AMITT/incidents/I00015.md

Incident I00015: ConcordDiscovery

• Summary: The Office of Special Counsel accused Concord Management (an IRA funder/handler) and its counsel of abusing the discovery process by leaking discovery materials under false pretences: the documents were altered; the documents were portrayed as material obtained by hacking, rather than legal process; the released documents are selected to maximize exposure targets and methods.

• incident type: incident

• Year started: 2019

• Countries: Russia , USA

• Found via:

• Date added: 2019-02-01

Technique	Description given for this incident
T0025 Leak altered documents	IT00000050 Forge ('release' altered hacked documents)
T0025 Leak altered documents	IT00000051 hack/leak/manipulate/distort
T0039 Bait legitimate influencers	IT00000053 journalist/media baiting
T0044 Seed distortions	IT00000052 Circulate to media via DM, then release publicly

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW

Actors: Russian state actors, Concord Management

Timeframe: Fall 2018 - Winter 2019

Date: October 2018

Presumed goals:

• Discredit Mueller findings;
• sow doubt about Russian active measures;
• expose investigatory sources, priorities and methods;

Method:

• Release non-public documents with favorable amendments;
• Disguise document provenance as hacking (i.e. revelation);
• Circulate to media via DM, then release publicly

Counters:

• Media exposure;
• motions to limit future discovery

Related incidents:

• 2016 US election

References

• Document: Concord Management Used Discovery for Disinformation Campaign, Mueller Says
• Mueller says some private case files were used in 'disinformation campaign' to discredit Russia probe
• Mueller says Russians are using his discovery materials in disinformation effort
• Mueller says discovery materials in case against Russian firm were used in a cyber-disinformation campaign
• Mueller's Team Questions How Files in Russia Case Ended Up Online
• https://www.documentcloud.org/documents/5700929-Concord-Discovery-Opposition.html

Details

The special counsel's office has filed a memorandum in U.S. v. Concord Management and Consulting, LLC in opposition to Concord's motion to disclose documents identified as "sensitive" by the Special Counsel to certain Concord officers and employees. The memo alleges that subsequent investigations into Concord have "revealed that certain non-sensitive discovery materials in the defense’s possession appear to have been altered and disseminated as part of a disinformation campaign" apparently aimed at discrediting the special counsel's investigation into Russian interference in the 2016 U.S. election.

That discovery — evidence and documents traded between both sides of a lawsuit — appears to have been altered and disseminated as part of a disinformation campaign apparently aimed at discrediting the ongoing investigations in Russian interference in the U.S. political system, according to the documents.

Prosecutors said sensitive evidence also could reveal government investigative techniques and identify cooperating individuals and companies.

Concord is among 13 Russian individuals and entities charged last February in connection with Mueller’s probe. Concord is alleged to have funded the operation of the Internet Research Agency, a Russian troll farm that spread divisive content to U.S. audiences on social media as part of broader effort to meddle in the 2016 vote.

Prosecutors said that some nonpublic files supplied to Concord’s defense attorneys were apparently altered and disseminated using the Twitter account @HackingRedstone, which has since been suspended on the platform.

On Thursday, Mueller's team updated their filing with precise dates for the actions taken on Twitter, noting that the account @HackingRedstone started sending direct messages to members of the media on October 22, before making a public tweet on October 30 in regards to the supposed discovery documents.

The filing cites an Oct. 22, 2018, tweet in which the account claimed, “We’ve got access to the Special Counsel Mueller’s probe database as we hacked Russian server with info from the Russian troll case Concord LLC v. Mueller. You can view all the files Mueller had about the IRA and Russia collusion. Enjoy the reading!”

The tweet linked to a webpage with folders containing scores of files that mimicked names and folder structures of materials produced by the special counsel’s office in discovery, the filing states.

The prosecutors’ filing said the matching files included images of political memes from Facebook and other social media accounts used online by the Internet Research Agency, many of which are presumably still available elsewhere on the Internet, but not with the unique identifiers used in materials turned over by prosecutors.

Prosecutors said in their filing that an FBI review found no evidence of a hack of the special counsel’s office. The filing also said that defense lawyers told the Mueller team that the vendor it was using reported no unauthorized access to the nonsensitive files. Under a court protective order, sensitive evidence in the case must be reviewed by a U.S. government “firewall” counsel, and then a judge must give permission before the evidence can be given to any non-U.S. national.

The facts “establish that the person(s) who created the Web page had access to at least some of the nonsensitive discovery produced by the government in this case,” wrote Justice Department national security division attorney Heather N. Alpino for a team including prosecutors with Mueller’s office and the U.S. attorney’s office of the District.

Mueller’s team firmly pushed back on the request in the filing Wednesday, asserting releasing the files to the firm’s employees in Russia – including Prigozhin – would risk U.S. national security.

“Concord’s request to send the discovery to the Russian Federation unreasonably risks the national security interests of the United States,” the filing states. “The government’s concerns are only heightened by the apparent release and manipulation of information produced to Concord as ‘non-sensitive’ discovery in this case.”

The filing also notes that the discovery files labeled "sensitive" identify "uncharged individuals" who government investigators believe are "continuing to engage in operations to interfere with lawful U.S. government functions like those activities charged in the indictment.”

Mueller’s prosecutors did not oppose allowing Concord employees to view the files at their defense attorney’s offices under security protections, noting that “appearance in the United States would allow them to stand trial.”