CI Flag Analysis vs. Chekist Deceptions: Thinking Critically About the Sensational

In November 2017, John Sipher — a former member of CIA’s Senior Intelligence Service — wrote a primer on the use of strategic deception by the Russian government to advance its goals abroad. Sipher used his analysis to place that practice, a tradition in the operational annals of Russia’s intelligence services, in the context of the active measures campaign that targeted the 2016 U.S. presidential election and how such a practice could be used to exploit the discord in current chaotic political climate. He even included an explicit warning: “While I can’t pretend to know when and how the Russians will undertake a deception operation [to deceive the American public], my sense is that it will be around the issue of collusion.”

As the United States undertakes a systematic examination and analysis of Russian interference in the 2016 election to determine its impact on our national security, it behooves Russian counterintelligence — those tasked with not only rooting out spies but also frustrating the efforts of adversaries — to attempt to distract, confuse, and deceive us while we conduct this damage assessment. In intelligence parlance, such offensive counterintelligence operations are often referred to as “degradation operations.” Russia’s intelligence officers, self-described “Chekists,” are deft practitioners of such distractions; and in this case, with Russia being led a former intelligence officer who is trying to undermine the conception of democracy as fundamentally feasible, it is a no-brainer for the Chekists to sow as much distraction into our national recovery as possible.

A particular historical case stands out as both an example of how skilled the Chekists are at this. In the 1980s, the Soviet Union’s Committee for State Security (KGB) launched a concentrated disinformation campaign as part of an effort to safeguard the identities two highly placed spies in the U.S. Intelligence Community: Aldrich Ames at CIA and Robert Hanssen at the FBI. Part of that campaign targeted CIA in particular through Aleksandr Zhomov, a KGB counterintelligence staff officer who was dangled at CIA’s Moscow Station as a double agent in the late 1980s. While reporting to CIA under the codename GTPROLOGUE — but secretly under KGB control all along — Zhomov became a key deception channel for the KGB. His goal: distract CIA counterintelligence investigators with the story that operational brilliance and ingenuity by the KGB, abetted by poor CIA tradecraft, had exposed Agency sources in Moscow that in reality had been betrayed by Ames. The KGB likely did not expect CIA to completely believe Zhomov’s claims about the exposed sources, but certainly it hoped to waste the time and resources of CIA’s counterintelligence staff by forcing it to chase down a dead-end lead: a distraction via deception.

When designing a deception, these concepts are instructions. When conducting source validation, they become counterintelligence flags: “indicators that should alert a source handler [or intelligence analyst] to suspicious action that may bring the source’s bona fides into question.”

In designing the Zhomov operation, the KGB adhered to five hallmarks of effective deception:

  1. Time your deception to coincide with efforts to investigate that which you are trying to conceal. By timing your deception correctly, you maximize your chance to confuse your target and hopefully waste their energies through fruitless avenues of activity at a critical point in time. When Zhomov approached CIA’s Moscow station chief, the KGB already knew — by both commonsense and reporting from Ames — that CIA was investigating how its sources in Moscow had been exposed.
  2. Play to your target’s preconceptions: use what they already know, are doing, and expecting against them. If you know the extent of your target’s knowledge, and how they are likely expect to learn more, you have the opportunity to make the narrative of your deception all the more digestible to the target. In the case of GTPROLOGUE, CIA already knew it had lost assets, was already engaged in a massive campaign to acquire intelligence about what caused those losses, and would expect potential sources who worked in KGB counterintelligence to have relevant information.
  3. Use as much truth as possible to distract from the real issue, which is often the one that makes people most uncomfortable. The most believable lies are wrapped in a bodyguard of truth, so use as much truth as possible in crafting your lie; and, if possible, play to your target’s human desire to avoid hearing bad news. Zhomov gave CIA a complete list of all the American spies that had been exposed but presented that valid information in the context of the lie that those spies had been caught purely through activity in Moscow. The truthful part of that information was already known to CIA, but a KGB officer willing to share such sensitive information (that CIA could easily corroborate to be true) would appear all the more valid as an asset. The lies about KGB brilliance and CIA incompetence also pointed away from the idea that there was a mole in U.S. intelligence, taking advantage of the reality that no one wants to believe being secretly betrayed.
  4. Use convincing messengers with plausible access, who behave and communicate in plausible ways. In a profession where everyone is worried about being lied to, the messenger is part and parcel of the message: if you don’t believe the former, you are less likely to believe the latter. Zhomov was a senior staff officer in the KGB department responsible for countering CIA activity in the Soviet Union, the kind of asset CIA was more inclined to believe because the KGB was highly averse to dangling due to the risk that the officer might turn for real. (Ames had previously told the KGB that CIA was inclined to believe KGB staff officers for this precise reason, and this likely factored into Zhomov’s selection for this operation.) His rank and billet gave him plausible access to relevant intelligence, and he communicated it to CIA in such a controlled manner (see below) as to reinforce CIA’s belief that he feared detection by his own colleagues.
  5. Control the narrative as much as you can. The best way you can ensure you own the message your target receives is by ensuring you own the messenger and their means of communication with the target. The entire GTPROLOGUE case took place in the Soviet Union — a “denied area” that afforded the KGB every advantage in controlling the movements of both Zhomov and his CIA handlers. That denied area reality also made it plausible for Zhomov to demand a highly impersonal communications plan from CIA, which made it impossible for CIA to ever actually interact with Zhomov for longer than about four minutes on any single occasion.

When designing a deception, these concepts are instructions. When conducting source validation, they become counterintelligence flags: “indicators that should alert a source handler [or intelligence analyst] to suspicious action that may bring the source’s bona fides into question.”

Since November 2017, there have been a proliferation of stories in the media that purport to offer insight into Russian active measures but, upon closer inspection, raise the same kind of counterintelligence flags that the Zhomov operation displays in hindsight. Six stories in particular stand out to me:

  • In October 2017, Alan Beskaev, a Russian national residing in Thailand, claimed on Russian television (in an account picked up by the Daily Beast) that he had worked in the American Department of Russia’s Internet Research Agency (IRA). He provided a scandalous account of the American Department’s operations and even accused Yevgeny Prigozhin of being the financial backer of the IRA.
  • In November 2017, Vitaly Bespalov, a Russian national residing in Russia who was a self-professed “troll” in the employ of the IRA, offered NBC News what appeared to be a detailed account of how the IRA’s operations against the United States are structured.
  • In December 2017, Konstantin Kozlovsky, a Russian national currently in custody of Russia’s Federal Security Service (FSB) on hacking charges, had his courtroom and Facebook statements — wherein he has claimed to have hacked the Democratic National Committee at the behest of two FSB officers also currently in custody under charges of treason and to have created the WannaCry malware that the U.S. government has attributed to North Korea — touted by the national security press as statements worthy of serious consideration.
  • On February 9, 2018, two stories were published regarding an apparent counterintelligence investigation of the U.S. Intelligence Community aimed at determining the bona fides of a Russian national in Germany who claimed he could serve as an “intermediary” whose connections in Russian intelligence could enable him to “recover” NSA cyberweapons stolen by the Shadow Brokers in return for cash. This Russian later tried offer information about ties between Donald Trump and the Russian government before CIA apparently assessed the entire line to be bunk and terminated contact with the individual.
  • On February 22, 2018, only few days after Special Counsel Robert Mueller’s indictments of the IRA and its Vladimir Putin-affiliated backer Yevgeny Prigozhin — rightly described as Putin’s cut-out of choice for sensitive, deniable operationsthe Economist published another account of operations at the IRA, cobbled together from Bespalov’s and Baskaev’s prior statements.
  • On February 27, 2018, Buzzfeed News published the account of Anna, a woman claims to be the mother of Joseph Mifsud’s child. Mifsud, a Maltese national and London-based academic, was the individual who approached George Papadopoulos and “promised him “dirt” on Hillary Clinton compiled by the Russians, including thousands of emails.” Anna claims to have been in a turbulent relationship with Mifsud, who claimed to her that he dined with Sergei Lavrov and to others that he had met with Vladimir Putin. Her entire account appears to be based on her word and media — email, text messages, and images — in her possession.

Each narrative has arrived during a period of escalating national interest into the work of Special Counsel Robert Mueller or increasing focus on other Russia-related matters, such as the memos drafted by the two sides of the House Permanent Select Committee on Intelligence. Each plays to preconceptions of the American audience, be they be about the existence and scope of Russian cyber operations, ties between the Trump campaign and Russian intelligence, or alleged biases in the Intelligence Community. To me, these sources feel like they are trying to broad-brush a veneer of truth onto salacious accounts by having the key players regurgitate relevant facts that are already in evidence elsewhere or would be easy to ascertain for U.S. intelligence.

Most importantly, two mechanisms of control are clearly evident. First, in the fact that the sources are all Russian or European nationals located in either Russia or countries where Russian operators could target them. All of these individuals — Beskaev, Bespalov, Kozlovsky, the“intermediary,” and Anna — must be supremely aware of Vladimir Putin’s ability to bring harm to them or their families should he or others in the Chekist services decide they have said the wrong thing to the wrong person. Second is that each of these sources appear to conform to the old Chekist tactic of having controlled assets present themselves as having only marginal or sporadic access to sort of information of the most interest to a target audience (in this case, the American public).

Our adversaries depend on our ignorance and confirmation biases to reinforce their deceptions and distractions, degrading our national resiliency against disinformation. So, as we all continue to plunge ahead into what looks like is going to be a third year of constant headlines and bombshells, I invite readers to apply the sort of counterintelligence flag analysis I laid out above to these and other stories that arise. Approach the sensational critically and you will help deny satisfaction to those who are happiest when they sow discord into our national dialogue.

Written by

Open source counterintelligence referent. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–2021.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store