Obama vs. China President Xi, Hacking

A new unit of the People’s Liberation Army was identified last week by cyber security researchers as Unit 78020 based in Kunming, in Yunnan Province.
The unit’s operations have been tracked for five years and have included targeted attacks on states in the region that are challenging Beijing’s strategic program of seeking to control the sea through building up small islands and reefs and then deploying military forces on them.
“Unit 78020 conducts cyber espionage against Southeast Asian military, diplomatic, and economic targets,” according to a security report on the unit that included a satellite photo of the unit’s Kunming compound.
“The targets include government entities in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam as well as international bodies such as United Nations Development Program (UNDP) and the Association of Southeast Asian Nations (ASEAN).” More details here.

Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up?Ge Xing is the subject of a joint report published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers respectively. Ge is alleged to be a member of the People’s Liberation Army unit 78020, a state-sponsored hacking team whose mission is to collect intelligence from political and military sources to advance China’s interests in the South China Sea, a key strategic and economic region in Asia with plenty of ties to the U.S.

The report connects PLA 78020 to the Naikon advanced persistent threat group, a state-sponsored outfit that has followed the APT playbook to the letter to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets in a number of Asian countries, as well as the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).

Control over the South China Sea is a focal point for China; through this region flows trillions of dollars of commerce and China has not been shy about claiming its share of the territory. The report states that China uses its offensive hacking capabilities to gather intelligence on adversaries’ military and diplomatic intentions in the regions, and has leveraged the information to strengthen its position.“The South China Sea is seen as a key geopolitical area for China,” said Dan Alderman, deputy director of DGI. “With Naikon, we see their activity as a big element of a larger emphasis on the region and the Technical Reconnaissance Bureau fitting into a multisector effort to influence that region.”The report is just the latest chess piece hovering over Jinping’s U.S. visit this week, which began in earnest yesterday with a visit to Seattle and meetings with giant technology firms such as Microsoft, Apple and Google, among others.

Those companies want to tap into the growing Chinese technology market and the government there is using its leverage to get them to support stringent Internet controls imposed by the Chinese government. A letter sent to American technology companies this summer, a New York Times report last week, said that China would ask American firms to store Chinese user data in China. China also reportedly asked U.S.-built software and devices sold in China to be “secure and controllable,” which likely means the Chinese would want backdoor access to these products, or access to private encryption keys.Jinping, meanwhile, tried to distance himself from the fray when he said in a Wall Street Journal interview: “Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions.”Journal reporter Josh Chin connected with Ge Xing over the phone and Ge confirmed a number of the dots connected in the report before hanging up on the reporter and threatening to report him to the police.

While that never happened, the infrastructure connected to Ge and this slice of the Naikon APT group, was quickly shut down and taken offline. In May, researchers at Kaspersky Lab published a report on Naikon and documented five years of activity attributed to the APT group. It describes a high volume of geo-politically motivated attacks with a high rate of success infiltrating influential organizations in the region. The group uses advanced hacking tools, most of which were developed externally and include a full-featured backdoor and exploit builder.Like most APT groups, they craft tailored spear phishing messages to infiltrate organizations, in this case a Word or Office document carrying an exploit for CVE-2012-0158, a favorite target for APT groups. The vulnerability is a buffer overflow in the ActiveX controls of a Windows library, MSCOMCTL.OCX. The exploit installs a remote administration tool, or RAT, on the compromised machine that opens a backdoor through which stolen data is moved out and additional malware and instructions can be moved in.Chin’s article describes a similar attack initiated by Ge, who is portrayed not only as a soldier, but as an academic.

The researchers determined through a variety of avenues that Ge is an active member of the military, having published research as a member of the military, in addition to numerous postings to social media as an officer and via his access to secure locations believed to be headquarters to the PLA unit’s technical reconnaissance bureau.“Doing this kind of biopsy, if you will, of this threat through direct analysis of the technical and non-technical evidence allows us to paint a picture of the rest of this group’s activity,” said Rich Barger, CIO and cofounder of ThreatConnect. “We’ve had hundreds of hashes, hundreds of domains, and thousands of IPs [related to PLA unit 78020].

Only looking at this from a technical lens only gives you so much. When you bring in a regional, cultural and even language aspect to it, you can derive more context that gets folded over and over into the technical findings and continues to refine additional meaning that we can apply to the broader group itself.”The report also highlights a number of operational security mistakes Ge made to inadvertently give himself away, such as using the same handle within the group’s infrastructure, even embedding certain names in families of malware attributed to them. All of this combined with similar mistakes made across the command and control infrastructure and evidence pulled from posts on social media proved to be enough to tie Ge to the Naikon group and elite PLA unit that is making gains in the region.“If you look at where China is and how assertive they are in region, it might be a reflection of some of the gains and wins this group has made,” Barger said. “You don’t influence what they’re influencing in the region if you don’t have the intel support capabilities fueling that operational machine.”


Hotel Chains Credit Cards Hacked

Not the first case for hotel chains not protecting guest records.

FromHotelManagement: A U.S. appeals court said the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information.

The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward. The FTC wants to hold Wyndham accountable for three breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from more than 619,000 consumers, leading to over $10.6 million in fraudulent charges.

The FTC originally sued Wyndham in 2012 over the lack of security that led to its massive hack. But before the case proceeded, Wyndham appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. The third circuit court’s new decision spells out that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop, reports Wired.

BusinessInsider: In August, Visa alerted numerous financial institutions of a breach. Five different banks determined the commonality between the cards included in that alert was that they were used at Hilton properties — including Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts, Krebs reports.

Hilton Hotels investigates customer credit card security hack

FNC: Hilton Hotels announced that it is looking into a possible security breach that occurred at gift shops, restaurants, bars, and other stores located on Hilton owned properties across the U.S.

According to cyber-security expert Brian Krebs, Visa sent confidential alerts to several financial institutions warning of a security breach at various retail locations earlier this year from April 21 to July 27. While the alerts named individual card numbers that had allegedly been compromised, per Visa’s policy, the notifications did not name the breached retail location. But sources at five different banks have now determined that the hacks all had one thing in common–they occurred at Hilton property point-of-sale registers.

Currently, the breach does not appear to have comprised the guest reservation systems at the associated properties. The company released the following statement regarding the incident:

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously, and we are looking into this matter.”

The breach includes other Hilton brand name properties including Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts. The hotel group is advising customers who may have made purchases at Hilton properties during the time indicated to carefully scan bank records for any unusual activity and contact their bank immediately.

According to USA Today, evidence from the investigation indicates that the hack may have affected credit card transactions as far back as Nov. 2014 and security breaches could possibly be ongoing.

OPM Hack, Lies Came First, Truth Creeps out Slowly

We are conditioned to hearing the lies first from the administration stemming from an event affecting the homeland security and the citizens within. It takes months, sometimes years for the truth to be known, and it must be said, suspicions still remain. Stinks huh?

Such is the case with the Office of Personnel Management hack that took place several months ago. The numbers and depth of the hack are getting published that are closer to the truth….. the truth has no agenda but achieving the whole truth takes enduring tenacity.

Unconfirmed chatter but apparently during the diplomatic and business visit by China President Xi, Barack Obama will not address the hacking except perhaps is a side meeting with lower level staffers. The mission by the White House is to defer to the corporations such as Boeing and Microsoft to target the matter of hacking with China.

OPM Now Admits 5.6 Million Fed’s Fingerprints were Stolen by Hackers

Wired: by Andy Greenberg > When hackers steal your password, you change it. When hackers steal your fingerprints, they’ve got an unchangeable credential that lets them spoof your identity for life. When they steal 5.6 million of those irrevocable biometric identifiers from U.S. federal employees—many with secret clearances—well, that’s very bad.

On Wednesday, the Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers revealed over the summer has grown from 1.1 million to 5.6 million. OPM, which serves as a sort of human resources department for the federal government, didn’t respond to WIRED’s request for comment on who exactly those fingerprints belong to within the federal government. But OPM had previously confirmed that the data of 21.5 million federal employees was potentially compromised by the hack—which likely originated in China—and that those victims included intelligence and military employees with security clearances.

The revelation comes at a particularly ironic time: During the U.S. visit of Chinese president Xi Jinping, who said at a public appearance in Seattle that the Chinese government doesn’t condone hacking of U.S. targets, and pledged to partner with the U.S. to curb cybercrime.

“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness,” reads OPM’s statement posted to its website. “During that process, OPM and [the Department of Defense] identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”

OPM adds that it’s mailing letters to all affected victims, and notes that it’s also offering them free credit monitoring. But that identity theft protection, which cost $133 million in likely misspent tax dollars, doesn’t begin to address the national security implications of having the fingerprints of high-level federal officials in the hands of hackers who are potentially employed by a foreign government.

OPM downplayed the significance of that biometric breach in its statement, adding that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” When WIRED asked about those limitations, however, an OPM spokesperson wrote only that “law enforcement and intelligence communities are best positioned to give the most fulsome answer.”

The agency’s statement does admit that hackers’ ability to exploit the stolen fingerprints “could change over time as technology evolves,” perhaps as more biometric authentication features are built into federal government security systems. And it says it’s assembled an interagency working group that includes officials from the Pentagon, FBI, DHS, and intelligence agencies to review the problem. “This group will also seek to develop potential ways to prevent such misuse,” the statement reads. “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”

The increased number of stolen fingerprints represents only the latest in a series of calamitous revelations from OPM about the hacker intrusion that led to the resignation of the agency’s director Katherine Archuleta in July. Aside from the 21.5 million social security numbers taken by attackers and the newly confessed 5.6 million fingerprints, the agency has also confirmed that hackers gained access to many victims’ SF-86 forms, security clearance questionnaires that include highly personal information such as previous drug use or extramarital affairs that could be used for blackmail.

“The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security,” Senator Ben Sasse wrote today in an email.

For the hackers who cracked OPM’s vault of highly private information, it’s the gift to foreign intelligence that keeps on giving.


Hey Vegas, Seen this Clintonista at a Casino Lately?


Charlie Trie’s and Ng Lap Seng’s Laundered Contributions to the DNC Introduction
Former Little Rock, Arkansas, restaurateur Yah Lin “Charlie” Trie and Macau-based businessman Ng Lap Seng collaborated in a scheme to contribute hundreds of thousands of dollars in foreign funds to the DNC. Ng wired over one million dollars from accounts he maintains in Macau and Hong Kong to accounts maintained by or accessible to Trie in Little Rock and Washington, D.C. Although Trie held himself out as an international trader (and, in fact, actively sought to develop an international trading business he called Daihatsu International Trading Corporation), he was never successful. Trie’s bank records and tax returns reveal that he received little or no income from sources other than Ng Lap Seng.
Although he failed to establish a successful, income-generating international trading business, Trie, his wife and his businesses managed to contribute a total of $220,000 to the DNC between 1994 and 1996. Trie and Ng also reimbursed the contributions made by a number of other DNC contributors who were recruited by Trie in order to further disguise the ultimate source of the contributions. As Trie earned little money through his own business activities, the Committee concludes that Trie used the foreign-source funds wired from Ng to make his (and his wife’s and businesses’) DNC contributions and to reimburse the conduit contributors. The Justice Department indicted Trie for these illegal activities on January 28, 1998. More here.

Over this past weekend:

Chinese Businessman Arrested For Sneaking $4.5M in Cash into US

FreeBeacon: A Chinese businessman accused of illegally funneling foreign money to the Democratic National Committee ahead of Bill Clinton’s reelection in 1996 has been arrested for sneaking upwards of $4.5 million into the United States.

The New York Post reported that 68-year-old Ng Lap Seng, a real estate developer, and interpreter Jeff Yin were arrested Saturday for smuggling millions in cash from China to U.S. airports over two years, Manhattan federal court records indicate.

Ng smuggled the total of more than $4.5 million in cash into the U.S. over roughly 10 trips between China and the states between 2013 and 2015, according to the criminal complaint.

The businessman and his interpreter were scooped up by authorities after they told Customs and Border Patrol that the $400,000 in cash they had on hand was for gambling and purchasing paintings and then brought the money to Queens, N.Y.

It is unclear what has happened to the rest of the money.

Though never ultimately charged, Ng played a role in the “Donorgate” scandal before the 1996 elections that resulted in Clinton ally Charlie Trie pleading guilty to violating campaign finance laws in 1999.

Ng transferred approximately $1.4 million to Trie, also a Chinese businessman, who then gave the funds to the DNC before Bill Clinton’s reelection.

FBI Declines Cooperation with State Dept. Hillary Server

Update: More data released via Judicial Watch

Judicial Watch today released more than 50 pages of new emails from the clintonemail.com server account of Huma Abedin, a former top aide to Hillary Clinton during her tenure in the State Department. The emails discuss seemingly sensitive security and foreign affairs issues and raise questions about the handling of classified material during Hillary Clinton’s tenure at the State Department.  The documents were obtained as result of Freedom of Information Act (FOIA) lawsuit seeking Huma Abedin’s government business emails conducted on non-state.gov email accounts (Judicial Watch, Inc. v. U.S. Department of State (No. 1:15-cv-00684)).  The emails were produced from a search of State Department records, as the agency continues to delay full production of records turned over by Ms. Abedin recently.

In 2012, then-Secretary of State Clinton traveled to Finland (June 27-28), Latvia (June 28), Russia (June 28-29), and Switzerland (June 29-30).  On June 26, 2012, former Principal Deputy Executive Secretary Pamela Quanrud, writes to Abedin:

Huma – if I could lobby to get to Geneva on Friday night. We have a big data dump to get from beth jones and others there to prep for Saturday, and it would be a lot better for us to work through the night there (with access to classified) than be stuck in St. Pete with no classified at all.

Abedin responds from her [email protected] account the next morning (June 27):

i had no idea about no comms

of course

we need secure

makes total sense

The emails show Abedin used the non-secure clintonemail.com server to discuss sensitive travel and operations security information that could have placed the personal security of Clinton and other government officials at risk, such as real-time location information while traveling abroad, and other hotel and travel arrangements.

On May 31, 2012, as Clinton and her State Department entourage are traveling in Scandinavia, Abedin writes to Clinton’s then-Special Assistant Lona J. Valmoro:

Abedin to Valmoro: “Let me know when u r leaving.”

Valmoro: “We are en route to airport now. Could we do during the 45 minute drive from Oslo airport to hotel.  Everyone can dial into Ops and will have minis.”

Abedin: “When? Who’s in car with her?”

Valmoro: “Cheryl is with her now. If we are wheels up by 9:35 pm, land at 11:25, start call by 11:35 or 5:35 pm EDT?

Abedin: “[I] could barely hear [Hillary Clinton] with the background….”

On June 25, 2012, Abedin writes that she is willing to discuss travel details while on a “packed train.” With the subject line “Could we get on the phone together at 11:30 – in advance of the [Russia] trip call?” Abedin writes to several people, including Quanrud:

I see call got moved to noon. We can talk right before then if you want. All shuttles were canceled this morning and I am sitting on a packed train so hard for me to talk but we can def do calls. [Emphasis added]

Other emails also provide details of Clinton’s plans and schedules for the 2012 trip that included Russia, including the timing of calls on trip planning.

The documents show that State Department officials sent duplicate emails about government business to Abedin’s official State Department address and her clintonemail.com account.

Other emails show sensitive foreign affairs information is contained on Abedin’s Clinton server account.  A June29, 2012, email discloses a move to hold a meeting concerning Syria in Geneva.  Pamela Quanrud writes Abedin and Clinton aide Valmoro an email with the subject:  “UK and P3 meeting requests”:

UK has asked to meet at 8:45 ahead of a 9:30 with UK.US and France to coordinate. Jake thought P3 meeting necessary – what about UK? Should we say yes to 8:45?

Abedin writes back two hours later:

UK meaning hague?

Another email details a request from the Iraqi Foreign Minister for a bilateral discussion with Clinton.  Abedin uses her clintonemail.com account to approve the “pull aside,” writing, “fine to add to list.”

Another document shows Abedin approving, weeks ahead of time, the Hanoi Sheraton for Clinton’s trip on July 10-11, 2013, to Vietnam.  A June 22, 2012, email from Tulinabo S. Mushingi, who is now the U.S. Ambassador to Burkina Faso, details the hotel options in Hanoi for Abedin, with Sheraton as the number one option.  The email details both the luxury and security aspects of the hotel:

The Sheraton hosted the Secretary in July 2010 and October 2010 and much of the hotel staff remains, so they know the drill The July 2010 visit S stayed in the Imperial Suite (shown in attachment and the suite available for this visit); in October 2010, since another Head of State was also in the Sheraton and occupied the Imperial Suite S stayed in the Presidential Suite. The Imperial suite is spacious and very bright and airy, with lake views. It has a large bathroom with Jacuzzi style tub and walk in shower. The Sheraton was redecorated and refurbished within the past 12 months, so it is in excellent condition and is very attractive. From a logistics perspective the hotel is excellent as it has a very large parking area for staging motorcades. It’s location is in close proximity to government buildings where most meetings are likely to be held.


P.S. Post reminded us that the entire focus of the Hanoi stop is to promote U.S. businesses and trade. Given the purpose of the stop, the optics of staying at the available quality American name brand hotels would carry the same message, hence another for choosing The Sheraton.

Mushingi also suggests that one other hotel choice is not up to par in that “the suite bathroom is nice, but not quite to the standard of the Sheraton.”

Again, Abedin receives and responds to this email on her non-government account, writing back the next day:

Sheraton worked perfectly fine.

On August 8, in response to a FOIA lawsuit, Judicial Watch obtained a sworn declaration from the former secretary of state in which she claimed to have turned over to the agency “all my e-mails on clintonemail.com” and conceded that “Huma Abedin did have such an account which was used at times for government business.”  Neither the State Department, Clinton, nor Abedin has provided information about the status of Abedin’s emails (or the emails of any other government employee) on the clintonemail.com server.

“These emails Judicial Watch forced out through a federal lawsuit show that Huma Abedin used her separate clintonemail.com account to conduct the most sensitive government business, endangering not only her safety but the safety of Hillary Clinton and countless others,” said Judicial Watch President Tom Fitton.  “And why would Ms. Abedin and Mrs. Clinton use this unsecure system to discuss foreign affairs and sensitive matters such as the Syria conflict?  Hillary Clinton’s email games were a danger to the nation’s security.”

The FBI is probing Hillary Clinton’s personal email and data server but will not provide any progress report or findings to the Department of Justice or the State Department. Further, the FBI refuses to even reveal to the State Department exactly what the FBI technology team is researching. The judge has forced the State Department to cooperate with the FBI but it is clearly not a two way street.

One particular area of concern for the FBI team is to determine the evidence of hacking which could in fact be used to build on existing foreign hacking investigations. For the FBI to determine digital traces of foreign intelligence services and even more the likelihood of damage assessments is tantamount to the FBI investigation in the realm of cyber-espionage. The FBI is owning this process exclusively and not collaborating with the National Counterintelligence and Security Center, at least at this time.


FBI refuses to cooperate in Hillary Clinton email server probe

WashingtonTimes: The FBI refused to cooperate Monday with a court-ordered inquiry into former Secretary of State Hillary Rodham Clinton’s email server, telling the State Department that they won’t even confirm they are investigating the matter themselves, much less willing to tell the rest of the government what’s going on.

Judge Emmet G. Sullivan had ordered the State Department to talk with the FBI and see what sort of information could be recovered from Mrs. Clinton’s email server, which her lawyer has said she turned over to the Justice Department over the summer.

The FBI’s refusal, however, leaves things muddled. “At this time, consistent with long-standing Department of Justice and FBI policy, we can neither confirm nor deny the existence of any ongoing investigation, nor are we in a position to provide additional information at this time,” FBI General Counsel James A. Baker wrote in a letter dated Monday — a week after the deadline the Justice Department had set for the FBI to reply.

Judicial Watch, a conservative public interest law firm that is pursuing at least 16 open-records cases seeking emails from Mrs. Clinton and her top aides, said at this point it’s not even clear what Mrs. Clinton provided, since all that’s been made public at this point are the former secretary of state’s public comments and some assertions, made through her lawyer, to the State Department.

Judicial Watch is prodding the courts to try to delve more deeply into Mrs. Clinton’s emails, and the group said a number of questions persevere about both Mrs. Clinton and top aides such as Huma Abedin, who did public business on an account tied to the server Mrs. Clinton maintained.

“We still do not know whether the FBI – or any other government agency for that matter – has possession of the email server that was used by Mrs. Clinton and Ms. Abedin to conduct official government business during their four years of employment at the State Department,” Judicial Watch said.

“We also do not know whether the server purportedly in the possession of the FBI – an assumption based on unsworn statements by third parties – is the actual email server that was used by Mrs. Clinton and Ms. Abedin to conduct official government business during their four years of employment at the State Department or whether it is a copy of such an email server. Nor do we know whether any copies of the email server or copies of the records from the email server exist,” the group said in its own court filingMonday afternoon.

Judicial Watch did release more than 50 pages Monday of emails it obtained from Ms. Abedin’s account on Mrs. Clinton’s server, and said it was clear she was talking about “sensitive” topics that shouldn’t have been discussed on an insecure account.

Many of those were details of Mrs. Clinton’s movements overseas, such as hotels she was staying at.

“These emails Judicial Watch forced out through a federal lawsuit show that Huma Abedin used her separate clintonemail.com account to conduct the most sensitive government business, endangering not only her safety but the safety of Hillary Clinton and countless others,” said Judicial Watch President Tom Fitton.

He questioned what reason Ms. Abedin — who did maintain an account, [email protected], on State.gov servers — would have for using the other account for important business. Mrs. Clinton said she kept only one account, the one on the clintonemail.com server, because it was more convenient, but that reasoning does not appear to apply to Ms. Abedin.

The State Department is making all of Mrs. Clinton’s emails public under order of Judge Rudolph Contreras. But the department has said it won’t make all of the emails public from Ms. Abedin or other top Clinton aides Cheryl Mills or Philippe Reines. Instead the department only plans to release those messages specifically requested in open-records demands.

Mrs. Clinton turned over about 30,000 email messages in December, while her aides turned over more than 100,000 pages between them, with the final set only being returned, by Ms. Abedin, earlier this month, the department said in court filings.

Without those documents in hand, the State Department has been unable to do full and complete searches in response to subpoenas, congressional inquiries or Freedom of Information Act requests.

The State Department has asked for dozens of cases to be put on hold while it tries to get a single judge to coordinate all of its searches in more than two dozen cases. But the people requesting the records have objected, and say the State Department has nobody to blame but itself.

“The State Department acts as if Ms. Abedin’s and Ms. Mills’ documents fell from the sky on the eve of the State Department’s production deadline, but that is not remotely the case,” Citizens United, one of the plaintiffs who’s sued under the FOIA, said in a filing late last week.

Citizens United says the State Department missed its own deadline for producing Ms. Mills’s and Ms. Abedin’s documents.

The Obama administration countered that it went above and beyond its duties under the law by asking Ms. Abedin and Ms. Mills to return their records and then to search them in response to open-records requests. The State Department says it’s moving as quickly as possible, but says the sheer number of documents — and the number of requests for them — calls for a stay in most cases.

But of the 26 requests where the State Department has sought to halt proceedings, six have already been denied. Only one has been granted, one was granted in part and denied in part by the same judge, and another is being held in abeyance.

The State Department told one of the federal judges Monday that it’s facing nearly 100 different open-records lawsuits — not all of them related to Mrs. Clinton’s email server — that have stretched officials to their limit.

Monday’s FBI letter underscores the tangled situation Mrs. Clinton’s emails have produced. The letter was addressed to Mary McLeod, a lawyer at the Justice Department, which oversees the FBI — and which means, in effect, that the FBI is refusing to talk to its own parent department about the matter.

Mr. Baker pointedly noted in his letter that he was aware the response would be submitted to the court, which would presumably make it public.

Earlier this month the Justice Department, in another pleading, insisted Mrs. Clinton didn’t do anything wrong in being the one who decided which of her messages were official business records that must be returned to the government, and which were purely personal and able to be expunged.

Judicial Watch said that raises thorny questions for a department that is supposedly investigating Mrs. Clinton.

Last week Sen. John Cornyn, the second-ranking Republican in the Senate, called for Attorney General Loretta Lynch to name a special counsel to oversee the investigation, citing too many potential conflicts of interest.