Categories
Selected Articles

What the Latest Mueller Indictment Reveals About WikiLeaks’ Ties to Russia—and What It Doesn’t


Khatchadourian-Wikileaks-.jpg

When did Russian intelligence give WikiLeaks the e-mails that it hacked from the Democratic National Committee and John Podesta, and how did it transmit them? Shortly after the election, James Clapper, then the director of National Intelligence, testified before Congress that American intelligence officials could not clearly pinpoint these facts. “We don’t have good insight into the sequencing of the releases, or when the data may have been provided,” he said. Today, almost two years later, and after months of investigation, we know a lot more than we once did. But our insight into the timing—at least from publicly available information—remains uncertain.

The latest indictment issued by Robert Mueller, the special counsel, charged twelve members of the G.R.U., Russia’s military-intelligence directorate, with hacking and disseminating Democratic e-mails and other files during the election. It is a highly detailed document, in many ways remarkable. In it, we learn, for instance, that Western intelligence officers had penetrated the G.R.U. so thoroughly that they could track the keystrokes of individual Russian operatives at their desks in a Moscow building. We learn that these G.R.U. staff members essentially Googled vulnerabilities in the Democratic Congressional Campaign Committee before hacking into it. We learn that, from within the D.C.C.C., the G.R.U. hackers moved into the D.N.C. We learn that D.N.C. data were relayed to an American server in Illinois as they were being exfiltrated. We learn that G.R.U. officers used cryptocurrency to pay people around the world to provide things that the operation required—domain names, access to virtual private networks (V.P.N.s). The indictment may only be an accusation, but it hints at the remarkably granular forensic intelligence that has been gathered.

The over-all picture that the indictment offers of the “WikiLeaks connection,” as Clapper once put it, is entirely consistent with previous intelligence assessments, which said that the G.R.U. provided Julian Assange, the editor of WikiLeaks, with the D.N.C. and Podesta archives. But, at the level of evidence, the indictment offers a strange mix: tantalizing, fragmentary new details that suggest the when and how without quite revealing everything that happened.

Indictments are not the same as intelligence reports. They are sometimes intentionally written ambiguously, to give prosecutors flexibility in the way they decide to prove their case—emphasizing the strongest links in an argument while implying a bigger picture. It is likely that the charged G.R.U. officers will never face trial, but Mueller may still want to retain flexibility, given that his investigation is ongoing. It is also conceivable that this document was rushed out before Trump’s summit with the Russian President, Vladimir Putin. Herein lies the complication in using this to advance what we know. We can see only bits.

The “active measures” portion of the chronology in the indictment—including, by implication, the transmission of files to WikiLeaks—emerges for the first time in an early paragraph, under Count One, the charging of G.R.U. officers for conspiring to commit an offense against the United States:

6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They
did so using fictitious online personas, including “DCLeaks” and
“Guccifer 2.0.

To make sense of these two sentences, a bit of context is necessary. In 2016, the G.R.U. began a spear-phishing campaign that targeted hundreds of Democratic operatives. People affiliated with Hillary Clinton were targeted as early as March 10th. Podesta, her campaign’s chairman, was targeted nine days later, and his e-mails were stolen on March 21st. The G.R.U. created multiple false online identities to aid its work. By April, it began to set up a mechanism to publish hacked material, a Web site called DCLeaks, purportedly run by American “hacktivists.” The site went live on June 8th, after Clinton became the presumptive Democratic nominee, and published tens of thousands of e-mails from at least seven Clinton-campaign staffers, along with other American officials. Seven days later, the G.R.U. created Guccifer 2.0, which never released e-mails in bulk but published on WordPress, in June, screenshots of a Clinton-related e-mail that were so blurry they were unreadable. By then it is also conceivable that the G.R.U. was releasing material to intermediaries: e-mails that were not yet public but were on their way to becoming so.

How WikiLeaks enters into this behavior is unclear. But, in the following paragraph, the indictment notes that the G.R.U. relayed an apparently different archive to Assange, explicitly through Guccifer 2.0:

7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an
organization (“Organization 1”)
.

These two sections, together, suggest two separate acts: one, the staging and releasing of tens of thousands of e-mails starting in June; two, using Guccifer 2.0 to release documents to WikiLeaks.

What were those other documents?

It is worth taking a closer look at what happened in the spring and summer of 2016 to understand how the indictment’s sequence of facts and allegations leaves open some intriguing possibilities. On April 18th, the G.R.U. hacked the D.N.C. computers, and began to extract gigabytes’ worth of files, including opposition research, but it did not penetrate the D.N.C.’s Microsoft Exchange Server, to access its e-mails, until later. The indictment argues that the e-mails were stolen at some point between May 25th and June 1st.

What happens next seems significant. By June 1st, the G.R.U. was already in possession of tens of thousands of Clinton-campaign e-mails, including Podesta’s. It had gained access to the D.N.C. e-mails. It had just initiated steps to begin publishing hacked material, on DCLeaks. Then, on June 12th, four days after DCLeaks went live, Assange gave an interview to Britain’s ITV, in which he declared, “We have upcoming leaks in relation to Hillary Clinton, which is great. WikiLeaks has a very big year ahead.” A bit later in the interview, he added, “We have e-mails related to Hillary Clinton which are pending publication.”

At the time, the G.R.U. hacking operation had not been publicly exposed, and Assange had no reason to suspect that this admission would take on any special significance. What he could not have known was that the D.N.C. was quietly trying to address the G.R.U. hack. It had hired a cyber-security firm, CrowdStrike, to purge the Russian operatives from its computers. To manage the story, it had invited in the Washington Post, which published an article on June 14th disclosing the breach. The Mueller indictment describes in detail Moscow’s response to this news: G.R.U. officers “created the online persona Guccifer 2.0,” apparently rushing to mask the hacking operation by promoting the idea that the culprit was a lone Romanian hacker. As they scrambled, they looked up English translations for phrases that could be attributed to their imaginary hacker. Work on the persona, it appears, was finished within hours.

The G.R.U. gave Guccifer 2.0 a WordPress Web page, where, on June 15th, it introduced itself and began posting material that it claimed was hacked from the D.N.C. but which, in fact, appears to be drawn from earlier hacks of Clinton officials. Almost immediately, the Web site, in both its tone and content, attracted skepticism. It looked just like what it was: a hastily built Russian construct. It is still unclear if the many tells were left there out of sloppiness, or by design—an artifact of state-sponsored trolling.

On June 18th, Guccifer 2.0 released twenty documents on WordPress, which it said were from the D.N.C. but which were almost surely not. Two days later, it teased a “dossier on Hillary Clinton from DNC,” which was nothing of the sort. It implied that it was on a mission to release much more. Then, after establishing itself as a hacker with tons of material, Guccifer 2.0 began giving interviews—most notably on Vice’s Motherboard blog—and on June 22nd it invited people to write to it: “I’d like journalists to send me their questions via Twitter Direct Messages.”

That same day, WikiLeaks sent a private message to Guccifer 2.0, presumably over Twitter, saying, “Send any new material here for us to review and it will have a much higher impact than what you are doing.” (Assange later made a nearly identical pitch to Emma Best, a journalist he thought might publish a trove of Guccifer 2.0 material, urging her to route the information to him instead, because the WikiLeaks platform would make it easier to peruse: “Impact is very substantially reduced if the ‘news’ of a release doesn’t coincide with the ability to respond to the news by searching.”) He told Guccifer 2.0 that he hoped to publish before the Democratic National Convention, and he indicated that he had a specific interest—the “conflict between bernie and hillary.”

Throughout late June, the indictment notes, Guccifer 2.0 tried but failed to send an archive of “DNC documents” to WikiLeaks. The reasons for the failures—whether technical, organizational, or personal—are unstated. Coördinating with Assange is not easy. (When I interviewed him last year, he told me, “We had these hiccups that delayed us, and we were given a little more time.”) Finally, on July 14th, Guccifer 2.0 sent WikiLeaks an encrypted attachment that, according to the indictment, contained “instructions on how to access an online archive of stolen DNC documents.” Four days later, WikiLeaks confirmed that it had accessed the archive and claimed that it would release the material that week. Then, on July 22nd, Assange began publishing the D.N.C. “emails and other documents,” as the indictment notes, perhaps a reference to attachments. It also says that WikiLeaks “did not disclose Guccifer 2.0’s role in providing them.” This last statement suggests that WikiLeaks obtained the D.N.C. e-mails from Guccifer 2.0 in the summer, at some point after July 14th—although a legalistic gloss on “role” leaves open the possibility that Guccifer 2.0 provided only some D.N.C. material, such as copies of documents that were also attached to D.N.C. e-mails.

So did the G.R.U. use the Guccifer 2.0 persona to relay e-mails to WikiLeaks in the summer of 2016? Or did it provide them to Assange by some other means much earlier, in the spring?

Let’s look back at the chronology. On June 12th, three days before the creation of Guccifer 2.0, Assange announced that he had a substantial trove of Clinton-related e-mails that were pending publication. Likewise, Guccifer 2.0 proclaimed, on its very first post on the WordPress site, “The main part of the papers, thousands of files and mails, I gave to Wikileaks. They will publish them soon.” Again and again, the G.R.U. officers tried to drive home this point—which, of course, was evidently the main point of creating the persona. “I sent a big part of docs to WikiLeaks,” Guccifer 2.0 told the editor of the Smoking Gun that same day. On June 17th, Guccifer 2.0 said in another e-mail, “I gave WikiLeaks the greater part of the files.” (For e-mail, the G.R.U. gave Guccifer 2.0 another fake identity: Stephan Orphan.)

In other words, both the G.R.U. and Assange appear to have confessed to the transmission and reception of a large trove of Clinton-related e-mails in mid-June, before Guccifer 2.0 was apparently created. The indictment does not address this. There is no way to say precisely what that trove was—if it was the Podesta archive given to WikiLeaks much earlier than is generally presumed, or the D.N.C. e-mails, or both, or something else. (There is also the possibility that both parties were not speaking truthfully.) But, if Assange did have the D.N.C. e-mails before Guccifer 2.0 was created, then the details in the indictment take on new meaning. Some version of the following may be true: it is mid-June, with the convention approaching, and Assange is about to release a bombshell, when he notices the sudden appearance of Guccifer 2.0, a “hacker” edging into his turf, inviting journalists to write in. So he writes in, asking for material that interests him. He has already gone through the D.N.C. e-mails and has recognized that the trove highlights conflict within the Democratic Party. He signals that he wants more on that specific issue. The G.R.U. is happy to comply, through its new cutout. Perhaps some of it overlaps with what the G.R.U. already provided, making Guccifer 2.0’s confessions literally accurate. Perhaps it is the same irrelevant dross that Guccifer 2.0 fed to others.

Last year, I visited Assange several times in the Ecuadorian Embassy in London. He often emphasized to me that the sourcing of his election publications was complex. I usually took this as a dodge. But the sourcing may indeed have been multilayered. There are many conceivable ways that G.R.U. officers could have provided e-mails to WikiLeaks before they created Guccifer 2.0. They could have used the WikiLeaks anonymous-submission system. They could have used a different fictitious online persona. They could have used a human intermediary. Last year, James Clapper told me, “It was done by a cutout, which of course afforded Assange plausible deniability.” In January, 2017, Clapper oversaw a formal intelligence assessment on Russian meddling. At the time, more than one news organization reported that a classified version of the assessment made clear that the intermediaries between the G.R.U. and WikiLeaks were already known. (Certainly, the intelligence community would also have been in possession of Guccifer 2.0’s Twitter D.M.s at that time, too.) One intelligence official, describing the report, indicated to Reuters last year that the e-mails relayed to WikiLeaks had followed a “circuitous route,” by a series of handoffs, on their journey from Moscow. Such a scenario seems to be at odds with the idea that Guccifer 2.0 merely sent WikiLeaks an encrypted link to download it all in one swoop.

If the hacked e-mails had been provided in this way, to Assange in June, one can imagine a nearly slapstick scenario, in which he was receiving G.R.U. material from two different sources: once at the source’s instigation, and once at his own, receiving one tranche that he published and one that he did not. In our chats in the embassy, Assange sometimes offered hints. One evening, I asked him if he had released all of the election-related records that he had received. He looked up at the ceiling, thought for a long while, then spoke extremely slowly, stopping and starting: “We published everything that we received about the election that could be verified before the election—everything that was not already published that we could authenticate.”

I asked, What percentage did you hold back?

“We received quite a lot of submissions, of material that was already published in the rest of the press, and people seemingly submitted the Guccifer archives. We didn’t publish them. They were already published.”

Why not add them to the WikiLeaks library, to insure that they would not be taken down, and also to enrich the exclusive Democratic e-mails that WikiLeaks was putting online—to make the archive more complete?

“We might have done that. But the material from Guccifer 2.0—or on WordPress—we didn’t have the resources to independently verify.”

Assange, cut off from the Internet in the Embassy, has been unable to respond to the latest Mueller indictment. But, whenever Guccifer 2.0 came up in our conversations, he seemed uncomfortable and frustrated. In 2016, with the subject often in the news, he developed a canned P.R. maneuver to questions about the persona. He strove to convey (falsely) that the WikiLeaks publications and the Guccifer 2.0 publications had no overlap, and that therefore it was unfair to conflate the two. “It’s an incredible crunching together of these two archives,” he said. In February, 2017, Assange told me that any purported connection between the D.N.C. hack, Guccifer 2.0, and WikiLeaks was the result of “guesswork.”

Two months later, at the Embassy, I asked Assange what he thought Guccifer 2.0 was. Previously, he had been asked about the persona and its publications, and he had said, “Now, who is behind these, we don’t know. These look very much like they’re from Russians. But in some ways they look very amateur, and almost look too much like the Russians.” Once, he had casually implied to me that he thought Ukrainian operatives might be running the persona; he had also tried to steer people to the view that it was controlled by genuine Eastern European activists. Now I was asking directly what he thought, and he tensed up. “I have to think whether that limits any possibilities,” he told me. “I don’t—I don’t want to comment on the record.” I said that I did not understand why he needed the secrecy: if Guccifer 2.0 had no connection to WikiLeaks, then why not merely speak about it on the record, as an analyst would? Rather than elaborate, he told me, “I think we have already said that Guccifer 2.0 is not our source.”

I looked into it, and I could not find an instance when Assange had said such a thing. What he did say is that he did not receive the e-mails from the Kremlin; as he told Sean Hannity, on Fox News, “Our source is not the Russian government, and it is not a state party.” It is hard to know how he could say such a thing definitively, especially since the G.R.U. frequently worked through fronts, but when I asked him if he knew the full chain of custody of the e-mails he abruptly told me, “I’m not going into sourcing.”

In August of last year, Assange and I returned to the subject. I told him that I could not find his previous denial about Guccifer 2.0, and asked him if he would be willing to make one unambiguously.

“It’s bad form to rule people out,” he told me. Then Assange invoked a strange, transitive argument: because he had already declared that his source was not a state, he was willing to deny that Guccifer 2.0 was his source only in a context in which the persona was being defined as a state-run entity. Clearly, whether or not WikiLeaks received material from Guccifer 2.0’s handlers had nothing to do with how it was defined; he either had obtained the e-mails from the entity or he had not. So I gave him the following menu to choose from:

  1. Julian Assange has no comment on whether the D.N.C. e-mails that
    WikiLeaks published came from Guccifer 2.0.

  2. Julian Assange denies that the D.N.C. e-mails that WikiLeaks
    published came from Guccifer 2.0.

A) Julian Assange has no comment on whether the Podesta e-mails that
WikiLeaks published came from Guccifer 2.0.

B) Julian Assange denies that the Podesta e-mails that WikiLeaks
published came from Guccifer 2.0.

“Please just pick one letter and one number,” I said. He picked none, telling me instead, “I understand the political value to WikiLeaks in a denial. I also understand that if one day someone is arrested for being our source they may want to preserve the Guccifer 2.0 option.” In other words, he did not want to publicly rule out the persona as a source, because he wanted to give a hypothetically accused third party plausible deniability, since Guccifer 2.0 had claimed to be his source. (When he realized that I was ready to publish this, he tried to retroactively pull it off the record.) After kicking around other possible responses, all of them vague, he returned to his original, a denial contingent on how one defined the persona: “If there is a claim that Guccifer 2.0 is a state officer, then it’s easy to give a no answer without giving away more information.”