(Cyber) GRU (VI): and now what?

The information that came to light during 2018, both the official information released by the governments of the United Kingdom, the United States, the Netherlands and Canada and the unofficial follow-up investigations by individuals and by different organizations (notably Bellingcat and RFE/RL, Radio Free Europe/Radio Liberty), has exposed a great deal of interesting information about the GRU. It has provided us with data on its units (identification, structure, functions, physical location…), on the people who are part of the service (identities, jobs, functions, aliases, relationships, personal circle…) and on its operations (objectives, TTP, software, artifacts, IOC…). In addition, it has revealed deficient operational security measures, which have made it possible to extend the initial investigations even further and have brought to light identities, private homes, relatives… of members – or former members – of the GRU.

Of all the research carried out on the basis of the data published by different governments, the most noteworthy is that of Bellingcat, an organization that investigates issues based mainly on open sources. Here we are talking about private investigations, not endorsed by governments and based mostly on OSINT, something radically different from the statements of a government backed by evidentiary material that, of course, has not been obtained from public sources – we will talk later about where this information may come from. We can even doubt the credibility of these sources, since there are many voices that maintain that everything they publish is a lie, a Western set-up, etc. Who knows… These investigations are based on open sources, and we insist that Bellingcat is a private organization and therefore its investigations are also private; but on December 19, 2018, as we have previously noted, the US government ([1]) appeared to officially endorse one of Bellingcat's main investigations, the one that identifies the two people who tried to assassinate the Skripals in March as members of the GRU and Heroes of the Russian Federation: starting from the details published by the British government about the false identities of the GRU agents who poisoned the Skripals (Alexander PETROV and Ruslan BOSHIROV), Bellingcat published in September and early October several articles, such as [2], revealing the real identities of the suspects and confirming their relationship with the GRU.

In any case, much more interesting for us is the list of members or former members of Unit 26165 of the Service ([3]), published on October 4, the same day on which different governments rounded off the GRU's bad year. That same day, starting from the identities of the members of the Unit brought to light by Dutch intelligence, Bellingcat searched public and semi-public sources and identified more than 300 members of the Unit thanks to the registration addresses of their cars, which coincided with the headquarters of the Service. On the RuNET there is private information on Russian citizens – homes, license plates, telephone numbers – available to any Internet user (we are not talking about buying databases on the black market, which would also be possible); from an identity (for example a name, linked to a date of birth or to the address of the Unit) and with a little time it is possible to obtain personal data, and also to identify, for example, the people who have registered a vehicle at a certain address. In this way, Bellingcat associated those potential members of Unit 26165 – or former members, or people who have had a relationship with the Unit – and extracted names, license plates, personal addresses and social network profiles, in what is considered one of the most important information leaks in history.

Without being Bellingcat, with a bit of time and using Google Translate for those who do not know Russian, any Internet user can reach those same personal data, uncovering some very interesting relationships. Of course, the reliability of the sources must be taken into account, although the data that we have been able to verify directly suggest that, at least for the most part, the information extracted is true. We will talk at another time about OSINT searching on the RuNET, but in the following sections we will address what we have learned about the GRU during 2018: part of its cyber structure, some of its objectives, different TTP of its operations and certain OPSEC considerations that perhaps should have been taken into account before undertaking a close access operation.
