Indicting 12 Russian hackers could be Mueller’s biggest move yet (Wired)

“In some ways, special counsel Robert Mueller’s indictment of 12 Russian intelligence officers for their hacking and attack on the 2016 presidential election is Mueller’s least surprising move yet—but it might also be his single most significant.

News that paid employees of the Russian government—military intelligence officers, no less—interfered and sought to influence the 2016 presidential election, coming just days before the victor of that election will meet Russian president Vladimir Putin in Helsinki, amounts to nothing less than an international geopolitical bombshell.

Blow by Blow
The new charges, which come in an 11-count, 29-page indictment, lays out Russia’s alleged efforts in the excruciating detail and specificity that has become the Mueller investigative team’s hallmark. They also undermine President Trump’s long-running efforts to obfuscatewhether the US could determine who was behind the attacks. He’s previously speculated that it could be “some guy in his home in New Jersey,” and said, “I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”

While some of the details had previously been laid out in a DNC lawsuit, Friday’s blockbuster indictment is the first official blow-by-blow from the US government. It makes clear the attack was coordinated and run by the Russian military, the hacking team commonly known by the moniker Fancy Bear, which Mueller’s indictment names publicly for the first time as two specific units of the Main Intelligence Directorate of the Russian General Staff—known by the acronym GRU—that are called Unit 26165 and Unit 74455. (The hackers got their public Fancy Bear moniker from the security firm Crowdstrike, which spotted the phrase “Sofacy” in some of the unit’s malware, reminding analysts of Iggy Azalea’s song “Fancy.”)

The same unit, according to public reports, has been involved in attacks on French president Emmanuel Macron, NATO, the German Parliament, Georgia, and other government targets across Europe.

Deputy attorney general Rod Rosenstein announced the charges at a noon press conference Friday, following a tradition that has seen Mueller’s indictments handed down on Fridays, and breaking what had been more than four months of silence since Mueller’s last set of new charges.

As the Justice Department said, “These GRU officers, in their official capacities, engaged in a sustained effort to hack into the computer networks of the Democratic Congressional Campaign Committee, the Democratic National Committee, and the presidential campaign of Hillary Clinton, and released that information on the internet under the names ‘DCLeaks’ and ‘Guccifer 2.0’ and through another entity.”

Not only was it the GRU, the Justice Department said, but it was at least 12 specific, identified intelligence officers: Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin, and Anatoliy Sergeyevich Kovalev.

Mueller’s indictment, returned this morning by a federal grand jury in Washington, DC, focuses on two distinct efforts by the GRU: First, the hacking of the DNC, the DCCC, and the attack on Hillary Clinton’s campaign staff that famously included the theft and leaking of campaign chair John Podesta’s risotto recipe; second, the hacking of a state election board and theft of a half-million voters’ information, as well as related efforts to target an election software company and state and local election officials.

Each of Mueller’s indictments, as they have come down, have demonstrated the incredible wealth of knowledge amassed by US intelligence and his team of investigators, and Friday was no exception. The indictment includes the specific allegations that between 4:19 and 4:56 pm on June 15, 2016, the defendants used their Moscow-based server to search for the same English words and phrases that Guccifer 2.0 used in “his” first blog post, where “he” claimed to be a lone Romanian hacker and claimed to be solely responsible for the attacks on Democratic targets.

The indictment carefully traces how the scheme unfolded, including the “spearphishing” by four of the GRU officers targeting the Clinton campaign in March 2016—which enabled the Podesta email theft—and how the officers spoofed their email, hi.mymail@yandex.com, to make it appear to be from Google. The GRU also targeted Clinton campaign staffers by using an email account with a one-letter difference from a legitimate employee, and asking recipients to open a file entitled “hillary-clinton-favorable-rating.xlsx.com.”

At the same time, other hackers zeroed in on the DCCC, checking its internet protocol configurations, and sizing up a way into the system, which they were able to access after another successful spearphishing attack. Ultimately, according to the charging documents, the GRU gained access to more than 10 DCCC computers, and at least 33 DNC computers.

They were even learning along the way; Mueller’s indictment points to evidence of hackers researching their techniques and commands in real time as the attacks unfolded.

The intelligence officers then coordinated with their colleagues in Unit 74455 to gather and release publicly the stolen files through websites like DCLeaks, Guccifer 2.0, and what the indictment calls a “third entity.”

Rosenstein made clear that the new indictment doesn’t charge or allege that any American citizen was involved in the hacking effort, nor is there any allegation that the Russian effort changed the vote total or outcome of the 2016 election. He also said that he “briefed President Trump about this allegations earlier this week,” presumably before Trump left for a whirlwind trip that has seen him lash out at NATO and undermine UK prime minister Theresa May in her own country.

Rosenstein also indicated that unlike the other indictments and guilty pleas Mueller’s team has handed down so far, they don’t anticipate prosecuting any of the Russian intelligence officers anytime soon. Instead, the indictment will be handed off to the Justice Department’s National Security Division and its assistant attorney general John Demers to await a future prosecution on the slim chance any of the individuals wind up in US custody.

In a week that saw a marathon and dispiriting congressional Republican inquisition of FBI special agent Peter Strzok, who once helped lead this investigation, and saw President Trump refer, again, to Mueller’s investigation as a “Witch Hunt,” Rosenstein also offered pointed words about the political environment. “When we confront foreign interference in American elections, it is important for us to avoid thinking politically as Republicans or Democrats and instead to think patriotically as Americans. Our response must not depend on who was victimized,” he said, even as cable news screens split coverage between his huge announcement and President Trump’s welcome by Queen Elizabeth to her palace in the UK.

Fresh Answers, New Questions
While the new charges add tremendous detail to the public knowledge of Russia’s unprecedented attack on the election, Mueller’s indictment also leaves us with big, unanswered questions—and creates new questions, including three big ones:

What about Cozy Bear? The new indictment only covers the GRU hackers known as Fancy Bear. However, numerous public reports have pointed to involvement by the FSB, the Russian state intelligence service and successor to the KGB, and a hacking group there known as Cozy Bear. Reporting over the last year has hinted that Dutch intelligence provided detailed information to the US about the role and efforts in the 2016 election—up to and including individual photographs of intelligence officers at work in connection with the attacks. The Wall Street Journal reported last November that at least six individual Russian government hackers had been identified; it’s unclear whether Mueller’s indictment covers those six, but given the prevailing information that both the FSB and GRU were involved in the attacks, are there more charges pending about other FSB intelligence officers?

What about Roger Stone, George Papadopoulos, or any other Americans? One of the oddest storylines of the year-long Mueller probe has been Trump aide Roger Stone’s did-he-or-didn’t-he communications with the pseudonymous Guccifer 2.0 and WikiLeaks. Rosenstein made clear in his remarks, “The conspirators corresponded with several Americans through the internet. There is no allegation in the indictment that the Americans knew they were communicating with Russian intelligence officers.” But that phrasing seems carefully chosen—and mirrors his comments in the indictment of the Internet Research Agency about the limits of that indictment. It doesn’t rule out that future indictments might focus on the criminal behavior of Americans corresponding with the GRU or the IRA—nor would Americans necessarily have to know they were communicating with Russian intelligence officers to be guilty of various crimes.

As with other Mueller indictments (like the third unnamed “traveler” in Feburary’s IRA indictment), the charging documents include intriguing breadcrumbs. The indictment references at one point that Guccifer 2.0 communicated with an unnamed US congressional candidate and, especially intriguingly, that the GRU for the first time began an attack on Hillary Clinton’s personal emails just hours after Trump publicly asked Russia for help in finding them.

These open questions are additionally interesting because of one of the early tips to the US government that launched the FBI investigation eventually known by the codename CROSSFIRE HURRICANE: Trump aide George Papadopoulos telling an Australian diplomat in May 2016 that the Russians had dirt on Hillary Clinton, weeks before the GRU attacks became public. The charges against the GRU make clear that its effort began at least by March 2016. Papadopoulos, arrested last summer and already cooperating with Mueller’s team, might very have provided more information about where his information came from—and who, in addition to the Australians, he told.

What’s the role of WikiLeaks? Rosenstein pointedly noted that the individuals charged Friday “transferred stolen documents to another organization, not named in the indictment, and discussed timing the release of the documents in an attempt to enhance the impact on the election.” That organization almost certainly was the website WikiLeaks, or at least a cut-out that handed the documents to WikiLeaks, since that website ultimately published them. Then-CIA Director Mike Pompeo last year referred to WikiLeaks as “non-state hostile intelligence service,” saying the Julian Assange-founded website “walks like a hostile intelligence service and talks like a hostile intelligence service” and is “often abetted by state actors like Russia.” Pompeo also said that the Russian state TV channel RT, which was similarly deeply involved in many of the state-backed election propaganda efforts in 2016, has “actively collaborated” with WikiLeaks. Were his words omens that the controversial site itself would be the subject of a future indictment?

The unanswered questions are, in some ways, entirely consistent with Mueller’s approach thus far. Each indictment has carefully laid out only a specific picture of his multi-faceted investigation. As much as the President’s lawyer Rudy Giuliani rushed out after Friday’s announcement with the tired refrain that there’s no “collusion,” the indictment does continue tip-toeing towards a moment when the special counsel will begin to connect the dots publicly—and he surely knows already how they connect.

Thus far, Mueller’s probe has focused on five distinct areas of interest:
1. An investigation into money laundering and past business dealings with Russia by people like former Trump campaign chairman Paul Manafort
2. The active information influence operations by Russian trolls and bots on social media, involving the Russian Internet Research Agency
3. The active cyber penetrations and operations against the DNC, DCCC, and Clinton campaign leader John Podesta
4. Contacts with Russian officials by Trump campaign officials during the course of the 2016 election and the transition, like George Papadopoulos and former national security advisor Michael Flynn
5. Obstruction of justice, whether the President or those around him sought to obstruct the investigation into Russian interference

With Friday’s move, Mueller has now brought charges in the first four categories. Even before the new indictments of the GRU officers, he had brought more than 79 criminal charges, against a score of individuals and corporate entities, and elicited multiple guilty pleas from figures like Flynn, Papadopoulos, and Trump aide Rick Gates, as well as lesser figures involved in unknowingly facilitating the work of the Internet Research Agency.

What Mueller hasn’t done—yet—is show how these individual pieces come together. What level of coordination was there between the Internet Research Agency and the GRU or FSB? What ties, if any, exist between the business dealings of Manafort, Gates, and the Russian efforts to influence the election? How coordinated were unexplained oddities, like the June 2016 Trump Tower meeting between Russians, and the Russian government efforts by the IRA, GRU, and FSB?

Officials like former CIA director John Brennan and director of national intelligence James Clapper have made clear that the US knew by the fall of 2016 that these efforts were proceeding with the personal approval of Putin, but public evidence of that has yet to emerge.

Mueller’s indictment Friday underscores perhaps the clearest lesson yet of his probe: He knows far, far more than the public does. There was little sign in Friday’s indictment that any of it came from the cooperation and plea agreements he’s made with figures like Flynn, Gates, and Papadopoulos—meaning that their information, presumably critical enough to Mueller that he was willing to trade it for lighter sentencing, still hasn’t seen the light of day.

“The special counsel’s investigation is ongoing,” Rosenstein said, adding, “I want to caution you that people who speculate about federal investigations usually do not know all of the relevant facts. We do not try cases on television or in congressional hearings.”

Garrett M. Graff (@vermontgmg) is a contributing editor for WIRED and the author of The Threat Matrix: Inside Robert Mueller’s FBI. He can be reached at garrett.graff@gmail.com.”