Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #965 Are We Going to Have a Third World War?

This broadcast was recorded in one 60-minute segment.

Introduction: Recent developments are suggestive of the ominous possibility of an imminent Third World War. We present some new information and recap and further analyze stories covered in previous programs in order to underscore the potential devastation of these events.

As the furor (“fuehrer”?) surrounding the potentially lethal political hoax known as “Russia-gate” gains momentum, it should be noted that the point man for the Trump business interests in their dealings with Russia is Felix Sater. A Russian-born immigrant, Sater is a professional criminal and a convicted felon with historical links to the Mafia. Beyond that, and more importantly, Sater is an FBI informant and a CIA contract agent:

  • “. . . . There is every indication that the extraordinarily lenient treatment resulted from Sater playing a get-out-of-jail free card. Shortly before his secret guilty plea, Sater became a freelance operative of the Central Intelligence Agency. One of his fellow stock swindlers, Salvatore Lauria, wrote a book about it. The Scorpion and the Frog is described on its cover as ‘the true story of one man’s fraudulent rise and fall in the Wall Street of the nineties.’ According to Lauria–and the court files that have been unsealed–Sater helped the CIA buy small missiles before they got to terrorists. He also provided other purported national security services for a reported fee of $300,000. Stories abound as to what else Sater may or may not have done in the arena of national security. . . .”
  •  Sater was active on behalf of the Trumps in the fall of 2015: “. . . . Sater worked on a plan for a Trump Tower in Moscow as recently as the fall of 2015, but he said that had come to a halt because of Trump’s presidential campaign. . . .”
  • Sater was initiating contact between the Russians and “Team Trump” in January of this year: “ . . . . Nevertheless, in late January, Sater and a Ukrainian lawmaker reportedly met with Trump’s personal lawyer, Michael Cohen, at a New York hotel. According to the Times, they discussed a plan that involved the U.S. lifting sanctions against Russia, and Cohen said he hand-delivered the plan in a sealed envelope to then-national security advisor Michael Flynn. Cohen later denied delivering the envelope to anyone in the White House, according to the Washington Post. . . .”

A stunning development concerns extreme reticence on the part of the U.S. intelligence community:

The Office of the Director of National Intelligence had an “interesting” response to a Freedom of Information Act lawsuit demanding the release of the classified report given to President Obama back in January purporting to show the Russian government was behind the hacks. According to the ODNI, the requested document would present a risk to human intelligence sources by revealing the comparative weight given to human vs technical evidence, risking US sources and methods. But the ODNI went further, suggesting that even releasing a fully redacted document would present similar risks!

It is NOT easy to see the ODNI’s reluctance to release even a fully-redacted copy of the report as anything but disingenuous. In the context of potentially devastating deterioration of Russian/U.S. relations over Syria, Ukraine, and the Russian “election-hacking” uproar, the ODNI’s behavior cannot be anything but disquieting:

” . . . . The intelligence official argued that a redacted version of the original report would allow a trained eye to assess ‘comparative weight’ of human intelligence and signals intelligence reporting included in the compendium. Release of some of the information the privacy-focused organization wants made public ‘could prove fatal to U.S. human intelligence sources,’ [Deputy Director of National Intelligence for Intelligence Integration Edward] Gistaro warned.

Gistaro also appears to argue that even if officials blacked out the whole report, highly classified information would be at risk.

‘I agree with the [National Intelligence Council] that a heavily or even fully redacted version of the classified report can not be publicly released without jeopardizing national security information properly classified as SECRET or TOP SECRET,’ he wrote. . . . ‘The ODNI should release the complete report to EPIC so that the public and the Congress can understand the full extent of the Russian interference with the 2016 Presidential election,’ EPIC’s Marc Rotenberg told POLITICO Tuesday. ‘It is already clear that government secrecy is frustrating meaningful oversight. The FBI, for example, will not even identify the states that were targeted by Russia.’ . . . “

With the high-profile hacks being attributed–almost certainly falsely–to Russia, there are ominous developments taking place that may well lead to a Third World War. During the closing days of his Presidency, Obama authorized the planting of cyber weapons on Russian computer networks. Obama did this after talking with Putin on the Hot Line, established to prevent a Third World War. Putin denied interfering in the U.S. election.

The conclusion that Russia hacked the U.S. election on Putin’s orders appears to have been based on a CIA source in the Kremlin. Even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion, and it took intelligence from another nation (not named) to provide the final tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it.

That ally’s intelligence is described as “the most critical technical intelligence on Russia”; however, the NSA still wasn’t convinced, based on what sounds like a lack of confidence in that source. Thus, it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

Of paramount significance is the fact that IF, on Putin’s orders (and we are to believe such) Russia continued to hack U.S. computer systems to influence the election, Putin would have to have gone utterly mad. Those hacks would have precluded any rapprochement between Russia and the United States under a President Trump. There is no indication that Putin went off the deep end.

Also auguring a possible Third World War are two developments in Syria. Seymour Hersh published an article in Die Welt revealing that, not only was the April 4 alleged Sarin attack NOT a chemical weapons attack but there was widespread knowledge of this in American military and intelligence circles.

What did the intelligence community know about the attack? The Russian and Syrian air forces had informed the US in advance of the airstrike that they had intelligence that top-level leaders of Ahrar al-Sham and Jabhat al-Nusra were meeting in that building; they gave the US the attack plan ahead of time and flagged it as a strike on a “high-value” target. The attack also involved the unusual use of a guided bomb and Syria’s top pilots. ” . . . . Russian and Syrian intelligence officials, who coordinate operations closely with the American command posts, made it clear that the planned strike on Khan Sheikhoun was special because of the high-value target. ‘It was a red-hot change. The mission was out of the ordinary – scrub the sked,’ the senior adviser told me. ‘Every operations officer in the region’ – in the Army, Marine Corps, Air Force, CIA and NSA – ‘had to know there was something going on. The Russians gave the Syrian Air Force a guided bomb and that was a rarity. They’re skimpy with their guided bombs and rarely share them with the Syrian Air Force. And the Syrians assigned their best pilot to the mission, with the best wingman.’ The advance intelligence on the target, as supplied by the Russians, was given the highest possible score inside the American community. . . .”

Following the attack, US intelligence concluded that there had been no sarin gas attack; Assad would not have been that politically suicidal: ” . . . ‘This was not a chemical weapons strike,’ the adviser said. ‘That’s a fairy tale. . . .”

The symptoms of chemical poisoning following the bombing were likely due to a mixture of chlorine, fertilizers and other chemicals stored in the building targeted by the Syrian air force, released by secondary explosions from the initial bombing: ” . . . . A Bomb Damage Assessment (BDA) by the U.S. military later determined that the heat and force of the 500-pound Syrian bomb triggered a series of secondary explosions that could have generated a huge toxic cloud that began to spread over the town, formed by the release of the fertilizers, disinfectants and other goods stored in the basement, its effect magnified by the dense morning air, which trapped the fumes close to the ground. . . .”

The behavior of the Trump administration was not only in direct conflict with intelligence on the attack, but reinforced propaganda by some of the Al-Qaeda-linked jihadists the West has been using as proxy warriors in Syria and elsewhere:  ” . . . . The Salafists and jihadists got everything they wanted out of their hyped-up Syrian nerve gas ploy,’ the senior adviser to the U.S. intelligence community told me, referring to the flare up of tensions between Syria, Russia and America. ‘The issue is, what if there’s another false flag sarin attack credited to hated Syria? Trump has upped the ante and painted himself into a corner with his decision to bomb. And do not think these guys are not planning the next faked attack. Trump will have no choice but to bomb again, and harder. He’s incapable of saying he made a mistake.’ . . .”

Program Highlights Include: 

  • Review of a Trump administration warning of another supposed, impending “Syrian chemical weapons strike”–a warning that has since been retracted.
  • Discussion of brilliant Nazi hacker Andrew Auernheimer’s orchestration of an “Alt-right” online intimidation campaign against CNN employees. Auernheimer is currently residing in Ukraine. One of the ominous possibilities concerns the activation/manipulation, by a third party, of the NSA cyber-weapons installed on Russian computer networks.
  • Review of the observations by a German professor–opposed to Nazism/Hitler–who described the essence of what it was like, subjectively, to live through the rise of Hitler. His observation is presented in the context of the ODNI’s decision not to release even a fully-redacted version of the intelligence report on “Russian meddling” in the U.S. election. ” . . . . What happened here was the gradual habituation of the people, little by little, to being governed by surprise, to receiving decisions deliberated in secret, to believing that the situation was so complicated that the government had to act on information which the people could not understand because of national security, so dangerous that even if the people could understand it, it could not be released because of national security. . . .”

1. The Office of the Director of National Intelligence had an “interesting” response to a Freedom of Information Act lawsuit demanding the release of the classified report given to President Obama back in January purporting to show the Russian government was behind the hacks. According to the ODNI, the requested document would present a risk to human intelligence sources by revealing the comparative weight given to human vs technical evidence, risking US sources and methods. But the ODNI went further, suggesting that even releasing a fully redacted document would present similar risks!

“Feds Won’t Release Redacted Intelligence Report on Russian Election Meddling” by Josh Gerstein; Politico; 06/27/2017

The Trump administration is refusing to release a redacted version of a key report President Barack Obama received in January on alleged Russian interference in the 2016 presidential election, court filings show.

Then-Director of National Intelligence James Clapper made public an unclassified version of that report, but the Electronic Privacy Information Center brought a Freedom of Information Act lawsuit demanding a copy of the classified report given to Obama at the same time. EPIC said the unclassified version omitted “critical technical evidence” that could help the public assess U.S. intelligence agencies’ claims that Russia did make efforts to affect the outcome of the 2016 race.

However, a top official in the Office of the Director of National Intelligence said in a court declaration filed Monday that releasing the original report with classified information blacked out would be a field day for foreign intelligence operatives, including the very Russians the report accuses of undertaking the interference.

“Release of a redacted report would be of particular assistance to Russian intelligence, which, armed with both the declassified report and a redacted copy of the classified report, would be able to discern the volume of intelligence the U.S. currently possesses with respect to Russian attempts to influence the 2016 election,” Deputy Director of National Intelligence for Intelligence Integration Edward Gistaro wrote.

“This would reveal the maturity of the U.S. intelligence efforts and expose information about the [intelligence community’s] capabilities (including sources and methods) that could reasonably be expected to cause serious or exceptionally grave danger to U.S. national security.”

The intelligence official argued that a redacted version of the original report would allow a trained eye to assess “comparative weight” of human intelligence and signals intelligence reporting included in the compendium. Release of some of the information the privacy-focused organization wants made public “could prove fatal to U.S. human intelligence sources,” [Deputy Director of National Intelligence for Intelligence Integration Edward] Gistaro warned.

Gistaro also appears to argue that even if officials blacked out the whole report, highly classified information would be at risk.

“I agree with the [National Intelligence Council] that a heavily or even fully redacted version of the classified report can not be publicly released without jeopardizing national security information properly classified as SECRET or TOP SECRET,” he wrote.

EPIC sought the information in January, just days after officials released the public version of the report. The group filed suit in federal court in Washington in February after failing to get any records from ODNI.

“The ODNI should release the complete report to EPIC so that the public and the Congress can understand the full extent of the Russian interference with the 2016 Presidential election,” EPIC’s Marc Rotenberg told POLITICO Tuesday. “It is already clear that government secrecy is frustrating meaningful oversight. The FBI, for example, will not even identify the states that were targeted by Russia.”

Rotenberg said his group is pursuing two other related FOIA suits: one seeking records about the FBI’s response to the alleged Russian meddling and another seeking Trump’s tax records from the IRS.
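The ODNI’s two arguments above (a redacted copy would let a trained eye weigh HUMINT against SIGINT, and even a fully blacked-out copy would reveal “the volume of intelligence”) rest on a property of redaction that is easy to see in code. The example below is added here for illustration; it is not code from this page, from Politico, or from ODNI, and the report it works on is constructed filler. It assumes that each paragraph of the classified report carries a portion marking, that “(TS//HCS)” marks HUMINT-derived text and “(TS//SI)” marks SIGINT-derived text, and that a printed redaction leaves a black bar as long as the text it covers; the paragraph lengths and the public version are invented for the example.

```python
from dataclasses import dataclass

# Portion markings assumed for the example: HCS = HUMINT Control System,
# SI = Special Intelligence (SIGINT). The report built from them is constructed.
HUMINT = "(TS//HCS)"
SIGINT = "(TS//SI)"
UNCLASS = "(U)"
BAR = "\u2588"  # the black bar a printed redaction leaves behind


@dataclass(frozen=True)
class Paragraph:
    marking: str
    text: str


# Constructed sample "classified report" (filler text; only the layout matters).
CLASSIFIED = [
    Paragraph(UNCLASS, "Key judgments: the activity was a coordinated campaign."),
    Paragraph(HUMINT, "H" * 620),
    Paragraph(HUMINT, "H" * 410),
    Paragraph(SIGINT, "S" * 150),
    Paragraph(SIGINT, "S" * 90),
    Paragraph(UNCLASS, "Annex: publicly reported events and dates."),
]
# The public version released alongside it carries only the unclassified portions.
DECLASSIFIED = [p for p in CLASSIFIED if p.marking == UNCLASS]


def volume(report):
    """Total characters on the page, bars included."""
    return sum(len(p.text) for p in report)


def redact_preserving_layout(report):
    """Ordinary redaction: classified text becomes a bar of the same length;
    the portion markings, which are themselves unclassified, stay readable."""
    return [
        p if p.marking == UNCLASS else Paragraph(p.marking, BAR * len(p.text))
        for p in report
    ]


def redact_fully(report):
    """'Fully redacted': markings and text all blacked out, but still one bar
    per paragraph, each as long as the paragraph it covers."""
    return [Paragraph(BAR * 4, BAR * len(p.text)) for p in report]


def comparative_weight(redacted):
    """What a trained eye reads off a layout-preserving redaction: the share of
    withheld material attributed to HUMINT versus SIGINT. Empty when no
    marking survived the redaction."""
    totals = {HUMINT: 0, SIGINT: 0}
    for p in redacted:
        if p.marking in totals:
            totals[p.marking] += len(p.text)
    withheld = sum(totals.values())
    if withheld == 0:
        return {}
    return {k: round(v / withheld, 2) for k, v in totals.items()}


def withheld_ratio(redacted, declassified):
    """What survives even a fully redacted copy: how much larger the classified
    report is than the public one, i.e. 'the volume of intelligence'."""
    return round(volume(redacted) / volume(declassified), 1)


def redact_collapsing_structure(report):
    """Mitigation: drop every classified portion and leave one fixed-size
    notice, so neither per-source weight nor volume can be recovered."""
    public = [p for p in report if p.marking == UNCLASS]
    return public + [Paragraph(UNCLASS, "[Classified material withheld.]")]


if __name__ == "__main__":
    layout = redact_preserving_layout(CLASSIFIED)
    full = redact_fully(CLASSIFIED)
    collapsed = redact_collapsing_structure(CLASSIFIED)
    print("layout-preserving:", comparative_weight(layout), withheld_ratio(layout, DECLASSIFIED))
    print("fully redacted:   ", comparative_weight(full), withheld_ratio(full, DECLASSIFIED))
    print("collapsed:        ", comparative_weight(collapsed), withheld_ratio(collapsed, DECLASSIFIED))
```

On this constructed report the layout-preserving redaction gives away that roughly four fifths of the withheld material is HUMINT-sourced, and both it and the fully blacked-out copy reveal that the classified report is more than ten times the size of the public one. Only the third form, which discards paragraph structure altogether, yields nothing beyond the fact that something was withheld. Whether a release in that third form was ever on the table is not something the court filings quoted here say.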

2. The ODNI’s response to the Freedom of Information Act suit brings to mind an observation by a German professor who was opposed to Nazism and survived to relate what it was like, subjectively, to live through the rise of Hitler: “. . . . What happened here was the gradual habituation of the people, little by little, to being governed by surprise, to receiving decisions deliberated in secret, to believing that the situation was so complicated that the government had to act on information which the people could not understand because of national security, so dangerous that even if the people could understand it, it could not be released because of national security. . . .”

They Thought they Were Free: The Germans 1933-1945; by Milton Mayer; copyright 1955 [SC]; University of Chicago Press; ISBN 0-226-51190-1; pp. 166-167.

. . . . What happened here was the gradual habituation of the people, little by little, to being governed by surprise, to receiving decisions deliberated in secret, to believing that the situation was so complicated that the government had to act on information which the people could not understand because of national security, so dangerous that even if the people could understand it, it could not be released because of national security. . . . This separation of government from people, this widening of the gap, took place so gradually and so insensibly, each step disguised (perhaps not even intentionally) as a temporary emergency measure or associated with true patriotic allegiance or with real social purposes. . . . so occupied the people that they did not see the slow motion underneath, of the whole process of the Government growing remoter and remoter . . . .

3a. It sounds like the conclusion that Russia hacked the U.S. election on Putin’s orders was based on a CIA source in the Kremlin. Even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion, and it took intelligence from another nation (not named) to provide the final tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it. That ally’s intelligence is described as “the most critical technical intelligence on Russia”; however, the NSA still wasn’t convinced, based on what sounds like a lack of confidence in that source. Thus, it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

” . . . .Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race. . . .”

We are told that a CIA source deep inside the Russian government is the primary basis of the ‘Putin ordered it’ conclusion. Well, at least that’s better than the bad-joke technical evidence that’s been provided thus far. But even that source’s claims apparently weren’t enough to convince other parts of the intelligence community. It took the intelligence from the unnamed ally to do that:

” . . . . But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence. . . .

“. . . . The most difficult measure to evaluate is one that Obama alluded to in only the most oblique fashion when announcing the U.S. response.

“We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” he said in a statement released by the White House.

He was referring, in part, to a cyber operation that was designed to be detected by Moscow but not cause significant damage, officials said. The operation, which entailed implanting computer code in sensitive computer systems that Russia was bound to find, served only as a reminder to Moscow of the United States’ cyber reach.

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

Obama declined to comment for this article, but a spokesman issued a statement: ‘This situation was taken extremely seriously, as is evident by President Obama raising this issue directly with President Putin; 17 intelligence agencies issuing an extraordinary public statement; our homeland security officials working relentlessly to bolster the cyber defenses of voting infrastructure around the country; the President directing a comprehensive intelligence review, and ultimately issuing a robust response including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and ejecting 35 Russian diplomats from the country.’

The cyber operation is still in its early stages and involves deploying ‘implants’ in Russian networks deemed ‘important to the adversary and that would cause them pain and discomfort if they were disrupted,’ a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race. [” . . . developed by the NSA”–Well, at least we can be sure that the NSA’s operations are secure, invulnerable to penetration and/or manipulation by outside interests (!)–D.E.]

Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain. . . .”

Keep in mind that such a response from the US would be entirely predictable if the Russian government really did order this hack attack. Russia would be at a heightened risk for years or decades to come if Putin really did order this attack. There’s no reason to assume that the Russian government wouldn’t be well aware of this consequence. So if Putin really did order this hack he would have to have gone insane. That’s how stupid this attack was if Putin actually ordered it. But according to a CIA spy in the Kremlin, along with a questionable foreign ally, that’s exactly what Putin did. Because he apparently went insane and preemptively launched a cyberwar knowing full well how devastating the long-term consequences could be. Because he really, really, really hates Hillary. That’s the narrative we’re being given.

And now, any future attack on US elections or the US electrical grid that can somehow be pinned on the Russians is going to trigger some sort of painful wave of retaliatory cyberbombs. Which, of course, will likely trigger a wave of counter-retaliatory cyberbombs in the US. And a full-scale cyberwar will be born, and we’ll just have to hope it stays in the cyber domain. That’s where we are now, based on a CIA spy in the Kremlin and an unnamed foreign intelligence agency.

“Obama’s secret struggle to punish Russia for Putin’s election assault” by Greg Miller, Ellen Nakashima and Adam Entous; The Washington Post; 06/23/2017

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

The material was so sensitive that CIA Director John Brennan kept it out of the President’s Daily Brief, concerned that even that restricted report’s distribution was too broad. The CIA package came with instructions that it be returned immediately after it was read. To guard against leaks, subsequent meetings in the Situation Room followed the same protocols as planning sessions for the Osama bin Laden raid.

It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

Over that five-month interval, the Obama administration secretly debated dozens of options for deterring or punishing Russia, including cyberattacks on Russian infrastructure, the release of CIA-gathered material that might embarrass Putin and sanctions that officials said could “crater” the Russian economy.

But in the end, in late December, Obama approved a modest package combining measures that had been drawn up to punish Russia for other issues — expulsions of 35 diplomats and the closure of two Russian compounds — with economic sanctions so narrowly targeted that even those who helped design them describe their impact as largely symbolic.

Obama also approved a previously undisclosed covert measure that authorized planting cyber weapons in Russia’s infrastructure, the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It would be up to President Trump to decide whether to use the capability.

In political terms, Russia’s interference was the crime of the century, an unprecedented and largely successful destabilizing attack on American democracy. It was a case that took almost no time to solve, traced to the Kremlin through cyber-forensics and intelligence on Putin’s involvement. And yet, because of the divergent ways Obama and Trump have handled the matter, Moscow appears unlikely to face proportionate consequences.

Those closest to Obama defend the administration’s response to Russia’s meddling. They note that by August it was too late to prevent the transfer to WikiLeaks and other groups of the troves of emails that would spill out in the ensuing months. They believe that a series of warnings — including one that Obama delivered to Putin in September — prompted Moscow to abandon any plans of further aggression, such as sabotage of U.S. voting systems.

Denis McDonough, who served as Obama’s chief of staff, said that the administration regarded Russia’s interference as an attack on the “heart of our system.”

“We set out from a first-order principle that required us to defend the integrity of the vote,” McDonough said in an interview. “Importantly, we did that. It’s also important to establish what happened and what they attempted to do so as to ensure that we take the steps necessary to stop it from happening again.”

But other administration officials look back on the Russia period with remorse.

“It is the hardest thing about my entire time in government to defend,” said a former senior Obama administration official involved in White House deliberations on Russia. “I feel like we sort of choked.”

This account of the Obama administration’s response to Russia’s interference is based on interviews with more than three dozen current and former U.S. officials in senior positions in government, including at the White House, the State, Defense and Homeland Security departments, and U.S. intelligence services. Most agreed to speak only on the condition of anonymity, citing the sensitivity of the issue.

The White House, the CIA, the FBI, the National Security Agency and the Office of the Director of National Intelligence declined to comment.

‘Deeply concerned’

The CIA breakthrough came at a stage of the presidential campaign when Trump had secured the GOP nomination but was still regarded as a distant long shot. Clinton held comfortable leads in major polls, and Obama expected that he would be transferring power to someone who had served in his Cabinet.

The intelligence on Putin was extraordinary on multiple levels, including as a feat of espionage.

For spy agencies, gaining insights into the intentions of foreign leaders is among the highest priorities. But Putin is a remarkably elusive target. A former KGB officer, he takes extreme precautions to guard against surveillance, rarely communicating by phone or computer, always running sensitive state business from deep within the confines of the Kremlin.

The Washington Post is withholding some details of the intelligence at the request of the U.S. government.

In early August, Brennan alerted senior White House officials to the Putin intelligence, making a call to deputy national security adviser Avril Haines and pulling national security adviser Susan E. Rice aside after a meeting before briefing Obama along with Rice, Haines and McDonough in the Oval Office.

Officials described the president’s reaction as grave. Obama “was deeply concerned and wanted as much information as fast as possible,” a former official said. “He wanted the entire intelligence community all over this.”

Concerns about Russian interference had gathered throughout the summer.

Russia experts had begun to see a troubling pattern of propaganda in which fictitious news stories, assumed to be generated by Moscow, proliferated across social-media platforms.

Officials at the State Department and FBI became alarmed by an unusual spike in requests from Russia for temporary visas for officials with technical skills seeking permission to enter the United States for short-term assignments at Russian facilities. At the FBI’s behest, the State Department delayed approving the visas until after the election.

Meanwhile, the FBI was tracking a flurry of hacking activity against U.S. political parties, think tanks and other targets. Russia had gained entry to DNC systems in the summer of 2015 and spring of 2016, but the breaches did not become public until they were disclosed in a June 2016 report by The Post.

Even after the late-July WikiLeaks dump, which came on the eve of the Democratic convention and led to the resignation of Rep. Debbie Wasserman Schultz (D-Fla.) as the DNC’s chairwoman, U.S. intelligence officials continued to express uncertainty about who was behind the hacks or why they were carried out.

At a public security conference in Aspen, Colo., in late July, Director of National Intelligence James R. Clapper Jr. noted that Russia had a long history of meddling in American elections but that U.S. spy agencies were not ready to “make the call on attribution” for what was happening in 2016.

“We don’t know enough … to ascribe motivation,” Clapper said. “Was this just to stir up trouble or was this ultimately to try to influence an election?”

Brennan convened a secret task force at CIA headquarters composed of several dozen analysts and officers from the CIA, the NSA and the FBI.

The unit functioned as a sealed compartment, its work hidden from the rest of the intelligence community. Those brought in signed new non-disclosure agreements to be granted access to intelligence from all three participating agencies.

They worked exclusively for two groups of “customers,” officials said. The first was Obama and fewer than 14 senior officials in government. The second was a team of operations specialists at the CIA, NSA and FBI who took direction from the task force on where to aim their subsequent efforts to collect more intelligence on Russia.

Don’t make things worse

The secrecy extended into the White House.

Rice, Haines and White House homeland-security adviser Lisa Monaco convened meetings in the Situation Room to weigh the mounting evidence of Russian interference and generate options for how to respond. At first, only four senior security officials were allowed to attend: Brennan, Clapper, Attorney General Loretta E. Lynch and FBI Director James B. Comey. Aides ordinarily allowed entry as “plus-ones” were barred.

Gradually, the circle widened to include Vice President Biden and others. Agendas sent to Cabinet secretaries — including John F. Kerry at the State Department and Ashton B. Carter at the Pentagon — arrived in envelopes that subordinates were not supposed to open. Sometimes the agendas were withheld until participants had taken their seats in the Situation Room.

Throughout his presidency, Obama’s approach to national security challenges was deliberate and cautious. He came into office seeking to end wars in Iraq and Afghanistan. He was loath to act without support from allies overseas and firm political footing at home. He was drawn only reluctantly into foreign crises, such as the civil war in Syria, that presented no clear exit for the United States.

Obama’s approach often seemed reducible to a single imperative: Don’t make things worse. As brazen as the Russian attacks on the election seemed, Obama and his top advisers feared that things could get far worse.

They were concerned that any pre-election response could provoke an escalation from Putin. Moscow’s meddling to that point was seen as deeply concerning but unlikely to materially affect the outcome of the election. Far more worrisome to the Obama team was the prospect of a cyber-assault on voting systems before and on Election Day.

They also worried that any action they took would be perceived as political interference in an already volatile campaign. By August, Trump was predicting that the election would be rigged. Obama officials feared providing fuel to such claims, playing into Russia’s efforts to discredit the outcome and potentially contaminating the expected Clinton triumph.

Before departing for an August vacation to Martha’s Vineyard, Obama instructed aides to pursue ways to deter Moscow and proceed along three main paths: Get a high-confidence assessment from U.S. intelligence agencies on Russia’s role and intent; shore up any vulnerabilities in state-run election systems; and seek bipartisan support from congressional leaders for a statement condemning Moscow and urging states to accept federal help.

The administration encountered obstacles at every turn.

Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

Brennan moved swiftly to schedule private briefings with congressional leaders. But getting appointments with certain Republicans proved difficult, officials said, and it was not until after Labor Day that Brennan had reached all members of the “Gang of Eight” — the majority and minority leaders of both houses and the chairmen and ranking Democrats on the Senate and House intelligence committees.

Jeh Johnson, the homeland-security secretary, was responsible for finding out whether the government could quickly shore up the security of the nation’s archaic patchwork of voting systems. He floated the idea of designating state mechanisms “critical infrastructure,” a label that would have entitled states to receive priority in federal cybersecurity assistance, putting them on a par with U.S. defense contractors and financial networks.

On Aug. 15, Johnson arranged a conference call with dozens of state officials, hoping to enlist their support. He ran into a wall of resistance.

The reaction “ranged from neutral to negative,” Johnson said in congressional testimony Wednesday.

Brian Kemp, the Republican secretary of state of Georgia, used the call to denounce Johnson’s proposal as an assault on state rights. “I think it was a politically calculated move by the previous administration,” Kemp said in a recent interview, adding that he remains unconvinced that Russia waged a campaign to disrupt the 2016 race. “I don’t necessarily believe that,” he said.

Stung by the reaction, the White House turned to Congress for help, hoping that a bipartisan appeal to states would be more effective.

In early September, Johnson, Comey and Monaco arrived on Capitol Hill in a caravan of black SUVs for a meeting with 12 key members of Congress, including the leadership of both parties.

The meeting devolved into a partisan squabble.

“The Dems were, ‘Hey, we have to tell the public,’” recalled one participant. But Republicans resisted, arguing that to warn the public that the election was under attack would further Russia’s aim of sapping confidence in the system.

Senate Majority Leader Mitch McConnell (R-Ky.) went further, officials said, voicing skepticism that the underlying intelligence truly supported the White House’s claims. Through a spokeswoman, McConnell declined to comment, citing the secrecy of that meeting.

Key Democrats were stunned by the GOP response and exasperated that the White House seemed willing to let Republican opposition block any pre-election move.

On Sept. 22, two California Democrats — Sen. Dianne Feinstein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a statement making clear that they had learned from intelligence briefings that Russia was directing a campaign to undermine the election, but they stopped short of saying to what end.

A week later, McConnell and other congressional leaders issued a cautious statement that encouraged state election officials to ensure their networks were “secure from attack.” The release made no mention of Russia and emphasized that the lawmakers “would oppose any effort by the federal government” to encroach on the states’ authorities.

When U.S. spy agencies reached unanimous agreement in late September that the interference was a Russian operation directed by Putin, Obama directed spy chiefs to prepare a public statement summarizing the intelligence in broad strokes.

With Obama still determined to avoid any appearance of politics, the statement would not carry his signature.

On Oct. 7, the administration offered its first public comment on Russia’s “active measures,” in a three-paragraph statement issued by Johnson and Clapper. Comey had initially agreed to attach his name, as well, officials said, but changed his mind at the last minute, saying that it was too close to the election for the bureau to be involved.

“The U.S. intelligence community is confident that the Russian government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations,” the statement said. “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

Early drafts accused Putin by name, but the reference was removed out of concern that it might endanger intelligence sources and methods.

The statement was issued around 3:30 p.m., timed for maximum media coverage. Instead, it was quickly drowned out. At 4 p.m., The Post published a story about crude comments Trump had made about women that were captured on an “Access Hollywood” tape. Half an hour later, WikiLeaks published its first batch of emails stolen from Clinton campaign chairman John Podesta.

‘Ample time’ after election

The Situation Room is actually a complex of secure spaces in the basement level of the West Wing. A video feed from the main room courses through some National Security Council offices, allowing senior aides sitting at their desks to see — but not hear — when meetings are underway.

As the Russia-related sessions with Cabinet members began in August, the video feed was shut off. The last time that had happened on a sustained basis, officials said, was in the spring of 2011 during the run-up to the U.S. Special Operations raid on bin Laden’s compound in Pakistan.

The blacked-out screens were seen as an ominous sign among lower-level White House officials who were largely kept in the dark about the Russia deliberations even as they were tasked with generating options for retaliation against Moscow.

Much of that work was led by the Cyber Response Group, an NSC unit with representatives from the CIA, NSA, State Department and Pentagon.

The early options they discussed were ambitious. They looked at sectorwide economic sanctions and cyberattacks that would take Russian networks temporarily offline. One official informally suggested — though never formally proposed — moving a U.S. naval carrier group into the Baltic Sea as a symbol of resolve.

What those lower-level officials did not know was that the principals and their deputies had by late September all but ruled out any pre-election retaliation against Moscow. They feared that any action would be seen as political and that Putin, motivated by a seething resentment of Clinton, was prepared to go beyond fake news and email dumps.

The FBI had detected suspected Russian attempts to penetrate election systems in 21 states, and at least one senior White House official assumed that Moscow would try all 50, officials said. Some officials believed the attempts were meant to be detected to unnerve the Americans. The patchwork nature of the United States’ 3,000 or so voting jurisdictions would make it hard for Russia to swing the outcome, but Moscow could still sow chaos.

“We turned to other scenarios” the Russians might attempt, said Michael Daniel, who was cybersecurity coordinator at the White House, “such as disrupting the voter rolls, deleting every 10th voter [from registries] or flipping two digits in everybody’s address.”

The White House also worried that they had not yet seen the worst of Russia’s campaign. WikiLeaks and DCLeaks, a website set up in June 2016 by hackers believed to be Russian operatives, already had troves of emails. But U.S. officials feared that Russia had more explosive material or was willing to fabricate it.

“Our primary interest in August, September and October was to prevent them from doing the max they could do,” said a senior administration official. “We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures.”

The assumption that Clinton would win contributed to the lack of urgency.

Instead, the administration issued a series of warnings.

Brennan delivered the first on Aug. 4 in a blunt phone call with Alexander Bortnikov, the director of the FSB, Russia’s powerful security service.

A month later, Obama confronted Putin directly during a meeting of world leaders in Hangzhou, China. Accompanied only by interpreters, Obama told Putin that “we knew what he was doing and [he] better stop or else,” according to a senior aide who subsequently spoke with Obama. Putin responded by demanding proof and accusing the United States of interfering in Russia’s internal affairs.

In a subsequent news conference, Obama alluded to the exchange and issued a veiled threat. “We’re moving into a new era here where a number of countries have significant capacities,” he said. “Frankly, we’ve got more capacity than anybody both offensively and defensively.”

There were at least two other warnings.

On Oct. 7, the day that the Clapper-Johnson statement was released, Rice summoned Russian Ambassador Sergey Kislyak to the White House and handed him a message to relay to Putin.

Then, on Oct. 31, the administration delivered a final pre-election message via a secure channel to Moscow originally created to avert a nuclear exchange. The message noted that the United States had detected malicious activity, originating from servers in Russia, targeting U.S. election systems and warned that meddling would be regarded as unacceptable interference. Russia confirmed the next day that it had received the message but replied only after the election through the same channel, denying the accusation.

As Election Day approached, proponents of taking action against Russia made final, futile appeals to Obama’s top aides: McDonough, Rice and Haines. Because their offices were part of a suite of spaces in the West Wing, securing their support on any national security issue came to be known as “moving the suite.”

One of the last to try before the election was Kerry. Often perceived as reluctant to confront Russia, in part to preserve his attempts to negotiate a Syria peace deal, Kerry was at critical moments one of the leading hawks.

In October, Kerry’s top aides had produced an “action memo” that included a package of retaliatory measures including economic sanctions. Knowing the White House was not willing to act before the election, the plan called for the measures to be announced almost immediately after votes had been securely cast and counted.

Kerry signed the memo and urged the White House to convene a principals meeting to discuss the plan, officials said. “The response was basically, ‘Not now,’” one official said.

Election Day arrived without penalty for Moscow.

A U.S. cyber-weapon

The most difficult measure to evaluate is one that Obama alluded to in only the most oblique fashion when announcing the U.S. response.

“We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” he said in a statement released by the White House.

He was referring, in part, to a cyber operation that was designed to be detected by Moscow but not cause significant damage, officials said. The operation, which entailed implanting computer code in sensitive computer systems that Russia was bound to find, served only as a reminder to Moscow of the United States’ cyber reach.

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

Obama declined to comment for this article, but a spokesman issued a statement: “This situation was taken extremely seriously, as is evident by President Obama raising this issue directly with President Putin; 17 intelligence agencies issuing an extraordinary public statement; our homeland security officials working relentlessly to bolster the cyber defenses of voting infrastructure around the country; the President directing a comprehensive intelligence review, and ultimately issuing a robust response including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and ejecting 35 Russian diplomats from the country.”

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of a retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

3b. The person on the Daily Stormer calling for white supremacists to threaten to kill the family members of CNN employees, as part of growing right-wing hysteria over CNN and “fake news,” is Andrew Auernheimer, aka “weev”–a guest at Glenn Greenwald and Laura Poitras’ party celebrating their receipt of the Polk Award.

Currently residing in Ukraine, Auernheimer exemplifies the brilliant, altogether capable cyber-fascists who might be in a position to exploit the NSA technology placed on Russian computer networks.

Never lose sight of the fact that the New Cold War, much of it “cyber” in nature, was begun with “Eddie the Friendly Spook” Snowden–the Peach Fuzz Fascist–journeying to Russia, courtesy of WikiLeaks. This, AFTER he journeyed to Hong Kong with apposite assistance from Jacob Appelbaum of the CIA.

“Daily Stormer Troll Army Threatens CNN Staffers Over Reddit User Behind Trump/CNN GIF” by Keegan Hankes; Southern Poverty Law Center; 07/05/2017

Andrew Auernheimer, the notorious hacker and Internet troll known as ‘Weev,’ rallied the neo-Nazi Daily Stormer’s troll army for its latest campaign this morning, claiming that CNN was blackmailing a “teen shitposter.”

The events leading to this online call to arms began Sunday morning, when President Trump tweeted a gif created by Reddit user HanAssholeSolo depicting a scene from Wrestlemania XXIII in which Trump body slams and pummels WWE promoter Vince McMahon. In the gif, the CNN logo is superimposed over McMahon’s face.

Auernheimer heralded the tweet as “easily the greatest tweet in the history of Twitter.”

After scouring HanAssholeSolo’s Reddit account, which contained scores of racist and xenophobic postings, CNN’s KFile was able to track down the user’s Facebook page and contact him.

Fearing public embarrassment and for his safety, HanAssholeSolo published a lengthy apology on the Reddit group r/theDonald, asking that CNN not publish his identity. (The apology has since been removed.)

CNN obliged, on the condition that HanAssholeSolo remove his offending posts and cease his trolling, but that didn’t stop the self-proclaimed “real media” at the Daily Stormer from issuing an ultimatum to every staffer at CNN.

“Just like CNN tracked down this child and used media exposure as a bludgeon against him for posting (truthful and funny) things that they don’t like, we are going to begin tracking down their families as a bludgeon against them for publishing (seditiously fraudulent) things that we don’t like,” wrote Auernheimer. “CNN, this is your one singular chance to walk back this behavior of public blackmail. You have one week to fix this.”

Auernheimer’s list of demands includes the public firing of the KFile team, a denouncement of their alleged threats, a $50,000 college scholarship for HanAssholeSolo, and a public assurance that “he and his family will never be harmed by your organization.”

The only problem: HanAssholeSolo is an adult, according to CNN.

“We are going to track down your parents. We are going to track down your siblings. We are going to track down your spouses. We are going to track down your children. Because hey, that’s what you guys get to do, right? We’re going to see how you like it when our reporters are hunting down your children,” continued Auernheimer.

Auernheimer instructed CNN employees that do not want to be doxed to quit within the week and denounce the organization’s alleged blackmail.

“We didn’t make these rules – you did – and now we’re going to force you to play by them. Hope you enjoy what is coming, you filthy rat kike bastards. Kill yourselves, kike news fakers. You deserve every single bit of what you are about to get,” concluded Auernheimer.

The call to “kill the lying mass of shit that is CNN” was posted to 4chan’s politically incorrect forum, /pol/.

Within hours, personal information for multiple CNN staffers and their family members — alongside images and gifs of individuals with CNN superimposed over their faces being shot in the head — appeared in the comments of the posting.

The incident is a rare moment of unity for the far-right with members of r/theDonald, 4chan, the Daily Stormer, and the alt-lite banding together to attack CNN.

The 4chan message board /pol/, which is dedicated to politically incorrect discussion, dubbed the campaign “Operation:Autism Storm” and posted a four-part plan of attack that includes banding together with other far-right sites, going after CNN’s advertisers, discrediting everyone at CNN, and forming a legal strategy for HanAssholeSolo should he later be doxed.

At least nine separate hashtags trended across far-right accounts Tuesday evening – including #cnnblackmail, #cnndoxing, and #fraudnewscnn – as the controversy erupted.

….

4. Seymour Hersh has a piece in Die Welt about the intelligence that went into the Trump administration’s decision to launch a cruise missile strike against a Syrian airbase following the alleged sarin gas attack on the city of Khan Sheikhoun in Idlib.

What did the intelligence community know about the attack? The Russian and Syrian air forces had informed the US in advance of that airstrike that they had intelligence that top-level leaders of Ahrar al-Sham and Jabhat al-Nusra were meeting in that building; they informed the US of the attack plan in advance and that it was on a “high-value” target. The attack also involved the unusual use of a guided bomb and Syria’s top pilots. Following the attack, US intelligence concluded that there was no sarin gas attack, that Assad would not have been that politically suicidal, and that the symptoms of chemical poisoning following the bombing were likely due to a mixture of chlorine, fertilizers, and other chemicals stored in the building targeted by the Syrian air force, released by secondary explosions from the initial bombing.

Key portions of Hersh’s story:

“. . . . The Syrian target at Khan Sheikhoun, as shared with the Americans at Doha, was depicted as a two-story cinder-block building in the northern part of town. Russian intelligence, which is shared when necessary with Syria and the U.S. as part of their joint fight against jihadist groups, had established that a high-level meeting of jihadist leaders was to take place in the building, including representatives of Ahrar al-Sham and the al-Qaida-affiliated group formerly known as Jabhat al-Nusra. The two groups had recently joined forces, and controlled the town and surrounding area. Russian intelligence depicted the cinder-block building as a command and control center that housed a grocery and other commercial premises on its ground floor with other essential shops nearby, including a fabric shop and an electronics store.

‘The rebels control the population by controlling the distribution of goods that people need to live – food, water, cooking oil, propane gas, fertilizers for growing their crops, and insecticides to protect the crops,’ a senior adviser to the American intelligence community, who has served in senior positions in the Defense Department and Central Intelligence Agency, told me. The basement was used as storage for rockets, weapons and ammunition, as well as products that could be distributed for free to the community, among them medicines and chlorine-based decontaminants for cleansing the bodies of the dead before burial. The meeting place – a regional headquarters – was on the floor above. ‘It was an established meeting place,’ the senior adviser said. ‘A long-time facility that would have had security, weapons, communications, files and a map center.’ The Russians were intent on confirming their intelligence and deployed a drone for days above the site to monitor communications and develop what is known in the intelligence community as a POL – a pattern of life. The goal was to take note of those going in and out of the building, and to track weapons being moved back and forth, including rockets and ammunition.

Russian and Syrian intelligence officials, who coordinate operations closely with the American command posts, made it clear that the planned strike on Khan Sheikhoun was special because of the high-value target. ‘It was a red-hot change. The mission was out of the ordinary – scrub the sked,’ the senior adviser told me. ‘Every operations officer in the region’ – in the Army, Marine Corps, Air Force, CIA and NSA – ‘had to know there was something going on. The Russians gave the Syrian Air Force a guided bomb and that was a rarity. They’re skimpy with their guided bombs and rarely share them with the Syrian Air Force. And the Syrians assigned their best pilot to the mission, with the best wingman.’ The advance intelligence on the target, as supplied by the Russians, was given the highest possible score inside the American community.

The Execute Order governing U.S. military operations in theater, which was issued by the Chairman of the Joint Chiefs of Staff, provides instructions that demarcate the relationship between the American and Russian forces operating in Syria. “It’s like an ops order – ‘Here’s what you are authorized to do,’” the adviser said. “We do not share operational control with the Russians. We don’t do combined operations with them, or activities directly in support of one of their operations. But coordination is permitted. We keep each other apprised of what’s happening and within this package is the mutual exchange of intelligence. If we get a hot tip that could help the Russians do their mission, that’s coordination; and the Russians do the same for us. When we get a hot tip about a command and control facility,” the adviser added, referring to the target in Khan Sheikhoun, “we do what we can to help them act on it.” “This was not a chemical weapons strike,” the adviser said. “That’s a fairy tale. If so, everyone involved in transferring, loading and arming the weapon – you’ve got to make it appear like a regular 500-pound conventional bomb – would be wearing Hazmat protective clothing in case of a leak. There would be very little chance of survival without such gear. Military grade sarin includes additives designed to increase toxicity and lethality. Every batch that comes out is maximized for death. That is why it is made. It is odorless and invisible and death can come within a minute. No cloud. Why produce a weapon that people can run away from?”

The target was struck at 6:55 a.m. on April 4, just before midnight in Washington. A Bomb Damage Assessment (BDA) by the U.S. military later determined that the heat and force of the 500-pound Syrian bomb triggered a series of secondary explosions that could have generated a huge toxic cloud that began to spread over the town, formed by the release of the fertilizers, disinfectants and other goods stored in the basement, its effect magnified by the dense morning air, which trapped the fumes close to the ground. According to intelligence estimates, the senior adviser said, the strike itself killed up to four jihadist leaders, and an unknown number of drivers and security aides. There is no confirmed count of the number of civilians killed by the poisonous gases that were released by the secondary explosions, although opposition activists reported that there were more than 80 dead, and outlets such as CNN have put the figure as high as 92. A team from Médecins Sans Frontières, treating victims from Khan Sheikhoun at a clinic 60 miles to the north, reported that “eight patients showed symptoms – including constricted pupils, muscle spasms and involuntary defecation – which are consistent with exposure to a neurotoxic agent such as sarin gas or similar compounds.” MSF also visited other hospitals that had received victims and found that patients there “smelled of bleach, suggesting that they had been exposed to chlorine.” In other words, evidence suggested that there was more than one chemical responsible for the symptoms observed, which would not have been the case if the Syrian Air Force – as opposition activists insisted – had dropped a sarin bomb, which has no percussive or ignition power to trigger secondary explosions. The range of symptoms is, however, consistent with the release of a mixture of chemicals, including chlorine and the organophosphates used in many fertilizers, which can cause neurotoxic effects similar to those of sarin. . . .

. . . . The crisis slid into the background by the end of April, as Russia, Syria and the United States remained focused on annihilating ISIS and the militias of al-Qaida. Some of those who had worked through the crisis, however, were left with lingering concerns. ‘The Salafists and jihadists got everything they wanted out of their hyped-up Syrian nerve gas ploy,’ the senior adviser to the U.S. intelligence community told me, referring to the flare up of tensions between Syria, Russia and America. ‘The issue is, what if there’s another false flag sarin attack credited to hated Syria? Trump has upped the ante and painted himself into a corner with his decision to bomb. And do not think these guys are not planning the next faked attack. Trump will have no choice but to bomb again, and harder. He’s incapable of saying he made a mistake.’ . . .”

“Trump’s Red Line” by Seymour M. Hersh; Welt.de; 06/25/2017

On April 6, United States President Donald Trump authorized an early morning Tomahawk missile strike on Shayrat Air Base in central Syria in retaliation for what he said was a deadly nerve agent attack carried out by the Syrian government two days earlier in the rebel-held town of Khan Sheikhoun. Trump issued the order despite having been warned by the U.S. intelligence community that it had found no evidence that the Syrians had used a chemical weapon.

The available intelligence made clear that the Syrians had targeted a jihadist meeting site on April 4 using a Russian-supplied guided bomb equipped with conventional explosives. Details of the attack, including information on its so-called high-value targets, had been provided by the Russians days in advance to American and allied military officials in Doha, whose mission is to coordinate all U.S., allied, Syrian and Russian Air Force operations in the region.

Some American military and intelligence officials were especially distressed by the president’s determination to ignore the evidence. “None of this makes any sense,” one officer told colleagues upon learning of the decision to bomb. “We KNOW that there was no chemical attack … the Russians are furious. Claiming we have the real intel and know the truth … I guess it didn’t matter whether we elected Clinton or Trump.”

Within hours of the April 4 bombing, the world’s media was saturated with photographs and videos from Khan Sheikhoun. Pictures of dead and dying victims, allegedly suffering from the symptoms of nerve gas poisoning, were uploaded to social media by local activists, including the White Helmets, a first responder group known for its close association with the Syrian opposition.

The provenance of the photos was not clear and no international observers have yet inspected the site, but the immediate popular assumption worldwide was that this was a deliberate use of the nerve agent sarin, authorized by President Bashar Assad of Syria. Trump endorsed that assumption by issuing a statement within hours of the attack, describing Assad’s “heinous actions” as being a consequence of the Obama administration’s “weakness and irresolution” in addressing what he said was Syria’s past use of chemical weapons.

To the dismay of many senior members of his national security team, Trump could not be swayed over the next 48 hours of intense briefings and decision-making. In a series of interviews, I learned of the total disconnect between the president and many of his military advisers and intelligence officials, as well as officers on the ground in the region who had an entirely different understanding of the nature of Syria’s attack on Khan Sheikhoun. I was provided with evidence of that disconnect, in the form of transcripts of real-time communications, immediately following the Syrian attack on April 4. In an important pre-strike process known as deconfliction, U.S. and Russian officers routinely supply one another with advance details of planned flight paths and target coordinates, to ensure that there is no risk of collision or accidental encounter (the Russians speak on behalf of the Syrian military). This information is supplied daily to the American AWACS surveillance planes that monitor the flights once airborne. Deconfliction’s success and importance can be measured by the fact that there has yet to be one collision, or even a near miss, among the high-powered supersonic American, Allied, Russian and Syrian fighter bombers.

Russian and Syrian Air Force officers gave details of the carefully planned flight path to and from Khan Sheikhoun on April 4 directly, in English, to the deconfliction monitors aboard the AWACS plane, which was on patrol near the Turkish border, 60 miles or more to the north.

The Syrian target at Khan Sheikhoun, as shared with the Americans at Doha, was depicted as a two-story cinder-block building in the northern part of town. Russian intelligence, which is shared when necessary with Syria and the U.S. as part of their joint fight against jihadist groups, had established that a high-level meeting of jihadist leaders was to take place in the building, including representatives of Ahrar al-Sham and the al-Qaida-affiliated group formerly known as Jabhat al-Nusra. The two groups had recently joined forces, and controlled the town and surrounding area. Russian intelligence depicted the cinder-block building as a command and control center that housed a grocery and other commercial premises on its ground floor with other essential shops nearby, including a fabric shop and an electronics store.

“The rebels control the population by controlling the distribution of goods that people need to live – food, water, cooking oil, propane gas, fertilizers for growing their crops, and insecticides to protect the crops,” a senior adviser to the American intelligence community, who has served in senior positions in the Defense Department and Central Intelligence Agency, told me. The basement was used as storage for rockets, weapons and ammunition, as well as products that could be distributed for free to the community, among them medicines and chlorine-based decontaminants for cleansing the bodies of the dead before burial. The meeting place – a regional headquarters – was on the floor above. “It was an established meeting place,” the senior adviser said. “A long-time facility that would have had security, weapons, communications, files and a map center.” The Russians were intent on confirming their intelligence and deployed a drone for days above the site to monitor communications and develop what is known in the intelligence community as a POL – a pattern of life. The goal was to take note of those going in and out of the building, and to track weapons being moved back and forth, including rockets and ammunition.

One reason for the Russian message to Washington about the intended target was to ensure that any CIA asset or informant who had managed to work his way into the jihadist leadership was forewarned not to attend the meeting. I was told that the Russians passed the warning directly to the CIA. “They were playing the game right,” the senior adviser said. The Russian guidance noted that the jihadist meeting was coming at a time of acute pressure for the insurgents: Presumably Jabhat al-Nusra and Ahrar al-Sham were desperately seeking a path forward in the new political climate. In the last few days of March, Trump and two of his key national security aides – Secretary of State Rex Tillerson and UN Ambassador Nikki Haley – had made statements acknowledging that, as the New York Times put it, the White House “has abandoned the goal” of pressuring Assad “to leave power, marking a sharp departure from the Middle East policy that guided the Obama administration for more than five years.” White House Press Secretary Sean Spicer told a press briefing on March 31 that “there is a political reality that we have to accept,” implying that Assad was there to stay.

Russian and Syrian intelligence officials, who coordinate operations closely with the American command posts, made it clear that the planned strike on Khan Sheikhoun was special because of the high-value target. “It was a red-hot change. The mission was out of the ordinary – scrub the sked,” the senior adviser told me. “Every operations officer in the region” – in the Army, Marine Corps, Air Force, CIA and NSA – “had to know there was something going on. The Russians gave the Syrian Air Force a guided bomb and that was a rarity. They’re skimpy with their guided bombs and rarely share them with the Syrian Air Force. And the Syrians assigned their best pilot to the mission, with the best wingman.” The advance intelligence on the target, as supplied by the Russians, was given the highest possible score inside the American community.

The Execute Order governing U.S. military operations in theater, which was issued by the Chairman of the Joint Chiefs of Staff, provides instructions that demarcate the relationship between the American and Russian forces operating in Syria. “It’s like an ops order – ‘Here’s what you are authorized to do,’” the adviser said. “We do not share operational control with the Russians. We don’t do combined operations with them, or activities directly in support of one of their operations. But coordination is permitted. We keep each other apprised of what’s happening and within this package is the mutual exchange of intelligence. If we get a hot tip that could help the Russians do their mission, that’s coordination; and the Russians do the same for us. When we get a hot tip about a command and control facility,” the adviser added, referring to the target in Khan Sheikhoun, “we do what we can to help them act on it.” “This was not a chemical weapons strike,” the adviser said. “That’s a fairy tale. If so, everyone involved in transferring, loading and arming the weapon – you’ve got to make it appear like a regular 500-pound conventional bomb – would be wearing Hazmat protective clothing in case of a leak. There would be very little chance of survival without such gear. Military grade sarin includes additives designed to increase toxicity and lethality. Every batch that comes out is maximized for death. That is why it is made. It is odorless and invisible and death can come within a minute. No cloud. Why produce a weapon that people can run away from?”

The target was struck at 6:55 a.m. on April 4, just before midnight in Washington. A Bomb Damage Assessment (BDA) by the U.S. military later determined that the heat and force of the 500-pound Syrian bomb triggered a series of secondary explosions that could have generated a huge toxic cloud that began to spread over the town, formed by the release of the fertilizers, disinfectants and other goods stored in the basement, its effect magnified by the dense morning air, which trapped the fumes close to the ground. According to intelligence estimates, the senior adviser said, the strike itself killed up to four jihadist leaders, and an unknown number of drivers and security aides. There is no confirmed count of the number of civilians killed by the poisonous gases that were released by the secondary explosions, although opposition activists reported that there were more than 80 dead, and outlets such as CNN have put the figure as high as 92. A team from Médecins Sans Frontières, treating victims from Khan Sheikhoun at a clinic 60 miles to the north, reported that “eight patients showed symptoms – including constricted pupils, muscle spasms and involuntary defecation – which are consistent with exposure to a neurotoxic agent such as sarin gas or similar compounds.” MSF also visited other hospitals that had received victims and found that patients there “smelled of bleach, suggesting that they had been exposed to chlorine.” In other words, evidence suggested that there was more than one chemical responsible for the symptoms observed, which would not have been the case if the Syrian Air Force – as opposition activists insisted – had dropped a sarin bomb, which has no percussive or ignition power to trigger secondary explosions. The range of symptoms is, however, consistent with the release of a mixture of chemicals, including chlorine and the organophosphates used in many fertilizers, which can cause neurotoxic effects similar to those of sarin.

The internet swung into action within hours, and gruesome photographs of the victims flooded television networks and YouTube. U.S. intelligence was tasked with establishing what had happened. Among the pieces of information received was an intercept of Syrian communications collected before the attack by an allied nation. The intercept, which had a particularly strong effect on some of Trump’s aides, did not mention nerve gas or sarin, but it did quote a Syrian general discussing a “special” weapon and the need for a highly skilled pilot to man the attack plane. The reference, as those in the American intelligence community understood, and many of the inexperienced aides and family members close to Trump may not have, was to a Russian-supplied bomb with its built-in guidance system. “If you’ve already decided it was a gas attack, you will then inevitably read the talk about a special weapon as involving a sarin bomb,” the adviser said. “Did the Syrians plan the attack on Khan Sheikhoun? Absolutely. Do we have intercepts to prove it? Absolutely. Did they plan to use sarin? No. But the president did not say: ‘We have a problem and let’s look into it.’ He wanted to bomb the shit out of Syria.”

At the UN the next day, Ambassador Haley created a media sensation when she displayed photographs of the dead and accused Russia of being complicit. “How many more children have to die before Russia cares?” she asked. NBC News, in a typical report that day, quoted American officials as confirming that nerve gas had been used and Haley tied the attack directly to Syrian President Assad. “We know that yesterday’s attack was a new low even for the barbaric Assad regime,” she said. There was irony in America’s rush to blame Syria and criticize Russia for its support of Syria’s denial of any use of gas in Khan Sheikhoun, as Ambassador Haley and others in Washington did. “What doesn’t occur to most Americans,” the adviser said, “is if there had been a Syrian nerve gas attack authorized by Bashar, the Russians would be 10 times as upset as anyone in the West. Russia’s strategy against ISIS, which involves getting American cooperation, would have been destroyed and Bashar would be responsible for pissing off Russia, with unknown consequences for him. Bashar would do that? When he’s on the verge of winning the war? Are you kidding me?”

Trump, a constant watcher of television news, said, while King Abdullah of Jordan was sitting next to him in the Oval Office, that what had happened was “horrible, horrible” and a “terrible affront to humanity.” Asked if his administration would change its policy toward the Assad government, he said: “You will see.” He gave a hint of the response to come at the subsequent news conference with King Abdullah: “When you kill innocent children, innocent babies – babies, little babies – with a chemical gas that is so lethal … that crosses many, many lines, beyond a red line. … That attack on children yesterday had a big impact on me. Big impact … It’s very, very possible … that my attitude toward Syria and Assad has changed very much.”

Within hours of viewing the photos, the adviser said, Trump instructed the national defense apparatus to plan for retaliation against Syria. “He did this before he talked to anybody about it. The planners then asked the CIA and DIA if there was any evidence that Syria had sarin stored at a nearby airport or somewhere in the area. Their military had to have it somewhere in the area in order to bomb with it.” “The answer was, ‘We have no evidence that Syria had sarin or used it,’” the adviser said. “The CIA also told them that there was no residual delivery for sarin at Shayrat [the airfield from which the Syrian SU-24 bombers had taken off on April 4] and Assad had no motive to commit political suicide.” Everyone involved, except perhaps the president, also understood that a highly skilled United Nations team had spent more than a year in the aftermath of an alleged sarin attack in 2013 by Syria, removing what was said to be all chemical weapons from a dozen Syrian chemical weapons depots.

At this point, the adviser said, the president’s national security planners were more than a little rattled: “No one knew the provenance of the photographs. We didn’t know who the children were or how they got hurt. Sarin actually is very easy to detect because it penetrates paint, and all one would have to do is get a paint sample. We knew there was a cloud and we knew it hurt people. But you cannot jump from there to certainty that Assad had hidden sarin from the UN because he wanted to use it in Khan Sheikhoun.” The intelligence made clear that a Syrian Air Force SU-24 fighter bomber had used a conventional weapon to hit its target: There had been no chemical warhead. And yet it was impossible for the experts to persuade the president of this once he had made up his mind. “The president saw the photographs of poisoned little girls and said it was an Assad atrocity,” the senior adviser said. “It’s typical of human nature. You jump to the conclusion you want. Intelligence analysts do not argue with a president. They’re not going to tell the president, ‘if you interpret the data this way, I quit.’”

The national security advisers understood their dilemma: Trump wanted to respond to the affront to humanity committed by Syria and he did not want to be dissuaded. They were dealing with a man they considered to be not unkind and not stupid, but his limitations when it came to national security decisions were severe. “Everyone close to him knows his proclivity for acting precipitously when he does not know the facts,” the adviser said. “He doesn’t read anything and has no real historical knowledge. He wants verbal briefings and photographs. He’s a risk-taker. He can accept the consequences of a bad decision in the business world; he will just lose money. But in our world, lives will be lost and there will be long-term damage to our national security if he guesses wrong. He was told we did not have evidence of Syrian involvement and yet Trump says: ‘Do it.’”

On April 6, Trump convened a meeting of national security officials at his Mar-a-Lago resort in Florida. The meeting was not to decide what to do, but how best to do it – or, as some wanted, how to do the least and keep Trump happy. “The boss knew before the meeting that they didn’t have the intelligence, but that was not the issue,” the adviser said. “The meeting was about, ‘Here’s what I’m going to do,’ and then he gets the options.”

The available intelligence was not relevant. The most experienced man at the table was Secretary of Defense James Mattis, a retired Marine Corps general who had the president’s respect and understood, perhaps, how quickly that could evaporate. Mike Pompeo, the CIA director whose agency had consistently reported that it had no evidence of a Syrian chemical bomb, was not present. Secretary of State Tillerson was admired on the inside for his willingness to work long hours and his avid reading of diplomatic cables and reports, but he knew little about waging war and the management of a bombing raid. Those present were in a bind, the adviser said. “The president was emotionally energized by the disaster and he wanted options.” He got four of them, in order of extremity. Option one was to do nothing. All involved, the adviser said, understood that was a non-starter. Option two was a slap on the wrist: to bomb an airfield in Syria, but only after alerting the Russians and, through them, the Syrians, to avoid too many casualties. A few of the planners called this the “gorilla option”: America would glower and beat its chest to provoke fear and demonstrate resolve, but cause little significant damage. The third option was to adopt the strike package that had been presented to Obama in 2013, and which he ultimately chose not to pursue. The plan called for the massive bombing of the main Syrian airfields and command and control centers using B1 and B52 aircraft launched from their bases in the U.S. Option four was “decapitation”: to remove Assad by bombing his palace in Damascus, as well as his command and control network and all of the underground bunkers he could possibly retreat to in a crisis.

“Trump ruled out option one off the bat,” the senior adviser said, and the assassination of Assad was never considered. “But he said, in essence: ‘You’re the military and I want military action.’” The president was also initially opposed to the idea of giving the Russians advance warning before the strike, but reluctantly accepted it. “We gave him the Goldilocks option – not too hot, not too cold, but just right.” The discussion had its bizarre moments. Tillerson wondered at the Mar-a-Lago meeting why the president could not simply call in the B52 bombers and pulverize the air base. He was told that B52s were very vulnerable to surface-to-air missiles (SAMs) in the area and using such planes would require suppression fire that could kill some Russian defenders. “What is that?” Tillerson asked. Well, sir, he was told, that means we would have to destroy the upgraded SAM sites along the B52 flight path, and those are manned by Russians, and we possibly would be confronted with a much more difficult situation. “The lesson here was: Thank God for the military men at the meeting,” the adviser said. “They did the best they could when confronted with a decision that had already been made.”

Fifty-nine Tomahawk missiles were fired from two U.S. Navy destroyers on duty in the Mediterranean, the Ross and the Porter, at Shayrat Air Base near the government-controlled city of Homs. The strike was as successful as hoped, in terms of doing minimal damage. The missiles have a light payload – roughly 220 pounds of HBX, the military’s modern version of TNT. The airfield’s gasoline storage tanks, a primary target, were pulverized, the senior adviser said, triggering a huge fire and clouds of smoke that interfered with the guidance system of following missiles. As many as 24 missiles missed their targets and only a few of the Tomahawks actually penetrated into hangars, destroying nine Syrian aircraft, many fewer than claimed by the Trump administration. I was told that none of the nine was operational: such damaged aircraft are what the Air Force calls hangar queens. “They were sacrificial lambs,” the senior adviser said. Most of the important personnel and operational fighter planes had been flown to nearby bases hours before the raid began. The two runways and parking places for aircraft, which had also been targeted, were repaired and back in operation within eight hours or so. All in all, it was little more than an expensive fireworks display.

“It was a totally Trump show from beginning to end,” the senior adviser said. “A few of the president’s senior national security advisers viewed the mission as a minimized bad presidential decision, and one that they had an obligation to carry out. But I don’t think our national security people are going to allow themselves to be hustled into a bad decision again. If Trump had gone for option three, there might have been some immediate resignations.”

After the meeting, with the Tomahawks on their way, Trump spoke to the nation from Mar-a-Lago, and accused Assad of using nerve gas to choke out “the lives of helpless men, women and children. It was a slow and brutal death for so many … No child of God should ever suffer such horror.” The next few days were his most successful as president. America rallied around its commander in chief, as it always does in times of war. Trump, who had campaigned as someone who advocated making peace with Assad, was bombing Syria 11 weeks after taking office, and was hailed for doing so by Republicans, Democrats and the media alike. One prominent TV anchorman, Brian Williams of MSNBC, used the word “beautiful” to describe the images of the Tomahawks being launched at sea. Speaking on CNN, Fareed Zakaria said: “I think Donald Trump became president of the United States.” A review of the top 100 American newspapers showed that 39 of them published editorials supporting the bombing in its aftermath, including the New York Times, Washington Post and Wall Street Journal.

Five days later, the Trump administration gathered the national media for a background briefing on the Syrian operation that was conducted by a senior White House official who was not to be identified. The gist of the briefing was that Russia’s heated and persistent denial of any sarin use in the Khan Sheikhoun bombing was a lie because President Trump had said sarin had been used. That assertion, which was not challenged or disputed by any of the reporters present, became the basis for a series of further criticisms:

– The continued lying by the Trump administration about Syria’s use of sarin led to widespread belief in the American media and public that Russia had chosen to be involved in a corrupt disinformation and cover-up campaign on the part of Syria.

– Russia’s military forces had been co-located with Syria’s at the Shayrat airfield (as they are throughout Syria), raising the possibility that Russia had advance notice of Syria’s determination to use sarin at Khan Sheikhoun and did nothing to stop it.

– Syria’s use of sarin and Russia’s defense of that use strongly suggested that Syria withheld stocks of the nerve agent from the UN disarmament team that spent much of 2014 inspecting and removing all declared chemical warfare agents from 12 Syrian chemical weapons depots, pursuant to the agreement worked out by the Obama administration and Russia after Syria’s alleged, but still unproven, use of sarin the year before against a rebel redoubt in a suburb of Damascus.

The briefer, to his credit, was careful to use the words “think,” “suggest” and “believe” at least 10 times during the 30-minute event. But he also said that his briefing was based on data that had been declassified by “our colleagues in the intelligence community.” What the briefer did not say, and may not have known, was that much of the classified information in the community made the point that Syria had not used sarin in the April 4 bombing attack.

The crisis slid into the background by the end of April, as Russia, Syria and the United States remained focused on annihilating ISIS and the militias of al-Qaida. Some of those who had worked through the crisis, however, were left with lingering concerns. “The Salafists and jihadists got everything they wanted out of their hyped-up Syrian nerve gas ploy,” the senior adviser to the U.S. intelligence community told me, referring to the flare up of tensions between Syria, Russia and America. “The issue is, what if there’s another false flag sarin attack credited to hated Syria? Trump has upped the ante and painted himself into a corner with his decision to bomb. And do not think these guys are not planning the next faked attack. Trump will have no choice but to bomb again, and harder. He’s incapable of saying he made a mistake.”

5. The White House issued an ominous message indicating it has evidence that Assad’s forces were planning a chemical attack and that, if that happens, the consequences will be severe and Russia and Iran will be held responsible:

“White House says Syria’s Assad preparing another chemical attack, warns of ‘heavy’ penalty” by Abby Phillip and Dan Lamothe; The Washington Post; 06/26/2017

The White House issued an ominous warning to Syrian President Bashar al-Assad on Monday night, pledging that his regime would pay a “heavy price” if it carried out another chemical attack this year.

In a statement, White House press secretary Sean Spicer said that the United States had detected evidence of preparations for a chemical attack, similar to the preparations that occurred before an attack in April.

“The United States has identified potential preparations for another chemical weapons attack by the Assad regime that would likely result in the mass murder of civilians, including innocent children,” Spicer said in the statement. “The activities are similar to preparations the regime made before its April 4, 2017 chemical weapons attack.

“As we have previously stated, the United States is in Syria to eliminate the Islamic State of Iraq and Syria,” he continued. “If, however, Mr. Assad conducts another mass murder attack using chemical weapons, he and his military will pay a heavy price.”

Following the April attack, President Trump ordered an air strike against the Assad-controlled air field where the attack was believed to have been carried out.

At the time, Trump said that Assad’s use of chemical weapons against innocent women and children made action inevitable.

“When you kill innocent children, innocent babies, babies, little babies, with a chemical gas that is so lethal — people were shocked to hear what gas it was,” Trump said after the attack. “That crosses many, many lines, beyond a red line, many, many lines.”

Following Spicer’s statement on Monday night, Nikki Haley, the U.S. Ambassador to the United Nations said Assad and its allies would be squarely blamed if such an attack occurred.

“Any further attacks done to the people of Syria will be blamed on Assad, but also on Russia & Iran who support him killing his own people,” Haley wrote.


The U.S. military maintains a variety of weapons in the region that could be used in the event of another strike, including manned and unmanned aircraft in several Middle Eastern countries. But the most likely scenario is probably a strike using naval assets, which can be launched with fewer diplomatic issues than using bases in allied countries such as Turkey or the United Arab Emirates.

The Navy launched Tomahawk missiles at a Syrian military airfield April 6 in response to a previous alleged chemical weapons attack, using two guided-missile destroyers in the eastern Mediterranean Sea, the USS Ross and USS Porter, to do so.

A point of contention for the Pentagon after the last strike was the Syrian regime’s alleged use of a nerve agent, like sarin. It is far deadlier than some other chemicals that U.S. military and intelligence officials say that the regime has used, such as chlorine.

6. Critical to the understanding of the spinning of “Russia-gate” are the actions of Felix Sater.

“Inside Trump’s Russia Connections: The Felon and The Pop Star” by Chase Peterson-Withorn; Forbes; 3/28/2017.

“ . . . . Nevertheless, in late January, Sater and a Ukrainian lawmaker reportedly met with Trump’s personal lawyer, Michael Cohen, at a New York hotel. According to the Times, they discussed a plan that involved the U.S. lifting sanctions against Russia, and Cohen said he hand-delivered the plan in a sealed envelope to then-national security advisor Michael Flynn. Cohen later denied delivering the envelope to anyone in the White House, according to the Washington Post. . . .”

7. Sater was “walking point” for the Trump business interests in their attempts at building in Moscow in the fall of 2015.

“How the Miss Universe Pageant Led to Trump’s Son Meeting with a Russian Lawyer” by Steve Eder and Megan Twohey [The New York Times]; The Seattle Times; 7/10/2017.

“ . . . . Sater worked on a plan for a Trump Tower in Moscow as recently as the fall of 2015, but he said that had come to a halt because of Trump’s presidential campaign. . . .”

8. Another interesting close associate of Donald Trump was Felix Sater, who changed the spelling of his name, adding an extra “T” to avoid being recognized on internet searches. Reviewing information from FTR #936:

The Making of Donald Trump by David Cay Johnston; Melville House [HC]; copyright 2016 by David Cay Johnston; ISBN 978-1-61219-632-9. p. 162.

. . . ‘Satter’s’ name appears with just one ‘T’ in a host of places. There’s the deed to his home for example. It is also spelled with only one ‘T’ on New York State court papers from his 1991 felony conviction for stabbing a man in the face with the stem of a margarita glass. The name Sater with one ‘T’ also appears on federal court papers in a $40 million organized crime stock swindle he confessed to in 1998, a scheme that benefited him as well as the Genovese and Gambino crime families. The stock swindle involved fake stock brokerage firms using high-pressure tactics to get naive people to buy worthless shares from Sater and his mob friends. . . .

9. Trump’s close associate Felix Sater was able to escape serious legal retribution by going to work for the CIA.

The Making of Donald Trump by David Cay Johnston; Melville House [HC]; copyright 2016 by David Cay Johnston; ISBN 978-1-61219-632-9. p. 165.

. . . . There is every indication that the extraordinarily lenient treatment resulted from Sater playing a get-out-of-jail free card. Shortly before his secret guilty plea, Sater became a freelance operative of the Central Intelligence Agency. One of his fellow stock swindlers, Salvatore Lauria, wrote a book about it. The Scorpion and the Frog is described on its cover as ‘the true story of one man’s fraudulent rise and fall in the Wall Street of the nineties.’ According to Lauria–and the court files that have been unsealed–Sater helped the CIA buy small missiles before they got to terrorists. He also provided other purported national security services for a reported fee of $300,000. Stories abound as to what else Sater may or may not have done in the arena of national security. . . .


Discussion

6 comments for “FTR #965 Are We Going to Have a Third World War?”

  1. Check out the person that appears to be emerging as the White House’s internal scapegoat for all the turmoil in recent days as a new cloud of paranoia envelops the White House staff amidst one report after another based on multiple anonymous White House sources: Reince Priebus. Yep, according to a recent report in the Washington Post, the Trump kids are convinced that Reince Priebus is one of the sources of all these embarrassing reports and their message to Trump is that Priebus has to go. It’s an interesting development. In part because Priebus, as one of the primary White House figures who comes from the traditional GOP ‘establishment’, really would be one of the primary suspects of any attempts to undermine the Trump administration but only if the rest of the GOP establishment gives him those orders. So you have to wonder if the Trump kids’ lobbying to get their dad to dump Priebus reflects a growing concern that the GOP establishment is getting ready to dump Trump:

    The Washington Post

    ‘Category 5 hurricane’: White House under siege by Trump Jr.’s Russia revelations

    By Philip Rucker and Ashley Parker
    July 12, 2017 at 6:42 AM

    The White House has been thrust into chaos after days of ever-worsening revelations about a meeting between Donald Trump Jr. and a lawyer characterized as representing the Russian government, as the president fumes against his enemies and senior aides circle one another with suspicion, according to top White House officials and outside advisers.

    President Trump — who has been hidden from public view since returning last weekend from a divisive international summit — is enraged that the Russia cloud still hangs over his presidency and is exasperated that his eldest son and namesake has become engulfed by it, said people who have spoken with him this week.

    The disclosure that Trump Jr. met with a Russian attorney, believing he would receive incriminating information about Hillary Clinton as part of the Kremlin’s effort to boost his father’s candidacy, has set back the administration’s faltering agenda and rattled the senior leadership team.

    On Wednesday, in his first Twitter posts since the email disclosures, Trump defended his son as “open, transparent and innocent” and repeated past claims that his administration is the subject of a “witch hunt” fueled by leakers.

    “My son Donald did a good job last night,” Trump wrote, referring to his son’s appearance on Fox News. “He was open, transparent and innocent. This is the greatest Witch Hunt in political history. Sad!”

    Trump also took aim at anonymous leaks from “sources” — even though Trump Jr. gave a step-by-step email chronology of the plans for the meeting with the Russian lawyer in 2016.

    Even supporters of Trump Jr. who believe he faces no legal repercussions privately acknowledged Tuesday that the story is a public relations disaster — for him as well as for the White House. One outside ally called it a “Category 5 hurricane,” while an outside adviser said a CNN graphic charting connections between the Trump team and Russians resembled the plot of the fictional Netflix series “House of Cards.”

    Vice President Pence sought to distance himself from the controversy, with his spokesman noting that Trump Jr.’s meeting occurred before Pence joined the ticket.

    Inside a White House in which infighting often seems like a core cultural value, three straight days of revelations in the New York Times about Trump Jr. have inspired a new round of accusations and recriminations, with advisers privately speculating about who inside the Trump orbit may be leaking damaging information about the president’s son.

    This portrait of the Trump White House under siege is based on interviews Tuesday with more than a dozen West Wing officials, outside advisers, and friends and associates of the president and his family, many of whom spoke on the condition of anonymity to be candid.

    The makeup of Trump’s inner circle is the subject of internal debate, as ever. Ivanka Trump, the president’s daughter and senior adviser; Jared Kushner, her husband and another senior adviser; and first lady Melania Trump have been privately pressing the president to shake up his team — most specifically by replacing Reince Priebus as the White House chief of staff, according to two senior White House officials and one ally close to the White House.

    The three family members are especially concerned about the steady stream of unauthorized leaks to journalists that have plagued the administration over the nearly six months that President Trump has been in office, from sensitive national security information to embarrassing details about the inner workings of the White House, the officials said.

    Stephanie Grisham, the first lady’s communications director, said: “Of course, the first lady is concerned about leaks from her husband’s administration, as all Americans should be. And while she does offer advice and perspectives on many things, Mrs. Trump does not weigh in on West Wing staff.”

    Lindsay Walters, a deputy White House press secretary, disputed reports about Priebus’s standing. “These sources have been consistently wrong about Reince, and they’re still wrong today,” she said.

    After this story first published, Josh Raffel, a White House spokesman, said in a statement on behalf of Kushner and Ivanka Trump: “Jared and Ivanka are focused on working with Reince and the team to advance the President’s agenda and not on pushing for staff changes.”

    Trump recently publicly praised Priebus’s work ethic, and the chief of staff’s allies note that Priebus has done as good a job as can be expected under the unique circumstances of this administration. Defenders of Priebus have long said they expect him to make it to a year in the position, and Trump is said to be hesitant to fire him or any other senior staffer amid the escalating Russia investigation led by special counsel Robert S. Mueller III.

    Pence found out about Trump Jr.’s meeting with the Russian attorney Friday evening in advance of the first Times story, said one person familiar with the discussions. Both Pence and his team view the Russia coverage as a distraction, and are working to keep the vice president clear of it and focused on Trump’s policy goals — such as health care, the subject of his scheduled visit to Kentucky on Wednesday.

    “The vice president is working every day to advance the president’s agenda, which is what the American people sent us here to do. The vice president was not aware of the meeting,” Pence’s press secretary, Marc Lotter, said in a statement. “He is not focused on stories about the campaign, particularly stories about the time before he joined the ticket.”

    On Capitol Hill — where Senate Majority Leader Mitch McConnell (R-Ky.) announced Tuesday that he is delaying his chamber’s August recess by two weeks — Republican senators were becoming increasingly frustrated with the White House, which they blame for Congress’s inability to pass any major legislation.

    A growing number of senators believe that the widening Russia probe — as well as the Trump-fueled tumult that seems to dominate nearly every news cycle — have stalled their legislative agenda, leaving them nothing to offer their constituents by way of achievements when they head home over the break.

    ———-

    “‘Category 5 hurricane’: White House under siege by Trump Jr.’s Russia revelations” by Philip Rucker and Ashley Parker; The Washington Post; 07/12/2017

    “The makeup of Trump’s inner circle is the subject of internal debate, as ever. Ivanka Trump, the president’s daughter and senior adviser; Jared Kushner, her husband and another senior adviser; and first lady Melania Trump have been privately pressing the president to shake up his team — most specifically by replacing Reince Priebus as the White House chief of staff, according to two senior White House officials and one ally close to the White House.”

    Melania is on the anti-Priebus bandwagon too? Ouch. But such fears and frustrations aren’t exactly outlandish given Priebus’s status as a key GOP establishment ‘outsider’ inside the White House. After all, if there were other staffers the Trumps can’t trust, Priebus would have been the person in charge of hiring them as the Chief of Staff. And if the broader GOP ‘establishment’ and its billionaire backers decide that Trump is becoming an obstacle to the fruition of their agenda and needs to be taken down, someone like Priebus would be very well positioned to help make that happen. It’s one of those situations where paranoia is pretty appropriate.

    So while there were plenty of denials about this intra-White House conflict, it’s hard to take those denials seriously given the wave of anonymously sourced stories coming out of the White House. Especially given the reports that Congressional GOPers are blaming Trump for their own inability to pass any meaningful legislation, instead of blaming themselves for crafting legislation so horrible and unpopular that even GOPers can’t support it. If the GOP ‘establishment’ is going to scapegoat Trump, counter-scapegoating Priebus kind of makes sense:


    On Capitol Hill — where Senate Majority Leader Mitch McConnell (R-Ky.) announced Tuesday that he is delaying his chamber’s August recess by two weeks — Republican senators were becoming increasingly frustrated with the White House, which they blame for Congress’s inability to pass any major legislation.

    A growing number of senators believe that the widening Russia probe — as well as the Trump-fueled tumult that seems to dominate nearly every news cycle — have stalled their legislative agenda, leaving them nothing to offer their constituents by way of achievements when they head home over the break.

    Might Priebus finally be on his way out the door? This isn’t the first time there have been reports of Trump White House infighting without any eventual departures. But that lack of departures doesn’t mean those previous fights were resolved, so as the tensions and paranoia in the White House continue to grow, along with the anonymous insider leaks, we probably shouldn’t be super shocked if Priebus is either shown the door or runs for the exits himself.

    At the same time, given the incredibly bad optics the Trump administration is now facing following the disclosure of the meeting with the Russian lawyer – and the growing possibility that Trump is going to basically get convicted of colluding with Russia in the court of public opinion – and given the frustrations of the rest of the GOP – not to mention the GOP oligarchs – over the inability of Trump and the GOP to sell their agenda to the public, perhaps we shouldn’t be super shocked if Priebus’s time in the White House outlasts Trump. Especially now that Trump says he just learned about the June 9th, 2016 meeting days ago, on the same day a GOP Senator reveals that the Senate Intelligence committee learned about this meeting back in April from Jared Kushner:

    Talking Points Memo
    Livewire

    GOP Senator: Intel Committee Knew In April That Kushner Met Russian Lawyer

    By Esme Cribb
    Published July 12, 2017 6:43 pm

    Sen. James Lankford (R-OK), a member of the Senate Intelligence Committee, on Wednesday said the panel knew about Jared Kushner’s attendance of a June 2016 meeting with a Kremlin-connected lawyer as early as April.

    “This meeting was known because it was turned in in the background checks in April, actually, for Jared Kushner,” Lankford said on CNN. “So it was a known meeting at that point. Getting the emails and getting the details of that meeting was not known.”

    President Donald Trump on Wednesday told Reuters he “didn’t know” about his eldest son Donald Trump Jr.’s meeting with Russian lawyer Natalia Veselnitskaya “until a couple of days ago.”

    ———-

    “GOP Senator: Intel Committee Knew In April That Kushner Met Russian Lawyer” by Esme Cribb; Talking Points Memo; 07/12/2017

    ““This meeting was known because it was turned in in the background checks in April, actually, for Jared Kushner,” Lankford said on CNN. “So it was a known meeting at that point. Getting the emails and getting the details of that meeting was not known.””

    The June 9th meeting was known to the Senate Intelligence Committee since April, with Kushner being the source. And yet Donald Trump just came out and said he learned about this meeting “a couple of days ago”:


    President Donald Trump on Wednesday told Reuters he “didn’t know” about his eldest son Donald Trump Jr.’s meeting with Russian lawyer Natalia Veselnitskaya “until a couple of days ago.”

    We’re basically one revelation away from getting to the point where Trump is caught in a lie. And sure, he’s caught in lies all the time, but this would be a pretty big one. And while that June 9th meeting with the Russian lawyer doesn’t at all prove that the Trump team and Russian government were colluding to execute and disseminate the hacked Democratic emails, legally proving that case doesn’t really matter if the whole situation ends up making Trump simply look really, really guilty to the American public. And really, really sleazy.

    So in addition to questions over whether or not pushing Reince Priebus out of the White House and doing a major staff overhaul is going to be one of the survival tactics the Trump team uses to try to circle the wagons and prevent insider leaks, those questions are paired with growing questions over how much more patience the GOP ‘establishment’ is going to have for Trump in general while the GOP policy agenda continues to fizzle. Because if the broader GOP establishment decides it’s time for Trump to resign, it sure doesn’t look like it’s going to be very difficult for that ‘establishment’ to whip up any one of a number of potential Trump mega-scandals to force such a resignation. And someone like Reince Priebus is in just the right position to facilitate such an operation.

    Just because you’re paranoid doesn’t mean they aren’t out to get you. Especially when the paranoia has been going on uninterrupted for months as the situation deteriorates and now everyone seems out to get everyone. That’s definitely an appropriate time for collective paranoia. Yuuuuuge paranoia.

    And since starting a war or creating some other massive disaster to distract from the administration’s woes is one of the default tools in the Trump team’s toolbox as their situation gets more and more desperate, everyone else should probably be a little paranoid too.

    Posted by Pterrafractyl | July 12, 2017, 11:19 pm
  2. Well, now we know how Peter W. Smith – the long-time financier of right-wing opposition research who talked about his efforts to put together a team that allegedly included Trump officials and was dedicated to finding hacked copies of Hillary Clinton’s emails – ended up dying just 10 days after he gave his interviews: Smith appears to have committed suicide due to health issues:

    The Chicago Tribune

    Peter W. Smith, GOP operative who sought Clinton’s emails from Russian hackers, committed suicide, records show

    Katherine Skiba, David Heinzmann and Todd Lighty
    July 13, 2017, 5:34 PM

    A Republican donor and operative from Chicago’s North Shore who said he had tried to obtain Hillary Clinton’s missing emails from Russian hackers killed himself in a Minnesota hotel room days after talking to The Wall Street Journal about his efforts, public records show.

    In a room at a Rochester hotel used almost exclusively by Mayo Clinic patients and relatives, Peter W. Smith, 81, left a carefully prepared file of documents, which includes a statement police called a suicide note in which he said he was in ill health and a life insurance policy was expiring.

    Days earlier, the financier from suburban Lake Forest gave an interview to the Journal about his quest, and it published stories about his efforts beginning in late June. The Journal also reported it had seen emails written by Smith showing his team considered retired Lt. Gen. Michael Flynn, then a top adviser to Republican Donald Trump’s campaign, as an ally. Flynn briefly was President Trump’s national security adviser and resigned after it was determined he had failed to disclose contacts with Russia.

    At the time, the newspaper reported Smith’s May 14 death came about 10 days after he granted the interview. Mystery shrouded how and where he had died, but the lead reporter on the stories said on a podcast he had no reason to believe the death was the result of foul play and that Smith likely had died of natural causes.

    However, the Chicago Tribune obtained a Minnesota state death record filed in Olmsted County that says Smith committed suicide in a hotel near the Mayo Clinic at 1:17 p.m. on Sunday, May 14. He was found with a bag over his head with a source of helium attached. A medical examiner’s report gives the same account, without specifying the time, and a report from Rochester police further details his suicide.

    In the note recovered by police, Smith apologized to authorities and said that “NO FOUL PLAY WHATSOEVER” was involved in his death. He wrote that he was taking his own life because of a “RECENT BAD TURN IN HEALTH SINCE JANUARY, 2017” and timing related “TO LIFE INSURANCE OF $5 MILLION EXPIRING.”

    One of Smith’s former employees told the Tribune he thought the elderly man had gone to the famed clinic to be treated for a heart condition. Mayo spokeswoman Ginger Plumbo said Thursday she could not confirm Smith had been a patient, citing medical privacy laws.

    The Journal stories said it was on Labor Day weekend in 2016 that Smith had assembled a team to acquire emails the team theorized might have been stolen from the private server Clinton had used while secretary of state. Smith’s focus was the more than 30,000 emails Clinton said she deleted because they related to personal matters. A huge cache of other Clinton emails were made public.

    Smith told the Journal he believed the missing emails might have been obtained by Russian hackers. He also said he thought the correspondence related to Clinton’s official duties. He told the Journal he worked independently and was not part of the Trump campaign. He also told the Journal he and his team found five groups of hackers — two of them Russian groups — who claimed to have Clinton’s missing emails.

    Smith had a history of doing opposition research, the formal term for unflattering information that political operatives dig up about rival candidates.

    For years, Democratic President Bill Clinton was Smith’s target. The wealthy businessman had a hand in exposing the “Troopergate” allegations about Bill Clinton’s sex life. And he discussed financing a probe of a 1969 trip Bill Clinton had taken while in college to the Soviet Union, according to Salon magazine.

    Investigations into any possible links between the Russian government and people associated with Trump’s presidential campaign now are underway in Congress and by former FBI chief Robert Mueller. He is acting as a special counsel for the Department of Justice. Mueller spokesman Peter Carr declined to comment on the Journal’s stories on Smith or his death. Washington attorney Robert Kelner, who represents Flynn, had no comment on Thursday.

    Smith’s death occurred at the Aspen Suites in Rochester, records show. They list the cause of death as “asphyxiation due to displacement of oxygen in confined space with helium.”

    Rochester Police Chief Roger Peterson on Wednesday called his manner of death “unusual,” but a funeral home worker said he’d seen it before.

    An employee with Rochester Cremation Services, the funeral home that responded to the hotel, said he helped remove Smith’s body from his room and recalled seeing a tank.

    The employee, who spoke on the condition he not be identified because of the sensitive nature of Smith’s death, described the tank as being similar in size to a propane tank on a gas grill. He did not recall seeing a bag that Smith would have placed over his head. He said the coroner and police were there and that he “didn’t do a lot of looking around.”

    “When I got there and saw the tank, I thought, ‘I’ve seen this before,’ and was able to put two and two together,” the employee said.

    An autopsy was conducted, according to the death record. The Southern Minnesota Regional Medical Examiner’s Office declined a Tribune request for the autopsy report and released limited information about Smith’s death.

    The Final Exit Network, a Florida-based nonprofit, provides information and support to people who suffer from a terminal illness and want to kill themselves.

    Fran Schindler, a volunteer with the group, noted that the best-selling book Final Exit, written by Derek Humphry in 1991 and revised several times since, explains in detail the helium gas method.

    “Many people obtain that information from his book,” Schindler said. “It’s a method that has been around for many years and is well known.”

    A private family memorial was planned, the obituary said. Friends posted online tributes to Smith after his death. One was from his former employee, Jonathan Safron, 26, who lives in Chicago’s Loop and worked for Smith for about two years.

    Safron, in an interview, said he was working for a tutoring firm when Smith became his client. His job entailed teaching Smith how to use a MacBook, Safron said. At the time Smith was living in a condominium atop the Four Seasons Hotel Chicago. Safron said Smith later employed him at Corporate Venture Alliances, a private investment firm that Smith ran, first out of the same condo and later from an office in the Hancock Building.

    Safron, who said he had a low-level job with the Illinois Republican Party in 2014, said he had no knowledge of Smith’s bid to find hackers who could locate emails missing from Clinton’s service as secretary of state. In his online tribute to his former employer, he called Smith the “best boss I could ever ask for … a mentor, friend and model human being.”

    Safron said he worked part-time for Smith, putting in about 15 hours a week. But the two grew close, often having lunch together at a favorite Smith spot: the Oak Tree Restaurant & Bakery Chicago on North Michigan Ave. He called Smith a serious man who was “upbeat,” “cosmopolitan” and “larger than life.” He was aware Smith was in declining health, saying the older man sometimes had difficulty breathing and told work colleagues he had heart problems. Weeks before he took his life, he had become fatigued walking down about four or five flights of stairs during a Hancock Building fire drill and later emailed Safron saying he was “dizzy,” he said.

    ———-

    “Peter W. Smith, GOP operative who sought Clinton’s emails from Russian hackers, committed suicide, records show” by Katherine Skiba, David Heinzmann and Todd Lighty; The Chicago Tribune; 07/13/2017

    “However, the Chicago Tribune obtained a Minnesota state death record filed in Olmsted County that says Smith committed suicide in a hotel near the Mayo Clinic at 1:17 p.m. on Sunday, May 14. He was found with a bag over his head with a source of helium attached. A medical examiner’s report gives the same account, without specifying the time, and a report from Rochester police further details his suicide.”

    Despite the blockbuster nature of the interviews Smith gave, the fact that he was 81 years old precluded any sort of mysteriousness about the guy’s death just days after giving those interviews to the Wall Street Journal. Death happens. And to Smith’s credit, that was one hell of a parting shot, although given the explosive nature of his story it’s still unclear who he was aiming for with that parting shot.

    Fortunately, Politico just put out an article with some highly significant information about Smith’s operation that gives us a hint about why Smith chose to give the interview at that point in time. The article is about the ‘Alt-Right’ network Smith’s operation teamed up with in their quest to find Hillary’s emails. Specifically, Charles C. Johnson, the far-right troll who runs the GotNews website, and one of his partners. But that’s not all. Smith also reportedly reached out to “Guccifer 2.0”, the hacker persona who represents the public face of whoever did the DNC hacks, and Guccifer told Smith to contact a “White nationalist hacker in Ukraine”, which is almost certainly a reference to Andrew “the weev” Auernheimer, who already is suspected of carrying out the “Macron hacks” and trying to make it look like Russia did it.

    Not only that, but Johnson explicitly told Smith to contact Auernheimer too. Johnson also notes how he actually worked with Auernheimer in the past and talks about how there’s a hidden network of right-wing opposition researchers that he’s in contact with and he let them know about Smith’s efforts. Don’t forget that one of the reasons Auernheimer is suspected of the Macron hacks is due to the fact that the hacked documents first showed up anonymously on 4chan and people started leaving comments like “Weev… you’re doing the lord’s work”. So that’s a pretty big revelation.

    Of course, this is all based on the accounts of people like Charles Johnson, so it has to be taken with a grain of salt. But as we’ve seen with the recent highly self-incriminating email dump by Donald Trump, Jr., as the investigations into the 2016 hackings unfold there might be situations where the key players decide to get ahead of the news by spilling what they know. Especially if they think the news is about to come out anyway from a different source. And that brings us to the clue left in the Politico article about why Smith may have chosen to give that interview when he did. First, note the comments from Jonathan Safron, Smith’s young assistant, in the above article where Safron states how he knew nothing about Smith’s attempts to track down Hillary’s emails:


    Safron, who said he had a low-level job with the Illinois Republican Party in 2014, said he had no knowledge of Smith’s bid to find hackers who could locate emails missing from Clinton’s service as secretary of state. In his online tribute to his former employer, he called Smith the “best boss I could ever ask for … a mentor, friend and model human being.”

    Well, Safron is interviewed in the Politico article as well. In that article Safron talks about how he wasn’t involved in Smith’s efforts but he was copied on the emails. And it was Safron’s discovery that Shane Harris, the Wall Street Journal journalist who did the interview with Smith, was viewing Safron’s LinkedIn profile (you can see who views your profile on LinkedIn, which seems like a horrible feature, but oh well). It was after Safron told Smith about this that Smith granted Harris the interview, suggesting that Smith was willing to talk simply to get ahead of a huge story that he was at the center of and suspected a journalist was now discovering.

    As we can see, it’s a pretty important article in terms of understanding what Smith, and potentially the Trump team, was up to and why Smith may have decided to grant the interview in the first place. And it’s a YUUUGE article if it’s true that “Guccifer 2.0” AND Johnson directed Smith towards “the weev”:

    Politico

    GOP Researcher Who Sought Clinton Emails Had Alt-Right Help

    Peter Smith’s quixotic effort to obtain Hillary Clinton’s deleted emails from Russian hackers got a boost from a pro-Trump activist with White House ties.

    By Ben Schreckinger

    July 11, 2017

    The saga of Peter Smith’s quest to obtain 33,000 emails deleted by Hillary Clinton—an effort now at the center of intrigue swirling around the Donald Trump campaign’s ties to Russia—keeps getting weirder.

    In his Hail Mary bid to tip the election to Trump, the Republican private equity executive enlisted two controversial alt-right activists to help him understand the workings of the internet and make contacts in Trump’s orbit, according to interviews with those involved and emails obtained by Politico.

    The activists, the journalist-turned-entrepreneur Charles Johnson and his former business partner Pax Dickinson, agreed to help Smith’s quixotic mission, which failed to track down copies of Clinton’s emails. Johnson is a polarizing figure who was banned from Twitter in 2015 after promoting an effort to “take out” a Black Lives Matter activist but maintains ties to White House officials. Smith also reached out to “Guccifer 2.0”—an alias the U.S. intelligence community has linked to Russian state hackers—and was advised to seek the help of a white nationalist hacker who lives in Ukraine.

    Smith’s doomed effort, which brought him into contact with hackers he believed were tied to the Kremlin and was first reported last month by the Wall Street Journal, has emerged as a topic of intense interest as investigators probe ties between the Trump campaign and Russia. Understanding Smith’s relationships could hold the key to the question of whether or not Trump’s campaign colluded with the Kremlin: Federal investigators are probing an apparent attempt by Russian government hackers to obtain the deleted emails and provide them to former national security adviser Michael Flynn through a third party, the Journal also reported. The paper was unable to identify the Russians’ intended intermediary but suggested it may have been Smith, who had boasted of his ties to Flynn.

    The new details of Smith’s operation, which were shared with Politico Magazine by Johnson and others, paint a picture of a determined but ill-equipped activist casting about far and wide in a frantic but ultimately futile quest to get ahold of Clinton’s deleted emails and publish them ahead of Election Day. As the ailing octogenarian was dealing with sophisticated hackers and navigating the darkest corners of the internet, for instance, he was being tutored in the use of basic computer technology.

    The details also illustrate the daunting task before investigators should they seek to examine the wide-ranging cast of colorful contacts Smith enlisted in his effort and the sometimes blurry lines between Trump’s lean, unorthodox campaign and the outside activists working to help it.

    In a recruiting document used for the effort, Smith—who died in May at age 81—listed the names of several senior Trump aides, including Flynn, former Breitbart chairman Steve Bannon, Kellyanne Conway and campaign chairman Sam Clovis, the Journal reported.

    Jonathan Safron, a former assistant to Smith in Chicago, said that Smith also spoke to him of knowing Clovis, who was a well-known conservative activist in nearby Iowa before becoming co-chairman of Trump’s campaign, and that he had seen Smith email Clovis about matters unrelated to Clinton’s emails. Safron said he does not know whether Clovis, who did not respond to requests for comment, ever replied.

    ***

    Smith, a former chairman of the College Republicans, had been pursuing freelance political adventures for years. In the 1990s, he was a chief promoter of stories damaging to Bill Clinton, working in the same small circle as Conway’s husband, George, to air allegations of sexual misconduct against the then-president, according to a 1999 Newsweek article.

    Johnson, a former Breitbart reporter, said he first encountered the Chicagoan around 2013 when the two collaborated on opposition research about Barack Obama.

    In the fall of 2015, Smith promoted Illinois Rep. Peter Roskam’s ambitions to succeed John Boehner as speaker of the House, and Johnson helped to sideline one of Roskam’s potential rivals for the position, Majority Leader Kevin McCarthy.

    Ironically, some of Smith’s emails related to the speaker’s race were released in a dump by D.C. Leaks, an outlet that, according to cybersecurity experts, was established to publish emails stolen by Russian hackers. In one leaked email from October 8, 2015, Smith wrote to Illinois’ Republican National Committeeman Rich Porter that he had just discussed the speaker’s race with Breitbart reporter Matt Boyle, now the outlet’s Washington bureau chief.

    In another leaked email, Smith forwarded a link to a story from GotNews, a website founded by Johnson, accusing McCarthy of carrying on an affair with North Carolina Rep. Renee Ellmers. The leak also includes an email in which Johnson provided Smith with Boyle’s contact information. Boyle and others at Breitbart aggressively covered the alleged affair, and McCarthy withdrew from the speaker’s race. (Boyle referred questions to Breitbart spokesman Chad Wilkinson, who declined to comment. Porter—who worked with Smith and George Conway to promote Clinton sex scandals back in the ’90s—did not respond to requests for comment.)

    Johnson said he and Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

    Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

    “The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

    Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

    At the same time Johnson was working with Smith, he was promoting other initiatives aimed at electing Trump. In October, Johnson’s crowdfunding website, WeSearchr, raised $10,000 to send Kathy Shelton—an Arkansas woman who was raped in 1975 by a man who was represented at trial by a young Hillary Clinton—to the second presidential debate in St. Louis. In the hours before the debate, Trump hosted a news conference with Shelton and women who had accused Bill Clinton of sexual assault, and at the debate Trump’s campaign attempted to seat the women in the section reserved for the candidate’s family.

    Safron, who worked as an assistant to Smith at the time, said that Johnson—who met with Smith in Chicago before Smith died—had been seeking investment capital from Smith for WeSearchr. Johnson said he discussed an investment with Smith but that he “didn’t need or want his capital.”

    Smith also reached out to Matt Tait, a cybersecurity expert and former UK intelligence official, who served as a source for the Journal’s reporting. Tait recounted his conversations with the Republican activist in a recent blog post for the legal affairs website Lawfare, writing that Smith wanted help vetting a “dark web” contact who claimed to be in possession of Clinton’s missing emails. According to Tait, Smith seemed unconcerned about the possibility that by helping publish such emails, he could be aiding a Russian intelligence operation. Tait declined to comment for this article, saying he has recently been contacted “by a number of congressional and other investigators.”

    In an email chain from October obtained by Politico, Smith sought the advice of a tech-savvy business associate about concerns that WikiLeaks had been attacked by hackers. In the email, the associate, Royal O’Brien, a Jacksonville-based programmer Smith described as a dark web expert, advised Smith about the use of PGP keys for encryption and opined that anyone who launched an attack on WikiLeaks would likely face stiff blowback from the group’s web-savvy supporters.

    According to the Journal, Smith had been advising hacking groups claiming to have Clinton’s emails to turn them over to WikiLeaks. The next month, Smith asserted on his personal blog that “WikiLeaks has reported that they received the Clinton emails nine months ago, but have not released them. These emails were widely available.” It is not clear what led Smith to assert that WikiLeaks possessed the missing emails.

    “WikiLeaks does not keep newsworthy information from the public,” said a representative of the group in response to a question about Smith’s assertion. “Publication timing is influenced by workload, research, presentation and verification requirements as well as intensity of public interest.” The group declined to say whether it had contact with Smith, citing a policy of not disclosing its sources.

    O’Brien confirmed that Smith sought his advice on technical matters from time to time, including on the feasibility of obtaining Clinton’s deleted emails. “I told him that if they have access to the original hardware, anything is accessible,” O’Brien recounted. “That’s basic forensics.”

    Also copied on the October email chain is Dickinson, an alt-right activist who was Johnson’s partner at WeSearchr until the pair had a falling out this May. Dickinson said he participated in Smith’s efforts to obtain Clinton’s emails but declined to discuss the matter further, citing a distaste for reporters and “fake news.” Instead, Dickinson, who lost his job as the chief technology officer at Business Insider in 2013 over offensive social media posts and recently launched an alt-right crowd-funding platform called Counter.Fund that is governed by a “High Council” and a “House of Lords,” said he intended to share his story with the conspiracy theorist Alex Jones.

    ***

    At the same time Smith was learning to navigate the deepest reaches of the web, he was also struggling to overcome failing health and to master more rudimentary technology.

    Safron, who graduated from college in 2013 and has also done work for the Illinois Republican Party, said he had been hired by Smith through a tutoring service in 2015 for help using computers. Safron said he taught Smith, who had trouble typing, to use dictation software, and that he helped the aging executive make connections on the professional networking website LinkedIn. Safron said that he was not actively involved in Smith’s election-related efforts, though he was copied on emails related to those efforts.

    Johnson, O’Brien and Safron all said they have not heard from government investigators about the matter.

    Safron said that he noticed that Journal reporter Shane Harris had viewed his LinkedIn profile this spring and that he notified Smith, who granted Harris an interview in May, 10 days before he died. Neither his family nor local officials have revealed the cause of Smith’s death, but Safron said he had noticed his boss’ health waning in his final months.

    Safron’s social media profiles still link to an old Twitter handle, @JSaf17. Safron said he deleted the account several years ago. But in March, the handle was reused to create a new account, which has tweeted only once—in Russian.

    ———-

    “GOP Researcher Who Sought Clinton Emails Had Alt-Right Help” by Ben Schreckinger; Politico; 07/11/2017

    “The activists, the journalist-turned-entrepreneur Charles Johnson and his former business partner Pax Dickinson, agreed to help Smith’s quixotic mission, which failed to track down copies of Clinton’s emails. Johnson is a polarizing figure who was banned from Twitter in 2015 after promoting an effort to “take out” a Black Lives Matter activist but maintains ties to White House officials. Smith also reached out to “Guccifer 2.0”—an alias the U.S. intelligence community has linked to Russian state hackers—and was advised to seek the help of a white nationalist hacker who lives in Ukraine.”

    “Seek the help of a white nationalist hacker who lives in Ukraine.” That’s the advice “Guccifer 2.0” apparently gave to Smith, and unless there’s another prominent white nationalist hacker in Ukraine that he was referring to, that was almost certainly a reference to Andrew Auernheimer. Especially since that’s the explicit advice Charles Johnson also gave to Smith:


    Johnson said he and Smith stayed in touch, discussing “tactics and research” regularly throughout the presidential campaign, and that Smith sought his help tracking down Clinton’s emails. “He wanted me to introduce to him to Bannon, to a few others, and I sort of demurred on some of that,” Johnson said. “I didn’t think his operation was as sophisticated as it needed to be, and I thought it was good to keep the campaign as insulated as possible.”

    Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

    “The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republican operatives, including Trump confidant Roger Stone—to Russian government hackers.)

    Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

    Yep, Johnson and Auernheimer are indeed past collaborators. And it wasn’t that long ago either. Back in October 2015, Johnson and Auernheimer released on the internet videos taken by a right-wing ‘journalist’, David Daleiden, of Planned Parenthood employees that were under a temporary court restraining order. Auernheimer claimed at the time that he was in Macedonia – and implied he was under the protection of “local militias” should US authorities try to extradite him – and also talked about being a big fan of Charles Johnson (that’s right, Auernheimer claims he was in Macedonia as of the fall of 2015…recall how Macedonia somehow became the epicenter of a pro-Trump ‘fake news’ operation).

    So we already have very strong evidence that Auernheimer was behind the Macron hacks, which were also spear-phishing hacks like the DNC/Podesta hacks, and we know Auernheimer filled those Macron documents with “Russian” fingerprints. And now we learn that Chuck Johnson AND “Guccifer 2.0” both advised Smith to contact Auernheimer. And while Johnson’s friendship with Auernheimer would make him a likely hacker that Johnson might recommend to Smith, keep in mind that the Macron hacks hadn’t taken place at this point, so it’s not like Auernheimer would be an obvious person that “Guccifer 2.0” might recommend.

    And then, finally, we learn from Jonathan Safron why Peter Smith may have chosen that particular time to give this explosive interview:


    Safron, who graduated from college in 2013 and has also done work for the Illinois Republican Party, said he had been hired by Smith through a tutoring service in 2015 for help using computers. Safron said he taught Smith, who had trouble typing, to use dictation software, and that he helped the aging executive make connections on the professional networking website LinkedIn. Safron said that he was not actively involved in Smith’s election-related efforts, though he was copied on emails related to those efforts.

    Johnson, O’Brien and Safron all said they have not heard from government investigators about the matter.

    Safron said that he noticed that Journal reporter Shane Harris had viewed his LinkedIn profile this spring and that he notified Smith, who granted Harris an interview in May, 10 days before he died. Neither his family nor local officials have revealed the cause of Smith’s death, but Safron said he had noticed his boss’ health waning in his final months.

    And then there’s this very strange twist at the end:


    Safron’s social media profiles still link to an old Twitter handle, @JSaf17. Safron said he deleted the account several years ago. But in March, the handle was reused to create a new account, which has tweeted only once—in Russian.

    That’s some odd signaling from Safron. But overall it looks like Peter Smith may have revealed this operation for the simple reason that he was pretty sure it was going to be revealed anyway. Why not get out ahead of the story in that situation, which is exactly what he did…without ever mentioning Auernheimer, Chuck Johnson, or a lot of other highly relevant details.

    All in all, while Smith’s age and failing health certainly make a health-based suicide plausible, it’s hard to ignore the possibility that maybe it wasn’t simply failing health and a last opportunity to share his rather amazing story with the world before he died. Smith may have done that interview because he had to in order to get ahead of the story that he feared was coming out anyway. And then killed himself 10 days later. So, you know, maybe Smith’s decision to do that interview and then make a ‘final exit’ wasn’t just about failing health.

    Posted by Pterrafractyl | July 13, 2017, 6:46 pm
  3. With the number of figures from the Russian delegation growing by the day as we learn more about who attended the June 9th meeting between the Trump campaign and a delegation of Russian lobbyists – Rinat Akhmetshin, the Russian American lobbyist – there was a piece at TPM that highlighted a potentially significant fact that could possibly explain the ‘keystone spies’ nature of that meeting: The June 3rd email from Rob Goldstone to Donald Trump Jr. came just one day after Hillary Clinton gave a notable speech charging Donald Trump with being overly cozy with Vladimir Putin. One day.

    So when you consider how the comically over-the-top nature of Goldstone’s email strikes many as a Russian government casual fishing expedition to just test the waters and see if the Trump campaign would be open to Russian government help, keep in mind that one possible reason for that over-the-top language could have been to simply send a signal to the Trump campaign: “Hey, the Russian government likes you…if the Clintons start making a big deal about your ties to Russia just keep in mind that we totally like you way more than her. Be nice.” And it would have been a signal sent even had the Trump campaign done what it should have done and blown off the over-the-top invitation.

    Another possibility is that the Kremlin also has kompromat on Trump – seems extremely possible – and the email was also intended to remind Trump of that, but in a very indirect way. A signal like, “hey, we got dirt on you, don’t let Hillary force you into an anti-Russian stance”. And it’s also possible that Goldstone’s email was intended to be both friendly and a warning.

    In other words, the purpose of Goldstone’s initial email could have simply been to send a signal of “we like you guys, please be nice and don’t go all anti-Russian to fend off Hillary’s criticisms (and you’ll regret it if you do)” that was intended to be so over-the-top that the Trump campaign would have the good sense not to take them up on their offer. That way, the Trump campaign and Russian government wouldn’t find themselves in exactly the situation they find themselves in today. But then the Trump campaign took them up on their over-the-top offer and the meeting had to happen.

    Don’t forget, if we assume the Russian lobbyists really were representing the Kremlin, by arranging for this meeting and actually going through with it the Russian government was taking a pretty big risk. There was no guarantee that the meeting wouldn’t have been exposed somehow during the campaign, which could have inflicted massive damage to Trump’s chances. And as the following TPM piece points out, the June 9th meeting took place just days before “Guccifer 2.0” started talking to the world and just a day after the DCLeaks website that Guccifer 2.0 used to disseminate the hacked materials made its first tweet to the world. So if the Russian government really was behind “Guccifer 2.0” and that June 9th meeting, it was engaging in remarkably risky behavior that was putting the chances of a Trump victory significantly at risk. What if US intelligence agencies were tracking the movements of Natalia Veselnitskaya? Or Rinat Akhmetshin, the Russian American lobbyist suspected of GRU ties who we recently learned also attended the meeting? Having suspected Russian intelligence cut-outs meeting with the Kremlin’s preferred candidate’s top campaign staff at Trump Tower days before your hacker persona starts talking to the world (while leaving all sorts of hints of being a Russian) is some pretty cavalier spycraft. At the same time, if this whole meeting emerged from an email that was intended to send a signal, but also intended to be rebuffed, the June 9th meeting sort of makes sense as something the Kremlin would have wanted to avoid but couldn’t avoid because the Trump campaign was too venal and corrupt to do the sane thing and just accept the friendly signal:

    Talking Points Memo
    Muckraker

    Don Jr. Meeting Came At A Seminal Moment In Russian Interference Story

    By Allegra Kirkland
    Published July 14, 2017 4:43 pm

    President Donald Trump and his team are casting it as absurdly conspiratorial to suggest there was anything odd about his oldest son accepting a meeting with a Kremlin-linked lawyer last June, noting that Russia was not a major campaign issue at the time.

    But a close look at the timeline suggests that Donald Trump, Jr. took a meeting billed as an opportunity to learn information obtained as “part of Russia and its government’s support for Mr. Trump” at a moment when his father was taking heat from his opponent for his sunny view of Russian President Vladimir Putin, and shortly before the Kremlin’s disinformation and targeted leaking campaign against the Democrats began in earnest.

    “You have to understand, when that took place, this was before Russia fever,” Trump told Reuters on Wednesday. “There was no Russia fever back then, that was at the beginning of the campaign, more or less.”

    Trump Jr. took a similar tack on Tuesday when he took the surprise step of releasing the email chain leading up to his June 2016 meeting with a woman described to him as a “Russian government lawyer” who was said to have “information that would incriminate Hillary” Clinton. “To put this in context, this occurred before the current Russian fever was in vogue,” Trump Jr. said in a statement accompanying the email release.

    This version of events does not tell the whole story. The campaign had already been underway for a year, and the news was full of articles about Trump’s “bromance” with Putin prior to the Trump Tower meeting between Trump Jr., his brother-in-law Jared Kushner, then-campaign chairman Paul Manafort, Russian lawyer Natalia Veselnitskaya, and lobbyist Rinat Akhmetshin. Headlines declared that Putin had ordered state-owned U.S. media outlets like RT to promote Trump’s candidacy and tear down Clinton’s, and questions swirled about Trump advisers’ business connections in Russia.

    On June 2, 2016 Clinton gave her first major speech on national security—in effect, a speech about Trump. The presumptive Democratic nominee repeatedly invoked Trump’s bond with Russia’s leader, accusing him of praising “dictators like Vladimir Putin” and having a “bizarre fascination with dictators and strongmen who have no love for America.”

    “He said if he were grading Vladimir Putin as a leader, he’d give him an A,” Clinton told the San Diego, California crowd of Trump, warning that such an unsavvy stance would allow a leader like Putin to “eat your lunch.”

    The very next day, Rob Goldstone, a British publicist and family friend of the Trumps, first contacted Trump Jr. about the “very interesting” information a client of his had on Clinton.

    While Goldstone and Trump Jr. worked out the details of the meeting in a series of back-and-forth emails, then-candidate Trump hinted at a June 7 campaign rally that he would soon give a “major speech” about Clinton.

    “I am going to give a major speech on probably Monday of next week, and we’re going to be discussing all of the things that have taken place with the Clintons,” Trump said at the time, promising information on their “corrupt dealings” to give “favorable treatment” to “the Russians” and other foreign governments. “I think you’re going to find it very informative and very, very interesting.”

    At the same time, the apparatus for publishing stolen emails and documents involving Democratic Party leaders and operatives—later determined to have been hacked by Russian operatives—was being put into place. On June 8, DC Leaks, a site established to publish some of the stolen documents, posted its first tweet.

    The Trump Tower meeting between Trump Jr., the campaign associates and the Russians came on June 9; both sides have said it was inconsequential, with Trump Jr. insisting he did not receive the damaging information he came for and the Russian participants claiming the conversation focused only on a defunct program enabling the adoption of Russian children by Americans.

    WikiLeaks founder Julian Assange, a longtime Clinton critic, hinted in a June 12 interview that his site had a “very big year ahead,” promising the imminent release of emails “related to Hillary Clinton.”

    Those emails wouldn’t drop until just before the Democratic National Convention in late July, but the public learned about the DNC breach at around this time via a June 14 Washington Post article that attributed it to hackers working on behalf of the Russian government. “Guccifer 2.0,” later determined by computer experts and U.S. officials to be a persona invented by Russian intelligence officials, began contacting U.S. news sites to claim credit for the hack and to offer stolen Democratic Party documents.

    Putin praised Trump as a “bright” person at the Russian Economic Forum in St. Petersburg on June 17.

    Amid this background and other major news events, Trump delayed his promised “major speech” on Clinton. After postponing it to account for the mass shooting at Pulse, a gay nightclub in Orlando, Florida, Trump promised in a June 21 tweet that a “big speech” about Clinton would come the next day.

    From a stage in New York, Trump held forth about Clinton’s handling of the Benghazi attacks, her support for free trade and her “temperament.” None of these criticisms were new, but Trump added what would later seem a prescient warning: emails Clinton deleted from her private server could make her vulnerable to “blackmail” from countries hostile to the United States, he said.

    As Trump cautioned, “We can’t hand over our government to someone whose deepest, darkest secrets may be in the hands of our enemies.”

    ———-

    “Don Jr. Meeting Came At A Seminal Moment In Russian Interference Story” by Allegra Kirkland; Talking Points Memo; 07/14/2017

    “But a close look at the timeline suggests that Donald Trump, Jr. took a meeting billed as an opportunity to learn information obtained as “part of Russia and its government’s support for Mr. Trump” at a moment when his father was taking heat from his opponent for his sunny view of Russian President Vladimir Putin, and shortly before the Kremlin’s disinformation and targeted leaking campaign against the Democrats began in earnest.”

    The timing is rather remarkable:


    On June 2, 2016 Clinton gave her first major speech on national security—in effect, a speech about Trump. The presumptive Democratic nominee repeatedly invoked Trump’s bond with Russia’s leader, accusing him of praising “dictators like Vladimir Putin” and having a “bizarre fascination with dictators and strongmen who have no love for America.”

    “He said if he were grading Vladimir Putin as a leader, he’d give him an A,” Clinton told the San Diego, California crowd of Trump, warning that such an unsavvy stance would allow a leader like Putin to “eat your lunch.”

    The very next day, Rob Goldstone, a British publicist and family friend of the Trumps, first contacted Trump Jr. about the “very interesting” information a client of his had on Clinton.

    And then, in the following days, we get Trump hinting at a big speech that will charge Hillary with having questionable ties to the Kremlin. The next day, DCLeaks makes its first tweet to the world, and the next day there’s the now notorious June 9th meeting:


    While Goldstone and Trump Jr. worked out the details of the meeting in a series of back-and-forth emails, then-candidate Trump hinted at a June 7 campaign rally that he would soon give a “major speech” about Clinton.

    “I am going to give a major speech on probably Monday of next week, and we’re going to be discussing all of the things that have taken place with the Clintons,” Trump said at the time, promising information on their “corrupt dealings” to give “favorable treatment” to “the Russians” and other foreign governments. “I think you’re going to find it very informative and very, very interesting.”

    At the same time, the apparatus for publishing stolen emails and documents involving Democratic Party leaders and operatives—later determined to have been hacked by Russian operatives—was being put into place. On June 8, DC Leaks, a site established to publish some of the stolen documents, posted its first tweet.

    The Trump Tower meeting between Trump Jr., the campaign associates and the Russians came on June 9; both sides have said it was inconsequential, with Trump Jr. insisting he did not receive the damaging information he came for and the Russian participants claiming the conversation focused only on a defunct program enabling the adoption of Russian children by Americans.

    And keep in mind that when Trump finally gave that speech about Hillary, he didn’t have anything new. It was an actual “nothingburger”.

    And, intriguingly, according to Sam Biddle, one of the first journalists Guccifer 2.0 reached out to days after that June 9th meeting, Guccifer 2.0 was pitching all sorts of different documents to Biddle from the giant cache of not-yet-released hacked emails. And none of the stories Guccifer 2.0 pitched to Biddle had anything to do with the “Hillary is getting dirty money from Russian oligarchs” information that Goldstone and Veselnitskaya were pitching to Trump, Jr.:

    The Intercept

    Just Six Days After Trump Jr.’s Meeting, Guccifer 2.0 Emailed Me — But There Was One Key Difference

    Sam Biddle
    July 14 2017, 12:44 p.m.

    After 39 years of operating without an apparent conceptual understanding of “consequences,” this week Donald Trump Jr. tweeted out an email thread admitting to soliciting the help of the Russian government in order to damage Hillary Clinton and aid the family campaign. The emails are astounding for more than a few reasons, particularly because of what came next.

    On June 3, British music publicist Rob Goldstone contacted Donald Jr. with an explicit offer: “Official documents and information that would incriminate Hillary and her dealings with Russia.” In case Donald Jr. was slow on the uptake, Goldstone made sure to spell out exactly what was happening. “This is obviously very high level and sensitive information but is part of Russia and its government’s support for Mr. Trump,” he offered, as if he were writing his email to make the work of future investigators simpler. Thus began an extremely busy couple of weeks. On June 7, as Philip Bump at the Washington Post points out, the elder Trump “pledged that he’d give a major speech the following Monday, June 13, ‘discussing all of the things that have taken place with the Clintons.’” On June 9, a meeting between Donald Jr., two other members of the Trump campaign, and Russian attorney Natalia Veselnitskaya took place in New York, on the basis of the aforementioned “official documents.” The AP also reports that Russian-American lobbyist Rinat Akhmetshin was present at the meeting, and claims “Veselnitskaya brought with her a plastic folder with printed-out documents that detailed what she believed was the flow of illicit funds to the Democratic National Committee.”

    Donald Jr. now says the meeting was a dud, and Veselnitskaya didn’t have the goods, but it was interesting enough that all of the participants conveniently forget to mention it at any point since then.

    Just six days after the Trump/Veselnitskaya meeting, and 12 days after the initial contact by Goldstone, while working as a reporter for Gawker, I received an email tip, including official strategy and financial documents from the Democratic Party:
    [see screenshot of email Guccifer 2.0 sent to Biddle]

    This timing is interesting for two reasons. The extreme proximity of promised Hillary-related documents and the arrival of Hillary-related documents just days later suggests Guccifer 2.0 could have been part of the plan Goldstone alluded to over email. But secondly, although the documents were surely “official” in that they originated from within the Democratic Party, no one ever found anything in them that could be considered “information that would incriminate Hillary and her dealings with Russia.” It doesn’t appear that any of the documents released by Guccifer, whether in private to reporters like myself or on the web, pertained to or referenced whatsoever any “dealings” between Clinton and Russia. Guccifer was very eager to “pitch” documents to me that he believed would be particularly damaging or newsworthy (virtually none of them were), so it stands to reason that he would have pushed the Russia/DNC angle were he in possession of documents along those lines. Guccifer mentioned Russia only a couple of times, first to deny to me that he was Russian, and secondly that “maybe russians were among” those who had hacked the DNC. So there’s nothing directly tying the contents of the Guccifer emails I (and reporters at other outlets) received to the contents Trump Jr. et al. were promised in this week’s explosive email thread.

    This leaves a lot of possibilities, unfortunately, and chalking the whole thing up to nothing more than giant coincidence feels strange and unwise. Of course, a campaign takes place in a compressed time frame — though, mercilessly, not compressed enough — so the likelihood of events coinciding in time is heightened. It’s possible that a British music publicist wasn’t exactly plugged in to the alleged activities of Russian military intelligence and got the nitty gritty wrong in his email to Trump Jr. It’s possible the offer emailed to Trump Jr. was just a means of testing how receptive he was to the idea of state-sponsored opposition research (very). It’s possible these people are all smarter than they look, and deliberately did not refer to the actual nature of the hacked documents in writing. It’s possible Goldstone and company were entirely separate from Guccifer, a second, discrete branch of campaign dirt-digging. It’s possible these are coincidences — if so, it would behoove Trumps old and young to explain why the most notorious hacker persona of the modern age started shopping around Hillary-related documents less than a week after similar documents were promised to the campaign.

    ———-

    “Just Six Days After Trump Jr.’s Meeting, Guccifer 2.0 Emailed Me — But There Was One Key Difference” by Sam Biddle; The Intercept; 07/14/2017

    “This timing is interesting for two reasons. The extreme proximity of promised Hillary-related documents and the arrival of Hillary-related documents just days later suggests Guccifer 2.0 could have been part of the plan Goldstone alluded to over email. But secondly, although the documents were surely “official” in that they originated from within the Democratic Party, no one ever found anything in them that could be considered “information that would incriminate Hillary and her dealings with Russia.” It doesn’t appear that any of the documents released by Guccifer, whether in private to reporters like myself or on the web, pertained to or referenced whatsoever any “dealings” between Clinton and Russia. Guccifer was very eager to “pitch” documents to me that he believed would be particularly damaging or newsworthy (virtually none of them were), so it stands to reason that he would have pushed the Russia/DNC angle were he in possession of documents along those lines. Guccifer mentioned Russia only a couple of times, first to deny to me that he was Russian, and secondly that “maybe russians were among” those who had hacked the DNC. So there’s nothing directly tying the contents of the Guccifer emails I (and reporters at other outlets) received to the contents Trump Jr. et al. were promised in this week’s explosive email thread.”

    So let’s just summarize some key facts here:
    1. Rob Goldstone sent the stunningly worded June 3rd email about the Russian government wanting to help the Trump campaign by handing over information on Hillary and dirty Russian money flows.
    2. Donald Trump gave a June 7th speech that hinted at dirty info on Hillary Clinton and Russia.
    3. They held the June 9th meeting that the Goldstone emails suggest was supposed to yield information of that nature. Information that has never come to light.
    4. Six days after that meeting, Guccifer 2.0 was reaching out to journalists, pitching all sorts of stories from the hacked emails. But nothing tying Clinton to Russia.

    So given the widely held suspicion that this whole meeting was set up for the purpose of privately hammering out how the Russian government and the Trump campaign were going to collude in disseminating the hacked DNC emails, if that scenario is true, the opening email Goldstone sent to Trump, Jr. has a strange juxtaposition: it is extremely forthright about the Russian government wanting to help the Trump campaign by providing dirty info on Hillary, yet it completely misleads the Trump team about the nature of the info that was actually going to be provided.

    On the one hand, it makes a lot of sense that Goldstone wouldn’t divulge the nature of the alleged dirty info in an email. But on the other hand, it makes very little sense that he would have been so open about “the Russian government wants to help you” if the Russian government was days away from unleashing “Guccifer 2.0” on the world. It’s an incredible risk, and one that would hand the Trump campaign a ready-made alibi. After all, whoever is behind “Guccifer 2.0” couldn’t have known in advance that all the “I’m Russian!” fingerprints would succeed in convincing most of the US public that the hacker was Russian. What if there was strong suspicion that the Trump campaign was behind the hack, and that became part of the media narrative the Trump campaign had to deal with? With Goldstone’s initial email, the Russian government would have preemptively handed the Trump campaign a document that would have been incredibly useful for directing those suspicions back towards the Kremlin. If the Kremlin was behind “Guccifer 2.0”, the June 9th meeting was actually a front for a Trump campaign-Kremlin meeting, and the Kremlin was planning on unveiling “Guccifer 2.0” soon, then that June 3rd Goldstone email is almost like a prearranged “get out of jail free” card for the Trump team in case it got any heat over the upcoming “Guccifer 2.0” campaign. But then Trump, Jr. totally screwed it up by not replying “Thanks, but no thanks! That would be wrong of us!” Of course, that’s assuming the Russian government would be totally cool about accepting the blame for such an inflammatory hacking operation. And if we assume that this hacking operation was the Russian government all along, and we assume that “Guccifer 2.0” and the original hackers weren’t just completely incompetent operatives who left all those “I’m a Russian!” digital fingerprints by mistake, we would also have to be open to the idea that the Russian government intentionally handed the Trump campaign a “get out of jail free” card…one that Trump, Jr. totally screwed up.

    Also keep in mind that if the Trump campaign itself was behind “Guccifer 2.0”, or had already received the hacked documents from “Guccifer 2.0” (perhaps via “the weev”?), the question of how to disseminate the hacked materials without making the Trump team suspects would have been looming large in the minds of the Trump team’s leadership. And that email from Goldstone may have been exactly what the Trump team needed in that situation: evidence that could be used to direct culpability back towards the Kremlin. It could explain both the incredible overlap in the timing of the emergence of “Guccifer 2.0” and all the implausibly stupid “I’m a Russian” ‘mistakes’ that “Guccifer 2.0” made that pointed towards a Kremlin hacker. ‘Mistakes’ that didn’t just include signing the hacked documents with the name of a Soviet spy chief in Cyrillic characters but also the strange way Guccifer talked. Don’t forget, while “Guccifer 2.0” claimed to be Romanian, they sometimes wrote with mistakes that seemed Russian/Eastern European-ish and sometimes in perfect English. And while this has often been interpreted as a ‘mistake’ by sophisticated Russian intelligence agencies, for some reason the idea that “Guccifer 2.0” was a native English speaker trying to seem Russian never seemed to get serious consideration:

    Vice Motherboard

    Why Does DNC Hacker ‘Guccifer 2.0’ Talk Like This?

    Lorenzo Franceschi-Bicchierai
    Jun 23 2016, 12:10pm

    Despite the hacker’s confusing claims and denials about his origin, his own words might have betrayed his real origins.

    A week after a hacker going by the name of ‘Guccifer 2.0’ claimed responsibility for the hack on the Democratic National Committee, the mysterious individual spoke publicly for the first time. Guccifer 2.0 called himself a “hacker, manager, philosopher, women lover.” And of course, someone who likes Gucci.

    “I bring the light to people,” he added in an online chat with Motherboard. “I’m a freedom fighter!”

    More importantly, the hacker also denied being Russian and working for the Russian government, as many suspect he is. Just like the original Guccifer, whose handle and fame inspired his, Guccifer 2.0 claimed to be Romanian. But a linguistic analysis of his messages in Romanian, as well as his oftentimes broken English, might reveal more about his real origins than his claims.

    When he first appeared online last week, Guccifer 2.0 derided security firm CrowdStrike for pointing the finger at Russia, accusing two intelligence agencies of being behind the cyberattack.

    “I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy,” the hacker wrote in a blog post, defining himself as a “lone hacker.”

    Several security experts, judging from extensive circumstantial evidence, the potential motives behind the hack, the subsequent public responsibility claim, as well as the timeline of the events, said that the Guccifer 2.0 persona was likely part of a Russian government’s effort to cover up its own hack and spread disinformation.

    Whether Guccifer 2.0 is Russian and, most importantly, part of a Russian government-orchestrated attack on a US political institution is crucial here. While it’s normal and expected for spies to spy on their own enemies, it’s unusual, and way more dangerous, if those spies disseminate the intelligence they gather with the intention of influencing the internal politics of their biggest enemy. For some, that crosses a red line, so the whodunnit in this case is a necessary question to answer.

    Is Guccifer 2.0 Really Romanian?

    Despite claiming to be Romanian, Guccifer 2.0 didn’t seem to be a native Romanian speaker, according to several Romanians who reviewed the transcript of our conversation with him, which was in part carried out in Romanian. (Disclosure: For my part, I used Google Translate).

    For example, he used the word “filigran” for “watermark,” which the Romanian speakers who reviewed our chat logs with Guccifer 2.0 said is an unusual translation. Moreover, after a short exchange in Romanian, the hacker refused to answer longer questions, saying he didn’t want me to “waste” his time.

    [see image of chart showing examples of discrepancies in Guccifer 2.0’s Romanian language usage]

    The Romanians who reviewed the logs also pointed out instances in which Guccifer 2.0’s sentence construction was off, and that while chatting, native speakers usually don’t bother to use diacritics, or letters such as “â” “a” or “?.”

    What About His English Skills?

    The hacker’s English is also clearly not native, and was at times excellent, and at times awful. In one particular exchange, he displayed this contradiction:

    Q: Do you work with Russia or the Russian government?
    A: No because I don’t like Russians and their foreign policy. I hate being attributed to Russia.
    Q: Why?

    A: I’ve already told! Also I made a big deal, why you glorify them?

    The first answer is perfect English. The second one, however, is far less eloquent. Also, the “I’ve already told” phrase could be a sign of a Russian, or at least Slavic, speaker, given the absence of the object, “you”, according to Maria Doubrovskaia, a Russian language instructor at Columbia University.

    This might suggest the hacker had some answers in proper English prepared in advance (perhaps to predictable questions such as “Are you Russian?” or “How did you hack the DNC?”), while for others he had to improvise and didn’t have time to proofread during our live chat. This seems to be confirmed by the fact that Guccifer 2.0 gave me and my colleague Joseph Cox the same, word-for-word answer to a question about how he hacked the DNC.

    It’s also entirely possible that the person, or people, behind Guccifer 2.0 are purposely making these sorts of mistakes and being inconsistent to throw people off.

    Guccifer 2.0 also sometimes did not use definite and indefinite (“the” and “a/an”) articles when writing in English. That could be a sign that his native language doesn’t use them, according to an American university professor who specializes in Slavic syntax and asked to remain anonymous.

    “Russian certainly lacks such articles…but so do all other East and West Slavic languages,” she wrote in an email. “As for Romanian, the language DOES have both indefinite and definite articles, so I wouldn’t necessarily expect such mistakes in English from a native speaker of Romanian.”

    [Embedded tweet: “#Guccifer2 Dossier on #HillaryClinton https://t.co/LGcRb1spRN pic.twitter.com/qweBMKR1Qg”, GUCCIFER 2.0 (@GUCCIFER_2), June 21, 2016]

    A Motherboard reader, who contacted me via email said he taught English to several Russian speakers, said Guccifer 2.0 “has very strong Russian-English syntax (word order) and in some cases unnecessary formality in vocabulary choices that say to me either educated in Russia, or a lot of time in Russia learning Russian-English.”

    But not everyone is that sure. M.J. Connolly, a professor of Slavic and Eastern European linguistics at Boston College, said that Russians tend not to carry the construction using the word “language” after the language name (such as “Russian language,” or “Romanian language”) when they speak English.

    Connolly added that Guccifer 2.0’s English actually doesn’t show some Russian traces he would have expected, such as how at times the hacker does use some indefinite articles, and doesn’t substitute present tenses for past tenses.

    “All I can say is: no smoking gun here,” Connolly said in an email. “The English is very East Euro web talk, which Russians and Romanians and all Eastern Europeans share but, as I’ve pointed out already, many of the traits are non-Russian.”

    For Connolly, the hacker could also be Moldovan, given that the country is a mixed Romanian-Russian environment and many Moldovans, especially the anti-Russian ones, “will identify as Romanian.”

    What Does Guccifer 2.0 Say?

    After I pressed him to speak more Romanian on Tuesday, Guccifer 2.0 stopped answering my questions via Twitter.

    “Man, I’m not a pupil at school,” he said in one of his last answers, in English. “If u have serious questions u can ask. Don’t waste my time.”

    But on Wednesday, a day later, he got back to me, saying he would provide more answers on his blog post, after collecting more inquiries from other reporters and choosing the most popular ones. He also announced this upcoming FAQ on his blog, adding that anyone can now send him questions via Twitter. As of Thursday morning, he has not yet posted anything, and he hasn’t responded to a series of detailed questions we sent him in Romanian.

    The hacker’s words, and language skills, have certainly raised even more questions about his real identity and motives.

    It’s possible that whoever is behind Guccifer 2.0 really is being deluged with questions. Or, perhaps, after he exposed himself in our interview, he’s decided that it’s safer to pick and choose the questions he wants to answer, and take more time to answer them in proper English.

    ———-

    “Why Does DNC Hacker ‘Guccifer 2.0’ Talk Like This?”
    by Lorenzo Franceschi-Bicchierai; Vice Motherboard; 06/23/2016

    “”All I can say is: no smoking gun here,” Connolly said in an email. “The English is very East Euro web talk, which Russians and Romanians and all Eastern Europeans share but, as I’ve pointed out already, many of the traits are non-Russian.””

    That was the take from at least one language specialist. “Guccifer 2.0” was showing all sorts of linguistic signs: they couldn’t speak Romanian; they sometimes showed Russian/Eastern European English mistakes that wouldn’t be consistent with a Romanian speaker’s English mistakes; and they sometimes wrote perfect English:

    The hacker’s English is also clearly not native, and was at times excellent, and at times awful. In one particular exchange, he displayed this contradiction:

    Q: Do you work with Russia or the Russian government?
    A: No because I don’t like Russians and their foreign policy. I hate being attributed to Russia.
    Q: Why?

    A: I’ve already told! Also I made a big deal, why you glorify them?

    The first answer is perfect English. The second one, however, is far less eloquent. Also, the “I’ve already told” phrase could be a sign of a Russian, or at least Slavic, speaker, given the absence of the object, “you”, according to Maria Doubrovskaia, a Russian language instructor at Columbia University.

    This might suggest the hacker had some answers in proper English prepared in advance (perhaps to predictable questions such as “Are you Russian?” or “How did you hack the DNC?”), while for others he had to improvise and didn’t have time to proofread during our live chat. This seems to be confirmed by the fact that Guccifer 2.0 gave me and my colleague Joseph Cox the same, word-for-word answer to a question about how he hacked the DNC.

    So if we are to believe that the GRU created “Guccifer 2.0” as a fake “Romanian” hacker front for the purpose of keeping suspicions away from Russia, we would have to assume the person behind this persona not only couldn’t speak Romanian correctly, but also sometimes accidentally wrote perfect English. And had certain key phrases for expected questions prepared in perfect English, for some reason. But when this GRU persona got unexpected questions, they kept botching their cover and revealing Russian/Eastern European idiosyncrasies. That’s the scenario we’re supposed to accept at face value.

    But for some reason the possibility that “Guccifer 2.0” is an English speaker trying to seem like a Russian never gets seriously considered. Yet just days ago we had reports that Peter Smith’s team of opposition researchers (a team that included Trump campaign officials) contacted Guccifer 2.0, who told them to contact Andrew “the weev” Auernheimer, an American neo-Nazi hacker who is the prime suspect behind the Macron hacks that also included fake “I’m a Russian” fingerprints. And Charles Johnson, the far-right “GotNews” troll, told Smith’s team to contact “the weev” and said that he was in contact with a hidden “alt-right” network of opposition researchers. And it’s a very good bet that Charles Johnson was in regular contact with the Trump team well before Smith reached out to him.

    So if “Guccifer 2.0” was either a Trump campaign operative or already working with the Trump campaign before that June 3rd email from Goldstone was ever sent, you have to wonder if that apparent overture from the Kremlin could have played a decisive role in “Guccifer 2.0” suddenly showing up and acting like a Russian pretending to be a Romanian shortly after that June 3rd email.

    At the same time, it’s important to recall that the “I’m a Russian!” digital fingerprints on this whole operation didn’t first emerge with Guccifer 2.0’s strange language and the Cyrillic metadata in the documents. The first “I’m a Russian!” digital fingerprints appeared when the original hacks took place. That included malware that shockingly had the IP address of its command and control server hard coded into the malware itself. And that IP address was the same one used in the 2015 hack of the German Bundestag. And the command and control server was itself vulnerable to hacking because it was running a version of OpenSSL vulnerable to the Heartbleed attack (a bug that had been public since April 2014). The fact that this particular server (assumed to be under APT28/Fancy Bear control) was exposed in that way, and therefore open to takeover by a third party, was published to the world in June of 2015, shortly before the initial DNC hack is believed to have begun in the fall of 2015 (and the DNC hacker hard coded the IP address of this server, thus ensuring suspicion would fall back on APT28/Fancy Bear):

    Netzpolitik.org

    Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag

    June 19, 2015 (guest contribution)

    Servers of The Left in German Bundestag have been infected with malware, apparently by a state-sponsored group of Russian origin. This is the summary of an analysis by an IT security researcher, which we publish in full. The in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the malware.

    This analysis of security researcher Claudio Guarnieri was originally written for The Left in German Bundestag. We’re publishing it here with permission from The Left.

    A German translation of this report is also available.

    Summary of Findings

    Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure. One is an open source utility used to remotely issue commands on a Windows host from a Linux host. The other is a custom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the attackers to maintain persistence within the compromised network.

    The combination of the two utilities seems to be enough for the attackers to maintain a foothold inside the network, harvest data, and exfiltrate all the information they deemed interesting. It is, however, possible that there are additional malicious artifacts which have not yet been discovered.

    Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28). Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin.

    Artifacts

    The first artifact – identified across this report as Artifact #1 – has the following attributes:

    Name winexesvc.exe
    Size 23552
    MD5 77e7fb6b56c3ece4ef4e93b6dc608be0
    SHA1 f46f84e53263a33e266aae520cb2c1bd0a73354e
    SHA256 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d

    The second artifact – identified across this report as Artifact #2 – has the following attributes:

    Name svchost.exe.exe
    Size 1062912
    MD5 5e70a5c47c6b59dae7faf0f2d62b28b3
    SHA1 cdeea936331fcdd8158c876e9d23539f8976c305
    SHA256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
    Compile Time 2015-04-22 10:49:54

    Analysis of Artifact #1

    Artifact #1 was retrieved from a File Server operated by Die Linke. The file is a 64bit-compatible compiled binary of the open source utility Winexe. Winexe is software similar to the more popular PSExec and is designed to allow system administrators to execute commands on remote servers. While commercial solutions like Symantec pcAnywhere provide a larger feature-set, Winexe is lightweight, and doesn’t require any installation or configuration. One of the reasons Winexe is preferred over PSExec, is that it provides a Linux client, while PSExec doesn’t.

    Attackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across compromised networks. Besides providing the ability to execute arbitrary commands on the target system, these utilities normally don’t raise suspicion as they are commonly whitelisted by Antivirus and other commercial security software.

    Winexe acts as a Windows service that can be configured to automatically start at boot and silently wait for incoming commands over a named pipe. Named pipes are a Windows inter-process communication method. Through named pipes, processes are able to communicate and exchange data even over a network. In the case of Artifact #1, the name of the pipe is „ahexec“; computers over the network could access the pipe server by simply opening a file handle on „\\ServerName\pipe\ahexec“.

    Once connected to the pipe, a user or a program can easily provide information required to execute command (just as they would normally through a command-line). The provided information is then passed to a „CreateProcessAsUserA“ call and the specified command is executed.

    Once inside the network, Artifact #1 can be enough for the attacker to download or create additional scripts, execute commands and exfiltrate data (for example, simply through ftp). It is plausible that Artifact #1 could be present on other servers under different names, although it is also likely that the attacker only left it on servers to which they required maintenance of persistent access.

    It is important that all the deployments of this utility are identified and removed, as they are self-sufficient and they provide easy and open access to execute commands on the host, potentially with administrator privileges.

    Analysis of Artifact #2

    Artifact #2 was recovered from the Admin Controller operated by Die Linke. This is custom malware, which despite its large file size (1.1 MB), provides limited functionality. Artifact #2 operates as a backchannel for the attacker to maintain a foothold inside the compromised network. The properties of the artifact show that the authors of the malware seem to have called it „Xtunnel“. As the name suggests, the artifact appears in fact to act as a tunnel for the attacker to remotely access the internal network and maintain persistence.

    After initialization, the artifact will attempt to establish a connection by creating a socket. In case of failure, it will sleep for three seconds and try again. The authors of the malware didn’t appear to have spent any effort in concealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in clear-text inside the binary. We can observe below, the procedure through which the artifact attempts to establish a connection with the IP address „176.31.112.10“:

    This specific IP address is a critical piece of information that enables us to connect this attack to a spree of previous targeted campaigns. The details of this attribution is explained in a dedicated section below. We will refer to this IP address as „Command & Control“ (or „C&C“).

    The artifact is able to receive multiple arguments, including -Si, -Sp, -Up, -Pp, -Pi and -SSL. Following are the beaconing packets the artifact will send to Command & Control:

    -Si
    00000000 2a 00 00 00 *…
    00000004 b2 23 16 85 ee 59 52 a6 79 3a 2a e2 da 11 c0 1b .#…YR. y:*…..
    00000014 de 77 ea 47 35 11 de 8a 76 1a ee 16 d9 fd 28 0d .w.G5… v…..(.

    -Sp
    00000000 22 00 00 00 "…
    00000004 90 ac c6 39 09 b6 23 72 9d 36 a6 3b 2e b7 02 ce …9..#r .6.;….
    00000014 dd 09 d4 e4 d3 e6 01 5f 6a 37 b2 39 01 b4 0a af ……._ j7.9….

    -Up
    00000000 07 00 00 00 ….
    00000004 7e e2 82 05 74 be 3f 9b 8e 6a dc 5c d1 fe 85 f7 ~…t.?. .j…..
    00000014 5f 33 26 6e 5e 62 c1 0e c0 da a3 b3 6c f9 ca 88 _3&n^b.. ….l…

    If the argument -SSL is given through command-line to the artifact, these beacons will be encapsulated in an SSL connection and a proper TLS handshake will be initiated with the C&C.

    Interestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually large size of the binary. More importantly, the Command & Control server (176.31.112.10) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability.

    Attribution

    While attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of such attribution, previous work by security vendor FireEye suggests the group might be of Russian origin, however no evidence allows to tie the attacks to governments of any particular country.

    ———-

    “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag” by Claudio Guarnieri (guest contribution); Netzpolitik.org; 06/19/2015

    “Interestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually large size of the binary. More importantly, the Command & Control server (176.31.112.10) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability.”

    Yep, while it may have been unlikely in June of 2015, when this analysis was published, that the command and control server at the 176.31.112.10 IP address had been subject to a third-party attack (and therefore was not actually being used by the Sofacy/APT28 group assumed to control it, but by someone else), it’s hard to say that it would have been unlikely after this vulnerability was published. Wouldn’t it be likely at that point? And the DNC hacks are presumed to have started shortly after this…with the same IP address hard coded into the DNC hack malware.
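    The indicators in Guarnieri’s report (the „ahexec“ pipe, the two file hashes, the clear-text C&C address and the bundled OpenSSL 1.0.1e) are concrete enough to turn into a triage check. The script below is an added example written for this page, not the signature the report itself shipped. The indicator values are copied from the report; the OpenSSL banner pattern, the argument-string heuristic and the sample byte strings are assumptions and constructed test data, not real binaries.

```python
"""
Triage check built from the indicators in Guarnieri's Bundestag report:
Winexe (Artifact #1, named pipe "ahexec") and Xtunnel (Artifact #2,
clear-text C&C 176.31.112.10, bundled OpenSSL 1.0.1e).
Added example; the functions and sample bytes are not from the report.
"""
from __future__ import annotations

import hashlib
import os
import re
import sys

# --- Indicators copied from the report ----------------------------------
KNOWN_SHA256 = {
    "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d":
        "Artifact #1: winexesvc.exe (Winexe service)",
    "730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a":
        "Artifact #2: svchost.exe.exe (Xtunnel)",
}
C2_ADDRESS = b"176.31.112.10"      # hard-coded in Artifact #2 in clear text
WINEXE_PIPE = "ahexec"             # pipe name the Winexe service listens on
XTUNNEL_ARGS = [b"-Si", b"-Sp", b"-Up", b"-Pp", b"-Pi", b"-SSL"]

# --- Assumptions (not from the report) ----------------------------------
# A statically linked OpenSSL carries its version banner as a string, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013". Releases 1.0.1 through 1.0.1f are the
# Heartbleed (CVE-2014-0160) affected series.
OPENSSL_BANNER = re.compile(rb"OpenSSL (1\.\d+\.\d+[a-z]?)\s+\d{1,2} \w{3} \d{4}")
HEARTBLEED_AFFECTED = {"1.0.1"} | {f"1.0.1{c}" for c in "abcdef"}


def triage_bytes(data: bytes) -> list[str]:
    """Return the indicator hits for one file's contents (empty = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_SHA256:
        hits.append(f"sha256 match: {KNOWN_SHA256[digest]}")
    if C2_ADDRESS in data:
        hits.append("clear-text C&C address 176.31.112.10 present")
    # NUL-terminated option strings as they would sit in an unobfuscated image
    present = [a.decode() for a in XTUNNEL_ARGS if a + b"\x00" in data]
    if len(present) >= 3:
        hits.append("Xtunnel-style argument strings: " + " ".join(present))
    m = OPENSSL_BANNER.search(data)
    if m:
        version = m.group(1).decode()
        note = f"statically linked OpenSSL {version}"
        if version in HEARTBLEED_AFFECTED:
            note += " (Heartbleed-affected release)"
        hits.append(note)
    return hits


def triage_pipes(pipe_names) -> list[str]:
    """Return the names in an enumerated pipe list that match the Winexe pipe."""
    return [name for name in pipe_names if name.lower() == WINEXE_PIPE]


def local_pipe_names() -> list[str]:
    """Enumerate named pipes on a Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


# Constructed samples: not real binaries, just the strings the report
# describes, laid out the way they appear in an unobfuscated PE image.
SAMPLE_XTUNNEL_LIKE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\x00".join(XTUNNEL_ARGS) + b"\x00"
    + C2_ADDRESS + b"\x00"
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"Hello from a harmless program\x00"

if __name__ == "__main__":
    for label, blob in (("xtunnel-like", SAMPLE_XTUNNEL_LIKE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_bytes(blob) or "clean")
    print("winexe pipes:", triage_pipes(local_pipe_names() or ["lsass", "ahexec", "srvsvc"]))
```

    The hash table only catches the two exact files from the report, which is why the string checks matter: a recompiled Xtunnel keeps its option names and its C&C address, and the OpenSSL banner tells you which release was linked in. On a live host, feed `triage_pipes(local_pipe_names())` the real pipe list and run `triage_bytes` over the bytes of any service binary you cannot account for.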

    It’s also important to recall that there was a later “hack” of the Bundestag committee that was investigating the NSA/Snowden affair, which was initially treated as an outside hack but was quietly acknowledged to have likely been the work of an inside leaker. But the 2015 intrusion described in the report above does appear to have been an actual Bundestag hack.
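    The report’s remark that the 176.31.112.10 server was Heartbleed-vulnerable is the kind of claim a practitioner would verify rather than take on faith. The block below is an added example, not code from the report: it models the standard Heartbleed (CVE-2014-0160) check offline, building the malformed heartbeat record a probe sends and classifying what comes back. Every “server response” in it is constructed for illustration, and a real probe would additionally need a TCP socket and a ClientHello advertising the heartbeat extension before sending the record.

```python
"""
Offline model of the Heartbleed (CVE-2014-0160) check behind the report's
remark that the Xtunnel C&C server ran a vulnerable OpenSSL. Added example:
the request builder and response classifier are not from the report, and
every "server response" below is constructed, not captured.
"""
import re
import struct

TLS_ALERT, TLS_HEARTBEAT = 0x15, 0x18
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
HB_PADDING = 16  # RFC 6520 minimum padding a responder appends


def build_heartbeat_request(claimed_len: int = 0x4000, payload: bytes = b"",
                            version=(3, 2)) -> bytes:
    """TLS heartbeat record whose declared payload_length may exceed the
    payload actually carried. RFC 6520 says a peer must silently discard
    such a message; OpenSSL 1.0.1 through 1.0.1f echoed claimed_len bytes
    of process memory instead, which is the Heartbleed bug."""
    body = bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload
    return bytes([TLS_HEARTBEAT, *version]) + struct.pack(">H", len(body)) + body


def parse_records(buf: bytes):
    """Split raw bytes into (content_type, version, fragment) TLS records."""
    records, off = [], 0
    while off + 5 <= len(buf):
        ctype, major, minor, length = struct.unpack(">BBBH", buf[off:off + 5])
        frag = buf[off + 5:off + 5 + length]
        if len(frag) < length:
            break  # truncated record: stop rather than mis-parse
        records.append((ctype, (major, minor), frag))
        off += 5 + length
    return records


def classify_response(response: bytes, sent_payload_len: int = 0):
    """Return (verdict, leaked_bytes). A server is only 'vulnerable' when it
    hands back more heartbeat payload than the client actually sent."""
    for ctype, _version, frag in parse_records(response):
        if ctype == TLS_ALERT:
            return "not_vulnerable", b""
        if ctype == TLS_HEARTBEAT and frag and frag[0] == HB_RESPONSE:
            declared = struct.unpack(">H", frag[1:3])[0]
            payload = frag[3:3 + declared]
            if len(payload) > sent_payload_len:
                return "vulnerable", payload[sent_payload_len:]
            return "not_vulnerable", b""
    return "no_response", b""


def printable_runs(data: bytes, min_len: int = 6):
    """Pull readable strings out of leaked memory, the way an analyst looks
    for cookies, keys or credentials in a Heartbleed dump."""
    return [run.decode("ascii") for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def _heartbeat_response(payload: bytes, version=(3, 2)) -> bytes:
    """Build the record a server sends back; used only for the samples."""
    body = bytes([HB_RESPONSE]) + struct.pack(">H", len(payload)) + payload + b"\x00" * HB_PADDING
    return bytes([TLS_HEARTBEAT, *version]) + struct.pack(">H", len(body)) + body


# Constructed samples (illustrative, not captured traffic).
LEAKED_MEMORY = (b"\x00" * 48 + b"Cookie: session=abc123; admin=1\r\n").ljust(0x4000, b"\x00")
VULNERABLE_RESPONSE = _heartbeat_response(LEAKED_MEMORY)   # echoes 16 KiB of memory
PATCHED_ALERT = bytes([TLS_ALERT, 3, 2, 0, 2, 2, 10])        # fatal unexpected_message
BOUNDED_RESPONSE = _heartbeat_response(b"ping")               # well-formed echo of 4 bytes

if __name__ == "__main__":
    print("probe record:", build_heartbeat_request().hex())
    verdict, leak = classify_response(VULNERABLE_RESPONSE)
    print(verdict, len(leak), printable_runs(leak))
    print(classify_response(PATCHED_ALERT)[0], classify_response(BOUNDED_RESPONSE, 4)[0],
          classify_response(b"")[0])
```

    The classifier deliberately keys on the gap between what was sent and what came back rather than on the presence of a heartbeat reply, since a patched server may answer a well-formed heartbeat (bounded echo) or send a fatal alert, and neither is evidence of the bug. Note what a positive result would have meant for the report’s server: anyone on the internet could have pulled 16 KiB of its process memory per request, which is the basis of Emory’s point that the C&C could have been taken over by a third party.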

    Still, even if whoever did the DNC hack really was a third-party hacker who took control of that command and control server after it was revealed to the world that this was an option, it’s still the case that the world hadn’t yet officially attributed APT28/Sofacy/Fancy Bear to the Russian government. That happened in May of 2016, when the German government officially declared APT28/Sofacy/Fancy Bear to be a Russian government operation:

    SCMagazineUK.com

    German Intelligence blames Russia for Parliament hack

    Germany’s domestic intelligence agency has pointed the official finger at the Russian state for the 2015 attacks on the Bundestag, the German Parliament

    by Max Metzger
    May 16, 2016

    Germany’s chief internal intelligence agency has blamed the Russian state for an attack on the German parliament.

    The Bundesamt für Verfassungsschutz (BfV), which oversees domestic security, has pointed the finger of blame at PawnStorm, an infamous APT group believed to work directly for the Russian state.

    The accusations were laid out by Hans Georg Massen, director of the BfV who said that PawnStorm is directed by the Russian state. The 2015 hacks on the German parliament and other German institutions, added Massen, were carried out in order to gather intelligence.

    However, he also told the press agency AFP that “Russian secret services have also shown a readiness to carry out sabotage.”

    The group’s six month assault on the German parliament is one of its most famous. Revealed in May last year, PawnStorm attempted to deploy malware on government servers that would have given the attackers a permanent backdoor into the parliament. All 20,000 accounts that resided on the system were believed to be compromised, including those of Germany’s foremost lawmakers.

    PawnStorm has been engaged in attacks against a variety of German institutions including critical infrastructure and, as was revealed earlier this month, the ruling Christian Democratic Union party.

    Open accusations are rare when it comes to cyber-security, even more so when it comes to espionage and intelligence. This rare moment of candour may confirm the suspicions of many in the cyber-security and intelligence community who believe that Russia uses powerful hacker proxies to further its geopolitical objectives.

    Cyber-security company Bitdefender made similar sounds late last year. The company released a report which all but labelled the Russian government the sponsors of PawnStorm.

    The prolific APT group is known by many names. In other instances it’s been called Sofacy, Fancy Bear or APT 28. PawnStorm, one of its more popular monikers, comes from the chess strategy wherein pawns are rapidly deployed against an opponent.

    Believed to be formed in 2004, the group’s fingerprints have been seen in the electronic crime scenes of plenty of high-level attacks. Late last year, the group attacked NATO and the White House while pretending to be the privacy advocacy group the Electronic Frontier Foundation.

    False flag tactics seem to be a favourite for this group, perhaps because Pawn Storm is so widely believed to be a proxy of the Russian state, attacking the enemies of Putin such as the embattled Syrian opposition.

    Much like the historical relationship Britain has had with pirates or privateers, the Russian state may want to strike at its enemies, but without the repercussions of an open operation said Ewan Lawson, a fellow at the Royal United Services Institute and expert in cyber-warfare.

    Germany’s response, Lawson told SCMagazineUK.com, shows “the Germans are clearly losing patience”.

However, added Lawson, “Arguably the whole point of this approach is proving the link between APT 28 and the Russian state and even further with Putin’s inner circle. As such, I think the Russians will smile knowingly but it won’t lead to any escalation at this stage. The bigger significance is the growing public conversation about the state/non-state nexus.”

    ———-

    “German Intelligence blames Russia for Parliament hack” by Max Metzger; SCMagazineUK.com; 05/16/2017

    “The Bundesamt für Verfassungsschutz (BfV), which oversees domestic security, has pointed the finger of blame at PawnStorm, an infamous APT group believed to work directly for the Russian state.”

    As of May of 2016, it was “official” that APT28/Fancy Bear was a Russian government operation. Which means anyone who may have commandeered that vulnerable command and control server to carry out the DNC hack would obviously want to make it look like they were Russians if they were going to create a public persona.

    While this might seem like getting deep into the weeds, these are important details to point out because if the Trump campaign, or a non-Russian government affiliate, was indeed behind the DNC hacks, you wouldn’t necessarily expect them to frame the Russian government given the Trump family’s long history with Russia. But it would make A LOT of sense to frame Russia if your hacker commandeered a server that was pinned on Russia by the German government.

On a related note, you also have to wonder if the German government is the unnamed government that provided the “critical technical evidence” the US intelligence agencies used to conclude it was Russian hackers? Being the first government to publicly finger Russia after ostensibly the same hackers hacked the Bundestag the year before certainly suggests it could be Germany. Given all the problems with that technical analysis it might explain why the NSA expressed reservations about their conclusions.

    Anyway, that’s all part of why whoever carried out the DNC hacks had a strong incentive to make it look like it was the Russian government behind it if indeed it was carried out by non-Russian government hackers. And this was the case as of May of 2016 when the German government formally charged the Russian government, but even still before then since so many cybersecurity analysts were long-suspecting the Russian state of being behind APT28/Fancy Bear.

    So when Rob Goldstone sent that amazingly conspicuous June 3rd email saying the Russian government wants to help the Trump campaign, if the Trump campaign was sitting on a bunch of hacked emails and trying to determine what they were going to do with them, you have to wonder if that was the point when they may have decided to create a ‘Romanian’ (but very Russian-seeming) “Guccifer 2.0” persona, fill the documents with more Russian “fingerprints”, and just dump everything on the internet.

    Posted by Pterrafractyl | July 15, 2017, 6:11 pm
  4. @Pterrafractyl–

    In the “Russia-gate” counter-intelligence deception, it is important to remember that Rob Goldstone is a Rupert Murdoch protege.

    Donald Trump, Jr. is also an “Alt-right” patron, as we have seen in FTR #927. http://spitfirelist.com/for-the-record/ftr-927-the-trumpenkampfverbande-part-6-locker-room-eclipse/

    Roger Stone, BTW, was guided into political waters by Roy Cohn, the Joe McCarthy protege. https://consortiumnews.com/2016/06/19/how-roy-cohn-helped-rupert-murdoch-2/

“. . . . However, in the years before he died, Cohn gained some measure of revenge against his liberal enemies by helping to elect Ronald Reagan. Roger Stone, another Cohn associate, has asserted that at Cohn’s initiative he delivered an apparent bribe to a leader of New York’s Liberal Party in 1980 to arrange the endorsement of independent candidate John Anderson, who then siphoned off 7.5 percent of the vote and opened the way for Reagan to carry New York against President Jimmy Carter. . . .”

    It was McCarthy who introduced Murdoch to Reagan and helped initiate the right-wing GOP media attack colossus. https://consortiumnews.com/2016/06/19/how-roy-cohn-helped-rupert-murdoch-2/

    Robert Parry also has an interesting piece on the “Kremlin” lawyer who figures in the DT, Jr. gambit.

    https://consortiumnews.com/2017/07/13/how-russia-gate-met-the-magnitsky-myth/

All of which is to say that, when the bells and whistles stop turning, one finds the far right and intelligence service–Felix Sater, Andrew Auernheimer and friends.

    Best,

    Dave

    Posted by Dave Emory | July 17, 2017, 4:52 pm
5. Here’s something to consider as destructive cyberbombs are being preemptively placed on networks as a form of cyber-WMDs and the US settles into a ‘Cold War’ modality with Russia: If any skilled hacker on the planet manages to hack a US nuclear power plant, that ‘cold war’ might heat up pretty fast whether Russia was behind it or not…especially if there’s a meltdown:

    E&E News

    ‘Who did it?’ zeroes in on Russian hacking

    Blake Sobczak,
    Energywire: Monday, July 10, 2017

    A sophisticated group of hackers has targeted U.S. nuclear plants in a wide-ranging hacking campaign since at least May, according to multiple U.S. authorities.

    The hackers tried to steal usernames and passwords in the hope of burrowing deep into nuclear power networks, in addition to other utility and manufacturing targets.

    But the Department of Homeland Security, the FBI, sources familiar with the ongoing investigation and nonpublic government alerts told E&E News that heavily guarded nuclear safety systems were left unscathed by any recent cyber intrusions. Experts say the evidence so far points to a remote threat that, while advanced, likely could not have leaped from corporate business networks to the critical but isolated computer networks keeping nuclear reactors operating safely.

    Still, the question that lingers is, who did it?

    Suspicion has fallen on hackers with ties to Russia, in part because of past intrusions into U.S. companies and for Russia-linked attacks on Ukraine’s power grid in 2015 and 2016.

    Ukrainian security services laid the blame for the grid hacks at Russian President Vladimir Putin’s feet. Several private U.S. cybersecurity companies have also drawn links between energy industry-focused hacking campaigns with names like “Energetic Bear” back to Russian intelligence services.

    The Washington Post reported Saturday that U.S. government officials have already pinned the recent nuclear cyber intrusions on Russia.

    Analysts remain quick to tamp down assertions that Russia’s fingerprint on the latest attack is a sure thing.

    Without mentioning any nation-state by name, former Energy Secretary Ernest Moniz noted on Twitter that “these ‘advanced persistent threats’ have long worried U.S. intelligence officials — and recent events prove they are very real.”

    Referencing reports of the recent nuclear cyber incidents, he added, “These breaches make plain that foreign actors are looking for ways to exploit US grid vulnerabilities. We saw this coming.”

    If U.S. intelligence agencies confirm Russian security services were involved in the attack on nuclear plants, tensions with Moscow could escalate. In a Twitter comment that attracted bipartisan ridicule, President Trump yesterday morning said that he and Putin had agreed to create an “impenetrable Cyber Security unit” to guard against hacking, only to apparently reverse his position hours later and suggest such an arrangement “can’t” happen.

    Sen. Maria Cantwell (D-Wash.), ranking member of the Senate Energy and Natural Resources Committee, reiterated her calls for the White House to assess energy-sector cyber vulnerabilities and abandon proposed budget cuts at the Department of Energy. “The disturbing reports of the past 24 hours indicate that our adversaries are trying to take advantage of the very real vulnerabilities of our energy infrastructure’s cyber defenses,” she said Friday.

    Drawing from the Ukraine playbook

    In 2015, a group of hackers set sights on several Ukrainian electric distribution companies. The intruders broke into the utilities’ business networks with “phishing” emails designed to lure employees into clicking on a document laced with malware.

    From there, the attackers mapped out their victims’ computer systems, even gaining access to the virtual private network utility workers used to remotely operate parts of Ukraine’s electric grid.

    On Dec. 23, 2015, after months of waiting and spying, the hackers struck, logging onto the operational network and flipping circuit breakers at electric substations. They succeeded in cutting power to several hundred thousand Ukrainian citizens for a few hours in what became the first known cyberattack on a power grid in the world.

    At first glance, the latest nuclear hackers appear to have drawn from the same playbook.

    They used a “fairly creative” phishing email to gain a foothold on targeted networks, according to Craig Williams, senior technical leader and global outreach manager for Cisco Talos, a cybersecurity research division of Cisco Systems Inc.

    Instead of stowing malware in the Word document itself, the hackers tweaked a control engineer’s résumé into beaconing out to a malicious server via a Microsoft communications protocol called Server Message Block. The cyber intruders could then swipe fragments of SMB traffic containing the victims’ login information to set up an authorized connection to the targeted network and move on from there, Williams explained.

    The technique points to “attackers who are dedicated and who’ve done their research,” he noted.

    While Williams said Cisco had detected a variety of energy companies hit by the phishing emails, he pointed out that “the nuclear sector is extremely hardened.”

    Getting blocked

    Nuclear power plant operators have to abide by their own set of cybersecurity rules established by the Nuclear Regulatory Commission. Following its most recent cybersecurity audits in 2015, the NRC reported “several very low security significance violations of cyber security plan requirements.”

    None of those violations could have resulted in an imminent threat to nuclear safety, the regulator said.

    The NRC plans to ramp up cybersecurity inspections later this year. The agency has declined to comment on reports of the recent cyber breaches at nuclear power generation sites.

    Nuclear power companies have had to account for the possibility of a cyberattack on their safety systems since 2002, according to NRC guidance.

    Electric utilities typically adhere to a three-step model for protecting their most sensitive systems from hackers. At a basic level, this setup involves an information technology network — such as a utility’s internet-connected corporate headquarters — and an operational network that includes grid control systems. Companies typically add a third layer or “demilitarized zone” bridging those two sides of the business, replete with firewalls, cybersecurity technologies and other safeguards.

    Nuclear operators add at least two more layers to that model, drawing lines among the public internet, the corporate network, onsite local area networks, industrial “data acquisition” networks and, finally, the core safety system overseeing radioactive materials, based on government guidelines.

    In the U.S., safety systems are often still “analogue,” having originally been built in the 1980s or earlier, before the recent spread of web-connected technologies.

    Within that last, critical zone — Level 4 in nuclear industry parlance — tight physical controls prevent phones and USB drives from getting in; and operational data is designed to flow only outward through “data diodes,” with no potential for online commands to enter from the public internet or even the site’s own local area network.

    “Anybody ever reports that somebody got a connection from the internet directly or indirectly into the heart of a nuclear control system is either full of crap, or is revealing a massive problem with some particular site, because there should be physically no way for that to actually be possible,” said Andrew Ginter, vice president of Waterfall Security Solutions, which markets one such “unidirectional gateway” or data diode to the U.S. nuclear sector. “To me, it’s almost inconceivable.”

    Marty Edwards, managing director of the Automation Federation, who until last month headed a team of industrial control security specialists at DHS, generally agreed that a remote connection would be nearly impossible to achieve. “When we tested those kinds of [one-way] devices in the lab, we found that you couldn’t circumvent any of them, basically, because they’re physics-based,” he said. “There’s no way to manipulate that stream.”

    One source familiar with nuclear information technology practices, who agreed to speak about security matters on condition of anonymity, said that “in order to have a catastrophic impact, you have to get by the human in the control room” — no easy feat. “You’re talking workers who are regularly screened for insider [threat] indicators and psychological stability.”

    Still, the source said a well-resourced attacker could try sneaking in thumb drives, planting an insider or even landing a drone equipped with wireless attack technology into a nuclear generation site. Reports indicate that the infamous Stuxnet worm, which damaged Iranian nuclear centrifuges in the late 2000s, probably snuck in on removable media. Once inside the “air gapped” target network, Stuxnet relied on its own hard-coded instructions, rather than any remote commands sent in through the internet, to cause costly and sensitive nuclear equipment to spin out of control.

    But the source, who had reviewed recent DHS and FBI warnings about recent nuclear cyberthreats, added that there was no indication the actor behind it got close to nuclear operators’ crown jewels.

    “To get around the data diodes and all the other defenses, it’d be unprecedented at this point,” at least from a U.S. perspective, said the source.

    Would it even be possible?

    “Maybe if you’re Vladimir Putin,” the source said.

    ———-

    “‘Who did it?’ zeroes in on Russian hacking” by Blake Sobczak; E&E News; 07/10/2017

“The Washington Post reported Saturday that U.S. government officials have already pinned the recent nuclear cyber intrusions on Russia.”

    As we should expect, the successful phishing campaign against nuclear plant employees has already been attributed to Russia. And, who knows, maybe it really was Russian government sponsored hackers, possibly in response to the reports about the US planting of ‘cyberbombs’ on Russian networks in retaliation for the 2016 US election hacks blamed on Russia. But, of course, maybe it wasn’t Russian:


    Analysts remain quick to tamp down assertions that Russia’s fingerprint on the latest attack is a sure thing.

    Still, it’s a pretty alarming situation regardless of who was behind it, in part because it’s an example of how potentially vulnerable things like nuclear plants are to any hacker, state-backed or not:


    Still, the source said a well-resourced attacker could try sneaking in thumb drives, planting an insider or even landing a drone equipped with wireless attack technology into a nuclear generation site. Reports indicate that the infamous Stuxnet worm, which damaged Iranian nuclear centrifuges in the late 2000s, probably snuck in on removable media. Once inside the “air gapped” target network, Stuxnet relied on its own hard-coded instructions, rather than any remote commands sent in through the internet, to cause costly and sensitive nuclear equipment to spin out of control.

And as we’re going to see with the very strange case of Devon Arthurs – a neo-Nazi-turned-Muslim who murdered two of his neo-Nazi roommates back in May – and Brandon Russell – Arthurs’s third roommate who was found possessing bomb-making materials, radioactive substances and a framed picture of Timothy McVeigh after police searched their residence – if we’re looking for a group that’s likely to actually try to cause a nuclear meltdown and all the death and destruction that goes along with it, it’s probably not the Russian government we have to worry about:

    Tampa Bay Times

    National Guard ‘neo-Nazi’ aimed to hit Miami nuclear plant, roommate says

    Dan Sullivan, Times Staff Writer
    Tuesday, June 13, 2017 4:20pm

    TAMPA — Brandon Russell, a National Guardsman and self-described neo-Nazi, had plans to blow up power lines in the Florida Everglades and launch explosives into a nuclear power plant near Miami, his roommate Devon Arthurs told police.

    Prosecutors on Tuesday played portions of a recorded interrogation Arthurs gave in the hours immediately after he was arrested in the killings of Jeremy Himmelman and Andrew Oneschuk. In the video, Arthurs offers a justification for the killings, claiming that Russell, the surviving roommate, was preparing to commit acts of terrorism.

    “The things they were planning were horrible,” Arthurs said. “These people were not good people.”

    The U.S. Attorney’s Office presented the video excerpts in an effort to get U.S. Magistrate Judge Thomas B. McCoun III to revoke an order granting Russell bail, arguing that he poses a danger to the community.

    Late Tuesday, the judge stayed the order. Russell will remain jailed while the judge reconsiders the issue.

    Russell, 21, faces explosives charges after bombmaking materials were found at his Tampa Palms apartment May 19 during the murder investigation. Arthurs, separately, has been charged with two counts of first-degree murder in state court.

    In the video, Arthurs sits beside a table in a white-walled interrogation room, his right leg resting over his left knee. He gestures with both hands as he casually describes Russell’s neo-Nazi beliefs and supposed plans to commit terrorist acts.

    He said Russell studied how to build nuclear weapons in school and is “somebody that literally has knowledge of how to build a nuclear bomb.”

    When a Tampa police detective asked Arthurs if his friends had any specific terrorist intentions, he said they had a plan to blow up power lines along Alligator Alley, the stretch of Interstate 75 linking Naples with Fort Lauderdale.

    He also said they had a plan to fire mortars loaded with nuclear material into the cooling units of a nuclear power plant near Miami.

    He said the damage would cause “a massive reactor failure” and spread “irradiated water” throughout the ocean.

    “Think about a BP oil spill, except it wipes out parts of the eastern seaboard,” Arthurs said.

    The detective asked why they wanted to do these things.

    “Because they wanted to build a Fourth Reich,” Arthurs said. He said Russell idolized Oklahoma City bomber Timothy McVeigh.

    “He said the only thing McVeigh did wrong was he didn’t put enough material into the truck to bring the whole building down.”

    Assistant U.S. Attorney Josephine Thomas noted during the hearing that the Turkey Point Nuclear Generating Station is near Miami. She also noted that when bomb squad members arrived at Russell’s apartment, their pagers alerted them to the presence of “two radiation sources.” The criminal complaint says those were thorium and americium, both radioactive metals.

    Russell’s defense attorney, Ian Goldstein, noted that authorities have not charged him with possession of nuclear materials.

    Goldstein questioned Arthurs’ credibility.

    “Devon Arthurs is a person who just murdered two individuals, who is desperate to save himself, and, quite frankly, I think he is a few cards short of a full deck,” Goldstein said. “I hope the government brings Mr. Arthurs to the trial as their prime witness. He’s insane.”

    Arthurs, according to court records, admitted to the killings, saying Himmelman and Oneschuk had disrespected his conversion to Islam.

    “I was like, ‘How could I have done this?’ ” he said in the video played Tuesday. “If I hadn’t done that, there would be a lot more people dead than just these two guys in this organization.”

    ———-

    “National Guard ‘neo-Nazi’ aimed to hit Miami nuclear plant, roommate says” by Dan Sullivan; Tampa Bay Times; 06/13/2017

“He said Russell studied how to build nuclear weapons in school and is ‘somebody that literally has knowledge of how to build a nuclear bomb.’”

A neo-Nazi that literally has knowledge of how to build a nuclear bomb. That’s how Devon Arthurs, a neo-Nazi-turned-Muslim who killed two of his neo-Nazi roommates, characterized Brandon Russell. But Russell’s nuclear interests were limited to building bombs according to Arthurs. He also wanted to fire nuclear-tipped mortars at Miami’s nuclear power plant to create a mass disaster…as part of a plan to create a Fourth Reich:


    When a Tampa police detective asked Arthurs if his friends had any specific terrorist intentions, he said they had a plan to blow up power lines along Alligator Alley, the stretch of Interstate 75 linking Naples with Fort Lauderdale.

    He also said they had a plan to fire mortars loaded with nuclear material into the cooling units of a nuclear power plant near Miami.

    He said the damage would cause “a massive reactor failure” and spread “irradiated water” throughout the ocean.

    “Think about a BP oil spill, except it wipes out parts of the eastern seaboard,” Arthurs said.

    The detective asked why they wanted to do these things.

    “Because they wanted to build a Fourth Reich,” Arthurs said. He said Russell idolized Oklahoma City bomber Timothy McVeigh.

And Arthurs claimed to police that it was these terrorist plots that, in part, prompted him to kill his roommates (although not Russell):


    Arthurs, according to court records, admitted to the killings, saying Himmelman and Oneschuk had disrespected his conversion to Islam.

    “I was like, ‘How could I have done this?’ ” he said in the video played Tuesday. “If I hadn’t done that, there would be a lot more people dead than just these two guys in this organization.”

Also note that while the judge initially released Russell, saying there wasn’t evidence to back Arthurs’s claims, he reversed that ruling a day later.

So was Devon Arthurs just making stuff up to the police, or is there some truth to the claims? Well, finding explosive and radioactive materials certainly lends some credibility to them:


    Assistant U.S. Attorney Josephine Thomas noted during the hearing that the Turkey Point Nuclear Generating Station is near Miami. She also noted that when bomb squad members arrived at Russell’s apartment, their pagers alerted them to the presence of “two radiation sources.” The criminal complaint says those were thorium and americium, both radioactive metals.

Well, as the following article notes, the apartment these four neo-Nazis shared included a framed picture of Timothy McVeigh, enough explosives to create a bomb, and Russell himself admitted to belonging to a group called Atomwaffen, which is German for “atomic weapon”.

On the other hand, Russell, and the rest of Atomwaffen, got quite a testimony about their good character…from Andrew “the weev” Auernheimer. Yes, Auernheimer, who happens to be the kind of skilled hacker who actually might have the ability to trigger a nuclear meltdown someday, wrote about the whole incident on The Daily Stormer. According to Auernheimer, the two killed roommates were “friends of friends” and the “Atomwaffen are a bunch of good dudes. They’ve posted tons of fliers with absolutely killer graphics at tons of universities over the years. They generally have a lot of fun and party”:

    Associated Press

    Neo-Nazi-turned-Muslim kills roommates over ‘disrespect,’ police say

    By JASON DEAREN and MICHAEL KUNZELMAN
    May 22, 2017 at 6:43 pm

    A man told police he killed his two roommates because they were neo-Nazis who disrespected his recent conversion to Islam, and investigators found bomb-making materials and Nazi propaganda after he led them to the bodies.

    Devon Arthurs, 18, told police he had until recently shared his roommates’ neo-Nazi beliefs, but that he converted to Islam, according to court documents and a statement the Tampa Police Department released Monday.

    In the apartment with the victims’ bodies on Friday, investigators found Nazi and white supremacist propaganda; a framed picture of Oklahoma City bomber Timothy McVeigh; and explosives and radioactive substances, according to the court documents.

    They also found a fourth roommate, Brandon Russell, crying and standing outside the apartment’s front door in his U.S. Army uniform.

    “That’s my roommate (Russell). He doesn’t know what’s going on and just found them like you guys did,” Arthurs told the police officers, according to the report.

    Federal agents arrested Russell, 21, on Saturday on charges related to the explosives.

    The FBI said Russell “admitted to his neo-Nazi beliefs” and said he was a member of a group called Atomwaffen, which is German for “atomic weapon.”

    Major Caitlin Brown, spokeswoman for the Florida National Guard, confirmed Russell was a current member of the Florida National Guard. But she couldn’t immediately provide any other information.

    Arthurs started the chain of events on Friday when he held two customers and an employee hostage at gunpoint at a Tampa smoke shop, police said. He was complaining about the treatment of Muslims.

    “He further informed all three victims that he was upset due to America bombing his Muslim countries,” police Detective Kenneth Nightlinger wrote in his report.

    Officers talked Arthurs into letting the hostages go and dropping his weapon, and took him into custody.

    While in custody, police said Arthurs started talking about killing two people, and then he directed them to a condominium complex where the four roommates shared an apartment.

    “I had to do it,” Arthurs told police. “This wouldn’t have had to happen if your country didn’t bomb my country.”

    Inside the apartment, the officers found the bodies of 22-year-old Jeremy Himmelman and 18-year-old Andrew Oneschuk. Both had been shot.

    Police called in the FBI and a bomb squad, which found enough explosives to constitute a bomb, according to federal agents.

    At first, Russell told agents he kept the explosives from his days in an engineering club at the University of South Florida in 2013, and that he used the substances to boost homemade rockets. The agents wrote that the substance found was “too energetic and volatile for these types of uses.”

    Russell has been charged with possession of an unregistered destructive device and unlawful storage of explosive material. Court records did not list an attorney for him.

    Andrew Auernheimer, a notorious computer hacker and internet troll, wrote a post about the killings for The Daily Stormer, a leading neo-Nazi website.

    Auernheimer, known online as “weev,” said in Sunday’s post that he knew the shooting suspect and both of the shooting victims. He said he banned Arthurs from The Daily Stormer’s Discord server, an online forum, for posting “Muslim terrorist propaganda” earlier this year.

    “He came in to convert people to Islam,” Auernheimer said during a telephone interview Monday. “It didn’t work out very well for him.”

    Auernheimer described Himmelman and Oneschuk as “friends of friends” and said they belonged to the Atomwaffen group.

    “Atomwaffen are a bunch of good dudes. They’ve posted tons of fliers with absolutely killer graphics at tons of universities over the years. They generally have a lot of fun and party,” he wrote.

    ———-

    “Neo-Nazi-turned-Muslim kills roommates over ‘disrespect,’ police say” by JASON DEAREN and MICHAEL KUNZELMAN; Associated Press; 05/22/2017

    “In the apartment with the victims’ bodies on Friday, investigators found Nazi and white supremacist propaganda; a framed picture of Oklahoma City bomber Timothy McVeigh; and explosives and radioactive substances, according to the court documents.”

That sure sounds like the kind of stuff one would find in the apartment of someone with horrible plans. But according to neo-Nazi elite-hacker Andrew Auernheimer, the only problem in this situation was Arthurs posting “Muslim terrorist propaganda” on the Daily Stormer’s forums. Otherwise these Atomwaffen guys were great!


    Andrew Auernheimer, a notorious computer hacker and internet troll, wrote a post about the killings for The Daily Stormer, a leading neo-Nazi website.

    Auernheimer, known online as “weev,” said in Sunday’s post that he knew the shooting suspect and both of the shooting victims. He said he banned Arthurs from The Daily Stormer’s Discord server, an online forum, for posting “Muslim terrorist propaganda” earlier this year.

    “He came in to convert people to Islam,” Auernheimer said during a telephone interview Monday. “It didn’t work out very well for him.”

    Auernheimer described Himmelman and Oneschuk as “friends of friends” and said they belonged to the Atomwaffen group.

    “Atomwaffen are a bunch of good dudes. They’ve posted tons of fliers with absolutely killer graphics at tons of universities over the years. They generally have a lot of fun and party,” he wrote.

And don’t forget, if any neo-Nazi hacker is capable of successfully taking down a nuclear plant, perhaps as part of a larger coordinated neo-Nazi attack or just on his own, it’s Auernheimer.

    And in case it’s not obvious that Auernheimer shares in the McVeigh worship, it should be obvious now that he recently proposed crowd-funding a McVeigh monument:

    The Southern Poverty Law Center

    McVeigh Worship: The New Extremist Trend

    Bill Morlin
    June 27, 2017

    In extremist circles, there appears to be a bump of interest in Timothy James McVeigh.

    Yes, that Timothy McVeigh. The guy who used a Ryder truck to bomb the Alfred P. Murrah Federal Building in Oklahoma City on April 19, 1995, killing 168 innocent children and adults and wounding more than 600 others.

    His act 22 years ago, for those who may have forgotten, was the deadliest terrorist attack in the United States before the attacks of Sept. 11, 2001.

    McVeigh was convicted of terrorism and executed just three months before those attacks.

    His name and heinous crime are not forgotten, nor should they be, while there seems to be a growing admiration for McVeigh in some extremist circles. One militia honcho even likened McVeigh to Jesus Christ.

    Check out these recent mentions of McVeigh:

    In mid-May, police in Tampa, Florida, responded to the scene of a double-murder involving young, self-described neo-Nazis.

    Brandon Russell, who shared the apartment with the murder suspect, was charged with possession of bomb-making materials and chemicals, including ammonium nitrate – the same kind of material used by McVeigh.

    In Russell’s bedroom at the apartment he shared with the murder suspect and the two slain neo-Nazis, police found a framed photograph of Timothy McVeigh. Russell, who’s in custody, hasn’t publicly explained that fascination.

    More recently, neo-Nazi Andrew ‘Weev’ Auernheimer, who writes for the racist web site “Daily Stormer,” said he was serious in proposing a crowd-funding account to raise money to build a “permanent monument” in a memorial grove honoring McVeigh.

    “Think of it, a gigantic bronze statue of Timothy McVeigh poised triumphantly atop a Ryder truck, arms raised as if to form an Algiz rune from his body, with a plaque that states the honest truth,” Auernheimer wrote. “Nothing would be a greater insult to these pizza-party guarding federal swine than a permanent monument honoring [McVeigh’s] journey to Valhalla or Fólkvangr atop the piles of their corpses.”

    “I am not joking,” Auernheimer wrote. “This should be done. Imagine how angry it would make people.”

    ———-

    “McVeigh Worship: The New Extremist Trend” by Bill Morlin; The Southern Poverty Law Center; 06/27/2017

    “More recently, neo-Nazi Andrew ‘Weev’ Auernheimer, who writes for the racist web site “Daily Stormer,” said he was serious in proposing a crowd-funding account to raise money to build a “permanent monument” in a memorial grove honoring McVeigh.

    So, yes, while it seems very unlikely that the Russian government would resort to triggering nuclear meltdowns given the extreme retaliation that would follow, there’s no shortage of groups that just might be willing to trigger a meltdown and just might have the capacity to do so. Whether it’s a hack attack from someone like “the weev” or just a friend of the weev who happens to be a good shot with high-explosive mortars.

    Posted by Pterrafractyl | July 18, 2017, 4:14 pm
  6. Is it possible that the “Command & control” server used in the DNC server hacks was not only hacked and under 3rd party control during the 2015-2016 DNC hack but also the 2015 Bundestag hack? As we’re going to see, it’s possible.

    First, here’s something to keep in mind regarding the German government’s public attribution in mid-May of 2016 that APT28/Fancy Bear is a Russian government hacking group and was responsible for 2015 Bundestag hack: As security analyst Jeffrey Carr notes in the piece below, when Germany’s domestic intelligence agency, the BfV, issued a report in January of 2016 that attributed both APT28 and APT29 to the Russian government, the report didn’t appear to reference any classified information. The conclusions appeared to be based on exactly the same kind of technical ‘clues’ that were used for attribution in the 2016 DNC hacks. And as Carr also points out, relying on those technical ‘clues’ is a rather clueless way to go about attribution:

    Medium

    Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011)

    Jeffrey Carr
    Jul 27, 2016

    Yesterday, Professor Thomas Rid (Kings College London) published his narrative of the DNC breach and strongly condemned the lack of action by the U.S. government against Russia.

    Susan Hennessey, a Harvard-educated lawyer who used to work at the Office of the General Counsel at NSA called the evidence “about as close to a smoking gun as can be expected where a sophisticated nation state is involved.”

    Then late Monday evening, the New York Times reported that “American intelligence agencies have “high confidence” that the Russian government was behind the DNC breach.

    It’s hard to beat a good narrative “when explanations take such a dreadful time” as Lewis Carroll pointed out. And the odds are that nothing that I write will change the momentum that’s rapidly building against the Russian government.

    Still, my goal for this article is to address some of the factual errors in Thomas Rid’s Vice piece, provide some new information about the capabilities of independent Russian hackers, and explain why the chaos at GRU makes it such an unlikely home for an APT group.

    Fact-Checking The Evidence

    Thomas Rid wrote:

    One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.

    This paragraph sounds quite damning if you take it at face value, but if you invest a little time into checking the source material, its carefully constructed narrative falls apart.

    Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”

    Problem #2: The Command & Control server (176.31.112.10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.

    The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.

    Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure—these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

    Professor Rid’s argument depended heavily on conveying hard attribution by the BfV even though the President of the BfV didn’t disguise the fact that their attribution was based on an assumption and not hard evidence.

    Personally, I don’t want to have my government create more tension in Russian-U.S. relations because the head of Germany’s BfV made an assumption.

    In intelligence, as in other callings, estimating is what you do when you do not know. (Sherman Kent)

    When it came to attributing Fancy Bear to the GRU, Dmitry Alperovich used a type of estimative language because there was no hard proof: “Extensive targeting of defense ministries and other military victims has been observed, the profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное разведывательное управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence service.”

    For Cozy Bear’s attribution to the FSB, Dmitry simply observed that there were two threat actor groups operating at the same time while unaware of each other’s presence. He noted that the Russian intelligence services also compete with each other, therefore Cozy Bear is probably either the FSB or the SVR: “we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario.”

    The Fidelis report on the malware didn’t mention the GRU or FSB at all. Their technical analysis only confirmed the APT groups involved: “Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC.”

    When it came to attributing the attack to the Russian intelligence services, Fidelis’ Mike Buratowski told reporter Michael Heller: “In a situation like this, we can’t say 100% that it was this person in this unit, but what you can say is it’s more probable than not that it was this group of people or this actor set.”

    As Mark Twain said, good judgment comes from experience, and experience comes from bad judgment. The problem with judgment calls and attribution is that since there’s no way to be proven right or wrong, there’s no way to discern if one’s judgment call is good or bad.

    The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police.

    OK. Raise your hand if you think that a GRU or FSB officer would add Iron Felix’s name to the metadata of a stolen document before he released it to the world while pretending to be a Romanian hacker. Someone clearly had a wicked sense of humor.

    APT Groups Aren’t People. They’re Indicators.

    [see image of different names for the APT groups assumed to be Russian]

    This is a partial spreadsheet for Russian APT threat groups. The one for China is about four times as big. If it looks confusing, that’s because it is. There is no formal process for identifying a threat group. Cybersecurity companies like to assign their own naming conventions so you wind up having multiple names for the same group. For example, CrowdStrike’s Fancy Bear group has the primary name of Sofacy, and alternative names of APT28, Sednit, Pawn Storm, and Group 74.

    While it’s natural to think of Sofacy as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable.

    Non-Government Russian Hacker Groups

    Russia’s Ministry of Communication reported that Russian cybercriminals are re-investing 40% of the millions of dollars that they earn each year in improving their technology and techniques as they continue to target the world’s banking system. Kaspersky Lab estimated earnings for one 20 member group at $1 billion over a three year period.

    A common (and erroneous) rationale for placing the blame of a network breach on a nation state is that independent hacker groups either don’t have the resources or that stolen data doesn’t have financial value. These recent reports by Kaspersky Lab and Russian Ministry of Communication make it clear that money is no object when it comes to these independent groups, and that sophisticated tools and encryption methods are constantly improved upon, just as they would be at any successful commercial enterprise or government agency.

    That, plus the occasional cross-over between independent Russian hackers and Russia’s security services makes differentiation between a State and non-State threat actor almost impossible. For that reason alone, it should be incumbent upon policymakers and journalists to question their sources about how they know that the individuals involved are part of a State-run operation.

    A Nightmare Scenario

    “Indeed, there will be some policymakers who could not pass a rudimentary test on the “facts of the matter” but who have the strongest views on what the policy should be and how to put it into effect.” (Sherman Kent)

    Here’s my nightmare. Every time a claim of attribution is made—right or wrong—it becomes part of a permanent record; an un-verifiable provenance that is built upon by the next security researcher or startup who wants to grab a headline, and by the one after him, and the one after her. The most sensational of those claims are almost assured of international media attention, and if they align with U.S. policy interests, they rapidly move from unverified theory to fact.

    Because each headline is informed by a report, and because indicators of compromise and other technical details are shared between vendors worldwide, any State or non-State actor in the world will soon have the ability to imitate an APT group with State attribution, launch an attack against another State, and generate sufficient harmful effects to trigger an international incident. All because some commercial cybersecurity companies are compelled to chase headlines with sensational claims of attribution that cannot be verified.

    I encourage my colleagues to leave attribution to the FBI and the agencies of the Intelligence Community, and I implore everyone else to ask for proof, even from the U.S. government, whenever you read a headline that places blame on a foreign government for an attack in cyberspace.

    ———–

    “Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011)” by Jeffrey Carr; Medium; 07/27/2017

    “While it’s natural to think of Sofacy as a group of individuals, it’s more like a group of technical indicators which include tools, techniques, procedures, target choices, countries of origin, and of course, people. Since most bad actors operate covertly, we are highly dependent on the forensics. Since many of the tools used are shared, and other indicators easily subverted, the forensics can be unreliable.”

    Yep, when cybersecurity firms publish reports about some “APT” (Advanced Persistent Threat) group, they’re not actually reporting on a specific group. They’re reporting on similar technical indicators that suggest an attack could have been the same group that did a previous hack, but that’s largely it.

    And if those technical indicators include code that’s available to 3rd party hackers and servers that have already been hacked or show vulnerabilities to hacking, as is the case with the 176.31.112[.]10 Command & Control server used by “APT28” in both the DNC server hack and the Bundestag hack (with that IP address hard coded in both cases), those technical indicators are indicative of very little other than some group might be up to their old tricks or some other group is copying (or framing) them:


    Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”

    Problem #2: The Command & Control server (176.31.112.10) was using an outdated version of OpenSSL vulnerable to Heartbleed attacks. Heartbleed allows attackers to exfiltrate data including private keys, usernames, passwords and other sensitive information.

    The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.

    “The existence of a known security vulnerability that’s trivial to exploit opens the door to the possibility that the systems in question were used by one rogue group, and then infiltrated by a second rogue group, making the attribution process even more complicated. At the very least, the C2 server should be considered a compromised indicator.”

    And yet, despite these glaring issues with the technical indicators, when Germany’s BfV issued a report in January of 2016 pinning the blame for the Bundestag hacks on the GRU and FSB, it was an assumption based on technical indicators alone:

    ..
    Problem #3: The BfV published a newsletter in January 2016 which assumes that the GRU and FSB are responsible because of technical indicators, not because of any classified finding; to wit: “Many of these attack campaigns have each other on technical similarities, such as malicious software families, and infrastructure—these are important indicators of the same authorship. It is assumed that both the Russian domestic intelligence service FSB and the military foreign intelligence service GRU run cyber operations.”

    So it looks like the BfV’s attribution that the Russian government was behind the “APT28” Bundestag hack wasn’t a very solid attribution.

    And don’t forget that the attribution of the Bundestag hack is A LOT easier to make than the attribution of the DNC server hack. Why? Because after the Bundestag hack happened there was lots of discussion of it in the cybersecurity press, and that included discussion of how the Command & Control server at the 176.31.112[.]10 IP address was vulnerable to the Heartbleed attack.

    But how do we know that the server wasn’t being used by third parties during the Bundestag hack too? After all, not only was the same 176.31.112[.]10 Command & Control server used in both hacks, but that IP address was hard coded into the malware used in both attacks. In other words, “APT28” was already acting rather ‘buggy’ during the Bundestag hack and hackers had been seeking out Heartbleed-vulnerable servers almost immediately after Heartbleed was disclosed:

    Thomson Reuters

    Heartbleed bug-affected servers being sought by hackers
    ‘Now it is amateur hour. Everybody is doing it.’

    Posted: Apr 10, 2014 11:19 AM ET Last Updated: Apr 10, 2014 7:03 PM ET

    Researchers have observed sophisticated hacking groups conducting automated scans of the internet in search of web servers vulnerable to the theft of data, including passwords, confidential communications and credit card numbers, due to the Heartbleed bug.

    Servers may be vulnerable to the bug if they run popular versions of a web encryption program known as OpenSSL used on about two-thirds of all web servers. The issue has gone undetected for about two years.

    Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, said his firm uncovered evidence on Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans shortly after news of the bug first surfaced the same day.

    That number had increased on Wednesday after security software company Rapid7 released a free tool for conducting such scans.

    “The problem is insidious,” Baumgartner said. “Now it is amateur hour. Everybody is doing it.”

    It isn’t known whether any data has actually been stolen by hackers or cybercriminals making use of the bug in the past couple of years, as such thefts would normally be undetectable.

    However, at least one technology specialist has reported signs that the Heartbleed bug may have already been exploited. Terrence Koeman, chief technology officer for the digital production agency MediaMonks, told the technology news site Ars Technica that he had detected scans for the vulnerability dating back to November 2013. And he said the scans came from a network suspected of harbouring “bot” servers — zombie computers controlled over the internet by cybercriminals using malware.

    OpenSSL software is used on servers that host websites but not PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.

    “There is nothing users can do to fix their computers,” said Mikko Hypponen, chief research officer with security software maker F-Secure.

    A scan of the internet Tuesday night suggested that about a third of servers with the vulnerability had been patched at that time, reported Robert David Graham of Atlanta-based Errata Security on his blog. Still, the scan detected roughly 600,000 servers that were still vulnerable.

    ———-

    “Heartbleed bug-affected servers being sought by hackers”; Thomson Reuters; 04/10/2014

    “The problem is insidious…Now it is amateur hour. Everybody is doing it.”

    Everybody is doing it. That was the situation in April of 2014 after scanning tools were released that allowed people to scan the web for vulnerable servers. And yet the APT28 server used in both the Bundestag hacks and the DNC server hack was still apparently vulnerable to Heartbleed in 2015!

    So, again, was the Bundestag hack even done by “APT28” or just some random group that hijacked a server that had been previously attributed to APT28-ish behavior? It’s a pretty crucial question. Especially when you consider the article below from June of 2015 (before the DNC server hack) that explicitly pointed out how the server at 176.31.112[.]10 inexplicably hard coded into the Bundestag hack malware was vulnerable to Heartbleed. Not only does the article point out this vulnerability, but it also notes how the use of the particular malware “XTunnel” that was communicating with that server was not at that time a known technical indicator associated with APT28. In other words, the malware with the oddly hard coded IP address to the Heartbleed vulnerable server was new behavior for APT28:

    Netzpolitik.org

    Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag

    19.06.2015, guest post

    Servers of The Left in German Bundestag have been infected with malware, apparently by a state-sponsored group of Russian origin. This is the summary of an analysis by an IT security researcher, which we publish in full. The in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the malware.

    This analysis of security researcher Claudio Guarnieri was originally written for The Left in German Bundestag. We’re publishing it here with permission from The Left.

    A German translation of this report also exists.

    Summary of Findings

    Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure. One is an open source utility used to remotely issue commands on a Windows host from a Linux host. The other is a custom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the attackers to maintain persistence within the compromised network.

    The combination of the two utilities seems to be enough for the attackers to maintain a foothold inside the network, harvest data, and exfiltrate all the information they deemed interesting. It is, however, possible that there are additional malicious artifacts which have not yet been discovered.

    Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28). Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin.

    Artifacts

    The first artifact – identified across this report as Artifact #1 – has the following attributes:

    Name winexesvc.exe
    Size 23552
    MD5 77e7fb6b56c3ece4ef4e93b6dc608be0
    SHA1 f46f84e53263a33e266aae520cb2c1bd0a73354e
    SHA256 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d

    The second artifact – identified across this report as Artifact #2 – has the following attributes:

    Name svchost.exe.exe
    Size 1062912
    MD5 5e70a5c47c6b59dae7faf0f2d62b28b3
    SHA1 cdeea936331fcdd8158c876e9d23539f8976c305
    SHA256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a
    Compile Time 2015-04-22 10:49:54

    Analysis of Artifact #1

    Artifact #1 was retrieved from a File Server operated by Die Linke. The file is a 64bit-compatible compiled binary of the open source utility Winexe. Winexe is software similar to the more popular PSExec and is designed to allow system administrators to execute commands on remote servers. While commercial solutions like Symantec pcAnywhere provide a larger feature-set, Winexe is lightweight, and doesn’t require any installation or configuration. One of the reasons Winexe is preferred over PSExec, is that it provides a Linux client, while PSExec doesn’t.

    Attackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across compromised networks. Besides providing the ability to execute arbitrary commands on the target system, these utilities normally don’t raise suspicion as they are commonly whitelisted by Antivirus and other commercial security software.

    Winexe acts as a Windows service that can be configured to automatically start at boot and silently wait for incoming commands over a named pipe. Named pipes are a Windows inter-process communication method. Through named pipes, processes are able to communicate and exchange data even over a network. In the case of Artifact #1, the name of the pipe is „ahexec“; computers over the network could access the pipe server by simply opening a file handle on „\\ServerName\pipe\ahexec“.

    Once connected to the pipe, a user or a program can easily provide information required to execute command (just as they would normally through a command-line). The provided information is then passed to a „CreateProcessAsUserA“ call and the specified command is executed.

    Once inside the network, Artifact #1 can be enough for the attacker to download or create additional scripts, execute commands and exfiltrate data (for example, simply through ftp). It is plausible that Artifact #1 could be present on other servers under different names, although it is also likely that the attacker only left it on servers to which they required maintenance of persistent access.

    It is important that all the deployments of this utility are identified and removed, as they are self-sufficient and they provide easy and open access to execute commands on the host, potentially with administrator privileges.

    Analysis of Artifact #2

    Artifact #2 was recovered from the Admin Controller operated by Die Linke. This is custom malware, which despite large file size (1,1 MB), provides limited functionality. Artifact #2 operates as a backchannel for the attacker to maintain a foothold inside the compromised network. The properties of the artifact show that the same authors of the malware seem to have called it „Xtunnel“. As the same name suggests, the artifact appears in fact to act as a tunnel for the attacker to remotely access the internal network and maintain persistence.

    After initialization, the artifact will attempt to establish a connection by creating a socket. In case of failure, it will sleep for three seconds and try again. The authors of the malware didn’t appear to have spent any effort in concealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in clear-text inside the binary. We can observe below, the procedure through which the artifact attempts to establish a connection with the IP address „176.31.112.10“:
    [see screenshot of how “Artifact 2” connects to the IP address 176.31.112.10]
    This specific IP address is a critical piece of information that enables us to connect this attack to a spree of previous targeted campaigns. The details of this attribution is explained in a dedicated section below. We will refer to this IP address as „Command & Control“ (or „C&C“).

    The artifact is capable of receiving multiple arguments, including -Si, -Sp, -Up, -Pp, -Pi and -SSL. Following are the beaconing packets the artifact will send to Command & Control:

    -Si
    00000000 2a 00 00 00 *…
    00000004 b2 23 16 85 ee 59 52 a6 79 3a 2a e2 da 11 c0 1b .#…YR. y:*…..
    00000014 de 77 ea 47 35 11 de 8a 76 1a ee 16 d9 fd 28 0d .w.G5… v…..(.

    -Sp
    00000000 22 00 00 00 „…
    00000004 90 ac c6 39 09 b6 23 72 9d 36 a6 3b 2e b7 02 ce …9..#r .6.;….
    00000014 dd 09 d4 e4 d3 e6 01 5f 6a 37 b2 39 01 b4 0a af ……._ j7.9….

    -Up
    00000000 07 00 00 00 ….
    00000004 7e e2 82 05 74 be 3f 9b 8e 6a dc 5c d1 fe 85 f7 ~…t.?. .j…..
    00000014 5f 33 26 6e 5e 62 c1 0e c0 da a3 b3 6c f9 ca 88 _3&n^b.. ….l…

    If the argument -SSL is given through command-line to the artifact, these beacons will be encapsulated in an SSL connection and a proper TLS handshake will be initiated with the C&C.

    Interestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually large size of the binary. More importantly, the Command & Control server (176.31.112.10) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability.

    Attribution

    While attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of such attribution, previous work by security vendor FireEye suggests the group might be of Russian origin, however no evidence allows to tie the attacks to governments of any particular country.

    Sofacy is a group dedicated to the compromise of high-profile targets and the theft of confidential information. They appear to have been active since 2006. They are believed to have successfully attacked the Ministries of Internal and Foreign Affairs of several ex-Soviet countries, as well as Eastern European governments and military institutions, and NATO and the White House.

    Sofacy is known for making extensive use of phishing attacks to lure targets into revealing their credentials via realistic reconstruction of internal systems, such as webmails, as employed against the Georgian Ministry of Internal Affairs in the infamous attacks that preceded the Georgian invasion of 2008:

    [see screenshot of fake website used against the Georgian Ministry of Internal Affairs]

    In order to make the phishing attempts more credible, Sofacy Group has made use of „typesquatting“, intentionally using spelling mistakes (for example, replacing letters „i“ with „l“ and „g“ with „q“, or by adding punctuation) to register domains very similar to the original legitimate ones:

    While Sofacy is also known to use of custom exploit frameworks and spear-phishing attacks, it is possible in this case that they managed to obtain privileged credentials of network administrators within the Bundestag through the use of a phishing attack, which then allowed them to navigate through the network and gain access to more data. It is worth noting that shortly before the attack, security vendors reported the use of 0-day exploits in Flash Player and Microsoft Windows by the same threat actor.

    Shared Command & Control infrastructure

    While the artifacts don’t appear to show attributes useful for attribution, the network infrastructure used during the attack led instead to interesting results. During investigation of the Command & Control server (with IP „176.31.112.10“ hardcoded in Artifact #2), we managed to identify some operational mistakes made by the attackers, allowing us to connect the incident with attacks previously associated with the Sofacy Group.

    The address, 176.31.112.10, is a dedicated server provided by the French OVH hosting company, but is apparently operated by an offshore secure hosting company called CrookServers.com and seemingly located in Pakistan:

    Company Address:
    MUAnetworks
    U ashraf
    Village Kakra Town
    Mirpur AJK
    Pakistan

    It is common for attackers to make use of offshore hosting facilities which are less likely to cooperate with law enforcement on takedown requests or requests of disclosure of their customers’ identity.

    CrookServers appears to have servers scattered in a number of datacenters and dedicated server hosting providers around the world.

    By researching historical data relevant to C&C 176.31.112.10, we discovered that on February 16th 2015, the server was sharing an SSL certificate with another IP address allocated to CrookServers and also hosted at OVH: „213.251.187.145“.

    The recovered shared SSL certificate, obtained by a public internet-wide scanning initiative, at the time had the following attributes:

    MD5 b84b66bcdecd4b4529014619ed649d76
    SHA1 fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c
    Algorithm sha1WithRSAEncryption
    Self-Signed No
    Subject C: GB
    L: Salford
    ST: Greater Manchester
    CN: mail.mfa.gov.ua
    O: COMODO CA Limited
    all: C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
    Limited/CN=mail.mfa.gov.ua
    Serial 16474505314457171426
    Not before 20140414083521Z
    Not after 20410830083521Z

    As shown, the certificate uses „mail.mfa.gov.ua“ as a Common Name. This suggests that this certificate might have been previously used for a similar attack against the Ukrainian Ministry of Foreign Affairs, or associated targets, although there is no documentation of such an attack available to the public.

    More importantly, the IP address this certificate was shared with – 213.251.187.145 – was previously identified as used by Sofacy Group for phishing attacks against Albanian government institutions by registering the domain „qov.al“ (notice, the letter „q“ instead of „g“) and creating realistic subdomains to lure victims into visiting. The domain was active on the IP 213.251.187.145 from July 2014 up until March 2015.

    These attacks against Albanian government institutions by the Sofacy Group were documented and reported by the consultancy PwC in December 2014. It is worth noting that this server also seems to be operated by CrookServers, since among other domains, 454-reverse.crookservers.net resolved to the same IP address.

    Similar Artifacts and root9B report

    While the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular Artifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.

    Nevertheless, on May 12th 2015 (a few weeks after the attack against Bundestag appears to have started) the American security firm root9B released a report containing details on malware samples very similar to Artifact #2. The report also includes a mention of the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10).

    While the report appears to contain numerous inaccuracies, some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy.

    Following are hashes for malware artifacts showing very similar attributes to Artifact #2:

    566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092

    ———-

    “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag” by Gastbeitrag; Netzpolitik.org; 06/19/2015

    “While the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular Artifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.”

    “Artifact #2” – the “Xtunnel” malware with the 176.31.112[.]10 hardcoded IP address – is “not publicly recognized to be part of the more traditional arsenal of these attackers.” It’s all rather odd.

    And note that “XTunnel” was amateurish and widely available for any hacker:

    Counter Punch

    Did the Russians Really Hack the DNC?

    by Gregory Elich
    January 13, 2017

    Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

    How substantial is the evidence backing these assertions?

    APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

    Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

    One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

    “Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Croman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

    ———-

    “Did the Russians Really Hack the DNC?” by Gregory Elich; Counter Punch; 01/13/2017

    “APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.”

    So if “APT28” did the Bundestag hack, they suddenly changed their behavior by using unsophisticated code communicating with a server that had been open to 3rd party hijacking for well over a year. Pretty odd!

    And note in the June 2015 netzpolitik.org article how that same 176.31.112.10 had previously been attributed to Sofacy/APT28/Fancy Bear by the cybersecurity firm root9B. And in a report with an abundance of flaws:

    Similar Artifacts and root9B report

    While the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular Artifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.

    Nevertheless, on May 12th 2015 (a few weeks after the attack against Bundestag appears to have started) the American security firm root9B released a report containing details on malware samples very similar to Artifact #2. The report also includes a mention of the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10).

    While the report appears to contain numerous inaccuracies, some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy.

    “While the report appears to contain numerous inaccuracies, some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy.”

    Yep, just weeks after the Bundestag hack, a really flawed report from root9B claimed to associate that same command & control server with Sofacy. And while the netzpolitik.org article described the report as largely correct despite the inaccuracies, other experts weren’t so impressed:

    Krebs on Security

    Security Firm Redefines APT: African Phishing Threat

    Brian Krebs
    May 20, 2015

    A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

    The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including, Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” and it’s a term much used among companies that sell cybersecurity services in response to breaches from state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

    “While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said was targeted financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

    “It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

    However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

    The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

    The problem with that linkage is although carbon2u[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2u home for their DNS operations, including these clowns.

    From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

    For example, most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “adeweb2001@yahoo.com,” adeweb2007@yahoo.com,” and “rolexzad@yahoo.com”.

    Each of these emails have long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

    The domain rolexad[dot]com was flagged as early as 2008 by aa419.org, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

    I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

    “Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

    Blasco’s comments may sound harsh, but it is true that root9B Chairman Joe Grano bought large quantities of the firm’s stock roughly a week before issuing this report. On May 14, 2015, root9B issued its first quarter 2015 financial results.

    There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.

    ———-

    “Security Firm Redefines APT: African Phishing Threat” by Brian Krebs; Krebs on Security; 05/20/2015

    “However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

    As far as Brian Krebs can tell, root9B’s attribution to Sofacy/APT28/Fancy Bear of a particular looming attack on one of their clients (a preemptive defense) was based on some shared domain name server between past hacks attributed to Sofacy and the hackers they were observing on their client’s systems. And as Krebs points out, that shared domain name server had plenty of other ‘badness’ associated with it. Including Nigerian phishing scammers:

    The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

    The problem with that linkage is although carbon2u[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2u home for their DNS operations, including these clowns.

    From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

    Were the hackers root9B identified as ‘Sofacy’ just a bunch of Nigerian scammers? Or perhaps hackers that utilized some of the same infrastructure, like domain name servers, as Nigerian scammers? That’s the conclusion Brian Krebs and others arrived at after reading the report.

    And if you download the report (available here, although be sure to only click the green “Download” button and not all the ads that are trying to get you to download freeware/spyware) you will find them referencing that same 176.31.112.10 IP address as the command & control server they attribute to Sofacy/APT28/Fancy Bear. It’s just one more example of how that 176.31.112.10 server keeps getting attributed to APT28 on rather questionable grounds.

    Now, it’s entirely possible that a Russian hacking group APT28 was operating the 176.31.112.10 and running all sorts of hacking campaigns from it. But the point is that technical indicators used to attribute a hack to that group aren’t exactly compelling. Especially when that server is open to the Heartbleed attack. And especially when that server’s vulnerability to the Heartbleed attack is published for the world to read about. And in the case of the DNC server hack in the fall of 2015, that vulnerability was published. It was known.

    But even for the Bundestag hack, which happened before that Heartbleed vulnerability was published for that specific server, it’s not like there were hacking groups systematically scanning the internet looking for vulnerable servers. And as we saw in the netzpolitik.org article, the Bundestag hack’s use of the relatively unsophisticated “XTunnel” malware and the hardcoded IP address were not ‘artifacts’ previously associated with APT28.

    Sure, it’s possible that a Russian government hacking group is intentionally using unsophisticated malware for some mysterious reason that doesn’t hide what it’s doing and hard codes the IP address to the command & control server that’s vulnerable to a Heartbleed attack. It’s possible. It’s just very possible that it was someone else. For both the DNC hack and the Bundestag hack, which is a pretty big deal when it comes to the business of attribution. Especially when the attribution of the DNC hack refers to the attribution of the Bundestag hack.

    Posted by Pterrafractyl | July 18, 2017, 8:24 pm
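The netzpolitik.org excerpt quoted in the comment above describes the lookalike-domain trick used in the Bundestag and Albanian phishing (swapping „i“ for „l“ and „g“ for „q“, adding punctuation, and hanging realistic subdomains such as those under qov.al off the fake name). The following is an added example showing how a defender would catch those lookalikes in a feed of observed domains; it is not code from netzpolitik.org, PwC, root9B or anyone quoted on this page. The target and observed domain lists are constructed for illustration (only gov.al / qov.al come from the excerpt), and the public-suffix handling is a deliberately simplified assumption noted in the code.

```python
"""Detect typosquatted lookalike domains built the way the netzpolitik.org
excerpt describes: confusable-letter swaps (i/l, g/q), inserted punctuation,
and the genuine name embedded as a subdomain of an attacker-controlled one.
Added example, not code from any party quoted on the page. Domain lists are
constructed for illustration."""

from typing import Dict, Iterable, List, Set, Tuple

# Visually confusable pairs named in the excerpt; both directions are listed
# so a lookalike is caught whichever way the attacker substituted.
CONFUSABLES: Dict[str, str] = {"i": "l", "l": "i", "g": "q", "q": "g"}

# Only "-" is legal inside a DNS label; a "." would add a sub-label, which is
# handled by the "embedded" check in match_typosquat().
INSERTED_PUNCTUATION = "-"


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.' so that comparisons
    are made on the bare name."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def registrable(domain: str) -> Tuple[str, str]:
    """Split a name into (second-level label, suffix). Simplifying assumption
    for this example: the public suffix is the last label only, so
    'mail.qov.al' -> ('qov', 'al'). A real deployment would consult the
    Public Suffix List so that names under e.g. gov.ua are handled."""
    labels = normalize(domain).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return labels[-2], labels[-1]


def lookalikes(label: str, max_swaps: int = 2) -> Set[str]:
    """Every label reachable from `label` by up to `max_swaps` confusable
    substitutions, optionally followed by one inserted hyphen. The genuine
    label itself is never returned."""
    current: Set[str] = {label}
    for _ in range(max_swaps):
        for s in list(current):
            for i, ch in enumerate(s):
                if ch in CONFUSABLES:
                    current.add(s[:i] + CONFUSABLES[ch] + s[i + 1:])
    with_punct: Set[str] = set()
    for s in current:
        for i in range(1, len(s)):  # a hyphen may not lead or trail a label
            with_punct.add(s[:i] + INSERTED_PUNCTUATION + s[i:])
    current |= with_punct
    current.discard(label)
    return current


def match_typosquat(observed: str, targets: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (observed, target, reason) for every target the observed name
    imitates. 'confusable': its registrable label is a lookalike of the
    target's. 'embedded': the genuine target name appears as sub-labels under
    an unrelated registrable name (e.g. mail.gov.al.attacker.net)."""
    hits: List[Tuple[str, str, str]] = []
    obs_label, obs_tld = registrable(observed)
    obs_labels = normalize(observed).split(".")
    for target in targets:
        t_label, t_tld = registrable(target)
        if (obs_label, obs_tld) == (t_label, t_tld):
            continue  # the genuine domain (or a real subdomain of it), not a squat
        if obs_tld == t_tld and obs_label in lookalikes(t_label):
            hits.append((observed, target, "confusable"))
            continue
        for i in range(len(obs_labels) - 2):
            if obs_labels[i] == t_label and obs_labels[i + 1] == t_tld:
                hits.append((observed, target, "embedded"))
                break
    return hits


def scan(observed_domains: Iterable[str], targets: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run match_typosquat() over a whole feed (e.g. newly registered domains
    or passive-DNS output) and collect every hit."""
    target_list = list(targets)
    results: List[Tuple[str, str, str]] = []
    for d in observed_domains:
        results.extend(match_typosquat(d, target_list))
    return results


if __name__ == "__main__":
    # Constructed sample feed; only gov.al / qov.al are taken from the excerpt.
    TARGETS = ["gov.al", "bundestag.de"]
    OBSERVED = ["qov.al", "mail.qov.al", "bundestaq.de", "bundes-tag.de",
                "mail.gov.al.attacker.net", "bundestag.de", "example.com"]
    for obs, tgt, why in scan(OBSERVED, TARGETS):
        print(f"{obs:<26} imitates {tgt:<13} ({why})")
```

The genuine domain and its real subdomains are skipped because their registrable part equals the target's; the hyphen and confusable checks run only when the suffix matches, so a lookalike parked under a different TLD (bundestaq-de.com) is out of scope for this example and would need a separate rule.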
