Monday, July 16, 2018

What The Mueller Indictment Really Says

By now most Americans have heard about last week’s indictment of 12 Russian military intelligence officers by Special Counsel Robert Mueller. While some details of the indictment have been reported in the media, the entire 29-page document is available online and contains surprising details about Russia’s clandestine operation to subvert American elections.

The first count of the indictment is conspiracy to commit an offense against the United States. The indictment describes how multiple units of the GRU, Russian military intelligence, conducted large-scale cyber operations to interfere with the 2016 US presidential election. Two units, 26165 and 74455, are specifically mentioned.

The indictment describes how the GRU, beginning in March 2016, hacked volunteers and employees of the Hillary Clinton campaign. By April, the attacks had extended to the Democratic Congressional Campaign Committee and the Democratic National Committee. The attacks included the theft of emails and documents, covert monitoring and implanting malware.

By June, the GRU officers had begun to publicly release the stolen documents online using false personas. Among the accounts used by the Russians were “Guccifer 2.0” and “DC Leaks” and the website of “Organization 1,” publicly identified as Wikileaks.

The indictment goes on to say that the defendants, who are listed by name, used spearphishing techniques to penetrate the internet security of the Clinton campaign. Using emails that spoofed Google notifications and emails that appeared to come from other campaign staffers, the Russians stole internet credentials and emails from “numerous individuals associated with the Clinton campaign.” The spearphishing attacks continued throughout the summer and targeted both Democrat operatives and a third-party contractor.

The indictment references “Victims 1 and 2.” One of the victims has been previously publicly identified as John Podesta, the chairman of the Clinton campaign. Podesta became a spearphishing victim in March 2016 after he clicked on a fake email that spoofed a communication from Google.

In addition to the phishing attacks, the Russians also hacked the DCCC and DNC computers beginning in March 2016. The GRU then planted malware called “X-Agent” on the Democrat computers that allowed them to monitor computer activity and steal information. The hackers could even take screenshots of the computer activity of DNC employees. The stolen information was then transferred to servers in Arizona and Illinois that were leased by the GRU.

Once they had access to the Democrat computers, the Russians stole files related to opposition research and strategy for the 2016 election. The indictment notes that on April 15, 2016 the hackers searched Democrat computers for the words “Hillary,” “Cruz” and “Trump.” They also copied a folder titled “Benghazi investigations.” At that point, the Republican primary was a three-way race between Trump, Ted Cruz and John Kasich.

In May 2016, the Russians hacked a Microsoft Exchange server used by the DNC. The hack resulted in the theft of thousands of additional emails.

After the thefts, the Russians attempted to cover their tracks by deleting event logs and computer files on the compromised computers in May 2016. Despite these efforts, the DNC became aware of the hacks about the same time.

When the DNC became aware that their networks were compromised, they hired a third-party cybersecurity firm to identify the intruders and mitigate the damage. The indictment refers to this company as “Company 1,” but the firm was previously identified in the press as Crowdstrike.

As Crowdstrike cleaned the computers, the Russian hackers fought back and tried to maintain access. At one point, the hackers mimicked the DCCC fundraising page and used stolen credentials to redirect donors to their own site.

Crowdstrike was able to remove X-Agent from the DNC computers, but the Russians successfully attacked again in September 2016. This time the hackers gained access to DNC networks through a cloud computing service. The hackers used this breach to steal analytical data from the DNC.

Preparations to release the stolen information began in April 2016. The dcleaks.com URL was registered through an anonymous service on April 19 using the same email address that had sent the spearphishing email to Podesta. The stolen documents were posted on the DC Leaks site operated from June 2016 through March 2017. The site received more than one million page views.

In addition to the stolen Democratic emails, the DC Leaks site also posted stolen Republican documents. The Republican hack occurred in 2015 and predated the 2016 Republican primary. There is no indication that the Russians targeted the GOP during the 2016 campaign season.

DC Leaks was promoted on a Facebook page run by fictitious accounts. There was also a DC Leaks Twitter account. The DC Leaks Twitter account was run from the same computer as another Twitter account that promoted the #BlacksAgainstHillary hashtag.

On June 14, 2016, the DNC announced that it had been hacked by the Russian government. The indictment says that the hackers created Guccifer 2.0 in response. Guccifer 2.0 claimed to be a lone Romanian hacker, but was linked to the Russians via internet searches for terms that appeared in Guccifer’s posts before they were published. The indictment also notes that the stolen information and financing records between the Russian hackers and Guccifer overlapped.

The indictment also says that Guccifer sent stolen documents to other individuals. In August 2016, Guccifer received a request for stolen documents from “a candidate for the US Congress” and sent back stolen documents related to the candidate’s opponent. The candidate has been identified as Brian Mast, a first-time candidate in Florida who is now a congressman. The Wall Street Journal reported in May 2017 that Aaron Nevins, a Republican consultant who worked for Mast, had received stolen data from Guccifer. Rep. Mast denies knowledge of wrongdoing.

On August 22, 2016, Guccifer also sent a reporter stolen DNC documents about Black Lives Matter. The reporter is not identified, but the content of the leak was discussed on Snopes.com at the time.

Guccifer also had contact with a “person who was in regular contact with senior members of the presidential campaign of Donald J. Trump.” This “US person” is Roger Stone, a Trump campaign advisor who left the campaign in August 2015. Stone admitted in August 2016 to being in contact with Guccifer and Wikileaks’ Julian Assange. In a tweet on August 21, Stone said, “Trust me, it will soon the Podesta’s time in the barrel.” More than a month later, on October 7, Wikileaks released the first stolen emails from John Podesta.

Counts two through nine are for aggravated identity theft from eight unidentified victims. The sources of the theft were personal email passwords in four cases and DCCC network passwords in the other four.

Count 10 is money laundering. This deals with transactions in numerous currencies including US dollars and bitcoin that were used by the hackers to finance the operation.

The eleventh count is conspiracy to hack into protected computers that dealt with the administration of US elections in order to steal voter data and other information. The indictment states that the hackers stole personal information about 500,000 voters in July 2016 from a state that public sources identify as Illinois.

The Russians also hacked an election software company identified as “vendor 1” in the indictment. This company is apparently VR Systems of Florida. The Intercept reported last year that the GRU had breached security at VR Systems based on an NSA report leaked by Reality Winner.

The attacks didn’t stop there. Numerous state and county election entities were attacked in the final days of the campaign. The indictment specifically mentions several counties in Georgia, Iowa and Florida.

While the indictment falls short of offering evidence of illegal collusion, it is interesting to note that the indictment mentions “failed attempts to transfer the stolen documents starting in late June 2016.” This seems very close to the meeting between Donald Trump, Jr. and Russian lawyer Natalia Veselnitskaya on June 9, 2016. This meeting and any follow-ups are likely to be investigated by the special counsel team.

It is also obvious from the indictment that Russian efforts in the 2016 election were a one-sided affair. There was no known hack of the Republican Party after Donald Trump ascended to frontrunner status. Every leak that the Russians posted was calculated to hurt the Clinton campaign.

Roger Stone would also seem to be a likely focal point for the Mueller team. At this point, it isn’t clear whether Stone broke the law or passed any information from Guccifer to Trump campaign officials, but it seems likely that Mueller would want to ask Stone and his associates those questions.

The bottom line is that while President Trump and Rudy Giuliani talk about “witch hunts,” Robert Mueller and his team are quietly digging. Despite claims that the Mueller probe is dragging out too long, Mueller seems to be making rapid progress. The indictments of the 12 GRU officers, which seem purposefully timed to throw a cloud over Trump’s meeting with Putin, are likely just the tip of the special counsel’s case. It makes one wonder what else Robert Mueller knows, but has yet to tell.


Originally published on The Resurgent