GRU Spearphishing Emails Fooled Democrats, Clinton Campaign in 2016

Podesta, Clinton aides clicked on bad links triggering massive email and document theft

Hillary Clinton
Getty Images
April 23, 2019

Russia's GRU military intelligence service used fraudulent emails to gain access to large amounts of sensitive emails and documents that were then disseminated via covert GRU websites during the 2016 presidential election campaign influence operation, according to the report by Special Counsel Robert Mueller.

Two GRU intelligence units worked together in the spring of 2016 to first identify email servers for Democratic staff member Gmail accounts, and then a special cyber unit sent spearphishing emails that produced the implantation of special software inside Democratic computer networks.

The Mueller report provided new details of the cyber attacks carried out by two numbered GRU groups: Military Unit 74455, in charge of influence and disinformation operations, and Military Unit 26165, the main cyberattack group.

"The GRU spearphishing operation enabled it to gain access to numerous email accounts of Clinton campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton campaign's advance team, informal [Hillary] Clinton campaign advisors, and a DNC employee," the report said.

"GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton campaign-related communications."

During the operation, hundreds of email accounts used by Clinton campaign employees, advisers, and volunteers were targeted, and in total GRU obtained hundreds of thousands of documents from the compromised email accounts and networks.

The Mueller report debunked the two-year drumbeat of mainstream media and Democratic political narratives falsely asserting Trump and his campaign colluded with Russia in defeating Hillary Clinton.

"Although the investigation established that the Russian government perceived it would benefit from a Trump presidency and worked to secure that outcome, and that the campaign expected it would benefit electorally from information stolen and released through Russian efforts, the investigation did not establish that members of the Trump campaign conspired or coordinated with the Russian government in its election interference activities," the report concluded.

Mueller indicted 12 GRU officers associated with the election meddling in July 2018 on charges of conspiracy to conduct the computer intrusions. One of those was Col. Aleksandr V. Osadchuk, head of Unit 74455 and the highest ranking officer implicated in the operation.

A separate Russian "active measures" campaign was carried out by the St. Petersburg-based Internet Research Agency, which used advertising and social media to influence the presidential campaign in opposing Clinton.

The redacted Mueller report provided no information on whether the IRA was part of the Russian government or one of its intelligence services.

The report provides new details beyond those contained in last year's indictment, including the successful use of fraudulent emails and the several types of malware planted inside Democratic servers that vacuumed passwords and other email account information, along with emails and documents, and sent them electronically to Moscow.

The operation was described in the report as "hacking and dumping operations," distributed through two GRU websites,, and Guccifer 2.0, and through the anti-secrecy website WikiLeaks.

The report said WikiLeaks and its founder Julian Assange wanted to prevent Clinton from winning over concerns she would be unfettered from media and political opposition to "start wars."

The GRU also lured several news reporters who were not identified into publishing the stolen emails by giving them exclusive first access to the stolen electronic messages, the report said.

The operation began in mid-March 2016 when GRU Unit 26165 conducted cyber reconnaissance of Democratic computer servers using a sensitive method that was blacked out in the report. The systems spied on included,,, and Those domains belonged to the Clinton presidential campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee.

The report notes that the Russians did not stumble on to those domains and that the activities began before the GRU obtained login credentials or gained access to the sites. The planning showed the DCCC and DNC cyber attacks "were not crimes of opportunity but the result of targeting."

After the sites were surveyed, the GRU sent hundreds of spearphishing emails to work and personal emails of Clinton campaign workers.

"Between March 10, 2016 and March 15, 2016, Unit 26165 appears to have sent approximately 90 spearphishing emails to email accounts at," the report said. "Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of email accounts."

Spearphishing emails are messages designed to appear as if originating from a trusted source. They usually involve inviting the recipient to click on a link that leads to a hacker network that then loads malicious software. The malware then grants remote access to networks. The tactic is among the most effective hacking tools used by foreign spy services from Russia, China, and other states.

Among those who clicked on a bogus link in an email was Podesta, Clinton campaign chairman, along with several other junior campaign volunteers, informal campaign advisers and one DNC employee.

For the DCCC, the GRU hacked its network around April 12, 2016, using credentials stolen from a DCCC employee who was spearfished a week earlier.

The report reveals that cyber security was so poor for the Democrats that the GRU hackers operated unimpeded for eight weeks, and operations only ended once the DNC announced in June that its network had been hacked.

In the weeks after the hack, GRU operatives obtained login credentials of network administrators with unrestricted access to the systems and as a result the spies were inside about 29 different computers on the DCCC network.

On April 18, 2016, the GRU hacked the DNC using a virtual private network that connected the DCCC and DNC together electronically. "Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server."

Once inside the systems, the GRU used two types of custom malware called X-Agent and X-Tunnel, along with a credential-copying tool called Mimikatz, and rar.exe that is used to compile and compress large amounts of documents in preparation for exfiltration.

"X-Agent was a multi -function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems)," the report said. "X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large -scale data transfers. GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers."

The GRU set up two networks of computers, one in Arizona and the other around the world, that were used in the election operation.

The release of the emails began in June 2016 when they were posted on and later on Guccifer 2.0. The Russians also communicated privately with reporters and other Americans in timing the release.

"GRU officers using the DCLeaks persona gave certain reporters early access to archives of leaked files by sending them links and passwords to pages on the website that had not yet become public," the report said, noting the communications were sent through a Facebook for DCLeaks and Twitter direct messages.

The reporters were not identified by name.

The DNC announced it had been hacked on June 14, 2016, when a security firm disclosed the breach. A day later the GRU began releasing more documents on Guccifer 2.0 and also falsely announced on that platform that the DNC hack had been the work of a Romanian hacker known as Guccifer.

According to the report, the GRU provided a reporter from the website The Smoking Gun exclusive access to leaked emails linked to Clinton's staff. "The GRU later sent the reporter a password and link to a locked portion of the website that contained an archive of emails stolen by Unit 26165 from a Clinton campaign volunteer in March 2016," the report said. "That the Guccifer 2.0 persona provided reporters access to a restricted portion of the DCLeaks website tends to indicate that both personas were operated by the same or a closely-related group of people."

The information made public through the GRU sites included personal identifying and financial information, internal correspondence related to the Clinton campaign and prior political jobs, and fundraising files and information. Other leaked documents included DNC opposition research, including a memo analyzing potential criticism of Trump, internal policy documents such as recommendations on how to address politically sensitive issues, and analyses of specific congressional races.

The hacked emails set off a media feeding frenzy of disclosures in the press—until a leaked 2005 audiotape of Trump making vulgar comments about women was leaked.

The leaked emails revealed that the DNC had used covert smear tactics during the presidential primary campaign in a bid to support Clinton. Among the emails were messages revealing how the committee planned to generate negative publicity for socialist candidate Sen. Bernie Sanders by publicizing his atheism.

The disclosures led to the resignation of then-DNC chairwoman Debbie Wasserman Schultz on the eve of the 2016 convention.

Another leak by the Russians was an audiotape of a speech by Clinton in February 2016 when Clinton announced she favored canceling a new long-range cruise missile needed for U.S. nuclear modernization efforts. The audio was posted on

Also leaked were speeches by Clinton to banks and financial institutions for which she was paid some $3 million, including $675,000 for speeches to Goldman Sachs.

Clinton had been asked during the campaign to release transcripts of the speeches but only promised to look into the matter.

The emails were embarrassing for Clinton because she had been running further to the political left in a bid to compete more with Sanders, who as a socialist was seeking to rein in America's banks. The leaked speeches also disclosed that Clinton favored open borders—a major issue for Trump, who campaigned for closing off the borders to illegal immigrants.

A U.S. official disclosed that the senior intelligence official behind the GRU political operation in 2016 was Col. Gen. Sergei Beseda, head of the Federal Security Service's Fifth Service, known as the Directorate of Operational Information and International Communications. Beseda was hit with Treasury Department sanctions in July 2014 following Russia’s military annexation of Ukraine’s Crimea.

U.S. intelligence agencies concluded that the hacking and influence operation was targeted beyond supporting or harming the presidential candidates and was intended to sow widespread political discord in the United States, an objective widely viewed as successful.

Unit 26165 was also linked in an October 2018 federal indictment to hacking operations against the U.S. Anti-Doping Agency, the World Anti-Doping Agency, and other international sport associations.