Scribd Logo
Upload

Welcome to Scribd!

  • Report PDF

    Uploaded by

    aladdin4d
    9 views448 pages

    Original Title

    report.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    9 views448 pages

    Report PDF

    Uploaded by

    aladdin4d

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    of 448
    US. Department of Justice ‘Attomey Werle Prout “ Report On The Investigation Into Russian Interference In The 2016 Presidential Election Volume I of II Special Counsel Robert S. Mueller, IIL Submited Pursuant 028 CER. §600.8(e) Washington, D.C March 2019) US, Department of Justice Attomey- Work Brdet My- Centar Materiel roteeted tinder Fed Crim Pte} US, Department of Justice Attorney orl Prot // May Conia Material Protected Under Fed R- Ctn-B6fe) ‘TABLE OF CONTENTS VOLUME T IIRODUCTION TO VOLUME Tn | Execuvive Susatany To VoLuMe rene I. The SpeciaL. COUNSEL'S INVESTIGATION : seve ML 1, RUSSIAN “ACTIVE MEASURES" SOCIAL MEDIA CAMPAIGN vss EA ‘A. Structure of the Internet Research Agency " 1S 1B, Funding and Oversight from Concord and Prigozhin 16 C. The IRA Targets US. Elton ns : 9 1 The IRA Ramps Up U.S, Operations As Eacly As 2014 9 2. US. Operations Through IRA-Controlled Social Media Accounts 2 3. USS. Operations Through Facebook, — 4 4. US. Operations Through Twitter o 26 a. Individualized Accounts, b. IRA Botnet Activities USS. Operations Involving Politial Rallis ..srnnsnsnnnnnnnnnn 2 ‘Targeting and Recruitment of U.S. Persons. 31 Interactions and Contacts with the Trump Campaign, 33 ‘8, Trump Campaign Promotion of IRA Political Materials es b. Contact with Trump Campaign Officials in Connection to Rallies ruvnon 38 TI, RUSSIAN HACKING AND DUMPING OPERATIONS. _ sci 6 A. GRU Hacking Directed at the Clinton Campaign. ns 36 |. GRU Units Target the Clinton Campaign. 2. Inusions into the DCCC and DNC Newwotks on 8 Iii AceeS$ smn sets 38 Implantation of Malware on DCCC and DNC Network ness 38 «©. Theft of Documents ftom DNC and DECC NetWotks nnnnnnnnn A 18. Dissemination ofthe Hacked Materials 1. DCLeaks Gucciter 20. a 3. Use OF WiKTLe@KS nnn “4 1, WikiLeaks's Expressed Opposition Toward the Clinton Campaign 44 b, WikiLeaks's First Contact with Guesfer 2.0 and DCLOAKS soso AS US, Department of Justice te en Sse vires Se tt 1. Summeran F216 Opts Teng Dowie Vin nn 2. ines Taint iit oS eons 0 Bek : 31 '. Contacts with the Campaign about WikiLeaks, LL 44. WikiLoaks's October 7, 2016 Release of Stolen Podesta Emails. 38 Donald Trump Jr, Interaction with WiKiLe@kS on 39 2. Other Potential Campaign Interest in Russian Hacked Materials su 6 4 Henry Oknyansky (a/k/a Henry Greenberg) 6 . Campaign Efforts to Obtain Deleted Clinton Emails 2 IV, RUSSIAN GOVERNMENT LINKS TO AND CONTACTS WITH THE TRUMP CAMPAIGN one 6 ‘A. Campaign Period (September 2015 November 8, 2016). 66 1, Trump Tower Moscow Project. o 4, Trump Tower Moscow Venture with the Crocus Group (2013-2014) .n.na: 67 5. Communications with LC. Expat lavenment Company and Go Rtskhiladze (Summer and Fall 2015)... sn 69 Lote of nia and Contacts Rosin Goverament (Octaber2015- Tanuary 2016) 70 5. Trump Signs the Letter of Intent on behalf ofthe Trump Organization ..70 ii, Post-LOI Contacts with Individuals in Russia, n 4. Discussions about Russa Travel by Michael Cohen or Candidate Trump (December 2015-June 2016) 16 i, Sater’s Overtures to Cohen to Travel to Russa. secs ii, Candidate Trump's Opportunities to Travel to Russia vie 7 2. George Papadopoulos 7 8, Origins of Campaign Work... 81 b. Initial Russa-Related Contacts ns se «, March 31 Foreign Policy Team Mectng 85 US. Department of Justice Sevan Woe Brae | ay omeqnr latent Rin Bt «4. George Papadopoulos Leaens That Russia Has “Diet” in the Form of Clinton Emails «Rus Related Communications With The Campsign £, Trump Campaign Knowledge of £2. Additional George Papadopoulos Contact. 3. Carter Page. Buchysound b. Origins of and Early Campaign Work «Carter Page's July 2016 Trip To Moscow 4, Later Campaign Work and Removal from the Campaign 4, Dimitri Simes and the Center forthe Nationa Interest ‘a. CNLand Dimitri Simes Connest withthe Trump Campaign. 5. Nation Inert Hons Foreign Policy Specht th Mayflower Hoe! «Jef Sessions Pst Speech Ineratons wit CN 4, Jared Kushner's Continuing Contacts with Simes. 5. June 9, 2016 Meeting at Trump Tower, 4. Setting Up the June 9 Meeting. i, Outreach to Donald Trump Je fi, Awareness ofthe Meeting Within the Campaign b, The Events of Fune 9, 2016... i. Arrangements forthe Mesting li, Conduct ofthe Mesting, «, PostJune 9 Events 6 Events tthe Republican Natal Convention. 8, Ambassador Kislyak’s Encounters with Senator Sessions and J.D, Gordon the Weck ofthe RNC 'b, Change to Republican Party Platform. 171. Post-Convention Contacts with Kislya. Ambassador Kislyak Invites J.D. Gordon to Breakfast at the Ambassador's Residence. 2. Senator Sesionss September 2016 Meeting with Ambasador Kis. 8, Paul Manafort. 1, Paul Manafort’s Ties to Russia and Ukraine. 86 eessese 102 03 103 os 07 108 0 10 110 us 116 116 n7 120 123 123 128 oa a 7 129 31 US. Department of Justice at ii, Political Consulting Work. i Konstantin Kili n senna ID $6. Contacts rng Pl Manafows Te withthe Tramp Campaign i §, Paul Manafort Joins the Campaign Be fi, Paul Manafort's Campsign-Period Contct.. soc 1S i, Paul Manafo's Two Campsige-Paiod Mertngs with Konan Kilimnik in the United States 138 «. Post-Resignation Activ a B, Post-Election and Transition-Period Comte nn ut 1. Immediate Post-Election Activity seuss rn 14 4. Outreach from the Russian Government. sone 5 ', High-Level Encouragement of Contacts through Alternative Channels... 146 2, Kirill Dmiteev's Transition-Era Outreach tothe Incoming Adminstration... 147 4. Background, ur '. Kisll Dmitriev's Post-Election Contacts With the Incoming. ‘Administration, vnnen 9 «, Brik Prine and Kirill Dmitviev Meet inthe Seychelles 151 i Gorge Nader and Erik Princ Anange Seshles Mesing with Dmitiev, = a 151 li, The Seychelles Meetngs..nn 153 i, Erk Prince's Mesting wih Steve Bannon afer he Seyeles Tp 158 44 it Dit’ Pose ston Contact wth Rick Gerson Reping US Russia Relations : 156 3. Ambassador Kislyak’s Meeting with Jared Kushner and Michael Flynn in “Trump Tower Following the Ele os 159 4. Jared Kushner's Meeting with Sergey GoIkOV essen 161 5. Pete Aven’s Outreach Efforts tothe Transition Team sn soo 1B (6. Carter Fage Contact with Deputy Prime Minister Arkady DvorKOVIER ncn. 168 7. Contacts With and Through Michael T. Flynn... er ‘. United Nations Vote on Israeli Setlements. sosnsnnn OT b, US, Sanctions Against Russa svn 168 \V. PROSECUTION AND DECLINATION DECISIONS : 174 A. Russian “Active Measures” Social Media Campaign rane 14 US, Department of Justice Attomey- Work Bret May-Comtain Materiel Protected Linder Fed-R-Ctim Pie} B, Russian Hacking and Dumping Operations os 175 1. Section 1030 Computer-Inrusion Conspiracy soon IS 2, Background : 178 '. Charging Decision As to EIREXCTEMPUEIO ie 2. Potential Section 1030 Violson 7 I 19 . Russian Government Outreach and Contacts 180 |. Potential Coordination: Conspiracy and ColUsi ns 180 2. Potential Coordination: Foreign Agent Statutes (PARA and 18 U.S.C. § 951). 181 a. Governing Law, = 11 ». Application. : os ie 3, Campaign Finance 183 1. Overview OF Governing Lawson 84 ', Application to June 9 Trump Tower Meeting. son BBS J, Thing-of-Value Element o 186 i, Willftness . 187 il, Difficulties in Valuing Promised Information 188 «6. Application to WikiL sks 188 i. Questions Over 189 1. Wiss 10 i Consol Considers 180 iv. Ana sis sue 190 4. Patton Dat areal is & Ovevew Of Governing Law is Applian Corunna isa 1 ergs Ppp. i recor | 194 i. Misha Fyn i iy MihaelCaben cs ’ 196 Wet Sens i vil, Others Interviewed Du the Investigation, 198 US. Department of Justice Attomey-Worke Product May-Centet Materiel Protected: Under Fed-Rt-Geim- Pe} US, Department of Justice Attorney Werke Broduet ay Comba barrie Protected Linder edo 8m Hey yrRopucTioN 10 VouuME ‘This report is submitted tothe Attorney General pursuant to 28 CFR. § 600.80), which stats that, “af the conclusion of the Special Counse's work, he... shall provide the Attorney General a confidential report explaining the prosecution or declination decisions [the Special Counsel] reached.” ‘The Russian government interfered in the 2016 presidental election in sweeping and systematic fashion, Evidence of Russian government operations began to surface in mid-2016, In Jie, the Democratic National Committe and its eyber response team publicly announced that Russian hackers had compromised its computer network, Releases of hacked materals—hacks that publie reporting soon atrbuted to the Russian government—began that same month ‘Adaitinal leases followed in July though te organization WikiLeaks, with further releases in ‘October and Novernber In late July 2016, soon after WikiLeaks's fist release of stolen documents, a foreign ‘government contacted the FBI about a May 2016 encounter with Trump Campaign foreign policy advisor George Papadopoulos. Papadopoulos had suggested toa representative of that foreign ‘govemment thatthe Trump Campaign hid received indications from the Russian government that it could assist the Campaign through the anonymous release of information damaging tw Democratic presidental candidate Hillary Clinton. That information prompted the FBI on July 31, 2016, to open an investigation into whether individuals associated withthe Trump Campaign ‘were coordinating withthe Russian government in its interference activites. “That fll, two federal agencies jointly announced thatthe Russian government “rected recent compromises of e-mails from US persons and institutions, ineluding US political “organizations,” and, “these thefts and disclosures are intended to interfere with the US elect process.” After the election, in late December 2016, the United States imposed sanctions on Russia for having interfered in the election. By carly 2017, several congressional committees were ‘examining Russia's interference inthe election. Within the Executive Branch, these investigatory efforts ukimatey led to the May 2017 appointment of Special Counsel Robert S. Mueller, Ill. The order appointing the Special Counsel authorized him to investigate “the Russian government's efforts to interfere in the 2016 presidential election,” including any links of coordination between the Russian government and ‘individuals associated with the Trump Campaign ‘As set forth in detail inthis report, the Special Counsel’s investigation established that Russia inverfered in the 2016 presidental elecsion prineipaly tough two opeations. Fis Russian entity carted out a social media campaign that favored presidential candidate Donald J. ‘Trump and disparaged presidential candidate Hillary Clinton. Second, a Russian intelligence service conducted computeriniusion operations against entities, employees, and. volunteers ‘Working on the Clinton Campaign and then released stolen documents. The investigation also ‘denied numerous Finks between the Russian government and the Trump Campaign. Although the investigation established thatthe Russian goversment perceived it would benefit from a Trump presidency and worked to secure that outcome, and thatthe Campaign expected it would benefit 1 US. Depactment of Justice Scores Woe bsesey Slyeconsae titantron te eo Ing Matter See, eg, Neil MacFarquhar, Yevgeny Prigoohin, Russian Oligarch Indicted by US, Js Krown ‘a “Putin's Cook" New York Ties (Feb. 16, 2018) > OEE > IE » Ero see also SM: 2230634, seat RM "7 US, Department of Justice Attomey-Worke Pret May- Conia Materiel Protected: Under ederim P62} oy Ps OME EO (ELITE * The erm “vol” refers to internet users—in his context, pid operatives —who post inflammatory orosberise disruptive content on socal media or ater websites. 18 US. Department of Justice ‘May-Gontair Mattie Preieeted Linder ed-R- Crim P-6(e) Set Person TIA employecs were aware that Pigochin was involved in the IRA's US. of Barrera ccs recruited U'S, persons to hold signs (including one in front of the White House) that read “Happy Ssth Birthday Dear Boss.” as an homage to Prigorhin (whose SSth birthday was on June 12016)" mero The IRA Targets U.S. Elections 1, The JRA Ramps Up U.S. Operations As Barly As 2014 ‘The IRA's US. operations sought to influence public opinion through online media and By the spring of 2014, the IRA began to consolidate U.S. operations within a si seneral_ department, known internally as the “Translator” (Tlepesosuin) Soa forums. i © Translator Department ino diferent responsibties, ranging fom operations on different social media platforms to analytics to "EE see 8M.2030604, serials 131 @ 208 » See SM-2230654, sera 156 % Iugrnet Research Agency Inditmest § 1479936895656787 (United Muslims of Ameria) &| 120 see al S26/16 Facebok Messages, 1D US. Department of Justice Atcorney Work: Prduet/) May-Gontsin-Meterat Protected Under Fad R-Crim-PrOfe) sraphios and IT Pe) Crone See SM0634 See SM-2250604, svat 204 EU XDRETPIETIE 20 US. Department of Justice ee IRA employees also traveled to the United States on ineligeneo-gathering missions. In June 2014, four IRA employees applied tothe U.S, Department of Stat to enter the United States, ‘while lying about the purpose of their tp and claiming tobe four fiends who had met at party." Ukimately, two IRA employees—Anna Bogacheva and Aleksandra Krylova—received visas and entered the United States on June 4, 2014 Prioro traveling, Krylova and Bogacheva compiled itineraries ad instructions for thet vee » ER > BESTEL Farm to Ongoing Matter Sue SM 2730654, sve 150 & 172 GENIN TET > oR S, Deparment of lustce 2, US. Operations Through IRA-Contolled Social Media Accounts, Dozens of IRA employees were responsible for operating accounts and personas on Afferent U.S. social media platforms. The TRA refered to emplayees assigned to operate the oval iin accouuts as “specialiss."? Starting as carly ax 2014, the IRAs U.S. operations included socal media specialists focusing on Facebook, YouTube, and Twiter"® The IRA later faded specialists who operated on Tumblr and Instagram accounts. Initially, the TRA ereated social media accounts that pretended to be the personal accounts of US. persons ® By eatly 2015, the IRA began to create larger social media groups or public social media pages that claimed (falsely) to be affiliated with U.S. political and grassroots ‘organizations, In certain cases the IRA created accounts that mimicked real U.S. organizations. Fer example, one IRA-contolled Twitter acount, @TEN_GOP, purported tobe connected tothe Tennessee Republican Party. More commonly, the IRA created accounts in the names of fittious U.S. organizations and grassroots groups and used these aecounts tO pose as ant- immigration groups, Tea Party activists, Black Lives Mater protestors, and other U.S. social and political activi, The IRA closely monitored the activity ofits social media accounts ‘leas EliFiarmto Ongoing Matter, siiealiai “ Se, Facebook 1D 1000159046680 (Alex Anderson; Facebook ID 100009626173204 (Andrea Hansen: Facebook ID 100009728618427 (Gary Wiliams); Facebook ID 100013640043337 (Cakisha Richardson, mo. TOUTE © The acount climed tobe the “Uno Twiter of Tennessee Republicans that appeared to be endorsements of the sate poical par. See, 0, (Tennessee GOP backs GrelDonaldTrump period #nakeA mercagrestagain wed made posts TEN. GOP, 4/3/16 Tweet, gop tennessee #09") 2 US, Department of Justice Attomey-WorkeProdet / May-Contair Material Protected tinder Fed-Rt-Crite P60} farm to Ongoing Matter Pec nay By February 2016, internal TRA documents relered 1 su and opposition to candidate Clinton. Fo for the Trump Campaign Go Ee LE dirctions to IRA fra feu Use any opportunity were Hilary rand the rest (except SEHarm to Ongoing Matter “The focus on the U.S. presidental campaign continued throug eho i 20 reviewing the IRA-controled Facebook group “Secured Bowes” the ea “Se eg,5M220064 srl 1 ©The TRA posted content about the Clinton candidacy before Clinton officially enmounced her ential campaign IRA-controled social media secount State and promoted various rtigus of her caniac ined Clinton's record as Secretary of The (RA also used ote echaigucs ee SMezzs003, seal 7 ORI 2B US. Department of Justice author criticized the “Iower number of posts dedicated to criticizing illary Clinton” and reminded the Facebook spocalst iis imperative to intensify criticizing Hillary Clinton." TRA employees also acknowledged that dhe work focused on influencing the US. _ (IE pos 3, US. Operations Throueh Facebook Many IRA operations used Facebook accounts created and operated by its specialists Drees fing the 2016 campargn covereda range oF porical ssues and included purported conservative Effiarm to Ongoing Matter : EOI (LE + ROPES US. Department of Justice roups (vith names such as “Being Patriot,” “Stop All Immigrants," “Secured Borders,” and “Tea Party News"), purported Black social justice groups ("Black Matters,” “Blacktivs.” and “Don't Shoot Us"), LGBTQ groups (LGBT United), and religious groups ("United Muslims of America”), ‘Throughout 2016, IRA accounts published an increasing number of materials supporting the Trurnp Campaign and opposing the Clinton Campaign. For example, on May 31, 2016, the ‘operational account "Matt liber” began to privately message dozens of pro-Trump Facebook {groupe acing them to help plan a Spo- Tramp rally nae Trump Tower." ‘To reach lager US. audiences, the IRA purchased advertisements ftom Facebook that promoted the IRA groups on the newsfeeds of U.S. audience members, According to Facebook, the IRA puchasi over 3.500 advisement, and the expenditures totaled approximately $100,000." During the U.S. presidental campaign, many IRA-purchased advertisements explicitiy supported ot opposed a presidental candidate or promoted US. rallies organized by the IRA {iscussed below), AS early a8 March 2016, the IRA purchased advertisements that ovetiy ‘opposed the Clinton Campaign. For example, on March 18, 2016, the [RA purchased an aavertsement depicting candidate Clinton ad caption that read in part, “If one day God lets this lar enter the White Houso as president ~ that day would be real national tragedy." Similarly, on April 6, 2016, the TRA purchased advertisements for is account “Black Mates” calling fora “flashmob” of U.S. persons to “take a photo with #HilaryClintonForPrson2016 or Yrohillary2016°" IRA-purchased adverisements fesaing Clinton were, with very few ‘exceptions, negatives” IRA-purchased advertiscments referencing candidate Trump largely supported his campaign, ‘The fst known IRA advertisement explicitly endorsing the Trump Campaign was purchased on April 19, 2016. The IRA bought an advertisement for is Instagram account “Tea Party News" asking US. persons to help them “make a patriotic team of young Trump supporters” by uploading photos with the hashtag “¥KIDS4TRUMP."® In subsequent months, the IRA purchased dozens of advertisements supporting the Trump Campaign predominantly through the Facebook groups “Being Patriotic," “Stop All Invaders," and “Secured Borders.” alas 1D I0seoez08t6! at Site) o 1 TT S/S1/16 Facebook Message, 1D 100009922908461 (Mae SHE) (0 5 Social Meda Influence inthe 2016 US. Becton, Hearing Before the Senate Select Commitee ‘on Iligence, 115th Cong 13 (1/1/17) (testimony of Colin Swatch, General Counsel o Faeboak). 2 3/1816 Facebook Advertisement ID 6048505152575 * 4joi6 Facebook Advertisement ID 6045740225319 * See SM-2230634, serial 213 (documenting polticallyoriented advertisements from the lager st provided by Facebook) © 4719716 Facebook Advertisement ID 6045151094235 5 S16 25 US. Department of Justice Collectively, the IRA's social media accounts reached tens of millions of U.S. persons. Inividyal IRA social media accounts airacted hundreds of thousands of followers, For example, at the time they were deactivated by Facebook in mid-2017, the IRA's “United Muslims of ‘Ametiea” Facebook group had over 300,000 followers, the "Don’t Shoot Us" Facebook group had ver 250,000 followers, the "Being Patriotic” Facebaok group had over 200,000 followers, and the "Secured Borders” Facebook group had over 130,000 followers" According to Facebook, i total the IRA-controlled accounts made over 80,000 posts before their deactivation in August 2017, and these posts reached a least 29 million U.S persons and “may have reached an estimated 126 million poopie 4, US, Operations Through Twiver corain Twitter accounts to create individual US, personas, UROL Separttely, he IRA operated a network of automated Twitter accounts (Commonly referred (0 as a bot network) that enabled the IRA to amplify existing content on Twitter, 4 Individualized Accounts eo Harm to Ongoing M: "See Facebook ID 1479936895656147 (United Muslims of America; Facebook ID 1137233400960125 (Don't Shoot); Facebook ID 1601685693457389 (Being Patti) Facebook ID 957716200 (Secared Borer). (EE Media Influence inthe 2016 US. Hletion, Hearing Before the Senate on Intelligence, 115th Cong. 13 (1/1/17) (testimony of Colin Stech, General Counsel of Facebook) ° ETE + Commitee + OES «I 26 Department of Justice SS eee TRA operated individualized Twiter accouns similar to the operation of is Facebook sccouns, by continuously postin original content othe accounts while also communicating with US. Twine users directly (through public tweeting or Twiter's private messaging) The IRA used many of these accounts f0 attempt to influence U.S. audiences on the lection. Individualized accounts used to influence the U.S. presidential election included @TEN. GOP (described above); @jean_abrams (claiming to bea Virginian Trump supporter with 0,000 Followers); @Pamcla.Moore13 (claiming to be a Toxan Trump supporter with 70,000 followers); and @America_Ist_(an anti-immigration persona with 24,000 followers)."" In May 2016, the IRA created the Twilier account @march for trump, which promoted IRA-organized rallies in support ofthe Trump Campaign (described below) er Using these accounts and others, the IRA provoked reactions from users and the media. Multiple IRA-posted tweets gained popularity.” U.S. media outlets also quoted tweets from IRA-contolled ‘ceounts and afrbuted them to the reactions of real U.S. persons." Similarly, numerous high= Erfarm to Ongoing Matter © omer individuaire sccouns incinded @Misvour NewsU (an account with 3,800 followers ‘hat posted pro-Sades and antlinton teria, © Soe Gimarch_ for ump, 5/30/16 Tweet (st os row accoun) * For example, one IRA account tweeted, “To those people, who hate the Confederate fla. Did you know that he flag tthe war wast about slavery, was all about meney.”"The tweet received over @enn_Abeams 424/17 (2:37 pm.) Tweet, ine Lukito & Chris Wells, Most Major Onaets ave Uted Russian Tweets a Soroes for Partisan Opinion: Study, Colutbia Journalism Review (Mat 8, 2018); ee also Twiter Steps Up to Expl New YorkValus to Ted Cr, Washington Post an 15,2016) iting IRA tweet); People Are Slamming th CLA for Claiming Russa Fried to Help Donald Trunp, US. News & World Report (De. 12,2016). 2 US. Department of Justice _Sttoney Heork Preet! May-Comtorn Matenetrotectee tinder pedir Peet profile U.S. persons, including former Ambassador Michael MeFaul,” Roger Stone,” Sean Hannity, and Michael Flynn Jr,* retweeted or responded to tweets posted t0 these IRA~ controlled accounts. Multiple individuals affiliated with the Trump Campaign also promoted IRA. tects (discussed below), b, IRA Botnet Activites or In January 2018, Twitter publicly identified 3,814 Twitter accounts associated with the IRA.” According to Twit, inthe ton Weeks before the 2016 U.S. presidental election, these accounts posted approximately 175,993 iweets, “approximately 84% of which were election 7 anteFaul 4/30/16 Tweet responding to tweut by @ean_Abvans) 7” @Roger!Stonelr 5/3016 Twest(rtweeting, @Pamela Moorel3); @RogeelStonle 4 Tweet ame. % @scanhanity 721/17 Tweet (eweting @Pamcla Moore!3) » Gamma 612217 Tee (ORT @enn_Abrans: This is wht happens when you athe voice over ofan old documentary about mental illness ano video of SIWs ™ A boinet refers 10 8 network of prlvate computers r accounts controlled as a greup to send specific automated mossage.On te Twitter network, bouts ean be used to promete and republish fic twets or hashtags in ode fr them o gain ager eulencs, OE > EOE > Eli Rosenberg Twitter o Tell 77,000 User they Were Had hy the Rassias. Sum Signs Show ‘the Problem Contes, Washington Post Jn, 19, 2019. 28 US. Department of Justice ‘Attorney Worle Prout / Mey- Conta Material Protected tinder Fed Grim 6fe) telated™” Twitter also announced that it had notified approximately 1.4 million people who ‘Twitter believed may have been in contact with an IRA-controlled account" 5, U.S, Operations Involving Politial Rallies The IRA organized and promoted political ais inside the United States while posing as USS. grasstoots activists, Firs, the IRA used one of its preexisting social media personas (Facebook groups and Twittr accounts, for example) to announce and promote the event. The IRA then ent lange number of dict mortages to followers of tx xocal media account asking ‘them toattend the event, From those who responded with interest in attending, the IRA then sought 44 USS. person to serve as the events coordinator, In most cases, the IRA account operator would tell the US. person that they personally could not attend the event due to some preexisting conflict ‘or because they were somewhere else inthe United States ‘The IRA then further promoted the «ven by contacting U.S, media about the event and directing them to speak with the coordinator ‘Aft te event, the IRA posted videos and photographs ofthe event othe IRA's social media The Office identified dozens of U.S. allies organized by the IRA. ‘The earliest evidence of arlly was a “confederate rally” in November 2015. The IRA continued to organize rallies even after the 2016 U.S. presidental election. The atendance a rallies varied. Some rallies appear to have drawn few (if any) participants, while others drew. hundeeds. The reach and success ofthese ionitored Titer, “Update on Twiter's Review ofthe 2016 US Election" (updated Jan 31,2018). Twine stk reported identifying $0,258 automated accounts conneced to the Russian government, which tweeted ‘more than a milion times inte ten weeks before the election “update on Twiters Review ofthe 2016 US Election” (updated Jan, 31, 2018). 0 (Mat Site) oP TT © See eg, T2VI6 Emil joshuitonsaernsitcom «0 TE: 721/16 Emil, josmaitonon agus con TT march for tramp 6/25/16 Tweet (posting phots ftom ally ouside Trump Tower) * Instagram ID 2228012168 (Stand For Freedom) 11/3/15 Post (“Good evening bud! Well [am planing to organize a confederate rally [in Houston onthe 14 of Noversber and I want more people foatend”. “Twi 2» US, Department -May-Contnn- Materiot Proteted Linder Fed-H-Crim Pot) Harm to Ongoing Matter US. Department of Justice joes Seedaot ay an ‘From June 2016 until the end ofthe presidential campaign, almost all ofthe U.S. rallies organized by the IRA focused on the U.S. election, often promoting the Trump Campaign and opposing the Clinton Campaign. Pro-Trump rallies included three in New York: a series of pro-Trump rallies in Florida in August 2016; and a series of pro-Trump allies in October 2016 in Pennsylvania. The Florida rallies drew the attention of the Trump Campaign, which posted about the Miami rally on candidate Trump's Facebook EINUW AIIM account (as discussed below). Many of the same IRA employees who oversaw the IRA's EUR IAU UMM soci! media accounts also conducted the day-to-day recruiting for J alles inside the United) States 1A Poste for ennsivania Relies organised by th RA 6, ‘Targeting and Recruitment of US. Persons ‘As early as 2014, the IRA instructed its employees to target US. persons who could be used to advance its operational goals. Initially, recruitment focused on U.S. persons who could amplify the content posted by the IRA. ero IRA employees frequently used I SEERAEIIETEMI titer, Facchook, and Instagram to contact and recruit U.S. persons who followed the group. The IRA recruited USS. ersons from across the political spectrum. For example, the IRA targeted the family oi RRM os rns of lsc soca jusice sete "The pro“Trump rallies wore organized through multiple Facebook, Twitter, and emal accounts, 2, eg» Facebook ID 100009922908461 (Matt Skiber); Facebook ID 1601685693632389 (Being Patio), Twitter Account @march for trump; beingpatritic@gmailcom. (Rallies were organized in ‘New York oa June 25,2016; Florida on August 20, 2016; and Penneyivanis on October 2, 2016) US. Department of Justice —_ st " while posing asa grassroots group called “lack Matters US." In Februaty 2017, the persona “Black Fist” (purporting to want to teach Aftican-Americans to protect themselves when contacted by law enforcement) hired a self-defense instctor in Now York to offer classes sponsored by Black Fist, The IRA also recruited moderators of conservative social media groups to promote IRA-generated conten,” ae well as recruited individuals to perform politial act (such as walking around New York City dressed up a8 Santa Claus with a Tramp mask)" re farm to Ongoing Matter Pe) TUM 1's otine ase cae ng, IRA wacked US persons wit whom fey communicated and had successfully tasked (vith tasks rang Poeere) Matter © SIN6 Facebook Advertisement 1D 60480 9928, S16N6 Facebook Advertisement ID 651652403578, 1012616 Faccbook Advertisement ID 6055238604687; 102716 Facebook Message, 1D RNIN © 1D 1000118570461 rayon Brot. wigs Facebook Messe, ID 10G008822008461 (Mat Skbe) o 1D 12/16 Email, robow@ersigsistong to beingpatrode@emsilcom (confirming Crsigsit advertisement "WISI9N6 Twiter DMs, @merch for np 9 Sogo IUILITI6 Facebook Messages. 1D 1000116957646) (Taylor Brooks) & [ranging to pay for plane tickets and fora bulbar, 21 Ses og O/1UIG Facchook Message, ID 100009922008461 (Matt Skiber)& i (Giscussing payment for rally supplies; 8/18/16 Titer DM, @mareh_for tmp iscesing payment for constuction materials), 2 US. Department of Justice 7. [Interactions and Contacts with the Trump Campaign ‘The investigation identified two different forms of connections between the IRA. and embers ofthe Trump Campaign. (The investigation identified no similar connections between tne IRA and the Clinton Campaign.) First, on multiple occasions, members and surrogates ofthe Trump Campaign promoted —typically by inking rtweating, oF similar methods of reposting — pro-Trump or antiClinton content published by the IRA through IRA-contolled social media accounts. Additionaly, ina few instances, IRA employees represented themselves as U.S. persons to communicate with members of the Trump Campaign in an effort to seck assistance and coordination on IRA-organized political rallies inside the United States, ‘4 Trump Campaign Promotion of IRA Political Materials ‘Among the US. “leaders of public opinion” targeted by the TRA were various members and surrogates ofthe Trump Campaign. In total, Trump Campaign affiliates promoted dazens of ‘wees, posts, and other political content created by the IRA Posts from the IRA-contrlled Twitter account @TEN_GOP were cited or retweeted by ‘multiple Trump Campaign officials and surrogates, including Donald J. Trump Ir,” Eric * see, 2g, @DonaldFTrumplr 1026/16 Tweet CRT @TEN_GOP: BREAKING Thousands of ames changed on vole rosin Indiana. Police investigating #VotaFraud. #DraisTheSwamp”) Donald! Trumplr 14/26 Tweet CRT @TEN GOP: BREAKING: #VoterFraud by counting tens of Thousands of ineligible mail in Hilly votes ting reported in Broward County, Fira, (@Donald)Trumplr 1/8/16 Tweet ORT @TEN_GOP: This vet passed sway last moath afore he could ‘ote for Trp Here be is his #MAGA hut, oted #EletionDay.”), Trump Jr rebweetedaditional (@TEN_GOP content subsequent othe election. 3B US. Department of Justice _Attomey Work Brodet I! May- Contain Materiel Protected tinder Fed Grimm Pte} “Trump, Kellyanne Conway Brad Parsale,” and Michael. Flyon.!® These posts included allegations of voter fraud," as well as allegations that Secretary Clinton had mishandled classified information. + A November 7, 2016 post ftom the IRA-controlled ‘Twitter account @Pamela Moorel3 was retwested by Donald J. Trump J" = On September 19. 2017. President Trump's personal account @realDonaldTrump responded toa tweet from the IRA-conteolled account @10_gop (the backup sccount of @TEN GOP, which bed already been deactivated by Twitter), The tweet read: “We love you, Mr. President IRA employees monitored the reaction ofthe Tramp ‘Campaign and, ltr, Trump Administation officials to thei tweets. For example, on August 23, 2016, the IRA- contoled persona "Matt Skibor" Facebook account sent a message t0 a US. Tea Party activist, wring that "Mi ‘Trump posted about our event in Miri! This i great!" ‘The IRA employee included a screenshot of candidate ‘Trumps Facebook account, which included a post about the Senha of Tramp Fassbook ‘Auguste 20,2016 politcal lies organized by the TRA. ecm om Sb) % @bricTrump 1020/16 Tweet (RT @TEN_GOP: BREAKING Hillary shuts down pres conference when asked abou DNC Operatives corruption & #Voterrail #debotenight #TrumpB) % @kellyannePolls 11/6/16 Tweet “RT @ITEN_GOP: Mother of ale sailor: ‘Hold Hilary to same standards a8 my son on Clasified info” #illarysemail #WeinerGate" parseale 1015/16 Tweet (“Thousands of deplorable chanting tothe media: “Tel Te Truth ART if you are also done w/bitsed Media! #Friday Feeling”), © @GonFiynn 11/716 (reteeing @TEN GOP post that included in par “@realDonaléTrump & @iks_ponce wll be our next POTUS & VPOTUS.”, ° @TEN_GOP 10/11/16 Tweet (Nort Carling finds 2,214 voters over the age of 1101") © @TEN_GOP 11/616 Tweet (Mother of jaled sailor: "Hold Hillary to same standards as my on on clasifed info Hllaryemail# Weinert") 8 @DonaldJTrumplr 11/7/16 Tweet “RT @Pamela. Moore13: Detroit residents speak out agaist ‘he filed policies of Oba, Hillary & democrats...) °% @realDonalTrump 9/19/17 (733 rm.) Tweet (“THANK YOU for yout support Mami My team just shared photos fom your TRUMP SIGN WAVING DAY, yesterday! I ove you™-and there ino ‘weston ~ TOGETHER, WE WILL MAKE AMERICA GREAT AGAIN?") 1 23/16 Faesbook Mesiags, ID 100009922908461 (Matt Skier) 0 1 Fy USS. Department of Justice 'b. Contact with Trump Campaign Officials in Connection to Rallies Surting in Jane 2016, the IRA contacted different US. persons affiliated withthe Trump ‘Campaign in an effort to coordinate pro“Trump [RA-organized rallies inside the United States. In all case, the IRA contacted the Campaign while claiming to be U.S. politieal activists working on behalf of a conservative grassroots organization, The IRA's contacts included requests for signs and other materials to se at ralis,” as well s requests o promote the rallies and help coordinate logistics. While certain campaign volunters agreed to provide the requested support (For example, agrecing to set aside a numberof signs), the investigation has not identified evidence that any Trump Campaign official understood the requests were coming fom foreign nationals, In sum, the investigation established tat Russia interfered in the 2016 presidential election through the “active measures” social media campaign cartied cut by the IRA, an organization funded by Prigozhin and companies that he controled. As explained further in Volume I, Section VA, infra, the Olfice concluded (and a grand jury has alleged) that Prigozhin, his companies, and IRA employees violated U.S. law through these operations, principally by undermining through deceptive acts the work of federal agencios charged with regulating foreign influence in U.S. cletions ™ See, eg $/6/16 Ema, joshnitont24@amail.com to if @donaldtramp com (asking for Pence sigs for’ Florida rally; 18/16. Ema JoshmionO24@2umailcom to cas) donaldremp.com (asking for Trump/Pence. signs for Florida rally); 13/16 Ema, Piron024@mailcom til @donaltrump.com (asking for “contact phane numbers fe Trump (Campaign affiliates” in various Flora cies and sgn). 5/6 A = joi locations to the “Florida Goes Trumpy Ts, W816 Ena, ° jeshmulton024@gmailcom (volunteering to send an email bast o follower) 35 US. Department of Justice “Sivonen Wor Broduet | May Conta ene eterno Fed RC Bc} TT, RUSSIAN HACKING AND DUMPING OPERATIONS Beginning in March 2016, nits ofthe Russian Federation's Main Ineligence Directorate ofthe General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign ‘thirman Join Podesta, Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committe (DNC), ‘The GRU targcted hundreds of email accounts used by Clinton Campaign ‘mployees, advises, and volunteers, In total the GRU stole hundreds of thousands of documeats from the compromised email sceounts and networks." The GRU later released stolen Clinton ‘Campaign and DNC documents trough online personas, “DCLeaks” and “Gucsifor 2.0," and ater through the organization WikiLeaks, ‘The release of the documents was designed and timed to interfere with the 2016 US, presidental election and undermine the Clinton Campaign ame diy a video (fom years earlier was published of Trump using graphic language about women. A. GRU Hacking Directed atthe Clinton Campaign 1. GRU Units Target the Clinton Campaign Two military units of the GRU carried out the computer intrusions into the Clinton Campaign, DNC, and DCCC: Military Units 26165 and 74455.!! Miltary Unit 26165 is a GRU cyber unit dedicated to targeting, military, politcal, governmental, and non-governmental ‘organizations outside of Russa, including inthe United States." ‘The unit was sub-divided into ‘departments with diferent specialties. One department, for example, developed specialized malicious software (‘malware”) while another department conducted large-scale spearphishing campaigns, ‘biteoin mining operation to % Ag dlscussed in Section V below, our Office charged 12.GRU officers fr crimes arising from the hacking ofthese computers, principally with conspiring commit computer intrusions voltion of 18 USC, 991050 and 371. See Volume l, Section VB, ina; Indictment, United Sates. Nets, No. LiBee2i5 (DD. uly 13,2018), Doe. 1 ¢ " °™ Netytsho Indictment 1 Separate fom this Offices indictment of GRU officers, in October 2018 a grand jury siting in the Westem Distt of Pennsylvania retired an ndctment charging cerain members of Uni 26165 with hacking the US. Anti-Doping Agency, the World Ant-Doping Agency, and other iteration spor associations. United State Aleksei Sergeyvich Morencs, No, 18-263 (WD. Pa). "4 spearphishing emails designed to appear a though it originates fom a usted sures, and solicits information to enable the sender to gain acces to an account or network, o causes the recipient to 36 US, Department of Justice Cayenne Stent de a secure bitcons used to purchase computer infrastructure usd in hacking opeations."* Military Unit 74455 isa related GRU unit with multiple departments that engaged in cyber ‘operations. Unit 74455 assisted in the release of documents stolen by Unit 26165, the promotion ‘of those releases, and the publication of anti-Clinton content on socal media accounts operated by the GRU, Officers from Unit 74455 separately hacked computes belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology felated to the adminiseation of US. elections. "* Beginning in mid-March 2016, Unit 26165 had primary responsibilty for hacking the DCCC and DNC, as well as email accounts of individuals affliated with the Clinton Campaign: - i 2665 i ln 3 TT diferent Democrate webees aeing democrats. on illaeTion conde Ob an) Tmdtcating thatthe later DCCC and DNC intrusions were not erimes of ‘opportunity but rather the result of targeting, "* + GRU officers also sent hundreds of spearphishing emails to the work and personal email sccounts of Clinton Campaign employees and volunteers. Between March 10,2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphshing emails to email accounts at hllayelinton.com, Starting on March 15, 2016, the GRU began targeting Google ‘email accounts used by Clinton Campaign employees, along with a smaller number of dne.org email accounts"? ‘The GRU spearphishing operation enabled itto gain acess to numerous email accounts of Clinton Campaign emplayees and volunteer, including campaign chairman John Podesta, volunteers assigned to the Clinton Campaign's advance team, informal Clinton Campaign advisors, and a DNC employee." GRU officers stole tens of thousands of emails from spearphishing vitims, including various Clinton Campaign-relsted communications. ‘download malware that enables the sender to gain acess to an account or network Nets Indietment 10 iin mine oi of sing aw iby aig amps poten. i kept nenly mod ents nan account on fe hcoln exc pao CEX io. To RE Forest the GRU ut finde it ter scone hoa anaconda to hue he ace Strands. Neptanoiemone 2 "Napa Indletment $8. 1 Napa Indetment 49, See SM-2SB910S, serials 144 & 495, oilman mo US. Department of lustice tematic titre | Bart icin Mates tteuteindes fed RoCnm Pre) 2, Intrusions into the DECC and DNC Networks 1 Initial Access By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before, Over the ensuing weeks, the GRU traversed the network, identitying diferent computers connected to the DCCC network By stealing network access credeitals along the way Cinchiding those of IV admiistators with unrestricted aceess to the system), the GRU compromised approximately 29 different computers on the DCCC network.” Approximately six days afer frst hacking into the DCCC network, on April 18, 2016, ‘GRU officers gained access tothe DNC network via a virtual private network (VPN) connection’ ‘between the DECC and DNC nesworks."" Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers onthe DNC network, including the DNC mail server snd shard file server ‘4 Implantation of Malware on DCCC and DNC Networks Unit 26165 implanted on the DCCC and DNC networks two types of customized malware, known as "X-Agent” and “X-Tunnel"; Mimikatz, a eredential-harvesting tool; and ‘ar.exe tool used in these intrusions to compile and compress materials for exiltration. X-Agent asa multi-function hacking tool that allowed Unit 26165 to log keystokes, take sereenshots, and 4gsther other data about the infected computers (efile directories, operating systems)" X- Tunnel was a hacking tool that ereated an encrypted connection between the vitim DCCC/DNC computers and GRU-controled computers outside the DCCC and DNC newworks that was capable ‘of large-scale data transfers. GRU officers then used X-Tunnel to exfiltate stolen data from the victim computers. A. VPN extends private network, allowing users to send and recive data across public networks (Such the internet asthe connecting computer was directly connected tothe private network ‘Tho VPN inthis case had been created to give a small number of DCCC employees acess to extn databases housed on the DNC network. Therefore, while the DCCC employees were ease the DNC's private network, thy could acess pars ofthe DNC ne NPISSOTOSHACK, se 5 "yaar is shor Tor malicious sofware, and here refers o software designed tallow athind pty to iit a computer without the cnsent or knowledge ofthe computers user or operator. 8 US. Department of Justice Attomey Merk Breet May-Comtain Materiel Protected tinder Fed Crim- He} To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of computers ouiside those networks to communicate with the implanted malware. The frst set of GRU-conteolled computers, known by the GRU as “mide servers, sent and received messages to and from malware on tke DNC/DCCC networks, The middle servers, in turn, relayed messages toa second set of GRU-contrlled computers, labeled internally by the GRU as an “AMS Panel” The AMS Pane! XGEGUCSCSMETORI served as 3 nerve center through which GRU officers monitored and directed the malware's operations onthe DNC/DCCC networks. ‘The AMS Panel used to control X-Agent during the DCCC and DNC intrusions was housed fn a leased computer located nas ery Dr "Sty connection with theve intrusions, the GRU used computers (visual pevate netwerks deticatd servers oper by hosting ct) that leaned fom thre party providers located al overthe word, Ts investigation nt sand payments or computs ovate er i, ES RC ich wre used tn the operations targeng he US eet © Neo Indien 425, © eptoho Indictment 4 24(0, » US. Department of Justice The Arizona-based AMS Panel also stored thousands of files containing keylogging sessions captured through X-Agent, These sessions were captured as GRU officers monitored DCCC and DNC employees’ work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and sensitive personal information Theft of Documents from DNC and DCCC Networks Officers from Unit 26165 stole thousands of documents fiom the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections ‘Stolen documents included intemal strategy documents, Fundraising data, opposition research, and ‘mails rom the work inboxes of DNC employees “The GRU began stealing DCCC data shonly after it gained acess to the network. On April 14, 2016 (approximately three days after the inital intrusion) GRU officers downloaded rarexe conto the DCCC’s document server. The following day, the GRU searched one compromised DCCC compute for files containing search terms that included “Hillary,” “DNC,” *Crw,” and “Trump.” On April 25,2016, the GRU collected and compressed PDF and Microsoft documents from folders on the ICC's share file server that pertained tothe 2016 election." The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from ths file server. ‘The GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers Stolen ocuments included the DNC's opposition research into candidate Trump."™ — Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server fiom a GRU-controtled computer leased inside the United Sttes."* During these connections, pepo ndconen 127-29 LESSEE = a and copies of relevant trafic logs. Nestsho Indetment $4 28-29 40 US. Department of Justice ‘Attomey Work Breet! May- Contain Materiel Protected tinder Fed R-Crite Pte} Unit 26165 officers appear to have stolen thousands of emu released by Wikileaks in July 2016."* I and attachments, which were later B, Dissemination ofthe Hacked Materials ‘The GRU’s operations extended beyond stealing materials, and included releasing documents stolen from the Clinton Campaign and its supporters. The GRU carried out the snonymous release through two fietitious online personas that i reatedDCLeaks and Gueciter 2.0. and later through the organization Wikileaks. 1. DCLeaks “The GRU began planning the rleass at least as early as April 19, 2016, when Unit 26165 ‘egstered the domain deleaks.com through a service that anonymized the registrant” Unit 26165 ‘aid forthe registration using a pool of btcoin that it had mined. The deleaks.com landing page pointed to different tanehes of stolen documents, arranged by vietim or subject matter. Other ‘eleaks.com pages contained indexes of the stolen emails that were being released (bearing the sender, recipient, and date ofthe email). To control access andthe timing of releases, pages Were sometimes password-proteted for a period of time and later made unrestricted tothe public, Siarting in June 2016, the GRU posted stolen documents onto the website deleaks.com, including documents stolen ffom a numberof individuals associated with the Clinton Campaign ‘These documents appeared to have originated from personal email accounts (in particular, Google and Mierosoft accounts), rather than the DNC and DCCC computer networks. DCLeaks victims included an advisor to the Clinton Campaign, a formee DNC employee and Clinton Campaign ‘employee, and four other campaign volunteers.” The GRU released through deleaks.com thousands of documents, including personal identifying and financial information, intemal coerespondence related tothe Clinton Campaign and prior political jobs, and fundraising files and information." ' Nowksho Indictment 29. The ls-ia-time DNC email released by WikiLeaks was dated May 25, 2016, te sane peti of time during which the GRU ined seoets tothe DNC's email server Nets tndciment 45, ° Netksho Indictment $35. Approximately a wosk before the registration of desks com, the a a ea cect ene eb Se SM.2580105, eral L815 Natta Indictment 2169, Seo, eg, Ineret Archive, “husks com archive dato Nov, 10,2016). Additionally, DeLeaks leased documents lating to |,

    You might also like