Last week was a rough one for Russia's military intelligence service. On Oct. 4, the U.S. Department of Justice announced the indictment of seven officers of the Main Intelligence Directorate (known as the GRU by its Russian acronym) in connection with hacking operations. At the same time, Dutch intelligence services released a report on the April arrest of four of the men that included their passport information and photos of their hacking equipment. Then independent investigators, using the internet and social media, dug up additional information on the GRU's cyberwarfare unit, confirming the identity of one of the suspects in a nerve agent poisoning in the United Kingdom and identifying the second suspect for the first time.
These developments emphasize how social media and open-source information on the internet — though inherently neutral — can be used for either good or ill. It is highly ironic that the GRU, which has been quite successful in using social media to stir up discord inside the United States and Europe, also has been embarrassed by open-source reporting. These recent developments also show how technological innovation is changing the spying game, and intelligence services are moving — sometimes not so quickly — to adapt.
As Russia continues its efforts to expand its influence, it uses all the tools of state power, including its intelligence services. This has resulted in an intelligence battle that has spanned the globe — and cyberspace. And the development of new technologies means that the Russian intelligence agencies and their opponents will have to adapt to the challenges and opportunities these innovations present.
GRU: Busted and Exposed
Last week, a federal grand jury in western Pennsylvania indicted seven GRU officers in connection with hacking operations against the World Anti-Doping Agency, Westinghouse Electric Co. and the Organization for the Prohibition of Chemical Weapons (OPCW). In a coordinated move, the Dutch Military Intelligence and Security Service (MIVD) revealed evidence from the April 13 arrest of four of the men in The Hague; they had been attempting to hack into the OPCW wireless data network. The Dutch had questioned them and then expelled them from the Netherlands; they had been traveling on Russian diplomatic passports. The Dutch report contained photos of the men and other items of interest, including a receipt from one, Aleksei Morenets. It showed that he had taken a taxi from GRU headquarters to Sheremetyevo International Airport in Moscow (yes, it appears that even GRU officers need to save receipts for their travel vouchers).
Sadly for Morenets, the receipt was not the end of his woes. A student in an intelligence seminar reportedly found an online dating profile for him, which happened to contain a selfie profile picture that showed the GRU building in the background. The student sleuth was associated with Bellingcat, an organization that uses open sources and social media to conduct online investigations. Working with the citizen journalism organization The Insider Russia, Bellingcat was able to confirm that Morenets was his real name, and not a pseudonym. They also discovered that his vehicle was registered to Komsomolsky Prospekt 20 in Moscow; that address is associated with Unit 26165 of the GRU, which U.S. and Dutch law enforcement say is its cyberwarfare department. Bellingcat reported that a search for other vehicles registered at that address turned up 305 names, potentially providing an extensive list of GRU cyberwarfare personnel — an embarrassing breach of operational security for the intelligence agency.
But the bad news for the GRU doesn't end there. Earlier in September, Bellingcat and The Insider had identified Anatoly Vladimirovich Chepiga, a GRU officer who had been awarded the Hero of Russia, his country's highest medal, as the true identity of Ruslan Boshirov, one of the two GRU officers whom the British government has accused of poisoning former Russian agent Sergei Skripal and his daughter Yulia with the nerve agent Novichok in Salisbury, England. On Sept. 26, Kremlin spokesman Dmitry Peskov claimed that President Vladimir Putin had never awarded the Hero of Russia to anyone by that name. Then on Oct. 2, Radio Liberty reported that photos of Chepiga had indeed been featured in a Russian military museum, belying the Kremlin's claim and supporting the assertions made by The Insider and Bellingcat.
And on Oct. 9, Bellingcat revealed the real name of the second Skripal suspect. The website reported that Alexander Petrov is actually Dr. Alexander Yevgenyevich Mishkin of the GRU. The report included a photo of his 2001 Russian passport and a brief history of his life.
These revelations by Bellingcat, The Insider and Radio Liberty demonstrate the power of open-source information available on the internet and through social media, and how such groups can serve as powerful force multipliers when governments release information on suspects in high-profile cases, including clandestine operations conducted by intelligence agencies.
Adapting to Technology
While these revelations have proved embarrassing for the GRU, they also illustrate the power of social media and the internet and demonstrate how neutral technologies can be weaponized. This principle, which can be applied to any technology, has repeatedly influenced intelligence operations for decades. The intelligence business has long had to adapt to technological advancements that challenge tradecraft practices. The advent of photography, for instance, allowed intelligence officers to record events and document items such as military equipment; it also allowed counterintelligence forces to take and distribute photos of the intelligence officers and their operations. The inventions of the telegraph, radio, automobiles, airplanes, satellites, cellphones, night vision and thermal imaging equipment have all handed useful tools to intelligence officers, while also creating hurdles for them to overcome as they practiced their clandestine duties.
In recent years, the proliferation of digital closed-circuit television (CCTV) coverage in many cities and venues has proved to be a test of an officer's abilities. This tradecraft vulnerability was perhaps first widely noticed by the public when CCTV video was released of the assassination team that killed Hamas leader Mahmoud al-Mabhouh in a hotel in Dubai, United Arab Emirates, in January 2010. Now, it is possible in many cities to track a subject using only cameras, without needing to have a surveillance team nearby. This means that intelligence officers need to beware of cameras as well as physical surveillance.
And recent advancements in digital media storage and retrieval have made CCTV a powerful investigative tool. Facial recognition software is being married to many CCTV systems, making the monitoring of people of interest — such as intelligence officers — even easier. Indeed, it was CCTV coverage that allowed British authorities to connect the GRU officers to the Skripal residence in Salisbury, and then track their activities back to their hotel and even their arrival at the airport.
But what is so remarkable about the Skripal case and the Dutch hacking arrests, besides the use of CCTV, is how open-source investigators were able to find additional information on the suspects. In the Skripal case, citizen journalists dug up the true identities of the GRU officers based on their photos and aliases. The technique cuts both ways: Russian nationalist netizens could dig up similar information on Western intelligence officers caught operating in Russia, and foreign intelligence officers could find themselves in similar predicaments in other countries.
Indeed, in the current atmosphere, it is more difficult than ever for intelligence agencies to construct robust cover identities (legends), including a false history of employment, schools, credit and relatives, for their officers. It may seem prudent for intelligence officers to abstain from any internet activity, but anyone who doesn't have a significant internet footprint is also suspect. The difficulty also extends to setting up front companies to backstop intelligence officers. It is no longer enough to open a post office box and have a receptionist answer a listed phone number with "Acme Widgets." Front companies need to have deep links and digital footprints to be believable. As portrayed in the movie "Argo," the CIA showed true ingenuity in getting a group of U.S. diplomats out of Tehran during the 1979-80 hostage crisis under the guise of filming a movie, but such subterfuge would be far more difficult in the internet age, when a claimed film studio's history, staff and press coverage can be checked online within minutes.
But none of the obstacles presented by new technologies is likely to prove insurmountable for intelligence agencies. They will undoubtedly require work and ingenuity to counter, most likely through the advent of new technologies and techniques. The agencies are almost certainly conducting significant research on ways to spoof or jam CCTV cameras and developing techniques to fool facial recognition software and biometric screening systems. Those agencies are also surely perfecting ways to forge convincing digital footprints for cover identities. Just as in the past, new technologies will present challenges to intelligence officers, but they will also find ways to use them to their own advantage. They will, however, need to practice more care for their operational security than the GRU has shown in recent operations, where a dating-profile selfie, a taxi receipt and a shared vehicle-registration address were enough to expose individual officers and an entire unit.