employee.[118] GRU officers stole tens of thousands of emails from spearphishing victims, including various Clinton Campaign-related communications.

2. Intrusions into the DCCC and DNC Networks

a. Initial Access

By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearphished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way (including those of IT administrators with unrestricted access to the system), the GRU compromised approximately 29 different computers on the DCCC network.[119]

Approximately six days after first hacking into the DCCC network, on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network (VPN) connection[120] between the DCCC and DNC networks.[121] Between April 18, 2016 and June 8, 2016, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server.[122]

b. Implantation of Malware on DCCC and DNC Networks

Unit 26165 implanted on the DCCC and DNC networks two types of customized malware,[123] known as “X-Agent” and “X-Tunnel”; Mimikatz, a credential-harvesting tool; and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (e.g., file directories, operating systems).[124] X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC/DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers.[125] GRU officers then used X-Tunnel to exfiltrate stolen data from the victim computers.

Mueller Report PDF - Page 56