Durham’s ‘Clues’: Pentagon contractors, CrowdStrike, Georgia, and the IP addresses

Outlines of connections emerge.

Paul Sperry had an article at Real Clear Investigations on 7 October in which he reported that John Durham’s investigation of the federal government’s handling of “Russiagate” is focusing on Pentagon contractors.  Like the “speaking indictment” of Michael Sussmann, this framing of where Durham’s headed functions to shift perceptions somewhat, shedding new light on old information.

Like so much of the “new light,” the investigative pathways prompted by what has recently come out cause us to look further back and see the fresh likelihood of connections between the familiar events of Spygate/Russiagate and earlier events.

This treatment will not be at all comprehensive.  It’s a collection of such potential links, assembled in the last few weeks and presented in complete sentences as a marker, rather than as a finished analysis or theory.  Basically, these are research notes.  I want to get them out there as a service.

Rather than attempting to weave them as a story, I’m trusting readers to know the basic outline and recognize why dates and events are significant.  There has been prior work on all of the points here:  nothing is entirely new, as I think dedicated followers of the problem set are aware.  Hyperlinks will take you to more extended discussions and analyses.

Here is the grab-bag of interesting points, in no particular order.

Pentagon contractors

As a general observation at the outset, the mere focus on Pentagon contractors takes us in a different direction from previous probes.  There have been two thematic Spygate links to the Pentagon, neither of which has so far appeared to implicate “the Pentagon” per se in the Spygate conspiracy.  The links are the electronic surveillance capability managed for the whole intelligence community by NSA (a subordinate agency of the Pentagon for programming purposes), and the secretive activities of the Office of Net Assessment, for decades (1973 to 2015) the fiefdom of a single individual (founder Andrew Marshall) and operated with little apparent oversight by senior officials who come and go with SES rotations and political appointments.

In each case, the motives for using Pentagon assets were clearly centered elsewhere:  primarily at the NSC staff (i.e., the White House) and the DOJ and FBI, with collateral activity at ODNI, CIA, and the National Counterterrorism Center (NCTC).

Wikipedia

It was certainly possible to speculate before now that the Pentagon, qua Pentagon, was implicated in the motivated-collusion aspect of Spygate.  But the fresh revelations about Durham’s investigation – and their connection with the 2021 story of the Pentagon IP addresses – begin to make that more tangible and certain.

Paul Sperry’s article highlights the interest in cyber experts Rodney Joffe and April Lorenzen, the latter of whom Sperry identifies as the “Tea Leaves” personality from the Michael Sussmann indictment.  It’s not my interest here to regurgitate everything Sperry has already written, so I ask readers to consult his article for more on that.  Per the Sussmann indictment, the Joffe/Lorenzen work relates to the attempt to link the Trump organization to Alfa Bank.

The points that stands out to me include these:  that Joffe and Lorenzen worked together with researchers at Georgia Tech, to comb non-public information about Internet transactions, for signs that could be interpreted as dirt on Donald Trump and his organizations.

A key point of interest is that the Pentagon connection is ultimately through Georgia Tech and its researchers.  The researchers used by Joffe and Lorenzen during the 2016 campaign scored a $17 million Pentagon contract for cybersecurity research on 17 November 2016, right after the 2016 election but before Trump took office.

One likely implication of that contract is that similar work continued into the Trump presidency.  That isn’t demonstrated (Sperry hints at it) – which is why these are research notes – but it’s a possibility to file for reference.  The opportunity and motive are there.

The truly interesting aspect of this point, however, is the word “Georgia.”

Georgia in the pattern

Where did we see “Georgia” and “cyber” contracting with the federal government before?  That’s right:  in the Pentagon IP addresses caper, which is linked by numerous threads to Obama, as well as directly to Rodney Joffe, and to another institutional cyber contractor in Georgia, the Georgia Cyber Center.

In my article in April 2021 on the IP addresses, I turned up quite a bit on the Obama connections.  Those connections wended through the Pentagon and its Defense Digital Service (DDS), whose founders – with a neon-flashing founding date of November 2015 – were linked to Obama through Chicago’s Democratic machine, Obama’s 2008 campaign organization, and the IT raiding squad introduced in his second term within the Office of Management and Budget.  (I wrote extensively on the latter in earlier articles; see the links in the “Cry havoc” piece.)

As for Joffe, he of course was a long-time associate of Raymond Saulino, whose Global Resource Systems in Plantation, Florida suddenly took over 175 million Pentagon-held IP addresses two minutes and 25 seconds before Joe Biden’s term officially began on 20 January 2021.

Where a Global Resource Systems LLC keeps popping up. Plantation, FL. Google Street View

But the identification of both the Georgia Cyber Center and Georgia Tech as pivotal connections in – respectively – the IP addresses incident and Durham’s Spygate probe has turned up a most fascinating connection.

There is first of all the point that both entities have federal contracts for cybersecurity research.  That by itself has a satisfactory face-value explanation:  Georgia is working to establish itself as a go-to cyber activities research hub in the Eastern U.S., and is cultivating both contacts and federal contracts in pursuit of that goal.

Both entities’ contracts are with the Pentagon, which intensifies the interest.  The Georgia Cyber Center hosts a satellite site for the Pentagon DDS.  The site is nicknamed “Tatooine,” and was formally opened in 2019.

The Georgia Tech-Pentagon contract – again, awarded in November 2016, and later extended, according to Sperry – is for a project named “Rhamnousia” (an alternate name for the Greek mythological character Nemesis).

It’s of more than passing interest that the advertised purpose of the project is analyzing cyber events for attribution.  That iffy proposition has been the core of the company brand for the most famous cybersecurity player in Spygate:  CrowdStrike.  The recurrence of the “attribution” theme definitely needs to be filed for reference, as long as we’re logging research notes here.

But none of that is the really interesting part.  The really interesting part is about Georgia.

That’s because both of the cyber research entities, with their links to Obama’s political constellation, the Pentagon, and in Georgia Tech’s case the 2016 DNC/Hillary anti-Trump campaign, were drafted in early 2020 by Georgia Secretary of State Brad Raffensperger to collaborate with his office on cybersecurity for the 2020 election.

We would naturally expect the state of Georgia to look within Georgia for expert collaboration on election security.  But it’s arresting, shall we say, that after Governor Brian Kemp complained in 2016 of actors from the Obama federal executive trying to intrude into Georgia’s voting information database, research entities with so many connections to the Obama administration were enlisted to help secure the 2020 election in Georgia.

Tatooine satellite location in Augusta, Georgia. Image: Georgia Cyber Center

In January 2020, Raffensperger announced an election security partnership with the Georgia Cyber Center. 

And in February 2020, Georgia Tech’s researchers came onboard to help with election security as well.

File it for future reference.

Before leaving the Pentagon contractors connection, let us note what Sperry has to say about April Lorenzen’s current activities:

In her bio, Lorenzen also said she currently serves “as the principal investigator for a critical infrastructure supply-chain cybersecurity notification research project.” She did not provide further details about the project.

Supply-chain cybersecurity “notification,” under the heading of “critical infrastructure.”  Another one to file away.

CrowdStrike and a cybersecurity niche

This last freshly highlighted feature is not yet a well-developed one, and I won’t be making lengthy observations about it.  The set-up for it is twofold, in terms of prior persistent threads in the Spygate drama.

One is CrowdStrike’s role in handling the DNC intrusion in 2016.  Readers will be most familiar with this thread, I think, and in light of revelations from the Sussmann indictment, there has been much written about it over the last couple of weeks.

The treatments focus on the rapid loss of credibility for the “Russian hacking” proposition, which is perfectly fair.  But it’s not my focus here.  What principally strikes me about the “fresh look” from the Sussmann indictment is how very well-known CrowdStrike was to the FBI, and how little formality (or roadblocks to communication) there could have been between a set of actors who knew each other well.

It has been pointed out repeatedly, since we first learned the FBI never got the actual DNC server to inspect, that it’s quite odd the server was never simply subpoenaed.  Certainly the Mueller effort could have used it, if the objective was to prove something one way or the other about Russian hacking related to the 2016 election.

With the Roger Stone indictment, we learned that CrowdStrike’s analysis, relied on by the FBI, was forwarded only in redacted form due to “attorney-client privilege” involving Perkins Coie as the middleman.

Again, this tends to impugn the Russian-hacking thesis, and we’ve known that for some time.  But with Durham pursuing the possibility that cyber evidence was concocted, or faked, what really stands out is how not having the server, and not having a complete, unredacted report from CrowdStrike, would have kept key information out of FBI records, and therefore undiscoverable.  (It’s like admitting the FBI has the Hunter Biden laptop:  if it’s acknowledged, the FBI is on the hook for what’s being done with it.)

Direct forensics or a complete report from CrowdStrike could well have put inconvenient pieces of information into records a court could demand, or Congress, or the public.  The FBI (and DOJ) knowing CrowdStrike well – and having their own alumni roaming the halls at Perkins Coie – would have made it easier to agree without a paper trail on a less vulnerable arrangement.

Dmitri Alperovitch at an RSA Conference in 2020. RSAC video, YouTube

Now consider that point alongside less-remembered things we have known about CrowdStrike since 2017.  I’m providing a link here to an extensive survey I did in March 2017, just before CrowdStrike principals were supposed to testify in Congress on 11 March.

CrowdStrike’s connections to the Obama administration were quite as numerous as those of the Pentagon DDS founders; perhaps even more so.  A handful of observers pointed out at the time how overfreighted CrowdStrike was in this regard, for a cybersecurity firm we were supposed to accept as an independent expert on Russian activity in 2016.

And curiously enough, the very day of the scheduled hearing, CrowdStrike dropped out and didn’t show.

As a final exercise, let’s get the timeframe organized mentally.  Pull some threads together:  the Pentagon DDS was stood up in November 2015.  Its charter was cybersecurity and insight into Web activity.  In January 2021, it was the Defense entity that announced it was running a “pilot program” when the IP addresses were turned over to Raymond Saulino.  We can assume, given its links to the top levels of the Obama administration, that it didn’t twiddle its thumbs idly in the interim between those two dates.

The Joffe/Lorenzen collaboration with Georgia Tech, which got a Pentagon contract just after the election, occurred during the 2016 campaign.  Sussmann appears to have been using information from that collaboration, which was a key element in the DNC/Hillary Clinton oppo effort, to prime the pump at the FBI.  The focus of the Joffe/Lorenzen collaboration, as referenced in the Sussmann indictment, was the alleged Russia-Trump cyber connection through Alfa Bank.

CrowdStrike was brought in on the DNC intrusion in May 2016, in the same 24-hour period when Alfa Bank’s server supposedly started hammering the Listrak server in Pennsylvania, which actually was no longer under contract to Cendyn as the IP address for the Trump-connected domain mail1.trump-email.org.

All of the entities and persons in this mix were up one side and down the other with connections to the Obama administration.

But here’s where it gets interesting again.  CrowdStrike wasn’t a one-trick pony in the relevant timeframe:  2015-2016.  CrowdStrike in fact published an article at the time about investigative work it had done on multiple cyber intrusions, from 2014 to 2016, into … what do you know, the hospitality industry.  Hotels, event hosting, travel-customer relations (along with food services and gaming).

Rather than going in-depth into the particulars, I’ll just drop some excellent spadework done by a delightful Internet sleuth who goes by the user ID @wakeywakey16.  See the whole thread.  Most of it is background on the cyber intrusions against the Trump organization cited below.

CrowdStrike’s article didn’t focus on the Trump organization.  But in the timeframe of its reported investigation, the Trump organization experienced multiple costly cyber intrusions, all high-profile and all in the period leading up to the supposed Alfa Bank interactions in mid-2016.

The Trump organization worked with the FBI during that period to probe what was going on.  Think like Fusion GPS and note that this was a huge, gaping opportunity for the FBI to know the Trump organization’s business.

CrowdStrike’s 2016 blog article suggested that the company’s own investigation started right about the time Fusion GPS was first hired for oppo research on Republican candidates (mainly Trump) in September 2015.  That hire was made by the Washington Free Beacon with funding from key backer Paul Singer, a major Republican donor.

And the analytical point that emerges from this is about motive and opportunity of a kind we’ve seen repeatedly throughout the unfolding of Spygate.  It’s about the M.O. of Fusion GPS and the Democratic organizations it typically works for.

I wrote about it in one of my earliest analyses of Spygate principals, a December 2017 article about Bruce Ohr, the Justice Department, and the FBI.  Fusion’s Glenn Simpson had been covering their work on Russian oligarchs for years as a Wall Street Journal reporter.  It was a field he knew extremely well – as did Ohr, or course, and his running mates in the federal agencies.  They could confidently build a fictional anti-Trump scenario around that theme because they knew it so well.

It isn’t proven, by any means, that the “Alfa Bank” narrative was built around the intrusions of 2015 and 2016 on the Trump Hotels, which CrowdStrike and the cyber researchers now under Durham’s probe had opportunity to study.  (More than that, incidentally, it’s merely good analysis to acknowledge and file the possibility that these actors, or perhaps others linked to the anti-Trump oppo effort, didn’t just study those intrusions.  I stress that it would be entirely unproven that such entities had a hand in them.  But neither motive nor opportunity can be ruled out.)

And that’s the bottom line.  Motive and opportunity can’t be ruled out.  With the growing sense that cyber evidence may have been faked in 2016, it looks very different in hindsight that the weird Alfa Bank tale came and went in the immediate wake of extensive real-world intrusions into Trump organization servers, which cybersecurity experts working for the DNC and Hillary Clinton were assuredly aware of.  It looks less like the opportunity players “found” things going on than that they just made them up.

Mueller, supposedly determined to pursue Russian activities, found nothing actionable in the Alfa Bank subplot.  He basically dropped it without a ripple.  That’s informative, considering the lengths he went to to include non-probative detail in his report, and herald it with a proclamation that Trump was not “exonerated” by the absence of any substantive indictments.  If the Alfa Bank thread had been promising, it could have been worth the risk of what Durham is probing now.

But in spite of its prominence in the media – it wasn’t.  It looks increasingly likely that that’s not because there was too little information, but because there was too much.  It just wasn’t information about Trump and a bunch of cyber shenanigans.

10 thoughts on “Durham’s ‘Clues’: Pentagon contractors, CrowdStrike, Georgia, and the IP addresses”

  1. Can’t help but suspect that the non-governmental actors are the ones who are taking the falls for Durham now. McCabe gets a virtual expungement amd his back pay but the contractors get the shaft. That’s not justice.

    I do find it scary as hell, though, that someone would creat a super-internet above the level of even the national Security Council. That is basically like a foreign entity living in our country to hurt Americans.

    1. Yes, that “super Internet” possibility is unsettling, to say the least. I don’t know if there’s any way to recover info about what was being done with the 175 million Pentagon-held IP addresses in the period from 2015 to January 2021, but that’s at the top of the list of things I want to know right now.

      My going-in assumption until the Sussmann indictment was that Pentagon actors, other than ONA, weren’t consciously complicit *throughout* the whole period in all the back-room anti-Trump stuff going on. That perspective has been altered.

      It certainly reframes the major personnel replacements done right after the 2020 election. It was clear those shifts were about getting rid of active “resistance” figures, but it wasn’t clear until the last few weeks how far back the “resistance” activity probably went, or how pervasive and up-tooled it could have been.

      1. I can’t find a reference in this article of your others to the fact that the NSA have their second d headquarters at Fort Gordon in Augusta, Georgia. Sorry if I just can’t find that and you did say it. Either way, would that be significant here?

        1. It’s not NSA that has the “satellite” location in Georgia. It’s the Defense Digital Service, the one created by Obama in Nov 2015. It’s in the article.

          Fort Gordon has the Army cyber facility, which has significant links to the Defense Cyber Command. (The Fort Gordon info was in my earlier article on the IP addresses, back in April.)

          In turn the Def Cyber Command is co-located with NSA at Fort George G Meade in Maryland. For quite a while Cyber Command was a dual hat for NSA but that was split up a few years ago.

          That’s kind of housekeeping to get our terms straight. It probably is significant that Army cyber is in Fort Gordon, close to the DDS “Tatooine” facility. But it’s not because Army cyber is a “second HQ” for NSA. It’s because Army cyber is a service component in the same discipline as Defense Cyber Command — which is now its own joint specified command (like Strategic Command or Transportation Command).

  2. Interesting, as always.
    O/T, but, Mark just posted this on LTC Scheller’s case: Both reports by Davis Winkie:https://www.marinecorpstimes.com/news/your-marine-corps/2021/10/15/judge-blasts-command-gives-light-sentence-to-marine-who-demanded-accountability-on-social-media/
    preceded by Day 1 report on Oct 14: https://www.marinecorpstimes.com/news/your-marine-corps/2021/10/14/day-one-of-scheller-trial-brings-a-guilty-plea-and-a-political-sideshow-sentencing-tomorrow/
    Because I just read your tweet,”quoting” “Rob O’Donnell @odonnell_r · 10h
    Update: The judge recognized that LtCol Scheller issued a sincere call for accountability & recognized that caring for lost Marines isn’t criminal. It’s expected
    He rejected prosecutor’s request for a stiff sentence & called for investigation into possible government misconduct. ”
    But Rob fails to provide any citation for the judge, Col. Glen Hines, “calling for an investigation”, which is NOT mentioned in marinecorpstimes reports, which does quote Hines: “specter of unlawful command influence” which seems to be “a legal concept within American military law. ”

    Apologies that some of us are continuing at LU at an Oct. 5 post. Not sure how long, because, this week, without a moderator, every post gets multiple, Spam ‘comments’ and Hans does not read any comments. I don’t understand who y’all did not make LU a subscription site… or at least ask for a volunteer moderator just to delete the spam.

    1. No apology needed, D4x. I understand Disqus performs more as the flock wants it to than the WordPress comments do. (For obvious reasons, I think of y’all as the “flock.” :-))

      I get over at least once a day to delete the spam at LU, but sometimes it’s a few hours before one of my swings through. Since I still have a body of work in the archive there, and it gets linked a lot, I want to keep it clean. I see the flock’s comments but since Hans is running it now, I don’t plan to interact much. The live action isn’t our (HP’s and my) blog at this point, and I don’t want to raise expectations.

      I wouldn’t discount Rob O’Donnell’s tweet due to Marine Corps Times not including his point. The service Times outlets keep their access by not being very adversarial or highlighting things embarrassing to the services. O’Donnell may have gotten his info directly from someone in the courtroom, or at least second-hand from such a source. The presiding officer’s sentiments as reflected in the sentencing opinion were Marine-like. He certainly had reasons to rebuke the organization for its handling of Scheller’s case.

      I’ve been kicking back somewhat since closing out at LU, but will probably be picking the pace up next week.

      1. Thanks so much – yes, saw the spam is gone. Same spam is why I stopped commenting at amgreatness, even when I want to. Looking forward to ‘what happened to the Makran?’

        Considering the intimidation of lawyers, and judges, in civilian trials, and DoJ abuses, AG Judge Col. Glen Hines sets an example for all.

        O’Donnell’s “calling for an investigation” might have been referring to Rep. Goehmert’s testimony. UKDM included transcripts:
        “Oct 15, 2021 Judge conducts inquiry into plea: Scheller is required to state why he’s guilty
        Judge: Why did you do this?
        Scheller: A message of accountability was more important than the lawfulness of my behavior. I chose to speak out knowing it is unlawful in an effort to illustrate the hypocrisy of my senior leaders. […]” https://www.dailymail.co.uk/news/article-10098035/He-carefully-examined-evidence-gave-lenient-sentence-Lt-Col-Schellers-mother-thanks-judge.html

        Started using bird metaphors in 2020, to offset all the ugly images ‘in the news’ and headers for posts. Turned into online ornithology hobby, but, still mostly visual relief. Am actually more visual than words.

        fwiw, “the game’s afoot” with AFG. Goes back to this photo from Sept. 17, by KSA’s MbS ‘private office’: https://twitter.com/Badermasaker/status/1438892993352814595
        (That’s MbZ’s brother TbZ, the UAE’s NSA, in the sunglasses)
        Looks like MbS and MbZ got al-Thani to abide by the Jan 5 2021 Al-Ula agreement.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: