Spy v. Spy: James Risen explains how the U.S. knows so much about the Russian cyber attack on the U.S. election

James Risen is a former New York Times national security reporter who won the 2006 Pulitzer Prize for National Reporting for his stories about President George W. Bush’s warrantless wiretapping program. He also was a member of The New York Times reporting team that won the 2002 Pulitzer Prize for explanatory reporting for coverage of the September 11th attacks and terrorism. Risen also authored two books about the CIA, The Main Enemy: The Inside Story of the CIA’s Final Showdown with the KGB (Random House) (2003), and State of War: The Secret History of the CIA and the Bush Administration (The Free Press) (2006).

You may recall that Risen was subject to being held in contempt for refusing to comply with a subpoena to testify about the sources of his information in United States v. Sterling. In the end, Risen was not called to testify at a trial, which ended a seven-year legal fight over whether he could/would be forced to identify his confidential sources.

James Risen is now working as an investigative reporter for The Intercept. His first column for The Intercept, and his latest investigative reporting, is the provocatively titled IS DONALD TRUMP A TRAITOR?: Trump and Russia Part 1 (excerpts):

The fact that such an unstable egomaniac occupies the White House is the greatest threat to the national security of the United States in modern history.

Which brings me to the only question about Donald Trump that I find really interesting: Is he a traitor?

Did he gain the presidency through collusion with Russian President Vladimir Putin?

One year after Trump took office, it is still unclear whether the president of the United States is an agent of a foreign power. Just step back and think about that for a moment.

His 2016 campaign is the subject of an ongoing federal inquiry that could determine whether Trump or people around him worked with Moscow to take control of the U.S. government. Americans must now live with the uncertainty of not knowing whether the president has the best interests of the United States or those of the Russian Federation at heart.

[I]f a presidential candidate or his lieutenants secretly work with a foreign government that is a longtime adversary of the United States to manipulate and then win a presidential election, that is almost a textbook definition of treason.

In Article 3, Section 3, the U.S. Constitution states that “treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.”

Based on that provision in the Constitution, U.S. law – 18 U.S. Code § 2381 – states that “[w]hoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere” is guilty of treason. Those found guilty of this high crime “shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.”

Now look at the mandate given to former FBI Director Robert Mueller when he was appointed special counsel by Deputy Attorney General Rod Rosenstein, who was acting in place of Attorney General Jeff Sessions, who had recused himself because of his role in the Trump campaign and the controversy surrounding his own meetings with the Russian ambassador to the United States.

On May 17, 2017, Rosenstein issued a letter stating that he was appointing a special counsel to “ensure a full and thorough investigation of the Russian government’s efforts to interfere in the 2016 presidential election.” He added that Mueller’s mandate was to investigate “any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and any matters that arose or may arise directly from the investigation.” Rosenstein noted that “[i]f the Special Counsel believes it is necessary and appropriate, the Special Counsel is authorized to prosecute federal crimes arising from the investigation of these matters.”

How closely aligned is Mueller’s mandate with the legal definition of treason? That boils down to the rhetorical differences between giving “aid and comfort, in the United States or elsewhere” to “enemies” of the United States and “any links and/or coordination” between the Russian government and Trump campaign aides related to “the Russian government’s efforts to interfere in the 2016 presidential election.”

Sounds similar to me.

As a practical matter, the special counsel is highly unlikely to pursue treason charges against Trump or his associates. Treason is vaguely defined in the law and very difficult to prove. To the extent that it is defined – as providing aid and comfort to an “enemy” of the United States – the question might come down to whether Russia is legally considered America’s “enemy.”

Russia may not meet the legal definition of an “enemy,” but it is certainly an adversary of the United States. It would make perfect sense for Russian President and de facto dictator Vladimir Putin to use his security services to conduct a covert operation to influence American politics to Moscow’s advantage. Such a program would fall well within the acceptable norms of great power behavior. After all, it is the kind of covert intelligence program the United States has conducted regularly against other nations – including Russia.

* * *

In fact, evidence of the connections between Trump’s bid for the White House and Russian ambitions to manipulate the 2016 U.S. election keeps piling up. Throughout late 2016 and early 2017, a series of reports from the U.S. intelligence community and other government agencies underlined and reinforced nearly every element of the Russian hacking narrative, including the Russian preference for Trump. The reports were notable in part because their findings exposed the agencies to criticism from Trump and his supporters and put them at odds with Trump’s public dismissals of reported Russian attempts to help him get elected, which he has called “fake news.”

In addition, a series of details has emerged through unofficial channels that seems to corroborate these authorized assessments. A classified NSA document obtained by The Intercept last year states that Russia’s military intelligence agency, the GRU, played a role in the Russian hack of the 2016 American election. In August, a Russian hacker confessed to hacking the Democratic National Committee under the supervision of an officer in Russia’s Federal Security Service, or FSB, who has separately been accused of spying for the U.S. And Dutch intelligence service AIVD has reportedly given the FBI significant inside information about the Russian hack of the Democratic Party.

Details follow later in Risen’s column.

On February 16, just hours after this column was published, the special counsel announced indictments of 13 Russians and three Russian entities for meddling in the U.S. election. The special counsel accused them of intervening to help Trump and damage the campaign of Hillary Clinton. The indictments mark the first time Mueller has brought charges against any Russians in his ongoing probe.

Given all this, it seems increasingly likely that the Russians have pulled off the most consequential covert action operation since Germany put Lenin on a train back to Petrograd in 1917.

THERE ARE FOUR important tracks to follow in the Trump-Russia story. First, we must determine whether there is credible evidence for the underlying premise that Russia intervened in the 2016 election to help Trump win. Second, we must figure out whether Trump or people around him worked with the Russians to try to win the election. [Third], we must scrutinize the evidence to understand whether Trump and his associates have sought to obstruct justice by impeding a federal investigation into whether Trump and Russia colluded. A fourth track concerns whether Republican leaders are now engaged in a criminal conspiracy to obstruct justice through their intense and ongoing efforts to discredit Mueller’s probe.

This, my first column for The Intercept, will focus on the first track of the Trump-Russia narrative. I will devote separate columns to each of the other tracks in turn.

The evidence that Russia intervened in the election to help Trump win is already compelling, and it grows stronger by the day.

There can be little doubt now that Russian intelligence officials were behind an effort to hack the DNC’s computers and steal emails and other information from aides to Hillary Clinton as a means of damaging her presidential campaign. Once they stole the correspondence, Russian intelligence officials used cutouts and fronts to launder the emails and get them into the bloodstream of the U.S. press. Russian intelligence also used fake social media accounts and other tools to create a global echo chamber both for stories about the emails and for anti-Clinton lies dressed up to look like news.

To their disgrace, editors and reporters at American news organizations greatly enhanced the Russian echo chamber, eagerly writing stories about Clinton and the Democratic Party based on the emails, while showing almost no interest during the presidential campaign in exactly how those emails came to be disclosed and distributed. The Intercept itself has faced such accusations [i.e., Glenn Greenwald]. The hack was a much more important story than the content of the emails themselves, but that story was largely ignored because it was so easy for journalists to write about Clinton campaign chair John Podesta.

To anyone who has studied the history of the KGB, particularly during the Cold War, the attack on the Clinton campaign and the Democratic Party during the 2016 U.S. election looks like the contemporary cyber-descendant of countless analog KGB propaganda efforts.

* * *

THE CHRONOLOGY OF the attack on the Democratic Party is a sad testament to the overconfidence of the Clinton campaign. It also highlights the inattention of American intelligence and law enforcement and their failure to adequately warn the major political parties of looming cyberthreats to the U.S. electoral system.

In September 2015, the FBI made a halfhearted effort to tell the DNC that its computer system had been invaded. In November 2015, the FBI told the DNC that its computers were sending data to Russia, but even that didn’t seem to prompt much concern on the Democrats’ part. In March 2016, Podesta’s email account was hacked in a phishing attack, giving thieves access to thousands of his emails.

In May 2016, CrowdStrike, a cybercompany hired by the DNC after the party finally recognized it had a problem, told DNC officials that its computers had been compromised in two separate attacks with two sets of malware associated with Russian intelligence.

While the DNC used CrowdStrike, a private contractor, to conduct an investigation, it did not give the FBI access to its computer systems. That fact has since been seized upon by skeptics who say that CrowdStrike’s analysis can’t be considered credible. But according to a November BuzzFeed story, CrowdStrike’s lead investigator, Robert Johnston, was a former Marine captain who had previously worked at the U.S. Cyber Command, where he had investigated an attempted hack of the Joint Chiefs of Staff that he identified as likely associated with the FSB. He had recent experience in identifying the signatures of hacking linked to Russian intelligence.

In June 2016, WikiLeaks founder Julian Assange said WikiLeaks had obtained emails associated with Clinton. Just days later, the Washington Post reported that Russian intelligence had hacked the DNC’s computers.

In July 2016, just before the Democratic National Convention, WikiLeaks released thousands of DNC emails, and the party’s chairwoman, Debbie Wasserman Schultz, was forced to resign.

In September 2016, Sen. Dianne Feinstein, the ranking Democrat on the Senate Intelligence Committee, and Rep. Adam Schiff, the ranking Democrat on the House Intelligence panel, issued a statement that they had received classified briefings that made it clear that Russian intelligence was trying to intervene in the election.

“We believe that orders for the Russian intelligence agencies to conduct such actions could come only from very senior levels of the Russian government,” their statement noted.

The key moment in the 2016 campaign came on October 7, when three events unfolded one after another. That afternoon, the Department of Homeland Security and the Director of the Office of National Intelligence issued a statement that U.S. intelligence believed Russia was behind the Democratic Party hacks and email releases.

“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations,” the statement read. “The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the U.S. election process.”

That statement was immediately overshadowed later that afternoon when the Washington Post published the infamous “Access Hollywood” tape, in which Trump is heard talking about how easy it is for him to get away with sexual assault, including groping and forcibly kissing women.

Later that afternoon, WikiLeaks started tweeting links to emails hacked from Podesta’s account. WikiLeaks then began releasing Podesta emails on a regular basis throughout the last month of the campaign. Meanwhile, a group called DC Leaks, which is now believed to be a front for the Russian hackers who sought to intervene in the election, released more Democratic Party-related documents.

Within days, Trump was telling his supporters at rallies: “I love WikiLeaks.”

The scope of the impact of Russian hacking and subsequent disclosures of Democratic Party emails and data on the outcome of the 2016 election remains unclear. But the disclosures certainly helped take at least some of the media’s attention off Trump, and probably should be credited with giving him time to recover from the disastrous “Access Hollywood” tape. The pattern and timing of the disclosures also strongly suggest that the objective was to damage Hillary Clinton’s campaign and help Donald Trump.

IN DECEMBER 2016, a month after the election, the FBI and the National Cybersecurity and Communications Integration Center issued a joint report detailing the cybertools used by Russian intelligence to attack the Democratic Party.

The report is still illuminating today because it suggests that the original DNC hack in 2015 was part of a much broader Russian cyberassault on a wide array of American institutions, including government agencies. Originally, it seems, the Russians were not specifically targeting the Democrats, but were simply casting a wide net in Washington to see who might take the bait.

The agencies’ report determined that in the summer of 2015, “an APT29 [Advanced Persistent Threat 29, one of two Russian intelligence “actors” identified in the report, also known as Cozy Bear] spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party.”

The report adds that the Russians quickly followed up when they gained access to the Democrats. “APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.”

While intervening in the 2016 election may not have been the initial purpose of the cyberattack, once the Russians opportunistically struck gold by breaking into the DNC, they went after the Democrats relentlessly.

“In spring 2016, APT28 [another Russian intelligence “actor”] compromised the same political party, again via targeted spearphishing,” the report states. “This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.”

By luck or design, Russian intelligence had obtained a vast trove of inside information from the Democratic Party in the middle of a presidential campaign.

In January 2017, just days before Trump took office, a remarkable report from the CIA, FBI, and NSA was made public, plunging the U.S. intelligence community into American politics in an unprecedented way. Its aftershocks continue to reverberate a year later.

The report states that “we assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.” It continues: “Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments. We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him.”

The report also notes that “further information has come to light since Election Day that, when combined with Russian behavior since early November 2016, increases our confidence in our assessments of Russian motivations and goals.”

Trump has sought to discredit the report, and by extension, the entire intelligence community, ever since. His cronies have chimed in, dismissing it as the work of the so-called deep state.

Yet interestingly, CIA Director Mike Pompeo – a Trump loyalist who has been criticized for transparently currying favor with Trump in hopes of being named secretary of state – still stands by the January intelligence assessment. In November, after Trump once again publicly trashed the intelligence community’s conclusions, the CIA issued a statement that “[t]he Director stands by and has always stood by the January 2017 Intelligence Community Assessment.” According to the CIA, “the intelligence assessment with regard to Russian election meddling has not changed.” Pompeo’s willingness to stand by the assessment is clearly not in his own political interest and thus, lends credibility to the assessment.

Earlier this week, meanwhile, top intelligence officials, including Pompeo and Director of National Intelligence Dan Coats, underlined their ongoing concerns about Russian election meddling, warning that Moscow once again seems to be seeking to intervene, this time in the 2018 midterm elections. In a congressional hearing, Coats suggested that the Russians believe they were successful in 2016 and want to build on their success in 2018. Coats said that “the 2018 midterm elections are a potential target for Russian influence operations,” and that “at a minimum, we expect Russia to continue using propaganda, social media, false flag personas, sympathetic spokespeople, and other means of influence to try to exacerbate social and political fissures in the United States.”

FURTHER DOCUMENTARY EVIDENCE of Russian intervention in the 2016 election came from an important story published by The Intercept last June.

The story was notable because it was based on a classified U.S. intelligence document about Russian election hacking obtained through an unauthorized leak. All the other U.S. intelligence assessments and reports that have so far been made public about the issue have come through officially authorized channels. Thus, the NSA report leaked to The Intercept has the enhanced credibility that comes from being disclosed against the will of the U.S. intelligence community.

The classified report is significant because it reveals that Russian interference in the election extended beyond the direct attack on the Democratic Party and included attempts to gain access to the basic infrastructure involved in actually counting American votes. It details how the GRU conducted a cyberattack on a U.S. voting software supplier and engaged in spear-phishing to try to hack local election officials before the 2016 vote.

The classified May 2017 NSA report, provided anonymously to The Intercept, shows that Russian hackers sought to pose as an e-voting vendor and trick local government officials into opening Microsoft Word documents loaded with malware that would let the hackers remotely control the government computers. To fool the local officials, the Russians first sought to gain access to the vendor’s internal systems, which they hoped would provide a convincing disguise.

“Russian General Staff Main Intelligence Directorate actors [redacted] executed cyber espionage operations against a named U.S. company in August, 2016, evidently to obtain information on elections-related software and hardware solutions, according to information that became available in April, 2017,” the report states. “The actors likely used data obtained from that operation to create a new email account and launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.”

The compromise of the vendor would provide cover for the direct attack on the local officials. “It was likely that the threat actor was targeting officials involved in the management of voter registration systems,” the report adds. “It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”

THE GROWING EVIDENCE that Russia was behind the attack on the Democratic Party now includes the confession of a Russian hacker in a Moscow court. The story of Konstantin Kozlovsky appears to be one of the most significant of the entire Trump-Russia saga. It is one of several intriguing tales now emerging that suggests that the secrecy surrounding the Russian hacking is beginning to unravel.

In December 2017, The Bell, an independent Russian news site, reported on Kozlovsky’s stunning testimony in Moscow City Court. Kozlovsky — a young Russian hacker who had been arrested, along with other members of the Lurk hacking group, in connection with the cybertheft of more than $50 million from Russian bank accounts — testified that he had conducted the Democratic Party hack on behalf of Russian intelligence. In an August 15 court hearing in Moscow, Kozlovsky said he “performed various tasks under the supervision of FSB officers,” including hacking “of the National Committee of the Democratic Party of the USA and electronic correspondence of Hillary Clinton,” and hacking “very serious military enterprises of the United States and other organizations,” according to the Bell.

The news site reported that Kozlovsky said he had conducted the hack at the direction of Dmitry Dokuchaev, a major in the FSB’s Information Security Center, the intelligence agency’s cyber arm.

When Kozlovsky made this statement in court, he was already facing serious criminal charges for hacking. He may have thought that claiming involvement in the DNC hack would help him with his ongoing criminal case, or he may have thought that he had nothing left to lose and so should tell all. He remains in pretrial detention in Moscow.

Dokuchaev, meanwhile, is a fascinating character, and his involvement in Kozlovsky’s story plunges it into the wilderness of mirrors of present-day espionage battles between the U.S. and Russia.

In December 2016, Dokuchaev was arrested in Moscow and charged with spying for the United States. He and three others have reportedly been accused of providing information to U.S. intelligence on the Russian hack of the Democratic Party. Along with Dokuchaev, FSB Col. Sergey Mikhailov, Ruslan Stoyanov of Kaspersky Labs, and Georgy Fomchenkov, a Russian businessman, have been charged with treason in the case.

Dokuchaev is now being detained in Russia, but since Kozlovsky’s confession was made public, Dokuchaev, through his lawyer, has told the Russian press that he doesn’t know the hacker and was not involved with the theft of documents from the Democratic Party.

In March 2017, just months after Dokuchaev was arrested in Moscow for spying for the United States, the U.S. Justice Department announced that he had been indicted by a federal grand jury on charges of hacking Yahoo’s network and webmail accounts. Dokuchaev, identified by the Justice Department as a 33-year-old FSB officer, was one of four men indicted in the case. “The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials, and private-sector employees of financial, transportation and other companies,” according to the Justice Department.

At the press conference announcing the indictments, officials displayed a large FBI wanted poster for Dokuchaev.

This chain of events leaves plenty of questions unanswered, but I wouldn’t be surprised if Dokuchaev’s December 2016 arrest for treason in Moscow and his March 2017 indictment in the United States were somehow related.

WHILE THE WASHINGTON press corps has been obsessing over Donald Trump’s tweets and a ginned-up memo from House Republicans seeking to discredit the Trump-Russia investigation, another major break in the story has just begun to unfold in the Netherlands. In late January, a Dutch newspaper, de Volkskrant, along with Nieuwsuur, a Dutch current affairs television program, reported that Dutch intelligence service AIVD has turned over to the FBI conclusive inside information about the Russian hack of the Democratic Party.

The two news organizations reported that in 2014, Dutch hackers working for the AIVD gained secret access to the Russian hacker group known as Cozy Bear – also known as Advanced Persistent Threat 29 – a Russian intelligence unit behind the hack of the DNC.

Dutch intelligence first told their American counterparts about their successful penetration of Cozy Bear in 2014, tipping off Washington that the Russian hackers were trying to break into the State Department’s computer system. That warning led the NSA to scramble to counter the Russian threat.

In 2015, the Dutch were also able to watch, undetected by the Russians, as the Cozy Bear hackers launched their first attack on the Democratic Party, according to the two news organizations. In addition to gaining access to the Cozy Bear computers, the Dutch were able to hack into a security camera that recorded who was working in Cozy Bear’s office in a university building in Moscow near Red Square. The Dutch discovered that there were about 10 people working there, and they were eventually able to match the faces to those of Russian intelligence officers who work for the SVR.

The information flowing from the Dutch was considered so vital by the Americans that the NSA opened a direct line with Dutch intelligence to get the data as fast as possible, according to the Dutch news organizations. To show their appreciation, the Americans sent cake and flowers to AIVD headquarters in the Dutch city of Zoetermeer.

If the Dutch story is accurate, it would help explain why the U.S. intelligence community is so confident in its assessment that Russian intelligence was behind the attack on the Democratic Party.

The Dutch news organizations say that the AIVD is no longer inside the Cozy Bear network, and that Dutch intelligence has become increasingly suspicious of working with the Americans.

Since Trump’s election, who can blame them?

Keep an eye out for Risen’s next column in this four-part series.

6 responses to “Spy v. Spy: James Risen explains how the U.S. knows so much about the Russian cyber attack on the U.S. election”

  1. Sen. John Kavanagh

    So far, no evidence of collusion, which is what the Mueller investigation is all about. Must be very frustrating for all you Trump hating Dems.

    • It’s not frustrating. It’s a slow, serious, and thorough investigation by a respected prosecutor and not one of Trump’s slap-happy, punch-drunk tweets.
      Incidentally, James Risen is no democratic lackey. For years he criticized Obama in the strongest terms possible for prosecuting whistle blowers, leakers, and reporters and said his administration used “red-baiting, not to prosecute spies but to go after government officials who talked to journalists.”

    • For Sure Not Tom

      Donald Trump Jr admitted to collusion and Steve Bannon says the meeting Junior had with the Russians was treason. Flynn, Manafort, all colluded, the question is can conspiracy be proven and you know this.

      You are playing games with the word “collusion” and it’s embarrassing that you are a former LEO. You do realize that your students can read these comments. They do not show you in a good light.

      It’s also embarrassing that you are a grown man and a state rep who trolls like a child. You post this same “collusion” line every time, then when someone asks you a real question you run away like a child.

      • Sen. John Kavanagh

        If you have evidence that Mueller does not have, you should send it to him. Otherwise, there is no evidence of collusion. Using your loose definition, one could say there is collusion between the Hillary campaign and Russia because the campaign funded the dossier. That too is ridiculous.

        • How do you know what evidence Mueller has or doesn’t have?

        • For Sure Not Tom

          Mueller has plenty. You really need to turn off Hannity, he’s not a reliable source.

          Since a list including Don Jr, Flynn, Page, and Manafort colluding won’t wake you up, how about I appeal to your former law enforcement side.

          Trump Tweeted, among other incriminating things, that “Comey better hope there are no tapes” and then later had to admit there were no tapes.

          What’s that called? Witness tampering? Intimidation?

          So much smoke! But you keep defending the President of Trump University. And the same guy who sold “Trump Vitamins” back in 2009, a multi-level marketing scam that included a urine test to customize the vitamins for you, something doctors say isn’t a thing.

          Your boy is a con man.