Decoding the GRU indictment

12 min readSep 23, 2019

The July 13, 2018 indictment of 12 GRU operatives provided extraordinary insight into how Fancy Bear operates. But it left several mysteries unresolved— and even injected a few new ones into the mix.

Here follows a point-by-point attempt to add some missing pieces to indictment’s puzzle, drawing on my past reporting and the data supplied to me by Secureworks in 2017. At the bottom is a diagram providing a granular look at how the Fancy Bear phishing operation worked in 2016. I may update this post if and when new information comes to light. And if you have anything to add, you can help by contacting me here.

The numbers below are in reference to the paragraphs in the indictment.

1-3. “Starting in at least March 2016 …”

The first recorded attempts to break into Hillary Clinton campaign staff members’ professional email accounts date to March 10, 2016 — at around noon Moscow time, according to data gathered by Secureworks and others. John Podesta’s work email was targeted on March 11. His personal account was targeted — and breached — on March 19. [See more on this below] Some Clinton loyalists and DNC staffers were targeted by Fancy Bear far earlier — one of them as far back as April 2015 — although the indictment makes no mention of this.

4. “By in or around April 2016 …”

This is consistent with the Secureworks data, which shows a spike of break-in attempts targeting DNC technical staff around early April. And it’s consistent with CrowdStrike’s report, which first pinpointed the GRU intrusion to April 2016. [See more below]

5–8. “… the Conspirators began to plan the release of materials … To further avoid detection, the Conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using cryptocurrency.”

All of this is consistent with previous reporting, including the reference to the use of digital money to purchase infrastructure, which The Associated Press first reported in November of 2017.

9–20. “Defendants”

I’ve written a couple of stories on the defendants in this case, especially alleged phishing expert Lt. Aleksey Lukashev (aka “Den Katenberg”) and alleged military hacker Ivan Yermakov (aka “Kate S. Milton.”) One Russian journalist may even have gotten Yermakov on the phone. We may yet learn more about these two — and others — down the line.

21. “Beginning by at least March 2016, the Conspirators targeted over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC.”

These numbers are more than twice as high as the “more than 130 party employees, supporters and contractors” referred to in a November 2017 story for AP. That could in part be because the Secureworks data, which we relied on, comes to an abrupt end on May 17, when a change in Bitly’s API effectively blinded the firm to what Fancy Bear was doing. The indictment makes clear that the targeting continued “throughout the summer.” As a side note, these figures are eye-popping. Fancy Bear spies on an industrial scale, it’s true, but I’ve only rarely seen more than a half dozen people from a single organization targeted at once (an exception might be their effort to break into The New York Times back in 2014, when at least 50 reporters were targeted.) I’m not in a position to get into the hackers’ heads, but the data I have at my disposal suggests there was something unusually aggressive about Fancy Bear’s hack-them-all onslaught on the Democrats in 2016.

21.a. “… on or about March 19, 2016 …”

March 19 has previously been identified as the date Podesta was hacked, thanks in large part because the phishing email that fooled him was preserved amid the messages released by WikiLeaks. Curiously, the indictment alleges that the hackers only copied the contents of his inbox two days later. Did Podesta miss an opportunity to freeze them out of his email?

21.b-c. “… other individuals affiliated with the Clinton Campaign, including its campaign manager and a senior foreign policy advisor …”

A total of nine Clinton staffers were targeted alongside Podesta at their personal Gmail addresses on March 19, according to the Secureworks data. Among them were senior foreign policy adviser Jake Sullivan and campaign manager Robby Mook, whose identities are hinted at in the indictment. Also targeted at their personal accounts were: fixer Philippe Reines; organizer Adam Parkhomenko; strategist Adrienne Elrod; speechwriter Dan Schwerin; foreign policy adviser Meg Rooney; and communications director Nick Merrill. There’s no proof either way that any of them were compromised.

“… On or about March 25, 2016 … [the conspirators] sent [malicious links] to numerous individuals affiliated with the Clinton Campaign, including Victims 1 and 2.”

At least 18 Clinton-affiliated individuals or supporters were targeted on March 25, including people such as Mook and Sullivan but also Zach Leighton, Ian Mellul, Beanca Nicholson and Sarah Hamilton. Because the indictment says further down that Victims 1 and 2 were exposed by DCLeaks, they are likely to be among the latter.

21.d. “… On or about April 6, 2016, the Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign …”

This carries an echo of something Donna Brazile mentions on page 174 of her book, “Hacks,” and of what a senior Clinton campaign official told a colleague of mine in 2017. Brazile wrote that, on three occasions, someone created lookalike email addresses to impersonate her, John Podesta, or press secretary Mark Pastenbauch, although in those cases the aim appears to have been to spread misinformation rather than compromise colleagues.

In 2017 a senior Clinton campaign official told AP about a similar incident, in late October 2016, in which “somebody on the campaign got a strange email saying it was from me.” The official said the email carried purported ideas for the final two weeks of the campaign and mentioned a dinner for female staff — complete with an invitation to click a link. “It was written very similar to how I would write,” the official said. “If you didn’t know me very well, but you knew me enough, you’d think it was from me.” The official said she forwarded it to campaign IT staff who confirmed the link was malicious. “It was very unsettling,” she said.

The AP has not been able to obtain copies of the rogue emails and it’s not clear whether the incidents flagged by the official or Brazile were genuinely linked to Fancy Bear. If they were, that could to point to a more persistent — and devious — hacking campaign than previously made public.

22. “… on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office.”

As others have noted, this appears to be one of the most significant passages of the indictment.

23.a-b. “For example, beginning on or about March 15, 2016, YERMAKOV ran a technical query for the DNC’s internet protocol configurations …”

This dovetails with what I have seen. Secureworks’ data shows that the first attempts to break into the DNC staffers’ email inboxes began on March 15; three staffers’ professional addresses were targeted that day at around 5:35 p.m. Moscow time.

23. c. “On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC’s internet protocol configurations …”

Secureworks data shows a surge of phishing attempts against the DNC the preceding day. [See more below.]

24. a. “DCCC Employee 1 had received a spearphishing email from the Conspirators on or about April 6, 2016, and entered her password after clicking on the link.”

Fancy Bear generated at least 50 phishing links on April 6 targeting a slew of DNC technology staffers, as well as to Democratic contractors such as tech provider NGP VAN and Washington-based consultancy 270 Strategies. Also on the list: A female DCCC technology staffer. The hackers waited six days before using her password.

24. c. “… a GRU-leased server located in Arizona. The Conspirators referred to this server as their ‘AMS’ panel.”

Do you know what server this was? Contact me here.

24. d. “DCCC Employee 2”

Do you know who this was? Contact me here.

25. “The middle server acted as a proxy …”

Do you know what server this was? Contact me here.

26. “On or about April 18, 2016, the Conspirators hacked into the DNC’s computers …”

This date is the same as the one alleged in the DNC’s lawsuit against the Russian government, WikiLeaks, the Trump campaign, and many others. A mid-April breach makes sense to me; Secureworks’ data suggests that attempts to break into individual email inboxes stopped after April 11.

28.To enable them to steal a large number of documents at once without detection, the Conspirators used a publicly available tool to gather and compress multiple documents …”

I don’t what tool this is, but Guccifer 2.0 delivered documents at least one reporter using 7zip. [See below.]

28.a. “… a GRU-leased computer located in Illinois.”

Do you know what server this was? Contact me here.

29. “Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails …”

The latest emails published by WikiLeaks date to May 25, 2016.

32. “… both the DCCC and the DNC became aware that they had been hacked and hired security company (‘Company 1’) to identify the extent of the intrustions. … Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl[.]net, remained on the DNC network until in or around October 2016.”

“Company 1” in this passage is of course CrowdStrike. The reference to a Linux-based version of X-Agent lingering on one of the DNC’s servers was first made public by Brazile in her book. Democrats are split over the importance of the infection. Brazile said the server, called “Raider,” had the “keys to our whole digital kingdom.” But DNC spokeswoman Xochitl Hinojosa said the malware “had been quarantined months earlier during our remediation process, successfully ensuring it was unable to exfiltrate data …”

33.a. “On or about May 31, 2016 …”

This passage suggests that Fancy Bear became aware CrowdStrike had been called in almost immediately and began taking evasive action the next day.

34. “… a third-party cloud-computing service”

Know what service this was? Contact me here.

35. “On or about April 19, 2016, after attempting to register the domain electionleaks[.]com, the Conspirators registered the domain dcleaks[.]com through a service that anonymized the registrant.”

Both domains were registered using Bitcoin through Romanian internet hosting company THCServers, which I visited last year. (Note: THC stands for “The Hosting Company,” not that other THC.)

So why didn’t the GRU stick with electionleaks, which they registered on April 12? Data at my disposal suggests that they entered an incorrect email address when trying to register the website. Because THC doesn’t execute registrations unless a validation link (sent via email) is clicked, the site fell into a kind of digital limbo outside the hackers’ control and had to be abandoned.

40–42 “In response, the Conspirators created the online persona Guccifer 2.0 …”

I have little to add to this aspect of the timeline but it dovetails with the information at my disposal. The indictment says that Fancy Bear created the WordPress site at 7:02 p.m. Moscow time. Material I received from William Bastone of news website The Smoking Gun shows that the first known message from Guccifer 2.0 arrived in his inbox at 12:39 p.m. New York time — so 37 minutes later, as Moscow is seven hours ahead of the U.S. East Coast.

Guccifer 2.0’s first known email

43. “The Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals.”

An early chat with Guccifer 2.0, in August 2016

One of the individuals in receipt of those stolen documents was me. I was in touch with Guccifer 2.0 several times across August 2016, at one point unsuccessfully trying to goad the persona into a replay of Motherboard reporter Lorenzo Franceschi-Bicchierai’s Romanian conversational gambit. On August 22, Guccifer 2.0 sent me five archived files (in .7z format) from guccifer2[@]protonmail[.]com, all apparent DCCC documents related to races in Pennsylvania. The AP ultimately determined that the material was not newsworthy and did not publish it.

My August 22, 2016 Twitter conversation with Guccifer 2.0

More interesting in the long run was the conversation I had with the hackers controlling the account later that day. Why, I wondered, were they bothering to send me files when they already had a willing media partner in WikiLeaks? The answer — “I don’t know when or if they gonna publish them” — only made sense much later, in the context of The New Yorker writer’s Raffi Katchadourian’s suggestion that the GRU was losing patience with Assange.

I was not alone. According to an incomplete count, Guccifer 2.0’s alleged GRU operators sent documents to at least a 17 different reporters at a dozen different outlets, including Bastone of The Smoking Gun as well as Sam Biddle and Gabrielle Bluestone of Gawker, Rudy Takala of the Washington Examiner, Michael Sainato of The Observer, Joe Uchill of The Hill, Lee Stranahan of Breitbart [see below] and Lee Fang of The Intercept. The Daily Caller was a popular venue for Guccifer 2.0’s leaks; I counted no fewer than six separate stories by Peter Hasson or Alex Pfeiffer based on material allegedly provided by the GRU. Other journalists, such as Infowars’ Mikael Thalen, reported on material provided by DCLeaks, a Guccifer 2.0 precursor. [See below.]

The GRU appears to have displayed a mixture of savvy and stupidity in distributing the leaks, which mainly went either to right-wing, pro-Trump news outlets or progressive publications with an anti-Clinton line.

On the one hand, the spies seeded their material to bloggers whose low national profiles belied a strong, politically connected following in their home states, such as the pseudonymous “Mark Miewurd” of right-wing Florida blog HelloFLA! and William Tucker of New Hampshire-focused Miscellany Blue. On the other hand, they sometimes seem to have distributed their documents to whoever popped up asking for them, such as Salam Morcos of Progressive Army or cybersecurity executive John Bambenek.

Many more reporters, such as myself or Kevin Collier of Verge, may have received material but never published it.

43.a. “The Conspirators responded using the Guccifer 2.0 persona and sent the candidate the stolen documents …”

This is still a mystery. A U.S. Congressional candidate sought — and received — material on an opponent from Russia’s security services and no one has sniffed out who it was.

Know who was involved? Contact me.

44.c. “… The Conspirators, posing as Guccifer 2.0, sent a reporter stolen documents pertaining to the Black Lives Matter movement.”

This would be journalist Lee Stranahan, whose Twitter messages were collected here after being revealed on the Next News Network. At the time, Stranahan worked for Breitbart, which published a story on the leaked Black Lives Matter memo on August 31, albeit under the byline of Jerome Hudson. Stranahan now works for Sputnik, the Russian state-funded news outlet, which published his first-hand account of his interaction with Guccifer 2.0 a few days after the indictment was made public.

45.a. “… the Conspirators used the Malaysian server …”

This was a dedicated server run by Kuala Lumpur-based Shinjiru Technologies. I spoke to the company’s chief executive, Terence Choong, last year.

Note: in 2015 a server run by Shinjiru was also used to host the site cyb3rc[.]com — the homepage of the “CyberCaliphate.”

An archived version of the CyberCaliphate’s website when it was hosted by Shinjiru Technologies.

45.b. “… the Conspirators, posing as Guccifer 2.0, contacted a U.S. reporter …”

This would be Bastone, of The Smoking Gun. He detailed the experience here in one of the first exhaustive dissections of the Guccifer 2.0 and DCLeaks personas.

46. “On or about January 12, 2017, the Conspirators published a statement on the Guccifer 2.0 WordPress blog, falsely claiming that the intrusions and release of stolen documents had “totally no relation to the Russian government.”

This, I believe, was Guccifer 2.0’s last word. The persona appears to have been abandoned; my attempts to raise it on Twitter over the next few months went nowhere and the account has since been suspended.

47-49. “In order to expand their interference in the 2016 U.S. presidential election, the Conspirators transferred many of the documents they stole from the DNC and the chairman of the Clinton Campaign to Organization 1.”

I have little to add here beyond what Katchadourian noted in his recent New Yorker article. The indictment appears to indicate Organization 1 — WikiLeaks — took possession of the documents between July 14 and July 18 of 2016. But both WikiLeaks and Guccifer 2.0 have previously indicated the receipt of the material much earlier. As Katchadourian speculates, it’s possible WikiLeaks received a first batch of material via a non-Guccifer 2.0-branded channel, perhaps sometime between May 25 and June 12 or even earlier.

50–66. “… the Defendants conspired to launder the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin. …”

I have little to say about the bitcoin transactions — for now.

Drawing on the Secureworks data, here’s a table showing the back-and-forth motion of Fancy Bear’s phishing operation during the month of March 2016. Check out, in particular, the self-test emails typically targeted just prior and just after a major volley of phishing messages: