The Mueller Report Book Club

A and B. GRU Hacking and Dissemination of the Hacked Materials

pp 36 – 49

Thanks to all for the feedback on whether we should continue.

It looks like Jerrold Nadler plans to make the Mueller report a central part of the leadup to impeachment proceedings, so we should continue to pay attention to it. I was concerned that it would go on the ever-mounting pile of Donald Trump’s misdeeds and fade from sight. With Nadler subpoenaing the materials behind the report, we will be hearing more about it. Lawfare continues to produce their podcasts. Here are Part II and Part III.

Section III is long. I am going to take it a bit at a time. We are now getting into the part of the report that describes how the Russians interfered in the 2016 election and how the Trump campaign interacted with them.

GRU is the acronym for the Russian-language name of Russia’s military intelligence organization, the Main Intelligence Directorate of the General Staff. The GRU competes in such things with the FSB, Russia’s Federal Security Service, roughly the equivalent of the FBI.

The hacking of computers belonging to various organizations and individuals in the Democratic Party was massive. The purpose was to release the documents in ways that would be damaging to the Democratic Party and the Clinton campaign.

The hacking began in March 2016 and continued into April, targeting

the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. (p. 36)

The computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) were compromised.

The hacking was carried out by spearphishing. It was hard to find a good definition of spearphishing. Many definitions come from the viewpoint of computer developers, rather than the users that are targeted. For example, the “spear” part indicates a relatively narrow targeting to a particular group of people, in this case the DCCC and DNC.

The FBI has a definition that can be helpful to users. The perpetrators get enough information to design emails that look like they come from a trusted source.

…the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Only one person needed to fall for this to let the Russians into the Democratic Party networks. Twenty-nine computers on the DCCC network and more than 30 on the DNC network, including the mail server and shared file server, were compromised. Malware was implanted to record keystrokes and to download data.

 

Dissemination of the Hacked Materials (pp 41-48)

The simplicity of the statements in the report indicates a deep set of sources.

The GRU carried out the anonymous release through two fictitious online personas that it created – DCLeaks and Guccifer 2.0 – and later through the organization WikiLeaks. (p. 41)

DCLeaks had Facebook and Twitter accounts. The DCLeaks.com website remained operational and public until March 2017.

Posting of documents began in June 2016. The documents seem to have come from email accounts, including those of an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign employee, and four other campaign volunteers.

The GRU released through dcleaks.com thousands of documents, including personal identifying and financial information, internal correspondence related to the Clinton Campaign and prior political jobs, and fundraising files and information. (p. 41)

 

Guccifer 2.0

On June 15, the day after the DNC announced the breach of its network, GRU officers using the persona Guccifer 2.0 created a WordPress blog, posing as a lone Romanian hacker. That same day, the website began to release DNC and DNCC documents, ultimately releasing thousands of them.

Released documents included opposition research performed by the DNC (including a memorandum analyzing potential criticisms of candidate Trump), internal policy documents (such as recommendations on how to address politically sensitive issues), analyses of specific congressional races, and fundraising documents. Releases were organized around thematic issues, such as specific states (e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential election. (p. 43)

Later in June, the Guccifer 2.0 persona released documents to reporters and other interested individuals. This continued into August.

Through the Guccifer 2.0 persona, the GRU was in contact with a former Trump campaign member. The member’s identity is redacted because of Harm to Ongoing Matter.

 

Use of WikiLeaks

In November 2015, Julian Assange emailed WikiLeaks staff to set an anti-Clinton tone for the organization. In March 2016, WikiLeaks released a searchable archive of approximately 30,000 Clinton emails that had been obtained through FOIA litigation. Both actions were before the GRU hacked the DNC and DCCC.

Shortly after the GRU began releasing stolen documents through dcleaks.com in June 2016, DCLeaks contacted WikiLeaks, and WikiLeaks contacted Guccifer 2.0. WikiLeaks wanted their material. The communications were partly hidden, but it is clear that the GRU transferred stolen DNC and Podesta documents to WikiLeaks.

The Office cannot rule out that stolen documents were transferred to WikiLeaks through intermediaries who visited during the summer of 2016. For example, public reporting identified Andrew Müeller-Maguhn as a WikiLeaks associate who may have assisted with the transfer of these stolen documents to Wikileaks. (p. 47)

On October 7, 2016, WikiLeaks released the first emails stolen from the Podesta email account. WikiLeaks released 33 tranches of stolen emails between October 7, 2016 and November 7, 2016, immediately before the election. The releases included private speeches given by Clinton; internal communications; and correspondence related to the Clinton Foundation. WikiLeaks released over 50,000 documents stolen from Podesta’s personal email account.

WikiLeaks and Assange made several public statements about the source of the materials designed to obscure that source. They implied that Seth Rich, a former DNC staff member who was killed in July 2016 and the subject of rightwing conspiracy theorizing, was the source. After the U.S. intelligence community publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking.

 

The report gives much more detail about how the communications took place.

The second paragraph of the section overview (p. 36) has significant redactions, the reason for which is given as “Harm to Ongoing Matter.” This probably refers to the counterintelligence investigation. Mueller referred to that investigation in his testimony on July 24. Obviously this is justifiable in terms of legal procedure, but we need to know more about that investigation. I’ll write a post about this later in this sequence.

Investigative methods are redacted. This is not important for understanding. Clearly the FBI hacked into the GRU’s communications and materials. That’s all we need to know. A couple of years ago, Dutch intelligence gained access to Russian government computers in 2014 and warned the US about potential hacking of Democratic Party organizations. The operation that provided information to Mueller must have been something like that.

 

The Mueller Report Book Club – III. Russian Hacking and Dumping OperationsPost + Comments (36)

(pp 14-35)

Much of this chapter is redacted under “Harm to Ongoing Matter,” (HOM) presumably referring to the court case against 13 employees of the Internet Research Agency (IRA). A few redactions are labeled “Personal Privacy” (PP) and “Investigative Technique,” (IT) and there seems no need to try to decipher them.

The unredacted part of the chapter is a story that has appeared in the news many times. I’ll outline it and provide a few juicy quotes.

The IRA is funded by Yevgeniy Viktorovich Prigozhin and companies he controlled, including Concord Management and Consulting LLC and Concord Catering. It conducted social media operations in the United States with objectives of sowing discord and later electing Donald Trump president, starting in at least 2014. By February 2016, the IRA was supporting Trump against Clinton. Proghozin was sanctioned by the US Treasury Department in December 2016.

The operations included running accounts on Twitter, Facebook, and Instagram, holding rallies, and buying advertisements. The accounts looked like they belonged to individuals, groups, and activists of various sorts – rightwing, black, political, and religious. The IRA also ran a bot network on Twitter to amplify their messages. By the end of the 2016 election, they had reached millions of people.

(testimony of Colin Stretch, General Counsel of Facebook) (“We estimate that roughly 29 million people were served content in their News Feeds directly from the IRA’s 80,000 posts over the two years. Posts from these Pages were also shared, liked, and followed by people on Facebook, and, as a result, three times more people may have been exposed to a story that originated from the Russian operation. Our best estimate is that approximately 126 million people may have been served content from a Page associated with the IRA at some point during the two-year period.”). The Facebook representative also testified that Facebook had identified 170 Instagram accounts that posted approximately 120,000 pieces of content during that time. Facebook did not offer an estimate of the audience reached via Instagram. (Footnote 6, p. 15)

The chapter contains numerous specific examples of tweets and other social media from the IRA, including @TEN_ GOP, which pretended to be “the informal voice of the Tennessee GOP,” and “Miners for Trump,” which held rallies in Pennsylvania.

“Main idea: Use any opportunity to criticize Hillary [Clinton] and the rest (except Sanders and Trump – we support them)”

The IRA recruited Americans across the political spectrum to help spread its message. This section, starting on page 31, also contains both HOM and PP redactions. Members of the Trump campaign shared or retweeted IRA matter. Donald Trump Jr., Eric Trump, Kellyanne Conway, Brad Parscale, and Michael T. Flynn all retweeted IRA tweets against Hillary Clinton.

IRA employees also tried to contact Trump campaign members directly, representing themselves as US persons. The IRA’s contacts included requests for signs and other materials for rallies and requests to promote the rallies and help coordinate Iogistics. Some campaign volunteers agreed to provide the requested support (for example, agreeing to set aside a number of signs), the investigation has not identified evidence that any Trump campaign official understood the requests were coming from foreign nationals.

A name that may be worth keeping in the back of your mind is “Project Lakhta,” which is mentioned as a larger project that includes the IRA operations. The rest of that paragraph is redacted.

 

The Mueller Report Book Club – II. Russian “Active Measures” Social Media CampaignPost + Comments (23)

(pp 11-13)

This section lays the basis for and scope of the investigation. It first cites Rod Rosenstein’s Appointment Order. (The report uses more capitalization than I usually do. It is helpful in pointing to specific documents.) The subjects of investigation are:

(i) any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and

(ii) any matters that arose or may arise directly from the investigation; and

(iii) any other matters within the scope of 28 C.F.R. § 600.4(a).

The last covers “federal crimes committed in the course of, and with intent to interfere with, the Special Counsel’s investigation, such as perjury, obstruction of justice, destruction of evidence, and intimidation of witnesses.” It also covers similar crimes committed during the FBI’s investigation that was wrapped into the Special Counsel’s investigation.

Later memos confirmed that the investigation includes

• allegations that three Trump campaign officials – Carter Page, Paul Manafort, and George Papadopoulos – “committed a crime or crimes by colluding with Russian government officials with respect to the Russian government’s efforts to interfere with the 2016 presidential election”
• Manafort’s crime arising from payments he received from the Ukrainian government
• Manafort’s crimes arising from his receipt of loans from a bank whose CEO was then seeking a position in the Trump Administration
• allegations that Papadopoulos committed a crime or crimes by acting as an unregistered agent of the Israeli government
• four sets of allegations involving Michael Flynn, the former National Security Advisor to President Trump
• the “pertinent activities” of Michael Cohen, Richard Gates, Roger Stone, and two names redacted for personal privacy (PP) reasons
• leads related to Cohen’ s establishment and use of Essential Consultants LLC to, among other things, receive funds from Russian-backed entities
• individuals who might be working with people being investigated
• allegations that then-Attorney General Jeff Sessions made false statements to the United States Senate.

That’s a big investigation. Mueller inherited parts of this from the ongoing FBI investigation. It speaks to Mueller’s care that he confirmed with the Acting Attorney General that the bulleted points were indeed to be investigated. Two district court cases have confirmed the office’s authority to investigate these matters.

The Special Counsel’s office operated like a US Attorney’s office. The Office made its own judgements about what to investigate within the stated parameters and, for example, didn’t chase down every news item about a Russian contact with the campaign.

“Certain proceedings associated with the Office’s work” continue and have been transferred to the Department of Justice and the FBI.

The Special Counsel’s team at its max:

• 19 attorneys – five of whom joined the Office from private practice and 14 on detail or assigned from other Department of Justice components
• a filter team of Department lawyers and FBI personnel who screened materials for privileged information before turning those materials over to investigators
• three paralegals on detail from the Department’s Antitrust Division
• an administrative staff of nine responsible for budget, finance, purchasing, human resources, records, facilities, security, information technology, and administrative support.

They worked alongside approximately 40 FBI agents, intelligence analysts, forensic accountants, a paralegal, and professional staff assigned by the FBI to assist the Special Counsel’s investigation.

The Office

• issued more than 2,800 grand jury subpoenas
• executed nearly 500 search-and-seizure warrants
• obtained more than 230 orders for communications records
• obtained almost 50 orders authorizing use of pen registers
• made 13 requests to foreign governments
• and interviewed approximately 500 witnesses, including almost 80 before a grand jury.

The FBI also embedded personnel at the Office who did not work on the Special Counsel’s investigation, but rather reviewed the results of the investigation and sent written summaries of foreign intelligence and counterintelligence information to FBIHQ and FBI Field Offices. Not all of that information is included in this report.

This ends the preliminary materials in the report. They are important because they tell us some things about what Mueller thinks is important (that Russia interfered in the 2016 election) and how he went about the investigation.

Articles of interest:

Just Security: Unfinished Business: What Mueller Didn’t Cover, But Congress Can

Washington Post: Was Mueller’s dodge on obstruction a blunder — or brilliant?

 

The Mueller Report Book Club – The Special Counsel’s InvestigationPost + Comments (20)