
Cyber Brief: GRU Cyber Operations

Diagram from US-CERT's report on APT28 and APT29 (aka GRIZZLY STEPPE). Description by source: "The tactics and techniques used by APT29 and APT 28 to conduct cyber intrusions against target systems"

Published: Jul 18, 2018

Edited by Michael Martelle

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu


Robert Mueller, Special Counsel for the US Department of Justice, on Friday, July 13, 2018, indicted twelve Russian intelligence officers for “engaging in cyber operations that involved the staged release of documents stolen through computer intrusions.” These cyber intrusions have come to be referred to as “Operation Grizzly Steppe.” Today’s posting explores the US Government’s public conceptualization of Russian cyber operations and highlights the two GRU units suspected of being directly involved: Unit 26165 (a/k/a Cozy Bear, APT29) and Unit 74455 (a/k/a Fancy Bear, Pawn Storm, APT28).


Documents

Sergei A. Medvedev, Naval Postgraduate School, Offense-defense theory analysis of Russian cyber capability, March 2015. Unclassified.

The central questions of this thesis are whether Russian cyber capabilities reflect an investment in offensive or defensive cyber weapons and whether Russia's cyber technology, doctrine, and policy indicate an offensive or defensive cyber posture. The discussion of Russian cyber capability includes several case studies of Russian cyber activity.


Department of Homeland Security and Federal Bureau of Investigation, Joint Analysis Report, GRIZZLY STEPPE - Malicious Cyber Activity, December 29, 2016. Unclassified.

This report presents the information that the U.S. government is willing to make public concerning "the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sectors entities."


James R. Clapper, Marcel Lettre, Admiral Michael S. Rogers, Joint Statement for the Record to the Senate Armed Services Committee, "Foreign Cyber Threats to the United States," January 5, 2017. Unclassified.

In their joint statement, the DNI, the Under Secretary of Defense for Intelligence, and the Director of NSA/Commander, U.S. Cyber Command, discuss the physical, commercial, and psychological consequences of cyber threats and their implications for cyber policy, diplomacy, and warfare. In addition, the statement discusses a number of cyber threat actors - nation states (Russia, China, North Korea, Iran), terrorists, and criminals - and responses to cyber threats.


National Cybersecurity and Communications Integration Center, Department of Homeland Security, AR-17-20045, Enhanced Analysis of GRIZZLY STEPPE Activity, February 10, 2017. Unclassified.

This report is a greatly expanded version of the GRIZZLY STEPPE analysis released in late December 2016, and focuses on the use of the Cyber Kill Chain model (whose components are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective) to analyze malicious cyber activity.


Michael Connell and Sarah Vogler, Center for Naval Analyses, Russia's Approach to Cyber Warfare, March 2017. Unclassified.

This paper examines both the theoretical and practical underpinnings of the Russian approach to cyber warfare. It contains chapters on cyber as a subcomponent of information warfare, organizations and agencies, hacktivists and criminals, three case studies of Russian cyber operations (Estonia in 2007, Georgia in 2008, and Ukraine from 2013 to the present), and chapters on bots, leaks, and trolls.


Janis Sarts, Director of the NATO Strategic Communications Centre of Excellence, "Russian Interference in European Elections," June 28, 2017. Unclassified.

In his testimony before the Senate Select Committee on Intelligence, Sarts presents case-study research conducted at the NATO Strategic Communications Centre of Excellence on the tools used by Russia in conducting influence operations and Western responses before making a series of policy recommendations.


Defense Intelligence Agency, Russian Military Power, June 2017. Unclassified.

One section of this study addresses Russian cyber activities, including cyber-enabled psychological operations (including the use of hacktivists, trolls, and bots) and information defense.


United States District Court for the District of Columbia, "US v Viktor Borisovich Netyksho, et al - Indictment," July 13, 2018. Unclassified.

This document indicts 12 Russian intelligence officers for operations against Democratic Congressional Campaign Committee computer networks to interfere in the 2016 election.