
305 Car Registrations May Point to Massive GRU Security Breach

October 4, 2018

By Bellingcat Investigation Team


In an unprecedented step, the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice on October 4, 2018 disclosed the identities under which four Russian individuals, believed to be officers of the cyber-warfare division of Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), travelled to the Netherlands in April 2018 in an attempt to hack into the computer network of the Organisation for the Prohibition of Chemical Weapons (OPCW), based in The Hague. The four men travelled under diplomatic passports, two of which had consecutive issue numbers.

Following this disclosure, Bellingcat and its Russian investigative partner, The Insider, attempted to verify that the identities disclosed by the Dutch authorities were in fact the authentic identities of the persons involved. Comparing data from different databases dated 2002 to 2014, Bellingcat was able to confirm that these identities are indeed real, as opposed to cover personas such as those used by the two GRU officers involved in the Skripal poisoning case.

Figure 1. Aleksei Morenets, one of the four accused GRU officers, as seen on the diplomatic passport disclosed by the Dutch authorities.

Figure 2. Data on Aleksei Morenets from a 2010 Russian database.

Figure 3. Personal records on Aleksei Minin, a second suspect. The address at which Aleksei Minin was registered as of 2011 was listed as Ulitsa Narodnogo Opolcheniya 50, the official address of the GRU Conservatory.

Figure 4. Records on the third suspect, Oleg Sotnikov.

Registration at the GRU Conservatory

Database records for one of the four suspects indicated that he was registered as residing at Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the Military Academy of the Ministry of Defence is situated. This Academy is popularly known as the GRU Conservatory.

In the course of researching the authenticity of the personal data of the four individuals, Bellingcat was able to locate one of the four GRU officers identified by the MIVD in a Russian automobile ownership database. As of 2011, Alexey Morenets was the registered user and/or owner of a Lada (VAZ 21093) car.

Figure 5. Vehicle registration information for Alexey Morenets. The highlighted address is Komsomolsky Prospekt 20, the address of military unit 26165 of the GRU.

The address to which the car was registered, Komsomolsky Prospekt 20, coincides with the address of military unit 26165, described by Dutch and U.S. law enforcement as GRU’s cyber warfare department. The database entry contained Morenets’s passport number.

305 Cars for 305 Officers

By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered there. The individuals range in age from 27 to 53.

Figure 6. A part of the list of 305 individuals who operate cars registered to the same address as Mr Morenets.

The database contains their full names and passport numbers, as well as — in most cases — mobile telephone numbers. Besides the physical street address, the address entry points out the specific Military Unit: 26165. This is the same unit as the one identified in the United States Department of Justice indictments that were also announced on October 4, 2018.

If these 305 individuals — whose full personal data is available in the automobile registration database consulted by Bellingcat — are indeed officers or otherwise affiliated with the GRU’s military unit 26165, their listing in a publicly accessible database may constitute one of the largest mass breaches of personal data of an intelligence service in recent history.


185 Comments

  1. Jeroen

    What exactly those 4 GRU agents targeted at the OPCW we will probably not learn, but that up to 305 identities of possible former and current GRU men and women are now out on the street might cause some worries to some people.

  2. Jeroen

    A GRU colonel working at the Russian embassy in The Hague was named by Russian journalist Sergey Kanev, and brought in connection with the hacking attempt, his name being Konstantin Bakhtin.

  3. Jeroen

    Just last week, Russian journalist Sergei Kanev exposed yet another GRU screw-up: In order to conceal the identities of the children of officers living in a GRU housing complex, the agency registered them as 100 years older than they really are. This triggered an investigation by pension authorities, who suspected fraud. Kanev was able to confirm the existence of these centenarian children, and therefore their officer parents, using one of the numerous leaked databases of personal information available for sale and online in Russia.
    https://www.thedailybeast.com/russias-military-spies-are-a-laughing-stock-but-theyre-dangerous-as-hell?source=twitter&via=desktop

    • Kathleen

      GRU up until now has not been known by its screw-ups. One wonders if there might be some purpose to mucking things up. Just a thought.

  4. Jeroen

    The Dutch Military Intelligence did publish only the names of those 4 GRU operators, not the names of other embassy personnel who assisted them, or the names of other spies who left the Netherlands earlier.
    Also the Dutch Ministry of Foreign Affairs did not either, but now the NRC did some research on them and identified and named a number of them.
    The Russian diplomat who welcomed the 4 GRU operators at the airport was identified as Anton Naumkin.
    https://nl.linkedin.com/in/anton-naumkin-a983b965
    Though his face was blacked out on photos, his face mirrored in a window and the coat he was wearing made identification possible.
    The diplomat and GRU Colonel who coordinated the hacking attempt at the OPCW was Konstantin (Anton) Bakhtin (age 39).
    Bakhtin studied with Chepiga in Moskva and was his neighbour then, and it is believed he was collecting information on the MH17 case also.
    Other names identified by NRC are former embassy diplomats and GRU officers Andrei Gugnjajev, Vladimir Grekov, named in connection with spying in the Netherlands, further Sergei Larionov and Ivan Agafonov.
    https://www.nrc.nl/nieuws/2018/11/30/poetins-spionnen-in-nederland-a2879962

