{
	"id": "50392cb0-a383-4dd5-a9bf-7dd2c84ab375",
	"created_at": "2026-04-06T00:19:20.289198Z",
	"updated_at": "2026-04-10T13:11:41.291152Z",
	"deleted_at": null,
	"sha1_hash": "361a30aff60ece9a0dbcc8cb88705d97b6fe7eba",
	"title": "How they did it (and will likely try again): GRU hackers vs. US elections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2217937,
	"plain_text": "How they did it (and will likely try again): GRU hackers vs. US\r\nelections\r\nBy Sean Gallagher\r\nPublished: 2018-07-27 · Archived: 2026-04-05 17:08:32 UTC\r\nSkip to content\r\nLatest Mueller indictment offers excruciating details to confirm known election pwnage.\r\n#Cyberz. Credit: Aurich Lawson / Getty\r\n#Cyberz. Credit: Aurich Lawson / Getty\r\nIn a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury\r\nassembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia’s Main\r\nIntelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel’noye upravleniye,\r\nor GRU). The indictment was for conducting “active cyber operations with the intent of interfering in the 2016\r\npresidential election.”\r\nThe filing [PDF] spells out the Justice Department’s first official, public accounting of the most high-profile\r\ninformation operations against the US presidential election to date. It provides details down to the names of those\r\nalleged to be behind the intrusions into the networks of the Democratic National Committee and the Democratic\r\nCongressional Campaign Committee, the theft of emails of members of former Secretary of State Hillary\r\nhttps://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/\r\nPage 1 of 17\n\nClinton’s presidential campaign team, and various efforts to steal voter data and undermine faith in voting systems\r\nacross multiple states in the run-up to the 2016 election.\r\nThe allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and\r\nadditional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law\r\nenforcement agencies. 
Reading between the lines, the indictment reveals that the Mueller team and other US\r\ninvestigators likely gained access to things like Twitter direct messages and hosting company business records and\r\nlogs, and they obtained or directly monitored email messages associated with the GRU (and possibly WikiLeaks).\r\nIt also appears that the investigation ultimately had some level of access to internal activities of two GRU offices.\r\nThis is the first time that President Donald Trump’s Justice Department has filed official charges against members\r\nof a Russian government agency for taking actions intended to influence the outcome of the 2016 presidential\r\ncampaign—though Rosenstein was careful to assert that there was no allegation that votes were changed by this\r\noperation. The indictment details match up with much of what we’ve already learned about the information\r\noperations campaign run by the GRU. But the new findings went further, comfortably identifying each person\r\nbehind the various elements of the campaign, from the first spear phish to the final data theft.\r\nYet, after a summit meeting with Russia’s President Vladimir Putin just days following the indictment, Trump\r\npublicly expressed doubt that Russia was involved. The president has said that Putin strongly denied any\r\ninterference in the election—even as the United States’ own Director of National Intelligence, Dan Coats,\r\nreiterated the conclusion that Russia was responsible for the attacks. With such rhetoric, Trump has continued to\r\nsend mixed messages about the findings of his own intelligence and law enforcement teams, while seeming to put\r\nmore stock in Putin’s insistence that the Russian government had nothing to do with any of this.\r\nThe evidence laid out in this latest indictment suggests Trump may not have made a very good call on this\r\nmatter. 
But his blaming of the victims of the attacks for failing to have good enough security, while misguided,\r\ndoes strike on a certain truth: the Clinton campaign, the DNC, and the DCCC were poorly prepared for this sort of\r\nattack, failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they\r\nenlisted for help.\r\nThe GRU order of battle\r\nAn organizational chart of the two GRU units involved in the DNC, DCCC, Clinton campaign and state election\r\norganization hacks based on Special Counsel Robert Mueller’s indictment.\r\nThe indictment includes a significant amount of detail about the organizational structure of the GRU units\r\nallegedly involved in the wide-ranging information operations during the US presidential election. The source of\r\nthe attribution is not revealed in the indictment. However, the level of detail—including when certain individuals\r\nconnected to remote applications—indicates that US intelligence and law enforcement officials were working with\r\nmore than just the forensic data provided by CrowdStrike. Trump’s “where’s the server?” protests seem even less\r\nwell grounded in reality than they did before.\r\nThe details in the newest indictment get down to the organizational division of labor at GRU. “There was one unit\r\nthat engaged in active cyber operations by stealing information,” said Rosenstein, “and a different unit that was\r\nresponsible for disseminating the stolen information.”\r\nThe espionage operation was run by Unit 26165, commanded by GRU Officer Viktor Borisovich Netyksho. 
Unit\r\n26165 appears to be the organization behind at least part of the activity tracked under the threat-group names\r\n“Fancy Bear,” “Sofacy,” “APT28,” and “Sednit.” Within the unit, two divisions were involved in the\r\nbreaches: one specializing in operations and the second in development and maintenance of hacking tools and\r\ninfrastructure.\r\nThe operations division, supervised by Major Boris Alekseyevich Antonov, specialized in targeting organizations\r\nof intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials. Antonov’s\r\ngroup included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev, according to\r\nthe indictment, and they were responsible for targeting the email accounts that were exposed on the “DCLeaks”\r\nsite prior to the election operations.\r\nThe second division, overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev, managed the\r\ndevelopment and maintenance of malware and hacking tools used by Unit 26165, including the X-Agent\r\n“implant.” X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants\r\nfor Windows, macOS, Android, and iOS. The Windows and macOS versions of X-Agent are capable of recording\r\nkeystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.\r\nLieutenant Captain Nikolay Kozachek (who used the hacker monikers “kazak” and “blablabla1234465”) was the\r\nprimary developer and maintainer of X-Agent, according to the indictment, and he was assisted by another officer,\r\nPavel Yershov, in preparing it for deployment. 
Once X-Agent was implanted on the DNC and DCCC networks,\r\nSecond Lieutenant Artem Malyshev (AKA “djangomagicdev” and “realblatr”) monitored the implants through the\r\ncommand and control network configured for the task.\r\nThe information operations unit, Unit 74455, was commanded by Colonel Aleksandr Vladimirovich Osadchuk.\r\nUnit 74455’s members would be responsible for the distribution of some of the stolen data from the breaches\r\nthrough the “DCLeaks” and “Guccifer 2.0” websites. This group famously also reached out to WikiLeaks\r\n(referred to as “Organization 1” in the indictment) to amplify their information operation, and they promoted the\r\nleaks to journalists through GRU-controlled email and social media accounts.\r\nWithin Unit 74455, Officer Aleksey Potemkin—a department supervisor—oversaw information operations\r\ninfrastructure. His group configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would\r\nlater be used to spread data stolen from the DNC, DCCC, and Clinton campaign. Osadchuk would also direct\r\nanother information operation—assigning GRU Officer Anatoly Kovalev and others to conduct a campaign\r\nagainst state election boards and elections.\r\nReconnaissance\r\nGRU officers scanned networks at the Democratic National Committee Headquarters in\r\nWashington, DC, shown here during a January 2017 protest, and gathered information on its\r\nsystems and service providers.\r\nThe GRU operation had conducted wide-ranging spear-phishing attacks against both Democrats and Republicans\r\nas far back as October 2015 with limited success. 
Members of John McCain’s and Lindsey Graham’s campaign\r\nstaffs, as well as members of several other Republican congressional campaign staffs, had their emails stolen and\r\nlater posted on the DCLeaks site. But as the presidential field narrowed, the GRU began to focus on the\r\nDemocrats and Hillary Clinton’s campaign.\r\nStarting some time during or before March 2016, Antonov’s team began to conduct reconnaissance for attacks on\r\norganizations associated with the Democratic party. In mid-March, Yermakov performed some initial\r\nreconnaissance on the DNC and DCCC networks, scanning the DNC’s and DCCC’s Internet addresses to identify\r\ntheir infrastructure. He also performed some “open source” research on the organizations’ infrastructure and\r\nservice providers.\r\nIn the case of the Hillary For America campaign operation, according to the indictment, that infrastructure was\r\nlargely based on Google’s GSuite. However, many individuals still used personal Gmail accounts. Unfortunately,\r\nfew if any members of the Clinton campaign staff, DNC, or DCCC used two-factor authentication—despite\r\nadvice from outside advisors, including former DARPA cybersecurity program lead and longtime security\r\nresearcher Peiter “Mudge” Zatko. As Zatko recently recounted in a Twitter thread:\r\nThe most effort was expended on trying to get them (and any political candidacy that would listen to\r\nme) to implement rudimentary OPSEC protocols. [The] biggest pushback, from people now touting\r\nthemselves as candidates for security advisors to new politicos, was surprising: They refused to require\r\n2fa: it would be annoying. They pushed back on GSuite to enable document control/access/auditing:\r\nanother email is too much. 
The bare minimum defense, which GOOG has made pretty easy to achieve\r\n(they were already using GOOG), which disproportionately raises adversary costs, was too much to ask.\r\nI offered to deploy 2fa, hardened computers, and configure the communal (cloud) work systems to\r\nprotect their information. No cost. It was turned down. But I tried.\r\nThe lack of two-factor authentication left the Clinton campaign and other Democratic party officials particularly\r\nvulnerable to spear-phishing attacks… as the GRU would quickly demonstrate.\r\nInfrastructure, bought with Bitcoin\r\nI.T. Itch, a “bulletproof” domain registrar that was favored by the GRU and used to register at least\r\none spoofed domain for the DCCC hack with a Bitcoin transaction.\r\nThe GRU units used cryptocurrency to procure virtual private network services, domain names, and leased servers\r\n—spending about $90,000 worth of Bitcoin to finance election hacking operations, according to the DOJ.\r\nWhile they used hundreds of throwaway email addresses to obtain these services, a much smaller number of\r\ndedicated accounts associated with Bitcoin wallets were used as a sort of central GRU bank to make payments for\r\nthose services. By analyzing the blockchain of the cryptocurrency used, investigators were able to link specific purchases\r\nto emails requesting payments sent to these accounts.\r\nMany of the transactions from these accounts were initiated from computers used in the DNC/DCCC hacking\r\ncampaign. Some of the evidence of this activity likely comes from US-based payment processors and service providers, including a\r\nhosting provider that the GRU officers leased servers from. 
Of those GRU servers, one was in an Illinois data\r\ncenter and acted as the relay for data exfiltration from the DNC and DCCC networks; two more were used later to\r\nattack the DNC’s cloud services. Another GRU account was used to lease a server in Arizona that acted as the\r\nprimary command and control server for the DNC and DCCC operations.\r\nYet another account tracked by investigators was connected to multiple infrastructure purchases. In 2015, it was\r\nused to pay for a renewal of “linuxkrnl.net”—a domain used as part of the infrastructure for a Linux version of the\r\nX-Agent implant that would eventually be discovered at the DNC. The same account was also used to finance the\r\nregistration of the “DCLeaks.com” domain through a Romanian registrar, to pay for spear-phishing domains\r\nsuch as accounts-qooqle.com and account-gooogle.com, and to lease a virtual private server. The email account\r\ntied to that server, dirbinsaabol@mail.com, was used to register a Bitly URL shortener account (“john356gh”)\r\nused for GRU spear-phishing operations.\r\nOn March 14, 2016, another of the Bitcoin accounts traced to the GRU was used to pay for a VPN service,\r\naccording to the indictment. That service would be used later to register the Guccifer 2.0 Twitter account. “The\r\nremaining funds from that bitcoin address were then used on or about April 28, 2016, to lease a Malaysian server\r\nthat hosted the dcleaks.com website,” the indictment stated.\r\nSpear phishing\r\nThe spear-phishing message sent to Clinton campaign volunteer William Rinehart. 
Similar emails\r\nwere sent to Clinton Campaign Chairman John Podesta and others working for Clinton.\r\nAccording to the indictment, on March 19, 2016, Lukashev worked with others on his team to craft spear-phishing\r\nemails, using a Bitly URL-shortening account registered under the user name “john356gh” to create malicious\r\nlinks back to a spoofed Google sign-in page. The Bitly account, as Ars reported in December of 2016, was heavily\r\nused by the GRU unit in a months-long string of spear-phishing attacks to steal email credentials.\r\nThe links, embedded in messages that spoofed a Google security warning, were sent to a number of Clinton\r\ncampaign senior staffers, including Clinton Campaign Chairman John Podesta, Campaign Manager Robby Mook,\r\nand Senior Foreign Policy Advisor Jake Sullivan. Podesta clicked on the link, thus giving up his Google account\r\ncredentials.\r\nAnother set of spear-phishing links was created on March 25 and used to target even more people associated with\r\nthe Clinton campaign. Two, referred to as “Victim 1” and “Victim 2” in the indictment, succumbed to spear-phishing messages sent three days later, after Lukashev and his team researched their connection to the campaign\r\nthrough social media. These would appear to be William Rinehart (a Clinton volunteer in Hawaii) and Sarah\r\nHamilton (a campaign PR consultant in Chicago)—both of whom had their emails through March 28 stolen (and later\r\nposted to DCLeaks). Both were using their personal Gmail accounts. 
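The lures described here worked because the landing domains passed a quick glance: the indictment’s spear-phishing domains accounts-qooqle.com and account-gooogle.com swap a q for a g or add a letter, and the infrastructure domains misdepatrment.com and actblues.com, named later in this article, are each one transposition or one character away from the contractor they imitate. The following is an added example, not code from the article, the indictment or any vendor, showing how a mail-gateway or DNS log feed can flag such domains: each label is folded through a small confusable table, then compared with a protected-brand list by optimal string alignment distance. The protected list, the confusable table and the log lines are constructed for the example.

```python
# Added example: flag look-alike (typosquat / homoglyph) domains in log lines.
# Illustrative code, not from the article or the indictment. PROTECTED,
# CONFUSABLES and SAMPLE_LOG are constructed; a real deployment would load
# the brand list from the organization's own vendors and identity providers.

PROTECTED = ['google.com', 'misdepartment.com', 'actblue.com']

# Visually similar sequences used in phishing domains (q for g, rn for m, ...).
CONFUSABLES = {'rn': 'm', 'vv': 'w', 'cl': 'd', 'q': 'g', '0': 'o', '1': 'l'}

def normalize(label):
    # Fold look-alike sequences so that 'qooqle' compares as 'google'.
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def osa_distance(a, b):
    # Optimal string alignment distance: insertion, deletion, substitution and
    # adjacent transposition each cost 1, so 'patr' vs 'part' is 1, not 2.
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable(host):
    # Naive eTLD+1 (last two labels). Adequate for the .com names used here;
    # use the public suffix list for anything else.
    return '.'.join(host.lower().strip('.').split('.')[-2:])

def classify(host, protected=PROTECTED, max_distance=1):
    # Returns (verdict, brand): 'trusted' when the host sits under a protected
    # domain, 'lookalike' when any label (split on '-') is within max_distance
    # of a protected brand after confusable folding, otherwise 'other'.
    reg = registrable(host)
    for good in protected:
        if reg == good:
            return ('trusted', good)
    tokens = [t for label in host.lower().split('.')[:-1] for t in label.split('-') if t]
    for good in protected:
        brand = normalize(good.split('.')[0])
        for tok in tokens:
            if osa_distance(normalize(tok), brand) <= max_distance:
                return ('lookalike', good)
    return ('other', None)

# Constructed key=value log lines, one per clicked link or DNS lookup.
SAMPLE_LOG = [
    'ts=2016-03-19T10:02:11Z event=url_click user=staffer1 host=accounts-qooqle.com',
    'ts=2016-03-25T08:14:40Z event=url_click user=staffer2 host=account-gooogle.com',
    'ts=2016-03-25T08:15:02Z event=url_click user=staffer2 host=accounts.google.com',
    'ts=2016-04-28T22:41:09Z event=dns_query user=dncws01 host=misdepatrment.com',
    'ts=2016-06-14T17:30:55Z event=url_click user=donor host=actblues.com',
    'ts=2016-06-14T17:31:10Z event=url_click user=donor host=secure.actblue.com',
    'ts=2016-06-15T09:00:00Z event=dns_query user=dncws02 host=example.com',
]

def scan(lines):
    # Parse key=value lines and return (timestamp, host, imitated brand) hits.
    hits = []
    for line in lines:
        fields = dict(kv.split('=', 1) for kv in line.split() if '=' in kv)
        host = fields.get('host')
        if not host:
            continue
        verdict, brand = classify(host)
        if verdict == 'lookalike':
            hits.append((fields.get('ts'), host, brand))
    return hits

if __name__ == '__main__':
    for ts, host, brand in scan(SAMPLE_LOG):
        print(ts, host, '->', brand)
```

Run as a script it prints the four hits and nothing for the two genuine hosts or example.com. The threshold of one edit is deliberately tight; in production the hits would also be enriched with registration age, since the article notes that misdepatrment.com was registered in March, weeks before it carried exfiltration traffic.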
Others targeted would include former\r\nSecretary of State Colin Powell and employees of the DNC and DCCC.\r\nOn April 6, according to the indictment, Lukashev and his team constructed a new spear-phishing attack using a\r\nmalicious link disguised as a spreadsheet named “hillary-clinton-favorable-rating.xlsx.” That document link,\r\nemailed from an address spoofing the account of a “known member of the Clinton campaign,” connected back to a\r\nGRU-controlled Web server and prompted targets for network login credentials. The email was sent to the\r\naccounts of more than 30 Clinton campaign workers. Another similar phishing email was sent to at least one\r\nemployee of the DCCC, who clicked the link and gave up her DCCC network credentials.\r\nThe pillaging commences\r\nWith the DCCC login credentials in hand, Lukashev and his team were able to remotely connect to the DCCC\r\nnetwork and begin to move laterally, installing X-Agent on at least 10 computers, according to the indictment.\r\nUsing the Arizona command and control server as the collection point, they began to gather keystroke capture data and screenshots. They also\r\nremotely installed a file compression tool to make archives of files.\r\nKozachek’s X-Agent support team began monitoring the malware implants deployed by Lukashev’s group. On\r\nApril 19, Kozachek and Yershov configured a “middle” server on an overseas host to act as a relay between the X-Agent implants and the top-level command and control server to further obscure the data trail as they began to\r\nsteal files and other data.\r\nThat extra layer was deployed a day after a major score—X-Agent had recorded the credentials of a DCCC staffer\r\nwho had access to the DNC’s network, giving Unit 26165 a way to move laterally onto the DNC’s servers. 
Using\r\nX-Agent’s search function, the hacking team began to gather up documents from the DNC and DCCC servers,\r\nusing search terms that included “Hillary,” “Cruz,” and “Trump.”\r\nOn April 22, the GRU team began compressing the data into archive files for exfiltration. They then deployed X-Tunnel, another tool from the Fancy Bear kit, to provide an encrypted tunnel to move stolen files over to another\r\nserver the GRU leased in Illinois, starting on April 28. To conceal the tunnel from prying eyes, they used the domain\r\nmisdepatrment.com—a misspelling of the domain of the DNC’s IT service provider MIS Department. The GRU\r\nhad registered this in March during the reconnaissance phase of the hack.\r\nIn the midst of everything, the distribution team at Unit 74455 was preparing to enter the game. On April 19,\r\nsomeone using the same Mail.com email address used to set up the Bitly account attempted to register the domain\r\nelectionleaks.com—and when that failed, this person pivoted to DCLeaks.com. While the registration service\r\nprovided anonymity, the payment for the domain was made in cryptocurrency from an online account previously\r\nlinked to the email address by a payment for a virtual private server.\r\nNext came the mail servers. Yermakov was observed researching PowerShell commands related to Microsoft\r\nExchange Server between May 25 and June 1, and he managed to export thousands of emails from accounts on\r\nthe server. During the same period, Malyshev was observed using the command and control server to ship\r\nupgrades and additional modules to the X-Agent implants on the DNC and DCCC networks. 
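The mailbox export via Exchange PowerShell described above, together with the event-log clearing that the indictment also records, both leave Windows event records behind wherever audit and script-block logging are turned on. The following is an added example, not code from the article or from any vendor, of a detection that flags both and then correlates them, on the reasoning that mail collection followed or preceded by anti-forensics is a far stronger signal than either event alone. The event records are constructed; hostnames, users and timestamps are invented.

```python
# Added example: spot mailbox export cmdlets and event-log clearing in
# forwarded Windows events, then pair the two. Illustrative code, not from
# the article; SAMPLE_EVENTS is constructed in the flattened shape most
# event forwarders emit (Channel, EventID, Computer, ScriptBlockText ...).
from datetime import datetime, timedelta

# Security 1102 = the audit log was cleared; System 104 = the log file was
# cleared; PowerShell/Operational 4104 = script block logging (command text).
LOG_CLEARED = {('Security', 1102), ('System', 104)}
SCRIPT_BLOCK = ('Microsoft-Windows-PowerShell/Operational', 4104)

# Exchange cmdlets that copy mailbox contents to a file or another mailbox.
MAILBOX_EXPORT_CMDLETS = ['new-mailboxexportrequest', 'export-mailbox', 'search-mailbox']

SAMPLE_EVENTS = [
    {'TimeCreated': '2016-05-12T21:05:44Z', 'Channel': 'Security', 'EventID': 4624,
     'Computer': 'exch01.example.internal', 'SubjectUserName': 'admin'},
    {'TimeCreated': '2016-05-13T02:11:09Z', 'Channel': 'Security', 'EventID': 1102,
     'Computer': 'dc01.example.internal', 'SubjectUserName': 'admin'},
    {'TimeCreated': '2016-05-25T23:50:01Z', 'Channel': SCRIPT_BLOCK[0], 'EventID': 4104,
     'Computer': 'exch01.example.internal',
     'ScriptBlockText': 'Get-Mailbox -ResultSize Unlimited | Select-Object Name'},
    {'TimeCreated': '2016-05-26T00:12:37Z', 'Channel': SCRIPT_BLOCK[0], 'EventID': 4104,
     'Computer': 'exch01.example.internal',
     'ScriptBlockText': 'New-MailboxExportRequest -Mailbox chair -FilePath //exch01/c$/tmp/chair.pst'},
    {'TimeCreated': '2016-06-01T03:30:15Z', 'Channel': 'System', 'EventID': 104,
     'Computer': 'dccc-fs02.example.internal', 'SubjectUserName': 'admin'},
]

def classify_event(ev):
    # Return (technique, detail) for events worth alerting on, else None.
    key = (ev.get('Channel'), ev.get('EventID'))
    if key in LOG_CLEARED:
        return ('T1070.001 clear windows event logs', ev.get('SubjectUserName', 'unknown'))
    if key == SCRIPT_BLOCK:
        text = ev.get('ScriptBlockText', '').lower()
        for cmdlet in MAILBOX_EXPORT_CMDLETS:
            if cmdlet in text:
                return ('T1114.002 remote email collection', cmdlet)
    return None

def detect(events):
    # One alert per matching event: (timestamp, host, technique, detail).
    alerts = []
    for ev in events:
        hit = classify_event(ev)
        if hit is not None:
            alerts.append((ev['TimeCreated'], ev['Computer'], hit[0], hit[1]))
    return alerts

def parse_ts(ts):
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')

def correlate(alerts, window_days=30):
    # Pair every export alert with every log-clear alert inside the window.
    # A lone 1102 is often an administrator; an export plus a clear is not.
    exports = [a for a in alerts if a[2].startswith('T1114')]
    clears = [a for a in alerts if a[2].startswith('T1070')]
    window = timedelta(days=window_days)
    return [(e[0], e[1], c[0], c[1]) for e in exports for c in clears
            if abs(parse_ts(e[0]) - parse_ts(c[0])) <= window]

if __name__ == '__main__':
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print('export/clear pairs:', correlate(found))
```

The benign logon and the read-only Get-Mailbox call produce nothing; the 1102 on the domain controller, the export request on the Exchange host and the 104 on the file server each raise an alert, and the export pairs with both clears inside the default 30-day window. Script-block logging has to be enabled for the 4104 records to exist at all, which is the first thing to check before relying on this.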
Meanwhile, the\r\nhacking team regularly deleted Windows log files to cover their tracks—including purging an event log on May\r\n13.\r\nBurned and burning\r\nThe Guccifer 2.0 weblog on WordPress.com.\r\nBy this time, the DNC’s IT staff had determined something bad was going on. The DNC called in CrowdStrike to\r\nassist in late May. Starting in June, CrowdStrike began to take steps to block communications from the implants,\r\nbut the Linux system infected with an X-Agent variant continued to be active until October 2016. The GRU\r\nhacking team wasn’t giving up its foothold without a fight.\r\nAs it became clearer that their X-Agent installs had been burned, Yermakov was tracking reporting from\r\nCrowdStrike about X-Agent and X-Tunnel. On June 1, as CrowdStrike began to try to shut down the intrusion on\r\nthe DNC network, the GRU hacking team tried to cover its tracks on the DCCC network—installing and running\r\nCCleaner to purge files.\r\nAs the intelligence stream was lost, the information operations game began—particularly with the launch of DC\r\nLeaks’ website, Facebook, and Twitter account on June 8. Logs from Twitter show that the @dcleaks_ account\r\nwas registered from the same computer used to create @BaltimoreIsWhr—an account that attempted to create\r\nbuzz around the hashtag #BlacksAgainstHillary through posts exhorting others to “join our flash mob.”\r\nThere was little to gain traction with in the first DC Leaks postings—the emails on the site were scattershot\r\nleftovers from previous phishing efforts, including those stolen emails from Republican congressional campaigns\r\nand others targeting military officers and defense contractors. When it came to the Democrats, initially the DC\r\nLeaks site posted only a few campaign-related materials. 
Only later would stolen emails from Clinton campaign\r\nvolunteers be added to the odd mix of documents eventually thrown up on the DC Leaks site.\r\nIn mid-June, as CrowdStrike announced that the DNC had been hacked by what the company identified as Russian\r\ngovernment actors, the GRU units prepared a nasty going-away present for the DCCC. They registered\r\nactblues.com, a domain similar to that of the DCCC’s fundraising contractor ActBlue. Using stolen DCCC\r\ncredentials, they gained access to the DCCC Web server and changed the link for contributions to direct visitors to\r\ntheir fake domain. This may have been intended to provide cover for the operation, making it look like a\r\nfinancially motivated attack.\r\nAt the same time, Unit 74455 launched the Guccifer 2.0 persona on WordPress. On June 15, as the unit prepared\r\nGuccifer’s first post, they logged in to a server in Moscow to search for translations of Russian phrases that were\r\nthen included in the first post—an attempt to convince the world that a single lone hacker had been responsible for\r\nthe whole DNC and DCCC hack.\r\nA little help from a friend\r\nThe WikiLeaks DNC email database. GRU transferred gigabytes of DNC, DCCC, and Clinton\r\ncampaign data to WikiLeaks at the organization’s urging.\r\nIn the summer of 2016, the hacking team was cleaning house—wiping logs from the Arizona server on June 20 to\r\ncover their tracks, for instance. Simultaneously, these hackers were still trying to re-establish a foothold on the\r\nDNC and DCCC networks with previously stolen credentials.\r\nUltimately, the information ops team got rolling with a little help from the outside world. 
On June 22, someone\r\nfrom WikiLeaks sent a private message to Guccifer 2.0 on Twitter: “Send any new material here for us to review\r\nand it will have a much higher impact than what you are doing.” The GRU team attempted to send files multiple\r\ntimes, unsuccessfully.\r\nMeanwhile, the Unit 74455 team was busy reaching out to reporters, including The Smoking Gun. Via the\r\nGuccifer 2.0 persona, the hackers offered to give “private access” to files via the DC Leaks server on June 27.\r\nThey gave The Smoking Gun editor William Bastone access to the emails of Sarah Hamilton. (Bastone was the\r\nfirst to tie Guccifer 2.0 to DC Leaks).\r\nOn July 6, WikiLeaks messaged the Guccifer 2.0 Twitter account again, trying to close the deal: “If you have\r\nanything Hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic\r\nNational Convention] is approaching and she will solidify Bernie supporters behind her after.”\r\nThe Unit 74455 team responded: “ok … I see.”\r\nWhoever was using the WikiLeaks Twitter account soon expanded on the urgency of the request. “We think trump\r\nhas only a 25% chance of winning against Hillary … so conflict between Bernie and Hillary is interesting.”\r\nOn July 14, 2016, the GRU team finally sent an email to WikiLeaks with the attachment “wk dnc link1.txt.gpg”—\r\na PGP-encrypted file with instructions on how to get to archives of the stolen DNC documents. “The Conspirators\r\nexplained to [WikiLeaks] that the encrypted file contained instructions on how to access an online archive of\r\nstolen DNC documents,” the indictment states. 
A day later, someone from WikiLeaks replied that they had\r\ndownloaded “the 1Gb or so archive” and would push out a release of the documents within the week.\r\nWikiLeaks released the DNC emails and files on July 22, just three days before the Democratic National\r\nConvention. They declined to say where the cache came from. Then, in the month before the election, WikiLeaks\r\nreleased the stolen emails of John Podesta. “Between on or about October 7, 2016 and November 7, 2016,\r\nOrganization 1 released approximately thirty-three tranches of documents that had been stolen from the chairman\r\nof the Clinton Campaign,” Mueller said in the indictment. “In total, over 50,000 stolen documents were released.”\r\nRetargeting\r\nThe NSA analyst report that contractor Reality Winner leaked, revealing GRU attacks on county\r\nvoting agencies in Florida. Credit: Ars Technica\r\nOn the Russian side, efforts continued to re-establish a beachhead within the DNC and DCCC. In September,\r\nGRU hacking efforts were shifted away from the DNC’s internal network and turned on systems hosted in the\r\ncloud—including a development and test server for an analytics platform being used by the DNC. The GRU team was\r\nable to obtain “snapshots” of the virtual machines with DNC data sets and then move them to an account that they\r\nhad set up with the same hosting service. The indictment does not name the service.\r\nOther hacking attempts pivoted to new targets. On July 27, just after then-candidate Donald Trump “joked” about\r\nRussia finding Clinton’s “missing emails” from her private mail server, Unit 26165 launched a renewed spear-phishing campaign against Clinton. An “after hours” wave of phishing messages directly targeted email accounts\r\non the domain used by Clinton’s personal office for the first time. 
In total, 76 accounts of Clinton campaign\r\nstaffers were also targeted in this wave.\r\nAlso in July, Unit 74455 finally diversified—in addition to intel distribution, the unit threw its hat into the hacking\r\nring. Kovalev and others had been performing reconnaissance on state boards of election and other state election-related systems since June, and they had performed searches for state political party email addresses, “including\r\nfiltered queries for email addresses listed on state Republican Party websites,” Mueller stated in the indictment.\r\nIn July, Kovalev and his team used that info to hack into the Illinois State Board of Elections’ Paperless Online\r\nVoter Application system (identified in the indictment as “SBOE1”), stealing 500,000 voter registration records\r\nthat included names, dates of birth, addresses, partial Social Security numbers, and full driver’s license numbers.\r\nThe attack forced Illinois to revert to paper voter registration only for more than a week while the system was\r\nhardened.\r\nKovalev and others on his team would continue to probe state and county systems for vulnerabilities—in October,\r\nthey probed the websites of counties in Georgia, Iowa, and Florida in search of vulnerabilities, according to the\r\nindictment. And in the run-up to the election in November, Kovalev’s team sent spear-phishing emails to election\r\nofficials in Florida counties—spoofing an email account from the election systems vendor, VR Systems. 
“The\r\nspear-phishing emails contained malware that the conspirators embedded into Word documents bearing [VR\r\nSystems’] logo,” the indictment noted.\r\nSome of the details of these network attacks were reported in an FBI “Flash” memo in August of 2016, while\r\nothers emerged from an NSA analyst report leaked last June by former NSA contractor Reality Winner. But the\r\nintent of the attacks was fairly clear: these GRU units wanted to disrupt voter registration and raise doubts about\r\nthe integrity of the election itself.\r\n“Could have been lots of people”\r\nThe allegations presented in Mueller’s indictment, Rosenstein said in his public statement, were backed by\r\nsignificant evidence. Rosenstein said it was enough evidence that he believed the Justice Department could win a\r\nconviction in court. Of course, it’s doubtful that any of the 12 indicted GRU officers will ever step into a US\r\ncourtroom. And, based on the assessment of the US intelligence community, as expressed by Director of National\r\nIntelligence Dan Coats at the recent Aspen Security Forum, the GRU and other Russian intelligence agencies are\r\ntargeting, and will continue to target, the upcoming US midterm elections.\r\nAfter apparently initially dismissing the findings of the investigation and of the US intelligence community in\r\nHelsinki, President Trump’s position on what to do has been fluid to say the least. First, in comments from the\r\nWhite House, Trump tried to say that he meant that he believed the intelligence community’s findings that Russia\r\nhad interfered in the 2016 election—but then added that it could have been others in an apparent detour from his\r\nscript. 
Statements he has made in interviews since have also been contradictory.\r\nIf anything, the indictment may provide the GRU with an important after-action report: it demonstrates where\r\ntheir own operational security failed, revealing their involvement. And while the DNC and DCCC may have\r\nimproved their defenses, state and local officials and individual congressional campaigns remain as vulnerable as\r\never. In fact, the president plans on holding a National Security Council meeting today, July 27, to discuss election\r\nsecurity ahead of the fall midterms. Right now, it seems likely the July 13 indictment won’t be the last time we\r\nread about the kinds of attacks that got the GRU inside the DNC, DCCC, and Clinton campaign.\r\nListing image: Aurich Lawson / Getty\r\nSean was previously Ars Technica's IT and National Security Editor. After over 20 years in technology journalism,\r\nincluding over 9 at Ars, he pivoted to cybersecurity threat research, first at Sophos and now as a security research\r\nengineer at Cisco’s Talos Intelligence Group. 
A former Navy officer, he lives and works in Baltimore, Maryland.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
	],
	"report_names": [
		"from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/361a30aff60ece9a0dbcc8cb88705d97b6fe7eba.pdf",
		"text": "https://archive.orkl.eu/361a30aff60ece9a0dbcc8cb88705d97b6fe7eba.txt",
		"img": "https://archive.orkl.eu/361a30aff60ece9a0dbcc8cb88705d97b6fe7eba.jpg"
	}
}