Muller Report - GRU


RESULT: 1

PAGE: 2

TEXT:

  U.S. Department of Justice At:t:ef'fle)' Werle Predttet /,' Ma;? CeHtail'l
  Material Preteeted UHder Fed. R. Crim. P. 6(e) TABLE OF CONTENTS -VOLUME I
  INTRODUCTION TO VOLUME I .......................................................
  ................................................... 1 EXECUTIVE SUMMARY TO
  VOLUME 1. ................................................ ,
  ............................................. 4 I. THE SPECIAL COUNSEL'S
  INVESTIGATION
  ......................................................................... ,
  ....... 11 II. RUSSIAN "ACTIVE MEASURES" SOCIAL MEDIA CAMPAIGN
  ..................................................... 14 A. Structure of the
  Internet Research Agency
  ................................................................. 15 B. Funding
  and Oversight from Concord and Prigozhin
  ................................................. 16 C. The IRA Targets U.S.
  Elections ......................................................................
  ............ 19 1. The IRA Ramps Up U.S. Operations As Early As 2014
  ....................... , .............. 19 2. U.S. Operations Through IRA-
  Controlled Social Media Accounts ..................... 22 3. U.S. Operations
  Through Facebook.
  ..................................................................... 24 4. U.S.
  Operations Through Twitter
  ......................................................................... 26 a.
  Individualized Accounts ........................................................
  ........................... 26 b. IRA Botnet Activities ........................
  .............................................................. 28 5. U.S.
  Operations Involving Political Rallies
  .......................................................... 29 6. Targeting and
  Recruitment of U.S. Persons
  .......................................................... 31 7. Interactions
  and Contacts with the Trump Campaign ...........................................
  33 a. Trump Campaign Promotion ofIRA Political Materials
  ................................. 33 b. Contact with Trump Campaign Officials in
  Connection to Rallies ................. 35 Ill. RUSSIAN HACKING AND DUMPING
  OPERATIONS .....................................................................
  36 A. GRU Hacking Directed at the Clinton Campaign
  ....................................................... 36 1. GRU Units Target
  the Clinton Campaign
  ............................................................. 36 2. Intrusions
  into the DCCC and DNC Networks
  ..................................................... 38 a. Initial Access .....
  ................................................................................
  ............... 3 8 b. Implantation ofMalware on DCCC and DNC Networks
  ................................ 38 c. Theft of Documents from DNC and DCCC
  Networks .................................... 40 B. Dissemination of the Hacked
  Materials ......................................................................
  41 I. DCLeaks ..................................................................
  ............................................. 41 2. Guccifer 2.0 ...............
  ................................................................................
  ............ 42 3. Use of WikiLeaks .................................. :
  .............................................................. 44 a. WikiLeaks's
  Expressed Opposition Toward the Clinton Campaign ............... 44 b.
  WikiLeaks's First Contact with Guccifer 2.0 and DCLeaks
  ........................... 45

RESULT: 2

PAGE: 3

TEXT:

  U.S. Department of Justice MterHey Werk Pretittet // Ma,? Cel'ltail'I Material
  Preteeteti UH:tier Fee. R. Crim. P. 6(e) c. The GRU's Transfer of Stolen
  Materials to WikiLeaks .................................. 45 d. ? WikiLeaks
  Statements Dissembling About the Source of Stolen Materials ....................
  ................................................................................
  .... 48 C. Additional GRU Cyber Operations
  ............................................................................. 49
  l. Summer and Fall 2016 Operations Targeting Democrat-Linked Victims
  ............ 49 2. Intrusions Targeting the Administration of U.S. Elections
  ................................... 50 D. Trump Campaign and the Dissemination
  of Hacked Materials .................................. 51 l. ...................
  ........................................................................... 51
  a. Background ..................................................................
  .................................... 51 b. Contacts with the Campaign about
  WikiLeaks ................................................ 52 C. Harm to Ongoing
  Matter .................... 54 d. WikiLeaks's October 7, 2016 Release of Stolen
  Podesta Emails .................... 58 e. Donald Trump Jr. Interaction with
  WikiLeaks ................................................ 59 2. Other Potential
  Campaign Interest in Russian Hacked Materials ......................... 61 a.
  Henry Oknyansky (a/k/a Henry Greenberg)
  .................................................... 61 b. Campaign Efforts to
  Obtain Deleted Clinton Emails ...................................... 62 IV.
  RUSSIAN GOVERNMENT LINKS To AND CONTACTS WITH THE TRUMP CAMPAIGN
  ................ 66 A. Campaign Period (September 2015 -November 8, 2016)
  ......................................... 66 1. Trump Tower Moscow Project
  ............................................................................. 67
  a. Trump Tower Moscow Venture with the Crocus Group (2013-2014) ............ 67
  b. Communications with LC. Expert Investment Company and Giorgi Rtskhiladze
  (Summer and Fall 2015)
  ............................................................ 69 c. Letter of
  Intent and Contacts to Russian Government (October 2015-January 2016) ..........
  ................................................................................
  ...... 70 i. Trump Signs the Letter of Intent on behalf of the Trump
  Organization .... 70 ii. Post-LOI Contacts with Individuals in Russia
  ......................................... 72 d. Discussions about Russia Travel
  by Michael Cohen or Candidate Trump (December 2015-June 2016)
  ......................................................................... 76 i.
  Sater's Overtures to Cohen to Travel to Russia
  ........................................ 76 ii. Candidate Trump's Opportunities
  to Travel to Russia ............................ 78 2. George Papadopoulos .....
  ................................................................................
  ...... 80 a. Origins of Campaign Work
  ..............................................................................
  81 b. Initial Russia-Related Contacts
  ........................................................................ 82 c.
  March 31 Foreign Policy Team Meeting
  ......................................................... 85 ii

RESULT: 3

PAGE: 11

TEXT:

  U.S. Department of Justice Atterrte~? Werk Predttet // May Cetttairt Material
  Preteetee Urteer Fee. R. Crim. P. 6(e) EXECUTIVE SUMMARY TO VOLUME I RUSSIAN
  SOCIAL MEDIA CAMPAIGN The Internet Research Agency (IRA) carried out the
  earliest Russian interference operations identified by the investigation-a
  social media campaign designed to provoke and amplify political and social
  discord in the United States. The IRA was based in St. Petersburg, Russia, and
  received funding from Russian oligarch Y evgeniy Prigozhin and companies he
  controlled. Pri ozhin is widel re orted to have ties to Russian President
  Vladimir Putin In mid-2014, the IRA sent em lo mission with instructions The IRA
  later used social media accounts and interest groups to sow discord in the U.S.
  political system through what it termed "information warfare." The campaign
  evolved from a generalized program designed in 2014 and 2015 to undermine the
  U.S. electoral system, to a targeted operation that by early 2016 favored
  candidate Trump and disparaged candidate Clinton. The IRA' s operation also
  included the purchase of political advertisements on social media in the names
  of U.S. persons and entities, as well as the staging of political rallies inside
  the United States. To organize those rallies, IRA employees posed as U.S.
  grassroots entities and persons and made contact with Trump supporters and Trump
  Campaign officials in the United States. The investigation did not identify
  evidence that any U.S. persons conspired or coordinated with the IRA. Section II
  of this report details the Office's investigation of the Russian social media
  campaign. RUSSIAN HACKING OPERATIONS At the same time that the IRA operation
  began to focus ?on supporting candidate Trump in early 2016, the Russian
  government employed a second form of interference: cyber intrusions (hacking)
  and releases of hacked materials damaging to the Clinton Campaign. The Russian
  intelligence service known as the Main Intelligence Directorate of the General
  Staff of the Russian Army (GRU) carried out these operations. In March 2016, the
  GRU began hacking the email accounts of Clinton Campaign volunteers and
  employees, including campaign chairman John Podesta. In April 2016, the GRU
  hacked into the computer networks of the Democratic Congressional Campaign
  Committee (DCCC) and the Democratic National Committee (DNC). The GRU stole
  hundreds of thousands of documents from the compromised email accounts and
  networks. Around the time that the DNC announced in mid-June 2016 the Russian
  government's role in hacking its network, the GRU began disseminating stolen
  materials through the fictitious online personas "DCLeaks" and "Guccifer 2.0."
  The GRU later released additional materials through the organization WikiLeaks.
  4

RESULT: 4

PAGE: 12

TEXT:

  U.S. Department of Justice AH:erHey \?Brit Pr6d1:1et // Mtty Cet1:tttifl
  Mttterittl Preteeted Ut1:der Fed. R. Ct1iffl. P. 6(e) The presidential campaign
  of Donald J. Trump ("Trump Campaign" or "Campaign") showed interest in
  WikiLeaks's releases of documents and welcomed their otential to damage
  candidate Clinton. Beginning in June 2016,
  llfilllillliliilfll~llliillllllilllilli forecast to senior Campaign officials
  that WikiLeaks would release information damaging to candidate Clinton.
  WikiLeaks's first release came in July 2016. Around the same time, candidate
  Trump announced that he hoped Russia would recover emails described as missing
  from a private server used b Clinton when she was Secreta of State he later said
  that he was s ? eakin sarcasticall . WikiLeaks began releasing Podesta' s stolen
  emails on October 7, 2016, less than one hour after a U.S. media outlet released
  video considered damaging to candidate Trump. Section lII of this Report details
  the Office's investigation into the Russian hacking operations, as well as other
  efforts by Trump Campaign supporters to obtain Clinton-related emails. RUSSIAN
  CONTACTS WITH THE CAMPAIGN The social media campaign and the GRU hacking
  operations coincided with a series of contacts between Trump Campaign officials
  and individuals with ties to the Russian government. The Office investigated
  whether those contacts reflected or resulted in the Campaign conspiring or
  coordinating with Russia in its election-interference activities. Although the
  investigation established that the Russian government perceived it would benefit
  from a Trump presidency and worked to secure that outcome, and that the Campaign
  expected it would benefit electorally from information stolen and released
  through Russian efforts, the investigation did not establish that members of the
  Trump Campaign conspired or coordinated with the Russian government in its
  election interference activities. The Russian contacts consisted of business
  connections, offers of assistance to the Campaign, invitations for candidate
  Trump and Putin to meet in person, invitations for Campaign officials and
  representatives of the Russian government to meet, and policy positions seeking
  improved U.S.-Russian relations. Section IV of this Report details the contacts
  between Russia and the Trump Campaign during the campaign and transition
  periods, the most salient of which are summarized below in chronological order.
  2015. Some of the earliest contacts were made in connection with a Trump
  Organization real-estate project in Russia known as Trump Tower Moscow.
  Candidate Trump signed a Letter oflntent for Trump Tower Moscow by November
  2015, and in January 2016 Trump Organization executive Michael Cohen emailed and
  spoke about the project with the office of Russian government press secretary
  Dmitry Peskov. The Trump Organization pursued the project through at least June
  2016, including by considering travel to Russia by Cohen and candidate Trump.
  Spring 2016. Campaign foreign policy advisor George Papadopoulos made early
  contact with Joseph Mifsud, a London-based professor who had connections to
  Russia and traveled to Moscow in April 2016. Immediately upon his return to
  London from that trip, Mifsud told Papadopoulos that the Russian government had
  "dirt" on Hillary Clinton in the form of thousands 5

RESULT: 5

PAGE: 13

TEXT:

  U.S. Department of Justice l\.ttortte~? Work Pt'od1:1et // Mtty Cotttttitt
  Mttterittl Proteeted Uttder Fed. R. Criffl. P. 6(e) of emails. One week later,
  in the first week of May 2016, Papadopoulos suggested to a representative of a
  foreign government that the Trump Campaign had received indications from the
  Russian government that it could assist the Campaign through the anonymous
  release of information damaging to candidate Clinton. Throughout that period of
  time and for several months thereafter, Papadopoulos worked with Mifsud and two
  Russian nationals to arrange a meeting between the Campaign and the Russian
  government. No meeting took place. Summer 2016. Russian outreach to the Trump
  Campaign continued into the summer of 2016, as candidate Trump was becoming the
  presumptive Republican nominee for President. On June 9, 2016, for example, a
  Russian lawyer met with senior Trump Campaign officials Donald Trump Jr., Jared
  Kushner, and campaign chairman Paul Manafort to deliver what the email proposing
  the meeting had described as "official documents and information that would
  incriminate Hillary." The materials were offered to Trump Jr. as "part of Russia
  and its government's support for Mr. Trump." The written communications setting
  up the meeting showed that the Campaign anticipated receiving information from
  Russia that could assist candidate Trump's electoral prospects, but the Russian
  lawyer's presentation did not provide such information. Days after the June 9
  meeting, on June 14, 2016, a cybersecurity firm and the DNC announced that
  Russian government hackers had infiltrated the DNC and obtained access to
  opposition research on candidate Trump, among other documents. In July 2016,
  Campaign foreign policy advisor Carter Page traveled in his personal capacity to
  Moscow and gave the keynote address at the New Economic School. Page had lived
  and worked in Russia between 2003 and 2007. After returning to the United
  States, Page became acquainted with at least two Russian intelligence officers,
  one of whom was later charged in 2015 with conspiracy to act as an unregistered
  agent of Russia. Page's July 2016 trip to Moscow and his advocacy for pro-
  Russian foreign policy drew media attention. The Campaign then distanced itself
  from Page and, by late September 2016, removed him from the Campaign. July 2016
  was also the month WikiLeaks first released emails stolen by the GRU from the
  DNC. On July 22, 2016, WikiLeaks posted thousands of internal DNC documents
  revealing information about the Clinton Campaign. Within days, there was public
  reporting that U.S. intelligence agencies had "high confidence" that the Russian
  government was.behind the theft of emails and documents from the DNC. And within
  a week of the release, a foreign government informed the FBI about its May 2016
  interaction with Papadopoulos and his statement that the Russian government
  could assist the Trump Campaign. On July 31, 2016, based on the foreign
  government rep01ting, the FBI opened an investigation into potential
  coordination between the Russian government and individuals associated with the
  Trump Campaign. Separately, on August 2, 2016, Trump campaign chairman Paul
  Manafort met in New York City with his long-time business associate Konstantin
  Kilimnik, who the FBI assesses to have ties to Russian intelligence. Kilimnik
  requested the meeting to deliver in person a peace plan for Ukraine that
  Manafort acknowledged to the Special Counsel's Office was a "backdoor" way for
  Russia to control part of eastern Ukraine; both men believed the plan would
  require candidate Trump's assent to succeed (were he to be elected President).
  They also discussed the status of the 6

RESULT: 6

PAGE: 14

TEXT:

  U.S. Department of Justice Atteffle'.} 'Nm?k P1:1edttet // May Cm~taitt Material
  Preteetecl Uttcler Fed. R. C1:1im. P. 6(e) Trump Campaign and Manafort's
  strategy for winning Democratic votes in Midwestern states. Months before that
  meeting, Manafort had caused internal polling data to be shared with Kilimnik,
  and the sharing continued for some period of time after their August meeting.
  Fall 2016. On October 7, 2016, the media released video of candidate Trump
  speaking in graphic terms about women years earlier, which was considered
  damaging to his candidacy. Less than an hour later, WikiLeaks made its second
  release: thousands of John Podesta's emails that had been stolen by the GRU in
  late March 2016. The FBI and other U.S. government institutions were at the time
  continuing their investigation of suspected Russian government efforts to
  interfere in the presidential election. That same day, October 7, the Department
  of Homeland Security and the Office of the Director of National Intelligence
  issued a joint public statement "that the Russian Government directed the recent
  compromises of e-mails from US persons and institutions, including from US
  political organizations." Those "thefts" and the "disclosures" of the hacked
  materials through online platforms such as WikiLeaks, the statement continued,
  "are intended to interfere with the US election process." Post-2016 Election.
  Immediately after the November 8 election, Russian government officials and
  prominent Russian businessmen began trying to make inroads into the new
  administration. The most senior levels of the Russian government encouraged
  these efforts. The Russian Embassy made contact hours after the election to
  congratulate the President-Elect and to arrange a call with President Putin.
  Several Russian businessmen picked up the effort from there. Kirill Dmitriev,
  the chief executive officer of Russia's sovereign wealth fund, was among the
  Russians who tried to make contact with the incoming administration. In early
  December, a business associate steered Dmitriev to Erik Prince, a supporter of
  the Trump Campaign and an associate of senior Trump advisor Steve Bannon.
  Dmitriev and Prince later met face-to-face in January 2017 in the Seychelles and
  discussed U.S.-Russia relations. During the same period, another business
  associate introduced Dmitriev to a friend of Jared Kushner who had not served on
  the Campaign or the Transition Team. Dmitriev and Kushner's friend collaborated
  on a short written reconciliation plan for the United States and Russia, which
  Dmitriev implied had been cleared through Putin. The friend gave that proposal
  to Kushner before the inauguration, and Kushner later gave copies to Bannon and
  incoming Secretary of State Rex Tillerson. On December 29, 2016, then-President
  Obama imposed sanctions on Russia for having interfered in the election.
  Incoming National Security Advisor Michael Flynn called Russian Ambassador
  Sergey Kislyak and asked Russia not to escalate the situation in response to the
  sanctions. The following day, Putin announced that Russia would not take
  retaliatory measures in response to the sanctions at that time. Hours later,
  President-Elect Trump tweeted, "Great move on delay (by V. Putin)." The next
  day, on December 31, 2016, Kislyak called Flynn and told him the request had
  been received at the highest levels and Russia had chosen not to retaliate as a
  result of Flynn's request. * * * On January 6, 2017, members of the intelligence
  community briefed President-Elect Trump on a joint assessment-drafted and
  coordinated among the Central Intelligence Agency, FBI, and 7

RESULT: 7

PAGE: 43

TEXT:

  U.S. Department of Justice Attem1:ey Work Prod1:1et /,' M1ty Cot1t1tit1
  Mftteri1tl Proteeted Ut1der Fed. R. Crifl'I. P. 6(e) III. RUSSIAN HACKING AND
  DUMPING OPERATIONS Beginning in March 2016, units of the Russian Federation's
  Main Intelligence Directorate of the General Staff (GRU) hacked the computers
  and email accounts of organizations, e?mployees, and volunteers supporting the
  Clinton Campaign, including the email account of campaign chairman John Podesta.
  Starting in April 2016, the GRU hacked into the computer networks of the
  Democratic Congressional Campaign Committee (DCCC) and the Democratic National
  Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton
  Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds
  of thousands of documents from the compromised email accounts and networks.109
  The GRU later released stolen Clinton Campaign and DNC documents through online
  personas, "DCLeaks" and "Guccifer 2.0," and later through the organization
  WikiLeaks. The release of the documents was designed and timed to interfere with
  the 2016 U.S. presidential election and undermine the Clinton Campaign. , the
  Trump Campaign about WikiLeaks's activities. The investigation was unable to
  resolve WikiLeaks's release of the stolen Podesta emails on October 7, 2016, the
  same day a video from years earlier was published of Trump using graphic
  language about women. A. GRU Hacking Directed at the Clinton Campaign 1. GRU
  Units Target the Clinton Campaign Two military units of the GRU carried out the
  computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units
  26165 and 74455.110 Military Unit 26165 is a GRU cyber unit dedicated to
  targeting military, political, governmental, and non-governmental organizations
  outside of Russia, including in the United States.111 The unit was sub-divided
  into departments with different specialties. One department, for example,
  developed specialized malicious software "malware" , while another de artment
  conducted large-scale spearphishing campaigns.112 jfllllililliliilllilli
  lilillllll~ a bitcoin mining operation to 109 As discussed in Section V below,
  our Office charged 12 GRU officers for crimes arising from the hacking of these
  computers, principally with conspiring to commit computer intrusions, in
  violation of 18 U.S.C. ?? 1030 and 371. See Volume I, Section V.B, infra;
  Indictment, United States v. Netyksho, No. I :18-cr-215 (D.D.C. July 13, 2018),
  Doc. 1 ("Netyksho Indictment"). 110 Netyksho Indictment ,r 1. 111 Separate from
  this Office's indictment of GRU officers, in October 2018 a grand jury sitting
  in the Western District of Pennsylvania returned an indictment charging certain
  members of Unit 26165 with hacking the U.S. Anti-Doping Agency, the World Anti-
  Doping Agency, and other international sport associations. United States v.
  Aleksei Sergeyevich Morenets, No. 18-263 (W.D. Pa.). 112 A spearphishing email
  is designed to appear as though it originates from a trusted source, and
  solicits information to enable the sender to gain access to an account or
  network, or causes the recipient to 36

RESULT: 8

PAGE: 44

TEXT:

  U.S. Department of Justice MorAey Work Prodttet // Ma:,? CoAiait\ Material
  Protected UAder Fed. R. Criffl. P. 6(e) secure bitcoins used to purchase
  computer infrastructure used in hacking operations.113 Military Unit 74455 is a
  related GRU unit with multiple departments that engaged in cyber operations.
  Unit 74455 assisted in the release of documents stolen by Unit 26165, the
  promotion of those releases, and the publication of anti-Clinton content on
  social media accounts operated by the GRU. Officers from Unit 74455 separately
  hacked computers belonging to state boards of elections, secretaries of state,
  and U.S. companies that supplied software and other technology related to the
  administration of U.S. elections.114 Beginning in mid-March 2016, Unit 26165 had
  primary responsibility for hacking the DCCC and DNC, as well as email accounts
  of individuals affiliated with the Clinton Campaign: 115 Unit 26165 used
  Investigative Technique began before the GRU had obtained any credentials or
  gained access to these networks, indicating that the later DCCC and DNC
  intrusions were not crimes of opportunity but rather the result of targeting.116
  GRU officers also sent hundreds of spearphishing emails to the work and personal
  email accounts of Clinton Campaign employees and volunteers. Between March 10,
  2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90
  spearphishing emails to email accounts at hillaryclinton.com. Starting on March
  15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign
  employees, along with a smaller number of dnc.org email accounts.117 The GRU
  spearphishing operation enabled it to gain access to numerous email accounts of
  Clinton Campaign employees and volunteers, including campaign chairman John
  Podesta, junior volunteers assigned to the Clinton Campaign's advance team,
  informal Clinton Campaign advisors, and a DNC employee.118 GRU officers stole
  tens of thousands of emails from spearphishing victims, including various
  Clinton Campaign-related communications. download malware that enables the
  sender to gain access to an account or network. Netyksho Indictment 10. 113
  Bitcoin mining consists of unlocking new bitcoins by solving computational
  problems. Ill 1111 kept its newly mined coins in an account on the bitcoin
  exchange platform CEX.io. To make purchases, the GRU routed funds into other
  accounts through transactions designed to obscure the source of funds. Netyksho
  Indictment~ 62. 114 Netyksho Indictment~ 69. 115 Netyksho Indictment~ 9. 116 See
  SM-2589105, serials 144 & 495. 118 Investigative Technique 37

RESULT: 9

PAGE: 45

TEXT:

  U.S. Department of Justice Attert1ey Werk P12ed1:1et // :Mt:ty Cmttaitt
  Materit:tl Preteeted Ut1der Fed. R. Criffl. P. 6(e) 2. Intrusions into the DCCC
  and DNC Networks a. Initial Access By no later than April 12, 2016, the GRU had
  gained access to the DCCC computer network using the credentials stolen from a
  DCCC employee who had been successfully spearphished the week before. Over the
  ensuing weeks, the GRU traversed the network, identifying different computers
  connected to the DCCC network. By stealing network access credentials along the
  way (including those of IT administrators with unrestricted access to the
  system), the GRU compromised approximately 29 different computers on the DCCC
  network.119 Approximately six days after first hacking into the DCCC network, on
  April 18, 2016, GRU officers gained access to the DNC network via a virtual
  private network (VPN) connection120 between the DCCC and DNC networks.121
  Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30
  computers on the DNC network, including the DNC mail server and shared file
  server.122 b. Implantation of Ma/ware on DCCC and DNC Networks Unit 26165
  implanted on the DCCC and DNC networks two types of customized malware, 123
  known as "X-Agent" and "X-Tunnel"; Mimikatz, a credential-harvesting tool; and
  rar.exe, a tool used in these intrusions to compile and compress materials for
  exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165
  to log keystrokes, take screenshots, and gather other data about the infected
  computers (e.g., file directories, operating systems).124 Tunnel was a hacking
  tool that created an encrypted connection between the victim DCCC/DNC computers
  and GRU-controlled computers outside the DCCC and DNC networks that was capable
  of large-scale data transfers.125 GRU officers then used X-Tunnel to exfiltrate
  stolen data from the victim computers. 120 A VPN extends a private network,
  allowing users to send and receive data across public networks (such as the
  internet) as if the connecting computer was directly connected to the private
  network. The VPN in this case had been created to give a small number of DCCC
  employees access to certain databases housed on the DNC network. Therefore,
  while the DCCC employees were outside the DNC's private network, they could
  access parts of the DNC network from their DCCC computers. Investigative
  Technique Investigative Technique 123 "Malware" is short for malicious software,
  and here refers to software designed to allow a third party to infiltrate a
  computer without the consent or knowledge of the computer's user or operator.
  124 Investigative Technique 125 Investigative Technique 38

RESULT: 10

PAGE: 46

TEXT:

  U.S. Department of Justice Att:on1ey Work Proattet // Mtty Col'l:tttil'I:
  Mttterittl Proteetea Unser Fea. R. Crim.. P. 6(e) To operate X-Agent and
  X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of
  computers outside those networks to communicate with the implanted malware.126
  The first set of GRU-controlled computers, known by the GRU as "middle servers,"
  sent and received messages to and from malware on the DNC/DCCC networks. The
  middle servers, in turn, relayed messages to a second set of GRU-controlled
  com;?'ters, labeled internally by the GRU as an "AMS Panel." The AMS Panel jjjff
  11'??\1flffl 1?j'1?-served as a nerve center through which GRU officers
  monitored and directed the malware's operations on the DNC/DCCC networks.127 ! .
  ? . ? ? ? : Investigative Technique Investigative Technique Investigative
  Technique 126 In connection with these intrusions, the GRU used computers
  (virtual private networks, dedicated servers operated by hosting companies,
  etc.) that it leased from third-party providers located all over the world. The
  investi ation identified rental a reements and payments for computers located
  in, inter alia, -~-~-Ii IIMliilili all of which were used in the operations
  targeting the U.S. election. 127 Netyksho Indictment ,r 25. 128 Netyksho
  Indictment ,r 24( c ). 129 Netyksho Indictment ,r 24(b ). 39

RESULT: 11

PAGE: 47

TEXT:

  U.S. Department of Justice Atlorttey Work Prodttet // May Cotttaifl Material
  Proteeted Under Fed. R. Crim. P. 6Ee) The Arizona-based AMS Panel also stored
  thousands of files containing keylogging sessions captured through X-Agent.
  These sessions were captured as GRU officers monitored DCCC and DNC employees'
  work on infected computers regularly between April 2016 and June 2016. Data
  captured in these key logging sessions included passwords, internal
  communications between employees, banking information, and sensitive personal
  information. c. Theft of Documents from DNC and DCCC Networks Officers from Unit
  26165 stole thousands of documents from the DCCC and DNC networks, including
  significant amounts of data pertaining to the 2016 U.S. federal elections.
  Stolen documents included internal strategy documents, fundraising data,
  opposition research, and emails from the work inboxes of DNC employeesY0 The GRU
  began stealing DCCC data shortly after it gained access to the network. On April
  14, 2016 (approximately three days after the initial intrusion) GRU officers
  downloaded rar.exe onto the DCCC's document server. The following day, the GRU
  searched one compromised DCCC computer for files containing search terms that
  included "Hillary," "DNC," "Cruz," and "Trump."131 On April 25, 2016, the GRU
  collected and compressed PDF and Microsoft documents from folders on the DCCC's
  shared file server that pertained to the 2016 election.132 The GRU appears to
  have compressed and exfiltrated over 70 gigabytes of data from this file
  server.133 The GRU also stole documents from the DNC network shortly after
  gaining access. On April 22, 2016, the GRU copied files from the DNC network to
  GRU-controlled computers. Stolen documents included the DNC' s opposition
  research into candidate Trump.134 Between approximately May 25, 2016 and June 1,
  2016, GRU officers accessed the DNC's mail server from a GRU-controlled computer
  leased inside the United States.135 During these connections, 130 Netyksho
  Indictment ,i,i 27-29; Investigative Technique 131 Investigative Technique
  Investigative Technique Investigative Technique ? Investigative Technique
  SM-2589105-HACK, serial 5. Investigative Technique 135 Investigative Technique
  -See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later
  received images ofDNC servers and copies of relevant traffic logs. Netyksho
  Indictment ,i,i 28-29. 40

RESULT: 12

PAGE: 48

TEXT:

  U.S. Department of Justice Attarl'ley Werk Predttet // Mey Cel'ltail'l Material
  Preteeted Unaer Fed. R. Cril'l'I. P. 6(e) Unit 26165 officers appear to have
  stolen thousands of emails and attachments, which were later released by
  WikiLeaks in July 2016.136 B. Dissemination of the Hacked Materials The GRU's
  operations extended beyond stealing materials, and included releasing documents
  stolen from the Clinton Campaign and its supporters. The GRU carried out the
  anonymous release through two fictitious online personas that it created-DCLeaks
  and Guccifer 2.0-and later through the organization WikiLeaks. 1. DCLeaks The
  GRU began planning the releases at least as early as April 19, 2016, when Unit
  26165 registered the domain dcleaks.com through a service that anonymized the
  registrant.137 Unit 26165 paid for the registration using a pool of bitcoin that
  it had mined. 138 The dcleaks.com landing page pointed to different tranches of
  stolen documents, arranged by victim or subject matter. Other dcleaks.com pages
  contained indexes of the stolen emails that were being released (bearing the
  sender, recipient, and date of the email). To control access and the timing of
  releases, pages were sometimes password-protected for a period of time and later
  made unrestricted to the public. Starting in June 2016, the GRU posted stolen
  documents onto the website dcleaks.com, including documents stolen from a number
  of individuals associated with the Clinton Campaign. These documents appeared to
  have originated from personal email accounts (in particular, Google and
  Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks
  victims included an advisor to the Clinton Campaign, a former DNC employee and
  Clinton Campaign employee, and four other campaign volunteers.139 The GRU
  released through dcleaks.com thousands of documents, including personal
  identifying and financial information, internal correspondence related to the
  Clinton Campaign and prior political jobs, and fundraising files and
  information.140 136 Netyksho Indictment ,i 29. The last-in-time DNC email
  released by WikiLeaks was dated May 25, 2016, the same period of time during
  which the GRU gained access to the DNC's email server. Netyksho Indictment ,i
  45. 137 Netyksho Indictment ,i 35. Approximately a week before the registration
  of dcleaks.com, the same actors attem ted to re ister the website
  electionleaks.com using the same domain registration service. 138 See
  SM-2589105, serial 181; Netyksho Indictment ,i 2l(a). 140 See, e.g., Internet
  Archive, "htt s://dcleaks.com/" archive date Nov. 10, 2016). Additionally,
  DCLeaks released documents relating to , emails belonging to_, and emails from
  2015 relating to Republican Party employees (under the portfolio name "The
  United States Republican Party"). "The United States Republican Party" portfolio
  contained approximately 300 emails from a variety of GOP members, PACs,
  campaigns, state parties, and businesses dated between May and October 2015.
  According to open-source reporting, these victims shared the same 41

RESULT: 13

PAGE: 49

TEXT:

  U.S. Department of Justice AM:6rt~ey W6rk Prndttet // Mtty CetttttiH Mttterittl
  Pr6teeted Umler Fed. R. Criffl. P. 6(e) GRU officers operated a Facebook page
  under the DCLeaks moniker, which they primarily used to promote releases of
  materials.141 The Facebook page was administered through a small number of
  preexisting GRU-controlled Facebook accounts.142 GRU officers also used the
  DCLeaks Facebook account, the Twitter account @dcleaks_, and the email account
  dcleaksproject@gmail.com to communicate privately with reporters and ? other
  U.S. persons. GRU officers using the DCLeaks persona gave certain reporters
  early access to archives of leaked files by sending them links and passwords to
  pages on the dcleaks.com website that had not yet become public. For example, on
  July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and
  password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook
  account.143 Similarly, on September 14, 2016, GRU officers sent reporters
  Twitter direct messages from @dcleaks_, with a password to another non-public
  part of the dcleaks.com website. 144 The DCLeaks.com website remained
  operational and public until March 2017. 2. Guccifer 2.0 On June 14, 2016, the
  DNC and its cyber-response team announced the breach of the DNC network and
  suspected theft of DNC documents. In the statements, the cyber-response team
  alleged that Russian state-sponsored actors (which they referred to as "Fancy
  Bear") were responsible for the breach. 145 Apparently in response to that
  announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0
  created a WordPress blog. In the hours leading up to the launch of that
  WordPress blog, GRU officers logged into a Moscow-based server used and managed
  by Unit 74455 and searched for a number of specific words and phrases in
  English, including "some hundred sheets," "illuminati," and "worldwide known."
  Approximately two hours after the last of those searches, Guccifer 2.0 published
  its first post, attributing the DNC server hack to a lone Romanian hacker and
  using several of the unique English words and phrases that the GRU officers had
  searched for that day.146 Tennessee-based web-hosting company, called Smartech
  Corporation. William Bastone, RNC E-Mail Was, In Fact, Hacked By Russians, The
  Smoking Gun (Dec. 13, 2016). 141 Netyksho Indictment ,r 38. 142 See, e.g.,
  Facebook Account 100008825623541 (Alice Donovan). 143 7/14/16 Facebook Message,
  ID 793058100795341 (DC Leaks) to ID 144 See, e .. , 9/14/16 Twitter DM, @dcleaks
  _ to KvFsgo/o* 14@gPgu&amp; enjoy;)." ; 9/14/16 Twitter OM, . The messages read:
  "Hi https://t.co/QTvKUjQcOx pass: 145 Dmitri Alperovitch, Bears in the Midst:
  Intrusion into the Democratic National Committee, CrowdStrike Blog (June 14,
  2016). CrowdStrike updated its post after the June 15, 2016 post by Guccifer 2.0
  claiming responsibility for the intrusion. 146 Netyksho Indictment ,r,r 41-42.
  42

RESULT: 14

PAGE: 50

TEXT:

  U.S. Department of Justice AtterHey '1?ei-lc Pfed1:1et // May CeHtaiH Material
  Preteeted UHder Fed. R. Criffl. P. 6(e) That same day, June 15, 2016, the GRU
  also used the Guccifer 2.0 WordPress blog to begin releasing to the public
  documents stolen from the DNC and DCCC computer networks. The Guccifer 2.0
  persona ultimately released thousands of documents stolen from the DNC and DCCC
  in a series of blog posts between June 15, 2016 and October 18, 2016.147
  Released documents included opposition research performed by the DNC (including
  a memorandum analyzing potential criticisms of candidate Trump), internal policy
  documents (such as recommendations on how to address politically sensitive
  issues), analyses of specific congressional races, and fundraising documents.
  Releases were organized around thematic issues, such as specific states (e.g.,
  Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S.
  presidential election. Beginning in late June 2016, the GRU also used the
  Guccifer 2.0 persona to release documents directly to reporters and other
  interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an
  email to the news outlet The Smoking Gun offering to provide "exclusive access
  to some leaked emails linked [to] Hillary Clinton's staff."148 The GRU later
  sent the reporter a password and link to a locked portion of the dcleaks.com
  website that contained an archive of emails stolen by Unit 26165 from a Clinton
  Campaign volunteer in March 2016.149 That the Guccifer 2.0 persona provided
  reporters access to a restricted portion of the DCLeaks website tends to
  indicate that both personas were operated by the same or a closely-related group
  of people.1so The GRU continued its release efforts through Guccifer 2.0 into
  August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a
  candidate for the U.S. Congress documents related to the candidate's
  opponent.1st On August 22, 2016, the Guccifer 2.0 persona transferred
  approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a
  U.S. blogger covering Florida politics.1s2 On August 22, 2016, the Guccifer 2.0
  persona sent a U.S. reporter documents stolen from the DCCC pertaining to the
  Black Lives Matter movement.1s3 147 Releases of documents on the Guccifer 2.0
  blog occurred on June 15, 2016; June 20, 2016; June 21, 2016; July 6, 2016; July
  14, 2016; August 12, 2016; August 15, 2016; August 21, 2016; August 31, 2016;
  September 15, 2016; September 23, 2016; October 4, 2016; and October 18, 2016.
  ~~ccifer20@aol.fr to 149 6/27/16 Email, uccifer20@aol.fr to ; see also 612 7 /16
  (subject "leaked emails"); project"). (subject "leaked (sub' ect "leaked emails"
  ; uccifer20@aol.fr to ( claiming DCLeaks was a "Wikileaks sub 150 Before sending
  the reporter the link and password to the closed DCLeaks website, and in an
  apparent effort to deflect attention from the fact that DCLeaks and Guccifer 2.0
  were operated by the same organization, the Guccifer 2.0 persona sent the
  repm1er an email stating that DCLeaks was a "Wikileaks sub project" and that
  Guccifer 2.0 had asked DCLeaks to release the leaked emails with "closed access"
  to give reporters a preview of them. 151 Netyksho Indictment ,r 43(a). 152
  Netyksho Indictment ,r 43(b ). 153 Netyksho Indictment ,r 43(c). 43

RESULT: 15

PAGE: 51

TEXT:

  U.S. Department of Justice AtierHey Werk Predttet // Moy CeHtttiH Material
  Preteeted UHeer Fed. R. Crim. P. 6(e) In early August 2016, Twitter's suspension
  of the Guccifer 2.0 Twitter account. After it was reinstated, GRU officers
  posing as Guccifer 2.0 wrote 1;c?)Wp ,,ia private message, "thank u for writing
  back ... do u find anyt[h]ing interesting in the docs i posted?" On August 17,
  2016, the GRU added, "please tell me if i can help u anyhow ... it would be a
  great pleasure to me." On September 9, 2016, the GRUi;(T);f posing as Guccifer
  2.0-referred to a stolen DCCC document posted online and asked ? "what do u
  think of the info on the turnout model for the democrats entire presidential
  campaign." -responded, "pretty standard."155 The investigation did not identify
  evidence of other communications between-and Guccifer 2.0. 3. Use of WikiLeaks
  In order to expand its interference in the 20 I 6 U.S. presidential election,
  the GRU units transferred many of the documents they stole from the DNC and the
  chairman of the Clinton Campaign to WikiLeaks. GRU officers used both the
  DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter
  private messaging and through encrypted channels, including possibly through
  WikiLeaks's private communication system. . a. WikiLeaks's Expressed Opposition
  Toward the Clinton Campaign WikiLeaks, and particularly its founder Julian
  Assange, privately expressed opposition to candidate Clinton well before the
  first release of stolen documents. In November 2015, Assange wrote to other
  members and associates of WikiLeaks that "[w]e believe it would be much better
  for GOP to win ... Dems+Media+liberals woudl [sic] then form a block to reign in
  their worst qualities. . . . With Hillary in charge, GOP will be pushing for her
  worst qualities., dems+media+neoliberals will be mute .... She's a bright, well
  connected, sadisitic sociopath."156 In March 2016, WikiLeaks released a
  searchable archive of approximately 30,000 Clinton emails that had been obtained
  through FOIA litigation.157 While designing the archive, one WikiLeaks member
  explained the reason for building the archive to another associate: 154 155 Harm
  to Ongoing Matter 156 1 l/19/15 Twitter Group Chat, Group ID 594242937858486276,
  @WikiLeaks et al. Assange also wrote that, "GOP will generate a lot oposition
  [sic], including through dumb moves. Hillary will do the same thing, but co-opt
  the liberal opposition and the GOP opposition. Hence biliary has greater freedom
  to statt wars than the GOP and has the will to do so." Id. 157 WikiLeaks,
  "Hillary Clinton Email Archive," available at https://wikileaks.org/clinton-
  emails/. 44

RESULT: 16

PAGE: 52

TEXT:

  U.S. Department of Justice AttorHey Work Prodttet // Mtty Cofl:tttifl:
  Mttterittl Proteeted UHder Fed. R. Criffl. P. 6(e) [W]e want this repository to
  become "the place" to search for background on hillary's plotting at the state
  department during 2009-2013. . . . Firstly because its useful and will annoy
  Hillary, but secondly because we want to be seen to be a resource/player in the
  US election, because eit [sic] may en[]courage people to send us even more
  important leaks.158 b. WikiLeaks's First Contact with Guccifer 2.0 and DCLeaks
  Shortly after the GRU's first release of stolen documents through dcleaks.com in
  June 2016, GRU officers also used the DCLeaks persona to contact WikiLeaks about
  possible coordination in the future release of stolen emails. On June 14, 2016,
  @dcleaks _ sent a direct message to @WikiLeaks, noting, "You announced your
  organization was preparing to publish more Hillary's emails. We are ready to
  support you. We have some sensitive information too, in particular, her
  financial documents. Let's do it to ether. What do ou think about ublishin our
  info at the same moment? Thank ou."159 Around the same time, WikiLeaks initiated
  communications with the GRU persona Guccifer 2.0 shortly after it was used to
  release documents stolen from the DNC. On June 22, 2016, seven days after
  Guccifer 2.0's first releases of stolen DNC documents, WikiLeaks used Twitter's
  direct message function to contact the Guccifer 2.0 Twitter account and suggest
  that Guccifer 2.0 "[s]end any new material [stolen from the DNC] here for us to
  review and it will have a much higher impact than what you are doing."160 On
  July 6, 2016, WikiLeaks again contacted Guccifer 2.0 through Twitter's private
  messaging function, writing, "if you have anything hillary related we want it in
  the next tweo [sic] days prefab le [sic] because the DNC is approaching and she
  will solidify bernie supporters behind her after." The Guccifer 2.0 persona
  responded, "ok ... i see." WikiLeaks also explained, "we think trump has only a
  25% chance of winning against hillary ... so conflict between bernie and hillary
  is interesting." 161 c. The GRU's Transfer of Stolen Materials to WikiLeaks Both
  the GRU and WikiLeaks sought to hide their communications, which has limited the
  Office's ability to collect all of the communications between them. Thus,
  although it is clear that the stolen DNC and Podesta documents were transferred
  from the GRU to WikiLeaks, -Investigative Technique 158 3/14/16 Twitter DM,
  @WikiLeaks to Less than two weeks earlier, the same account had been used to
  send a private message opposing the idea of Clinton "in whitehouse with her
  bloodlutt and amitions [sic] of empire with hawkish liberal-interventionist
  appointees." 11/19/15 Twitter Group Chat, Group ID 594242937858486276,
  @WikiLeaks et al. 159 6/14/16 Twitter DM, @dcleaks_ to @WikiLeaks. 160 Netyksho
  Indictment ,r 47(a). 1617/6/16 Twitter DMs, @WikiLeaks & @guccifer_2. 45

RESULT: 17

PAGE: 53

TEXT:

  U.S. Department of Justice Atterttey Werk Predttet // Ma:y Cettta:itt Mttteria:l
  Preteeted Uttder Fed. R. Criffl. P. 6(e) The Office was able to identify when
  the GRU ( operating through its personas Guccifer 2.0 and DCLeaks) transferred
  some of the stolen documents to WikiLeaks through online archives set up by the
  GRU. Assan e had access to the internet from the Ecuadorian Embass in London, En
  land. On July 14, 2016, GRU officers used a Guccifer 2.0 email account to send
  WikiLeaks an email bearing the subject "big archive" and the message "a new
  attempt."163 The email contained an encrypted attachment with the name "wk dnc
  link I .txt.gpg."164 Using the Guccifer 2.0 Twitter account, GRU officers sent
  WikiLeaks an encrypted file and instructions on how to open it.165 On July 18,
  2016, WikiLeaks confirmed in a direct message to the Gucci fer 2.0 account that
  it had "the 1 Gb or so archive" and would make a release of the stolen documents
  "this week."166 On July 22, 2016, WikiLeaks released over 20,000 emails and
  other documents stolen from the DNC computer networks.167 The Democratic
  National Convention began three days later. Similar communications occurred
  between WikiLeaks and the GRU-operated persona DCLeaks. On September 15, 2016,
  @dcleaks wrote to @WikiLeaks, "hi there! I'm from DC Leaks. How could we discuss
  some submission-related issues? Am trying to reach out to you via your secured
  chat but getting no response. I've got something that might interest you. You
  won't be disappointed, I promise."168 The WikiLeaks account responded, "Hi
  there," without further elaboration. The @dcleaks_ account did not respond
  immediately. The same day, the Twitter account@guccifer_2 sent @dcleaks_ a
  direct message, which is the first known contact between the personas.169 During
  subsequent communications, the 163 This was not the GRU's first attempt at
  transferring data to WikiLeaks. On June 29, 2016, the GRU used a Guccifer 2.0
  email accou~ted file to a WikiLeaks email account. 6/29/16 Email,
  guccifer2@mail.com (The email appears to have been undelivered.) 164 See
  SM-2589105-DCLEAKS, serial 28 (analysis). 165 6/27/16 Twitter DM, @Guccifer_2 to
  @WikiLeaks. 166 7/18/16 Twitter OM, @Guccifer_2 & @WikiLeaks. 167 "DNC Email
  Archive," WikiLeaks (Jul. 22, 2016), available at https://wikileaks.org/dnc-
  emails. 168 9/15/16 Twitter DM, @dcleaks_ to @WikiLeaks. 169 9/15/16 Twitter DM,
  @guccifer _ 2 to @dcleaks _. 46

RESULT: 18

PAGE: 54

TEXT:

  U.S. Department of Justice AtterRe;? Werk Predttet // Mtt;? CeRtail'l Mftferial
  Preteeted URder Fed. R. Crim. P. 6(e) Guccifer 2.0 persona informed DCLeaks that
  WikiLeaks was trying to contact DCLeaks and arrange for a way to speak through
  encrypted emails.170 An analysis of the metadata collected from the WikiLeaks
  site revealed that the stolen Podesta emails show a creation date of September
  19, 2016.171 Based on information about Assange's computer and its possible
  operating system, this date may be when the GRU staged the stolen Podesta emails
  for transfer to WikiLeaks (as the GRU had previously done in July 2016 for the
  DNC emails).172 The WikiLeaks site also released PDFs and other documents taken
  from Podesta that were attachments to emails in his account; these documents had
  a creation date of October 2, 2016, which appears to be the date the attachments
  were separately staged by WikiLeaks on its site.173 Beginning on September 20,
  2016, WikiLeaks and DCLeaks resumed communications in a brief exchange. On
  September 22, 2016, a DCLeaks email account dcleaksproject@gmail.com sent an
  email to a WikiLeaks account with the subject "Submission" and the message "Hi
  from DCLeaks." The email contained a PGP-encr ted with the filename
  "wiki_mail.txt.gpg."174 %?The email, however, bears a number of similarities to
  the July 14, 2016 email in which GRU officers used the Guccifer 2.0 persona to
  give WikiLeaks access to the archive of DNC files. On September 22, 2016 (the
  same day of DCLeaks' email to WikiLeaks), the Twitter account dcleaks sent a sin
  le messa e to WikiLeaks with the strin of characters The Office cannot rule out
  that stolen documents were transferred to WikiLeaks through intermediaries who
  visited during the summer of 2016. For example, public reporting identified A d
  M"'ll M h w?kiL k . t h h . t d "th th t fi fth Investigative Technique 170 See
  SM-2589105-DCLEAKS, serial 28; 9/15/16 Twitter DM, @Guccifer_2 & @WikiLeaks. 171
  See SM-2284941, serials 63 & 64 Investigative Technique At the time, certain
  Apple operating systems used a setting that left a downloaded file's creation
  date the same as the creation date shown on the host computer. This would
  explain why the creation date on WikiLeaks's version of the files was still
  September 19, 2016. See SM-Investigative Technique 2284941, serial 62 173 When
  WikiLeaks saved attachments separately from the stolen emails, its computer
  system appears to have treated each attachment as a new file and given it a new
  creation date. See SM-2284941, serials 63 & 64. 174 See 9/22/16 Email,
  dcleaksproject@gmail.com 175 Ellen Nakashima et al., A German Hacker Offers a
  Rare Look Inside the Secretive World of Julian Assange and WikiLeaks, Washington
  Post (Jan. 17, 2018). 47

RESULT: 19

PAGE: 55

TEXT:

  U.S. Department of Justice Atton=iey Work Protl1:1et // Mtl:y Cottt:tl:ifl
  Mtl:teritl:l Proteetetl UAtier Fetl. R. Criffl. P. 6(e) Investigative Technique
  . On October 7, 2016, WikiLeaks released the first emails stolen from the
  Podesta email account. In total, WikiLeaks released 33 tranches of stolen emails
  between October 7, 2016 and November 7, 2016. The releases included private
  speeches given by Clinton; 177 internal communications between Podesta and other
  high-ranking members of the Clinton Campaign; 178 and correspondence related to
  the Clinton Foundation.179 In total, WikiLeaks released over 50,000 documents
  stolen from Podesta's personal email account. The last-in-time email released
  from Podesta' s account was dated March 21, 2016, two days after Podesta
  received a spearphishing email sent by the GRU. d. WikiLeaks Statements
  Dissembling About the Source of Stolen Materials As reports attributing the DNC
  and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made
  several public statements apparently designed to obscure the source of the
  materials that WikiLeaks was releasing. The file-transfer evidence described
  above and other information uncovered during the investigation discredit
  WikiLeaks's claims about the source of material that it posted. Beginning in the
  summer of 2016, Assange and WikiLeaks made a number of statements about Seth
  Rich, a former DNC staff member who was killed in July 2016. The statements
  about Rich implied falsely that he had been the source of the stolen DNC emails.
  On August 9, 2016, the @WikiLeaks Twitter account posted: "ANNOUNCE: WikiLeaks
  has decided to issue a US$20k reward for information leading to conviction for
  the murder ofDNC staffer Seth Rich."180 Likewise, on August 25, 2016, Assange
  was asked in an interview, "Why are you so interested in Seth Rich's killer?"
  and responded, "We're very interested in anything that might be a threat to
  alleged Wikileaks sources." The interviewer responded to Assange's statement by
  commenting, "I know you don't want to reveal your source, but it certainly
  sounds like you're suggesting a man who leaked information to WikiLeaks was then
  murdered." Assange replied, "If there's someone who's potentially connected to
  our publication, and that person has been murdered in suspicious t79 Netyksho
  Indictment ,r 43. 180 @WikiLeaks 8/9/16 Tweet. 48

RESULT: 20

PAGE: 56

TEXT:

  U.S. Department of Justice Attort1ey Work Prndttet ,'/ May Cot1:tait1: Material
  Proteeted Ut1:der Fed. R. Cri1fl. P. 6(e) circumstances, it doesn't necessarily
  mean that the two are connected. But it is a very serious matter ... that type
  of allegation is very serious, as it's taken very seriously by us."181 After the
  U.S. intelligence community publicly announced its assessment that Russia was
  behind the hacking operation, Assange continued to deny that the Clinton
  materials released by WikiLeaks had come from Russian hacking. According to
  media reports, Assange told a U.S. congressman that the DNC hack was an "inside
  job," and purported to have "physical proof' that Russians did not give
  materials to Assange. 182 C. Additional GRU Cyber Operations While releasing the
  stolen emails and documents through DCLeaks, Guccifer 2.0, and WikiLeaks, GRU
  officers continued to target and hack victims linked to the Democratic campaign
  and, eventually, to target entities responsible for election administration in
  several states. 1. Summer and Fall 2016 Operations Targeting Democrat-Linked
  Victims On July 27 2016, Unit 26165 targeted email accounts connected to
  candidate Clinton's personal office . Earlier that day, candidate Trump made
  public statements that included the following: "Russia, if you're listening, I
  hope you're able to find the 30,000 emails that are missing. I think you will
  probably be rewarded mightily by our press."183 The "30,000 emails" were
  apparently a reference to emails described in media accounts as having been
  stored on a personal server that candidate Clinton had used while serving as
  Secretary of State. Within approximately five hours of Trump's statement, GRU
  officers targeted for the first time Clinton's personal office. After candidate
  Trump's remarks, Unit 26165 created and sent malicious links targeting 15 email
  accounts at the domain including an email account belonging to Clinton aide The
  investigation did not find evidence of earlier GRU attempts to compromise
  accounts hosted on this domain. It is unclear how the GRU was able to identify
  these email accounts, which were not public.184 Unit 26165 officers also hacked
  into a DNC account hosted on a cloud-computing service copies of the DNC da
  databases (referred to On September 20, 2016, the GRU began to generate function
  designed to allow users to produce backups of as "snapshots"). The GRU then
  stole those snapshots by moving 181 See Assange: "Murdered DNC Staffer Was
  'Potential' WikiLeaks Source," Fox News (Aug. 25, 2016)(containing video of
  Assange interview by Megyn Kelly). 182 M. Raju & Z. Cohen, A GOP Congressman's
  Lonely Quest Defending Julian Assange, CNN (May 23, 2018). 183 "Donald Trump on
  Russian & Missing Hillary Clinton Emails," YouTube Channel C-SPAN, Posted
  7/27/16, available at https://www.youtube.com/watch?v=3kxG8uJUsWU (starting at
  0:41). 49

RESULT: 21

PAGE: 57

TEXT:

  U.S. Department of Justice Atteme;? :werk PFeauet // Moy Cef!ta.if! Material
  Preteetea Uflaef Fee. R. Crim.. P. 6(e) them to -account that they controlled;
  from there, the copies were moved to GRUcontrolled computers. The GRU stole
  approximately 300 gigabytes of data from the DNC based account.185 2. Intrusions
  Targeting the Administration of U.S. Elections In addition to targeting
  individuals involved in the Clinton Campaign, GRU officers also targeted
  individuals and entities involved in the administration of the elections.
  Victims included U.S. state and local entities, such as state boards of
  elections (SBOEs), secretaries of state, and county governments, as well as
  individuals who worked for those entities. 186 The GRU also targeted private
  technology firms responsible for manufacturing and administering election-
  related software and hardware, such as voter registration software and
  electronic polling stations.187 The GRU continued to target these victims
  through the elections in November 2016. While the investigation identified
  evidence that the GRU targeted these individuals and entities, the Office did
  not investigate further. The Office did not, for instance, obtain or examine
  servers or other relevant items belonging to these victims. The Office
  understands that the FBI, the U.S. Department of Homeland Security, and the
  states have separately investigated that activity. By at least the summer of
  2016, GRU officers sought access to state and local computer networks by
  exploiting known software vulnerabilities on websites of state and local
  governmental entities. GRU officers, for example, targeted state and local
  databases of registered voters using a technique known as "SQL injection," by
  which malicious code was sent to the state or local website in order to run
  commands (such as exfiltrating the database contents).188 In one instance in
  approximately June 2016, the GRU compromised the computer network of the
  Illinois State Board of Elections by exploiting a vulnerability in the SBOE's
  website. The GRU then gained access to a database containing information on
  millions of registered Illinois voters, 189 and extracted data related to
  thousands of U.S. voters before the malicious activity was identified.190 GRU
  officers Investigative Technique scanned state and local websites for eriod in
  July 2016, GRU officers -for vulnerabilities on websites of more than 185
  Netyksho Indictment ,i 34; see also SM-2589105-HACK, serial 29 -? Investigative
  Technique 186 Netyksho Indictment ,i 69. 188 Investigative Technique -50

RESULT: 22

PAGE: 58

TEXT:

  U.S. Department of Justice AttorHey Werle Proattet // Moy CoHtoiH Moteriol
  Proteetee UHeer Fee. R. Crtffl. P. 6(e) for vulnerabilities continued through
  the election. Unit 74455 also sent spearphishing emails to public officials
  involved in election administration and personnel a~ involved in voting
  technology. In August 2016, GRU officers targeted employees of ..... , a voting
  technology company that developed software used by numerous U.S. counties to
  manage voter rolls, and installed malware on the company network. Similarly, in
  November 2016, the GRU sent spearphishing emails to over 120 email accounts used
  by Florida county officials responsible for administering the 2016 U.S.
  election.191 The spearphishing emails contained an attached Word document coded
  with malicious software (commonly referred to as a Trojan) that permitted the
  GRU to access the infected computer.192 The FBI was separately responsible for
  this investigation. We understand the FBI believes that this operation enabled
  the GRU to gain access to the network of at least one Florida county government.
  The Office did not independently verify that belief and, as explained above, did
  not undertake the investigative steps that would have been necessary to do so.
  D. Trump Campaign and the Dissemination of Hacked Materials The Trump Campaign
  showed interest in WikiLeaks's releases hout the summer and fall of 2016. 1. a.
  Background I , Investigative Technique Investigative Technique 51

RESULT: 23

PAGE: 65

TEXT:

  U.S. Department of Justice AM:erttey Wer:k Predttet // Mtty Cetttaitt Mttterial
  Preteeted Uttder FeE:I. R. Criffi. P. 6(e) d. WikiLeaks's October 7, 2016
  Release of Stolen Podesta Emails On October 7 2016 four days after the Assange
  press conference , the Washington Post published an Access Hollywood video that
  captured comments by candidate Trump some years earlier and that was expected to
  adversely affect the Campaign.239 Less than an hour after the video's
  publication, WikiLeaks released the first set of emails stolen by the GRU from
  the account of Clinton Campaign chairman John Podesta. Harm to Ongoing Matter
  111Harm to Ongoing Matter -Harm to Ongoing Matter Harm to Ongoing Matter
  1111Harm to Ongoing Matter Corsi said that, because he had no direct means o
  communicating with WikiLeaks, he told members of the news site WNO-who were
  participating on a conference call with him that day-to reach Assange
  immediately.244 Corsi claimed that the pressure was 239 Candidate Trump can be
  heard off camera making graphic statements about women. 240 241 242 243 244 In a
  later November 2018 interview, Corsi stated Harm to Ongoing Matter that he
  believed Malloch was on the call but then focused on other individuals who were
  on the call-invitation, which Malloch was not. (Separate travel records show
  that at the time of the call, Malloch was aboard a transatlantic flight). Corsi
  at one point stated that after WikiLeaks 's release of stolen emails on October
  7, 2016, he concluded Malloch had gotten in contact with Assange. Corsi 11/1/18
  302, at 6. 58

RESULT: 24

PAGE: 72

TEXT:

  U.S. Department of Justice Att6rHey W6rle: Pr6dttet // May C6HtaiH Material
  Pr6teeted Una er Fee. R. Crim. P. 6(e) email claimed that WikiLeaks would
  release "All 33k deleted Emails" by "November 1st." No emails obtained from
  Clinton's server were subsequently released. Smith drafted multiple emails
  stating or intimating that he was in contact with Russian hackers. For example,
  in one such email, Smith claimed that, in August 2016, KLS Research had
  organized meetings with parties who had access to the deleted Clinton emails,
  including parties with "ties and affiliations to Russia."286 The investigation
  did not identify evidence that any such meetings occurred. Associates and
  security experts who worked with Smith on the initiative did not believe that
  Smith was in contact with Russian hackers and were aware of no such
  connection.287 The investigation did not establish that Smith was in contact
  with Russian hackers or that Smith, Ledeen, or other individuals in touch with
  the Trump Campaign ultimately obtained the deleted Clinton emails. * * * In sum,
  the investigation established that the GRU hacked into email accounts of persons
  affiliated with the Clinton Campaign, as well as the computers of the DNC and
  DCCC. The GRU then exfiltrated data related to the 2016 election from these
  accounts and computers, and disseminated that data through fictitious online
  personas (DCLeaks and Guccifer 2.0) and later through WikiLeaks. The
  investigation also established that the Trum Cam ai n dis la ed interest in the
  WikiLeaks releases, and that explained in Volume I, Section V.B, infra, the
  evidence was sufficient to support intrusion and other char es a ainst GRU
  officers for their role in election-related hackin . 286 8/31/16 Email, Smith to
  Smith. 287 Safron 3/20/18 302, at 3; Szobocsan 3/29/18 302, at 6. 65

RESULT: 25

PAGE: 90

TEXT:

  U.S. Department of Justice Mterttey '.\'erk Preeittet // May Cetttaitt Material
  Preteeteel Ul'l:eler Feel. R. Criffl. P. 6(e) to Rome, Italy, as part of his
  duties with LCILP.411 The purpose of the trip was to meet officials affiliated
  with Link Campus University, a for-profit institution headed by a former Italian
  government official.412 During the visit, Papadopoulos was introduced to Joseph
  Mifsud. Mifsud is a Maltese national who worked as a professor at the London
  Academy of Diplomacy in London, England.413 Although Mifsud worked out of London
  and was also affiliated with LCILP, the encounter in Rome was the first time
  that Papadopoulos met him.414 Mifsud maintained various Russian contacts while
  living in London, as described further below. Among his contacts was ,415 a one-
  time employee of the IRA, the entity that carried out the Russian social media
  campaign (see Volume I Section II, supra). In January and February 2016, Mifsud
  and -discussed possibly meeting in Russia. The investigation did not~ meeting.
  Later, in the spring of 2016, -was also in contact -that was linked to an
  employee of the Russian Ministry of Defense, and that account had overlapping
  contacts with a group of Russian controlled Facebook accounts that included
  accounts used to promote the DCLeaks releases in the course of the GRU's hack-
  and-release operations (see Volume I, Section III.B.1, supra). According to
  Papadopoulos, Mifsud at first seemed uninterested in Papadopoulos when they met
  in Rome.416 After Papadopoulos informed Mifsud about his role in the Trump
  Campaign, however, Mifsud appeared to take greater interest in Papadopoulos.417
  The two discussed Mifsud's European and Russian contacts and had a general
  discussion about Russia; Mifsud also offered to introduce Papadopoulos to
  European leaders and others with contacts to the Russian government.418
  Papadopoulos told the Office that Mifsud's claim of substantial connections with
  Russian government officials interested Papadopoulos, who thought that such
  connections could increase his importance as a policy advisor to the Trump
  Campaign.419 411 Papadopoulos 8/10/17 302, at 2-3; Papadopoulos Statement of
  Offense ,r 5. 412 Papadopoulos 8/10/17 302, at 2-3; Stephanie Kirchgaessner et
  al., Joseph Mifsud: more questions than answers about mystery professor linked
  to Russia, The Guardian (Oct. 31, 2017) ("Link Campus University ... is headed
  by a former Italian interior minister named Vincenzo Scotti."). 413 Papadopoulos
  Statement of Offense ,r 5. 414 Papadopoulos 8/10/17 302, at 3. , , , ?
  Investigative Technique 1Harm to Ongoing Matter 416 Papadopoulos Statement of
  Offense ,r 5. 417 Papadopoulos Statement of Offense ,r 5. 418 Papadopoulos
  8/10/17 302, at 3; Papadopoulos 8/11/17 302, at 2. 419 Papadopoulos Statement of
  Offense ,r 5. 83

RESULT: 26

PAGE: 100

TEXT:

  U.S. Department of Justice Atlerl'le~? Werk Pree1:1et // May Ce!'ltaiH Material
  Preteetea UHaer Fee. R. Criffl. P. 6(e) Papadopoulos was dismissed from the
  Trump Campaign in early October 2016, after an interview he gave to the Russian
  news agency Inter/ax generated adverse publicity.492 f. Trump Campaign Knowledge
  of "Dirt" Papadopoulos admitted telling at least one individual outside of the
  specifically, the then-Greek foreign minister-about Russia's obtaining Clinton-
  related emails.493 In addition, a different foreign government informed the FBI
  that, 10 days after meeting with Mifsud in late April 2016, Papadopoulos
  suggested that the Trump Campaign had received indications from the Russian
  government that it could assist the Campaign through the anonymous release of
  information that would be damaging to Hillary Clinton.494 (This conversation
  occurred after the GRU spearphished Clinton Campaign chairman John Podesta and
  stole his emails, and the GRU hacked into the DCCC and DNC, see Volume l,
  Sections III.A & III.B, supra.) Such disclosures raised questions about whether
  Papadopoulos informed any Trump Campaign official about the emails. When
  interviewed, Papadopoulos and the Campaign officials who interacted with him
  told the Office that they could not recall Papadopoulos's sharing the
  information that Russia had obtained "dirt" on candidate Clinton in the form of
  emails or that Russia could assist the Campaign through the anonymous release of
  information about Clinton. Papadopoulos stated that he could not clearly recall
  having told anyone on the Campaign and wavered about whether he accurately
  remembered an incident in which Clovis had been upset after hearing Papadopoulos
  tell Clovis that Papadopoulos thought "they have her emails."495 The Campaign
  officials who interacted or corresponded with Papadopoulos have similarly
  stated, with varying degrees of certainty, that he did not tell them. Senior
  policy advisor Stephen Miller, for example, did not remember hearing anything
  from Papadopoulos or Clovis about Russia having emails of or dirt on candidate
  Clinton.496 Clovis stated that he did not recall anyone, including Papadopoulos,
  having given him non-public information that a forei n overnment mi ht be in
  ossession of material dama in to Hillar Clinton.497 492 George Papadopoulos:
  Sanctions Have Done Little More Than to Turn Russia Towards China, Interfax
  (Sept. 30, 2016). 493 Papadopoulos 9/19/17 302, at 14-15; Def. Sent. Mem.,
  United States v. George Papadopoulos, I :17-cr-182 (D.D.C. Aug. 31, 2018), Doc.
  45. 494 See footnote 465 of Volume I, Section IV.A.2.d, supra. 495 Papadopoulos
  8/10/17 302, at 5; Papadopoulos 8/11/17 302, at 5; Papadopoulos 9/20/17 302, at
  2. 496 S. Miller 12/14/17 302, at 10. 497 498 93

RESULT: 27

PAGE: 127

TEXT:

  U.S. Department of Justice Atlerftey Werk Predttet // May Cefttaifl. Mttterial
  Preteetea Ufl.aer Fed. R. Crim. P. 6(e) After the June 9 meetin Goldstone, he
  told Trump Jr. told Emin A alarov 745 Jr.743 According to 744 and Aras Agalarov
  asked Kaveladze to report in after the meeting, but before Kaveladze could call,
  Aras Agalarov called him.747 With Veselnitskaya next to him, Kaveladze reported
  that the meeting had gone well, but he later told Aras Agalarov that the meeting
  about the Magnitsky Act had been a waste of time because it was not with lawyers
  and they were "preaching to the wrong crowd."748 c. Post-June 9 Events
  Veselnitskaya and Aras Agalarov made at least two unsuccessful attempts after
  the election to meet with Trump representatives to convey similar information
  about Browder and the Magnitsky Act.749 On November 23, 2016, Kaveladze emailed
  Goldstone about setting up another meeting "with T people" and sent a document
  bearing allegations similar to those conveyed on June 9.75? Kaveladze followed
  up with Goldstone, stating that "Mr. A," which Goldstone understood to mean Aras
  Agalarov, called to ask about the meeting.751 Goldstone emailed the document to
  Rhona Graff, saying that "Aras Agalarov has asked me to pass on this document in
  the hope it can be passed on to the appropriate team. If needed, a lawyer
  representing the case is Goldstone 2/8/18 302, (and one text message shows)
  that, shortly after the DNC e ts co ecting the DNC hacking announcement to the
  June 9 OSC-KA V _00029 (6/14/16 Email, Goldstone to E. Agalarov & Kaveladze
  (10:09 a.m.)). The investigation did not identify evidence connecting the events
  of June 9 to the GRU's hack-and-dump operation. OSC-KA V _00029-30 (6/14/16
  Email, Goldstone to E. Agalarov). 746 747 Kaveladze 11/16/17 302, at 8; Call
  Records ofike. Kaveladze 748 Kaveladze 11/16/17 302, at 8; Call Records of Ike
  Kaveladze On June 14, 2016 Kaveladze's teenage daughter emailed asking how the
  June 9 meeting had gone, and Kaveladze responded, "meeting was boring. The
  Russians did not have an bad info on Hilar " KA V _00257 (6/14/16 Email, I.
  Kaveladze to A. Kaveladze; 749 Goldstone 2/8/18 302, at 11; 750 OSC-KA V 00138
  11/23/16 Email, Goldstone to Kaveladze); 751 RG000196 (11/26-29/16 Text
  Messages, Goldstone & Kaveladze); 120

RESULT: 28

PAGE: 182

TEXT:

  U.S. Department of Justice Atterfl:ey Werk Preettet // Moy Cefltoifl Material
  Preteetee Ufl:eef Pee. R. Criffl. P. 6Ee) Although members of the IRA had
  contact with individuals affiliated with the Trump Campaign, the indictment does
  not charge any Trump Campaign official or any other U.S. person with
  participating in the conspiracy. That is because the investigation did not
  identify evidence that any U.S. person who coordinated or communicated with the
  IRA knew that he or she was speaking with Russian nationals engaged in the
  criminal conspiracy. The Office therefore determined that such persons did not
  have the knowledge or criminal purpose required to charge them in the conspiracy
  to defraud the United States (Count One) or in the separate count alleging a
  wire-and bank-fraud conspiracy involving the IRA and two individual Russian
  nationals (Count Two). The Office did, however, charge one U.S. national for his
  role in supplying false or stolen bank account numbers that allowed the IRA
  conspirators to access U.S. online payment systems by circumventing those
  systems' security features. On February 12, 2018, Richard Pinedo pleaded guilty,
  pursuant to a single-count information, to identity fraud, in violation of 18 U
  .S.C. ? 1028(a)(7) and (b)(l)(D). Plea Agreement, United States v. Richard
  Pinedo, No. 1:18-cr-24 (D.D.C. Feb. 12, 2018), Doc. 10. The investigation did
  not establish that Pinedo was aware of the identity of the IRA members who
  purchased bank account numbers from him. Pinedo's sales of account numbers
  enabled the IRA members to anonymously access a financial network through which
  they transacted with U.S. persons and companies. See Gov't Sent. Mem. at 3,
  United States v. Richard Pinedo, No. 1:18-cr-24 (D.D.C. Sept. 26, 2018), Doc.
  24. On October 10, 2018, Pinedo was sentenced to six months of imprisonment, to
  be followed by six months of home confinement, and was ordered to complete 100
  hours of community service. B. Russian Hacking and Dumping Operations 1. Section
  1030 Computer-Intrusion Conspiracy a. Background On July 13, 2018, a federal
  grand jury in the District of Columbia returned an indictment charging Russian
  military intelligence officers from the GRU with conspiring to hack into various
  U.S. computers used by the Clinton Campaign, DNC, DCCC, and other U.S. persons,
  in violation of 18 U.S.C. ?? 1030 and 371 (Count One); committing identity theft
  and conspiring to commit money laundering in furtherance of that hacking
  conspiracy, in violation of 18 U.S.C. ?? I 028A and l 956(h) (Counts Two through
  Ten); and a separate conspiracy to hack into the computers of U.S. persons and
  entities responsible for the administration of the 2016 U.S. election, in
  violation of18U.S.C. ?? 1030and371 (CountEleven). Netyksholndictment.1277
  Asofthiswriting,all 12 defendants remain at large. The Netyksho indictment
  alleges that the defendants conspired with one another and with others to hack
  into the computers of U.S. persons and entities involved in the 2016 U.S.
  presidential election, steal documents from those computers, and stage releases
  of the stolen documents to interfere in the election. Netyksho Indictment ,r 2.
  The indictment also describes how, in staging 1277 The Office provided a more
  detailed explanation of the charging decision in this case in meetings with the
  Office of the Acting Attorney General before the indictment. 175

RESULT: 29

PAGE: 407

TEXT:

  U.S. Department of Justice Att:erne)" Werle Prnelttet // Ma)' CeRtaiR Material
  Prnteeteel UReief Feel. R. Crim. P. 6(e) Oganov, Georgiy Oknyansky, Henry (a/k/a
  Henry Greenberg) Page, Carter Papadopoulos, George Parscale, Bradley Patten,
  William (Sam) Jr. Peskov, Dmitry Phares, Walid Pinedo, Richard Podesta, John Jr.
  Podobnyy, Victor Poliakova, Elena Polonskaya, Olga Pompeo, Michael Porter,
  Robert Priebus, Reince Advisor to Oleg Deripaska and a board member of
  investment company Basic Element. He met with Paul Manafort in Spain in early
  2017. Florida-based Russian individual who claimed to have derogatory
  information pertaining to Hillary Clinton. He met with Roger Stone in May 2016.
  Foreign policy advisor to the Trump Campaign who advocated Russian views and
  made July 2016 and December 2016 visits to Moscow. Foreign policy advisor to the
  Trump Campaign who received information from Joseph Mifsud that Russians had
  "dirt" in the form of thousands of Clinton emails. He pleaded guilty to lying to
  the FBI about his contact with Mifsud. Digital media director for the 2016 Trump
  Campaign. Lobbyist and business partner of Konstantin Kilimnik. Deputy chief of
  staff of and press secretary for the Russian presidential administration.
  Foreign policy advisor to the Trump Campaign and co-secretary general of the
  Transatlantic Parliamentary Group on Counterterrorism (TAG). U.S. person who
  pleaded guilty to a single-count information of identity fraud. Clinton campaign
  chairman whose email account was hacked by the GRU. WikiLeaks released his
  stolen emails during the 2016 campaign. Russian intelligence officer who
  interacted with Carter Page while operating inside the United States; later
  charged in 2015 with conspiring to act as an unregistered agent of Russia.
  Personal assistant to Dmitry Peskov who responded to Michael Cohen's outreach
  about the Trump Tower Moscow project in January 2016. Russian national
  introduced to George Papadopoulos by Joseph Mifsud as an individual with
  connections to Vladimir Putin. U.S. Secretary of State; director of the Central
  Intelligence Agency (Jan. 2017-Apr. 2018). White House staff secretary (Jan.
  2017 -Feb. 2018). White House chief of staff (Jan. 2017 -July 2017); chair of
  the Republican National Committee (Jan. 2011-Jan. 2017). Prigozhin, Yevgeniy
  Head of Russian companies Concord-Catering and Concord Management and
  Consulting; supported and financed the Internet Research Agency, which engaged
  in an "active measures" social media campaign to interfere in the 2016 U.S.
  presidential election. B-8

RESULT: 30

PAGE: 410

TEXT:

  U.S. Department of Justice Attorne)' Wol'lt Prod1:1et // Ma)' CorHaiR Mate,?ial
  Prnteeted URder Fed. R. Criffl. P. 6(e) Yates, Sally Yatsenko, Sergey Zakharova,
  Maria Zayed al Nahyan, Mohammed bin Alfa-Bank Acting Attorney General (Jan. 20,
  2017 -Jan. 30, 2017); Deputy Attorney General (Jan. 10, 2015 -Jan. 30, 2017).
  Deputy chief financial officer of Gazprom, a Russian state-owned energy company,
  and associate of Carter Page. Director of the Russian Ministry of Foreign
  Affair's Information and Press Department who received notification of Carter
  Page's speech in July 2016 from Denis Klimentov. Crown Prince of Abu Dhabi and
  deputy supreme commander of the United Arab Emirates (UAE) armed forces.
  Entities and Organizations Center for the National Interest (CNI) Russia's
  largest commercial bank, which is headed by Petr Aven. U.S.-based think tank
  with expertise in and connections to Russia. CNI's publication, the National
  Interest, hosted candidate Trump's foreign policy speech in April 2016. Concord
  Crocus Group or Crocus International DCLeaks Democratic Congressional Campaign
  Committee Democratic National Committee Duma Gazprom Global Energy Capital, LLC
  Global Partners in Diplomacy Umbrella term for Concord Management and
  Consulting, LLC and Concord Catering, which are Russian companies controlled by
  Yevgeniy Prigozhin. A Russian real-estate and property development company that,
  in 2013, hosted the Miss Universe Pageant, and from 2013 through 2014, worked
  with the Trump Organization on a Trump Moscow project. Fictitious online persona
  operated by the GRU that released stolen documents during the 2016 U.S.
  presidential campaign period. Political committee working to elect Democrats to
  the House of Representatives; hacked by the GRU in April 2016. Formal governing
  body for the Democratic Party; hacked by the GRU in April 2016. Lower House of
  the national legislature of the Russian Federation. Russian oil and gas company
  majority-owned by the Russian government. Investment and management firm founded
  by Carter Page. Event hosted in partnership with the U.S. Department of State
  and the Republican National Convention. In 2016, Jeff Sessions and J .D. Gordon
  delivered speeches at the event and interacted with Russian Ambassador Sergey
  Kislyak. B-11

RESULT: 31

PAGE: 411

TEXT:

  U.S. Department of Justice Attorne)" Wol'lt Predttet // Mey Cofltttifl Meteriel
  Proteeted U1~der Fed. R. Criffi. P. 6(e) Guccifer 2.0 I.C. Expert Investment
  Company Internet Research Agency (IRA) KLS Research LLC Kremlin LetterOne Link
  Campus University London Centre of International Law Practice (LCILP) Main
  Intelligence Directorate of the General Staff (GRU) New Economic School in
  Moscow (NES) Opposition Bloc Party of Regions Pericles Emerging Market Partners
  LLP Prevezon Holdings Ltd. Roscongress Foundation Rosneft Russian Direct
  Investment Fund Fictitious online persona operated by the GRU that released
  stolen documents during the 2016 U.S. presidential campaign period. Russian
  real-estate and development corporation that signed a letter of intent with a
  Trump Organization subsidiary to develop a Trump Moscow property. Russian entity
  based in Saint Petersburg and funded by Concord that engaged in an "active
  measures" social media campaign to interfere in the 20 I 6 V,S. presidential
  election. Business established by an associate of and at the direction of Peter
  Smith to further Smith's search for Hillary Clinton emails. Official residence
  of the president of the Russian Federation; it is used colloquially to refer to
  the office of the president or the Russian government. Company that includes
  Petr Aven and Richard Burt as board members. During a board meeting in December
  2016, Aven asked for Burt's help to make contact with the Presidential
  Transition Team. University in Rome, Italy, where George Papadopoulos was
  introduced to Joseph Mifsud. International law advisory organization in London
  that employed Joseph Mifsud and George Papadopoulos. Russian Federation's
  military intelligence agency. Moscow-based school that invited Carter Page to
  speak at its July 2016 commencement ceremony. Ukrainian political party that
  incorporated members of the defunct Party of Regions. Ukrainian political party
  of former President Yanukovych. It was generally understood to align with
  Russian policies. Company registered in the Cayman Islands by Paul Manafort and
  his business partner Rick Davis. Oleg Deripaska invested in the fund. Russian
  company that was a defendant in a U.S. civil action alleging the laundering of
  proceeds from fraud exposed by Sergei Magnitsky. Russian entity that organized
  the St. Petersburg International Economic Forum. Russian state-owned oil and
  energy company. Sovereign wealth fund established by the Russian Government in
  2011 and headed by Kirill Dmitriev. B-12

RESULT: 32

PAGE: 412

TEXT:

  U.S. Department of Justice Attorney \\'erk Prodttet // Ma)? C0Htait1 ~foterial
  Proteeted Ut1de1? Ped. R. Cri1T1. P. 6(e) Russian International Affairs Council
  Silk Road Group St. Petersburg International Economic Forum Tatneft
  Transatlantic Parliamentary Group on Counterterrorism Unit 26165 (GRU) Unit
  74455 (GRU) Valdai Discussion Club WikiLeaks Russia-based nonprofit established
  by Russian government decree. It is associated with the Ministry of Foreign
  Affairs, and its members include Ivan Timofeev, Dmitry Peskov, and Petr Aven.
  Privately held investment company that entered into a licensing agreement to
  build a Trump-branded hotel in Georgia. Annual event held in Russia and attended
  by prominent Russian politicians and businessmen. Russian energy company.
  European group that sponsored a summit between European Parliament lawmakers and
  U.S. persons. George Papadopoulos, Sam Clovis, and Walid Phares attended the TAG
  summit in July 2016. GRU military cyber unit dedicated to targeting military,
  political, governmental, and non-governmental organizations outside of Russia.
  It engaged in computer intrusions of U.S. persons and organizations, as well as
  the subsequent release of the stolen data, in order to interfere in the 2016
  U.S. presidential election. GRU military unit with multiple departments that
  engaged in cyber operations. It engaged in computer intrusions of U.S. persons
  and organizations, as well as the subsequent release of the stolen data, in
  order to interfere in the 2016 U.S. presidential election. Group that holds a
  conference attended by Russian government officials, including President Putin.
  Organization founded by Julian Assange that posts information online, including
  data stolen from private, corporate, and U.S. Government entities. Released data
  stolen by the GRU during the 2016 U.S. presidential election. B-13

RESULT: 33

PAGE: 413

TEXT:

  U.S. Department of Justice Attorne)' 'Norlc Prodttet // May Cm1taifl Material
  Proteeted URder Fed. R. Crim. P. 6(e) CNI DCCC DNC FBI FSB GEC GRU HPSCI HRC IRA
  LCILP NATO NES NSA ODNI PTT RDIF RIAC SBOE sco SJC SSCI TAG VEB Index of
  Acronyms Center for the National Interest Democratic Congressional Campaign
  Committee Democratic National Committee Federal Bureau oflnvestigation Russian
  Federal Security Service Global Energy Capital, LLC Russian Federation's Main
  Intelligence Directorate of the General Staff U.S. House of Representatives
  Permanent Select Committee on Intelligence Hillary Rodham Clinton Internet
  Research Agency London Centre of International Law Practice North Atlantic
  Treaty Organization New Economic School National Security Agency Office of the
  Director of National Intelligence Presidential Transition Team Russian Direct
  Investment Fund Russian International Affairs Council State boards of elections
  Special Counsel's Office U.S. Senate Judiciary Committee U.S. Senate Select
  Committee on Intelligence Transatlantic Parliamentary Group on Counterterrorism
  Vnesheconombank B-14