IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

UNITED STATES OF AMERICA

v.

VIKTOR BORISOVICH NETYKSHO,
BORIS ALEKSEYEVICH ANTONOV,
DMITRIY SERGEYEVICH BADIN,
IVAN SERGEYEVICH YERMAKOV,
ALEKSEY VIKTOROVICH LUKASHEV,
SERGEY ALEKSANDROVICH MORGACHEV,
NIKOLAY YURYEVICH KOZACHEK,
PAVEL VYACHESLAVOVICH YERSHOV,
ARTEM ANDREYEVICH MALYSHEV,
ALEKSANDR VLADIMIROVICH OSADCHUK,
ALEKSEY ALEKSANDROVICH POTEMKIN, and
ANATOLIY SERGEYEVICH KOVALEV,

Defendants.

CRIMINAL NO.
(18 U.S.C. §§ 2, 371, 1030, 1028A, 1956, and 3551 et seq.)

RECEIVED JUL 13 2018
Clerk, U.S. District and Bankruptcy Courts for the District of Columbia

INDICTMENT

The Grand Jury for the District of Columbia charges:

COUNT ONE
(Conspiracy to Commit an Offense Against the United States)

1. In or around 2016, the Russian Federation (“Russia”) operated a military intelligence agency called the Main Intelligence Directorate of the General Staff (“GRU”). The GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations that involved the staged releases of documents stolen through computer intrusions. These units conducted large-scale cyber operations to interfere with the 2016 U.S. presidential election.

2. Defendants VIKTOR BORISOVICH NETYKSHO, BORIS ALEKSEYEVICH ANTONOV, DMITRIY SERGEYEVICH BADIN, IVAN SERGEYEVICH YERMAKOV, ALEKSEY VIKTOROVICH LUKASHEV, SERGEY ALEKSANDROVICH MORGACHEV, NIKOLAY YURYEVICH KOZACHEK, PAVEL VYACHESLAVOVICH YERSHOV, ARTEM ANDREYEVICH MALYSHEV, ALEKSANDR VLADIMIROVICH OSADCHUK, and ALEKSEY ALEKSANDROVICH POTEMKIN were GRU officers who knowingly and intentionally conspired with each other, and with persons known and unknown to the Grand Jury (collectively the “Conspirators”), to gain unauthorized access (to “hack”) into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.

3. Starting in at least March 2016, the Conspirators used a variety of
means to hack the email accounts of volunteers and employees of the U.S. presidential campaign of Hillary Clinton (the “Clinton Campaign”), including the email account of the Clinton Campaign’s chairman.

4. By in or around April 2016, the Conspirators also hacked into the computer networks of the Democratic Congressional Campaign Committee (“DCCC”) and the Democratic National Committee (“DNC”). The Conspirators covertly monitored the computers of dozens of DCCC and DNC employees, implanted hundreds of files containing malicious computer code (“malware”), and stole emails and other documents from the DCCC and DNC.

5. By in or around April 2016, the Conspirators began to plan the release of materials stolen from the Clinton Campaign, DCCC, and DNC.

6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including “DCLeaks” and “Guccifer 2.0.”

7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”) that had previously posted documents stolen from U.S. persons, entities, and the U.S. government. The Conspirators continued their U.S. election-interference operations through in or around November 2016.

8. To hide their connections to Russia and the Russian government, the Conspirators used false identities and made false statements about their identities. To further avoid detection, the Conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using cryptocurrency.

Defendants

9. Defendant VIKTOR BORISOVICH NETYKSHO (Нетыкшо Виктор Борисович) was the Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt, Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as the email accounts of individuals affiliated with the Clinton Campaign.

10. Defendant BORIS ALEKSEYEVICH ANTONOV (Антонов Борис Алексеевич) was a Major in the Russian military assigned to Unit 26165. ANTONOV oversaw a department within Unit 26165 dedicated to targeting military, political, governmental, and non-governmental organizations with spearphishing emails and other computer intrusion activity. ANTONOV held the title “Head of Department.” In or around 2016, ANTONOV supervised other co-conspirators who targeted the DCCC, DNC, and individuals affiliated with the Clinton Campaign.

11. Defendant DMITRIY SERGEYEVICH BADIN (Бадин Дмитрий Сергеевич) was a Russian military officer assigned to Unit 26165 who held the title “Assistant Head of Department.” In or around 2016, BADIN, along with ANTONOV, supervised other co-conspirators who targeted the DCCC, DNC, and individuals affiliated with the Clinton Campaign.

12. Defendant IVAN SERGEYEVICH YERMAKOV (Ермаков Иван Сергеевич) was a Russian military officer assigned to ANTONOV’s department within Unit 26165. Since in or around 2010, YERMAKOV used various online personas, including “Kate S. Milton,” “James McMorgans,” and “Karen W. Millen,” to conduct hacking operations on behalf of Unit 26165. In or around March 2016, YERMAKOV participated in hacking at least two email accounts from which campaign-related documents were released through DCLeaks. In or around May 2016, YERMAKOV also participated in hacking the DNC email server and stealing DNC emails that were later released through Organization 1.

13. Defendant ALEKSEY VIKTOROVICH LUKASHEV (Лукашев Алексей Викторович) was a Senior Lieutenant in the Russian military assigned to ANTONOV’s department within Unit 26165. LUKASHEV used various online personas, including “Den Katenberg” and “Yuliana Martynova.” In or around 2016, LUKASHEV sent spearphishing emails to members of the Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign.

14. Defendant SERGEY ALEKSANDROVICH MORGACHEV (Моргачев Сергей Александрович) was a Lieutenant Colonel in the Russian military assigned to Unit 26165. MORGACHEV oversaw a department within Unit 26165 dedicated to developing and managing malware, including a hacking tool used by the GRU known as “X-Agent.” During the hacking of the DCCC and DNC networks, MORGACHEV supervised the co-conspirators who developed and monitored the X-Agent malware implanted on those computers.

15. Defendant NIKOLAY YURYEVICH KOZACHEK (Козачек Николай Юрьевич) was a Lieutenant Captain in the Russian military assigned to MORGACHEV’s department within Unit 26165. KOZACHEK used a variety of monikers, including “kazak” and “blablabla1234565.” KOZACHEK developed, customized, and monitored X-Agent malware used to hack the DCCC and DNC networks beginning in or around April 2016.

16. Defendant PAVEL VYACHESLAVOVICH YERSHOV (Ершов Павел Вячеславович) was a Russian military officer assigned to MORGACHEV’s department within Unit 26165. In or around 2016, YERSHOV assisted KOZACHEK and other co-conspirators in testing and customizing X-Agent malware before actual deployment and use.

17. Defendant ARTEM ANDREYEVICH MALYSHEV (Малышев Артем Андреевич) was a Second Lieutenant in the Russian military assigned to MORGACHEV’s department within Unit 26165. MALYSHEV used a variety of monikers, including “djangomagicdev” and “realblatr.” In or around 2016, MALYSHEV monitored X-Agent malware implanted on the DCCC and DNC networks.

18. Defendant ALEKSANDR VLADIMIROVICH OSADCHUK (Осадчук Александр Владимирович) was a Colonel in the Russian military and the commanding officer of Unit 74455. Unit 74455 was located at 22 Kirova Street, Khimki, Moscow, a building referred to within the GRU as the “Tower.” Unit 74455 assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU.

19. Defendant ALEKSEY ALEKSANDROVICH POTEMKIN (Потемкин Алексей Александрович) was an officer in the Russian military assigned to Unit 74455. POTEMKIN was a supervisor in a department within Unit 74455 responsible for the administration of computer infrastructure used in cyber operations. Infrastructure and social media accounts administered by POTEMKIN’s department were used, among other things, to assist in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas.

Object of the Conspiracy

20. The object of the conspiracy was to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from those computers, and stage releases of the stolen documents to interfere with the 2016 U.S. presidential election.

Manner and Means of the Conspiracy

Spearphishing Operations

21. ANTONOV, BADIN, YERMAKOV, LUKASHEV, and their co-conspirators targeted victims using a technique known as spearphishing to steal victims’ passwords or otherwise gain access to their computers. Beginning by at least March 2016, the Conspirators targeted over 300 individuals affiliated with the Clinton Campaign, DCCC, and DNC.

a. For example, on or about March 19, 2016, LUKASHEV and his co-conspirators created and sent a spearphishing email to the chairman of the Clinton Campaign. LUKASHEV used the account “john356gh” at an online service that abbreviated lengthy website addresses (referred to as a “URL-shortening service”). LUKASHEV used the account to mask a link contained in the spearphishing email, which directed the recipient to a GRU-created website. LUKASHEV altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking the embedded link. Those instructions were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and their co-conspirators stole the contents of the chairman’s email account, which consisted of over 50,000 emails.

b. Starting on or about March 19, 2016, LUKASHEV and his co-conspirators sent spearphishing emails to the personal
accounts of other individuals affiliated with the Clinton Campaign, including its campaign manager and a senior foreign policy advisor. On or about March 25, 2016, LUKASHEV used the same john356gh account to mask additional links included in spearphishing emails sent to numerous individuals affiliated with the Clinton Campaign, including Victims 1 and 2. LUKASHEV sent these emails from the Russia-based email account hi.mymail@yandex.com that he spoofed to appear to be from Google.

c. On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and 2 and their association with Clinton on various social media sites. Through their spearphishing operations, LUKASHEV, YERMAKOV, and their co-conspirators successfully stole email credentials and thousands of emails from numerous individuals affiliated with the Clinton Campaign. Many of these stolen emails, including those from Victims 1 and 2, were later released by the Conspirators through DCLeaks.

d. On or about April 6, 2016, the Conspirators created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. In the spearphishing emails, LUKASHEV and his co-conspirators embedded a link purporting to direct the recipient to a document titled “hillary-clinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers to a GRU-created website.

22. The Conspirators spearphished individuals affiliated with the Clinton Campaign throughout the summer of 2016. For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third-party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy-six email addresses at the domain for the Clinton Campaign.

Hacking into the DCCC Network

23. Beginning in or around March 2016, the Conspirators, in addition to their spearphishing efforts, researched the DCCC and DNC computer networks to identify technical specifications and vulnerabilities.

a. For example, beginning on or about March 15, 2016, YERMAKOV ran a technical query for the DNC’s internet protocol configurations to identify connected devices.

b. On or about the same day, YERMAKOV searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton.

c. On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC’s internet protocol configurations to identify connected devices.

24. By in or around April 2016, within days of YERMAKOV’s searches regarding the DCCC, the Conspirators hacked into the DCCC computer network. Once they gained access, they installed and managed different types of malware to explore the DCCC network and steal data.

a. On or about April 12, 2016, the Conspirators used the stolen credentials of a DCCC Employee (“DCCC Employee 1”) to access the DCCC network. DCCC Employee 1 had received a spearphishing email from the Conspirators on or about April 6, 2016, and entered her password after clicking on the link.

b. Between in or around April 2016 and June 2016, the Conspirators installed multiple versions of their X-Agent malware on at least ten DCCC computers, which allowed them to monitor individual employees’ computer activity, steal passwords, and maintain access to the DCCC network.

c. X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their “AMS” panel. KOZACHEK, MALYSHEV, and their co-conspirators logged into the AMS panel to use X-Agent’s keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of
the DCCC employees’ computer screens.

d. For example, on or about April 14, 2016, the Conspirators repeatedly activated X-Agent’s keylog and screenshot functions to surveil DCCC Employee 1’s computer activity over the course of eight hours. During that time, the Conspirators captured DCCC Employee 1’s communications with co-workers and the passwords she entered while working on fundraising and voter outreach projects. Similarly, on or about April 22, 2016, the Conspirators activated X-Agent’s keylog and screenshot functions to capture the discussions of another DCCC Employee (“DCCC Employee 2”) about the DCCC’s finances, as well as her individual banking information and other personal topics.

25. On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April 20, 2016, the Conspirators directed X-Agent malware on the DCCC computers to connect to this middle server and receive directions from the Conspirators.

Hacking into the DNC Network

26. On or about April 18, 2016, the Conspirators hacked into the DNC’s computers through their access to the DCCC network. The Conspirators then installed and managed different types of malware (as they did in the DCCC network) to explore the DNC network and steal documents.

a. On or about April 18, 2016, the Conspirators activated X-Agent’s keylog and screenshot functions to steal credentials of a DCCC employee who was authorized to access the DNC network. The Conspirators hacked into the DNC network from the DCCC network using stolen credentials. By in or around June 2016, they gained access to approximately thirty-three DNC computers.

b. In or around April 2016, the Conspirators installed X-Agent malware on the DNC network, including the same versions installed on the DCCC network. MALYSHEV and his co-conspirators monitored the X-Agent malware from the AMS panel and captured data from the victim computers. The AMS panel collected thousands of keylog and screenshot results from the DCCC and DNC computers, such as a screenshot and keystroke capture of DCCC Employee 2 viewing the DCCC’s online banking information.

Theft of DCCC and DNC Documents

27. The Conspirators searched for and identified computers within the DCCC and DNC networks that stored information related to the 2016 U.S. presidential election. For example, on or about April 15, 2016, the Conspirators searched one hacked DCCC computer for terms that included “hillary,” “cruz,” and “trump.” The Conspirators also copied select DCCC folders, including “Benghazi Investigations.” The Conspirators targeted computers containing information such as opposition research and field operation plans for the 2016 elections.

28. To enable them to steal a large number of documents at once without detection, the Conspirators used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. The Conspirators then used other GRU malware, known as “X-Tunnel,” to move the stolen documents outside the DCCC and DNC networks through encrypted channels.

a. For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.

b. On or about April 28, 2016, the Conspirators connected to and tested the same computer located in Illinois. Later that day, the Conspirators used X-Tunnel to connect to that computer to steal additional documents from the DCCC network.

29. Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

30. On or about May 30, 2016, MALYSHEV accessed the AMS panel in order to upgrade custom AMS software on the server. That day, the AMS panel received updates from approximately thirteen different X-Agent malware implants on DCCC and DNC computers.

31. During the hacking of the DCCC and DNC networks, the Conspirators covered their tracks by intentionally deleting logs and computer files. For example, on or about May 13, 2016, the Conspirators cleared the event logs from a DNC computer. On or about June 20, 2016, the Conspirators deleted logs from the AMS panel that documented their activities on the panel, including the login history.

Efforts to Remain on the DCCC and DNC Networks

32. Despite the Conspirators’ efforts to hide their activity, beginning in or around May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company (“Company 1”) to identify the extent of the intrusions. By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016.

33. In response to Company 1’s efforts, the Conspirators took countermeasures to maintain access to the DCCC and DNC networks.

a. On or about May 31, 2016, YERMAKOV searched for open-source information about Company 1 and its reporting on X-Agent and X-Tunnel. On or about June 1, 2016, the Conspirators attempted to delete traces of their presence on the DCCC network using the computer program CCleaner.

b. On or about June 14, 2016, the Conspirators registered the domain actblues.com, which mimicked the domain of a political fundraising platform that included a DCCC donations page. Shortly thereafter, the Conspirators used stolen DCCC credentials to modify the DCCC website and redirect
visitors to the actblues com domain On or about June 20 2016 after network the Conspirators spent to X-Agent The Conspirators Company over seven 1 had disabled hours also tried to previously stolen credentials 12 X-Agent on the DCCC unsuccessfully trying to access connect the DCCC network using In 34 or around computers hosted on a analytics gathered data by creating backups cloud provider’s accounts own or they had registered with the After access to DNC These computers contained test service conducting reconnaissance Conspirators same successfully gained the Conspirators of the DNC’s cloud-based systems “snapshots ” The technology also Conspirators third-party cloud-computing related to the DNC’s applications the September 2016 then moved the snapshots using the to cloud-based service thereby stealing the data from the DNC Stolen Documents Released through DCLeaks More than 35 a month before the release of any online persona DCLeaks to release and April 19 2016 after attempting to the domain dcleaks com registered publicize register through used to pay for the dcleaks com domain service that the Conspirators the email account operational used to'register Clinton 36 the a documents the Conspirators constructed the stolen election-related documents On the domain electionleaks com the service that originated fiom anonymized an account at also used to fund the lease of a Virtual dirbinsaabol@mail com john356gh URL-shortening Conspirators registrant The funds online cryptocurrency an private server registered with The dirbinsaabol email account account used LUKASHEV to by about was also spearphish the Campaign chairman and other campaign-related individuals On or about June 8 2016 the they used to release stolen over one million page Conspirators launched the public website dcleaks com which emails Before it shutdown in Views The Conspirators falsely around March claimed in fact it by 37 Starting in or around June 2016 and continuing through the a group of “American 
hacktivists ” when or started the the or was on 2017 the site received the site that DCLeaks started was by the Conspirators 2016 US presidential election Conspirators used DCLeaks to release emails stolen from individuals affiliated with the Clinton Campaign The Conspirators operations including those also released documents they they had stolen in other spearphishing had conducted in 2015 that collected emails from individuals 13 affiliated with the 38 On was or Republican Party about June 8 2016 and at approximately the Conspirators name or managed by POTEMKJN about June 8 2016 the Conspirators operated the @dcleaks_ efforts to interfere with the 2016 US the same computer encouraged U S Conspirators of fictitious U S persons such audiences to and his presidential The election For account as Conspirators accessed co—conspirators created the Twitter account Twitter account from the operate the Twitter to names Gingrey” to promote the DCLeaks website these accounts from computers On In addition to the DCLeaks Facebook page “Alice Donovan ” used other social media accounts in the “Jason Scott” and “Richard 39 time that the dcleaks com website launched the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious the same same @dcleaks_ The computer used for other example the Conspirators used which they @BaltimoreIsWhr through “ i oin our flash mob” opposing Clinton and to post images with the hashtag #BlacksAgainstHillary Stolen Documents Released 40 On or about June had been hacked persona Guccifer 2 0 and of Russian 41 or On managed by falsely actors In response the claimed to be responsibility for the about June 15 2016 the Unit 74455 Guccifer 2 0 14 2016 the DNC —through Company lupublicly announced that it by Russian government allegations through and between for certain words and phrases a Conspirators created the online lone Romanian hacker to undermine the intrusion Conspirators logged into a Moscow—based 4 
19 PM and 4 56 PM Moscow Standard including 14 server used and Time searched “some hundreds of sheets” dcleaks illuminati mnpoxo naseernmfi nepenon widely known translation “worldwide known” “think twice about” “company’s competence” Later that 42 published by a lone at 7 02 PM Moscow Standard day its first post on a site created blog hacker ” the post used searched for earlier that numerous through Time the online persona Guccifer 2 0 WordPress Titled “DNC’s English words and phrases that the sewers hacked Conspirators had day bolded below Worldwide known cyber security company the Democratic National Committee DNC Company 1 servers announced that had been hacked by “sophisticated” hacker groups I’m very pleased the company Here are just a so highly» few does from many thousands I extracted when into DNC’s network hacking Some hundred sheets This’s I guess appreciated my skills Company 1 a serious case isn’t it customers should think twice about company’s competence Illuminati the F Companyl 43 Between in release documents or On their through WordPress that they had or conspiracies around June 2016 and October 2016 the Conspirators posing as a and Conspirators F used Guccifer 2 0 to stolen from the DCCC and DNC The Guccifer 2 0 also shared stolen documents with certain individuals about August 15 2016 the Conspirators posing as 15 Guccifer 2 0 received a request for stolen documents from Conspirators responded using a candidate for the US The Congress the Guccifer 2 0 persona and sent the candidate stolen documents related to the candidate’s opponent b On or about August 22 2016 the Conspirators posing as Guccifer 2 0 transferred approximately 2 5 gigabytes of data stolen from the DCCC to lobbyist and online source of political news and personal On c or about The The stolen data included donor records August 22 2016 the Conspirators posing to the Black Lives reporter responded by discussing when 44 then-registered state identifying information for more than 2 000 
Democratic donors reporter stolen documents pertaining write a as Guccifer 2 0 sent Matter movement to release the documents and a The offering to article about their release an Conspirators posing as release of stolen documents On or Guccifer 2 0 also communicated with US persons about the about August 15 2016 the Conspirators posing as Guccifer 2 0 wrote to a person who was in regular contact with senior members of the presidential campaign Trump “thank of Donald J On posted ” anyhow about or as 45 The writing back a u do u find anyt h ing interesting think of the info The person tell me in the docs i if i can help u great pleasure to me ” On or about September 9 2016 the Conspirators Guccifer 2 0 referred to person “what do campaign ” for August 17 2016 the Conspirators added “please it would be again posing u on a stolen DCCC document posted online and asked the the turnout model for the democrats entire presidential responded “ p retty standard ” Conspirators conducted operations as Guccifer 2 0 and DCLeaks using overlapping computer infrastructure and financing a For example between on or about March 16 14 2016 and April 28 2016 the Conspirators network used the “VPN” same pool of bitcoin funds to account and to lease 2016 the Conspirators used the Malaysian On or about @Guccifer_2 the July 6 2016 the same server that was server Conspirators Twitter account The also used to in a server purchase a In Malaysia virtual or private around June to host the dcleaks com website used the VPN to Conspirators opened register malicious log into the that VPN account from domains for the hacking of the DCCC and DNC networks b On or about June 27 2016 the an The then sent the reporter the provide as Guccifer password to password-protected portion of dcleaks com containing emails by LUKASHEV YERMAKOV and their 2 0 contacted “Hillary Clinton’s stolen emails from U S reporter with Conspirators offer to Conspirators posing co-conspirators access a a staff ” nonpublic stolen 
from Victim l in or around March i 201 6 46 On WordPress no or about January 12 2017 the Conspirators published blog falsely claiming that the relation to the Russian a statement on the Guccifer 2 0 intrusions and release of stolen documents had “totally government ” Use of Organization 1 47 In order to expand their interference in the 2016 U S presidential election the Conspirators transferred many of the documents Campaign to Organization 1 The they stole from the DNC and the chairman of the Clinton Conspirators posing as the stolen documents and the timing of those releases with on the 2016 U S a presidential On to or any 2 0 discussed the release of Organization 1 to heighten their impact election about June 22 2016 “ s end Guccifer new material Organization 1 sent a private message to Guccifer 2 0 stolen from the DNC here for us to review 17 and it will have a much higher impact than 1 Organization tvveo is added “if you have only and hillary is interesting ” a about or attempts to 1 an instructions On documents about or on how to to a or about we the Democratic National Convention against hillary so her after ” 1 starting in that the The “we think trump conflict between bemie as attachment titled “wk dnc Organization access an Conspirators posing an July 6 2016 want it in the next Organization 1 explained i see ” late June 2016 on Guccifer 2 0 sent linkl txt gpg ” The encrypted file contained online archive of stolen DNC documents On 1 confirmed it had “the 1Gb July 18 2016 Organization would make 48 email with Conspirators explained On anything hillary related transfer the stolen documents July 14 2016 Organization about 25% chance of winning has After failed b “ck doing ” solidify bernie supporters behind and she will Conspirators responded are because the DNC sic days prefable sic approaching what you or so or archive” and release of the stolen documents “this week ” 1 released July 22 2016 Organization stolen from the DNC network by the over 20 000 emails 
and other This release occurred Conspirators approximately three days before the start of the Democratic National Convention Organization did not disclose Guccifer 2 0’s role in Organization 1 was dated on or hacked the DNC Microsoft 49 On or chairman of the Clinton Between on or about May 25 2016 Exchange about October providing them The latest-in—time email released approximately the same 1 through day the Conspirators Server 7 2016 Organization Campaign that had been 1 released the first set of emails from the stolen by LUKASHEV about October 7 2016 and November 7 2016 18 and his co-conspirators Organization 1 released approximately thirty—three Clinton In Campaign tranches of documents that had been stolen from the chairman of the total over 50 000 stolen documents were released Statutory Allegations 50 1 Paragraphs through 49 of this Indictment are re—alleged and incorporated by reference as if fully set forth herein 51 and From at least in or around March 2016 through November 2016 in the District of Columbia elsewhere Defendants NETYKSHO ANTONOV BADlN YERMAKOV LUKASHEV MORGACHEV KOZACHEK YERSHOV MALYSHEV OSADCHUK and POTEMKJN together with others known and unknown to the Grand Jury knowingly and intentionally conspired to commit offenses a To United States against the knowingly access to a access a namely computer without authorization and exceed authorized computer and to obtain thereby information from where the value of the information obtained exceeded a protected computer $5 000 in violation of Title 18 United States Code Sections 1030 a 2 C and 1030 c 2 B and b To knowingly command and cause as a authorization to completed person a would have caused loss during a one-year one year 52 and period 1030 a 5 A and In furtherance of the a result of such conduct to protected computer protected computer a the transmission of period program intentionally cause damage and where the offense did aggregating $5 000 from information code and a damage affecting 
related course at least ten in violation of Title cause without and if in Value to at least of conduct one affecting a protected computers during 18 United States Code Sections 1030 c 4 B Conspiracy committed the overt acts set forth in and to effect its illegal objects the Conspirators paragraphs 1 through 19 21 through 49 55 and 57 through 19 64 which are re-alleged and In furtherance of the 53 incorporated by reference Conspiracy and as as if fully set forth herein set forth in paragraphs 1 through 19 49 55 and 57 through 64 the Conspirators knowingly falsely registered knowingly used that domain name in the Conspirators registered domains including course of committing dcleaks com and an a 21 domain through name and offense namely the actblues com with false names and addresses and used those domains in the course of committing the felony offense charged in Count One All in violation of Title 18 United States Code Sections 371 and 3559 g 1 COUNTS TWO THROUGH NINE Aggravated Identity Theft 54 and 1 Paragraphs incorporated by reference 55 On or 21 through 19 as about the dates through 49 and 57 through 64 of this Indictment SERGEYEVICH specified below in the District of Columbia and KOZACHEK ANDREYEV'ICH elsewhere ANTONOV BADlN IVAN SERGEYEVICH YERMAKOV ALEKSEY VIKTOROVICH LUKASHEV SERGEY ALEKSANDROVICH YURYEVICH re-alleged if fully set forth herein Defendants VlKTOR BORISOVICH NETYKSHO BORIS ALEKSEYEVICH DMITRIY are MALYSHEV PAVEL MORGACHEV NIKOLAY VYACHESLAVOVICH ALEKSANDR YERSHOV VLADIMIROVICH ARTEM OSADCHUK and ALEKSEY ALEKSANDROVICH POTEMKIN did knowingly transfer possess and use without lawful authority a means of identification of another person violation enumerated in Title 18 United States in Violation of Title that the means during and in relation to a felony Code Section 1028A c namely computer fraud 18 United States Code Sections 1030 a 2 C and 1030 c 2 B knowing of identification belonged to another real person 20 ' Victim proximate Date 2 March 21 
2016 Victim 3 3 March 25 2016 Victim 1 4 April 12 5 April 15 Victim 4 2016 Victim 5 6 April 18 2016 Victim 6 7 May 10 2016 Victim 7 Username and Username and Username and 9 July 6 Username and Username and password for DCCC computer network Username and password for DNC computer network Username and personal personal password for email account Username and All in violation of Title password for computer network DCCC Victim 8 2016 password for DCCC computer network Victim 2 June 2 2016 Password for email account personal 8 Password for email account personal 2016 password for email account 18 United States Code Sections 1028A a 1 and 2 COUNT TEN Conspiracy to Launder Money 56 Paragraphs 1 through 19 21 through 49 and 55 are re-alleged and incorporated by reference as if fully set forth herein 57 To facilitate the purchase of infrastructure used in their hacking activity—including hacking into the computers of U S persons and entities involved in the 2016 U S releasing the stolen documents—the Defendants $95 000 through cryptocurrencies 58 a conspired to web of transactions structured to such as presidential election and launder the capitalize on the equivalent of more than perceived anonymity of bitcoin Although the Conspirators caused transactions to be conducted in a variety of currencies including U S dollars they principally used bitcoin when purchasing servers registering domains and otherwise making payments in furtherance of hacking activity Many of these payments were 21 processed by companies located in the United States that provided payment processing services to The hosting companies domain registrars and other vendors both international and domestic of bitcoin allowed the to avoid direct Conspirators relationships with traditional financial institutions allowing them to evade greater scrutiny of their identities and 59 All bitcoin transactions Blockchain identifies the parties a new creating infrastructure Conspirators purchased account for each a
public ledger to each transaction bitcoin addresses To further avoid using added to are a The purchase of funds sources Blockchain but the called the only by alphanumeric identifiers known centralized paper trail of all of their Conspirators used fictitious names some cases and addresses in order to obscure their identities and their links to Russia and the Russian government the dcleaks com domain example Feehan” and an ghfhgfh fdgfdg WA ” The approximately gfadel47 In On cases for as using the fictitious “Carrie part of the payment process the addresses such as “usa Denver AZ ” “gfhgh One of these dedicated accounts facilitate bitcoin payments to vendors username “gfadel47 ” received hundreds of bitcoin payment requests from For example “please send Shortly thereafter on or exactly a about February 1 2016 0 026043 bitcoin to” transaction matching a the certain those exact added to the Blockchain occasion the Conspirators facilitated bitcoin payments using the they used to name used several dedicated email accounts to track basic bitcoin transaction 100 different email accounts was paid For and “1 2 dwd District of Columbia ” character bitcoin address instructions and some nonsensical account received the instruction to thirty-four 61 to with the registered vendors with Conspirators information and registered address in New York Conspirators provided 60 was as purchases the hundreds of different email accounts in using use conduct their hacking activity including to 22 create and send test same computers that spearphishing emails Additionally the renew one of these dedicated accounts registration of domain a used was by the Conspirators encoded in certain linuxkrnlnet in or around 2015 to X-Agent malware installed on the DNC network funded the purchase of computer infrastructure for their 62 The in part by “mining” bitcoin Conspirators verify and record payments power to be used to they are rewarded with mining activity dcleaks com 63 was freshly-minted
bitcoin used for example through a In addition to Individuals and entities 64 The mining bitcoin funds currency Conspirators of fundsito pool by allowing their computing public ledger of bitcoin a service for which generated Romanian company to from the GRU’s register the domain payment processing company located in the United States through enlisted the assistance of one through digital a mine bitcoin the bitcoin The to pay the Conspirators acquired bitcoin through designed to obscure the origin of the funds exchanges moving on can hacking activity other or more a variety of means This included purchasing bitcoin through peer-to-peer digital currencies and third-party exchangers using pre-paid cards They also who facilitated layered transactions exchange platforms providing heightened anonymity used the purchase key same funding structure—and in some cases the very same accounts servers and domains used in their election-related pool hacking activity a The bitcoin also sent mining operation that funded the registration payment for dcleaks com newly-minted the persona that operation was bitcoin to used to also funded a renew through the and domains used in the GRU’s bitcoin address controlled “Daniel the domain linuxkrnlnet The bitcoin same bitcoin Farell ” mining address the purchase of servers spearphishing operations including qooqle com and account-gooogle com 23 by accounts- b On or about March 14 2016 purchased a VPN account which Twitter account The about or funds in using they a bitcoin address the later used to log into the Conspirators @Guccifer_2 remaining funds from that bitcoin address were April 28 2016 to lease Malaysian a server then used on that hosted the dcleaks com website The 0 Conspirators used DeClaur” and “Mike server a different set of fictitious Long” to send bitcoin to used to administer X-Tunnel malware networks and to lease two servers a including names “Ward US company in order to lease implanted on a the DCCC and DNC used to hack the
DNC’s cloud network Statutory Allegations 65 From at least in or around 2015 through 2016 within the District of Columbia and elsewhere Defendants VIKTOR BORISOVICH NETYKSHO BORIS ALEKSEYEVICH ANTONOV DMITRIY SERGEYEVICH ALEKSEY VIKTOROVICH BADIN IVAN SERGEYEVICH YERMAKOV LUKASHEV SERGEY ALEKSANDROVICH MORGACHEV NIKOLAY YURYEVICH KOZACHEK PAVEL VYACHESLAVOVICH YERSHOV ARTEM ANDREYEVICH ALEKSANDR MALYSHEV ALEKSEY ALEKSANDROVICH Grand Jury did a place a place to carrying and transport transmit and transfer monetary in the United States from and in the United States to and the intent to promote the OSADCHUK POTEMKIN together with others known and unknown to the knowingly and intentionally conspire instruments and funds to States and from VLADIMIROVICH on of specified through through a place unlawful 18 United States Code Section 1030 contrary to activity namely outside the United a violation of Title Title 18 United States Code Section Code Section 1956 h 24 place outside the United States with 1956 a 2 A All in violation of Title 18 United States a COUNT ELEVEN Conspiracy 66 Paragraphs 1 to Commit Offense an 8 of this Indictment through are Against the United States re-alleged and incorporated by reference as if fully set forth herein Defendants 67 Paragraph OSADCHUK is 18 of this re-alleged and Indictment relating ALEKSANDR to incorporated by reference as if fully set forth herein 68 Defendant ANATOLIY SERGEYEVICH KOVALEV was an officer in the Russian Street 69 Ковалев Анатолий Сергеевич who worked in the GRU’s 22 Kirova building the Tower Defendants OSADCHUK and KOVALEV intentionally conspired with to hack into the U S military assigned to Unit 74455 VLADIMIROVICH were GRU officers who and knowingly each other and with persons known and unknown to the Grand Jury computers of U S persons and entities responsible for the administration of 2016 elections such as state boards of elections secretaries supplied software and other technology related to the of state and U
S companies that administration of U S elections Object of the Conspiracy 70 The object of the conspiracy was to charged with the hack into protected computers administration of the 2016 U S elections in order to steal voter data and other information stored on of persons and entities access those computers and those computers Manner and Means of the Conspiracy 71 In or around June 2016 KOVALEV U S state boards of elections and his co-conspirators researched domains used by secretaries of state and other election-related entities for website vulnerabilities KOVALEV and his co-conspirators also searched for state addresses including filtered queries for email addresses listed 25 on state political party email Republican Party websites In 72 or around board of elections including names July 2016 “SBOE 1” KOVALEV and his co-conspirators hacked the and stole information related to website of a state approximately 500 000 voters addresses partial social security numbers dates of birth and driver’s license numbers In 73 or around August 2016 KOVALEV and his of a US vendor “Vendor 1” that supplied infrastructure to hack into Vendor 1 that 74 In or around hacking of SBOE software used to KOVALEV and his for the 2016 US elections August 2016 1 and identified co-conspirators hacked they had verify voter registration information used co-conspirators of the some same used to hack into SBOE 1 the Federal Bureau of some into the computers Investigation issued an alert about the of the infrastructure that was used to conduct the hacking KOVALEV and his In response KOVALEV deleted his search history deleted records from accounts used in their operations targeting co-conspirators also state boards of elections and similar election-related entities In 75 or around October 2016 KOVALEV and his co-conspirators further targeted county offices responsible for administering the 2016 US elections For example October 28 state and on or about 2016 KOVALEV and his co-conspirators visited the
websites of certain counties in Georgia Iowa and Florida to around November 2016 and 76 In and his co-conspirators send over or 100 elections in Conspirators identify vulnerabilities used an spearphishing numerous prior to the email account emails to Florida counties 2016 US designed to organizations The embedded into Word documents presidential election look like and a personnel spearphishing KOVALEV Vendor 1 email address to involved in administering emails contained malware that the bearing Vendor 1’s logo Statutory Allegations 77 Between in or around June 2016 and November 2016 in the District of Columbia and 26 elsewhere Defendants OSADCHUK and to the Grand and Jury knowingly KOVALEV together with others known and unknown intentionally conspired to commit offenses against the United States namely a To knowingly access to a access a computer without authorization and exceed authorized computer and to obtain thereby information from a protected computer where the value of the information obtained exceeded 18 United b To States knowingly cause command and as a authorization to completed person Code a a one-year and In furtherance of the conduct and a to through 76 which period from and information code and intentionally cause a related in violation of Title course least ten without damage and where the offense did damage affecting at cause and if to at least of conduct one affecting a protected computers during 18 United States Code Sections 1030 c 4 B Conspiracy are 1030 c 2 B program and to effect its KOVALEV and their co-conspirators committed the overt acts 69 and 71 and in violation of Title caused loss aggregating $5 000 in value one-year period 1030 a 5 A 78 result of such protected computer protected computer a 1030 a 2 C the transmission of would have during Sections $5 000 re-alleged and illegal objects OSADCHUK set forth in incorporated by paragraphs reference as if 67 fully through set forth herein All in violation of Title 18 United States Code
Section 371 FORFEITURE ALLEGATION 79 Pursuant to Federal Rule of Criminal Procedure 32 2 notice is that the United States will seek forfeiture as part of any hereby given to Defendants sentence in the event of Defendants’ convictions under Counts One Ten and Eleven of this Indictment Pursuant to Title 18 United 27 States Code One and Sections 982 a 2 and 1030 i upon conviction of the offenses charged in Counts Eleven Defendants NETYKSHO ANTONOV BADIN YERMAKOV LUKASHEV MORGACHEV KOZACHEK YERSHOV MALYSHEV OSADCHUK POTEMKIN and KOVALEV shall forfeit to the United States any is derived from proceeds personal property that was obtained used or directly or property indirectly intended to be offense charged in Count YERMAKOV LUKASHEV Ten result of such MORGACHEV or NETYKSHO KOZACHEK constitutes violation conviction the United States intends ANTONOV of money representing the property to be offset by the forfeiture of any a described in this judgment against paragraph as BADIN YERSHOV MALYSHEV to the United States any to seek and any upon conviction of property real or involved in such offense and any property traceable to such property Notice is further upon or to facilitate the commission Code Section 982 a 1 Defendants OSADCHUK and POTEMKIN shall forfeit as a personal which or used to commit of such offense Pursuant to Title 18 United States the real personal given that each Defendant for applicable a sum to each Defendant specific property Substitute Assets 80 If any of the property described above omission of any Defendant as being subject to forfeiture as a result of any act or -- a cannot be located upon the exercise of due b has been transferred c has been placed beyond the jurisdiction of the court d has been substantially diminished in value e has been commingled with other property that cannot be subdivided without or sold to or diligence deposited with a third party or difficulty it is the intent of the United States of America pursuant to Title 18 United States
28 Code Section 982 b and Title 28 Code Section 853 United States to Code Section 2461 c incorporating Title 21 United States seek forfeiture of any other property of said Defendant Pursuant to 18 U S C §§ 982 and 1030 i 28 U S C §2461 c Robert S Mueller III Counsel Special Department of Justice US A TRUE BILL Foreperson Date July 13 2018 29 This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu