The GRU members expelled from the Netherlands used basic OPSEC measures, such as throwing out their own rubbish while staying in a hotel; nevertheless, their arrest revealed the lack of other equally basic security measures, that undoubtedly will have given the Service plenty to talk about. Perhaps the proximity operations – at least in the Netherlands – were not considered as a risk by the GRU, perhaps they were considered human failures due to breach of regulations … who knows. The fact is that this poor OPSEC brought to light information on identities, targets, TTP … that allowed us to know the Service a little better during 2018 and that, had they acted otherwise, these evidences wouldn’t be so.
When we talk about OPSEC, beyond formal models and methodologies, we always talk about the three Cs[1]: Cover, Concealment, Compartmentation. The coverage of an operation must allow you to justify where you are (state) and what you are doing (action), the concealment must allow hiding activities or identities related to the operation and, finally, compartmentation, as a final line of defense, must minimize the impact in case things go wrong, not affecting other people, operations, etc.
In the case of the agents identified in the Netherlands, their coverage was, as we just said, a security inspection at the Russian embassy in the Netherlands, near the OPCW headquarters; this could justify that they were in the vicinity of said headquarters, but on the basis of the seized devices it would be quite difficult to justify the action, what they were specifically doing in that localization… but let me point out this fact: Are these security inspections military service? Wouldn’t that be the responsibility of the FSO or, in any case, the FSB? Curious… In any case, if the coverage was weak, the concealment is even weaker, so when we have four members of the Service traveling with real identities, diplomatic passports (with sequential numbers) … to an operation, and moreover, keeping among their belongings not only electronic devices, but also something as mundane as a taxi ticket from the headquarters of the Unit to the airport, just to give an example (ticket confirmed as true by the corresponding Moscow taxi company). This lack of security measures motivated different analysts to obtain personal data of different agents, from public sources, such as their profiles on social networks or the football clubs in which they play. For instance, Aleksei SERGEYEVICH MORENETS’ profile on the website mylove.ru, a Russian dating site, in which the member of Unit 26165 appears in a photo taken in Moscow, a few meters from the headquarters of the Service.
If the measures of coverage and concealment of arrested agents in the Netherlands are poor, those of compartmentation are perhaps even poorer. Seized computers not only show data from the deployed operation, but also data from other operations that had little or nothing to do with it. From a photo taken at the 2016 Rio Olympics – a fact that confirms that MORENETS was there, we don’t know if for personal or professional reasons, to navigation history and search for possible targets outside the OPCW or WiFi connections at Kuala Lumpur hotels, supposedly in line with the Malaysia investigations of the MH17 case. In spite of the fact that one of the agents tried to destroy his mobile phone while being caught, according to the Dutch government, the electronic devices exposed traces of some very interesting activities of the members of the Service. Whether these activities were related to the operations of the GRU – or not – is something we don’t know, but in any case, this information should NOT have been in those devices in any way.
How can these errors occur? Well, attackers also have budgets, bosses, deadlines…and we all make mistakes. Although my personal opinion is that an operation, no matter how simple or risky it may be a priori, requires minimum OPSEC measures. I don’t know the reason (technical, political, budgetary, …) why in this case they were not applied. However, it is necessary to point out that apparently serious OPSEC failures are not exclusive to the GRU; the FSB is not lagging behind in historical errors in terms of operational security measures, as evidenced in the cyber environment by alleged Canadian CSEC documents leaked by Snowden[2], which explain how the operators of Turla (linked to the FSB?) use the operating environments of a campaign for personal use (mail and social networks, browsing …). Also, in a physical environment, members of the FSB made very serious mistakes, such as when in 2016 a new promotion of agents celebrated the end of the academic course by photographing themselves in Moscow and taking an off-road Mercedes ride around the Russian capital; images of the event can still be found on social networks. The FSB rewarded this attitude by assigning them to the areas of Chukotka and Kamchatka, in the far east of Russia, more than eight hours flight from Moscow. Whoever is free from sin…
References
[1] TheGrugq. OPSEC in the age of the egotistical giraffe. HITBSecConf, 2014.
[2] Canada CSEC. Hackers are humans too. Cyber leads to CI leads.