In a press conference two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury convened by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia's Main Intelligence Directorate of the General Staff (better known as the Glavnoye razvedyvatel'noye upravleniye, or GRU). The indictment charges them with conducting "active cyber operations with the intent of interfering in the 2016 presidential election."
The filing (PDF) provides the Justice Department's first official, public assessment of the most high-profile intelligence operation against a US presidential election to date. It gets down to the names of the people accused of being behind the intrusions into the networks of the Democratic National Committee and the Democratic Congressional Campaign Committee, the theft of emails belonging to members of former Secretary of State Hillary Clinton's presidential campaign, and various efforts to steal voter data and undermine faith in electoral systems across several states in the run-up to the 2016 election.
The allegations are supported by data collected from service-provider accounts, Bitcoin transaction tracing, and other investigative work. The DOJ also relies on information obtained by US (and possibly foreign) intelligence and law enforcement agencies. Reading between the lines, the indictment reveals that Mueller's team and other US investigators apparently had access to things like Twitter direct messages and hosting-company business records and accounts, and that they obtained or monitored email messages directly associated with the GRU (and perhaps WikiLeaks). It also appears that the investigation has reached into the inner workings of two GRU units.
This is the first time President Donald Trump's Justice Department has formally charged members of a Russian government agency with taking actions intended to influence the outcome of the 2016 presidential campaign, though Rosenstein was careful to say that there is no allegation that the vote count was changed by this operation. The alleged details match much of what has already been written about the GRU's influence campaign. But the new findings go further, confidently identifying the individuals behind the various elements of the campaign, from the initial spear-phishing emails to the final data theft.
However, after a press conference with Russian President Vladimir Putin a few days after the indictment, Trump publicly expressed doubt that Russia was involved. The president said that Putin denied any interference in the election, even as America's own director of national intelligence, Dan Coats, has concluded that Russia was responsible for the attacks. With such rhetoric, Trump has continued to send mixed messages about the findings of his own intelligence and law enforcement agencies, while seeming to put more stock in Putin's insistence that the Russian government had nothing to do with any of this.
After digging into the indictment, the evidence suggests that Trump has not made a very good call on this matter. But his blaming of the victims of the attacks for failing to have proper protection, while wrong, does touch on a truth: the Clinton campaign, the DNC, and the DCCC were not well prepared for this type of attack, failed to learn from history, and disregarded advice from highly skilled third parties they had come to for help.
The GRU order of battle
The indictment includes a significant amount of information about the organizational structure of the GRU units that were allegedly involved in wide-ranging intelligence operations during the US presidential election. The source of this attribution is not given in the indictment. However, the level of detail, including when certain individuals connected to remote systems, indicates that US intelligence and law enforcement officials were working with far more than the forensic data provided by CrowdStrike. Trump's "where is the server?" protests seem even less grounded in reality than they did before.
The details in the latest indictment get down to the division of labor within the GRU. "There is a unit that is engaged in active cyber operations by stealing information," said Rosenstein, "and a separate unit that is responsible for disseminating stolen information."
The espionage operation was carried out by Unit 26165, commanded by GRU officer Viktor Borisovich Netyksho. Unit 26165 appears to be the organization behind at least part of the "threat group" of tools, techniques, and procedures known as "Fancy Bear," "Sofacy," "APT28," and "Sednit." Within the unit, two departments were involved in the intrusions: one that specializes in operations and another that develops and maintains hacking tools and infrastructure.
The operational department, overseen by Major Boris Alekseyevich Antonov, specializes in targeting groups of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials. Antonov's group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev, according to the indictment, and they were responsible for targeting the email accounts whose contents were later exposed on the "DCLeaks" site before the election.
The second department, overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev, handles the development and maintenance of the malware and hacking tools used by Unit 26165, including the X-Agent "implant." X-Agent is a signature tool of Fancy Bear operations: a cross-platform backdoor with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of logging keystrokes, capturing screenshots, and exfiltrating files from infected systems back to the command-and-control server.
Lieutenant Captain Nikolay Kozachek (who used the hacker monikers "kazak" and "blablabla1234565") was the principal developer and maintainer of X-Agent, according to the indictment, and was assisted by another officer, Pavel Yershov, in preparing it for deployment. Once X-Agent was planted on the DNC and DCCC networks, Second Lieutenant Artem Malyshev (AKA "djangomagicdev" and "realblatr") monitored the implants through command-and-control infrastructure configured for the operation.
The information operations unit, Unit 74455, was commanded by Colonel Aleksandr Vladimirovich Osadchuk. Members of 74455 were responsible for disseminating some of the data stolen in the intrusions through the "DCLeaks" and "Guccifer 2.0" personas. This group also contacted WikiLeaks (referred to as "Organization 1" in the indictment) to amplify their information operation, and they promoted the leaks to journalists through GRU-controlled email and social media accounts.
Within Unit 74455, officer Aleksey Potemkin, a department supervisor, oversaw the computer infrastructure used for the information operations. His team configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would later be used to spread data stolen from the DNC, the DCCC, and the Clinton campaign. Osadchuk also oversaw another intelligence operation: GRU officer Anatoliy Kovalev and others ran a campaign against state election boards and election-related organizations.