Highlights from the Mueller Report

The IRA later used social media accounts and interest groups to sow discord in the U.S. political system through what it termed “information warfare.” The campaign evolved from a generalized program designed in 2014 and 2015 to undermine the U.S. electoral system, to a targeted operation that by early 2016 favored candidate Trump and disparaged candidate Clinton.

At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations.

In March 2016, the GRU began hacking the email accounts of Clinton Campaign volunteers and employees, including campaign chairman John Podesta. In April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). The GRU stole hundreds of thousands of documents from the compromised email accounts and networks. Around the time that the DNC announced in mid-June 2016 the Russian government’s role in hacking its network, the GRU began disseminating stolen materials through the fictitious online personas “DCLeaks” and “Guccifer 2.0.” The GRU later released additional materials through the organization WikiLeaks. …

While the investigation identified numerous links between individuals with ties to the Russian government and individuals associated with the Trump Campaign, the evidence was not sufficient to support criminal charges. Among other things, the evidence was not sufficient to charge any Campaign official as an unregistered agent of the Russian government or other Russian principal. And our evidence about the June 9, 2016 meeting and WikiLeaks’s releases of hacked materials was not sufficient to charge a criminal campaign-finance violation. Further, the evidence was not sufficient to charge that any member of the Trump Campaign conspired with representatives of the Russian government to interfere in the 2016 election. …

The Office investigated several other events that have been publicly reported to involve potential Russia-related contacts. For example, the investigation established that interactions between Russian Ambassador Kislyak and Trump Campaign officials both at the candidate’s April 2016 foreign policy speech in Washington, D.C., and during the week of the Republican National Convention were brief, public, and non-substantive. And the investigation did not establish that one Campaign official’s efforts to dilute a portion of the Republican Party platform on providing assistance to Ukraine were undertaken at the behest of candidate Trump or Russia. The investigation also did not establish that a meeting between Kislyak and Sessions in September 2016 at Sessions’s Senate office included any more than a passing mention of the presidential campaign. …

Throughout 2016, IRA accounts published an increasing number of materials supporting the Trump Campaign and opposing the Clinton Campaign. For example, on May 31, 2016, the operational account “Matt Skiber” began to privately message dozens of pro-Trump Facebook groups asking them to help plan a “pro-Trump rally near Trump Tower.”55

To reach larger U.S. audiences, the IRA purchased advertisements from Facebook that promoted the IRA groups on the newsfeeds of U.S. audience members. According to Facebook, the IRA purchased over 3,500 advertisements, and the expenditures totaled approximately $100,000.56.

During the U.S. presidential campaign, many IRA-purchased advertisements explicitly supported or opposed a presidential candidate or promoted U.S. rallies organized by the IRA (discussed below). As early as March 2016, the IRA purchased advertisements that overtly opposed the Clinton Campaign. For example, on March 18, 2016, the IRA purchased an advertisement depicting candidate Clinton and a caption that read in part, “If one day God lets this liar enter the White House as a president – that day would be a real national tragedy.”57

Similarly, on April 6, 2016, the IRA purchased advertisements for its account “Black Matters” calling for a “flashmob” of U.S. persons to “take a photo with #HillaryClintonForPrison2016 or #nohillary2016.”58 IRA-purchased advertisements featuring Clinton were, with very few exceptions, negative.59

IRA-purchased advertisements referencing candidate Trump largely supported his campaign. The first known IRA advertisement explicitly endorsing the Trump Campaign was purchased on April 19, 2016. The IRA bought an advertisement for its Instagram account “Tea Party News” asking U.S. persons to help them “make a patriotic team of young Trump supporters” by uploading photos with the hashtag “#KIDS4TRUMP.”60 In subsequent months, the IRA purchased dozens of advertisements supporting the Trump Campaign, predominantly through the Facebook groups “Being Patriotic,” “Stop All Invaders,” and “Secured Borders.” …

The IRA operated individualized Twitter accounts similar to the operation of its Facebook accounts, by continuously posting original content to the accounts while also communicating with U.S. Twitter users directly (through public tweeting or Twitter’s private messaging).

The IRA used many of these accounts to attempt to influence U.S. audiences on the election. Individualized accounts used to influence the U.S. presidential election included @TEN_ GOP ( described above); @jenn _ abrams ( claiming to be a Virginian Trump supporter with 70,000 followers); @Pamela_Moore13 (claiming to be a Texan Trump supporter with 70,000 followers); and @America:__Ist_ (an anti-immigration persona with 24,000 followers).67 In May 2016, the IRA created the Twitter account @march_for_trump, which promoted IRA-organized rallies in support of the Trump Campaign (described below).68 …

The IRA organized and promoted political rallies inside the United States while posing as U.S. grassroots activists. First, the IRA used one of its preexisting social media personas (Facebook groups and Twitter accounts, for example) to announce and promote the event. The IRA then sent a large number of direct messages to followers of its social media account asking them to attend the event. From those who responded with interest in attending, the IRA then sought a U.S. person to serve as the event’s coordinator. In most cases, the IRA account operator would tell the U.S. person that they personally could not attend the event due to some preexisting conflict or because they were somewhere else in the United States.82 The IRA then further promoted the event by contacting U.S. media about the event and directing them to speak with the coordinator.83

After the event, the IRA posted videos and photographs of the event to the IRA’s social media accounts. 84

The Office identified dozens of U.S. rallies organized by the IRA. The earliest evidence of a rally was a “confederate rally” in November 2015. 85 The IRA continued to organize rallies even after the 2016 U.S. presidential election. The attendance at rallies varied. Some rallies appear to have drawn few (if any) participants while others drew hundreds. …

From June 2016 until the end of the presidential campaign, almost all of the U.S. rallies organized by the IRA focused on the U.S. election, often promoting the Trump Campaign and opposing the Clinton Campaign. Pro-Trump rallies included three in New York; a series of pro-Trump rallies in Florida in August 2016; and a series of pro-Trump rallies in October 2016 in Pennsylvania. The Florida rallies drew the attention of the Trump Campaign, which posted about the Miami rally on candidate Trump’s Facebook account (as discussed below).86 …

Starting in June 2016, the IRA contacted different U.S. persons affiliated with the Trump Campaign in an effort to coordinate pro-Trump IRA-organized rallies inside the United States. In all cases, the IRA contacted the Campaign while claiming to be U.S. political activists working on behalf of a conservative grassroots organization. The IRA’s contacts included requests for signs and other materials to use at rallies, 107 as well as requests to promote the rallies and help coordinate Iogistics.108 While certain campaign volunteers agreed to provide the requested support (for example, agreeing to set aside a number of signs), the investigation has not identified evidence that any Trump Campaign official understood the requests were coming from foreign nationals. …

Beginning in March 2016, units of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton Campaign, including the email account of campaign chairman John Podesta. Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). The GRU targeted hundreds of email accounts used by Clinton Campaign employees, advisors, and volunteers. In total, the GRU stole hundreds of thousands of documents from the compromised email accounts and networks. 109 The GRU later released stolen Clinton Campaign and DNC documents through online personas, “DCLeaks” and “Guccifer 2.0,” and later through the organization WikiLeaks. The release of the documents was designed and timed to interfere with the 2016 U.S. presidential election and undermine the Clinton Campaign. …

By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network. 119

Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection120 between the DCCC and DNC networks.121 Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.122

Unit 26165 implanted on the DCCC and DNC networks two types of customized malware, 123 known as “X-Agent” and “X-Tunnel”; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems).124 XTunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers. 125 GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers. …

Officers from Unit 26165 stole thousands of documents from the DCCC and DNCnetworks, including significant amounts of data pertaining to the 2016 U.S. federal elections.

Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees.

The GRU began stealing DCCC data shortly after it gained access to the network. On April 14, 2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe onto the DCCC’s document server. The following day, the GRU searched one compromised DCCC computer for files containing search terms that included “Hillary,” “DNC,” “Cruz,” and “Trump.”131 On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC’s shared file server that pertained to the 2016 election.132 The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server.133

In order to expand its interference in the 20 I 6 U.S. presidential election, the GRU units transferred many of the documents they stole from the DNC and the chairman of the Clinton Campaign to WikiLeaks. GRU officers used both the DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter private messaging and through encrypted channels, including possibly through WikiLeaks’s private communication system. …

c. The GRU’s Transfer of Stolen Materials to WikiLeaks 

Both the GRU and WikiLeaks sought to hide their communications, which has limited the Office’s ability to collect all of the communications between them. Thus, although it is clear that the stolen DNC and Podesta documents were transferred from the GRU to WikiLeaks, [REDACTED] …

An analysis of the metadata collected from the WikiLeaks site revealed that the stolen Podesta emails show a creation date of September 19, 2016.171 Based on information about Assange’s computer and its possible operating system, this date may be when the GRU staged the stolen Podesta emails for transfer to WikiLeaks (as the GRU had previously done in July 2016 for the DNC emails). 172 The WikiLeaks site also released PDFs and other documents taken from Podesta that were attachments to emails in his account; these documents had a creation date of October 2, 2016, which appears to be the date the attachments were separately staged by WikiLeaks on its site. 173

Beginning on September 20, 2016, WikiLeaks and DCLeaks resumed communications in a brief exchange. On September 22, 2016, a DCLeaks email account dcleaksproject@gmail.com sent an email to a WikiLeaks account with the subject “Submission” and the message “Hi from DCLeaks.” The email contained a PGP-encrypted with the filename “wiki_mail.txt.gpg.” 174 …

As reports attributing the DNC and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made several public statements apparently designed to obscure the source of the materials that WikiLeaks was releasing. The file-transfer evidence described above and other information uncovered during the investigation discredit WikiLeaks’s claims about the source of material that it posted.

Beginning in the summer of 2016, Assange and WikiLeaks made a number of statements about Seth Rich, a former DNC staff member who was killed in July 2016. The statements about Rich implied falsely that he had been the source of the stolen DNC emails. On August 9, 2016, the @WikiLeaks Twitter account posted: “ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for information leading to conviction for the murder ofDNC staffer Seth Rich.” 180

Likewise, on August 25, 2016, Assange was asked in an interview, “Why are you so interested in Seth Rich’s killer?” and responded, “We’re very interested in anything that might be a threat to alleged Wikileaks sources.” The interviewer responded to Assange’s statement by commenting, “I know you don’t want to reveal your source, but it certainly sounds like you’re suggesting a man who leaked information to WikiLeaks was then murdered.” Assange replied, “If there’s someone who’s potentially connected to our publication, and that person has been murdered in suspicious circumstances, it doesn’t necessarily mean that the two are connected. But it is a very serious matter … that type of allegation is very serious, as it’s taken very seriously by us.”181

After the U.S. intelligence community publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking. According to media reports, Assange told a U.S. congressman that the DNC hack was an “inside job,” and purported to have “physical proof” that Russians did not give materials to Assange. 182