Heads rolling at the GRU? Blundering Russian intelligence
Analyse Diplomatie & Buitenlandse Zaken

Heads rolling at the GRU? Blundering Russian intelligence

23 Oct 2018 - 11:18
Photo: The doubleheaded eagle, the state emblem of Russia © Pixabay
Terug naar archief

Intelligence services of great powers, Russia included, often have a reputation of being all-powerful and well-oiled machines, ready to carry out any wish of the political leadership. They also often present themselves this way. Of course, intelligence services are not all-powerful and infallible, but are like the human beings who work for them and lead them: they frequently make mistakes, sometimes with serious consequences. Every now and then blunders come into the open, baffling outsiders with their amateurishness.

Recent operations by Russian intelligence services, in particular the military intelligence service GRU, are a case in point.1 Only rarely has an intelligence service of a major power received so much public attention for two spectacular failures over such a short period of time as has happened to the GRU in early 2018. The reference here, of course, is to the attempted murder of Sergei Skripal and his daughter in Salisbury, U.K., in March 2018 and the expulsion of four GRU operatives from The Netherlands a month later.

Aggressive anti-Western operations
The GRU has played a major role in a range of aggressive anti-Western operations on behalf of the Russian state. According to the Russian intelligence expert Andrei Soldatov, after the annexation of Crimea in 2014, the Ministry of Defence and the military rose in prominence in Moscow politics as well as in broader society, with a consecutive increase in GRU activity abroad.2 A GRU department known by international cyber security researchers as Advanced Persistent Threat (APT) 28, or Fancy Bear, was involved in hacking sites of the Democratic Party in the U.S. and passing the stolen mails to WikiLeaks. APT 28 has been responsible for a range of cyber-attacks, including a false flag operation taking French TV-station TV5 Monde offline (claiming it was the Cyber Caliphate that did it), and hacking a Ukrainian power station in 2015. The GRU has also played a role, perhaps a major one, in the annexation of the Crimea, the subsequent 'separatist rebellion' against the Kiev government in Eastern Ukraine and the downing of MH-17 in the same year, to give just a few examples.3 The attempted assassination of Sergei Skripal and his daughter in Salisbury with a novichok nerve agent and the failed attempt to hack the computer networks of the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague were definitely not success stories, however.

Sloppy tradecraft: three failed operations
In the case of the attempted assassination of Skripal and his daughter, the British government was almost immediately certain that the GRU was responsible. This was before the images of the two men who used the fake identities of 'Alexander Petrov' and 'Ruslan Boshirov', were seen all over the world as they walked the streets of Salisbury. In an ironic twist, both had apparently been decorated as 'Heroes of the Russian Federation', a high award personally bestowed by President Putin for their earlier GRU work in Eastern Ukraine. It is possible that British intelligence had intercepted Russian communications that led them to the perpetrators, or that they had a human source deep in Moscow that provided the information. After all, the British had previously provided to allies advance warning of GRU/APT 28 operations, and this would explain their certainty on the origin of the Skripal attack immediately after it occurred.

This excuse appears to be a good candidate for the weakest cover story of all time in the history of Russian intelligence 

Nonetheless, the GRU would have known in advance that the voluminous material from ubiquitous CCTV cameras in the UK would be analysed and would probably betray the movements of the attackers. And that is, as we know, exactly what happened. Apart from the fact that the operation was unsuccessful in that both victims survived, the suggestion that the whole enterprise was planned badly from the start seems confirmed by the lack of a proper cover story for the presence of the two men in Salisbury once they had been identified. The explanation they presented during the interview on the well-known Russian propaganda outlet RT, that they had come to view the world-famous cathedral was, of course, eminently laughable. This excuse appears to be a good candidate for the weakest cover story of all time in the history of Russian intelligence.

The operational blunders committed by the four expelled GRU officers in The Hague were highlighted in a press conference in The Hague on 4 October 2018. In contrast to the Skripal hit squad, the involved GRU operatives did not even bother to travel under cover, arriving on a direct flight from Moscow under their own names. A taxi receipt for the ride from GRU headquarters to the airport in Moscow was found on one of the four men when they were detained in April. It became instantly famous, and indicated that even GRU officers need to declare expenses. An equally amateurish operational mistake was a laptop they brought with them on their trip to The Hague. It contained a lot of information on previous missions. Even the various wifi-networks that the computer had previously logged onto had not been wiped, something that can be programmed automatically. The laptop betrayed visits to Malaysia, to hack government organisations in possession of information related to the investigation into the downing of MH-17 in July 2014, and to Rio de Janeiro, where the operative hacked officials of the World Anti-Doping Agency (WADA). While the GRU-operatives forgot to change the laptop for the mission in The Hague, they at least did take burner phones (disposable phones to be used only for the operation). Unfortunately, one of the logs showed that the first connection it made when switched on was to the cell phone tower nearest to GRU headquarters in Moscow.

All intelligence agencies struggle to adapt their HUMINT operations and tradecraft to the internet age, but the GRU is learning it the hard way

After the British authorities had released information on the Skripal suspects, and the Dutch on the OPCW-operatives, researchers from open-source collective Bellingcat and its reporting partner The Insider set to work. Using open-source tools they uncovered information that a professional foreign intelligence service would have been proud of. For the Skripal suspects, they managed to identify Petrov and Boshirov as Alexander Mishkin and Colonel Anatoliy Chepiga.4 Investigative reporters then delivered the coup-de-grace, travelling to the remote village where Mishkin grew up. They spoke to villagers who identified the GRU officer, and allegedly even visited his grandmother who proudly displayed the picture of President Putin decorating him with the Hero of the Russian Federation award. 5 The OPCW team was not spared either. One was found listed on a dating site, with his profile picture taken a stone’s throw away from GRU headquarters. Even worse, another had his car registered on a list of the Moscow traffic police, next to the address of GRU headquarters. It appeared that 305 other individuals also had their cars registered under the address of GRU headquarters, ostensibly to avoid traffic fines. As a result all their covers were blown, probably necessitating the cancellation of certain covert operations and the reassignment of some individuals from operational assignments to Moscow desk jobs.6 All intelligence agencies struggle to adapt their HUMINT operations and tradecraft to the internet age, but the GRU is learning it the hard way. 

Media in Salisbury after the attack © Ian Southwell / Flickr
Media in Salisbury after the attack © Ian Southwell / Flickr

The Litvinenko assassination in London 2006 was also characterized by sloppy tradecraft. According to observers, the murder of Litvinenko with the rare radioactive substance polonium-210 was not the work of the GRU; it seems more likely that the Federal Security Service (FSB) was behind it.7 Nevertheless, whichever organisation carried out this attack, it was certainly not conducted using professional tradecraft either. The most glaring blunder, of course, had to do with the trail of polonium that the two main perpetrators left all over London. Even wash basins in the hotel rooms where they stayed contained traces of polonium and one of the men left a trail of the substance in the German city of Hamburg as well. No wonder that even Russian security personnel could not take much pride in this operation. As a well-known Russian Kremlin watcher observed after the Litvinenko murder: 'My FSB friends told me that this [Litvinenko's bungled poisoning] would have never happened under Andropov [former KGB head and communist party chief]. They told me that the KGB was much more efficient at murdering back then.'8

Responses, punishments and reforms
One would think that such glaring levels of incompetence, especially in the case of the recent ones for which the GRU is responsible, would not go unpunished in Russia. Indeed, the first reports about heads rolling at the GRU, even though still largely unsubstantiated, have already appeared in print.
9 According to a recent article written by the Russian internet journalist Sergey Kanev, the GRU leadership in the person of General Igor Korobov was summoned by Putin personally. On his way home after his meeting with the Russian president, he apparently became unwell. According to the same story, another victim of the possible purge is Colonel Konstantin Bakhtin, the second secretary at the Russian embassy in The Hague.10 He was recalled to Moscow and probably faces an  uncertain future, allegedly since he was also involved in the OPCW operation in April. Interestingly, he apparently knew one of the assassins in the Skripal case well.

The OPCW headquarters © OPCW / Flickr
The OPCW headquarters © OPCW / Flickr

How to explain this recent series of intelligence blunders on the part of the GRU? For the Skripal operation, the risk of the publication of their pictures in Salisbury and at Heathrow airport was possibly taken into account by the GRU. But the publication of the suspects’ real names by Bellingcat will have come as a nasty surprise. For the OPCW team, the issue was not just sloppy tradecraft, but rather a faulty risk analysis. The GRU team conducted the close access operation quickly and under their own names, as they probably did not think they would get caught. Perhaps they judged the Netherlands, and their intended next destination Switzerland, as semi-permissive environments for HUMINT operations. This will change; the GRU will undoubtedly use better tradecraft next time. But the main reason the Netherlands, the U.K. and the U.S. chose to publically name and shame the GRU was that western politicians felt the need to impose a red line on brazen operations that transcend classic espionage. Regular assassinations, subversion or sabotage on the part of agencies such as the GRU are felt by many in the West to be unacceptable Russian state behaviour. It is unlikely that the GRU’s blunders will make it change its aggressive behaviour. It will, however, undoubtedly retailor its modus operandi, preferring the shadows to the limelight it has recently found itself in.     


Sergei Boeke
Researcher at Leiden University
Ben de Jong
Onderzoeker op het gebied van inlichtingendiensten