Scroll down to read the indictment
I don’t know what was more sophisticated, the Russian hacks or the U.S. Justice Department’s impressive computer forensics team that was able to break down these hacks in great specificity. As you’ll see from the indictment (below) the hackers employed both malware and “human engineering” to obtain information from the Democratic National Committee and the Democratic Congressional Campaign Committee. This included spearphishing attacks against members of the Clinton campaign, tricking them into turning over their passwords, as well as planting a malware program called X-Agent on DNC and DCCC servers and computers.
The conspirators allegedly laundered money to be used to purchase infrastructure in the U.S. to aid in their hacking and distribution of materials, including hacking into “computers of U.S. persons.” And “they principally used bitcoin when purchasing servers, registering domains and otherwise making payments in furtherance of hacking activities.”
Some key excerpts from the indictment:
Spearphishing & human engineering
- “Co-conspirators targeted victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain access to their computers… The Conspirators targeted over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC. … and sent a spearphishing email to the chairman of the Clinton Campaign. … Altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”).”
- “Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. … Embedded a link purporting to direct the recipient to a document titled “hillaryclinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers to a GRU-created website.”
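The two sender tricks quoted above (a mailbox one letter off from a real colleague’s address, and a From: line dressed up to look like someone else) can be caught at the mail gateway. The following is an added illustration, not code from the indictment or from any party named in it; the allow-list of known addresses and the sample headers are constructed for the demo.

```python
"""Flag inbound From: headers that imitate known senders (added example)."""
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list of legitimate colleague addresses (sample values).
KNOWN_SENDERS = {
    "j.smith@example-campaign.org",
    "a.jones@example-campaign.org",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the iterative DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, known=KNOWN_SENDERS, max_dist: int = 1) -> Optional[str]:
    """Return the known address `sender` imitates, or None.

    An exact match is legitimate.  A near miss within `max_dist` edits is the
    'one-letter deviation' account described in the indictment.
    """
    s = sender.strip().lower()
    if s in known:
        return None
    for k in known:
        if levenshtein(s, k.lower()) <= max_dist:
            return k
    return None


def flag_from_header(header_value: str) -> Optional[str]:
    """Return a human-readable reason if the From: header looks deceptive."""
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    hit = lookalike_of(addr)
    if hit:
        return f"lookalike of known sender {hit}"
    # Display name carrying a different address than the real envelope address
    # is the classic 'make it look like it came from X' spoof.
    if "@" in name and name.strip().lower() != addr:
        return f"display name claims {name.strip()} but address is {addr}"
    return None
```

Hook `flag_from_header` into a milter or a SIEM parser over the raw From: header; distance 1 deliberately ignores legitimate variants, so pair it with a review queue rather than a hard block.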
Malware
- “X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their “AMS” panel. … co-conspirators logged into the AMS panel to use X-Agent’s keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of the DCCC employees’ computer screens.”
- “The Conspirators searched for and identified computers within the DCCC and DNC networks that stored information related to the 2016 U.S. presidential election. For example, on or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that included “hillary,” “cruz,” and “trump.” The Conspirators also copied select DCCC folders, including “Benghazi Investigations.”
Distribution of stolen emails
- “Conspirators launched the public website dcleaks.com, which they used to release stolen emails. Before it shut down in or around March 2017, the site received over one million page views. The Conspirators falsely claimed on the site that DCLeaks was started by a group of “American hacktivists,” when in fact it was started by the Conspirators. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election, the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton Campaign.”
- “On or about July 22, 2016, Organization 1 released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.”
“Russia, if you’re listening…”
- “On or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.”
(Note: this was shortly after Donald Trump said, “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing.”)
Bitcoin
- “The Conspirators funded the purchase of computer infrastructure for their hacking activity in part by “mining” bitcoin. Individuals and entities can mine bitcoin by allowing their computing power to be used to verify and record payments on the bitcoin public ledger, a service for which they are rewarded with freshly-minted bitcoin. The pool of bitcoin generated from the GRU’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.”
- “Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.”
Interaction with US persons
- “On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, received a request for stolen documents from a candidate for the U.S. Congress. The Conspirators responded using the Guccifer 2.0 persona and sent the candidate stolen documents related to the candidate’s opponent.”
- “On or about August 22, 2016, the Conspirators, posing as Guccifer 2.0, transferred approximately 2.5 gigabytes of data stolen from the DCCC to a then-registered state lobbyist and online source of political news. The stolen data included donor records and personal identifying information for more than 2,000 Democratic donors.”
- “The Conspirators, posing as Guccifer 2.0, also communicated with U.S. persons about the release of stolen documents. On or about August 15, 2016, the Conspirators, posing as Guccifer 2.0, wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasure to me.” On or about September 9, 2016, the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded, “[p]retty standard.””