Rod J. Rosenstein, the deputy attorney general, on Friday announced new charges against 12 Russian military intelligence officers accused of hacking the Democratic National Committee, the Clinton presidential campaign and the Democratic Congressional Campaign Committee.
The following are some of the key highlights of the indictment of the Russian agents and what Mr. Rosenstein said at the announcement on Friday.
Key portions of the indictment, annotated.
Analysis by David E. Sanger and Matthew Rosenberg
“4. By in or around April 2016, the conspirators also hacked into the computer networks of the Democratic Congressional Campaign Committee (“D.C.C.C.”) and the Democratic National Committee (“D.N.C.”). The conspirators covertly monitored the computers of dozens of D.C.C.C. and D.N.C. employees, implanted hundreds of files containing malicious computer code (“malware”), and stole emails and other documents from the D.C.C.C. and D.N.C. 5. By in or around April 2016, the conspirators began to plan the release of materials stolen from the Clinton campaign, D.C.C.C. and D.N.C.”
The indictment makes no reference to the previous hack of the D.N.C. by another Russian intelligence agency. That agency appeared to just be spying — it did not publish the committee’s documents, or go into the Clinton campaign itself. Mr. Mueller focused only on efforts to influence the election, not to spy.
“7. The conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”), that had previously posted documents stolen from U.S. persons, entities and the U.S. government. The conspirators continued their U.S. election-interference operations through in or around November 2016.”
“Organization 1” appears to be WikiLeaks. It is not clear why the indictment does not name the organization. And it does not answer the mystery of whether WikiLeaks got the documents directly or through a cutout — a critical question for those examining whether there was any link to the Trump campaign.
“8. To hide their connections to Russia and the Russian government, the conspirators used false identities and made false statements about their identities. To further avoid detection, the conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using cryptocurrency.”
We know that Russian hackers had posed as American citizens, but we did not know until now that they used cryptocurrency to hide their identities. That is a relatively new addition to traditional means of falsifying identities.
“22. The conspirators spearphished individuals affiliated with the Clinton campaign throughout the summer of 2016. For example, on or about July 27, 2016, the conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted 76 email addresses at the domain for the Clinton campaign.”
The Russian hack of the D.N.C. was announced by CrowdStrike, a cybersecurity firm, in mid-June 2016. The late-July dates show that the revelation did not slow the officers from the G.R.U., Russia’s military intelligence agency; they kept spearphishing even though they had been exposed. This is consistent with the group’s behavior when caught inside the White House computer systems, where it fought a National Security Agency operation to oust it.
“25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The conspirators referred to this computer as a ‘middle server.’ The middle server acted as a proxy to obscure the connection between malware at the D.C.C.C. and the conspirators’ AMS panel.”
This level of detail clearly indicates that intelligence agencies were inside Russian computers. That might be the N.S.A. — but it could also be the Dutch or the British, who were monitoring Russian activity and providing information secretly to the United States. It raises questions about why the United States did not act more quickly.
“33. In response to Company 1’s efforts, the conspirators took countermeasures to maintain access to the D.C.C.C. and D.N.C. networks.
a. On or about May 31, 2016, YERMAKOV searched for open-source information about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June 1, 2016, the conspirators attempted to delete traces of their presence on the D.C.C.C. network using the computer program CCleaner.”
Company 1 is CrowdStrike. The countermeasures are similar to the G.R.U.’s action when caught in the White House system. It also shows an effort to cover the group’s tracks.
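One way a defender catches the countermeasure described in paragraph 33 is to watch process-creation telemetry for disk- and log-cleaning utilities launched on hosts after an incident has been declared. The following is an added example written for this page, not code from the indictment, CrowdStrike or the authors; the log format, host names, user names, timestamps, the incident start date and the list of flagged binaries are constructed assumptions.

```python
"""
Added example (not from the article or the indictment): flag cleanup
utilities run on hosts after an incident was declared, the anti-forensics
step the indictment describes (CCleaner run on the D.C.C.C. network on
June 1, 2016). Log format, hosts, users, timestamps and the binary list
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Utilities that erase evidence when run during an incident. Assumed list.
WIPER_BINARIES = {
    "ccleaner.exe", "ccleaner64.exe", "sdelete.exe", "cipher.exe", "wevtutil.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed tab-separated process-creation record."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("\t", 4)
    return ProcessEvent(datetime.fromisoformat(ts), host, user, image, cmdline)


def is_wiper(ev: ProcessEvent) -> bool:
    """True when the event is a destructive use of a cleanup utility."""
    exe = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in WIPER_BINARIES:
        return False
    args = f" {ev.cmdline.lower()} "
    if exe == "cipher.exe":          # legitimate unless wiping free space
        return "/w:" in args
    if exe == "wevtutil.exe":        # legitimate unless clearing a log
        return " cl " in args
    return True                      # CCleaner/SDelete: no benign server use here


def find_antiforensics(lines, incident_start: datetime):
    """Return wiper executions at or after incident_start, oldest first."""
    hits = [ev for ev in map(parse_line, lines)
            if ev.ts >= incident_start and is_wiper(ev)]
    return sorted(hits, key=lambda e: e.ts)


# Constructed telemetry: ts \t host \t user \t image \t command line
SAMPLE_LOG = [
    "2016-05-20T14:00:00+00:00\tWS-IT-02\tdccc\\admin\tC:\\Windows\\System32\\cipher.exe\tcipher /w:D:\\",
    "2016-05-30T09:12:00+00:00\tWS-COMMS-07\tdccc\\ajones\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe notes.txt",
    "2016-06-01T02:14:37+00:00\tSRV-FILE-01\tdccc\\svc_backup\tC:\\Users\\svc_backup\\AppData\\Local\\Temp\\CCleaner64.exe\tCCleaner64.exe /AUTO",
    "2016-06-01T02:20:05+00:00\tSRV-FILE-01\tdccc\\svc_backup\tC:\\Windows\\System32\\wevtutil.exe\twevtutil cl Security",
    "2016-06-02T11:03:00+00:00\tWS-IT-02\tdccc\\admin\tC:\\Windows\\System32\\wevtutil.exe\twevtutil qe Security /c:5",
]

# Assumed date the response team began work (the page gives May 31 only as
# the date of the conspirators' search about Company 1).
INCIDENT_START = datetime(2016, 5, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ev in find_antiforensics(SAMPLE_LOG, INCIDENT_START):
        print(f"{ev.ts.isoformat()} {ev.host} {ev.user}: {ev.cmdline}")
```

The point of the incident-start filter is that cipher.exe and wevtutil.exe have routine administrative uses; the same commands become a signal only once the environment is known to be compromised, which is exactly the window in which the indictment places the CCleaner run.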
“35. More than a month before the release of any documents, the conspirators constructed the online persona DCLeaks to release and publicize stolen election-related documents. On or about April 19, 2016, after attempting to register the domain electionleaks.com, the conspirators registered the domain dcleaks.com through a service that anonymized the registrant.”
This says what has long been suspected: that the G.R.U. officers directly created DCLeaks.
“41. On or about June 15, 2016, the conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases.”
This was a day after the public revelation of the hack. It shows that the United States or one of its allies eventually got into the Russian servers to gather the evidence, or monitored the traffic from those servers.
“58. Although the conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used Bitcoin when purchasing servers, registering domains and otherwise making payments in furtherance of hacking activity. Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars and other vendors both international and domestic. The use of Bitcoin allowed the conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”
The indictment’s details about the Russians’ use of Bitcoin showed how cryptocurrencies — and the anonymity they provide — have become both a tool and a challenge for intelligence agencies in the battles between nation states. The Bitcoin network allows anyone to move millions of dollars across the world without any in-person meetings, and without requiring the approval of any financial institutions. For spies, that means gone are the days of covertly exchanging suitcases full of cash.
“The conspirators funded the purchase of computer infrastructure for their hacking activity in part by “mining” Bitcoin. Individuals and entities can mine Bitcoin by allowing their computing power to be used to verify and record payments on the Bitcoin public ledger, a service for which they are rewarded with freshly minted Bitcoin. The pool of Bitcoin generated from the G.R.U.’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.”
Spies need to get their money somewhere, and Russia’s intelligence services are not nearly as well bankrolled as their American counterparts. So, in 2016, the Russians came up with a new way to secure money — they created it by mining their own Bitcoins.
“Today a grand jury in the District of Columbia returned an indictment presented by the special counsel’s office. The indictment charges 12 Russian military officers by name for conspiring to interfere with the 2016 presidential election. Eleven of the defendants are charged with conspiring to hack into computers, steal documents and release those documents with the intent to interfere in the election.
One of those defendants, and a 12th Russian military officer, are charged with conspiring to infiltrate computers of organizations involved in administering the elections, including state boards of election, secretaries of state, and companies that supply software used to administer elections.”
On the hackers’ strategy.
“According to the allegations in the indictment, the defendants worked for two units of the main intelligence directorate of the Russian general staff known as the G.R.U. The units engaged in active cyber operations to interfere in the 2016 presidential election.
There was one unit that engaged in active cyber operations by stealing information, and a different unit that was responsible for disseminating the stolen information. The defendants used two techniques to steal information. First, they used a scheme known as spearphishing which involves sending misleading email messages and tricking the users into disclosing their passwords and security information.
Secondly, the defendants hacked into computer networks and installed malicious software that allowed them to spy on users and capture keystrokes, take screenshots, and exfiltrate or remove data from those computers.”
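The first technique Mr. Rosenstein lists, and the burst in paragraph 22 of the indictment (76 addresses at one campaign domain targeted at about the same time), suggest what a defender could look for at the mail gateway: one sender pushing links to one host at many distinct mailboxes of one organization within a short window. The example below is added for this page and is not code from the indictment, the Justice Department or the authors; the log format, sender and recipient addresses, link host, time window and threshold are constructed assumptions.

```python
"""
Added example (not from the article or the indictment): detect a
spearphishing wave of the kind the indictment describes, one sender and
one link host reaching many mailboxes at one target domain within a short
window. Log lines, addresses, hosts, window and threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from urllib.parse import urlsplit

# Constructed gateway format: ts from=<sender> to=<recipient> url=<first link>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> url=(?P<url>\S+)$"
)


def parse(line):
    """Return (ts, sender, recipient, link_host) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname or ""
    return (datetime.fromisoformat(m["ts"]), m["sender"].lower(),
            m["rcpt"].lower(), host.lower())


def find_campaigns(lines, window=timedelta(hours=1), min_recipients=5):
    """Group messages by (sender, link host, recipient domain) and report
    groups whose best `window` covers at least min_recipients distinct
    mailboxes, as (sender, link_host, target_domain, count)."""
    groups = defaultdict(list)
    for ev in map(parse, lines):
        if ev is None:
            continue
        ts, sender, rcpt, host = ev
        groups[(sender, host, rcpt.rsplit("@", 1)[-1])].append((ts, rcpt))
    found = []
    for key, evs in groups.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):          # sliding window over time-sorted events
            seen = {r for t, r in evs[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= min_recipients:
            found.append((*key, best))
    return sorted(found, key=lambda row: -row[3])


PHISH = "it-support@accounts-secure-login.example"
LINK = "http://accounts-secure-login.example/reset?u="

# Constructed log: five targeted mailboxes inside 40 minutes, one straggler
# three hours later, and routine vendor mail that must not be flagged.
SAMPLE_LOG = [
    f"2016-07-27T18:02:11+00:00 from=<{PHISH}> to=<a.lee@campaign.example> url={LINK}a.lee",
    f"2016-07-27T18:05:40+00:00 from=<{PHISH}> to=<b.ortiz@campaign.example> url={LINK}b.ortiz",
    f"2016-07-27T18:09:02+00:00 from=<{PHISH}> to=<c.nair@campaign.example> url={LINK}c.nair",
    f"2016-07-27T18:21:55+00:00 from=<{PHISH}> to=<d.kim@campaign.example> url={LINK}d.kim",
    f"2016-07-27T18:40:13+00:00 from=<{PHISH}> to=<e.ross@campaign.example> url={LINK}e.ross",
    f"2016-07-27T21:30:00+00:00 from=<{PHISH}> to=<f.chen@campaign.example> url={LINK}f.chen",
    "2016-07-27T18:10:00+00:00 from=<news@vendor.example> to=<a.lee@campaign.example> url=https://vendor.example/july",
    "2016-07-27T18:11:00+00:00 from=<news@vendor.example> to=<b.ortiz@campaign.example> url=https://vendor.example/july",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for sender, host, domain, n in find_campaigns(SAMPLE_LOG):
        print(f"{n} mailboxes at {domain} hit from {sender} with links to {host}")
```

Grouping on the link host rather than on subject lines is deliberate: personalised lures vary the text per recipient, but the credential-harvesting page they point to is usually shared across the whole wave.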
The Russians used cryptocurrencies to conceal their efforts.
“In addition to releasing documents directly to the public, the defendants transferred stolen documents to another organization that is not identified by name in the indictment and they used that organization as a pass-through to release the documents. They discussed the timing of the release in an attempt to enhance the impact on the election. In an effort to conceal their connections to Russia, the defendants used a network of computers around the world and they paid for it using cryptocurrencies.”
No Americans were charged in the indictment.
“There is no allegation in this indictment that any American citizen committed a crime. There is no allegation that the conspiracy changed the vote count or affected any election result. The special counsel’s investigation is ongoing and there will be no comments on the special counsel at this time.”
Rosenstein subtly jabbed Congress weeks after testifying on Capitol Hill.
“We do not try cases on television or in congressional hearings. Most anonymous leaks are not from the government officials who are actually conducting these investigations. We follow the rule of law, which means that we follow procedures. And we reserve judgment. We complete our investigations and we evaluate all of the relevant evidence before we reach any conclusion.”
Rosenstein stressed focusing on holding criminals accountable, not partisan bickering.
“A partisan warfare fueled by modern technology does not fairly reflect the grace, dignity, and unity of the American people. The blame for election interference belongs to the criminals who committed election interference. We need to work together to hold the perpetrators accountable. And we need to keep moving forward to preserve our values, protect against future interference, and defend America.”