Article: https://www.foxnews.com/politics/ratcliffe-designates-space-force-as-18th-member-of-intel-community
The move will ensure that Space Force leaders have access to all intelligence it would need to be successful
Director of National Intelligence John Ratcliffe on Friday announced the Space Force as the 18th member of the intelligence community, in a move to "break down barriers" to information sharing and to help inform the community's analysis of threats in space.
Fox News has learned that Ratcliffe announced the designation of the U.S. Space Force Intelligence, Surveillance and Reconnaissance Enterprise, which is the intelligence component of the Space Force.
The Office of the Director of National Intelligence (ODNI) called the designation "a once-a-generation event."
"This accession reaffirms our commitment to securing outer space as a safe and free domain for America’s interests," Ratcliffe said Friday. "American power in space is stronger and more unified than ever before. Today we welcome Space Force to the Intelligence Community and look forward to the power and ingenuity of a space security team unrivaled by any nation."
"Through sharing space-related information and intelligence, the IC and DOD increase integration and coordination of our intelligence activities to achieve best effect and value in executing our missions," Ratcliffe said. "This move not only underscores the importance of space as a priority intelligence and military operational domain for national security, but ensures interoperability, future capability development and operations, and true global awareness for strategic warning."
The Space Force intelligence element is the first new organization to join the intelligence community since 2006, when the DEA’s Office of National Security Intelligence joined.
The move, according to ODNI, will break down barriers to information sharing and ensure that Space Force leaders have access to all intelligence that it would need to be successful.
The move also allows the intelligence community to have access to all operational space domain awareness that would help inform its analysis of threats in space.
Ratcliffe, at the National Space Council meeting last month, first signaled his intention to welcome the Space Force into the IC.
A source familiar told Fox News that on the sidelines of that meeting, Ratcliffe spoke with Vice President Mike Pence and stressed that the Trump administration had made space more of a focus than any administration since the 1960s. The source said Ratcliffe urged Pence to help to make the Space Force part of the intelligence community.
The source told Fox News that after that conversation, Pence "hit the accelerator to get this done prior to Inauguration Day."
Meanwhile, during the National Space Council meeting, Pence dedicated Cape Canaveral Space Force Station and the Patrick Space Force Base, both in Florida, as the first two bases for the Space Force.
The Space Force became the sixth branch of the U.S. military last year.
Also last month, Pence announced that Space Force troops would be called "guardians."
"It is my honor, on behalf of the president of the United States, to announce that henceforth the men and women of the United States Space Force will be known as guardians," Pence said at the White House. "Soldiers, sailors, airmen, Marines and guardians will be defending our nation for generations to come."
The new name came after the Space Force unveiled its logo, flag and "Semper Supra" motto in December.
"Guardians is a name with a long history in space operations, tracing back to the original command motto of Air Force Space Command in 1983, 'Guardians of the High Frontier,'" the Space Force said.
The Space Force was created one year ago with a projected size of 16,000 troops and an annual budget of $15.4 billion for now.
The branch's responsibilities include "developing military space professionals, acquiring military space systems, maturing the military doctrine for space power, and organizing space forces to present to our Combatant Commands."
President Trump first called for the creation of the Space Force in May 2018. Trump signed an order in December 2019 to establish the branch.
BY PETR SVAB January 8, 2021 Updated: January 9, 2021
John Sullivan, videographer and founder of “a group for racial justice and police reform,” posted a video on YouTube on Jan. 7 that shows him entering the Capitol building in Washington with a group of Trump supporters and possibly others on the previous day. He’s heard on video encouraging others and convincing Capitol police to let the trespassers through at several impasses. The video also reveals further details about the situation that led to the death of Ashli Babbitt, an Air Force veteran shot inside the building by Capitol Police.
Sullivan is known for taking part in protests and riots connected with the Black Lives Matter movement, which was founded by Marxist organizers.
In July, he was arrested in Utah for alleged rioting, making a threat of violence, and criminal mischief due to his part in a protest that resulted in the shooting of a motorist.
“As a protest organizer, John Sullivan is heard talking about seeing the shooting, looking at the gun, and seeing smoke coming from it. John did not condemn the attempted murder nor attempt to stop it nor aid in its investigation by police,” the police affidavit said, Deseret News reported.
“An armed revolution is the only way to bring about change effectively,” he said in a Dec. 28 tweet.
On Jan. 2, Sullivan wrote in a tweet: “[Expletive] The System – Time To Burn It All Down. #blm #antifa #burn #[expletive]thesystem #abolishcapitalism #abolishthepolice #acab #[expletive]trump.”
Sullivan also uses the moniker “Jayden X” online and is the founder of “Insurgence USA,” which describes itself as started “in 2020 in response to the George Floyd tragedy,” referring to the Minnesota man who died after ingesting a potentially lethal amount of Fentanyl and was then pinned down during an arrest with a police officer kneeling on his neck.
The aim of Insurgence USA is “to empower and uplift black and indigenous voices” and “build local powers to enable the community to intervene in violence enacted by the state and government vigilantes,” the description of its YouTube channel says.
In his graphic video from the Jan. 6 storming of the Capitol, Sullivan can be heard saying “let’s burn this [expletive] down,” before entering the building.
In response to criticism on Twitter, Sullivan said he was there only to report and that his actions were “part of blending in, so I don’t get beat up.”
But the video shows he was actively helping convince Capitol police officers to let the trespassers through as well as encouraging the trespassers to continue pushing forward.
Shortly after entering the building through a broken window, Sullivan heads down a corridor, but then turns around and walks toward an entrance next to the broken window. A woman holding a camera enters the door and walks toward him. He doesn’t talk to her, turns around, and heads down the corridor again. He will talk to the woman later.
There appeared to be hundreds of people inside, wandering around.
Near the end of the corridor, Sullivan makes a right into another corridor. Several police officers on both sides are moving people along, preventing them from taking another turn. At the end of the corridor, there’s another entrance and several officers ushering people out.
When Sullivan reaches the door, he refuses to leave.
“I’m just recording the situation,” he tells one officer.
“You’ve got to do it from outside. C’mon guys,” the officer says.
The woman is seen keeping close to Sullivan.
“They are already inside, bro. Like, you’re not stopping anything from happening,” he tells the police.
The officers successfully get several more people out and seem to secure the door.
Sullivan manages to stay inside, arguing he can’t go out through this entrance because it’s blocked. The officers try to hold him and a small group of others near the door from going back deeper inside the building, but at one moment people just stream through to the corridor, Sullivan with them.
The group then rejoins the larger crowd inside, weaving their way through the building until reaching the majestic Capitol rotunda, a favorite tourist attraction lined with statues and paintings.
Sullivan sounds ecstatic about the experience.
“I never would have imagined that we would be here,” he says, talking to another man.
The woman then turns to Sullivan saying, “Let me give you a hug now. We did it. You were right. We did it.”
“Dude, I was trying to tell you. I couldn’t say much,” he replies.
There seems to be a short interruption in the video several seconds later.
The woman then says, “You aren’t recording, right?”
“I’ll delete that [expletive] up,” he replies. “But I didn’t record you I mean.”
He then enters another chamber.
“Do not deface the statues,” somebody says.
“I can respect the stat—well, people might burn this down, I’m not going to lie. So it might be too late for that,” he replies.
Shortly after, Sullivan and a group of other trespassers reach the glass-pane door to the Speaker’s Lobby. The narrow corridor is barricaded from the other side with furniture.
Three police officers are standing in front of the door, guarding it. Some people shout at the officers. Jayden starts to talk to them.
“We want you to go home. I’m a reporter and there’s so many people. It’s just, they’re going to push their way up here. Bro, I’ve seen people out there get hurt. I don’t want to see you get hurt. We will make a path death [expletive] … Please, let us make a path. Just let us make a path. I want you to go home.”
The officers then walk away.
“Go. Go. Let’s go. Get this [expletive],” Sullivan shouts.
Three rioters proceed to break the door’s window panes with kicks, a flag pole, and a helmet.
“Yo! There’s a gun! There’s a gun! There’s a gun!” Sullivan shouts, his video showing a plainclothes police officer with his gun drawn in a door frame to the left on the other side of the glass-pane door. He’s aiming at the door.
“Hey, he’s got a gun!” somebody else shouts.
The rioters continue for a few more seconds, knocking two of the window panes out.
A graphic video taken by another person on the scene shows the first three officers leaving while four more officers with helmets and rifles stand by, just several feet from the door, one of them talking to a man in a black suit with a pin in the lapel.
A young woman climbs into one of the empty window frames. Her name is Ashli Babbitt.
The officer on the other side of the door fires a single shot, striking her in the neck.
She falls on her back.
One of the officers in helmets aims his rifle at the door. It appears he’s not sure who’s on the other side and who fired the shot. He quickly lowers the rifle and gestures. It appears he’s realized the shooter was a fellow officer.
The officers and some others try to help the woman.
Chaos intensifies.
“She’s dead. She’s dead,” Sullivan repeats.
Babbitt was pronounced dead on arrival at a hospital.
Sullivan didn’t immediately respond to questions submitted through a direct Twitter message.
Georgia’s elections director in November sent a memo warning counties that voting machine software was not subject to open record requests as public demand was growing for transparency over Dominion software and other electronic poll book data.
“Multiple counties have reported receiving Open Records Requests asking for data information such as, copies of original software for the voting equipment, copies of any software patches performed on Dominion voting machines in the State of Georgia prior to the November 3, 2020 General Election, as well as copies of any thumb drives provided to you containing software or software updates.” states the memo from Chris Harvey, Georgia Elections Division Director.
“Under the Open Records Act, providing copies of software, software updates, or thumb drives containing software or software updates is not subject to open records requests,” the memo says. “In addition, information that could harm the security of election equipment cannot be provided.”
The memo was made public on Dec. 17 by a local voter integrity campaigner.
The secretary of state’s office declined to comment on the matter, but did not deny the authenticity of the letter when contacted by the Epoch Times.
It was sent to county election officials and county registrars.
The memo also told them they could not release information in KNOWiNK poll book log files as it contains information protected under the Georgia Trade Secrets Act and the Open Records Act.
The memo cites Georgia law, which states “documents or information that, if made public, would endanger the security of any voting system used or being considered for use in this state, or any component thereof, including, but not limited to, electronic ballot markers, DREs, ballot scanners, poll books, and software or data bases used for voter registration, shall not be open for public inspection except upon order of a court of competent jurisdiction.”
Those who are convinced of election irregularities in the state have been frustrated by the reluctance of state officials, including Republican Secretary of State Brad Raffensperger and Republican Gov. Brian Kemp, to scrutinize the voting process more closely.
Georgia’s House speaker on Thursday announced that he’s seeking to replace the state’s top election official amid a barrage of criticism from the GOP, President Donald Trump, and a bevy of state lawmakers.
Georgia’s House Speaker David Ralston, a Republican, told reporters in Atlanta that he is going to try to get a constitutional amendment passed that would take the power to select the secretary of state from voters and give it to legislators.
“I think it’s time in Georgia that we look at an alternative way of electing our secretary of state,” Ralston said at a press conference. “I’m dead serious about this.”
Issues of election security in the state are even more significant due to the impending run-off election that will settle the balance of power in the United States Senate.
After resisting the notion for some time, Raffensperger announced on Dec. 17 that the state will be conducting a state-wide check of signatures on mail-in ballots in all 159 counties.
Raffensperger asked researchers at the University of Georgia’s School of Public and International Affairs to conduct the check, including a “randomized signature match study of election materials handled at the county level in the November 3 Presidential contest.”
Researchers will also examine the county-level processes used to match signatures on absentee ballots and their envelopes.
WASHINGTON (Reuters) - President Donald Trump on Friday signed legislation that would kick Chinese companies off U.S. stock exchanges unless they adhere to American auditing standards, the White House said, giving the Republican one more tool to threaten Beijing with before leaving office next month.
"The Holding Foreign Companies Accountable Act" bars securities of foreign companies from being listed on any U.S. exchange if they have failed to comply with the U.S. Public Accounting Oversight Board's audits for three years in a row.
While it applies to companies from any country, the legislation's sponsors intended it to target Chinese companies listed in the United States, such as Alibaba (K:BABA), tech firm Pinduoduo (NASDAQ:PDD) Inc and oil giant PetroChina Co Ltd.
The legislation, like many others taking a harder line on Chinese businesses, had passed Congress by large margins earlier this year. Lawmakers - both Democrats and Trump's fellow Republicans - echo the president's hard line against Beijing, which became fiercer this year as Trump blamed China for the coronavirus ravaging the United States.
The act would also require public companies to disclose whether they are owned or controlled by a foreign government.
Chinese officials have dismissed the measure as a discriminatory policy that politically oppresses Chinese firms.
Chinese authorities have long been reluctant to let overseas regulators inspect local accounting firms, citing national security concerns.
The United States has sanctioned Ex-Cle Soluciones Biométricas C.A. (Ex-Cle C.A.) for their support of the illegitimate Maduro regime’s fraudulent December 6 legislative elections. The Treasury Department action also targets Guillermo Carlos San Agustin and Marcos Javier Machado Requena for having acted for or on behalf of Ex-Cle C.A. San Agustin, a dual Argentine and Italian national, is a co-director, the administrator, a majority shareholder, and ultimate beneficial owner of Ex-Cle C.A. Machado, a Venezuelan national, is a co-director, the president, and a minority shareholder of Ex-Cle C.A.
Ex-Cle C.A. has millions of dollars of contracts with the illegitimate Maduro regime, providing electoral hardware and software to regime-aligned government agencies. Ex-Cle C.A. was aware of and involved in the regime’s efforts to rig the fraudulent December 6 elections, thereby undermining democracy and suppressing the voices of the Venezuelan people. Ex-Cle C.A. also helped Maduro’s coopted National Electoral Council to purchase thousands of voting machines from China, routing payments through the Russian financial system. They shipped the voting machines through Iran using rogue airlines Mahan Air and Conviasa, both previously targeted by the Treasury Department’s Office of Foreign Assets Control.
Those who seek to undermine free and fair elections in Venezuela must be held accountable. Maduro’s reliance on companies like Ex-Cle C.A., as well as recently-sanctioned PRC tech firm CEIEC, to rig the electoral processes should leave no doubt that the December 6 legislative elections were fraudulent and do not reflect the will of the Venezuelan people. We urge all countries committed to democracy to condemn the fraudulent December 6 elections and the illegitimate regime’s continuing efforts to destroy democracy in Venezuela.
On Monday, Dec. 14, Attorney General William Barr officially released a resignation letter he had written to President Trump.
In the letter, Barr had nothing but effusive praise for the President, and the President quickly tweeted out a public response in which he thanked Barr for his two years of service as the nation’s top law enforcement officer. Despite tensions being played up between the two men in the media, neither had a cross word to say about the other.
Rumors of a Barr resignation began swirling last week, but they were nothing new; every other month for the past year or so, corporate news stories based on anonymous officials familiar with the matter have appeared claiming Barr had finally had enough of the mercurial President and was looking for an exit.
Barr made it exceedingly clear in interviews that neither he nor Durham were rushing any of the current federal investigations to meet an election deadline. On Aug. 13, on the Sean Hannity program, in response to a question about the status of the Durham investigation, Barr said this:
“. . . I have said there are going to be developments, significant developments, before the election. But we’re not doing this on the election schedule. We’re aware of the election. We’re not going to do anything inappropriate before the election.”
Now that it’s been confirmed that Hunter Biden is the subject of at least one federal investigation over tax records and purported money laundering, Barr was taking a lot of heat for not disclosing the investigation before the 2020 election was held.
How politically partisan would it have looked shortly before the election for the U.S. Attorney General to drop the bomb that the oldest surviving son of one of the candidates was the target of a federal criminal probe? For this reason, Barr waited until after the election.
Is Barr resigning because his biggest tasks have been accomplished? It very well could be Barr’s biggest jobs were to end the Mueller Special Counsel while preparing to unveil the fact that the very public and very corrupt Mueller Special Counsel was being shadowed the entire time by a secret Special Counsel’s Office led by John Durham.
As I recently wrote for The Epoch Times, I strongly suspect Durham was leading a de facto Special Counsel’s Office in coordination with an extensive team of prosecutors and investigators that included the multiple attorneys from other states long before Barr publicly gave him the official designation.
And Barr’s official letter dated Oct. 19 made it crystal clear that a criminal investigation of the Mueller team of prosecutors is a big part of the Durham Special Counsel’s scope.
If that is indeed the case, now that those two main tasks are completed, Barr is making way for a new attorney general who will handle the prosecutions once Durham begins unsealing indictments.
Barr’s exit should also be looked at in the light of two stunning declassifications about Special Counsel John Durham and his Russiagate investigation that occurred back in October of this year. Unfortunately, the media instantly dismissed both important disclosures on both the Left and the Right. Within just a day or two, both explosive stories sank out of sight and out of mind.
The two declassifications dealt with when Durham actually began his Russiagate investigation, and the true origin of the FBI’s Crossfire Hurricane probe of the Trump Presidential campaign during the 2016 election.
When did Durham really start investigating Spygate? It’s assumed by many people that Durham rolled up his sleeves and began digging into the Spygate scandal in May of 2019 when Barr made the formal announcement that he was putting Durham in charge—nothing could be further from reality.
Initially, due to this scoop published by The Epoch Times’ Jeff Carlson, it was thought that Durham must have begun his Spygate investigations some time in 2018. It was as former FBI General Counsel James Baker was testifying to the House committees on the Judiciary and Oversight in October of 2018 that a question from the lawmakers about a Spygate leak involving Mother Jones reporter David Corn led to Baker’s lawyer Daniel Levin speaking up to stop that line of questioning.
Levin revealed to the panel that his client was currently under investigation by a U.S. Attorney named John Durham about that matter, and so he was instructing his client not to answer questions about that leak.
From May 2019 to October of 2020, the agreed-upon timeline was that Durham was assigned to investigate how the Russiagate hoax started sometime in 2018. But now we know, thanks to another declassification, the assumption that Durham started up sometime in 2018 is also wrong.
Documentary evidence has revealed Durham was already selected by then Attorney General Jeff Sessions to begin investigating Spygate-related leaks in April of 2017, less than three months after Trump was inaugurated as the nation’s 45th President.
Redacted text messages exchanged between former FBI officials (and lovers) Peter Strzok and Lisa Page were declassified by Director of National Intelligence John Ratcliffe last October so General Michael Flynn’s counsel, Sidney Powell, could use them in a court filing. The unredacted text messages clearly show Strzok and Page uneasily discussing Durham.
In one message, from April 12, 2017, Strzok informs Page that despite their hopes, a certain leak investigation would stay “in house” and be handled by the FBI’s National Security Division (NSD), and he had to deliver some “bad news.” Attorney General Jeff Sessions had given that investigation to John Durham instead.
The very next month, Strzok and Page again are seen in a text message exchange dated May 17, 2017 where Strzok first asks if he should continue to put off sitting down with “John D” for an interview.
Strzok followed up that message by sending another to Page where he stated his intention to continue delaying his interview with Durham.
Silent professionals
The entire time many conservative reporters, pundits, and personalities were loudly and angrily calling for the criminal leaks used to launch the Spygate scandal to be investigated by the DOJ, it had already happened.
And the name of the person in charge of investigating those leaks never became public until January of 2019. Beyond a few general remarks about ongoing leak investigations, Sessions never said one word about Durham having already started. This is amazing if you stop to think about how long Durham’s name was kept out of the public view.
Think about the rogues’ gallery of professional leakers involved in Spygate. You have James Comey, Andrew McCabe, Peter Strzok, John Brennan, and James Clapper, all of whom have a long history of coordinating leaks with corporate news allies. Factor in the Mueller Special Counsel team, which also leaked early and often, and yet somehow, they, too, never managed to leak Durham’s name.
How did the DOJ manage to keep a lid on when Durham began his leak investigations into Spygate for four years, even when there was a transition from Sessions to temporary AG Matthew Whitaker to William Barr?
This amazing feat, however, was accomplished.
Now, likely years after the fact, Barr has publicly revealed that Durham has been running a new Special Counsel’s Office that has a widely expanded scope that includes targeting the Mueller Special Counsel.
Appointing a new Special Counsel’s Office to investigate the last Special Counsel’s Office is exactly the kind of plot twist we needed in the Spygate scandal.
Representative Devin Nunes of CA has made two specific claims for several years now:
1. Crossfire Hurricane did not begin with a real intelligence predicate.
2. The date given for the beginning of the FBI’s investigation of the Trump campaign for possible Russian collusion is not accurate.
Nunes claims the targeting of the Trump campaign for a federal investigation started earlier than July 31, 2016, Crossfire’s official launch date. The official story, for going on four years, is that a conversation between low-level Trump campaign advisor George Papadopoulos and Australian diplomat Alexander Downer in a wine room in the United Kingdom was the trigger event for Crossfire.
This is not true, as it is now abundantly clear that the fake Steele dossier was utilized as the predicate, and the FBI was using Steele’s fabricated allegations well before July of 2016. But later on, the DOJ and FBI officials involved didn’t want to admit they’d based their unprecedented targeting of a presidential campaign on manufactured allegations being given to them by a political operative working for another campaign in the race.
So all the major players involved agreed on a cover story that Papadopoulos’ chat with Downer was the trigger for Crossfire, and that before July 31, 2016, there were no active investigations of the Trump campaign in progress.
A new declassification just dropped that proves there were multiple federal investigations of Trump and his campaign and his associates already underway before July 31, 2016.
The Spygate plotters have been proved yet again to be lying.
In these previously unseen text messages, Strzok discusses multiple counterintelligence investigations that had already been opened targeting “Trump/Russia” on July 28, 2016, which is three days before Crossfire officially launched. That leads to another important question: What other counterintelligence investigations were being run targeting the Trump campaign that we don’t know about yet?
Stay tuned, I have a gut feeling we’ll be finding out before long.
Brian Cates entered the political arena in March 2012, following the death of Andrew Breitbart. He is currently a political writer for The Epoch Times and UncoverDC. Brian is based in South Texas and is the author of: Nobody Asked For My Opinion . . . But Here it is Anyway!
Another day, another hypocritical Democrat in power demanding that the public do things they won’t do themselves. This time around, the one that was caught was Democratic Governor Gina Raimondo of Rhode Island. She sent out this tweet telling the public to “stay home except for essential activities” and to “wear a mask anytime you’re with people you don’t live with.”
Then Raimondo went to a Wine and Paint Dinner at Barnaby’s Public House later in the week. What do you notice about this picture?
Apparently, Raimondo did wear her mask part of the night, but you can’t help but notice that she isn’t eating or drinking anything there, and yet, she doesn’t have it on. Raimondo, who went into a 14-day quarantine the day after this picture was taken because the head of the Department of Health in her administration tested positive for the coronavirus and exposed her, doubled down on her rules for the “little people” later that same week.
Social gatherings limited to your household? Guess that rule is just for the peasants, not for “special people,” like Gina Raimondo. It’s the same thing all over the country. Liberals who are collecting a paycheck are demanding that other people be put out of work. Liberals who are going out to fancy dinners are demanding that you stay home. It’s right out of Orwell.
The same liberals crushing businesses and wrecking lives with their draconian rules designed to stop the coronavirus aren’t even following their own rules. It’s pathetic and we shouldn’t put up with people like this in government.
Trump legal adviser Jenna Ellis on Dec. 16 urged the American people concerned with election integrity to have hope in the ongoing efforts aimed at exposing voter irregularities and alleged fraud.
“I would just say to the American people: Take heart. This is not over yet. And we absolutely have every intention of continuing to fight for election integrity,” Ellis told The Epoch Times’ American Thought Leaders.
Trump’s legal team, led by former New York Mayor Rudy Giuliani, is fighting against the clock to ensure that the sanctity of the ballot box is preserved. The team and its allies have been building a case to ensure that all concerns about voting irregularities and alleged unconstitutional actions passed by state and election officials in the 2020 election are investigated to secure confidence in the election outcome for all.
Although Dec. 14, the day that presidential electors cast their votes for president, has come and gone, Ellis argues that President Donald Trump still has time to challenge the election results and that state legislatures still have time to decide which set of votes from dueling slates of delegates to send to Congress on Jan. 6, the day when the electoral college votes are counted.
Republican electors in seven states have cast alternate votes for President Donald Trump, setting up a new challenge for Congress when it counts the votes next month. While critics argue that those votes are merely symbolic and have no force of law, alternate votes have been accepted by Congress before.
In 1960, Democrats successfully cast an alternative set of votes for John F. Kennedy in Hawaii after the state’s governor certified the electors for Richard Nixon amid a recount. Congress ultimately counted the votes from Kennedy electors, who were signed off by the governor as well, even though Kennedy wasn’t declared the winner in the election until 11 days after Nixon’s electors were certified.
Republicans in the seven states said their rationale for sending dueling electors to Congress was to preserve Trump’s legal claim in the election as his team pursues legal challenges over the counting of what they say are illegal votes. The offices of the Nevada and Pennsylvania secretary of state told The Epoch Times that they have received only the certificates of the vote from Democratic electors and not Republicans.
Ellis is urging state legislatures in the contested states to hold an electoral session to consider evidence of potential election fraud and pass a resolution to send the votes of the Republican slate of electors to Congress.
“If one state is willing to do this, I think others will follow,” she said.
She also believes it is the responsibility of every American to protect free and fair elections, noting that there’s a group of Americans who would like to get to the bottom of all the allegations.
“It’s incumbent, though, upon every American—regardless of who you voted for, whether or not you like the outcome of this election—to stop any cheating, to stop any lawlessness, to stop anything that runs afoul of the U.S. Constitution, to make sure to protect free and fair elections,” she said. “I think there is a movement among the American people who really want to get to the bottom of these questions.”
She added that every state legislature should also be looking at its own laws and its own administration to ensure the integrity of votes.
Ellis said Americans have the ultimate say in holding their leaders accountable for their actions, and there are a series of actions that can be taken to ensure that politicians are held responsible.
“We can do that through not only contacting them and through putting pressure on them to continue in this fight, not only in the media, but also to make sure that our elected officials know that that’s what we expect of them—to take election integrity seriously,” she said.
She said that Americans in some of the contested states could also consider initiating recall petitions—a procedure that allows citizens to recall and replace public officials before their term ends. The petition requires a specific number of signatures over a specified period of time. If a valid number of signatures is collected, then a recall election can be held. Different states have different rules for this procedure.
“And so now, when we’re looking at the state legislatures, if that branch fails, then it’s up to ‘We the People’ to make sure that we go through the constitutional processes, that we can then change those who are in authority, because no person in the United States is entitled to government authority,” she said.
Ivan Pentchoukov contributed to this report.
Dominion Voting Systems issued a warning to Georgia officials prior to the 2020 election that memory cards might need to be removed from vote tabulation machines prior to the end of the election to deal with a limitation in its system, according to records obtained by Just the News through an open-records request.
Officials acknowledged Thursday at least 36 memory cards had to be prematurely removed from vote tabulating machines in the Atlanta area that had reached counting limits. The cards were stored in a locked cabinet until polls closed, officials said.
Dominion, which has fiercely defended its technology since Election Day, issued the "customer advisory" on Oct. 26, according to a "bulletin" sent to county election officials from Georgia Elections Division Director Chris Harvey. The memo was obtained through a Freedom of Information Act request from Just the News to Fulton County, home to Atlanta, Georgia's largest city.
"Dominion Voting released a customer advisory yesterday stating that when an ImageCast Precinct (ICP) Tabulator reaches approximately 10,000 ballots cast for a single election, a message will appear that reads, 'Maximum Ballot Capacity Reached'," Harvey wrote in the memo.
Harvey directed officials to follow one of two policies outlined by Dominion "if [they] believe that a single ICP will reach 10,000 ballots cast." One of those was a directive to "remove the original memory cards from the tabulator that has reached or is nearing maximum capacity" and install new memory cards into it.
Harvey's memo directed officials to refrain from closing the polls on the cards "until 7:00 p.m. on Election Night" and to "store the memory cards securely."
In attached instructions coming directly from Dominion, the company as part of that protocol directed workers to "remove the original memory cards and for store [sic] tabulation at the appropriate time." Those instructions do not mention anything about secure storage.
The Secretary of State's office declined to comment on the state's implementation of Dominion's memory card directives, though the office said it had gone to significant lengths to ensure the integrity of both Dominion's machines and the election in general.
An official with Dominion, meanwhile, on Thursday evening gave a statement via email through Fulton County spokeswoman Regina Waller.
"Due to the amount of races that were on the November 2020 ballot and the large number of early voting polling sites that we have in Fulton County, the Dominion ICX scanner had the memory to hold ballot images of about 5,000 ballots," the official said. "After my staff and I did the test to confirm that the max was 5,000 ballots, we consulted upper management and made the determination that we would swap out memory cards at 3,000 ballots. We swapped out memory cards 36 times during the early voting period.
"For security, each set of memory cards was placed in a secure memory card bag that was locked and sealed and then placed in a locked cabinet," the official continued. "The memory cards were locked in the cabinet until election night after the polls closed at 7pm. At this time the cabinet was unlocked, the seals were broken on each bag and each memory card was uploaded into the Election Management System for tabulation."
Waller did not immediately respond when asked who exactly had given that statement, nor why Fulton County's machines apparently only had the capability to handle half the ballot capacity as had the tabulators mentioned in Harvey's memo.
The recently revealed directive throws new light on memory card-related controversies that have arisen in Georgia since the 2020 election last month.
In Walton County, Ga., officials discovered a memory card with nearly 300 votes on it several weeks after the election.
Around the same time, officials discovered a memory card with a similar number of votes in Douglas County.
In Fayette County, authorities found a memory card with over 2,700 votes on it, while in Floyd County officials found one memory card with 2,600 votes uncounted.
This was the first year that Georgia used Dominion to implement and process its elections. Secretary of State Brad Raffensperger announced in 2019 that the state had selected Dominion as its voting vendor. Raffensperger in that announcement described the firm as a "security-focused tech company."
In addition to the card-removal protocol, Dominion in its Oct. 26 advisory also offered election officials the opportunity to add more tabulators to their election setups rather than deploy new memory cards on original tabulators. That approach was the "preferred" option in Georgia, according to Harvey's memo.
Director of the Office of Trade and Manufacturing Policy Peter Navarro published a lengthy report Thursday outlining several examples of voting irregularities that are “more than sufficient” to swing the outcome of the election in President Trump’s favor.
The 36-page report “assesses the fairness and integrity of the 2020 Presidential Election by examining six dimensions of alleged election irregularities across six key battleground states” and concludes that “patterns of election irregularities ... are so consistent across the six battleground states that they suggest a coordinated strategy to, if not steal the election, strategically game the election process in such a way as to ... unfairly tilt the playing field in favor of the Biden-Harris ticket.”
The six dimensions of voting irregularities in the report include: outright voter fraud, ballot mishandling, contestable process fouls, equal protection clause violations, voting machine irregularities, and significant statistical anomalies.
All six of those voting issues were present in at least two key states, according to the report, and a total of six battleground states experienced multiple examples of the other dimensions.
“Evidence used to conduct this assessment includes more than 50 lawsuits and judicial rulings, thousands of affidavits and declarations, testimony in a variety of state venues, published analyses by think tanks and legal centers, videos and photos, public comments, and extensive press coverage,” the report claims.
Additionally, the report cites affidavits alleging the exploitation of the elderly and the infirm by “effectively hijacking their identities and votes” and accuses Democrats of using the coronavirus pandemic to relax voter ID requirements to the point that ballot harvesting and fraud could slip by unnoticed.
The report outlined incidents in the key states of Wisconsin and Pennsylvania, where ballots allegedly were illegally harvested and dumped into drop boxes.
The election was marred with examples of dead people voting, according to the report.
“In Pennsylvania, for example, a statistical analysis conducted by the Trump Campaign matching voter rolls to public obituaries found what appears to be over 8,000 confirmed dead voters successfully casting mail-in ballots,” the report claims. “In Georgia — underscoring the critical role any given category of election irregularities might play in determining the outcome — the estimated number of alleged deceased individuals casting votes almost exactly equals the Biden victory margin.”
The report concludes: “The ballots in question because of the identified election irregularities are more than sufficient to swing the outcome in favor of President Trump should even a relatively small portion of these ballots be ruled illegal.”
Navarro, who worked on the report in a private capacity, is scheduled to hold a news conference at 1 p.m. Eastern Time on Thursday to discuss the findings.
President Trump has launched legal battles across the country since the November election, which has been called for President-elect Joe Biden by all major news networks and certified by the Electoral College, and as recently as this week stated that it’s “too soon to give up.”
Dozens of legal challenges across the country, however, have been lost, and the Supreme Court has declined to hear cases from both Texas and Pennsylvania challenging the election, which Trump’s supporters have decried as a politically motivated ducking.
Several Republicans, including Senate Majority Leader Mitch McConnell, have broken with the president and conceded that Biden is the winner of the election. McConnell congratulated Biden on Wednesday and said that “the Electoral College has spoken.”
Additionally, Biden slammed claims of voter fraud this week, saying, "Thankfully, a unanimous Supreme Court immediately and completely rejected" efforts to overturn the election.
LONDON (Reuters) - Suspected Russian hackers accessed the systems of a U.S. internet provider and a county government in Arizona as part of a sprawling cyber-espionage campaign disclosed this week, according to an analysis of publicly-available web records.
The hack, which hijacked ubiquitous network management software made by SolarWinds Corp to compromise a raft of U.S. government agencies and was first reported by Reuters, is one of the biggest ever uncovered and has sent security teams around the world scrambling to contain the damage.
The intrusions into networks at Cox Communications and the local government in Pima County, Arizona, show that alongside victims including the U.S. departments of Defence, State, and Homeland Security, the hackers also spied on less high-profile organisations.
A spokesman for Cox Communications said the company was working “around the clock” with the help of outside security experts to investigate any consequences of the SolarWinds compromise. “The security of the services we provide is a top priority,” he said.
In emailed comments sent to Reuters, Pima County Chief Information Officer Dan Hunt said his team had followed U.S. government advice to immediately take SolarWinds software offline after the hack was discovered. He said investigators had not found any evidence of a further breach.
Reuters identified the victims by running a coding script released on Friday by researchers at Moscow-based cybersecurity firm Kaspersky to decrypt online web records left behind by the attackers.
The type of web record, known as a CNAME, includes an encoded unique identifier for each victim and shows which of the thousands of “backdoors” available to them the hackers chose to open, said Kaspersky researcher Igor Kuznetsov.
“Most of the time these backdoors are just sleeping,” he said. “But this is when the real hack begins.”
The CNAME records relating to Cox Communications and Pima County were included in a list of technical information published by U.S. cybersecurity firm FireEye Inc, which was the first victim to discover and reveal it had been hacked.
John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decode the CNAME records published by FireEye and found they connected to Cox Communications and Pima County.
The records show that the backdoors at Cox Communications and Pima County were activated in June and July this year, the peak of the hacking activity so far identified by investigators.
It is not clear what, if any, information was compromised.
SolarWinds, which disclosed its unwitting role at the centre of the global hack on Monday, has said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.
As the fallout continued to roil Washington on Thursday, with a breach confirmed at the U.S. Energy Department, U.S. officials warned that the hackers had used other attack methods and urged organisations not to assume they were protected if they didn’t use recent versions of the SolarWinds software.
Microsoft, which was one of the thousands of companies to receive the malicious update, said it had currently notified more than 40 customers whose networks were further infiltrated by the hackers.
Around 30 of those customers were in the United States, it said, with the remaining victims found in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates. Most were information technology companies, as well as some think tanks and government organisations.
"It's certain that the number and location of victims will keep growing," Microsoft President Brad Smith said in a blog post.
“The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion.”
Vice President Mike Pence and his wife Karen received an injection of the Pfizer coronavirus vaccine Friday morning at the White House.
The Pences are the highest-ranking American public officials to get the vaccine, getting their shot live in front of the media to promote the safety and effectiveness of the vaccine. Surgeon General Jerome Adams also received the vaccine.
“Karen and I wanted to step forward and take this vaccine to assure the American people that while we cut red tape, we cut no corners,” Pence said.
Walter Reed Medical staff administered the vaccine shots. Three screens in the background touted the vaccine as “safe and effective,” hailing the effort of Operation Warp Speed to develop a vaccine against the coronavirus. Dr. Anthony Fauci also was present for the event.
“I didn’t feel a thing,” Pence said after receiving the shot. “Well done.”
One physician asked them a series of questions before the vaccine was delivered, asking if they had experienced any serious reactions to previous vaccines, were taking blood thinners, were pregnant or breastfeeding, or immunocompromised. When they answered no to the questions, the vaccine was administered. “Make no mistake about it, it’s a medical miracle,” Pence said after receiving the vaccine, and added, “I also believe that history will record that this week was the beginning of the end of the coronavirus pandemic.”
Dr. Fauci stressed that the vaccine approval was not political, but based on science and an independent review panel.
“The decision as to whether or not it’s safe and effective is not in the hands of the company nor was it in the hands of the administration,” Fauci said of the coronavirus vaccine, touting its approval by an “independent body.”
Adams spoke directly to communities of color, noting that they understandably were skeptical of vaccines after the infamous government Tuskegee medical experiments on black people.
“To truly promote confidence in these vaccines, we must start by acknowledging this history of mistreatment and exploitation of minorities by the medical communities and the government,” he said.
Adams said that he worked with Dr. Fauci to make sure that people of color were included in the vaccine trials. Other government officials will be vaccinated in the coming days to stress the safety and effectiveness of the vaccine.
President-elect Joe Biden is expected to get vaccinated early next week, and other leaders such as Senate Majority Leader Mitch McConnell and House Speaker Nancy Pelosi are also expected to get the vaccine in the coming days.
President Donald Trump and First Lady Melania Trump already contracted and recovered from the coronavirus in October. President Trump has expressed his willingness to get the vaccine but has expressed his desire for frontline medical workers and seniors in long-term care to get the vaccine first.
Former presidents Jimmy Carter, Bill Clinton, George W. Bush, and Barack Obama have also expressed their willingness to take the vaccine, some of them willing to do so live on camera.
“If Anthony Fauci tells me this vaccine is safe and can vaccinate, you know, immunize you from getting COVID, absolutely, I’m going to take it,” Obama said on December 2. “I may end up taking it on TV or having it filmed. Just so that people know that I trust this science, and what I don’t trust is getting COVID.”
Thousands of organizations have been affected by a supply chain attack that compromised the update mechanism for SolarWinds Orion software in order to deliver a backdoor Trojan known as Sunburst (Backdoor.Sunburst) (aka Solorigate).
Details on the attacks were disclosed yesterday (December 13) by the security firm FireEye. SolarWinds has also published a security advisory for its customers.
The campaign has been underway since at least March 2020. Any Orion user who downloaded an update in this period is likely to have been infected with Sunburst. According to FireEye, the attackers conducted further malicious activity on a subset of victim organizations that were of interest to them.
By their nature, supply chain attacks are indiscriminate and will infect any user of the compromised software. They are carried out in order to provide the attacker with access to a large number of organizations, a subset of which will be identified as targets of interest for further compromise.
The Trojanized software was signed by a certificate marked as being issued by Symantec. Symantec sold its certificate authority business to Digicert in 2018. The certificate in question was a legacy certificate still using the Symantec brand name. Symantec has contacted Digicert, which has confirmed that it is investigating the issue.
Symantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates. We have found a small number of organizations where a second stage payload (Backdoor.Teardrop) was used.
Sunburst analysis
An existing SolarWinds DLL called SolarWinds.Orion.Core.BusinessLayer.dll was modified by the attackers to include an added class.
The malware is designed to remain inactive for a period after installation. It will then attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will deliver a CNAME record that directs to a command and control (C&C) domain.
In SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInterval() code is added to call OrionImprovementBusinessLayer.Initialize().
OrionImprovementBusinessLayer is a malicious class added by the attacker. It has the following functionality:
- Terminates the backdoor thread
- Set delay time before execution
- Collect and upload system information including:
  - Domain
  - SID of administrator account
  - Hostname
  - Username
  - Operating system version
  - Path of system directory
  - Days elapsed since the system started
  - Information on network adapters, including: Description, MACAddress, DHCPEnabled, DHCPServer, DNSHostName, DNSDomainSuffixSearchOrder, DNSServerSearchOrder, IPAddress, IPSubnet, DefaultIPGateway
- Download and run code
- Iterate the file system
- Create and delete files
- Calculate file hashes
- Read, write, and delete registry entries
- Reboot the system
Second-stage payload: Teardrop
A second stage payload, a backdoor called Teardrop, is deployed against targets of interest to the attackers. Symantec has observed two variants of Teardrop, both of which behave similarly and are used to deliver a further payload – the Cobalt Strike commodity malware.
The first variant (SHA256: b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07) is a DLL. The malicious code is contained in the export Tk_CreateImageType, ordinal 209. When executed, that malicious code reads a file named upbeat_anxiety.jpg from the current directory and ensures it has a jpg header. It will also check that the registry key HKCU\Software\Microsoft\CTF exists. An embedded copy of Cobalt Strike is then extracted and executed. That Cobalt Strike sample connects to infinitysoftwares[.]com for command and control.
The second variant (SHA256: 1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c) is similar, except that the file it loads is called festive_computer.jpg. The embedded Cobalt Strike payload connects to ervsystem[.]com for command and control.
Post-compromise attack chain
The post-compromise attack chain for one computer investigated saw the initial Sunburst malware, a modified solarwinds.orion.core.businesslayer.dll, installed through the Orion update process on the victim computer on the 7th of the month.
On the 28th of the month, 21 days later, the legitimate executable solarwinds.businesslayerhost.exe, which loads the malicious DLL, created a copy of Teardrop in a file called cbsys.dll, in the c:\windows\panther folder. This filename and path appear to be unusual since most instances of Teardrop were created in a file called netsetupsvc.dll in the c:\windows\syswow64 folder, as documented by FireEye.
The Backdoor.Teardrop sample is a DLL with malicious code contained in the export Tk_CreateImageType. When executed, that export reads a file named upbeat_anxiety.jpg from the current directory and ensures it has a jpg header. It will also check that the registry key HKCU\Software\Microsoft\CTF exists. An embedded copy of Cobalt Strike is then extracted. That Cobalt Strike sample connects to a C&C server, infinitysoftwares[.]com.
At this point, the attackers launch WMI to execute rundll32.exe to load another malicious DLL called resources.dll in the path csidl_windows\desktoptileresources. Resources.dll attempts to obtain credentials by accessing lsass.exe using similar techniques to Mimikatz, a widely used credential dumping tool...
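The attack chain described above can be turned into a host-level hunt. The following is an added example, not Symantec's code: it checks endpoint telemetry for the two Teardrop hashes and image file names given above, for DLLs written under c:\windows by solarwinds.businesslayerhost.exe, and for rundll32.exe started through WMI afterwards. The event format, host names, timestamps and install path are constructed, and treating wmiprvse.exe as the parent of WMI-launched processes is an assumption about how the telemetry records WMI execution.

```python
"""Hunt for the Teardrop deployment behaviour described above (added example)."""
from collections import defaultdict
from pathlib import PureWindowsPath

# SHA256 values of the two Teardrop variants, copied from the write-up above.
TEARDROP_SHA256 = {
    "b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07",
    "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c",
}
# Image files each variant reads from its current directory, per the write-up.
TEARDROP_LURE_FILES = {"upbeat_anxiety.jpg", "festive_computer.jpg"}
ORION_HOST_PROCESS = "solarwinds.businesslayerhost.exe"
WMI_PROVIDER_HOST = "wmiprvse.exe"  # assumption: parent of WMI-launched processes

# Constructed telemetry; every host, path, time and filler hash is invented.
SAMPLE_EVENTS = [
    {"ts": "2020-01-28T03:10:00Z", "host": "ORION01", "type": "file_create",
     "image": r"D:\Orion\SolarWinds.BusinessLayerHost.exe",
     "target": r"C:\Windows\Panther\cbsys.dll", "sha256": "0" * 64},
    {"ts": "2020-01-28T03:25:00Z", "host": "ORION01", "type": "process_create",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": "2020-01-28T08:00:00Z", "host": "WS07", "type": "file_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\vendor.dll", "sha256": "1" * 64},
    {"ts": "2020-01-28T08:05:00Z", "host": "WS07", "type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"ts": "2020-01-29T09:00:00Z", "host": "WS09", "type": "file_create",
     "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\Public\report.dll",
     "sha256": "1817A5BF9C01035BCF8A975C9F1D94B0CE7F6A200339485D8F93859F8F6D730C"},
    {"ts": "2020-01-29T09:01:00Z", "host": "WS09", "type": "file_create",
     "image": r"C:\Windows\explorer.exe",
     "target": "C:/Users/Public/Festive_Computer.JPG", "sha256": "2" * 64},
]


def base(path):
    """File name of a Windows path, lower-cased (Windows names ignore case)."""
    return PureWindowsPath(path).name.lower()


def under_windows_dir(path):
    """True when the path sits below c:\\windows, whatever its case or slashes."""
    return str(PureWindowsPath(path)).lower().startswith("c:\\windows\\")


def check_event(ev):
    """Return the names of the rules a single event matches."""
    hits = set()
    if ev["type"] == "file_create":
        target = ev["target"]
        if ev.get("sha256", "").lower() in TEARDROP_SHA256:
            hits.add("teardrop_hash")
        if base(target) in TEARDROP_LURE_FILES:
            hits.add("teardrop_lure_file")
        # Behavioural rule: survives a renamed file (cbsys.dll vs netsetupsvc.dll).
        if (base(ev["image"]) == ORION_HOST_PROCESS
                and base(target).endswith(".dll") and under_windows_dir(target)):
            hits.add("orion_dropped_dll")
    elif ev["type"] == "process_create":
        if (base(ev["image"]) == "rundll32.exe"
                and base(ev["parent"]) == WMI_PROVIDER_HOST):
            hits.add("wmi_rundll32")
    return hits


def hunt(events):
    """Map each host to its sorted rule hits, correlating drop then WMI launch."""
    findings = defaultdict(set)
    first_drop = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = check_event(ev)
        host = ev["host"]
        if "orion_dropped_dll" in hits:
            first_drop.setdefault(host, ev["ts"])
        if "wmi_rundll32" in hits and host in first_drop:
            hits.add("drop_then_wmi_rundll32")
        findings[host] |= hits
    return {host: sorted(rules) for host, rules in findings.items() if rules}


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
```

The hash and file-name rules only catch the two variants listed above; the behavioural rules are hunting leads to be reviewed, not verdicts.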
The Department of Energy said that it was hacked by malware injected into its networks after a SolarWinds update, but that its national security functions were not impacted, including for the agency that manages the nation’s nuclear weapons stockpile.
“The Department of Energy is responding to a cyber incident related to the Solar Winds compromise in coordination with our federal and industry partners,” DOE spokeswoman Shaylyn Hynes said in a statement to The Epoch Times.
“The investigation is ongoing and the response to this incident is happening in real time. At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA).
“When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
The NNSA, a semi-autonomous agency within the Energy department, oversees the country’s nuclear weapons stockpile and is responsible for strengthening the nation’s security through military application of nuclear energy and reducing the global threat from terrorism and weapons of mass destruction.
In a joint statement on Wednesday, three federal U.S. agencies confirmed that a recent hacking campaign has affected federal government networks and involved products from technology company SolarWinds. The FBI is now investigating the hack of SolarWinds technology, the statement said.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) called the hacking campaign “significant and ongoing” and have formed a group called the Cyber Unified Coordination Group (UCG) to respond to the hack.
SolarWinds technology is used by all five branches of the U.S. military and numerous government agencies. The SolarWinds Orion platform was compromised. The breach was achieved by inserting malware, or malicious code, into software updates for Orion, a widely used network management tool.
The Commerce Department confirmed to The Epoch Times on Dec. 13 that it had been hacked. The Treasury Department was also reportedly breached.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday that the hacking campaign is larger than previously known and that the alleged foreign actors gained backdoor access in more ways than through the SolarWinds software.
The “SolarWinds Orion supply chain compromise is not the only initial infection vector this advanced persistent threat actor leveraged,” CISA said in a statement on Thursday, noting that it has evidence of additional initial access vectors that are still being investigated. It also said that the hacking campaign started as early as March 2020.
CISA previously issued an emergency directive on Dec. 13 ordering all federal agencies to disconnect SolarWinds Orion products immediately, and check their networks for signs of compromise.
According to the new joint statement on Wednesday, CISA is in regular contact with other government agencies, private entities, and international partners, and is providing technical assistance when asked and making information and resources available to help those affected recover quickly from the hack.
SolarWinds said on Dec. 14 in a filing to the Securities and Exchange Commission that it believes up to 18,000 customers had installed the compromised software update.
SolarWinds serves over 300,000 customers around the world. A partial customer listing that was taken offline showed that its customers include all five branches of the U.S. military, more than 425 of the U.S. Fortune 500, as well as the Office of the President of the United States.
The same list includes Dominion Voting Systems, a company that provides its voting equipment and software to 28 states and has become a focus of election fraud allegations across the United States. Dominion’s CEO John Poulos told state lawmakers in Michigan on Dec. 15 that the company has never used the SolarWinds Orion products.
But a screenshot of a Dominion webpage that The Epoch Times captured shows that Dominion does use SolarWinds technology. Dominion later altered the page to remove any reference to SolarWinds, but the SolarWinds website is still in the page’s source code.
A security researcher said that SolarWinds was warned in 2019 that its software update server could be accessed using a simple password.
Zachary Stieber and Jack Phillips contributed to this report.
Summary
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.
On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. Note: this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED-21-01) and does not represent formal guidance to federal agencies under ED 21-01.
CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).
Key Takeaways
- This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
- The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
- Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
Technical Details
Overview
CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.
Initial Infection Vectors [TA0001] CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).[1] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.
SolarWinds Orion Supply Chain Compromise SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.
The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.
Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.
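The triage rule described above for avsvmcloud[.]com traffic can be run over resolver logs. This is an added example, not part of the CISA alert: the five-field log format, the host names, the subdomain labels and the CNAME target are constructed assumptions; only the beacon domain and the 20.140.0[.]1 address come from the alert.

```python
"""Triage resolver logs for hosts that queried the SUNBURST beacon domain."""
from collections import defaultdict

BEACON_DOMAIN = "avsvmcloud.com"   # from the alert (defanged there)
SINKHOLE_IP = "20.140.0.1"         # from the alert: resolution as of December 15, 2020

# Constructed sample log: timestamp, client, query name, record type, answer.
# Host names, subdomain labels and the CNAME target are placeholders.
SAMPLE_LOG = """\
2020-06-02T10:00:01Z orion-a constructed-id-1.sub.avsvmcloud.com A 203.0.113.10
2020-06-02T10:00:05Z ws-17 www.example.org A 198.51.100.7
2020-06-14T03:12:44Z orion-b constructed-id-2.sub.avsvmcloud.com A 203.0.113.11
2020-06-14T03:40:09Z orion-b Constructed-ID-2.sub.AVSVMCLOUD.com. CNAME c2.constructed-example.net.
2020-12-16T08:00:00Z orion-c constructed-id-3.sub.avsvmcloud.com A 20.140.0.1
truncated line
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_under(name, domain):
    """True only for the domain itself or a real subdomain of it."""
    name = normalize(name)
    return name == domain or name.endswith("." + domain)


def parse_line(line):
    """Return a record dict, or None for lines that do not have five fields."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rtype, answer = parts
    return {"ts": ts, "client": client, "qname": normalize(qname),
            "rtype": rtype.upper(), "answer": normalize(answer)}


def triage(log_text):
    """Classify each client that queried the beacon domain.

    beacon-only     : A/AAAA answers only; per the alert this alone does not
                      show that the backdoor was used for follow-on activity.
    cname-follow-on : at least one CNAME answer; the alert treats this as a
                      sign of possible additional adversary action.
    sinkholed-only  : every answer was the post-takeover sinkhole address.
    """
    hosts = defaultdict(lambda: {"queries": 0, "sinkholed": 0, "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_under(rec["qname"], BEACON_DOMAIN):
            continue
        host = hosts[rec["client"]]
        host["queries"] += 1
        if rec["rtype"] == "CNAME":
            host["targets"].add(rec["answer"])
        elif rec["answer"] == SINKHOLE_IP:
            host["sinkholed"] += 1

    report = {}
    for client, host in hosts.items():
        if host["targets"]:
            verdict = "cname-follow-on"
        elif host["sinkholed"] == host["queries"]:
            verdict = "sinkholed-only"
        else:
            verdict = "beacon-only"
        report[client] = {"verdict": verdict,
                          "queries": host["queries"],
                          "cname_targets": sorted(host["targets"])}
    return report


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info["verdict"], info["cname_targets"])
```

Hosts reported as cname-follow-on are the ones whose later outbound connections, starting with the listed CNAME targets, need review first.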
SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.
Anti-Forensic Techniques
The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.
FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications.[3] This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.
According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.
While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.
Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and willing to expend significant resources to maintain covert presence.
Privilege Escalation and Persistence [TA0004, TA0003]
The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.[4]
Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.[5]
User Impersonation
The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).
CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.
These are some key functions and systems that commonly use SAML.
- Hosted email services
- Hosted business intelligence applications
- Travel systems
- Timecard systems
- File storage services (such as SharePoint)
Detection: Impossible Logins
The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.
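One way to implement the impossible travel check, including the VPN false-positive caveat, is sketched below. This is an added example, not part of the CISA alert: it assumes login events already enriched with GeoIP coordinates, and the users, IP addresses, coordinates, speed and distance thresholds, and VPN egress list are all constructed.

```python
"""Flag consecutive logins that imply faster-than-possible travel."""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0     # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0   # assumption: ignore GeoIP jitter inside one metro area

# Constructed sample: (user, UTC time, source IP, latitude, longitude).
SAMPLE_LOGINS = [
    ("alice", "2020-12-01T09:00:00Z", "198.51.100.10", 38.90, -77.04),   # Washington, DC
    ("alice", "2020-12-01T09:45:00Z", "203.0.113.50", 51.51, -0.13),     # London
    ("bob",   "2020-12-01T08:00:00Z", "198.51.100.20", 40.71, -74.01),   # New York
    ("bob",   "2020-12-01T17:30:00Z", "203.0.113.60", 34.05, -118.24),   # Los Angeles
    ("carol", "2020-12-01T10:00:00Z", "198.51.100.30", 41.88, -87.63),   # Chicago
    ("carol", "2020-12-01T10:05:00Z", "192.0.2.99", 47.61, -122.33),     # VPN egress, Seattle
]
KNOWN_VPN_EGRESS = {"192.0.2.99"}  # constructed: the organization's own VPN exit


def parse_utc(ts):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(logins, vpn_egress=frozenset(),
                           max_speed_kmh=MAX_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Return one alert per pair of consecutive logins a person could not make.

    Logins from known VPN egress addresses are dropped before pairing, because
    their location is the VPN exit, not the user (the false-positive case the
    alert warns about).
    """
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in logins:
        if ip in vpn_egress:
            continue
        by_user[user].append((parse_utc(ts), ip, lat, lon))

    alerts = []
    for user in sorted(by_user):
        events = sorted(by_user[user])
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Simultaneous logins from distant places are impossible at any speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                               "distance_km": round(dist, 1),
                               "speed_kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS, KNOWN_VPN_EGRESS):
        print(alert)
```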
Detection: Impossible Tokens
The following conditions may indicate adversary activity.
- Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual.
- The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance.
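Both token conditions can be checked mechanically once assertions and their use times are collected. This is an added example, not part of the CISA alert: the assertions are constructed and unsigned, the use time is assumed to come from the relying service's own log, and the 1-hour baseline should be replaced with the lifetime your identity provider is configured to issue.

```python
"""Check SAML assertions for the two 'impossible token' conditions."""
import xml.etree.ElementTree as ET  # for untrusted XML, prefer the defusedxml package
from datetime import datetime, timedelta, timezone

SAML_URN = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML_URN}
MAX_VALIDITY = timedelta(hours=1)  # baseline from the alert; tune to your IdP


def parse_ts(value):
    """Parse an xs:dateTime in UTC ('...Z'), with or without fractional seconds."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1]
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: %r" % value)


def check_assertion(xml_text, used_at, max_validity=MAX_VALIDITY):
    """Return the assertion ID and a list of findings.

    used_at is the time the relying service logged the token being presented
    (an assumption of this example). Compare at the log's full resolution:
    second-granularity logs make normal use look simultaneous with issuance.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Assertion" % SAML_URN:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 assertion found")

    findings = []
    issued = parse_ts(assertion.get("IssueInstant"))
    cond = assertion.find("saml:Conditions", SAML_NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before is None or not_after is None:
        # Both attributes are optional in SAML, so the window may be absent.
        findings.append("no-validity-window")
    elif parse_ts(not_after) - parse_ts(not_before) > max_validity:
        findings.append("long-validity")
    if parse_ts(used_at) == issued:
        findings.append("used-at-issue-instant")
    return {"id": assertion.get("ID"), "findings": findings}


def make_assertion(assertion_id, issued, not_before, not_on_or_after):
    """Build a minimal, unsigned assertion for the constructed samples."""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s">'
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
        '</saml:Assertion>'
    ) % (SAML_URN, assertion_id, issued, not_before, not_on_or_after)


# Constructed samples: (assertion XML, time the service saw it used).
SAMPLES = [
    (make_assertion("_constructed-normal", "2020-12-01T09:00:00.000Z",
                    "2020-12-01T09:00:00.000Z", "2020-12-01T10:00:00.000Z"),
     "2020-12-01T09:00:04.512Z"),
    (make_assertion("_constructed-long", "2020-12-01T09:00:00.000Z",
                    "2020-12-01T09:00:00.000Z", "2020-12-02T09:00:00.000Z"),
     "2020-12-01T09:00:03.100Z"),
    (make_assertion("_constructed-instant", "2020-12-01T11:30:15.250Z",
                    "2020-12-01T11:30:15.250Z", "2020-12-01T12:30:15.250Z"),
     "2020-12-01T11:30:15.250Z"),
]


def scan_samples():
    """Map each sample assertion ID to its findings."""
    results = {}
    for xml_text, used_at in SAMPLES:
        result = check_assertion(xml_text, used_at)
        results[result["id"]] = result["findings"]
    return results


if __name__ == "__main__":
    for assertion_id, findings in scan_samples().items():
        print(assertion_id, findings or "ok")
```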
The U.S. government officials trying to test the country’s ability to respond to a major cyberattack thought they had pulled out all the stops. Engineers had planned to simulate the kind of security incident that would cause an electrical blackout, after all, and had even planned to hold the event on an isolated island off the coast of New York.
Even with all that preparation, a once-in-a-century pandemic still wasn’t in the script.
Until this year, National Guard personnel, Pentagon contractors and engineers at big U.S. utilities would typically gather in person to run through exercises involving dire scenarios, from a weeks-long power outage to a mock attack on utility computers that appeared to delete data.
In October, though, COVID-19 forced planners from the departments of Defense and Energy to figure out how to run the event virtually, with participants plugged in from around the country. And they used the pandemic as another opportunity to prepare for the unpredictable.
The goal of the recurring effort, which is backed by a $118-million Pentagon program, is to try to anticipate how state-sponsored hacking groups could sabotage key utilities. The exercise provides important defensive insights for some of America’s largest electricity providers, and comes as an increasing number of hacking groups have taken an interest in the industrial control systems that those utilities use to deliver power.
This year’s unusual setup ended up being “useful for modeling how people would respond remotely to a widespread cyberattack,” said Walter Weiss, a cerebral program manager at the Pentagon’s R&D arm — the Defense Advanced Research Projects Agency — who helped plan the exercise. “That just added additional realism.”
Organizers allowed utility engineers and researchers to participate, despite the coronavirus, by accessing software tools used to defend against the simulated attacks. While most participants joined remotely, a diehard crew made the trek to the austere, windswept spit of land called Plum Island, off Long Island, that has hosted past exercises.
The exercise in October tasked mock electric utilities, staffed by real utility workers, with restoring power after a debilitating set of simulated cyberattacks. Participants had to use a generator to gradually restart a power system, substation by substation, and test DARPA-funded forensic tools in the process.
Weiss pointed to a 2019 threat assessment from U.S. intelligence agencies that said that China and Russia had the ability to use cyberattacks to, respectively, temporarily disrupt natural gas pipelines and electric distribution networks.
The exercise planners drew on real-world incidents, too. The 2015 suspected Russian cyberattack on Ukrainian electric infrastructure, which cut power for some 225,000 people, blinded utility operators to what was going on in power distribution networks. Plum Island combatants were trying to avoid a similar type of loss of visibility.
“That’s a great wake-up call and resonates with utilities we’re trying to work with,” Weiss said.
An eerie setting
The latest exercise was the seventh, and final, drill on Plum Island under a DARPA program called Rapid Attack Detection, Isolation and Characterization Systems (RADICS).
The number of electric utility employees and government contractors allowed on the island this year was kept under 30. Participants were regularly tested for the coronavirus before and after they stepped off the ferry and onto the island, which has a spooky effect on visitors that’s hard to overstate. (Plum Island has also been the government’s home for studying animal-borne diseases.)
“We had our own dedicated ferry schedule and didn’t interact with anyone other than the RADICS team, so it felt a bit more isolated,” said Tim Yardley, a senior researcher at the University of Illinois, who spent six weeks on Plum Island setting up infrastructure for the exercise. “The eerie part for me was the drive across the country [during a pandemic].”
Engineers installed high-speed fiber optic links on the island to allow people to take part digitally. They also helped configure a virtual private network so that members could log into the exercise from their laptops.
Yardley said participants were initially concerned that the remote environment would sap the exercise of its hands-on value. But the takeaway instead, he said, was that “you could actually do an incident response and make this work.”
“The tools were successful in that way,” said Yardley, a veteran of multiple Plum Island drills. “They automated many of the things that would take a person a lot longer to do in person.”
“Was it ideal? No,” he continued. “But technology could serve to aid in this way. I think it was eye-opening for many of the participants.”
Weiss and Yardley said the exercise participants were able to use the DARPA tools to help stabilize the grid on Plum Island, and eventually restore power.
Spotting the lie
The RADICS program funds technology including data-ingesting software that sorts normal from suspicious activity on a power network, and a system for conducting emergency communications between a substation and a control center.
Particularly handy during the latest Plum Island exercise was a dashboard that allowed users to accurately monitor network activity “even if your own systems are lying to you,” as Weiss put it. That means if a control panel is telling a utility operator that a substation is running normally, when it really isn’t, the dashboard would have been able to spot the lie.
Substation equipment is pictured on Plum Island, New York. Exercise participants had to restore power in the face of simulated cyberattacks. (Photo courtesy of DARPA)
The 2015 attack on Ukrainian power companies remains a stark example of what might go wrong when detection fails. No cyberattack anywhere near that magnitude has happened on U.S. electric infrastructure, but utility operators still prepare to defend against such threats.
“Two things a cyberattack can do to the grid are make it not tell you the truth, or make it not work how you expect it to work,” Weiss said. “So in general, the whole scenario is about finding what parts of the grid are doing that to you.”
With the Plum Island project coming to a close, DARPA has handed off the software tools to the Department of Energy, which works closely with utilities, to introduce more of that technology out into the field, Weiss said. Some of that is already happening. New Jersey-based company Perspecta Labs, for example, is looking to market its malware-hunting system to utilities.
Valuable data in the vault
Six weeks after the Plum Island experiment in October, the U.S. government held another elaborate cybersecurity drill for the power sector.
The “tabletop exercise” hosted by the Department of Energy on Dec. 9 included executives from some of the biggest power companies in the U.S. Officials from multiple national security agencies were also on hand, according to exercise planners.
Like Plum Island, the exercise envisioned aggressive cyberattacks on the electric sector by a foreign adversary. Participants had to talk through how they would respond to the incident, trade intelligence and revert to backup power solutions. It’s part of a long-running DOE exercise series known as Liberty Eclipse, which has historically included the Plum Island program.
“Shaping these conversations under blue-sky conditions can help mitigate redundancy, bureaucracy, and frustration down the road,” said Brian Harrell, a former senior Department of Homeland Security official who is now chief security officer at renewable power company Avangrid, and who participated in the Liberty Eclipse tabletop exercise.
The Department of Energy did not respond to interview requests for this article, though the department said in a statement that the goal of Liberty Eclipse was “to validate tools that enhance information sharing capabilities and identify threats to the energy sector.”
Grid-focused cybersecurity officials in the government will be studying lessons learned from both sets of exercises for some time. It’s an example of the institutional knowledge on the resiliency of the grid that the Biden administration will inherit, and need to use, as foreign adversaries continue to probe such infrastructure.
For his part, Yardley is now preparing to send several hard drives of exercise data to U.S. government officials, including network traffic from the simulated attacks. He said he hopes the government will eventually make the data public so that researchers and the broader power industry can study it.
That kind of data is valuable, Yardley said, because “obviously, you can’t go download off the internet data of a utility being attacked by what looks like a nation-state.”
The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack.
A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the espionage campaign likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process.
"The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said.
Cybersecurity firm FireEye earlier this week detailed how multiple SolarWinds Orion software updates, released between March and June 2020, were injected with backdoor code ("SolarWinds.Orion.Core.BusinessLayer.dll" or SUNBURST) to conduct surveillance and execute arbitrary commands on target systems.
FireEye has not so far publicly attributed the attack to any specific nation-state actor, but multiple media reports have pinned the intrusion campaign on APT29 (aka Cozy Bear), a hacker group associated with Russia's foreign intelligence service.
Sneaky Injection of Malicious Code
Although the first version containing the tainted Orion software was traced to 2019.4.5200.9083, ReversingLabs has found that an earlier version 2019.4.5200.8890, released in October 2019, also included seemingly harmless modifications that acted as the stepping stone for delivering the real attack payload down the line.
Empty .NET class prior to backdoor code addition [ver. 2019.4.5200.8890]
The idea, according to Pericin, was to compromise the build system, quietly inject their own code in the source code of the software, wait for the company to compile, sign packages and at last, verify if their modifications show up in the newly released updates as expected.
Once confirmed, the adversary then took steps to blend the SUNBURST malware with the rest of the codebase by mimicking existing functions (GetOrCreateUserID) but adding their own implementations so as to remain stealthy and invoking them by modifying a separate class called "InventoryManager" to create a new thread that runs the backdoor.
What's more, malicious strings were obscured using a combination of compression and Base64 encoding in hopes that doing so would thwart YARA rules from spotting anomalies in the code as well as slip through undetected during a software developer review.
"The attackers went through a lot of trouble to ensure that their code looks like it belongs within the code base," Pericin said. "That was certainly done to hide the code from the audit by the software developers."
How did the Compromise Happen?
This implies that not only did the attackers have a high degree of familiarity with the software, but also the fact that its existing software release management system itself was compromised — as the class in question was modified at the source code level to build a new software update containing the backdoored library, then signed, and ultimately released to the customers.
This also raises more questions than it answers in that a change of this magnitude could only have been possible if either the version control system was compromised or the trojanized software was placed directly on the build machine.
While it's not immediately clear how the attackers got access to the code base, security researcher Vinoth Kumar's disclosure about SolarWinds' update server being accessible with the password "solarwinds123" assumes new significance given the overlap in timelines.
Kumar, in a tweet on December 14, said he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company's download website in plaintext, adding a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.
"That Github repo was open to the public since June 17 2018," Kumar said, before the misconfiguration was addressed on November 22, 2019.
"SUNBURST illustrates the next generation of compromises that thrive on access, sophistication and patience," Pericin concluded. "For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, malicious or unwanted additions must be part of the risk management process."
"Hiding in plain sight behind a globally known software brand or a trusted business-critical process, gives this method access that a phishing campaign could only dream to achieve," he added.
Over 4,000 Sub-domains Compromised by SUNBURST
SolarWinds said up to 18,000 of its customers may have been impacted by the supply chain attack while urging Orion platform users to update the software to version 2020.2.1 HF 2 as soon as possible to secure their environments.
According to security researcher R. Bansal (@0xrb), over 4,000 sub-domains belonging to prominent businesses and educational institutions were infected with the SUNBURST backdoor, including those of Intel, NVIDIA, Kent State University, and Iowa State University.
To make matters worse, malicious code added to an Orion software update may have gone unnoticed by antivirus software and other security tools on targeted systems owing to SolarWinds' own support advisory, which states its products may not work properly unless their file directories are exempted from antivirus scans and group policy object (GPO) restrictions.
"Prolific actors are constantly going after high-revenue customers like SolarWinds because they see an increased chance of making larger profits by selling access to ransomware partners and other buyers," cybersecurity firm Intel 471 said, responding to the possibility that criminals were selling access to the company's networks on underground forums.
"Whether it's by exploiting vulnerabilities, launching spam campaigns or leveraging credential abuse, access is typically advertised and auctioned to the highest bidder for a profit. Whether this was the motivation for the current SolarWinds incident remains to be seen."
The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far wider in scope, sophistication, and impact than previously thought.
News of Microsoft's compromise was first reported by Reuters, which also said the company's own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter.
The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers.
In a statement to The Hacker News via email, the company said —
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
Characterizing the hack as "a moment of reckoning," Microsoft president Brad Smith said it has notified over 40 customers located in Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US that were singled out by the attackers. 44% of the victims are in the information technology sector, including software firms, IT services, and equipment providers.
CISA Issues New Advisory
The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) published a fresh advisory, stating the "APT actor [behind the compromises] has demonstrated patience, operational security, and complex tradecraft in these intrusions."
"This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations," it added.
But in a twist, the agency also said it identified additional initial infection vectors, other than the SolarWinds Orion platform, that have been leveraged by the adversary to mount the attacks, including a previously stolen key to circumvent Duo's multi-factor authentication (MFA) to access the mailbox of a user via Outlook Web App (OWA) service.
Digital forensics firm Volexity, which tracks the actor under the moniker Dark Halo, said the MFA bypass was one of the three incidents between late 2019 and 2020 aimed at a US-based think tank.
The entire intrusion campaign came to light earlier this week when FireEye disclosed it had detected a breach that also pilfered its Red Team penetration testing tools.
Since then, a number of agencies have been found to be attacked, including the US departments of Treasury, Commerce, Homeland Security, and Energy, the National Nuclear Security Administration (NNSA), and several state department networks.
While many details continue to remain unclear, the revelation about new modes of attack raises more questions about the level of access the attackers were able to gain across government and corporate systems worldwide.
Microsoft, FireEye, and GoDaddy Create a Killswitch
Over the last few days, Microsoft, FireEye, and GoDaddy seized control over one of the main GoDaddy domains — avsvmcloud[.]com — that was used by the hackers to communicate with the compromised systems, reconfiguring it to create a killswitch that would prevent the SUNBURST malware from continuing to operate on victims' networks.
For its part, SolarWinds has not yet disclosed how exactly the attacker managed to gain extensive access to its systems to be able to insert malware into the company's legitimate software updates.
Recent evidence, however, points to a compromise of its build and software release system. An estimated 18,000 Orion customers are said to have downloaded the updates containing the back door.
Symantec, which earlier uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, has now confirmed the deployment of a separate second-stage payload called Teardrop that's used to install the Cobalt Strike Beacon against select targets of interest.
A California judge on Thursday snubbed Governor Newsom’s authoritarian Covid order and said San Diego restaurants can resume indoor dining.
The case was originally brought to the court by two San Diego strip club owners.
Newsom recently put most of California in the most restrictive “purple tier” lockdown and closed virtually all indoor businesses. Only big box retailers that sell stuff made in China are allowed to stay open while small businesses are forced to close down.
Cheetahs Gentlemen’s Club and Pacers Showgirls International led the way and previously sued the county and state.
San Diego Superior Court Judge Joel Wohlfeil last month said strip clubs are exempt from Newsom’s Covid order and during a hearing on Thursday clarified his previous injunction also included all restaurants.
Thursday’s ruling will likely pave the way for other legal wins against Democrat tyrant Gavin Newsom.
ABC News reported:
San Diego Superior Court Judge Joel Wohlfeil told county officials who requested the hearing Thursday to get clarification that his order was “straightforward” and goes beyond the two strip clubs, Cheetahs Gentlemen’s Club and Pacers Showgirls International. The clubs had sued the county and state.
“It is intended to encompass all restaurants within the county of San Diego,” he said in a brief hearing that lasted all but eight minutes.
County and state officials did not provide immediate comment after the hearing.
Hours after the injunction was issued Wednesday, San Diego County had suspended enforcement of its restrictions barring indoor and outdoor dining and live entertainment in the county of 3 million, the state’s second-most populous.
Wohlfeil said in his ruling that “San Diego County businesses with restaurant services,” including the strip clubs, are exempt from shutdowns and “any related orders” that bar live adult entertainment and go beyond protocols “that are no greater than essential” to controlling the spread of COVID-19.
The judge noted that before being ordered to close in October, the two strip clubs operated for five weeks under their own safety measures — including keeping strippers 15 feet (4.6 meters) from tables, allowing no more than one stripper per stage and requiring them and other employees to wear masks.
Article: https://www.cnn.com/2021/01/08/politics/capitol-hill-republicans-impeachment-removal-trump/index.html
Washington (CNN) A growing number of Republicans want President Donald Trump to leave office before January 20, with some top lawmakers telling CNN they are considering supporting his impeachment.
Two Republican members of Congress who are former Trump allies told CNN they would support impeachment against the President over his role in Wednesday's deadly attack on the US Capitol if the articles are reasonable. One member said, "I think you will have GOP members vote for impeachment." While the window is narrowing for an impeachment vote and trial before Trump's term ends, one of the GOP lawmakers said the proceedings could be done quickly.
"We experienced the attack," the member said. "We don't need long hearings on what happened." House Democrats are currently planning to introduce articles of impeachment against Trump as soon as Monday, according to multiple sources familiar with the matter. That could set up a vote in the House sometime next week. Speaker of the House Nancy Pelosi has not explicitly said when this will go to the floor. In a Friday meeting with members, the California Democrat made clear that there is more backing within the House Democratic caucus for impeaching Trump now than there was in 2019.
By impeaching and removing Trump, even at this late stage of his term, the Senate could subsequently vote to disqualify him from ever holding federal office again.
Multiple Republican lawmakers on the Hill have told CNN they are done with Trump and hope he will leave office before the end of his term, either by his resignation, his removal via the 25th Amendment or by conviction in an impeachment trial. On Friday, Sen. Lisa Murkowski of Alaska became the first Republican in Congress to call on Trump to resign, telling the Anchorage Daily News, "I want him to resign. I want him out. He has caused enough damage."
Rep. Adam Kinzinger, a Republican from Illinois, has endorsed invoking the 25th Amendment. One Republican senator, Ben Sasse of Nebraska, said in radio interviews Friday that he would consider impeachment, though he questioned whether that was a prudent course of action. Even Trump's former chief of staff retired Gen. John Kelly told CNN's Jake Tapper on Thursday that he would vote to remove Trump under the 25th Amendment if he were still in the Cabinet.
All of this demonstrates how much the dynamic has changed for many Republicans since Trump incited his supporters to storm the Capitol on Wednesday. No Republican House members voted to impeach Trump in December 2019, and just one GOP senator, Mitt Romney of Utah, voted to convict him a month later.
After years of accommodating or embracing Trump, Republicans are angry at the President for encouraging the riot, which placed them in personal physical danger.
"He sent the mob to the Capitol, where we were engaged in carrying out our constitutional duties to count electoral votes and declare he lost the election," said one Republican lawmaker.
From the Democrats' point of view, impeachment would force Republicans to go on the record and vote on Trump's actions. If successful, it would make Trump the first President in history to be impeached twice. Democratic leaders also believe it would clear the deck for Joe Biden to pursue his agenda without having to worry about dealing with calls from angry Democrats hungry for retribution against Trump.
President-elect Biden has no appetite for opening an impeachment proceeding against Trump, people familiar with the matter told CNN. "What the Congress decides to do is for them to decide," Biden said on Friday. Multiple Republican sources have told CNN they are trying to keep pressure on Trump to restrain himself in his final days in office. Along with the talk of invoking the 25th Amendment and the litany of resignations from his administration, impeachment provides a useful pressure point. Furthermore, it would give House Republicans who want to put distance between themselves and Trump the opportunity to do so -- and give Republicans who feel the need to show solidarity with Trump the same.
But other Republicans say impeachment is not realistic given the short timeline before Biden's term begins. Sen. Roy Blunt of Missouri, a member of GOP leadership, told 41 Action News in his home state that another Trump impeachment is "not going to happen." "There is no way we're going to impeach the President. There's not the time to do it," Blunt said.