(Cyber) GRU (XIII): questions and conspiracies

Everything that happened in 2018 in relation to the GRU, both the public accusations of different governments and the private investigations in relation to their activities, make us ask ourselves different questions; surely all of them have an answer, but we do not know them, or at least not for sure… so, we can also talk about conspiracies when it comes to answering these questions. Let’s see them in this section.

How was this information obtained?

We do not know. Certainly not from public sources: surely we are talking about information obtained from human sources, for example, from a possible mole in the Service … or in another service that knows the GRU well.
Some analysts relate to the information that this year saw the arrest, in December 2016, among others of Sergei MIKHAILOV (Coronel of the FSB, Director of the Second Department of the ISC), Dmitry DOKUCHAEV (Commander of the FSB, assigned to the same department as MIKHAILOV and also sought by the FBI) and Ruslan STOYANOV (Kaspersky analyst, but previously linked to the FSB). All of them accused of high treason and could have sold sensitive information to the American intelligence. Could these people have betrayed the FSB, and by extension to the GRU, by providing data on operations, agents, techniques … used by the Service against foreign interests? Could any of the Russian services still have an active mole that sells this information to other intelligence services? Who knows?

Why was such a high level of detail publicly provided, especially the USA and the Netherlands?

We do not know. Without being a legal expert I doubt that a document of accusation requires giving data on jobs, addresses, specific dates of activities in an operation; and without being an expert in expositions of senior intelligence services, I also doubt that a public presentation would require that level of detail. I insist: without being an expert in any of the cases. Documents of intelligence services do contain this detailed information, but obviously they do not come to light, apart from exceptions (for example, [1]).

On the other hand, I can say, with a little more judgment, that technically making this data public can be counterproductive, with one exception: that the US and Dutch governments seek not only to accuse, but something as unthinkable as a show of force … Perhaps Theresa May’s words in her speech ([2]) are very significant: “We are increasing our understanding of what the GRU is doing in our countries, shining a light on their activities, exposing their methods and sharing them with our allies, just as we have done with Salisbury.” Mostly, “exposing their methods” … Did the British Prime Minister simply mean to share this information with her allies, or directly to bring it to light? Who knows?

Why was the shared information only about the GRU? Why has not FSB information been published?

We do not know. At least in the potential Russian interference in the 2016 US elections, not only did the GRU participate but the FSB also did, in the form of APT29. So, why only GRU members were charged in 2018?? Did MIKHAILOV, DOKUCHAEV and so on sell, if they really did, just GRU information? Does the American intelligence -or the British, or the Dutch- have information about the FSB that, for some reason, they do not want to publish? Or are they simply saving it and will release it in 2019, so that we can do an analysis and a special series of the FSB in a few months, as we did with the GRU? Who knows?

Is GRU’s Unit 26165 the group known as APT28? Is Unit 74455? Maybe both of them? Neither?

We do not know. We do know – or we think we know, because allied services say so -which can also be a mistake or a lie – that APT28 is directly linked to the GRU; in other words, that it is part of the Service, either as the only cyber capacity, or as a cyber capacity more within the GRU.

In my opinion, APT28 can be Unit 26165 if we understand APT28 as an advanced actor that compromises targets and steals information of potential interest for Russia. If we understand APT28 as, in addition to the above, the actor that handles such information -with infrastructure, sockpuppets, etc.-, in line with the Russian concept of information warfare or the confrontation of technical and psychological information to which we have referred, then perhaps APT28 is not only Unit 26165, but also Unit 74455.
It is logical that the handling of information (psychological confrontation) falls into a different group than the theft of information or CNO operations (the technical confrontation) for many reasons: quality, security … Thus, APT28 could just be Unit 26165, Unit 26165 and Unit 74455 together, coordinated at a higher level within the GRU, or we could even identify APT28 with the GRU as a whole, without ruling out that within the Service there are more APT groups, known or unknown at this point. Who knows?

Isn’t the GRU so good anymore? Will it still be operational in the cyber domain?

This we do know. The GRU has historically been very good (for some people, the best) and will continue to be so from now on, whatever name it may have, both in the cyber and in the non-cyber domains. We all make mistakes, sometimes serious ones. The GRU has always had a reputation for taking risks and when you take risks you can make mistakes. It’s that simple.
However, of all the successful operations that the Service may be carrying out at this time and that we are unaware of, we have probably only seen the tip of the iceberg.

Without a doubt, APT28 will not disappear; they will be able to change their TTP, some of their targets, some of their interests … and even their identification, but whatever the name they use or they are given by analysts from all over the world, they will continue to operate in the cyber field. To think otherwise would be quite naive.

References

[1] NSA. Report on Russia’s Spearphishing. https://cryptome.org/2017/06/NSA-Report-on-Russia-Spearphishing.pdf
[2] Gobierno UK. PM statement on the Salisbury investigation: 5 September, 2018.
September, 2018. https://www.gov.uk/government/speeches/pm-statement-on-the-salisbury-investigation-5-september-2018

See also in: