At one point, the Russians used servers located in the U.S. to carry out the massive data exfiltration effort, the report confirms.
Much of the information was previously learned from the indictment of Viktor Borisovich Netyksho, the Russian officer in charge of Unit 26165. Netyksho is believed to be still at large in Russia.
But new details in the 488-page redacted report released by the Justice Department on Thursday offered new insight into how the GRU operatives hacked.
The operatives working for the Russian intelligence directorate, the GRU, sent dozens of targeted spearphishing emails in just five days to the work and personal accounts of Clinton Campaign employees and volunteers, as a way to break into the campaign’s computer systems.
The GRU hackers also gained access to the email account of John Podesta, Clinton’s campaign chairman, of which its contents were later published.
Using credentials they stole along the way, the hackers broke into the networks of the Democratic Congressional Campaign Committee days later. By stealing the login details of a system administrator who had “unrestricted access” to the network, the hackers broke into 29 computers in the ensuing weeks, and more than 30 computers on the DNC.
The operatives, known collectively as “Fancy Bear,” comprised several units tasked with specific operations. Mueller formally blamed Unit 26165, a division of the GRU specializing in targeting government and political organizations, for taking on the “primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign,” said the Mueller report.
The hackers used Mimikatz, a hacking tool used once an intruder is already in a target network, to collect credentials, and two other kinds of malware: X-Agent for taking screenshots and logging keystrokes, and X-Tunnel used to exfiltrate massive amounts of data from the network to servers controlled by the GRU. Mueller’s report found that Unit 26165 used several “middle servers” to act as a buffer between the hacked networks and the GRU’s main operations. Those servers, Mueller said, were hosted in Arizona — likely as a way to obfuscate where the attackers were located but also to avoid suspicion or detection.
In all, some 70 gigabytes of data were exfiltrated from Clinton’s campaign servers and some 300 gigabytes of data were obtained from the DNC’s network.
Meanwhile, another GRU hacking unit, Unit 74455, which helped disseminate and publish hacked and stolen documents, pushed the stolen data out through two fictitious personas. DCLeaks was a website that hosted the hacked material, while Guccifer 2.0 was a hacker-like figure who had a social presence and would engage with reporters.
Under pressure from the U.S. government, the two GRU-backed personas were shut down by the social media companies. Later, tens of thousands of hacked files were funneled to and distributed by WikiLeaks.
Mueller’s report also found a cause-and-effect between Trump’s remarks in July 2016 and subsequent cyberattacks.
“I hope you’re able to find the 30,000 emails that are missing,” said then-candidate Trump at a press conference, referring to emails Clinton stored on a personal email server while she headed the State Department. Mueller’s report said “within approximately five hours” of those remarks, GRU officers began targeting for the first time Clinton’s personal office.
More than a dozen staffers were targeted by Unit 26165, including a senior aide. “It is unclear how the GRU was able to identify these email accounts, which were not public,” said Mueller.
Mueller said the Trump campaign made efforts to “find the deleted Clinton emails.” Trump is said to have privately asked would-be national security advisor Michael Flynn, since convicted following inquiries by the Special Counsel’s office, to reach out to associates to obtain the emails. One of those associates was Peter Smith, who died by suicide in May 2017, who claimed to be in contact with Russian hackers — claims which Mueller said were not true.
Does that implicate the Trump campaign in an illegal act? Likely not.
“Under applicable law, publication of these types of materials would not be criminal unless the publisher also participated in the underlying hacking conspiracy,” according to Elie Honig, a CNN legal analyst. “The special counsel’s report did not find that any person associated with the Trump campaign illegally participated in the dissemination of the materials.”