2. Intrusions into the DCCC and DNC Networks
a. Initial Access
By no later than April 12, 2016, the GRU had gained access to the DCCC computer
network using the credentials stolen from a DCCC employee who had been successfully
spearphished the week before. Over the ensuing weeks, the GRU traversed the network,
identifying different computers connected to the DCCC network. By stealing network access
credentials along the way (including those of IT administrators with unrestricted access to the
system), the GRU compromised approximately 29 different computers on the DCCC network. 119
Approximately six days after first hacking into the DCCC network, on April 18, 2016,
GRU officers gained access to the DNC network via a virtual private network (VPN) connection 120
between the DCCC and DNC networks. 121 Between April 18, 2016 and June 8, 2016, Unit 26165
compromised more than 30 computers on the DNC network, including the DNC mail server and
shared file server. 122
b. Implantation of Malware on DCCC and DNC Networks
Unit 26165 implanted on the DCCC and DNC networks two types of customized
malware, 123 known as "X-Agent" and "X-Tunnel"; Mimikatz, a credential-harvesting tool; and
rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent
was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and
gather other data about the infected computers (e.g., file directories, operating systems). 124 X-Tunnel
was a hacking tool that created an encrypted connection between the victim DCCC/DNC
computers and GRU-controlled computers outside the DCCC and DNC networks that was capable
of large-scale data transfers. 125 GRU officers then used X-Tunnel to exfiltrate stolen data from the
victim computers.
120 A VPN extends a private network, allowing users to send and receive data across public
networks (such as the internet) as if the connecting computer was directly connected to the private network.
The VPN in this case had been created to give a small number of DCCC employees access to certain
databases housed on the DNC network. Therefore, while the DCCC employees were outside the DNC's
private network, they could access parts of the DNC network from their DCCC computers.
121 Investigative Technique
122 Investigative Technique
123 "Malware" is short for malicious software, and here refers to software designed to allow a third
party to infiltrate a computer without the consent or knowledge of the computer's user or operator.
124 Investigative Technique
125 Investigative Technique
38
U.S. Department of Justice
Attorney Work Product // May Contain Material Protected Under Fed. R. Crim. P. 6(e)
To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers
set up a group of computers outside those networks to communicate with the implanted
malware. 126 The first set of GRU-controlled computers, known by the GRU as "middle servers,"
sent and received messages to and from malware on the DNC/DCCC networks. The middle
servers, in turn, relayed messages to a second set of GRU-controlled computers, labeled internally
by the GRU as an "AMS Panel." The AMS Panel [redacted] served as a
nerve center through which GRU officers monitored and directed the malware's operations on the
DNC/DCCC networks. 127
Investigative Technique
Investigative Technique
Investigative Technique
126 In connection with these intrusions, the GRU used computers (virtual private networks,
dedicated servers operated by hosting companies, etc.) that it leased from third-party providers located all
over the world. The investigation identified rental agreements and payments for computers located in, inter
alia, [redacted], all of which were used in the operations
targeting the U.S. election.
127 Netyksho Indictment ¶ 25.
128 Netyksho Indictment ¶ 24(c).
129 Netyksho Indictment ¶ 24(b).
The Arizona-based AMS Panel also stored thousands of files containing keylogging
sessions captured through X-Agent. These sessions were captured as GRU officers monitored
DCCC and DNC employees' work on infected computers regularly between April 2016 and June
2016. Data captured in these keylogging sessions included passwords, internal communications
between employees, banking information, and sensitive personal information.
c. Theft of Documents from DNC and DCCC Networks
Officers from Unit 26165 stole thousands of documents from the DCCC and DNC
networks, including significant amounts of data pertaining to the 2016 U.S. federal elections.
Stolen documents included internal strategy documents, fundraising data, opposition research, and
emails from the work inboxes of DNC employees. 130
The GRU began stealing DCCC data shortly after it gained access to the network. On April
14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe
onto the DCCC's document server. The following day, the GRU searched one compromised
DCCC computer for files containing search terms that included "Hillary," "DNC," "Cruz," and
"Trump." 131 On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents
from folders on the DCCC's shared file server that pertained to the 2016 election. 132 The GRU
appears to have compressed and exfiltrated over 70 gigabytes of data from this file server. 133
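The staging-then-exfiltration pattern described above (an archiver such as rar.exe run on a document server, followed by a bulk transfer over an encrypted tunnel to hosts outside the network) is something defenders can hunt for in endpoint and flow telemetry without needing to decrypt the tunnel, because the signal is volume and timing rather than content. The following Python is an added example and not part of the report; the hosts, paths, addresses and byte counts are constructed, and the archiver list, the 1 GiB threshold and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (hypothetical hosts, paths, addresses and sizes).
# 203.0.113.x is a documentation range used here as a stand-in for an external host.
EVENTS = [
    {"ts": "2016-04-14T09:12:00", "host": "docsrv01", "type": "process",
     "image": r"C:\Users\Public\rar.exe",
     "args": r"a -r staging.rar \\fileshare\2016-election\*.pdf"},
    {"ts": "2016-04-14T11:40:00", "host": "docsrv01", "type": "flow",
     "dst": "203.0.113.45", "bytes_out": 70 * 1024**3},
    # Benign: a user extracts an archive and sends a few MiB to an internal host.
    {"ts": "2016-04-14T10:00:00", "host": "ws-hr-07", "type": "process",
     "image": r"C:\Program Files\WinRAR\rar.exe", "args": "x report.rar"},
    {"ts": "2016-04-14T10:05:00", "host": "ws-hr-07", "type": "flow",
     "dst": "10.0.0.8", "bytes_out": 5 * 1024**2},
]

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}          # assumed watch list
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DEFAULT_THRESHOLD = 1024**3                              # 1 GiB outbound
DEFAULT_WINDOW = timedelta(hours=24)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_staging_exfil(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """One alert per archiver execution that is followed, within `window` on the
    same host, by at least `threshold` bytes sent to non-internal addresses."""
    alerts = []
    for e in events:
        if e["type"] != "process" or _basename(e["image"]) not in ARCHIVERS:
            continue
        start, end = _ts(e), _ts(e) + window
        total = sum(f["bytes_out"] for f in events
                    if f["type"] == "flow" and f["host"] == e["host"]
                    and start <= _ts(f) <= end and not _is_internal(f["dst"]))
        if total >= threshold:
            alerts.append({"host": e["host"], "archiver_ts": e["ts"],
                           "archiver_args": e["args"], "bytes_out": total})
    return alerts
```

On the constructed data only docsrv01 is flagged: the workstation's archiver use is followed by a small internal transfer and stays below the threshold.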
The GRU also stole documents from the DNC network shortly after gaining access. On
April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen
documents included the DNC's opposition research into candidate Trump. 134 Between
approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server
from a GRU-controlled computer leased inside the United States. 135 During these connections,