305 Car Registrations May Point to Massive GRU Security Breach

October 4, 2018

By Bellingcat Investigation Team

In an unprecedented step, the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice on October 4, 2018 disclosed the identities used by four Russian individuals believed to be officers of the cyber-warfare division of Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). The four individuals travelled to the Netherlands in April 2018 in an attempt to hack into the computer network of the Organisation for the Prohibition of Chemical Weapons (OPCW), based in The Hague. These four men travelled under diplomatic passports, two of which had consecutive issue numbers.

Following this disclosure, Bellingcat and its Russian investigative partner, The Insider, attempted to verify that the identities disclosed by the Dutch authorities were in fact the authentic identities of the persons involved. Comparing data from different databases dated 2002 to 2014, Bellingcat was able to confirm that these identities are indeed real, as opposed to cover personas, which is the case with the two GRU officers involved in the Skripal poisoning case.

Figure 1. Aleksei Morenets, one of the four accused GRU officers, as seen on the diplomatic passport disclosed by the Dutch authorities.

Figure 2. Data on Aleksei Morenets from a 2010 Russian database.

Figure 3. Personal records on Aleksei Minin, a second suspect. The address at which Aleksei Minin was registered as of 2011 was listed as Ulitsa Narodnogo Opolcheniya 50, the official address of the GRU Conservatory.

Figure 4. Records on the third suspect, Oleg Sotnikov.

Registration at the GRU Conservatory

Database records for one of the four suspects indicated that he was registered as residing at Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the Military Academy of the Ministry of Defence is situated. This Academy is popularly known as the GRU Conservatory.

In the course of researching the authenticity of the personal data of the four individuals, Bellingcat was able to locate one of the four GRU officers identified by the MIVD in a Russian automobile ownership database. As of 2011, Alexey Morenets was the registered user and/or owner of a Lada (VAZ 21093) car.

Figure 5. Vehicle registration information for Alexey Morenets. The highlighted address is Komsomolsky Prospekt 20, the address of military unit 26165 of the GRU.

The address to which the car was registered, Komsomolsky Prospekt 20, coincides with the address of military unit 26165, described by Dutch and U.S. law enforcement as GRU’s cyber warfare department. The database entry contained Morenets’s passport number.

305 Cars for 305 Officers

By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered there. The individuals range in age from 27 to 53 years.

Figure 6. A part of the list of 305 individuals who operate cars registered to the same address as Mr Morenets.

The database contains their full names and passport numbers, as well as — in most cases — mobile telephone numbers. Besides the physical street address, the address entry points out the specific Military Unit: 26165. This is the same unit as the one identified in the United States Department of Justice indictments that were also announced on October 4, 2018.

If these 305 individuals — whose full personal data is available in the automobile registration database consulted by Bellingcat — are indeed officers or otherwise affiliated with the GRU’s military unit 26165, their listing in a publicly accessible database may constitute one of the largest mass breaches of personal data of an intelligence service in recent history.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award-winning group of volunteers and full-time investigators who make up the core of Bellingcat's investigative efforts.

185 Comments

  1. Rik van Wiltenburg

    Say Geert, do me a favour.. Where was Dikkertje Dap sitting? And who is the best-known “geitebreier”?

    Reply
  2. Geert Welling

    @Jeroen; Many other readers do not need your obviously lacking interpretation skills in order to explain them what to think, wouldn’t you consider such denoting denigrating wannabe participation rather insulting to people who got difficult jobs covering important western state security affairs such as corruption?

    Who are you, actually, to supposedly estimate both my intelligence quotient as those of other readers? Apparently you are suffering some problems at point of ‘intelligence’ before you impose as having achieved levels sufficient to estimate others. One of these apparent problems is that you continue to try and call pro fact pro Russian, as if pro western state intelligence would be pro bullshit. Another of these apparent problems is about your obviously lacking reading skills;

    ‘”Russian and/or seperatists firing Buk rockets at Dutch civilian aircrafts” didn’t you write that “Geert”?’

    Linguistically, adjectives are commonly ought to refer to first adverb used after the adjective, which is ‘civilian’ and not ‘aircrafts’. If you talk about a Turkish Tree Truck, the Turkish is rather referring to Tree instead of Truck. There are exceptions, but you can’t just assume different rules and blame others for it.

    Probable exceptions are not applicable here, since planes *are* not a nationality though at max *property* of a nation, sometimes property of international corporations. So Dutch pretty much *must be* referring to ‘citizen’ and probably not ‘plane’.

    Then, the very interesting information that I’m allowed to have received, that I’m also allowed to describe and got to describe throughout this forum discussion, is not about what exact nation would own the plane that crashed, though more about the way it crashed is notably different than portrayed throughout many media outlets. From analytical perspective about technical evidence it is not even so much of importance what nation, or corporation from a nation, would have owned the plane.

    Next, I’d like to assure you that what should participate in discussions about western state security matters should have worried about different factors than apparently made you worry! Also, basic understanding about these facts is *lawfully* expected from western security service operatives, for your information.

    theRiddler; You’d better stop about these supposed ‘tell tale signs’ and be careful that you’re not called a psychotic trying to ‘read signs’ that are published as clear, known and widespread facts.

    hermanboord; I may very well have received Dutch nationality at birth. By the way, to any background security service operatives this should be known by now, it is also fairly easy to verify. Preferably don’t try to insult people, it is regarded a weakness from intelligence branche positions.

    bellingcat admin; some people consider it remarkable that this ‘hermanbrood’ person can just double post without you apparently checking/validating. Some would say unexpected glitch in the back of this system, some know different. Could you spill a bit of ‘juice’ out in the open or are you not allowed to?

    boshi; so while discredit this discussion as a westener imposing as if Russian, would you systematically and structurally, internationally, want to weaken western intelligence impressions?

    Jeroen; real hot security service operations do *not* come in using diplomatic passports and the staff behind such operations *does not* forget to care for expert passport / identification material.

    Real hot sensitive state security information would not be stored behind a wifi configuration at OPCW headquarters and then again, EVEN A WIFI ACCESSIBLE FROM THE STREETS WITHOUT ANY SPECIALIST TOOLS !!!!1!!!1!! (note the 1 among the exclamation marks as well as what is written in caps, certain blurred visions might get a bit cleared by it).

    If any hot sensitive state security data would be unintentionally illegally stored, collected or maintained behind a scientific institute wifi, the wifi signal would be jammed at property boundaries.

    OPCW should be independent scientific institute that is not part of any nations state security services framework. Hence, it should not be internationally discredited by allowing itself to serve any nations state security interest, decreasing its acceptance. Hence, as security services are prohibited from upholding political agenda instead of state of law interest such as constitution, state security framework is prohibited from actively engaging OPCW operations as intelligence affairs.

    If intelligence has infiltrated OPCW, which has indeed happened and does happen more often than many people might get to think lately, the infiltration process as well as infiltrating organizations interest should not be jeopardized by the intelligence official conducting security service work under banner of science. This would not just pollute science and pull attention where it isn’t desired, it would imply intelligence gathering does the same job as special forces operatives (who influence instead of just gather) which is a breach of western state security affairs. Infiltrating such institutions are done under the banner of regular science and in order to protect the infiltration process itself, only information is gathered and passed on. The intelligence officials job would then be the secretly passing on of gained results under disguise of actively committing scientific research.

    However immodest such infiltration of scientific institutes might seem, it does happen and in certain occasions it is not illegal according to security service protocols. Officials influencing the scientific results is not just illegal, it is illegal for several very strong reasons, by security service protocols as well as more public state of law definitions.

    If influencing of OPCW has not happened, there is nothing to find there.

    Get a clue before you continue war- and fear-mongering efforts.

    Certain very highly trained, equipped and knowledged operatives and officials are researching and watching. And they do *not* like treason.

    Reply
    • Craig

      I think all we’ve determined is that “Geert” has a lot of time on his hands and that his argument boils down to one thing: anything less than “top secret” is fair game for hacking by anyone. At the OPCW this might include social media and email accounts, employee databases, strategy documents, incomplete/contested findings, investigative evidence, finances, phone logs/backups, etc. I can’t imagine how an adversary might make use of that stuff!

      Reply
    • OhDear

      Geert, your warnings that Bellingcat are pretending to be “intelligence” and other closeted remarks are utterly redundant.

      Bellingcat is not pretending to be intelligence, or an intelligence agency, they are journalists and they are revealing what commonly available data may be revealed through open source, public records, metadata, FOI requests and similar banal data overlooked by the public (and seemingly even by GRU).

      This is the kind of information that underpins national intelligence agencies such as the NSA and GRU (who spend considerably larger resources doing exactly the same processes, but who keep this information from the public).

      The OPCW data in the end could compromise sources, methods, communication channels, much like this one vehicle registration can undermine potentially 300+ other vehicles. You know, like the same way the Climategate came about. Cherry picking select data to manipulate public domain information.

      Reply
    • Jeroen

      The plural of aircraft is aircraft NOT aircraftS.

      MH17 was shot down with a Buk from the Russian 53rd ZA Brigade.
      On that Malaysian civil aircraft were 298 human beings, 192 were with Dutch nationality, one with mixed US/Dutch nationality, so 90 others were of Australian, Belgian, British, Canadian, German, Philippine, Indonesian, Malaysian, South African nationality, to call MH17 a “Dutch civilians” aircraft would be rather strange wouldn’t it?

      Reply
  3. Geert Welling

    @Rik van Wiltenburg; what do you think is important, in contrast to the many facts I was allowed to get to post here? Dikkertje dap?

    If only you would get some idea of what this looks like. But anyway, operatives and officials are also supposed to behave ‘professionally’ around some rough homosexuals who in some places sometimes, rather hilariously and less consciously, get to jump/mess around in between serious operations.

    Reply
    • Rik

      This must be the worst Google translation ever !! Haha… You really failed this test “Geert”. And no Dutch person would drag in homosexuality in a discussion like this, that is a real give-away for the homophobic atmosphere that you encounter in your country every day.

      Reply
    • Big Bird

      Ah good! The weekend from “Geert” is over I guess. This comment is great. He couldn’t even use a proper translation. I almost feel sorry for him.

      Strange how you drag homosexuality in the discussion. I guess he is thinking along about that subject…

      Reply
  4. Geert Welling

    I’m less illeterate than some of you might have assumed.

    Did you know that certain intelligence officials and operatives tend to utilize small grammar, spelling mistakes and unconscious conditioning patterns to provoke discrediting ‘false news’ wannabe ‘intelligence’ come out of their unconstitutional and western state security affairs damaging holes?

    Don’t worry very small birds and frustrated racists (hating whole countries without understanding what its about eager to pull majorities that don’t want wars into wars), Europe runs anti nationalism agenda, partly, and its disliked how certain nationalists think themselves able to (verbally) dispose whole nationalities into supposed ‘untermensch’ positions; kids are not prohibited from running around.

    Reply
    • John P

      Couldn’t agree more, I like the transparency of this site however threats from government agencies must be high – stay safe out there!

      Reply
    • Someguy

      With this bunch of ignorant pricks unfamiliar with the basic security measures for undercover work, what kind of a ‘hack’ would you expect? Still, maybe they will stick to good ol’ novichok way of solving this. I heard though they think Bellingcat is just a place where MI-6 (or similar) flush their data, so no point in attacking them…

      Reply
  5. Linda Britt

    Social media at its best and most powerful. Could bring down the corrupt Putin who has lined his own pockets at the expense of his own country, and single-handedly created a new cold war. Bring it on. His days are surely numbered……

    Reply
    • Neil

      He’s got a tight grip on the Russian public and authorities alike (and an even tighter grip on his opponents). The yardstick is to see how public opinion changes in light of these events.
      The Russian elites are used to being jabbed at by politicians via the western financial system. Nothing really bites though and money talks. Unless the west turn the financial screw in a concerted effort the Russian elites won’t look for an alternative head of state.

      Reply
  6. Martin

    I signed up for this site hoping to gain interesting information. Instead I find the comments full of senseless bickering. If any of you are actually GRU, is this the best work you can do?
    Poor old Putin!

    Reply
  7. Servus

    Very interesting and … and I have expected that already while reading the investigation about identification of the first of Skripals’ murderers.
    In one of the databases his home address was the GRU headquarter and some other unusual annotations. So, with modern data mining algorithms it would not be difficult to identify other similar records and potential agents.
    The point is, that it’s become more and more difficult to create false identities and create credible historical information, even more so because there exist old copies of these databases, so the governments lost the control of the past !
    It would be also interesting to run comparisons of the historical database with the latest copies and detect the appearance of past record in the latest versions, there were not there in older copies but should have been…

    One thing is also obvious, Russians created massive false identities, it’s a large scale project and thus it’s difficult to control every single small detail like an address of “company car” registration pretending to be a private one …

    Reply
  8. Geert Welling

    Strange peculiar situation where very few people seem willing to provide answer why high profile wifi configurations would be accessible from the streets.

    Very few people seem able to answer how high profile security service infiltrations would come in using diplomatic passports from the country ‘committing the attack’.

    Few people have shown competence to explain how many hundreds, if not thousands, of attacks are not at all discussed as if these similar (to/or worse than) OPCW case infiltration efforts would not be dangerous though from intelligence perspective not very interesting OPCW case would suddenly be an attack to western systems, note that OPCW is a scientific institute, nothing like the army administration or likewise.

    Very few people adequately point out that if any Russian would want to collect social media account information about OPCW participants/researchers, it would have been more easy to collect smartphone pings at summits, entrances or imposed as other OPCW researchers simply connected to the same network. Or just google the more or less publically known names affiliated to the organization, as an example.

    Very few people seem knowledged enough to explain why pro fact would be pro Russian instead of pro quality of western intelligence.

    Even less people seem to get understanding of how OPCW should conduct to scientific/research agenda and not any political, military or intelligence agenda because it would discredit OPCW and its resulting research reliability as a prominent institute, as it would be a breach of western state security.

    Then astounding small amount of people seem to have received the intelligence that if OPCW would *not* be conducting to bogus/malicious agenda, any infiltration would not really beneficial to whatever country. Disrupting, damaging, manipulating OPCW services or data through infiltration does only do harm to any infiltrating organization, is hence therefore not just unlikely, it would be breach of Russian state security to commit to that, meaning it would technically be considered an ‘attack´ but then one that primarily serves western interest.

    Then it’s fairly interesting to consider what the democratically accepted and scientifically long past proven results would be from refusing to share / withholding methods to detect chemical weapons attack, what would preventative influence be from such clearly proven *malicious* unscientific and illegal OPCW approach? Can any of you warmongering fools tell me how such would be a breach of western security?

    Then if its about human rights, also in the #skripal case, can *any of you* explain me why much worse Chinese behavior is hardly discussed at all but Russia need to be ‘eliminated’? Could you ‘professionally’ explain me how such would not be breach of UN, NATO and western security as well as international law definitions, *not just* about discrimination and inequality? Do any of you think that western intelligence cuttles spies committing treason, and do you have the least bit of clue about how not just spies but also whistleblowers were murdered and in what ways?

    Now let me be clear, I’m *NOT* pro #skripal murders. As up to including American CRS is against ridiculous wikileaks ‘witchhunt’.

    @bananaman; you don’t even know what you supposedly love, so that’s not just not real love, you don’t know how to address your lack of knowledge. Do you assume, during this discussion about intelligence matters, that it would be about grammar mistakes? Did you receive the least bit of clue about the number of dyslexic though very professional intelligence officials and operatives? Or would you assume, during a discussion about intelligence problems, that somebody would not misspell exactly that word ‘illiterate’ on purpose? Now why would I do that?

    Kind of striking that instead of providing any reasoning, any answering, so much trolling is found instead.

    That’s not really the problem, it’s just a whole lot of ignorant wannabe participants to this discussions.

    It’s researched how some of them call pro western state security protocols ‘pro Russian’, meanwhile paid, trained and educated by tax money to know better in order to serve western interest.

    It’s researched how some people *think* they can discredit information under disguise of supposedly gathering it. It’s damaging western interest how some people *figure* ability to discredit in the name of western state security interest viable tactics when facts are pointed out and/or when answers are lacking.

    Treason is not just any crime. And boy, there are real officials and operatives around, and not specifically Russian.

    Any questions? Banana?

    Reply
    • Neil

      For someone smart, your arguments are narrow and narrow-minded.
      You seem to be trying to lead the discussion away into dark and muddy corners.
      Saying other countries did bad things doesn’t justify what the GRU and Putin did (I didn’t see it happen, but that’s the case with 99.99999% of my life and other people’s too. Which is why we have courts and due process.)
      By the way are you Dutch? Someone said you did a bad translation into Dutch, implying you are pretending to be Dutch.

      Reply
    • Karel

      These guys have had specialist tools, including strong wifi antennas, they used diplomatic passes because it provides them immunity, if they would use false passport from other country police would find out that they are from Russia anyway and they would have no immunity. Isn’t that obvious, tell me are you stupid, ignorant or troll?

      Reply
      • Geert Welling

        These ‘specialist’ tools as you name them, are tools scriptkids use on a daily basis, this is wholly different than the ossiloscopes and otherwise more of specialized equipment is used in more of specialized intelligence operations.

        Legal immunity is not automatically provided to just everybody who received a diplomatic passport, legal immunity is appointed as long as the passport holder commits to politic agenda. Russia does have several ties with several less suspected countries from up to other continents that would pretty easily enable security service personnel travelling to the Netherlands using passports that are indistinguishable from real.

        Diplomatic passports are not appointed to provide legal immunity in relation to intelligence operations.

        These facts should be obvious.

        Tell me, instead of acting as a stupid ignorant troll, why would any sensitive data be stored, collected and/or maintained using configurations which are easily approached and infiltrated from the street, regardless whether such is done by scriptkids, operatives or p.e. any curious grandma, and *not* be a breach/weakness of security?

        So don’t talk about ‘attacks’ if you don’t understand what attacks really are and really are not. This is not some fancy james bond movie where bullshit is imposed as if reality. If this isn’t obvious by now, you should refrain from showing off foolishness.

        Reply
        • Neil

          So they were caught red-handed and your arguments are whimsical.
          Your notion that countries don’t use diplomatic passports in order to circumvent border controls or jurisprudence is farcical.
          Red-handed, they were caught absolutely red-handed.

          By the way are you pretending to be Dutch or not?

          Reply
        • Servus

          “ossiloscopes” – you made me laugh, there is no need for any oscilloscope in this situation all is happening at the logical access layer, a server and some software, all is needed to make an attempt. BUT actually cracking WIFi protected with WEP2-AES (most likely this was how the OPCW network was set-up) and a strong password is considered not possible, but one can not exclude some yet unknown implementation issues.
          Nothing for script-kiddies though…

          Reply
  9. Joe

    Say what you will but you can not argue that Putin cares more for his country than any other world leader. Tell me again, what country is it that does no wrong?

    Reply
    • Neil

      Yeah, you can argue that Putin has ostracized Russia and nurtured another cold war.
      That’s not good for the Russian people, is it? We’re pointing the finger at Putin this time because he’s given us so much ammunition. He loves power, and only his country folk inasmuch as they enable his lust. He certainly doesn’t love any of his country folk if they aren’t heterosexual.

      Reply
