A master lock with ones and zeroes instead of the regular numbers.

Hello, and welcome to this week’s Codebook, where we’re thinking about how intelligence agencies tailor their information operations to the environments in which they act.

Today's newsletter is 1,356 words, a 5-minute read.

1 big thing: The hazy line between politics and influence campaigns

Illustration of a business arm with the imprint of two hands, one is giving a peace sign, the other has it's fingers crossed.
Illustration: Aïda Amer/Axios

The recent firestorm over the New York Post’s publication of stories relying on data from a hard drive allegedly belonging to Hunter Biden shows the increasingly hazy line between domestic political “dirty tricks” and a foreign-sponsored disinformation operation.

Why it matters: This haziness could give determined actors cover to conduct influence operations aimed at undermining U.S. democracy through channels that just look like old-fashioned hard-nosed politics.

Catch up quick: The stories by the Post, which were dogged by controversy within the newspaper itself, have focused on Hunter Biden’s international business dealings as well as raw tabloid exposés of his personal life.

  • The most serious Ukraine-related allegation — the recycled claim that Joe Biden pressured Ukrainian officials to fire a prosecutor because the then-vice president wanted to kill an investigation into energy giant Burisma, where the younger Biden sat on the board — has been extensively debunked as false. (Hunter Biden’s business activities abroad while his father was in office do nevertheless raise potential conflict-of-interest questions.)

Possibly more consequential than the data trove itself are the unusual circumstances surrounding its discovery and dissemination.

  • According to the Post, Hunter Biden dropped a waterlogged laptop off at a computer repair shop in Delaware — though the repairman says he never actually saw the person who left it — where it languished for over a year.
  • The repairman eventually contacted an associate of Trump lawyer Rudy Giuliani, who passed the contents of the laptop’s hard drive on to the New York Post. (Former Trump adviser Steve Bannon also somehow obtained a copy.)

Between the lines: It’s a byzantine account, and the chain-of-custody issues alone raise many questions. It would be easy for anyone along that chain to, for instance, mix in forged documents or content that's otherwise particularly damning.

  • Russian intelligence services have a long history of doing just that, a technique they employed as recently as in a hack-and-leak campaign during the 2017 French elections.
  • Although administration allies like Giuliani — and, unusually, even DNI director John Ratcliffe — have pushed back against allegations that the cache may be part of a Russian disinformation campaign, the FBI is reportedly investigating precisely this possibility.
  • No clear evidence has yet emerged to settle the matter either way.

Our thought bubble: Questionable sourcing doesn’t necessarily negate the newsworthiness of genuine leaked communications. (Forgeries are another matter, and the legitimacy of the documents behind the Post story remains an open question.)

  • Just because it was the GRU, the Russian military intelligence agency, that hacked the DNC’s emails and passed them to WikiLeaks doesn’t automatically mean mainstream outlets shouldn’t have covered them.

Yes, but: Understanding where leaked documents and similar material come from helps us grasp if there are larger forces at work so that we don't miss the forest for the trees.

  • In 2016, the “trees” were the internal squabbles and maneuvering within the DNC, as revealed in the leaked emails.
  • The “forest” was that Russian intelligence services had launched an unprecedented covert-action campaign against the United States aimed in part at tilting the scale toward their preferred presidential candidate.

Be smart: We don’t have that kind of clarity right now about Hunter Biden’s hard drive. Giuliani may indeed have obtained it through some kind of highly fortuitous domestic legerdemain.

  • But the potential for foreign skulduggery is also impossible to ignore, particularly given Giuliani's role as President Trump's point man in Ukraine, working to dig up Biden dirt in close collaboration with Ukrainian officials — including one the Treasury Department identified as a known "active Russian agent for over a decade."
  • Trump and some White House staffers reportedly received warnings last year that Giuliani was entangled with Russian assets in Ukraine.

The bottom line: We can’t ignore the larger context of Giuliani’s actions. We may not be able to see through the entire forest of the 2020 elections yet, but that doesn’t mean we are required to only gaze at solitary trees, either.

2. Sandworm cyber spy unit hit with U.S. charges

In a major move Monday, the Justice Department unsealed an indictment accusing six Russian nationals of working as cyber spies for the GRU.

Why it matters: Russia won’t give up the men to stand trial in the U.S., but the indictment stands as a public rebuke to the country as it grows ever bolder about engaging in cyberattacks around the world.

What they’re saying: The indictment identifies the men as working for the GRU’s Main Center for Special Technologies, a group of Russian cyber operators commonly identified in U.S. threat intelligence circles as Sandworm.

Background: Sandworm is considered to be among the world’s most aggressive units of cyber operators.

  • It has launched highly destructive attacks on infrastructure worldwide, including the devastating 2017 NotPetya ransomware attack that originated in Ukraine before spreading across the globe.

Details: In addition to affirming Sandworm’s responsibility for the NotPetya attack, the indictment says the group masterminded, among other activities:

  • Earlier attacks in 2015 and 2016 on Ukraine’s power grid and other Ukraine government and private institutions.
  • The hack-and-leak campaign targeting the 2017 French elections.
  • A destructive malware campaign targeting the 2018 Olympics in South Korea.
  • A spying campaign against the Organization for the Prohibition on Chemical Weapons and other institutions investigating the attempted assassination of a Russian defector living in England.
  • Disruptive attacks in 2019 on websites in the country of Georgia.

Of note: One of the GRU operators named in the indictment, Anatoliy Sergeyevich Kovalev, was previously charged in 2018 with helping perpetrate the 2016 U.S. electoral interference operation.

  • Kovalev and his co-conspirators “stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers” from a state board of elections, according to this earlier indictment.

Meanwhile: U.K. officials released a statement asserting that the same GRU unit has “conducted cyber reconnaissance against officials and organisations” related to the Tokyo Olympics, originally slated for this year but postponed due to the coronavirus pandemic.

  • U.K. officials also said that, during its operations during the 2018 Olympics, Sandworm tried to mask its activities by posing as Chinese and North Korean state hackers.

3. Biden's possible intel picks

Illustration of dialogue windows with Joe Biden
Illustration: Eniola Odetunde/Axios

The Biden camp is considering bringing back a handful of top intelligence community veterans to “hit the ground running” should the former vice president win in November, according to Politico.

Context: Some officials, like former NSA and CIA Director Michael Hayden, believe that, should Biden win, he will need to replace top DNI officials as well as “probably” CIA Director Gina Haspel, because of the politicization of the IC under the Trump administration.

Details: Some of the key figures being looked at include “former acting CIA director Michael Morell, former Obama national security adviser and close Biden confidant Tom Donilon, former Obama deputy national security adviser Avril Haines, former Deputy NSA Director Chris Inglis, and former deputy director of the Defense Intelligence Agency Robert Cardillo,” writes Politico.

  • The Politico story also recounts a meeting in 2017 between Trump and top CIA officials, including the leader of the agency’s paramilitary Special Activities Center, where the president interrupted a briefing on highly sensitive operations in Afghanistan to ask for a milkshake.

4. U.S. businessman sues Indian hackers over dumped emails

An Iranian American aviation magnate with alleged CIA connections has sued a private investigator and two Indian “hacker-for-hire” firms for allegedly compromising his email accounts and dumping them online in 2016, according to Bloomberg and Reuters.

Why it matters: The suit illustrates the convoluted and opaque nexus of state-backed cyber espionage and the global marketplace of hacker-for-hire firms.

What’s happening: The lawsuit filed by the businessman, Farhad Azima, claims that two Indian firms, CyberRoot Risk Advisory and BellTroX InfoTech Services, were hired to hack into his personal data by a private investigator — who was himself hired by a law firm acting on behalf of Ras Al Khaimah, a component emirate of the UAE.

Background: According to Bloomberg, “Belltrox is under investigation by federal prosecutors in Manhattan. ... [and] has allegedly attempted to hack climate activists, hedge fund employees and journalists on behalf of its clients.”

  • Azima’s original dispute with Ras Al Khaimah centered on a failed hotel sale deal in the country of Georgia and involved three Iranian businessmen later identified by the Treasury Department as laundering money on behalf of Iran’s Revolutionary Guard.
  • Around the time the Georgia hotel deal collapsed, an employee of Azima’s, visiting family in Iran, was imprisoned and tortured by the Revolutionary Guard and accused of working for the CIA.

5. Odds and ends

  • The hacking by law enforcement of Encrochat, “an encrypted phone network used heavily by organized crime,” has been challenged repeatedly in a U.K. court. (Motherboard)
  • The NSA warned defense contractors of 25 vulnerabilities used by Chinese hackers to target them. (CyberScoop News)
  • The Justice Department brought its long-anticipated suit against Google for alleged monopolistic practices. (Axios)
  • Elliott Broidy, a former top RNC official, has pleaded guilty to acting as an unregistered agent of a foreign power, working on behalf of Chinese and Malaysian interests. (Washington Post)
  • Conservative media figures are falsely linking the Black Lives Matter Movement to the Chinese Communist Party. (Axios)