The Mueller Report – III. Russian Hacking and Dumping Operations

A and B. GRU Hacking and Dissemination of the Hacked Materials

pp 36 – 49

It looks like Jerrold Nadler plans to make the Mueller report a central part of the leadup to impeachment proceedings, so we should continue to pay attention to it. I was concerned that it would go on the ever-mounting pile of Donald Trump’s misdeeds and fade from sight. With Nadler subpoenaing the materials behind the report, we will be hearing more about it. Lawfare continues to produce their podcasts. Here are Part II and Part III.

Section III is long. I am going to take it a bit at a time. We are now getting into the part of the report that describes how the Russians interfered in the 2016 election and how the Trump campaign interacted with them.

GRU is the acronym for the Russian-language name of Russia’s military intelligence organization, the Main Intelligence Directorate of the General Staff. The GRU competes in such things with the FSB, Russia’s Federal Security Service, roughly the equivalent of the FBI.

The hacking of computers belonging to various organizations and individuals in the Democratic Party was massive. The purpose was to release the documents in ways that would be damaging to the Democratic Party and the Clinton campaign.

The hacking began in March 2016 and continued into April, targeting

the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. (p. 36)

The computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) were compromised.

The hacking was carried out by spearphishing. It was hard to find a good definition of spearphishing. Many definitions come from the viewpoint of computer developers rather than the users who are targeted. The “spear” part indicates relatively narrow targeting of a particular group of people, in this case the DCCC and DNC.

The FBI has a definition that can be helpful to users. The perpetrators get enough information to design emails that look like they come from a trusted source.

…the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Only one person needed to fall for this to let the Russians into the Democratic Party networks. Twenty-nine computers on the DCCC network and more than 30 on the DNC network, including the mail server and shared file server, were compromised. Malware was implanted to record keystrokes and to download data.


Dissemination of the Hacked Materials (pp 41-48)

The simplicity of the statements in the report indicates a deep set of sources.

The GRU carried out the anonymous release through two fictitious online personas that it created – DCLeaks and Guccifer 2.0 – and later through the organization WikiLeaks. (p. 41)

DCLeaks had Facebook and Twitter accounts. The website remained operational and public until March 2017.

Posting of documents began in June 2016. The documents seem to have come from email accounts, including those of an advisor to the Clinton Campaign, a former DNC employee and Clinton Campaign employee, and four other campaign volunteers.

The GRU released through DCLeaks thousands of documents, including personal identifying and financial information, internal correspondence related to the Clinton Campaign and prior political jobs, and fundraising files and information. (p. 41)


Guccifer 2.0

On June 15, the day after the DNC announced the breach of its network, GRU officers using the persona Guccifer 2.0 created a WordPress blog, posing as a lone Romanian hacker. That same day, the website began to release DNC and DCCC documents, ultimately releasing thousands of them.

Released documents included opposition research performed by the DNC (including a memorandum analyzing potential criticisms of candidate Trump), internal policy documents (such as recommendations on how to address politically sensitive issues), analyses of specific congressional races, and fundraising documents. Releases were organized around thematic issues, such as specific states (e.g., Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S. presidential election. (p. 43)

Later in June, the Guccifer 2.0 persona released documents to reporters and other interested individuals. This continued into August.

Through the Guccifer 2.0 persona, the GRU was in contact with a former Trump campaign member. The member’s identity is redacted, with the reason given as “Harm to Ongoing Matter.”


Use of WikiLeaks

In November 2015, Julian Assange emailed WikiLeaks staff to set an anti-Clinton tone for the organization. In March 2016, WikiLeaks released a searchable archive of approximately 30,000 Clinton emails that had been obtained through FOIA litigation. Both actions were before the GRU hacked the DNC and DCCC.

Shortly after the GRU began releasing stolen documents through DCLeaks in June 2016, DCLeaks contacted WikiLeaks, and WikiLeaks contacted Guccifer 2.0. WikiLeaks wanted their material. The communications were partly hidden, but it is clear that the GRU transferred stolen DNC and Podesta documents to WikiLeaks.

The Office cannot rule out that stolen documents were transferred to WikiLeaks through intermediaries who visited Assange during the summer of 2016. For example, public reporting identified Andrew Müller-Maguhn as a WikiLeaks associate who may have assisted with the transfer of these stolen documents to WikiLeaks. (p. 47)

On October 7, 2016, WikiLeaks released the first emails stolen from the Podesta email account. WikiLeaks released 33 tranches of stolen emails between October 7, 2016 and November 7, 2016, immediately before the election. The releases included private speeches given by Clinton; internal communications; and correspondence related to the Clinton Foundation. WikiLeaks released over 50,000 documents stolen from Podesta’s personal email account.

WikiLeaks and Assange made several public statements about the source of the materials that were designed to obscure that source. They implied that Seth Rich, a former DNC staff member who was killed in July 2016 and the subject of right-wing conspiracy theorizing, was the source. After the U.S. intelligence community publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking.


The report gives much more detail about how the communications took place.

The second paragraph of the section overview (p. 36) has significant redactions, the reason for which is given as “Harm to Ongoing Matter.” This probably refers to the counterintelligence investigation. Mueller referred to that investigation in his testimony on July 24. Obviously this is justifiable in terms of legal procedure, but we need to know more about that investigation. I’ll write a post about this later in this sequence.

Investigative methods are redacted. This is not important for understanding. Clearly the FBI hacked into the GRU’s communications and materials. That’s all we need to know. According to reporting from a couple of years ago, Dutch intelligence gained access to Russian government computers in 2014 and warned the US about potential hacking of Democratic Party organizations. The operation that provided information to Mueller must have been something like that.


One comment

  1. The Blog Fodder · August 6, 2019

    It is hard to believe only Democratic servers were hacked. Hacking of Republican servers would likely have provided enough material to send some or even many to jail. Holding this over their head, along with well placed “contributions” to campaigns might account for the GOP’s reluctance to condemn Russian interference past and present. That and it seems to help get them elected.

