Recent Revelations About “Fancy Bear”: Russia’s Military Hacking Unit

Official Russian passport of Aleksei Sergeyevich Morenets, a GRU officer with Unit 26165. Released by the Department of Justice as an exhibit accompanying the indictment of Morenets and six of his colleagues, October 4, 2018. Source: https://www.justice.gov/opa/documents-and-resources-october-4-2018-press-conference

It has been widely reported that the 2016 election-related hacking of email accounts affiliated with the Democratic Party and Hillary Clinton campaign was the work of hackers affiliated with Russian military intelligence, the Glavnoye Razvedyvatel’noye Upravlenie (GRU), the Main Intelligence Directorate of the Armed Forces General Staff. Known as Advanced Persistent Threat (APT) 28, or “Fancy Bear”, among other terms, the GRU hacking unit has been one of the world’s most active. A number of recent documents released by the US Department of Justice and several allied governments have provided much greater detail on the GRU’s cyber activities.

 

Unit 26165

A July 13, 2018 indictment returned by a grand jury in the District of Columbia revealed that “Fancy Bear” is, in fact, part of the GRU. Known officially as Unit 26165, the section consists of Russian military intelligence officers trained in hacking and cyberespionage. In March 2016, Unit 26165 began targeting individuals affiliated with the Clinton campaign and Democratic Party:

In 2016, officials in Unit 26165 began spearphishing volunteers and employees of the presidential campaign of Hillary Clinton, including the campaign’s chairman. Through that process, officials in this unit were able to steal the usernames and passwords for numerous individuals and use those credentials to steal email content and hack into other computers. They also were able to hack into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) through these spearphishing techniques to steal emails and documents, covertly monitor the computer activity of dozens of employees, and implant hundreds of files of malicious computer code to steal passwords and maintain access to these networks. (Grand Jury Indicts 12 Russian Intelligence Officers)

According to the indictment, over 300 persons were targeted by Unit 26165 as part of its election-related hacking.

The stolen information was then weaponized as part of what is termed an “active measures” campaign, beginning in June 2016. This part of the operation, which involved releasing the various documents obtained in order to shape public opinion, was conducted by a separate GRU cyber element called Unit 74455. This unit created a website called DC Leaks, as well as a fake online persona called “Guccifer 2.0”, an alleged Romanian hacker who claimed credit for the DNC hack. In July, Guccifer 2.0 passed on the stolen material to WikiLeaks, which began releasing it later that month.

In all, 12 GRU officers were indicted on July 13. Nine of them were members of Unit 26165, including its commanding officer, Viktor Borisovich Netyksho. The other three were members of Unit 74455, including its commander, Colonel Aleksandr Vladimirovich Osadchuk.

 

Other GRU Hacking Operations

The broader scope of Unit 26165’s hacking was revealed by a second American indictment, this one from a grand jury in the Western District of Pennsylvania, and released on October 4, 2018. This indictment charged seven GRU officers with “computer hacking, wire fraud, aggravated identity theft, and money laundering.” Five of the seven men indicted were identified as part of Unit 26165, and three of those five had already been indicted in July for election-related hacking:

According to the indictment, beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.

Among the goals of the conspiracy was to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs. (U.S. Charges Russian GRU Officers)

Among the specific targets of these GRU cyberespionage efforts were the World Anti-Doping Agency, the United States Anti-Doping Agency, the Organisation for the Prohibition of Chemical Weapons, and Westinghouse Electric Company. The international scope of the GRU’s efforts is corroborated by additional information released on October 4 by the United Kingdom, the Netherlands, and Canada in support of the US indictment.

 

Previous CWIS Blog Posts on the GRU:

The “Neighbors”: The GRU in America, from “Ales” to “Fancy Bear”

 

Federal Government and Other Primary Sources on Unit 26165:

Documents and Resources from the October 4, 2018 Press Conference. Department of Justice Office of Public Affairs, October 4, 2018.

Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election. Department of Justice Office of Public Affairs, July 13, 2018.

National Security Archive. Cyber Brief: GRU Cyber Operations.
- Collection of unclassified US government documents related to 2016 Russian election-related hacking and active measures.

Netherlands Defence Intelligence and Security Service Disrupts Russian Cyber Operation Targeting OPCW. Netherlands Ministry of Defence, October 4, 2018.

Reckless Campaign of Cyber Attacks by Russian Military Intelligence Service Exposed. UK National Cyber Security Centre, October 4, 2018.

U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations. Department of Justice Office of Public Affairs, October 4, 2018.

U.S. v. Aleksei Sergeyevich Morenets, et al. Department of Justice, October 4, 2018.

U.S. v. Viktor Borisovich Netyksho, et al. Department of Justice, July 13, 2018.