In the war in Ukraine, one cyber skirmish has followed the next for 14 months. Now there is solid news from the cyber front, even largely verifiable: The Russian cyber troop APT 28, aka “Fancy Bear”, which became known through the attack on the German Bundestag in 2015, has a new commander and his details are now publicly available.
According to Ukrainian sources, this is said to be Lieutenant Sergei Morgachev, about whom a whole data collection has been published. Like all other such groups from Russia, which were noticed in a number of European states during peacetime, APT 28 is now deployed in Ukraine. The entire previous career of a first lieutenant in the GRU military intelligence service can be reconstructed from the document collection.
(Image: InformNapalm)
The GRU unit 26165
Immediately after his studies, Morgachev started his service in unit 26165 at the GRU. The documents that have now been published are largely up-to-date, the most recent ones are dated August 2022. The bundle allegedly came from “hacktivists” who had given this collection of documents to InformNapalm’s “Volunteer Intelligence Community” for analysis.
For a country at war like Ukraine, such a conglomeration of “volunteers” and “hacktivists” providing professional detection is somewhat conspicuous. Of course, the information cannot be checked, but the published documents can be checked to a certain extent. Lieutenant Morgachev’s participation in cyber attacks was not the first to attract attention during the Ukraine war.
The attack on the 2016 US presidential election
His name can be found in a US indictment from 2018 relating to the attacks on the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Congress (DNC) before the 2016 US presidential election. Morgachev was already in rank at the time a team leader in unit 26165, so he was one of the actors in “Fancy Bear”.
In 2018 he was accused of developing malware called “X-Agent” with which the networks of the Democratic Party were attacked. According to the indictment, Lieutenant Morgachev himself was in charge of the operational management of this attack. The documents captured there were used as “DCLeaks” for covert propaganda on the Internet against the presidential candidate Hillary Clinton.
(Bild: justice.gov)
Nothing scandalous, but a scandal
In 2016, the GRU’s cyber troops used a rental computer in a data center in Illinois to extract data from the Democratic Party’s network and subsequently transport it to Moscow. None of the attackers was actually on site in the USA. The attacks themselves were carried out during Moscow office hours, when everything in the US was still asleep.
The extent to which these cyber skirmishes actually influenced the outcome of the US presidential elections at the information level cannot be said with certainty even today. What is clear, however, is that Vladimir Putin wanted to prevent Hillary Clinton’s election as US President at all costs. And for this he had used his available resources in cyberspace.
The paradox of these leaks was that nothing scandalous emerged at all. The released documents showed only that a majority of the Democratic establishment had favored Hillary Clinton and wanted to prevent left-liberal Senator Bernard Sanders from getting too close to her in the primary.
Donald Trump’s election campaign brigade, supported by commentators from the right-wing tabloid broadcaster Fox and the global network of Russian state TV RT, made it the scandal of all scandals. Wikileaks had in this staging starred in a less than creditable role.
From GRU commander to malware developer
Morgachev was also on operational duty for the GRU in the first months of the 2022 Ukraine war, most recently as department commander of unit 26165. However, the published documents show that he was appointed to a new post in August 2022. Since then, Lieutenant Morgachev has been a “first-class programming technician”, so he is now a kind of malware developer for the GRU in a managerial position.
His current place of work is in Center for Special Technologies in St Petersburg. This center was sanctioned by all western states at the beginning of the war.
This scanned document was also found in Morgachev’s mail traffic. According to InformNapalm, it’s his request for an appropriate “security clearance” for his new post as malware architect.
(Image: InformNapalm)
Oddities in the mailbox
It is somewhat odd that a military intelligence officer trained in secrecy should keep such sensitive and, more importantly, telltale documents in his mailbox. After their publication, this first lieutenant of the GRU can already delete one of his presumed career goals, namely one of the coveted, because highly paid posts in an embassy of the Russian Federation.
In Vienna alone, several dozen Russian citizens are accredited as diplomats or technical staff at the Russian diplomatic mission to the United Nations. Some of them are busy evaluating the data streams that are drawn from the transponders of western satellites, and there are also satellite technicians, since individual dishes are regularly aimed at other targets. There’s always more than enough work to do for career intelligence people.
Epilogue to the attack on the IT of the German Bundestag
Like the vast majority of attacks by cyber troops of the GRU, the attack on the IT infrastructure of the German Bundestag in 2015 served less to obtain information than to demonstrate power. With the simultaneous activation of the previously smuggled malware on several computers across the IT department of the German Bundestag, the attack became public immediately. Ultimately, the Bundestag administration had to decide to replace the entire hardware, as it could not be ruled out that more malware would appear.
(tiw)
