Understanding Russia’s Intelligence Agencies Part 3: The GRU explained

The GRU’s Role in Cyber Espionage and Sabotage

Jeremy Fernandez
Sep 7, 2024

Introduction

This is the last section of my three-part series explaining Russian intelligence agencies. In part one we discussed the Federal Security Service (FSB), while in part two we explained the Foreign Intelligence Service (SVR).

In this article, we talk about the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), its role in supporting Russian military intelligence requirements, its cyber operations, and its geopolitical impact.

Although the GRU is not a pure cyber agency, we will focus heavily on its cyber operations, as these have the most significant global impact.

Historical Evolution

The GRU was created in 1918, during the Bolshevik Revolution, as the Soviet Union’s first military intelligence agency. It operated alongside the KGB and remained heavily focused on collecting military and strategic intelligence, continuing to do so even after the collapse of the Soviet Union in 1991.

The 2008 Russo-Georgian War exposed the GRU’s shortcomings, leading to a period of decline. Blamed for the lack of proper intelligence, the GRU underwent leadership changes, downsizing, and a reduction in its responsibilities. This forced the GRU to start prioritizing aggressive operations such as assassinations, proxy warfare, and cyber operations. Their capabilities were shown during the 2014 annexation of Crimea, where the GRU proved crucial in providing intelligence that contributed to Russia’s victory.

Role of the GRU

The GRU is a part of the Russian armed forces. It is responsible for all levels of military intelligence, which include Human Intelligence (HUMINT), Signals Intelligence (SIGINT) and Electronic Intelligence (ELINT). The GRU also commands the Russian Spetsnaz, a special forces unit with a heavy focus on field reconnaissance, raiding, sabotage, and the training of proxy and mercenary units.

Unlike the FSB and the SVR, the GRU is unique in its role as both an intelligence agency and a military organization. Although both the GRU and the SVR are responsible for collecting foreign intelligence, the GRU focuses on militarily relevant information and the SVR on political intelligence.

Organizational Structure of the GRU

According to the American Congressional Research Service, the GRU is divided into 15 directorates: 4 regional and 11 mission-specific. Within the directorates are multiple sub-directorates or individual units. For example, the GRU’s cyber capabilities are located within the Sixth Directorate and include Unit 26165 and Unit 74455.

Regional Directorates (4) and Mission-Specific Directorates (11)

  1. First Directorate: European Union
  2. Second Directorate: North and South America, United Kingdom, Australia, New Zealand
  3. Third Directorate: Asia
  4. Fourth Directorate: Africa
  5. Fifth Directorate: Operational Intelligence
  6. Sixth Directorate: Electronic/Signals Intelligence
  7. Seventh Directorate: NATO
  8. Eighth Directorate: Spetsnaz
  9. Ninth Directorate: Military Technology
  10. Tenth Directorate: Military Economy
  11. Eleventh Directorate: Strategic Doctrine
  12. Twelfth Directorate: Information Operations
  13. Space Intelligence Directorate
  14. Operational and Technical Directorate
  15. External Relations Department

Spetsnaz GRU

The Spetsnaz is a specialized unit focused on field reconnaissance, sabotage, and combat missions. It also plays a role in creating and managing proxy forces, often made up of organized criminals, warlords, or former rebels. Spetsnaz operators typically act as overseers and trainers, directly subordinating these proxy units to the GRU. Notable examples include the Second Chechen War, where pro-Russian Chechens were trained and managed by the Spetsnaz, and the Syrian civil war, where the Spetsnaz provided training to the Syrian army and other militia forces.

Cyber Operations

The GRU has two specialized cyber units that conduct espionage and sabotage operations based on the Kremlin’s requirements:

Unit 26165 (APT28 / Fancy Bear)

Unit 26165 is known for targeting Western nations, particularly NATO countries. The group focuses on infiltrating government institutions and political entities to gather intelligence.

  • 2015 German Bundestag: At the beginning of 2015, Fancy Bear launched a spear-phishing campaign and successfully infiltrated the German Federal Parliament’s network. The hackers accessed sensitive data, including confidential emails, schedules, and meeting details, and maintained unauthorized access for several months before detection. The breach, which resulted in the theft of approximately 16 GB of data, prompted a four-day shutdown of the Parliament’s computer system.
  • 2016 Democratic National Committee (DNC): Fancy Bear, alongside Cozy Bear (part of the SVR), infiltrated the DNC’s network and stole over 19,000 emails and 8,000 attachments. The leaked emails caused a huge controversy, leading to the resignation of key DNC figures and altering the election campaign. U.S. intelligence agencies later concluded that the operation was part of Russia’s efforts to influence the election, sway public opinion, and cause internal unrest.
  • 2016 World Anti-Doping Agency (WADA): WADA was targeted by Fancy Bear, and the incident resulted in the unauthorized access to and leak of medical records of multiple athletes. The group, posing as the “Fancy Bear Hack Team”, released data that included “Therapeutic Use Exemptions”, which allowed certain athletes to use banned substances for medical reasons. This operation was seen as retaliation for the banning of multiple Russian athletes for doping and their exclusion from other sporting events. The leak aimed to discredit and undermine the credibility of WADA.

(Image caption: Fancy Bears’ Hack Team)

Unit 74455 (APT44 / Sandworm)

Unit 74455 is infamous for destructive cyberattacks against critical infrastructure, and Sandworm has established itself as Moscow’s primary cyber sabotage unit. A distinctive characteristic of Sandworm is its use of the Telegram channel of the popular Russian hacktivist group “Народная CyberАрмия” (Cyber Army of Russia Reborn) to announce the success of its attacks and to share data leaks.

  • 2015 and 2016 Cyberattacks on Ukraine’s power grid: Sandworm is best known for its cyberattacks on Ukraine’s power grid, the first known instances of cyber operations causing power outages. In December 2015, Sandworm launched an attack on Ukraine’s power grid which caused blackouts that affected nearly 230,000 residents. In 2016, Sandworm escalated its efforts with a more advanced attack on Ukraine’s power infrastructure, deploying the Industroyer malware, designed specifically to disrupt industrial control systems.
  • 2017 NotPetya: Disguised as a variant of the Petya ransomware, NotPetya initially spread through Ukrainian networks and eventually reached organizations around the world. NotPetya was actually a wiper in disguise, designed to permanently encrypt data and render it unrecoverable. The attack disrupted critical infrastructure, hospitals, power plants, and transportation systems, leading to disruptions in essential services and a significant humanitarian impact. NotPetya is estimated to have caused roughly 10 billion dollars in global damages.
  • 2018 Pyeongchang Winter Olympics disruption: In February 2018, Sandworm targeted the Pyeongchang Winter Olympics opening ceremony in South Korea. Known as the “Olympic Destroyer,” this malware disrupted the Olympic IT infrastructure, internet access, broadcast systems, and the official website. The attack was a false flag operation, initially designed to look like the work of North Korean or Chinese hackers. It was later attributed to Sandworm, as investigators identified the use of tools and tactics previously associated with the GRU.

Geopolitical Impact

The GRU’s attacks on Ukraine’s power grid have shown how cyber attacks can be used to cause physical damage. The targeting of critical infrastructure has allowed the GRU not only to cause significant physical disruption, but also to inflict psychological terror on ordinary citizens, such as the blackouts that ensued after the power grids were hit. This raises the possibility that other threat actors will emulate such methods and use them as a tool of war, conducting cyber attacks on gas, water and power supplies in conjunction with a physical assault by the conventional military in a kind of hybrid warfare.

Sandworm’s use of hacktivist groups to announce the success of its cyber attacks is also unique and could lead to an interesting trend in the future. Today’s hacktivists often show a high level of patriotism for their country. APTs can take advantage of this behaviour by garnering their support and providing them with advanced training. This could lead to hacktivists being used as proxies for APTs in the same manner that the Spetsnaz trains proxy units and subordinates them to the GRU. This strategy serves as a force multiplier and could increase the impact of future cyber attacks and complicate attribution efforts.

Conclusion

The transformation from a traditional military intelligence agency to one with advanced cyber capabilities shows us how the GRU is shifting from traditional intelligence methods to a focus on those in cyberspace. This has allowed Russia to project influence and cause disruption to their adversaries on a global scale.

Although most of the news we see of the GRU is of cyber attacks, it is important to remember that they are primarily a military organization. Their broader mandate allows the GRU to operate more aggressively compared to its intelligence counterparts.

As discussed earlier, the GRU’s cyber units are of significant interest. Fancy Bear has a heavy focus on cyber espionage and conducts high-profile hacks, while Sandworm has a huge emphasis on using its cyber capabilities for sabotage and to cause widespread destruction. By understanding their roles and being aware of notable cyber operations that have occurred, we can better appreciate the destructive cyber capabilities the GRU possesses.

Author’s notes:

This article was significantly harder to write compared to the rest due to the extent of the GRU’s military capabilities. It was challenging trying to condense the amount of information I had into easily readable paragraphs. I ended up putting more focus on its cyber operations instead of its traditional intelligence collection activities.
