Narrative
III. RUSSIAN HACKING AND DUMPING OPERATIONS
Beginning in March 2016, units of the Russian Federation's Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds of thousands of documents from the compromised email accounts and networks. The GRU later released stolen Clinton Campaign and DNC documents through online personas, "DCLeaks" and "Guccifer 2.0," and later through the organization WikiLeaks. The release of the documents was designed and timed to interfere with the 2016 U.S. presidential election and undermine the Clinton Campaign.
The Trump Campaign showed interest in the WikiLeaks releases and, in the summer and fall of 2016, [REDACTED-HARM TO ONGOING MATTER]. After [REDACTED-HARM TO ONGOING MATTER] WikiLeaks's first Clinton-related release [REDACTED-HARM TO ONGOING MATTER], the Trump Campaign stayed in contact [REDACTED-HARM TO ONGOING MATTER] about WikiLeaks's activities. The investigation was unable to resolve [REDACTED-HARM TO ONGOING MATTER] WikiLeaks's release of the stolen Podesta emails on October 7, 2016, the same day a video from years earlier was published of Trump using graphic language about women.
A. GRU Hacking Directed at the Clinton Campaign
1. GRU Units Target the Clinton Campaign
Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455. Military Unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States. The unit was sub-divided into departments with different specialties. One department, for example, developed specialized malicious software ("malware") while another department conducted large-scale spearphishing campaigns. [REDACTED-INVESTIGATIVE TECHNIQUE] a bitcoin mining operation to secure bitcoins used to purchase computer infrastructure used in hacking operations.
Military Unit 74455 is a related GRU unit with multiple departments that engaged in cyber operations. Unit 74455 assisted in the release of documents stolen by Unit 26165, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU. Officers from Unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.
Beginning in mid-March 2016, Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign:
Unit 26165 used [REDACTED-INVESTIGATIVE TECHNIQUE] to learn about [REDACTED-INVESTIGATIVE TECHNIQUE] different Democratic websites, including democrats.org, hillaryclinton.com, dnc.org, and dccc.org. [REDACTED-INVESTIGATIVE TECHNIQUE] began before the GRU had obtained any credentials or gained access to these networks, indicating that the later DCCC and DNC intrusions were not crimes of opportunity but rather the result of targeting.
GRU officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.
The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign's advance team, informal Clinton Campaign advisors, and a DNC employee. GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.
2. Intrusions into the DCCC and DNC Networks
a. Initial Access
By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.
Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection between the DCCC and DNC networks. Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.
b. Implantation of Malware on DCCC and DNC Networks
Unit 26165 implanted on the DCCC and DNC networks two types of customized malware, known as "X-Agent" and "X-Tunnel"; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems). X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers. GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers.
To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of computers outside those networks to communicate with the implanted malware. The first set of GRU-controlled computers, known by the GRU as "middle servers," sent and received messages to and from malware on the DNC/DCCC networks. The middle servers, in turn, relayed messages to a second set of GRU-controlled computers labeled internally by the GRU as an "AMS Panel." The AMS Panel [REDACTED-INVESTIGATIVE TECHNIQUE] served as a nerve center through which GRU officers monitored and directed the malware's operations on the DNC/DCCC networks.
The AMS Panel used to control X-Agent during the DCCC and DNC intrusions was housed on a leased computer located near [REDACTED-INVESTIGATIVE TECHNIQUE] Arizona. [REDACTED-INVESTIGATIVE TECHNIQUE] [REDACTED-INVESTIGATIVE TECHNIQUE] [REDACTED-INVESTIGATIVE TECHNIQUE]
The Arizona-based AMS Panel also stored thousands of files containing keylogging sessions captured through X-Agent. These sessions were captured as GRU officers monitored DCCC and DNC employees' work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and sensitive personal information.
c. Theft of Documents from DNC and DCCC Networks
Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees.
The GRU began stealing DCCC data shortly after it gained access to the network. On April 14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe onto the DCCC's document server. The following day, the GRU searched one compromised DCCC computer for files containing search terms that included "Hillary," "DNC," "Cruz," and "Trump." On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC's shared file server that pertained to the 2016 election. The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server.
The GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen documents included the DNC's opposition research into candidate Trump. Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server from a GRU-controlled computer leased inside the United States. During these connections, Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016.
B. Dissemination of the Hacked Materials
The GRU's operations extended beyond stealing materials, and included releasing documents stolen from the Clinton Campaign and its supporters. The GRU carried out the anonymous release through two fictitious online personas that it created, DCLeaks and Guccifer 2.0, and later through the organization WikiLeaks.
1. DCLeaks
The GRU began planning the releases at least as early as April 19, 2016, when Unit 26165 registered the domain dcleaks.com through a service that anonymized the registrant. Unit 26165 paid for the registration using a pool of bitcoin that it had mined. The dcleaks.com landing page pointed to different tranches of stolen documents, arranged by victim or subject matter. Other dcleaks.com pages contained indexes of the stolen emails that were being released (bearing the sender, recipient, and date of the email). To control access and the timing of releases, pages were sometimes password-protected for a period of time and later made unrestricted to the public.
Starting in June 2016, the GRU posted stolen documents onto the website dcleaks.com, including documents stolen from a number of individuals associated with the Clinton Campaign. These documents appeared to have originated from personal email accounts (in particular, Google and Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks victims included an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign employee, and four other campaign volunteers. The GRU released through dcleaks.com thousands of documents, including personal identifying and financial information, internal correspondence related to the Clinton Campaign and prior political jobs, and fundraising files and information.
GRU officers operated a Facebook page under the DCLeaks moniker, which they primarily used to promote releases of materials. The Facebook page was administered through a small number of preexisting GRU-controlled Facebook accounts.
GRU officers also used the DCLeaks Facebook account, the Twitter account @dcleaks_, and the email account dcleaksproject@gmail.com to communicate privately with reporters and other U.S. persons. GRU officers using the DCLeaks persona gave certain reporters early access to archives of leaked files by sending them links and passwords to pages on the dcleaks.com website that had not yet become public. For example, on July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook account. Similarly, on September 14, 2016, GRU officers sent reporters Twitter direct messages from @dcleaks_, with a password to another non-public part of the dcleaks.com website.
The DCLeaks.com website remained operational and public until March 2017.
2. Guccifer 2.0
On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC network and suspected theft of DNC documents. In the statements, the cyber-response team alleged that Russian state-sponsored actors (which they referred to as "Fancy Bear") were responsible for the breach. Apparently in response to that announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and managed by Unit 74455 and searched for a number of specific words and phrases in English, including "some hundred sheets," "illuminati," and "worldwide known." Approximately two hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC server hack to a lone Romanian hacker and using several of the unique English words and phrases that the GRU officers had searched for that day.
That same day, June 15, 2016, the GRU also used the Guccifer 2.0 WordPress blog to begin releasing to the public documents stolen from the DNC and DCCC computer networks. The Guccifer 2.0 persona ultimately released thousands of documents stolen from the DNC and DCCC in a series of blog posts between June 15, 2016 and October 18, 2016. Released documents included opposition research performed by the DNC (including a memorandum analyzing potential criticisms of candidate Trump), internal policy documents (such as recommendations on how to address politically sensitive issues), analyses of specific congressional races, and fundraising documents. Releases were organized around thematic issues, such as specific states (e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential election.
Beginning in late June 2016, the GRU also used the Guccifer 2.0 persona to release documents directly to reporters and other interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an email to the news outlet The Smoking Gun offering to provide "exclusive access to some leaked emails linked [to] Hillary Clinton's staff." The GRU later sent the reporter a password and link to a locked portion of the dcleaks.com website that contained an archive of emails stolen by Unit 26165 from a Clinton Campaign volunteer in March 2016. That the Guccifer 2.0 persona provided reporters access to a restricted portion of the DCLeaks website tends to indicate that both personas were operated by the same or a closely-related group of people.
The GRU continued its release efforts through Guccifer 2.0 into August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a candidate for the U.S. Congress documents related to the candidate's opponent. On August 22, 2016, the Guccifer 2.0 persona transferred approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a U.S. blogger covering Florida politics. On August 22, 2016, the Guccifer 2.0 persona sent a U.S. reporter documents stolen from the DCCC pertaining to the Black Lives Matter movement.
The GRU was also in contact through the Guccifer 2.0 persona with [REDACTED-HARM TO ONGOING MATTER] a former Trump campaign member [REDACTED-HARM TO ONGOING MATTER]. In early August 2016, 's suspension of the Guccifer 2.0 Twitter account. After it was reinstated, GRU officers posing as Guccifer 2.0 [REDACTED-HARM TO ONGOING MATTER] via private message, "thank u for writing back... do u find anyt[h]ing interesting in the docs i posted?" On August 17, 2016, the GRU added, "please tell me if i can help u anyhow... it would be a great pleasure to me." On September 9, 2016, the GRU, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked [REDACTED-HARM TO ONGOING MATTER] "what do u think of the info on the turnout model for the democrats entire presidential campaign." responded, "pretty standard." The investigation did not identify evidence of other communications between [REDACTED-HARM TO ONGOING MATTER] and Guccifer 2.0.
3. Use of WikiLeaks
In order to expand its interference in the 2016 U.S. presidential election, the GRU units transferred many of the documents they stole from the DNC and the chairman of the Clinton Campaign to WikiLeaks. GRU officers used both the DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter private messaging and through encrypted channels, including possibly through WikiLeaks's private communication system.
a. WikiLeaks's Expressed Opposition Toward the Clinton Campaign
WikiLeaks, and particularly its founder Julian Assange, privately expressed opposition to candidate Clinton well before the first release of stolen documents. In November 2015, Assange wrote to other members and associates of WikiLeaks that "[w]e believe it would be much better for GOP to win... Dems + Media + liberals woudl [sic] then form a block to reign in their worst qualities.... With Hillary in charge, GOP will be pushing for her worst qualities., dems + media + neoliberals will be mute.... She's a bright, well connected, sadisitic sociopath."
In March 2016, WikiLeaks released a searchable archive of approximately 30,000 Clinton emails that had been obtained through FOIA litigation. While designing the archive, one WikiLeaks member explained the reason for building the archive to another associate:
[W]e want this repository to become "the place" to search for background on hillary's plotting at the state department during 2009-2013.... Firstly because its useful and will annoy Hillary, but secondly because we want to be seen to be a resource/player in the US election, because eit [sic] may en[]courage people to send us even more important leaks.
b. WikiLeaks's First Contact with Guccifer 2.0 and DCLeaks
Shortly after the GRU's first release of stolen documents through dcleaks.com in June 2016, GRU officers also used the DCLeaks persona to contact WikiLeaks about possible coordination in the future release of stolen emails. On June 14, 2016, @dcleaks_ sent a direct message to @WikiLeaks, noting, "You announced your organization was preparing to publish more Hillary's emails. We are ready to support you. We have some sensitive information too, in particular, her financial documents. Let's do it together. What do you think about publishing our info at the same moment? Thank you." [REDACTED-INVESTIGATIVE TECHNIQUE]
Around the same time, WikiLeaks initiated communications with the GRU persona Guccifer 2.0 shortly after it was used to release documents stolen from the DNC. On June 22, 2016, seven days after Guccifer 2.0's first releases of stolen DNC documents, WikiLeaks used 's direct message function to contact the Guccifer 2.0 Twitter account and suggest that Guccifer 2.0 "[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing."
On July 6, 2016, WikiLeaks again contacted Guccifer 2.0 through Twitter's private messaging function, writing, "if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC is approaching and she will solidify bernie supporters behind her after." The Guccifer 2.0 persona responded, "ok... i see." WikiLeaks also explained, "we think trump has only a 25% chance of winning against hillary... so conflict between bernie and hillary is interesting."
c. The GRU's Transfer of Stolen Materials to WikiLeaks
Both the GRU and WikiLeaks sought to hide their communications, which has limited the Office's ability to collect all of the communications between them. Thus, although it is clear that the stolen DNC and Podesta documents were transferred from the GRU to WikiLeaks, [REDACTED-INVESTIGATIVE TECHNIQUE]
The Office was able to identify when the GRU (operating through its personas Guccifer 2.0 and DCLeaks) transferred some of the stolen documents to WikiLeaks through online archives set up by the GRU. Assange had access to the internet from the Ecuadorian Embassy in London, England. [REDACTED-INVESTIGATIVE TECHNIQUE]
On July 14, 2016, GRU officers used a Guccifer 2.0 email account to send WikiLeaks an email bearing the subject "big archive" and the message "a new attempt." The email contained an encrypted attachment with the name "wk dnc link I.txt.gpg." Using the Guccifer 2.0 Twitter account, GRU officers sent WikiLeaks an encrypted file and instructions on how to open it. On July 18, 2016, WikiLeaks confirmed in a direct message to the Guccifer 2.0 account that it had "the 1 Gb or so archive" and would make a release of the stolen documents "this week." On July 22, 2016, WikiLeaks released over 20,000 emails and other documents stolen from the DNC computer networks. The Democratic National Convention began three days later.
Similar communications occurred between WikiLeaks and the GRU-operated persona DCLeaks. On September 15, 2016, @dcleaks wrote to @WikiLeaks, "hi there! I'm from DC Leaks. How could we discuss some submission-related issues? Am trying to reach out to you via your secured chat but getting no response. I've got something that might interest you. You won't be disappointed, I promise." The WikiLeaks account responded, "Hi there," without further elaboration. The @dcleaks_ account did not respond immediately.
The same day, the account @guccifer_2 sent @dcleaks_ a direct message, which is the first known contact between the personas. During subsequent communications, the Guccifer 2.0 persona informed DCLeaks that WikiLeaks was trying to contact DCLeaks and arrange for a way to speak through encrypted emails.
An analysis of the metadata collected from the WikiLeaks site revealed that the stolen Podesta emails show a creation date of September 19, 2016. Based on information about Assange's computer and its possible operating system, this date may be when the GRU staged the stolen Podesta emails for transfer to WikiLeaks (as the GRU had previously done in July 2016 for the DNC emails). The WikiLeaks site also released PDFs and other documents taken from Podesta that were attachments to emails in his account; these documents had a creation date of October 2, 2016, which appears to be the date the attachments were separately staged by WikiLeaks on its site.
Beginning on September 20, 2016, WikiLeaks and DCLeaks resumed communications in a brief exchange. On September 22, 2016, a DCLeaks email account dcleaksproject@gmail.com sent an email to a WikiLeaks account with the subject "Submission" and the message "Hi from DCLeaks." The email contained a PGP-encrypted with the filename "wiki_mail.txt.gpg." [REDACTED-INVESTIGATIVE TECHNIQUE] The email, however, bears a number of similarities to the July 14, 2016 email in which GRU officers used the Guccifer 2.0 persona to give WikiLeaks access to the archive of DNC files. On September 22, 2016 (the same day of DCLeaks' email to WikiLeaks), the Twitter account @dcleaks_ sent a single message to @WikiLeaks with the string of characters [REDACTED-INVESTIGATIVE TECHNIQUE]
The Office cannot rule out that stolen documents were transferred to WikiLeaks through intermediaries who visited during the summer of 2016. For example, public reporting identified Andrew Muller-Maguhn as a WikiLeaks associate who may have assisted with the transfer of these stolen documents to WikiLeaks. [REDACTED-INVESTIGATIVE TECHNIQUE] [REDACTED-INVESTIGATIVE TECHNIQUE]
On October 7, 2016, WikiLeaks released the first emails stolen from the Podesta email account. In total, WikiLeaks released 33 tranches of stolen emails between October 7, 2016 and November 7, 2016. The releases included private speeches given by Clinton; internal communications between Podesta and other high-ranking members of the Clinton Campaign; and correspondence related to the Clinton Foundation. In total, WikiLeaks released over 50,000 documents stolen from Podesta's personal email account. The last-in-time email released from Podesta's account was dated March 21, 2016, two days after Podesta received a spearphishing email sent by the GRU.
d. WikiLeaks Statements Dissembling About the Source of Stolen Materials
As reports attributing the DNC and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made several public statements apparently designed to obscure the source of the materials that WikiLeaks was releasing. The file-transfer evidence described above and other information uncovered during the investigation discredit WikiLeaks's claims about the source of material that it posted.
Beginning in the summer of 2016, Assange and WikiLeaks made a number of statements about Seth Rich, a former DNC staff member who was killed in July 2016. The statements about Rich implied falsely that he had been the source of the stolen DNC emails. On August 9, 2016, the @WikiLeaks Twitter account posted: "ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for information leading to conviction for the murder of DNC staffer Seth Rich." Likewise, on August 25, 2016, Assange was asked in an interview, "Why are you so interested in Seth Rich's killer?" and responded, "We're very interested in anything that might be a threat to alleged Wikileaks sources." The interviewer responded to Assange's statement by , "I know you don't want to reveal your source, but it certainly sounds like you're suggesting a man who leaked information to WikiLeaks was then murdered." Assange replied, "If there's someone who's potentially connected to our publication, and that person has been murdered in suspicious circumstances, it doesn't necessarily mean that the two are connected. But it is a very serious matter... that type of allegation is very serious, as it's taken very seriously by us."
After the U.S. intelligence publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking. According to media reports, Assange told a U.S. congressman that the DNC hack was an "inside job," and purported to have "physical proof" that Russians did not give materials to Assange.
C. Additional GRU Cyber Operations
While releasing the stolen emails and documents through DCLeaks, Guccifer 2.0, and WikiLeaks, GRU officers continued to target and hack victims linked to the Democratic campaign and, eventually, to target entities responsible for election administration in several states.
1. Summer and Fall 2016 Operations Targeting Democrat-Linked Victims
On July 27, 2016, Unit 26165 targeted email accounts connected to candidate Clinton's personal office [REDACTED-PERSONAL PRIVACY]. Earlier that day, candidate Trump made public statements that included the following: "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press." The "30,000 emails" were apparently a reference to emails described in media accounts as having been stored on a personal server that candidate Clinton had used while serving as Secretary of State.
Within approximately five hours of Trump's statement, GRU officers targeted for the first time Clinton's personal office. After candidate Trump's , Unit 26165 created and sent malicious links targeting 15 email accounts at the domain [REDACTED-PERSONAL PRIVACY] including an email account belonging to Clinton aide [REDACTED-PERSONAL PRIVACY]. The investigation did not find evidence of earlier GRU attempts to compromise accounts hosted on this domain. It is unclear how the GRU was able to identify these email accounts, which were not public.
Unit 26165 officers also hacked into a DNC account hosted on a cloud-computing service [REDACTED-PERSONAL PRIVACY]. On September 20, 2016, the GRU began to generate copies of the DNC data using [REDACTED-PERSONAL PRIVACY] function designed to allow users to produce backups of as "snapshots"). The GRU then stole those snapshots by moving them to [REDACTED-PERSONAL PRIVACY] account that they controlled; from there, the copies were moved to GRU-controlled computers. The GRU stole approximately 300 gigabytes of data from the DNC cloud-based account.
2. Intrusions Targeting the Administration of U.S. Elections
In addition to targeting individuals involved in the Clinton Campaign, GRU officers also targeted individuals and entities involved in the administration of the elections. Victims included U.S. state and local entities, such as state boards of elections (SBOEs), secretaries of state, and county governments, as well as individuals who worked for those entities. The GRU also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations. The GRU continued to target these victims through the elections in November 2016. While the investigation identified evidence that the GRU targeted these individuals and entities, the Office did not investigate further. The Office did not, for instance, obtain or examine servers or other relevant items belonging to these victims. The Office understands that the FBI, the U.S. Department of Homeland Security, and the states have separately investigated that activity.
By at least the summer of 2016, GRU officers sought access to state and local computer networks by exploiting known software vulnerabilities on websites of state and local governmental entities. GRU officers, for example, targeted state and local databases of registered voters using a technique known as "SQL injection," by which malicious code was sent to the state or local website in order to run commands (such as exfiltrating the database contents). In one instance in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the SBOE's website. The GRU then gained access to a database containing information on millions of registered Illinois voters, and data related to thousands of U.S. voters before the malicious activity was identified.
GRU officers [REDACTED-INVESTIGATIVE TECHNIQUE] scanned state and local websites for vulnerabilities. For example, over a two-day period in July 2016, GRU officers [REDACTED-INVESTIGATIVE TECHNIQUE] for vulnerabilities on websites of more than two dozen states. [REDACTED-INVESTIGATIVE TECHNIQUE]. [REDACTED-INVESTIGATIVE TECHNIQUE]. Similar [REDACTED-INVESTIGATIVE TECHNIQUE] for vulnerabilities continued through the election.
Unit 74455 also sent spearphishing emails to public officials involved in election administration and personnel at involved in voting technology. In August 2016, GRU officers targeted employees of [REDACTED-PERSONAL PRIVACY], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network. Similarly, in November 2016, the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election. The spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer. The FBI was separately responsible for this investigation. We understand the FBI believes that this operation enabled the GRU to gain access to the network of at least one Florida county government. The Office did not independently verify that belief and, as explained above, did not undertake the investigative steps that would have been necessary to do so.
D. Trump Campaign and the Dissemination of Hacked Materials
The Trump Campaign showed interest in WikiLeaks 's releases of hacked materials through the summer and fall of 2016.[ REDACTED-HARM TO ONGOING MATTER].
1.[ REDACTED-HARM TO ONGOING MATTER]
a. Background
[ REDACTED-HARM TO ONGOING MATTER]
b. Contacts with the Campaign about WikiLeaks
[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. On June 12, 2016, Assange claimed in a televised interview to" have emails relating to Hillary Clinton which are pending publication,'' but provided no additional context. In debriefings with the Office, former deputy campaign chairman Rick Gates said that,[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER] Gates recalled candidate Trump being generally frustrated that the Clinton emails had not been found. Paul Manafort, who would later become campaign chairman,[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].
Michael Cohen, former executive vice president of the Trump Organization and special counsel to Donald J. Trump, told the Office that he recalled an incident in which he was in candidate Trump 's office in Trump Tower[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. Cohen further told the Office that, after WikiLeaks 's subsequent release of stolen emails in July 2016, candidate Trump said to Cohen something to the effect of[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. According to Gates, Manafort expressed excitement about the release[ REDACTED-HARM TO ONGOING MATTER]. Manafort, for his part, told the Office that, shortly after WikiLeaks 's July 22 release, Manafort also spoke with candidate Trump[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. Manafort also[ REDACTED-HARM TO ONGOING MATTER] wanted to be kept apprised of any developments with WikiLeaks and separately told Gates to keep in touch[ REDACTED-HARM TO ONGOING MATTER] about future WikiLeaks releases.
According to Gates, by the late summer of 2016, the Trump Campaign was planning a press strategy, a communications campaign, and messaging based on the possible release of Clinton emails by WikiLeaks.[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER] while Trump and Gates were driving to LaGuardia Airport.[ REDACTED-HARM TO ONGOING MATTER], shortly after the call candidate Trump told Gates that more releases of damaging information would be coming.[ REDACTED-HARM TO ONGOING MATTER].
c.[ REDACTED-HARM TO ONGOING MATTER]
[ REDACTED-HARM TO ONGOING MATTER]. Corsi is an author who holds a doctorate in political science. In 2016, Corsi also worked for the media outlet WorldNetDaily( WND).[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. Corsi told the Office during interview that he" must have'' previously discussed Assange with Malloch.[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].
[ REDACTED-GRAND JURY]. According to Malloch, Corsi asked him to put Corsi in touch with Assange, whom Corsi wished to interview. Malloch recalled that Corsi also suggested that individuals in the" orbit'' of U.K. politician Nigel Farage might be able to contact Assange and asked if Malloch knew them. Malloch told Corsi that he would think about the request but made no actual attempt to connect Corsi with Assange.[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].
Malloch stated to investigators that beginning in or about August 2016, he and Corsi had multiple Face Time discussions about WikiLeaks[ REDACTED-HARM TO ONGOING MATTER] had made a connection to Assange and that the hacked emails of John Podesta would be released prior to Election Day and would be helpful to the Trump Campaign. In one conversation in or around August or September 2016, Corsi told Malloch that the release of the Podesta emails was coming, after which" we'' were going to be in the driver 's seat.[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].
d. WikiLeaks 's October 7, 2016 Release of Stolen Podesta Emails
On October 7, 2016, four days after the Assange press conference,[ REDACTED-HARM TO ONGOING MATTER], the Washington Post published an Access Hollywood video that captured by candidate Trump some years earlier and that was expected to adversely affect the Campaign. Less than an hour after the video 's publication, WikiLeaks released the first set of emails stolen by the GRU from the account of Clinton Campaign chairman John Podesta.[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. Corsi said that, because he had no direct means of communicating with WikiLeaks, he told members of the news site WND-who were participating on a conference call with him that day-to reach Assange immediately. Corsi claimed that the pressure was enormous and recalled telling the conference call the Access Hollywood tape was coming. Corsi stated that he was convinced that his efforts had caused WikiLeaks to release the emails when they did. In a later November 2018 interview, Corsi stated that he thought that he had told people on a WND conference call about the forthcoming tape and had sent out a asking whether anyone could contact Assange, but then said that maybe he had done nothing.
The Office investigated Corsi ' s allegations about the events of October 7, 2016 but found little corroboration for his allegations about the day.[ REDACTED-HARM TO ONGOING MATTER].[ REDACTED-HARM TO ONGOING MATTER]. However, the phone records themselves do not indicate that the conversation was with any of the reporters who broke the Access Hollywood story, and the Office has not otherwise been able to identify the substance of the conversation.[ REDACTED-HARM TO ONGOING MATTER]. However, the Office has not identified any conference call participant, or anyone who spoke to Corsi that day, who says that they received non-public information about the tape from Corsi or acknowledged having contacted a member of WikiLeaks on October 7, 2016 after a conversation with Corsi.
e. Donald Trump Jr. Interaction with WikiLeaks
Donald Trump Jr. had direct electronic communications with WikiLeaks during the campaign period. On September 20, 2016, an individual named Jason Fishbein sent WikiLeaks the password for an unlaunched website focused on Trump 's" unprecedented and dangerous'' ties to Russia, PutinTrump.org. WikiLeaks publicly :'" Let 's bomb Iraq ' Progress for America PAC to launch "PutinTrump.org' at 9:30 am. Oops pw is` putintrump' putintrump.org.'' Several hours later, WikiLeaks sent a Twitter direct message to Donald Trump Jr.," A PAC run anti-Trump site putintrump.org is about to launch. The PAC is a recycled pro-Iraq war PAC. We have guessed the password. It is` putintrump.' See` About' for who is behind it. Any ? ''
Several hours later, Trump Jr. emailed a variety of senior campaign staff:
Guys I got a weird Twitter DM from wikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it. Not sure if this is anything but it seems like it 's really wikileaks asking me as I follow them and it is a DM. Do you know the people mentioned and what the conspiracy they are looking for could be? These are just screen shots but it 's a fully built out page claiming to be a PAC let me know your thoughts and if we want to look into it.
Trump Jr. attached a screenshot of the" About'' page for the unlaunched site PutinTrump.org. The next day( after the website had launched publicly), Trump Jr. sent a direct message to WikiLeaks:" Off the record, I do n't know who that is but I 'll ask around. Thanks.''
On October 3, 2016, WikiLeaks sent another direct message to Trump Jr., asking" you guys'' to help disseminate a link alleging candidate Clinton had advocated using a drone to target Julian Assange. Trump Jr. responded that he already" had done so,'' and asked," what 's behind this Wednesday leak I keep reading about? '' WikiLeaks did not respond.
On October 12, 2016, WikiLeaks wrote again that it was" great to see you and your dad talking about our publications. Strongly suggest your dad this link if he mentions us wlsearch.tk.'' WikiLeaks wrote that the link would help Trump in" digging through'' leaked emails and stated," we just released Podesta emails Part 4.'' Two days later, Trump Jr. publicly the wlsearch.tk link.
2. Other Potential Campaign Interest in Russian Hacked Materials
Throughout 2016, the Trump Campaign expressed interest in Hillary Clinton 's private email server and whether approximately 30,000 emails from that server had in fact been permanently destroyed, as reported by the media. Several individuals associated with the Campaign were contacted in 2016 about various efforts to obtain the missing Clinton emails and other stolen material in support of the Trump Campaign. Some of these contacts were met with skepticism, and nothing came of them; others were pursued to some degree. The investigation did not find evidence that the Trump Campaign recovered any such Clinton emails, or that these contacts were part of a coordinated effort between Russia and the Trump Campaign.
a. Henry Oknyansky( a/k/a Henry Greenberg)
In the spring of 2016, Trump Campaign advisor Michael Caputo learned through a Florida-based Russian business partner that another Florida-based Russian, Henry Oknyansky( who also went by the name Henry Greenberg), claimed to have information pertaining to Hillary Clinton. Caputo notified Roger Stone and brokered communication between Stone and Oknyansky. Oknyansky and Stone set up a May 2016 in-person meeting.
Oknyansky was accompanied to the meeting by Alexei Rasin, a Ukrainian associate involved in Florida real estate. At the meeting, Rasin offered to sell Stone derogatory information on Clinton that Rasin claimed to have obtained while working for Clinton. Rasin claimed to possess financial statements demonstrating Clinton 's involvement in money laundering with Rasin 's companies. According to Oknyansky, Stone asked if the amounts in question totaled millions of dollars but was told it was closer to hundreds of thousands. Stone refused the offer, stating that Trump would not pay for opposition research.
Oknyansky claimed to the Office that Rasin 's motivation was financial. According to Oknyansky, Rasin had tried unsuccessfully to shop the Clinton information around to other interested parties, and Oknyansky would receive a cut if the information was sold. Rasin is noted in public source documents as the director and/or registered agent for a number of Florida companies, none of which appears to be connected to Clinton. The Office found no other evidence that Rasin worked for Clinton or any Clinton-related entities.
In their statements to investigators, Oknyansky and Caputo had contradictory recollections about the meeting. Oknyansky claimed that Caputo accompanied Stone to the meeting and provided an introduction, whereas Caputo did not tell us that he had attended and claimed that he was never told what information Oknyansky offered. Caputo also stated that he was unaware Oknyansky sought to be paid for the information until Stone informed him after the fact.
The Office did not locate Rasin in the United States, although the Office confirmed Rasin had been issued a Florida driver 's license. The Office otherwise was unable to determine the content and origin of the information he purportedly offered to Stone. Finally, the investigation did not identify evidence of a connection between the outreach or the meeting and Russian interference efforts.
b. Campaign Efforts to Obtain Deleted Clinton Emails
After candidate Trump stated on July 27, 2016, that he hoped Russia would" find the 30,000 emails that are missing,'' Trump asked individuals affiliated with his Campaign to find the deleted Clinton emails. Michael Flynn -who would later serve as National Security Advisor in the Trump Administration- recalled that Trump made this request repeatedly, and Flynn subsequently contacted multiple people in an effort to obtain the emails.
Barbara Ledeen and Peter Smith were among the people contacted by Flynn. Ledeen, a long-time Senate staffer who had previously sought the Clinton emails, provided updates to Flynn about her efforts throughout the summer of 2016. Smith, an investment advisor who was active in Republican politics, also attempted to locate and obtain the deleted Clinton emails.
Ledeen began her efforts to obtain the Clinton emails before Flynn 's request, as early as December 2015. On December 3, 2015, she emailed Smith a proposal to obtain the emails, stating," Here is the proposal I briefly mentioned to you. The person I described to you would be happy to talk with you either in person or over the phone. The person can get the emails which 1. Were classified and 2. Were purloined by our enemies. That would demonstrate what needs to be demonstrated.''
Attached to the email was a 25-page proposal stating that the" Clinton email server was, in all likelihood, breached long ago,'' and that the Chinese, Russian, and Iranian intelligence services could" re-assemble the server 's email content.'' The proposal called for a three-phase approach. The first two phases consisted of open-source analysis. The third phase consisted of checking with certain intelligence sources" that have access through liaison work with various foreign services'' to determine if any of those services had gotten to the server. The proposal noted," Even if a single email was recovered and the providence[ sic] of that email was a foreign service, it would be catastrophic to the Clinton campaign[.]'' Smith forwarded the email to two colleagues and wrote," we can discuss to whom it should be referred.'' On December 16, 2015, Smith informed Ledeen that he declined to participate in her" initiative.'' According to one of Smith 's business associates, Smith believed Ledeen 's initiative was not viable at that time.
Just weeks after Trump 's July 2016 request to find the Clinton emails, however, Smith tried to locate and obtain the emails himself. He created a company, raised tens of thousands of dollars, and recruited security experts and business associates. Smith made claims to others involved in the effort( and those from whom he sought funding) that he was in contact with hackers with" ties and affiliations to Russia'' who had access to the emails, and that his efforts were coordinated with the Trump Campaign.
On August 28, 2016, Smith sent an email from an encrypted account with the subject" Sec. Clinton 's unsecured private email server'' to an undisclosed list of recipients, including Campaign co-chairman Sam Clovis. The email stated that Smith was" [j]ust finishing two days of sensitive meetings here in DC with involved groups to poke and probe on the above. It is clear that the Clinton 's home-based, unprotected server was hacked with ease by both State-related players, and private mercenaries. Parties with varying interests, are circling to release ahead of the election.''
On September 2, 2016, Smith directed a business associate to establish KLS Research LLC in furtherance of his search for the deleted Clinton emails. One of the purposes of KLS Research was to manage the funds Smith raised in support of his initiative. KLS Research received over $30,000 during the presidential campaign, although Smith represented that he raised even more money.
Smith recruited multiple people for his initiative, including security experts to search for and authenticate the emails. In early September 2016, as part of his recruitment and fundraising effort, Smith circulated a document stating that his initiative was" in coordination'' with the Trump Campaign," to the extent permitted as an independent expenditure organization.'' The document listed multiple individuals affiliated with the Trump Campaign, including Flynn, Clovis, Bannon, and Kellyanne Conway. The investigation established that Smith communicated with at least Flynn and Clovis about his search for the deleted Clinton emails, but the Office did not identify evidence that any of the listed individuals initiated or directed Smith 's efforts.
In September 2016, Smith and Ledeen got back in touch with each other about their respective efforts. Ledeen wrote to Smith," wondering if you had some more detailed reports or memos or other data you could share because we have come a long way in our efforts since we last visited.... We would need as much technical discussion as possible so we could marry it against the new data we have found and then could share it back to you` your eyes only.'''
Ledeen claimed to have obtained a trove of emails( from what she described as the" dark web'') that purported to be the deleted Clinton emails. Ledeen wanted to authenticate the emails and solicited contributions to fund that effort. Erik Prince provided funding to hire a tech advisor to ascertain the authenticity of the emails. According to Prince, the tech advisor determined that the emails were not authentic.
A backup of Smith 's computer contained two files that had been downloaded from WikiLeaks and that were originally attached to emails received by John Podesta. The files on Smith 's computer had creation dates of October 2, 2016, which was prior to the date of their release by WikiLeaks. Forensic examination, however, established that the creation date did not reflect when the files were downloaded to Smith ' s computer.( It appears the creation date was when WikiLeaks staged the document for release, as discussed in Volume I, Section III.B.3.c, supra.) The investigation did not otherwise identify evidence that Smith obtained the files before their release by WikiLeaks.
Smith continued to send emails to an undisclosed recipient list about Clinton ' s deleted emails until shortly before the election. For example, on October 28, 2016, Smith wrote that there was a" tug-of-war going on within WikiLeaks over its planned releases in the next few days,'' and that WikiLeaks" has maintained that it will save its best revelations for last, under the theory this allows little time for response prior to the U.S. election November 8.'' An attachment to the email claimed that WikiLeaks would release" All 33k deleted Emails'' by" November 1st.'' No emails obtained from Clinton 's server were subsequently released.
Smith drafted multiple emails stating or intimating that he was in contact with Russian hackers. For example, in one such email, Smith claimed that, in August 2016, KLS Research had organized meetings with parties who had access to the deleted Clinton emails, including parties with" ties and affiliations to Russia.'' The investigation did not identify evidence that any such meetings occurred. Associates and security experts who worked with Smith on the initiative did not believe that Smith was in contact with Russian hackers and were aware of no such connection. The investigation did not establish that Smith was in contact with Russian hackers or that Smith, Ledeen, or other individuals in touch with the Trump Campaign ultimately obtained the deleted Clinton emails.
In sum, the investigation established that the GRU hacked into email accounts of persons affiliated with the Clinton Campaign, as well as the computers of the DNC and DCCC. The GRU then exfiltrated data related to the 2016 election from these accounts and computers and disseminated that data through fictitious online personas( DCLeaks and Guccifer 2.0) and later through WikiLeaks. The investigation also established that the Trump Campaign displayed interest in the WikiLeaks releases, and that[ REDACTED-HARM TO ONGOING MATTER]. As explained in Volume I, Section V.B, infra, the evidence was sufficient to support computer intrusion and other charges against GRU officers for their role in election-related hacking.[ REDACTED-HARM TO ONGOING MATTER].