The Washington Post

How the Russians hacked the DNC and passed its emails to WikiLeaks

July 13, 2018 at 7:26 p.m. EDT

On a late July day in 2016, Donald Trump, the GOP nominee for president, stood at a lectern in Florida, next to an American flag, and urged a U.S. adversary to become involved in the election campaign and find tens of thousands of emails wiped from the server of his Democratic opponent, Hillary Clinton.

“Russia, if you’re listening,” he said at a news conference at one of his resorts, “I hope you’re able to find the 30,000 emails that are missing.”

That same day, July 27, several Russian government hackers launched an attack against the email accounts of staffers in Clinton’s personal office, according to a sweeping indictment Friday by special counsel Robert S. Mueller III. At or around the same time, the hackers also targeted 76 email addresses used by the Clinton campaign, investigators said.

The remarkable timing of the Russian attempt on Clinton’s servers is just one of the new details revealed in the indictment of 12 Russian military intelligence officers, whom Mueller alleges hacked the email accounts and computers of Democratic officials and organizations in an audacious effort to influence the U.S. election.


Although the broad outlines of the hacking and influence campaign have been widely reported, the indictment describes for the first time the identities, techniques and tactics of the operation to disrupt American democracy.

It includes details on how the Russians, using an encrypted file with instructions, delivered their trove of hacked emails to WikiLeaks, the online anti-secrecy organization led by Julian Assange that became the main platform for displaying the stolen material.


The indictment also reflects an aggressive but somewhat inartful operation in which hackers used the same computer servers to launder money by using the online currency bitcoin as they did to lure their victims and to register sites they used for hacking.

The hackers worked for the spy agency called the Main Intelligence Directorate of the General Staff, or GRU, the indictment said.

They also allegedly targeted a state election board, identified by U.S. officials as Illinois. The Russians stole information about 500,000 voters, including names, addresses, partial Social Security numbers, dates of birth and driver’s license numbers, according to the indictment.

“This is maybe the last major missing piece of Mueller’s mosaic of charges on Russian election interference,” said David Kris, who headed the Justice Department’s national security division during the Obama administration and now leads consulting firm Culper Partners.


Russia’s Foreign Ministry rejected the indictment’s allegations as lacking evidence and described the indictment as a clear effort to derail Monday’s Helsinki summit, where President Trump is to meet Russian President Vladimir Putin.

The new indictments follow earlier charges that Russian operators of social media accounts spread propaganda and false news stories during the 2016 campaign. Absent from Friday’s indictment are any allegations of conspiracy between Russian operatives and Americans, including members of the Trump campaign.

“The single most remarkable thing is that the special counsel names and shames 12 GRU officers, goes into detail of its operation and does this at a moment when we are days away from the Helsinki summit,” said Thomas Rid, a strategic studies professor at Johns Hopkins University who was one of the first researchers in 2016 to identify Guccifer 2.0, an online identity created as part of the GRU operation.

Deputy Attorney General Rod J. Rosenstein said Friday that the indictment’s timing was dictated purely by the determination of prosecutors that the information was sufficient to present to a grand jury.

While Russian hacking, especially for espionage purposes, is decades old, using digital tools to steal data and then release it to embarrass and stoke divisions — weaponizing information — was the innovation, one that U.S. spy agencies did not see coming until too late.

Another Russian spy agency, the SVR, allegedly hacked the network of the Democratic National Committee in 2015. But it was the military units whose alleged interference Mueller singled out, and the SVR is not mentioned in the indictment.

Two GRU teams in particular, Units 26165 and 74455, both located in Moscow, carried out most of the campaign, beginning in early 2016, according to the indictment.

One of Unit 26165’s officers, Senior Lt. Aleksey Lukashev, used various online fake personas, including “Den Katenberg” and “Yuliana Martynova,” to craft “spearphishing” emails to trick Clinton campaign members, including Chairman John Podesta, into clicking on links that enabled the hackers to obtain the victims’ login and password credentials, the indictment said.

Another unit mate, Capt. Nikolay Kozachek, allegedly crafted the X-Agent malware used to hack the Democratic Congressional Campaign Committee and DNC networks in April 2016. Both were among those indicted.

Unit 74455, also known as the Main Center for Special Technology, engineered the release of the stolen documents through a website it created called DCLeaks and the online persona Guccifer 2.0, according to the indictment.

The campaign began as early as March 2016, when Lukashev crafted and sent a spearphish email to Podesta that was designed to look like a security notification from Google, the indictment stated. The spoof email instructed the user to change his password by clicking on a link. Podesta’s assistant, following the instructions of a security technician, dutifully complied, according to people familiar with the incident.

Emails hacked from Podesta’s account would be released on WikiLeaks in a steady stream later that year, ensuring that material embarrassing to Clinton’s campaign would continue on a daily basis to deflect from her message in the weeks leading up to the election.

The GRU allegedly broke into the networks of the DCCC in April 2016 by spearphishing an employee.

The hackers installed keystroke loggers, which let them see what the employees were typing, and took images of employees’ computer screens, according to the indictment.

The DCCC served as the hackers’ gateway to the DNC. Armed with the credentials of a DCCC contractor authorized to gain access to the DNC network, the GRU infiltrated the national committee, eventually gaining access to 33 computers, according to the indictment.

Once inside the DCCC and DNC computers, the hackers searched for keywords related to the 2016 election, prosecutors allege. In mid-April 2016, they searched one DCCC computer for terms including “hillary,” “cruz” and “trump,” the indictment states. The hackers also copied particular DCCC folders, including one labeled “Benghazi Investigations.” And they “targeted” computers that contained information about opposition research and “field operation plans” for the 2016 election.

The hackers used computer network infrastructure that they leased inside the United States, including in Arizona and Illinois, to move files from the targeted computers.

On June 22, the indictment stated, WikiLeaks sent a private message to Guccifer 2.0 asking to have access to the material, saying “it will have a much higher impact” on its site.

The GRU made repeated attempts to transfer the stolen DNC emails to WikiLeaks beginning in late June 2016. On July 14, the Russians sent WikiLeaks an email with an attachment titled “wk dnc link1.txt.gpg.” The attachment contained an encrypted file with instructions on accessing an online archive of hacked DNC documents, the indictment said.

On July 18, WikiLeaks confirmed it had “the 1Gb or so archive” and would release the material “this week,” according to the indictment.

On July 22, three days before the Democratic National Convention opened, WikiLeaks put up the DNC email archive of more than 20,000 emails and other documents hacked by the GRU, the indictment said.

Anton Troianovski in Berlin contributed to this report.