{"id":150,"date":"2019-04-02T09:53:50","date_gmt":"2019-04-02T07:53:50","guid":{"rendered":"https:\/\/192.168.10.2\/blog\/?p=150"},"modified":"2024-10-11T09:57:07","modified_gmt":"2024-10-11T07:57:07","slug":"cyber-gru-vi-and-now-what","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/cyber-gru-vi-and-now-what\/","title":{"rendered":"(Cyber) GRU (VI): and now what?"},"content":{"rendered":"\n<p>The information that has come to light during 2018, both the official information released by the governments of the United Kingdom, the United States, the Netherlands and Canada and the unofficial additional investigations, carried out both by individuals and by different organizations (notably Bellingcat and RFE\/RL, Radio Free Europe\/Radio Liberty), has exposed a lot of interesting information about the GRU. It has provided us with data on its <strong>units<\/strong> (identification, structure, functions, physical location\u2026), on the <strong>people<\/strong> who are part of the service (identities, jobs, functions, aliases, relationships, personal environment\u2026) and on its <strong>operations<\/strong> (objectives, TTP, software, artifacts, IOC\u2026). In addition, these sources have revealed deficient operational security measures, which have made it possible to broaden the initial investigations even further and have brought to light identities, private homes, relatives\u2026 of members \u2013 or former members \u2013 of the GRU.<\/p>\n\n\n\n<p>Of all the research carried out on the basis of the data published by different governments, the most noteworthy is that carried out by Bellingcat, an organization that investigates issues based mainly on open sources. 
We are now talking about private investigations, not endorsed by governments and based mostly on OSINT, something radically different from the statements of a government with evidentiary material that, of course, has not been obtained from public sources \u2013 we will talk later about where this information may come from. We can even doubt the credibility of these sources, since there are many voices that maintain that everything they publish is a lie, a Western fabrication, etc. Who knows\u2026 These investigations are based on open sources and we insist that Bellingcat is a private organization and therefore its investigations are also private; but on December 19, 2018, as we mentioned earlier, the US government ([1]) seems to officially endorse one of Bellingcat\u2019s main investigations, the one that identifies two members of the GRU, both Heroes of the Russian Federation, as the people who tried to assassinate the Skripals in March: starting from the details published by the British government about the false identities of the GRU agents that poisoned the Skripals (Alexander PETROV and Ruslan BOSHIROV), Bellingcat published, in September and early October of that same year, different articles, such as [2], showing the real identities of the suspects and confirming their relationship with the GRU.<\/p>\n\n\n\n<p>In any case, much more interesting for us is the list of members or former members of Unit 26165 of the Service ([3]), published on the same day, October 4, on which different governments finished off the GRU\u2019s bad year. That same day, based on the identities of the members of the Unit brought to light by Dutch intelligence, Bellingcat carried out a search of public and semi-public sources and identified more than 300 members of the Unit thanks to the registration addresses of their cars, which coincided with the headquarters of the Service. 
In the RuNET there is private information on Russian citizens \u2013 homes, license plates, telephone numbers \u2013 available to any Internet user (we do not buy databases on the black market, which would also be possible); starting from an identity (for example a name, linked to a date of birth or to the address of the Unit) and with a little time it is possible to obtain personal data, and also to identify, for example, the people who have registered a vehicle at a certain address. In this way, Bellingcat associates those potential members of Unit 26165 \u2013 or former members, or people who have had a relationship with the Unit \u2013 and extracts names, license plates, personal addresses and social network profiles, in what is considered one of the most important information leaks in history.<\/p>\n\n\n\n<p>Without being Bellingcat, with a bit of time and using Google Translate for those who do not know Russian, any Internet user can get to those same personal data, finding some very interesting relationships. Of course, it is necessary to consider the reliability of the sources, although the data that we have been able to cross-check directly suggest that, at least for the most part, the information extracted is true. We will talk at another time about OSINT tracking in the RuNET, but in the following sections we will address what we have learned about the GRU during 2018: part of its cyber structure, some of its objectives, different TTP of its operations and certain OPSEC considerations that perhaps should have been taken into account before tackling a close access operation.<\/p>\n\n\n\n<p><strong>References<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>[1] US Department of the Treasury. <em>Notice of Intended Removals; Ukraine-\/Russia-related Designations; Cyber-related Designations<\/em>. December 2018. 
<a href=\"https:\/\/www.treasury.gov\/resource-center\/sanctions\/OFAC-Enforcement\/Pages\/20181219_33.aspx\">https:\/\/www.treasury.gov\/resource-center\/sanctions\/OFAC-Enforcement\/Pages\/20181219_33.aspx<\/a><\/li><li>[2] Bellingcat. <em>Skripal Suspects Confirmed as GRU Operatives: Prior European Operations Disclosed<\/em>. September 2018. <a href=\"https:\/\/www.bellingcat.com\/news\/uk-and-europe\/2018\/09\/20\/skripal-suspects-confirmed-gru-operatives-prior-european-operations-disclosed\/\">https:\/\/www.bellingcat.com\/news\/uk-and-europe\/2018\/09\/20\/skripal-suspects-confirmed-gru-operatives-prior-european-operations-disclosed\/<\/a><\/li><li>[3] Bellingcat. <em>305 Car Registrations May Point to Massive GRU Security Breach<\/em>. October 2018. <a href=\"https:\/\/www.bellingcat.com\/news\/2018\/10\/04\/305-car-registrations-may-point-massive-gru-security-breach\/\">https:\/\/www.bellingcat.com\/news\/2018\/10\/04\/305-car-registrations-may-point-massive-gru-security-breach\/<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The information that has come to light during 2018, both the official information released by the governments of the United Kingdom, the United States, the Netherlands and Canada and the unofficial additional investigations, carried out both by individuals and by different organizations (notably Bellingcat and RFE\/RL, Radio Free Europe\/Radio Liberty), has exposed a lot of interesting information about the 
[&hellip;]<\/p>\n","protected":false},"author":17,"featured_media":83,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-150","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/03\/national-security-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/03\/national-security-600x600.jpg","author_info":{"display_name":"BigBoss","author_link":"https:\/\/lab52.io\/blog\/author\/bigboss\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/150"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=150"}],"version-history":[{"count":3,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/150\/revisions"}],"predecessor-version":[{"id":324,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/150\/revisions\/324"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/83"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=1
50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}