(Cyber) GRU (XIV): conclusions

In this work, we have mainly analyzed the structure, targets and TTP of the GRU in the cyber field, based on the information brought to light during 2018. That information allowed not only intelligence services but also poor analysts like us, who do not have all the capabilities that a state can have, to obtain detailed knowledge of the Service and its activities. With what we know, even analyzing only public sources, we have access to information that in some cases should be considered sensitive and that, without a doubt, is being (or has been) analyzed by services from all over the world, starting with Russia itself.

The fact that we know the GRU better than we did a year ago does not mean that it is now a worse service than before; it will remain part of the elite, fulfilling its missions and acting “in any part of the world where it is required”, as one of its former directors said. The GRU, or APT28, or whatever you want to name it, will continue to be a very important player in the cyber field and, of course, in the non-cyber realm. We all make mistakes, and the GRU made them on that occasion, and they were published. However, in certain circles it is more of a concern that the GRU failed in its operations than that the identities or modus operandi of some of its members were leaked.

(Cyber) GRU (XIII): questions and conspiracies

Everything that happened in 2018 in relation to the GRU, both the public accusations by different governments and the private investigations into its activities, makes us ask ourselves different questions. Surely all of them have an answer, but we do not know the answers, or at least not for sure… so we can also talk about conspiracies when it comes to answering these questions. Let’s look at them in this section.

How was this information obtained?

We do not know. Certainly not from public sources: surely we are talking about information obtained from human sources, for example, from a possible mole in the Service … or in another service that knows the GRU well.
Some analysts relate the information that came to light this year to the arrest, in December 2016, of, among others, Sergei MIKHAILOV (Colonel of the FSB, Director of the Second Department of the ISC), Dmitry DOKUCHAEV (Commander of the FSB, assigned to the same department as MIKHAILOV and also sought by the FBI) and Ruslan STOYANOV (Kaspersky analyst, but previously linked to the FSB). All of them were accused of high treason and could have sold sensitive information to American intelligence. Could these people have betrayed the FSB, and by extension the GRU, by providing data on operations, agents, techniques … used by the Service against foreign interests? Could any of the Russian services still have an active mole selling this information to other intelligence services? Who knows?

(Cyber) GRU (XII): OPSEC

The GRU members expelled from the Netherlands used basic OPSEC measures, such as throwing out their own rubbish while staying in a hotel; nevertheless, their arrest revealed the lack of other equally basic security measures, which will undoubtedly have given the Service plenty to talk about. Perhaps proximity operations, at least in the Netherlands, were not considered a risk by the GRU; perhaps these were considered human failures due to a breach of regulations … who knows. The fact is that this poor OPSEC brought to light information on identities, targets, TTP … that allowed us to know the Service a little better during 2018; had they acted otherwise, this evidence would not be available.

When we talk about OPSEC, beyond formal models and methodologies, we always talk about the three Cs[1]: Cover, Concealment, Compartmentation. The cover of an operation must allow you to justify where you are (state) and what you are doing (action); concealment must allow you to hide activities or identities related to the operation; and, finally, compartmentation, as a final line of defense, must minimize the impact in case things go wrong, so that other people, operations, etc. are not affected.

(Cyber) GRU (IX): structure. Other units

In addition to the two previous units, which have gained prominence from the information brought to light in 2018, the GRU has other Military Units linked to signal intelligence, cybersecurity or information warfare. Some of those for which data can be found in public sources are the following:

  • Military Unit 11135 (18th Central Research Institute). Historically ([1]), the Central Scientific Research Institute, which designs SIGINT equipment for the GRU from Moscow, has been identified within the GRU; it is perhaps this Military Unit today, now focused not only on the interception of radio and satellite communications but also on wireless devices, SCADA systems or the protection of communications ([2]).
  • Military Unit 40904, known as the “177th Independent Center for the Management of Technological Development”. Located in Meshcheryakova, 2 (Moscow), with high probability, this unit specializes in signal intelligence processing ([3]).
  • Military Unit 36360. Apparently it is a training unit of the GRU in which advanced intelligence courses are taught, at least since January 1949. This training, also apparently and according to open sources, includes topics closely linked to the cyber domain such as the following:
    • Telecommunications Engineering (communication by radio, radio broadcasting and television).
    • Technologies, networks and communication systems.
    • Information systems and technologies: information and analysis.
    • Software Engineering.
    • Applied Mathematics and Computer Science.
    • Information security.
    • Computer software.
    • Automated information processing and control systems.
    • Translation and translation studies (linguistics).
  • Military Unit 54726 (46th Central Research Institute), a center focused on military technical information, especially on the capabilities of foreign countries, which potentially includes research in the cyber field.

Ukraine election 2019 polls Maldoc: analysis

At Lab52, S2 Grupo, we have recently detected a malicious document titled “Ukraine_election_2019_polls.doc”. The document was uploaded to VirusTotal on March 12th, 2019 from Germany.

The title and upload date are especially relevant in this case, because of the existing conflict between Ukraine and Russia and the general elections in Ukraine.

Document content

ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE

The OrangeWorm group was named and described by Symantec in different blog entries [1] [2]. From these entries we would highlight that the group has been operational since 2015 and focuses on attacking the health, pharmaceutical, technological, manufacturing and logistics sectors. As described by Symantec, the most affected sector is healthcare.

Based on this information, Lab52 has carried out an in-depth study of the Kwampirs tool (OrangeWorm’s main tool) used by this group.

Next, the RAT (Remote Administration Tool) in DLL format and the main binary, or orchestrator, of the infection will be analyzed.

Technical analysis of Kwampirs Dropper

Within its arsenal, OrangeWorm has a RAT in DLL format whose execution and lateral movement are carried out by an executable; together, the two make up the threat known as Kwampirs.

Regarding the executable, which we will call “Kwampirs Dropper”, we first highlight its resources, among which are two images with corrupt sections. One of them consists of the DLL with RAT capabilities, encrypted with an XOR key, which the dropper extracts, decrypts and executes on each execution.

(Cyber) GRU (VIII): Structure. Unit 74455

Apparently, Unit 74455 is linked to operations of disinformation, influence, propaganda … which would reconfirm the broad concept of information warfare of the Russian military doctrine. We have already referred to it repeatedly, and to the mixture of the purely technical field with the psychological field (dezinformatsiya, spetspropaganda, kompromat, etc.).

In fact, the US DIA speaks of Russian information confrontation (informatsionnoye protivoborstvo, IPb) as the term used by the Government for the information war conflict, with two major measures: technical, as classic CNO, and psychological, as the attempt to manipulate the population in favour of Russian interests ([1]), speaking openly of “cyber” PSYOP. The first of these measures would correspond to Unit 26165 and the second to Unit 74455.

(Cyber) GRU (VI): and now what?

The information that has come to light during 2018, both the official information from the governments of the United Kingdom, the United States, the Netherlands and Canada and the additional unofficial investigations by individuals and by different organizations (notably Bellingcat and RFE/RL, Radio Free Europe/Radio Liberty), has exposed a lot of interesting information about the GRU. It has provided us with data on its units (identification, structure, functions, physical location…), on people who are part of the Service (identities, jobs, functions, aliases, relationships, personal scope…) and on its operations (objectives, TTP, software, artifacts, IOC…). In addition, it has revealed deficient operational security measures, which have made it possible to broaden the initial investigations even further and have brought to light identities, private homes, relatives… of members, or former members, of the GRU.

(Cyber) GRU (V): October 2018

If 2018 was already a bad year for the GRU, on October 4th different Western countries delivered the finishing blow to the Service by publishing information about its operations and agents: the Netherlands, the United Kingdom, Canada and the United States, with Australia and New Zealand immediately supporting their allies, as is normal. In summary, Holland and FVEY finished off the annus horribilis of the Service, as we will see in this post.

Holland

On October 4th, the Dutch military intelligence service, the MIVD (Militaire Inlichtingen- en Veiligheidsdienst), disclosed at a press conference ([1]) the operation carried out in April in which four GRU members were identified and expelled from the country on charges of attacking the Organization for the Prohibition of Chemical Weapons (OPCW). As the US Department of Justice did in July, it provides a wealth of detail about the identities, techniques, security measures, objectives … of GRU agents operating on Dutch soil with diplomatic passports. According to this information, four agents of the Service (two assigned to Unit 26165, Aleksei SERGEYEVICH MORENETS and Evgenii MIKHAYLOVICH SEREBRIAKOV, and two possibly assigned to Unit 22177, Alexey VALEREVICH MININ and Oleg MIKHAYLOVICH SOTNIKOV) land in the Netherlands on April 10 and are received by staff from the Russian Embassy in that country; they rent a car and execute a close access operation to try to compromise the security of the OPCW. They are identified, cash and technical equipment are seized (the equipment, which of course is analyzed in detail and reveals data from other operations, includes devices to attack wireless networks), and they are escorted to an Aeroflot plane that returns them to Russia. In the face of the serious Dutch accusations, Russia maintains that its agents were simply conducting a security inspection at the country’s embassy in the Netherlands.

(Cyber) GRU (IV): September 2018

Sergei Skripal was a GRU agent who was arrested in 2004. He was accused of collaborating with the British MI6, sentenced for high treason and imprisoned until 2010, when he was exchanged for Russian agents arrested as part of ‘Operation Illegal’. Since then, he had lived in the United Kingdom, apparently away from any “annoying” activity linked to his past as a member of the Service. However, in March 2018, he was found unconscious together with his daughter Yulia, who was visiting the United Kingdom, in a bank in Salisbury, allegedly the victim of an attack with Novichok, a Soviet nerve agent. The United Kingdom blames Russia for this attack without much detail.

At the end of June two Britons, a man and a woman, were admitted to the Salisbury District Hospital. An ambulance brought them from Amesbury, a few kilometres from where the former GRU agent and his daughter were poisoned. The investigation confirmed that they had also been poisoned with Novichok, apparently by accident: neither of them had any previous connection with what happened in March and, possibly, they found the nerve agent by chance in what appeared to be a bottle of perfume abandoned in a park. The woman died in early July as a result of the effects of the poisoning.
