Rod J. Rosenstein, the deputy attorney general, on Friday announced new charges against 12 Russian military intelligence officers accused of hacking the Democratic National Committee, the Clinton presidential campaign and the Democratic Congressional Campaign Committee.
The following are some of the key highlights of the indictment of the Russian agents and what Mr. Rosenstein said at the announcement on Friday.
Key portions of the indictment, annotated.
Analysis by David E. Sanger and Matthew Rosenberg
“4. By in or around April 2016, the conspirators also hacked into the computer networks of the Democratic Congressional Campaign Committee (“D.C.C.C.”) and the Democratic National Committee (“D.N.C.”). The conspirators covertly monitored the computers of dozens of D.C.C.C. and D.N.C. employees, implanted hundreds of files containing malicious computer code (“malware”), and stole emails and other documents from the D.C.C.C. and D.N.C. 5. By in or around April 2016, the conspirators began to plan the release of materials stolen from the Clinton campaign, D.C.C.C. and D.N.C.”
The indictment makes no reference to the previous hack of the D.N.C. by another Russian intelligence agency. That agency appeared to just be spying — it did not publish the committee’s documents, or go into the Clinton campaign itself. Mr. Mueller focused only on efforts to influence the election, not to spy.
“7. The conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”), that had previously posted documents stolen from U.S. persons, entities and the U.S. government. The conspirators continued their U.S. election-interference operations through in or around November 2016.”
“Organization 1” appears to be WikiLeaks. It is not clear why the indictment does not name the organization. And it does not answer the mystery of whether WikiLeaks got the documents directly or through a cutout — a critical question for those examining whether there was any link to the Trump campaign.
“8. To hide their connections to Russia and the Russian government, the conspirators used false identities and made false statements about their identities. To further avoid detection, the conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using cryptocurrency.”
We know that Russian hackers had posed as American citizens, but we did not know until now that they used cryptocurrency to hide their identities. That is a relatively new addition to traditional means of falsifying identities.
“22. The conspirators spearphished individuals affiliated with the Clinton campaign throughout the summer of 2016. For example, on or about July 27, 2016, the conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted 76 email addresses at the domain for the Clinton campaign.”
The Russian hack was announced by CrowdStrike, a cybersecurity firm, in mid-June 2016. This suggests that the revelation did not slow the officers from the G.R.U., Russia’s military intelligence agency; they continued their hacking even though they had been exposed. This is consistent with the group’s behavior when it was caught inside the White House computer systems, where it fought a National Security Agency operation to oust it.
“25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The conspirators referred to this computer as a ‘middle server.’ The middle server acted as a proxy to obscure the connection between malware at the D.C.C.C. and the conspirators’ AMS panel.”
This level of detail clearly indicates that intelligence agencies were inside Russian computers. That might be the N.S.A. — but it could also be the Dutch or the British, who were monitoring Russian activity and providing information secretly to the United States. It raises questions about why the United States did not act more quickly.
“33. In response to Company 1’s efforts, the conspirators took countermeasures to maintain access to the D.C.C.C. and D.N.C. networks.
a. On or about May 31, 2016, YERMAKOV searched for open-source information about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June 1, 2016, the conspirators attempted to delete traces of their presence on the D.C.C.C. network using the computer program CCleaner.”
Company 1 is CrowdStrike. The countermeasures are similar to the G.R.U.’s action when caught in the White House system. It also shows an effort to cover the group’s tracks.
“35. More than a month before the release of any documents, the conspirators constructed the online persona DCLeaks to release and publicize stolen election-related documents. On or about April 19, 2016, after attempting to register the domain electionleaks.com, the conspirators registered the domain dcleaks.com through a service that anonymized the registrant.”
This says what has long been suspected: that the G.R.U. officers directly created DCLeaks.
“41. On or about June 15, 2016, the conspirators logged into a Moscow-based server used and managed by Unit 74455 and, between 4:19 PM and 4:56 PM Moscow Standard Time, searched for certain words and phrases.”
This was a day after the public revelation of the hack. It shows that the United States or one of its allies eventually got into the Russian servers to gather the evidence, or monitored the traffic from those servers.
“58. Although the conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used Bitcoin when purchasing servers, registering domains and otherwise making payments in furtherance of hacking activity. Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars and other vendors both international and domestic. The use of Bitcoin allowed the conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”
The indictment’s details about the Russians’ use of Bitcoin show how cryptocurrencies — and the anonymity they provide — have become both a tool and a challenge for intelligence agencies in the battles between nation states. The Bitcoin network allows anyone to move millions of dollars across the world without any in-person meetings, and without requiring the approval of any financial institution. For spies, that means gone are the days of covertly exchanging suitcases full of cash.
“The conspirators funded the purchase of computer infrastructure for their hacking activity in part by “mining” Bitcoin. Individuals and entities can mine Bitcoin by allowing their computing power to be used to verify and record payments on the Bitcoin public ledger, a service for which they are rewarded with freshly minted Bitcoin. The pool of Bitcoin generated from the G.R.U.’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.”
Spies need to get their money somewhere, and Russia’s intelligence services are not nearly as well bankrolled as their American counterparts. So, in 2016, the Russians came up with a new way to secure money — they created it by mining their own Bitcoins.