Sophisticated tech used by both Russian hackers & DOJ investigators


I don’t know what was more sophisticated, the Russian hacks or the U.S. Justice Department’s computer forensics team, which was able to break these hacks down in great specificity. As you’ll see from the indictment (below), the hackers used both malware and social engineering to obtain information from the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC). This included spearphishing attacks against members of the Clinton campaign, tricking them into turning over their passwords, as well as planting a malware program called X-Agent on DNC and DCCC servers and workstations.

The indictment also charges that the conspirators laundered money to purchase infrastructure in the U.S. used in the hacking and in distributing the stolen material, including for hacking into “computers of U.S. persons,” and that “they principally used bitcoin when purchasing servers, registering domains and otherwise making payments in furtherance of hacking activities.”

Some key excerpts from the indictment:

Malware

  • “X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their “AMS” panel. … co-conspirators logged into the AMS panel to use X-Agent’s keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of the DCCC employees’ computer screens.”
  • “The Conspirators searched for and identified computers within the DCCC and DNC networks that stored information related to the 2016 U.S. presidential election. For example, on or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that included “hillary,” “cruz,” and “trump.” The Conspirators also copied select DCCC folders, including “Benghazi Investigations.”

Spearphishing

  • “Co-conspirators targeted victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain access to their computers… The Conspirators targeted over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC. … and sent a spearphishing email to the chairman of the Clinton Campaign. … Altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”).”
  • “Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. … Embedded a link purporting to direct the recipient to a document titled “hillaryclinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers to a GRU-created website.”
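The three tricks quoted above (a display name claiming to be a Google security notice, a sender account one letter off from a real staffer’s name, and a link whose text promises a spreadsheet but whose target is an attacker-controlled site) can all be caught by simple header and HTML checks before a user ever clicks. The script below is an added example, not code from the indictment or from any DOJ tooling; the contact allowlist, brand domains, trusted document host and sample messages are constructed for the demonstration.

```python
"""Triage checks for the three spearphishing tricks described above:
a brand-spoofing display name, a one-letter lookalike of a known contact,
and a document-looking link that points somewhere else.
Added example; the allowlists and sample messages below are constructed."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists (assumptions for the example, not real campaign data).
KNOWN_CONTACTS = {"jane.doe@example-campaign.org"}
BRAND_DOMAINS = {"google": {"google.com", "accounts.google.com"}}
TRUSTED_DOC_HOSTS = {"docs.example-campaign.org"}
DOC_SUFFIXES = (".xlsx", ".docx", ".pdf", ".zip")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a list of findings for a raw From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    findings = []
    # 1. Display name invokes a brand, but the address is not on that brand's domains.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(f"display name claims {brand!r} but domain is {domain!r}")
    # 2. Near-miss of a known contact: one edit away, or the same name at another domain.
    if addr not in KNOWN_CONTACTS:
        for known in KNOWN_CONTACTS:
            klocal, _, kdomain = known.rpartition("@")
            if edit_distance(addr, known) == 1:
                findings.append(f"{addr} is one edit away from known contact {known}")
            elif domain != kdomain and edit_distance(local, klocal) <= 1:
                findings.append(f"{addr} reuses the name of {known} at another domain")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Flag links whose visible text promises a document or URL the href does not deliver."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).netloc.lower()
        # Text looks like a file name, but the href leaves the trusted document host.
        if text.lower().endswith(DOC_SUFFIXES) and host not in TRUSTED_DOC_HOSTS:
            findings.append(f"link text {text!r} looks like a document but goes to {host!r}")
        # Text is itself a URL whose host differs from where the link really goes.
        if text.lower().startswith(("http://", "https://")):
            shown_host = urlparse(text).netloc.lower()
            if shown_host and shown_host != host:
                findings.append(f"link shows {shown_host!r} but goes to {host!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the indictment's description.
    for hdr in ('"Google Security" <no-reply@accounts-google.example>',
                '"Jane Doe" <jane.doee@example-campaign.org>',
                '"Jane Doe" <jane.doe@freemail.example>',
                '"Jane Doe" <jane.doe@example-campaign.org>'):
        print(hdr, "->", check_sender(hdr) or "clean")
    body = '<p>See <a href="http://lookalike.example/dl">favorable-rating.xlsx</a></p>'
    print(check_links(body))
```

These checks deliberately stop at the From: header and the message body; in production they would sit behind SPF/DKIM/DMARC results, since a sender that passes those checks but trips the lookalike rule is exactly the “one-letter deviation” account the indictment describes, registered legitimately at a free mail provider.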

Distribution of stolen emails

  • “Conspirators launched the public website dcleaks.com, which they used to release stolen emails. Before it shut down in or around March 2017, the site received over one million page views. The Conspirators falsely claimed on the site that DCLeaks was started by a group of “American hacktivists,” when in fact it was started by the Conspirators. Starting in or around June 2016 and continuing through the 2016 U.S. presidential election, the Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton Campaign.”
  • “On or about July 22, 2016, Organization 1 released over 20,000 emails and other documents stolen from the DNC network by the Conspirators. This release occurred approximately three days before the start of the Democratic National Convention. Organization 1 did not disclose Guccifer 2.0’s role in providing them. The latest-in-time email released through Organization 1 was dated on or about May 25, 2016, approximately the same day the Conspirators hacked the DNC Microsoft Exchange Server.”

Bitcoin

  • “The Conspirators funded the purchase of computer infrastructure for their hacking activity in part by “mining” bitcoin. Individuals and entities can mine bitcoin by allowing their computing power to be used to verify and record payments on the bitcoin public ledger, a service for which they are rewarded with freshly-minted bitcoin. The pool of bitcoin generated from the GRU’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.”
  • “Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.”
