Bitcoin, malware and ‘spearphishing’ helped Russian agents hack Democratic Party computers in 2016 election

Russian President Vladimir Putin, second from right, at the Moscow headquarters of the Main Intelligence Directorate in 2006.
(Dmitry Astakhov / Associated Press)

The email landed in John Podesta’s crowded inbox around March 19, 2016, during the height of the presidential primaries, and it appeared to be a standard security request from Google for Hillary Clinton’s campaign chairman to change his password.

Doing so ultimately led to a political firestorm that is still raging.

The email was actually from Aleksey Lukashev, a senior lieutenant in Russian military intelligence, using the account “john356gh” to mask his purpose, U.S. officials say. The email contained an embedded link that secretly opened Podesta’s account to a hacking team at 20 Komsomolskiy Prospekt, near Moscow’s Red Square.

Two days later, the Russian cyber thieves stole — and later leaked — more than 50,000 of Podesta’s private emails, incalculably undercutting Clinton’s bid for the White House.


On Friday, the Justice Department indicted Lukashev and 11 other officers in the Main Intelligence Directorate of the General Staff, known as the GRU, for interfering in the 2016 presidential election by hacking and leaking tens of thousands of emails and other material from Clinton’s campaign, the Democratic National Committee, the Democratic Congressional Campaign Committee and others.

In all, the indictment said, the Russian hackers targeted more than 300 people, covertly monitored scores of computers and secretly implanted malicious computer code in hundreds of files using a hacking tool that the GRU called X-Agent, as if from Marvel Comics.

The malware allowed operatives in Moscow to remotely take screenshots and capture keystrokes of Democratic Party employees as they tapped on their computers, the indictment states. The GRU team used another program, called the X-Tunnel, to extract gigabytes of stolen documents through encrypted channels.

Some of the Russians used false names, and one had a particular affinity for American monikers, identifying himself variously as Kate S. Milton, James McMorgans and Karen W. Millen. Another was more pedestrian, going with blablabla1234565.

Lukashev’s team, called Unit 26165, used so-called spearphishing — ensnaring victims with emails that appear to be from known senders — and other tools to steal victims’ passwords and to penetrate the Democratic digital networks. They modified campaign websites to redirect visitors to a digital domain they had registered,, which appeared to be a fundraising platform for the Democrats — but wasn’t. Later they erased digital logs in an attempt to hide their tracks.

A separate group, Unit 74455, under control of a Russian colonel and working from a building called the Tower northwest of Red Square, released the stolen information in stages — starting in mid-2016 — using phony names like Guccifer 2.0 and Russian-controlled websites such as DCLeaks. It also spread anti-Clinton content on social media, according to the indictment.


Between June 2016 and March 2017, when it was shut down, DCLeaks received more than one million page views. Although it claimed to be run by “American hacktivists,” it was operated by the GRU, prosecutors said.

The Russians often relied on simple tricks. On April 6, 2016, Lukashev’s team created an email account that appeared to be from a senior member of the Clinton campaign, and sent it to more than 30 staffers. When they hit the embedded link, their computers were diverted to a GRU-created network.

A month later, the indictment said, the GRU teams pulled files from 13 Democratic Party computers in a single day. The material then was routed through a server in Arizona under a lease paid with bitcoin, a cryptocurrency. Another server was in Illinois.

On July 27, 2016, they “attempted after hours” for the first time to spearphish email accounts on the server used by Clinton’s personal office — an apparent reference to the private system that Clinton used as secretary of State that led to an extensive FBI investigation into whether she had compromised classified information.

Clinton was not charged, and the indictment does not indicate whether the Russians gained access to her private emails or any classified material.

But shortly before the Russians tried, Republican presidential candidate Donald Trump had urged Moscow to seek emails from Clinton’s server.


“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” he said at a news conference earlier that day.

The broad contours of the Russian operation have been known since a month after the 2016 election, when U.S. intelligence agencies accused Russia of a systemic assault on the U.S. political system. But the latest 29-page indictment, combined with the indictment of 13 other Russians in February, provides granular detail on how prosecutors say Vladimir Putin’s government sought to undermine Clinton and boost Trump.

None of the 25 Russians indicted is likely to ever see the inside of a federal court because the United States does not have an extradition treaty with Russia.

The indictments — which rely on financial records, social media accounts, intelligence sources and methods, and other evidence — will form the awkward backdrop Monday in Helsinki, Finland, when Trump and Putin hold their first formal summit.

Trump has repeatedly denounced the special counsel investigation into Russian meddling as a “rigged witch hunt,” and he did not condemn Moscow’s intervention in the campaign when the latest indictment was released. He instead has indicated that he accepts Putin’s denials that Russia was behind the hacking, although he said Friday he would ask again in Helsinki.

“I will absolutely, firmly ask the question, and hopefully we’ll have a very good relationship with Russia,” he told reporters.


The GRU wasn’t the only Russian organization meddling in the U.S. election. Another scheme, focused on spreading misinformation on social media, had begun two years earlier.

Prosecutors said this activity was run out of the Internet Research Agency, located in a four-story office building in St. Petersburg, Russia, and funded by Yevgeny Prigozhin, a businessman with close ties to Putin.

Prigozhin was among 13 Russians charged with conspiracy, wire fraud and identity theft in a 37-page indictment released in February. Also charged were the Internet Research Agency and two of Prigozhin’s companies.

One of those companies, Concord Management and Consulting, is the only Russian defendant to challenge the charges in federal court, calling the allegations a “make-believe crime.”

According to prosecutors, the Internet Research Agency’s political interference effort was started with the help of two Russian employees who visited the United States in June 2014 for on-the-ground reconnaissance.

Aleksandra Krylova and Anna Bogacheva crisscrossed the country that summer, posing as tourists but collecting intelligence, according to the February indictment. Other Russians tracked social media groups in the U.S.


Then they began creating fake accounts on Facebook, Twitter and Instagram to spread political messages and buy thousands of dollars of advertisements each month, according to the indictment.

Staffers in St. Petersburg worked on U.S. time zones and tracked American holidays to ensure their posts hit the right themes on the right days. Social Security numbers, home addresses and birthdays of U.S. citizens were stolen or purchased to open bank accounts.

The agency’s hierarchy, described by prosecutors, would be similar to an online media company anywhere. Teams created graphics, analyzed data, maintained computer systems and ensured work was optimized for search engines.

Workers tracked metrics for their social media posts and received lists of themes to emphasize.

“It is imperative to intensify criticizing Hillary Clinton,” one employee was told in September 2016, according to the indictment.

Nearly a year after the election, the indictment said, an employee named Irina Kaverzina described the scheme in an email to a family member.


“I created all these pictures and posts,” she wrote, “and the Americans believed that it was written by their people.”

No collaborator was more useful to the anti-Clinton operation than WikiLeaks, the anti-secrecy group that made a splash years earlier by leaking U.S. government documents about the wars in Iraq and Afghanistan. But prosecutors do not suggest WikiLeaks knew it was communicating with Russian agents when it sought files from Guccifer 2.0.

The first release from WikiLeaks, shortly before the Democratic National Convention in Philadelphia in July 2016, threatened Clinton’s tenuous alliance with Sen. Bernie Sanders of Vermont, her primary opponent.

Stolen emails from Podesta, Clinton’s campaign chairman, were released in October, creating more upheaval. WikiLeaks posted them in roughly three dozen batches, drawing media coverage for weeks in the closing stretch of the presidential race.

While Clinton blamed Russia, Trump wouldn’t accept the explanation.

“Maybe there is no hacking,” he said on Oct. 9 in the second presidential candidates’ debate. “They always blame Russia, and the reason they blame Russia is because they think they are trying to tarnish me with Russia.”

Still, Trump capitalized on the disclosures over and over during his rallies.

“We love WikiLeaks,” he said. “WikiLeaks. They have revealed a lot.”

Follow the latest news of the Trump administration on Essential Washington »


Twitter: @chrismegerian