Updated Saturday at 10:45 a.m. ET
This week in the Russia investigations: Six insights about the latest master blast from special counsel Robert Mueller.
The big one
As the noted counterintelligence analyst Kenny Loggins once said: “This is it.”
Justice Department special counsel Robert Mueller unveiled his latest opus on Friday, one that gets to the heart of the Russian government’s attack on the 2016 election: its theft and release of private information to publicly embarrass political targets.
Deputy Attorney General Rod Rosenstein announced that a grand jury has returned an indictment against 12 intelligence officers in Russia’s military spy agency, the GRU.
The men are identified by name, rank and job description, and Mueller’s indictment describes in granular detail when and how they carried out the hack-and-dump scheme.
On Twitter on Saturday while in Scotland, the president apparently responded to the indictment — or at least the media coverage of it.
“The stories you heard about the 12 Russians yesterday took place during the Obama Administration, not the Trump Administration,” Trump wrote. “Why didn’t they do something about it, especially when it was reported that President Obama was informed by the FBI in September, before the Election?”
And in a second tweet, the president appeared to question the investigation into the hacking of the Democratic National Committee’s computer system — and to suggest the so-called deep state was somehow involved.
Here are six takeaways from the indictment and important lessons for the Russia imbroglio.
“Spear-phishing” is dangerously simple
How did these cyberspies get into the email accounts of Hillary Clinton’s campaign, the Democratic National Committee and their other targets? Among other things, they created an email account whose name appeared to be that of a “known member” of the target’s team, with one letter changed. They masked their Russian email addresses to appear to come from other Internet domains.
So targets who received these emails — thinking the messages were from colleagues — opened them and trusted the link they contained. In the case of the Clinton campaign, the emails apparently directed recipients to a document called “hillary-clinton-favorable-rating.xlsx.”
That actually was part of a GRU-created website that pushed custom software onto the targets’ computers, enabling the Russians to begin their spying.
This is important because of how common this type of attack remains today — and probably down the line. U.S. intelligence officials say Russia’s active measures targeting the West did not stop after 2016. The ubiquity of email means these techniques and the risk of Russians hacking and dumping will remain highly pernicious.
Large-scale data extraction
The GRU officers named in Friday’s Mueller indictment didn’t just target individuals. They also allegedly extracted large volumes of data as part of their focus on state-level elections systems.
Russian cyberattacks scanned at least 21 states, and in at least one, the GRU officers broke into a state board of elections website. The indictment doesn’t identify which one. The cyberspies stole information related to 500,000 people, including names, addresses, partial Social Security numbers and other personal data.
That’s a small number of victims compared with the time that Target was hacked, for example, but it confirms that the scope of the Russian attack in 2016 was many orders of magnitude larger than just a handful of political targets.
The U.S. intelligence community suggested in the past that Russia’s cyberspies used a third party to fence the data they stole to WikiLeaks, which then released it publicly. But Friday’s indictment said the GRU officers may have done it themselves while trying to stay incognito.
One way the GRU officers engaged with the public and with specific key Americans was via the persona they created on Twitter called “Guccifer 2.0.” That persona was used to “release additional stolen documents through a website maintained by an organization (‘Organization 1’), that had previously posted documents stolen from U.S. persons, entities and the U.S. government.”
If the Russians dealt with WikiLeaks directly, however, what the indictment does not address is whether founder Julian Assange or others involved knew that was the case. The U.S. intelligence community considers WikiLeaks to be a “hostile intelligence service,” but WikiLeaks and Assange weren’t part of the indictment on Friday.
Does that mean they won’t be charged? Or do Mueller, Rosenstein and the Justice Department have more in store down the line?
There have been informal indications — but few solid leads — that laundering money might have been another part of Russia’s attack on the 2016 election.
Wealthy Russians might have simply flown cash into the United States, according to some suggestions. Or, as Mueller’s office has now documented, the Russians might have used cryptocurrencies.
The GRU officers in Friday’s indictment used bitcoin, the famous high-value, decentralized electronic currency, to pay for the computer network infrastructure they used in their cyberattack. The GRU laundered more than $95,000 “through a web of transactions,” including with bitcoin, to pay for virtual private networks, servers and suchlike.
The confirmation that clandestine money flows were a part of the Russian attack on the election raises more questions about whether the GRU or other Russian spy agencies might have contributed money to American political campaigns or organizations, perhaps via “straw donors.”
The explosive political question within the United States remains whether any Americans were involved with the Russian active measures. The latest answer is yes — but the special counsel’s office says that in this indictment, none of the Americans knew they were involved.
“A person who was in regular contact with senior members of the presidential campaign of Donald J. Trump” communicated with the GRU officers posing as Guccifer 2.0, the indictment says. So did a “candidate for the U.S. Congress.” So did journalists.
And the indictment suggests that on July 27, 2016, when Trump said, “Russia, if you’re listening,” it should find Clinton’s deleted emails, the Russians were listening.
On that day, according to the court papers, the GRU officers “attempted after hours to spear-phish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office.” They also pinged 76 emails associated with the Clinton campaign.
The all-seeing eye
The special counsel’s office has again given the public a glimpse of the godlike vision the U.S. intelligence community can exercise over the world’s Internet traffic.
It describes how, in April 2016, the GRU officers named in the indictment “began to plan” how they would release the materials they were stealing from Democrats — suggesting how closely the National Security Agency has been able to watch, or reconstruct, emails or other intercepted communications in which these cyberspies talked about things they hadn’t even done yet.
The indictment describes how, in August 2016, one of the Russian cyberspies saw an FBI alert about the hacking of the state elections database and “deleted his search history.” Not only do the Americans know who was involved, by name, but they also know about browser files he deleted from his own workstation in Moscow.
The demonstration of this kind of eye-watering granularity makes it fascinating to imagine the kind of information the U.S. intelligence community asked Mueller to conceal from this indictment to protect its capabilities.
And to imagine what else Mueller might have up his sleeve.