Having established that Russian specialists had successfully weaponized American social media with fake news and pro-Trump and anti-Clinton posts, the Mueller team now describes the sophisticated and extensive Russian GRU (intelligence agency) infiltration of computers used by Democratic Party offices and workers, including those used by the Clinton campaign.
The report does not address whether the GRU similarly hacked into Republican organization computers. If the GRU did, it has not released anything it may have found.
As a reminder, the Russian hacking and disinformation efforts were clearly intended to favor a Trump win and damage the Clinton campaign.
* * *
[EDITOR: As before, the footnotes appear in the same location as they do in the original PDF version of the Mueller report. Links to external websites have been added, and are not in the original report.]
III. RUSSIAN HACKING AND DUMPING OPERATIONS
Beginning in March 2016, units of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds of thousands of documents from the compromised email accounts and networks. 109 The GRU later released stolen Clinton Campaign and DNC documents through online personas, “DCLeaks” and “Guccifer 2.0,” and later through the organization WikiLeaks. The release of the documents was designed and timed to interfere with the 2016 U.S. presidential election and undermine the Clinton Campaign.
The Trump Campaign showed interest in the WikiLeaks releases, and in the summer and fall of 2016 HARM TO ONGOING MATTER. After HARM TO ONGOING MATTER, WikiLeaks’s first Clinton-related release HARM TO ONGOING MATTER the Trump Campaign stayed in contact HARM TO ONGOING MATTER about WikiLeaks’s activities. The investigation was unable to resolve HARM TO ONGOING MATTER WikiLeaks’s release of the stolen Podesta emails on October 7, 2016, the same day a video from years earlier was published of Trump using graphic language about women.
[EDITOR: This is a reference to the Access Hollywood “pussy grabbing” tape. The WikiLeaks dump of Podesta’s emails came less than an hour later. See the link above for more details.]
A. GRU Hacking Directed at the Clinton Campaign
1. GRU Units Target the Clinton Campaign
Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455. 110 Military Unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States. 111 The unit was sub-divided into departments with different specialties. One department, for example, developed specialized malicious software (“malware”), while another department conducted large-scale spearphishing campaigns. 112 [INVESTIGATIVE TECHNIQUE] a bitcoin mining operation to
– – – – –
109 As discussed in Section V below, our Office charged 12 GRU officers for crimes arising from the hacking of these computers, principally with conspiring to commit computer intrusions, in violation of 18 U.S.C. §§ 1030 and 371. See Volume I, Section V.B, infra; Indictment, United States v. Netyksho, No. 1:18-cr-215 (D.D.C. July 13, 2018), Doc. 1 (“Netyksho Indictment”).
110 Netyksho Indictment ¶1.
111 Separate from this Office’s indictment of GRU officers, in October 2018 a grand jury sitting in the Western District of Pennsylvania returned an indictment charging certain members of Unit 26165 with hacking the U.S. Anti-Doping Agency, the World Anti-Doping Agency, and other international sport associations. United States v. Aleksei Sergeyevich Morenets, No. 18-263 (W.D. Pa.).
112 A spearphishing email is designed to appear as though it originates from a trusted source, and solicits information to enable the sender to gain access to an account or network, or causes the recipient to
– – – – –
secure bitcoins used to purchase computer infrastructure used in hacking operations. 113
Military Unit 74455 is a related GRU unit with multiple departments that engaged in cyber operations. Unit 74455 assisted in the release of documents stolen by Unit 26165, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU. Officers from Unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections. 114 EMPHASIS ADDED
[EDITOR: It’s possible that the Russians can still interfere with local, state and federal elections, depending on how extensive their intrusions were.]
Beginning in mid-March 2016, Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign: 115
- Unit 26165 used INVESTIGATIVE TECHNIQUE to learn about INVESTIGATIVE TECHNIQUE different Democratic websites, including democrats.org, hillaryclinton.com, dnc.org and dccc.org INVESTIGATIVE TECHNIQUE began before the GRU had obtained any credentials or gained access to these networks, indicating that the later DCCC and DNC intrusions were not crimes of opportunity but rather the result of targeting. 116 [EDITOR: In other words, deliberate hacking attempts.]
- GRU officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts. 117
The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign’s advance team, informal Clinton Campaign advisors, and a DNC employee. 118 GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.
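[EDITOR: The following Python script is an added example, not code from the Mueller report, the FBI, or any tool the report names. It shows what the campaign described above (and defined in footnote 112) looks like from the defender’s side of a mail gateway: one sender hitting many distinct recipients at a single organization inside a short window, combined with a sender domain that imitates a trusted one. The log lines, the addresses, and the lookalike domain in it are all constructed for illustration; the trusted-domain list and the thresholds are assumptions a real deployment would tune.]

```python
"""Spearphishing-burst hunt over mail-gateway logs.

Added example for this page; not code from the Mueller report, the FBI,
or any tool named in it. The log lines, sender and recipient addresses
and the lookalike domain are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the targeted organisations trust (hypothetical list). A sender
# domain that merely contains one of these labels as a token, such as
# "accounts-google-com.example", is treated as a lookalike.
TRUSTED_DOMAINS = ("google.com", "hillaryclinton.com", "dnc.org")

# Constructed gateway log: timestamp, envelope sender, recipient, subject.
SAMPLE_LOG = """
2016-03-10T08:02:11 from=<security-noreply@accounts-google-com.example> to=<a.smith@hillaryclinton.com> subject="Someone has your password"
2016-03-10T08:02:15 from=<security-noreply@accounts-google-com.example> to=<b.jones@hillaryclinton.com> subject="Someone has your password"
2016-03-10T08:02:19 from=<security-noreply@accounts-google-com.example> to=<c.lee@hillaryclinton.com> subject="Someone has your password"
2016-03-10T14:30:01 from=<security-noreply@accounts-google-com.example> to=<d.park@hillaryclinton.com> subject="Someone has your password"
2016-03-11T09:15:40 from=<security-noreply@accounts-google-com.example> to=<e.diaz@hillaryclinton.com> subject="Someone has your password"
2016-03-11T09:15:44 from=<security-noreply@accounts-google-com.example> to=<f.khan@hillaryclinton.com> subject="Someone has your password"
2016-03-12T07:00:00 from=<news@dnc.org> to=<a.smith@hillaryclinton.com> subject="Weekly update"
2016-03-12T07:00:01 from=<news@dnc.org> to=<b.jones@hillaryclinton.com> subject="Weekly update"
2016-03-12T07:00:02 from=<news@dnc.org> to=<c.lee@hillaryclinton.com> subject="Weekly update"
2016-03-12T07:00:03 from=<news@dnc.org> to=<d.park@hillaryclinton.com> subject="Weekly update"
2016-03-12T07:00:04 from=<news@dnc.org> to=<e.diaz@hillaryclinton.com> subject="Weekly update"
2016-03-12T11:42:09 from=<vendor@printshop.example> to=<d.park@hillaryclinton.com> subject="Invoice 4471"
this line is malformed and must be skipped
""".strip().splitlines()

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)


def parse(lines):
    """Parse gateway lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "sender": m["sender"].lower(),
                       "rcpt": m["rcpt"].lower(),
                       "subject": m["subject"]})
    return events


def lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A trusted domain or any of its subdomains is never a lookalike. Any other
    domain whose hyphen/dot-separated tokens contain a trusted domain's first
    label (google, hillaryclinton, dnc) is treated as imitating it.
    """
    domain = domain.lower()
    if any(domain == b or domain.endswith("." + b) for b in trusted):
        return None
    tokens = set(re.split(r"[-.]", domain))
    for brand in trusted:
        if brand.split(".")[0] in tokens:
            return brand
    return None


def burst_senders(events, window=timedelta(hours=48), min_recipients=5):
    """Senders that reach >= min_recipients distinct recipients within any `window`."""
    by_sender = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sender[e["sender"]].append(e)
    hits = {}
    for sender, evs in by_sender.items():
        best = 0
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            best = max(best, len({e["rcpt"] for e in in_window}))
        if best >= min_recipients:
            hits[sender] = best
    return hits


def hunt(lines, **thresholds):
    """Bursting senders, most recipients first, tagged with the domain each imitates (if any)."""
    findings = []
    for sender, n in burst_senders(parse(lines), **thresholds).items():
        domain = sender.rsplit("@", 1)[-1]
        findings.append({"sender": sender, "recipients": n, "imitates": lookalike(domain)})
    return sorted(findings, key=lambda f: -f["recipients"])


def suspicious(lines, **thresholds):
    """Bursts that also come from a lookalike domain. A burst alone is noisy
    (newsletters burst too) and a lookalike alone may be a single probe."""
    return [f for f in hunt(lines, **thresholds) if f["imitates"]]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, `hunt` returns two bursts: the lookalike sender that reached six campaign mailboxes in about a day, and the legitimate newsletter from dnc.org, which `suspicious` drops because its domain imitates nothing. The point of keeping both signals separate is that either one on its own would have produced a flood of false positives on a campaign mail domain in 2016.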
– – – – –
download malware that enables the sender to gain access to an account or network. Netyksho Indictment ¶10.
113 Bitcoin mining consists of unlocking new bitcoins by solving computational problems. INVESTIGATIVE TECHNIQUE kept its newly mined coins in an account on the bitcoin exchange platform CEX.io. To make purchases, the GRU routed funds into other accounts through transactions designed to obscure the source of funds. Netyksho Indictment ¶62.
114 Netyksho Indictment ¶69.
115 Netyksho Indictment ¶9.
116 See SM-2589105, serials 144 & 495.
117 INVESTIGATIVE TECHNIQUE
118 INVESTIGATIVE TECHNIQUE
– – – – –
2. Intrusions into the DCCC and DNC Networks
a. Initial Access
By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network. 119
Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection 120 between the DCCC and DNC networks. 121 Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server. 122
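[EDITOR: The following Python script is an added example, not code from the Mueller report, the FBI, or the indictment. It shows the two things in the passage above that are detectable from ordinary authentication logs: one set of stolen credentials (then an IT administrator’s) being used against many hosts in a short window from a single foothold, and a VPN that was built to reach “certain databases” on the DNC network (footnote 120) being used to reach hosts it was never meant to serve. Every event, host name, account name, and address range in it is constructed; the VPN address pool and the allowed-host set are hypothetical.]

```python
"""Lateral-movement and VPN-scope hunt over authentication events.

Added example for this page; not code from the Mueller report, the FBI or
the indictment. Every event, host name, user name and address range below
is constructed. VPN_POOL and VPN_ALLOWED are hypothetical stand-ins for
the DCCC VPN and the databases on the DNC network it was built to reach.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADMIN_ACCOUNTS = {"itadmin1"}            # hypothetical privileged accounts
VPN_POOL = ip_network("10.9.0.0/24")     # hypothetical address pool handed to DCCC VPN clients
VPN_ALLOWED = {"DNC-SQL-01"}             # hypothetical: the only DNC host VPN clients need

# Constructed successful-logon events: (timestamp, account, target host, source address).
EVENTS = [
    ("2016-04-06T09:01:00", "jdoe", "DCCC-WS-07", "10.1.5.40"),      # jdoe's own workstation, normal
    ("2016-04-12T08:00:00", "asmith", "DCCC-WS-02", "10.1.5.12"),    # ordinary user, one host
    ("2016-04-12T22:10:00", "jdoe", "DCCC-WS-07", "10.1.5.88"),      # same account, new source, off-hours
    ("2016-04-12T22:14:00", "jdoe", "DCCC-WS-12", "10.1.5.88"),
    ("2016-04-12T22:21:00", "jdoe", "DCCC-FS-01", "10.1.5.88"),
    ("2016-04-12T23:02:00", "jdoe", "DCCC-WS-19", "10.1.5.88"),
    ("2016-04-13T01:40:00", "jdoe", "DCCC-DC-01", "10.1.5.88"),
    ("2016-04-13T08:05:00", "asmith", "DCCC-WS-02", "10.1.5.12"),
    ("2016-04-14T02:05:00", "itadmin1", "DCCC-DC-01", "10.1.5.88"),  # admin credential used from the same foothold
    ("2016-04-14T02:06:00", "itadmin1", "DCCC-FS-01", "10.1.5.88"),
    ("2016-04-14T02:09:00", "itadmin1", "DCCC-WS-03", "10.1.5.88"),
    ("2016-04-14T02:11:00", "itadmin1", "DCCC-WS-21", "10.1.5.88"),
    ("2016-04-14T02:15:00", "itadmin1", "DCCC-MAIL-01", "10.1.5.88"),
    ("2016-04-18T03:12:00", "jdoe", "DNC-SQL-01", "10.9.0.5"),       # VPN client reaching the permitted database
    ("2016-04-18T03:20:00", "jdoe", "DNC-FS-01", "10.9.0.5"),        # VPN client reaching hosts it never needed
    ("2016-04-18T03:44:00", "jdoe", "DNC-MAIL-01", "10.9.0.5"),
]


def load(rows):
    """Turn raw tuples into typed, time-ordered event dicts."""
    events = [{"ts": datetime.fromisoformat(t), "user": u, "host": h, "src": ip_address(s)}
              for t, u, h, s in rows]
    return sorted(events, key=lambda e: e["ts"])


def fanout(events, window=timedelta(hours=24), min_hosts=4):
    """Accounts that log on to >= min_hosts distinct hosts inside `window`.

    Reports the earliest qualifying window per account together with every
    source address seen in it, so hits can later be tied together by source.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= min_hosts:
                hits.append({"user": user, "first": start["ts"], "hosts": sorted(hosts),
                             "sources": sorted({str(e["src"]) for e in in_window}),
                             "admin": user in ADMIN_ACCOUNTS})
                break
    return hits


def shared_sources(hits):
    """Source addresses from which more than one flagged account fanned out:
    one foothold driving several stolen credentials."""
    by_src = defaultdict(set)
    for h in hits:
        for s in h["sources"]:
            by_src[s].add(h["user"])
    return {s: sorted(users) for s, users in by_src.items() if len(users) > 1}


def vpn_scope_violations(events, pool=VPN_POOL, allowed=VPN_ALLOWED):
    """Logons from the VPN pool to hosts outside the set the VPN exists to serve."""
    return [e for e in events if e["src"] in pool and e["host"] not in allowed]


if __name__ == "__main__":
    evs = load(EVENTS)
    hits = fanout(evs)
    for h in hits:
        print(h["user"], "admin" if h["admin"] else "user", h["first"], h["hosts"], h["sources"])
    print("shared sources:", shared_sources(hits))
    print("vpn scope violations:", [(e["user"], e["host"]) for e in vpn_scope_violations(evs)])
```

On the constructed data, `fanout` flags both jdoe and itadmin1, `shared_sources` ties them to the same internal address, which is the single compromised machine the rest of the traversal was driven from, and `vpn_scope_violations` lists the two DNC hosts reached over the VPN that were never on its allowed list. The last check is only possible if the VPN’s intended scope was written down somewhere; a VPN that grants a flat route into another network, as footnote 120 describes, leaves nothing to compare against.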
b. Implantation of Malware on DCCC and DNC Networks
Unit 26165 implanted on the DCCC and DNC networks two types of customized malware, 123 known as “X-Agent” and “X-Tunnel”; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems). 124 X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers. 125 GRU officers then used X-Tunnel to exfiltrate stolen data from victim computers.
– – – – –
119 INVESTIGATIVE TECHNIQUE
120 A VPN extends a private network, allowing users to send and receive data across public networks (such as the internet) as if the connecting computer was directly connected to the private network. The VPN in this case had been created to give a small number of DCCC employees access to certain databases housed on the DNC network. Therefore, while the DCCC employees were outside the DNC’s private network, they could access parts of the DNC network from their DCCC computers.
121 INVESTIGATIVE TECHNIQUE SM-2589105-HACK, serial 5
122 INVESTIGATIVE TECHNIQUE SM-2589105-HACK, serial 5
123 “Malware” is short for malicious software, and here refers to software designed to allow a third party to infiltrate a computer without the consent or knowledge of the computer’s user or operator.
124 INVESTIGATIVE TECHNIQUE
125 INVESTIGATIVE TECHNIQUE
– – – – –
To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of computers outside those networks to communicate with the implanted malware. 126 The first set of GRU-controlled computers, known by the GRU as “middle servers,” sent and received messages to and from malware on the DNC/DCCC networks. The middle servers, in turn, relayed messages to a second set of GRU-controlled computers, labeled internally by the GRU as an “AMS Panel.” The AMS Panel INVESTIGATIVE TECHNIQUE served as a nerve center through which GRU officers monitored and directed the malware’s operations on the DNC/DCCC networks. 127
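[EDITOR: The following Python script is an added example, not code from the Mueller report, and it says nothing about how X-Agent actually spoke to its middle servers, which the report does not describe. What the tiered architecture above does imply is a single observable on the victim network: an implant checking in with its middle server on a timer, which shows up in outbound connection records as a long series of low-jitter, evenly spaced connections to one address, unlike the bursty traffic a person or a browser produces. The flow records, host names, and addresses in it are constructed; the thresholds are assumptions.]

```python
"""Beacon detection over outbound connection records.

Added example for this page; not code from the Mueller report and not a
description of X-Agent's real protocol. The flow records, host names and
addresses are constructed. It models the one observable the report's
implant -> middle server -> panel architecture implies: timer-driven
check-ins, visible as low-jitter periodic connections to one address.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flows: (timestamp, source host, destination, port, bytes out).
FLOWS = [
    # eight check-ins roughly every five minutes: implant -> middle server (hypothetical address)
    ("2016-05-02T09:00:00", "DCCC-WS-12", "198.51.100.23", 443, 1_204),
    ("2016-05-02T09:05:00", "DCCC-WS-12", "198.51.100.23", 443, 1_190),
    ("2016-05-02T09:09:57", "DCCC-WS-12", "198.51.100.23", 443, 1_211),
    ("2016-05-02T09:15:02", "DCCC-WS-12", "198.51.100.23", 443, 1_198),
    ("2016-05-02T09:20:01", "DCCC-WS-12", "198.51.100.23", 443, 1_205),
    ("2016-05-02T09:25:03", "DCCC-WS-12", "198.51.100.23", 443, 1_201),
    ("2016-05-02T09:29:59", "DCCC-WS-12", "198.51.100.23", 443, 1_197),
    ("2016-05-02T09:35:00", "DCCC-WS-12", "198.51.100.23", 443, 1_209),
    # ordinary web browsing from the same host: bursty, irregular gaps
    ("2016-05-02T09:01:10", "DCCC-WS-12", "203.0.113.5", 443, 48_120),
    ("2016-05-02T09:01:35", "DCCC-WS-12", "203.0.113.5", 443, 2_300),
    ("2016-05-02T09:07:52", "DCCC-WS-12", "203.0.113.5", 443, 91_004),
    ("2016-05-02T09:08:01", "DCCC-WS-12", "203.0.113.5", 443, 5_512),
    ("2016-05-02T09:22:40", "DCCC-WS-12", "203.0.113.5", 443, 66_700),
    ("2016-05-02T09:23:05", "DCCC-WS-12", "203.0.113.5", 443, 1_870),
    ("2016-05-02T09:41:18", "DCCC-WS-12", "203.0.113.5", 443, 120_345),
    ("2016-05-02T09:41:22", "DCCC-WS-12", "203.0.113.5", 443, 980),
    # a regular but short series: too few connections to call it a beacon yet
    ("2016-05-02T09:00:30", "DCCC-WS-03", "192.0.2.9", 443, 700),
    ("2016-05-02T09:05:30", "DCCC-WS-03", "192.0.2.9", 443, 700),
    ("2016-05-02T09:10:30", "DCCC-WS-03", "192.0.2.9", 443, 700),
]


def parse_flows(rows):
    return [{"ts": datetime.fromisoformat(t), "src": s, "dst": d, "port": p, "bytes": b}
            for t, s, d, p, b in rows]


def pair_stats(flows):
    """Per (src, dst, port): connection count, mean gap in seconds, and jitter.

    jitter = population stdev of the gaps / mean gap. A human or a browser
    produces jitter well above 1; a timer-driven implant with a small random
    sleep produces jitter near 0.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["port"])].append(f["ts"])
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = mean(gaps) if gaps else 0.0
        jitter = pstdev(gaps) / period if period else float("inf")
        stats[pair] = {"connections": len(times), "period_s": round(period, 1),
                       "jitter": round(jitter, 3)}
    return stats


def beacon_candidates(flows, min_connections=6, max_jitter=0.15):
    """Pairs with enough connections to judge and gaps regular enough to be a timer.
    Pairs below min_connections are skipped: three evenly spaced hits is not evidence."""
    return sorted(
        [{"src": s, "dst": d, "port": p, **st}
         for (s, d, p), st in pair_stats(flows).items()
         if st["connections"] >= min_connections and st["jitter"] <= max_jitter],
        key=lambda c: c["jitter"])


if __name__ == "__main__":
    for cand in beacon_candidates(parse_flows(FLOWS)):
        print(cand)
```

On the constructed flows only the 300-second series to 198.51.100.23 survives: the browsing traffic to 203.0.113.5 has the same number of connections but a jitter above 1, and the evenly spaced series from DCCC-WS-03 is dropped for having too few samples. Because the implants talked to middle servers rather than to the panel, the address this surfaces is the relay, not the operators’ nerve center; that is the purpose of the tiering, and it is why the report could place the AMS Panel only through leasing records.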
The AMS Panel used to control X-Agent during the DCCC and DNC intrusions was housed on a leased computer located near INVESTIGATIVE TECHNIQUE Arizona. INVESTIGATIVE TECHNIQUE 129
– – – – –
126 In connection with these intrusions, the GRU used computers (virtual private networks, dedicated servers operated by hosting companies, etc.) that it leased from third-party providers located all over the world. The investigation identified rental agreements and payments for computers located in, inter alia, INVESTIGATIVE TECHNIQUE all of which were used in the operations targeting the U.S. election.
127 Netyksho Indictment, ¶25.
128 Netyksho Indictment, ¶24(c).
129 Netyksho Indictment, ¶24(b).
– – – – –
The Arizona-based AMS Panel also stored thousands of files containing keylogging sessions captured through X-Agent. These sessions were captured as GRU officers monitored DCCC and DNC employees’ work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and sensitive personal information.
c. Theft of Documents from DNC and DCCC Networks
Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees. 130
The GRU began stealing DCCC data shortly after it gained access to the network. On April 14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe onto the DCCC’s document server. The following day, the GRU searched one compromised DCCC computer for files containing search terms that included “Hillary,” “DNC,” “Cruz,” and “Trump.” 131 On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC’s shared file server that pertained to the 2016 election. 132 The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server. 133
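[EDITOR: The following Python script is an added example, not code from the Mueller report or the indictment. It correlates the three steps the passage above and the malware section describe, an archiver such as rar.exe being run, large archives appearing on the same host, and a large outbound transfer following (what X-Tunnel carried), into one finding per host, and drops an archiver run that leads nowhere. All of the process, file, and flow events, host names, paths, and addresses in it are constructed; the thresholds and the archiver list are assumptions.]

```python
"""Collection-and-exfiltration staging hunt over host and network telemetry.

Added example for this page; not code from the Mueller report or the
indictment. The process, file and flow events, hosts, paths and addresses
are constructed. It looks for the sequence the report describes: an
archiver such as rar.exe is run, large archives appear on that host, and a
large outbound transfer from the same host follows within a window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}   # archive tools worth correlating (assumed list)
ARCHIVE_EXT = (".rar", ".7z", ".zip")
MB = 1_000_000

# Constructed process-creation events: (timestamp, host, image name, command line).
PROCESS_EVENTS = [
    ("2016-04-14T21:10:00", "DCCC-FS-01", "rar.exe",
     r"rar.exe a -r C:\Windows\Temp\st.rar D:\Shares\Finance"),                   # hypothetical staging path
    ("2016-04-14T21:12:00", "DCCC-WS-02", "7z.exe",
     r"7z.exe a C:\Users\asmith\Desktop\photos.zip C:\Users\asmith\Pictures"),   # a user zipping photos
    ("2016-04-14T21:30:00", "DCCC-MAIL-01", "backupagent.exe", "backupagent.exe --nightly"),
]
# Constructed file-write events: (timestamp, host, path, size in bytes).
FILE_EVENTS = [
    ("2016-04-14T21:48:00", "DCCC-FS-01", r"C:\Windows\Temp\st.rar", 2_300_000_000),
    ("2016-04-14T21:50:00", "DCCC-FS-01", r"C:\Windows\Temp\st2.rar", 900_000_000),
    ("2016-04-14T21:13:00", "DCCC-WS-02", r"C:\Users\asmith\Desktop\photos.zip", 45_000_000),
]
# Constructed outbound flows: (timestamp, host, destination, bytes out).
NET_EVENTS = [
    ("2016-04-15T02:05:00", "DCCC-FS-01", "198.51.100.23", 3_100_000_000),   # hypothetical attacker-controlled address
    ("2016-04-14T21:20:00", "DCCC-WS-02", "203.0.113.5", 8_000_000),
    ("2016-04-15T01:00:00", "DCCC-MAIL-01", "203.0.113.77", 500_000_000),    # nightly backup: big egress, no archiver
]


def _ts(s):
    return datetime.fromisoformat(s)


def staging_chains(procs=PROCESS_EVENTS, files=FILE_EVENTS, net=NET_EVENTS,
                   window=timedelta(hours=48), min_archive_mb=100, min_egress_mb=100):
    """One finding per archiver run that is followed, on the same host and within
    `window`, by archive files totalling >= min_archive_mb and an outbound transfer
    totalling >= min_egress_mb to a single destination."""
    chains = []
    for t, host, image, cmdline in procs:
        if image.lower() not in ARCHIVERS:
            continue
        start, end = _ts(t), _ts(t) + window
        archives = [(p, size) for ft, fh, p, size in files
                    if fh == host and p.lower().endswith(ARCHIVE_EXT) and start <= _ts(ft) <= end]
        archive_mb = sum(size for _, size in archives) / MB
        egress = defaultdict(int)                      # bytes per destination in the window
        for nt, nh, dst, b in net:
            if nh == host and start <= _ts(nt) <= end:
                egress[dst] += b
        big_egress = [{"dst": d, "mb": round(b / MB, 1)}
                      for d, b in sorted(egress.items()) if b / MB >= min_egress_mb]
        if archive_mb >= min_archive_mb and big_egress:
            chains.append({"host": host, "archiver": image, "cmdline": cmdline, "started": start,
                           "archives": [p for p, _ in archives], "archive_mb": round(archive_mb, 1),
                           "egress": big_egress})
    return chains


if __name__ == "__main__":
    for chain in staging_chains():
        print(chain)
```

With the default thresholds only DCCC-FS-01 is reported: 3.2 GB of .rar files written under a temp directory after rar.exe ran, then 3.1 GB sent to one outside address. The user zipping photos on DCCC-WS-02 is below both thresholds and the mail server’s backup has no archiver run in front of it, so neither fires; lowering the thresholds surfaces the photo zip, which is the trade-off any such rule makes. The 70 GB figure in the paragraph above is the kind of volume a rule like this exists to catch, and it is far above what a 100 MB floor would miss.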
The GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen documents included the DNC’s opposition research into candidate Trump. 134 Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC’s mail server from a GRU-controlled computer leased inside the United States. 135 During these connections,
– – – – –
130 Netyksho Indictment, ¶¶27-29; INVESTIGATIVE TECHNIQUE
131 INVESTIGATIVE TECHNIQUE
132 INVESTIGATIVE TECHNIQUE
133 INVESTIGATIVE TECHNIQUE
134 INVESTIGATIVE TECHNIQUE SM-2589105-HACK, serial 5. INVESTIGATIVE TECHNIQUE
135 INVESTIGATIVE TECHNIQUE – See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later received images of DNC servers and copies of relevant traffic logs. Netyksho Indictment, ¶¶28-29.
– – – – –
Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016. 136
NEXT: DCLeaks, Guccifer 2.0 and WikiLeaks publish the stolen material
* * *