Sunday, October 07, 2018

How A Dutch Intelligence Agency Exposed Officers In Russia's Notorious GRU

Say hi to Alexsei Morenets.   
Alexsei is an officer specializing in internet technology in the cyber-warfare division of the Russia's Main Directorate of the General Staff of the Armed Forces, the by-now notorious GRU.  Alexei is one of four GRU intelligence agents who traveled to the Hague on diplomatic passports in April where they attempted to hack into the computer network of the Organization for the Prohibition of Chemical Weapons, which was trying to identify the nerve agent that felled former Russian double agent Sergei Skripal, his daughter and three other people in Salisbury, England in March.  
We know that Alexsei and his accomplices were in Holland for purposes other than sniffing the tulips because of the crack Dutch Military Intelligence and Security Service.   
Intelligence agencies tend to be overrated.  Lest we forget, the U.S. Central Intelligence Agency learned of the fall of the Berlin Wall and collapse of the Soviet Union in 1989 on CNN and didn't exactly covered itself in glory in its too-little-too-late investigation of Russia's cybertheft of the 2016 presidential election. 
But the Dutch MIVD is something else.   
The MIVD was the first intelligence agency to alert American authorities that it had evidence that Russia's Federal Security Service, the also by-now notorious FSB, had hacked into the Democratic National Committee's computer system. 
This was in November 2014 
Short-attention-span U.S. authorities shrugged when the MIVD said that hackers using the also by-now notorious name "Cozy Bear" were preparing for a major attack on State Department computers, a precursor to the main event in 2016 when the combined efforts of the GRU and FSB, along with other Russian malefactors, resulted in the improbable presidency of a monster by the name of Donald Trump. 
Oh, and by the way, the MIVD not only had hacked into the FSB's computer system but also had accessed the security camera system in the FSB's Moscow facility and could see who was coming and going in real time. 
Again, U.S. authorities shrugged.  
This is the backstory of how the tiny MIVD took a huge security lapse by the GRU that not only revealed who Alexsei and his fellow travelers were, and subsequently the identities of a total of an astounding three hundred and five people who probably are affiliated with the GRU were revealed by Bellingcat, a British investigative website. 
The first break for the MIVD came when it was realized that Alexsei's real name was Alexsei Morenets and his accomplices also were using their real names and not cover names, which had been used by the GRU officers who slipped into England in March to poison Skripal.
A public document -- a Russian automobile ownership database, of all things -- revealed that one of the four suspects was registered as living at Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the Military Academy of the Ministry of Defence is located. This academy is popularly known as the GRU Conservatory. 
According to the database, Alexei was the registered user and/or owner of a Lada automobile.   
The address to which the Lada was registered was Komsomolsky Prospekt 20 (circled in red in the image above), which happens to be the address of Military Unit 26165, which is GRU's cyber warfare department.  The database also helpfully contained Alexsei's passport number.   
Dutch authorities identified Alexsei's accomplices as Evgenii Serebriakov, who with Alexsei had consecutive passport numbers, and Oleg Sotnikov and Alexey Minin (seen in the image below at Amsterdam's Schiphol Airport on April 10 after arriving from Moscow).  
The four agents rented a Citron C3 on April 11 and parked it in a hotel parking lot as close as possible to the OPCW headquarters.

"They were doing some exploration work for a close-access hack operation," said Onno Eichelscheim, the head of Dutch counterintelligence.  "We know for sure they were not on holiday." 
The four agents planned to travel next to an OPCW-accredited Swiss laboratory in Bern that does research into chemical weapons, Eichelsheim said, but never boarded a train for which they bought tickets tickets for April 17 because Dutch authorities intervened on April 13 and expelled the "diplomats."   In the trunk of the Citron C3 they found laptop computers, an assortment of high-grade equipment used to hack Wi-Fi channels, including a so-called Wi-Fi pineapple, numerous mobile phones and an antenna covered by a coat.   
The laptops contained material related to the Dutch-led investigation into the 2014 downing of Malaysia Airlines Flight 17 over Ukraine by a Russian surface-to-air missile that took the lives of all 283 passengers and 15 crew.   
Russia, of course, has issued blanket denials for the Flight 17 disaster, the Skripal poisoning and the Hague hacking attempt.   
Enter Bellingcat, the investigative web site founded by Eliot Higgins and supported by fellow British citizen journalists.  (Bellingcat is derived from the idiom "belling the cat," which comes from the medieval fable about mice who discuss how to make a cat harmless. One suggests hooking a bell around his neck, and all the mice support the idea but none is willing to do it.)

By searching a database (the website does not say if it is the same automobile owner database) for the same address, Bellingcat was able to identify a total of 305 individuals, whose full names, ages (ranging from 27 to 53), passport numbers and, in most cases, mobile phone numbers are listed. 
If these 305 individuals are indeed officers or otherwise affiliated with the GRU's cyber warefare department, and there is no reason to believe otherwise, it may constitute one of the largest mass breaches of personal data of an intelligence service in recent history. 
Among the morals of this story is that you don't have to be a major player to have a major impact in the global cyberwars.  The MIVD certainly is not; it merely was smart and very clever.  And that the ubiquitousness of databases, whether in Russia or elsewhere, make it very difficult for the foot soldiers in the cyberwars to remain anonymous. 
Meanwhile, last Thursday the U.S. Justice Department announced the indictment of seven GRU officers on cyber hacking charges linked to the leaking of Olympic athletes' drug-test data in an alleged attempt to undermine international efforts to expose Russian doping.   Four of the officers -- Alexsei and his three pals -- also are charged with targeting organizations probing Russia's use of chemical weapons, including the poisoning of Skripal.   
This brings the number of indictments of Russian intelligence officers by Special Counsel Robert Mueller, the U.S. Justice Department and British authorities to 21.   
Not too bad for a witch hunt. 

Click HERE for a comprehensive timeline of the Russia scandal
and related developments.

5 comments:

Bscharlott said...

Ha! GRU agents getting exposed left and right. So the pro forma blanket denials by Moscow seems less and less credible all the time. I wonder if the denials are mainly for the benefit of gullible Russian citizens. But an interesting question is whether being a mendacious bad actor, as Putin is, actually pays benefits. It's been working in the short-term for Trump. Didn't work out so well for, say, Hitler, but he was insane by the end.

Shaun Mullen said...

From a New York Times editorial:

“As for the 2016 election, the Kremlin must be wondering whether helping to put Donald Trump into the White House was really a triumph, given that it has produced no tangible benefits while generating a huge amount of ill will and a barrage of accusations and investigations.

“ . . . Mr. Putin, a former K.G.B. agent, seems not to have fathomed that few in the West are fooled by his propaganda antics or impressed by his power plays, and that his irresponsible cyberattacks serve only to further diminish his country’s already dismal standing in the world.”

Carol Casey said...

This is the only news I have read today. Thanks, Shaun.

Shaun Mullen said...

Perhaps the only "good" news?

Dan Leo said...

Excellent job of reporting and summing-up, Shaun/