Report On The Investigation Into Russian Interference In The 2016 Presidential Election/Russian Hacking and Dumping Operations


III. Russian Hacking and Dumping Operations

Beginning in March 2016, units of the Russian Federation's Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds of thousands of documents from the compromised email accounts and networks.[1] The GRU later released stolen Clinton Campaign and DNC documents through online personas, "DCLeaks" and "Guccifer 2.0," and later through the organization WikiLeaks. The release of the documents was designed and timed to interfere with the 2016 U.S. presidential election and undermine the Clinton Campaign.

The Trump Campaign showed interest in the WikiLeaks releases and, in the summer and fall of 2016, Harm to Ongoing Matter After HOM WikiLeaks's first Clinton-related release HOM, the Trump Campaign stayed in contact HOM about WikiLeaks's activities. The investigation was unable to resolve Harm to Ongoing Matter WikiLeaks's release of the stolen Podesta emails on October 7, 2016, the same day a video from years earlier was published of Trump using graphic language about women.

A. GRU Hacking Directed at the Clinton Campaign
1. GRU Units Target the Clinton Campaign

Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455.[2] Military Unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States.[3] The unit was sub-divided into departments with different specialties. One department, for example, developed specialized malicious software ("malware"), while another department conducted large-scale spearphishing campaigns.[4] Investigative Technique a bitcoin mining operation to secure bitcoins used to purchase computer infrastructure used in hacking operations.[5]

Military Unit 74455 is a related GRU unit with multiple departments that engaged in cyber operations. Unit 74455 assisted in the release of documents stolen by Unit 26165, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU. Officers from Unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.[6]

Beginning in mid-March 2016, Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign:[7]

  • Unit 26165 used IT to learn about Investigative Technique different Democratic websites, including democrats.org, hillaryclinton.com, dnc.org, and dccc.org. Investigative Technique began before the GRU had obtained any credentials or gained access, indicating that the later DCCC and DNC intrusions were not crimes of opportunity but rather the result of targeting.[8]
  • GRU officers also sent hundreds of spearphishing emails to the work and personal email accounts of Clinton Campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts.[9]

The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton Campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton Campaign's advance team, informal Clinton Campaign advisors, and a DNC employee.[10] GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.

2. Intrusions into the DCCC and DNC Networks
a. Initial Access

By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.[11]

Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection[12] between the DCCC and DNC networks.[13] Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.[14]

b. Implantation of Malware on DCCC and DNC Networks
Unit 26165 implanted on the DCCC and DNC networks two types of customized malware,[15] known as "X-Agent" and "X-Tunnel"; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems).[16] X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers.[17] GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers.

To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of computers outside those networks to communicate with the implanted malware.[18] The first set of GRU-controlled computers, known by the GRU as "middle servers," sent and received messages to and from malware on the DNC/DCCC networks. The middle servers, in turn, relayed messages to a second set of GRU-controlled computers, labeled internally by the GRU as an "AMS Panel." The AMS Panel Investigative Technique   served as a nerve center through which GRU officers monitored and directed the malware's operations on the DNC/DCCC networks.[19]

The AMS Panel used to control X-Agent during the DCCC and DNC intrusions was housed on a leased computer located near IT Arizona.[20] Investigative Technique [21]

Investigative Technique

Investigative Technique

The Arizona-based AMS Panel also stored thousands of files containing keylogging sessions captured through X-Agent. These sessions were captured as GRU officers monitored DCCC and DNC employees' work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and sensitive personal information.

c. Theft of Documents from DNC and DCCC Networks

Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees.[22]

The GRU began stealing DCCC data shortly after it gained access to the network. On April 14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe onto the DCCC's document server. The following day, the GRU searched one compromised DCCC computer for files containing search terms that included "Hillary," "DNC," "Cruz," and "Trump."[23] On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC's shared file server that pertained to the 2016 election.[24] The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server.[25]

The GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen documents included the DNC's opposition research into candidate Trump.[26] Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server from a GRU-controlled computer leased inside the United States.[27] During these connections, Unit 26165 officers appear to have stolen thousands of emails and attachments, which were later released by WikiLeaks in July 2016.[28]

B. Dissemination of the Hacked Materials

The GRU's operations extended beyond stealing materials, and included releasing documents stolen from the Clinton Campaign and its supporters. The GRU carried out the anonymous release through two fictitious online personas that it created—DCLeaks and Guccifer 2.0—and later through the organization WikiLeaks.

1. DCLeaks

The GRU began planning the releases at least as early as April 19, 2016, when Unit 26165 registered the domain dcleaks.com through a service that anonymized the registrant.[29] Unit 26165 paid for the registration using a pool of bitcoin that it had mined.[30] The dcleaks.com landing page pointed to different tranches of stolen documents, arranged by victim or subject matter. Other dcleaks.com pages contained indexes of the stolen emails that were being released (bearing the sender, recipient, and date of the email). To control access and the timing of releases, pages were sometimes password-protected for a period of time and later made unrestricted to the public.

Starting in June 2016, the GRU posted stolen documents onto the website dcleaks.com, including documents stolen from a number of individuals associated with the Clinton Campaign. These documents appeared to have originated from personal email accounts (in particular, Google and Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks victims included an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign employee, and four other campaign volunteers.[31] The GRU released through dcleaks.com thousands of documents, including personal identifying and financial information, internal correspondence related to the Clinton Campaign and prior political jobs, and fundraising files and information.[32]

GRU officers operated a Facebook page under the DCLeaks moniker, which they primarily used to promote releases of materials.[33] The Facebook page was administered through a small number of preexisting GRU-controlled Facebook accounts.[34]

GRU officers also used the DCLeaks Facebook account, the Twitter account @dcleaks_, and the email account dcleaksproject at gmail.com to communicate privately with reporters and other U.S. persons. GRU officers using the DCLeaks persona gave certain reporters early access to archives of leaked files by sending them links and passwords to pages on the dcleaks.com website that had not yet become public. For example, on July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook account.[35] Similarly, on September 14, 2016, GRU officers sent reporters Twitter direct messages from @dcleaks_, with a password to another non-public part of the dcleaks.com website.[36]

The DCLeaks.com website remained operational and public until March 2017.

2. Guccifer 2.0

On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC network and suspected theft of DNC documents. In the statements, the cyber-response team alleged that Russian state-sponsored actors (which they referred to as "Fancy Bear") were responsible for the breach.[37] Apparently in response to that announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and managed by Unit 74455 and searched for a number of specific words and phrases in English, including "some hundred sheets," "illuminati," and "worldwide known." Approximately two hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC server hack to a lone Romanian hacker and using several of the unique English words and phrases that the GRU officers had searched for that day.[38]

That same day, June 15, 2016, the GRU also used the Guccifer 2.0 WordPress blog to begin releasing to the public documents stolen from the DNC and DCCC computer networks. The Guccifer 2.0 persona ultimately released thousands of documents stolen from the DNC and DCCC in a series of blog posts between June 15, 2016 and October 18, 2016.[39] Released documents included opposition research performed by the DNC (including a memorandum analyzing potential criticisms of candidate Trump), internal policy documents (such as recommendations on how to address politically sensitive issues), analyses of specific congressional races, and fundraising documents. Releases were organized around thematic issues, such as specific states (e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential election.

Beginning in late June 2016, the GRU also used the Guccifer 2.0 persona to release documents directly to reporters and other interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an email to the news outlet The Smoking Gun offering to provide "exclusive access to some leaked emails linked [to] Hillary Clinton's staff."[40] The GRU later sent the reporter a password and link to a locked portion of the dcleaks.com website that contained an archive of emails stolen by Unit 26165 from a Clinton Campaign volunteer in March 2016.[41] That the Guccifer 2.0 persona provided reporters access to a restricted portion of the DCLeaks website tends to indicate that both personas were operated by the same or a closely-related group of people.[42]

The GRU continued its release efforts through Guccifer 2.0 into August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a candidate for the U.S. Congress documents related to the candidate's opponent.[43] On August 22, 2016, the Guccifer 2.0 persona transferred approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a U.S. blogger covering Florida politics.[44] On August 22, 2016, the Guccifer 2.0 persona sent a U.S. reporter documents stolen from the DCCC pertaining to the Black Lives Matter movement.[45]

The GRU was also in contact through the Guccifer 2.0 persona with HOM a former Trump Campaign member Harm to Ongoing Matter [46] In early August 2016, HOM Twitter's suspension of the Guccifer 2.0 Twitter account. After it was reinstated, GRU officers posing as Guccifer 2.0 wrote HOM via private message, "thank u for writing back . . . do u find anyt[h]ing interesting in the docs i posted?" On August 17, 2016, the GRU added, "please tell me if i can help u anyhow . . . it would be a great pleasure to me." On September 9, 2016, the GRU—again posing as Guccifer 2.0—referred to a stolen DCCC document posted online and asked HOM "what do u think of the info on the turnout model for the democrats entire presidential campaign." HOM responded, "pretty standard."[47] The investigation did not identify evidence of other communications between HOM and Guccifer 2.0.

3. Use of WikiLeaks

In order to expand its interference in the 2016 U.S. presidential election, the GRU units transferred many of the documents they stole from the DNC and the chairman of the Clinton Campaign to WikiLeaks. GRU officers used both the DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter private messaging and through encrypted channels, including possibly through WikiLeaks's private communication system.

a. WikiLeaks's Expressed Opposition Toward the Clinton Campaign

WikiLeaks, and particularly its founder Julian Assange, privately expressed opposition to candidate Clinton well before the first release of stolen documents. In November 2015, Assange wrote to other members and associates of WikiLeaks that "[w]e believe it would be much better for GOP to win . . . Dems+Media+liberals woudl [sic] then form a block to reign in their worst qualities. . . . With Hillary in own GOP will be pushing for her worst qualities., dems+media+neoliberals will be mute. . . . She's a bright, well connected, sadisitic sociopath."[48]

In March 2016, WikiLeaks released a searchable archive of approximately 30,000 Clinton emails that had been obtained through FOIA litigation.[49] While designing the archive, one WikiLeaks member explained the reason for building the archive to another associate:

[W]e want this repository to become "the place" to search for background on hillary's plotting at the state department during 2009-2013. . . . Firstly because its useful and will annoy Hillary, but secondly because we want to be seen to be a resource/player in the US election, because eit [sic] may en[]courage people to send us even more important leaks.[50]

b. WikiLeaks's First Contact with Guccifer 2.0 and DCLeaks

Shortly after the GRU's first release of stolen documents through dcleaks.com in June 2016, GRU officers also used the DCLeaks persona to contact WikiLeaks about possible coordination in the future release of stolen emails. On June 14, 2016, @dcleaks_ sent a direct message to @WikiLeaks, noting, "You announced your organization was preparing to publish more Hillary's emails. We are ready to support you. We have some sensitive information too, in particular, her financial documents. Let's do it together. What do you think about publishing our info at the same moment? Thank you."[51] Investigative Technique 

Around the same time, WikiLeaks initiated communications with the GRU persona Guccifer 2.0 shortly after it was used to release documents stolen from the DNC. On June 22, 2016, seven days after Guccifer 2.0's first releases of stolen DNC documents, WikiLeaks used Twitter's direct message function to contact the Guccifer 2.0 Twitter account and suggest that Guccifer 2.0 "[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing."[52]

On July 6, 2016, WikiLeaks again contacted Guccifer 2.0 through Twitter's private messaging function, writing, "if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC is approaching and she will solidify bernie supporters behind her after." The Guccifer 2.0 persona responded, "ok . . . i see." WikiLeaks also explained, "we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting."[53]

c. The GRU's Transfer of Stolen Materials to WikiLeaks

Both the GRU and WikiLeaks sought to hide their communications, which has limited the Office's ability to collect all of the communications between them. Thus, although it is clear that the stolen DNC and Podesta documents were transferred from the GRU to WikiLeaks, Investigative Technique 

The Office was able to identify when the GRU (operating through its personas Guccifer 2.0 and DCLeaks) transferred some of the stolen documents to WikiLeaks through online archives set up by the GRU. Assange had access to the internet from the Ecuadorian Embassy in London, England. Investigative Technique [54]

On July 14, 2016, GRU officers used a Guccifer 2.0 email account to send WikiLeaks an email bearing the subject "big archive" and the message "a new attempt."[55] The email contained an encrypted attachment with the name "wk dnc link1.txt.gpg."[56] Using the Guccifer 2.0 Twitter account, GRU officers sent WikiLeaks an encrypted file and instructions on how to open it.[57] On July 18, 2016, WikiLeaks confirmed in a direct message to the Guccifer 2.0 account that it had "the 1Gb or so archive" and would make a release of the stolen documents "this week."[58] On July 22, 2016, WikiLeaks released over 20,000 emails and other documents stolen from the DNC computer networks.[59] The Democratic National Convention began three days later.

Similar communications occurred between WikiLeaks and the GRU-operated persona DCLeaks. On September 15, 2016, @dcleaks wrote to @WikiLeaks, "hi there! I'm from DC Leaks. How could we discuss some submission-related issues? Am trying to reach out to you via your secured chat but getting no response. I've got something that might interest you. You won't be disappointed, I promise."[60] The WikiLeaks account responded, "Hi there," without further elaboration. The @dcleaks_ account did not respond immediately.

The same day, the Twitter account @guccifer_2 sent @dcleaks_ a direct message, which is the first known contact between the personas.[61] During subsequent communications, the Guccifer 2.0 persona informed DCLeaks that WikiLeaks was trying to contact DCLeaks and arrange for a way to speak through encrypted emails.[62]

An analysis of the metadata collected from the WikiLeaks site revealed that the stolen Podesta emails show a creation date of September 19, 2016.[63] Based on information about Assange's computer and its possible operating system, this date may be when the GRU staged the stolen Podesta emails for transfer to WikiLeaks (as the GRU had previously done in July 2016 for the DNC emails).[64] The WikiLeaks site also released PDFs and other documents taken from Podesta that were attachments to emails in his account; these documents had a creation date of October 2, 2016, which appears to be the date the attachments were separately staged by WikiLeaks on its site.[65]

Beginning on September 20, 2016, WikiLeaks and DCLeaks resumed communications in a brief exchange. On September 22, 2016, a DCLeaks email account dcleaksproject@gmail.com sent an email to a WikiLeaks account with the subject "Submission" and the message "Hi from DCLeaks." The email contained a PGP-encrypted message with the filename "wiki_mail.txt.gpg."[66] Investigative Technique  The email, however, bears a number of similarities to the July 14, 2016 email in which GRU officers used the Guccifer 2.0 persona to give WikiLeaks access to the archive of DNC files. On September 22, 2016 (the same day of DCLeaks' email to WikiLeaks), the Twitter account @dcleaks_ sent a single message to @WikiLeaks with the string of characters Investigative Technique 
 
 

The Office cannot rule out that stolen documents were transferred to WikiLeaks through intermediaries who visited during the summer of 2016. For example, public reporting identified Andrew Müller-Maguhn as a WikiLeaks associate who may have assisted with the transfer of these stolen documents to WikiLeaks.[67] Investigative Technique Investigative Technique [68]

On October 7, 2016, WikiLeaks released the first emails stolen from the Podesta email account. In total, WikiLeaks released 33 tranches of stolen emails between October 7, 2016 and November 7, 2016. The releases included private speeches given by Clinton;[69] internal communications between Podesta and other high-ranking members of the Clinton Campaign;[70] and correspondence related to the Clinton Foundation.[71] In total, WikiLeaks released over 50,000 documents stolen from Podesta's personal email account. The last-in-time email released from Podesta's account was dated March 21, 2016, two days after Podesta received a spearphishing email sent by the GRU.

d. WikiLeaks Statements Dissembling About the Source of Stolen Materials

As reports attributing the DNC and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made several public statements apparently designed to obscure the source of the materials that WikiLeaks was releasing. The file-transfer evidence described above and other information uncovered during the investigation discredit WikiLeaks's claims about the source of material that it posted.

Beginning in the summer of 2016, Assange and WikiLeaks made a number of statements about Seth Rich, a former DNC staff member who was killed in July 2016. The statements about Rich implied falsely that he had been the source of the stolen DNC emails. On August 9, 2016, the @WikiLeaks Twitter account posted: "ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for information leading to conviction for the murder of DNC staffer Seth Rich."[72]

Likewise, on August 25, 2016, Assange was asked in an interview, "Why are you so interested in Seth Rich's killer?" and responded, "We're very interested in anything that might be a threat to alleged Wikileaks sources." The interviewer responded to Assange's statement by commenting, "I know you don't want to reveal your source, but it certainly sounds like you're suggesting a man who leaked information to WikiLeaks was then murdered." Assange replied, "If there's someone who's potentially connected to our publication, and that person has been murdered in suspicious circumstances, it doesn't necessarily mean that the two are connected. But it is a very serious matter…that type of allegation is very serious, as it's taken very seriously by us."[73]

After the U.S. intelligence community publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking. According to media reports, Assange told a U.S. congressman that the DNC hack was an "inside job," and purported to have "physical proof" that Russians did not give materials to Assange.[74]

C. Additional GRU Cyber Operations

While releasing the stolen emails and documents through DCLeaks, Guccifer 2.0, and WikiLeaks, GRU officers continued to target and hack victims linked to the Democratic campaign and, eventually, to target entities responsible for election administration in several states.

1. Summer and Fall 2016 Operations Targeting Democrat-Linked Victims

On July 27, 2016, Unit 26165 targeted email accounts connected to candidate Clinton's personal office PP. Earlier that day, candidate Trump made public statements that included the following: "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press."[75] The "30,000 emails" were apparently a reference to emails described in media accounts as having been stored on a personal server that candidate Clinton had used while serving as Secretary of State.

Within approximately five hours of Trump's statement, GRU officers targeted for the first time Clinton's personal office. After candidate Trump's remarks, Unit 26165 created and sent malicious links targeting 15 email accounts at the domain PP including an email account belonging to Clinton aide PP. The investigation did not find evidence of earlier GRU attempts to compromise accounts hosted on this domain. It is unclear how the GRU was able to identify these email accounts, which were not public.[76]

Unit 26165 officers also hacked into a DNC account hosted on a cloud-computing service Personal Privacy. On September 20, 2016, the GRU began to generate copies of the DNC data using PP function designed to allow users to produce backups of databases (referred to PP as "snapshots"). The GRU then stole those snapshots by moving them to PP account that they controlled; from there, the copies were moved to GRU-controlled computers. The GRU stole approximately 300 gigabytes of data from the DNC cloud-based account.[77]
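The snapshot theft described above leaves a recognizable trail in a cloud provider's audit log: a database snapshot is created and then shared with or copied to an account the organization does not own. The following detection logic is an added example and is not part of the report; the event schema, action names, and account names are hypothetical, and the log events are constructed.

```python
"""Flag database snapshots that leave the organization's own cloud accounts."""
from datetime import datetime, timedelta

# Accounts the organization owns (hypothetical names).
TRUSTED_ACCOUNTS = {"acct-prod", "acct-dr"}

# A snapshot sent outside this soon after it was created was likely made to be moved.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed audit events in a hypothetical, provider-neutral schema.
SAMPLE_EVENTS = [
    # Routine nightly backup copied to the disaster-recovery account: benign.
    {"time": "2024-01-10T01:00:00", "actor": "svc-backup",
     "action": "CreateSnapshot", "snapshot": "snap-nightly-01"},
    {"time": "2024-01-10T01:30:00", "actor": "svc-backup",
     "action": "CopySnapshot", "snapshot": "snap-nightly-01",
     "target_account": "acct-dr"},
    # Ad hoc snapshot shared with an unknown account minutes later.
    {"time": "2024-01-10T03:10:00", "actor": "admin-jdoe",
     "action": "CreateSnapshot", "snapshot": "snap-adhoc-07"},
    {"time": "2024-01-10T03:25:00", "actor": "admin-jdoe",
     "action": "ShareSnapshot", "snapshot": "snap-adhoc-07",
     "target_account": "acct-unknown-9"},
    # Older snapshot (created before this log begins) shared with the same account.
    {"time": "2024-01-10T03:40:00", "actor": "admin-jdoe",
     "action": "ShareSnapshot", "snapshot": "snap-old-02",
     "target_account": "acct-unknown-9"},
]

TRANSFER_ACTIONS = {"ShareSnapshot", "CopySnapshot"}


def find_snapshot_exfiltration(events, trusted_accounts, window=CORRELATION_WINDOW):
    """Return one finding per snapshot transfer to an untrusted account.

    Severity is "high" when the snapshot was created inside the correlation
    window before the transfer (create-then-move pattern), otherwise "medium".
    """
    created = {}   # snapshot id -> (creation time, creating actor)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        if ev["action"] == "CreateSnapshot":
            created[ev["snapshot"]] = (ts, ev["actor"])
            continue
        if ev["action"] not in TRANSFER_ACTIONS:
            continue
        target = ev.get("target_account")
        if target is None or target in trusted_accounts:
            continue   # transfer stays inside the organization
        origin = created.get(ev["snapshot"])
        recent = origin is not None and ts - origin[0] <= window
        findings.append({
            "time": ev["time"],
            "snapshot": ev["snapshot"],
            "actor": ev["actor"],
            "target_account": target,
            "created_by": origin[1] if origin else None,
            "severity": "high" if recent else "medium",
        })
    return findings


def accounts_receiving_data(findings):
    """Summarize which outside accounts received snapshots, and how many."""
    counts = {}
    for f in findings:
        counts[f["target_account"]] = counts.get(f["target_account"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_snapshot_exfiltration(SAMPLE_EVENTS, TRUSTED_ACCOUNTS)
    for finding in results:
        print(finding)
    print(accounts_receiving_data(results))
```

A preventive control complements the detection: restrict the permission to share or copy snapshots across accounts to a small set of roles, so that a stolen administrator credential alone is not enough to move a backup out.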

2. Intrusions Targeting the Administration of U.S. Elections

In addition to targeting individuals involved in the Clinton Campaign, GRU officers also targeted individuals and entities involved in the administration of the elections. Victims included U.S. state and local entities, such as state boards of elections (SBOEs), secretaries of state, and county governments, as well as individuals who worked for those entities.[78] The GRU also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and election polling stations.[79] The GRU continued to target these victims through the elections in November 2016. While the investigation identified evidence that the GRU targeted these individuals and entities, the Office did not investigate further. The Office did not, for instance, obtain or examine servers or other relevant items belonging to these victims. The Office understands that the FBI, the U.S. Department of Homeland Security, and the states have separately investigated that activity.

By at least the summer of 2016, GRU officers sought access to state and local computer networks by exploiting known software vulnerabilities on websites of state and local governmental entities. GRU officers, for example, targeted state and local databases of registered voters using a technique known as "SQL injection," by which malicious code was sent to the state or local website in order to run commands (such as exfiltrating the database contents).[80] In one instance in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the SBOE's website. The GRU then gained access to a database containing information on millions of registered Illinois voters,[81] and extracted data related to thousands of U.S. voters before the malicious activity was identified.[82]

GRU officers Investigative Technique scanned state and local websites for vulnerabilities. For example, over a two-day period in July 2016, GRU officers Investigative Technique for vulnerabilities on websites of more than two dozen states. Investigative Technique Investigative Technique

Similar IT for vulnerabilities continued through the election.

Unit 74455 also sent spearphishing emails to public officials involved in election administration and personnel at companies involved in voting technology. In August 2016, GRU officers targeted employees of PP, a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network. Similarly, in November 2016, the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election.[83] The spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.[84] The FBI was separately responsible for this investigation. We understand the FBI believes that this operation enabled the GRU to gain access to the network of at least one Florida county government. The Office did not independently verify that belief and, as explained above, did not undertake the investigative steps that would have been necessary to do so.

D. Trump Campaign and the Dissemination of Hacked Materials

The Trump Campaign showed interest in WikiLeaks releases of hacked materials throughout the summer and fall of 2016. Harm to Ongoing Matter

1. HOM
a. Background

Harm to Ongoing Matter

b. Contacts with the Campaign about WikiLeaks

Harm to Ongoing Matter 
 [85]
Harm to Ongoing Matter 
 
  On June 12, 2016, Assange claimed in a televised interview to "have emails relating to Hillary Clinton which are pending publication,"[86] but provided no additional context.

In debriefings with the Office, former deputy campaign chairman Rick Gates said that Harm to Ongoing Matter 
 [87]
Harm to Ongoing Matter 
    Gates recalled candidate Trump being generally frustrated that the Clinton emails had not been found.[88]

Paul Manafort, who would later become campaign chairman, Harm to Ongoing Matter ,[89] Harm to Ongoing Matter 
 [90]

Michael Cohen, former executive vice president of the Trump Organization and special counsel to Donald J. Trump,[91] told the Office that he recalled an incident in which he was in candidate Trump's office in Trump Tower Harm to Ongoing Matter 
 [92]

Harm to Ongoing Matter 
     [93] Cohen further told the Office that, after WikiLeaks's subsequent release of stolen DNC emails in July 2016, candidate Trump said to Cohen something to the effect of, HOM [94]

Harm to Ongoing Matter  According to Gates, Manafort expressed excitement about the release HOM [95] Manafort, for his part, told the Office that, shortly after WikiLeaks's July 22 release, Manafort also spoke with candidate Trump Harm to Ongoing Matter 
 [96] Harm to Ongoing Matter [97] Manafort also HOM  wanted to be kept apprised of any developments with WikiLeaks and separately told Gates to keep in touch HOM  about future WikiLeaks releases.[98]

According to Gates, by the late summer of 2016, the Trump Campaign was planning a press strategy, a communications campaign, and messaging based on the possible release of Clinton emails by WikiLeaks.[99] Harm to Ongoing Matter 
 .[100] Harm to Ongoing Matter 
  while Trump and Gates were driving to LaGuardia Airport. Harm to Ongoing Matter , shortly after the call candidate Trump told Gates that more releases of damaging information would be coming.[101]

Harm to Ongoing Matter 
       
 [102]

c. Harm to Ongoing Matter 

Harm to Ongoing Matter 
 
 [103] Corsi is an author who holds a doctorate in political science.[104] In 2016, Corsi also worked for the media outlet WorldNetDaily (WND). Harm to Ongoing Matter 
     
 [105] Harm to Ongoing Matter 
 [106] Corsi told the Office during interviews that he "must have" previously discussed Assange with Malloch.[107] 
Harm to Ongoing Matter 
 [108] Harm to Ongoing Matter 
 [109]

Grand Jury 
    According to Malloch, Corsi asked him to put Corsi in touch with Assange, whom Corsi wished to interview. Malloch recalled that Corsi also suggested that individuals in the "orbit" of U.K. politician Nigel Farage might be able to contact Assange and asked if Malloch knew them. Malloch told Corsi that he would think about the request but made no actual attempt to connect Corsi with Assange.[110]

Harm to Ongoing Matter 
       [111]   
Harm to Ongoing Matter 
   [112]

Malloch stated to investigators that beginning in or about August 2016, he and Corsi had multiple FaceTime discussions about WikiLeaks Harm to Ongoing Matter

had made a connection to Assange and that the hacked emails of John Podesta would be released prior to Election Day and would be helpful to the Trump Campaign. In one conversation in or around August or September 2016, Corsi told Malloch that the release of the Podesta emails was coming, after which "we" were going to be in the driver's seat.[113]


Harm to Ongoing Matter 
 [114] Harm to Ongoing Matter 
 [115] Harm to Ongoing Matter 
 [116] Harm to Ongoing Matter 
 [117]

Harm to Ongoing Matter 
 [118] Harm to Ongoing Matter 
 [119] Harm to Ongoing Matter 
 [120])

Harm to Ongoing Matter 
   [121] Harm to Ongoing Matter  Harm to Ongoing Matter [122] 
Harm to Ongoing Matter 
   [123] Harm to Ongoing Matter
 [124]


Harm to Ongoing Matter 
 [125] Harm to Ongoing Matter
   [126] Harm to Ongoing Matter
   [127] 
Harm to Ongoing Matter 
 [128] Harm to Ongoing Matter
     [129] 
Harm to Ongoing Matter 
     [130]

d. WikiLeaks's October 7, 2016 Release of Stolen Podesta Emails

On October 7, 2016, four days after the Assange press conference HOM, the Washington Post published an Access Hollywood video that captured comments by candidate Trump some years earlier and that was expected to adversely affect the Campaign.[131] Less than an hour after the video's publication, WikiLeaks released the first set of emails stolen by the GRU from the account of Clinton Campaign chairman John Podesta.

Harm to Ongoing Matter.[132] Harm to Ongoing Matter[133] Harm to Ongoing Matter[134] Corsi said that, because he had no direct means of communicating with WikiLeaks, he told members of the news site WND—who were participating on a conference call with him that day—to reach Assange immediately.[135] Corsi claimed that the pressure was enormous and recalled telling the conference call the Access Hollywood tape was coming.[136] Corsi stated that he was convinced that his efforts had caused WikiLeaks to release the emails when they did.[137] In a later November 2018 interview, Corsi stated that he thought that he had told people on a WND conference call about the forthcoming tape and had sent out a tweet asking whether anyone could contact Assange, but then said that maybe he had done nothing.[138]

The Office investigated Corsi's allegations about the events of October 7, 2016 but found little corroboration for his allegations about the day.[139] Harm to Ongoing Matter [140] Harm to Ongoing Matter [141] However, the phone records themselves do not indicate that the conversation was with any of the reporters who broke the Access Hollywood story, and the Office has not otherwise been able to identify the substance of the conversation. Harm to Ongoing Matter .[142] However, the Office has not identified any conference call participant, or anyone who spoke to Corsi that day, who says that they received non-public information about the tape from Corsi or acknowledged having contacted a member of WikiLeaks on October 7, 2016 after a conversation with Corsi.

e. Donald Trump Jr. Interaction with WikiLeaks

Donald Trump Jr. had direct electronic communications with WikiLeaks during the campaign period. On September 20, 2016, an individual named Jason Fishbein sent WikiLeaks the password for an unlaunched website focused on Trump's "unprecedented and dangerous" ties to Russia, PutinTrump.org.[143] WikiLeaks publicly tweeted: "'Let's bomb Iraq' Progress for America PAC to launch 'PutinTrump.org' at 9:30am. Oops pw is 'putintrump' putintrump.org." Several hours later, WikiLeaks sent a Twitter direct message to Donald Trump Jr., "A PAC run anti-Trump site putintrump.org is about to launch. The PAC is a recycled pro-Iraq war PAC. We have guessed the password. It is 'putintrump.' See 'About' for who is behind it. Any comments?"[144]

Several hours later, Trump Jr. emailed a variety of senior campaign staff:
Guys I got a weird Twitter DM from wikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it. Not sure if this is anything but it seems like it's really wikileaks asking me as I follow them and it is a DM. Do you know the people mentioned and what the conspiracy they are looking for could be? These are just screen shots but it's a fully built out page claiming to be a PAC let me know your thoughts and if we want to look into it.[145]

Trump Jr. attached a screenshot of the "About" page for the unlaunched site PutinTrump.org. The next day (after the website had launched publicly), Trump Jr. sent a direct message to WikiLeaks: "Off the record, I don't know who that is but I'll ask around. Thanks."[146]

On October 3, 2016, WikiLeaks sent another direct message to Trump Jr., asking "you guys" to help disseminate a link alleging candidate Clinton had advocated using a drone to target Julian Assange. Trump Jr. responded that he already "had done so," and asked, "what's behind this Wednesday leak I keep reading about?"[147] WikiLeaks did not respond.

On October 12, 2016, WikiLeaks wrote again that it was "great to see you and your dad talking about our publications. Strongly suggest your dad tweets this link if he mentions us wlsearch.tk."[148] WikiLeaks wrote that the link would help Trump in "digging through" leaked emails and stated, "we just released Podesta emails Part 4."[149] Two days later, Trump Jr. publicly tweeted the wlsearch.tk link.[150]

2. Other Potential Campaign Interest in Russian Hacked Materials

Throughout 2016, the Trump Campaign expressed interest in Hillary Clinton's private email server and whether approximately 30,000 emails from that server had in fact been permanently destroyed, as reported by the media. Several individuals associated with the Campaign were contacted in 2016 about various efforts to obtain the missing Clinton emails and other stolen material in support of the Trump Campaign. Some of these contacts were met with skepticism, and nothing came of them; others were pursued to some degree. The investigation did not find evidence that the Trump Campaign recovered any such Clinton emails, or that these contacts were part of a coordinated effort between Russia and the Trump Campaign.

a. Henry Oknyansky (a/k/a Henry Greenberg)

In the spring of 2016, Trump Campaign advisor Michael Caputo learned through a Florida-based Russian business partner that another Florida-based Russian, Henry Oknyansky (who also went by the name Henry Greenberg), claimed to have information pertaining to Hillary Clinton. Caputo notified Roger Stone and brokered communication between Stone and Oknyansky. Oknyansky and Stone set up a May 2016 in-person meeting.[151]

Oknyansky was accompanied to the meeting by Alexei Rasin, a Ukrainian associate involved in Florida real estate. At the meeting, Rasin offered to sell Stone derogatory information on Clinton that Rasin claimed to have obtained while working for Clinton. Rasin claimed to possess financial statements demonstrating Clinton's involvement in money laundering with Rasin's companies. According to Oknyansky, Stone asked if the amounts in question totaled millions of dollars but was told it was closer to hundreds of thousands. Stone refused the offer, stating that Trump would not pay for opposition research.[152]

Oknyansky claimed to the Office that Rasin's motivation was financial. According to Oknyansky, Rasin had tried unsuccessfully to shop the Clinton information around to other interested parties, and Oknyansky would receive a cut if the information was sold.[153] Rasin is noted in public source documents as the director and/or registered agent for a number of Florida companies, none of which appears to be connected to Clinton. The Office found no other evidence that Rasin worked for Clinton or any Clinton-related entities.

In their statements to investigators, Oknyansky and Caputo had contradictory recollections about the meeting. Oknyansky claimed that Caputo accompanied Stone to the meeting and provided an introduction, whereas Caputo did not tell us that he had attended and claimed that he was never told what information Oknyansky offered. Caputo also stated that he was unaware Oknyansky sought to be paid for the information until Stone informed him after the fact.[154] The Office did not locate Rasin in the United States, although the Office confirmed Rasin had been issued a Florida driver's license. The Office otherwise was unable to determine the content and origin of the information he purportedly offered to Stone. Finally, the investigation did not identify evidence of a connection between the outreach or the meeting and Russian interference efforts.

b. Campaign Efforts to Obtain Deleted Clinton Emails

After candidate Trump stated on July 27, 2016, that he hoped Russia would "find the 30,000 emails that are missing," Trump asked individuals affiliated with his Campaign to find the deleted Clinton emails.[155] Michael Flynn—who would later serve as National Security Advisor in the Trump Administration—recalled that Trump made this request repeatedly, and Flynn subsequently contacted multiple people in an effort to obtain the emails.[156]

Barbara Ledeen and Peter Smith were among the people contacted by Flynn. Ledeen, a long-time Senate staffer who had previously sought the Clinton emails, provided updates to Flynn about her efforts throughout the summer of 2016.[157] Smith, an investment advisor who was active in Republican politics, also attempted to locate and obtain the deleted Clinton emails.[158]

Ledeen began her efforts to obtain the Clinton emails before Flynn's request, as early as December 2015.[159] On December 3, 2015, she emailed Smith a proposal to obtain the emails, stating, "Here is the proposal I briefly mentioned to you. The person I described to you would be happy to talk with you either in person or over the phone. The person can get the emails which 1. Were classified and 2. Were purloined by our enemies. That would demonstrate what needs to be demonstrated."[160]

Attached to the email was a 25-page proposal stating that the "Clinton email server was, in all likelihood, breached long ago," and that the Chinese, Russian, and Iranian intelligence services could "re-assemble the server's email content."[161] The proposal called for a three-phase approach. The first two phases consisted of open-source analysis. The third phase consisted of checking with certain intelligence sources "that have access through liaison work with various foreign services" to determine if any of those services had gotten to the server. The proposal noted, "Even if a single email was recovered and the providence [sic] of that email was a foreign service, it would be catastrophic to the Clinton campaign[.]" Smith forwarded the email to two colleagues and wrote, "we can discuss to whom it should be referred."[162] On December 16, 2015, Smith informed Ledeen that he declined to participate in her "initiative." According to one of Smith's business associates, Smith believed Ledeen's initiative was not viable at that time.[163]

Just weeks after Trump's July 2016 request to find the Clinton emails, however, Smith tried to locate and obtain the emails himself. He created a company, raised tens of thousands of dollars, and recruited security experts and business associates. Smith made claims to others involved in the effort (and those from whom he sought funding) that he was in contact with hackers with "ties and affiliations to Russia" who had access to the emails, and that his efforts were coordinated with the Trump Campaign.[164]

On August 28, 2016, Smith sent an email from an encrypted account with the subject "Sec. Clinton's unsecured private email server" to an undisclosed list of recipients, including Campaign co-chairman Sam Clovis. The email stated that Smith was "[j]ust finishing two days of sensitive meetings here in DC with involved groups to poke and probe on the above. It is clear that the Clinton's home-based, unprotected server was hacked with ease by both State-related players, and private mercenaries. Parties with varying interests, are circling to release ahead of the election."[165]

On September 2, 2016, Smith directed a business associate to establish KLS Research LLC in furtherance of his search for the deleted Clinton emails.[166] One of the purposes of KLS Research was to manage the funds Smith raised in support of his initiative.[167] KLS Research received over $30,000 during the presidential campaign, although Smith represented that he raised even more money.[168]

Smith recruited multiple people for his initiative, including security experts to search for and authenticate the emails.[169] In early September 2016, as part of his recruitment and fundraising effort, Smith circulated a document stating that his initiative was "in coordination" with the Trump Campaign, "to the extent permitted as an independent expenditure organization."[170] The document listed multiple individuals affiliated with the Trump Campaign, including Flynn, Clovis, Bannon, and Kellyanne Conway.[171] The investigation established that Smith communicated with at least Flynn and Clovis about his search for the deleted Clinton emails,[172] but the Office did not identify evidence that any of the listed individuals initiated or directed Smith's efforts.

In September 2016, Smith and Ledeen got back in touch with each other about their respective efforts. Ledeen wrote to Smith, "wondering if you had some more detailed reports or memos or other data you could share because we have come a long way in our efforts since we last visited.... We would need as much technical discussion as possible so we could marry it against the new data we have found and then could share it back to you 'your eyes only.'"[173]

Ledeen claimed to have obtained a trove of emails (from what she described as the "dark web") that purported to be the deleted Clinton emails. Ledeen wanted to authenticate the emails and solicited contributions to fund that effort. Erik Prince provided funding to hire a tech advisor to ascertain the authenticity of the emails. According to Prince, the tech advisor determined that the emails were not authentic.[174]

A backup of Smith's computer contained two files that had been downloaded from WikiLeaks and that were originally attached to emails received by John Podesta. The files on Smith's computer had creation dates of October 2, 2016, which was prior to the date of their release by WikiLeaks. Forensic examination, however, established that the creation date did not reflect when the files were downloaded to Smith's computer. (It appears the creation date was when WikiLeaks staged the document for release, as discussed in Volume I, Section III.B.3.c, supra.[175]) The investigation did not otherwise identify evidence that Smith obtained the files before their release by WikiLeaks.

Smith continued to send emails to an undisclosed recipient list about Clinton's deleted emails until shortly before the election. For example, on October 28, 2016, Smith wrote that there was a "tug-of-war going on within WikiLeaks over its planned releases in the next few days," and that WikiLeaks "has maintained that it will save its best revelations for last, under the theory this allows little time for response prior to the U.S. election November 8."[176] An attachment to the email claimed that WikiLeaks would release "All 33k deleted Emails" by "November 1st." No emails obtained from Clinton's server were subsequently released.

Smith drafted multiple emails stating or intimating that he was in contact with Russian hackers. For example, in one such email, Smith claimed that, in August 2016, KLS Research had organized meetings with parties who had access to the deleted Clinton emails, including parties with "ties and affiliations to Russia."[177] The investigation did not identify evidence that any such meetings occurred. Associates and security experts who worked with Smith on the initiative did not believe that Smith was in contact with Russian hackers and were aware of no such connection.[178] The investigation did not establish that Smith was in contact with Russian hackers or that Smith, Ledeen, or other individuals in touch with the Trump Campaign ultimately obtained the deleted Clinton emails.

***

In sum, the investigation established that the GRU hacked into email accounts of persons affiliated with the Clinton Campaign, as well as the computers of the DNC and DCCC. The GRU then exfiltrated data related to the 2016 election from these accounts and computers, and disseminated that data through fictitious online personas (DCLeaks and Guccifer 2.0) and later through WikiLeaks. The investigation also established that the Trump campaign displayed interest in the WikiLeaks releases, and that Harm to Ongoing Matter  As explained in Volume I, section V.B, infra, the evidence was sufficient to support computer-intrusion (and other) charges against GRU officers for their role in election-related hacking. Harm to Ongoing Matter 
 


    Harm to Ongoing Matter  
     

  1. As discussed in Section V below, our Office charged 12 GRU officers for crimes arising from the hacking of these computers, principally with conspiring to commit computer intrusions, in violation of 18 U.S.C. §§1030 and 371. See Volume I, Section V.B, infra; Indictment, United States v. Netyksho, No. 1:18-cr-215 (D.D.C. July 13, 2018), Doc. 1 ("Netyksho Indictment").
  2. Netyksho Indictment ¶ 1.
  3. Separate from this Office's indictment of GRU officers, in October 2018 a grand jury sitting in the Western District of Pennsylvania returned an indictment charging certain members of Unit 26165 with hacking the U.S. Anti-Doping Agency, the World Anti-Doping Agency, and other international sport associations. United States v. Aleksei Sergeyevich Morenets, No. 18-263 (W.D. Pa.).
  4. A spearphishing email is designed to appear as though it originates from a trusted source, and solicits information to enable the sender to gain access to an account or network, or causes the recipient to download malware that enables the sender to gain access to an account or network. Netyksho Indictment ¶ 10.
  5. Bitcoin mining consists of unlocking new bitcoins by solving computational problems. IT  kept its newly mined coins in an account on the bitcoin exchange platform CEX.io. To make purchases, the GRU routed funds into other accounts through transactions designed to obscure the source of funds. Netyksho Indictment ¶ 62.
  6. Netyksho Indictment ¶ 69.
  7. Netyksho Indictment ¶ 9.
  8. See SM-2589105, serials 144 & 495.
  9. Investigative Technique 
     
  10. Investigative Technique
  11. Investigative Technique
  12. A VPN extends a private network, allowing users to send and receive data across public networks (such as the internet) as if the connecting computer was directly connected to the private network. The VPN in this case had been created to give a small number of DCCC employees access to certain databases housed on the DNC network. Therefore, while the DCCC employees were outside the DNC's private network, they could access parts of the DNC network from their DCCC computers.
  13. Investigative Technique   SM-2589105-HACK, serial 5.
  14. Investigative Technique   M-2589105-HACK, serial 5.
  15. "Malware" is short for malicious software, and here refers to software designed to allow a third party to infiltrate a computer without the consent or knowledge of the computer's user or operator.
  16. Investigative Technique  
  17. Investigative Technique  
  18. In connection with these intrusions, the GRU used computers (virtual private networks, dedicated servers operated by hosting companies, etc.) that it leased from third-party providers located all over the world. The investigation identified rental agreements and payments for computers located in, inter alia, Investigative Technique   all of which were used in the operations targeting the U.S. election.
  19. Netyksho Indictment ¶ 25
  20. Netyksho Indictment ¶ 24(c).
  21. Netyksho Indictment ¶ 24(b).
  22. Netyksho Indictment ¶¶ 27-29; Investigative Technique
  23. Investigative Technique
  24. Investigative Technique   
  25. Investigative Technique 
       
  26. Investigative Technique  SM-2589105-HACK, serial 5, Investigative Technique 
  27. Investigative Technique  See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later received images of DNC servers and copies of relevant traffic logs. Netyksho Indictment ¶¶ 28-29.
  28. Netyksho Indictment ¶ 29. The last-in-time DNC email released by WikiLeaks was dated May 25, 2016, the same period of time during which the GRU gained access to the DNC's email server. Netyksho Indictment ¶ 45.
  29. Netyksho Indictment ¶ 35. Approximately a week before the registration of dcleaks.com, the same actors attempted to register the website electionleaks.com using the same domain registration service. Investigative Technique 
  30. See SM-2589105, serial 181; Netyksho Indictment ¶ 21(a).
  31. Investigative Technique 
  32. See, e.g., Internet Archive, "https://dcleaks.com/" (archive date Nov. 10, 2016). Additionally, DCLeaks released documents relating to Personal Privacy , emails belonging to PP , and emails from 2015 relating to Republican Party employees (under the portfolio name "The United States Republican Party"). "The United States Republican Party" portfolio contained approximately 300 emails from a variety of GOP members, PACs, campaigns, state parties, and businesses dated between May and October 2015. According to open-source reporting, these victims shared the same Tennessee-based web-hosting company, called Smartech Corporation. William Bastone, RNC E-Mail Was, in Fact, Hacked By Russians, The Smoking Gun (Dec. 13, 2016).
  33. Netyksho Indictment ¶ 38.
  34. See, e.g., Facebook Account 100008825623541 (Alice Donovan).
  35. 7/14/16 Facebook Message, ID 793058100795341 (DC Leaks) to ID Personal Privacy 
  36. See, e.g., 9/14/16 Twitter DM, @dcleaks_ to Personal Privacy ; 9/14/16 Twitter DM, @dcleaks_ to Personal Privacy . The messages read: "Hi https:// t.co/QTvKUjQcOx pass:KvFsg%*14@gPgu& enjoy ;)."
  37. Dmitri Alperovitch, Bears in the Midst: Intrusion into the Democratic National Committee, CrowdStrike Blog (June 14, 2016). CrowdStrike updated its post after the June 15, 2016 post by Guccifer 2.0 claiming responsibility for the intrusion.
  38. Netyksho Indictment ¶¶ 41–42.
  39. Releases of documents on the Guccifer 2.0 blog occurred on June 15, 2016; June 20, 2016; June 21, 2016; July 6, 2016; July 14, 2016; August 12, 2016; August 15, 2016; August 21, 2016; August 31, 2016; September 15, 2016; September 23, 2016; October 4, 2016; and October 18, 2016.
  40. 6/27/16 Email, guccifer20 at aol.fr to Personal Privacy (subject "leaked emails"); IT 
  41. 6/27/16 Email, guccifer20 at aol.fr to Personal Privacy (subject "leaked emails"); IT ; see also 6/27/16 Email, guccifer20 at aol.fr to Personal Privacy (subject "leaked emails"); IT  (claiming DCLeaks was a "Wikileaks sub project").
  42. Before sending the reporter the link and password to the closed DCLeaks website, and in an apparent effort to deflect attention from the fact that DCLeaks and Guccifer 2.0 were operated by the same organization, the Guccifer 2.0 persona sent the reporter an email stating that DCLeaks was a "Wikileaks sub project" and that Guccifer 2.0 had asked DCLeaks to release the leaked emails with "closed access" to give reporters a preview of them.
  43. Netyksho Indictment ¶ 43(a).
  44. Netyksho Indictment ¶ 43(b).
  45. Netyksho Indictment ¶ 43(c).
  46. HOM 
  47. Harm to Ongoing Matter 
  48. 11/19/15 Twitter Group Chat, Group ID 594242937858486276, @WikiLeaks et al. Assange also wrote that, "GOP will generate a lot oposition [sic], including through dumb moves. Hillary will do the same thing, but co-opt the liberal opposition and the GOP opposition. Hence hillary has greater freedom to start wars than the GOP and has the will to do so." Id.
  49. WikiLeaks, "Hillary Clinton Email Archive," available at https://wikileaks.org/clinton-emails/.
  50. 3/14/16 Twitter DM, @WikiLeaks to PP  Less than two weeks earlier, the same account had been used to send a private message opposing the idea of Clinton "in whitehouse with her bloodlutt and amitions [sic] of empire with hawkish liberal-interventionist appointees." 11/19/15 Twitter Group Chat, Group ID 594242937858486276, @WikiLeaks et al.
  51. 6/14/16 Twitter DM, @dcleaks_ to @WikiLeaks.
  52. Netyksho Indictment ¶ 47(a)
  53. 7/6/16 Twitter DMs, @WikiLeaks & guccifer_2.
  54. Investigative Technique  
       
  55. This was not the GRU's first attempt at transferring data to WikiLeaks. On June 29, 2016, the GRU used a Guccifer 2.0 email account to send a large encrypted file to a WikiLeaks email account. 6/29/16 Email, guccifer2@mail.com IT  (The email appears to have been undelivered.)
  56. See SM-2589105-DCLEAKS, serial 28 (analysis).
  57. 6/27/16 Twitter DM, @Guccifer_2 to @WikiLeaks.
  58. 7/18/16 Twitter DM, @Guccifer_2 & @WikiLeaks.
  59. "DNC Email Archive," WikiLeaks (Jul. 22, 2016), available at [1].
  60. 9/15/16 Twitter DM, @dcleaks_ to @WikiLeaks.
  61. 9/15/16 Twitter DM, @guccifer_2 to @dcleaks_.
  62. See SM-2589105-DCLEAKS, serial 28; 9/15/16 Twitter DM, @Guccifer_2 & @WikiLeaks.
  63. See SM-2284941, serials 63 & 64 Investigative Technique 
  64. Investigative Technique 
      At the time, certain Apple operating systems used a setting that left a downloaded file's creation date the same as the creation date shown on the host computer. This would explain why the creation date on WikiLeaks's version of the files was still September 19, 2016. See SM-2284941, serial 62 Investigative Technique 
  65. When WikiLeaks saved attachments separately from the stolen emails, its computer system appears to have treated each attachment as a new file and given it a new creation date. See SM-2284941, serials 63 & 64.
  66. See 9/22/16 Email, dcleaksproject@gmail.com IT 
  67. Ellen Nakashima et al., A German Hacker Offers a Rare Look Inside the Secretive World of Julian Assange and WikiLeaks, Washington Post (Jan. 17, 2018).
  68. Investigative Technique 
     
  69. Personal Privacy 
     
  70. Personal Privacy 
  71. Netyksho Indictment ¶ 43.
  72. @WikiLeaks 8/9/16 Tweet.
  73. See Assange: "Murdered DNC Staffer Was 'Potential' WikiLeaks Source," Fox News (Aug. 25, 2016) (containing video of Assange interview by Megyn Kelly).
  74. M. Raju & Z. Cohen, A GOP Congressman's Lonely Quest Defending Julian Assange, CNN (May 23, 2018).
  75. "Donald Trump on Russian & Missing Hillary Clinton Emails," YouTube Channel C-SPAN, Posted 7/27/16, available at https://www.youtube.com/watch?v=3kxG8uJUsWU (starting at 0:41).
  76. Investigative Technique 
     
  77. Netyksho Indictment ¶ 34; see also SM-2589105-HACK, serial 29 Investigative Technique
  78. Netyksho Indictment ¶ 69.
  79. Netyksho Indictment ¶ 69. Investigative Technique 
  80. Investigative Technique 
  81. Investigative Technique 
  82. Investigative Technique 
  83. Netyksho Indictment ¶ 76; Investigative Technique
  84. Investigative Technique
  85. Harm to Ongoing Matter 
  86. See Mahita Gajanan, Julian Assange Timed DNC Email Release for Democratic Convention Time (July 27, 2016) (quoting the June 12, 2016 television interview).
  87. In February 2018, Gates pleaded guilty, pursuant to a plea agreement, to a superseding criminal information charging him with conspiring to defraud and commit multiple offenses (i.e. tax fraud, failure to report foreign bank accounts, and acting as an unregistered agent of a foreign principal) against the United States, as well as making false statements to our Office. Superseding Criminal Information, United States v. Richard W. Gates III, 1:17-cr-201 (D.D.C. Feb. 23, 2018), Doc. 195 ("Gates Superseding Criminal Information"); Plea Agreement, United States v. Richard W. Gates III, 1:17-cr-201 (D.D.C. Feb. 23, 2018), Doc. 205 ("Gates Plea Agreement"). Gates has provided information and in-court testimony that the Office has deemed to be reliable.
  88. Gates 10/25/18 302, at 1-2.
  89. As explained further in Volume I, Section IV.A.8, infra, Manafort entered into a plea agreement with our Office. We determined that he breached the agreement by being untruthful in proffer sessions and before the grand jury. We have generally recounted his version of events in this report only when his statements are sufficiently corroborated to be trustworthy; to identify issues on which Manafort's untruthful responses may themselves be of evidentiary value; or to provide Manafort's explanations for certain events, even when we were unable to determine whether that explanation was credible. His account appears here principally because it aligns with those of other witnesses.
  90. Grand Jury 
  91. In November 2018, Cohen pleaded guilty pursuant to a plea agreement to a single-count information charging him with making false statements to Congress, in violation of 18 U.S.C. § 1001(a) & (c). He had previously pleaded guilty to several other criminal charges brought by the U.S. Attorney's Office in the Southern District of New York, after a referral from this Office. In the months leading up to his false-statements guilty plea, Cohen met with our Office on multiple occasions for interviews and provided information that the Office has generally assessed to be reliable and that is included in this report.
  92. HOM 
  93. Harm to Ongoing Matter
  94. Cohen 9/18/18 302, at 10. Harm to Ongoing Matter
  95. Gates 10/25/18 302 (serial 241), at 4.
  96. Grand Jury 
  97. Grand Jury 
  98. Grand Jury 
  99. Gates 4/10/18 302, at 3; Gates 4/11/18 302, at 1-2 (SM-2180998); Gates 10/25/18 302, at 2.
  100. HOM 
  101. Gates 10/25/18 302 (serial 241), at 4.
  102. HOM 
  103. HOM 
  104. Corsi first rose to public prominence in August 2004 when he published his book Unfit for Command: Swift Boat Veterans Speak Out Against John Kerry. In the 2008 election cycle, Corsi gained prominence for being a leading proponent of the allegation that Barack Obama was not born in the United States. Corsi told the Office that Donald Trump expressed interest in his writings, and that he spoke with Trump on the phone on at least six occasions. Corsi 9/6/18 302, at 3.
  105. Corsi 10/31/18 302, at 2; Grand Jury  Corsi was first interviewed on September 6, 2018 at the Special Counsel's offices in Washington, D.C. He was accompanied by counsel throughout the interview. Corsi was subsequently interviewed on September 17, 2018; September 21, 2018; October 31, 2018; November 1, 2018; and November 2, 2018. Counsel was present for all interviews, and the interviews beginning on September 21, 2018 were conducted pursuant to a proffer agreement that precluded affirmative use of his statements against him in limited circumstances.
  106. HOM 
  107. Corsi 10/31/18 302, at 4.
  108. HOM 
  109. HOM 
  110. Grand Jury  Malloch denied ever communicating with Assange or WikiLeaks, stating that he did not pursue the request to contact Assange because he believed he had no connection to Assange. Grand Jury 
  111. HOM 
  112. Harm to Ongoing Matter
  113. Grand Jury 
  114. Harm to Ongoing Matter
  115. Harm to Ongoing Matter 
  116. Harm to Ongoing Matter 
  117. Harm to Ongoing Matter 
  118. Harm to Ongoing Matter 
  119. Harm to Ongoing Matter 
  120. HOM 
  121. Harm to Ongoing Matter
  122. Harm to Ongoing Matter
  123. Harm to Ongoing Matter 
  124. HOM 
  125. Harm to Ongoing Matter
  126. Harm to Ongoing Matter
  127. Harm to Ongoing Matter
  128. Harm to Ongoing Matter
  129. HOM 
  130. Harm to Ongoing Matter
  131. Candidate Trump can be heard off camera making graphic statements about women.
  132. HOM
  133. HOM
  134. HOM
  135. In a later November 2018 interview, Corsi stated Harm to Ongoing Matter that he believed Malloch was on the call but then focused on other individuals who were on the call-invitation, which Malloch was not. (Separate travel records show that at the time of the call, Malloch was aboard a transatlantic flight.) Corsi at one point stated that after WikiLeaks's release of stolen emails on October 7, 2016, he concluded Malloch had gotten in contact with Assange. Corsi 11/1/18 302, at 6.
  136. During the same interview, Corsi also suggested that he may have sent out public tweets because he knew Assange was reading his tweets. Our Office was unable to find evidence of any such tweets.
  137. Corsi 9/21/18 302, at 6-7.
  138. Corsi 11/1/18 302, at 6.
  139. Harm to Ongoing Matter  Grand Jury 
  140. Harm to Ongoing Matter 
  141. HOM Grand Jury Harm to Ongoing Matter 
  142. HOM Grand Jury Harm to Ongoing Matter  Grand Jury Harm to Ongoing Matter 
  143. 9/20/16 Twitter DM, @JasonFishbein to @WikiLeaks; see JF00587 (9/21/16 Messages, PP  @jabber.cryptoparty.is & PP @jabber.cryptoparty.is); Fishbein 9/5/18 302, at 4. When interviewed by our Office, Fishbein produced what he claimed to be logs from a chatroom in which the participants discussed U.S. politics; one of the other participants had posted the website and password that Fishbein sent to WikiLeaks.
  144. 9/20/16 Twitter DM, @WikiLeaks to @DonaldJTrumpJr.
  145. TRUMPORG_28_000629-33 (9/21/16 Email, Trump Jr. to Conway et al. (subject "Wikileaks")).
  146. 9/21/16 Twitter DM, @DonaldJTrumpJr to @WikiLeaks.
  147. 10/3/16 Twitter DMs, @DonaldJTrumpJr & @WikiLeaks.
  148. At the time, the link took users to a WikiLeaks archive of stolen Clinton Campaign documents.
  149. 10/12/16 Twitter DM, @WikiLeaks to @DonaldJTrumpJr.
  150. @DonaldJTrumpJr 10/14/16 (6:34 a.m.) Tweet.
  151. Caputo 5/2/18 302, at 4; Oknyansky 7/13/18 302, at 1.
  152. Oknyansky 7/13/18 302, at 1-2.
  153. Oknyansky 7/13/18 302, at 2.
  154. Caputo 5/2/18 302, at 4; Oknyansky 7/13/18 302, at 1.
  155. Flynn 4/25/18 302, at 5-6; Flynn 5/1/18 302, at 1-3.
  156. Flynn 5/1/18 302, at 1-3.
  157. Flynn 4/25/18 302, at 7; Flynn 5/4/18 302, at 1-2; Flynn 11/29/17 302, at 7-8.
  158. Flynn 11/29/17 302, at 7.
  159. Szobocsan 3/29/17 302, at 1.
  160. 12/3/15 Email, Ledeen to Smith.
  161. 12/3/15 Email, Ledeen to Smith (attachment).
  162. 12/3/15 Email, Smith to Szobocsan & Safron.
  163. Szobocsan 3/29/18 302, at 1.
  164. 8/31/16 Email, Smith to Smith.
  165. 8/28/16 Email, Smith to Smith.
  166. Incorporation papers of KLS Research LLC, 7/26/17 Grand Jury  Szobocsan 3/29/18 302, at 2.
  167. Szobocsan 3/29/18 302, at 3.
  168. Financial Institution Record of Peter Smith and KLS Research LLC, 10/31/17 Grand Jury  10/11/16 Email, Smith to Personal Privacy
  169. Tait 8/22/17 302, at 3; York 7/12/17 302, at 1-2; York 11/22/17 302, at 1.
  170. York 7/13/17 302 (attachment KLS Research, LLC, "Clinton Email Reconnaissance Initiative," Sept. 9, 2016).
  171. The same recruitment document listed Jerome Corsi under "Independent Groups/Organizations/Individuals," and described him as an "established author and writer from the right on President Obama and Sec. Clinton."
  172. Flynn 11/29/17 302, at 7-8; 10/15/16 Email, Smith to Flynn et al.; 8/28/16 Email, Smith to Smith (bcc: Clovis et al.).
  173. 9/16/16 Email, Ledeen to Smith.
  174. Prince 4/4/18 302, at 4-5.
  175. The forensic analysis of Smith's computer devices found that Smith used an older Apple operating system that would have preserved that October 2, 2016 creation date when it was downloaded (no matter what day it was in fact downloaded by Smith). See Volume I, Section III.B.3.c, supra. The Office tested this theory in March 2019 by downloading the two files found on Smith's computer from WikiLeaks's site using the same Apple operating system on Smith's computer; both files were successfully downloaded and retained the October 2, 2016 creation date. See SM-2284941, serial 62.
  176. 10/28/16 Email, Smith to Smith.
  177. 8/31/16 Email, Smith to Smith.
  178. Safron 3/20/18 302, at 3; Szobocsan 3/29/18 302, at 6.