he noticed that Journal reporter Shane Harris had viewed his LinkedIn profile this spring and that he notified Smith, who granted Harris an interview in May, 10 days before he died. Neither his family nor local officials have revealed the cause of Smith’s death, but Safron said he had noticed his boss’ health waning in his final months.

    Safron’s social media profiles still link to an old Twitter handle, @JSaf17. Safron said he deleted the account several years ago. But in March, the handle was reused to create a new account, which has tweeted only once—in Russian.

    ———-

    “GOP Researcher Who Sought Clinton Emails Had Alt-Right Help” by Ben Schreckinger; Politico; 07/11/2017

    “The activists, the journalist-turned-entrepreneur Charles Johnson and his former business partner Pax Dickinson, agreed to help Smith’s quixotic mission, which failed to track down copies of Clinton’s emails. Johnson is a polarizing figure who was banned from Twitter in 2015 after promoting an effort to “take out” a Black Lives Matter activist but maintains ties to White House officials. Smith also reached out to “Guccifer 2.0”—an alias the U.S. intelligence community has linked to Russian state hackers—and was advised to seek the help of a white nationalist hacker who lives in Ukraine.”

    “Seek the help of a white nationalist hacker who lives in Ukraine.” That’s the advice “Guccifer 2.0” apparently gave to Smith and unless there’s another prominent white nationalist hacker in Ukraine that he was referring to that was almost certainly a reference to Andrew Auernheimer. Especially since that’s the explicit advice Charles Johnson also gave to Smith:


    Johnson said he and Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

    Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

    “The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

    Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

    Yep, Johnson and Auernheimer are indeed past collaborators. And it wasn’t that long ago either. Back in October 2015, Johnson and Auernheimer released on the internet videos taken by a right-wing ‘journalist’, David Daleiden, of Planned Parenthood employees that were under a temporary court restraining order. Auernheimer claimed at the time that he was in Macedonia – and implied he was under the protection of “local militias” should US authorities try to extradite him – and also talked about being a big fan of Charles Johnson (that’s right, Auernheimer claims he was in Macedonia as of the fall of 2015…recall how Macedonia somehow became the epicenter of a pro-Trump ‘fake news’ operation).

    So we already have very strong evidence that Auernheimer was behind the Macron hacks, which were also spear-phishing hacks like the DNC/Podesta hacks, and we know Auernheimer filled those Macron documents with “Russian” fingerprints. And now we learn that Chuck Johnson AND “Guccifer 2.0” both advised Smith to contract Auernheimer. And while Johnson’s friendship with Auernheimer would make him a likely hacker that Johnson might recommend to Smith, keep in mind that the Macron hacks hadn’t taken place at this point so it’s not like Auernheimer would be an obvious person that “Guccifer 2.0” might recommend.

    And then, finally, we learn from Jonathan Safron why Peter Smith may have chosen that particular time to give this explosive interview:


    Safron, who graduated from college in 2013 and has also done work for the Illinois Republican Party, said he had been hired by Smith through a tutoring service in 2015 for help using computers. Safron said he taught Smith, who had trouble typing, to use dictation software, and that he helped the aging executive make connections on the professional networking website LinkedIn. Safron said that he was not actively involved in Smith’s election-related efforts, though he was copied on emails related to those efforts.

    Johnson, O’Brien and Safron all said they have not heard from government investigators about the matter.

    Safron said that he noticed that Journal reporter Shane Harris had viewed his LinkedIn profile this spring and that he notified Smith, who granted Harris an interview in May, 10 days before he died. Neither his family nor local officials have revealed the cause of Smith’s death, but Safron said he had noticed his boss’ health waning in his final months.

    And then there’s this very strange twist at the end:


    Safron’s social media profiles still link to an old Twitter handle, @JSaf17. Safron said he deleted the account several years ago. But in March, the handle was reused to create a new account, which has tweeted only once—in Russian.

    That’s some odd signaling from Safron. But overall it looks like Peter Smith may have revealed this operation for the simple reason that he was pretty sure it was going to be revealed anyway. Why not get out ahead of the story in that situation, which is exactly what he did…without ever mentioning Auernheimer, Chuck Johnson, or a lot of other highly relevant details.

    All in all, while Smith’s age and failing health certainly make a health-based suicide plausible, it’s hard to ignore the possibility that maybe it wasn’t simply failing health and a last opportunity to share his rather amazing story with the world before he died. Smith may have done that interview because he had to in order to get ahead of the story that he feared was coming out anyway. And then killed himself 10 days later. So, you know, maybe Smith’s decision to do that interview and then make a ‘final exit’ wasn’t just about failing health.

    Posted by Pterrafractyl | July 13, 2017, 6:46 pm
  3. With the number of figures from the Russian delegation growing by the day as we learn more about who attended the June 9th meeting between the Trump campaign and a delegation of Russian lobbyists – Rinat Russian American lobbyist, there was a piece at TPM that highlighted a potentially significant fact that could possibly explain the ‘keystone spies’ nature of that meeting: The June 3rd email from Rob Goldstone to Donald Trump Jr. came just one day after Hillary Clinton gave a notable speech charging Donald Trump with being overly cozy with Vladimir Putin. One day.

    So when you consider how the comically over-the-top nature of Goldstone’s email strikes many as a Russian government casual fishing expedition to just test the waters and see if the Trump campaign would be open to Russian government help, keep in mind that one possible reason for that over-the-top language could have been to simply send a signal to the Trump campaign “Hey, the Russian government likes you…if the Clintons start making a big deal about your ties to Russia just keep in mind that we totally like you way more than her. Be nice.” And it would have been a signal sent even had the Trump campaign done what it should have done and blown off the over-the-top invitation.

    Another possibility is that the Kremlin also has kompromat on Trump – seems extremely possible – and the purpose of the email was also intended to remind Trump of that, but in a very indirect way. A signal like, “hey, we got dirt on you, don’t let Hillary force you into an anti-Russian stance”. And it’s also possible that Goldstone’s email was intended to both be friendly and a warning.

    In other words, the purpose of Goldstone’s initial email could have simply been to send a signal of “we like you guys, please be nice and don’t go all anti-Russian to fend off Hillary’s criticisms (and you’ll regret it if you do)” that was intended to be so over-the-top that the Trump campaign would have the good sense of not taking them up on their offer. That way, the Trump campaign and Russian government wouldn’t find themselves in exactly the situation they find themselves in today. But then the Trump campaign took them up on their over-the-top offer and the meeting had to happen.

    Don’t forget, if we assume the Russian lobbyists really were representing the Kremlin, by arranging for this meeting and actually going through with it the Russian government was taking a pretty big risk. There was no guarantee that the meeting wouldn’t have been exposed somehow during the campaign, which could have inflicted massive damage to Trump’s chances. And as the following TPM piece points out, the June 9th meeting took place just days before “Guccifer 2.0” started talking to the world and just a day after the DCLeaks website that Guccifer 2.0 used to disseminate the hacked materials made its first tweet to the world. So if the Russian government really was behind “Guccifer 2.0”, that June 9th meeting, it was engaging in remarkably risky behavior that was putting the chances of a Trump victory significantly at risk. What if US intelligence agencies were tracking the movements of Natalia Veselnitskaya? Or Rinat Akhmetshin, the Russian American lobbyist suspected of GRU ties who we recently learned also attended the meeting? Having suspected Russian intelligence cut outs meeting with the Kremlin’s preferred candidate’s top campaign staff at Trump Tower days before your hacker persona starts talking to the world (while leaving all sorts of hints of being a Russian) is some pretty cavalier spycraft. At the same time, if this whole meeting emerged from an email that was intended to send a signal, but also intended to be rebuffed, the June 9th meeting sort of makes sense as something the Kremlin would have wanted to avoid but couldn’t avoid because the Trump campaign was too venal and corrupt to do the sane thing and just accept the friendly signal:

    Talking Points Memo
    Muckraker

    Don Jr. Meeting Came At A Seminal Moment In Russian Interference Story

    By Allegra Kirkland
    Published July 14, 2017 4:43 pm

    President Donald Trump and his team are casting it as absurdly conspiratorial to suggest there was anything odd about his oldest son accepting a meeting with a Kremlin-linked lawyer last June, noting that Russia was not a major campaign issue at the time.

    But a close look at the timeline suggests that Donald Trump, Jr. took a meeting billed as an opportunity to learn information obtained as “part of Russia and its government’s support for Mr. Trump” at a moment when his father was taking heat from his opponent for his sunny view of Russian President Vladimir Putin, and shortly before the Kremlin’s disinformation and targeted leaking campaign against the Democrats began in earnest.

    “You have to understand, when that took place, this was before Russia fever,” Trump told Reuters on Wednesday. “There was no Russia fever back then, that was at the beginning of the campaign, more or less.”

    Trump Jr. took a similar tack on Tuesday when he took the surprise step of releasing the email chain leading up to his June 2016 meeting with a woman described to him as a “Russian government lawyer” who was said to have “information that would incriminate Hillary” Clinton. “To put this in context, this occurred before the current Russian fever was in vogue,” Trump Jr. said in a statement accompanying the email release.

    This version of events does not tell the whole story. The campaign had already been underway for a year, and the news was full of articles about Trump’s “bromance” with Putin prior to the Trump Tower meeting between Trump Jr., his brother-in-law Jared Kushner, then-campaign chairman Paul Manafort, Russian lawyer Natalia Veselnitskaya, and lobbyist Rinat Akhmetshin. Headlines declared that Putin had ordered state-owned U.S. media outlets like RT to promote Trump’s candidacy and tear down Clinton’s, and questions swirled about Trump advisers’ business connections in Russia.

    On June 2, 2016 Clinton gave her first major speech on national security—in effect, a speech about Trump. The presumptive Democratic nominee repeatedly invoked Trump’s bond with Russia’s leader, accusing him of praising “dictators like Vladimir Putin” and having a “bizarre fascination with dictators and strongmen who have no love for America.”

    “He said if he were grading Vladimir Putin as a leader, he’d give him an A,” Clinton told the San Diego, California crowd of Trump, warning that such an unsavvy stance would allow a leader like Putin to “eat your lunch.”

    The very next day, Rob Goldstone, a British publicist and family friend of the Trumps, first contacted Trump Jr. about the “very interesting” information a client of his had on Clinton.

    While Goldstone and Trump Jr. worked out the details of the meeting in a series of back-and-forth emails, then-candidate Trump hinted at a June 7 campaign rally that he would soon give a “major speech” about Clinton.

    “I am going to give a major speech on probably Monday of next week, and we’re going to be discussing all of the things that have taken place with the Clintons,” Trump said at the time, promising information on their “corrupt dealings” to give “favorable treatment” to “the Russians” and other foreign governments. “I think you’re going to find it very informative and very, very interesting.”

    At the same time, the apparatus for publishing stolen emails and documents involving Democratic Party leaders and operatives—later determined to have been hacked by Russian operatives—was being put into place. On June 8, DC Leaks, a site established to publish some of the stolen documents, posted its first tweet.

    The Trump Tower meeting between Trump Jr., the campaign associates and the Russians came on June 9; both sides have said it was inconsequential, with Trump Jr. insisting he did not receive the damaging information he came for and the Russian participants claiming the conversation focused only on a defunct program enabling the adoption of Russian children by Americans.

    WikiLeaks founder Julian Assange, a longtime Clinton critic, hinted in a June 12 interview that his site had a “very big year ahead,” promising the imminent release of emails “related to Hillary Clinton.”

    Those emails wouldn’t drop until just before the Democratic National Convention in late July, but the public learned about the DNC breach at around this time via a June 14 Washington Post article that attributed it to hackers working on behalf of the Russian government. “Guccifer 2.0,” later determined by computer experts and U.S. officials to be a persona invented by Russian intelligence officials, began contacting U.S. news sites to claim credit for the hack and to offer stolen Democratic Party documents.

    Putin praised Trump as a “bright” person at the Russian Economic Forum in St. Petersburg on June 17.

    Amid this background and other major news events, Trump delayed his promised “major speech” on Clinton. After postponing it to account for the mass shooting at Pulse, a gay nightclub in Orlando, Florida, Trump promised in a June 21 tweet that a “big speech” about Clinton would come the next day.

    From a stage in New York, Trump held forth about Clinton’s handling of the Benghazi attacks, her support for free trade and her “temperament.” None of these criticisms were new, but Trump added what would later seem a prescient warning: emails Clinton deleted from her private server could make her vulnerable to “blackmail” from countries hostile to the United States, he said.

    As Trump cautioned, “We can’t hand over our government to someone whose deepest, darkest secrets may be in the hands of our enemies.”

    ———-

    “Don Jr. Meeting Came At A Seminal Moment In Russian Interference Story” by Allegra Kirkland; Talking Points Memo; 07/14/2017

    “But a close look at the timeline suggests that Donald Trump, Jr. took a meeting billed as an opportunity to learn information obtained as “part of Russia and its government’s support for Mr. Trump” at a moment when his father was taking heat from his opponent for his sunny view of Russian President Vladimir Putin, and shortly before the Kremlin’s disinformation and targeted leaking campaign against the Democrats began in earnest.”

    The timing is rather remarkable:


    On June 2, 2016 Clinton gave her first major speech on national security—in effect, a speech about Trump. The presumptive Democratic nominee repeatedly invoked Trump’s bond with Russia’s leader, accusing him of praising “dictators like Vladimir Putin” and having a “bizarre fascination with dictators and strongmen who have no love for America.”

    “He said if he were grading Vladimir Putin as a leader, he’d give him an A,” Clinton told the San Diego, California crowd of Trump, warning that such an unsavvy stance would allow a leader like Putin to “eat your lunch.”

    The very next day, Rob Goldstone, a British publicist and family friend of the Trumps, first contacted Trump Jr. about the “very interesting” information a client of his had on Clinton.

    And then, in the following days, we get Trump hinting at a big speech that will charge Hillary with having questionable ties to the Kremlin. The next day, DCLeaks makes its first tweet to the world, and the next day there’s the now notorious June 9th meeting:


    While Goldstone and Trump Jr. worked out the details of the meeting in a series of back-and-forth emails, then-candidate Trump hinted at a June 7 campaign rally that he would soon give a “major speech” about Clinton.

    “I am going to give a major speech on probably Monday of next week, and we’re going to be discussing all of the things that have taken place with the Clintons,” Trump said at the time, promising information on their “corrupt dealings” to give “favorable treatment” to “the Russians” and other foreign governments. “I think you’re going to find it very informative and very, very interesting.”

    At the same time, the apparatus for publishing stolen emails and documents involving Democratic Party leaders and operatives—later determined to have been hacked by Russian operatives—was being put into place. On June 8, DC Leaks, a site established to publish some of the stolen documents, posted its first tweet.

    The Trump Tower meeting between Trump Jr., the campaign associates and the Russians came on June 9; both sides have said it was inconsequential, with Trump Jr. insisting he did not receive the damaging information he came for and the Russian participants claiming the conversation focused only on a defunct program enabling the adoption of Russian children by Americans.

    And keep in mind that when Trump finally gave that speech about Hillary, he didn’t have anything new. It was an actual “nothingburger”.

    And, intriguingly, according to Sam Biddle, one of the first journalists Guccifer 2.0 reached out to days after that June 9th meeting, Guccifer 2.0 was pitching all sorts of different documents to Biddle from the giant cache of not-yet-released hacked emails. And none of the stories Guccifer 2.0 pitched to Biddle had anything to do with the “Hillary is getting dirty money from Russian oligarchs” information that Goldstone and Veselnitskaya were pitching to Trump, Jr.:

    The Intercept

    Just Six Days After Trump Jr.’s Meeting, Guccifer 2.0 Emailed Me — But There Was One Key Difference

    Sam Biddle
    July 14 2017, 12:44 p.m.

    After 39 years of operating without an apparent conceptual understanding of “consequences,” this week Donald Trump Jr. tweeted out an email thread admitting to soliciting the help of the Russian government in order to damage Hillary Clinton and aid the family campaign. The emails are astounding for more than a few reasons, particularly because of what came next.

    On June 3, British music publicist Rob Goldstone contacted Donald Jr. with an explicit offer: “Official documents and information that would incriminate Hillary and her dealings with Russia.” In case Donald Jr. was slow on the uptake, Goldstone made sure to spell out exactly what was happening. “This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump,” he offered, as if he were writing his email to make the work of future investigators simpler. Thus begun an extremely busy couple of weeks. On June 7, as Philip Bump at the Washington Post points out, the elder Trump “pledged that he’d give a major speech the following Monday, June 13, ‘discussing all of the things that have taken place with the Clintons.’” On June 9, a meeting between Donald Jr., two other members of the Trump campaign, and Russian attorney Natalia Veselnitskaya took place in New York, on the basis of the aforementioned “official documents.” The AP also reports that Russian-American lobbyist Rinat Akhmetshin was present at the meeting, and claims “Veselnitskaya brought with her a plastic folder with printed-out documents that detailed what she believed was the flow of illicit funds to the Democratic National Committee.”

    Donald Jr. now says the meeting was a dud, and Veselnitskaya didn’t have the goods, but it was interesting enough that all of the participants conveniently forget to mention it at any point since then.

    Just six days after the Trump/Veselnitskaya meeting, and 12 days after the initial contact by Goldstone, while working as a reporter for Gawker, I received an email tip, including official strategy and financial documents from the Democratic Party:
    [see screenshot of email Guccifer 2.0 sent to Biddle]

    This timing is interesting for two reasons. The extreme proximity of promised Hillary-related documents and the arrival of Hillary-related documents just days later suggests Guccifer 2.0 could have been part of the plan Goldstone alluded to over email. But secondly, although the documents were surely “official” in that they originated from within the Democratic Party, no one ever found anything in them that could be considered “information that would incriminate Hillary and her dealings with Russia.” It doesn’t appear that any of the documents released by Guccifer, whether in private to reporters like myself or on the web, pertained to or referenced whatsoever any “dealings” between Clinton and Russia. Guccifer was very eager to “pitch” documents to me that he believed would be particularly damaging or newsworthy (virtually none of them were), so it stands to reason that he would have pushed the Russia/DNC angle were he in possession of documents along those lines. Guccifer mentioned Russia only a couple of times, first to deny to me that he was Russian, and secondly that “maybe russians were among” those who had hacked the DNC. So there’s nothing directly tying the contents of the Guccifer emails I (and reporters at other outlets) received to the contents Trump Jr. et al. were promised in this week’s explosive email thread.

    This leaves a lot of possibilities, unfortunately, and chalking the whole thing up to nothing more than giant coincidence feels strange and unwise. Of course, a campaign takes place in a compressed time frame — though, mercilessly, not compressed enough — so the likelihood of events coinciding in time is heightened. It’s possible that a British music publicist wasn’t exactly plugged in to the alleged activities of Russian military intelligence and got the nitty gritty wrong in his email to Trump Jr. It’s possible the offer emailed to Trump Jr. was just a means of testing how receptive he was to the idea of state-sponsored opposition research (very). It’s possible these people are all smarter than they look, and deliberately did not refer to the actual nature of the hacked documents in writing. It’s possible Goldstone and company were entirely separate from Guccifer, a second, discrete branch of campaign dirt-digging. It’s possible these are coincidences — if so, it would behoove Trumps old and young to explain why the most notorious hacker persona of the modern age started shopping around Hillary-related documents less than a week after similar documents were promised to the campaign.

    ———-

    “Just Six Days After Trump Jr.’s Meeting, Guccifer 2.0 Emailed Me — But There Was One Key Difference” by Sam Biddle; The Intercept; 07/14/2017

    “This timing is interesting for two reasons. The extreme proximity of promised Hillary-related documents and the arrival of Hillary-related documents just days later suggests Guccifer 2.0 could have been part of the plan Goldstone alluded to over email. But secondly, although the documents were surely “official” in that they originated from within the Democratic Party, no one ever found anything in them that could be considered “information that would incriminate Hillary and her dealings with Russia.” It doesn’t appear that any of the documents released by Guccifer, whether in private to reporters like myself or on the web, pertained to or referenced whatsoever any “dealings” between Clinton and Russia. Guccifer was very eager to “pitch” documents to me that he believed would be particularly damaging or newsworthy (virtually none of them were), so it stands to reason that he would have pushed the Russia/DNC angle were he in possession of documents along those lines. Guccifer mentioned Russia only a couple of times, first to deny to me that he was Russian, and secondly that “maybe russians were among” those who had hacked the DNC. So there’s nothing directly tying the contents of the Guccifer emails I (and reporters at other outlets) received to the contents Trump Jr. et al. were promised in this week’s explosive email thread.”

    So let’s just summarize some key facts here:
    1. Rob Goldstone sent the stunningly worded June 3rd email about the Russian government wanting to help the Trump campaign by handing over information on Hillary and dirty Russian money flows.
    2. Donald Trump gives a June 7th speech that hints at dirty info on Hillary Clinton and Russia.
    3. They have the June 9th meeting that the Goldstone emails suggest was supposed to yield information of that nature. Information that’s never come to light.
    4. 6 days after that meeting, Guccifer 2.0 is reaching out to journalists, pitching all sorts of stories from the hacked emails. But nothing tying Clinton to Russia.

    So given the widely held suspicions that this whole meeting was set up for the purpose of privately hammering out the details of how the Russian government and the Trump campaign were going to collude in disseminating the hacked DNC emails, if that scenario is true it would appear that the opening email Goldstone sent to Trump, Jr. has the strange juxtaposition of being extremely forthright about the Russian government wanting to help the Trump campaign by providing dirty info on Hillary while also completely misleading the Trump team about the nature of the info that was being provided.

    On the one hand, it makes a lot of sense that Goldstone wouldn’t divulge the nature of alleged dirty info in an email. But on the other hand, it makes very little sense that he would have been so open about “the Russian government wants to help you” if the Russian government was days away from unleashing “Guccifer 2.0” on the world. It’s just an incredible risk and one that would hand the Trump campaign. After all, whoever is behind “Guccifer 2.0” couldn’t have known in advance that all the “I’m Russian!” fingerprints would succeed in convincing most of the US public that the hacker was Russian. What if there was strong suspicion the Trump campaign was behind the hack and that became part of the media narrative that the Trump campaign had to deal with? The Russian government would have preemptively handed the Trump campaign an email that would have been incredibly useful for directing those suspicions back towards the Kremlin with Goldstone’s initial email. If the Kremlin was behind “Guccifer 2.0” and the June 9th meeting was actually a front for a Trump campaign-Kremlin meeting and the Kremlin was planning on unveiling “Guccifer 2.0” soon, that June 3rd Goldstone email is almost like a prearranged “get out of jail free” card for the Trump team in case it got any heat over the upcoming “Guccifer 2.0” campaign. But then Trump, Jr. totally screwed it up by not replying “Thanks, but no thanks! That would be wrong of us!” Of course, that’s assuming the Russian government would be totally cool about accepting the blame for such an inflammatory hacking operation.
Of course, if we assume that this hacking operation was the Russian government all along and we assume that “Guccifer 2.0” and original hackers weren’t just completely incompetent operatives and left all those “I’m a Russian!” digital fingerprints by mistake, we would also have to be open to the idea that the Russian government would have intentionally handed the Trump campaign a “get out of jail free” card…that Trump, Jr. totally screwed up.

    Also keep in mind that if the Trump campaign itself was “Guccifer 2.0” or had already received the hacked documents from “Guccifer 2.0” (perhaps from “the weev?”), the question of how to disseminate the hacked materials without making the Trump team suspects would have been looming large on the minds of the Trump team’s leadership. And that email from Goldstone may have been exactly what the Trump team would have needed in that situation: evidence that could be used to direct culpability back towards the Kremlin. It could explain both the incredible overlap in the timing of the emergence of “Guccifer 2.0” as well as all the implausibly stupid “I’m a Russian” ‘mistakes’ that “Guccifer 2.0” made that pointed towards being a Kremlin hacker. ‘Mistakes’ that didn’t just include signing the hacked documents with the name of a Soviet spy chief in Cyrillic characters but also the strange way Guccifer talked. Don’t forget, while “Guccifer 2.0” claimed to be Romanian, sometimes they wrote with mistakes that seemed kind of Russian/Eastern European-ish and sometimes in perfect English. And while this has often been interpreted as being a ‘mistake’ by sophisticated Russian intelligence agencies, for some reason the idea that “Guccifer 2.0” was a native English speaker trying to seem Russian never seemed to get serious consideration:

    Vice Motherboard

    Why Does DNC Hacker ‘Guccifer 2.0’ Talk Like This?

    Lorenzo Franceschi-Bicchierai
    Jun 23 2016, 12:10pm

    Despite the hacker’s confusing claims and denials about his origin, his own words might have betrayed his real origins.

    A week after a hacker going by the name of ‘Guccifer 2.0’ claimed responsibility for the hack on the Democratic National Committee, the mysterious individual spoke publicly for the first time. Guccifer 2.0 called himself a “hacker, manager, philosopher, women lover.” And of course, someone who likes Gucci.

    “I bring the light to people,” he added in an online chat with Motherboard. “I’m a freedom fighter!”

    More importantly, the hacker also denied being Russian and working for the Russian government, as many suspect he is. Just like the original Guccifer, whose handle and fame inspired his, Guccifer 2.0 claimed to be Romanian. But a linguistic analysis of his messages in Romanian, as well as his oftentimes broken English, might reveal more about his real origins than his claims.

    When he first appeared online last week, Guccifer 2.0 derided security firm CrowdStrike for pointing the finger at Russia, accusing two intelligence agencies of being behind the cyberattack.

    “I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy,” the hacker wrote in a blog post, defining himself as a “lone hacker.”

    Several security experts, judging from extensive circumstantial evidence, the potential motives behind the hack, the subsequent public responsibility claim, as well as the timeline of the events, said that the Guccifer 2.0 persona was likely part of a Russian government’s effort to cover up its own hack and spread disinformation.

    Whether Guccifer 2.0 is Russian and, most importantly, part of a Russian government-orchestrated attack on a US political institution is crucial here. While it’s normal and expected for spies to spy on their own enemies, it’s unusual, and way more dangerous, if those spies disseminate the intelligence they gather with the intention of influencing the internal politics of their biggest enemy. For some, that crosses a red line, so the whodunnit in this case is a necessary question to answer.

    Is Guccifer 2.0 Really Romanian?

    Despite claiming to be Romanian, Guccifer 2.0 didn’t seem to be a native Romanian speaker, according to several Romanians who reviewed the transcript of our conversation with him, which was in part carried out in Romanian. (Disclosure: For my part, I used Google Translate).

    For example, he used the word “filigran” for “watermark,” which the Romanian speakers who reviewed our chat logs with Guccifer 2.0 said is an unusual translation. Moreover, after a short exchange in Romanian, the hacker refused to answer longer questions, saying he didn’t want me to “waste” his time.

    [see image of chart showing examples of discrepancies in Guccifer 2.0’s Romanian language usage]

    The Romanians who reviewed the logs also pointed out instances in which Guccifer 2.0’s sentence construction was off, and that while chatting, native speakers usually don’t bother to use diacritics, or letters such as “â” “a” or “?.”

    What About His English Skills?

    The hacker’s English is also clearly not native, and was at times excellent, and at times awful. In one particular exchange, he displayed this contradiction:

    Q: Do you work with Russia or the Russian government?
    A: No because I don’t like Russians and their foreign policy. I hate being attributed to Russia.
    Q: Why?

    A: I’ve already told! Also I made a big deal, why you glorify them?

    The first answer is perfect English. The second one, however, is far less eloquent. Also, the “I’ve already told” phrase could be a sign of a Russian, or at least Slavic, speaker, given the absence of the object, “you”, according to Maria Doubrovskaia, a Russian language instructor at Columbia University.

    This might suggest the hacker had some answers in proper English prepared in advance (perhaps to predictable questions such as “Are you Russian?” or “How did you hack the DNC?”), while for others he had to improvise and didn’t have time to proofread during our live chat. This seems to be confirmed by the fact that Guccifer 2.0 gave me and my colleague Joseph Cox the same, word-for-word answer to a question about how he hacked the DNC.

    It’s also entirely possible that the person, or people, behind Guccifer 2.0 are purposely making these sorts of mistakes and being inconsistent to throw people off.

    Guccifer 2.0 also sometimes did not use definite and indefinite (“the” and “a/an”) articles when writing in English. That could be a sign that his native language doesn’t use them, according to an American university professor who specializes in Slavic syntax and asked to remain anonymous.

    “Russian certainly lacks such articles…but so do all other East and West Slavic languages,” she wrote in an email. “As for Romanian, the language DOES have both indefinite and definite articles, so I wouldn’t necessarily expect such mistakes in English from a native speaker of Romanian.”

    #Guccifer2 Dossier on #HillaryClinton https://t.co/LGcRb1spRN pic.twitter.com/qweBMKR1Qg — GUCCIFER 2.0 (@GUCCIFER_2) June 21, 2016

    A Motherboard reader, who contacted me via email said he taught English to several Russian speakers, said Guccifer 2.0 “has very strong Russian-English syntax (word order) and in some cases unnecessary formality in vocabulary choices that say to me either educated in Russia, or a lot of time in Russia learning Russian-English.”

    But not everyone is that sure. M.J. Connolly, a professor of Slavic and Eastern European linguistics at Boston College, said that Russians tend not to carry the construction using the word “language” after the language name (such as “Russian language,” or “Romanian language”) when they speak English.

    Connolly added that Guccifer 2.0’s English actually doesn’t show some Russian traces he would have expected, such as how at times the hacker does use some indefinite articles, and doesn’t substitute present tenses for past tenses.

    “All I can say is: no smoking gun here,” Connolly said in an email. “The English is very East Euro web talk, which Russians and Romanians and all Eastern Europeans share but, as I’ve pointed out already, many of the traits are non-Russian.”

    For Connolly, the hacker could also be Moldovan, given that the country is a mixed Romanian-Russian environment and many Moldovans, especially the anti-Russian ones, “will identify as Romanian.”

    What Does Guccifer 2.0 Say?

    After I pressed him to speak more Romanian on Tuesday, Guccifer 2.0 stopped answering my questions via Twitter.

    “Man, I’m not a pupil at school,” he said in one of his last answers, in English. “If u have serious questions u can ask. Don’t waste my time.”

    But on Wednesday, a day later, he got back to me, saying he would provide more answers on his blog post, after collecting more inquiries from other reporters and choosing the most popular ones. He also announced this upcoming FAQ on his blog, adding that anyone can now send him questions via Twitter. As of Thursday morning, he has not yet posted anything, and he hasn’t responded to a series of detailed questions we sent him in Romanian.

    The hacker’s words, and language skills, have certainly raised even more questions about his real identity and motives.

    It’s possible that whoever is behind Guccifer 2.0 really is being deluged with questions. Or, perhaps, after he exposed himself in our interview, he’s decided that it’s safer to pick and choose the questions he wants to answer, and take more time to answer them in proper English.

    ———-

    “Why Does DNC Hacker ‘Guccifer 2.0’ Talk Like This?”
    by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 06/23/2016

    “”All I can say is: no smoking gun here,” Connolly said in an email. “The English is very East Euro web talk, which Russians and Romanians and all Eastern Europeans share but, as I’ve pointed out already, many of the traits are non-Russian.””

    That was the take from at least one language specialist: “Guccifer 2.0” was showing all sorts of linguistic signs. They couldn’t speak Romanian. They sometimes showed signs of Russian/Eastern European English mistakes that wouldn’t be consistent with a Romanian speaker’s English mistakes. And they sometimes spoke perfect English:


    The hacker’s English is also clearly not native, and was at times excellent, and at times awful. In one particular exchange, he displayed this contradiction:

    Q: Do you work with Russia or the Russian government?
    A: No because I don’t like Russians and their foreign policy. I hate being attributed to Russia.
    Q: Why?

    A: I’ve already told! Also I made a big deal, why you glorify them?

    The first answer is perfect English. The second one, however, is far less eloquent. Also, the “I’ve already told” phrase could be a sign of a Russian, or at least Slavic, speaker, given the absence of the object, “you”, according to Maria Doubrovskaia, a Russian language instructor at Columbia University.

    This might suggest the hacker had some answers in proper English prepared in advance (perhaps to predictable questions such as “Are you Russian?” or “How did you hack the DNC?”), while for others he had to improvise and didn’t have time to proofread during our live chat. This seems to be confirmed by the fact that Guccifer 2.0 gave me and my colleague Joseph Cox the same, word-for-word answer to a question about how he hacked the DNC.

    So if we are to believe that the GRU created “Guccifer 2.0” as a fake “Romanian” hacker front for the purpose of keeping suspicions away from Russia, we would have to assume the person behind this persona not only couldn’t speak Romanian correctly, but they also sometimes accidentally spoke perfect English. And had certain key phrases for expected questions that they decided to prepare in perfect English for some reason. But when this GRU persona got unexpected questions they kept botching their cover and revealing Russian/Eastern European idiosyncrasies. That’s the scenario we’re supposed to accept at face value.

    But for some reason the possibility that “Guccifer 2.0” is an English speaker trying to seem like a Russian never gets seriously considered. Yet just days ago we have reports that Peter Smith’s team of opposition researchers – a team that included Trump campaign officials – contacted Guccifer 2.0 who told them to contact Andrew “the weev” Auernheimer, an American neo-Nazi hacker who is the prime suspect behind the Macron hacks that also included fake “I’m a Russian” fingerprints. And Charles Johnson, the far-right “GotNews” troll, told Smith’s team to contact “the weev” and that he was in contact with a hidden “alt-right” network of opposition researchers. And it’s a very good bet that Charles Johnson was in regular contact with the Trump team well before Smith reached out to him.

    So if “Guccifer 2.0” was either a Trump campaign operative or already working with the Trump campaign before that June 3rd email from Goldstone was ever sent, you have to wonder if that apparent overture from the Kremlin could have played a decisive role in “Guccifer 2.0” suddenly showing up and acting like a Russian pretending to be a Romanian shortly after that June 3rd email.

    At the same time, it’s important to recall that the “I’m a Russian!” digital fingerprints on this whole operation didn’t first emerge with Guccifer 2.0’s strange language and the Cyrillic meta-data in the documents. The first “I’m a Russian!” digital fingerprints happened when the original hacks took place. That included malware that shockingly had the IP address of the command and control server hard coded into the malware code. And that IP address was the same one used in the 2015 hack of the German Bundestag. And the command and control server was itself vulnerable to hacking because it was using the version of OpenSSL that was vulnerable to the Heartbleed attack. And that vulnerability, which would have left that command and control server (that’s assumed to be under APT28/Fancy Bear control) open to a third party attack, was disclosed to the world in June of 2015, shortly before the initial DNC hack began in the fall of 2015 (and the DNC hacker hardcoded the IP address to this server, thus ensuring suspicion would fall back on APT28/Fancy Bear):

    Netzpolitik.org

    Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag

    on 19.06.2015, guest post (Gastbeitrag)

    Servers of The Left in German Bundestag have been infected with malware, apparently by a state-sponsored group of Russian origin. This is the summary of an analysis by an IT security researcher, which we publish in full. The in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the malware.

    This analysis of security researcher Claudio Guarnieri was originally written for The Left in German Bundestag. We’re publishing it here with permission from The Left.

    A German translation of this report also exists.

    Summary of Findings

    Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure. One is an open source utility used to remotely issue commands on a Windows host from a Linux host. The other is a custom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the attackers to maintain persistence within the compromised network.

    The combination of the two utilities seems to be enough for the attackers to maintain a foothold inside the network, harvest data, and exfiltrate all the information they deemed interesting. It is, however, possible that there are additional malicious artifacts which have not yet been discovered.

    Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28). Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin.

    Artifacts

    The first artifact – identified across this report as Artifact #1 – has the following attributes:

    Name winexesvc.exe
    Size 23552
    MD5 77e7fb6b56c3ece4ef4e93b6dc608be0
    SHA1 f46f84e53263a33e266aae520cb2c1bd0a73354e
    SHA256 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d

    The second artifact – identified across this report as Artifact #2 – has the following attributes:

    Name svchost.exe.exe
    Size 1062912
    MD5 5e70a5c47c6b59dae7faf0f2d62b28b3
    SHA1 cdeea936331fcdd8158c876e9d23539f8976c305
    SHA256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
    Compile Time 2015-04-22 10:49:54

    Analysis of Artifact #1

    Artifact #1 was retrieved from a File Server operated by Die Linke. The file is a 64bit-compatible compiled binary of the open source utility Winexe. Winexe is software similar to the more popular PSExec and is designed to allow system administrators to execute commands on remote servers. While commercial solutions like Symantec pcAnywhere provide a larger feature-set, Winexe is lightweight, and doesn’t require any installation or configuration. One of the reasons Winexe is preferred over PSExec, is that it provides a Linux client, while PSExec doesn’t.

    Attackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across compromised networks. Besides providing the ability to execute arbitrary commands on the target system, these utilities normally don’t raise suspicion as they are commonly whitelisted by Antivirus and other commercial security software.

    Winexe acts as a Windows service that can be configured to automatically start at boot and silently wait for incoming commands over a named pipe. Named pipes are a Windows inter-process communication method. Through named pipes, processes are able to communicate and exchange data even over a network. In the case of Artifact #1, the name of the pipe is „ahexec“; computers over the network could access the pipe server by simply opening a file handle on „\\ServerName\pipe\ahexec“.

    Once connected to the pipe, a user or a program can easily provide information required to execute command (just as they would normally through a command-line). The provided information is then passed to a „CreateProcessAsUserA“ call and the specified command is executed.

    Once inside the network, Artifact #1 can be enough for the attacker to download or create additional scripts, execute commands and exfiltrate data (for example, simply through ftp). It is plausible that Artifact #1 could be present on other servers under different names, although it is also likely that the attacker only left it on servers to which they required maintenance of persistent access.

    It is important that all the deployments of this utility are identified and removed, as they are self-sufficient and they provide easy and open access to execute commands on the host, potentially with administrator privileges.

    Analysis of Artifact #2

    Artifact #2 was recovered from the Admin Controller operated by Die Linke. This is custom malware, which despite large file size (1,1 MB), provides limited functionality. Artifact #2 operates as a backchannel for the attacker to maintain a foothold inside the compromised network. The properties of the artifact show that the same authors of the malware seem to have called it „Xtunnel“. As the same name suggests, the artifact appears in fact to act as a tunnel for the attacker to remotely access the internal network and maintain persistence.

    After initialization, the artifact will attempt to establish a connection by creating a socket. In case of failure, it will sleep for three seconds and try again. The authors of the malware didn’t appear to have spent any effort in concealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in clear-text inside the binary. We can observe below, the procedure through which the artifact attempts to establish a connection with the IP address „176.31.112.10“:

    This specific IP address is a critical piece of information that enables us to connect this attack to a spree of previous targeted campaigns. The details of this attribution are explained in a dedicated section below. We will refer to this IP address as „Command & Control“ (or „C&C“).

    The artifact is capable of receiving multiple arguments, including -Si, -Sp, -Up, -Pp, -Pi and -SSL. Following are the beaconing packets the artifact will send to Command & Control:

    -Si
    00000000 2a 00 00 00 *...
    00000004 b2 23 16 85 ee 59 52 a6 79 3a 2a e2 da 11 c0 1b .#...YR. y:*.....
    00000014 de 77 ea 47 35 11 de 8a 76 1a ee 16 d9 fd 28 0d .w.G5... v.....(.

    -Sp
    00000000 22 00 00 00 "...
    00000004 90 ac c6 39 09 b6 23 72 9d 36 a6 3b 2e b7 02 ce ...9..#r .6.;....
    00000014 dd 09 d4 e4 d3 e6 01 5f 6a 37 b2 39 01 b4 0a af ......._ j7.9....

    -Up
    00000000 07 00 00 00 ....
    00000004 7e e2 82 05 74 be 3f 9b 8e 6a dc 5c d1 fe 85 f7 ~...t.?. .j.\....
    00000014 5f 33 26 6e 5e 62 c1 0e c0 da a3 b3 6c f9 ca 88 _3&n^b.. ....l...

    If the argument -SSL is given through command-line to the artifact, these beacons will be encapsulated in an SSL connection and a proper TLS handshake will be initiated with the C&C.

    Interestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually large size of the binary. More importantly, the Command & Control server (176.31.112.10) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability.

    Attribution

    While attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of such attribution, previous work by security vendor FireEye suggests the group might be of Russian origin, however no evidence allows to tie the attacks to governments of any particular country.

    ———-

    “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag” by Gastbeitrag; Netzpolitik.org; 06/19/2015
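The indicators quoted in the report above (the two SHA-256 values, the pipe name „ahexec“, the clear-text C&C address and the bundled OpenSSL build) are enough for a first-pass file triage that still works when a copy has been renamed or rebuilt. The following Python sketch is an added example, not code from the report or from this site; the function names, the weighting of the indicators and the sample byte strings are assumptions constructed for illustration.

```python
"""File triage against the indicators quoted from the Netzpolitik report.

Added example: hashes, pipe name, C&C address and OpenSSL version are taken
from the report text; everything else (names, weighting, samples) is assumed.
"""
import hashlib
from pathlib import Path

# SHA-256 values the report lists for the two artifacts.
KNOWN_SHA256 = {
    "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d":
        "Artifact #1 (winexesvc.exe)",
    "730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a":
        "Artifact #2 (svchost.exe.exe)",
}

# Strings the report describes as present in the binaries.
STRING_INDICATORS = {
    "176.31.112.10": "C&C address hardcoded in clear text (Artifact #2)",
    "ahexec": "named pipe served by the Winexe service (Artifact #1)",
    "OpenSSL 1.0.1e": "statically bundled OpenSSL build (Artifact #2)",
}

# Assumption: the OpenSSL banner also appears in plenty of legitimate
# software, so on its own it is context, not grounds for a verdict.
WEAK = {"OpenSSL 1.0.1e"}


def find_strings(data):
    """Return indicator strings found as ASCII or UTF-16LE (Windows wide)."""
    hits = []
    for needle in STRING_INDICATORS:
        if needle.encode("ascii") in data or needle.encode("utf-16-le") in data:
            hits.append(needle)
    return hits


def triage(data, known=None):
    """Classify one file's bytes.

    known-artifact: SHA-256 equals a listed hash (the file name is irrelevant,
                    which matters because the report expects renamed copies).
    suspicious:     no hash match, but a strong string indicator is present
                    (covers rebuilt or patched variants with a new hash).
    no-match:       nothing, or only weak context strings.
    """
    known = KNOWN_SHA256 if known is None else known
    digest = hashlib.sha256(data).hexdigest()
    hits = find_strings(data)
    strong = [h for h in hits if h not in WEAK]
    if digest in known:
        verdict = "known-artifact"
    elif strong:
        verdict = "suspicious"
    else:
        verdict = "no-match"
    return {"sha256": digest, "verdict": verdict,
            "label": known.get(digest), "strings": hits}


def scan_tree(root):
    """Triage every readable file under root; return only the findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            result = triage(path.read_bytes())
        except OSError:
            continue  # locked or unreadable file: skip, do not abort the sweep
        if result["verdict"] != "no-match":
            findings.append((str(path), result))
    return findings


# Constructed sample inputs (not real malware): just enough bytes to show
# how each indicator class is treated.
SAMPLE_TUNNEL = (b"MZ" + b"\x00" * 64 + b"176.31.112.10\x00"
                 + b"OpenSSL 1.0.1e 11 Feb 2013\x00")
SAMPLE_PIPE_WIDE = b"MZ" + "\\\\.\\pipe\\ahexec".encode("utf-16-le")
SAMPLE_BENIGN = b"MZ" + b"OpenSSL 1.0.1e 11 Feb 2013\x00"

if __name__ == "__main__":
    for name, blob in [("tunnel-like", SAMPLE_TUNNEL),
                       ("pipe-like", SAMPLE_PIPE_WIDE),
                       ("benign-like", SAMPLE_BENIGN)]:
        r = triage(blob)
        print(name, r["verdict"], r["strings"])
```

A "suspicious" result is a lead for manual analysis, not an attribution; the report itself notes that the C&C host may have been reachable by third parties.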

    “Interestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually large size of the binary. More importantly, the Command & Control server (176.31.112.10) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability.”

    Yep, while it may have been unlikely in June of 2015 when this analysis was published that the command and control server at the 176.31.112.10 IP address was subject to a 3rd party attack (and therefore not actually being used by the Sofacy/APT28 group assumed to control it but someone else), it’s hard to say that it would have been unlikely after this vulnerability was published. Wouldn’t it be likely at that point? And the DNC hacks are presumed to have started shortly after this…with the same IP address hard coded into the DNC hack malware.

    It’s also important to recall that there was a later “hack” of the Bundestag committee that was investigating the NSA/Snowden Affair that was widely attributed to the Bundestag. It was quietly acknowledged that it was likely an inside leaker. But there does appear to be an actual Bundestag hack that took place.

    Still, even if whoever did the DNC hack really was a third party hacker who took control of that command and control server after it was revealed to the world that this was an option, it’s still the case that the world hadn’t yet officially attributed APT28/Sofacy/Fancy Bear to the Russian government. That happened in May of 2016 when the German government officially declared APT28/Sofacy/Fancy Bear to be a Russian government operation:

    SCMagazineUK.com

    German Intelligence blames Russia for Parliament hack

    Germany’s domestic intelligence agency has pointed the official finger at the Russian state for the 2015 attacks on the Bundestag, the German Parliament

    by Max Metzger
    May 16, 2016

    Germany’s chief internal intelligence agency has blamed the Russian state for an attack on the German parliament.

    The Bundesamt für Verfassungsschutz (BfV), which oversees domestic security, has pointed the finger of blame at PawnStorm, an infamous APT group believed to work directly for the Russian state.

    The accusations were laid out by Hans Georg Massen, director of the BfV who said that PawnStorm is directed by the Russian state. The 2015 hacks on the German parliament and other German institutions, added Massen, were carried out in order to gather intelligence.

    However, he also told the press agency AFP that “Russian secret services have also shown a readiness to carry out sabotage.”

    The group’s six month assault on the German parliament is one of its most famous. Revealed in May last year, PawnStorm attempted to deploy malware on government servers that would have given the attackers a permanent backdoor into the parliament. All 20,000 accounts that resided on the system were believed to be compromised, including those of Germany’s foremost lawmakers.

    PawnStorm has been engaged in attacks against a variety of German institutions including critical infrastructure and, as was revealed earlier this month, the ruling Christian Democratic Union party.

    Open accusations are rare when it comes to cyber-security, even more so when it comes to espionage and intelligence. This rare moment of candour may confirm the suspicions of many in the cyber-security and intelligence community who believe that Russia uses powerful hacker proxies to further its geopolitical objectives.

    Cyber-security company Bitdefender made similar sounds late last year. The company released a report which all but labelled the Russian government the sponsors of PawnStorm.

    The prolific APT group is known by many names. In other instances it’s been called Sofacy, Fancy Bear or APT 28. PawnStorm, one of its more popular monikers, comes from the chess strategy wherein pawns are rapidly deployed against an opponent.

    Believed to be formed in 2004, the group’s fingerprints have been seen in the electronic crime scenes of plenty of high-level attacks. Late last year, the group attacked NATO and the White House while pretending to be the privacy advocacy group the Electronic Frontier Foundation.

    False flag tactics seem to be a favourite for this group, perhaps because Pawn Storm is so widely believed to be a proxy of the Russian state, attacking the enemies of Putin such as the embattled Syrian opposition.

    Much like the historical relationship Britain has had with pirates or privateers, the Russian state may want to strike at its enemies, but without the repercussions of an open operation said Ewan Lawson, a fellow at the Royal United Services Institute and expert in cyber-warfare.

    Germany’s response, Lawson told SCMagazineUK.com, shows “the Germans are clearly losing patience”.

    However, added Lawson, “Arguably the whole point of this approach is proving the link between APT 28 and the Russian state and even further with Putin’s inner circle. As such, I think the Russians will smile knowingly but it won’t lead to any escalation at this stage. The bigger significance is the growing public conversation about the state/non-state nexus.”

    ———-

    “German Intelligence blames Russia for Parliament hack” by Max Metzger; SCMagazineUK.com; 05/16/2017

    “The Bundesamt für Verfassungsschutz (BfV), which oversees domestic security, has pointed the finger of blame at PawnStorm, an infamous APT group believed to work directly for the Russian state.”

    As of May of 2016, it was “official” that APT28/Fancy Bear was a Russian government operation. Which means anyone who may have commandeered that vulnerable command and control server to carry out the DNC hack would obviously want to make it look like they were Russians if they were going to create a public persona.

    While this might seem like getting deep into the weeds, these are important details to point out because if the Trump campaign, or a non-Russian government affiliate, was indeed behind the DNC hacks, you wouldn’t necessarily expect them to frame the Russian government given the Trump family’s long history with Russia. But it would make A LOT of sense to frame Russia if your hacker commandeered a server that was pinned on Russia by the German government.

    On a related note, you also have to wonder if the German government is the unnamed government that provided the “critical technical evidence” the US intelligence agencies used to conclude it was Russian hackers? Being the first government to publicly finger Russia after ostensibly the same hackers hacked the Bundestag the year before certainly suggests it could be Germany. Given all the problems with that technical analysis it might explain why the NSA expressed reservations about their conclusions.

    Anyway, that’s all part of why whoever carried out the DNC hacks had a strong incentive to make it look like it was the Russian government behind it if indeed it was carried out by non-Russian government hackers. And this was the case as of May of 2016 when the German government formally charged the Russian government, but even still before then since so many cybersecurity analysts were long-suspecting the Russian state of being behind APT28/Fancy Bear.

    So when Rob Goldstone sent that amazingly conspicuous June 3rd email saying the Russian government wants to help the Trump campaign, if the Trump campaign was sitting on a bunch of hacked emails and trying to determine what they were going to do with them, you have to wonder if that was the point when they may have decided to create a ‘Romanian’ (but very Russian-seeming) “Guccifer 2.0” persona, fill the documents with more Russian “fingerprints”, and just dump everything on the internet.

    Posted by Pterrafractyl | July 15, 2017, 6:11 pm
  4. @Pterrafractyl–

    In the “Russia-gate” counter-intelligence deception, it is important to remember that Rob Goldstone is a Rupert Murdoch protege.

    Donald Trump, Jr. is also an “Alt-right” patron, as we have seen in FTR #927. http://spitfirelist.com/for-the-record/ftr-927-the-trumpenkampfverbande-part-6-locker-room-eclipse/

    Roger Stone, BTW, was guided into political waters by Roy Cohn, the Joe McCarthy protege. https://consortiumnews.com/2016/06/19/how-roy-cohn-helped-rupert-murdoch-2/

    “. . . . However, in the years before he died, Cohn gained some measure of revenge against his liberal enemies by helping to elect Ronald Reagan. Roger Stone, another Cohn associate, has asserted that at Cohn’s initiative he delivered an apparent bribe to a leader of New York’s Liberal Party in 1980 to arrange the endorsement of independent candidate John Anderson, who then siphoned off 7.5 percent of the vote and opened the way for Reagan to carry New York against President Jimmy Carter. . . .”

    It was McCarthy who introduced Murdoch to Reagan and helped initiate the right-wing GOP media attack colossus. https://consortiumnews.com/2016/06/19/how-roy-cohn-helped-rupert-murdoch-2/

    Robert Parry also has an interesting piece on the “Kremlin” lawyer who figures in the DT, Jr. gambit.

    https://consortiumnews.com/2017/07/13/how-russia-gate-met-the-magnitsky-myth/

    All of which is to say that, when the bells and whistles stop turning, one finds the far right and intelligence service–Felix Sater, Andrew Auernheimer and friends.

    Best,

    Dave

    Posted by Dave Emory | July 17, 2017, 4:52 pm
  5. Here’s something to consider as destructive cyberbombs are being preemptively placed on networks as a form of cyber-WMDs and the US settles into a ‘Cold War’ modality with Russia: If any skilled hacker on the planet manages to hack a US nuclear power plant, that ‘cold war’ might heat up pretty fast whether Russia was behind it or not…especially if there’s a meltdown:

    E&E News

    ‘Who did it?’ zeroes in on Russian hacking

    Blake Sobczak,
    Energywire: Monday, July 10, 2017

    A sophisticated group of hackers has targeted U.S. nuclear plants in a wide-ranging hacking campaign since at least May, according to multiple U.S. authorities.

    The hackers tried to steal usernames and passwords in the hope of burrowing deep into nuclear power networks, in addition to other utility and manufacturing targets.

    But the Department of Homeland Security, the FBI, sources familiar with the ongoing investigation and nonpublic government alerts told E&E News that heavily guarded nuclear safety systems were left unscathed by any recent cyber intrusions. Experts say the evidence so far points to a remote threat that, while advanced, likely could not have leaped from corporate business networks to the critical but isolated computer networks keeping nuclear reactors operating safely.

    Still, the question that lingers is, who did it?

    Suspicion has fallen on hackers with ties to Russia, in part because of past intrusions into U.S. companies and for Russia-linked attacks on Ukraine’s power grid in 2015 and 2016.

    Ukrainian security services laid the blame for the grid hacks at Russian President Vladimir Putin’s feet. Several private U.S. cybersecurity companies have also drawn links between energy industry-focused hacking campaigns with names like “Energetic Bear” back to Russian intelligence services.

    The Washington Post reported Saturday that U.S. government officials have already pinned the recent nuclear cyber intrusions on Russia.

    Analysts remain quick to tamp down assertions that Russia’s fingerprint on the latest attack is a sure thing.

    Without mentioning any nation-state by name, former Energy Secretary Ernest Moniz noted on Twitter that “these ‘advanced persistent threats’ have long worried U.S. intelligence officials — and recent events prove they are very real.”

    Referencing reports of the recent nuclear cyber incidents, he added, “These breaches make plain that foreign actors are looking for ways to exploit US grid vulnerabilities. We saw this coming.”

    If U.S. intelligence agencies confirm Russian security services were involved in the attack on nuclear plants, tensions with Moscow could escalate. In a Twitter comment that attracted bipartisan ridicule, President Trump yesterday morning said that he and Putin had agreed to create an “impenetrable Cyber Security unit” to guard against hacking, only to apparently reverse his position hours later and suggest such an arrangement “can’t” happen.

    Sen. Maria Cantwell (D-Wash.), ranking member of the Senate Energy and Natural Resources Committee, reiterated her calls for the White House to assess energy-sector cyber vulnerabilities and abandon proposed budget cuts at the Department of Energy. “The disturbing reports of the past 24 hours indicate that our adversaries are trying to take advantage of the very real vulnerabilities of our energy infrastructure’s cyber defenses,” she said Friday.

    Drawing from the Ukraine playbook

    In 2015, a group of hackers set sights on several Ukrainian electric distribution companies. The intruders broke into the utilities’ business networks with “phishing” emails designed to lure employees into clicking on a document laced with malware.

    From there, the attackers mapped out their victims’ computer systems, even gaining access to the virtual private network utility workers used to remotely operate parts of Ukraine’s electric grid.

    On Dec. 23, 2015, after months of waiting and spying, the hackers struck, logging onto the operational network and flipping circuit breakers at electric substations. They succeeded in cutting power to several hundred thousand Ukrainian citizens for a few hours in what became the first known cyberattack on a power grid in the world.

    At first glance, the latest nuclear hackers appear to have drawn from the same playbook.

    They used a “fairly creative” phishing email to gain a foothold on targeted networks, according to Craig Williams, senior technical leader and global outreach manager for Cisco Talos, a cybersecurity research division of Cisco Systems Inc.

    Instead of stowing malware in the Word document itself, the hackers tweaked a control engineer’s résumé into beaconing out to a malicious server via a Microsoft communications protocol called Server Message Block. The cyber intruders could then swipe fragments of SMB traffic containing the victims’ login information to set up an authorized connection to the targeted network and move on from there, Williams explained.

    The technique points to “attackers who are dedicated and who’ve done their research,” he noted.

    While Williams said Cisco had detected a variety of energy companies hit by the phishing emails, he pointed out that “the nuclear sector is extremely hardened.”

    Getting blocked

    Nuclear power plant operators have to abide by their own set of cybersecurity rules established by the Nuclear Regulatory Commission. Following its most recent cybersecurity audits in 2015, the NRC reported “several very low security significance violations of cyber security plan requirements.”

    None of those violations could have resulted in an imminent threat to nuclear safety, the regulator said.

    The NRC plans to ramp up cybersecurity inspections later this year. The agency has declined to comment on reports of the recent cyber breaches at nuclear power generation sites.

    Nuclear power companies have had to account for the possibility of a cyberattack on their safety systems since 2002, according to NRC guidance.

    Electric utilities typically adhere to a three-step model for protecting their most sensitive systems from hackers. At a basic level, this setup involves an information technology network — such as a utility’s internet-connected corporate headquarters — and an operational network that includes grid control systems. Companies typically add a third layer or “demilitarized zone” bridging those two sides of the business, replete with firewalls, cybersecurity technologies and other safeguards.

    Nuclear operators add at least two more layers to that model, drawing lines among the public internet, the corporate network, onsite local area networks, industrial “data acquisition” networks and, finally, the core safety system overseeing radioactive materials, based on government guidelines.

    In the U.S., safety systems are often still “analogue,” having originally been built in the 1980s or earlier, before the recent spread of web-connected technologies.

    Within that last, critical zone — Level 4 in nuclear industry parlance — tight physical controls prevent phones and USB drives from getting in; and operational data is designed to flow only outward through “data diodes,” with no potential for online commands to enter from the public internet or even the site’s own local area network.

    “Anybody ever reports that somebody got a connection from the internet directly or indirectly into the heart of a nuclear control system is either full of crap, or is revealing a massive problem with some particular site, because there should be physically no way for that to actually be possible,” said Andrew Ginter, vice president of Waterfall Security Solutions, which markets one such “unidirectional gateway” or data diode to the U.S. nuclear sector. “To me, it’s almost inconceivable.”

    Marty Edwards, managing director of the Automation Federation, who until last month headed a team of industrial control security specialists at DHS, generally agreed that a remote connection would be nearly impossible to achieve. “When we tested those kinds of [one-way] devices in the lab, we found that you couldn’t circumvent any of them, basically, because they’re physics-based,” he said. “There’s no way to manipulate that stream.”

    One source familiar with nuclear information technology practices, who agreed to speak about security matters on condition of anonymity, said that “in order to have a catastrophic impact, you have to get by the human in the control room” — no easy feat. “You’re talking workers who are regularly screened for insider [threat] indicators and psychological stability.”

    Still, the source said a well-resourced attacker could try sneaking in thumb drives, planting an insider or even landing a drone equipped with wireless attack technology into a nuclear generation site. Reports indicate that the infamous Stuxnet worm, which damaged Iranian nuclear centrifuges in the late 2000s, probably snuck in on removable media. Once inside the “air gapped” target network, Stuxnet relied on its own hard-coded instructions, rather than any remote commands sent in through the internet, to cause costly and sensitive nuclear equipment to spin out of control.

    But the source, who had reviewed recent DHS and FBI warnings about recent nuclear cyberthreats, added that there was no indication the actor behind it got close to nuclear operators’ crown jewels.

    “To get around the data diodes and all the other defenses, it’d be unprecedented at this point,” at least from a U.S. perspective, said the source.

    Would it even be possible?

    “Maybe if you’re Vladimir Putin,” the source said.

    ———-

    “‘Who did it?’ zeroes in on Russian hacking” by Blake Sobczak; E&E News; 07/10/2017

    “The Washington Post reported Saturday that U.S. government officials have already pinned the recent nuclear cyber intrusions on Russia.”

    As we should expect, the successful phishing campaign against nuclear plant employees has already been attributed to Russia. And, who knows, maybe it really was Russian government sponsored hackers, possibly in response to the reports about the US planting of ‘cyberbombs’ on Russian networks in retaliation for the 2016 US election hacks blamed on Russia. But, of course, maybe it wasn’t Russian:


    Analysts remain quick to tamp down assertions that Russia’s fingerprint on the latest attack is a sure thing.

    Still, it’s a pretty alarming situation regardless of who was behind it, in part because it’s an example of how potentially vulnerable things like nuclear plants are to any hacker, state-backed or not:


    Still, the source said a well-resourced attacker could try sneaking in thumb drives, planting an insider or even landing a drone equipped with wireless attack technology into a nuclear generation site. Reports indicate that the infamous Stuxnet worm, which damaged Iranian nuclear centrifuges in the late 2000s, probably snuck in on removable media. Once inside the “air gapped” target network, Stuxnet relied on its own hard-coded instructions, rather than any remote commands sent in through the internet, to cause costly and sensitive nuclear equipment to spin out of control.

    And as we’re going to see with the very strange case of Devon Arthurs – a neo-Nazi-turned-Muslim who murdered two of his neo-Nazi roommates back in May – and Brandon Russell – Arthurs’s third roommate who was found possessing bomb-making materials, radioactive substances and a framed picture of Timothy McVeigh after police searched their residence – if we’re looking for a group that’s likely to actually try to cause a nuclear meltdown and all the death and destruction that goes along with it, it’s probably not the Russian government we have to worry about:

    Tampa Bay Times

    National Guard ‘neo-Nazi’ aimed to hit Miami nuclear plant, roommate says

    Dan Sullivan, Times Staff Writer
    Tuesday, June 13, 2017 4:20pm

    TAMPA — Brandon Russell, a National Guardsman and self-described neo-Nazi, had plans to blow up power lines in the Florida Everglades and launch explosives into a nuclear power plant near Miami, his roommate Devon Arthurs told police.

    Prosecutors on Tuesday played portions of a recorded interrogation Arthurs gave in the hours immediately after he was arrested in the killings of Jeremy Himmelman and Andrew Oneschuk. In the video, Arthurs offers a justification for the killings, claiming that Russell, the surviving roommate, was preparing to commit acts of terrorism.

    “The things they were planning were horrible,” Arthurs said. “These people were not good people.”

    The U.S. Attorney’s Office presented the video excerpts in an effort to get U.S. Magistrate Judge Thomas B. McCoun III to revoke an order granting Russell bail, arguing that he poses a danger to the community.

    Late Tuesday, the judge stayed the order. Russell will remain jailed while the judge reconsiders the issue.

    Russell, 21, faces explosives charges after bombmaking materials were found at his Tampa Palms apartment May 19 during the murder investigation. Arthurs, separately, has been charged with two counts of first-degree murder in state court.

    In the video, Arthurs sits beside a table in a white-walled interrogation room, his right leg resting over his left knee. He gestures with both hands as he casually describes Russell’s neo-Nazi beliefs and supposed plans to commit terrorist acts.

    He said Russell studied how to build nuclear weapons in school and is “somebody that literally has knowledge of how to build a nuclear bomb.”

    When a Tampa police detective asked Arthurs if his friends had any specific terrorist intentions, he said they had a plan to blow up power lines along Alligator Alley, the stretch of Interstate 75 linking Naples with Fort Lauderdale.

    He also said they had a plan to fire mortars loaded with nuclear material into the cooling units of a nuclear power plant near Miami.

    He said the damage would cause “a massive reactor failure” and spread “irradiated water” throughout the ocean.

    “Think about a BP oil spill, except it wipes out parts of the eastern seaboard,” Arthurs said.

    The detective asked why they wanted to do these things.

    “Because they wanted to build a Fourth Reich,” Arthurs said. He said Russell idolized Oklahoma City bomber Timothy McVeigh.

    “He said the only thing McVeigh did wrong was he didn’t put enough material into the truck to bring the whole building down.”

    Assistant U.S. Attorney Josephine Thomas noted during the hearing that the Turkey Point Nuclear Generating Station is near Miami. She also noted that when bomb squad members arrived at Russell’s apartment, their pagers alerted them to the presence of “two radiation sources.” The criminal complaint says those were thorium and americium, both radioactive metals.

    Russell’s defense attorney, Ian Goldstein, noted that authorities have not charged him with possession of nuclear materials.

    Goldstein questioned Arthurs’ credibility.

    “Devon Arthurs is a person who just murdered two individuals, who is desperate to save himself, and, quite frankly, I think he is a few cards short of a full deck,” Goldstein said. “I hope the government brings Mr. Arthurs to the trial as their prime witness. He’s insane.”

    Arthurs, according to court records, admitted to the killings, saying Himmelman and Oneschuk had disrespected his conversion to Islam.

    “I was like, ‘How could I have done this?’ ” he said in the video played Tuesday. “If I hadn’t done that, there would be a lot more people dead than just these two guys in this organization.”

    ———-

    “National Guard ‘neo-Nazi’ aimed to hit Miami nuclear plant, roommate says” by Dan Sullivan; Tampa Bay Times; 06/13/2017

    “He said Russell studied how to build nuclear weapons in school and is “somebody that literally has knowledge of how to build a nuclear bomb.””

    A neo-Nazi that literally has knowledge of how to build a nuclear bomb. That’s how Devon Arthurs, a neo-Nazi-turned-Muslim who killed two of his neo-Nazi roommates, characterized Brandon Russell. But Russell’s nuclear interests were limited to building bombs according to Arthurs. He also wanted to fire nuclear-tipped mortars at Miami’s nuclear power plant to create a mass disaster…as part of a plan to create a Fourth Reich:


    When a Tampa police detective asked Arthurs if his friends had any specific terrorist intentions, he said they had a plan to blow up power lines along Alligator Alley, the stretch of Interstate 75 linking Naples with Fort Lauderdale.

    He also said they had a plan to fire mortars loaded with nuclear material into the cooling units of a nuclear power plant near Miami.

    He said the damage would cause “a massive reactor failure” and spread “irradiated water” throughout the ocean.

    “Think about a BP oil spill, except it wipes out parts of the eastern seaboard,” Arthurs said.

    The detective asked why they wanted to do these things.

    “Because they wanted to build a Fourth Reich,” Arthurs said. He said Russell idolized Oklahoma City bomber Timothy McVeigh.

    And Arthurs claimed to police that it was these terrorist plots that, in part, prompted him to kill his roommates (although not Russell):


    Arthurs, according to court records, admitted to the killings, saying Himmelman and Oneschuk had disrespected his conversion to Islam.

    “I was like, ‘How could I have done this?’ ” he said in the video played Tuesday. “If I hadn’t done that, there would be a lot more people dead than just these two guys in this organization.”

    Also note that while the judge initially released Russell, saying there wasn’t evidence to back Arthurs’s claims, he reversed that ruling a day later.

    So was Devon Arthurs just making stuff up to the police or is there some truth to the claims? Well, finding explosive and radioactive materials certainly lends some credibility to them:


    Assistant U.S. Attorney Josephine Thomas noted during the hearing that the Turkey Point Nuclear Generating Station is near Miami. She also noted that when bomb squad members arrived at Russell’s apartment, their pagers alerted them to the presence of “two radiation sources.” The criminal complaint says those were thorium and americium, both radioactive metals.

    Well, as the following article notes, the apartment these four neo-Nazis shared included a framed picture of Timothy McVeigh, enough explosives to create a bomb, and Russell himself admitted to belonging to a group called Atomwaffen, which is German for “atomic weapon”.

    On the other hand, Russell, and the rest of Atomwaffen, got quite a testimony about their good character…from Andrew “the weev” Auernheimer. Yes, Auernheimer, who happens to be the kind of skilled hacker who actually might have the ability to trigger a nuclear meltdown someday, wrote about the whole incident on The Daily Stormer. According to Auernheimer, the two killed roommates were “friends of friends” and the “Atomwaffen are a bunch of good dudes. They’ve posted tons of fliers with absolutely killer graphics at tons of universities over the years. They generally have a lot of fun and party”:

    Associated Press

    Neo-Nazi-turned-Muslim kills roommates over ‘disrespect,’ police say

    By JASON DEAREN and MICHAEL KUNZELMAN
    May 22, 2017 at 6:43 pm

    A man told police he killed his two roommates because they were neo-Nazis who disrespected his recent conversion to Islam, and investigators found bomb-making materials and Nazi propaganda after he led them to the bodies.

    Devon Arthurs, 18, told police he had until recently shared his roommates’ neo-Nazi beliefs, but that he converted to Islam, according to court documents and a statement the Tampa Police Department released Monday.

    In the apartment with the victims’ bodies on Friday, investigators found Nazi and white supremacist propaganda; a framed picture of Oklahoma City bomber Timothy McVeigh; and explosives and radioactive substances, according to the court documents.

    They also found a fourth roommate, Brandon Russell, crying and standing outside the apartment’s front door in his U.S. Army uniform.

    “That’s my roommate (Russell). He doesn’t know what’s going on and just found them like you guys did,” Arthurs told the police officers, according to the report.

    Federal agents arrested Russell, 21, on Saturday on charges related to the explosives.

    The FBI said Russell “admitted to his neo-Nazi beliefs” and said he was a member of a group called Atomwaffen, which is German for “atomic weapon.”

    Major Caitlin Brown, spokeswoman for the Florida National Guard, confirmed Russell was a current member of the Florida National Guard. But she couldn’t immediately provide any other information.

    Arthurs started the chain of events on Friday when he held two customers and an employee hostage at gunpoint at a Tampa smoke shop, police said. He was complaining about the treatment of Muslims.

    “He further informed all three victims that he was upset due to America bombing his Muslim countries,” police Detective Kenneth Nightlinger wrote in his report.

    Officers talked Arthurs into letting the hostages go and dropping his weapon, and took him into custody.

    While in custody, police said Arthurs started talking about killing two people, and then he directed them to a condominium complex where the four roommates shared an apartment.

    “I had to do it,” Arthurs told police. “This wouldn’t have had to happen if your country didn’t bomb my country.”

    Inside the apartment, the officers found the bodies of 22-year-old Jeremy Himmelman and 18-year-old Andrew Oneschuk. Both had been shot.

    Police called in the FBI and a bomb squad, which found enough explosives to constitute a bomb, according to federal agents.

    At first, Russell told agents he kept the explosives from his days in an engineering club at the University of South Florida in 2013, and that he used the substances to boost homemade rockets. The agents wrote that the substance found was “too energetic and volatile for these types of uses.”

    Russell has been charged with possession of an unregistered destructive device and unlawful storage of explosive material. Court records did not list an attorney for him.

    Andrew Auernheimer, a notorious computer hacker and internet troll, wrote a post about the killings for The Daily Stormer, a leading neo-Nazi website.

    Auernheimer, known online as “weev,” said in Sunday’s post that he knew the shooting suspect and both of the shooting victims. He said he banned Arthurs from The Daily Stormer’s Discord server, an online forum, for posting “Muslim terrorist propaganda” earlier this year.

    “He came in to convert people to Islam,” Auernheimer said during a telephone interview Monday. “It didn’t work out very well for him.”

    Auernheimer described Himmelman and Oneschuk as “friends of friends” and said they belonged to the Atomwaffen group.

    “Atomwaffen are a bunch of good dudes. They’ve posted tons of fliers with absolutely killer graphics at tons of universities over the years. They generally have a lot of fun and party,” he wrote.

    ———-

    “Neo-Nazi-turned-Muslim kills roommates over ‘disrespect,’ police say” by JASON DEAREN and MICHAEL KUNZELMAN; Associated Press; 05/22/2017

    “In the apartment with the victims’ bodies on Friday, investigators found Nazi and white supremacist propaganda; a framed picture of Oklahoma City bomber Timothy McVeigh; and explosives and radioactive substances, according to the court documents.”

    That sure sounds like the kind of stuff one would find in the apartment of someone with horrible plans. But according to neo-Nazi elite-hacker Andrew Auernheimer, the only problem in this situation was Arthurs posting “Muslim terrorist propaganda” on the Daily Stormer’s forums. Otherwise these Atomwaffen guys were great!


    Andrew Auernheimer, a notorious computer hacker and internet troll, wrote a post about the killings for The Daily Stormer, a leading neo-Nazi website.

    Auernheimer, known online as “weev,” said in Sunday’s post that he knew the shooting suspect and both of the shooting victims. He said he banned Arthurs from The Daily Stormer’s Discord server, an online forum, for posting “Muslim terrorist propaganda” earlier this year.

    “He came in to convert people to Islam,” Auernheimer said during a telephone interview Monday. “It didn’t work out very well for him.”

    Auernheimer described Himmelman and Oneschuk as “friends of friends” and said they belonged to the Atomwaffen group.

    “Atomwaffen are a bunch of good dudes. They’ve posted tons of fliers with absolutely killer graphics at tons of universities over the years. They generally have a lot of fun and party,” he wrote.

    And don’t forget, if any neo-Nazi hacker is capable of successfully taking down a nuclear plant, perhaps as part of a larger coordinated neo-Nazi attack or just on his own, it’s Auernheimer.

    And in case it’s not obvious that Auernheimer shares in the McVeigh worship, it should be obvious now that he recently proposed crowd-funding a McVeigh monument:

    The Southern Poverty Law Center

    McVeigh Worship: The New Extremist Trend

    Bill Morlin
    June 27, 2017

    In extremist circles, there appears to be a bump of interest in Timothy James McVeigh.

    Yes, that Timothy McVeigh. The guy who used a Ryder truck to bomb the Alfred P. Murrah Federal Building in Oklahoma City on April 19, 1995, killing 168 innocent children and adults and wounding more than 600 others.

    His act 22 years ago, for those who may have forgotten, was the deadliest terrorist attack in the United States before the attacks of Sept. 11, 2001.

    McVeigh was convicted of terrorism and executed just three months before those attacks.

    His name and heinous crime are not forgotten, nor should they be, while there seems to be a growing admiration for McVeigh in some extremist circles. One militia honcho even likened McVeigh to Jesus Christ.

    Check out these recent mentions of McVeigh:

    In mid-May, police in Tampa, Florida, responded to the scene of a double-murder involving young, self-described neo-Nazis.

    Brandon Russell, who shared the apartment with the murder suspect, was charged with possession of bomb-making materials and chemicals, including ammonium nitrate – the same kind of material used by McVeigh.

    In Russell’s bedroom at the apartment he shared with the murder suspect and the two slain neo-Nazis, police found a framed photograph of Timothy McVeigh. Russell, who’s in custody, hasn’t publicly explained that fascination.

    More recently, neo-Nazi Andrew ‘Weev’ Auernheimer, who writes for the racist web site “Daily Stormer,” said he was serious in proposing a crowd-funding account to raise money to build a “permanent monument” in a memorial grove honoring McVeigh.

    “Think of it, a gigantic bronze statue of Timothy McVeigh poised triumphantly atop a Ryder truck, arms raised as if to form an Algiz rune from his body, with a plaque that states the honest truth,” Auernheimer wrote. “Nothing would be a greater insult to these pizza-party guarding federal swine than a permanent monument honoring [McVeigh’s] journey to Valhalla or Fólkvangr atop the piles of their corpses.”

    “I am not joking,” Auernheimer wrote. “This should be done. Imagine how angry it would make people.”

    ———-

    “McVeigh Worship: The New Extremist Trend” by Bill Morlin; The Southern Poverty Law Center; 06/27/2017

    “More recently, neo-Nazi Andrew ‘Weev’ Auernheimer, who writes for the racist web site “Daily Stormer,” said he was serious in proposing a crowd-funding account to raise money to build a “permanent monument” in a memorial grove honoring McVeigh.”

    So, yes, while it seems very unlikely that the Russian government would resort to triggering nuclear meltdowns given the extreme retaliation that would follow, there’s no shortage of groups that just might be willing to trigger a meltdown and just might have the capacity to do so. Whether it’s a hack attack from someone like “the weev” or just a friend of the weev who happens to be a good shot with high-explosive mortars.

    Posted by Pterrafractyl | July 18, 2017, 4:14 pm
  6. Is it possible that the “Command & control” server used in the DNC server hacks was not only hacked and under 3rd party control during the 2015-2016 DNC hack but also the 2015 Bundestag hack? As we’re going to see, it’s possible.

    First, here’s something to keep in mind regarding the German government’s public attribution in mid-May of 2016 that APT28/Fancy Bear is a Russian government hacking group and was responsible for the 2015 Bundestag hack: As security analyst Jeffrey Carr notes in the piece below, when Germany’s domestic intelligence agency, the BfV, issued a report in January of 2016 that attributed both APT28 and APT29 to the Russian government, the report didn’t appear to reference any classified information. The conclusions appeared to be based on exactly the same kind of technical ‘clues’ that were used for attribution in the 2016 DNC hacks. And as Carr also points out, relying on those technical ‘clues’ is a rather clueless way to go about attribution:

    Medium

    Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011)

    Jeffrey Carr
    Jul 27, 2016

    Yesterday, Professor Thomas Rid (Kings College London) published his narrative of the DNC breach and strongly condemned the lack of action by the U.S. government against Russia.

    Susan Hennessey, a Harvard-educated lawyer who used to work at the Office of the General Counsel at NSA called the evidence “about as close to a smoking gun as can be expected where a sophisticated nation state is involved.”

    Then late Monday evening, the New York Times reported that “American intelligence agencies have “high confidence” that the Russian government was behind the DNC breach.

    It’s hard to beat a good narrative “when explanations take such a dreadful time” as Lewis Carroll pointed out. And the odds are that nothing that I write will change the momentum that’s rapidly building against the Russian government.

    Still, my goal for this article is to address some of the factual errors in Thomas Rid’s Vice piece, provide some new information about the capabilities of independent Russian hackers, and explain why the chaos at GRU makes it such an unlikely home for an APT group.

    Fact-Checking The Evidence

    Thomas Rid wrote:

    One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.

    This paragraph sounds quite damning if you take it at face value, but if you invest a little time into checking the source material, its carefully constructed narrative falls apart.

    Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”

    Problem #2: The Command & Control server (176.31.112.10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.

    The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.

    Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure—these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

    Professor Rid’s argument depended heavily on conveying hard attribution by the BfV even though the President of the BfV didn’t disguise the fact that their attribution was based on an assumption and not hard evidence.

    Personally, I don’t want to have my government create more tension in Russian-U.S. relations because the head of Germany’s BfV made an assumption.

    In intelligence, as in other callings, estimating is what you do when you do not know. (Sherman Kent)

    When it came to attributing Fancy Bear to the GRU, Dmitry Alperovich used a type of estimative language because there was no hard proof: “Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.”

    For Cozy Bear’s attribution to the FSB, Dmitry simply observed that there were two threat actor groups operating at the same time while unaware of each other’s presence. He noted that the Russian intelligence services also compete with each other, therefore Cozy Bear is probably either the FSB or the SVR: “we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario.”

    The Fidelis report on the malware didn’t mention the GRU or FSB at all. Their technical analysis only confirmed the APT groups involved: “Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC.”

    When it came to attributing the attack to the Russian intelligence services, Fidelis’ Mike Buratowski told reporter Michael Heller: “In a situation like this, we can’t say 100% that it was this person in this unit, but what you can say is it’s more probable than not that it was this group of people or this actor set.”

    As Mark Twain said, good judgment comes from experience, and experience comes from bad judgment. The problem with judgment calls and attribution is that since there’s no way to be proven right or wrong, there’s no way to discern if one’s judgment call is good or bad.

    The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police.

    OK. Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker. Someone clearly had a wicked sense of humor.

    APT Groups Aren’t People. They’re Indicators.

    [see image of different names for the APT groups assumed to be Russian]

    This is a partial spreadsheet for Russian APT threat groups. The one for China is about four times as big. If it looks confusing, that’s because it is. There is no formal process for identifying a threat group. Cybersecurity companies like to assign their own naming conventions so you wind up having multiple names for the same group. For example, CrowdStrike’s Fancy Bear group has the primary name of Sofacy, and alternative names of APT28, Sednit, Pawn Storm, and Group 74.

    While it’s natural to think of Sofacy as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable.

    Non-Government Russian Hacker Groups

    Russia’s Ministry of Communication reported that Russian cybercriminals are re-investing 40% of the millions of dollars that they earn each year in improving their technology and techniques as they continue to target the world’s banking system. Kaspersky Lab estimated earnings for one 20 member group at $1 billion over a three year period.

    A common (and erroneous) rationale for placing the blame of a network breach on a nation state is that independent hacker groups either don’t have the resources or that stolen data doesn’t have financial value. These recent reports by Kaspersky Lab and Russian Ministry of Communication make it clear that money is no object when it comes to these independent groups, and that sophisticated tools and encryption methods are constantly improved upon, just as they would be at any successful commercial enterprise or government agency.

    That, plus the occasional cross-over between independent Russian hackers and Russia’s security services makes differentiation between a State and non-State threat actor almost impossible. For that reason alone, it should be incumbent upon policymakers and journalists to question their sources about how they know that the individuals involved are part of a State-run operation.

    A Nightmare Scenario

    “Indeed, there will be some policymakers who could not pass a rudimentary test on the “facts of the matter” but who have the strongest views on what the policy should be and how to put it into effect.” (Sherman Kent)

    Here’s my nightmare. Every time a claim of attribution is made—right or wrong—it becomes part of a permanent record; an un-verifiable provenance that is built upon by the next security researcher or startup who wants to grab a headline, and by the one after him, and the one after her. The most sensational of those claims are almost assured of international media attention, and if they align with U.S. policy interests, they rapidly move from unverified theory to fact.

    Because each headline is informed by a report, and because indicators of compromise and other technical details are shared between vendors worldwide, any State or non-State actor in the world will soon have the ability to imitate an APT group with State attribution, launch an attack against another State, and generate sufficient harmful effects to trigger an international incident. All because some commercial cybersecurity companies are compelled to chase headlines with sensational claims of attribution that cannot be verified.

    I encourage my colleagues to leave attribution to the FBI and the agencies of the Intelligence Community, and I implore everyone else to ask for proof, even from the U.S. government, whenever you read a headline that places blame on a foreign government for an attack in cyberspace.

    ———–

    “Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011)” by Jeffrey Carr; Medium; 07/27/2017

    “While it’s natural to think of Sofacy as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable.”

    Yep, when cybersecurity firms publish reports about some “APT” (Advanced Persistent Threat) group, they’re not actually reporting on a specific group. They’re reporting on similar technical indicators that suggest an attack could have been the same group that did a previous hack, but that’s largely it.

    And if those technical indicators include code that’s available to 3rd party hackers and servers that have already been hacked or show vulnerabilities to hacking, as is the case with the 176.31.112[.]10 Command & Control server used by “APT28” in both the DNC server hack and the Bundestag hack (with that IP address hard coded in both cases), those technical indicators are indicative of very little other than some group might be up to their old tricks or some other group is copying (or framing) them:


    Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”

    Problem #2: The Command & Control server (176.31.112.10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.

    The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.

    “The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.”

    And yet, despite these glaring issues with the technical indicators, when Germany’s BfV issued a report in January of 2016 pinning the blame for the Bundestag hacks on the GRU and FSB, it was an assumption based on technical indicators alone:

    ..
    Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure—these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

    So it looks like the BfV’s attribution that the Russian government was behind the “APT28” Bundestag hack wasn’t a very solid attribution.

    And don’t forget that the attribution of the Bundestag hack is A LOT easier to make than the attribution of the DNC server hack. Why? Because after the Bundestag hack happened there was lots of discussion of it in the cybersecurity press, and that included discussion of how the Command & Control server at the 176.31.112[.]10 IP address was vulnerable to the Heartbleed attack.

    But how do we know that the server wasn’t being used by third parties during the Bundestag hack too? After all, not only was the same 176.31.112[.]10 Command & Control server used in both hacks, but that IP address was hard coded into the malware used in both attacks. In other words, “APT28” was already acting rather ‘buggy’ during the Bundestag hack and hackers had been seeking out Heartbleed-vulnerable servers almost immediately after Heartbleed was disclosed:

    Thomson Reuters

    Heartbleed bug-affected servers being sought by hackers
    ‘Now it is amateur hour. Everybody is doing it.’

    Posted: Apr 10, 2014 11:19 AM ET Last Updated: Apr 10, 2014 7:03 PM ET

    Researchers have observed sophisticated hacking groups conducting automated scans of the internet in search of web servers vulnerable to the theft of data, including passwords, confidential communications and credit card numbers, due to the Heartbleed bug.

    Servers may be vulnerable to the bug if they run popular versions of a web encryption program known as OpenSSL used on about two-thirds of all web servers. The issue has gone undetected for about two years.

    Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

    That number had increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.

    “The problem is insidious,” Baumgartner said. “Now it is amateur hour. Everybody is doing it.”

    It isn’t known whether any data has actually been stolen by hackers or cybercriminals making use of the bug in the past couple of years, as such thefts would normally be undetectable.

    However, at least one technology specialist has reported signs that the Heartbleed bug may have already been exploited. Terrence Koeman, chief technology officer for the digital production agency MediaMonks, told the technology news site Ars Technica that he had detected scans for the vulnerability dating back to November 2013. And he said the scans came from a network suspected of harbouring “bot” servers — zombie computers controlled over the internet by cybercriminals using malware.

    OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

    “There is nothing users can do to fix their computers,” said Mikko Hypponen, chief research officer with security software maker F-Secure.

    A scan of the internet Tuesday night suggested that about a third of servers with the vulnerability had been patched at that time, reported Robert David Graham of Atlanta-based Errata Security on his blog. Still, the scan detected roughly 600,000 servers that were still vulnerable.

    ———-

    “Heartbleed bug-affected servers being sought by hackers”; Thomson Reuters; 04/10/2014

    “The problem is insidious…Now it is amateur hour. Everybody is doing it.”

    Everybody is doing it. That was the situation in April of 2014 after scanning tools that allowed people to scan the web for vulnerable servers were released. And yet the APT28 server used in both the Bundestag hacks and the DNC server hack was still apparently vulnerable to Heartbleed in 2015!

    So, again, was the Bundestag hack even done by “APT28” or just some random group that hijacked a server that had been previously attributed to APT28-ish behavior? It’s a pretty crucial question. Especially when you consider the article below from June of 2015 (before the DNC server hack) that explicitly pointed out how the server at 176.31.112[.]10 inexplicably hard coded into the Bundestag hack malware was vulnerable to Heartbleed. Not only does the article point out this vulnerability, but it also notes how the use of the particular malware “XTunnel” that was communicating with that server was not at that time a known technical indicator associated with APT28. In other words, the malware with the oddly hard coded IP address to the Heartbleed vulnerable server was new behavior for APT28:

    Netzpolitik.org

    Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag

    on 19.06.2015, guest post

    Servers of The Left in German Bundestag have been infected with malware, apparently by a state-sponsored group of Russian origin. This is the summary of an analysis by an IT security researcher, which we publish in full. The in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the malware.

    This analysis of security researcher Claudio Guarnieri was originally written for The Left in German Bundestag. We’re publishing it here with permission from The Left.

    A German translation of this report is also available.

    Summary of Findings

    Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure. One is an open source utility used to remotely issue commands on a Windows host from a Linux host. The other is a custom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the attackers to maintain persistence within the compromised network.

    The combination of the two utilities seems to be enough for the attackers to maintain a foothold inside the network, harvest data, and exfiltrate all the information they deemed interesting. It is, however, possible that there are additional malicious artifacts which have not yet been discovered.

    Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28). Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin.

    Artifacts

    The first artifact – identified across this report as Artifact #1 – has the following attributes:

    Name: winexesvc.exe
    Size: 23552
    MD5: 77e7fb6b56c3ece4ef4e93b6dc608be0
    SHA1: f46f84e53263a33e266aae520cb2c1bd0a73354e
    SHA256: 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d

    The second artifact – identified across this report as Artifact #2 – has the following attributes:

    Name: svchost.exe.exe
    Size: 1062912
    MD5: 5e70a5c47c6b59dae7faf0f2d62b28b3
    SHA1: cdeea936331fcdd8158c876e9d23539f8976c305
    SHA256: 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
    Compile Time: 2015-04-22 10:49:54

    Analysis of Artifact #1

    Artifact #1 was retrieved from a File Server operated by Die Linke. The file is a 64bit-compatible compiled binary of the open source utility Winexe. Winexe is software similar to the more popular PSExec and is designed to allow system administrators to execute commands on remote servers. While commercial solutions like Symantec pcAnywhere provide a larger feature-set, Winexe is lightweight, and doesn’t require any installation or configuration. One of the reasons Winexe is preferred over PSExec, is that it provides a Linux client, while PSExec doesn’t.

    Attackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across compromised networks. Besides providing the ability to execute arbitrary commands on the target system, these utilities normally don’t raise suspicion as they are commonly whitelisted by Antivirus and other commercial security software.

    Winexe acts as a Windows service that can be configured to automatically start at boot and silently wait for incoming commands over a named pipe. Named pipes are a Windows inter-process communication method. Through named pipes, processes are able to communicate and exchange data even over a network. In the case of Artifact #1, the name of the pipe is „ahexec“; computers over the network could access the pipe server by simply opening a file handle on „\\ServerName\pipe\ahexec“.

    Once connected to the pipe, a user or a program can easily provide information required to execute a command (just as they would normally through a command-line). The provided information is then passed to a „CreateProcessAsUserA“ call and the specified command is executed.

    Once inside the network, Artifact #1 can be enough for the attacker to download or create additional scripts, execute commands and exfiltrate data (for example, simply through ftp). It is plausible that Artifact #1 could be present on other servers under different names, although it is also likely that the attacker only left it on servers to which they required maintenance of persistent access.

    It is important that all the deployments of this utility are identified and removed, as they are self-sufficient and they provide easy and open access to execute commands on the host, potentially with administrator privileges.

    Analysis of Artifact #2

    Artifact #2 was recovered from the Admin Controller operated by Die Linke. This is custom malware, which despite large file size (1,1 MB), provides limited functionality. Artifact #2 operates as a backchannel for the attacker to maintain a foothold inside the compromised network. The properties of the artifact show that the same authors of the malware seem to have called it „Xtunnel“. As the same name suggests, the artifact appears in fact to act as a tunnel for the attacker to remotely access the internal network and maintain persistence.

    After initialization, the artifact will attempt to establish a connection by creating a socket. In case of failure, it will sleep for three seconds and try again. The authors of the malware didn’t appear to have spent any effort in concealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in clear-text inside the binary. We can observe below, the procedure through which the artifact attempts to establish a connection with the IP address „176.31.112.10“:
    [see screenshot of how “Artifact 2” connects to the IP address 176.31.112.10]
    This specific IP address is a critical piece of information that enables us to connect this attack to a spree of previous targeted campaigns. The details of this attribution are explained in a dedicated section below. We will refer to this IP address as „Command & Control“ (or „C&C“).

    The artifact is capable of receiving multiple arguments, including -Si, -Sp, -Up, -Pp, -Pi and -SSL. Following are the beaconing packets the artifact will send to Command & Control:

    -Si
    00000000 2a 00 00 00                                      *...
    00000004 b2 23 16 85 ee 59 52 a6 79 3a 2a e2 da 11 c0 1b  .#...YR. y:*.....
    00000014 de 77 ea 47 35 11 de 8a 76 1a ee 16 d9 fd 28 0d  .w.G5... v.....(.

    -Sp
    00000000 22 00 00 00                                      "...
    00000004 90 ac c6 39 09 b6 23 72 9d 36 a6 3b 2e b7 02 ce  ...9..#r .6.;....
    00000014 dd 09 d4 e4 d3 e6 01 5f 6a 37 b2 39 01 b4 0a af  ......._ j7.9....

    -Up
    00000000 07 00 00 00                                      ....
    00000004 7e e2 82 05 74 be 3f 9b 8e 6a dc 5c d1 fe 85 f7  ~...t.?. .j.\....
    00000014 5f 33 26 6e 5e 62 c1 0e c0 da a3 b3 6c f9 ca 88  _3&n^b.. ....l...

    If the argument -SSL is given through command-line to the artifact, these beacons will be encapsulated in an SSL connection and a proper TLS handshake will be initiated with the C&C.

    Interestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually large size of the binary. More importantly, the Command & Control server (176.31.112.10) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability.

    Attribution

    While attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of such attribution, previous work by security vendor FireEye suggests the group might be of Russian origin, however no evidence allows to tie the attacks to governments of any particular country.

    Sofacy is a group dedicated to the compromise of high-profile targets and the theft of confidential information. They appear to have been active since 2006. They are believed to have successfully attacked the Ministries of Internal and Foreign Affairs of several ex-Soviet countries, as well as Eastern European governments and military institutions, and NATO and the White House.

    Sofacy is known for making extensive use of phishing attacks to lure targets into revealing their credentials via realistic reconstruction of internal systems, such as webmails, as employed against the Georgian Ministry of Internal Affairs in the infamous attacks that preceded the Georgian invasion of 2008:

    [see screenshot of fake website used against the Georgian Ministry of Internal Affairs]

    In order to make the phishing attempts more credible, Sofacy Group has made use of „typosquatting“, intentionally using spelling mistakes (for example, replacing letters „i“ with „l“ and „g“ with „q“, or by adding punctuation) to register domains very similar to the original legitimate ones:

    While Sofacy is also known to make use of custom exploit frameworks and spear-phishing attacks, it is possible in this case that they managed to obtain privileged credentials of network administrators within the Bundestag through the use of a phishing attack, which then allowed them to navigate through the network and gain access to more data. It is worth noting that shortly before the attack, security vendors reported the use of 0-day exploits in Flash Player and Microsoft Windows by the same threat actor.

    Shared Command & Control infrastructure

    While the artifacts don’t appear to show attributes useful for attribution, the network infrastructure used during the attack led instead to interesting results. During investigation of the Command & Control server (with IP „176.31.112.10“ hardcoded in Artifact #2), we managed to identify some operational mistakes made by the attackers, allowing us to connect the incident with attacks previously associated with the Sofacy Group.

    The address, 176.31.112.10, is a dedicated server provided by the French OVH hosting company, but is apparently operated by an offshore secure hosting company called CrookServers.com and seemingly located in Pakistan:

    Company Address:
    MUAnetworks
    U ashraf
    Village Kakra Town
    Mirpur AJK
    Pakistan

    It is common for attackers to make use of offshore hosting facilities which are less likely to cooperate with law enforcement on takedown requests or requests of disclosure of their customers‘ identity.

    CrookServers appears to have servers scattered in a number of datacenters and dedicated server hosting providers around the world.

    By researching historical data relevant to C&C 176.31.112.10, we discovered that on February 16th 2015, the server was sharing an SSL certificate with another IP address allocated to CrookServers and also hosted at OVH: „213.251.187.145“.

    The recovered shared SSL certificate, obtained by a public internet-wide scanning initiative, at the time had the following attributes:

    MD5 b84b66bcdecd4b4529014619ed649d76
    SHA1 fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c
    Algorithm sha1WithRSAEncryption
    Self-Signed No
    Subject C: GB
    L: Salford
    ST: Greater Manchester
    CN: mail.mfa.gov.ua
    O: COMODO CA Limited
    all: C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=mail.mfa.gov.ua
    Serial 16474505314457171426
    Not before 20140414083521Z
    Not after 20410830083521Z

    As shown, the certificate uses „mail.mfa.gov.ua“ as a Common Name. This suggests that this certificate might have been previously used for a similar attack against the Ukrainian Ministry of Foreign Affairs, or associated targets, although there is no documentation of such attack available to the public.

    More importantly, the IP address this certificate was shared with – 213.251.187.145 – was previously identified as used by Sofacy Group for phishing attacks against Albanian government institutions by registering the domain „qov.al“ (notice, the letter „q“ instead of „g“) and creating realistic subdomains to lure victims into visiting. The domain was active on the IP 213.251.187.145 from July 2014 up until March 2015.

    These attacks against Albanian government institutions by the Sofacy Group were documented and reported by consultancy corporate PwC in December 2014. It is worth noting that this server also seems to be operated by CrookServers, since among other domains, 454-reverse.crookservers.net resolved to the same IP address.

    Similar Artifacts and root9B report

    While the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular Artifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.

    Nevertheless, on May 12th 2015 (a few weeks after the attack against Bundestag appears to have started) the American security firm root9B released a report containing details on malware samples very similar to Artifact #2. The report also includes a mention of the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10).

    While the report appears to contain numerous inaccuracies, some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy.

    Following are hashes for malware artifacts showing very similar attributes to Artifact #2:

    566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092

    ———-

    “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag” by Gastbeitrag; Netzpolitik.org; 06/19/2015

    “While the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular Artifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.”

    “Artifact #2” – the “Xtunnel” malware with the 176.31.112[.]10 hardcoded IP address – is “not publicly recognized to be part of the more traditional arsenal of these attackers.” It’s all rather odd.

    And note that “XTunnel” was amateurish and widely available for any hacker:

    Counter Punch

    Did the Russians Really Hack the DNC?

    by Gregory Elich
    January 13, 2017

    Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

    How substantial is the evidence backing these assertions?

    APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

    Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

    One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

    “Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

    ———-

    “Did the Russians Really Hack the DNC?” by Gregory Elich; Counter Punch; 01/13/2017

    “APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.”

    So if “APT28” did the Bundestag hack, they suddenly changed their behavior by using unsophisticated code communicating with a server that had been open to 3rd party hijacking for well over a year. Pretty odd!

    And note in the June 2015 netzpolitik.org article how that same 176.31.112.10 had previously been attributed to Sofacy/APT28/Fancy Bear by the cybersecurity firm root9B. A report with an abundance of flaws:


    Similar Artifacts and root9B report

    While the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular Artifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.

    Nevertheless, on May 12th 2015 (a few weeks after the attack against Bundestag appears to have started) the American security firm root9B released a report containing details on malware samples very similar to Artifact #2. The report also includes a mention of the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10).

    While the report appears to contain numerous inaccuracies, some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy.

    “While the report appears to contain numerous inaccuracies, some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy.”

    Yep, just weeks after the Bundestag hack, a really flawed report from root9B claimed to associate that same command & control server with Sofacy. And while the netzpolitik.org article described the report as largely correct despite the inaccuracies, other experts weren’t so impressed:

    Krebs on Security

    Security Firm Redefines APT: African Phishing Threat

    Brian Krebs
    May 20, 2015

    A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

    The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” and it’s a term much used among companies that sell cybersecurity services in response to breaches from state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

    “While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said was targeting financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

    “It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

    However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

    The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

    The problem with that linkage is although carbon2u[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2u home for their DNS operations, including these clowns.

    From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

    For example, most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “adeweb2001@yahoo.com,” “adeweb2007@yahoo.com,” and “rolexzad@yahoo.com”.

    Each of these emails have long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

    The domain rolexad[dot]com was flagged as early as 2008 by aa419.org, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

    I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

    “Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

    Blasco’s comments may sound harsh, but it is true that root9B Chairman Joe Grano bought large quantities of the firm’s stock roughly a week before issuing this report. On May 14, 2015, root9B issued its first quarter 2015 financial results.

    There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.

    ———-

    “Security Firm Redefines APT: African Phishing Threat” by Brian Krebs; Krebs on Security; 05/20/2015

    “However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

    As far as Brian Krebs can tell, root9B’s attribution to Sofacy/APT28/Fancy Bear of a particular looming attack on one of their clients (a preemptive defense) was based on some shared domain name server between past hacks attributed to Sofacy and the hackers they were observing on their client’s systems. And as Krebs points out, that shared domain name server had plenty of other ‘badness’ associated with it. Including Nigerian phishing scammers:


    The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

    The problem with that linkage is although carbon2u[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2u home for their DNS operations, including these clowns.

    From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

    Were the hackers root9B identified as ‘Sofacy’ just a bunch of Nigerian scammers? Or perhaps hackers that utilized some of the same infrastructure, like domain name servers, with Nigerian scammers? That’s the conclusion Brian Krebs and others arrived at after reading the report.

    And if you download the report (available here, although be sure to only click the green “Download” button and not all the ads that are trying to get you to download freeware/spyware) you will find them referencing that same 176.31.112.10 IP address as the command & control server they attribute to Sofacy/APT28/Fancy Bear. It’s just one more example of how that 176.31.112.10 server keeps getting attributed to APT28 on rather questionable grounds.

    Now, it’s entirely possible that a Russian hacking group APT28 was operating the 176.31.112.10 and running all sorts of hacking campaigns from it. But the point is that technical indicators used to attribute a hack to that group aren’t exactly compelling. Especially when that server is open to the Heartbleed attack. And especially when that server’s vulnerability to the Heartbleed attack is published for the world to read about. And in the case of the DNC server hack in the fall of 2015, that vulnerability was published. It was known.

    But even for the Bundestag hack, which happened before that Heartbleed vulnerability was published for that specific server, it’s not like there were hacking groups systematically scanning the internet looking for vulnerable servers. And as we saw in the netzpolitik.org article, the Bundestag hack’s use of the relatively unsophisticated “XTunnel” malware and the hardcoded IP address were not ‘artifacts’ previously associated with APT28.

    Sure, it’s possible that a Russian government hacking group is intentionally using unsophisticated malware for some mysterious reason that doesn’t hide what it’s doing and hard codes the IP address to the command & control server that’s vulnerable to a Heartbleed attack. It’s possible. It’s just very possible that it was someone else. For both the DNC hack and the Bundestag hack, which is a pretty big deal when it comes to the business of attribution. Especially when the attribution of the DNC hack refers to the attribution of the Bundestag hack.

    Posted by Pterrafractyl | July 18, 2017, 8:24 pm
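The typosquatting pattern described in the netzpolitik.org report quoted in the comment above („i“ written as „l“, „g“ written as „q“, added punctuation, as in „qov.al“) can be checked for on the defender's side by comparing observed hostnames against a list of protected domains. This is an added example, not part of the comment or of the report; the hostnames under qov.al and the `ministry.example` domain are constructed, and treating "punctuation" as inserted hyphens is an assumption.

```python
# Added example: flag look-alike hostnames built with the substitutions named in
# the quoted report ("i" as "l", "g" as "q", added punctuation).

# Each confusable pair collapses to one representative letter, so a swap in
# either direction produces the same comparison form.
CONFUSABLE = str.maketrans({"l": "i", "q": "g"})

# Constructed sample data (not taken from any report or log).
PROTECTED = ["gov.al", "ministry.example"]
OBSERVED = [
    "mail.mfa.qov.al",           # "g" written as "q"
    "webmail.mlnistry.example",  # "i" written as "l"
    "login.mini-stry.example",   # added hyphen
    "portal.ministry.example",   # genuine subdomain
    "www.gov.al",                # genuine subdomain
    "qovernment-news.example",   # unrelated name, should not match
]


def normalise(host):
    """Lower-case a hostname and drop surrounding space and the trailing root dot."""
    return host.strip().lower().rstrip(".")


def skeleton(host):
    """Comparison form: per label, remove hyphens and collapse confusable letters.

    Assumption: "adding punctuation" means inserted hyphens, the only punctuation
    allowed inside a DNS label. Inserted dots are not handled here.
    """
    labels = normalise(host).split(".")
    return ".".join(lab.replace("-", "").translate(CONFUSABLE) for lab in labels)


def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def find_lookalikes(observed, protected, allow=()):
    """Return (observed_host, imitated_domain) pairs for review.

    A host is flagged when it is NOT under a protected or allow-listed domain,
    yet its skeleton equals, or is a subdomain of, a protected domain's skeleton.
    The result is a list of candidates for an analyst, not a verdict.
    """
    protected = [normalise(p) for p in protected]
    trusted = protected + [normalise(a) for a in allow]
    by_skeleton = {skeleton(p): p for p in protected}

    hits = []
    for raw in observed:
        host = normalise(raw)
        if any(is_under(host, t) for t in trusted):
            continue  # really belongs to a domain we trust
        host_sk = skeleton(host)
        for prot_sk, prot in by_skeleton.items():
            if is_under(host_sk, prot_sk):
                hits.append((host, prot))
                break
    return hits


if __name__ == "__main__":
    for host, imitated in find_lookalikes(OBSERVED, PROTECTED):
        print(f"{host} imitates {imitated}")
```

Because the letter collapse is applied to every label, a legitimate domain that differs from a protected one only by a confusable letter in the TLD (for example `gov.ai` against `gov.al`) is flagged too; the `allow` parameter exists for such cases.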
  7. Uhhhh….so Donald Trump is now tweeting about his “complete power to pardon”. Seriously, he’s actually tweeting about it:

    Talking Points Memo
    Livewire

    Trump Asserts His ‘Complete Power’ To Pardon

    By Cristina Cabrera Published July 22, 2017 11:07 am

    President Donald Trump fired up his Twitter on Saturday morning to claim his “complete power to pardon” following reports that he had been asking about being able to pardon his friends, family, and himself in connection to the Russia probe.

    While all agree the U. S. President has the complete power to pardon, why think of that when only crime so far is LEAKS against us.FAKE NEWS— Donald J. Trump (@realDonaldTrump) July 22, 2017

    Talks of pardons arose with additional reports of Trump’s legal team trying to find ways to undermine special counsel Robert Mueller’s investigation into possible collusion between Russia and the Trump campaign.

    Trump’s lack of control over the probe has reportedly prompted him and his legal team to dig up reasons to discredit or possibly even fire Mueller.

    ——–

    “Trump Asserts His ‘Complete Power’ To Pardon” by Cristina Cabrera; Talking Points Memo; 07/22/2017

    “While all agree the U. S. President has the complete power to pardon, why think of that when only crime so far is LEAKS against us.FAKE NEWS— Donald J. Trump (@realDonaldTrump) July 22, 2017”

    We’ve crossed the Rubicon. Via Twitter. Maybe. We’ll see. It sort of depends on how the US collectively responds to a president acting as guilty as he possibly could.

    And while this behavior is no doubt going to be seen as an admission that ALL of the suspicions related to Russian interference in the US election are true, it’s important to keep in mind what events preceded this sudden pardon talk. It wasn’t the investigation into the 2016 election hacks. It’s the talk that Special Counsel Robert Mueller is going to be looking into Trump’s long and shady business history with Russian oligarchs and mobsters. A history that appears to involve using Trump properties as money-laundering vehicles. Once Trump got wind that that whole history was going to become part of the Russian collusion probe, that’s when we started getting reports about Trump’s sudden interest in pardons.

    And this is all part of why it’s so important to recognize all the various clues that point towards the 2016 hacks being done by someone trying to leave “I’m a Russian hacker!” clues and, in the case of the APT28/Fancy Bear hacks, being done by someone using a hacked server that had been previously identified as an APT28 server. Because while it’s entirely plausible that someone – like maybe neo-Nazi hacker Andrew Auernheimer or maybe someone Roger Stone delegated to carry out the hacks – who wanted to help the Trump campaign, but who wasn’t familiar with his extensive history dealing with shady Russian mobster characters, would have thought it was a good idea to carry out a hack and make it look like some Russians did it, it’s a lot harder to imagine that actual Russian government or Russian underworld figures would have done the same thing. Even if the Russian government and mob wanted to help Donald Trump win. Because as the following piece by Craig Unger extensively documents, if there was one area of Donald Trump’s past he really wouldn’t want to draw attention to when running for public office, that would be his history as a Russian money laundromat. And the Russians using his laundromat services presumably wouldn’t be super happy to draw attention to this either:

    The New Republic

    Trump’s Russian Laundromat
    How to use Trump Tower and other luxury high-rises to clean dirty money, run an international crime syndicate, and propel a failed real estate developer into the White House.

    By Craig Unger
    July 13, 2017

    In 1984, a Russian émigré named David Bogatin went shopping for apartments in New York City. The 38-year-old had arrived in America seven years before, with just $3 in his pocket. But for a former pilot in the Soviet Army—his specialty had been shooting down Americans over North Vietnam—he had clearly done quite well for himself. Bogatin wasn’t hunting for a place in Brighton Beach, the Brooklyn enclave known as “Little Odessa” for its large population of immigrants from the Soviet Union. Instead, he was fixated on the glitziest apartment building on Fifth Avenue, a gaudy, 58-story edifice with gold-plated fixtures and a pink-marble atrium: Trump Tower.

    A monument to celebrity and conspicuous consumption, the tower was home to the likes of Johnny Carson, Steven Spielberg, and Sophia Loren. Its brash, 38-year-old developer was something of a tabloid celebrity himself. Donald Trump was just coming into his own as a serious player in Manhattan real estate, and Trump Tower was the crown jewel of his growing empire. From the day it opened, the building was a hit—all but a few dozen of its 263 units had sold in the first few months. But Bogatin wasn’t deterred by the limited availability or the sky-high prices. The Russian plunked down $6 million to buy not one or two, but five luxury condos. The big check apparently caught the attention of the owner. According to Wayne Barrett, who investigated the deal for the Village Voice, Trump personally attended the closing, along with Bogatin.

    If the transaction seemed suspicious—multiple apartments for a single buyer who appeared to have no legitimate way to put his hands on that much money—there may have been a reason. At the time, Russian mobsters were beginning to invest in high-end real estate, which offered an ideal vehicle to launder money from their criminal enterprises. “During the ’80s and ’90s, we in the U.S. government repeatedly saw a pattern by which criminals would use condos and high-rises to launder money,” says Jonathan Winer, a deputy assistant secretary of state for international law enforcement in the Clinton administration. “It didn’t matter that you paid too much, because the real estate values would rise, and it was a way of turning dirty money into clean money. It was done very systematically, and it explained why there are so many high-rises where the units were sold but no one is living in them.” When Trump Tower was built, as David Cay Johnston reports in The Making of Donald Trump, it was only the second high-rise in New York that accepted anonymous buyers.

    In 1987, just three years after he attended the closing with Trump, Bogatin pleaded guilty to taking part in a massive gasoline-bootlegging scheme with Russian mobsters. After he fled the country, the government seized his five condos at Trump Tower, saying that he had purchased them to “launder money, to shelter and hide assets.” A Senate investigation into organized crime later revealed that Bogatin was a leading figure in the Russian mob in New York. His family ties, in fact, led straight to the top: His brother ran a $150 million stock scam with none other than Semion Mogilevich, whom the FBI considers the “boss of bosses” of the Russian mafia. At the time, Mogilevich—feared even by his fellow gangsters as “the most powerful mobster in the world”—was expanding his multibillion-dollar international criminal syndicate into America.

    Since Trump’s election as president, his ties to Russia have become the focus of intense scrutiny, most of which has centered on whether his inner circle colluded with Russia to subvert the U.S. election. A growing chorus in Congress is also asking pointed questions about how the president built his business empire. Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, has called for a deeper inquiry into “Russian investment in Trump’s businesses and properties.”

    The very nature of Trump’s businesses—all of which are privately held, with few reporting requirements—makes it difficult to root out the truth about his financial deals. And the world of Russian oligarchs and organized crime, by design, is shadowy and labyrinthine. For the past three decades, state and federal investigators, as well as some of America’s best investigative journalists, have sifted through mountains of real estate records, tax filings, civil lawsuits, criminal cases, and FBI and Interpol reports, unearthing ties between Trump and Russian mobsters like Mogilevich. To date, no one has documented that Trump was even aware of any suspicious entanglements in his far-flung businesses, let alone that he was directly compromised by the Russian mafia or the corrupt oligarchs who are closely allied with the Kremlin. So far, when it comes to Trump’s ties to Russia, there is no smoking gun.

    But even without an investigation by Congress or a special prosecutor, there is much we already know about the president’s debt to Russia. A review of the public record reveals a clear and disturbing pattern: Trump owes much of his business success, and by extension his presidency, to a flow of highly suspicious money from Russia. Over the past three decades, at least 13 people with known or alleged links to Russian mobsters or oligarchs have owned, lived in, and even run criminal activities out of Trump Tower and other Trump properties. Many used his apartments and casinos to launder untold millions in dirty money. Some ran a worldwide high-stakes gambling ring out of Trump Tower—in a unit directly below one owned by Trump. Others provided Trump with lucrative branding deals that required no investment on his part. Taken together, the flow of money from Russia provided Trump with a crucial infusion of financing that helped rescue his empire from ruin, burnish his image, and launch his career in television and politics. “They saved his bacon,” says Kenneth McCallion, a former assistant U.S. attorney in the Reagan administration who investigated ties between organized crime and Trump’s developments in the 1980s.

    It’s entirely possible that Trump was never more than a convenient patsy for Russian oligarchs and mobsters, with his casinos and condos providing easy pass-throughs for their illicit riches. At the very least, with his constant need for new infusions of cash and his well-documented troubles with creditors, Trump made an easy “mark” for anyone looking to launder money. But whatever his knowledge about the source of his wealth, the public record makes clear that Trump built his business empire in no small part with a lot of dirty money from a lot of dirty Russians—including the dirtiest and most feared of them all.

    Trump made his first trip to Russia in 1987, only a few years before the collapse of the Soviet Union. Invited by Soviet Ambassador Yuri Dubinin, Trump was flown to Moscow and Leningrad—all expenses paid—to talk business with high-ups in the Soviet command. In The Art of the Deal, Trump recounted the lunch meeting with Dubinin that led to the trip. “One thing led to another,” he wrote, “and now I’m talking about building a large luxury hotel, across the street from the Kremlin, in partnership with the Soviet government.”

    Over the years, Trump and his sons would try and fail five times to build a new Trump Tower in Moscow. But for Trump, what mattered most were the lucrative connections he had begun to make with the Kremlin—and with the wealthy Russians who would buy so many of his properties in the years to come. “Russians make up a pretty disproportionate cross section of a lot of our assets,” Donald Trump Jr. boasted at a real estate conference in 2008. “We see a lot of money pouring in from Russia.”

    The money, illicit and otherwise, began to rain in earnest after the Soviet Union fell in 1991. President Boris Yeltsin’s shift to a market economy was so abrupt that cash-rich gangsters and corrupt government officials were able to privatize and loot state-held assets in oil, coal, minerals, and banking. Yeltsin himself, in fact, would later describe Russia as “the biggest mafia state in the world.” After Vladimir Putin succeeded Yeltsin as president, Russian intelligence effectively joined forces with the country’s mobsters and oligarchs, allowing them to operate freely as long as they strengthen Putin’s power and serve his personal financial interests. According to James Henry, a former chief economist at McKinsey & Company who consulted on the Panama Papers, some $1.3 trillion in illicit capital has poured out of Russia since the 1990s.

    At the top of the sprawling criminal enterprise was Semion Mogilevich. Beginning in the early 1980s, according to the FBI, the short, squat Ukrainian was the key money-laundering contact for the Solntsevskaya Bratva, or Brotherhood, one of the richest criminal syndicates in the world. Before long, he was running a multibillion-dollar worldwide racket of his own. Mogilevich wasn’t feared because he was the most violent gangster, but because he was reputedly the smartest. The FBI has credited the “brainy don,” who holds a degree in economics from Lviv University, with a staggering range of crimes. He ran drug trafficking and prostitution rings on an international scale; in one characteristic deal, he bought a bankrupt airline to ship heroin from Southeast Asia into Europe. He used a jewelry business in Moscow and Budapest as a front for art that Russian gangsters stole from museums, churches, and synagogues all over Europe. He has also been accused of selling some $20 million in stolen weapons, including ground-to-air missiles and armored troop carriers, to Iran. “He uses this wealth and power to not only further his criminal enterprises,” the FBI says, “but to influence governments and their economies.”

    Mogilevich’s greatest talent, the one that places him at the top of the Russian mob, is finding creative ways to cleanse dirty cash. According to the FBI, he has laundered money through more than 100 front companies around the world, and held bank accounts in at least 27 countries. And in 1991, he made a move that led directly to Trump Tower. That year, the FBI says, Mogilevich paid a Russian judge to spring a fellow mob boss, Vyacheslav Kirillovich Ivankov, from a Siberian gulag. If Mogilevich was the brains, Ivankov was the enforcer—a vor v zakone, or “made man,” infamous for torturing his victims and boasting about the murders he had arranged. Sprung by Mogilevich, Ivankov made the most of his freedom. In 1992, a year after he was released from prison, he headed to New York on an illegal business visa and proceeded to set up shop in Brighton Beach.

    In Red Mafiya, his book about the rise of the Russian mob in America, investigative reporter Robert I. Friedman documented how Ivankov organized a lurid and violent underworld of tattooed gangsters. When Ivankov touched down at JFK, Friedman reported, he was met by a fellow vor, who handed him a suitcase with $1.5 million in cash. Over the next three years, Ivankov oversaw the mob’s growth from a local extortion racket to a multibillion-dollar criminal enterprise. According to the FBI, he recruited two “combat brigades” of Special Forces veterans from the Soviet war in Afghanistan to run the mafia’s protection racket and kill his enemies.

    Like Mogilevich, Ivankov had a lot of dirty money he needed to clean up. He bought a Rolls-Royce dealership that was used, according to The New York Times, “as a front to launder criminal proceeds.” The FBI concluded that one of Ivankov’s partners in the operation was Felix Komarov, an upscale art dealer who lived in Trump Plaza on Third Avenue. Komarov, who was not charged in the case, called the allegations baseless. He acknowledged that he had frequent phone conversations with Ivankov, but insisted the exchanges were innocent. “I had no reason not to call him,” Komarov told a reporter.

    The feds wanted to arrest Ivankov, but he kept vanishing. “He was like a ghost to the FBI,” one agent recalls. Agents spotted him meeting with other Russian crime figures in Miami, Los Angeles, Boston, and Toronto. They also found he made frequent visits to Trump Taj Mahal in Atlantic City, which mobsters routinely used to launder huge sums of money. In 2015, the Taj Mahal was fined $10 million—the highest penalty ever levied by the feds against a casino—and admitted to having “willfully violated” anti-money-laundering regulations for years.

    The FBI also struggled to figure out where Ivankov lived. “We were looking around, looking around, looking around,” James Moody, chief of the bureau’s organized crime section, told Friedman. “We had to go out and really beat the bushes. And then we found out that he was living in a luxury condo in Trump Tower.”

    There is no evidence that Trump knew Ivankov personally, even if they were neighbors. But the fact that a top Russian mafia boss lived and worked in Trump’s own building indicates just how much high-level Russian mobsters came to view the future president’s properties as a home away from home. In 2009, after being extradited to Russia to face murder charges, Ivankov was gunned down in a sniper attack on the streets of Moscow. According to The Moscow Times, his funeral was a media spectacle in Russia, attracting “1,000 people wearing black leather jackets, sunglasses, and gold chains,” along with dozens of giant wreaths from the various brotherhoods.

    Throughout the 1990s, untold millions from the former Soviet Union flowed into Trump’s luxury developments and Atlantic City casinos. But all the money wasn’t enough to save Trump from his own failings as a businessman. He owed $4 billion to more than 70 banks, with a mind-boggling $800 million of it personally guaranteed. He spent much of the decade mired in litigation, filing for multiple bankruptcies and scrambling to survive. For most developers, the situation would have spelled financial ruin. But fortunately for Trump, his own economic crisis coincided with one in Russia.

    In 1998, Russia defaulted on $40 billion in debt, causing the ruble to plummet and Russian banks to close. The ensuing financial panic sent the country’s oligarchs and mobsters scrambling to find a safe place to put their money. That October, just two months after the Russian economy went into a tailspin, Trump broke ground on his biggest project yet. Rising to 72 stories in midtown Manhattan, Trump World Tower would be the tallest residential building on the planet. Construction got underway in 1999—just as Trump was preparing his first run for the presidency on the Reform Party ticket—and concluded in 2001. As Bloomberg Businessweek reported earlier this year, it wasn’t long before one-third of the units on the tower’s priciest floors had been snatched up—either by individual buyers from the former Soviet Union, or by limited liability companies connected to Russia. “We had big buyers from Russia and Ukraine and Kazakhstan,” sales agent Debra Stotts told Bloomberg.

    Among the new tenants was Eduard Nektalov, a diamond dealer from Uzbekistan. Nektalov, who was being investigated by a Treasury Department task force for mob-connected money laundering, bought a condo on the seventy-ninth floor, directly below Trump’s future campaign manager, Kellyanne Conway. A month later he sold his unit for a $500,000 profit. The following year, after rumors circulated that Nektalov was cooperating with federal investigators, he was shot down on Sixth Avenue.

    Trump had found his market. After Trump World Tower opened, Sotheby’s International Realty teamed up with a Russian real estate company to make a big sales push for the property in Russia. The “tower full of oligarchs,” as Bloomberg called it, became a model for Trump’s projects going forward. All he needed to do, it seemed, was slap the Trump name on a big building, and high-dollar customers from Russia and the former Soviet republics were guaranteed to come rushing in. Dolly Lenz, a New York real estate broker, told USA Today that she sold some 65 units in Trump World Tower to Russians. “I had contacts in Moscow looking to invest in the United States,” Lenz said. “They all wanted to meet Donald.”

    To capitalize on his new business model, Trump struck a deal with a Florida developer to attach his name to six high-rises in Sunny Isles, just outside Miami. Without having to put up a dime of his own money, Trump would receive a cut of the profits. “Russians love the Trump brand,” Gil Dezer, the Sunny Isles developer, told Bloomberg. A local broker told The Washington Post that one-third of the 500 apartments he’d sold went to “Russian-speakers.” So many bought the Trump-branded apartments, in fact, that the area became known as “Little Moscow.”

    Many of the units were sold by a native of Uzbekistan who had immigrated from the Soviet Union in the 1980s; her business was so brisk that she soon began bringing Russian tour groups to Sunny Isles to view the properties. According to a Reuters investigation in March, at least 63 buyers with Russian addresses or passports spent $98 million on Trump’s properties in south Florida. What’s more, another one-third of the units—more than 700 in all—were bought by shadowy shell companies that concealed the true owners.

    The influx of Russian money did more than save Trump’s business from ruin—it set the stage for the next phase of his career. By 2004, to the outside world, it appeared that Trump was back on top after his failures in Atlantic City. That January, flush with the appearance of success, Trump launched his newly burnished brand into another medium.

    “My name’s Donald Trump,” he declared in his opening narration for The Apprentice, “the largest real estate developer in New York. I own buildings all over the place. Model agencies. The Miss Universe pageant. Jetliners, golf courses, casinos, and private resorts like Mar-a-Lago, one of the most spectacular estates anywhere in the world.”

    But it wouldn’t be Trump without a better story than that. “It wasn’t always so easy,” he confessed, over images of him cruising around New York in a stretch limo. “About 13 years ago, I was seriously in trouble. I was billions of dollars in debt. But I fought back, and I won. Big league. I used my brain. I used my negotiating skills. And I worked it all out. Now my company’s bigger than it ever was and stronger than it ever was.… I’ve mastered the art of the deal.”

    The show, which reportedly paid Trump up to $3 million per episode, instantly revived his career. “The Apprentice turned Trump from a blowhard Richie Rich who had just gone through his most difficult decade into an unlikely symbol of straight talk, an evangelist for the American gospel of success, a decider who insisted on standards in a country that had somehow slipped into handing out trophies for just showing up,” journalists Michael Kranish and Marc Fisher observe in their book Trump Revealed. “Above all, Apprentice sold an image of the host-boss as supremely competent and confident, dispensing his authority and getting immediate results. The analogy to politics was palpable.”

    But the story of Donald Trump, self-made business genius, left out any mention of the shady Russian investors who had done so much to make his comeback narrative possible. And Trump’s business, despite the hype, was hardly “stronger than it ever was”—his credit was still lousy, and two more of his prized properties in Atlantic City would soon fall into bankruptcy, even as his ratings soared.

    To further enhance his brand, Trump used his prime-time perch to unveil another big project. On the 2006 season finale of The Apprentice, as 11 million viewers waited to learn which of the two finalists was going to be fired, Trump prolonged the suspense by cutting to a promotional video for his latest venture. “Located in the center of Manhattan’s chic artist enclave, the Trump International Hotel and Tower in SoHo is the site of my latest development,” he narrated over swooping helicopter footage of lower Manhattan. The new building, he added, would be nothing less than a “$370 million work of art … an awe-inspiring masterpiece.”

    Trump SoHo was the brainchild of two development companies—Bayrock Group LLC and the Sapir Organization—run by a pair of wealthy émigrés from the former Soviet Union who had done business with some of Russia’s richest and most notorious oligarchs. Together, their firms made Trump an offer he couldn’t refuse: The developers would finance and build Trump SoHo themselves. In return for lending his name to the project, Trump would get 18 percent of the profits—without putting up any of his own money.

    One of the developers, Tamir Sapir, had followed an unlikely path to riches. After emigrating from the Soviet Union in the 1970s, he had started out driving a cab in New York City and ended up a billionaire living in Trump Tower. His big break came when he co-founded a company that sold high-tech electronics. According to the FBI, Sapir’s partner in the firm was a “member or associate” of Ivankov’s mob in Brighton Beach. No charges were ever filed, and Sapir denied having any mob ties. “It didn’t happen,” he told The New York Times. “Everything was done in the most legitimate way.”

    Trump, who described Sapir as a “great friend,” bought 200 televisions from his electronics company. In 2007, he hosted the wedding of Sapir’s daughter at Mar-a-Lago, and later attended her infant son’s bris.

    Sapir also introduced Trump to Tevfik Arif, his partner in the Trump SoHo deal. On paper, at least, Arif was another heartwarming immigrant success story. He had graduated from the Moscow Institute of Trade and Economics and worked as a Soviet trade and commerce official for 17 years before moving to New York and founding Bayrock. Practically overnight, Arif became a wildly successful developer in Brooklyn. In 2002, after meeting Trump, he moved Bayrock’s offices to Trump Tower, where he and his staff of Russian émigrés set up shop on the twenty-fourth floor.

    Trump worked closely with Bayrock on real estate ventures in Russia, Ukraine, and Poland. “Bayrock knew the investors,” he later testified. Arif “brought the people up from Moscow to meet with me.” He boasted about the deal he was getting: Arif was offering him a 20 to 25 percent cut on his overseas projects, he said, not to mention management fees. “It was almost like mass production of a car,” Trump testified.

    But Bayrock and its deals quickly became mired in controversy. Forbes and other publications reported that the company was financed by a notoriously corrupt group of oligarchs known as The Trio. In 2010, Arif was arrested by Turkish prosecutors and charged with setting up a prostitution ring after he was found aboard a boat—chartered by one of The Trio—with nine young women, two of whom were 16 years old. The women reportedly refused to talk, and Arif was acquitted. According to a lawsuit filed that same year by two former Bayrock executives, Arif started the firm “backed by oligarchs and money they stole from the Russian people.” In addition, the suit alleges, Bayrock “was substantially and covertly mob-owned and operated.” The company’s real purpose, the executives claim, was to develop hugely expensive properties bearing the Trump brand—and then use the projects to launder money and evade taxes.

    The lawsuit, which is ongoing, does not claim that Trump was complicit in the alleged scam. Bayrock dismissed the allegations as “legal conclusions to which no response is required.” But last year, after examining title deeds, bank records, and court documents, the Financial Times concluded that Trump SoHo had “multiple ties to an alleged international money-laundering network.” In one case, the paper reported, a former Kazakh energy minister is being sued in federal court for conspiring to “systematically loot hundreds of millions of dollars of public assets” and then purchasing three condos in Trump SoHo to launder his “ill-gotten funds.”

    During his collaboration with Bayrock, Trump also became close to the man who ran the firm’s daily operations—a twice-convicted felon with family ties to Semion Mogilevich. In 1974, when he was eight years old, Felix Sater and his family emigrated from Moscow to Brighton Beach. According to the FBI, his father—who was convicted for extorting local restaurants, grocery stores, and a medical clinic—was a Mogilevich boss. Sater tried making it as a stockbroker, but his career came to an abrupt end in 1991, after he stabbed a Wall Street foe in the face with a broken margarita glass during a bar fight, opening wounds that required 110 stitches. (Years later, in a deposition, Trump downplayed the incident, insisting that Sater “got into a barroom fight, which a lot of people do.”) Sater lost his trading license over the attack, and served a year in prison.

    In 1998, Sater pleaded guilty to racketeering—operating a “pump and dump” stock fraud in partnership with alleged Russian mobsters that bilked investors of at least $40 million. To avoid prison time, Sater turned informer. But according to the lawsuit against Bayrock, he also resumed “his old tricks.” By 2003, the suit alleges, Sater controlled the majority of Bayrock’s shares—and proceeded to use the firm to launder hundreds of millions of dollars, while skimming and extorting millions more. The suit also claims that Sater committed fraud by concealing his racketeering conviction from banks that invested hundreds of millions in Bayrock, and that he threatened “to kill anyone at the firm he thought knew of the crimes committed there and might report it.” In court, Bayrock has denied the allegations, which Sater’s attorney characterizes as “false, fabricated, and pure garbage.”

    By Sater’s account, in sworn testimony, he was very tight with Trump. He flew to Colorado with him, accompanied Donald Jr. and Ivanka on a trip to Moscow at Trump’s invitation, and met with Trump’s inner circle “constantly.” In Trump Tower, he often dropped by Trump’s office to pitch business ideas—“just me and him.”

    Trump seems unable to recall any of this. “Felix Sater, boy, I have to even think about it,” he told the Associated Press in 2015. Two years earlier, testifying in a video deposition, Trump took the same line. If Sater “were sitting in the room right now,” he swore under oath, “I really wouldn’t know what he looked like.” He added: “I don’t know him very well, but I don’t think he was connected to the mafia.”

    Trump and his lawyers say that he was unaware of Sater’s criminal past when he signed on to do business with Bayrock. That’s plausible, since Sater’s plea deal in the stock fraud was kept secret because of his role as an informant. But even after The New York Times revealed Sater’s criminal record in 2007, he continued to use office space provided by the Trump Organization. In 2010, he was even given an official Trump Organization business card that read: FELIX H. SATER, SENIOR ADVISOR TO DONALD TRUMP.

    Sater apparently remains close to Trump’s inner circle. Earlier this year, one week before National Security Advisor Michael Flynn was fired for failing to report meetings with Russian officials, Trump’s personal attorney reportedly hand-delivered to Flynn’s office a “back-channel plan” for lifting sanctions on Russia. The co-author of the plan, according to the Times: Felix Sater.

    In the end, Trump’s deals with Bayrock, like so much of his business empire, proved to be more glitter than gold. The international projects in Russia and Poland never materialized. A Trump tower being built in Fort Lauderdale ran out of money before it was completed, leaving behind a massive concrete shell. Trump SoHo ultimately had to be foreclosed and resold. But his Russian investors had left Trump with a high-profile property he could leverage. The new owners contracted with Trump to run the tower; as of April, the president and his daughter Ivanka were still listed as managers of the property. In 2015, according to the federal financial disclosure reports, Trump made $3 million from Trump SoHo.

    In April 2013, a little more than two years before Trump rode the escalator to the ground floor of Trump Tower to kick off his presidential campaign, police burst into Unit 63A of the high-rise and rounded up 29 suspects in two gambling rings. The operation, which prosecutors called “the world’s largest sports book,” was run out of condos in Trump Tower—including the entire fifty-first floor of the building. In addition, unit 63A—a condo directly below one owned by Trump—served as the headquarters for a “sophisticated money-laundering scheme” that moved an estimated $100 million out of the former Soviet Union, through shell companies in Cyprus, and into investments in the United States. The entire operation, prosecutors say, was working under the protection of Alimzhan Tokhtakhounov, whom the FBI identified as a top Russian vor closely allied with Semion Mogilevich. In a single two-month stretch, according to the federal indictment, the money launderers paid Tokhtakhounov $10 million.

    Tokhtakhounov, who had been indicted a decade earlier for conspiring to fix the ice-skating competition at the 2002 Winter Olympics, was the only suspect to elude arrest. For the next seven months, the Russian crime boss fell off the radar of Interpol, which had issued a red alert. Then, in November 2013, he suddenly appeared live on international television—sitting in the audience at the Miss Universe pageant in Moscow. Tokhtakhounov was in the VIP section, just a few seats away from the pageant owner, Donald Trump.

    After the pageant, Trump bragged about all the powerful Russians who had turned out that night, just to see him. “Almost all of the oligarchs were in the room,” he told Real Estate Weekly. Contacted by Mother Jones, Tokhtakhounov insisted that he had bought his own ticket and was not a VIP. He also denied being a mobster, telling The New York Times that he had been indicted in the gambling ring because FBI agents “misinterpreted his Russian slang” on their Trump Tower wiretaps, when he was merely placing $20,000 bets on soccer games.

    Both the White House and the Trump Organization declined to respond to questions for this story. On the few occasions he has been questioned about his business entanglements with Russians, however, Trump has offered broad denials. “I tweeted out that I have no dealings with Russia,” he said at a press conference in January, when asked if Russia has any “leverage” over him, financial or otherwise. “I have no deals that could happen in Russia, because we’ve stayed away. And I have no loans with Russia. I have no loans with Russia at all.” In May, when he was interviewed by NBC’s Lester Holt, Trump seemed hard-pressed to think of a single connection he had with Russia. “I have had dealings over the years where I sold a house to a very wealthy Russian many years ago,” he said. “I had the Miss Universe pageant—which I owned for quite a while—I had it in Moscow a long time ago. But other than that, I have nothing to do with Russia.”

    But even if Trump has no memory of the many deals that he and his business made with Russian investors, he certainly did not “stay away” from Russia. For decades, he and his organization have aggressively promoted his business there, seeking to entice investors and buyers for some of his most high-profile developments. Whether Trump knew it or not, Russian mobsters and corrupt oligarchs used his properties not only to launder vast sums of money from extortion, drugs, gambling, and racketeering, but even as a base of operations for their criminal activities. In the process, they propped up Trump’s business and enabled him to reinvent his image. Without the Russian mafia, it is fair to say, Donald Trump would not be president of the United States.

    Semion Mogilevich, the Russian mob’s “boss of bosses,” also declined to respond to questions from the New Republic. “My ideas are not important to anybody,” Mogilevich said in a statement provided by his attorney. “Whatever I know, I am a private person.” Mogilevich, the attorney added, “has nothing to do with President Trump. He doesn’t believe that anybody associated with him lives in Trump Tower. He has no ties to America or American citizens.”

    Back in 1999, the year before Trump staged his first run for president, Mogilevich gave a rare interview to the BBC. Living up to his reputation for cleverness, the mafia boss mostly joked and double-spoke his way around his criminal activities. (Q: “Why did you set up companies in the Channel Islands?” A: “The problem was that I didn’t know any other islands. When they taught us geography at school, I was sick that day.”) But when the exasperated interviewer asked, “Do you believe there is any Russian organized crime?” the “brainy don” turned half-serious.

    “How can you say that there is a Russian mafia in America?” he demanded. “The word mafia, as far as I understand the word, means a criminal group that is connected with the political organs, the police and the administration. I don’t know of a single Russian in the U.S. Senate, a single Russian in the U.S. Congress, a single Russian in the U.S. government. Where are the connections with the Russians? How can there be a Russian mafia in America? Where are their connections?”

    Two decades later, we finally have an answer to Mogilevich’s question.

    ———-

    “Trump’s Russian Laundromat” by Craig Unger; The New Republic; 07/13/2017

    “But even without an investigation by Congress or a special prosecutor, there is much we already know about the president’s debt to Russia. A review of the public record reveals a clear and disturbing pattern: Trump owes much of his business success, and by extension his presidency, to a flow of highly suspicious money from Russia. Over the past three decades, at least 13 people with known or alleged links to Russian mobsters or oligarchs have owned, lived in, and even run criminal activities out of Trump Tower and other Trump properties. Many used his apartments and casinos to launder untold millions in dirty money. Some ran a worldwide high-stakes gambling ring out of Trump Tower—in a unit directly below one owned by Trump. Others provided Trump with lucrative branding deals that required no investment on his part. Taken together, the flow of money from Russia provided Trump with a crucial infusion of financing that helped rescue his empire from ruin, burnish his image, and launch his career in television and politics. “They saved his bacon,” says Kenneth McCallion, a former assistant U.S. attorney in the Reagan administration who investigated ties between organized crime and Trump’s developments in the 1980s.”

    As we can see, Donald Trump’s business empire has been relying on money flows from the former Soviet Union for decades:


    Trump made his first trip to Russia in 1987, only a few years before the collapse of the Soviet Union. Invited by Soviet Ambassador Yuri Dubinin, Trump was flown to Moscow and Leningrad—all expenses paid—to talk business with high-ups in the Soviet command. In The Art of the Deal, Trump recounted the lunch meeting with Dubinin that led to the trip. “One thing led to another,” he wrote, “and now I’m talking about building a large luxury hotel, across the street from the Kremlin, in partnership with the Soviet government.”

    Over the years, Trump and his sons would try and fail five times to build a new Trump Tower in Moscow. But for Trump, what mattered most were the lucrative connections he had begun to make with the Kremlin—and with the wealthy Russians who would buy so many of his properties in the years to come. “Russians make up a pretty disproportionate cross section of a lot of our assets,” Donald Trump Jr. boasted at a real estate conference in 2008. “We see a lot of money pouring in from Russia.”

    And despite all that Russian money throughout the 80’s and 90’s, Trump still ran into trouble. And when he did, there was more Russian money to save him:


    Throughout the 1990s, untold millions from the former Soviet Union flowed into Trump’s luxury developments and Atlantic City casinos. But all the money wasn’t enough to save Trump from his own failings as a businessman. He owed $4 billion to more than 70 banks, with a mind-boggling $800 million of it personally guaranteed. He spent much of the decade mired in litigation, filing for multiple bankruptcies and scrambling to survive. For most developers, the situation would have spelled financial ruin. But fortunately for Trump, his own economic crisis coincided with one in Russia.

    In 1998, Russia defaulted on $40 billion in debt, causing the ruble to plummet and Russian banks to close. The ensuing financial panic sent the country’s oligarchs and mobsters scrambling to find a safe place to put their money. That October, just two months after the Russian economy went into a tailspin, Trump broke ground on his biggest project yet. Rising to 72 stories in midtown Manhattan, Trump World Tower would be the tallest residential building on the planet. Construction got underway in 1999—just as Trump was preparing his first run for the presidency on the Reform Party ticket—and concluded in 2001. As Bloomberg Businessweek reported earlier this year, it wasn’t long before one-third of the units on the tower’s priciest floors had been snatched up—either by individual buyers from the former Soviet Union, or by limited liability companies connected to Russia. “We had big buyers from Russia and Ukraine and Kazakhstan,” sales agent Debra Stotts told Bloomberg.

    And when he started the new TV celebrity phase of his career in 2004, there was even more Russian money. And a growing relationship with Bayrock Group LLC and the now notorious Felix Sater:


    The influx of Russian money did more than save Trump’s business from ruin—it set the stage for the next phase of his career. By 2004, to the outside world, it appeared that Trump was back on top after his failures in Atlantic City. That January, flush with the appearance of success, Trump launched his newly burnished brand into another medium.

    “My name’s Donald Trump,” he declared in his opening narration for The Apprentice, “the largest real estate developer in New York. I own buildings all over the place. Model agencies. The Miss Universe pageant. Jetliners, golf courses, casinos, and private resorts like Mar-a-Lago, one of the most spectacular estates anywhere in the world.”

    But the story of Donald Trump, self-made business genius, left out any mention of the shady Russian investors who had done so much to make his comeback narrative possible. And Trump’s business, despite the hype, was hardly “stronger than it ever was”—his credit was still lousy, and two more of his prized properties in Atlantic City would soon fall into bankruptcy, even as his ratings soared.

    To further enhance his brand, Trump used his prime-time perch to unveil another big project. On the 2006 season finale of The Apprentice, as 11 million viewers waited to learn which of the two finalists was going to be fired, Trump prolonged the suspense by cutting to a promotional video for his latest venture. “Located in the center of Manhattan’s chic artist enclave, the Trump International Hotel and Tower in SoHo is the site of my latest development,” he narrated over swooping helicopter footage of lower Manhattan. The new building, he added, would be nothing less than a “$370 million work of art … an awe-inspiring masterpiece.”

    Trump SoHo was the brainchild of two development companies—Bayrock Group LLC and the Sapir Organization—run by a pair of wealthy émigrés from the former Soviet Union who had done business with some of Russia’s richest and most notorious oligarchs. Together, their firms made Trump an offer he couldn’t refuse: The developers would finance and build Trump SoHo themselves. In return for lending his name to the project, Trump would get 18 percent of the profits—without putting up any of his own money.

    One of the developers, Tamir Sapir, had followed an unlikely path to riches. After emigrating from the Soviet Union in the 1970s, he had started out driving a cab in New York City and ended up a billionaire living in Trump Tower. His big break came when he co-founded a company that sold high-tech electronics. According to the FBI, Sapir’s partner in the firm was a “member or associate” of Ivankov’s mob in Brighton Beach. No charges were ever filed, and Sapir denied having any mob ties. “It didn’t happen,” he told The New York Times. “Everything was done in the most legitimate way.”

    Trump, who described Sapir as a “great friend,” bought 200 televisions from his electronics company. In 2007, he hosted the wedding of Sapir’s daughter at Mar-a-Lago, and later attended her infant son’s bris.

    Sapir also introduced Trump to Tevfik Arif, his partner in the Trump SoHo deal. On paper, at least, Arif was another heartwarming immigrant success story. He had graduated from the Moscow Institute of Trade and Economics and worked as a Soviet trade and commerce official for 17 years before moving to New York and founding Bayrock. Practically overnight, Arif became a wildly successful developer in Brooklyn. In 2002, after meeting Trump, he moved Bayrock’s offices to Trump Tower, where he and his staff of Russian émigrés set up shop on the twenty-fourth floor.

    During his collaboration with Bayrock, Trump also became close to the man who ran the firm’s daily operations—a twice-convicted felon with family ties to Semion Mogilevich. In 1974, when he was eight years old, Felix Sater and his family emigrated from Moscow to Brighton Beach. According to the FBI, his father—who was convicted for extorting local restaurants, grocery stores, and a medical clinic—was a Mogilevich boss. Sater tried making it as a stockbroker, but his career came to an abrupt end in 1991, after he stabbed a Wall Street foe in the face with a broken margarita glass during a bar fight, opening wounds that required 110 stitches. (Years later, in a deposition, Trump downplayed the incident, insisting that Sater “got into a barroom fight, which a lot of people do.”) Sater lost his trading license over the attack, and served a year in prison.

    And ALL of this is part of the public record. It’s part of why it’s amazing Trump ran for president at all. This is all part of the public record. But it’s even more amazing if the Russian government pulled off a series of high profile hacks intended to become the center of the 2016 campaign using some sort of joke hacking campaign that leaves all these “I’m a Russian hacker!” clues.

    It’s all one more big reason to seriously look in the direction of a pro-Trump hacker who may not have been fully aware of just how deeply intertwined Trump’s past is with Russian money – a hacker like Andrew Auernheimer – who carried out the hacks and thought they were being clever by framing the Russians but didn’t have any idea just how incredibly risky such a scheme would be for Trump if he actually won.

    It’s also all a pretty big explanation of why Trump is now openly talking about his pardoning powers and threatening Robert Mueller about not looking into his past business practices. There are decades of potential money-laundering charges and other corrupt practices that are just waiting to be unearthed. And all because of the incredible amount of attention being given towards Trump’s Russian ties. And that incredible amount of attention is primarily due to an incredibly high profile hacking campaign with ‘Russian fingerprints’ all over it.

    And that’s all also part of what makes this whole situation so remarkable: Trump had to know how incredibly vulnerable he would be to investigations into his past as a Russian money laundromat, and yet he stacked his campaign with people like Paul Manafort or Carter Page who, themselves, had highly questionable histories with shady Russian money and then Trump does highly conspicuous things like asking Russia to hack Hillary Clinton’s emails in the middle of the campaign. And that’s another important behavioral pattern when assessing the suspects for the hacks: while it would make little sense for either the Russian government, the Russian mob, or the Trump campaign to draw undue attention to their long history, it’s undeniable that the Trump campaign was routinely drawing attention to exactly that history by their conspicuous staffing and behavior. The Trump team apparently didn’t realize this would be a big deal. So while it’s possible a pro-Trump hacking operation that didn’t know about Trump’s vulnerability with his past ties to Russia might conduct the hacks and frame Russia, even if the hack was done by the Trump team itself we still can’t rule out that the Trump team may have done the hacks in a way to frame the Russians. Because that’s just how cavalier the Trump team has been about all this stuff from the beginning.

    So one of the big questions now is just how widespread is this pardon-o-rama going to get. Because one of the best ways to pardon himself and his family is to obscure all that in a maelstrom of pardons that could include all sorts of people. So why stop at just Trump and his family? This could become a new family business. Think about all the people who would love a pardon! How about the rest of the GOP leadership that may have participated in some sort of Trumpian coverup? How about the hacker? Or maybe like 10 random people behind bars every day with questionable prosecutions? That could play well. Heck, he could start a TV show where people plead for a pardon. And who knows, Trump is always talking about prosecuting Hillary Clinton or Barack Obama for whatever crimes they allegedly committed. Maybe he’ll pardon them for their fantasy crimes? That would sort of sweeten the deal. Or how about all the leakers? He’ll just declare a blanket pardon for them at the same time he pardons himself. Who knows where this can go, but the pardon-o-rama won’t be able to continue without Trump pardoning himself first.

    Trump the Merciful. It has a nice ring to it. Although he’d have to drop the GOP’s merciless policy agenda and have a personality transplant to really fit the role so hopefully that’s also under consideration.

    Posted by Pterrafractyl | July 22, 2017, 2:51 pm
  8. Here’s a set of articles about the strange tale of the ‘peace plan’ that was apparently hatched by a Ukrainian politician (reportedly with ties to the Kremlin, although, as we’re going to see, the guy has ties to the virulently anti-Russian “Right Sector” neo-Nazi militia) and arranged by Felix Sater and the Trump attorney Michael Cohen: First off, it’s worth noting that Cohen and Sater apparently knew each other going all the way back to their teen years growing up in the same neighborhood:

    Talking Points Memo
    Muckraker

    Trump’s Conduits For Capital From The Former Soviet Bloc Are Actually Old Pals

    By Sam Thielman
    Published July 25, 2017 4:28 pm

    Two very different men have been instrumental in introducing financiers and clients from Russia and the former Soviet bloc to the Trump Organization’s real estate machine: Felix Sater, Donald Trump’s former business partner and a convicted felon, and Michael Cohen, Trump’s brash, longtime personal attorney.

    And TPM now has learned from conversations with both Sater and Cohen that the two men know each other dating back to their teenage years, when they were acquaintances from nearby towns on Long Island. Both went on to make their fortunes in real estate, eventually working with the same big-name businessman—although they insist that neither helped the other land his gig with the Trump Organization.

    “It isn’t a family atmosphere kind of thing,” Sater said of the several years he told TPM he worked directly for Trump scouting deals, some as far afield as Moscow. “You sort of ran around and did your own deals.”

    The two men say they arrived in business with Trump through different avenues. While Cohen declined to speak broadly about Sater, he agreed to confirm or deny some of Sater’s statements and add slightly to Sater’s explanation of how the two men entered the Trump orbit independently of each other.

    “The family knew about me because I purchased several Trump apartments over the years and Don, Jr. had sold me multiple apartments at one of the properties and was combining them [into a single deal] for me,” Cohen explained.

    Sater’s tale is a little more dramatic and harder to confirm in its particulars. In his telling, he began working with one of his neighbors, a Kazakh real estate developer named Tevfik Arif, at a new firm called Bayrock, the offices of which were downstairs from the Trumps. That’s how Sater said he landed a meeting with Trump.

    “I walked in and knocked on his door and told him I was going to be the biggest developer—this is 2000, 2001—first in the United States and then worldwide,” Sater said of the President. His braggadocio paid off, he said: “We got along very, very well.”

    But the Russian money didn’t begin to flow immediately. “There were no Russian investors at that point,” he told TPM. “1998, ’99, 2000—Russians did not have any money.” The reason, Sater said with a laugh: “$8-a-barrel oil!”

    He pegged the date to when Russians finally had money to spend abroad around 2005, the same year Bayrock signed a one-year deal to explore developing a Trump Tower in Moscow. The group even proposed the site of an old pencil factory for the building, but the deal never closed.

    Long before they were seeking such deals, Cohen and Sater were running in the same circles, in the area where Brooklyn bleeds into Long Island. Cohen is from Five Towns, the informal name for a few tony suburban hamlets—more than five, less than eight—in Nassau County, east of Jamaica Bay. Sater hails from the less genteel Brooklyn neighborhoods of Brighton Beach and Coney Island, west of the bay.

    “It was an emigrant enclave of Jews from the former Soviet Union,” Sater recalled. “Coney Island was kind of tough. I was one of the white kids on the block, which led to lots of beatings. It was difficult growing up but it toughens you up.”

    Sater said he most clearly remembers the beginning of his relationship with Cohen from the time the former Trump Organization attorney began dating his now-wife, whom Sater describes as a girl from his neighborhood of Jewish Soviet expatriates. Cohen told TPM the pair had known each other before then, in their teenage years, and that he hadn’t yet begun dating his wife, reportedly a Ukrainian émigré, when he was in his teens.

    “He wasn’t one of my close friends, just a guy dating a girl in the neighborhood and we had a bunch of mutual friends,” Sater said. “We eventually both started working at Trump Org. Prior to that, again, lots of mutual acquaintances.”

    Sater said he and Cohen still speak to each other, even if they seem a bit loath to speak about each other.

    “We did not own real estate together, but certainly looked at a bunch of stuff together, during Trump and post-Trump,” Sater says. “After I left there, I was still looking at deals for Trump, but I would think about real estate with Michael. [It] was just two real estate guys talking.” Sater starts to say something more, but cuts himself off and ends almost bashfully: “I would be more than happy to do a deal with Michael,” he says.

    Cohen was less forthcoming than his acquaintance. “I don’t give profile pieces on people,” he told TPM when asked about Sater. When asked why not, he answered, “I just don’t want to.”

    Still, the two men appear to know each other well enough for there to be considerable trust. They were both involved in a scheme to deliver a “peace plan” to the White House that proposed letting Ukrainian voters decide whether to lease Crimea to Russia in hopes that the move would lead to the relaxation of international sanctions.

    Sater told TPM he called the now-notorious meeting with Cohen and Ukrainian politician Andrii Artemenko in February to discuss the future of Ukraine. Cohen took the meeting, and told the New York Times that he ultimately left the proposal on the desk of then-National Security Adviser Michael Flynn (Cohen would later give several contradictory interviews in which he walked back his involvement).

    Nothing ever came of the plan, but it caused outcry from all corners of the diplomatic world—who were these men, and what were they doing?

    Asked why he arranged the meeting, Sater told TPM “Because I could!” Trump had distanced himself from Sater—in a 2013 deposition, he claimed not to know what Sater looked like—but he had Cohen’s ear, and the issue at hand pertained to a region of the world of interest to both men.

    In conversation, Sater framed his pursuit of the deal as deep concern for the region of his birth. “Everyone in the proposal, all three sides would have won,” he said. “As a side note, some civilians wouldn’t have been killed and shelled. In hindsight, I’m glad I did it. Anybody can paint it any way they want, but it was a peace deal.”

    ———-

    “Trump’s Conduits For Capital From The Former Soviet Bloc Are Actually Old Pals” by Sam Thielman; Talking Points Memo; 07/25/2017

    “And TPM now has learned from conversations with both Sater and Cohen that the two men know each other dating back to their teenage years, when they were acquaintances from nearby towns on Long Island. Both went on to make their fortunes in real estate, eventually working with the same big-name businessman—although they insist that neither helped the other land his gig with the Trump Organization.”

    Who knows how relevant this childhood tie is between Sater and Cohen but it’s certainly worth keeping in mind. Especially when we learn about the odd tale of that Ukrainian peace proposal:


    Still, the two men appear to know each other well enough for there to be considerable trust. They were both involved in a scheme to deliver a “peace plan” to the White House that proposed letting Ukrainian voters decide whether to lease Crimea to Russia in hopes that the move would lead to the relaxation of international sanctions.

    Sater told TPM he called the now-notorious meeting with Cohen and Ukrainian politician Andrii Artemenko in February to discuss the future of Ukraine. Cohen took the meeting, and told the New York Times that he ultimately left the proposal on the desk of then-National Security Adviser Michael Flynn (Cohen would later give several contradictory interviews in which he walked back his involvement).

    Nothing ever came of the plan, but it caused outcry from all corners of the diplomatic world—who were these men, and what were they doing?

    Asked why he arranged the meeting, Sater told TPM “Because I could!” Trump had distanced himself from Sater—in a 2013 deposition, he claimed not to know what Sater looked like—but he had Cohen’s ear, and the issue at hand pertained to a region of the world of interest to both men.

    In conversation, Sater framed his pursuit of the deal as deep concern for the region of his birth. “Everyone in the proposal, all three sides would have won,” he said. “As a side note, some civilians wouldn’t have been killed and shelled. In hindsight, I’m glad I did it. Anybody can paint it any way they want, but it was a peace deal.”

    So that’s an interesting new twist about Sater and Cohen. But here’s a relatively old twist about that Ukrainian peace proposal that just hasn’t gotten much notice: Remember how that meeting was widely characterized as being an attempt to set up a back channel between Trump and the Kremlin? And still largely is suspected of that to this day? And remember how the Ukrainian politician in question, Andrey Artemenko, was widely reported as belonging to a “pro-Putin” party? Well, check out this piece on Artemenko that showed up in Foreign Policy back in April. It turns out that Artemenko is indeed an Eastern Ukrainian politician, which was seen as an indicator that, of course, he’s a pro-Russian Ukrainian. Except he’s a member of the far-right anti-Russian “Radical Party” and has close ties to “Right Sector”, one of the most anti-Russian groups in the country:

    Foreign Policy

    Ukraine’s Back-Channel Diplomat Still Shopping Peace Plan to Trump

    As power struggles heat up back home, Andrey Artemenko is pushing policy in Washington to play politics in Kiev.

    By Reid Standish
    April 18, 2017

    The last two months have not been easy for Andrey Artemenko.

    On Feb. 19, the right-wing Ukrainian member of parliament was sucked into the scandal surrounding President Donald Trump and his alleged ties to Russia when the New York Times reported that Artemenko had served as a back channel between Moscow and Trump associates.

    In the aftermath of the report, Artemenko was forced out of his political faction in Ukraine, the far-right Radical Party, and the Prosecutor General’s Office of Ukraine has opened an investigation into whether his diplomatic outreach, which was done without Kiev’s approval, constitutes treason.

    Despite the political firestorm, Artemenko is still shopping his proposal in Washington and insists that now is the time to find a resolution to the nearly three-year war in eastern Ukraine that has claimed more than 10,000 lives. In an interview with Foreign Policy, Artemenko denied any connections between him and the Kremlin, praised the early stages of the Trump presidency, and rebuffed elements of the Times report, saying he was unfairly caught up in a fight between the U.S. president and the “liberal media.” The lawmaker also accused Ukrainian President Petro Poroshenko of not being interested in ending the war in the Donbass and said he was using Russia as an excuse to scapegoat his critics.

    “Anyone who has a personal opinion in Ukraine is automatically named a Russian spy,” Artemenko said. “But I don’t have any connections to Russia. That’s why I’m trying to involve the Trump administration on this issue and not the Kremlin.”

    Artemenko’s peace plan episode is just one small part of a rapidly mushrooming investigation in Washington over possible coordination between the Trump campaign and Russian intelligence to tilt the 2016 U.S. presidential election in Trump’s favor. But it’s also emblematic of another political fight unfolding against the backdrop of U.S. politics: the power struggle for the future of Ukraine.

    Since the 2014 Maidan revolution that ousted pro-Russian President Viktor Yanukovych, Washington has played an outsized role in Ukrainian domestic politics, where recognition and support from influential U.S. figures can make or break a politician’s career back home. The importance of these ties has taken on a new but uncertain dimension since the election of Trump in November 2016; a lack of clarity about the administration’s policies toward Kiev has been both a source of anxiety and opportunity for Ukraine’s political class.

    With key policy positions still unfilled at the State Department, many high-profile Ukrainians have sought back channels to the Trump administration to push for a solution to the war in Ukraine.

    That’s what Artemenko apparently did to pitch his loosely defined plan, which calls for Russian separatists to return eastern territory to Kiev, and the holding of a national referendum on leasing Crimea to Russia for an undetermined amount of time.

    “Maybe it’s dual management of Crimea, or maybe it’s a lease like the Panama Canal and Hong Kong,” said Artemenko, who prefers to call his proposal a “road map for peace” rather than a set plan. “It should be obvious that there is no military solution, only a diplomatic one.”

    Tall and brawny, Artemenko is a populist politician with ties to the far-right Ukrainian military-political group “Right Sector” and a member of the pro-Western opposition parliamentary coalition led by former Prime Minister Yulia Tymoshenko’s party. In Kiev, he’s known for being outspoken and politically ambitious.

    The lawmaker also professes an affinity for Trump, saying he wants to “make Ukraine great again” and has been trying to make inroads with the real estate mogul since he was a presidential candidate. In July 2016, Artemenko traveled to Cleveland for the Republican National Convention and later attended Trump’s inauguration in January.

    Artemenko used these connections in late January to arrange a meeting with Michael Cohen, Trump’s longtime personal lawyer who currently works at the Republican National Committee, to pass his peace plan to Mike Flynn, who served about three weeks as Trump’s national security advisor. Flynn was forced to resign in early February over a separate Russia-related controversy, but the Times reported that Cohen said he had “hand-delivered” the plan in a sealed envelope to the now former national security advisor.

    Artemenko confirmed to FP that Trump associate Felix Sater had arranged a meeting with Cohen and that he was told details of the plan were relayed to Flynn, although he says no physical documents were passed at the sit-down in Manhattan.

    The Kremlin denied any knowledge of the plan, and Cohen walked back his initial comments, saying he hadn’t delivered the plan to Flynn or discussed it with anyone in the White House. The Times has stood by its reporting.

    The Times also reported that Artemenko said he “received encouragement for his plans from top aides to Mr. Putin” and that he “emerged from the opposition” nurtured in Ukraine by Paul Manafort, Trump’s former campaign manager who previously worked as political operative in Ukraine.

    Artemenko told FP that he had no contacts with any Russian officials and has never met or dealt with Manafort. Trump’s former campaign manager made millions of dollars in assisting the rise of Yanukovych and lobbied for several pro-Kremlin causes in Washington.

    Artemenko insists that his intentions in pushing a peace plan for Ukraine are in the country’s best interests. But political observers see his freelance diplomacy as part of a rising groundswell in Kiev against Poroshenko by opposition forces ahead of parliamentary and presidential elections scheduled for 2019.

    “Alliances are shifting in Ukraine right now against Poroshenko,” said Balazs Jarabik, a nonresident scholar at the Carnegie Endowment for International Peace. “All this diplomatic maneuvering in Washington needs to be viewed through this lens.”

    Artemenko has emerged as a vocal critic of Poroshenko and says he has evidence showing corruption by the Ukrainian president. Moreover, Artemenko claims to have offered to organize a meeting between Trump and Valeriy Chaly, Ukraine’s ambassador to Washington, during the campaign. Chaly refused, Artemenko told FP, saying the Ukrainian government was backing Democratic nominee Hillary Clinton at the time.

    “They said they didn’t want to meet Mr. Trump,” Artemenko said.

    The Ukrainian Embassy has denied the charges and said it did not support any candidate in the U.S. election.

    Frustration at the slow pace of change in Ukraine has seen Poroshenko’s approval ratings plummet, allowing rivals to try to fill the void. Artemenko, who is a staunch ally of Valentyn Nalyvaichenko, a former head of Ukraine’s security service with lofty political ambitions, has aligned himself with other West-leaning populists like Tymoshenko. While it’s not saying much, she’s currently Ukraine’s most popular politician, with polls showing about 18 percent support for her party.

    Tymoshenko carried out some freelance diplomacy of her own on Feb. 2 when the former prime minister met Trump in Washington, before ever meeting Poroshenko or speaking with him on the phone. The conversation, which took place at the National Prayer Breakfast, was reportedly short and consisted of her seeking assurances that the Trump administration would “not abandon” Ukraine or lift sanctions on Russia. But the meetings worked to send a message back home that Tymoshenko was ascendant.

    Despite the backlash he has faced, Artemenko is still optimistic about his proposal, saying he has discussed it with the office of Sen. Rob Portman (R-Ohio), who has sponsored a resolution reaffirming support for Ukraine and outlining measures to stop the conflict. Artemenko says elements of his plan influenced the Portman measure. A spokesperson from Portman’s office confirmed meeting Artemenko but told FP that his peace plan is not part of the resolution.

    ———-

    “Ukraine’s Back-Channel Diplomat Still Shopping Peace Plan to Trump” by Reid Standish; Foreign Policy; 04/18/2017

    “In the aftermath of the report, Artemenko was forced out of his political faction in Ukraine, the far-right Radical Party, and the Prosecutor General’s Office of Ukraine has opened an investigation into whether his diplomatic outreach, which was done without Kiev’s approval, constitutes treason.”

    Yep, Artemenko was a member of the virulently anti-Russian Radical Party. And he has ties to one of the more violent neo-Nazi anti-Russian groups operating in the country, Right Sector/Pravy Sektor:


    Tall and brawny, Artemenko is a populist politician with ties to the far-right Ukrainian military-political group “Right Sector” and a member of the pro-Western opposition parliamentary coalition led by former Prime Minister Yulia Tymoshenko’s party. In Kiev, he’s known for being outspoken and politically ambitious.

    The lawmaker also professes an affinity for Trump, saying he wants to “make Ukraine great again” and has been trying to make inroads with the real estate mogul since he was a presidential candidate. In July 2016, Artemenko traveled to Cleveland for the Republican National Convention and later attended Trump’s inauguration in January.

    So while his criticisms of Petro Poroshenko helped frame him as a pro-Russian politician, don’t forget that the Ukrainian far-right criticizes Poroshenko all the time. And threatens to “march on Kiev”.

    And like Sater in the TPM interview, Artemenko confirmed that it was Sater who arranged for the meeting. And he also claimed to the New York Times he received encouragement from top aides to Putin. Claims the Kremlin denies. And yet Artemenko asserts to Foreign Policy that he had no contacts with any Russian officials (which would obviously complicate any reception of encouragement from Putin’s top aides):


    Artemenko confirmed to FP that Trump associate Felix Sater had arranged a meeting with Cohen and that he was told details of the plan were relayed to Flynn, although he says no physical documents were passed at the sit-down in Manhattan.

    The Kremlin denied any knowledge of the plan, and Cohen walked back his initial comments, saying he hadn’t delivered the plan to Flynn or discussed it with anyone in the White House. The Times has stood by its reporting.

    The Times also reported that Artemenko said he “received encouragement for his plans from top aides to Mr. Putin” and that he “emerged from the opposition” nurtured in Ukraine by Paul Manafort, Trump’s former campaign manager who previously worked as political operative in Ukraine.

    Artemenko told FP that he had no contacts with any Russian officials and has never met or dealt with Manafort. Trump’s former campaign manager made millions of dollars in assisting the rise of Yanukovych and lobbied for several pro-Kremlin causes in Washington.

    So that’s all rather interesting. And contradicting. Here’s more on what he said to the New York Times about that Kremlin encouragement for the peace plan:

    The New York Times

    A Back-Channel Plan for Ukraine and Russia, Courtesy of Trump Associates

    By MEGAN TWOHEY and SCOTT SHANE
    FEB. 19, 2017

    A week before Michael T. Flynn resigned as national security adviser, a sealed proposal was hand-delivered to his office, outlining a way for President Trump to lift sanctions against Russia.

    Mr. Flynn is gone, having been caught lying about his own discussion of sanctions with the Russian ambassador. But the proposal, a peace plan for Ukraine and Russia, remains, along with those pushing it: Michael D. Cohen, the president’s personal lawyer, who delivered the document; Felix H. Sater, a business associate who helped Mr. Trump scout deals in Russia; and a Ukrainian lawmaker trying to rise in a political opposition movement shaped in part by Mr. Trump’s former campaign manager Paul Manafort.

    At a time when Mr. Trump’s ties to Russia, and the people connected to him, are under heightened scrutiny — with investigations by American intelligence agencies, the F.B.I. and Congress — some of his associates remain willing and eager to wade into Russia-related efforts behind the scenes.

    Mr. Trump has confounded Democrats and Republicans alike with his repeated praise for the Russian president, Vladimir V. Putin, and his desire to forge an American-Russian alliance. While there is nothing illegal about such unofficial efforts, a proposal that seems to tip toward Russian interests may set off alarms.

    The amateur diplomats say their goal is simply to help settle a grueling, three-year conflict that has cost 10,000 lives. “Who doesn’t want to help bring about peace?” Mr. Cohen asked.

    But the proposal contains more than just a peace plan. Andrii V. Artemenko, the Ukrainian lawmaker, who sees himself as a Trump-style leader of a future Ukraine, claims to have evidence — “names of companies, wire transfers” — showing corruption by the Ukrainian president, Petro O. Poroshenko, that could help oust him. And Mr. Artemenko said he had received encouragement for his plans from top aides to Mr. Putin.

    “A lot of people will call me a Russian agent, a U.S. agent, a C.I.A. agent,” Mr. Artemenko said. “But how can you find a good solution between our countries if we do not talk?”


    ———-

    “A Back-Channel Plan for Ukraine and Russia, Courtesy of Trump Associates” by MEGAN TWOHEY and SCOTT SHANE; The New York Times; 02/19/2017

    ““A lot of people will call me a Russian agent, a U.S. agent, a C.I.A. agent,” Mr. Artemenko said. “But how can you find a good solution between our countries if we do not talk?””

    A US agent? CIA agent? Russian agent? How about Ukrainian far-right agent? How about a Ukrainian far-right agent arranging a meeting at the behest of an FBI/CIA informant Felix Sater? That seems like a more accurate characterization of Mr Artemenko.

    So that all adds a rather fascinating twist to the question of what role Felix Sater is playing with the Trump team’s contacts with the former Soviet Union. He clearly has ties to Russian figures, but they also clearly aren’t limited to Russia and he appears to have set up a meeting with a far-right anti-Russian Ukrainian politician and apparently has no problem with the widespread reporting of this meeting as being on behalf of the Kremlin. Because, sure, it’s possible the Kremlin’s denials of any knowledge or “encouragement” of this peace plan meeting and panning of it as absurd is false and they really did endorse such talks. But considering the nature of the proposal – Russia gets to “lease” Crimea for 100 years, which doesn’t seem like an offer it would want at this point – it sure seems extremely possible that a politician with an intensely anti-Russian pedigree simply made up the “Putin’s top aides encouraged me” line in order to obscure the nature of a meeting that was actually a way of Ukraine’s far-right passing something along to Trump. And Felix Sater set it up.

    Posted by Pterrafractyl | July 26, 2017, 1:02 pm
  9. @Pterrafractyl–

    BRILLIANT! So it is actually a Pravy Sektor-linked Ukrainian pol who is the pivot man for this “op.”

    Great, great work!

    Keep it up!

    Best,

    Dave

    Posted by Dave Emory | July 26, 2017, 4:17 pm
  10. Here’s a quick correction to the above comment that highlighted how the APT28/Fancy Bear malware pointed towards the same 76.31.112.10 command & control server IP address of the malware used in the 2015 Bundestag hack and how that Bundestag hack indicated a server that was still vulnerable to the Heartbleed hack. The correction actually makes the hack by APT28/Fancy Bear more suspicious, so it’s a pretty important correction, and it’s followed by some new info.

    First, the correction: The hack of the DNC server by APT28 didn’t happen in the Fall of 2015. It happened in March of 2016. The hack that happened in the fall of 2015, which the FBI casually informed the DNC about in September, was a phishing hack done by APT29/Cozy Bear/The Dukes. And that indicates that whoever was operating that 76.31.112.10 command & control server would at least have had six extra months to patch that Heartbleed vulnerability before the March 2016 hack was launched vs if they had initially launched them in the fall of 2015. It’s important to note given that March of 2016 is a lot more time to patch something like that compared to the fall of 2015 when that Heartbleed vulnerability on that server was published in the summer of 2015 reports on the Bundestag hack.

    But let’s not forget that what tied the DNC APT28 hack to the Bundestag hack was the curious hardcoding of the 76.31.112.10 IP address into the malware in both cases, which suggests that whoever carried out the Bundestag attack was also behind the March 2016 DNC hack. So, in that sense, the window of opportunity – the window to hack into that server after that Heartbleed vulnerability was published in the various reports on the Bundestag hack – is kind of moot if other clues suggest it was the same person/group who carried out both hacks. And let’s also not forget that the 76.31.112.10 server was vulnerable to getting scanned as ‘Heartbleed vulnerable’ for over a year before the Bundestag hack took place because any server was vulnerable to the ‘Heartbleed’ attack going back to 2014 when systematic scanning for vulnerable servers across the internet was already underway.

    But here’s what makes the APT28 hack extra suspicious if it happened in March of 2016 vs fall of 2015: While the German government may have officially declared APT28 a Russian government hacking group in May of 2016, this charge was more quietly leveled by Germany’s BfV in a newsletter it released in January of 2016. So if the GRU was truly running that 76.31.112.10 command & control server, it apparently decided to use the same malware as it used in the Bundestag hack with the same hardcoded IP address to the same server even after the German government had started to officially declare APT28 a GRU-run operation, which is some really, really bad operational security:

    Medium

    Can Facts Slow The DNC Breach Runaway Train?

    Jeffrey Carr
    Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare” (O’Reilly Media, 2009, 2011)

    Jul 27, 2016

    Yesterday, Professor Thomas Rid (Kings College London) published his narrative of the DNC breach and strongly condemned the lack of action by the U.S. government against Russia.

    Susan Hennessey, a Harvard-educated lawyer who used to work at the Office of the General Counsel at NSA called the evidence “about as close to a smoking gun as can be expected where a sophisticated nation state is involved.”

    Then late Monday evening, the New York Times reported that “American intelligence agencies have “high confidence” that the Russian government was behind the DNC breach.

    It’s hard to beat a good narrative “when explanations take such a dreadful time” as Lewis Carroll pointed out. And the odds are that nothing that I write will change the momentum that’s rapidly building against the Russian government.

    Still, my goal for this article is to address some of the factual errors in Thomas Rid’s Vice piece, provide some new information about the capabilities of independent Russian hackers, and explain why the chaos at GRU makes it such an unlikely home for an APT group.

    Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure—these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

    Professor Rid’s argument depended heavily on conveying hard attribution by the BfV even though the President of the BfV didn’t disguise the fact that their attribution was based on an assumption and not hard evidence.

    Personally, I don’t want to have my government create more tension in Russian-U.S. relations because the head of Germany’s BfV made an assumption.


    ———-

    “Can Facts Slow The DNC Breach Runaway Train?” by Jeffrey Carr; Medium; 07/27/2016

    “Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure—these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

    So, again, an APT28 hack in the fall of 2015 is pretty suspicious given the peculiarities with the actual malware employed like the hardcoded IP address and the Heartbleed vulnerable server. But an APT28 hack in March of 2016 is REALLY suspicious because those same malware digital “fingerprints” had just been attributed to a Russian government hacking operation two months earlier and the same “fingerprints” were left in the DNC hack!

    Anyway, here’s a source for that timeline correction:

    The New York Times

    The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

    By ERIC LIPTON, DAVID E. SANGER and SCOTT SHANE
    DEC. 13, 2016

    WASHINGTON — When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee in September 2015 to pass along some troubling news about its computer network, he was transferred, naturally, to the help desk.

    His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named “the Dukes,” a cyberespionage team linked to the Russian government.

    The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government’s best-protected networks.

    Yared Tamene, the tech-support contractor at the D.N.C. who fielded the call, was no expert in cyberattacks. His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion. By his own account, he did not look too hard even after Special Agent Hawkins called back repeatedly over the next several weeks — in part because he wasn’t certain the caller was a real F.B.I. agent and not an impostor.

    “I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

    The D.N.C.’s fumbling encounter with the F.B.I. meant the best chance to halt the Russian intrusion was lost. The failure to grasp the scope of the attacks undercut efforts to minimize their impact. And the White House’s reluctance to respond forcefully meant the Russians have not paid a heavy price for their actions, a decision that could prove critical in deterring future cyberattacks.

    The low-key approach of the F.B.I. meant that Russian hackers could roam freely through the committee’s network for nearly seven months before top D.N.C. officials were alerted to the attack and hired cyberexperts to protect their systems. In the meantime, the hackers moved on to targets outside the D.N.C., including Mrs. Clinton’s campaign chairman, John D. Podesta, whose private email account was hacked months later.

    By March, Mr. Tamene and his team had met at least twice in person with the F.B.I. and concluded that Agent Hawkins was really a federal employee. But then the situation took a dire turn.

    A second team of Russian-affiliated hackers began to target the D.N.C. and other players in the political world, particularly Democrats. Billy Rinehart, a former D.N.C. regional field director who was then working for Mrs. Clinton’s campaign, got an odd email warning from Google.

    “Someone just used your password to try to sign into your Google account,” the March 22 email said, adding that the sign-in attempt had occurred in Ukraine. “Google stopped this sign-in attempt. You should change your password immediately.”

    Mr. Rinehart was in Hawaii at the time. He remembers checking his email at 4 a.m. for messages from East Coast associates. Without thinking much about the notification, he clicked on the “change password” button and half asleep, as best he can remember, he typed in a new password.

    What he did not know until months later is that he had just given the Russian hackers access to his email account.

    Hundreds of similar phishing emails were being sent to American political targets, including an identical email sent on March 19 to Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr. Podesta received through this personal email account, several aides also had access to it, and one of them noticed the warning email, sending it to a computer technician to make sure it was legitimate before anyone clicked on the “change password” button.

    Only in March 2016 did Fancy Bear show up — first penetrating the computers of the Democratic Congressional Campaign Committee, and then jumping to the D.N.C., investigators believe. Fancy Bear, sometimes called A.P.T. 28 and believed to be directed by the G.R.U., Russia’s military intelligence agency, is an older outfit, tracked by Western investigators for nearly a decade. It was Fancy Bear that got hold of Mr. Podesta’s email.

    Attribution, as the skill of identifying a cyberattacker is known, is more art than science. It is often impossible to name an attacker with absolute certainty. But over time, by accumulating a reference library of hacking techniques and targets, it is possible to spot repeat offenders. Fancy Bear, for instance, has gone after military and political targets in Ukraine and Georgia, and at NATO installations.

    That largely rules out cybercriminals and most countries, Mr. Alperovitch said. “There’s no plausible actor that has an interest in all those victims other than Russia,” he said. Another clue: The Russian hacking groups tended to be active during working hours in the Moscow time zone.

    ———–

    “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.” by ERIC LIPTON, DAVID E. SANGER and SCOTT SHANE; The New York Times; 12/13/2016

    “Only in March 2016 did Fancy Bear show up — first penetrating the computers of the Democratic Congressional Campaign Committee, and then jumping to the D.N.C., investigators believe. Fancy Bear, sometimes called A.P.T. 28 and believed to be directed by the G.R.U., Russia’s military intelligence agency, is an older outfit, tracked by Western investigators for nearly a decade. It was Fancy Bear that got hold of Mr. Podesta’s email.”

    So that corrects the timeline: APT29, widely assumed to be the FSB, successfully “phished” its way into the DNC’s servers in the fall of 2015. Germany’s BfV attributes the 2015 Bundestag hack to Russia in January of 2016. And then two months later, APT28, widely assumed to be the GRU, apparently phishes its way into the DNC’s server during a wave of phishing attacks that appeared to be primarily targeting Democrats and deploys malware with the exact same digital “fingerprints” that they left in the Bundestag hack. That APT28 OPSEC sure does OPSUCK!

    Still, the fact that these hacks appear to have happened via phishing attacks does make clear that the hacks really did happen. DNC employees have the suspicious emails they accidentally clicked on which is pretty strong evidence that a hack took place. And that’s a critical finding at this point. Why? Because a recent analysis of the documents allegedly taken by “Guccifer 2.0” from the DNC servers on July 5th, 2016 suggests that those hacked documents weren’t actually hacked but instead exfiltrated directly from the DNC networks. Yep!

    Except, as we’re going to see, there are some significant issues with this analysis. Still, it’s out there and getting more and more attention and that analysis is now getting highlighted by The Veteran Intelligence Professionals for Sanity (VIPS) – a group of ex-US intelligence officers that got started back in 2003 in opposition to the intelligence findings that led up to the Iraq War and has been more recently raising questions about the 2016 election hacks. VIPS just challenged the official conclusion that the Russian government was behind that hacking campaign based on some notable digital forensics analysis recently done by someone going by “The Forensicator”.

    So what did The Forensicator discover? Well, by looking at the timestamps on a particular DNC document dump made available by “Guccifer 2.0”, The Forensicator made all sorts of deductions about the software and hardware used to procure the emails. The documents in question weren’t emails, but instead other DNC documents in an archived file called “NGP-VAN” that Guccifer 2.0 leaked live during a London Cyber Security show in September of 2016. “NGP-VAN” refers to the “NGP-VAN” ‘voter activation’ database software running on the DNC’s hacked server. Guccifer 2.0 claims he used a 0-day (previously unknown) exploit to hack the DNC server in the summer of 2015, although it’s important to note that there are very serious big reasons to believe that the “NGP-VAN 0-day exploit” story is not plausible. And let’s not forget that both APT29 and APT28 phished their way into the server and there appears to be pretty good evidence that that phishing really did happen and was successful (evidence in the form of people saying “oops, I clicked on this phishing email and gave them my password”).

    Regardless of the issues with “NGP-VAN” hack claims, The Forensicator’s analysis doesn’t depend on whether or not the NGP-VAN exploit was used or not. Instead, the analysis focuses on when exactly all the files in the NGP-VAN document dump made in September were removed from the DNC server and how rapidly that happened.

    The metadata for these “NGP-VAN” files were analyzed by “The Forensicator”, primarily the timestamp metadata on the files. The Forensicator looked at peculiarities of the timestamp data to make educated guesses about the timezone of the operating system getting copied to from the DNC server, the operating systems of that device, and, perhaps most importantly, the rate of transfer between the DNC server and the hacker. And based on those educated guesses the Forensicator concluded the following:

    1. The operating system of the computer the documents were getting transferred to had a US East Coast timezone setting.

    2. The operating system of the computer the documents were getting transferred to was probably a Linux (ext4) OS.

    3. The rate of the data transfer was 23 MB/second, which is way too fast for a remote transfer over the internet.

    Based on these clues, the Forensicator concluded that the ‘hacked’ files were likely obtained locally, probably with a USB flash drive that had Linux on it (yes, you can boot up a server with a USB drive with an OS on it).

    Now, keep in mind that all of this file metadata could have been spoofed, much like the laughably in-your-face metadata ‘oopsies’ like all the Cyrillic characters and Soviet secret police names left in the documents that were immediately latched onto and treated as strong proof of Russian government hackers.

    But note the key difference: the timestamp-based metadata ‘oopsies’ weren’t in-your-face. It took basically a year for these observations to be made and published on the internet. We still can’t rule out that the timestamp anomalies The Forensicator discovered were a non-in-your-face second layer of metadata obfuscation. But in terms of being the kinds of ‘mistake’ that someone might legitimately make, the non-in-your-face mistakes seem much more plausible as a real mistake. But, again, let’s not forget that we can’t rule out that professional elite hackers might utilize tactics like setting up the file timestamp data to mimic the copying times you would find with a USB flashdrive connected directly to a server, unless The Forensicator’s analysis was novel and unprecedented. And while “Guccifer 2.0” claims to have done their hacks remotely and then proceeded to distribute documents with all sorts of in-your-face “I’m a Russian hacker!” clues in the metadata, it’s entirely possible that “Guccifer 2.0” was employing multiple layers of metadata ‘clues’. In-your-face clues and less-in-your-face clues. We can’t rule that out.

    But here’s another thing to keep in mind that is a MAJOR potential problem with The Forensicator’s analysis: it assumes that the July 5th, 2016 timestamps on the NGP-VAN files indicate that that was when the files were copied from the DNC’s server. But by all indications the DNC server was secured by July 5th, 2016. Guccifer 2.0 was said to be kicked out in June. So that would point towards an insider directly grabbing the documents with a USB drive or something and handing them off to Guccifer. But there’s no compelling reason to assume that the July 5th timestamps are necessarily indicative of when those files were removed from the DNC server. Those timestamps could have been caused by copying the files from some local computer after they were removed or someone using a program like timestomp to change the metadata. So the evidence that any files were removed from the DNC server on July 5th isn’t exactly a slam dunk unless some of the leaked DNC documents in that NGP-VAN cache appear to be originally created on dates between late June-July 5th, 2016.

    But despite all the evidence that there really were remote hacks that hit the DNC server (like the phishing emails people clicked on), we also can’t rule out the possibility that there may have been an inside leaker who decided to grab a bunch of emails on July 5th and hand them over to Guccifer 2.0 too. We can’t rule it out, although that does seem like an incredibly pointless risk for an insider to do given that there were already reports about the DNC before July 5th and Guccifer 2.0 was already talking to reporters and dropping documents by then. But we definitely can’t rule it out, just as we can’t rule out the possibility that people were intentionally infiltrating the DNC for the purpose of stealing documents.
    Additionally, regarding The Forensicator’s conclusion that the download speeds were only consistent with local copying, don’t rule out the possibility that there was a remote hack of the DNC’s servers, but the files were transferred to a very close location, speeding up the transfer times.

    So there are a number of outstanding issues with The Forensicator’s analysis that need to be addressed. And since The Forensicator’s analysis is gaining steam and getting more and more attention let’s hope those issues are eventually addressed, along with the rest of the questions raised by the Veteran Intelligence Professionals for Sanity about the hack:

    Consortium News

    Intel Vets Challenge ‘Russia Hack’ Evidence

    July 24, 2017

    In a memo to President Trump, a group of former U.S. intelligence officers, including NSA specialists, cite new forensic studies to challenge the claim of the key Jan. 6 “assessment” that Russia “hacked” Democratic emails last year.

    MEMORANDUM FOR: The President

    FROM: Veteran Intelligence Professionals for Sanity (VIPS)

    SUBJECT: Was the “Russian Hack” an Inside Job?

    Executive Summary

    Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computers, and then doctored to incriminate Russia.

    After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.

    Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].

    Independent analyst Skip Folden, a retired IBM Program Manager for Information Technology US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.

    The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics.

    NOTE: There has been so much conflation of charges about hacking that we wish to make very clear the primary focus of this Memorandum. We focus specifically on the July 5, 2016 alleged Guccifer 2.0 “hack” of the DNC server. In earlier VIPS memoranda we addressed the lack of any evidence connecting the Guccifer 2.0 alleged hacks and WikiLeaks, and we asked President Obama specifically to disclose any evidence that WikiLeaks received DNC data from the Russians [see here and here].

    Addressing this point at his last press conference (January 18), he described “the conclusions of the intelligence community” as “not conclusive,” even though the Intelligence Community Assessment of January 6 expressed “high confidence” that Russian intelligence “relayed material it acquired from the DNC … to WikiLeaks.”

    Obama’s admission came as no surprise to us. It has long been clear to us that the reason the U.S. government lacks conclusive evidence of a transfer of a “Russian hack” to WikiLeaks is because there was no such transfer. Based mostly on the cumulatively unique technical experience of our ex-NSA colleagues, we have been saying for almost a year that the DNC data reached WikiLeaks via a copy/leak by a DNC insider (but almost certainly not the same person who copied DNC data on July 5, 2016).

    From the information available, we conclude that the same inside-DNC, copy/leak process was used at two different times, by two different entities, for two distinctly different purposes:

    -(1) an inside leak to WikiLeaks before Julian Assange announced on June 12, 2016, that he had DNC documents and planned to publish them (which he did on July 22) – the presumed objective being to expose strong DNC bias toward the Clinton candidacy; and

    -(2) a separate leak on July 5, 2016, to pre-emptively taint anything WikiLeaks might later publish by “showing” it came from a “Russian hack.”

    * * *

    Mr. President:

    This is our first VIPS Memorandum for you, but we have a history of letting U.S. Presidents know when we think our former intelligence colleagues have gotten something important wrong, and why. For example, our first such memorandum, a same-day commentary for President George W. Bush on Colin Powell’s U.N. speech on February 5, 2003, warned that the “unintended consequences were likely to be catastrophic,” should the U.S. attack Iraq and “justify” the war on intelligence that we retired intelligence officers could readily see as fraudulent and driven by a war agenda.

    The January 6 “Intelligence Community Assessment” by “hand-picked” analysts from the FBI, CIA, and NSA seems to fit into the same agenda-driven category. It is largely based on an “assessment,” not supported by any apparent evidence, that a shadowy entity with the moniker “Guccifer 2.0” hacked the DNC on behalf of Russian intelligence and gave DNC emails to WikiLeaks.

    The recent forensic findings mentioned above have put a huge dent in that assessment and cast serious doubt on the underpinnings of the extraordinarily successful campaign to blame the Russian government for hacking. The pundits and politicians who have led the charge against Russian “meddling” in the U.S. election can be expected to try to cast doubt on the forensic findings, if they ever do bubble up into the mainstream media. But the principles of physics don’t lie; and the technical limitations of today’s Internet are widely understood. We are prepared to answer any substantive challenges on their merits.

    You may wish to ask CIA Director Mike Pompeo what he knows about this. Our own lengthy intelligence community experience suggests that it is possible that neither former CIA Director John Brennan, nor the cyber-warriors who worked for him, have been completely candid with their new director regarding how this all went down.

    Copied, Not Hacked

    As indicated above, the independent forensic work just completed focused on data copied (not hacked) by a shadowy persona named “Guccifer 2.0.” The forensics reflect what seems to have been a desperate effort to “blame the Russians” for publishing highly embarrassing DNC emails three days before the Democratic convention last July. Since the content of the DNC emails reeked of pro-Clinton bias, her campaign saw an overriding need to divert attention from content to provenance – as in, who “hacked” those DNC emails? The campaign was enthusiastically supported by a compliant “mainstream” media; they are still on a roll.

    “The Russians” were the ideal culprit. And, after WikiLeaks editor Julian Assange announced on June 12, 2016, “We have emails related to Hillary Clinton which are pending publication,” her campaign had more than a month before the convention to insert its own “forensic facts” and prime the media pump to put the blame on “Russian meddling.” Mrs. Clinton’s PR chief Jennifer Palmieri has explained how she used golf carts to make the rounds at the convention. She wrote that her “mission was to get the press to focus on something even we found difficult to process: the prospect that Russia had not only hacked and stolen emails from the DNC, but that it had done so to help Donald Trump and hurt Hillary Clinton.”

    Independent cyber-investigators have now completed the kind of forensic work that the intelligence assessment did not do. Oddly, the “hand-picked” intelligence analysts contented themselves with “assessing” this and “assessing” that. In contrast, the investigators dug deep and came up with verifiable evidence from metadata found in the record of the alleged Russian hack.

    They found that the purported “hack” of the DNC by Guccifer 2.0 was not a hack, by Russia or anyone else. Rather it originated with a copy (onto an external storage device – a thumb drive, for example) by an insider. The data was leaked after being doctored with a cut-and-paste job to implicate Russia. We do not know who or what the murky Guccifer 2.0 is. You may wish to ask the FBI.

    The Time Sequence

    June 12, 2016: Assange announces WikiLeaks is about to publish “emails related to Hillary Clinton.”

    June 15, 2016: DNC contractor Crowdstrike, (with a dubious professional record and multiple conflicts of interest) announces that malware has been found on the DNC server and claims there is evidence it was injected by Russians.

    June 15, 2016: On the same day, “Guccifer 2.0” affirms the DNC statement; claims responsibility for the “hack;” claims to be a WikiLeaks source; and posts a document that the forensics show was synthetically tainted with “Russian fingerprints.”

    We do not think that the June 12 & 15 timing was pure coincidence. Rather, it suggests the start of a pre-emptive move to associate Russia with anything WikiLeaks might have been about to publish and to “show” that it came from a Russian hack.

    The Key Event

    July 5, 2016: In the early evening, Eastern Daylight Time, someone working in the EDT time zone with a computer directly connected to the DNC server or DNC Local Area Network, copied 1,976 MegaBytes of data in 87 seconds onto an external storage device. That speed is many times faster than what is physically possible with a hack.

    It thus appears that the purported “hack” of the DNC by Guccifer 2.0 (the self-proclaimed WikiLeaks source) was not a hack by Russia or anyone else, but was rather a copy of DNC data onto an external storage device. Moreover, the forensics performed on the metadata reveal there was a subsequent synthetic insertion – a cut-and-paste job using a Russian template, with the clear aim of attributing the data to a “Russian hack.” This was all performed in the East Coast time zone.

    ———-

    “Intel Vets Challenge ‘Russia Hack’ Evidence” by Veteran Intelligence Professionals for Sanity; Consortium News; 07/24/2017

    “Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].”

    So that’s all part of why the VIPS is challenging the official investigations into the hack: if you assume the timestamp metadata can be taken at face value and wasn’t manipulated and the timezone setting also wasn’t manipulated, then, yes, it strongly suggests that someone had to have directly transferred to a flash drive hacked files that were released in the NGP-VAN archive. For at least some of the files. But, again, there’s no compelling reason to assume these timestamps weren’t manipulated, especially given all the other metadata manipulation found in the documents released by Guccifer 2.0. It’s not as if Guccifer 2.0 was interested in providing seemingly pristine documents.

    But here’s something else to keep in mind that ties back to the original correction about when APT28 and APT29 hacked the DNC servers: somehow the FBI suspected that “The Dukes” (APT29) hacked the DNC’s server without anyone at the DNC telling them. That call that the DNC IT staff got in September of 2015 apparently came out of the blue. And one clear possibility is that US agencies detected data transfers from the DNC’s server to some server associated with APT 29. Presumably this wouldn’t be the same 76.31.112.10 command & control server used by APT28 but some other server. If that’s the case, that would be pretty strong proof that someone was indeed removing files remotely. Similarly, if the APT28 hack happened as we’re told, there definitely should be evidence of data moving from the DNC server to the 76.31.112.10 IP address. And that’s the kind of data that multiple parties, beyond just Crowdstrike, might have access to. Does the NSA have evidence of data exfiltration from the DNC servers to suspect servers? That’s another question the VIPS should probably add to their challenge.

    All in all, one of the most fascinating aspects of the story of the DNC hacks is that all the different theories are possible. Simultaneously:
    1. It’s possible Russian hackers did indeed hack the DNC’s server. It doesn’t mean they were the ones that handed over the data, but they still might have hacked it as just routine intelligence collection. Who knows, maybe APT29 really was a Russian government hacker.

    2. It’s extremely possible a non-Russian government hacker did indeed hack the DNC and decided to make it look like the Russians. Especially in the case of the APT28 hack in March of 2016 with all its “I’m a Russian hacker!” anomalies and ties to the Bundestag hack using a server that, itself, could have easily been hacked.

    3. It’s also possible an insider working at the DNC grabbed a bunch of documents directly too.

    There were enough distinct hacking incidents and data dumps that an overall scenario where all three sub-scenarios are true is entirely possible. All we can say for certain is that it looks a lot like “Guccifer 2.0” and whoever was behind the APT28 hacks really, really, really wanted Russia to be the culprit.

    Isn’t cyber attribution fun?

    Posted by Pterrafractyl | July 26, 2017, 10:51 pm
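
The timestamp argument in the comment above, as an added example (not the commenter's, The Forensicator's or VIPS's code): it estimates a transfer rate from last-modified times, reproduces the memo's 1,976 MB in 87 seconds figure, and shows on constructed files that a later plain local copy replaces the mtimes and with them the implied rate. File names, sizes, the epoch value and the decimal-megabyte unit are assumptions.

```python
"""Added example: what a transfer rate inferred from file mtimes can show."""
import os
import shutil
import tempfile

MB = 1_000_000  # assumption: decimal megabytes; the page does not state the unit


def inferred_rate_mb_s(records):
    """Coarse throughput estimate from (size_bytes, mtime_seconds) pairs:
    total bytes divided by the span between earliest and latest mtime.
    Returns float('inf') when every mtime is identical (zero span)."""
    records = list(records)
    if len(records) < 2:
        raise ValueError("need at least two files to measure a time span")
    total = sum(size for size, _ in records)
    mtimes = [mtime for _, mtime in records]
    span = max(mtimes) - min(mtimes)
    return float("inf") if span <= 0 else total / span / MB


def stat_records(directory):
    """Collect (size, mtime) for every file in a directory."""
    out = []
    for name in sorted(os.listdir(directory)):
        st = os.stat(os.path.join(directory, name))
        out.append((st.st_size, st.st_mtime))
    return out


def demo():
    """Build a constructed slow 'acquisition', re-copy it locally two ways,
    and return the rate the mtimes imply for each directory."""
    with tempfile.TemporaryDirectory() as root:
        acquired = os.path.join(root, "acquired")
        plain = os.path.join(root, "recopied_plain")
        preserved = os.path.join(root, "recopied_preserved")
        for d in (acquired, plain, preserved):
            os.mkdir(d)

        # Constructed sample data: 5 files of 200 kB with mtimes 10 s apart,
        # i.e. 1 MB over a 40 s span, as a slow pull might have left them.
        base = 1_467_750_000  # constructed epoch value, not taken from the page
        for i in range(5):
            path = os.path.join(acquired, f"doc{i}.bin")
            with open(path, "wb") as fh:
                fh.write(b"\0" * 200_000)
            os.utime(path, (base + 10 * i, base + 10 * i))

        for name in sorted(os.listdir(acquired)):
            src = os.path.join(acquired, name)
            # shutil.copy does not carry mtime over: the copy is stamped "now".
            shutil.copy(src, os.path.join(plain, name))
            # shutil.copy2 also copies the source file's timestamps.
            shutil.copy2(src, os.path.join(preserved, name))

        return {
            "acquired": inferred_rate_mb_s(stat_records(acquired)),
            "recopied_plain": inferred_rate_mb_s(stat_records(plain)),
            "recopied_preserved": inferred_rate_mb_s(stat_records(preserved)),
        }


if __name__ == "__main__":
    # The memo's figure: 1,976 MB in 87 seconds.
    print("memo figure:", round(inferred_rate_mb_s([(0, 0), (1976 * MB, 87)]), 1), "MB/s")
    for label, rate in demo().items():
        print(f"{label:20s} {rate:.3f} MB/s")
```

The estimate describes the most recent write of each file, so it bounds the speed of the last copy in the chain rather than the speed of the original acquisition.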
  11. @Dave: Talking Points Memo has a new piece on that ‘peace plan’ that adds some important background to it: The ‘peace plan’ that Felix Sater and Andrii Artemenko hatched was apparently developed back in October of 2016 when the two were having discussions over a business proposal to rehab Ukraine’s nuclear power plants as part of a move to break the “Russian monopoly” on Ukraine’s energy and then sell the electricity to neighboring countries.

    An energy expert cited in the piece asserts that the plan would have benefited from the fruition of that ‘peace plan’, which is true in the sense that an ongoing civil war probably doesn’t help with business deals involving nuclear plants. But they also point out how it was the conflict with Russia that was actually creating demand in Ukraine for creating alternative sources of energy for Ukraine and increasing regional demand for non-Russian energy sources. So if that ‘peace plan’ happened, it might be easier to cut an international deal to get someone to upgrade and/or build nuclear power plants. But it would also make it a lot easier for Russia to export its own energy to the same countries Ukraine wants to export to.

    In addition, as the piece points out, Lithuania, Latvia, and Estonia already have plans to break off of the old Soviet-era electrical grid that connects the electrical systems of the former-Soviet nations and instead join them up through the EU’s grids. By 2025. And Sater says in the piece that he’s hoping to help that process along. And yet it’s hard to think of something that would derail such plans more effectively than a peace plan that normalizes relations with Russia.

    So that’s quite a twist on the mystery of the ‘peace plan’ meeting: it came about during negotiations between Sater and Artemenko back in October over plans to develop Ukraine’s nuclear energy sector as a means of breaking the Russian grip on Ukraine’s energy, which doesn’t seem like the kind of plan the Kremlin would be very enthusiastic about:

    Talking Points Memo
    Muckraker

    Trump’s Ex-Biz Partner Eyed Energy Deal As He Helped Push Ukraine ‘Peace Plan’

    By Sam Thielman
    Published July 27, 2017 2:43 pm

    When a former business partner of President Donald Trump’s and a Ukrainian politician approached an ally of the administration with a “peace plan,” they were already at work on an energy trading deal. That deal, said one of the region’s leading energy policy experts, stood to benefit from the scheme the pair proposed to resolve the ongoing conflict in Ukraine.

    Felix Sater, who worked obtaining financing for Trump projects including the Trump SoHo, told TPM that the “peace plan” came up in the course of his attempts to broker an agreement to sell energy abroad from Ukraine’s nuclear power plants with Andrii Artemenko, at the time a Ukrainian parliamentarian. The plan was to refurbish dilapidated nuclear power plants in that country and then sell the power generated by them into Eastern Europe, using established commodities trading companies as a means of retroactively financing the deal, Sater said.

    The business proposition would help break the Russian monopoly on energy, according to Sater. But Artemenko’s political proposal would have had Ukrainian voters decide whether to lease Crimea to Russia for 50 or 100 years—an idea encouraged by advisors to Russian president Vladimir Putin, and so offensive to his country’s government that Ukrainian prosecutors accused Artemenko of treasonous conspiring with Russia after the peace plan was first reported earlier this year.

    It’s been widely reported that Sater and Artemenko met with Michael Cohen, who was then Trump’s personal lawyer and who has known Sater since he was a teenager, in January; under discussion was the peace plan, which would have paved a path for the U.S. to lift sanctions on Russia. Cohen has given conflicting statements about his involvement. Sater said he came to be involved in the scheme through Artemenko.

    “We were trying to do a business deal at the same time,” Sater told TPM. “We were working on a business deal for about five months, and he kept telling me about the peace deal, and as the Trump administration won, that’s when I delivered it [the peace deal] to them.”

    He insisted the political and business propositions were unrelated, other than each involving himself and Artemenko as primary players.

    Sater had worked brokering major deals internationally for some time after the 1996 dissolution of White Rock, a firm at the center of a pump-and-dump securities fraud scandal that led to Sater’s conviction for fraud. Instead of going to prison, Sater paid a fine and went to work as an FBI informant. Those deals included a job for AT&T in Russia, as previously reported by Mother Jones, where Sater says the company was “trying to expand.”

    Sater said the business proposition with Artemenko “was to try to rehabilitate the existing nuclear power plants in the Ukraine and build new ones using either U.S. or Canadian [companies] like GE, or the Koreans.” Ukraine’s history with nuclear power includes the Chernobyl disaster, and Sater noted that the aging plants needed refurbishment in order to continue working without another incident. Otherwise, he noted, “they’re ready to [have] another Chernobyl any day now.”

    The pair further planned “to sell the excess power to [international energy companies] Trafigura or Vitol to sell the power to Eastern Europe, and in that way finance the plants,” Sater explained. He named Poland and Belarus as two potential state clients.

    “It was a way to break the energy monopoly the Russians have,” he said.

    Chi Kong Chyong, director of the Energy Policy Forum at Cambridge University’s Energy Policy Research Group, told TPM that energy independence from Russia was indeed a pressing issue in Ukraine, and noted a peace deal would ease the kind of international transaction Sater and Artemenko were proposing.

    Sources close to the matter told TPM that there were no records of any current conversations between Sater or Artemenko and American industrial conglomerate GE. Trafigura and Vitol are trading houses that deal heavily in energy; Victoria Dix, a spokeswoman for Trafigura, said there was “no element of truth whatsoever” to any suggestion that Sater was pursuing a proposal with the company. Andrea Schlaepfer, a spokeswoman for Vitol, said, “We don’t comment on commercial activities.” Neither the Ukrainian Embassy nor the Consulate immediately responded to requests for comment.

    For Artemenko, the fallout from the January meeting with Sater and Cohen was immediate and severe. He was expelled from his Verkhovna Rada political party the day after the New York Times reported the meeting, and by May, Ukrainian President Petro Poroshenko had stripped him of his citizenship.

    For his part, Sater said he had nothing to do with the documents filled with damaging information on Ukrainian politicians, including Poroshenko, that Artemenko reportedly brought to the January meeting. “I never saw them,” Sater said, adding that Cohen might have thrown them in trash but he wasn’t sure. “I don’t want to get into it.”

    Whether Sater and Artemenko’s energy trading plan was well underway or simply in the proposal stage by the time of the meeting, it would have been an easier sell with Artemenko’s Putin-approved ceasefire in place, according to Chyong.

    “Any military conflict in your neighborhood or close to you affects the transaction cost of arranging commercial deals, whether that is between Ukraine and the eastern [EU, where Poland lies] or Ukraine and Belarus, for example,” Chyong said. “It increases the transactional costs. The conflict itself, of course, forces the Ukraine to think about other ways and other sources of importation of energy—gas and electricity trading.”

    Exporting energy from Ukraine would be easiest to places like Belarus and Russia, Chyong noted. Old electrical grids are among the strongest remaining ties between former Soviet bloc states and Russia itself; Ukraine hopes to break them by 2025, something Sater said he hoped he could help along.

    ———-

    “Trump’s Ex-Biz Partner Eyed Energy Deal As He Helped Push Ukraine ‘Peace Plan’” by Sam Thielman; Talking Points Memo; 07/27/2017

    “Felix Sater, who worked obtaining financing for Trump projects including the Trump SoHo, told TPM that the “peace plan” came up in the course of his attempts to broker an agreement to sell energy abroad from Ukraine’s nuclear power plants with Andrii Artemenko, at the time a Ukrainian parliamentarian. The plan was to refurbish dilapidated nuclear power plants in that country and then sell the power generated by them into Eastern Europe, using established commodities trading companies as a means of retroactively financing the deal, Sater said.”

    That was apparently the seed of the ‘peace plan’: a deal for rehabbing Ukraine’s nuke plants and exporting energy. And according to Chi Kong Chyong, director of the Energy Policy Forum at Cambridge University’s Energy Policy Research Group, such a plan would indeed be easier if there was peace. But as Chyong also points out, it’s the conflict itself that of course is what’s driving Ukraine to think about non-Russian energy sources:


    Chi Kong Chyong, director of the Energy Policy Forum at Cambridge University’s Energy Policy Research Group, told TPM that energy independence from Russia was indeed a pressing issue in Ukraine, and noted a peace deal would ease the kind of international transaction Sater and Artemenko were proposing.

    Whether Sater and Artemenko’s energy trading plan was well underway or simply in the proposal stage by the time of the meeting, it would have been an easier sell with Artemenko’s Putin-approved ceasefire in place, according to Chyong.

    “Any military conflict in your neighborhood or close to you affects the transaction cost of arranging commercial deals, whether that is between Ukraine and the eastern [EU, where Poland lies] or Ukraine and Belarus, for example,” Chyong said. “It increases the transactional costs. The conflict itself, of course, forces the Ukraine to think about other ways and other sources of importation of energy—gas and electricity trading.”

    A nuclear plan designed to make Ukraine much less dependent on Russian energy doesn’t exactly sound like the kind of thing a ‘pro-Russian’ Ukrainian politician would be working on. And neither does the plan to break up the Soviet bloc electrical grid that Felix Sater wants to help along:


    Exporting energy from Ukraine would be easiest to places like Belarus and Russia, Chyong noted. Old electrical grids are among the strongest remaining ties between former Soviet bloc states and Russia itself; Ukraine hopes to break them by 2025, something Sater said he hoped he could help along.

    So that’s the latest strange twist on the mystery of Felix Sater’s Ukrainian ‘peace plan’. But note that word of this nuclear plan was actually reported back in May in The National Memo. And in that piece they point out one other person who Sater and Artemenko were apparently trying to get involved with these negotiations: Robert Armao, a rather colorful figure who had some ties to Ukraine. Including, according to Armao, his work advising individuals who were working with former Ukrainian president Viktor Yushchenko during the Orange Revolution protests of 2004-2005 (it’s not exactly a pro-Kremlin background):

    The National Memo

    How Felix Sater — Former Mob-linked Hustler And Ex-Trump Adviser — Sought To ‘Protect’ Ukraine’s Nuclear Plants

    Richard Behar
    May 25, 2017 3:10 pm

    The saga of Felix Sater — a twice-convicted one-time Mafia associate, real estate developer, sometime partner and former “senior adviser” to Donald Trump — continues to grow more complicated and bizarre. Details have now emerged of a second attempted diplomatic intervention by Sater, supposedly to prevent a possible nuclear power plant conflagration in Ukraine.

    In a recent investigation for DC Report, (reprinted here by The National Memo), I explored a series of controversial financial transactions that involved Sater and another former Trump Organization associate named Daniel Ridloff, which involved accusations that the two men had absconded with nearly $43 million from the sale of an Ohio shopping mall to Neil Bush, son and brother of the former presidents.

    While that case was settled (with Sater and Ridloff receiving roughly half of the contested money), and there was no evidence implicating Trump in those transactions, the president’s business appears to have benefited from them. Several condominiums in his troubled Trump Soho building were purchased with $3.1 million in cash that may have come from the same sources, with roots in Kazakhstan. Investigators have long suspected that figures seeking to hide illicit cash have used Trump businesses, including his casino and real estate holdings, whether or not Trump or his executives were cognizant of such suspicious transactions.

    Aside from Sater’s criminal past, which was cited by Trump critics during the 2016 election, he drew front-page attention last February, just one week before Michael Flynn resigned as national security adviser over his concealed discussions with the Russian ambassador, when news outlets revealed that Sater had hand-delivered a Kremlin “peace proposal” for Ukraine to Flynn’s office. The proposal suggested a way that President Trump could lift sanctions against Russia as part of a negotiated settlement.

    Behind that proposition, according to the New York Times, were the Russian-born Sater; Michael Cohen, the president’s personal lawyer; and Andrii Artemenko, a Ukrainian parliament member leading a political opposition movement that was forged in part by former Trump campaign manager Paul Manafort.

    According to the Times, Sater, Cohen and Artemenko met in January in private conference rooms and the restaurant bar at New York’s Regency hotel to discuss the plan before it was delivered to the White House.

    Now I have learned that Sater and Artemenko met last October 7 for breakfast at the St. Regis Hotel in New York to discuss another major problem in Ukraine: Its aging cohort of nuclear power plants, which may pose safety risks as grave as the 1986 Chernobyl disaster. The meeting was convened a month before the U.S. presidential election. Sater declined to comment and Artemenko — whose parliamentary status and citizenship were revoked by the Ukraine government after the “peace plan” fiasco –could not be reached.

    Evidently Sater and Artemenko were seeking the assistance of a third person who attended the breakfast, Robert Armao — a well-connected international businessman who served as labor counsel to the late Vice President Nelson Rockefeller in the early 1970s. Armao says that Sater, whom he’d never met or spoken with prior to last fall, reached out to him through a mutual friend.

    “He said that Artemenko was in Washington meeting with members of Congress because of the worldwide effort to deal with nuclear power plants in Ukraine,” recalls the former Rockefeller aide. “Many are falling apart, like at the Chernobyl-level, and the plants need to be refurbished.”

    Armao was invited to the New York meeting because he’s a longtime expert on Ukraine. He says he once advised individuals who were working with former Ukrainian president Viktor Yushchenko during the Orange Revolution protests of 2004-2005. During the October 7 breakfast, Armao says he was asked whether he could intercede with Ukraine’s current energy minister in an attempt to revive a contract that Kiev had signed with South Korea to bring the nuclear plants up to global standards.

    Armao has also enjoyed close dealings in the past with the government of the Republic of Korea, he says, and has done business there for decades. “I said, have you officially asked [the Ukraine energy minister]?,” recalls Armao, but “[Artemenko] was sketchy on that. I told Sater and Artemenko that I’d find out what’s going on.”

    According to Armao, he reached out to sources and learned that the Ukrainian government was “in discussion with the Koreans and all was under control. So that was it.”

    In fact, just five weeks before the breakfast meeting, Korea’s state-controlled nuclear power utility reached an agreement with Ukraine to resume construction of two reactors. But it’s unclear whether that deal involves the servicing of the existing reactors that apparently concerned Sater and Artemenko.

    Armao admits that he was impressed by the former Trump associate. “When you talk to the guy, he wants to save the world. He said, ‘You know, [Ukrainian nuclear plant safety] is a big Washington concern.’ I do say, the man is brilliant. You sit with him, he talks about real estate, he talks about everything. And he can charm the pants off you, Sater.”

    Sater and Trump have been doing an odd dance around each other during the past few years, regarding how much they’ve interacted. Trump consistently has testified in civil cases that he barely knew Sater, barely dealt with him and “wouldn’t recognize him if he was sitting in this [deposition] room.” However, Sater, in a different civil case, testified that he would often pop his head into Trump’s office to give him updates on a Moscow hotel deal they had in the works. (It doesn’t appear that project ever came to fruition.) Last September, I half-joked to Sater that he must have a photo album filled with pictures of himself with Trump. “A photo album?” he responded. “How about six!”

    The Trump-Sater relationship is likely to receive sharp scrutiny soon in Washington, both in Congressional probes and perhaps even by special counsel Robert Mueller, who will investigate possible collusion between Russia officials and the Trump campaign in the 2016 election.

    In late March, then-FBI director James Comey was asked about Sater’s relationship with the FBI when he appeared before the House Intelligence Committee. Comey declined to comment, presumably because Sater spent a decade as a secret government cooperator for both the FBI and at times, the CIA. But in 2015, during her confirmation hearing for the post of U.S. Attorney General, Loretta Lynch offered a teaser. In response to a written question about Sater by Senator Orrin Hatch, she stated that his [decade-long] assistance as a federal cooperator was “crucial to national security.”

    For national security reasons, it is now crucial that the public learn all the details of Sater’s work for the government– and much more.

    ———–

    “How Felix Sater — Former Mob-linked Hustler And Ex-Trump Adviser — Sought To ‘Protect’ Ukraine’s Nuclear Plants” Richard Behar; The National Memo; 05/25/2017

    “Evidently Sater and Artemenko were seeking the assistance of a third person who attended the breakfast, Robert Armao — a well-connected international businessman who served as labor counsel to the late Vice President Nelson Rockefeller in the early 1970s. Armao says that Sater, whom he’d never met or spoken with prior to last fall, reached out to him through a mutual friend.”

    So Robert Armao enters into the mix. An individual who says he once advised people working with Viktor Yushchenko during the anti-Russian Orange Revolution protests of 2004-2005:


    “He said that Artemenko was in Washington meeting with members of Congress because of the worldwide effort to deal with nuclear power plants in Ukraine,” recalls the former Rockefeller aide. “Many are falling apart, like at the Chernobyl-level, and the plants need to be refurbished.”

    Armao was invited to the New York meeting because he’s a longtime expert on Ukraine. He says he once advised individuals who were working with former Ukrainian president Viktor Yushchenko during the Orange Revolution protests of 2004-2005. During the October 7 breakfast, Armao says he was asked whether he could intercede with Ukraine’s current energy minister in an attempt to revive a contract that Kiev had signed with South Korea to bring the nuclear plants up to global standards.

    So we have Mr. Artemenko, a guy from the virulently anti-Russian Radical Party and ties to Pravy Sektor, teaming up with Felix Sater to enlist the help of Robert Armao, someone who advised the figures behind the Orange Revolution Again, to help them with their scheme to free Ukraine from its dependence on Russian energy. And it was during those meetings that the ‘peace plan’ idea emerged.

    And who knows, maybe Artemenko and Sater really did want to push this ‘peace plan’. But regardless, we have Felix Sater working with people who were clearly not ‘Kremlin-friendly’, and yet when this story breaks it’s all about how it was a pro-Putin peace plan and Sater apparently had no problem with that media spin on the story. He was interviewed about it many, many times, after all.

    Oh, and here’s a fun look at one of the more interesting business partnerships from Mr. Armao’s past: Armao was an advisor to the Shah of Iran, and both Armao and Marc Rich were business partners with Francesco Pazienza, the Italian intelligence officer and aide to Roberto Calvi, during a period when Francesco Pazienza was helping the US with the renewal of the lease for a United States intelligence tracking station in the Seychelles. It’s a relationship that came up during the investigation of the implosion of Banco Ambrosiano:

    The New York Times

    ITALIAN EX-AGENT ORDERED EXTRADITED FROM U.S.

    By RALPH BLUMENTHAL
    Published: September 12, 1985

    A former Italian intelligence official, in jail in New York since March, was ordered extradited to Italy yesterday to face financial fraud charges growing out of the 1981 bankruptcy of the Italian Banco Ambrosiano.

    The prisoner, Dr. Francesco Pazienza, a 39-year-old nonpracticing physician, has long been a subject of keen interest in Italy, where his name has also cropped up in investigations of the shooting of Pope John Paul II and of the purported plottings of a rightist underground.

    Since he was arrested and jailed under disputed circumstances, Dr. Pazienza, who formerly served in the Italian Information and Military Security Service, has been telling tales of secret missions and intrigues, including work he says he undertook without pay to aid the United States Government. A White House spokesman has denied that Dr. Pazienza ever performed any authorized missions.

    Claims Tip on Pope

    Dr. Pazienza has also said he performed diplomatic services for the Vatican, helped obtain information on a trip to Libya by Billy Carter and was tipped off about a possible plot against the Pope six months before the shooting.

    Concerning the fraud charges, Dr. Pazienza has denied any wrongdoing, asserting that the authorities in Italy were out to frame him and that he feared for his life if he was returned there.

    ”They’re trying to create a scapegoat,” Dr. Pazienza, clad in an orange prison jumpsuit, said in a recent three-hour interview in a conference room of the Manhattan Correctional Center in Foley Square.

    In the extradition ruling yesterday, Federal District Judge Charles L. Brieant Jr. found that Dr. Pazienza had been properly arrested by United States Customs Service agents when he appeared voluntarily as an informant at a prearranged meeting on March 4.

    He was granted a stay of the ruling pending an expected appeal.

    Plans Voluminous Appeal

    Dr. Pazienza, interviewed by telephone from the jail after the ruling was announced, said, ”I was expecting this kind of thing.” He added that he would personally prepare a voluminous appeal, which could go to the United States Supreme Court.

    The Italian charges on which the extradition is based accuse Dr. Pazienza and five other defendants of conspiring to defraud Banco Ambrosiano of about $3 million lent to another concern, Prato Verde, ”with the deliberate intention of defaulting on the loan and of using the funds for personal purposes,” according to Judge Brieant.

    The judge also said part of the money was supposed to have been used to bribe Italian magistrates hearing an appeal of the conviction of Banco Ambrosiano’s president, Roberto Calvi. Mr. Calvi was found hanging from a bridge in London in 1982, either a suicide or a murder victim.

    Much of the story of Dr. Pazienza, who has been the subject of more than 1,000 news articles in the last 18 months in Italy alone, remains perplexing.

    Much Remains Unverified

    Dennis Fagan, special agent in charge of the Customs Service in New York, said that there was ”some truth” as well as many inconsistencies in Dr. Pazienza’s assertions and that much remained to be verified.

    ”He’s thrown out little bones, but he’s put no meat on them,” Mr. Fagan said.

    A White House spokesman, Edward P. Djerejian, deputy press secretary for foreign affairs, said last week that Dr. Pazienza had never performed any missions for the United States. ”As far as we know, this is utter fantasy,” he said. ”No such mission or any other association with Pazienza ever took place or was even considered.”

    At the Vatican, the chief spokesman, Joaquin Navarro Valls, said the Vatican had consistently declined to discuss the Pazienza case.

    Tells of Vatican Link

    One of his first assignments, after joining the intelligence agency in early 1980, Dr. Pazienza said, was to exchange views between the Vatican and Saudi Arabia on the situation in Lebanon and on Israel’s position that foreign embassies be situated in Jerusalem rather than Tel Aviv. He said that position angered the Vatican.

    In 1980, Dr. Pazienza said, the military intelligence chief, Gen. Giuseppe Santovito, was asked by Michael A. Ledeen, an American foreign affairs consultant, to provide information on a trip that Mr. Carter, President Carter’s brother, had made to Libya.

    Mr. Ledeen – then a senior fellow at Georgetown University’s Center for Strategic and International Studies, editor of the Washington Quarterly and a specialist in Italian history – said in interviews that he had approached ”everyone I knew in Italy” for help in checking out information for a magazine article on Mr. Carter.

    The article, part of a series of columns written together with Arnaud de Borchgrave, now editor in chief of The Washington Times, appeared in The New Republic shortly before the 1980 Presidential election.

    Meeting With Arafat Reported

    It asserted that President Carter’s brother had met with Yasir Arafat, head of the Palestine Liberation Organization, and George Habash, leader of the Popular Front for the Liberation of Palestine, and had received $50,000 in travel money from the Libyans that he did not report to the United States Government, as required of those serving foreign governments. At the time, Mr. Carter was already a subject of controversy over his contacts with the Libyans.

    Mr. Carter later said he had met briefly with Mr. Habash but denied having met Mr. Arafat or having received unreported funds. A Justice Department investigation found that Mr. Carter had ”lied to Government agents,” but no charges were brought.

    Mr. de Borchgrave said last week that he did not know Dr. Pazienza but that Mr. Ledeen had used the Italian to help obtain a tape recording to confirm information on the Billy Carter article.

    Dr. Pazienza also said that on Dec. 9, 1980, he and Mr. Ledeen carried a message from General Santovito to Alexander M. Haig, then president of United Technologies Corporation and shortly to be named Secretary of State for the newly elected President Reagan.

    Haig Recalls ‘Courtesy Visit’

    General Haig, now a consultant in Washington, said he recalled receiving a ”courtesy visit” from Mr. Ledeen and Dr. Pazienza in 1980. He said he no longer remembered the subject but thought it had to do with what he called ”the Communist conspiracy.”

    Mr. Ledeen said he recalled the meeting but declined to discuss the subject.

    Dr. Pazienza said that after Mr. Reagan won the election, he traveled at Mr. Ledeen’s behest to Beirut in February 1981 to meet with Mr. Arafat to discuss international terrorism and the Palestinian leader’s standing with the new Administration.

    Mr. Ledeen, who began serving in the spring of 1981 as a salaried, full-time special adviser to Secretary of State Haig, denied sending Dr. Pazienza on such a mission.

    Ex-Envoy to Italy Comments

    Richard N. Gardner, United States Ambassador to Italy at the end of the Carter Administration, said Mr. Ledeen and Dr. Pazienza operated ”as a channel” between Italy and the Reagan Administration. ”I never found out who authorized it,” he said.

    As recently as last year, Dr. Pazienza said, he sought to be helpful to the Americans by trying to negotiate a renewal of the lease for a United States intelligence tracking station in the Seychelles. He said he and two partners were then exploring an oil venture with the Indian Ocean island nation off the east coast of Africa.

    He identified the partners as Robert Armao and Marc Rich. Mr. Rich is a commodities broker now under criminal investigation in the United States in connection with tax evasion charges, for which he has already paid a $200 million civil settlement.

    Mr. Armao, head of a New York public relations company and a former adviser to the Shah of Iran, largely confirmed Mr. Pazienza’s account. But he said that while a Marc Rich subsidiary had been involved in their discussions, the oil venture never came about.

    Mr. Djerejian, the White House spokesman, said he had no information on the matter.

    ‘I Had Beautiful Money’

    According to Dr. Pazienza, he left the Italian intelligence service in the spring of 1981 and was in Italy until that September. Then, he said, he came to New York, where he lived until March 1983 in the Regency Hotel, one of the city’s most expensive hotels. Between then and April 1984, he said, he lived in an apartment at 2 East 80th Street, where the rent, he said, was $5,000 a month.

    ”I had beautiful money,” he said, giving years of lucrative business consulting as the source.

    After that, he said, he left for the Seychelles, returning once to New York to meet voluntarily with Customs Service agents on Sept. 24, 1984, to provide information on missing funds of Banco Ambrosiano and on international terrorism. Last February, he said, he called the Customs Service from Mexico to arrange a meeting on March 4.

    Dr. Pazienza has contended that he went to the meeting as an informant and was instead improperly arrested and held without bail. His attorney, Edward A. Morrison, a former New York City deputy mayor, said, ”I was lied to, and my client was brought in falsely.”

    Denies Meeting With Agca

    In the case of the attempted assassination of Pope John Paul in May 1981, Dr. Pazienza denied an assertion made in court in June by the convicted gunman, Mehmet Ali Agca, that Dr. Pazienza visited him in Ascoli Piceno prison in March or April of 1982 to urge him to implicate Bulgaria in the attack.

    Dr. Pazienza contended that he was out of the Italian Military Security Service at that time and could not have gained access to the high-security prison. He said he had never met or talked to Mr. Agca.

    Dr. Pazienza also said that five or six months before the shooting of the Pope, he received what he called ”vague information” from a Palestinian informant working in a third-world press agency that ”something may be going on against the Pope.”

    Dr. Pazienza said he had asked General Santovito if he could pass the vague report on to Archbishop Achille Silvestrini at the Vatican. ”He told me absolutely not,” that it would have to be checked further, Dr. Pazienza recalled. He said he did not know what was finally done with the information.

    General Santovito was forced to resign after his name was found on the membership list of the secret Masonic lodge Propaganda 2, called P-2, which was accused of conspiring against the state. He died in 1984.

    Denies Belonging to Lodge

    Dr. Pazienza said he had never belonged to P-2 and had never met its leader, Licio Gelli, who escaped from a Swiss jail in 1983 and remains at large.

    Dr. Pazienza said he had also received information from the Palestinian source that certain duty-free trucks, known in Europe as TIR from their license plates, were arriving in Italy from Bulgaria with arms. But he said General Santovito ruled out stopping such trucks for fear of an international incident in the event the cargo proved harmless.

    This detail may be significant, because one of the few independently verifiable facts Mr. Agca has given as evidence was the existence of a TIR truck near the Bulgarian Embassy in Rome that was supposed to have whisked him away after the attack on the Pope. Soviet bloc governments have charged that the information was fed to him by Italian intelligence.

    Dr. Pazienza also said that he had learned from Customs agents that Stefano della Chiaie, a rightist fugitive wanted in the 1980 bombing of the Bologna train station that killed 85 people, had been reported seen in Miami in the company of a Turk. A report in the Italian Communist newspaper L’Unita quoted unidentified American Customs officials as identifying the Turk as Oral Celik, a principal defendant in the Rome trial of the purported plot against the Pope. Mr. Agca has said Mr. Celik was with him in St. Peter’s Square the day the Pope was shot.

    ———-

    “ITALIAN EX-AGENT ORDERED EXTRADITED FROM U.S.” by RALPH BLUMENTHAL; The New York Times; 09/12/1985

    “The prisoner, Dr. Francesco Pazienza, a 39-year-old nonpracticing physician, has long been a subject of keen interest in Italy, where his name has also cropped up in investigations of the shooting of Pope John Paul II and of the purported plottings of a rightist underground.”

    Sounds like a great guy: an alleged P-2 lodge member with ties to the assassination attempt on Pope John Paul II. And who were his oil venture business partners? Robert Armao and Marc Rich:


    As recently as last year, Dr. Pazienza said, he sought to be helpful to the Americans by trying to negotiate a renewal of the lease for a United States intelligence tracking station in the Seychelles. He said he and two partners were then exploring an oil venture with the Indian Ocean island nation off the east coast of Africa.

    He identified the partners as Robert Armao and Marc Rich. Mr. Rich is a commodities broker now under criminal investigation in the United States in connection with tax evasion charges, for which he has already paid a $200 million civil settlement.

    Mr. Armao, head of a New York public relations company and a former adviser to the Shah of Iran, largely confirmed Mr. Pazienza’s account. But he said that while a Marc Rich subsidiary had been involved in their discussions, the oil venture never came about.

    So that’s a taste of Mr. Armao’s past dealings. And now we can add Felix Sater’s schemes to export Ukrainian nuclear energy in partnership with a Radical Party/Pravy Sektor Ukrainian politician to the list.

    Posted by Pterrafractyl | July 27, 2017, 3:19 pm
  12. Scott Ritter, the former UN weapons inspector who warned the world in the lead up to the Iraq war that it was unlikely that Iraq possessed weapons of mass destruction, has a post on the recent memorandum put out by the Veterans for Intelligence Sanity (VIPS). That’s the memorandum that endorses the findings of “The Forensicator” based on timestamp metadata from a Sept 13th, 2016 DNC document dump by “Guccifer 2.0” that concluded that the dumped documents must have been removed from the DNC via a flash drive, thus strongly suggesting a DNC insider or infiltrator was the source of the documents. As noted above, those findings are suspect because there is no reason whatsoever to conclude the timestamps of the dumped documents in any way reflect the timestamps of the initial removal of those files and yet The Forensicator’s analysis never even mentions that possibility and behaves as if their analysis is rock solid proof of something. Ritter’s piece makes those same critiques. And as Ritter notes, he himself is a member of the Veterans for Intelligence Sanity, but chose not to sign on to this particular memorandum. But as he also notes, the mistaken endorsement of this analysis by The Forensicator is by no means a reason to discount the myriad of major problems with the official DNC 2016 hacks investigation that have been raised by the VIPS and others:

    TruthDig

    Time to Reassess the Roles Played by Guccifer 2.0 and Russia in the DNC ‘Hack’

    By Scott Ritter
    Posted on Jul 27, 2017

    Editor’s note: The writer is a member of Veteran Intelligence Professionals for Sanity (VIPS), but he was not a signer of the July 24 memorandum that figures prominently in this article.

    The current American political canonical theology holds as an incontrovertible truth that Russia meddled in the 2016 presidential election. According to this dogma, which has been actively promulgated by former and current government officials and echoed by an unquestioning mainstream media, Russian intelligence services, directed by President Vladimir Putin, conducted cyber-operations against targets associated with the U.S. election for the purpose of denigrating the Democratic candidate, Hillary Clinton, to help her opponent, Donald Trump.

    It was with some interest, therefore, that I read a memorandum published earlier this week by a group of retired intelligence professionals who, like the president, dare to challenge the conventional wisdom of attributing to Russia the cyberattacks against the Democratic National Committee (DNC) in 2016 and the subsequent release of information obtained for the ostensible purpose of harming the candidacy of Clinton. This group, Veteran Intelligence Professionals for Sanity (VIPS), used a portion of its collective experience to closely examine a forensic analysis of metadata-related information that the U.S. intelligence community and its supporters in Congress claimed was “hacked” by Russia. Documents from the DNC were copied by the persona Guccifer 2.0 on July 5, 2016, collated on Sept. 1 and released to select members of the press on Sept. 13.

    The men and women who compose VIPS have, in their prior lives, briefed U.S. presidents and members of Congress. They have served as national intelligence officers, FBI special agents, CIA case officers, National Security Agency (NSA) technical directors, Defense Intelligence Agency and State Department analysts, and more. Their expertise is drawn from decades of highly sensitive work within the three agencies—the Central Intelligence Agency, the Federal Bureau of Investigation and the NSA—responsible for preparing the U.S. intelligence communities’ assessment of Russian meddling and within most, if not all, of the other agencies that make up the U.S. intelligence community.

    These are rational people whose collective body of work has always been in direct support of the national interest and never against it. They cut across the American political spectrum, holding views that are liberal, conservative and moderate—sometimes simultaneously, as is fitting those intellects that have been conditioned to be open to considering all sources of information. Since 2003, VIPS has published 50 memorandums similar to the one published this week, all addressing current issues on which the intelligence background of its collective membership could weigh in credibly. Like any intelligence collective, the group strives for accuracy but is susceptible to the all-too-human trait of fallibility. The retired professionals of VIPS, like their active counterparts, sometimes get it wrong.

    I agree with the argument of the July 24 VIPS memorandum that takes issue with the Jan. 6, 2017, Intelligence Community Assessment (ICA) on Russian meddling. This NIA evaluation assessed “with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona … to release U.S. victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.” The assessments contained within the Russia ICA, which lies at the very heart of the ongoing controversy surrounding accusations of collusion by people affiliated with the Trump presidential campaign and Russia, is demonstrably wrong. The VIPS memorandum to President Trump is a valuable contribution to a larger discussion of the intelligence community’s erroneous assessment that is, otherwise, lacking.

    The heart of the VIPS memorandum can be found in two paragraphs that relate to Guccifer 2.0 and his alleged involvement in the cyberattack against the DNC:

    After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.

    Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. [Boldface in original.] Of equal importance, the forensics show that the copying and doctoring were performed on the East Coast of the U.S.

    Two issues emerge from these passages. First, the ICA contends that Guccifer 2.0 accessed data from the DNC through a “cyber operation.” Technically, this could mean anything involving computers, including remote hacking and/or direct data removal using an external storage device, such as a thumb drive. However, Guccifer 2.0 has claimed he accessed the DNC server through remote hacking, and an investigation of unauthorized intrusions into the DNC server conducted by a private cybersecurity company, CrowdStrike, has attributed the theft of data to a hacking operation ostensibly overseen by Russian military intelligence, or the GRU. The FBI has endorsed the findings of CrowdStrike when it comes to the cyber-intrusion into the DNC server. As such, there is little doubt that the NIA is referring to a remote hack when it speaks of a “cyber operation” involving the DNC.

    The analysis contained in the VIPS memorandum contradicts such an assertion. Unfortunately, this conclusion is not supported by the data. I reached out to the forensic analysts who conducted the analysis of the metadata in question. They have stated that there is no way to use the available metadata to determine where the copying of the data was done. In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016. These same analysts also note that the July 5 date that is pervasive on the metadata probably overwrote all prior modification times, meaning it is impossible to ascertain if there were any prior copy operations.

    The VIPS memorandum also speaks of the insertion of “telltale” signs into data copied from the DNC server designed to implicate Russia. I have reached out to the analysts responsible for this assertion, and it appears that they mistakenly attributed actual document manipulation from an earlier date to the July 5 data transfer event. This in no way minimizes the seriousness of the underlying charge—other credible cyber-investigators have proved such data insertion on documents previously published by Guccifer 2.0 on June 15, 2016. Metadata analysis of several Word documents related to that release clearly shows that the contents of at least four documents were cut from the original document and then pasted into a Word template specifically set up for the Cyrillic alphabet, and which showed document attribution, in the Cyrillic alphabet, to “Felix Edmundovich,” the first name and patronymic of the founder of the Soviet intelligence service.

    This cut-and-paste activity was conducted after the documents were accessed by Guccifer 2.0, which means Guccifer 2.0, for no practical reason whatsoever, manipulated documents in a way that created the impression of a Russian connection at the same time he was denying any such link. While the July 5 event cannot be used to argue a continuation of the document manipulation that transpired on June 15, it is clear that the false Russian attribution that arose from this manipulation carried over when the July 5 data was finally released, on Sept. 13. “The DNC is the victim of a crime—an illegal cyberattack by Russian state-sponsored agents who seek to harm the Democratic Party and progressive groups in an effort to influence the presidential election” Donna Brazile, the interim chair of the Democratic Party at the time, proclaimed in an official statement after the documents were released by Guccifer 2.0.

    The implications of the conclusions reached in the VIPS memorandum (if not the actual technical analysis it relied on) are staggering: The DNC “hack” was actually a cyber-theft perpetrated by an insider with direct access to the DNC server, who then deliberately doctored documents to make them look as if they had been accessed by a Russian-speaking actor prior to releasing them to the public. This is not the narrative being pushed by the U.S. intelligence, Congress and the mainstream media. Moreover, if true, the conclusions reached by VIPS point to a broader conspiracy within the United States to undermine the credibility of an admittedly unpopular, yet legitimately elected president that borders on sedition.

    These are serious allegations that should not be made lightly. Indeed, if I were acting solely on the information contained within the VIPS memorandum, I would hesitate to make them—the issue of download rates for a data set dated July 5, 2016, seems irrelevant for a cyber-intrusion alleged to have taken place in April-May of 2016. Either Guccifer 2.0 regained access to the DNC server in an as-of-yet-unreported (and unclaimed) cyber-operation, or the download involved data previously removed from the DNC server, and, as such, is apropos of nothing. The VIPS memorandum does not provide any technical data that would sustain a finding that the information in question was physically in the possession of the DNC on July 5, 2016—the day Guccifer 2.0 supposedly oversaw the transmission from its point of origin. Indeed, the analysts say that assertion cannot be derived from the data.

    Such attention to detail, normally the signature of solid intelligence analysis, is not needed in this case. The VIPS memorandum serves a larger purpose here: It questions a premise that has become de rigueur in the national narrative—that Guccifer 2.0 was a Russian actor. “Guccifer 2.0 is known to be the Russians,” Brian Fallon, the press secretary for Hillary Clinton, opined in September 2016. Democratic operatives made similar statements throughout the summer and fall of 2016.

    On Oct. 6, 2016, the Office of the Director of National Intelligence and the Department of Homeland Security published a joint statement that noted that the “recent disclosures of alleged hacked e-mails” by Guccifer 2.0 (and others) “are consistent with the methods and motivations of Russian-directed efforts,” without further elaboration beyond declaring that “the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”

    Rep. Schiff, the aforementioned Democratic co-chair of the House Intelligence Committee, stated in March 2017 that “a hacker who goes by the moniker, Guccifer 2.0, claims responsibility for hacking the DNC and giving the documents to WikiLeaks. … The U.S. intelligence community also later confirmed that the documents were in fact stolen by Russian intelligence, and Guccifer 2.0 acted as a front.”

    The problem is that there simply isn’t any hard data in the public domain to back up these statements of fact. What is known is that a persona using the name Guccifer 2.0 published documents said to be sourced from the DNC on several occasions starting from June 15, 2016. Guccifer 2.0 claims to have stolen these documents by perpetrating a cyber-penetration of the DNC server. However, the hacking methodology Guccifer 2.0 claims to have employed does not match the tools and techniques allegedly uncovered by the cybersecurity professionals from CrowdStrike when they investigated the DNC intrusion. Moreover, cyber-experts claim the Guccifer 2.0 “hack” could not have been executed as he described.

    What CrowdStrike did claim to have discovered is that sometime in March 2016, the DNC server was infected with what is known as an X-Agent malware. According to CrowdStrike, the malware was deployed using an open-source, remote administration tool known as RemCom. The malware in question, a network tunneling tool known as X-Tunnel, was itself a repurposed open-source tool that made no effort to encrypt its source code, meaning anyone who gained access to this malware would be able to tell exactly what it was intended to do.

    CrowdStrike claimed that the presence of the X-Agent malware was a clear “signature” of a hacking group—APT 28, or Fancy Bear—previously identified by German intelligence as being affiliated with the GRU, Russian military intelligence. Additional information about the command and control servers used by Fancy Bear, which CrowdStrike claims were previously involved in Russian-related hacking activity, was also reported.

    The CrowdStrike data is unconvincing. First and foremost, the German intelligence report it cites does not make an ironclad claim that APT 28 is, in fact, the GRU. In fact, the Germans only “assumed” that GRU conducts cyberattacks. They made no claims that they knew for certain that any Russians, let alone the GRU, were responsible for the 2015 cyberattack on the German Parliament, which CrowdStrike cites as proof of GRU involvement. Second, the malware in question is available on the open market, making it virtually impossible to make any attribution at all simply by looking at similarities in “tools and techniques.” Virtually anyone could have acquired these tools and used them in a manner similar to how they were employed against both the German Parliament and the DNC.

    The presence of open-source tools is, in itself, a clear indicator that Russian intelligence was not involved. Documents released by Edward Snowden show that the NSA monitored the hacking of a prominent Russian journalist, Anna Politkovskaya, by Russian intelligence, “deploying malicious software which is not available in the public domain.” The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.

    Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers have been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration.

    Which brings up perhaps the most curious aspect of this entire case: The DNC servers at the center of this controversy were never turned over to the FBI for forensic investigation. Instead, the FBI had to rely upon copies of the DNC server data provided by CrowdStrike. The fact that it was CrowdStrike, and not the FBI, that made the GRU attribution call based upon the investigation of the alleged cyber-penetration of the DNC server is disturbing. As shown here, there is good reason to doubt the viability of the CrowdStrike analysis. That the FBI, followed by the U.S. Congress, the U.S. intelligence community, and the mainstream media, has parroted this questionable assertion as fact is shocking.

    The Guccifer 2.0 story is at the center of the ongoing controversy swirling around the Trump White House concerning allegations of collusion with Russia regarding meddling in the 2016 presidential election. While APT 28/Fancy Bear is not the only alleged Russian hacking operation claimed to have been targeting the DNC, it is the one that has been singled out as “weaponizing” intelligence—employing stolen documents for the express purpose of altering public opinion against Hillary Clinton. This act has been characterized as an attack against America, and was cited by President Barack Obama when he imposed sanctions on Russia in December 2016 and expelled 35 Russian diplomats. Congress has also referred to this “attack” as the principal justification for a bill seeking new and tougher sanctions targeting Russia.

    The stakes could not be higher. The American people would do well to demand a proper investigation into what actually transpired at the DNC in the spring of 2016. To date there has been no examination worthy of the name regarding the facts that underpin the accusations at the center of the American argument against Russia—that the GRU hacked the DNC server and used Guccifer 2.0 as a conduit for the release of stolen documents in a manner designed to influence the American presidential election. The VIPS memorandum of July 24, 2017, questions the veracity of these claims. I believe these doubts are well founded.

    ———-

    “Time to Reassess the Roles Played by Guccifer 2.0 and Russia in the DNC ‘Hack’” by Scott Ritter; TruthDig; 07/27/2017

    “The analysis contained in the VIPS memorandum contradicts such an assertion. Unfortunately, this conclusion is not supported by the data. I reached out to the forensic analysts who conducted the analysis of the metadata in question. They have stated that there is no way to use the available metadata to determine where the copying of the data was done. In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016. These same analysts also note that the July 5 date that is pervasive on the metadata probably overwrote all prior modification times, meaning it is impossible to ascertain if there were any prior copy operations.”

    Yep, The Forensicator’s analysis is indeed one possible interpretation of the available data. But it is only one of many possibilities that fit the data. And yet it is being treated as some sort of rock solid proof that that one possible scenario – that a USB flash drive was used on July 5th to remove those DNC documents (which are separate from the dumped emails) – is the only scenario reasonably supported by the available evidence. Don’t forget that Wikileaks was heavily pushing the “Seth Rich may have been our source and was murdered by the DNC” meme well before the September 13, 2016, dump of those DNC documents, so that alone could have been incentive enough to modify the dump document timestamps to July 5th, five days before Rich’s murder. Again, the key problem with The Forensicator’s analysis is that timestamp metadata can be set to anything and there’s no way to know how many times it’s been modified. Thus, it tells us nothing about when the dump documents were initially removed from the DNC server.

    And as Ritter goes on to critique The Forensicator’s findings, he notes that the mistaken endorsement by the VIPS should in no way downplay the many other issues with the widely accepted conclusions about what actually happened:


    The VIPS memorandum also speaks of the insertion of “telltale” signs into data copied from the DNC server designed to implicate Russia. I have reached out to the analysts responsible for this assertion, and it appears that they mistakenly attributed actual document manipulation from an earlier date to the July 5 data transfer event. This in no way minimizes the seriousness of the underlying charge—other credible cyber-investigators have proved such data insertion on documents previously published by Guccifer 2.0 on June 15, 2016. Metadata analysis of several Word documents related to that release clearly shows that the contents of at least four documents were cut from the original document and then pasted into a Word template specifically set up for the Cyrillic alphabet, and which showed document attribution, in the Cyrillic alphabet, to “Felix Edmundovich,” the first name and patronymic of the founder of the Soviet intelligence service.

    This cut-and-paste activity was conducted after the documents were accessed by Guccifer 2.0, which means Guccifer 2.0, for no practical reason whatsoever, manipulated documents in a way that created the impression of a Russian connection at the same time he was denying any such link. While the July 5 event cannot be used to argue a continuation of the document manipulation that transpired on June 15, it is clear that the false Russian attribution that arose from this manipulation carried over when the July 5 data was finally released, on Sept. 13. “The DNC is the victim of a crime—an illegal cyberattack by Russian state-sponsored agents who seek to harm the Democratic Party and progressive groups in an effort to influence the presidential election” Donna Brazile, the interim chair of the Democratic Party at the time, proclaimed in an official statement after the documents were released by Guccifer 2.0.

    The implications of the conclusions reached in the VIPS memorandum (if not the actual technical analysis it relied on) are staggering: The DNC “hack” was actually a cyber-theft perpetrated by an insider with direct access to the DNC server, who then deliberately doctored documents to make them look as if they had been accessed by a Russian-speaking actor prior to releasing them to the public. This is not the narrative being pushed by the U.S. intelligence, Congress and the mainstream media. Moreover, if true, the conclusions reached by VIPS point to a broader conspiracy within the United States to undermine the credibility of an admittedly unpopular, yet legitimately elected president that borders on sedition.

    These are serious allegations that should not be made lightly. Indeed, if I were acting solely on the information contained within the VIPS memorandum, I would hesitate to make them—the issue of download rates for a data set dated July 5, 2016, seems irrelevant for a cyber-intrusion alleged to have taken place in April-May of 2016. Either Guccifer 2.0 regained access to the DNC server in an as-of-yet-unreported (and unclaimed) cyber-operation, or the download involved data previously removed from the DNC server, and, as such, is apropos of nothing. The VIPS memorandum does not provide any technical data that would sustain a finding that the information in question was physically in the possession of the DNC on July 5, 2016—the day Guccifer 2.0 supposedly oversaw the transmission from its point of origin. Indeed, the analysts say that assertion cannot be derived from the data.

    Such attention to detail, normally the signature of solid intelligence analysis, is not needed in this case. The VIPS memorandum serves a larger purpose here: It questions a premise that has become de rigueur in the national narrative—that Guccifer 2.0 was a Russian actor. “Guccifer 2.0 is known to be the Russians,” Brian Fallon, the press secretary for Hillary Clinton, opined in September 2016. Democratic operatives made similar statements throughout the summer and fall of 2016.


    So that’s where we are: despite the fact that the analysis by The Forensicator endorsed by VIPS has some glaring holes, at this point simply having a group like the VIPS raise questions of the official findings is net helpful in this situation, especially since the memorandum included other critiques beyond just the findings of The Forensicator. Although sending out a memorandum that noted the Forensicator’s analysis and the problems with it would have been more helpful.

    Posted by Pterrafractyl | July 29, 2017, 1:34 pm
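
The timestamp argument in the comment above, as an added example that is not part of the comment or of Ritter's article: a transfer rate computed from file modification times describes only the most recent write of those times, which a plain copy resets and `os.utime` can set to any value. The file names, sizes and dates are constructed, and `implied_rate` is a simplified stand-in for a timestamp-based speed estimate, not The Forensicator's actual method.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

NS = 1_000_000_000

# Constructed dates, chosen only to echo the months discussed above.
EARLIER = int(datetime(2016, 5, 1, 12, 0, tzinfo=timezone.utc).timestamp())
LATER = int(datetime(2016, 7, 5, 22, 0, tzinfo=timezone.utc).timestamp())


def stamp_sequence(folder, start_s, gap_s):
    """Give the files (in name order) mtimes gap_s seconds apart from start_s."""
    for i, path in enumerate(sorted(Path(folder).iterdir())):
        t = (start_s + i * gap_s) * NS
        os.utime(path, ns=(t, t))  # sets atime and mtime to any chosen value


def mtimes_ns(folder):
    return [p.stat().st_mtime_ns for p in Path(folder).iterdir()]


def implied_rate(folder):
    """Bytes per second implied by the span between first and last mtime."""
    total = sum(p.stat().st_size for p in Path(folder).iterdir())
    times = mtimes_ns(folder)
    span_s = (max(times) - min(times)) / NS
    return float("inf") if span_s == 0 else total / span_s


def copy_files(src, dst, preserve_times):
    """Copy every file; copy2 keeps mtimes, copyfile stamps the copy with 'now'."""
    os.makedirs(dst)
    copier = shutil.copy2 if preserve_times else shutil.copyfile
    for path in Path(src).iterdir():
        copier(path, Path(dst) / path.name)


def demo():
    base = Path(tempfile.mkdtemp())
    try:
        # Constructed "first acquisition": 5 files of 100 kB, written 10 s apart.
        original = base / "original"
        original.mkdir()
        for i in range(5):
            (original / f"doc{i}.bin").write_bytes(b"\0" * 100_000)
        stamp_sequence(original, EARLIER, 10)
        original_rate = implied_rate(original)

        # A metadata-preserving copy carries the old times (and old rate) along.
        preserved = base / "preserved"
        copy_files(original, preserved, preserve_times=True)

        # A plain copy discards them: every mtime now postdates the originals.
        plain = base / "plain"
        copy_files(original, plain, preserve_times=False)
        lost = min(mtimes_ns(plain)) > max(mtimes_ns(original))

        # Anyone holding the files can then write whatever times they like.
        stamp_sequence(plain, LATER, 1)
        first = datetime.fromtimestamp(min(mtimes_ns(plain)) // NS, tz=timezone.utc)

        return {
            "original_rate": original_rate,
            "preserved_rate": implied_rate(preserved),
            "plain_copy_lost_dates": lost,
            "restamped_rate": implied_rate(plain),
            "restamped_first": first.isoformat(),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same five files yield 12,500 B/s or 125,000 B/s depending only on which timestamps were written last, so the figure constrains the last stamping event and nothing earlier.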
  13. Following on the reports about the plans of Felix Sater and Andrey (Andreii/Andrii) Artemenko – the Ukrainian ‘pro-Russian’ politician behind the alleged ‘pro-Russian’ peace plan that Felix Sater had Michael Cohen hand deliver to Michael Flynn – to build up Ukraine’s nuclear energy sector as a means of freeing Ukraine from its dependence on Russian energy, here’s some more background info on Artemenko’s politics and business in an article in the Kyiv Post. And note the date of the article: February 20, 2017, which is one day after this ‘peace plan’ was initially reported in the New York Times. It highlights the fact that Ukrainian press was making it very clear very early on after this story broke that this guy’s political pedigree was anti-Russian in the extreme, with close ties to Right Sector/Pravy Sektor.

    The article also notes another interesting aspect of Artemenko’s business background: from 2007-2013, he founded several companies that provided military logistics services into the Middle Eastern conflict zones and traveled to Saudi Arabia, Syria, and Qatar for business trips.

    So a guy with a conflict-zone military supply business and ties to the virulently anti-Russian Right Sector and who was also working on breaking Ukraine’s dependence on Russian energy is the guy behind the ‘pro-Russian’ peace plan:

    Kyiv Post

    Andrey Artemenko: Who is this Ukrainian member of parliament with the peace plan?

    By Veronika Melkozerova.
    Published Feb. 20. Updated Feb. 20 at 8:24 pm

    Now ex-Radical Party member of parliament Andrey Artemenko came under criticism from all sides after the New York Times revealed on Feb. 19 that he was trying to broker his own peace plan to end Russia’s war against Ukraine.

    The plan was distinctly pro-Russian, but even the Russians rejected it and his freelance, amateurish diplomacy got him kicked out of his own party, although he remains a member of parliament.

    His ideas included leasing Crimea to Russia for 50 years and the lifting of economic sanctions against Russia by U.S. President Donald J. Trump.

    Dmitry Peskov, Vladimir Putin’s press secretary, denied prior knowledge of the sealed plan, which includes a suggestion that Ukraine lease Crimea to Russia, which annexed the region in 2014, the Telegraph in London quoted him as saying. “There’s nothing to talk about. How can Russia rent its own region from itself?” Peskov said.

    Artemenko described himself to the New York Times as a Trump-style politician.

    The 48-year-old lawmaker’s biography is colorful and controversial: He has a wife who is a model, he served 2.5 years in prison without a trial, he has business in U.S and he is involved in the military trade to the war zones in the Middle East. At home, he has close ties with the ultra-nationalistic Right Sector.

    “I demand Andrey Artemenko discard as a lawmaker. He has no rights to represent our faction and party. Our position is unchangeable – Russia is the aggressor and must get away from Ukrainian territories,” Oleh Lyashko, Radical Party leader said to the journalist in Verkhovna Rada on Feb. 20.

    “Nobody in Radical Party trades Ukraine,” Lyashko said. “To lease Crimea to Russia is the same as to give your own mother for rent to the traveling circus.”

    Artemenko told the New York Times that many people would criticize him as a Russian or American C.I.A. agent for his plan, but peace is what he’s after.

    “But how can you find a good solution between our countries if we do not talk?” Artemenko said.

    Before the New York Times story, Artemenko wasn’t famous. He may see himself as the next president of Ukraine, but others saw him as just another gray cardinal.

    Family, business in U.S.

    Artemenko hasn’t filed electronic declaration for 2016.

    However, according to his previous e-declaration in 2015, Artemenko has a wife, model Oksana Kuchma and four children, including two with U.S. citizenship — Edward Daniel, Amber Katherine. The children from the first marriage, Vitaly and Kristina Artemenko (Kraskovski), have Ukrainian citizenship but live in Ontario, Canada with their mother’s husband. In 2014 Artemenko’s elder daughter Kristina gave birth to Artemenko’s grandson.

    Artemenko owns land plots of 14,000 square meters and 5,000 square meters in Vyshenki village of Kyiv Oblast.
    And his wife Oksana Kuchma is not only a model but a businesswoman. According to Artemenko’s e-declaration, Kuchma has a land plot of 3,000 square meters and a house in Gnidyn village of Kyiv Oblast, an 850 square meter apartment in Lviv Oblast’s Zhovkva and also a 127-square meter apartment in Kyiv under construction.

    Artemenko also owns three luxury watches: De Grisogono (Hr 127,500), De Grisogono –Geneve (Hr 123,450), Franck Muller (Hr 118,950) and several luxury cars.

    Kuchma owns a company OKSY GLOBAL LLC, registered in the U.S. and also the private avian-transportation company, the Aviation Company Special Avia Alliance registered in Kyiv at the same address as the company Global Business Group GMBh, Artemenko used to work as a deputy director before he came to Rada after the parliament elections in 2014.
    According to the Ministry of Justice registry, the Global Business Group GMBh provides the variety of services: vehicles trade, various goods trade, restaurants business and business consulting.

    The shareholder of the Global Business Group GMBh is also a U.S. based company Global Assets Inc., registered in Miami, Florida.

    Start from Kyiv

    Artemenko came into politics after business and jail. According to the biography on his official website, in the early 1990s he founded a law firm that advocated the interests of professional athletes and then he became a president of CSK Kyiv soccer club. In 1998-2000, he was the adviser of then Kyiv Mayor Oleksandr Omelchenko, a member and one of the founders of his party Unity.

    In 2002, Artemenko was arrested by the Prosecutor’s General Office of Ukraine on accusations of money laundering and kept in pre-trial detention for more than two years. However, he successfully challenged his imprisonment as illegal and groundless. He said prosecutors were persecuting him in hopes of getting Omelchenko, who was also suspected of money laundering.

    In 2004, Artemenko was released from pre-trial detention center Lukyanivske on bail of Mikhail Dobkin, a Party of Regions lawmaker.

    But in 2006 he became the head of the Kyiv department of Batkivshchyna Party, led by now ex-Prime Minister Yulia Tymoshenko.

    In 2007-2013 Artemenko founded several companies that provided military logistics services into the conflict zones and traveled to Saudi Arabia, Syria, and Qatar for business trips.

    Since 2013 he has his own charity foundation that helps internally displaced persons from the war-torn Donbas.

    True patriot?

    Artemenko came to the Verkhovna Rada in 2014 as a Radical Party lawmaker (16th on the party’s list). According to the parliament’s website, Artemenko is the deputy head of the European Integration Committee and responsible for diplomatic connections with Saudi Arabia, Qatar, United States, Kuwait, Lithuania and Belarus.

    The lawmaker took an active part in EuroMaidan Revolution in 2013-2014 that deposed President Viktor Yanukovych.
    In 2014 he joined the Right Sector political party and was rumored to be one of the sponsors of its leader, Dmytro Yarosh, during his presidential election campaign in 2014.

    There is even a photo of Artemenko, seated among the Right Sector Party founders at the first party meeting in March 2014.
    Right Sector spokesperson Artem Skoropadsky told the Kyiv Post on Feb. 20 that he couldn’t confirm or deny whether Artemenko financed the Right Sector Party.

    “I was never into all the ‘financial stuff,’ but I have no information about him giving the money. I remember all those guys like him (Artemenko) and (Borislav) Bereza just came to us after March 22. They weren’t Right Sector members during the Revolution of Dignity,” said Skoropadsky.

    He said that after the end of EuroMaidan Revolution there was a “mess” in Right Sector. Dozens of people a day were coming to the activists only in Kyiv.

    “The ones who could afford it gave us money, others help in different ways. But as soon as we started building the structure of the organization, the guys like Artemenko and Bereza went to the other parties, came in Rada or other government structures,” Skoropadsky recalled.

    ———-

    “Andrey Artemenko: Who is this Ukrainian member of parliament with the peace plan?” by Veronika Melkozerova; Kyiv Post; 02/20/2017

    “The lawmaker took an active part in EuroMaidan Revolution in 2013-2014 that deposed President Viktor Yanukovych.
    In 2014 he joined the Right Sector political party and was rumored to be one of the sponsors of its leader, Dmytro Yarosh, during his presidential election campaign in 2014.”

    Rumored to have sponsored Dmytro Yarosh’s presidential run! That’s quite a rumor, and even if there’s no truth to it, it’s hard to ignore things like photos of Artemenko seated among the Right Sector Party founders at the first party meeting. That sure sounds like he’s a founder. Even if Right Sector doesn’t want to acknowledge this:


    There is even a photo of Artemenko, seated among the Right Sector Party founders at the first party meeting in March 2014.
    Right Sector spokesperson Artem Skoropadsky told the Kyiv Post on Feb. 20 that he couldn’t confirm or deny whether Artemenko financed the Right Sector Party.

    And there’s his interesting business background: starting several military logistics services companies that operate in conflict zones in the Middle East. And a private aviation company registered in Miami, Florida:


    The 48-year-old lawmaker’s biography is colorful and controversial: He has a wife who is a model, he served 2.5 years in prison without a trial, he has business in U.S and he is involved in the military trade to the war zones in the Middle East. At home, he has close ties with the ultra-nationalistic Right Sector.

    Kuchma owns a company OKSY GLOBAL LLC, registered in the U.S. and also the private avian-transportation company, the Aviation Company Special Avia Alliance registered in Kyiv at the same address as the company Global Business Group GMBh, Artemenko used to work as a deputy director before he came to Rada after the parliament elections in 2014.
    According to the Ministry of Justice registry, the Global Business Group GMBh provides the variety of services: vehicles trade, various goods trade, restaurants business and business consulting.

    The shareholder of the Global Business Group GMBh is also a U.S. based company Global Assets Inc., registered in Miami, Florida.

    In 2007-2013 Artemenko founded several companies that provided military logistics services into the conflict zones and traveled to Saudi Arabia, Syria, and Qatar for business trips.

    And then there’s this interesting bit of background on Artemenko’s work in the Ukrainian parliament: he was the deputy head of the European Integration Committee and responsible for diplomatic connections with Saudi Arabia, Qatar, United States, Kuwait, Lithuania and Belarus:


    Artemenko came to the Verkhovna Rada in 2014 as a Radical Party lawmaker (16th on the party’s list). According to the parliament’s website, Artemenko is the deputy head of the European Integration Committee and responsible for diplomatic connections with Saudi Arabia, Qatar, United States, Kuwait, Lithuania and Belarus.

    So Artemenko is the deputy head of the European Integration Committee and is responsible for diplomatic connections with Saudi Arabia, Qatar, United States, Kuwait, Lithuania and Belarus? European Integration and US diplomacy. That doesn’t sound like the assignments for a politician the rest of Ukraine’s politicians would consider ‘pro-Russian’.

    And regarding Artemenko’s responsibility for diplomatic connections with the US, note how, in the original New York Times article that broke the story about this whole secret ‘peace plan’ scheme, Artemenko talked on Facebook about how he was peddling his peace plan to American lawmakers and even attended Trump’s inauguration. He also traveled to Cleveland last year for the GOP’s National Convention and met with members of the Trump team. So it would appear that Mr. Artemenko had quite a bit of contact with the Trump team long before reports about this ‘secret peace plan’:

    The New York Times

    A Back-Channel Plan for Ukraine and Russia, Courtesy of Trump Associates

    By MEGAN TWOHEY and SCOTT SHANE
    FEB. 19, 2017

    A week before Michael T. Flynn resigned as national security adviser, a sealed proposal was hand-delivered to his office, outlining a way for President Trump to lift sanctions against Russia.

    Mr. Flynn is gone, having been caught lying about his own discussion of sanctions with the Russian ambassador. But the proposal, a peace plan for Ukraine and Russia, remains, along with those pushing it: Michael D. Cohen, the president’s personal lawyer, who delivered the document; Felix H. Sater, a business associate who helped Mr. Trump scout deals in Russia; and a Ukrainian lawmaker trying to rise in a political opposition movement shaped in part by Mr. Trump’s former campaign manager Paul Manafort.

    At a time when Mr. Trump’s ties to Russia, and the people connected to him, are under heightened scrutiny — with investigations by American intelligence agencies, the F.B.I. and Congress — some of his associates remain willing and eager to wade into Russia-related efforts behind the scenes.

    Mr. Trump has confounded Democrats and Republicans alike with his repeated praise for the Russian president, Vladimir V. Putin, and his desire to forge an American-Russian alliance. While there is nothing illegal about such unofficial efforts, a proposal that seems to tip toward Russian interests may set off alarms.

    The amateur diplomats say their goal is simply to help settle a grueling, three-year conflict that has cost 10,000 lives. “Who doesn’t want to help bring about peace?” Mr. Cohen asked.

    But the proposal contains more than just a peace plan. Andrii V. Artemenko, the Ukrainian lawmaker, who sees himself as a Trump-style leader of a future Ukraine, claims to have evidence — “names of companies, wire transfers” — showing corruption by the Ukrainian president, Petro O. Poroshenko, that could help oust him. And Mr. Artemenko said he had received encouragement for his plans from top aides to Mr. Putin.

    “A lot of people will call me a Russian agent, a U.S. agent, a C.I.A. agent,” Mr. Artemenko said. “But how can you find a good solution between our countries if we do not talk?”

    Mr. Cohen and Mr. Sater said they had not spoken to Mr. Trump about the proposal, and have no experience in foreign policy. Mr. Cohen is one of several Trump associates under scrutiny in an F.B.I. counterintelligence examination of links with Russia, according to law enforcement officials; he has denied any illicit connections.

    While it is unclear if the White House will take the proposal seriously, the diplomatic freelancing has infuriated Ukrainian officials. Ukraine’s ambassador to the United States, Valeriy Chaly, said Mr. Artemenko “is not entitled to present any alternative peace plans on behalf of Ukraine to any foreign government, including the U.S. administration.”

    At a security conference in Munich on Friday, Mr. Poroshenko warned the West against “appeasement” of Russia, and some American experts say offering Russia any alternative to a two-year-old international agreement on Ukraine would be a mistake. The Trump administration has sent mixed signals about the conflict in Ukraine.

    But given Mr. Trump’s praise for Mr. Putin, John Herbst, a former American ambassador to Ukraine, said he feared the new president might be too eager to mend relations with Russia at Ukraine’s expense — potentially with a plan like Mr. Artemenko’s.

    It was late January when the three men associated with the proposed plan converged on the Loews Regency, a luxury hotel on Park Avenue in Manhattan where business deals are made in a lobby furnished with leather couches, over martinis at the restaurant bar and in private conference rooms on upper floors.

    Mr. Cohen, 50, lives two blocks up the street, in Trump Park Avenue. A lawyer who joined the Trump Organization in 2007 as special counsel, he has worked on many deals, including a Trump-branded tower in the republic of Georgia and a short-lived mixed martial arts venture starring a Russian fighter. He is considered a loyal lieutenant whom Mr. Trump trusts to fix difficult problems.

    The F.B.I. is reviewing an unverified dossier, compiled by a former British intelligence agent and funded by Mr. Trump’s political opponents, that claims Mr. Cohen met with a Russian representative in Prague during the presidential campaign to discuss Russia’s hacking of Democratic targets. But the Russian official named in the report told The New York Times that he had never met Mr. Cohen. Mr. Cohen insists that he has never visited Prague and that the dossier’s assertions are fabrications. (Mr. Manafort is also under investigation by the F.B.I. for his connections to Russia and Ukraine.)

    Mr. Cohen has a personal connection to Ukraine: He is married to a Ukrainian woman and once worked with relatives there to establish an ethanol business.

    Mr. Artemenko, tall and burly, arrived at the Manhattan hotel between visits to Washington. (His wife, he said, met the first lady, Melania Trump, years ago during their modeling careers, but he did not try to meet Mr. Trump.) He had attended the inauguration and visited Congress, posting on Facebook his admiration for Mr. Trump and talking up his peace plan in meetings with American lawmakers.

    He entered Parliament in 2014, the year that the former Ukrainian president Viktor Yanukovych fled to Moscow amid protests over his economic alignment with Russia and corruption. Mr. Manafort, who had been instrumental in getting Mr. Yanukovych elected, helped shape a political bloc that sprang up to oppose the new president, Mr. Poroshenko, a wealthy businessman who has taken a far tougher stance toward Russia and accused Mr. Putin of wanting to absorb Ukraine into a new Russian Empire. Mr. Artemenko, 48, emerged from the opposition that Mr. Manafort nurtured. (The two men have never met, Mr. Artemenko said.)

    Before entering politics, Mr. Artemenko had business ventures in the Middle East and real estate deals in the Miami area, and had worked as an agent representing top Ukrainian athletes. Some colleagues in Parliament describe him as corrupt, untrustworthy or simply insignificant, but he appears to have amassed considerable wealth.

    He has fashioned himself in the image of Mr. Trump, presenting himself as Ukraine’s answer to a rising class of nationalist leaders in the West. He even traveled to Cleveland last summer for the Republican National Convention, seizing on the chance to meet with members of Mr. Trump’s campaign.

    “It’s time for new leaders, new approaches to the governance of the country, new principles and new negotiators in international politics,” he wrote on Facebook on Jan. 27. “Our time has come!”

    Mr. Artemenko said he saw in Mr. Trump an opportunity to advocate a plan for peace in Ukraine — and help advance his own political career. Essentially, his plan would require the withdrawal of all Russian forces from eastern Ukraine. Ukrainian voters would decide in a referendum whether Crimea, the Ukrainian territory seized by Russia in 2014, would be leased to Russia for a term of 50 or 100 years.

    The Ukrainian ambassador, Mr. Chaly, rejected a lease of that kind. “It is a gross violation of the Constitution,” he said in written answers to questions from The Times. “Such ideas can be pitched or pushed through only by those openly or covertly representing Russian interests.”

    The reaction suggested why Mr. Artemenko’s project also includes the dissemination of “kompromat,” or compromising material, purportedly showing that Mr. Poroshenko and his closest associates are corrupt. Only a new government, presumably one less hostile to Russia, might take up his plan.

    Mr. Sater, a longtime business associate of Mr. Trump’s with connections in Russia, was willing to help Mr. Artemenko’s proposal reach the White House.

    Mr. Artemenko said a mutual friend had put him in touch with Mr. Sater. Helping to advance the proposal, Mr. Sater said, made sense.

    “I want to stop a war, number one,” he said. “Number two, I absolutely believe that the U.S. and Russia need to be allies, not enemies. If I could achieve both in one stroke, it would be a home run.”

    After speaking with Mr. Sater and Mr. Artemenko in person, Mr. Cohen said he would deliver the plan to the White House.

    Mr. Cohen said he did not know who in the Russian government had offered encouragement on it, as Mr. Artemenko claims, but he understood there was a promise of proof of corruption by the Ukrainian president.

    “Fraud is never good, right?” Mr. Cohen said.

    He said Mr. Sater had given him the written proposal in a sealed envelope. When Mr. Cohen met with Mr. Trump in the Oval Office in early February, he said, he left the proposal in Mr. Flynn’s office.

    Mr. Cohen said he was waiting for a response when Mr. Flynn was forced from his post. Now Mr. Cohen, Mr. Sater and Mr. Artemenko are hoping a new national security adviser will take up their cause. On Friday the president wrote on Twitter that he had four new candidates for the job.

    ———-

    “A Back-Channel Plan for Ukraine and Russia, Courtesy of Trump Associates” by MEGAN TWOHEY and SCOTT SHANE; The New York Times; 02/19/2017

    “Mr. Artemenko, tall and burly, arrived at the Manhattan hotel between visits to Washington. (His wife, he said, met the first lady, Melania Trump, years ago during their modeling careers, but he did not try to meet Mr. Trump.) He had attended the inauguration and visited Congress, posting on Facebook his admiration for Mr. Trump and talking up his peace plan in meetings with American lawmakers.”

    And before Mr. Artemenko traveled to DC for Trump’s inauguration, he was at the GOP national convention to meet with Trump’s team:


    He has fashioned himself in the image of Mr. Trump, presenting himself as Ukraine’s answer to a rising class of nationalist leaders in the West. He even traveled to Cleveland last summer for the Republican National Convention, seizing on the chance to meet with members of Mr. Trump’s campaign.

    And note how the peace plan Artemenko was advocating, a plan widely characterized as obviously pro-Russian, didn’t even include that Crimea would be leased to Russia for 100 years. It was a plan for a public referendum on the question of whether or not Crimea would be leased to Russia for 100 years:


    “It’s time for new leaders, new approaches to the governance of the country, new principles and new negotiators in international politics,” he wrote on Facebook on Jan. 27. “Our time has come!”

    Mr. Artemenko said he saw in Mr. Trump an opportunity to advocate a plan for peace in Ukraine — and help advance his own political career. Essentially, his plan would require the withdrawal of all Russian forces from eastern Ukraine. Ukrainian voters would decide in a referendum whether Crimea, the Ukrainian territory seized by Russia in 2014, would be leased to Russia for a term of 50 or 100 years.

    A referendum that would almost certainly be rejected by Ukrainian voters. It’s not exactly the kind of plan the Kremlin is going to get excited about.

    And yet Artemenko kept pushing this plan, along with the kompromat on Poroshenko. Because it wasn’t just a peace plan. It was a peace plan characterized as one that only a different future Ukrainian government could endorse, hence the kompromat:


    The Ukrainian ambassador, Mr. Chaly, rejected a lease of that kind. “It is a gross violation of the Constitution,” he said in written answers to questions from The Times. “Such ideas can be pitched or pushed through only by those openly or covertly representing Russian interests.”

    The reaction suggested why Mr. Artemenko’s project also includes the dissemination of “kompromat,” or compromising material, purportedly showing that Mr. Poroshenko and his closest associates are corrupt. Only a new government, presumably one less hostile to Russia, might take up his plan.

    “Only a new government, presumably one less hostile to Russia, might take up his plan.”

    Yes, this ‘peace plan’ will first require getting rid of Poroshenko using the kompromat and ushering in a new government. And we’re supposed to believe a more ‘pro-Russian’ government would follow and that’s all part of Artemenko’s plan. The plan being offered by a far-right associate of virulently anti-Russian forces who have long wanted to see Poroshenko replaced with someone even more far-right and more virulently anti-Russian.

    So it’s looking a lot like that whole peace plan scheme was actually a ‘dump Poroshenko’ scheme by Ukraine’s far-right. Considering the rumblings coming from groups like the Azov Battalion about how Ukraine should get its own nuclear weapons, you have to wonder if the plans for building up Ukraine’s nuclear plants that Artemenko and Felix Sater involved the generation of something more explosive than electricity. After all, when Svoboda, Right Sector, and the Azov Battalion’s new “National Corps” parties signed a joint manifesto in March, their manifesto called for getting nukes for Ukraine:

    Kyiv Post

    Nationalists say Ukraine has right to nuclear weapons

    By Veronika Melkozerova.
    Published March 17. Updated March 17 at 4:36 pm

    Ukraine should have the right to arm itself again with nuclear weapons, according to a joint manifesto signed by three of the country’s nationalist parties on March 16 in Kyiv.

    The “National Manifesto” signed by Svoboda, Right Sector and National Corps – none of whom have any representation in parliament – calls for cooperation among the three to “fight for the prosperity of Ukraine as a powerful nation state.”

    Ukraine, which once had the third largest nuclear arsenal in the world, gave up the weapons in 1994 in exchange for security assurances from the United States, the United Kingdom and Russia under the Budapest Memorandum.

    The nationalists’ manifesto also includes reorienting Ukraine from the West and creating “a new European Union with the Baltic States.”

    They also said that Russian capital and businesses would be banned, and that “traditional values” should be promoted in the mass media.

    Speaking at the signing ceremony, Svoboda Party leader Oleh Tiahnybok slammed Ukraine’s current leadership for failing to “defend the interests of the Ukrainian nation.”

    “We saw that the democrats, liberals, and socialists … make shady deals, and do anything but stand for the interests of the masters of this land. Only nationalists, when they have the full power and authority, can develop the state in favor of all Ukrainians,” he said.

    However, Svoboda, Right Sector, and National Corps have no plans to unite into one organization or political party, Artem Skoropadsky, the spokesperson for Right Sector told the Kyiv Post on March 17.

    Moreover, the radical nationalists frequently have different views and adopt differing positions on a variety of issues.

    “The creation of a so-called nationalist bloc is nothing more than political PR,” Skoropadsky said. “Participation in elections is not our goal. We aim to take overall control and create a nation state.”

    Tiahnybok described the manifesto as more of a “coordination of efforts.”


    ———-
    “Nationalists say Ukraine has right to nuclear weapons” by Veronika Melkozerova; Kyiv Post; 03/17/2017

    “Ukraine should have the right to arm itself again with nuclear weapons, according to a joint manifesto signed by three of the country’s nationalist parties on March 16 in Kyiv.”

    And in addition to calling for nukes, they want Russian capital frozen out of the country, “traditional values” (i.e. far-right cultural norms) actively promoted by the mass media, and the formation of “a new EU with the Baltic States”. And they also slammed the current leadership (the leadership targeted by Artemenko’s kompromat on Poroshenko) for not doing enough to protect Ukraine’s interests:


    The nationalists’ manifesto also includes reorienting Ukraine from the West and creating “a new European Union with the Baltic States.”

    They also said that Russian capital and businesses would be banned, and that “traditional values” should be promoted in the mass media.

    Speaking at the signing ceremony, Svoboda Party leader Oleh Tiahnybok slammed Ukraine’s current leadership for failing to “defend the interests of the Ukrainian nation.”

    And how do these groups intend to obtain the political power required to achieve these manifesto objectives? Well, note the rather ominous warning from the Right Sector spokesperson:


    “The creation of a so-called nationalist bloc is nothing more than political PR,” Skoropadsky said. “Participation in elections is not our goal. We aim to take overall control and create a nation state.”

    Elections aren’t the goal. That’s the word from the Right Sector’s spokesperson to a Kyiv Post reporter reporting on this new ‘nationalist’/fascist manifesto. Although if there’s a bunch of scandalous kompromat that suddenly scandalizes Poroshenko, and presumably most non-far-right political parties too, and creates an opening for a far-right electoral surge, Right Sector and the rest of its allies will presumably be fine with obtaining power through elections.

    Posted by Pterrafractyl | July 31, 2017, 8:10 pm
  14. Here’s a potentially significant new twist to Robert Mueller’s special counsel investigation: Investigators are now investigating whether or not Michael Flynn was secretly paid by a foreign government in the final months of the 2016 campaign. But it’s not the Russian government. It’s an investigation into whether or not the Turkish government was secretly behind the payments for Flynn’s anti-Fethullah Gulen work. Work that the article describes as suspiciously slapdash for a $530,000 contract:

    Inovo ultimately paid the Flynn Intel Group only $530,000 and received little more than slapdash research and a comically inept attempt to make an anti-Gulen video, which was never completed. The entire enterprise would probably have gone unnoticed if Mr. Flynn had not written an opinion piece advocating improved relations between Turkey and the United States and calling Mr. Gulen “a shady Islamic mullah.”

    Part of what the investigators are reportedly interested in is whether or not certain refunds by the Flynn Intel Group back to the Turkish business who paid for his services constituted an illegal kickback.

    But here’s where it starts getting extra interesting: Flynn also recently amended his disclosure forms to include work for Cambridge Analytica’s parent SCL Group. And, intriguingly, investigators are now looking to the work of the White Canvas Group (actually, its spinoff VizSense), a data-mining company that was paid $200,000 by the Trump campaign for unspecified services. And as we’re going to see, White Canvas Group/VizSense appears to specialize in “military grade” social media campaigns (something similar to SCL’s military grade psy-op services) and the services it offered the Trump team involved creating social media targeting millennials. And as we’ll also see, its services include dark web search, which is extra interesting when you consider how right-wing operative Peter Smith’s team was not just working with Flynn (and Steve Bannon and Kellyanne Conway), but it was also searching the darkweb for signs of hackers who might have hacked Hillary Clinton’s personal email server. A quest that led them to Chuck Johnson and “Guccifer 2.0”, who both told them to contact Andrew Auernheimer.

    So, yeah, the Mueller investigation just started heading down a very interesting path:

    The New York Times

    Mueller Seeks White House Documents on Flynn

    By MATTHEW ROSENBERG, MATT APUZZO and MICHAEL S. SCHMIDT
    AUG. 4, 2017

    WASHINGTON — Investigators working for the special counsel, Robert S. Mueller III, recently asked the White House for documents related to the former national security adviser Michael T. Flynn, and have questioned witnesses about whether he was secretly paid by the Turkish government during the final months of the presidential campaign, according to people close to the investigation.

    Though not a formal subpoena, the document request is the first known instance of Mr. Mueller’s team asking the White House to hand over records.

    In interviews with potential witnesses in recent weeks, prosecutors and F.B.I. agents have spent hours poring over the details of Mr. Flynn’s business dealings with a Turkish-American businessman who worked last year with Mr. Flynn and his consulting business, the Flynn Intel Group.

    The company was paid $530,000 to run a campaign to discredit an opponent of the Turkish government who has been accused of orchestrating last year’s failed coup in the country.

    Investigators want to know if the Turkish government was behind those payments — and if the Flynn Intel Group made kickbacks to the businessman, Ekim Alptekin, for helping conceal the source of the money.

    The line of questioning shows that Mr. Mueller’s inquiry has expanded into a full-fledged examination of Mr. Flynn’s financial dealings, beyond the relatively narrow question of whether he failed to register as a foreign agent or lied about his conversations and business arrangements with Russian officials.

    Mr. Flynn lasted only 24 days as national security adviser, but his legal troubles now lie at the center of a political storm that has engulfed the Trump administration. For months, prosecutors have used multiple grand juries to issue subpoenas for documents related to Mr. Flynn.

    President Trump has publicly said Mr. Mueller should confine his investigation to the narrow issue of Russia’s attempts to disrupt last year’s presidential campaign, not conduct an expansive inquiry into the finances of Mr. Trump or his associates.

    After Mr. Flynn’s dismissal, Mr. Trump tried to get James B. Comey, the F.B.I. director, to drop the investigation, Mr. Comey said.

    Mr. Mueller is investigating whether Mr. Trump committed obstruction of justice in pressing for an end to the Flynn inquiry. The president fired Mr. Comey on May 9.

    Investigators are also examining the flow of money into and out of the Flynn Intel Group — a consulting firm Mr. Flynn founded after being forced out as the director of the Defense Intelligence Agency — according to several potential witnesses who have been interviewed by prosecutors and F.B.I. agents.

    Taking money from Turkey or any foreign government is not illegal. But failing to register as a foreign agent is a felony, and trying to hide the source of the money by routing it through a private company or some other entity, and then paying kickbacks to the middleman, could lead to numerous criminal charges, including fraud.

    Prosecutors have also asked during interviews about Mr. Flynn’s speaking engagements for Russian companies, for which he was paid more than $65,000 in 2015, and about his company’s clients — including work it may have done with the Japanese government.

    They have also asked about the White Canvas Group, a data-mining company that was reportedly paid $200,000 by the Trump campaign for unspecified services. The Flynn Intel Group shared office space with the White Canvas Group, which was founded by a former Special Operations officer who was a friend of Mr. Flynn’s.

    Mr. Flynn has now had to file three versions of his financial-disclosure forms. His first version did not disclose payments from Russia-linked companies. He added those payments to an amended version of the forms he submitted in March. This week he filed a new version, adding that he briefly had a contract with SCL Group, the parent company of Cambridge Analytica, a data-mining firm that worked with the Trump campaign.

    The new forms list at least $1.8 million in income, up from roughly the $1.4 million he had previously reported. It is unclear how much of that money was related to work Mr. Flynn did on Turkey issues.

    Mr. Flynn’s campaign to discredit the opponent of the Turkish government, Fethullah Gulen, began on Aug. 9 when his firm signed a $600,000 deal with Inovo BV, a Dutch company owned by Mr. Alptekin, the Turkish-American businessman.

    Mr. Gulen, a reclusive cleric, lives in rural Pennsylvania.

    The contract with Mr. Alptekin was brought in by Bijan R. Kian, an Iranian-American businessman who was one of Mr. Flynn’s business partners. Mr. Kian, who served until 2011 as a director of the Export-Import Bank, a United States federal agency, is also under scrutiny, according to witnesses questioned by Mr. Mueller’s investigators. A lawyer for Mr. Kian declined to comment.

    Inovo ultimately paid the Flynn Intel Group only $530,000 and received little more than slapdash research and a comically inept attempt to make an anti-Gulen video, which was never completed. The entire enterprise would probably have gone unnoticed if Mr. Flynn had not written an opinion piece advocating improved relations between Turkey and the United States and calling Mr. Gulen “a shady Islamic mullah.”

    The opinion piece appeared on Election Day. Soon after, The Daily Caller revealed that the Flynn Intel Group had a contract with Inovo, prompting the Justice Department to look into Mr. Flynn’s relationship with Mr. Alptekin.

    The authorities quickly determined that Mr. Flynn had not registered as a foreign agent, as required by law. In March, he retroactively registered with the Justice Department.

    Mr. Mueller’s investigators have asked repeatedly about two payments of $40,000 each that the Flynn Intel Group made to Inovo, said witnesses who have been interviewed in the case.

    The investigators have indicated that they suspect that the payments were kickbacks, and in one interview pointed to the suspicious timing of the transfers. The first payment back to Inovo was made on Sept. 13, four days after the Dutch company made its first payout under the contract, sending $200,000 to the Flynn Intel Group.

    On Oct. 11, Inovo paid the Flynn Intel Group an additional $185,000. Then, six days later, the Flynn Intel Group sent $40,000 to Inovo.

    Mr. Alptekin said that both payments were refunds for work that the Flynn Intel Group had not completed.

    “Ekim maintains that all payments and refunds were for unfulfilled work, and that they were legal, ethical and above board,” said Molly Toomey, a spokeswoman for Mr. Alptekin. She described the reimbursements as “a business decision.”

    Another focus for investigators is the repeatedly changing explanation Mr. Alptekin has offered for why he hired Mr. Flynn. In March, he told a reporter that Mr. Flynn had been hired “to produce geopolitical analysis on Turkey and the region” for an Israeli energy company. But in an interview with The New York Times in June, he said he wanted a credible American firm to help discredit Mr. Gulen, whom President Recep Tayyip Erdogan of Turkey has blamed for the coup attempt.

    “Like many Americans rolling up their sleeves in 9/11 to do something, I decided to do something,” Mr. Alptekin said.

    He scoffed at the suggestion that he was a front for the Turkish government. Inovo, he noted, was registered in the Netherlands, where it is difficult to mask the ownership of a company. A clear paper trail linked the payments between his company and the Flynn Intel Group, he said.

    “If we were trying to hide,” he said, “you’d think we’d be good at it.”

    ———-

    “Mueller Seeks White House Documents on Flynn” by MATTHEW ROSENBERG, MATT APUZZO and MICHAEL S. SCHMIDT; The New York Times; 08/04/2017

    “They have also asked about the White Canvas Group, a data-mining company that was reportedly paid $200,000 by the Trump campaign for unspecified services. The Flynn Intel Group shared office space with the White Canvas Group, which was founded by a former Special Operations officer who was a friend of Mr. Flynn’s.”

    Note that it’s not quite accurate that documents show that $200,000 was paid by the Trump team to White Canvas Group last year. As we’ll see below, the $200,000 was paid to Colt Ventures, a Dallas-based venture-capital firm owned by a figure close to Bannon and who reportedly met with Bannon frequently during the campaign. Colt Ventures is also an investor in VizSense. And VizSense was spun off from White Canvas Group.

    So while the potential kickbacks and secret payments from the Turkish government are indeed quite interesting, when it comes to the investigation into the 2016 hacks it’s the Colt Ventures/White Canvas Group/VizSense that is the far more interesting aspect of the investigation. Especially in light of the Trump campaign’s use of the military-grade psy-op services offered by the SCL Group, which we now learn briefly contracted Flynn too (which isn’t particularly shocking in this context, but still worth noting):


    Mr. Flynn has now had to file three versions of his financial-disclosure forms. His first version did not disclose payments from Russia-linked companies. He added those payments to an amended version of the forms he submitted in March. This week he filed a new version, adding that he briefly had a contract with SCL Group, the parent company of Cambridge Analytica, a data-mining firm that worked with the Trump campaign.

    So what exactly did VizSense do in service of the Trump campaign? Well, that’s unspecified. The Trump team goes as far as acknowledging it involved a social-media project that involved video-content creation and “millennial engagement” in the campaign’s final month and the founder reportedly frequently met with Steve Bannon. But as the following article shows, VizSense is described as a “DARPA” and has received numerous Pentagon contracts, including “deep and dark web capability and gap analysis.”

    So in light of the Peter Smith group efforts and their attempts to scour the dark web in search of ‘Russian hackers’ (recall they were advised by “Guccifer 2.0” to contact neo-Nazi hacker Andrew Auernheimer), and the work that Smith did with Flynn and Bannon, we now learn that White Canvas Group and VizSense are on the investigators’ radar:

    The Washington Post

    The mystery behind a Flynn associate’s quiet work for the Trump campaign

    By Matea Gold
    May 4, 2017

    Jon Iadonisi, a friend and business associate of former national security adviser Michael Flynn, had two under-the-radar projects underway in the fall of 2016.

    One of his companies was helping Flynn with an investigative effort for an ally of the Turkish government — details of which Flynn revealed only after he was forced to step down from his White House post.

    At the same time, Iadonisi was also doing work for the Trump campaign, although his role was not publicly reported, according to people familiar with his involvement.

    The project Iadonisi was engaged in for Trump’s campaign focused on social media, according to a person with knowledge of the arrangement. What that work consisted of — and why his company was not disclosed as a vendor in campaign finance reports — remains a mystery.

    The Trump campaign did not report any payments to Iadonisi or his firms. However, Federal Election Commission reports show that the Trump campaign paid $200,000 on Dec. 5 for “data management services” to Colt Ventures, a Dallas-based venture-capital firm that is an investor in VizSense, a social-media company co-founded by Iadonisi.

    The Washington Post made repeated inquiries to Iadonisi and other VizSense officials, but none responded to requests for comment.

    Michael Glassner, executive director of the Trump campaign committee, said invoices show Colt Ventures was paid for a social-media project that involved video-content creation and “millennial engagement” in the campaign’s final month. He declined to comment on why the payment went to a venture-capital firm and whether campaign officials were aware of the firm’s connection to VizSense and Iadonisi.

    It is common for political vendors to hire subcontractors whose work is not publicly reported. However, campaign committees cannot seek to avoid disclosure by paying an entity that does not have a legitimate relationship with the ultimate recipient, said Washington campaign-finance lawyer Daniel Petalas, who served as the FEC’s acting general counsel and head of enforcement.

    “A venture-capital company is certainly a strange entity for a campaign to be making an expenditure to, and I would want to look further to assess whether it was an appropriate recipient,” he said.

    Colt Ventures was founded by Darren Blanton, a Dallas investor who later served as an adviser to Trump’s transition. Blanton met frequently with Trump strategist Stephen K. Bannon at Trump Tower during the campaign, according to people who saw him there. Colt also sent a report to Bannon about work done for the campaign, according to a person familiar with the matter.

    It is unclear who approved the contract with Colt Ventures. Bannon declined to comment, but a White House official said Bannon is “not aware of any of these companies or contracts.”

    Blanton did not respond to requests for comment. However, shortly after The Post first contacted him, Colt Ventures updated an online list of companies that make up its investment portfolio and added VizSense.

    VizSense, based in Plano, Tex., promises on its website to “weaponize your brand’s influence” through “military-grade influencer marketing and intelligence services.”

    Iadonisi, a former Navy SEAL, started the company in 2015 with Tim Newberry, a nuclear engineer who served as a submarine officer. It was spun out of the duo’s consulting firm, White Canvas Group, which they once described as “a privatized DARPA,” a reference to the Pentagon’s research arm.

    White Canvas has received numerous Pentagon contracts, including nearly $150,000 last year from the Navy for “deep and dark web capability and gap analysis,” according to contracting records.

    In a 2015 interview with the Dallas Morning News, Iadonisi said VizSense helps clients track online video performance and identify which social-media users drive the most traffic. He said he witnessed the power of viral media firsthand while serving in Iraq.

    “We know of a lot of bad guys who were killing my friends, and they were really good at making viral videos,” Iadonisi said. “These videos catalyze, and now we can look at data.”

    Iadonisi, who worked with the CIA as a Navy SEAL, according to an online biography, has close ties to Flynn, a retired Army lieutenant general with whom he served in Iraq. His LinkedIn page features an endorsement from Flynn, who called Iadonisi “one of the best problem solvers I have ever worked with” and “an incredible asset for any organization.”

    In late December, the official VizSense account tweeted praise of Flynn, writing that he “is going to construct an NSC that is custom built for what America needs to be first!@DanScavino @GenFlynn @realDonaldTrump.”

    Flynn declined to comment through his attorney. But a person with knowledge of their relationship said Flynn has no stake in Iadonisi’s companies and received no financial benefit from any of Iadonisi’s campaign work.

    Until recently, Iadonisi and Flynn’s firms shared an office suite in Alexandria, Va. Flynn’s now-closed consultancy, Flynn Intel Group, rented space from White Canvas Group, according to a person familiar with the arrangement.

    And last fall, Flynn tapped White Canvas Group to help him investigate Fethullah Gulen, a Turkish Islamic cleric who lives in Pennsylvania, Justice Department documents show.

    The research was financed by a company owned by Ekim Alptekin, a Turkish American businessman close to top officials in Turkey, the documents show. Turkey’s president, Recep Tayyip Erdogan, accuses Gulen of fomenting a coup attempt last summer and wants him extradited from the United States.

    Inovo, a Netherlands-based company owned by Alptekin, paid Flynn Intel Group $530,000 to activate an “investigative laboratory” made up of former top security and intelligence officials to research Gulen, according to documents Flynn filed under the Foreign Agents Registration Act. Flynn, in turn, paid White Canvas Group $15,000 for “public open source research,” according to disclosures.

    In its contract with Inovo, Flynn Intel Group said the Gulen investigation would be done by “its most senior principals,” including “the head of Flynn Intel Group’s Special Operations Cyber Force.”

    At the time, that role appeared to be filled by Newberry, Iadonisi’s partner and the chief executive of White Canvas Group.

    In August 2016, the same month the Inovo contract was signed, Newberry temporarily took on an additional post: chief executive of FIG Cyber, a unit of Flynn Intel Group, according to his LinkedIn profile. He held the title until November, when the Inovo contract ended. Newberry did not respond to requests for comment.

    The Defense Department’s inspector general is investigating payments Flynn received from Inovo and other foreign groups. Defense Department guidelines require former officers to obtain permission before working for foreign governments.

    ———-

    “The mystery behind a Flynn associate’s quiet work for the Trump campaign” by Matea Gold; The Washington Post; 05/04/2017

    “The project Iadonisi was engaged in for Trump’s campaign focused on social media, according to a person with knowledge of the arrangement. What that work consisted of — and why his company was not disclosed as a vendor in campaign finance reports — remains a mystery.”

    And not only is the work done by VizSense for the Trump Team largely a mystery, but the fact that Colt Ventures was an investor in VizSense was itself a secret until reporters started asking them about it:


    Colt Ventures was founded by Darren Blanton, a Dallas investor who later served as an adviser to Trump’s transition. Blanton met frequently with Trump strategist Stephen K. Bannon at Trump Tower during the campaign, according to people who saw him there. Colt also sent a report to Bannon about work done for the campaign, according to a person familiar with the matter.

    It is unclear who approved the contract with Colt Ventures. Bannon declined to comment, but a White House official said Bannon is “not aware of any of these companies or contracts.”

    Blanton did not respond to requests for comment. However, shortly after The Post first contacted him, Colt Ventures updated an online list of companies that make up its investment portfolio and added VizSense.

    And when you look at the services VizSense offers and look at the work Flynn apparently did with Peter Smith’s operation to scour the dark web for ‘Russian hackers’ with Hillary’s emails, it’s not hard to imagine why they might have wanted to keep that VizSense investment a secret:


    VizSense, based in Plano, Tex., promises on its website to “weaponize your brand’s influence” through “military-grade influencer marketing and intelligence services.”

    Iadonisi, a former Navy SEAL, started the company in 2015 with Tim Newberry, a nuclear engineer who served as a submarine officer. It was spun out of the duo’s consulting firm, White Canvas Group, which they once described as “a privatized DARPA,” a reference to the Pentagon’s research arm.

    White Canvas has received numerous Pentagon contracts, including nearly $150,000 last year from the Navy for “deep and dark web capability and gap analysis,” according to contracting records.

    So that was a pretty big new development in Mueller’s investigation. Let’s hope it keeps going down this particular path. Who knows where it might lead.

    Posted by Pterrafractyl | August 5, 2017, 2:54 pm
  15. Following up on the flawed analysis by “The Forensicator” that purports to use timestamp metadata from a batch of DNC documents dumped by “Guccifer 2.0” on September 13th, 2016, to conclusively prove that the files had to have been removed directly from the DNC’s server – flawed because the timestamp metadata in uploaded files tells us nothing about when those files were initially copied from the DNC’s server and how many times they may have been copied after that – it looks like The Forensicator is acknowledging these problems in their analysis after someone directly asked them about this in the comments section of The Forensicator’s blog.

    First, here’s the question posed in July:

    Kevin Poulsen
    July 31, 2017 at 10:46 am

    Forensicator,

    Regarding this conclusion:

    “The initial copying activity was likely done from a computer system that had direct access to the data. By ‘direct access’ we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).”

    How did you determine that the July 5 copying was the initial copying?

    And here’s The Forensicator’s reply:

    theforensicator
    July 31, 2017 at 12:13 pm

    How did you determine that the July 5 copying was the initial copying?

    The study discusses two copy operations: the first was done (per the metadata) on July 5, 2016 and the second on Nov. 1, 2016. In this context, initial copy is another way of referring to the first copy operation of the two.

    Some reviewers have noted that the July 5, 2016 dates present in the metadata overwrote any previously recorded dates/times, which of course is true. They further note that prior intermediate copy operations may have been performed, which is also true. Some have opined that if Guccifer 2 pulled data from his previously claimed hack and simply copied that data to say his local hard drive on July 5, 2016 that the pattern present in the metadata might result; also true.

    We should also keep in mind that the study concludes that Eastern time zone settings were in force on both the first (initial) and second copy operations. Some reviewers have noted that Guccifer 2 could have manually set his timezone to Eastern time – also true.

    Such an action (manually setting the time zone to Eastern time, when not physically being located there) seems out of character for Guccifer 2 who went to a lot of trouble to convince the public he is a foreign (Romanian) hacker.

    Further, for anyone who wants to claim that Guccifer 2 might have set his time zone to Eastern time in order to intentionally give the impression of being on the East Coast, that can only make sense if we are to believe that he thought ahead about the relationship between the local times recorded in the .rar files and the UTC times recorded in the 7zip file. That relationship is quite obscure and went unnoticed for almost a year. The idea that Guccifer 2 decided to depend upon someone stumbling onto that relationship as a method of disclosing his East Coast time setting is far-fetched, to say the least.

    “Some reviewers have noted that the July 5, 2016 dates present in the metadata overwrote any previously recorded dates/times, which of course is true. They further note that prior intermediate copy operations may have been performed, which is also true. Some have opined that if Guccifer 2 pulled data from his previously claimed hack and simply copied that data to say his local hard drive on July 5, 2016 that the pattern present in the metadata might result; also true.”

    So that pretty thoroughly undercuts the narrative based on The Forensicator’s blog that’s been building for weeks now. Which is what the person asking the initial question more or less says in their response:

    Kevin Poulsen
    July 31, 2017 at 2:42 pm

    You may not have intended it, but your report is being widely misread as addressing the original migration of the files off the DNC’s network, when, as you seem to acknowledge, it actually addresses the packaging of the files for public release, which might have occurred weeks later on the attacker’s own machine. It’s sad to see your painstaking analysis so wildly misunderstood because of ambiguous language in the “key findings” section at the top.

    And that ends the back and forth between that person and The Forensicator and remains the only admission by The Forensicator of these critical details. So there’s that.

    At the same time, it’s worth keeping in mind that there is still some value in The Forensicator’s analysis since it does describe one of the many possible scenarios that fit the available evidence. Plus, the finding that the computer that the files were copied from on July 5, 2015, appeared to have a US East Coast timezone setting is notable even if we assume that July 5th event had nothing to do with the initial removal of the files from the DNC server. Especially considering the very real possibility that the stolen documents were being quietly passed around to all sorts of individuals, including people who may not have been particularly tech savvy and didn’t have the situational awareness to even think about something like leaving a possible clue in the timestamp metadata, it’s entirely possible the East Coast timestamp data really does reflect the location of the computer where those files were packaged. Yes, there’s no compelling reason to assume this is true since timezone settings could be changed on the computer or the metadata could have been set to anything on the files. But, who knows, maybe that timestamp signature really was indicative of the DNC documents passing through an East Coast-based computer at some point before their release. It’s a possibility worth keeping in mind. As long as we don’t exclusively keep it in mind.

    Posted by Pterrafractyl | August 8, 2017, 6:13 pm
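The two points conceded in the exchange quoted above (a copy overwrites earlier dates, and the time-zone reading follows the clock setting), as an added Python illustration that is not code from The Forensicator's report or from this page. Assumptions: ZIP stands in for the .rar and 7zip archives because it is in the standard library and also stores local time; the file names, dates and TZ strings are constructed; `time.tzset()` requires a POSIX system.

```python
import io
import os
import shutil
import tempfile
import time
import zipfile
from datetime import datetime, timedelta, timezone

# Constructed sample values, not taken from the page or from the report.
ORIGINAL_MTIME = datetime(2016, 5, 23, 14, 0, 0, tzinfo=timezone.utc).timestamp()
PACKAGING_MTIME = datetime(2016, 7, 5, 22, 39, 2, tzinfo=timezone.utc).timestamp()
US_EASTERN = "EST5EDT,M3.2.0,M11.1.0"  # POSIX TZ rule: UTC-5, UTC-4 in summer
FIXED_PLUS_3 = "XXX-3"                 # POSIX sign is inverted: this means UTC+3


def _make_file(directory, name, mtime):
    """Write a small sample file and force its modification time."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"constructed sample content")
    os.utime(path, (mtime, mtime))
    return path


def copy_chain(original_mtime=ORIGINAL_MTIME):
    """Copy a file twice without metadata and once with it; return every mtime."""
    with tempfile.TemporaryDirectory() as d:
        src = _make_file(d, "original.doc", original_mtime)
        first = os.path.join(d, "first_copy.doc")
        second = os.path.join(d, "second_copy.doc")
        kept = os.path.join(d, "preserved_copy.doc")
        shutil.copyfile(src, first)     # data only: mtime is the time of this copy
        shutil.copyfile(first, second)  # data only again: the earlier date is gone
        shutil.copy2(src, kept)         # data plus timestamps: original date kept
        paths = {"original": src, "first_copy": first,
                 "second_copy": second, "preserved_copy": kept}
        return {name: os.stat(p).st_mtime for name, p in paths.items()}


def archive_local_time(mtime, tz_setting):
    """Zip one file while the process time zone is tz_setting.

    Returns the naive local time the archive stored for the entry.
    """
    previous = os.environ.get("TZ")
    os.environ["TZ"] = tz_setting
    time.tzset()
    try:
        with tempfile.TemporaryDirectory() as d:
            path = _make_file(d, "sample.doc", mtime)
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as zf:
                zf.write(path, "sample.doc")  # stores time.localtime(mtime)
            with zipfile.ZipFile(buf) as zf:
                return datetime(*zf.getinfo("sample.doc").date_time)
    finally:
        # Restore the caller's time-zone setting.
        if previous is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = previous
        time.tzset()


def implied_offset(stored_local, mtime_utc):
    """UTC offset implied by a stored local time and the same instant in UTC.

    Rounded to 15 minutes to absorb the 2-second resolution of ZIP timestamps.
    """
    utc_naive = datetime.fromtimestamp(mtime_utc, timezone.utc).replace(tzinfo=None)
    quarters = round((stored_local - utc_naive).total_seconds() / 900)
    return timedelta(minutes=15 * quarters)


if __name__ == "__main__":
    for name, mtime in copy_chain().items():
        print(f"{name:15s} {datetime.fromtimestamp(mtime, timezone.utc):%Y-%m-%d %H:%M:%S} UTC")
    for setting in (US_EASTERN, FIXED_PLUS_3):
        local = archive_local_time(PACKAGING_MTIME, setting)
        print(f"TZ={setting!r:28} stored {local} offset {implied_offset(local, PACKAGING_MTIME)}")
```

The same machine yields either offset depending only on its `TZ` setting, and only the metadata-preserving copy carries the original date forward.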
  16. Oh great: It looks like The Forensicator’s analysis that purports to prove that at least some of the leaked DNC documents couldn’t have been remotely hacked and instead must have been removed via a USB drive – deeply flawed analysis that even the Forensicator has quietly and inadvertently debunked – is continuing to get more press in the media. Both The Nation and Bloomberg put out pieces about the Veteran Intelligence Professionals for Sanity (VIPS) and their endorsement of the Forensicator’s analysis. The Bloomberg piece does a much better job in that it at least acknowledges the possible problems and links to Scott Ritter’s piece that points out the problems with it. The Nation piece, on the other hand, treats it as a slam dunk case and proof that the DNC files must have been extracted locally. And, again, in addition to Ritter’s critique, which the VIPS members almost surely have seen since he himself is a VIPS member, The Forensicator himself/herself debunked their own findings when pressed with questions about it on their own blog. So now this easily debunked analysis is increasingly becoming the most prominent attempt to question the ‘Russian hackers’ narrative:

    New York Magazine

    The Nation Article About the DNC Hack Is Too Incoherent to Even Debunk

    By Brian Feldman
    August 10, 2017 4:31 pm

    Yesterday, The Nation published an article by journalist Patrick Lawrence purporting to demonstrate that last summer’s pivotal DNC hack was, in fact, an inside job. Maybe unsurprisingly, it’s proven especially popular among people who hold it as an article of political faith that the Russian government and intelligence services played no role in the theft and publication of a cache of emails from DNC staffers:

    Must read: It wasn't a hack. It was a DNC insider with a memory stick. Or how a "conspiracy theory" became reality. https://t.co/heyzYzLZSZ — Kim Dotcom (@KimDotcom) August 10, 2017

    The media conspiracy theory that Russia hacked the DNC is utterly debunked https://t.co/2zpYyRIGK9 — Jack Posobiec (@JackPosobiec) August 10, 2017

    Another Democratic Russian narrative bites the dust. https://t.co/IgfpzguPNT — Nick Short (@PoliticalShort) August 10, 2017

    Conclusive proof, or even strong evidence, that the DNC emails were leaked by an insider and not by Russian-sponsored hackers would indeed be a huge story — among other things, it would contradict the near-unanimous opinion of U.S. intelligence agencies, and raise some very serious questions about their objectivity and neutrality.

    But this article is neither conclusive proof nor strong evidence. It’s the extremely long-winded product of a crank, and it’s been getting attention only because it appears in a respected left-wing publication like The Nation. Anyone hoping to read it for careful reporting and clear explanation is going to come away disappointed, however.

    If you want to get to the actual claims being made, you’ll have to skip the first 1,000 or so words, which mostly consist of breathtakingly elaborate throat-clearing. (“[H]ouses built on sand and made of cards are bound to collapse, and there can be no surprise that the one resting atop the ‘hack theory,’ as we can call the prevailing wisdom on the DNC events, appears to be in the process of doing so.”) About halfway through, you get to the crux of the article: A report, made by an anonymous analyst calling himself “Forensicator,” on the “metadata” of “locked files” leaked by the hacker Guccifer 2.0.

    This should, already, set off alarm bells: An anonymous analyst is claiming to have analyzed the “metadata” of “locked files” that only this analyst had access to? Still, if I’m understanding it correctly, Lawrence’s central argument (which, again, rests on the belief that Forensicator’s claims about “metadata” are meaningful and correct) is that the initial data transfer from the DNC occurred at speeds impossible via the internet. Instead, he and a few retired intel-community members and some pseudonymous bloggers believe the data was transferred to a USB stick, making the infiltration a leak from someone inside the DNC, not a hack.

    If that’s your strongest evidence, your argument is already in trouble. But the real problem isn’t that there’s a bizarre claim about internet speed that doesn’t hold up to scrutiny. It’s that Lawrence is writing in techno-gibberish that falls apart under even the slightest scrutiny. You could try to go on, but to what end? As an example: Lawrence writes that “researchers penetrated what Folden calls Guccifer’s top layer of metadata and analyzed what was in the layers beneath.” What on earth is that supposed to mean? We don’t know what “metadata” we’re talking about, or why it comes in “layers,” and all I’m left with is the distinct impression that Lawrence doesn’t either. Even if you wanted to take this seriously enough to engage with, you can’t, because it only intermittently makes sense. There may be evidence out there, somewhere, that a vast conspiracy theory has taken place to cover up a leak and blame Russia. But it’s going to need to be at least comprehensible.

    ———-

    “The Nation Article About the DNC Hack Is Too Incoherent to Even Debunk” by Brian Feldman; New York Magazine; 08/10/2017

    “But this article is neither conclusive proof nor strong evidence. It’s the extremely long-winded product of a crank, and it’s been getting attention only because it appears in a respected left-wing publication like The Nation. Anyone hoping to read it for careful reporting and clear explanation is going to come away disappointed, however.”

    Yep, much like how the official evidence for ‘Russian hackers’ lacks a clear explanation and relies on long-winded narratives that never actually provide meaningful evidence, the same is true with the narratives the VIPS folks are now pushing.

    But notice this curious part: In The Nation piece, the various IT professionals working with the VIPS note that The Forensicator wasn’t simply basing their analysis on the data Guccifer 2.0 publicly dumped on September 13, 2016. Instead, The Forensicator apparently unlocked password protected directories. And it appears that ONLY The Forensicator had the password, or has somehow broken it:


    If you want to get to the actual claims being made, you’ll have to skip the first 1,000 or so words, which mostly consist of breathtakingly elaborate throat-clearing. (“[H]ouses built on sand and made of cards are bound to collapse, and there can be no surprise that the one resting atop the ‘hack theory,’ as we can call the prevailing wisdom on the DNC events, appears to be in the process of doing so.”) About halfway through, you get to the crux of the article: A report, made by an anonymous analyst calling himself “Forensicator,” on the “metadata” of “locked files” leaked by the hacker Guccifer 2.0.

    This should, already, set off alarm bells: An anonymous analyst is claiming to have analyzed the “metadata” of “locked files” that only this analyst had access to? Still, if I’m understanding it correctly, Lawrence’s central argument (which, again, rests on the belief that Forensicator’s claims about “metadata” are meaningful and correct) is that the initial data transfer from the DNC occurred at speeds impossible via the internet. Instead, he and a few retired intel-community members and some pseudonymous bloggers believe the data was transferred to a USB stick, making the infiltration a leak from someone inside the DNC, not a hack.

    Also note that The Forensicator’s blog describes, step by step, how others can repeat their analysis and links to a September 13th, 2016 at 5:13 PM CST posting on Pastebin where people can download the files and that posting includes a password. But that appears to just be the password to open up the zipped documents. But The Forensicator apparently somehow accessed directories in that zipped file that also had their own passwords. So either The Forensicator is adept at cracking those passwords (which no one else has publicly done) or The Forensicator got the password from Guccifer 2.0. Or perhaps is Guccifer 2.0.

    And it gets even more mysterious when The Nation piece indicates that one of the IT experts working with the VIPS folks is acting as a liaison with The Forensicator:

    The Nation

    A New Report Raises Big Questions About Last Year’s DNC Hack
    Former NSA experts say it wasn’t a hack at all, but a leak—an inside job by someone with access to the DNC’s system.

    By Patrick Lawrence

    August 10, 2017 8:00 am

    It is now a year since the Democratic National Committee’s mail system was compromised—a year since events in the spring and early summer of 2016 were identified as remote hacks and, in short order, attributed to Russians acting in behalf of Donald Trump. A great edifice has been erected during this time. President Trump, members of his family, and numerous people around him stand accused of various corruptions and extensive collusion with Russians. Half a dozen simultaneous investigations proceed into these matters. Last week news broke that Special Counsel Robert Mueller had convened a grand jury, which issued its first subpoenas on August 3. Allegations of treason are common; prominent political figures and many media cultivate a case for impeachment.

    This article is based on an examination of the documents these forensic experts and intelligence analysts have produced, notably the key papers written over the past several weeks, as well as detailed interviews with many of those conducting investigations and now drawing conclusions from them. Before proceeding into this material, several points bear noting.

    One, there are many other allegations implicating Russians in the 2016 political process. The work I will now report upon does not purport to prove or disprove any of them. Who delivered documents to WikiLeaks? Who was responsible for the “phishing” operation penetrating John Podesta’s e-mail in March 2016? We do not know the answers to such questions. It is entirely possible, indeed, that the answers we deserve and must demand could turn out to be multiple: One thing happened in one case, another thing in another. The new work done on the mid-June and July 5 events bears upon all else in only one respect. We are now on notice: Given that we now stand face to face with very considerable cases of duplicity, it is imperative that all official accounts of these many events be subject to rigorously skeptical questioning. Do we even know that John Podesta’s e-mail was in fact “phished”? What evidence of this has been produced? Such rock-bottom questions as these must now be posed in all other cases.

    Two, houses built on sand and made of cards are bound to collapse, and there can be no surprise that the one resting atop the “hack theory,” as we can call the prevailing wisdom on the DNC events, appears to be in the process of doing so. Neither is there anything far-fetched in a reversal of the truth of this magnitude. American history is replete with similar cases. The Spanish sank the Maine in Havana harbor in February 1898. Iran’s Mossadegh was a Communist. Guatemala’s Árbenz represented a Communist threat to the United States. Vietnam’s Ho Chi Minh was a Soviet puppet. The Sandinistas were Communists. The truth of the Maine, a war and a revolution in between, took a century to find the light of day, whereupon the official story disintegrated. We can do better now. It is an odd sensation to live through one of these episodes, especially one as big as Russiagate. But its place atop a long line of precedents can no longer be disputed.

    Three, regardless of what one may think about the investigations and conclusions I will now outline—and, as noted, these investigations continue—there is a bottom line attaching to them. We can even call it a red line. Under no circumstance can it be acceptable that the relevant authorities—the National Security Agency, the Justice Department (via the Federal Bureau of Investigation), and the Central Intelligence Agency—leave these new findings without reply. Not credibly, in any case. Forensic investigators, prominent among them people with decades’ experience at high levels in these very institutions, have put a body of evidence on a table previously left empty. Silence now, should it ensue, cannot be written down as an admission of duplicity, but it will come very close to one.

    It requires no elaboration to apply the above point to the corporate media, which have been flaccidly satisfied with official explanations of the DNC matter from the start.

    Qualified experts working independently of one another began to examine the DNC case immediately after the July 2016 events. Prominent among these is a group comprising former intelligence officers, almost all of whom previously occupied senior positions. Veteran Intelligence Professionals for Sanity (VIPS), founded in 2003, now has 30 members, including a few associates with backgrounds in national-security fields other than intelligence. The chief researchers active on the DNC case are four: William Binney, formerly the NSA’s technical director for world geopolitical and military analysis and designer of many agency programs now in use; Kirk Wiebe, formerly a senior analyst at the NSA’s SIGINT Automation Research Center; Edward Loomis, formerly technical director in the NSA’s Office of Signal Processing; and Ray McGovern, an intelligence analyst for nearly three decades and formerly chief of the CIA’s Soviet Foreign Policy Branch. Most of these men have decades of experience in matters concerning Russian intelligence and the related technologies. This article reflects numerous interviews with all of them conducted in person, via Skype, or by telephone.

    The customary VIPS format is an open letter, typically addressed to the president. The group has written three such letters on the DNC incident, all of which were first published by Robert Parry at http://www.consortiumnews.com. Here is the latest, dated July 24; it blueprints the forensic work this article explores in detail. They have all argued that the hack theory is wrong and that a locally executed leak is the far more likely explanation. In a letter to Barack Obama dated January 17, three days before he left office, the group explained that the NSA’s known programs are fully capable of capturing all electronic transfers of data. “We strongly suggest that you ask NSA for any evidence it may have indicating that the results of Russian hacking were given to WikiLeaks,” the letter said. “If NSA cannot produce such evidence—and quickly—this would probably mean it does not have any.”

    The day after Parry published this letter, Obama gave his last press conference as president, at which he delivered one of the great gems among the official statements on the DNC e-mail question. “The conclusions of the intelligence community with respect to the Russian hacking,” the legacy-minded Obama said, “were not conclusive.” There is little to suggest the VIPS letter prompted this remark, but it is typical of the linguistic tap-dancing many officials connected to the case have indulged so as to avoid putting their names on the hack theory and all that derives from it.

    Until recently there was a serious hindrance to the VIPS’s work, and I have just suggested it. The group lacked access to positive data. It had no lump of cyber-material to place on its lab table and analyze, because no official agency had provided any.

    Donald Rumsfeld famously argued with regard to the WMD question in Iraq, “The absence of evidence is not evidence of absence.” In essence, Binney and others at VIPS say this logic turns upside down in the DNC case: Based on the knowledge of former officials such as Binney, the group knew that (1) if there was a hack and (2) if Russia was responsible for it, the NSA would have to have evidence of both. Binney and others surmised that the agency and associated institutions were hiding the absence of evidence behind the claim that they had to maintain secrecy to protect NSA programs. “Everything that they say must remain classified is already well-known,” Binney said in an interview. “They’re playing the Wizard of Oz game.”

    New findings indicate this is perfectly true, but until recently the VIPS experts could produce only “negative evidence,” as they put it: The absence of evidence supporting the hack theory demonstrates that it cannot be so. That is all VIPS had. They could allege and assert, but they could not conclude: They were stuck demanding evidence they did not have—if only to prove there was none.

    Research into the DNC case took a fateful turn in early July, when forensic investigators who had been working independently began to share findings and form loose collaborations wherein each could build on the work of others. In this a small, new website called http://www.disobedientmedia.com proved an important catalyst. Two independent researchers selected it, Snowden-like, as the medium through which to disclose their findings. One of these is known as Forensicator and the other as Adam Carter. On July 9, Adam Carter sent Elizabeth Vos, a co-founder of Disobedient Media, a paper by the Forensicator that split the DNC case open like a coconut.

    By this time Binney and the other technical-side people at VIPS had begun working with a man named Skip Folden. Folden was an IT executive at IBM for 33 years, serving 25 years as the IT program manager in the United States. He has also consulted for Pentagon officials, the FBI, and the Justice Department. Folden is effectively the VIPS group’s liaison to Forensicator, Adam Carter, and other investigators, but neither Folden nor anyone else knows the identity of either Forensicator or Adam Carter. This bears brief explanation.

    The Forensicator’s July 9 document indicates he lives in the Pacific Time Zone, which puts him on the West Coast. His notes describing his investigative procedures support this. But little else is known of him. Adam Carter, in turn, is located in England, but the name is a coy pseudonym: It derives from a character in a BBC espionage series called Spooks. It is protocol in this community, Elizabeth Vos told me in a telephone conversation this week, to respect this degree of anonymity. Kirk Wiebe, the former SIGINT analyst at the NSA, thinks Forensicator could be “someone very good with the FBI,” but there is no certainty. Unanimously, however, all the analysts and forensics investigators interviewed for this column say Forensicator’s advanced expertise, evident in the work he has done, is unassailable. They hold a similarly high opinion of Adam Carter’s work.

    Forensicator is working with the documents published by Guccifer 2.0, focusing for now on the July 5 intrusion into the DNC server. The contents of Guccifer’s files are known—they were published last September—and are not Forensicator’s concern. His work is with the metadata on those files. These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server,” Skip Folden explained in an interview. “To do this he would have to have ‘access privilege,’ meaning a key.”

    I concluded each of the interviews conducted for this column by asking for a degree of confidence in the new findings. These are careful, exacting people as a matter of professional training and standards, and I got careful, exacting replies.

    All those interviewed came in between 90 percent and 100 percent certain that the forensics prove out. I have already quoted Skip Folden’s answer: impossible based on the data. “The laws of physics don’t lie,” Ray McGovern volunteered at one point. “It’s QED, theorem demonstrated,” William Binney said in response to my question. “There’s no evidence out there to get me to change my mind.” When I asked Edward Loomis, a 90 percent man, about the 10 percent he held out, he replied, “I’ve looked at the work and it shows there was no Russian hack. But I didn’t do the work. That’s the 10 percent. I’m a scientist.”

    ———–

    “A New Report Raises Big Questions About Last Year’s DNC Hack” by Patrick Lawrence; The Nation; 08/10/2017

    “Qualified experts working independently of one another began to examine the DNC case immediately after the July 2016 events. Prominent among these is a group comprising former intelligence officers, almost all of whom previously occupied senior positions. Veteran Intelligence Professionals for Sanity (VIPS), founded in 2003, now has 30 members, including a few associates with backgrounds in national-security fields other than intelligence. The chief researchers active on the DNC case are four: William Binney, formerly the NSA’s technical director for world geopolitical and military analysis and designer of many agency programs now in use; Kirk Wiebe, formerly a senior analyst at the NSA’s SIGINT Automation Research Center; Edward Loomis, formerly technical director in the NSA’s Office of Signal Processing; and Ray McGovern, an intelligence analyst for nearly three decades and formerly chief of the CIA’s Soviet Foreign Policy Branch. Most of these men have decades of experience in matters concerning Russian intelligence and the related technologies. This article reflects numerous interviews with all of them conducted in person, via Skype, or by telephone.”

    That’s who is providing the strong VIPS endorsement of The Forensicator’s analysis: William Binney, formerly the NSA’s technical director for world geopolitical and military analysis and designer of many agency programs now in use; Kirk Wiebe, formerly a senior analyst at the NSA’s SIGINT Automation Research Center; Edward Loomis, formerly technical director in the NSA’s Office of Signal Processing; and Ray McGovern, an intelligence analyst for nearly three decades and formerly chief of the CIA’s Soviet Foreign Policy Branch.

    And they appear to have been coordinating with Skip Folden, someone acting as a liaison with The Forensicator and “Adam Carter”, the pseudonym of another person that’s done quite a bit of work looking into the “Guccifer 2.0” persona (and there doesn’t appear to be anything suspect about Adam Carter’s work):


    By this time Binney and the other technical-side people at VIPS had begun working with a man named Skip Folden. Folden was an IT executive at IBM for 33 years, serving 25 years as the IT program manager in the United States. He has also consulted for Pentagon officials, the FBI, and the Justice Department. Folden is effectively the VIPS group’s liaison to Forensicator, Adam Carter, and other investigators, but neither Folden nor anyone else knows the identity of either Forensicator or Adam Carter. This bears brief explanation.

    The Forensicator’s July 9 document indicates he lives in the Pacific Time Zone, which puts him on the West Coast. His notes describing his investigative procedures support this. But little else is known of him. Adam Carter, in turn, is located in England, but the name is a coy pseudonym: It derives from a character in a BBC espionage series called Spooks. It is protocol in this community, Elizabeth Vos told me in a telephone conversation this week, to respect this degree of anonymity. Kirk Wiebe, the former SIGINT analyst at the NSA, thinks Forensicator could be “someone very good with the FBI,” but there is no certainty. Unanimously, however, all the analysts and forensics investigators interviewed for this column say Forensicator’s advanced expertise, evident in the work he has done, is unassailable. They hold a similarly high opinion of Adam Carter’s work.

    And according to Folden, The Forensicator somehow obtained an “access key” to get inside “locked” documents that no one else could get:


    Forensicator is working with the documents published by Guccifer 2.0, focusing for now on the July 5 intrusion into the DNC server. The contents of Guccifer’s files are known—they were published last September—and are not Forensicator’s concern. His work is with the metadata on those files. These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server,” Skip Folden explained in an interview. “To do this he would have to have ‘access privilege,’ meaning a key.”

    “These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server,” Skip Folden explained in an interview. “To do this he would have to have ‘access privilege,’ meaning a key.””

    So did The Forensicator really need to use a special password to access some of the directories in that DNC document dump? Well, they aren’t at all explicit about it, but yes, they do indicate that they accessed password-protected documents while never saying what the password is or if they instead somehow broke the encryption:

    The Forensicator

    Guccifer 2.0 NGP/VAN Metadata Analysis

    07/09/2017

    Analysis

    The Guccifer 2 “NGP VAN” files are found in a password protected 7zip file; instructions for downloading this 7zip file can be found at https://pastebin.com/fN9uvUE0.

    Technical note: the size of the 7zip file is 711,396,436 bytes and the MD5 sum is: a6ca56d03073ce6377922171fc8b232d.

    This .7z file contains several .rar files – one for each top-level directory, as shown below.

    [see screenshot of unpacked DNC document dump]

    The times shown above are in Pacific Daylight Savings Time (PDT). The embedded .rar files are highlighted in yellow. The “*” after each file indicates that the file is password encrypted. This display of the file entries is shown when the .7z file is opened. A password is required to extract the constituent files. This aspect of the .7z file likely motivated zipping the sub-directories (e.g. CNBC and DNC) into .rar files; this effectively hides the structure of the sub-directories, unless the password is provided and the sub-directories are then extracted. The last modification dates indicate that the .rar files were built on 9/1/2016 and all the other files were copied on 7/5/2016. Note that all the times are even (accurate only to the nearest 2 seconds); the significance of this property will be discussed near the end of this analysis. The files copied on 7/5/2016 have last modified times that are closely clustered around 3:50 PM (PDT); the significance of those times will be described below.

    ———–

    “Guccifer 2.0 NGP/VAN Metadata Analysis” by theforensicator; The Forensicator; 07/09/2017

    “The times shown above are in Pacific Daylight Savings Time (PDT). The embedded .rar files are highlighted in yellow. The “*” after each file indicates that the file is password encrypted. This display of the file entries is shown when the .7z file is opened. A password is required to extract the constituent files. This aspect of the .7z file likely motivated zipping the sub-directories (e.g. CNBC and DNC) into .rar files; this effectively hides the structure of the sub-directories, unless the password is provided and the sub-directories are then extracted. The last modification dates indicate that the .rar files were built on 9/1/2016 and all the other files were copied on 7/5/2016. Note that all the times are even (accurate only to the nearest 2 seconds); the significance of this property will be discussed near the end of this analysis. The files copied on 7/5/2016 have last modified times that are closely clustered around 3:50 PM (PDT); the significance of those times will be described below.”

    So let’s review:
    1. The Forensicator puts out this analysis in early July purporting to demonstrate conclusively that the DNC documents MUST have been removed locally.

    2. Their analysis indicates a password was required to view some of the files, but they never indicate how they got past this password and barely address it at all.

    3. Their analysis is also deeply flawed since it in no way addresses the very real possibility that all of the metadata analysis they based their conclusions on was the metadata generated by subsequent copying of the data, something they quietly acknowledge much later (and subsequently ignore) when pressed on the issue by a commenter on their blog.

    4. A team of VIPS folks that includes former NSA analysts wholeheartedly endorse their ‘slam dunk’ findings.

    5. Scott Ritter, also a VIPS member, slams his fellow VIPS members for putting out such a report given the flaws. And is apparently ignored.

    6. More articles continue to come out from the VIPS crew touting this as unassailable proof that the documents must have been removed locally.

    7. And now we learn that the VIPS team has been working with Skip Folden, an IT executive at IBM for 33 years who also consulted for Pentagon officials, the FBI, and the Justice Department. And Folden is apparently the VIPS group’s liaison to Forensicator, Adam Carter, and other investigators.

    8. Finally, Kirk Wiebe, one of the VIPS team members working on this, suggests that The Forensicator is probably “someone with exceptional talent and training inside an agency such as the FBI”. And according to Folden, “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server…To do this he would have to have ‘access privilege,’ meaning a key.”

    So a group of IT experts has concluded that the Forensicator somehow has elite training on these matters and somehow got “access privilege” to those password-protected documents. And this team is doubling down on the assertion that The Forensicator’s analysis is strong evidence of the scenario that the DNC document files were removed locally. And, again, even The Forensicator has admitted that their analysis is not evidence of that, although it appeared to be a grudging admission that they subsequently ignore along with almost everyone else pushing this theory.

    It raises the question: is there a group out there trying to put forth deeply flawed analysis in order to eventually discredit inquiries into the ‘Russian hackers’ narrative? Or are they just trying to overwhelm the public with a bunch of technical analysis that almost no one even bothers to closely critique? Considering the US government appeared to use the latter approach when pushing the ‘Russian hackers’ narrative, the answer isn’t obvious, although none of the available feasible answers are good.

    Posted by Pterrafractyl | August 11, 2017, 3:55 pm
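
An added illustration of point 3 in the comment above and of the "all the times are even" observation in the quoted analysis; it is not part of the comment, The Nation article, or The Forensicator's work. It assumes a simplified speed estimate (total bytes divided by the spread of last-modified times) and uses constructed files and timestamps; `dos_time_roundtrip`, `inferred_rate` and `copy_experiment` are names made up for this sketch.

```python
import os
import shutil
import tempfile
from datetime import datetime

def dos_time_roundtrip(ts):
    """Store a time in the 16-bit MS-DOS/FAT layout (hour:5, minute:6, sec/2:5)
    and read it back. Seconds survive only in 2-second units, so every value
    comes back even. Truncating (not rounding up) is an assumption of this sketch."""
    packed = (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    return ts.replace(hour=packed >> 11, minute=(packed >> 5) & 0x3F,
                      second=(packed & 0x1F) * 2, microsecond=0)

def inferred_rate(entries):
    """entries: list of (size_bytes, mtime_epoch_seconds).
    Bytes per second implied by the spread of last-modified times."""
    times = [t for _, t in entries]
    span = max(times) - min(times)
    total = sum(size for size, _ in entries)
    return total / span if span else float("inf")

def copy_experiment():
    """Create constructed 'original' files whose mtimes are 10 minutes apart,
    copy them twice on the local disk, and return (size, mtime) per copy."""
    result = {"src": [], "plain": [], "kept": []}
    with tempfile.TemporaryDirectory() as root:
        dirs = {k: os.path.join(root, k) for k in result}
        for d in dirs.values():
            os.mkdir(d)
        base = 1_400_000_000  # constructed epoch seconds, not from the page
        for i in range(5):
            path = os.path.join(dirs["src"], f"f{i}.bin")
            with open(path, "wb") as fh:
                fh.write(b"\0" * 100_000)
            os.utime(path, (base + i * 600, base + i * 600))
        for name in sorted(os.listdir(dirs["src"])):
            src = os.path.join(dirs["src"], name)
            # Content-only copy: the new file's mtime is the moment of copying.
            shutil.copyfile(src, os.path.join(dirs["plain"], name))
            # Metadata-preserving copy: the original mtime is carried over.
            shutil.copy2(src, os.path.join(dirs["kept"], name))
            for key, d in dirs.items():
                st = os.stat(os.path.join(d, name))
                result[key].append((st.st_size, st.st_mtime))
    return result

if __name__ == "__main__":
    odd = datetime(2016, 7, 5, 15, 50, 13)  # constructed time with an odd second
    print("stored as:", dos_time_roundtrip(odd).time())
    runs = copy_experiment()
    for key in ("src", "kept", "plain"):
        print(f"{key:5s} implied rate: {inferred_rate(runs[key]):,.0f} bytes/s")
```

The same five files yield a rate of about 208 bytes per second from the original and preserved timestamps and a far higher one from the plain copy, so a speed computed this way describes whichever operation last wrote the timestamps.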
