Information operations · Information Warfare · Russia

Why we know so much about Russia’s GRU operations

Russian President Vladimir Putin stands with a gun at a shooting gallery of the new GRU military intelligence headquarters building as he visits it in Moscow November 8, 2006. [Reuters]
The curious question is “why”.  

Why is the GRU so sloppy?  Why is the GRU using public databases?  Why can the GRU be so easily tracked?  Why are GRU operations so bullheaded and stupid?

The answer is fairly simple. The FSB and the SVR have higher priority when it comes to cover status, using private databases, and dedicated cover operations. 

Another consideration is the fact that the GRU is military, and therefore might be considered less than the FSB and SVR in the pecking order. Lesser status means less access to the means necessary to hide their status, obfuscate their travel plans, perhaps prevents them from receiving the proper training. Last, and the most curious part, there should be no need to keep taxi receipts.

Colonel General Igor Korobov

I see two outcomes.  Colonel General Igor Korobov will demand adequate access to the resources necessary to properly prepare cover status documents, planning, and operations for the GRU. The second choice is the GRU will refuse to do these type operations which doctrinally fall within the realm of the SVR, outside Russia.  This would put an undue burden on the SVR.  No Russian intelligence agency would ever ask for a reduction in their operational scope.  Consequently, General Korobov will demand greater access to the resources necessary to properly train and equip his people to do covert operations. 

No?  General Korobov will be forced to internally shift resources and make the capabilities “out of hide“.  Unit 26165 will also have a new commander, goodbye Colonel Dmitry Aleksandrovich Mikhailov. He’s only been there since January 2018, so sad.

The change will not be immediate but in about six months time we should see some changes. 

<End editorial>

Russia’s military intelligence has failed spectacularly to cover up its tracks at home and abroad.


On March 16, 2015, I received an email saying that there has been an attempt to break into my Gmail account and that I needed to change my password immediately. The blue “change password” button looked indeed quite tempting on the screen of my phone, but before pressing it, I noticed that the address from which the email was sent was a bit strange:

The mobile version of Gmail would normally cut off part of this address and most users would not notice its weird tail. But I did.

In the coming months, I kept receiving such emails which I ended up sending to four cybersecurity organisations. Investigating the emails, they all reached the same conclusion: that the hacker group APT28, also known as Fancy Bear and Pawn Storm, was behind these phishing attempts.

And I was not the only one targeted by APT28. Dozens of other Russian journalists, activists and NGO workers received such emails, and so did state institutions of many Western countries.

A year later, Fancy Bear became known internationally. In July 2016, the whistle-blower website WikiLeaks published the contents of the Democratic National Committee’s mail server, which some believe ended up costing Hillary Clinton the presidency. The hack was attributed to that same cyber group.

Over the past two years, Russian hackers have also been accused of attacking NATO, the Organization for Security and Cooperation in Europe (OSCE), the Organisation for the Prohibition of Chemical Weapons (OPCW), the International Olympic Committee, the World Anti-Doping Agency, various ministries in Denmark, Italy, and Germany, the Joint Investigation Team tasked with investigating the downing of flight MH17 over Ukraine, and various other institutions in the Czech Republic, Poland, Germany, Lithuania, Latvia, Estonia, Ukraine, Norway, etc.

In the fall of 2017, Russian hackers attacked the election campaign of Emmanuel Macron ahead of the French presidential vote and released a number of files and emails. But in doing so, they made one major mistake: they left behind metadata which contained a Russian name – Georgy Petrovich Roshka.

I, along with a number of colleagues, was able to identify this man as a member of the special army unit 26165 of the GRU. A year later, the US Department of Justice published a list of 12 GRU agents, some of whom are members of that same unit, who are accused of being behind the DNC server attack.

Now, more than three years after the first phishing attempt on my email, the tables have turned. The hackers failed to obtain my personal information, but I have succeeded in uncovering theirs. As I’m writing this, I have on my screen a list of 305 potential GRU agents with their names, surnames, passport numbers and even their mobile phones.

All of them had registered their cars at the same address in Moscow, Komsomolsky Prospekt 20, the address of unit 26165. The reason we were looking for these registrations in a publicly available traffic police database is that one of the GRU officers the Netherlands is accusing of trying to hack into the OPCW has a car registered to that address.

The man in question, Alexey Morenets, was named as one of four GRU agents caught in April in a parking lot in The Hague while trying to hack into the OPCW. The Dutch authorities also uncovered that the four were looking into hacking a laboratory in Switzerland that had tested samples of the substance used in the poisoning of former Russian double agent Sergei Skripal in Salisbury, UK, earlier this year. Apart from hacking equipment, Dutch police also uncovered a taxi receipt for a trip from the GRU office directly to an airport in Moscow. It is kind of funny that a GRU agent would keep such an incriminating receipt, probably hoping to expense his taxi ride after coming back from the “business trip”.

Apart from car registration records, another way for us to uncover GRU agents has been their passport number sequencing. A few weeks ago, British authorities released the passport details of the two Russian men, Alexander Petrov and Ruslan Boshirov, they suspect of being behind the Skripal poisoning. We noticed that their passport numbers were almost completely identical except for one of the last digits. Our investigation showed that there are other GRU agents who have passports with this sequence of numbers.

When I wrote in September about the blunders of the GRU, I did not even think that it would be so easy to uncover the names of hundreds of potential agents. If journalists like me are able to access this information through open source investigations, then imagine what western intelligence services can do.

Over the past few years, the Kremlin has used the GRU for a number of subversive operations abroad including assassinations, cyber attacks and infiltration of border territories. Every time, it has denied responsibility but has also failed to properly cover up its tracks.

Today there is so much evidence uncovered of Russian intelligence operations abroad, that even people in Russia, where Petrov and Boshirov became internet memes, do not believe the Kremlin’s claim to innocence.

If the GRU’s mission was to incite divisions and instability in the West, it seems to have failed. As a result of Russia’s aggressive intelligence activities, the West has formed an increasingly united front against it and even spoilers like Donald Trump and Brexit will not be able to bring it down.

New sanctions on Russia are being prepared, and it seems that hopes for a rapprochement or a restart in relations have been dashed.

While in 2016, Trump was able to challenge speculations of Russian involvement in the DNC hack, today he no longer can. We have plenty of evidence about it and other crimes, and we have the identities of the perpetrators with their names, passport details and even mobile phone numbers.

The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial policy. 



4 thoughts on “Why we know so much about Russia’s GRU operations

  1. What I don’t understand is this: (1) How come the 4 men had diplomatic passports with consecutive serial numbers: this only proves they were part of the same gang. (2) How come one of them carried a laptop with details of the operation, but also about an old unrelated operation, that of the cover up of the separatists using a BUK missile system to down flight MH-17 over Eastern Ukraine, mistaking it for an Ukrainian troop transport aircraft? This is very amateurish.

    The GRU has a significantly greater budget for foreign operations than the SVR, as far as I know.

    1. The SVR/GRU working relationship and assignments appear to be morphing. I know the folks in Finland are working against the SVR exclusively but the folks in Ukraine are taking on the FSB as well as the GRU. I wonder who is their NDI?

      The GRU is operating in the UK in what appears to be for an assassination only, leaving the SVR to do normal clandestine work. This leaves the limited UK SVR assets unblemished and unexposed. I’ve been seeing this tendency lately, it seems to be a trend. ‘not sure, just supposing…

      This also appears to be the case in The Hague, with the GRU doing the once and done task, leaving the SVR to do their normal, deeper work.

      Why would they carry that incriminating information with them? That mystifies, stupifies, and just plain old puzzles me. Bad training, lack of foresight, lack of supervision, too quick off the trigger (too quick to launch), or, perhaps, it’s sheer arrogance.

      I just confirmed you are correct for the GRU having six times the resources as the SVR, but that appears true in the 90s.

      This also appears to be a radical change from the Litvinenko assassination, carried out by the SVR in 2006. The SVR used to specialize in political assassinations.

      I still can’t rule out the Skripals were possibly assassinated because of a Russian Oligarch’s complaint they were hurt by Sergei Skripal when he was working in Spain with the Spanish and British authorities.

      1. Joel: All hacking operations in the US and Europe are also apparently conducted by the GRU (by the FSB in Russia’s near abroad). I hope we’ll learn form Yevgeniy Nikulin who’s now in the US..

Comments are closed.