When did Russian intelligence give WikiLeaks the e-mails that it hacked from the Democratic National Committee and John Podesta, and how did it transmit them? Shortly after the election, James Clapper, then the director of National Intelligence, testified before Congress that American intelligence officials could not clearly pinpoint these facts. “We don’t have good insight into the sequencing of the releases, or when the data may have been provided,” he said. Today, almost two years later, and after months of investigation, we know a lot more than we once did. But our insight into the timing—at least from publicly available information—remains uncertain.

The latest indictment issued by Robert Mueller, the special counsel, charged twelve members of the G.R.U., Russia’s military-intelligence directorate, with hacking and disseminating Democratic e-mails and other files during the election. It is a highly detailed document, in many ways remarkable. In it, we learn, for instance, that Western intelligence officers had penetrated the G.R.U. so thoroughly that they could track the keystrokes of individual Russian operatives at their desks in a Moscow building. We learn that these G.R.U. staff members essentially Googled vulnerabilities in the Democratic Congressional Campaign Committee before hacking into it. We learn that, from within the D.C.C.C., the G.R.U. hackers moved into the D.N.C. We learn that D.N.C. data were relayed to an American server in Illinois as they were being exfiltrated. We learn that G.R.U. officers used cryptocurrency to pay people around the world to provide things that the operation required—domain names, access to virtual private networks (V.P.N.s). The indictment may only be an accusation, but it hints at the remarkably granular forensic intelligence that has been gathered.

The over-all picture that the indictment offers of the “WikiLeaks connection,” as Clapper once put it, is entirely consistent with previous intelligence assessments, which said that the G.R.U. provided Julian Assange, the editor of WikiLeaks, with the D.N.C. and Podesta archives. But, at the level of evidence, the indictment offers a strange mix: tantalizing, fragmentary new details that suggest the when and how without quite revealing everything that happened.

Indictments are not the same as intelligence reports. They are sometimes intentionally written ambiguously, to give prosecutors flexibility in the way they decide to prove their case—emphasizing the strongest links in an argument while implying a bigger picture. It is likely that the charged G.R.U. officers will never face trial, but Mueller may still want to retain flexibility, given that his investigation is ongoing. It is also conceivable that this document was rushed out before Trump’s summit with the Russian President, Vladimir Putin. Herein lies the complication in using this to advance what we know. We can see only bits.

The “active measures” portion of the chronology in the indictment—including, by implication, the transmission of files to WikiLeaks—emerges for the first time in an early paragraph, under Count One, the charging of G.R.U. officers for conspiring to commit an offense against the United States:

6. Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including “DCLeaks” and “Guccifer 2.0.”

To make sense of these two sentences, a bit of context is necessary. In 2016, the G.R.U. began a spear-phishing campaign that targeted hundreds of Democratic operatives. People affiliated with Hillary Clinton were targeted as early as March 10th. Podesta, her campaign’s chairman, was targeted nine days later, and his e-mails were stolen on March 21st. The G.R.U. created multiple false online identities to aid its work. By April, it began to set up a mechanism to publish hacked material, a Web site called DCLeaks, purportedly run by American “hacktivists.” The site went live on June 8th, after Clinton became the presumptive Democratic nominee, and published tens of thousands of e-mails from at least seven Clinton-campaign staffers, along with other American officials. Seven days later, the G.R.U. created Guccifer 2.0, which never released e-mails in bulk but published on WordPress, in June, screenshots of a Clinton-related e-mail that were so blurry they were unreadable. By then it is also conceivable that the G.R.U. was releasing material to intermediaries: e-mails that were not yet public but were on their way to becoming so.

How WikiLeaks enters into this behavior is unclear. But, in the following paragraph, the indictment notes that the G.R.U. relayed an apparently different archive to Assange, explicitly through Guccifer 2.0:

7. The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”).

These two sections, together, suggest two separate acts: one, the staging and releasing of tens of thousands of e-mails starting in June; two, using Guccifer 2.0 to release documents to WikiLeaks.

What were those other documents?

It is worth taking a closer look at what happened in the spring and summer of 2016 to understand how the indictment’s sequence of facts and allegations leaves open some intriguing possibilities. On April 18th, the G.R.U. hacked the D.N.C. computers, and began to extract gigabytes’ worth of files, including opposition research, but it did not penetrate the D.N.C.’s Microsoft Exchange Server, to access its e-mails, until later. The indictment argues that the e-mails were stolen at some point between May 25th and June 1st.

What happens next seems significant. By June 1st, the G.R.U. was already in possession of tens of thousands of Clinton-campaign e-mails, including Podesta’s. It had gained access to the D.N.C. e-mails. It had just initiated steps to begin publishing hacked material, on DCLeaks. Then, on June 12th, four days after DCLeaks went live, Assange gave an interview to Britain’s ITV, in which he declared, “We have upcoming leaks in relation to Hillary Clinton, which is great. WikiLeaks has a very big year ahead.” A bit later in the interview, he added, “We have e-mails related to Hillary Clinton which are pending publication.”

At the time, the G.R.U. hacking operation had not been publicly exposed, and Assange had no reason to suspect that this admission would take on any special significance. What he could not have known was that the D.N.C. was quietly trying to address the G.R.U. hack. It had hired a cyber-security firm, CrowdStrike, to purge the Russian operatives from its computers. To manage the story, it had invited in the Washington Post, which published an article on June 14th disclosing the breach. The Mueller indictment describes in detail Moscow’s response to this news: G.R.U. officers “created the online persona Guccifer 2.0,” apparently rushing to mask the hacking operation by promoting the idea that the culprit was a lone Romanian hacker. As they scrambled, they looked up English translations for phrases that could be attributed to their imaginary hacker. Work on the persona, it appears, was finished within hours.