The Justice Department’s Friday indictment of 12 Russian officials described them as midlevel functionaries staring at computer screens in windowless offices in the bowels of the vast Kremlin bureaucracy.
But Friday’s indictment also shows how the front-line Russian intelligence agents who U.S. officials believe hacked the 2016 presidential election — some of world’s most capable cyberwarriors — operate, and how they did a lot more than steal and disseminate embarrassing emails from Democratic party officials.
Story Continued Below
This browser does not support the Ad element.
The operatives from two units within Russia’s GRU military intelligence agency meddled in the election through an elaborate series of coordinated high-tech influence operations, and by using a global network of anonymous servers, bitcoin purchasers and other unwitting cutouts to cover the digital tracks, according to the indictment.
And, according to the 14-page charging document, the Russians deeply infiltrated two key Democratic Party organizations and key aspects of Democrat Hillary Clinton’s campaign—watching their every move via real-time digital surveillance until just weeks before the election.
That kind of extraordinary capability allowed the Russians “to virtually look over the shoulders of Democratic campaign staffers in real time throughout most of the 2016 campaign,” said Ed McAndrew, a former federal cybercrime prosecutor and Justice Department lawyer. He attributed the “extremely high level of sophistication of the Russian GRU hackers” to their ability to combine sophisticated social engineering techniques and custom-designed malware with more simple spearphishing techniques used to obtain passwords of more than 300 unsuspecting victims from the Democratic party.
“These GRU units are dedicated, well-organized and well-funded, and they’re perfectly capable of causing havoc in our electric grid as well as insecure election systems,” said Joel Brenner, a top official at the National Security Agency and Directorate of National Intelligence during the Bush and Obama administrations.
“Nasty,” was how Brenner described the GRU activities laid out in the 14-page indictment, which disclosed the names of the 12 Russian military officers who allegedly led the campaign. The indictment also disclosed for the first time the names of the units within the GRU, officially known as the Main Intelligence Directorate of the Russian General Staff, that prosecutors said led the effort.
One of them, Unit 26165, meticulously hacked and stole the information, while the other, 74455, set up the elaborate infrastructure around the world that was used to disseminate the material and make it look like a series of unrelated incidents.
At a news conference Friday, Deputy Attorney General Rod Rosenstein summarized the case against the 12 Russians as a crime of money laundering, aggravated identity theft and conspiracy to access computers without authorization — all done in furtherance of their efforts to influence the election.
The indictment went into far more detail, describing how Unit 26165 hacked and stole vast troves of data from the Democratic Congressional Campaign Committee beginning in March 2016, and then used that access to do the same thing to the Democratic National Committee.
Story Continued Below
This browser does not support the Ad element.
By April 2016, the GRU operatives hacked and stole more than 50,000 emails from Clinton campaign Chairman John Podesta and other campaign officials. Then they released them at strategically opportune times, the indictment said, through various cutouts and websites they set up and operated with fictitious personas, including Americans.
By capturing the keystrokes and computer activities of their victims, they also captured communications about fundraising, voter outreach projects, data about the DCCC’s finances, personal banking information and even files about Clinton’s Achilles Heel, the Benghazi investigations. They also accessed third-party cloud-computing services to obtain politically valuable data about the DNC’s analytics, the indictment said.
And both units covered their tracks so meticulously through an elaborate series of countersurveillance measures that they secretly remained inside the Democrats’ systems until October 2016, the indictment said, despite the efforts of a top U.S. cybersecurity firm to flush them out that began five months earlier.
CrowdStrike, the cybersecurity company hired by the DNC, declined to comment. DNC Chair Tom Perez didn’t address that issue specifically, except to say in a statement that the GRU units’ efforts to disrupt the U.S. electoral process “have grave implications for our democracy.”
“Today’s indictment makes clear just how vast this operation was,” Perez said. That scope included the GRU units’ penetration of a state election board’s website, from which they stole information related to about 500,000 voters.
On Saturday, CrowdStrike provided a statement from the DNC, in which it said that while some of the malware had remained in its system, it had been quarantined.
“This Linux based version of X-agent malware was a remnant of the original hack and had been quarantined during the remediation process in June 2016,” according to the statement from Adrienne Watson, the DNC’s deputy communications director. “While programmed to communicate with a GRU-registered domain, we do not have any information to suggest that it successfully communicated, exfiltrated data, corrupted our newly built systems, or breached our voter file following the remediation process.”
The former Justice Department and NSA cybersecurity officials said the indictment also was noteworthy for what it said about the multi-agency U.S. effort to unravel the GRU units’ activities back in 2016, and to gather enough evidence about the individuals responsible to prosecute them in federal court.
Story Continued Below
This browser does not support the Ad element.
Brenner, the former NSA senior official, said the investigation must have been “amazingly thorough,” for instance, to be able to identify the GRU agents operating behind the scenes, including those who engineered the custom malware used in the DNC intrusions.
“I don’t know how you do this except by penetrating the defendants’ systems,” Brenner said. “Our intel services should be congratulated.”