 Section 4 of Report on the Investigation into Russian Interference in the 2016 Presidential Election. This is a LibriVox recording. All LibriVox recordings are in the public domain. For more information or to volunteer, please visit LibriVox.org. Recording by Angelique G. Campbell. May 2019. Report on the Investigation into Russian Interference in the 2016 Presidential Election by Robert Mueller. Section 4. Report Section 3. Russian Hacking and Dumping Operations. Beginning in March 2016, units of the Russian Federation's main intelligence directorate of the general staff, GRU, hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton campaign, including the email account of campaign chairman, John Podesta. Starting in April 2016, the GRU hacked into the computer networks of the Democratic Congressional Campaign Committee, DCCC, and the Democratic National Committee, DNC. The GRU targeted hundreds of email accounts used by Clinton campaign employees, advisors, and volunteers. In total, the GRU stole hundreds of thousands of documents from the compromised email accounts and networks. The GRU later released stolen Clinton campaign and DNC documents through online personas, DC Leaks and Guccifer 2.0, and later through the organization WikiLeaks. The release of the documents was designed and timed to interfere with the 2016 U.S. presidential election and undermine the Clinton campaign. Subsection A. GRU hacking directed at the Clinton campaign. Subsection 1. GRU units target the Clinton campaign. Two military units of the GRU carried out the computer intrusions into the Clinton campaign, DNC, and DCCC. Military units 26165 and 74455. Military unit 26165 is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States. The unit was subdivided into departments with different specialties. One department, for example, developed specialized militia software, malware, while another department conducted large-scale spearfishing campaigns, redaction for investigative technique. Military unit 74455 is a related GRU unit with multiple departments that engaged in cyber operations. Unit 74455 assisted in the release of documents stolen by unit 26165. The promotion of those releases and the publication of anti-Clinton content on social media accounts operated by the GRU. Officers from unit 74455 separately hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections. Beginning in mid-March 2016, unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton campaign. Unit 26165 used redaction investigative technique. To learn about redaction investigative technique, different Democratic websites including Democrats.org, HillaryClinton.com, DNC.org, DCCC.org, two instances of redaction for investigative technique, began before the GRU had obtained any credentials or gained access to these networks, indicating that the later DCCC and DNC intrusions were not crimes of opportunity, but rather the result of targeting. GRU officers also sent hundreds of spearfishing emails to the work and personal email accounts of Clinton campaign employees and volunteers. Between March 10 and March 15, 2016, unit 26165 appears to have sent approximately 90 spearfishing emails to email accounts at HillaryClinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton campaign employees, along with a smaller number of DNC.org email accounts. The GRU spearfishing operation enabled it to gain access to numerous email accounts of Clinton campaign employees and volunteers, including campaign chairman John Podesta, junior volunteers assigned to the Clinton campaigns advance team, informal Clinton campaign advisors, and a DNC employee. GRU officers stole tens of thousands of emails from spearfishing victims, including various Clinton campaign related communications. Subsection 2, intrusions into the DCCC and DNC networks. Subsection A, initial access. By no later than April 12, 2016, the GRU had gained access to the DCCC computer network using the credentials stolen from a DCCC employee who had been successfully spearfished the week before. Over the ensuing weeks, the GRU traversed the network, identifying different computers connected to the DCCC network. By stealing network access credentials along the way, including those of IT administrators with unrestricted access to the system, the GRU compromised approximately 29 different computers on the DCCC network. Approximately six days after first hacking into the DCCC network on April 18, 2016, GRU officers gained access to the DNC network via a virtual private network VPN connection between the DCCC and DNC networks. Between April 18, 2016 and June 8, 2016, GRU 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server. Subsection B, implementation of malware on DCCC and DNC networks. Unit 26165 implanted on the DCCC and DNC networks two types of customized malware, known as X-Agent and X-Tunnel, Mimicats, a credential harvesting tool, and RAR Execute, a tool used in these intrusions to compile and compress materials for expiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about infected computers, such as file directories and operating systems. X-Tunnel was a hacking tool that created an encrypted connection between the victim DCCC-DNC computers and GRU-controlled computers outside the DCCC and DNC networks that was capable of large-scale data transfers. GRU officers then used X-Tunnel to expiltrate stolen data from the victim computers. To operate X-Agent and X-Tunnel on the DCCC and DNC networks, Unit 26165 officers set up a group of computers outside those networks to communicate with the implanted malware. The first set of GRU-controlled computers, known by the GRU as middle servers, sent and received messages to and from malware on the DNC slash DCCC networks. The middle servers, in turn, relayed messages to a second set of GRU-controlled computers, labeled internally by the GRU as an AMS panel, the AMS panel Redaction for Investigative Technique, served as a nerve center through which GRU officers monitored and directed the malware's operations on the DNC DCCC networks. The AMS panel used to control X-Agent during the DCCC and DNC intrusions was housed on a leased computer located and redacted for Investigative Technique, Arizona. The remainder of Page 39 is redacted for Investigative Technique. The Arizona-based AMS panel also stores thousands of files containing key logging sessions captured through X-Agent. These sessions were captured as GRU officers monitored DCCC and DNC employees' work on infected computers regularly between April 2016 and June 2016. Data captured in these key logging sessions included passwords, internal communications between employees, banking information, and sensitive personal information. Subsection C, theft of documents from DNC and DCCC networks. Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks, including significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees. The GRU began stealing DCCC data shortly after it gained access to the network. On April 14, 2016, approximately three days after the initial intrusion, GRU officers downloaded RAR Execute onto the DCCC's document server. The following day, the GRU searched one compromised DCCC computer for files containing search terms that included Hillary, DNC, Cruz, and Trump. On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC's shared file server that pertained to the 2016 election. The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server. The GRU also stole documents from the DNC network shortly after gaining access. On April 22, 2016, the GRU copied files from the DNC network to GRU-controlled computers. Stolen documents included the DNC's opposition research and the candidate Trump. Between approximately May 25, 2016 and June 1, 2016, GRU officers accessed the DNC's mail server from a GRU computer released inside the United States. During these connections, the remainder of page 40 is redacted for investigative technique. Unit 26165 officers appear to have stolen thousands of emails and attachments, which was later released by WikiLeaks in July 2016. Subsection B, dissemination of the hacked materials. The GRU's operations extended beyond stealing materials and included releasing documents stolen from the Clinton campaign and its supporters. The GRU carried out the anonymous release through two fictitious online personas that it created, DCLeaks and Guccifer 2.0 and later through the organization WikiLeaks. Subsection 1, DCLeaks. The GRU began planning the releases at least as early as April 19, 2016, when Unit 26165 registered the domain DCLeaks.com through a service that anonymized the registrant. Unit 26165 paid for the registration using a pool of Bitcoin that it admired. The DCLeaks.com landing page pointed to different tranches of stolen documents arranged by victim or subject matter. Other DCLeaks.com pages contained indexes of the stolen emails that were being released, bearing the sender, recipient, and date of the email. To control access and the timing of releases, pages were sometimes password protected for a period of time and later made unrestricted to the public. Starting in June 2016, the GRU posted stolen documents onto the website DCLeaks.com, including documents stolen from a number of individuals associated with the Clinton campaign. These documents appeared to have originated from personal email accounts, in particular Google and Microsoft accounts, rather than the DNC and DCCC computer networks. DCLeaks victims included an advisor to the Clinton campaign, a former DNC employee, and Clinton campaign employee, and four other campaign volunteers. The GRU released through DCLeaks.com thousands of documents, including personal identifying and financial information, internal correspondence related to the Clinton campaign and prior political jobs, and fundraising files and information. GRU officers operated a Facebook page under the DCLeaks moniker, which they primarily used to promote releases of materials. The Facebook page was administered through a small number of pre-existing GRU-controlled Facebook accounts. GRU officers also used the DCLeaks Facebook account, the Twitter account, at DCLeaks underscore, and the email account DCLeaksproject at gmail.com to communicate privately with reporters and other U.S. persons. GRU officers using the DCLeaks persona gave certain reporters early access to archives of leaked files by sending them links and passwords to pages on the DCLeaks.com website that had not yet become public. For example, on July 14, 2016, GRU officers operating under the DCLeaks persona sent a link and password for a non-public DCLeaks webpage to a U.S. reporter via the Facebook account. Similarly, on September 14, 2016, GRU officers sent reporters' Twitter direct messages from at DCLeaks underscore with a password to another non-public part of the DCLeaks.com website. The DCLeaks.com website remained operational and public until March 2017. Guccifer 2.0 On June 14, 2016, the DNC and its cyber-response team announced the breach of the DNC network and suspected theft of DNC documents. In the statements, the cyber-response team alleged that Russian state-sponsored actors, which they refer to as fancy bear, were responsible for the breach. Apparently in response to this announcement, on June 15, 2016, GRU officers using the persona Guccifer 2.0 created a WordPress blog. In the hours leading up to the launch of that WordPress blog, GRU officers logged into a Moscow-based server used and managed by Unit 74455 and searched for a number of specific words and phrases in English, including some hundred sheets, Illuminati and worldwide known. Approximately two hours after the last of those searches, Guccifer 2.0 published its first post, attributing the DNC server hack to a lone Romanian hacker and using several of the unique English words and phrases that the GRU officers had searched for that day. That same day, June 15, 2016, GRU also used the Guccifer 2.0 WordPress blog to begin releasing to the public documents stolen from the DNC and DCCC computer networks. The Guccifer 2.0 persona ultimately released thousands of documents stolen from the DNC and DCCC in a series of blog posts between June 15, 2016 and October 18, 2016. Released documents included opposition research performed by the DNC, including a memorandum analyzing potential criticisms of candidate Trump, internal policy documents, such as recommendations on how to address politically sensitive issues, analysis of specific congressional races, and fundraising documents. Releases were organized around thematic issues such as specific states, for example, Florida and Pennsylvania, that were perceived as competitive in the 2016 U.S. presidential election. Beginning in late June 2016, the GRU also used the Guccifer 2.0 persona to release documents directly to reporters and other interested individuals. Specifically, on June 27, 2016, Guccifer 2.0 sent an email to the news outlet, The Smoking Gun, offering to provide, quote, exclusive access to some leaked emails linked to Hillary Clinton staff, end quote. The GRU later sent the reporter a password and linked to a locked portion of the DCLeaks.com website that contained an archive of emails stolen by Unit 26165 from a Clinton campaign volunteer in March 2016 that the Guccifer 2.0 persona provided reporters access to a restrict portion of the DCLeaks website tends to indicate that both personas were operated by the same or a closely related group of people. The GRU continued its release efforts through Guccifer 2.0 into August 2016. For example, on August 15, 2016, the Guccifer 2.0 persona sent a candidate for the U.S. Congress documents related to the candidate's opponent. On August 22, 2016, the Guccifer 2.0 persona transferred approximately 2.5 gigabytes of Florida-related data stolen from the DCCC to a U.S. blogger covering Florida politics. On August 22, 2016, the Guccifer 2.0 persona sent a U.S. reporter document stolen from the DCCC pertaining to the Black Lives Matter movement. The GRU was also in contact through the Guccifer 2.0 Twitter account with Redaction, Harm to Ongoing Matter, with a former Trump campaign member. Redaction, Harm to Ongoing Matter. In early 2016, Redaction, Harm to Ongoing Matter. Twitter suspension of Guccifer 2.0 Twitter account. After it was reinstated, GRU officers posing as Guccifer 2.0 wrote, Redaction, Harm to Ongoing Matter, be a private message. Thank you for writing back. Did you find anything interesting in the docs I posted? On August 17, 2016, the GRU added, Please tell me if I can help you anyhow. It would be a great pleasure to me. On September 9, 2016, the GRU, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked, What do you think of the info on the turnout model for the Democrats' entire presidential campaign? Redaction for Harm to Ongoing Matter responded, Pretty standard. The investigator did not identify evidence of other communications between Redaction for Harm to Ongoing Matter and Guccifer 2.0. In order to expand its interference in the 2016 US presidential election, the GRU units transferred many of the documents they stole from the DNC and the chairman of the Clinton campaign to WikiLeaks. GRU officers used both the DCLeaks and Guccifer 2.0 personas to communicate with WikiLeaks through Twitter private messaging and through encrypted channels, including possibly through WikiLeaks' private communication system. Subsection A, WikiLeaks expressed opposition towards the Clinton campaign. WikiLeaks, and particularly its founder Julian Assange, privately expressed opposition to candidate Clinton well before the first release of stolen documents. In November 2015, Assange wrote to other members and associates of WikiLeaks that, quote, we believe it would be much better for GOP to win. Dems plus media plus liberals would then form a block to reign in its worst qualities. With Hillary in charge, GOP will be pushing for her worst qualities. Dems plus media plus neoliberals will be mute. She's a bright, well-connected, sadistic sociopath. End quote. Put note 156. On January 19, 2015, Assange also wrote that, quote, GOP will generate a lot opposition, including through dumb moves. Hillary will do the same thing, but co-opt the liberal opposition and the GOP opposition. Hence, Hillary has greater freedom to start wars than the GOP and has the will to do so. End footnote. In March 2016, WikiLeaks released a searchable archive of approximately 30,000 Clinton emails that had been obtained through Freedom of Information Act litigation. While designing the archive, one WikiLeaks member explained the reason for building the archive to another associate. Quote. We want this repository to become the place to search for background on Hillary's plotting at the State Department during 2009 to 2013. Firstly, because it's useful and it will annoy Hillary. But secondly, because we want to be seen as a resourced player in the U.S. election, because it may encourage people to send us even more important leaks. End quote. Section B. WikiLeaks first contact with Gucha for 2.0 and D.C. Leaks. Shortly after the GRU's first release of stolen documents through D.C.Leaks.com in June 2016, GRU officers also used the D.C. Leaks persona to contact WikiLeaks about possible coordination in the future release of stolen emails. On June 14, 2016, at D.C.Leaks underscore sent a direct message to at WikiLeaks noting, quote, you announced your organization was preparing to publish more Hillary emails. We are ready to support you. We have some sensitive information too, in particular her financial documents. Let's do it together. What do you think about publishing our information at the same moment? Thank you. End quote. Redaction for investigative technique. Around the same time, WikiLeaks initiated communications with the GRU persona, Gucha for 2.0, shortly after it was used to release documents stolen from the D.C. On June 22, 2016, seven days after Gucha for 2.0's first release of stolen D.C. documents, WikiLeaks used Twitter's direct message function to contact the Gucha for 2.0 Twitter account and suggest that Gucha for 2.0, quote, send any new materials stolen from the D.C. here for us to review and it will have a much higher impact than what you are doing. End quote. On July 6, 2016, WikiLeaks again contacted Gucha for 2.0 through Twitter's private messaging function, writing, quote, if you have anything Hillary related, we want it in the next two days, preferably because the D.N.C. is approaching and she will solidify burning supporters behind her after. End quote. The Gucha for 2.0 persona responded, quote, okay, I see. End quote. WikiLeaks also explained, quote, we think Trump has only a 25% chance of winning against Hillary. So conflict between Bernie and Hillary is interesting. End quote. Subsection C, the GRU's transfer of stolen materials to WikiLeaks. Both the GRU and WikiLeaks sought to hide their communications, which has limited the office's ability to collect all of the communications between them. Thus, although it is clear that the stolen D.N.C. and Podesta documents were transferred from GRU to WikiLeaks. Redaction, investigative technique. The office was able to identify when the GRU operating through its personas, Gucha for 2.0 and D.C. Leaks transferred some of the stolen documents to WikiLeaks through online archives set up by the GRU. Assange had access to the Internet from the Ecuadorian Embassy in London, England. Redaction, investigative technique. On July 14, 2016, GRU officers used a Gucha for 2.0 e-mail account to send WikiLeaks an e-mail bearing the subject, Big Archive, in the message, a new attempt. The e-mail contained an encrypted attachment with the name, quote, WKDNCLink1.Text.GPG or GNU Private Guard. Using the Gucha for 2.0 Twitter account, GRU officers sent WikiLeaks an encrypted file and instructions on how to open it. On July 18, 2016, WikiLeaks confirmed in a direct message to the Gucha for 2.0 account that it had, quote, the 1GB or so archive, end quote, and would make a release of the stolen documents this week. On July 22, 2016, WikiLeaks released over 20,000 e-mails and other documents stolen from the D.N.C. computer networks. The Democratic National Convention began three days later. Similar communications occurred between WikiLeaks and the GRU-operated persona, D.C. Leaks. On September 15, 2016, at D.C. Leaks wrote to at WikiLeaks, quote, Hi there, I'm from D.C. Leaks. How could we discuss some submission-related issues and trying to reach out to you via your secured chat by getting no response? I've got something that might interest you. You won't be disappointed, I promise. End quote. The WikiLeaks account responded, Hi there, without further elaboration. The at-dc-leaks.underscore account did not respond immediately. The same day, the Twitter account at Gucha for underscore 2 sent at-dc-leaks underscore a direct message, which is the known first contact between the personas. During subsequent communications, Gucha for 2.0 persona informed D.C. Leaks that WikiLeaks was trying to contact D.C. Leaks and arrange for a way to speak through encrypted emails. An analysis of the metadata collected from the WikiLeaks site revealed that the stolen Podesta e-mail showed a creation date of September 19, 2016. Based on information about Assange's computer and its possible operating system, this date may be when the GRU staged the stolen Podesta e-mails for transfer to WikiLeaks. As the GRU had previously done in July 2016 for the DNC e-mails, the WikiLeaks site also released PDFs and other documents taken from Podesta that were attachments to e-mails and as account. These documents had a creation date of October 2, 2016, which appears to be the date the attachments were separately staged by WikiLeaks on its site. Beginning on September 20, 2016, WikiLeaks and D.C. Leaks resumed communications in a brief exchange. On September 22, 2016, a D.C. Leaks e-mail account, D.C. Leaksproject at gmail.com, sent an e-mail to WikiLeaks account with a subject submission and the message, Hi from D.C. Leaks. The e-mail contained a PGP encrypted with the file name wiki-mail.text.gpg, Redaction Investigative Technique. The e-mail, however, bears a number of similarities to the July 14, 2016 e-mail in which GRU officers used the Guccifer 2.0 persona to give WikiLeaks access to the archive of DNC files. On September 22, 2016, the same day of D.C. Leaks e-mail to WikiLeaks, the Twitter account, D.C. Leaks sent a single message to WikiLeaks with the string of characters, Redaction, armed to ongoing matter. The office cannot roll out that stolen documents were transferred to WikiLeaks through intermediaries who visited during the summer of 2016. For example, public reporting identified Andrew Muller-Magan as a WikiLeaks associate who may have assisted with the transfer of these stolen documents to WikiLeaks. Redaction Investigative Technique. Redaction Investigative Technique. On October 7, 2016, WikiLeaks released the first e-mails stolen from the Podesta e-mail account. In total, WikiLeaks released 33 tranches of stolen e-mails between October 7, 2016 and November 7, 2016. The releases included private speeches given by Clinton, internal communications between Podesta and other high-ranking members of the Clinton campaign, and correspondence related to the Clinton Foundation. In total, WikiLeaks released over 50,000 documents stolen from Podesta's personal e-mail account. The last in-time e-mail released from Podesta's account was dated March 21, 2016, two days after Podesta received a spear-fishing e-mail sent by the GRU. Subsection D, WikiLeaks' statements dissembling about the source of stolen materials. As reports attributing the DNC and DCCC hacks to the Russian government emerged, WikiLeaks and Assange made several public statements apparently designed to obscure the source of the materials that WikiLeaks was releasing. While transfer evidence described above and other information uncovered during the investigation, discredit WikiLeaks' claims about the source of material that it posted. Beginning in the summer of 2016, Assange and WikiLeaks made a number of statements about Seth Rich, a former DNC staff member who was killed in July 2016. The statements about Rich implied falsely that he had been the source of the stolen DNC e-mails. On August 9, 2016, the at WikiLeaks Twitter account posted, quote, announced WikiLeaks has decided to issue a US $20,000 reward for information leading to conviction for the murder of DNC staffer, Seth Rich. Likewise, on August 25, 2016, Assange was asked in an interview, quote, why are you so interested in Seth Rich's killer, end quote, and responded, quote, were very interested in anything that might be a threat to alleged WikiLeaks sources, end quote. The interviewer responded to Assange's statement by commenting, quote, I know you don't want to reveal your source, but it certainly sounds like you're suggesting a man who leaked information to WikiLeaks was then murdered, end quote. Assange replied, quote, if there's someone who's potentially connected to our publication and that person has been murdered in suspicious circumstances, it doesn't necessarily mean that the two are connected, but it is a very serious matter. That type of allegation is very serious, and it's taken very seriously by us, end quote. After the US intelligence community publicly announced its assessment that Russia was behind the hacking operation, Assange continued to deny that the Clinton materials released by WikiLeaks had come from Russian hacking. According to media reports, Assange told a US congressman that the DNC hack was an inside job and purported to have physical proof that Russia did not give materials to Assange. Subsection C, additional GRU cyber operations. While releasing the stolen emails and documents through DC leaks, Guccifer 2.0 and WikiLeaks, GRU officers continued to target and hack victims linked to the Democratic campaign and eventually to target entities responsible for election administration in several states. Subsection 1, somewhere in fall 2016, operations targeting Democrat linked victims. On July 27th, 2016, Unit 26165 targeted email accounts connected to candidate Clinton's personal office redaction, personal privacy. Earlier that day, candidate Trump made public statements that included the following, quote, Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing. I think you will probably be rewarded mortally by our press, end quote. The 30,000 emails were apparently a reference to emails described in media accounts as having been stored on a personal server that candidate Clinton had used while serving as Secretary of State. Within approximately five hours of Trump's statement, GRU officers targeted for the first time Clinton's personal office. After candidate Trump's remarks, Unit 26165 created and sent malicious links targeting 15 email accounts at the domain redaction, personal privacy, including an email account belonging to Clinton-aid redaction, personal privacy. The investigation did not find evidence of earlier GRU attempts to compromise accounts hosted on this domain. It is unclear how the GRU was able to identify these email accounts, which were not public. Unit 26165 officers also hacked into a DNC account based on a cloud computing service redaction, personal privacy. On September 20, 2016, the GRU began to generate copies of the DNC data using redaction, personal privacy, function designed to allow users to produce backups of databases referred to redaction, personal privacy as snapshots. The GRU then stole those snapshots by moving them to redaction, personal privacy, account that they controlled. From there, the copies were moved to GRU-controlled computers. The GRU stole approximately 300 gigabytes of data from the DNC cloud-based account. Subsection 2, intrusions targeting the administration of U.S. elections. In addition to targeting individuals involved in the Clinton campaign, GRU officers also targeted individuals and entities involved in the administration of the elections. Victims included U.S. state and local entities, such as state boards of elections, SBOEs, secretaries of state and county governments, as well as individuals who worked for those entities. The GRU also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations. The GRU continued to target these victims through the elections in November 2016. While the investigation identified evidence that the GRU targeted those individuals and entities, the office did not investigate further. The office did not, for instance, obtain or examine servers or other relevant items belonging to these victims. The office understands that the FBI, the U.S. Department of Homeland Security and the states have separately investigated that activity. By at least the summer of 2016, GRU officers sought to access the state and local computer networks by exploiting known software vulnerabilities on websites of state and local government entities. GRU officers, for example, targeted state and local databases of registered voters using a technique known as SQL injection, by which malicious code was sent to the state or local website in order to run commands, such as exfiltrating the database contents. In one instance, in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the SBOE's website. The GRU then gained access to a database containing information on millions of registered Illinois voters and extracted data related to thousands of U.S. voters before the malicious activity was identified. GRU officers redacted investigative technique, scanned state and local websites of more than two dozen states redacted investigative technique. Unit 74455 also sent spearfishing emails to public officials involved in election administration and personnel involved in voting technology. In August 2016, GRU officers targeted employees of redaction, personal privacy, a voting technology company that developed software used by numerous U.S. counties to manage voter rolls and installed malware on the company network. Similarly, in November 2016, the GRU sent spearfishing emails to over 120 email accounts used by Florida County officials responsible for administering the 2016 U.S. election. The spearfishing emails contained an attached Word document coded with malicious software commonly referred to as a Trojan that permitted the GRU to access the infected computer. The FBI was separately responsible for this investigation. We understand the FBI believes that this operation enabled the GRU to gain access to the network of at least one Florida County government. The office did not independently verify that relief and, as explained above, did not undertake the investigative steps that would have been necessary to do so. Subsection D, Trump campaign and the dissemination of hacked materials. And WikiLeaks released materials of hacked materials through the summer and fall of 2016. Redaction, harm to ongoing matter. Subsection 1, redaction, harm to ongoing matter. Subsection A, background, redacted in entirety for harm to ongoing matter. Subsection B, contacts with the campaign about WikiLeaks. Redaction, harm to ongoing matter. Two other instances of redaction to harm to ongoing matter. On June 12, 2016, Assange claimed in a televised interview to, quote, have emails relating to Hillary Clinton which are pending publication, end quote, but provided no additional context. In debriefings with the office, former deputy campaign chairman Rick Gates said that redaction, two blocks for harm to ongoing matter. Gates recalled candidate Trump being generally frustrated that the Clinton emails had not been found. Manafort, who would later become campaign chairman, redaction for harm to ongoing matter, with footnote 197 visible, red here, as explained further in volume 1, section 1B, A, 8, Manafort entered into a plea agreement with her office. We determined that he breached the agreement by being untruthful in pro-offer sessions and before the grand jury. We have generally recounted his version of events in this report, only when his statements are sufficiently corroborated to be trustworthy to identify issues in which Manafort's untruthful responses made themselves be of evidentiary value or to provide Manafort's explanations for certain events even when we were unable to determine whether that explanation was credible. His accounts appear here principally because it aligns with those of other witnesses. End footnote. Michael Cohen, former executive vice president of the Trump Organization as special counsel to Donald J. Trump told the office that he recalled an incident in which he was in candidate Trump's office in Trump Tower redaction, harm to ongoing matter. Cohen further told the office that after WikiLeaks' subsequent release of stolen emails in July 2016, candidate Trump said to Cohen something to the effect of redaction, harm to ongoing matter. According to Gates by the late summer of 2016, the Trump campaign was planning a press strategy, a communications campaign, and messaging based on the possible release of Clinton emails by WikiLeaks. Redaction, harm to ongoing matter, while Trump and Gates were driving to LaGuardia Airport. Redaction, harm to ongoing matter. Shortly after the call candidate Trump told Gates that more releases of damaging information would be coming. Subsection C, two redactions for harm to ongoing matter. Corsi is an author who holds a doctorate in political science. In 2016 Corsi also worked for the media outlet WorldNetDaily. Redaction, harm to ongoing matter. Corsi told the office during interviews that he must have previously discussed Assange with Malak. Redaction, two instances of harm to ongoing matter when redaction for grand jury. According to Malak, Corsi asked him to put Corsi in touch with Assange whom Corsi wished to interview. Malak recalled that Corsi also suggested that individuals in the orbit of UK politician Nigel Farage might be able to contact Assange and asked if Malak knew them. Malak told Corsi that he would think about the request but made no actual attempt to connect Corsi with Assange. Redaction, two instances for harm to ongoing matter. Malak stated to investigators at beginning in or about August 2016 he and Corsi had multiple FaceTime discussions about WikiLeaks. Redaction, harm to ongoing matter. Had made a connection to Assange and that the hacked emails of John Podesta would be released prior to election day and would be helpful to the Trump campaign. In one conversation in or around August or September 2016 Corsi told Malak that the release of the Podesta emails was coming after which we were going to be in the driver's seat. The remainder of page 56 is redacted for harm to ongoing matter. Subsection D, WikiLeaks October 7 2016 release of stolen Podesta emails. On October 7, 2016, four days after the Assange press conference Redaction, harm to ongoing matter. The Washington Post published an Access Hollywood video that captured comments by candidate Trump some years earlier and that was expected to adversely affect the campaign. Less than an hour after the video's publication, WikiLeaks released the first set of emails stolen by the GRU from the account of Clinton campaign chairman John Podesta. Follows as five blocks of redaction for harm to ongoing matter. Corsi said that because he had no direct means of communicating with WikiLeaks, he told members of the news site WNO who are participating on a conference call with him that day to reach Assange immediately. Corsi claimed that the pressure was enormous and recall telling the conference call the Access Hollywood tape was coming. Corsi said that he was convinced that his efforts had caused WikiLeaks to release the emails when they did. In a later November 2018 interview, Corsi stated that he thought he had told people on a WND conference call about the forthcoming tape and it sent out a tweet asking whether anyone could contact Assange but then said that maybe he had done nothing. The office investigated Corsi's allegations about the events of October 7th but found little cooperation for his allegations about the day. Redaction of two blocks for harm to ongoing matter. However the phone records themselves do not indicate that the conversation was with any of the reporters who broke the Access Hollywood story and the office has not otherwise been able to identify the substance of the conversation. Redaction, harm to ongoing matter. However, the office has not identified any conference call participant or anyone who spoke to Corsi that day who say that they received non-public information about the tape from Corsi or acknowledged having contacted a member of WikiLeaks on October 7th 2016 after a conversation with Corsi. Subsection E Donald Trump Jr. Interaction with WikiLeaks Donald Trump Jr. had direct electronic communications with WikiLeaks during the campaign period. On September 20th, 2016 an individual named Jason Fishbean sent WikiLeaks the password for an unlaunched website focused on Trump's unprecedented and dangerous ties to Russia potentrump.org WikiLeaks publicly tweeted quote, let's bomb Iraq Progress for America pack to launch potentrump.org at 9.30 a.m. pw is potentrump potentrump.org end quote several hours later WikiLeaks sent a Twitter direct message to Donald Trump Jr. quote, a pack run anti-trump site potentrump.org is about to launch the pack is a recycled pro-Iraq war pack we have guessed the password it is potentrump see a belt for who is behind it any comments end quote several hours later Trump Jr. emailed a variety of senior campaign staff quote, guys I got a weird Twitter direct message from WikiLeaks, see below I tried the password and it works and the about section they reference contains the next pie in terms of who is behind it not sure if this is anything but it seems like it's really WikiLeaks asking me as I follow them and it is a DM do you know the people mentioned and what the conspiracy they are looking for could be these are just screenshots but it's a fully built out page claiming to be a pack let me know your thoughts and if we want to look into it end quote Trump Jr. attached a screenshot of the about page for the unlaunched site potentrump.org the next day after the website had launched publicly Trump Jr. sent a direct message to WikiLeaks quote off the record I don't know who that is but I'll ask around thanks unquote on October 3rd 2016 WikiLeaks sent another direct message to Trump Jr. asking you guys to help disseminate a link alleging candidate Clinton had advocated using a drone to target Julian Assange Trump Jr. responded that he already had done so and asked quote what's behind this Wednesday leak I keep reading about end quote WikiLeaks did not respond on October 12th 2016 WikiLeaks wrote again that it was quote great to see you and your dad talking about our publications strongly suggest your dad tweets this link if he mentions us WL search dot TK end quote WikiLeaks wrote that the link would help Trump in digging through leaked emails and stated quote we just released Podesta emails part 4 end quote two days later Trump Jr. publicly tweeted the WL search dot TK link subsection 2 other potential campaign interest Russian hacked materials throughout 2016 the Trump campaign expressed interest in Hillary Clinton's private email server and whether approximately 30,000 emails from that server had in fact been permanently destroyed as reported by the media several individuals associated with the campaign were contacted in 2016 about various efforts to obtain the missing Clinton emails and other stolen material in support of the Trump campaign some of these contacts were met with criticism and nothing came of them others were pursued to some degree the investigation did not find evidence that the Trump campaign recovered any such Clinton emails or that these contacts were part of a coordinated effort between Russia and the Trump campaign subsection a Henry Okanyansky aka Henry Greenberg in the spring of 2016 Trump campaign advisor Michael Caputo learned through a Florida based Russian business partner that another Florida based Russian Henry Okanyansky who also went by the name Henry Greenberg claimed to have information pertaining to Hillary Clinton Caputo notified Roger Stone and brokered communication between Stone and Okanyansky Okanyansky and Stone set up a May 2016 in person meeting Okanyansky was accompanied to the meeting by Alexey Rassen a Ukrainian associate involved in Florida real estate at the meeting Rassen offered to sell stone to rocketry information on Clinton that Rassen claimed to have obtained while working for Clinton Rassen claimed to possess financial statements demonstrating Clinton's involvement in money laundering with Rassen's companies according to Okanyansky Stone asked if the amounts in question totaled millions of dollars but was told it was closer to hundreds of thousands Stone refused the offer stating that Trump would not pay for opposition research Okanyansky claimed to the office that Rassen's motivation was financial according to Okanyansky Rassen had tried unsuccessfully to shop the Clinton information around to other interested parties and Okanyansky would receive a cut if the information was sold Rassen is noted in public source documents as the director and or registered agent for a number of Florida companies none of which appears to be connected to Clinton the office found no other evidence that Rassen worked for Clinton or any Clinton related entities in their statements to investigators Okanyansky and Caputo had contradictory recollections about the meeting Okanyansky claimed that Caputo accompanied Stone to the meeting and provided an introduction whereas Caputo did not tell us that he had attended and claimed that he was never told what information Okanyansky offered Caputo also stated that he was unaware Okanyansky sought to be paid for the information until Stone informed him after the fact the office did not locate Rassen in the United States although he confirmed Rassen had been issued a Florida driver's license the office otherwise was unable to determine the content and origin of the information he purportedly offered to Stone finally the investigation did not identify evidence of a connection between the outreach or the meeting and Russian interference efforts Subsection B campaign efforts to obtain deleted Clinton emails after candidate Trump stated on July 27th 2016 that he hoped Russia would quote 30,000 emails that are missing end quote Trump asked individuals affiliated with his campaign to find the deleted Clinton emails Michael Flynn who would later serve as national security advisor in the Trump administration recalled that Trump made this request repeatedly and Flynn subsequently contacted multiple people in an effort to obtain the emails Barbara Leiden and Peter Smith were among the people contacted by Flynn Leiden a longtime senate staffer who had previously solved the Clinton emails provided updates to Flynn about her efforts throughout the summer of 2016 Smith an investment advisor who was active in Republican politics also attempted to locate and obtain the deleted Clinton emails Leiden began her efforts to obtain the Clinton emails before Flynn's request as early as December 2015 on December 3rd 2015 she emailed Smith a proposal to obtain the email stating quote here's the proposal I briefly mentioned to you a person I described to you would be happy to talk with you either in person or over the phone the person getting at the emails which one were classified and two were parolined by our enemies that would demonstrate what needs to be demonstrated end quote attached to the email was a 25 page proposal stating that they quote Clinton email server was in all likelihood breached long ago and that the Chinese Russian and Iranian intelligence services could reassemble the service email content end quote the proposal called for a three phase approach the first two phases consisted of open source analysis the third phase consisted of checking with certain intelligent sources quote that have access through liaison work with various foreign services to determine if any of those services had gotten to the server the proposal noted even if a single email was recovered and the providence of the email was a foreign service it would be catastrophic to the Clinton campaign end quote Smith forwarded the email to two colleagues and wrote quote we can discuss to whom it should be referred end quote on December 16th 2015 Smith informed Leedon that he declined to participate in her initiative according to one of Smith's business associates Smith believed Leedon's initiative was not viable at that time just weeks after Trump's July 2016 request to find the Clinton emails however Smith tried to locate and obtain the emails himself he created a company raised tens of thousands of dollars and recruited security experts and business associates Smith made claims to others involved in the effort and those from whom he sought funding that he was in contact with hackers with ties and affiliations to Russia who had access to the emails and that his efforts were coordinated with the Trump campaign on August 28th 2016 Smith sent an email from an encrypted account with the subject secretary Clinton's unsecured private email server to an undisclosed list of recipients including campaign co-chairman Sam Clovis the email stated that Smith was quote just finishing two days of sensitive meetings here in DC with involved groups to poke and probe on the above it is clear that the Clinton's home based unprotected server was hacked with ease by both state related players and private mercenaries parties with varying interest are circling to release ahead of the election end quote on September 2nd 2016 Smith directed a business associate to establish KLS research LLC and furtherance of his search for the deleted Clinton emails one of the purposes of KLS research was to manage the funds Smith raised in support of his initiative KLS research received over $30,000 during the presidential campaign of those Smith represented that he raised even more money Smith recruited multiple people for his initiative including security experts to search for and authenticate the emails in early September 2016 as part of his recruitment and fundraising effort Smith circulated a document stating that his initiative was in coordination with the Trump campaign quote to the extent permitted as an independent expenditure organization end quote the document listed multiple individuals affiliated with the Trump campaign including Flynn, Clovis, Bannon and Kellyanne Conway the investigation established that Smith communicated with at least Flynn and Clovis about his search for the deleted Clinton emails where the office did not identify evidence that any of the listed individuals initiated or directed Smith's efforts in September 2016 Smith and Leiden got back in touch with each other about their respective efforts Leiden wrote to Smith quote wondering if you had some more detailed reports or emails or other data you could share because we have come a long way in our efforts since we last visited we would need as much technical discussion as possible so we could marry it against the new data we have found and then could share it back to you your eyes only end quote Leiden claimed to have obtained a trove of emails from what she described as the dark web that purported to be the deleted Clinton emails Leiden wanted to authenticate the emails and solicited contributions to fund that effort Prince provided funding to hire a tech advisor to ascertain the authenticity of the emails according to Prince the tech advisor determined that the emails were not authentic a backup of Smith's computer contained two files that had been downloaded from WikiLeaks and they were originally attached to emails received by John Podesta the file on Smith's computer had created dates of October 2nd 2016 which was prior to the date of their release by WikiLeaks forensic examination however established that the creation date did not reflect when the files were downloaded to Smith's computer it appears the creation date was when WikiLeaks staged the document for release as discussed above the investigation did not otherwise identify evidence that Smith obtained the files before their release by WikiLeaks Smith continued to send emails to an undisclosed recipient list about Clinton's deleted emails until shortly before the election for example on October 28th 2016 Smith wrote that there was a quote tug-of-war going on within WikiLeaks over its planned releases in the next few days and that WikiLeaks has maintained that it will save its best revelations for last under the theory this allows little time for response prior to the US election November 8th end quote an attachment to the email claimed that WikiLeaks would release all 33,000 deleted emails by November 1st no emails obtained from Clinton's server were subsequently released Smith drafted multiple emails stating or intimating that he was in contact with Russian hackers for example in one such email Smith claimed that in August 2016 KLS research had organized meetings with parties who had access to the deleted Clinton emails including parties with quote ties and affiliations to Russia end quote the investigation did not identify evidence that any such meetings occurred associates and security experts who worked with Smith on the initiative did not believe that Smith was in contact with Russian hackers and were aware of no such connection the investigation did not establish that Smith was in contact with Russian hackers or that Smith leaden or other individuals in touch with the Trump campaign ultimately obtained the deleted Clinton emails in some the investigation established that the GRU hacked in the email accounts of persons affiliated with the Clinton campaign as well as the computers of the DNC and DCCC the GRU then expoltrated data related to the 2016 election from these accounts and computers and disseminated that data through fictitious online personas DC leaks and Gucci for 2.0 and later through WikiLeaks the investigation also established that the Trump campaign displayed interest in the WikiLeaks releases and that redaction harm to ongoing matter as explained in volume 1 section bb further on the evidence was sufficient to support computer intrusion and other charges against GRU officers for their role in election related hacking this section ends with redaction harm to ongoing matter end of section 4 read by Angelique G. Campbell may 2019