A Tale of Two GRU Indictments

Yesterday, DOJ indicted a bunch of GRU hackers again, in part for hacks in retaliation for anti-doping associations’ reports finding a state-run Russian effort to help its athletes cheat (though also including hacks of Westinghouse and the Organization for the Prohibition of Chemical Weapons (OPCW)).

As the DNC GRU indictment did, this indictment provides a snapshot of the division of labor in GRU, made easier by the capture of four of these guys, with all their hacking toys in the trunk of their rented car, in the Netherlands. I find a comparison of the two indictments — of some of the same people for similar activity spanning the same period of time — instructive for a number of reasons.

The team

Consider the team.

There are Aleksei Morenets and Evgenii Serebriakov, whom the indictment calls “on-site GRU hackers who traveled to foreign countries with other conspirators, in some instances using Russian government issued diplomatic passports to conduct on-site operations.” Serebriakov even has a title, “Deputy Head of Directorate,” which sounds like a pretty senior person to travel around sniffing WiFi networks.

There are the three men we met in the DNC indictment, Ivan Yermakov, Artem Malyshev, and Dmitriy Badin, all of whom work  out of Moscow running hacks. Yermakov and Malyshev were closely involved in both hacks in 2016 (as demonstrated by the timeline below).

Finally, there are Oleg Sotnikov and Alexey Minin, who joined Morenets and Serebriakov as they tried to hack the Organization for the Prohibition of Chemical Weapons (OPCW) and tried to hack the Spiez Chemical laboratory that was analyzing the Novichok used to poison Sergei Skripal.

There are slightly different tactics than in the DNC hack. For example, GRU used a bunch of bit.ly links in this operation (though some of those are an earlier campaign against Westinghouse). And they sent out hackers to tap into targets’ WiFi networks directly, whereas none of the DNC hackers are alleged to have left Russia.

But there’s a ton of common activity, notably the spearphishing of targeted individuals and the use of their X-Agent hacking tool to exploit targeted machines.

Overlapping hack schedule

I’m also interested in the way the WADA hack, in particular, overlaps with the DNC one. I’ve got a timeline, below, of the two indictments look like (I’ve excluded both the Westinghouse and OPCW hacks from this timeline to focus on the overlapping 2016 operations).

Yermakov and Malyshev are described by name doing specific tasks in the DNC hack though May 2016. By August, they have turned to hacking anti-doping targets. Yermakov, in particular, seems to play the same research role in both hacks.

Given the impact of these operations, it’s fairly remarkable that such a small team conducted both.

Common bitcoin habits and possibly even infrastructure

There are also paragraphs in the WADA indictment, particularly those pertaining to the use of bitcoin to fund the operation used to substantiate the money laundering charge, that appear to be lifted in their entirety from the DNC one (or perhaps both come from DOJ or Western PA US Attorney boilerplate — remember that the DNC hack was originally investigated in Western PA, so this language likely originates there).

These include:

  •  58/106: Describing how conspirators primarily used bitcoin to pay for infrastructure
  • 59/107: Describing how bitcoin works, with examples specific to each operation provided
  • 60/108: Describing how conspirators used dedicated email accounts to track bitcoin transactions
  • 61/109: Describing how conspirators used the same computers to conduct hacking operations and facilitate bitcoin payments
  • 62/110: Describing how conspirators also mined bitcoin and then used it to pay for servers, with examples specific to each operation
  • 64/111: Describing how conspirators used the same funding structure and sometimes the same pool of funds to pay for hacking infrastructure, with examples specific to each operation provided

The similarity of these two passages suggests two things. First, it suggests that the August 8, 2016 transaction in the WADA indictment may have been orchestrated from the gfade147 email noted in the DNC indictment. With both, the indictment notes that “One of these dedicated accounts … received hundreds of bitcoin payment requests from approximately 100 different email accounts,” with the DNC indictment including the gfade147 address. (Compare paragraphs 60 in the DNC indictment with 108 in the WADA one.)  That would suggest these two operations overlap even more than suspect.

That said, there’s one paragraph in the DNC indictment that doesn’t have an analogue in the WADA one, 63. It describes conspirators,

purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.

Given how loud much of these operations were, it raises questions about why some of the DNC hack (but not, at least by description) the WADA one would require “heightened anonymity.”

Different treatment of InfoOps

I’m perhaps most interested in the different treatment of the InfoOps side of the operation. As I noted here, in general there seems to be a division of labor at GRU between the actual hackers, in Unit 26165, which is located at  20 Komsomolskiy Prospekt, and the information operations officers, in Unit 74455, which is located in the “Tower” at 22 Kirova Street, Khimki. Both units were involved in both operations.

Yet the WADA indictment does not name or charge any Unit 74455 officers, in spite of describing (in paragraphs 1 and 11) how the unit acquired and maintained online social media accounts and associated infrastructure (paragraph 76 describes that infrastructure to be “procured and managed, at least in part, by conspirators in GRU Unit 74455”). Five of the seven named defendants in the WADA indictment are in Unit 26165, with Oleg Sotnikov and Alexey Minin not identified by unit.

By comparison, three of the 11 officers charged in the DNC indictment belong to Unit 744555.

And the WADA campaign did have a significant media component, as explained in paragraphs 76-87. The indictment even complains (as did DOJ officials as the press conference announcing this indictment) about,

reporters press[ing] for and receiv[ing] promises of exclusivity in such reporting, with one such reporter attempting to make arrangements for a right of first refusal for articles on all future leaks and actively suggesting methods with whicch the conspiracy could search the stolen materials for documents of interest to that reporter (e.g., keywords of interest).

That said, the language in much of this discussion (see paragraphs 77 through 81) uses the passive voice — “were registered,” “were named,” “was posted,” “were released,” “were released,” “were released,” “were released” — showing less certainty about who was running that infrastructure.

That’s particularly interesting given that the government clearly had emails between the Fancy Bear personas and journalists.

One difference may be, in part, that in the DNC indictment, there are specific hacking (not InfoOps) actions attributed to two of the Unit 74455 officers: Aleksandr Osadchuk and Anatoliy Kovalev. Indeed, Kovalev seems to have been added on just for that charge, as he doesn’t appear in the introduction section at the beginning of the indictment.

Whereas Unit 74455’s role in the WADA indictment seems to be limited to running the InfoOps infrastructure.

Importance of WikiLeaks and sharing with Republicans

It’s not clear how much we can conclude form all that. But the different structure in the DNC indictment does allow it to foreground the role of a number of others, such as WikiLeaks and Roger Stone and — as I suggested drop in some or all of  those others in a future conspiracy indictment — that were a key part of the election operation.


February 1, 2016: gfade147 0.026043 bitcoin transaction

March 2016: Conspirators hack email accounts of volunteers and employees of Hillary campaign, including John Podesta

March 2016: Yermakov spearphishes two accounts that would be leaked to DC Leaks

March 14, 2016 through April 28, 2016: Conspirators use same pool of bitcoin to purchase VPN and lease server in Malaysia

March 15, 2016: Yermakov runs technical query for DNC IP configurations and searches for open source info on DNC network, Dem Party, and Hillary

March 19, 2016: Lukashev spearphish Podesta personal email using john356gh

March 21, 2016: Lukashev steals contents of Podesta’s email account, over 50,000 emails (he is named Victim 3 later in indictment)

March 25, 2016: Lukashev spearphishes Victims 1 (personal email) and 2 using john356gh; their emails later released on DCLeaks

March 28, 2016: Yermakov researched Victims 1 and 2 on social media

April 2016: Kozachek customizes X-Agent

April 2016: Conspirators hack into DCCC and DNC networks, plant X-Agent malware

April 2016: Conspirators plan release of materials stolen from Clinton Campaign, DCCC, and DNC

April 6, 2016: Conspirators create email for fake Clinton Campaign team member to spearphish Clinton campaign; DCCC Employee 1 clicks spearphish link

April 7, 2016: Yermakov runs technical query for DCCC’s internet protocol configurations

April 12, 2016: Conspirators use stolen credentials of DCCC employee to access network; Victim 4 DCCC email victimized

April 14, 2016: Conspirators use X-Agent keylog and screenshot functions to surveil DCCC Employee 1

April 15, 2016: Conspirators search hacked DCCC computer for “hillary,” “cruz,” “trump” and copied “Benghazi investigations” folder

April 15, 2016: Victim 5 DCCC email victimized

April 18, 2016: Conspirators hack into DNC through DCCC using credentials of DCCC employee with access to DNC server; Victim 6 DCCC email victimized

April 19, 2016: Kozachek, Yershov, and co-conspirators remotely configure middle server

April 19, 2016: Conspirators register dcleaks using operational email [email protected]

April 20, 2016: Conspirators direct X-Agent malware on DCCC computers to connect to middle server

April 22, 2016: Conspirators use X-Agent keylog and screenshot function to surveil DCCC Employee 2

April 22, 2016: Conspirators compress oppo research for exfil to server in Illinois

April 26, 2016: George Papadopolous learns Russians are offering election assistance in the form of leaked emails

April 28, 2016: Conspirators use bitcoin associated with Guccifer 2.0 VPN to lease Malaysian server hosting dcleaks.com

April 28, 2016: Conspirators test IL server

May 2016: Yermakov hacks DNC server

May 10, 2016: Victim 7 DNC email victimized

May 13, 2016: Conspirators delete logs from DNC computer

May 25 through June 1, 2016: Conspirators hack DNC Microsoft Exchange Server; Yermakov researches PowerShell commands related to accessing it

May 30, 2016: Malyshev upgrades the AMS (AZ) server, which receives updates from 13 DCCC and DNC computers

May 31, 2016: Yermakov researches Crowdstrike and X-Agent and X-Tunnel malware

June 2016: Conspirators staged and released tens of thousands of stolen emails and documents

June 1, 2016: Conspirators attempt to delete presence on DCCC using CCleaner

June 2, 2016: Victim 2 personal victimized

June 8, 2016: Conspirators launch dcleaks.com, dcleaks Facebook account using Alive Donovan, Jason Scott, and Richard Gingrey IDs, and @dcleaks_ Twitter account, using same computer used for other

June 9, 2016: Don Jr, Paul Manafort, Jared Kushner have meeting expecting dirt from Russians, including Aras Agalarov employee Ike Kaveladze

June 10, 2016: Ike Kaveladze has calls with Russia and NY while still in NYC

June 14, 2016: Conspirators register actblues and redirect DCCC website to actblues

June 14, 2016: WaPo (before noon ET) and Crowdstrike announces DNC hack

June 15, 2016, between 4:19PM and 4:56 PM Moscow Standard Time (9:19 and 9:56 AM ET): Conspirators log into Moscow-based sever and search for words that would end up in first Guccifer 2.0 post, including “some hundred sheets,” “illuminati,” “think twice about company’s competence,” “worldwide known”

June 15, 2016, 7:02PM MST (12:02PM ET): Guccifer 2.0 posts first post

June 15 and 16, 2016: Ike Kaveladze places roaming calls from Russia, the only ones he places during the extended trip

June 20, 2016: Conspirators delete logs from AMS panel, including login history, attempt to reaccess DCCC using stolen credentials

June 22, 2016: Wikileaks sends a private message to Guccifer 2.0 to “send any new material here for us to review and it will have a much higher impact than what you are doing.”

June 27, 2016: Conspirators contact US reporter, send report password to access nonpublic portion of dcleaks

Late June, 2016: Failed attempts to transfer data to Wikileaks

July, 2016: Kovalev hacks into IL State Board of Elections and steals information on 500,000 voters

July 6, 2016: Conspirators use VPN to log into Guccifer 2.0 account

July 6, 2016: Wikileaks writes Guccifer 2.0 adding, “if you have anything hillary related we want it in the next tweo [sic] days prefabl [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after”

July 6, 2016: Victim 8 personal email victimized

July 10-19: Morenets travels to Rio de Janeiro

July 14, 2016: Conspirators send WikiLeaks an email with attachment titled wk dnc link1.txt.gpg providing instructions on how to access online archive of stolen DNC documents

July 18, 2016: WikiLeaks confirms it has “the 1Gb or so archive” and would make a release of stolen documents “this week”

July 22, 2016: WikiLeaks releases first dump of 20,000 emails

July 27, 2016: Trump asks Russia for Hillary emails

July 27, 2016: After hours, conspirators attempt to spearphish email accounts at a domain hosted by third party provider and used by Hillary’s personal office, as well as 76 email addresses at Clinton Campaign

August 2016: Kovalev hacks into VR systems

August 2-9, 2016: Conspirators use multiple IP addresses to connect to or scan WADA’s network

August 2-4, 2016: Yermakov researches WADA and its ADAM database (which includes the drug test results of the world’s athletes) and USADA

August 3, 2016: Conspirators register wada.awa.org

August 5, 9, 2016: Yermakov researches Cisco firewalls, he and Malyshev send specific WADA employees spearfish

August 8, 2016: Conspirators register wada-arna.org and tas-cass.org

August 8, 2016: .012684 bitcoin transaction directed by dedicated email account

August 13-19, 2016: Morenets and Serebriakov travel to Rio, while Yermakov supports with research in Moscow

August 14-18, 2016: SQL attacks against USADA

August 15, 2016: Conspirators receive request for stolen documents from candidate for US congress

August 15, 2016: First Guccifer 2.0 exchange with Roger Stone noted

August 19, 2016: Serebriakov compromises a specific anti-doping official and obtains credentials to access ADAM database

August 22, 2016: Conspirators transfer 2.5 GB of stolen DCCC data to registered FL state lobbyist Aaron Nevins

August 22, 2016: Conspirators send Lee Stranahan Black Lives Matter document

September 1, 2016: Domains fancybear.org and fancybear.net registered

September 6, 2016: Conspirators compromise credentials of USADA Board member while in Rio

September 7-14, 2016: Conspirators try, but fail, to use credentials stolen from USADA board member to access USADA systems

September 12, 2016: Data stolen from WADA and ADAMS first posted, initially focusing on US athletes

September 12, 2016 to January 17, 2018: Conspirators attempt to draw media attention to leaks via social media

September 18, 2016: Morenets and Serebriakov travel to Lausanne, staying in anti-doping hotels, to compromise hotel WiFi

September 19, 2016 to July 20, 2018: Conspirators attempt to draw media attention to leaks via email

September 2016: Conspirators access DNC computers hosted on cloud service, creating backups of analytics applications

October 2016: Linux version of X-Agent remains on DNC network

October 6, 2016: Emails stolen from USADA first released

October 7, 2016: WikiLeaks releases first set of Podesta emails

October 28, 2016: Kovalev visits counties in GA, IA, and FL to identify vulnerabilities

November 2016: Kovalev uses VR Systems email address to phish FL officials

December 6, 2016 – January 2, 2017: Using IP frequently used by Malyshev, conspirators compromise FIFA’s anti-doping files

December 13, 2016: Data stolen from CCES released

January 19-24, 2017: Conspirators compromise computers of four IAAF officials

June 22, 2017: Data stolen from IAAF’s network released

July 5, 2017: Data stolen from IAAF’s network released

August 28, 2017: Data stolen from FIFA released

As I said in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

32 replies
  1. BobCon says:

    Have we seen any sign yet of coordination between the hackers and the trolls or analytics people?

    I’ve lost track of the degree to which the messaging and targeting was developed prior to the Wikileaks publishing of emails, and how much of it was developed after publishing.

  2. David Anderson says:

    Fascinating time line.  Thanks!

    Minor edit: “as I laid in July” should probably be “as I laid out in July” or possibly “as I said in July…”

    Keep up the good work.


  3. orionATL says:

    that this is russian military intelligence making strong efforts to damage not only the clinton election campaign, but also to damage media coverage of russian olympic athletes doping, as well as fifa (world soccer org) world cup location cheating/bribery effort, seems remarkable. it indicates to me that the top of the russian civilian government is using military intelligence to attack civilian electoral and athletic media activities in a large number of countries including african and south american.

    • orionATL says:

      can one infer that the program(s) for doping athletes is a russian government program? or only that the russian government wanted to gather information to disrupt negative coverage of its athletes? both, according to various parts the charge.

      para 71: members of the all-russia athletic foundation were suspended for their participation in a state-sponsered doping program.

      certainly the russian gov was all in to systematically steal information from a substantial number of anti-doping agencies as the complaint clearly states. this is illustrative:

      from para 90: upon their arrival in the netherlands, a russian diplomat escorted the four men thru customs.

      the fifa part of my comment above is wrong. the russian concern was again anti-doping with respect to fifa testing of russian athletes. see paras 73-75.

      the russian program of public disruption of repoting on russian doping of its athletes is discussed beginning with para 76.

      i found paras 85 and 86 on social media supplemented by contact with 70 reporters very interesting. the interest in info provided by the russian campaign info could be checked to determine the simple credulity, the voraciousness for news from whatever source, or the professional scepticism of reporters would make a great story of its own for an mms reporter.

      • orionATL says:

        discussion of the russian attack on the chemical weapons organizations which must surely have been focused on defending syrian government actions in that civil war is discussed in para 88-94.

        i wonder know about the stories in the media about the rebels being behind some of the chemical attacks on civilians.

        para 90, which i cited above, belongs with this attack on the chemical weapons analysts, not with the anti-doping campaign.

        para 92 discusses dutch intelligence catching the russians red-handed in the act of evesdropping on the chemical weapons agency. there’s a great photo of the trunk of the russian’s rented car crammed with hacking devices covered in plastic.

        the dutch seeem very good at this stuff, but they’ve got to be. they’ve got the hague to protect, as well as other agencies like the chem weapons organization.

        opsec? these russian thugs don’t have it.

        check out the stories at the guardian and wapo leading to the tracking down one of the two assassins of the screpols (with novachok) to his village in eastern siberia. this guy is a colonel in the gru and was made a “hero of the russian federation” for his special services actions in the ukraine. what do you imagine this psychopath (look at his face) did to earn his medal?

        fun reading about grim conduct by of the of world’s major rogue nations.


        • orionATL says:

          the guardian’s carol cadwaldr is the only other person i’ve read who will call the russian military intelligence attack in salisbury, u.k. what it was, a chemical warfare attack on the civilian population of a western nation:

          “…And it’s this that should alarm us more. Because last week, the New York Times published an article that delved into the reasons why the Kremlin targeted Sergei Skripal and why now. But it missed one possible answer: because it could. Just as it could inflict a devastating attack on the US election. And if you can carry out a chemical warfare attack undetected under the noses of Britain’s highest military ranking officers, what else can you do? . Carole Cadwalladr is a reporter and feature writer for the Observer…”


          the british tory party and gov strikes me as as completely corrrupted by russian assistance as is the american republican party and gov. brexit was almost certainly a russian v-i-c-t-o-r-y.

          it seems to me that cadwalladar’s reporting of britain’s tory govermnent takeover by russian covert political/media assistance and bribery has the same level of courage as carol rosenberg’s coverage of the guantanamo grotesquerie, designed to keep many prisoners from ever telling of the injustices they suffered at the hands of the american cia, militatary, and, in the first instance, their own compatriots.

          why do we have so cowardly an american media? because one would be subject to a barage of rightwing contempt (plus intensive harrassment) and have one’s reputation for “fair and balanced” lifted. despite fine reporters, the nytimes’ editors seem especially sensitive to this possibility.

        • readerOfTeaLeaves says:

          What we have is a media that has been financially on the ropes now for at least 20 years in terms of print.  And in terms of cable, technologies now move to streaming, so the old cable franchises are not what they once were.  In addition, the US has too few multilingual reporters, and not enough time to do research because of limited budgets.

          Fundamentally, too much of the MSM play by a set of rules that still assumes candidates running for public office can be held accountable, and are genuinely interested in policy.  Reporters who like to cover politics (electoral colleges, polling) are not equipped to recognize and research money laundering, criminal organizations hiding behind the facades of businesses (Trump), nor the depravity of someone like Manafort (in cahoots with dictators).  IOW, they did not see people clearly, and they did not recognize  the nature of the threat they pose: tragically, this made many of them useful idiots.

          Consequently, the MSM unwittingly helped sanitize Trumpism, legitimize Trumpism, and make it appear to be socially acceptable — even covering the Pussy Grabbing video as he said/she said — rather than ask WTF else had broken that day that the  tape was intended to drown out.  The press got completely played for dupes with that Access Hollywood tape when they failed to tell the puhlic what other news had broken, that prurient tapes might be intended to cover up.

          I don’t think the media are all gutless, but with very few exceptions (Jeremy Scahill, David Corn, Carol Cadwallader), they have failed to convey that many of the people they are covering are criminals posing as legitimate political operatives (Stone, Manafort), when they are basically a collection of mafiosos in need of political cover, banking services, and legal authority.

          When was the first time the MSM started to mention that Manafort was a skeeze?  He was lionized in July 2016 as a genius who could deliver the GOP nomination to Trump — his skeezy past was never brought into the light of day.  I only knew it from reading EW at least a decade ago; if I only read and watched the MSM, I’d have assumed that Manafort was a respectable ‘political advisor’ who had once worked for the uber-respectable Robert Dole.  Manafort came cloaked in borrowed respectability.

          If the MSM had looked into his history — even a little! — all kinds of alarm bells should have been going off.  Unfortunately, they didn’t even have a knife at a gun fight.  The Russians and Trumpistas have used the media to gaslight, and the costs is still not fully understood.

          On a nice note: I heard Brian Williams 10/4 introduce the GOP Judiciary Committee members as ‘average age 69, total years..? 400+’.  It was a small sign that they are starting to build in more metrics and specific, important details to their reporting.  Hope that continues.  But never underestimate the risk to anyone who might try to report on money laundering, or repression.

        • Trip says:

          The GOP was Trump, before there was Trump. The bad actors are everywhere within the party.

          It’s been a con. No one dares dig up the muck from the bottom of the pond. Where is the indepth coverage of McConnell, for example? Trump is just the turd floating on the surface.

        • BobCon says:

          The media’s financial issues are multiplied by self inflicted wounds. They’re plagued by upper management that has no sense how to find, develop and promote stories, which is why Murdoch has been eating their lunch for decades.

          They still think it’s because Murdoch ignores the truth, but at the heart of his success is his sense of storytelling, and his ability to hire management that understand this.

          In fact, Murdoch’s disregard for the truth puts him at a disadvantage, because his stories so often get cut short when events prevail. But the relentless short term focus of the mainstream media means they are fighting something with nothing.

          And when stories emerge, because the media are so bad at finding a narrative, they are so susceptible to buying one that is handy – what the right wing is selling.

  4. Taxidermist says:

    I went down the rabbit hole and read the links to lawfare and links from lawfare to nyt and back to lawfare and back to reference older posts at emptywheel.
    [I wrote down a bunch of dates and states where hacked info of democratics was both requested and used in 2016 elections (before and after gussifer2.0 publicly became known as a non-American hacker). Mostly because I want to see if anyone that won their election has been in the spotlight the last week.]

    I don’t understand why, if our DOJ has known since 2016 which high level Americans participated, requested or knowingly used the illegally gotten gains, nothing has happened.

    I assume the Special Council won’t be going after the president, so why let current government employees spend the next several YEARS in office, potentially doing more damage.

    EW crowd is a lot smarter than I am, so I’m genuinely asking.

    Thanks- this is my fav site!

    • BobCon says:

      We know very little about what Mueller is doing, so it’s hard to say what his strategy is, or why he has moved against some players by now and not others.

      It is known, though, that he is acting as a prosecutor, and he is building a conspiracy case. Attorneys can provide more details, but it is common to do this in a methodical way, revealing as little as possible about a case at any one time to avoid compromising other cases. You won’t see a move against Stone, for example, until he he has his case ready against Stone and has everything he can extract against his coconspirators.

      It’s worth noting that we are lacking other investigations that are common to other huge scandals. The GOP has locked up congressional investigations, and the press has largely abdicated its role. People like Jeffrey Zucker at CNN and Dean Baquet at the NY Times have made it clear they will minimize any reporting that connects the dots, to the point that the cooperation of Manafort, Flynn and Cohen is still seen as minor, isolated blips that say nothing as a whole.

  5. rst says:

    To OrionATL’s question about what GRU Colonel Anatoly Chepiga/Ruslan Boshirov did in the Ukraine to win his medal, we need not wonder. If a report from Mikhail Khodorkovsky’s “Dossier Center” is to be believed, it was for spiriting Viktor Yanukovych out of the Ukraine. As I’m not sure what the protocols of posting Russian URLs are, the articles I saw are in Meduza:

    “Anatoly Chepiga – the supposed real name of Salisbury poisoning suspect “Ruslan Boshirov” – received his Hero of the Russian Federation award for his part in rescuing deposed Ukrainian President Viktor Yanukovych from Ukraine in February 2014…”

    and Hromadske:

    “Russian intelligence service (GRU) colonel Anatoliy Chepiga (previously believed to be Ruslan Boshirov), who is one of the suspects in the poisoning of former agent Sergei Skripal in Salisbury, allegedly headed the operation to evacuate ex-Ukrainian President Viktor Yanukovych from Ukraine following the Euromaidan revolution…”

    A small step for Russia, a giant leap Paul Manafort!

  6. J R in WV says:

    I enjoy this site, so much information so well presented. But I do have a gripe. In times past style called for all acronyms and abbreviations to include the original full text and or meaning of the acronym or abbreviation.

    Now I’m seeing DNC GRU indictments used over and over – Democratic National Committee? Democratic National Convention? Do Not Call registry?

    I’m listing these in the order I find them in a Google search for DNC, so don’t go off on me for being weird here. My point is that once you are into federal acronyms, there is no telling what a three-letter abbreviation really means unless you spell it out for folks at the first use. Guessing now, Director of National C-something?

    I give up. I’m well educated, follow politics and national security as best as I can, but I’m lost on DNC GRU indictments. HELP!

    • SteveB says:

      DNC GRU indictment =


      The indictment alleges a detailed and wide-ranging conspiracy to hack into the computers of the Democratic Congressional Campaign Committee (DCCC), the Democratic National Committee (DNC), Hillary Clinton’s presidential campaign and others and to reveal information in order to interfere with the 2016 U.S. presidential election. The special counsel charges 12 officials of the Russian military intelligence agency (“GRU”) with targeting more than 300 individuals affiliated with the Democratic Party or the campaign and leaking tens of thousands of stolen documents.

      Starting in March 2016, the indictment alleges, a unit of Russia’s GRU military intelligence organization began sending emails to dozens of employees and volunteers in the Clinton campaign. The conspirators engaged in “spearphishing,” or sending fraudulent emails with embedded links to GRU-created websites disguised to look like trusted entities, such as Google security notifications, ostensibly asking recipients to change their password but, in reality, tricking the targeted users into revealing their login credentials.

  7. viget says:

    Random thought–

    Any Unit 74455 InfoOps guys known to ever work at or have ties with VKontakte?

    I still find it intriguing that one of the strings dangled in front of DJT was working with VK to reach Russian Americans… Never did buy that it was just about that.

  8. Willis Warren says:

    I can always tell how technical a Marcy post is by how few comments. This is a very good post, MW. One of the things I’ve always wanted to look at was whether or not bitcoin funded the NK nuke program. Thanks for this

    • orionATL says:

      i agree with your main point. this is a very i formative, useful post.

      as for bitcoin, yours is an interesting question. my immediate reaction was closer to home, to whit, was bitcoin used to fund any part of the republican campaign effort in 2016 – state or national level?

      i don’t know a lot about bitcoin or how it works so my secondary questions are:

      1) could you get (withdraw, buy) enough dough in bitcoin to give significant money from outside the u.s. to an american political campaign?

      2) would that purchase/withdrawal and subsequent deposit (if there was one) be well-disguised enough from swift?

      3) how would a foreign operative transfer that money to a campaign? it wouldn’t be $1000 bills in attachee cases would it?

  9. Willis Warren says:


    1) yes and no. You’d have to find someone dumb enough to take bitcoin as a currency to fund a serious campaign. That could eliminate a lot of traditional campaign vendors, but not online trolls.

    2) getting real currency for bitcoin is hard, but may not be hard for the russians and their client states like North Korea.

    3) I think I answered the question, but to go deeper. The bitcoin bubble was clearly manipulated by state actors, in my opinion. You just keep buying from yourself, with mulitple accounts, and you create the illusion of high demand. An initial 10k investment would have paid millions after a year or so.

    Now, getting this money into the hands of US political operatives seems like a big task, imo. You could have Oligarchs with real money just funnel that cash into the NRA and that would be easier.

    But bitcoin was clearly being used for nefarious purposes that don’t lend themselves to traditional markets.

    • BobCon says:

      The volatilty makes it unappealing for large scale vendors. They still need to launder their earnings, which typically takes time, and negotiating agreements for any long term dealings in Bitcoin would be something like agreeing to terms in the Guatamalan Quetzal. It can happen, but it’s a lot more risk in an already risky transaction.

    • orionATL says:

      ww and bobcon –

      these are very informative. thanks.

      p.s. i have learned a bit over the years about the quetzal :)

  10. orionATL says:

    i am interested in a small entry in the chronology – oct 28, 2016 “kovalev visits counties in ga, …”

    since ~2005 when republicans took over georgia government (following confederate symbol being removed from flag by dem gov and black speaker of house), the ga sec.of state’s office has been ground zero for republican vote suppression efforts, which have been extensive and blatant. in 2006, now congresswoman, then sec of state, karen handel, presided over implementing the first and one of the most suppressive measures taken in this country.


    current ga gubernatorial candidate and hard rightwinger, brian kemp, took over from handel as sec of state in 2010 and ramped up republican vote suppression efforts. he is still serving as sec of state, is still in charge of voting in the state, and still engaged in vote suppression:


    kemp’s secretary of state’s office was sued on july 3, 2017 with regard to its unsafe voting system. kemp’s office had been warned of the insecurity of the state voting system by a secutity expert in august, 2016. on july 7, 2017 voter records on a key server related to 2016 election at the state’s election records center at kennesaw state univ were destroyed. after 2017 data destruction, kemp moved all voter computer matters into his office.

    from the macon, ga. telegraph: https://www.macon.com/latest-news/article216031450.html

  11. Jeanne says:

    First-time commenter, grateful reader.

    I am still very curious about the precise times given in the GRU indictment, which I believe were only provided for the info about the term-search connected to the creation of the guccifer 2.0 persona and the first posting (June 15, 2016). Why is such detail included for this activity? Is it a signal to (co)-conspirators? And as a technical matter, would real-time observation have been needed,  or could the times have been reconstructed later?

    Also, 7:02 MST would be equivalent to 12:02 ET, yes?

    Again: so thankful for this Blog!

    • emptywheel says:

      I think those times are given to show that the searches on the GRU server clearly influenced the post, thereby proving that that first post came from GRU. But I agree that the time stamps on those searches are quite interesting, as they time up with daytime hours in ET.

      • Jeanne says:

        Thanks for the reply!

        And just to clarify my note regarding 7:02PM MST & 12:02PM ET: your timeline says 2:02PM ET.

Comments are closed.