Russia Hacker Indictments Should Make the Kremlin Squirm

(Bloomberg Opinion) -- The real bombshell in Special Counsel Robert Mueller’s latest indictment is the investigators’ apparent ability to link specific actions, such as searches and technical queries, to specific officers of the GRU, Russia’s military intelligence service. By making these connections, Mueller’s team has made an enormous leap from the U.S. intelligence community’s previous disclosures. The indictment draws the first straight line from the hacking and spearphishing of U.S. Democrats to the Russian government, and it poses some further questions for the media and the public to ask about this bizarre affair.

The indictment blames the Democratic National Committee hack and the spearphishing of Clinton campaign chairman John Podesta on Military Unit 26165, located at Komsomolsky Prospekt 20 in Moscow, in former hussar barracks which also house the Russian Defense Ministry’s Military University. Another military unit, 74455, allegedly only maintained the infrastructure and helped distribute the stolen data.

Unit 26165 is a highbrow one: It does cryptography for the GRU, and many of its officers are mathematicians and computer programmers. Its commander until January 2018, Viktor Netyksho, named in the indictment, is a mathematician and neural network expert. Netyksho’s predecessor, Sergey Gizunov, received a prestigious government prize for technological innovation; he is now deputy head of the GRU.

It’s plausible that Unit 26165 could have taken part in cyberattacks on the Democrats. The Russian investigative site The Insider, also known for unmasking GRU officers involved in Russia’s hybrid war in eastern Ukraine, discovered that Georgy Roshka, one of the unit’s officers, was involved in hacking French President Emmanuel Macron’s election campaign in the spring of 2017. Roshka’s name showed up in the metadata of several financial documents stolen from the campaign — a slip-up that allowed The Insider to trace the name to Unit 26165 by analyzing participant lists of a secretive regular conference called Parallel Computing Technologies.

No similar slip-ups took place during the Democratic National Committee hack or the theft of Podesta’s emails. While researchers found Russian language traces in metadata, they did not include any of the 12 names listed in the Mueller indictment. But Mueller appears to know which one of them performed which specific task linked to the hacks.

The indictment says, for example, that Nikolai Kozachek, a “lieutenant captain” (a literal rendering of kapitan-leytenant, a Russian naval rank with no direct equivalent in the army, so the American equivalent is roughly captain), developed X-Agent, the malware used to hack the DNC network, with the help of other officers, including Pavel Yershov. It says that Lieutenant Colonel Sergey Morgachev oversaw the development and that “Second Lieutenant” (presumably the translators’ rendering of mladshiy leytenant, or junior lieutenant) Artem Malyshev monitored the specific installation of X-Agent at the DNC. It identifies Senior Lieutenant Aleksey Lukashev as the person who spearphished Podesta. It says Ivan Yermakov (rank not specified) ran specific technical queries to research the DNC’s computer network.

This level of detail is a major leap from the U.S. intelligence community’s January 2017 assessment concerning Russian interference in the 2016 election. That document merely said the GRU “probably began cyber operations aimed at the U.S. election by March 2016,” penetrated the Democrats’ networks and stole their documents. There is no longer any “probably” to the specific description of the GRU operation.

How were investigators able to get the real names and ranks (such as they are) of people behind specific actions? One possibility is that the U.S. had a mole within the GRU who had to be protected until last Friday, which is why U.S. intelligence didn’t release the specifics, or even hint at them, before. That scenario would suggest a recent defection, and we may only find out what happened years from now, or earlier if either the Russian or the U.S. side leaks.

Another scenario is that the U.S. or an ally penetrated the GRU network and watched the operation in real time. In January, Dutch journalists reported that the Dutch intelligence agency AIVD managed to hack into the network of a Russian government-connected hacking group located in a “university building next to Red Square in Moscow,” and watched it launch an attack on the DNC; it even identified the group’s members by watching the feed from a security camera in their space. Unit 26165 is, indeed, located in a university building (though not next to Red Square), but the Dutch scoop pointed to a different hacking group, APT29, also known as Cozy Bear, which is linked to the SVR, Russia’s foreign intelligence service, not to the GRU. (APT28, or Fancy Bear, is the group researchers attribute to the GRU.)

The Dutch story, however, also contained this tidbit: “According to one American source, in late 2015, the NSA hackers manage to penetrate the mobile devices of several high ranking Russian intelligence officers. They learn that right before a hacking attack, the Russians search the internet for any news about the oncoming attack.” This could explain the level of detail in the indictment.

If, however, the U.S. or its allies watched the attacks in real time, it’s not clear why the GRU was allowed to steal and distribute the Democrats’ information without the U.S. government interfering. Was the information the U.S. was receiving about the GRU’s methods so valuable that any effect the hacks could have had on the campaign was of secondary importance to U.S. intelligence? Were the campaigns, Democratic and Republican, briefed as U.S. intelligence watched the Russian hacking operation unfold? Was the Obama administration briefed? These questions arise inevitably if one believes the hacks were monitored.

Whatever Mueller’s sourcing on it, Russian military intelligence appears to have been seriously compromised. Regardless of where the knowledge leads Mueller, the GRU appears to have underestimated what it’s up against in the U.S. In this cyberwar, the U.S. is not a powerless victim but a formidable rival. Americans, no matter what their politics, should take heart from that.

Leonid Bershidsky is a Bloomberg Opinion columnist covering European politics and business. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website

