Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- RESULT: 1
- PAGE: 2
- TEXT:
- U.S. Department of Justice At:t:ef'fle)' Werle Predttet /,' Ma;? CeHtail'l
- Material Preteeted UHder Fed. R. Crim. P. 6(e) TABLE OF CONTENTS -VOLUME I
- INTRODUCTION TO VOLUME I .......................................................
- ................................................... 1 EXECUTIVE SUMMARY TO
- VOLUME 1. ................................................ ,
- ............................................. 4 I. THE SPECIAL COUNSEL'S
- INVESTIGATION
- ......................................................................... ,
- ....... 11 II. RUSSIAN "ACTIVE MEASURES" SOCIAL MEDIA CAMPAIGN
- ..................................................... 14 A. Structure of the
- Internet Research Agency
- ................................................................. 15 B. Funding
- and Oversight from Concord and Prigozhin
- ................................................. 16 C. The IRA Targets U.S.
- Elections ......................................................................
- ............ 19 1. The IRA Ramps Up U.S. Operations As Early As 2014
- ....................... , .............. 19 2. U.S. Operations Through IRA-
- Controlled Social Media Accounts ..................... 22 3. U.S. Operations
- Through Facebook.
- ..................................................................... 24 4. U.S.
- Operations Through Twitter
- ......................................................................... 26 a.
- Individualized Accounts ........................................................
- ........................... 26 b. IRA Botnet Activities ........................
- .............................................................. 28 5. U.S.
- Operations Involving Political Rallies
- .......................................................... 29 6. Targeting and
- Recruitment of U.S. Persons
- .......................................................... 31 7. Interactions
- and Contacts with the Trump Campaign ...........................................
- 33 a. Trump Campaign Promotion ofIRA Political Materials
- ................................. 33 b. Contact with Trump Campaign Officials in
- Connection to Rallies ................. 35 Ill. RUSSIAN HACKING AND DUMPING
- OPERATIONS .....................................................................
- 36 A. GRU Hacking Directed at the Clinton Campaign
- ....................................................... 36 1. GRU Units Target
- the Clinton Campaign
- ............................................................. 36 2. Intrusions
- into the DCCC and DNC Networks
- ..................................................... 38 a. Initial Access .....
- ................................................................................
- ............... 3 8 b. Implantation ofMalware on DCCC and DNC Networks
- ................................ 38 c. Theft of Documents from DNC and DCCC
- Networks .................................... 40 B. Dissemination of the Hacked
- Materials ......................................................................
- 41 I. DCLeaks ..................................................................
- ............................................. 41 2. Guccifer 2.0 ...............
- ................................................................................
- ............ 42 3. Use of WikiLeaks .................................. :
- .............................................................. 44 a. WikiLeaks's
- Expressed Opposition Toward the Clinton Campaign ............... 44 b.
- WikiLeaks's First Contact with Guccifer 2.0 and DCLeaks
- ........................... 45
- RESULT: 2
- PAGE: 3
- TEXT:
- U.S. Department of Justice MterHey Werk Pretittet // Ma,? Cel'ltail'I Material
- Preteeteti UH:tier Fee. R. Crim. P. 6(e) c. The GRU's Transfer of Stolen
- Materials to WikiLeaks .................................. 45 d. ? WikiLeaks
- Statements Dissembling About the Source of Stolen Materials ....................
- ................................................................................
- .... 48 C. Additional GRU Cyber Operations
- ............................................................................. 49
- l. Summer and Fall 2016 Operations Targeting Democrat-Linked Victims
- ............ 49 2. Intrusions Targeting the Administration of U.S. Elections
- ................................... 50 D. Trump Campaign and the Dissemination
- of Hacked Materials .................................. 51 l. ...................
- ........................................................................... 51
- a. Background ..................................................................
- .................................... 51 b. Contacts with the Campaign about
- WikiLeaks ................................................ 52 C. Harm to Ongoing
- Matter .................... 54 d. WikiLeaks's October 7, 2016 Release of Stolen
- Podesta Emails .................... 58 e. Donald Trump Jr. Interaction with
- WikiLeaks ................................................ 59 2. Other Potential
- Campaign Interest in Russian Hacked Materials ......................... 61 a.
- Henry Oknyansky (a/k/a Henry Greenberg)
- .................................................... 61 b. Campaign Efforts to
- Obtain Deleted Clinton Emails ...................................... 62 IV.
- RUSSIAN GOVERNMENT LINKS To AND CONTACTS WITH THE TRUMP CAMPAIGN
- ................ 66 A. Campaign Period (September 2015 -November 8, 2016)
- ......................................... 66 1. Trump Tower Moscow Project
- ............................................................................. 67
- a. Trump Tower Moscow Venture with the Crocus Group (2013-2014) ............ 67
- b. Communications with LC. Expert Investment Company and Giorgi Rtskhiladze
- (Summer and Fall 2015)
- ............................................................ 69 c. Letter of
- Intent and Contacts to Russian Government (October 2015-January 2016) ..........
- ................................................................................
- ...... 70 i. Trump Signs the Letter of Intent on behalf of the Trump
- Organization .... 70 ii. Post-LOI Contacts with Individuals in Russia
- ......................................... 72 d. Discussions about Russia Travel
- by Michael Cohen or Candidate Trump (December 2015-June 2016)
- ......................................................................... 76 i.
- Sater's Overtures to Cohen to Travel to Russia
- ........................................ 76 ii. Candidate Trump's Opportunities
- to Travel to Russia ............................ 78 2. George Papadopoulos .....
- ................................................................................
- ...... 80 a. Origins of Campaign Work
- ..............................................................................
- 81 b. Initial Russia-Related Contacts
- ........................................................................ 82 c.
- March 31 Foreign Policy Team Meeting
- ......................................................... 85 ii
- RESULT: 3
- PAGE: 11
- TEXT:
- U.S. Department of Justice Atterrte~? Werk Predttet // May Cetttairt Material
- Preteetee Urteer Fee. R. Crim. P. 6(e) EXECUTIVE SUMMARY TO VOLUME I RUSSIAN
- SOCIAL MEDIA CAMPAIGN The Internet Research Agency (IRA) carried out the
- earliest Russian interference operations identified by the investigation-a
- social media campaign designed to provoke and amplify political and social
- discord in the United States. The IRA was based in St. Petersburg, Russia, and
- received funding from Russian oligarch Y evgeniy Prigozhin and companies he
- controlled. Pri ozhin is widel re orted to have ties to Russian President
- Vladimir Putin In mid-2014, the IRA sent em lo mission with instructions The IRA
- later used social media accounts and interest groups to sow discord in the U.S.
- political system through what it termed "information warfare." The campaign
- evolved from a generalized program designed in 2014 and 2015 to undermine the
- U.S. electoral system, to a targeted operation that by early 2016 favored
- candidate Trump and disparaged candidate Clinton. The IRA' s operation also
- included the purchase of political advertisements on social media in the names
- of U.S. persons and entities, as well as the staging of political rallies inside
- the United States. To organize those rallies, IRA employees posed as U.S.
- grassroots entities and persons and made contact with Trump supporters and Trump
- Campaign officials in the United States. The investigation did not identify
- evidence that any U.S. persons conspired or coordinated with the IRA. Section II
- of this report details the Office's investigation of the Russian social media
- campaign. RUSSIAN HACKING OPERATIONS At the same time that the IRA operation
- began to focus ?on supporting candidate Trump in early 2016, the Russian
- government employed a second form of interference: cyber intrusions (hacking)
- and releases of hacked materials damaging to the Clinton Campaign. The Russian
- intelligence service known as the Main Intelligence Directorate of the General
- Staff of the Russian Army (GRU) carried out these operations. In March 2016, the
- GRU began hacking the email accounts of Clinton Campaign volunteers and
- employees, including campaign chairman John Podesta. In April 2016, the GRU
- hacked into the computer networks of the Democratic Congressional Campaign
- Committee (DCCC) and the Democratic National Committee (DNC). The GRU stole
- hundreds of thousands of documents from the compromised email accounts and
- networks. Around the time that the DNC announced in mid-June 2016 the Russian
- government's role in hacking its network, the GRU began disseminating stolen
- materials through the fictitious online personas "DCLeaks" and "Guccifer 2.0."
- The GRU later released additional materials through the organization WikiLeaks.
- 4
- RESULT: 4
- PAGE: 12
- TEXT:
- U.S. Department of Justice AH:erHey \?Brit Pr6d1:1et // Mtty Cet1:tttifl
- Mttterittl Preteeted Ut1:der Fed. R. Ct1iffl. P. 6(e) The presidential campaign
- of Donald J. Trump ("Trump Campaign" or "Campaign") showed interest in
- WikiLeaks's releases of documents and welcomed their otential to damage
- candidate Clinton. Beginning in June 2016,
- llfilllillliliilfll~llliillllllilllilli forecast to senior Campaign officials
- that WikiLeaks would release information damaging to candidate Clinton.
- WikiLeaks's first release came in July 2016. Around the same time, candidate
- Trump announced that he hoped Russia would recover emails described as missing
- from a private server used b Clinton when she was Secreta of State he later said
- that he was s ? eakin sarcasticall . WikiLeaks began releasing Podesta' s stolen
- emails on October 7, 2016, less than one hour after a U.S. media outlet released
- video considered damaging to candidate Trump. Section lII of this Report details
- the Office's investigation into the Russian hacking operations, as well as other
- efforts by Trump Campaign supporters to obtain Clinton-related emails. RUSSIAN
- CONTACTS WITH THE CAMPAIGN The social media campaign and the GRU hacking
- operations coincided with a series of contacts between Trump Campaign officials
- and individuals with ties to the Russian government. The Office investigated
- whether those contacts reflected or resulted in the Campaign conspiring or
- coordinating with Russia in its election-interference activities. Although the
- investigation established that the Russian government perceived it would benefit
- from a Trump presidency and worked to secure that outcome, and that the Campaign
- expected it would benefit electorally from information stolen and released
- through Russian efforts, the investigation did not establish that members of the
- Trump Campaign conspired or coordinated with the Russian government in its
- election interference activities. The Russian contacts consisted of business
- connections, offers of assistance to the Campaign, invitations for candidate
- Trump and Putin to meet in person, invitations for Campaign officials and
- representatives of the Russian government to meet, and policy positions seeking
- improved U.S.-Russian relations. Section IV of this Report details the contacts
- between Russia and the Trump Campaign during the campaign and transition
- periods, the most salient of which are summarized below in chronological order.
- 2015. Some of the earliest contacts were made in connection with a Trump
- Organization real-estate project in Russia known as Trump Tower Moscow.
- Candidate Trump signed a Letter oflntent for Trump Tower Moscow by November
- 2015, and in January 2016 Trump Organization executive Michael Cohen emailed and
- spoke about the project with the office of Russian government press secretary
- Dmitry Peskov. The Trump Organization pursued the project through at least June
- 2016, including by considering travel to Russia by Cohen and candidate Trump.
- Spring 2016. Campaign foreign policy advisor George Papadopoulos made early
- contact with Joseph Mifsud, a London-based professor who had connections to
- Russia and traveled to Moscow in April 2016. Immediately upon his return to
- London from that trip, Mifsud told Papadopoulos that the Russian government had
- "dirt" on Hillary Clinton in the form of thousands 5
- RESULT: 5
- PAGE: 13
- TEXT:
- U.S. Department of Justice l\.ttortte~? Work Pt'od1:1et // Mtty Cotttttitt
- Mttterittl Proteeted Uttder Fed. R. Criffl. P. 6(e) of emails. One week later,
- in the first week of May 2016, Papadopoulos suggested to a representative of a
- foreign government that the Trump Campaign had received indications from the
- Russian government that it could assist the Campaign through the anonymous
- release of information damaging to candidate Clinton. Throughout that period of
- time and for several months thereafter, Papadopoulos worked with Mifsud and two
- Russian nationals to arrange a meeting between the Campaign and the Russian
- government. No meeting took place. Summer 2016. Russian outreach to the Trump
- Campaign continued into the summer of 2016, as candidate Trump was becoming the
- presumptive Republican nominee for President. On June 9, 2016, for example, a
- Russian lawyer met with senior Trump Campaign officials Donald Trump Jr., Jared
- Kushner, and campaign chairman Paul Manafort to deliver what the email proposing
- the meeting had described as "official documents and information that would
- incriminate Hillary." The materials were offered to Trump Jr. as "part of Russia
- and its government's support for Mr. Trump." The written communications setting
- up the meeting showed that the Campaign anticipated receiving information from
- Russia that could assist candidate Trump's electoral prospects, but the Russian
- lawyer's presentation did not provide such information. Days after the June 9
- meeting, on June 14, 2016, a cybersecurity firm and the DNC announced that
- Russian government hackers had infiltrated the DNC and obtained access to
- opposition research on candidate Trump, among other documents. In July 2016,
- Campaign foreign policy advisor Carter Page traveled in his personal capacity to
- Moscow and gave the keynote address at the New Economic School. Page had lived
- and worked in Russia between 2003 and 2007. After returning to the United
- States, Page became acquainted with at least two Russian intelligence officers,
- one of whom was later charged in 2015 with conspiracy to act as an unregistered
- agent of Russia. Page's July 2016 trip to Moscow and his advocacy for pro-
- Russian foreign policy drew media attention. The Campaign then distanced itself
- from Page and, by late September 2016, removed him from the Campaign. July 2016
- was also the month WikiLeaks first released emails stolen by the GRU from the
- DNC. On July 22, 2016, WikiLeaks posted thousands of internal DNC documents
- revealing information about the Clinton Campaign. Within days, there was public
- reporting that U.S. intelligence agencies had "high confidence" that the Russian
- government was.behind the theft of emails and documents from the DNC. And within
- a week of the release, a foreign government informed the FBI about its May 2016
- interaction with Papadopoulos and his statement that the Russian government
- could assist the Trump Campaign. On July 31, 2016, based on the foreign
- government rep01ting, the FBI opened an investigation into potential
- coordination between the Russian government and individuals associated with the
- Trump Campaign. Separately, on August 2, 2016, Trump campaign chairman Paul
- Manafort met in New York City with his long-time business associate Konstantin
- Kilimnik, who the FBI assesses to have ties to Russian intelligence. Kilimnik
- requested the meeting to deliver in person a peace plan for Ukraine that
- Manafort acknowledged to the Special Counsel's Office was a "backdoor" way for
- Russia to control part of eastern Ukraine; both men believed the plan would
- require candidate Trump's assent to succeed (were he to be elected President).
- They also discussed the status of the 6
- RESULT: 6
- PAGE: 14
- TEXT:
- U.S. Department of Justice Atteffle'.} 'Nm?k P1:1edttet // May Cm~taitt Material
- Preteetecl Uttcler Fed. R. C1:1im. P. 6(e) Trump Campaign and Manafort's
- strategy for winning Democratic votes in Midwestern states. Months before that
- meeting, Manafort had caused internal polling data to be shared with Kilimnik,
- and the sharing continued for some period of time after their August meeting.
- Fall 2016. On October 7, 2016, the media released video of candidate Trump
- speaking in graphic terms about women years earlier, which was considered
- damaging to his candidacy. Less than an hour later, WikiLeaks made its second
- release: thousands of John Podesta's emails that had been stolen by the GRU in
- late March 2016. The FBI and other U.S. government institutions were at the time
- continuing their investigation of suspected Russian government efforts to
- interfere in the presidential election. That same day, October 7, the Department
- of Homeland Security and the Office of the Director of National Intelligence
- issued a joint public statement "that the Russian Government directed the recent
- compromises of e-mails from US persons and institutions, including from US
- political organizations." Those "thefts" and the "disclosures" of the hacked
- materials through online platforms such as WikiLeaks, the statement continued,
- "are intended to interfere with the US election process." Post-2016 Election.
- Immediately after the November 8 election, Russian government officials and
- prominent Russian businessmen began trying to make inroads into the new
- administration. The most senior levels of the Russian government encouraged
- these efforts. The Russian Embassy made contact hours after the election to
- congratulate the President-Elect and to arrange a call with President Putin.
- Several Russian businessmen picked up the effort from there. Kirill Dmitriev,
- the chief executive officer of Russia's sovereign wealth fund, was among the
- Russians who tried to make contact with the incoming administration. In early
- December, a business associate steered Dmitriev to Erik Prince, a supporter of
- the Trump Campaign and an associate of senior Trump advisor Steve Bannon.
- Dmitriev and Prince later met face-to-face in January 2017 in the Seychelles and
- discussed U.S.-Russia relations. During the same period, another business
- associate introduced Dmitriev to a friend of Jared Kushner who had not served on
- the Campaign or the Transition Team. Dmitriev and Kushner's friend collaborated
- on a short written reconciliation plan for the United States and Russia, which
- Dmitriev implied had been cleared through Putin. The friend gave that proposal
- to Kushner before the inauguration, and Kushner later gave copies to Bannon and
- incoming Secretary of State Rex Tillerson. On December 29, 2016, then-President
- Obama imposed sanctions on Russia for having interfered in the election.
- Incoming National Security Advisor Michael Flynn called Russian Ambassador
- Sergey Kislyak and asked Russia not to escalate the situation in response to the
- sanctions. The following day, Putin announced that Russia would not take
- retaliatory measures in response to the sanctions at that time. Hours later,
- President-Elect Trump tweeted, "Great move on delay (by V. Putin)." The next
- day, on December 31, 2016, Kislyak called Flynn and told him the request had
- been received at the highest levels and Russia had chosen not to retaliate as a
- result of Flynn's request. * * * On January 6, 2017, members of the intelligence
- community briefed President-Elect Trump on a joint assessment-drafted and
- coordinated among the Central Intelligence Agency, FBI, and 7
- RESULT: 7
- PAGE: 43
- TEXT:
- U.S. Department of Justice Attem1:ey Work Prod1:1et /,' M1ty Cot1t1tit1
- Mftteri1tl Proteeted Ut1der Fed. R. Crifl'I. P. 6(e) III. RUSSIAN HACKING AND
- DUMPING OPERATIONS Beginning in March 2016, units of the Russian Federation's
- Main Intelligence Directorate of the General Staff (GRU) hacked the computers
- and email accounts of organizations, e?mployees, and volunteers supporting the
- Clinton Campaign, including the email account of campaign chairman John Podesta.
- Starting in April 2016, the GRU hacked into the computer networks of the
- Democratic Congressional Campaign Committee (DCCC) and the Democratic National
- Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton
- Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds
- of thousands of documents from the compromised email accounts and networks.109
- The GRU later released stolen Clinton Campaign and DNC documents through online
- personas, "DCLeaks" and "Guccifer 2.0," and later through the organization
- WikiLeaks. The release of the documents was designed and timed to interfere with
- the 2016 U.S. presidential election and undermine the Clinton Campaign. , the
- Trump Campaign about WikiLeaks's activities. The investigation was unable to
- resolve WikiLeaks's release of the stolen Podesta emails on October 7, 2016, the
- same day a video from years earlier was published of Trump using graphic
- language about women. A. GRU Hacking Directed at the Clinton Campaign 1. GRU
- Units Target the Clinton Campaign Two military units of the GRU carried out the
- computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units
- 26165 and 74455.110 Military Unit 26165 is a GRU cyber unit dedicated to
- targeting military, political, governmental, and non-governmental organizations
- outside of Russia, including in the United States.111 The unit was sub-divided
- into departments with different specialties. One department, for example,
- developed specialized malicious software "malware" , while another de artment
- conducted large-scale spearphishing campaigns.112 jfllllililliliilllilli
- lilillllll~ a bitcoin mining operation to 109 As discussed in Section V below,
- our Office charged 12 GRU officers for crimes arising from the hacking of these
- computers, principally with conspiring to commit computer intrusions, in
- violation of 18 U.S.C. ?? 1030 and 371. See Volume I, Section V.B, infra;
- Indictment, United States v. Netyksho, No. I :18-cr-215 (D.D.C. July 13, 2018),
- Doc. 1 ("Netyksho Indictment"). 110 Netyksho Indictment ,r 1. 111 Separate from
- this Office's indictment of GRU officers, in October 2018 a grand jury sitting
- in the Western District of Pennsylvania returned an indictment charging certain
- members of Unit 26165 with hacking the U.S. Anti-Doping Agency, the World Anti-
- Doping Agency, and other international sport associations. United States v.
- Aleksei Sergeyevich Morenets, No. 18-263 (W.D. Pa.). 112 A spearphishing email
- is designed to appear as though it originates from a trusted source, and
- solicits information to enable the sender to gain access to an account or
- network, or causes the recipient to 36
- RESULT: 8
- PAGE: 44
- TEXT:
- U.S. Department of Justice MorAey Work Prodttet // Ma:,? CoAiait\ Material
- Protected UAder Fed. R. Criffl. P. 6(e) secure bitcoins used to purchase
- computer infrastructure used in hacking operations.113 Military Unit 74455 is a
- related GRU unit with multiple departments that engaged in cyber operations.
- Unit 74455 assisted in the release of documents stolen by Unit 26165, the
- promotion of those releases, and the publication of anti-Clinton content on
- social media accounts operated by the GRU. Officers from Unit 74455 separately
- hacked computers belonging to state boards of elections, secretaries of state,
- and U.S. companies that supplied software and other technology related to the
- administration of U.S. elections.114 Beginning in mid-March 2016, Unit 26165 had
- primary responsibility for hacking the DCCC and DNC, as well as email accounts
- of individuals affiliated with the Clinton Campaign: 115 Unit 26165 used
- Investigative Technique began before the GRU had obtained any credentials or
- gained access to these networks, indicating that the later DCCC and DNC
- intrusions were not crimes of opportunity but rather the result of targeting.116
- GRU officers also sent hundreds of spearphishing emails to the work and personal
- email accounts of Clinton Campaign employees and volunteers. Between March 10,
- 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90
- spearphishing emails to email accounts at hillaryclinton.com. Starting on March
- 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign
- employees, along with a smaller number of dnc.org email accounts.117 The GRU
- spearphishing operation enabled it to gain access to numerous email accounts of
- Clinton Campaign employees and volunteers, including campaign chairman John
- Podesta, junior volunteers assigned to the Clinton Campaign's advance team,
- informal Clinton Campaign advisors, and a DNC employee.118 GRU officers stole
- tens of thousands of emails from spearphishing victims, including various
- Clinton Campaign-related communications. download malware that enables the
- sender to gain access to an account or network. Netyksho Indictment 10. 113
- Bitcoin mining consists of unlocking new bitcoins by solving computational
- problems. Ill 1111 kept its newly mined coins in an account on the bitcoin
- exchange platform CEX.io. To make purchases, the GRU routed funds into other
- accounts through transactions designed to obscure the source of funds. Netyksho
- Indictment~ 62. 114 Netyksho Indictment~ 69. 115 Netyksho Indictment~ 9. 116 See
- SM-2589105, serials 144 & 495. 118 Investigative Technique 37
- RESULT: 9
- PAGE: 45
- TEXT:
- U.S. Department of Justice Attert1ey Werk P12ed1:1et // :Mt:ty Cmttaitt
- Materit:tl Preteeted Ut1der Fed. R. Criffl. P. 6(e) 2. Intrusions into the DCCC
- and DNC Networks a. Initial Access By no later than April 12, 2016, the GRU had
- gained access to the DCCC computer network using the credentials stolen from a
- DCCC employee who had been successfully spearphished the week before. Over the
- ensuing weeks, the GRU traversed the network, identifying different computers
- connected to the DCCC network. By stealing network access credentials along the
- way (including those of IT administrators with unrestricted access to the
- system), the GRU compromised approximately 29 different computers on the DCCC
- network.119 Approximately six days after first hacking into the DCCC network, on
- April 18, 2016, GRU officers gained access to the DNC network via a virtual
- private network (VPN) connection120 between the DCCC and DNC networks.121
- Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30
- computers on the DNC network, including the DNC mail server and shared file
- server.122 b. Implantation of Ma/ware on DCCC and DNC Networks Unit 26165
- implanted on the DCCC and DNC networks two types of customized malware, 123
- known as "X-Agent" and "X-Tunnel"; Mimikatz, a credential-harvesting tool; and
- rar.exe, a tool used in these intrusions to compile and compress materials for
- exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165
- to log keystrokes, take screenshots, and gather other data about the infected
- computers (e.g., file directories, operating systems).124 Tunnel was a hacking
- tool that created an encrypted connection between the victim DCCC/DNC computers
- and GRU-controlled computers outside the DCCC and DNC networks that was capable
- of large-scale data transfers.125 GRU officers then used X-Tunnel to exfiltrate
- stolen data from the victim computers. 120 A VPN extends a private network,
- allowing users to send and receive data across public networks (such as the
- internet) as if the connecting computer was directly connected to the private
- network. The VPN in this case had been created to give a small number of DCCC
- employees access to certain databases housed on the DNC network. Therefore,
- while the DCCC employees were outside the DNC's private network, they could
- access parts of the DNC network from their DCCC computers. Investigative
- Technique Investigative Technique 123 "Malware" is short for malicious software,
- and here refers to software designed to allow a third party to infiltrate a
- computer without the consent or knowledge of the computer's user or operator.
- 124 Investigative Technique 125 Investigative Technique 38
- RESULT: 10
- PAGE: 46
- TEXT:
- U.S. Department of Justice Att:on1ey Work Proattet // Mtty Col'l:tttil'I:
- Mttterittl Proteetea Unser Fea. R. Crim.. P. 6(e) To operate X-Agent and
- X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of
- computers outside those networks to communicate with the implanted malware.126
- The first set of GRU-controlled computers, known by the GRU as "middle servers,"
- sent and received messages to and from malware on the DNC/DCCC networks. The
- middle servers, in turn, relayed messages to a second set of GRU-controlled
- com;?'ters, labeled internally by the GRU as an "AMS Panel." The AMS Panel jjjff
- 11'??\1flffl 1?j'1?-served as a nerve center through which GRU officers
- monitored and directed the malware's operations on the DNC/DCCC networks.127 ! .
- ? . ? ? ? : Investigative Technique Investigative Technique Investigative
- Technique 126 In connection with these intrusions, the GRU used computers
- (virtual private networks, dedicated servers operated by hosting companies,
- etc.) that it leased from third-party providers located all over the world. The
- investi ation identified rental a reements and payments for computers located
- in, inter alia, -~-~-Ii IIMliilili all of which were used in the operations
- targeting the U.S. election. 127 Netyksho Indictment ,r 25. 128 Netyksho
- Indictment ,r 24( c ). 129 Netyksho Indictment ,r 24(b ). 39
- RESULT: 11
- PAGE: 47
- TEXT:
- U.S. Department of Justice Atlorttey Work Prodttet // May Cotttaifl Material
- Proteeted Under Fed. R. Crim. P. 6Ee) The Arizona-based AMS Panel also stored
- thousands of files containing keylogging sessions captured through X-Agent.
- These sessions were captured as GRU officers monitored DCCC and DNC employees'
- work on infected computers regularly between April 2016 and June 2016. Data
- captured in these key logging sessions included passwords, internal
- communications between employees, banking information, and sensitive personal
- information. c. Theft of Documents from DNC and DCCC Networks Officers from Unit
- 26165 stole thousands of documents from the DCCC and DNC networks, including
- significant amounts of data pertaining to the 2016 U.S. federal elections.
- Stolen documents included internal strategy documents, fundraising data,
- opposition research, and emails from the work inboxes of DNC employeesY0 The GRU
- began stealing DCCC data shortly after it gained access to the network. On April
- 14, 2016 (approximately three days after the initial intrusion) GRU officers
- downloaded rar.exe onto the DCCC's document server. The following day, the GRU
- searched one compromised DCCC computer for files containing search terms that
- included "Hillary," "DNC," "Cruz," and "Trump."131 On April 25, 2016, the GRU
- collected and compressed PDF and Microsoft documents from folders on the DCCC's
- shared file server that pertained to the 2016 election.132 The GRU appears to
- have compressed and exfiltrated over 70 gigabytes of data from this file
- server.133 The GRU also stole documents from the DNC network shortly after
- gaining access. On April 22, 2016, the GRU copied files from the DNC network to
- GRU-controlled computers. Stolen documents included the DNC' s opposition
- research into candidate Trump.134 Between approximately May 25, 2016 and June 1,
- 2016, GRU officers accessed the DNC's mail server from a GRU-controlled computer
- leased inside the United States.135 During these connections, 130 Netyksho
- Indictment ,i,i 27-29; Investigative Technique 131 Investigative Technique
- Investigative Technique Investigative Technique ? Investigative Technique
- SM-2589105-HACK, serial 5. Investigative Technique 135 Investigative Technique
- -See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later
- received images ofDNC servers and copies of relevant traffic logs. Netyksho
- Indictment ,i,i 28-29. 40
- RESULT: 12
- PAGE: 48
- TEXT:
- U.S. Department of Justice Attarl'ley Werk Predttet // Mey Cel'ltail'l Material
- Preteeted Unaer Fed. R. Cril'l'I. P. 6(e) Unit 26165 officers appear to have
- stolen thousands of emails and attachments, which were later released by
- WikiLeaks in July 2016.136 B. Dissemination of the Hacked Materials The GRU's
- operations extended beyond stealing materials, and included releasing documents
- stolen from the Clinton Campaign and its supporters. The GRU carried out the
- anonymous release through two fictitious online personas that it created-DCLeaks
- and Guccifer 2.0-and later through the organization WikiLeaks. 1. DCLeaks The
- GRU began planning the releases at least as early as April 19, 2016, when Unit
- 26165 registered the domain dcleaks.com through a service that anonymized the
- registrant.137 Unit 26165 paid for the registration using a pool of bitcoin that
- it had mined. 138 The dcleaks.com landing page pointed to different tranches of
- stolen documents, arranged by victim or subject matter. Other dcleaks.com pages
- contained indexes of the stolen emails that were being released (bearing the
- sender, recipient, and date of the email). To control access and the timing of
- releases, pages were sometimes password-protected for a period of time and later
- made unrestricted to the public. Starting in June 2016, the GRU posted stolen
- documents onto the website dcleaks.com, including documents stolen from a number
- of individuals associated with the Clinton Campaign. These documents appeared to
- have originated from personal email accounts (in particular, Google and
- Microsoft accounts), rather than the DNC and DCCC computer networks. DCLeaks
- victims included an advisor to the Clinton Campaign, a former DNC employee and
- Clinton Campaign employee, and four other campaign volunteers.139 The GRU
- released through dcleaks.com thousands of documents, including personal
- identifying and financial information, internal correspondence related to the
- Clinton Campaign and prior political jobs, and fundraising files and
- information.140 136 Netyksho Indictment ,i 29. The last-in-time DNC email
- released by WikiLeaks was dated May 25, 2016, the same period of time during
- which the GRU gained access to the DNC's email server. Netyksho Indictment ,i
- 45. 137 Netyksho Indictment ,i 35. Approximately a week before the registration
- of dcleaks.com, the same actors attem ted to re ister the website
- electionleaks.com using the same domain registration service. 138 See
- SM-2589105, serial 181; Netyksho Indictment ,i 2l(a). 140 See, e.g., Internet
- Archive, "htt s://dcleaks.com/" archive date Nov. 10, 2016). Additionally,
- DCLeaks released documents relating to , emails belonging to_, and emails from
- 2015 relating to Republican Party employees (under the portfolio name "The
- United States Republican Party"). "The United States Republican Party" portfolio
- contained approximately 300 emails from a variety of GOP members, PACs,
- campaigns, state parties, and businesses dated between May and October 2015.
- According to open-source reporting, these victims shared the same 41
- RESULT: 13
- PAGE: 49
- TEXT:
- U.S. Department of Justice AM:6rt~ey W6rk Prndttet // Mtty CetttttiH Mttterittl
- Pr6teeted Umler Fed. R. Criffl. P. 6(e) GRU officers operated a Facebook page
- under the DCLeaks moniker, which they primarily used to promote releases of
- materials.141 The Facebook page was administered through a small number of
- preexisting GRU-controlled Facebook accounts.142 GRU officers also used the
- DCLeaks Facebook account, the Twitter account @dcleaks_, and the email account
- dcleaksproject@gmail.com to communicate privately with reporters and ? other
- U.S. persons. GRU officers using the DCLeaks persona gave certain reporters
- early access to archives of leaked files by sending them links and passwords to
- pages on the dcleaks.com website that had not yet become public. For example, on
- July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and
- password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook
- account.143 Similarly, on September 14, 2016, GRU officers sent reporters
- Twitter direct messages from @dcleaks_, with a password to another non-public
- part of the dcleaks.com website. 144 The DCLeaks.com website remained
- operational and public until March 2017. 2. Guccifer 2.0 On June 14, 2016, the
- DNC and its cyber-response team announced the breach of the DNC network and
- suspected theft of DNC documents. In the statements, the cyber-response team
- alleged that Russian state-sponsored actors (which they referred to as "Fancy
- Bear") were responsible for the breach. 145 Apparently in response to that
- announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0
- created a WordPress blog. In the hours leading up to the launch of that
- WordPress blog, GRU officers logged into a Moscow-based server used and managed
- by Unit 74455 and searched for a number of specific words and phrases in
- English, including "some hundred sheets," "illuminati," and "worldwide known."
- Approximately two hours after the last of those searches, Guccifer 2.0 published
- its first post, attributing the DNC server hack to a lone Romanian hacker and
- using several of the unique English words and phrases that the GRU officers had
- searched for that day.146 Tennessee-based web-hosting company, called Smartech
- Corporation. William Bastone, RNC E-Mail Was, In Fact, Hacked By Russians, The
- Smoking Gun (Dec. 13, 2016). 141 Netyksho Indictment ,r 38. 142 See, e.g.,
- Facebook Account 100008825623541 (Alice Donovan). 143 7/14/16 Facebook Message,
- ID 793058100795341 (DC Leaks) to ID 144 See, e .. , 9/14/16 Twitter DM, @dcleaks
- _ to KvFsgo/o* 14@gPgu& enjoy;)." ; 9/14/16 Twitter OM, . The messages read:
- "Hi https://t.co/QTvKUjQcOx pass: 145 Dmitri Alperovitch, Bears in the Midst:
- Intrusion into the Democratic National Committee, CrowdStrike Blog (June 14,
- 2016). CrowdStrike updated its post after the June 15, 2016 post by Guccifer 2.0
- claiming responsibility for the intrusion. 146 Netyksho Indictment ,r,r 41-42.
- 42
- RESULT: 14
- PAGE: 50
- TEXT:
- U.S. Department of Justice AtterHey '1?ei-lc Pfed1:1et // May CeHtaiH Material
- Preteeted UHder Fed. R. Criffl. P. 6(e) That same day, June 15, 2016, the GRU
- also used the Guccifer 2.0 WordPress blog to begin releasing to the public
- documents stolen from the DNC and DCCC computer networks. The Guccifer 2.0
- persona ultimately released thousands of documents stolen from the DNC and DCCC
- in a series of blog posts between June 15, 2016 and October 18, 2016.147
- Released documents included opposition research performed by the DNC (including
- a memorandum analyzing potential criticisms of candidate Trump), internal policy
- documents (such as recommendations on how to address politically sensitive
- issues), analyses of specific congressional races, and fundraising documents.
- Releases were organized around thematic issues, such as specific states (e.g.,
- Florida and Pennsylvania) that were perceived as competitive in the 2016 U.S.
- presidential election. Beginning in late June 2016, the GRU also used the
- Guccifer 2.0 persona to release documents directly to reporters and other
- interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an
- email to the news outlet The Smoking Gun offering to provide "exclusive access
- to some leaked emails linked [to] Hillary Clinton's staff."148 The GRU later
- sent the reporter a password and link to a locked portion of the dcleaks.com
- website that contained an archive of emails stolen by Unit 26165 from a Clinton
- Campaign volunteer in March 2016.149 That the Guccifer 2.0 persona provided
- reporters access to a restricted portion of the DCLeaks website tends to
- indicate that both personas were operated by the same or a closely-related group
- of people.1so The GRU continued its release efforts through Guccifer 2.0 into
- August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a
- candidate for the U.S. Congress documents related to the candidate's
- opponent.1st On August 22, 2016, the Guccifer 2.0 persona transferred
- approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a
- U.S. blogger covering Florida politics.1s2 On August 22, 2016, the Guccifer 2.0
- persona sent a U.S. reporter documents stolen from the DCCC pertaining to the
- Black Lives Matter movement.1s3 147 Releases of documents on the Guccifer 2.0
- blog occurred on June 15, 2016; June 20, 2016; June 21, 2016; July 6, 2016; July
- 14, 2016; August 12, 2016; August 15, 2016; August 21, 2016; August 31, 2016;
- September 15, 2016; September 23, 2016; October 4, 2016; and October 18, 2016.
- ~~ccifer20@aol.fr to 149 6/27/16 Email, uccifer20@aol.fr to ; see also 612 7 /16
- (subject "leaked emails"); project"). (subject "leaked (sub' ect "leaked emails"
- ; uccifer20@aol.fr to ( claiming DCLeaks was a "Wikileaks sub 150 Before sending
- the reporter the link and password to the closed DCLeaks website, and in an
- apparent effort to deflect attention from the fact that DCLeaks and Guccifer 2.0
- were operated by the same organization, the Guccifer 2.0 persona sent the
- repm1er an email stating that DCLeaks was a "Wikileaks sub project" and that
- Guccifer 2.0 had asked DCLeaks to release the leaked emails with "closed access"
- to give reporters a preview of them. 151 Netyksho Indictment ,r 43(a). 152
- Netyksho Indictment ,r 43(b ). 153 Netyksho Indictment ,r 43(c). 43
- RESULT: 15
- PAGE: 51
- TEXT:
- U.S. Department of Justice AtierHey Werk Predttet // Moy CeHtttiH Material
- Preteeted UHeer Fed. R. Crim. P. 6(e) In early August 2016, Twitter's suspension
- of the Guccifer 2.0 Twitter account. After it was reinstated, GRU officers
- posing as Guccifer 2.0 wrote 1;c?)Wp ,,ia private message, "thank u for writing
- back ... do u find anyt[h]ing interesting in the docs i posted?" On August 17,
- 2016, the GRU added, "please tell me if i can help u anyhow ... it would be a
- great pleasure to me." On September 9, 2016, the GRUi;(T);f posing as Guccifer
- 2.0-referred to a stolen DCCC document posted online and asked ? "what do u
- think of the info on the turnout model for the democrats entire presidential
- campaign." -responded, "pretty standard."155 The investigation did not identify
- evidence of other communications between-and Guccifer 2.0. 3. Use of WikiLeaks
- In order to expand its interference in the 20 I 6 U.S. presidential election,
- the GRU units transferred many of the documents they stole from the DNC and the
- chairman of the Clinton Campaign to WikiLeaks. GRU officers used both the
- DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter
- private messaging and through encrypted channels, including possibly through
- WikiLeaks's private communication system. . a. WikiLeaks's Expressed Opposition
- Toward the Clinton Campaign WikiLeaks, and particularly its founder Julian
- Assange, privately expressed opposition to candidate Clinton well before the
- first release of stolen documents. In November 2015, Assange wrote to other
- members and associates of WikiLeaks that "[w]e believe it would be much better
- for GOP to win ... Dems+Media+liberals woudl [sic] then form a block to reign in
- their worst qualities. . . . With Hillary in charge, GOP will be pushing for her
- worst qualities., dems+media+neoliberals will be mute .... She's a bright, well
- connected, sadisitic sociopath."156 In March 2016, WikiLeaks released a
- searchable archive of approximately 30,000 Clinton emails that had been obtained
- through FOIA litigation.157 While designing the archive, one WikiLeaks member
- explained the reason for building the archive to another associate: 154 155 Harm
- to Ongoing Matter 156 1 l/19/15 Twitter Group Chat, Group ID 594242937858486276,
- @WikiLeaks et al. Assange also wrote that, "GOP will generate a lot oposition
- [sic], including through dumb moves. Hillary will do the same thing, but co-opt
- the liberal opposition and the GOP opposition. Hence biliary has greater freedom
- to statt wars than the GOP and has the will to do so." Id. 157 WikiLeaks,
- "Hillary Clinton Email Archive," available at https://wikileaks.org/clinton-
- emails/. 44
- RESULT: 16
- PAGE: 52
- TEXT:
- U.S. Department of Justice AttorHey Work Prodttet // Mtty Cofl:tttifl:
- Mttterittl Proteeted UHder Fed. R. Criffl. P. 6(e) [W]e want this repository to
- become "the place" to search for background on hillary's plotting at the state
- department during 2009-2013. . . . Firstly because its useful and will annoy
- Hillary, but secondly because we want to be seen to be a resource/player in the
- US election, because eit [sic] may en[]courage people to send us even more
- important leaks.158 b. WikiLeaks's First Contact with Guccifer 2.0 and DCLeaks
- Shortly after the GRU's first release of stolen documents through dcleaks.com in
- June 2016, GRU officers also used the DCLeaks persona to contact WikiLeaks about
- possible coordination in the future release of stolen emails. On June 14, 2016,
- @dcleaks _ sent a direct message to @WikiLeaks, noting, "You announced your
- organization was preparing to publish more Hillary's emails. We are ready to
- support you. We have some sensitive information too, in particular, her
- financial documents. Let's do it to ether. What do ou think about ublishin our
- info at the same moment? Thank ou."159 Around the same time, WikiLeaks initiated
- communications with the GRU persona Guccifer 2.0 shortly after it was used to
- release documents stolen from the DNC. On June 22, 2016, seven days after
- Guccifer 2.0's first releases of stolen DNC documents, WikiLeaks used Twitter's
- direct message function to contact the Guccifer 2.0 Twitter account and suggest
- that Guccifer 2.0 "[s]end any new material [stolen from the DNC] here for us to
- review and it will have a much higher impact than what you are doing."160 On
- July 6, 2016, WikiLeaks again contacted Guccifer 2.0 through Twitter's private
- messaging function, writing, "if you have anything hillary related we want it in
- the next tweo [sic] days prefab le [sic] because the DNC is approaching and she
- will solidify bernie supporters behind her after." The Guccifer 2.0 persona
- responded, "ok ... i see." WikiLeaks also explained, "we think trump has only a
- 25% chance of winning against hillary ... so conflict between bernie and hillary
- is interesting." 161 c. The GRU's Transfer of Stolen Materials to WikiLeaks Both
- the GRU and WikiLeaks sought to hide their communications, which has limited the
- Office's ability to collect all of the communications between them. Thus,
- although it is clear that the stolen DNC and Podesta documents were transferred
- from the GRU to WikiLeaks, -Investigative Technique 158 3/14/16 Twitter DM,
- @WikiLeaks to Less than two weeks earlier, the same account had been used to
- send a private message opposing the idea of Clinton "in whitehouse with her
- bloodlutt and amitions [sic] of empire with hawkish liberal-interventionist
- appointees." 11/19/15 Twitter Group Chat, Group ID 594242937858486276,
- @WikiLeaks et al. 159 6/14/16 Twitter DM, @dcleaks_ to @WikiLeaks. 160 Netyksho
- Indictment ,r 47(a). 1617/6/16 Twitter DMs, @WikiLeaks & @guccifer_2. 45
- RESULT: 17
- PAGE: 53
- TEXT:
- U.S. Department of Justice Atterttey Werk Predttet // Ma:y Cettta:itt Mttteria:l
- Preteeted Uttder Fed. R. Criffl. P. 6(e) The Office was able to identify when
- the GRU ( operating through its personas Guccifer 2.0 and DCLeaks) transferred
- some of the stolen documents to WikiLeaks through online archives set up by the
- GRU. Assan e had access to the internet from the Ecuadorian Embass in London, En
- land. On July 14, 2016, GRU officers used a Guccifer 2.0 email account to send
- WikiLeaks an email bearing the subject "big archive" and the message "a new
- attempt."163 The email contained an encrypted attachment with the name "wk dnc
- link I .txt.gpg."164 Using the Guccifer 2.0 Twitter account, GRU officers sent
- WikiLeaks an encrypted file and instructions on how to open it.165 On July 18,
- 2016, WikiLeaks confirmed in a direct message to the Gucci fer 2.0 account that
- it had "the 1 Gb or so archive" and would make a release of the stolen documents
- "this week."166 On July 22, 2016, WikiLeaks released over 20,000 emails and
- other documents stolen from the DNC computer networks.167 The Democratic
- National Convention began three days later. Similar communications occurred
- between WikiLeaks and the GRU-operated persona DCLeaks. On September 15, 2016,
- @dcleaks wrote to @WikiLeaks, "hi there! I'm from DC Leaks. How could we discuss
- some submission-related issues? Am trying to reach out to you via your secured
- chat but getting no response. I've got something that might interest you. You
- won't be disappointed, I promise."168 The WikiLeaks account responded, "Hi
- there," without further elaboration. The @dcleaks_ account did not respond
- immediately. The same day, the Twitter account@guccifer_2 sent @dcleaks_ a
- direct message, which is the first known contact between the personas.169 During
- subsequent communications, the 163 This was not the GRU's first attempt at
- transferring data to WikiLeaks. On June 29, 2016, the GRU used a Guccifer 2.0
- email accou~ted file to a WikiLeaks email account. 6/29/16 Email,
- guccifer2@mail.com (The email appears to have been undelivered.) 164 See
- SM-2589105-DCLEAKS, serial 28 (analysis). 165 6/27/16 Twitter DM, @Guccifer_2 to
- @WikiLeaks. 166 7/18/16 Twitter OM, @Guccifer_2 & @WikiLeaks. 167 "DNC Email
- Archive," WikiLeaks (Jul. 22, 2016), available at https://wikileaks.org/dnc-
- emails. 168 9/15/16 Twitter DM, @dcleaks_ to @WikiLeaks. 169 9/15/16 Twitter DM,
- @guccifer _ 2 to @dcleaks _. 46
- RESULT: 18
- PAGE: 54
- TEXT:
- U.S. Department of Justice AtterRe;? Werk Predttet // Mtt;? CeRtail'l Mftferial
- Preteeted URder Fed. R. Crim. P. 6(e) Guccifer 2.0 persona informed DCLeaks that
- WikiLeaks was trying to contact DCLeaks and arrange for a way to speak through
- encrypted emails.170 An analysis of the metadata collected from the WikiLeaks
- site revealed that the stolen Podesta emails show a creation date of September
- 19, 2016.171 Based on information about Assange's computer and its possible
- operating system, this date may be when the GRU staged the stolen Podesta emails
- for transfer to WikiLeaks (as the GRU had previously done in July 2016 for the
- DNC emails).172 The WikiLeaks site also released PDFs and other documents taken
- from Podesta that were attachments to emails in his account; these documents had
- a creation date of October 2, 2016, which appears to be the date the attachments
- were separately staged by WikiLeaks on its site.173 Beginning on September 20,
- 2016, WikiLeaks and DCLeaks resumed communications in a brief exchange. On
- September 22, 2016, a DCLeaks email account dcleaksproject@gmail.com sent an
- email to a WikiLeaks account with the subject "Submission" and the message "Hi
- from DCLeaks." The email contained a PGP-encr ted with the filename
- "wiki_mail.txt.gpg."174 %?The email, however, bears a number of similarities to
- the July 14, 2016 email in which GRU officers used the Guccifer 2.0 persona to
- give WikiLeaks access to the archive of DNC files. On September 22, 2016 (the
- same day of DCLeaks' email to WikiLeaks), the Twitter account dcleaks sent a sin
- le messa e to WikiLeaks with the strin of characters The Office cannot rule out
- that stolen documents were transferred to WikiLeaks through intermediaries who
- visited during the summer of 2016. For example, public reporting identified A d
- M"'ll M h w?kiL k . t h h . t d "th th t fi fth Investigative Technique 170 See
- SM-2589105-DCLEAKS, serial 28; 9/15/16 Twitter DM, @Guccifer_2 & @WikiLeaks. 171
- See SM-2284941, serials 63 & 64 Investigative Technique At the time, certain
- Apple operating systems used a setting that left a downloaded file's creation
- date the same as the creation date shown on the host computer. This would
- explain why the creation date on WikiLeaks's version of the files was still
- September 19, 2016. See SM-Investigative Technique 2284941, serial 62 173 When
- WikiLeaks saved attachments separately from the stolen emails, its computer
- system appears to have treated each attachment as a new file and given it a new
- creation date. See SM-2284941, serials 63 & 64. 174 See 9/22/16 Email,
- dcleaksproject@gmail.com 175 Ellen Nakashima et al., A German Hacker Offers a
- Rare Look Inside the Secretive World of Julian Assange and WikiLeaks, Washington
- Post (Jan. 17, 2018). 47
- RESULT: 19
- PAGE: 55
- TEXT:
- U.S. Department of Justice Atton=iey Work Protl1:1et // Mtl:y Cottt:tl:ifl
- Mtl:teritl:l Proteetetl UAtier Fetl. R. Criffl. P. 6(e) Investigative Technique
- . On October 7, 2016, WikiLeaks released the first emails stolen from the
- Podesta email account. In total, WikiLeaks released 33 tranches of stolen emails
- between October 7, 2016 and November 7, 2016. The releases included private
- speeches given by Clinton; 177 internal communications between Podesta and other
- high-ranking members of the Clinton Campaign; 178 and correspondence related to
- the Clinton Foundation.179 In total, WikiLeaks released over 50,000 documents
- stolen from Podesta's personal email account. The last-in-time email released
- from Podesta' s account was dated March 21, 2016, two days after Podesta
- received a spearphishing email sent by the GRU. d. WikiLeaks Statements
- Dissembling About the Source of Stolen Materials As reports attributing the DNC
- and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made
- several public statements apparently designed to obscure the source of the
- materials that WikiLeaks was releasing. The file-transfer evidence described
- above and other information uncovered during the investigation discredit
- WikiLeaks's claims about the source of material that it posted. Beginning in the
- summer of 2016, Assange and WikiLeaks made a number of statements about Seth
- Rich, a former DNC staff member who was killed in July 2016. The statements
- about Rich implied falsely that he had been the source of the stolen DNC emails.
- On August 9, 2016, the @WikiLeaks Twitter account posted: "ANNOUNCE: WikiLeaks
- has decided to issue a US$20k reward for information leading to conviction for
- the murder ofDNC staffer Seth Rich."180 Likewise, on August 25, 2016, Assange
- was asked in an interview, "Why are you so interested in Seth Rich's killer?"
- and responded, "We're very interested in anything that might be a threat to
- alleged Wikileaks sources." The interviewer responded to Assange's statement by
- commenting, "I know you don't want to reveal your source, but it certainly
- sounds like you're suggesting a man who leaked information to WikiLeaks was then
- murdered." Assange replied, "If there's someone who's potentially connected to
- our publication, and that person has been murdered in suspicious t79 Netyksho
- Indictment ,r 43. 180 @WikiLeaks 8/9/16 Tweet. 48
- RESULT: 20
- PAGE: 56
- TEXT:
- U.S. Department of Justice Attort1ey Work Prndttet ,'/ May Cot1:tait1: Material
- Proteeted Ut1:der Fed. R. Cri1fl. P. 6(e) circumstances, it doesn't necessarily
- mean that the two are connected. But it is a very serious matter ... that type
- of allegation is very serious, as it's taken very seriously by us."181 After the
- U.S. intelligence community publicly announced its assessment that Russia was
- behind the hacking operation, Assange continued to deny that the Clinton
- materials released by WikiLeaks had come from Russian hacking. According to
- media reports, Assange told a U.S. congressman that the DNC hack was an "inside
- job," and purported to have "physical proof' that Russians did not give
- materials to Assange. 182 C. Additional GRU Cyber Operations While releasing the
- stolen emails and documents through DCLeaks, Guccifer 2.0, and WikiLeaks, GRU
- officers continued to target and hack victims linked to the Democratic campaign
- and, eventually, to target entities responsible for election administration in
- several states. 1. Summer and Fall 2016 Operations Targeting Democrat-Linked
- Victims On July 27 2016, Unit 26165 targeted email accounts connected to
- candidate Clinton's personal office . Earlier that day, candidate Trump made
- public statements that included the following: "Russia, if you're listening, I
- hope you're able to find the 30,000 emails that are missing. I think you will
- probably be rewarded mightily by our press."183 The "30,000 emails" were
- apparently a reference to emails described in media accounts as having been
- stored on a personal server that candidate Clinton had used while serving as
- Secretary of State. Within approximately five hours of Trump's statement, GRU
- officers targeted for the first time Clinton's personal office. After candidate
- Trump's remarks, Unit 26165 created and sent malicious links targeting 15 email
- accounts at the domain including an email account belonging to Clinton aide The
- investigation did not find evidence of earlier GRU attempts to compromise
- accounts hosted on this domain. It is unclear how the GRU was able to identify
- these email accounts, which were not public.184 Unit 26165 officers also hacked
- into a DNC account hosted on a cloud-computing service copies of the DNC da
- databases (referred to On September 20, 2016, the GRU began to generate function
- designed to allow users to produce backups of as "snapshots"). The GRU then
- stole those snapshots by moving 181 See Assange: "Murdered DNC Staffer Was
- 'Potential' WikiLeaks Source," Fox News (Aug. 25, 2016)(containing video of
- Assange interview by Megyn Kelly). 182 M. Raju & Z. Cohen, A GOP Congressman's
- Lonely Quest Defending Julian Assange, CNN (May 23, 2018). 183 "Donald Trump on
- Russian & Missing Hillary Clinton Emails," YouTube Channel C-SPAN, Posted
- 7/27/16, available at https://www.youtube.com/watch?v=3kxG8uJUsWU (starting at
- 0:41). 49
- RESULT: 21
- PAGE: 57
- TEXT:
- U.S. Department of Justice Atteme;? :werk PFeauet // Moy Cef!ta.if! Material
- Preteetea Uflaef Fee. R. Crim.. P. 6(e) them to -account that they controlled;
- from there, the copies were moved to GRUcontrolled computers. The GRU stole
- approximately 300 gigabytes of data from the DNC based account.185 2. Intrusions
- Targeting the Administration of U.S. Elections In addition to targeting
- individuals involved in the Clinton Campaign, GRU officers also targeted
- individuals and entities involved in the administration of the elections.
- Victims included U.S. state and local entities, such as state boards of
- elections (SBOEs), secretaries of state, and county governments, as well as
- individuals who worked for those entities. 186 The GRU also targeted private
- technology firms responsible for manufacturing and administering election-
- related software and hardware, such as voter registration software and
- electronic polling stations.187 The GRU continued to target these victims
- through the elections in November 2016. While the investigation identified
- evidence that the GRU targeted these individuals and entities, the Office did
- not investigate further. The Office did not, for instance, obtain or examine
- servers or other relevant items belonging to these victims. The Office
- understands that the FBI, the U.S. Department of Homeland Security, and the
- states have separately investigated that activity. By at least the summer of
- 2016, GRU officers sought access to state and local computer networks by
- exploiting known software vulnerabilities on websites of state and local
- governmental entities. GRU officers, for example, targeted state and local
- databases of registered voters using a technique known as "SQL injection," by
- which malicious code was sent to the state or local website in order to run
- commands (such as exfiltrating the database contents).188 In one instance in
- approximately June 2016, the GRU compromised the computer network of the
- Illinois State Board of Elections by exploiting a vulnerability in the SBOE's
- website. The GRU then gained access to a database containing information on
- millions of registered Illinois voters, 189 and extracted data related to
- thousands of U.S. voters before the malicious activity was identified.190 GRU
- officers Investigative Technique scanned state and local websites for eriod in
- July 2016, GRU officers -for vulnerabilities on websites of more than 185
- Netyksho Indictment ,i 34; see also SM-2589105-HACK, serial 29 -? Investigative
- Technique 186 Netyksho Indictment ,i 69. 188 Investigative Technique -50
- RESULT: 22
- PAGE: 58
- TEXT:
- U.S. Department of Justice AttorHey Werle Proattet // Moy CoHtoiH Moteriol
- Proteetee UHeer Fee. R. Crtffl. P. 6(e) for vulnerabilities continued through
- the election. Unit 74455 also sent spearphishing emails to public officials
- involved in election administration and personnel a~ involved in voting
- technology. In August 2016, GRU officers targeted employees of ..... , a voting
- technology company that developed software used by numerous U.S. counties to
- manage voter rolls, and installed malware on the company network. Similarly, in
- November 2016, the GRU sent spearphishing emails to over 120 email accounts used
- by Florida county officials responsible for administering the 2016 U.S.
- election.191 The spearphishing emails contained an attached Word document coded
- with malicious software (commonly referred to as a Trojan) that permitted the
- GRU to access the infected computer.192 The FBI was separately responsible for
- this investigation. We understand the FBI believes that this operation enabled
- the GRU to gain access to the network of at least one Florida county government.
- The Office did not independently verify that belief and, as explained above, did
- not undertake the investigative steps that would have been necessary to do so.
- D. Trump Campaign and the Dissemination of Hacked Materials The Trump Campaign
- showed interest in WikiLeaks's releases hout the summer and fall of 2016. 1. a.
- Background I , Investigative Technique Investigative Technique 51
- RESULT: 23
- PAGE: 65
- TEXT:
- U.S. Department of Justice AM:erttey Wer:k Predttet // Mtty Cetttaitt Mttterial
- Preteeted Uttder FeE:I. R. Criffi. P. 6(e) d. WikiLeaks's October 7, 2016
- Release of Stolen Podesta Emails On October 7 2016 four days after the Assange
- press conference , the Washington Post published an Access Hollywood video that
- captured comments by candidate Trump some years earlier and that was expected to
- adversely affect the Campaign.239 Less than an hour after the video's
- publication, WikiLeaks released the first set of emails stolen by the GRU from
- the account of Clinton Campaign chairman John Podesta. Harm to Ongoing Matter
- 111Harm to Ongoing Matter -Harm to Ongoing Matter Harm to Ongoing Matter
- 1111Harm to Ongoing Matter Corsi said that, because he had no direct means o
- communicating with WikiLeaks, he told members of the news site WNO-who were
- participating on a conference call with him that day-to reach Assange
- immediately.244 Corsi claimed that the pressure was 239 Candidate Trump can be
- heard off camera making graphic statements about women. 240 241 242 243 244 In a
- later November 2018 interview, Corsi stated Harm to Ongoing Matter that he
- believed Malloch was on the call but then focused on other individuals who were
- on the call-invitation, which Malloch was not. (Separate travel records show
- that at the time of the call, Malloch was aboard a transatlantic flight). Corsi
- at one point stated that after WikiLeaks 's release of stolen emails on October
- 7, 2016, he concluded Malloch had gotten in contact with Assange. Corsi 11/1/18
- 302, at 6. 58
- RESULT: 24
- PAGE: 72
- TEXT:
- U.S. Department of Justice Att6rHey W6rle: Pr6dttet // May C6HtaiH Material
- Pr6teeted Una er Fee. R. Crim. P. 6(e) email claimed that WikiLeaks would
- release "All 33k deleted Emails" by "November 1st." No emails obtained from
- Clinton's server were subsequently released. Smith drafted multiple emails
- stating or intimating that he was in contact with Russian hackers. For example,
- in one such email, Smith claimed that, in August 2016, KLS Research had
- organized meetings with parties who had access to the deleted Clinton emails,
- including parties with "ties and affiliations to Russia."286 The investigation
- did not identify evidence that any such meetings occurred. Associates and
- security experts who worked with Smith on the initiative did not believe that
- Smith was in contact with Russian hackers and were aware of no such
- connection.287 The investigation did not establish that Smith was in contact
- with Russian hackers or that Smith, Ledeen, or other individuals in touch with
- the Trump Campaign ultimately obtained the deleted Clinton emails. * * * In sum,
- the investigation established that the GRU hacked into email accounts of persons
- affiliated with the Clinton Campaign, as well as the computers of the DNC and
- DCCC. The GRU then exfiltrated data related to the 2016 election from these
- accounts and computers, and disseminated that data through fictitious online
- personas (DCLeaks and Guccifer 2.0) and later through WikiLeaks. The
- investigation also established that the Trum Cam ai n dis la ed interest in the
- WikiLeaks releases, and that explained in Volume I, Section V.B, infra, the
- evidence was sufficient to support intrusion and other char es a ainst GRU
- officers for their role in election-related hackin . 286 8/31/16 Email, Smith to
- Smith. 287 Safron 3/20/18 302, at 3; Szobocsan 3/29/18 302, at 6. 65
- RESULT: 25
- PAGE: 90
- TEXT:
- U.S. Department of Justice Mterttey '.\'erk Preeittet // May Cetttaitt Material
- Preteeteel Ul'l:eler Feel. R. Criffl. P. 6(e) to Rome, Italy, as part of his
- duties with LCILP.411 The purpose of the trip was to meet officials affiliated
- with Link Campus University, a for-profit institution headed by a former Italian
- government official.412 During the visit, Papadopoulos was introduced to Joseph
- Mifsud. Mifsud is a Maltese national who worked as a professor at the London
- Academy of Diplomacy in London, England.413 Although Mifsud worked out of London
- and was also affiliated with LCILP, the encounter in Rome was the first time
- that Papadopoulos met him.414 Mifsud maintained various Russian contacts while
- living in London, as described further below. Among his contacts was ,415 a one-
- time employee of the IRA, the entity that carried out the Russian social media
- campaign (see Volume I Section II, supra). In January and February 2016, Mifsud
- and -discussed possibly meeting in Russia. The investigation did not~ meeting.
- Later, in the spring of 2016, -was also in contact -that was linked to an
- employee of the Russian Ministry of Defense, and that account had overlapping
- contacts with a group of Russian controlled Facebook accounts that included
- accounts used to promote the DCLeaks releases in the course of the GRU's hack-
- and-release operations (see Volume I, Section III.B.1, supra). According to
- Papadopoulos, Mifsud at first seemed uninterested in Papadopoulos when they met
- in Rome.416 After Papadopoulos informed Mifsud about his role in the Trump
- Campaign, however, Mifsud appeared to take greater interest in Papadopoulos.417
- The two discussed Mifsud's European and Russian contacts and had a general
- discussion about Russia; Mifsud also offered to introduce Papadopoulos to
- European leaders and others with contacts to the Russian government.418
- Papadopoulos told the Office that Mifsud's claim of substantial connections with
- Russian government officials interested Papadopoulos, who thought that such
- connections could increase his importance as a policy advisor to the Trump
- Campaign.419 411 Papadopoulos 8/10/17 302, at 2-3; Papadopoulos Statement of
- Offense ,r 5. 412 Papadopoulos 8/10/17 302, at 2-3; Stephanie Kirchgaessner et
- al., Joseph Mifsud: more questions than answers about mystery professor linked
- to Russia, The Guardian (Oct. 31, 2017) ("Link Campus University ... is headed
- by a former Italian interior minister named Vincenzo Scotti."). 413 Papadopoulos
- Statement of Offense ,r 5. 414 Papadopoulos 8/10/17 302, at 3. , , , ?
- Investigative Technique 1Harm to Ongoing Matter 416 Papadopoulos Statement of
- Offense ,r 5. 417 Papadopoulos Statement of Offense ,r 5. 418 Papadopoulos
- 8/10/17 302, at 3; Papadopoulos 8/11/17 302, at 2. 419 Papadopoulos Statement of
- Offense ,r 5. 83
- RESULT: 26
- PAGE: 100
- TEXT:
- U.S. Department of Justice Atlerl'le~? Werk Pree1:1et // May Ce!'ltaiH Material
- Preteetea UHaer Fee. R. Criffl. P. 6(e) Papadopoulos was dismissed from the
- Trump Campaign in early October 2016, after an interview he gave to the Russian
- news agency Inter/ax generated adverse publicity.492 f. Trump Campaign Knowledge
- of "Dirt" Papadopoulos admitted telling at least one individual outside of the
- specifically, the then-Greek foreign minister-about Russia's obtaining Clinton-
- related emails.493 In addition, a different foreign government informed the FBI
- that, 10 days after meeting with Mifsud in late April 2016, Papadopoulos
- suggested that the Trump Campaign had received indications from the Russian
- government that it could assist the Campaign through the anonymous release of
- information that would be damaging to Hillary Clinton.494 (This conversation
- occurred after the GRU spearphished Clinton Campaign chairman John Podesta and
- stole his emails, and the GRU hacked into the DCCC and DNC, see Volume l,
- Sections III.A & III.B, supra.) Such disclosures raised questions about whether
- Papadopoulos informed any Trump Campaign official about the emails. When
- interviewed, Papadopoulos and the Campaign officials who interacted with him
- told the Office that they could not recall Papadopoulos's sharing the
- information that Russia had obtained "dirt" on candidate Clinton in the form of
- emails or that Russia could assist the Campaign through the anonymous release of
- information about Clinton. Papadopoulos stated that he could not clearly recall
- having told anyone on the Campaign and wavered about whether he accurately
- remembered an incident in which Clovis had been upset after hearing Papadopoulos
- tell Clovis that Papadopoulos thought "they have her emails."495 The Campaign
- officials who interacted or corresponded with Papadopoulos have similarly
- stated, with varying degrees of certainty, that he did not tell them. Senior
- policy advisor Stephen Miller, for example, did not remember hearing anything
- from Papadopoulos or Clovis about Russia having emails of or dirt on candidate
- Clinton.496 Clovis stated that he did not recall anyone, including Papadopoulos,
- having given him non-public information that a forei n overnment mi ht be in
- ossession of material dama in to Hillar Clinton.497 492 George Papadopoulos:
- Sanctions Have Done Little More Than to Turn Russia Towards China, Interfax
- (Sept. 30, 2016). 493 Papadopoulos 9/19/17 302, at 14-15; Def. Sent. Mem.,
- United States v. George Papadopoulos, I :17-cr-182 (D.D.C. Aug. 31, 2018), Doc.
- 45. 494 See footnote 465 of Volume I, Section IV.A.2.d, supra. 495 Papadopoulos
- 8/10/17 302, at 5; Papadopoulos 8/11/17 302, at 5; Papadopoulos 9/20/17 302, at
- 2. 496 S. Miller 12/14/17 302, at 10. 497 498 93
- RESULT: 27
- PAGE: 127
- TEXT:
- U.S. Department of Justice Atlerftey Werk Predttet // May Cefttaifl. Mttterial
- Preteetea Ufl.aer Fed. R. Crim. P. 6(e) After the June 9 meetin Goldstone, he
- told Trump Jr. told Emin A alarov 745 Jr.743 According to 744 and Aras Agalarov
- asked Kaveladze to report in after the meeting, but before Kaveladze could call,
- Aras Agalarov called him.747 With Veselnitskaya next to him, Kaveladze reported
- that the meeting had gone well, but he later told Aras Agalarov that the meeting
- about the Magnitsky Act had been a waste of time because it was not with lawyers
- and they were "preaching to the wrong crowd."748 c. Post-June 9 Events
- Veselnitskaya and Aras Agalarov made at least two unsuccessful attempts after
- the election to meet with Trump representatives to convey similar information
- about Browder and the Magnitsky Act.749 On November 23, 2016, Kaveladze emailed
- Goldstone about setting up another meeting "with T people" and sent a document
- bearing allegations similar to those conveyed on June 9.75? Kaveladze followed
- up with Goldstone, stating that "Mr. A," which Goldstone understood to mean Aras
- Agalarov, called to ask about the meeting.751 Goldstone emailed the document to
- Rhona Graff, saying that "Aras Agalarov has asked me to pass on this document in
- the hope it can be passed on to the appropriate team. If needed, a lawyer
- representing the case is Goldstone 2/8/18 302, (and one text message shows)
- that, shortly after the DNC e ts co ecting the DNC hacking announcement to the
- June 9 OSC-KA V _00029 (6/14/16 Email, Goldstone to E. Agalarov & Kaveladze
- (10:09 a.m.)). The investigation did not identify evidence connecting the events
- of June 9 to the GRU's hack-and-dump operation. OSC-KA V _00029-30 (6/14/16
- Email, Goldstone to E. Agalarov). 746 747 Kaveladze 11/16/17 302, at 8; Call
- Records ofike. Kaveladze 748 Kaveladze 11/16/17 302, at 8; Call Records of Ike
- Kaveladze On June 14, 2016 Kaveladze's teenage daughter emailed asking how the
- June 9 meeting had gone, and Kaveladze responded, "meeting was boring. The
- Russians did not have an bad info on Hilar " KA V _00257 (6/14/16 Email, I.
- Kaveladze to A. Kaveladze; 749 Goldstone 2/8/18 302, at 11; 750 OSC-KA V 00138
- 11/23/16 Email, Goldstone to Kaveladze); 751 RG000196 (11/26-29/16 Text
- Messages, Goldstone & Kaveladze); 120
- RESULT: 28
- PAGE: 182
- TEXT:
- U.S. Department of Justice Atterfl:ey Werk Preettet // Moy Cefltoifl Material
- Preteetee Ufl:eef Pee. R. Criffl. P. 6Ee) Although members of the IRA had
- contact with individuals affiliated with the Trump Campaign, the indictment does
- not charge any Trump Campaign official or any other U.S. person with
- participating in the conspiracy. That is because the investigation did not
- identify evidence that any U.S. person who coordinated or communicated with the
- IRA knew that he or she was speaking with Russian nationals engaged in the
- criminal conspiracy. The Office therefore determined that such persons did not
- have the knowledge or criminal purpose required to charge them in the conspiracy
- to defraud the United States (Count One) or in the separate count alleging a
- wire-and bank-fraud conspiracy involving the IRA and two individual Russian
- nationals (Count Two). The Office did, however, charge one U.S. national for his
- role in supplying false or stolen bank account numbers that allowed the IRA
- conspirators to access U.S. online payment systems by circumventing those
- systems' security features. On February 12, 2018, Richard Pinedo pleaded guilty,
- pursuant to a single-count information, to identity fraud, in violation of 18 U
- .S.C. ? 1028(a)(7) and (b)(l)(D). Plea Agreement, United States v. Richard
- Pinedo, No. 1:18-cr-24 (D.D.C. Feb. 12, 2018), Doc. 10. The investigation did
- not establish that Pinedo was aware of the identity of the IRA members who
- purchased bank account numbers from him. Pinedo's sales of account numbers
- enabled the IRA members to anonymously access a financial network through which
- they transacted with U.S. persons and companies. See Gov't Sent. Mem. at 3,
- United States v. Richard Pinedo, No. 1:18-cr-24 (D.D.C. Sept. 26, 2018), Doc.
- 24. On October 10, 2018, Pinedo was sentenced to six months of imprisonment, to
- be followed by six months of home confinement, and was ordered to complete 100
- hours of community service. B. Russian Hacking and Dumping Operations 1. Section
- 1030 Computer-Intrusion Conspiracy a. Background On July 13, 2018, a federal
- grand jury in the District of Columbia returned an indictment charging Russian
- military intelligence officers from the GRU with conspiring to hack into various
- U.S. computers used by the Clinton Campaign, DNC, DCCC, and other U.S. persons,
- in violation of 18 U.S.C. ?? 1030 and 371 (Count One); committing identity theft
- and conspiring to commit money laundering in furtherance of that hacking
- conspiracy, in violation of 18 U.S.C. ?? I 028A and l 956(h) (Counts Two through
- Ten); and a separate conspiracy to hack into the computers of U.S. persons and
- entities responsible for the administration of the 2016 U.S. election, in
- violation of18U.S.C. ?? 1030and371 (CountEleven). Netyksholndictment.1277
- Asofthiswriting,all 12 defendants remain at large. The Netyksho indictment
- alleges that the defendants conspired with one another and with others to hack
- into the computers of U.S. persons and entities involved in the 2016 U.S.
- presidential election, steal documents from those computers, and stage releases
- of the stolen documents to interfere in the election. Netyksho Indictment ,r 2.
- The indictment also describes how, in staging 1277 The Office provided a more
- detailed explanation of the charging decision in this case in meetings with the
- Office of the Acting Attorney General before the indictment. 175
- RESULT: 29
- PAGE: 407
- TEXT:
- U.S. Department of Justice Att:erne)" Werle Prnelttet // Ma)' CeRtaiR Material
- Prnteeteel UReief Feel. R. Crim. P. 6(e) Oganov, Georgiy Oknyansky, Henry (a/k/a
- Henry Greenberg) Page, Carter Papadopoulos, George Parscale, Bradley Patten,
- William (Sam) Jr. Peskov, Dmitry Phares, Walid Pinedo, Richard Podesta, John Jr.
- Podobnyy, Victor Poliakova, Elena Polonskaya, Olga Pompeo, Michael Porter,
- Robert Priebus, Reince Advisor to Oleg Deripaska and a board member of
- investment company Basic Element. He met with Paul Manafort in Spain in early
- 2017. Florida-based Russian individual who claimed to have derogatory
- information pertaining to Hillary Clinton. He met with Roger Stone in May 2016.
- Foreign policy advisor to the Trump Campaign who advocated Russian views and
- made July 2016 and December 2016 visits to Moscow. Foreign policy advisor to the
- Trump Campaign who received information from Joseph Mifsud that Russians had
- "dirt" in the form of thousands of Clinton emails. He pleaded guilty to lying to
- the FBI about his contact with Mifsud. Digital media director for the 2016 Trump
- Campaign. Lobbyist and business partner of Konstantin Kilimnik. Deputy chief of
- staff of and press secretary for the Russian presidential administration.
- Foreign policy advisor to the Trump Campaign and co-secretary general of the
- Transatlantic Parliamentary Group on Counterterrorism (TAG). U.S. person who
- pleaded guilty to a single-count information of identity fraud. Clinton campaign
- chairman whose email account was hacked by the GRU. WikiLeaks released his
- stolen emails during the 2016 campaign. Russian intelligence officer who
- interacted with Carter Page while operating inside the United States; later
- charged in 2015 with conspiring to act as an unregistered agent of Russia.
- Personal assistant to Dmitry Peskov who responded to Michael Cohen's outreach
- about the Trump Tower Moscow project in January 2016. Russian national
- introduced to George Papadopoulos by Joseph Mifsud as an individual with
- connections to Vladimir Putin. U.S. Secretary of State; director of the Central
- Intelligence Agency (Jan. 2017-Apr. 2018). White House staff secretary (Jan.
- 2017 -Feb. 2018). White House chief of staff (Jan. 2017 -July 2017); chair of
- the Republican National Committee (Jan. 2011-Jan. 2017). Prigozhin, Yevgeniy
- Head of Russian companies Concord-Catering and Concord Management and
- Consulting; supported and financed the Internet Research Agency, which engaged
- in an "active measures" social media campaign to interfere in the 2016 U.S.
- presidential election. B-8
- RESULT: 30
- PAGE: 410
- TEXT:
- U.S. Department of Justice Attorne)' Wol'lt Prod1:1et // Ma)' CorHaiR Mate,?ial
- Prnteeted URder Fed. R. Criffl. P. 6(e) Yates, Sally Yatsenko, Sergey Zakharova,
- Maria Zayed al Nahyan, Mohammed bin Alfa-Bank Acting Attorney General (Jan. 20,
- 2017 -Jan. 30, 2017); Deputy Attorney General (Jan. 10, 2015 -Jan. 30, 2017).
- Deputy chief financial officer of Gazprom, a Russian state-owned energy company,
- and associate of Carter Page. Director of the Russian Ministry of Foreign
- Affair's Information and Press Department who received notification of Carter
- Page's speech in July 2016 from Denis Klimentov. Crown Prince of Abu Dhabi and
- deputy supreme commander of the United Arab Emirates (UAE) armed forces.
- Entities and Organizations Center for the National Interest (CNI) Russia's
- largest commercial bank, which is headed by Petr Aven. U.S.-based think tank
- with expertise in and connections to Russia. CNI's publication, the National
- Interest, hosted candidate Trump's foreign policy speech in April 2016. Concord
- Crocus Group or Crocus International DCLeaks Democratic Congressional Campaign
- Committee Democratic National Committee Duma Gazprom Global Energy Capital, LLC
- Global Partners in Diplomacy Umbrella term for Concord Management and
- Consulting, LLC and Concord Catering, which are Russian companies controlled by
- Yevgeniy Prigozhin. A Russian real-estate and property development company that,
- in 2013, hosted the Miss Universe Pageant, and from 2013 through 2014, worked
- with the Trump Organization on a Trump Moscow project. Fictitious online persona
- operated by the GRU that released stolen documents during the 2016 U.S.
- presidential campaign period. Political committee working to elect Democrats to
- the House of Representatives; hacked by the GRU in April 2016. Formal governing
- body for the Democratic Party; hacked by the GRU in April 2016. Lower House of
- the national legislature of the Russian Federation. Russian oil and gas company
- majority-owned by the Russian government. Investment and management firm founded
- by Carter Page. Event hosted in partnership with the U.S. Department of State
- and the Republican National Convention. In 2016, Jeff Sessions and J .D. Gordon
- delivered speeches at the event and interacted with Russian Ambassador Sergey
- Kislyak. B-11
- RESULT: 31
- PAGE: 411
- TEXT:
- U.S. Department of Justice Attorne)" Wol'lt Predttet // Mey Cofltttifl Meteriel
- Proteeted U1~der Fed. R. Criffi. P. 6(e) Guccifer 2.0 I.C. Expert Investment
- Company Internet Research Agency (IRA) KLS Research LLC Kremlin LetterOne Link
- Campus University London Centre of International Law Practice (LCILP) Main
- Intelligence Directorate of the General Staff (GRU) New Economic School in
- Moscow (NES) Opposition Bloc Party of Regions Pericles Emerging Market Partners
- LLP Prevezon Holdings Ltd. Roscongress Foundation Rosneft Russian Direct
- Investment Fund Fictitious online persona operated by the GRU that released
- stolen documents during the 2016 U.S. presidential campaign period. Russian
- real-estate and development corporation that signed a letter of intent with a
- Trump Organization subsidiary to develop a Trump Moscow property. Russian entity
- based in Saint Petersburg and funded by Concord that engaged in an "active
- measures" social media campaign to interfere in the 20 I 6 V,S. presidential
- election. Business established by an associate of and at the direction of Peter
- Smith to further Smith's search for Hillary Clinton emails. Official residence
- of the president of the Russian Federation; it is used colloquially to refer to
- the office of the president or the Russian government. Company that includes
- Petr Aven and Richard Burt as board members. During a board meeting in December
- 2016, Aven asked for Burt's help to make contact with the Presidential
- Transition Team. University in Rome, Italy, where George Papadopoulos was
- introduced to Joseph Mifsud. International law advisory organization in London
- that employed Joseph Mifsud and George Papadopoulos. Russian Federation's
- military intelligence agency. Moscow-based school that invited Carter Page to
- speak at its July 2016 commencement ceremony. Ukrainian political party that
- incorporated members of the defunct Party of Regions. Ukrainian political party
- of former President Yanukovych. It was generally understood to align with
- Russian policies. Company registered in the Cayman Islands by Paul Manafort and
- his business partner Rick Davis. Oleg Deripaska invested in the fund. Russian
- company that was a defendant in a U.S. civil action alleging the laundering of
- proceeds from fraud exposed by Sergei Magnitsky. Russian entity that organized
- the St. Petersburg International Economic Forum. Russian state-owned oil and
- energy company. Sovereign wealth fund established by the Russian Government in
- 2011 and headed by Kirill Dmitriev. B-12
- RESULT: 32
- PAGE: 412
- TEXT:
- U.S. Department of Justice Attorney \\'erk Prodttet // Ma)? C0Htait1 ~foterial
- Proteeted Ut1de1? Ped. R. Cri1T1. P. 6(e) Russian International Affairs Council
- Silk Road Group St. Petersburg International Economic Forum Tatneft
- Transatlantic Parliamentary Group on Counterterrorism Unit 26165 (GRU) Unit
- 74455 (GRU) Valdai Discussion Club WikiLeaks Russia-based nonprofit established
- by Russian government decree. It is associated with the Ministry of Foreign
- Affairs, and its members include Ivan Timofeev, Dmitry Peskov, and Petr Aven.
- Privately held investment company that entered into a licensing agreement to
- build a Trump-branded hotel in Georgia. Annual event held in Russia and attended
- by prominent Russian politicians and businessmen. Russian energy company.
- European group that sponsored a summit between European Parliament lawmakers and
- U.S. persons. George Papadopoulos, Sam Clovis, and Walid Phares attended the TAG
- summit in July 2016. GRU military cyber unit dedicated to targeting military,
- political, governmental, and non-governmental organizations outside of Russia.
- It engaged in computer intrusions of U.S. persons and organizations, as well as
- the subsequent release of the stolen data, in order to interfere in the 2016
- U.S. presidential election. GRU military unit with multiple departments that
- engaged in cyber operations. It engaged in computer intrusions of U.S. persons
- and organizations, as well as the subsequent release of the stolen data, in
- order to interfere in the 2016 U.S. presidential election. Group that holds a
- conference attended by Russian government officials, including President Putin.
- Organization founded by Julian Assange that posts information online, including
- data stolen from private, corporate, and U.S. Government entities. Released data
- stolen by the GRU during the 2016 U.S. presidential election. B-13
- RESULT: 33
- PAGE: 413
- TEXT:
- U.S. Department of Justice Attorne)' 'Norlc Prodttet // May Cm1taifl Material
- Proteeted URder Fed. R. Crim. P. 6(e) CNI DCCC DNC FBI FSB GEC GRU HPSCI HRC IRA
- LCILP NATO NES NSA ODNI PTT RDIF RIAC SBOE sco SJC SSCI TAG VEB Index of
- Acronyms Center for the National Interest Democratic Congressional Campaign
- Committee Democratic National Committee Federal Bureau oflnvestigation Russian
- Federal Security Service Global Energy Capital, LLC Russian Federation's Main
- Intelligence Directorate of the General Staff U.S. House of Representatives
- Permanent Select Committee on Intelligence Hillary Rodham Clinton Internet
- Research Agency London Centre of International Law Practice North Atlantic
- Treaty Organization New Economic School National Security Agency Office of the
- Director of National Intelligence Presidential Transition Team Russian Direct
- Investment Fund Russian International Affairs Council State boards of elections
- Special Counsel's Office U.S. Senate Judiciary Committee U.S. Senate Select
- Committee on Intelligence Transatlantic Parliamentary Group on Counterterrorism
- Vnesheconombank B-14
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement