The GRU Indictment: Compliance and Information-Security Takeaways

On October 4, the U.S. Department of Justice announced that a federal grand jury in the Western District of Pennsylvania indicted seven defendants — all officers in the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Russian Federation’s Armed Forces — for computer hacking, wire fraud, aggravated identity theft, and money laundering.  The Department stated that according to the October 3 indictment, “beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.”

The goals of the conspiracy included publicizing stolen information “as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs.”  The GRU officers allegedly unlawfully obtained the information to be exploited in several ways.  First, three of the indicted GRU officers and unindicted coconspirators, “often using fictitious personas and proxy servers, researched victims, sent spearphishing emails, and compiled, used, and monitored malware command and control servers.”  Second,

[w]hen the conspirators’ remote hacking efforts failed to capture log-in credentials, or if the accounts that were successfully compromised did not have the necessary access privileges for the sought-after information, teams of GRU technical intelligence officers, including [four of the defendants], traveled to locations around the world where targets were physically located.  Using specialized equipment, and with the remote support of conspirators in Russia, including [one of the defendants], these close access teams hacked computer networks used by victim organizations or their personnel through Wi-Fi connections, including hotel Wi-Fi networks.  After a successful hacking operation, the close access team transferred such access to conspirators in Russia for exploitation.

While the indictment indicates that the primary focus of the hacking and disinformation campaigns was to undermine anti-doping efforts in the aftermath of the ban of Russian athletes from the 2016 Olympic and Paralympic Games, members of the GRU team also conducted other operations apparently unrelated to the anti-doping disinformation campaign.  These included reconnaissance of Westinghouse Electric Company’s networks and personnel, and operations evidently prompted by the March 2018 poisoning of Sergei V. Skripal, a former Russian double agent who cooperated with British intelligence, and his daughter Yulia Skripal.

Those latter operations allegedly included four of the defendants traveling on diplomatic passports to The Hague in April 2018, to further “another close access operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) computer networks through Wi-Fi connections.”  Their intention thereafter was to travel to Spiez, Switzerland, to target the Spiez Swiss Chemical Laboratory.  That facility is an accredited OPCW laboratory that was analyzing military chemical agents, including the Novichok chemical agent that the United Kingdom authorities connected to the Skripals’ poisoning.  Timely intervention by the Dutch Militaire Inlichtingen- en Veiligheidsdienst (MIVD) (Defense Intelligence & Security Service) disrupted the GRU team’s efforts to hack OPCW WiFi connections, and resulted in the four team members’ being “escorted” out of the Netherlands.

Note: Even though the indictment’s principal focus is the Russian targeting of anti-doping organizations and individuals, there are a number of more general takeaways from this case that corporate compliance and information-security teams can incorporate into training courses and presentations to senior executives:

  1. Foreign-government intelligence operations can and do target corporate entities for hacking and extraction of corporate data. To illustrate this point, training materials can include information from the MIVD’s public presentation about its disruption of the GRU team, such as photographs of and by the GRU team and of the hacking equipment that the MIVD found in the GRU team’s rental car.
  2. Simple and well-known hacking techniques continue to be used successfully to obtain unauthorized access to corporate networks and computers. The GRU case contains multiple examples of corporate employees failing to take basic computer-security precautions, such as avoiding insecure hotel WiFi networks and not opening spearphishing emails.
  3. The threat of “remote” access to corporate networks includes close access. The MIVD presentation also documents that the GRU team’s rental car, which contained equipment for hacking WiFi connections, was parked in a hotel parking lot within yards of the OPCW complex.
  4. Information-security defense activities can benefit from open-source data. Shortly after the October 4 announcements by U.S., British, and Dutch authorities, two news organizations, Bellingcat and The Insider, reportedly used open-source databases to check the names of the GRU team defendants and identified 305 other potential GRU agents. Few information-security programs are likely to have the same amount and quality of detail about hackers’ identities and physical appearances as this case had, but review of open-source data as appropriate should always be an element of such programs.

U.S. authorities are unlikely to apprehend or try any of the defendants in this case.  The parallel and independent investigation by the Royal Canadian Mounted Police, however, may yield additional information about GRU hacking methods and techniques from which information-security and compliance teams can benefit.
