How the Russians hacked the DNC and passed its emails to WikiLeaks
On a late July day in 2016, Donald Trump, the GOP nominee for president, stood at a lectern in Florida, next to an American flag, and urged a U.S. adversary to become involved in the election campaign and find tens of thousands of emails wiped from the server of his Democratic opponent, Hillary Clinton.
“Russia, if you’re listening,” he said at a news conference at one of his resorts, “I hope you’re able to find the 30,000 emails that are missing.”
That same day, July 27, several Russian government hackers launched an attack against the email accounts of staffers in Clinton’s personal office, according to a sweeping indictment Friday by special counsel Robert S. Mueller III. At or around the same time, the hackers also targeted 76 email addresses used by the Clinton campaign, investigators said.
Although the broad outlines of the hacking and influence campaign have been widely reported, the indictment describes for the first time the identities, techniques and tactics of the operation to disrupt American democracy.
It includes details on how the Russians, using an encrypted file with instructions, delivered their trove of hacked emails to WikiLeaks, the online anti-secrecy organization led by Julian Assange that became their main platform for publishing the stolen material.
The indictment also reflects an aggressive but somewhat inartful operation in which the hackers used the same servers to launder bitcoin payments as they did to lure their victims and to register the sites they used in the hacking.
The hackers worked for the spy agency called the Main Intelligence Directorate of the General Staff, or GRU, the indictment said.
They also allegedly targeted a state election board, identified by U.S. officials as Illinois. The Russians stole information about 500,000 voters, including names, addresses, partial Social Security numbers, dates of birth and driver’s license numbers, according to the indictment.
Conspiracy to Commit an Offense Against the United States (by a foreign power)
1. In or around 2016, the Russian Federation operated a military intelligence agency called the Main Intelligence Directorate of the General Staff (GRU). The GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the staged releases of documents stolen through computer intrusions. These units conducted large-scale cyber operations to interfere with the 2016 U.S. presidential election.
2. Defendants VIKTOR BORISOVICH NETYKSHO, BORIS ALEKSEYEVICH ANTONOV, DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV, ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and ALEKSEY ALEKSANDROVICH POTEMKIN were GRU officers who knowingly and intentionally conspired with each other, and with persons known and unknown to the Grand Jury (collectively the "Conspirators"), to gain unauthorized access (to "hack") into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from these computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.
3. Starting in at least March 2016, the Conspirators used a variety of means to hack the email accounts of volunteers and employees of the U.S. presidential campaign of Hillary Clinton (the "Clinton Campaign"), including the email account of the Clinton Campaign's chairman.
4. By in or around April 2016, the Conspirators also hacked into the computer networks of the Democratic Congressional Campaign Committee ("DCCC") and the Democratic National Committee ("DNC"). The Conspirators covertly monitored the computers of dozens of DCCC and DNC employees, implanted hundreds of files containing malicious computer code ("malware"), and stole emails and other documents from the DCCC and DNC.
5. By in or around April 2016, the Conspirators began to plan the release of materials stolen from the Clinton Campaign, DCCC, and DNC.
6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including "DCLeaks" and "Guccifer 2.0."
7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization ("Organization 1") that had previously posted documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators continued their U.S. election-interference operations through in or around November 2016.
8. To hide their connections to Russia and the Russian government, the Conspirators used false identities and made false statements about their identities. To further avoid detection, the Conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using
9. Defendant VIKTOR BORISOVICH NETYKSHO was the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt, Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as the email accounts of individuals affiliated with the Clinton Campaign.
10. Defendant BORIS ALEKSEYEVICH ANTONOV was a Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within Unit 26165 dedicated to targeting military, political, governmental, and non-governmental organizations with spearphishing emails and other computer intrusion activity. ANTONOV held the title "Head of Department." In or around 2016, ANTONOV supervised other co-conspirators who targeted the DCCC, DNC, and individuals affiliated with the Clinton Campaign.
11. Defendant DMITRIY SERGEYEVICH BADIN was a Russian military officer assigned to Unit 26165 who held the title "Assistant Head of Department." In or around 2016, BADIN, along with ANTONOV, supervised other co-conspirators who targeted the DCCC, DNC, and individuals affiliated with the Clinton Campaign.
12. Defendant IVAN SERGEYEVICH YERMAKOV was a Russian military officer assigned to ANTONOV's department within Unit 26165. Since in or around 2010, YERMAKOV used various online personas, including "Kate S. Milton," "James McMorgans," and "Karen W. Millen," to conduct hacking operations on behalf of Unit 26165. In or around March 2016, YERMAKOV participated in hacking at least two email accounts from which campaign-related documents were released through DCLeaks. In or around May 2016, YERMAKOV also participated in hacking the DNC email server and stealing DNC emails that were later released through Organization 1.
13. Defendant ALEKSEY VIKTOROVICH LUKASHEV was a Senior Lieutenant in the Russian military assigned to ANTONOV's department within Unit 26165. LUKASHEV used various online personas, including "Den Katenberg" and "Yuliana Martynova." In or around 2016, LUKASHEV sent spearphishing emails to members of the Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.
14. Defendant SERGEY ALEKSANDROVICH MORGACHEV was a Lieutenant Colonel in the Russian military assigned to Unit 26165. MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing malware, including a hacking tool used by the GRU known as "X-Agent." During the hacking of the DCCC and DNC networks, MORGACHEV supervised the co-conspirators who developed and monitored the X-Agent malware implanted on those computers.
15. Defendant NIKOLAY YURYEVICH KOZACHEK was a Lieutenant Captain in the Russian military assigned to MORGACHEV's department within Unit 26165. KOZACHEK used a variety of monikers, including "kazak" and "blablabla1234565." KOZACHEK developed, customized, and monitored X-Agent malware used to hack the DCCC and DNC networks beginning in or around April 2016.
16. Defendant PAVEL VYACHESLAVOVICH YERSHOV was a Russian military officer assigned to MORGACHEV's department within Unit 26165. In or around 2016, YERSHOV assisted KOZACHEK and other co-conspirators in testing and customizing X-Agent malware before actual deployment and use.
17. Defendant ARTEM ANDREYEVICH MALYSHEV was a Second Lieutenant in the Russian military assigned to MORGACHEV's department within Unit 26165. MALYSHEV used a variety of monikers, including "djangomagicdev" and "realblatr." In or around 2016, MALYSHEV monitored X-Agent malware implanted on the DCCC and DNC networks.
18. Defendant ALEKSANDR VLADIMIROVICH OSADCHUK was a Colonel in the Russian military and the commanding officer of Unit 74455. Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the GRU as the "Tower." Unit 74455 assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU.
19. Defendant ALEKSEY ALEKSANDROVICH POTEMKIN was an officer in the Russian military assigned to Unit 74455. POTEMKIN was a supervisor in a department within Unit 74455 responsible for the administration of computer infrastructure used in cyber operations. Infrastructure and social media accounts administered by POTEMKIN's department were used, among other things, to assist in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas.
Object of the Conspiracy
20. The object of the conspiracy was to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.
Manner and Means of the Conspiracy
21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted victims using a technique known as spearphishing to steal victims' passwords or otherwise gain access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC.
a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators created and sent a spearphishing email to the chairman of the Clinton Campaign. LUKASHEV used the account "john356gh" at an online service that abbreviated website addresses (referred to as a "URL-shortening service"). LUKASHEV used the account to mask a link contained in the spearphishing email, which directed the recipient to a GRU-created website. LUKASHEV altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as "spoofing"), instructing the user to change his password by clicking the embedded link. Those instructions were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and their co-conspirators stole the contents of the chairman's email account, which consisted of over 50,000 emails.
b. Starting on or about March 19, 2016, LUKASHEV and his co-conspirators sent spearphishing emails to the personal accounts of other individuals affiliated with the Clinton Campaign, including its campaign manager and a senior foreign policy adviser. On or about March 25, 2016, LUKASHEV used the same john356gh account to mask additional links included in spearphishing emails sent to numerous individuals affiliated with the Clinton Campaign, including Victims 1 and 2. LUKASHEV sent these emails from the Russia-based email account firstname.lastname@example.org that he spoofed to appear to be from Google.
c. On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and 2 and their association with Clinton on various social media sites. Through their spearphishing operations, LUKASHEV, YERMAKOV, and their co-conspirators successfully stole email credentials and thousands of emails from numerous individuals affiliated with the Clinton Campaign. Many of these stolen emails, including those from Victims 1 and 2, were later released by the Conspirators through DCLeaks.
d. On or about April 6, 2016, the Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. In the spearphishing emails, LUKASHEV and his co-conspirators embedded a link purporting to direct the recipient to a document titled hillary. In fact, this link directed the recipients' computers to a GRU-created website.
22. The Conspirators spearphished individuals affiliated with the Clinton Campaign throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton's personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.
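Paragraphs 21 and 22 describe three lure patterns a mail gateway can check for mechanically: a display name that claims to be Google while the address sits on an unrelated domain, a link hidden behind a URL-shortening service, and a sender address one letter away from a real staffer's. The following triage script is an added example, not code from the indictment, the article, or any vendor; the staff allow-list, the shortener list, every address, domain and message below are constructed for illustration.

```python
"""Spearphishing triage for the lure patterns in paragraphs 21-22.

Added example, not from the indictment or the article. All addresses,
domains and message bodies are constructed; KNOWN_STAFF, SHORTENER_HOSTS
and BRAND_DOMAINS are assumptions a deployment would replace.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_STAFF = {"jane.doe@campaign.example"}                   # assumed allow-list
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
BRAND_DOMAINS = {"google": {"google.com"}}                    # brand -> real domains
URL_RE = re.compile(r'''https?://[^\s<>"')]+''')


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-letter-deviation address scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(addr: str):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def check_display_name_spoof(from_header: str):
    """Display name names a brand but the address is not on that brand's domain."""
    name, addr = parseaddr(from_header)
    _, domain = _split(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in domains
        ):
            return f"display name {name!r} but sender domain is {domain}"
    return None


def check_lookalike_sender(from_header: str, known=KNOWN_STAFF):
    """Sender is one edit from a staff address, or reuses a staff local part elsewhere."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or addr in known:
        return None
    local, domain = _split(addr)
    for staff in sorted(known):
        s_local, s_domain = _split(staff)
        if levenshtein(addr, staff) == 1 or (local == s_local and domain != s_domain):
            return f"sender {addr} looks like staff address {staff}"
    return None


def message_text(msg) -> str:
    """Concatenate the text/plain parts, decoding transfer encoding and charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_shortened_links(text: str):
    return [u for u in URL_RE.findall(text)
            if (urlparse(u).hostname or "").lower() in SHORTENER_HOSTS]


def triage(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no hit."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_header = msg.get("From", "")
    for check in (check_display_name_spoof, check_lookalike_sender):
        hit = check(from_header)
        if hit:
            findings.append(hit)
    for url in check_shortened_links(message_text(msg)):
        findings.append(f"link behind URL shortener: {url}")
    return findings


# Constructed samples: a spoofed "Google" password alert with a shortened link,
# a one-letter-off staff impersonation, and a benign internal message.
SPOOFED_ALERT = """\
From: "Google" <security-noreply@mail.example.net>
To: chairman@campaign.example
Subject: Someone has your password
Content-Type: text/plain; charset=utf-8

Someone just used your password to try to sign in to your account.
You should change your password immediately: https://bit.ly/abc123
"""
LOOKALIKE_STAFF = """\
From: Jane Doe <jane.doee@campaign.example>
To: staffer@campaign.example
Subject: hillary
Content-Type: text/plain; charset=utf-8

Take a look at the spreadsheet: https://docs.example.org/hillary
"""
BENIGN = """\
From: Jane Doe <jane.doe@campaign.example>
To: staffer@campaign.example
Subject: schedule
Content-Type: text/plain; charset=utf-8

Monday's schedule is at https://calendar.campaign.example/monday
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_ALERT), ("lookalike", LOOKALIKE_STAFF), ("benign", BENIGN)):
        print(label, triage(raw))
```

The display-name check only catches a mismatch between the claimed brand and the actual sending domain; it says nothing about whether the domain itself was authorized to send, which is what SPF, DKIM and DMARC evaluation on the gateway adds. The edit-distance check is deliberately narrow (distance exactly 1, or a reused local part at a different domain) to keep false positives down on large staff lists.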
Hacking into the DCCC Network
23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing efforts, researched the DCCC and DNC computer networks to identify technical specifications and vulnerabilities.
a. For example, beginning on or about March 15, 2016, YERMAKOV ran a technical query for the DNC's internet protocol configurations to identify connected devices. On or about the same day, YERMAKOV searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton.
b. On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC's internet protocol configurations to identify connected devices.
24. By in or around April 2016, within days of YERMAKOV's searches regarding the DCCC, the Conspirators hacked into the DCCC computer network. Once they gained access, they installed and managed different types of malware to explore the network and steal data.
a. On or about April 12, 2016, the Conspirators used the stolen credentials of a DCCC employee ("DCCC Employee 1") to access the DCCC network. DCCC Employee 1 had received a spearphishing email from the Conspirators on or about April 6, 2016, and entered her password after clicking on the link.
b. Between in or around April 2016 and June 2016, the Conspirators installed multiple versions of their X-Agent malware on at least ten DCCC computers, which allowed them to monitor individual employees' computer activity, steal passwords, and maintain access to the DCCC network.
c. X-Agent malware implanted on the DCCC network transmitted information from the victims' computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their "AMS" panel. KOZACHEK, MALYSHEV, and their co-conspirators logged into the AMS panel to use X-Agent's keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of the DCCC employees' computer screens.
d. For example, on or about April 14, 2016, the Conspirators repeatedly activated X-Agent's keylog and screenshot functions to surveil DCCC Employee 1's computer activity over the course of eight hours. During that time, the Conspirators captured DCCC Employee 1's communications with co-workers and the passwords she entered while working on fundraising and voter outreach projects. Similarly, on or about April 22, 2016, the Conspirators activated X-Agent's keylog and screenshot functions to capture the discussions of another DCCC employee ("DCCC Employee 2") about the DCCC's finances, as well as her individual banking information and other personal topics.
25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent's ability to connect to this computer. The Conspirators referred to this computer as a "middle server." The middle server acted as a proxy to obscure the connection between malware at the DCCC and the Conspirators' AMS panel. On or about April 20, 2016, the Conspirators directed X-Agent malware on the DCCC computers to connect to this middle server and receive directions from the Conspirators.
Hacking into the DNC Network
26. On or about April 18, 2016, the Conspirators hacked into the DNC's computers through their access to the DCCC network. The Conspirators then installed and managed different types of malware (as they did in the DCCC network) to explore the DNC network and steal documents.
a. On or about April 18, 2016, the Conspirators activated X-Agent's keylog and screenshot functions to steal credentials of a DCCC employee who was authorized to access the DNC network. The Conspirators hacked into the DNC network from the DCCC network using stolen credentials. By in or around June 2016, they gained access to approximately thirty-three DNC computers.
b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC network, including the same versions installed on the DCCC network. MALYSHEV and his co-conspirators monitored the X-Agent malware from the AMS panel and captured data from the victim computers. The AMS panel collected thousands of keylog and screenshot results from the DCCC and DNC computers, such as a screenshot and keystroke capture of DCCC Employee 2 viewing the DCCC's online banking information.
Theft of DCCC and DNC Documents
27. The Conspirators searched for and identified computers within the DCCC and DNC networks that stored information related to the 2016 U.S. presidential election. For example, on or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that included "hillary," "cruz," and "trump." The Conspirators also copied select DNC folders, including "Benghazi Investigations." The Conspirators targeted computers containing information such as opposition research and field operation plans for the 2016 elections.
28. To enable them to steal a large number of documents at once without detection, the Conspirators used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. The Conspirators then used other GRU malware, known as "X-Tunnel," to move the stolen documents outside the DCCC and DNC networks through encrypted channels.
a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.
b. On or about April 28, 2016, the Conspirators connected to and tested the same computer located in Illinois. Later that day, the Conspirators used X-Tunnel to connect to that computer to steal additional documents from the DCCC network.
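Paragraphs 24 through 28 describe two network channels that leave a footprint in flow or proxy logs: implants checking in with the AMS panel through a "middle server" at regular intervals, and X-Tunnel carrying gigabytes of compressed archives to a single leased host. The following detector is an added example, not code from the indictment, the article, or any product the indictment names; the flow records, the addresses (drawn from the documentation ranges), the internal prefix and every threshold are constructed assumptions.

```python
"""Flow-based detection of periodic check-ins and bulk outbound transfers,
the two channels described in paragraphs 24-28.

Added example, not from the indictment or the article. INTERNAL_NETS,
the thresholds and the flow records are constructed assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site prefix
MIN_BEACONS = 6            # assumed: fewer connections is not yet a pattern
MAX_JITTER = 0.15          # assumed: stddev/mean of intervals below this is "regular"
EXFIL_BYTES = 500 * 2**20  # assumed: 500 MiB outbound to one external host


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows):
    """Pairs (src, external dst) whose connection times are evenly spaced."""
    stamps_by_pair = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            stamps_by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < MAX_JITTER:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "period_s": round(mean)})
    return hits


def find_bulk_exfil(flows):
    """Pairs (src, external dst) whose summed outbound bytes cross EXFIL_BYTES."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes_out"]
    return [{"src": s, "dst": d, "bytes_out": b}
            for (s, d), b in totals.items() if b >= EXFIL_BYTES]


def constructed_flows():
    """Constructed sample: one beaconing host, one bulk uploader, plus noise."""
    base = 1_460_600_000
    flows = []
    # Implant on 10.0.1.15 checks in with a relay every 5 minutes, tiny payloads,
    # a few seconds of jitter.
    for i in range(12):
        flows.append({"ts": base + i * 300 + (i % 3) * 4, "src": "10.0.1.15",
                      "dst": "203.0.113.40", "dport": 443, "bytes_out": 900 + i})
    # Same host browsing an unrelated external site at irregular times.
    for t in (50, 410, 470, 1300, 2900, 3100, 5200):
        flows.append({"ts": base + t, "src": "10.0.1.15",
                      "dst": "192.0.2.77", "dport": 443, "bytes_out": 15_000})
    # Large but internal file-server traffic: must not alert.
    flows.append({"ts": base + 100, "src": "10.0.1.22", "dst": "10.0.2.5",
                  "dport": 445, "bytes_out": 3 * 2**30})
    # Three archive uploads from 10.0.1.22 to a single leased external host.
    for i in range(3):
        flows.append({"ts": base + 1000 + i * 900, "src": "10.0.1.22",
                      "dst": "198.51.100.9", "dport": 443, "bytes_out": 1_200 * 2**20})
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print("beacons:", find_beacons(sample))
    print("bulk outbound:", find_bulk_exfil(sample))
```

Both checks key on the destination rather than on the malware, which is the point: the middle server and the Illinois host were ordinary leased machines, so a signature for X-Agent or X-Tunnel would not have been needed to notice a workstation talking to the same external address every five minutes, or a host pushing several gigabytes to one place. Real deployments tune MIN_BEACONS and MAX_JITTER against observed jitter and exclude known update and telemetry endpoints, which also beacon.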
29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.
30. On or about May 30, 2016, MALYSHEV accessed the AMS panel in order to upgrade custom AMS software on the server. That day, the AMS panel received updates from approximately thirteen different X-Agent malware implants on DCCC and DNC computers.
31. During the hacking of the DCCC and DNC networks, the Conspirators covered their tracks by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the Conspirators deleted logs from the AMS panel that documented their activities on the panel, including the login history.
Efforts to Remain on the DCCC and DNC Networks
32. Despite the Conspirators' efforts to hide their activity, beginning in or around May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company ("Company 1") to identify the extent of the intrusions. By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with a GRU-registered domain, remained on the DNC network until in or around October 2016.
33. In response to Company 1's efforts, the Conspirators took countermeasures to maintain access to the DCCC and DNC networks.
a. On or about May 31, 2016, YERMAKOV searched for open-source information about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June 1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC network using the computer program CCleaner.
b. On or about June 14, 2016, the Conspirators registered the domain actblues.com, which mimicked the domain of a political fundraising platform that included a donations page. Shortly thereafter, the Conspirators used stolen credentials to modify the DCCC website and redirect visitors to the actblues.com domain.
c. On or about June 20, 2016, after Company 1 had disabled X-Agent on the DCCC network, the Conspirators spent over seven hours unsuccessfully trying to connect to X-Agent. The Conspirators also tried to access the DCCC network using previously stolen credentials.
34. In or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service. These computers contained test applications related to the DNC's analytics. After conducting reconnaissance, the Conspirators gathered data by creating backups, or "snapshots," of the cloud-based systems using the cloud provider's own technology. The Conspirators then moved the snapshots to cloud-based accounts they had registered with the same service, thereby stealing the data from the DNC.
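The snapshot theft in paragraph 34 needs no malware at all: it is two legitimate provider API calls, create a snapshot and then grant another account permission to use it, so the place to catch it is the provider's own audit log. The detector below is an added example, not code from the indictment or the article. The indictment does not name the provider; the code assumes AWS-style CloudTrail events (CreateSnapshot and ModifySnapshotAttribute), and the account IDs, ARNs, addresses and log lines are constructed.

```python
"""Alert when a snapshot is shared to an account outside the organization,
the pattern described in paragraph 34.

Added example, not from the indictment or the article. Assumes AWS-style
CloudTrail records; OWN_ACCOUNTS, ARNs, IDs and the log lines are constructed.
"""
import json
from datetime import datetime

OWN_ACCOUNTS = {"111111111111", "111111111112"}   # assumed: the organization's accounts


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def shared_snapshot_alerts(event_lines, own_accounts=OWN_ACCOUNTS):
    """Scan JSON-per-line trail events; return one alert per foreign or public share."""
    created = {}   # snapshotId -> CreateSnapshot event, to measure create-to-share time
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if name == "CreateSnapshot":
            sid = (ev.get("responseElements") or {}).get("snapshotId")
            if sid:
                created[sid] = ev
        elif name == "ModifySnapshotAttribute" and params.get("attributeType") == "CREATE_VOLUME_PERMISSION":
            add = (params.get("createVolumePermission") or {}).get("add") or {}
            for item in add.get("items", []):
                target = item.get("userId")
                public = item.get("group") == "all"
                if not public and (target is None or target in own_accounts):
                    continue   # share within the organization: not interesting here
                origin = created.get(params.get("snapshotId"))
                alerts.append({
                    "snapshot_id": params.get("snapshotId"),
                    "shared_to": "public" if public else target,
                    "by": (ev.get("userIdentity") or {}).get("arn"),
                    "source_ip": ev.get("sourceIPAddress"),
                    "seconds_after_create": (
                        int((_ts(ev["eventTime"]) - _ts(origin["eventTime"])).total_seconds())
                        if origin else None),
                })
    return alerts


# Constructed trail: a snapshot created and shared to a foreign account minutes
# later from an external address, a harmless lookup, and a legitimate share to
# a second organization-owned account.
ADMIN = "arn:aws:iam::111111111111:user/analytics-admin"
CONSTRUCTED_TRAIL = [
    json.dumps({"eventTime": "2016-09-20T02:14:11Z", "eventName": "CreateSnapshot",
                "userIdentity": {"arn": ADMIN}, "sourceIPAddress": "203.0.113.40",
                "requestParameters": {"volumeId": "vol-0123"},
                "responseElements": {"snapshotId": "snap-0a1b2c3d"}}),
    json.dumps({"eventTime": "2016-09-20T02:16:02Z", "eventName": "DescribeSnapshots",
                "userIdentity": {"arn": ADMIN}, "sourceIPAddress": "203.0.113.40",
                "requestParameters": {}, "responseElements": None}),
    json.dumps({"eventTime": "2016-09-20T02:21:40Z", "eventName": "ModifySnapshotAttribute",
                "userIdentity": {"arn": ADMIN}, "sourceIPAddress": "203.0.113.40",
                "requestParameters": {"snapshotId": "snap-0a1b2c3d",
                                      "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}},
                "responseElements": {"_return": True}}),
    json.dumps({"eventTime": "2016-09-20T14:05:00Z", "eventName": "ModifySnapshotAttribute",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup"},
                "sourceIPAddress": "10.0.5.12",
                "requestParameters": {"snapshotId": "snap-0ffffff1",
                                      "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "111111111112"}]}}},
                "responseElements": {"_return": True}}),
]

if __name__ == "__main__":
    for alert in shared_snapshot_alerts(CONSTRUCTED_TRAIL):
        print(alert)
```

The create-to-share interval and the source address are carried in the alert because they are what separates this from a backup job: a human-driven theft shares the snapshot minutes after creating it, from wherever the stolen credential is being used. Detection is after the fact; the preventive control is a provider-level policy that forbids sharing snapshots to accounts outside the organization, with this rule kept as the check that the policy is actually in force.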
Stolen Documents Released through DCLeaks
35. More than a month before the release of any documents, the Conspirators constructed the online persona DCLeaks to release and publicize stolen election-related documents. On or about April 19, 2016, after attempting to register the domain electionleaks.com, the Conspirators registered the domain dcleaks.com through a service that anonymized the registrant. The funds used to pay for the dcleaks.com domain originated from an account at an online service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account email@example.com. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.
36. On or about June 8, 2016, the Conspirators launched the public website dcleaks.com, which they used to release stolen emails. Before it shut down in or around March 2017, the site received over one million page views. The Conspirators falsely claimed on the site that DCLeaks was started by a group of "American hacktivists," when in fact it was started by the Conspirators.
37. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election, the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton Campaign. The Conspirators also released documents they had stolen in other spearphishing operations, including those they had conducted in 2015 that collected emails from individuals affiliated with the Republican Party.
38. On or about June 8, 2016, and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name "Alice Donovan." In addition to the DCLeaks Facebook page, the Conspirators used other social media accounts in the names of fictitious U.S. persons such as "Jason Scott" and "Richard Gingrey" to promote the DCLeaks website. The Conspirators accessed these accounts from computers managed by POTEMKIN and his co-conspirators.
39. On or about June 8, 2016, the Conspirators created the Twitter account @dcleaks_. The Conspirators operated the @dcleaks_ Twitter account from the same computer used for other efforts to interfere with the 2016 U.S. presidential election. For example, the Conspirators used the same computer to operate the Twitter account @BaltimoreIsWhr, through which they encouraged U.S. audiences to "join our flash mob" opposing Clinton and to post images with the hashtag #BlacksAgainstHillary.
Stolen Documents Released through Guccifer 2.0
40. On or about June 14, 2016, the DNC, through Company 1, publicly announced that it had been hacked by Russian government actors. In response, the Conspirators created the online persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker to undermine the allegations of Russian responsibility for the intrusion.
41. On or about June 15, 2016, the Conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases, including:
"some hundred sheets"
"some hundreds of sheets"
[a Russian phrase meaning "widely known translation"]
"think twice about"
42. Later that day, at 7:02 PM Moscow Standard Time, the online persona Guccifer 2.0 published its first post on a blog site created through WordPress.