I’ve received a few requests to get a little more visibility behind the scenes into some of our techniques, so that’s what I wanted to offer today.
During the Sussmann trial we learned Rodney Joffe was a Confidential Human Source (CHS) for the FBI, providing information on Russian cyber crimes and other matters. We also got to see a 1023 for a still-unidentified CHS:
If you remember, there were 4 researchers primarily associated with the Alfa Bank allegations in the Sussmann indictment: Rodney Joffe, April Lorenzen, David Dagon, and Manos Antonakakis. A fifth individual named L. Jean Camp appears to be closely tied to the allegations. Others were identified in media reporting as “independent” analysts, such as Matt Blaze, Steve Bellovin, Paul Vixie etc.
During one interview, Sussmann provided 3 names to the FBI as cyber professionals to contact regarding the allegations: Blaze, Bellovin, and a third individual named Susan Landau.
Given that Joffe is ruled out as the CHS on the form 1023 above, we have a rather small list of names of cyber researchers to consider.
So let’s go to the 1023 for clues.
First, they are close enough to Joffe to be included or knowledgeable about his communications with Thomas Grasso. They reference David Dagon as someone the FBI should talk to, so that rules out Dagon being the CHS here.
This section suggests the CHS is part of the researcher team that provided analysis on the data:
How about this section?
Take a moment as an exercise: what does this section suggest?
To me, it provides an indication that the CHS here likely has ties to the media. If you consider who would be reaching out to Hope Hicks, and who she would take a call from, it would support a fairly prominent journalist as a confidential human source for the FBI.
But then we get to this section:
So does the CHS work for the Washington Post? Or were they just privy to calls likely set up by journalists with Hope Hicks?
For what it’s worth, Hope Hicks could readily identify who she spoke to around that time and clear this up fairly easily. If it is a journalist, we saw stories from Franklin Foer, David Corn, and Eric Lichtblau around this time.
But we also have emails thanks to John Durham which show Fusion GPS pressuring journalists to cover the story:
and we also have some indications of who was speaking to Hope Hicks:
Unfortunately, Hosenball isn’t the only one. We know Hope provided a similar answer to Franklin Foer and a couple others around the same time.
So where would the sleuths go next?
Well let’s go here:
Let’s consider the agents: where did they work out of?
Google says Trifiletti worked in the Springfield IL field office (which will be important soon), and also provided a link to this:
We also find Steere and Vos worked out of the Chicago office.
As best as we can tell, Agent Soo worked out of the Des Moines field office.
Returning to our header:
If we want to get the field office, a starting point is to count the redacted characters by referencing a line above or below. Sometimes that is very easy when they use monospace fonts, and sometimes it’s extremely challenging. (H/T Walkafyre for teaching me, though he is still the best).
The best confirmatory technique is to open the file in Adobe PDF, do text recognition, and create a text box (with no borders) over the redacted space, then input your ideas until something fits.
A little outdated, but maps of FBI field offices are readily available:
What we see is that the redacted field office seems to be 10 characters long, and for a few reasons, our current consensus is that the field office named on the form 1023 is Springfield:
(I didn’t get it quite perfect, but the above is for demonstration purposes).
Springfield doesn’t quite fit anyone on our current list of names. The closest person would be L. Jean Camp, but there are closer field offices to where she lives.
This suggests this individual who is intimately knowledgeable about the Alfa Bank claims might be a new name (or there was some odd travel arrangement).
There is someone I have in mind, but they have not been previously connected to the Alfa Bank allegations.
Therein lies our current challenge on identifying this CHS, with a little insight into how we operate.
Happy sleuthing!
Is the 1023 source ID an actual name or some opaque coded identifier? Has Walkafyre ever identified a source by dissecting this field?
~ excellent run through of the sleuthing process. I'm taking notes. Retired now & getting ready to start some researching of my own. ~