Why we know so much about Russia’s GRU operations

Russia’s military intelligence has failed spectacularly to cover up its tracks at home and abroad.

Vladimir Putin
Russian President Vladimir Putin stands with a gun at a shooting gallery of the new GRU military intelligence headquarters building as he visits it in Moscow November 8, 2006. [Reuters]

On March 16, 2015, I received an email saying that there has been an attempt to break into my Gmail account and that I needed to change my password immediately. The blue “change password” button looked indeed quite tempting on the screen of my phone, but before pressing it, I noticed that the address from which the email was sent was a bit strange: no-reply@accounts.google.com.mail.com

The mobile version of Gmail would normally cut off part of this address and most users would not notice its weird tail. But I did.

In the coming months, I kept receiving such emails which I ended up sending to four cybersecurity organisations. Investigating the emails, they all reached the same conclusion: that the hacker group APT28, also known as Fancy Bear and Pawn Storm, was behind these phishing attempts.

And I was not the only one targeted by APT28. Dozens of other Russian journalists, activists and NGO workers received such emails, and so did state institutions of many Western countries.

A year later, Fancy Bear became known internationally. In July 2016, the whistle-blower website WikiLeaks published the contents of the Democratic National Committee’s mail server, which some believe ended up costing Hillary Clinton the presidency. The hack was attributed to that same cyber group.

Over the past two years, Russian hackers have also been accused of attacking NATO, the Organization for Security and Cooperation in Europe (OSCE), the Organisation for the Prohibition of Chemical Weapons (OPCW), the International Olympic Committee, the World Anti-Doping Agency, various ministries in Denmark, Italy, and Germany, the Joint Investigation Team tasked with investigating the downing of flight MH17 over Ukraine, and various other institutions in the Czech Republic, Poland, Germany, Lithuania, Latvia, Estonia, Ukraine, Norway, etc.

In the fall of 2017, Russian hackers attacked the election campaign of Emmanuel Macron ahead of the French presidential vote and released a number of files and emails. But in doing so, they made one major mistake: they left behind metadata which contained a Russian name – Georgy Petrovich Roshka.

I, along with a number of colleagues, was able to identify this man as a member of the special army unit 26165 of the GRU. A year later, the US Department of Justice published a list of 12 GRU agents, some of whom are members of that same unit, who are accused of being behind the DNC server attack.

Now, more than three years after the first phishing attempt on my email, the tables have turned. The hackers failed to obtain my personal information, but I have succeeded in uncovering theirs. As I’m writing this, I have on my screen a list of 305 potential GRU agents with their names, surnames, passport numbers and even their mobile phones.

All of them had registered their cars at the same address in Moscow, Komsomolsky Prospekt 20, the address of unit 26165. The reason we were looking for these registrations in a publicly available traffic police database is that one of the GRU officers the Netherlands is accusing of trying to hack into the OPCW has a car registered to that address.

The man in question, Alexey Morenets, was named as one of four GRU agents caught in April in a parking lot in The Hague while trying to hack into the OPCW. The Dutch authorities also uncovered that the four were looking into hacking a laboratory in Switzerland that had tested samples of the substance used in the poisoning of former Russian double agent Sergei Skripal in Salisbury, UK, earlier this year. Apart from hacking equipment, Dutch police also uncovered a taxi receipt for a trip from the GRU office directly to an airport in Moscow. It is kind of funny that a GRU agent would keep such an incriminating receipt, probably hoping to expense his taxi ride after coming back from the “business trip”.

Apart from car registration records, another way for us to uncover GRU agents has been their passport number sequencing. A few weeks ago, British authorities released the passport details of the two Russian men, Alexander Petrov and Ruslan Boshirov, they suspect of being behind the Skripal poisoning. We noticed that their passport numbers were almost completely identical except for one of the last digits. Our investigation showed that there are other GRU agents who have passports with this sequence of numbers.

When I wrote in September about the blunders of the GRU, I did not even think that it would be so easy to uncover the names of hundreds of potential agents. If journalists like me are able to access this information through open source investigations, then imagine what western intelligence services can do.

Over the past few years, the Kremlin has used the GRU for a number of subversive operations abroad including assassinations, cyber attacks and infiltration of border territories. Every time, it has denied responsibility but has also failed to properly cover up its tracks.

Today there is so much evidence uncovered of Russian intelligence operations abroad, that even people in Russia, where Petrov and Boshirov became internet memes, do not believe the Kremlin’s claim to innocence.

If the GRU’s mission was to incite divisions and instability in the West, it seems to have failed. As a result of Russia’s aggressive intelligence activities, the West has formed an increasingly united front against it and even spoilers like Donald Trump and Brexit will not be able to bring it down.

New sanctions on Russia are being prepared, and it seems that hopes for a rapprochement or a restart in relations have been dashed.

While in 2016, Trump was able to challenge speculations of Russian involvement in the DNC hack, today he no longer can. We have plenty of evidence about it and other crimes, and we have the identities of the perpetrators with their names, passport details and even mobile phone numbers.

The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial policy.