
109 As discussed in Section V below, our Office charged 12 GRU officers for crimes arising from the hacking of these computers, principally with conspiring to commit computer intrusions, in violation of 18 U.S.C. §§1030 and 371. See Volume I, Section V.B, infra; Indictment, United States v. Netyksho, No. 1:18-cr-215 (D.D.C. July 13, 2018), Doc. 1 (“Netyksho Indictment”).

III. RUSSIAN HACKING AND DUMPING OPERATIONS

Beginning in March 2016, units of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds of thousands of documents from the compromised email accounts and networks.109 The GRU later released stolen Clinton Campaign and DNC documents through online personas, “DCLeaks” and “Guccifer 2.0,” and later through the organization WikiLeaks. The release of the documents was designed and timed to interfere with the 2016 U.S. presidential election and undermine the Clinton Campaign.

John Podesta

Clinton campaign chairman whose email account was hacked by the GRU. WikiLeaks released his stolen emails during the 2016 campaign.

Julian Assange

Founder of WikiLeaks, which in 2016 posted on the internet documents stolen from entities and individuals affiliated with the Democratic Party.

The Trump Campaign showed interest in the WikiLeaks releases and, in the summer and fall of 2016, Roger Stone tried to connect with WikiLeaks founder Julian Assange through intermediaries. Stone boasted to senior Campaign officials about his access to Assange. After Stone’s prediction of WikiLeaks’s first Clinton-related release proved true, the Trump Campaign stayed in contact with Stone about WikiLeaks’s activities. The investigation was unable to resolve whether Stone played a role in WikiLeaks’s release of the stolen Podesta emails on October 7, 2016, the same day a video from years earlier was published of Trump using graphic language about women.

Roger Stone

Advisor to the Trump Campaign Harm to Ongoing Matter

111 Separate from this Office’s indictment of GRU officers, in October 2018 a grand jury sitting in the Western District of Pennsylvania returned an indictment charging certain members of Unit 26165 with hacking the U.S. Anti-Doping Agency, the World Anti-Doping Agency, and other international sport associations. United States v. Aleksei Sergeyevich Morenets, No. 18-263 (W.D. Pa.).

A. GRU Hacking Directed at the Clinton Campaign

Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455.110 Military Unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States.111 The unit was sub-divided into departments with different specialties. One department, for example, developed specialized malicious software (“malware”), while another department conducted large-scale spearphishing campaigns.112 Harm to Ongoing Matter a bitcoin mining operation to secure bitcoins used to purchase computer infrastructure used in hacking operations.113

110 Netyksho Indictment ¶ 1.

112 A spearphishing email is designed to appear as though it originates from a trusted source, and solicits information to enable the sender to gain access to an account or network, or causes the recipient to

114 Netyksho Indictment ¶ 1.

Military Unit 74455 is a related GRU unit with multiple departments that engaged in cyber operations. Unit 74455 assisted in the release of documents stolen by Unit 26165, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU. Officers from Unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.114

Beginning in mid-March 2016, Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign.115

Unit 26165 used Harm to Ongoing Matter to learn about Harm to Ongoing Matter different Democratic websites, including democrats.org, hillaryclinton.com, dnc.org, and dccc.org. Harm to Ongoing Matter began before the GRU had obtained any credentials or gained access to these networks, indicating that the later DCCC and DNC intrusions were not crimes of opportunity but rather the result of targeting.116

GRU officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.117

The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign’s advance team, informal Clinton Campaign advisors, and a DNC employee.118 GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.

112 (continued) download malware that enables the sender to gain access to an account or network. Netyksho Indictment ¶ 10.

113 Bitcoin mining consists of unlocking new bitcoins by solving computational problems. Harm to Ongoing Matter kept its newly mined coins in an account on the bitcoin exchange platform CEX.io. To make purchases, the GRU routed funds into other accounts through transactions designed to obscure the source of funds. Netyksho Indictment ¶ 62.

115 Netyksho Indictment ¶ 1.

116 See SM-2589105, serials 144 & 495.


120 A VPN extends a private network, allowing users to send and receive data across public networks (such as the internet) as if the connecting computer was directly connected to the private network. The VPN in this case had been created to give a small number of DCCC employees access to certain databases housed on the DNC network. Therefore, while the DCCC employees were outside the DNC’s private network, they could access parts of the DNC network from their DCCC computers.

2. Intrusions into the DCCC and DNC Networks

a. Initial Access

By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.119

Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection120 between the DCCC and DNC networks.121 Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.122

b. Implantation of Malware on DCCC and DNC Networks

Unit 26165 implanted on the DCCC and DNC networks two types of customized malware,123 known as “X-Agent” and “X-Tunnel”; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems).124 X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers.125 GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers.

123 “Malware” is short for malicious software, and here refers to software designed to allow a third party to infiltrate a computer without the consent or knowledge of the computer’s user or operator.


To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of computers outside those networks to communicate with the implanted malware.126 The first set of GRU-controlled computers, known by the GRU as “middle servers,” sent and received messages to and from malware on the DNC/DCCC networks. The middle servers, in turn, relayed messages to a second set of GRU-controlled computers labeled internally by the GRU as an “AMS Panel.” The AMS Panel Harm to Ongoing Matter served as a nerve center through which GRU officers monitored and directed the malware’s operations on the DNC/DCCC networks.127

The AMS Panel used to control X-Agent during the DCCC and DNC intrusions was housed on a leased computer located near Harm to Ongoing Matter Arizona.128 Harm to Ongoing Matter

126 In connection with these intrusions, the GRU used computers (virtual private networks, dedicated servers operated by hosting companies, etc.) that it leased from third-party providers located all over the world. The investigation identified rental agreements and payments for computers located in, inter alia, Harm to Ongoing Matter all of which were used in the operations

The Arizona-based AMS Panel also stored thousands of files containing key-logging sessions captured through X-Agent. These sessions were captured as GRU officers monitored DCCC and DNC employees’ work on infected computers regularly between April 2016 and June 2016. Data captured in these key-logging sessions included passwords, internal communications between employees, banking information, and sensitive personal information.

c. Theft of Documents from DNC and DCCC Networks

Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees. 130

The GRU began stealing DCCC data shortly after it gained access to the network. On April 14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe onto the DCCC’s document server. The following day, the GRU searched one compromised DCCC computer for files containing search terms that included “Hillary,” “DNC,” “Cruz,” and “Trump.”131 On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC’s shared file server that pertained to the 2016 election.132 The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server.133
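The staging sequence described in the paragraph above (an archiver placed on a file server, files collected and compressed, then a large volume of data moved out) is the kind of pattern that endpoint and network telemetry can be correlated on. The following Python is an added example written for this page from a detection standpoint; it is not code from the report or from any investigating agency. The log format, host names, IP addresses, byte counts, watch lists and thresholds are all constructed assumptions chosen to illustrate the correlation, not values taken from the case.

```python
"""Correlate archiver execution on a server with a large outbound transfer.

Added example for this page (not from the report). Process-creation events
and outbound flow summaries, as a SIEM might export them, are constructed
inline; the detection raises one finding when an archiver is launched on a
host designated as a server and the host then sends an abnormal volume of
data within a time window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry (hosts, addresses and sizes are invented).
# Field order: timestamp, event type, host, detail. For "process" events the
# detail is the image name; for "netflow" events it is "dest_ip:bytes_out".
SAMPLE_LOG = """\
2016-04-14T09:12:03Z process fileserver01 rar.exe
2016-04-14T09:40:11Z netflow fileserver01 203.0.113.5:45000000
2016-04-15T10:02:44Z process workstation07 rar.exe
2016-04-15T10:05:00Z netflow workstation07 198.51.100.9:1200000
2016-04-25T14:30:10Z process fileserver01 rar.exe
2016-04-25T15:55:09Z netflow fileserver01 203.0.113.5:32000000000
2016-04-25T16:10:00Z netflow fileserver01 203.0.113.5:41000000000
"""

# Assumed tuning for the example: archiver images to watch, which hosts count
# as servers, how long after an archiver launch a transfer is still treated as
# related, and the outbound volume that is abnormal for a server in that window.
ARCHIVERS = {"rar.exe", "7z.exe", "winrar.exe"}
SERVER_HOSTS = {"fileserver01", "mailserver01"}
WINDOW = timedelta(hours=6)
EXFIL_BYTES_THRESHOLD = 10 * 1024 ** 3  # 10 GiB


@dataclass
class Event:
    ts: datetime
    kind: str
    host: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, detail = line.split(maxsplit=3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, host, detail))
    return events


def find_staging_exfil(events: List[Event]) -> List[Dict]:
    """Return one finding per archiver launch on a server that is followed,
    within WINDOW, by outbound traffic from that host above the threshold."""
    findings = []
    flows = [e for e in events if e.kind == "netflow"]
    for e in events:
        if e.kind != "process" or e.detail.lower() not in ARCHIVERS:
            continue
        if e.host not in SERVER_HOSTS:
            continue  # archivers on workstations are routine; servers are the concern
        total = 0
        dests = set()
        for f in flows:
            if f.host == e.host and e.ts <= f.ts <= e.ts + WINDOW:
                dest, nbytes = f.detail.rsplit(":", 1)
                total += int(nbytes)
                dests.add(dest)
        if total > EXFIL_BYTES_THRESHOLD:
            findings.append({
                "host": e.host,
                "archiver_at": e.ts.isoformat(),
                "bytes_out": total,
                "destinations": sorted(dests),
            })
    return findings


if __name__ == "__main__":
    for finding in find_staging_exfil(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed input only the April 25 launch on fileserver01 is reported: the April 14 launch is followed by a transfer far below the threshold, and the workstation launch is excluded by the server allow-list. In practice the window and threshold would be derived from a baseline of normal outbound volume per server rather than fixed constants.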

The GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen documents included the DNC’s opposition research into candidate Trump.134 Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC’s mail server from a GRU-controlled computer leased inside the United States.135 During these connections, Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016.136

137 Netyksho Indictment ¶ 35. Approximately a week before the registration of dcleaks.com, the same actors attempted to register the website electionleaks.com using the same domain registration service. Harm to Ongoing Matter

B. Dissemination of the Hacked Materials

The GRU’s operations extended beyond stealing materials, and included releasing documents stolen from the Clinton Campaign and its supporters. The GRU carried out the anonymous release through two fictitious online personas that it created, DCLeaks and Guccifer 2.0, and later through the organization WikiLeaks.

1. DCLeaks

The GRU began planning the releases at least as early as April 19, 2016, when Unit 26165 registered the domain dcleaks.com through a service that anonymized the registrant.137 Unit 26165 paid for the registration using a pool of bitcoin that it had mined.138 The dcleaks.com landing page pointed to different tranches of stolen documents, organized by victim or subject matter. Other dcleaks.com pages contained indexes of the stolen emails that were being released (bearing the sender, recipient, and date of the email). To control access and the timing of releases, pages were sometimes password-protected for a period of time and later made unrestricted to the public.

Starting in June 2016, the GRU posted stolen documents onto the website dcleaks.com, including documents stolen from a number of individuals associated with the Clinton Campaign. These documents appeared to have originated from personal email accounts (in particular, Google and Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks victims included an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign employee, and four other campaign volunteers.139 The GRU released through dcleaks.com thousands of documents, including personal identifying and financial information, internal correspondence related to the Clinton Campaign and prior political jobs, and fundraising files and information.140

136 Netyksho Indictment ¶ 29. The last-in-time DNC email released by WikiLeaks was dated May 25, 2016, the same period of time during which the GRU gained access to the DNC’s email server. Netyksho Indictment ¶ 45.

See, e.g., Internet Archive, “https://dcleaks.com/” (archive date Nov. 10, 2016). Additionally, DCLeaks released documents relating to Harm to Ongoing Matter, emails belonging to Harm to Ongoing Matter and emails from 2015 relating to Republican Party employees (under the portfolio name “The United States Republican Party”). “The United States Republican Party” portfolio contained approximately 300 emails from a variety of GOP members, PACs, campaigns, state parties, and businesses dated between May and October 2015. According to open-source reporting, these victims shared the same

GRU officers operated a Facebook page under the DCLeaks moniker, which they primarily used to promote releases of materials.141 The Facebook page was administered through a small number of preexisting GRU-controlled Facebook accounts.142

GRU officers also used the DCLeaks Facebook account, the Twitter account @dcleaks_, and the email account [email protected] to communicate privately with reporters and other U.S. persons. GRU officers using the DCLeaks persona gave certain reporters early access to archives of leaked files by sending them links and passwords to pages on the dcleaks.com website that had not yet become public. For example, on July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook account.143 Similarly, on September 14, 2016, GRU officers sent reporters Twitter direct messages from @dcleaks_, with a password to another non-public part of the dcleaks.com website.144

The DCLeaks.com website remained operational and public until March 2017.

2. Guccifer 2.0

On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC network and suspected theft of DNC documents. In the statements, the cyber-response team alleged that Russian state-sponsored actors (which they referred to as “Fancy Bear”) were responsible for the breach.145 Apparently in response to that announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and managed by Unit 74455 and searched for a number of specific words and phrases in English, including “some hundred sheets,” “illuminati,” and “worldwide known.” Approximately two hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC server hack to a lone Romanian hacker and using several of the unique English words and phrases that the GRU officers had searched for that day.146


That same day, June 15, 2016, the GRU also used the Guccifer 2.0 WordPress blog to begin releasing to the public documents stolen from the DNC and DCCC computer networks. The Guccifer 2.0 persona ultimately released thousands of documents stolen from the DNC and DCCC in a series of blog posts between June 15, 2016 and October 18, 2016.147 Released documents included opposition research performed by the DNC (including a memorandum analyzing potential criticisms of candidate Trump), internal policy documents (such as recommendations on how to address politically sensitive issues), analyses of specific congressional races, and fundraising documents. Releases were organized around thematic issues, such as specific states (e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential election.

Beginning in late June 2016, the GRU also used the Guccifer 2.0 persona to release documents directly to reporters and other interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an email to the news outlet The Smoking Gun offering to provide “exclusive access to some leaked emails linked [to] Hillary Clinton’s staff.”148 The GRU later sent the reporter a password and link to a locked portion of the dcleaks.com website that contained an archive of emails stolen by Unit 26165 from a Clinton Campaign volunteer in March 2016.149 That the Guccifer 2.0 persona provided reporters access to a restricted portion of the DCLeaks website tends to indicate that both personas were operated by the same or a closely-related group of people.150

The GRU continued its release efforts through Guccifer 2.0 into August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a candidate for the U.S. Congress documents related to the candidate’s opponent.151 On August 22, 2016, the Guccifer 2.0 persona transferred approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a U.S. blogger covering Florida politics.152 On August 22, 2016, the Guccifer 2.0 persona sent a U.S. reporter documents stolen from the DCCC pertaining to the Black Lives Matter movement.153

147 Releases of documents on the Guccifer 2.0 blog occurred on June 15, 2016; June 20, 2016; June 21, 2016; July 6, 2016; July 14, 2016; August 12, 2016; August 15, 2016; August 21, 2016; August 31, 2016; September 15, 2016; September 23, 2016; October 4, 2016; and October 18, 2016.

150 Before sending the reporter the link and password to the closed DCLeaks website, and in an apparent effort to deflect attention from the fact that DCLeaks and Guccifer 2.0 were operated by the same organization, the Guccifer 2.0 persona sent the reporter an email stating that DCLeaks was a “Wikileaks sub project” and that Guccifer 2.0 had asked DCLeaks to release the leaked emails with “closed access” to give reporters a preview of them.


157 WikiLeaks, “Hillary Clinton Email Archive,” available at https://wikileaks.org/clinton-emails/.

The GRU was also in contact through the Guccifer 2.0 persona with Roger Stone, a former Trump Campaign member whose interest in material stolen from the Clinton Campaign is further discussed in Volume I, Section III.D.1, infra. After the GRU had published stolen DNC documents through Guccifer 2.0, Stone told members of the Campaign that he was in contact with Guccifer 2.0.154 In early August 2016, Stone publicly protested Twitter’s suspension of the Guccifer 2.0 Twitter account. After it was reinstated, GRU officers posing as Guccifer 2.0 wrote to Stone via private message, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On August 17, 2016, the GRU added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On September 9, 2016, the GRU—again posing as Guccifer 2.0—referred to a stolen DCCC document posted online and asked Stone, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” Stone responded, “pretty standard.”155 The investigation did not identify evidence of other communications between Stone and Guccifer 2.0.

3. Use of WikiLeaks

In order to expand its interference in the 2016 U.S. presidential election, the GRU units transferred many of the documents they stole from the DNC and the chairman of the Clinton Campaign to WikiLeaks. GRU officers used both the DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter private messaging and through encrypted channels, including possibly through WikiLeaks’s private communication system.

a. WikiLeaks’s Expressed Opposition Toward the Clinton Campaign

WikiLeaks, and particularly its founder Julian Assange, privately expressed opposition to candidate Clinton well before the first release of stolen documents. In November 2015, Assange wrote to other members and associates of WikiLeaks that “[w]e believe it would be much better for GOP to win . . . Dems+Media+liberals would [sic] then form a block to reign in their worst qualities. . . . With Hillary in charge, GOP will be pushing for her worst qualities., dems+media+neoliberals will be mute. . . . She’s a bright, well connected, sadistic sociopath.”156

In March 2016, WikiLeaks released a searchable archive of approximately 30,000 Clinton emails that had been obtained through FOIA litigation.157 While designing the archive, one WikiLeaks member explained the reason for building the archive to another associate:

156 11/19/15 Twitter Group Chat, Group ID 594242937858486276, @WikiLeaks et al. Assange also wrote that, “GOP will generate a lot opposition [sic], including through dumb moves. Hillary will do the same thing, but co-opt the liberal opposition and the GOP opposition. Hence Hillary has greater freedom to start wars than the GOP and has the will to do so.” Id.