On July 27, 2016, at the height of a heated campaign season, then-candidate Donald Trump jokingly took a jab at his rival Hillary Clinton: "Russia, if you're listening, I hope you’re able to find the 30,000 emails that are missing."
Apparently, not everyone thought it was a laughing matter. Late that same day, Russian hackers working for Moscow’s elite military intelligence agency, the GRU, attempted “to spearphish, for the first time, email accounts” used by Clinton’s personal office.
This startling detail is just one of many fresh allegations put forward in special counsel Robert Mueller’s latest indictment, which accuses a dozen Russian military cyber-spies of hacking the Democratic National Committee, releasing secret files, and targeting election administrators at the state level.
The surprise announcement Friday goes to the heart of claims made in an American intelligence assessment in January 2017 that concluded Russia tried to mess with the U.S. election. But the new indictment provides remarkably specific details about the timing and staffing of the effort, which Mueller tied, for the first time, directly to actors inside the Russian government.
The indictment shows that Mueller’s investigators have enough insight into the operation against the 2016 election that they'd be able to prove, in court, that it happened, an even higher standard than intelligence assessments, said Mimi Rocah, a former prosecutor for the U.S. Attorney’s office in the Southern District of New York.
“The fact that people have been indicted now means that our Department of Justice feels they can prove this beyond a reasonable doubt,” Rocah wrote in an email to VICE News. “That’s a very high standard, and it means they have a lot of actual evidence.”
Here’s what you need to know.
Direct line to Putin’s cyber-spies
Mueller’s team charges 12 Russians with running a wide-ranging hacking operation for Russia’s military intelligence agency, the GRU, during which they penetrated the Democratic National Committee and Hillary Clinton’s campaign chairman John Podesta.
The new indictment is Mueller’s second against actual Russian citizens, but this one draws a direct line to the heart of Russia’s intelligence complex.
A previous indictment, unveiled in February, targeted 13 Russian individuals for allegedly running a related online operation under the watch of a catering tycoon named Yevgeny Prigozhin. But while Prigozhin is widely believed to operate sensitive, secret missions on behalf of Russian President Vladimir Putin, he has no formal government status.
This time, Mueller went squarely after officials working for the Russian military.
The document details how Russian cyber-warriors posed under false online personas with bland-sounding American names. Russian military officer Ivan Yermakov allegedly masqueraded online as “Kate S. Milton” and “Karen W. Milton,” while pursuing a Russian government-backed spy mission to undermine the election, investigators charge.
The Russian cyber-spies implanted hundreds of files containing malicious computer code, and stole emails. They allegedly installed multiple versions of a program called “X-Agent” on at least 10 computers used by the Democratic Congressional Campaign Committee (DCCC), which allowed them to monitor keystrokes and steal passwords. They also allegedly attempted to siphon donations from DCCC site ActBlue by establishing a similar page — ActBlues.com.
The indictment says the effort was well underway by the time the U.S. primaries were in full swing in the spring of 2016, and lasted through the election. By April, the hackers had allegedly penetrated the computer networks of the DCCC, and were secretly monitoring the computers of dozens of Democratic staffers.
The internet and the Americans
The indictment also lays out the distribution process these cyber-spies used to push the stolen files out to their American audiences.
In April, the Russian spies reportedly attempted to register the domain “electionleaks.com,” before settling on another site: DCLeaks.com. They used a digital cryptocurrency to cover the cost. By the time it was shut down in the spring of 2017, the site had received over a million page-views.
Then, starting in about June 2016, they staged the release of tens of thousands of stolen emails and documents using both the DCLeaks site and a made-up hacker persona named “Guccifer 2.0,” the document says. To cover their trail, Guccifer 2.0 was presented as a lone Romanian hacker. On DCLeaks, the defendants posed as “American hacktivists,” according to Rosenstein.
Guccifer 2.0 famously communicated, before the election, with longtime Trump adviser and Republican operative Roger Stone.
In the wake of Mueller’s outing of Guccifer 2.0 as a Russian intelligence front on Friday, Stone downplayed that link.
“As I testified before the House Intelligence Committee under oath, my 24-word exchange with someone on Twitter claiming to be Guccifer 2.0 is benign based on its content, context, and timing,” Stone told The Daily Beast.
But Stone’s statements about these events appear to have evolved over time. In April, CNN reported that a review of Stone’s earlier interviews found that he said multiple times in July 2016 that Russia was the most likely source for hacked emails released by WikiLeaks during the Democratic National Convention.
Friday’s indictment didn’t mention WikiLeaks by name but said the accused operatives utilized a platform that sounds an awful lot like it, referred to as “Organization 1.”
The document also included a remarkable new accusation: In August 2016, an unnamed candidate for Congress reached out to Guccifer 2.0 to ask for stolen documents from another candidate. The spies responded by sending files that were stolen from the targeted opponent.
The document lists several cases in which Americans communicated with the Russian operatives through their fake online personas. But U.S. Deputy Attorney General Rod Rosenstein took pains in Friday’s press conference to stress that no Americans were being accused of wrongdoing in this round of indictments.
Still, the new charges are unlikely to be the last to drop in Mueller’s expanding probe, which has indicted some of Trump’s closest advisers, including his former National Security Adviser Michael Flynn and ex-campaign chairman Paul Manafort.
A suspect timeline
Trump and his team have consistently laughed off the American intelligence community’s assertions that Russia targeted his opponents in a bid to get him elected, but Mueller’s latest indictment makes that harder than ever to deny.
Beyond the timing of Trump's seemingly jokey request to uncover Clinton’s emails on July 27, Mueller's team highlights other instances where Russian interference appeared to coincide with supportive gestures from Trump's campaign.
For example, the document says the DCLeaks site was launched on June 8, 2016 — just one day before the top brass of the Trump campaign took a meeting in Trump Tower with a Russian lawyer billed as offering dirt on Clinton.
Less than a week later, on June 15, the cyber-spies created the online identify Guccifer 2.0 to take credit for the hacks into the Democratic National Committee, according to the indictment.
While the U.S. intel community has already called out Russian hackers for targeting registration rolls and voter systems in as many as 21 states, Friday’s indictment colors in the lines.
The document marks the first time Mueller’s team has acknowledged publicly that Russia’s 2016 meddling targeted private companies that administer elections.
Specifically, Mueller alleges that Russian spies “hacked into the computers of a U.S. vendor ('Vendor 1') that supplied software used to verify voter registration information for the 2016 U.S. elections.”
Rosenstein said Friday that Russian GRU officers hacked into the website of a state election board and stole information on 500,000 voters, and sent spearphishing emails to people involved in administering elections — with malware attached.
Rosenstein added that he briefed Trump about the allegations earlier this week, and that Trump was fully aware that Friday’s announcement was coming.
For outside observers, however, the news dropped without warning — and adds a volatile new dynamic to Trump’s upcoming summit, and scheduled joint press conference, with Putin in the Finnish capital of Helsinki on Monday.
Cover image: U.S. President Donald Trump gestures during a joint news conference with Britain's Prime Minister Theresa May in the grounds of Chequers near Aylesbury, Britain July 13, 2018. Jack Taylor/Pool via REUTERS