The first thing to understand about the latest round of indictments from the Mueller investigation is that, in terms of understanding what the Russians may have done, they tell us nothing significant that wasn’t already understood in the “Russian interference” narrative.
The indictment names 12 Russians who are accused of intruding into the John Podesta email account, the DCCC IT system, and the DNC IT system, starting in March and April 2016. From those intrusions, according to the indictment, came the leaks of Democratic emails in the summer and early fall of 2016. The indictment identifies Russians as being behind the Guccifer 2.0 persona and the DCLeaks website, purportedly the vehicles for leaking the Democratic emails.
The X-Agent “hacking” tool named in the indictment is associated with the “advanced persistent threat” – APT28 – that the public has been calling Fancy Bear, the name given to it by the cybersecurity firm CrowdStrike. Fancy Bear has been thought since we first heard of it to be the toolset of choice for a cyber operation against the U.S. election undertaken by the Russian GRU: the military intelligence directorate. The GRU performs functions similar to those of the NSA and DIA (Defense Intelligence Agency) in the U.S. military.
We have known all of the “intrusion” information since 15 June 2016. Regarding the leaked release of the Democratic emails, the official narrative has not changed since before the November 2016 election (see the Krebs on Security link below). The same thing reportedly suspected then is suspected now. Mueller has just gotten 12 GRU officials indicted for it.
The bottom line, then, is that no previously unlocated witch has been tracked down in the “witch hunt.” Rather, after more than two years, we finally have an indictment of a coven of witches whose location, affiliation, and identity in principle (i.e., “officials and operatives of the GRU”) have been “known” all along.
If it seems like there are a lot of scare quotes here, it’s because there are. It remains to be seen how well this indictment will hold up if it has to be seriously litigated in court. The dubiousness of it starts with the word “hack,” which many experts would say is not accurately descriptive of how APT28 was wielded against the Democratic IT targets in question.
In each case, the indictment says the cyber penetration was accomplished through spearphishing. That basically means exploiting a human vulnerability – gaining user credentials by deception – rather than exploiting a system vulnerability.
The difference between “hacking” and “spearphishing” may seem pedantic (even some old-school hackers have given up on making the distinction now), but in proving the crime beyond a reasonable doubt in court, method will matter. It could go to the heart of both the definition of the crime and the identities of the indicted persons and the state actor alleged to be behind them.
This is especially so because, as far as we know, the FBI has never physically examined the DCCC or DNC computers at issue. The entire case would revolve around the forensic reconstruction of transactions in cyberspace, tied by surmise and analysis to indictable humans. It’s an interesting question whether the allegations in the federal indictment would stand up to challenges in that regard.
But then, it’s an equally interesting question whether they will ever have to. The general public is still, at the moment, processing the fact that there’s been an indictment. But experts in the field, and those who’ve been following the Russiagate drama closely, have already moved beyond that stage. They’ve recognized quickly that Mueller must be counting on not having to litigate this indictment in court.
The indictment isn’t really for getting Russians convicted; they will never be extradited, after all. (Military analyst Rick Francona points out that officers of the GRU acting on military orders aren’t even engaged in “crime,” per se; certainly not from their own nation’s perspective.)
That basically leaves bolstering the Russiagate narrative as the motivation for the indictment.
It’s a weird situation, with absentee defendants. One potential advantage is that the prosecutor could present a one-sided story in court, and could reasonably hope for little blowback if he kept all the secrets he wanted to, while spinning the tale that best suits him.
He’d have to play by a judge’s rules. But he wouldn’t face the true adversarial defense of a real trial. Few if any judges are competent to question his presentation of material facts about the cyber transactions. It would take defense experts to do that effectively.
And whether they worked for the GRU in 2016 or not, cyber predators who can’t be touched by U.S. law enforcement are the least motivated defendants on the planet to bother with such a defense.
The other timing issue
There has been plenty of discussion of the political timing of the indictment. But the important timing issue related to the new indictment is actually contained within it.
That issue is when the counts in the indictment date to, and what that means about the intent of the indictment.
The earliest date in the indictment of a “hacking”-related event is 15 March 2016, when one of the GRU operatives researched the IP configurations of DNC systems to “identify connected devices.” This action and related activities through 7 April preceded the actual intrusion into a DCCC computer on an unnamed date in April.
The spearphishing of John Podesta’s account – the first intrusion, per se – is dated to 19 March 2016.
Russia-linked cyber intrusions on Democratic systems actually started much earlier than that, reportedly in July 2015. The cyber activity that began in 2015 has been attributed to APT29, or what CrowdStrike has dubbed Cozy Bear.
There are varying opinions on how firm the association with Russia is. But the public narrative for two years and counting is that Cozy Bear is a toolset wielded by the Russian FSB, or federal security service.
According to a joint analysis report (JAR) put out by the FBI and the Department of Homeland Security in late December 2016, both APT29 (Cozy Bear) and APT28 (Fancy Bear) used spearphishing to penetrate the Democrats’ systems in the run-up to the 2016 election. The JAR was published about a week before the publicly released intelligence community assessment on Russian interference in the election (January 2017), and clearly connected both APTs to election interference.
But the indictment this week has chosen an inception date of 15 March 2016. That, and the specifics of the counts (including the link to the GRU), limit its scope to Fancy Bear – even though the Cozy Bear intruders did the same things, according to the December 2016 JAR, that the Fancy Bear intruders did.
Note that when Fancy Bear was discovered by the DNC on its system, on 29 April 2016, Cozy Bear had been on the system for months, siphoning off material. It was still there, and this was known by the DNC hierarchy within a very few days. It has never been disputed since.
So it is interesting that the indictment is pristinely focused on Fancy Bear, and is written as if the earliest cyber threat to the Democratic systems was launched on 15 March 2016.
Analysts have questioned all along why the Russians would set both the FSB and the GRU to intrude on the same Democratic computer systems. Some analysts have made a case that the two APTs occasionally worked together to accomplish their task. But others say no such collaboration can be demonstrated.
In any case, if both were active on the system at the same time, that would complicate assigning culpability and getting convictions for the GRU defendants – if, that is, the defendants were to mount a robust defense in court. That may or may not be the reason for dealing Cozy Bear out of this, at least for the moment.
Two more brief points about timing, before moving on to the big finish here. One, 15 March 2016 is a fascinating day. It falls the day after two extremely important events in the Russiagate timeline.
One is the first in-person encounter between George Papadopoulos and Maltese Professor Joseph Mifsud, two characters who have figured significantly in the narrative about the Trump campaign. The two men met on 14 March at Link Campus University in Rome, with the legend having it that Mifsud showed little interest in Papadopoulos until he learned that Papadopoulos had joined the Trump campaign as an adviser. Out of that meeting would come further contacts in which Mifsud reportedly spoke to Papadopoulos about setting up meetings for Trump officials with Russians, and told Papadopoulos about adverse material available on Hillary Clinton.
The other event has been far less reported, but I believe is more important. Also on 14 March 2016, Russian and U.S. media reported that CIA Director John Brennan made a quiet, unheralded – and very unusual – trip to Moscow to visit the FSB.
I’ve written about that trip before (link above and here). I don’t buy that the purpose of the visit was to discuss Syria. The visit itself was probably on Monday, 14 March, the day it was first reported. But it could have been as early as Friday the 11th. In either case, it immediately preceded the launch of the Fancy Bear intrusion on the Democratic systems.
Why Fancy Bear?
We don’t know yet if Mueller has plans to indict other Russians for the Cozy Bear activities, which started in July 2015 and also targeted Democratic systems (as well as others, including a list of prominent think-tanks).
But we do know that (a) we have an existing, long-running narrative about both cybercrime enterprises, and (b) Mueller has started with Fancy Bear.
The most obvious reason for that would be that Fancy Bear is the one that purportedly produced massive email leaks in 2016.
Cozy Bear, assuming we can accept what we’ve been told about it, yielded a lot of information for the Russians.
But the point of starting with an indictment of the Fancy Bear intruders would be to keep front and center the aspect of the email leaks, as a supposed influence on the course of the U.S. election.
That said, the proposition itself – that leaks of the emails affected the election – has always been paper-thin. Besides there being no way to demonstrate any impact from the emails on the voters who gave Trump the electoral college, there is the fact that few voters, in general, were ever paying enough attention to the emails to be swayed by their content.
The narrative that the email leaks somehow affected the election doesn’t actually make sense. The big crowds in MAGA hats in 2016 weren’t reading Democratic emails; they were listening to Trump’s stump speeches.
Something the Fancy Bear timeline and the email connection do, however, is set up the appearance of a link between those threads and the narrative on “Hillary emails” and “dirt” being offered by Russians to Trump campaign officials.
That takes labor. There are so many different ways the Russians – or anyone else – could have gotten hold of Hillary Clinton’s emails, it’s actually laughable to suggest that it took the Fancy Bear intrusion to make that plot element possible. But if you keep blinders on, and focus only on the timeline laid out in the Mueller indictments, the Fancy Bear intrusion is what you’ll key on.
And the big finish
Which brings us to the prophetic passage from former FBI Director Jim Comey, during congressional testimony in March 2017. What’s so interesting about this testimony is that it previews the same dimensions of significance that we now see outlined in the indictment of the GRU Russians.
But it’s especially illuminating because of what seemed to prompt Comey to say it. According to Comey, the Russian cyber attackers during the 2016 election cycle appeared to be trying to call attention to themselves.
Between his testimony and Admiral Mike Rogers’ (then director of NSA), the House hearing was discussing the 2016 intrusions in terms of Russian attacks being designed to lead to the email leaks. That is clear from the CNN transcript here, which includes this interlude with Rep. Ileana Ros-Lehtinen (R-FL):
ROS-LEHTINEN: … I want to assure the American people that there’s also bipartisan agreement on getting to the bottom of Russian meddling in our election which must remain the focus of this investigation and yours.
So Admiral Rogers, I agree in what you said that a public acknowledgement of this foreign meddling to be a problem is important as we move forward. And following on Congressman LoBiondo’s questions and based on this theme, I’d like to ask you gentlemen if you could describe what, if anything, Russia did in this election that to your knowledge they did or they didn’t do in previous elections, how — how it was — were their actions different in this election than — than in previous ones.
ROGERS: I’d say the biggest difference from my perspective was both the use of cyber, the hacking as a vehicle to physically gain access to information to extract that information and then to make it widely, publicly available without any alteration or change.
Note that this reference would be to Fancy Bear, which was the intrusion that we are to understand made information (Democratic emails and documents) widely, publicly available.
So the Comey follow-up is striking:
COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.
A moment later, Ros-Lehtinen follows up:
ROS-LEHTINEN: And the loudness to which you refer, perhaps they were doing these kinds of actions previously in other elections but they were not doing it as loudly. What — why do you think that they did not mind being loud and being found out?
COMEY: I don’t know the answer for sure. I think part — their number one mission is to undermine the credibility of our entire democracy enterprise of this nation and so it might be that they wanted us to help them by telling people what they were doing.
Their loudness, in a way, would be counting on us to amplify it by telling the American people what we saw and freaking people out about how the Russians might be undermining our elections successfully. And so that might have been part of their plan, I don’t know for sure.
Well…yes. And in 2018, here are Mueller, the Democrats, and the media, amplifying it by indicting Russians over “what we saw,” and freaking people out about how the Russians might be undermining our elections successfully.
The point here is not to suggest that we should pay no attention if Russians are trying to attack our systems. It’s to highlight that Comey, in 2017, was retailing the wording of the Russiagate narrative in his testimony, and effectively uttered a self-fulfilling prophecy that is now unfolding with the Mueller indictment.
Comey nailed it – if we are to take all of this at face value. The Russians grabbed our attention with “noisy” cyber attacks, and got our authorities to amplify the effect and freak people out.
This does prompt the question of why it has been so important to the Democrats to cooperate with this Russian plan, which Comey was able to scent 16 months ago.
It also raises another question. What if the Democrats hadn’t cooperated? What if, instead of amplifying the supposed Russian menace and freaking people out, they had addressed it with responsible, meaningful action — in 2016? Would we have the same narrative ruling our public information sphere today?
The question is important, because we clearly haven’t learned anything new since March 2017. We haven’t learned anything new about the Fancy Bear intrusion since June 2016. We already knew, two years ago, everything we were going to know – as long, that is, as we keep agreeing on what “the Fancy Bear intrusion” was, as the Russiagate narrative defines it.
That really does emphasize the question of why it was so important to the Democrats to cooperate with a purported Russian cyber campaign, one which the Mueller indictment frames as having “started” in March 2016, and which involved the intruders being “noisy” and grabbing attention.
A noisy enterprise whose inception date can be framed selectively, and which must be cooperated with, sounds more like a deliberate distraction than anything else. The ultimate question would be whose it is.