Bitcoin, malware helped Russian agents hack Democratic Party computers in 2016 election
The email landed in John Podesta’s crowded inbox around March 19, 2016, during the height of the presidential primaries, and it appeared to be a standard security request from Google for Hillary Clinton’s campaign chairman to change his password.
Doing so ultimately led to a political firestorm that is still raging.
The email was actually from Aleksey Lukashev, a senior lieutenant in Russian military intelligence, using the account “john356gh” to mask his purpose, U.S. officials say. The email contained an embedded link that secretly opened Podesta’s account to a hacking team at 20 Komsomolskiy Prospekt, near Moscow’s Red Square.
Two days later, the Russian cyber thieves stole – and later leaked – more than 50,000 of Podesta’s private emails, incalculably undercutting Clinton’s bid for the White House.
On Friday, the Justice Department indicted Lukashev and 11 other officers in the Main Intelligence Directorate of the General Staff, known as the GRU, for interfering in the 2016 presidential election by hacking and leaking tens of thousands of emails and other material from Clinton’s campaign, the Democratic National Committee, the Democratic Congressional Campaign Committee and others.
In all, the indictment said, the Russian hackers targeted more than 300 people, covertly monitored scores of computers, and secretly implanted malicious computer code in hundreds of files using a hacking tool that the GRU called X-agent, as if from Marvel Comics.
The malware allowed operatives in Moscow to remotely take screenshots and capture keystrokes of Democratic Party employees as they tapped on their computers, the indictment states. The GRU team used another program, called the X-tunnel, to extract gigabytes of stolen documents through encrypted channels.
Some of the Russians used false names, and one had a particular affinity for American monikers, identifying himself variously as Kate S. Milton, James Mcmorgans and Karen W. Millen. Another was more pedestrian, going with blablabla1234565.
Lukashev’s team, called Unit 26165, used so-called spearphishing – ensnaring victims with emails that appear to be from known senders – and other tools to steal victims’ passwords and to penetrate the Democratic digital networks. They modified campaign web sites to redirect visitors to a domain they had registered, actblues.com, which appeared to be a Democratic fundraising platform but wasn’t. Later they erased digital logs in an attempt to hide their tracks.
A separate group, Unit 74455, under control of a Russian colonel and working from a building called the Tower northwest of Red Square, released the stolen information in stages – starting in mid-2016 – using phony names like Guccifer 2.0 and Russian-controlled web sites such as DCLeaks. It also spread anti-Clinton content on social media, according to the indictment.
Between June 2016 and March 2017, when it was shut down, DCLeaks received more than 1 million page views. Although it claimed to be run by “American hacktivists,” it was operated by the GRU, prosecutors said.
The Russians often relied on simple tricks. On April 6, 2016, Lukashev’s team created an email account that appeared to belong to a senior member of the Clinton campaign and used it to send a message to more than 30 staffers. When they clicked the embedded link, their computers were diverted to a GRU-created network.
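Both lures described above – the fake password-reset notice and the lookalike fundraising domain actblues.com – rely on links whose visible text and real destination disagree, or on a domain one character off from a legitimate one. The following is an added example, not material from the indictment or the article, of the checks a mail-security team would run over inbound HTML: it flags display/href mismatches, trusted names buried as subdomains of an attacker-controlled host, and registrable domains within one edit of a trusted domain. The sample email body and the trusted-domain list (google.com and actblue.com, the latter assumed to be the legitimate platform that actblues.com imitated) are constructed for the example.

```python
"""Flag suspicious links in an HTML email: display/href mismatch, lookalike
domains, and trusted names buried in an attacker-controlled host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only registrable domains legitimate mail should link to.
TRUSTED_DOMAINS = {"google.com", "actblue.com"}

# Constructed sample (not from the indictment): a lure in the style described above.
SAMPLE_EMAIL_HTML = """
<p>Someone has your password. Change it now:</p>
<p><a href="http://accounts.google.com.security-check.example/reset">https://myaccount.google.com/security</a></p>
<p>Chip in: <a href="https://actblues.com/donate">actblues.com</a></p>
<p>Questions? <a href="https://support.google.com/">Google support</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    two-level suffixes such as co.uk are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname from a URL, or from bare text such as 'actblues.com'; '' if none."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "//" + url_or_text)
    host = parsed.hostname or ""
    return host if "." in host and " " not in host else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_links(html, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return a list of (href, reason) findings; an empty list means nothing was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        href_dom = registrable_domain(href_host)
        # 1. Visible text names a domain other than the one the link really goes to.
        text_host = host_of(text)
        if text_host and registrable_domain(text_host) != href_dom:
            findings.append((href, f"display text names {registrable_domain(text_host)}, href goes to {href_dom}"))
        if href_dom in trusted:
            continue
        for t in trusted:
            # 2. A trusted name used as a subdomain label of an attacker-controlled host.
            if href_host.startswith(t + ".") or ("." + t + ".") in href_host:
                findings.append((href, f"trusted name {t} embedded in host {href_host}"))
            # 3. Registrable domain within max_distance edits of a trusted one.
            if edit_distance(href_dom, t) <= max_distance:
                findings.append((href, f"lookalike of {t}"))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

Run as-is it reports three findings on the constructed sample: two for the fake password-reset link (text/href mismatch and google.com embedded in a foreign host) and one lookalike finding for actblues.com; the genuine support.google.com link passes. In production the registrable-domain logic should use a public-suffix list, and the distance threshold should be tuned against the organization’s own trusted list to keep false positives down.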
A month later, the indictment said, the GRU teams pulled files from 13 Democratic Party computers in a single day. The material then was routed through a server in Arizona under a lease paid with bitcoin, a cryptocurrency. Another server was in Illinois.
[Photo caption: Vladimir Putin, Russia’s president, speaks at the St. Petersburg International Economic Forum in St. Petersburg, Russia, on May 25.]
On July 27, 2016, they “attempted after hours” for the first time to spearphish email accounts on the server used by Clinton’s personal office – an apparent reference to the private system that Clinton used as secretary of State that led to an extensive FBI investigation into whether she had compromised classified information.
Clinton was not charged, and the indictment does not indicate whether the Russians gained access to her private emails or any classified material.
But shortly before the Russians tried, Republican presidential candidate Donald Trump had urged Moscow to seek emails from Clinton’s server.
“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” he said at a news conference earlier that day.
The broad contours of the Russian operation have been known since a month after the 2016 election, when U.S. intelligence agencies accused Russia of a systemic assault on the U.S. political system. But the latest 29-page indictment, combined with the indictment of 13 other Russians in February, provides granular detail on how prosecutors say Vladimir Putin’s government sought to undermine Clinton and boost Trump.
None of the 25 Russians indicted is likely to ever see the inside of a federal court since the United States does not have an extradition treaty with Russia.
The indictments – which rely on financial records, social media accounts, intelligence sources and methods, and other evidence – will form the awkward backdrop Monday in Helsinki, Finland, when Trump and Putin hold their first formal summit.
Trump has repeatedly denounced the special counsel investigation into Russian meddling as a “rigged witch hunt,” and he did not condemn Moscow’s intervention in the campaign when the latest indictment was released. He instead has indicated that he accepts Putin’s denials that Russia was behind the hacking, although he said Friday he would ask again in Helsinki.
“I will absolutely, firmly ask the question, and hopefully we’ll have a very good relationship with Russia,” he told reporters.