Special counsel Robert Mueller’s indictment Friday of 12 Russian intelligence officers for hacking the Democratic National Committee and other liberal targets establishes a vivid timeline of how Moscow used a range of digital intrusion techniques to interfere in the 2016 election.
The indictment spells out not only who the hackers were, but what techniques they used to breach and maintain a foothold in the computer systems of the DNC and the Democratic Congressional Campaign Committee. It also details precisely how Russia used cryptocurrencies to fund its operations — underscoring how deeply the U.S. intelligence community has managed to delve after the fact into the 2016 meddling operation.
The charges also lay out the hackers' interactions with an array of Americans, including journalists, an unnamed congressional candidate and "a person who was in regular contact with senior members" of Donald Trump's presidential campaign.
According to the indictment, the scheme unfolded this way:
• Breaching Podesta: The timeline begins on March 19, 2016, when the Russian hackers sent John Podesta, Hillary Clinton’s campaign chairman, a "spearphishing" email — a fake message designed to trick him into thinking that Google was urging him to reset his password. As has been previously reported, Podesta clicked the link and entered his current password, giving Moscow the keys to his account. Two days later, according to the indictment, the Russians swept up his inbox of more than 50,000 emails.
• Widening the hunt: On the same day that they spearphished Podesta, the hackers directed similar messages at other Clinton campaign officials, including campaign manager Robby Mook and “a senior foreign policy advisor.”
The Russians also created an email account with a name one letter off from that of a Clinton campaign official and used it to spearphish more than 30 other staffers.
On July 27, 2016 — the same day Trump urged Russia to find the deleted emails that Clinton had sent and received on her private server as secretary of State — the Russian hackers launched their first attempt to spearphish email accounts belonging to Clinton’s aides “at a domain hosted by a third-party provider.”
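Two of the tricks described above, a sender address one letter off from a real staffer's and a password-reset link that appears to point at Google but does not, are cheap to screen for before a message reaches an inbox. The following Python is an added example written for this page, not code from the indictment or from any firm that investigated the intrusions. The staff roster, sender addresses and links are constructed for illustration, and the example assumes the defender has an authoritative directory of legitimate staff addresses to compare against.

```python
"""Spearphishing triage: lookalike-sender detection and deceptive-link check.

Added example. Roster, messages and links below are constructed, not real mail.
"""
from urllib.parse import urlparse

# Constructed roster of legitimate addresses (assumption: the defender holds
# an authoritative directory of staff mailboxes).
STAFF_ROSTER = {
    "j.doe@example-campaign.org",
    "a.smith@example-campaign.org",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # deletion, insertion, substitution (cost 0 when chars match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, roster=STAFF_ROSTER, max_distance: int = 1):
    """Return the roster address this sender impersonates, or None.

    An exact roster match is legitimate. An address one edit away (one
    character inserted, deleted or substituted) is the one-letter-off
    account the indictment describes.
    """
    sender = sender.strip().lower()
    if sender in roster:
        return None
    for legit in roster:
        if edit_distance(sender, legit) <= max_distance:
            return legit
    return None


def _host_from_text(text: str):
    """Extract a hostname from anchor text only if the text looks like a URL."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "https://" + text
    return urlparse(text).hostname


def link_mismatch(anchor_text: str, href: str):
    """Flag a link whose visible text names a host other than its target.

    A password-reset lure typically shows a google.com-looking URL while the
    href points elsewhere. Returns (shown_host, real_host) on mismatch, or
    None when they agree (subdomains of the shown host are accepted) or when
    the anchor text is not a URL at all.
    """
    shown = _host_from_text(anchor_text)
    real = urlparse(href).hostname
    if not shown or not real:
        return None
    if real == shown or real.endswith("." + shown):
        return None
    return (shown, real)


def triage(message: dict) -> list:
    """Run both checks over one message dict {"from": str, "links": [(text, href)]}."""
    findings = []
    target = lookalike_of(message["from"])
    if target:
        findings.append(f"sender {message['from']} is one edit from {target}")
    for text, href in message["links"]:
        mismatch = link_mismatch(text, href)
        if mismatch:
            findings.append(f"link shows {mismatch[0]} but points to {mismatch[1]}")
    return findings


# Constructed sample messages: one benign, one carrying both tricks.
SAMPLE_MESSAGES = [
    {"from": "a.smith@example-campaign.org",
     "links": [("https://docs.example-campaign.org/memo",
                "https://docs.example-campaign.org/memo")]},
    {"from": "a.smit@example-campaign.org",
     "links": [("https://accounts.google.com/signin",
                "http://accounts.google.com-signin.example.net/reset")]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or "clean")
```

The edit-distance threshold of 1 is deliberately tight: it catches the single-character deviation the indictment describes without flagging every short address that happens to resemble another. The link check compares hostnames rather than full URLs, so a lure that copies a genuine reset path onto an attacker's domain is still caught.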
March 2016 was also when the Russians began their intrusions into the DNC and the DCCC. Their reconnaissance involved looking up the internet addresses that supported the committees’ networks and gathering publicly available information about their targets that could make the spearphishing messages more convincing.
They got their first hit at the DCCC on April 12, accessing the committee’s network using credentials stolen from a female employee six days earlier.
• Peering over DCCC employees' shoulders: Between April and June 2016, the hackers installed malware called X-Agent on “at least ten DCCC computers,” according to the indictment. The malware lurked silently on the DCCC network, harvesting employees’ passwords, logging their keystrokes and capturing their screens as they typed details about the committee’s finances and other sensitive matters. It also transferred DCCC files to a server in Arizona that the Russians had leased.
On April 14, the Russians used the malware to watch their first DCCC victim communicating with colleagues and planning “fundraising and voter outreach projects.” Eight days later, they watched a second employee discuss the committee’s finances.
• Breaking into the DNC: The indictment reveals that the Russians got into the DNC through their access to the DCCC. On April 18, they used their malware to steal the credentials of a DCCC employee who had access to the DNC network. From there, they set to work gaining wider access to the DNC. By the end of June 2016, they had accessed around 33 DNC computers.
Four days after first breaching the DNC, the Russians bundled up several gigabytes of committee data for transfer. They later moved it to a server they leased in Illinois.
Between late May and early June 2016, according to the indictment, the hackers breached the DNC’s Microsoft-hosted email service and stole “thousands of emails” from committee workers.
• Thwarting the Democrats' defenses: The indictment sheds some light on the Russians’ efforts to maintain access to their victims’ systems even after they were discovered. For example, although cybersecurity firm CrowdStrike wiped and reconfigured DNC employees’ computers, a Linux-based version of the Russian malware “remained on the DNC network” until around October 2016, weeks before the election. The lesson for defenders is that a cleanup limited to workstations can miss an implant on a server or other non-Windows host.
• Using WikiLeaks and other outlets: The charges also describe how the Russians set up a website called DC Leaks to publish many of their stolen files, how they used their “Guccifer 2.0” lone-hacker persona to reject experts’ charges of Russian meddling, and how they transferred a large collection of stolen material to an unidentified organization that published more than 20,000 DNC emails and documents on July 22, 2016.
Based on the date provided, the unnamed organization is WikiLeaks. The indictment says the organization discussed the best timing for releasing the pilfered documents, telling the hackers in a private message it wanted to seize on "conflict between bernie and hillary" before the Democratic National Convention.
"[W]e think trump has only a 25% chance of winning against hillary," the organization added, according to the indictment.
Mueller’s indictment also reveals that a congressional candidate contacted the Russians’ “Guccifer 2.0” persona on August 15, 2016, seeking stolen documents on the candidate’s opponent. According to the indictment, the Russians provided the candidate with the files.
The hackers also provided unnamed reporters with access to stolen documents, the indictment says, including emails stolen from Podesta's account.
Meanwhile, the indictment’s description of how the Russians funded their activities reflects the breadth of U.S. intelligence agencies’ monitoring capabilities. Several paragraphs describe how investigators linked specific purchases — including payments for the DC Leaks website and for a server used to store stolen files — to the same cryptocurrency accounts. One paragraph reveals that American spies even know which computer in Russia was used to activate a Twitter account for the Russians’ social media activities — it was the same computer that the hackers used to pose as DC Leaks.