The United States intelligence community has been conducting a top-secret operation to recover stolen classified U.S. government documents from Russian operatives, according to sources familiar with the matter. The operation has also inadvertently yielded a cache of documents purporting to relate to Donald Trump and Russian meddling in the 2016 presidential election.
Over the past year, American intelligence officials have opened a secret communications channel with the Russian operatives, who have been seeking to sell both Trump-related materials and documents stolen from the National Security Agency and obtained by Russian intelligence, according to people involved with the matter and other documentary evidence. The channel started developing in early 2017, when American and Russian intermediaries began meeting in Germany. Eventually, a Russian intermediary, apparently representing some elements of the Russian intelligence community, agreed to a deal to sell stolen NSA documents back to the U.S. while also seeking to include Trump-related materials in the package.
The CIA declined to comment on the operation. The NSA did not immediately respond to a request for comment.
The secret U.S. intelligence channel with the Russians is separate from efforts by former British intelligence officer Christopher Steele to obtain information about Trump and his ties with Russia. Steele worked with Fusion GPS, an American private investigations firm that was first hired by Republican and later Democratic opponents of Trump to dig up information on him during the 2016 campaign.
By contrast, the more recent secret negotiations began after Trump’s election and have been conducted by U.S. intelligence officials working with intermediaries who mainly operate in Europe. When American intelligence officials initiated efforts to broker a communications channel in 2017, however, their primary objective was to recover stolen NSA documents, not to obtain material about Trump.
At the time, the NSA was desperate to recover documents that intelligence officials believed Russia had obtained through a mysterious group known as the Shadow Brokers. The group stole highly secret NSA hacking tools and began releasing them on the internet in the summer of 2016. The Shadow Brokers theft of the hacking tools devastated morale at the NSA, putting its custom-built offensive cyber weapons out in the open. It was as if a bioweapons laboratory had lost some of its most deadly and dangerous viruses. U.S. officials wanted to identify which NSA documents the Shadow Brokers had stolen, so they could determine how badly the agency had been damaged by the theft.
But once the communications channel opened, the Russians on the other side offered to sell documents related to Trump along with the stolen NSA documents.
A Russian who has been acting as a go-between for other Russians with access to Russian government materials has sought payment for the materials he is offering. In an extensive interview with The Intercept in Germany, the Russian intermediary provided detailed information about the channel. When contacted by The Intercept for this story, the American intermediary declined to comment.
Even many involved in the secret communications channel between U.S. intelligence and the Russians are said to be uncertain about what is really going on with the operation. Recently, the Russians have been seeking to provide documents said to be related to Trump officials and Russian meddling in the 2016 campaign, including some purloined FBI reports and banking records. It is not clear whether those documents are in possession of American officials. It is also unclear whether the secret channel has helped the U.S. recover significant amounts of data from the NSA documents believed to have been stolen by the Shadow Brokers.
Further, it is not known whether the Russians involved in the channel are acting on their own or have been authorized by the Russian government to try to sell the materials to the United States. As a result, the Americans are uncertain whether the Russians involved are part of a disinformation campaign orchestrated by Moscow, either to discredit Trump or to discredit efforts by American officials investigating Trump’s possible ties to Russia, including Special Counsel Robert Mueller.
The CIA, which is now headed by a Trump loyalist, CIA Director Mike Pompeo, has at times been reluctant to stay involved in the operation, apparently for fear of obtaining the Trump-related material offered by the Russians, according to sources close to the negotiations. In the period in which the communications channel has been open, CIA officials are said to have repeatedly changed their views about it. They have sometimes expressed interest, only to later back away from any involvement with the channel and the intermediaries. At some points, the CIA has been serious enough about buying materials through the channel that agency officials said they had transported cash to the CIA’s station in Berlin to complete the transaction. But at other points, agency officials backed off and shut down their communications. Some people involved with the channel believe that the CIA has grown so heavily politicized under Pompeo that officials there have become fearful of taking possession of any materials that might be considered damaging to Trump.
The CIA’s wariness shows that the reality within the U.S. intelligence community is a far cry from the right-wing conspiracy theory that a “deep state” is working against Trump. Instead, the agency’s behavior seems to indicate that U.S. intelligence officials are torn about whether to conduct any operations at all that might aid Mueller’s ongoing investigation into whether Trump or his aides colluded with Russia to win the 2016 presidential election.
Many intelligence officials are reluctant to get involved with anything related to the Trump-Russia case for fear of blowback from Trump himself, who might seek revenge by firing senior officials and wreaking havoc on their agencies. For example, Dan Coats, the director of national intelligence and thus the man supposedly in charge of the entire U.S. intelligence community, has said he does not see it as his role to push for an aggressive Trump-Russia investigation, according to a source familiar with the matter.
Because of the CIA’s reluctance to take an aggressive role, officials at the NSA have taken the lead on the communications channel, with a primary focus on recovering their own stolen documents. They have viewed the Trump-related material as an annoying sidelight, even as they understand that it is potentially the most explosive material to have come through the channel.
The channel has been operating in the shadows even as Mueller’s investigation has been basking in the spotlight. Last year, three former Trump campaign officials faced charges as part of Mueller’s investigation, and the special counsel continues to investigate both possible collusion between the Trump campaign and Russia and evidence of efforts by Trump or others close to him to obstruct justice in the Mueller probe.
Over the past year, those involved with the secret communications channel have experienced a series of dramatic highs and lows. Until recently, it wasn’t clear whether the conversations would produce any materials about Trump or lead to the recovery of any NSA documents.
It took months of meetings and negotiations between American and Russian intermediaries to try to determine what documents might be available from the Russians – and at what price. Inconsistent interest in the channel by U.S. intelligence officials, particularly at the CIA, complicated the negotiations.
According to documents obtained by The Intercept that summarize much of the channel’s history, a key American intermediary with the Russians was first approached by U.S. intelligence officials in late December 2016. The officials asked him to help them recover NSA documents believed to have been stolen by the Shadow Brokers.
The American was able to identify a hacker in Germany who claimed to have access to some of the stolen data believed to be held by the Shadow Brokers, and who accurately provided advance notice of several Shadow Broker data releases. The hacker’s cooperation with the U.S. intelligence community broke down over his demands for full immunity from U.S. prosecution for his hacking activities — negotiations that failed largely because the hacker refused to provide his full personal identification to the Americans.
Eventually, the relationship with the hacker in Germany led the Americans to begin talks with a Russian who became a key intermediary in the channel. The Russian is believed to have ties to officials in Russian intelligence.
In March 2017, the Russian met with the American intermediary and a U.S. official in Berlin and agreed to provide the stolen NSA data from the Shadow Brokers in exchange for payment. The U.S. government used “certain messaging techniques” that the Russian accepted as proof that the U.S. government was behind the negotiations and the proposed deal, according to the documents obtained by The Intercept.
Officials gave the Russians advance knowledge that on June 20, 2017, at 12:30 p.m., the official NSA Twitter account would tweet: “Samuel Morse patented the telegraph 177 years ago. Did you know you can still send telegrams? Faster than post & pay only if it’s delivered.”
That tweet, in exactly those words, was issued at that time.
The NSA used that messaging technique repeatedly over the following months, each time officials wanted to communicate with the Russians or reassure them that the U.S. was still supporting the channel. Each time, the Russians were told the text of the tweets in advance and the exact time they would be released. Each tweet looked completely benign but was in fact a message to the Russians.
On August 17, 2017, officials communicated with the Russians by having the NSA account issue a tweet saying:“The 1st telegraph communications exchange occurred between Queen Victoria and President Buchanan in 1858.”
In October, 2017, officials communicated again with the Russians when the NSA tweeted:“This week in history, Robert Lamphere began working on the Verona program in 1948.”
That same month, officials gave the Russians early notice that the NSA account would tweet:“Can you help Kandice the Kangaroo save her baby Jory in this month’s #PuzzlePeriodical?”
In early November, three NSA tweets were part of the communications channel. One said:“#NSA inducts 5 #CryptologicPioneers into the Cryptologic Hall of Honor. Learn more about their distinguished service.” Another stated: “People are our greatest assets. The #NSA workforce makes 65 years of service possible #NSA65.” And a third:“23,725 days, 31,164,000 min. 2,049,840,000 sec and counting…At #NSA the mission never sleeps. #NSA65.”
Later that month, a message was sent to the Russians when the NSA account tweeted:“The ADONIS cipher machine replaced WWI-era SIGABA machine. It was one of the first machines to print on-the-fly.”
And in December, the NSA gave advance warning to the Russians that its official account would tweet:“Section 702 is a law that can also be a lifesaver. Take a look at how #Section 702 protects troops and helps the nation.”
But the channel broke down several times, often over disagreements between the U.S. and the Russians about how money would be exchanged and what data was to be received. In May 2017, U.S. officials were upset that the first tranche of data they received contained files already known to have been stolen because they had already been released by the Shadow Brokers. But the Russian intermediary continued to insist that he could provide data held by the Shadow Brokers, as well as materials related to Trump officials and Russian activity in the 2016 campaign. Throughout 2017, the U.S. officials sought to limit the scope of their investigation to data stolen by the Shadow Brokers, leaving aside the materials related to Trump. U.S. officials also began to wonder whether the Russian intermediary was part of a so-called dangle operation involving Russian disinformation.
But by last fall, the Russian began passing information to the American intermediary that was unrelated to the Shadow Brokers, including the names of specific individuals and corporate entities allegedly tied to Russian interference in the 2016 U.S. election. The American intermediary turned the information over to U.S. intelligence for the purpose of determining the Russian’s credibility. U.S. intelligence officials continued to stress that they were only interested in recovering stolen U.S. data. Still, it was understood that if the Russian provided material related to Trump, the American intermediary would debrief U.S. officials on its content.
In December 2017, the Russian turned over documents and files, some of them in Russian. The documents appeared to include FBI investigative reports, financial records, and other materials related to Trump officials and the 2016 campaign.
“The information was vetted and ultimately determined that while a significant part of it was accurate and verifiable, other parts of the data were impossible to verify and could be controversial,” the documents obtained by The Intercept state. It is not clear who vetted the material.
At a meeting last month in Spain, the Russian told the American intermediary of his desire to move forward with the delivery of the Shadow Brokers data, as well as material related to the 2016 election. The American questioned him on the credibility of his data and told him the data he was providing on Trump officials and election activities was “unsolicited.” The Russian also expressed interest in giving the material to media outlets, which the American told the Russian he found “disconcerting.”
The Russian told the American that he had first become aware of Russian efforts targeting U.S. political activities in late 2014 or early 2015, according to the documents reviewed by The Intercept. The Russian stated that he had no knowledge of a “master plan” to cause major disruption to U.S. election activities, but the effort was generally understood as a “green light” from Russian security officials to enlist cyber-related groups in probing and harassing activities directed at U.S. targets.
Update: February 9, 2018
This story has been updated to include more details about the NSA’s use of its official Twitter account to communicate with Russian operatives.