c. Theft of Documents from DNC and DCCC Networks
Officers from Unit 26165 stole thousands of documents from the DCCC and DNC
networks, including significant amounts of data pertaining to the 2016 U.S. federal elections.
Stolen documents included internal strategy documents, fundraising data, opposition research, and
emails from the work inboxes of DNC employees. 130
Most every candidate for office begins and works toward a list of supporters that contribute to their campaign. The idea a sovereign government can hack into a candidate's website and steal information completely compromises that candidate. It is unconscionable. But, I guess being Donald Trump and receiving support from Russia was the reason to ignore the crimes and not speak out to the unfortunate circumstances of his opponents.
See, the Russians were supplying cover to Trump. They would publish Clinton emails when there was bad news to the Trump Campaign. He knew who was pulling the strings. He didn't mind and he knew who obtained those emails and who was sabotaging the Clinton Campaign as often that was necessary. Trump also knew Russians were breaking USA law, but, he never once spoke out in abhorrence to the fact.
The GRU began stealing DCCC data shortly after it gained access to the network. On April
14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe
onto the DCCC's document server. The following day, the GRU searched one compromised
DCCC computer for files containing search terms that included "Hillary," "DNC," "Cruz," and
"Trump." 131 On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents
from folders on the DCCC's shared file server that pertained to the 2016 election.132 The GRU
appears to have compressed and exfiltrated over 70 gigabytes of data from this file server. 133
The theft occurred before the malware was installed.
The GRU also stole documents from the DNC network shortly after gaining access. On
April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen
documents included the DNC' s opposition research into candidate Trump.
134 Between
approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server
from a GRU-controlled computer leased inside the United States.135 During these connections, Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later
released by WikiLeaks in July 2016. 136
I am sure no one else sees it this way, but, I find the entire episode of stealing campaign information really creepy. They stole an enormous number of files and then installed malware to capture use of the compromised website by employees and volunteers. It is just creepy to think about. But, that isn't the worse part. Trump was receiving cover by Russia. It was obvious cover when stolen emails were deployed to end negative news about Trump. In my opinion, when he didn't speak out to end the document release, even if it was not successful in ending the document release; Trump was benefitting from stolen material. His silence indicts him and indebted him to Russia. The services of Russia in stealing invaluable information from the DNC, DCCC and the Clinton Campaign provided them leverage over Trump. He never tried to dilute that leverage. To me, he welcomed it.
130 Netyksho Indictment ,i,i 27-29; Investigative Technique
131 Investigative Technique
132 Investigative Technique
133 Investigative Technique
134 Investigative Technique SM-2589105-HACK-Serial 5 Investigative Technique
135 Investigative Technique See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later received images ofDNC
servers and copies of relevant traffic logs. Netyksho Indictment ,i,i 28-29
I guess the real question is, was Wikileaks picking up clues from Russia to release those emails at strategic times? If Wikileaks was acting autonomously in releasing those emails at strategic times, the question then is why? Assange? Knowing that Clinton would not provide an easy out for Assange in the Ecuadorian embassy.
If Wikileaks was acting autonomously when releasing emails as a strategy, it changes the nature of Wikileaks. It no longer simply publishes information provided, it uses it strategically to an agenda that is unknown to it's readers.
I sincerely believe Russia controlled the emails and their release by Wikileaks by not providing all of them at one time, so much as when the IRA and GRU found it helpful.
136 Netyksho Indictment ,i 29. The last-in-time DNC email released by WikiLeaks was dated May
25, 2016, the same period of time during which the GRU gained access to the DNC's email server.
Netyksho Indictment ,i 45.
B. Dissemination of the Hacked Materials
The GRU's operations extended beyond stealing materials, and included releasing
documents stolen from the Clinton Campaign and its supporters. The GRU carried out the
anonymous release through two fictitious online personas that it created-DCLeaks and Guccifer
2.0-and later through the organization WikiLeaks.
So the Russians didi control the release through two autonomous entities it had created. The GRU, the Russian Federation, was supporting Trump directly by providing cover for negative news about Trump. Wikileaks didn't exert any power over the releases. All the documents did not go to Wikileaks.
1. DCLeaks
The GRU began planning the releases at least as early as April 19, 2016, when Unit 26165
registered the domain dcleaks.com through a service that anonymized the registrant.137 Unit 26165
paid for the registration using a pool of bitcoin that it had mined. 138 The dcleaks.com landing page
pointed to different tranches of stolen documents, arranged by victim or subject matter. Other
dcleaks.com pages contained indexes of the stolen emails that were being released (bearing the
sender, recipient, and date of the email). To control access and the timing of releases, pages were
sometimes password-protected for a period of time and later made unrestricted to the public.
Starting in June 2016, the GRU posted stolen documents onto the website dcleaks.com,
including documents stolen from a number of individuals associated with the Clinton Campaign.
These documents appeared to have originated from personal email accounts (in particular, Google
and Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks victims
included an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign
employee, and four other campaign volunteers. 139 The GRU released through dcleaks.com
thousands of documents, including personal identifying and financial information, internal
correspondence related to the Clinton Campaign and prior political jobs, and fundraising files and
information. 140
In looking at the dates of the crime and then the releases, the GRU studied the documents before they were released. In other words, they did research from the documents before releasing them. That is how they found individuals of interest to publish emails. They weren't content with simply emails from the organizations of the election, they wanted more. Here again if Russia had been undetected as was the GRU's plans, those individuals were compromised. They could be sought after by Russia for it's own purpose.
137 Netyksho Indictment ,i 35. Approximately a week before the registration of dcleaks.com, the
same actors attempted to register the website electionleaks.com using the same domain registration service. Investigative Technique
138 See SM-2589105, serial 181; Netyksho Indictment ,i 2l(a).
139 Investigative Technique
140 See, e.g., Internet Archive, "https://dcleaks.com/" archive date Nov. 10, 2016). Additionally,
DCLeaks released documents relating to Personal Privacy , emails belonging
to_Personal Privacy, and emails from 2015 relating to Republican Party employees (under the portfolio name
"The United States Republican Party"). "The United States Republican Party" portfolio contained
approximately 300 emails from a variety of GOP members, PACs, campaigns, state parties, and businesses
dated between May and October 2015. According to open-source reporting, these victims shared the same Tennessee-based web-hosting company, called Smartech Corporation. William Bastone, RNC E-Mail Was,
In Fact, Hacked By Russians, The Smoking Gun (Dec. 13, 2016).
GRU officers operated a Facebook page under the DCLeaks moniker, which they primarily
used to promote releases of materials. 141 The Facebook page was administered through a small
number of preexisting GRU-controlled Facebook accounts. 142
GRU officers also used the DCLeaks Facebook account, the Twitter account @dcleaks_,
and the email account dcleaksproject@gmail.com to communicate privately with reporters and
· other U.S. persons. GRU officers using the DCLeaks persona gave certain reporters early access
to archives of leaked files by sending them links and passwords to pages on the dcleaks.com
website that had not yet become public. For example, on July 14, 2016, GRU officers operating
under the DCLeaks persona sent a link and password for a non-public DCLeaks webpage to a U.S.
reporter via the Facebook account. 143 Similarly, on September 14, 2016, GRU officers sent
reporters Twitter direct messages from @dcleaks_, with a password to another non-public part of
the dcleaks.com website. 144
The tangled webs they weaved. I am grateful to the FBI for being so very, very thorough in finding the criminal acts of these Russian agents in their official capacity for the Russian Federation. They did not leave a stone unturned. Putin was going to have his way and rule in the USA. So, Vlad, was this information fake news?
The DCLeaks.com website remained operational and public until March 2017
.
2. Guccifer 2.0
On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC
network and suspected theft of DNC documents. In the statements, the cyber-response team
alleged that Russian state-sponsored actors (which they referred to as "Fancy Bear") were
responsible for the breach. 145 Apparently in response to that announcement, on June 15, 2016,
GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up
to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and
managed by Unit 74455 and searched for a number of specific words and phrases in English,
including "some hundred sheets," "illuminati," and "worldwide known." Approximately two
hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC
server hack to a lone Romanian hacker and using several of the unique English words and phrases
that the GRU officers had searched for that day. 146
They were prepared for every occasion. A lone wolf hacker from Russia, but, never Vladimir Putin. Of course not.
July 16, 2018
By Sophie Tatum
Washington - Russian President Vladimir Putin (click here for video) seemed to justify the hacking of Democrats because the information dispersed was true, after denying that Russia had interfered in the US 2016 presidential election.
The US intelligence community has concluded otherwise, and just on Friday the Justice Department announced charges against 12 Russian nationals as part of the special counsel's probe into Russian meddling in the election...
Many in the USA, including the press, did not appreciate the interference by Putin.
141 Netyksho Indictment ,r 38.
142 See, e.g., Facebook Account 100008825623541 (Alice Donovan).
143 7/14/16 Facebook Message, ID 793058100795341 (DC Leaks) to ID Personal Privacy
144 See, e .g. ,
9/14/16 Twitter DM, @dcleaks, to Personal Privacy
9/14/16 Twitter OM,
@dcleaks _ to Personal Privacy. The messages read: "Hi https://t.co/QTvKUjQcOx pass:
KvFsgo/o* 14@gPgu& enjoy;)."
145 Dmitri Alperovitch, Bears in the Midst: Intrusion into the Democratic National Committee,
CrowdStrike Blog (June 14, 2016). CrowdStrike updated its post after the June 15, 2016 post by Guccifer
2.0 claiming responsibility for the intrusion.
146 Netyksho Indictment ,r,r 41-42.
I am going to call it a day. I will start at the paragraph below tomorrow.
That same day, June 15, 2016, the GRU also used the Guccifer 2.0 WordPress blog to begin
releasing to the public documents stolen from the DNC and DCCC computer networks. The
Guccifer 2.0 persona ultimately released thousands of documents stolen from the DNC and DCCC
in a series of blog posts between June 15, 2016 and October 18, 2016. 147 Released documents
included opposition research performed by the DNC (including a memorandum analyzing
potential criticisms of candidate Trump), internal policy documents (such as recommendations on
how to address politically sensitive issues), analyses of specific congressional races, and
fundraising documents. Releases were organized around thematic issues, such as specific states
(e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential
election.