The Sussmann indictment and the Alfa Bank saga: A focused timeline

The most tangled web.

At Just the News, John Solomon reported a few days ago that according to the Justice Department’s IG, the FBI is still ignoring its own procedures in handling FISA surveillance applications.

Some of Solomon’s opening points:

“The FBI’s Woods Procedures are designed to ensure FISA applications are ‘scrupulously accurate’ and require agents to document support for all factual assertions contained in them,” Horowitz reported. “However, our audit found numerous instances where this did not occur.” 

Horowitz first flagged 29 applications in March 2020 that had problems including 209 errors. 

Twenty-nine applications in one month is not a small or inconsequential number of applications.  Keep in mind, this was still in Donald Trump’s presidency.  What readers think they may have done to clean out the Augean stable of D.C. bureaucracy, even Trump was not able to achieve, more than three years into his term.  It’s always useful to remember how much of the D.C. “establishment” was pulling against him the entire time he was in office.  FBI officials who ignored or gun-decked the Woods Procedures, as a slew of them did in 2016 under Obama, were likely to be prominent among them.

This timely observation from Solomon is by way of introducing a focused timeline that I hope will illuminate how very widespread and entrenched the scope of what John Durham has been investigating will turn out to be.

As Kash Patel pointed out to Maria Bartiromo this past weekend on Sunday Morning Futures, Durham is perhaps barely at the halfway point in the typical timeline of a major prosecution.

There’s likely to be more to come, beyond the Michael Sussmann indictment and the recent spate of subpoenas.  Patel is in a unique position to have some idea how much more, and even whether it’s prosecutable.  The latter will have to drive Durham’s focus to some extent; he’s a prosecutor, not an intelligence officer passing on his notes to an interested public.

(There was never a “Durham report” envisioned for his investigation, in spite of all the incessant talk about it.  Durham’s charter was originally to prosecute.  I don’t know if that formal arrangement will be altered at some point, but the Sussmann indictment is effectively Durham’s “report,” at least to date.  It contains a bigger picture of the charged false-statement crime than is necessary to establish it, revealing the outlines of a conspiracy.  With additional charges, the picture may be enlarged as well as filled out.)

We don’t know how the statute of limitations will affect what Durham is able to lay open in court.  It’s been more than five years now since many of the actions in 2015 and 2016 that may have been prosecutable.  Perhaps some material information will be revealed that can’t be prosecuted.  So be it.

For America’s understanding, the larger point is to see more clearly the reality we’ve been living with.  If it isn’t clear that the corruption is systemic, people won’t understand why nothing seems to be done about it.

The context of this timeline

Most of the work of this timeline has already been done, and presented in previous articles at Liberty Unyielding.  The links to those articles are woven into the timeline.

This isn’t a comprehensive timeline.  With the Sussmann indictment a few weeks ago, almost every commentary has laid out the period it concentrates on, from July to October of 2016.  I won’t be dwelling on that, or on the many things that aren’t mentioned in the timelines included in this article.

Michael Sussmann in an online forum in 2020. YouTube, Docket Media video

Rather, the purpose here is to overlay information about the Alfa Bank-related timeline – the one that ensnared Sussmann because of his connection with it – on the other major features of the Spygate/Russiagate timeline.

The startling coincidences in the overlaid timelines reinforce two important drivers of analysis.  One is that the top actors in this “problem set” were not working in a vacuum, or in information stovepipes.  People like Hillary Clinton, the circle of advisers she had in common with Barack Obama, Obama himself, and several of his senior officials such as John Brennan, Loretta Lynch, James Comey, and Susan Rice, could not have been in ignorance of the different things that were going on at the same exact time.

There is no reasonable likelihood, just to take one example, that Brennan, who had reportedly been receiving foreign intelligence on “Trump and Russia versus Hillary Clinton” since at least January 2016, and who briefed Obama in July 2016 that the Russians thought they had intel on Hillary Clinton, was unaware that James Comey – according to Comey’s account, repeated several times – had Russian intelligence that appeared to indicate collusion between the U.S. DOJ and the Hillary campaign on Hillary’s email “matter,” in March 2016.

That’s pretty much the whole, comprehensive intelligence problem-set, in fact: Russia, Trump, Hillary, her campaign, the DNC, the election, Hillary’s emails, and the Obama administration’s purported alarms and concerns about these various elements.  We know that in 2016, there was extensive common knowledge among the top actors about these elements.

The point isn’t whether Comey’s account of the “Russian intelligence” detail is true or not.  (We don’t even have to settle whether Comey thought it was.)  The point is what Comey says he was aware of from Russian intelligence, and the virtual impossibility that Brennan didn’t know anything about that – in March 2016, at the same time Comey says he was aware of it.

The brain trust, briefing Congress in 2014. (Image: Defense Intelligence Agency)

Demonstrating that their knowledge was common, in absolute terms that would pass the test of evidence in court, is not something that can be done with the information available to the public.

But such coincidences are exactly what cue law enforcement to investigate the hypothesis of a conspiracy.  The material events of a conspiracy are rarely the first things identified as a conspiracy.  It’s common motives, common timing, and common knowledge, perceived first as circumstantial, that cause investigators to suspect a conspiracy.

The second driver of analysis is the ever-growing probability that the common goal of Spygate, with Russiagate as its major subset, reached beyond the Clinton campaign and the DNC.  There are many, many reasons to think that.  Just one is that James Comey’s vacillating, triangulating behavior in 2016 makes sense if he was navigating within a larger operation whose outlines he was somewhat aware of, and in which he knew he was ensnared, but perhaps could not fully see.  For the FBI director, a mere oppo-research project of the Democratic candidate for president cannot be such an operation.

Another reason, of course, is that the Hillary campaign per se did only some of the work for this common enterprise.  A great deal of it was done by agencies of the federal executive, from Susan Rice and her “unmasking” spreadsheets and Brennan and his “foreign intelligence,” to the DOJ/FBI honchoing a surveillance effort falsely purported as legitimate (and thus inspectable and potentially usable before the public), and assets of the Pentagon (NSA, the Office of Net Assessment) being used to target and exploit persons in Trump’s orbit – in ways that were much less inspectable or potentially usable.

Those people were all working for Team Obama, not Hillary Clinton.

What I want readers to see is that, in light of the increasing obviousness of a common enterprise, it is less and less possible that coincidences in a timeline are mere coincidences.  We can conclude with confidence that there was substantial common knowledge among actors; there’s plenty of evidence of it.  If events relevant to the enterprise, and already linked to the actors, happened at the same time, the possibility that they were unconnected to the enterprise, including as signs of prior knowledge and planning, dwindles to near-zero.

That’s the context in which we need to understand how significant it is that Durham has indicted Michael Sussmann because he lied about the seeming sideline thread of “Alfa Bank.”  Alfa Bank’s big adventures punctuate the most freighted points of the overall Spygate/Russiagate timeline.

Skeptics of the Alfa Bank-Trump narrative originally pointed out that all the DNS lookups between the servers in question could well have been simple coincidence.  That professionally-sound assessment has colored much of the thinking on this sub-thread of the drama ever since.  DNS lookups are the commonest thing there is in Internet communication.  Without additional context – real context, not made-up supposition – they have a fully explicable ordinary meaning.

Mueller hearing, July 2019. C-SPAN video

But there is real context:  a ton of it.  We’re justified in doubting that the lookups were coincidence.  (As we are justified, in hindsight, in finding it curious that Mueller seemed to take so little interest in them.  Perhaps not pursuing them was more beneficial to the object of his report.)

Three key passages in the timeline demonstrate why.

Those are the passages we’ll focus on here.  They occurred in March 2016, May 2016, and February-March 2017.  If the “coincidences” have the meaning they appear to have, it’s no wonder the Internet sleuths who’ve been following the Spygate drama the most closely found the Sussmann indictment so significant.  Pulling the strings on the Alfa Bank plotline could well unravel the whole story.

The interest of March 2016

There’s a key Alfa Bank date in March 2016, and an interesting, alleged Alfa Bank event that could have been as early as March – which, if verified, would reshape our perspective on the role of the Alfa Bank plotline.

The key event is related to the so-called “Trump server” supposedly pinged repeatedly by an Alfa Bank server in 2016.  The “Trump server” was actually operated by a company named Listrak in the small town of Lititz, Pennsylvania, and was under contract to the Florida-based marketing company Cendyn, which managed customer relations and sent promotional emails for the Trump Hotels.  The town of Lititz is in Lancaster County, in a part of southern Pennsylvania far enough west of the Philadelphia metro to qualify as relatively bucolic.  (The photos from the whole area convey delightful country charm.)

A problem recognized early on for the “Alfa Bank-Trump” narrative was that Cendyn’s contract with the Trump organization ended in March 2016.  The mainstream media reporting on the narrative later that year accepted the contention of the “Union of Concerned Nerds,” who supposedly noticed the unusual server activity, that terminating that relationship wasn’t a showstopper for the “back-channel comms” theory.

But when Alfa Bank had a forensic analysis done in the following years, the key date of 9 March 2016 turned up.  Technical evidence stamped that as the date when the marketing company Cendyn’s contract support for the Trump organization apparently ended.  That was the last date on which the “A record,” or address record, for the Cendyn-registered domain name “mail1.trump-email.com” pointed to the Listrak server in Pennsylvania.  (Ankura report, p. 5)

The mail1.trump-email.com address was the one fingered in the “Alfa Bank-Trump” narrative as being at the center of the DNS lookup flurry between May and September 2016.

This 9 March 2016 end date was affirmed in DNS data compiled by the company Ankura for a “John Doe” lawsuit Alfa Bank brought in June 2020 in Pennsylvania.  The “John Doe” represents the unknown parties who, according to the evidence in the lawsuit, appear to have spoofed the communicating servers to make it appear they were in frequent contact.

In its report, Ankura observed that “the A record expiration in March 2016 [on the date “03/09/2016”; see the report link above] … supports the timeline in the New Yorker article that Cendyn was no longer used by the Trump Organization as a marketing provider after March 2016.”  (The New Yorker article is here.)

Says Ankura:  “According to multiple passive DNS sources, the domain [mail1.trump-email.com] actually ‘vanished’ from the web [i.e., it stopped pointing legitimately to a recognized server] on March 9, 2016.”

Ankura notes that this evidence, retrieved for the company’s analysis, tells a story different from the one in the New Yorker, which claims that the Trump-linked domain “vanished” on 23 September 2016, after months of exchanging suspicious transactions with the Alfa Bank server.  (Ankura report, p. 6)

Town center, Lititz, PA. YouTube video

It’s worth pointing out that Ankura’s evidence trail would suggest that even the most cognizant Trump functionary – someone riding herd on the IT details of online marketing – would not have expected to see any further “trump-email” related transactions involving the Listrak server after 9 March 2016.  And in fact, according to Ankura’s data, there were no such transactions observable to “passive DNS sources” after 9 March 2016.

Yet the central claim of the “Alfa Bank-Trump” narrative is, again, that the mail1.trump-email.com address was the subject of DNS requests from the Alfa Bank server to the Listrak server from May to September 2016.

The 9 March 2016 event did not involve the Alfa Bank server.  But it did occur on a remarkable Spygate date, as we’ll see below.

What the “two servers” story was not about

As regards that remarkable Spygate date, which will pop out of the timeline, I’ll take this opportunity to emphasize that what the two servers were doing is not what was happening with the unauthorized contractor access to raw data from NSA – a thread that also came to the fore in March 2016.

The unauthorized contractor access called out by Admiral Rogers at NSA was identifying information about the individual persons involved in human-content comms exchanges.

The two servers “talking” to each other were patterns of the mechanism, not patterns of a developing human cognitive exchange.  Humans, through spoofing, may have deliberately provoked the mechanism to go active according to its patterns, as Alfa Bank alleges.  But if so, it would have been in order to present the mechanism’s activity as evidence for something.  It wasn’t to discern, or “listen in” on, what humans in communication with each other were doing or thinking.

A set of cyber experts with government contracts and specialized access to the mechanism – the Internet – may have been involved in the Alfa Bank server subplot.  The Sussmann indictment appears to confirm that that’s the case.  But they weren’t doing the work contractors at the FBI were doing that brought them in contact with the raw comms information from NSA:  the information that revealed people’s identities.

A whiff of prior knowledge?

The second, alleged event, potentially as early as March 2016, is one that suggests prior planning by Spygate actors of a “Russia-Trump communication” hoax with the same features as the “Alfa Bank-Trump” narrative.

That event, which would require additional investigation to prove as to timeframe, is alluded to in the account of the so-called “second dossier” compiled by an old Clinton running-mate, Cody Shearer, in the spring and summer of 2016.  The Shearer “dossier,” like the Steele dossier, was supposedly opposition research on Trump (and mirrored much of the material in Steele’s).  It was fed into the federal agencies through Sidney Blumenthal and the State Department, rather than shopped to the FBI.

In his dossier, Shearer described speaking with a former CIA officer, Robert Baer, who later said their exchange occurred in March or April of 2016. 

Cody Shearer in 2008. (Image: Screen grab of Real News video)

According to Lee Smith at Real Clear Investigations, Baer’s significant information was this:  “Shearer writes that Baer told him ‘the Russians had established an encrypted communication system with a cut out between the Trump campaign and Putin.’  Baer told RCI that ‘he’d heard that story from acquaintances at the New York Times who were trying to run the story down.’”

As noted in this treatment, the “communication system with a cut out” sounds like the alleged Alfa Bank-Trump link – and is the only such communication pathway described in any of the subplots of Spygate/Russiagate. 

But the problem is that there’s no allegation in the narrative (and no evidence) that suspicious comms were observed between the two servers prior to May 2016.

There was nothing for anyone to “see.”  If Baer was speaking to Shearer of the later-alleged Alfa Bank link, he was speaking before anything was observed from it.  It didn’t start until 4 May 2016.

Baer gave his source as NYT acquaintances who were trying to run the story down.  It’s not at all infeasible – it would be in-pattern, in fact – for those NYT acquaintances to have gotten their information from people in the Hillary campaign, DNC, or even a federal agency.

But by Baer’s recollection, it would have been before there was “suspicious” server activity for “Concerned Nerds” to even notice, much less for Democratic leakers to have been aware of.

Stipulating again that this requires investigation, it would indicate that someone passing information to NYT knew of a plan to link Trump to a Russian comms waypoint – the Alfa Bank server – before the plan went into execution.

And again, it would be in character for the “someone” to want to load NYT with a prior perspective on such information, in anticipation of when it would begin to manifest itself.

The March 2016 timeline

Here’s a selection of other developments in March 2016.  Note the one on 9 March.  Events directly connected with the Alfa Bank subplot have the date underlined.

“Early March” 2016: Fusion GPS contacted law firm Perkins Coie about doing opposition research work for the 2016 election.

“March 2016”: James Comey later stated this was when he became aware of Russian intelligence indicating communication between Attorney General Loretta Lynch and the Hillary campaign about Hillary’s email “matter.”

“March or April” 2016:  Cody Shearer learned from retired CIA official Robert Baer of a “communications cut out” between Putin and Trump being tracked down by the New York Times.

6 March:  George Papadopoulos (who had left the Ben Carson campaign in January 2016, and begun an affiliation with the London Centre of International Law and Practice (LCILP) in February 2016), learns he will be a member of the Trump campaign’s foreign policy advisory team.

Between 7-14 March:  Probable period when John Brennan visited the Russian FSB in Moscow (the closest Russian counterpart to the national-security intelligence branches of the DOJ and FBI), supposedly to discuss “Syria.”  The visit was reported on 14 March 2016, so it would have occurred before then, and could have been as late as 14 March (but probably wasn’t).  I’ve outlined before why a discussion of Syria doesn’t make sense: largely because the FSB, per se, would have less than Russia’s other intel organizations to say to Brennan or anyone else about Syria.

9 March: Back in the U.S., an exceptionally important discovery was made. This discovery was revealed in 2017, when an opinion from the FISA Court, issued in October 2016, was made public in redacted form.

The FISC opinion stated that on this date, 9 March 2016, the Department of Justice learned the FBI had been improperly disclosing raw FISA information (that is, information that would include unmasked U.S. person identifying information, or USPI) to an entity largely staffed by private contractors.

On the same day, Lisa Page texted Peter Strzok about a blowup at the FBI’s Washington Field Office. The WFO made extensive use of contractors to perform tasks for the FBI missions of national security and counterintelligence, which is the most likely reason to find contractors in proximity to FISA intelligence that could involve U.S. persons.

It was several weeks later, on 18 April 2016, that NSA’s director, Admiral Mike Rogers, completely shut down such access to the relevant data fields of NSA information from telecom communications.

It was also the case that the company John Brennan had been president of just before joining the Obama administration – The Analysis Corporation (TAC) – had long-running contracts with both the FBI and the National Counterterrorism Center (NCTC) to process and administer just such information in the relevant databases.  (TAC was the company implicated in the improper accessing of John McCain’s and Barack Obama’s passport information in 2008.  See the links at the previous LU article above for the complete story.)  Of all the possibilities speculated on in regard to the 9 March revelation about contractor access, the possibility that it involved TAC contractors is the one with the most patterns-of-Washington aspect.

As I have pointed out before, the top trio of Brennan, DNI James Clapper, and James Comey was undoubtedly aware at least a day before, and possibly a few days before 9 March, of Mike Rogers’ intention to report to the FISA court on the exposure of USPI to contractors.

9 March 2016:  Technical evidence stamped this as the date when the marketing company Cendyn’s contract support for the Trump organization apparently ended.  That was the last date on which the “A record,” or address record, for the Cendyn-registered domain name “mail1.trump-email.com” pointed to the Listrak server in Pennsylvania.  (Ankura report, p. 5; see extended discussion above.)

14 March 2016: Papadopoulos first meets with the extensively connected Joseph Mifsud, in Italy.  Mifsud purports to initially have little interest in Papadopoulos, but warms up when he learns Papadopoulos has a connection to the Trump campaign.

19 March 2016: Hackers, eventually proclaimed to be Russian, gain access to John Podesta’s email account.  Numerous emails between Podesta and Hillary Clinton are added to the Hillary emails previously made available by the “Guccifer” hack of Sidney Blumenthal’s email account.

21 March 2016: The Trump campaign publicly names Papadopoulos as one of its foreign policy advisers.

23 March 2016:  Rodney Joffe, thought to be “Tech Executive-1” in the Sussmann indictment (and one of the key figures of the Alfa Bank-Trump narrative), visited the Obama White House.

See the discussion of Pentagon IP addresses near the end of this article for more on Joffe.

24 March 2016: Papadopoulos meets with Mifsud in London, along with the Russian woman introduced to him at the time as “Putin’s niece.” (She is subsequently identified as Olga Polonskaya, former manager of a wine distribution company who was in London to discuss an internship with Mifsud.  She is not Putin’s niece.)

For our purpose, that closes March 2016.  The point of including these varied threads is that in hindsight, it’s obvious this entire Spygate/Russiagate saga was known to a set of interacting principals at the time, and could not possibly have been “about” a mere reaction to unexpected developments in Donald Trump’s life.  It was a plan being formed and executed, and had that character at least as early as March 2016 (and probably before).

April 2016 was a very interesting month, but to keep the focus on the Alfa Bank drama, fast-forward to May.

May 2016

This focus area opens with the last days of April 2016, when the DNC penetration by Fancy Bear was reportedly discovered.  Cozy Bear had already penetrated the DNC network in mid-late 2015, and it’s unlikely the DNC was unaware of that, given the warnings the FBI had issued since the late summer of 2015 about Russian cyber-attacks on U.S. political organizations.

29 April: The DNC reportedly discovers the penetration of its servers by unknown hackers.  (We don’t know how long this was after a notification by the FBI earlier in April that the DNC email system had been penetrated.  See link.)  An emergency meeting is called between Debbie Wasserman-Schultz (DNC Chief Executive), Amy Dacey (DNC Technology Director), Andrew Brown, and Michael Sussmann, a lawyer for Perkins Coie.  Sussmann is a former federal prosecutor for the DOJ whose expertise is computer crime.

2 May:  James Comey (then FBI director) emails his draft statement on the Hillary Clinton email investigation to Deputy Director Andrew McCabe, FBI General Counsel James Baker, and FBI Chief of Staff James Rybicki for comment.  This is two months before the statement was issued in July, and before key witnesses have been deposed.

3 May:  Trump wins the Indiana primary and Ted Cruz drops out.

4 May:  John Kasich also drops out of the GOP race.  Trump is now the only remaining candidate and presumptive GOP nominee.

4 May:  Five days after first discovering the server penetration at the DNC, Michael Sussmann – of Perkins Coie – finally calls CrowdStrike to arrange for analysis of the problem.  Sussmann’s call goes to CrowdStrike executive Shawn Henry, a long-time official at DOJ and FBI whose expertise is in computer crime, and who had been hired by CrowdStrike in 2012.  Sussmann and Henry probably knew each other during their extensively overlapping time at DOJ/FBI, working in the same field.  It isn’t clear why it took five days to make this decision.

4 May:  The Alfa Bank-Cendyn/Listrak DNS lookups begin.  As mentioned in the 9 March entry, there is discussion in both an Alfa Bank court filing in June 2020 and Durham’s Sussmann indictment of the possibility and/or likelihood that the lookups were provoked through spoofing by a third-party cyber actor (the John Doe in Alfa Bank’s lawsuit).

6 May: Andrew McCabe forwards Comey’s draft statement on the Hillary Clinton email investigation to top counterintelligence officials Peter Strzok and E.W. “Bill” Priestap, along with Jonathan Moffa, and an employee in the Office of General Counsel whose name was redacted in the documents viewed by the Senate. 

6 May: In London, Erika Thompson contacts George Papadopoulos to set up the social meeting with Alexander Downer.

9 May: Clues from redacted congressional testimony and Strzok-Page texts put Bill Priestap, Strzok’s FBI boss, in London.  It appears, based on the timing of a Peter Strzok text, that the decision for Priestap to go to London was made just before (or perhaps on) 6 May 2016.  Priestap, the chief of the FBI’s counterintelligence division, is thus in London just before (and probably on) the date of the next event below.

10 May:  George Papadopoulos has the meeting arranged with Alexander Downer in London.  Although the media have reported this event with an earlier date, Papadopoulos has it as 10 May 2016.  This meeting is later reported to have involved a drunken Papadopoulos bragging to Downer about the offer Joseph Mifsud made of Russian “dirt” and “thousands of emails” involving Hillary Clinton.  However, both Papadopoulos and Downer have denied an exchange taking place in such terms.

By the Russiagate narrative, Downer’s information about this meeting didn’t get to the FBI until late July 2016, whereupon the FBI began the Crossfire Hurricane “investigation.”

In the interim between this meeting and June, Christopher Steele was hired by Fusion GPS to compile the dossier on Trump, and the Democratic National Committee dealt with the intrusion on its IT system attributed to the Russians.

“May 2016”:  Researcher Nellie Ohr, who had been under contract with Fusion GPS since September 2015, was assigned by Fusion GPS to perform tasks that made her a key contributor to the Steele dossier.  Reasons this is significant to our current timeline include Ohr’s expertise in Russian cyber activity, her prior work for the CIA program Open Source Works (up through 2014), and the timing overlap of Ohr’s initial connection with Fusion and the September 2015 announcement of the Trump organization’s shift from Cendyn to Serenata for customer relations management (discussion further below).

We can’t know whether Ohr might have been hired because of that last consideration, or perhaps her hiring made Fusion and other Spygate planners aware of it due to her open source research skills.  It may be that she was unconnected to that “intelligence” about Trump at all.  But it’s an obscure point of information, of the kind Ohr excelled at unearthing.

25 May:  The last date on pilfered DNC emails later published by WikiLeaks.  The DNC emails, plucked out by the Fancy Bear intruders, were mostly sent and received after 29 April 2016, the day the intrusion was detected.  (Luke Rosiak – see the link – reported the date range for 75% of the emails as 5-25 May; i.e., after CrowdStrike was called in.)  CrowdStrike and the DNC let Fancy Bear continue to operate in the DNC network until 10 June 2016.  (See here also for more perspective on the Fancy Bear intrusion and the odd emphasis on it in media reporting and the Mueller investigation.)

The interim

Another fast-forward transition here, across ground already covered in excellent treatments of Michael Sussmann’s role in shopping the “Alfa Bank-Trump” narrative to the FBI and the media.  As noted earlier, the most active period for that thread was July through October 2016.  It kicked into high gear in the big week in late July when – during the Democratic National Convention – the media began firehosing the public with speculation about a Trump-Russia connection; Crossfire Hurricane was initiated; and Obama got key briefs from Brennan on the Russian intelligence about Hillary’s oppo effort, and reportedly about “foreign intelligence” on a Trump-Russia connection.

Obama meets with national security principals in the Situation Room in 2014. (Image: The Obama White House)

There are far too many interesting instances of “timing” to cram them all into one article.  The third passage of special interest here, as regards the “Alfa Bank” saga, is one highlighted in the Alfa Bank “John Doe” lawsuit filed in Pennsylvania in June 2020.  That suit gives three individual dates in February and March 2017 on which there were surges of pro forma contact involving the Alfa Bank server and a seemingly Trump-related domain name – a name that was invalid, but appeared to be a hybrid of domain names registered by Cendyn for its contract years with the Trump organization.

The context around those dates is very interesting.

February-March 2017

8 February:  James Comey had his notorious meeting at the White House with Donald Trump, memorialized by the memo later leaked via a Comey associate to the media.  Comey was in text communication with Senator Mark Warner’s office while he was at the White House.  (See link; at the same time, attorney Adam Waldman was working to set up a negotiation with Julian Assange over what became known as the “Vault 7” WikiLeaks release of stolen U.S. government cyber tools, and was trying to arrange for Warner to meet with Christopher Steele.)

9 February:  Michael Sussmann speaks to “Agency-2” (probably the CIA) about the Alfa Bank and Cendyn-contracted server activity, “including new details concerning the Russian Bank-1 allegations that he had not provided to the FBI General Counsel” and providing “several white papers, and … multiple data files containing purported DNS data, ranging from 2016 through early 2017.” (Sussmann indictment, p. 24)

10 February:  Jake Sullivan (one-time Hillary aide, today Joe Biden’s national security adviser) met with Daniel Jones (founder of the Soros-funded Democracy Integrity Project (TDIP)), two Fusion GPS staffers, and John Podesta to “hatch the post-election plan to resurrect rumors Trump was a tool of the Kremlin.”  Says Paul Sperry at Real Clear Investigations:  “In effect, Jones’ operation would replace the Clinton campaign’s operation, continuing the effort to undermine Trump.”

16-17 February:  During a period of hours, when Mark Warner and Adam Waldman texted about the negotiation with Assange over the cyber-tools leak, Comey intervened through Warner to spike the limited-immunity deal being offered to Assange as a means of containing the scope of the leak.  DOJ was reportedly prepared to approve a deal, but Comey’s intervention spooked Assange and it didn’t come off.  (See link above at 8 February.)

18 February:  According to the Alfa Bank lawsuit in Pennsylvania, the Alfa Bank server was queried multiple times for the hybrid (and invalid) domain name   “mail.trumpemail.com.MOSCow.AIFaintRa.nEt,” which “combines two valid domain names associated with The Trump Organization and Alfa Bank, ‘mail.trump-email.com’ and ‘moscow.alfaintra.net.’” (Alfa Bank lawsuit, p. 16)

4 March:  Trump sends his “wiretapping” email.

7 March:  WikiLeaks released a trove of information “revealing that the CIA had developed cyber tools that could mimic the profile of Russian hackers, and make it look as if a hack had been done by the Russians when it was actually the CIA.”  See additional information about the spring 2017 WikiLeaks releases in later reporting here.  This is the outset of the release the deal with Assange, blocked by Comey, was supposed to limit.

8 March: Following the Trump tweet of 4 March, Reps. Devin Nunes and Adam Schiff, the chairman and ranking member of the House Intelligence Committee, sent a letter to the acting attorney general (Dana Boente) requesting “copies of any applications the Justice Department submitted to the Foreign Intelligence Surveillance Court, any orders that the court released, and any copies of warrants issued by federal judges or magistrates regarding Trump, his campaign surrogates, business associates, employees, family and friends.”  The timeframe requested was the year 2016.  Nunes and Schiff gave the DOJ a deadline of 13 March to respond.

Note that this was national security information being requested.  Thus, the DOJ and FBI officials fielding the request would have been a laundry list of the Spygate principals:  the ones involved in the FISA requests, Crossfire Hurricane, and the handling of George Papadopoulos, Carter Page, and Michael Flynn.

Be sure that the Nunes/Schiff request was a major decision point for them.

11 March:  The first of some 20,000 more DNS lookups from the invalid “Trump address” of 18 February were sent to the Alfa Bank server.  The Pennsylvania lawsuit notes that this flurry occurred the day after CNN published a news item headlined “Sources: FBI investigation continues into ‘odd’ computer link between Russian bank and Trump Organization.” (Alfa Bank lawsuit, p. 16)

13 March:  DOJ requested more time for the Nunes/Schiff request.  Nunes’s office told the media that if there was no response before FBI Director James Comey testified to the House committee the following Monday (20 March), Nunes would request the information during Comey’s hearing, and would subpoena it if necessary.

13 March:  Thousands more lookups (i.e., the remainder of the 20,000 total in March 2017) were sent from the invalid “Trump address” to the Alfa Bank server.  (Alfa Bank lawsuit, p. 16)

17 March:  Devin Nunes told media:  “The Committee is satisfied that the Department of Justice has fully complied with our request for information from our March 8 letter on possible surveillance related to Donald Trump or his associates.”  This was the day, according to a court document from the prosecution of Senate staffer James Wolfe (see 8 March link), that at least one FISA application was made available in the SCIF on Capitol Hill.  Wolfe was charged with leaking the initial FISA application from October 2016 to news media.  (He later got a two-month slap on the wrist for it, possibly because other people on the Hill knew what he was doing.)

After this date in March 2017, a number of media outlets had an unredacted copy of the initial Carter Page FISA application, a detail ferreted out by “sundance” at Conservative Treehouse.  As discussed at the 8 March link, the Spygate conspirators may well have decided between 8 and 17 March to allow the leak to happen.  Such a decision would have given the media significant context for the role they continued to play in fostering the Russiagate hoax.

That heavily-freighted week in March 2017 makes it extremely unlikely that the server activity spikes recounted by Alfa Bank on 11 and 13 March were mere happenstance.

Devin Nunes (Image: Screen grab of Fox News video, YouTube)

20 March:  Comey testified on Capitol Hill.

21 March:  Nunes made his famous visit to the White House complex and viewed material on the unmasking of U.S. persons, an inspection arranged for him by officials inside the White House.

22 March:  Nunes briefed his concerns about monitoring activity by the National Security Council against the Trump campaign to the media.

28 March:  Daniel Jones, who had conferred with Jake Sullivan and Fusion principals in February, “met with the FBI,” according to Paul Sperry, “to pass on supposedly fresh leads he and the cyber researchers had learned about the Alfa Bank server and Trump, and the FBI looked into the new leads after having closed its investigation a month earlier.”  The Alfa Bank narrative was thus still a live subplot being pushed by what in a sense became the anti-Trump Spygate war-room (TDIP) in early 2017.

Summary points

The Comey date with Trump (8 February 2017), and the approaches of Michael Sussmann to the CIA on 9 February 2017, and Daniel Jones to the FBI on 28 March, bracket the intense flurry of events from mid-February to the latter half of March.  The events are of startling scope in hindsight, but they revolve around the common, interwoven thread of cyber activity and surveillance.

And for some reason, there were three upticks in cyber activity purportedly involving the Alfa Bank server and a Trump-linked domain during that period.  The level of activity on each day in March 2017 greatly exceeded that of the “suspicious” period between May and September of 2016.  The analyses done for Alfa Bank’s 2020 “John Doe” lawsuit connect them with the same “John Doe” actors involved in 2016 with the Listrak server, which is why they’re part of the lawsuit filed in Pennsylvania.

Alfa Bank’s allegation is that cyber attackers spoofed the comms in the listed timeframes, in both 2016 and 2017, to make it appear that a Russian entity (the Alfa Bank server) was communicating with a real server, and then a fake domain, that had a connection to Trump.

Alfa Bank is unlikely to make such an allegation frivolously.  The bank offered the corroborating analyses of three different cyber services to support the allegation; inclusion in such a filing would be damaging to the cyber services, and become itself the basis for a lawsuit, if it were done for frivolous or malign purposes.  It’s most likely that Alfa Bank is acting straightforwardly here.

From a zoomed-out perspective, the events of March 2016 and February-March 2017 bracket the period of Michael Sussmann’s involvement, recounted in the Durham indictment.  In that larger context, the “Alfa Bank” plotline frankly doesn’t look like happenstance at all.

It doesn’t even look like a pickup game starting from the 9 March 2016 date when Listrak’s server stopped fielding the mail.trump-email.com domain.  It looks like an Internet arrangement that had been scoped out beforehand, possibly as early as September 2015, when Trump and the company Serenata NetHotel announced the new relationship that would supplant Cendyn’s role.

Trump, for all his quirks, was obviously a force to be reckoned with by that point in the early campaigning.  It’s very unlikely that planning for an elaborate subplot like the Alfa Bank drama didn’t start until two months before 4 May 2016, when the server chatter was launched.  To prepare such a plan in support of the “Trump-Russia” hoax narrative, longer and more comprehensive observation of the real Trump-Cendyn interactions (the ones before March 2016) would have been much preferable. 

A theory for that interpretation would be that planners who scoped it out were aware of the impending termination of the Trump-Cendyn contract, and may even have been reasonably sure, just before 9 March 2016, when the domain-name link to the Listrak server would be affected.

What were the potential ways to know that?

One way might, of course, be communications surveillance performed by a federal agency, under a National Security Letter dragnet that swept in the comms of foreign entities like Alfa Bank, whose cyber links, frequent or occasional, could have included Trump-linked cyber outlets like Cendyn and Listrak.

Another might have been through the two-hop associations of Paul Manafort, who had been under FISA surveillance before March 2016, when he became a Trump campaign official.  Whenever he was in contact with a Trump associate during that monitoring period, the FBI might have pulled comms going back far enough to map out the cyber relations between the Trump Hotels and Cendyn, including occasional client interlocutors like Alfa Bank.  (I see this as the least likely method, at least if it stood on its own.)

A third potential, and curious, method is suggested by the peculiar saga in 2021 of the Pentagon IP Addresses.

The Pentagon IP Addresses’ Big Day Out

The Pentagon IP addresses came up almost immediately after Durham filed his Sussmann indictment, because the Sussmann client of greatest interest, “Tech Executive-1,” is thought to be Rodney Joffe, formerly an executive with Neustar and a colleague of many years’ standing with Raymond Saulino, whose tiny, thin-profiled company Global Resource Systems, LLC (GRS) took over millions of Pentagon-held IP addresses on 20 January 2021.

This cyber event was eye-popping for the industry, although the general public didn’t learn about it until April 2021.  I reported on it here, and won’t regurgitate all the information about it. 

Rodney Joffe has no apparent connection to the GRS-Pentagon arrangement, but his role in the Alfa Bank saga was significant (see the Sussmann indictment, and the 23 March 2016 timeline entry, above).

As for the Pentagon IP addresses adventure, one of the noteworthy aspects is that GRS funding maps back in significant part to the political circles Obama ran in in Chicago and the investment firms they patronized.

Rodney Joffe. Neustar video, YouTube

But another noteworthy aspect is the end date of the Pentagon’s arrangement with GRS:  7 September 2021.  There was a minor blip about it on the mainstream media radar screen on 10 September, and then the information about the Sussmann indictment began to come out.

As noted by many, the IP addresses were shifted from the Pentagon to the GRS arrangement three minutes before Joe Biden’s statutory term began on 20 January 2021.  Now they’re back with the Pentagon.

Here’s a money quote on what can be done with those IP addresses, if properly-accoutered cyber actors are aware of their accessibility on the Internet:

[T]here is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space. A recent example is Cloudflare’s announcement of 1.1.1.0/24 and 1.0.0.0/24 in 2018. …

According to their blog post soon after the launch, Cloudflare received “~10Gbps of unsolicited background traffic” on their interfaces.

And that was just for 512 IPv4 addresses! Of course, those addresses were very special, but it stands to reason that 175 million IPv4 addresses will attract orders of magnitude more traffic. More misconfigured devices and networks that mistakenly assumed that all of this DoD address space would never see the light of day.

[…]

[W]e can certainly hope that the DoD uses the threat intel gleaned from the large amounts of background traffic for the benefit of everyone. …

[Y]our corporate network may be using the formerly unused DoD space internally, and if so, there is a risk you could be leaking it out to a party that is actively collecting it. 

Someone with more expertise would have to tell me if such a use is only available to third parties who’ve had the addresses “announced” to them by a public-facing entity such as GRS.

But my guess is that the same thing could be done by cyber actors with the right tools who have privileged access to the wider Web, and to the IP addresses when they’re under the ward of the Pentagon’s DOD Information Network, or DODIN, and “unannounced.”

One thing we can be sure of, after more than four years of watching Spygate unfold:  it’s quite possible those who had access to the Obama Pentagon’s IP addresses in 2016 were not confined to the authorized stewards of the IP addresses inside the Department of Defense.  If a questionable enterprise involving Pentagon IP addresses were undertaken through backroom-brokered access, there’s no reason it couldn’t flourish – if the requisite officials kept it under wraps.

I’d be asking, among other things, where the cyber records are of any activity the Pentagon IP addresses were implicated in, in 2016.  There could be more than one method of gleaning information from unsuspecting business (or other) networks; “listening in” via FISA methods on the Trump organization’s (or Alfa Bank’s) comms, from NSA and the FBI, might not have been the only way.

Where a Global Resource Systems LLC keeps popping up. Plantation, FL. Google Street View

In fact, as I’ve pointed out before (see here, here, here, and here), such “listening in” would get only part of the job done.  Because of the separation of national-security and law-enforcement monitoring, which are not supposed to overlap due to Fourth Amendment constraints, it would require an enterprise unified above the level of enforceable accountability to make them work together and deliver the full picture that comes from content and identities as well as non-identity metadata.

That’s why the National Security Council staff level is the lowest at which Spygate could have been brought off.

What we haven’t seen clearly up to now is that having a whole bunch of idle IP addresses available for active data-gathering, through a virtually unknown back door, is another method to flesh out a surveillance picture.

It’s a separate form of data at issue.  And it is another method:  this is not what NSA’s FISA-regulated apparatus does, and one has nothing to do with the other.  (See the discussion above on the 9 March 2016 events.  I’ve seen some observers speculating that the alleged DNS-lookup spoofing between the Alfa Bank and Cendyn servers was part of the NSA-centered monitoring done against the Trump campaign, and that’s incorrect.  The cyber experts who compiled the data on the Alfa Bank-Cendyn exchanges didn’t need access to the NSA information improperly exposed to contractors.  The latter is a whole separate issue.)

This niche opportunity would lie outside of most areas of expertise, and possibly even the prior arrangements of statute law.  It’s surreally arcane to almost everyone on the planet, and hard to absorb mentally as an option.  Any bets that in 2016, the Spygate planners were not using it?

14 thoughts on “The Sussmann indictment and the Alfa Bank saga: A focused timeline”

  1. Dear readers,

    I’m leaving the first “reply” to make a brief comment about comments.

    I believe it’s still the case that I will need to give one “approval” for a new commenter, after which your comments will appear automatically. Those with existing WordPress accounts I think can comment without needing an approval.

    Don’t be discouraged by the one-time approval requirement. Crowd in. I’ll be on the lookout. My apologies in advance to anyone who has to wait for that first comment to appear.

    Welcome back.

    1. My dreams have come true. You are hereby awarded a BUNNYS HAMBURGERS #2 basket with a medium size drink.

    1. Whoa – I can’t believe I missed that one. Thanks for posting the link, and welcome to the new TOC, Alex.

      So Clapper was in Oz mid-March 2016. Exact same time first contact was made between Mifsud and Papadopoulos, and 6-odd weeks before the meeting set-up with Alexander Downer in London. (Downer was well known to Stefan Halper as well; they plied the same circuit in the MI-6/Cambridge orbit.)

      Brennan was in Moscow sometime in the previous 7 days.

      And Bill Priestap went to London to be there for the Pdop-Downer meet on 10 May.

      1. Yeah. I can’t tell for sure but I’d surmise Clapper in New Zealand met with Iran’s FM Mohammed Zarif. That would make the Brennan claims re: Syria somewhat more credible to my untrained eyes. My biggest suspicion concerns Priestap in London: I know that there are email exchanges between him and then-CIA London Station Chief Gina Haspel RE: George Papadopoulos. I have been wanting them declassified for about 18 months now. I haven’t seen them and I don’t think they have been leaked but I know some prominent people want them out. These people include Dan Bongino and Chuck Grassley.

  2. Great relaunch!
    Can not help wondering what Perkins Coie emails no longer covered by attorney-client privilege will reveal.
