GRU: Attack dog of Russian intelligence
The storyline’s straight out of a spy thriller: two men allegedly dispatched from Moscow to eliminate a defector in a quiet English city — but leaving traces of their movements everywhere to be painstakingly recreated by the intrepid British police.
British Prime Minister Theresa May went into great detail about the movements of the two middle-aged men on their brief visit to England in March. They entered the country using aliases, as Alexander Petrov and Ruslan Boshirov. They twice visited Salisbury, and, she says, on the second trip they applied the deadly nerve agent Novichok to the front door of Sergei Skripal’s home, before carelessly discarding a perfume bottle adapted to carry the poison.
That same evening, according to May, the duo left London’s Heathrow airport on a return flight to Moscow.
May said the U.K. intelligence services had established that both were officers of Russian military intelligence (the GRU).
“Were these two suspects within our jurisdiction there would be a clear basis in law for their arrest for murder,” May added, following the death of Dawn Sturgess when she came into contact with the disposed Novichok.
Inevitably, Kremlin spokesman Dmitry Peskov dismissed May’s account, saying that “neither top Russian authorities nor the lower-ranking authorities or any other officials had anything to do with the Salisbury events.”
In a rare interview earlier this year with a Russian Defense Ministry newspaper, a former head of the GRU, Fyodor Ladygin, said: “The Russian intelligence agency where I had the honor to work for many years… never resorted to such heinous acts as the ones that Britain is trying to implicate it in.”
But May’s account assembled evidence that brought strong support from the UK’s allies in the UN Security Council. So the question is: were these alleged agents incompetent — or just indifferent to being discovered? Did Russia want the world to know, yes, we did it? Are its operatives careless or is deniability deemed unnecessary?
The Main Directorate
While still commonly referred to as the GRU (Glavnoe Razvedyvatelnoe Upravlenie) or Main Intelligence Directorate, the agency actually changed its name to the Main Directorate (GU) in 2010. It very much sits within the military sphere; its head — currently Igor Korobov — reports to the Chief of the General Staff and Defense Minister.
In her statement on Wednesday, May described the GRU as as a “highly disciplined organization.” But it’s an agency where tradecraft is sometimes optional or sparingly applied. Digitally or otherwise, it leaves fingerprints. And it may not care.
Mark Galeotti of the Institute of International Relations in Prague and a seasoned watcher of the Russian security services, says the GRU is not like Russia’s other intelligence services because it’s essentially a “war-fighting instrument which is mission-oriented.”
In the eyes of the GRU, says Galeotti, “the biggest sin is not to take advantage of an opportunity.” It takes risks and is aggressive.
“By contrast, the foreign intelligence service or SVR is more like MI6, a white-collar organization with diplomatic cover that is risk-averse,” Galeotti says.
The Skripal case
“Petrov” and “Boshirov” didn’t take steps to camouflage their travel. They flew direct from Moscow on Russian passports, Britain’s Crown Prosecution Service said. They used public transport in England, where there are almost as many surveillance cameras as there are passengers.
Critically they stayed in a budget hotel where, according to British authorities, minute traces of Novichok were later found. They appear to have gone everywhere together, making them much easier to pick out for the detectives wading through more than 11,000 hours of surveillance video.
Britain’s Security Minister Ben Wallace said the duo had failed in their mission (if it was to kill Skripal.) “They couldn’t run a bath in the GRU,” Wallace told British media Thursday. Conservative MP Johnny Mercer tweeted after May’s disclosures: “I hope this toilet tradecraft will help reduce perception that Russia is some intelligence/military behemoth to be cowered from.”
But such scorn may miss the point.
The attack was meant to send a broader message to the U.K. government, says Galeotti. The Russians believed Sergei Skripal, a former GRU officer who arrived in the U.K. with a pardon as a result of a spy swap in 2010, was active again — with the connivance or encouragement of the U.K. intelligence services. And that — to Moscow — was out of order.
Whether the GRU proposed the operation or was directed to carry it out by the Kremlin will probably never be known, adds Galeotti. But he has no doubt that such an attack would have required a green light at a very high level.
Had such an audacious operation not been approved from above, there would have been consequences in the form of “unexpected retirements” at the GRU, Galeotti concludes. His sources suggest the agency remains “one of the favorite sons” of President Vladimir Putin.
The GRU has certainly been throwing its weight around in recent years and is an active participant in what the Chief of the General Staff, Valery Gerasimov, described in 2013 as a new form of warfare through “political, economic, informational, humanitarian, and other non-military measures.”
That has included an enthusiastic embrace of cyber-warfare. Thomas Rid, currently a Professor of Strategic Studies at Johns Hopkins University, told a U.S. Senate panel last year that “by early 2015, GRU was targeting military and diplomatic entities at high tempo, especially defense attaches world-wide. Among the targets are numerous senior U.S. military officers and defense civilians.”
At the beginning of 2017, the U.S. intelligence community released a report firmly tying the GRU to the hacking of Democratic Party email accounts in the previous year’s U.S. election campaign.
That report concluded: “We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com” to distribute hacked material.
The operation had begun by March 2016, according to the declassified version of the report.
Subsequently, the U.S. Special Prosecutor’s office, in a detailed indictment, identified 12 GRU officers as being involved in the hacking, saying that the “GRU had multiple units, including Units 26165 and 74455, engaged in cyber operations.” Several of the officers used a GRU malware called X-Agent.
The indictment included the addresses in Moscow where these units worked, and the online aliases used by some of the officers. Prosecutors say they were also able to trace the hackers’ lease of a server in Arizona and their inability on one occasion to connect to X-Agent.
Among other examples of careless tradecraft, according to the indictment, the GRU officers “operated the @dcleaks_ Twitter account from the same computer used for other efforts to interfere with the 2016 U.S. presidential election.”
Rid notes that the sort of hacking infrastructure repeatedly used by the GRU “allowed investigators to link the DNC breach to other breaches with high confidence, particularly to the German Bundestag hack” in 2015.
Again, it seems that results — sowing disruption — were more important than perfect tradecraft.
The Dutch intrusion
It’s not only the GRU whose work has left fingerprints. Part of the U.S. intelligence assessment early in 2017 appears to have been based on an extraordinary intrusion into the work of the Russian intelligence services by the Dutch agency AIVD.
While the agency itself won’t comment on its works, Dutch and other media say the AIVD’s Joint Sigint Cyber Unit penetrated the computer network at a university building next to Red Square in Moscow.
Later, according to a source familiar with Dutch operation, AIVD discovered the network was run by a Russian hacker group known as “Cozy Bear,” which has been involved in multiple hacking attacks on governments and companies for more than a decade.
The Dutch analysts deduced that Cozy Bear was a creature of the Russian Foreign Intelligence Service, the SVR. It was their work that tipped off the U.S. about Russia’s foray into the 2016 election.
The degree of cooperation and competition among Russian intelligence agencies ebbs and flows. Galeotti says the SVR and the domestic security service, the FSB, may share disdain for the “big boots” of the GRU, but it is unlikely any agency would actively impede the work of another.
The GRU has been an important player in eastern Ukraine, supporting the separatists with weapons procurement and training. Galeotti told CNN the GRU is ideally suited to acting in the region because it includes many former members of the Russian special forces, or Spetsnaz. The conflict in Ukraine was the perfect environment for an agency comfortable in lawless foreign regions and war zones. A number of former GRU officers have been sanctioned by the U.S. Treasury for their activities in Ukraine and Crimea.
The agency was also linked to a failed attempt to overthrow Montenegro’s government on the eve of parliamentary elections in October 2016. Montenegro’s chief special prosecutors says Russia was involved in that plot and also one to kill the country’s then prime minister. Kremlin spokesman Dmitry Peskov called the allegations “absurd.”
Galeotti believes the GRU was tasked with the effort in an attempt to prevent Montenegro from joining NATO. Within the last week, Estonia has arrested two men for supplying classified information and state secrets to the GRU over a period of five years, receiving undisclosed payments in return. One of them is a former artillery officer in the Estonian Defense Forces.
Whether the GRU has been effective with its “big boots” is open to question. The shooting down of MH17 rallied western governments behind a hard line on sanctions against Russia over its intervention in Ukraine. The Skripal affair united many governments in expelling Russian diplomats. Montenegro went ahead and joined NATO — just what Russia didn’t want.
Shortly before his death in 1952, Soviet leader Joseph Stalin convened a meeting to reorganize the country’s intelligence services. According to historical accounts of that meeting, Stalin said: “In intelligence, one should never work by launching an attack up front. Intelligence should be active in a roundabout way. Otherwise there will be failures and serious failures.”
The GRU seems to have adopted a different philosophy.