More Russiagate: The New Yorker, Julian Assange and Guccifer 2.0

Every so often during the Russiagate story, whenever one senses growing doubts about some aspect of the story, a gigantic article appears in some part of the US media which appears intended to still those doubts.

The latest example a gigantic article by Raffi Khatchadourian which has recently appeared in the New Yorker, and which is purportedly about Julian Assange, but which when read carefully is actually about Russiagate.

A consistent feature of these articles is that though they present themselves as works of investigative journalism, in terms of actual new information they invariably provide little or nothing that is actually new.  This article in the New York Times is no exception, and as I will discuss what it actually does is repeat – at great length – claims about the persona known as Guccifer 2.0 which have appeared before.

The purpose of the article is to squash doubts about Russian intelligence involvement in the hacks  or alleged hacks of the computers of John Podesta and the DNC, and of Russian intelligence involvement in providing the results of those hacks or alleged hacks to Wikileaks.  It does this by giving heavy focus to the Guccifer 2.0, which it accepts as Russian, and by seeking to provide what it claims is conclusive evidence of a connection between Wikileaks and Guccifer 2.0.

The article provides a case study of the danger of the subject of such an article cooperating with its author.

The subject in this case is Julian Assange, who met with the writer of the article – Raffi Khatchadourian – and who provided Khatchadourian with much of the material which is used in the article.  His reward is an article that ignores his repeated denials of Russian involvement in Wikileaks’s publication of the DNC and Podesta emails, and which is filled with not-too-subtle smears of him.  These smears deserve an article in themselves, but this article is not the place for them.

Before discussing what the article says about Guccifer 2.0 I must however comment on one paragraph that I found especially misleading

Ambassador Craig Murray, the friend to WikiLeaks, insisted that Russia was not the source of the D.N.C. e-mails; he knew firsthand, he said, because he had met Assange’s source in the woods behind a chapel at American University. Kim Dotcom, a flamboyant Internet entrepreneur and a close associate of Assange, told me in April that he had firsthand knowledge of the source: an insider who had smuggled in a USB stick with malware on it. “It’s not a Russian hack,” he insisted. Anthony Shaffer, a retired lieutenant colonel, knew firsthand, too; he told me about an intricate conspiracy of retired intelligence workers, unhappy about Clinton’s handling of her State Department e-mails, who formed a “task organization” to dig up material. When I mentioned the theories to Assange, he laughed. “They totally contradict each other!” he said.

I know little of Kim Dotcom and nothing at all of lieutenant colonel Shaffer but what they are reported to have said in private to Khatchadourian cannot be compared to what Craig Murray – a known friend of Assange, and an acknowledged whistleblower and truthsayer – has repeatedly said in public.  Moreover Kim Dotcom’s alleged comment does not actually contradict what Craig Murray has publicly, though Shaffer’s alleged comment obviously does.  Note further that Assange’s reported response to these comments – “they totally contradict each other” – is not a denial that all or any them are true.

I do not know what Assange meant by his comment.  However if one assumes Craig Murray’s public repeated claims are true, then possibly what Assange meant was that Shaffer’s alleged comment contradicts Murray’s – which it does – whilst hinting that Kim Dotcom is pretending to know more than he does – which given Kim Dotcom’s background would not be at all surprising.  More than that Assange obviously did not feel able to say because doing so would have revealed more about his source than he – as Khatchadourian must know – is prepared to say.

This paragraph is clearly intended to discredit Craig Murray’s public claim of knowledge of who the leaker was.  Not only does Craig Murray however have a very well-established reputation for truth-telling, but he has repeatedly and publicly spoken of his surprise that he has not been interviewed about his claim by the FBI.  Nothing Khatchadourian says in the article actually casts doubt on the truth of what Craig Murray is saying, Assange’s reported response certainly does not do so.

Putting this frankly unattractive sleight of hand to one side, here is what Khatchadourian has to say about the identity of Guccifer 2.0 as a Russian intelligence front

Throughout June, cybersecurity analysts built a case that it was a Russian front—a conclusion that was amplified by Democratic operatives. Forensic traces in the records on WordPress, and in the persona’s linguistic quirks, linked it to Russia. Its handlers had also provided the Smoking Gun with the password to the Clinton press aide’s e-mails posted on DCLeaks, demonstrating its unique access to the site, and, by extension, its ties to a coördinated propaganda effort.

In other words the evidence that Guccifer 2.0 is a Russian intelligence front boils down to (1) ‘cybersecurity analysts’ – ie. Crowdstrike, though Khatchadourian in this instance fails to identify them – claiming to have found metadata which suggests that it is; and (2) Guccifer 2.0’s connection to DCLeaks, which supposedly shows that it is part of “a coordinated propaganda effort”.

Claim (2) is circular and should therefore be disregarded.  As for claim (1), it is precisely the fact that metadata associated with Guccifer 2.0 altogether too obviously points to a Russian connection that other cybersecurity analysts and retired intelligence officers have their doubts.  Here for example is what Scott Ritter – a former high ranking US intelligence officer about whom I will have much more to say below – says about precisely this point

My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.

On any question involving the professionalism and “dedication to operational security” of the Russian intelligence services I prefer the opinion of someone like Scott Ritter – a former US intelligence officer who has actually dealt with them  – to the opinions of someone like Khatchadourian, who as far as I know has not.

If Khatchadourian’s assertion that Guccifer 2.0 is a front for Russian intelligence looks frankly threadbare, what of his assertion that Guccifer 2.0 is the source of the emails that Wikileaks hacked?

Khatchadourian is dismissive of Julian Assange’s vigorous denials that Russian intelligence was the source of the leaks, and in a long passage which touches on the alleged role of Guccifer 2.0 he explains why in a way that also explains what he believes was the role of Guccifer 2.0 in the whole Russiagate scandal

In our many conversations about the election, the most striking thing was Assange’s emotion: the frustration he expressed when faced with suggestions that his material was linked to Russian intelligence, or the way he shook his fist when he insisted that he had been robbed of credit. But his protestations that there were no connections between his publications and Russia were untenable.

There are several, and they go beyond Guccifer 2.0’s insistence that it was responsible for the WikiLeaks releases. In early July, for example, Guccifer 2.0 told a Washington journalist that WikiLeaks was “playing for time.” There was no public evidence for this, but from the inside it was clear that WikiLeaks was overwhelmed. In addition to the D.N.C. archive, Assange had received e-mails from the leading political party in Turkey, which had recently experienced a coup, and he felt that he needed to rush them out. Meanwhile, a WikiLeaks team was scrambling to prepare the D.N.C. material. (A WikiLeaks staffer told me that they worked so fast that they lost track of some of the e-mails, which they quietly released later in the year.) On several occasions, and in different contexts, Assange admitted to me that he was pressed for time. “We were quite concerned about meeting the deadline,” he told me once, referring to the Democratic National Convention.

His original release date for the D.N.C. archive, he explained, was July 18th, the Monday before the Convention; his team missed the deadline by four days. “We were only ready Friday,” he said. “We had these hiccups that delayed us, and we were given a little more time—” He stopped, and then added, strangely, “to grow.” (Later, when I asked about the comment, he argued that my recording of his saying it was faulty.) It was unclear who had given him time, but whoever it was clearly had leverage over his decisions.

A few weeks before WikiLeaks published, Guccifer 2.0 appeared to demonstrate just this type of leverage. Throughout June, as WikiLeaks staff worked on the e-mails, the persona had made frequent efforts to keep the D.N.C. leaks in the news, but also appeared to leave space for Assange by refraining from publishing anything that he had. On June 17th, the editor of the Smoking Gun asked Guccifer 2.0 if Assange would publish the same material it was then doling out. “I gave WikiLeaks the greater part of the files, but saved some for myself,” it replied. “Don’t worry everything you receive is exclusive.” The claim at that time was true. None of the first forty documents posted on WordPress can be found in the WikiLeaks trove; in fact, at least half of them do not even appear to be from the D.N.C., despite the way they were advertised.

But then, on July 6th, just before Guccifer 2.0 complained that WikiLeaks was “playing for time,” this pattern of behavior abruptly reversed itself. “I have a new bunch of docs from the DNC server for you,” the persona wrote on WordPress. The files were utterly lacking in news value, and had no connection to one another—except that every item was an attachment in the D.N.C. e-mails that WikiLeaks had. The shift had the appearance of a threat. If Russian intelligence officers were inclined to indicate impatience, this was a way to do it.

On July 18th, the day Assange originally planned to publish, Guccifer 2.0 released another batch of so-called D.N.C. documents, this time to Joe Uchill, of The Hill. Four days later, after WikiLeaks began to release its D.N.C. archive, Uchill reached out to Guccifer 2.0 for comment. The reply was “At last!”

Given that Assange had barely published before the Convention, I asked if his source ever expressed impatience. “I am not describing communications with a source,” he said. “The source did not mandate a publication time.”

I asked again if his source ever expressed impatience. “Sources have leverage,” I said. “They can take a pile of e-mails and they can give those e-mails to someone else.”

“They could give them to someone else,” he said, curtly. “Sure.”

Someone close to WikiLeaks told me that before Assange published the Podesta e-mails he faced this precise scenario. In mid-August, Guccifer 2.0 expressed interest in offering a trove of Democratic e-mails to Emma Best, a journalist and a specialist in archival research, who is known for acquiring and publishing millions of declassified government documents. Assange, I was told, urged Best to decline, intimating that he was in contact with the persona’s handlers, and that the material would have greater impact if he released it first.

Whatever one thinks of Assange’s election disclosures, accepting his contention that they shared no ties with the two Russian fronts requires willful blindness. Guccifer 2.0’s handlers predicted the WikiLeaks D.N.C. release. They demonstrated inside knowledge that Assange was struggling to get it out on time. And they proved, incontrovertibly, that they had privileged access to D.N.C. documents that appeared nowhere else publicly, other than in WikiLeaks publications. The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.) All the D.N.C. documents that Guccifer 2.0 released appeared to come from those same two departments.

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published. Moreover, all of the hacked election e-mails on DCLeaks appeared to come from Clinton staffers who used Gmail, and of course Podesta was a Clinton staffer who used Gmail. The phishing attacks that targeted all of the staffers in the spring, and that targeted Podesta, are forensically linked; they originated from a single identifiable cybermechanism, like form letters from the same typewriter. SecureWorks, a cybersecurity firm with no ties to the Democratic Party, made this assessment, and it is uncontested. Speaking with Assange, I explained that I would have to acknowledge this. He nodded, and said nothing.

This is an over-complicated way of saying that Khatchadourian thinks that because Guccifer 2.0 at various times expressed impatience with Wikileaks’s delay in publishing the emails, that must means Guccifer 2.0 not only provided the emails to Wikileaks but had “inside knowledge” of what Wikileaks was doing, and was blackmailing Wikileaks to speed up publication of the emails.

In addition because DCLeaks published some of the same material as Wikileaks that supposedly proves it was Guccifer 2.0 which provided Wikileaks with the material.

This is strange logic.

Julian Assange announced in the middle of June 2016 that Wikileaks was preparing to publish information damaging to Hillary Clinton.   When Guccifer 2.0 appeared on the scene in early July 2016 several weeks had already passed after Assange’s announcement.  If Guccifer 2.0 wanted to claim credit for a leak of the emails it actually had nothing do with, then nothing would have been easier than for it to pretend to impatience as the days without the emails appearing.

As for the claim that Guccifer 2.0 was blackmailing Wikileaks by threatening to provide the emails to others unless Wikileaks published them, there is nothing in Khatchadourian’s claim that warrants that claim.  Besides if Guccifer 2.0 wanted the emails published as quickly as possible, why would it go to the trouble of blackmailing Wikileaks rather than simply providing the emails to someone else would be less careful about publishing them?  The blackmail theory not only lacks evidence but lacks logic.

As for some of the other claims Khatchadourian makes, such as that that some of the same material published by Wikileaks was also published by DCLeaks – which Khatchadourian assumes to be connected to Guccifer 2.0 basically because he assumes that both are connected to Russia – I am entirely unable to see why that proves that Wikileaks must have got this material from Guccifer 2.0, let alone from Russia.  As I will discuss below, Scott Ritter is also unable to follow this logic, and is of the same view.

Lastly, I will frankly admit that I don’t understand the point Khatchadourian is making in this paragraph

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published. Moreover, all of the hacked election e-mails on DCLeaks appeared to come from Clinton staffers who used Gmail, and of course Podesta was a Clinton staffer who used Gmail. The phishing attacks that targeted all of the staffers in the spring, and that targeted Podesta, are forensically linked; they originated from a single identifiable cybermechanism, like form letters from the same typewriter. SecureWorks, a cybersecurity firm with no ties to the Democratic Party, made this assessment, and it is uncontested. Speaking with Assange, I explained that I would have to acknowledge this. He nodded, and said nothing.

(bold italics added)

What “single identifiable cybermechanism” is Khatchadourian talking about?  Is he saying that because all the emails published by Wikileaks and DCLeaks were originally sent via Gmail that proves that they must both be the product of a single hack?  If so then that conclusion seems to me unwarranted, especially given the insistence of Craig Murray and others that Wikileaks obtained the emails not as the result of a hack but through a leak.

Frankly the tortuous language of this paragraph – with the parallel it draws between traces left by hacking tools and the unique traces left by mechanical typewriters – which by the way I suspect is both wrong and misleading – looks to me to be intentionally confusing, as if written to suggest that there is more there than there actually is.

 If the question Khatchadourian says he posed to Assange was expressed in anything like the language of this paragraph then I find it completely unsurprising that Assange was baffled by it, so that he failed to respond to it.  Needless to say Khatchadourian treats that as an admission.

Let us now compare Khatchadourian’s vague and convoluted reasoning, with all its unwarranted assumptions and leaps of logic, to the tough minded and fact based assessment of Guccifer 2.0 by Scott Ritter, a senior veteran intelligence officer who incidentally does not share some of the opinions recently expressed by the Veteran Intelligence Professionals for Sanity (“VIPS”) group of which he is a member, whose recent report I discussed previously

On Oct. 6, 2016, the Office of the Director of National Intelligence and the Department of Homeland Security published a joint statement that noted that the “recent disclosures of alleged hacked e-mails” by Guccifer 2.0 (and others) “are consistent with the methods and motivations of Russian-directed efforts,” without further elaboration beyond declaring that “the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”

Rep. Schiff, the aforementioned Democratic co-chair of the House Intelligence Committee, stated in March 2017 that “a hacker who goes by the moniker, Guccifer 2.0, claims responsibility for hacking the DNC and giving the documents to WikiLeaks. … The U.S. intelligence community also later confirmed that the documents were in fact stolen by Russian intelligence, and Guccifer 2.0 acted as a front.”

The problem is that there simply isn’t any hard data in the public domain to back up these statements of fact. What is known is that a persona using the name Guccifer 2.0 published documents said to be sourced from the DNC on several occasions starting from June 15, 2016. Guccifer 2.0 claims to have stolen these documents by perpetrating a cyber-penetration of the DNC server. However, the hacking methodology Guccifer 2.0 claims to have employed does not match the tools and techniques allegedly uncovered by the cybersecurity professionals from CrowdStrike when they investigated the DNC intrusion. Moreover, cyber-experts claim the Guccifer 2.0 “hack” could not have been executed as he described.

What CrowdStrike did claim to have discovered is that sometime in March 2016, the DNC server was infected with what is known as an X-Agent malware. According to CrowdStrike, the malware was deployed using an open-source, remote administration tool known as RemCom. The malware in question, a network tunneling tool known as X-Tunnel, was itself a repurposed open-source tool that made no effort to encrypt its source code, meaning anyone who gained access to this malware would be able to tell exactly what it was intended to do.

CrowdStrike claimed that the presence of the X-Agent malware was a clear “signature” of a hacking group—APT 28, or Fancy Bear—previously identified by German intelligence as being affiliated with the GRU, Russian military intelligence. Additional information about the command and control servers used by Fancy Bear, which CrowdStrike claims were previously involved in Russian-related hacking activity, was also reported.

The CrowdStrike data is unconvincing. First and foremost, the German intelligence report it cites does not make an ironclad claim that APT 28 is, in fact, the GRU. In fact, the Germans only “assumed” that GRU conducts cyberattacks. They made no claims that they knew for certain that any Russians, let alone the GRU, were responsible for the 2015 cyberattack on the German Parliament, which CrowdStrike cites as proof of GRU involvement. Second, the malware in question is available on the open market, making it virtually impossible to make any attribution at all simply by looking at similarities in “tools and techniques.” Virtually anyone could have acquired these tools and used them in a manner similar to how they were employed against both the German Parliament and the DNC.

The presence of open-source tools is, in itself, a clear indicator that Russian intelligence was not involved. Documents released by Edward Snowden show that the NSA monitored the hacking of a prominent Russian journalist, Anna Politkovskaya, by Russian intelligence, “deploying malicious software which is not available in the public domain.” The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.

Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers have been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration.

Which brings up perhaps the most curious aspect of this entire case: The DNC servers at the center of this controversy were never turned over to the FBI for forensic investigation. Instead, the FBI had to rely upon copies of the DNC server data provided by CrowdStrike. The fact that it was CrowdStrike, and not the FBI, that made the GRU attribution call based upon the investigation of the alleged cyber-penetration of the DNC server is disturbing. As shown here, there is good reason to doubt the viability of the CrowdStrike analysis. That the FBI, followed by the U.S. Congress, the U.S. intelligence community, and the mainstream media, has parroted this questionable assertion as fact is shocking.

The Guccifer 2.0 story is at the center of the ongoing controversy swirling around the Trump White House concerning allegations of collusion with Russia regarding meddling in the 2016 presidential election. While APT 28/Fancy Bear is not the only alleged Russian hacking operation claimed to have been targeting the DNC, it is the one that has been singled out as “weaponizing” intelligence—employing stolen documents for the express purpose of altering public opinion against Hillary Clinton. This act has been characterized as an attack against America, and was cited by President Barack Obama when he imposed sanctions on Russia in December 2016 and expelled 35 Russian diplomats. Congress has also referred to this “attack” as the principal justification for a bill seeking new and tougher sanctions targeting Russia….

To date there has been no examination worthy of the name regarding the facts that underpin the accusations at the center of the American argument against Russia—that the GRU hacked the DNC server and used Guccifer 2.0 as a conduit for the release of stolen documents in a manner designed to influence the American presidential election.

(bold italics added)

In other words it is so unlikely as to be all but impossible that Guccifer 2.0 has anything to do with Russian intelligence; there is no hard evidence that connects Guccifer 2.0 to the alleged hack of the computers of the DNC and John Podesta claimed by Crowdstrike; and there is no evidence which connects Guccifer 2.0 to Wikileaks.

I have nothing to add to Scott Ritter’s points save to say that if Guccifer 2.0 really were a Russian intelligence operation then the logic behind it escapes me.

Why if Guccifer 2.0 really were created by Russian intelligence would the Russians go out of their way through Guccifer 2.0 to claim that Wikileaks had obtained the emails because of a hack, when most people’s assumption would otherwise have been that Wikileaks obtained the emails through a leak?  Would the Russians not realise that claiming it was a hack would draw suspicion upon them? Would it not make far more sense to leave Wikileaks alone to do its job by publishing the emails?  Is that not far more consistent with the sort of covert operation a highly professional intelligence service like the Russian might be expected to carry out than the all-too public bragging of Guccifer 2.0?

As for the Russians needing to use Guccifer 2.0 to pressure Wikileaks to publish the emails, why – as I have said previously – would the Russians if they were becoming impatient with Wikileaks not have provided the emails through someone else?  Why if they wanted to blackmail Wikileaks could they not have done it privately?  Why create a whole public persona like Guccifer 2.0 to do it when again that would merely have drawn suspicion back upon them?

Needless to say, if the Russians nonetheless really did create Guccifer 2.0 in order to blackmail Wikileaks – implausible though that frankly is – would they not have taken basic precautions to ensure their identity was concealed?

Overall the whole Guccifer 2.0 persona looks just too childish and amateur to be the work of Russian intelligence, which is of course precisely the point Scott Ritter makes.

As anyone with knowledge of investigations knows, whenever some great but mysterious public crime or act takes place all sorts of narcisstic and self-aggrandising people come forward to claim responsibility, often doing so anonymously.  Sometimes – usually because of luck or coincidence – they hit on something which may make it appear that they have inside knowledge which in reality they do not have.  Examples of this are legion, starting with the infamous Jack the Ripper “Dear Boss” letter which confused the Victorian police.

The VIPS team on the basis of a forensic report whose conclusions are however questioned by Scott Ritter have hinted that Guccifer 2.0 may have been created as a ‘damage control’ tool by someone wanting to divert attention away from the publication of material by Wikileaks that might have been damaging to Hillary Clinton by casting suspicion that it originated in Russia

Another possibility must however be that Guccifer 2.0 is simply a narcissist who has no connection either to Wikileaks or to Russia to anyone else, but who wants to pretend to a role that he does not have out of a desire for self-aggrandisement.

Either of these theories about Guccifer 2.0 looks to me far more plausible that the threadbare and unconvincing claims made about Guccifer 2.0 by Raffi Khatchadourian in The New Yorker.