
National Security Agency, "Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors, [Redacted] Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016," May 5, 2017. Top Secret//SI//ORCON//Rel to USA, FVEY/FISA.


National Security Archive

May 23, 2026

NSA’s 2017 briefing exposes a GRU‑run phishing campaign that first targeted a U.S. election‑software firm, then used data from that breach to send voter‑registration‑themed emails to local government officials.

Source: National Security Agency, "Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors, [Redacted] Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016," May 5, 2017. Top Secret//SI//ORCON//Rel to USA, FVEY/FISA. Date: May 5, 2017. Archive: The Intercept.


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A GRU‑Powered Phishing Wave in the 2016 Election Cycle

The declassified NSA briefing dated 5 May 2017 is a forensic snapshot of a Russian cyber‑espionage campaign that straddled the final months of the 2016 U.S. presidential election. It was produced as an internal NSA intelligence product, marked TOP SECRET//SI//ORCON/REL TO USA, FVEY/FISA and releasable only to U.S. and Five Eyes recipients. Its purpose was twofold: to document a concrete instance of GRU (Main Intelligence Directorate) activity and, as its caveat page states, to generate investigative leads for law‑enforcement and cyber‑defense teams.

The document’s chronology is tight. On 24 August 2016, GRU operators launched a spear‑phishing wave from a Gmail address (noreplyautomaticservice@gmail.com) whose messages masqueraded as Google Alerts. The target list comprised seven email addresses of employees of a specific U.S. technology firm, redacted as “U.S. Company 1”, whose products included election‑related hardware and software. The emails carried an embedded link that redirected victims to a malicious domain built to harvest their email credentials; the briefing assesses that the goal was to obtain information on election‑related software and hardware. Three of the seven addresses bounced as non‑existent, which says more about the quality of the actors’ target list than about their intent, and the briefing judges from the later targeting that at least one account was probably compromised.

Two months later, on 27 October 2016, the actors opened a second Gmail account, vr.elections@gmail.com, with the display name “U.S. Company 1” so that mail from it would appear to come from an employee of the firm. From this mailbox they contacted 122 email addresses at local government organizations, attaching trojanized Microsoft Word documents (“New_EViD_User_Guides.docm” and “NEW_Staging_Checklist_AIO_Style_EViD.docm”) whose Visual Basic macro spawned PowerShell to fetch a payload from actor‑controlled infrastructure at a U.S. IP address on port 8080. The body of the documents was a set of configuration instructions for EViD, a real electronic poll‑book application that lets poll workers check a voter’s registration status, name and address; the briefing judges it possible that the target list came from the account(s) compromised at U.S. Company 1. The briefing’s own phrasing, “evidently to obtain information on elections‑related software and hardware solutions”, makes clear that the initial corporate breach was a reconnaissance step feeding the later phishing operation.

The Broader Contest: Election Interference as a Strategic Objective

This NSA report sits squarely within the larger narrative of Russian interference that unfolded after the 2016 vote. While public discourse has focused on social‑media disinformation, the intelligence community has long warned that cyber‑espionage was a parallel track. The GRU (the General Staff’s Main Intelligence Directorate), traditionally a military intelligence service, was here gathering tactical data on U.S. election administration, which fits Moscow’s hybrid‑warfare pattern of combining overt political influence with covert technical intrusion.

The actors’ choice of a Gmail sender and a Word macro payload is consistent with an environment in which macro‑enabled documents are still routinely opened and endpoint controls are uneven, as is often the case in local government IT. The EViD configuration instructions in the document body served as a credible lure, and the briefing assesses that the intended targets were officials who manage voter‑registration systems; it does not claim that the actors could alter poll‑worker workflows. Although the briefing does not confirm successful compromise or exfiltration in either phase, the test emails to non‑existent absentee‑ballot addresses and the English‑language offer of election services from a spoofed “U.S. Company 2” point to an intent to stand up accounts that mimic legitimate election‑related services.

Why This Document Matters Today

The briefing’s value lies in its granular detail: sender addresses, file names, document hashes (MD5, SHA‑1 and SHA‑256), the beacon’s user‑agent string and destination port, and the timeline of operational steps. Such forensic breadcrumbs allow cybersecurity practitioners to hunt for similar campaigns in later election cycles and to harden the supply chain of election‑technology vendors. The report also documents a pattern, a state actor first compromising a private vendor and then using that access and that identity against the vendor’s municipal customers, that has recurred in later disclosures of state‑sponsored activity.

From a policy perspective, the document reinforces the case made after 2016 for treating election systems as critical infrastructure (the Department of Homeland Security designated them a critical‑infrastructure subsector in January 2017) and for routine sharing of threat information between vendors, state and local officials, and federal agencies. It also illustrates the limits of attribution: the briefing repeatedly qualifies its conclusions with “likely”, “probably” and “presumably”, reflecting the inherent uncertainty of signals intelligence. Nonetheless, the convergence of technical evidence (malicious macros, a PowerShell beacon to known infrastructure) and strategic intent (targeting election‑related software and the officials who run it) provides a compelling case study of how cyber‑espionage can be a prelude to more overt interference.

In sum, the NSA’s May 2017 assessment transforms abstract accusations of Russian meddling into a concrete operational timeline. It reveals a GRU playbook that blended corporate espionage, credential harvesting, and voter‑registration phishing—all aimed at the fragile infrastructure of American elections. As election officials continue to grapple with cyber threats, the lessons embedded in this declassified file remain a stark reminder that the battlefield now extends into inboxes and Word documents.


Page 1

TOP SECRET//SI//ORCON/REL TO USA, FVEY/FISA DIRNSA

National Security Agency

Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors, Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016 (TS//SI//OC/REL TO USA, FVEY/FISA)

(U//FOUO) INTELLIGENCE PURPOSES ONLY: (U//FOUO) The information in this report is provided for intelligence purposes only but may be used to develop potential investigative leads. No information contained in this report, nor any information derived therefrom, may be used in any proceeding (whether criminal or civil), to include any trial, hearing, or other proceeding before any court, department, agency, regulatory body, or other authority of the United States without the advance approval of the Attorney General and/or the agency or department which originated the information contained in this report. These restrictions apply to any information extracted from this document and used in derivative publications or briefings.

(U//FOUO) CYBERSECURITY INFORMATION: (U//FOUO) The unclassified data in this report is protected from public disclosure by Federal Law. This report includes sensitive technical information related to computer network operations that could be used against U.S. Government information systems. Any scanning, probing, or electronic surveying of IP addresses, domains, email addresses, or user names identified in this report is strictly prohibited. Information identified as UNCLASSIFIED//FOR OFFICIAL USE ONLY may be shared for cybersecurity purposes at the UNCLASSIFIED level once it is disassociated from NSA/CSS. Consult the originator prior to release of this information to any foreign government outside of the original recipients.

SUMMARY (U)

(TS//SI//OC/REL TO USA, FVEY/FISA) Russian General Staff Main Intelligence Directorate actors executed cyber espionage operations against a named U.S. Company in August 2016, evidently to obtain information on elections-related software and hardware solutions, according to information that became available in April 2017. The actors likely used data obtained from that operation to create a new email account and launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations. The spear-phishing emails contained a Microsoft Word document trojanized with a Visual Basic script which, when opened, would spawn a PowerShell instance and beacon out to malicious infrastructure. In October 2016, the actors also created a new email address that was potentially used to offer election-related products and services, presumably to U.S.-based targets. Lastly, the actors sent test emails to two non-existent accounts ostensibly associated with absentee balloting, presumably with the purpose of creating those accounts to mimic legitimate services.

Declassify On: 20420505

Page 2

Campaign Against U.S. Company 1 and Voter Registration-Themed Phishing of U.S. Local Government Officials (S//SI//REL TO USA, FVEY/FISA)

Russian Cyber Threat Actors Target U.S. Company 1 (S//REL TO USA, FVEY/FISA)

(TS//SI//OC/REL TO USA, FVEY/FISA) Cyber threat actors executed a spear-phishing campaign from the email address noreplyautomaticservice@gmail.com on 24 August 2016 targeting victims that included employees of U.S. Company 1, according to information that became available in April 2017.(1) This campaign appeared to be designed to obtain the end users' email credentials by enticing the victims to click on an embedded link within a spoofed Google Alert email, which would redirect the user to the malicious domain [redacted].(2) The following potential victims were identified:

  • U.S. email address 1 associated with U.S. Company 1,
  • U.S. email address 2 associated with U.S. Company 1,
  • U.S. email address 3 associated with U.S. Company 1,
  • U.S. email address 4 associated with U.S. Company 1,
  • U.S. email address 5 associated with U.S. Company 1,
  • U.S. email address 6 associated with U.S. Company 1, and
  • U.S. email address 7 associated with U.S. Company 1.

(TS//SI//OC/REL TO USA, FVEY/FISA) Three of the malicious emails were rejected by the email server with the response message that the victim addresses did not exist. The three rejected email addresses were U.S. email address 1 to 3 associated with U.S. Company 1.

  1. (TS//SI//OC/REL TO USA, FVEY/FISA) The GRU is also rendered as military unit [redacted].
  2. (TS//SI//OC/REL TO USA, FVEY/FISA) For additional information on [redacted] and its cyber espionage mandate, specifically directed at U.S. and foreign elections, see [redacted].

Page 3


(TS//SI//OC/REL TO USA, FVEY) COMMENT: The [illegible] actors were probably trying to obtain information associated with election-related hardware and software applications. It is unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated. However, based upon subsequent targeting, it was likely that at least one account was compromised.

Cyber Threat Actors Create Spoofed Account and Voter Registration-Themed Targeting of Local Government Officials (TS//SI//OC/REL TO USA, FVEY/FISA)

(TS//SI//OC/REL TO USA, FVEY/FISA) The [illegible] cyber threat actors created a new operational email account vr.elections@gmail.com with the username "U.S. Company 1" on 27 October 2016. (COMMENT: It is likely that the cyber threat actors created this email address to appear as if they were an employee of U.S. Company 1.) The cyber threat actors had in the email account two trojanized Microsoft Word documents with the titles "New_EViD_User_Guides.docm" and "NEW_Staging_Checklist_AIO_Style_EViD.docm". Both of these documents had identical content and hash values, and contained the same malicious Visual Basic script. The body of the trojanized documents contained detailed instructions on how to configure EViD software on Microsoft Windows machines. According to EViD's FAQ website (UNCLASSIFIED), EViD software allows poll workers to quickly check a voter's registration status, name and address. (END OF COLLATERAL)

(TS//SI//OC/REL TO USA, FVEY/FISA) Subsequently, the cyber threat actors used the vr.elections@gmail.com account to contact U.S. email addresses 1 to 122 associated with named local government organizations. (COMMENT: It is possible that the targeted email addresses were obtained from the previously compromised account(s) of U.S. Company 1.) The "NEW_Staging_Checklist_AIO_Style_EViD" document was last modified on 31 October 2016 and the "New_EViD_User_Guides" document was last modified on 1 November 2016. (COMMENT: This likely indicates that the spear-phishing campaign occurred either on 31 October or 1 November, although the exact date of the spear-phishing campaign was not confirmed.)

(TS//SI//REL TO USA, FVEY) COMMENT: Given the content of the malicious email it was likely that the threat actor was targeting officials involved in the management of voter registration systems. It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.

Technical Analysis of the Trojanized Documents (U//FOUO)

Page 4

(TS//SI//OC/REL TO USA, FVEY/FISA) Both trojanized Microsoft Word documents contained a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then run an unknown payload from malicious infrastructure located at a U.S. IP address on port 8080, probably running Microsoft-IIS/7.5 Server. (COMMENT: The unknown payload very likely installs a second payload which can then be used to establish persistent access or survey the victim for items of interest to the threat actors.) The request used a user-agent string of "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko". Lastly, the malicious Microsoft Word documents hashed to the following values:

  • MD5 Hash: 5617e7ffa923de3a3dc9822c3b01a1fd,
  • SHA-1 Hash: 602aa899a6fadeb6f461112f3c51439a36ccba40, and
  • SHA-256 Hash: f48c9929f2de895425bdae2d5b232a726d66b9b2827d1a9ffc75d1ea37a7cf6c.
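The chain the report describes (a Word document, a VBA macro, a spawned PowerShell, an HTTP request to an IP literal on port 8080 carrying an IE11 user‑agent string) is a good hunting target because every hop leaves an endpoint or proxy record. The Python below is an added example written for this page; it is not code from the NSA report, The Intercept or the National Security Archive. It correlates constructed Sysmon‑style ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) records on ProcessGuid, and scans constructed proxy lines for the combination of the report's user‑agent string, an IP‑literal host and port 8080. The address 203.0.113.10, the command lines, and the proxy log format are assumptions; only the user‑agent string and the .docm file name come from the report.

```python
"""Hunt for the Office -> script host -> beacon chain described in the report.

Added example for this page, not code from the NSA report. Events are
constructed in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 3
(NetworkConnect); the proxy lines use a made-up space-separated format.
"""
import ipaddress
import re

# The one indicator quoted from the report itself.
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STANDARD_WEB_PORTS = {80, 443}


def _image(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_beacon_chain(events):
    """One alert per script host that an Office application spawned (Event ID 1)
    and that then connected to a non-standard web port (Event ID 3).
    Correlation is on ProcessGuid, which Sysmon keeps stable across both events."""
    spawned = {}
    for ev in events:
        if (ev["EventID"] == 1
                and _image(ev["ParentImage"]) in OFFICE_APPS
                and _image(ev["Image"]) in SCRIPT_HOSTS):
            spawned[ev["ProcessGuid"]] = ev
    alerts = []
    for ev in events:
        if (ev["EventID"] == 3
                and ev["ProcessGuid"] in spawned
                and ev["DestinationPort"] not in STANDARD_WEB_PORTS):
            proc = spawned[ev["ProcessGuid"]]
            alerts.append({
                "parent": _image(proc["ParentImage"]),
                "child": _image(proc["Image"]),
                "command": proc["CommandLine"],
                "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            })
    return alerts


PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
URL_HOST = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?')


def flag_proxy_lines(lines):
    """Flag requests with all three traits of the report's beacon: the IE11 UA
    string, a bare IP literal as host, and port 8080. The UA alone is the
    default for IE11 on Windows 7 and far too common to alert on."""
    flagged = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        u = URL_HOST.match(m["url"])
        if not u:
            continue
        port = int(u["port"]) if u["port"] else (443 if u["scheme"] == "https" else 80)
        try:
            ipaddress.ip_address(u["host"])
            ip_literal = True
        except ValueError:
            ip_literal = False
        if m["ua"] == IOC_USER_AGENT and ip_literal and port == 8080:
            flagged.append({"time": m["ts"], "src": m["src"], "url": m["url"]})
    return flagged


# Constructed sample telemetry: one malicious chain and one benign PowerShell session.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" New_EViD_User_Guides.docm'},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": PS, "ParentImage": WORD,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File stage1.ps1"},  # constructed
    {"EventID": 3, "ProcessGuid": "{B}", "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 8080},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 3, "ProcessGuid": "{C}", "Image": PS, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]
SAMPLE_PROXY = [
    '2016-11-01T14:02:11Z 10.1.2.3 GET http://203.0.113.10:8080/update 200 "' + IOC_USER_AGENT + '"',
    '2016-11-01T14:02:12Z 10.1.2.4 GET https://www.example.com/ 200 "' + IOC_USER_AGENT + '"',
    '2016-11-01T14:02:13Z 10.1.2.5 GET http://203.0.113.10:8080/ 200 "curl/7.47.0"',
]

if __name__ == "__main__":
    for alert in detect_office_beacon_chain(SAMPLE_EVENTS):
        print("process chain:", alert)
    for hit in flag_proxy_lines(SAMPLE_PROXY):
        print("proxy hit:", hit)
```

The three hashes listed above are the cheapest check and any hashing tool will match them, but a re‑saved or re‑templated document changes all three, which is why the process lineage (an Office binary as parent of a script host) is the durable signal and the hash match is only confirmation.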

Operational Accounts Spoofing Legitimate Elections-Related Services (S//REL TO USA, FVEY)

Spoofing Email Address Associated With U.S. Company 2 (U//FOUO)

(TS//SI//OC/REL TO USA, FVEY/FISA) In parallel to the aforementioned campaign, the [illegible] cyber threat actors created another new operational email account elevationsystem@outlook.com on 19 October 2016. They then used this email address to send a test message to another known [illegible] operational email account. In that test email, which was written in English, the threat actors spoofed U.S. Company 2, and offered election-related products and services. All emails associated with this account were later deleted, and it was unknown if there was any targeting using this email account. (COMMENT: Given that the email body was written in English and prepared less than 1 month before the 2016 U.S. Presidential election, it was likely intended for U.S.-based targets.)

Spoofing Absentee Ballot Email Addresses (U//FOUO)

(TS//SI//OC/REL TO USA, FVEY/FISA) Additionally, the [illegible] cyber threat actors sent what appeared to be a test email to two other accounts, requestabsentee@americansamoaelectionoffice.org and requestabsentee@americansamoaelectionoffice.org. In both cases the actors received a response from the mail server on 18 October stating that the message failed to send, indicating that the two accounts did not exist.

(TS//SI//REL TO USA, FVEY) COMMENT: Given that the test email did not contain any malicious links or attachments, it appeared the threat actors' intent was to create the email accounts rather than compromise them, presumably with the purpose of mimicking a legitimate absentee ballot-related service provider.


Page 5

Spear-Phishing Campaign TTPs used Against U.S. and Foreign Government Political Entities (diagram)

ADVERSARY SPACE

General Staff Main Intelligence Directorate (GRU). Operators probably within [redacted]; registered with a personal cell phone on one account; sent a test email to a personal account.

It is unknown if the GRU was able to successfully compromise any of the entities targeted as part of this campaign. While this cyber espionage program utilized some techniques that were similar to other Russian GRU cyber operations units, this activity demonstrated several characteristics that distinguish it from another major GRU spear-phishing program known as [illegible].

NEUTRAL SPACE

Email addresses: use Operational Relay Boxes (ORB).

Staging: create mimicked alerts from Google that were related to purported issues with the targeted user's account, enticing the recipient to click on a malicious embedded link. Email in native language of intended target. Typical ruses included: lack of storage, password changes, and account verification requests related to the Steam web service.

Credential harvesting site: actor-controlled website that closely resembles the Google webmail page. Collect credentials.

Credential access: there were indications that the threat actors may have similar efforts against other web-based email services including Microsoft's live web mail, AOL, and Mail.ru.

Once the victim supplied this information to the actor-controlled website, it would be relayed to a legitimate Google service, but only after the [illegible] actors had successfully obtained the victim's password (and if two-factor, phone number and Google verification code) associated with that specific email account.

TARGET SPACE

Delivery: the malicious hyperlinks provided were associated with either customized Bitly links, a domain shortening service, or IP address, redirecting the unwitting victim to a credential-harvesting site where the [illegible] actors could conduct a man-in-the-middle attack.

Intended target: U.S. and Foreign Government Political Entities.

Exploitation:
  1. Clicks link; redirects to the credential-harvesting site
  2. Prompts to enter password
  3. Enters password
  4. If 2FA enabled, also enter: phone number, legitimate verification code

If the victim had previously enabled two-factor authentication (2FA), the actor-controlled website would further prompt the victim to provide their phone number and the legitimate Google verification code that was sent to their phone.

Legend: Green line - confirmed information; Yellow line - analyst judgement; Gray line - contextual information; Orange label - adversary objectives.

Page 1 of 2
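The exploitation steps in the diagram describe a relay: the actor's page accepts the password and the verification code and forwards them to the real service before the code expires, so a one‑time code adds nothing against this attacker. The Python below is an added example for this page, not code from the NSA report, contrasting that relay with an origin‑bound authenticator of the FIDO2/WebAuthn kind, which the same relay cannot defeat because the browser, not the page, writes the page's origin into the signed client data. TOTP is implemented per RFC 6238 and checked against its published test vector; the WebAuthn part is a deliberate simplification (the authenticator signs with HMAC instead of a public‑key signature, and the browser is a plain function). The origins, password, secrets and challenge are constructed.

```python
"""Relay phishing against OTP versus an origin-bound authenticator.

Added example for this page, not code from the NSA report. TOTP follows
RFC 6238. The 'authenticator' signs with HMAC as a stand-in for a real
public-key signature; that is enough to show why the origin check matters.
"""
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://accounts.google.com"        # the service being spoofed
PHISH_ORIGIN = "https://accounts-google.example"    # constructed look-alike, not from the report
PASSWORD = "correct horse battery staple"           # constructed
OTP_SECRET = b"12345678901234567890"                # RFC 6238 reference secret
AUTH_KEY = b"constructed authenticator key"         # constructed


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def otp_login(password: str, code: str, now: int) -> bool:
    """Server check for password + verification code. Nothing ties the code to
    the page the victim typed it into, so anyone holding it inside the
    30-second window can replay it."""
    return (hmac.compare_digest(password, PASSWORD)
            and hmac.compare_digest(code, totp(OTP_SECRET, now)))


def otp_relay(now: int) -> bool:
    """The diagram's flow: the victim types password and code into the actor's
    page; the actor forwards both to the real service before the code expires."""
    victim_password, victim_code = PASSWORD, totp(OTP_SECRET, now)   # typed into the phishing page
    return otp_login(victim_password, victim_code, now)              # replayed by the actor


def browser_get_assertion(challenge: str, page_origin: str):
    """Browser side of WebAuthn: the browser, not the page, records the origin
    in clientDataJSON; the authenticator then signs over that data."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    signature = hmac.new(AUTH_KEY, client_data, hashlib.sha256).hexdigest()
    return client_data, signature


def webauthn_login(challenge: str, client_data: bytes, signature: str) -> bool:
    """Relying-party check: signature valid, challenge fresh, origin is ours."""
    data = json.loads(client_data)
    expected = hmac.new(AUTH_KEY, client_data, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(signature, expected)
            and data.get("challenge") == challenge
            and data.get("origin") == LEGIT_ORIGIN)


def webauthn_relay(challenge: str) -> bool:
    """Same relay, but the victim's browser is on the phishing origin, so the
    signed client data names that origin and the real service rejects it."""
    client_data, signature = browser_get_assertion(challenge, PHISH_ORIGIN)
    return webauthn_login(challenge, client_data, signature)


def webauthn_direct(challenge: str) -> bool:
    """Control case: the victim is on the real site."""
    client_data, signature = browser_get_assertion(challenge, LEGIT_ORIGIN)
    return webauthn_login(challenge, client_data, signature)


if __name__ == "__main__":
    now = 1_478_000_000   # early November 2016, fixed so the run is deterministic
    print("OTP relay accepted by server:     ", otp_relay(now))        # True
    print("WebAuthn relay accepted by server:", webauthn_relay("c1"))   # False
    print("WebAuthn direct login:            ", webauthn_direct("c1"))  # True
```

The practical consequence for anyone hardening the accounts this campaign went after: SMS and app codes, which is what the diagram shows the actors collecting, should be treated as phishable, and the accounts of election officials and vendor staff are the ones most worth moving to origin‑bound authenticators.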

Page 6

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
