By Patrick BAHZAD
There are nine days left until Inauguration Day and it feels like each one of these days is going to count. A shit-storm of epic proportions is blowing over the US, coast to coast, and I cannot remember having witnessed anything of this magnitude since, well, since 9/11 and the case for WMDs. You might think that is a bad analogy. Maybe. But I can smell when something is not right from a mile away and, believe me, something is not right here. I will not engage in lengthy speculations about what is going to happen now, or whether or not someone colluded with someone else. What I am going to do though is present a brief reminder of the facts (the evidence if you like) and then throw in a couple of thoughts based on my personal experience and gut feeling.
To be honest, I don't like Trump. He is a successful businessman though and I respect that. He campaigned hard, said a lot of things (some of which I found disgusting), but he also – obviously – touched on something that is dear to a significant segment of the electorate. He won the election fair and square, in line with the provisions of the US Constitution, and I would challenge anyone to prove otherwise. As far as I'm concerned, that is the end of the story. Now of course, the issues that we have been dealing with since early December are not linked to the election as such. Remember? The current debate started when the dust had settled on all the claims about "Hillary won the popular vote", "let's do a recount" and so on. I'm not sure this is a coincidence, but that is just me …
The DHS/FBI "Joint Analysis Report"
The fact is, however, that the first official IC report to look into the matter of the DNC hack was the DHS/FBI "Joint Analysis Report" of December 29th 2016. And what a strange report that was, starting with a disclaimer which read that the report was "provided for information purposes only. The Department of Homeland Security does not provide any warranties of any kind regarding any information contained within". Admittedly, you need to take a few basic precautions with intel reports. But claiming, as a matter of baseline, that you can't be held accountable for anything you're writing does sound a little weird.
There were weirder elements still in the report itself, which is basically a summary of findings made by private cybersecurity companies which dealt with the DNC hack, in particular "Crowdstrike". But those findings only make up 3 pages out of the 13 contained in this JAR. The rest is related to barely relevant technical details or to mitigation strategies and practices any 5-year-old should be aware of. There was also a list of suspicious IP addresses that organizations should be on the lookout for, because they could potentially be linked to the entities that attacked the DNC. Funnily enough, some 40% of these addresses were TOR exit nodes (you can make up your own mind about what this could mean) and some addresses were even attributed to the wrong country: IPs in Switzerland were identified as "Swaziland", Danish IPs as German (probably because ".dk" can be easily misread as ".de").
Typos and misunderstandings, you might say. But that kind of error, in addition to the global layout of the report, definitely points to a very rushed approach, not to an intel report that is carefully worded and thought through. Talking about intel, what did the JAR have to say in that regard? Well, not much actually, at least not much more than the reports published weeks and months before by cybersecurity experts who had analyzed the DNC hack.
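The indicator list described above is the one place in the JAR a defender could act on directly, and the two defects the post names (shared Tor exit nodes, wrong country labels) are exactly what a triage pass should catch before the list is loaded into a SIEM or firewall. The following is an added example, not code from the original post and not the JAR's own data: every IP, country label and Tor exit entry below is constructed for illustration, and the reference lookup stands in for a maintained geolocation database and the Tor Project's published exit list.

```python
"""Added example: triage of a published indicator feed before deployment.

All data below is constructed for illustration; none of it is taken from
the DHS/FBI JAR or any real feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed feed in the style of a "be on the lookout for" list:
# (indicator, country the feed claims it belongs to).
FEED: List[Tuple[str, str]] = [
    ("198.51.100.7", "Switzerland"),
    ("198.51.100.8", "Swaziland"),
    ("203.0.113.21", "Germany"),
    ("203.0.113.22", "Denmark"),
    ("192.0.2.33", "United States"),
    ("192.0.2.34", "Netherlands"),
]

# Constructed stand-in for an independent geolocation / WHOIS lookup.
REFERENCE_COUNTRY: Dict[str, str] = {
    "198.51.100.7": "Switzerland",
    "198.51.100.8": "Switzerland",   # feed says Swaziland: mislabeled
    "203.0.113.21": "Denmark",       # feed says Germany: mislabeled
    "203.0.113.22": "Denmark",
    "192.0.2.33": "United States",
    "192.0.2.34": "Netherlands",
}

# Constructed stand-in for a Tor exit-node list (the real one is published
# by the Tor Project and changes continuously, so it must be refreshed).
TOR_EXITS: Set[str] = {"192.0.2.33", "192.0.2.34", "203.0.113.22"}


@dataclass
class Verdict:
    indicator: str
    claimed_country: str
    reference_country: Optional[str]
    country_mismatch: bool   # feed's label disagrees with the reference
    tor_exit: bool           # address is a shared Tor exit, so low specificity


def triage(feed: List[Tuple[str, str]],
           reference: Dict[str, str],
           tor_exits: Set[str]) -> List[Verdict]:
    """Cross-check each feed entry against the reference data."""
    verdicts = []
    for ip, claimed in feed:
        ref = reference.get(ip)
        verdicts.append(Verdict(
            indicator=ip,
            claimed_country=claimed,
            reference_country=ref,
            country_mismatch=(ref is not None and ref != claimed),
            tor_exit=(ip in tor_exits),
        ))
    return verdicts


def summarize(verdicts: List[Verdict]) -> dict:
    """Feed-quality figures a reviewer would want before trusting the list."""
    n = len(verdicts)
    tor = sum(1 for v in verdicts if v.tor_exit)
    mism = sum(1 for v in verdicts if v.country_mismatch)
    return {
        "total": n,
        "tor_exit_share": round(tor / n, 2) if n else 0.0,
        "country_mismatches": mism,
        # Entries that can be alerted on at face value: not a shared Tor exit
        # and not carrying a labeling error that marks the feed as sloppy.
        "usable": [v.indicator for v in verdicts
                   if not v.tor_exit and not v.country_mismatch],
    }


if __name__ == "__main__":
    for v in triage(FEED, REFERENCE_COUNTRY, TOR_EXITS):
        print(v)
    print(summarize(triage(FEED, REFERENCE_COUNTRY, TOR_EXITS)))
```

On the constructed feed half the entries are Tor exits and two are mislabeled, leaving a single indicator worth an alert on its own. The design point is that a match on a Tor exit address tells you only that someone used Tor, not which actor did, so such entries belong in a low-confidence enrichment tier rather than a block list; and a feed whose country labels fail a cheap consistency check deserves the same scepticism for its other, unverifiable claims.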
The only thing new or different in the December 29th report was actually that DHS and FBI came up with a new name for the hackers and that in itself is interesting: "Grizzly Steppe". Good title for a novel if you ask me, and definitely catchy. The thing is, up until then, everybody in the private sector who had been involved with the analysis of the hack basically had identified two different hacker groups, which had both hacked the DNC at various moments and for different periods of time.
In short, what DHS/FBI called "Grizzly Steppe" were actually known up until then as "Advanced Persistent Threat 28", aka "Fancy Bear", and "Advanced Persistent Threat 29", aka "Cozy Bear". Let's not burden ourselves with technical details here, there is plenty of literature out there about both groups, their methods and tools. Suffice to say that APT 28 is considered to be part of GRU (Russian military intelligence) and APT 29 of FSB (Russian domestic intelligence).
Questions arising from the JAR
Each of these two entities hacked the DNC at specific times that did not overlap and it seems that only material recovered by the GRU was subsequently leaked and damaged the Democratic Party in the election. The FSB hackers on the other hand seemed to stick more to intel work in the traditional and commonly accepted way, breaking into DNC servers, stealing information, but basically keeping it for further use, like any intelligence agency might do in similar circumstances.
Why then would the DHS/FBI bundle both these groups together into one big "Grizzly Steppe" hacking operation? To be honest, I don't know, but it certainly makes things easier for anyone wishing to make an easy case about "Russia meddling in the US presidential election". After all, attribution of cyber-attacks is difficult enough when you've got one attacker, let alone when you've got two.
So maybe, just maybe, someone decided to cut corners a little for the sake of making the charges stick. To be honest, there is not much doubt in my mind that the first hacking, i.e. the "intelligence gathering" operation, was done by the Russians. There is ample evidence to back up such a claim. The second however, which is the one that really matters because it ended with the leaks, raises at least one question.
The "smoking gun" that was provided by "Crowdstrike" private cybersecurity to prove Russian GRU was behind this attack was a software tool known as "X-agent", of which Crowdstrike found traces in its forensic analysis of the DNC servers. That tool is closely associated with GRU hackers, so much so that it is considered by many experts as a kind of digital fingerprint or DNA of GRU involvement. The problem is that this tool is not used exclusively by GRU hackers anymore and the much hyped up analogy with a Russian cyber operation against Ukrainian artillery units in 2014, which allegedly also used "X-agent" to devastating effect against Kiev's forces, does not seem to provide the strength of evidence needed to be affirmative that "X-agent" is indeed solid proof of GRU involvement.
The CIA/FBI/NSA "Intelligence Community Assessment"
The JAR report however did not bother going into such details, as it just simply stated that two separate groups of Russian hackers were responsible for the hacks. Period. Overall, not really compelling evidence. This is where the "Intelligence Community Assessment" of January 7th 2017 comes into play. This unclassified/public version is the result of CIA, FBI and NSA analysis of evidence covering the same ground as the JAR of December 29th 2016. Only seven days in between both documents. You have got to wonder why, if the first report already felt a bit rushed and unconvincing, the IC felt compelled to produce a second one that quickly afterwards?
Of course, some people did entertain the idea that the ICA report might contain stronger evidence or feature elements not mentioned in the first JAR report. And in truth, there was more detail in it. Only that it did not amount to much, especially considering what various cybersecurity companies had argued already weeks or months earlier, just that it was now given the official seal of "approval" of the US intelligence community.
And oddly, the actual intelligence part in the ICA was only 5 pages long (out of a total of 25) with the rest being barely relevant (and outdated) attachments relating mainly to the Russian TV channel "Russia Today", dubbed part of the Kremlin's media and propaganda machine. A case that could be made by any freshman studying journalism and certainly not the stuff intel reports should be made of. There were also a couple of minor mistakes in the assessment, but the main difference with the previous joint FBI/DHS report was the strong wording attributing the hacks to the Kremlin and alleging Russia's very clear-cut preference for a Trump, rather than an HRC, presidency.
In other words, the evidence was still begging but this was definitely a step or two up in terms of the narrative that we were being fed. You might think that this should have been the end of it. At least, as far as the public was concerned. After all, the other (classified and compartmentalized) versions of the ICA were not intended for public disclosure and were discussed, as they should be, by those they were intended for. Therefore, yes, you might think this should have been the end of the exercise in public disclosure, but you would be mistaken.
Yesterday, Tuesday January 10th 2017, a mere three days after the release of the ICA which failed to make a big impression, a document was leaked by Buzzfeed and discussed – although not published – by CNN. This document makes some of the most extravagant accusations I have ever heard.
The Trump "dossier"
What CNN alluded to is actually a dossier containing 17 short "intelligence reports" drafted between June and December 2016 by a private intelligence company headed by a former (anonymous) MI6 officer with – allegedly – extensive source networks in Russia and Eastern Europe. The various reports contain extremely serious allegations, based on anonymous HUMINT sources and – possibly – various SIGINT intercepts, although the reports do not state this clearly. In other words, this "dossier" is the work of a nameless former intelligence officer who quotes anonymous sources.
But the story doesn't end there. Turns out, the "dossier" itself was handed over to the FBI by none other than Sen. John McCain, sometime after December 13th, and was being analyzed carefully by the FBI because the MI6 person who had drafted those documents was considered credible by the intelligence community. Furthermore, it appears that this private intelligence work had been done as part of "opposition research" on Donald Trump. The ex-MI6 officer had been tasked with it first by Republican opponents of Mr. Trump, who quickly withdrew their request, which was then taken up by the Democratic Party.
Cherry on top, various parts of the "dossier" had been circulating among journalists in the US for weeks already, but had not been published, basically because the allegations in those reports could neither be verified nor proven. And not only was it known to the media, but obviously also to politicians, who made suggestions in several instances as to potential wrongdoing by team Trump, prior to, during and after the election campaign.
I am not going to discuss the content of those allegations. Anybody who is interested can find the document online and have a look at it. What strikes me is that this is either the most outrageous attempt at discrediting a President-elect or the most unheard of collusion between a US Presidential candidate and a foreign power aiming at disruption of democratic elections in the United States.
Trump gave a few pointers about what he thought of the "dossier" during his press conference this afternoon. Needless to say, he is not amused, as CNN's reporter found out. As was also to be expected, the identity of the nameless former MI6 person is about to be known, and probably commented on nationwide. Meanwhile, the House Intelligence Committee voted to allow all members of the House to get access to Friday's classified briefing on the hacking report. Nine days to go. Nine long days …