Paul Sperry had an article at Real Clear Investigations on 7 October in which he reported that John Durham’s investigation of the federal government’s handling of “Russiagate” is focusing on Pentagon contractors. Like the “speaking indictment” of Michael Sussmann, this framing of where Durham’s headed functions to shift perceptions somewhat, shedding new light on old information.
Like so much of the “new light,” the investigative pathways prompted by what has recently come out cause us to look further back and see the fresh likelihood of connections between the familiar events of Spygate/Russiagate and earlier events.
This treatment will not be at all comprehensive. It’s a collection of such potential links, assembled in the last few weeks and presented in complete sentences as a marker, rather than as a finished analysis or theory. Basically, these are research notes. I want to get them out there as a service.
Rather than attempting to weave them as a story, I’m trusting readers to know the basic outline and recognize why dates and events are significant. There has been prior work on all of the points here: nothing is entirely new, as I think dedicated followers of the problem set are aware. Hyperlinks will take you to more extended discussions and analyses.
Here is the grab-bag of interesting points, in no particular order.
As a general observation at the outset, the mere focus on Pentagon contractors takes us in a different direction from previous probes. There have been two thematic Spygate links to the Pentagon, neither of which has so far appeared to implicate “the Pentagon” per se in the Spygate conspiracy. The links are the electronic surveillance capability managed for the whole intelligence community by NSA (a subordinate agency of the Pentagon for programming purposes), and the secretive activities of the Office of Net Assessment, for decades (1973 to 2015) the fiefdom of a single individual (founder Andrew Marshall) and operated with little apparent oversight by senior officials who come and go with SES rotations and political appointments.
In each case, the motives for using Pentagon assets were clearly centered elsewhere: primarily at the NSC staff (i.e., the White House) and the DOJ and FBI, with collateral activity at ODNI, CIA, and the National Counterterrorism Center (NCTC).
It was certainly possible to speculate before now that the Pentagon, qua Pentagon, was implicated in the motivated-collusion aspect of Spygate. But the fresh revelations about Durham’s investigation – and their connection with the 2021 story of the Pentagon IP addresses – begin to make that more tangible and certain.
Paul Sperry’s article highlights the interest in cyber experts Rodney Joffe and April Lorenzen, the latter of whom Sperry identifies as the “Tea Leaves” personality from the Michael Sussmann indictment. It’s not my interest here to regurgitate everything Sperry has already written, so I ask readers to consult his article for more on that. Per the Sussmann indictment, the Joffe/Lorenzen work relates to the attempt to link the Trump organization to Alfa Bank.
The points that stand out to me include these: that Joffe and Lorenzen worked together with researchers at Georgia Tech to comb non-public information about Internet transactions for signs that could be interpreted as dirt on Donald Trump and his organizations.
A key point of interest is that the Pentagon connection is ultimately through Georgia Tech and its researchers. The researchers used by Joffe and Lorenzen during the 2016 campaign scored a $17 million Pentagon contract for cybersecurity research on 17 November 2016, right after the 2016 election but before Trump took office.
One likely implication of that contract is that similar work continued into the Trump presidency. That isn’t demonstrated (Sperry hints at it) – which is why these are research notes – but it’s a possibility to file for reference. The opportunity and motive are there.
The truly interesting aspect of this point, however, is the word “Georgia.”
Georgia in the pattern
Where did we see “Georgia” and “cyber” contracting with the federal government before? That’s right: in the Pentagon IP addresses caper, which is linked by numerous threads to Obama, as well as directly to Rodney Joffe, and to another institutional cyber contractor in Georgia, the Georgia Cyber Center.
In my article in April 2021 on the IP addresses, I turned up quite a bit on the Obama connections. Those connections wended through the Pentagon and its Defense Digital Service (DDS), whose founders – with a neon-flashing founding date of November 2015 – were linked to Obama through Chicago’s Democratic machine, Obama’s 2008 campaign organization, and the IT raiding squad introduced in his second term within the Office of Management and Budget. (I wrote extensively on the latter in earlier articles; see the links in the “Cry havoc” piece.)
As for Joffe, he of course was a long-time associate of Raymond Saulino, whose Global Resource Systems in Plantation, Florida suddenly took over 175 million Pentagon-held IP addresses two minutes and 25 seconds before Joe Biden’s term officially began on 20 January 2021.
But the identification of both the Georgia Cyber Center and Georgia Tech as pivotal connections in – respectively – the IP addresses incident and Durham’s Spygate probe has turned up a most fascinating connection.
There is first of all the point that both entities have federal contracts for cybersecurity research. That by itself has a satisfactory face-value explanation: Georgia is working to establish itself as a go-to cyber activities research hub in the Eastern U.S., and is cultivating both contacts and federal contracts in pursuit of that goal.
Both entities’ contracts are with the Pentagon, which intensifies the interest. The Georgia Cyber Center hosts a satellite site for the Pentagon DDS. The site is nicknamed “Tatooine,” and was formally opened in 2019.
The Georgia Tech-Pentagon contract – again, awarded in November 2016, and later extended, according to Sperry – is for a project named “Rhamnousia” (an alternate name for the Greek mythological character Nemesis).
It’s of more than passing interest that the advertised purpose of the project is analyzing cyber events for attribution. That iffy proposition has been the core of the company brand for the most famous cybersecurity player in Spygate: CrowdStrike. The recurrence of the “attribution” theme definitely needs to be filed for reference, as long as we’re logging research notes here.
But none of that is the really interesting part. The really interesting part is about Georgia.
That’s because both of the cyber research entities, with their links to Obama’s political constellation, the Pentagon, and in Georgia Tech’s case the 2016 DNC/Hillary anti-Trump campaign, were drafted in early 2020 by Georgia Secretary of State Brad Raffensperger to collaborate with his office on cybersecurity for the 2020 election.
We would naturally expect the state of Georgia to look within Georgia for expert collaboration on election security. But it’s arresting, shall we say, that after Governor Brian Kemp complained in 2016 of actors from the Obama federal executive trying to intrude into Georgia’s voting information database, research entities with so many connections to the Obama administration were enlisted to help secure the 2020 election in Georgia.
In January 2020, Raffensperger announced an election security partnership with the Georgia Cyber Center.
And in February 2020, Georgia Tech’s researchers came onboard to help with election security as well.
File it for future reference.
Before leaving the Pentagon contractors connection, let us note what Sperry has to say about April Lorenzen’s current activities:
In her bio, Lorenzen also said she currently serves “as the principal investigator for a critical infrastructure supply-chain cybersecurity notification research project.” She did not provide further details about the project.
Supply-chain cybersecurity “notification,” under the heading of “critical infrastructure.” Another one to file away.
CrowdStrike and a cybersecurity niche
This last freshly highlighted feature is not yet a well-developed one, and I won’t be making lengthy observations about it. The set-up for it is twofold, in terms of prior persistent threads in the Spygate drama.
One is CrowdStrike’s role in handling the DNC intrusion in 2016. Readers will be most familiar with this thread, I think, and in light of revelations from the Sussmann indictment, there has been much written about it over the last couple of weeks.
The treatments focus on the rapid loss of credibility for the “Russian hacking” proposition, which is perfectly fair. But it’s not my focus here. What principally strikes me about the “fresh look” from the Sussmann indictment is how very well-known CrowdStrike was to the FBI, and how little formality (or roadblocks to communication) there could have been between a set of actors who knew each other well.
It has been pointed out repeatedly, since we first learned the FBI never got the actual DNC server to inspect, that it’s quite odd the server was never simply subpoenaed. Certainly the Mueller effort could have used it, if the objective was to prove something one way or the other about Russian hacking related to the 2016 election.
With the Roger Stone indictment, we learned that CrowdStrike’s analysis, relied on by the FBI, was forwarded only in redacted form due to “attorney-client privilege” involving Perkins Coie as the middleman.
Again, this tends to impugn the Russian-hacking thesis, and we’ve known that for some time. But with Durham pursuing the possibility that cyber evidence was concocted, or faked, what really stands out is how not having the server, and not having a complete, unredacted report from CrowdStrike, would have kept key information out of FBI records, and therefore undiscoverable. (It’s like admitting the FBI has the Hunter Biden laptop: if it’s acknowledged, the FBI is on the hook for what’s being done with it.)
Direct forensics or a complete report from CrowdStrike could well have put inconvenient pieces of information into records a court could demand, or Congress, or the public. The FBI (and DOJ) knowing CrowdStrike well – and having their own alumni roaming the halls at Perkins Coie – would have made it easier to agree without a paper trail on a less vulnerable arrangement.
Now consider that point alongside less-remembered things we have known about CrowdStrike since 2017. I’m providing a link here to an extensive survey I did in March 2017, just before CrowdStrike principals were supposed to testify in Congress on 11 March.
CrowdStrike’s connections to the Obama administration were quite as numerous as those of the Pentagon DDS founders; perhaps even more so. A handful of observers pointed out at the time how overfreighted CrowdStrike was in this regard, for a cybersecurity firm we were supposed to accept as an independent expert on Russian activity in 2016.
And curiously enough, the very day of the scheduled hearing, CrowdStrike dropped out and didn’t show.
As a final exercise, let’s get the timeframe organized mentally. Pull some threads together: the Pentagon DDS was stood up in November 2015. Its charter was cybersecurity and insight into Web activity. In January 2021, it was the Defense entity that announced it was running a “pilot program” when the IP addresses were turned over to Raymond Saulino. We can assume, given its links to the top levels of the Obama administration, that it didn’t twiddle its thumbs idly in the interim between those two dates.
The Joffe/Lorenzen collaboration with Georgia Tech, which got a Pentagon contract just after the election, occurred during the 2016 campaign. Sussmann appears to have been using information from that collaboration, which was a key element in the DNC/Hillary Clinton oppo effort, to prime the pump at the FBI. The focus of the Joffe/Lorenzen collaboration, as referenced in the Sussmann indictment, was the alleged Russia-Trump cyber connection through Alfa Bank.
CrowdStrike was brought in on the DNC intrusion in May 2016, in the same 24-hour period when Alfa Bank’s server supposedly started hammering the Listrak server in Pennsylvania, which actually was no longer under contract to Cendyn as the IP address for the Trump-connected domain mail1.trump-email.org.
All of the entities and persons in this mix were up one side and down the other with connections to the Obama administration.
But here’s where it gets interesting again. CrowdStrike wasn’t a one-trick pony in the relevant timeframe: 2015-2016. CrowdStrike in fact published an article at the time about investigative work it had done on multiple cyber intrusions, from 2014 to 2016, into … what do you know, the hospitality industry. Hotels, event hosting, travel-customer relations (along with food services and gaming).
Rather than going in-depth into the particulars, I’ll just drop some excellent spadework done by a delightful Internet sleuth who goes by the user ID @wakeywakey16. See the whole thread. Most of it is background on the cyber intrusions against the Trump organization cited below.
CrowdStrike’s article didn’t focus on the Trump organization. But in the timeframe of its reported investigation, the Trump organization experienced multiple costly cyber intrusions, all high-profile and all in the period leading up to the supposed Alfa Bank interactions in mid-2016.
The Trump organization worked with the FBI during that period to probe what was going on. Think like Fusion GPS and note that this was a huge, gaping opportunity for the FBI to know the Trump organization’s business.
CrowdStrike’s 2016 blog article suggested that the company’s own investigation started right about the time Fusion GPS was first hired for oppo research on Republican candidates (mainly Trump) in September 2015. That hire was made by the Washington Free Beacon with funding from key backer Paul Singer, a major Republican donor.
And the analytical point that emerges from this is about motive and opportunity of a kind we’ve seen repeatedly throughout the unfolding of Spygate. It’s about the M.O. of Fusion GPS and the Democratic organizations it typically works for.
I wrote about it in one of my earliest analyses of Spygate principals, a December 2017 article about Bruce Ohr, the Justice Department, and the FBI. Fusion’s Glenn Simpson had been covering their work on Russian oligarchs for years as a Wall Street Journal reporter. It was a field he knew extremely well – as did Ohr, of course, and his running mates in the federal agencies. They could confidently build a fictional anti-Trump scenario around that theme because they knew it so well.
It isn’t proven, by any means, that the “Alfa Bank” narrative was built around the intrusions of 2015 and 2016 on the Trump Hotels, which CrowdStrike and the cyber researchers now under Durham’s probe had opportunity to study. (More than that, incidentally, it’s merely good analysis to acknowledge and file the possibility that these actors, or perhaps others linked to the anti-Trump oppo effort, didn’t just study those intrusions. I stress that it would be entirely unproven that such entities had a hand in them. But neither motive nor opportunity can be ruled out.)
And that’s the bottom line. Motive and opportunity can’t be ruled out. With the growing sense that cyber evidence may have been faked in 2016, it looks very different in hindsight that the weird Alfa Bank tale came and went in the immediate wake of extensive real-world intrusions into Trump organization servers, which cybersecurity experts working for the DNC and Hillary Clinton were assuredly aware of. It looks less like the opportunity players “found” things going on than that they just made them up.
Mueller, supposedly determined to pursue Russian activities, found nothing actionable in the Alfa Bank subplot. He basically dropped it without a ripple. That’s informative, considering the lengths to which he went to include non-probative detail in his report, and to herald it with a proclamation that Trump was not “exonerated” by the absence of any substantive indictments. If the Alfa Bank thread had been promising, it could have been worth the risk of what Durham is probing now.
But in spite of its prominence in the media – it wasn’t. It looks increasingly likely that that’s not because there was too little information, but because there was too much. It just wasn’t information about Trump and a bunch of cyber shenanigans.