Indictment Reveals GRU Role in Election Meddling

Two Russian military spy units conducted hack, covertly disseminated hacked documents

GRU headquarters / Getty Images
August 17, 2018

A team of Russian GRU military intelligence officers specializing in covert influence operations played the key role in the 2016 election meddling operation while working out of an office building on 22 Kirova Street in Moscow called "The Tower" by GRU spies.

Beginning in April 2016, the GRU team known as Unit 74455 and headed by Col. Aleksandr V. Osadchuk was the key player in the major Russian influence operation aimed at swaying the 2016 presidential election through covertly disseminating hacked documents on the internet.

"Unit 74455 assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU," the federal grand jury indictment filed July 13 in Washington says.

Osadchuk was the highest-ranking GRU officer among the 12 spies charged with conspiracy and other crimes in the indictment.

The operation targeted the candidate and party widely expected to win the 2016 presidential election, former Secretary of State Hillary Clinton and the Democratic Party.

Until last month, federal authorities had only released details on the more overt elements of the Russian operation—the use of state-run Russian media, a St. Petersburg online troll farm, and the use of American social media as covert political influencers.

The July indictment for the first time revealed the sophisticated and secret GRU intelligence portion of the campaign, which was carried out as a two-part operation: hacking party and campaign computers for documents and emails, and then disseminating the stolen material on the internet.

Scant evidence has surfaced so far in U.S. investigations of Russian election meddling that would prove the January 2017 intelligence assessment that Moscow favored Trump.

What is clear is that Moscow opposed Clinton and focused its operations against her because she was the front runner to be president.

A part of the U.S. intelligence judgment that has held is the conclusion that the Russian influence campaign sought "to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency."

The effects of the Russian campaign continue to be seen in the current highly charged partisan wrangling in Washington that has led most Democrats to work against the Trump presidency as part of an unofficial political "resistance."

Deputy Attorney General Rod Rosenstein said in a speech last month that the Russian hack-and-release operation in 2016 was "just one tree in a growing forest, focusing merely on a single election, [and] misses the point."

Russian influence operations "are persistent, they are pervasive, they are meant to undermine democracy on a daily basis regardless of whether it is election time or not," he said.

Unprecedented details of the intelligence portion of the operation were obtained by American spy services, including the FBI, CIA, and National Security Agency during a lengthy investigation into the election meddling scheme.

The GRU operation was revealed in detail in the federal grand jury indictment of 12 GRU officers made public in July by Special Counsel Robert Mueller, who is probing alleged collusion between Moscow and the Trump campaign.

The Russian election meddling is one example of what are called active measures and disinformation operations, and they are not new. Moscow has been conducting aggressive covert influence operations since the days of the Soviet Union during the Cold War.

Past operations have included the influence campaign to sway U.S. government policies and public opinion against the American anti-missile program known as the Strategic Defense Initiative in the 1980s, and the aggressive covert influence campaign that utilized leftist anti-nuclear groups in Europe against U.S. plans to deploy intermediate-range nuclear missiles there.

The unique feature of the election meddling operation in 2016 was GRU's use of a combination of techniques: technical cyber attacks to gain access to computer networks and steal information along with the sophisticated use of internet and social media outlets to disseminate the hacked information—all in a bid to influence the election.

GRU stands for Glavnoye Razvedyvatelnoye Upravleniye, or Main Intelligence Directorate, and traditionally is not Moscow's main group for conducting influence operations. In the past, the civilian KGB spy service, and its post-Soviet successor, the SVR, were primary agencies for active measures campaigns.

The GRU is Russia's largest overseas spying agency and its director answers to the chief of staff of the Russian military.

In the 2016 election operation, two GRU units played the prominent roles.

Unit 74455 was in charge of the dissemination of stolen documents and emails, and a second group known as Unit 26165, an elite cyber operations unit based in a building at 20 Komsomolskiy Prospekt in Moscow, was the primary technical operations group.

Unit 26165 officers penetrated networks at the Democratic National Committee and Democratic Congressional Campaign Committee with relative ease. They also broke into accounts of Hillary Clinton presidential campaign officials, an effort that began in March 2016.

GRU Maj. Boris A. Antonov was the head of Unit 26165, which succeeded in breaking into the targeted computers using fraudulent emails that prompted unsuspecting Democratic officials to click on links to GRU malware websites.

The emails were sent to more than 30 different Clinton campaign employees from a bogus email account that used a one-letter deviation from the actual spelling of a known member of the Clinton team.

It urged those receiving the scam email to view a document named "hillary-clinton-favorable-rating.xlsx" whose link went to a GRU-controlled website.
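As an added example, not from the article or the indictment, the following Python triage check looks for the two indicators just described: a sender address one edit away from a known team member, and a document-named link that resolves to a host outside the organization. The roster, domains and sample message are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed roster of known campaign senders and trusted link hosts (placeholders).
KNOWN_SENDERS = {"a.reyes@example-campaign.org", "press@example-campaign.org"}
TRUSTED_LINK_DOMAINS = {"example-campaign.org", "docs.example-campaign.org"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), O(len(a)*len(b)) memory-light version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_sender(sender: str, roster=KNOWN_SENDERS, max_dist=1):
    """Return the roster address the sender imitates, or None.
    An exact roster match is legitimate; a near miss within max_dist edits
    (one changed letter, as in the article) is the indicator worth flagging."""
    sender = sender.lower()
    if sender in roster:
        return None
    for known in roster:
        if levenshtein(sender, known.lower()) <= max_dist:
            return known
    return None

HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def external_document_links(html: str, trusted=TRUSTED_LINK_DOMAINS):
    """Return link targets whose host is neither a trusted domain nor a subdomain of one."""
    hits = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname or ""
        if host not in trusted and not host.endswith(tuple("." + t for t in trusted)):
            hits.append(url)
    return hits

def triage(sender: str, html: str) -> dict:
    """Combine both checks into one verdict for a single message."""
    imitated = lookalike_sender(sender)
    ext = external_document_links(html)
    return {"imitates": imitated, "external_links": ext,
            "suspicious": imitated is not None or bool(ext)}

# Constructed sample: one-letter deviation in the local part ("reyas" vs "reyes") and a
# spreadsheet-named link pointing at a placeholder attacker host.
SAMPLE_SENDER = "a.reyas@example-campaign.org"
SAMPLE_HTML = ('<p>Please review <a href="http://files.attacker-placeholder.test/'
               'hillary-clinton-favorable-rating.xlsx">hillary-clinton-favorable-rating.xlsx</a></p>')
```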

The GRU then loaded malware called X-Agent that was customized for the DNC servers.

At least 10 DCCC computers were infected with the virus, allowing the GRU to monitor their computer activity, steal passwords, and maintain access to the networks.

The spy service used a server leased from a company in Arizona for the operation, and later connected to a second server overseas.

The malware gave GRU officers the ability to monitor keystrokes of the infected computers and to take screenshots of their terminals—tools vital for gaining access to systems.

The GRU searched the network for documents using the terms "hillary," "cruz," and "trump," as well as "Benghazi Investigations," and stole them. It also took documents on DNC opposition research and field operations planned for the 2016 elections.

Once the documents were identified, a second GRU malware called "X-Tunnel" was used to compress gigabytes of documents and remove them clandestinely through encrypted channels.

Cyber security for the DNC servers was poor, and the GRU was able to plant X-Agent malware on 13 different DNC and DCCC computers.

Around May, the DNC realized that a penetration of its networks had been underway and called in the security firm CrowdStrike, which identified two separate Russian intelligence units inside the DNC networks.

Perhaps the biggest GRU success from the DNC hack was the disclosure of emails in July 2016 showing a coordinated effort by the Democratic Party to favor Clinton over her political rivals in the primary elections. The emails contradicted public statements by Democrats that the process was fair to her main challenger, Sen. Bernie Sanders.

The emails were released shortly before the Democratic National Convention and led to the resignation of DNC Chairwoman Rep. Debbie Wasserman Schultz.

The GRU dissemination of the documents was planned in April 2016, when the spy service was unable to register the name "" and instead picked ""

Beginning on June 8, 2016, the GRU operated the DCLeaks website, falsely stating it had been launched by "American hacktivists."

"Starting in or around June 2016 and continuing through the 2016 U.S. presidential election [the GRU] used DCLeaks to release emails stolen from individuals affiliated with the Clinton Campaign," the indictment states.

"The conspirators also released documents they had stolen in other spearphishing operations, including those they had conducted in 2015 that collected emails from individuals affiliated with the Republican Party."

A DCLeaks Facebook page and Twitter account also were created along with the false names associated with the page including "Alice Donovan," "Jason Scott," and "Richard Gingrey" whose social media accounts were used to promote DCLeaks.

A day after the DNC announced it had been hacked, the GRU launched the online persona known as Guccifer 2.0 and claimed it was the lone Romanian hacker once known as Guccifer.

The purpose of using Guccifer 2.0 appears to have been to promote the idea that the DNC hack was not the work of Russian intelligence.

The GRU used Guccifer 2.0 from June to October 2016 to release stolen documents. Also, the GRU used their Guccifer 2.0 outlet to share documents with "certain individuals" not identified further in the indictment.

Documents would eventually be transferred by the GRU to the anti-secrecy website WikiLeaks, identified in the indictment only as Organization 1.

The indictment states that the GRU used Guccifer 2.0 to communicate with and "wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump."

The person was not identified but the Russians thanked the person for responding to their contact and asked if the person found anything interesting in the posted documents.

The GRU financed some of its operations with bitcoin, including purchasing a virtual private network account and leasing a computer server in Malaysia that was used to host DCLeaks.

Michelle Van Cleave, former DNI national counterintelligence executive, said the indictment highlights the groundbreaking intelligence work in revealing GRU activities.

"The question is, what can be done to stop them?" she asked.

"Remember, the GRU and other Russian intelligence services are not only screwing with our elections, they're also recruiting and planting spies, stealing sensitive technology, and hacking into our power grid," Van Cleave said.

Rather than chasing individual spies or cyber thieves, U.S. counterintelligence should target the services that dispatch them.

"That means getting inside hostile intelligence services, finding their vulnerabilities, and disrupting their ability to work against us," Van Cleave said. "I am confident that U.S. counterintelligence professionals can do that job—provided national leadership, including Congress—empowers them to act."

GRU operations in the United States have been underway for decades and were highlighted by the case of notorious FBI turncoat Robert Hanssen who spied for Moscow from 1979 until his arrest in 2001.

Hanssen began his spying career for the Russians by delivering a package to a GRU officer at a Soviet trade organization in New York in 1979. He would be paid $21,000 over the next year and a half.

Hanssen first began spying for the Soviets in November 1979, just eight months after he transferred to a counterintelligence squad in the FBI's New York Office. While on duty, Hanssen volunteered his services to the GRU by delivering a package to a GRU officer at a Soviet trade organization. In his correspondence with the GRU, Hanssen revealed that he was an FBI agent, but offered no other identifying information. Over the next year and a half, Hanssen conducted clandestine exchanges with the GRU, receiving cash payments totaling at least $21,000.

In the spring of 1981, Hanssen ended his first stint at spying after his wife Bonnie discovered him reviewing a GRU communication.

Hanssen sought to minimize his espionage to his wife and later confessed to his Catholic priest.

Hanssen told investigators the priest granted him absolution and told him that, rather than turn himself in, he should donate the GRU money to charity. The spy broke off contact with his GRU handler and made multiple donations of $1,000 to Mother Teresa's "Little Sisters of the Poor."

He began spying for the KGB, the GRU's civilian counterpart, in 1985 and is considered one of the most damaging spies in U.S. history.

During his early spying career, he disclosed to Moscow the identity of a long-time FBI informant inside the GRU.

The GRU has also been active in Syria and Ukraine by funding and equipping several mercenary organizations, including the Wagner group.

In May, security researchers linked the GRU to the Russian anti-aircraft missile attack on Malaysian Airlines Flight 17 over Ukraine in 2014, killing all 283 people on board.

"The internet allows foreign adversaries to attack America in new and unexpected ways," Rosenstein said in announcing the indictment.

"Free and fair elections are hard-fought and contentious," he added. "There will always be adversaries who work to exacerbate domestic differences and try to confuse, divide, and conquer us. So long as we are united in our commitment to the values enshrined in the Constitution, they will not succeed."

In addition to Osadchuk and Antonov, the other GRU officers indicted were Viktor Borisovich Netyksho, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksey Aleksandrovich Potemkin, and Anatoliy Sergeyevich Kovalev.
