(Cyber) GRU (III): July 2018

As we have said, if until this year the GRU was one of the most opaque services in the world, in 2018 everything changes. Three facts stand out in the chronography, which conclude with the death of Lieutenant General KOROBOV in November; we will see in this section the first of them -and in the coming ones the other two, which occurred in the month of July.

On July 13, the US Department of Justice (DoJ) publishes [1], a document accusing twelve GRU agents – directly summoned by name and surnames – of possible Russian interference in the 2016 presidential elections. The person signing the document is none other than Robert Mueller, an advisor to the DoJ who coordinates investigations in this area – that of Russia’s relationship with the US presidential elections- and who, among other things, was director of the FBI for more tan ten years. After this accusation, the FBI includes among its “Cyber most wanted” the twelve agents of the service, highlighting that they can be armed and dangerous. Until then, the only Russian service that had the privilege of having agents among the most wanted by the FBI was the FSB.

Search poster published by the FBI (July 2018)

U.S. intelligence had publicly pointed out to its Russian counterparts of interference in the 2016 electoral process ([2]), even linking the GRU to direct attacks and to the publication of exfiltrated information. However, the DoJ document goes into detail and identifies two units of the GRU -26165 and 74455- as directly responsible for activities in the cyber field aimed at interfering in said elections, marking unit 26165 as the direct operative (attacks against relevant actors, for example via spear phishing, document stealing, etc.) and unit 74455 as a significant actor in associated disinformation operations, such as the dissemination of documents or emails or the handling of Guccifer 2.0 sockpuppet. The accused by the DoJ are twelve Russian intelligence officers, nine belonging to unit 26165 and three belonging to unit 74455, as summarized in the following table:


Unit Name Job Position Aliases Accusations
26165 Viktor BORISOVICH NETYKSHO Coronel Unit Head Intrusion in DCCC y DNC
26165 Boris ALEKSEYEVICH ANTONOV Commander Department Head Intrusion
26165 Dmitriy SERGEYEVICH BADIN Assistant Department Head
26165 Ivan SERGEYEVICH YERMAKOV Kate S. Milton
James McMorgans
Karen W. Millen
26165 Aleksey VIKTOROVICH LUKASHEV Lieutenant Den Katenberg
Yuliana Martynova
26165 Sergey  ALEKSANDROVICH MORGACHEV Lieutenant Colonel Department Head Malware development
26165 Nikolay YURYEVICH KOZACHEK Capitán Kazak
blablabla1234565
Malware development
26165 Pavel VYACHESLAVOVICH YERSHOV Support for malware development
26165 Artem ANDREYEVICH MALYSHEV Lieutenant djangomagicdev
realblatr
Malware operation
74455 Aleksandr VLADIMIROVICH OSADCHUK Colonel Unit Head Publication of stolen information
74455 Aleksey ALEKSANDROVICH POTEMKIN Deparment Head Infraestructure and Identity Management
74455 Anatoliy SERGEYEVICH KOVALEV


The personnel of unit 26165, located at number 20 of Komsomolskiy Prospekt, and of unit 74455, located at number 22 of Kirova Street, in the Khimki district, in both cases in Moscow; details of each of these units are also given: they are commanded by a Colonel, they have different departments with specific tasks (malware development, zombie operation…) The DoJ indictment also describes the TTPs of the attackers with a amazing level of detail, as well as dates of actions as specific as the X-Agent implant in a victim or the name of the person performing such action, within the framework of GRU operations against the DCCC (Democratic Congressional Campaign Committee) and the DNC (Democratic National Committee). It also analyzes with the same level of detail the efforts of the hostile actor to persist in the victim or the handling of stolen information and its diffusion through the framework DCLeaks (sockpuppet, website, social networks…) and Guccifer 2.0., As well as the relationship between both.

As we have said, at all times, both in the technical area of intrusion and persistence and in the less technical area of the use of stolen information, the level of detail provided by the DoJ is impressive; without going into whether this level is usual in DoJ accusations relating to National Security – I have no criterion – certainly from an intelligence point of view, giving so much information of knowledge about an adversary is neither usual nor good … There are also, especially in October, as we will see later, unusual levels of detail in public sources about tactics, techniques, identities … of GRU agents and their operations. We will see, at the end of the work, some questions that we ask ourselves regarding the reason for this level of detail – and its possible answers.

References

[1] DoJ. July 2018. https://www.justice.gov/file/1080281/download 

[2] ODNI. Assessing Russian Activities and Intentions in Recent US Elections. January, 2017.

See also in: