Investigative Report: On The Trail Of The 12 Indicted Russian Intelligence Officers
RFE/RL's Russian Service July 19, 2018
A U.S. grand jury charged 12 Russian citizens on July 13 with interfering in the 2016 U.S. presidential election by organizing cyberattacks on the computers of Democratic Party figures during the campaign.
The indictment contains the names of the dozen accused, who are described as "employees of the GRU," referring to Russian military intelligence. In addition, the indictment contains the numbers of the military units that they allegedly serve in and a relatively detailed account of the methods they purportedly used to break into the computers and publish the information they acquired in the hacking attacks.
RFE/RL has conducted its own open-source investigation into those accused intelligence operatives, although there is relatively little openly available information about the men or their military units.
But some information does seem important: One of the accused participated in a 2014 conference of hackers on the topic of "infiltration, hacking, and the national peculiarities of cyberwarfare." The building in the Moscow suburb of Khimki that is referred to in the indictment as "the Tower" can be connected to the founder of the pro-Kremlin Antimaidan propaganda organization.
And the military unit that allegedly carried out the distribution of the stolen information through WikiLeaks and anonymous social-media accounts is based at the same address as GRU officer Oleg Ivannikov (known as Orion), who has been named by the independent Bellingcat research organization as a participant in the events that led to the July 2014 downing of the MH-17 passenger jet over eastern Ukraine.
Unit No. 26165
According to the indictment, nine of the 12 accused GRU personnel serve in military unit No. 26165, which is based at Komsomolsky Prospekt No. 20 in Moscow. That building is part of a Defense Ministry complex located on the territory of the former Khamovnicheskiye barracks, built in the early 19th century.
There is no official sign at the entrance to the territory listing the units based there, but it is not difficult to establish that unit No. 26165 is, in fact, located at those barracks. It can be found under that address in the online Unified State Register of Legal Entities.
In Soviet times, that unit was assigned to the decoding and cryptanalysis of intercepted messages for the 6th Directorate of the GRU under the official name "85th Main Center of GRU Special Service."
These days, according to numerous citations available online, the unit is also involved in cutting-edge computer technologies.
The signature of the unit's commander, Viktor Borisovich Netyksho, who is the first name listed on the U.S. indictment, is found on cooperation agreements signed with several Moscow high schools specializing in mathematics, including high school Nos. 1507, 1573, and 1517. The earliest of these agreements dates from 2014, and they are signed personally by Netyksho. The agreement with school No. 1573 can be found here (archived copy). The agreements are identical.
The first point of the agreement obligates the two parties to "prepare students for entry into the Institute of Cryptography, Communications, and Informatics of the Academy of the FSB (Federal Security Service)."
According to the above-mentioned register of legal entities, Netyksho headed military unit No. 26165 until January 2018. There are numerous online indications of this unit's activity, besides the agreements concluded with the math schools. For instance, in 2004, officers of the unit identified as P.M. Konovalchik, A.I. Ivanov, and A.D. Malevanchuk published an article in the journal Artificial Intelligence titled A Multiprocessor System Adapted To The Information Structure Of Various Classes Of Computations.
Netyksho himself earlier taught at the Moscow State Forestry University (since 2016, a branch of Moscow State Technical University). His candidate's degree dissertation is titled: Establishing The Parameters Of Discrete Devices Based On Reevaluating Probabilities Using Actual Threshold Ratios.
Other scholarly works by Netyksho dating from 2004-08 are also available online, including On The Neuronetworking Approach To Solving Systems Of Linear Inequalities, and On Refining The Estimate Of The Weight Of An Arbitrary Threshold Function.
In these publications, he is identified as an instructor at the Department of Higher Mathematics at Moscow State Forestry University and a candidate of technical sciences. In 2004, Netyksho published an article, On Some Probabilistic Properties Of Majority Functions, in the journal Machine-Building Technologies.
Netyksho also participated in the defense of several dissertations as an examiner. In September 2010, he served on the dissertation committee of Russian State Humanities University (RGGU) instructor Mikhail Levykin, whose dissertation on defending against hacking was titled Models And Means Of Detecting Threats Of Information-Security Violations In Standard Mechanisms For Detecting Hidden Information Actions In The Core Of The Windows Operating System.
Levykin, who still teaches at RGGU, declined to discuss the defense of the thesis with RFE/RL or to answer whether Netyksho was present.
Military unit No. 26165 came to light previously in connection with the e-mail hacking of Western politicians. In the spring of 2017, independent news site The Insider published a report that identified a man affiliated with the unit -- a "researcher" by the name of Georgy Roshka -- as a perpetrator of the e-mail hacking of French President Emmanuel Macron.
At present, Gizunov is deputy head of the Main Directorate of the General Staff of the Defense Ministry (following a 2010 reform, the Main Intelligence Directorate, or GRU, was renamed the Main Administration, though it is still generally referred to as the GRU). The current commander of military unit No. 26165 is Colonel Dmitry Mikhailov.
Unit No. 74455
It is harder to find open-source information about military unit No. 74455, with which -- according to the U.S. indictment -- three of the accused are connected. They are GRU officers Aleksandr Osadchuk, Aleksei Potyomkin, and Anatoly Kovalyov. According to various citations that RFE/RL found, the unit has two different addresses -- and neither of them corresponds to the address of the building identified in the indictment as "the Tower," which is located at Kirova No. 22 in Khimki.
According to the U.S. indictment, it was from this building that the GRU carried out its break-in of the U.S. computers, allegedly with the help of phishing e-mails. Also, the indictment says the hacked data was distributed from this address through the anonymous social-media accounts Guccifer 2.0 and DCLeaks.
At that address, one does find a 21-story "tower," which houses a business center that is known by various names, including Novator, Rota Tower, and Rota. (There is also another Rota Business Center in Khimki at the address Panfilova No. 19/4.) A 2017 Google Earth image shows the logo for a firm called Oboronstroi on the front of the building.
The building was originally called Rota Tower. It was built by a company within the Rota Group holding and the tower is seen in the group's logo.
There is direct evidence that the Novator business center belongs to the Rota Group. Its cadaster number (50:10:0010210:3612) can be found in a decision by the Moscow Oblast Arbitration Court from March 17, 2017.
The case stemmed from a 2015 dispute between two companies over the installation of a fire-alarm system in the Novator business center. One of the companies involved, called MDK, belongs to Rota Development, part of the Rota Group.
The general director of Rota Real Estate is Alla Sablina (maiden name: Nalcha), who is the niece of former Moscow Oblast Governor and General Boris Gromov and the wife of Dmitry Sablin, the founder of the pro-Kremlin propaganda organization Antimaidan.
Sablin is the first deputy chairman of the national public veterans organization Fighting Fraternity (Boyevoye bratstvo), of which Gromov is chairman.
Sablin is also a deputy in the Russian State Duma from the ruling United Russia party.
He is also the official owner or co-owner of several assets of the Rota Group, including the firm Rota-Krym, which owns real estate on Ukraine's Crimean Peninsula, which was illegally annexed by Russia in 2014. The independent Dozhd TV identified Sablin as the owner of the entire Rota holding company.
Dozhd also said that, in terms of family assets, Sablin is among the five richest deputies in the Duma.
Another member of the board of directors of Rota Real Estate is Ivan Ageyenko, the former head of the Border Service of the FSB in Kabardino-Balkaria and Daghestan. He is also a deputy chairman of the Fighting Fraternity.
The independent website Meduza reported that the Rota Group sold the Khimki tower to Oboronstroi in February 2016, one month before the first phishing attack on computers tied to the U.S. Democratic Party.
Oboronstroi is part of a group of companies called Garnizon, which is controlled by the Russian Defense Ministry. According to the Garnizon website, Oboronstroi "works in the spheres of design, construction, production, logistics, and energy and works out a unified development strategy and tactics of action for daughter organizations and enterprises, arranges inter-organization communications, and coordinates the participation of all partners for the effective execution of any order and the realization of large-scale projects in the interests of the Armed Forces of the Russian Federation."
The legal address of Oboronstroi is Komsomolsky Prospekt No. 3 in Moscow. This building is part of the complex of the former Khamovnicheskiye barracks, which is home to military unit No. 26165, as mentioned earlier. In short, both of the buildings mentioned in the U.S. indictment as Russian hacker bases are controlled by the Defense Ministry's Oboronstroi company.
RFE/RL was not able to establish a solid connection between Dmitry Sablin and the GRU. However, Sablin personally oversaw the installation in May at the "alley of heroes" at a Moscow military academy of a bust of former GRU head Igor Sergun.
Officially, Sergun died at an FSB resort in January 2016, but there have been reports that he actually died in Lebanon.
The building would not be an unlikely place for the GRU to base a group of young hackers who do not have access to secret GRU facilities.
The few results returned in searches for military unit No. 74455 are extremely interesting. The unit is mentioned in a Defense Ministry order from March 20, 2012, that was signed by then-Defense Minister Anatoly Serdyukov. The order determines the payment of bonuses to servicemen for "outstanding service achievements," and the alleged hacker unit is mentioned together with two other units (Nos. 99450 and 29155) as candidates for bonuses in Section 4.
Interestingly, military unit No. 99450 was just created at that same time in an expansion of the Special Operations Forces Center, based in the Moscow Oblast town of Senezh. This base has been identified as the source of the "little green men" who participated in operations in Crimea.
Another online document possibly connects military unit No. 74455 with an address in Moscow. The document is a court decision in a suit by the Defense Ministry against a company called Slavyanka, which is a major provider of communal services in Russia.
According to the court's ruling, the defendant "inappropriately provided the plaintiff services at barracks and housing facilities of military compounds." One of the units named is No. 74455, which was reported to be located at Military Compound No. 48, Svobody No. 21/22 in Moscow. There is another reference to the unit being located on Svobody street in an online forum at Otvety@mail.ru from a user who claimed to have served in the unit.
Unit No. 40904
According to Wikimapia.org, there is a military organization at that address, which the site identifies as "the 177th separate center for managing technical innovation (military unit No. 40904)."
In fact, that unit is officially located in a neighboring building with the address Meshcheryakova No. 2, according to state tender files.
What does military unit No. 40904 do? The construction firm Vismut mentions the unit in an advertisement in connection with "the reconstruction of the buildings of Object K-200." That facility is mentioned in the book The Security System Of The Soviet Union by Aleksandr Shevyakin: "The space-intelligence directorate of the GRU collects intelligence information with the help of satellites. The directorate controls the activities of the OSNAZ special operations units of the first and second sections of the Sixth Directorate of the GRU. Their functions include radio and signals intelligence. The analysis and refinement of the information gained in this way is assigned to the Dozor System, which is located in the central building of the GRU on Khoroshyovskoye shosse (Object K-200)."
In other words, the activity of military unit No. 40904 is apparently historically connected with the processing of radio and signals intelligence.
According to the comments on the Wikimapia page, the 28th Communications Control Center is also located at this Svobody street address. Apparently, this is a reference to one of the central nodes of the radio-interception system Krug, which was created in the 1950s to monitor the movements of enemy aircraft, the conversations of the crews of U.S. and NATO strategic bombers, and the satellite communications of the U.S. Joint Chiefs of Staff.
It would appear that at least part of the Krug system is operational to the present day. The system has been discussed in an online forum for radio enthusiasts.
One commentator wrote: "Krug still exists. Behind the building of the training company of military unit No. 34608 there is a monument and 11 markers with the numbers and names of military units from which Krug was formed for the GRU." The author then provides a list of the code names of the Krug communications nodes.
Most of the nodes were located in Russia or other republics of the Soviet Union. Several were located in Cuba, Vietnam, Burma, and Mongolia. Gudok, the main Krug center, was located in the Moscow suburb of Klimovsk, where military unit No. 34608 is based and the monument described on the radio enthusiasts' forum is supposedly located.
One of the listening nodes named on the forum was Avrora, which was the central facility where all the signals intelligence was gathered. "From [the node] Barka we regularly received confirmation of bearings before reporting to Avrora," one purported former radio operator wrote.
RFE/RL has been unable to confirm from other sources that the Avrora monitoring node, the central unit of Krug, was located or is located at the Svobody address. On another forum, one user states that he served in "military unit No. 40273, communications node Avrora, 2001-2006."
But according to other open sources, unit No. 40273 is located on Khoroshyovskoye shosse in the main headquarters of the GRU.
It would seem that, similar to unit No. 74455 mentioned in the U.S. indictment, other military units with similar profiles use multiple addresses. Several of them might not even be independent units, but structural subunits of other units. But it seems clear that the military compound on Svobody street is connected with signals intelligence and to the 6th Directorate of the GRU. In front of the building at Svobody 22/2 there is a large, green parabolic antenna.
There is yet one other address that crops up in connection with military unit No. 74455 – Khoroshyovskoye shosse No. 76, Building B. This is one building of a large GRU complex located near Kodynskoye polye park. It was from this building, according to an investigation by the Bellingcat research organization, that GRU officer Oleg Ivannikov worked. Bellingcat believes it has tied Ivannikov to the operation to send a Buk antiaircraft system from Russia to Ukraine in July 2014 that was then used to shoot down the MH-17 passenger jet, killing all 298 people aboard.
The building figures as the address of military unit No. 74455 in a 2011 document from a branch of the Slavyanka communal-services company.
One can also find online a service medal that shows the number of unit No. 74455 and, apparently, its insignia: a crystal pierced by lightning and a sword. It is extremely similar to the insignia of the Main Computations Center of the Russian General Staff.
Besides Viktor Netyksho, RFE/RL was able to find only one other individual mentioned in the U.S. indictment using open sources. The exception is the third individual listed on the indictment: Dmitry Sergeyevich Badin.
According to the indictment, he was a military serviceman with unit No. 26165 and an assistant to Boris Antonov, head of the subunit that allegedly hacked the computers of the Democratic Party. Badin and Antonov purportedly controlled the other participants in the alleged criminal group.
A person with Badin's exact name can be found on the Internet as a registered participant of the forum Positive Hack Days IV, which took place in Moscow in 2014 (an archived copy of his registration is here).
The Positive Hack Days IV forum is organized by the company Positive Technologies and was the fourth time the event was held (earlier this year, it was held for the eighth time). Positive Technologies describes itself as "a leader on the domestic and European markets of systems for analyzing security and standards compliance, as well as protecting web applications."
In 2011, the publication itWeek called Positive Hack Days "one of the main events in the Russian information-security market." One of the sponsors of the forum is Kaspersky Laboratories. The 2014 forum took place on May 21-22, just 10 days after Russian media published detailed descriptions of the "cyberforce" that was announced by Defense Minister Sergei Shoigu in late 2013.
Here is how Moskovsky Komsomolets described this force, citing an inside source in the Defense Ministry:
"The military has not made any official statements about the composition of the cyberunit. But it is already known who forms the skeleton of this cyberstructure. Last year, Defense Minister Sergei Shoigu announced a 'big search' for programmers. In addition, the force will include mathematicians, cryptographers, officers of signals intelligence, and radio operators. Officers of the cyberforce will have to pass through language training to learn a foreign language. It is possible that young men currently serving in 'academic' companies will be recruited. In addition to repelling attacks from the Internet, the new structure will form a shield against a cyberattack on closed military networks, such as missile-defense systems. It is known that the Pentagon has devoted enormous resources to developing spyware that can penetrate even completely closed networks and this creates a threat to the national security of the Russian Federation."
It is possible that some of the "cybersoldiers" who might have been involved in the hack of the Democratic Party were recruited at the Positive Hack Days forums. The official site of the 2014 forum says that "representatives of the FSB" will be participating and the official program included reports on the general topic of "the national peculiarities of cyberwarfare." Some of the reports had titles such as, Big Data In Social Networks: Special Monitoring By The NSA Not Needed; Life After Snowden: Modern Tools Of Internet Intelligence; How To Listen In On A Person On The Other Side Of The World; Comparing The Hackers Of Iran, China, And North Korea; and The State And Information Security.
In response to a query from RFE/RL, Positive Technologies said it did not handle the sale or confirmation of tickets to the Positive Hack Days IV forum, having outsourced that work to a company called Runet-ID. Positive Technologies said applicants who want to attend the forum had to provide some personal information, including place of employment, but that information remained with Runet-ID.
Telephone calls to Runet-ID went unanswered.
RFE/RL was unable to confirm from other sources whether the Dmitry Sergeyevich Badin identified in the U.S. indictment as serving in military unit No. 26165 attended the Positive Hack Days IV forum.
Many commentators and security experts believe the office of U.S. Special Counsel Robert Mueller will soon release new details about the alleged "Russian hacker" case.
From the detailed indictment already released, experts have concluded that the American investigators have, in addition to their own data, information from insiders in Russia. Some have speculated that this information could have come from four men who were arrested in early 2017 and accused of state treason: two employees of the FSB's Information Security Center, FSB Colonel Sergei Mikhailov and his deputy, Dmitry Dokuchayev; Kaspersky Laboratories employee Ruslan Stoyanov; and entrepreneur Georgy Fomchenkov.
In April, it was reported that Dokuchayev and Fomchenkov had made partial confessions. According to unconfirmed reports, they confessed to giving information to foreign intelligence agencies and agreed to have their case handled in an accelerated manner (without an examination of the evidence).
It is unknown when the trials will begin, but they will be held behind closed doors since most of the documents involved are classified.
Translated by Robert Coalson
Copyright (c) 2018. RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave., N.W. Washington DC 20036.