
305 Car Registrations May Point to Massive GRU Security Breach

October 4, 2018

By Bellingcat Investigation Team


In an unprecedented step, the Dutch Military Intelligence and Security Service (MIVD) and the United Kingdom’s Ministry of Justice on October 4, 2018 disclosed the identities of four Russian individuals believed to be officers of the cyber-warfare division of Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). The four individuals travelled to the Netherlands in April 2018 in an attempt to hack into the computer network of the Organisation for the Prohibition of Chemical Weapons (OPCW), based in The Hague. These four men travelled under diplomatic passports, two of which had consecutive issue numbers.

Following this disclosure, Bellingcat and its Russian investigative partner, The Insider, attempted to verify that the identities disclosed by the Dutch authorities were in fact the authentic identities of the persons involved. Comparing data from different databases dated 2002 to 2014, Bellingcat was able to confirm that these identities are indeed real, as opposed to cover personas, as was the case with the two GRU officers involved in the Skripal poisoning case.

Figure 1. Aleksei Morenets, one of the four accused GRU officers, as seen on the diplomatic passport disclosed by the Dutch authorities.

Figure 2. Data on Aleksei Morenets from a 2010 Russian database.

Figure 3. Personal records on Aleksei Minin, a second suspect. The address at which Aleksei Minin was registered as of 2011 was listed as Ulitsa Narodnogo Opolcheniya 50, the official address of the GRU Conservatory.

Figure 4. Records on the third suspect, Oleg Sotnikov.

Registration at the GRU Conservatory

Database records for one of the four suspects indicated that he was registered as residing at Ulitsa Narodnogo Opolcheniya 50, an address in Moscow where the Military Academy of the Ministry of Defence is situated. This Academy is popularly known as the GRU Conservatory.

In the course of researching the authenticity of the personal data of the four individuals, Bellingcat was able to locate one of the four GRU officers identified by the MIVD in a Russian automobile ownership database. As of 2011, Alexey Morenets was the registered user and/or owner of a Lada (VAZ 21093) car.

Figure 5. Vehicle registration information for Alexey Morenets. The highlighted address is Komsomolsky Prospekt 20, the address of military unit 26165 of the GRU.

The address to which the car was registered, Komsomolsky Prospekt 20, coincides with the address of military unit 26165, described by Dutch and U.S. law enforcement as GRU’s cyber warfare department. The database entry contained Morenets’s passport number.

305 Cars for 305 Officers

By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered to that address. The individuals range in age from 27 to 53.

Figure 6. A part of the list of 305 individuals who operate cars registered to the same address as Mr Morenets.

The database contains their full names and passport numbers, as well as — in most cases — mobile telephone numbers. Besides the physical street address, the address entry points out the specific Military Unit: 26165. This is the same unit as the one identified in the United States Department of Justice indictments that were also announced on October 4, 2018.

If these 305 individuals — whose full personal data is available in the automobile registration database consulted by Bellingcat — are indeed officers or otherwise affiliated with the GRU’s military unit 26165, their listing in a publicly accessible database may constitute one of the largest mass breaches of personal data of an intelligence service in recent history.

Bellingcat Investigation Team

The Bellingcat Investigation Team is an award-winning group of volunteers and full-time investigators who make up the core of Bellingcat's investigative efforts.


185 Comments

  1. Karel

    That means that identities of 305 Russian spies are known to public, their faces will be surely recognized by security forces every time they try to leave Russia. That’s brilliant.

  2. Norman Mackillop

    By publishing your methods of detection, surely the GRU will close this gap? Is this wise?

  3. Jack

    Well done. Great investigative technique and outcome. But I agree with the above. If British intelligence have been using this loophole for years as an entry point to get names surely all Bellingcat has done is close this avenue of data collection for the intelligence services because the Russians will surely be all over this mistake soon?

  4. John

    “dude – October 12, 2018
    GRU not exists since 2010. You can look in yandex maps at Ulitsa Narodnogo Opolcheniya 50: https://yandex.ru/maps/213/moscow/?

    In this building cannot not be secret services.”

    Haha surely this guy is one of the St. Petersburg troll factory idiots or “secret” service…seems the only two who believe these 2 don’t exist are Russia and their secret service themselves….the rest of the world knows lol

  5. John

    Geert – is clearly 100% either one of these Kremlin sponsored St Petersburg troll factory idiots hired to muddy the waters and confuse everybody or GRU or both…

    • Jeroen

      RIGA – Russia’s Main Directorate of the General Staff of the Armed Forces (GRU) in the past years has repeatedly implemented attacks on Latvia’s cyber space and most often they had been aimed at state institutions, including foreign and defense sectors, LETA learned from the Constitution Protection Bureau (SAB).
      SAB reports that GRU is one of the most active foreign services actively working against the Western countries, including Latvia.
      The same groups of hackers representing Russia’s intelligence service that attacked the Organization for the Prohibition of Chemical Weapons (OPCW), the World Anti-Doping Agency, and the Malaysian institutions that investigated downing of MH17 plane, in the past years had also implemented attacks on Latvia’s cyber space, SAB said.
      http://m.baltictimes.com/article/jcms/id/142238/

  6. Geert Welling

    It is difficult to conceive how much idiocy runs around as if any like knowledged in regard to state security matters these days. And a couple of plain old traitors as well, eager for warmongering under disguise of defense of peace.

    It is mindboggling that people supposedly worried and caring for what are called ‘free western democracies’ are sometimes reverting to disgusting methods as influencing public opinion in lack of real reasons.

    Mindboggling to read about ‘this and than detective’ talking about ‘real piece of art work’ about this supposed ‘research’, is it difficult to acknowledge that sensitive western state security information should not be stored at OPCW headquarters and NEVER behind wireless network configurations accessible from the street?

    I mean, some of you don’t grasp that but those same some of you supposedly would be capable reporting about western state security affairs?

    Get your head out of your arses please, this is just a disgusting display of western state security weakness which is not in western state security interest to show off to potential adversaries.

    Oh and besides, this was not an attack. Any of you around that received a little bit of understanding about these matters, anyone around that has received some degree from any western military academy?

  7. Rik

    Well well, it’s Geert again. The Fake Dutch guy. As Dutch as Poetin’s son in law. Oh no… that one is actually a Dutchman 🙂 .
    Forgot to mention that you’re allowed and received Geert?

    No one is listening to your bogus reasoning. Stop trolling and buy yourself a beer.

    На здоровье!

  8. Geert Welling

    You’re most obviously behaving as a shame to western, and Dutch, security definitions and protocols, looking like a big idiot calling out facts as if in Russian interest thereby calling Dutch interest bullshit.

    Here, and this is superficial mainstream news media messages, not even ‘investigative journalism’, let alone ‘intelligence’ (can you still cope without starting to call these facts Russian interest too?);

    “Although espionage is considered an “acceptable” state behaviour and not a reasonable pretext for a forceful response, the theft of military secrets remains a serious threat to national security.”

    https://news.sky.com/story/mod-secrets-exposed-in-dozens-of-cyber-security-breaches-11524076

    Boy oh boy, have we been ‘attacked’ by dozens and dozens up to including state players, but now Russia that openly tries to intercept some OPCW communication (I mean, not NL/UK/US department of defence networks, but some international scientific institute) *COMING IN USING THEIR RUSSIAN DIPLOMATIC PASSPORTS* is suddenly real reason to worry, no?

    Rik, as the saying says: preferably get your head out of your ass. As of now you’re a shame to our national interest now, calling bullshit and bullshitting in Dutch interest and facts pro Russian, did you get your hands on some bling bling coins for sucking Putin off and/or did traitors pay you to try and troll western public opinion into idiocy?

