A DEEP DIVE INTO THE OBAMA RESPONSE TO RUSSIAN DNC HACK (AND THEFT AND HARASSMENT)

Subject: A DEEP DIVE INTO THE OBAMA RESPONSE TO RUSSIAN DNC HACK (AND THEFT AND HARASSMENT)
Date: Sat, 7 Jan 2017
From: Andrei Liakhov <gaffriloff@yahoo.co.uk>

A DEEP DIVE INTO THE OBAMA RESPONSE TO RUSSIAN DNC HACK (AND THEFT AND HARASSMENT)

BY Andrei Liakhov
[Andrei Liakhov has over 20 years of experience with leading international law firms, private companies and government institutions in the United Kingdom, the Russian Federation, Lithuania, Canada, and Ukraine.]

In the mid 90s I was advising foreign investors on a gold project in Uzbekistan and was introduced to the then UK ambassador to Uzbekistan, Mr.Graig Murray. He later retired from the civil service and is currently involved with Wikileaks. Some weeks ago he was interviewed by the Daily Mail about the much discussed but very dubious Obama’s allegations about Russian hacking of the DNC. In this interview he stated that the bulk of email archive was passed to him by a disgruntled DNC employee. I was expecting all major media to pick up on this Watergate like story. However it was not reported anywhere, even by pro-Russian media like the RT and Sputnik. It even escaped the attention of the Russian watchers’ community and was not even covered by David Johnson’s Russia list – the most respectful internet resource for Russia-related news and analysis.

This prompted me to analyse the most recent set of President Obama’s Russia sanctions using my legal draftsman’s skills – it is how I read drafts of legal documents prepared by junior colleagues. I am a lawyer and am trained to look for inconsistencies, illogical combination of facts, mistakes, misstatements and manifest errors.

Lack of any relevant technical training is the main reason for much longer (and definitely excessive if this was prepared by an “anorak”) quotes from the most recent US sanctions documents I have taken the deep dive into whilst on a sailing holiday off the coast of West Africa.

Firstly let’s analyse the sanctions documents pack which includes:

(1) A “Voxsplainer” telling you “everything you need to know” about the package;
(2). An Obama statement;
(3). An additional list to Executive Order 13964 dated April 2015 (the date is really
Important) (the “EO”) expanding cyber sanctions addendum to include
elections related activities;
(4). State Department statement and expulsion order (note this is NOT directly related
to any alleged Russian activities in cyber space but rather as retaliation against
Russia for alleged harassment of US privileged staff); and
(5). Two documents about Russian hacking – which I will deal with at the end of this
rather long analysis.

1. THE VOXSPLAINER

Firstly there are two significant details in the Voxplanner which put a different prospective on the whole sanctions business.

The “response” is not just to “cyber operations aimed at our election” but also to “the Russian government’s aggressive harassment of U.S. officials.” Some of the most showy retaliation was actually specifically retaliation for the latter.

The other key detail is that, in describing Russia’s motive for the hack, the Voxsplainer steers very, very clear of the two more controversial Russian motives (to retaliate for covert operations against Russia, and to get Trump elected). Instead, the Voxsplainer provides the most vague (at best) description of Russia’s purpose.

Russia’s cyber activities were intended to influence (not clear how) the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of US electoral process, and undermine confidence in the institutions of the U.S. government.

“Faith, integrity, and confidence” are pretty squishy things that don’t require much proof. Lack of specific reference to the aim of getting Trump elected leaves too many avenues for future pressure on Trump opened should he really deviate from the DC Obkom “party line”.

2. OBAMA’S STATEMENT

Obama’s statement is basically a description of what he ordered (here, he admits some of the individual sanctions are for cyber-crime UNRELATED to the hack and, by implication to the Russian government). The most important part of the statement is the last paragraph:

“These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized. In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections.”

The bulk of overt sanctions Obama ordered are silly or downright counterproductive. But the actions took place alongside a claim that there would also be covert retaliation we won’t see. So we’ve got silly and counterproductive overt retaliation, with the promise of covert retaliation that may be much less silly, and could be extremely dangerous for the future of humankind as we know it. This is really scary for two reasons: (a) the way drone strikes are authorised; and (b) extra-judicial killing program being ran by several successive Administrations since the 1980 botched attempt to rescue US personnel in Iran through JSOC without any scrutiny and/or congressional or civil supervision. This program was expanded to include foreign leaders and US citizens under President Obama. Overt addition of GRU bosses to the sanctions list could make these persons legitimate targets for the JSOC. I would like to add that the way target selection process is designed and ran excludes the upper echelons of the White House from the list of people approving or being aware of particular targets and assasignation timings.

Obama also stated what the presumed goal of these actions are, to prevent Russia from undermining democratic norms, norms which the President-Elect has expressed intent to violate. This is clearly an attempt to put a bomb under Trump.

3. NEW CYBER-SANCTIONS

Obama extended the application of the EO to apply to election related hacking. The Voxsplainer doesn’t explicitly describe what’s new about the cyber-sanctions, leaving that to a separate fact sheet and an annex to the EO extending the sanctions. Instead, the Voxsplainer describes what the original EO had done, which basically permitted the President to sanction entities that hacked critical infrastructure or big money.

Curiously, the White House doesn’t appear to have issued a new version of the EO, relying solely on the fact sheet to explain the newly expanded scope. This is a clear deviation from the past practice of several predecessor Administrations and of President Obama’s himself.

Just as interesting there’s a subtle difference in the way the attached fact sheet describes the addition, and how Obama did in his statement. The fact sheet does not specify whether these sanctions only apply for the targeting of the US election processes or institutions, or for others. The fact sheet gives a rather general reason of including activities in cyber space aimed at tampering with the election process and only mentions unspecified “Russia’s recent activities” as the an example of an attempt to “interfere with elections” and is basically an excuse to authorize sanctions on those who:

“Tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions”.

However, Obama’s statement says the EO “provides additional authority for responding to certain cyber activity that seeks to interfere with or undermine our election processes and institutions, or those of our allies or partners.”

That Obama would extend such sanctions to protect US allies’ elections makes perfect sense if we apply a peculiar logic of “omnipotent, omnipresent aggressive Russia” currently prevailing in DC and its environs. Following this variety of political self delusion there could be a real concern about Russia’s plans for the upcoming French and German elections. But it’s also really funny given that the NSA and CIA have targeted the election institutions and processes of US allies Pakistan and Mexico and hacking into several election systems in the US. Does that mean Trump will have to sanction the NSA and CIA now? This is so confusing.

As to the sanctions themselves, they target the following:

1. Main Intelligence Directorate (a.k.a. Glavnoe Razvedyvatel’noe Upravlenie) (a.k.a. GRU); Moscow, Russia
2. Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB); Moscow, Russia
3. Special Technology Center (a.k.a. STLC, Ltd. Special Technology Center St. Petersburg); St. Petersburg, Russia
4. Zorsecurity (a.k.a. Esage Lab); Moscow, Russia
5. Autonomous Noncommercial Organization “Professional Association of Designers of Data Processing Systems” (a.k.a. ANO PO KSI); Moscow, Russia Individuals

1. Igor Valentinovich Korobov; DOB Aug 3, 1956; nationality, Russian
2. Sergey Aleksandrovich Gizunov; DOB Oct 18, 1956; nationality, Russian
3. Igor Olegovich Kostyukov; DOB Feb 21, 1961; nationality, Russian
4. Vladimir Stepanovich Alexseyev; DOB Apr 24, 1961; nationality, Russian

Firstly let’s consider references to the GRU and the FSB. The former is a military intelligence agency whose principal brief is to go after military secrets and mount special operations outside of Russia. It was drastically reduced from some 45,000 personnel to just over 3000 in 2011 and following appointment of Mr.Shoigu Minister of Defence is reported to concentrate its operations on hunting terrorists in many parts of the world
The FSB’s brief is counter intelligence and fighting organised crime and home grown terrorism. It is perfectly equipped to monitor domestic terror cells communications but has no reason to engage in political active operations outside of Russia. Given the inter-agency rivalry it is logical to suggest that these two are kept within their principal brief. Abscence of the SVR (Foreign Intelligence Service) from the sanctioned persons list makes one wonder whether CIA/DIA/NSA Russia analysts were actually consulted when the addendum was being drafted. This looks like a standard trainee solicitor mistake of failing to verify the facts underlying the document being drafted. Inclusion of these two Russian agencies looks like vengeance for their role in pacifying Syria and fighting real international terrorism and smacks of gratuitous sanctioning. It will be interesting to see how seriously this part of the sanctions gets taken, given that the US needs to cooperate with these two agencies on things like bombing ISIS or flow of Islamic terrorists to the US.

There has been some befuddlement about why Zorsecurity got included on the list, as it is owned by a Kiev based entrepreneur Alisa Esage Shevchenko who claims she doesn’t work for the Russian state and has been celebrated for her security research in the past.

Her company has no accreditation with the FSB which is a mandatory requirement for any company to get state security related work (accreditation is public information easily verifiable for a nominal fee). Shevchenko is a Ukrainian which in the current environment makes it virtually impossible for the FSB (or any other state agency) to give security related work.

Furthermore, the company ceased trading which is clearly evident from public records. It failed to file its tax returns and the last tax return showed the company had no income for some time. Under Russian law this makes the company a target for a strike off from the register of companies. Of course proponents of conspiracy theory could argue that this is a deliberate coverup, but for those who are familiar with how the Russian state procurement system works, inclusion of Esage into the sanctions list sounds like a blank shot into the wild blue yonder, or an attempt to kill competition.

Two other entities included – the St. Petersburg-based Special Technology Center and the Autonomous Noncommercial Organization’s Professional Association of Designers of Data Processing Systems – are not involved in design or distribution of software. The latter is simply a professional association of software designers which does nothing more than lobbying and industry public relations.

It is evident that drafters of this set of sanctions failed to do their verification (fact chrcking) properly and this choice is almost random. It looks like the U.S. government does not know who is behind the DNC hack.

Four of the individuals sanctioned are top GRU officials (making this the equivalent of the post-Sony sanction on North Korean officials).

In addition to the top GRU personnel , the Department of the Treasury added two Russian individuals, Evgeniy Bogachev and Aleksey Belan, under a pre-existing portion of the Executive Order for using cyber-enabled means to cause misappropriation of funds and personal identifying information. Both individuals have been included for stealing money through hacking rather than tampering with elections anywhere in the world.

4. DIPLOMATIC RETALIATION

As noted above, this package of actions actually responds not just to the election (and Bogachev and Belan’s crimes), but also to the alleged harassment of US personnel in Russia, which looks very much as a Clinton State Department team’s revenge for the Russian diplomatic victories in the Middle East and Latin America.

The beginning of the Voxsplainer says that the diplomatic measures were in retaliation for harassment that has gone on in the last year.

The part of the Voxsplainer that explains the actual actions says it responds to two years of harassment. This is clearly bad drafting, which I have not seen in the White House Documents for as long as I read them (since 1982 to be precise).

The relevant passage could have been drafted by the John Dulles State Department. I quote this in full before summarising incidents of “harassment’ these relate to:

“Over the past two years, harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior. Other Western Embassies have reported similar concerns.”

Firstly I want to point to a manifest inconsistency – the period does not cover time immediately after Boston Marathon terror attack when numerous CIA officers, most notably Randy Fogle (caught in the act of espionage by the way) were getting expelled from Russia. It does, however, cover incidents that have been reported since at least July, including this apparent attempt to detain someone who just barely made it into the US embassy, with ABC providing more detail in October. It is appropriate to note here that neither the U.K. nor French or German Embassies in Moscow reported any harassment within the last 24 months except three very drunk driving incidents with Western diplomats widely covered by Russian TV and the BBC at the time.

Drafters of the Voxplainer made another manifest error – they have mixed up New York properties the Russian diplomatic community is banned from. The administration ordered the closure of Norwich House in Upper Brookville, N.Y, but not of the nearby Killenworth Mansion in Glen Cove, N.Y., also owned by the Russians. An accompanying picture that showed Killenworth Mansion should have been of Norwich House

5. TWO DOCUMENTS ON RUSSIAN HACKING

Finally, the government released two documents on Russian hacking: a document introducing a Joint Analysis Report and the Joint Analysis Report itself. It appears the introductory document served mostly to get FBI, ODNI, and DHS all listed on one document – so there’s no doubt that this comes from the entire intelligence community, as the FBI has previously declined to sign off on a similar report.

It has this odd endorsement of many – but not all – claims made by a number of – but not all – security industry reports.

It makes abundantly clear that the summary is based on previously released information and it clearly states so. The summary also uses a very strange term of “endorsement” of some, but not all of this information by the US Government. It is not clear what exactly is meant by this term. Does “endorsement” mean that the Government confirms that private research is correct or does it simply agree that some parts of it are possibly true? I guess we’ll just have to guess which parts the security firms got right and which they did not.

As for the Joint Analysis Report (JAR), it purports to be an alert to make everyone more vigilant against Russian hacks. A number of tech experts have criticized the contents. Robert Graham calls them a “political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.” Robert M Lee says the report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” Jerry Gamblin notes that a fifth of the IP addresses included were “Tor exit nodes, meaning they could be used by anyone”. Wordfence analyzes one malware sample and finds that it “is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence.” Ultimately, my British techhie friends I asked to comment complained that the report is utterly uselessl for defensive purposes, which is what it was designed for in the first place.

And even though the report is supposed to only address defense (with the yet to be submitted report to Congress designed to provide details on the actual attacks) there is an odd detail in the narrative about the attack. After describing APT 29 (associated with FSB) and APT 28 (associated with GRU) generally, the report includes these two paragraphs:

‘In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Of FSB’s attack (APT29 ), the report states that at least one person clicked a bad link. After infesting (not a technical term!) the DNC server, the report describes, FSB “exfiltrated email from several accounts through encrypted connections.”

I was advised that the effect of these paragraphs is that the US Government was aware of the alleged “GRU” penetration and was watching it as it was happening. This opens a very interesting line of enquiry: (a) why did the Government fail to do anything at the time; and (b) why no sanctions were imposed at the time?

Description of the “GRU” hack (APT 28) compares poorly with a rather general description of APT 29. It does not give any clues as to how the malvere was initiated or whether any information was actually exfiltrated.

That is an important admission by the Government, as the GRU is presumed to pass DNC information to Wikileaks. The Government admitted not only to the lack of any evidence that any documents were actually stolen, but it also admitted that it has no idea whether there is any link between the GRU and Wikileaks.

It would also be appropriate to note here that none of the documents in the pack refers to John Podesta or to the content of any of the documents allegedly stolen by the Russians.

Having been a civil servant for quite a long time and having advised several Governments for neatly 30 years I do not believe in any conspiracy theories. In my experience the simpliest explanation proves to be correct in 99% of cases.

I have not been closely following the alleged “Russian” hacking story as I thought it was a DNC hoax from the very start. This view was re-enforced by Murray’s revelations and highly dubious quality of the latest sanctions pack.

It seems that Russia is being used by the outgoing Administration to limit Trump’s ability to conduct policies materially different from those of the current Administration. It is within the realms of possible for the Democrats to attempt to use this as the basis to commence impeachment process against President Trump. Obama is keen to distort the truth to the extent necessary to be able to have a decisive (even if from the back seat) influence over Trump.

[featured image is file photo]