MOSCOW—A curious game of spy versus spy has gone public in Russia over the last week. According to the official news agency of the Russian Federation, Rosbalt, agents of the Federal Security Service (the FSB) have staged raids on more than 60 state officials and private investigators to try to stanch the flow of leaks revealing the incompetence of Russia’s main military intelligence agency, the GRU (full name: Main Directorate of the General Staff of the Armed Forces of the Russian Federation).
That won’t be an easy job.
The GRU has gained a reputation of late as the most public and aggressive of Russia’s security services, Putin’s not-so-secret weapon. Election hacks in the U.S. (revealed in extraordinary detail by one of the Mueller investigation’s indictments), destructive cyberattacks targeting Ukraine, the Skripal poisonings in Britain, an attempted coup in Montenegro, traveling in person to hack investigations targeting Russian scandals such as the doping of Olympic athletes and the Russian role downing a Malaysian airliner over Ukraine in 2014—the GRU had a hand in all of those incidents, and more, Western governments say.
But at the same time and in many of those same operations, the GRU acquired a reputation for scoring what The Guardian calls “own goals,” the most obvious of which is the failure to preserve the anonymity of the murderers sent to Britain to poison GRU defector Sergei Skripal with the obscure and particularly Russian nerve agent known as novichok.
Only the Saudis have proved more incompetent at cover-ups.
Many of the FSB raids last week, according to Rosbalt, were meant to discover who let out the real names of "Alexander Petrov" and "Ruslan Boshirov," the two GRU officers initially said to have been visiting Salisbury, England—Skripal’s home—as mere tourists.
With so many missteps, it is unsurprising that the GRU is feeling pressure at home. Instead of a grand celebration for their recent 100th anniversary, the GRU reportedly had a senior meeting during which it was accused of “complete incompetence” and “boundless sloppiness.” There are even rumors that GRU Director Colonel General Igor Korobov met with Russian President Vladimir Putin to discuss his agency’s many failures, a meeting that Korobov found so stressful that he reportedly collapsed upon arriving home.
When Putin did speak at GRU headquarters to mark the anniversary last week, he is alleged to have referenced the name change eight years ago, when the Main Intelligence Directorate became the Main Directorate. “It’s unknown where the word ‘intelligence’ went," Putin reportedly told the hundreds of officials in attendance.
Putin, a former Soviet KGB agent who grew up fantasizing about the prowess of Russian spies, must be chagrined by an agency whose people look less like James Bond than they do Maxwell Smart.
JUST LAST WEEK, Russian journalist Sergei Kanev exposed yet another GRU screw-up: In order to conceal the identities of the children of officers living in a GRU housing complex, the agency registered them as 100 years older than they really are. This triggered an investigation by pension authorities, who suspected fraud. Kanev was able to confirm the existence of these centenarian children, and therefore their officer parents, using one of the numerous leaked databases of personal information available for sale and online in Russia.
Kanev has been digging for information about the GRU and the FSB, as well as Russian organized crime, for two decades. He was one of the first journalists to publish details of Boshirov’s and Petrov’s civilian passports, their addresses, their real names and proved that the two “tourists” were in fact GRU officers.
In an interview with The Daily Beast last Tuesday, Kanev was laughing about the FSB staging raids on its own employees. “I wonder if the FSB published fake news on Rosbalt about the arrests, hoping that I would get worried and check on my sources,” Kanev said. “But in fact, my sources are all free and they are happy to leak more information, it is just a matter of price,” Kanev told The Daily Beast.
Rosbalt reported that among people detained on Monday, the FSB arrested an FSB employee at the federal border service, who was accused of selling information about Petrov’s and Boshirov’s multiple trips to Europe.
For weeks Russian bloggers have been mocking Bashirov and Petrov as two failed spies. The famous Russian comedian Semyon Slepakov composed a naughty “Song About the Salisbury Spire,” mocking the two dumb Russian officers who supposedly went to see a cathedral, but who would be happy to obey any commander’s orders, even if the order was to have sex with each other.
Not everybody in Russia found the episode funny. “Putin publicly lied about the Skripal case and now, when it’s been proven that Bashirov and Petrov are two GRU officers, the president has to save face,” said Moscow municipal deputy Ilya Yashin.
It was easy for Kanev, a middle-aged reporter with a modest income, to find documents proving that Petrov’s real name was Yevgeny Mishkin: “Stupid people at the GRU registered him right on Khoroshevskoye Highway 76, at their headquarters; and Boshirov, who is GRU Colonel Anatoly Chepiga, was registered at the student dorm of Russian Humanitarian University. The GRU is a totally unprofessional agency, bad at hiding secrets,” Kanev told The Daily Beast.
Retired KGB officer Gennady Gudkov was embarrassed to hear about the FSB raids: “As often happens in Putin’s Russia, instead of reforming the system, the Kremlin sends the FSB to look for a scapegoat,” he said.
“So first President Putin tells us that Boshirov and Petrov visited Salisbury on the day of the attempt on Skripal as two ‘civilians’; and then the FSB raids dozens of addresses, investigating who has leaked personal data and the true identities of these ’tourists.’ It makes me wonder if the head of the FSB Alexander Bastrykin is undermining Putin’s authority,” Gudkov told The Daily Beast.
Gudkov, a long-time anti-corruption activist and politician, said that the Skripal scandal showed both the GRU and the FSB as ”two decaying agencies, badly affected by a brain drain.”
Kanev, for his part, has paid a high price for his investigation of Bashirov and Petrov, which originally was published by The Insider and Bellingcat. A few weeks ago the Russian state began to investigate him for an extremely serious and unlikely crime—plotting the assassination of Vladimir Putin. So the reporter had to flee his home country. But he continues exposing the GRU spies’ lack of professionalism.
THE HIGH PROFILE AND BASE STUPIDITY of the GRU’s recent blunders are new, but the agency has long had a reputation for errors and a lack of professionalism compared to Russia’s other leading security services. GRU cyberespionage campaigns are often noisier and less sophisticated, and operators more aggressive. Military cyberexperts also struggled domestically; after the military failed to deliver a functional national CERT (Cyber Emergency Response Team – essentially an organization for handling cybersecurity incidents at the national level), the presidential administration reassigned the task to the FSB.
With all this in mind, the sniggering and outright laughter present in much Western reporting—and in Russia—would appear to be well-earned. But it is not, at least not entirely. Despite their problems, and sometimes because of them, Russia’s military remains a powerful actor in the cyber sphere capable of causing real damage. Every failure earning laughs abroad is another degree of pressure to deliver a win at home, pressure exacerbated by high levels of infighting among Russia’s security services, and within the government in general.
Sometimes, their very incompetence is the problem. It is unlikely that the GRU wanted their destructive NotPetya cyberattacks to spread outside their target country, Ukraine, and cause billions of dollars in damages to companies worldwide. They also likely did not want to kill a British citizen and hospitalize another with left-over novichok poison. But they did, British officials say.
They can also be aggressive. It is tempting to scoff when military spies are caught with a laptop full of evidence and a receipt for the taxi to the Moscow airport from GRU headquarters, but those spies were caught because they were aggressive enough to travel in person to hack their targets in The Hague.
The Skripal poisonings were nothing if not aggressive, and deadly, and were possibly an effort to score a feelgood win by assassinating a traitor. An attempted coup in Montenegro, a country on the verge of joining NATO, risked much, but could have had a real impact on an issue Russia considers a top national security priority.
THE THREAT LIES IN WHAT THE GRU really can do. It has conducted tens of thousands of successful cyberespionage attacks over many years. These may not be as elegant as those by some other Russian security services, but the GRU has experience, a history of successes, and abilities greater than many of their targets.
The Czech Republic may be one example. The internal and external computer systems of Prague’s ministry of foreign affairs were thoroughly compromised. Jakub Janda, the director of the Prague-based European Values think-tank would like to see retaliation. “Our special services believe that the attack was conducted by the GRU, so in response we should expel at least 50 to 70 out 130 Russian diplomats based in the Czech Republic,” Janda told The Daily Beast. But the Czech parliament has not been able to make much headway. MP Jan Lipavsky and his team worked on investigating the cyber attack and noted that building a new computer system will be hugely closely, but since President Milos Zeman “is close to Moscow, our political elite has no courage to retaliate.” Indeed, nobody could find a good explanation for why the Kremlin would back the attacks on a country where Russia has its biggest embassy other than to undermine stability in the European Union.
As events in recent years pushed the GRU to evolve into a political operation, some attacks got easier. One does not need to be an elite operator to socially engineer Democratic National Committee Chairman John Podesta’s Gmail password or allegedly collaborate with WikiLeaks. Real wars in Ukraine and Syria have been an opportunity to develop attack and disinformation skillsets even further.
What is more, Russia is one of a very small number of countries willing to conduct destructive cyber attacks, and those that are attributed to Russia are attributed to the GRU. NotPetya is an example of this—it wiped computers at thousands of companies throughout the world and is the most damaging cyberattack on record. Another, according to the government in Kiev, is GRU attacks that cut power and infected other critical infrastructure in Ukraine. The GRU may have been preparing for another major attack using 500,000 infected routers, some of which it also may have used for intelligence operations.
Which brings us to a story that did not make the news in the same way that the GRU’s many failures have.
Last year, a Saudi petrochemical plant suffered an attack that could have caused an explosion, and possibly even killed people. Those at the plant were lucky: the attack could not be completed due to an error in the code that failed to prevent the plant’s fail-safe measures from doing their job.
At the time, many attributed the attack to Iran, Saudi Arabia’s strongest opponent, which has its own history of conducting destructive attacks on the Saudi petrochemical industry, albeit with wipers, and not efforts to insert critical errors in industrial control systems.
However, an investigation of the attack by cybersecurity company FireEye has found with “high confidence” that a Russian laboratory built at least one component in Triton, the malicious code used in the attack. Iran may still be involved: it is possible that Iran obtained initial access to the plant using the same means as that used to spread their destructive wipers, and then used the component provided by Russia to conduct the new type of attack, but the evidence does indicate that an individual in Moscow played an important role in the development of a key part of the attack.
The Russian institution in question is the Central Scientific Research Institute of Chemistry and Mechanics, which advertises itself as “a leading organization of the Ministry of Defense of the Russian Federation.” Public indications of the laboratory’s capabilities suggest that it could have created the malware used to attack the Saudi plant.
Even in the small world of destructive hacking, attacks that could cause real-world injuries are an extreme step. Iran may have been the country to infect the Saudi plant and send the message that such an attack is possible, but Russia’s military is the one that has the capacity. This is the same organization that already has a history of aggressive, norms-violating moves, and they are in a tight spot. This is not to say that a deadly attack is imminent, but more serious ones are likely. Their mistakes are real, but so are their abilities.
Anna Nemtsova reported from Moscow and Prague. Kimberly Zenz reported from the United States.