The indictment includes a significant amount of detail about the organizational structure of the GRU units allegedly involved in the wide-ranging information operations during the US presidential election. The source of the attribution is not revealed in the indictment. However, the level of detail—including when certain individuals connected to remote applications—indicates that US intelligence and law enforcement officials were working with more than just the forensic data provided by CrowdStrike. Trump's "where's the server?" protests seem even less well grounded in reality than they did before.
The details in the newest indictment get down to the organizational division of labor at GRU. "There was one unit that engaged in active cyber operations by stealing information," said Rosenstein, "and a different unit that was responsible for disseminating the stolen information."
The espionage operation was run by Unit 26165, commanded by GRU Officer Viktor Borisovich Netykshko. Unit 26165 appears to be the organization behind at least part of the "threat group" of tools, techniques, and procedures known as "Fancy Bear," "Sofacy," "APT28," and "Sednit." Within the unit, two divisions were involved in the breaches: one specializing in operations and the second in development and maintenance of hacking tools and infrastructure.
The operations division, supervised by Major Boris Alekseyevich Antonov, specialized in targeting organizations of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials. Antonov's group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev, according to the indictment, and they were responsible for targeting the email accounts that were exposed on the "DCLeaks" site prior to the election operations.
The second division, overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev, managed the development and maintenance of malware and hacking tools used by Unit 26165,
including the X-Agent "implant." X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.
Lieutenant Captain Nikolay Kozacheck (who used the hacker monikers "kazak" and "blablabla1234465") was the primary developer and maintainer of X-Agent, according to the indictment, and he was assisted by another officer, Pavel Yershov, in preparing it for deployment. Once X-Agent was implanted on the DNC and DCCC networks, Second Lieutenant Artem Malyshev (AKA "djangomagicdev" and "realblatr") monitored the implants through the command and control network configured for the task.
The information operations unit, Unit 74455, was commanded by Colonel Aleksandr Vladimirovich Osadchuk. Unit 74455's members would be responsible for the distribution of some of the stolen data from the breaches through the
"DCLeaks" and "Guccifer 2.0" websites. This group famously also reached out to WikiLeaks (referred to as "Organization 1" in the indictment) to amplify their information operation, and they
promoted the leaks to journalists through GRU-controlled email and social media accounts.
Within Unit 74455, Officer Aleksy Potemkin—a department supervisor—oversaw information operations infrastructure. His group configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would later be used to spread data stolen from the DNC, DCCC, and Clinton campaigns. Osadchuk would also direct another information operation—assigning GRU Officer Anatoly Kovalev and others to conduct a campaign against state election boards and elections.