(Cyber) GRU (XIV): conclusions

In this work, we have analyzed mainly the structure, targets and TTP of the GRU in the cyber field, based on the information brought to light during 2018 and which allowed to obtain a detailed knowledge of the Service and its activities, not only to intelligence services, but also to poor analysts like us who do not have all the capabilities that a state can have. With what we know, even analyzing public sources, we have access to information that in some cases should be considered sensitive and that, without a doubt, is being -or has been- analyzed by services from all over the world, starting with Russia itself.

The fact that we know the GRU better than a year ago does not mean that now it is a worse service than before; it will remain part of the elite, fulfilling its missions and acting “in any part of the world where it is required“, said one of its former directors. The GRU, or APT28, or whatever you want to name it, will continue to be a very important player in the cyber field and, of course, in the non-cyber realm. We all make mistakes, and the GRU made them on that occasion – and they were published. However, it is more of a concern in certain circles that the GRU failed in its operations than to have leaked the identities or modus operandi of some of its members.

[Read more…]

(Cyber) GRU (XIII): questions and conspiracies

Everything that happened in 2018 in relation to the GRU, both the public accusations of different governments and the private investigations in relation to their activities, make us ask ourselves different questions; surely all of them have an answer, but we do not know them, or at least not for sure… so, we can also talk about conspiracies when it comes to answering these questions. Let’s see them in this section.

How was this information obtained?

We do not know. Certainly not from public sources: surely we are talking about information obtained from human sources, for example, from a possible mole in the Service … or in another service that knows the GRU well.
Some analysts relate to the information that this year saw the arrest, in December 2016, among others of Sergei MIKHAILOV (Coronel of the FSB, Director of the Second Department of the ISC), Dmitry DOKUCHAEV (Commander of the FSB, assigned to the same department as MIKHAILOV and also sought by the FBI) and Ruslan STOYANOV (Kaspersky analyst, but previously linked to the FSB). All of them accused of high treason and could have sold sensitive information to the American intelligence. Could these people have betrayed the FSB, and by extension to the GRU, by providing data on operations, agents, techniques … used by the Service against foreign interests? Could any of the Russian services still have an active mole that sells this information to other intelligence services? Who knows?
[Read more…]

(Cyber) GRU (XII): OPSEC

The GRU members expelled from the Netherlands used basic OPSEC measures, such as throwing out their own rubbish while staying in a hotel; nevertheless, their arrest revealed the lack of other equally basic security measures, that undoubtedly will have given the Service plenty to talk about. Perhaps the proximity operations – at least in the Netherlands – were not considered as a risk by the GRU, perhaps they were considered human failures due to breach of regulations … who knows. The fact is that this poor OPSEC brought to light information on identities, targets, TTP … that allowed us to know the Service a little better during 2018 and that, had they acted otherwise, these evidences wouldn’t be so.

When we talk about OPSEC, beyond formal models and methodologies, we always talk about the three Cs[1]: Cover, Concealment, Compartmentation. The coverage of an operation must allow you to justify where you are (state) and what you are doing (action), the concealment must allow hiding activities or identities related to the operation and, finally, compartmentation, as a final line of defense, must minimize the impact in case things go wrong, not affecting other people, operations, etc.
[Read more…]

(Cyber) GRU (XI): TTP

The information that has come to light in recent months, especially Mueller’s accusation, has identified different tactics and techniques of the GRU, some of them previously known – and in many cases linked to APT28 – and others that, although we could all imagine, no one had previously confirmed. These TTPs are summarized in the following table, based on an adaptation of the tactics and techniques published by MITRE in its ATT&CK framework:... Leer Más

(Cyber) GRU (X): objectives

Apart from some more specific objectives, such as Westinghouse Electric Company’s – with business in nuclear technology – or domestic routers that can be compromised to orchestrate a distributed attack against the real objective, the information published in 2018 has brought to light five major GRU objectives, consistent with the interests of the Service and consequently with those of the Russian Federation; are those exposed at this point.

It is striking that in most of these objectives – with the possible exception of Ukraine and its infrastructures – the GRU has, presumably always, an interest related more to the confrontation of psychological information to which we have referred than with a purely technical attack. In other words, it is unlikely that the GRU will attack targets such as the researchers of the use of Novichok or the demolition of the MH17, which we will see below, with the intention of technologically altering the results of these investigations … it is more likely that the real objective was to obtain information, on the one hand, to know first-hand the state at each moment and on the other, equally important, to obtain data that would allow the Service to initiate disinformation campaigns against these investigating bodies, so that in the face of society they would lose lost credibility in their claims, thus benefiting the interests of the Russian Federation. [Read more…]

(Cyber) GRU (IX): structure. Other units

In addition to the two previous units, which have gained prominence from the information brought to light in 2018, the GRU has other Military Units linked to signal intelligence, cybersecurity or information warfare. Some of which we can find data in public sources are the following:

  • Military Unit 11135 (18th Central Research Institute). Historically ([1]) the Central Scientific Research Institute has been identified within the GRU, which from Moscow designs SIGINT equipment for the GRU and which is perhaps currently this Military Unit, focused today not only on interception of radio and satellite communications but also on wireless devices, SCADA systems or protection of communications ([2]).
  • Military Unit 40904, known as the “177th Independent Center for the Management of Technological Development”. Located in Meshcheryakova, 2 (Moscow), with high probability, this unit specializes in signal intelligence processing ([3]).
  • Military Unit 36360. Apparently it is a training unit of the GRU in which advanced intelligence courses are taught, at least since January 1949. This training, also apparently and according to open sources, includes topics closely linked to the cyber domain such as the following:
    • Telecommunications Engineering (communication by radio, radio broadcasting and television).
    • Technologies, networks and communication systems.
    • Information systems and technologies: information and analysis.
    • Software Engineering.
    • Applied Mathematics and Computer Science.
    • Information security.
    • Computer software.
    • Automated information processing and control systems.
    • Translation and translation studies (linguistics).
  • Military Unit 54726 (46th Central Research Institute), a center focused on military technical information, especially on the capabilities of foreign countries, which potentially includes research in the cyber field.

[Read more…]

(Cyber) GRU (VIII): Structure. Unit 74455

Apparently, Unit 74455 is linked to operations of disinformation, influence, propaganda … which would reconfirm the broad concept of information warfare of the Russian military doctrine. We have already referred to it repeatedly, and to the mixture of the purely technical field with the psychological field (dezinformatsiya, spetspropaganda, kompromat, etc.).

In fact, the US DIA speaks of the confrontation of Russian information (informatsionnoye protivoborstvo, IPb) as the term used by the Government for the information war conflict, with two major measures: technical, as a classic CNO, and psychological, as the attempt to manipulate the population in favour of Russian interests ([1]), speaking openly of “cyber” PSYOP. The first of these measures would correspond to Unit 26165 and the second to Unit 74455.

[Read more…]

(Cyber) GRU (VII): Structure. Unit 26165

Unit 26165 (85th Special Service Center) is located at number 20 of Komsomolskiy Prospekt. Also, at this same address is the Military Unit 06410 (152nd Training Center) with Koval NIKOLAY NESTEROVICH in command, which was created on 08/27/1943. Apparently, this second Unit is not related to the cyber field from a technical point of view, according to available information in public sources such as articles or theses related to military education, psychology, etc.

In the Soviet era, the GRU Service of Decryption was located at number 20 of the Komsomolskiy Avenue in Moscow, to which we have already referred, intimately related to the Sixth Directorate (SIGINT) but not dependent on it. In fact, that historical Service of Decryption is apparently the very Unit 26165, created on May 23, 1953 according to open sources. Apparently, there is public information that confirms its existence at least in 1958, such as the medal commemorating the 60th anniversary of the Unit shown below:

[Read more…]

(Cyber) GRU (VI): and now what?

The information that has come to light during 2018, both the official information of governments of the United Kingdom, the United States, the Netherlands and Canada, as well as the unofficial additional investigations, both individuals and from different organizations (highlighting Bellingcat and RFE/RL, Radio Free Europe/RadioLiberty) has exposed a lot of interesting information about the GRU. It has provided us with data on its units (identification, structure, functions, physical location…), on people who are part of the service (identities, jobs, functions, aliases, relationships, personal scope…) and its operations (objectives, TTP, software, artifacts, IOC…). In addition, they have revealed deficient operational security measures, which have made it possible to broaden the initial investigations even further and have brought to light identities, private homes, relatives… of members – or former members – of the GRU. [Read more…]

(Cyber) GRU (V): October 2018

If 2018 was already a bad year for the GRU, on October 4th, different Western countries gave the final touch to the Service by publishing information about their operations and agents: it is the Netherlands, the United Kingdom, Canada and the United States – and immediately Australia and New Zealand, as is normal, supported their allies. Summarizing: Holland and FVEY finish off the annus horribilis of the Service, as we will see in this post.


On October 4th, the Dutch military intelligence, the MIVD (Militaire Inlichtingen- en Veiligheidsdienst) published in a press conference ([1]) the operation carried out in April in which four GRU members were identified and expelled from the country on charges of attacking the Organization for the Prohibition of Chemical Weapons (OPCW); as the US Department of Justice did in July, it provides a wealth of detail about the identities, techniques, security measures, objectives … of GRU agents operating on Dutch soil with diplomatic passports. According to this information, four agents of the Service (two assigned to Unit 26165, Aleksei SERGEYEVICH MORENETS and Evgenii MIKHAYLOVICH SEREBRIAKOV, and two possibly assigned to Unit 22177, Alexey VALEREVICH MININ and Oleg MIKHAYLOVICH SOTNIKOV) land on April 10 in the Netherlands and are received by staff from the Russian Embassy in this country, they rent a car and execute a close access operation to try to compromise the security of the OPCW. They are identified, money is seized in cash and technical equipment (which of course is analyzed in detail, showing data from other operations) that includes devices to attack wireless networks and are accompanied to an Aeroflot plane that returns them to Russia. In the face of serious Dutch accusations, Russia defends that its agents simply conducted a security inspection at the country’s embassy in the Netherlands. [Read more…]