Published by The Lawfare Institute
in Cooperation With
The indictment Friday morning of 12 Russian military intelligence officials in connection with the 2016 election hacks and the resulting distribution of purloined emails was not a total surprise. Observers of the Mueller investigation have been expecting it for a long time, particularly since the Feb. 16 indictment of 13 Russian individuals and three companies over the social media campaign conducted by the so-called Internet Research Agency.
But if the hacking indictment was generally expected, nobody seemed to see it coming this week before today’s announcement of an 11:45 am press conference. Special Counsel Robert Mueller moved with his usual combination of patience and strict operational security, and even though Deputy Attorney General Rod Rosenstein, who oversees the investigation as acting attorney general for the matter, briefed President Trump on the coming action before the Leaker in Chief left town, the matter held until Rosenstein disclosed it at a Justice Department press conference.
Before turning to what the indictment alleges, and what we can learn from it, it’s worth zooming out to an important macro point about the investigation that led to this action: This was the investigation over which the president of the United States fired James Comey as FBI director.
This is the investigation Comey confirmed on March 20, 2017, when he told Congress, “I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government's efforts to interfere in the 2016 presidential election.”
This was also the investigation that multiple congressional committees have spent more than a year seeking to discredit—most recently Thursday, when two House panels hauled the former deputy assistant director of the FBI’s Counterintelligence Division, Peter Strzok, a career FBI agent who worked on the Russia probe, up to Capitol Hill for 10 hours of public, televised, abusive conspiracy theorizing. When the president of the United States derides the Mueller investigation as a “witch hunt,” and when congressional Republicans scream at FBI agents, this is the investigation they are trying to harass out of existence.
It is, therefore, fitting that this indictment comes less than one day after the astonishing display House Republicans put on in the Strzok hearing. If Mueller had been trying to remind the public of what the investigation is really about and what the stakes are in it, if he had been trying to make a public statement in response to the Strzok hearing, he could not have timed this action better.
But, to be clear, Mueller was not trying to make a press statement. We know that not merely because that’s not the way Mueller operates but also because Rosenstein said specifically at his press conference that he had briefed the president on the matter before Trump left town—days before the Strzok hearing yet also mere days before Trump has a scheduled meeting with Russian President Vladimir Putin.
The timing of the indictment given the upcoming Helsinki summit is a powerful show of strength by federal law enforcement. Let’s presume that Mueller did not time this indictment to precede the summit by way of embarrassing Trump on the international stage. It is enough to note that he also did not hold off on the indictment for a few days by way of sparing Trump embarrassment—and that Rosenstein did not force him to. Indeed, Rosenstein said at his press conference that it is “important for the president to know what information was uncovered because he has to make very important decisions for the country” and therefore “he needs to know what evidence there is of foreign election interference.” But of course Rosenstein and Mueller did not just let Trump know. They also let the world know, which has the effect—intended or not—of boxing in the president as he meets with an adversary national leader.
Put less delicately: Rosenstein has informed the president, and the world, before Trump talks to Putin one-on-one that his own Justice Department is prepared to prove beyond a reasonable doubt, in public, using admissible evidence, that the president of the Russian Federation has been lying to Trump about Russian non-involvement in the 2016 election hacking.
What the Indictment Alleges
The indictment alleges a detailed and wide-ranging conspiracy to hack into the computers of the Democratic Congressional Campaign Committee (DCCC), the Democratic National Committee (DNC), Hillary Clinton’s presidential campaign and others and to reveal information in order to interfere with the 2016 U.S. presidential election. The special counsel charges 12 officials of the Russian military intelligence agency (“GRU”) with targeting more than 300 individuals affiliated with the Democratic Party or the campaign and leaking tens of thousands of stolen documents.
Starting in March 2016, the indictment alleges, a unit of Russia’s GRU military intelligence organization began sending emails to dozens of employees and volunteers in the Clinton campaign. The conspirators engaged in “spearphishing,” or sending fraudulent emails with embedded links to GRU-created websites disguised to look like trusted entities, such as Google security notifications, ostensibly asking recipients to change their password but, in reality, tricking the targeted users into revealing their login credentials.
Using these stolen credentials, the hackers logged into the targeted users’ personal and campaign email accounts. Later that month, the hackers began researching the computer networks of the DCCC and DNC to identify technical vulnerabilities and connected devices. In April 2016, the conspirators hacked into the DCCC computer network and installed malware to spy on users and steal information.
According to the indictment, the Russians designed their hacking operation to use an overseas computer to relay communications from their malware via a GRU-leased server in Arizona. By June of 2016, the hackers monitored DCCC employees’ computer activity—logging keystrokes and taking screenshots—on at least 10 different computers and transmitted this information to the Arizona server. The conspirators used their access to the DCCC network to hack into the Democratic National Committee in mid-April 2016. Overall, the hackers accessed about 33 DNC computers by the end of June using stolen credentials. As they had with the DCCC, they used malware to explore the DNC network and steal documents, the indictment claims. As they explored the networks and removed data, the indictment alleges, the Russians deleted computer logs and files to obscure evidence of their activities.
Still, the intrusions did not go unnoticed. In May 2016, both the DCCC and the DNC hired cybersecurity firm CrowdStrike to discern the extent of the invasions, and the following month, the indictment alleges, the company worked to remove the intruders. Even so, according to the indictment, malware remained on the DNC network until October. The Russians also accessed DNC data through a third-party cloud service in September, the indictment says.
On June 8, 2016—one day before the Trump Tower meeting at which Russian actors met with senior Trump campaign officials promising “dirt” on Hillary Clinton—the indictment alleges that the conspirators launched the website DCLeaks.com, which they labeled as being started by “American hacktivists.” That month, according to the indictment, the group began releasing materials it had stolen from individuals tied to the Clinton campaign as well as documents stolen from other operations dating to 2015, including emails from individuals affiliated with the Republican Party. The conspirators used cryptocurrency to pay for the site, the government asserts, and emails connected to the domain name were also used in spearphishing efforts against the Clinton campaign chairman, John Podesta. The group also created Facebook and Twitter accounts to promote the DCLeaks site, according to the indictment.
In mid-June 2016, when the Democrats publicly acknowledged that they had been hacked, the indictment alleges that the conspirators created the online persona Guccifer 2.0, which they described as a “lone Romanian hacker,” to undermine claims of Russian responsibility for the hacks. Interestingly, the Guccifer 2.0 Twitter account followed one of this article’s authors on Twitter that summer.
While that particular fact does not appear in the indictment, the indictment does allege that beginning in August 2016, certain other U.S. persons began interacting with the GRU through the Guccifer 2.0 persona. In mid-August, Guccifer 2.0 allegedly received and responded to a request from a candidate for U.S. Congress for documents stolen from the DCCC related to the candidate’s opponent. Guccifer 2.0 also allegedly sent documents to a reporter regarding the Black Lives Matter movement. The indictment then, in more detail, describes contact between Guccifer 2.0 and “a person who was in regular contact with senior members” of the Trump presidential campaign. These people are not named in the indictment.
To release their stolen data, the conspirators did not stop with DCLeaks and Guccifer 2.0, according to the indictment. It describes extensive interaction between the conspirators and an entity, called “Organization 1,” which the Washington Post and other news outlets have identified as Wikileaks. In late June 2016, Wikileaks allegedly solicited additional stolen information from Guccifer 2.0, saying that its release of the data “will have a much higher impact than what you are doing.” In early July, citing the upcoming Democratic convention, it allegedly messaged Guccifer 2.0 that “if you have anything hillary related we want it in the next tweo [sic] days” and that “we think trump has only a 25% chance of winning against hillary” so stoking conflict between Clinton and her rival Bernie Sanders “is interesting.”
On July 22, 2016, the government asserts, Wikileaks released more than 20,000 emails and documents stolen from the DNC network by the conspirators and “did not disclose Guccifer 2.0’s role in providing them.” The Democratic convention opened days later and was racked by protests from Sanders supporters that led to the resignation of Debbie Wasserman Schultz as DNC chairwoman. The activities continued through the fall: Between Oct. 7 and Nov. 7, 2016, the indictment contends, Wikileaks released approximately 33 tranches of the more than 50,000 documents stolen from John Podesta.
Based on these factual allegations, the indictment includes 11 counts. The first count, citing all of the facts summarized above, charges nine defendants with conspiracy to violate the Computer Fraud and Abuse Act (18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(5)(A), 1030(c)(2)(B), 1030(c)(4)(B), 371 and 3559(g)(1)). The defendants are specifically charged with:
- “knowingly access[ing] a computer without authorization and exceed[ing] authorized access to a computer, and to obtain thereby information from a protected computer, where the value of the information obtained exceeded $5,000”;
- “knowingly caus[ing] the transmission of a program, information, code, and command, and as a result of such conduct … intentionally caus[ing] damage without authorization to a protected computer, and … caus[ing] … loss aggregating $5,000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer, and damage affecting at least ten protected computers during a one-year period”; and
- “knowingly falsely register[ing] a domain name and knowingly us[ing] that domain name in the course of committing an offense.”
Counts two through nine charge 11 defendants with aggravated identity theft in violation of 18 U.S.C. §§ 1028A(a)(1) and (2). The indictment describes the offense as “knowingly transfer[ing], possess[ing], and us[ing], without lawful authority, a means of identification of another person during and in relation to” the commission of computer fraud. There is one count for each of eight victims whose personal, DCCC or DNC email usernames and passwords the defendants allegedly stole between March 21 and July 6, 2016.
The 10th count charges the defendants with conspiracy to launder more than $95,000 in cryptocurrency with the intention of promoting unlawful activity in the United States in violation of 18 U.S.C. § 1956(h). The document outlines efforts the defendants made from roughly 2015 through 2016 to acquire and mine bitcoin for the purpose of funding their hacking activities, including the purchase of computer infrastructure, domain names and key accounts.
The last count charges two of the GRU officers, Aleksandr Vladimirovich Osadchuk and Anatoliy Sergeyevich Kovalev, with conspiracy to violate the Computer Fraud and Abuse Act, in violation of 18 U.S.C. § 371. The object of the conspiracy was to hack into and steal voter information stored on computers used by people and entities administering the 2016 election. The indictment alleges that in July 2016 Kovalev, along with others not named, hacked a state board of elections website and “stole information related to approximately 500,000 voters.” In August 2016, Kovalev and his co-conspirators allegedly used some of the same infrastructure to hack into a vendor that provided voter verification software. After the FBI issued an alert in August 2016 about the hacking of the state election board, Kovalev erased his search history, and he and his co-conspirators erased records from the accounts they used in hacking election boards and related entities, according to the indictment. In October, Kovalev and others targeted state and local election offices in Georgia, Iowa and Florida, seeking to identify their websites’ vulnerabilities. And in November 2016, the conspirators sent more than 100 spearphishing emails to state and local election officials in Florida.
What the Indictment Reveals About the Hacking Operation
This indictment provides a great deal of information about the extent and internal structure of the Russian government side of the 2016 hacking operation. It also confirms private-sector reporting about the DNC hack, the clean-up operation, the phishing of Podesta, and the operation to distribute stolen emails through Wikileaks and on social media.
Additionally, the indictment shows a massive, and successful, counterintelligence operation by the U.S. government against the Russian government. U.S. authorities do not rely merely on technical forensics for the conclusion that the hack and release of emails was a Russian operation; the indictment also lays out the departments within the Russian government that were behind it, specific individuals who were involved, which officers did what and when, the slang terms used internally, and the breakdown of responsibilities within the teams—down to identifying the specific officers with hands on keyboards.
The indictment describes a number of separate events associated with the 2016 operation, but let’s start with the hack of Hillary Clinton’s campaign chairman, Podesta, in March 2016 by GRU officer Aleksey Lukashev. This event had been traced back to the GRU in the fall of 2016. The indictment strongly supports those earlier attributions and adds additional detail—such as the name of the person allegedly at the keyboard.
Based on the public record and the new information in the indictment, here is what we now know happened leading up to the hack and release of John Podesta’s emails.
On March 19, 2016, Podesta received a spearphishing email, ostensibly from Google but actually from the GRU. We knew this even before Friday’s indictment, ironically, because Wikileaks published all of John Podesta’s stolen emails, including the spearphishing email itself. The indictment names GRU officer Aleksey Lukashev as the sender, but the email itself and its public attribution to the GRU are not new. From the phishing email in the Wikileaks archive, we are able to reconstruct what the spearphishing email looked like and the actions taken by Podesta that resulted in his emails dominating headlines in the final few weeks of the 2016 election campaign.
John Podesta spearphishing email (reconstruction)
Although this email was carefully crafted by Russian intelligence officers to look authentic, it did not come from Google; there had been no genuine attempt to log in to Podesta’s email from Ukraine, and the link on “Change Password” led to a website operated by the GRU. The email also used tricks to slip past automated defenses: the text “Someone has your password” was constructed using non-English variants of the letter “o,” so that the phrase would not match the plain-ASCII patterns Google’s spam filters look for, even though it reads identically to a human.
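The homoglyph trick described above is easy to catch once you look for it: a word whose letters come from more than one Unicode script (Latin plus Cyrillic, say) is almost never legitimate in an English-language mail. The following is an added example written for this page, not code from the original article or from any of the investigations it cites. The sample subject line is constructed for illustration and assumes Cyrillic small o (U+043E) was the substitute character; it is not the actual bytes of the 2016 email.

```python
import re
import unicodedata

# Constructed sample modelled on the tactic described above: a Latin-script
# phrase with the letter 'o' swapped for Cyrillic small o (U+043E). This is an
# assumption for illustration, not the real bytes of the Podesta email.
SAMPLE_SUBJECT = "S\u043emeone has your passw\u043erd"
CLEAN_SUBJECT = "Someone has your password"

# Small look-alike table (a subset of what Unicode TR39 lists as confusables);
# only the entries this example needs.
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def script_of(ch):
    """Coarse script family of a letter, derived from its Unicode character name.

    Returns None for non-letters so punctuation and digits never count.
    """
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """Return (word, scripts) for every word whose letters span more than one script.

    A word written entirely in one script never trips this check; the homoglyph
    trick does, because the substituted letters sit inside otherwise-Latin words.
    """
    findings = []
    for word in re.findall(r"\S+", text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            findings.append((word, scripts))
    return findings


def fold_confusables(text):
    """Map known look-alike letters back to ASCII so the text can be compared
    against a plain-ASCII phrase list, which is what a naive filter matches on."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def is_suspicious(text, phrases=("someone has your password",)):
    """True when the text both mixes scripts inside a word and, once folded,
    contains a phrase from a phishing-lure list."""
    folded = fold_confusables(text).lower()
    return bool(mixed_script_words(text)) and any(p in folded for p in phrases)


if __name__ == "__main__":
    for word, scripts in mixed_script_words(SAMPLE_SUBJECT):
        print(f"mixed-script word {word!r}: {sorted(scripts)}")
    print("folded:", fold_confusables(SAMPLE_SUBJECT))
    print("suspicious:", is_suspicious(SAMPLE_SUBJECT))
```

The two checks are deliberately separate: `mixed_script_words` is the cheap, high-precision signal for this particular evasion, while `fold_confusables` restores the ASCII phrase so an existing keyword rule keeps firing. The confusables table here is tiny; a production filter would load the full Unicode confusables data rather than hand-pick entries.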
It was also known before Friday what happened next: Podesta forwarded the email to members of his staff. They wrongly concluded that the email was genuine, and Podesta clicked on the link. We know this because this email chain is among the messages leaked by Wikileaks.
This much we already knew: the “Change Password” button on the phishing email took Podesta to a website controlled by the GRU, but first it bounced through the URL-shortening service Bitly. Unfortunately for the GRU, here the hackers screwed up. The Bitly link reveals a lot of information about the GRU operation, and using this information we can reconstruct what Podesta saw when he clicked the link:
Reconstruction of the John Podesta phishing page
The indictment confirms that although this website was designed to look like a login page for Google, it was, in fact, operated by the Russian government. But the GRU made a mistake that allowed private-sector researchers to tie the phishing of Podesta to the GRU even before Friday’s indictment. When shortening the spearphishing link to send to Podesta using the URL-shortening service Bitly, the GRU officer running the operation was logged in to a Bitly account, and the link history of that account was viewable by anyone who found it. This error allowed private investigators to connect the Podesta phishing email to huge numbers of other phishing emails sent by the GRU. Mueller now adds that the specific officer who was logged in was, in fact, Lukashev, and his account name was “john356gh.”
Although this attribution was previously known, the indictment makes public some previously unknown details. For example, it’s now clear that this phishing campaign wasn’t done merely on behalf of the GRU but was done internally by GRU officers directly. We now know which officers at the GRU were at the keyboard conducting the operation: Lukashev managed the spearphishing infrastructure, and another officer, Ivan Sergeyevich Yermakov, spent time researching the specific targets at the DNC who were sent the emails. All of this gives the lie to Russia’s claim Friday, in response to the indictment, that the charges are “mud-slinging” intended to “spoil the atmosphere” ahead of the Trump-Putin summit.
The indictment also sheds new light on the hack of the DNC and the DCCC. This is the intrusion that cybersecurity firm CrowdStrike was called in to clean up. In June 2016, Guccifer 2.0 claimed that this breach happened by means of a “zero-day vulnerability,” but we now know this is not true. The initial intrusion into the DCCC network took place on April 12, 2016, using the credentials of a DNC employee obtained by spearphishing. Using these stolen credentials, GRU officers Kozachek and Yershov implanted “X-Agent” malware on at least 10 DCCC computers, and using this access, the hackers stole passwords, monitored computer activity and took documents from the DCCC network to distribute later.
This X-Agent malware was also known to the private sector before Friday’s indictment. X-Agent is a malware toolkit of APT28, one of the well-known Russian state hacker groups, and had been previously strongly attributed to the GRU by dozens of cybersecurity firms. Although not specifically mentioned in the indictment, the specific malware recovered from the DCCC network communicated with the same command-and-control infrastructure used by the GRU when APT28 hacked the German Bundestag in 2015.
But the indictment tells us something that wasn’t previously known about the extent of knowledge within the U.S. government of this specific operation. The U.S. was able to determine not merely that X-Agent was GRU malware and that GRU officer Yermakov was the man at the keyboard, but was also able to see the actions Yermakov took as he performed target research against the DCCC and as he researched commands used to operate the malware and steal emails from the DCCC’s internal server.
The indictment also gives some additional details on how the emails got from the GRU to Wikileaks. Although no serious observers previously doubted the connection—Guccifer 2.0’s very first post openly announced that Wikileaks had been given documents—the indictment shows that the mechanism for this was an email from Guccifer 2.0 to Wikileaks carrying a GPG-encrypted attachment titled “wk dnc link1.txt.gpg.”
Finally, the indictment contains new information about the way the GRU paid for infrastructure to support the operation to hack and release documents. According to the indictment, the GRU made payments using the pseudonymous cryptocurrency Bitcoin. It should not be especially surprising that the GRU used Bitcoin—it allows payments to be made without a direct trail leading back to the Russian government—but the GRU officers were careful. Rather than just buying Bitcoin with ordinary currency at an exchange and then trying to obfuscate the trail by passing the coins through multiple wallets before spending them, the GRU also mined its own coins, so that they carried no purchase record from the start, and bought Bitcoin with prepaid cards in order to avoid direct connections between the GRU’s hacking infrastructure and the GRU itself. Bitcoin is pseudonymous, not anonymous, however: every transaction is public on the blockchain, and the U.S. government was still able to trace these transactions back to the GRU.
In sum, the indictment confirms a great deal of reporting that was already public on technically attributing the 2016 hack and release of documents to the GRU. But it also shows a significant and successful U.S. counterintelligence operation that gives insights into the breadth and scope of U.S. attribution capabilities—technical, financial and intelligence-led attribution down to which individuals within the Russian government were behind aspects of the hack, their responsibilities within the organization, their communications and even the specific terms they searched for as they worked.
Identifying the Unknown
The indictment describes a number of interactions between the alleged conspirators, in the persona of Guccifer 2.0, and several unnamed U.S. persons and other entities whose identities the document obscures. Most of these individuals have already been publicly identified. The indictment, for example, mentions a “person in regular contact with senior members” of the Trump campaign, to whom the conspirators wrote on Aug. 15, 2016. As the indictment describes the interaction, Guccifer 2.0 wrote: “thank u for writing back ... do u find anyt[h]ing interesting in the docs i posted?” The indictment continues:
On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow ... it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.”
This person has been identified as Roger Stone—by Stone himself. Stone published the very exchange described in the indictment on his website, StoneColdTruth, in March 2017.
The indictment also briefly mentions an interaction between the conspirators and a reporter to whom they sent documents regarding the Black Lives Matter movement. Lee Stranahan of Breitbart News and Sputnik has publicly disclosed his interaction with Guccifer 2.0 and said Friday on Twitter that he is the journalist mentioned in the document. The special counsel also describes an exchange in which Guccifer 2.0 directly offers stolen emails from “Hillary Clinton’s staff” to a U.S. reporter. The Smoking Gun website has claimed to be this reporter.
The indictment describes a “state lobbyist and online source of political news” as having received 2.5 gigabytes of stolen data from Guccifer 2.0, including donor records and personal identifying information of more than 2,000 Democratic donors. The Wall Street Journal reported in March 2017 that this individual is Florida GOP operative Aaron Nevins. Nevins, who posted under the pen name Mark Miewurd on the website HelloFLA!, later described his interaction with Guccifer 2.0 in an interview with the Sun Sentinel.
There is one major U.S. interlocutor mentioned who remains something of a mystery. According to the indictment, on Aug. 15, 2016, Guccifer 2.0 received a request for stolen documents from a congressional candidate and sent documents to the candidate. While it is not immediately clear who the congressional candidate may have been, the New York Times in December 2016 reported on several Democratic congressional candidates who were victims of leaks of hacked DNC and DCCC information.
In response to the indictment, the White House released a statement saying,
As Deputy Attorney General Rod Rosenstein said today:
- There is no allegation in this indictment that Americans knew that they were corresponding with Russians.
- There is no allegation in this indictment that any American citizen committed a crime.
- There is no allegation that the conspiracy changed the vote count or affected any election result.
Today’s charges include no allegations of knowing involvement by anyone on the campaign and no allegations that the alleged hacking affected the election result. This is consistent with what we have been saying all along.
Leave aside the obvious falsity of the White House’s assertion that the indictment is “consistent” with the president’s prior statements, which have repeatedly questioned Russia’s involvement in election interference. Leave aside also the question of why the White House’s response to an indictment on this subject made no mention, at all, of the unprecedented attack by a foreign adversary on foundational elements of U.S. democracy and instead merely defended the president’s campaign as not having knowingly participated in it.
The statement is largely accurate, as is the Rosenstein statement on which it draws. This indictment does not charge or allege specific criminal misconduct by any American. And it is careful—as was the indictment in February—not to sweep broadly in its claims about people on this side of the Atlantic. That said, the indictment does not in any sense foreclose the possibility of substantial, knowing and even criminal involvement by Americans. And it actually moves the ball forward on possible collusion, which would likely take the legal form of criminal conspiracy, in important respects.
First, while the indictment does not charge any American with specific criminal conduct, it does describe conduct by Americans that, depending on further factual development, raises potentially serious questions. The most striking example of this occurs in paragraph 43(a): “On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a request for stolen documents from a candidate for the U.S. Congress. The Conspirators responded using the Guccifer 2.0 persona and sent the candidate stolen documents related to the candidate’s opponent.”
Soliciting stolen, hacked emails should be politically fatal to an aspiring—or possibly serving—member of Congress, particularly when the thief one petitions turns out to be an adversary foreign intelligence agency. It also raises questions about possible criminal liability for soliciting and receiving stolen information, at least to the extent that the government can prove that one knows the material is stolen. There is no indication that this American was involved with the Trump campaign. So to the extent that “collusion” is shorthand for collusion by individuals related to the Trump campaign, this incident may not meaningfully change the picture. The special counsel indictment announcement in February also named Americans unrelated to the Trump campaign as being dupes of the conspiracy, though those people were more clearly unwitting dupes.
Second, the indictment leaves open the possibility of conduct by Americans not described in this document. While the document does not allege any American who corresponded with these entities knew that they were part of the Russian conspiracy, it also does not say that they did not know or suspect these entities were part of a Russian operation. It leaves that question, about these actors and others, for another day. This document alleges that Americans—including at least one individual who was closely connected to the Trump campaign—had contact with the charged conspirators. Whether they did so with sufficient knowledge or criminal intent, and whether they took the necessary affirmative steps to create legal liability, is simply not addressed in this indictment. It clears no one, and it actually places publicly reported conduct in a more sinister light by clarifying that the individuals in question were, in fact, in contact with Russian conspirators, knowingly or otherwise.
Finally, the factual allegations in this document significantly improve the possibility of criminal conspiracy charges involving Americans. Until this action, there was little indication in the public record that the hacking operation persisted beyond the date the documents were released. While there were questions about whether the Trump campaign participated in some way in coordinating the release of these documents, the presumption based on public evidence was that the hacking scheme—that is, the violation of the Computer Fraud and Abuse Act, which constituted the most obvious criminal offense—was complete. This left a bit of a puzzle for “collusion” purposes. If the crime was completed at the time the hacking and theft were done, what crime could constitute conspiracy? One year ago to the day, Helen Murillo and Susan Hennessey analyzed the possibility of conspiracy to violate the CFAA. At the time, they noted a stumbling block to the analysis even if individuals in the Trump campaign encouraged the release of documents or coordinated timing:
While the precedent isn’t entirely clear on the matter, it is possible prosecutors here would need to prove not just that a member of the Trump team was aware of the CFAA scheme when he or she took steps to support the tortious act or violation of another state or federal law, but also that the Russians had the intention of publishing the emails at the time they obtained the information in the first instance. It isn’t at all clear from the public record that the Russians initially obtained the emails for the purpose of publishing them. Indeed, there is some suspicion the original intrusion was just in furtherance of ordinary espionage and the plan to release the emails came later.
The Internet Research Agency indictment, in February, offered a potential legal solution to that puzzle.
This indictment, by contrast, offers a potential factual breakthrough. It tells us that the prior factual premise was wrong: the alleged conduct violating the CFAA continued to occur throughout the summer of 2016. That affects the earlier analysis in two ways. First, it makes clear that the Russians did intend to release the information at the time the hacking occurred. Second, and perhaps more important, the indictment alleges that the criminal hacking conspiracy was ongoing at the time individuals in the Trump campaign were in contact with charged and uncharged Russian conspirators, raising the possibility of more straightforward aiding and abetting liability.
In other words, stay tuned. This indictment represents a tightening of the ring in the story of criminal prosecution for the 2016 election hacking. The government has now alleged that the social media manipulations by Russian actors constituted a criminal conspiracy. It has alleged as well that the hacking of Democratic Party and Clinton campaign emails were crimes conducted by officers of the Russian state. The question remains: Who, if anyone, helped?